Latest Articles

Ghost In The Shellcode 2015 CTF: Write-up for cloudfs challenge

Hello there, in this post I will describe how I solved the cloudfs challenge of Ghost In The Shellcode 2015. This challenge was under the Forensics category and was awarded 200 points (middle ground!). It wasn’t so hard, and someone could argue that shouldn’t award the same points with “the alpha molecular” or the similars from the crypto category but it’s okay (it’s very common actually in every CTF to argue about points etc..). The point of that challenge was that it was using ICMP (so there isn’t any TCP Follow Stream option…) and that the file that was included was scattered across multiple packets.

January 19, 2015

LAYER 8 – Patching the un-patchable….

Computer systems and software have been continually evolving year upon year. Faster processing and data transfer coupled with more accessible storage have made crunching vast amounts of data possible in mere nanoseconds. Computer security and controls have improved as well, we now have intelligent firewalls, web proxies, file integrity monitoring, DLP, IAM and all sorts of amazing new technologies and emerging acronyms to help busy IT departments maintain the confidentiality, integrity and availability of their data and systems.

November 10, 2014,st

Playing with MS14-060 and MS14-058 [CVE-2014-4113 CVE-2014-4114] : Attacks and Defenses

Recently two 0-day exploits were revealed. The first one was given the name Sandworm, however, the name convention was mistakenly including the “worm” term as we will see. The second one CVE-2014-4113 is a privilege escalation local exploit for Windows. Sandworm as said includes the word “worm” most likely for making the situation more dramatic. A worm is a self-propagating piece of code that does not take human intervention. It is said that Sandworm was used in cyber espionage operations from Russians against NATO, European Union, and also against specific industries such as the energy sector (by targeting SCADA systems). Vulnerable targets are Windows Office 2010 and 2013. In order to have a successful attack, someone naive (or convinced!) to execute (open) a PowerPoint show file is needed. It is said that CVE 4113 strikes win32k.sys which is the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012, and allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014. Win32k.sys is responsible for window management, and any GUI process/thread that will use it. Its related user-mode modules are user32.dll and GDI32.dll. Due to the complex interaction with user-mode applications, there are many problems in Win32k.sys. The exploit was acquired in the wild, and a hacking team called HURRICANE PANDA created it. A null pointer de-reference in win32k.sys is the vulnerability and by abusing the xxxSendMessageTimeout function it is possible to execute arbitrary code.

November 10, 2014