Binary's blog
DISCLAIMER - I IN NO WAY ENDORSE ILLEGAL ACTIVITIES - USE THE FOLLOWING POSTS IN A TEST ENVIRONMENT OR AT YOUR OWN LEGAL RISK.
Author: binaryhax0r (http://www.blogger.com/profile/10678479840175512899)
Feed last updated: 2024-03-14

IronPython - Reflection (published 2022-07-29)
As per the IronPython site, IronPython is an open-source implementation of the Python
programming language which is tightly integrated with .NET.
IronPython can use .NET and Python libraries, and other .NET
languages can use Python code just as easily. IronPython is an excellent addition to .NET, providing Python
developers with the power of the .NET. Existing .NET developers

Log4Shell - VMware Horizon (published 2021-12-24)
VMware Horizon (formerly called Horizon View) is a commercial desktop and app virtualization product developed by VMware, Inc. for the Microsoft Windows, Linux and macOS operating systems. VMware Horizon provides virtual desktop and app capabilities to users utilizing VMware's virtualization technology. A desktop operating system - typically Microsoft Windows - runs within a virtual machine on a

Btrace - Tracing JndiLookups - Log4jShell Exploitation Attempts (published 2021-12-20)
BTrace is a safe, dynamic tracing tool for the Java platform. BTrace can be used to dynamically trace a running Java program. BTrace dynamically instruments the classes of the target application to inject tracing code ("bytecode tracing"). BTrace can be used to define the trace points that the user is interested in tracking, and when a trace point is reached the user can perform their tasks of

CVE-2021-44228 - Retrieving Payload (published 2021-12-15)
CVE-2021-44228 tracks a remote code execution vulnerability in Apache Log4j. An attacker who can control the logged message has the ability to execute arbitrary code loaded from attacker-controlled JNDI-related endpoints such as LDAP, RMI, DNS, HTTP etc.

LDAP Payloads
A typical LDAP attack request can look like this,

To download the payload, defenders can resort to using curl.
The payload can be

Quick Analysis - CVE-2019-2725 Payload (published 2021-11-29)
For a few days now there has been constant hammering of the Weblogic honeypots with exploits targeting a deserialization vulnerability leading to remote code execution, identified by CVE-2019-2725. The initial request to exploit the vulnerability looks like below,

The payload is a base64 string that gets decoded and saved to "servers/AdminServer/tmp/_WL_internal/

Analyzing Apache HTTP Server Information Disclosure Vulnerability - CVE-2021-42013 (published 2021-10-13)
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for

Nullify AMSI Scanner with PowerShell (published 2020-12-29)
AMSI as per Microsoft is: "The Windows Antimalware Scan Interface (AMSI) is a versatile
interface standard that allows your applications and services to
integrate with any antimalware product that's present on a machine. AMSI
provides enhanced malware protection for your end-users and their data,
applications, and workloads." AMSI is being used by multiple antimalware products and

Brute-Force Flareon2015 Challenge#2 with Qiling (published 2020-09-17)
In the previous post we used Qiling to decode strings in the Aisuru malware. Qiling's snapshot mode is a cool feature that can be used to take snapshots of the process at critical stages. Qiling can save information about the memory, CPU state, register state etc. In this post we'll use the snapshot feature of Qiling to brute-force the Flareon 2015 challenge#2. Running the binary we can see that its

Decrypt Aisuru Bot Encoded Strings with Qiling Framework (published 2020-07-31)
Qiling is an advanced binary emulation framework, with the following features:
- Cross platform: Windows, MacOS, Linux, BSD, UEFI
- Cross architecture: X86, X86_64, Arm, Arm64, MIPS
- Multiple file formats: PE, MachO, ELF
- Emulate & sandbox machine code in an isolated environment
- Supports cross architecture and platform debugging capabilities
- Provides a high level API to set up & configure the

Break On x86 Syscalls from Pintool (published 2020-07-26)
"Pin is a tool for the instrumentation of programs. It supports the Android*, Linux*, OS X* and Windows* operating
systems and executables for the IA-32, Intel(R) 64 and Intel(R) Many
Integrated Core architectures.
Pin allows a tool to insert arbitrary code (written in C or C++) in
arbitrary places in the executable. The code is added dynamically while
the executable is running. This also

Frida DBI - DeObfuscate PowerShell Script (published 2020-06-25)
Frida is a Dynamic Binary Instrumentation (DBI) toolkit that can be used to hook into live processes, analyze various parts of the program and print out debug information, including but not limited to the loaded modules, the executed functions, the arguments passed to a function etc.
In this blog we'll use "frida-trace", part of the Frida toolset, to de-obfuscate an obfuscated PowerShell script. When

Tagging ARM Syscalls in IDA (published 2020-05-19)
While reversing ARM binaries you will come across multiple syscalls that in turn do specific things. These syscalls are identified by a number, and each syscall has a unique number. For instance, in the ARM 32-bit architecture the syscall number for the "FORK" function is '2'.
A typical syscall will first have a "MOV" or "LDR" instruction into the "R7" register, followed by an "SVC" (supervisor call) or "SWI" (

WinDbg pykd 101 - Dumping Meterpreter Payload (published 2019-12-22)
WinDbg is a kernel-mode and user-mode debugger that is included in Debugging Tools for Windows. WinDbg has a very powerful scripting language, but using it can sometimes be very annoying. Alternatively, there's an extension "pykd" that can be used to run Python scripts to automate various repetitive tasks while debugging.
In this blog post we'll see how to use pykd to automate dumping of Meterpreter

Execute Specific Function in Debugged Program in IDA - Appcall (published 2019-10-28)
IDA has a very good feature called Appcall that can help call a specific function from a debugged program. This feature can come in handy in cases where you need to run a bunch of inputs against a specific function in your debugged program. For example, in case of malware decrypting strings using specific functions etc.
For the purpose of exploring the Appcall feature, let's consider a trivial

How to Debug Weblogic Server using Intellij - A Primer (published 2019-10-20)
In recent times there have been multiple reports of Weblogic vulnerabilities, and debugging becomes an important task if you are to understand the vulnerability/exploit. This blog post discusses how to set up Intellij for debugging Weblogic vulnerabilities.
To debug Weblogic vulnerabilities, the first step would be to download and install Intellij. Installing the Ultimate edition of Intellij is important

Mirai - Decoding Encoded Strings (published 2018-08-02)
In its initial stages, Mirai malware was seen carrying the credentials used for brute-forcing in plain text. But Mirai has evolved since then and has started encoding the strings. These encoded strings use just simple XOR encoding and can easily be decoded.
Checking the strings of the Mirai malware, we can see that they don't make any sense because of the encoding,
Finding the decoding routine is very simple

Mirai += SOAP vulnerability in DSL modems (published 2016-12-22)
The Vulnerability
The attack targets port 7547, which runs a service named TR-069, a protocol that's used for remotely managing CPEs from an ACS server (CWMP - CPE WAN Management Protocol). The CPE in this case is the modem, and ACS servers push commands to the CPE, for example to upgrade firmware.
In routers such as the Eir D1000 there's also another use of this port 7547, which runs a TR-064

CVE-2016-8870 - Joomla Privilege Escalation vulnerability (published 2016-10-31)
CVE-2016-8870 tracks a privilege escalation vulnerability in Joomla. This vulnerability allows hackers to create users on the web server running Joomla even if user creation is disabled. A typical request to create a user on a server running Joomla looks like,
From the patch that's been made available to mitigate this vulnerability, it is seen that they have removed the "register" method from "

Rig Exploit Kit - Shellcode Spawns WSCRIPT.EXE (published 2016-09-30)
Rig exploit kit is currently one of the most prevalent kits in the wild. Recently there was news saying that the kit is using "WSCRIPT.EXE" to download its encrypted payload. Earlier, Rig was known to be directly downloading its payload through "IEXPLORE.EXE". Just guessing that the switch to "WSCRIPT.EXE" might be a trick to bypass security products.
I downloaded a PCAP from

Neutrino Exploit Kit - SWF Analysis (published 2016-08-29)
Neutrino Exploit Kit is not a new member of the cyber space arena. The kit has now been around for a while and has improved quite a lot over the months. This blog is a small walk-through of the obfuscation methods employed by the kit.
A typical Neutrino Exploit Kit SWF looks like below,
Neutrino uses the RC4 algorithm for encrypting the inner SWF. The key and the encrypted SWF itself are

Graphical representation of SWF - Dendrogram (published 2016-07-29)
Given the amount of obfuscation that's getting added to SWF files, it can sometimes be painful to analyze them. Going through a huge SWF file can be time consuming and irritating. A graphical representation can always give a perspective of what the SWF is all about and can give a head start during the analysis. In this blog post we'll see how we can create a dendrogram graph out of a SWF

Quick Post - DNS changer VBS (published 2016-07-05)
Angler Exploit Kit + Volatility Forensic Tool (published 2016-06-23)
Volatility is an excellent way of analyzing memory dumps. It can help find artifacts hidden within memory which are otherwise a little cumbersome to find during manual analysis. After fetching a memory dump post-exploitation by the Angler Exploit Kit, here are the steps to get to the malware, which is executed directly from memory.
I've got hold of a VM snapshot from here (thanks to "Malware

CVE-2016-4117 hidden in binaryData (published 2016-06-09)
Loading the SWF into FFDEC looks like this
The flash file holds a binaryData which, when decrypted, becomes another flash file that exploits CVE-2016-4117. The logic to decode the flash file looks like below,
while(_loc6_ < _loc4_)
{
    _loc3_[_loc6_] = _loc3_[_loc6_] ^ _loc5_;   // XOR the current byte with the rolling key byte
    _loc6_++;                                   // move to the next byte
    _loc5_ = _loc5_ + 17 & 255;                 // advance the key: add 17, keep it within one byte
}
A simple port of the above script to Python for decoding

Decoding Angler Redirect SWF using JPEXS FFDEC (published 2016-04-21)
Of late, the Angler Exploit Kit is seen to use a SWF that redirects an unwary user to the Angler Exploit Kit gate website. This SWF is not highly obfuscated, but it encodes the redirection HTML code using "base64" and has a little algorithm that decodes the string after "base64" decoding. Below is the decoding logic; the function takes 2 arguments, "param1" is the "base64" decoded string and "param2" is an integer