"When dealing with Windows exploits, an issue that often emerge is their cross-platform reliability, meaning they often work against either some given service packs of the OS, or some localization of the OS. It is quite rare tfind exploits that will work on a very wide range of Windows installs.

While multiplying the number of targets in an exploit is often the solution found in the wild, it seems that nobody has yet disclosed a solution tfingerprint a Windows language, or discuss about cross languages and service packs return addresses (though cross SP only is now fairly well mastered).

Immunity, Inc. had twork on this issue for CANVAS, in order tbuild more reliable exploits, and this paper intend texplain some of the solutions that were found tthese issues.

"

"Fuzzing is a software testing technique that consists in finding implementation bugs. Fuzzing Wi-Fi drivers is becoming more and more attractive as any exploitable security bug will enable the attacker trun arbitrary code with ring0 privileges (within victim's radicoverage).

This presentation will describe all the processes involved in the design from scratch of a fully-featured Wi-Fi fuzzer. It will pinpoint all issues and constraints when fuzzing 802.11 stacks (scanning, bugs identification, replaying bugs, analyzing kernel crashes...).

Then some features will be focused on, in order tunderstand which kind of implementation bugs may be discovered and which vulnerabilities we discovered thanks tthis tool (CVE-2006-6059, CVE-2006-6125).

Finally, a real-world example will be fully explained: how we found the first (publicly known) madwifi stack-based overflow thanks tour Wi-Fi fuzzer (CVE-2006-6332)."

"The SMTP protocol, used in the transport and delivery of e-mail messages, includes control headers along with the body of messages which, as opposed tother protocols, are not stripped after the message is delivered, leaving a detailed record of e-mail transactions in the recipient mailbox.

Detailed analysis of SMTP headers can be used tmap the networks traversed by messages, including information on the messaging software of clients and gateways. Furthermore, analysis of messages over time can reveal organization patching policies and trends in user location and movements - making headers a very valuable resource during the target selection phase of targeted attacks."

"Introduction:The following presentation is twparts, the first covers aspects of Microsoft's GS implementation and usage. The second is a complementary section dealing with ASLR in Windows Vista, its implementation and some surprising results...

Part I Synopsis:

GS is a Visual Studicompiler option that was introduced in Visual Studi2002 tmitigate the local stack variable overflows that resulted in arbitrary code execution. The following paper details the methods Symantec used tassess which binaries within Windows Vista 32bit leveraged GS as a defensive mechanism. This paper presents the results of this analysis, the techniques that have been developed, and supporting material. The results in this paper are from the 32bit RTM release of Microsoft Windows Vista

Part II Synopsis:

Address Space Layout Randomization (ASLR) is a mitigation technique designed thinder the ability of an attacker tachieve arbitrary code execution when exploiting software vulnerabilities. As the name implies, ASLR involves placing a computer program and its associated memory at random locations, either between reboots or executions, thinder the attacker's ability treliably locate either their shell code or other required data. This paper is the result of a brief analysis of the implementation of ASLR within Microsoft Windows Vista 32bit RTM, conducted by Symantec's Advanced Threat Research. "

"SS7 has been a walled garden for a long time: only big telcwould be interconnected tthe network. Due tderegulation and a push toward all-IP architecture, SS7 is opening up, notably with SIGTRAN (SS7 over IP) and NGN (Next Gen Networks) initiatives.

SCTP is the protocol used tcarry all telecom signalling information on IP according tthe SIGTRAN protocol suite. it's the foundation, as TCP is the foundation for the web and email. SCTP is alsused for high-performance clusters, resources pooling and very high-speed file transfer.

When you discover open SCTP ports, you discover a secret door tthis walled garden. As a walled garden, the internal security of the SS7 network is not as good as one might expect. SCTPscan is a tool tdexactly just that, and is released as open source.

This presentation will explain how SCTPscan manages tscan without being detected by remote application, how discrepancies between RFC and implementation enable us tscan more efficiently and how we manage tscan without even being detect by systems like SANS - Dshield.org. Here we will have a look at INIT packet construction, stealth scanning and a beginning of SCTP fingerprinting.

Then, we gon tdetail upper layer protocols that use SCTP and the potentials of the SIGTRAN protcol suite in term of security. we'll see the M2UA, M3UA, M2PA, IUA which are SIGTRAN-specific protocols, and alsthe more generic SS7 protocols such as ISUP, BICC, BSSAP, TCAP, SCCP and MTP. "

"In this talk, after briefly reviewing why we should build a good

anomaly-based intrusion detection system, we will briefly present twIDS prototypes developed at the Politecnicdi Milanfor network and host based intrusion detection through unsupervised algorithms.

We will then use them as a case study for presenting the difficulties in integrating anomaly based IDS systems (as if integrating usual misuse based IDS system was not complex enough...).

We will then present our ideas, based on fuzzy aggregation and causality analysis, for extracting meaningful attack scenarios from alert streams, building the core of the first 360anomaly based IDS.

Also, we will introduce some brand new ideas for correlation based on statistical fitting tests."

"This paper will show a extremely simple technique tquickly audit a software product in order tinfer how trustable and secure it is. I will show you step by step how tidentify half dozen of local 0day vulnerabilities in few minutes just making a couple of clicks on very easy tuse free tools, then for the technical guys enjoyment the vulnerabilities will be easily pointed out on disassembled code and detailed, finally a 0day exploit for one of the vulnerabilities will be demonstrated and explained.

While this technique can be applied tany software in this case I will take a look at the latest version of Oracle Database Server: 10gR2 for Windows, which is a extremely secure product sit will be a very difficult challenge tfind vulnerabilities since Oracle is using advanced next generation tools tidentify and fix vulnerabilities."

"Today, other than doing a full static analysis of the code, the most common practice tfind vulnerabilities in your web application is tget off-the-shelf automated web scanner, point ta URL, and hope that itos doing the right thing.

But is it? How dyou know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on HTTP response the best way tfind all vulnerabilities in an application? What if there was a way tlook at whatos happening inside the application while these web scanners were hitting the application?

In this talk, weoll explore that "looking inside the application as the security test runs" possibility - through byte-code instrumentation. We will see how we can use aspect oriented technologies such as AspectJ tinject security monitors directly inside a pre-compiled Java / .NET web application. We will alsgthrough a proof of concept and dem- turning a typical blackbox test inta owhiteboxtest using the techniques discussed in this talk, gaining a more complete picture: gaining coverage insight, finding more vulnerabilities, weeding out false positives reported by the scanners, and gaining root cause source information.

"

"Vboot kit is first of its kind technology tdemonstrate Windows vista kernel subversion using custom boot sector. Vboot Kit shows how custom boot sector code can be used tcircumvent the whole protection and security mechanisms of Windows Vista.The booting process of windows Vista is substantially different from the earlier versions of Windows.The talk will give you details and know abouts for the Vista booting process.Then, we will be explaining the vboot kit functionality and how it works.We will alshave an insight intthe Windows Vista Kernel.We alsgthrough a sample Ring 0 Shell code(for Vista).The sample shellcode effectively raises the privileges of certain programs tSYSTEM.Also, a live demonstration of vboot kit POC will be done.

Prerequisites :- Knowledge about Windows Internals, and a bit assembly language."