voidsec 2020-03-13T09:49:32+01:00
Assignment #3: Egghunter
This time the assignment was very interesting. Here are the requirements: study an egg hunting shellcode and create a working demo; it should be configurable for different payloads.
Like many before me, I started my research journey with Skape's paper "Searching Process Virtual Address Space". I was honestly amazed by the paper's content: it is not only very well written and explained, but it's mind-blowing. Understanding why and how egg hunter shellcode should be crafted in such a tailored way...
voidsec 2020-03-13T09:49:22+01:00
Assignment #2: Reverse TCP Shell
Create a shell_reverse_tcp shellcode that connects back to an IP address on a specific port and executes a shell. The IP address and port number should be easily configurable.
Again, instead of going for the path of writing a C TCP reverse shell from scratch, I decided to generate a raw Metasploit payload and analyze it with libemu.
Analyzing the Shellcode
All the code is also available on GitHub.
This time the analysis will be a lot shorter...
voidsec 2020-03-13T14:56:23+01:00
Before attending the Corelan training and the OSCE certification, I decided to start Pentester Academy's x86 Assembly Language and Shellcoding on Linux course.
The next few blog posts (~7) will contain the assignment solutions for the SLAE certification exam.
Assignment #1: Bind TCP Shell
Create a shell_bind_tcp shellcode that binds to a port and executes a shell on an incoming connection; the port number should be easy to configure.
Instead of going for the path of writing a C bind TCP shell from...
Last month I was a speaker at the M0leCon Conference (Turin, Italy, 30 November) with a talk named:
SCADA, A PLC's Story
During the last few years, SCADA quickly gained the major news headlines with different frightening articles: from STUXNET to breaches like the electrical power supply grid in Ukraine (December 2015). Since SCADA systems are actively used across various industries (oil & gas, pharma, power plants, critical infrastructures) to perform critical operations on a daily basis, SCADA security has also become...
voidsec 2019-12-09T23:07:27+01:00
During a recent Red Team engagement, I was able to become domain admin on the client's network; I decided to investigate further into the "sys admin" workstations and management network in order to recover more information about the network topology and assets, dumping more passwords and gaining access to firewalls/switches and servers' VLANs.
Enumerating the sysadmins' workstations, I discovered a Windows tool used to connect via SSH.
SolarPuttyDecrypt is a post-exploitation/forensics tool to decrypt SolarPuTTY's session files and retrieve plain-text credentials...
Windows Kernel Debugging & Exploitation Part1 – Setting up the lab
voidsec 2019-07-17T14:35:29+02:00
Recently I was thrilled with the opportunity to build a PoC for the ms-14-066 vulnerability, aka "winshock" (CVE-2014-6321). While that will be material for another blog post, in order to debug the vulnerability I had to set up a lab with Windows kernel mode debugging enabled. So, without any further ado, here are my setup and the steps I used to enable Windows kernel debugging.
Host system: Windows 10 with VMware Workstation 15.1.0 (build-13591040)
Windows 7 x86 Ultimate SP1 (debugger)
State of Industrial Control Systems (ICS) in Italy
voidsec 2019-06-24T14:10:47+02:00
Industrial Control Systems: what are they?
TL;DR: In a nutshell, Industrial Control Systems (ICS) are "computers" (PLCs) that control the world around you. They're responsible for managing the air conditioning in your office, the turbines at a power plant, the lighting at the theatre or the robots at a factory.
Industrial Control System (ICS) is a general term used to describe several types of control systems and associated instrumentation used for industrial process control.
Such systems can range from a few modular...
voidsec 2021-01-08T14:42:40+01:00
After a lot of effort and a long month of alpha testing, today I'm proud to announce the launch of ECG's closed beta.
What is ECG? (tl;dr)
ECG is a TCL static source code analysis tool. It is the first commercial solution able to detect real and complex security vulnerabilities in TCL/ADP source-code.
Want to know more about ECG? Visit ECG's main website!
What is TCL?
TCL is a high-level, general-purpose, interpreted, dynamic programming language. It was designed with the goal of being very...
Rubyzip insecure ZIP handling & Metasploit RCE (CVE-2019-5624)
This is a re-posting of the original article "On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)" that I wrote on Doyensec.
During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entrypoint to triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path...
Over the past months I have been a speaker at various international conferences: Hackinbo (Italy, 26-27 May), Sec-T (Stockholm, 13-14 September) and Hacktivity (Budapest, 12-13 October) with a talk named: "A Drone Tale: All Your Drones Belongs To Us".
A talk in which I analysed in detail the DJI Phantom 3 model's architecture and its attack vectors, and reverse-engineered the SDK and the network protocol. I also had a specific section focused on drone forensics artefact analysis and methodology.
Here you can find and download...