With a group of friends, we are organizing in Rosario THE largest security conference ever held, RiseCON!

RiseCON - Rosario Information Security Conference - is the first and largest computer security and hacking event held in the city of Rosario, with international level and significance.

Attendees will be able to attend high-level presentations given by recognized hackers and computing professionals from Argentina. In addition, they will have the possibility to participate in trainings and workshops.

During the conference, topics such as WebApp Security, Ethical Hacking, Mobile Security, Bitcoin, WiFi Hacking, Cloud, Privacy, Malware Analysis, Forensics, Exploiting, among others will be addressed.

The event will be held at Plataforma Lavardén, a traditional space in the city of Rosario, home of major cultural events.


  • LATIN AMERICA CYBER-CRIME EVOLUTION - Jorge Mieres - Thursday 06/11 - 14.00 hs
  • SECURITY IN GSM / GPRS / 3G MOBILE COMMUNICATIONS - Fernando Corvalán - Thursday 06/11 - 15.00 hs
  • ODILA PROJECT - Marcelo Temperini - Maxi Macedo - Thursday 06/11 - 15.00 hs
  • EXPLOITING MOBILE SAFARI - Felipe Manzano - Thursday 06/11 - 16.30 hs
  • SECURITY IN GSM / GPRS / 3G MOBILE COMMUNICATIONS - Fernando Corvalán - Friday 07/11 - 09.00 hs
  • CERTIFICATE PINNING: DO WE HAVE THE C ... ERTIFICATE BROKEN? - Cristian Borghello - Friday 07/11 - 10.00 hs
  • ADVENTURES AND DISADVANTAGES IN THE INVESTIGATION OF COMPUTER CRIMES - Ezequiel Sallis - Federico Marchetti - Friday 07/11 - 11.30 hs
  • MOBILE APPS AND HOW TO PENTEST THEM - Gustavo Sorondo - Friday 07/11 - 12.30 hs
  • HACKERS UNIVERSITY - Federico Pacheco - Friday 07/11 - 15.00 hs
  • HACKING WALL STREET - Juan Braña - Alexis Sarghel - Friday 07/11 - 16.00 hs
  • DO YOU KNOW WHO'S WATCHING YOU ?: AN IN-DEPTH EXAMINATION OF IP CAMERAS ATTACK SURFACE - Nahuel Riva - Francisco Falcón - Friday 07/11 - 17.30 hs


  • RASPBERRY PI - Mkit Staff - Thursday 06/11 and Friday 07/11
  • PENGOWIN FOR ALL AND ALL - Oscar Banchiero - Thursday 06/11 - 14.00 hs
  • VULNERABILITIES AND OTHER HERBS - Guido Macchi - Gustavo Griego - Ezequiel Ricas - Thursday 06/11 - 15.00 hs
  • BITCOIN IN DEPTH: A CRYPTOGRAPHICAL JOURNEY - Maximiliano Cañellas - Friday 07/11 - 11.00 hs
  • MALWARE INTELLIGENCE FOR RESEARCH - Jorge Mieres - Friday 07/11 - 12.00 hs
  • INTRODUCTION TO FIRMWARE ANALYSIS AND EMULATION - Fernando Catoira - Friday 07/11 - 12.30 hs


  • INTRODUCTION TO ETHICAL HACKING AND PENETRATION TEST - Cristian Borghello - Thursday 06/11 - 09.00 hs
  • APPLIED PRACTICAL CRYPTOGRAPHY - Diego G. Bruno and Javier Antúnez - Thursday 06/11 - 09.00 hs
  • For more details about the trainings and information on registration and fees, contact [email protected]
  • Students of public universities get a 20% discount on presenting proof of regular student status


  • Av Mendoza 1085


  • Druidics
  • Core Security
  • Mkit
  • Malware Intelligence
  • Sinaptica
  • education




A while ago Juan Pablo Yacubian, a friend and colleague from work at Telecom, introduced me, between talks and lectures, to the world of Bug Bounty Programs, which basically consist of responsibly reporting vulnerabilities to companies in exchange for some reward. In some cases the reward is monetary, in others it is t-shirts and accessories of their brands or publishing the name of the person who found the vulnerability in their "Wall of Fame" (Hall of Fame), and some even pay with bitcoins.

On April 2 I found an XML Injection vulnerability at Lookout, the company that develops an application for Android and iPhone to protect cell phones.

The vulnerability allowed reading practically any file on the server that the web server had permission to read. At the time of reporting the vulnerability I was able to read the files /etc/passwd and /etc/issue, from which I obtained the entire list of users and the operating system on which the server ran.


















On this occasion I received a reward of $1,000 (USD), with which, using the Payoneer card, I bought a new notebook.


Short summary


I'm going to repost the mail I sent to the list a couple of years ago to start reviving the page.

Mail to the list

Hello people,
It's been so long since I last wrote.
It's been more than 1 year since the previous mail.
A brief summary.
- I received my degree as a Systems Analyst in March 2009 at the Polytechnic of Rosario.
- I started the Information Systems Engineering degree at the UAI the following month. They recognized my Analyst degree.
- On December 29, 2009 I broke up with my girlfriend Laura; it was a relationship of almost 5 years.
- In December 2010 I finished studying 5th year.
- In the summer I started the Gym and Salsa :)
- I started a new relationship.
- At the end of last month I stopped working at Globant to come to work at the IT Security Area in Telecom Argentina, where I am currently.
- I moved to another city. I came to work in Buenos Aires, Federal Capital, leaving my beloved city, Rosario. On weekends I go back.
- Carlos Tori, a friend of the house, included me in the acknowledgements of his excellent book Ethical Hacking ( http://www.hackingetico.com ) and published it free for all.

Well, that is a brief summary of what happened in recent years.
My page is not available at the moment.
I'm looking to do something more professional and move my programs, like fuck-deepfreeze, to other servers.

Ekoparty (www.ekoparty.org) is on September 21, 22 and 23. I'll be waiting for you there.


As I said in the previous post, I had not planned to start Systems Engineering for another year, but as a friend told me that he was going to start this year, I decided to start as well.

I calculated that we were both going to be in the same course, which would help us with the subjects, but it turns out that they put us in different courses. Anyway, I started studying almost a month ago and I have already made a group of friends with whom I have met a couple of times to study.

The main subjects I have this semester are: Business Organization and Management, Information Systems, and Databases for Administration. I also have English and Programming Language.

The profile of a Computer Systems Engineer is to have the ability to perform in a highly competitive, multicultural, cross-functional and globalized environment, with the competence to find solutions to real problems through the modeling of virtual environments, applying their knowledge in the areas of Hardware, Software, Systems Analysis and Software Engineering, Telecommunications, and Context and Organization.

Changing the subject: before my schedule gets complicated with university and work, I made two cracks for two programs, one for SQLYog Enterprise Edition and the other for Acunetix Web Vulnerability Scanner Consultant Edition. I have been using the latter frequently for my Web Application Penetration Testing, together with W3AF.


Last Tuesday (03-03-09) I finished the University Systems Analyst degree at the General San Martín Polytechnic. I presented the last two projects I still owed, which I had been working on since last year.

For now I have no plans to pursue any university degree this year, but maybe next year I'll start Systems Engineering; everything depends on what happens this year.

Today I am focusing a lot on computer security, I will continue to professionalize and learn.

Well, I did not write.

Picking up the previous post on the MS08-067 vulnerability: at the time I made a video, rather poor and without any editing, on how to exploit the vulnerability with Metasploit.

You can see the mail that I sent:


I also wrote a bash script for Linux that scanned an IP range of a country, for example all of Argentina, and when it found ports 139 and 445 open with nmap, it used Metasploit to launch the ms08-067 exploit, with a reverse-connection trojan as the exploit's payload.

I had fun with this "toy" for a couple of weeks, until I got bored and left all the machines in oblivion to continue with other things that were more important at that time.

I decided not to publish the script as soon as I wrote it because so little time had passed since the patch came out and there were still a lot of unpatched machines.

I shared it only with a couple of friends, in private.

Now for those who want it here I leave:
ms08-067-scanner.tar.gz (write me if you want it @ ulises2k)


On October 23, Microsoft published a security patch (MS08-067), having announced it one day before, outside its usual cycle (second Tuesday of each month), for a flaw in the RPC protocol that allows remote code execution on the user's machine without any interaction or authentication by the user. For 3 weeks before the patch was published, the vulnerability was being exploited by a Trojan and/or worm (it is still not very clear which) called Win32/Gimmiv.A.
Soon afterwards the people at Immunity released an exploit for Windows 2000, available only to those who have an account, and a public PoC.
I was playing with this PoC on Friday, trying to compile it, and I managed to compile it, but on Sunday I found out that there was a public exploit for the Chinese version of Windows XP, made by EMM of the group ph4nt0m.org, so the PoC was no longer of use to me.

Alexander Sotirov, who incidentally gave a talk about XSS at the ekoparty, decompiled the Windows patch (MS08-067) and published the source code of the vulnerable function for Windows XP SP3, and in the past few days he modified it with the changes of the patch for Windows Vista SP1.

This is a good example to practice, in a simple way, how to exploit the vulnerability without debugging the "services.exe" process in Windows 2000 or one of the "svchost.exe" processes in Windows XP. To debug it in Windows 2000, open OllyDbg and attach to the process (File / Attach), run it with F9 and execute the exploit in a console. OllyDbg will pause, and from there you have to start debugging.
The EMM exploit, as I said before, is for the Chinese version of Windows XP; it has the memory addresses hard-coded and it is not known what instruction they point to.

This exploit has as its shellcode a bind shell on port 4444, but somewhat modified to be built in Metasploit, so if the shellcode is injected successfully it gives a shell on port 4444, which is reached with an "nc ip 4444" or a telnet.

This exploit motivates me to learn to use IDA Pro together with the Hex-Rays plugin, which converts the assembly code to C, which sometimes makes the code easier to understand.

One tool that I also used a little more deeply was Immunity Debugger, created for use in these cases.
At the time of writing these lines I find out that HD Moore says on Twitter that he published a PoC for Windows XP SP3; let's "play" with this tomorrow to see what comes out.

Some malware has already exploited this vulnerability to run code on the affected machine.
This plugin by HD Moore, for use in Metasploit, is the best available so far.

If someone has any news about new exploits and/or PoCs, leave a comment or send me an email.


Ekoparty Security Conference 2008


Ekoparty has come and gone, and the truth is that it was better than last year.

The organizers have improved it a lot: first in the place they chose, the Borges Cultural Center in the Pacific gallery, then with talks that were of the same level as other conferences; and something that I personally liked a lot was the PacketWars. The adrenaline that ran while playing is indescribable; those who played it felt the same.

We arrived early with Sebastian and got our accreditation with practically no delays.

At the table, I already saw familiar faces.

Alexa was the first one I recognized, although I had never seen her in person, only in photos; I knew her website and her link with Wikimedia Argentina. Then I saw Francisco Amato, "famous" for his "EvilGrade", which he had presented at last year's ekoparty and then, with Dan Kaminsky's vulnerability, he became more "famous" ;).

Veronica was the "heavy" girl with her tattoos who was the only woman in the organization of the ekoparty last year, but this year there were going to be more girls, Alexa and Burbuja (Lorena Giraldo). Burbuja is a Colombian girl who has lived here in Argentina for a long time and works at Metrovias in Buenos Aires; she came to the ekoparty last year, and now she was part of its organization.

Then we found dear Andrés Riancho, the creator of w3af, whom I met at last year's ekoparty and with whom I have been in contact since then. I have contributed to the project, from bug reports to the installer for Windows, and Openware has contributed to the development of the GUI, as well as looking for a place for it to be present, for example at the Free Software Days, and in other ways, and by being a sponsor together with Cybsec.

Then, even though the first talk had not yet started, I saw a familiar face, and even though there was only one photo of him on the Internet I recognized him: Ricardo Narvaja, the creator and, together with RedH@wK, moderator of the CracksLatinos list, and next to him Solid and +NCR/CRC, another two big "cracks" ;)

And as the minutes passed before the first talk, I was seeing more and more familiar faces.
The nice thing was that many also remembered me, and that surprised me since I did not think they would.
Then, by pure chance, I found at @ ky, one of the guys who won the ticket by answering some questions from Next, the Clarín supplement.
In the course of the event I met Vampii, the winner of the phrase of the ekoparty, "Vi root and between".

Dave Aitel opened the event, talking about security and IDS.

Then came the talk by Victor Muñoz on "Console Hacking", which for me was one of the ones I liked most since it was out of the ordinary. It explained the security of the Xbox 360, Wii and PS2 consoles: the whole chain of trust that is built into the devices inside these consoles so that games cannot be pirated, cheats cannot be used, saved screens cannot be modified, and the consoles can be used exclusively for games. For example, the protection of the Wii has 7 levels of protection from the ROM until reaching the disk; the BOOT1 level was broken because of a problem in the memory comparison, which instead of doing a memcmp was actually doing a string comparison (menstr), so that by putting a NULL value (0x00) as the first value, all the other protections became useless and the disk could be reached. He made a program called "Trucha Signer".
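The comparison flaw described above, as an added example that is not code from the talk or from any console: a binary digest check written with a string comparison next to full-length and constant-time versions. It assumes `strncmp` as the string comparison and a 20-byte digest; all digest values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20 /* assumed digest size; every value below is constructed */

/* Flawed check: binary digests handled as C strings, so the comparison
 * ends at the first 0x00 byte and the remaining bytes are never examined. */
int digest_equal_str(const uint8_t *expected, const uint8_t *computed)
{
    return strncmp((const char *)expected, (const char *)computed,
                   DIGEST_LEN) == 0;
}

/* Correct check: every one of the DIGEST_LEN bytes is compared. */
int digest_equal_mem(const uint8_t *expected, const uint8_t *computed)
{
    return memcmp(expected, computed, DIGEST_LEN) == 0;
}

/* Hardened check: full length and no early exit, so timing does not
 * reveal the position of the first mismatching byte. */
int digest_equal_ct(const uint8_t *expected, const uint8_t *computed)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= (uint8_t)(expected[i] ^ computed[i]);
    return diff == 0;
}

/* Bytes the string comparison can verify at most for this digest:
 * everything up to and including the first 0x00, nothing after it. */
size_t bytes_verified_by_str(const uint8_t *expected)
{
    for (size_t i = 0; i < DIGEST_LEN; i++)
        if (expected[i] == 0x00)
            return i + 1;
    return DIGEST_LEN;
}

/* Constructed sample digests (not taken from any real image). */
const uint8_t REFERENCE[DIGEST_LEN] = {
    0x00, 0x9f, 0x3c, 0x51, 0x7a, 0xe2, 0x08, 0x44, 0xb6, 0x1d,
    0x73, 0xc9, 0x2e, 0x85, 0xfa, 0x60, 0x17, 0xab, 0x4d, 0xd3 };
const uint8_t TAMPERED[DIGEST_LEN] = {   /* same first byte, rest differs */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10, 0x20, 0x30, 0x40 };
const uint8_t MID_NUL_A[DIGEST_LEN] = { 0xde, 0xad, 0x00, 0x01 };
const uint8_t MID_NUL_B[DIGEST_LEN] = { 0xde, 0xad, 0x00, 0xff };
const uint8_t FIRST_DIFF[DIGEST_LEN] = { 0x01 }; /* differs before any 0x00 */

static void report(const char *name, const uint8_t *a, const uint8_t *b)
{
    printf("%-22s strncmp=%d memcmp=%d const-time=%d verified=%zu/%d bytes\n",
           name, digest_equal_str(a, b), digest_equal_mem(a, b),
           digest_equal_ct(a, b), bytes_verified_by_str(a), DIGEST_LEN);
}

int main(void)
{
    report("identical", REFERENCE, REFERENCE);
    report("0x00 in first byte", REFERENCE, TAMPERED);
    report("0x00 in third byte", MID_NUL_A, MID_NUL_B);
    report("mismatch before 0x00", REFERENCE, FIRST_DIFF);
    return 0;
}
```

The two middle rows are accepted only by the string comparison: with a 0x00 in the first position it verifies a single byte of the digest, which is why a fixed-length `memcmp` or constant-time comparison is required for binary values.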

Then came Mariano Nuñez Di Croce with his talk "SAP Penetration Testing & Defense In-Depth" and the explanation of the (in)security of SAP and the Sapyto Framework, which I already knew about from last year, but this year it was improved and had a new logo ;)

After lunch came Pablo Solé with the talk "Adobe JavaScript in the open", showing how to go about debugging with Immunity Debugger, explaining something about how to fuzz with SPIKE, and at the end giving a demo of code execution through a .PDF in Internet Explorer 7, obtaining a shell without hanging IE 7.

Nicolas Economou gave the talk "Code Injection On Virtual Machines", which was also one of the most interesting because it is something I usually work with. He explained how, from a Windows HOST, the GUEST can be accessed, its memory read and written, and code executed without anything stopping or ceasing to work. He demonstrated remote code execution within the GUEST.

Domingo Montanaro gave the talk "In-Depth Anti-Forensics - Challenges of Steganography on Discovery Hidden Data", which was similar to last year's although he skipped some parts that he had covered last year. This year, luckily, nothing happened to his notebook, and I think there were no problems of that kind at this ekoparty. +1 for that. There were a couple of "patovicas" (bouncers) keeping watch and doing security at the eko.

After this came the PacketWars, which I played and which, as I said at the beginning, was one of the best things about the ekoparty. The game consisted of only one thing: hacking the largest number of machines. There were three networks: two of them held the servers to attack and the other network held the players. Anything went, everyone against everyone. A presentation video was shown, the game was explained, and the attack began. Music at full volume, ideal for that moment, everyone scanning IP ranges, discovering what servers there were, which ports were open and which services were running, pulling out all kinds of tools and exploits, while we were told how much time we had left. Adrenaline ran through our veins, with many spectators watching what we were doing. I was able to get into an ftp. The one who took the prize from the jig that he wanted all the ekoparty was Andres from Peru, who completely owned a couple of servers. Could it be because Andres came to the Ekoparty trainings?

The second day began with Sebastián García's talk "Tell me how you attack and I'll tell you who you are", in which he presented an investigation with honeypots carried out over about three years, looking at the behavior of those who attacked the honeypots and drawing relationships between the attackers: how close they were to each other, what countries they were from, whether they belonged to some team, etc. They had an average of one server session per day, in total 280 sessions (user/password) in three years; the curious thing they discovered is that for almost a year they have not received any more. They saw that the attacks decreased and that nowadays the attacks are aimed more at websites. It was also one of the best talks because of the way Sebastián explained it.

Nelson Murilo and Luis Eduardo gave the talk "Beholder: New tool for WIFI monitoring", in which they presented the first open source WIDS, Beholder. They gave a demo of their tool. They also talked about Karma, a security testing tool for wireless clients.

Hugo Scolnik gave the talk "Attacking RSA through a new method of integer factorization", on which he has been working for more than 3 months. It was a purely mathematical talk. He started by explaining the RSA algorithm and then described the discovery he was making to reduce the number of possibilities for reaching the result. He is currently using a filter technique to reduce the possibilities for reaching the result. A few months ago he had thousands of possibilities for getting to the result, and today, with this filter technique, he has five. The maximum target is 1440.

After lunch came Maximiliano Bertacchini and Luciano Bello with the talk "Debian's OpenSSL random Number generator Bug", in which they explained the well-known bug in Debian. Personally I had researched the bug a lot, since I gave a class at i-sec about it. Luciano made the talk quite funny and understandable. He also gave a demo of the vulnerability, attacking a trust relationship against a server with all the private keys generated beforehand. He explained the number of SSL certificates that were still vulnerable. He also explained how Debian is working to improve in this aspect and in others.

Nicolas Economou and Alfredo Ortega gave the talk "Smartphones (in) security", in which they created a bug on purpose on the iPhone and on Android phones to explain what their security was like and how similar they were to each other. Nicolas created his own debugger for the iPhone and Alfredo used gdb. They gave a demo with the iPhone showing how it could remotely be made to place a phone call; in this case Luciano offered his phone number, and on running the exploit it called him on his cell phone.
Alexander Sotirov gave the talk "Blackbox Reversing of XSS Filters", in which he explained the XSS filters that can be used. In addition, Alexander is the creator of the pwnies awards.

After the talks, the prizes were awarded to those who won the PacketWars, and then came the wardriving through the city of Buenos Aires along with Juan Pablo who, with his antenna and GPS, assembled the access point map of Buenos Aires. Almost all of us had our notebooks and kismet, looking for APs with friendly names, while Luciano became a tour guide for those who did not know Buenos Aires.

The ekoparty party this year ended at a bowling venue on the Costanera, with several speakers and also people who attended the conference. We were all much more relaxed and could chat about different topics.
Conclusion: it is a unique event in Argentina, in which the technical level of the talks on security is what prevails, and personal relationships as well. Thanks to Openware for giving me the possibility to go; I hope some year to be giving a talk.

Congratulations to all the organizers of the ekoparty.

Photos of the event and comments can be viewed at: http://picasaweb.google.es/ulises2k/Ekoparty2008#


W3af beta 7


w3af beta7, for both Windows and Linux.

I made the installer for Windows in the previous version, and the changes made since that version are the following:

- Association of w3af scripts (example.w3af) to the console (w3af_console.bat) to automatically execute the script in the console.

- Association of the profiles (.pw3af) to the GUI (w3af_gui.bat). This was solved in the rev 1777. Use w3af_update.bat to update it.

- New icons for w3af scripts (w3af_script_icon.ico)

- In the installation options we added a new sub-group within "w3af prerequisities" called "Scapy-Win requirements", which contains only the programs needed by scapy for Windows.

- The w3af directory was added to the %PATH% environment variable.

- The shortcuts "w3af Console.lnk" and "w3af GUI.lnk" point to w3af_console.bat and w3af_gui.bat respectively.

- w3af_console.bat and w3af_gui.bat now accept parameters.

- Fixed an error. In the minimum installation were missing two libraries that were inside the svn-client. (libeay32.dll, ssleay32.dll)

- Internationalization added. The installer supports two languages, English and Spanish. More contributions are welcome.

The installer is made in NSIS, and you can see the source code in the svn repository of w3af.

The changes in w3af beta 7 with respect to beta 6 that I remember are the following:

- Added a Wizard to build the profile and launch plugins.

- Internationalization added. Little by little, and with users' collaboration, everything is being translated into Spanish, Russian, and other languages.

- The documentation was updated, and from revision 1823 the F1 key is accepted in each window to get help.

- Added a profile called "OWASP_TOP 10" of the TOP 10 most common vulnerabilities.

- In the "Results" -> "URLs" tab, the URLs being found are drawn as a tree.

- A Fuzzer was added for the request.

- New "Encode / Decode" was added.

- The "Manual Request" is expanded and strengthened.

- Stability!

- and many other things that I do not remember

enjoy it.

Early this morning I will be traveling to Buenos Aires for the Ekoparty Security Conference with Sebastian Bortnik, a work colleague.

Then I will tell how the "eko" was.


What is the ekoparty?

It is an annual conference on information security, unique in its kind in South America. It is held in the city of Buenos Aires, where different specialists from all over Latin America and from other countries have the opportunity to get involved with state-of-the-art techniques, vulnerabilities and tools in a relaxed environment of knowledge exchange.

This event was born from the IT underground, where consultants, security officers, researchers, programmers, technicians, system administrators, nerds and technology enthusiasts gather and enjoy two days of the most important security discoveries of the year, in addition to enjoying the best climate on the continent.

What are the differences between the ekoparty and other computer security conferences in Argentina?

- First-hand techniques presented in Spanish and English

- No commercial presentations by vendors or manufacturers.

- Training days with the most important security professionals.

- Specialized technical audience

- International relevance

- Relaxed atmosphere

- Promotion of social network

- Relax Zone

- Times for GetTogether

- Closing party

- Parallel events to have fun and learn from the experience during the event.

- Wardriving in Buenos Aires

- Lockpicking Challenge

- Packetwars wargame

Talks that will be given:
- Dave Aitel - Keynote: Hacking Has An Economy of Scale

- Luciano Bello - Maximiliano Bertacchini - Debian's OpenSSL random number generator Bug

- Mariano Nuñez Di Croce - SAP Penetration Testing & Defense In-Depth

- Nicolas Economou - Code Injection On Virtual Machines

- Nicolas Economou - Alfredo Ortega - Smartphones (in) security

- Domingo Montanaro - In-depth Anti-Forensics - Challenges of Steganography on Discovering Hidden Data

- Victor Muñoz - Console Hacking

- Nelson Murilo - Luiz 'effffn' Eduardo - Beholder: New tool to monitor wifi

- Simon Rich - Daniel Mende - To be confirmed

- Hugo Scolnik - Attacking RSA through a new integer factorization method

- Pablo Solé - Adobe javascript in the open

- Alexander Sotirov - Blackbox Reversing of XSS Filters

- Julien Vanegue - A specific domain for static binary analysis

October 2 and 3


Borges Cultural Center in Buenos Aires, Argentina.

More info:


I have made a document that explains in a practical way the exploitation of the vulnerability in OpenSSL discovered by Luciano Bello that affects all Debian-based operating systems, including Ubuntu (DSA-1571-1) and (CVE-2008-0166).

It is built around a laboratory, since I gave it as a class, and is based on VMware virtual machines.

It explains the two main forms of exploitation of the vulnerability: decrypting an SSH v2 communication to obtain the user/password, and obtaining a shell by brute force.
