Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 01/18/19 in all areas

  1. yoyois
    Cei care lucreaza in R&D in tehnologie poate au mai vazut graful asta. Pe scurt poti vedea diferenta dintre opinia publicului si timpul in care o tehnologie devine matura/productiva (aka da niste rezultate). PS: Blockchain, Quantum, Fusion, AI sunt toate la varful hype-ului si minimul productivitatii...
    2 points
  2. louis3341
    1 point
  3. Nytro
    Creating your own Wallhack niemand Posted on January 13, 2019 Wallhack In the previous posts we have done most of the heavy work, but what comes now is really simple compared with the rest. We have created a basic template for hooking DirectX11 and inject our own interface, then we created a Model Logger to allows us to highlight and identify the most important Models we wanted to modify, but something is missing, right? What can we do once we have the correct model highlighted? One of those things is a Wallhack of course! If you are here you know what a Wallhack is, this kind of game tweaking has been always known. In this post, we are going to see how to use our template to enable Wallhacking on the selected models, or what it is the same, disable Z-Buffering on DirectX. Revealing enemies behind another objects. How Z-Buffering works? Z-Buffering or Depth-Stencil (as is known in version 11), is a property that stored depth information used by DirectX when it is rendering a scene. It determines how deep each pixel is in the scene. By doing this, DirectX knows exactly which pixels to render from each model based on the value of this attribute. If we imagine this as two dimensions array, it will select for each pixel in X and Y the value based on Z-Buffering value. In other words, the object/model that its closer to the point of view. http://www.racketboy.com/retro/about-video-games-rasterization-and-z-buffer The main idea here will be to disable Z-Buffering for the models we want to reveal behind the rest of the models (walls, floors, etc). DirectX 9 vs DirectX 11 In both versions, this is actually quite easy, however, I want to remark the differences. For version 9, disabling is as simple as calling the method IDirect3DDevice9::SetRenderState, which receives two parameters: the device state variable that will be modified, and the new value. pDevice->SetRenderState(D3DRS_ZENABLE, false); In this case, the variable we need to modify is D3DRS_ZENABLE, and the new value is false. It’s just as simple as that. Something important that we have to remember for both versions is that we need to enable this again after calling the original DrawIndexedPrimitive, enabling Z-Buffering for all the rest of the models. For version 11, two different methods are required: ID3D11Device::CreateDepthStencilStateand ID3D11DeviceContext::OMSetDepthStencilState. The first one will be used to create an ID3D11DepthStencilState that will disable Z-Buffering and then be sent as a parameter to the second method when the model we want to reveal is being rendered, that means inside DrawIndexed. More info here. Let’s jump to the code! Oh wait, before that, I will like to resume the steps we need to implement our wallhack. Create a new DepthStencilState disabling Z-Buffering Check if we are rendering the target model. Disable Z-Buffering Render the Model Enable Z-Buffering again Create a new DepthStencilState disabling Z-Buffering How to create a new DepthStencilState is detailed in Microsoft documentation: Configuring Depth-Stencil Functionality. But remember that we will need to disable the Z-Buffering, so our version will be like this: ID3D11DepthStencilState *m_DepthStencilState; // Disabling Z-Buffering D3D11_DEPTH_STENCIL_DESC depthStencilDesc; depthStencilDesc.DepthEnable = TRUE; depthStencilDesc.DepthWriteMask = D3D11_DEPTH_WRITE_MASK_ALL; depthStencilDesc.DepthFunc = D3D11_COMPARISON_ALWAYS; depthStencilDesc.StencilEnable = FALSE; depthStencilDesc.StencilReadMask = 0xFF; depthStencilDesc.StencilWriteMask = 0xFF; // Stencil operations if pixel is front-facing depthStencilDesc.FrontFace.StencilFailOp = D3D11_STENCIL_OP_KEEP; depthStencilDesc.FrontFace.StencilDepthFailOp = D3D11_STENCIL_OP_INCR; depthStencilDesc.FrontFace.StencilPassOp = D3D11_STENCIL_OP_KEEP; depthStencilDesc.FrontFace.StencilFunc = D3D11_COMPARISON_ALWAYS; // Stencil operations if pixel is back-facing depthStencilDesc.BackFace.StencilFailOp = D3D11_STENCIL_OP_KEEP; depthStencilDesc.BackFace.StencilDepthFailOp = D3D11_STENCIL_OP_DECR; depthStencilDesc.BackFace.StencilPassOp = D3D11_STENCIL_OP_KEEP; depthStencilDesc.BackFace.StencilFunc = D3D11_COMPARISON_ALWAYS; Now its time to call CreateDepthStencilState. We will pass as parameter the D3D11_DEPTH_STENCIL_DESC we just created and a pointer to our new ID3D11DepthStencilState. pDevice->CreateDepthStencilState(&depthStencilDesc, &m_DepthStencilState); Now we are ready to move to the next step. Check if we are rendering the target model In our previous version of the template, we have been doing something similar to what we need here, but it will be better if we do some improvements. Until now we were checking the model we were currently rendering inside our hooked DrawIndexed method, but this was when we had a list of Models and we wanted to identify our target. What could we do now? Well, if we did our homework, we should have by now the Model Properties of our target and it’s time to use them. Let’s create a new std::unordered_set to store all the properties belonging to the Models we want to reveal and store there our collected values: std::unordered_set<propertiesModel> wallhackParams; void setupWallhack() { propertiesModel wallhackParamsItem; wallhackParamsItem.stride = 8; wallhackParamsItem.vedesc_ByteWidth = 16552; wallhackParamsItem.indesc_ByteWidth = 10164; wallhackParamsItem.pscdesc_ByteWidth = 832; wallhackParams.insert(wallhackParamsItem); } Those values, belong to the models of the enemies in mid/large range for Vermintide 2, and I found them by logging the Models with our template. In many games you will see that enemies may be split in multiple models, not only for the parts of the body/clothes but also this models could change depending on the distance between you and the object. By selecting the model used for rendering my enemy in a mid/large range, allows me to see them normally when they are close but highlighted when they aren’t next to me. Now we will modify our validations to see if we are rendering not only our current item from the Model List, but also one of the targeted models: if ((paramsModel == currentParams || wallhackParams.find(paramsModel) != wallhackParams.end() )&& bShader) { // SNIPPED if (bWallhack) { // DISABLE Z-Buffering } } else if ( (paramsModel == currentParams || wallhackParams.find(paramsModel) != wallhackParams.end()) && bTexture) { // SNIPPED if (bWallhack) { // DISABLE Z-Buffering } } If wallhackParams.find does not contain paramsModel it will be equal to .end element as the documentation says: std::set::find Disable Z-Buffering It’s so simple as the following line: pContext->OMSetDepthStencilState(m_DepthStencilState, 0); We are calling OMSetDepthStencilState with the DepthStencilState pointer we created before. Render the Model Then we have to call to the original the original DrawIndexed: fnID3D11DrawIndexed(pContext, IndexCount, StartIndexLocation, BaseVertexLocation); Enable Z-Buffering again What would happen if we do not enable Z-Buffering again? We are reveling multiple objects of the game since non of them have Z-Buffering enabled That’s why we will need to store the original DepthStencilState we had before disabling it: UINT stencilValue = 0; pContext->OMGetDepthStencilState(&m_origDepthStencilState, &stencilValue); And finally, after calling DrawIndexed, we set this value again: pContext->OMSetDepthStencilState(m_origDepthStencilState, stencilValue); Result Once we have everything working we will see something like this: Next Steps? DirectX is extremely powerful and we have seen just a few examples of what we can do. In the following posts we will continue discovering all the different kind of things we can achieve and the best way to approach them. Sursa: https://niemand.com.ar/2019/01/13/creating-your-own-wallhack/
    1 point
  4. ARUBA
    Code practice and mentorship for everyone. https://exercism.io/ Improve your skills by training with others on real code challenges. https://www.codewars.com LeetCode is the best platform to help you enhance your skills, expand your knowledge and prepare for technical interviews. https://leetcode.com/ Solutions to LeetCode problems (Python 3) https://github.com/delirious-lettuce/LeetCode Project Euler is a series of challenging mathematical/computer programming problems that will require more than just mathematical insights to solve. https://projecteuler.net/ Learn Ruby: https://rubymonk.com/ 57 challenges to develop your coding skills by Brian P. Hogan: https://mega.nz/#!IPR3GRSD!zX538mN_vrN1xAlTfWvjJjEbEYOE-FzU-i8g-aIpQ1M
    1 point
  5. xzsdyx
    + https://www.hackerrank.com/ https://www.hackerearth.com/
    1 point
  6. Nytro
    Exploit Development Table of Contents General Stuff/Techniques General Stuff I can't figure where else to put Acquiring Old/Vulnerable Software Practice Exploit Dev/Structured Learning Exploit Dev Papers bof ROP BlindROP SignalROP JumpROP Heap Format String Integer Overflows Null Ptr Dereference JIT-Spray ASLR Kernel Exploitation Use After Free Other writing shellcode Windows Specific Linux specific Tutorials AV Bypass Methods Bypassing Exploit Protections/Mitigations DEP/SEHop/ASLR CFG/EMET DeviceGuard Obfuscation ARM Specific things Linux Specific Windows Specific Bypass SEH/SE-HOP; Windows Heap Exploitation Anti Fuzzing Assembly Anti Debugging General Tools General Hunting/Making Exploits Shellcode Decompilers/Disassemblers Debuggers General Linux Windows General Papers Miscellaneous Exploit Writeups Talks blogposts Papers Attacking AV Finding Vulnerabilities GPU Exploit/Research Building a lab to Practice Exploit Development To Do Sort tools better, like enviromental tools vs use-specific tools Corelan, swift, primal Exploit Series Add more sites to Acquiring Old/Vulnerable Software More sites to structured learning Add ARM stuff Sort: ADI vs ROP BISC: Borrowed Instructions Synthetic Computation BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation course. Offset-DB This website provide you a list of useful offset that you can use for your exploit. Fun with info leaks Epson Vulnerability: EasyMP Projector Takeover (CVE-2017-12860 / CVE-2017-12861) Code Execution (CVE-2018-5189) Walkthrough On JUNGO Windriver 12.5.1 Android Security Ecosystem Investments Pay Dividends for Pixel Funky File Formats - Advanced Binary Exploitation Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System - Slides Counterfeit Object-oriented Programming Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15 MSRC-Security-Research Github Differential Slicing: Identifying Causal Execution Differences for Security Applications Modern Binary Attacks and Defences in the Windows Environment: Fighting Against Microsoft EMET in Seven Rounds sandbox-attacksurface-analysis-tools This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated. SCANSPLOIT Exploit using barcodes, QRcodes, earn13, datamatrix Automating VMware RPC Request Sniffing - Abdul-Aziz Hariri - ZDI In this blog, I will discuss how I was able to write a PyKD script to sniff RPC requests that helped me tremendously while writing VMware RPC exploits. kernelpop kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on OSX and Linux Vulnserver - my KSTET exploit (delivering the final stage shellcode through the active server socket) - ewilded.blogspot IOHIDeous A macOS kernel exploit based on an IOHIDFamily 0day. Writeup https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow End Sort General General 101 Articles/Papers/Talks/Writeups Educational/Informative A brief history of Exploitation - Devin Cook Mechanization of Exploits REMath Exploit Mitigation Killchain Exploit Tips and Techniques(ReCon2014 William Peteroy) Root Cause Analysis – Memory Corruption Vulnerabilities Unusual Bugs(23C3) In this presentation I'll present a series of unusual security bugs. Things that I've ran into at some point and went "There's gotta be some security consequence here". None of these are really a secret, and most of them are even documented somewhere. But apparently most people don't seem to know about them. What you'll see in this presentation is a list of bugs and then some explanation of how these could be exploited somehow. Some of the things I'll be talking about are (recursive) stack overflow, NULL pointer dereferences, regular expressions and more. From MS08 067 To EternalBlue by Denis Isakov - BSides Manchester2017 RAP: RIP ROP (GRSEC/PaX team) Tools Testing Payloads pop-nedry Why pop calc, when you can pop Nedry!? This repository contains an x86-64 payload that recreates the Jurassic Park scene in which Dennis Nedry locks Ray Arnold out of his terminal. Vivisect Fairly un-documented static analysis / emulation / symbolic analysis framework for PE/Elf/Mach-O/Blob binary formats on various architectures. Dr. Memory Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors such as accesses of uninitialized memory, accesses to unaddressable memory (including outside of allocated heap units and heap underflow and overflow), accesses to freed memory, double frees, memory leaks, and (on Windows) handle leaks, GDI API usage errors, and accesses to un-reserved thread local storage slots. Dr. Memory operates on unmodified application binaries running on Windows, Linux, Mac, or Android on commodity IA-32, AMD64, and ARM hardware. Miscellaneous OneRNG Acquiring Old/Vulnerable Software Acquiring VMs of any Windows going back to XP to Windows 10 OldApps.com Practice Exploit Development / Structured Learning Exploit-Challenges - A collection of vulnerable ARM binaries for practicing exploit development Here are a collection of vulnerable ARM binaries designed for beginner vulnerability researchers & exploit developers to play around with and test their skills! BinTut Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes ROP Emporium Learn return-oriented programming through a series of challenges designed to teach ROP techniques in isolation, with minimal reverse-engineering and bug-hunting. Pwnables.kr Originally from (originally a pastebin link, which had been modified from a persons personal page, i believe it may have been an r2 dev?) If you made this, thank you so much; I've now added onto it and changed it from what it originally was. I've kept the original creator's note as I feel it is highly relevant and aligns with my goal) "My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker. I have tried to order the articles by technique and chronology. - sar" Buffer overflows: How to write buffer overflows, mudge, 1995 Smashing the stack for fun and profit, Aleph One, 1996 Smashing the Stack for Fun and Profit in 2010 The Frame Pointer Overwrite, klog, 1999 win32 buffer overflows, dark spyrit, 1999 Understanding Buffer Overflow Exploits Return-into-lib / Return oriented programming: Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997 More advanced ret-into-lib(c) techniques, Nergal, 2001 On the effectiveness of address-space randomization, , 2004 Introduction to Return Oriented Programming (ROP) - ketansingh.net Gentle introduction to ROP programming Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005 The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007 Defeating DEP, the Immunity Debugger way, Pablo Sole,2008 The Case of Return-Oriented Programming and the AVC Advantage, 2009 Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010 Return-Oriented Programming without Returns Introduction to ROP programming Blind ROP Blind Return Oriented Programming (BROP) The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.). The attack completes within 4,000 requests (within minutes) when tested against a toy proprietary service, and real vulnerabilities in nginx and MySQL. Hacking Blind - BROP paper Blind Return Oriented Programming Blind Return Oriented Programming (BROP) Attack (1) Blind Return Oriented Programming (BROP) Attack (2) Signal ROP Sigreturn Oriented Programming is a real Threat Playing with signals : An overview on Sigreturn Oriented Programming SROP | Signals, you say? Jump Oriented Programming Jump-Oriented Programming: A New Class of Code-Reusegghunte Attacking x86 Windows Binaries by Jump Oriented Programming Heap exploitation: how2heap - shellphish A repository for learning various heap exploitation techniques. w00w00 on heap overflows, Matt Conover, 1999 Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001 Once upon a free(), anonymous author, 2001 Advanced Doug Lea's malloc exploits, jp, 2003 Exploiting the wilderness, Phantasmal Phantasmagoria, 2004 Malloc Maleficarum, Phantasmal Phantasmagoria, 2005 Yet another free() exploitation technique, huku, 2009 Heap Feng Shui in JavaScript heap-exploitation This book on heap exploitation is a guide to understanding the internals of glibc's heap and various attacks possible on the heap structure. Project HeapBleed CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). In the talk titled Project Heapbleed, Patroklos has collected the experience of exploiting allocators in various different target applications and platforms. He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort. Format string exploitation: Exploiting format string vulnerabilities, scut / Team-TESO, 2001 Advances in format string exploitation, gera, 2002 An alternative method in format string exploitation, K-sPecial, 2006 Maximum Overkill Two - From Format String Vulnerability to Remote Code Execution Exploiting Format Strings: Getting the Shell Integer overflows: Big Loop Integer Protection, Oded Horovitz, 2002 Basic Integer Overflows, blexim, 2002 Null-ptr dereference: Large memory management vulnerabilities, Gael Delalleau, 2005 Exploiting the Otherwise Non-exploitable on Windows, skape, 2006 Vector rewrite attack, Barnaby Jack, 2007 Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008 JIT-spray: Pointer inference and JIT-Spraying, Dion Blazakis, 2010 Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010 Too LeJIT to Quit: Extending JIT Spraying to ARM Interpreter Exploitation: Pointer Inference and JIT Spraying Understanding JIT Spray Writing JIT-Spray Shellcode For Fun And Profit ASLR: Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR Aslr Smack and Laugh Reference Advanced Buffer Overflow Methods Smack the Stack Exploiting the random number generator to bypass ASLR Wikipedia on ASLR Bypassing Memory Protections: The Future of Exploitation On the Effectiveness of Address-Space Randomization Exploiting with linux-gate.so.1 Circumventing the VA kernel patch For Fun and Profit Defeating the Matasano C++ Challenge Bypassing PaX ASLR protection Thoughts about ASLR, NX Stack and format string attacks Return-into-libc without Function Calls Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes Fun With Info-Leaks(DEP+ASLR bypass)/ This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it's quite nice what can be done with the bug. Reducing the Effective Entropy of GS Cookies Exploiting Buffer Overflows On Kernels With Aslr Enabled Using Brute Force On The Stack Layer Bypassing The Linux Kernel Aslr And Exploiting A Buffer Overflow Vulnerable Application With Ret2esp This video tutorial illustrates how to exploit an application vulnerable to buffer overflow under a modern 2.6 Linux kernel with ASLR, bypassing stack layer randomization by search a jmp *%esp inside the executable file and forcing our program to jump there. Exploiting A Buffer Overflow Under Linux Kernel 2.6 With Aslr Through Ret2reg Linux kernel versions 2.6.x implement ASLR to faexecution of arbitrary code located in the stack segment of a process. Moreover, kernel versions >= 2.6.18 also made the allocation of ld-linux.so.2 dynamic, and recent compilers also tend to avoid the generation of jmp|call *%esp instructions, so the use of a ret2esp technique to exploit a vulnerable application is becoming harder and harder. A way to turn around the problem is analyzing the registers situations just a while before the vulnerable code is executed: very probably one of them points to the address of the vulnerable buffer. All we have to do is searching inside the executable or a static library a ret2reg instruction, where reg is the register pointing to the vulnerable area, and use that as return address. Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit Kernel Exploitation Attacking the Core : Kernel Exploiting Notes Much ado about NULL: Exploiting a kernel NULL dereference Integer Overflow in FreeBSD Kernel(2002) Post MS06-035 Mailslot DoS Workaround(Kernel Null Ptr Deref) https://lkml.org/lkml/2010/5/27/490 Attacking the XNU Kernel For Fun And Profit: Part 1 This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple's OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion. Addendum: Use-After-Free An Introduction to Use After Free Vulnerabilities Exploit writing tutorial part 11 : Heap Spraying Demystified Part 9: Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack Other: Overwriting the .dtors section, Juan M. Bello Rivas, 2000 Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006 Large memory management vulnerabilities, Gael Delalleau, 2005 Symlinks and Cryogenic Sleep Clutching at straws: When you can shift the stack pointer Exploit Development Tutorials Structured Learning/Courses Modern Windows Exploit Development Bypassing All the Things Handholding through Vuln Discovery and Exploitation Smashing the Browser - From fuzzing to 0day on IE11 Goes from introducing a fuzzer to producing an IE11 0day armpwn "Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team." Tutorials/Follow-alongs From fuzzing to 0-day SQL Injection to MIPS Overflows: Part Deux This paper is a followup to a paper presented at BlackHat USA 2012, entitled SQL Injec0ons to MIPS Overflows: Rooting SOHO Routers." That previous paper described how to combine SQL injection vulnerabilies with MIPS Linux buffer overflows in order to gain root on Netgear SOHO routers. This paper revisits the MiniDLNA UPnP server that ships on nearly all Netgear routers in order to explore what has changed in the past two years. Writing a stack-based overflow exploit in Ruby with the help of vulnserver.exe and Spike 2.9 From 0-day to exploit Buffer overflow in Belkin N750 (CVE-2014-1635) AVM Fritz!Box root RCE: From Patch to Metasploit Module Part 1 Part 2 Link to Lab Writeup for Winx86 ExploitDev Practice Corelan Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube Exploit writing tutorial part 11 : Heap Spraying Demystified QuickZip Stack BOF 0day: a box of chocolates FuzzySecurity Part 9: Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack SwiftSecurity Assembly(x86/x64/ARM) X86 Instruction Reference Awesome Reference for Intel x86/64 This reference is intended to be precise opcode and instruction set reference (including x86-64). Its principal aim is exact definition of instruction parameters and attributes. Nasm x86 reference Intel Pentium Instruction Set Reference (A) Iczelion's Win32 Assembly Homepage cgasm cgasm is a standalone, offline terminal-based tool with no dependencies that gives me x86 assembly documentation. It is pronounced "SeekAzzem". Shellcode ShellCode 101 Articles/Blogposts/Writeups Introduction to Windows Shellcode Development - securitycafe.ro Introduction to Windows shellcode development – Part 1 Introduction to Windows shellcode development – Part 2 Introduction to Windows shellcode development – Part 3 Windows Kernel Shellcode on Windows 10 - improsec.com Windows Kernel Shellcode on Windows 10 – Part 1 Windows Kernel Shellcode on Windows 10 – Part 2 Windows Kernel Shellcode on Windows 10 – Part 3 Windows Kernel Shellcode on Windows 10 – Part 4 - There is No Code Educational/Informative Shellcode Time: Come on Grab Your Friends - wartortell -Derbycon4 Packed shellcode is a common deterrent against reverse engineering. Mainstream software will use it in order to protect intellectual property or prevent software cracking. Malicious binaries and Capture the Flag (CTF) challenges employ packed shellcode to hide their intended functionality. However, creating these binaries is an involved process requiring significant experience with machine language. Due to the complexity of creating packed shellcode, the majority of samples are painstakingly custom-created or encoded with very simple mechanisms, such as a single byte XOR. In order to aid in the creation of packed shellcode and better understand how to reverse engineer it, I created a tool to generate samples of modular packed shellcode. During this talk, I will demonstrate the use of the shellcode creation tool and how to reverse engineer the binaries it creates. I will also demonstrate an automated process for unpacking the binaries that are created. How to Write it Shellcoding for Linux and Windows Tutorial - Steve Hannah Phrack Magazine Extraction Utility writing ia32 alphanumeric shellcode shellcode tutorials Writing Manual Shellcode by Hand Linux Specific Writing my first shellcode - iptables -P INPUT ACCEPT Windows Specific WinAPI for Hackers History and Advances in Windows Shellcode - Phrack 2004 Writing Win32 Shellcode with VisualStudio demonstrating how to write optimized (sort of) Win32 shellcode using Visual Studio’s compiler Techniques Loading and Debugging Windows Kernel Shellcodes with Windbg. Debugging DoublePulsar Shellcode. Shellcode Debugging with OllyDbg Canaries * Playing with canaries Code Trampolines Trampolines in x64 Finding Opcodes: metasploit opcode DB; memdump; pvefindaddr - mona.py Egg Hunters Beta aaKsYS TEAM: EGG HUNTER (Windows) Explanation of egghunters, how they work and a working demonstration on windows. jmp2it This will allow you to transfer EIP control to a specified offset within a file containing shellcode and then pause to support a malware analysis investigation The file will be mapped to memory and maintain a handle, allowing shellcode to egghunt for second stage payload as would have happened in original loader Patches / self modifications are dynamically written to jmp2it-flypaper.out Resolving the Base Pointer of the Linux Program Interpreter with Shellcode Art of Picking Intel Registers Using ARM Inline Assembly and Naked Functions to fool Disassemblers Shellcode without Sockets English Shellcode History indicates that the security community commonly takes a divide-and-conquer approach to battling malware threats: identify the essential and inalienable components of an attack, then develop detection and prevention techniques that directly target one or more of the essential components. This abstraction is evident in much of the literature for buffer overflow attacks including, for instance, stack protection and NOP sled detection. It comes as no surprise then that we approach shellcode detection and prevention in a similar fashion. However, the common belief that components of polymorphic shellcode (e.g., the decoder) cannot reliably be hidden suggests a more implicit and broader assumption that continues to drive contemporary research: namely, that valid and complete representations of shellcode are fundamentally different in structure than benign payloads. While the first tenet of this assumption is philosoph- ically undeniable (i.e., a string of bytes is either shellcode or it is not), truth of the latter claim is less obvious if there exist encoding techniques capable of producing shellcode with features nearly indistinguishable from non-executable content. In this paper, we challenge the assumption that shellcode must conform to superficial and discernible representations. Specifically, we demonstrate a technique for automatically producing English Shellcode, transforming arbitrary shellcode into a representation that is superficially similar to English prose. The shellcode is completely self-contained - i.e., it does not require an external loader and executes as valid IA32 code)—and can typically be generated in under an hour on commodity hardware. Our primary objective in this paper is to promote discussion and stimulate new ideas for thinking ahead about preventive measures for tackling evolutions in code-injection attacks Obfuscation/Hiding X86 Shellcode Obfuscation - Part 1 - breakdev.org Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them) Obfuscating python Code segment encryption General Reference/Resources Shellcodes database for study cases REPLs rappel Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017) WinREPL x86 and x64 assembly "read-eval-print loop" shell for Windows Tools General Sickle Sickle is a shellcode development tool, created to speed up the various steps needed to create functioning shellcode. meterssh MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. Shellcode_Tools Miscellaneous tools written in Python, mostly centered around shellcodes. bin2py: Embed binary files into Python source code. shellcode2exe: Convert shellcodes into executable files for multiple platforms. ShellSploit Framework shellnoob A shellcode writing toolkit rex Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge. Patcherex Shellphish's automated patching engine, originally created for the Cyber Grand Challenge. sRDI Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode ShellcodeStdio An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms. OWASP ZSC OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python. Encoders Obfuscators UniByAv UniByAv is a simple obfuscator that take raw shellcode and generate executable that are Anti-Virus friendly. The obfuscation routine is purely writtend in assembly to remain pretty short and efficient. In a nutshell the application generate a 32 bits xor key and brute force the key at run time then perform the decryption of the actually shellcode. Miscellaneous Bypassing Exploit Protections/Mitigations & Corresponding literature 101 A Brief History of Exploit Techniques and Mitigations on Windows Windows Exploit Protection History/Overview - Compass Security Articles/Blogposts/Writeups ASLR Defeating the Matasano C++ Challenge with ASLR enabled Win10 Toward mitigating arbitrary native code execution in Windows 10 Strengthening the Microsoft Edge Sandbox Mitigating arbitrary native code execution in Microsoft Edge General Exploit Mitigation Killchain Stack Protections Reference Material Stack Smashing Protector DEP/SEHop/ASLR Understanding DEP as a mitigation Technology Preventing the Exploitation of SEH Overwrites This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation. While Microsoft has attempted to address this attack vector through changes to the exception dispatcher and through enhanced compiler support, such as with /SAFESEH and /GS, the majority of benefits they offer are limited to image files that have been compiled to make use of the compiler enhancements. This limitation means that without all image files being compiled with these enhancements, it may still be possible to leverage an SEH overwrite to gain code execution. In particular, many third-party applications are still vulnerable to SEH overwrites even on the latest versions of Windows because they have not been recompiled to incorporate these enhancements. To that point, the technique described in this paper does not rely on any compile time support and instead can be applied at runtime to existing applications without any noticeable performance degradation. This technique is also backward compatible with all versions of Windows NT+, thus making it a viable and proactive solution for legacy installations. Understanding DEP as a mitigation Technology Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP Fun With Info-Leaks(DEP+ASLR bypass)/ This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, its quite nice what can be done with the bug. Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 Bypassing Windows Hardware-enforced DEP This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute code from regions that are typically non-executable when hardware support is present, such as thread stacks and process heaps. While other techniques have been used to accomplish similar feats, such as returning into NtProtectVirtualMemory, this approach requires no direct reprotecting of memory regions, no copying of arbitrary code to other locations, and does not have issues with NULL bytes. The result is a feasible approach that can be used to easily bypass the enhancements offered by hardware-enforced DEP on Windows in a way that requires very minimal modifications to existing exploits. Exploit Writeup on Flash vuln explaining use of ASLR + DEP bypass [DEP/ASLR bypass without ROP/JIT](https://cansecwest.com/slides/2013/DEP-ASLR bypass without ROP-JIT.pdf) Slides, codes and videos of the talk "DEP/ASLR bypass without ROP/JIT" on CanSecWest 2013 Bypassing SEHOP Great Writeup/Example of SEH Bypass SEH Overwrites Simplified v1.01 (SEH Bypass)Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. A Crash Course on the Depths of Win32 Structured Exception Handling Intro to Windows kernel exploitation 1/N: Kernel Debugging Win32 Assembly Components - Last Stage of Delirium Research Group Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP Structured Exception Handling - TechNet Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass DeviceGuard Bypassing Device Guard with .NET Assembly Compilation Methods EMET/Control Flow Guard Exploring Control-Flow-Guard in Windows10 Bypassing EMET's EAF with custom shellcode using kernel pointer Bypassing EMET 4.1 Paper Disarming and Bypassing EMET 5.1 - OffSec Bypassing Microsoft EMET 5.1 . Yet again. Disarming and Bypassing EMET 5.1 Defeating EMET 5.2 Protections - Part 1 Defeating EMET 5.2 Protections - Part 2 Bypassing EMET 5.2 Protection BYPASSING EMET Export Address Table Access Filtering feature Disarming Control Flow Guard Using Advanced Code Reuse Attacks BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - Zhang Yunhai Proposed Windows 10 EAF/EMET "Bypass" for Reflective DLL Injection Kernel PatchGuard/Protection Kernel Patch Protection - Wikipedia An Introduction to Kernel Patch Protection - blogs.msdn KPP Destroyer Bypassing PatchGuard 3 Disable PatchGuard - the easy/lazy way - fyyre GhostHook – Bypassing PatchGuard with Processor Trace Based Hooking UPGSED Universal PatchGuard and Driver Signature Enforcement Disable Tools Miscellaneous Exploit Development ARM Specific Exploit Development 101 Articles/Blogposts/Writeups Educational/Informative A SysCall to ARMs - Brendan Watters - Brendan Watters -Derbycon 2013 Description:ARM processors are growing more and more prevalent in the world; ARM itself claims that more than 20 billion chips have been shipped. Take a moment to appreciate that is about three chips for every man, woman, and child on earth. The three main topics I aim to cover are (1) how to perform a Linux system call on an ARM processor via assembly, ARM pipelining used in most modern ARM processors and how it came about, and (3) the really cool way ARM can avoid branching, even with conditional control flow. These will be explained in both code, English, and (hopefully successful) live demos using an ARM development board. The end result is to get the audience to understand how to create a simple socket program written in ARM assembly. Papers Tools Miscellaneous Linux Specific Exploit Development 101 Articles/Blogposts/Writeups Pool Blade: A new approach for kernel pool exploitation Linux ASLR integer overflow: Reducing stack entropy by four A bug in Linux ASLR implementation for versions prior to 3.19-rc3 has been found. The issue is that the stack for processes is not properly randomized on some 64 bit architectures due to an integer overflow. This is a writeup of the bug and how to fix it. Linux GLibC Stack Canary Values Painless intro to the Linux userland heap Linux Heap Exploitation Intro Series: Used and Abused – Use After Free Linux Heap Exploitation Intro Series: The magicians cape – 1 Byte Overflow Educational/Informative Return into Lib(C) Theory Primer(Security-Tube) 64-bit Linux Return-Oriented Programming - Standford Understanding glibc malloc Kernel Exploit Development Linux Kernel Exploitation Paper Archive - xairy Papers Cheating the ELF - Subversive Dynamic Linking to Libraries Tools rappel Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017) Build a database of libc offsets to simplify exploitation Miscellaneous OS X Specific OS X Kernel-mode Exploitation in a Weekend Apple's Mac OS X operating system is attracting more attention from users and security researchers alike. Despite this increased interest, there is still an apparent lack of detailed vulnerability development information for OS X. This paper will attempt to help bridge this gap by walking through the entire vulnerability development process. This process starts with vulnerability discovery and ultimately finished with a remote code execution. To help illustrate this process, a real vulnerability found in the OS X wireless device driver is used. Windows Specific 101 Articles/Blogposts/Writeups Writing Exploits for Win32 Systems from Scratch Educational/Informative Papers Getting out of Jail: Escaping Internet Explorer Protected Mode With the introduction of Windows Vista, Microsoft has added a new form of mandatory access control to the core operating system. Internally known as "integrity levels", this new addition to the security manager allows security controls to be placed on a per-process basis. This is different from the traditional model of per-user security controls used in all prior versions of Windows NT. In this manner, integrity levels are essentially a bolt-on to the existing Windows NT security architecture. While the idea is theoretically sound, there does exist a great possibility for implementation errors with respect to how integrity levels work in practice. Integrity levels are the core of Internet Explorer Protected Mode, a new "low-rights" mode where Internet Explorer runs without permission to modify most files or registry keys. This places both Internet Explorer and integrity levels as a whole at the forefront of the computer security battle with respect to Windows Vista. PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3 Since the publication of previous bypass or circumvention techniques for Kernel Patch Protection (otherwise known as "PatchGuard"), Microsoft has continued to refine their patch protection system in an attempt to foil known bypass mechanisms. With the release of Windows Server 2008 Beta 3, and later a full-blown distribution of PatchGuard to Windows Vista and Windows Server 2003 via Windows Update, Microsoft has introduced the next generation of PatchGuard to the general public ("PatchGuard 3"). As with previous updates to PatchGuard, version three represents a set of incremental changes that are designed to address perceived weaknesses and known bypass vectors in earlier versions. Additionally, PatchGuard 3 expands the set of kernel variables that are protected from unauthorized modification, eliminating several mechanisms that might be used to circumvent PatchGuard while co-existing (as opposed to disabling) it. This article describes some of the changes that have been made in PatchGuard 3. This article also proposes several new techniques that can be used to circumvent PatchGuard's defenses. Countermeasures for these techniques are also discussed. Subverting PatchGuard Version 2 Windows Vista x64 and recently hotfixed versions of the Windows Server 2003 x64 kernel contain an updated version of Microsoft's kernel-mode patch prevention technology known as PatchGuard. This new version of PatchGuard improves on the previous version in several ways, primarily dealing with attempts to increase the difficulty of bypassing PatchGuard from the perspective of an independent software vendor (ISV) deploying a driver that patches the kernel. The feature-set of PatchGuard version 2 is otherwise quite similar to PatchGuard version 1; the SSDT, IDT/GDT, various MSRs, and several kernel global function pointer variables (as well as kernel code) are guarded against unauthorized modification. This paper proposes several methods that can be used to bypass PatchGuard version 2 completely. Potential solutions to these bypass techniques are also suggested. Additionally, this paper describes a mechanism by which PatchGuard version 2 can be subverted to run custom code in place of PatchGuard's system integrity checking code, all while leaving no traces of any kernel patching or custom kernel drivers loaded in the system after PatchGuard has been subverted. This is particularly interesting from the perspective of using PatchGuard's defenses to hide kernel mode code, a goal that is (in many respects) completely contrary to what PatchGuard is designed to do. Bypassing PatchGuard on Windows x64 The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested. Tools Vulnserver 'I have just released a program named Vulnserver - a Windows based threaded TCP server application that is designed to be exploited.'' Blackbone Windows memory hacking library Code Injection Portable Executable Injection For Beginners DLL Windows DLL-Injection basics Example of a DLL Hijack Exploit - Winamp 5.581 Loading a DLL from memory Windows Heap Exploitation Reliable Windows Heap Exploits Windows 10 HAL’s Heap – Extinction of the "HalpInterruptController" Table Exploitation Technique Another kernel exploitation technique killed in Windows 10 Creators Update WinHeap-Explorer The efficient and transparent proof-of-concept tool for heap-based bugs detection in x86 machine code for Windows applications. Advanced Windows Debugging: Memory Corruption Part II—Heaps Daniel Pravat and Mario Hewardt discuss security vulnerabilities and stability issues that can surface in an application when the heap is used in a nonconventional fashion. Windows Kernel Exploitation Writeups Windows Kernel Exploitation 101 : Exploiting CVE - 2014 - 4113 Intro to Windows kernel exploitation 1/N: Kernel Debugging Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016 Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel PoolSharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393 Abatchy - Windows Kernel Exploitation Series 1: Setting up the environment 2: Payloads 3: Stack Buffer Overflow (Windows 7 x86/x64) 4: Stack Buffer Overflow (SMEP Bypass) 5: Integer Overflow Papers Windows Kernel-mode Payload Fundamentals This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows. A Window into Ring0 - Paper With the rise of sandboxes and locked down user accounts attackers are increasingly resorting to attacking kernel mode code to gain full access to compromised systems. The talk provided an overview of the Windows kernel mode attack surface and how to interact with it. It then went on to cover the tools available for finding bugs in Windows kernel mode code and drivers as well as highlighting some of the lower hanging fruit, common mistakes and the steps being taken (or lack of steps being taken) to mitigate the risks posed. The talk also covered common exploitation techniques to gather information about the state of kernel mode memory and to gain code execution as SYSTEM. Finally the talk walked through exploiting CVE-2016-7255 on modern 64 bit versions of Windows. Talks Securi-Tay 2017 - A Window into Ring0 With the rise of sandboxes and locked down user accounts attackers are increasingly resorting to attacking kernel mode code to gain full access to compromised systems. This talk aims to provide an overview of the Windows kernel mode attack surface and how to interact with it. This talk will demonstrate the tools available for finding bugs in Windows kernel mode code and drivers together with highlighting some of the lower hanging fruit, common mistakes and the steps being taken (or lack of steps being taken) to mitigate the risks posed. The talk will then cover common exploitation techniques to gather information about the state of kernel mode memory and to gain code execution as SYSTEM using examples from publicly known exploits. Tools HackSys Extreme Vulnerable Driver HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level. HackSys Extreme Vulnerable Driver caters wide range of vulnerabilities ranging from simple Buffer Overflows to complex Use After Frees and Pool Overflows. This allows the researchers to explore the exploitation techniques for all the implemented vulnerabilities.z6z [Windows-driver-samples](https://github.com/Microsoft/Windows-driver-samples ) This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples. DriverBuddy DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers. Blog post win_driver_plugin A tool to help when dealing with Windows IOCTL codes or reversing Windows drivers. Write your first driver - docs ms Patch Analysis Microsoft Patch Analysis for Exploitation Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction. Microsoft Patch Analysis for Exploitation Stephen Sims The Wallstreet of Windows Binaries - Marion Marschalek, Joseph Moti Wallstreet - Github Repository Wallstreet of Windows binaries 7, 8, 9 err 10 sorry Microsoft Patch Analysis for Exploitation Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction. Papers ActiveX - Active Exploitation This paper provides a general introduction to the topic of understanding security vulnerabilities that affect ActiveX controls. A brief description of how ActiveX controls are exposed to Internet Explorer is given along with an analysis of three example ActiveX vulnerabilities that have been previously disclosed. Exploiting the Otherwise Non-Exploitable on Windows This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding, to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer. Countermeasures BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks Abstract. Web browsers that support a safe language such as Javascript are becoming a platform of great interest for security attacks. One such attack is a heap-spraying attack: a new kind of attack that combines the notoriously hard to reliably exploit heap-based buffer overflow with the use of an in-browser script- ing language for improved r eliability. A typical heap-s praying attack allocates a high number of objects containing the attacker’s code on the heap, dramatically increasing the probability that the contents of one of these objects is executed. In this paper we present a lightweight approach that makes heap-spraying attacks in Javascript significantly harder. Our prototype, which is implemented in Firefox, has a negligible performance and memory overhead while effectively protecting against heap-spraying attacks. Anti-Debugging/Fuzzing [Intro to Anti-Fuzzing](https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-in-depth-aid/() Anti-Debugging The Ultimate Anti-Debugging Reference(2011) Good reference, though old. Windows Anti-Debug Reference Good, but also old, Nov2010 gargoyle, a memory scanning evasion technique General Tools Check out the 'Reverse Engineering" Section's Tools list for a lot of useful tools that aren't listed here. General Tools binwally Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep) Using Binwally lisa.py An Exploit Dev Swiss Army Knife. Hunting/Making Exploits Tools(DeBrujinn sequence) Pattern-Create/offset as a python function Metasploit pattern generator in Python, modified to be used as a function !exploitable Crash Analyzer !exploitable (pronounced bang exploitable) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post, or watch the video. Findjmp2 Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push in a loaded DLL. This version includes search for pop/pop/ret set of instructions that is useful to bypass Windows XP SP2 and Windows 2003 stack protection mechanism. binjitsu binjitsu is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible. Shellcode Tools rp++ rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn't support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable ; I will upload static-compiled binaries for each OS. Adobe Reader Pwning Adobe Reader with XFA Adobe Reader Escape... or how to steal research and be lame. Broadpwn A cursory analysis of @nitayart's Broadpwn bug (CVE-2017-9417) Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets Crashing phones with Wi-Fi: Exploiting nitayart's Broadpwn bug (CVE-2017-9417) Buffer Overflows x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique The x86-64 CPU platform (i.e. AMD64 or Hammer) introduces new features to protect against exploitation of buffer overflows, the so called No Execute(NX) or Advanced Virus Protection (A VP). This non-executable enforcement of data pages and the ELF64 SystemV ABI render common buffer overflow exploitation techniques useless. This paper describes and analyzes the protection mechanisms in depth. Research and tar get platform was a SUSE Linux 9.3 x86-64 system but the results can be expanded to non-Linux systems as well. search engine tag: SET-krahmer-bccet-2005. Cisco Cisco IOS MIPS GDB remote serial protocol implementation A hacky implementation of GDB RSP to aid exploit development for MIPS based Cisco routers Cisco ASA Episode 3: A Journey In Analysing Heaps by Cedric Halbronn - BSides Manchester2017 Decompilers & Disassemblers List Bokken Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities. Currently Bokken is neither an hexadecimal editor nor a full featured disassembler YET, so it should not be used for deep code analysis or to try to modify files with it. IDA IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. Overview & Tutorials Ida Plugins Ida Sploiter IDA Sploiter is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others. Ida Pomidor IDA Pomidor is a fun and simple plugin for the Hex-Ray's IDA Pro disassembler that will help you retain concentration and productivity during long reversing sessions. FLARE-Ida This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team. Hopper Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables! Reverse Reverse engineering for x86 binaries (elf-format). Generate a more readable code (pseudo-C) with colored syntax. Warning, the project is still in development, use it at your own risks. This tool will try to disassemble one function (by default main). The address of the function, or its symbol, can be passed by argument. fREedom - capstone based disassembler for extracting to binnavi fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi). Setting up fREedom and BinNavi BinNavi BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code. Debuggers General/Platform Neutral The Secret Lives of Debuggers - Lance Buttars - BSides SLC15 Binaries are files like any text file or a bitmap. They can be modified and changed.With some basic understanding of assembly language anyone can take a binary and modify its execution in a debugger and using a hex editor change how it executes. In this presentation I will cover the basics of binary manipulation and the use of debuggers to change program execution. HyperDbg HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables. For example, HyperDbg allows to single step the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful. Paper scdbg scdbg is an open source, multi-platform, shellcode analysis application that runs shellcode through a virtual machine that emulates a 32bit processor, memory, and basic Windows API environment. scdbg uses the libemu library to provide this environment. Builds of scdbg exist for both Windows and Unix users. scdbg Manual xnippet xnippet is a tool that lets you load code snippets or isolated functions (no matter the operating system they came from), pass parameters to it in several formats (signed decimal, string, unsigned hexadecimal...), hook other functions called by the snippet and analyze the result. The tool is written in a way that will let me improve it in a future, defining new calling conventions and output argument pointers. voltron Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you can build a customised debugger user interface to suit your needs. Linux GDB - GNU Debugger * GDB, the GNU Project debugger, allows you to see what is going on 'inside' another program while it executes -- or what another program was doing at the moment it crashed. * GDB 'exploitable' plugin * 'exploitable' is a GDB extension that classifies Linux application bugs by severity. The extension inspects the state of a Linux application that has crashed and outputs a summary of how difficult it might be for an attacker to exploit the underlying software bug to gain control of the system. The extension can be used to prioritize bugs for software developers so that they can address the most severe ones first. The extension implements a GDB command called 'exploitable'. The command uses heuristics to describe the exploitability of the state of the application that is currently being debugged in GDB. The command is designed to be used on Linux platforms and versions of GDB that include the GDB Python API. Note that the command will not operate correctly on core file targets at this time. PEDA PEDA - Python Exploit Development Assistance for GDB radare2 as an alternative to gdb-peda pwndbg - Making debugging suck less A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag. Uses capstone as backend. gdbgui A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust. Simply run gdbgui from the terminal and a new tab will open in your browser. GEF - GDB Enhanced Features GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development. Why not PEDA? Yes!! Why not?! PEDA is a fantastic tool to do the same, but is only to be used for x86-32 or x86-64. On the other hand, GEF supports all the architecture supported by GDB (x86, ARM, MIPS, PowerPC, SPARC, and so on). Docs Windows An Introduction to Debugging the Windows Kernel with WinDbg Getting Started with WinDbg part 1 OllyDbg OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg Tricks for Exploit Development WinDbg Excellent Resource Site Crash Dump Analysis Poster Getting Started with WinDbg (User-Mode) Getting Started with WinDbg (Kernel-Mode) TWindbg PEDA-like debugger UI for WinDbg WinAppDbg The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment. It uses ctypes to wrap many Win32 API calls related to debugging, and provides a powerful abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows. The intended audience are QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready to use tools are shipped and can be used for this purposes. Current features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing. x64dbg An introduction to x64dbg Eternal Blue MS17-010: EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver - blog.trendmicro MS17-010 worawit Exploit Collections/Repository XiphosResearch PoC Exploits Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes. exploit-db.org Proof of concept exploits / tools for Epson vulnerabilities: CVE-2017-12860 and CVE-2017-12861 Exploits for Unitrends version 9.1.1 and earlier ; all by Dwight Hohnstein All AIX exploits written by Hector Monsegur The Exploit Database Git Repository The official Exploit Database repository CVE-2017-10271 Oracle WebLogic WLS-WSAT Remote Code Execution Exploit (CVE-2017-10271) CVE-2018-0802 This repo contains a Proof of Concept exploit for CVE-2018-0802. To get round the limited command length allowed, the exploit uses the Packager OLE object to drop an embedded payload into the %TMP% directory, and then executes the file using a short command via a WinExec call, such as: cmd.exe /c%TMP%\file.exe. Glibc Glibc Glibc Adventures: The Forgotten Chunks Exploiting Glibc GPU Exploits / Research A Study of Overflow Vulnerabilities on GPUs Jellyfish - GPU rootkit PoC by Team Jellyfish Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well. Hypervisor Compromise-as-a-Service: Our PleAZURE. This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included! Java Exploiting Memory Corruption Vulnerabilities in the Java Runtime Jump-Oriented Programming Jumping the Fence Comparison and Improvements for Existing Jump Oriented Programming Tools - John Dunlap - Derbycon7 Keyed Payloads Context-keyed Payload Encoding A common goal of payload encoders is to evade a third-party detection mechanism which is actively observing attack traffic somewhere along the route from an attacker to their target, filtering on commonly used payload instructions. The use of a payload encoder may be easily detected and blocked as well as opening up the opportunity for the payload to be decoded for further analysis. Even so-called keyed encoders utilize easily observable, recoverable, or guessable key values in their encoding algorithm, thus making decoding on-the-fly trivial once the encoding algorithm is identified. It is feasible that an active observer may make use of the inherent functionality of the decoder stub to decode the payload of a suspected exploit in order to inspect the contents of that payload and make a control decision about the network traffic. This paper presents a new method of keying an encoder which is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. An active observer of the attack traffic however should be unable to decode the payload due to lack of the contextual keying information. *alloc/Heap shadow :: De Mysteriis Dom jemalloc shadow is a jemalloc heap exploitation framework. It has been designed to be agnostic of the target application that uses jemalloc as its heap allocator (be it Android's libc, Firefox, FreeBSD's libc, standalone jemalloc, or whatever else). The current version (2.0) has been tested extensively with the following targets: Android 6 and 7 libc (ARM32 and ARM64); Firefox (x86 and x86-64) on Windows and Linux; Overview of Android's jemalloc structures using shadow In this document we explore Android's jemalloc structures using shadow. A simplified view of the heap is presented here. The intention of this document is to get you started with jemalloc structures and shadow's commands. MALLOC DES-MALEFICARUM - blackngel Understanding the Heap - Sploitfun Syscalls used by malloc Understanding glibc malloc Understanding the heap by breaking it Automated vulnerability analysis of zero sized heap allocations Tracking Down Heap Overflows with rr Walking Heap using Pydbg This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++. Linux Heap Exploitation Intro Series – (BONUS) printf might be leaking! Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks! Macros It All Swings Around - Malicious Macros Writeup and explanation of random Macro exploits PDF Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15] ROP ROPs are for the 99% - Yang Yu OptiROP: The art of hunting ROP gadgets Video This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode. Tools ropa ropa is a Ropper-based GUI that streamlines crafting ROP chains. It provides a cleaner interface when using Ropper as compared to the command line. It can provide a smoother workflow for crafting the rop chain in the GUI, then exporting the final chain in the desired format. For those used to using CLI, this tool may serve as a cleaner interface to filter out the relevant gadgets. Ropper You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architectures (x86/X86_64, ARM/ARM64, MIPS/MIPS64, PowerPC). For disassembly ropper uses the awesome Capstone Framework. RowHammer Exploiting the DRAM rowhammer bug to gain kernel privileges "Rowhammer is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory. Program for testing for the DRAM "rowhammer" problem Temporal Return Address Temporal Return Addresses Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit authors generally make use of static addresses that may or may not be portable between various operating system and application revisions. This fact can make exploits unreliable depending on how well researched the static addresses were at the time that the exploit was implemented. In some cases, though, it may be possible to predict and make use of certain addresses in memory that do not have static contents. This document introduces the concept of temporal addresses and describes how they can be used, under certain circumstances, to make exploitation more reliable. Automating Mimicry Attacks Using Static Binary Analysis Intrusion detection systems that monitor sequences of system calls have recently become more sophisticated in defining legitimate application behavior. In particular, additional information, such as the value of the program counter and the configuration of the program's call stack at each system call, has been used to achieve better characterization of program behavior. While there is common agreement that this additional information complicates the task for the attacker, it is less clear to which extent an intruder is constrained. In this paper, we present a novel technique to evade the extended detection features of state-of-the-art intrusion detection systems and reduce the task of the intruder to a traditional mimicry attack. Given a legitimate sequence of system calls, our technique allows the attacker to execute each system call in the correct execution context by obtaining and relinquishing the control of the application's execution flow through manipulation of code pointers. We have developed a static analysis tool for Intel x86 binaries that uses symbolic execution to automatically identify instructions that can be used to redirect control flow and to compute the necessary modifications to the environment of the process. We used our tool to successfully exploit three vulnerable programs and evade detection by existing state-of-the-art system call monitors. In addition, we analyzed three real-world applications to verify the general applicability of our techniques. Anti-Virus Software Gone Wrong Anti-virus software is becoming more and more prevalent on end-user computers today. Many major computer vendors (such as Dell) bundle anti-virus software and other personal security suites in the default configuration of newly-sold computer systems. As a result, it is becoming increasingly important that anti-virus software be well-designed, secure by default, and interoperable with third-party applications. Software that is installed and running by default constitutes a prime target for attack and, as such, it is especially important that said software be designed with security and interoperability in mind. In particular, this article provides examples of issues found in well-known anti-virus products. These issues range from not properly validating input from an untrusted source (especially within the context of a kernel driver) to failing to conform to API contracts when hooking or implementing an intermediary between applications and the underlying APIs upon which they rely. For popular software, or software that is installed by default, errors of this sort can become a serious problem to both system stability and security. Beyond that, it can impact the ability of independent software vendors to deploy functioning software on end-user systems. Sigreturn Oriented Programming is a real Threat Abstract: This paper shows that Sigreturn Oriented Programming (SROP), which consists of using calls to sigreturn to execute arbitrary code, is a pow erful method for the de velopment of exploits. This is demonstrated by developing two different kinds of SROP based exploits, one asterisk exploit which was already portrayed in the paper presenting SROP, and one novel exploit for a recently disclosed bug inthe DNS address resolution of the default GNUC library. Taking advantage of the fact, that these exploits have very few dependencies on the program being exploited, a library is implemented to automate wide parts of SROP exploit creation. This highlights the potential of SROP in respect to reusable and portable exploit code which strongly supports the conclusion of the original paper: SROP is areal threat! Breaking the links: Exploiting the linker nt!_SEP_TOKEN_PRIVILEGES - Single Write EoP Protect - Kyriakos 'kyREcon' Economou TL;DR: Abusing enabled token privileges through a kernel exploit to gain EoP it won't be enough anymore as from NT kernel version 10.0.15063 are 'checked' against the privileges present in the token of the calling process. So you will need two writes UAF Writeups Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player "The vulnerability was first discovered as a zero-day being actively exploited in the wild as part of the Angler Exploit Kit. Although the exploit code was highly obfuscated using the SecureSWF obfuscation tool, malware samples taking advantage of this vulnerability became publicly available, so I decided to dig into the underlying vulnerability in order to exploit it and write the corresponding module for Core Impact Pro and Core Insight." Use-After-Silence: Exploiting a quietly patched UAF in VMware - Abdul-Aziz Hariri UEFI See BIOS/UEFI Page Shellshock Shellshock bug writeup by lcamtuf Windows Exploiting MS14-066 Xen Adventures in Xen Exploitation "This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217)." Writeups that haven't been sorted Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit Coding Malware for Fun and Not for Profit (Because that would be illegal) Exploiting BadIRET vulnerability - CVE-2014-9322, Linux kernel privilege escalation A Technical Analysis of CVE 2014-1776 Diving into A Silverlight Exploit and Shellcode - Analysis and Techniques Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload's URL and contents. Owning Internet Printing - A Case Study in Modern Software Exploitation The Chakra Exploit and the Limitations of Modern Mitigation Techniques EnglishmansDentist Exploit Analysis Dangerous Clipboard: Analysis of the MS15-072 Patch MS16-039 - "Windows 10" 64 bits Integer Overflow exploitation by using GDI objects The Weak Bug - Exploiting a Heap Overflow in VMware MS17-010 CVE-2016-7255 - Git repo Hijacking Arbitrary .NET Application Control Flow This paper describes the use of Reflection in .NET and how it can be utilized to change the control flow of an arbitrary application at runtime. A tool, Gray Storm, will be introduced that can be injected into an AppDomain and used to control the executing assembly instructions after just-in-time compilation. Dissecting Veil-Evasion Powershell Payloads and Converting to a Bind Shell iOS The Userland Exploits of Pangu 8 MIPS EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURE Smashing the Heap with Vector: Advanced Exploitation Technique in Recent Flash Zero-day Attack Exploiting CVE-2014-4113 on Win8.1 Debugging Windows kernel under VMWare using IDA's GDB debugger Hello MS08-067, My Old Friend! The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations Modern Objective-C Exploitation Techniques A New CVE-2015-0057 Exploit Technology PLASMA PULSAR This document describes a generic root exploit against kde. Attacking AntiVirus Kaspersky Hooking Engine Analysis AV_Kernel_Vulns Pocs for Antivirus Software‘s Kernel Vulnerabilities Finding Vulnerabilities Look at fuzzing section. Winmerge WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle. Analyzing Common Binary Parser Mistakes With just about one file format bug being consistently released on a weekly basis over the past six to twelve months, one can only hope developers would look and learn. The reality of it all is unfortunate; no one cares enough. These bugs have been around for some time now, but have only recently gained media attention due to the large number of vulnerabilities being released. Researchers have been finding more elaborate and passive attack vectors for these bugs, some of which can even leverage a remote compromise. Finding and analyzing Crash dumps All the Ways to Capture a Crash Dump Basic Debugging of an Application Crash Collecting User Mode Dumps High Level Searching Searching Github for vulnerable code/credentials Blogpost Code - Automated Tool Cheatsheet Actual Search Page Exploit Development Practice Lab Setup Building a Lab to practice Exploit writing(Windows, x86, OSCE Prep) So, this is a thing I found while doing some googling. If you wrote this, I owe you a lot of beer. I redacted the place/username as it was on a less than happy place. ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| This assumes you have an idea of ASM x86 and general exploitation methods. Idea with this setup, is that you have a VM of XP SP3 running with the following software and tools installed. You look up the exploits on exploit-db and recreate them. Or you lookup the vulnerabilities and fuzz it yourself knowing where to look. Start here: I'm designing exploit lab based on WinXP SP3. As for now I have following vulnerabilities/apps: 1. Simple RET - Ability FTP Server (FTP) 2. Simple RET - FreeFloat FTP (FTP) 3. Simple RET (harder) - CesarFTP (FTP) 4. Simple RET - Easy RM to MP3 Converter (.pls) 5. Simple RET - DL-10 - Need to find copy of 6. SEH - DVDXPlayer 7. SEH - Millenium 8. SEH - Soritong 9. SEH - mp3nator 10. SEH - NNM (hard) - Need to find copy of 11. SEH + UNICODE - ALLPlayer 12. SEH (difficult) - Winamp with following tools installed: 1. WinDBG + MSEC.dll (!load winext\msec.dll) + byakugan (!load byakugan) 2. Immunity Debugger + mona.py (!mona) 3. OllyDBG+Plugins(SSEH+OllySnake+AdvancedOlly+OllyHeapVis+Virtual2Physical) 4. C:\Windows\system32\findjmp2.exe 5. Cygwin + perl + gdb + gcc... 6. Python26 (for IDA) + PyDbg - https://code.google.com/p/pydbgr/wiki/HowToInstall 6. Python27 (for ImmunityDebugger)+pyDbg 7. lcc-win 8. Wireshark 9. Mantra on Chrome (MoC) 10. Google-Chrome 11. Microsoft Visual C++ 2008 Express 12. Nasm 13. metasploit 14. Alpha3 (c:\Alpha3) 15. IDA 16. Sysinternals (c:\Windows\System32) 17. Proxifier Edition 18. Echo Mirage Sursa: https://rmusser.net/docs/Exploit Development.html
    1 point
  7. WarLord
    https://www.jollyfrogs.com/osee-awestralia-2018-preparations/ OSEE - AWEstralia 2018 preparations Living in Australia, the total cost of attending the AWE training in Vegas, including flights and hotel would exceed AUD 10,000$. So instead I decided to ask the Offensive Security trainers if they wanted to come and deliver the AWE training in my home town of Brisbane, Australia. I was able to rally together a few large companies interested in participating in the training. We now have over 25 interested people - enough for Offensive Security to come to Brisbane and host the training right here in Australia! Since the training is called Advanced Windows Exploitation (AWE), we call the training AWEstralia 2018 - it will be a lot of fun! This post is to help myself and other participants prepare for the AWE exam. Many thanks to Alpine for helping put together this guide. This guide was written based on existing AWE (OSEE) reviews and the official AWE syllabus topics. We're in the preparation stages now - lots of learning and finding good resources to prepare for the onslaught of AWE. Offensive Security has not yet confirmed a date for 2018 but we expect them to confirm very soon. The date will be around May 2018 and the course will be held in Brisbane Australia. If you'd like to join us, please contact me on TheFrog at jollyfrogs -dot -com. WinDBG usage AWE students are expected to know how to use the WinDBG debugger WinDBG general information: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/ WinDBG configuration: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windows-debugging WinDBG configuration in VMWare: http://silverstr.ufies.org/lotr0/windbg-vmware.html WinDBG configuration in VirtualBox: https://hshrzd.wordpress.com/2017/05/28/starting-with-windows-kernel-exploitation-part-1-setting-up-the-lab/ WinDBG Lab: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers---step-by-step-lab--echo-kernel-mode- WinDBG Useful commands reference: https://briolidz.wordpress.com/2013/11/17/windbg-some-debugging-commands/ Module 0x01 Custom Shellcode Creation http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html SLAE32 and SLAE64 discount code https://www.fuzzysecurity.com/tutorials/expDev/6.html https://blahcat.github.io/2017/08/14/a-primer-to-windows-x64-shellcoding/ The Shellcoder's Handbook http://sh3llc0d3r.com/windows-reverse-shell-shellcode-ii/ http://blog.harmonysecurity.com/2009/06/retrieving-kernel32s-base-address.html http://nagareshwar.securityxploded.com/2013/09/21/using-peb-to-get-base-address-of-kernelbase-dll/ http://www.rohitab.com/discuss/topic/38717-quick-tutorial-finding-kernel32-base-and-walking-its-export-table/ http://www.hick.org/code/skape/papers/win32-shellcode.pdf http://expdev-kiuhnm.rhcloud.com/2015/05/22/shellcode/ https://www.offensive-security.com/vulndev/fldbg-a-pykd-script-to-debug-flashplayer/ https://exploit.courses/files/bfh2017/day6/0x60_WindowsExploiting.pdf https://secure2.sophos.com/de-de/medialibrary/PDFs/other/Comprehensive-Exploit-Prevention.ashx Module 0x02 DEP/ASLR/EMET Bypass and Sandbox Escape via Flash HeapSpray https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/ https://www.offensive-security.com/vulndev/disarming-emet-v5-0/ https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/ https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Whitepaper/bh-eu-07-sotirov-WP.pdf https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ https://www.fuzzysecurity.com/tutorials/expDev/8.html https://www.fuzzysecurity.com/tutorials/expDev/11.html https://www.corelan.be/index.php/2016/07/05/windows-10-x86wow64-userland-heap/ https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/ https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/ http://gsec.hitb.org/sg2016/sessions/look-mom-i-dont-use-shellcode-a-browser-exploitation-case-study-for-internet-explorer-11/ https://github.com/shellphish/how2heap https://0x00sec.org/t/heap-exploitation-abusing-use-after-free/3580 http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-1/ http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-2/ http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-use-free-bug/ https://sites.google.com/site/zerodayresearch/smashing_the_heap_with_vector_Li.pdf http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545 http://casual-scrutiny.blogspot.sg/2015/01/simple-emet-eaf-bypass.html Module 0x03 32-bit Kernel Driver Exploitation https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/ https://github.com/hacksysteam/HackSysExtremeVulnerableDriver https://theevilbit.blogspot.sg/2017/09/pool-spraying-fun-part-1.html https://theevilbit.blogspot.in/2017/09/windows-kernel-pool-spraying-fun-part-2.html https://theevilbit.blogspot.in/2017/09/windows-kernel-pool-spraying-fun-part-3.html https://www.fuzzysecurity.com/tutorials/expDev/14.html https://www.fuzzysecurity.com/tutorials/expDev/15.html https://www.fuzzysecurity.com/tutorials/expDev/19.html https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/ https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/ https://glennmcgui.re/introduction-to-windows-kernel-exploitation-pt-1/ https://glennmcgui.re/introduction-to-windows-kernel-driver-exploitation-pt-2/ http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html https://github.com/hatRiot/token-priv https://rootkits.xyz/blog/2017/06/kernel-setting-up/ https://rootkits.xyz/blog/2017/08/kernel-stack-overflow/ https://rootkits.xyz/blog/2017/09/kernel-write-what-where/ Module 0x04 64-bit Kernel Driver Exploitation http://trackwatch.com/windows-kernel-pool-spraying/ https://blahcat.github.io/2017/08/31/arbitrary-write-primitive-in-windows-kernel-hevd/
    1 point
  8. Nytro
    Introducere Am decis sa scriu un astfel de tutorial deoarece nu am mai vazut niciun astfel de articol scris in limba romana care sa explice pe intelesul tuturor care este cauza acestor probleme dar si cum se pot exploata. Tutorialul se adreseaza incepatorilor, dar sunt necesare cel putin cunostinte de programare C/C++ pentru a putea intelege conceptele. Sistemul pe care vom descoperi si exploata problema este Windows XP (pe 32 de biti) din motive de simplitate: nu exista ASLR, o notiune pe care o vom discuta in detaliu mai jos. Vreau sa incep cu o scurta introducere in limbaje de asamblare. Nu voi prezenta in detaliu, dar voi descrie pe scurt notiunile necesare pentru a intelege cum apare un "buffer overflow" si cum se poate exploata. Exista mai multe tipuri de buffer overflow-uri, aici il vom discuta pe cel mai simplu, stack based buffer overflow. Daca doriti acest articol in format PDF, il puteti descarca de aici: https://rstforums.com/fisiere/SBOF.pdf Introducere in ASM Pentru a ma asigura ca inteleg toti programatorii C/C++, voi explica ce se intampla cu codul C/C++ cand este compilat. Un programator scrie codul: #include <stdio.h> int main() { puts("RST rullz"); return 0; } Compilatorul va translata aceste instructiuni in limbaj de asamblare apoi aceste intructiuni vor fi transpuse in "cod masina" (cunoscut si ca shellcode). Exemplu, intructiunile in limbaj de asamblare: [B][COLOR=#0000ff]PUSH [/COLOR][/B]OFFSET [COLOR=#ff0000]SimpleEX.??_C@_09GGKPFABJ@RST?5rullz?$AA@[/COLOR] ; /s = "RST rullz"[B][COLOR=#0000ff]CALL [/COLOR][/B]DWORD PTR [B][COLOR=#008000]DS[/COLOR][/B]:[<&[COLOR=#ff0000]MSVCR100.puts[/COLOR]>] ; \puts[B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]4[/COLOR][B][COLOR=#0000ff]XOR [/COLOR][COLOR=#008000]EAX[/COLOR][/B],[B][COLOR=#008000]EAX[/COLOR][/B][COLOR=#0000ff][B]RETN[/B][/COLOR] Nu e nevoie sa intelegeti deocamdata ce se intampla acolo. Apoi, acest cod e reprezentabil in cod masina: 68 F4200300 [B][COLOR=#0000ff]PUSH [/COLOR][/B]OFFSET [COLOR=#ff0000]SimpleEX.??_C@_09GGKPFABJ@RST?5rullz?$AA@[/COLOR] ; /s = "RST rullz"FF15 A0200300 [B][COLOR=#0000ff]CALL [/COLOR][/B]DWORD PTR [B][COLOR=#008000]DS[/COLOR][/B]:[<&[COLOR=#ff0000]MSVCR100.puts[/COLOR]>] ; \puts83C4 04 [B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]4[/COLOR]33C0 [B][COLOR=#0000ff]XOR [/COLOR][COLOR=#008000]EAX[/COLOR][/B],[B][COLOR=#008000]EAX[/COLOR][/B]C3 [B][COLOR=#0000ff]RETN[/COLOR][/B] Se poate vedea ca acum avem in plus o serie de octeti: 0x68 0xF4 0x20 0x03 0x00 0xFF 0x15 0xA0 0x20 0x03 0x00 0x83 0xC4 0x04 0x33 0xC0 0xC3. Prin acei octeti din dreptul lor sunt reprezentate si intelese de catre procesor instructiunile. Cu alte cuvinte, procesorul va citi aceasta serie de octeti si le va interpreta ca pe instructiunile din limbajul de asamblare. Procesorul nu stie de variabilele din C. Procesorul are propriile sale "variabile", mai exact fiecare procesor are doar niste registri in care poate memora date. Acesti registri sunt urmatorii (doar cei necesari): - EAX, EBX, ECX, EDX, ESI, EDI - Registrii generali care memoreaza date - EIP - Registru special: un program care executa rand pe rand fiecare instructiune a sa (din ASM). Sa zicem ca prima instructiune se afla in memorie la adresa 0x10000000. O instructiune poate sa aiba unu sau mai multi octeti. Sa presupunem ca are 3 octeti. Initial, valoarea acestui registru e 0x10000000. Dupa ce procesorul executa acea instructiune, valoarea registrului va fi schimbata la 0x10000003 - ESP - Stack pointer. Vom discuta mai in detaliu stack-ul ulterior. Pentru moment e de ajuns sa intelegeti ca stack-ul se afla in memorie si acest registru memoreaza adresa de memorie la care se afla varful stivei (stack). Mai exista de asemenea registru EBP care reprezinta "baza stivei" Toti acesti registri au 4 octeti. Acel "E" vine de la "Extended" deoarece procesoarele pe 16 biti aveau registri pe 16 biti: AX, BC, CX, DX. Informativ, pe sistemele pe 64 de biti, registrii sunt: RAX, RBX... Un concept extrem de important si care trebuie inteles cand vine vorba de limbaje de asamblare il reprezinta stiva (stack). Stiva e o structura de date in care datele (elementele de pe stiva) sunt puse "una peste alta" si la un moment dat poate fi scos de pe stiva doar elementul din varful stivei. Sau, cum explica o doamna profesoara de la Universitate, o stiva este ca niste farfurii puse una peste alta: cand adaugi una, o pui peste celelalte, iar cand vrei sa scoti una, o scoti mai intai pe cea din varf. Stiva este foarte folosita la nivel de procesor deoarece: - variabilele locale dintr-o functie sunt puse pe stiva - parametrii cu care e apelata o functie sunt pusi pe stiva Exista doua notiuni importante care trebuie intelese cand se lucreaza cu procesoare Intel: - procesoarele sunt little endian: mai exact, daca aveti o variabila int x = 0x11223344, aceasta nu se va afla in memorie ca "0x11223344" ci ca "0x44332211" - cand se adauga un element pe stiva, valoarea ESP-ului, registru care memoreaza varful stivei, va scadea! Exista doua intructiuni folosite pentru a lucra cu stiva: - PUSH - va pune o valoare (pe 32 de biti) pe stiva - POP - va scoate o valoare (pe 32 de biti) de pe stiva Exemplu de stiva: 24 - 1111 28 - 2222 32 - 3333 Prima coloana o reprezinta valoarea varfului stivei, valoare care scade cand se adauga un nou element, iar a doua coloana contine niste valori aleatoare. Sa adaugam doua elemente pe stiva: PUSH 5555 PUSH 6666 Stiva va arata astfel: 16 - 6666 20 - 5555 24 - 1111 28 - 2222 32 - 3333 Ca sa intelegeti mai usor cum valoarea ESP-ului, registrul care contine un pointer la varful stivei, scade cand sunt puse date pe stiva, priviti acest registru ca pe o valoare "spatiu disponibil pe stiva" care scade cand sunt adaugate date. Dupa cum am exemplificat si mai sus, la fel ca PUSH si POP, procesorul executa "instructiuni" pentru a-si face datoria. Fiecare instructiune are rolul sau, asa cum PUSH pune un element pe stiva si POP il scoate, alte instructiuni realizeaza: - ADD - Face o adunare - SUB - Face o scadere - CALL - Apeleaza o functie - RETN - Returneaza dintr-o functie - JMP - Sare la o adresa - XOR - Operatie binara, dar "XOR EAX, EAX" de exemplu e echivalentul mai optim al atribuirii EAX = 0 - MOV - Face o atribuire - INC - Incrementeaza o valoare (variabila++) - DEC - Decrementeaza o valoare (variabila--) Exista foarte multe astfel de instructiuni, dar acestea ar fi cele mai importante. Sa vedem cateva exemple: - ADD EAX, 5 ; Adauga valoarea 5 la registrul EAX. Adica EAX = EAX + 5 - SUB EDX, 7 ; Scade 5 din valoarea registrului EDX - CALL puts ; Apeleaza functia puts - RETN ; return-ul din C - JMP 0x11223344 ; Sare la instructiunea de la acea adresa - XOR EBX, EBX ; Echivalentul pentru EBX = 0 - MOV ECX, 3 ; Echivalentul pentru ECX = 3 - INC ECX; Echivalentul pentru ECX++ - DEC ECX ; Echivalentul pentru ECX-- Cred ca e destul de usor de inteles. Acum putem intelege ce face mai exact procesorul cu codul nostru care afiseaza un simplu mesaj: 1. PUSH OFFSET SimpleEX.@_rst_@ - Am inlocuit acel sir urat cu ceva mai simplu: este de fapt un pointer la sirul de caractere "RST rullz" din memorie. Instructiunea pune pe stiva pointerul la acest sir. Are ca efect scaderea a 4 octeti (sistem pe 32 de biti) din ESP. Adica "ESP = ESP -4" 2. CALL DWORD PTR DS:[<&MSVCR100.puts>] - Apeleaza functia "puts" din biblioteca "MSVCR100.dll" (Microsoft Visual C Runtime v10) folosita de Visual Studio 2010. Vom detalia mai jos ca pentru a apela o functie, trebuie mai intai sa punem parametrii pe stiva 3. ADD ESP,4 - Acel PUSH a avut ca efect scaderea a 4 octeti necesari pentru a apela functia, acum ii vom elibera de pe stiva adaugand 4 octeti 4. XOR EAX,EAX - Inseamna EAX = 0. Intr-o functie, la return, valoarea returnata va fi continuta de acest registru 5. RETN - Facem "return" din functie Pentru a intelege mai bine cum functioneaza un apel de functie luam urmatorul exemplu: #include <stdio.h>int functie(int a, int { return a + b; } int main() { functie(5, 6); return 0; } Functia "main" va arata astfel: [B][COLOR=#0000ff]PUSH [/COLOR][COLOR=#008000]EBP[/COLOR][/B][COLOR=#0000ff][B]MOV [/B][/COLOR][B][COLOR=#008000]EBP[/COLOR][/B],[COLOR=#008000][B]ESP[/B][/COLOR][COLOR=#0000ff][B]PUSH [/B][/COLOR][COLOR=#ff0000]6[/COLOR] [COLOR=#0000ff][B]PUSH [/B][/COLOR][COLOR=#ff0000]5 [/COLOR][COLOR=#0000ff][B]CALL [/B][/COLOR][COLOR=#ff0000]SimpleEX.functie [/COLOR] [COLOR=#0000ff][B]ADD [/B][/COLOR][COLOR=#008000][B]ESP[/B][/COLOR],[COLOR=#ff0000]8[/COLOR][COLOR=#0000ff][B]XOR [/B][/COLOR][COLOR=#008000][B]EAX[/B][/COLOR],[COLOR=#008000][B]EAX[/B][/COLOR][COLOR=#0000ff][B]POP [/B][/COLOR][COLOR=#008000][B]EBP[/B][/COLOR][COLOR=#0000ff][B]RETN[/B][/COLOR] Iar "functie" va fi de forma: [B][COLOR=#0000ff]PUSH [/COLOR][COLOR=#008000]EBP[/COLOR][/B][B][COLOR=#0000ff]MOV [/COLOR][COLOR=#008000]EBP[/COLOR][/B],[B][COLOR=#008000]ESP[/COLOR][/B][B][COLOR=#0000ff]MOV [/COLOR][COLOR=#008000]EAX[/COLOR][/B],DWORD PTR [B][COLOR=#008000]SS[/COLOR][/B]:[[B][COLOR=#008000]EBP[/COLOR][/B]+[COLOR=#ff0000]8[/COLOR]][B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]EAX[/COLOR][/B],DWORD PTR [B][COLOR=#008000]SS[/COLOR][/B]:[[B][COLOR=#008000]EBP[/COLOR][/B]+[COLOR=#ff0000]C[/COLOR]][B][COLOR=#0000ff]POP [/COLOR][/B][COLOR=#008000][B]EBP[/B][/COLOR][B][COLOR=#0000ff]RETN[/COLOR][/B] Nota: Visual Studio e al dracu de destept (nu sunt ironic) si a facut calculele astfel incat nu mai exista niciun apel catre o alta functie, ci doar o valoare 0xB (adica 11, adica 5+6). Pentru teste puteti dezactiva complet optimizarile din Properties > C++ > Optimization. Se pot observa cateva instructiuni: - PUSH EBP (la inceputul functiilor) - MOV EBP,ESP (la inceputul functiilor) - POP EBP (la final) Ei bine, aceste instructiuni au rolul de a crea "stack frame-uri". Mai exact, au rolul de a "separa" cumva functiile pe stiva, astfel incat registrii EBP si ESP (registrii care contin valorile ce reprezinta baza si varful stivei) sa delimiteze stiva folosita de catre functia respectiva. Spus altfel, cum fiecare functie poate avea propriile variabile, folosind aceste instructiuni, registrul EBP va contine adresa de unde incep datele folosite de functia care a fost apelata, iar ESP va contine varful stivei. Intre valorile ESP - EBP (ESP este mai mic) se afla datele folosite de functie. Sa incepem cu functia care realizeaza adunarea: - MOV EAX,DWORD PTR SS:[EBP+8] - ADD EAX,DWORD PTR SS:[EBP+C] Nu va speriati de acesti DWORD PTR SS:[EBP+8] si DWORD PTR SS:[EBP+C]. Asa cum am discutat anterior, intre EBP si ESP se afla datele folosite de functie. In cazul de fata, aceste date sunt parametrii cu care a fost apelata functia. Acesti parametri se afla pe stiva si sunt accesibili la locatiile EBP+8 si EBP+C, adica la 8 respectiv 12 octeti fata de registrul EBP. De asemenea, in ASM, parantezele patrate sunt folosite ca si "*" in C/C++ cand e vorba de pointeri. Asa cum *p inseamna "valoarea de la adresa p" asa [EBP] inseamna "valoarea de la adresa EBP". E nevoie de o astfel de abordare deoarece EBP contine o adresa de memorie (de pe stiva) si noi avem nevoie de valorile de la adresele respective de memorie. O alta notiune utila este faptul ca "DWORD" specifica faptul ca la acea adresa se afla o valoare pe 4 octeti. Exista cateva tipuri de date care specifica dimensiunile datelor cu care se lucreaza: - BYTE - 1 octet - WORD - 2 octeti - DWORD - 4 octeti Acei SS (Stack Segment) sau DS (Data Segment) sau CS (Code Segment) reprezinta alti registrii care identifica diverse zone/segmente de memorie: stiva, date sau cod, fiecare dintre acestea avand anumite drepturi de acces: read, write sau execute. Functia pune in EAX valoarea primului parametru (a) si adauga la aceasta valoarea celui de-al doilea parametru (. Astfel EAX contine a+b. Trecem acum la ceea ce ne intereseaza de fapt si anume cum se realizeaza apelul unei functii: [B][COLOR=#0000ff]PUSH [/COLOR][/B][COLOR=#ff0000]6[/COLOR] [B][COLOR=#0000ff]PUSH [/COLOR][/B][COLOR=#ff0000]5[/COLOR] [B][COLOR=#0000ff]CALL [/COLOR][/B][COLOR=#ff0000]SimpleEX.functie[/COLOR] [B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]8[/COLOR] Ne amintim ca apelul este "functie(5, 6)". Ei bine, pentru a apela o functie se executa urmatorii pasi: 1. Se pun pe stiva parametrii de la dreapta la stanga. Adica mai intai 6, apoi 5 2. Se apeleaza functia 3. Se elibereaza stiva, se curata parametrii de pe stiva Astfel, mai intai se pun pe stiva doua valori (32 de biti, adica 4 octeti fiecare): 6 apoi 5, se apeleaza functia si apoi se curata stiva: ESP-ul devine ESP+8 (spatiul ocupat de catre cei doi parametri ai functiei) astfel incat ajunge la valoarea initiala, de dinainte de apelul de functie. Am discutat anterior ca pentru eliminarea datelor de pe stiva se poate folosi instructiunea POP, insa nu avem nevoie de POP deoarece nu ne intereseaza valorile de pe stiva, iar in acest caz ar fi nevoie de doua instructiuni POP pentru a elibera stiva. Daca am avea 100 de parametri la o functie ar trebui sa facem 100 de POP-uri, putem rezolva aceasta problema cu o simpla astfel de adunare. Nota: E important dar nu e in scopul acestui tutorial: exista mai multe metode de a apela o functie. Aceasta metoda, care presupune adaugarea parametrilor pe stiva de la dreapta la stanga, apoi eliberarea stivei DUPA apelul functie se numeste "cdecl". Alte functii, precum cele ale sistemului de operare Windows, folosesc o alta metoda de a apela functiile (numita calling convention) numita "stdcall" si care presupune de asemenea punerea parametrilor functiilor pe stiva de la dreapta la stanga, DAR curatarea stivei se face in interiorul functiei, nu dupa apelul acesteia. Un alt lucru important la apelul unei functii este urmatorul, apel realizat folosind intructiunea "call" il reprezinta faptul ca adresa imediat urmatoare instructiunii call care apeleaza functia, este pusa pe stiva! Exemplu: 00261013 | PUSH 6 ; /Arg2 = 00000006 00261015 | PUSH 5 ; |Arg1 = 00000005 00261017 | CALL SimpleEX.functie ; \functie 0026101C | ADD ESP,8 In stanga se afla adresele de memorie la care se afla instructiunile respective. Instructiunile PUSH 5 si PUSH 6 au cate doi octeti. Instructiunea CALL, care se afla la adresa 0x00261017, are 5 octeti. Asadar adresa instructiunii urmatoare este 0x0026101C (adica 0x00261017 + 5). Aceasta este adresa care va fi pusa pe stiva la apelul functiei. Stiva va arata astfel inainte de apelul functiei, dupa cele doua instructiuni PUSH: 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Dupa executarea instructiunii CALL, stiva va arata astfel (adresele stivei din prima coloana sunt informative): 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Urmeaza apoi seria de instructiuni, prolog-ul functiei, care creaza stackframe-urile: - PUSH EBP - MOV EBP,ESP Dupa acel PUSH, stiva va fi de forma: 16 - 32 ; EBP-ul anterior apelului functiei 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Dupa MOV EBP,ESP - EBP-ul va avea valoarea "varful curent al stivei". E important de retinut ca variabilele locale ale functiei sunt plasate AICI pe stiva! Sa modificam functia astfel: int functie(int a, int { int v1 = 3, v2 = 4; return a + b; } Avem acum in plus doua variabile initializate cu valorile 3 si 4. Noul cod al functiei va avea in plus: SUB ESP,8 ; Se aloca spatiu pentru cele doua variabile (fiecare cate 4 octeti) MOV DWORD PTR SS:[EBP-4],3 ; Initializarea primei variabile MOV DWORD PTR SS:[EBP-8],4 ; Initializarea celei de-a doua variabile Astfel stiva va contine: 08 - 4 ; Variabilele locale 12 - 3 16 - 32 ; EBP-ul anterior apelului functiei 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri E obligatoriu de retinut faptul ca variabilele locale ale functiilor sunt puse pe stiva. E de asemenea obligatoriu de inteles ca "adresa de return" e retinuta tot pe stiva. Daca pana in acest punct nu ati inteles exact cum stau lucrurile, ori cereti mai multe detalii explicand ceea ce nu intelegeti, ori incercati sa va documentati singuri citind multitudinea de tutoriale pe care le gasiti pe Google. Stack Based Buffer Overflow Daca ati inteles toate conceptele de mai sus puteti trece mai departe. Daca nu, recititi si incercati sa intelegeti sau va mai puteti documenta, exista o multitudine de articole din care puteti intelege aceste notiuni. Daca totul este in regula, puteti trece la acest capitol. Discutam ca stiva contine urmatoarele (in aceasta ordine, unde "variabilele locale" se afla la "adresa cea mai mica" iar "parametrii functiei" la "adresa cea mai mare"): - Variabilele locale ale functiei (variabil, sa zicem 20 bytes) - EBP-ul anterior (salvat cu PUSH EBP) - Adresa de return (de exemplu 0x0026101C) - Parametri cu care a fost apelata functia Este destul de usor de inteles acum cum functioneaza un Stack Based Buffer Overflow. Sa luam urmatorul caz. Avem functia urmatoare, apelata din main: #include <stdio.h>#include <string.h> // Functia de afisare a numelui void Afiseaza(char *p_pcNume) { // Buffer-ul in care va fi stocat numele char buffer[20]; // Copiem numele in buffer strcpy(buffer, p_pcNume); // Afisam numele printf("Salut: %s", buffer); } // Functia main int main(int argc, char* argv[]) { // Trebuie sa avem un argument, numele if(argc != 2) { puts("Lipseste argumentul: Ex: ./sbof Ionut"); return 1; } // Apelam functia de afisare Afiseaza(argv[1]); return 0; } Programelul este simplu: primeste un parametru in linia de comanda si apeleaza functia "Afiseaza". Problema se poate vedea aici: char buffer[20]; strcpy(buffer, p_pcNume); Avem un buffer (vector) local, de 20 de octeti. Atentie! Nu confundati un vector cu un pointer (char *buffer)! In cazul unui pointer pentru care s-a alocat spatiu cu "malloc" sau "new []", pe stiva se afla doar pointer-ul (4 octeti) NU si spatiul care a fost alocat pe HEAP! Avand un buffer de 20 de octeti pe stiva, copiem in acea variabila sirul de caractere pe care il primim din linia de comanda. Ce se intampla insa daca sirul de caractere depaseste dimensiunea de 20 de octeti? Avem un buffer overflow. Denumirea de "Stack Based Buffer Overflow" vine de la faptul ca acest buffer este memorat pe stiva. Sa vedem cum ar arata o stiva care ar contine toate datele in momentul apelului functiei. 100 - BUFFER - octetii 0-4 104 - BUFFER - octetii 4-8 108 - BUFFER - octetii 8-12 112 - BUFFER - octetii 12-16 116 - BUFFER - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei 124 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 128 - 0x5 132 - 0x6 136 - 0x1337 ; Ce se afla inainte de PUSH-uri Daca apelam functia folosind sirul de caractere "Nytro @ RST", stiva va arata astfel: 100 - Nytr 104 - o @ 108 - RST\0 112 - XXXX - octetii 12-16 (XXXX sunt date aleatoare) 116 - XXXX - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei ... Probabil v-ati dat seama singuri cum se poate exploata aceasta problema: daca suprascriem CORECT stiva, daca apelam programul cu un sir de caractere corect, astfel incat sa SUPRASCRIEM ADRESA DE RETURN, dupa ce functia "Afiseaza" isi va termina executia, in momentul in care se va apela instructiunea RETN, procesorul va sari la adresa pe care noi am suprascris-o: in locul adresei 0x0026101C vom pune noi o anumita adresa. Putem astfel controla executia procesului! Daca vom apela programul astfel: StackBOF.exe aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa In debugger se va putea observa urmatoarea eroare: "Access violation when executing [61616161]" Daca nu v-ati dat seama, 0x61 este codul ascii al caracterului "a". Deci procesorul incearca sa execute codul de la adresa "aaaa". Ce putem face in acest caz? Ii putem oferi CORECT (adica la locatia corecta in sirul "aaaa...aaaa") o adresa valida de memorie, la care se afla cod valid, obtinand astfel posibilitatea de a executa cod propriu! Cum putem insa executa propriul cod astfel? Raspunsul este simplu: "jmp esp". Intelegem ca am suprascris stiva. Am suprascris atat "adresa de return" dar am suprascris si ce era DUPA adresa de return. Si e important de precizat faptul ca asa cum la "CALL" pe stiva se pune automat adresa de return, asa la RETN, adresa de return e eliberata de pe stiva si procesorul executa instructiuni incepand cu acea adresa. Asa cum la CALL registrul ESP devine ESP-4 deoarece se adauga 4 octeti (adresa de return), asa la RETN registrul ESP devine ESP+4 deoarece se scoate de pe stiva respectiva adresa. Asta inseamna ca ESP este acum un pointer la datele de DUPA adresa de return, un pointer la niste date pe care NOI le-am pus acolo. Asadar, pentru a dezvolta raspunsul "jmp esp": daca gasim undeva in spatiul de memorie al procesului pe care il exploatam, adica in codul executabilului sau codul din DLL-urile folosite de catre proces, o secventa de cod "jmp esp" putem sa plasam adresa acestei instructiuni in locul adresei de return, astfel incat procesorul, dupa executia instructiunii RETN va sari la acea adresa si va executa "jmp esp" si apoi procesorul va executa instructiunile de pe stiva pe care noi o controlam. Sa presupunem ca gasim instructiunea "jmp ESP" la adresa de memorie 0x11223344. Avem pe stiva: 100 - BUFFER - octetii 0-4 104 - BUFFER - octetii 4-8 108 - BUFFER - octetii 8-12 112 - BUFFER - octetii 12-16 116 - BUFFER - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei 124 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 128 - 0x5 132 - 0x6 136 - 0x1337 ; Ce se afla inainte de PUSH-uri DAR, daca vom suprascrie in mod corect stiva, o vom face astfel: 1. Vom pune "aaaaaaaaaaaaaaaaaaaa" - 20 de octeti - pentru a umple buffer-ul 2. Vom mai pune "aaaa" - 4 octeti - pentru a suprascrie EBP-ul anterior 3. Vom pune 0x11223344 - 4 octeti - adresa de return (adresa instructiunii jmp esp) 4. Vom pune shellcode-ul (cod masina) - pe care vrem sa il executam Stiva va arata astfel: 100 - aaaa 104 - aaaa 108 - aaaa 112 - aaaa 116 - aaaa 120 - aaaa 124 - 0x44332211 ; Little endian 128 - XXXX 132 - XXXX 136 - XXXX ... Unde XXX... e shellcode-ul pe care vrem sa il executam. Daca nu ati mai intalnit acest termen, tineti minte doar ca puteti gasi pe Google/Exploit-DB/Shell-Storm o gramada de shellcode-uri. Exemple: - Download & Execute: care permite descarcarea si executarea unui EXE - Bind TCP: care deschide un port si permite executarea de comenzi - Calc.exe/MessageBox: care deschide calc.exe sau afiseaza un mesaj (pentru teste) Sa vedem pas cu pas cum functioneaza totul (simplificat): void Afiseaza(char *p_pcNume){ char buffer[20]; strcpy(buffer, p_pcNume); } 1. Se primeste argumentul (pentru exploatare) de la tastatura 2. Se apeleaza functia Afiseaza cu acest argument 3. Se pun pe stiva: - pointer la sirul de caractere (parametrul functiei) - adresa de return (la CALL) - EBP anterior (in corpul functiei) (cu PUSH EBP) - buffer-ul (20 de octeti - variabila locala) 4. Se apeleaza strcpy() - se copiaza in buffer primii 20 de octeti (din argumentul de la tastatura) - urmatorii 4 octeti suprascriu EBP-ul enterior - urmatorii 4 octeti suprascriu adresa de return - urmatorii bytes suprascriu restul stivei 5. Se elibereaza spatiul folosit de buffer (se face ADD ESP, 0x14) 6. Se face RETN Ce se intampla acum e important: 1. Se scoate de pe stiva adresa de return (suprascrisa de noi cu o adresa de memorie la care se afla instructiunea "jmp esp") 2. Procesorul sare la adresa respectiva si executa "jmp esp" 3. Efectul este saltul si executia codului prezent pe stiva (ESP-ul contine acum un pointer la datele de dupa "adresa de return") Pe stiva, la adresa ESP, se afla acum shellcode-ul nostru: un limbaj masina care ne permite sa efectuam o anumita actiune, probabil cele mai folosite astfel de actiuni sunt "Download & Execute", adica infectarea cu un trojan sau altceva, sau "Bind TCP", adica ascultarea pe un port pe care noi, ca atacatori, ne putem conecta ulterior si putem executa comenzi. Cum gasim insa o adresa unde se afla instructiunea jmp esp? Ei bine, aici depinde de voi si de debugger-ul pe care il folositi. Scopul acestui articol este sa intelegeti cum se exploateaza un buffer overflow, nu cum sa folositi un debugger, dar voi face o scurta descriere a acestor programe. In testele facute de mine am folosit Immunity Debugger. Este gratuit, simplu si frumos. Puteti incerca de asemenea OllyDbg, IDA Free sau WinDbg. Un debugger poate deschide un executabil (sau dll), il incarca in memorie, il dezasambleaza (transforma codul masina in cod ASM) si permite debugging-ul, adica permite executarea programului instructiune cu instructiune oferind toate informatiile necesare: - instructiunile care se executa sau care urmeaza sa fie executate - toti registrii (EAX, EBX... EBP, ESP, EIP) - anumite zone de memorie (pe care le doriti) - memory dump - stiva, afisand unde este varful acesteia (ESP) De asemenea, un debugger ofera mai multe functionalitati: - permite setarea unor breakpoint-uri, adica permite sa opriti executia programului la o anumita instructiune - permite vizualizarea DLL-urilor folosite de catre executabil (cele incarcate in memorie) si vizualizarea functiilor exportate (Names) - in cazul in care vreti sa puneti breakpoint pe o anumita functie sunt foarte utile aceste informatii - permite vizualizarea thread-urilor curente, a handle-urilor si multe altele - permite cautari in functie de multe criterii - permite modificarea instructiunilor care urmeaza sa fie executate - permite modificarea valorilor registrilor - permite cam tot ce ar putea fi util Pentru a putea gasi o instructiune "jmp esp", ne vom folosi de doua functionalitati: - vizualizarea codului DLL-urilor - cautarea comenzilor (sau sirurilor binare) in memoria executabilului sau a DLL-urilor In Immunity debugger, pentru a deschide kernel32.dll (toate executabilele incarca in memorie si folosesc DLL-urile kernel32 si ntdll), de exemplu, apasam pe butonul "E" apoi facem dublu click pe kernel32.dll. Daca nu vom gasi un jmp esp in acest DLL, incercam in toate celelalte "module" (.exe sau .dll). Dupa ce s-a deschis, dam click dreapta > Search for > All commands si introducem "jmp esp". Vom vedea apoi o lista cu toate adresele la care gasim acea instructiune. Ei bine, asa se poate face in Immunity, exista mult mai multe metode, in functie de Debugger, alegeti ceea ce vi se pare mai simplu. O alta metoda ar fi Search For > Binary String > "FF E4", adica codul masina care reprezinta instructiunea "jmp esp". In cazul meu, pe Windows XP, am gasit instructiunea "jmp esp" in kernel32.dll la adresa 0x7C86467B, reprezentata in little endian ca 0x7b46867c. Scopul acestui articol este doar de a intelege cum functioneaza si vom folosi un shellcode de teste, un cod masina care afiseaza un simplu mesaj pentru a stii daca am reusit sau nu sa exploatam problema. Pentru teste eu am ales acest shellcode: http://www.exploit-db.com/exploits/28996/ "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42""\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03""\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b""\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e""\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c""\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74""\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe""\x49\x0b\x31\xc0\x51\x50\xff\xd7" Pe intelesul tuturor, cand procesorul va executa acel cod masina pe un sistem Windows, va apela functia "MessageBox" si va afisa un mesaj. Astfel, pentru simplitate, vom scrie codul in Python. Adica din Python vom genera sirul de caractere necesar pentru a apela programul si a executa codul nostru. Exploit-ul scris in Python este urmatorul: #!/usr/bin/pythonimport ctypes import subprocess buffer = "\x41" * 24 buffer += "\x7b\x46\x86\x7c" buffer += ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74" "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe" "\x49\x0b\x31\xc0\x51\x50\xff\xd7") subprocess.call(['C:\\Documents and Settings\\Administrator\\Desktop\\Stack BOF\\StackBOF.exe', buffer]) E destul de usor de inteles ce face pentru ca am explicat anterior: - buffer = "\x41" * 24 - Suprascriem buffer si EBP de pe stack - buffer += "\x7b\x46\x86\x7c" - Suprascriem adresa de return cu adresa unei instructiuni jmp esp (instructiunea se va afla intotdeauna la acea adresa daca nu exista ASLR si daca e vorba despre ACELASI sistem de operare - altfel spus, poate sa difere intre XP SP1, XP SP2 si XP SP3) - buffer += ("\x31\xd2\xb2...\x51\x50\xff\xd7") - Shellcode-ul care afiseaza un mesaj - subprocess.call(...) - Apelam executabilul cu buffer-ul (numit si PAYLOAD) nostru care ne permite sa executam propriul cod Daca nu vi se pare foarte util, incercati sa va ganditi ca aceasta problema poate sa apara in cazuri mai "utile": - la deschiderea unui document (.pdf, .docx, .xlsx) - la citirea unor date pe socket (server FTP, server SSH) - la deschiderea unor pagini web (IE, Firefox) Problema poate sa apara in foarte multe locuri si se poate exploata pentru multe programe. Sa nu aveti insa asteptari prea mari sa descoperiti o astfel de problema in programe importante: Google Chrome, Mozilla, Office Word/Excel, Adobe Reader... Puteti gasi insa probleme mai complicate: Use after free, Type confusion, Heap overflow etc, probleme care sunt insa mult mai dificil de descoperit si de exploatat. Mecanisme de protectie Exsita cateva mecanisme create special pentru a proteja aplicatiile de astfel de probleme. Aceste mecanisme pot fi oferite atat de catre sistemul de operare cat si de catre compilator. DEP - Data Execution Prevention este un mecanism de protectie atat hardware (NX bit) cat si software care NU permite executia de cod din zonele care nu au permisiunile de "execute". O zona/pagina de memorie poate avea permisiuni de "read", "write" si/sau "execute". O zona de date ar avea in mod normal permisiuni de "read" si/sau "write" iar o zona de cod ar avea permisiuni de "read" si "execute". Stiva (read+write) este o zona de memorie de pe care nu ar trebui sa existe posibilitatea de a se executa cod (dar fara DEP exista), iar DEP ofera exact aceasta masura de protectie. Probabil ati inteles mai devreme ca shellcode-ul este pus pe stiva si executat de catre procesor de pe stiva. DEP nu va permite acest lucru. Pentru a activa DEP pe un executabil, din Visual Studio activati optiunea din Configuration > Linker > Advanced > Data Execution Prevention (/NXCOMPAT). ASLR - Address Space Layour Randomization, care a fost introdus in Windows Vista si este motivul pentru care din simplitate am ales sa invatam pe un Windows XP, este o alta metoda de protectie a sistemului de operare impotriva acestor atacuri. Dupa cum ati observat, un proces si DLL-urile folosite de catre acesta sunt incarcate in mod obisnuit la aceeasi adresa de memorie. De aceea exista posibilitatea de a stii cu exactitate la ce adresa de memorie se afla anumite instructiuni (jmp esp de exemplu) pe care le putem folosi in exploatarea unui buffer overflow. ASLR randomizeaza adresele la care sunt incarcate in memorie mai multe elemente cheie ale unui proces: executabilul si DLL-urile, heap-ul si stiva. Astfel este mult mai dificil pentru un atacator sa ghiceasca adresa la care se afla o anumita instructiune pentru a o putea executa. Activarea din Visual Studio se face ca si DEP din Configuration > Linker > Advanced > Randomized Base Address (/DYNAMICBASE). Stack Cookies - Este o alta metoda de protectie oferita de catre compilator care are rolul de a proteja aplicatiile impotriva atacurilor de acest tip prin plasarea pe stiva, la inceputul unei functii, a unei valori aleatoare denumita "stack cookie" (___stack_cookie). Imediat inainte de a pune pe stiva variabilele locale este pusa aceasta valoare aleatoare. Ceea ce intampla de fapt, este faptul ca daca o variabila locala (buffer) este suprascrisa si datele de pe stack sunt suprascrise, atunci va fi suprascrisa si aceasta valoare aleatoare care este verificata imediat inainte de iesirea din functie (inainte de RETN). Daca a fost suprascrisa, executia programului va fi oprita. Este foarte dificil ca un atacator sa ghiceasca exact acea valoare si sa nu o corupa. Atentie! Daca vreti sa faceti teste, dezactivati aceasta optiune din Visual Studio deoarece este activata in mod implicit. Pentru activare sau dezactivare mergeti la Configuration > C/C++ > Code Generation > Buffer Security Check (/GS). Tutorialul se adreseaza incepatorilor, de aceea am ales: - Windows XP pentru ca nu ofera ASLR - Executabilul nu are DEP activat - Executabilul nu are GS (stack cookies) activate Concluzie Desi poate parea foarte usor sa exploatezi o astfel de problema, principala dificultate consta in intelegerea limbajului de asamblare si a anumitor concepte, o exploatare efectiva a unei astfel de probleme este mult mai dificila, tocmai din cauza faptului ca exista mai multe mecanisme de protectie. Exista anumite lucruri care se pot face in anumite cazuri pentru a face "bypass" acestor elemente de protectie, insa dificultatea acestora depaseste scopul acestui material. Sugestia mea pentru voi este sa compilati un astfel de programel, excluzand mecanismele de protectie, si sa incercati sa il exploatati singuri. De asemenea, puteti incerca sa modificati dimensiunea buffer-ului sa vedeti ce se intampla si cel mai important este sa executati pas cu pas fiecare instructiune urmarind stiva pentru a intelege complet aceste notiuni. Lasati acum teoria, puneti mana pe debugger si treceti la treaba! Daca aveti intrebari le astept aici. De asemenea astept pareri legate de acest articol, daca m-am facut inteles, daca e corect tot ce am spus etc. pentru a-l putea perfectiona. Multumesc, Nytro @ Romanian Security Team
    1 point
This leaderboard is set to Bucharest/GMT+02:00
×
×
  • Create New...