Greg Linares (Laughing Mantis)
@Laughing_Mantis
Followers
36K
Following
67K
Media
3K
Statuses
44K
20+ yrs in Infosec. Malware Influencer. I turn Malware into Art and Music. Art @MalwareArt. 4x Pwnie Nominee. 𝕍𝕏. GameDev. Autistic.
Joined February 2014
My malware generated & cyberpunk themed album 'VX' is now live & the first 200 downloads are free. I hope you all enjoy, it has been quite a ride making this album. Huge shout out to @vxunderground whose massive malware collection was a huge part of this.
13
49
217
Since I'm 6 drinks in for 20 bucks, let me tell you all about the story of how the first Microsoft Office 2007 vulnerability was discovered, or how it wasn't. This was a story I was gonna save for a book but fuck it, I ain't gonna write it anyways.
252
2K
26K
Ever want to test systems & see if your password is ever stored/sent in plaintext?. Make it: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*. I am on the phone with a vendor right now because my test account is in an inoperable state. 🧐.
122
3K
11K
Nobody tell him
The Windows 11 Start Menu is comically bad. This machine has a $1600 Core i9 CPU and 128 GB of RAM and this is the performance I often get. What is going on in Redmond?
56
136
7K
Derek, Daniel, drew, Andre, Yuki, Marc, Matt, Permeh, Chris, Laurentiu. Guys I love you so much . Not a month goes by where I don't think about how much of bad asses each an every one of you are.
7
29
4K
I once used EICAR as a password and crashed a company's entire service.
what was your biggest twitter controversy?.
23
210
3K
Let me get this straight. All of you just installed a photo app from China that requires these permissions? Let me know how it works out.
113
3K
3K
Often overlooked pretty legit hacking movie scenes?. Tron Legacy
56
184
3K
I just wanna end this thread with one last thing. I love this community.I am not perfect, no one is.I have fucked up so times in my career.We all do and it happens.What matters is how we get back up, do it all over again, and help others learn from our mistakes. Love you all.
81
62
3K
So we are crying, screaming, throwing up, shitting, rolling on the floor, options eruptions, parties. The entire research team is screaming . I am literally crying because this is my first professional job and I had fucked up so bad, but every single researcher there stayed.
5
21
3K
I'm 14 drinks in everyone. The bartender has given me the eye as in "sir what are you doing standing". So I'm doing what every drunk AF person would do. Switching to Scotch.
9
30
3K
Sorry I keep getting served drinks because I dropped a 50 dollars. This is literally dumb amount of drinks.
2
14
3K
So my first month at working at eEye in late 2006 good ol Microsoft announced Office 2007. They said they added a shit ton of security including safe int, sandboxing, code analysis, and malformed doc detection. I told my boss I was gonna break it. So I started fuzzing by hand.
5
20
2K
I'm the kind of sicko who can open a Microsoft office document in a hex editor and start telling you what it is all about just by scrolling down. I have spent an embarrassing amount of time looking at BIFF format in a hex editor, trust me it's nothing special.
6
20
2K
David, man, I'm really sorry. I've been wanting to tell you I'm sorry for like nearly 20 years about this. I.Am.So.Fucking .Sorry.To.Have.You.Come.Back .On .Vacation.
2
18
2K
So I start digging in and it is from a legacy conversation function converting an ancient word art structure into a modern structure and it incorrectly trusts a user calculation to control a pointer . Game over.
3
19
2K
Update: I just got an 18 year old scotch for $15 dollars. This is so dumb.
10
8
2K
So guess fucking what. Microsoft recalls his vacation. David LeBlanc literally blogs about his vacation being cut. This man was enjoying touching grass out in the world. And we fucking broke something so bad they recalled him vacation. On horseback. In the wilderness.
4
28
2K
And I just wanna say 2 things about this thread. Fucking up is hard, it sucks, we all do it, it's what you do immediately after is what matters. Roll with the punches, get up, fight back. You got this. It is ok to fuck up, we all do it. We don't talk about it. But we do it.
3
160
2K
The entire research office explodes. We fucking did it. News articles have been asking us for updates. Microsoft has been asking us for further clarification. We have found a legit vulnerability and it bypasses safe int.
3
19
2K
This will be a thread discussing a real world breach involving a drone delivered exploit system that occurred this summer. Some details I am not able to discuss, however for the blue teams & red teams out there I hope this provides a good measure of capability. 🧵🚁 🎮🖥️🦠.
47
782
2K
I switched to mojitos because they are 4 dollars.
12
11
2K
It.Fucking.Crashes .At .The.Same.Spot.0x4141414141.
2
17
2K
The crash has a a full EIP overwrite . 0x4141414141. Yuji looks over and goes "oh shit". Derek awakens and runs over and he's like . Oh really?!!!. And my boss Andre is like. Remove the Debugger and run it again.
3
15
2K
So me, feeling awful I start manually fuzzing again, by myself terrified for my life. I have to find an 0day ASAP to save face. Like yesterday. I'm over my head but I go. And then to my dismay the entire research team comes over and goes "we are in this together. Let's do this".
2
12
2K
Except Le Blanc comes back & says. "So. About that crash. It's only exploitable when a debugger is attached.". So we look it over. there's a fucking 0xCC op code there that we blew past in our code path. We tested and replicated with a full exploit only with a debugger.
1
11
2K
And I don't mean just like let's research this and get a bug . We are all in the office for days, 24 hours, ordering pizza, ordering mountain dew, reversing, making fuzzers, we are all in this together. Every single researcher.
2
13
2K
So I start manually fuzzing legacy word documents, I literally bring up office 6.0 documents and start manually fuzzing the legacy controls in them the day office 2007 drops. After about 36 hours I get a promising crash in good ol Word . Exe.
1
15
2K
12 years ago my life was saved by Hurricane Sandy when I was supposed to be in a building performing incident response that got blown up. There are not many public stories of physically targeted incidents directly related to cybersecurity but they exist. This is the story.
16
164
2K
And the second thing: . Your team makes a difference. I was lucky enough to be one of the last researchers hired at eEye. It was a legendary period. I was the dumbest person in the room and they rallied every time as a team.
2
43
2K
Anyways so review the bug and holy shit he's right. We submitted an exploitable condition only under a debugged process and we literally contacted every press release. Every single one. There's like 8 major news articles saying we have an exploit in office 2007 in under 48 hours.
1
13
2K
So MSRC starts reviewing this cluster fuck and as your can imagine since it's a brand new product they call in their A Team to review it, including none other than David LeBlanc, the Creator of Safe Int and a huge component of the safety of office 2007. (I'm sorry David for this).
1
10
2K
3 days go by, we all haven't left the office. Girl friends and wives have called and yelled, pleaded and begged for each of us to come home. Every single member of the team stays. I feel guilty AF and keep at it.
2
8
2K
Marc says well, I am not retracting the press release, so you all better give me an 0day. We will tell MSRC we sent the wrong file, in the meantime find me an 0day.
4
16
2K
So yuji and Derek start reversing this crash. It's in publisher. Fucking publisher, the web site developing tool in office that no one uses. What the actual fuck. We don't care we are all exhausted at this point, we just want something, literally anything.
3
9
2K
Spoilers: it's all in the EULA for Riot games.
22
116
2K
So these 2 bad asses are literally IDAing this shit out of their heads. And I remember and they look at me and go "Greg! This crash is good, is a pointer overwrite because of an integer overflow". We retest without a debugger. Hell we retest on a fresh os install.
1
12
2K
My latest phishing campaign is spoofed ticketmaster emails telling people they got access to Taylor Swift tickets. It's at 140% success rate. I am going to hell but at least I got shells.
31
219
2K
We made 4 different fuzzers, an analysis tool kit, and a binary decompiler of the BIFF format. Drew Copley (RIP) makes an HTML fuzzer for Web objects. Yuki Ukai and Derek Soeder start reversing every crash we come up with. Me and Andre are fuzzing like no one has ever fuzzed.
3
18
2K
Game over - or so I thought. So at eEye we have a senior review every bug we report and my boss looks over this issue and gives it the green light. I take it to @marcmaiffret and he sends it right over to Microsoft and starts a press release as one does.
2
9
2K
So Marc calls us in our office and sits on us down and tells us the news . I have literally been on the team for less than 2 months . I feel fucking awful.I feel fucking dumb AF.I have let down this incredible team. I am utterly devastated.
1
9
2K
Anyways David and his team look over our crash . Meanwhile we are pumping press releases left and right because we got an 0day in office 2007 in 2 days after release . We are high fiving each other in the office, literally strutting around like Rockstars.
1
15
2K
Im in a half passed out state, filled with delirium, pizza half in my hand barely conscious when I hear a fuzzer really hit . I spill a mountain dew code red while I come back into consciousness.
6
13
2K
I just got served a fucking pizza, and they don't serve pizza here
12
13
2K
Day 4, I'm in a state of delirium. The office smells of dirty researcher but we all have found so many close AF vulns but nothing serious. I write a new fuzzer. There's a stack of pizzas ordered to the office that comes up to my chest.
1
9
2K
Worst hacking scene in movie history? . Independence Day. You are telling me a single scientist reverse engineer an alien ship hardware and its OS in a single night and it just happens to be compatible with MacOS 7.6 and PowerPC architecture? .Also this virus wtf?. GTFO man
107
84
2K
Derek and Yuki start reversing the shit out of this bug. They are literally going so hard core, reconstructing structures and white boarding this and the adjacent functions. This is before office had symbols and these 2 bad asses to are literally making symbols on the fly.
1
9
2K
We did it. We found a legit zero day in a major product, office 2007, within the first week of release . Everyone is relieved .Everyone hugs.Everyone goes home finally.
2
17
2K
David. LeBlanc. I will happily buy you a drink any time, any where. I have felt guilty about this for nearly 20 years. I am so so so so so sorry.
3
12
2K
mSRC replies and they are like "oh this looks like it might be something". Meanwhile, David LeBlanc is on horseback 100 miles out of Seattle on vacation enjoying his time off according to his blog. But the bug is in SafeInt, his baby.
1
8
2K
One of my favorite ways to detect if you're in a sandbox. Custom dictionary sizes in VMs are always tiny.
17
136
2K
I just got handed a mojito??????????????!!!??????. Fuck it I'm drinking it.
3
6
2K
So what do I as the founder add into the greetz????. 100 miles rides is absolutely David LeBlanc. 💀💀💀💀💀💀💀💀💀
3
11
2K
#Log4J based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours. Self propagating with the ability to stand up a self hosted server on compromised endpoints. In addition to spraying traffic, dropping files, it will have c2c.
27
524
1K
David sent us an email intricately detailing how bad ass safeint was and how it protects against integer overflows and how insanely cool it is. He's right. It's is. But we found the section of code it somehow didn't get applied too.
3
11
1K
So what does eEye do now? . We blast the press, we show off full demos, we write a core exploit module, we write a custom office to kennel c2 exploit chain (rare AF in 2007). We own this exploit, we work it. We make that fur coat fucking pur.
4
7
1K
Fucking confirmed the vulnerability. SafeInt wasn't applied to the structure we found. Get.Fucked.
1
14
1K
Fuck I'm trashed . Anyways we wrap that bug and slam that at MSRC.
1
7
1K
So we get a receipt from Microsoft. They called back LeBlanc, Marc is tossing even more news interviews. Meanwhile Derek Soeder has written a full sexy RCE with kernel privilege exploit that he combined with his CSRSS Windows 7 LPE in a chain with us. He even added C2 via ICMP.
2
11
1K
Wait until I tell you what they already have in stores and have had for years. Spoiler: 4g/5g relays in stores use signal triangulation units that can see where you stop in aisles and know what you buy based on your cellphones signal. I know this because I bought the data.
Kroger, in collaboration with Microsoft, $MSFT, has introduced facial recognition technology in its stores, per BBC. This system aims to personalize shopping experiences by identifying customers and possibly tailoring prices individually.
51
163
1K
@HuntressLabs Being on the shoulder of giants makes me truly appreciate the 20+ years I have been in this industry. Thank you for reading thru this drunk thread. This industry is crazy, and the fails we have aren't talked about. Please help normalize fucking up but owning it.
4
26
1K
So after MSRC confirms, we write up the blog post, we write up the advisory, we get a CVE, we write a sexy write up. Here it is in jpeg form
3
16
1K
DO. NOT. PUT. YOUR. DOMAIN. ADMIN. PASSWORDS. IN. AN. EXCEL. SHEET.
71
267
1K
Helped uncover a massive cyber incident today affecting multiple residential complexes and built in switches and infrastructure. It appears the attackers were trying to reroute and intercept numerous individuals WFH residential traffic. Add this to your threat list.
14
289
1K
#log4j Update:. IF YOU WERE DEPENDING ON JAVA VERSIONS TO PROTECT YOU FROM RCE INSTEAD OF DIRECTLY PATCHING LOG4J THAT IS NO LONGER A VIABLE MITIGATION STRATEGY. *ALL* VERSIONS OF JAVA CAN NOW TRIGGER FULL RCE DUE TO A BYPASS. PATCH LOG4J ASAP.
29
534
1K
Wake up honey new red team tricks just got posted.
25
127
1K
Best tools for password recovery in the field
45
175
1K
Yeah well have you ever BSODed this hard?
63
64
1K
It gets patched in MS07-037 and assigned CVE-2007-1754. But that's not all. Since we are eEye we always have greetz in our advisory, just like the old school VX authors in their zines.
1
10
1K
And that's all it took. Office 2007 wrecked, destroyed, defeated. You can probably find some live demo of Derek Soeders ICMP C2 root kit that he demoed live on some news using this.
1
10
1K
So I've been just been briefed on a very disturbing trend of events that I think everyone should know. Ransomware attackers have been targeting legal firms quite heavily in the last 6 months or so. I thought this was because pretty poor security, but there's much more. A 🧵.
27
403
1K
So MSRC responds with an email. Marc gathers all of us around to open it together. We, delirious, gather around open the email. .
1
8
1K
Pfft try setting your IRQ, DMA and address ports first
186
87
1K
Once upon a time a vendor didn't believe an issue was exploitable. So I made sprite Pacman chase ghosts across the screen in x86 ASM
15
318
1K
Guys I just got handed another drink??? Wtaf I won't even know what it is.
4
5
1K
In the end the full write up goes here. It's my first big exploit at eEye. I honestly have the entire research crew to thank for the fuck up turned success.
4
23
1K
I have never been on a team like this except currently at @HuntressLabs . This team stands by and has every single aspect the same as back in 2007 eEye . Having a team that has your back like this makes a world of a difference.
1
12
1K
Update: David LeBlanc has read this thread and was incredibly kind about this whole event. He truly is incredible kind, forgiving, and brilliant.
Fam. When David LeBlanc reads my last thread and I suddenly disappear I just want you all to know that I forgive him and his actions are very likely justified.
13
17
1K
Another thing to do is to turn it into a QR code and spray it all over the place. Compliments of @cveiche
13
145
1K
Ok crushed that mojito so I ordered another cuz why the fuck not.
1
6
1K
When I goto jail from the fallout of this just make sure they don't use my high school photos. Thanks fam <3.
7
13
948
Thank gods. I will die on the hill to which touch screens are awful input. Give me switches, knobs, sliders, buttons, toggles, turnkeys, rockers, rotaries, encoders, selectors.
43
103
958
Okta: 1% customer data was stolen. Okta several weeks later: We actually meant 100%, they even stole our 0's.
10
90
934
Microsoft's Spectre & Meltdown KB4056892 Patch when converted to MIDI makes psytrance @ 115 BPM. This is due to the repetitive and simplistic nature of ADD, CALL & MOVs it introduced. Very similar to psytrance melodies being generally only a few notes with alternating repeats.
21
351
897
I have a shirt of this and wear it all over the place where i think ill be video recorded. :).
16
26
830
Traveling with a custom made QR code visible on a bag or clothing between 2 airports and 2 countries reveals 16 unique scans over 96 hours.
24
108
867
Apple VP's gaslighting everyone and saying 8GB RAM on Mac is the same as 16GB else where is absolutely hilarious.
21
63
842
Congrats Twitch on going open-source. ?.
14
98
794
Here's a fun find. Microsoft Office is vulnerable to a binary planting issue when you place AI.exe into %ProgramFiles%\Microsoft Office\root\<Office Version>. MSWord.exe apparently looks there for AI.exe first and you can hijack the proper AI.exe load with your malicious one. 👀
14
208
801
New red team tool just dropped.
This app/tool assists an operator in creating a copy of a key without having the original one.
16
113
794
I stand by using this browser firmly.
@ERISMANIA_ We have detonated this user‘s balls remotely.
1
13
742
Fam. When David LeBlanc reads my last thread and I suddenly disappear I just want you all to know that I forgive him and his actions are very likely justified.
8
6
760
Guys it happened again. I broke an RSA vendor follow up demo by setting my data to X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*.
12
72
743
As someone who was involved in the Huawei and ZTE evaluations leading to their ban - I fully and whole heartedly agree.
US Government moving on China associated TP Link as another concern in our cyber supply chain. Growing to dominate the residential WiFi and router market, they are seen as vulnerable and a tool used in hacks. Similar to advisories on Huawei and Kaspersky, move away!
42
85
768
How did we ever allow Discord become the acceptable standard. This absolute inconsistent piece of bloated garbage software can't remember configurations or randomly changes them and the solution is just to restart. We used to be a society that wrote decent software.
46
44
737