https://www.msuiche.com/categories/software/Recent content in Software on Matt SuicheHugoen-usWed, 12 Aug 2020 00:00:00 +0000https://www.msuiche.com/posts/azure-sphere-internals-overview/Wed, 12 Aug 2020 00:00:00 +0000https://www.msuiche.com/posts/azure-sphere-internals-overview/<ul> <li><a href="https://github.com/msuiche/ruby-square" target="_blank" rel="noopener"><strong>GitHub Repository</strong></a>: <a href="https://github.com/msuiche/ruby-square" target="_blank" rel="noopener">https://github.com/msuiche/ruby-square</a></li> </ul> <h2 id="introduction">Introduction <a href="#introduction" class="anchor">🔗</a></h2><p>In May, Microsoft announced a bounty for their new IoT platform called Azure Sphere. The interesting part about it is that it&rsquo;s created with security in mind, which is a much needed initiative, so we decided to take a look.</p> <p>While we didn&rsquo;t find any issues worth reporting, we thought it would be a waste not to share what we&rsquo;ve learned. Hopefully, this will be useful for others wanting to research the platform or those considering to use it for their projects.</p>https://www.msuiche.com/posts/smbaloo-building-a-rce-exploit-for-windows-arm64-smbghost-edition/Wed, 01 Jul 2020 00:00:00 +0000https://www.msuiche.com/posts/smbaloo-building-a-rce-exploit-for-windows-arm64-smbghost-edition/<h1 id="smbaloo">SMBaloo <a href="#smbaloo" class="anchor">🔗</a></h1><p><p class="markdown-image"> <img src="images/logo.png" alt="alt text" /> </p></p> <p>A CVE-2020-0796 (aka &ldquo;SMBGhost&rdquo;) exploit for Windows ARM64.</p> <p><em>Because vulnerabilities and exploits don&rsquo;t need to always have scary names and logos.</em></p> <ul> <li><a href="https://www.github.com/msuiche/smbaloo" target="_blank" rel="noopener"><strong>GitHub Repository</strong></a>: <a href="https://www.github.com/msuiche/smbaloo" target="_blank" rel="noopener">https://www.github.com/msuiche/smbaloo</a></li> <li><a href="https://www.comae.com/posts/2020-06-25_smbaloo-building-a-rce-exploit-for-windows-arm64-smbghost-edition/" target="_blank" rel="noopener"><strong>Original post on Comae&rsquo;s blog</strong></a>: <a href="https://www.comae.com/posts/2020-06-25_smbaloo-building-a-rce-exploit-for-windows-arm64-smbghost-edition/" target="_blank" rel="noopener">https://www.comae.com/posts/2020-06-25_smbaloo-building-a-rce-exploit-for-windows-arm64-smbghost-edition/</a></li> <li><strong>Author</strong>: Matt Suiche (<a href="https://www.twitter.com/msuiche" target="_blank" rel="noopener">@msuiche</a>)</li> </ul> <h1 id="acknowledgments">Acknowledgments <a href="#acknowledgments" class="anchor">🔗</a></h1><ul> <li><a href="https://twitter.com/hugeh0ge" target="_blank" rel="noopener">@hugeh0ge</a> for his great blogpost and <a href="https://twitter.com/chompie1337" target="_blank" rel="noopener">@chompie1337</a> for her excellent POC! On top of answering my questions on Twitter, their materials were really good and helped me immensely to understand the vulnerability and the exploitation part. Really HUGE kudos to both of them!</li> <li>ZecOps &amp; Michael Maltsev (<a href="https://twitter.com/m417z" target="_blank" rel="noopener">@m417z</a>) for their write-ups.</li> <li>Special thanks to Stephen Ridley (<a href="https://twitter.com/s7ephen" target="_blank" rel="noopener">@s7ephen</a>) for being the ultimate ARM64 enabler and a great Aniki.</li> <li>Barnaby (RIP), I also gave a refresh to your APC injection technique. I hope you like it, we miss you.. Alex says hi.</li> <li>Thanks to Satoshi Tanda (<a href="https://twitter.com/standa_t" target="_blank" rel="noopener">@standa_t</a>) and Petr Beneš (<a href="https://twitter.com/PetrBenes" target="_blank" rel="noopener">@PetrBenes</a>) for helping me troubleshooting my original debugging set-up :)</li> <li>A big thanks to Sean Dillon (<a href="https://twitter.com/zerosum0x0" target="_blank" rel="noopener">@zerosum0x0</a>) for his prior work on SMB exploitation and our brainstorming sessions :)</li> <li>Laurent Gaffie (<a href="https://twitter.com/PythonResponder" target="_blank" rel="noopener">@PythonResponder</a>) for his prior work on SMB.</li> <li>The NSA for developing (or buying) (and leaking? Cheers to TheShadowBrokers) ETERNALBLUE and DOUBLEPULSAR, that exploit is soon gonna be 10 years old&hellip; it almost feels like nothing new got released since then.</li> <li>Microsoft Platform Security Assurance &amp; Vulnerability Research for finding CVE-2020-0796.</li> <li>Nicolas Economou (<a href="https://twitter.com/NicoEconomou" target="_blank" rel="noopener">@NicoEconomou</a>) and Alex Ionescu (<a href="https://twitter.com/aionescu" target="_blank" rel="noopener">@aionescu</a>) for their publications on HAL stuff.</li> <li>Nikita Karetnikov (<a href="https://twitter.com/karetnikovn" target="_blank" rel="noopener">@karetnikovn</a>) for the ARM ninjutsu.</li> <li>Souhail Hammou (<a href="https://twitter.com/dark_puzzle?" target="_blank" rel="noopener">@Dark_Puzzle</a>) for making fun of APC ETW.</li> <li>And the OPCDE community for the continuous support! Join us on <a href="https://discord.gg/Wp8Nzxh" target="_blank" rel="noopener">Discord</a> or go on our <a href="www.opcde.com">website</a> if the link is dead :)</li> </ul> <h1 id="introduction">Introduction <a href="#introduction" class="anchor">🔗</a></h1><p>Do not use this for anything else other than educational purposes, this was only tested on the only ARM64 machine (Windows 10 18362 ARM 64-bit (AArch64)) that I had a direct access to. I have been happy enough that it was running consistently against it. Make sure that KB4551762 is not installed if you do some tests. I&rsquo;m gonna try to make this write-up as readable as possible even if you have limited experience with exploit development, if you have any questions - do not hesitate just to come on Discord to ask them on the <a href="https://discord.gg/Wp8Nzxh" target="_blank" rel="noopener">OPCDE Discord server</a>.</p>