It's been a while since I last blogged. I'm just back in India after BlackHat Abu Dhabi, which was one of the best hacker cons I've ever been to. The stay arranged by BlackHat for the speakers, at Emirates Palace, was amazing. Our (me and Subho Halder) talk was on Day 2: Dec 5th.
The talk went pretty well, and we released the framework (Android Framework for Exploitation) code on GitHub (will be updating it soon with the server code).
The code is fully written in Python and can be extended by writing modules. The structure is pretty much self-explanatory, and there is a command-line help which you can get by typing ?.
You can get the presentation slides and the whitepaper from the BlackHat Archives page here.
Releasing Android Framework for Exploitation at BlackHat Abu Dhabi
BlackHat ended pretty well, with us getting a lot of private training requests for Android and ARM exploitation classes.
Also, just a few hours back, Subho Halder got an email from Facebook Security that we (Aditya Gupta and Subho Halder) will be getting a bounty of $2500 for a bug we submitted 4 months back; it will come as a Facebook WhiteHat Debit Card.
The issue was in the video upload feature (via webcam) of Facebook, as they didn't have proper security checks enforced. Using this, an attacker could trick a user into silently recording his webcam video and publishing it to his Facebook wall, without the user even knowing about it.
Aditya Gupta and Subho Halder: Facebook WhiteHats
Plus, our names will be listed in the Facebook WhiteHat list.
(the image below is from CNET, as our card is still on its way)
Will be blogging more about the Facebook security issue and Android exploitation soon.
I am recently back from Toorcon San Diego, one of the famous hacker cons. Subho Halder and I conducted a 2-day workshop on Hands-on Android Hacking. We covered mostly application security topics, had a hands-on with AFE (Android Framework for Exploitation), traffic analysis, malware analysis and other similar things. It went pretty well. The next day, we gave a 1-hour deep-knowledge seminar (as they call it) on Android security, and an introduction to AFE.
We will be releasing this framework open-source soon. Here's a quick sneak peek of one of the features (injecting Android malware into legitimate applications) of the framework.
The next 2 days were conference talks, so we decided to have a look at the other events and the lockpicking villages. I also got a chance to meet up with Michael Ossmann, the Ubertooth guy, who was conducting a parallel workshop on Software Defined Radio.
He also designed this year's Toorcon badge, and has covered it in an excellent blog post. Do have a look.
The guys from Tagged were running a bug bounty, in which they decided to award the first 3 bug hunters a Nexus 7. We went to our rooms (not leaving an opportunity to get a Nexus 7) and came back in 10 mins, showing 2 bugs.
We found out that we were the first 2 guys to win it. Can't disclose the vulnerability for 30 days, as per the bug bounty rules.
Anyway, here's the pic of our prizes.
Aditya Gupta and Subho Halder: Tagged BugBusters Toorcon 14
Later this year, we will also be speaking at BlackHat Abu Dhabi on Droid Exploitation Saga. The talk will cover a wide range of the latest Android exploitation techniques, and a full-fledged showcase of our framework.
While preparing for my Microprocessor exam, I decided to take some time off and do something else. Just then, a friend of mine gave me back my 1 TB hard drive, which had got infected by a virus, resulting in the creation of hundreds of new executables with the same name as the folder they were in.
The infected autorun.inf was corrected by my Kaspersky 2012, but it failed to remove the created executables. So, instead of deleting the exe's from the thousands of folders by hand, I decided to write a Python script for that.
The first thing to notice was that the executable had the same name as the folder it was present in. Another interesting thing was that all of the executables had the same file size.
Here is the code. The code is self-explanatory. If you have any doubt, leave me a mail, or drop a message.
import os

# New folder virus executable remover
# Coded by Adi n Dev
# Follow us on twitter
# @adi1391 @devkar25
# Greetz : http://xysec.com

# Replace with any path you want to clean
root = "G:\\Songs"

for (path, dirs, files) in os.walk(root):
    # The virus drops an .exe carrying the same name as the folder it sits in
    folder_name = os.path.basename(path)
    candidate = os.path.join(path, folder_name + ".exe")
    print(path)
    if os.path.exists(candidate):
        # Every dropped executable had the same size, so match on that before deleting
        if os.path.getsize(candidate) == 2842053:
            os.remove(candidate)
        else:
            print("Filesize does not match")
    else:
        print(candidate + " No file here")
That's it. Sweet and simple.
However, it is not a tool to clean up the virus. Use a good anti-virus scanner for that. This is just to remove the executables.
I never miss the opportunity to make a video of anything. So here is this one.
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
Also, this was the reason behind most of the spam you used to see on the famous social networking websites.
Simply put, don't trust whatever you click on these days on any unknown or malicious sites. I (along with Subho Halder and Dev Kar) have found some interesting clickjacking attacks in Google itself. They have now corrected the user interface and also added the necessary X-Frame-Options headers to avoid clickjacking.
It's Android everywhere these days. Be it smartphones, tablets or TVs, everything seems to be androidified. A lot has already been discussed about the basics of Android.
So, this article is a description of how I created my own malware, which made it to Clubhack 2011.
One day, my friend Subho Halder and I were discussing Android malware and the possibilities. Android malware became quite popular after Geinimi (the first Android malware with botnet capabilities). We decided to have a look at Android malware and analyze it.
Being geeks from the beginning, we looked for samples. We stumbled on an amazing website (contagiodump.blogspot.com), which had most of the mobile malware samples. We downloaded the whole malware sample collection, did the reversing (with dex2jar and jd-gui), and studied almost every malware, from simple ones like Dogowar, HippoSMS and LoveTrap to GGTracker and Geinimi.
My college techfest will be starting next week. I (along with Subho Halder and Dev Kar) am conducting two events in it: Hackathon and Hacktrack.
Hackathon is an online hacking competition, just like the CTFs. But it will be of a much more basic level, depending on the participants from my college. I will put up all the levels, plus their solutions, once the online event is over, so that you can also practice them and use them if you want.
For the CTF, “ideas” (ideas! not the questions) have been taken from “Nullcon HackIM”, “Hackthissite.org” and “Enigma Group”.
Hacktrack is a workshop I am conducting on Information Security. It will be a free workshop for the college students.
Let's hope everything goes well.
(Next few posts will be about Use-After-free bugs !)
./Sign off
Aditya Gupta
Update: Here are the CTF basic levels: http://hack.subho.me. The students need to have a basic knowledge of the web, and should know about different types of encryption algorithms.
Finally I made it to the Google Hall of Fame too. It's not that much of an accomplishment, still, it's a great thing to achieve (have waited for this for so long!).
A few weeks back, we (me, Subho Halder and Dev Kar) reported 6-7 clickjacking bugs in many Google products, and made a nice PoC of all of them.
The X-Frame-Options header was missing from some of the important Google products like Translate, Scholar and many more.
Using the bug, a user's status could be updated automatically, without the user coming to know about it.
The Google guys responded promptly, and put us in their Hall of Fame with an Honorable Mention for the report.
2 days back, I was credited on the Apple Security Researchers page, where they thank all the security researchers who identified severe security vulnerabilities in their website or servers.
This made me really happy, because it was a really easy XSS bug, on consultants.apple.com.
Also, this bug remained unpatched for as long as 4 months. One of my friends, Cim Stordal, reported the same bug a few months back, and is listed with me on the list.
Here is the link if you need to see the whole list.
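Both the clickjacking write-up and this Google report come down to the same missing control: the page could be loaded inside a frame on another origin. The script below is an added example (not code from the original post) that decides, from a dict of HTTP response headers, whether a page is protected against framing. It applies the browser rule that a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, and treats the obsolete ALLOW-FROM value as unprotected. The sample header sets at the bottom are constructed for illustration.

```python
# Added example, not from the original post: check whether HTTP response headers
# prevent a page from being framed by another origin (the precondition for clickjacking).
# Sample header sets are constructed; header names are the real ones (X-Frame-Options,
# Content-Security-Policy).


def framing_protection(headers):
    """Return (protected, reason) for a dict of response headers.

    Header names are matched case-insensitively. A Content-Security-Policy
    frame-ancestors directive takes precedence over X-Frame-Options, as browsers do.
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "*" in sources:
                return False, "frame-ancestors allows any origin"
            return True, "frame-ancestors restricts framing to: " + " ".join(sources)

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is not honoured by modern browsers; use frame-ancestors"
    if xfo:
        return False, "unrecognised X-Frame-Options value: " + xfo
    return False, "no framing protection header"


# Constructed sample responses, as a scanner might collect them per URL
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin-lowercase": {"x-frame-options": "sameorigin"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.invalid"},
    "csp-none-overrides-xfo": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOWALL",
    },
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}


def unprotected_pages(samples):
    """Return the sorted names of sample pages that lack framing protection."""
    return sorted(name for name, hdrs in samples.items() if not framing_protection(hdrs)[0])


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = framing_protection(hdrs)
        print("%-26s %-9s %s" % (name, "OK" if ok else "MISSING", why))
```

Run against real responses, the function would be fed the headers of each product page; pages that report MISSING are the ones where the fix described above (adding X-Frame-Options, or better, a frame-ancestors directive) still has to be applied.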