Dec 11 13

Turning your Antivirus into my botnet – OWASP Benelux 2013 – Slides

by foip

Below are the slides that I presented at the OWASP Benelux day 2013 (Amsterdam). They cover partial results of my research on managed antivirus software, in particular how I chained multiple McAfee ePolicy Orchestrator bugs and weaknesses in order to compromise both the ePO server(s) and the managed stations. This is how the ePolicy 0wner tool was born.

Thanks to the audience and the staff! It was a very pleasant moment :-)


Oct 27 13

WatchGuard – CVE-2013-6021 – Stack Based Buffer Overflow Exploit

by foip

1. Introduction

This blog entry aims to provide the reader with technical details about the stack-based buffer overflow that we discovered in the web administration console of the WatchGuard XTM appliance (CVE-2013-6021), as well as our journey into the exploit development. While the bug was quite easy to discover, writing a reliable exploit was more challenging due to several limitations, including the impressive hardening of the device.

It is worth mentioning that, by default, the web console of the XTM appliance is not reachable from the Untrusted interface as long as the firewall policy has not been modified to allow external access. However, the XTMv version (virtual appliance) allows external access to the web console by default.

1.1 References

read more…

Sep 23 13

Cracking WatchGuard passwords

by foip

WatchGuard firewall appliances offer the ability to manage policies per user. Several mechanisms can be used to authenticate users (Active Directory, LDAP, RADIUS, ...), including a local database called the “Firebox database” (Firebox-DB). Based on the XML configuration file of the appliance (which includes the Firebox-DB accounts), I recently needed to evaluate the strength of the passwords defined by a customer. Unfortunately, the Firebox passwords appeared to be encrypted or hashed, and I couldn’t find any information about the algorithm used.

Sample hash

Below is an excerpt of the XML configuration file, showing the definition of the user “john”. The password was set to “readwrite”, a deliberately simple choice for testing purposes.


read more…

Jun 14 13

Exploit: McAfee ePolicy 0wner (ePowner) – Preview

by foip

If you have heard about the following vulnerabilities in McAfee ePolicy Orchestrator version 4.6.5 and earlier:

and your environments haven’t been updated yet, then you should consider watching this video…

Main Features:

  • Remote command execution on the ePO server.
  • Remote command execution on the managed stations (one ring to rule them all).
  • File upload on the ePO server.
  • Active Directory credential stealing.

More information:

Oct 13 12

Metasploit stager: reverse_https with basic authentication against proxy

by foip

1. Introduction

While reverse_https does an amazing job of supporting proxy servers and NTLM authentication, there are situations where the proxy server only handles basic authentication and where you hold a valid username and password pair.

Unlike NTLM, the username and password used during basic authentication remain in the scope of the process (for example, in your browser after a successful authentication against the proxy server). This is the reason why reverse_http(s) doesn’t know anything about this password: the reverse_http(s) stager uses the WinInet API and lets Windows manage how to reach the Internet.

Back to our basic authentication mechanism: this customized version of reverse_https lets you embed a valid username and password inside the payload, so that basic authentication against the proxy server succeeds. The proxy settings (IP, port, proxy.pac, …) are still managed automatically by WinInet.

read more…

Oct 12 12

Metasploit plugin: notify_mail.rb (email notification)

by foip

1. Introduction

Here is a Metasploit plug-in which sends you e-mail notifications when new sessions open. This plug-in is useful during social engineering attacks or client-side exploitation, since you don’t always know when the payload will be executed on the victim computer.

In order to use this plug-in:

  • Copy the Ruby script (notify_mail.rb) into the “/plugin/” folder of Metasploit.
  • Load an exploit module (or multi/handler) and activate the plug-in by typing “load notify_mail”.
  • Set up your sender/recipient e-mail addresses and the SMTP server you want to use.

Note that you may need to set up a valid sender email address (at least a valid domain name) depending on the configuration of the SMTP server you use.

read more…

Jul 14 12

Antivirus Sandbox Evasion (part3) – The Tool

by foip

OK, here we are...

Thank you for your patience. It is time to release version 0.1 of the “tool”... ;-)

The archive is composed of:

  • An EXE template (ultimate-payload-template1.exe) which manages the sandbox evasion.
  • A Perl script which reads a shellcode in binary format from STDIN, encodes it, and builds a new EXE file based on the template.
  • The source code of the encoder (in assembly) and of the template (Visual Studio 2008).

The (stupid) sandbox evasion technique used in the EXE template is explained in part 2 of this story, and the output of the tool is shown in part 1.

I do not expect it to bypass all AVs forever. I guess new signatures of the template will appear shortly. But don’t worry, all you have to do is modify the source code of the template and recompile it. In case of new sandbox problems, just use your imagination ;-)

Note: this technique doesn’t work anymore against MS Essential Security. For this reason, I wrote a new version (0.2) with a new technique, but this one will not be published... (yet). However, a little bird told me that using a stupid junk loop in v0.1 would do the trick against Essential Security ;-)

Download the tool: ultimate-payload-v0.1.tar.gz and read the HOWTO.txt file.

As usual, be nice. Ask the owner’s permission before infecting a computer…

Enjoy ;-)

Jul 6 12

psk-crack (ike-scan) CUDA add-on

by foip

UPDATE: Things are moving along well!

If you are familiar with ike-scan and you own NVIDIA card(s), you might be interested in cracking pre-shared keys with your GPU(s).

As this is my first CUDA/GPU implementation and I have limited knowledge of cryptography, this code should not be considered optimized. Technically, I only reused basic MD5 and SHA-1 source code inside CUDA code. Don’t blame me. I was working on a pentest and I thought: “Cracking this PSK could be nice for my report, let’s do ‘man cuda’...”

To give you an idea of the improvement, brute-forcing the PSK “hello1” requires about:

  • 2 hours and 50 minutes with the CPU (HP EliteBook 8440p - 2.5 GHz Intel Core 5)
  • 2 minutes and 40 seconds with GPUs (GTX480 + GTX570)

That’s not bad for a first try, even if the occupancy rate of the cards is low.

read more…

© 2010-2014 Fun Over IP. All Rights Reserved.