NX-Protected pages

Hi!

Recently, while playing with ELF images inside the Linux kernel (> 2.6.35), I was surprised by a message in syslog after my module got killed:

kernel tried to execute NX-protected page – exploit attempt? (uid: 1000)

Now I am wondering whether it is possible to toggle off the NX (NX stands for Never eXecute) bit, just as we can do with the 16th bit of cr0 for read-only pages…


SQL Injection back in 2006

Many years ago a friend of mine came around with an idea, not new even back in those days, but fun anyway.

The idea was to automate SQL Injection attacks by using search engines to find vulnerable targets.

Integrated with a tiny Delphi malware (yes, Delphi 0_o) it became powerful.

This code lies in a separate part of my heart (yes, I do have a heart), not because it was 31337 (it wasn’t!) or extremely advanced, but only because it was fun to write.

I did not run the code in the wild, not even once, truly. I wrote it with the help of other people who tested it while I was writing it, back in 2006 when the internet was a savage place with practically no rules. Nowadays things have changed a lot and everything you do is either illegal or shameful, so I no longer do anything like this.

This code is outdated and no longer works, so it is not of much use, even less so because the Delphi malware is not included, but I would like to share Volatile myself because other people already did, so it is my right, right?

I believe I’ll sleep well, and apart from that, this software has already been out there on the internet since 2006 and was even used for teaching computer security in a few universities.

It basically takes three steps to gain complete control over remote computers running ASP + Windows:

– Find possibly vulnerable targets using a web search engine, applying a specific SQL command and testing its return; if the result was an error, then:

+ Perform a cmd_shell command pinging the origin IP; Volatile would then start an ICMP sniffer to see whether ICMP packets arrived from the remote target; if so:

– Execute a new cmd_shell command downloading and executing the malware from a different remote host. Such malware would take control over the box, then send a screenshot and start listening on a specific port (backdoor), waiting for connections.

– It would keep running through hundreds of possibly vulnerable machines, creating a list of compromised hosts.

Fun enough, but nowadays pretty illegal, and I do not recommend that anyone do anything similar in the times we live in, so it is a fossil, only for posterity (my own) appreciation.

Here is the code: https://gist.github.com/carloslack/9f6348606c4447b89830