Didier Stevens

Thursday 18 April 2013

search-and-replace-with-wildcards.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the third one.

010 Editor has a search feature with wildcards (like FC 01 * 10 CF), but no search and replace with wildcards (like FC 01 * 10 CF -> FD 02 * 20 DF). This scripts implements such a feature.

search-and-replace-with-wildcards_v0_0_1.zip (https)
MD5: 7D620E8BEFFD4ED5563D9944C9B0B859
SHA256: B7F074304660A8DBF7AB2261D8619FFFFD461EFB5EE4C6E42880C87A3C1A4AB7

Wednesday 17 April 2013

fuzzer.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the second one.

fuzzer.1sc is a 010 Editor script that implements a simple fuzzer. It overwrites bytes in a file or selection. A selection is particularly useful combined with a template. For example, with a couple of clicks you can fuzz the control structures of a JPEG image.

4 parameters (number of fuzz sequences to overwrite, minimum length and maximum length of a sequence, and the fuzz character) allow you to control the random overwriting process.

fuzzer_v0_0_1.zip (https)
MD5: E9B7114952E81A504C7CF3B06B99B5CF
SHA256: CF399EE2D86B6039236608F4FE882E579D7DCFED1DA980B4124ED06FD0C5807A

Tuesday 16 April 2013

shift.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the first one.

shift.1sc is a 010 Editor script that allows you to shift bytes in a file or selection.

shift_v0_0_1.zip (https)
MD5: 0E98DD182D12839FD86A30E696414E0A
SHA256: 07D849E9E898AFA705E57474FADFF001C9CAF9DB1D51AD8C9EB7E9A2A765D714

Monday 15 April 2013

New Tool: XORStrings

Filed under: Forensics,My Software,Reverse Engineering — Didier Stevens @ 0:00

XORStrings is best described as the combination of my XORSearch tool and the well-known strings command.

XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length. The report is sorted by the number of strings found, but can also be sorted by the maximum string length (use option -m). By default, the string terminator is 0x00, but you can provide your own with option -t, like the space character (0x20) in this example:

20130308-213053

I’ve used XORStrings to identify the encoding used in TeamViewer traffic.

There are more options than the ones I mentioned here. I’ll create a dedicated page for this tool, but for now, I invite you to discover the options yourself.

XORStrings_V0_0_1.zip (https)
MD5: 27DA0B3BC5296179CB58181BDFF99F8D
SHA256: 5EA7E063A41E38E9E6277F1CD73FCEA2AEF50C33C44D75C226900314FF84A1B5

Wednesday 27 March 2013

Cisco IOS Patching: Defense and Offense

Filed under: Forensics,Hacking,Networking,Reverse Engineering — Didier Stevens @ 22:39

I will give a talk on network forensics at my local ISSA chapter.

I’m preparing it with a couple of PoCs.

First PoC is how changing the canary value 0xFD0110DF to another value can provide defense against exploits like FX explained in this paper. I changed the appropriate instructions so that IOS uses canary value OxFC0220CF. You can see it at the bottom of this memory dump:

20130327-232310

Second PoC is how I can change the behavior of an IOS command for offensive purposes. Topo mentioned this idea at Black Hat. The verify command checks the embedded MD5 signature in an IOS image. I patched the appropriate instructions so that the verify command always reports a valid signature, regardless of the actual embedded value:

20130327-233004

I did not change CCO hash. This is the MD5 hash of the complete IOS image. I did not change this on purpose, but it would be as easy as changing the embedded hash. If you lookup this CCO hash with Cisco, you will not find it.

Thursday 21 March 2013

Update: PDFiD Version 0.1.2

Filed under: My Software,PDF,Update — Didier Stevens @ 9:05

This new version is a bugfix version for Python 3 plus I added a new name in the default report: /XFA

pdfid_v0_1_2.zip (https)
MD5: 60FC17757201F014A6ADA0744B74A740
SHA256: 1CF36C50427A2206275C322A8C098CD96A844CAF6077B105ADE9B1974789856F

Wednesday 13 March 2013

Update: pdf-parser Version 0.4.1

Filed under: My Software,PDF,Update — Didier Stevens @ 21:24

From version 0.4.1 on, you can also pass a URL or a ZIP file as argument to pdf-parser:

pdf-parser.py http://example.com/doc.pdf
pdf-parser.py maldoc.zip

When you pass a URL as argument, pdf-parser will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.

Passing a ZIP file as argument instructs pdf-parser to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, pdf-parser will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.

Further changes are: bug fixes, performance improvement and option –content. This option allows you to view the content of an object without stream or with stream but without filters.

pdf-parser_V0_4_1.zip (https)
MD5: A0314C0CD8AAE376C7448E74D4A7472C
SHA256: 633B7400015B2C936103CC64C37435FB333B0F2634B2A6CD3A8949EAB1D18E9B

Thursday 7 March 2013

Update: PDFiD Version 0.1.0

Filed under: My Software,PDF,Update — Didier Stevens @ 5:00

A month before my PDF training at HITB, it’s time to release new versions of my pdf tools.

I start with PDFiD. From version 0.1.0 on, you can also pass a URL or a ZIP file as argument to PDFiD:

pdfid.py http://example.com/doc.pdf
pdfid.py maldoc.zip

When you pass a URL as argument, PDFiD will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.

Passing a ZIP file as argument instructs PDFiD to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, PDFiD will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.

pdfid_v0_1_0.zip (https)
MD5: 6A5FF56C22EF2745C3D78C8FD8ACA01F
SHA256: D72FE8555DC89808EE7BFC9F791AD819A465106A95801C09C31B0FD2644B3977

Monday 25 February 2013

Looking Up Hosts and IP Addresses: Yet Another Tool

Filed under: My Software,Networking — Didier Stevens @ 19:30

One last thing regarding my TeamViewer research: I had to resolve a bunch of hostnames and IP addresses, so I quickly wrote a Python program that did just that. Later I took the time to make some generic and versatile programs: lookup-hosts.py and lookup-ips.py.

lookup-hosts.py takes hostnames or files with hostnames via arguments or stdin, and then uses getaddrinfo to lookup the IP addresses. And you can use a counter if you need to lookup sequentially numbered hosts, like this: master[0-20].teamviewer.com. This will instruct the program to lookup master0.teamviewer.com, master1.teamviewer.com, … and master20.teamviewer.com. If you need a leading zero, use this syntax: master[0-20:2].teamviewer.com

The programs take options, use the -h option to explore them.

As it names implies, lookup-ips.py does the opposite of lookup-hosts.py by using gethostbyaddr. You provide it IP addresses and/or subnets (like X.X.X.X/24).

20130225-194749

lookup-tools_V0_0_1.zip (https)
MD5: EB9C5BEF25EC5ED0F44297AA8A04679E
SHA256: 755E98BA0BC09C31E58ED4BF7B08CD42467BBF9B129C77DD6D558FD6B6E27124

Wednesday 20 February 2013

Update XORSearch V1.8.0: Shifting

Filed under: My Software,OSX,Reverse Engineering,Update — Didier Stevens @ 21:32

This new version of XORSearch comes with a new operation: shifting left.

It comes in handy to reverse engineer protocols like TeamViewer’s remote access protocol.

Here’s an example. When you run TeamViewer, your machine gets an ID:

20-02-2013 22-11-39

We capture some TeamViewer traffic with Wireshark, and then we use XORSearch to search for TeamViewer ID 441055893 in this traffic:

20130216-231230

And as you can see, XORSearch finds this ID by left-shifting the content of the pcap file with one bit.

« Previous PageNext Page »

Blog at WordPress.com.