file format analysis tools

July 27, 2015

offvis from microsoft:

Categories: Uncategorized

Protocol Readings

July 20, 2015
Categories: Uncategorized

Generating and editing pcaps

July 17, 2015

If you want to modify pcaps, use the following tools:

colasoft packet builder

If you want to generate HTTP traffic, use the following tools:

wfetch from microsoft

send http tool

For raw packet processing, use Python with the dpkt library. You can also use httplib2 with Python. Some people use Scapy as well.
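The post names dpkt and Scapy for raw packet work. As an added example (not from the post and not code from those projects), here is a standard-library-only Python script that does the two things the post is about: it writes a classic libpcap file, reads it back with the truncation check a parser needs, decodes the Ethernet/IPv4 headers, and performs one edit (rewriting the source address) with the IPv4 header checksum recomputed so the edited capture still verifies. All MAC addresses, IP addresses and timestamps are constructed sample values.

```python
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4        # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header; a header that already carries a
    correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 frame (MAC addresses are made-up sample values)."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + payload


def write_pcap(frames) -> bytes:
    """Serialise frames into a pcap file: 24-byte global header, then 16-byte record
    headers (ts_sec, ts_usec, incl_len, orig_len) each followed by the frame bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_437_100_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes):
    """Parse a pcap file; returns (linktype, [(ts_sec, ts_usec, frame), ...]).
    Rejects records whose declared length runs past the file or the snaplen."""
    if len(data) < 24:
        raise ValueError("not a classic pcap file")
    (magic,) = struct.unpack("<I", data[:4])
    end = {PCAP_MAGIC_LE: "<", 0xD4C3B2A1: ">"}.get(magic)   # second value: big-endian file
    if end is None:
        raise ValueError("not a classic pcap file")
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated record")
        records.append((ts_sec, ts_usec, data[off:off + incl]))
        off += incl
    return linktype, records


def is_well_formed_pcap(data: bytes) -> bool:
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False


def decode_ipv4(frame: bytes):
    """Minimal decode: returns (src_ip, dst_ip, proto, checksum_ok) or None if not IPv4."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    return str(src), str(dst), ip[9], ipv4_checksum(ip) == 0


def rewrite_src_ip(frame: bytes, new_src: str) -> bytes:
    """The edit step: swap the IPv4 source address and refresh the header checksum,
    otherwise every edited packet shows up as a checksum error in a dissector."""
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    ip[12:16] = ipaddress.IPv4Address(new_src).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return frame[:14] + bytes(ip) + frame[14 + ihl:]


if __name__ == "__main__":
    frame = build_ipv4_frame("10.0.0.1", "10.0.0.2", 6, b"hi")
    capture = write_pcap([frame, rewrite_src_ip(frame, "192.0.2.7")])
    for ts, _, f in read_pcap(capture)[1]:
        print(ts, decode_ipv4(f))
```

The checksum is the part people forget when editing by hand: a hex editor will happily change an address, but the packet then fails IPv4 validation, which is exactly the kind of artefact that makes an edited test capture behave differently from a real one.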

Categories: Uncategorized

drupal 5.0 form

November 29, 2014

If you want to create and submit a form in Drupal, make sure you set the form's submit action to self (the form posts back to its own page); only then can you use Drupal's form functions.

Categories: Uncategorized

Running Drupal 5.x on PHP 5.4.3

November 22, 2014

Drupal 5 does not support PHP 5.4.3, and for those who have sites based on Drupal 5 this causes a major headache. Some people have written a patch which you can apply to the core files to run Drupal 5 on PHP 5.4.3.

You can download the patch here:



Categories: Uncategorized

CVE-2014-4715 Analysis

July 11, 2014

It's an integer overflow vulnerability in LZ4's lz4.c. If we look at the patch at

they have added the following conditions:

/* overflow detection */
if ((sizeof(void*)==4) && unlikely((size_t)(op+length)<(size_t)(op))) goto _output_error; /* quickfix issue 134 */
if ((endOnInput) && (sizeof(void*)==4) && unlikely((size_t)(ip+length)<(size_t)(ip))) goto _output_error; /* quickfix issue 134 */

//if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */
if ((sizeof(void*)==4) && unlikely((size_t)(op+length)<(size_t)op)) goto _output_error; /* quickfix issue 134 */

As you may have figured out, the code adds a length to the pointer ip and then checks whether the sum is less than the original value of ip. On a 32-bit build (sizeof(void*)==4) that can only be true if the addition wrapped around, i.e. an integer overflow, so the decoder bails out to _output_error instead of writing past the buffer. The same check is added for the output pointer op.
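To make the wrap-around concrete, here is an added example (my own code, not from LZ4 or its patch). It models the 32-bit address space the quickfix targets with uint32_t, shows the portable form of the same test (ask whether the addition would wrap before doing it, which avoids relying on pointer overflow behaviour), and uses it in a literal-copy routine of the kind a decompressor runs. The buffers in demo_copy are constructed for demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit model of the patched check: with 4-byte pointers op + length wraps
 * silently, so "(op + length) < op" is the only symptom of the overflow. */
static int wraps_on_32bit(uint32_t op, uint32_t length)
{
    return (uint32_t)(op + length) < op;
}

/* Portable form of the same test, valid for any pointer width: decide whether
 * the addition would wrap without performing it. */
static int add_would_wrap(uintptr_t base, size_t length)
{
    return length > (size_t)(UINTPTR_MAX - base);
}

/* Literal-copy step in the style of a decompressor: refuse a length that
 * would wrap the destination pointer (-1) or run past the buffer end (-2). */
static int checked_copy(unsigned char *op, const unsigned char *oend,
                        const unsigned char *ip, size_t length)
{
    if (add_would_wrap((uintptr_t)op, length)) return -1;   /* pointer wrap */
    if (length > (size_t)(oend - op))          return -2;   /* plain overrun */
    memcpy(op, ip, length);
    return 0;
}

/* Constructed 16-byte output buffer; returns checked_copy's verdict for `length`. */
static int demo_copy(size_t length)
{
    unsigned char src[32] = {0};
    unsigned char dst[16] = {0};
    return checked_copy(dst, dst + sizeof dst, src, length);
}

int main(void)
{
    printf("0xFFFFFFF0 + 0x20 wraps on 32-bit: %d\n", wraps_on_32bit(0xFFFFFFF0u, 0x20u));
    printf("copy 16 -> %d, copy 17 -> %d, copy SIZE_MAX -> %d\n",
           demo_copy(16), demo_copy(17), demo_copy(SIZE_MAX));
    return 0;
}
```

Note that the wrap check alone is not a bounds check: demo_copy(17) is caught only by the second comparison against oend. The patch's comparison is a guard against the case where a huge length makes the ordinary "op + length > oend" test pass because the sum wrapped to a small address.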




Categories: 0 day analysis

HeartBleed Vulnerability, CVE-2014-0160 Analysis

April 11, 2014

Here is the packet:


So what's the issue? Let's look into the patched code.

The patched code adds the following checks:

1. if (1 + 2 + 16 > s->s3->rrec.length)
       return 0; /* silently discard */

2. if (1 + 2 + payload + 16 > s->s3->rrec.length)
       return 0; /* silently discard per RFC 6520 sec. 4 */

3. if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
       return 0;


The first check discards packets whose TLS record length is less than 19 bytes. Why? Because 1 byte denotes the message type, 2 bytes denote the payload length, and 16 bytes is the padding. So this discards a heartbeat with no room for a payload at all.

The second check makes sure that the claimed payload length, plus the header and padding, actually fits within the length given in the TLS record.

The third check makes sure that the write length is not more than 16384 (0x4000), which is SSL3_RT_MAX_PLAIN_LENGTH.


This is a quick post; I hope it clarifies things. If you have any questions, feel free to mail me.


Categories: Uncategorized
