Technical Exploitation
After the Gamma Group hack, I described a process for searching for vulnerabilities [1]. Hacking Team had one public IP range:

    inetnum: 93.62.139.32 - 93.62.139.47
    descr:   HT public subnet

Hacking Team had very little exposed to the internet. For example, unlike Gamma Group, their customer support site needed a client certificate to connect. What they had was their main website (a Joomla blog in which Joomscan [2] didn't find anything serious), a mail server, a couple routers, two VPN appliances, and a spam filtering appliance. So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit. Since the vulnerabilities still haven't been patched, I won't give more details, but for more information on finding these kinds of vulnerabilities, see [3] and [4].
[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A