PCB UV exposure scanner

Over the past years I have always had some DIY electronics-related projects, which I tried to build somehow at home. For prototyping, breadboards are fine, but as soon as you have to take the next steps to create stable, final hardware, you should work with PCBs. I do not count pre-made prototype PCBs, which have their pads and traces structured and distributed across the board. These are not so good for SMD parts; moreover, the overall look with them will most probably be simply disgusting, not professional.

So, if you would like to work with your own nicely designed PCBs, you can choose from several PCB manufacturers who support hobbyists with low-cost, low-quantity PCB production. However, for early prototyping there are some issues with them:

  • You have to wait 1-2 weeks or even more before you get your boards, or you should pay much more for fast production/delivery.
  • HW development is pretty much the same as SW development. In the case of a complex project, there is a big chance of having some issues with your first (and second, and third…) board. So you have to pay for every variant and wait even longer for production and delivery.

If you make PCBs often, it is definitely worth creating your own “PCB fab” at home, to be able to prototype your own PCBs quickly. Then, if it is still necessary, you can order the final version from a professional manufacturer.

I am not a big fan of toner transfer and other alternative methods, and as I used to make projects at school with photoresist PCBs, I decided to create a UV exposure “tool” for this purpose.

Plenty of DIY PCB UV exposure tool building posts are available on the internet, with totally different approaches. I also designed my own to fulfill my needs: it should be relatively small and portable, and the hacking/modding should be fun. 🙂 Flatbed scanners turned out to be a possibly good target. Compared to most of the other scanner mods, which use LED arrays or fluorescent tubes across the whole scanner bed area, my plan was to use the scanner carriage with only a few LEDs and control its movement (and brightness) under the given PCB.

After a quick search on the local second-hand portal I found a nice old Mustek 1200CP for about 4 EUR. I made the investment 🙂 and started the work.


SAP ConfigServlet remote code execution metasploit module

Mirrored from my previous site, original URL was: http://blog.kabaiandras.hu/2013/04/sap-configservlet-remote-code-execution.html

Still SAP, still the same OS command execution vulnerability I mentioned in my previous post. But what is the difference? Well, it is good if you can run OS commands on the target system, but probably you would like something more. Yes, I am talking about binary payloads.

After making my SAP ConfigServlet OS Command Execution Metasploit module, I started to create a new module for remote code execution.

As it is possible to execute OS commands through the ConfigServlet, it is relatively easy to deliver binary payloads and execute them through Metasploit’s command stagers. These stagers convert the binary payloads to an ASCII-deliverable format, use OS commands to write out the payload and the stager line by line, and finally execute the payload through the dropped stager. Because VBS is more common in Windows environments than PS, I chose CmdStagerVBS.


SAP ConfigServlet OS command execution metasploit module

Mirrored from my previous site, original URL was: http://blog.kabaiandras.hu/2013/04/sap-configservlet-os-command-execution.html

If you have ever tried to search for SAP vulnerabilities, then I am sure you have come across some of the ERPScan team’s awesome research. This happened in our current pentest project as well. A colleague of mine identified several SAP systems in the target network range and we tried to find well-known vulnerabilities for them.

We found a great presentation (Breaking SAP Portal) from Hacker Halted 2012 by Dmitry Chastuchin from ERPScan. One of the slides contains a very interesting screenshot of the exploitation of a simple, remote, authentication-less OS command execution vulnerability. Yes, with a simple GET request it is possible to execute OS commands on the remote system. I tried to search for existing exploit implementations for this vulnerability, but there were no public Metasploit or other exploits available. Surprisingly, not only were no exploits available, but there were also no relevant search results for this vulnerability, so I decided to create a Metasploit module for it.
