Ghidra v9.0.1 Released: Security Fixes and New Features.


Ghidra is a software reverse engineering (SRE) suite of tools developed by the NSA’s Research Directorate. The latest version, v9.0.1, addresses security issues and bugs and introduces some improvements to the overall user experience. The most notable fix is an XML External Entity (XXE) vulnerability that could be exploited by tricking a user into opening or restoring a specially crafted project, so that the user’s own Ghidra instance resolves the entities embedded in it.
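To make the class of bug concrete, here is an added example (my own code, not Ghidra’s, and not the project-loading code path that was actually fixed, which the post does not show) of how a Java XML parser with default JAXP settings expands an external entity from a crafted document, next to the hardened factory configuration that refuses it. The `<project>` document, the temp file, its contents and the class name are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Constructed stand-in for a crafted project file. The DOCTYPE declares an
    // external entity pointing at a local file and the <name> element expands it.
    // (XML forbids external entity references inside attribute values, so the
    // reference has to sit in element content.)
    static String craftedProject(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE project [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<project><name>&xxe;</name></project>\n";
    }

    static InputStream bytes(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    // Default JAXP configuration: the DOCTYPE is honoured and external general
    // entities are resolved, so the file's contents land in the parsed tree.
    static String parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document d = f.newDocumentBuilder().parse(bytes(xml));
        return d.getElementsByTagName("name").item(0).getTextContent();
    }

    // Hardened configuration. Refusing any DOCTYPE is the one setting that kills
    // XXE outright; the remaining features are belt and braces for parser
    // implementations that do not honour the first one.
    static String parseSafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document d = f.newDocumentBuilder().parse(bytes(xml));
        return d.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" the attacker wants to read from the victim's disk.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "hunter2".getBytes(StandardCharsets.UTF_8));
        String xml = craftedProject(secret);
        try {
            System.out.println("default parser leaked: " + parseUnsafe(xml));
            try {
                parseSafe(xml);
                System.out.println("hardened parser accepted the DOCTYPE (unexpected)");
            } catch (SAXException e) {
                // Xerces reports that the DOCTYPE is disallowed.
                System.out.println("hardened parser refused: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Two practical caveats: `setFeature` throws `ParserConfigurationException` when the underlying implementation does not recognise a feature (the JDK’s built-in Xerces accepts all of the above), so wrap the hardening in a helper and fail closed rather than silently falling back; and `disallow-doctype-decl` rejects documents that legitimately carry a DTD, in which case drop that line and rely on the entity and external-DTD features. The fix in an application like Ghidra, which writes and reads its own project files, is to refuse the DOCTYPE entirely.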

Version 9.0.1 also adds a new feature: a script that shows all equates within the current selection.
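As an added illustration of what such a script does, the following Java `GhidraScript` walks the program’s equate table and prints every equate reference that falls inside the current selection, falling back to the whole program when nothing is selected. This is my own script written against the Ghidra scripting API, not the one shipped in 9.0.1, and it has not been run against that release; the class name and category are arbitrary.

```java
// ListSelectedEquates.java  (added example; drop into a Ghidra script directory)
//@category Examples

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.AddressSetView;
import ghidra.program.model.symbol.Equate;
import ghidra.program.model.symbol.EquateReference;
import ghidra.program.model.symbol.EquateTable;
import java.util.Iterator;

public class ListSelectedEquates extends GhidraScript {

    @Override
    protected void run() throws Exception {
        if (currentProgram == null) {
            printerr("No program is open.");
            return;
        }
        // Scope to the current selection; with no selection, report the whole program.
        AddressSetView scope = (currentSelection != null && !currentSelection.isEmpty())
            ? currentSelection
            : currentProgram.getMemory();

        EquateTable table = currentProgram.getEquateTable();
        int hits = 0;
        Iterator<Equate> equates = table.getEquates();
        while (equates.hasNext()) {
            Equate eq = equates.next();
            // One equate may be applied at many operands; keep only those inside scope.
            for (EquateReference ref : eq.getReferences()) {
                if (!scope.contains(ref.getAddress())) {
                    continue;
                }
                println(String.format("%s  operand %d  %s = 0x%x",
                    ref.getAddress(), ref.getOpIndex(), eq.getName(), eq.getValue()));
                hits++;
            }
        }
        println(hits + " equate reference(s) in scope");
    }
}
```

Iterating the whole equate table and filtering by address is deliberately simple; on a large binary with many equates it is cheaper to ask the table for the addresses inside the selection first, but the filtering form is the one whose behaviour is easiest to verify by eye in the console.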


Ghidra: All you Need to Know about the NSA’s Reverse Engineering Tool


Ghidra is a Software Reverse Engineering (SRE) framework created and maintained by the National Security Agency (NSA) Research Directorate. It is an open-source tool that lets security researchers and malware analysts dig into the compiled code behind software when no source is available.

The program’s 1.2 million lines of code are designed to reverse the compiler process: executable code is disassembled into assembly listings and then decompiled into approximate C. Capabilities include disassembly, assembly, decompilation, graphing of control flow through functions, scripting, inspecting symbols and references, and identifying variables and data, along with hundreds of other features. It will all be very familiar if you have used similar reverse engineering tools such as IDA, Binary Ninja, Radare, Hopper or Snowman.


New Ransomware dubbed ‘Bad Rabbit’ used NSA’s EternalRomance Exploit


Last week, a newly identified ransomware strain hit a number of computer systems across Europe.

The new strain, dubbed ‘Bad Rabbit’ and spreading primarily in Russia, Ukraine, Turkey and Germany, uses one of the NSA exploits leaked by the Shadow Brokers earlier this year. According to several malware researchers and subsequent analysis, the EternalRomance SMBv1 exploit (the flaw patched by MS17-010) was used to spread the ransomware laterally across the network once a host was infected.

Cybersecurity firm Kaspersky Lab monitored the malware and compared it to the WannaCry and Petya (NotPetya) outbreaks that caused so much chaos earlier this year.

Abusing GDI Objects for ring0 Primitives Revolution


Exploiting MS17-017 EoP Using Color Palettes

This post accompanies the DEF CON 25 talk given by Saif. One of the core topics of the talk was the release of a new GDI object abuse technique based on Palette objects, and Saif presented a previously unreleased Windows 7 SP1 x86 exploit for MS17-017 that abuses it.

A complete white paper on the topic was released and can be found here: Whitepaper

Both exploits discussed in the talk were also released; their source code can be found here:
