Cubica Labs

March 18, 2014

The day finally came. This is Cubica Labs.

You will find more information on LinkedIn here. Or, eventually, at our webpage: www.cubicalabs.com

A new episode.

November 27, 2013

Eight years have passed since my first interview at Core Security.

I’ve got to say, it has been an amazing experience. I’ve had the luck to work with some of the greatest researchers of the infosec industry (and other industries too). But, as you can imagine, 8 years developing binary exploits and researching for (only) one company can be too much.

It has its pros and its cons, though. It’s ridiculous how much I’ve learned there, and I couldn’t be more thankful, but, at the same time, it can be a complex scenario when your main interest is to try to research (and break) every new technology out there. So, after thinking about this for a long time, I decided it was time for a fresh start.

This is, in part, the reason for the low activity on the blog. I have some projects that I’m working on and, hopefully, they will see the light soon.

In the meantime, I’m on my own. So I’ll be glad to hear from you ;)

HTML5 Heap Spray. EUSecWest 2012

October 3, 2012 • 8 Comments

HTML5 Heap Spray – EUSecWest 2012

Federico and I have just come back from our holidays after EUSecWest.

The conference was awesome, as usual. Very interesting talks, great people, and of course, great hosts.

In our talk, we presented a new technique to populate the heap in a multithreaded fashion making use of HTML5.
It’s very simple and it offers several benefits:

  • Very fast
  • Browser independent
  • Aligned
  • Supported by computers, smartphones, smart TVs and video game consoles

Still using strings to heap spray & feng shui? Take a look at the slides.
You can download them here or view them online here. Alternatively, if you don’t like Prezi, you can obtain a PDF version here.

[Quickpost] [IDAPython] Locating libc in an unknown firmware without string references.

July 2, 2012

Very often, you find yourself reversing a completely unknown firmware from some memory dump, knowing very little about it: perhaps the processor architecture, the kind of work it does, etc.

Generally, you can search for patterns (like the opcodes of the function prologue) to try to define the first functions, look for strings that could add some extra info, look for headers that give us an idea of how the firmware is structured and, of course, try to identify the libc itself and its location.

These last two points are, in my opinion, the most important ones.

Often, we have to go without all this important information. Maybe we don’t have any strings. Or we have them, but there are no code references to them, so we can’t link them to the code. Maybe we can’t reproduce the in-memory layout of the firmware and its structure.

Well, this is the exact situation that made me think about developing this script.

Continue reading ‘[Quickpost] [IDAPython] Locating libc in an unknown firmware without string references.’

Heappie! – Heap spray analysis tool.

March 9, 2012 • 3 Comments

Heappie!

Today, I’m releasing through Core a Python tool (with an amazing ultra l337 GUI) that helps exploit writers add reliability to their exploits by tracking their heap sprays graphically. These graphs can then be analyzed together in order to find heap spray intersections between several runs across different software versions and platforms.

Heappie! consists of 3 main scripts:

- heappie-analyzer.py: The script in charge of the process/dump analysis. It finds the patterns in memory and generates a log to be visualized with the viewer.
- heappie-viewer.py: The script that generates the graphics.
- Heappie.py: The front end. It’s just a cheap GUI I made to simplify the whole process of running the scripts.

Continue reading ‘Heappie! – Heap spray analysis tool.’

Quickpost: IDAPython script to identify unrecognized functions.

December 6, 2011 • 1 Comment

WhatTheFunct?

Hey folks! This time I’m gonna share with you a small IDAPython tool made by Federico Muttis (aka @acid_; maybe you remember him from the -pretty awesome- Pidgin vulnerability or the WebEx one). This is one of those scripts that you have to use and reuse several times when working with obscure firmwares, memory dumps or even unknown pieces of code. A lot of us made something like this in the past. It’s a must. But I felt that we really needed something with a slightly more generic approach, like Acid did.

Let’s see what he has to say about it ;)

Continue reading ‘Quickpost: IDAPython script to identify unrecognized functions.’

Apple OS X Sandbox Predefined Profiles Bypass

November 14, 2011

Nice seatbelt.

Hey guys!
Today I wanna mention a little bug we found together with Matias Eissler. It’s not a big thing, that’s clear. But it’s potentially dangerous, and it shows the complexity of a sandbox implementation.

This is the story: after a few hours fooling around with the sandbox, we found this method that allowed us to bypass the network access restriction. The funny thing here is that we did a quick search on Google about the topic to see if some of this had been reported before, and guess what? Charlie Miller publicly disclosed the same thing (that Apple Events were allowed in a sandbox profile) in the quicklookd profile like 3 years ago.

Continue reading ‘Apple OS X Sandbox Predefined Profiles Bypass’
