Nytro

Din cate stiu eu, din cazul unui prieten, nu a mai platit abonamentul si nu a avut probleme cu justitia/bancile sau mai stiu eu ce, doar ca cei din familia sa, TOTI, nu mai aveau dreptul sa isi faca abonament la compania respectiva. Cred ca Vodafone era.

Factura nu e obligatorie. O sa iti zica "aduci cand mai treci pe aici". Zici ca nu ai la tine si gata. Nu am inteles exact ce vrei sa zici. "numai" sau "nu mai"? Si de ce sa te dea in judecata?

Ce ar putea sa se posteze in acea categorie? E prea "mic" domeniul in legatura cu securitatea IT.

[h=1]Security Summer School[/h] From „Voodoo“ to „You Do“ via hex and fun. Proudly brought to you by ACS, Ixia and Hexcellents. [h=2]Period[/h] 23rd of June - 10th of August 2014 [h=2]Links[/h] Wiki Facebook page Google Plus page E-mail contact address [h=2]Summary[/h] The first edition of a new Security Summer School focused on Practical Software Exploitation will take place between June 23rd and August 10th 2014, at the Faculty of Automatic Control and Computers, University POLITEHNICA of Bucharest. Students will be go through an in-depth tour of what it means to discover, successfully exploit and patch a software vulnerability and develop the necessary skills and insights needed to embark on such an endeavor. Activities will take place during two intensive training sessions per week as well as two Capture the Flag (CTF) contests that will be held mid-term and at the end of the summer school. The final CTF contest will be the highlight of the summer school and students will able to showcase the skills they have learned and be awarded prizes offered by Ixia. [h=2]Application[/h] We welcome students to apply via Stagii pe Bune. Choose „Security Summer School“ under the „Summer Schools“ heading, for the company „Facultatea de Automatica si Calculatoare, UPB“. Apart from filling out your CV, we want to see your h4x0r sk111z by solving set of three challenges. Please download the challenge tasks, go through the README and then submit your solution on this Google form; you may edit your submission if you forget something during the first try. The deadline for submitting your answers is Sunday, May 25th. After May 25th we will organize a set of interviews to decide who will take place in the Security Summer School. [h=3]Requirements[/h] We expect good programming skills and a fair knowledge of C programming language. Python and shell scripting skills are welcome. More than anything we expect a proactive attitude, a love for challenges and „tinkering“ and the interest in security and hacking. [h=2]Location & Schedule[/h] The Security Summer School will take place in Faculty of Automatic Control and Computers, University POLITEHNICA of Bucharest, room EG106 (Ixia lab), first floor, EG wing. Activities will take place twice a week: Monday, 4pm-8pm Thursday, 9am-1pm Each session will be highly practical: a presentation of a set of basic concepts on slides follow by hands-on activities (tutorials and tasks). The 9th-10th of August week-end is reserved for the final CTF contest and awards ceremony. [h=2]Syllabus[/h] Introduction into the World of Security 23rd of June: crash course CTF, OS (pmap, strace, ltrace, file descriptors, lsof, ldd), Linux dinamic analysis 26th of June: assembly intro: registers, mnemonics, the stack, gdb (step instruction/read-only) Binary Formats 30th of June: writing assembly, executable code analysis (IDA) 3rd of July: from ELF to a process, PLT, PIC ? gdb / IDA [*] Vulnerability Assessment 7th of July: overwrite data in GDB, overflow of allkinds: function pointers, vtable, local variables, format string, use after free 10th of July: CTF Demo (4 challenge tasks) [*] Vulnerability Discovery 14th of July: stateless fuzzing (on files), fuzzer + gdb 17th of July: stateful fuzzing (on protocol) [*] Weaponizing the vulnerability 21st of July: shellcode + stack, NUL terminator, call trampoline 24th of July: DEP, ASLR [*] Weaponizing the vulnerability II 28th of July: information leak, canary value, format strings 31st of July: ROP, remote + socket reuse [*] Preventing vulnerabilities in your own code + Windows 4th of August: secure programming techniques (sanitizing, system()) 7th of August: Windows: shell code exploit on windows (Immunity, WinDbg) [h=2]Team[/h] Adrian ?endroiu Dan Gioga Drago? Com?neci Radu Caragea R?zvan Crainea R?zvan Deaconescu Silviu Popescu Tudor Azoi?ei [h=3]Supporting members[/h] Irina Pre?a Lucian Cojocar Vlad Dumitrescu In case of any inquiries please send us an e-mail. Sursa: Security Summer School [Wiki-ul Departamentului de Calculatoare]

Ma pis pe Ucraina. Dar totul pana la Rep. Moldova sau Romania.

Ar trebui sa fim indeajuns de civilizati incat sa nu inceapa un razboi, mai ales ca la armele nucleare din ziua de azi nu e nevoie de mare lucru ca sa "dispara" cateva tari. Eu imi fac ceva griji, pentru Romania si Republica Moldova, in privinta rusilor pentru ca sunt capabili de multe lucruri.

https://www.youtube.com/watch?feature=player_embedded&v=NJmi_QCbYGU + http://site.oasteafiara.net/2012/01/ce-ar-fi-daca-ati-recunoaste-ca.html

Fara a face vreo referire la conflictul ruso-ucrainian, cred ca si Romania se apropie de un conflict cu Rusia. Incet, incet. Rogozin: România a închis spa?iul aerian pentru avionul meu. Autorit??ile române nu comenteaz? informa?ia: Rogozin: România a închis spa?iul aerian pentru avionul meu. Autorit??ile române nu comenteaz? informa?ia | adevarul.ro Suntem in NATO, SUA ar trebui sa ne ia apararea, dar tare sunt curios daca vor face asta. Daca "ataca" Republica Moldova, ar trebui sa luam in considerare un conflict. Desi Ucraina si Republica Moldova sunt "pe jumatate" rusi (nici chiar asa), eu ma gandesc ca relatia noastra cu Rusia nu va fi tocmai una de prietenie. As fi curios, daca avem membri din Republica Moldova, care locuiesc acolo, sa ne spuna care este situatia.

Sa salvati si voi undeva discutiile. De pe HY nu vorbeste nimeni? PS: Probabil ar fi fost mai interesant pe TeamSpeak.

[h=1]An Experiment In Performing Remote Calls on x64[/h] Posted on May 4, 2014 by admin Recently I was trying to do something more than just executing code in the context of a remote process: I wanted to call a function remotely, including supplying arguments, and have the program continue execution afterwards. What I will present in this post is what I have quickly come up with to achieve the task. There certainly are edge cases (discussed at the end) where the code will run into issues, but the general logic of it is Suspend all threads in the target process. This is achieved in the code with a call to the NtSuspendProcess native API. Allocate space in the process that will contain the x64 assembly code which will set up the parameters and stack to perform the call. Save all registers that will be used in performing the call. The example code does not save flags, but a full implementation will want to do that as well. Write in the parameters following the Windows x64 ABI (first four parameters in RCX, RDX, R8, and R9) respectively, with the rest on the stack. The caller will have to know and supply the stack offset to the other parameters. Set up the trampoline to perform the call. Resume the process via NtResumeProcess and let the call happen. Save the result of the call and continue execution. Articol: An Experiment In Performing Remote Calls on x64 | RCE Endeavors

Mic? antologie a patriotismului am?rât Andrei Ple?u Am publicat ?i cu alte prilejuri textele de mai jos. Simt nevoia s? le reamintesc cititorilor, într-un moment în care trîmbi?ele unui patriotism rudimentar, l?ut?resc, ?îfnos, au reaprins spiritele. Patriotismul a ajuns s? fie un amestec indigest de vorbe l?cr?moase ?i încrunt?turi de grot?. Pentru campionii lui, patria nu trebuie „ajutat?” decît cu lingu?eli ?i jocuri de bicep?i. Ideea c? o po?i iubi cu disperare, întristat de relele care o desfigureaz? (?i care, nu odat?, vin din noi în?ine) e prea subtil? pentru l?tr?torii de parad?, convin?i c? a te gudura servil în poala ??ri?oarei e modul optim de a o sluji, cînd, de fapt, e un soi de r?zgîi mai curînd dezonorant. În general, profesioni?tii retoricii patriotarde sunt, mai curînd, oameni f?r? identitate, incapabili de ispr?vi cu adev?rat ziditoare ?i, tocmai de aceea, dornici s? se salveze identificîndu-se cu str?mo?i mai f?lo?i. Gigi luat în sine nu e nimic. Dar Gigi ca „urma?” al lui ?tefan cel Mare, sau ca veri?or al lui Brâncu?i începe s? cread? c? exist?… Citeste mai mult: adev.ro/n53au0

[h=1]Reverse DOM XSS[/h] by Pedro Laguna on May 4, 2014 I came recently with an idea about how to exploit a DOM XSS vulnerability that it might be worth sharing here so others can use this trick, adapt it and defeat some poor filters with a little of JavaScript and some creativity. During an engagement I found a piece of code similar to this one: <a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id=[INJECTION]&category=CARS');"> The code behind goToWebsite was something like this: function goToWebsite(e, param, base) { window.location = base + param + "=" + actionURL.value; } It’s a very clear example of DOM XSS where we can control the flow of the page using the window.location element. But why it wasn’t a reflected XSS? Well, they have some filters in place. Double quotes ( ‘”‘ ), brackets ( ‘<’ and ‘>’ ) and even semicolon ( ‘;’ ) where filtered so we couldn’t escape from the injection point, having to dig deeper into the goToWebsite function to find our way into executing arbitrary JavaScript. Lucky for us we were still allowed to use some characters that were necessary for this trick, like parenthesis ( ‘(‘ and ‘)’ ), quotes ( ”’ ) and dots ( ‘.’ ). For a DOM XSS attack we need to modify the address where the window.location is going to navigate and make it go to javascript: URL handler. But, in this case we couldn’t write directly as the injection is happening in the middle of a string, which contains some reference to a relative URL: “/ShowInfo.php?id=“ How do we overcome this problem? Well, we cannot escape from the function call but as we can insert quotes and parenthesis we can modify the string that is received by the goToWebsite function like this: <a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id='.split('').reverse().join('').concat('&category=CARS');"> These function (split, reverse and join) will reverse the string ‘/ShowInfo.php?id=‘ to be ‘=di?php.ofnIwohS/‘. And we are using concat to make the code valid and as it’s at the end of the result string we don’t care about modifying it. So now we need to insert our payload, the classic alert(1): <a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id=//)1(trela:tpircsavaj'.split('').reverse().join('').concat('&category=CARS');"> Now, if we execute that code, the resulting string will be: javascript:alert(1)//=di?php.ofnIwohS/&category=CARS Perfe… wait! What’s this? Code is not being executed! We have managed to insert our javascript payload at the beginning of the string passed to window.location but the code is not being executed. A closer look at the generated code on the page revealed the mystery: %2f%2f)1(trela%3Atpircsavaj'.split('').reverse().join('').concat(' Key characters as slash ( ‘/’ ) and colon ( ‘:’ ) were encoded, so our code wasn’t able to executed. Time to think how to bypass the encoding of these characters. JavaScript has the ability to replace a character inside a string like: replace(‘old’, ‘new’) so I thought I could use String.fromCharCode to bypass the character limitations and make my code execute, replacing ‘/’ and ‘:’ by two other characters that are not URLEncoded like ‘~’ and ‘+’ but it was a problem: comma character was also URL encoded so I couldn’t use the replace function. Time for the second trick! Apparently, in JavaScript, you can split a string by a character and then use another character to join the strings together, like this: 'abc-def'.split('-').join('!') After being executed this will render abc!def The best part? We are not using any forbidden characters! Just again our old friends quotes and parenthesis. If we put everything together we have something like this in order to exploit this DOM XSS bug: ~~)1(trela+tpircsavaj'.split('').reverse().join('').split('~').join(String.fromCharCode(47)).split('+').join(String.fromCharCode(58))).concat(' That way I was able to execute JavaScript code in this particular scenario without using any forbidden char. I am pretty sure you will not find yourself in this exact situation in the future but hopefully you can use these two little tricks someday! Sursa: Reverse DOM XSS | Pentura Labs's Blog

New Flash Player 0-day (CVE-2014-0515) used in watering-hole attacks Vyacheslav Zakorzhevsky Kaspersky Lab Expert In mid-April we detected two new SWF exploits. After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a 0-day vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing. We received a sample of the first exploit on April 14, while a sample of the second came on April 16. The first exploit was initially recorded by KSN on April 9, when it was detected by a generic heuristic signature. There were numerous subsequent detections on April 14 and 16. In other words, we succeeded in detecting a previously unknown threat using heuristics. According to KSN data, these exploits were stored as movie.swf and include.swf at an infected site. The only difference between the two pieces of malware is their shellcodes. It should be noted that the second exploit (include.swf) wasn't detected using the same heuristic signature as the first, because it contained a unique shellcode. Each exploit comes as an unpacked flash video file. The Action Script code inside was neither obfuscated nor encrypted. As is usually the case with this kind of exploit, the first stage is a heap spray - preparing the dynamic memory for exploitation of the vulnerability. The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used. A fragment of the vulnerable Pixel Bender code (the data in the red box is changed according to system version) Fragment of the decompiled exploit code Next comes the actual exploitation of the vulnerability, namely modification of one of the indices in the table of methods/virtual functions. Interestingly, both exploits have two shellcodes. The first is similar in both applications; it is quite short and prepares the memory for the successful functioningof the second shellcode. A fragment of the first shellcode debugged in WinDBG Firstly, the current memory is marked as read, write and execute with the API function VirtualProtect, and then additional memory is allocated using VirtualAlloc. The second shellcode is copied to this memory and control is transferred to it. The initialization of API functions and transfer of the control to the second shellcode appear in red boxes in the screenshot above. The exploits' second shellcodes differ significantly. The exploit that we detected first has a standard shellcode (movie.swf). It performs a search of system libraries in the memory, and then downloads and runs the payload. Unfortunately, the link turned out to be inactive at the time of our research. Fragment of the movie.swf exploit's second shellcode responsible for the download and launch of the payload In the other exploit - include.swf - the second shellcode was unusual. It receives the base DLL address for flash10p.ocx, searching it for specific fragments and interacts with the ciscompeaddin5x0 - Cisco MeetingPlace Express Add-In version 5x0. This add-in is used by web-conference participants to view documents and images from presenter's screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system. Fragment of the include.swf exploit's second shellcode It appears that part of the information for the exploit include.swf is passed on from outside. According to KSN data, the referer to include.swf points to another SWF file: stream.swf. At the same time, the referer of the first exploit - movie.swf - points to index.php located in the same folder as the exploit (see below). We couldn't establish the exact payload of the exploit include.swf due to a lack of data relayed from the landing page and/or other exploits. We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer. Both the exploits detected by us spread from a site located at ???? ??????? ???????? ??????. The site was launched back in 2011 by the Syrian Ministry of Justice and was designed as an online form for citizens to complain about law and order violations. We believe the attack was designed to target Syrian dissidents complaining about the government. The site was hacked in September 2013, something the alleged hacker announced on his twitter account. The link to these exploits is as follows: http://jpic.gov.sy/css/images/_css/***********. When we entered the site, the installed malware payloads were already missing from the "_css" folder. We presume the criminals created a folder whose name doesn't look out of place on an administration resource, and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site. To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox. It's likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this. Moreover, while the first exploit is pretty standard and can infect practically any unprotected computer, the second exploit (include.swf) only functions properly on computers where Adobe Flash Player 10 ActiveX and Cisco MeetingPlace Express Add-In are installed. The Flash Player Pixel Bender component, which Adobe no longer supports, was used as the attack vector. The authors were counting on the developers not finding a vulnerability in that component and that the exploit would remain active for longer. All this suggests that the attackers were not targeting users en masse. We detect such exploits by AEP technology as PDM:Exploit.Win32.Generic and by heuristics as HEUR:Exploit.SWF.CVE-2014-0515.gen. Sursa: https://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks

[h=3]Windows Heap Overflow Exploitation[/h]Hi , In this article I will be talking about exploiting a custom heap : which is a big chunk of memory allocated by the usermode application using VirtualAlloc for example . The application will then work on managing 'heap' block allocations and frees (in the allocated chunk) in a custom way with complete ignorance of the Windows's heap manager. This method gives the software much more control over its custom heap, but it can result in security flaws if the manager doesn't do it's job properly , we'll see that in detail later. To see an implementation of a custom heap manager in C/C++ please refer to my previous blog post : Reverse Engineering 0x4 Fun: Creating and using your own 'heap' manager Heap Manager Source code : [C++] Custom Heap Manager - Pastebin.com The vulnerability that we'll exploit together today is a 'heap' overflow vulnerability that's occuring in a custom heap built by the application. The vulnerable software is : ZipItFast 3.0 and we'll be exploiting it today and gaining code execution under Windows 7 . ASLR , DEP , SafeSEH aren't enabled by default in the application which makes it even more reliable to us . Even though , there's still some painful surprises waiting for us ... Let's just start : The Exploit : I've actually got the POC from exploit-db , you can check it right here : http://www.exploit-db.com/exploits/17512/ Oh , and there's also a full exploit here : http://www.exploit-db.com/exploits/19776/ Unfortunately , you won't learn much from the full exploitation since it will work only on Windows XP SP1. Why ? simply because it's using a technique that consists on overwriting the vectored exception handler node that exists in a static address under windows XP SP1. Briefly , all you have to do is find a pointer to your shellcode (buffer) in the stack. Then take the stack address which points to your pointer and after that substract 0x8 from that address and then perform the overwrite. When an exception is raised , the vectored exception handlers will be dispatched before any handler from the SEH chain, and your shellcode will be called using a CALL DWORD PTR DS: [ESI + 0x8] (ESI = stack pointer to the pointer to your buffer - 0x8). You can google the _VECTORED_EXCEPTION_NODE and check its elements. And why wouldn't this work under later versions of Windows ? Simply because Microsoft got aware of the use of this technique and now EncodePointer is used to encode the pointer to the handler whenever a new handler is created by the application, and then DecodePointer is called to decode the pointer before the handler is invoked. Okay, let's start building our exploit now from scratch. The POC creates a ZIP file with the largest possible file name , let's try it : N.B : If you want to do some tests , execute the software from command line as follows : Cmd :> C:\blabla\ZipItFast\ZipItFast.exe C:\blabla\exploit.zip Then click on the Test button under the program. Let's try executing the POC now : An access violation happens at 0x00401C76 trying to access an invalid pointer (0x41414141) in our case. Let's see the registers : Basically the FreeList used in this software is a circular doubly linked lists similar to Windows's . The circular doubly linked list head is in the .bss section at address 0x00560478 and its flink and blink pointers are pointing to the head (self pointers) when the custom heap manager is initialized by the software. I also didn't check the full implementation of the FreeList and the free/allocate operations in this software to see if they're similar to Windows's (bitmap , block coalescing ...etc). It's crucial also to know that in our case , the block is being unlinked from the FreeList because the manager had a 'request' to allocate a new block , and it was chosen as best block for the allocation. Let's get back to analysing the crash : - First I would like to mention that we'll be calling the pointer to the Freelist Entry struct : "entry". Registers State at 0x00401C76 : EAX = entry->Flink EDX = entry->Blink [EAX] = entry->Flink->Flink [EAX+4] = entry->Flink->Blink (Next Block's Previous block) [EDX] = entry->Blink->Flink [EDX+4] = entry->Blink->Blink (Previous Block's Next block) Logically speaking : Next Block's Previous Block and Previous Block's Next Block are nothing but the current block. So the 2 instructions that do the block unlinking from the FreeList just : - Set the previous freelist entry's flink to the block entry's flink. - Set the next freelist entry's blink to the block entry's blink. By doing so , the block doesn't belong to the freelist anymore and the function simply returns after that. So it'll be easy to guess what's happening here , the software allocates a static 'heap' block to store the name of the file and it would have best to allocate the block based on the filename length from the ZIP header (this could be a fix for the bug , but heap overflows might be found elsewhere , I'll propose a better method to fix ,but not fully, this bug later in this article). Now , we know that we're writing past our heap block and thus overwriting the custom metadata of the next heap block (flink and blink pointers). So, We'll need to find a reliable way to exploit this bug , as the 2 unlinking instructions are the only available to us and we control both EAX and EDX. (if it's not possible in another case you can see if there are other close instructions that might help), you can think of overwriting the return address or the pointer to the structured exception handler as we have a stack that won't be rebased after reboot. This might be a working solution in another case where your buffer is stored in a static memory location. But Under Windows 7 , it's not the case , VirtualAlloc allocates a chunk of memory with a different base in each program run. In addition , even if the address was static , the location of the freed block that we overwrite varies. So in both cases we'll need to find a pointer to our buffer. The best place to look is the stack , remember that the software is trying to unlink (allocate) the block that follows the block where we've written the name , so likely all near pointers in the stack (current and previous stack frame) are poiting to the newly allocated block (pointer to metadata) . That's what we don't want because flink and blink pointers that we might set might not be valid opcodes and might cause exceptions , so all we need to do is try to find a pointer to the first character of the name and then figure out how to use this pointer to gain code execution , this pointer might be in previous stack frames. And here is a pointer pointing to the beginning of our buffer : 3 stack frames away Remember that 0x01FB2464 will certainly be something else when restarting the program , but the pointer 0x0018F554 is always static , even when restarting the machine. So when I was at this stage , I started thinking and thinking about a way that will help me redirect execution to my shellcode which is for sure at the address pointed by 0x0018F554 , and by using only what's available to me : - Controlled registers : EAX and EDX. - Stack pointer to a dynamic buffer pointer. - 2 unlinking instructions. - No stack rebase. Exploiting the vulnerability and gaining code execution: And Then I thought , why wouldn't I corrupt the SEH chain and create a Fake frame ? Because when trying to corrupt an SEH chain there are 3 things that you must know : - SafeSEH and SEHOP are absent. - Have a pointer to an exisiting SEH frame. - Have a pointer to a pointer to the shellcode. The pointer to the shellcode will be treated as the handler,and the value pointed by ((ptr to ptr to shellcode)-0x4) will be treated as the pointer to the next SEH frame. Let's illustrate the act of corrupting the chain : (with a silly illustration , sorry) Let me explain : we need to achieve our goal by using these 2 instructions , right ? : MOV [EDX],EAX MOV [EAX+4], EDX We'll need 2 pointers and we control 2 registers , but which pointer give to which register ? This must not be a random choice because you might overwrite the pointer to the shellcode if you chose EAX as a pointer to your fake SEH frame. So we'll need to do the reverse , but with precaution of overwriting anything critical. In addition we actually don't care about the value of "next SEH frame" of our fake frame. So our main goal is to overwrite the "next SEH frame" pointer of an exisiting frame , to do so we need to have a pointer to our fake frame in one of the 2 registers. As [EAX+4] will overwrite the pointer to the buffer if used as a pointer to the fake SEH frame , we will use EDX instead. We must not also overwrite the original handler pointer because it will be first executed to try to handle the exception , if it fails , then our fake handler (shellcode) will be invoked then. So : EDX = &(pointer to shellcode) - 0x4 = Pointer to Fake "Next SEH frame" element. EDX must reside in the next frame field of the original frame which is : [EAX+4]. And EAX = SEH Frame - 0x4. Original Frame after overwite : Pointer to next SEH : Fake Frame Exception Handler : Valid Handler Fake Frame : Pointer to next SEH : (Original Frame) - 0x4 (we just don't care about this one) Exception Handler : Pointer to shellcode The SEH frame I chose is at : 0x0018F4B4 So : EAX = 0x0018F4B4 - 0x4 = 0x0018F4B0 and EDX =0x0018F554 - 0x4 = 0x0018F550 When the overwrite is done the function will return normally to its caller , and all we have to do now is wait for an exception to occur . An exception will occur after a dozen of instructions as the metadata is badly corrupted. The original handler will be executed but it will fail to handle the access violation and then our fake handler will be called which is the shellcode . Making the exploit work : Now all we need to do is calculate the length between the 1st character of the name and the flink and blink pointers , and then insert our pointers in the POC. Inserting the shellcode : The space between the starting address of the buffer and the heap overwritten metadata is not so large , so it's best to put an unconditional jump at the start of our buffer to jump past the overwritten flink and blink pointers and then put the shellcode just after the pointers. As we can calculate the length , this won't cause any problem. Final exploit here : [Perl] ZipItFast Heap Overflow - Pastebin.com I chose a bind shellcode , which opens a connection to (0.0.0.0:4444). Let's try opening the ZIP file using ZipItFast and then check "netstat -an | find "4444" : Bingo ! A Fix for this vulnerability ?? The method I stated before which consists on allocating the block based on the filename length from the ZIP headers can be valid only to fix the vulnerability in this case , but what if the attackers were also able to cause an overflow elsewhere in the software ? The best way to fix the bug is that : when a block is about to be allocated and it's about to be unlinked from the Freelist the first thing that must be done is checking the validity of the doubly linked list , to do so : safe unlinking must be performed and which was introduced in later versions of Windows. Safe unlinking is done the following way : if ( entry->flink->blink != entry->blink->flink || entry->blink->flink != entry){ //Fail , Freelist corrupted , exit process } else { //Unlink then return the block to the caller } Let's see how safe unlinking is implemented under Windows 7 : The function is that we'll look at is : RtlAllocateHeap exported by ntdll Even if this method looks secure , there is some research published online that provides weaknesses of this technique and how can it be bypassed. I also made sure to implement this technique in my custom heap manager (Line 86) , link above. I hope that you've enjoyed reading this paper . See you again soon , Souhail Hammou. Sursa: Reverse Engineering 0x4 Fun: Windows Heap Overflow Exploitation

[h=1]Let's Write Some X86-64[/h] This a beautiful quote, one that I think truly captures the relationship between higher level languages and the Instruction Set Architecture (ISA)’s machine code, though this is from the angle of controlling the machine with its implementation specific quirks which can detract from what you’re actually trying to do. This blog is meant for those who don’t know x86-64 assembly, but maybe know a little C, and are curious about code generation. Or maybe if you’ve ever tried to hand write x86-64 assembly, and got stuck trying to understand the tooling or seemingly random segfaults from what appears to be valid instructions. Articol: https://nickdesaulniers.github.io/blog/2014/04/18/lets-write-some-x86-64/

[h=2]Volafox Mac OS X Memory Analysis Toolkit[/h]May 4th, 2014 Mourad Ben Lakhoua Volafox is an open source toolkit that you can use for Mac OS X and BSD forensics. The tool is a python based and allows investigating security incidents and finding information for malwares and any malicious program on the system. Security analyst can have the following information using this tool: MAC Kernel version, CPU, and memory specification Mounted filesystems Kernel Extensions listing Process listing Task listing (Finding process hiding) Syscall table (Hooking detection) Mach trap table (Hooking detection) Network socket listing (Hash table) Open files listing by process Show Boot information EFI System Table, EFI Runtime Services Print a hostname Screenshot for volafox (click to enlarge) You can download the tool on the following link: https://code.google.com/p/volafox/ Sursa: Volafox Mac OS X Memory Analysis Toolkit | SecTechno

[h=2]LiME – Linux Memory Extractor[/h]January 19th, 2014 Mourad Ben Lakhoua Mobile platform security tools are increasing and we have more open source tools that allow to conduct forensic analyses on phone devices. if you want to investigate Android operating system you can use LiME. LiME (formerly DMD) allows to investigate file system from memory or over network, this can be used to have a full memory capture to see if there are abnormal process or services that have been used in a previous attack. Working on the system during the analyses is not recommended as this may modify file system so LiME minimizes the interaction between user and kernel space processes during acquisition, which allows it to produce memory dumps that are more forensically sound than those of other tools designed for Linux memory acquisition. To have the memory over TCP tunnel we need to first make the device listen on specified port which we connect from our host. when the host connect to the socket it will automatically start to get the RAM image to the host for analysis. On the host computer, we connect to this port with netcat and redirect output to a file. You can download the tool on the following link: lime-forensics - LiME - Linux Memory Extractor - Google Project Hosting Sursa: LiME – Linux Memory Extractor | SecTechno

[h=2]DSploit Android Toolkit for Security Testing[/h]April 20th, 2014 Mourad Ben Lakhoua dSploit is a very comfortable tool that you can install on Android to run a pentest or network security assessment. The toolkit allows fingerprinting the remote operating systems and identifying different hosts, scans the network for system vulnerabilities and performing MITM to sniff sensitive information such as user’s password. The features included in dSploit are: WiFi Scanning & Common Router Key Cracking Deep Inspection Vulnerability Search Multi Protocol Login Cracker Packet Forging with Wake On Lan Support HTTPS/SSL Support ( SSL Stripping + HTTPS -> Redirection ) MITM Real-time Network Stats MITM Multi Protocol Password Sniffing MITM HTTP/HTTPS Session Hijacking MITM HTTP/HTTPS Hijacked Session File Persistence MITM HTTP/HTTPS Real-time Manipulation MITM module screenshot from dSploit (click to enlarge) The toolkit will help security officer or penetration tester to demonstrate how it is possible to exploit vulnerabilities and take control on targeted systems. The team have officially announced that they have a new nightly builds that you can download over this link: http://update.dsploit.net/nightly

[h=2]Watcher Web passive vulnerability scanner[/h]September 29th, 2013 Mourad Ben Lakhoua Web applications are one of the most targeted systems as they are directly exposed to internet. There is no web server without serious vulnerabilities, it is enough that you open exploit DB where you will find how it is simple to exploit vulnerable CMS or web applications. Hackers are often searching and having those bugs where there is no correct code that may leak some very sensitive information, by the end developers are people and they often conduct some incautious mistakes. Developers mostly looking to have more functionality to increase usability and as you add that functionality you need to add more code which may lead to more vulnerabilities. That’s why you need to conduct penetration testing on periodic bases to detect those bugs. During a pentest you can try Watcher. Watcher is an open source tool that can be a good addition to your penetration testing toolkit. it will passively scan the web applications searching for some serious vulnerabilities in the user input fields. First you start by installing Fiddler a proxy framework to integrate watcher. Next you just open on the browser the website you need to verify where you can find important information by severity if high, medium or low. Online reference for the security issue and how to fix the bug, you can also export the results to an html or xml report. screenshot for Watsher (click to enlarge) Watcher is developed using C# and contain more then 30 checks to perform the vulnerability assessment against your target. this will be as part from your evaluation project and it is extremely fast to find the security issues. You can download the latest release on the following link: Watcher: Web security testing tool and passive vulnerability scanner - Home Sursa: Watcher Web passive vulnerability scanner | SecTechno

[h=2]Weevely 1.1 – PHP Webshell[/h]June 16th, 2013 Mourad Ben Lakhoua Weevely – is a PHP webshell that provides SSH connection to manage website remotely. it can be used as a backdoor system to PoC during a pentest or a web shell to manage legit web accounts. The shell consists of more then 30 modules to automate both administrative and post-operational tasks including: Execute commands and browse remote filesystem, even with PHP security restriction Audit common server misconfigurations Run SQL console pivoting on target machine Proxy your HTTP traffic through target Mount target filesystem to local mount point Simple file transfer from and to target Spawn reverse and direct TCP shells Bruteforce SQL accounts through target system Run port scans from target machine. First of all penetration tester needs to generate the php backdoor file with password of connection. Next upload the weevely.php file to the webserver that is generated by the tool, weevely will automatically detects the best way to execute the commands on targeted system. Weevely communications are hidden in HTTP Cookies and is obfuscated to bypass NIDS signature detection. if you are using Backtrack you can find the tool already integrated under /pentest/web/backdoors/. it is also possible to find it on BackBox. To download and use Weevely make sure to follow this link. Sursa: Weevely 1.1 – PHP Webshell | SecTechno

[h=2]HookME 0.2 – API Spying Tool[/h]April 28th, 2013 Mourad Ben Lakhoua Hooking API calls on operating system allows to intercept useful information, new release of HookMe have been issued to add more stability to the application , a way to choose what API functions to hook and some fixes to the program. HookMe provides a nice graphic user interface allowing you to change the packet content in real time, dropping or forwarding the packet. It also has a python system plugin to extend the HookMe functionality. HookME application interface (click to enlarge) the tool can be a perfectly used in penetration testing for analyzing and modifying network protocols, creating some type of malwares or backdoors for PoC embebed into network protocols. hooking the API calls for sending and receiving network data (even SSL clear data). or to investigate any rootkit that is hooking API calls. You can download the latest version of HookMe over this link: https://code.google.com/p/hookme/ Sursa: HookME 0.2 – API Spying Tool | SecTechno

[h=2]Fino Android Security Assessment Tool[/h]February 2nd, 2014 Mourad Ben Lakhoua Security assessment tools have several ways for conducting the technical analyses. Fino is another program that you can use to run dynamic analyses for Android based application. The tool allows injecting services in the application for controlling and monitoring the change. The android application we want to verify will be running in emulator that is called gadget or what we call usually a sandbox and dynamically verify all changes on the system. Next it is possible to run python scripts to get or modify the services. You may get all target activities by running “activities =app.find(‘android.app.Activity’)“ the idea of monitoring services with the injection can make you monitor the application from inside and you will have details about the android application with more accurate results. Fino design in the slide deck the full pdf file over here: http://events.ccc.de/congress/2012/Fahrplan/attachments/2237_SmallFootprintInspectionAndroid-slides.pdf You can download Fino on the following link: https://github.com/sysdream/fino Sursa: Fino Android Security Assessment Tool | SecTechno

[h=2]Fuzzware 1.5- Fuzzing Tool[/h]March 2nd, 2014 Mourad Ben Lakhoua Fuzzing is a process that is used during a penetration testing to find out if the application is vulnerable, the process come by sending incorrect data to the targeted application in order to cause a failure or an error situation that security analyst will use as a PoC in their report. Fuzzware is a generic fuzzing framework that can be considered for such operation. Fuzzware UI (click to enlarge) Fuzzware allows to make testcases as required: fuzz a file format such as XML file. fuzz network protocol or a network service by sending a predefined network packets. fuzz an interface that you need to test including web services. you can define a custom input that is coming from a code. You can download Fuzzware 1.5 over this link: download Sursa: Fuzzware 1.5- Fuzzing Tool | SecTechno

https://rstforums.com/proiecte/LikePwnerChromeExtension.crx