Security Techniques


ikkisoft/ParrotNG: ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461

ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461

ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461. For more details, please refer to the slides of our Troopers 2015 talk.


  • Written in Java, based on swfdump
  • One JAR, two flavors: command line utility and Burp Pro Passive Scanner plugin
  • Detection of SWF files compiled with either a vulnerable Flex SDK version, patched by Adobe’s tool or not affected

How To Use – Command Line

  • Download the latest ParrotNG from the release page
  • Simply use the following command:
  • $ java -jar parrotng_v0.2.jar
  • The tool accepts a single SWF file or an entire directory.

How To Use – Burp Pro Passive Scanner Plugin

  • Download the latest ParrotNG from the release page
  • Load Burp Suite Professional
  • From the Extender tab in Burp Suite, add parrotng_v0.2.jar as a standard Java-based Burp Extension
  • Enable Burp Scanner Passive Scanning
  • Browse your target web application. All SWF files passing through Burp Suite are automatically analyzed
Security Techniques

gethostbyname() GHOST Buffer Overflow

During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it — and its
impact — thoroughly, and named this vulnerability “GHOST”.

Security Techniques

Diaphora, a program diffing plugin for IDA Pro

Diaphora, a program diffing plugin for IDA Pro: Some weeks ago I started developing a binary diffing plugin for IDA Pro (in IDA Python) like Zynamics BinDiff, DarunGrim or Turbo Diff. The reasons to create one more (open source) plugin for such task are various, but the following are the main ones:

  • We need an Open Source plugin/tool that is updated, maintained and easy to modify or adapt.
  • The plugin should do much more than what the current ones do. It must offer much more functionality than previously existing ones.
  • The plugin should be as deeply integrated in IDA as possible (because 99% of serious researchers use IDA as the main tool).
  • The plugin must not be subject to big corporation’s desires (i.e., Google).

The plugin or tool I have more used and the one I liked the most was Zynamics BinDiff. However, after Google bought the company, updates to it are either too slow or non existent (you can check this issue and, my favourite, this one, where Google people tells to actually patch the binary and that, may be, they can have a real fix for the next week). Also, nobody can be sure Google is not going to finally kill the product making it exclusively a private tool (i.e., only for Google) or simply killing it because they don’t want to support it for a reason (like it killed GoogleCode or other things before). Due to this reason, because I like no current open source plugins for bindiffing and, also, because they lack most of the features that, on my mind, a decent todays binary diffing tool should have, I decided to create one of mine: Diaphora.

Security Techniques


wishstudio/flinux: Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows in constrast to Cygwin and other tools. There is a comparison over existing projects.

Security Techniques

Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution

Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution: It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup: An Apache web server with default configuration on Windows (XAMPP). A SOAP web service which has written in PHP and vulnerable to SQL injection. Netscaler WAF with SQL injection rules.First request: ‘ union select current_user,2# – Netscaler blocks it.

Second request: The same content and an additional HTTP header which is “Content-Type: application/octet-stream”. – It bypasses the WAF but the web server misinterprets it.

Third request: The same content and two additional HTTP headers which are “Content-Type: application/octet-stream” and “Content-Type: text/xml” in that order. The request is able to bypass the WAF and the web server runs it.

Security Techniques

Rowhammer: Linux Kernel Privilege Escalation PoC

Rowhammer: Linux Kernel Privilege Escalation PoC:

Full PoC:

This is a proof-of-concept exploit that is able to gain kernel privileges on machines that are susceptible to the DRAM “rowhammer” problem.  It runs as an unprivileged userland process on x86-64 Linux. It works by inducing bit flips in page table entries (PTEs).

For development purposes, the exploit program has a test mode in which it induces a bit flip by writing to /dev/mem. will run the exploit program in test mode in a QEMU VM.  It assumes that “bzImage” (in the current directory) is a Linux kernel image that was
built with /dev/mem enabled (specifically, with the the CONFIG_STRICT_DEVMEM option disabled).

Security Techniques

Exploiting the DRAM rowhammer bug to gain kernel privileges

Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges: “Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.

We don’t know for sure how many machines are vulnerable to this attack, or how many existing vulnerable machines are fixable. Our exploit uses the x86 CLFLUSH instruction to generate many accesses to the underlying DRAM, but other techniques might work on non-x86 systems too.

We expect our PTE-based exploit could be made to work on other operating systems; it is not inherently Linux-specific. Causing bit flips in PTEs is just one avenue of exploitation; other avenues for exploiting bit flips can be practical too. Our other exploit demonstrates this by escaping from the Native Client sandbox.

Security Techniques


faber03/AndroidMalwareEvaluatingTools: In order to accomplish a deep antimalwares’ detection algorithms analysis, we developed two different tools, both coded in Java.

The first tool, named Alan, through a simple UI, provides the application of eight different smali code transformations
(detailed informations about these transformations can be found into the paper attached with the project).
This tool contains other two free tools (signapk, apktool) used to decompile and recompile an android
application, providing almost original resources of the application.
The tool works on smali code, a human readable dalvik bytecode.
The aim of these transformations is hiding a malicious behaviour of an application from static malware scanning techniques. A transformed application can be submitted on the website VirusTotal where it can be analyzed by 57 well-known (free and paid) anti-malwares.

In order to work on a large malaware data-set, we developed a second tool, composed basically of code enabling an automatic upload of the android applications on virus-total, using his specific java API, storing result analysis on a relational database (we provide the schema in the project).
This tool provides a simple UI to select among several queries, presenting results on html files
Everything is well-documented and ready to be improved for future works.

If you are interested in the results of the study we’ve carried out analyzing how 57 antimalwares
from VirusTotal perform against 5600 malwares, before and after the application of
obfuscating transformations, you can contact us.