Congratulations to the winners of the BlueHat Prize contest.
My entry was CounterHeapSpray:
CounterHeapSpray monitors the private memory usage of an application to guard against heap sprays. When the private memory usage of the application exceeds a predefined threshold, CounterHeapSpray assumes that a heap spray is ongoing and will pre-allocate virtual memory pages and populate these pages with its own shellcode. When the heap spray terminates and the exploit executes, code execution will transfer to CounterHeapSpray’s own shellcode. This shellcode will suspend all threads and display a warning message for the user. When the user clicks OK, CounterHeapSpray’s shellcode terminates the application.
By planting its own shellcode before the heap spray can fill the heap with malicious shellcode, CounterHeapSpray not only prevents execution of this malicious shellcode but is able to suspend the process and to inform the user of the attack.
I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.
Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.
Here is a new spreadsheet that lists all installed programs. It does this by enumerating registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
This spreadsheet works on 32-bit and 64-bit Excel.
I’ve worked together with Daniel Miller (@bonsaiviking) on an Nmap version script to identify the McAfee ePO Agent. By default, this agent listens on port 8081 and replies to HTTP requests.
You can find the script here on the nmap site.
PORT STATE SERVICE VERSION
8081/tcp open http McAfee ePolicy Orchestrator Agent 220.127.116.112 (ePOServerName: EPOSERVER, AgentGuid: D2E157F4-B917-4D31-BEF0-32074BADF081)
Service Info: Host: TESTSERVER