Malwarebytes CrackMe 2: try another challenge

Last November, we released the first edition of the Malwarebytes CrackMe. Encouraged by the positive response we received from the security community, we decided to repeat the game, hopefully making it even more interesting and entertaining. As before, the CrackMe is dedicated to malware analysts...

DNSExfiltrator - Data exfiltration over DNS request covert channel

DNSExfiltrator allows for transfering exfiltrate a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel. DNSExfiltrator has two sides: 1. The server side , coming as a single python script dnsexfiltrator.py, which act...

Bye, bye Petya! Decryptor for old versions released.

Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project. You can read the full story here. Based on the released key, we prepared a decryptor that is capable of unlocking all the...

EternalPetya and the lost Salsa20 key

We have recently been facing a huge outbreak of a new Petya-like malware armed with an infector similar to WannaCry. The research is still in progress, and the full report will be published soon. In this post, we will focus on some new important aspects of the current malware. The low-level attac...

Microsoft Office Word Malicious Macro Execution

This module injects a malicious macro into a Microsoft Office Word document docx. The comments field in the metadata is injected with a Base64 encoded payload, which will be decoded by the macro and execute as a Windows executable. For a successful attack, the victim is required to manually enabl...

Microsoft Office Word Malicious Macro Execution Exploit

This Metasploit module generates a macro-enabled Microsoft Office Word document. The comments metadata in the data is injected with a Base64 encoded payload, which will be decoded by the macro and execute as a Windows executable. For a successful attack, the victim is required to manually enable...

Microsoft Office Word Malicious Macro Execution

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'rex/zip' class MetasploitModule "Microsoft Office Word Malicious Macro Execution", 'Description' = %q This module generates a macro-enabled...

BlackHat issues resolved: Windows programs digital signature verification“vulnerability”-vulnerability warning-the black bar safety net

In this year's black hat conference, foreign a security researcher shows how by the Windows digital signature bypass for malicious code detection. Download the General Assembly of the presentation of the ppt probably looked at it, the report is divided into two parts, the first part shows the...

CVE-2015-0941

The Inetc plugin for Nullsoft Scriptable Install System NSIS, as used in CERT/CC Failure Observation Engine FOE and other products, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and possibly execute arbitrary code by sending a craft...

Code injection

The Inetc plugin for Nullsoft Scriptable Install System NSIS, as used in CERT/CC Failure Observation Engine FOE and other products, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and possibly execute arbitrary code by sending a craft...

CVE-2015-0941

CVE-2015-0941 : The Inetc plug‑in for NSIS does not validate SSL certificates, enabling MITM attacks that could spoof servers and potentially execute arbitrary code during download of Windows executables. Affected: NSIS Inetc plug‑in (used in FOE and other products). Impact: possible arbitrary co...

CoolPlayer-Portable-2.19.2-ASLR

Buffer overflow that bypasses ASLR by using a non-aslr module Tested against CoolPlayer Portable version 2.19.2 on Windows Vista Business 32 bit Written by Blake 233 bytes for shellcode available 227 byte windows/exec shellcode = CMD=calc.exe shellcode=...

[PeStudio v7.98] The Static Investigation tool for Windows executable binary

PeStudio is a free tool performing the static investigation of any Windows executable binary. A file being analyzed with PeStudio is never launched. Therefore you can evaluate unknown executable and even malware with no risk. PeStudio runs on any Windows Platform and is fully portable , no...

[Anubis] Online Analyzing Unknown Binaries

Anubis is a service for analyzing malware. Submit your Windows executable or Android APK and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL...

[Veil v1.2] A Payload Generator to Bypass Antivirus

Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. Veil was designed to run on Kali Linux, but should function on any system capable of executing python scripts. Simply call Veil from the command line, and follow the menu to generate a payload. Upon...

GTA SA-MP server.cfg Local Buffer Overflow Vulnerability

Exploit for windows platform in category local exploits GTA SA-MP server.cfg Local Buffer Overflow Vulnerability 0day Date: 9-26-11 Author: SilentDream Software Link: http://team.sa-mp.com/files/samp03csvrR2-2win32.zip Tested on: XP SP3, Windows 7 Thanks to: corelanc0d3r & team, Metasploit,...

Millenium MP3 Studio 2.0 Stack Overflow

Vulnerability : .mpf File Local Stack Overflow Exploit SEH + Product : Millenium MP3 Studio + Versions affected : v2.0 + Download : http://www.software112.com/products/mp3-millennium+download.html + Method : seh + Tested on : Windows XP SP2/SP3 En + Written by : dellnull dellnullatgmaildotcom +...

MediaCoder 0.7.1.4488 (.lst & .m3u) Universal Buffer Overflow (SEH)

Exploit for unknown platform in category local exploits =================================================================== MediaCoder 0.7.1.4488 .lst & .m3u Universal Buffer Overflow SEH =================================================================== !/usr/bin/perl + software : MediaCoder...

5 3 since the start of the way-vulnerability warning-the black bar safety net

Source: CoolDiyer's Blog Registry 1. HKEYLOCALMACHINE\Software\Microsoft\windows\Curr entVersion\Run\ All values in this key are executed. 2. HKEYLOCALMACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnce\ All values in this key are executed, and then their autostart reference is deleted. 3...

Windows Executable (PE) Files (CVE-2008-1437; CVE-2010-0233)

The Microsoft Malware Protection Engine provides the scanning, detection and cleaning capabilities for the following antivirus and antispyware clients: Windows Live OneCare, Microsoft Forefront Security, Microsoft Antigen, and Windows Defender. A denial of service vulnerability has been reported ...