extraexploit

the last/final touch!

2012-01-26T23:18:00.000-08:00

It's very sad to recognize and discover that the screenshots on my blog, which for some reason have been saved in the "Gallery" of my Android mobile phone, once cleared from there, will be deleted from the Google cloud! Someone could confirm this ? This blog has been to me a lot although I have ceased to update it ... but with this last touch .. I almost want to finalize it. what remains of my

DigiNotar facts - just some links

2011-09-06T03:38:00.000-07:00

DigiNotar Certificate Authority breach “Operation Black Tulip” http://t.co/VC91bjo DigiNotar CA compromise http://community.websense.com/blogs/securitylabs/archive/2011/08/30/diginotar-ca-compromise.aspx Certificate hacker probably paid by Iran, say victimised firms http://computerworld.co.nz/news.nsf/security/certificate-hacker-probably-paid-by-iran-say-victimized-firms DigiNotar

Operation Shady RAT - HTran

2011-08-04T02:18:00.000-07:00

HTran and the Advanced Persistent Threat http://www.secureworks.com/research/threats/htran/ The code http://www.pudn.com/downloads119/sourcecode/windows/network/detail508294.html. (appears also in the Secureworks analysis) What follows it's an abstract of the code:

an old bug for a new job ? CVE-2004-0194

2011-07-04T06:12:00.000-07:00

A couple of months ago I receive an interesting challenge for get the final (I think) step in the job selection path for a big company (not a well known exploit research company but probably if you are reading this post you are using once of their os). The challenge it consist in the writing an exploit for the CVE-2004-0194. Obviously, at the first step I did follow, was a good googling acrivity

TDSS - SRVs list

2011-06-22T07:13:00.000-07:00

I just found via pastebin (http://pastebin.com/jWDhEfGB) a domains list related to TDSS. The SRVs , in according with this analysis http://resources.infosecinstitute.com/tdss4-part-2/, are the C&C from where bots receive commands.What's sound a bit strange is that the content in the pastebin above match with the syntax used in the configuration file of the rootkit. Anyway is possible count 2514

DroidKungFu - just some piece of code

2011-06-07T05:33:00.000-07:00

Following the trend of the moment, I play a bit with the sample of DroidKungFu retrieved from the contagiodump malware sample repository. For obtaining the JAR archive I used dex2jar (http://code.google.com/p/dex2jar/downloads/list) after that I extracted the Dalvik Executable Format embedded in the APK. Once obtained the JAR file is very easy obtain the clear code with (for example) Java

FlashUtil10m_Plugin.exe command line crash

2011-03-18T07:19:00.000-07:00

Is interesting observing how nowadays some old style bug are still available. I think that this one is not a security bug but a deeper investigation is left to all whose are interested.Anyway is sufficient pass a single char as command line parameter to this FlashUtil10m_Plugin.exe (also called Flash Player Installer/Uninstaller) for generate a crash. If you are Admin appear something like the

cve-2011-0609 - bugix blog analysis

2011-03-15T09:00:00.000-07:00

April 4, 2011 - Update: RSA has release a blog post where is described that in the recently data-breach is been used this issue: http://blogs.rsa.com/rivner/anatomy-of-an-attack/ March 15, 2011: A researcher has just added a very interesting analysis about this 0day: bugix blog cve-2010-0609 analysis - by villys777 http://bugix-security.blogspot.com/2011/03/cve-2011-0609-

mmspicture.ru - mobile malware depot

2011-03-06T04:13:00.000-08:00

Following a well known mailing list (clean-mx aka viruswatch) it was been retrieved the following URL: http://mmspicture.ru/mms112/mms112.jar (md5: 33EA90E2029478D47D33409B5F48E4EB) The JAR file is already detected from Virustotal. Playing a bit around the URL path is possible retrieve another JAR file: http://mmspicture.ru/mms113/mms113.jar The MD5 (4CC0EBCE1428EE3649C67A13734F2EDE) of this

Egypt Telecom back online– ASN8452 TE DATA– prefix 81.10.0.0/17

2011-02-02T12:36:00.001-08:00

The prefix 81.10.0.0/17 “ALL-Routes” seems announced again to the rest of the world via Telecom Italia Sparkle Autonomous System (ASN 6762). Here the animation made with BGPlay: The time range is between the 29 of January 2011 00:00 and 2 of February 2011 08:00 PM (local time). For more info on bgplay see my previous post http://extraexploit.blogspot.com/2011/01/

Egypt Telecom AS isolation - BGPlay show it ?

2011-01-28T05:45:00.000-08:00

January 31, 2011 – Update: An interesting snapshot of Egyptian's malware activity. ASN 20928 appears like still active Egypt's malware activity post internet shutdownhttp://www.unveillance.com/latest-news/egypts-malware-activity-post-internet-shutdown/ Why One Egyptian ISP is Still Online http://newsgrange.com/why-one-egyptian-isp-is-still-online/ January 29, 2011 – Update: I try to make the

the sourceforge entry point seems still active

2011-01-22T12:34:00.001-08:00

February 3, 2011 - Update: A discussion on e107 official web site: http://e107.org/comment.php?comment.news.878 February 2, 2011 - Update: Just another evidence of the sourceforge breach used by a web bot. At least , from the following screenshot, seems that the entrypoint was detected by a web vuln scanner bot. The following figure shown a well known method by web bots to post in some

some considerations on Ettercap source code repository breach

2010-12-29T10:06:00.001-08:00

Recently it’s been released a new issue of a zine called “owned and exposed” (http://www.exploit-db.com/papers/15823/). I have to admit I laughed a lot when I saw this picture. I think that the picture above is the truth of what the security field is today. Anyway , ending my personal considerations, I would show you a mind map that I made during a past research on web bot

LOIC 1.1.1.15 - Crafted C&C Channel Topic Could Lead A Crash

2010-12-14T01:33:00.000-08:00

Following the trend of these days I played (locally) with one of the latest release of LOIC (Low Orbit Ion Cannon DDOS Tool). Inserting a long (not so) string on the topic of a C&C irc channel, there seems to be a memory corruption condition. The screen shot above show a crafted topic that trigger the issue. The impacted tested released is the 1.1.1.15. A few more details related to the .NET

cve-2010-4091 exploited ? – 0.2 – Adobe Reader 9.3.0

2010-11-30T03:15:00.000-08:00

Starting from the malwaretracker sample (see my previous posts) seem that edx and ecx are set to some interesting values:

cve-2010-4091 exploited ? – 0.1

2010-11-25T08:43:00.001-08:00

Trying to reversing the shell code contained within the PDF that seem exploit CVE-2010-4091, in according with the sample reported by MalwareTracker, it’s been founded the following URL: http://212.117.168.89/ad/fi_16.php From Robtex: The URL above at this time is down or not more available. Did really exploited for retrieve malware from

cve-2010-4091 exploited ?

2010-11-19T06:40:00.001-08:00

November 24, 2010 – Update: Looking for other exploiting attempts I found a Malwaretracker sample where the PDF seem spread via URL that contains: filepdf.php@v=zday The following analysis report the objects used within this PDF (that is different from the fulldisclosure PDF): http://www.malwaretracker.com/pdfsearch.php?hash=0398e68507882a38a26a341058c94653&submit=Search November 22

cve-2010-4091 – printSeps - exploitation attempts

2010-11-11T16:57:00.000-08:00

November 26, 2010 – update: This is a very useful presentation (from Immunity Sec) where is possible get some methods for approach the reversing of Java script engine in Adobe Reader context: Attacking Embedded Languages http://www.immunitysec.com/downloads/ID_reCON_2008.odp November 16, 2010 – update: In previous post I didn’t report where is the place in the

full disclosure xpl.pdf Adober Reader 9.4 poc - printSeps() - cve-2010-4091

2010-11-04T08:24:00.000-07:00

November 26,2010 – Update: Thank you, Mario, but our printSeps() is in another castle ! http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/26/Thank-you-Mario-but-our-printSeps%28%29-is-in-another-castle November 22, 2010 – Update: Who’s looking for eggs in your PDF? (reported also in cve-2010-4091 exploited ?) http://labs.m86security.com/2010/11/

CVE-2010-3962 - yet another Internet Explorer RCE

2010-11-03T09:09:00.000-07:00

Update - November, 12 2010: Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day http://community.websense.com/blogs/securitylabs/archive/2010/11/10/Amnesty-International-Hong-Kong-Website-Injected-With-Latest-Internet-Explorer-0_2D00_day-.aspx Update - November, 5 2010: CVE-2010-3962 - BindShell proof of concept: http://www.offensive-security.com/0day/ie-

CVE-2010-3765 - proof of concept - update

2010-10-28T02:40:00.000-07:00

October, 29 1010 - UPDATE: the working exploit (in according with BugX blog): http://bugix-security.blogspot.com/2010/10/firefox-exploitcve-2010-3765.html October, 28 2010 For those who still do not know .. The proof of concept for CVE-2010-3765 is the following: More details at: https://bugzilla.mozilla.org/show_bug.cgi?id=607222. The issue seem resolved with Firefox

Some domains for the LICAT / Murofet / Trojan/ZBOT.B threat

2010-10-14T08:24:00.001-07:00

Update (2 November): A deep and very itneresting analysis from Trend Micro: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/file-patching_zbot_variants_-_zeus_2.0_levels_up__oct_2010_.pdf Update (15 October): ThreatExpert has release the domain name generation algorithm for MUROFET/Licat http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html

dollars javascript code – yet another Javascript obfuscation method for cc frauds ( and black hat seo ) – part 0.2

2010-10-06T07:12:00.001-07:00

Trying to find some common factors in the pages included in the compromised sites (as indicated in the previous post (http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another.html) there is evidence of a large number of sites that are suffering the same problem. In particular, using keywords that are common to many of these malicious pages, you have the following results:

dollars javascript code – yet another Javascript obfuscation method for cc frauds

2010-10-05T16:17:00.000-07:00

January 25, 2011 – Update: a detailed analysis also where is reported my post: Internet Explorer exSploit Milk codes http://utf-8.jp/public/20101106/avtokyo.pptx October 5, 2010: From MDL forum, I get a post where a user (many thanks to Edgar) has been reported a strange Javascript code injected in some Italian web site. Specifically the message is located at the following URL: http://

DLL Hijacking - my test cases on a default HP notebook installation - CyberLink products vulnerable

2010-08-25T19:23:00.000-07:00

CyberLink products appears like vulnerable. The Cyberlink tools (such as powet2go) exist in the default installation of the HP 64bit notebook (with Microsoft Windows 7). . I have check and test the proof of concept generated by dllhijacking. The products are: - CyberLink PowerDirector v7 - CyberLink Power2Go DVD v6.0 The issue is trigger with the iso,pdl,pds,p2g and p2i file

DLL Hijacking - my test cases

2010-08-25T08:45:00.000-07:00

One of my testcases list on a VM system.

Sorry, you may have found a bug.... (in Fiddler)

2010-08-25T02:05:00.000-07:00

Playing with the HD Moore tools for dll hicjacking stuff (Exploiting DLL Hijacking Flaws) , I found this interesting result on once of my VM: I don't know if I have time to spent for a deep investigation about this possible Fiddler bug... but in some cases the side effects are your best friends.

strange .info TLD domains

2010-07-30T06:12:00.000-07:00

Looking for something that might attract my attention I found the following URL: 9-4-1-0-1-4-1-1-1-0-.0-0-0-0-0-0-0-0-0-0-0-0-0-49-0-0-0-0-0-0-0-0-0-0-0-0-0.info If at a first look may appears like a nonsense URL, googling more I found this message on Symantec community blog where is said something about: http://www.symantec.com/connect/blogs/malware-infections Seems that this kind of domains

Win32/Chymine.A

2010-07-27T08:53:00.000-07:00

Reading something about this trojan, which use the CVE-2010-2568 as spreading vector, I found that the binary is located at hxxxp://205.209.171.119/bin.exe. The process try to contact the following host: imoges.dyndns.tv From Robtex: