a personal blog about vulnerability research, network security, software development, and other technobabble.


  • osx naughtiness: bypassing santa & hiding from av

    I recently became aware of Santa, an open source binary whitelisting system for MacOS created by Google (though not an official Google product). I was interested in it’s design and wanted to try to find a way to bypass it’s controls. I turned out to be successful and even found an interesting way to download “known bad” files without alerting a popular antivirus solution.

  • afl 0x0: my fuzzing environments and workflow

    I recently decided I wanted to learn more about using afl effectively and how it works under the hood. I’ve been using it for a short time and have stuck to fuzzing only applications that would build with the basic ‘configure+make’ combo, avoiding alternative build systems (since I don’t know much about them), and only fuzzing applications, not libraries. But now I want to move past the basics and really do a deep dive. I’ve had a hard time finding much good information that isn’t the same “how to install and instrument a simple binary”, so I thought I could help fill in this gap a little bit.

  • reversing a few lines from srec_scan(): notes

    I decided to go through the process of analyzing and documenting the assembly for ‘srec_scan()’ in binutils-2.24/bfd/srec.c to gain a better understanding of everything that was happening under the hood. I figured this would be a good way to get more practice with assembly and reverse engineering, since I had the source code available and would be able to follow along with it. This is the same function that contains the bug I wrote about in my previous post. The code does some interesting things, so there was exposure to some new instructions and constructs.

  • fuzzing binutils, part 1: out-of-bounds read in libbfd

    A few weeks ago, I finally got around to trying out American Fuzzy Lop for this first time. From the afl home page:

  • cve-2017-17065: d-link dir-605l hnap basic authentication buffer overflow discovery+analysis

    While testing different inputs in the HNAP functionality of the D-Link DIR-605L/B, I managed to cause a reboot of the device by sending sufficiently large string values in the HTTP Basic Authentication password field. If a long enough value was sent, the next request to the web server would cause the crash. The PoC script below triggers this behavior.

  • tiny-web-server: buffer overflow discovery + poc ret2libc->exit()

    I decided to hunt for bugs in code from Github to practice code auditing and exploit development, focusing on projects written in C. One of my searches was for web servers and that’s how I came across tiny-web-server.

  • collecting bro logs in elasticsearch with logstash+filebeat

    I recently completed a project in which I wanted to collect and parse Bro logs with ELK stack. Elasticsearch’s powerful querying capabilites and Kibana’s visualizations are very useful for making sense of the large quantities of data that Bro can produce in a few hours. Breaking the logs down and parsing them into Elasticsearch increases the usefulness of the data by providing a larger scope of visibility and a way to quickly get a sense of trends and what the network normally looks like.

  • cve-2017-9675: d-link dir-605l denial of service discovery+analysis

    With the wave of IoT/embedded device security incidents that struck last year, I became interested in looking for vulnerabilities in some of the devices I had laying around and in use around the house. Because I’m aware of the security and privacy issues most of these devices present, I don’t own many to begin with. I chose the D-Link DIR-615L out of the pile of old routers I had in a box mostly on a whim and it turned out to be a great place to start.

  • building a raspberry pi network tap/bridge

    While working on berry-sense and learning about network traffic analysis recently, I had the need for a dedicated device to use as an Ethernet bridge/tap for capturing traffic. This would give me a chance to test the Raspberry Pi’s performance while performing traffic captures, as well as produce a usable device for performing simple captures.

  • building a yaf+silk testing vm

    I am currently in the process of developing a collection of tools to provide network security monitoring and traffic analysis capabilities on a Raspberry Pi 3 called berry sense. After speaking with my mentor about this, he suggested I take a look at SiLK, a set of traffic analysis tools. Before any real development could begin, I needed to create a testing environment for these tools. This VM would be used solely for testing YaF+SiLK and generating output files that could later be used as template files for understanding how to process the data.

subscribe via RSS