Sunday, January 13, 2013

About Shellcodes in C

This is a follow up of our previous introductory post about shellcodes. Here we aim for coding more complex shellcodes directly in C. We'll mostly use default tools like gcc and as, at the end also a small python script to reorder and pack things. We'll play with linux but the concepts and scripts posted here can also be used to generate Windows shellcode (both 32 and 64 bits).

Wednesday, January 9, 2013

A micro windows crash catcher in python

In this article we describe how to write a minimalistic Windows debugging loop in python. Modern applications usually spawn more than one process and the bugs in them generate different type of crashes. Our minimalistic debugger shall detect "any" crash condition of a process or process tree. Be aware that our aim is purely educational and more mature and complete options exist. If you need a full fledged debugger in python you should check winappdbg.

Tuesday, January 8, 2013

About shellcodes

In this post we have documented a beginners introduction to shellcode writing. We go from zero to a super simple shellcode using tools you may find already installed in any serious operating system. If you are looking for a digested and more mature way of generating shellcode you should check InlineEggMOSDEF or impurity first.

Monday, January 7, 2013

Uncover Adobe Reader Sandbox Exceptions

Since version 10 Adobe Reader has included a flavor of the Chrome sandbox. This technology is much better explained here, and in the 4 Adobe specific posts: part1, part2, part3 and part4. But in very few words it works dividing responsibilities in at least 2 processes; the broker and a target. The target process is a low integrity process that basically can't access any resources by itself. To access almost any operating system entity it must relay on the broker process. 
The target simply ask the broker via IPC to do certain system calls for him. The broker then checks if the request comply with a preset list of rules and eventually gives the result back to the target. The set of rules are configured at the beginning. In this post we'll inspect this list for the different Adobe Reader versions. We'll build a python script that programatically generates a process monitor filter file for all the different Reader versions.  Then We'll show how to further inspect sensitive interactions between the target and other higher integrity processes using the generated filters.