Background

Someone I know once told me about a device they purchased at a county fair. It’s a small box that you plug into your TV and hook up to your Internet connection. It’s basically a digital content streaming box (like a Roku), except the seller claimed that you could get any movie or TV show you wanted for free. This supposedly included live television and films that were still in theaters.
CVE-2023-40477

I’ve recently been looking at N-day vulnerabilities in Windows software in an attempt to hone my reverse engineering and exploit development skills. Last month, I read about an interesting bug in WinRAR version 6.22 and below which could result in remote code execution. This bug was assigned CVE-2023-40477. It was discovered by Zero Day Initiative.
When I started, all the information I had to go on came from the ZDI page:
Intro

After recently finishing the Offensive Security OSEE exam, I wanted to start looking at some real-world vulnerabilities in Windows. I had hoped I might find a recently patched vulnerability with an available PoC that could simply trigger the bug. If a PoC wasn’t available, then maybe a blog post somewhere doing a root cause analysis so I could build my own PoC to trigger the bug, and then later attempt to weaponize it.
Updates

When I left off in my last post, I had only just started working on the OSEE course material at home by myself. Now a whopping nine months later, I’m finally done with the training. It’s been a long road and a lot of work, but it was worth it!
Best Laid Plans

My original plan when I got back from Blackhat and Defcon was to work on one module per month leading up to the exam.
Background

Check Point Research recently disclosed three security bugs in the Microsoft Windows MSMQ service. The most critical bug disclosed was CVE-2023-21554. They’ve named this bug QueueJumper and claim that it can result in unauthenticated remote code execution.
Recently, a few coworkers discovered some vulnerable systems on their network penetration tests and were trying to find public exploits for this bug. The best they were able to find was this PoC on Github.
Background

OpenAI chat has exploded in popularity over the last couple of weeks. People are using it to do all sorts of interesting things. If you are unfamiliar with OpenAI Chat and GPT-3, you can find a primer here. The gist is that it’s an artificial intelligence model that you can chat with as if it were a person. It can do all kinds of things like answer questions, write code, find bugs in code, and more.
Background

I’m currently taking Offensive Security’s PEN-401 course and studying for their OSEE exam. One concept I’ve been learning about is Supervisor Mode Execution Prevention (SMEP). I found it to be one of the more confusing topics to learn, so I thought I’d try to explain how it works to help fill my own knowledge gaps and better solidify my own understanding.

Supervisor Mode Execution Prevention (SMEP)

Supervisor mode execution prevention is an exploit mitigation feature built into some CPUs.
Summary of tips for the training course

Study before you arrive

Use the syllabus as a guide to fill knowledge gaps. Study the material they send before the course begins. When you are given time in class to do an exercise, find the exercise in the guidebook and follow along there. Study the guidebook in the evening to fill in any knowledge gaps. Ask questions during class if you need to.
Last week I was working on a social engineering engagement that included pretext phone calls, email phishing, and USB drops. I had to build payloads for the phishing email attachments and USB drops. This engagement was standalone, and therefore was not supporting other testing efforts like an internal pentest. Therefore, the payloads didn’t have to do anything fancy. I just needed proof that they were executed. Ideally, I wanted to collect the following information with each execution:
Introduction

I’m taking Offensive Security’s PEN-401 course this summer in an attempt to earn my OSEE certification. It’s the most difficult and most technical course they currently offer. I really enjoyed earning my OSCE and OSED certifications through them and I figured some day I would make an attempt at the OSEE. I wasn’t expecting to go for it in 2022, but they reached out to me with an available spot and I couldn’t pass up the chance.
Aha! I think I figured something out. I did some web searching to see if I could figure out how to identify the firmware entry point address. I found a StackExchange post that mentioned something called a “reset vector”. It sounds like a reset vector is a pointer that the CPU looks at to tell it where to begin program execution. The reset vector location is CPU-specific.
I went back to the Motorola datasheet and searched for information about reset vectors.
After having dumped the firmware for my Kantronics KPC 9612+ TNC, my next thought was to try and disassemble this code with IDA Pro; however, it turns out IDA Pro free edition doesn’t support this architecture. I’m not excited enough about this project to go spend the money on a professional license.
Next I tried Ghidra. I hadn’t used Ghidra before, but it seemed like a good time to test it out.
After working on my WinAPRS exploits, I had a thought that my ham radio TNC (radio modem) could have vulnerabilities built right into the TNC itself. I have a Kantronics KPC 9612+ TNC. I think it originally was released sometime in the 1990s and was finally discontinued in 2020 for a newer model. Mine still works just fine, though. The TNC runs its own little operating system that supports decoding different kinds of packet data.
In early 2021 I took an Offensive Security course to earn my Offensive Security Exploit Developer certification. This course taught me a lot about exploiting memory corruption vulnerabilities in Windows 32-bit programs. It was also a lot of fun.
Aside from security things, I also dabble in ham radio. Most of my experience with ham radio has been through the use of packet radio and other digital modes. Rather than talking to people over the air using voice, I’m sending and receiving data through a computer over the airwaves.