Footnotes
Introduction
Chapter 0: A CFP with POC
1Since published as Implementation and Implications of a Stealth Hard Disk Backdoor by Zaddach, Kurmus et al.
2See PKI Layer Cake by Dan Kaminsky, Len Sassaman, and Meredith L. Patterson
4Cf. “The Format and the Parser,” a little-known variant of the “The Beauty and the Beast.” They resolved their parser differentials and lived invulnerably ever after.
6To achieve RTLD enlightenment, meditate on the Grugq’s subversiveld.pdf and Mayhem’s elf-rtld.txt, for surely these are the incarnations of the ABI Buddhas of our age, and none has described the runtime dynamic linking internals better since.
9Since published at WOOT 2013 as “Weird Machines” in ELF: A Spotlight on Unappreciated Metadata by Shapiro, Bratus, and Smith.
12+971.2.644.6693
Chapter 1: Proceedings of the Society of PoC∥GTFO
2See PoC∥GTFO 2:9 on page 115 for a break that was written in reply to this article. Dan’s challenge worked! —PML
3Exploiting the Hard Working Dwarf from WOOT 2011
4“Weird Machines” in ELF: A Spotlight on the Underappreciated Metadata from WOOT 2013
5Page Fault Liberation Army from 29C3
6Fast Small Good, by bart/xt
7See “TLS AddressOfIndex in an Imports descriptor” for differentiating OS versions by use of Corkami’s tls_aoiOSDET.asm.
Chapter 2: The Children’s Bible Coloring Book of PoC∥GTFO
1Because things marketed as “smart” usually aren’t, at least not for the buyer’s benefit. Truly, the world does occasionally need reminding that stupid is as stupid does.
2RFC 4880, OpenPGP Message Format
3Russ Cox, Zip Files All the Way Down, 2010-03-18
5Tavis Ormandy, BSD derived RFC 3173 IPcomp encapsulation will expand arbitrarily nested payload, CVE-2011-1547, posted to full-disclosure 2011-04-01.
7Half-Blind Attacks: Mask ROM Bootloaders are Dangerous, WOOT 2009, Goodspeed and Francillon
8How is a sermon like a binary file? Both have prescribed parts that follow each other in a conventional order, but may be skipped or used creatively by an extra neighborly preacher. Convention is there to help, but it’s the result that matters. So just think of exordium as the ELF/ABI header or vice versa and bear with the Preacher as you bear with your binary toolchain! –PML
10http://www.x86-64.org/documentation/abi.pdf, pages 17-21, Fig. 3.4—and don’t ask us in what world RDI, RSI, RDX might stand for A, B, C or suchlike. This program may be brought to you by the register RDI anyhow, but let’s just say if the Manul meets the amd64 Big Bird there might be feathers flying.
11“Weird Machines” in ELF: A Spotlight on Unappreciated Metadata by Shapiro, Bratus, and Smith.
12Note, memcpy would treat it as a destination pointer, but luckily nothing gets copied here, and the memcpy implementation isn’t paranoid about checking its arguments, since a bad pointer would trap anyway.
15The second coin flip in get_fair_bit complicates it a bit, but it cannot substantially improve the RNG’s entropy if it lacks in the first place.
Chapter 3: Address on the Smashing of Idols to Bits and Bytes
2Fingerprinting IEEE 802.15.4 Devices by Ira Ray Jenkins and the Dartmouth Scooby Crew, TR2014-746
3Note that Hamming-distance might not be the best metric to match the symbol. Other methods, such as finding the longest stretch of perfectly-matched chips, will still work for the bypass presented in this article.
4Fully Arbitrary 802.3 Packet Injection: Maximizing the Ethernet Attack Surface by Andrea Barisani and Daniele Bianco at Black Hat 2013
5Disclaimer: No one forces this phone on them; they choose to have it of their own will. No government or agency is involved in this, and the only motivation that drives customers to use this kind of phone is the community they live in.
7Thanks Mudge!
9As seems to be mentioned in every PoC∥GTFO issue, the header doesn’t need to appear exactly at the file’s beginning, but within the first 1,024 bytes.
11See Python PEP 0263, Defining Python Source Code Encodings
13“IND-CPA” in cryptographers’ jargon.
14JPEG File Interchange Format Version 1.02, Sept. 1, 1992
15If the first letter in the type field of a PNG block is lowercase, then that chunk will be ignored by the viewer, which interprets it as a custom dummy block.
16This part of the trick was learned from Tavis Ormandy.
Chapter 4: Tract de la Société Secrète
1So now you can put your attachments inside your attachments—but I digress. –PML
220xAA55 is 0b1010101001010101. The alternating bit pattern, with 0x55 being an inversion of 0xAA, was taken as an insurance against even extreme controller failure. The same identifier is also used in other parts of the BIOS interface.
3There is no deep reason behind 0x7C00 being the load address. This is how programming usually works (and standards proliferate).
4This is how PaX’s PAGEEXEC emulates the NX bit by memory trapping with very little performance overhead: it sets the page table entries for the “data” pages to always trap, but allows a data access (i.e., EIP not in the accessed page) to go through. After this, it immediately resets the page table entry, but relies on the TLB for repeated page accesses to not trap. Truly, it is a work of art! –PML
5CR3 is usually reloaded to change the process context (will be covered across future articles). However, a change of process does not require that the entries for the kernel pages in the TLB get flushed. To avoid this, the global bit in the page table entry can be set, and global pages can be enabled in CR4. Doing so ensures that the entry for the specific page in the TLB can only be invalidated via a invlpg.
6The x86-64 architecture saw the introduction of tags as a part of the TLB entry, in 2008. Thus, each TLB entry is associated with a particular tag, and context switches can only involve changing of the current tag.
7As a point of interest, I experimented with concatenating the entire data together, and including the sector offset in the table. That decreased the space quite significantly, but at a cost of increasing the size of the code, and making updating the data extremely difficult. That version saved over thirteen tracks on the first side, and over eighteen tracks on the second side. However, this was still not enough for a single-side version. In the end, it was not worth the effort, and it will not be released.
9A few people have mentioned to me that there are some 6502 processors for which this is not true, but this is definitely the case for GeneralPlus controllers.
11While I do have a few letters after my name that suggest I know a thing or two about Computer Science, cryptography is not my specific area of specialization.
12Paul Erdős and László Lovász. Problems and results on 3-chromatic hypergraphs and some related questions. Infinite and finite sets (Colloq., Keszthely, 1973; dedicated to Paul Erdős on his 60th birthday), Volume II, North-Holland, Amsterdam, 1975, pp. 609–627. Colloq. Math. Soc. János Bolyai, Volume 10.
14Leonid Taycher. Books of the world, stand up and be counted! All 129,864,880 of you. August 5, 2010. Retrieved March 21, 2014.
15While this is technically true, such pins are commonly sold in packages of 100. So you’re often out six to seven dollars for the bag, and a variety of sizes of key pins and driver pins are needed to do the job properly. It’s best to find a friendly locksmith who might sell you a handful of individual pins for a few dollars.
16I’ve heard that the Germans get good results with kolophonium, better known as rosin.
17Here’s a handy rhyme to remember safety:
Johnny was a Chemist’s Son,
but Johnny is No More.
What Johnny thought was H2O,
was H2SO4!
18For fancy things like recovering gates in delayered chips, more sophisticated software is needed, but panorama software suffices when only the top layer is being photographed.
22Of course, this advice is legally worth exactly what you paid for it, and likely less. No warranty intended or implied, void where prohibited by law, etc., etc., etc. Not endorsed by any lawyers real, imaginary, or played-on-TV, but may be considered “digital cyber-bullets” by some. You may be called a merchant of digital cyber-polyglot death, too—you have been warned! –PML
23Some alarmist neighbors predict that the Universe will gravitationally collapse upon itself due to uncontrolled PoC∥GTFO expansion. Fear not, neighbors: an international action on PoC footprint is coming! On a second thought, though, since you are all Merchants of Dire PoC now, maybe fear twice as hard? —PML
Chapter 5: Address to the Inhabitants of Earth
1This turn of phrase has been shamelessly stolen from Meredith L. Patterson’s essay “When nerds collide,” where she writes about our strange tribe of people brought together by the power to translate pure thought into actions that ripple across the world merely by the virtue of being phrased correctly—but that is another story.
2“Leaps tall buildings in a single bound”—look it up on the internets under “academic structure,” neighbor! The only finer bit of college-land folklore is the one that starts with “Biologists think they are biochemists. . .” and it is mostly found pinned to doors of rather squalid-looking offices around math departments.
4As harmless as PDF can be, at least!
7The 80486 featured an external local APIC, the 82489DX. The 82489DX acted both, as the LAPIC and the I/O APIC, and differs with the modern APIC in subtle ways. Systems with the 82489DX are rare, and the differences are beyond the scope of this article.
8For Family 5, Model 2, Stepping 0, 1, 2, 3, 4, and 11, writes to the local APIC registers can be lost. The bug can be avoided by doing a dummy read from any local APIC register before a write.
9The MultiProcessor Specification recommends that two successive SIPIs be sent with a delay of 200μs. However, not only is it tough to find a timer with that precision, but most CPUs only require one SIPI. To be completely compliant, a second SIPI can be sent after a small delay if the target CPU does not initialize itself by then.
10The MPS tables are known to be faulty for modern systems, especially those supporting hyperthreading. Thus, the ACPI tables are always recommended over the MPS ones.
12“Intel Galileo - Building Linux Image” from Sergey Kiselev’s Blog
13The ./qw program simply swaps endianess on all bytes in each quadword because of how we copied data from the output buffer for AES into the registers.
15Matthew 7:9
17“Trace logging” in Java.
18Try this with your favorite SMTP, XMPP and IMAP clients—you may be unpleasantly surprised.
19This is still an improvement over other vendors, which do not display any prompt and simply talk in the clear. At least one has devoted man-hours to fixing this since trying out my PoC.
20If you don’t believe us, neighbor, there’s an academic paper about that, “The most dangerous code in the world: validating SSL certificates in non-browser software,” by Georgiev et al. —PML
21If you can prove me wrong, I’d love to see the PoC.
24http://miki.it/RosettaFlash/rickroll.swf unzip pocorgtfo05.pdf rosettaflash/PoC/rickroll.swf pocorgtfo05.pdf
25Albertini A., Aumasson J.-Ph., Eichlseder M., Mendel F., Schlaeffer M. Malicious Hashing: Eve’s Variant of SHA-1. In: Joux, A. (ed.) Selected Areas in Cryptography 2014, LNCS, Springer (to appear)
Chapter 6: Old Timey Exploitation
1Especially because it’s all open-access. Please enjoy the Freehaven Selected Papers in Anonymity. http://www.freehaven.net/anonbib/
2Astronomy and astrology are not in the same business even though they both have to do with stars; so with journalism and clickbait generation. Be kind to good journalists, neighbors! They are few and far between, and their battles with bullshit tend to be a lot more uphill than ours.
3Dolphin-Emu issue 5864
6If the name is longer, something called a PaxHeader is used instead; we’ve come a long way since the 1950s, neighbors!
9Programming the MIPS32 24K Core Family, Section 2.2
11Linux MIPS Wiki, Qemu Processor
13See PoC∥GTFO 3:11 and its retrospectively funny quote: “We’ll use the standard AES-128 algorithm in CBC mode, which is proven to be semantically secure when used with a random IV.”
Chapter 7: PoC∥GTFO, Calisthenics and Orthodontia
1Bambaata, if you’re reading this, please call me. Your Amex is beyond its limit after you expensed two “Charlie Miller kitchens,” and we had to reject payment in the amount of $20,000 USD to “You Better Belize It Bail Bonds.” Oh, and if by chance you happen to be arrested in Brazil, please ask the Federales when the impounded H2HC 2013 conference badges will appear on Ebay. —PML
2unzip pocorgtfo07.pdf theMagicNumberAA55.mbr.asm.pdf qemu-system-i386 theMagicNumberAA55.mbr.asm.pdf
5There’s a Getting Started section in the README that should help.
7The Pastor notes that fragroute might beg to differ, and your neighborly IDS might agree. It suffices to say that the IDS evasion party that Rev. Ptacek and Rev. Newsham started in 1998 is still going strong.
8But if you are looking to light up your local IDS like a Christmas tree, by all means add some later! –PML
9But check out /proc/sys/net/ipv4/ip_default_ttl; for Windows, you are on your own—and many happy reboots! –PML
10Yes, neighbors, it is an OSI layering violation—and it has been extracting its cost, in sweat, blood, and 0day. And if you think you are properly scared, you are not scared enough—just think of that SCADA protocol that has kept your neighborhood’s lights on, so far. –PML
11In theory, this is the accuracy of time stamps in the capture; in practice, typically set to zero.
12This is the maximum length of captured packets, in octets, or zero for no limit.
34“AES-NI shows Disabled,” Dell Server Support Forum
35“Using SMM for other purposes,” Phrack 65:7
40With their eerie fixation on demonizing America, as much as we owe domestic swine for letting them have any dirt in first place, let’s not confuse things here and dodge the blame.
Chapter 8: Exploits Sit Lonely on the Shelf
1Wassenaar Arrangement 2013 Plenary Agreements, Federal Register 2015-11642.
2Affording the time for proper peer review, of course, that is, the time for the random selection of peers to catch up with what one is doing. But what’s a year or two on the grand Internet scale of things, eh?
4LLVM Project Bug 15940, identified by the Ishiura Lab Compiler Team.
7See The Linux Backdoor Attempt of 2003 by Ed Felton.
10You could also use loud speakers, but please don’t. Pastor Laphroaig reminds us that there is a special level of hell for such people, who will spend Eternity next to those who scratch fingernails on chalk boards.
12Which some haters call Fundamentalist instead of Fair, but that’s unsafe speech. Unsafe speech has consequences, neighbors. You don’t want to find out about the consequences, so stay safe!
13Campfires are definitely not safe, so enjoy them while they last!
14Some combinations are useful, such as amplitude and phase, used, e.g., in DOCSIS; others aren’t so useful, such as phase and frequency, because changes in one can’t always be told from changes in the other.
15 This is easy to see for frequency and phase, since these changes are added to the argument of the sine A · sin(ω · t + θ), the frequency ω and the phase θ. Seeing this for the amplitude A is a bit trickier, but imagine A to be another sine wave, modulating the carrier. Then we deal with the product of two sines, and this is, by the age-old trigonometric identities sin(α+ β) = sin(α) cos(β)+cos(α) sin(β) and sin(α- β) = sin(α) cos(β)- cos(α) sin(β); hence adding these and remembering that the cosine is the sine shifted by π/2, sin(α) sin(β + π/2) = 1/2 (sin(α + β) + sin(α - β)). That is, a product of sines is the arithmetic average of the sines of the sum and the difference of their arguments. If α is the carrier and β is the change, the rainfall diagram will show the band from α - β to α + β, that is 2β-wide.
Seeing this sum and knowing the carrier frequency, one might wonder: can’t we make do with just one term of the sum α + β, and ignore α - β ? Indeed, if one applies a filter to cut the frequencies less than the carrier from the transmitted signal, one can save half the bandwidth and still recover the signal. This trick is known as the Upper Side Band, and it used for the actual digital radio transmissions.
17Steganography in Commonly Used HF Protocols, Drapeau and Dukes, Defcon 22
24http://help.adobe.com/en_US/FlashPlatform/reference/action-script/3/flash/external/ExternalInterface.html
25http://ajaxian.com/archives/want-to-pack-js-and-css-really--well-convert-it-to-a-png-and-unpack-it-via-canvas
37These observations are based on encoding that involved messages averaging 2,500 bytes in size, the average size of a typical minified and compacted browser exploit.
38 Stack Overflow, “Strange issue with Canvas in Internet Explorer 9, is there any constraint of width and size of canvas/context?”
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.