TCC (Transparency, Consent and Control), is built into MacOS as a means to protect sensitive user data from access by applications. The idea is such that no application can access such user data without the user’s permission (but asked only once). TCC covers a wide spectrum of data within the…

Evilginx 2 is this super cool proxy framework that helps hardworking red teamers do phishing with ease. Gone are the days where you would have to painstakingly craft the website to look exactly like the target website manually. The diagram below is where Evilginx sits. It transparently proxies the connection…

Welcome to Part 2 of my previous post on loading a Java class in Tomcat. A possible way to stop this kind of attack would be to dynamically instrument the JVM to ensure that unknown classes are either prevented from loading or flagged to the SOC team. …

I had a situation where I could do JNDI injection into a Tomcat server leading to RCE. While off the shelf solutions such as this Github repo could work and invoke system commands, I wanted to take advantage of this unique vulnerability and push harder to create a unique implant…

Recently I needed to reverse engineer an application as I needed to figure out its login mechanisms. The diagram below is a high level diagram of its layout and it shall henceforth be collectively referred to as The Application. The primary question I wanted to answer was: Could I clone…

Introduction A few months ago, the team decided to stretch our wings and conduct vulnerability research on embedded devices. Due to budgetary and time constraints, we decided to focus on two devices, a Synology NAS, and a Netgear router. This article will focus on the process of emulating a router, specifically…

Introduction Most shellcode available on the internet comprises of two portions: a payload that is usually generated by msfvenom, and C boilerplate code to call it. The compilation process is also routine, with many articles recommending to specify “execstack” to the linker, which sets the GNU_STACK header to “executable”. However, if…

Program stability is somewhat different with regards to fuzzing versus how we generally perceive it. Generally, we perceive program stability as — the program behaves in a consistent fashion and does not crash when we do an operation multiple times without restarting. A simple example for this would be opening…

Problem I was using DynamoRIO to do instruction tracing to troubleshoot the runtime execution stability of my program and a DLL it was loading and realised that I could not easily diff the files as the addresses were always different. The output shown in Figure 1 illustrates a trace. My program…