Wednesday, October 21, 2009

Media Frenzy

Some life-changing events going on over at the metasploit blog

Saturday, August 08, 2009

Sliding Home

As promised, my slides for Blackhat/Defcon 2009 have been placed in a web-accessible location: Using Guided Missiles in Drive-bys. Thanks to everyone who showed up. To those who didn't, maybe I'll see you next time.

Tuesday, July 14, 2009

A Dark-colored Chapeau

I'm making this post in the vain hope that someone cares about what security conference topics I find interesting. With that being said, Blackhat is going to be awesome this year, not least because of the Metasploit track. Without further ado, here are the talks I plan to attend.

Day One:
I'm presenting at 13:45 and, judging by my history, I probably won't be done with my slides until about 13:43, so I'm planning to miss all of the morning stuff.

15:15 Stefan Esser: State of the Art Post Exploitation in Hardened PHP Environments
This is a tough choice and I may end up flipping on it later. Valsmith and Colin's stuff is freaking awesome but I think Esser's work could end up being really useful for PHP meterpreter.

16:45 Valsmith, Ames, Kerb: Metaphish pt2.
I hope I can get into the room after the break.

Day Two:

10:00 Datagram: Lockpicking Forensics
Lockpicking is a terrifically fun hobby and I'd like to learn more about it.

11:15 Nick Harbour: Win at Reversing
I usually lose.

13:45 Danny Quist & Lorie Liebrock: Reverse Engineering by Crayon
Dr. Liebrock was a professor of mine and Danny is one of the best Reverse Engineers I've ever met. Can't miss this one.

15:15 Kostya Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware
I'm not especially interested in VMware but Kostya Kortchinsky is an exploit machine. If I die half as good as Kostya is today, I'll be happy.

16:45 Vincenzo Iozzo & Charlie Miller: Post Exploitation Bliss - Loading Meterpreter on a Factory iPhone
Meterpreter is awesome and having the same post-exploitation toolkit available on multiple platforms is something I've wanted for a long time. The fact that these guys ported it to a tiny embedded device that frequently gets connected to tons of open wifi networks is an extra bonus.

Thursday, May 14, 2009

VMWare keyboard issues

I've been fighting with keyboard issues in VMware since I started using Ubuntu. I'm not sure if the problems are specific to Ubuntu or if they were just introduced around the time I moved away from Gentoo, but either way, it's really annoying. First, VMware would occasionally not recognize keys correctly in guests. The down arrow would become the Windows key, shift would become ctrl, and alt, home, end, pgup, pgdn and the rest of the arrow keys would appear to quit functioning altogether. Outside of the guest, everything was fine. The fix for that was to tell VMware to use the keymap provided by X instead of trying to figure it out. Open up ~/.vmware/config with your favorite editor (creating it if it doesn't exist) and add the following line:
xkeymap.noKeycodeMap = "TRUE"
Thanks to http://nthrbldyblg.blogspot.com/2008/06/vmware-and-fubar-keyboard-effect.html for this one.

Next, VMware would occasionally cause all of the same keys from the previous bug either to stop working or to act as though they are permanently pressed in the host. After playing with this bug for a while I found that it happens most reliably when coming out of full-screen mode. There's no real solution for this one, but running "setxkbmap" from a terminal fixes it. The VMware forums have a thread about this issue. Since I sometimes can't type when this bug strikes (e.g. when ctrl is stuck), I added a launcher to my GNOME panel so that a single mouse click can give me my keyboard back.

Lastly, when using ctrl-g to have VMware grab input, it never releases the g key. I haven't found a fix for this (except to avoid using ctrl-g) and the only way I've found to get a working desktop back is to ssh in from another machine and killall vmware.

Sunday, December 07, 2008

rubuntu

The Ubuntu package ruby1.8 does not install an executable called ruby. It is expected that users install the package ruby which depends on ruby1.8 and installs a single file: a symlink called /usr/bin/ruby that points to /usr/bin/ruby1.8.

Wednesday, November 19, 2008

Metasploit 3.2 released

Despite a number of delays and HDM's slave-driving schedule, the Metasploit Framework version 3.2 was officially released today. My main contributions include reliable bind, reverse, and findsock payloads for PHP script vulnerabilities and Browser Autopwn, a web client fingerprinting exploit machine.

I will post more about Browser Autopwn, including some step-by-step explanations of how I use it, in the coming days.

Sunday, November 09, 2008

obj.grabAnkles();

As far as I can tell, it is impossible to determine whether an ActiveX object created by classid actually works without just calling specific methods of that control and catching any exceptions. It doesn't seem to matter whether it was created with an <object> tag, or through JavaScript's document.createElement("object") or document.write("<object...>"). Internet Explorer turns anything with an id attribute into a property of document, and yet if you have

<object id="foo" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" />

document.foo advertises no property or method that is not available from an object with no classid.

For those of you playing at home, yes, this classid is one of the vulnerable ActiveX controls used in the MDAC / ie_createobject exploits. If the object actually got instantiated correctly and we can talk to it, typeof(document.foo.CreateObject) returns "unknown" rather than the "undefined" returned for properties that don't exist. So if we know a specific method that the ActiveX implements, we can check to make sure it worked using that. It is unfortunate, then, that there does not seem to be a standard method or property that all ActiveX objects must implement. Unless I'm missing something, because of the lack of a universal method or property, we cannot generically determine whether an ActiveX control created in this way was successfully instantiated. Thus, my "solution" for now is to save a method to test along with the classid. If this doesn't work, I just might give up on browser_autopwn's fingerprinting altogether and simply throw every single exploit at the client. And also maybe shoot myself. I really hate IE.
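The classid-plus-method check described above, written out as an added example (this is not code from the original post or from Metasploit). It is useful on the defensive side too, for instance when verifying on a test machine that a kill bit really has disabled a control. The only classid and method it knows are the ones named in the post; the probe table, the function names and the stand-in document used to run it outside a browser are all assumptions made for this example.

```javascript
// Added example, not from the original post. Checks whether an ActiveX control
// created by classid actually instantiated, using the quirk described above:
// IE answers typeof "unknown" for a method of a live COM object and "undefined"
// for a property that does not exist. Since no universal method exists, every
// classid is paired with a method name to probe. The document is passed in so
// the logic can be exercised outside a browser with a stand-in object.

// classid -> method to probe. Only the entry named in the post; add more as needed.
const PROBES = {
  "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36": "CreateObject", // MDAC RDS.DataSpace
};

// Returns true if the control exposed the probe method, i.e. it instantiated.
function probeActiveX(doc, classid, methodName) {
  const el = doc.createElement("object");
  el.setAttribute("classid", classid);
  doc.body.appendChild(el);
  let instantiated;
  try {
    // "unknown" (live COM method) or "function" both mean the method is there;
    // only "undefined" means the object is an empty <object> shell.
    instantiated = typeof el[methodName] !== "undefined";
  } catch (e) {
    // Some controls throw on property access when instantiation failed.
    instantiated = false;
  } finally {
    doc.body.removeChild(el);
  }
  return instantiated;
}

// Runs every probe in the table and reports classid -> instantiated.
function probeAll(doc, probes = PROBES) {
  const report = {};
  for (const [classid, method] of Object.entries(probes)) {
    report[classid] = probeActiveX(doc, classid, method);
  }
  return report;
}

// Stand-in document (constructed for this example) so the code runs without a
// browser. It emulates an IE that instantiates only the classids in the given
// set; a plain function stands in for the COM method that real IE would report
// as typeof "unknown".
function makeFakeDocument(instantiable, probes = PROBES) {
  const children = [];
  return {
    body: {
      appendChild: (el) => { children.push(el); },
      removeChild: (el) => { children.splice(children.indexOf(el), 1); },
    },
    createElement(tag) {
      const el = { tag, attrs: {} };
      el.setAttribute = (name, value) => {
        el.attrs[name] = value;
        if (name === "classid" && instantiable.has(value) && probes[value]) {
          el[probes[value]] = function () {};
        }
      };
      return el;
    },
  };
}

// Usage in a real page would be: probeAll(document)
const demo = probeAll(makeFakeDocument(new Set(Object.keys(PROBES))));
console.log(demo);
```

In a browser, call probeAll(document); the stand-in document exists only so the logic can be run and tested offline. A control that is blocked by a kill bit or missing entirely shows up as false, which is exactly the case the post says cannot be told apart from success without a per-classid method name.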