http://www.nopcode.org/blog en nopcode development crew doblog http://www.nopcode.org/blog/post_29.html Net Flanders security Tue, 20 Ago 2007 11:59:59 +0200
Today I have discovered a 0day at pans and company that allows you to make a reverse-xss plain attack on the bill.

A second bug it is not a 0day, but stands to make you think if the food is cheaper if you don't want a "BUEN PROVECHO".

Take a look:

---

NOTE: Serial IDs, hour, place and personal information has been altered for privacy. So don't don't take them seriously.



Yup..i'm also thinking about how to exploit this reverse-xss input. hahah


]]> http://www.nopcode.org/blog/post_28.html pancake news Tue, 18 Ago 2007 02:32:61 +0200 panda team at the CaptureTheFlag competition.

Few months ago a group of friends participate on the kenshoto prequals, which is a prequalification wargame with different categories and complexity. After the 48h we got qualified to participate at the DefCon final on a CTF.

This time we go there without a good preparation, we are wearing cheap network switches with broken RJs, and there was a long time most of us make an exploit or so, we had to remember all this things there O:)

We are 7 and decided to split the team in 3 groups: One doing server administrative tasks, exploiting automatism scripts and working together with the other two (reversing and exploiting).

The list of rules of a CTF are:
- you have two network cables and a table
- one of the cables reaches the gateway and the other one your server
- kernel patches are not allowed/permitted
- reverse engineering applications to find bugs to exploit
- patch your services (in binary)
- sniff the trafic to find other's exploits
- exploit them and take profit
- each service per each team has a token (key file with hex number)
- you should steal tokens from other teams and overwrite them with your own
- there are private and public tokens
- keep up your services

The first day of the ctf we were maintaining the first position, this is because we were focusing our time in the easiest ones, trying to get them rapidly and be able to steal as much points as possible from the rest of teams.

The second day there was some problems with the counters and we was unable to use the three breakthrougths we do during the night, and we had to spend all the day to finally exploit another because of another team constantly overwriting its key file. So we fall into the third position.

The third day was just the half of it, and this wasn't enought time to raise from the yestedays crackdown, but we were able to maintain the position and as a final note, We were able to exploit a 3-years old bug in about two hours before the end, but...we were too nervious and didn't look at the correct terminal O:).

Finally I will like to congratulate to Kenshoto and all the teams of the CTF for this great wargame and for having such a fun in a plastic city on the middle of a desert.

Hope to get classified next year and back to the CTF..This time with a 70% more of network switches

+ pandas/blog/report
+ Kenshoto
+ 48bits
+ cutaway-security
+ news.livedoor
+ atlas.blog





* pandas is a trademark of Osu Tatakae! Sexy Pandas wargaming team.
* 'we' in this article is refered to the panda team
]]> http://www.nopcode.org/blog/post_27.html pancake projects Tue, 1 Ago 2007 02:32:61 +0200
It aims to implement a Java API for publishing and accessing REST services using Java or Javascript.

The beauty of REST is that it's like the *nix friend of HTTP, simple and flexible. You can make GET, PUT, POST and DELETE calls against the published nodes.

Using the javax.script api of Java6 you can use ECMAScript (or another scripting language).

You can also use this api from commandline by using the 'rest' and 'restd' commands and load a REST profile from an XML file. A node can return the output of a shell command, return a setteable value, or a execution of a script.

It's almost easy to implement a distributed autoupdateable mesh network of rest servers sharing lines of javascript between them embedding all this magic on a single XML file.

Read more here.

Download the tarball here
]]> http://www.nopcode.org/blog/post_26.html nopcode news Tue, 10 Jul 2007 23:43:38 +0200
No, Seriously.

Lot of things are changing, and this blog does not reflect what's really happening.

We dislike to make presentations, definitions or expectations of anything, we are a dead generation.

But instead i'll enumerate a list of some of the projects we are currently involved, feel free to join the development mailing list. We are opened to new ideas, developments, hacks and challenges!

0xFFFF - A Free reverse engineered flasher for the Nokia Internet Tablets

HTCflasher - A flasher for the HTC devices

PVC - Most of our software development is moving from cvs and git to the branding new pvc version control

radare - an advanced commandline hexadecimal editor (really interesting for rce)

One of us is reverse engineering a proprietary router to run linux. Other projects like mksend and acr are going to grow soon.

We will try to open the blog a little bit more, so we hope to get more editors (>1) to feed you better :)

Welcome again and have phun!
]]> http://www.nopcode.org/blog/post_25.html nopcode releases Wed Feb 21 14:38:28 CET 2007 ]]> http://www.nopcode.org/blog/post_24.html nopcode releases Sat, 09 Dec 2006 02:20:54 +0100 ]]> http://www.nopcode.org/blog/post_23.html nopcode releases Fri, 08 Dec 2006 02:31:51 +0100
>> acr
]]> http://www.nopcode.org/blog/post_22.html nopcode news ]]> http://www.nopcode.org/blog/post_21.html nopcode news
It has been leaked from meneame and deepbit.

Feel free to submit your own termcasts. We need more f00d.
]]> http://www.nopcode.org/blog/post_20.html nopcode news TripleDES now, we have a new FTP mirror of nopcode.

>> nopcode mirror at bytezero
]]>