Everybody knows about SQL injections. It’s like a celebrity in the world of software security. But there are much more many different types of injection attacks which may feel jealous about popularity of SQL injections. That’s not fair. Let’s try to feel the gap, and talk about LDAP injections.
Global buffer overflows
There are a lot of articles, posts, and even books which describe stack buffer overflows. There are a little less stuff about heap buffer overflows. But there is one more thing which you can overflow – buffers in global memory. Although all of those types of issues are very similar, let me try to fill this little gap with global buffer overflows.
Math, beer, freeze, police
It’s 3pm, we came into the room at 8am, so we’ve been taking our mathematical analysis exam for 7 hours.
MicroPython on ESP8266: sending data to ThingSpeak
When you play with new microcontroller, first thing you usually do is driving an LED. That’s a classic “Hello World!” project for microcontrollers. That’s what I did when I was playing first time with ESP8266 and MicroPython. Let’s move on, and implement another classic project – measuring temperature and humidity with DHT22 sensor. But we don’t want to be quiet, so we are going to share this so important data on the Internet. ThingSpeak will help us with it. Let’s add a new warrior to the army of Internet of Shit!
Problems with running MicroPython on ESP8266 with 512K
In my previous post about running MicroPython on ESP8266, I mentioned that ESP8266 boards may have different amount of flash. Similarly there are two versions of MicroPython: limited version for 512K, and full version for boards which have more than 512K of flash. In that post, I played with ESP-07 which had only 512K, so I had to use a limited version of MicroPython. This limited MicroPython version was enough just to turn on/off an LED, but it turned out that it actually doesn’t work well.
Getting started with ESP8266 and MicroPython
I like the idea of Internet of Things (IoT) which is becoming so popular. We have everything connected to the Internet: TVs, printers, fridges, cars, even teeth brushes, etc. We already have botnets which consist of IoT devices, and are used for massive DDoS attacks. I personally prefer calling it “Internet of Shit” because sometimes it’s not clear why some devices connect to the Internet. By the way, there is a twitter called “Internet of Shit”. I highly recommend to follow.
Using those fancy IoT devices is fun. Furthermore, sometimes such devices are even helpful. But it’s more fun to participate more actively. For example, you can create your own IoT device with blackjack and hookers. God bless those people who developed ESP8266 boards which now allow everybody to build their own IoT devices. As you may know, ESP8266 boards are extremely cheap. And I would say they are relatively easy to use (especially if you know about Google).
I was going to try ESP8266 controllers for long time. Finally, I did it, and want to share my experience in hope it may be useful. I found a lot of articles about ESP8266 and NodeMCU firmware which allows you to run Lua scripts on your ESP8266 board. That’s cool, but the problem is that I don’t know anything about Lua language. Another problem is that I am lazy in this time of year, so I didn’t want to learn Lua. But luckily I know Python a little bit, and there is MicroPython project which allows you to run Python scripts on embedded devices including ESP8266.
Here is a tutorial how to get started with ESP8266 and MicroPython.
Русская версия – Как запустить MicroPython на ESP8266
Gorky city (if we’re back to USSR)
If you are visiting Russia, than you are probably in Moscow. Or, you may be in Saint Petersburg (by the way, there is ). Just because those two cities are the most famous and popular places in Russia.
If you are in Moscow, but got bored with looking at Kremlin, walking in Gorky park and Red Square – then you may want to explore Russia a little bit deeper. Just a little bit, don’t worry. For example, you can go to Nizhny Novgorod for one day.
What’s Gorky city? See below.
MessagePack fuzzing
is a binary serialization format. There are lots of open source implementations of this protocol on various languages including C/C++. It’s good to do something good in new year. For example, it can be a little contribution to an open source project. Let’s check quickly if the implementation on C/C++ has any memory corruption issues. One of the best ways is of course fuzzing.
Fuzzing GUI applications: AbiWord
Usually there is no problem if you want to fuzz a headless application. A headless application can be run just in a terminal, and doesn’t have any GUI. You can pick up your favorite fuzzer, and feed fuzzed data to the application. Normally, a headless application just processes data, and then quits or crashes right away. But it may be different if you are trying to fuzz an application with GUI. Let’s try to fuzz an open source text editor AbiWord.
Accessing private fields with synthetic methods in Java
In Java, you can define one class B inside another class A. Class B is called an inner class, and class A is called an outer class. It looks like the following:
public class A {
private int secret;
public class B {
public go() {
// do something
}
}
}
Class A has a private field “secret”. This private field can be accessed by both A and B classes. But in some cases, this private field can be accessed by other classes in the same package even if neither A or B provide any accessors. It actually depends on what we have in go() method.