As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fourth one.
pecheck.py is a wrapper for pefile, but this version has a new feature: check a PE file stored in a (password protected) ZIP file (password infected).
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the third one.
010 Editor has a search feature with wildcards (like FC 01 * 10 CF), but no search and replace with wildcards (like FC 01 * 10 CF -> FD 02 * 20 DF). This scripts implements such a feature.
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the second one.
fuzzer.1sc is a 010 Editor script that implements a simple fuzzer. It overwrites bytes in a file or selection. A selection is particularly useful combined with a template. For example, with a couple of clicks you can fuzz the control structures of a JPEG image.
4 parameters (number of fuzz sequences to overwrite, minimum length and maximum length of a sequence, and the fuzz character) allow you to control the random overwriting process.
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the first one.
shift.1sc is a 010 Editor script that allows you to shift bytes in a file or selection.
XORStrings is best described as the combination of my XORSearch tool and the well-known strings command.
XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length. The report is sorted by the number of strings found, but can also be sorted by the maximum string length (use option -m). By default, the string terminator is 0×00, but you can provide your own with option -t, like the space character (0×20) in this example:
I’ve used XORStrings to identify the encoding used in TeamViewer traffic.
There are more options than the ones I mentioned here. I’ll create a dedicated page for this tool, but for now, I invite you to discover the options yourself.
I will give a talk on network forensics at my local ISSA chapter.
I’m preparing it with a couple of PoCs.
First PoC is how changing the canary value 0xFD0110DF to another value can provide defense against exploits like FX explained in this paper. I changed the appropriate instructions so that IOS uses canary value OxFC0220CF. You can see it at the bottom of this memory dump:
Second PoC is how I can change the behavior of an IOS command for offensive purposes. Topo mentioned this idea at Black Hat. The verify command checks the embedded MD5 signature in an IOS image. I patched the appropriate instructions so that the verify command always reports a valid signature, regardless of the actual embedded value:
I did not change CCO hash. This is the MD5 hash of the complete IOS image. I did not change this on purpose, but it would be as easy as changing the embedded hash. If you lookup this CCO hash with Cisco, you will not find it.
This new version is a bugfix version for Python 3 plus I added a new name in the default report: /XFA
From version 0.4.1 on, you can also pass a URL or a ZIP file as argument to pdf-parser:
When you pass a URL as argument, pdf-parser will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.
Passing a ZIP file as argument instructs pdf-parser to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, pdf-parser will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.
Further changes are: bug fixes, performance improvement and option –content. This option allows you to view the content of an object without stream or with stream but without filters.
A month before my PDF training at HITB, it’s time to release new versions of my pdf tools.
I start with PDFiD. From version 0.1.0 on, you can also pass a URL or a ZIP file as argument to PDFiD:
When you pass a URL as argument, PDFiD will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.
Passing a ZIP file as argument instructs PDFiD to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, PDFiD will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.
One last thing regarding my TeamViewer research: I had to resolve a bunch of hostnames and IP addresses, so I quickly wrote a Python program that did just that. Later I took the time to make some generic and versatile programs: lookup-hosts.py and lookup-ips.py.
lookup-hosts.py takes hostnames or files with hostnames via arguments or stdin, and then uses getaddrinfo to lookup the IP addresses. And you can use a counter if you need to lookup sequentially numbered hosts, like this: master[0-20].teamviewer.com. This will instruct the program to lookup master0.teamviewer.com, master1.teamviewer.com, … and master20.teamviewer.com. If you need a leading zero, use this syntax: master[0-20:2].teamviewer.com
The programs take options, use the -h option to explore them.
As it names implies, lookup-ips.py does the opposite of lookup-hosts.py by using gethostbyaddr. You provide it IP addresses and/or subnets (like X.X.X.X/24).