Leaderboard

Salutare Guys, Cum se mai intampla sa te plictisesti in concediu, am facut azi, un script in python cu care poti descarca melodii de pe Tidal (https://tidal.com). Tidal este un serviciu de streaming online asemanator Spotify, doar ca are o calitate net superioara: HI-FI - 44.1 kHz/16 bit flac si mp4 si Master - 96 kHz/24 bit (MQA) - flac . Daca ai niste scule decente (fie ca e vorba de casti sau un sistem) e must have! Povestea a inceput de la nevoia de a descarca niste melodii pentru a le asculta offline, si cum nu am gasit nimic functional, am decis sa scriu eu aceasta aplicatie. Si m-am gandit sa impartasesc cu voi! Dependinte (e posibil sa imi fi scapat cateva): pip install tidalapi Unidecode ffmpeg - trebuie sa fie in system path Testand jucaria am gasit un bug in tidalapi: in cazul in care o melodie nu are relese date, va crapa, este un caz extrem de rar, si se intampla inspecial la unele melodii vechi. Daca iti place doar muzica noua si foarte comerciala cu siguranta nu ai neaparat nevoie de acest fix. # fix in tidalapi: # edit __init__.py # from line 224 # change: # if 'releaseDate' in json_obj: # try: # kwargs['release_date'] = datetime.datetime(*map(int, json_obj['releaseDate'].split('-'))) # except ValueError: # pass # return Album(**kwargs) # with: # if 'releaseDate' in json_obj: # if json_obj['releaseDate'] is None: # json_obj['releaseDate'] = '2008-10-14' # try: # kwargs['release_date'] = datetime.datetime(*map(int, json_obj['releaseDate'].split('-'))) # except ValueError: # pass # return Album(**kwargs) Salvati codul intr-un fisier .py, si rulati-l. Apropo, caile catre fisierele salvate/creerea de directoare este hardcodata in format *nix, deci nu va asteptati sa va mearga pe windoza fara mici finisaje. Este scris si testat in Python 2,7 (defaultul la macOS Majave) dar am cautat sa il tin compatibil si cu Python 3.x (sper ca mi-a iesit). # -*- coding: utf-8 -*- # RST Tidal MP4 Downloader by Cheater v1.0 (https://rstforums.com) # All tracks will be download in PCM (MPEG AAC Audio coded, MP4A) at 44100 Hz/16 bits, 320 kbps and stored in MP4 container # requirements: # pip install tidalapi Unidecode # ffmpeg # tidalapi has a bug, so if some album/playlist contains one song with no date, it will exit, this is very rare, however, there is some workaround. # fix in tidalapi: # edit __init__.py # from line 224 # change: # if 'releaseDate' in json_obj: # try: # kwargs['release_date'] = datetime.datetime(*map(int, json_obj['releaseDate'].split('-'))) # except ValueError: # pass # return Album(**kwargs) # with: # if 'releaseDate' in json_obj: # if json_obj['releaseDate'] is None: # json_obj['releaseDate'] = '2008-10-14' # try: # kwargs['release_date'] = datetime.datetime(*map(int, json_obj['releaseDate'].split('-'))) # except ValueError: # pass # return Album(**kwargs) import tidalapi import os import subprocess import errno import shlex from aigpy.cmdHelper import myinput from subprocess import Popen, PIPE, STDOUT from random import randint from time import sleep import unidecode # compatibility workaround for py27/py3 try: from subprocess import DEVNULL # py3k except ImportError: import os DEVNULL = open(os.devnull, 'wb') # fill this with your tidal user and pass tidalUser = '' tidalPass = '' cwd = os.getcwd() config = tidalapi.Config() # using HIGH quality in order to get mp4's unencrypted url instead of enctyped flac config.quality = 'HIGH' session = tidalapi.Session(config) session.login(tidalUser, tidalPass) def getTidalTrackUrl(track_id): try: url = session.get_media_url(track_id) return url except: # in case we need to retry we add a random sleep, in order to worckaround bot detection sleep(randint(1,10)) print('Tidal responds with 401. Retrying track url discovery for track id: ' + str(track_id)) generatePlaylistTrackUrl(track_id) def downloadAlbum(): while True: print("----------------ALBUM------------------") sID = myinput("Enter AlbumID（Enter '0' go back) :") if sID == '0': return tracks = session.get_album_tracks(album_id=sID) queue = [] for track in tracks: trackNo = str(tracks.index(track) + 1) # don't try to download unavailable track, it will fail if track.available is False: continue # replace utf-8 diacritics with ascii equivalent, and cleanup " and ' from album/artist/track name trackName = unidecode.unidecode(track.name).replace('"', '').replace("'", "") artistName = unidecode.unidecode(track.artist.name).replace('"', '').replace("'", "") albumName = unidecode.unidecode(track.album.name).replace('"', '').replace("'", "") print('Adding to queue: ' + artistName + ' - ' + albumName + ' - ' + trackNo + '.' + trackName) # create dw directory and subdirs if it not exits if not os.path.exists(cwd + '/tidalDownloaded/' + albumName): os.makedirs(cwd + '/tidalDownloaded/' + albumName) cmd = 'ffmpeg -y -i "rtmp://' + getTidalTrackUrl(track.id) + '" -acodec copy "' + cwd + '/tidalDownloaded/' + albumName + '/' + trackNo + '.' + artistName + ' - ' + trackName + '.mp4"' queue.append(cmd) print('All track has been added to queue successfully. Download begins....') processes = [] for cmd in queue: p = subprocess.Popen(shlex.split(cmd), shell=False, universal_newlines=True, stdout=DEVNULL, stderr=subprocess.STDOUT) processes.append(p) print('All tracks download is in progress. Please wait....') # wait for all started ffmpeg processes to be finished for p in processes: if p.wait() != 0: print("There was an error") print("Finished. All tracks has been download successfully!") return True def downloadPlaylist(): while True: print("----------------PlayList------------------") sID = myinput("Enter PlayList（Enter '0' go back) :") if sID == '0': return playlist = session.get_playlist(playlist_id=sID) tracks = session.get_playlist_tracks(playlist_id=sID) queue = [] for track in tracks: trackNo = str(tracks.index(track) + 1) # don't try to download unavailable track, it will fail if track.available is False: continue # replace utf-8 diacritics with ascii equivalent, and cleanup " and ' from playlist/artist/track name playlistName = unidecode.unidecode(playlist.name).replace('"', '').replace("'", "") trackName = unidecode.unidecode(track.name).replace('"', '').replace("'", "") artistName = unidecode.unidecode(track.artist.name).replace('"', '').replace("'", "") print('Adding to queue: ' + playlistName + ' - ' + trackNo + '.' + artistName + ' - ' + trackName) # create dw directory and subdirs if it not exits if not os.path.exists(cwd + '/tidalDownloaded/' + playlistName): os.makedirs(cwd + '/tidalDownloaded/' + playlistName) cmd = 'ffmpeg -y -i "rtmp://' + getTidalTrackUrl(track.id) + '" -acodec copy "' + cwd + '/tidalDownloaded/' + playlistName + '/' + trackNo + '.' + artistName + ' - ' + trackName + '.mp4"' queue.append(cmd) print('All track has been added to queue successfully. Download begins....') processes = [] for cmd in queue: p = subprocess.Popen(shlex.split(cmd), shell=False, universal_newlines=True, stdout=DEVNULL, stderr=subprocess.STDOUT) processes.append(p) print('All tracks download is in progress. Please wait....') # wait for all started ffmpeg processes to be finished for p in processes: if p.wait() != 0: print("There was an error") print("Finished. All tracks has been download successfully!") return True while True: print(" RST Tidal MP4 Downloader by Cheater v1.0 (https://rstforums.com)") print("=====================Choice=========================") print(" Enter '0' : Exit") print(" Enter '1' : Download Album.") print(" Enter '2' : Download PlayList.") print("====================================================") print("All tracks will be download in PCM (MPEG AAC Audio coded, MP4A) at 44100 Hz/16 bits, 320 kbps and stored in MP4 container") choice = myinput("Choice:") if choice == '0': quit() elif choice == '1': downloadAlbum() elif choice == '2': downloadPlaylist() Ce stie sa faca? 1. Poti descarca un album 2. Poti descarca un playlist 3. Adauga melodiile intr-o coada, si le descarca simultan pentru a scurta timpul de asteptare semnificativ. Daca aveti intrebari sau nu va descurcati puteti scrie aici, si va voi ajuta in limita timpului disponibil (adica sper sa nu fie nevoie :))) ). PS: Fiti blanzi cu code review, sunt programator si python nu este specialitatea mea, este al 2-lea script scris in python si prima interactiune am avut-o in decembrie. PS2: Distractie si La multi ani! PS3: Feel free to improve it! Later: Am gasit un tool functional de download scris de altcineva (daca il gaseam mai repede probabil ca nu il mai scriam eu pe asta, deci nu e neaparat bine): https://github.com/redsudo/RedSea acest tool spre deosebire de ce am scris eu, stie de si decripteze flacurile, astfel poate descarca inclusiv MQA de 92k / 24bit (cea mai intalta calitate disponibila pe tidal), si flac 44.1k / 16bit cu un bitrate de 1.411 kbps. Decriptarea nu e rocket sience, dar cu siguranta a fost nevoie de un reverse engineering serios pentru aflarea algoritmului si key de criptare (AES cu key binara, tinuta in base64 in cod).

Every day we see a bunch of new Android applications being published on the Google Play Store, from games, to utilities, to IoT devices clients and so forth, almost every single aspect of our life can be somehow controlled with “an app”. We have smart houses, smart fitness devices and smart coffee machines … but is this stuff just smart or is it secure as well? Reversing an Android application can be a (relatively) easy and fun way to answer this question, that’s why I decided to write this blog post where I’ll try to explain the basics and give you some of my “tricks” to reverse this stuff faster and more effectively. I’m not going to go very deep into technical details, you can learn yourself how Android works, how the Dalvik VM works and so forth, this is gonna be a very basic practical guide instead of a post full of theoretical stuff but no really useful contents. Let’s start! Prerequisites In order to follow this introduction to APK reversing there’re a few prerequisites: A working brain ( I don’t give this for granted anymore … ). An Android smartphone ( doh! ). You have a basic knowledge of the Java programming language (you understand it if you read it). You have the JRE installed on your computer. You have adb installed. You have the Developer Options and USB Debugging enabled on your smartphone. What is an APK? An Android application is packaged as an APK ( Android Package ) file, which is essentially a ZIP file containing the compiled code, the resources, signature, manifest and every other file the software needs in order to run. Being it a ZIP file, we can start looking at its contents using the unzip command line utility ( or any other unarchiver you use ): unzip application.apk -d application Here’s what you will find inside an APK. /AndroidManifest.xml (file) This is the binary representation of the XML manifest file describing what permissions the application will request (keep in mind that some of the permissions might be requested at runtime by the app and not declared here), what activities ( GUIs ) are in there, what services ( stuff running in the background with no UI ) and what receivers ( classes that can receive and handle system events such as the device boot or an incoming SMS ). Once decompiled (more on this later), it’ll look like this: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 <?xml version="1.0" encoding="utf-8" standalone="no"?> <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.company.appname" platformBuildVersionCode="24" platformBuildVersionName="7.0"> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> <uses-permission android:name="android.permission.INTERNET"/> <application android:allowBackup="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:supportsRtl="true" android:theme="@style/AppTheme"> <activity android:name="com.company.appname.MainActivity"> <intent-filter> <action android:name="android.intent.action.MAIN"/> <category android:name="android.intent.category.LAUNCHER"/> </intent-filter> </activity> </application> </manifest> Keep in mind that this is the perfect starting point to isolate the application “entry points”, namely the classes you’ll reverse first in order to understand the logic of the whole software. In this case for instance, we would start inspecting the com.company.appname.MainActivity class being it declared as the main UI for the application. /assets/* ( folder ) This folder will contain application specific files, like wav files the app might need to play, custom fonts and so on. Reversing-wise it’s usually not very important, unless of course you find inside the software functional references to such files. /res/* ( folder ) All the resources, like the activities xml files, images and custom styles are stored here. /resources.arsc ( file ) This is the “index” of all the resources, long story short, at each resource file is assigned a numeric identifier that the app will use in order to identify that specific entry and the resources.arsc file maps these files to their identifiers … nothing very interesting about it. /classes.dex ( file ) This file contains the Dalvik ( the virtual machine running Android applications ) bytecode of the app, let me explain it better. An Android application is (most of the times) developed using the Java programming language. The java source files are then compiled into this bytecode which the Dalvik VM eventually will execute … pretty much what happens to normal Java programs when they’re compiled to .class files. Long story short, this file contains the logic, that’s what we’re interested into. Sometimes you’ll also find a classes2.dex file, this is due to the DEX format which has a limit to the number of classes you can declare inside a single dex file, at some point in history Android apps became bigger and bigger and so Google had to adapt this format, supporting a secondary .dex file where other classes can be declared. From our perspective it doesn’t matter, the tools we’re going to use are able to detect it and append it to the decompilation pipeline. /libs/ ( folder ) Sometimes an app needs to execute native code, it can be an image processing library, a game engine or whatever. In such case, those .so ELF libraries will be found inside the libs folder, divided into architecture specific subfolders ( so the app will run on ARM, ARM64, x86, etc ). /META-INF/ ( folder ) Every Android application needs to be signed with a developer certificate in order to run on a device, even debug builds are signed by a debug certificate, the META-INF folder contains information about the files inside the APK and about the developer. Inside this folder, you’ll usually find: A MANIFEST.MF file with the SHA-1 or SHA-256 hashes of all the files inside the APK. A CERT.SF file, pretty much like the MANIFEST.MF, but signed with the RSA key. A CERT.RSA file which contains the developer public key used to sign the CERT.SF file and digests. Those files are very important in order to guarantee the APK integrity and the ownership of the code. Sometimes inspecting such signature can be very handy to determine who really developed a given APK. If you want to get information about the developer, you can use the openssl command line utility: openssl pkcs7 -in /path/to/extracted/apk/META-INF/CERT.RSA -inform DER -print This will print an output like: PKCS7: type: pkcs7-signedData (1.2.840.113549.1.7.2) d.sign: version: 1 md_algs: algorithm: sha1 (1.3.14.3.2.26) parameter: NULL contents: type: pkcs7-data (1.2.840.113549.1.7.1) d.data: <ABSENT> cert: cert_info: version: 2 serialNumber: 10394279457707717180 signature: algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5) parameter: NULL issuer: C=TW, ST=Taiwan, L=Taipei, O=ASUS, OU=PMD, CN=ASUS AMAX Key/emailAddress=admin@asus.com validity: notBefore: Jul 8 11:39:39 2013 GMT notAfter: Nov 23 11:39:39 2040 GMT subject: C=TW, ST=Taiwan, L=Taipei, O=ASUS, OU=PMD, CN=ASUS AMAX Key/emailAddress=admin@asus.com key: algor: algorithm: rsaEncryption (1.2.840.113549.1.1.1) parameter: NULL public_key: (0 unused bits) ... ... ... This can be gold for us, for instance we could use this information to determine if an app was really signed by (let’s say) Google or if it was resigned, therefore modified, by a third party. How do I get the APK of an app? Now that we have a basic idea of what we’re supposed to find inside an APK, we need a way to actually get the APK file of the application we’re interested into. There are two ways, either you install it on your device and use adb to get it, or you use an online service to download it. Pulling an app with ADB First of all let’s plug our smartphone to the USB port of our computer and get a list of the installed packages and their namespaces: adb shell pm list packages This will list all packages on your smartphone, once you’ve found the namespace of the package you want to reverse ( com.android.systemui in this example ), let’s see what its physical path is: adb shell pm path com.android.systemui Finally, we have the APK path: package:/system/priv-app/SystemUIGoogle/SystemUIGoogle.apk Let’s pull it from the device: adb pull /system/priv-app/SystemUIGoogle/SystemUIGoogle.apk And here you go, you have the APK you want to reverse! Using an Online Service Multiple online services are available if you don’t want to install the app on your device (for instance, if you’re reversing a malware, you want to start having the file first, then installing on a clean device only afterwards), here’s a list of the ones I use: Apk-DL Evozi Downloader Apk Leecher Keep in mind that once you download the APK from these services, it’s a good idea to check the developer certificate as previously shown in order to be 100% sure you downloaded the correct APK and not some repackaged and resigned stuff full of ads and possibly malware. Network Analysis Now we start with some tests in order to understand what the app is doing while executed. My first test usually consists in inspecting the network traffic being generated by the application itself and, in order to do that, my tool of choice is bettercap … well, that’s why I developed it in the first place Make sure you have bettercap installed and that both your computer and the Android device are on the same wifi network, then you can start MITM-ing the smartphone ( 192.168.1.5 in this example ) and see its traffic in realtime from the terminal: sudo bettercap -T 192.168.1.5 -X The -X option will enable the sniffer, as soon as you start the app you should see a bunch of HTTP and/or HTTPS servers being contacted, now you know who the app is sending the data to, let’s now see what data it is sending: sudo bettercap -T 192.168.1.5 --proxy --proxy-https --no-sslstrip This will switch from passive sniffing mode, to proxying mode. All the HTTP and HTTPS traffic will be intercepted (and, if neeeded, modified) by bettercap. If the app is correctly using public key pinning (as every application should) you will not be able to see its HTTPS traffic but, unfortunately, in my experience this only happens for a very small number of apps. From now on, keep triggering actions on the app while inspecting the traffic ( you can also use Wireshark in parallel to get a PCAP capture file to inspect it later ) and after a while you should have a more or less complete idea of what protocol it’s using and for what purpose. Static Analysis After the network analysis, we collected a bunch of URLs and packets, we can use this information as our starting point, that’s what we will be looking for while performing static analysis on the app. “Static analysis” means that you will not execute the app now, but you’ll rather just study its code. Most of the times this is all you’ll ever need to reverse something. There’re different tools you can use for this purpose, let’s take a look at the most popular ones. apktool APKTool is the very first tool you want to use, it is capable of decompiling the AndroidManifest file to its original XML format, the resources.arsc file and it will also convert the classes.dex ( and classes2.dex if present ) file to an intermediary language called SMALI, an ASM-like language used to represent the Dalvik VM opcodes as a human readable language. It looks like: 1 2 3 4 5 6 7 8 .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V return-void .end method But don’t worry, in most of the cases this is not the final language you’re gonna read to reverse the app Given an APK, this command line will decompile it: apktool d application.apk Once finished, the application folder is created and you’ll find all the output of apktool in there. You can also use apktool to decompile an APK, modify it and then recompile it ( like i did with the Nike+ app in order to have more debug logs for instance ), but unless the other tools will fail the decompilation, it’s unlikely that you’ll need to read smali code in order to reverse the application, let’s get to the other tools now jADX The jADX suite allows you to simply load an APK and look at its Java source code. What’s happening under the hood is that jADX is decompiling the APK to smali and then converting the smali back to Java. Needless to say, reading Java code is much easier than reading smali as I already mentioned Once the APK is loaded, you’ll see a UI like this: One of the best features of jADX is the string/symbol search ( the button ) that will allow you to search for URLs, strings, methods and whatever you want to find inside the codebase of the app. Also, there’s the Find Usage menu option, just highlight some symbol and right click on it, this feature will give you a list of every references to that symbol. Dex2Jar and JD-Gui Similar to jADX are the dex2jar and JD-GUI tools, once installed, you’ll use dex2jar to convert an APK to a JAR file: /path/to/dex2jar/d2j-dex2jar.sh application.apk Once you have the JAR file, simply open it with JD-GUI and you’ll see its Java code, pretty much like jADX: Unfortunately JD-GUI is not as features rich as jADX, but sometimes when one tool fails you have to try another one and hope to be more lucky. JEB As your last resort, you can try the JEB decompiler. It’s a very good software, but unfortunately it’s not free, there’s a trial version if you want to give it a shot, here’s how it looks like: JEB also features an ARM disassembler ( useful when there’re native libraries in the APK ) and a debugger ( very useful for dynamic analysis ), but again, it’s not free and it’s not cheap. Static Analysis of Native Binaries As previously mentioned, sometimes you’ll find native libraries ( .so shared objects ) inside the lib folder of the APK and, while reading the Java code, you’ll find native methods declarations like the following: 1 public native String stringFromJNI(); The native keyword means that the method implementation is not inside the dex file but, instead, it’s declared and executed from native code trough what is called a Java Native Interface or JNI. Close to native methods you’ll also usually find something like this: 1 System.loadLibrary("hello-jni"); Which will tell you in which native library the method is implemented. In such cases, you will need an ARM ( or x86 if there’s a x86 subfolder inside the libs folder ) disassembler in order to reverse the native object. IDA The very first disassembler and decompiler that every decent reverser should know about is Hex-Rays IDA which is the state of the art reversing tool for native code. Along with an IDA license, you can also buy a decompiler license, in which case IDA will also be able to rebuild pseudo C-like code from the assembly, allowing you to read an higher level representation of the library logic. Unfortunately IDA is a very expensive software and, unless you’re reversing native stuff professionaly, it’s really not worth spending all those money for a single tool … warez … ehm … Hopper If you’re on a budget but you need to reverse native code, instead of IDA you can give Hopper a try. It’s definitely not as good and complete as IDA, but it’s much cheaper and will be good enough for most of the cases. Hopper supports GNU/Linux and macOS ( no Windows! ) and, just like IDA, has a builtin decompiler which is quite decent considering its price: Dynamic Analysis When static analysis is not enough, maybe because the application is obfuscated or the codebase is simply too big and complex to quickly isolate the routines you’re interested into, you need to go dynamic. Dynamic analysis simply means that you’ll execute the app ( like we did while performing network analysis ) and somehow trace into its execution using different tools, strategies and methods. Sandboxing Sandboxing is a black-box dynamic analysis strategy, which means you’re not going to actively trace into the application code ( like you do while debugging ), but you’ll execute the app into some container that will log the most relevant actions for you and will present a report at the end of the execution. Cuckoo-Droid Cuckoo-Droid is an Android port of the famous Cuckoo sandbox, once installed and configured, it’ll give you an activity report with all the URLs the app contacted, all the DNS queries, API calls and so forth: Joe Sandbox The mobile Joe Sandbox is a great online service that allows you to upload an APK and get its activity report without the hassle of installing or configuring anything. This is a sample report, as you can see the kind of information is pretty much the same as Cuckoo-Droid, plus there’re a bunch of heuristics being executed in order to behaviourally correlate the sample to other known applications. Debugging If sandboxing is not enough and you need to get deeper insights of the application behaviour, you’ll need to debug it. Debugging an app, in case you don’t know, means attaching to the running process with a debugger software, putting breakpoints that will allow you to stop the execution and inspect the memory state and step into code lines one by one in order to follow the execution graph very closely. Enabling Debug Mode When an application is compiled and eventually published to the Google Play Store, it’s usually its release build you’re looking at, meaning debugging has been disabled by the developer and you can’t attach to it directly. In order to enable debugging again, we’ll need to use apktool to decompile the app: apktool d application.apk Then you’ll need to edit the AndroidManifest.xml generated file, adding the android:debuggable="true" attribute to its application XML node: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 <?xml version="1.0" encoding="utf-8" standalone="no"?> <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.company.appname" platformBuildVersionCode="24" platformBuildVersionName="7.0"> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> <uses-permission android:name="android.permission.INTERNET"/> <application android:allowBackup="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:supportsRtl="true" android:theme="@style/AppTheme" android:debuggable="true"> <-- !!! NOTICE ME !!! --> <activity android:name="com.company.appname.MainActivity"> <intent-filter> <action android:name="android.intent.action.MAIN"/> <category android:name="android.intent.category.LAUNCHER"/> </intent-filter> </activity> </application> </manifest> Once you updated the manifest, let’s rebuild the app: apktool b -d application_path output.apk Now let’s resign it: git clone https://github.com/appium/sign java -jar sign/dist/signapk.jar sign/testkey.x509.pem sign/testkey.pk8 output.apk signed.apk And reinstall it on the device (make sure you unistalled the original version first): adb install signed.apk Now you can proceed debugging the app Android Studio Android Studio is the official Android IDE, once you have debug mode enabled for your app, you can directly attach to it using this IDE and start debugging: IDA If you have an IDA license that supports Dalvik debugging, you can attach to a running process and step trough the smali code, this document describes how to do it, but basically the idea is that you upload the ARM debugging server ( a native ARM binary ) on your device, you start it using adb and eventually you start your debugging session from IDA. Dynamic Instrumentation Dynamic instrumentation means that you want to modify the application behaviour at runtime and in order to do so you inject some “agent” into the app that you’ll eventually use to instrument it. You might want to do this in order to make the app bypass some checks ( for instance, if public key pinning is enforced, you might want to disable it with dynamic instrumentation in order to easily inspect the HTTPS traffic ), make it show you information it’s not supposed to show ( unlock “Pro” features, or debug/admin activities ), etc. Frida Frida is a great and free tool you can use to inject a whole Javascript engine into a running process on Android, iOS and many other platforms … but why Javascript? Because once the engine is injected, you can instrument the app in very cool and easy ways like this: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 from __future__ import print_function import frida import sys # let's attach to the 'hello process session = frida.attach("hello") # now let's create the Javascript we want to inject script = session.create_script(""" Interceptor.attach(ptr("%s"), { onEnter: function(args) { send(args[0].toInt32()); } }); """ % int(sys.argv[1], 16)) # this function will receive events from the js def on_message(message, data): print(message) # let's start! script.on('message', on_message) script.load() sys.stdin.read() In this example, we’re just inspecting some function argument, but there’re hundreds of things you can do with Frida, just RTFM! and use your imagination Here‘s a list of cool Frida resources, enjoy! XPosed Another option we have for instrumenting our app is using the XPosed Framework. XPosed is basically an instrumentation layer for the whole Dalvik VM which requires you to to have a rooted phone in order to install it. From XPosed wiki: There is a process that is called "Zygote". This is the heart of the Android runtime. Every application is started as a copy ("fork") of it. This process is started by an /init.rc script when the phone is booted. The process start is done with /system/bin/app_process, which loads the needed classes and invokes the initialization methods. This is where Xposed comes into play. When you install the framework, an extended app_process executable is copied to /system/bin. This extended startup process adds an additional jar to the classpath and calls methods from there at certain places. For instance, just after the VM has been created, even before the main method of Zygote has been called. And inside that method, we are part of Zygote and can act in its context. The jar is located at /data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar and its source code can be found here. Looking at the class XposedBridge, you can see the main method. This is what I wrote about above, this gets called in the very beginning of the process. Some initializations are done there and also the modules are loaded (I will come back to module loading later). Once you’ve installed XPosed on your smartphone, you can start developing your own module (again, follow the project wiki), for instance, here’s an example of how you would hook the updateClock method of the SystemUI application in order to instrument it: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 package de.robv.android.xposed.mods.tutorial; import static de.robv.android.xposed.XposedHelpers.findAndHookMethod; import de.robv.android.xposed.IXposedHookLoadPackage; import de.robv.android.xposed.XC_MethodHook; import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam; public class Tutorial implements IXposedHookLoadPackage { public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable { if (!lpparam.packageName.equals("com.android.systemui")) return; findAndHookMethod("com.android.systemui.statusbar.policy.Clock", lpparam.classLoader, "updateClock", new XC_MethodHook() { @Override protected void beforeHookedMethod(MethodHookParam param) throws Throwable { // this will be called before the clock was updated by the original method } @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { // this will be called after the clock was updated by the original method } }); } } There’re already a lot of user contributed modules you can use, study and modify for your own needs. Conclusion I hope you’ll find this reference guide useful for your Android reversing adventures, keep in mind that the most important thing while reversing is not the tool you’re using, but how you use it, so you’ll have to learn how to choose the appropriate tool for your scenario and this is something you can only learn with experience, so enough reading and start reversing! Sursa: https://www.evilsocket.net/2017/04/27/Android-Applications-Reversing-101/

Exploit Development Table of Contents General Stuff/Techniques General Stuff I can't figure where else to put Acquiring Old/Vulnerable Software Practice Exploit Dev/Structured Learning Exploit Dev Papers bof ROP BlindROP SignalROP JumpROP Heap Format String Integer Overflows Null Ptr Dereference JIT-Spray ASLR Kernel Exploitation Use After Free Other writing shellcode Windows Specific Linux specific Tutorials AV Bypass Methods Bypassing Exploit Protections/Mitigations DEP/SEHop/ASLR CFG/EMET DeviceGuard Obfuscation ARM Specific things Linux Specific Windows Specific Bypass SEH/SE-HOP; Windows Heap Exploitation Anti Fuzzing Assembly Anti Debugging General Tools General Hunting/Making Exploits Shellcode Decompilers/Disassemblers Debuggers General Linux Windows General Papers Miscellaneous Exploit Writeups Talks blogposts Papers Attacking AV Finding Vulnerabilities GPU Exploit/Research Building a lab to Practice Exploit Development To Do Sort tools better, like enviromental tools vs use-specific tools Corelan, swift, primal Exploit Series Add more sites to Acquiring Old/Vulnerable Software More sites to structured learning Add ARM stuff Sort: ADI vs ROP BISC: Borrowed Instructions Synthetic Computation BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation course. Offset-DB This website provide you a list of useful offset that you can use for your exploit. Fun with info leaks Epson Vulnerability: EasyMP Projector Takeover (CVE-2017-12860 / CVE-2017-12861) Code Execution (CVE-2018-5189) Walkthrough On JUNGO Windriver 12.5.1 Android Security Ecosystem Investments Pay Dividends for Pixel Funky File Formats - Advanced Binary Exploitation Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System - Slides Counterfeit Object-oriented Programming Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15 MSRC-Security-Research Github Differential Slicing: Identifying Causal Execution Differences for Security Applications Modern Binary Attacks and Defences in the Windows Environment: Fighting Against Microsoft EMET in Seven Rounds sandbox-attacksurface-analysis-tools This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated. SCANSPLOIT Exploit using barcodes, QRcodes, earn13, datamatrix Automating VMware RPC Request Sniffing - Abdul-Aziz Hariri - ZDI In this blog, I will discuss how I was able to write a PyKD script to sniff RPC requests that helped me tremendously while writing VMware RPC exploits. kernelpop kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on OSX and Linux Vulnserver - my KSTET exploit (delivering the final stage shellcode through the active server socket) - ewilded.blogspot IOHIDeous A macOS kernel exploit based on an IOHIDFamily 0day. Writeup https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow End Sort General General 101 Articles/Papers/Talks/Writeups Educational/Informative A brief history of Exploitation - Devin Cook Mechanization of Exploits REMath Exploit Mitigation Killchain Exploit Tips and Techniques(ReCon2014 William Peteroy) Root Cause Analysis – Memory Corruption Vulnerabilities Unusual Bugs(23C3) In this presentation I'll present a series of unusual security bugs. Things that I've ran into at some point and went "There's gotta be some security consequence here". None of these are really a secret, and most of them are even documented somewhere. But apparently most people don't seem to know about them. What you'll see in this presentation is a list of bugs and then some explanation of how these could be exploited somehow. Some of the things I'll be talking about are (recursive) stack overflow, NULL pointer dereferences, regular expressions and more. From MS08 067 To EternalBlue by Denis Isakov - BSides Manchester2017 RAP: RIP ROP (GRSEC/PaX team) Tools Testing Payloads pop-nedry Why pop calc, when you can pop Nedry!? This repository contains an x86-64 payload that recreates the Jurassic Park scene in which Dennis Nedry locks Ray Arnold out of his terminal. Vivisect Fairly un-documented static analysis / emulation / symbolic analysis framework for PE/Elf/Mach-O/Blob binary formats on various architectures. Dr. Memory Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors such as accesses of uninitialized memory, accesses to unaddressable memory (including outside of allocated heap units and heap underflow and overflow), accesses to freed memory, double frees, memory leaks, and (on Windows) handle leaks, GDI API usage errors, and accesses to un-reserved thread local storage slots. Dr. Memory operates on unmodified application binaries running on Windows, Linux, Mac, or Android on commodity IA-32, AMD64, and ARM hardware. Miscellaneous OneRNG Acquiring Old/Vulnerable Software Acquiring VMs of any Windows going back to XP to Windows 10 OldApps.com Practice Exploit Development / Structured Learning Exploit-Challenges - A collection of vulnerable ARM binaries for practicing exploit development Here are a collection of vulnerable ARM binaries designed for beginner vulnerability researchers & exploit developers to play around with and test their skills! BinTut Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes ROP Emporium Learn return-oriented programming through a series of challenges designed to teach ROP techniques in isolation, with minimal reverse-engineering and bug-hunting. Pwnables.kr Originally from (originally a pastebin link, which had been modified from a persons personal page, i believe it may have been an r2 dev?) If you made this, thank you so much; I've now added onto it and changed it from what it originally was. I've kept the original creator's note as I feel it is highly relevant and aligns with my goal) "My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker. I have tried to order the articles by technique and chronology. - sar" Buffer overflows: How to write buffer overflows, mudge, 1995 Smashing the stack for fun and profit, Aleph One, 1996 Smashing the Stack for Fun and Profit in 2010 The Frame Pointer Overwrite, klog, 1999 win32 buffer overflows, dark spyrit, 1999 Understanding Buffer Overflow Exploits Return-into-lib / Return oriented programming: Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997 More advanced ret-into-lib(c) techniques, Nergal, 2001 On the effectiveness of address-space randomization, , 2004 Introduction to Return Oriented Programming (ROP) - ketansingh.net Gentle introduction to ROP programming Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005 The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007 Defeating DEP, the Immunity Debugger way, Pablo Sole,2008 The Case of Return-Oriented Programming and the AVC Advantage, 2009 Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010 Return-Oriented Programming without Returns Introduction to ROP programming Blind ROP Blind Return Oriented Programming (BROP) The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.). The attack completes within 4,000 requests (within minutes) when tested against a toy proprietary service, and real vulnerabilities in nginx and MySQL. Hacking Blind - BROP paper Blind Return Oriented Programming Blind Return Oriented Programming (BROP) Attack (1) Blind Return Oriented Programming (BROP) Attack (2) Signal ROP Sigreturn Oriented Programming is a real Threat Playing with signals : An overview on Sigreturn Oriented Programming SROP | Signals, you say? Jump Oriented Programming Jump-Oriented Programming: A New Class of Code-Reusegghunte Attacking x86 Windows Binaries by Jump Oriented Programming Heap exploitation: how2heap - shellphish A repository for learning various heap exploitation techniques. w00w00 on heap overflows, Matt Conover, 1999 Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001 Once upon a free(), anonymous author, 2001 Advanced Doug Lea's malloc exploits, jp, 2003 Exploiting the wilderness, Phantasmal Phantasmagoria, 2004 Malloc Maleficarum, Phantasmal Phantasmagoria, 2005 Yet another free() exploitation technique, huku, 2009 Heap Feng Shui in JavaScript heap-exploitation This book on heap exploitation is a guide to understanding the internals of glibc's heap and various attacks possible on the heap structure. Project HeapBleed CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). In the talk titled Project Heapbleed, Patroklos has collected the experience of exploiting allocators in various different target applications and platforms. He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort. Format string exploitation: Exploiting format string vulnerabilities, scut / Team-TESO, 2001 Advances in format string exploitation, gera, 2002 An alternative method in format string exploitation, K-sPecial, 2006 Maximum Overkill Two - From Format String Vulnerability to Remote Code Execution Exploiting Format Strings: Getting the Shell Integer overflows: Big Loop Integer Protection, Oded Horovitz, 2002 Basic Integer Overflows, blexim, 2002 Null-ptr dereference: Large memory management vulnerabilities, Gael Delalleau, 2005 Exploiting the Otherwise Non-exploitable on Windows, skape, 2006 Vector rewrite attack, Barnaby Jack, 2007 Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008 JIT-spray: Pointer inference and JIT-Spraying, Dion Blazakis, 2010 Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010 Too LeJIT to Quit: Extending JIT Spraying to ARM Interpreter Exploitation: Pointer Inference and JIT Spraying Understanding JIT Spray Writing JIT-Spray Shellcode For Fun And Profit ASLR: Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR Aslr Smack and Laugh Reference Advanced Buffer Overflow Methods Smack the Stack Exploiting the random number generator to bypass ASLR Wikipedia on ASLR Bypassing Memory Protections: The Future of Exploitation On the Effectiveness of Address-Space Randomization Exploiting with linux-gate.so.1 Circumventing the VA kernel patch For Fun and Profit Defeating the Matasano C++ Challenge Bypassing PaX ASLR protection Thoughts about ASLR, NX Stack and format string attacks Return-into-libc without Function Calls Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes Fun With Info-Leaks(DEP+ASLR bypass)/ This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it's quite nice what can be done with the bug. Reducing the Effective Entropy of GS Cookies Exploiting Buffer Overflows On Kernels With Aslr Enabled Using Brute Force On The Stack Layer Bypassing The Linux Kernel Aslr And Exploiting A Buffer Overflow Vulnerable Application With Ret2esp This video tutorial illustrates how to exploit an application vulnerable to buffer overflow under a modern 2.6 Linux kernel with ASLR, bypassing stack layer randomization by search a jmp *%esp inside the executable file and forcing our program to jump there. Exploiting A Buffer Overflow Under Linux Kernel 2.6 With Aslr Through Ret2reg Linux kernel versions 2.6.x implement ASLR to faexecution of arbitrary code located in the stack segment of a process. Moreover, kernel versions >= 2.6.18 also made the allocation of ld-linux.so.2 dynamic, and recent compilers also tend to avoid the generation of jmp|call *%esp instructions, so the use of a ret2esp technique to exploit a vulnerable application is becoming harder and harder. A way to turn around the problem is analyzing the registers situations just a while before the vulnerable code is executed: very probably one of them points to the address of the vulnerable buffer. All we have to do is searching inside the executable or a static library a ret2reg instruction, where reg is the register pointing to the vulnerable area, and use that as return address. Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit Kernel Exploitation Attacking the Core : Kernel Exploiting Notes Much ado about NULL: Exploiting a kernel NULL dereference Integer Overflow in FreeBSD Kernel(2002) Post MS06-035 Mailslot DoS Workaround(Kernel Null Ptr Deref) https://lkml.org/lkml/2010/5/27/490 Attacking the XNU Kernel For Fun And Profit: Part 1 This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple's OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion. Addendum: Use-After-Free An Introduction to Use After Free Vulnerabilities Exploit writing tutorial part 11 : Heap Spraying Demystified Part 9: Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack Other: Overwriting the .dtors section, Juan M. Bello Rivas, 2000 Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006 Large memory management vulnerabilities, Gael Delalleau, 2005 Symlinks and Cryogenic Sleep Clutching at straws: When you can shift the stack pointer Exploit Development Tutorials Structured Learning/Courses Modern Windows Exploit Development Bypassing All the Things Handholding through Vuln Discovery and Exploitation Smashing the Browser - From fuzzing to 0day on IE11 Goes from introducing a fuzzer to producing an IE11 0day armpwn "Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team." Tutorials/Follow-alongs From fuzzing to 0-day SQL Injection to MIPS Overflows: Part Deux This paper is a followup to a paper presented at BlackHat USA 2012, entitled SQL Injec0ons to MIPS Overflows: Rooting SOHO Routers." That previous paper described how to combine SQL injection vulnerabilies with MIPS Linux buffer overflows in order to gain root on Netgear SOHO routers. This paper revisits the MiniDLNA UPnP server that ships on nearly all Netgear routers in order to explore what has changed in the past two years. Writing a stack-based overflow exploit in Ruby with the help of vulnserver.exe and Spike 2.9 From 0-day to exploit Buffer overflow in Belkin N750 (CVE-2014-1635) AVM Fritz!Box root RCE: From Patch to Metasploit Module Part 1 Part 2 Link to Lab Writeup for Winx86 ExploitDev Practice Corelan Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube Exploit writing tutorial part 11 : Heap Spraying Demystified QuickZip Stack BOF 0day: a box of chocolates FuzzySecurity Part 9: Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack SwiftSecurity Assembly(x86/x64/ARM) X86 Instruction Reference Awesome Reference for Intel x86/64 This reference is intended to be precise opcode and instruction set reference (including x86-64). Its principal aim is exact definition of instruction parameters and attributes. Nasm x86 reference Intel Pentium Instruction Set Reference (A) Iczelion's Win32 Assembly Homepage cgasm cgasm is a standalone, offline terminal-based tool with no dependencies that gives me x86 assembly documentation. It is pronounced "SeekAzzem". Shellcode ShellCode 101 Articles/Blogposts/Writeups Introduction to Windows Shellcode Development - securitycafe.ro Introduction to Windows shellcode development – Part 1 Introduction to Windows shellcode development – Part 2 Introduction to Windows shellcode development – Part 3 Windows Kernel Shellcode on Windows 10 - improsec.com Windows Kernel Shellcode on Windows 10 – Part 1 Windows Kernel Shellcode on Windows 10 – Part 2 Windows Kernel Shellcode on Windows 10 – Part 3 Windows Kernel Shellcode on Windows 10 – Part 4 - There is No Code Educational/Informative Shellcode Time: Come on Grab Your Friends - wartortell -Derbycon4 Packed shellcode is a common deterrent against reverse engineering. Mainstream software will use it in order to protect intellectual property or prevent software cracking. Malicious binaries and Capture the Flag (CTF) challenges employ packed shellcode to hide their intended functionality. However, creating these binaries is an involved process requiring significant experience with machine language. Due to the complexity of creating packed shellcode, the majority of samples are painstakingly custom-created or encoded with very simple mechanisms, such as a single byte XOR. In order to aid in the creation of packed shellcode and better understand how to reverse engineer it, I created a tool to generate samples of modular packed shellcode. During this talk, I will demonstrate the use of the shellcode creation tool and how to reverse engineer the binaries it creates. I will also demonstrate an automated process for unpacking the binaries that are created. How to Write it Shellcoding for Linux and Windows Tutorial - Steve Hannah Phrack Magazine Extraction Utility writing ia32 alphanumeric shellcode shellcode tutorials Writing Manual Shellcode by Hand Linux Specific Writing my first shellcode - iptables -P INPUT ACCEPT Windows Specific WinAPI for Hackers History and Advances in Windows Shellcode - Phrack 2004 Writing Win32 Shellcode with VisualStudio demonstrating how to write optimized (sort of) Win32 shellcode using Visual Studio’s compiler Techniques Loading and Debugging Windows Kernel Shellcodes with Windbg. Debugging DoublePulsar Shellcode. Shellcode Debugging with OllyDbg Canaries * Playing with canaries Code Trampolines Trampolines in x64 Finding Opcodes: metasploit opcode DB; memdump; pvefindaddr - mona.py Egg Hunters Beta aaKsYS TEAM: EGG HUNTER (Windows) Explanation of egghunters, how they work and a working demonstration on windows. jmp2it This will allow you to transfer EIP control to a specified offset within a file containing shellcode and then pause to support a malware analysis investigation The file will be mapped to memory and maintain a handle, allowing shellcode to egghunt for second stage payload as would have happened in original loader Patches / self modifications are dynamically written to jmp2it-flypaper.out Resolving the Base Pointer of the Linux Program Interpreter with Shellcode Art of Picking Intel Registers Using ARM Inline Assembly and Naked Functions to fool Disassemblers Shellcode without Sockets English Shellcode History indicates that the security community commonly takes a divide-and-conquer approach to battling malware threats: identify the essential and inalienable components of an attack, then develop detection and prevention techniques that directly target one or more of the essential components. This abstraction is evident in much of the literature for buffer overflow attacks including, for instance, stack protection and NOP sled detection. It comes as no surprise then that we approach shellcode detection and prevention in a similar fashion. However, the common belief that components of polymorphic shellcode (e.g., the decoder) cannot reliably be hidden suggests a more implicit and broader assumption that continues to drive contemporary research: namely, that valid and complete representations of shellcode are fundamentally different in structure than benign payloads. While the first tenet of this assumption is philosoph- ically undeniable (i.e., a string of bytes is either shellcode or it is not), truth of the latter claim is less obvious if there exist encoding techniques capable of producing shellcode with features nearly indistinguishable from non-executable content. In this paper, we challenge the assumption that shellcode must conform to superficial and discernible representations. Specifically, we demonstrate a technique for automatically producing English Shellcode, transforming arbitrary shellcode into a representation that is superficially similar to English prose. The shellcode is completely self-contained - i.e., it does not require an external loader and executes as valid IA32 code)—and can typically be generated in under an hour on commodity hardware. Our primary objective in this paper is to promote discussion and stimulate new ideas for thinking ahead about preventive measures for tackling evolutions in code-injection attacks Obfuscation/Hiding X86 Shellcode Obfuscation - Part 1 - breakdev.org Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them) Obfuscating python Code segment encryption General Reference/Resources Shellcodes database for study cases REPLs rappel Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017) WinREPL x86 and x64 assembly "read-eval-print loop" shell for Windows Tools General Sickle Sickle is a shellcode development tool, created to speed up the various steps needed to create functioning shellcode. meterssh MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. Shellcode_Tools Miscellaneous tools written in Python, mostly centered around shellcodes. bin2py: Embed binary files into Python source code. shellcode2exe: Convert shellcodes into executable files for multiple platforms. ShellSploit Framework shellnoob A shellcode writing toolkit rex Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge. Patcherex Shellphish's automated patching engine, originally created for the Cyber Grand Challenge. sRDI Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode ShellcodeStdio An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms. OWASP ZSC OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python. Encoders Obfuscators UniByAv UniByAv is a simple obfuscator that take raw shellcode and generate executable that are Anti-Virus friendly. The obfuscation routine is purely writtend in assembly to remain pretty short and efficient. In a nutshell the application generate a 32 bits xor key and brute force the key at run time then perform the decryption of the actually shellcode. Miscellaneous Bypassing Exploit Protections/Mitigations & Corresponding literature 101 A Brief History of Exploit Techniques and Mitigations on Windows Windows Exploit Protection History/Overview - Compass Security Articles/Blogposts/Writeups ASLR Defeating the Matasano C++ Challenge with ASLR enabled Win10 Toward mitigating arbitrary native code execution in Windows 10 Strengthening the Microsoft Edge Sandbox Mitigating arbitrary native code execution in Microsoft Edge General Exploit Mitigation Killchain Stack Protections Reference Material Stack Smashing Protector DEP/SEHop/ASLR Understanding DEP as a mitigation Technology Preventing the Exploitation of SEH Overwrites This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation. While Microsoft has attempted to address this attack vector through changes to the exception dispatcher and through enhanced compiler support, such as with /SAFESEH and /GS, the majority of benefits they offer are limited to image files that have been compiled to make use of the compiler enhancements. This limitation means that without all image files being compiled with these enhancements, it may still be possible to leverage an SEH overwrite to gain code execution. In particular, many third-party applications are still vulnerable to SEH overwrites even on the latest versions of Windows because they have not been recompiled to incorporate these enhancements. To that point, the technique described in this paper does not rely on any compile time support and instead can be applied at runtime to existing applications without any noticeable performance degradation. This technique is also backward compatible with all versions of Windows NT+, thus making it a viable and proactive solution for legacy installations. Understanding DEP as a mitigation Technology Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP Fun With Info-Leaks(DEP+ASLR bypass)/ This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, its quite nice what can be done with the bug. Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 Bypassing Windows Hardware-enforced DEP This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute code from regions that are typically non-executable when hardware support is present, such as thread stacks and process heaps. While other techniques have been used to accomplish similar feats, such as returning into NtProtectVirtualMemory, this approach requires no direct reprotecting of memory regions, no copying of arbitrary code to other locations, and does not have issues with NULL bytes. The result is a feasible approach that can be used to easily bypass the enhancements offered by hardware-enforced DEP on Windows in a way that requires very minimal modifications to existing exploits. Exploit Writeup on Flash vuln explaining use of ASLR + DEP bypass [DEP/ASLR bypass without ROP/JIT](https://cansecwest.com/slides/2013/DEP-ASLR bypass without ROP-JIT.pdf) Slides, codes and videos of the talk "DEP/ASLR bypass without ROP/JIT" on CanSecWest 2013 Bypassing SEHOP Great Writeup/Example of SEH Bypass SEH Overwrites Simplified v1.01 (SEH Bypass)Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. A Crash Course on the Depths of Win32 Structured Exception Handling Intro to Windows kernel exploitation 1/N: Kernel Debugging Win32 Assembly Components - Last Stage of Delirium Research Group Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP Structured Exception Handling - TechNet Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass DeviceGuard Bypassing Device Guard with .NET Assembly Compilation Methods EMET/Control Flow Guard Exploring Control-Flow-Guard in Windows10 Bypassing EMET's EAF with custom shellcode using kernel pointer Bypassing EMET 4.1 Paper Disarming and Bypassing EMET 5.1 - OffSec Bypassing Microsoft EMET 5.1 . Yet again. Disarming and Bypassing EMET 5.1 Defeating EMET 5.2 Protections - Part 1 Defeating EMET 5.2 Protections - Part 2 Bypassing EMET 5.2 Protection BYPASSING EMET Export Address Table Access Filtering feature Disarming Control Flow Guard Using Advanced Code Reuse Attacks BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - Zhang Yunhai Proposed Windows 10 EAF/EMET "Bypass" for Reflective DLL Injection Kernel PatchGuard/Protection Kernel Patch Protection - Wikipedia An Introduction to Kernel Patch Protection - blogs.msdn KPP Destroyer Bypassing PatchGuard 3 Disable PatchGuard - the easy/lazy way - fyyre GhostHook – Bypassing PatchGuard with Processor Trace Based Hooking UPGSED Universal PatchGuard and Driver Signature Enforcement Disable Tools Miscellaneous Exploit Development ARM Specific Exploit Development 101 Articles/Blogposts/Writeups Educational/Informative A SysCall to ARMs - Brendan Watters - Brendan Watters -Derbycon 2013 Description:ARM processors are growing more and more prevalent in the world; ARM itself claims that more than 20 billion chips have been shipped. Take a moment to appreciate that is about three chips for every man, woman, and child on earth. The three main topics I aim to cover are (1) how to perform a Linux system call on an ARM processor via assembly, ARM pipelining used in most modern ARM processors and how it came about, and (3) the really cool way ARM can avoid branching, even with conditional control flow. These will be explained in both code, English, and (hopefully successful) live demos using an ARM development board. The end result is to get the audience to understand how to create a simple socket program written in ARM assembly. Papers Tools Miscellaneous Linux Specific Exploit Development 101 Articles/Blogposts/Writeups Pool Blade: A new approach for kernel pool exploitation Linux ASLR integer overflow: Reducing stack entropy by four A bug in Linux ASLR implementation for versions prior to 3.19-rc3 has been found. The issue is that the stack for processes is not properly randomized on some 64 bit architectures due to an integer overflow. This is a writeup of the bug and how to fix it. Linux GLibC Stack Canary Values Painless intro to the Linux userland heap Linux Heap Exploitation Intro Series: Used and Abused – Use After Free Linux Heap Exploitation Intro Series: The magicians cape – 1 Byte Overflow Educational/Informative Return into Lib(C) Theory Primer(Security-Tube) 64-bit Linux Return-Oriented Programming - Standford Understanding glibc malloc Kernel Exploit Development Linux Kernel Exploitation Paper Archive - xairy Papers Cheating the ELF - Subversive Dynamic Linking to Libraries Tools rappel Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017) Build a database of libc offsets to simplify exploitation Miscellaneous OS X Specific OS X Kernel-mode Exploitation in a Weekend Apple's Mac OS X operating system is attracting more attention from users and security researchers alike. Despite this increased interest, there is still an apparent lack of detailed vulnerability development information for OS X. This paper will attempt to help bridge this gap by walking through the entire vulnerability development process. This process starts with vulnerability discovery and ultimately finished with a remote code execution. To help illustrate this process, a real vulnerability found in the OS X wireless device driver is used. Windows Specific 101 Articles/Blogposts/Writeups Writing Exploits for Win32 Systems from Scratch Educational/Informative Papers Getting out of Jail: Escaping Internet Explorer Protected Mode With the introduction of Windows Vista, Microsoft has added a new form of mandatory access control to the core operating system. Internally known as "integrity levels", this new addition to the security manager allows security controls to be placed on a per-process basis. This is different from the traditional model of per-user security controls used in all prior versions of Windows NT. In this manner, integrity levels are essentially a bolt-on to the existing Windows NT security architecture. While the idea is theoretically sound, there does exist a great possibility for implementation errors with respect to how integrity levels work in practice. Integrity levels are the core of Internet Explorer Protected Mode, a new "low-rights" mode where Internet Explorer runs without permission to modify most files or registry keys. This places both Internet Explorer and integrity levels as a whole at the forefront of the computer security battle with respect to Windows Vista. PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3 Since the publication of previous bypass or circumvention techniques for Kernel Patch Protection (otherwise known as "PatchGuard"), Microsoft has continued to refine their patch protection system in an attempt to foil known bypass mechanisms. With the release of Windows Server 2008 Beta 3, and later a full-blown distribution of PatchGuard to Windows Vista and Windows Server 2003 via Windows Update, Microsoft has introduced the next generation of PatchGuard to the general public ("PatchGuard 3"). As with previous updates to PatchGuard, version three represents a set of incremental changes that are designed to address perceived weaknesses and known bypass vectors in earlier versions. Additionally, PatchGuard 3 expands the set of kernel variables that are protected from unauthorized modification, eliminating several mechanisms that might be used to circumvent PatchGuard while co-existing (as opposed to disabling) it. This article describes some of the changes that have been made in PatchGuard 3. This article also proposes several new techniques that can be used to circumvent PatchGuard's defenses. Countermeasures for these techniques are also discussed. Subverting PatchGuard Version 2 Windows Vista x64 and recently hotfixed versions of the Windows Server 2003 x64 kernel contain an updated version of Microsoft's kernel-mode patch prevention technology known as PatchGuard. This new version of PatchGuard improves on the previous version in several ways, primarily dealing with attempts to increase the difficulty of bypassing PatchGuard from the perspective of an independent software vendor (ISV) deploying a driver that patches the kernel. The feature-set of PatchGuard version 2 is otherwise quite similar to PatchGuard version 1; the SSDT, IDT/GDT, various MSRs, and several kernel global function pointer variables (as well as kernel code) are guarded against unauthorized modification. This paper proposes several methods that can be used to bypass PatchGuard version 2 completely. Potential solutions to these bypass techniques are also suggested. Additionally, this paper describes a mechanism by which PatchGuard version 2 can be subverted to run custom code in place of PatchGuard's system integrity checking code, all while leaving no traces of any kernel patching or custom kernel drivers loaded in the system after PatchGuard has been subverted. This is particularly interesting from the perspective of using PatchGuard's defenses to hide kernel mode code, a goal that is (in many respects) completely contrary to what PatchGuard is designed to do. Bypassing PatchGuard on Windows x64 The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested. Tools Vulnserver 'I have just released a program named Vulnserver - a Windows based threaded TCP server application that is designed to be exploited.'' Blackbone Windows memory hacking library Code Injection Portable Executable Injection For Beginners DLL Windows DLL-Injection basics Example of a DLL Hijack Exploit - Winamp 5.581 Loading a DLL from memory Windows Heap Exploitation Reliable Windows Heap Exploits Windows 10 HAL’s Heap – Extinction of the "HalpInterruptController" Table Exploitation Technique Another kernel exploitation technique killed in Windows 10 Creators Update WinHeap-Explorer The efficient and transparent proof-of-concept tool for heap-based bugs detection in x86 machine code for Windows applications. Advanced Windows Debugging: Memory Corruption Part II—Heaps Daniel Pravat and Mario Hewardt discuss security vulnerabilities and stability issues that can surface in an application when the heap is used in a nonconventional fashion. Windows Kernel Exploitation Writeups Windows Kernel Exploitation 101 : Exploiting CVE - 2014 - 4113 Intro to Windows kernel exploitation 1/N: Kernel Debugging Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016 Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel PoolSharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393 Abatchy - Windows Kernel Exploitation Series 1: Setting up the environment 2: Payloads 3: Stack Buffer Overflow (Windows 7 x86/x64) 4: Stack Buffer Overflow (SMEP Bypass) 5: Integer Overflow Papers Windows Kernel-mode Payload Fundamentals This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows. A Window into Ring0 - Paper With the rise of sandboxes and locked down user accounts attackers are increasingly resorting to attacking kernel mode code to gain full access to compromised systems. The talk provided an overview of the Windows kernel mode attack surface and how to interact with it. It then went on to cover the tools available for finding bugs in Windows kernel mode code and drivers as well as highlighting some of the lower hanging fruit, common mistakes and the steps being taken (or lack of steps being taken) to mitigate the risks posed. The talk also covered common exploitation techniques to gather information about the state of kernel mode memory and to gain code execution as SYSTEM. Finally the talk walked through exploiting CVE-2016-7255 on modern 64 bit versions of Windows. Talks Securi-Tay 2017 - A Window into Ring0 With the rise of sandboxes and locked down user accounts attackers are increasingly resorting to attacking kernel mode code to gain full access to compromised systems. This talk aims to provide an overview of the Windows kernel mode attack surface and how to interact with it. This talk will demonstrate the tools available for finding bugs in Windows kernel mode code and drivers together with highlighting some of the lower hanging fruit, common mistakes and the steps being taken (or lack of steps being taken) to mitigate the risks posed. The talk will then cover common exploitation techniques to gather information about the state of kernel mode memory and to gain code execution as SYSTEM using examples from publicly known exploits. Tools HackSys Extreme Vulnerable Driver HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level. HackSys Extreme Vulnerable Driver caters wide range of vulnerabilities ranging from simple Buffer Overflows to complex Use After Frees and Pool Overflows. This allows the researchers to explore the exploitation techniques for all the implemented vulnerabilities.z6z [Windows-driver-samples](https://github.com/Microsoft/Windows-driver-samples ) This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples. DriverBuddy DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers. Blog post win_driver_plugin A tool to help when dealing with Windows IOCTL codes or reversing Windows drivers. Write your first driver - docs ms Patch Analysis Microsoft Patch Analysis for Exploitation Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction. Microsoft Patch Analysis for Exploitation Stephen Sims The Wallstreet of Windows Binaries - Marion Marschalek, Joseph Moti Wallstreet - Github Repository Wallstreet of Windows binaries 7, 8, 9 err 10 sorry Microsoft Patch Analysis for Exploitation Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction. Papers ActiveX - Active Exploitation This paper provides a general introduction to the topic of understanding security vulnerabilities that affect ActiveX controls. A brief description of how ActiveX controls are exposed to Internet Explorer is given along with an analysis of three example ActiveX vulnerabilities that have been previously disclosed. Exploiting the Otherwise Non-Exploitable on Windows This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding, to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer. Countermeasures BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks Abstract. Web browsers that support a safe language such as Javascript are becoming a platform of great interest for security attacks. One such attack is a heap-spraying attack: a new kind of attack that combines the notoriously hard to reliably exploit heap-based buffer overflow with the use of an in-browser script- ing language for improved r eliability. A typical heap-s praying attack allocates a high number of objects containing the attacker’s code on the heap, dramatically increasing the probability that the contents of one of these objects is executed. In this paper we present a lightweight approach that makes heap-spraying attacks in Javascript significantly harder. Our prototype, which is implemented in Firefox, has a negligible performance and memory overhead while effectively protecting against heap-spraying attacks. Anti-Debugging/Fuzzing [Intro to Anti-Fuzzing](https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-in-depth-aid/() Anti-Debugging The Ultimate Anti-Debugging Reference(2011) Good reference, though old. Windows Anti-Debug Reference Good, but also old, Nov2010 gargoyle, a memory scanning evasion technique General Tools Check out the 'Reverse Engineering" Section's Tools list for a lot of useful tools that aren't listed here. General Tools binwally Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep) Using Binwally lisa.py An Exploit Dev Swiss Army Knife. Hunting/Making Exploits Tools(DeBrujinn sequence) Pattern-Create/offset as a python function Metasploit pattern generator in Python, modified to be used as a function !exploitable Crash Analyzer !exploitable (pronounced bang exploitable) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post, or watch the video. Findjmp2 Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push in a loaded DLL. This version includes search for pop/pop/ret set of instructions that is useful to bypass Windows XP SP2 and Windows 2003 stack protection mechanism. binjitsu binjitsu is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible. Shellcode Tools rp++ rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn't support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable ; I will upload static-compiled binaries for each OS. Adobe Reader Pwning Adobe Reader with XFA Adobe Reader Escape... or how to steal research and be lame. Broadpwn A cursory analysis of @nitayart's Broadpwn bug (CVE-2017-9417) Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets Crashing phones with Wi-Fi: Exploiting nitayart's Broadpwn bug (CVE-2017-9417) Buffer Overflows x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique The x86-64 CPU platform (i.e. AMD64 or Hammer) introduces new features to protect against exploitation of buffer overflows, the so called No Execute(NX) or Advanced Virus Protection (A VP). This non-executable enforcement of data pages and the ELF64 SystemV ABI render common buffer overflow exploitation techniques useless. This paper describes and analyzes the protection mechanisms in depth. Research and tar get platform was a SUSE Linux 9.3 x86-64 system but the results can be expanded to non-Linux systems as well. search engine tag: SET-krahmer-bccet-2005. Cisco Cisco IOS MIPS GDB remote serial protocol implementation A hacky implementation of GDB RSP to aid exploit development for MIPS based Cisco routers Cisco ASA Episode 3: A Journey In Analysing Heaps by Cedric Halbronn - BSides Manchester2017 Decompilers & Disassemblers List Bokken Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities. Currently Bokken is neither an hexadecimal editor nor a full featured disassembler YET, so it should not be used for deep code analysis or to try to modify files with it. IDA IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. Overview & Tutorials Ida Plugins Ida Sploiter IDA Sploiter is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others. Ida Pomidor IDA Pomidor is a fun and simple plugin for the Hex-Ray's IDA Pro disassembler that will help you retain concentration and productivity during long reversing sessions. FLARE-Ida This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team. Hopper Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables! Reverse Reverse engineering for x86 binaries (elf-format). Generate a more readable code (pseudo-C) with colored syntax. Warning, the project is still in development, use it at your own risks. This tool will try to disassemble one function (by default main). The address of the function, or its symbol, can be passed by argument. fREedom - capstone based disassembler for extracting to binnavi fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi). Setting up fREedom and BinNavi BinNavi BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code. Debuggers General/Platform Neutral The Secret Lives of Debuggers - Lance Buttars - BSides SLC15 Binaries are files like any text file or a bitmap. They can be modified and changed.With some basic understanding of assembly language anyone can take a binary and modify its execution in a debugger and using a hex editor change how it executes. In this presentation I will cover the basics of binary manipulation and the use of debuggers to change program execution. HyperDbg HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables. For example, HyperDbg allows to single step the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful. Paper scdbg scdbg is an open source, multi-platform, shellcode analysis application that runs shellcode through a virtual machine that emulates a 32bit processor, memory, and basic Windows API environment. scdbg uses the libemu library to provide this environment. Builds of scdbg exist for both Windows and Unix users. scdbg Manual xnippet xnippet is a tool that lets you load code snippets or isolated functions (no matter the operating system they came from), pass parameters to it in several formats (signed decimal, string, unsigned hexadecimal...), hook other functions called by the snippet and analyze the result. The tool is written in a way that will let me improve it in a future, defining new calling conventions and output argument pointers. voltron Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you can build a customised debugger user interface to suit your needs. Linux GDB - GNU Debugger * GDB, the GNU Project debugger, allows you to see what is going on 'inside' another program while it executes -- or what another program was doing at the moment it crashed. * GDB 'exploitable' plugin * 'exploitable' is a GDB extension that classifies Linux application bugs by severity. The extension inspects the state of a Linux application that has crashed and outputs a summary of how difficult it might be for an attacker to exploit the underlying software bug to gain control of the system. The extension can be used to prioritize bugs for software developers so that they can address the most severe ones first. The extension implements a GDB command called 'exploitable'. The command uses heuristics to describe the exploitability of the state of the application that is currently being debugged in GDB. The command is designed to be used on Linux platforms and versions of GDB that include the GDB Python API. Note that the command will not operate correctly on core file targets at this time. PEDA PEDA - Python Exploit Development Assistance for GDB radare2 as an alternative to gdb-peda pwndbg - Making debugging suck less A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag. Uses capstone as backend. gdbgui A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust. Simply run gdbgui from the terminal and a new tab will open in your browser. GEF - GDB Enhanced Features GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development. Why not PEDA? Yes!! Why not?! PEDA is a fantastic tool to do the same, but is only to be used for x86-32 or x86-64. On the other hand, GEF supports all the architecture supported by GDB (x86, ARM, MIPS, PowerPC, SPARC, and so on). Docs Windows An Introduction to Debugging the Windows Kernel with WinDbg Getting Started with WinDbg part 1 OllyDbg OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg Tricks for Exploit Development WinDbg Excellent Resource Site Crash Dump Analysis Poster Getting Started with WinDbg (User-Mode) Getting Started with WinDbg (Kernel-Mode) TWindbg PEDA-like debugger UI for WinDbg WinAppDbg The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment. It uses ctypes to wrap many Win32 API calls related to debugging, and provides a powerful abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows. The intended audience are QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready to use tools are shipped and can be used for this purposes. Current features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing. x64dbg An introduction to x64dbg Eternal Blue MS17-010: EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver - blog.trendmicro MS17-010 worawit Exploit Collections/Repository XiphosResearch PoC Exploits Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes. exploit-db.org Proof of concept exploits / tools for Epson vulnerabilities: CVE-2017-12860 and CVE-2017-12861 Exploits for Unitrends version 9.1.1 and earlier ; all by Dwight Hohnstein All AIX exploits written by Hector Monsegur The Exploit Database Git Repository The official Exploit Database repository CVE-2017-10271 Oracle WebLogic WLS-WSAT Remote Code Execution Exploit (CVE-2017-10271) CVE-2018-0802 This repo contains a Proof of Concept exploit for CVE-2018-0802. To get round the limited command length allowed, the exploit uses the Packager OLE object to drop an embedded payload into the %TMP% directory, and then executes the file using a short command via a WinExec call, such as: cmd.exe /c%TMP%\file.exe. Glibc Glibc Glibc Adventures: The Forgotten Chunks Exploiting Glibc GPU Exploits / Research A Study of Overflow Vulnerabilities on GPUs Jellyfish - GPU rootkit PoC by Team Jellyfish Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well. Hypervisor Compromise-as-a-Service: Our PleAZURE. This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included! Java Exploiting Memory Corruption Vulnerabilities in the Java Runtime Jump-Oriented Programming Jumping the Fence Comparison and Improvements for Existing Jump Oriented Programming Tools - John Dunlap - Derbycon7 Keyed Payloads Context-keyed Payload Encoding A common goal of payload encoders is to evade a third-party detection mechanism which is actively observing attack traffic somewhere along the route from an attacker to their target, filtering on commonly used payload instructions. The use of a payload encoder may be easily detected and blocked as well as opening up the opportunity for the payload to be decoded for further analysis. Even so-called keyed encoders utilize easily observable, recoverable, or guessable key values in their encoding algorithm, thus making decoding on-the-fly trivial once the encoding algorithm is identified. It is feasible that an active observer may make use of the inherent functionality of the decoder stub to decode the payload of a suspected exploit in order to inspect the contents of that payload and make a control decision about the network traffic. This paper presents a new method of keying an encoder which is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. An active observer of the attack traffic however should be unable to decode the payload due to lack of the contextual keying information. *alloc/Heap shadow :: De Mysteriis Dom jemalloc shadow is a jemalloc heap exploitation framework. It has been designed to be agnostic of the target application that uses jemalloc as its heap allocator (be it Android's libc, Firefox, FreeBSD's libc, standalone jemalloc, or whatever else). The current version (2.0) has been tested extensively with the following targets: Android 6 and 7 libc (ARM32 and ARM64); Firefox (x86 and x86-64) on Windows and Linux; Overview of Android's jemalloc structures using shadow In this document we explore Android's jemalloc structures using shadow. A simplified view of the heap is presented here. The intention of this document is to get you started with jemalloc structures and shadow's commands. MALLOC DES-MALEFICARUM - blackngel Understanding the Heap - Sploitfun Syscalls used by malloc Understanding glibc malloc Understanding the heap by breaking it Automated vulnerability analysis of zero sized heap allocations Tracking Down Heap Overflows with rr Walking Heap using Pydbg This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++. Linux Heap Exploitation Intro Series – (BONUS) printf might be leaking! Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks! Macros It All Swings Around - Malicious Macros Writeup and explanation of random Macro exploits PDF Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15] ROP ROPs are for the 99% - Yang Yu OptiROP: The art of hunting ROP gadgets Video This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode. Tools ropa ropa is a Ropper-based GUI that streamlines crafting ROP chains. It provides a cleaner interface when using Ropper as compared to the command line. It can provide a smoother workflow for crafting the rop chain in the GUI, then exporting the final chain in the desired format. For those used to using CLI, this tool may serve as a cleaner interface to filter out the relevant gadgets. Ropper You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architectures (x86/X86_64, ARM/ARM64, MIPS/MIPS64, PowerPC). For disassembly ropper uses the awesome Capstone Framework. RowHammer Exploiting the DRAM rowhammer bug to gain kernel privileges "Rowhammer is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory. Program for testing for the DRAM "rowhammer" problem Temporal Return Address Temporal Return Addresses Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit authors generally make use of static addresses that may or may not be portable between various operating system and application revisions. This fact can make exploits unreliable depending on how well researched the static addresses were at the time that the exploit was implemented. In some cases, though, it may be possible to predict and make use of certain addresses in memory that do not have static contents. This document introduces the concept of temporal addresses and describes how they can be used, under certain circumstances, to make exploitation more reliable. Automating Mimicry Attacks Using Static Binary Analysis Intrusion detection systems that monitor sequences of system calls have recently become more sophisticated in defining legitimate application behavior. In particular, additional information, such as the value of the program counter and the configuration of the program's call stack at each system call, has been used to achieve better characterization of program behavior. While there is common agreement that this additional information complicates the task for the attacker, it is less clear to which extent an intruder is constrained. In this paper, we present a novel technique to evade the extended detection features of state-of-the-art intrusion detection systems and reduce the task of the intruder to a traditional mimicry attack. Given a legitimate sequence of system calls, our technique allows the attacker to execute each system call in the correct execution context by obtaining and relinquishing the control of the application's execution flow through manipulation of code pointers. We have developed a static analysis tool for Intel x86 binaries that uses symbolic execution to automatically identify instructions that can be used to redirect control flow and to compute the necessary modifications to the environment of the process. We used our tool to successfully exploit three vulnerable programs and evade detection by existing state-of-the-art system call monitors. In addition, we analyzed three real-world applications to verify the general applicability of our techniques. Anti-Virus Software Gone Wrong Anti-virus software is becoming more and more prevalent on end-user computers today. Many major computer vendors (such as Dell) bundle anti-virus software and other personal security suites in the default configuration of newly-sold computer systems. As a result, it is becoming increasingly important that anti-virus software be well-designed, secure by default, and interoperable with third-party applications. Software that is installed and running by default constitutes a prime target for attack and, as such, it is especially important that said software be designed with security and interoperability in mind. In particular, this article provides examples of issues found in well-known anti-virus products. These issues range from not properly validating input from an untrusted source (especially within the context of a kernel driver) to failing to conform to API contracts when hooking or implementing an intermediary between applications and the underlying APIs upon which they rely. For popular software, or software that is installed by default, errors of this sort can become a serious problem to both system stability and security. Beyond that, it can impact the ability of independent software vendors to deploy functioning software on end-user systems. Sigreturn Oriented Programming is a real Threat Abstract: This paper shows that Sigreturn Oriented Programming (SROP), which consists of using calls to sigreturn to execute arbitrary code, is a pow erful method for the de velopment of exploits. This is demonstrated by developing two different kinds of SROP based exploits, one asterisk exploit which was already portrayed in the paper presenting SROP, and one novel exploit for a recently disclosed bug inthe DNS address resolution of the default GNUC library. Taking advantage of the fact, that these exploits have very few dependencies on the program being exploited, a library is implemented to automate wide parts of SROP exploit creation. This highlights the potential of SROP in respect to reusable and portable exploit code which strongly supports the conclusion of the original paper: SROP is areal threat! Breaking the links: Exploiting the linker nt!_SEP_TOKEN_PRIVILEGES - Single Write EoP Protect - Kyriakos 'kyREcon' Economou TL;DR: Abusing enabled token privileges through a kernel exploit to gain EoP it won't be enough anymore as from NT kernel version 10.0.15063 are 'checked' against the privileges present in the token of the calling process. So you will need two writes UAF Writeups Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player "The vulnerability was first discovered as a zero-day being actively exploited in the wild as part of the Angler Exploit Kit. Although the exploit code was highly obfuscated using the SecureSWF obfuscation tool, malware samples taking advantage of this vulnerability became publicly available, so I decided to dig into the underlying vulnerability in order to exploit it and write the corresponding module for Core Impact Pro and Core Insight." Use-After-Silence: Exploiting a quietly patched UAF in VMware - Abdul-Aziz Hariri UEFI See BIOS/UEFI Page Shellshock Shellshock bug writeup by lcamtuf Windows Exploiting MS14-066 Xen Adventures in Xen Exploitation "This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217)." Writeups that haven't been sorted Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit Coding Malware for Fun and Not for Profit (Because that would be illegal) Exploiting BadIRET vulnerability - CVE-2014-9322, Linux kernel privilege escalation A Technical Analysis of CVE 2014-1776 Diving into A Silverlight Exploit and Shellcode - Analysis and Techniques Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload's URL and contents. Owning Internet Printing - A Case Study in Modern Software Exploitation The Chakra Exploit and the Limitations of Modern Mitigation Techniques EnglishmansDentist Exploit Analysis Dangerous Clipboard: Analysis of the MS15-072 Patch MS16-039 - "Windows 10" 64 bits Integer Overflow exploitation by using GDI objects The Weak Bug - Exploiting a Heap Overflow in VMware MS17-010 CVE-2016-7255 - Git repo Hijacking Arbitrary .NET Application Control Flow This paper describes the use of Reflection in .NET and how it can be utilized to change the control flow of an arbitrary application at runtime. A tool, Gray Storm, will be introduced that can be injected into an AppDomain and used to control the executing assembly instructions after just-in-time compilation. Dissecting Veil-Evasion Powershell Payloads and Converting to a Bind Shell iOS The Userland Exploits of Pangu 8 MIPS EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURE Smashing the Heap with Vector: Advanced Exploitation Technique in Recent Flash Zero-day Attack Exploiting CVE-2014-4113 on Win8.1 Debugging Windows kernel under VMWare using IDA's GDB debugger Hello MS08-067, My Old Friend! The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations Modern Objective-C Exploitation Techniques A New CVE-2015-0057 Exploit Technology PLASMA PULSAR This document describes a generic root exploit against kde. Attacking AntiVirus Kaspersky Hooking Engine Analysis AV_Kernel_Vulns Pocs for Antivirus Software‘s Kernel Vulnerabilities Finding Vulnerabilities Look at fuzzing section. Winmerge WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle. Analyzing Common Binary Parser Mistakes With just about one file format bug being consistently released on a weekly basis over the past six to twelve months, one can only hope developers would look and learn. The reality of it all is unfortunate; no one cares enough. These bugs have been around for some time now, but have only recently gained media attention due to the large number of vulnerabilities being released. Researchers have been finding more elaborate and passive attack vectors for these bugs, some of which can even leverage a remote compromise. Finding and analyzing Crash dumps All the Ways to Capture a Crash Dump Basic Debugging of an Application Crash Collecting User Mode Dumps High Level Searching Searching Github for vulnerable code/credentials Blogpost Code - Automated Tool Cheatsheet Actual Search Page Exploit Development Practice Lab Setup Building a Lab to practice Exploit writing(Windows, x86, OSCE Prep) So, this is a thing I found while doing some googling. If you wrote this, I owe you a lot of beer. I redacted the place/username as it was on a less than happy place. ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| This assumes you have an idea of ASM x86 and general exploitation methods. Idea with this setup, is that you have a VM of XP SP3 running with the following software and tools installed. You look up the exploits on exploit-db and recreate them. Or you lookup the vulnerabilities and fuzz it yourself knowing where to look. Start here: I'm designing exploit lab based on WinXP SP3. As for now I have following vulnerabilities/apps: 1. Simple RET - Ability FTP Server (FTP) 2. Simple RET - FreeFloat FTP (FTP) 3. Simple RET (harder) - CesarFTP (FTP) 4. Simple RET - Easy RM to MP3 Converter (.pls) 5. Simple RET - DL-10 - Need to find copy of 6. SEH - DVDXPlayer 7. SEH - Millenium 8. SEH - Soritong 9. SEH - mp3nator 10. SEH - NNM (hard) - Need to find copy of 11. SEH + UNICODE - ALLPlayer 12. SEH (difficult) - Winamp with following tools installed: 1. WinDBG + MSEC.dll (!load winext\msec.dll) + byakugan (!load byakugan) 2. Immunity Debugger + mona.py (!mona) 3. OllyDBG+Plugins(SSEH+OllySnake+AdvancedOlly+OllyHeapVis+Virtual2Physical) 4. C:\Windows\system32\findjmp2.exe 5. Cygwin + perl + gdb + gcc... 6. Python26 (for IDA) + PyDbg - https://code.google.com/p/pydbgr/wiki/HowToInstall 6. Python27 (for ImmunityDebugger)+pyDbg 7. lcc-win 8. Wireshark 9. Mantra on Chrome (MoC) 10. Google-Chrome 11. Microsoft Visual C++ 2008 Express 12. Nasm 13. metasploit 14. Alpha3 (c:\Alpha3) 15. IDA 16. Sysinternals (c:\Windows\System32) 17. Proxifier Edition 18. Echo Mirage Sursa: https://rmusser.net/docs/Exploit Development.html

⚠️ This code works on the most recent version of ReCaptcha. Only use on sites you control for educational purposes. ⚠️ Created in April 2017, unCaptcha achieved 85% accuracy defeating Google's ReCaptcha. After the release of this work, Google released an update to ReCaptcha with the following major changes: Better browser automation detection Spoken phrases rather than digits These changes were initially successful in protecting against the original unCaptcha attack. However, as of June 2018, these challenges have been solved. We have been in contact with the ReCaptcha team for over six months and they are fully aware of this attack. The team has allowed us to release the code, despite its current success. Introducing unCaptcha2 Thanks to the changes to the audio challenge, passing ReCaptcha is easier than ever before. The code now only needs to make a single request to a free, publicly available speech to text API to achieve around 90% accuracy over all captchas. Since the changes to ReCaptcha prevent Selenium, a browser automation engine, unCaptcha2 uses a screen clicker to move to certain pixels on the screen and move around the page like a human. There is certainly work to be done here - the coordinates need to be updated for each new user and is not the most robust. The Approach unCaptcha2's approach is very simple: Navigate to Google's ReCaptcha Demo site Navigate to audio challenge for ReCaptcha Download audio challenge Submit audio challenge to Speech To Text Parse response and type answer Press submit and check if successful Demo How To Use Since unCaptcha2 has to go to specific coordinates on the screen, you'll need to update the coordinates based on your setup. These coordinates are located at the top of run.py. On Linux, using the command xdotool getmouselocation --shell to find the coordinates of your mouse may be helpful. You'll also need to set your credentials for whichever speech-to-text API you choose. Since Google's, Microsoft's, and IBM's speech-to-text systems seem to work the best, those are already included in queryAPI.py. You'll have to set the username and password as required; for Google's API, you'll have to set an environment variable (GOOGLE_APPLICATION_CREDENTIALS) with a file containing your Google application credentials. Finally, install the dependencies, using pip install -r dependencies.txt. Responsible Disclosure We contacted the Recaptcha team in June 2018 to alert them that the updates to the Recaptcha system made it less secure, and a formal issue was opened on June 27th, 2018. We demonstrated a fully functional version of this attack soon thereafter. We chose to wait 6 months after the initial disclosure to give the Recaptcha team time to address the underlying architectural issues in the Recaptcha system. The Recaptcha team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate. This attack vector was deemed out of scope for the bug bounty program. Disclaimer unCaptcha2, like the original version, is meant to be a proof of concept. As Google updates its service, this repository will not be updated. As a result, it is not expected to work in the future, and is likely to break at any time. Unfortunately, due to Google's work in browser automation detection, this version of unCaptcha does not use Selenium. As a result, the code has to navigate to specific parts of the screen. To see unCaptcha working for yourself, you will need to change the coordinates for your screen resolution. While unCaptcha2 is tuned for Google's Demo site, it can be changed to work for any such site - the logic for defeating ReCaptcha will be the same. Additionally, we have removed our API keys from all the necessary queries. If you are looking to recreate some of the work or are doing your own research in this area, you will need to acquire API keys from each of the six services used. These keys are delineated in our files by a long string of the character 'X'. It's worth noting that the only protection against creating multiple API keys is ReCaptcha - therefore, unCaptcha could be made self sufficient by solving captchas to sign up for new API keys. As always, thanks to everyone who puts up with me, including, Kkevsterrr Dave Levin dpatel19 Sursa: https://github.com/ecthros/uncaptcha2

Digging into BokBot’s Core Module January 3, 2019 Shaun Hurley and James Scalise From The Front Lines Introduction BokBot first started showing up in 2017, and Crowdstrike’s Falcon® Overwatch™ and Falcon® Intelligence™ teams have analyzed these infections to ensure customers are both protected and informed. Recently, BokBot infections have become more prevalent due to Emotet campaigns that leverage BokBot as a means to go after a victim’s personal banking information. Given that BokBot is associated with the eCrime group MUMMY SPIDER, it is no surprise that the malware provides robust functionality, such as: Command and control of a system Process execution Registry editing Write to the file system Logging Polymorphism and other obfuscations TamperProofing Modular Credential theft Intercepting proxy Remote control via VNC In addition, BokBot has been seen downloading and executing binary code from other malware families: for example, the Azorult infostealer. This blog post will dig into the technical details of BokBot’s main module. Subsequent blog posts will cover the additional downloaded modules. BokBot Container Execution BokBot comes packed inside a crypter. The crypter goes through several stages before finally unpacking the BokBot binary and injecting it into svchost.exe. Here is a quick rundown of the different stages: Stage 1 (crypter) Decode stage 2 and execute Stage 2 (crypter) Decodes shellcode and execute Stage 3 (shellcode) Hollows out the base process image Decodes the core process injection PE Overwrites the base process image with the core process injection PE Stage 4 (process injection) Executes the process injection code Launches svchost.exe child process Injects BokBot as a headless PE image into the child process All of the behaviors relevant to the CrowdStrike® Falcon platform occur in stage 4. The primary focus for the following section is the unique method in which BokBot is injected into the child process. Process Injection In order to bypass antivirus (AV) detections for process hollowing, BokBot hooks several Windows API functions, executes the hooking code, and then removes the hook. Simulating Process Hollowing In order to simulate process hollowing, the ZwCreateUserProcess routine is hooked. BokBot calls ZwProtectVirtualMemory to modify the permissions of the routine to PAGE_READWRITE. Next, the first five opcodes (bytes) are replaced with the opcodes for a JMP <address of hooking code> instruction. Permissions are restored, and then CreateProcessA is called. Figure 1: Hooking ZwCreateUserProcess Once CreateProcessA is called, a function call chain leads to calling ZwCreateUserProcess and then the hooking code, as shown in Figure 1. At this point, no process has been created. The hooking code will complete the creation of the child process by removing the hook from the ZwCreateUserprocess routine, and then the non-hooked ZwCreateUserProcess procedure is called. This will create the child process, but execution doesn’t begin until CreateProcessInternal returns. The rest of the hook routine will decode and inject the embedded BokBot binary into the child svchost.exe process Code Injection Prior to injecting the code, the BokBot PE is decompressed and loaded into the local process memory. Once loaded, the following Windows procedures are used to allocate and write to the svchost child process: After the main BokBot module has been written to the child process, the steps to execute the BokBot code will begin. Code Execution BokBot uses a novel technique to get the code to execute inside of the child process. Using the same APIs as earlier, the dropper hooks RtlExitUserProcess in the child process. Since svchost.exe is launched without arguments, it will terminate immediately. As the process attempts to exit, it will call the hooked RtlExitUserProcess, thus executing the BokBot payload. Figure 2: Executing BokBot with RtlExitUserProcess Hook There is one more task for the hooking routine to complete before CreateProcessInternalW resumes execution. Injecting a Context Data Structure After the BokBot payload is injected into the child process, a context data structure is written to the child process. This context contains all of the data necessary to ensure that BokBot’s main module is able to execute without issue: Windows Procedure Addresses ntdll.ZwAllocateVirtualMemory ntdll.ZwWriteVirtualMemory ntdll.ZwProtectVirtualMemory ntdll.ZwWaitForSingleObject ntdll.LdrLoadDll ntdll.LdrGetProcedureAddress ntdll.RtlExitUserProcess ntdll.ZwCreateUserProcess ntdll.RtlDecompressBuffer ntdll.ZwFlushInstructionCache Load address for payload Path to the dropper binary C2 URLs Project ID This data is collected throughout the lifetime of the dropper process. In addition, a similar structure will be written to the child processes of BokBot as it downloads and execute modules. After injection, CreateProcessInternalW resumes, and the dropper process exits. BokBot’s main module starts the initialization phase. BokBot Initialization Prior to executing the primary loop to communicate with the C2, BokBot goes through several initialization steps to prepare itself for C2 communication. Initialization occurs in the following steps: Remove the RtlExitUserProcess hook Create a memory-mapped file to store logging data Execute BokBot as the logged-on user (if the current process is running as System) Suppress error windows Collect System information Windows version information User SID Member of a domain Unique ID generation Prevent multiple executions Install BokBot on the host Inject existing downloaded modules into into child processes Some of these steps are covered in more details inside the following sections. Silence Errors To prevent error windows from informing the victim of an issue, BokBot sets the error mode of the process to 0x8007, which corresponds to the following: This will disable most error notices that are generated when a process crashes. Generating Unique IDs BokBot uses several unique IDS that are generated earlier on during process execution. These values are passed to the C2 (command and control), used as a key for RC4, and passed to child processes. Project ID In addition to injecting the main BokBot module into svchost, the dropper also injects a chunk of binary data that provides context for BokBot to execute, including the Project ID. These unique Project ID values appear to be used to identify infections that correspond to distribution campaigns. The Project ID is a four-byte value. Bot ID Bot IDs are unique to specific instances for a user on an infected host. The value is used as an encryption key and as a seed in the generation of the unique values that BokBot needs for a variety of purposes, such as the generation of pseudo-random strings for file and event names. This will be discussed further in subsequent sections. The Bot ID is generated in one of the two following ways: Security ID (SID) of the account name System time in a file time format Since both values are 64-bit, no matter which method is used, the value is split into two 32-bit chunks and XORed. ID Hash In addition to this Bot ID, a simple hash is generated that can be used to verify the validity of both the Bot ID and the Project ID. This hash is generated using the Bot ID and the Project ID, in the following manner: This value will be passed along with the Project ID and the Bot ID as part of the C2 URL parameters. If this request is invalid, infected hosts will not receive any instructions from the C2. C2 Hostname Initialization Bokbot contains an encoded list of C2 hostnames that were provided as part of the context data structure that was injected by the dropper. The C2 list within that structure is decoded using a key that was also provided by the context, and then re-encoded using a new key that was generated using an rdtsc instruction, and stored as an array of pointers. Prevent Multiple Executions A unique global named event is generated using the Bot ID. A successful call to CreateEvent is proceeded with a call to GetLastError. If the malware is already executing, the last error is ERROR_ALREADY_EXISTS, and the process exits. Installation During installation, the BokBot dropper binary is written to an installation directory, and a scheduled task is created for persistence. The installation directory is created in the following root directory: c:\ProgramData The installation directory name is unique and generated using the Bot ID. Once the directory is created, the original dropper file is renamed (also using the Bot ID as a seed) and written to the directory. Because the Bot ID is based on system information, using it as a seed ensures that the malware will always generate the same installation path and filename on a particular host. After generating the installation directory name, BokBot needs to generate a filename for the BokBot binary that is going to be written to that directory. The following Python code reproduces the algorithm that BokBot uses to generate the filename, and various other strings. The str_id value in the script is a hard-coded integer that is used with the Bot ID to generate consistent strings. For instance, using a Bot ID of 0x2C6205B3 and str_id of 2 always results in ayxhmenpqgof, but switching to a str_id of 6 results in bwjncm. The following is an example of the installation path: C:\ProgramData\{P6A23L1G-A21G-2389-90A1-95812L5X9AB8}\ruizlfjkex.exe A scheduled task is created to execute at windows logon. The task name is generated in the same manner as the installation directory: Task Name: {Q6B23L1U-A32L-2389-90A1-95812L5X9AB8} Trigger: Logon Action: Start a program Details: BokBot dropper path C2 Communication BokBot communicates with C2 servers via HTTPS requests, passing various values to the server through URL parameters and via POST data. The URL request data is not encrypted or obfuscated beyond the SSL/TLS used by the server. The following sections detail parameters required by all requests, some additional optional parameters, and the bot registration process. Required C2 Request/Response Parameters Every request/response will have these parameters sent to the server. These will provide the C2 with information that identifies the request/response type and to uniquely identify the infected machine: Table 1 describes these parameters in greater detail. Table 1: Required URI Parameters The URL path often changes between versions: For instance, version 100-102 used /data100.php instead of /in.php. Additional C2 Request Parameters BokBot contains a communication thread that loops continuously until the process exits, retrieving instructions from the C2 server. These requests include several additional parameters, detailed in Table 2, in addition to those already described. These parameters are not sent when a machine sends the result of a command issued by the C2, such as when uploading a screenshot. Table 2: Additional BokBot C2 Request URI Parameters The following URL parameters showcase an example of the initial connection to the C2: In this example, there are no web injects, no C2 URLs, and no modules have been downloaded, therefore the highlighted parameters are either zero or empty. An initial timestamp has been generated, and the version number is static. Initial Bot Registration A registration request is combined with the standard C2 URL parameters that are sent to the C2 with each request. After the initial request, the C2 server will send commands back to the victim, signaling it to download web injects, updated C2 hostnames, executable modules, or to perform other tasks. The initial registration URL contains parameters related to system information. The following string is an example: Table 3 describes the registration URI parameters. Table 3: Registration Request URI Parameters The following is an example of a registration request (in red) and a response from the C2 (in blue) containing commands for the infected host: C2 Commands This section will cover the command requests made by the C2. Each command from the C2 takes the following format: The following commands are available in the current version of BokBot: Note that these command ID values may change between versions. As this list demonstrates, BokBot provides operators with a wide variety of options to interact with an infected machine. URL Download Command Handler A lot of commands trigger a command handler function that requires communication with either a C2 URL or another URL specified in the server request arguments. If specified by the request, the data downloaded from the target URL will be written to a DAT. Whether or not the downloaded data is written to a DAT file, it will always be processed by a callback function for one of the following C2 commands: Start a new executable module, restart current executable module Update web injects (either command) Update config Update BokBot Write to a file Download and execute a binary The commands that use the C2 URL hostnames send a d URL parameter, such as the following example: This value is typically set to 0; the file to download is specified by the g parameters. Modules and DAT Files All data received from the C2 that needs to persist between reboots is written out as a DAT file on the infected machine. These files include: Web inject configuration C2 configuration External modules Each file is encrypted and decrypted as needed by either the main module or the child module, using the Bot ID as the key. Each module is given a unique tag. Unique Tag Generation BokBot assigns unique tag values for injected processes, downloaded modules, and the downloaded DAT files. These tags are a convenient method for the executing BokBot process to identify external process resources. Tag generation is simple: 18 – Web injects configuration file, statically defined in the binary 19 – Reporting configuration file, statically defined in the binary 20 – C2 configuration file, statically defined in the binary 33-46 – Downloaded modules to be injected into child processes Assigned as needed in an incremental fashion Not necessarily a unique tag for what the module does During analysis of BokBot, these values will come up on a regular basis, including values to generate a unique filename, as described later. Downloading DAT Files As previously mentioned, DAT files are downloaded based on commands sent from the C2. Once the command is received from the C2, a command handler specific to this command is called to process the request. In response, the infected machine notifies the C2 with the command that it is ready to receive an RC4-encrypted blob from the C2. Figure 3 illustrates the process of commands that download configuration files and modules. Figure 3: C2 Command to Trigger DAT File Download An eight-byte RC4 key is prepended to the data buffer. Prior to writing the BLOB to a file, BokBot decrypts the file, and then re-encrypts it using a new RC4 key based on the Bot ID. Write to a File BokBot creates a new directory under C:\ProgramData to store the DAT files. The directory name is generated using the string generation algorithm described previously. DAT file names are generated using the unique tag value. This value is run through a string generation algorithm (also dependent on the Bot ID), which returns a unique filename for the DAT file. Table 4: Example of BokBot DAT Files Written During Analysis Table 4 references all of the DAT files that were written during the testing process used for writing this blog. In this case, the installation directory is C:\ProgramData\yyyyyyyyiu\. These DAT files are further handled based on the specified type, depending on whether it is an executable module or a data file. Executable Module BokBot has several executable modules that can be downloaded and injected into a svchost.exe child process. Once the relevant DAT file is decoded using RC4, no additional decoding or decompression is necessary for the executable module DAT files. The executable module header contains information necessary to ID the module: The rest of the file contains data necessary to load and execute the module, including the various portions of a PE file along with a custom PE header. Module Injection and Execution Executable modules are injected with a technique similar to the dropper, minus the hook of ZwCreateUserProcess, and the child process start is suspended (CREATE_SUSPENDED). It’s a little closer to traditional process migration with the addition of the RtlExitUserProcess hook. PE Image Loading Because there is no standard PE header, the DAT file has to contain all of the relevant information (virtual sizes, relocations, etc.) to properly map this binary into the child process. This data is part of the header of the DAT file. BokBot builds the binary in local process memory prior to injecting it into the child process. Injection Injection uses the same APIs as the dropper: ZwAllocateVirtualMemory, ZwWriteVirtualMemory, ZwProtectVirtualMemory. After injection the process is resumed using ResumeThread. Execution Context Injection Once again, an execution context structure is written to the child process, prior to execution. Some of the information contained in this context includes: Bot ID Project ID C2 hostnames A URL path format string This keeps everything consistent between the parent and child process. No new unique identifiers need to be generated, all of the encryption keys are going to be the same: same hostnames, and even the same URL path. Consistency between parent and child is necessary for the messages sent between the two, using inter-process communication (IPC). After a module is injected into a child process, the first four bytes of the decrypted DAT file are added to an array, used by BokBot to identify which modules are currently executing. Data Files The other DAT files contain data necessary to either communicate with a C2, or related to web injection. Essentially, these files provide whatever additional data the main BokBot process and the executable modules require to accomplish their job. Config File The config file contains all of the data necessary for the BokBot main module to maintain communication with the C2. Once the file is decrypted using the process-specific RC4 key, no additional decompression or decryption is necessary. Signature Verification Each config file comes with a digital signature block, used to verify the integrity of the C2 hostname data. The signature is verified based on the signature verification method outlined in the obfuscations section. The following is an example C2 configuration, with the signature block in red: Web Inject Files There are multiple web inject files. One contains all of the target URL and hostname data, and the second contains regex patterns, as well as the code to inject. These files are both RC4-encrypted and compressed. These files are not parsed by the main BokBot binary, but rather by the intercepting proxy module. The zeus file magic is verified, a buffer is allocated, and then the files are decompressed. A forthcoming blog post on the proxy module will cover decompression and usage of the web injection configuration files. Communication with Child Processes Memory-mapped files and events are used by BokBot to communicate with all child processes that contain an injected module. Through the process of leveraging named events with CreateEvent, OpenEvent, and OpenFileMapping, the BokBot main module is able to provide additional information to these child processes. Shared Module Log Modules write to the same shared memory-mapped file. The memory-mapped file is created using a shared name between the parent and child processes. Each process that can generate this name can use it to open the memory-mapped file, and to write data to the shared modules log. Further details are covered in the next section, and specific data written will be covered in the separate module descriptions below. The main module is responsible for clearing the log and sending the data to the C2. Module-Specific Communication BokBot’s main module often needs to issue commands to the child processes that contain injected module code. The commands can trigger an update of module-specific data, or instruct the module to perform a specific function, such as harvest data from Outlook. Figure 4 outlines this process, although it will be further explained in the subsequent sections. Figure 4: BokBot Communication Between Parent and Child Processes Event Name Generation In order for the BokBot main modules and the child process to communicate with events, unique names need to be generated and must consistent across all of the processes. Table 5 illustrates BokBot’s approach. Table 5: Event Name Structure These events will be used by the parent and child processes to exchange data. BokBot Main Module This process has the ability to communicate with all of the children of the injected modules. These communication all revolve around commands generated by the C2. Once a command that requires notification of an executable module child process is initiated, a named Q event is opened to ensure that the child process is ready to receive the data. If this Q event does not exist, then the child process has not been started. BokBot injects the target module into a child process, and loops a check to see if the event can be opened. Once the Q event has been successfully opened, BokBot creates a new named R event, creates a memory-mapped file (named M event), writes data to the file, signals the open Q event, and waits for a response from the child process. After the child clears the R event, the memory-mapped file is unmapped, and all handles are closed. BokBot Executable Module After initialization, the child process will create a named Q event and wait until it is signaled by the parent process. Once signaled, the named R event is opened, and the data in the memory-mapped file is processed. Data from the BokBot Parent BokBot’s main module writes some contextual information to the injected module, telling it to perform specific actions. These actions change based on the module receiving the data. The following commands are consistent between modules, but the actions performed may vary: 0xFF00: Process exit with a 0x1122 code 0xFF01: Check web injects or no operation 0xFF02: Update C2 hostnames In addition to a command, relevant data associated with a command is also processed based on whatever instruction the command tells the injected module to accomplish. After the task assigned by the parent process has completed, the memory mapped file is unmapped, the R event is signaled, and all other open events are closed. Obfuscations and TamperProofing Bokbot uses several methods to obfuscate analysis: String obfuscation Encrypted DAT files from the server Signature verification Polymorphism String Obfuscation To make analysis more difficult, significant strings have been XOR encoded using a shifting key algorithm. All encoded strings have the following structure: Here is the algorithm to decode the string (Python): Signature Verification Signature verification occurs under two circumstances: updated C2 urls, and updated BokBot binary. In both cases, the process is the same. The verification function receives two things: a 128-byte signature to verify, and the data to verify. First, BokBot creates an MD5 hash of the data requiring verification. Next, an RSA public key embedded in the executing binary is importing via CryptImportKey. Once the hash is generated and the key imported, CryptVerifySignature is used to verify the signature. This may be an attempt to prevent some third party from taking over or otherwise disrupting the botnet. Polymorphism Everytime BokBot is installed, prior to it being written to the install directory, the .text section of the binary is modified with junk data and the virtual size is updated. A new checksum is generated to replace the current checksum. How CrowdStrike Falcon Prevent™ Stops BokBot Bokbot spawns a svchost child process, injects the main module, and that svchost process spawns and injects into multiple child processes. The process tree in Figure 5 is an example of what BokBot looks like when process blocking is disabled in Falcon Prevent. As can be seen, several malicious child processes were launched by BokBot’s main module located inside of the first svchost process. Figure 5: BokBot Process Tree Without Process Blocking Enabled Without preventions enabled the customer will still be notified of the malicious activity, but no action will be taken to prevent the behavior. Suspicious Process Blocking Falcon has the capability to prevent the execution of BokBot’s main module and all of the child modules. Turning on process blocking in Falcon Prevent kills the BokBot infection at the parent svchost process. Looking at the process tree in the Falcon UI with process blocking enabled, shows an analyst that the svchost process was prevented. The block message (see Figure 7) that occurs with this preventative action explains why this process was terminated. Figure 6: BokBot Process Tree with Process Blocking Enabled Figure 7: BokBot Process Block Message Suspicious process blocking is an example of malware prevention based on behavior. If the malware uses behavior that has not been caught by Falcon’s indicators of activity, then Falcon can also prevent malware execution by leveraging either next-generation AV machine learning ,or intelligence collected by Crowdstrike’s Falcon Intelligence team. In Summary BokBot is a powerful banking trojan that provides attackers with a robust feature set. One of the more unique features of BokBot is the method in which it uses to communicate with it’s child modules. Additional blog posts for BokBot are coming that will contain more information for the downloaded modules. BokBot Hashes The following hashes were used in creation of this blog post. MITRE ATT&CK Framework Mapping Additional Resources Read a Security Intelligence article: “New Banking Trojan IcedID Discovered by IBM X-Force Research.” Read a Talos Blog: “IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution.” Visit Vitali Kremez | Ethical Hacker | Reverse Engineer and read: “Let’s Learn: Deeper Dive into ‘IcedID’/’BokBot’ Banking Malware: Part 1.” Download the 2018 CrowdStrike Services Cyber Intrusion Casebook and read up on real-world IR investigations, with details on attacks and recommendations that can help your organizations get better prepared. Learn more about CrowdStrike’s next-gen endpoint protection by visiting the Falcon platform product page. Test CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™ today. Sursa: https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/

Santa's ELFs: Running Linux Executables Without execve Adam Cammack Jan 03, 2019 7 min read This blog is the 11th post in our annual 12 Days of HaXmas blog series. Merry HaXmas! Now that the holidays are winding down, Santa's elves can finally get some much-needed rest after working tirelessly on dolls, wooden trains, and new copies of Fortnite. Santa's ELFs, however, do not get such a break, since the Executable and Linkable Format (ELF) is the base of numerous Unix-like operating systems such as Linux, most modern BSDs, and Solaris. ELF files are capable of many tricks, like those we use in our *nix Meterpreter implementation, but those tricks require building each executable either with our special toolchain or GCC 8+ with the new -static-pie flag. What if things were different? The kernel doesn't need a file on disk to load and run code, even if it makes us have one. Surely with some HaXmas magic and elbow grease we can do it ourselves. Handcrafted mirrors Perhaps the most-desired trick for executable formats is reflective loading. Reflective loading is an important post-exploitation technique used to avoid detection and execute more complex tools in locked-down environments. It generally has three broad steps: Get code execution (e.g., exploitation or phishing) Grab your own code from somewhere Convince the operating system to run your code without loading it like a normal process That last part is what makes reflective loading desirable. Environments are increasingly locked down, and the components of a normal process start are the most obvious targets. Traditional antivirus scans things on the disk, code signing checks integrity as new processes start, and behavioral monitoring keeps checking to make sure none of those processes start doing anything too weird. The thought is, if attackers can't run any programs, they can't do anything and the system is secure. This is not entirely correct; blocking the most obvious paths just makes things painful. In particular, Windows, which uses the Portable Executable (PE) format, has seen much research into this topic, both because it is widely deployed and because it has useful reflection building blocks built into the core operating system. In fact, it has the gold standard API for this sort of work, CreateRemoteThread and friends, which allows attackers to not merely load, but inject code into other running processes. Despite lacking fun APIs for reflective injection like CreateRemoteThread found in Windows, the last few years have seen some interesting research in unorthodox ways to use developer-focused Linux features to make their own security-focused lives better. A good summary of command-only approaches can be found here, and other techniques that require helper files include tools such as linux-inject. A more modern technique that can be executed from a helper binary or scripting language uses some new-ish sycalls. These approaches on Linux can be grouped into five categories: Writing to temporary files: This is not too different from typical code, but it doesn't leave disk artifacts. Injecting with ptrace: This requires some sophistication to control and classically allows broad process-hopping. Self-modifying executables: dd is a classic for this, and it requires a bit of fineness and customized shellcode. FFI integration in scripting languages: Python and Ruby are both suitable, current techniques that only load shellcode. Creating non-filesystem temporary files: This uses syscalls added in 2014, so it's approaching broad usability. Strict working conditions Few people closely watch their Linux boxes (congratulations if you do!), but these technique styles have security/opsec considerations in addition to their respective technical challenges alluded to above. If you are on the bluer end of the security spectrum, think of the following as ways to frustrate any remote attackers lucky enough to compromise something: Temporary files It is increasingly common to find /tmp and /dev/shm mounted noexec (that is, no file in that tree can be executed), especially on mobile and embedded systems. Speaking of embedded systems, those often have read-only persistent file storage as well, so you can't even fall back to hoping no one is looking at the disk. Self-modifying executables and ptrace Access to ptrace and most of fun introspection in /proc/<PID> is governed by the kernel.yama.ptrace_scope sysctl variable. On boxes that are not being used for development, it should be set to at least 2 to remove access from non-privileged users. This is default on many mobile and embedded systems, and modern desktop/server distros default to at least 1, which reduces its usefulness for wildly hopping across processes. Also, it's Linux-specific, so no sweet, sweet BSD shells for you. FFI integrations Ruby's fiddle and Python's ctypes specifically are very flexible and for a lot of small things can function like an interpreted C. They don't have an assembler, though, so any detail work with registers or bootstrapping into different executables will need done with shellcode from your end. You also never know which version, if any, is going to be installed on a given system. Non-filesystem temporary files Also Linux-specific, this calls a pair of new syscalls that together can bypass any noexec flags I have been able to muster (tested through kernel 4.19.10). The first syscall is memfd_create(2). Added in 3.17, it allocates a new temporary filesystem with default permissions and creates a file inside that that does not show up in any mounted filesystem except /proc. The second syscall, added in 3.19, is execveat(2). It can take a file descriptor and pass it to the kernel for execution. The downside is that the created file can easily be found with find /proc/*/fd -lname '/memfd:*', since all the memfd_create(2) files are represented as symbolic links with constant prefix. This feature in particular is rarely used in common software—the only legitimate example I can find on my Linux boxen was added to PulseAudio in 2016. A (runtime) linker to the past And then there's big bottleneck: To run other programs, all these techniques use the standard execve(2) (or the related execveat(2) call in that last case). The presence of tailored SELinux profiles or syscall auditing could easily render them off-limits, and on recent SELinux-enforcing Android builds, it does. There is another technique called userland exec or ul_exec; however, that mimics how the kernel initializes a process during an execve and handing control off to runtime linker: ld.so(8). This is one of the earliest techniques in this field, pioneered by the grugq, though it's never been much pursued because it is a bit fiddly compared to the techniques above. There was an update and rewrite for x86_64, but it implements its own standard library, making it difficult to extend and unable to compile with modern stack-smashing protection. The Linux world is very different from what it was nearly 15 years ago when this technique was first published. In the modern day, with 40+ bits of address space and position-independent executables by default, cobbling together the execve process is more straightforward. Sure, we can't hardcode the stack address and have it work >90% of the time, but programs don't rely on it being constant anymore, either, so we can put it nearly wherever and do less juggling with memory addresses. Linux environments are now also more common, valuable, and closely guarded than in 2004, so going through the effort is worth it in some scenarios. Process There are still two requirements for emulating the work of execve that are not a given all the time, depending on execution method and environment. First, we require page-aligned memory allocation and the ability to mark the memory executable after we populate it. Because it is required for JITs, the built-in library loader dlopen(3), and some DRM implementations, it is difficult to completely remove from a system. However, SELinux can restrict executable memory allocation, and some more self-contained platforms like Android use these restrictions to good effect on things that are not approved browsers or DRM libraries. Next, we require the ability to arbitrarily jump into said memory. Trivial in C or shellcode, it does requires a full FFI interface in a scripting language and rules out a non-XS Perl implementation, for example. The process detailed by grugq has changed in subtle but interesting ways. Even with all the development that has taken place, the overall steps are the same as before. One security feature of the modern GNU/Linux userland is that it is less concerned with particular memory addresses, which gives us more flexibility to implement our other kind of security feature. There are also more hints that the kernel passes to the runtime in the auxiliary vector and finding the original is now more desirable, but most programs can work fine with a simple one on most architectures. The tool The downfall of many tools, especially in open source and security, is staleness. With execve emulation left aside for other loading methods, the two ul_exec implementations have gotten little interest and (as best as I can tell) few updates from their authors. Our Linux Meterpreter implementation currently lacks support for the popular -m option to the execute command that on Windows runs a process completely in-memory under the guise of a benign program. Using this and a fallback technique or two from above would give us the capabilities that we need to run uploaded files from memory and with a little trickery, such as mapping extra benign files or changing the process name before handing control over to the uploaded executable, completely replicate -m. A nice side effect is that this will also make building and distributing plugins easier, as they will no longer need to be made into a memory image at build time. To enable this, I am creating a shared library that will live alongside our Linux Meterpreter, mettle. It won't depend on any of the Meterpreter code, but by default, it will build with its toolchain. It will also be free and packageable into whatever post-exploitation mechanism you desire. Be sure to check out the pull request if you have any questions or suggestions. Here we can see an example tool that uses this library in action as viewed through the microscope of the syscall tracer strace(1). To avoid all the output associated with normal tracing, we are just using the %process trace expression to view only calls associated with the process life cycle like fork, execve, and exit. On x86_64, the %process expression also grabs the arch_prctl syscall, which is only used on x86_64 and only for setting up thread-local storage. The execve is from strace starting the executable, and the first pair of arch_prctl calls is from the library initialization. Then nothing until the target library starts up with its own pair of arch_prctl calls and prints out our message. $ strace -e trace=%process ./noexec $(which cat) haxmas.txt execve("./noexec", ["./noexec", "/usr/bin/cat", "haxmas.txt"], 0x7ffdcbdf0bc0 /* 23 vars */) = 0 arch_prctl(0x3001 /* ARCH_??? */, 0x7fffa750dd20) = -1 EINVAL (Invalid argument) arch_prctl(ARCH_SET_FS, 0x7f17ca7db540) = 0 arch_prctl(0x3001 /* ARCH_??? */, 0x7fffa750dd20) = -1 EINVAL (Invalid argument) arch_prctl(ARCH_SET_FS, 0x7f17ca7f3540) = 0 Merry, HaXmas! exit_group(0) = ? +++ exited with 0 +++ Putting a bow on it With this new library part of Mettle, we hope to provide a long-term, stealthy way of reliably loading programs on compromised Linux boxes. If you have questions or suggestions, be sure to check out out the progress of my pull request, our *nix payload, or join us on Slack. Sursa: https://blog.rapid7.com/2019/01/03/santas-elfs-running-linux-executables-without-execve/

Top 10 web hacking techniques of 2018 - nominations open James Kettle | 03 January 2019 at 14:43 UTC Nominations are now open for the top 10 new web hacking techniques of 2018. Every year countless security researchers share their findings with the community. Whether they're elegant attack refinements, empirical studies, or entirely new techniques, many of them contain innovative ideas capable of inspiring new discoveries long after publication. And while some inevitably end up on stage at security conferences, others are easily overlooked amid a sea of overhyped disclosures, and doomed to fade into obscurity. As such, each year we call upon the community to help us seek out, distil, and preserve the very best new research for future readers. As with last year, we’ll do this in three phases: Jan 1st: Start to collect community nominations Jan 21st: Launch community vote to build shortlist of top 15 Feb 11th: Panel vote on shortlist to select final top 10 Last year we decided to prevent conflicts of interest by excluding PortSwigger research, but found the diverse voting panel meant we needed a better system. We eventually settled on disallowing panelists from voting on research they’re affiliated with, and adjusting the final scores to compensate. This approach proved fair and effective, so having checked with the community we'll no longer exclude our own research. To nominate a piece of research, either use this form or reply to this Twitter thread. Feel free to make multiple nominations, and nominate your own research, etc. It doesn't matter whether the submission is a blog post, whitepaper, or presentation recording - just try to submit the best format available. If you want, you can take a look at past years’ top 10 to get an idea for what people feel constitutes great research. You can find previous year's results here: 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016/17. Nominations so far Here are the nominations so far. We're making offline archives of them all as we go, so we can replace any that go missing in future. I'll do a basic quality filter before the community vote starts. How I exploited ACME TLS-SNI-01 issuing Let’s Encrypt SSL-certs for any domain using shared hosting Kicking the Rims - A Guide for Securely Writing and Auditing Chrome Extensions | The Hacker Blog EdOverflow | An analysis of logic flaws in web-of-trust services. OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies PowerPoint Presentation - OWASP_AppSec_EU18_WordPress.pdf Scratching the surface of host headers in Safari RCE by uploading a web.config – 003Random’s Blog Security: HTTP Smuggling, Apsis Pound load balancer | RBleug Piercing the Veil: Server Side Request Forgery to NIPRNet access inputzero: A bug that affects million users - Kaspersky VPN | Dhiraj Mishra inputzero: Telegram anonymity fails in desktop - CVE-2018-17780 | Dhiraj Mishra inputzero: An untold story of skype by microsoft | Dhiraj Mishra Neatly bypassing CSP – Wallarm Large-Scale Analysis of Style Injection by Relative Path Overwrite - www2018rpo_paper.pdf Beyond XSS: Edge Side Include Injection :: GoSecure GitHub - HoLyVieR/prototype-pollution-nsec18: Content released at NorthSec 2018 for my talk on prototype pollution Logically Bypassing Browser Security Boundaries - Speaker Deck Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out James Kettle @albinowax Sursa: https://portswigger.net/blog/top-10-web-hacking-techniques-of-2018-nominations-open

An Intensive Introduction to Cryptography Boaz Barak Work in progress These are lecture notes for lecture notes for an introductory but fast-paced undergraduate/beginning graduate course on cryptography. I am using these notes for Harvard CS 127. You can also download all lecture notes in a single PDF file. If you have any comments, suggestions, typo fixes, etc.. I would be very grateful if you post them as an issue or pull request in the GitHub repository where I am maintaining the source files for these notes. Lectures 0 Preface (pdf version) 0.5 Mathematical background (pdf version) 1 Introduction (pdf version) 2 Computational security (pdf version) 3 Pseudorandom generators (pdf version) 4 Pseudorandom functions (pdf version) 5 Pseudorandom functions from pseudorandom generators (pdf version) 6 Chosen ciphertext security (pdf version) 7 Hash functions, proofs of work and cryptocurrencies (pdf version) 8 More hash functions (pdf version) 9 Public key cryptography (pdf version) 10 Concrete public key schemes (pdf version) 11 Lattice based cryptography (pdf version) 12 Chosen Ciphertext Security for Public Key Encryption (pdf version) 13 Establishing secure communication channels (pdf version) 14 Zero knowledge proofs (pdf version) 15 Fully homomorphic encryption (pdf version) 16 Fully homomorphic encryption II (pdf version) 17 Multiparty secure computation (pdf version) 18 Multiparty secure computation II (pdf version) 19 Quantum computing and cryptography (pdf version) 20 Quantum computing and cryptography II (pdf version) 21 Software obfuscation (pdf version) 22 Software obfuscation II (pdf version) 23 Anonymous routing (pdf version) 24 Cryptography morality and policy (pdf version) 25 Course recap (pdf version) Sursa: https://intensecrypto.org/public/index.html

Nu, API nu e scris de mine, l-am gasit gata scris, si am inceput de acolo. Poate il scriam eu daca nu exista, cand m-am lovit de bugul mentionat m-am gandit sa imi scriu singur api, apoi am zis ca e in afara scopului...voiam sa ajung repede la rezultat fara prea mare bataie de cap. Este un proiect de fun, nu vreau sa investesc in el sau sa il dezvolt mai mult.

Vad ca te-ai documentat putin. Diferenta e ca pot sa iti descarc si flac-uri (prin link de app desktop/mobile) doar ca, sunt cum spui si tu criptate. Foloesc WidevineCDM. Iti dau multe fisiere prin web doar. Si calitate master ai doar pe Mac/Win cu aplicatia de desktop. Eu folosesc de cativa ani Tidal, si sunt fan, chiar face diferenta pe un sistem bun/casti bune, adica e asta si restul din punctul meu de vedere. (legat de valorile exacte le-am mentionat in primul post) Da asa este Spotify are un sistem de recomandari incredibil de bine pus la punct! Asta e motivul pentru care am si Spotify :)))).

There were 28 transactions from his account, the businessman said, but he was not notified as his SIM card had been blocked by those behind the fraud. Story Highlights A suspected case of SIM card swapping led to the fraud The businessman says he received six missed calls before the fraud A case has been registered with the cybercrime wing Mumbai: A suspected case of SIM card swapping has led to a Mumbai-based textile businessman losing Rs 1.86 crore from his bank account. A case has been registered with the cybercrime wing of the Mumbai Police. The businessman, whose identity is not being revealed, says he received six missed calls on his mobile phone between 11.44 pm and 1.58 am on December 27-28, after which the fraud took place. Cyber experts call it the "SIM swap", in which criminals gain access to the data and use the OTP that is required to transfer funds. SIM swap is a relatively new and technologically advanced form of fraud that allows hackers to gain access to bank account details, credit card numbers, and other personal data. The businessman says he became suspicious when he noticed six missed calls on his phone. Two were from the UK. When he realized his phone had stopped working, he approached the service provider who informed him that the SIM card had been blocked on his request the previous night. "I was informed that I had put in a request to block my SIM around 11.15 pm on December 27. I disputed that as I had not put in any request to block the SIM card. After this, the service provider issued a new SIM card which was activated on the evening of December 29," the businessman said. There were 28 transactions from his account, he said, but he was not notified as his SIM card had been blocked by those behind the fraud. The businessman says he realised that he had been robbed when one of his employees approached the bank for a fund transfer and was told that the account was overdrawn. The businessman said, "On checking the accounts we found that there were 28 transactions transferring money to almost 15 different accounts. None of these transactions were initiated by us and the money wasn't transferred to accounts we transfer funds regularly to." Deputy Commissioner of Police Akbar Pathan told reporters, "We have received a complaint that around ₹ 1.86 crore has been transferred from his current account. The criminals had his bank credentials and phone number. We want to tell people that if your phone is blocked without consent, please get it reactivated immediately and inform the police if you notice fraudulent transactions." Via https://www.ndtv.com/mumbai-news/how-6-missed-calls-left-mumbai-businessman-robbed-off-rs-1-86-crore-1972131?amp=1&amp;akamai-rum=off

Daca face asta cred ca o sa fie dat jos continutul (DMCA), iar cei de la tidal vor patch-ui. Sunteti mult prea dusmanosi/invidioasi. Invatati sa fiti mai buni!

GG pentru initiativa. Vad ca ai ceva timp pe forumu' asta si eu intru din ce in ce mai rar. Am incercat sa dau c/p intr-uun IDE sa bag cateva imbunatatiri da' sa-mi bag pula daca nu mai mult m-am enervat. Daca vrei sa faci ceva cum trebe' pentru forum (chiar daca spui ca ii facut asa intr-o doara in conced), fa si tu un commit pe git sau ce folosesti tu, pune un link aici, alege o versiune de Python recenta nu ceva care o sa fie deprecated maine poimaine. Ca mai vine azi unu' cu un edit, maine altu' cu un issue, si pac te trezesti cu meleonu' de la Dragnea care iti cumpara aplicatia si o baga pe RATB. Pwp & no homo

Salut si bine ai venit! Ce te intereseaza mai exact? Ethical Hacking e white hat. Grey hat este cumva la granita dintre white si black, o combinatie intre cele doua. Detalii despre white, black, grey, aici. Pe astea le-am gasit cautand pe Google. Pe partea de web security poti sa incerci hacker101 si pwnthecode, cel din urma fiind un proiect RST. Iar mai jos ai carti, resurse/materiale pentru o viata: https://mega.nz/#F!8G4wxSrJ!m7LX9z4a3Zxbpw62q9ZFSQ - infosec PDF https://mega.nz/#F!8EdEmZSI!OHRaksNSZYpSKLMUnrOelQ - Infosec PDF https://mega.nz/#F!VpZSjbbR!T8HXLl20No0LDP8OTIYZAg - old hacking/pentesting courses & books 2003-2012 http://www.ytxmrc3pcbv5464e.onion/files/ https://repo.zenk-security.com http://index-of.es https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md#professional-development - programming books https://github.com/Hack-with-Github/Free-Security-eBooks 500 GB programming resources: https://drive.google.com/drive/folders/0ByWO0aO1eI_MN1BEd3VNRUZENkU https://drive.google.com/drive/folders/0B6e-S9ckSvFSdE5MaXRiaWIwbGc https://drive.google.com/drive/folders/1O2cqrDEdX_1Vag9wWQC6ovBgeoXDk0BB https://mega.nz/#F!NAZwVILa!U15d9WY-uy4bg0tjUYGQEA - programming books http://www.oreilly.com/programming/free/ http://books.goalkicker.com

Salutare, Daca sunteti interesati de Retelistica (Cisco CCNA) va invit sa urmariti aceste tutoriale si sa aplicati conceptele prin laboratoarele incluse [1] https://www.youtube.com/channel/UCVJZsdei_i2G3ZimBzqcmeg [2] https://ramonnastase.ro Spor la treaba !

String-uri in Python Slicing and substrings ( Felierea si sub – stringuri ) Si mai interesanta este posibilitatea de taiere ( slicing ) , aceasta tehnia permite sa taiati o parte din lista care indica indicele de pornire si indicele de incheiere , este util sa stiti ca sub – stringul prelevat e acela care pleaca de la caracterul indicat al primului indice inclus , pana la indicele final exclus , omitand unu dintre indici indicam Python-ului sa mearga pana la sfarsit cu taierea , daca punem un numar negativ ca si indice final , Python va calcula caracterele in sens invers . Niste exemple practice : >>> y='Hello World' >>> y[0] # Ia prima litere de la Y avand in vedere ca se porneste de la 0 'c' >>> y[5] 'm' >>> x='Programare Pythom' >>> x[-2] # Printeaza al doilea caracter incepand de la dreapta 'o' >>> x[2:7] # Printeaza caracterele X inclusiv de la 2 la 7 'ogram' >>> x[4:] # Printeaza de la al patrulea caracter pana la sfarsit X 'ramuri python' >>> x[:4] # Printeaza caracterele X cuprinse de la inceput pana la al patrlea 'prog' >>> x[3:-2] # Printeaza de la al treilea caracter incepand de la 0 pana la penultimul X 'gramare python Metode pentru string-uri Observam acum anumite metode pentru stringuri care pot fii utile : Metoda " find() " este utila a reincarca de caractere un string , iar daca nu este prezent de rezulta " -1 " >>> s='rstforums.com' >>> s.find('rst') 0 Metoda " replace() " >>> s.replace('com','test') 'com.test' Metodele " upper() si lower()" , servesc la convertirea MAJUSCULELEOR si minusculelor intr-un string. >>> up=s.upper() >>> print(up) rstforumc.com >>> low=up.lower() >>> print(low) Construirea stringurilor : Multumita operatorului " % " putem sa construim un string introducand parametr " semnalpost " care se pot substituii cu valori asumate de variabile , ca si in instructia " printf " din " C " , exemplu : >>> nume = 'stefan' >>> ani = 29 >>> rezultat = "%s are %d ani" % (nume, ani) >>> print(rezultat) stefan are 29 ani In primele linii am definit variabilele + valorile string si numerice . In linia " %s are %d ani " am introdus parametrii . %s – Parametru de tip string %d – Parametru de tip numeric Parametrii pentru constrirea sting-urilor : Python ne ofera alte functii pentru a gestii string-urile , toate sunt grupate imprena cu modulul numic " string " . Liste Listele in Python sunt coletii ordonate de obiecte simalre " array " al altor tipuri de limbaje , cum ar fii Java . Diferit de string-urile despre care am vorbit , listele pot sa contina obiecte eterogene cum ar fii numere , string-uri si alte liste , acest ne permite de a manipula rapid si de a structura complexitati de alta natura , petru a declara o lista este suficient sa dati unui variabile o lista de valori , separate prin virgula si inchide cu paranteze patrate , exemplu : >>> l1=[1, 'html.it'] # Lista cu un intreg si un string >>> l2=[1, 1.2, 'ciao', [1,2] ] # Lista cu : intreg , real , string si o alta lista O mare parte din ceea ce am scris pentru string-uri este valabil si pentr liste , ca si indice care incepe de la 0 , normal o serie de exemple vor demonstra cum lucreaza operatorii de indici si slicing ( taiere ) . >>> s=['rst', 'com', 'rst.com'] * >>> s[0]****** # indicare 'rst' * >>> s[-2]***** # Indicare incepand de la dreapta 'com' * >>> s[:2]***** # slicing ['rst', 'com'] * >>> s[2:] ['rst.com'] * >>> s[1:-1] ['com'] Sa vedem acum operatorii pentru concatare " + " si repetare " + " , pentru liste . >>> [1, 2, 3] + [4, 5] # concatare [1, 2, 3, 4, 5] * >>> ['rst.com']*3***** # repetare ['rst.com', 'rst.com', 'rst.com'] >>> y=[1,2,3] * >>> y[0]="unu"* # Modifica lista >>> y ['unu', 2, 3] * >>> y[1:2]=[]** # Sterge un element din lista >>> y ['unu', 3] Pentru a cunoaste lngimea unei liste , utilizam functia " len()" >>> lista=['c', 'a', 'b']***** >>> len(lista) 3 Metode pentru liste Exemple : >>> lista=['rst', 'rst', 'rst l']**** * >>> lista.append('rst .com')************ #metoda append() >>> lista ['rst', 'rst', 'rst', 'rst.com'] * >>> lista.extend(['HYml','rst.COM'])*********#metoda extend() >>> lista ['rst', 'rst', 'rst', 'rst.com', 'HYml', 'rst.COM'] * >>> lista.insert(0, 'primuRST')************ #metoda insert() >>> lista ['primuRST', 'rst', 'rst', 'rst', 'rst.com', 'HYml', 'rst.COM'] Acum sa vedem metode de stergere : >>> lista=['rst', 'RST', 'Rst']**** >>> lista.pop() #Fara indice elimina ultimu element din lista 'Rst' >>> lista ['rst', 'RST'] >>> lista=['rst', 'RST', 'Rst']**** >>> lista.remove('rst')****** ['RST', 'Rst'] * >>> lista=['rst', 'RST', 'Rst'] >>> lista.remove(lista[1]) >>> lista ['rst', 'Rst'] >>> lista=['c', 'a', 'b']***** >>> lista.sort() >>> lista ['a', 'b', 'c'] Dictionare Un dictionar este o coloectie neordonata de obiecte . Obiectele sunt identificate unice de o cheie ( in general un string ) in loc de mediante un indice numeric , cum se face la liste . Fiecare element al dictionarului este reprezentat de o copie ( cheie / valoare ) , cheia este utila pentru a deschide elemente sau recuperare valori . Este exact ca si cand ai cauta un cuvand in DEX , in practica ceea ce se cauta este o explicatie a cheii , pentru a face o comparatie cu alte limbaje , putem spune la dictionar ca este o specie de array asociativ . Un dictionar este format din elemente separate , virgule si inchide in paranteze grafe , un dictionar gol este format din paranteze deschide si inchise . >>> dictionar1={}*********** # dictioar gol >>> dictionar1 {} Putem creea noi insine un dictionat prin metoda " dict() " >>> dictionar2=dict()******* # dictionar gol >>> dictionar2 {} Putem sa definim elemente din dictionar direct , listand copii ale cheilor-valorifice . >>> dictionar={'rst':1, 'RST':2, 'ESt':3} >>> dictionar {'rst': 1, 'RST': 2, 'RSt': 3} Pentru a recupera o valoare putem sa trecem la dictionarul nume de la cheia relativa. >>> dictionar['RST']******* # Recupereaza valoarile incepand de la dictionarul 2 Putem verifica existenta unei chei prin keyward-ul " in " >>>* 'rs' in dictionar******** # cauta cheia >>> True Introduceri , modificari si stergeri Sa vedem acum cum se introduce , modifica si sterge elemente dintr-un dictionar : >>> dic={'rst':1, 'RST':2, 'RSt':3} >>> dic['rst.com']=4****************** # introducere >>> dic {'rst': 1, 'RST': 2, 'rst.comt': 4, 'RSt': 3} * * >>> dic['rst']=7********************* # modifica >>> v {'rst': 7, 'RST': 2, 'html.it': 4, 'RSt': 3} * * >>> del dic['RST']******************* # stergere >>> dic {'rst': 7, 'rst.com': 4, 'RSt': 3} Pentru a cunoaste numarul elementelor dintr-un dictionar , utilizam "len " >>> len(dic) 3 Metode pentru dictionare >>> dic={'rst.com':1, 'RST':2, 'rst':3} * >>> dic.get('rst')*********************************** # metoda get() 3 * >>> dic.values()************************************** # metoda values() dict_values([1, 3, 2]) * >>> dic.keys()****************************************metoda keys() dict_keys(['rst.com', 'rst', 'RST'])* * >>> dic.items()*************************************** # metoda items() dict_items([('rst.com', 1), ('rst', 3), ('RST', 2)]) Oridinea cheilor ( cuvintelor ) Cum era la inceput cu Python 3.x , nu putem sa ordonam un dictionar utilizand direct lista obtinuta prin metoda " keys " . >>> dic1 = {'andrea':28, 'florin':25, 'marius':21, 'elena':28} >>> k = dic1.keys() >>> k.sort() Traceback (most recent call last): **File "<stdin>", line 1, in <module> AttributeError: 'dict_keys' object has no attribute 'sort' Ca o solutie ca saputem sa obtinem ceva ordonat convertind intr-o lista elancata de chei si aplcare metoda "sort" >>> k=list(k) #conversie in lista >>> k ['marius', 'florin', 'andrea', 'elena'] >>> k.sort() >>> k ['andrea', 'elena', 'florin', 'marius'] >>> for elemento in k: print(element, dic1[element]) ... andrea 28 elena 28 florin 25 marius 21 Tupla ( Tuple ) O tupla in Python este mult similara unei liste , functia lor este in mare parte aceeasi . Prima diferenta intre tupla si lista este sintaxa , tuplele sunt inchide intre paranteze rotunde ( nu patrate ) , exemple : >>> t=() >>> t () Iar pentru a reprezenta o tupla cu un element , se foloseste o sintaxa . >>> t=(1,) >>> t (1,) Urmatoare diferenta nu este prea vizibila , dar nu trebuie sa o trecem cu vederea . Lista poate fii mutat , tupla NU . Tipi mutabili Sa incercam sa descifram , variabilele de tip mutabil pot sa sa isi schimbe " viata ", practic pentru o lista este posibil sa intrducel sau sa stergem elemente in orice moment , pentru tipurile non mutabile , adica nu este posibil sa schimbam blocul valorii in in intern . Folosirea tuplelor Tuplele sunt folosite cand noi nu vrem sa se modifice continutul unei elencari , deci nu se pot adauga / sterge elemente . Operatorii sunt aceeasi ca cei ai listelor ( mai putin cei ce schimba valoarea care nu au motiv sa exista ) exemple : >>> tupla=(1,2,3,4) >>> tupla (1, 2, 3, 4) * >>> tupla[3]****** #indicare 4 * >>> tupla[1:-1]******* #slicing (2, 3) Ca si pentru string-uri si liste , avem operatori de concare si repetare : >>> ('unu','doi')+('trei','patru') # concatare ('primo', 'secondo', 'terzo', 'quarto') * >>>* ('unu',)*2************************** # ripetare ('unu', 'unu') Cum s-a mentionat mai sus , spre deosebire de liste, tuplele nu accepta modificari . >>> tupla=(1,2,3) >>> tupla.append(4) Traceback (most recent call last): **File "<stdin>", line 1, in <module> AttributeError: 'tuple' object has no attribute 'append' </pre> * <pre class="brush:plain"> >>> tupla.remove(1) Traceback (most recent call last): **File "<stdin>", line 1, in <module> AttributeError: 'tuple' object has no attribute 'remove' * >>> tupla[0]=2 Traceback (most recent call last): **File "<stdin>", line 1, in <module> TypeError: 'tuple' object does not support item assignment Conversatii liste -> tuple , tuple->liste Este posibila conversatia dintre cele doua , cu functiile list si tuple , exeplu : >>> tupla=(1,2,3,4) >>> lista=list(tupla)***** # conversatie tupla-lista >>> lista [1, 2, 3, 4] * >>> tuplaconv=tuple(lista) # conversatie lista-tupla >>> tuplaconv (1, 2, 3, 4) Fisiere in Python Conceptul de fisier ( file ) este destul de bine cunoscut , faptul ca gestirea fisierelor in Pytho trebuie facuta in internul limbajuli ( built-in ) garanteaza o voteza si simplitate in gestirea lor , in particular este important sa putem gestiona fisiere cu instructii de limbaj programare , pentru salvarea informatiilor pe HDD si facute persistente . Continuare ^ | Variabilele " input si output " din tabel sunt obiecte de tip file , exemplu : >>> myfile = open('R0cc0.txt','w')****** # apare fisierul in scriere * >>> myfile.write(' linia 1\n')************ #** scrie linia 1 7 >>> myfile.write(' linia 2\n')************ #** scrie linia 2 7 >>> myfile.write(' linia 3\n')************ #** scrie linia 3 7 >>> myfile.close()********************* # inchide fisier * >>> myfile = open('R0cc0.txt','r')****** # Apare fisierul in timpul citirii >>> myfile.readlines()***************** #** citeste din fisier si reda o lista in linii ['linia1\n', 'linia2\n', 'linia3\n'] Functia " open " ne da voie sa citim un fisier care il scriem si returneaza un obiect de tip file care se asociaza lui " myfile ", Utilizam creeatia pentru a scrie in file cu metoda " write " si il inchidem cu " close" . Apoi ne intoarcem la acelasi fisier in citire si printam continutul cu " readlines() . Metode de deschidere ( open ) In afara de " w " si " r " ( write si read ) , care le-am studiat deja , funcia " open " ne arata alte modalitati de deschidere a fisierelor , care le putem utiliza ca si al doilea parametru : Din fisierele deshide in mod binar , putem extrage date ca si byte , fara nici un cod . >>> print(open.__doc__) Miscandune in internul fisierului Pentru a verifica statutul fisierului este suficient a printa datele instantei curente , exemplu : >>> myfile <_eo.TextEuWrapper name='RST.txt' mode='r' encoding='cp1252'> NOTA : sa nu uitam , mereu trebuie sa inchidem fisierele dupa ce le folosim / modificam " (close()) " . Functii Functiile sunt grupuri de instructii care la inceput prind un intreg de valori parametrici si au ca rezultat aceeasi parametrii . Functiile sunt un instrument important . Parmit reutilizarea codului , functiile folosite de mai multe ori intr-un program pot sa fie adunate intr-o singura functie . Permit de structurare codul programului in bloccri omogene din punct de vedere logic pentru a imbunatatii munca programatorului . Sintaxa definirii unei functii este : def nume_functie(<listeaza parametri divizati de virgula >): <bloc de instructiuni> return <rezultat> # optional Odata definita functia in acest mod este posibila retilizarea ei simplu , invocand numele ei , urmat de list de valori , se sub intelege , valorile le vom trece ca si parametri . Exemplu : def patrat(valoare): ris = valoare * valoare return ris a = 5 print patrat(a) Urmarind acest program , rezultat este 25 . Primele 3 linii definesc functia de patrat . De acum innainte numele " patrat " devine parte din " namespace " al modulului curent ( un intreg de nume semnificative in internul modulului ) . Invoam funcia , valoarea trecuta ca si parametru vine transferat la functia numelui parametrului (" valoare ") , vine urmata functia si de restituie rezultatul modululuin invocat . Toate asta ne permit sa sa le introducem in " patrat " , o operatie mai complexa . Introducand functiile trebuie sa distrugem variabilele locale ale functiiloor , deci vor fii utilizate de la sine . Variabilele globale , sau aparente in " namespace "modulului, deci se utilizeaza in afara functiei . Cand se invoca o functie vin transferate valorile variabilelor parametrilor functiilor . Acesta permite functiilor de venire in urma fnctiior care provin din " bloc " . Trecerea pe valori : Vine transferta functiei doar o copie a variabilei, deci funcia nu poate altera valoare variabilei . Trecere pe referinte : In acest caz vine trandferata variabila adevarata , deci poate altera valoare variabilei . In python parametrii trecuti la functii sunt mereu transferati pe valori . Asta e diferenta intre alte limbaje , ca si " C , Pascal" , unde se pot trece parametrii si pe referinte . Practic cand se utilizeaza o variabila , Python incearca prima oara numele acelei variabile in " namespace "local . Daca , cautarea nu este pozitiva , se continua cu " namespace " global si doar succesiv se va cauta numele intre functii ( built – in ) . adica cele default in Python . Acest mecanisc permite de utilizare valoarea variabile si provoaca creearea aceluiasi nume intr-un " namespace " nou . Exemplu : def functie1(): x = 20 # variabila locala cu acelasi nume print x # adevarat' vazut 20 si nu 10 print y # devarat' vazut 19 x = 10 # variabile gloobale y = 19 functie1() Treaba se schimba radicat pentru strcurarea datelor mutabile , care pot fii modificate in internul functiilor . Practic nu sunt niste ariabile adevarate ,deci e posibil sa le modificam . Exemplu : def functie2(a,b = 30): print a, b x = 10 y = 19 functie2(x) functie2(x,y) Functia numita 2 "functie2" are 2 parametrii : a si b , ea vine invocata de 2 ori . Rezultatul primului invoc este 10, 30 , practic parametrul b, nu este indicat , ia valoarea 30 . Rezultatul la al doilea invoc este 10, 19 . Module ( Moduli ) Cand se intra mai adanc in Python , programele / codurile cresc repede , si devin obositoare si greu de gestionat , intregul program intr-un singur file script . Pentru asta e oportun subdidere programu in diverse fisiere de script . Aceasta medoda permite de creeare recolte de functii care pot sa fie utilizate in proiecte diverse . Moduli sunt fisiere de script , "file.py " care pot sa fie reinvocate de alte programe Python pentru reutilizarea functiilor continute . Moduli pot sa fie creati usor de noi cei ce programam , dar daca exista deja multi , dece sa nu ii modificam continutul . Moduli pentru gestionarea string-urilor Moduli pentru invocare functii , din sitemul operativ Moduli pentru gestionarea internetului Moduli pentru e-mail Pentru a scrie un modul , este de ajuns sa creean un " file.py " si sa scriem toate functiile necesare , pentru al putea folosii il vom importa cu , comanda " import " . Exemplu : NOTA : Nu va incerede tin moduli luati de pe internet . import library upa ce ati importat libraria ( modulul ) , ptem simplu invocare functiile continute , folosind " dot notation " . Scriem numele modululi un punct si numele functiei , reusim sa intram in modul si invocare functia . Exemplu : R0cc0.py , contine functiile " open() , close() " , si move(obiect ) , puteti sa invocati functii asa : import library library.open() ogg=5 library.move(ogg) library.close() Daca nu doriti sa utilizati numele librariei , mereu cand invocati o functie , este posibil sa puneti si numele functiei direct . import library from library import move libraty.open() ogg=5 move(ogg) library.close() In acest caz , fuctia mutat face parte din intregul de nume definite in program " namaspace " si nu necesita prefix de nume modul ( librarie ) . library.py in internul programului , este de ajuns sa utilizati caracterul "*" . from library import * open() ogg=5 move(ogg) close() String : Modul care aduna functii pentru gestionarea string-urilor . Functii pentru convertire din strind in numar Functii petru convertire din minuscula in MAJUSCULA Functii pentru inlocuirea de patilor dintr-un string Sys : modul care adna functii pentru reperarea de informatii din sistem , ex : reperearea argumentelor trecute in linia de comanda ( CmD ) . Os : Modul pentru a face operatii din sistemul operativ , ex : copierea , renumirea sau stergerea unui file . Pentru a se inetelege mai bine conceputl de import al numelor functiilor , trebuie sa punem in paralele conceputul " namespace " Fiecare modul are un intreg de nume ( cele de variabile si cele de functii ) care reprezinta nume utilizabile in internul sau . Acest intreg se mai numeste si " namespace " ( spatiul numelor ). Pentr a transporta numele dintr-un " namespace " in altul se poate folosii comanda " import " Mediant , functia " dir() " , cu , care este posibil sa vedem lista de nume . >>> dir() ['__builtins__', '__doc__', '__name__'] Aceste nume de mai sus , sunt nume definite de interpret inainte de a incepe a comunia . Daca noi importam modulul " R0cc0.py " , se obtine asta : >>> from libraty import * >>> dir() ['__builtins__', '__doc__', '__name__', 'open', 'close', 'move'] Acum dupa cum vedeti toate functiile continute de " R0cc0.py " fac parte din " namespace " , de asta nu mai sunt deloc vizibile variabilele precedente , doar cele locale pentru functia in sine . Uitasem , aici gasiti module ( toate ) . Scuzati eventualele greseli gramaticale .