Jump to content

Leaderboard


Popular Content

Showing content with the highest reputation since 09/20/17 in all areas

  1. 19 points
    Mi-am facut si eu blog. Nu o sa scriu prea des, doar asa, din cand in cand... https://nytrosecurity.com/
  2. 12 points
  3. 10 points
  4. 10 points
    Se pare ca voi fi speaker la editia de anul acesta de la Defcamp. Deci va fi cel putin o prezentare ce va avea sigla RST-ului pe ea.
  5. 9 points
    Sa se cheme dupa cel mai tare hacker roman: Tinkoin
  6. 9 points
    Walkthrough: Facut pe Lubuntu 17.04 1. Descarcam imaginea si verificam daca este integra(cred ca am descarcat-o de trei ori pana sa o iau pe cea buna, in rest descarcam doar thumbnail-ul) deci pasul asta e destul de important. $ md5sum crack_me.jpg c720e708ab375e531bb77dca9dd08d38 crack_me.jpg # Deci e ok 2. Dupa cum observam, in imagine este un lacat cu trei rotite. O deschidem cu un editor hex si cautam sa vedem daca in afara de imagine mai este ceva. Ne uitam sa vedem daca dupa biti FF D9 mai este ceva: PK sa_nu_uitam.jpg Observam ca dupa biti de sfarsit al jpg-ului sunt initialele PK ceea ce inseamna ca avem o arhiva zip.(inițialele lui Phil Katz, creatorul formatului zip). In arhiva observam ca mai este o poza "sa_nu_uitam.jpg" 3. Incercam sa o dezarhivam, dar observam ca ne cere o parola, ne intoarcem la poza initiala si asteptam sa ne vina o idee. Prima idee e sa generam toate codurile posibile pentru acel lacat. Am folosit C++ pt asta(lucrez in el si mi-a fost mai usor): #include <iostream> using namespace std; int main() { char digits[] = "0123456789"; char pass[4]; pass[3] = 0; for( int i = 0; i < 10; i++) { pass[0] = digits[i]; for( int j = 0; j < 10; j++) { pass[1] = digits[j]; for( int z = 0; z < 10; z++) { pass[2] = digits[z]; cout << pass << endl; } } } return 0; } /// Il compilam iar cand il rulam ii redirectionam iesirea intr-un fisier: $ g++ main.cpp -o executabil $ ./executabil >> fisier.txt Se poate face in orice limbaj, aici aveti si ceva in python: https://stackoverflow.com/questions/22214949/generate-numbers-with-3-digits 4. Dupa ce am generat toate numerele e timpul sa trecem la bruteforce. Am folosit fcrackzip + am redenumit imaginea crack_me.zip(am schimbat extensia ca se plangea fcrackzip-ul): $ fcrackzip -D -p fisier.txt -u crack_me.zip 5. Primim confirmarea ca parola este : "PASSWORD FOUND!!!!: pw == 099". Dezarhivam si obtinem o nou imagine. 6. Repetam pasul doi si observam ca si aceasta imagine e tot o arhiva cu parola. Prima idee care mi-a venit in minte a fost sa incerc sa pun coordonatele boturilor avioanelor(cei care au jucat avioane stiu ca daca nimeresti botul avionul e pierdut). Asa ca am luat-o in ordine: avionul gri, cel albastru si cel portocaliu -> c2c8j5. Asta e parola. 7. Obtinem un fisier text "acum_e_acum.txt" cu mai cuvinte, fiecare pe o singura linie. La inceput am incercat Caesar's Cipher, dar fara vreun rezultata. Dupa ce am cerut un hint, mi s-a zis sa numar literele de pe fiecare linie. Deci vom avea: d o v g d u 6 - > F p j c d r 5 - > E a j i u g j s t k x r y 12 -> L c l f t c c p c g 9 -> I o l q 3 -> C z w w m y i l k a 9 -> I c o e g a p i c p f q h t j w x i p r t 20 -> T d 1 -> A e z v q o x b h d r g g d l t f z r 18 -> R n s v p m s r t l 9 -> I z m j j b 5 -> E p s r o g e m h p d d u v p k y y s a 19 -> S b e m p y l h o m m f w a j a o p c o s 20 -> T e j r q t u i u e 9 -> I g x m c o f a n b o q q w q u y t l i s a 21 -> U q b e g h l f b i f y o j k 14 -> N b y v a l i b t i h r z i c g l n t 18 -> R s h r f v i u h d g p q g s k 15 -> O g x c v s g q s u k v u s 13 -> M c 1 -> A z k o j u v l c l z w u h o 14 -> N k 1 -> A x i g c 4 -> D l c g b e 5 -> E x j t g r e i v d i r d s g d j t k j t g q 22 -> V n 1 -> A x k j k b c c u a j c p s t g m v e 18 -> R g 1 -> A m e k j w w o b j o y w w b u h a y p t 20 -> T Dupa ce am numarat literele fiecarui cuvant am pus in loc de numarul de litere, litera din alfabet care se afla la pozitia data de numarul literelor. Asa ca am obtinut: FELICITARI ESTI UN ROMAN ADEVARAT. Alte challenge-uri: [Easy] The big fat panda si The Eye of ... Multumesc @Usr6
  7. 9 points
    http://recordit.co/GTIROeGtVr
  8. 9 points
    The vulnerability It is a known issue that Microsoft NTLM architecture has some failures, hash stealing is not something new, it is one of the first things a pentester tries when attacking a Microsoft environment. But, most of these techniques require user intervention or traffic interception to fulfill the attack. These new attacks require no user interaction, everything is done from the attacker’s side, but of course, there are some conditions that need to be met to be successful with this attack. Link articol: http://www.sysadminjd.com/adv170014-ntlm-sso-exploitation-guide/
  9. 8 points
    Salutare, Aici avem singurul PoC real de meltdown, care functioneaza fara probleme (probat de mine). https://github.com/IAIK/meltdown This repository contains several videos demonstrating Meltdown Video #1 shows how Meltdown can be used to spy in realtime on a password input. Video #2 shows how Meltdown leaks physical memory content. Video #3 shows how Meltdown reconstructs a photo from memory. Video #4 shows how Meltdown reconstructs a photo from memory which is encoded with the FLIF file format. Video #5 shows how Meltdown leaks uncached memory. Am incercat sa scot parola de la un login de chrome (parola nefiind salvada, decat introdusa pentru login) merge ca si uns. Hai, la joaca!
  10. 8 points
    https://www.amazon.co.uk/gp/aw/d/B001FCN7O8/ si https://www.amazon.co.uk/gp/aw/d/B01D8N84D0/
  11. 8 points
  12. 8 points
    Try logging with the user "root" without a password on the latest ver of MacOS (try two times) https://mobile.twitter.com/lemiorhan/status/935581020774117381 LE: Already news https://www.laptopmag.com/articles/root-macos-high-sierra
  13. 8 points
    https://www.udemy.com/seo-training-link-building-backlinks-and-keyword-research/?couponCode=FREENOW https://www.udemy.com/insider-secrets-from-an-ethical-hacker-on-internet-safety/?couponCode=ISUFULLPROMO2017 https://www.udemy.com/python-complete/?couponCode=FREEFB4 250 Free Coupons Udemy Courses https://justpaste.it/1c5r5 Nu garantez că toate 250 cursuri sunt la liber dar gasiți voi ceva ce va interesează.
  14. 7 points
  15. 7 points
    With WPA3, Wi-Fi security is about to get a lot tougher Finally, a security reprieve for open Wi-Fi hotspot users. By Zack Whittaker for Zero Day | January 8, 2018 -- 22:28 GMT (22:28 GMT) | Topic: Security At last, Wi-Fi security -- or lack of -- is about to get its day in the sun. The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a near-two decades-old security protocol that's built in to protect almost every wireless device today -- including phones, laptops, and the Internet of Things. SECURITY 101 One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scramble the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated. Another key improvement in WPA3 will protect against brute-force dictionary attacks, making it tougher for attackers near your Wi-Fi network to guess a list of possible passwords. The new wireless security protocol will also block an attacker after too many failed password guesses. WPA2, the current incarnation of the wireless security standard since 2004, uses a four-way handshake to securely allows new devices with a pre-shared password to join a network. The newer WPA3 will use a newer kind of handshake, Mathy Vanhoef, a computer security academic, told ZDNet, which will "not be vulnerable to dictionary attacks." A new wireless security standard can't come soon enough. A few months ago Wi-Fi security was under scrutiny amid a security vulnerability in WPA2, discovered by Vanhoef, which put every WPA2-compatible device -- including routers, phones, and computers -- at risk of hijack. The new WPA3 security standard is expected to land in devices later this year. Sursa: http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/
  16. 7 points
    Salut, Ma uitam azi peste modificarile facute de catre "prietenii" de la PSD-ALDE si observ ceva interesant. Este vorba de "Art. 223 Condițiile și cazurile de aplicare a măsurii arestării preventive", alineatul 2. Textul initial: "Măsura arestării preventive a inculpatului poate fi luată şi dacă din probe rezultă suspiciunea rezonabilă că acesta a săvârșit o infracțiune intenționată contra vieții, o infracțiune prin care s-a cauzat vătămarea corporală sau moartea unei persoane, o infracțiune contra securității naționale prevăzută de Codul penal și alte legi speciale, o infracțiune de trafic de droguri, de efectuare de operațiuni ilegale cu precursori sau cu alte produse susceptibile de a avea efecte psihoactive, o infracțiune privind nerespectarea regimului armelor, munițiilor, materialelor nucleare și al materiilor explozive, trafic și exploatarea persoanelor vulnerabile, acte de terorism, spălare a banilor, falsificare de monede, timbre sau de alte valori, șantaj, viol, lipsire de libertate în mod ilegal, evaziune fiscală, ultraj, ultraj judiciar, o infracțiune de corupție, o infracțiune săvârșită prin sisteme informatice sau mijloace de comunicare electronică sau o altă infracțiune pentru care legea prevede pedeapsa închisorii de 5 ani ori mai mare și, pe baza evaluării gravității faptei, a modului și a circumstanțelor de comitere a acesteia, a anturajului și a mediului din care acesta provine, a antecedentelor penale și a altor împrejurări privitoare la persoana acestuia, se constată că privarea sa de libertate este necesară pentru înlăturarea unei stări de pericol pentru ordinea publică." Textul modificat: "Măsura arestării preventive a inculpatului poate fi luată şi dacă din probe rezultă suspiciunea rezonabilă că acesta a săvârșit o infracțiune intenționată contra vieții, o infracțiune prin care s-a cauzat vătămarea corporală sau moartea unei persoane, o infracțiune contra securității naționale prevăzută de Codul penal și alte legi speciale, o infracțiune de trafic de stupefiante, trafic de arme, trafic de persoane, de terorism şi care vizează acte de terorism, falsificare de monede ori alte valori, șantaj, viol, lipsire de libertate, ultraj, ultraj judiciar sau o altă infracțiune comisă cu violență si, cumulativ, pe baza evaluării gravității faptei, a modului și a circumstanțelor de comitere a acesteia, a anturajului și a mediului din care acesta provine, a antecedentelor penale și a altor împrejurări privitoare la persoana acestuia, se constată că privarea sa de libertate este absolut necesară pentru înlăturarea unei stări de pericol concret pentru ordinea publică." Aveti aici un DIFF: Cum ma asteptam, se vede ca lipsesc urmatoarele lucruri: - spalarea banilor - evaziune fiscala - infractiune de coruptie Dar si "infractiune savarsita prin sisteme informatice sau mijloace de comunicare electronica". Cu alte cuvinta, dupa parerea mea de persoana care nu se pricepe in domeniul legal, pentru acele infractiuni nu se va mai aplica arestarea preventiva. Am postat acest lucru pentru ca in cazul in care sunteti acuzati de "infractiuni savarsite prin sisteme informatice", sa aveti in vedere ca (daca va trece legea si probabil va trece), nu veti putea fi retinuti. Gasiti aici o colectie de modificari marca PSD: http://media.hotnews.ro/media_server1/document-2017-12-14-22176865-0-transpunere-directiva-nevinovatie-13-dec.pdf
  17. 7 points
    Nu are rost pentru ca esti robot! Mizeria (teenspaidcash) e scam. Daca bagi o donatie de min 10 eur aici si postezi dovada iti voi explica si in detaliu de ce e scam.
  18. 7 points
    Dear Dr.d3v1l The vulnerabilities you reported has been fixed. As a token of our appreciation we would like to offer you a t-shirt. If you would like a t-shirt please provide us with your preferred t-shirt size (S/M/L/XL/XXL) and on what address you would like to receive the t-shirt. Thanks in advance for your reply and thanks again for your report. Sincerely,
  19. 7 points
  20. 7 points
    Cyber Security Base with F-Secure is a free course series by University of Helsinki in collaboration with F-Secure Cyber Security Academy that focuses on building core knowledge and abilities related to the work of a cyber security professional. About the Course Series The course series consists of multiple smaller courses, each with a specific theme. Themes include a brief introduction to cyber security, operational security, web software development, types of vulnerabilities typical of web software, discovery and mitigation of such vulnerabilities, and advanced topics such as secure software architectures and cryptography. There will be several case studies as well as projects for participants. At the end of the course series, we'll also organize a friendly competition where participants get to find and fix vulnerabilities within a limited time frame. The course will launch on 31st of October, 2017. More information at: mooc.fi. The material for the last year's course is still available here. Leave us your email and we will send you updates about Cyber Security Base with F‑Secure https://cybersecuritybase.github.io/
  21. 7 points
  22. 6 points
    Name: TheBodyguard.jpg MD5: 1593E87EA6754E3960A43F6592CC2509 import string alfabet = string.ascii_lowercase alfabet2 = string.ascii_uppercase parola = "?" plain_text = "" for i in parola: if i in alfabet: plain_text += i def enc1(text): ret = "" for i in text: tmp = alfabet.find(i) if tmp != -1: ret += alfabet2[(tmp + 3) % 26] return ret def enc2(t1, t2): ret = "" for i in range(len(t1)): ret += str(ord(t1[i]) + ord(t2[i])) + "," return ret print "You need this:", enc2(parola, enc1(parola)) Output: You need this:201,203,165,195,165,191,205,187,181,191,173,187,173,187,193,199,
  23. 6 points
  24. 6 points
    During a black-box penetration test we encountered a Java web application which presented us with a login screen. Even though we managed to bypass the authentication mechanism, there was not much we could do. The attack surface was still pretty small, there were only a few things we could tamper with. 1. Identifying the entry point In the login page I noticed a hidden POST parameter that was being sent for every login request: <input type="hidden" name="com.ibm.faces.PARAM" value="rO0..." /> The famous Base64 rO0 (ac ed in HEX) confirmed us that we were dealing with a Base64 encoded Java serialized object. The Java object was actually an unencrypted JSF ViewState. Since deserialization vulnerabilities are notorious for their trickiness, I started messing with it. Full Article: https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/
  25. 6 points
    There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide. Table of Contents Windows stack overflows Windows heap overflows Kernel based Windows overflows Windows Kernel Memory Corruption Return Oriented Programming Windows memory protections Bypassing filter and protections Typical windows exploits Exploit development tutorial series Corelan Team Fuzzysecurity Securitysift Whitehatters Academy TheSprawl Expdev-Kiuhnm Tools Windows stack overflows Stack Base Overflow Articles. Win32 Buffer Overflows (Location, Exploitation and Prevention) - by Dark spyrit [1999] Writing Stack Based Overflows on Windows - by Nish Bhalla’s [2005] Stack Smashing as of Today - by Hagen Fritsch [2009] SMASHING C++ VPTRS - by rix [2000] Windows heap overflows Heap Base Overflow Articles. Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002] Exploiting the MSRPC Heap Overflow Part 1 - by Dave Aitel (MS03-026) [September 2003] Exploiting the MSRPC Heap Overflow Part 2 - by Dave Aitel (MS03-026) [September 2003] Windows heap overflow penetration in black hat - by David Litchfield [2004] Glibc Adventures: The Forgotten Chunk - by François Goichon [2015] Pseudomonarchia jemallocum - by argp & huku The House Of Lore: Reloaded - by blackngel [2010] Malloc Des-Maleficarum - by blackngel [2009] free() exploitation technique - by huku Understanding the heap by breaking it - by Justin N. Ferguson [2007] The use of set_head to defeat the wilderness - by g463 The Malloc Maleficarum - by Phantasmal Phantasmagoria [2005] Exploiting The Wilderness - by Phantasmal Phantasmagoria [2004] Advanced Doug lea's malloc exploits - by jp Kernel based Windows overflows Kernel Base Exploit Development Articles. How to attack kernel based vulns on windows was done - by a Polish group called “sec-labs” [2003] Sec-lab old whitepaper Sec-lab old exploit Windows Local Kernel Exploitation (based on sec-lab research) - by S.K Chong [2004] How to exploit Windows kernel memory pool - by SoBeIt [2005] Exploiting remote kernel overflows in windows - by Eeye Security Kernel-mode Payloads on Windows in uninformed - by Matt Miller Exploiting 802.11 Wireless Driver Vulnerabilities on Windows BH US 2007 Attacking the Windows Kernel Remote and Local Exploitation of Network Drivers Exploiting Comon Flaws In Drivers I2OMGMT Driver Impersonation Attack Real World Kernel Pool Exploitation Exploit for windows 2k3 and 2k8 Alyzing local privilege escalations in win32k Intro to Windows Kernel Security Development There’s a party at ring0 and you’re invited Windows kernel vulnerability exploitation A New CVE-2015-0057 Exploit Technology - by Yu Wang [2016] Exploiting CVE-2014-4113 on Windows 8.1 - by Moritz Jodeit [2016] Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012] Windows Kernel Exploitation - by Simone Cardona 2016 Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects - by Saif Sherei 2017 Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes - by keen team [2015] Abusing GDI for ring0 exploit primitives - [2016] Windows Kernel Memory Corruption Windows Kernel Memory Corruption Exploit Development Articles. Remote Windows Kernel Exploitation - by Barnaby Jack [2005] windows kernel-mode payload fundamentals - by Skape [2006] exploiting 802.11 wireless driver vulnerabilities on windows - by Johnny Cache, H D Moore, skape [2007] Kernel Pool Exploitation on Windows 7 - by Tarjei Mandt [2011] Windows Kernel-mode GS Cookies and 1 bit of entropy - [2011] Subtle information disclosure in WIN32K.SYS syscall return values - [2011] nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques - [2011] SMEP: What is it, and how to beat it on Windows - [2011] Kernel Attacks through User-Mode Callbacks - by Tarjei Mandt [2011] Windows Security Hardening Through Kernel Address Protection - by Mateusz "j00ru" Jurczyk [2011] Reversing Windows8: Interesting Features of Kernel Security - by MJ0011 [2012] Smashing The Atom: Extraordinary String Based Attacks - by Tarjei Mandt [2012] Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012] Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement - by MJ0011 [2012] MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit - [2013] KASLR Bypass Mitigations in Windows 8.1 - [2013] First Dip Into the Kernel Pool: MS10-058 - by Jeremy [2014] Windows 8 Kernel Memory Protections Bypass - [2014] An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - by Weimin Wu [2014] Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool - [2014] Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit - by Aaron Adams [2015] Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong) - by Dominic Wang [2015] Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit - by Cedric Halbronn [2015] Abusing GDI for ring0 exploit primitives - by Diego Juarez [2015] Duqu 2.0 Win32k exploit analysis - [2015] Return Oriented Programming The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls Blind return-oriented programming Sigreturn-oriented Programming Jump-Oriented Programming: A New Class of Code-Reuse Attack Out of control: Overcoming control-flow integrity ROP is Still Dangerous: Breaking Modern Defenses Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015] Systematic Analysis of Defenses Against Return-Oriented Programming -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013] Return-oriented programming without returns -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010] Jump-oriented programming: a new class of code-reuse attack -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011] Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection - by L. Davi, A. Sadeghi, and D. Lehmann [2014] Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014] Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1 - by Marco Mastropaolo [2005] Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2 - by Marco Mastropaolo [2005] Practical Rop - by Dino Dai Zovi [2010] Exploitation with WriteProcessMemory - by Spencer Pratt [2010] Exploitation techniques and mitigations on Windows - by skape A little return oriented exploitation on Windows x86 – Part 1 - by Harmony Security and Stephen Fewer [2010] A little return oriented exploitation on Windows x86 – Part 2 - by Harmony Security and Stephen Fewer [2010] Windows memory protections Windows memory protections Introduction Articles. Data Execution Prevention /GS (Buffer Security Check) /SAFESEH ASLR SEHOP Bypassing filter and protections Windows memory protections Bypass Methods Articles. Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002] Creating Arbitrary Shellcode In Unicode Expanded Strings - by Chris Anley Advanced windows exploitation - by Dave Aitel [2003] Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server - by David Litchfield Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - by Matt Conover in cansecwest 2004 Safely Searching Process Virtual Address Space - by Matt Miller [2004] IE exploit and used a technology called Heap Spray Bypassing hardware-enforced DEP - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005] Exploiting Freelist[0] On XP Service Pack 2 - by Brett Moore [2005] Kernel-mode Payloads on Windows in uninformed Exploiting 802.11 Wireless Driver Vulnerabilities on Windows Exploiting Comon Flaws In Drivers Heap Feng Shui in JavaScript by Alexander sotirov [2007] Understanding and bypassing Windows Heap Protection - by Nicolas Waisman [2007] Heaps About Heaps - by Brett moore [2008] Bypassing browser memory protections in Windows Vista - by Mark Dowd and Alex Sotirov [2008] Attacking the Vista Heap - by ben hawkes [2008] Return oriented programming Exploitation without Code Injection - by Hovav Shacham (and others ) [2008] Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 - by Cesar Cerrudo [2008] Defeating DEP Immunity Way - by Pablo Sole [2008] Practical Windows XP2003 Heap Exploitation - by John McDonald and Chris Valasek [2009] Bypassing SEHOP - by Stefan Le Berre Damien Cauquil [2009] Interpreter Exploitation : Pointer Inference and JIT Spraying - by Dionysus Blazakis[2010] Write-up of Pwn2Own 2010 - by Peter Vreugdenhil All in one 0day presented in rootedCON - by Ruben Santamarta [2010] DEP/ASLR bypass using 3rd party - by Shahin Ramezany [2013] Bypassing EMET 5.0 - by René Freingruber [2014] Typical windows exploits Real-world HW-DEP bypass Exploit - by Devcode Bypassing DEP by returning into HeapCreate - by Toto First public ASLR bypass exploit by using partial overwrite - by Skape Heap spray and bypassing DEP - by Skylined First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability Exploit codes of bypassing browsers memory protections PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1 - by Cesar Cerrudo PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2 - by Cesar Cerrudo An exploit works from win 3.1 to win 7 - by Tavis Ormandy KiTra0d Old ms08-067 metasploit module multi-target and DEP bypass PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass SMBv2 Exploit - by Stephen Fewer Microsoft IIS 7.5 remote heap buffer overflow - by redpantz Browser Exploitation Case Study for Internet Explorer 11 - by Moritz Jodeit [2016] Exploit development tutorial series Exploid Development Tutorial Series Base on Windows Operation System Articles. Corelan Team Exploit writing tutorial part 1 : Stack Based Overflows Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode Exploit writing tutorial part 3 : SEH Based Exploits Exploit writing tutorial part 3b : SEH Based Exploits – just another example Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc Exploit writing tutorial part 8 : Win32 Egg Hunting Exploit writing tutorial part 9 : Introduction to Win32 shellcoding Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube Exploit writing tutorial part 11 : Heap Spraying Demystified Fuzzysecurity Part 1: Introduction to Exploit Development Part 2: Saved Return Pointer Overflows Part 3: Structured Exception Handler (SEH) Part 4: Egg Hunters Part 5: Unicode 0x00410041 Part 6: Writing W32 shellcode Part 7: Return Oriented Programming Part 8: Spraying the Heap Chapter 1: Vanilla EIP Part 9: Spraying the Heap Chapter 2: Use-After-Free Part 10: Kernel Exploitation -> Stack Overflow Part 11: Kernel Exploitation -> Write-What-Where Part 12: Kernel Exploitation -> Null Pointer Dereference Part 13: Kernel Exploitation -> Uninitialized Stack Variable Part 14: Kernel Exploitation -> Integer Overflow Part 15: Kernel Exploitation -> UAF Part 16: Kernel Exploitation -> Pool Overflow Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit) Heap Overflows For Humans 101 Heap Overflows For Humans 102 Heap Overflows For Humans 102.5 Heap Overflows For Humans 103 Heap Overflows For Humans 103.5 Securitysift Windows Exploit Development – Part 1: The Basics Windows Exploit Development – Part 2: Intro to Stack Based Overflows Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules Windows Exploit Development – Part 4: Locating Shellcode With Jumps Windows Exploit Development – Part 5: Locating Shellcode With Egghunting Windows Exploit Development – Part 6: SEH Exploits Windows Exploit Development – Part 7: Unicode Buffer Overflows Whitehatters Academy Intro to Windows kernel exploitation 1/N: Kernel Debugging Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver Intro to Windows kernel exploitation 3/N: My first Driver exploit Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver Backdoor 103: Fully Undetected Backdoor 102 Backdoor 101 TheSprawl corelan - integer overflows - exercise solution heap overflows for humans - 102 - exercise solution exploit exercises - protostar - final levels exploit exercises - protostar - network levels exploit exercises - protostar - heap levels exploit exercises - protostar - format string levels exploit exercises - protostar - stack levels open security training - introduction to software exploits - uninitialized variable overflow open security training - introduction to software exploits - off-by-one open security training - introduction to re - bomb lab secret phase open security training - introductory x86 - buffer overflow mystery box corelan - tutorial 10 - exercise solution corelan - tutorial 9 - exercise solution corelan - tutorial 7 - exercise solution getting from seh to nseh corelan - tutorial 3b - exercise solution Expdev-Kiuhnm WinDbg Mona 2 Structure Exception Handling (SEH) Heap Windows Basics Shellcode Exploitme1 (ret eip overwrite) Exploitme2 (Stack cookies & SEH) Exploitme3 (DEP) Exploitme4 (ASLR) Exploitme5 (Heap Spraying & UAF) EMET 5.2 Internet Explorer 10 - Reverse Engineering IE Internet Explorer 10 - From one-byte-write to full process space read/write Internet Explorer 10 - God Mode (1) Internet Explorer 10 - God Mode (2) Internet Explorer 10 - Use-After-Free bug Internet Explorer 11 - Part 1 Internet Explorer 11 - Part 2 Tools Disassemblers, debuggers, and other static and dynamic analysis tools. angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab. BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework. Binary Ninja - Multiplatform binary analysis IDE supporting various types of binaries and architecturs. Scriptable via Python. binnavi - Binary analysis IDE for reverse engineering based on graph visualization. Bokken - GUI for Pyew and Radare. Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages. codebro - Web based code browser using clang to provide basic code analysis. dnSpy - .NET assembly editor, decompiler and debugger. Evan's Debugger (EDB) - A modular debugger with a Qt GUI. GDB - The GNU debugger. GEF - GDB Enhanced Features, for exploiters and reverse engineers. hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols. IDA Pro - Windows disassembler and debugger, with a free evaluation version. Immunity Debugger - Debugger for malware analysis and more, with a Python API. ltrace - Dynamic analysis for Linux executables. objdump - Part of GNU binutils, for static analysis of Linux binaries. OllyDbg - An assembly-level debugger for Windows executables. PANDA - Platform for Architecture-Neutral Dynamic Analysis PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands. pestudio - Perform static analysis of Windows executables. Process Monitor - Advanced monitoring tool for Windows programs. Pyew - Python tool for malware analysis. Radare2 - Reverse engineering framework, with debugger support. SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis. strace - Dynamic analysis for Linux executables. Udis86 - Disassembler library and tool for x86 and x86_64. Vivisect - Python tool for malware analysis. X64dbg - An open-source x64/x32 debugger for windows. Sursa: https://github.com/enddo/awesome-windows-exploitation
×