Leon Jacobs
pipetap – a windows named pipe proxy tool
Windows named pipes, being one of many available mechanisms for inter-component / inter-process communications, is interesting from a security perspective. While hunting for vulnerabilities in various bits of software, I often see the pattern of a privileged process that exposes a named pipe such that a client process can interact with it. More often than not, you’ll eventually be curious enough to want to snoop on the data that is transferred over this named pipe. At this stage you’ll Google “Windows Named Pipe Proxy”, find some results and away you go. My hope is that pipetap is another one of these results you’ll find that can help with your Windows named pipe reverse engineering journey. You can find it here: https://github.com/sensepost/pipetap
pwning asus driverhub, msi center, acer control centre and razer synapse 4
At the beginning of this year I spent a week finding several vulnerabilities in various “bloatware” software. This was after I got suspicious of how my ASUS motherboard’s “DriverHub” behaved. In the end I looked at 6 targets from 6 random vendors (apart from ASUS) and found vulnerabilities ranging from Remote Code Execution to Local Privilege Escalation in all of them. Those were: ASUS, Acer, Lenovo, HP, MSI and Razer.
make prs, not war
Everyday we’re faced with a choice – some glaringly obvious, others more subtle. The choice to give, or to take, is something that I believe is deeply rooted in each of us, and choosing to give, to contribute no matter how big or small, almost always ends up bigger than ourselves.
Imagined by us, and illustrated by the amazingly talented @christidutoit, I’m excited to show you “make pr’s, not war” – our 2024 SensePost artwork.
your contributions, today
Keynoting 0xcon in Johannesburg this year, I had the immense privilege of talking and sharing ideas about something that is dear to my heart. That is, giving back more than you take. And by giving back I don’t mean *just* doing research or writing tools. Instead, giving back includes things like writing documentation or even just teaching someone else! In my talk, “your contributions, today” I reflected on a current view of practical security research and contributions in a time of ever-increasing systems complexity, abstractions and Instagram reels. By drawing parallels to the “Free-rider Problem” as described in an economics context, I argued that as an industry we need to caution against this phenomenon manifesting by actively making contributions.
we’re going to bsides cape town 2023
Arguably one of the largest hacking conferences in South Africa, BSides Cape Town 2023 is around the corner and the SensePost Team is there with a jam packed agenda demonstrating our latest research (with five talks), challenges and more! In this post, I’ll summarise what you can expect. For timing related information, check out the schedule here. Be sure to come and say hi at our stand in the chill area too.
select * from projectdiscovery join steampipe
Recently, I decided to take a look at Steampipe again. I like SQL and the structure it provides, and after playing around a bit I figured: “Wouldn’t it be cool to write a plugin for the immensely popular projectdiscovery tools?”. That is exactly what I did and you can find the source code for it here: https://github.com/sensepost/steampipe-plugin-projectdiscovery.
overview For the purposes of footprinting, everything you can do with steampipe you can do with a bash script. You technically don’t need SQL. However, with bash you always need to bust out some text wrangling with tools like sed and awk. That in itself isn’t bad, but the data is inherently unstructured and error-prone as a result. Instead, if we could have our data in a database, we could do arbitrary lookups, join and more!
an offensive look at docker desktop extensions
For our annual internal hacker conference dubbed SenseCon in 2023, I decided to take a quick look at Docker Desktop Extensions. Almost exactly a year after being announced, I wondered what the risks of a malicious docker extension could be. This is a writeup of what I learned, a few tricks I used to get some answers and how I found a “non-issue” command injection in the extensions SDK. Everything in this post was tested on macOS and Docker Desktop 4.19.0 (106363).
sensecon 2022 – wait a minute, you got legs? edition
In a world of returning back to, well, “normal” it meant that we could finally have our annual internal hackathon as Orange Cyberdefense in person! And that is exactly what SenseCon 2022 was. An internal, global ethical hacker conference spread across six regions. In this post we’ll talk about exactly that, the challenges as well as the projects people worked on.
As a bonus, we have one of the challenges, BuzzWord, available for you to play via our Discord server, today! Just join using this link, and check out the instructions in the #buzzword-instructions channel.
me vs request smugglingPOST
I’ve come to realise that I wasn’t the only one that has never actually exploited an HTTP Request Smuggling vulnerability, three years after James Kettle reminded the world of it. Like many, I’ve seen the buzz, read it all, thought I understood it, but honestly, I didn’t. While the potential impact sounds great from an attacker perspective, I’ve been mostly confused by a lot of it. That was until the 2022 HackTheBox Business CTF challenge called PhishTale in the web category came around. Focussing less on the overall solving of the challenge and more on the request smuggling, in this post I’ll tell you about my journey of how I finally got to exploit an HTTP desync attack (specifically HTTP2 request smuggling).
using a cloud mac with a local ios device
Doing iOS mobile assessments without macOS around is not exactly fun. This can be for many reasons that include code signing and app deployment to name a few. Alternatives exist for some of these tasks (like the amazing libimobiledevice project or more recently an attempt to get code signing to work without macOS), but nothing beats using a real macOS device for most of those tasks. Be it to patch mobile apps with a Frida gadget, or to deploy an application from Xcode, whatever your reason for needing this, in this short post I’ll show you how to use @CorelliumHQ‘s usbfluxd project or a simple SSH tunnel to make a locally connected iOS device (eg. your Linux laptop) available to a remote macOS device such that you could expose it to Xcode, in the cloud.
Page 1 of 3
Next