The research team at Insomnia Security are constantly researching security vulnerabilities, exploitation techniques and other aspects of information security. Below you will find links to the Advisories, Presentations, Whitepapers, and Tools that have been produced by Insomnia Security team members.

November 19th, 2018 Presentation Router Hacking
The slides from the CHCon 2018 talk presented by Ben Knight.
March 25th, 2018 Presentation The Path To Ring-0
Debasis Mohanty provides an in-depth overview of exploitation of Windows Kernel vulnerabilities.
February 24th, 2018 Presentation In Certificates we Trust
Presentation given by Mark Piper at CrikeyCon about the use cases of certificate transparency logs. A video recording is also available.
February 5th, 2018 Presentation Rails Derailed
Presentation given by Tim Goddard on detection and exploitation of Rails insecurities.
November, 2016 Presentation Not So Random - Exploiting Unsafe Random Number Generator Use
Presentation given by Brendan Jamieson at Kiwicon X and ChchCon, November 2016, on exploitation of insecure use of random number generation.
September 16, 2016 Advisory BSDTar Code Execution (on Linux), CVE-2016-5418
Advisory and PoC code for CVE-2016-5418, code execution when libarchive (bsdtar) unpacks a crafted .tar file on Linux.
February 4, 2016 Presentation Deserialisation - What Could Go Wrong?
Presentation given by Brendan Jamieson at OWASP New Zealand Day, 2016 on deserialisation vulnerabilities.
December 15, 2015 Presentation Practical PHP Object Injection
Presentation given by Brendan Jamieson at Kiwicon 2015 on finding and exploiting PHP Object Injection vulnerabilities.
December 15, 2015 Presentation Modern Corporate Wifi Rustling
Presentation given by Chris Smith at Kiwicon 2015 on exploiting EAP-MSCHAPv2 via wireless clients.
June 30, 2015 Advisory OpenCFP RCE Advisory
Pre-authentication remote code execution in the OpenCFP web application.
February 26, 2015 Presentation PHP Magic Tricks-Type Juggling
Presentation given by Chris Smith at OWASP Day 2015 on PHP Type Confusion issues.
March 03, 2014 Advisory IBM Jazz Team Server RCE Advisory
CVE-2014-0862, pre-authentication remote code execution in IBM Jazz Team Server suite.
November 20, 2012 Presentation Rop and Roll
Presentation given at Kiwicon 2012 on some methods of ROP chain mutation.
April 30, 2012 Presentation Post Exploitation Process Continuation
Presentation given at SyScan 2012 on some methods of process continuation after exploit execution.
November 11, 2011 Presentation Encyclopaedia Of Windows Privilege Escalation
Presentation given at Ruxcon 2011 on the various techniques for gaining a higher level of access on Windows systems.
October 11, 2011 Presentation Fruit, why you so low?
Presentation given in 2011 on the practicality, implementation and effect of datamining country-scale network targeting databases, in NZ and beyond.
September 6, 2011 Whitepaper LFI With PHPInfo Assistance
Whitepaper explaining how PHPInfo can be used to assist with the exploitation of LFI vulnerabilities in PHP, with an accompanying script.
August 22, 2011 Advisory Pidgin
Pidgin IM Insecure URL Handling Remote Code Execution
July 18, 2011 Presentation Concurrency Vulnerabilities
Presentation given at OWASP NZ Day 2011 on web application concurrency vulnerabilities.
April 27, 2011 Advisory Up.Time
Administration Interface Authentication Bypass Vulnerability
April 27, 2011 Advisory IGSS SCADA System
ODBC service remote overflow leading to denial of service or code execution.
December 08, 2010 Presentation DEP in Depth
Presentation given at Ruxcon about bypassing DEP. Includes notes on SEH thread suspension, heap segment metadata exploitation, and a walkthrough of an exploit for MySQL.
November 2010 Presentation The Shell Game
Presentation and demo tools from Kiwicon 4, "The Shell Game", which addressed non-root "rootkits" on Linux. Discussion and demos of process hiding (in-place replacement, thread injection) and file hiding (via inotify racing) from root as a non-privileged user.
July 30, 2010 Advisory EasyManage CMS
Multiple SQL injection vulnerabilities were discovered in this locally developed CMS.
July 20, 2010 Presentation Don't Try This At Home
OWASP NZ Day Presentation discussing various 'not so common' application vulnerabilities. Plenty of bad code examples and some coverage of steps you can take to prevent these.
June 18, 2010 Presentation DEP in Depth
Presentation given at Syscan about bypassing DEP. Includes notes on SEH thread suspension, heap segment metadata exploitation, and a walkthrough of an exploit for MySQL.
February 16, 2010 Advisory (MS10-007) - URL Validation Vulnerability
Microsoft has released the second and final patch for the URL validation vulnerability we reported.
January 21, 2010 Advisory (MS10-002) - URL Validation Vulnerability
Microsoft has released the second and final patch for the URL validation vulnerability we reported.
July 07 2009 Presentation Hacking Citrix
Presentation given at Syscan about Citrix insecurities. The presentation covers a standard Citrix implementation and some of the flaws that are commonly seen. It was accompanied by a live demonstration which included hacking into a Citrix install and gaining domain administrator access.
December 09, 2008 Advisory (MS08-073) - Webdav Request Parsing Heap Corruption Vulnerability
December 09, 2008 Advisory (MS08-070) - Windows Common AVI Parsing Overflow Vulnerability
November 2008 Presentation Common Application Flaws
Presentation given at the November OWASP NZ meeting, providing a basic introduction to the OWASP top 10 and common application flaws.
October 20, 2008 Advisory Symantec - Altiris Deployment Server Agent Privilege Escalation
September 10, 2008 Advisory (MS08-055) - MS Office OneNote URL Handling Vulnerability
August 12, 2008 Advisory VMWare - VirtualCenter User Account Disclosure
July 31, 2008 Tool PuttyHijack
PuttyHijack is a PoC tool that injects a DLL into the PuTTY process to hijack an existing, or soon to be created, connection. This can be useful during penetration tests when a compromised Windows box is used to SSH/Telnet into other servers.
July 09, 2008 Advisory (MS08-040) - Microsoft SQL Server Corrupt Backup File Heap Overflow
July 2008 Presentation Heaps About Heaps
Presentation documenting various heap exploitation techniques that can be used against Windows 2003 servers. This presentation details entries in the heap header, and explains multiple exploitation techniques including an improved version of the lookaside list attack. As a bonus it also provides a step by step example of exploiting a heap based overflow on Windows 2003, including static addresses that can be used to obtain execution control.
June 18, 2008 Advisory Symantec - Altiris Notification Server Agent Privilege Escalation
May 16, 2008 Advisory Symantec - Altiris Deployment Solution - SQL Injection
May 16, 2008 Advisory Symantec - Altiris Deployment Solution - Domain Account Disclosure
May 2008 Whitepaper Access Through Access
Whitepaper covering some technical details of MS Jet exploitation. Topics include MS Access default tables, SQL injection and Jet vulnerabilities. Builds on the existing publicly available research and has become a concise point of information for hacking Access databases.
April 2008 Presentation Increasing The Value Of Penetration Testing
Presentation and whitepaper discussing some ways for a customer to increase the value of a penetration test. Explains, from the viewpoint of both parties, what should be expected from each when a penetration test is undertaken. What to expect as an outcome, and how to get more for your money, are questions answered within.
March 29, 2008 Advisory CMS Made Simple - Unauthenticated Arbitrary File Upload
March 10, 2008 Advisory Symantec - Altiris Deployment Server Escalation of Privileges
February 12, 2008 Tool InsomniaShell
This is a tool for use during penetration tests, when you have the ability to upload or create an arbitrary .aspx page. This .aspx page is an example of using native calls through P/Invoke to provide either a reverse shell or a bind shell.
It has the added advantage of searching through all accessible processes looking for a SYSTEM or Administrator token to use for impersonation.
February 9, 2008 Tool ShatterAttackSuite
Shatter Attack Suite is a collection of C source that can be used to fuzz for and exploit shatter attacks. Originally released at Blackhat USA 2004; a couple of new additions are included in this package.
February 06, 2008 Advisory Symantec - Altiris Notification Server Escalation of Privileges
August 14, 2007 Advisory (MS07-045) - tlbinf32.dll ActiveX Vulnerability
July 10, 2007 Advisory (SUN-200071) - Java Web Start URL Parsing
February 15, 2007 Advisory (LizardTech) - DjVu Browser Plug-in - Multiple Vulnerabilities
February 13, 2007 Advisory (MS07-005) - Interactive Training Vulnerability
December 12, 2006 Advisory (SiteKiosk) - SiteKiosk - FileSystem Access
December 11, 2006 Advisory (Adobe) - ColdFusion MX7 - Multiple Vulnerabilities
July 11, 2006 Advisory (MS06-034) - ASP.DLL Include File Overflow
June 19, 2006 Advisory (Skype) - URI Handling Vulnerability
December 2005 Presentation Exploiting Freelist[0] On XPSP2
This paper explains techniques for exploiting Freelist[0] overwrites to bypass the protection measures introduced with Windows XP Service Pack 2. This leads to exploitation of other functionality within the heap management code to gain execution control after a chunk header has been overwritten.
October 11, 2005 Advisory (MS05-049) - Webview Script Injection
October 2005 Presentation SBDA - Same Bug, Different App
This presentation explains some trends in vulnerabilities that researchers should recognise: relationships between reported vulnerabilities that could be used to help speed up the discovery of new ones. It includes the methodology that led to the discovery of vulnerabilities such as the fp30reg.dll overflow, the nsiislog.dll overflow, and many more. This is the version shown at Bluehat and includes full presentation notes.
September 07, 2005 Advisory (CSystems) - WebArchiveX - Unsafe Methods Vulnerability
June 14, 2005 Advisory (MS05-031) - Interactive Training Vulnerability
April 2005 Whitepaper Bugger The Debugger
This whitepaper discusses techniques in which malware can execute code within a debugger during the load period, before control is handed back to the user. These techniques could be used as anti-debugging methods, or to run different code paths if a debugger is detected.
December 14, 2004 Advisory (MS04-043) - HyperTerminal Buffer Overflow
November 23, 2004 Advisory (Winamp) - Buffer Overflow in IN_CDDA.dll
November 23, 2004 Advisory (Vandyke) - SecureCRT - Remote Command Execution
October 12, 2004 Advisory (MS04-033) - Excel 2000 Buffer Overflow
October 12, 2004 Advisory (MS04-032) - SetWindowLong() Shatter Attacks
July 13, 2004 Advisory (MS04-023) - HTML Help Heap Overflow
July 13, 2004 Advisory (MS04-022) - Task Scheduler Buffer Overflow
July 2004 Whitepaper 0x00 vs ASP File Uploads
This whitepaper explains how the ASP FileSystemObject can be exploited when uploading a file with a NULL byte included in the filename. This problem arises when data is compared and validated in ASP script but not validated by the underlying lower level calls.
July 2004 Presentation Windows Shatter Attacks
Presentation on Windows shatter attacks that was given at the Blackhat conference. This presentation was based on research done while producing the Shattering By Example whitepaper, and includes multiple examples of shatter attacks in various forms.
April 13, 2004 Advisory (MS04-011) - Utility Manager Privilege Escalation
November 11, 2003 Advisory (MS03-051) - FrontPage Server Extensions Buffer Overflow
October 15, 2003 Advisory (MS03-045) - Buffer Overflow In ListBox and ComboBox
October 2003 Whitepaper Shattering By Example
Whitepaper detailing various Windows shatter attacks against multiple Windows controls and API calls.
July 16, 2003 Advisory (MS03-028) - ISA Server - Cross Site Scripting
March 9, 2003 Advisory (MS03-022) - Windows Media Services ISAPI Buffer Overflow #2
May 28, 2003 Advisory (MS03-019) - Windows Media Services ISAPI Buffer Overflow #1