Everything posted by Nytro
-
History of memory corruption vulnerabilities and exploits

I came across a great paper, "Memory Errors: The Past, the Present, and the Future" by van der Veen et al. The authors cover the history of memory corruption errors as well as exploitation and countermeasures. I think there are a number of interesting conclusions to draw from it.

It seems that the number of flaws in common software is still much too high. Consider what's required to compromise today's most hardened consumer platforms, iOS and Chrome. You need a flaw in the default install that is useful and remotely accessible, a memory disclosure bug, a sandbox bypass (or multiple ones), and often a kernel or other privilege escalation flaw. Given a sufficiently small trusted computing base, it should be impossible to find this confluence of flaws. We clearly have too large a TCB today, since this combination of flaws has been found not once but multiple times in these hardened products. Other products that haven't been hardened require even fewer flaws to compromise, making them more vulnerable even if they have the same rate of bug occurrence.

The paper's conclusion shows that if you want to prevent exploitation, your priority should be preventing stack, heap, and integer overflows (in that order). Stack overflows are by far still the most commonly exploited class of memory corruption flaws, out of proportion to their prevalence.

We're clearly not smart enough as a species to stop creating software bugs. It takes a Dan Bernstein to reason accurately about software in bite-sized chunks such as in qmail. It's important to face this fact and make fundamental changes to process and architecture that will make the next 18 years better than the last.

Download: http://www.isg.rhul.ac.uk/sullivan/pubs/raid-2012.pdf

Source: History of memory corruption vulnerabilities and exploits | root labs rdist
-
I found a "bridge" between Wordpress and vBulletin, but it doesn't work on this version. More precisely, it crashes the whole blog. I'll try to do something "manual" for the comments, but I don't know when. For now we'll leave it like this and see what comes of it.
-
1. 6 (1 + 2 + 3)
2. RSTRSTRSTRST (when b reaches 0)
3. Hello world (a compatibility format for the "old", i.e. ancient, keyboards)
4. You don't have "using namespace std;". Invalid lvalue... ?
5. RST
6. It's 4 in the morning right now! To do a challenge on RST
7. 9 (2 + 3 + 4)
8. exit(0), RST (it no longer compiles, so it prints nothing)
Whatever.
-
Yes, that's the page we'd need, a design for it.
-
Regarding history, there are very few people I know who have been active for at least 5-6 years. While we're at it, does anyone volunteer to make a homepage? We only need the design; I'll take care of the integration.
-
Yes, I thought about that. When I have some free time I'll write a more detailed article; I just hope I'll have the time...
-
Hello,

To complement the forum we have decided to open a blog: https://rstforums.com/blog/

The blog has an informational role only; it will contain administrative announcements, short articles in Romanian and much more.

More information: https://rstforums.com/blog/2013/03/23/blog-ul-rst/

Only staff members will post on the blog. If you have something nice that you think could be posted, get in touch with someone from the staff. If there are problems or if you have suggestions, we gladly await them here.

// RST
-
Don't risk it, there are lots of scammers. I haven't tried and won't try, but those are the losers who copied other people's exploits and claimed they were theirs: injector. If you want exploits it's simple: rent an exploit kit! And let me know if you do that
-
Find out if your phone is tapped by calling 544 from your phone!
Nytro replied to gafi's topic in Cosul de gunoi
When you call another network you hear a "beep" telling you that "you may be charged extra". -
www.youtube.com/watch?v=Z1eX1vEgiRQ
-
Find out if your phone is tapped by calling 544 from your phone!
Nytro replied to gafi's topic in Cosul de gunoi
Info: Call 544 and find out if your phone is tapped: Can Intelligence officers be caught "in the act"? Who authorises their wiretaps -
Windows 8 Outperforming Ubuntu Linux With Intel OpenGL Graphics
Nytro replied to Nytro's topic in Stiri securitate
Yes, I think it was a game, from Steam I believe. I mean, I don't know if it had anything to do with OpenGL; I think it wasn't OpenGL they had optimised but that game... -
"Permanent" link (source code): https://rstforums.com/proiecte/DK_v3.3.zip I will do the same for as many projects as possible.
-
Windows 8 Outperforming Ubuntu Linux With Intel OpenGL Graphics

Published on March 21, 2013
Written by Michael Larabel

In our benchmarks of Microsoft Windows 8, we have found that Intel's Windows OpenGL driver is generally superior to that of their open-source Linux graphics driver. Some progress has been made, but in today's testing of an ASUS Ultrabook bearing an Ivy Bridge processor, Linux has a ways to go for some games in matching the Windows binary performance and features.

Over the years there have been many Windows 7 vs. Linux benchmarks on Phoronix. Having recently picked up an ASUS Ultrabook for benchmarking, some Windows 8 vs. Ubuntu 13.04 development benchmarks were carried out to see the positioning today. An ASUS S56CA-WH31 was the candidate for this testing, which is a $500 Intel Ultrabook sporting an Intel Core i3 3217U CPU, 4GB of DDR3 system memory, 500GB 5400RPM HDD + 24GB Solid-State Drive, and a 15.6-inch display with 1366 x 768 resolution. The ASUS Ultrabook comes pre-loaded with Microsoft Windows 8. The Intel Core i3 3217U processor provides HD 4000 graphics, two physical cores plus Hyper Threading, 1.8GHz clock frequency, 3MB cache, and is rated at a 17 Watt TDP.

All benchmarking in this article between Windows and Linux happened from this ASUS S56CA-WH31 Ultrabook. The stock Intel Windows 8 graphics performance was compared to Ubuntu 13.04 in a variety of cross-platform games using OpenGL where the games are known to have quality/similar ports to Windows and Linux. Benchmarking on both operating systems was handled via the open-source Phoronix Test Suite software in conjunction with OpenBenchmarking.org. The Ubuntu 13.04 development snapshot used was from mid-March and packaged the Linux 3.8 kernel, Unity 6.6.0, xf86-video-intel 2.21.4, X.Org Server 1.13.2, GCC 4.7.2, and Mesa 9.0.2.

For also seeing the very latest state of the Intel OpenGL driver software on Linux, Ubuntu 13.04 was additionally tested when using a Git development snapshot of the Linux 3.9 kernel and then Mesa 9.2-devel Git master from mid-March. This represents the very latest state of the Intel Linux graphics driver. (Ubuntu 13.04 will ship with Mesa 9.1, but that stable release wasn't pulled into the repository at the time of testing and 9.2-devel offers the absolute latest innovations for this open-source driver.)

Previous to this article, my latest Windows 7 test articles were: Intel Linux OpenGL Driver Remains Slower Than Windows, NVIDIA Performance: Windows 7 vs. Ubuntu Linux 12.10, and AMD Radeon Catalyst: Windows 7 vs. Ubuntu 12.04 LTS. This testing is quite straightforward and looks namely at the "out of the box" OpenGL gaming performance between Windows 8 and Ubuntu 13.04 for Intel Ivy Bridge graphics.

Full article: [Phoronix] Windows 8 Outperforming Ubuntu Linux With Intel OpenGL Graphics
-
[C++] Dump wireless passwords
By RAGE

Before I get started I just want to say some things first. This application WILL NOT crack passwords or hack wifi; this program simply displays information on your PC that you can already access. Moving on, this program simply queries Native Wifi for a list of Wireless Network Profiles and then "parses" the resultant XML looking for the network key. To actually retrieve the plain text key you need to be a member of the administrators group and elevate the exe. The binary has an easter egg for bored members with nothing to do.

#ifndef WLAN_PROFILE_GET_PLAINTEXT_KEY
#define WLAN_PROFILE_GET_PLAINTEXT_KEY 4 // Don't have the latest platform SDK on this box
#endif

#pragma comment(lib, "wlanapi.lib")

#include <stdio.h>
#include <windows.h>
#include <wlanapi.h>

// Returns TRUE when the current process token is elevated (UAC "high integrity")
BOOL IsElevated()
{
    DWORD dwSize = 0;
    HANDLE hToken = NULL;
    BOOL bReturn = FALSE;
    TOKEN_ELEVATION tokenInformation;

    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
        return FALSE;

    if(GetTokenInformation(hToken, TokenElevation, &tokenInformation, sizeof(TOKEN_ELEVATION), &dwSize))
    {
        bReturn = (BOOL)tokenInformation.TokenIsElevated;
    }

    CloseHandle(hToken);
    return bReturn;
}

// Native Wifi API version 2 is available from Vista (major version 6) onwards
bool IsVistaOrHigher()
{
    OSVERSIONINFO osVersion;
    ZeroMemory(&osVersion, sizeof(OSVERSIONINFO));
    osVersion.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

    if(!GetVersionEx(&osVersion))
        return false;

    return osVersion.dwMajorVersion >= 6;
}

int main(int argc, char *argv[])
{
    HANDLE hWlan = NULL;
    DWORD dwError = 0;
    DWORD dwSupportedVersion = 0;
    DWORD dwClientVersion = (IsVistaOrHigher() ? 2 : 1);
    // WlanEnumInterfaces and WlanGetProfileList allocate these lists themselves;
    // we only have to free them with WlanFreeMemory afterwards
    WLAN_INTERFACE_INFO_LIST *wlanInterfaceList = NULL;
    WLAN_PROFILE_INFO_LIST *wlanProfileList = NULL;

    if(!IsElevated())
        printf("[!] Running without administrative rights\n");

    try
    {
        // Parenthesise the assignment: "dwError = f() != ERROR_SUCCESS" would
        // store the comparison result in dwError instead of the error code
        if((dwError = WlanOpenHandle(dwClientVersion, NULL, &dwSupportedVersion, &hWlan)) != ERROR_SUCCESS)
            throw "[x] Unable to access wireless interface";

        if((dwError = WlanEnumInterfaces(hWlan, NULL, &wlanInterfaceList)) != ERROR_SUCCESS)
            throw "[x] Unable to enum wireless interfaces";

        if(wlanInterfaceList->dwNumberOfItems == 0) // Almost missed this before posting
            throw "[x] No wireless adapters detected";

        // Profiles are stored per interface, so use the GUID of the first adapter found
        GUID guidInterface = wlanInterfaceList->InterfaceInfo[0].InterfaceGuid;

        if((dwError = WlanGetProfileList(hWlan, &guidInterface, NULL, &wlanProfileList)) != ERROR_SUCCESS)
            throw "[x] Unable to get profile list";

        LPWSTR profileXML = NULL;
        printf("\nNetwork\t\t\t\t\tPassword\n\n");

        for(DWORD i = 0; i < wlanProfileList->dwNumberOfItems; i++)
        {
            DWORD dwFlags = WLAN_PROFILE_GET_PLAINTEXT_KEY, dwAccess = 0;
            wprintf(L"%s", wlanProfileList->ProfileInfo[i].strProfileName);

            // Pad the profile name to a 20-character column (cast keeps the
            // subtraction signed for names longer than 20 characters)
            int j = 20 - (int)wcslen(wlanProfileList->ProfileInfo[i].strProfileName);
            for(int k = 0; k < j; k++)
                printf(" ");

            if(IsElevated())
            {
                if(WlanGetProfile(hWlan, &guidInterface, wlanProfileList->ProfileInfo[i].strProfileName, NULL, &profileXML, &dwFlags, &dwAccess) == ERROR_SUCCESS)
                {
                    // This is really half assed but I'm really hungover
                    // Split the profile XML on angle brackets and print the
                    // text token that follows <keyMaterial>
                    WCHAR *pszStr = wcstok(profileXML, L"<>");
                    while(pszStr)
                    {
                        if(!wcscmp(pszStr, L"keyMaterial"))
                        {
                            pszStr = wcstok(NULL, L"<>");
                            wprintf(L"\t\t\t%s\n", pszStr);
                            break;
                        }
                        pszStr = wcstok(NULL, L"<>");
                    }
                    WlanFreeMemory(profileXML);
                }
                else
                {
                    printf("\n"); // keep one profile per line when the profile cannot be read
                }
            }
            else
            {
                printf("\t\t\tAccess Denied.\n");
            }
        }
    }
    catch(const char *szError)
    {
        printf("%s (0x%X)\nQuitting...\n", szError, dwError);
    }

    if(wlanProfileList) WlanFreeMemory(wlanProfileList);
    if(wlanInterfaceList) WlanFreeMemory(wlanInterfaceList);
    if(hWlan) WlanCloseHandle(hWlan, NULL);

    return dwError;
}

Screenshot:

Enjoy!

Attached Files
wldecrypt.zip 40.62K 1446 downloads

Source: [C++] Dump wireless passwords - rohitab.com - Forums
-
Linux Kernel kvm Multiple Vulns

* CVE-2013-1796

Description of the problem: If the guest sets the GPA of the time_page so that the request to update the time straddles a page, then KVM will write onto an incorrect page. The write is done by using kmap_atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well-behaved guests always provide a 32-byte aligned address; however, a malicious guest could use this to corrupt host kernel memory.

Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=c300aa64ddf57d9c5d9c898a64b36877345dd4a9
References: https://bugzilla.redhat.com/show_bug.cgi?id=917012

* CVE-2013-1797

Description of the problem: There is a potential use-after-free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in movable or removable memory such as frame buffers, then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory.

Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=0b79459b482e85cb7426aa7da683a9f2c97aeae1
References: https://bugzilla.redhat.com/show_bug.cgi?id=917013

* CVE-2013-1798

Description of the problem: If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW, KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory.

Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a2c118bfab8bc6b8bb213abfc35201e441693d55
References: https://bugzilla.redhat.com/show_bug.cgi?id=917017

All three issues were found and reported by Andrew Honig of Google.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=917012
https://bugzilla.redhat.com/show_bug.cgi?id=917013
https://bugzilla.redhat.com/show_bug.cgi?id=917017
http://seclists.org/oss-sec/2013/q1/702

Source: Linux Kernel kvm Multiple Vulns - CXSecurity.com
-
TorProject-Annual-Report

Yes, it's not a tutorial, but it contains some interesting statistics and information...

Download: https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pdf
-
Infiltrate Preview - TrueType Font Fuzzing and Vulnerability

TrueType font files are made up of a number of tables; each table begins on a 4-byte boundary, and the tables that comprise an outline font must be long aligned and padded with zeroes if necessary. Referring to the "TrueType 1.0 Font File Technical Specification" provided by Microsoft, the TrueType font file begins at byte 0 with the Offset Table. The Offset Table is divided into 5 fields:

sfnt version  : 65536 (0x00010000) for version 1.0
numTables     : number of tables
searchRange   : (maximum power of 2 <= numTables) x 16
entrySelector : log2(maximum power of 2 <= numTables)
rangeShift    : numTables x 16 - searchRange

Beginning at byte 12, after the Offset Table, is the Font Table Directory. Entries in the Table Directory must be sorted in ascending order by 'tag' name. Overall, each Font Table Directory entry consists of:

tag      : 4-byte identifier
checkSum : checksum of the table
offset   : beginning offset of the font table entry
length   : length of the table

[Figure: The Structure of True Type Font Directory]

The required tables in the Font Table Directory:

cmap : character to glyph mapping
glyf : glyph data
head : font header
hhea : horizontal header
hmtx : horizontal metrics
loca : index to location
maxp : maximum profile
name : naming table
post : PostScript information
OS/2 : OS/2 and Windows specific metrics

The optional tables in the Font Table Directory:

cvt  : Control Value Table
EBDT : Embedded bitmap data
EBLC : Embedded bitmap location data
EBSC : Embedded bitmap scaling data
fpgm : font program
gasp : grid-fitting and scan conversion procedure
hdmx : horizontal device metrics
kern : kerning
LTSH : Linear threshold table
prep : CVT Program
PCLT : PCL5
VDMX : Vertical Metrics header
vhea : Vertical Metrics

Because of font validation, the dumb fuzzing technique is not recommended for these fields: 'checkSum', 'offset', 'length' and 'Table'. To reduce the number of irrelevant tests, a checksum validation program is used to determine the checksum of the 'head' table.

[Figure: Fix the Checksum value of the "head" Font Table Directory]

During the fuzzing process, the table checksum has to be re-computed. The checksum calculation works on 4-byte boundaries, as shown in the Python program below:

from struct import unpack

def chk(tab):
    # Tables must be zero-padded to a 4-byte boundary before summing; pad here
    # so a table whose length is not a multiple of 4 does not break unpack()
    tab = tab + b"\0" * (-len(tab) % 4)
    total_data = 0
    for i in range(0, len(tab), 4):
        # Each 4-byte group is summed as a big-endian unsigned 32-bit integer
        data = unpack(">I", tab[i:i+4])[0]
        total_data += data
    # Keep only the low 32 bits of the running sum
    final_data = 0xFFFFFFFF & total_data
    return final_data

Our font fuzzer fuzzes the TrueType font file into different sizes, which enables the generation of test cases to determine the size of font that triggers the vulnerability. Each fuzzing process starts with automating the installation of the mutated font on the Windows system. It will then display the font, both by opening the font file via fontview.exe and by displaying the character maps. Lastly, it uninstalls the font and repeats the process if no vulnerability is found.

The windll.gdi32.AddFontResourceExA function is used to automate the installation of the crafted font into the "C:\Windows\Fonts" folder.

htr = windll.gdi32.AddFontResourceExA(FileFont, FR_PRIVATE, None)

Once the fuzzing environment is ready, a LOGFONT object is created to define the attributes of a font.

lf = win32gui.LOGFONT()

Assuming no vulnerability has been found for the font at the size that was called, the windll.gdi32.RemoveFontResourceExW function is called to remove the font from the "C:\Windows\Fonts" folder.

windll.gdi32.RemoveFontResourceExW(fileFont, FR_PRIVATE, None)

Another font size in the configured range is then called and the same process repeats until a vulnerability is found or every font size in the loop has been tried without finding one.

The figure below shows the Blue Screen of Death (BSOD) proof of concept via our font fuzzer. [Editor's note: BOOM! :>]

[Figure: BSOD of Windows 8 Pro]

The details of the fuzzer and findings will be discussed in the talk. Looking forward to seeing you guys at INFILTRATE 2013.

--- Ling Chuan Lee & Lee Yee Chan from F13 Labs

Source: Immunity Products: Infiltrate Preview - TrueType Font Fuzzing and Vulnerability
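As an added worked example (not code from the original post or from F13 Labs), the following Python builds a minimal sfnt 1.0 container from the Offset Table and Table Directory layout described above, parses it back, and re-verifies each table's checksum with the same 4-byte-boundary sum as chk(). It treats every table uniformly and does not model the head table's checkSumAdjustment field; all table contents are constructed dummies.

```python
# Added example (not part of the original post): build a minimal sfnt 1.0
# container from the Offset Table / Table Directory layout described above,
# then parse it back and re-verify every table checksum on 4-byte boundaries.
# Table contents are constructed dummies; no real glyph data is involved.
from struct import pack, unpack

SFNT_VERSION_1_0 = 0x00010000

def calc_checksum(tab):
    """Sum of big-endian uint32 words, zero-padded to a 4-byte boundary, mod 2**32."""
    tab = tab + b"\0" * (-len(tab) % 4)
    total = 0
    for i in range(0, len(tab), 4):
        total += unpack(">I", tab[i:i + 4])[0]
    return total & 0xFFFFFFFF

def offset_table_fields(num_tables):
    """(searchRange, entrySelector, rangeShift) exactly as the spec defines them."""
    if num_tables < 1:
        raise ValueError("a font needs at least one table")
    entry_selector = num_tables.bit_length() - 1     # log2(max power of 2 <= numTables)
    search_range = (1 << entry_selector) * 16        # (max power of 2 <= numTables) x 16
    range_shift = num_tables * 16 - search_range     # numTables x 16 - searchRange
    return search_range, entry_selector, range_shift

def build_font(tables):
    """Serialise {tag: bytes} into Offset Table + sorted directory + padded table data."""
    tags = sorted(tables)                            # directory must be sorted by tag
    n = len(tags)
    header = pack(">IHHHH", SFNT_VERSION_1_0, n, *offset_table_fields(n))
    directory, body = b"", b""
    offset = 12 + 16 * n                             # table data starts after the directory
    for tag in tags:
        data = tables[tag]
        directory += pack(">4sIII", tag, calc_checksum(data), offset, len(data))
        body += data + b"\0" * (-len(data) % 4)      # keep every table long-aligned
        offset += len(data) + (-len(data) % 4)
    return header + directory + body

def parse_font(blob):
    """Parse the container and report tables whose stored checksum does not match."""
    version, n, sr, es, rs = unpack(">IHHHH", blob[:12])
    if version != SFNT_VERSION_1_0:
        raise ValueError("not an sfnt 1.0 TrueType file")
    if (sr, es, rs) != offset_table_fields(n):
        raise ValueError("searchRange/entrySelector/rangeShift disagree with numTables")
    tables, bad = {}, []
    for i in range(n):
        entry = blob[12 + 16 * i:28 + 16 * i]
        tag, chk, off, length = unpack(">4sIII", entry)
        # bounds-check before slicing: a hostile directory entry could point anywhere
        if off % 4 or off + length > len(blob):
            raise ValueError("table %r is misaligned or out of bounds" % tag)
        tables[tag] = blob[off:off + length]
        if calc_checksum(tables[tag]) != chk:
            bad.append(tag)
    return {"num_tables": n, "tables": tables, "bad_checksums": bad}
```

A fuzzer that mutates table bytes would call calc_checksum() on the mutated table and rewrite the directory entry before installing the font, so the mutation reaches the parser instead of being rejected by checksum validation.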
-
I gather the kid is Romanian and the message is aimed at the Hungarians.
-
http://www.youtube.com/watch?v=AJ_I8uKNi2g
-
Publish apps. Get up to $2000* Publish your app(s) in the Windows Store and/or Windows Phone Store from March 8th to June 30th, 2013. Enter up to 10 apps per Store and get a $100 virtual Visa card for each that qualifies (up to $2000*). Now, fill out the form below. You can get a $100 virtual Visa card for every qualified app you enter (up to $2000*). So don't stop with just one app! If you're eligible to receive the offer, we'll notify you by email. Info: Keep The Cash
-
http://www.youtube.com/watch?v=nfMecofhBQk