SLAE: Custom Crypter (Linux/x86)


Do you want to fool antivirus software? When you look through hacking forums for a solution to this, you will likely encounter the term “crypter”. You will also find this tool in the arsenal of every advanced penetration tester and it is the obvious standard for an advanced persistent threat (APT). This blog post gives you some insights about crypters and finalizes …

SLAE: Polymorphic Shellcodes (Linux/x86)


Question: How can signature-based Intrusion Detection Systems be defeated? Answer: Using polymorphic shellcodes! This might sound really crazy and cyber, but it has nothing to do with inventing fancy new hacking techniques; it’s rather about puzzling. By replacing assembly instructions with other assembly instructions, the original functionality is kept intact and signature-based systems are defeated. For example, the following assembly code snippet should give you …

Ubiquiti Bug Bounty: UniFi v3.2.10 Generic CSRF Protection Bypass


Better late than never. This article will give you some insights about my discovered generic Cross-Site Request Forgery Protection Bypass in Ubiquiti’s UniFi v3.2.10 and below, as published some time earlier this year on HackerOne. This vulnerability basically allows an attacker to compromise the UniFi installation including connected devices by e.g. changing passwords of users, adding new users, changing device usernames and passwords or by creating …

CVE-2015-5956: Bypassing the TYPO3 Core XSS Filter


TYPO3 is the most widely used enterprise content management system with more than 500,000 installations. I have recently discovered a Non-Persistent Cross-Site Scripting vulnerability in its core and disclosed the details of the vulnerability publicly as CVE-2015-5956. This blog article should give you some insights about the vulnerability, because it’s not only a simple XSS, but a rather nice XSS filter bypass. But before …

CVE-2014-7216: A Journey Through Yahoo’s Bug Bounty Program


I have published another security advisory about a vulnerability which I have “recently” reported to Yahoo! via their Bug Bounty program hosted by HackerOne. So this blog post is about the technical details of CVE-2014-7216 (which is not very thrilling), but more about my experience with Yahoo’s Bug Bounty program. CVE-2014-7216: Attacking Yahoo! Messenger Users with Emoticons 🙂 😛 🙁 . To determine which emoticons and …

SLAE: Dissecting Msfvenom Payloads (Linux/x86)


One very common tool among penetration testers is Metasploit, which includes a lot of nice exploits and payloads. The 5th assignment of the SecurityTube Linux Assembly Expert certification is about Metasploit shellcode analysis for Linux/x86 target systems. The task is to take 3 shellcode payloads generated by msfpayload (which has been replaced by msfvenom in the meantime) and dissect their functionality using different analysis …

Modern Lords of War


The Wassenaar Arrangement. Maybe you have already heard about that. With the implementation of this multilateral export control regime on conventional arms, dual-use goods and technologies, security researchers like me could be called lords of war and weapons dealers now – sounds cool, but unfortunately it’s not. While Google has officially commented on the problems, I would like to add an interesting and clarifying comparison of two recent cases, …

SLAE: Custom RBIX Shellcode Encoder/Decoder


Anti-Virus and Intrusion Detection Systems could become really nasty during a penetration test. They are often responsible for unstable or ineffective exploit payloads, system lock-downs or even angry penetration testers 😉 . The following article is about a simple AV and IDS evasion technique, which could be used to bypass pattern-based security software or hardware. It’s not meant to be an all-round solution for …

City of Cons: 31C3 Meets BSidesHH


While the year 2014 comes to an end, two very interesting conferences have taken place in Hamburg. The annual Chaos Communication Congress 31C3 occupied the Congress Center of Hamburg (CCH) for 4 days and the first BSidesHH was held in the heart of the city. Luckily, I was able to attend both and would like to recap my experiences and outline their really different strengths in terms of their concepts and …