A deeper analysis of the RTF exploit CVE-2010-3333

Looking for an old white paper I authored online today and couldn’t find it. The link is dead on the Sophos website 😦



SMS Phishing Reporting

This morning, 22nd Jan 2018, at stupid o’clock I received an SMS.


This message was obviously a phishing text, not least because I do not bank with HSBC.

Now by the time I looked at this message, GoDaddy had already suspended the domain. When I ran a Whois on the domain I saw:

Name servers:

The whois also showed a few other typical signs of spam.

Registered on: 21-Jan-2018

How to report this?

Reporting spam or smishing from a mobile couldn’t be easier: all you have to do is forward the message to 7726 (or 87726 for Vodafone). 7726 spells SPAM in the telephone keypad encoding.

Coding trick: Setattr vs. Exec

Recently, while writing a parser for files in Python, I needed to assign instance attributes dynamically. As an aide-mémoire for me, and maybe for the rest of the world, this post describes the trick.

[Screenshot: code snippet from Komodo IDE]

So what is the code doing?

reg_01 = re.compile(r'.*core.xml')

Here we are compiling a Regex to match something ending ‘core.xml’.

if filter(reg_01.match,self.plist):

We are searching a list of pseudo files (from an archive) using the filter function.

The filter resembles a for loop but it is a builtin function and faster.

for item in filter(reg_01.match,self.plist):
    parsed = XML(extract_file(self.pf,item))

This extracts the file from the archive and parses it as an XML file.

for elem in parsed:
    taggy = re.sub(r'{[^}]*}','',elem.tag)

The XML tag has extraneous information that the Regular Expression substitution removes.

Before we go any further let us look at an example core.xml file.

<dc:title>This is the title</dc:title>
<dcterms:created xsi:type="dcterms:W3CDTF">1970-01-01T00:00:00Z</dcterms:created>

So what I would like to be displayed is:

  • self.title = ‘This is the title’
  • self.creator = ‘God’
  • self.lastModifiedBy = ‘Woman’
  • self.revision = ‘2’
  • self.created = ‘1970-01-01T00:00:00Z’

The first way of getting this result I found was:

#exec('self.' + taggy +' = ' + 'elem.text')

The use of exec is frowned upon, since it builds a string partly from the document’s own tag names and then runs it as Python code. When I came to rewrite the code (for another similar parser) I found setattr.

setattr(self, taggy, elem.text)

This code using setattr is much cleaner and simpler. Python, unlike Perl, strives for: “There should be one– and preferably only one –obvious way to do it.” (see PEP 20).
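The whole parser as an added, runnable example (not the post’s original code): it builds a constructed in-memory archive laid out like an OOXML package, with a core.xml holding the values the post wants, and applies the filter/regex/setattr steps above. It also adds two caveats a practitioner would want: in Python 3 filter() is a lazy iterator and always truthy, so it is materialised before use, and setattr is restricted to an allow-list so that an element name chosen by whoever wrote the document cannot overwrite other attributes of the parser (the constructed <cp:plist> element shows the case that is rejected).

```python
import io
import re
import zipfile
from xml.etree.ElementTree import XML

# Constructed sample core.xml; the values match the output the post wants.
# The extra <cp:plist> element is constructed to show why an allow-list matters.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties
 xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/"
 xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>This is the title</dc:title>
<dc:creator>God</dc:creator>
<cp:lastModifiedBy>Woman</cp:lastModifiedBy>
<cp:revision>2</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">1970-01-01T00:00:00Z</dcterms:created>
<cp:plist>clobbered</cp:plist>
</cp:coreProperties>"""

# Only these element names may become attributes of the parser object.
ALLOWED = frozenset({"title", "creator", "lastModifiedBy", "revision", "created"})


def build_archive():
    """Build an in-memory zip laid out like an OOXML package (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", b"<document/>")  # not wanted
    buf.seek(0)
    return zipfile.ZipFile(buf)


class CoreProps:
    def __init__(self, pf):
        self.pf = pf
        self.plist = pf.namelist()              # pseudo files in the archive
        reg_01 = re.compile(r".*core\.xml$")    # dot escaped, end anchored
        # In Python 3 filter() is a lazy iterator and is always truthy, so
        # materialise it before relying on it.
        for item in list(filter(reg_01.match, self.plist)):
            # For untrusted documents, parse with defusedxml rather than plain etree.
            parsed = XML(self.pf.read(item))
            for elem in parsed:
                taggy = re.sub(r"{[^}]*}", "", elem.tag)  # strip the namespace
                if taggy in ALLOWED:                      # reject unexpected names
                    setattr(self, taggy, elem.text)
```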

Book review: Practical Packet Analysis – Using Wireshark to solve real-world network problems

Networks are a dark art, and to truly understand them you must practise by analysing packets. Like Harry and friends in Dumbledore’s Army, you will find that book learning and classroom learning aren’t sufficient alone. This book doesn’t get bogged down in the minutiae but uses walked-through examples to teach directly. In fact, nearly two-thirds of the book is examples, and while SANS “Intrusion Detection In-Depth” (which I attended in 2011) provides more detail, the examples are what make this book ‘practical’.

The first third of the book races through the groundwork: what packet analysis is, the OSI model, types of traffic, and what network taps are and the types available. It moves quickly on to what Wireshark is and why you would use it. Then we have a Wireshark tutorial that is terse but covers all the main areas you will need. With online help and documentation being more up to date it is always a hard thing to balance, but in this case I think the author has put in just the right amount of ‘How to …’ to get the reader up and running with Wireshark without regurgitating a manual. Then we have a quick diversion into packet analysis on the command line using TShark and tcpdump.

The next few chapters concentrate on protocols, looking at network, transport and some common upper-layer protocols like:

  • ARP
  • IPv4
  • IPv6
  • ICMP
  • TCP
  • UDP
  • DHCP
  • DNS
  • HTTP
  • SMTP

All with worked through packet captures (available here).

The rest of the book is analysis of some basic and advanced scenarios including:

  • Missing Web Content
  • Inconsistent Printer
  • Slow Network
  • Finding Malware

The book finishes with a discussion of sniffing wireless traffic.

This is the 3rd edition of the book and I wish I had known of its predecessors, because it is rare that I have to slice and dice packets nowadays and having this will get me up to speed without the fumbling in the dark. The book is clearly written and is both an easy read and a valuable resource when you have to do packet analysis.

Black Hat Python

Black Hat Python: ‘Python Programming for Hackers and Pentesters’ by Justin Seitz

This is a great follow-up to ‘Gray Hat Python’ from the same author. If you aren’t a Black Hat or Grey Hat, don’t let the titles put you off, as these books are for all hues of hatted security researchers. While the examples may espouse grey/black uses, they are tools that can be set to defence as well as offence.

Knowing how to slice and dice network packets with Python has universal usage, and seeing how to do it well will give you ideas for slicing and dicing other objects. A main theme of the book is that when you set up a quick and dirty environment you may find your favourite tools missing. Having the skill set to improvise with Python will be useful, and from both the attacker’s and the defender’s point of view your own Python scripts will have different hashes/identifiers from the well-known tools: malware checking for a VM will not know your scripts, and similarly for scanning software.

I find that though there are plenty of resources for finding examples (Stack Overflow, ActiveState, etc.), having example scripts to:

  • replace Netcat
  • to SSH
  • sniff packets
  • hack HTML
  • create a keylogger
  • do privilege escalation

at your fingertips is useful too. More useful than the scripts is the methodology and explanations.

Write a script, harden it and test it. Repeat the process, adding more parts, until you have a finished program, or stop when you have a good enough solution. Every section has a paragraph or two called ‘Kicking the tyres’ that explains the process.

I have never really been taught programming, and hacking other people’s code is how I learn. So for me and others like me, having well written, well documented code like this in an easily digestible form is a godsend.

Keep Java updated! Erroneous information from BBC.

Over the weekend, while trying to find programmes to keep my children quiet, I stumbled across one of the Click videos on terrestrial TV. I normally only ever watch these videos while stuck in a hotel, but I had to re-find this episode to confirm what I thought I saw.

      Keep your browser — updated Check
      Keep Java updated — What!!
      Run antivirus software — Check

I agree with two out of three of the recommendations, but ‘Keep Java Updated’ is equivalent to making tea in a chocolate teapot. Currently, security advice is to uninstall Java or at least disable it in the browser.

Oracle are currently patching Java quarterly, and the number of zero days this year alone is larger than for all other common software applications. Security messages are hard to formulate because there are always codicils, but in this case the path of least harm is to say: