Blog « Bulb Security : Training, Assessments and Research

Finding Bad Characters with Immunity Debugger and Mona.py

In my book chapters about exploit development, I note that finding bad characters is outside of the scope of the chapters and just give the readers the bad characters list. With only four exploit development chapters in the book, there is just so much I can cover. My editors asked me to provide a…


Superbowl 4 Hackers Announcement

This capture the flag game and accompanying class is designed with security beginners and those who are new to CTFs in mind. The vulnerabilities will range from blank passwords to custom buffer overflow vulnerabilities. Choose the instructor of your choice and work with the rest of the students to defend servers built by the other…


Backdooring APKs Programmatically

One of the features of SPF is being able to take a compiled Android APK and refactor it to include the SPF Agent. Details of how to do this in SPF are in the SPF User manual Backdooring APKs section. The resulting app looks and feels like the original app, but with some…


Pivoting a Shell through Android with SMS

I’ve been messing with SMS for hidden out of bounds communication since 2011. My earlier work involved a backdoored device driver:

Demo Video: Background SMS Demo

Whitepaper: Transparent Botnet Command and Control for Smartphones over SMS

PoC Code: botPoCrelease-android.c

Slides: Shmoocon 2011 Slides

Working at the application layer in Android…


Using Infected Mobile Devices to Attack Nearby Devices

This post assumes basic knowledge of using the Smartphone Pentest Framework (SPF). Where specific knowledge is required, the relevant part of the User Manual is referenced.

SPF can be downloaded here: GitHub

The SPF User Guide is here: User Guide

Videos about SPF are here: SPF Videos

In 2013 I started taking…