lunes, 5 de marzo de 2018

File Parser: OnBelay Flash/Disk Media Backup (CompuApps, Inc.)

This type of file have a header "33 00 00 00 43 4F 4D 50 55 41 50 50 53"

Usage: java -jar FMBParser.jar "/path/file.FMB"

Mount with: losetup -f -P /path/file.FMB.img

miércoles, 17 de enero de 2018

LeakVM: Research & Pentesting Framework for Android, Run security tests instantly.

Why LeakVM: LeakVM fast security test on Android, by skipping the time-consuming build pen-testing laboratories, you can test on real devices or virtual devices. LeakVM makes researchers and pen-testers more productive since they can run the test on real time and with zero knowledge on malware develop or attacks.

Our technology uses the same techniques used in criminal software, but in a controlled environment, you always have control over the SDK, our product, gives you a real approach against real malware and real attacks.

Why Pentesting: With 2000 million active devices, 90% of mobile users are vulnerable to exploit kits (software vulnerabilities), Cyber crime damage costs to hit $6 trillion annually by 2021, Mobile Malware Shows Rapid Growth in Volume and Sophistication, Mobile security is a big data problem.

Unsecured devices and apps are the norm, In 2017 every 4.2 seconds a new malware specimen emerges, You need to reduce the threat surface.

Our platform is designed even so that anyone can make money with us, without any type of investment, by sharing your reseller link, the customer that is obtained will bring you rewards, now we have 3 methods of payment: Western Union, Wire Transfer and PayPal, These rewards will be received for life, is just share a link.

For first 100 customers: new client 20%, renewal 10%.
For next 900 clients: new client 15%, renewal 10%.
After reaching 1000 clients: new client 10%, renewal 5%.

  • Ptrace/ASLR/Yama Bypass
  • API for 3rd party projects
  • Linux common features
  • Dynamic library loading
  • SmartLock extraction
  • Private file extractor
  • KeyStore extraction
  • Advanced reflection
  • WebServices Engine
  • Privilege escalation
  • Core Observers
  • Library injection
  • OOP Bypass
  • Extensible
  • Android 4.4 to 6.0
  • Architectures Arm(32/64 bits), x86(32/64 bits), MIPS(32/64 bits)


Social Media:

It has been a long time developing this platform, with delays, problems and bugs of the Android core, now this are ready, we are packaging the product, in around two weeks we will be available on Google Play, thanks for await. 

miércoles, 22 de marzo de 2017

Xtreme Tech LLC: An Offensive Security Startup

Finally are finishing our first commercial product 'LeakVM', and be published under our company 'Xtreme Tech'.

LeakVM fast security test on Android, by skipping the time consuming build pentest laboratories, you test on real devices, do not need root your smartphone. LeakVM makes researchers and pentesters more productive since they can run test on real time and on real environments.

Our technology uses the same techniques used in criminal software, but in a controlled environment, you always have control over the SDK, our product, gives you a real approach against real malware and/or real attacks.

Current features:

  • Linux common features
  • Dynamic library loading
  • Native/VM library injection
  • Private file extractor
  • Privilege escalation
  • KeyStore extraction
  • Advanced reflection
  • Core Observers
  • Extensible

We are currently under development, in a short time LeakVM will be available to the public with 10 days Trial Free, you can test our Web Interface, and check our JavaDoc

Follow us on: TwitterLinkedIn, Facebook

jueves, 22 de diciembre de 2016

LeakVM: You team are ready for us ?

I be working hard for an long time on related projects: code transformation, reflexing, modify, remove, overwrite, hooking, injecting, bypass security, spy/crypt tech, oh well now i be very close to finish my first commercial version of LeakVM, on the next weeks i update info about, payment ways, documentation, code examples, SDK, etc.

Surely your team has a very important question, can everyone buy this? Yes absolutely everyone, we are not HackTeam, we sell our tools thinking on an good price, an price averyone can pay, there are no rules, it's the real world, The Free Market, no matter that they try to ban my accounts, I always will found how to trade this, we do not have stupid rules like in US or EU, simply our only rule is: you can pay it? 

LeakVM web interface

You team are ready for us ? LeakVM 

Insecure Cordova Banking App

This time i be exposes to: Davivienda Móvil, BANCO DAVIVIENDA S.A.

Which it has a number of serious security problems:

1-Insufficient Transport Layer Protection
2-Lack of Binary Protections
3-Insecure Local Storage
4-Broken Cryptography

This application allows cloning of credentials via VM Injection attacks, the company responsible for developing the app was "Todo1", too detect an insecure library developed by "Easy Solutions".


GitHub: ExposingIndustryMediocrity

miércoles, 12 de octubre de 2016

The Untold Truth about Zeus Case

So many publications on the case were made, this gave around the world, still does.

A judge sentenced two hackers involved in the creation, maintenance, and marketing of the SpyEye financial botnet to a combined sentence of 24 years in prison, the US Department of Justice has announced today

Aleksandr Andreevich Panin, 27, from Russia, known online as Gribodemon and Harderman, received nine and a half years in prison, while his accomplice, Hamza Bendelladj, 27, from Algeria, known online as Bx1, got 15 years in jail.

The official documents say that:

The lawsuit names "John Does 1-39" which are described by their online monickers or "handles", many of which will be well known to anyone who has been researching Zeus:

JOHN DOES 1-39 D/B/A Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits AND JabberZeus Crew CONTROLLING COMPUTER BOTNETS THEREBY INJURING PLAINTIFFS, AND THEIR CUSTOMERS AND MEMBERS.

All of the supporting legal documents can be found on the Microsoft-registered server: 

The Zeus malware also goes under the name Ice-IX and SpyEye. Microsoft said John Doe 1, who goes by the name Slavik, Monstr, IOO, and Nu11, is the creator. John Doe 2, aka zebra 7753, lexa_mef, gss, and iceIX, created a Zeus family member called Ice-IX, Microsoft said, and John Doe 3, aka Harderman and Gribodemon, created another family member called SpyEye, the complaint said.

John Doe 5, aka miami and miamibc, John Doe 9, aka Kusunagi, and John Doe 38, aka jheto2002, are other developers involved, writing "Web inject" code that gets the malware onto victims' computers, the complaint said. Some other defendants also were involved in developing the software.

John Doe 4, aka Aqua, aquaSecond, percent, cp01, and other aliases, recruits "money mules" whose job it is to travel to different countries to create bogus bank accounts into which victims' money is transferred. Several of the other John Does are these money mules. John Does 23 and 24, aka jtk and Veggi Roma, respectively, also recruited money mules, the lawsuit said.

My mistake was publish an link of my PoC without source code on Hackforums, now not remember the post, that is the Source Code

For years i searching info about that, why , why, why, Until both found on LinkedIn, "Jorge Mieres" an researcher, he knowns all about Zeus, the he told me that had spent much time researching and long after demand also, we talk more for months, he explained that, the research was done lightly, without a thorough analysis, without facts simply they wrote down on paper, any damn profile fit on that, the investigation was not serious, just fish in a jumbled barrel, he spoke with many people from Microsoft and thought the same, but everyone kept his mouth shut, criminals, protecting criminals i always say, you do wrong things, you not like be "catched", especially if your company is "Microsoft" trying to "catch" Banking Trojans criminals.

On this time i be really desperate, months without job, freelance, nothing, all people call me criminal, that was the shit, and continues today, on this times i "decide" be "an criminal", an write a lot of shit on Pastebin, saying good bye, Jasper Hamill , write an article on Forbes "A Hacker's Guide To Finding A Job"

On 2011 the Source Code of Zeus was published on Github that contains the Server Code

On this days i try to demand this guys for that, but all layers on my country only talk about of lot money to review my case, and more money to send that to the court, well i continue with my life, doing more "PoC's", doing more reversing, cheeking Apps, Libs, API, a lot of things, is a lot of bullshit on the head, on this time i meet security people on LinkedIn (Kandy, Bob, Jorge, Hernan, Mayur, Dave, Remo, Marnix, Dhamu, and more) and Twitter (Disassembler, Claus, Odisseus, maldevel, and more), they always try give me ideas to get job or make tools to sell, sharing post's, or this type of things, really good people, while everyone called me criminal they always try to help me.

But the top news never says they spoke lies about me, I was never part of a criminal network, Internet all the idiots believe that "you are a criminal".

Some days ago, again come back this mother fucker, and sent an inbox message:

8 Oct, 21:57 Request: Please tell me a little bit about yourself. I remember your name from the Zeus botnet matter that I was involved with. I would appreciate learning a bit more about you. Thanks, Gabe.

That explode on my mind, this guy not have shame, i'm not "involved with", you say more crap about me, but i remember the words of Kandy: You are gifted, not an criminal, be an legend; That is the reason of this post and all my PoC's and Tools.

All my Twitter, LinkedIn and Blogger followers knowns what i can do with the code, if i be criminal, i be fully of money, and would not be seeking employment and/or trying to create my own LLC Company.

For this reason i send an email to "Public Defender on California", telling him this story, oh well, if these guys do not get charges, the legal system in the US sucks and is criminal, plain and simple.

How i probe i not be an criminal simple, i found and report this vulnerabilities:

Android CitiBank Colombia
Android IPC Communication 

Android Third Party Validation
Android Amazon AWS SDK 

Android Parse SDK

Technicolor TC7300 Bad configuration
Windows Privilege Escalation

Too i develop this things to detect vulnerabilities and protect the data of the people.

VectorAttackScanner - VAS
E2EE (End To End Encryption, RSA2048 + AES256 + PBKDF2 + RSA Signature Verification)

Too the news say that:

Thanks to Alexander Knorr for the research, and Security Scorecard by publishing: The Calm Before the Mobile API Data Breach Storm
Thanks to Jeremy Wagstaff for the research, and Reuters by
publishing: 'Billions' of Records at Risk From Mobile App Data Flaw  

Too if you compare My code and Zeus code is another thing, You need to be a very big ignorant if try to compare my PoC with the code of Zeus.

Or well, if i be an criminal spreading "Zeus", where are my fucking thousands or millions dollars ?  The reality is if i not finish my new tool LeakVM on few months, literally "we be on the street". 

When you say on an legal case, "jheto2002 (Jheto Xekri - Me), are other developers involved, writing "Web inject" code that gets the malware onto victims'", you are affirming, you need
facts, you defame me, you do damage the my public image, you doing damages their mental health and tranquility, and utterly destroy job opportunities on software/security industry, and maybe more, this makes you a criminal by you acts and by you words, you are a liar.

miércoles, 28 de septiembre de 2016

Exposing the Colombian Industry Mediocrity

This time i be exposes to: CitiMobile CO, Citibank Colombia S.A

Which it has a number of serious security problems:

1-Insufficient Transport Layer Protection
2-Lack of Binary Protections
3-Insecure Local Storage
4-Broken Cryptography

This application allows cloning of credentials via MITM attacks, It is something really serious in a banking application.

Details: CityBank.CO

GitHub: ExposingIndustryMediocrity

miércoles, 3 de agosto de 2016

Transformation Oriented Programming (TOP)

For some time now I can not stop thinking about how this built our world (opcodes), developing Vector Attack Scanner and Dark Ether, I've seen this is as primordial matter, apparently are only actions for a processor, but this is like elementary particles , all together form our universe, meet each other to create more complex elements, if all the matter of our universe is created by frequency (M and String Theory), this is almost the same, I can not sleep of thinking in this, so I stopped a few things that was developing and testing it out in my free time, I think to finish this is more important, not how long it takes to write me, you maybe a few months or more, but it will be great fun to do, so it will not be more PoC's for a while, just the usual publications on Twitter and LinkedIn.

All this on the theory of Dark Ether has made me think about a paradigm: "Transformation Oriented Programming" when this is over is the'll show you, I know you will love it, this is no longer tries to find an 0day, or bypass something, is like not to see a world solid in three dimensions, it is like seeing formless, multidimensional to infinity, where all dimensions are one above the other, communicating among themselves, where everything can be what you want it to be, if know how to do it, it sounded crazy, but it's always the same, only the crazy people can create different things.

Thanks for reading me and send me emails.

sábado, 7 de mayo de 2016

Turning Android on an Cyber War Camp

Again we come back with the same problems of Android and Java; Serialization and methods unvalidated.

This time, our new security flaw, It allows us crashing applications, creating a permanent denial of service (DoS), if runs that, can crashing repeatedly, and stop application completely and indefinitely, too, this security issue affects all applications Android from version SDK 2.0 to 6+.

Well, the reason this happens is very simple: Each application has a different ClassLoader, which has classes of the core android and the current compiled APK, referenced by a DexClassLoader, and only that, not the other clasess compiled in other APK's.

It is really simple to send a Parcelable or Serializable to an application, service, methods, etc, if the application does not contain these classes simply crash (explodes), Well with this simple theory, just enough to find entry points to send these Parcelable and / or Serializable.

PoC preview

Github: MissileGuidedForAndroid