The research team at Insomnia Security are constantly researching security vulnerabilities, exploitation techniques and other aspects of information security. Below you will find links to the Advisories, Presentations, Whitepapers, and Tools that have been produced by Insomnia Security team members.
|March 25th, 2018||Presentation||The Path To Ring-0
Debasis Mohanty provides an in-depth overview of exploitation of Windows Kernel vulnerabilities.
|February 24th, 2018||Presentation||In Certificates we Trust
Presentation given by Mark Piper, at CrikeyCon, about the use cases of certificate transparency logs. Video
|February 5th, 2018||Presentation||Rails Derailed
Presentation given by Tim Goddard on detection and exploitation of Rails insecurities.
|November, 2016||Presentation||Not So Random - Exploiting Unsafe Random Number Generator Use
Presentation given by Brendan Jamieson at Kiwicon X and ChchCon, November 2016 on exploitation of insecure use of random number generation.
|September 16, 2016||Advisory||BSDTar Code Execution (on Linux), CVE-2016-5418
Advisory and PoC code for CVE-2016-5418, code execution when libarchive (bsdtar) unpacks a crafted .tar file on Linux.
|February 4, 2016||Presentation||Deserialisation - What Could Go Wrong?
Presentation given by Brendan Jamieson at OWASP New Zealand Day, 2016 on deserialisation vulnerabilities.
|December 15, 2015||Presentation||Practical PHP Object Injection
Presentation given by Brendan Jamieson at Kiwicon 2015 on finding and exploiting PHP Object Injection vulnerabilities.
|December 15, 2015||Presentation||Modern Corporate Wifi Rustling
Presentation given by Chris Smith at Kiwicon 2015 on exploiting EAP-MSCHAPv2 via wireless clients.
|June 30, 2015||Advisory||OpenCFP RCE Advisory
Pre-authentication remote code execution in the OpenCFP web application.
|February 26, 2015||Presentation||PHP Magic Tricks: Type Juggling
Presentation given by Chris Smith at OWASP Day 2015 on PHP type juggling (loose comparison) issues.
|March 03, 2014||Advisory||IBM Jazz Team Server RCE Advisory
CVE-2014-0862, pre-authentication remote code execution in IBM Jazz Team Server suite.
|November 20, 2012||Presentation||Rop and Roll
Presentation given at Kiwicon 2012 on methods of ROP chain mutation.
|April 30, 2012||Presentation||Post Exploitation Process Continuation
Presentation given at SyScan 2012 on some methods of process continuation after exploit execution.
|November 11, 2011||Presentation||Encyclopaedia Of Windows Privilege Escalation
Presentation given at Ruxcon 2011 on the various techniques for gaining a higher level of access on Windows systems.
|October 11, 2011||Presentation||Fruit, why you so low?
Presentation given at hack.lu 2011 on the practicality, implementation and effect of datamining country-scale network targeting databases, in NZ and beyond.
|September 6, 2011||Whitepaper||LFI With PHPInfo Assistance
Whitepaper explaining how PHPInfo can be used to assist with the exploitation of LFI vulnerabilities in PHP.
phpinfolfi.py - Script
|August 22, 2011||Advisory||Pidgin
Pidgin IM Insecure URL Handling Remote Code Execution
|July 18, 2011||Presentation||Concurrency Vulnerabilities
Presentation given at OWASP NZ Day 2011 on web application concurrency vulnerabilities.
|April 27, 2011||Advisory||Up.Time
Administration Interface Authentication Bypass Vulnerability
|April 27, 2011||Advisory||IGSS SCADA System
ODBC service remote overflow leading to denial of service or code execution.
|December 08, 2010||Presentation||DEP in Depth
Presentation given at Ruxcon about bypassing DEP. Includes notes on SEH thread suspension, heap segment metadata exploitation, and a walkthrough of an exploit for MySQL.
|November 2010||Presentation||The Shell Game
Presentation and demo tools from Kiwicon 4, "The Shell Game", which addressed non-root "rootkits" on Linux. Discussion and demos of process hiding (in-place replacement, thread injection) and file hiding (via inotify racing) from root as a non-privileged user.
Demo tools link
|July 30, 2010||Advisory||EasyManage CMS
Multiple SQL injection vulnerabilities were discovered in this locally developed CMS.
|July 20, 2010||Presentation||Don't Try This At Home
OWASP NZ Day Presentation discussing various 'not so common' application vulnerabilities. Plenty of bad code examples and some coverage of steps you can take to prevent these.
|June 18, 2010||Presentation||DEP in Depth
Presentation given at SyScan about bypassing DEP. Includes notes on SEH thread suspension, heap segment metadata exploitation, and a walkthrough of an exploit for MySQL.
|February 16, 2010||Advisory||(MS10-007) - URL Validation Vulnerability
Microsoft has released the second and final patch for the URL validation vulnerability we reported.
|January 21, 2010||Advisory||(MS10-002) - URL Validation Vulnerability
Microsoft has released the first of two patches for the URL validation vulnerability we reported.
|July 07 2009||Presentation||Hacking Citrix
Presentation given at SyScan about Citrix insecurities. The presentation covers a standard Citrix implementation and some of the flaws that are commonly seen. It was accompanied by a live demonstration that included hacking into a Citrix install and gaining domain administrator access.
|December 09, 2008||Advisory||(MS08-073) - Webdav Request Parsing Heap Corruption Vulnerability|
|December 09, 2008||Advisory||(MS08-070) - Windows Common AVI Parsing Overflow Vulnerability|
|November 2008||Presentation||Common Application Flaws
Presentation given at the November OWASP NZ meeting, providing a basic introduction to the OWASP top 10 and common application flaws.
|October 20, 2008||Advisory||Symantec - Altiris Deployment Server Agent Privilege Escalation|
|September 10, 2008||Advisory||(MS08-055) - MS Office OneNote URL Handling Vulnerability|
|August 12, 2008||Advisory||VMWare - VirtualCenter User Account Disclosure|
|July 31, 2008||Tool||PuttyHijack
PuttyHijack is a PoC tool that injects a DLL into the PuTTY process to hijack an existing, or soon to be created, connection. This can be useful during penetration tests when a compromised Windows box is used to SSH/Telnet into other servers.
|July 09, 2008||Advisory||(MS08-040) - Microsoft SQL Server Corrupt Backup File Heap Overflow|
|July 2008||Presentation||Heaps About Heaps
Presentation documenting various heap exploitation techniques that can be used against Windows 2003 servers. This presentation details entries in the heap header, and explains multiple exploitation techniques including an improved version of the lookaside list attack. As a bonus it also provides a step-by-step example of exploiting a heap-based overflow on Windows 2003, including static addresses that can be used to obtain execution control.
.rar archive link
|June 18, 2008||Advisory||Symantec - Altiris Notification Server Agent Privilege Escalation|
|May 16, 2008||Advisory||Symantec - Altiris Deployment Solution - SQL Injection|
|May 16, 2008||Advisory||Symantec - Altiris Deployment Solution - Domain Account Disclosure|
|May 2008||Whitepaper||Access Through Access
Whitepaper covering some technical details of MS Jet exploitation. Topics include MS Access default tables, SQL injection and Jet vulnerabilities. Builds on the existing publicly available research and has become a concise point of reference for hacking Access databases.
|April 2008||Presentation||Increasing The Value Of Penetration Testing
Presentation and whitepaper discussing some ways for a customer to increase the value of a penetration test. Explains, from the viewpoint of both parties, what should be expected from each when a penetration test is undertaken. What to expect as an outcome, and how to get more for your money, are all questions answered within.
Whitepaper download link
|March 29, 2008||Advisory||CMS Made Simple - Unauthenticated Arbitrary File Upload|
|March 10, 2008||Advisory||Symantec - Altiris Deployment Server Escalation of Privileges|
|February 12, 2008||Tool||InsomniaShell
This is a tool for use during penetration tests, when you have the ability to upload or create an arbitrary .aspx page. This .aspx page is an example of using native calls through P/Invoke to provide either a reverse shell or a bind shell.
It has the added advantage of searching through all accessible processes looking for a SYSTEM or Administrator token to use for impersonation.
|February 9, 2008||Tool||ShatterAttackSuite
Shatter Attack Suite is a collection of .c source files that can be used to fuzz for and exploit shatter attacks. Originally released at Black Hat USA 2004; a couple of new additions are included in this package.
|February 06, 2008||Advisory||Symantec - Altiris Notification Server Escalation of Privileges|
|August 14, 2007||Advisory||(MS07-045) - tlbinf32.dll ActiveX Vulnerability|
|July 10, 2007||Advisory||(SUN-200071) - Java Web Start URL Parsing|
|February 15, 2007||Advisory||(LizardTech) - DjVu Browser Plug-in - Multiple Vulnerabilities|
|February 13, 2007||Advisory||(MS07-005) - Interactive Training Vulnerability|
|December 12, 2006||Advisory||(SiteKiosk) - SiteKiosk - FileSystem Access|
|December 11, 2006||Advisory||(Adobe) - ColdFusion MX7 - Multiple Vulnerabilities|
|July 11, 2006||Advisory||(MS06-034) - ASP.DLL Include File Overflow|
|June 19, 2006||Advisory||(Skype) - URI Handling Vulnerability|
|December 2005||Presentation||Exploiting Freelist On XPSP2
This paper explains techniques for exploiting freelist overwrites to bypass the heap protection measures introduced with Windows XP Service Pack 2. This leads to exploitation of other functionality within the heap management code to gain execution control after a chunk header has been overwritten.
|October 11, 2005||Advisory||(MS05-049) - Webview Script Injection|
|October 2005||Presentation||SBDA - Same Bug, Different App
This presentation explains trends in reported vulnerabilities, and the relationships between them, that researchers can use to speed up the discovery of new vulnerabilities. It includes the methodology that led to the discovery of vulnerabilities such as the fp30reg.dll overflow, the nsiislog.dll overflow, and many more. This is the version shown at BlueHat and includes full presentation notes.
Whitepaper download link
|September 07, 2005||Advisory||(CSystems) - WebArchiveX - Unsafe Methods Vulnerability|
|June 14, 2005||Advisory||(MS05-031) - Interactive Training Vulnerability|
|April 2005||Whitepaper||Bugger The Debugger
This whitepaper discusses techniques in which malware can execute code within a debugger during the load period, before control is handed back to the user. These techniques could be used as anti-debugging methods, or to run different code paths if a debugger is detected.
|December 14, 2004||Advisory||(MS04-043) - HyperTerminal Buffer Overflow|
|November 23, 2004||Advisory||(Winamp) - Buffer Overflow in IN_CDDA.dll|
|November 23, 2004||Advisory||(Vandyke) - SecureCRT - Remote Command Execution|
|October 12, 2004||Advisory||(MS04-033) - Excel 2000 Buffer Overflow|
|October 12, 2004||Advisory||(MS04-032) - SetWindowLong() Shatter Attacks|
|July 13, 2004||Advisory||(MS04-023) - HTML Help Heap Overflow|
|July 13, 2004||Advisory||(MS04-022) - Task Scheduler Buffer Overflow|
|July 2004||Whitepaper||0x00 vs ASP File Uploads
This whitepaper explains how the ASP FileSystemObject can be exploited when uploading a file with a NULL byte included in the filename. This problem arises when data is compared and validated in ASP script but not validated by the underlying lower level calls.
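The layer mismatch described above, as an added example that is not part of the original whitepaper: a small C model of the two views of the same filename. The ASP script engine keeps strings length-counted (BSTR-style), so a 0x00 byte is just another character and "shell.asp\0.jpg" ends in ".jpg"; the lower-level file call receives a NUL-terminated string and stops at the 0x00, so it acts on "shell.asp". The hardened check validates the name the lower layer will actually use and rejects any embedded NUL outright. Function names and the two sample filenames are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Script layer (length-counted string, as the ASP engine sees it):
 * the "extension" is simply the last four characters of the buffer,
 * compared case-insensitively, NUL bytes included. */
bool script_accepts(const char *data, size_t len)
{
    const char want[] = ".jpg";
    const size_t elen = sizeof want - 1;
    if (len < elen)
        return false;
    for (size_t i = 0; i < elen; i++) {
        char c = data[len - elen + i];
        if (c >= 'A' && c <= 'Z')
            c = (char)(c + ('a' - 'A'));
        if (c != want[i])
            return false;
    }
    return true;
}

/* Lower layer (NUL-terminated string, as a C-string file API sees it):
 * strrchr stops at the first NUL, so the extension acted on is the one
 * *before* the embedded 0x00 byte. */
const char *fs_extension(const char *data)
{
    const char *dot = strrchr(data, '.');
    return dot ? dot : "";
}

/* Hardened check: reject embedded NULs and path separators, then test the
 * extension on a bounded, NUL-terminated copy, i.e. the exact bytes the
 * lower layer would consume. */
bool upload_name_is_safe(const char *data, size_t len)
{
    char name[256];
    if (len == 0 || len >= sizeof name)
        return false;
    if (memchr(data, '\0', len) != NULL)     /* the 0x00 trick */
        return false;
    memcpy(name, data, len);
    name[len] = '\0';
    if (strpbrk(name, "/\\") != NULL)        /* no directory components */
        return false;
    for (size_t i = 0; i < len; i++)         /* ASCII lower-case for the compare */
        if (name[i] >= 'A' && name[i] <= 'Z')
            name[i] = (char)(name[i] + ('a' - 'A'));
    return strcmp(fs_extension(name), ".jpg") == 0;
}

int main(void)
{
    /* Constructed sample names; the NUL is embedded in the first literal. */
    static const char evil[] = "shell.asp\0.jpg";
    static const char good[] = "photo.jpg";

    printf("%-18s script=%d fs_ext=%s safe=%d\n", "shell.asp\\0.jpg",
           script_accepts(evil, sizeof evil - 1), fs_extension(evil),
           upload_name_is_safe(evil, sizeof evil - 1));
    printf("%-18s script=%d fs_ext=%s safe=%d\n", good,
           script_accepts(good, sizeof good - 1), fs_extension(good),
           upload_name_is_safe(good, sizeof good - 1));
    return 0;
}
```

The first line of output shows the bug: the script-level check passes, the filesystem-level extension is ".asp", and only the hardened check rejects the name. The general rule the whitepaper points at is to validate the representation the lower-level call will actually use, or to reject any byte that changes meaning across the boundary.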
|July 2004||Presentation||Windows Shatter Attacks
Presentation on Windows shatter attacks that was given at the Black Hat conference. This presentation was based on research done while producing the Shattering By Example whitepaper, and includes multiple examples of shatter attacks in various forms.
|April 13, 2004||Advisory||(MS04-011) - Utility Manager Privilege Escalation|
|November 11, 2003||Advisory||(MS03-051) - FrontPage Server Extensions Buffer Overflow|
|October 15, 2003||Advisory||(MS03-045) - Buffer Overflow In ListBox and ComboBox|
|October 2003||Whitepaper||Shattering By Example
Whitepaper detailing various Windows shatter attacks against multiple Windows controls and API calls.
|July 16, 2003||Advisory||(MS03-028) - ISA Server - Cross Site Scripting|
|March 9, 2003||Advisory||(MS03-022) - Windows Media Services ISAPI Buffer Overflow #2|
|May 28, 2003||Advisory||(MS03-019) - Windows Media Services ISAPI Buffer Overflow #1|