Black Hat USA 2014 – Computrace backdoor revisited

•August 14, 2014 • Leave a Comment

bhusa

 

Hey there!  Another quick post.
After our presentation in SAS2014, we kept working together with Vitaly and Sergey on this topic and decided to go to BH with all the results.
It was really cool. I think this time more people realized the risk of having such kind of technology preinstaled on their BIOS/UEFI…
Anyway, you can take a look to our slides and whitepaper here.

I will update this post later with more stuff.
See you!

Catching up – Security Analyst Summit 2014

•August 14, 2014 • Leave a Comment

Security Analyst Summit 2014 - Punta Cana

Yeah, well. A bit late… I know.

This last months have been a complete madness. But, a good madness, I have to say.
So I will try to catch up with a few quick posts.

I’ve been contacted by the Kaspersky guys, and invited to give a joint talk at his private summit about Computrace. This guys: Vitaly Kamluk and Sergey Belov are two amazing researchers that, after finding an activated instance of computrace in his personal computers, did what it wass needed to do. Research it and attack it.

In this joint talk I’ve presented our (with Alfredo Ortega) original findings, and introduced the topic so them could show yours, together with some new -remote- attacks they’ve worked on.
This was an extremely cool conference. Really good researchers, good presentations with several parallel tracks that allow you to choose the one that fits better with your interests.

Honestly. The Hard Rock Hotel is an excellent place to held a security conference. Definitely Kaspersky knows how to do it ;)
Here you can take a look to the report published by kaspersky about his findings and attacks: http://securelist.com/analysis/publications/58278/absolute-computrace-revisited/

Cubica Labs

•March 18, 2014 • Leave a Comment

Cubica Labs

The day finally came. This is Cubica Labs.

You will find more information on LinkedIn here. Or, eventually, at our webpage: www.cubicalabs.com

A new episode.

•November 27, 2013 • Leave a Comment

beginning-500x332

Eight years has passed since my first interview at Core Security.

I’ve got to say, it has been an amazing experience. I’ve had the luck to work with some of the greatest researchers of the infosec industry (and others industries too). But, as you can imagine, 8 years developing binary exploits and researching for (only) one company can be too much.

It has its pros and its cons, though. It’s ridiculous how much I’ve learned there, and I couldn’t be more thankful but, at the same time, it can be a complex scenario when your main interest is to try to research (and break) every new technology out there. So, after thinking this for a long time, I decided It was time of a fresh start.

This is, in part, the reason of the low activity in the blog. I have some projects that I’m working on and, hopefully, will see the light soon.

In the meantime, I’m on my own. So I’ll be glad to hear from you ;)

HTML5 Heap Spray. EUSecWest 2012

•October 3, 2012 • 8 Comments
HTML5 Heap Spray

HTML5 Heap Spray – EUSecWest 2012

Federico and I have just come back from our holidays after EUSecWest.

The conference was awesome, as usual. Very interesting talks, great ppl, and of course, great hosts.

In our talk, we presented a new technique to populate the heap in a multithreaded fashion making use of HTML5.
It’s very simple and it offers several benefits:

  • Very fast
  • Browser independent
  • Aligned
  • Supported by computers, smartphones, smart TVs and video game consoles

Still using strings to heap spray & feng shui? Take a look to the slides.
You can download it here or view it online here.  Alternatively,  if you dont like Prezi, you can obtain a pdf version here.

[Quickpost] [IDAPython] Locating libc in an unknown firmware without string references.

•July 2, 2012 • Leave a Comment

Very often, you find yourself reversing a completely unknown firmware from some memory dump, and know very little about it.  Probably, the processor architecture, the kind of work it makes, etc.

Generally, you can search for patterns (like the opcodes from the function prologue) to try to define the first functions , look for strings that could add some extra info, look for headers giving us an idea of how the firmware is structured and of course, try to identify the libc itself and its location.

This last two points are, in my opinion, the most important ones.

Often, we have to go without all this important information. Maybe we don’t have any strings. Or we have it but there are no code references to it so we can’t link them to the code. Maybe, we can’t reproduce the in-memory layout of the firmware and its structure.

Well, this is the exact situation that made me think on developing this script.

Continue reading ‘[Quickpost] [IDAPython] Locating libc in an unknown firmware without string references.’

Heappie! – Heap spray analysis tool.

•March 9, 2012 • 3 Comments
Heappie! - Heap spray analyzer

Heappie!

Today, I’m releasing through Core a python tool (with an amazing ultra l337 GUI) that helps the exploit writer to add reliability to its exploits by tracking his heap sprays in a graphical way. Then, this graphics can be analyzed together in order to find heap spray intersections between several runs of different software versions and platforms.

Heappie! counts with 3 main scripts:

- heappie-analyzer.py: Is the script in charge of the process/dump analysis, it finds the patterns in memory and generates a log to be visualized with the viewer:
– heappie-viewer.py: The script that generates the graphics.
– Heappie.py: The front end. It’s just a cheap gui I made to simplify the whole process of running the scripts .

Continue reading ‘Heappie! – Heap spray analysis tool.’

 
Follow

Get every new post delivered to your Inbox.