RCE with Arbitrary File Write and XSS in Reprise License Manager (CVE-2018-15573, CVE-2018-15574). Advisories: CVE-2018-15573: Arbitrary File Write in Reprise License Manager; CVE-2018-15574: XSS in Reprise License Manager; TW-2018-006: Unpatched Remote Code Execution and XSS in Reprise License Manager. During a recent engagement, I came
Malware Malicious Document Analysis – Macro to Shellcode I came across an interesting Word document which at first glance definitely looked malicious. It had everything from random variable names to lyrics from Garbage - Run Baby Run in the comments. It
Malware Analyzing Obfuscated SWFs A few days ago I was alerted of a host communicating with a (bad) domain and downloading SWF files. There was some concern that there was malware beaconing out and I needed to
Reverse Engineering IceCTF: Analyzing PCAPs and Reversing Encryption IceCTF started a little while ago and we got a team together to try and grab some of these flags. If you're doing the challenges right now... well, spoiler alert. One of
Malware A Look at Zepto Ransomware - Payload Delivery Analysis It's another quiet Friday when we are alerted of a bunch of files with the .zepto extension being created all over the place. It seems that a Zepto sample that worked its way through
Malware Analysis Walking Through Angler Exploit Kit - Payload Delivery Analysis A few days ago I was alerted of a potentially compromised website serving Angler EK: hxxp://www.stadiumseatingcharts.com/rogers-centre/ The Angler exploit kit will redirect the client to a separate compromised server
A Trick to Bypass an XSS Filter and Execute JavaScript I've recently come across an application which had a very simple XSS filter. If the input contained the following chars, the application would throw an error: ( ) < > Simple, but annoying. I found
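The teaser only says that the filter rejected any input containing `(`, `)`, `<` or `>`. The post's own trick is cut off above, so the following is an added example, not the author's code and not necessarily the author's bypass: it shows one well-known reason a character blocklist like this is insufficient, namely that JavaScript can call a function with a tagged template literal and no parentheses at all. It assumes (my assumption, not stated on the page) that the input is reflected unescaped inside a single-quoted JavaScript string, and it stubs `alert` so the call can be observed under Node without a browser.

```javascript
// Added example, not code from the original post. Demonstrates why a
// blocklist of ( ) < > does not stop JavaScript execution on its own.

// The filter as the teaser describes it: error out on any of ( ) < >.
function filterRejects(input) {
  return /[()<>]/.test(input);
}

// Assumed injection context (not from the page): the input lands unescaped
// inside a single-quoted JS string, e.g.  var q = '<INPUT>';
function buildScript(input) {
  return "var q = '" + input + "';";
}

// Run the generated script with a stubbed alert so the call is observable.
function execute(script) {
  const calls = [];
  const alert = (...args) => calls.push(args.map(String).join(","));
  new Function("alert", script)(alert);
  return calls;
}

// Returns whether the filter rejected the payload and, if it did not,
// which alert() calls the reflected script actually made.
function tryPayload(payload) {
  if (filterRejects(payload)) return { rejected: true, calls: [] };
  return { rejected: false, calls: execute(buildScript(payload)) };
}

// Classic string-breakout payload: blocked, because it needs ( and ).
const classic = "';alert(1);//";

// Tagged template literal: alert`1` calls alert with ["1"] and uses no
// parentheses or angle brackets, so it passes the blocklist unchanged.
const noParens = "';alert`1`;//";

// The right fix is context-aware output encoding of the reflected value,
// not a longer blocklist; escaping ' and \ here would neutralise both.
function escapeForJsString(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/`/g, "\\`")
          .replace(/\r/g, "\\r").replace(/\n/g, "\\n");
}
function tryEncoded(payload) {
  return execute("var q = '" + escapeForJsString(payload) + "';");
}

module.exports = { filterRejects, tryPayload, tryEncoded, classic, noParens };
```

Running `tryPayload(classic)` reports the payload as rejected, while `tryPayload(noParens)` is accepted by the filter and still produces an `alert` call; `tryEncoded(noParens)` shows the same input doing nothing once the value is escaped for the JavaScript-string context it is reflected into.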
An Encounter with Dridex - Malicious Document Analysis Got my hands on a Dridex sample (SKM_C3350160212101601.docm) the other day and I wanted to figure out exactly how it managed to slip by our controls. The binary dropped did get
TLS Changing the DirectAccess and Web Application Proxy external certificate In my lab I have a gateway server that is responsible for both DirectAccess and RD Gateway operations. Since I only have one external IP, I sit behind a NAT (or two). In
Linux Out-of-memory Micro Instance Woes: setsebool Killed The other day I deployed a micro CentOS instance in Google Cloud's Compute Engine. Normally 600 MB of RAM is more than enough to do some light nginx/node.js work for me, but
Netflix Creating Your Own US Netflix Proxy with Google Cloud Say you wanted to create your own Unblock-Us or Tunlr service... maybe for educational purposes or maybe because Netflix is starting to block access from VPN providers used by people for region-restriction bypass.
PowerShell Transfer Files To and From Sandboxed Guest on Hyper-V One of the things I missed after switching from VMware to Hyper-V is the ability to copy-paste files from host to guest via the interface. The workaround for Hyper-V (at this time) is
Security Making gdb More Useful For Reversing Unless you're using something like DDD or Gdbinit, gdb vanilla is pretty hard to work with when reversing binaries. The following is a bunch of display commands that gdb will execute after every
OSD CMTrace in WinPE CMTrace is a great tool for troubleshooting deployment issues from within WinPE, no doubt about that. It makes errors and warnings clearly visible in thousands of lines of markup logs. Adding CMTrace.exe
Infrastructure SETroubleshoot Email Notification on SELinux Denial I've recently installed setroubleshoot-server on my RHEL6 server to help diagnose various SELinux denials as I attempt to secure the box. SETroubleshoot also has an email notification system that is really easy to
Security SELinux’s setroubleshoot Install on a RHEL6 Server I am planning on using RHEL6 as a web server, primarily for my Mercurial/GIT repositories. This was to replace my current Fedora13 instance. After the initial minimal install, there were a couple
Infrastructure Identify and block malicious HTTP traffic with IPtables So I was looking through my httpd access_log files and this popped up every couple of days: 93.157.0.142 - - [14/Dec/2010:16:01:19 -0500] "GET
Development Force Google Chrome Incognito Mode on Startup Much like its competitors, Chrome allows an Incognito mode which will discard any browser data after the session ends. This is great however there is no way (that I could find) to tell
Development Drive Backup Over SSH With GZip Compression If you've worked hard to configure your Linux machine and can't afford to lose it, try creating an image of it using dd periodically. It wouldn't make much sense to store the image
Development Batch file rename with PowerShell and Regular Expressions There have been a few times in the past where I've had to rename a large number of files for various reasons (i.e. remove a common piece of text from the name) and
Infrastructure SCCM upstream and downstream SUPs fail SSL/TLS negotiation I have two SCCM SUP systems, one is the top and the other is downstream. The SCCM infrastructure is operating in Native Mode and all WSUS synchronizations and configurations happen over HTTPS. The
Perl Search Keyword Highlighting with Perl Here's how to break down a search string into uniq keywords and highlight them using HTML: # user input my $search_string = "I really really need this"; # highlighting, get the s _uniq_
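The Perl snippet above is cut off after the input string. As an added example, not the post's code, here is the same idea carried through in JavaScript (the one language used for added examples on this page): split the search string into unique keywords, then wrap each occurrence in the text in an HTML tag. Because search terms are user input, the example also does what a highlighter must do to avoid becoming an XSS sink: it escapes the keywords for use in a regular expression and HTML-escapes every piece of output, so neither the document text nor the search terms can inject markup. The `<strong>` wrapper and word-boundary matching are my choices, not the post's.

```javascript
// Added example, not code from the original post: keyword highlighting with
// HTML output that stays safe for untrusted text and untrusted search terms.

// Split on whitespace and keep each keyword once, preserving first-seen order.
function uniqueKeywords(searchString) {
  const seen = new Set();
  for (const word of searchString.trim().split(/\s+/)) {
    if (word) seen.add(word);
  }
  return [...seen];
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// A keyword like "a+b" must match literally, not as a regex.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Highlight every whole-word, case-insensitive occurrence of a keyword.
// The capturing group makes split() return [text, match, text, match, ...],
// so odd indexes are matches; every piece is escaped before it is emitted.
function highlight(text, searchString) {
  const keywords = uniqueKeywords(searchString);
  if (keywords.length === 0) return escapeHtml(text);
  const re = new RegExp("\\b(" + keywords.map(escapeRegex).join("|") + ")\\b", "gi");
  return text
    .split(re)
    .map((piece, i) => (i % 2 === 1 ? "<strong>" + escapeHtml(piece) + "</strong>" : escapeHtml(piece)))
    .join("");
}

// Constructed sample input, mirroring the post's search string.
const searchString = "I really really need this";
const sampleText = "Really? I need this <b>now</b>";

module.exports = { uniqueKeywords, escapeHtml, escapeRegex, highlight, searchString, sampleText };
```

`highlight(sampleText, searchString)` returns `<strong>Really</strong>? <strong>I</strong> <strong>need</strong> <strong>this</strong> &lt;b&gt;now&lt;/b&gt;`: the duplicate "really" collapses to one keyword, matching is case-insensitive, and the `<b>` in the document text is rendered as literal text rather than markup.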