Re: [Dailydave] Latest HackInTheBox Conference Materials

From: Lin Yichong (kk_qq@263.net)
Date: Tue Jan 06 2004 - 02:13:29 CST


Hi, all:

   I wrote an IDC script to obtain RPC interface information from a binary. It's a piece of unfinished code. Parameter
recognition will be added soon.
  Wish it's helpful. Any suggestion is welcome.

        kkqq
> Happy New Year Everyone!
>
> IIRC, LSD's RPC interface decompiler (called dmidl?) was developed in
> 2001 (as what they said). Decompiled IDL by dmidl can be even recompiled
> with Microsoft IDL compiler. Their second tool C decompiler FA is still
> in alpha stage but the output in the presentation looks great (btw, have
> anyone seen ilfac beta in ida pro? jc told me that it was r0x). Don't know
> when they will release their tools.
>
> RD / THC
> Visit us at http://www.thc.org
>
> On Wed, Dec 31, 2003 at 03:51:34PM -0600, H D Moore wrote:
> > The HITB staff is still incredibly busy, trying to sort out all of the
> > financial cruft and organize the materials. They should have most of the
> > materials online by the end of January.
> >
> > LSD's presentation was an in-depth look at the DCOM interface, how to
> > fingerprint the OS based on the available interfaces, and a basic review
> > of two tools they developed.
> >
> > Both of the tools presented were still being finalized at 6:00am the day
> > of their talk, half of the members were up all night finishing slides and
> > code (hell, so was I for the first two nights).
> >
> > The first tool was called "fa" for flow analysis, IIRC it was a tool for
> > easily tracing user-supplied RPC parameters through compiled binaries, it
> > was able to detect format string and overflow bugs in this manner.
> >
> > The second tool was a RPC interface decompiler. (forgot the name
> > off-hand), it generated the appropriate C stubs to write a client for any
> > RPC service, using just the executable. It used a number of techniques to
> > scan for the RPC structures and followed pointers around the binary
> > to determine the number and type of arguments for each function in the
> > RPC service.
> >
> > It will probably take them some time to get the code solid enough for a
> > public release; the decompiler looked like it was a real bitch to write,
> > mostly because of the different RPC types (different structures,
> > different signatures, etc).
> >
> > Er so yeah, loosen up the tin foil, the HITB stuff is all volunteer-based,
> > with a core team of maybe 5 people who are making up silly excuses to
> > their real employers so they can finish up the post-conference stuff :)
> >
> > If anyone cares, the reason why the public metasploit v2.0 release is
> > being held back is that I got a ton of development help at the last
> > minute and am trying to sort out all the new features/bug
> > fixes/organization structure. Hopefully will have something available
> > within the next two weeks, I really don't want to release until the
> > underlying API for the exploit modules stops changing and some docs get
> > written.
> >
> > -HD
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave@lists.immunitysec.com
> > http://www.immunitysec.com/mailman/listinfo/dailydave
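The technique both posts describe (locate the RPC_SERVER_INTERFACE structures in a compiled binary, then follow the pointers they hold) is illustrated below with an added stand-alone Python example. It is not kkqq's IDC script (which is not reproduced in the archive) and not LSD's decompiler; it is editor-written code that keys on the well-known NDR transfer syntax GUID {8A885D04-1CEB-11C9-9FE8-08002B104860} v2.0, validates the candidate by its Length field (0x44 on 32-bit, 0x60 on 64-bit), recovers the interface UUID and version, and walks the DispatchTable pointer through the PE section table to read DispatchTableCount, i.e. the number of functions the interface exposes. The sample PE it builds is constructed for the demonstration, and its interface UUID 12345678-1234-1234-1234-123456789abc is hypothetical.

```python
import struct
import uuid

# Editor-added example; constants below are the public RPC/NDR definitions, everything
# else (sample PE, interface UUID) is constructed for this demonstration.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
NDR_NEEDLE = NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)       # RPC_SYNTAX_IDENTIFIER, v2.0


def pe_sections(data):
    """Parse just enough of the PE headers to map virtual addresses to file offsets."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at offset 28 of the optional header
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    secs = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        secs.append((va, max(vsize, rsize), rptr))
    return image_base, secs


def va_to_offset(va, image_base, secs):
    """Translate an absolute VA read out of the image into a file offset, or None."""
    rva = va - image_base
    for sva, size, rptr in secs:
        if sva <= rva < sva + size:
            return rptr + (rva - sva)
    return None


def find_rpc_interfaces(data):
    """Find RPC_SERVER_INTERFACE structures via their NDR transfer syntax and follow
    DispatchTable to recover how many functions each interface exposes."""
    image_base, secs = pe_sections(data)
    found = []
    pos = data.find(NDR_NEEDLE)
    while pos != -1:
        start = pos - 24                  # Length (4) + InterfaceId (20) precede TransferSyntax
        if start >= 0:
            length = struct.unpack_from("<I", data, start)[0]
            if length in (0x44, 0x60):    # sizeof(RPC_SERVER_INTERFACE) on 32- / 64-bit
                fmt, off = ("<I", 44) if length == 0x44 else ("<Q", 48)  # DispatchTable field
                iid = uuid.UUID(bytes_le=bytes(data[start + 4:start + 20]))
                major, minor = struct.unpack_from("<HH", data, start + 20)
                dt_va = struct.unpack_from(fmt, data, start + off)[0]
                dt_off = va_to_offset(dt_va, image_base, secs)
                nfuncs = struct.unpack_from("<I", data, dt_off)[0] if dt_off is not None else None
                found.append({"offset": start, "uuid": str(iid), "version": f"{major}.{minor}",
                              "dispatch_table_va": dt_va, "num_functions": nfuncs})
        pos = data.find(NDR_NEEDLE, pos + 1)
    return found


def build_sample_pe():
    """Constructed 32-bit PE with one .rdata section holding a fake RPC server
    interface with a 7-entry dispatch table. The UUID is hypothetical."""
    base, sec_rva, sec_raw = 0x10000000, 0x1000, 0x200
    iface = uuid.UUID("12345678-1234-1234-1234-123456789abc")
    dt_va = base + sec_rva + 0x44                                  # table placed right after the struct
    rsi = struct.pack("<I", 0x44) + iface.bytes_le + struct.pack("<HH", 1, 0) + NDR_NEEDLE
    rsi += struct.pack("<IIIIII", dt_va, 0, 0, 0, 0, 0x4000000)   # DispatchTable ... Flags
    dispatch = struct.pack("<III", 7, dt_va + 12, 0)               # RPC_DISPATCH_TABLE: count=7
    section = (rsi + dispatch).ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, base)
    sechdr = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(section), sec_rva,
                                                      len(section), sec_raw) + b"\0" * 16
    headers = (dos + coff + bytes(opt) + sechdr).ljust(sec_raw, b"\0")
    return headers + section


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for iface in find_rpc_interfaces(blob):
        print(f"{iface['uuid']} v{iface['version']} @ 0x{iface['offset']:x}: "
              f"{iface['num_functions']} functions")
```

Run it with a path to a real DLL or EXE to list the interfaces it registers; without an argument it scans the constructed sample. Two caveats a practitioner would want: a 64-bit server that registers NDR64 carries the NDR64 transfer syntax {71710533-BEBA-4937-8319-B5DBEF9CCC36} v1.0 in a separate interface record, so that GUID needs a second needle; and the function count comes only from the dispatch table, while the per-function parameter types kkqq plans to add live behind the InterpreterInfo pointer (MIDL_SERVER_INFO and its format strings), which this example does not walk.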