Breaking Code

April 8, 2012

Quickpost: Installers for BeaEnginePython, Pymsasid, PyDasm and Libdisassemble

Filed under: Tools — Tags: , , , , , , , — Mario Vilas @ 7:25 pm

I’ve packaged the BeaEngine Disassembler along with its Python bindings into a no-frills Windows installer. Certainly easier than manual install, and it really helps me when installing it on virtual machines. :)


Update: Just added another disassembler package, Pymsasid.

Update: Added precompiled Windows binaries for PyDasm on Python 2.6 and 2.7.

Update: My installers were added to the Python Arsenal for RE. :)

Update: The Pymsasid package was updated with a small change, so the importation works just the same as loading the .py files from the current directory (it’s just an “import *” in

Update: Added a simple setup script for Libdisassemble 2.0. Since I had to put the sources inside a package the import statement in your scripts will have to be adjusted if using this version. With a simple try/except block you can make scripts compatible with both versions as well, if you need to.


BeaEngine win32 installer: BeaEnginePython-3.1.0.win32.exe

BeaEngine win64 installer:

BeaEngine source installer: (run “python install”)

Libdisassemble 2.0 win32 installer: libdisassemble-2.0.win32.msi

Libdisassemble 2.0 win64 installer:

Libdisassemble 2.0 source installer: (run “python install”)

PyDasm precompiled binaries: (run “python install”)

Pymsasid source installer: (run “python install”)

March 18, 2012

Heappie! + WinAppDbg

Filed under: Tools — Tags: , , , , , , — Mario Vilas @ 7:35 pm

In case you missed it, Aníbal Sacco released a new tool called Heappie! to analyze heap sprays in multiple platforms. It uses PyGame and PythonCard for the GUI and Kenshoto’s VTrace as the backend. It’s really cool, check it out :)

Trippy screenshot, dude!

Now, I never get tired of saying how great VTrace is. It’s written in Python, supports multiple platforms and quite comfortable to develop with. But alas, I tend to prefer my own debugger (call me biased if you wish!). So today I went ahead and added WinAppDbg support to Heappie!. When WinAppDbg is installed, it’s chosen automatically as the backend. If not found, it falls back to VTrace. That way we don’t lose support for other platforms, since WinAppDbg naturally only works on Windows.

This patch also adds support for 64 bit versions of Windows, in case you were thinking this was just an exercise in self indulgence. Well, it is that, but not just that. Ahem.


Just download the file above, go to Aníbal’s blog to learn how to use it, and exploit all the bugs! :D

So many vulns, so little time.


January 27, 2012

Posting anonymously to

Filed under: Privacy, Tools, Web applications — Tags: , , , , , , , , , — Mario Vilas @ 6:58 pm

Updated 3-Jun-2013: the API this script was using has been deprecated, and the new one requires credentials to be used. :(

I’m keeping the blog post online for a while as a curiosity, but the technique described here no longer works.

While going through some old code of mine to document it using Epydoc at a friend’s request, I found something funny. Some time ago I made a quick and dirty script to access the API from Python. Well, it turns out the API has changed quite a bit since then – most importantly, now it requires a mandatory API key that’s linked to a user account (which in turn, if you used OAuth, is linked to your Gmail address or Twitter feed). That means it’s no longer possible to post anonymously using the official API.

Funny thing is, my old script was still working! :) Apparently the folks at Pastebin have left the legacy API still running. The old documentation is gone though, and now even to read the updated documentation you need to log in… :(

Now, this takes care of the API key problem, but there’s still the issue of Pastebin seeing your IP address. An HTTP proxy can fix that… provided you trust that proxy not to store your IP somewhere in the logs. The procedure is simple, just set the HTTP_PROXY environment variable to wherever your proxy is, and voilà! The standard Python module urllib will automatically connect through the proxy.

If you don’t have a trusty HTTP proxy, the best way to go is through the Tor network. You’ll need to install the Tor service itself and the Privoxy HTTP proxy in your machine, then set the HTTP_PROXY variable to This document from the Tor Project explains it in detail.

Once you’ve set up your proxy, download and send a file to Pastebin like this:

    $ python manifesto.txt
    manifesto.txt -->

The script accepts multiple filenames as well. You can also set the syntax highlighting format (useful for source code, config files or logs) as follows:

    python --format=apache /var/log/apache2/access.log /var/log/apache2/error.log

And set an expiration time, after which it gets automatically deleted. In the following example a SQL dump is uploaded and automatically deleted the next day:

    python dump.sql --format=sql --expire=1D

So, that’s pretty much it. There’s a limit of 512Kb per file uploaded, in order to bypass this you’ll have to split the file into multiple pieces (something similar to this but using pastes instead of URLs). I may do it another day, but for now it’s left as an exercise to the reader. ;)

There’s one thing I don’t quite understand: why did the Pastebin folks think it was necessary to have a mandatory API key? Even if the legacy API had been shut down, it would still be possible to figure out how the web page was doing it and replicate it in Python. The API key being linked to the user account seems a bit strange too… Their intention might be to catch script kiddies uploading illegal stuff, but it may also be an attempt to do data mining on people’s posts. Who knows…


No longer works!

July 20, 2011

Quickpost: Listing all available Java cryptographic services

Filed under: Cryptography, Tools — Tags: , , , , — Mario Vilas @ 1:17 pm

I recently wanted to know which hash functions were available to Java in a given machine, so I cooked up a little command line tool for that. Maybe this could be useful to others so I posted it here.

Java hash functions are implemented as a MessageDigest object, which you can’t instance directly but rather get an instance through the MessageDigest.getInstance() static method. It takes as it’s only argument a string with the name of the algorithm – but I couldn’t find an easy way to enumerate all available algorithms.

After a little googling I found this code example at Example Depot to do it programatically. Since results may vary from one installation of Java to the next, a command line tool would have been more useful to me, but I don’t know of any. (If you do, let me know!)

Anyway, I wrapped the code in a very simple Main function and compiled it using Eclipse. I called this little tool “ListServices” because I didn’t feel like thinking of a catchy name. :P

By default this tool lists all available cryptographic providers, but you can specify just the ones you need (in the example below, we type MessageDigest to get just the hashing algorithms):

        $ java -jar ListServices.jar

                (... output omitted for brevity ...)

        $ java -jar ListProviders.jar MessageDigest


Enjoy! :)

Update: Added source code to Github.


Executable JAR

Source code + Eclipse project

September 8, 2010

A dual screen hack: x2vnc

Filed under: Just for fun — Tags: , , , , — Mario Vilas @ 6:30 pm

Today I just had to use two laptop computers simultaneously, and switching back and forth was driving me insane. Then I remembered an old trick I used to pull back at my old job: the dual screen hack.

Most of you probably know it already, but just in case, here goes the explanation. You can connect two computers and simulate what would happen if you had two monitors instead: when the mouse leaves the screen in one computer, it “enters” the other computer on the opposite side of the screen. For example, if you have two laptops on your table and you move the mouse to the right, after reaching the border of the screen you see it coming out on the left side of the other computer. :)

The magic is done by using a remote desktop protocol like VNC, which lets you send keystrokes and mouse events, but discarding the framebuffer updates. That is, a program that connects to the remote desktop, but instead of showing you the remote screen, it monitors mouse movements locally and when the mouse reaches the screen limits, it captures the mouse and starts sending mouse events to the remote system. Similarly, when the mouse reaches the opposite limit on the remote system, it stops capturing the mouse so you can use it on the local system.

Since I use Linux my choice was x2vnc, the Linux cousin of the more famous Win2VNC, also by the same author. But unlike Win2VNC which is now actively maintained at SourceForge, x2vnc seems to have been abandoned.

x2vnc supports SSH tunneling, which is just perfect since VNC is a plaintext-only protocol and insecure by design. However there’s no easy way to tell x2vnc to which port to connect or which username to login as – it defaults always to the current local user and port 22.

I also had a problem with my other laptop, which had Windows 7. When the mouse cursor leaves the screen, it is “parked” to a corner of the screen so it doesn’t show (it’d be confusing to see two mouse cursors as you wouldn’t know which one is active). But the corner chosen by x2vnc is always the lower right corner, causing Windows 7 to hide all active windows… very annoying.

So I did what any other geek would do in my situation – branch it! :D

The patched code is now at Google Code. The new command line switches I added were:

-sshuser: Log in to the SSH tunnel using the given username.

-sshport: Connect to the given TCP port number instead of the SSH default (22).

-restingx and -restingy: Tell x2vnc where to park the mouse cursor. A value of 0 means left or top, a value of -1 means right or bottom. Then for example, -restingx 0 -restingy -1 means the top right corner of the screen.

Currently there’s only the source code but if I have the time I’ll upload a precompiled Debian package as well. Enjoy! :)


Source code:

July 23, 2010

Quickpost: “Hiding” your Python source with ROT13

Filed under: Just for fun — Tags: , , , , , — Mario Vilas @ 5:50 pm

First of all I want to make something clear: this is an absolutely lame way to obfuscate your code. I guess some antivirus, IDS or other kind of security scanner may fail to properly analyze the code if it’s encoded like this, but you can’t really fool a human.

Anyway, it was fun :) and that’s my main motivation to write this blog in the first place, soooo… here it is! A Python source code obfuscator that uses ROT13.

How does it work? Simply put, by misusing the Python source encodings feature. I stumbled upon this idea while reading a thread in Stack Overflow. Python allows us to use any supported form of text encoding for our source code, by placing a magic comment in either the first or second line of the script:

    #!/usr/bin/env python
    # -*- coding: <codec-name-goes-here> -*-

This is useful for example to use UTF-8 and other encodings that allow non-english characters. But Python also has some other fun encodings, like ROT13 (the ancient Roman empire encryption system). The following snippet from Stack Overflow shows how to do it:

    #!/usr/bin/env python
    # -*- coding: rot13 -*-

    cevag "Uryyb fgnpxbiresybj!".rapbqr("rot13")

The only caveat is, ASCII strings are not decoded when you run the script, so you have to do it yourself. Unicode strings on the other hand are decoded automatically.

    #!/usr/bin/env python
    # -*- coding: rot13 -*-

    cevag h"Uryyb fgnpxbiresybj!"

There are some other fun encodings like “base64”, “uuencode”, “zlib” or “bz2” that you can experiment with too. If you try them let me know how it went. :)

I wrote a quick script to use the ROT13 trick. Naturally the source code itself is also encoded in ROT13, decoding it is left as an exercise for the reader. Enjoy!


Source code:

June 29, 2010

Quickpost: Using Google Search from your Python code

Filed under: Tools, Web applications — Tags: , , , , , , , , — Mario Vilas @ 6:31 pm

Hi everyone. Today I’ll be showing you a quick script I wrote to make Google searches from Python. There are previous projects doing the same thing -actually, doing it better-, namely Googolplex by Sebastian Wain and xgoogle by Peteris Krumins, but unfortunately they’re no longer working. Maybe the lack of complexity of this script will keep it working a little longer… :)

The interface is extremely simple, the module exports only one function called search().

        # Get the first 20 hits for: "Breaking Code" WordPress blog
        from google import search
        for url in search('"Breaking Code" WordPress blog', stop=20):

You can control which one of the Google Search pages to use, which language to search in, how many results per page, which page to start searching from and when to stop, and how long to wait between queries – however the only mandatory argument is the query string, everything else has a default value.

        # Get the first 20 hits for "Mariposa botnet" in Google Spain
        from google import search
        for url in search('Mariposa botnet', tld='es', lang='es', stop=20):

A word of caution, though: if you wait too little between requests or make too many of them, Google may block your IP for a while. This is especially annoying when you’re behind a corporate proxy – I won’t be made responsible when your coworkers suddenly develop an urge to kill you! :D

Below are the download links (source code and Windows installers) and the source code for you to read online. Enjoy! :)


  • Version 1.0 (initial release).
  • Version 1.01 (fixed the IOError exception bug).
  • Version 1.02 (fixed the missing href bug reported by Rahul Sasi and the duplicate results bug reported by Slawek).
  • Version 1.03 (extracts the hidden links from the results page, thanks ubershmekel!).
  • Version 1.04 (added support for BeautifulSoup 4, thanks alxndr!).
  • Version 1.05 (added compatibility with Python 3.x, better command line parser, and also added some improvements by machalekj)
  • Version 1.06 (added an option to only grab the relevant results, instead of all possible links from each result page, as requested by user Nicky and others).


Source code: google-1.06.tar.gz

Windows 32 bits installer: google-1.06.win32.msi

Windows 64 bits installer:


Source code

Get the source code from GitHub:

May 5, 2010

The forgotten bug: silently patched vulnerabilities

Filed under: Vulnerabilities — Tags: , , , , , — Mario Vilas @ 10:39 am

Last month, Microsoft released the security bulletin MS10-024 with a patch for a denial of service vulnerability in Exchange and the Windows SMTP service:

“This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service. The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service.”

However, researcher Nicolás Economou found an interesting surprise in this patch: two additional, undisclosed vulnerabilities had also been patched… and they were far more severe than the ones reported! From the Core Security advisory:

“Nicolas found that the Windows SMTP Service does its own DNS resolution of MX records rather that use the DNS resolver from the operating system while investigating CVE-2010-0024.

Furthermore, he found that the patch referenced in MS10-024 fixed two severe bugs that were not disclosed as such in the bulletin and had no CVE identifiers assigned to them. Basic analysis of the vulnerabilities disclosed in this advisory indicates that the threat of DNS spoofing attacks against Windows SMTP service and Microsoft Exchange or of exploitation of CVE-2010-0024 was underestimated in MS10-024.

An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-014 to spoof responses to any DNS query sent by the Windows SMTP service trivially. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.”

In fact, the two “new” vulnerabilities were quite crass. Both Exchange and the SMTP service were doing their own manually crafted DNS queries using incremental transaction IDs, which is a big no-no when implementing DNS because it makes it real easy for attackers to guess the transaction ID and spoof replies, as is a well known fact for… say… the last 16 years or so? But as it turns out, attackers didn’t even need to guess the transaction IDs… because they weren’t even being used when parsing the DNS responses! :shock:

This omission may be easily attributed to the “embarrasment factor” :) but it’s still a terrible idea to patch vulnerabilities silently: IT administrators, unaware of the real danger of the problem, may give the patch a lower priority. A denial of service just means having the mail server down for a while until it restarts, so the patch can wait – it’d be worse if the server didn’t work at all because patching went wrong. On the other hand, a DNS poison vulnerability means having an attacker browse through everyone’s emails and taking over all other services you may have on the same machine – patching becomes much more worth the risk.

Of course, this isn’t the first time this happens. Practically every vendor did this at one time or another. A quick Google search for “silently patched vulnerability” shows some 1.400.000 hits at the time I’m writing this, showing this is neither new or uncommon – and that even small software vendors may easily get caught. Especially thanks to the rise of binary diffing tools that can pinpoint precisely where and how the code was patched.

Thanks Alfredo Ortega for pointing out this advisory and providing such a cool sounding title. ;)

April 2, 2010

Using Impacket/Pcapy with Python 2.6 on Windows

Filed under: Tools — Tags: , , , , , , , , , , — Mario Vilas @ 5:30 pm

Hello everyone! Today we’ll be installing Impacket and Pcapy for Python 2.6 on Windows. The Impacket module lets you parse network packets, this is very useful for example when developing a sniffer. The Pcapy module interfaces with WinPcap to do the actual packet capture.

From the CORE Security webpage:

What is Impacket?

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.

What is Pcapy?

Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.

There is a problem though – Pcapy hasn’t been updated in quite a while, so there is no MSI installer for Python 2.6. I’ve built it myself and hosted in here in the blog, so you don’t have to. :) I’ve also built an EXE installer for Impacket, it’s not really needed since it’s a pure Python module, but why not?

So this is the list of files we’ll be needing:




Installation is now pretty much straight forward. After running all the installers, let’s try it out with this example script to dump all connection attempts by sniffing SYN packets:

    C:\Documents and Settings\Mario Vilas\Desktop>python
    Available network interfaces:
            1 - \Device\NPF_GenericDialupAdapter
            2 - \Device\NPF_{5BE055D9-461D-4F51-99DD-188224D1A6D0}
            3 - \Device\NPF_{9B7DC2FB-7660-4E68-B4EC-DB9682C76E40}
            4 - \Device\NPF_{166A618C-4230-42E7-93AD-298D1145F5BC}
            5 - \Device\NPF_{BE987C8D-D523-49B8-8B95-DDDBAA46EB3F}

    Choose an interface [0 to quit]: 2
    Listening on: \Device\NPF_{5BE055D9-461D-4F51-99DD-188224D1A6D0}
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->
    Connection attempt ->

Below is the source code to the script. Enjoy! :)


  • A newer version of Impacket is hosted at Google Code, so I built a new installer. The previous version of the installer, based on the version of Impacket found in the Core Security webpage, is still available here: Impacket-
  • Ge0 has built Pcapy for Python 2.7 using MingW to avoid having a depencency against the Visual Studio runtimes. You can download it from here: pcapy.pyd


Source code


March 6, 2010

Quickpost: Using the API with Python

Filed under: Tools, Web applications — Tags: , , , , , — Mario Vilas @ 11:59 pm

Hello everyone. Today we have a quick script I just coded to access the API from Python. It can be imported like a module or run as a command line script, and the interface is really simple (just one function!). The command line interface allows you to upload files. Enjoy! :)

Edit: Also see this post on how to use this script to send files anonymously to Pastebin.

Updated 28-Jun-2011: small changes made
Updated 27-Jan-2012: fixed bug in paste_expire_date, added Epydoc documentation
Updated 28-Jan-2012: removed paste_subdomain, feature seems to have been deprecated
Updated 3-Jun-2013: the API this script was using has been deprecated, and the new one requires credentials to be used. :(


The API this script was using has been deprecated, and the new one requires credentials to be used. :(

Source code


« Newer PostsOlder Posts »

The Silver is the New Black Theme. Blog at


Get every new post delivered to your Inbox.

Join 2,597 other followers