0xw3bs3c
diff --git a/‎Pwn2Win/2020/at_your_command/command
9.98 KB b/‎Pwn2Win/2020/at_your_command/command
9.98 KB
diff --git a/‎Pwn2Win/2020/at_your_command/libc.so.6
1.94 MB b/‎Pwn2Win/2020/at_your_command/libc.so.6
1.94 MB
diff --git a/‎Pwn2Win/2020/butcher_bmc/README.txt
+25 b/‎Pwn2Win/2020/butcher_bmc/README.txt
+25
diff --git a/‎Pwn2Win/2020/butcher_bmc/content
32 MB b/‎Pwn2Win/2020/butcher_bmc/content
32 MB
diff --git a/‎Pwn2Win/2020/butcher_bmc/qemu-system-arm
59.8 MB b/‎Pwn2Win/2020/butcher_bmc/qemu-system-arm
59.8 MB
diff --git a/‎Pwn2Win/2020/butcher_bmc/run.py
+33 b/‎Pwn2Win/2020/butcher_bmc/run.py
+33
diff --git a/‎Pwn2Win/2020/hardware_trojan_v2_pt2/rootfs.ext2
60 MB b/‎Pwn2Win/2020/hardware_trojan_v2_pt2/rootfs.ext2
60 MB
diff --git a/‎Pwn2Win/2020/omnitmizer/Dockerfile
+11 b/‎Pwn2Win/2020/omnitmizer/Dockerfile
+11
diff --git a/‎Pwn2Win/2020/omnitmizer/OmniTmizer.patch
+37 b/‎Pwn2Win/2020/omnitmizer/OmniTmizer.patch
+37
diff --git a/‎Pwn2Win/2020/omnitmizer/codes/omnitmize.me.js
+1 b/‎Pwn2Win/2020/omnitmizer/codes/omnitmize.me.js
+1
diff --git a/‎Pwn2Win/2020/omnitmizer/run.bat
+2 b/‎Pwn2Win/2020/omnitmizer/run.bat
+2
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-console-l1-1-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-console-l1-1-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-console-l1-2-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-console-l1-2-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-datetime-l1-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-datetime-l1-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-debug-l1-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-debug-l1-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-errorhandling-l1-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-errorhandling-l1-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-file-l1-1-0.dll
14.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-file-l1-1-0.dll
14.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-file-l1-2-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-file-l1-2-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-file-l2-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-file-l2-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-handle-l1-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-handle-l1-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-heap-l1-1-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-heap-l1-1-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-interlocked-l1-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-interlocked-l1-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-libraryloader-l1-1-0.dll
12.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-libraryloader-l1-1-0.dll
12.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-localization-l1-2-0.dll
13.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-localization-l1-2-0.dll
13.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-memory-l1-1-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-memory-l1-1-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-namedpipe-l1-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-namedpipe-l1-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-processenvironment-l1-1-0.dll
12.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-processenvironment-l1-1-0.dll
12.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-processthreads-l1-1-0.dll
13.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-processthreads-l1-1-0.dll
13.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-processthreads-l1-1-1.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-processthreads-l1-1-1.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-profile-l1-1-0.dll
10.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-profile-l1-1-0.dll
10.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-rtlsupport-l1-1-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-rtlsupport-l1-1-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-string-l1-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-string-l1-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-synch-l1-1-0.dll
13.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-synch-l1-1-0.dll
13.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-synch-l1-2-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-synch-l1-2-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-sysinfo-l1-1-0.dll
12.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-sysinfo-l1-1-0.dll
12.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-timezone-l1-1-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-timezone-l1-1-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-util-l1-1-0.dll
11.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-core-util-l1-1-0.dll
11.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-conio-l1-1-0.dll
12.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-conio-l1-1-0.dll
12.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-convert-l1-1-0.dll
15.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-convert-l1-1-0.dll
15.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-environment-l1-1-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-environment-l1-1-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-filesystem-l1-1-0.dll
13.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-filesystem-l1-1-0.dll
13.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-heap-l1-1-0.dll
12.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-heap-l1-1-0.dll
12.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-locale-l1-1-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-locale-l1-1-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-math-l1-1-0.dll
20.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-math-l1-1-0.dll
20.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-multibyte-l1-1-0.dll
19.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-multibyte-l1-1-0.dll
19.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-private-l1-1-0.dll
62.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-private-l1-1-0.dll
62.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-process-l1-1-0.dll
12.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-process-l1-1-0.dll
12.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-runtime-l1-1-0.dll
15.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-runtime-l1-1-0.dll
15.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-stdio-l1-1-0.dll
17.4 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-stdio-l1-1-0.dll
17.4 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-string-l1-1-0.dll
17.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-string-l1-1-0.dll
17.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-time-l1-1-0.dll
13.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-time-l1-1-0.dll
13.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-utility-l1-1-0.dll
11.9 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/api-ms-win-crt-utility-l1-1-0.dll
11.9 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/d8.exe
14.1 MB b/‎Pwn2Win/2020/omnitmizer/x64.release/d8.exe
14.1 MB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/dbgcore.dll
163 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/dbgcore.dll
163 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/dbghelp.dll
1.85 MB b/‎Pwn2Win/2020/omnitmizer/x64.release/dbghelp.dll
1.85 MB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/flag.exe
11.5 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/flag.exe
11.5 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/msvcp140.dll
576 KB b/‎Pwn2Win/2020/omnitmizer/x64.release/msvcp140.dll
576 KB
diff --git a/‎Pwn2Win/2020/omnitmizer/x64.release/omnitmize.bat
+1 b/‎Pwn2Win/2020/omnitmizer/x64.release/omnitmize.bat
+1
@@ -0,0 +1,25 @@
+Description:
+
+We discovered that the ButcherCorp has a data center in the city of
+Boston. Each server of this data center has a custom BMC (Baseboard Management
+Controller), named 'Butcher BMC' and they manage the servers remotely through an
+exposed IPMI interface. Luckly, the Rebelious Fingers were able to deploy a
+backdoor on this data center. Below is the information that they sent to us:
+
+root@butcher:~# journalctl -b --no-pager | grep Echo
+May 25 00:45:49 butcher ipmid[234]: Registering OEM:[0X003039], Cmd:[0X7E] for Echo Commands
+
+Instructions:
+
+1- Install dependency, e.g.,:
+$ sudo apt install ipmitool
+
+2- Connect to server, e.g.,:
+$ nc butcherbmc.pwn2.win 1337
+
+3- Solve PoW, get your ipmi port, and wait for system initialization.
+
+4- Use ipmitool to run commands, e.g.,:
+$ ipmitool -I lanplus -H butcherbmc.pwn2.win -p <ipmi port> -U root -P 0penBmc chassis status
+
+Note that the credentials are the default (i.e., root:0penBmc).
@@ -0,0 +1,33 @@
+#!/usr/bin/python3 -u
+import random
+import signal
+import string
+import subprocess
+import sys
+
+def random_string(n):
+    return ''.join(random.choice(string.ascii_lowercase) for _ in range(n))
+
+def check_pow(bits):
+    r = random_string(10)
+    print(f"hashcash -mb{bits} {r}")
+    solution = input("Solution: \n").strip()
+    if subprocess.call(["hashcash", f"-cdb{bits}", "-r", r, solution],
+                       cwd="/tmp",
+                       stdout=subprocess.DEVNULL,
+                       stderr=subprocess.DEVNULL) != 0:
+        raise Exception("Invalid PoW")
+
+check_pow(25)
+
+port = random.randint(1024, 65535)
+print(f"IPMI over lan will be listening on port {port}\n")
+
+subprocess.call(["./qemu-system-arm",
+                 "-monitor", "/dev/null",
+                 "-m", "128M",
+                 "-M", "romulus-bmc",
+                 "-drive", "file=./content,format=raw,if=mtd,readonly",
+                 "-net", "nic",
+                 "-net", f"user,hostfwd=udp::{port}-:623",
+                 "-nographic"], stdin=subprocess.DEVNULL, timeout=200)
@@ -0,0 +1,11 @@
+FROM mcr.microsoft.com/windows/servercore:ltsc2019
+
+COPY /x64.release/ /omnitmizer/
+
+WORKDIR /omnitmizer
+
+RUN icacls flag.exe /setowner "user manager\containeruser"
+USER ContainerUser
+RUN icacls flag.exe /deny "user manager\containeruser":RX
+
+ENTRYPOINT ["omnitmize.bat"]
@@ -0,0 +1,37 @@
+https://github.com/v8/v8/tree/50dd84ca317ae35c926ed34d001a72b62aea6662
+diff --git a/src/compiler/escape-analysis.cc b/src/compiler/escape-analysis.cc
+index b3f684ea61..ae2cbdabca 100644
+--- a/src/compiler/escape-analysis.cc
++++ b/src/compiler/escape-analysis.cc
+@@ -726,29 +726,8 @@ void ReduceNode(const Operator* op, EscapeAnalysisTracker::Scope* current,
+       break;
+     }
+     case IrOpcode::kCheckMaps: {
+-      CheckMapsParameters params = CheckMapsParametersOf(op);
+-      Node* checked = current->ValueInput(0);
+-      const VirtualObject* vobject = current->GetVirtualObject(checked);
+-      Variable map_field;
+-      Node* map;
+-      if (vobject && !vobject->HasEscaped() &&
+-          vobject->FieldAt(HeapObject::kMapOffset).To(&map_field) &&
+-          current->Get(map_field).To(&map)) {
+-        if (map) {
+-          Type const map_type = NodeProperties::GetType(map);
+-          if (map_type.IsHeapConstant() &&
+-              params.maps().contains(
+-                  map_type.AsHeapConstant()->Ref().AsMap().object())) {
+-            current->MarkForDeletion();
+-            break;
+-          }
+-        } else {
+-          // If the variable has no value, we have not reached the fixed-point
+-          // yet.
+-          break;
+-        }
+-      }
+-      current->SetEscaped(checked);
++      //OmniTmizer - Improving performance
++      current->MarkForDeletion();
+       break;
+     }
+     case IrOpcode::kCompareMaps: {
@@ -0,0 +1 @@
+console.log('OmniTmize me!');
@@ -0,0 +1,2 @@
+docker build -t omnitmizer .
+docker run --rm -v %cd%/codes:c:/omnitmizer/codes omnitmizer
@@ -0,0 +1 @@
+d8.exe ./codes/omnitmize.me.js
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+docker build -t omnitmizer .`
	`2`	`+docker run --rm -v %cd%/codes:c:/omnitmizer/codes omnitmizer`