zero sum
8 followers

Dissecting a Bug in the EternalBlue Client for Windows XP (FuzzBunch)
See Also: Dissecting a Bug in the EternalRomance Client (FuzzBunch) Background Multiple Exploit Chains Payload Methodology Single Core Branch Anomaly Root Cause Analysis NT Red Herring HAL Variation Byte Table Conclusion Background   Pwning Windows 7 was no...
Dissecting a Bug in the EternalRomance Client (FuzzBunch)
Note: This post does not explain the EternalRomance exploit chain, just a minor bug in the Equation Group's client. For comprehensive exploit details, come see my presentation at DEF CON 26 (August 2018). Background In SMBv1, transactions are looked up via ...
Obfuscated/Encrypted C/C++ Online String Generator Tool
ADD SUB XOR SHIFT NOT NEG MORPH Rounds: Generate About this tool I'm in the process of preparing a malware reverse engineering class and I'm building some crackmes for the CTF. I needed to encrypt/obfuscate the flags so that they don't just show up with a s...
Puppet Strings - Dirty Secret for Free Windows Ring 0 Code Execution
Ever since I started reversing Shadow Brokers dumps, I've gotten into the habit of codenaming my projects. This trick is called Puppet Strings , and it lets you hitch a free ride into Ring 0 (kernel mode) on Windows. This is not a new technique. Some nation...
ThreadContinue - Reflective Injection Using SetThreadContext() and NtContinue()
Attackers go to great lengths to avoid the common reflective injection code execution function, CreateRemoteThread(). Alternative techniques include native API thread creation and user APCs (necessary for SysWow64->x64), etc. This technique uses SetThreadCo...
Proposed EAF/EMET "Bypass" for Reflective DLL Injection
Windows 10 Redstone 3 (Fall Creator's Update) is adding Exploit Guard , bringing EMET's Export Address Table Access Filtering (EAF) mitigation, among others, to the system. We are still living in a golden era of Windows exploitation and post-exploitation, t...
Talk/Workshop at DEF CON 25
Just got the word from DEF CON that @aleph___naught and I will be speaking at DEF CON 25. Our presentation is a post-exploitation RAT using the Windows Script Host. Executing completely from memory with tons of ways to fork to shellcode. Will contain some o...
ETERNALBLUE: Exploit Analysis and Port to Microsoft Windows 10
The whitepaper for the research done by @JennaMagius and me has been completed.

There are a few minor errata and graphics we will add in a future version. Be sure to check the bibliography for other great writeups of the pool grooming and overflow process. ...
On the Misuse of Artifacts of Whitehat Research
The Metasploit module for EternalBlue was developed by myself and JennaMagius, previous community contributors of the project, and security researchers at RiskSense, a provider of pro-active cyber risk management solutions. The module was developed to enabl...