Grey bar Blue bar
Share this:

Wed, 28 Oct 2009

Fasm2009 - Videos online..

The "Fasm conference is an informal meeting of coders interested in x86 assembly programming."

Some of the videos can be grabbed [sp_local|Other]

/mh

Tue, 29 Sep 2009

SensePost again accredited as a PCI ASV

SensePost is proud to announce that they have retained their status as an Approved Scanning Vendor for PCI DSS purposes.

This letter of acknowledgement was gladly received:

Truth be told, we did pop the bubbly for this one.

Tue, 22 Sep 2009

MS Threat Modeller

Just arbitrary coolness regarding Microsoft's Threat Modeller. It's XSS-ible...

Since this all works in file:///, not overly sure what the benefits of these things will be, but I suppose since different folks may have different privilege levels for different protocol handlers (ie: file:// http:// etc), one might be able to instantiate previously unusable OCX'es, or even redirect to site for exploiting browser vulnerabilities.

Never happened unless there are pictures, so refer below...

XSS strings in MS Threat Modeller

Cute alert()

Redirect to www.sensepost.com

A little further playing, along with some vulnerable ActiveX controls, and we find ourselves with a nice mechanism for getting remote code execution... :)

CALC.EXE

Finally, a little update. After reporting the issue to secure@microsoft.com, we get a response from Nate mentioning the following:

"Thank you again for bringing this to our attention. Given that this product has been deprecated, the MSRC won't open a case to investigate the issue. I am however going to contact the Download Center and see if we can get the download removed since new tools/versions are available. If you find the same or other issues in the current version/tool please let us know. If you have any questions or concerns please let me know."

A subsequent Google for the Microsoft Threat Modeling (sic) Tool this morning, provides the following...

Googling for Threat Modeling Tool

The first link is the package we're looking for. Clicking on the Cached page, we get:

Google Cached page

Clicking on the "really-real" link, we get the following...

Page Not Found

/ian

Fri, 11 Sep 2009

2 pieces of coolness...

a) was the politely dropped kaminsky firefox bug [http://lists.grok.org.uk/pipermail/full-disclosure/2009-September/070620.html]

It still requires a click for command execution, but considering its multi platform firefox ownage sans shellcode, i think its cool.. i think its even cooler that dan dropped it sans any fanfare..

b) has to be Pusscat's attack on the SMBv2 Remote bug published on [the VRT blog..]

From the post:

"we get lucky here as well in that there is a pointer srv!pSrvStatistics which also points to srvnet!SrvNetStatistics, and counts the number of requests that have been made to a specific call (as well as other things).

So the technique here is to firstly increment srvnet!SrvNetStatistics to be ffe6, ffd6, or 56c3 (jmp esi, call esi, push esi -> ret). Then we set ProcessHighID to a value that when multiplied by four and added to the base address of ValidateRoutines pushes us outside of srv2.sys and into srvnet.sys where we then end up dereferencing the pointer to srvnet!SrvNetStatistics. This now transfers control to the data in our packet which we can massage to gain execution.

"

Awesome++

Wed, 2 Sep 2009

About:SnowLeopard

Sure it only cost $29, but when you consider the number of people bowing down and thanking our Cupertino overlords you have to consider the following:

If the Emperor was given his new clothes today, #emperors_clothes would be trending on twitter (with ppl thanking the tailors for reduced closet space requirements)

/mh