2017
Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks!
Hello again and welcome to the third of our series. On today’s blog post we are going to see what is and how can we abuse a double free(). We are also going to take advantage of leaks that happen when doing double free()‘s and see some examples of code execution using said leaks – we are making our execution ride on frees! As a last note, we are going to…
building the bsidescpt17 rfchallenge
In this post I want to talk a little about the BSides Cape Town 17 RFCat challenge and how I went about trying to build a challenge for it. Unfortunately I was not able to able to attend the con itself, but still had the privilege to contribute in some way! The first question you may have could be: “But why RFCat?”. Truthfully, some people that are way better at…
gowitness – a new tool for an old idea
On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8 to be precise. While it is possible to scan ranges like that with things like masscan, nmap and the likes, I was interested in web interfaces for this particular client as I quickly came to realise that they had a large amount of third party web services exposed with default login…
A distinguisher for SHA256 using Bitcoin (mining faster along the way)
This post assumes a passing familiarity with what a Distinguishing Attack on a cryptographic hash is, as well as the high level composition of Bitcoin block headers and mining them. tldr: To distinguish between an ideal random permutation hash and SHA256, hash a large amount (~2^80) of candidate 1024 bit blocks twice, as done in Bitcoin. Ensure that the bits of the candidate blocks are sparsely set (much fewer than…
Outlook Home Page – Another Ruler Vector
Ruler has become a go to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This has resulted in security being pushed forward and Microsoft responding with patches for the two vectors used in Ruler, namely rules and forms. These were patched with KB3191938 and KB4011091 respectively. This puts us back into the cat and mouse game of attack versus defence, with attack needing to find a new vector.…
Macro-less Code Exec in MSWord
Authors: Etienne Stalmans, Saif El-Sherei What if we told you that there is a way to get command execution on MSWord without any Macros, or memory corruption?! Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to…
Recreating certificates using Apostille
Sometimes on an engagement, you’d like to construct a believable certificate chain, that you have the matching private keys for. An example might be that a mobile app is doing cert pinning, based on attributes of the signing certificate, such as the Canonical Name (CN), serial number, or Issuer, or that you are intercepting an embedded app that only supports a particular algorithm. Whatever the reason, it’s a fairly complicated…
NotRuler – Turning Offence into Defence
We’ve spent a lot of time creating Ruler and turning it into, what we think, is a useful attack tool. The goal behind the project was to highlight the command execution potential around weak credentials when combined with Exchange and Microsoft Outlook. That goal has largely been met, with the ability to now demonstrate that compromising user credentials can be much more than “just” reading email. Microsoft has also been…
Linux Heap Exploitation Intro Series: The magicians cape – 1 Byte Overflow
Hello again! It’s been a while since the last blog post. This is due to not having as much time as we wanted but hopefully you all kept the pace with this heapy things as they are easy to forget due to the heavy amount of little details the heap involves. On this post we are going to demonstrate how a single byte overflow, with a user controlled value, can…
DEEP INSERT – Card Skimmer Research
So I get a phone call from Daniel on a Wednesday night, Stu, can you bring your hardware stuff with you tomorrow, I’ve been given a card skimmer that i want us to see what we can get from it. So I get my bag ready with the hardware tools i have, RS232 to USB UART adapter, Saelea 8 Channel Logic Analyser, and numerous other components. Thursday comes round and…
Page 1 of 3
Next