Archive for the ‘Research’ Category

[Tool] Unique Pattern Generator for Exploit Development

CAUTION: I have realised, that this script gives wrong results after a certain length of characters. It’s not recommended for use. The intention for this script was for me to learn some coding – which I have. But I haven’ got the time at the moment to fix the errors. Hopefully, sometime in the future, I’ll be able to re-write the code. You can use corelanc0d3r’s pvefindaddr.py, which is an excellent script for Immunity Debugger.

Update: Thanks to corelanc0d3r for pointing out that my script does not generate an output same as the metasploit and pvefindaddr scripts. This is useful, as pointed by him, to anyone wishing to mix the outputs/offsets between the tools. I have made relevant changes to the code and also fixed another bug which prevented all offsets from being calculated.

While developing exploits, at times you require a unique string for which any 4 consecutive characters selected at an instance are unique across the string(or may be repeated only after a large gap of characters). This is mostly used to find the ‘offset’ of the characters which have over-written the EIP register.

Metasploit (version 3.0+) has a tool for both:
1) to generate the string pattern (tools/pattern_create.rb)
2) to find the offset of the required pattern (tools/pattern_offset.rb)
Continue reading

Exploiting ActiveX

I’ve been reading a very interesting paper over the weekend. It’s about exploiting ActiveX controls implemented in the Microsoft Windows OS (mostly IE).
The article is very lucid and easy to understand even for beginners. The paper is titled “ActiveX – Active Exploitation” and it’s written by ‘warlord’

Highly recommended. You can find the article here. I’m also adding it to my Reading Room for future reference.

Deobfuscating Javascript Malware

An edited version of this post has been added to my company blog at Checkmate

Some days back I was greeted by a Google Safe browsing warning when I tried visiting a ‘known’ site. As I was sure it was supposed to be clean and harmless site, I thought it would be good to dig further into this problem. The trail led to interesting amounts of codes, concepts and techniques.

Malware writers are very smart nowadays (haven’t they always been ?). They know that once their code is understood it most likely to be detected by anti-malware applications. To delay detection by such applications, they resort to a wide range of techniques. In this blog post I’ll be discussing the most potent and easily created malware.

Javascript has become the boon and bane of the Internet. It provides greater interactivity with the user but can also be used by malware writers to infect innocent users. Javascript is a client-side scripting technology which means the processing of the script is handled by the user’s browser.

Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret.

JavaScript is sometimes obfuscated to prevent users from easily understanding their functionality. ( Legitimate uses are to prevent stealing of code)
Continue reading

Indian Honeynet Project (IHP) Launched

The official India chapter of the Honeynet Project was launched some time back.

I’ve joined in as a member as it is a very interesting project and will provide for many learning opportunities.
I’ve even submitted a report on the initial setup and analysis that we’ve done at our office. You can check it out at
http://honeynet.org.in/projects_and_reports.htm

For further details about the initiative visit http://honeynet.org.in/index.htm

Follow

Get every new post delivered to your Inbox.

Join 299 other followers