-
Posts
63 -
Joined
-
Last visited
-
Days Won
11
NO-MERCY last won the day on December 27 2015
NO-MERCY had the most liked content!
About NO-MERCY
- Birthday 03/21/1988
Recent Profile Visitors
The recent visitors block is disabled and is not being shown to other users.
NO-MERCY's Achievements
Newbie (1/14)
250
Reputation
-
Excellent paper ... let's move to Overflow Routers Read More : WRT120N fprintf Stack Overflow Developing MIPS Exploits to Hack Routers Exploiting Embedded Devices Router Exploitation - BHUSA09-Lindner WRITING MIPS-IRIX SHELLCODE
- 1 reply
-
- 2
-
Hello RST: Shellcode Tutorials | Project Shellcode The following are tutorials on how to write Windows shellcode for beginners through to advanced. Maded by : Ty Miller http://www.projectshellcode.com and it's not available .. NO MORE .... So .. here you can download it as a book .. all in one PDF Hope You Find It Useful Contents: Shellcode Tutorial 1: Introduction and Tools Setup Gives an intro into shellcode and steps you through setting up your environment. Shellcode Tutorial 2: My First Simple Shellcode Steps you through creating and testing very simple shellcode. Shellcode Tutorial 3: Windows Command Execution Shellcode Define and locate a string constant, and use it to create a new administrative Windows user. Shellcode Tutorial 4: Message Box Shellcode Teaches you how to load libraries, call simple functions, and execute them. Shellcode Tutorial 5: Function Hash Generation Defining and using constants, more complex functions, generating function hashes, and an introduction to OllyDbg! Shellcode Tutorial 6: Dynamic Shellcode Dynamically locate Kernel32 and function addresses. No more hardcoded addreses! Shellcode Tutorial 7: Introduction to Sockets - Portbind Shellcode Dynamic shellcode that loads ws2_32.dll and creates a listening port that provides a command shell to remote users. Shellcode Tutorial 8: Introduction to Networking - Connectback Shellcode Dynamic shellcode that initializes a connection back to the attacker and connects them to a command shell on the compromised system. Shellcode Tutorial 9: Generating Shellcode Using Metasploit Use the Metasploit Exploit Framework web interface and msfpayload command to generate various shellcode for different platforms in a range of formats. Details: Pdf By: NO-MERCY File: Project Shellcode Development Framework.pdf CRC-32: 130372df MD4: a8dc3c59cac4797c555e3a9f20aaa642 MD5: 54f473cb20951c80f0b06e222b26ab06 SHA-1: ab0890de6346604f6f6ad7a2c20de890921e66d4 Pages:70 Size:1.35 MB Download Book Tools Used (part1 Contents) : all files will be available here .. Just some Minutes ----------------------------------------------------- Ok .. the link Contain tools used + skape paper + Steve Hanna article + 2 Books Note : You can Use any Metasploit Version it's not included because my Fu**ing Limited internet ..... Tools Used Size: 14.8 MB Password: infected why? because 'shellcode-compiler.sh' AV will catch it .. Regards NO-MERCY and Of Course Thanks Ty Miller
-
Hello Rst: How to write a (Linux x86) shellcode 1- Introduction to Linux shellcode writing (Part 1) 2- Introduction to Linux shellcode writing (Part 2) 3- How to write a (Linux x86) port-biding shellcode 4- How to write a (Linux x86) reverse connection shellcode 5- How to write a (Linux x86) egg hunter shellcode This is very brief and basic list of steps to follow if you want to write a shellcode under Linux operating system. Introduction to Linux shellcode writing (Part 1) | Adventures in the programming jungle In the previous ticket we created a dummy shellcode firstly in C language and then in the assembler language; we tested the dummy shellcode but we’ve seen that the execution was failing. In this ticket we will try to fix the dummy shellcode problems and hopefully we will be able to execute it successfully. Introduction to Linux shellcode writing (Part 2) | Adventures in the programming jungle The goal of this ticket is to write a shellcode that will open a socket on a specific port and executes a shell when someone connects to the specific port. How to write a (Linux x86) port-biding shellcode | Adventures in the programming jungle The goal of this ticket is to write a shellcode that makes a connection from the hacked system to a different system where it can be cached by different network tools like net cat How to write a (Linux x86) reverse connection shellcode | Adventures in the programming jungle The goal of this ticket is to write an egg hunter shellcode. An egg hunter is a piece of code that when is executed is looking for another piece of code (usually bigger) called the egg and it passes the execution to the egg. This technique is usually used when the space of executing shellcode is limited (the available space is less than the egg size) and it is possible to inject the egg in another memory location. Because the egg is injected in a non static memory location the egg must start with an egg tag in order to be recognized by the egg hunter. How to write a (Linux x86) egg hunter shellcode | Adventures in the programming jungle Regards NO-MERCY Source: http://itblog.adrian.citu.name/category/it-security/shellcode/
-
it's Not Added to torrent Yet .. Try Once Again with Valid Links (Nitroflare) & resume Download With idm without download it again "Refresh Download address" and "IDM" will go to webpage link and download the file without closing the small popup window it will close when catching new link and resume download
-
Linux (x86) Exploit Development Series
NO-MERCY replied to neox's topic in Reverse engineering & exploit development
Hello RST : Final Dark Pdf Edition Completed All Code Syn-taxed Cover : Details : File: Linux (x86) Exploit Development Series _ Final Black.pdf CRC-32: 5efc67a5 MD4: 8a7f2415918cf8bb1e94dcda68bf1608 MD5: 2142e345fad13acdfcea20ea85f23ce0 SHA-1: 7ae65d6515136e9e912be94a0e0013b056071639 Pages: 107 Size: 10.4 MB Download : 4SHARED Link Best Regards NO-MERCY -
thx .. I'll try to Make Final Edition Soon u Know it's Take Very Very Long Time But Promise .. tO be Continue .. you Mean all links in pdf or just pics hyperlinks or you don't trust any Damn link Greetings
- 9 replies
-
- development
- exploit
-
(and 3 more)
Tagged with:
-
Blind Return Oriented Programming (BROP) Hello Rst : When hacking software, there are three exploit scenarios: Open-source (e.g., Apache) Open-binary (e.g., Internet Explorer) Closed-binary and source (e.g., some proprietary network service) This work studies whether it is possible to attack the third case. The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.). The attack completes within 4,000 requests (within minutes) when tested against a toy proprietary service, and real vulnerabilities in nginx and MySQL. The fundamental problem sometimes seen in servers is that they fork a new worker process after a crash, without any rerandomization (e.g., no execve follows the fork). nginx for example does this. The paper describing the work is: A. Bittau, A. Belay, A. Mashtizadeh, D. Mazières, D. Boneh: Paper. In Oakland 2014. [slides] Attack outline Break ASLR by "stack reading" a return address (and canaries). Find a "stop gadget" which halts ROP chains so that other gadgets can be found. Find the BROP gadget which lets you control the first two arguments of calls. Find a call to strcmp, which as a side effect sets the third argument to calls (e.g., write length) to a value greater than zero. Find a call to write. Write the binary from memory to the socket. Dump the symbol table from the downloaded binary to find calls to dup2, execve, and build shellcode. Downloads Braille A fully automated tool that conducts a BROP attack (from crash to remote shell) when supplied with an input string that crashes a server due to a stack overflow. Optimized nginx BROP exploit A generic 64-bit exploit for nginx 1.4.0 that uses BROP, optimized for nginx's case. This also includes an IP fragmentation router to make the attack possible on WANs. nginx does a non-blocking read on a 4096 byte buffer, and typical MTUs are 1500, so IP fragmentation is needed to deliver a large TCP segment that will result in a single read of over 4096 bytes. Ali's server The toy proprietary service written by a colleague used as a test case in the paper for hacking without neither binary nor source code knowledge. Source : http://www.scs.stanford.edu/brop/ Tutorial In Chinese : Chung Fing Hung http://drops.wooyun.org/tips/3071 Tutorials by : Liu Yutao in English : Blind Return Oriented Programming (BROP) Attack (1) http://ytliu.info/blog/2014/05/31/blind-return-oriented-programming-brop-attack-yi/ Blind Return Oriented Programming (BROP) Attack (2) http://ytliu.info/blog/2014/06/01/blind-return-oriented-programming-brop-attack-er/ PART1 & 2 in PDF By : NO-MERCY Demo : http://ytliu.info/images/nginx-brop.mp4 Regards NO-MERCY
-
All In One Pdf Finished Today : Details : File: Modern Windows Exploit Development.pdf Size: 19.0 MB Pages: 529 CRC-32: 0c5c697f MD4: 5ed2b468e7d5e0d6938205cd5964354b MD5: 38a36b37a5105195795e57edde6cb217 SHA-1: bd23cc60c3508ecbb7fb87ec02ceb774d89ff49e Download : Modern Windows Exploit Development - Download - 4shared - NO-MERCY AT4RE Regards NO-MERCY FileShare Download Modern Windows Exploit Development.pdf (by: Church) https://mega.nz/#!9lwRnAAB!Hw0pP7NMLfdcE8saw0uI9coAG2a_0xckiL9IMhUJz_Y (by: m4v3rick) https://drive.google.com/file/d/0B8sHjc3kJKQrUTYxSkpldy01ZWs/view (By:Unknown)
- 9 replies
-
- development
- exploit
-
(and 3 more)
Tagged with:
-
Chrome and Sandbox issues.
NO-MERCY replied to StoneIce's topic in Reverse engineering & exploit development
Take a look : Project Zero: In-Console-Able https://bromiumlabs.files.wordpress.com/2013/07/application_sandboxes_a_pen_tester_s_perspective2.pdf -
Skape - From Metasploit to Microsoft Hello Rst : If You interested in Windows Exploitation Then you Saw This name several Times while Seaching Or Reading Some Papers & Articles Matt Miller Aka Skape (Who's This Guy ?) Metasploit developer , who for years frustrated Microsoft officials with the public release of Windows exploits, is heading to Redmond to join Microsoft's Security Science team. Miller, who uses the hacker moniker Skape,will work on improved ways to find security vulnerabilities and better software defenses through mitigations, according to an announcement by SDL guru Michael Howard. "Matt brings a massive amount of real-world exploit and defense experience to our team," Howard said, nothing that Miller has been focused on design review for Windows 7, the next major revision of the operating system. Miller's work around exploiting -- and attempting to secure -- the Windows ecosystem is legendary. In tandem with HD Moore, he has been one of the core developers on Metasploit, a free point-and-click pentest/attack tool, specializing in exploitation techniques/mitigations, reverse engineering, program analysis and modeling, rootkits and virtualization. Over IM this morning, HD Moore said Miller designed a large chunk of the Metasploit 3 architecture, built the meterpreter payload system, and generally led the entire win32 shellcode improvement efforts. "He has done some exploit work as well, but his focus was mostly on encoders, shellcode, and payloads," Moore said. Miller was the third 'full-time' developer at Metasploit, having joined the volunteer group in mid-2004. He is the author of several groundbreaking research papers, including techniques to bypass Windows Hardware-enforced DEP, improving software security analysis using exploitation properties and exploring the history of exploitation techniques (.pdf) and mitigations on Windows. Miller is also an editor for the Uninformed Journal, a free online journal that focuses on encouraging the sharing of technical knowledge. Miller just open-sourced his WehnTrust HIPS project, which adds anti-exploit mechanisms/mitigations to Windows 2000, Windows XP and Windows Server 2003 systems. skape mmiller [at] hickorg Interests Exploitation techniques Exploitation mitigations Program analysis & modeling Reverse engineering Rootkits Virtualization Software metasploit An advanced, open-source exploitation framework. wehntrust An implementation of Address Space Layout Randomization (ASLR) for Windows 2000, XP, and 2003 Server. x64auto IDA plugin designed to provide additional information when analyzing x64 PE files. winstrace A user-mode system call tracing utility for Windows. memgrep A dynamic memory analysis utility for Linux and FreeBSD. Presentations The Evolution of Microsoft's Exploit Mitigations (Blue Hat Fall 2008) Avoiding Driver Security Pitfalls (DDC 2008) Modeling the trust boundaries created by securable objects (WOOT 2008) State of the Exploit (Seattle ToorCon 2008) A Brief History of Exploitation Techniques and Mitigations on Windows (BreakPoint 2007) Cthulhu: A software analysis framework built on Phoenix (ToorCon 2007) Exploitation Chronomancy (ToorCon 2005) Beyond EIP (Black Hat USA 2005) Papers Using dual-mappings to evade automated unpackers (Oct, 2008) Automated unpackers such as Renovo, Saffron, and Pandora's Bochs attempt to dynamically unpack executables by detecting the execution of code from regions of virtual memory that have been written to. While this is an elegant method of detecting dynamic code execution, it is possible to evade these unpackers by dual-mapping physical pages to two distinct virtual address regions where one region is used as an editable mapping and the second region is used as an executable mapping. In this way, the editable mapping is written to during the unpacking process and the executable mapping is used to execute the unpacked code dynamically. This effectively evades automated unpackers which rely on detecting the execution of code from virtual addresses that have been written to. Modeling the trust boundaries created by securable objects (Jul, 2008) One of the most critical steps of any security review involves identifying the trust boundaries that an application is exposed to. While methodologies such as threat modeling can be used to help obtain this understanding from an application's design, it can be difficultcult to accurately map this understanding to an application's implementation. This difficultculty suggests that there is a need for techniques that can be used to gain a better understanding of the trust boundaries that exist within an application's implementation. To help address this problem, this paper describes a technique that can be used to model the trust boundaries that are created by securable objects on Windows. Dynamic instrumentation is used to generate object trace logs which describe the contexts in which securable objects are defned, used, and have their security descriptor updated. This information is used to identify the data flows that are permitted by the access rights granted to securable objects. It is then shown how these data flows can be analyzed to gain an understanding of the trust boundaries, threats, and potential elevation paths that exist within a given system. Improving Software Security Analysis using Exploitation Properties (Dec, 2007) Reliable exploitation of software vulnerabilities has continued to become more difficult as formidable mitigations have been established and are now included by default with most modern operating systems. Future exploitation of software vulnerabilities will rely on either discovering ways to circumvent these mitigations or uncovering flaws that are not adequately protected. Since the majority of the mitigations that exist today lack universal bypass techniques, it has become more fruitful to take the latter approach. It is in this vein that this paper introduces the concept of exploitation properties and describes how they can be used to better understand the exploitability of a system irrespective of a particular vulnerability. Perceived exploitability is of utmost importance to both an attacker and to a defender given the presence of modern mitigations. The ANI vulnerability (MS07-017) is used to help illustrate these points by acting as a simple example of a vulnerability that may have been more easily identified as code that should have received additional scrutiny by taking exploitation properties into consideration. A Catalog of Local Windows Kernel-mode Backdoor Techniques (Aug, 2007) This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits. Generalizing Data Flow Information (Aug, 2007) Generalizing information is a common method of reducing the quantity of data that must be considered during analysis. This fact has been plainly illustrated in relation to static data flow analysis where previous research has described algorithms that can be used to generalize data flow information. These generalizations have helped support more optimal data flow analysis in certain situations. In the same vein, this paper describes a process that can be employed to generalize and persist data flow information along multiple generalization tiers. Each generalization tier is meant to describe the data flow behaviors of a conceptual software element such as an instruction, a basic block, a procedure, a data type, and so on. This process makes use of algorithms described in previous literature to support the generalization of data flow information. To illustrate the usefulness of the generalization process, this paper also presents an algorithm that can be used to determine reachability at each generalization tier. The algorithm determines reachability starting from the least specific generalization tier and uses the set of reachable paths found to progressively qualify data flow information for each successive generalization tier. This helps to constrain the amount of data flow information that must be considered to a minimal subset. Memalyze: Dynamic Analysis of Memory Access Behavior in Software (Apr, 2007) This paper describes strategies for dynamically analyzing an application's memory access behavior. These strategies make it possible to detect when a read or write is about to occur at a given location in memory while an application is executing. An application's memory access behavior can provide additional insight into its behavior. For example, it may be able to provide an idea of how data propagates throughout the address space. Three individual strategies which can be used to intercept memory accesses are described in this paper. Each strategy makes use of a unique method of intercepting memory accesses. These methods include the use of Dynamic Binary Instrumentation (DBI), x86 hardware paging features, and x86 segmentation features. A detailed description of the design and implementation of these strategies for 32-bit versions of Windows is given. Potential uses for these analysis techniques are described in detail. Reducing the Effective Entropy of GS Cookies (Mar, 2007) This paper describes a technique that can be used to reduce the effective entropy in a given GS cookie by roughly 15 bits. This reduction is made possible because GS uses a number of weak entropy sources that can, with varying degrees of accuracy, be calculated by an attacker. It is important to note, however, that the ability to calculate the values of these sources for an arbitrary cookie currently relies on an attacker having local access to the machine, such as through the local console or through terminal services. This effectively limits the use of this technique to stack-based local privilege escalation vulnerabilities. In addition to the general entropy reduction technique, this paper discusses the amount of effective entropy that exists in services that automatically start during system boot. It is hypothesized that these services may have more predictable states of entropy due to the relative consistency of the boot process. While the techniques described in this paper do not illustrate a complete break of GS, any inherent weakness can have disastrous consequences given that GS is a static, compile-time security solution. It is not possible to simply distribute a patch. Instead, applications must be recompiled to take advantage of any security improvements. In that vein, the paper proposes some solutions that could be applied to address the problems that are outlined. Locreate: An Anagram for Relocate (Dec, 2006) This paper presents a proof of concept executable packer that does not use any custom code to unpack binaries at execution time. This is different from typical packers which generally rely on packed executables containing code that is used to perform the inverse of the packing operation at runtime. Instead of depending on custom code, the technique described in this paper uses documented behavior of the dynamic loader as a mechanism for performing the unpacking operation. This difference can make binaries packed using this technique more difficult to signature and analyze, but only when presented to an untrained eye. The description of this technique is meant to be an example of a fun thought exercise and not as some sort of revolutionary packer. In fact, it's been used in the virus world many years prior to this paper. Exploiting 802.11 Wireless Driver Vulnerabilities on Windows (Nov, 2006) This paper describes the process of identifying and exploiting 802.11 wireless device driver vulnerabilities on Windows. This process is described in terms of two steps: pre-exploitation and exploitation. The pre-exploitation step provides a basic introduction to the 802.11 protocol along with a description of the tools and libraries the authors used to create a basic 802.11 protocol fuzzer. The exploitation step describes the common elements of an 802.11 wireless device driver exploit. These elements include things like the underlying payload architecture that is used when executing arbitrary code in kernel-mode on Windows, how this payload architecture has been integrated into the 3.0 version of the Metasploit Framework, and the interface that the Metasploit Framework exposes to make developing 802.11 wireless device driver exploits easy. Finally, three separate real world wireless device driver vulnerabilities are used as case studies to illustrate the application of this process. It is hoped that the description and illustration of this process can be used to show that kernel-mode vulnerabilities can be just as dangerous and just as easy to exploit as user-mode vulnerabilities. In so doing, awareness of the need for more robust kernel-mode exploit prevention technology can be raised. Preventing the Exploitation of SEH Overwrites (Sep, 2006) This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation. While Microsoft has attempted to address this attack vector through changes to the exception dispatcher and through enhanced compiler support, such as with /SAFESEH and /GS, the majority of benefits they offer are limited to image files that have been compiled to make use of the compiler enhancements. This limitation means that without all image files being compiled with these enhancements, it may still be possible to leverage an SEH overwrite to gain code execution. In particular, many third-party applications are still vulnerable to SEH overwrites even on the latest versions of Windows because they have not been recompiled to incorporate these enhancements. To that point, the technique described in this paper does not rely on any compile time support and instead can be applied at runtime to existing applications without any noticeable performance degradation. This technique is also backward compatible with all versions of Windows NT+, thus making it a viable and proactive solution for legacy installations. Implementing a Custom x86 Encoder (Aug, 2006) This paper describes the process of implementing a custom encoder for the x86 architecture. To help set the stage, the McAfee Subscription Manager ActiveX control vulnerability, which was discovered by eEye, will be used as an example of a vulnerability that requires the implementation of a custom encoder. In particular, this vulnerability does not permit the use of uppercase characters. To help make things more interesting, the encoder described in this paper will also avoid all characters above 0x7f. This will make the encoder both UTF-8 safe and tolower safe. Exploiting the Otherwise Non-exploitable on Windows (May, 2006) This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding[4], to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer. Improving Automated Analysis of Windows x64 Binaries (Apr, 2006) As Windows x64 becomes a more prominent platform, it will become necessary to develop techniques that improve the binary analysis process. In particular, automated techniques that can be performed prior to doing code or data flow analysis can be useful in getting a better understanding for how a binary operates. To that point, this paper gives a brief explanation of some of the changes that have been made to support Windows x64 binaries. From there, a few basic techniques are illustrated that can be used to improve the process of identifying functions, annotating their stack frames, and describing their exception handler relationships. Source code to an example IDA plugin is also included that shows how these techniques can be implemented. Bypassing PatchGuard on Windows x64 (Dec, 2005) The Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested. Windows Kernel-mode Payload Fundamentals (Dec, 2005) This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows. Bypassing Windows Hardware-enforced Data Execution Prevention (Oct, 2005) This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute code from regions that are typically non-executable when hardware support is present, such as thread stacks and process heaps. While other techniques have been used to accomplish similar feats, such as returning into NtProtectVirtualMemory, this approach requires no direct reprotecting of memory regions, no copying of arbitrary code to other locations, and does not have issues with NULL bytes. The result is a feasible approach that can be used to easily bypass the enhancements offered by hardware-enforced DEP on Windows in a way that requires very minimal modifications to existing exploits. Temporal Return Addresses: Exploitation Chronomancy (Aug, 2005) Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit authors generally make use of static addresses that may or may not be portable between various operating system and application revisions. This fact can make exploits unreliable depending on how well researched the static addresses were at the time that the exploit was implemented. In some cases, though, it may be possible to predict and make use of certain addresses in memory that do not have static contents. This document introduces the concept of temporal addresses and describes how they can be used, under certain circumstances, to make exploitation more reliable. http://uninformed.org/?v=1&a=5&t=sumry"]Annoyances Caused by Unsafe Assumptions (Apr, 2005) This installation of What Were They Thinking illustrates some of the annoyances that can be caused when developing software that has to inter-operate with third-party applications. Two such cases will be dissected and discussed in detail for the purpose of showing how third-party applications can fail when used in conjunction with software that performs certain tasks. The analysis of the two cases is meant to show how complex failure conditions can be analyzed and used to determine inter-operability problems. Post-Exploitation on Windows using ActiveX Controls (Mar, 2005) When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound filters that may be in place on the target machine's network. Bypassing these filters involves creating a post-exploitation payload that is capable of masquerading as normal user traffic from within the context of a trusted process. One method of accomplishing this is to create a payload that enables ActiveX controls by modifying Internet Explorer's zone restrictions. With ActiveX controls enabled, the payload can then launch a hidden instance of Internet Explorer that is pointed at a URL with an embedded ActiveX control. The end result is the ability for an attacker to run custom code in the form of a DLL on a target machine by using a trusted process that uses one or more trusted communication protocols, such as HTTP or DNS. Metasploit's Meterpreter (Dec, 2004) Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) ï¬les that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection. Safely Searching Process Virtual Address Space (Sep, 2004) This paper describes some techniques that can be used to search the virtual address space of a process for a unique key as a part of running code that is at an unknown location in memory. The code that is used to search the process address space is designed to be extremely compact in order to make it useful in scenarios where a particularly imposes limitations on the size of the payload that can be used in the context of the initial overflow. Remote Library Injection (Apr, 2004) The common methods currently employed to compromise comput- ers are ineffective and easily detected by standard Anti-Virus practices. Despite this, worm authors continue to use these same approaches, blindly hoping that at least some of the hosts will remain infected long enough for the worm au- thor to make use of them. An alternative to the standard methods of computer compromise involves making use of a more complicated, yet high-yield, solution: library injection. When used in conjunction with a remote vulnerability, such as the DCOM vulnerability, library injection can lead to an undetectable com- promise at the host level as far as current Anti-Virus detection mechanisms are concerned. The impact from this is far-reaching; so much so that a completely automated, high-retention, operating system independent super-worm is an ever approaching reality. Reverse Engineering: Memory Analysis (Dec, 2003) This paper describes some basic techniques that can be used to dynamically analyze a program by inspecting the content of its address space at runtime. The techniques presented are then applied to show how they can be used to perform basic reverse engineering of a closed source game known as ADOM. Understanding Windows Shellcode (Dec, 2003) This paper provides an exhaustive description of the structure and purpose of windows shellcode. An in-depth walkthrough of various types of windows payloads is given including reverse connect, port bind, file descriptor re-use, and so on. ELF binary signing and verification (Jan, 2003) This paper provides an introduction to binary signing of ELF executables. Linux x86 run-time process manipulation (Jan, 2003) This paper illustrates run-time process manipulation techniques on Linux. Presented By: Matt Miller BlueHat v8: Mitigations Unplugged About This Video : Matt Miller explores the technical details of sophisticated mitigations like GS, DEP and ASLR. This presentation explores the technical details of these developments by illustrating the logical evolution of Microsoft mitigations and how they’ve stood the test of time. Download Exploit Mitigation Improvements in Win 8 By: Matt Miller & Ken Johnson Over the past decade, Microsoft has added security features to the Windows platform that help to mitigate risk by making it difficult and costly for attackers to develop reliable exploits for memory safety vulnerabilities. Some examples of these features include Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Visual C++'s code generation security (GS) protection for stack-based buffer overruns. In Windows 8, Microsoft has made a number of substantial improvements that are designed to break known exploitation techniques and in some cases prevent entire classes of vulnerabilities from being exploited. This presentation will provide a detailed technical walkthrough of the improvements that have been made along with an evaluation of their expected impact. In closing, this presentation will look beyond Windows 8 by providing a glimpse into some of the future directions in exploit mitigation research that are currently being explored by Microsoft. Slides Sources : http://www.hick.org/~mmiller/ http://www.uninformed.org/ http://www.zdnet.com/article/from-metasploit-to-microsoft-skape-goes-to-redmond/ Regards NO-MERCY
- 1 reply
-
- 1
-
Hello Rst : Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps The sale of exploits and bug bounty programs are at an all-time high, as is their use by cyber criminals. OS vendors, such as Microsoft have progressively implemented a gigantic number of controls to stem the bleeding. Learn how attackers side step mitigations in accessible live demonstrations. New to exploitation or want to learn about the latest mitigations? Come along and learn more! Speakers : James Lyne Global Head of Security Research, Sophos Stephen Sims Security Researcher and Instructor, SANS Institute Video Presentation Slides : https://www.rsaconference.com/writable/presentations/file_upload/exp-r01_patching-exploits-with-duct-tape-bypassing-mitigations-and-backward-steps.pdf Source : https://www.rsaconference.com/events/us15/agenda/sessions/1835/patching-exploits-with-duct-tape-bypassing Regards
-
Dll injection in chrome
NO-MERCY replied to StoneIce's topic in Reverse engineering & exploit development
Not spdy .... I think It's Google Chrome’s DLL Blacklisting Policy & Sandbox Technology You can Search & Read about Them because classic dll injection dosn't work Especially with browsers and See Also : CodeEmpire: DLL Injection into Google Chrome CodeEmpire: Code Injection into Mozilla Firefox madshi.net • View topic - Injection in Chrome process failing https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/3d5085c2-5506-43f8-b2f4-992f96a3ce22/security-protection-on-google-chrome?forum=windowssecurity https://stackoverflow.com/questions/11273449/internet-explorer-google-chrome-injection https://groups.google.com/forum/#!topic/securityxploded/ejE6dGNc0y0 https://www.chromium.org/developers/design-documents/sandbox https://www.chromium.org/Home/third-party-developers Regards -
Reverse Engineering and Exploit Development Hello RST : Description In this Reverse Engineering and Exploit Development training course, expert author Philip Polstra will teach you about common software vulnerabilities and how to find them, as well as how the vulnerabilities differ between various operating systems. This course is designed for beginners who are looking to get started in security, penetration testing, and reverse engineering. You will start by learning about reversing compiled Windows applications, including using fuzzing, stack overflows, and heap overflows. From there, Philip will teach you how to reverse compiled OS X, Linux, and Android applications. This video tutorial also covers how to find other vulnerabilities, including website and database vulnerabilities. Finally, you will learn about simple exploits, web exploitation, and ARM exploitation. Once you have completed this computer based training course, you will be fully capable of finding vulnerabilities and developing exploits for them. Working files are included, allowing you to follow along with the author throughout the lessons. Publisher: Infinite Skills Duration: 6 hours 69 tutorial videos Date Released: 2015-04-10 Price: $99.99 USD Table of Contents 01. Getting Started Introduction To Reversing About The Author Ethical Considerations Reversing Tools - Part 1 Reversing Tools - Part 2 Reversing Tools - Part 3 Reversing Tools - Part 4 Reversing Tools - Part 5 Reversing Tools - Part 6 0110 How To Access Your Working Files 02. Reversing Compiled Windows Applications 0201 Vulnerabilities - Part 1 0202 Vulnerabilities - Part 2 0203 Vulnerabilities - Part 3 0204 Using Fuzzing - Part 1 0205 Using Fuzzing - Part 2 0206 Using Fuzzing - Part 3 0207 Using Fuzzing - Part 4 0208 Just Enough Assembly - Part 1 0209 Just Enough Assembly - Part 2 0210 Just Enough Assembly - Part 3 0211 Stack Overflows - Part 1 0212 Stack Overflows - Part 2 0213 Stack Overflows - Part 3 0214 Heap Overflows - Part 1 0215 Heap Overflows - Part 2 0216 Heap Overflows - Part 3 0217 Heap Overflows - Part 4 0218 Format String Bugs - Part 1 0219 Format String Bugs - Part 2 0220 Format String Bugs - Part 3 0221 Format String Bugs - Part 4 0222 Section Overflows 0223 Windows Kernel Flaws 0224 Decompilers 0225 Automation - Part 1 0226 Automation - Part 2 03. Reversing Compiled OS X Applications 0301 Where Are The Vulnerabilities? 0302 Locating Stack Overflows 0303 Heap Overflows 04. Reversing Compiled Linux Applications 0401 Where Are The Vulnerabilities? 0402 Linux Stack Overflows - Part 1 0403 Linux Stack Overflows - Part 2 0404 Linux Stack Overflows - Part 3 0405 Linux Stack Overflows - Part 4 0406 Linux Stack Overflows - Part 5 0407 Linux Heap Overflows - Part 1 0408 Linux Heap Overflows - Part 2 0409 Linux Heap Overflows - Part 3 0410 Linux Heap Overflows - Part 4 0411 Linux Kernel Flaws - Part 1 0412 Linux Kernel Flaws - Part 2 05. Reversing Android Applications 0501 Introduction To Android And ARM 0502 Android Applications 06. Finding Other Vulnerabilities 0601 Web Site Vulnerabilities 0602 Database Vulnerabilities 07. Simple Exploits 0701 Going From Vulnerability To Exploit 0702 A Simple Exploit Script 0703 Creating A Metasploit Module For An Exploit - Part 1 0704 Creating A Metasploit Module For An Exploit - Part 2 0705 Creating A Metasploit Module For An Exploit - Part 3 08. Exploit Payloads 0801 Shellcode - Part 1 0802 Shellcode - Part 2 0803 Shellcode - Part 3 0804 Shellcode - Part 4 09. Making Exploits Harder To Detect 0901 Encoding Shellcode - Part 1 0902 Encoding Shellcode - Part 2 10. Web Exploitation 1001 Web Exploits In Metasploit 11. ARM Exploitation 1101 Android Exploits In Metasploit 12. Future Directions 1201 Wrap Up And Suggestions For Further Study Download NitroFlare - Upload Files [505 MB] NitroFlare - Upload Files [505 MB] NitroFlare - Upload Files [434.45 MB] Download Working_Files http://examples.oreilly.com/0636920040439/Working_Files.zip Source Reverse Engineering and Exploit Development Training Video, Online Tutorial Regards NO-MERCY
-
Linux (x86) Exploit Development Series
NO-MERCY replied to neox's topic in Reverse engineering & exploit development
ok ... Now All IN One PDF By ; NO-MERCY Details : File : Linux (x86) Exploit Development Series.pdf Pages : 164 Size : 4.1 MB CRC-32: d62360f5 MD4: f839f7d6ccc0c4c61846242a64a448f4 MD5: 1df6744fe419ca9e584723ad1fa79dd0 SHA-1: c117208aceded332cea96e0afa4dd33f91314b93 Download Regards NO-MERCY