Introduction In the previous blog post (A Reverse Engineering Walkthrough Journey) we have covered a walkthrough guide to solve the Reverse Engineering challenge written for the NoHat24 security conference. In this blog post, we are going to cover the binary exploitation challenge that involves a custom userland allocator that has been specifically developed for this […]
Introduction This blog post is about a manually Reverse Engineered challenge we have written for this year NoHat24 security conference. The conference was a blast and we also did our best to contribute also with a worskhop on Linux Kernel Fuzzing. The challenge is a compiled C/C++ binary that implements a custom TCP protocol that […]
What you will read now is not a write-up, a to-do list of steps to follow or a standard to convey to those who are reading. It is simply a narrative. A story of a hypothetical activity, taking its cue and anonymizing evidence from an actual test that we, Riccardo and Christopher aka partywave and […]
TL;DR A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host. Update changedetection.io to version 0.45.21 or later. A huge thanks to the mantainer (https://github.com/dgtlmoon) that was very responsive and collaborative to fix the issue, request a CVE number and inform the […]
Generalmente questo genere di articoli cominciano dicendo: “da piccolo ero solito smontare e rimontare cose..” mentre la verità è che a me non interessavano. In realtà , ero più interessato ai misteri del mondo “reale“, quello tangibile, come la natura, gli amici, il calcio. Mi piaceva giocare all’aria aperta, a pallone e correre con le moto. […]
Il mio primo approccio al mondo dell’informatica, differentemente da quanto ci si aspetterebbe, è stato simile a quello di molti altri che, come me, sono nati alla fine degli anni ’90: la prima volta che ho interagito con un computer non ho fatto altro che accenderlo, aprire un file mp3 con il media player di […]
Disclaimer This article is intended to be an introduction to machine learning applied to cybersecurity that is understandable even to those who approach it without a prior knowledge of the subject. In order to show weaknesses not all best practices will be followed and some logical errors will be voluntarily included, including code. Therefore, the […]
DISCLAIMER – This article is provided for educational and informational purposes only. The techniques, tools, and examples discussed are intended to promote a better understanding of cybersecurity and to enhance defensive measures. The usage of these techniques should strictly adhere to applicable laws, regulations, and ethical guidelines. The author and publisher of this article shall […]
The devil and holy water THE SITUATION Having had the opportunity to observe a few hundred companies over the past 30 years, to date there is a greater and growing awareness of information security issues or corporate security more generally. It can be said that a good portion of the corporate and medium-sized enterprise has […]
In the vast realm of software development, the Python Package Index has long been a trusted repository for Python packages. However, even the most reliable platforms are not immune to the ever-evolving landscape of cyber threats. My recent investigation led me to stumble upon a malicious package lurking within PyPI, disguised as a seemingly “innocent […]