After trying to get a copy of http.sys to examine, I discovered that it appeared to be in use on my desktop. Looking into it, I found three desktop services using the HTTP Service provided by http.sys. There may be more, less obvious, vulnerable services/systems than just web servers. This post also demonstrates a brute-force approach to finding dependent services, for when you can’t find the proper way of doing so quickly enough.
Vulnerabilities and Exploits
Blog posts related to vulnerabilities and known exploits thereof.
It’s been four months since the Bash ShellShock vulnerability was made public, and for some reason I hadn’t thought of modifying Dionaea to analyse and download any URLs in inbound ShellShock exploits until a week ago! If you’re interested in using Dionaea to download the URLs that in-the-wild ShellShock exploits are trying to download, or if you just like hairy regular expressions, then read on.
You may have heard about the shellshock bash vulnerability that allows remote code execution by setting a specially crafted environment variable before running bash. I investigated whether it was possible to place something in front of bash to attempt to detect and protect against a potential exploit.
What do you do when you notice MS-SQL connections topping the list of top ten destination ports hitting your honeynet? You install an MS-SQL server, give the sa user a weak password, and see what happens of course (don’t try this at home).
This post explains some measures that you can take to prevent the MySQL cna12.dll attacks from infecting your MySQL server. It follows on from a previous post which explains the attacks. If you find that a cna12.dll file or a piress user account keeps reappearing on your MySQL server, then read on.
Have you, or your anti-virus software, noticed a file called ‘cna12.dll’ on your computer? Have you suddenly found that you have an imaginary friend called ‘piress’ whom you didn’t know about? If so, you may have fallen victim to a MySQL attack (and ‘piress’ may not be so imaginary, nor friendly for that matter).
Seeing an increase in MySQL attacks hitting your network and interested in knowing more about them? This post discusses how to run the attack within the Cuckoo Sandbox. Subsequent posts will analyse the results.
Seeing an increase in MySQL attacks hitting your network and interested in knowing more about them? This post follows on from the previous posts in this series, and analyses the binary file, cna12.dll, extracted from the MySQL commands.
Seeing an increase in MySQL attacks hitting your network and interested in knowing more about them? If so, then these posts are for you. They have all the fun involved from noticing an increase in traffic to extracting malware from a packet capture and analysing it. If you like the thrills and spills of scripting information processing tasks, then read on as this post will show you how to extract the binary files from the MySQL commands.
I don’t think anyone will be too surprised if I mention receiving yet another fake email. This time I’ve received two emails claiming that I have new LinkedIn messages. Given the email address that it was sent to, I’m wondering if this is a result of an information leak that LinkedIn apparently experienced back in June 2012.