October 3, 2012
HTML5 Heap Spray – EUSecWest 2012
Federico and I have just come back from our holidays after EUSecWest.
The conference was awesome, as usual. Very interesting talks, great people, and of course, great hosts.
In our talk, we presented a new technique to populate the heap in a multithreaded fashion making use of HTML5.
It’s very simple and it offers several benefits:
- Very fast
- Browser independent
- Supported by computers, smartphones, smart TVs and video game consoles
Still using strings to heap spray & feng shui? Take a look at the slides.
You can download them here or view them online here. Alternatively, if you don't like Prezi, you can obtain a PDF version here.
July 2, 2012
Very often you find yourself reversing a completely unknown firmware from some memory dump, knowing very little about it: perhaps the processor architecture, the kind of work it does, etc.
Generally, you can search for patterns (like the opcodes from the function prologue) to try to define the first functions, look for strings that could add some extra info, look for headers that give us an idea of how the firmware is structured and, of course, try to identify the libc itself and its location.
These last two points are, in my opinion, the most important ones.
Often, we have to go without all this important information. Maybe we don't have any strings. Or we have them, but there are no code references to them, so we can't link them to the code. Maybe we can't reproduce the in-memory layout of the firmware and its structure.
Well, this is the exact situation that made me think of developing this script.
Continue reading ‘[Quickpost] [IDAPython] Locating libc in an unknown firmware without string references.’
March 9, 2012
Today, I'm releasing through Core a Python tool (with an amazing ultra l337 GUI) that helps the exploit writer add reliability to their exploits by tracking their heap sprays in a graphical way. These graphics can then be analyzed together in order to find heap spray intersections between several runs of different software versions and platforms.
Heappie! consists of 3 main scripts:
- heappie-analyzer.py: The script in charge of the process/dump analysis; it finds the patterns in memory and generates a log to be visualized with the viewer.
- heappie-viewer.py: The script that generates the graphics.
- Heappie.py: The front end. It's just a cheap GUI I made to simplify the whole process of running the scripts.
Continue reading ‘Heappie! – Heap spray analysis tool.’
December 6, 2011
Hey folks! This time I'm gonna share with you a small IDAPython tool made by Federico Muttis (aka @acid_; maybe you remember him from the pretty awesome Pidgin vulnerability or the WebEx one). This is one of those scripts that you have to use and reuse several times when working with obscure firmwares, memory dumps or even unknown pieces of code. A lot of us made something like this in the past. It's a must. But I felt that we really needed something with a slightly more general approach. Like Acid did.
Let's see what he has to say about it.
Continue reading ‘Quickpost: IDAPython script to identify unrecognized functions.’
November 14, 2011
Today I wanna mention a little bug we found together with Matias Eissler. It's not a big deal, that's clear. But it's potentially dangerous and it shows the complexity of a sandbox implementation.
This is the story: after a few hours fooling around with the sandbox, we found this method that allowed us to bypass the network access restriction. The funny thing here is that we did a quick search on Google about the topic to see if some of this had been reported before, and guess what? Charlie Miller publicly disclosed the same thing (that Apple Events were allowed in a sandbox profile) in the quicklookd profile like 3 years ago.
Continue reading ‘Apple OS X Sandbox Predefined Profiles Bypass’
May 23, 2011
And the day finally came. The last (public, at least) edition of Ph-Neutral is very close and I gotta say: I'm very excited about being there. Luckily, I'll be arriving two days before the conference, so I'm gonna have enough time to recover after the flight. I wanna be in good shape to deal with the pretty insane Ph-Neutral rhythm, which usually consists of a mix of highly technical talks with amazing parties at night.
Continue reading ‘Ph-Neutral 0x7db’
November 9, 2010
Hey guys! It's been a long time since my last post... I've been very busy with some personal projects, but I thought this advisory deserved at least a small post about it.
I'll make it short: Matias Eissler, a teammate at Core, triggered the Jailbreakme bug in OS X, so we decided to spend some time researching it.
Continue reading ‘[Unpatched] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch (The Jailbreakme bug in OSX)’