Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Exploit

[BSidesLV] ExploitHub: Arming the Pen Testers to Plug the Holes

ExploitHub: Arming the Pen Testers to Plug the Holes, presented by Vik Phatak

The State of Security

You can only rely on vendors to a certain point. They can’t protect from everything.

Exploit test results  –> Top 5 (Endpoint protection)

  1. Trend Micro
  2. McAfee
  3. Kaspersky
  4. Sophos
  5. F-Secure

Most of the products tested do significantly better at detecting the original exploit than a variant (altered payload, etc.).

It’s not about a single product, however; a combination of protections gives the best overall protection.

When using evasion techniques, no vendor comes out clean.

So how do you make things better –> By shining a light on it, and putting public pressure on the vendors.

Between Metasploit, Core and Canvas… under 10% of vulns are accounted for with a working exploit. This means 90% of vulns aren’t easily exploitable.

Just because it’s not in these products, doesn’t mean you’re secure.

Leveling the playing field

This is where the problem lies. The bad guys have some of these exploits. These aren’t always 0-day, they’re things that have been patched but there’s no PUBLIC exploit available for it.

How do we level the playing field? The security researchers aren’t getting together to share!

The answer is to create a marketplace for exploits…. you choose the price and see who wants to buy!

Connecting the buyers who need the exploit, with the sellers who have the technical skill to write the exploit.

No more free bugs… maybe this is the solution?

Exploit Hub

Guiding principles

  • Enabling whitehats to do their job
  • Legitimize researchers
  • Create economically sustainable ecosystem
  • Researchers control the content and prices
    • If you want to sell an exploit for $10,000 per download… feel free

Working closely with Metasploit to create templates and integrate with Metasploit. Making it easier to buy and use without trying to get an exploit working first!

NSS Role –> Validation of the exploit where possible, making available in the store

Goal is to increase availability of exploits

0-day (unpatched) exploits won’t be made available, to prevent the blackmail of companies



  • Vik Phatak Bio –> LINK
  • NSSLabs –> LINK

0-Day in Microsoft Windows Help Centre

Tavis Ormandy (@Taviso) has just released the technical information about a bug he discovered in the Microsoft Windows Help Centre. Tavis has released a good technical breakdown of the vulnerability along with some hints for mitigation on his website –> (UPDATE: this link now forwards to the advisory on Full Disclosure).

Having looked at the PoC it’s amazing in its simplicity. I’m sure there’s an art to making such complex things look so effortless 😉

PoC removed…. please check the advisory for the full PoC

Currently there’s no patch available from Microsoft to fix this issue (although the Microsoft Security Team have been informed). Tavis gives a few points of mitigation within the advisory that might be useful to reduce exposure. Please see the advisory for full technical information.

I’m sure this one will end up in Metasploit within a very (very) short time as the PoC seems to be simple enough to change into a workable module. So best mitigate this while you can!


  • Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly –> Advisory (Full Disclosure)
  • Link directly to PoC –> Use Caution!
  • Tavis Ormandy –> Twitter, Homepage

Internet Explorer iepeers.dll use-after-free

A few days back (9th March 2010), Microsoft confirmed the presence of an (as yet) un-patched vulnerability in Internet Explorer 6 and 7. McAfee also released information regarding targeted attacks discovered in the wild actively using this exploit. Since then, full information about the vulnerability and proof of concept code has been publicly released. As usual, the great guys behind Metasploit have a working exploit courtesy of Trancer at http://www.rec-sec.com.

After fighting with my VMware install under Ubuntu 10.04 (yes, I know…. it’s Alpha, why is that on your main box!!!) last night after the release, I finally got a chance to play a little with the exploit today in a test environment. As you can imagine the exploit is simple to use and works like a charm (at least in the testing I’ve done). I’ve put together a quick video of the exploit for those that want to show their management types why this is such a serious issue.

I particularly like the addition of migrate -f automatically into the exploit (see ‘show advanced’). This spawns a new notepad process and migrates to it, so that if the victim closes/kills IE, the meterpreter session won’t be automatically killed along with the process. You learn something new every day!

Microsoft have now posted a number of workarounds (most centred around disabling or limiting access to the peer class). For more information check out KB981374 and CVE-2010-0806.

All credit for the exploit goes to Trancer, and all credit to HD Moore and the Metasploit team for producing such a great tool for people like me (another tool) to rely on so much.

Keep up the good work.

Typo3 Weak Encryption Key

A few months back I discovered a vulnerability in the core of Typo3 (versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3). Now that the Typo3 security team have responded with a patch against this issue (see the official Security Note from the Typo3 security team) I can release the details of the vulnerability, as well as some proof-of-concept python scripts that I’ve been holding onto now for a while. The Typo3 Security Team were very quick to respond to the issue, and I found them very good to work with during the disclosure process. If only some larger companies were so easy to work with, and responsive.

The following announcement has been made public in co-ordination with the Typo3 Security Team.

Technical Details <— link to release information

PoC Tools <— Link to tools

For those looking for a brief overview in 100 words or less:

The default encryption key used by Typo3 is created at setup time using inadequate sources of entropy. This design flaw resulted in there being only 1000 possible keys. If an administrator manually changes the Encryption Key through the administrative install console, then this vulnerability can be avoided.

Alongside this flaw, Typo3 also uses the Encryption Key to create MD5 hashes that protect URL links from being manipulated (see the full release information for more details and examples). In this case, the Encryption Key is the only piece of information not directly available to the end-user. This allows an attacker to perform an offline brute-force against the Encryption Key. Breaking this key could allow an attacker to form malicious URLs containing script commands of their choice.

The PoC scripts for this are available for demonstration purposes only. Any comments are gratefully received.
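As an added illustration (not the PoC scripts from this post, and not Typo3’s real key derivation or link-hash format, which are simplified stand-ins here), the Python below shows why a 1000-key space defeats a keyed MD5 link hash: a single captured signed link is enough to search the whole space offline, whereas a key drawn from the OS CSPRNG, as an admin-set key should be, is out of reach. All function names and the sample query parameters are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed illustration: Typo3's actual key derivation and link-hash
# format are NOT reproduced; only the size of the key space matters here.

def sign_link(params: dict, key: str) -> str:
    """Append an MD5 tag computed over the query string plus the secret key."""
    canonical = urlencode(sorted(params.items()))
    tag = hashlib.md5((canonical + key).encode()).hexdigest()
    return canonical + "&hash=" + tag

def verify_link(query: str, key: str) -> bool:
    """Recompute the tag with the server's key and compare in constant time."""
    body, sep, tag = query.rpartition("&hash=")
    if not sep:
        return False
    expected = hashlib.md5((body + key).encode()).hexdigest()
    return hmac.compare_digest(expected, tag)

def weak_key(seed: int) -> str:
    """Stand-in for a setup-time key that can only take 1000 distinct values."""
    return hashlib.md5(str(seed % 1000).encode()).hexdigest()

def recover_weak_key(query: str) -> Optional[str]:
    """Offline search of the entire weak key space using one signed link."""
    for seed in range(1000):
        candidate = weak_key(seed)
        if verify_link(query, candidate):
            return candidate
    return None

def strong_key() -> str:
    """Mitigation: 256 bits from the OS CSPRNG (64 hex characters)."""
    return secrets.token_hex(32)

if __name__ == "__main__":
    k = weak_key(437)
    link = sign_link({"id": "5", "type": "1"}, k)
    print("weak key recovered:", recover_weak_key(link) == k)  # True
    print("strong key bits:", len(strong_key()) * 4)           # 256
```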