Cisco Talos Blog

August 4, 2022 07:01


We spend a lot of time preparing for Black Hat, and as part of putting together content for the show, one of our best, Lurene Grenier, submitted an unexpected piece of content: a poem. Now this poem isn't our regular security research or a shiny piece of corporate corresponden

June 21, 2010 11:29

Defenders of the Faith

Quite recently, Tavis Ormandy released a 0-day vulnerability in a prominent piece of software. For this transgression, both he and his employer received a good deal of bad press. Sadly, very few in the professional security researcher crowd made enough noise about this, and to th

December 17, 2009 17:13

DEP and Heap Sprays

Usually when you need to use a heap spray, you're SOL when it comes to DEP. The reason for this has to do with why you used the heap spray in the first place. In the case of a vtable overwrite you need a chain of pointers to get the job done. A neat way to deal with this is t

December 15, 2009 18:53

Adobe Reader media.newPlayer() Analysis (CVE-2009-4324)

First off, it's not Friday, and hopefully you'll have a better weekend. The reason for that is you are set with rules and clam sigs. Now what the heck am I talking about… Last night Adobe released an advisory detailing an in-the-wild exploit for Adobe Acrobat that is current

December 8, 2009 11:17

Actual Conversation - botnets explained

[11:04] <[?] someone > Pusscat: basically I'm trying to walk a non-technical person through a simple irc bot
[11:04] <[?] someone > my goal was for my mom to be able to accurately describe a botnet
[11:04] <[?] someone > like code chunk - this is the c&c inte

September 24, 2009 13:06

Bamboo -> angel tongue

#include <stdio.h>
#include <string.h>   /* needed for memcpy() and strlen() */

struct newClass {
        char    type;
        int     size;
        char    *data;
        void (*printer)(char*);
};

void painter(char *input) {
        char buf[4096];
        /* copy at most sizeof(buf) bytes so a long input cannot overrun buf */
        memcpy(buf, input, sizeof(buf)<strlen(input)?sizeof(buf):strlen(input));
        r

September 10, 2009 16:49

SMBv2 <air quotes> DoS </air quotes>

Here's the dirty dirty dirt dirt. (All addresses SP2) If you send an SMBv2 packet off to Vista SP1 or SP2 that specifies the NEGOTIATE command, and the ProcessIDHigh word is not set to 0x0000, you do not in fact get a DoS. What happens is this: (Note that we control eax, a

August 17, 2009 11:02

New Byakugan functionality - !jutsu searchVtptr

With heap metadata exploits going out of favor (hzon's fine work notwithstanding), I've recently gone after a number of vtable overwrites. This can be no fun at all to do by hand, so I've added some helpful code to byakugan to let you search for the pointers to point

July 27, 2009 11:17

Only whitehat journalists need Metasploit to hack oracle

I'm astounded at the number of crazy articles concerning the release of Oracle exploits for PATCHED vulnerabilities. How is it that Oracle in particular gets this kind of response, when Metasploit has been doing this with other vendors for years and years? Never mind the fact