Sniffing USB traffic with VMWare

Wed 06 April 2011 by jj

VMWare offers the possibility to dump any USB traffic at the lowest level to a dump file. We'll describe here how to activate this feature, and additionally publish a script to convert the dump file to the PCAP format, suitable for use with Wireshark.

Enable USB logging

VMWare can ...


x64 spoon

Wed 16 February 2011 by ivan

While coding and debugging some low-level stuff I sometimes need to write a little piece of assembly code to see if I'm right. Until now, I was writing code into a process debugged with OllyDbg, and stepping it. Pretty ugly, but it works when you want to know what ...


Splitting a mercurial repository: HgSplit

Wed 09 February 2011 by jj

Here at the R&D lab we use mercurial for our code versioning.

One of the problems we faced was that sometimes we would commit big files like PDFs or raw data into a repository. This is fine, as long as the repository remains for internal eyes only. Then at ...


Training at CanSecWest 2011: Advanced binary deobfuscation

Thu 03 February 2011 by jj

Yoann 'jj' Guillot will also be giving a course about advanced binary deobfuscation, during the next CanSecWest Dojo session in Vancouver (March 7th/8th).

The course will teach you how to overcome state-of-the-art binary obfuscation.

You will see, and learn to defeat:

  • traditional junk,
  • arithmetic code hiding,
  • code flattening,
  • and ...

IIS Backdoor

Wed 02 February 2011 by julien

In this article I will explain how I designed a rootkit for Microsoft Internet Information Services (IIS). The question is: why a backdoor in a web server?

First obvious but useless answer: because we can.

Ok, let us give a more clever answer. The purpose of backdooring a web server ...


Training at CanSecWest 2011: Analysis of malicious documents

Mon 31 January 2011 by guillaume

Jean-Baptiste and Guillaume will give a course about malicious document analysis during the next CanSecWest Dojo session in Vancouver (March 7th/8th).

The course deals with two major cases: PDF and Microsoft Office documents. Nowadays those two file formats have become a common vector to exploit end-user systems. Their respective ...


Metasm recipes: working with a process image

Tue 18 January 2011 by jj

Today we'll discuss how Metasm can be used to work with a process memory dump, and also how to search for gadgets suitable for a short ROP sequence.

While working on a vulnerability on a Windows server, we had the following premises:

  • Non-executable heap
  • Randomised address space (except for ...

CVE-2010-3830 - iOS < 4.2.1 packet filter local kernel vulnerability

Thu 09 December 2010 by jean

This post will describe a recent iPhone kernel vulnerability discovered by comex and used in the limera1n and Greenpois0n jailbreaking tools. Both tools exploit a BootROM vulnerability found by geohot to get initial code execution on the device, and comex's kernel exploit is then used to make the jailbreak ...


Padding Oracle attack and its applications on ASP.NET

Fri 03 December 2010 by thomas

ASP.NET is a group of Web development technologies created by Microsoft, which offers developers an easy way to create dynamic web sites, web applications, or XML web services. To use it, a compatible web server is needed (like Microsoft IIS for example). ASP.NET is part of Microsoft.NET ...


ESET CONFidence 2010 Crackme - WriteUp

Wed 01 December 2010 by JB

ESET proposed a crackme during the CONFidence conference. The challenge started on November 29th and lasted two days. The goal was to find a valid username/serial combination. The challenge was won by Dmitry Sklyarov, from ElcomSoft. This article will present a solution for the crackme, and the steps needed to write ...
