siberas blog
Because sharing is caring...
Pwn2Own 2014 - Escaping the sandbox through AFD.sys
This year Andy and I were finally able to take part in the Pwn2Own contest during the CanSecWest conference in Vancouver. We won the Internet Explorer 11 competition by compromising a fully-patched Windows 8.1 (x64) system. For successful exploitation we abused three distinct vulnerabilities:
Read MoreCustom Viewer
With release 0.9.17 watobo introduced a new viewer pane. This custom viewer gives you full control of how the output should look like. It enables you to parse the response (extract, format, decode, …) and display only the relevant parts by using the power of ruby – an example will follow shortly. The custom viewer is available in the main window’s response viewer as well as in the manual request editor response - the latter we use for this tutorial.
Read MoreInstalling FX/Ruby on (Kali) Linux
As most of the common linux distribution also Kali Linux has its own ruby package. But using these pre-built packages is often a pain in the … ahm … not the best choice, especially if you need to compile your own modules. From my experiences with Ruby on linux, I recommend to use RVM (Ruby Version Manager) for installing Ruby. This little tutorial will show you how to install (FX)Ruby on Kali Linux.
Read MoreWATOBO Running SQLMap
In WATOBO version 0.9.9 I introduced a new plugin which builds a bridge between WATOBO and sqlmap.
Read MoreWATOBO 0.9.9 Supports Transparent Mode
“Cool, WATOBO can act as a transparent proxy. But why do I need this feature?” Right, most of the time when you’re pentesting a web application you only have to configure your browser to use a proxy. This will work for most of the applications designed for web browsers.
Read More