[Unpatched] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch (The Jailbreakme bug in OSX)

•November 9, 2010 • 6 Comments

Hey guys! It’s been a long time since my last post… I’ve been very busy with some personal projects, but I thought this advisory deserved at least a small post about it.

I’ll make it short: Matias Eissler, a teammate at Core, triggered the Jailbreakme bug in OS X, so we decided to spend some time researching it.

Continue reading ‘[Unpatched] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch (The Jailbreakme bug in OSX)’

IDAPython conditional breakpoints or ‘QuickHooking with IDAPython’

•June 29, 2010 • 4 Comments

Conditional breakpoints. Ohh, beloved conditional breakpoints! Everybody loves conditional breakpoints. They allow us to stop at a certain moment, sparing us a lot of tedious manual tracing. There isn’t anything easier and more gratifying than hooking our process’ code by just setting a breakpoint, typing some lines, and seeing our process stopped right there, when the fun starts. Nowadays, almost every decent debugger has hardware breakpoints. Some of them with very flexible interfaces and some others with very limited ones. In fact, this is a crucial point when deciding the limit between a complex hardware breakpoint and the use of a debugging library/tool that allows us to have full control of the context to programmatically manipulate the process execution as we need. When talking about IDA, we can say that it has a very flexible interface because it allows us to define the breakpoint conditions using the IDC scripting language. It’s mostly used to express very simple conditions like EAX == 0x1 or to do little memory modifications. But, as an IDAPython fan, I’ve always wanted to be able to use IDAPython when handling my quick conditional breakpoints.

Continue reading ‘IDAPython conditional breakpoints or ‘QuickHooking with IDAPython’’

[TIP] How to define a keyboard shortcut for an IDAPython script

•January 3, 2010 • 6 Comments

Today I want to share with you a very useful tip that I’ve been using for a while and particularly like. Gera posted a variation of it in the official IDA forum some time ago, but I think it would be useful to share it here as well.

Usually, in IDA, we find ourselves needing a way to define a shortcut for that useful IDAPython script to bypass the tedious “alt+9 + [select the wanted IDAPython script] + enter” procedure.

Continue reading ‘[TIP] How to define a keyboard shortcut for an IDAPython script’

FindInfunc.py (Little script to search for a pattern within a function)

•January 1, 2010 • 4 Comments

It is very common, when involved in the reversing of a big function in IDA, to need to look for some specific instruction, basic block, or even some particular string within the function.
I know we can use Marks (CTRL+M) for this task but, to use that feature, we’d need to have been there previously to set a mark (ALT+M).

Sometimes, we want to jump to some piece of code where we’ve never been before. We cannot use the “Text Search” command for this task because it will search for the pattern through the whole binary. Well, we can in fact, but it’s not going to be optimal.

Continue reading ‘FindInfunc.py (Little script to search for a pattern within a function)’

Peludo “Cachicamo” Beta 1.0 is finally out!

•December 25, 2009 • Leave a Comment

Oh yeah! Have you heard about Peludo from the Netifera guys?

You should. From the Netifera page:

“Peludo is a system to create and run platform independent, self-contained and injectable applications written in the C programming language. It provides a cross compiling environment with the tools to generate applications in Peludo’s new binary format (PLD). The system also provides the runtime necessary to launch these programs as independent executable files or as position independent code that can be injected into a running process. Peludo makes the netifera probe’s Java virtual machine injectable and easier to port to new platforms.”

Continue reading ‘Peludo “Cachicamo” Beta 1.0 is finally out!’

Ekoparty 2009 – Deactivate the Rootkit – 2 days left.

•September 15, 2009 • Leave a Comment
Ekoparty Security Conference

Well… everybody knows Ekoparty. One of the most important security conferences in South America, and a very important event in the local scene.

Of course, Alfred and I will be talking there. This’ll be a great opportunity for us to show all the PoCs that we left out (coz of the Turbo Talk) at the past Black Hat – Las Vegas.

So, I hope you’ll be there.

If you wanna share a beer (or two) and chat a bit, please drop me a msg.

Deactivate the rootkit – Black Hat Vegas 2009

•September 11, 2009 • 35 Comments
BlackHat 2009 - Vegas

It has been a long time since my last post here… Alfred and I were working very hard on our latest research/talk (the continuation of ‘Persistent BIOS Infection’), “Deactivate the rootkit”, where we found that Computrace (an anti-theft technology system) comes by default in most laptop BIOSes and can be controlled by an attacker, compromising the whole system’s security mechanisms.

I’m not going to explain all the research here… a lot has been said about this. We just did a turbo-talk at Black Hat (a very long one, I’m really happy about that) and we didn’t have the time to show all the proofs we gathered, but we did it through Core. Here is all the stuff. Draw Your Own Conclusions.

Slides: Black Hat – Las Vegas 2009

White Paper: Black Hat – Las Vegas 2009

Continue reading ‘Deactivate the rootkit – Black Hat Vegas 2009’

Persistent BIOS Infection at SyScan 2009

•June 26, 2009 • Leave a Comment
SyScan

Alfred and I will be giving our talk “Persistent BIOS Infection” at SyScan ’09, Singapore. This time with some added content and, of course, with our multiple cOOl demos, including the one with the dismembered real box (I hope not to have problems when traveling with the hardware).

If someone wants to meet and go out for a beer or something, I’ll be glad. Just drop me a line here or at als.alsx@gmail.com

c ya there!

Our paper ‘Persistent BIOS Infection’ has been released… on Phrack!

•June 11, 2009 • 2 Comments

We finally did it. Our paper is out, and Phrack #66 is the best place I can imagine to release it. We had to run a lot these last days to get the paper ready on time. I would like to thank the whole Phrack team for putting together the outstanding issue that you can read right here.

Continue reading ‘Our paper ‘Persistent BIOS Infection’ has been released… on Phrack!’

Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability

•June 3, 2009 • 1 Comment

Poor little CUPS… I feel bad for him.
I swear, I wasn’t looking for bugs in it (not for *new* bugs at least ;)). It just crashed in my face…

At the beginning I didn’t give it much importance, but CUPS is shipped as the default printing service for OS X and almost all Linux distributions. Besides, it’s a pre-auth vulnerability so… I think it was worth releasing an advisory for it – with the appropriate PoC and technical info, as usual.

So, here you have it. Have phun. :p

Continue reading ‘Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability’