We will be presenting our new research on Mac OS X at Black Hat Asia in Singapore. This is our 3rd Black Hat talk.
Please let me know if you will be there too. :)
Friday, March 14, 2014
Wednesday, May 8, 2013
VXCON 2012 - Advanced Mac OS Rootkit
Celebrating the announcement of HITCON 2013, we decided to release the slides we gave at VXCON 2012 last December. :)
Nanika did great research on the Mac OS kernel last year. Here are the introduction and slides.
Attacking Mac OS has become a trend as we see more and more malware with more advanced attack techniques on Mac OS. In order to gain persistent control and avoid detection, malware has started to adopt rootkit tricks. In this presentation, we will start from the basics and try to provide a comprehensive view of rootkits on Mac OS, covering both user and kernel mode.
Beyond introducing general rootkit techniques, we will also disclose new and more advanced rootkit tricks obtained by digging into more kernel objects and data structures. In addition to the advanced rootkit techniques, a new anti-tracing (anti-DTrace) approach will be introduced as well.
On the other hand, preventing rootkit attacks is also critical. We will describe how we design a rootkit scanner as well as a host IPS to defend against the rootkits mentioned above.
Contact us if you need the PoC file. :)
Friday, August 3, 2012
Exploitation of Windows .NET Framework - HITCon 2012 Materials and PoC Release
This presentation describes some possible attack vectors by leveraging features of .NET framework.
Slides
HITCon 2012 - Exploitation of Windows DotNET Framework - Release
Demo video:
And the PoC files.
PoC
pass:hitcon2012
Nanika & TT
Sunday, July 29, 2012
The Subway Line 8 - Exploitation of Windows 8 Metro Style Apps
Luckily, this year we again had the chance to present our research at Black Hat USA. Nanika did really great research on Windows 8 Metro style apps. In this presentation we not only discuss the methodology for bypassing the AppContainer sandbox (the application sandbox for Metro style apps), we also disclose some issues/problems that we found during testing.
Abstract of the presentation:
Windows 8 introduces lots of security improvements; one of the most interesting features is the Metro-style app. It not only provides a fancy user interface, but also a solid application sandbox environment. All Metro-style applications run in AppContainer, and the AppContainer sandbox isolates the execution of each application. It makes sure that an App does not have access to capabilities that it has not declared and been granted by the user. This presentation will introduce the design of Metro-style apps as well as the AppContainer sandbox. We will dive into the details of the architecture and see how it works and how it protects against a malicious App. After reviewing the design, we are going to look for possible attack vectors to bypass the sandbox. The analysis will proceed from low level to high level. We will describe how we find the target to attack and how we analyze the different layers, such as debugging ALPC, COM server attacks, WinRT API fuzzing, and logic flaw discovery. Beyond the methodology, we will also demonstrate some problems we have discovered, including tricks to bypass AppContainer to access files, launch programs, and connect to the Internet.
And here are the slides:
Blackhat USA 2012 - The Line 8 Subway - Exploitation of Windows 8 Metro Style App (Slides)
The demo video:
The paper:
Blackhat USA 2012 - The Line 8 Subway - Exploitation of Windows 8 Metro Style App (Paper)
Nanika & TT
Sunday, September 4, 2011
Black Hat Materials and PoC Release
It has already been a month since our talk at Black Hat USA 2011. It's time to release the materials.
Slides:
Black Hat USA 2011 - Weapons of Targeted Attack: Modern Document Exploit Techniques (Slides)
Demo videos:
Microsoft Office DEP bypass
New Flash JIT Spraying - 01 - Why you need this trick.
New Flash JIT Spraying - 02 - MS11-050 with NEW Flash JIT Spraying.
New Flash JIT Spraying - 03 - CVE-2010-3333 with NEW Flash JIT Spraying (Flash 11)
Flash Sandbox Bypass - Stealing Gmail Cookie using Document Exploit
HIPS Bypass - 01 - Bypass McAfee HIPS
HIPS Bypass - 02 - Bypass COMODO HIPS
And here are the PoC files.
Paper:
Black Hat USA 2011 - Weapons of Targeted Attack: Modern Document Exploit Techniques (Paper)
Monday, July 25, 2011
Weapons of Targeted Attack: Modern Document Exploit Techniques
Nanika and I will be speaking at Black Hat USA 2011 next week. The presentation will disclose many new document exploit techniques, including our new Flash JIT spraying approach.
Our Flash JIT spraying technique can defeat memory protections, even when EMET has been deployed with all of its features enabled!
Here are two demonstration videos.
(1) MS11-050 with NEW Flash JIT Spraying (IE)
(2) CVE-2010-3333 with NEW Flash JIT Spraying (Office 2010)
Beyond JIT spraying, we will also introduce our Flash AVM fuzzing technique, new tricks to bypass sandbox protection, and new ways to defeat HIPS protection.
See you in Vegas; feel free to come and talk to us.
Saturday, June 4, 2011
The Flash JIT Spraying is Back
Celebrating the announcement of Hacks in Taiwan Conference 2011, I would like to publish part of our recent research to share with all document security researchers.
Flash JIT spraying has not worked since Flash 10.1. Now we bring it back.
The Flash JIT Spraying is Back
Demonstration:
Welcome to HITCon, welcome to Taiwan.