Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Download as pptx, pdf6 likes1,942 views
Exploit Research and Development Megaprimer http://opensecurity.in/exploit-research-and-development-megaprimer/ http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
1 of 14
Downloaded 112 times
![@ajinabraham
•
•
• JMP TO SHELLCODE
We can’t use actual JMP. We will walk to shellcode
We will use single byte instructions along with some NOP
like harmless aligning instructions(Venetian Shellcode).
nSEH
You need to try out
and choose the
working one.
But you can check it
only after you check
SEH
popad/inc eax or
selecting the nops
Example
“x61x41” implies 61 ->POPAD
004100 ->ADD BYTE PTR DS:[ECX],AL
“x41x71” implies 41 ->INC ECX
007100 ->ADD BYTE PTR DS:[ECX],DH
1Byte Instruction
41 : INC ECX
61 POPAD](https://image.slidesharecdn.com/exploitresearchunicode-130824054333-phpapp01/85/Exploit-Research-and-Development-Megaprimer-Unicode-Based-Exploit-Development-9-320.jpg)
Ad
Recommended
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part In|u - The Open Security Community Return Oriented Programming (ROP) Based Exploits - Part I by Anish & Team @ null B'lore Meet in September, 2010
How Functions Work
How Functions WorkSaumil Shah A function is a reusable block of code that can be called from different parts of a program. Functions accept parameters as input and may return a value. When a function is called, its parameters and local variables are stored on the stack. Each function call creates a stack frame that contains its parameters, local variables, and return address. This allows functions to maintain separate variable scopes while sharing the call stack.
Advance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community This document discusses return-oriented programming (ROP) attacks and variants. It begins with an introduction to ROP attacks, explaining that they circumvent data execution prevention by chaining small snippets of executable code (called gadgets) that end in return instructions. It then covers different ROP attack techniques like using arithmetic, comparison, and loop gadgets to achieve Turing completeness. The document discusses challenges like handling null bytes and describes variants like jump-oriented programming (JOP) that uses indirect jumps. It also covers creating alphanumeric ROP shellcode by selecting printable addresses. In the end, it provides tips for effectively searching gadgets.
What's new in Perl 5.10?
What's new in Perl 5.10?acme Perl 5.10 introduces several new features including say for easy printing, smart matching with ~~, switch statement, defined-or operator //, and state variables for persistent data within subs. It also includes improvements to the regex engine, modules like Hash::Util::FieldHash, better Windows support and a faster UTF-8 implementation. The release timeline is 5.8.9 stable by April 1st 2006, 5.10 after lunch before Christmas 2006, and Perl 6 after lunch before Christmas 2006.
ROP 輕鬆談
ROP 輕鬆談hackstuff Demo File: http://l4ys.tw/f/rop_demo.zip
介紹從 Buffer Overflow 到 Return-Oriented Programming 的基本原理以及簡單的 ROP 攻擊代碼撰寫與利用方式
An introduction to ROP
An introduction to ROPSaumil Shah Slides from my workshop at Hack.LU 2010 in Luxembourg. This workshop introduced the basic concepts of Return Oriented Programming with some hands-on exercises.
Introduction to Debuggers
Introduction to DebuggersSaumil Shah A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan This document provides an introduction and overview of Return Oriented Programming (ROP). It discusses classical stack overflow attacks and the mitigations put in place like Address Space Layout Randomization (ASLR) and No eXecute (NX) bit. It then introduces ROP as a technique to bypass these mitigations by chaining small snippets of existing code, called gadgets, to perform malicious tasks without injecting code. Several tools for finding gadgets are presented, and an example exploitation of the CVE-2011-1938 vulnerability is discussed to demonstrate ROP in practice. The document concludes with discussing mitigations against ROP and some related research topics.
Introduction to Functional Programming (w/ JS)
Introduction to Functional Programming (w/ JS)Allan Marques Baptista A presentation that tries to introduce some functional programming's core concepts in a more digestible way. It tries to stay away from all the complicated lingo and math, so the average developer can start his adventures through the dangerous but beautiful realms of functional programming.
Operating Systems - A Primer
Operating Systems - A PrimerSaumil Shah The document provides an introduction to operating systems and key concepts such as processes, virtual memory, and multitasking. It discusses how the CPU uses registers to perform computations and access memory. It explains that an operating system allows multiple programs to run simultaneously through time-slicing and context-switching between processes. Each process has its own virtual address space and sees its own "virtual machine" presented by the operating system.
Arduino section programming slides
Arduino section programming slidesvivek k This document provides an overview of key concepts for programming Arduino boards including comments, variables, logic operators, and loops. It explains that comments are lines of text preceded by // or between /* and */. Variables can be boolean, integer, character, or strings, and are declared with keywords like boolean or int followed by the variable name. Common logic operators include = for assignment, == for comparison, && for AND, and || for OR. The Arduino setup function is used to initialize pins and serial communication. The loop function repeats code continuously. For, while, and basic repetition are covered with for loops iterating with a counter variable and while loops checking a condition.
PHP 7 OPCache extension review
PHP 7 OPCache extension reviewjulien pauli This document provides an overview of OPCache, PHP's opcode cache. It begins with introductions to PHP, how PHP works by parsing, compiling and executing code, and the need for an opcode cache. It then discusses what opcodes are and how OPCache works by caching compiled opcodes in shared memory to improve performance by avoiding recompilation. The document outlines various OPCache configuration settings and optimizations like interned strings. It provides examples of opcodes generated from PHP code and discusses tuning OPCache for best performance.
Arduino sectionprogramming slides
Arduino sectionprogramming slidesJorge Joens This document provides an overview of the Arduino environment and programming basics. It covers topics like board type, serial communication, parts of a sketch like setup and loop functions, variables, data types, operators, conditional statements, and repetition structures like for and while loops. Comments are also discussed as a way to annotate code. The document serves as an introduction for programmers new to Arduino.
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah The document introduces Return Oriented Programming (ROP) and its core concepts. It discusses how Data Execution Prevention (DEP) prevents execution of injected shellcode by marking the stack and heap as non-executable. ROP overcomes this by chaining together small snippets of existing code (called "gadgets") in libraries and binaries to achieve arbitrary code execution. This is done by creating fake stack frames and controlling the instruction pointer (EIP) to return to addresses of gadgets. An example demonstrates overflowing a function and making it return to another function by placing a fake stack frame.
PHP7 is coming
PHP7 is comingjulien pauli PHP 7 is scheduled for release in November 2015 and will be a major new version that introduces many new features and changes. Some key points include: PHP 7 will provide improved performance through a new Zend Engine 3.0 and full support for 32-bit and 64-bit platforms. New features include scalar type declarations, return type declarations, new operators like the null coalesce operator and the spaceship operator, and anonymous classes. The release will also change some behaviors and remove deprecated features.
Phpをいじり倒す10の方法
Phpをいじり倒す10の方法Moriyoshi Koizumi This document discusses various ways to customize and extend PHP beyond its typical usage as a templating language. It explores how PHP's opcode cache, extensions, object model, and virtual machine can be leveraged. It also provides examples of PHP's lexer, parser, and how opcodes are generated from PHP code.
Quick tour of PHP from inside
Quick tour of PHP from insidejulien pauli The document discusses PHP performance and dives into the internals of how PHP works, including details on the Zend engine, compilation process involving lexing, parsing and compiling to opcodes, and execution through opcode interpretation by the virtual machine. It provides examples and tips on optimizing performance by reducing compilation overhead through opcode caching, profiling execution to find bottlenecks, and analyzing PHP functions at the C level to optimize system calls and memory usage.
Php engine
Php enginejulien pauli This document provides an overview of the inner workings of PHP from three perspectives:
1) The PHP engine consists of the Zend Engine virtual machine, which interprets PHP code, and extensions that add additional features.
2) PHP code is compiled into an intermediate opcode representation before being executed by the Zend Engine.
3) The Zend Engine executes opcode by running each instruction through a handler function in an infinite dispatch loop.
PHP traits, treat or threat?
PHP traits, treat or threat?Nick Belhomme This document discusses PHP traits and their use and advantages. It begins by showing PHP's large market share for web programming compared to other languages. It then demonstrates how traits allow eliminating duplicated code by defining common functionality in traits that can be used by multiple classes. The document provides an example of using a "Options" trait to DRY up option handling code across multiple classes. It discusses trait precedence and how to selectively override trait methods using "insteadof". The document explains how traits solve problems caused by multiple inheritance through their precedence rules.
Profiling php5 to php7
Profiling php5 to php7julien pauli The document discusses performance improvements in PHP 7 compared to PHP 5. It summarizes profiling results that show PHP 7 code runs 25% faster and uses 30% less memory than PHP 5 code. It then discusses various internal optimizations in PHP 7 that provide these performance gains, such as improved compiler optimizations, more efficient variable, hashtable and string handling. The document provides examples of how these internal changes help optimize CPU cache usage and reduce memory overhead.
PHP Tips for certification - OdW13
PHP Tips for certification - OdW13julien pauli This document provides tips, tricks, and examples of common gotchas in PHP programming. It demonstrates unexpected behaviors that can occur due to PHP's highly dynamic nature and weakly typed system. A series of code snippets are shown with their expected versus actual outputs to illustrate issues one may encounter with variables, strings, arrays, and type coercion. The document also provides best practices for PHP development and an overview of common topics covered in the PHP certification exam.
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee 2012 CodeEngn Conference 06
Secuinside는 코스콤에서 주최, 연합해킹그룹 HARU, 고려대 정보보호대학원에서 주관하는 국제 해킹대회 및 보안컨퍼런스로써 얼마전 개최된 해킹대회 예선전 문제들을 풀기위해 사용한 분석기술과 ASLR과 NX를 우회하는 새로운 익스플로잇 기술에 대해서 소개한다.
http://codeengn.com/conference/06
Specs Presentation
Specs PresentationSynesso Specs is a Scala library for behaviour-driven development (BDD) that allows tests to be written in a business-domain language. It provides structures, matchers, and other tools to specify systems and examples to be tested. Matchers are used for assertions, and setup/teardown mechanisms are available at different levels. Contexts and mocking can also be used to share state and isolate dependencies.
Php and threads ZTS
Php and threads ZTSjulien pauli This document discusses Zend Thread Safety (ZTS) in PHP. It explains that ZTS provides a layer that abstracts thread libraries and makes PHP core and extensions thread-safe when running in a threaded environment. It does this by using thread-local storage to maintain separate data for each thread. Extensions must be compiled with ZTS to store their global data in this thread-local storage so it is properly separated for each thread. ZTS slows down PHP startup but is important for running PHP on threaded web servers or using threaded extensions. In most cases, PHP applications do not need to be run in a threaded environment.
Linux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary The document provides a basic guide to reverse engineering Linux x86 shellcode. It summarizes reversing two sample shellcodes: 1) A simple program that reads the /etc/passwd file by executing the cat command. By examining registers, it is determined the shellcode executes execve to read the file. 2) An XOR encrypted shellcode that decrypts itself before launching a ksh shell with root privileges using the setreuid system call. Breakpoints are used to stop and disassemble the shellcode at key points to understand its functionality.
Exception handling poirting in gcc
Exception handling poirting in gccShiva Chen This document discusses exception handling porting in GCC. It explains why exception handling is needed, provides an example, and describes the two unwinding methods - SJLJ and Dwarf2 unwinding. Dwarf2 unwinding records frame information in .eh_frame and exception handling locations in .gcc_except_table. It also involves porting code to handle ABI specific aspects of passing exception info, adjusting stack pointers, and modifying return values.
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger The document discusses bypassing address space layout randomization (ASLR) on Linux. It begins with a refresher on buffer overflows and modern protections like ASLR and DEP. It then explores finding fixed addresses in the .text section that are not subject to ASLR to redirect execution, such as calls and jumps to registers. The document shows searching binaries for these instruction sequences and checking register values to leverage them for exploiting a vulnerable program while ASLR is enabled.
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski The document discusses efficient techniques for detecting shellcode inline. It describes the structure of shellcode and challenges in detecting it. It introduces libscizzle, which uses efficient emulation to identify possible shellcode execution sequences and verifies candidates using sandboxed hardware execution. Libscizzle scans data at gigabit speeds with no false positives and no known false negatives, representing about a 1000x speed improvement over previous tools like libemu.
More Related Content
What's hot (20)
Introduction to Debuggers
Introduction to DebuggersSaumil Shah A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan This document provides an introduction and overview of Return Oriented Programming (ROP). It discusses classical stack overflow attacks and the mitigations put in place like Address Space Layout Randomization (ASLR) and No eXecute (NX) bit. It then introduces ROP as a technique to bypass these mitigations by chaining small snippets of existing code, called gadgets, to perform malicious tasks without injecting code. Several tools for finding gadgets are presented, and an example exploitation of the CVE-2011-1938 vulnerability is discussed to demonstrate ROP in practice. The document concludes with discussing mitigations against ROP and some related research topics.
Introduction to Functional Programming (w/ JS)
Introduction to Functional Programming (w/ JS)Allan Marques Baptista A presentation that tries to introduce some functional programming's core concepts in a more digestible way. It tries to stay away from all the complicated lingo and math, so the average developer can start his adventures through the dangerous but beautiful realms of functional programming.
Operating Systems - A Primer
Operating Systems - A PrimerSaumil Shah The document provides an introduction to operating systems and key concepts such as processes, virtual memory, and multitasking. It discusses how the CPU uses registers to perform computations and access memory. It explains that an operating system allows multiple programs to run simultaneously through time-slicing and context-switching between processes. Each process has its own virtual address space and sees its own "virtual machine" presented by the operating system.
Arduino section programming slides
Arduino section programming slidesvivek k This document provides an overview of key concepts for programming Arduino boards including comments, variables, logic operators, and loops. It explains that comments are lines of text preceded by // or between /* and */. Variables can be boolean, integer, character, or strings, and are declared with keywords like boolean or int followed by the variable name. Common logic operators include = for assignment, == for comparison, && for AND, and || for OR. The Arduino setup function is used to initialize pins and serial communication. The loop function repeats code continuously. For, while, and basic repetition are covered with for loops iterating with a counter variable and while loops checking a condition.
PHP 7 OPCache extension review
PHP 7 OPCache extension reviewjulien pauli This document provides an overview of OPCache, PHP's opcode cache. It begins with introductions to PHP, how PHP works by parsing, compiling and executing code, and the need for an opcode cache. It then discusses what opcodes are and how OPCache works by caching compiled opcodes in shared memory to improve performance by avoiding recompilation. The document outlines various OPCache configuration settings and optimizations like interned strings. It provides examples of opcodes generated from PHP code and discusses tuning OPCache for best performance.
Arduino sectionprogramming slides
Arduino sectionprogramming slidesJorge Joens This document provides an overview of the Arduino environment and programming basics. It covers topics like board type, serial communication, parts of a sketch like setup and loop functions, variables, data types, operators, conditional statements, and repetition structures like for and while loops. Comments are also discussed as a way to annotate code. The document serves as an introduction for programmers new to Arduino.
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah The document introduces Return Oriented Programming (ROP) and its core concepts. It discusses how Data Execution Prevention (DEP) prevents execution of injected shellcode by marking the stack and heap as non-executable. ROP overcomes this by chaining together small snippets of existing code (called "gadgets") in libraries and binaries to achieve arbitrary code execution. This is done by creating fake stack frames and controlling the instruction pointer (EIP) to return to addresses of gadgets. An example demonstrates overflowing a function and making it return to another function by placing a fake stack frame.
PHP7 is coming
PHP7 is comingjulien pauli PHP 7 is scheduled for release in November 2015 and will be a major new version that introduces many new features and changes. Some key points include: PHP 7 will provide improved performance through a new Zend Engine 3.0 and full support for 32-bit and 64-bit platforms. New features include scalar type declarations, return type declarations, new operators like the null coalesce operator and the spaceship operator, and anonymous classes. The release will also change some behaviors and remove deprecated features.
Phpをいじり倒す10の方法
Phpをいじり倒す10の方法Moriyoshi Koizumi This document discusses various ways to customize and extend PHP beyond its typical usage as a templating language. It explores how PHP's opcode cache, extensions, object model, and virtual machine can be leveraged. It also provides examples of PHP's lexer, parser, and how opcodes are generated from PHP code.
Quick tour of PHP from inside
Quick tour of PHP from insidejulien pauli The document discusses PHP performance and dives into the internals of how PHP works, including details on the Zend engine, compilation process involving lexing, parsing and compiling to opcodes, and execution through opcode interpretation by the virtual machine. It provides examples and tips on optimizing performance by reducing compilation overhead through opcode caching, profiling execution to find bottlenecks, and analyzing PHP functions at the C level to optimize system calls and memory usage.
Php engine
Php enginejulien pauli This document provides an overview of the inner workings of PHP from three perspectives:
1) The PHP engine consists of the Zend Engine virtual machine, which interprets PHP code, and extensions that add additional features.
2) PHP code is compiled into an intermediate opcode representation before being executed by the Zend Engine.
3) The Zend Engine executes opcode by running each instruction through a handler function in an infinite dispatch loop.
PHP traits, treat or threat?
PHP traits, treat or threat?Nick Belhomme This document discusses PHP traits and their use and advantages. It begins by showing PHP's large market share for web programming compared to other languages. It then demonstrates how traits allow eliminating duplicated code by defining common functionality in traits that can be used by multiple classes. The document provides an example of using a "Options" trait to DRY up option handling code across multiple classes. It discusses trait precedence and how to selectively override trait methods using "insteadof". The document explains how traits solve problems caused by multiple inheritance through their precedence rules.
Profiling php5 to php7
Profiling php5 to php7julien pauli The document discusses performance improvements in PHP 7 compared to PHP 5. It summarizes profiling results that show PHP 7 code runs 25% faster and uses 30% less memory than PHP 5 code. It then discusses various internal optimizations in PHP 7 that provide these performance gains, such as improved compiler optimizations, more efficient variable, hashtable and string handling. The document provides examples of how these internal changes help optimize CPU cache usage and reduce memory overhead.
PHP Tips for certification - OdW13
PHP Tips for certification - OdW13julien pauli This document provides tips, tricks, and examples of common gotchas in PHP programming. It demonstrates unexpected behaviors that can occur due to PHP's highly dynamic nature and weakly typed system. A series of code snippets are shown with their expected versus actual outputs to illustrate issues one may encounter with variables, strings, arrays, and type coercion. The document also provides best practices for PHP development and an overview of common topics covered in the PHP certification exam.
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee 2012 CodeEngn Conference 06
Secuinside는 코스콤에서 주최, 연합해킹그룹 HARU, 고려대 정보보호대학원에서 주관하는 국제 해킹대회 및 보안컨퍼런스로써 얼마전 개최된 해킹대회 예선전 문제들을 풀기위해 사용한 분석기술과 ASLR과 NX를 우회하는 새로운 익스플로잇 기술에 대해서 소개한다.
http://codeengn.com/conference/06
Specs Presentation
Specs PresentationSynesso Specs is a Scala library for behaviour-driven development (BDD) that allows tests to be written in a business-domain language. It provides structures, matchers, and other tools to specify systems and examples to be tested. Matchers are used for assertions, and setup/teardown mechanisms are available at different levels. Contexts and mocking can also be used to share state and isolate dependencies.
Php and threads ZTS
Php and threads ZTSjulien pauli This document discusses Zend Thread Safety (ZTS) in PHP. It explains that ZTS provides a layer that abstracts thread libraries and makes PHP core and extensions thread-safe when running in a threaded environment. It does this by using thread-local storage to maintain separate data for each thread. Extensions must be compiled with ZTS to store their global data in this thread-local storage so it is properly separated for each thread. ZTS slows down PHP startup but is important for running PHP on threaded web servers or using threaded extensions. In most cases, PHP applications do not need to be run in a threaded environment.
Linux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary The document provides a basic guide to reverse engineering Linux x86 shellcode. It summarizes reversing two sample shellcodes: 1) A simple program that reads the /etc/passwd file by executing the cat command. By examining registers, it is determined the shellcode executes execve to read the file. 2) An XOR encrypted shellcode that decrypts itself before launching a ksh shell with root privileges using the setreuid system call. Breakpoints are used to stop and disassemble the shellcode at key points to understand its functionality.
Exception handling poirting in gcc
Exception handling poirting in gccShiva Chen This document discusses exception handling porting in GCC. It explains why exception handling is needed, provides an example, and describes the two unwinding methods - SJLJ and Dwarf2 unwinding. Dwarf2 unwinding records frame information in .eh_frame and exception handling locations in .gcc_except_table. It also involves porting code to handle ABI specific aspects of passing exception info, adjusting stack pointers, and modifying return values.
Viewers also liked (20)
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger The document discusses bypassing address space layout randomization (ASLR) on Linux. It begins with a refresher on buffer overflows and modern protections like ASLR and DEP. It then explores finding fixed addresses in the .text section that are not subject to ASLR to redirect execution, such as calls and jumps to registers. The document shows searching binaries for these instruction sequences and checking register values to leverage them for exploiting a vulnerable program while ASLR is enabled.
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski The document discusses efficient techniques for detecting shellcode inline. It describes the structure of shellcode and challenges in detecting it. It introduces libscizzle, which uses efficient emulation to identify possible shellcode execution sequences and verifies candidates using sandboxed hardware execution. Libscizzle scans data at gigabit speeds with no false positives and no known false negatives, representing about a 1000x speed improvement over previous tools like libemu.
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali The document discusses different types of shellcodes and their uses. It provides examples of x86 and x86_64 shellcode code to execute a Linux system call. It also lists resources for further information on shellcode design and exploitation techniques.
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAbhineet Ayan This is a basic guide to step by step analysing of a shell code and a good example of reverse engineering by Abhineet Ayan
Java Shellcode Execution
Java Shellcode ExecutionRyan Wincey This document discusses running shellcode from Java by overwriting the pointer to a Java method with a pointer to shellcode. It explains that Java is cross-platform, has an extensive library, and is widely deployed. It then provides an example of NOP shellcode in C to call the shellcode. It links to resources on injecting shellcode from Java without JNI. The document shows a Java method with volatile variables that is overwritten by the shellcode and demonstrates calling the shellcode from Java.
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger This document discusses bypassing address space layout randomization (ASLR) protections to execute shellcode on the stack. It begins with an overview of stack-based buffer overflows and modern protections like non-executable stacks. It then describes using return-oriented programming (ROP) techniques like ret2libc to hijack control flow and call library functions like system() to spawn a shell. Specifically, it outlines overwriting a return address to call mprotect() to make the stack executable, then jumping to shellcode on the stack. The document provides example exploit code and steps to find needed addresses in memory.
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycZ Chen The document discusses using the libemu library to detect shellcode and heapspray in the Python honeyclient phoneyc. Libemu allows for shellcode detection using x86 instruction emulation and GetPC heuristics. The document outlines integrating libemu into phoneyc to defend browsers against drive-by downloads and heap-spraying code injection attacks in web-based malware.
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru This document discusses using the Browser Exploitation Framework (BeEF) and inter-protocol exploitation techniques to gain control of victim browsers. It begins with an overview of traditional browser attack vectors and their limitations. It then introduces BeEF and how it can be used to hook victim browsers through XSS and control them remotely with JavaScript. The document proposes revitalizing inter-protocol exploitation techniques to bypass cross-domain restrictions and allow executing commands on the victim's machine. It presents the design of a new BeEF Bind shellcode that sets up a web server to accept commands and control a process like cmd.exe on the victim internally without needing an outbound connection.
Anton Dorfman. Shellcode Mastering.
Anton Dorfman. Shellcode Mastering.Positive Hack Days This document provides an overview of shellcode mastering techniques. It discusses the basics of shellcode including features, types, and development tasks. It covers basic shellcode techniques like call/ret algorithms and delta offset approaches. Optimization techniques are analyzed like instruction format optimizations, register value reusing, and avoiding the stack. An example analysis is given of the evolution of smaller shellcodes over time in a shellcode size competition. Hands-on labs are described to practice skills like addressing variables, using strings, and finding Windows API entry points. Required tools are listed for the labs including debuggers and assemblers.
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr Patching Windows Executives with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
Shellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and ConceptJulia Yu-Chin Cheng The document discusses analyzing malicious PDF files. It describes decompressing PDFs using PDFTK to extract JavaScript. JavaScript is analyzed using a JavaScript emulator like SpiderMonkey to deobfuscate code. Any shellcode is reformed from Unicode and analyzed using Sctest for its behavior. The document provides examples of analyzing sample PDFs, extracting JavaScript, decompressing streams, and inspecting shellcode payloads. Analysis steps and tools used are explained to help understand how malicious PDF files work and discover embedded exploits.
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio The document discusses various topics related to hacking including motivations, methodologies, and tools. It describes how hackers conduct reconnaissance on targets, develop exploits, execute exploits, and maintain access. Specific hacking methods like fuzzing, malware kits, and shellcode are explained. Potential targets mentioned include students, faculty computers, wireless networks, and websites. The document also provides biographical information about the author and recommends books and resources for hacking.
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers.
Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year.
Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul.
https://www.tinfoilsecurity.com/blog/cross-platform-exploitation
Software Exploits
Software ExploitsKevinCSmallwood This is a presentation I put together and presented for my colleagues at IBM back in 2006. I started on the section featuring heap exploits and never finished it. I want to finish it someday.
Shellcode injection
Shellcode injectionDhaval Kapil A talk about injecting shellcode in a binary vulnerable to buffer overflow as well as bypassing ASLR(Address Space Layout Randomization)
Writing Metasploit Plugins
Writing Metasploit Pluginsamiable_indian The document discusses exploiting a buffer overflow vulnerability in Internet Explorer's VML implementation (MS06-055) to execute arbitrary code. It describes overwriting the structured exception handler to gain control of the instruction pointer, using heap spraying to load a buffer in memory, and having the instruction pointer jump to the buffer to execute shellcode and spawn a command shell. Metasploit is introduced as an open-source framework for developing exploits.
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru Browser exploits are a primary attack vector to compromise a victims internal network, but they have major restrictions including; limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victims browser, what if the victims browser exploited internal systems for you?
The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victims web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session.
This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.
So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or Phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits are configured to use the new BeEF Bind shellcode.
Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to setup a web-listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser is then able to receive the command output and proxy it back to the attacker at the BeEF server.
Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actual compromised internal machines. They can also now increase the scope and success rate of their Phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker via the firewall.
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia This document discusses Cisco IOS shellcoding and reverse engineering. It covers topics like Cisco IOS shellcodes that are image-independent by disassembling or interrupting hijacking. It also discusses Tcl shellcodes, Cisco IOS reverse engineering challenges including lack of modularity and APIs. The document details subsystems, registries, processes, command parser tree, debugging Cisco IOS, and magic numbers used in Cisco IOS.
Low Level Exploits
Low Level Exploitshughpearse This document discusses various low-level exploits, beginning with creating shellcode by extracting opcodes from a compiled C program. It then covers stack-based buffer overflows, including return-to-stack exploits and return-to-libc. Next it discusses heap overflows using the unlink technique, integer overflows, and format string vulnerabilities. The document provides code examples and explanations of the techniques.
Ad
Similar to Exploit Research and Development Megaprimer: Unicode Based Exploit Development (20)
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory This presentation was presented at IT Audit & IT Security Meetup #4 at Indonesian Cloud, Jakarta.
The exploit development process was quite challenging and we think that it's worth to share.
For educational purposes only.
writing self-modifying code and utilizing advanced assembly techniques
writing self-modifying code and utilizing advanced assembly techniquesRussell Sanford This document provides instructions for creating shellcode using only alphanumeric characters. It begins by outlining the plan, which is to use IMUL and XOR instructions to reconstruct bytes not in the alphanumeric range. It then provides a blueprint, explaining how IMUL and XOR can be used to generate needed values. The first code example walks through transforming an existing 24-byte shellcode into an alphanumeric version by pushing and popping values and using XOR to zero registers.
x86
x86Wei-Bo Chen This document provides information about x86 architecture including registers, flags, modes, common instructions, Intel and AT&T syntax, system calls, examples, and references. It defines the purpose of key registers like EAX, EBX, ESP and flags. It explains real and protect modes and differences between Intel and AT&T syntax. Examples demonstrate how to write assembly code and call system calls. References provided can be used to learn more about x86 assembly programming.
Exploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security The document discusses various techniques for exploiting buffer overflows to bypass data execution prevention (DEP) protections, including return-oriented programming (ROP). It describes using Windows API functions like VirtualAlloc to allocate executable memory and copy shellcode. ROP gadgets can be used to craft the stack and call the API functions with the correct parameters, such as allocating memory at a given address and size and marking it executable. The document provides an example stack layout to call VirtualAlloc and memcpy to allocate and copy shellcode into executable memory to bypass DEP.
Shellcode mastering
Shellcode masteringPositive Hack Days This document provides an overview of shellcode mastering techniques. It discusses the basics of shellcode including features, types, and development tasks. It covers basic shellcode techniques like call/ret algorithms and delta offset approaches. Optimization techniques are explored like instruction format, opcode maps, and common rules. Examples of optimized shellcode from a past competition are analyzed to extract the optimization changes between versions. Practice tasks are provided to write shellcode that performs a reverse connect and executes a second stage payload. Questions from attendees are solicited at the end.
17
17dano2osu The Y86 architecture has 8 32-bit registers, 3 condition codes (ZF, SF, OF), a program counter (PC), and up to 4GB of memory. It supports normal, register, and displacement addressing modes. Instructions include arithmetic, logical operations, jumps, calls, returns, and memory load/store. The execution cycle fetches, decodes, executes, and updates the PC for each instruction. Condition codes track the results of arithmetic operations for conditional jumps.
Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86Svetlana Gaivoronski The document discusses detecting ARM shellcode. It proposes analyzing ARM shellcodes to identify static and dynamic features that could be used for detection, similar to existing x86 shellcode detection techniques. Some potential static features include checking for CPU mode switching, Get-UsePC code, and argument initialization patterns. Dynamic features may include monitoring reads/writes to memory and conditional execution patterns. Experiments would test the techniques on shellcode samples versus legitimate files. The goal is to add ARM shellcode detection capabilities to existing tools like Demorpheus.
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationNational Cheng Kung University QEMU is an open source system emulator that uses just-in-time (JIT) compilation to achieve high performance system emulation. It works by translating target CPU instructions to simple host CPU micro-operations at runtime. These micro-operations are cached and chained together into basic blocks to reduce overhead. This approach avoids the performance issues of traditional emulators by removing interpretation overhead and leveraging CPU parallelism through pipelining of basic blocks.
Kernel Recipes 2014 - x86 instruction encoding and the nasty hacks we do in t...
Kernel Recipes 2014 - x86 instruction encoding and the nasty hacks we do in t...Anne Nicolas I have always wanted to understand x86 instruction encoding in detail but never gotten around to it. Of course not, who has time nowadays?! So, in order to force me to do it, I decided to write an x86 instruction decoder.
This talk attempts to show what I have learned in the process and how instruction encoding is done on x86.
As a practical aspect, the decoder I’ve scratched together tries to verbosely show some of the crazy low-level hacks^Wtechniques we do in the Linux kernel like alternatives patching, jump labels, exception tables, etc – they have a lot to do with deep knowledge of x86 instructions and how code is generally laid out in the binary kernel image. Maybe this talk can help shed some light on the whole lowlevel fun that’s happening under the hood in the kernel and so many are missing out on. And maybe it’ll make it more interesting and palatable to people and they wont scare so fast anymore when we go deep into the bowels of the kernel and the machine.
Borislav Petkov, SUSE
unit1.pdf
unit1.pdfSaruM1 The 8086 microprocessor supports 8 types of instructions: data transfer, arithmetic, bit manipulation, string, program execution/transfer, processor control, iteration control, and interrupt instructions. Data transfer instructions move data between registers, memory, ports. Arithmetic instructions perform operations like addition, subtraction. Bit manipulation instructions perform logical, shift, rotate operations. String instructions operate on groups of bytes/words in memory. Program execution instructions transfer program flow, including conditional jumps. Processor control instructions set processor flags. Iteration control instructions loop a block of code a number of times. Interrupt instructions call interrupt handlers during execution.
Lec06
Lec06siddu kadiwal The document discusses the 8086 microprocessor and assembly language programming. It covers the 8086 block diagram and registers, memory models, instruction set, addressing modes, procedures, example programs, peripheral devices, and assembly code examples. It provides details on data types, arithmetic and logic instructions, comparisons and jumps, macros, procedures, interrupts, and interfacing assembly with high-level languages. The document is intended as reference material for learning 8086 assembly programming.
Flag control
Flag controlRobert Almazan The document discusses various flag control and flow control instructions in the 8086/8088 architecture. It describes instructions like LAHF, SAHF, CLC, STC, CMC, PUSHF, and POPF that directly affect the status of flags. It also explains conditional jump instructions, loop instructions, and how to implement control structures like IF-THEN, IF-THEN-ELSE, CASE, and loops using these instructions. Examples are provided to illustrate different branching scenarios and loop implementations.
8086 arch instns
8086 arch instnsRam Babu The document discusses the key features of the 8086 microprocessor. It notes that the 8086 has a 16-bit ALU and data bus, allowing it to process 16-bit numbers directly and read/write 16 bits of data at a time. It has 20 address lines, allowing it to access up to 1MB of memory. The 8086 also includes features that enhance multiprocessing capabilities and comes in versions with clock speeds of 5MHz, 8MHz, or 10MHz.
8051 assembly programming
8051 assembly programmingsergeiseq The document discusses programming the 8051 microcontroller. It can be programmed using low-level assembly language or high-level languages like C. Assembly language code is faster but more difficult to write and less portable, while C code is easier but slower. The document provides examples of adding two numbers in both C and assembly. It also discusses the 8051 instruction set, addressing modes, subroutines, and arithmetic operations.
X86 assembly & GDB
X86 assembly & GDBJian-Yu Li This document provides an overview of x86 assembly language and the GNU Debugger (GDB). It describes the process of creating an executable file from source code using preprocessing, compilation, assembly and linking. It also covers x86 registers, common instructions like MOV, PUSH, CALL and RET. The document introduces Intel and AT&T syntax and system calls. Finally, it outlines basic operations and commands in GDB like breaking, running, examining memory and registers.
Virtual machine re building
Virtual machine re buildingMartin Dominguez Alvarez The document summarizes the process of reversing the source code of a virtual machine (VM) used in the T2'06 challenge. It identifies key structures like the VM context, instruction pointer, opcode table, and instruction decoder. It analyzes individual VM instructions to understand operations like incrementing the instruction pointer. The author maps out the VM's memory management and "machine control" registers used for I/O and error handling. Reversing the full VM source code provides insights into how VMs work and how to approach reversing complex VM protections.
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.informatik Universität Basel This document discusses software vulnerabilities and exploits. It begins with an introduction to remote code execution and provides legal aspects of data interception for Germany and Switzerland. It then discusses the goals of preventing teaching how to write malware or hack systems illegally. The document covers basics of function calls, stack smashing vulnerabilities, and how to redirect program flow to injected shellcode through buffer overflows. It provides examples of finding vulnerabilities using debuggers and generating exploits in Python to execute shellcode by overwriting return addresses. Methods discussed include placing shellcode in registers or on the stack and dealing with gaps between the stack pointer and shellcode.
Lec05
Lec05siddu kadiwal The document summarizes key points about the 8086 microprocessor architecture and assembly language programming. It discusses the 8086 architecture including its registers, data path, and parallel execution units. It also provides examples of assembly language programs using loops and addressing modes. Finally, it outlines the topics to be covered in the next class, including a summary of 8085/8086/i386 architectures and assembly programming basics, as well as an introduction to device interfacing.
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019 corehard_by The document describes the implementation of a function that calculates the greatest common divisor (gcd) of two integers. It provides the C code for the gcd function, as well as the assembly code generated by the compiler. It also includes sample calls to the gcd function and diagrams showing how the assembly code works.
Ad
More from Ajin Abraham (20)
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham This document discusses a method called Runtime Application Self Defence (RASP) to securely inject protections into web applications at runtime without requiring code changes. RASP works by hooking into critical APIs, learning an application's behavior to generate rules, and then monitoring for context breaks to prevent attacks like SQL injection and cross-site scripting. The key advantages of RASP over traditional WAFs are that it operates from within the application so it understands the application context and can prevent zero-day attacks.
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec. Attendees Benefits * An Open Source framework for Automated Mobile Security Assessment. * One Click Report Generation and Security Assessment. * Framework can be deployed at your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud. * Supports both Android and iOS Applications. * Semi Automatic Dynamic Analyzer for intelligent application logic based (whitebox) security assessment.
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham Ajin Abraham presents the Mobile Security Framework, an open source tool for automating security analysis of Android and iOS mobile applications. It performs static analysis on application binaries and source code to detect vulnerabilities. It also includes dynamic analysis capabilities like monitoring network traffic, system calls and application data during runtime. The tool is hosted locally and does not send any data to the cloud. The talk demonstrates the tool's static and dynamic analysis features and provides examples of vulnerabilities it has discovered in real world applications. Future plans are discussed to add additional testing capabilities and improve the tool. Users are encouraged to download, test and contribute to the open source project.
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham Mobile Security Framework is an open source automated mobile application testing framework capable of static and dynamic analysis of Android and iOS apps. It performs various analyses including permission analysis, API monitoring, and HTTP traffic analysis. The framework supports analyzing APK, IPA, and source code. It is available on GitHub and includes demos of static analysis on sample APK and IPA files. The presentation also describes a mobile security CTF challenge involving two Android apps, GETSECRET and SENDSECRET, that can be solved by analyzing the apps with Mobile Security Framework or other reversing techniques.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham Tizen is an open source operating system that can run on various devices including smart TVs and IoT devices. It uses a security model that isolates applications using SMACK mandatory access control and enforces content security policies for web applications. The presentation discusses hacking techniques tested against Tizen like exploiting shellshock vulnerabilities, bypassing address space layout randomization protections, and circumventing content security policies. It also provides an overview of methodologies for analyzing Tizen application security like static analysis of manifest and configuration files, decompiling native applications, and network analysis using a proxy. Overall the presentation evaluates the security of Tizen and highlights some implementation issues found.
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperAjin Abraham Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture.
The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. As a bonus, an overview of pentesting Tizen applications will also be presented along with some of the security implications. There will be comparisons made to traditional Android applications and how these security issues differ with Tizen.
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported.
Tizen IVI (in-vehicle infotainment)
Tizen Mobile
Tizen TV, and
Tizen Wearable
Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained.
The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen.
For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc.
Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham This document outlines security vulnerabilities in Firefox add-ons and demonstrates proof of concept exploits. It discusses how Firefox add-ons have full privileges without sandboxing, allowing exploits like keyloggers and downloading executables. Attack techniques to spread malicious add-ons like social engineering and tabnabbing are described. Mitigations include updating Firefox, using antivirus software, and disabling session restoring. The document aims to demonstrate weaknesses to motivate the Firefox team to improve add-on security.
Abusing Google Apps and Data API: Google is My Command and Control Center
Abusing Google Apps and Data API: Google is My Command and Control CenterAjin Abraham This presentation is about abusing Google Apps to implement various attacks that ranges from Hostless Phishing to setting up a Botnet’s Command & Control Center.
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Ajin Abraham Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginnersAjin Abraham Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Ajin Abraham This document discusses using a web shell proxy to serve malicious JavaScript files to victims attempting to access legitimate sites like Facebook.com, exploiting cross-site scripting (XSS) vulnerabilities without the need to directly hack the target sites' servers. The proxy intercepts requests and responds with payloads that can then attack the victims.
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Ajin Abraham Paper: http://keralacyberforce.in/abusing-exploiting-and-pwning-with-firefox-add-ons/
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham The paper is about abusing and exploiting Firefox add-on Security model and explains how JavaScript functions, XPCOM and XPConnect interfaces, technologies like CORS and WebSocket, Session storing and full privilege execution can be abused by a hacker for malicious purposes. The widely popular browser add-ons can be targeted by hackers to implement new malicious attack vectors resulting in confidential data theft and full system compromise. This paper is supported by proof of concept add-ons which abuse and exploits the add-on coding in Firefox 17, the release which Mozilla boasts to have a more secure architecture against malicious plugins and add-ons. The proof of concept includes the implementation of a Local keylogger, a Remote keylogger, stealing Linux password files, spawning a Reverse Shell, stealing the authenticated Firefox session data, and Remote DDoS attack. All of these attack vectors are fully undetectable against anti-virus solutions and can bypass protection mechanisms.
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Ajin Abraham After analyzing vulnerabilities in Wi-Fi security standards like WEP, WPA, and WPA2, the authors propose a new security architecture called Wi-Fi P+ that acts as an additional security layer over WPA/WPA2. Wi-Fi P+ encrypts plain text data transmitted during the WPA handshake process and includes additional security features like MAC address filtering, intrusion detection, and a VPN for more secure data transmission. The authors argue that Wi-Fi P+ provides a simpler yet more secure solution compared to existing Wi-Fi security protocols.
Recently uploaded (20)
How to Create a Stage or a Pipeline in Odoo 18 CRM
How to Create a Stage or a Pipeline in Odoo 18 CRMCeline George In Odoo, the CRM (Customer Relationship Management) module’s pipeline is a visual representation of a company's sales process that helps sales teams track and manage their interactions with potential customers.
Stewart Butler - OECD - How to design and deliver higher technical education ...
Stewart Butler - OECD - How to design and deliver higher technical education ...EduSkills OECD Stewart Butler, Labour Market Economist at the OECD presents at the webinar 'How to design and deliver higher technical education to develop in-demand skills' on 3 June 2025. You can check out the webinar recording via our website - https://oecdedutoday.com/webinars/ .
You can check out the Higher Technical Education in England report via this link 👉 - https://www.oecd.org/en/publications/higher-technical-education-in-england-united-kingdom_7c00dff7-en.html
You can check out the pathways to professions report here 👉 https://www.oecd.org/en/publications/pathways-to-professions_a81152f4-en.html
Coleoptera: The Largest Insect Order.pptx
Coleoptera: The Largest Insect Order.pptxArshad Shaikh Coleoptera, commonly known as beetles, is the largest order of insects, comprising approximately 400,000 described species. Beetles can be found in almost every habitat on Earth, exhibiting a wide range of morphological, behavioral, and ecological diversity. They have a hardened exoskeleton, with the forewings modified into elytra that protect the hind wings. Beetles play important roles in ecosystems as decomposers, pollinators, and food sources for other animals, while some species are considered pests in agriculture and forestry.
Search Engine Optimization (SEO) for Website Success
Search Engine Optimization (SEO) for Website SuccessMuneeb Rana Unlock the essentials of Search Engine Optimization (SEO) with this concise, visually driven PowerPoint. Inside you’ll find:
✅ Clear definitions and core concepts of SEO
✅ A breakdown of On‑Page, Off‑Page, and Technical SEO
✅ Actionable best‑practice checklists for keyword research, content optimization, and link building
✅ A quick‑start toolkit featuring Google Analytics, Search Console, Ahrefs, SEMrush, and Moz
✅ Real‑world case study demonstrating a 70 % organic‑traffic lift
✅ Common challenges, algorithm updates, and tips for long‑term success
Whether you’re a digital‑marketing student, small‑business owner, or PR professional, this deck will help you boost visibility, build credibility, and drive sustainable traffic. Download, share, and start optimizing today!
Parenting Teens: Supporting Trust, resilience and independence
Parenting Teens: Supporting Trust, resilience and independencePooky Knightsmith For more information about my speaking and training work, visit: https://www.pookyknightsmith.com/speaking/
SESSION OVERVIEW:
Parenting Teens: Supporting Trust, Resilience & Independence
The teenage years bring new challenges—for teens and for you. In this practical session, we’ll explore how to support your teen through emotional ups and downs, growing independence, and the pressures of school and social life.
You’ll gain insights into the teenage brain and why boundary-pushing is part of healthy development, along with tools to keep communication open, build trust, and support emotional resilience. Expect honest ideas, relatable examples, and space to connect with other parents.
By the end of this session, you will:
• Understand how teenage brain development affects behaviour and emotions
• Learn ways to keep communication open and supportive
• Explore tools to help your teen manage stress and bounce back from setbacks
• Reflect on how to encourage independence while staying connected
• Discover simple strategies to support emotional wellbeing
• Share experiences and ideas with other parents
How to Create Quotation Templates Sequence in Odoo 18 Sales
How to Create Quotation Templates Sequence in Odoo 18 SalesCeline George In this slide, we’ll discuss on how to create quotation templates sequence in Odoo 18 Sales. Odoo 18 Sales offers a variety of quotation templates that can be used to create different types of sales documents.
Optimization technique in pharmaceutical product development.pptx
Optimization technique in pharmaceutical product development.pptxUrmiPrajapati3 Optimization techniques in pharmaceutical product development
Rai dyansty Chach or Brahamn dynasty, History of Dahir History of Sindh NEP.pptx
Rai dyansty Chach or Brahamn dynasty, History of Dahir History of Sindh NEP.pptxDr. Ravi Shankar Arya Mahila P. G. College, Banaras Hindu University, Varanasi, India. This presentation has been made keeping in mind the students of undergraduate and postgraduate level. To keep the facts in a natural form and to display the material in more detail, the help of various books, websites and online medium has been taken. Whatever medium the material or facts have been taken from, an attempt has been made by the presenter to give their reference at the end.
In the seventh century, the rule of Sindh state was in the hands of Rai dynasty. We know the names of five kings of this dynasty- Rai Divji, Rai Singhras, Rai Sahasi, Rai Sihras II and Rai Sahasi II. During the time of Rai Sihras II, Nimruz of Persia attacked Sindh and killed him. After the return of the Persians, Rai Sahasi II became the king. After killing him, one of his Brahmin ministers named Chach took over the throne. He married the widow of Rai Sahasi and became the ruler of entire Sindh by suppressing the rebellions of the governors.
"Hymenoptera: A Diverse and Fascinating Order".pptx
"Hymenoptera: A Diverse and Fascinating Order".pptxArshad Shaikh Hymenoptera is a diverse order of insects that includes bees, wasps, ants, and sawflies. Characterized by their narrow waists and often social behavior, Hymenoptera play crucial roles in ecosystems as pollinators, predators, and decomposers, with many species exhibiting complex social structures and communication systems.
Different pricelists for different shops in odoo Point of Sale in Odoo 17
Different pricelists for different shops in odoo Point of Sale in Odoo 17Celine George Price lists are a useful tool for managing the costs of your goods and services. This can assist you in working with other businesses effectively and maximizing your revenues. Additionally, you can provide your customers discounts by using price lists.
Unit 3 Poster Sketches with annotations.pptx
Unit 3 Poster Sketches with annotations.pptxbobby205207 Unit 3 Poster Sketches with annotations.pptx
LDMMIA Reiki Yoga Next Week Grad Updates
LDMMIA Reiki Yoga Next Week Grad UpdatesLDM & Mia eStudios A short update and next week. I am writing both Session 9 and Orientation S1.
As a Guest Student,
You are now upgraded to Grad Level.
See Uploads for “Student Checkin” & “S8”. Thx.
Thank you for attending our workshops.
If you are new, do welcome.
Grad Students: I am planning a Reiki-Yoga Master Course (As a package). I’m Fusing both together.
This will include the foundation of each practice. Our Free Workshops can be used with any Reiki Yoga training package. Traditional Reiki does host rules and ethics. Its silent and within the JP Culture/Area/Training/Word of Mouth. It allows remote healing but there’s limits As practitioners and masters. We are not allowed to share certain secrets/tools. Some content is designed only for “Masters”. Some yoga are similar like the Kriya Yoga-Church (Vowed Lessons). We will review both Reiki and Yoga (Master tools) in the Course upcoming.
Session Practice, For Reference:
Before starting a session, Make sure to check your environment. Nothing stressful. Later, You can decorate a space as well.
Check the comfort level, any needed resources (Yoga/Reiki/Spa Props), or Meditation Asst?
Props can be oils, sage, incense, candles, crystals, pillows, blankets, yoga mat, any theme applies.
Select your comfort Pose. This can be standing, sitting, laying down, or a combination.
Monitor your breath. You can add exercises.
Add any mantras or affirmations. This does aid mind and spirit. It helps you to focus.
Also you can set intentions using a candle.
The Yoga-key is balancing mind, body, and spirit.
Finally, The Duration can be long or short.
Its a good session base for any style.
Next Week’s Focus:
A continuation of Intuition Development. We will review the Chakra System - Our temple. A misguided, misused situation lol. This will also serve Attunement later.
For Sponsor,
General updates,
& Donations:
Please visit:
https://ldmchapels.weebly.com
Module 4 Presentation - Enhancing Competencies and Engagement Strategies in Y...
Module 4 Presentation - Enhancing Competencies and Engagement Strategies in Y...GeorgeDiamandis11 Enhancing Competencies and Engagement Strategies in Youth Work
THERAPEUTIC COMMUNICATION included definition, characteristics, nurse patient...
THERAPEUTIC COMMUNICATION included definition, characteristics, nurse patient...parmarjuli1412 The document provides an overview of therapeutic communication, emphasizing its importance in nursing to address patient needs and establish effective relationships. THERAPEUTIC COMMUNICATION included some topics like introduction of COMMUNICATION, definition, types, process of communication, definition therapeutic communication, goal, techniques of therapeutic communication, non-therapeutic communication, few ways to improved therapeutic communication, characteristics of therapeutic communication, barrier of THERAPEUTIC RELATIONSHIP, introduction of interpersonal relationship, types of IPR, elements/ dynamics of IPR, introduction of therapeutic nurse patient relationship, definition, purpose, elements/characteristics , and phases of therapeutic communication, definition of Johari window, uses, what actually model represent and its areas, THERAPEUTIC IMPASSES and its management in 5th semester Bsc. nursing and 2nd GNM students
SEXUALITY , UNWANTED PREGANCY AND SEXUAL ASSAULT .pptx
SEXUALITY , UNWANTED PREGANCY AND SEXUAL ASSAULT .pptxPoojaSen20 SEXUALITY AND ITS TYPES , UNWANTED PREGANCY AND SEXUAL ASSAULT
Pests of Rice: Damage, Identification, Life history, and Management.pptx
Pests of Rice: Damage, Identification, Life history, and Management.pptxArshad Shaikh Rice pests can significantly impact crop yield and quality. Major pests include the brown plant hopper (Nilaparvata lugens), which transmits viruses like rice ragged stunt and grassy stunt; the yellow stem borer (Scirpophaga incertulas), whose larvae bore into stems causing deadhearts and whiteheads; and leaf folders (Cnaphalocrocis medinalis), which feed on leaves reducing photosynthetic area. Other pests include rice weevils (Sitophilus oryzae) and gall midges (Orseolia oryzae). Effective management strategies are crucial to minimize losses.
IDSP(INTEGRATED DISEASE SURVEILLANCE PROGRAMME...
IDSP(INTEGRATED DISEASE SURVEILLANCE PROGRAMME...SweetytamannaMohapat IDSP is a disease surveillance program in India that aims to strengthen/maintain decentralized laboratory-based IT enabled disease surveillance systems for epidemic prone diseases to monitor disease trends, and to detect and respond to outbreaks in the early phases swiftly.....
Rai dyansty Chach or Brahamn dynasty, History of Dahir History of Sindh NEP.pptx
Rai dyansty Chach or Brahamn dynasty, History of Dahir History of Sindh NEP.pptxDr. Ravi Shankar Arya Mahila P. G. College, Banaras Hindu University, Varanasi, India.
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
- 5. @ajinabraham
- 6. @ajinabraham
- 7. @ajinabraham nSEH •JMP TO SHELLCODE (xebx06x90x90) SEH •POP,POP,RET SEQUENCE Shellcode •SHELLCODE EIP 1 2 3
- 8. @ajinabraham • nSEH •JMP TO SHELLCODE We can’t use actual JMP. We will walk to shellcode We will use single byte instructions along with some NOP like harmless aligning instructions(Venetian Shellcode). SEH •POP,POP,RET SEQUENCE (The address will be of the format 0x00aa00bb) Shellcode •UNICODE SHELLCODE (Shellcode is Decoder + Shellcode. So we have to point a register to the decoder and jump to it. We use venetian shellcode technique for alignment.) EIP 1 2 3
- 9. @ajinabraham • • • JMP TO SHELLCODE We can’t use actual JMP. We will walk to shellcode We will use single byte instructions along with some NOP like harmless aligning instructions(Venetian Shellcode). nSEH You need to try out and choose the working one. But you can check it only after you check SEH popad/inc eax or selecting the nops Example “x61x41” implies 61 ->POPAD 004100 ->ADD BYTE PTR DS:[ECX],AL “x41x71” implies 41 ->INC ECX 007100 ->ADD BYTE PTR DS:[ECX],DH 1Byte Instruction 41 : INC ECX 61 POPAD
- 10. @ajinabraham SEH •POP,POP,RET SEQUENCE (The address will be of the format 0x00aa00bb) Selecting Suitable Address • The Address range should be between 0x00 and 0x7f • Choose address from modules without SAFESEH • Address should be in the format 0x00aa00bb • Say if you choose “0x004d0041” then specify “x41x4d”(little endian) in the shellcode. • “00” will be prepended by the program during execution. • Even if we get suitable addresses, all of these don’t work. You have to try out each address to find out the address that doesn’t harm the execution flow and reaches at our shellcode. !mona seh –cp unicode Suitable Address 0x004b00cb 0x004a0041 0x004a0059 0x004d0041 0x004100f2 0x004c0020
- 11. @ajinabraham • Generate the shellcode with Metasploit alone or use SkyLined’s alpha2 encoder. msfpayload windows/exec CMD=calc R | msfencode -e x86/unicode_upper BufferRegister=EAX -t raw msfpayload windows/exec CMD=calc R | ./alpha2 eax –unicode –uppercase • We need to point a register to contain our shellcode and jump to it. For alignment we use venetian shellcode technique. • We will use EAX to contain our shellcode. Shellcode UNICODE SHELLCODE (Shellcode is Decoder + Shellcode. So we have to point a register to the decoder and jump to it. We use venetian shellcode technique for alignment.) Shellcode Shellcode Decoder
- 12. @ajinabraham •
- 13. @ajinabraham • You will need to properly align the set of instructions with venetian shellcode so that it won’t break at execution time. • You should be creative. You should analyze the execution flow in the debugger. • At times we need to add extra venetian shellcode at the beginning and end to properly align everything. • So for example the previous code after adding some venetian shellcode may look like this. "x58“ pop eax # take the value of ebp and pop it to eax "x71“ # Venetian Padding "x05xbbxaa" add eax,0xaa00bb00 # "x71" # Venetian Padding > Add and Subtract,(0xaa00bb00 >0xcc00dd00) will give you a positive value X, and will be added to EAX in effect. "x2dxddxcc" sub eax,0xcc00dd00 # / "x71" # Venetian Padding "x50" push eax # push the new value of EAX in stack "x71" # Venetian Padding "xC3" ret # Return the address of shellcode in EAX to EIP for execution • Add sufficient NOP like instruction to reach our shellcode. • MSF Pattern can be used but better just tryout yourself manually.
- 14. @ajinabraham • • • • • https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unic ode-from-0x00410041-to-calc • http://www.fuzzysecurity.com/tutorials/expDev/5.html • http://net-ninja.net/article/2010/May/29/unicode-the-magic-of-exploiting-0x00410041/