After trying to get a copy of http.sys to examine, I discovered that it appeared to be in use on my desktop. Looking in to it, I found three desktop services using the HTTP Service provided by http.sys. There may be more, less obvious, vulnerable services/systems than just web servers. This post also demonstrates a brute-force approach to finding dependent services, for when you can’t find the proper way of doing so quickly enough.
What do you do when you’re a university student who’s just learnt about network sniffing and how anyone can capture your (unencrypted) UNIX account credentials from the network and log in as you? You create a challenge-response authentication system using a Bourne Shell script to stop them of course. It is also how I almost locked myself out of my university UNIX account. Continue Reading
Remember my parsetds.py script to extract data from MS-SQL TDS streams? Well here is a bit of an introduction to the Bro Network Security Monitoring software which implements my parsetds.py functionality using Bro‘s scripting language.
If you find monitoring networks for security related artefacts interesting, or it’s your job, then read on as I demonstrate some of Bro‘s scripting flexibility by using it to extract MS-SQL commands and login information from network traffic.
It’s been four months since the Bash ShellShock vulnerability was made public, and for some reason I hadn’t thought of modifying Dionaea to analyse and download any URLs in inbound ShellShock exploits until a week ago! If you’re interested in using Dionaea to download the URLs that in-the-wild ShellShock exploits are trying to download, or if you just like hairy regular expressions, then read on. Continue Reading
You may have heard about the shellshock bash vulnerability that allows remote code execution by setting a specially crafted environment variable before running bash. I investigated whether it was possible to place something in front of bash to attempt to detect and protect against a potential exploit.
It’s been about a year and a half since I wrote about a behavioural approach to automated unpacking, and I figured it was time to add some more functionality to unpack.py. This time, I’m going to look at malware decrypting/decompressing code from within itself, and process hollowing, and see if we can capture the decrypted/decompressed/newly written memory. Let’s spruce unpack.py up a tad. Continue Reading
It’s been two years since I launched malwaremusings.com, and a good time to launch malwearmusings — wearable malwaremusings. That is, t-shirts, albeit geeky ones. Continue Reading