Before creating this blog, I had the opportunity to create numerous posts under the SensePost blog. These cover a few topics including mobile apps, web apps and infrastructure.

Here is a list of those posts, in chronological order, with a brief abstract about each post.

PSloggedon Module for Metasploit

Brief description and release of a new Metasploit post-exploitation module for running Psloggedon from within Metasploit. It also included an experimental history module for Metasploit.

Link: https://sensepost.com/blog/2013/windows-domain-privilege-escalation-implementing-psloggedon-in-metasploit-%2B-a-bonus-history-module/

Poking Around in Android Memory

My first dive into mobile application analysis. This outlined a technique I’d been playing around with as an alternate means to view traffic/data generated by Android apps. The technique was memory analysis, and the post described how to dump Android application memory. Since each application on Android runs in the Dalvik VM and is allocated its own heap space, this allowed full insight into the application state at runtime.

Link: https://sensepost.com/blog/2013/poking-around-in-android-memory/

Revisting XXE and Abusing Protocols

After a security researcher reported a bug in Facebook that could potentially allow Remote Code Execution (RCE), I dug into the bug he found and found a similar bug in another OpenID provider.

Link: https://sensepost.com/blog/2014/revisting-xxe-and-abusing-protocols/

Abusing File Converters

This was simply a cross-post of the same post on this blog, how meta.

Link: https://sensepost.com/blog/2015/abusing-file-converters/

Another Intercepting Proxy

In this post I released a proxy for websockets. This allows for intercepting, modifying and replaying websocket messages.

Link: https://sensepost.com/blog/2015/another-intercepting-proxy/

Advanced Cycript and Substrate

Another dive into mobile application testing, focusing on iOS this time around. This outlined how I used Cycript and Substrate to dig into a custom protocol used for communication between the mobile application and server. The protocol was over TCP, wrapped data in custom crypto, and included signing of the payload to prevent tampering. All of these processes can greatly frustrate testers using standard network intercepting tools. By using Cycript it was possible to see and modify how messages were constructed before being sent over the network.

Link: https://sensepost.com/blog/2016/advanced-cycript-and-substrate/

Mapi over HTTP and Mailrule Pwnage

The first release of Ruler, allowing for easy exploitation of malicious Outlook rules to get a shell remotely.

Link: https://sensepost.com/blog/2016/mapi-over-http-and-mailrule-pwnage/

Pass the Hash with Ruler

Updates to Ruler to allow interaction with Exchange through RPC/HTTP. This also included the option to use an NTLM hash rather than a password with Ruler.

Link: https://sensepost.com/blog/2017/pass-the-hash-with-ruler/

Outlook Forms and Shells

Continued the “pwning with Ruler” theme, and introduced a brand new method for getting a shell through Ruler. This abused the forms feature built into Outlook. It provides a more flexible means for gaining a remote shell through Outlook and resulted in Microsoft disabling VBScript execution in forms.

Link: https://sensepost.com/blog/2017/outlook-forms-and-shells/

Liniaal - Empire Through Exchange

This blog post describes a new tool, based on the functions introduced in Ruler, to allow for a covert C2 channel to be established through MAPI/HTTP and RPC/HTTP. This work was released at Troopers 17 and the recorded talk is available on YouTube.

Link: https://sensepost.com/blog/2017/liniaal-empire-through-exchange

Macro-less Code Exec in MSWord

A blog post written along with Saif El-Sherei about our research into DDE in MSWord. This blew up a bit more than expected and ultimately led to DDE being disabled throughout the Office suite.

Link: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

Outlook Home Page - Another Ruler Vector

This introduced a third technique for gaining a shell through Outlook. The underlying vulnerability was assigned CVE-2017-11774. The post included an update to Ruler to allow for effortless exploitation. The work was also presented at EkoParty 2017 and a recording of the talk is available on YouTube.

Link: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/