In this article i’d like to share a windbg script that will let us to load a shellcode from a file to kernel memory and create a kernel thread to execute it. I have not played a lot with the script yet, if you find some bug please tell me.
In my previous post i described a vulnerability that would let configure DNS in multiple models of Comtrend routers by clicking an url like this:
I am pretty sure that many models of Comtrend and other manufacturers suffer vulnerabilities of this type. In this post i am going to describe how to attack a router Linksys WAG120N in a similar way.
It is well known by all the poor security of SOHO routers distributed by ISPs. Vulnerabilities, default passwords,… These routers expose inexperienced users to be hacked.
I want to share here a method which I have been playing that would let us to configure some router models when a user clicks a link created by us. I have not read about this method on the internet, sorry if I am wrong and it’s not new. The method is quite simple. It is usual to find routers with default passwords. And these devices usually offers a HTTP based interface to configure them. And some models accept configuration parameters through the URL.
The last days my computer started to crash suddenly, with bug check 0x51 (REGISTRY_ERROR). It was totally random, so i decided to analyze the crash. I decided to write an article about this because, in spite of the fact that it doesn’t seem a security problem, i learnt some interesting things about windows registry.
A couple of days ago i found a weird behaviour in my computer. When i double-clicked a .docx file, an error message appeared saying c:\Program couldn’t be executed. I don’t know when and why i had an empty file named “c:\Program” on my computer (i had been doing tests with %PROGRAMFILES% envar in my code and i guess the file derived of this).
I investigated a bit about it and it seems to be a bug of the “Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats”. It seems it keeps into a registry key a path to wordconv.exe without quotes, so when svchost.exe tries to execute c:\Program files\Microsoft office\Office12\Wordconv.exe, if c:\Program exists in the machine, it executes c:\Program.
It’s not an important bug and doesnt seem a security problem, because c:\Program is executed in the context of the currently logged user. However i decided to analyze the bug and you can find the analysis in this article.