Blog
Chaining multiple techniques and tools for domain takeover using RBCD
Intro
In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario that could be used to escalate privileges on an Active Directory domain.
I recently faced a network that had had several assessments done before. Luckily for me, before this engagement I had used some of my research time to understand more advanced Active Directory attack concepts. This blog post isn’t new and I used lots of existing tools to perform the attack. Worse, there are easier ways to do it as well. But, this assessment required different approaches and I wanted to show defenders and attackers that if you understand the concepts you can take more than one path.
Intro to Chrome’s V8 from an exploit development angle
Intro Last Christmas I was doing quite a bit of research around an exploit for Chrome’s JavaScript engine, V8. While most of the concepts around the exploit might seem familiar: for example, what is known as a Type Confusion today has the almost exact concept (or outcome) as a Use-After-Free vulnerability, one of the differences is that there is no free/malloc exploited directly; there is a huge difference in the root cause of the exploitability of Type Confusion vulnerabilities. This is due to the optimisation phases that happen in the JavaScript engine before the Type Confusion bug is triggered. Because of this, after tackling an exploit and realising there’s so much about the internals that I needed to know, I tried getting my head around the tooling and the optimisation pipeline happening within V8, by reading the code and working on some examples while supporting myself on an amazing tool called Turbolizer by the v8 dev team.
[Dual-Pod-Shock] Emotional abuse of a DualShock
Hacking PlayStation DualShock controllers to stream audio to their internal speakers.
Ciao a tutti.
Introduction I didn’t really know what this project was going to be about and where or how it would end up. The only thing I know is that I started working on it because one day I was bored and having a chat with a friend of mine:
Your flat is like a Luna Park for nerds. Just look around and, I am sure, you’ll figure out what to do. — He said.
Bypassing access control in BMC Control-D Report Viewer
BMC makes a number of mainframe-focused applications, one of which is Control-D. Control-D is a “Report Distribution system for distributed and mainframe platforms”. This blog post describes an authentication bypass vulnerability that was found, allowing access to restricted reports.
To make mainframe-based reports accessible outside the mainframe, and to avoid having to create mainframe accounts for every report consumer, BMC provides a web application, making the reports available via a browser.
Obtaining shells via Logitech Unifying Dongles
In this post, I will recap some of the security research conducted on wireless keyboards and mice, and eventually show how current wireless keyboards and mice can be used to obtain a covert shell on a target computer.
Around 2009, Max Moser realised that most wireless keyboards were simply transmitting the keystrokes in clear text. His initial research targeted systems using 27MHz radios. In 2010, he presented followup research targeting systems using 2.4GHz radios, which suffered from similar vulnerabilities. Manufacturers responded (eventually!) by encrypting the keystrokes, but most elected not to encrypt the mouse movements, because that would introduce latency and increase power consumption for no real benefit.
Hacking doom for fun, health and ammo
Remember iddqd and idkfa? Those are two strings were etched into my brain at a very young age where fond memories of playing shareware Doom live. For SenseCon ’19, Lauren and Reino joined me as we dove into some reversing of chocolate-doom with the aim of recreating similar cheats. The results? Well, a video of it is shown below. We managed to get cheats working that would:
Increment your ammo instead of decrement it.Increment everyone’s health for the amount it would have gone down for. Yes, you read right, everyone.Toggle cheats just like how they behaved in classic doom. The source code for our cheats live here if you want to play along, or maybe even contribute new ones :)
The power of variant analysis (Semmle QL) CVE-2019-15937 and CVE-2019-15938
Intro This post will try to do a small introduction to the QL language using real-world vulnerabilities that I found in the past, and it will end with a small challenge using QL.
A few months ago, I heard of Semmle QL for the first time, what they do is perform multiple code analysis techniques against source code, and dump these results into a database. Then using the QL language, you can query this data to perform variant analysis.
mettle your ios with frida
For a long time I have wondered about getting Meterpreter running on an iOS device using Frida. It wasn’t until I had a Twitter conversation with @timwr that I was reminded of Mettle. It was finally time to give it a try. I built an objection plugin that would load it for you, which you can find here. My talk at DEF CON 27 mainly covered some ideas on how we could interact with live object instances in interesting ways. However, there were also some examples of how we could use Frida’s Module.load() API to side load existing external tooling that come in the form of shared libraries (either by default or wrapping them ourselves). With Mettle targeting low-resource or embedded devices, its native code approach meant it also supported iOS. So if we could get a compiled Mettle dylib, we could load it with Frida. You don’t need Frida to load a dylib of course. Using something like insert_dylib would work just as well. The nice thing about using something like Frida though is that we have some external control over the loading process and any post processing that we may need.
PEAP Relay Attacks with wpa_sycophant
Back in 2018, I was interested that MSCHAPv2 and NTLMv1 hashes crack using the same algorithms, and wanting to get onto the WiFi of one of our clients, I naively thought “Surely if you can relay NTLMv1 and it uses the same crypto as MSCHAPv2, you should be able to relay MSCHAPv2!”. The resulted in the creation of wpa_sycophant (and its helper berate_ap) to perform PEAP relay attacks. It was presented in our Defcon talk last year from about 17m in.
Analysis of a 1day (CVE-2019-0547) and discovery of a forgotten condition in the patch (CVE-2019-0726) – Part 1 of 2
This post will cover my journey into the analysis of CVE-2019-0547 (Affecting the windows DHCP client), a vulnerability discovered by Mitch Adair of Microsoft Windows Enterprise Security Team and how I found a new issue in the same function.
Part 1Patch extractionPatch diffingProgram flow to the functionDHCP Options0x000x00Part 2Integer overflowNobody respects RFCs0xC0 “compression algorithm”Final conclusions Patch extraction Even though these first steps around patch downloading, extraction and diffing are already heavily documented over the internet, I will cover them here in any case.