https://www.matteomalvica.com/categories/security/ Recent content in Security on Hugo en This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. Thu, 24 Sep 2020 00:00:00 +0000 https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/ Thu, 24 Sep 2020 00:00:00 +0000 https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/ Preamble - Why are drivers still a valuable target? Kernels are, no euphemism intended, complex piece of software and the Windows OS is no exception. Being one of the toughest to scrutinize due to its lack of source code and undocumented APIs, it is now being more documented thanks to the immense effort from the research community. Regrettably, during recent times, it has also increased in complexity and its mitigation way improved. https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/ Wed, 15 Jul 2020 00:00:00 +0000 https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/ Backround - TL;DR This post is about resuming the very inspiring Rui’s piece on Windows Kernel’s callbacks and taking it a little further by extending new functionalities and build an all-purpose AV/EDR runtime detection bypass. Specifically, we are going to see how Kaspersky Total Security and Windows Defender are using kernel callbacks to either inhibit us from accessing LSASS loaded module or detect malicious activities. We’ll then use our evil driver to temporarily silence any registered AV’s callbacks and restore EDR original code once we are done with our task. https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/ Thu, 21 May 2020 00:00:00 +0000 https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/ Intro - TL;DR On April 29th, exploit-db published a Local Privilege Escalation (LPE) exploit for Druva InSync. Druva had by then implemented a patch on their latest InSync release, fixing the bug. However, the patch introduced an additional bug, paving the way for further exploitation and making it possible for a local low-privileged user to obtain SYSTEM level privileges. A team from Tenable Research and I concurrently discovered this new vulnerability, resulting in a new CVE (CVE-2020-5752) and exploit being published. https://www.matteomalvica.com/blog/2020/04/10/x64-trap-flag-antidebugger/ Fri, 10 Apr 2020 00:00:00 +0000 https://www.matteomalvica.com/blog/2020/04/10/x64-trap-flag-antidebugger/ A single step for a debugger a giant leap for the obfuscator. When a debugger hits a breakpoint, it can perform single-stepping into the subsequent instructions by halting itself each time. To do so, it uses a specially crafted flag called Trap Flag (TF) residing at 0x8th bit position inside the EFLAGS x86 register. If the Trap Flag is enabled, the processor then triggers an interrupt after each instruction has been executed. https://www.matteomalvica.com/blog/2020/03/24/heappo-windbg-heap-tracing/ Tue, 24 Mar 2020 00:00:00 +0000 https://www.matteomalvica.com/blog/2020/03/24/heappo-windbg-heap-tracing/ Preface During these days of forced quarantine time-off, I have been reviewing notes and exercises from the outstanding Corelan Advanced training I took last October at Brucon, and so I decided to work on some tooling I had in mind lately. The idea came from thisresearch by Sam Brown from F-Secure: after testing the tool I decided to port it to the latest PyKD version to support both Python3 and Python2, and can run on both x86 and x64 (tested on latest Win10 1909) I aptly named this effort Heappo and here some of its key-features and enhancements. https://www.matteomalvica.com/blog/2020/01/20/mimikatz-lsass-dump-windg-pykd/ Mon, 20 Jan 2020 00:00:00 +0000 https://www.matteomalvica.com/blog/2020/01/20/mimikatz-lsass-dump-windg-pykd/ Preface All the value that a tool such as mimikatz provides in extrapolating Windows credential’s from memory resides in every pentester’s heart and guts. It is so resilient and flexible that it has quickly become the de facto standard in credential dumping and we cannot thank Benjamin Delpy enough for the immense quality work that has been done in recent years. Since the code is open source , I recently decided to take up the not-so-leisurely hobby of understanding the mimikatz codebase. https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ Mon, 02 Dec 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ Intro Recently, I became rather intrigued after reading this article from MSTIC about how Windows Defender Advanced Threat Protection (WDATP) is supposed to detect credential dumping by statistically probing the amount of data read from the LSASS process. A little background is first necessary, though: on a host guarded by WDATP, when a standard credential-dumper such as mimikatz is executed, it should trigger an alert like the following one. https://www.matteomalvica.com/blog/2019/11/18/linux-syscall-monitoring/ Mon, 18 Nov 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/11/18/linux-syscall-monitoring/ This ten-year-old vulnerability found by Chris Evans should remind us once more how, on modern linux systems, is important to take care of how we do security monitoring of software and user behaviour on modern linux systems. Here’s the knot. This simple assembly code spwans /bin/sh via execve and then exit. BITS 64 global _start section .text _start: jmp short jump main: pop rbx ; stack needs x64 register [rbx]- ; string address offset fits into 32 bit though xor eax, eax mov ecx, eax mov edx, eax mov al, 0xb int 0x80 ; execve_syscall xor eax,eax inc eax int 0x80 ; exit_syscall jump: call main message db "/bin/sh" If we compile it as an x64 ELF binary we can start noticing a few shenanigans. https://www.matteomalvica.com/blog/2019/07/06/windows-kernel-shellcode/ Sat, 06 Jul 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/07/06/windows-kernel-shellcode/ Intro As opposed to the multi-purpose windows’ userland shellcode, kernel ones merely try to elevate privileges and obtain an NT\SYSTEM status. There are several ways to accomplish this, and we are going to explore some of the different scenarios. Most of the following ideas have been inspired by Morten Schenk and Cesar Cerrudo excellent works, which I have then gathered and readapted to the latest Win10 version. Before jumping too quickly into shellcoding, we want would like to setup a comfortable and easy-to-fire shellcode loader on our system. https://www.matteomalvica.com/blog/2019/06/13/converting-win-shellcode-from-msfvenom-to-fasm/ Thu, 13 Jun 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/06/13/converting-win-shellcode-from-msfvenom-to-fasm/ Intro During the last couple of weeks I started focusing more and more on windows internals and the way shellcode is crafted for the different windows platforms. There are many good windows shellcodes examples available out for grabs on the internet, but some of them are written in MASM or others are not so keen having a small memory footprint. Hence, I decided to focus on probably the best shellcode actively mantained repository: msfvenom. https://www.matteomalvica.com/blog/2019/05/18/injecting-shellcode-into-x64-elf-binaries/ Sat, 18 May 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/05/18/injecting-shellcode-into-x64-elf-binaries/ Intro Recently, I have decided to tackle another challenge from the Practical Binary Analysis book, which is the latest one from Chapter 7. It asks the reader to create a parasite binary from a legitimate one. I have picked ps, the process snapshot utility, where I have implanted a bind-shell as a child process. DISCLAIMER : The following PoC will work only on a non-PIE binary due to the hardcoded entry-point address https://www.matteomalvica.com/blog/2019/04/17/baffling-objdump/ Wed, 17 Apr 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/04/17/baffling-objdump/ objdump is one of the most widley adopted linear disassembler, which often gives a significant help during initial binary analysis. A linear disassmbling algorithm, as opposed to a recursive one, is faster but also more prone to errors, as it only weeps through the file sections one instruction at a time, instead of inspecting every conditional statement. Here, I would like to give a simple demo of how easily objdump can be confused, by filling the binary with instructions in the rdata section and strings in the text section. https://www.matteomalvica.com/blog/2019/03/31/pba-ctf-level7/ Sun, 31 Mar 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/03/31/pba-ctf-level7/ Following the wake of the previous post, here is Practical Binary Analysis level 7 CTF walkthrough. As we pay attention to the oracle’s hint, we begin to suspect that this level might be two-staged: $ ./oracle 0fa355cbec64a05f7a5d050e836b1a1f -h Find out what I expect, then trace me for a hint If we try to open the level7 file 1.$ ./lvl7 -bash: ./lvl7: cannot execute binary file: Exec format error $ file lvl7 lvl7: gzip compressed data, last modified: Sat Dec 1 17:30:15 2018, from Unix We can see it’s a gzip format, so we need to decompress it first. https://www.matteomalvica.com/blog/2019/03/25/pba-ctf-level6/ Mon, 25 Mar 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/03/25/pba-ctf-level6/ During the last month I have been busy reading this awesome book by Dennis Andriesse, which quickly became one of my favourite reads on the subject: it does an excellent job on covering the foundation about Linux’s binary analysis and also going above and beyond by providing the reader with all the necessary techniques to be highly proficient and effective when dealing with such alchemical matter. Chapter 5 has the purpose of illustrating all these different tools of the trade which culminates with an intriguing CTF, whose goal is to challenge the reader to put in practice all the skills&tricks gained up to this point. https://www.matteomalvica.com/blog/2019/01/21/custom-base64-alphabet-encoder/decoder/ Mon, 21 Jan 2019 00:00:00 +0000 https://www.matteomalvica.com/blog/2019/01/21/custom-base64-alphabet-encoder/decoder/ As I am spending slices of my time refreshing some Malware Analysis theory, I thought was valuable (at least to my future amnesiac self) writing down a simple ‘custom base64 alphabet translator.’ This can/should be extended to support CLI/WebApp i ntegration. So, here is the skeleton: UPDATE: added interactive mode below and also found this great tool which is already doing what I aimed for and much more. import string import base64 # custom encoding function def EncodeCustomBase64(stringToBeEncoded,custom_b64): standard_b64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' encoded = base64. https://www.matteomalvica.com/blog/2018/12/05/detecting-vmware-on-64-bit-systems/ Wed, 05 Dec 2018 00:00:00 +0000 https://www.matteomalvica.com/blog/2018/12/05/detecting-vmware-on-64-bit-systems/ Hot on the heels of the latest post, I have decided to port to linux another lab example from Intermediate x86 class. This time I will talk about the RedPill paper by Joanna Rutkowska. This test is expected to work on single-core CPUs only The main purpose of this test code is to call the SIDT instruction and save its return value inside an array: this value will tell us whether we are running it inside a vm or not.