The day finally came. This is Cubica Labs.
Eight years has passed since my first interview at Core Security.
I’ve got to say, it has been an amazing experience. I’ve had the luck to work with some of the greatest researchers of the infosec industry (and others industries too). But, as you can imagine, 8 years developing binary exploits and researching for (only) one company can be too much.
It has its pros and its cons, though. It’s ridiculous how much I’ve learned there, and I couldn’t be more thankful but, at the same time, it can be a complex scenario when your main interest is to try to research (and break) every new technology out there. So, after thinking this for a long time, I decided It was time of a fresh start.
This is, in part, the reason of the low activity in the blog. I have some projects that I’m working on and, hopefully, will see the light soon.
In the meantime, I’m on my own. So I’ll be glad to hear from you ;)
Federico and I have just come back from our holidays after EUSecWest.
The conference was awesome, as usual. Very interesting talks, great ppl, and of course, great hosts.
In our talk, we presented a new technique to populate the heap in a multithreaded fashion making use of HTML5.
It’s very simple and it offers several benefits:
- Very fast
- Browser independent
- Supported by computers, smartphones, smart TVs and video game consoles
Very often, you find yourself reversing a completely unknown firmware from some memory dump, and know very little about it. Probably, the processor architecture, the kind of work it makes, etc.
Generally, you can search for patterns (like the opcodes from the function prologue) to try to define the first functions , look for strings that could add some extra info, look for headers giving us an idea of how the firmware is structured and of course, try to identify the libc itself and its location.
This last two points are, in my opinion, the most important ones.
Often, we have to go without all this important information. Maybe we don’t have any strings. Or we have it but there are no code references to it so we can’t link them to the code. Maybe, we can’t reproduce the in-memory layout of the firmware and its structure.
Well, this is the exact situation that made me think on developing this script.
Today, I’m releasing through Core a python tool (with an amazing ultra l337 GUI) that helps the exploit writer to add reliability to its exploits by tracking his heap sprays in a graphical way. Then, this graphics can be analyzed together in order to find heap spray intersections between several runs of different software versions and platforms.
Heappie! counts with 3 main scripts:
- heappie-analyzer.py: Is the script in charge of the process/dump analysis, it finds the patterns in memory and generates a log to be visualized with the viewer:
- heappie-viewer.py: The script that generates the graphics.
- Heappie.py: The front end. It’s just a cheap gui I made to simplify the whole process of running the scripts .
Hey folks! This time I’m gonna share with you a small IDAPython tool made by Federico Muttis (aka @acid_. Maybe you remember him from the -pretty awesome- pidgin vulnerability or the WebEx one). This is one of those scripts that you have to use and reuse several times when working with obscure firmwares, memory dumps or even unknown pieces of code. A lot of us made something like this in the past. It’s a must. But I felt that we really needed something with a little more generical approach. Like Acid did.
Let’s see what he has to say about it ;)
Today I wanna mention a little bug we found together with Matias Eissler. It’s not the big thing, that’s clear. But it’s potentially dangerous and it shows the complexity of a sandbox implementation.
This is the story: After a few hours fooling around with the sandbox, we found this method that allowed us to bypass the network access restriction. The funny thing here is that we did a quick search on google about the topic to see if some of this was reported before and guess what? Charlie Miller publicly disclosed the same thing (that apple events were allowed in a sandbox profile) in the quicklookd profile like 3 years ago.