carnal0wnage [Shared Reader]

Friday, June 24, 2011

Welcome Ken "cktricky" Johnson!

Ken "cktricky" Johnson has agreed to join the carnal0wnage/attackresearch blog and I can't be more excited. Ken brings tons of webappsec kung fu and is the core developer for wXf. He should be adding lots of webappsec goodness.

You can catch him on Twitter as well: @cktricky

Welcome Ken!


Thursday, June 23, 2011

Restricted Citrix Excel Application Escapes

SynJunkie has a couple of good posts on Citrix escapes:

and of course there is iKat.

So recently I had to break out of a restricted Citrix environment. All I had was Excel 2010 and Word 2010.

I also didn't have a fancy "jump to URL" option when I clicked on the title bar, and none of the hotkeys were working for me. So the goal was to get a web browser or a cmd shell.

I was able to create macros though. So first I added the Developer ribbon (File > Options > Customize Ribbon, tick Developer).

Click the Visual Basic button and paste in some sweet macro code.

Then save the file as a macro-enabled workbook (.xlsm).

Once it's saved, you can hit the Macros button and run your macro.

...and get a shell.

**To be clear, all of this is running remotely on the Citrix host.**

The macro code (the procedure name is arbitrary):

Sub GetShell()
    ' Shell launches a new process on the Citrix host, here an interactive cmd.exe
    'execute EXE file
    Shell "CMD /K C:\windows\system32\cmd.exe", vbNormalFocus
End Sub

You could also just type a URL into Excel...

...and click it. But that's pretty low tech and not much fun :-)

Again, this IE browser is running remotely on the Citrix host. From here you can client-side exploit yourself (e.g. with a Java applet exploit) to get your outbound shell.
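As an added example (not the post's own code) of what this escape looks like to whoever is watching the Citrix host: a small Ruby detection over process-creation events (Sysmon event 1 style fields, here as constructed pipe-delimited lines) that flags the parent/child pairs each step above produces, namely Excel spawning cmd.exe (the macro), Excel spawning iexplore.exe (the hyperlink), and the browser spawning java.exe or a shell (the self-inflicted client-side exploit). Host name, user names, paths and the benign splwow64.exe line are all constructed for the example.

```ruby
# Added example, not from the post: parent/child process rules for the
# Citrix published-app escape, run over constructed process-creation events.
OFFICE   = %w[excel.exe winword.exe powerpnt.exe outlook.exe].freeze
SHELLS   = %w[cmd.exe powershell.exe wscript.exe cscript.exe].freeze
BROWSERS = %w[iexplore.exe firefox.exe chrome.exe].freeze
STAGE2   = (SHELLS + %w[java.exe javaw.exe]).freeze # what a client-side exploit of IE launches

# Constructed sample log: time|host|user|parent_image|image|command_line
SAMPLE_LOG = <<~'LOG'
  2011-06-23T10:01:05Z|CTXAPP01|CORP\jdoe|C:\Program Files\Microsoft Office\Office14\EXCEL.EXE|C:\Windows\System32\cmd.exe|CMD /K C:\windows\system32\cmd.exe
  2011-06-23T10:03:12Z|CTXAPP01|CORP\jdoe|C:\Program Files\Microsoft Office\Office14\EXCEL.EXE|C:\Program Files\Internet Explorer\iexplore.exe|"iexplore.exe" http://attacker.test/applet.html
  2011-06-23T10:03:40Z|CTXAPP01|CORP\jdoe|C:\Program Files\Internet Explorer\iexplore.exe|C:\Program Files\Java\jre6\bin\java.exe|java.exe
  2011-06-23T10:05:00Z|CTXAPP01|CORP\asmith|C:\Program Files\Microsoft Office\Office14\EXCEL.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288
LOG

Event = Struct.new(:time, :host, :user, :parent, :image, :cmdline)

def parse_event(line)
  fields = line.split('|', 6)
  raise ArgumentError, "malformed event: #{line}" unless fields.size == 6
  Event.new(*fields)
end

# Windows paths: basename on either separator, case-folded for matching.
def exe_name(path)
  path.to_s.split(/[\\\/]/).last.to_s.downcase
end

# Returns the rule name that fires for this event, or nil when nothing does.
def classify(ev)
  parent = exe_name(ev.parent)
  child  = exe_name(ev.image)
  if OFFICE.include?(parent) && SHELLS.include?(child)
    'office-spawned-shell'      # the macro: Excel -> cmd.exe
  elsif OFFICE.include?(parent) && BROWSERS.include?(child)
    'office-spawned-browser'    # the hyperlink: Excel -> iexplore.exe on the host
  elsif BROWSERS.include?(parent) && STAGE2.include?(child)
    'browser-spawned-stage2'    # the follow-on: IE -> java.exe / shell
  end
end

# Run every line through the rules; returns one hash per alert, in log order.
def alerts(log_text)
  log_text.lines.map(&:chomp).reject(&:empty?).map do |line|
    ev = parse_event(line)
    rule = classify(ev)
    next unless rule
    { rule: rule, time: ev.time, host: ev.host, user: ev.user,
      parent: exe_name(ev.parent), image: exe_name(ev.image), cmdline: ev.cmdline }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  alerts(SAMPLE_LOG).each do |a|
    puts "#{a[:time]} #{a[:host]} #{a[:user]} #{a[:rule]}: #{a[:parent]} -> #{a[:image]} [#{a[:cmdline]}]"
  end
end
```

Run stand-alone it prints the three alerts for jdoe and nothing for asmith. The splwow64.exe line is the kind of legitimate Office child process (32-bit Office printing on 64-bit Windows) that a naive "Excel spawned anything" rule would page on, which is why the child names are allow-listed per rule. Detection is the second line of defence here; on a published-app host the same escape is better prevented by disabling macros through Office policy and by restricting cmd.exe and browsers with AppLocker or Software Restriction Policies.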

Sunday, June 19, 2011

Strategic Security -- Exploit Development Course

Joe McCray with Strategic Security is running a two week exploit dev course.

Course Description & Instructor Information:

Strategic Security has teamed up with Net-Square to provide the most comprehensive exploit development course package available to the public. Occasionally similar courses are offered privately to various three-letter agencies and large financial institutions.

Exploit development is often considered the most difficult area of focus in the entire field of IT security. It requires both a broad range of skills and a deep level of knowledge in networking, operating systems, and programming. Now you too can learn what has long been thought of as "black magic" by many, from one of the top practitioners and trainers in the world.

How is this course put together?
The course is actually a 2 week package deal designed to both teach the fundamentals of modern exploit development and give the student ample guided practice time with the instructor to actually get proficient.


Exploit Dev: No Assembly Required - Oct 31 to Nov 4, 2011 (5 days)
Exploit Dev: Target Practice - Nov 7 to 11, 2011 (5 days)

Training Location

The workshops will be held at "The Academy of Computer Education" in Greenbelt, MD.
The address is:

7833 Walker Drive, Suite 520C Greenbelt, Maryland 20770

$1,000 discount by using these links:

Exploit Dev 1 Week @ $5,000

Exploit Dev 1 Week @ $6,000

Exploit Dev 2 Week Package Deal @ $8,500

Wednesday, June 15, 2011

Incident Analysis: Million Dollars Lost In A Minute

Dudes, two other fellows and I have dealt with an incident in which a victim's online banking account was compromised and a huge lump sum of money was transferred out to Eastern Europe. In fact, the victim was still using the old two-factor authentication token, which means one cannot tell whether a generated passcode is for authentication, a money transfer to a specific account, a bill payment, etc.; that is exactly what the attacker manipulates. Please download it from here.
Enjoy it, mate ;-)
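As an added example (not part of the write-up, and not any real bank's or vendor's scheme), here is a toy of the two token generations the incident contrasts, in Ruby. A legacy code is an HMAC over the shared secret and a moving counter, so it proves only that whoever submits it holds the token; a transaction-bound code also covers the operation being approved, so a code obtained for one purpose fails verification for another. The secret, the counter window, the operation strings and the attacker scenario are all constructed here.

```ruby
require 'openssl'

# Added example, not from the post: legacy OTP versus transaction-bound OTP.
module Otp
  DIGITS = 6

  # HOTP-style code: HMAC-SHA1 over the counter and, when given, the operation
  # the user is approving (type, amount, destination), then dynamic truncation.
  def self.code(secret, counter, operation = nil)
    payload = operation ? "#{counter}|#{operation}" : counter.to_s
    d = OpenSSL::HMAC.digest('SHA1', secret, payload).bytes
    offset = d[19] & 0x0f
    bin = ((d[offset] & 0x7f) << 24) | (d[offset + 1] << 16) | (d[offset + 2] << 8) | d[offset + 3]
    format("%0#{DIGITS}d", bin % 10**DIGITS)
  end
end

# The user's token: shares the secret with the bank and keeps its own counter.
class Token
  def initialize(secret)
    @secret = secret
    @counter = 0
  end

  def plain_code
    Otp.code(@secret, @counter += 1)
  end

  def bound_code(operation)
    Otp.code(@secret, @counter += 1, operation)
  end
end

# The bank's verifier: looks ahead a small counter window and never reuses a counter.
class BankVerifier
  WINDOW = 10

  def initialize(secret)
    @secret = secret
    @last = 0
  end

  # Legacy: any valid code is accepted regardless of what it is submitted for.
  def accept_plain?(code)
    accept(code) { |c| Otp.code(@secret, c) }
  end

  # Bound: the bank recomputes over the exact operation it is about to execute.
  def accept_bound?(code, operation)
    accept(code) { |c| Otp.code(@secret, c, operation) }
  end

  private

  def accept(code)
    ((@last + 1)..(@last + WINDOW)).each do |c|
      next unless yield(c) == code
      @last = c
      return true
    end
    false
  end
end

# The incident pattern: the attacker obtains the code the victim generated for
# one purpose and submits a different transfer with it. Returns true if the
# bank would execute the attacker's transfer. (Constructed scenario.)
def attacker_transfer_accepted?(bound:)
  secret   = 'constructed-token-seed'
  token    = Token.new(secret)
  bank     = BankVerifier.new(secret)
  intended = 'transfer|EUR 50|IBAN-VICTIM-SAVINGS'
  fraud    = 'transfer|EUR 1000000|IBAN-MULE-ACCOUNT'
  code = bound ? token.bound_code(intended) : token.plain_code
  bound ? bank.accept_bound?(code, fraud) : bank.accept_plain?(code)
end

# Sanity check: the legitimate bound flow still verifies.
def legitimate_transfer_accepted?
  secret = 'constructed-token-seed'
  op = 'transfer|EUR 50|IBAN-VICTIM-SAVINGS'
  BankVerifier.new(secret).accept_bound?(Token.new(secret).bound_code(op), op)
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy token, attacker's transfer accepted: #{attacker_transfer_accepted?(bound: false)}"
  puts "bound token,  attacker's transfer accepted: #{attacker_transfer_accepted?(bound: true)}"
end
```

The point is in the verifier, not the token: with the legacy scheme the bank has no way to check what the victim thought they were approving, so a code relayed by a phishing page or a man-in-the-browser authorises whatever the attacker submits. Binding the code to the destination and amount (and showing them on the token's display so the user can check them) is what closes that gap.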

Friday, June 3, 2011

wXf module buby/keyword_search_send

I've created a video on how to use the latest module addition to the buby family of modules in wXf. The purpose behind the module is to search Burp's history and seek out parameters in requests to an application which match our list of keywords. The keywords are basically parameters that might warrant manual analysis.

Consider we've made the following requests:

Most folks would agree that the request with an accountid parameter warrants some manual analysis. On a larger scale (think thousands of requests), it is tedious to search for these and then send them to Intruder or Repeater. So the idea is that we have a keyword list to speed things up: when a match is found, an alert is raised in Burp and the request is sent over to Repeater and Intruder for manual analysis.

As of now the keyword list in wXf isn't huge but I plan on adding to it over the next few days. If you'd like to utilize GitHub's fork/edit/merge function to contribute interesting parameter names please fork the following file.

If you have a personal keyword list that you'd like to use privately that is okay too. The video shows you how to add a file under the datum directory and reload the list of "lfiles" (files under the datum directory).
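As an added example (not wXf's own code, which drives Burp through buby), here is the same triage rule in plain Ruby over raw requests: parameter names are pulled from the query string and from a url-encoded body and matched against a keyword list by case-insensitive substring. The keyword list and the three sample requests are constructed for the example.

```ruby
require 'uri'

# Constructed keyword list for the example; wXf keeps its own under datum/.
KEYWORDS = %w[account user admin role token session debug redirect file path].freeze

# Three constructed raw requests standing in for Burp's history.
SAMPLE_HISTORY = [
  "GET /search?q=shoes&page=2 HTTP/1.1\r\nHost: bank.test\r\n\r\n",
  "GET /statement?accountid=1234 HTTP/1.1\r\nHost: bank.test\r\n\r\n",
  "POST /profile HTTP/1.1\r\nHost: bank.test\r\n" \
  "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 26\r\n\r\n" \
  "username=bob&isAdmin=0&x=1"
].freeze

# Parameter names from the query string and, for form posts, the body.
def parameter_names(raw)
  head, body = raw.split("\r\n\r\n", 2)
  request_line, *header_lines = head.split("\r\n")
  target = request_line.split(' ', 3)[1].to_s
  headers = header_lines.each_with_object({}) do |l, h|
    k, v = l.split(':', 2)
    h[k.strip.downcase] = v.to_s.strip
  end
  names = []
  query = target.include?('?') ? target.split('?', 2)[1] : ''
  names.concat(URI.decode_www_form(query).map(&:first)) unless query.empty?
  if body && !body.empty? && headers['content-type'].to_s.start_with?('application/x-www-form-urlencoded')
    names.concat(URI.decode_www_form(body).map(&:first))
  end
  names.uniq
end

# Parameters matching any keyword (case-insensitive substring) => the keyword hit.
def keyword_hits(raw, keywords = KEYWORDS)
  parameter_names(raw).each_with_object({}) do |name, hits|
    kw = keywords.find { |k| name.downcase.include?(k) }
    hits[name] = kw if kw
  end
end

# [index, hits] for each request in a history that warrants manual analysis.
def interesting_requests(history, keywords = KEYWORDS)
  history.each_with_index.map do |raw, i|
    hits = keyword_hits(raw, keywords)
    [i, hits] unless hits.empty?
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  interesting_requests(SAMPLE_HISTORY).each do |i, hits|
    puts "request ##{i}: #{hits.map { |p, k| "#{p} (matched '#{k}')" }.join(', ')}"
  end
end
```

Substring matching is deliberately loose so that accountid, account_no and userId all surface; the price is that very short keywords such as id would also match width or valid, which is why they are left off the constructed list. Tune the list per target, and treat a hit as a pointer to where to start with Repeater and Intruder rather than as a finding.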

Don't forget that if you have questions on usage, installation or anything else, we've provided documentation here.

Lastly, here is the video:

wXf module buby/keyword_search_send from cktricky on Vimeo.