SABANIZM - FISHING

2023年6月1日木曜日

August Connector

OWASP
Connector

August 2019

Communications | Projects | Events | Community | Membership

COMMUNICATIONS

Letter from the Vice-Chairman:

Dear OWASP Community,

I hope you are enjoying your summer, mines been pretty busy, getting married, traveling to Vegas and the board elections. August has been quite a busy month for the foundation. Attending BlackHat and DefCon as part of our outreach program, the upcoming elections ( I have to add, there were some really good questions from the community) and planning for the next two Global AppSec Conferences in September, it's been crazy. We the board would like to thank the staff and without naming any names (Jon McCoy) for their efforts during BlackHat and DefCon. I was there, on the stand, he did a good job of representing our community.

Two days prior to BlackHat and Defcon the board met as part of our second face to face meeting of the year. This was two days well spent, collaborating on some of the burning topics, but also how to move forward. At the beginning of the year, we set out our strategic goals. Even though these goals are part of our everyday OWASP life we decided to put a name against them to champion them, below are our goals and who will be championing them going forward:

Marketing - Chenxi
Membership - Ofer
Developer Outreach - Martin
Project Focus - Sherif
Improve Finances - Gary
Perception - Martin
Process Improvement - Owen
Consistent ED - Done!
Community Empowerment - Richard

If you are interested in getting involved in or would like to hear more about any of these strategic goals, please reach out to the relevant name above.

Some of the Global board members will be attending both our Global AppSec Conference in Amsterdam but also in DC. We will hold our next public board meeting during the Global AppSec Conference in Amsterdam if you haven't already done so I would encourage you to both attend and spread the word of the conference. There are some great keynotes/ speakers and trainers lined up.

Regards
Owen Pendlebury
Vice-Chairman of the OWASP Global Board of Directors

DC Registration Now Open Amsterdam Registration Now Open

Congratulations to the Global AppSec Tel Aviv 2019
Capture the Flag Winners

For two full days, 24 competitors from around the world attacked various challenges that were present within the CTF activity held at Global AppSec Tel Aviv 2019. The competition began with a handful of competitors running neck and neck with two competitors, 4lemon and vasya, at the top, slowly gathering more points in their race hoping to win it all. At the last moment, they were overtaken by Aleph who swooped in and took away the victory for himself with a total score of 29 points!

We would like to thank all of the individuals who participated and once again, congratulations to the top 3.
1st Place Winner: Aleph (29 points)
2nd Place: 4lemon (24 points)
3rd Place: vasya (24 points)

EVENTS

You may also be interested in one of our other affiliated events:

REGIONAL EVENTS

Event	Date	Location
OWASP Portland Training Day	September 25, 2019	Portland, OR
OWASP Italy Day Udine 2019	September 27, 2019	Udine, Italy
OWASP Poland Day	October 16,2019	Wroclaw, Poland
BASC 2019 (Boston Application Security Conference)	October 19,2019	Burlington, MA
LASCON X	October 24 - 25,2019	Austin, TX
OWASP AppSec Day 2019	Oct 30 - Nov 1, 2019	Melbourne, Australia
German OWASP Day 2019	December 9 - 10, 2019	Karlsruhe, Germany
AppSec California 2020	January 21 - 24. 2020	Santa Monica, CA
OWASP New Zealand Day 2020	February 20 - 21, 2020	Auckland, New Zealand

PARTNER AND PROMOTIONAL EVENTS

Event	Date	Location
it-sa-IT Security Expo and Congress	October 8 - 10, 2019	Germany

PROJECTS

Project Review Results from Global AppSec - Tel Aviv 2019
The results of the project reviews from Global AppSec Tel Aviv 2019 are in! The following projects have graduated to the indicated status:

Project	Leaders	Level
Mobile Security Testing Guide	Jeroen Willemsen, Sven Schleier	Flagship
Cheat Sheet Series	Jim Manico, Dominique Righetto	Flagship
Amass	Jeff Foley	Lab

Please congratulate the leaders and their teams for their achievements!
If your project was up for review at Global AppSec Tel Aviv 2019 and it is not on this list, it just means that the project did not yet receive enough reviews. And, if you are interested in helping review projects, send me an email (harold.blankenship@owasp.com).

Project Showcases at the Upcoming Global AppSecs
The Project Showcases for Global Appsec DC 2019 and Global AppSec Amsterdam 2019 are finalized. For a complete schedule, see the following links:

Global AppSec - DC 2019 Project Showcase
Global AppSec - Amsterdam 2019 Project Showcase

Google Summer of Code Update
Google Summer of Code is now in the final stages. Final Evaluations are due by September 2nd.

The Mentor Summit will be in Munich this year; congratulate the OWASP mentors who were picked by raffle to attend and represent OWASP: Azzeddine Ramrami & Ali Razmjoo.

Google Summer of Code Update

THE OWASP FOUNDATION HAS SELECTED THE TECHNICAL WRITER FOR GOOGLE SEASON OF DOCS by Fabio Cerullo

The OWASP Foundation has been accepted as the organization for the Google Seasons of Docs, a project whose goals are to give technical writers an opportunity to gain experience in contributing to open source projects and to give open-source projects an opportunity to engage the technical writing community.

During the program, technical writers spend a few months working closely with an open-source community. They bring their technical writing expertise to the project's documentation, and at the same time learn about open source and new technologies.

The open-source projects work with the technical writers to improve the project's documentation and processes. Together they may choose to build a new documentation set, or redesign the existing docs, or improve and document the open-source community's contribution procedures and onboarding experience. Together, we raise public awareness of open source docs, of technical writing, and of how we can work together to the benefit of the global open source community.

After a careful review and selection process, the OWASP Foundation has picked the primary technical writer who will work along the OWASP ZAP Team for the next 3 months to create the API documentation of this flagship project.

Congratulations to Nirojan Selvanathan!

Please refer to the linked document where you could look at the deliverables and work execution plan.
https://drive.google.com/open?id=1kwxAzaqSuvWhis9Xn1VKNJTJZPM2UV20

COMMUNITY

Welcome New OWASP Chapters

Tegucigalpa, Honduras
Johannesburg, South Africa

CORPORATE SPONSORS

Join us

Donate

Our mailing address is:
OWASP Foundation
1200-C Agora Drive, #232
Bel Air, MD 21014

Unsubscribe

This email was sent to *|EMAIL|*
why did I get this? unsubscribe from this list update subscription preferences
*|LIST:ADDRESSLINE|*

Emulating Shellcodes - Chapter 2

Lets check different Cobalt Strike shellcodes and stages in the shellcodes emulator SCEMU.

This stages are fully emulated well and can get the IOC and the behavior of the shellcode.

But lets see another first stage big shellcode with c runtime embedded in a second stage.

In this case is loading tons of API using GetProcAddress at the beginning, then some encode/decode pointer and tls get/set values to store an address. And ends up crashing because is jumping an address that seems more code than address 0x9090f1eb.

Here there are two types of allocations:

Lets spawn a console on -c 3307548 and see if some of this allocations has the next stage.

The "m" command show all the memory maps but the "ma" show only the allocations done by the shellcode.

Dumping memory with "md" we see that there is data, and dissasembling this address with "d" we see the prolog of a function.

So we have second stage unpacked in alloc_e40064

With "mdd" we do a memory dump to disk we found the size in previous screenshot, and we can do some static reversing of stage2 in radare/ghidra/ida

In radare we can verify that the extracted is the next stage:

I usually do correlation between the emulation and ghidra, to understand the algorithms.

If wee look further we can realize that the emulator called a function on the stage2, we can see the change of code base address and is calling the allocated buffer in 0x4f...

And this stage2 perform several API calls let's check it in ghidra.

We can see in the emulator that enters in the IF block, and what are the (*DAT_...)() calls

Before a crash lets continue to the SEH pointer, in this case is the way, and the exception routine checks IsDebuggerPresent() which is not any debugger pressent for sure, so eax = 0;

So lets say yes and continue the emulation.

Both IsDebuggerPresent() and UnHandledExceptionFilter() can be used to detect a debugger, but the emulator return what has to return to not be detected.

Nevertheless the shellcode detects something and terminates the process.

Lets trace the branches to understand the logic:

target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'