c0decstuff (feed updated 2024-03-18)

Defeating Windows 8 ROP Mitigation (2012-12-19)
Windows 8 introduced a number of exploit mitigation features, including hardening of both the userland and kernel heaps, mitigation against kernel-mode NULL pointer dereferences, and protection against abuse of virtual function pointer tables. One feature that stood out to me appears to be designed to help mitigate exploits leveraging return-oriented programming (ROP). Return-Oriented

Pivoting from the ARP attack (2012-04-19)
Pivoting from the age old ARP attack
Translating layer 2 local addresses to layer 3 globally routable addresses is the sole responsibility of the Address Resolution Protocol. ARP spoofing is a fun way to mess with your room mates, get an A in a security class at your local college, impress your tech savvy boss, take a practical approach to learning a crap ton about local area networks, or be a

WLAN Penetration Test (2012-04-19)
OSINT and pre-game show for an on-site WLAN Penetration Test
Wireless Penetration Testing in my opinion is one of the most fun parts of Ethical Hacking. It incorporates application exploits once you are on the WLAN/LAN, web application hacking to attack router web interfaces, and a lot of networking tradecraft. Needless to say, gaining complete control of a WLAN is a daunting task. Luckily there

Configuring Network Level Authentication for RDP (2012-03-22)
Recently there has been a lot of attention given to the Remote Desktop Protocol by attackers. The protocol saw a worm in 2011 that abused weak passwords and its features to copy files and infect other machines, and now in 2012 there is a remote code execution bug in the protocol itself. Since the days of Vista and Windows 2008 Microsoft has provided a new mechanism for securing RDP

Finding Evil: Automating Autoruns Analysis (2012-03-05)
You can buy appliances to put in your network in an effort to find evil on systems in your enterprise. I know a wicked smart individual who develops one such system and I strongly recommend you check them out, especially if you can afford them.
But let's say you didn't budget for one of these systems this year; there's still something you can cobble together using Autoruns, Psexec, Cygwin

An analysis of recent website defacements (2012-03-05)
Late on Friday news came through that the Bangladeshi stock exchange had been hacked by Teamgreyhat. I went to have a look, because I’m keen to understand the psychology involved in destroying somebody else’s website – and there have been enough recent hacks to compare and contrast.
There’s this current one, screenshot below. I tried to pick out clues from the components of the message, such

Hacking VLAN (2011-12-20)
Introduction
A Virtual LAN, or VLAN, is a group of hosts that communicate with each other even though they are in different physical locations. Location independence for users, bandwidth savings, easier device management, and cost effectiveness for the organization are some of the facilities provided by the Virtual LAN.
VLAN is based on Layer 2 “Data link” of the OSI Model. The OSI

Bypassing EMET’s EAF with custom shellcode using kernel pointer (2011-12-20)
Recently I have been testing out Microsoft’s “Enhanced Mitigation Experience Toolkit” (EMET) tool for exploit mitigation. This is a free tool and is designed to harden or secure applications without having to recode them. One exploit I used to test was Adobe Flash’s “Action script type confusion” vulnerability (CVE-2010-3654). This vulnerability affects version 10.1.53.64 and below. I used the

Android Malware Analysis: Foncy (2011-12-05)
Foncy is an SMS Android malware which targets European countries, with a few analyses:
Kaspersky
We can analyze it (sample sha256: 98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2) with Androguard and the Ded decompiler:
And we can easily obtain where permissions are used:
The sendTextMessage method is called 5 times in the bytecode. If you would like to have a better view

How to Fix iOS 5 Errors (2011-11-27)
How to fix iOS 5 problems? Believe me, almost every user of iOS 5 must have faced such errors while updating to iOS 5. The problem might have been a result of excessive phone calls, downloading, updating and pinging Apple’s servers.
There is nothing much to worry about, but the only solution is to carry on with the updating trials. The following tips work and all only for those who are

Jailbreak iOS 5.0/iOS 5.0.1 Using Ac1dSn0w (2011-11-27)
Wait, don’t get your hopes up! Yes, Ac1dSn0w is a new jailbreak tool, but it doesn’t bring a new “jailbreak” for iPhone 4S or iPad 2, or untether iOS 5. The Ac1dSn0w jailbreak tool was developed by PwnDevTeam and makes jailbreaking much easier. Below we’ll explain more.
The Ac1dSn0w beta version is now available, currently only for Mac OS X users. It does a tethered jailbreak of iOS 5 and

Anatomy of Self Inflicted Javascript Injection "facebook" (2011-11-17)
Facebook: Anatomy of Self-Inflicted Javascript Injection
Many are already familiar with "likejacking" (a form of "clickjacking"), in which a user is tricked into clicking on and interacting with the Facebook "like" button -- this has been one of the most common vectors of abusing Facebook. For example, the "like" button may be hidden behind an image such as a picture of an embedded YouTube video

Understanding Private Clouds (2011-11-14)

HTML5, Local Storage, and XSS (2011-11-14)
A nice new feature of HTML 5 is local storage. Briefly, this is a client-side storage option that can be easily accessed via JavaScript. The benefit of local storage over other client-side storage options is that it allows more storage space than the others (cookies, Flash objects, etc.). In addition, unlike cookies, the data is not automatically appended to every request by the browser.

Honey Potting for MS11-083 (2011-11-13)
MS11-083 has arrived and people are getting both excited and scared; it looks like it's going to be the next MS08-067, which, if you remember, Conficker used to bend Windows over and have a jol. Time for a honeypot?
In any case I took a moment and decided to write a script that would capture potential MS11-083 traffic in an attempt to capture this exploit in the wild (once it's out there, might

Duqu Installer Contained Microsoft Word Zero-Day Exploit (2011-11-09)
Earlier this week Symantec released an update on Duqu. Apparently an installer was found for Duqu (dubbed Stuxnet II) that used a Microsoft zero-day:
“The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they’re working diligently towards issuing a

The History of Computer Viruses (2011-11-09)

Memory Forensics (2011-11-09)
Pull Process & Network Connections from a Memory Dump
In the previous article, we learned how to pull passwords from a memory dump file. This time, we will cover viewing a process list and network connections from captured memory files.
Volatility’s “pslist” command can be used to view the processes that were running on a Windows system:
volatility pslist -f memdumpfilename.raw --profile

Hijacking Google Analytics (2011-11-07)
The Rambling Intro
This is a fun one I came up with while looking at a site this week. I feel sure that somebody else must have come up with this before me, but I’ve never seen anyone blog about it or anything, so here goes.
The back story is that somebody posted a link to some “password strength checker” website, in which of course you type your password and it tells you how long it thinks it

RemoteExec Computers List Buffer Overflow ROP Exploit (2011-11-07)
In this post I’ll be writing about a ROP (Return Object Programming) exploit that I had recently developed for a vulnerability I had discovered in an application called “RemoteExec”. The vulnerability is caused when opening a .rec file containing an overly long line, triggering a stack-based buffer overflow. It was first published in March 2010, reported in version 4.04 and fixed in version

Jailbreak iOS 5.0.1 On Windows Using Sn0wbreeze 2.8b9 – video (2011-11-04)
Sn0wbreeze v2.8b9 has been released by iH8sn0w, the well known hacker, to jailbreak iOS 5.0.1 beta. The new jailbreaking tool fixes iBooks sandbox crashing issues and location services issues for iPhone 3GS users running the iPad baseband; finally, Sn0wbreeze v2.8b9 fixes many issues and bugs.
Notes: Don’t forget it’s a tethered jailbreak for all devices except iPhone 3G old bootrom, and it

Win32/Duqu analysis: the RPC edition (2011-10-29)
My Russian colleagues Aleksandr Matrosov and Eugene Rodionov have found some time to do some more analysis on Win32/Duqu. (Don’t you guys sleep?)
In the previous post (http://blog.eset.com/2011/10/25/win32duqu-it%e2%80%99s-a-date) they concentrated on analyzing the Duqu configuration file format and extracting the exact date on which the system was infected. This time they investigated Duqu’s

Facebook Attach EXE Vulnerability (2011-10-28)
1. Summary:
When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this security mechanism. Note, you do NOT have to be friends with the user to send them a message with an attachment.
-----------------------------------------------------

Vulnerabilities in DNS Server Could Allow Remote Code Execution (2011-08-19)
MS11-058 was released to address two vulnerabilities in the Microsoft DNS Service. One of the two issues, CVE-2011-1966, could potentially allow an attacker who successfully exploited the vulnerability to run arbitrary code on Windows Server 2008 and Windows Server 2008 R2 DNS servers having a particular DNS configuration. We’d like to share more detail in this blog post and help you make a

SANS Investigative Forensic Toolkit (SIFT) Workstation v.2.1 Released (2011-08-19)
An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, which can match any modern forensic tool suite, is also featured in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). It