malware

MS15-002 is a buffer overflow vulnerability in Microsoft's telnet service; the following analyzes its cause and constructs a PoC
MS15-002 is a buffer overflow vulnerability in Microsoft's telnet service; the following analyzes its cause and constructs a PoC. The telnet service process is tlntsvr.exe, and for each client connection it launches a corresponding tlntsess.exe process. The patch modifies the tlntsess.exe file. By diffing the patch, the vulnerable location was determined as follows; the function is signed int __thiscall CRFCProtocol::ProcessDataReceivedOnSocket(CRFCProtocol *this, unsigned __int32 *a2). Before the patch, the function was: [figure] After the patch, the function is: [figure] In other words, what used to be a single buffer has become two; after the call to (*(void (__thiscall **)(CRFCProtocol *, unsigned __int8 **, unsigned __int8 **, unsigned __int8))((char *)&o..

DYNAMIC MALWARE ANALYSIS WITH REMNUX V5 – PART 1
Part 1 illustrates a series of very useful tools and techniques used for dynamic analysis. Security incident handlers and malware analysts can apply this knowledge to analyze a malware sample in a quick fashion using the multi-purpose REMnux v5. This way you can extract IOCs that might be used to identify the malware across your defense systems and aid your incident response actions. ~Luis

Supreme Leader's Not-That-Supreme Malwares
Recently while surfing Reddit, I came across this beautiful subreddit which is dedicated to NK. While reading "mind blowing" miracles of Supreme Leader, I clicked on several links, one link led to another and during my visits to several NK web sites, I came across Korean Central News Agency of DPRK. Just by taking a look at the very top of the HTML source code of the homepage, I saw this code: As you can s..

CapTipper - Malicious HTTP traffic explorer tool
CapTipper is a Python tool to analyze, explore and revive malicious HTTP traffic. CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found. The tool provides the security researcher with easy access to the files and the understanding ..

PVS-Studio dives into Linux insides
We took the Linux kernel from The Linux Kernel Archives. The latest stable kernel, 3.18.1, was checked. While I wrote this article, kernel 3.19-rc1 was already developed. Unfortunately, project check and article writing take a lot of time. That is why it is fine to be satisfied with checking a non-latest version. I want to answer those who would say we should have checked the latest version. We check large amoun..

OSXCollector: Forensic Collection and Automated Analysis for OS X
We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific security alerts. Host-based detectors will tell us about known malware infestations or weird new startup items. Network-based detectors see potential C2 callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, "I think I have like Stuxnet or Conficker or something on..

Time to fill OS X (Blue)tooth: Local privilege escalation vulnerabilities in Yosemite
Motivated by our previous findings, we performed some more tests on the service IOBluetoothHCIController of the latest version of Mac OS X (Yosemite 10.10.1), and we found five additional security issues. The issues have been reported to Apple Security and, since the deadline we agreed upon with them expired, we now disclose details & PoCs for four of them (the last one was notified a few days later a..

CVE-2014-8272: A Case of Weak Session-ID in Dell iDRAC
Following Dan Farmer's IPMI research in August 2013, one of our researchers dug further and discovered another vulnerability in the Dell Baseband Management Controller (also known as iDRAC) implementation of the Intelligent Platform Management Interface (IPMI) v1.5 protocol. This vulnerability, CVE-2014-8272, allows an unauthenticated or lower-privileged attacker to inject arbitrary commands int..

Ntpdc Local Buffer Overflow
Alejandro Hdez (@nitr0usmx) recently tweeted about a trivial buffer overflow in ntpdc, a deprecated NTP query tool still available and packaged with any NTP install. He posted a screenshot of the crash as the result of a large buffer passed into a vulnerable gets call. After digging into it a bit, I decided it'd be a fun exploit to write, and it was. There are a few quirks to it that make it of ..

Repackaging HTML5 Apps into Android Malware
Predictably, with the finalization of the HTML5 standard by the World Wide Web Consortium (W3C) last October, there will be a rapid growth of new HTML5 web apps coming out in the near future. Considering the platform-independent nature of web apps, we foresee that HTML5 will accelerate the repackaging of web apps into mobile apps for malicious intent. A Quick Overview of HTML5 Android Apps Accordi..