Nytro
Administrators
Posts: 18785
Days Won: 738

Everything posted by Nytro

  1. Real life: WordPress < 3.6.1 PHP Object Injection - VaGoSec
  2. Let me add one more condition: you have to be VIP.
  3. The Art of Assembly Language Programming
The PDF version of "The Art of Assembly Language Programming" is a complete, high-quality version of the text. It is much easier to read and provides an excellent vehicle for printing your own copy of the text. However, to view and print PDF files, you will need a copy of Adobe's Acrobat reader program. You may obtain a free copy of this program for a wide variety of operating systems directly from Adobe.
If you have installed Adobe Acrobat Reader, clicking on the following links should automatically bring up the PDF version of the specified chapter.
Short Table of Contents, Long Table of Contents, Forward, Chapter 1 through Chapter 25, Appendix B, Appendix C, Appendix D, Index. Note: Appendix A is non-existent.
Source: Art of Assembly Language, PDF Files
  4. Nothing critical, as far as I can see: https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf
  5. Coding Principles Every Engineer Should Know
Throughout my engineering career, I’ve had the opportunity to work alongside and learn from many incredibly talented people, solve some serious technical challenges, and scale several successful companies. Recently, I was talking with the engineering team at Box about what I’ve learned along this journey, and what came out of that conversation were my personal engineering principles. These aren’t rules or engineering guidelines. They’re simply the principles that I pay attention to when I write and operate code.

Be paranoid. This one comes naturally to me. Since I’m mostly self-taught as a programmer, I never trust computers. I never trust that the system I just launched is really up. That the bug I fixed is really fixed. That code really does work the way I think it does without a test. I don’t trust anything. I don’t even trust myself! I never trust that I understand anything as well as I think I do until I check more than once. Paranoia is my friend, and it should be your friend, too. Always try to find a way to test assumptions along some other path, or get a second set of eyes to see what you’ve missed. Most of the time it’s not needed. Sometimes it’s really important.

Don’t lie to the computer. Another way to say this is “avoid leaky abstractions.” Don’t use systems in ways they’re not meant to be used. Don’t count on side effects. Don’t do things that won’t be obvious to the next person because the system wasn’t designed for them or they’re undocumented. If usage is three orders of magnitude more than current usage, then you should probably rethink the design. If the contract implies, but doesn’t guarantee, your use, you should change the component and the contract to be aligned. Computers are nasty things. They always bite when lied to, eventually.

Keep it simple. We like building things and solving problems. That’s why we do what we do. But a lot of the time, just because we can see a problem that could be solved, doesn’t mean it’s useful to solve it right now. I always think of myself as a fairly dumb programmer: I like clean, simple designs that are easy to understand. And this is a high challenge: anyone can solve a problem in a complex way, but only good programmers can solve problems in simple, understandable ways. It’s much harder to really think through the problem and solve only what needs to be solved in a simple, robust manner. Making yourself understood is the most important thing. Most time in code is spent maintaining, not creating.

First rule of optimizing: don’t. This is from a good book by Jon Bentley called Programming Pearls. (It’s explicitly meant to help you learn to think like an experienced programmer. It may be an old book but most of the lessons are incredibly relevant today.) Optimization can take many forms: speed, future-proofing, potential scale, possible uses, etc. The problem is, most optimization is ultimately never used, and, more or less by definition, optimization makes designs more complicated. So, the first rule of thumb is don’t optimize until it’s really clear that you understand the problem completely. (His second rule: “don’t optimize, yet.” Meaning, even if you do understand it, don’t optimize until you really need to.)

Don’t just fix the bug; fix all possibility of it ever happening again. Don’t be sorry if you made a mistake; be angry and make it something you never have to think about again. I hate bugs. I hate systems that let me create bugs. I hate it when my own software lets my fragile human brain down and I create a bug that could have been avoided. And I really, really hate fixing the same bug twice. So I try as much as I can, every single time I fix a bug, to think about the following: where else might this bug be happening now? Where might it happen in the future? What are the adjacent patterns that create similar bugs? And how can I kill all the bastards at once, right now?

Question assumptions constantly. Because I have spent most of my time in my own startups, I’ve gotten in the habit of asking myself constantly “Why am I doing this? What problem does it solve? Is there a better way? Is there something else I could do instead that’s more important?” You should have that attitude all the time. Constantly be questioning the assumptions given to you. What’s the real problem you’re solving? Did someone ask you to solve an effect rather than the root cause? Is the solution complete? Over-complete? Is the impact worthwhile?

Think long term. Slow down, it goes faster. This might be one of the most important ones. It’s easy to hack things out. As engineers, we like efficiency; we like to build as many things as we can. But if we don’t build for the long term, eventually it gets harder and harder to build anything. Sometimes we don’t understand the problem at first and we write code that we later have to back out. Sometimes we do things that are easy for our local problem, but make things worse or harder for someone else or for a larger problem. Sometimes we rush and don’t finish the design, and this causes much more time later on for someone to fix. Sometimes we don’t bother to write it the right way, we just make a copy or hack something in because we’re under time pressure or don’t want to really think it through. I’ve seen all these things too many times. Others have said this better than I have. But I’ll repeat: the goal is building the largest number of great features, reaching the largest number of users over time. The area under the curve for a given day doesn’t add much, no matter how much gets done on that day, relative to all the days added together. Think long term.

Care about your code. I guess this one doesn’t need much explanation, but it’s still something I see people missing from time to time. Take pride in your work! Care about the code you produce! I usually think of my poor future self, having to deal with my crappy code, when I’m tempted to be lazy and cut a corner. You don’t have to take this to an extreme; I used to joke at Google that other engineers treated their code like a pet, where my relationship with mine was more like a rancher’s: pragmatic, not sentimental. But even still, I always hate it if my code isn’t well designed, doesn’t work well, isn’t readable, all that stuff.

Cheap, fast, right: pick two. This is the iron triangle of software. This is the way the world of software engineering works. But it’s not an excuse for complacency. In fact, this is your opponent every single day. The difference between good and great programmers is often measured in how well they navigate the iron triangle. And really great ones find ways to bend it and get some of all three, more often than not. Try to be that kind of programmer: can you find a more elegant design that’s faster to build and is still right? Can you relax some constraint in the spec to get to the goal more quickly? You might not always be able to do that; in fact, you won’t beat the triangle. But if nothing else, make sure you understand what compromise you are choosing, and why, and that it’s the right one for the current situation.

Conclusion: Be curious. Learn as much as you can, all the time. Okay, this one is more career advice than anything else. But if you’re not curious and don’t really care that much about learning new things as an engineer and don’t care about new tech or new languages or new ideas, then why are you here? By no means are my principles perfect or an absolute representation of thinking/acting like a successful engineer, but I’m willing to bet there’s a fair amount of overlap with what others might be thinking. I’d love to hear your thoughts.
Written by Sam Schillace
Source: https://medium.com/on-coding/coding-principles-every-engineer-should-know-b946b48cc946
  6. Bucuresti Bookfest
  7. You scumbags, which of you went? Up yours _|_
  8. For a while now: https://www.demonoid.ph/
  9. Devices freeze and astronauts have strange sensations: what is the "space Bermuda Triangle" that produces these odd phenomena?
Some spacecraft, such as the Hubble Space Telescope, were designed so that the delicate instruments on board shut down while passing through the zone, to avoid damaging them. Some failures of the Globalstar network's satellites are also attributed to the satellites passing through this region. The strong radiation in this region is also believed to be the cause of the phosphenes (a kind of sparks or "shooting stars" that appear in the field of vision) reported by astronauts.
Link: Devices freeze and astronauts have strange sensations: what is the "space Bermuda Triangle" that produces these odd phenomena?
  10. Yes, there isn't much you can do about it. The Desktop version is "safe" too. Here are a few details: https://rstforums.com/forum/85016-windows-7-security-features.rst
A few thoughts:
- on Desktop there are hardly any limits on what a program can do (although it wouldn't be a bad idea to implement something like that)
- on Desktop you have much more flexibility in developing applications, from exe to bat files and X programming languages
- if we consider the "Desktop" version not "safe", then Linux isn't "safe" either, because just like on Windows, a malicious application is very easy to make, from executables to "rm -rf"s
Windows Phone came later, but it had time to learn and not make the same mistakes as Android and iOS.
  11. How to hack a Windows Phone
In today’s how-to we will be discussing how to hack a Windows Phone 8. Every hacker should know about the internals of a device and operating system before he could attempt to compromise it. So let's try to understand the underlying hardware and OS security before we try to break it. To begin, we will try to compromise the hardware so that we can gain access to the hardware and then exploit the OS and ultimately take control of it or at least steal data from it.
Windows Phone employs UEFI Firmware Hardware at the very low level. In addition to that, every hardware which runs Windows Phone 8 OS has to be certified by Microsoft. Now when we say certified, it also means that all the hardware has to be signed and the chips will be burned with the keys from Microsoft. The “Trusted Boot Chain” component will make sure that all the signatures are in place and that they are valid before and during the process. Every program written in the silicon chip has to be signed, including the BIOS, drivers etc. On top of these, Windows Phone 8 devices will also come with a TPM chip, which means your encrypted data is as good as on your Windows 7 & 8 PC.
(Image: UEFI Windows Phone)
Let's see what options we have to break the security of the device.

Hardware
Now that we know all the components / programs are verified for the signature by the “Trusted Boot Chain”, why don’t we try to spoof the boot chain program itself with our own? If we are able to do that then we could easily make the device load our own components instead of the Windows Phone OS, exploiting it completely naked. Though at first look it appears to be a very good idea, unfortunately all the hardware chips which can’t or can be overwritten come with something called an efuse. The moment you try to write something in these chips without a valid signature, which will be there only with Microsoft and the device manufacturer, the efuse will trip. Once the efuse trips, the boot loader will not be able to boot up your device. Congratulations! Now you have a phone which is officially no better than a brick. For a moment even if we assume that you somehow fooled the efuse, the device still won’t boot up just because you don’t have a valid key.

Operating System
Windows NT kernel it is. The Redmond guys have made sure that it's sturdy enough. Windows NT kernel along with “Code Signing” makes a killer shield that you will not be able to penetrate. If you think you can get control of the kernel using some code, wait till you read the “Malicious Code” section. For now let's think about the Windows Phone updates. Windows Phone does do regular updates just like your PC, so what if we can trick the Windows Phone into installing my program? Unfortunately the Windows Phone is programmed to get the updates only from the Microsoft update servers and no other place. Still it's no big deal, because I can always trick my network to believe some malicious hardware / software is the update server. Sadly, the update will again need to pass the code signing process. You can never break through it unless you are hacking into the Microsoft update server; definitely not a great plan.

Storage
How about the internal storage itself? Why don’t we break the phone, take out the internal storage and maybe at least try to steal the data? But wait, the storage again uses a 128 bit Bitlocker for encryption. The drive remains encrypted until the boot loader performs the job completely. The TPM chip which comes with the hardware is the one which manages the key for the encryption, which means that once the disk is outside the hardware, you will need the 128 bit recovery key to break into the data. The storage behaves the same way as your bitlocked hard drive behaves. Brute force opening an encryption is a very well known procedure to break encryption, however it's impossible when it comes to a 128 bit encryption. So to understand the quantum of complexity, let's assume that you have 10 million computers where every computer can process 100 billion keys per second (higher than 100GHz) and if you put them all together to crack the key, it will take 10^13 years to find the key, which is longer than the age of the universe itself. If you are thinking of trying the PIN instead, you can always configure your phone to automatically wipe after a number of incorrect tries. Some people try to snoop the data from the disk after it is wiped because it is easier that way since it won't have any encryption constraints. Luckily for the user, Windows Phone never decrypts the data; it wipes the encrypted data along with the key. You can be pretty sure that not even the NSA can retrieve them.

Malicious Code
We have now almost come to the last and the most favorite resort of a hacker. Most of the hackers disassemble the system instructions and try to inject or alter the commands in the memory location. However the app model which Windows Phone functions on is always a sandbox, which means the app will have its own area where it can execute, store data and perform actions. Windows Phone, with the advantage of Code Signing, will sign the apps based on the feature set they are allowed to access. E.g. if a program does not have a valid signature to access the Camera, it won’t be able to. This is true for any feature or hardware access in the device. So even for a moment if we assume that you are able to try writing something into the system memory location of the phone, the “Code Signing” will invalidate the program and unload it immediately. Starting from the phone to your protected mail message, everything is safe in Windows Phone 8.
More information on the security of Windows Phone can be found at http://www.windowsphone.com/en-US/business/security-us
This how-to is written based on Windows Phone 8. Actual functionality might differ from device to device. Some features may not be available with pre-Windows Phone 8.
Source: how to hack a windows phone | how to windows phone
  12. It's just a collection of anti-debug methods. If it's used in a project, the person doing the reverse engineering has to get around all of those methods to be able to reverse engineer in peace.
  13. This is a blog by Szymon Sidor. Its original purpose was to present nontrivial Computer Science and Mathematical problems in an accessible way, but it evolved and now diverse topics are covered.
Thursday, May 22, 2014
Exploring limits of covert data collection on Android: apps can take photos with your phone without you knowing.
SHORT VERSION: Android apps can take photos with your phone in the background without displaying any notification, and you won't see the app on the list of installed applications. The app can send the photos over the internet to their private server. You can also find a video with a demo in this post.

Introduction
I discovered this almost by accident while doing a team project for a Computer and Network Security course at my university. The project, suggested by a colleague of mine (Predrag Gruevski), was mostly about using cameras on PCs without turning on the indicator light. There were already promising findings in this field (the iSeeYou paper discussed doing so on old Mac models). Since the project was relatively general, each member of our team took a different approach. I initially started with low-level USB hacking, but despite genuine efforts I found nothing really interesting. Further experiments seemed really boring to me, because they in general involved trying various different cameras and hours of staring at the LED light hoping the camera light won't blink. I switched my focus to Android. Initial research was promising. There are many apps on the Play Store (if you are an iPhone user, think App Store) that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more) but from what I found all of them require the app activity to be visible and the phone screen to be on. Some of them manage to record video without visible preview.

Technical Details
What I wanted is to take pictures without the user knowing, but at any time, not only when the app is on. I started googling and the first thing that I found is that using the Camera technically requires a preview to be displayed on screen in order to take video, but background services do not have an associated visible activity. But let's not get discouraged and keep trying. I wrote a small camera app for my Nexus 5. My first approach was to create a View object that is not attached to any activity and feed the preview to that object. That fails (I literally get a "take picture failed" exception). Then I remembered something that later turned out to be very relevant. Facebook messages draw to the UI, even when the app is not technically running. This turned out to be indeed the right track. I attached the preview to the screen from the background service and indeed I was able to take a photo! This is not yet ideal - the preview is visible on the screen; the user can clearly see that something is going on. But then I tried to remove it. Here's a list of approaches:
- Make preview invisible - failed: Android just ignores this setting for preview
- Make preview transparent - failed: Android just ignores this setting for preview
- Cover preview by another view - partially failed: the view on top is still obstructing the screen
- Make preview 1x1 pixel - successful
The result was amazing and scary at the same time - the pixel is virtually impossible to spot on the Nexus 5 screen (even when you know where to look)! Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.

Demo
If you cannot see this video, here's a direct link:

How can you protect yourself from malicious apps?
If you are as disturbed by this find as I am, you will start asking what we can do to avoid such situations. The bad news is that it's kind of a cat and mouse game - no matter how hard you try, attackers can find more ways to obfuscate malicious activity. The good news is there are some ways that seem (at least given my current knowledge) hard to circumvent:
- Pay attention to permissions (for example, does Simple Notepad* really need access to your camera?)
- Keep your Google Account secure - if somebody can access your Google account they can install apps on your phone remotely without you approving it! Set up two step verification. Change your password from time to time. Set up a secure password.
- Uninstall unused apps. High battery consumption (settings -> battery) and high bandwidth (settings -> data usage) are potential culprits.
- Look at the background services that are running (settings -> apps -> running) - does Simple Notepad* really require a background service?
- Swiping an app out of the application list does not switch off background services (if you want to completely switch it off, go to App Info (long press the app icon inside the menu and drag it to the app info section) and click force stop - this ensures no background services are running).
*Simple Notepad is a made up example - I am not referring to any app in particular.

(hopefully constructive) criticism of Android design decisions
Let me start with the fact that I really like the Android SDK (maybe except the fact that it's Java - but I understand the logic behind that decision). It's nice because it gives a developer a lot of power. There are just some things that are possible on Android that simply would not be possible on other platforms. However, given the fact that privacy is recently more and more of a growing concern, it would be nice to adjust accordingly. In my opinion privacy can be achieved by transparency without sacrificing comfort. I could imagine use cases where I want an app to take photos from a background service. But I think it's inexcusable that the user is not notified about this fact. Android has a very nice notification bar. Users are very used to it. Why not make use of it here? Same goes for sound recording, location recording etc. Another thing I think the Android team should look into is modern security research. There's lots of ways of using data without direct access. A very simple example would be that you can send emails to users without learning their email address - with Google acting as an intermediary. All of those suggestions can be summarized in one sentence - please put more effort into ensuring users' privacy.
Szymon Sidor at 1:48 AM
  14. Pwners
  15. Bypassing SSL Pinning on Android via Reverse Engineering
Denis Andzakovic – Security-Assessment.com
15 May 2014
Table of Contents:
Introduction
Tools Used
The Victim
The Approach
Reversing
  Retrieving and Disassembling the APK
  Patching
    Patch at class instantiation
    Patch the Class
    Hijacking the Keystore
  Repacking and Running
Tricks
  Information in Stack Traces
  Decompiling into Java Code
References
Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/33430.pdf
  16. Linux x86 Reverse Engineering: Shellcode Disassembling and XOR decryption
Harsh N. Daftary, Sr. Security Researcher at CSPF, Security Consultant at Trunkoz Technologies, info@securityLabs.in
Abstract: Most Windows as well as Linux based programs contain bugs or security holes and/or errors. These bugs or errors in a program can be exploited in order to crash the program or make the system do unwanted stuff. A code which crashes the given program is called an exploit. Exploits usually attack a program on Memory Corruption, Segmentation Dump, format string, Buffer overflow or something else. Now the exploit's work is just to attack the bug, but there is another piece of code attached to the exploit, called Shellcode, whose debugging and analysis we will understand in this paper.
Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/33429.pdf
  17. SpiderFoot 2.1.4 released
From: Steve Micallef <steve () binarypool com>
Date: Mon, 28 Apr 2014 10:34:40 +0200
Hi all,
SpiderFoot 2.1.4 is now available, and will be the last enhancement release on the 2.1 branch as I focus on 2.2. SpiderFoot is an open source footprinting and intelligence gathering tool, written in Python, and runs on Linux, *BSD and Windows. Since 2.1.0 was announced here in January, the following enhancements have been implemented:
- Integration with: SHODAN, VirusTotal, AlienVault IP Reputation DB, projecthoneypot.org, nothink.org, autoshun.org, isc.sans.edu, openbl.org, SORBS and a bunch more...
- PasteBin searching
- Zone-H.org defacement look-up
- TOR exit node check
- Whole bunch of DNS-based functionality
- Extracts meta data from PDF, DOCX, PPTX and XLSX files
- Identifies human names in content
- Finds associated Facebook, Google+ and LinkedIn profiles
- SOCKS proxy support
- Real-time scan status UI
- Bug fixes and smaller miscellaneous enhancements
Website: SpiderFoot - The Open Source Footprinting tool
GitHub: https://github.com/smicallef/spiderfoot
Twitter: https://twitter.com/binarypool
Feel free to mail me any questions, enhancement requests or general feedback.
Thanks,
Steve
Source: Penetration Testing: SpiderFoot 2.1.4 released
  18. From: rage <ragesploit () 0xrage com>
Date: Wed, 21 May 2014 23:13:20 -0400
I've written and released a packer/crypter called rcrypt that might be fun for some of you to play around with. The latest public version is 1.4, although there is a functional 1.5 non-public version currently in progress. The general summary is as follows: rcrypt is a Windows PE binary crypter (a type of packer) that makes use of timelock techniques to cause a delay in execution. This delay can cause analysis to fail on time constrained systems such as on disk scanners. rcrypt can pack exes and dll files. It bypasses KAV and many others. I'm always interested in feedback and suggestions/criticisms. There are many other features and functions as well!
Released on my site: rcrypt v1.4 released | 0xrage
Writeup also available: rcrypt packer writeup | 0xrage
enjoy!
- rage
Source: Full Disclosure: rcrypt packer/crypter writeup and POC tool
  19. From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Wed, 21 May 2014 11:57:31 -0700
Apparently I'm being lured into pointless discussions today, so here's another. As I'm sure everyone is aware, Microsoft introduced basic NULL page mitigations for Windows 8 (both x86 and x64), and even backported the mitigation to Vista+ (on x64 only). There are some weaknesses, but this is a topic for another time.
Interestingly, on Windows 8 x86, there is an intentional exception: if an Administrator has installed the 16bit subsystem the mitigation is worthless because you can run your exploit in the context of NTVDM (simply use the technique I documented in CVE-2010-0232 Windows NT - User Mode to Ring 0 Escalation Vulnerability). An Administrator can do this either on-demand by running a 16bit program, e.g.
    C:\> debug
Or using fondue to install it manually:
    C:\> fondue /enable-feature:ntvdm /hide-ux:all
Let's look at an example of a NULL dereference. It's obvious from the code that win32k!GreSetPaletteEntries doesn't validate the MDCOBJA call succeeds in the HDC list traversal, resulting in a very clean NULL dereference.
    .text:001EAF49 lea     esi, [ebp+var_2C]                   ; out pointer
    .text:001EAF4C call    ??0MDCOBJA@@QAE@PAUHDC__@@@Z         ; MDCOBJA::MDCOBJA(HDC__ *)
    .text:001EAF51 push    1
    .text:001EAF53 mov     edx, edi
    .text:001EAF55 call    _GreGetObjectOwner@8                 ; GreGetObjectOwner(x,x)
    .text:001EAF5A mov     esi, eax
    .text:001EAF5C call    ds:__imp__PsGetCurrentProcessId@0    ; PsGetCurrentProcessId()
    .text:001EAF62 and     eax, 0FFFFFFFCh
    .text:001EAF65 cmp     esi, eax
    .text:001EAF67 jnz     short loc_1EAFBA
    .text:001EAF69 and     [ebp+ms_exc.registration.TryLevel], 0
    .text:001EAF6D mov     eax, [ebp+var_2C]                   ; load pointer
    .text:001EAF70 mov     ecx, [eax+38h]                      ; NULL dereference
    .text:001EAF73 mov     eax, [ecx+4]
Callers like GreIsRendering, GreSetDCOrg, GreGetBounds, etc, etc check correctly for comparison. This better code is from win32k!GreSetDCOrg:
    .text:00213DA2 lea     esi, [ebp+var_C]                    ; out pointer
    .text:00213DA5 xor     ebx, ebx
    .text:00213DA7 call    ??0MDCOBJA@@QAE@PAUHDC__@@@Z         ; MDCOBJA::MDCOBJA(HDC__ *)
    .text:00213DAC mov     edi, [ebp+var_C]                    ; load result
    .text:00213DAF test    edi, edi                            ; check for NULL
    .text:00213DB1 jz      short loc_213E15                    ; error
This bug can be triggered with typical resource exhaustion patterns (see my exploit for CVE-2013-3660 for reference: Windows NT - Windows 8 EPATHOBJ Local Ring 0 Exploit). However, I have also stumbled onto a Windows 8 specific technique that does not require resource exhaustion, using the (undocumented) Xferable object flag. See the attached code (the testcase is Windows 8+ on x86 specific, although the bug affects other versions and platforms).
This seems exploitable on 32bit systems prior to Windows 8, but on Windows 8 it's only exploitable (ignoring mitigation failures) with NTVDM configured. It's my understanding that Microsoft no longer consider this a supported configuration, and are only interested in fixing NULL page mitigation bypasses. I'm not convinced this is a reasonable stance, what do other people think?
Tavis.
P.S. I think linux introduced its mmap_min_addr mitigation to stable around 2007? Seven years lag, I guess that's the power of the SDL ;-)
--
taviso () cmpxchg8b com | pgp encrypted mail preferred
Attachment: SetPalette.c
Source: Full Disclosure: NULL page mitigations on Windows 8 x86
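The defect class in the two listings, as an added C model that is not part of Tavis's post, of win32k or of the attached SetPalette.c: a lock/lookup step that can fail (return NULL) even for a handle whose ownership check still passes, with the unchecked caller next to the checked one. The handle table, the "in transfer" flag standing in for the failure case, and every name here are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a kernel handle table. Slot layout, the
 * in_transfer flag and all names are this example's own, not win32k's. */
typedef struct {
    uint32_t owner_pid;   /* 0 means the slot is free */
    int      in_transfer; /* object temporarily unavailable to lock */
    int      payload;
} object_t;

#define TABLE_SIZE 4
static object_t g_table[TABLE_SIZE] = {
    { 1000, 0, 11 },  /* handle 0: owned by pid 1000, lockable */
    { 1000, 1, 22 },  /* handle 1: owned by pid 1000, but in transfer */
    {    0, 0,  0 },  /* handle 2: free slot */
    { 2000, 0, 44 },  /* handle 3: owned by another process */
};

/* Owner of a handle (0 for free or out-of-range), mirroring the
 * GreGetObjectOwner step in the listing. */
uint32_t object_owner(uint32_t handle)
{
    return handle < TABLE_SIZE ? g_table[handle].owner_pid : 0;
}

/* Lock/lookup step, mirroring the MDCOBJA constructor: it can fail
 * (return NULL) even for a handle the caller legitimately owns. */
object_t *lock_object(uint32_t handle)
{
    if (handle >= TABLE_SIZE) return NULL;
    if (g_table[handle].owner_pid == 0 || g_table[handle].in_transfer) return NULL;
    return &g_table[handle];
}

/* Vulnerable shape (as in GreSetPaletteEntries): the owner check passes
 * for handle 1, but the lock result is never tested, so the final line
 * dereferences NULL. Kept only to contrast with the checked form. */
int get_payload_unchecked(uint32_t handle, uint32_t caller_pid)
{
    object_t *obj = lock_object(handle);
    if (object_owner(handle) != caller_pid) return -1;
    return obj->payload;             /* NULL dereference when the lock failed */
}

/* Checked shape (as in GreSetDCOrg): test the lock result before anything else. */
int get_payload_checked(uint32_t handle, uint32_t caller_pid)
{
    object_t *obj = lock_object(handle);
    if (obj == NULL) return -2;      /* lock failed: fail closed */
    if (object_owner(handle) != caller_pid) return -1;
    return obj->payload;
}

int main(void)
{
    uint32_t me = 1000;
    printf("handle 0 (ours):         %d\n", get_payload_checked(0, me)); /* 11 */
    printf("handle 1 (in transfer):  %d\n", get_payload_checked(1, me)); /* -2 */
    printf("handle 2 (free):         %d\n", get_payload_checked(2, me)); /* -2 */
    printf("handle 3 (not ours):     %d\n", get_payload_checked(3, me)); /* -1 */
    printf("handle 9 (out of range): %d\n", get_payload_checked(9, me)); /* -2 */
    /* get_payload_unchecked(1, me) would crash here, so it is not called. */
    return 0;
}
```

The ownership comparison alone is not a substitute for testing the lookup result: in the model, handle 1 passes the owner check and still yields NULL from the lock step, which is exactly the window the checked caller closes by failing before any field is read.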
  20. Manual Unpacking of UPX using OllyDbg

Introduction

In this tutorial, you will learn how to unpack any UPX packed executable file using OllyDbg. UPX is a free, portable, executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression.

Here we will do live debugging using OllyDbg to fully unpack and produce the original executable file from the packed file.

Packing EXE using UPX

To start with, we need to pack a sample EXE file with UPX. First you need to download the latest UPX packer from the UPX website and then use the following command to pack your sample EXE file.

upx -9 c:\sample.exe

If you already have a UPX packed binary file then proceed further. In such a case make sure to use PEiD or 'RDG Packer Detector' to confirm that it is packed with UPX, as shown in the screenshot below.

UPX Unpacking Process

Before we begin with the unpacking exercise, let's try to understand the working of UPX. When you pack any executable with UPX, all existing sections (text, data, rsrc etc) are compressed. Each of these sections is named UPX0, UPX1 etc. Then it adds a new code section at the end of the file which will actually decompress all the packed sections at execution time. Here is what happens during the execution of a UPX packed EXE file:

- Execution starts from the new OEP (from the newly added code section at the end of the file)
- First it saves the current register state using the PUSHAD instruction
- All the packed sections are unpacked in memory
- The import table of the original executable file is resolved
- The original register state is restored using the POPAD instruction
- Finally it jumps to the original entry point to begin the actual execution

Manual Unpacking of UPX

Here are the standard steps involved in any unpacking operation:

- Debug the EXE to find the real OEP (Original Entry Point)
- At the OEP, dump the fully unpacked program to disk
- Fix the import table

Based on the type and complexity of the packer, the unpacking operation may vary in terms of time and difficulty. UPX is the basic packer and serves as a great example for anyone who wants to learn unpacking. Here we will use OllyDbg to debug & unpack the UPX packed EXE file. Although you can use any debugger, OllyDbg is one of the best ring 3 debuggers for reverse engineering with its useful plugins. Here is a screenshot of OllyDbg in action.

Let's start the unpacking operation:

- Load the UPX packed EXE file into OllyDbg.
- Start tracing the EXE until you encounter a PUSHAD instruction. Usually this is the first instruction, or it will be present after the first few instructions depending on the UPX version.
- When you reach the PUSHAD instruction, put a hardware breakpoint (type 'hr esp-4' at the command bar) so as to stop at the POPAD instruction. This will help us stop the execution when the POPAD instruction is executed later on. The other way is to manually search for the POPAD (opcode 61) instruction and then set a breakpoint on it.
- Once you have set up the breakpoint, continue the execution (press F9). Shortly, it will break on the instruction immediately after POPAD, or on the POPAD instruction itself, depending on the method you have chosen.
- Now start step by step tracing with F7 and soon you will encounter a JMP instruction which will take us to the actual OEP in the original program.
- When you reach the OEP, dump the whole program using the OllyDmp plugin (use default settings). It will automatically fix the import table as well.

That is it, you have just unpacked UPX !!!

Fixing Import Table

In the current example, the OllyDmp plugin will take care of fixing the import table. However for most packers, we need to use an advanced tool called ImpRec (Import Reconstructor). ImpREC is a highly advanced tool used for fixing the import table. It provides multiple methods to trace the API functions as well as allowing custom plugins to be written.

For interested users, here are simple instructions on how to fix the import table using ImpRec:

- When you are at the OEP of the program, just dump the memory image of the binary file using OllyDmp WITHOUT asking it to fix the import table.
- Now launch the ImpREC tool and select the process that you are currently debugging.
- Then in ImpREC, enter the actual OEP (enter only the RVA, not a complete address).
- Next click on the 'IAT Autosearch' button to automatically search for the import table.
- Now click on 'Get Imports' to retrieve all the imported functions. You will see all the import functions listed under their respective DLL names.
- If you find any import function which is invalid (marked as VALID: NO) then remove it by right clicking on it and then, from the popup menu, clicking on 'Delete Thunks'.
- Once all the import functions are identified, click on the "Fix Dump" button in ImpREC and then select the previously dumped file from OllyDbg.
- Now run the final fixed executable to see if everything is alright.

For advanced packers, you may have to use different methods in ImpRec and sometimes you need to write your own custom plugin to resolve the import table functions. For more interesting details refer to our PESpin ImpRec plugin.

Video Demonstration

This video demonstration uses a slightly different way to put a hardware breakpoint than described in the article. It also uses ImpREC to fix the import table, which is useful while unpacking advanced packers. Here are the steps shown in the video:

- Load your EXE in OllyDbg
- Step over (shortcut F8) the PUSHAD instruction
- Next go to ESP (right click and follow in the Dump window)
- Put a hardware read breakpoint (access) on the first dword at ESP. (This is similar to 'hr esp-4' at the PUSHAD instruction as described earlier)
- Now run the EXE until we hit the breakpoint (shortcut F9)
- It will break right after the POPAD instruction. You will see a JMP instruction a few lines below the current instruction. Put a breakpoint on the JMP
- Run the EXE again until it stops at the JMP instruction (shortcut F9)
- Step over the JMP (shortcut F8)
- Now we are at the OEP. Here just dump the process using OllyDump without fixing the import table.
- Here we will use ImpREC to fix the import table as mentioned in the 'Fixing Import Table' section.
- Finally, after fixing the import table, run the new unpacked EXE to make sure it is perfect!

References

UPX: Ultimate Packer for Executables.
OllyDbg: Popular Ring 3 Debugger.
ImpREC: Import Table Reconstruction Tool
PESpin Plugin for ImpREC
RDG Packer Detector
PEiD Packer Detector

Source: Manual Unpacking of UPX Packed Binary File - www.SecurityXploded.com
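The final step of the procedure above (PUSHAD at the packed entry point, POPAD once decompression is done, then the JMP to the original entry point) can be mirrored as a byte-level heuristic for triage before opening the debugger. This is an added example, not code from the tutorial or from UPX; the stub bytes, the stub address and the rel32 window are constructed assumptions.

```python
"""Heuristic locator for the UPX tail: PUSHAD ... POPAD ; JMP <OEP>.
Added example, not from the article; all sample bytes are constructed."""
import struct
from typing import Optional

PUSHAD, POPAD, JMP_REL32 = 0x60, 0x61, 0xE9


def find_oep(stub: bytes, stub_va: int, window: int = 32) -> Optional[int]:
    """Return the virtual address targeted by the JMP that follows POPAD.

    Assumptions (not from the article): a 32-bit UPX-style stub that begins
    with PUSHAD, and a final jump encoded as E9 rel32 within `window` bytes
    after POPAD. Bytes are scanned, not disassembled, so a hit is a candidate
    to confirm at the breakpoint, exactly as the manual procedure does.
    """
    if not stub or stub[0] != PUSHAD:
        return None                      # not the pattern the tutorial describes
    popad_off = stub.find(bytes([POPAD]), 1)
    while popad_off != -1:
        last = min(len(stub) - 5, popad_off + window)   # room for a 5-byte JMP
        for off in range(popad_off + 1, last + 1):
            if stub[off] == JMP_REL32:
                rel = struct.unpack_from("<i", stub, off + 1)[0]
                # rel32 is relative to the address of the instruction after the JMP
                return (stub_va + off + 5 + rel) & 0xFFFFFFFF
        popad_off = stub.find(bytes([POPAD]), popad_off + 1)
    return None


SAMPLE_STUB_VA = 0x0040A000   # constructed: where the UPX1 stub would be mapped


def build_sample_stub(oep: int) -> bytes:
    """Constructed stand-in for the tail of a UPX stub mapped at SAMPLE_STUB_VA."""
    body = bytes([PUSHAD]) + b"\x90" * 3            # pushad; (decompression omitted)
    body += bytes([POPAD])                           # popad: registers restored
    body += b"\x8d\xa4\x24\x80\xff\xff\xff"          # lea esp, [esp-0x80]
    jmp_off = len(body)
    rel = oep - (SAMPLE_STUB_VA + jmp_off + 5)       # displacement from end of JMP
    return body + bytes([JMP_REL32]) + struct.pack("<i", rel)


if __name__ == "__main__":
    stub = build_sample_stub(0x00401000)
    print(hex(find_oep(stub, SAMPLE_STUB_VA)))       # 0x401000
```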
  21. Discovering Oracle Accounts With Nmap

If we are conducting an infrastructure penetration test and we have discovered an Oracle database during the information gathering stage, then we can use Nmap to perform some checks that will help us to potentially obtain the accounts that exist on the database. These checks can be executed with two scripts that Nmap contains in its scripting engine. Specifically, the scripts that we will need to use are the following:

- oracle-sid-brute
- oracle-brute

Oracle databases run on port 1521, so in most cases we can identify them just by checking if this port is open on our target host. The next step is to use the script oracle-sid-brute, which will try to brute force common Oracle SIDs. The next image shows the use of this script, which has successfully identified that the SID is XE.

Brute Forcing Oracle SIDs – Nmap

Now that we know the SID of the Oracle database we can use the oracle-brute script to discover the valid accounts by specifying the SID name.

Discovering Oracle Accounts

Conclusion

With these two scripts we can perform security audits against an Oracle database with Nmap. However, the drawback, as the above image indicates, is that we can lock the accounts, as the script doesn't have a check on the number of tries that it will execute in order to prevent account lockout. On the other hand, it is a very fast approach for detecting Oracle accounts through Nmap during information gathering.

Source: Discovering Oracle Accounts With Nmap | Penetration Testing Lab
  22. SQL Injection Authentication Bypass With Burp

Burp is a tool that can be used in every web application penetration test to perform a variety of activities and to automate tasks. As a penetration tester you might want to test some things automatically and effectively, because this will reduce the amount of time that you will spend on specific checks and it will give you more time to focus on the tricky parts of your assessment. One of the checks that you must do in a web application that contains a login form is to examine whether or not this form is vulnerable to SQL injection and, if it is, to try to bypass it and to login as administrator.

In order to bypass authentication in a form that is vulnerable to SQL injection we will need to understand how the query has been constructed and to append to this query the appropriate parameters. If we want to do a fast test before starting to exploit this manually we can use Burp Intruder and a cheat sheet that has been created for this purpose. Burp Intruder will send HTTP requests by passing each parameter from this list to a specific position in the request. This method is going to be examined in this article, and for the demonstration we will use mutillidae as the target application, which contains this vulnerability.

The first thing that we have to do in this situation is of course to discover if the login form is vulnerable. We can simply insert a single ' in the username field and then we must watch for the response. If the application returns an error like the one in the image below then it is likely to be vulnerable.

SQL Injection Error

Then we must capture the HTTP request with Burp Proxy and we should send this to Intruder. In the Intruder there are two things that we need to check. The first is the attack type and the second is the payload position. For the attack type the choice must be sniper, because in this mode Burp Intruder will take a single input from a list that we will provide later and it will send this input to the position that we specify in the HTTP request (one input at a time). For the position we choose the field that is vulnerable (in this case the username).

Burp Intruder – Attack Type and Position

The next thing to do is to set the payloads. As the payload type for this attack a simple list will be used. So in the payload options we have to load our .txt list.

Burp Intruder – Setting up the payloads

Now the attack is ready to be launched. Burp Intruder will start passing these parameters from the list to the payload position and from the payload position to the web application as an HTTP request. When this process finishes the successful payloads will have a different status code, as can be seen in the next image.

SQL Injection Bypass Authentication – Burp payloads

Now we can go back to the application and use one of the successful payloads in order to bypass the authentication and to login with admin privileges to the application.

Bypass Authentication by passing the correct payload

Conclusion

This was a simple tutorial that showed the major capabilities of Burp against web applications, as we managed to log into the application as admin. The cheat sheet about SQL injection authentication bypass that we used in this article has been developed by Dr. Emin İslam Tatlı and all the credits go to him. If you want to use the list or to expand it you can find it here.

Source: SQL Injection Authentication Bypass With Burp | Penetration Testing Lab
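The post tests the login form from the outside; the query shape that makes such a form fail the single-quote probe, beside the parameterised form that passes it, is shown here as an added example (not code from the post or from mutillidae). The users table and its two rows are constructed in memory for the demo.

```python
"""Login query built by string concatenation beside the parameterised form.
Added example, not from the article; the users table is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed rows. A real application compares a salted password hash,
    # not cleartext; that is left out here to keep the query shape visible.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "secret"), ("bob", "hunter2")])
    return conn


CONN = make_db()


def vulnerable_login(username: str, password: str):
    """Splices user input into the WHERE clause: the injectable pattern."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = CONN.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(username: str, password: str):
    """Same query with bound parameters: input is data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = CONN.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe_error(login) -> bool:
    """The article's first check: a lone quote in the username field.
    True when the backend answers with a SQL error, the signal that
    the form is worth testing further."""
    try:
        login("'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    # One entry of the kind the cheat sheet holds: comments out the password check.
    PAYLOAD = "' OR '1'='1' -- "
    print("quote probe, vulnerable:", probe_error(vulnerable_login))   # True
    print("quote probe, safe:      ", probe_error(safe_login))         # False
    print("vulnerable login:", vulnerable_login(PAYLOAD, "anything"))  # admin
    print("safe login:      ", safe_login(PAYLOAD, "anything"))        # None
```

The first probe result is the same signal the Intruder run looks for at scale: a status or response that differs from the normal failed-login page.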
  23. Defeating Driver Signing Enforcement, Not That Much Hard!

November 4, 2012

These days everybody talks about Driver Signing Enforcement, and the ways we can bypass it. J00ru talked about the hard way, and I tell you about the easy and very long known way. What we need is just a signed vulnerable x64 driver. As we know, loading drivers requires administrator privilege, but these days a normal user with the default UAC setting can silently achieve Admin privilege without popping up a UAC dialog. The driver I was talking about is DCR from DriveCrypt. The x64 version is signed and is vulnerable to a write4 bug. The latest version is not vulnerable anymore but this version still has a valid signature and that's enough. I think it's obvious that you can make the whole process of escalating privilege from normal user to Admin for loading the vulnerable driver (silently with one of the UAC bypass methods) and exploitation programmatically automatic. You can find the vulnerable version of the driver along with the exploit at "DriveCrypt\x64\Release".

Source: Defeating Driver Singing Enforcement, Not That Much Hard! | REP RET
  24. Troopers 14 - Easy Ways To Bypass Anti-Virus Systems - Attila Marosi

Description: All IT security professionals know that antivirus systems can be avoided. But few of them know that it is very easy to do. (If it is easy to do, its impact is huge!) In this presentation I will, on the spot, fully bypass several antivirus systems using basic techniques! I will bypass: signature detection, emulation/virtualization, sandboxing, firewalls. How much time (development) is needed for this result? Not more than 15 hours without a cent of investment! If I could do this, anyone can do this… so I think we have to focus on this problem. Using these easy techniques I can create a 'dropper' that can deliver any kind of Metasploit (or anything else) shellcode, bypass several well-known antivirus products in real life and fully bypass VirusTotal.com detection with a detection rate of 0. In my presentation I use 6 virtual machines and 9 real-time demos. As a result the audience always has big fun and a surprise when they see the most well-known systems fail, and the challenges which the AVs cannot solve are ridiculously simple and old. So the IT professionals might think too much of the systems which they rely on and which cost so much.

Bypassed AntiVirus Systems: F-Secure, AVG, NOD32 6 and 7, !avast, Kaspersky, Trend Micro, McAfee…

Educational value of the topic:

- We look at how the virus writers develop their code.
- We will develop a puzzle which may distract the AV virtualization engine to avoid detection.
- We will develop code to encrypt/decrypt our malicious shellcode.
- We will look at which built-in Windows functions help the attacker to inject malicious code into a victim process and we try it. (We will use iexplorer.exe to bypass the firewall.)
- We will look at what solutions are often used to avoid the sandbox.
- Learn the difference between metamorphic and polymorphic code.
- I wrote a python script which can create a metamorphic version from a byte code. We will test it in real time and it will be possible to see that it is a real challenge for the AVs.

BIO: Attila Marosi has been working in the information security field ever since he started working. As a lieutenant on active duty he worked for years on special information security tasks occurring within the SSNS. Recently he was transferred to the just established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. He has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he also gives lectures and does some teaching on different levels; on top of them for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC and Ethical Hacking.

For More Information please visit: https://www.troopers.de

Source: Troopers 14 - Easy Ways To Bypass Anti-Virus Systems - Attila Marosi
  25. How To Crack A WPA/WPA2 Wireless Network

Description: In this video I will show you how to crack a WPA/WPA2 wireless network. We will need Kali Linux and a compatible wireless card that supports injection and promiscuous mode. For more information on promiscuous mode check out: Promiscuous mode - Wikipedia, the free encyclopedia

Recommended wireless card is an Alfa Network AWUS036H.

Getting started, we need to put our wireless card into monitor mode. To do that let's open a Terminal and type in:

airmon-ng start wlan0

Next we need to find the network we wanna get the password for. First we need to capture the 4-way handshake! Let's open a new Terminal and this time let's type in:

airodump-ng mon0

Hopefully we should start to see networks showing up. Find the network you wanna crack, hold CTRL+C to stop airodump-ng.

Alright, so assuming you found the network you're going to wanna crack, we need to get the 4-way handshake now! In the Terminal we need to type in:

airodump-ng -c 1 --bssid 88:F7:C7:3A:D9:72 -w test mon0

Change 88:F7:C7:3A:D9:72 to the target network you're trying to crack. Press enter and we should now be watching just that network! To get the handshake we must deauthenticate a device or client already connected! If nothing shows up under STATION then we must wait till a wireless device shows up under there, otherwise we can't get the handshake. Basically a waiting game till a wireless device is connected! Assuming you see a device listed under STATION we can then send a deauthentication using aireplay-ng. Let's open a new Terminal and type in:

aireplay-ng -0 1 -a 88:F7:C7:3A:D9:72 -c D8:50:E6:84:6C:74 mon0

Change 88:F7:C7:3A:D9:72 to the BSSID of the target network, change D8:50:E6:84:6C:74 to the victim's MAC address under STATION.

Once we get the handshake it's time to give cracking it a try! First you're going to need a wordlist, so happy hunting! There are tons of them out there, some might work, some might not! In this video I have added my own password to a wordlist to make this an ethical video. Got your wordlist? Let's move on to the next step! CRACKING! Open a Terminal and type in:

aircrack-ng -w /path/to/wordlist/list.txt test-01.cap

Assuming you didn't try using the same name (ex: test) more than once, you should see a bunch of things in /root/ called test-01.cap, test-02.cap etc... Press enter and happy cracking, good luck, likely you have a better chance of getting hit by lightning on a nice day than getting the password. I recommend you try some online WPA cracking services for a better outcome. Some sites like https://www.cloudcracker.com/ charge $17 USD to try and crack it for you!

Be sure to check out Matthew H Knight – Internet Security Professional

Source: How To Crack A Wpa/Wpa2 Wireless Network