Meeting: 2007.08.29 0x000b

Our twelfth technical meeting was held August 29th, 2007, from 7pm to 9pm, in a meeting room at Mangia. Mangia is located at 8012 Mesa Dr, Austin, Texas.

Food and drinks are permissible at the meeting, provided you purchase said food and drink from Mangia.

Speaker Notes


I spoke about context-keyed payload encoding. I'm not making my slides available this time since I'm submitting this as my talk for ToorCon 9, but you can read the abstract for the paper if you like:

Abstract: A common goal of payload encoders is to evade a third-party detection mechanism which is actively observing the attack traffic somewhere along the route from an attacker to target application, filtering on commonly used payload instructions. More often than not, however, payload encoders are easily detected themselves and either decoded or blocked. Even so-called keyed encoders utilize easily observable, recoverable, or guessable key values in their encoding algorithm, thus making decoding on-the-fly trivial once the encoding algorithm is identified. It is feasible that an active observer may exploit the inherent functionality of the decoder stub to decode a suspected exploit's payload in a sandbox environment in order to inspect the contents of that payload and make a control decision about the traffic. This paper presents a new method of keying an encoder which is based entirely on contextual information which is predictable or known about the target by the attacker and constructable or recoverable by the decoder stub when executed at the target. An active observer of the attack traffic, however, should be unable to decode the payload due to lack of the contextual keying information.

I also mentioned an auxiliary tool that I wrote for this research called smem-map. You can grab it at its SourceForge project page:


In my talk, I explained one set of bugs patched by Microsoft this month. Several gadgets included with Vista suffer from remote code execution bugs due to the use of Internet Explorer running all gadget JavaScript in the 'local' zone. After explaining the process of finding the bug from the patches, I attempted to demonstrate the exploit. After several disappointing mid-demo moments of non-successfulness, all the appropriate attacker-side tools were up and running, and the damn thing finally worked.


Tod Beardsley

Tod demoed the Right Way to install Metasploit in a Cygwin environment with a minimum of fuss and without blowing away an existing Cygwin installation. Screenshots here. He will provide the simplified step-by-step to the Metasploit Project Viziers later today in hopes of getting the official documentation updated.


RSnake discussed interesting ways to hack intranets through web pages. The web pages let users supply the URL of an image on the internet for the server to fetch and upload (for the purpose of customizing web boards, for instance). Instead of pointing to an image on the internet, the attacker points the fetcher at RFC 1918 address space, so the server retrieves content from the intranet on the attacker's behalf. More info here.
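The defence for the image-fetch problem RSnake described is to refuse to fetch from private, loopback and link-local address space. The following is an added example written for these notes, not code from RSnake or from any web-board software; the URL scheme check, the blocked-network list and the `fake_resolve` lookup table standing in for DNS are all assumptions made so that it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a server-side fetcher must never talk to on a user's behalf.
# RFC 1918 space plus loopback, "this" network, link-local and the IPv6 equivalents
# (assumed list for this example; extend it for your own deployment).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, this-net, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def is_blocked_address(ip):
    """True if the literal IP falls inside one of the blocked networks."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges still apply.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def fetch_allowed(url, resolve):
    """Decide whether the server may fetch `url` for a user.

    `resolve(hostname)` returns the list of IP strings the name maps to; it is
    injected so the check can be exercised without real DNS. Every address the
    name resolves to must be outside the blocked ranges, not just the first.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):      # no file://, ftp://, gopher:// ...
        return False
    host = parts.hostname
    if host is None:
        return False
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolve(host)                      # host is a name: ask the resolver
    if not addrs:
        return False                               # unresolvable: refuse rather than guess
    return not any(is_blocked_address(a) for a in addrs)


# Constructed lookup table standing in for DNS (example data, not real hosts).
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],
    "intranet.corp.example": ["10.1.2.3"],
    "mixed.example": ["203.0.113.20", "192.168.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("http://images.example.com/logo.png",
              "http://10.0.0.1/admin",
              "http://intranet.corp.example/",
              "http://[::ffff:192.168.1.1]/",
              "file:///etc/passwd"):
        print(f"{u:45s} allowed={fetch_allowed(u, fake_resolve)}")
```

Two caveats a practitioner should keep in mind: the address that is checked must be the address the fetcher actually connects to (resolve once, connect to that IP, and do not re-resolve or follow redirects without re-checking), otherwise a name that later resolves differently slips past the check; and a bare name that the resolver cannot answer is refused here rather than passed through to a library that might interpret decimal or hex forms of an address differently.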

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.