Friday, November 2, 2012

extraexploit memories

Months and years ago, I spent many nights trying to expose what cyber security was (and is) while avoiding the academic perspective, although my first post was quite close to an academic point of view (the top ccTLDs called by Conficker.C). I can remember a lot of posts that were never completed and tons and tons of grammar, spelling and language mistakes... however, I hope that something has remained alive somewhere else.

Here I found, thanks to a sequence of random clicks, a repository where one of the most interesting (IMHO) posts I ever released in the past is cached.

At that time I spent nights tracking and logging URLs; it was a fun period when everything was done just to try to show something. I don't know whether this link is trusted or not, so any bad consequence is not my fault:

"some considerations on Ettercap source code repository breach"

Another good entry was the BGPlay "movie" made during the Egypt protests, when the Internet was blacked out by the Egyptian authorities in place at that time:

I still laugh remembering that "ugly" movie I released, but it has been used by a lot of media agencies to show what happens when a country is isolated from the rest of the world from an Internet connectivity point of view.

Other posts have been mentioned in security advisories and so on, despite the very poor and badly written English.

I would just like to say thank you to all those who came across this blog. I also have to thank all the people who allowed me to grow in terms of knowledge and skills.

This is the (reviewed) 100th post. The last one :-).

Thank you very much to all.

Thursday, January 26, 2012

the last/final touch!

It's very sad to recognize and discover that the screenshots on my blog, which for some reason have been saved in the "Gallery" of my Android mobile phone, once cleared from there, are deleted from the Google cloud too! Could someone confirm this? This blog has meant a lot to me although I have ceased to update it... but with this last touch... I almost want to finalize it.

what remains of my blog:

Tuesday, September 6, 2011

DigiNotar facts - just some links

DigiNotar Certificate Authority breach “Operation Black Tulip”
Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers

Thursday, August 4, 2011

Operation Shady RAT - HTran

HTran and the Advanced Persistent Threat

The code
(it appears also in the Secureworks analysis)

What follows is an abstract of the code:

Monday, July 4, 2011

an old bug for a new job ? CVE-2004-0194

A couple of months ago I received an interesting challenge to get through the final (I think) step in the job selection path of a big company (not a well-known exploit research company, but if you are reading this post you are probably using one of their operating systems). The challenge consisted in writing an exploit for CVE-2004-0194. Obviously, the first step I followed was a good googling activity. To my surprise I didn't get anything: I found only the original advisory, in a lot of versions. The original is at the following link, an old NGSSoftware Insight Security Research Advisory:

This issue was detected in version 5.1 of Adobe Reader (if you want to try, you can find it here: ). The issue was related to a bug triggered by a misuse of sprintf to format the OutputDebugString message during XFDF parsing. The original XFDF schema uses the UTF-8 encoding. To fit the Unicode shellcode generated via the Metasploit module I had to choose another encoding, like this one:

<?xml version="1.0" encoding="ISO-8859-1"?>
Anyway, what follows is the proof of concept that launches calc.exe. For this task I used a SEH overwrite technique using code from DLLs not compiled with SafeSEH.
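As an added example (my code, not anything from the original post), here is a small defensive check in Python for the two properties just discussed: the encoding named in the XML declaration of an XFDF file and the length of its field values. The two XFDF samples, the 256-character threshold and the namespace handling are my assumptions; the check only flags files for a closer look.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample XFDF documents (not files from the original post).
# The first follows the XFDF convention: UTF-8 declaration, short field values.
BENIGN_XFDF = b"""<?xml version="1.0" encoding="UTF-8"?>
<xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve">
  <fields>
    <field name="name"><value>Alice</value></field>
  </fields>
</xfdf>"""

# The second carries a non-UTF-8 declaration and an oversized field value.
SUSPECT_XFDF = (b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
                b'<xfdf xmlns="http://ns.adobe.com/xfdf/">\n'
                b'  <fields><field name="f"><value>' + b"A" * 600 + b'</value></field></fields>\n'
                b'</xfdf>')

XFDF_NS = "{http://ns.adobe.com/xfdf/}"
MAX_VALUE_LEN = 256   # assumed threshold: real form field values are rarely this long
_DECL_RE = re.compile(rb'^<\?xml[^>]*encoding=["\']([^"\']+)["\']', re.IGNORECASE)


def declared_encoding(data: bytes) -> str:
    """Return the encoding named in the XML declaration, or 'utf-8' when none is given."""
    m = _DECL_RE.match(data.lstrip())
    return m.group(1).decode("ascii", "replace").lower() if m else "utf-8"


def check_xfdf(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing anomalous was seen."""
    findings = []
    enc = declared_encoding(data)
    if enc not in ("utf-8", "utf8"):
        findings.append(f"non-UTF-8 encoding declared: {enc}")
    try:
        root = ET.fromstring(data)          # expat honours the declared encoding
    except ET.ParseError as e:
        findings.append(f"malformed XML: {e}")
        return findings
    for field in root.iter(XFDF_NS + "field"):
        name = field.get("name", "?")
        for value in field.iter(XFDF_NS + "value"):
            text = value.text or ""
            if len(text) > MAX_VALUE_LEN:
                findings.append(f"oversized value in field '{name}': {len(text)} chars")
    return findings


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XFDF), ("suspect", SUSPECT_XFDF)):
        print(label, check_xfdf(doc))
```

A non-UTF-8 declaration is not malicious by itself, but combined with an oversized value it is the profile of a file built to push raw bytes through a parser that expected UTF-8, so such a file is worth routing to a sandbox rather than straight to a reader.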

It's also possible to download the PoC from here: . Anyway, what happened? Well, if I'm still updating this blog it is because I didn't get this job, despite their compliments. Anyway, what did I learn? I learned how to write Unicode shellcode, and that sometimes encoding techniques are your best friends. What sounds strange is that the CVE id is very close to my nightmare: CVE-2010-4091.

So, why did I decide to post this stuff just now? I dunno why. Enjoy it!
Greetings to 0xff for opening my mind to the byte-encoding landscape (

Wednesday, June 22, 2011

TDSS - SRVs list

I just found via pastebin ( a domain list related to TDSS. The SRVs, according to this analysis, are the C&Cs from which the bots receive commands. What sounds a bit strange is that the content of the pastebin above matches the syntax used in the configuration file of the rootkit. Anyway, it is possible to count 2514 entries (or config files?). I simply sorted the domains reported, with the following result:

Another interesting Google dork is "wsrv:=http://", which shows another Pastebin link with a list of WSRV domains. The WSRVs are the handlers of the results of the search-provider activity on impacted systems.
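An added example of the sorting step, not code from the post: the parser below reads lines in the key:=value style the post associates with the rootkit configuration, groups the srv and wsrv entries, and reports the distinct hostnames behind them. Only the wsrv:= key is quoted in the post; the srv:= key, the section layout and every hostname here are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in key:=value style (hosts are invented, .invalid TLD).
SAMPLE_CONFIG = """\
[main]
version:=0.03
[srvs]
srv:=http://example-c2-one.invalid/
srv:=http://EXAMPLE-C2-ONE.invalid/
srv:=http://example-c2-two.invalid:8080/cmd
wsrv:=http://search-handler-a.invalid/
wsrv:=http://search-handler-b.invalid/
wsrv:=not a url
"""

_LINE_RE = re.compile(r"^\s*(\w+):=(.*?)\s*$")


def parse_config(text: str) -> dict:
    """Group the values of every key:=value line by (lower-cased) key, in file order."""
    entries = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            entries.setdefault(m.group(1).lower(), []).append(m.group(2))
    return entries


def extract_hosts(values) -> list:
    """Sorted, de-duplicated, lower-cased hostnames from a list of URL-like values.
    Entries that are not http(s) URLs are dropped rather than guessed at."""
    hosts = set()
    for v in values:
        parts = urlsplit(v.strip())
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname.lower())     # port and path are not part of the host
    return sorted(hosts)


def summarize(text: str) -> dict:
    """Per key: how many raw entries there were and the distinct hosts behind them.
    Raw count vs. host count shows how much of a long list is duplicates."""
    entries = parse_config(text)
    return {key: {"entries": len(vals), "hosts": extract_hosts(vals)}
            for key, vals in entries.items() if key in ("srv", "wsrv")}


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_CONFIG).items():
        print(key, info["entries"], "entries ->", len(info["hosts"]), "hosts:", info["hosts"])
```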

Tuesday, June 7, 2011

DroidKungFu - just some piece of code

Following the trend of the moment, I played a bit with the DroidKungFu sample retrieved from the contagiodump malware sample repository. To obtain the JAR archive I used dex2jar ( after extracting the Dalvik Executable Format file embedded in the APK. Once the JAR file is obtained, it is very easy to obtain the clear code with (for example) Java Decompiler.
One of the more interesting things is that, at least in the variant I analyzed (md5 39D140511C18EBF7384A36113D48463D), the DoSearchReport method is notified using the well-known Google Search gadget. It seems that this malware installs as a legacy app to grant persistence even after the rest of the malicious packages are removed from the device. This is easily readable from the source code, as shown in the following screenshots:
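Before decompiling, a practitioner often wants a quick answer to "does this APK contain the method names I am looking for?". The added example below (my code, not the post's) answers it by reading the dex string table directly, where class, method and field names are stored, and checking it for markers such as DoSearchReport and updateInfo. The minimal dex produced by build_sample_dex() is a constructed fixture with only the header fields the reader touches; the class name in it is invented.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n035\0"


def read_uleb128(buf: bytes, off: int):
    """Decode one unsigned LEB128 value starting at off; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex: bytes) -> list:
    """Return every entry of the dex string table, where class, method and field names live."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    # header fields: string_ids_size at 0x38, string_ids_off at 0x3C (little-endian uint32)
    size, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(size):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)   # string_data_item: uleb128 size ...
        end = dex.index(b"\0", pos)                     # ... then MUTF-8 bytes, NUL terminated
        out.append(dex[pos:end].decode("utf-8", "replace"))
    return out


def apk_strings(apk_bytes: bytes) -> list:
    """Pull classes.dex out of an APK (a zip archive) and list its string table."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return dex_strings(z.read("classes.dex"))


def find_markers(strings, markers) -> list:
    """Which of the given class/method names are present in the string table."""
    present = set(strings)
    return [m for m in markers if m in present]


def build_sample_dex(strings) -> bytes:
    """Constructed minimal dex: 0x70-byte header, string_ids table, string data.
    Only the fields dex_strings() reads are filled; a test fixture, not real malware.
    Strings must be BMP-only and shorter than 128 bytes so len(s) is a valid one-byte uleb128."""
    header = bytearray(0x70)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, 0x24, 0x70)          # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)    # endian_tag (little-endian)
    ids_off = 0x70
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:                                   # real dex tables are sorted; keep them so
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\0"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    struct.pack_into("<I", header, 0x20, len(header) + len(ids) + len(data))  # file_size
    return bytes(header + ids + data)


def build_sample_apk(strings) -> bytes:
    """Wrap the constructed dex in a zip so apk_strings() can be exercised end to end."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_sample_dex(strings))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk(["<init>", "DoSearchReport", "Lcom/example/Sample;", "updateInfo"])
    print(find_markers(apk_strings(sample), ["DoSearchReport", "updateInfo", "notThere"]))
```

Reading the string table is a triage step, not a substitute for decompilation: it tells you a name exists, not where it is called from or what the method does, and heavily obfuscated samples rename methods so the markers disappear.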

The screenshot above shows the beginning of the DoSearchReport method, where a custom method named updateInfo() is called. The following screenshot shows the place in the DoSearchReport method where all the data collected from impacted devices are dropped via HTTP POST:

The data collected and sent to the URL are the following (extracted from the code):
Some info about the URL (from Robtex):

Other domains related to the IP address: 

Playing a bit more with the URL above, I found this IP form request:

This variant seems forged for Chinese users; in the code there is much other evidence of this.

Friday, March 18, 2011

FlashUtil10m_Plugin.exe command line crash

It is interesting to observe how nowadays some old-style bugs are still around. I think this one is not a security bug, but a deeper investigation is left to all those who are interested. Anyway, it is sufficient to pass a single character as a command line parameter to FlashUtil10m_Plugin.exe (also called Flash Player Installer/Uninstaller) to generate a crash. If you are Admin, something like the following screenshot appears:

Opening it with a disassembler (in this case IDA), it is possible to see that the problem is within the parser that handles the command line parameters:

The screenshot above reports the function address where the bug is triggered, while the following screenshot shows the line of code where a write is attempted at an address in kernel32.dll using a non-readable address:

This bug impacts Adobe Flash Player Installer/Uninstaller 10.2 r152, distributed with the latest version of Adobe Flash Player.

Tuesday, March 15, 2011

cve-2011-0609 - bugix blog analysis

April 4, 2011 - Update:
RSA has released a blog post describing that this issue was used in the recent data breach:

March 15, 2011: 
A researcher has just added a very interesting analysis of this 0day:

bugix blog cve-2010-0609 analysis - by villys777

Adobe Security Advisory APSA11-01

Sunday, March 6, 2011

mobile malware depot

Following a well-known mailing list (clean-mx, aka viruswatch), the following URL was retrieved: (md5: 33EA90E2029478D47D33409B5F48E4EB)

The JAR file is already detected by VirusTotal. Playing a bit around the URL path, it is possible to retrieve another JAR file:

The MD5 (4CC0EBCE1428EE3649C67A13734F2EDE) of this JAR file is not yet known around. Anyway, what follows is just a quick analysis of the contents of this file. Opened with Java Decompiler, it appears like a canonical small JAR app for mobile devices (MIDlet class):

The main class is named "b" and extends the Canvas Java class:

As shown above, it is possible to see some Cyrillic strings:

A reference to a stream (embedded in the JAR) named "info.dat" is also shown. The code above uses this file to decode the stream which, as we'll see, is the destination phone number for the data gathered from mobile devices. The "info.dat" file contains the following string: 75;4x=1?==8:<95

I wrote a small Java app that uses the code to decode the stream:

The output revealed is the following:

The string obtained is the destination phone number used to receive SMS from the user's mobile devices. The content of the SMS body is still under investigation. Probably it sends the entire phonebook; the phone number could also be a payment number. The SMS is sent when the user accepts to view the picture in the postcard ("card.png") embedded in the JAR. There is also a file named "readme" which contains an ICQ id:

According to the web site ( the number "+7 497 878542104" is a Russian phone number. Another detail is that the domain is attested on one IP ( where another interesting domain is attested:

Wednesday, February 2, 2011

Egypt Telecom back online – ASN8452 TE DATA – prefix

The "ALL-Routes" prefix seems to be announced again to the rest of the world via the Telecom Italia Sparkle Autonomous System (ASN 6762). Here is the animation made with BGPlay:


The time range is between 29 January 2011 00:00 and 2 February 2011 08:00 PM (local time). For more info on BGPlay see my previous post.

Friday, January 28, 2011

Egypt Telecom AS isolation - does BGPlay show it?

January 31, 2011 – Update:
An interesting snapshot of Egyptian malware activity. ASN 20928 appears to be still active:

Egypt's malware activity post internet shutdown

Why One Egyptian ISP is Still Online

January 29, 2011 – Update:

I tried to make the following video to show what happened. BGP isolation "frame by frame":


January 28, 2011:

isolation of the Internet in Egypt: I tried to see if it is possible to see something with a good tool, BGPlay. As input data I inserted the AS8452 (Egypt Telecom) prefix labeled as "all routes". I obtained this information via Robtex as follows: So, the inserted data are the prefix and the date/time range of the latest 24h:

The result is interesting. For an animation it could be better to try inserting the values using BGPlay directly. (

The BGP traffic situation on 27/01/2011:

After the sequence of BGP withdrawals the situation now appears in this way:

RIPE has also released a tool to check BGP withdrawal and announcement requests:
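What BGPlay animates in the two Egypt posts can also be computed: replay the announcements and withdrawals that route collectors saw for one prefix and count, at each update, how many collector peers still hold a route, so that the moment the prefix disappears from everyone's table (and the upstream it returns through) is explicit. The Python below is an added example, not material from the posts; the updates, peers, the prefix 192.0.2.0/24 and the AS numbers are constructed placeholders, and the real prefix and ASNs discussed in the posts are deliberately not used.

```python
from datetime import datetime

# Constructed route-collector style updates:
# (timestamp, collector peer, 'A' announce / 'W' withdraw, prefix, AS path as seen by that peer).
# Peers, prefix and ASNs are placeholders, not data from the original posts.
SAMPLE_UPDATES = [
    ("2011-01-27 10:00", "peer1", "A", "192.0.2.0/24", "65001 65010 64500"),
    ("2011-01-27 10:00", "peer2", "A", "192.0.2.0/24", "65002 65010 64500"),
    ("2011-01-27 10:00", "peer3", "A", "192.0.2.0/24", "65003 65011 64500"),
    ("2011-01-27 22:30", "peer3", "W", "192.0.2.0/24", ""),
    ("2011-01-27 22:31", "peer1", "W", "192.0.2.0/24", ""),
    ("2011-01-27 22:32", "peer2", "W", "192.0.2.0/24", ""),
    ("2011-02-02 09:15", "peer2", "A", "192.0.2.0/24", "65002 65020 64500"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def visibility_timeline(updates, prefix):
    """Replay announcements/withdrawals for one prefix.
    Returns, per update, (timestamp, peers_with_a_route, upstream ASNs of the origin)."""
    routes = {}            # peer -> AS path currently held for the prefix
    timeline = []
    # sorted() is stable, so same-timestamp updates keep their original order
    for ts, peer, kind, pfx, path in sorted(updates, key=lambda u: parse_ts(u[0])):
        if pfx != prefix:
            continue
        if kind == "A":
            routes[peer] = path.split()
        elif kind == "W":
            routes.pop(peer, None)
        # the AS just before the origin (last element) is the origin's upstream on that path
        upstreams = {p[-2] for p in routes.values() if len(p) >= 2}
        timeline.append((parse_ts(ts), len(routes), upstreams))
    return timeline


def isolation_windows(timeline):
    """(start, end) pairs during which no collector peer had a route; end is None if still down."""
    windows, start = [], None
    for ts, count, _ in timeline:
        if count == 0 and start is None:
            start = ts
        elif count > 0 and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


if __name__ == "__main__":
    tl = visibility_timeline(SAMPLE_UPDATES, "192.0.2.0/24")
    for ts, count, ups in tl:
        print(ts, "peers:", count, "upstreams:", sorted(ups))
    print("isolation:", isolation_windows(tl))
```

With real collector data (for example RIS raw updates) the same replay is a cheap alarm: a prefix whose peer count falls to zero across many independent collectors, as opposed to one peer flapping, is the signature of a withdrawal rather than of a collector outage.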

Saturday, January 22, 2011

the sourceforge entry point seems still active

February 3, 2011 - Update:

A discussion on the e107 official web site:

February 2, 2011 - Update:

Just another piece of evidence of the SourceForge breach being used by a web bot. At least, from the following screenshot, it seems that the entry point was detected by a web vulnerability scanner bot. The following figure shows a well-known method used by web bots to post the result of their work on some pastebin clone web site.

This pastie was released at the end of 2010. The bad thing is that the OFF keyword tells the bot admin that php_safe is OFF.

January 30, 2011 – Update:
SourceForge has formally admitted the problems that I notified in December 2010. My research and my message on the Full Disclosure mailing list about the possible exploitation of a not-so-new e107 bug that could permit privilege escalation attempts look confirmed. Here is the update:

Sourceforge Attack: Full Report

January 28, 2011 - Update:

On Hacker News an update is reported, and it seems that the SourceForge server has been compromised:

Sourceforge servers compromised

The SourceForge response:

January 22, 2011:

Just now I found a post from Imperva. Intrigued by their results, similar to those published in my previous post approximately one month ago (, I decided to do some checks. I noticed that the SourceForge entry point is still active. This is what seems possible from the error message that appears on this page. As you can see from this screenshot, the problem seems to reside in a project home page that includes a bugged e107 version:


With further investigation it is possible to find the page where the version of e107 vulnerable to a remote command execution issue is placed. This entry point could be used by a remote script to send system commands to the server ( The following screenshot is the well-known form that exposes SourceForge to this vulnerability:


The problem is that this breach, if confirmed, can be exploited to modify source code, so as to break the trust level of applications maintained by this software repository.

Wednesday, December 29, 2010

some considerations on Ettercap source code repository breach

Recently a new issue of a zine called "owned and exposed" has been released ( I have to admit I laughed a lot when I saw this picture.


I think that the picture above is the truth of what the security field is today. Anyway, ending my personal considerations, I would like to show you a mind map that I made during past research on web-bot-based botnets, which could be useful to understand how it is possible to find and use entry points in some very important web sites. As a starting point I decided to focus the whole big picture on a generic bot's source code. Given a bot, with enough googling and some scripting language knowledge, it is possible to do the rest.


This mind map is not so obvious, and it is not so clear what the links with the title of this post are. I will try to describe what I intend with the process represented by this mind map. During research some months ago, I tried to identify 3 contexts where a researcher (color independent) could find useful information to raise the level of detail. In other words, starting from a bot source code analysis, you are in the first context (1, code analysis). In this context the analysis has generated information like authors (not so useful in this case), code snippets (useful for googling for other bots derived from the analyzed bot, for example), crew (again not so useful), and C&C server (VERY USEFUL).

So with the code snippets and the C&C server it is possible to try to find much more information. Specifically, with a C&C server that commands web-based bots, it is sometimes possible to look at what happens in the C&C channel by coding and running, for example, a fake bot to catch them. The fake bot is linked to the C&C channel (usually an IRC server) and starts to log everything. The analysis process of what was logged puts your mind in the 2nd context (named "intelligence"). What could be found is shown in the leaves of the 2nd context. From the information gathered from a C&C it is possible to know, for example, which web sites are exposed to a particular Remote File Include. Collecting many of these web sites, your mind is led into the 3rd context.

Usually you have to decide only what you want to do with the exposed-website list obtained from the 2nd context, thanks to someone (the bot admin) who launches, for example, bots specialized in scanning to check if a web site is prone to a specific issue. What is the link with Ettercap (and the other cases reported by the zine "owned and exposed")? If you are the main coder of a project and you decide to put this code in a source repository that exposes to its users exploitable web apps (like, for example, some old release of the e107 CMS prone to a remote code execution condition), it is possible to choose one (or more) of the leaves of the 3rd context. In other words, by logging the tons of C&C channels it is possible to find many other famous web sites exposed to these problems.

The following little screenshot makes everything clearer (I hope). What you see is the result of a fake bot that I coded months ago. In particular, the result of this fake bot is a log file where all the messages in a C&C channel are logged. The grep command was launched on this log file. As you can see, on SourceForge some user accounts offer access to a vulnerable version of the popular CMS e107 (
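The grep in the post, generalized a little: an added example (my code, not the author's fake bot or its log) that parses constructed IRC-style log lines of the shape a logging bot would write, keeps only the bots' vulnerability reports rather than the admin's commands, and groups the reported hosts per domain, so that the owners of exposed sites can be identified and notified. The line format, the bracketed tags and every host here are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed channel log: "<timestamp> <channel> <nick> <message>". Hosts are invented.
SAMPLE_LOG = """\
2010-11-03 01:12:07 #ch <admin> !scan rfi http://project-a.example.net/e107_files/ stop
2010-11-03 01:12:09 #ch <bot01> [RFI] vuln http://project-a.example.net/e107_files/index.php
2010-11-03 01:13:41 #ch <bot02> [RFI] vuln http://shop.example.org/includes/config.php?p=
2010-11-03 01:14:02 #ch <bot03> [LFI] vuln http://project-b.example.net/e107_plugins/x.php
2010-11-03 01:15:00 #ch <admin> idle chatter, no url here
2010-11-03 01:16:30 #ch <bot01> [RFI] vuln http://project-a.example.net/e107_files/other.php
"""

_LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<chan>\S+) <(?P<nick>[^>]+)> (?P<msg>.*)$")
_URL_RE = re.compile(r"https?://[^\s'\"<>]+")
_TAG_RE = re.compile(r"\[(\w+)\]")           # e.g. [RFI], [LFI]: the bots' report tag


def parse_log(text: str):
    """Yield (timestamp, nick, tag, url) for every URL that appears in the channel log."""
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue                          # joins/parts/malformed lines are skipped
        tag_m = _TAG_RE.search(m["msg"])
        tag = tag_m.group(1) if tag_m else None
        for url in _URL_RE.findall(m["msg"]):
            yield m["ts"], m["nick"], tag, url


def exposed_hosts(text: str, tags=("RFI",)) -> dict:
    """Hosts reported under the given tags -> number of distinct paths reported per host.
    Untagged lines (the admin's commands) are ignored: they are targets, not findings."""
    hosts = defaultdict(set)
    for _, _, tag, url in parse_log(text):
        if tag in tags:
            parts = urlsplit(url)
            hosts[parts.hostname.lower()].add(parts.path)
    return {h: len(paths) for h, paths in sorted(hosts.items())}


def hosts_under(text: str, domain: str, tags=("RFI", "LFI")) -> list:
    """The grep from the post: reported hosts that belong to one domain (label-wise suffix match,
    so 'evil-example.net' does not match 'example.net')."""
    suffix = "." + domain.lower()
    return sorted(h for h in exposed_hosts(text, tags) if h == domain.lower() or h.endswith(suffix))


if __name__ == "__main__":
    print(exposed_hosts(SAMPLE_LOG))
    print(hosts_under(SAMPLE_LOG, "example.net"))
```

The per-host path count is the useful triage number: a host reported on several distinct paths over time is an instance the bots keep coming back to, which is the one to escalate first to the site owner or to the hosting project.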


One note: I decided to put the owning activities in the "counter measures" leaf because "good and evil" is just a matter of who does things.

For the moment that's all. Maybe I will publish some more explanation of this process as soon as possible. Feedback and questions are welcome.

Counter measures: don't expose users to bugged web apps!

Tuesday, December 14, 2010

LOIC - Crafted C&C Channel Topic Could Lead A Crash

Following the trend of these days, I played (locally) with one of the latest releases of LOIC (Low Orbit Ion Cannon DDoS tool). Inserting a long (not so long) string in the topic of a C&C IRC channel, there seems to be a memory corruption condition.

The screenshot above shows a crafted topic that triggers the issue. The impacted tested release is the  A few more details related to the .NET exception:

Some important notes: I saw on Twitter that someone retweeted this post adding "remote code execution". I never spoke about a "remote code execution" condition for this issue.

Anyway, IMHO this issue could be inserted in the counter measures list for this kind of threat. Acting from a client-side perspective may sometimes be useful.

Tuesday, November 30, 2010

cve-2010-4091 exploited ? – 0.2 – Adobe Reader 9.3.0

Starting from the malwaretracker sample (see my previous posts), it seems that edx and ecx are set to some interesting values:


Thursday, November 25, 2010

cve-2010-4091 exploited ? – 0.1

Trying to reverse the shellcode contained within the PDF that seems to exploit CVE-2010-4091, according to the sample reported by MalwareTracker, the following URL was found:


From Robtex:


The URL above is at this time down or no longer available. Was it really exploited to retrieve malware from ? :). Many thanks to binjo for his support and tools. For the PDF, check my previous post:

All these things continue to be weird and funny! (WOMENS-PUZZLE.COM :-) ). IMPORTANT: it is not certain that the reported PDF really exploits CVE-2010-4091.

Friday, November 19, 2010

cve-2010-4091 exploited ?

November 24,  2010 – Update:

Looking for other exploitation attempts, I found a MalwareTracker sample where the PDF seems to be spread via a URL that contains: filepdf.php@v=zday


The following analysis reports the objects used within this PDF (which is different from the Full Disclosure PDF):

November 22 , 2010 – update:

Some interesting (and useful) notes about the original PoC PDF published on the Full Disclosure mailing list:

Who’s looking for eggs in your PDF?

November 19, 2010:

This is my latest result. It seems that with a crafted PDF, as explained by Haifei Li in his paper (see previous posts for reference), the code flow could be hijacked. At least I have this impression from the debugger response, as you can see in this screenshot:


Feedback and suggestions are welcome. Some notes: this is only an attempt to try to understand this issue better. Mistakes on my part at this stage are very likely.

Thursday, November 11, 2010

cve-2010-4091 – printSeps - exploitation attempts

November 26, 2010 – update:
This is a very useful presentation (from Immunity Sec) where it is possible to get some methods for approaching the reversing of the JavaScript engine in the Adobe Reader context:

Attacking Embedded Languages

November 16, 2010 – update:
In the previous post I didn't report the place in AcroRd32.dll where the memory corruption is triggered (as a result of the use-after-free bug). The following screenshot is the leak screenshot:


At first sight, the AcroRd32.dll offset 0094450 seems a zone involved with the Acro Heap Manager, so this could confirm some of my doubts about questions like "where to play with this bug?". So, IMHO, this bug is due to the double handling mechanism of the heap. In other words, what the OS heap management has previously freed, the Adobe Heap Manager may try to free again, with the result shown. I hope to release a more detailed analysis as soon as possible.

November 11, 2010
In my previous post ( I followed the timeline and what is called the exposure time for this bug, which seems to have a bit of a strange history. After my initial analysis, only a few details were released about it. But after playing a bit with this flaw I can confirm one of the latest and clearest comments from VUPEN via Twitter:

exploiting the PDF printSeps was complicated. It involves allocating/freeing chained blocks before triggering the flaw

After this tweet I started to look for more information about it. So IMHO good support for "allocating/freeing before triggering" the flaw may be obtained from heaplib, as well documented in

Is it possible to adapt heaplib.js for Adobe Reader and insert it inside a crafted PDF to obtain control of the heap handling? For this goal it could be useful to play with what is called the Acro Managing Pool. A very interesting reference is from a Fortinet researcher:

The heaplib.js for Internet Explorer is here:

Anyway, what I can say from my experience with this flaw is that the PDF posted on Full Disclosure seems to lack something, and using a debugger may sometimes lead you the wrong way. These are only ideas, which could be wrong as well as right. Feedback is welcome.

Thursday, November 4, 2010

full disclosure xpl.pdf Adobe Reader 9.4 poc - printSeps() - cve-2010-4091

November 26,2010 – Update:

Thank you, Mario, but our printSeps() is in another castle !

November 22, 2010 – Update:

Who’s looking for eggs in your PDF?  (reported also in  cve-2010-4091 exploited ?)

November 16, 2010 – Update:

Security updates available for Adobe Reader and Acrobat – APSB10-28

November 9, 2010 – Update:

Adobe PSIRT released - CVE-2010-4091

US-CERT response:

November 8, 2010 – Update 2:

VUPEN confirms the "remote code execution"

November 8, 2010 – Update 1:

Some screenshots of my brief analysis of this bug. The vtable where the printSeps() method is referenced:

The location where the JavaScript code is processed:
Where Adobe Reader 9.4 crashes after printSeps is processed:

November 5, 2010 – Update:

Emerging Threats Snort signature

eEye reports it as remote code execution

Adobe response:

November 4, 2010:
The vulnerable method seems to be printSeps():

more info:

The original xpl.pdf was retrieved via
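As an added example in the spirit of the Snort signature mentioned above (my code, not the Emerging Threats rule or anything from the post), here is a small PDF triage scanner: it walks the objects, inflates FlateDecode streams and reports every object whose content references printSeps, the method the post points at. The fixture built by build_sample_pdf() is a constructed minimal PDF whose JavaScript merely calls the method; it contains none of the heap handling the posts discuss.

```python
import re
import zlib

_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
MARKER = b"printSeps"


def _views(body: bytes):
    """Yield (label, bytes) for the object body as-is and for its inflated stream, if any."""
    yield "object body", body
    m = _STREAM_RE.search(body)
    if m and b"/FlateDecode" in body:
        try:
            yield "inflated FlateDecode stream", zlib.decompress(m.group(1))
        except zlib.error:
            # a corrupt or truncated stream is itself suspicious; still grep the raw bytes
            yield "raw stream (inflate failed)", m.group(1)


def scan_pdf(data: bytes) -> list:
    """Return [(object number, where the marker was found)] for every object referencing printSeps."""
    hits = []
    for m in _OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        for label, view in _views(body):
            if MARKER in view:
                hits.append((num, label))
                break                      # one hit per object is enough for triage
    return hits


def build_sample_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF: an OpenAction whose JavaScript lives in a FlateDecode stream.
    Only the parts the scanner looks at are present; a fixture, not a working document."""
    packed = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + packed + b"\nendstream\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    # the constructed JavaScript only names the method; no heap grooming is included
    sample = build_sample_pdf(b"app.alert('hello'); this.printSeps();")
    print(scan_pdf(sample))                # [(3, 'inflated FlateDecode stream')]
    print(scan_pdf(build_sample_pdf(b"app.alert('hello');")))   # []
```

Like the signature, this is a string match: JavaScript that assembles the method name at run time, or a stream encoded with a filter the scanner does not inflate, will slip past it, so a hit is a reason to detonate the file in a sandbox and a miss is not a clean bill.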