PoC or GTFO, Volume 2

by Manul Laphroaig


  FaceWhisperer, 664

  Fadecandy, 194

  Fail0verflow, 423

  Falkner, Katrina, 50

  fbz, 126, 128

  FCC, 26, 82

  FDF, 476

  Fenders, Trolly, 13

  Fermentation, 61

  Ferrie, Peter, 220, 374

  Feynman, Alice, 687

  Feynman, Richard, 436

  FFT, 707

  Filedescriptor, 455

  Firefox, 472

  Firmware, 174, 194, 210, 311, 343, 387, 403, 659, 676

  Floppy Disk, 220, 374

  Forensics, 57

  FormCalc, 457

  Forshaw, James, 645

  Fortran, Soldier of, 490

  Fouladi, Behrang, 438

  Galaksija, 84

  Galileo, 13

  Gambatte, 147, 190

  GameBoy, 144, 190

  Gaming, 220, 374

  GDB, 685

  Gelfand, Israel, 697

  Geman, Donald, 738

  Geman, Stuart, 738

  GetProcAddress, 536

  Ghanoun, Sahand, 438

  Ghostscript, 757

  Glitching, 663

  Globalstar, 20

  GnuPG, 43

  GNURadio, 20, 449, 732

  Gonadotropin, 208

  Goodspeed, Travis, 71, 311, 387, 403, 664, 676

  Gray Coding, 716

  Group Code Recording, 234

  GRSecurity, 19

  Grugq, 13

  Guinart, Olivier, 268

  Gustafsson, Roland, 308

  Hall, Joseph, 437

  Handbook, Shellcoder’s, 548

  Hash Collision, 535, 652, 698

  Haverinen, Juhani, 355

  HAVOC, 552

  Heap, 31

  Heineman, Rebecca, 264

  Heinlein, Robert A., 82

  Hickey, Patrick, 335

  Hlavaty, Peter, 31

  Holtek, 205

  HOPE, 691

  Hornby, Taylor, 43

  HR C5000, 313

  HT48C06, 205

  HTML, 194, 415

  HTTP, 200, 415, 453

  HVCI, 576

  Hypervisor, 47, 576

  IBM, 490

  IDA Pro, 327, 342, 393, 403, 679

  Ilari, 144

  Infocom, 223, 491

  Inführ, Alex, 457

  Insertscript, see Inführ, Alex

  Internet Explorer, 472

  Internet of Things, 702

  Intuos Pro, 674

  Ionescu, Alex, 33, 553

  iPhone Dev Team, 423

  Ирония судьбы, 535

  Irsdl, see Dalili, Soroush

  ISM Band, 702

  IVT, 320, 403, 667

  Javascript, 200, 419, 473, 589

  JCL, 496

  Johns Hopkins, 738

  JSON, 472

  JT65, 71

  JTAG, 194

  Juels, Ari, 50

  Junk Hacking, 342

  Juras, Zvonko, 122

  K1JT, 71

  KA1OVM, 71

  Kaba Mas, 688

  Keen Team, 31

  Kernel Threads, 553

  KK4VCZ, 311, 676

  Knight, Matt, 702

  Knuth, Donald, 143, 200

  Kolmogorov, Andrei, 697

  Kotowicz, Krzysztof, 453

  Krakić, Blažo, 122

  Labrosse, Jean J., 331

  Lady Ada, 662

  Lakatos, Imre, 734

  Langsec, 587

  Laphroaig, Manul, 13, 139, 342, 431, 687, 734

  LaTeX, 128

  Laughton, Paul, 635

  LC87, 662

  Lebrun, Arnaud, 437

  Lechner, Pieter, 308

  LED, 215

  Lekies, Sebastian, 481

  Ligatti, Jay, 396

  Linux, 35, 676

  Literate Programming, 139, 200

  Liusvaara, Ilari, 144

  LLVM, 396

  Lock, 687

  LoRa, 702

  LSNES, 144, 190

  Lu, Jihui, 31

  Lua, 181

  Luebbert, William F., 308

  LZMA, 289

  M/o/Vfuscator, 483

  Mainframe, 490

  MAME, 347, 383

  Manchester Coding, 719

  Mandt, Tarjei, 31

  Master Boot Record, 355

  McAfee Enterprise, 57

  MD380, 311, 676

  memset(), 43

  Metasploit, 549

  mfence, 47

  MiCasaVerde, 440

  MicroC/OS-II, 331, 683

  Miller, Charlie, 343

  MIME Type, 454

  Minesweeper, 489

  Minsky Rotation, 621

  MIPRO, 122

  MIPS, 401

  MKE04Z8VFK4, 194

  Mockingboard, 277

  Molnár, Gábor, 453

  Monroe, Marilyn, 126

  Moore, Colby, 20

  MotoTrbo, see DMR

  MPlayer, 128

  MSP430, 403

  Mudge, 552

  Murphy, Dade, 499

  Myers, Michael, 535

  Network Job Entry, 490

  Neubauer, Doug, 604

  Nibbles, 355

  NJE, 490

  Nodal Message Records, 505

  NOP Sled, 345

  NPAPI, 472

  Nyquist rate, 673

  O’Brien, Kathleen, 635

  O’Flynn, Collin, 663

  Obfuscation, 483

  Object Manager Namespace, 645

  OMVS, 491

  ONsemi, 662

  Opcode, Illegal, 279

  OpenBarley, 449

  OpenZwave, 437

  Orland, Kyle, 189

  Ormandy, Tavis, 31

  OS/360, 490

  osdev.org, 355

  Ossmann, Michael, 20, 318

  OWASP, 455

  P25, 311

  P4Plus2, 144

  Pac Man, 604

  Packet in Packet, 79

  Page Fault Liberation Army, 483

  Pascal, 292

  Password, 45

  PatchGuard, 553

  PaX, 19

  PCAP, 448

  PCB, 208, 667

  PDF, 415, 453, 593, 757

  PDFium, 420

  Peak Computation, 431

  (212) PE6-500, 691

  Perl, 420

  Pfistner, Stephan, 481

  Philippe, Teuwen, 415, 593, 757

  Photodetector, 215

  Phrack, 18, 71, 491, 535

  PHY, 20, 702

  PIC16, 205

  Picod, Jean-Michel, 437

  Pigeonhole Principle, 698

  PIT, 355

  Plumbing, 734

  Pokémon, 144, 190

  Pólya, György, 697

  Polyglot, 128, 190, 415, 453, 593, 757

  Pong, 146

  Popper, Karl, 734

  Population Bomb, 433

  PostScript, 757

  Potter, Jordan, 144

  Pregnancy Test, 205

  Preservation, 220, 374

  Preshing, Jeff, 51

  PRNG, 699, 723

  ProDOS, 220

  PSK, 20

  Puzzle Corner, 131

  Pwn2Own, 31

  Qboot, 267

  Qemu, 355, 676

  Qkumba, see Ferrie, Peter

  Quine, 415

  Rabbit Test, 205

  Race Condition, 645

  Rad Warrior, 381

  Radare2, 327, 393, 403, 679

  Radio, 20, 437

    Amateur, 71, 311, 676

  Räisänen, Oona, 131

  Ramsey, Ben, 437

  Real Mode, 355

  Recon, 31, 47

  Reiter, Michael K., 50

  Renesas, 674

  REPL, 590

  ret2dir, 42

  Reynolds, Aaron R., 603

  RFID, 659

  RISC, 387, 483

  Ristanović, Dejan, 84

  Ristenpart, Thomas, 50

  ROM, 292

  ROP, 18, 397, 437, 553, 669

  Rosetta Flash, 456

  Rowhammer, 132

  RTOS, 331

  RTTY, 82

  Ruby, 415

  Самиздат, 415, 687

  Sanitization, 587

  Sanyo, 662

  Satellite, 20

  Sather, Jim, 264

  Scapy, 437

  SCIF, 688

  Scott, Micah Elizabeth, 194, 659

  Security, Physical, 687

  Seeber, Balint, 715

  Self-Modifying Code, 181, 286, 355

  Semtech, 702

  Sethi, Shikhin, 355

  Shellcode, 535

  Shepherd, Owen, 355

  Shim Database Compiler, 740

  Shugart SA400, 226

  Sidechannel, 47

  Silvanovich, Natalie, 344

  Skape, 571

  Skywing, 571

  SLUB, 35

  SMEP, 567

  SMT Solver, 549

  Snake, 146, 355

  SNES, 144

  Software Defined Radio, 29, 437, 702

  Soviet Union, 535

  Space Invaders, 604

  Spagnuolo, Michele, 456

  Speedrun, Tool Assisted, 146

  Speers, Ryan, 387, 403

  Spellbreaker, 223

  SPI

    EEPROM, 442

    Flash, 314

  Spin Lock, 687

  SpiraDisc, 275

  SPOT, 20

  SpyEye, 551

  SQL Injection, 587

  SRAM, 151

  Star Raiders, 604

  Star Wars, 347

  Starcross, 223

  Stevens, Didier, 548

  STM32, 313, 387, 684

  Dr. Strangelove, 217

  Strongly Ordered Model, 51

  Studebaker, 343

  Sugihara, Kokichi, 756

  Sultanik, Evan, 415, 535, 687, 757

  Super GameBoy, 144

  Super NES, 190

  SWD, 194

  SWF, see Adobe

  Szemerédi, Endre, 699

  Tamagotchi, 142, 207

  TASBot, 148

  Taylor, Joe, 71

  TCP/IP, 499

  TCP/IPa, 61

  Tektronix 1720, 350

  TelosB, 410

  Terminator (T-800), 607

  Tetranglix, 355

  Teuwen, Philippe, 128, 190

  Texas Instruments, 342

  The 4th R – Reasoning, 261, 385

  TinyOS, 410

  TNC, 79

  Total Phase, 317

  Translation Lookaside Buffer, 568

  Tron, 355

  TSO, 491

  Tuco the Cat, 661

  Turing Completeness, 13, 483, 577, 671

  Twiizers, Team, 423

  Tytera, 311, 676

  Ubertooth, 318

  UMPOwn, 553

  Underhanded Crypto Contest, 43

  USB, 311, 664

  Usenix

    Security, 50, 311

    WOOT, 483

  Valasek, Chris, 34

  Vectorportal, 129

  Vectorscope, 350

  Vesalius, Andreas, 139

  VIM, 577

  Virtualization, 47

  Vivisection, 139

  VLC, 128

  VMWare, 317

  Vogelfrei, 71

  Vorontsov, Vladimir, 481

  V.st, 350

  W7PCH, 335

  Wacom Tablet, 662

  Wang, Haining, 50

  WavPack, 128

  WB4APR, 71

  Wen, Jun, 702

  Wiest, Lorenz, 604

  Wilkinson, Bill, 635

  Windows, 31, 535, 645, 740

    10, 553

  Windows 3.1, 603

  Witchcraft Compiler Collection, 686

  Worth, Don, 308

  Wozniak, Amanda, 205

  Wu, Zhenyu, 50

  WV, 128

  x86, 47, 396, 483

  XFDF, 476

  XlogicX, 57, 355

  XSS, 453

  Xu, Wen, 42

  Xu, Zhang, 50

  Yarom, Yuval, 50

  Yeast, 61

  Yugoslavia, 84

  Z-Wave, 437

  z/OS, 490

  Z3, 549

  Z80, 84, 153

  Zer0mem, 31

  Zero Cool, 499

  Zhang, Yinqian, 50

  ZIP, 415, 593, 757

  Zork, 491

  ZW0501

    Transceiver, 443

  Zylon, 604

  Colophon

  The text of this bible was typeset using the LaTeX document markup language for the TeX document preparation system. The primary typefaces used in this bible are from the Computer Modern family, created by Donald Knuth in METAFONT. The æsthetics of this book are attributable to these excellent tools.

  This bible contains one hundred ninety-one thousand eight hundred forty-seven words and one million fourteen thousand seven hundred fifty-seven characters, including those of this sentence.

  Footnotes

  Introduction

  1 PoC‖GTFO 9:3 on page 20.

  2 PoC‖GTFO 9:9 on page 71.

  3 PoC‖GTFO 12:3 on page 437.

  4 PoC‖GTFO 13:7 on page 702.

  5 PoC‖GTFO 9:10 on page 84.

  6 PoC‖GTFO 10:7 on page 220 and PoC‖GTFO 11:5 on page 374.

  7 PoC‖GTFO 13:2 on page 604.

  8 PoC‖GTFO 10:8 on page 311.

  9 PoC‖GTFO 13:5 on page 676.

  10 PoC‖GTFO 9:4 on page 31.

  11 PoC‖GTFO 12:8 on page 553.

  12 PoC‖GTFO 13:4 on page 659.

  13 PoC‖GTFO 9:12 on page 128.

  14 PoC‖GTFO 10:4 on page 190.

  15 PoC‖GTFO 11:9 on page 415.

  16 PoC‖GTFO 12:11 on page 593.

  9 Elegies of the Second Crypto War

  1 Whether one actually understands them or not—and, if you value your sanity, do not try to find if your physics teachers actually understand them either. You have been warned.

  2 Not that stationary steam engines were weaklings either: driving ironworks and mining pumps takes a lot of horses.

  3 Typically, a priest of a religion that involves central planning and state-run science. This time they’ll get it right, never fear!

  4 The question of whether that which is not power is still knowledge is best left to philosophers. One can blame Nasir al-Din al-Tusi for explaining the value of Astrology to Khan Hulagu by dumping a cauldron down the side of a mountain to wake up the Khan’s troops and then explaining that those who knew the causes above remained calm while those who didn’t whirled in confusion below—but one can hardly deny that being able to convince a Khan was, in fact, power. Not to mention his horde. Because a Khan, by definition, has a very convincing comeback for “Yeah? You and what horde?”

  5 And some of these papers were true Phrack-like gems that, true to the old-timey tradition, explained and exposed surprising depths of common mechanisms: see, for example, SROP and COOP.

  6 While, for example, products of the modern web development “revolution” already do, despite being much less complex than a CPU.

  7 “Are Simplex Messages Secure,” GlobalStar Product Support, Feb. 2009.

  8 DSSS theory shows us that DSSS is the same as BPSK for a BPSK data signal.

  9 git clone https://github.com/synack/globalstar unzip pocorgtfo09.pdf globalstar.tar.bz2

  10 http://www.k33nteam.org/noks.html

  11 http://j00ru.vexillium.org/dump/recon2015.pdf

  12 Intro to Windows Kernel Security Research by T. Ormandy, May 2013.

  13 This Time Font Hunt You Down in 4 Bytes, Peter Hlavaty and Jihui Lu, Recon 2015

  14 Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool, Alex Ionescu, Dec 2014

  15 Windows 8 Heap Internals presentation.

  16 SLUB, the unqueued slab allocator, has been the default since Linux 2.6.23.

  17 SPLICE When Something is Overflowing by Peter Hlavaty, Confidence 2015

  18 ret2dir: Rethinking Kernel Isolation by Kemerlis, Polychronakis, and Keromytis

  19 Universal Android Rooting is Back! by Wen Xu, BHUSA 2015 unzip pocorgtfo09.pdf bhusa15wenxu.pdf

  20 unzip pocorgtfo09.pdf uhc-subs.tar.xz

  21 FLUSH+RELOAD: a High Resolution, Low Noise, L3 Cache Side-Channel Attack by Yarom and Falkner from USENIX Security 2014

  22 Cross-Tenant Side-Channel Attacks in PaaS Clouds by Zhang et al at ACM CCS 2014

  23 Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud by Wu, Xu, and Wang at USENIX Security 2012

  24 Weak vs. Strong Memory Models from Preshing on Programming

  25 unzip pocorgtfo09.pdf crossvm.pdf

  26 git clone https://github.com/BinaryBrewWorks/Beer unzip pocorgtfo09.pdf beer.zip

  27 jt65stego by Drapeau (KA1OVM) and Dukes, 2014

  28 This is the exact opposite of your WiFi, where every data frame is acknowledged, and no more data is sent unless either the ACK arrives or a timeout is reached.

  29 unzip pocorgtfo09.pdf aprsl01.pdf

  30 Don’t do this. Acting like an asshole on the radio is the surest way to convince a brilliant RF engineer to spend his retirement hunting you down.

  31 In Heinlein’s “Between the planets,” 1951, the same celestial path of the Circum-Terra station is used for a much less benign purpose: worldwide delivery of nukes. That book also introduced the idea of stealth technology vehicle with a radar-reflecting surface, long before any scientific publications on the subject. —PML

  32 unzip pocorgtfo09.pdf encham.html #Encryption and Amateur Radio by KD0LIX

  33 unzip pocorgtfo09.pdf part97.pdf

  34 Also note §97.217: Telemetry transmitted by an amateur station on or within 50 km of the Earth’s surface is not considered to be codes or ciphers intended to obscure the meaning of communications.

  35 Yes, this is the one thing all instruction manuals tell you never to do.

  36 Mechanical parts = 4600, set of ICs = 6500, 3250 import fees, housing and passive components = 1200 dinars.

  37 Sorry Spectrum and ZX 81 owners!

  38 Why the fifth? Well, because this special edition doesn’t reach all the kiosks at the same time. We wish, therefore, all the readers to have the same chances.

  39 This is not a mistake, two different MIPRO companies are helping our action!

  40 http://en.true-audio.com/TTA_Lossless_Audio_Codec_-_Format_Description

  41 http://wiki.hydrogenaud.io/index.php?title=APEv2_specification

  42 http://www.wavpack.com/file_format.txt

  43 http://www.vecteezy.com/people/23511-marilyn-monroe-vector

  10 The Theater of Literate Disassembly

  1 unzip pocorgtfo10.pdf adventure.pdf

  2 http://tasvideos.org

  3 It should also be noted that all recent AGDQ events have directly benefited the Prevent Cancer Foundation which was a huge motivator for several of us who worked on this project. The block we presented this exploit in at AGDQ 2015 helped raise over $50K and the marathon as a whole raised more than $1.5M toward cancer research, making this project a huge success on multiple levels.

  4 In brief, the detection routine is extremely sensitive to how many DMG clock cycles various operations take; the emulator is likely slightly inaccurate, which causes the detection to fail, but from looking at the behavior it seems like it “just works” on the real hardware. This is sheer luck, and the game developers likely never even knew it was so fragile.
