Channel: BOT24
Viewing all 8064 articles
Browse latest View live

Control Flow Guard instrumentation example


Anonabox Analysis

NOTICE! This is still a "work in progress"!

On April 6, 2015, I received a brand new Anonabox.

The Anonabox is, according to their website:

anonymity in a box
Anonabox is a Tor hardware router for increased online privacy &
anonymity. This pocket size device offers a plug-and-play solution
to route ALL of your network traffic over the Tor network. You
heard that right, no software to install, no activation, & no
registration. Just plug it in and start cloaking your online activity.

more here.......https://reclaim-your-privacy.com/wiki/Anonabox_Analysis#Breaking_and_Entering

White Paper: “How to Design a Disaster Recovery and Business Continuity Plan“

Exploit.SWF CVE-2015-0336 Code

Description:
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334.

Exploit Code via Physicaldrive0 here..........http://pastebin.com/HnpPj4ug

Running System Commands Against Multiple SSH Servers With Metasploit

Want:
To run a command against multiple SSH servers, using Metasploit to do it.


How:
There is no multi_ssh_exec-type auxiliary module that runs commands. Luckily, the ssh_login module creates a command shell session for you on each successful login, so you can use the built-in sessions functionality to run a command against all your (SSH) sessions; more here...........http://carnal0wnage.attackresearch.com/2015/04/running-system-commands-against.html
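The two-step approach described above as an msfconsole resource script, added here as an example and not taken from the linked post: the host list path, the credential and the commands are placeholders.

```text
# Added example (not from the carnal0wnage post): save as multi_ssh.rc and run
# with `msfconsole -r multi_ssh.rc`. Paths, credential and commands are placeholders.
use auxiliary/scanner/ssh/ssh_login
set RHOSTS file:/tmp/hosts.txt
set USERNAME deploy
set PASSWORD changeme123
set THREADS 5
run

# Every successful login is now a command-shell session.
# `sessions -c` runs one command on all sessions and prints each host's output.
sessions -c "id; hostname; uname -a"

# Limit the command to specific session IDs with -i, then tear everything down.
sessions -c "tail -n 3 /etc/passwd" -i 1,2
sessions -K
```

Use a key instead of a password where the targets allow it (the module's KEY_PATH option), and keep THREADS modest: every successful login holds an interactive shell open until `sessions -K`.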

RDP TLS Certificate Deployment Using GPO

Remote Desktop has been the go-to remote administration tool for many IT professionals, and sadly many even expose it to the internet, leading to brute-force attacks and man-in-the-middle attacks. I still remember the first time I saw how easy it is from Irongeek's examples using Cain & Abel (http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff and http://www.irongeek.com/i.php?page=security/cain-rdp-mitm-parser). I have taken great care to make sure RDP connections in my network and customer networks are as secure as possible. Here is an example of how to deploy TLS certificates for use with RDP via GPO and how to configure some non-Microsoft systems.

read more here.......http://www.darkoperator.com/blog/2015/3/26/rdp-tls-certificate-deployment-using-gpo
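A per-host companion to the GPO deployment the post covers, added here as an example and not taken from darkoperator's write-up: it reads the RDP-Tcp listener's current certificate and security settings over WMI, binds a CA-issued server-authentication certificate from the machine store, and forces the TLS security layer plus Network Level Authentication. It assumes the certificate is already enrolled (for instance by the GPO auto-enrollment the post describes) and that the script runs elevated.

```powershell
# Added example (not from the linked post): audit and fix the RDP-Tcp listener on one host.
# Assumes a server-authentication certificate is already in Cert:\LocalMachine\My
# and that this runs in an elevated session.
param([string]$Thumbprint)

$ns  = 'root\cimv2\TerminalServices'
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# Current state. SecurityLayer: 0 = legacy RDP security (what Cain & Abel downgrades to),
# 1 = Negotiate, 2 = TLS only. UserAuthenticationRequired 1 = NLA on.
'Listener certificate : {0}' -f $rdp.SSLCertificateSHA1Hash
'SecurityLayer        : {0}' -f $rdp.SecurityLayer
'NLA required         : {0}' -f $rdp.UserAuthenticationRequired

if (-not $Thumbprint) {
    # Pick a CA-issued certificate with a private key and the Server Authentication EKU,
    # skipping self-signed ones, newest expiry first.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
            $_.Issuer -ne $_.Subject
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No CA-issued server-authentication certificate in LocalMachine\My' }
    $Thumbprint = $cert.Thumbprint
}

# Bind the certificate and require TLS + NLA in one write.
Set-WmiInstance -Path $rdp.__PATH -Arguments @{
    SSLCertificateSHA1Hash     = $Thumbprint
    SecurityLayer              = 2
    UserAuthenticationRequired = 1
} | Out-Null

# Re-read rather than trusting the write.
$after = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($after.SSLCertificateSHA1Hash -ne $Thumbprint) { throw 'Certificate binding did not apply' }
'Now bound to {0}; SecurityLayer={1}; NLA={2}' -f $after.SSLCertificateSHA1Hash,
    $after.SecurityLayer, $after.UserAuthenticationRequired
```

At scale the same three settings are what the GPO path enforces: the "Server authentication certificate template" policy selects the certificate, and "Require use of specific security layer for remote (RDP) connections" set to SSL plus "Require user authentication for remote connections by using Network Level Authentication" close the downgrade path the Cain & Abel demo relies on. Run the script read-only (comment out the Set-WmiInstance block) on a sample of hosts after the GPO applies to confirm the policy actually landed.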

HotExBilling Manager Cross-site scripting (XSS) vulnerability

Title:
====

HotExBilling Manager – Cross-site scripting (XSS) vulnerability

Credit:
======

Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:
=====

CVE-2015-2781

Date:
====

12-03-2015 (dd/mm/yyyy)

Vendor:
======

Hotspot Express has been in the billing solution business since 1997, under its earlier name EasyBrowsing. Initially it
designed billing solutions for Internet cafés. To date we have more than 10,000 installations across the globe.

Hotspot Express is one of the pioneers of complete WiFi solutions and has been serving for the past 10 years. Be it
WiFi hardware from any leading manufacturer or software solutions to secure and manage wired or wireless networks,
Hotspot Express has a solution. Whether you are a big corporate, an SME, a hotel, a resort or a cyber café, we have a
cost-effective solution for you. Not just for business alone: we have solutions for universities and colleges too.

Product:
=======

HotExBilling Manager is an integrated Captive Portal/AAA/Billing software solution from Hotspot Express on LINUX
platform.

Product link: http://www.hotspotexpress.in/products/hsp.html

Abstract:
=======

Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject
client-side script into Web pages viewed by other users.

Report-Timeline:
============
12-03-2015: Vendor notification
30-03-2015: Vendor notification (No response, Follow-up)
00-00-2015: Vendor Response/Feedback (No response)
00-00-2015: Vendor Fix/Patch (No response)
00-00-2015: Public or Non-Public Disclosure (No response)

Affected Version:
=============

V73


Exploitation-Technique:
===================

Remote


Severity Rating:
===================

5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)


Details:
=======


A Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject
client-side script into Web pages viewed by other users.

The missing HttpOnly flag on the session cookie lets an attacker read document.cookie with a successful XSS attack.

If an attacker could hijack the admin user's cookie, they could use it to log in to the admin portal and gain
overall control of the HotEx device, guest accounts and payment details.

Vulnerable Module(s):

hotspotlogin.cgi

Vulnerable Parameter:

reply

http://<Device IP>/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password

Caveats / Prerequisites:
======================

No Prerequisites

Proof Of Concept:
================

1) Open the URL below after replacing the device IP:

http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password

2) You should get a pop-up showing the document cookie (PHPSESSID).

PoC image: http://i62.tinypic.com/2hgwubq.jpg
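The sink and the two fixes the advisory points to, as an added example that is not HotEx code: a stand-in for hotspotlogin.cgi that reflects the `reply` parameter verbatim, the same handler with HTML output encoding, and the session cookie emitted with and without HttpOnly. The URL is the one quoted in the PoC; the handler bodies, the page markup and the session id are assumptions.

```python
"""Added example (not HotEx code): the reflected-XSS sink from the advisory,
its encoded counterpart, and the cookie flag that limits the impact."""
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# URL quoted from the advisory's PoC; 172.1.1.1 is the advisory's placeholder IP.
ADVISORY_URL = (
    "http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed&reply="
    "%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password"
)


def reply_param(url: str) -> str:
    """Return the URL-decoded `reply` parameter, as the CGI would receive it."""
    return parse_qs(urlsplit(url).query).get("reply", [""])[0]


def render_vulnerable(reply: str) -> str:
    """Assumed shape of the flaw: the parameter is placed in the page unchanged."""
    return f"<html><body><p class='error'>{reply}</p></body></html>"


def render_hardened(reply: str) -> str:
    """Same page with the parameter HTML-encoded for element content.
    quote=True also encodes quotes, so the value stays inert in attributes too."""
    return f"<html><body><p class='error'>{escape(reply, quote=True)}</p></body></html>"


def session_cookie_header(session_id: str, hardened: bool) -> str:
    """Set-Cookie value for the PHPSESSID cookie the advisory names.
    With HttpOnly the browser withholds it from document.cookie, so an XSS
    payload like the one above can no longer exfiltrate the session."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["path"] = "/"
    if hardened:
        jar["PHPSESSID"]["httponly"] = True
    return jar.output(header="").strip()


def script_reflected(page: str) -> bool:
    """Demo check: does a raw <script> tag survive into the rendered page?"""
    return "<script>" in page.lower()
```

Both changes are needed: encoding removes this injection point, HttpOnly limits what any remaining XSS can steal. Neither protects the captive-portal login itself, which the advisory shows running over plain HTTP.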


Credits:
=======

Bhadresh Patel
Security Analyst
HelpAG (www.helpag.com)

BELL’S DEFAULT PASSWORD POLICY LEAVES TENS OF THOUSANDS OF USERS EXPOSED


Security Audit Notes - Kerberos Security Issues (krb5-1.13 stable) - Advanced Information Security

-=[Advanced Information Security Corp]=-


Nicholas Lemonias
Report Date: 3/4/2015
Email: lem.nikolas () gmail com


Introduction
==============
During a source-code audit of the krb5-1.13 stable release (15 October 2014) for Linux, conducted internally by the Advanced Information Security Group, instances of insecure function use were observed which could lead to a number of attacks.

Software Overview
==================
Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client-server model and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.

Massachusetts Institute of Technology (MIT) developed Kerberos to protect network services provided by Project Athena. The protocol is based on the earlier Needham-Schroeder symmetric key protocol. Several versions of the protocol exist; versions 1-3 occurred only internally at MIT. Steve Miller and Clifford Neuman, the primary designers of Kerberos version 4, published that version in the late 1980s, although they had targeted it primarily for Project Athena. Version 5, designed by John Kohl and Clifford Neuman, appeared as RFC 1510 in 1993 (made obsolete by RFC 4120 in 2005), with the intention of overcoming the limitations and security problems of version 4. Authorities in the United States classified Kerberos as auxiliary military technology and banned its export because it used the Data Encryption Standard (DES) encryption algorithm (with 56-bit keys).

PoC 1 - Code Snippet [CWE 401 / CWE 476]
==============================
(.../src/ccapi/server/win/ccs_win_pipe.c:67)

struct ccs_win_pipe_t* ccs_win_pipe_new (const char* uuid, const UINT64 h) {

    cc_int32 err = ccNoError;
    struct ccs_win_pipe_t* out_pipe = NULL;
    char* uuidCopy = NULL;

    if (!err) {
        if (!uuid) {err = cci_check_error(ccErrBadParam);}
    }

    if (!err) {
        uuidCopy = (char*)malloc(1+strlen(uuid));
        if (!uuidCopy) {err = cci_check_error(ccErrBadParam);}
        strcpy(uuidCopy, uuid);
    }

    if (!err) {
        out_pipe = (struct ccs_win_pipe_t*)malloc(sizeof(struct ccs_win_pipe_t));
        if (!out_pipe) {err = cci_check_error(ccErrBadParam);}
        out_pipe->uuid = uuidCopy;
        out_pipe->clientHandle = h;
    }
#if 0
    cci_debug_printf("0x%X = %s(%s, 0x%X)", out_pipe, __FUNCTION__, uuid, h);
#endif
    return out_pipe;
}


Description: On the path shown, a failed malloc() sets err but execution continues in the same block: strcpy() writes through a NULL uuidCopy, and out_pipe->uuid is assigned through a NULL out_pipe. When the second malloc() fails, uuidCopy is also never freed (memory leak) [1].


PoC 2 - Code Snippet [CWE 457]
==============================
(.../src/lib/kadm5/chpass_util.c:110)

int code, code2;
unsigned int pwsize;
static char buffer[255];
char *new_password;
kadm5_principal_ent_rec princ_ent;
kadm5_policy_ent_rec policy_ent;

_KADM5_CHECK_HANDLE(server_handle);

if (ret_pw)
*ret_pw = NULL;

if (new_pw != NULL) {
new_password = new_pw;
} else { /* read the password */
krb5_context context;

if ((code = (int) kadm5_init_krb5_context(&context)) == 0) {
pwsize = sizeof(buffer);
code = krb5_read_password(context, KADM5_PW_FIRST_PROMPT,
KADM5_PW_SECOND_PROMPT,
buffer, &pwsize);
krb5_free_context(context);
}

if (code == 0)
new_password = buffer;
else {
#ifdef ZEROPASSWD
memset(buffer, 0, sizeof(buffer));
#endif
if (code == KRB5_LIBOS_BADPWDMATCH) {
strncpy(msg_ret, string_text(CHPASS_UTIL_NEW_PASSWORD_MISMATCH),
msg_len - 1);
msg_ret[msg_len - 1] = '\0';
return(code);
} else {
snprintf(msg_ret, msg_len, "%s %s\n\n%s",
error_message(code),
string_text(CHPASS_UTIL_WHILE_READING_PASSWORD),
string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED));
msg_ret[msg_len - 1] = '\0';
return(code);
}
}
if (pwsize == 0) {
#ifdef ZEROPASSWD
memset(buffer, 0, sizeof(buffer));
#endif
strncpy(msg_ret,
string_text(CHPASS_UTIL_NO_PASSWORD_READ), msg_len - 1);
msg_ret[msg_len - 1] = '\0';
return(KRB5_LIBOS_CANTREADPWD); /* could do better */
}
}

if (ret_pw)
*ret_pw = new_password;

Description: The finding is an uninitialized read of pwsize (CWE 457). In the excerpt, however, pwsize is assigned inside the `kadm5_init_krb5_context(&context) == 0` branch, and the only read, `if (pwsize == 0)`, is reached only when code == 0, which means that branch ran; a failed context initialisation returns through the else branch first. On the paths shown the variable is initialised before use, so the finding would need a path that is not in the excerpt.


PoC 3 - Code Snippet [CWE 401]
===============================
(.../src/lib/krb5/krb/rd_req_dec.c:672)

retval = krb5int_validate_times(context, &req->ticket->enc_part2->times);
if (retval != 0)
goto cleanup;

if ((retval = krb5_check_clockskew(context,
(*auth_context)->authentp->ctime)))
goto cleanup;

if (check_valid_flag) {
if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
retval = KRB5KRB_AP_ERR_TKT_INVALID;
goto cleanup;
}

if ((retval = krb5_authdata_context_init(context,
&(*auth_context)->ad_context)))
goto cleanup;
if ((retval = krb5int_authdata_verify(context,
(*auth_context)->ad_context,
AD_USAGE_MASK,
auth_context,
&decrypt_key,
req)))
goto cleanup;
}

/* read RFC 4537 etype list from sender */
retval = decode_etype_list(context,
(*auth_context)->authentp,
&desired_etypes,
&rfc4537_etypes_len);
if (retval != 0)
goto cleanup;

if (desired_etypes == NULL)
desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype));
else
desired_etypes = (krb5_enctype *)realloc(desired_etypes,
(rfc4537_etypes_len + 4) *
sizeof(krb5_enctype));
if (desired_etypes == NULL) {
retval = ENOMEM;
goto cleanup;
}

desired_etypes_len = rfc4537_etypes_len;


Description: realloc() returns NULL on failure and its result overwrites desired_etypes, so the list allocated by decode_etype_list() is unreachable by the time the code jumps to cleanup: a memory leak (CWE 401).

PoC 4 - Code Snippet [CWE 401]
================================
(.../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1440)

static char *
getstringtime(krb5_timestamp epochtime)
{
    struct tm tme;
    char *strtime=NULL;
    time_t posixtime = epochtime;

    strtime = calloc (50, 1);
    if (strtime == NULL)
        return NULL;

    if (gmtime_r(&posixtime, &tme) == NULL)
        return NULL;

    strftime(strtime, 50, "%Y%m%d%H%M%SZ", &tme);
    return strtime;
}

Description: strtime is allocated but not freed when gmtime_r() fails: a memory leak.


PoC 5 - Code Snippet [CWE 401]
================================
(.../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:1897)
char *rnd_buf;
size_t kbyte, klength;
krb5_data rnd_data;
krb5_error_code result;
NSSInitContext *ncontext;

if (counter_length > sizeof(counter))
return EINVAL;
result = krb5_c_keylengths(context, etype, &kbyte, &klength);
if (result != 0)
return result;
rnd_buf = malloc(dh_key_len);
if (rnd_buf == NULL)
return ENOMEM;

memset(counter, 0, sizeof(counter));
for (i = sizeof(counter) - 1; i >= 0; i--)
counter[i] = (counter_start >> (8 * (counter_length - 1 - i))) & 0xff;
rnd_len = kbyte;
left = rnd_len;
ncontext = NSS_InitContext(DEFAULT_CONFIGDIR,
NULL,
NULL,
NULL,
NULL,
NSS_INIT_READONLY |
NSS_INIT_NOCERTDB |
NSS_INIT_NOMODDB |
NSS_INIT_FORCEOPEN |
NSS_INIT_NOROOTINIT |
NSS_INIT_PK11RELOAD);
while (left > 0) {
ctx = PK11_CreateDigestContext(hash_alg);
if (ctx == NULL) {
krb5int_zap(buf, sizeof(buf));
krb5int_zap(rnd_buf, dh_key_len);
free(rnd_buf);
return ENOMEM;
}
if (PK11_DigestBegin(ctx) != SECSuccess) {
PK11_DestroyContext(ctx, PR_TRUE);
krb5int_zap(buf, sizeof(buf));
krb5int_zap(rnd_buf, dh_key_len);
free(rnd_buf);
return ENOMEM;
}
if (PK11_DigestOp(ctx, counter, counter_length) != SECSuccess) {
PK11_DestroyContext(ctx, PR_TRUE);
krb5int_zap(buf, sizeof(buf));
krb5int_zap(rnd_buf, dh_key_len);
free(rnd_buf);
return ENOMEM;
}
if (PK11_DigestOp(ctx, dh_key, dh_key_len) != SECSuccess) {
PK11_DestroyContext(ctx, PR_TRUE);
krb5int_zap(buf, sizeof(buf));
krb5int_zap(rnd_buf, dh_key_len);
free(rnd_buf);
return ENOMEM;
}
if ((other_data_len > 0) &&
(PK11_DigestOp(ctx, (const unsigned char *) other_data,
other_data_len) != SECSuccess)) {
PK11_DestroyContext(ctx, PR_TRUE)

Description: The report states that rnd_buf in pkinit_octetstring_hkdf() can be leaked on an allocation failure. In the lines shown, every failure branch zaps and frees rnd_buf before returning; the excerpt is truncated, and the one unchecked call visible is NSS_InitContext(), whose result ncontext is never tested before the digest loop runs.


PoC 6 - Code Snippet [CWE 401]
==================================
(.../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1909)


/* transfer the decoded PKCS7 SignedData message into a separate buffer */
for (;;) {
    if ((tmp_buf = realloc(tmp_buf, size + 1024 * 10)) == NULL)
        goto cleanup;
    i = BIO_read(out, &(tmp_buf[size]), 1024 * 10);
    if (i <= 0)
        break;
    else
        size += i;
}
tmp_buf_len = size;


Description: As in PoC 3, the realloc() result overwrites tmp_buf, so when realloc() fails the buffer filled so far is lost before the jump to cleanup, where free(tmp_buf) then frees NULL (CWE 401).
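The realloc() pattern flagged in PoC 3 and PoC 6, as an added example that is not krb5 code: a read loop shaped like the excerpt above, its fixed form that grows through a temporary pointer, and a small tracked allocator with an injectable failure so the leak is observable rather than inferred. The chunk size, the constructed "SignedData" input and all names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not krb5 code. A tiny tracked allocator so the realloc()
 * failure path in the two excerpts above can be exercised deterministically. */
#define MAX_TRACKED 16
#define CHUNK 4                      /* small stand-in for krb5's 1024 * 10 */

static void *tracked[MAX_TRACKED];
static int realloc_calls, fail_on_call;   /* fail_on_call = N fails the Nth realloc() */

static void track(void *p)   { for (int i = 0; i < MAX_TRACKED; i++) if (!tracked[i]) { tracked[i] = p; return; } }
static void untrack(void *p) { for (int i = 0; i < MAX_TRACKED; i++) if (tracked[i] == p) { tracked[i] = NULL; return; } }
int live_blocks(void)        { int n = 0; for (int i = 0; i < MAX_TRACKED; i++) if (tracked[i]) n++; return n; }

/* Same contract as realloc(): on failure returns NULL and leaves p valid. */
static void *t_realloc(void *p, size_t n)
{
    if (++realloc_calls == fail_on_call)
        return NULL;
    void *q = realloc(p, n);
    if (q) { if (p) untrack(p); track(q); }
    return q;
}
static void t_free(void *p) { if (p) { untrack(p); free(p); } }

/* Constructed input standing in for the BIO the excerpt reads from. */
static const char SRC[] = "SignedData";             /* 10 bytes */
static size_t src_pos;
static int fake_read(char *dst, size_t max)
{
    size_t left = sizeof(SRC) - 1 - src_pos, n = left < max ? left : max;
    memcpy(dst, SRC + src_pos, n);
    src_pos += n;
    return (int)n;
}
static void reset(int fail_at)
{
    for (int i = 0; i < MAX_TRACKED; i++) if (tracked[i]) { free(tracked[i]); tracked[i] = NULL; }
    realloc_calls = 0; fail_on_call = fail_at; src_pos = 0;
}

/* Pattern from the excerpt: tmp_buf takes realloc()'s result directly, so when
 * that is NULL the previously filled block can no longer be freed (CWE-401). */
static char *slurp_leaky(size_t *out_len)
{
    char *tmp_buf = NULL; size_t size = 0; int i;
    for (;;) {
        if ((tmp_buf = t_realloc(tmp_buf, size + CHUNK)) == NULL)
            goto cleanup;                   /* old tmp_buf now unreachable */
        i = fake_read(&tmp_buf[size], CHUNK);
        if (i <= 0) break;
        size += i;
    }
    *out_len = size;
    return tmp_buf;
cleanup:
    t_free(tmp_buf);                        /* frees NULL: the real buffer leaks */
    return NULL;
}

/* Fixed: grow through a temporary so tmp_buf stays valid when realloc() fails. */
static char *slurp_safe(size_t *out_len)
{
    char *tmp_buf = NULL, *bigger; size_t size = 0; int i;
    for (;;) {
        if ((bigger = t_realloc(tmp_buf, size + CHUNK)) == NULL)
            goto cleanup;
        tmp_buf = bigger;
        i = fake_read(&tmp_buf[size], CHUNK);
        if (i <= 0) break;
        size += i;
    }
    *out_len = size;
    return tmp_buf;
cleanup:
    t_free(tmp_buf);                        /* frees the last good buffer */
    return NULL;
}

/* Drivers: live block count after the 3rd realloc() fails (1 = leaked, 0 = clean),
 * and the byte count read when nothing fails. */
int leaky_live_after_failure(void) { size_t n; reset(3); char *p = slurp_leaky(&n); t_free(p); return live_blocks(); }
int safe_live_after_failure(void)  { size_t n; reset(3); char *p = slurp_safe(&n);  t_free(p); return live_blocks(); }
int safe_total_read(void)
{
    size_t n = 0; reset(0);
    char *p = slurp_safe(&n);
    int ok = p != NULL && n == 10 && memcmp(p, SRC, 10) == 0;
    t_free(p);
    return ok ? (int)n : -1;
}
```

The same two-line change (assign to a temporary, copy on success) fixes both excerpts; the tracked allocator is only there so the leaky variant can be shown failing rather than described.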


PoC 7 - Code Snippet [CWE 467]
===============================
(.../src/windows/leashdll/krb5routines.c:183)


/* initialize ticket cache */
if ((icode = pkrb_in_tkt(v4creds->pname, v4creds->pinst,
                         v4creds->realm) != KSUCCESS)) {
    goto cleanup;
}

/* stash ticket, session key, etc. for future use */
if ((icode = pkrb_save_credentials(v4creds->service, v4creds->instance,
                                   v4creds->realm, v4creds->session,
                                   v4creds->lifetime, v4creds->kvno,
                                   &(v4creds->ticket_st), v4creds->issue_date))) {
    goto cleanup;
}

cleanup:
memset(v4creds, 0, sizeof(v4creds));
free(v4creds);
if (v5creds) {
    pkrb5_free_creds(ctx, v5creds);
}


Description: sizeof(v4creds) is the size of the pointer (4 or 8 bytes), not of the structure it points to; the intent is sizeof(*v4creds). The memset therefore clears only the first few bytes before free(), leaving the session key and ticket in freed memory. Since the write is smaller than the object this is an incomplete scrub of credential material, not an overflow. The excerpt also shows a misplaced parenthesis in `if ((icode = pkrb_in_tkt(...) != KSUCCESS))`, which stores the result of the comparison in icode rather than the return code.


PoC 8 - Code Snippet [CWE 120]
===============================
(.../src/windows/leashdll/lshfunc.c:534,539)


sscanf(principal, "%[/0-9a-zA-Z._-]@%[/0-9a-zA-Z._-]", first_part, second_part);
strcpy(temp, first_part);
strcpy(realm, second_part);
memset(first_part, '\0', sizeof(first_part));
memset(second_part, '\0', sizeof(second_part));

if (sscanf(temp, "%[@0-9a-zA-Z _-]/%[@0-9a-zA-Z _-]", first_part,
           second_part) == 2)
{
    strcpy(aname, first_part);
    strcpy(inst, second_part);
}

Description: The %[...] conversions carry no maximum field width, so a principal longer than the destination buffers (first_part, second_part, and through the strcpy() calls temp, realm, aname and inst) overflows them. Each conversion needs a width sized to its destination, such as %63[...] for a 64-byte buffer, and the return value should be checked before the results are used [2].
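A bounded replacement for the two sscanf() calls above, as an added example that is not krb5 code: every conversion carries a width equal to the destination size minus one, and %n records how much input was consumed so an over-long component is rejected instead of silently truncated. The struct, the 63-character component limit and the character classes (taken from the excerpt, with '@' separating name and realm) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not krb5 code. The component size is an assumption. */
#define PART_MAX 63

struct principal {
    char aname[PART_MAX + 1];
    char inst[PART_MAX + 1];
    char realm[PART_MAX + 1];
};

/* Parse "name[/instance]@REALM" into fixed buffers. Returns 1 on success and
 * 0 on malformed or over-long input. The %63[...] widths stop sscanf() one
 * byte short of each buffer's end; %n exposes input that was left unconsumed. */
int parse_principal(const char *principal, struct principal *out)
{
    char temp[PART_MAX + 1];
    int consumed = 0;

    memset(out, 0, sizeof(*out));          /* sizeof(*out), not sizeof(out) */

    if (sscanf(principal, "%63[/0-9a-zA-Z._-]@%63[0-9a-zA-Z._-]%n",
               temp, out->realm, &consumed) != 2 || principal[consumed] != '\0')
        return 0;                          /* no '@', bad chars, or a part longer than 63 */

    consumed = 0;
    if (sscanf(temp, "%63[0-9a-zA-Z._-]/%63[0-9a-zA-Z._-]%n",
               out->aname, out->inst, &consumed) == 2)
        return temp[consumed] == '\0';     /* reject a third component */

    if (strchr(temp, '/') != NULL)         /* "/inst" or "name/" */
        return 0;
    memcpy(out->aname, temp, strlen(temp) + 1);   /* temp and aname are the same size */
    out->inst[0] = '\0';
    return 1;
}

/* Drivers returning 1 when the case behaves as intended. */
int demo_full_principal(void)
{
    struct principal p;
    return parse_principal("alice/admin@EXAMPLE.COM", &p)
        && strcmp(p.aname, "alice") == 0 && strcmp(p.inst, "admin") == 0
        && strcmp(p.realm, "EXAMPLE.COM") == 0;
}

int demo_no_instance(void)
{
    struct principal p;
    return parse_principal("bob@EXAMPLE.COM", &p)
        && strcmp(p.aname, "bob") == 0 && p.inst[0] == '\0'
        && strcmp(p.realm, "EXAMPLE.COM") == 0;
}

/* A 73-character name: the unbounded original would run past a 64-byte
 * first_part; here the width stops at 63 and the literal '@' then fails to match. */
int demo_overlong_rejected(void)
{
    char buf[PART_MAX + 40];
    struct principal p;
    memset(buf, 'a', PART_MAX + 10);
    strcpy(buf + PART_MAX + 10, "@EXAMPLE.COM");
    return parse_principal(buf, &p) == 0 && p.aname[0] == '\0';
}
```

The width has to be maintained by hand when the buffer size changes, which is why the sizes share one macro here; a mismatch between the two is the same bug with a smaller window.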



Appendices
===========
Sincere Thanks to the Kerberos team for their mutual security efforts.


References
===========

[1] M. Howard, D. LeBlanc, Writing Secure Code, Second Edition, Microsoft Press.

[2] Oracle, scanf(3C), man pages section 3: Basic Library Functions [Online].
Available at: http://docs.oracle.com/cd/E36784_01/html/E36874/scanf-3c.html
[Last accessed 2 April 2015]

Secure Coding – Some Developer Pitfalls

Over the next few weeks, I will be releasing some teaser information from my talk, “Secure Coding: Bad Guy says do this so I can pwn you”. It's an hour-long talk I am available to give to any organization. Please contact me to book a time.

Background… This talk takes a less traditional approach to talking about secure coding/development. It does not go into language-specific, nit-noid details of buffer overflow (et al) prevention. Rather, this talk presents the top 5 coarse coding meta vectors that an attacker like me takes to exploit code. These are the key entry points that are leveraged to gain that first “exploit” in the attack chain.

By presenting more “meta”-level concepts, developers have easier to remember, higher-level, language-agnostic concepts to guide their secure coding considerations.

One of the key threats to secure coding is what I call “Developer Mindset” pitfalls. Having been a developer, I know these exist and are real. I have fallen for them, as well as watched others. Repeatedly. These pitfalls represent the initial blocks preventing the developer from embracing the meta vectors, much less actually instituting them.

more here............http://badguyfu.net/secure-coding-some-developer-pitfalls/

Decrypting WebLogic Passwords

OWASP ZAP Integration Guide for Web Penetration Testing

MMD-0031-2015 - What is NetWire (multi platform) RAT?

There has been talk internally in our group about a RAT (Remote Access Trojan) that is commonly found and used by crooks, called "NetWire RAT". The talk is about why this RAT is so commonly found in carding, POS and other hack cases related to cyber-criminal activity, whether this RAT is multi-platform, etc.

more here..........http://blog.malwaremustdie.org/2015/04/mmd-0031-2015-what-is-netwire-rat.html

Lock Down Strategies for Linux Servers

Most of the security defenses on Linux are based on hardening activities performed earlier. By locking down components on the system, the chance of a full compromise is lowered. This step-by-step locking down is a time-consuming process. Time to review some of the strategies which can be applied when you want to secure your systems; more here..........http://linux-audit.com/lock-down-strategies-for-linux-servers/

Paper: Using Hardware Features for Increased Debugging Transparency

Abstract—With the rapid proliferation of malware attacks on
the Internet, understanding these malicious behaviors plays a
critical role in crafting effective defense. Advanced malware
analysis relies on virtualization or emulation technology to run
samples in a confined environment, and to analyze malicious
activities by instrumenting code execution. However, virtual machines
and emulators inevitably create artifacts in the execution
environment, making these approaches vulnerable to detection or
subversion. In this paper, we present MALT, a debugging framework
that employs System Management Mode, a CPU mode in
the x86 architecture, to transparently study armored malware.
MALT does not depend on virtualization or emulation and thus
is immune to threats targeting such environments. Our approach
reduces the attack surface at the software level, and advances
state-of-the-art debugging transparency. MALT embodies various
debugging functions, including register/memory accesses, breakpoints,
and four stepping modes. We implemented a prototype of
MALT on two physical machines, and we conducted experiments
by testing an array of existing anti-virtualization, anti-emulation,
and packing techniques against MALT. The experimental results
show that our prototype remains transparent and undetected
against the samples. Furthermore, our prototype of MALT
introduces moderate but manageable overheads on both Windows
and Linux platforms.

more here.........http://kleach.cs.virginia.edu/papers/sp-15.pdf

How I hacked into the Warface in-game protocol

This analysis of the Warface in-game communication protocol goes against multiple points of the Crytek Terms of Service. So… I am not responsible for other people's acts in trying to reproduce what's shown here, and I discourage anyone not aware of the possible risks (permanent ban, account deletion, etc.). Please do read the Crytek ToS before attempting to reproduce what's described here.

Update: Some of the exploits or remarks will already have been fixed by the time you read this. Indeed, while I was writing this document, I also raised the issues with Crytek devs and gave them time to digest. I've kept them here in the hope that they make good stories to tell. Sadly for them, the main content of this analysis still remains valid.

In this analysis, we'll go through the reverse-engineering process I went through in order to create an XMPP proxy for Warface, letting anyone chat with any in-game connected player without needing to launch the game itself at all.

more here.......http://wf.comuv.com/

There's a Massive, Illicit Bust of Edward Snowden Stuck to a War Monument in Brooklyn

OVER-INDULGENCE IN THE EASTER EGGSPLOIT KIT

ChameleonMini

ChameleonMini is a versatile emulator for contactless smartcards compliant to ISO 14443 and ISO 15693. The freely programmable platform can create perfect clones of various existing commercial smartcards, including cryptographic functions and the Unique Identifier (UID). It can be employed to assess security aspects in RFID and NFC environments in different attack scenarios, such as replay or relay attacks, sniffing of RFID communication, or functional tests of RFID equipment.

more here..........https://github.com/emsec/ChameleonMini/wiki

Writing Hacking Tools with Python, Part 1
