Everything posted by Nytro

  1. "Permanent" link (source code): https://rstforums.com/proiecte/DK_v3.3.zip I will do the same for as many projects as possible.
  2. [h=1]Windows 8 Outperforming Ubuntu Linux With Intel OpenGL Graphics[/h]
     Published on March 21, 2013. Written by Michael Larabel.

     In our benchmarks of Microsoft Windows 8, we have found that Intel's Windows OpenGL driver is generally superior to that of their open-source Linux graphics driver. Some progress has been made, but in today's testing of an ASUS Ultrabook bearing an Ivy Bridge processor, Linux has a ways to go for some games in matching the Windows binary performance and features.

     Over the years there have been many Windows 7 vs. Linux benchmarks on Phoronix. Having recently picked up an ASUS Ultrabook for benchmarking, some Windows 8 vs. Ubuntu 13.04 development benchmarks were carried out to see the positioning today. An ASUS S56CA-WH31 was the candidate for this testing, which is a $500 Intel Ultrabook sporting an Intel Core i3 3217U CPU, 4GB of DDR3 system memory, 500GB 5400RPM HDD + 24GB Solid-State Drive, and a 15.6-inch display with 1366 x 768 resolution. The ASUS Ultrabook comes pre-loaded with Microsoft Windows 8. The Intel Core i3 3217U processor provides HD 4000 graphics, two physical cores plus Hyper Threading, 1.8GHz clock frequency, 3MB cache, and is rated at a 17 Watt TDP. All benchmarking in this article between Windows and Linux happened from this ASUS S56CA-WH31 Ultrabook.

     The stock Intel Windows 8 graphics performance was compared to Ubuntu 13.04 in a variety of cross-platform games using OpenGL where the games are known to have quality/similar ports to Windows and Linux. Benchmarking on both operating systems was handled via the open-source Phoronix Test Suite software in conjunction with OpenBenchmarking.org. The Ubuntu 13.04 development snapshot used was from mid-March and packaged the Linux 3.8 kernel, Unity 6.6.0, xf86-video-intel 2.21.4, X.Org Server 1.13.2, GCC 4.7.2, and Mesa 9.0.2.

     For also seeing the very latest state of the Intel OpenGL driver software on Linux, Ubuntu 13.04 was additionally tested when using a Git development snapshot of the Linux 3.9 kernel and then Mesa 9.2-devel Git master from mid-March. This represents the very latest state of the Intel Linux graphics driver. (Ubuntu 13.04 will ship with Mesa 9.1, but that stable release wasn't pulled into the repository at the time of testing and 9.2-devel offers the absolute latest innovations for this open-source driver.)

     Previous to this article, my latest Windows 7 test articles were: Intel Linux OpenGL Driver Remains Slower Than Windows, NVIDIA Performance: Windows 7 vs. Ubuntu Linux 12.10, and AMD Radeon Catalyst: Windows 7 vs. Ubuntu 12.04 LTS. This testing is quite straightforward and looks namely at the "out of the box" OpenGL gaming performance between Windows 8 and Ubuntu 13.04 for Intel Ivy Bridge graphics.

     Full article: [Phoronix] Windows 8 Outperforming Ubuntu Linux With Intel OpenGL Graphics
  3. [h=1][C++] Dump wireless passwords[/h]
     By RAGE

     Before I get started I just want to say some things first. This application WILL NOT crack passwords or hack wifi; this program simply displays information on your PC that you can already access. Moving on, this program simply queries Native Wifi for a list of Wireless Network Profiles and then "parses" the resulting XML looking for the network key. To actually retrieve the plain text key you need to be a member of the administrators group and elevate the exe. The binary has an easter egg for bored members with nothing to do.

```cpp
#ifndef WLAN_PROFILE_GET_PLAINTEXT_KEY
#define WLAN_PROFILE_GET_PLAINTEXT_KEY 4 // Don't have the latest platform SDK on this box
#endif

#pragma comment(lib, "wlanapi.lib")

#include <stdio.h>
#include <windows.h>
#include <wlanapi.h>

// TRUE when the current process token is elevated (UAC), which WlanGetProfile
// requires before it will return the key in plain text.
BOOL IsElevated()
{
    DWORD dwSize = 0;
    HANDLE hToken = NULL;
    BOOL bReturn = FALSE;
    TOKEN_ELEVATION tokenInformation;

    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
        return FALSE;

    if(GetTokenInformation(hToken, TokenElevation, &tokenInformation, sizeof(TOKEN_ELEVATION), &dwSize))
    {
        bReturn = (BOOL)tokenInformation.TokenIsElevated;
    }

    CloseHandle(hToken);
    return bReturn;
}

// Vista and later speak Native Wifi client version 2; XP SP2/SP3 speak version 1.
bool IsVistaOrHigher()
{
    OSVERSIONINFO osVersion;
    ZeroMemory(&osVersion, sizeof(OSVERSIONINFO));
    osVersion.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

    if(!GetVersionEx(&osVersion))
        return false;

    return osVersion.dwMajorVersion >= 6;
}

int main(int argc, char *argv[])
{
    HANDLE hWlan = NULL;
    DWORD dwError = 0;
    DWORD dwSupportedVersion = 0;
    DWORD dwClientVersion = (IsVistaOrHigher() ? 2 : 1);
    // Both lists are allocated by WlanEnumInterfaces/WlanGetProfileList themselves
    // and released with WlanFreeMemory (the original pre-allocated them and leaked).
    WLAN_INTERFACE_INFO_LIST *wlanInterfaceList = NULL;
    WLAN_PROFILE_INFO_LIST *wlanProfileList = NULL;

    if(!IsElevated())
        printf("[!] Running without administrative rights\n");

    try
    {
        // Parentheses matter: without them "!= ERROR_SUCCESS" binds before the
        // assignment and dwError only ever holds 0 or 1.
        if((dwError = WlanOpenHandle(dwClientVersion, NULL, &dwSupportedVersion, &hWlan)) != ERROR_SUCCESS)
            throw "[x] Unable to access wireless interface";

        if((dwError = WlanEnumInterfaces(hWlan, NULL, &wlanInterfaceList)) != ERROR_SUCCESS)
            throw "[x] Unable to enum wireless interfaces";

        if(wlanInterfaceList->dwNumberOfItems == 0) // Almost missed this before posting
            throw "[x] No wireless adapters detected";

        // Profiles are stored per adapter, so query with the first adapter's GUID
        // (the original passed an all-zero GUID).
        GUID guidInterface = wlanInterfaceList->InterfaceInfo[0].InterfaceGuid;

        if((dwError = WlanGetProfileList(hWlan, &guidInterface, NULL, &wlanProfileList)) != ERROR_SUCCESS)
            throw "[x] Unable to get profile list";

        LPWSTR profileXML = NULL;
        printf("\nNetwork\t\t\t\t\tPassword\n\n");

        for(DWORD i = 0; i < wlanProfileList->dwNumberOfItems; i++)
        {
            DWORD dwFlags = WLAN_PROFILE_GET_PLAINTEXT_KEY, dwAccess = 0;
            LPCWSTR pszName = wlanProfileList->ProfileInfo[i].strProfileName;

            wprintf(L"%s", pszName);
            // Pad the profile name to 20 columns so the key column lines up.
            int j = 20 - (int)wcslen(pszName);
            for(int k = 0; k < j; k++)
                printf(" ");

            if(IsElevated())
            {
                if(WlanGetProfile(hWlan, &guidInterface, pszName, NULL, &profileXML, &dwFlags, &dwAccess) == ERROR_SUCCESS)
                {
                    // This is really half assed but I'm really hungover: split the
                    // profile XML on '<' and '>' and print the text node that
                    // follows the <keyMaterial> tag.
                    WCHAR *pszContext = NULL;
                    WCHAR *pszStr = wcstok_s(profileXML, L"<>", &pszContext);
                    while(pszStr)
                    {
                        if(!wcscmp(pszStr, L"keyMaterial"))
                        {
                            pszStr = wcstok_s(NULL, L"<>", &pszContext);
                            wprintf(L"\t\t\t%s\n", pszStr);
                            break;
                        }
                        pszStr = wcstok_s(NULL, L"<>", &pszContext);
                    }
                    if(!pszStr) // open network or no <keyMaterial> element
                        printf("\t\t\t(no key in profile)\n");
                    WlanFreeMemory(profileXML);
                }
                else
                {
                    printf("\t\t\t(profile unreadable)\n");
                }
            }
            else
            {
                printf("\t\t\tAccess Denied.\n");
            }
        }
    }
    catch(const char *szError)
    {
        // The original forgot to pass dwError for the 0x%X placeholder.
        printf("%s (0x%lX)\nQuitting...\n", szError, dwError);
    }

    if(wlanProfileList)
        WlanFreeMemory(wlanProfileList);
    if(wlanInterfaceList)
        WlanFreeMemory(wlanInterfaceList);
    if(hWlan)
        WlanCloseHandle(hWlan, NULL);

    return dwError;
}
```

     Screenshot: (image not preserved)
     Enjoy!

     [h=4]Attached Files[/h]
     wldecrypt.zip 40.62K 1446 downloads
     Source: [C++] Dump wireless passwords - rohitab.com - Forums
  4. Linux Kernel kvm Multiple Vulns

     * CVE-2013-1796
       Description of the problem: If the guest sets the GPA of the time_page so that the request to update the time straddles a page, then KVM will write onto an incorrect page. The write is done by using kmap_atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address; however, a malicious guest could use this to corrupt host kernel memory.
       Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=c300aa64ddf57d9c5d9c898a64b36877345dd4a9
       References: https://bugzilla.redhat.com/show_bug.cgi?id=917012

     * CVE-2013-1797
       Description of the problem: There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory.
       Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=0b79459b482e85cb7426aa7da683a9f2c97aeae1
       References: https://bugzilla.redhat.com/show_bug.cgi?id=917013

     * CVE-2013-1798
       Description of the problem: If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW, KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory.
       Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a2c118bfab8bc6b8bb213abfc35201e441693d55
       References: https://bugzilla.redhat.com/show_bug.cgi?id=917017

     All three issues were found and reported by Andrew Honig of Google.

     References:
     https://bugzilla.redhat.com/show_bug.cgi?id=917012
     https://bugzilla.redhat.com/show_bug.cgi?id=917013
     https://bugzilla.redhat.com/show_bug.cgi?id=917017
     http://seclists.org/oss-sec/2013/q1/702

     Source: Linux Kernel kvm Multiple Vulns - CXSecurity.com
  5. TorProject-Annual-Report. Yes, it's not a tutorial, but it contains a few interesting statistics and bits of information... Download: https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pdf
  6. [h=3]Infiltrate Preview - TrueType Font Fuzzing and Vulnerability[/h]
     TrueType font files are made up of a number of tables; each table begins on a 4 byte boundary that comprises an outline font and must be long aligned and padded with zeroes if necessary. Referring to the "TrueType 1.0 Font File Technical Specification", provided by Microsoft, the TrueType font file begins at byte 0 with the Offset Table. The Offset Table is divided into 5 fields:
     * sfnt version : 65536 (0x00010000) for version 1.0
     * numTables : Number of tables
     * searchRange : (Maximum power of 2 <= numTables) x 16
     * entrySelector : Log2(Maximum power of 2 <= numTables)
     * rangeShift : numTables x 16 - searchRange

     Beginning at byte 12, after the Offset Table, is the Font Table Directory. Entries in the Table Directory must be sorted in ascending order by 'tag' name. Overall, each Font Table Directory entry consists of:
     * tag : 4 byte identifier
     * checkSum : checksum of the table
     * offset : Beginning offset of the font table entry
     * length : Length of the table

     [Figure: The Structure of True Type Font Directory]

     The required tables in the Font Table Directory:
     * cmap : character to glyph mapping
     * glyf : glyph data
     * head : font header
     * hhea : horizontal header
     * hmtx : horizontal metrics
     * loca : index to location
     * maxp : maximum profile
     * name : naming table
     * post : PostScript information
     * OS/2 : OS/2 and Windows specific metrics

     The optional tables in the Font Table Directory:
     * cvt : Control Value Table
     * EBDT : Embedded bitmap data
     * EBLC : Embedded bitmap location data
     * EBSC : Embedded bitmap Scaling data
     * fpgm : font program
     * gasp : grid-fitting and scan conversion procedure
     * hdmx : horizontal device metrics
     * kern : kerning
     * LTSH : Linear threshold table
     * prep : CVT Program
     * PCLT : PCL5
     * VDMX : Vertical Metrics header
     * vhea : Vertical Metrics

     Due to font validation purposes, the dumb fuzzing technique is not recommended for these fields: 'checkSum', 'offset', 'length' and 'Table'. To reduce the number of irrelevant tests, a checksum validation program is used to determine the checksum of the 'head' table.

     [Figure: Fix the Checksum value of the "head" Font Table Directory]

     During the fuzzing process, the table checksum has to be recomputed. The checksum calculation implies 4 byte boundaries, as shown in the Python program below:

```python
from struct import unpack

def chk(tab):
    """TrueType table checksum: sum of big-endian uint32 words, truncated to 32 bits."""
    total_data = 0
    # Tables are long aligned: pad with zeroes to a 4 byte boundary before summing,
    # otherwise the last unpack fails on a short slice.
    tab = tab + b"\x00" * ((4 - len(tab) % 4) % 4)
    for i in range(0, len(tab), 4):
        data = unpack(">I", tab[i:i+4])[0]
        total_data += data
    final_data = 0xFFFFFFFF & total_data
    return final_data
```

     Our font fuzzer fuzzes the TrueType font file into different sizes, which enables the generation of the test cases to determine the size of font that triggers the vulnerability. Each fuzzing process starts with automating the installation of the mutated font in the Windows system. It will then display the font, both by opening the font file via fontview.exe and by displaying the character maps. Lastly, it uninstalls the font and repeats the process if no vulnerability is found. The windll.gdi32.AddFontResourceExA function is used to automate the installation of the crafted font into the "C:\Windows\Fonts" folder.

     htr = windll.gdi32.AddFontResourceExA(FileFont, FR_PRIVATE, None)

     Once the fuzzing environment is ready, a LOGFONT object is created to define the attributes of a font.

     lf=win32gui.LOGFONT()

     Assuming no vulnerability has been found at a font with a specified size that has been called, the windll.gdi32.RemoveFontResourceExW function will be called to remove the fonts in the "C:\Windows\Fonts" folder.

     windll.gdi32.RemoveFontResourceExW(fileFont, FR_PRIVATE, None)

     Another size of font in the range that has been set will be called and the same process will repeat until a vulnerability is found or the list of font size elements under a loop function has all been called and no vulnerability is found. The figure below shows the Blue Screen of Death (BSOD) proof of concept via our font fuzzer. [Editor's note: BOOM! :>]

     [Figure: BSOD of Windows 8 Pro]

     The details of the fuzzer and findings will be discussed in the talk. Looking forward to seeing you guys at INFILTRATE 2013.
     --- Ling Chuan Lee & Lee Yee Chan from F13 Labs

     Source: Immunity Products: Infiltrate Preview - TrueType Font Fuzzing and Vulnerability
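     As an added example (not code from the F13 Labs post), here is a Python parser for the Offset Table and Table Directory described above: it checks the fields a font loader should validate before trusting a file (sfnt version, searchRange/entrySelector/rangeShift, tag ordering, 4 byte alignment, per-table checkSum and head.checkSumAdjustment) and recomputes all checksums after a table has been mutated. The two-table font it works on is constructed inline; the spec constants 0x5F0F3CF5 and 0xB1B0AFBA are from the TrueType specification.

```python
"""Offset Table / Table Directory parser, validator and checksum fixer for
TrueType (sfnt 1.0) files. Sample font constructed below; not a real font."""
import struct

SFNT_1_0 = 0x00010000          # sfnt version 1.0 (65536)
HEAD_MAGIC = 0x5F0F3CF5        # head.magicNumber from the spec
WHOLE_FONT_SUM = 0xB1B0AFBA    # checkSumAdjustment makes the whole-file sum equal this

def table_checksum(data: bytes) -> int:
    """Sum of big-endian uint32 words, zero padded to a 4 byte boundary, mod 2**32."""
    padded = data + b"\x00" * ((4 - len(data) % 4) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF

def offset_fields(num_tables: int):
    """searchRange, entrySelector and rangeShift derived from numTables as in the spec."""
    max_pow2 = 1
    while max_pow2 * 2 <= num_tables:
        max_pow2 *= 2
    search_range = max_pow2 * 16
    return search_range, max_pow2.bit_length() - 1, num_tables * 16 - search_range

def build_font(tables: dict) -> bytes:
    """Assemble an sfnt 1.0 file from {tag: bytes}: sorted directory, padded tables."""
    tags = sorted(tables)
    directory, body = b"", b""
    offset = 12 + 16 * len(tags)
    for tag in tags:
        data = tables[tag]
        padded = data + b"\x00" * ((4 - len(data) % 4) % 4)
        directory += struct.pack(">4sIII", tag.encode("ascii"), table_checksum(data), offset, len(data))
        body += padded
        offset += len(padded)
    return struct.pack(">IHHHH", SFNT_1_0, len(tags), *offset_fields(len(tags))) + directory + body

def parse_directory(font: bytes):
    """Return (offset table tuple, {tag: (checkSum, offset, length)} in file order)."""
    header = struct.unpack(">IHHHH", font[:12])
    entries = {}
    for i in range(header[1]):
        tag, chk, off, length = struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i])
        entries[tag.decode("latin-1")] = (chk, off, length)
    return header, entries

def validate(font: bytes) -> list:
    """Checks a loader should make before trusting the directory; returns the problems found."""
    header, entries = parse_directory(font)
    problems = []
    if header[0] != SFNT_1_0:
        problems.append("sfnt version is not 1.0")
    if header[2:] != offset_fields(header[1]):
        problems.append("searchRange/entrySelector/rangeShift do not match numTables")
    if list(entries) != sorted(entries):
        problems.append("table directory is not sorted by tag")
    for tag, (chk, off, length) in entries.items():
        if off % 4 or off + length > len(font):
            problems.append("%s: offset unaligned or table runs past end of file" % tag)
            continue
        data = bytearray(font[off:off + length])
        if tag == "head":
            data[8:12] = b"\x00" * 4      # checkSumAdjustment is excluded from head's own sum
        if table_checksum(bytes(data)) != chk:
            problems.append("%s: checksum mismatch" % tag)
    if "head" in entries and table_checksum(font) != WHOLE_FONT_SUM:
        problems.append("head.checkSumAdjustment does not give whole-font sum 0xB1B0AFBA")
    return problems

def fix_checksums(font: bytes) -> bytes:
    """Recompute every directory checkSum and head.checkSumAdjustment after a mutation."""
    out = bytearray(font)
    _, entries = parse_directory(font)
    for i, (tag, (_, off, length)) in enumerate(entries.items()):
        if tag == "head":
            out[off + 8:off + 12] = b"\x00" * 4
        out[16 + 16 * i:20 + 16 * i] = struct.pack(">I", table_checksum(bytes(out[off:off + length])))
    if "head" in entries:
        head_off = entries["head"][1]
        adjustment = (WHOLE_FONT_SUM - table_checksum(bytes(out))) & 0xFFFFFFFF
        out[head_off + 8:head_off + 12] = struct.pack(">I", adjustment)
    return bytes(out)

def build_sample_font() -> bytes:
    """Constructed two-table font: a 54 byte 'head' and a version 0.5 'maxp' with 3 glyphs."""
    head = bytearray(54)
    head[0:4] = struct.pack(">I", 0x00010000)      # head table version 1.0
    head[12:16] = struct.pack(">I", HEAD_MAGIC)
    maxp = struct.pack(">IH", 0x00005000, 3)       # 6 bytes, so it gets 2 bytes of padding
    return fix_checksums(build_font({"head": bytes(head), "maxp": maxp}))

if __name__ == "__main__":
    font = build_sample_font()
    print("clean font problems:", validate(font))
    mutated = font[:100] + bytes([font[100] ^ 0xFF]) + font[101:]   # flip a byte inside maxp
    print("mutated font problems:", validate(mutated))
    print("after fix_checksums:", validate(fix_checksums(mutated)))
```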
  7. I understood that the kid is Romanian and that the message is for the Hungarians.
  8. http://www.youtube.com/watch?v=AJ_I8uKNi2g
  9. Publish apps. Get up to $2000* Publish your app(s) in the Windows Store and/or Windows Phone Store from March 8th to June 30th, 2013. Enter up to 10 apps per Store and get a $100 virtual Visa card for each that qualifies (up to $2000*). Now, fill out the form below. You can get a $100 virtual Visa card for every qualified app you enter (up to $2000*). So don't stop with just one app! If you're eligible to receive the offer, we'll notify you by email. Info: Keep The Cash
  10. http://www.youtube.com/watch?v=nfMecofhBQk
  11. You have to write, in C++, a function that receives some input data (it doesn't matter what) and produces as its result a buffer (containing who knows what data, not important) whose size is unknown at the time the function is called. What would the best prototype for that function look like to you?
     1. The function returns bool if it completed successfully and writes the data to a PRE-allocated address, allocated before the call:
        bool Functie(int DateIntrare, char *Buffer, int &DimensiuneAlocata);
        The "DimensiuneAlocata" parameter is passed by reference and after the call it will contain the number of bytes used by the function. The problem is that the function may need more bytes than were pre-allocated, so the data will be truncated.
     2. A function that returns a pointer to data ALLOCATED BY THE FUNCTION (so it will have to be freed later by the user) and a parameter passed by reference which will contain the size of the allocated data:
        char *Functie(int DateIntrare, int &DimensiuneAlocata);
     3. The function returns the number of bytes allocated and receives as a parameter a reference to the pointer it will allocate internally, with the data to be freed by the user:
        int Functie(int DateIntrare, char *& Buffer);
     Well, there are MANY more variants. Which one do you prefer and why? I hope you understood what I mean...
  12. Other information: New! Samsung Security Flaw – Disable Lockscreen – Total Control | Terence Eden has a Blog
  13. BOPFunctionRecognition
     This python/jython script is used as a plugin to the BinNavi tool to analyze an x86 binary file to find buffer overflow prone functions. Such functions are important for vulnerability analysis.

     Introduction:
     =============
     The following abstract from the original paper "Sanjay Rawat and Laurent Mounier, "Finding Buffer Overflow Inducing Loops in Binary Executables", In Proc. of the IEEE International Conference on Software Security and Reliability (SERE) 2012, June 2012, Washington DC, USA", gives the hint about this tool:

     Abstract—Vulnerability analysis is one among the important components of overall software assurance practice. The main aim of vulnerability analysis is to find patterns in software that indicate possible vulnerabilities. Buffer overflow (BoF) is one of such vulnerabilities that has managed to top the list of vulnerabilities. A general practice to find BoF is to look for the presence of certain functions that manipulate string buffers. The strcpy family of C/C++ functions is an example of such functions. A simple analysis of such functions reveals that data is moved from one buffer to another buffer within a loop without considering destination buffer size. We argue that similar behaviour may also be present in other functions that are coded separately and therefore, are equally vulnerable. In the present report, we investigate the detection of such functions by finding loops that exhibit similar behavior. We call such loops Buffer Overflow Inducing Loops (BOIL), mainly from the buffer overflow vulnerability standpoint. We implemented our solution and analyzed it on real-world x86 binary executables. The results obtained show that this (simple but yet efficient) vulnerability pattern may provide a drastic reduction of the part of the code to be analysed, while allowing to detect real vulnerabilities.

     Software Requirements:
     =====================
     1. BinNavi Version 4 (Note: version 3 uses MySQL databases, whereas from v4 onwards, BinNavi uses PostgreSQL)
     2. IDA Pro v6
     3. Jython

     Installation:
     ============
     No installation as such. In order to analyze a binary file, follow the steps:

     A- Creating the IDA Pro IDB file
     1. Drag-n-drop the executable into the opened IDA Pro pane.
     6. In the following IDA Pro window, uncheck "make imports segment" and then OK.
     7. Wait until IDA Pro finishes its analysis and then close IDA Pro. It will ask to save the analysis; choose "yes".
     8. The previous step will create a test.idb file in the same folder where the exe resides.

     B- Importing the IDB file into BinNavi
     1. In Windows, go to the directory of BinNavi.
     2. Double click on BinNavi.bat. It will open the BinNavi GUI.
     3. In the BinNavi window, double click on the BinNavi1 DB sign (left top sidebar).
     4. It will make a connection to the DB and will unfold the BinNavi1 DB field.
     5. Click on "Modules", which lists all the loaded modules in BinNavi.
     6. Right click on "Modules" and choose "import IDB file". It will open another window.
     7. By traversing "Look in => Home (symbol)", go to the folder and select the test.idb file and then press the ">>" sign. Click import.
     8. Once imported, test.exe will appear in the "Module" tree. Double click on this.
     8. This will open another window, which has the functions defined in the module (lower right pane). By double clicking on any function address, you can open this function's graph. This step is not required for our purpose, i.e. for the API based script.
     9. Just run the provided script as
        > jython BOPFunctionRecognition_simple.py
        and follow the instructions thereafter.

     The output of the script is two files:
     1. a file with results describing the functions that are BOP functions along with loop information (at assembly level)
     2. a pickle file that has a list of BOP functions.

     NOTE:
     =====
     The provided script is absolutely an unoptimized version and there are many things that can be improved a lot (both code and algorithm wise). We'll be updating it from time to time and also anticipate volunteers to suggest. Please write me mails if you would like to participate or contribute.

     Thanks
     Sanjay Rawat
     sanjayr@ymail.com

     Download: https://github.com/tosanjay/BOPFunctionRecognition
  14. Linux community adopts UEFI technology
     The Unified Extensible Firmware Interface (UEFI) Forum, a world-class, non-profit industry standards body of leading technology companies that promotes firmware innovation by creating specifications that enable the continual evolution of platform technologies, is gaining momentum as use of UEFI specifications increases in Linux-based operating systems, such as Ubuntu 12.10, Fedora 18 and OpenSUSE 12.3. UEFI specifications enable cross-functionality between devices, software and systems. By design, UEFI technology lends itself to utility and applicability across a range of platforms.

     Including UEFI Secure Boot in Linux-based distributions allows users to boot alternate operating systems without disabling UEFI Secure Boot. It also allows users to run the software they choose in the most secure and efficient way possible, promoting interoperability and technical innovation. UEFI specifications are designed to enhance security and standardization while allowing a speedier boot time. Companies responsible for delivering backup and disaster recovery for servers, desktops, laptops and virtual machines rely on robust UEFI technology to ensure crucial data remains protected under all circumstances. In the event of a system outage, use of UEFI technology reduces downtime and loss of revenue.

     “The increasing use of UEFI technology in Linux and proprietary systems is a testament to its ability to deliver next-generation technologies for nearly any platform,” said Mark Doran, president, UEFI Forum. “It’s exciting to watch UEFI enable the evolution of firmware technology in a variety of sectors as it continues to gain momentum.”

     Source: Linux community adopts UEFI technology
  15. It's the best: with a single click, if the site is vulnerable, it shows you the administrators' login details.
  16. [h=2]PHP Security – Escape proof SQL injection in ORDER BY clause[/h]
     http://xkcd.com/327/

     It's a well known, well documented, and well abused fact that SQL injection attacks can take place in the WHERE clause of a SQL statement. The commonly applied practice among professionals is to run user input through mysql(i)_real_escape_string(). However, this only protects against user variables within quoted values, and does not protect against SQL injection attacks elsewhere in the query. One place that is commonly vulnerable is in the ORDER BY clause. Many developers either do not understand that mysql(i)_real_escape_string does not protect them from these types of attacks, or do not think that meaningful SQL injection can be done at this point in the query on a single statement engine like MySQL. As a result, this vulnerability can be found and exploited in many applications and websites, both commercial and open source, personal and corporate. The vulnerable code and SQL query is basically:

```php
<?php
// Vulnerable: escaping only neutralises quote-breaking characters, but $sortColumn
// is interpolated unquoted into the ORDER BY clause. ($link is the mysqli connection,
// which mysqli_real_escape_string() requires as its first argument; the original omitted it.)
$sortColumn = mysqli_real_escape_string($link, $_GET['sort_column']);
$query = "SELECT * from some_table WHERE active = true ORDER BY $sortColumn DESC";
?>
```

     This is vulnerable to a SQL injection attack that will allow a hacker to get information from any table in the database, whether it's usernames, passwords, credit card account numbers, etc.

     [h=2]How this can be exploited[/h]
     The core theory behind the exploit is that this vulnerable query allows you to test a tiny piece of information from anywhere in the database in a boolean query that doesn't rely on any unescaped characters, then use the value of that boolean to visibly change the output of the query. Assume that the vulnerable site is a news site and lets you sort the article listings by the date or title column. When you click on the column header you want to sort by, it sends a 'sort_column' parameter to the above script of either 'date' or 'title'.

     If instead of sending 'date' or 'title', you sent something like the following string, you would be able to start reading information from anywhere in the database. In this particular case, we'll try the users table.

     (CASE WHEN (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM users where username = 0x61646D696E) = 65 THEN date ELSE title END)

     Assuming that these are the correct table and column names, this injection will allow you to tell whether or not the first character of the admin user's password is 'A'. If it is, the article list will be returned sorted by date. If not, it will be returned sorted by title. If it isn't a match, then the 65 in the query just needs to be incremented/decremented until the match is made to try other various letters/symbols. Once the match is made and the first character is discovered, the substring offset just needs to be incremented to get the second character, but this time starting with null to see if the end of the string has already been reached. If not, start back at 65, and repeat the process until null matches. This does require some knowledge about the database schema, which can be guessed, looked up on open source applications, or can be learned by first querying against a known table like the information schema. A script can be written to automate this process very quickly, as an 8 character password with upper and lowercase letters and numbers can be discovered with a maximum of 500 queries. MD5 encoded passwords will have the hashes revealed in less than 512 queries, which can then be brute force decoded (at over 500 million attempts/second, thanks to GPU computing), or directly looked up if the password is a common word or phrase.

     [h=2]Why This Works[/h]
     Because each of these queries puts user input in a place in the query that is not enclosed with ', there is no need to use any of the characters that would be escaped by mysql(i)_real_escape_string(). Instead, SQL can be passed directly into the query. In places where strings are normally used when making a query, hex notation, ASCII or other character conversion can be used to convert strings to or from their numeric values. As demonstrated in these examples, anywhere that SQL can be injected into a query is a major security vulnerability.

     [h=2]How to Secure[/h]
     Securing this type of query is a rather simple process. If a column name is expected, the user input should be validated against a whitelist array. Applying this to the example query:

```php
<?php
$columns = array('title', 'date');
// Strict comparison (third argument) so only an exact, expected column name passes;
// anything else, including a missing parameter, falls back to the default column.
if (isset($_GET['sort_column']) && in_array($_GET['sort_column'], $columns, true)) {
    $sortColumn = $_GET['sort_column'];
} else {
    $sortColumn = 'title';
}
?>
```

     As you can see, the above code will ensure that only expected/allowed values make it through to the database. So remember, trust no one, and sanitize everything, regardless of how harmless you may think invalid input will be.

     Source: Joseph Keeler
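     As an added example (not from Joseph Keeler's post, and in Python rather than PHP so it runs anywhere): a model of mysql_real_escape_string() that shows it leaves the ORDER BY payload quoted above untouched, the allow-list fix extended to the sort direction, and a check over constructed web-server access-log lines that flags sort parameters carrying SQL instead of a column name. The log lines, IP addresses and parameter names are constructed for this example.

```python
"""Why escaping cannot protect an unquoted ORDER BY column, the allow-list fix,
and a log check for sort parameters that carry SQL. Sample data is constructed."""
import re
from urllib.parse import parse_qs, urlparse

# Characters mysql_real_escape_string() rewrites: NUL, \n, \r, \, ', " and Ctrl-Z.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

# The blind payload quoted in the post: it contains no quotes or backslashes at all.
ORDER_BY_PAYLOAD = ("(CASE WHEN (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM users "
                    "where username = 0x61646D696E) = 65 THEN date ELSE title END)")


def real_escape_string(value: str) -> str:
    """Model of mysql_real_escape_string(): only quote-breaking characters are changed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Allowed user values mapped to real column names; anything else falls back to 'title'.
SORT_COLUMNS = {"title": "title", "date": "date"}


def order_by_clause(sort_column, direction="desc") -> str:
    """Allow-list both the column and the direction; user input is never interpolated."""
    column = SORT_COLUMNS.get(sort_column, "title")
    direction = "ASC" if str(direction).lower() == "asc" else "DESC"
    return "ORDER BY %s %s" % (column, direction)


_IDENTIFIER = re.compile(r"[A-Za-z0-9_]{1,64}")
_SQL_IN_SORT = re.compile(r"\b(case\s+when|select|substring|ascii|if)\b", re.I)
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def suspicious_sort_params(log_lines, params=("sort_column", "sort", "order", "order_by")):
    """Return (line number, parameter, decoded value) for sort parameters that are not plain column names."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = _REQUEST.search(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group(1)).query)   # parse_qs also URL-decodes the values
        for name in params:
            for value in query.get(name, []):
                if _SQL_IN_SORT.search(value) or not _IDENTIFIER.fullmatch(value):
                    hits.append((lineno, name, value))
    return hits


# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Mar/2013:10:00:01 +0000] "GET /news.php?sort_column=date HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Mar/2013:10:00:07 +0000] "GET /news.php?sort_column=title HTTP/1.1" 200 5118',
    '10.0.0.9 - - [21/Mar/2013:10:01:30 +0000] "GET /news.php?sort_column=(CASE+WHEN+(SELECT+ASCII('
    'SUBSTRING(password,1,1))+FROM+users+where+username%3D0x61646D696E)%3D65+THEN+date+ELSE+title+END)'
    ' HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(real_escape_string(ORDER_BY_PAYLOAD) == ORDER_BY_PAYLOAD)  # True: escaping changes nothing
    print(order_by_clause(ORDER_BY_PAYLOAD))                          # ORDER BY title DESC
    for hit in suspicious_sort_params(SAMPLE_LOG):
        print("suspicious sort parameter on line %d: %s=%r" % hit)
```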
  17. [h=2]Social-Engineer Toolkit (SET) v4.7 – Codename “Headshot” Released.[/h]
     The Social-Engineer Toolkit (SET) version 4.7 codename “Headshot” has been released. This version of SET introduces the ability to specify multi-powershell injection which allows you to use as many ports as you want. SET will automatically inject PowerShell onto the system on all of the reverse ports outbound. What’s nice with this technique is it never touches disk and also uses already whitelisted processes. So it should never trigger anything like anti-virus or whitelisting/blacklisting tools. In addition to multi-powershell injector, there are a total of 30 new features and a large rewrite of how SET handles passing information within different modules.

     Changelog:
     ~~~~~~~~~~~~~~~~
     version 4.7
     ~~~~~~~~~~~~~~~~
     * removed a prompt that would come up when using the powershell injection technique, port.options is now written in prep.py versus a second prompt with information that was already provided
     * began an extremely large project of centralizing the SET config file by moving all of the options to the set.options file under src/program_junk
     * moved all port.options to the central routine file set.options
     * moved all ipaddr.file to the central routine file set.options
     * changed spacing on when launching the SET web server
     * changed the wording to reflect what operating systems this was tested on versus browsers
     * removed an un-needed print option1 within smtp_web that was reflecting a message back to user
     * added the updated java bean jmx exploit that was updated in Metasploit
     * added ability to specify a username list for the SQL brute forcing, can either specify sa, other usernames, or a filename with usernames in it
     * added new feature called multi-powershell-injection – configurable in the set config options, allows you to use powershell to do multiple injection points and ports. Useful in egress situations where you don’t know which port will be allowed outbound.
     * enabled multi-pyinjection through java applet attack vector, it is configured through set config
     * removed check for static powershell commands, will load regardless – if not installed user will not know regardless – better if path variables aren’t the same
     * fixed a bug that would cause linux and osx payloads to be selected even when disabled
     * fixed a bug that would cause the meta_config file to be empty if selecting powershell injection
     * added automatic check for Kali Linux to detect the default moved Metasploit path
     * removed a tail comma from the new multi injector which was causing it to error out
     * added new core routine check_ports(filename, ports) which will do a compare to see if a file already contains a metasploit LPORT (removes duplicates)
     * added new check to remove duplicates into multi powershell injection
     * made the new powershell injection technique compliant with the multi pyinjector – both payloads work together now
     * added encrypted and obfuscated jar files to SET, will automatically push new repos to git everyday.
     * rewrote the java jar file to handle multiple powershell alphanumeric shellcode points injected into applet.
     * added signed and unsigned jar files to the java applet attack vector
     * removed create_payload.py from saving files in src/html and instead in the proper folders src/program_junk
     * fixed a payload duplication issue in create_payload.py, will now check to see if port is there
     * removed a pefile check unless backdoored executable is in use
     * turned digital signature stealing from a pefile to off in the set_config file
     * converted all src/html/msf.exe to src/program_junk/ and fixed an issue where the applet would not load properly

     Download: https://www.trustedsec.com/downloads/social-engineer-toolkit/
     Source: https://www.trustedsec.com/march-2013/social-engineer-toolkit-set-v4-7-codename-headshot-released/
  18. + St. Patrick’s Day Through Google Glass | Google Glass APPs
  19. [h=2]How Guys Will Use Google Glass[/h] Once Google Glass does not require voice recognition and is completely discreet then, and only then, will the true creepsters embrace said technology. Until that time, they’ll only begrudgingly embrace it. Source: How Guys Will Use Google Glass | Technology | Dueling Analogs - Video
  20. Advanced Heap Manipulation in Windows 8
Zhenhua (Eric) Liu, zhliu@fortinet.com, VERSION 1.0

Contents
ABSTRACT
Prior Works
Introduction
  Sandbox
  Windows 8 Kernel Exploit mitigation improvements
  Heap feng shui and Windows 8
  What Feng shui really is
  What’s left?
    Uninitialized memory reference
    Application specific attacks
    Custom Memory Allocator
  The future
Quick View of the Idea
  Basics
    Freelists
    Three ways could write into the FreeLists
    Allocation Search
    Splitting Pool Chunks process
  The Mandatory Search Technique
Kernel Pool
  Implementation in Kernel Pool
    Basics
    Reliability Notes
    Putting It All Together
User Heap
  Implementation in User Heap
    Applicable circumstance
    Prerequisites
    The simple idea
  Practices in User heap
    A practical attack on _HEAP_USERDATA_HEADER
    Uninitialized memory reference
    Practical heap determining in IE 10
Conclusion
Acknowledgements
Bibliography
Attacking _HEAP_USERDATA_HEADER Source Code

Download: https://media.blackhat.com/eu-13/briefings/Liu/bh-eu-13-liu-advanced-heap-WP.pdf
  21. [h=1]Chameleon – a botnet with a financial impact of 6 million dollars per month[/h]
Published by Andrei Avădănei in Security · News — 20 Mar, 2013 at 2:49 pm

Chameleon is a botnet discovered by spider.io, the research coming very shortly after the takedown of the Bamital botnet by Microsoft and Symantec on February 6, 2013. Chameleon stands out for its extremely large financial impact, with costs to advertisers estimated at over 6 million dollars per month, 70% more costly than the Bamital botnet. It is also worth noting that the ads Chameleon displays are very large, unlike the text links in the previous case. Chameleon runs algorithms of varying complexity to manage the ads in a way as close as possible to the theme of the sites being visited. The level of sophistication and the mechanisms for evading detection systems are very impressive.

The computers on which Chameleon runs are machines with Microsoft Windows as the operating system. The infected computers access the web through a Trident browser with Flash enabled that executes JavaScript. So far, over 120,000 infected machines have been identified, 95% of them having US IP addresses. More details on this subject can be found at spider.io.

— Andrei Avădănei

Source: Chameleon – a botnet with a financial impact of 6 million dollars per month | WorldIT
  22. [h=1]New Samsung flaw allows 'total bypass' of Android lock screen[/h]
Summary: Another day, another lock screen flaw. Some Samsung devices running Android 4.1.2 can allow a 'total bypass' of the device's lock screen.
By Zack Whittaker for Zero Day | March 20, 2013 -- 12:10 GMT (05:10 PDT)

Another security flaw has been discovered on some Samsung phones that allows complete access to a device. Discovered by the same mobile enthusiast as the previous flaw, Terence Eden warns that this new bug could allow users to bypass the lock screen entirely through the use of third-party apps. This affects pattern unlocks, PIN code screens, and face detection security.

The flaw was tested on a Samsung Galaxy Note II running Android 4.1.2 as before — but it does not appear to exist on stock Android from Google, suggesting this is limited to Samsung phones only. This flaw may exist in other Android phones, notably Samsung devices, and users and IT managers alike should test their devices immediately.

The method involves many of the same steps as before, and involves having direct access to the device. Also, the methodology may include repeating some steps, so by far this is not an easy way to gain unauthorized access to a Samsung device.

From the lock screen, an attacker can enter a fake emergency number to call which momentarily bypasses the lock screen, as before. But if these steps are repeated, the user has enough time to go into the Google Play application store and voice search for "no locking" apps, which then disables the lock screen altogether. From there, the device is left wide open.

Here's the video:

Eden said that he disclosed this to Samsung in late February, but unlike last time, the Korean giant responded. A software fix to this lock screen bypass will be "released shortly," according to Eden.

It comes only a few weeks after a similar flaw was discovered in the lock screen of Apple's iPhone in iOS 6.1. This was fixed on March 19, more than a month after it was first discovered. Samsung did not fix the original lock screen bug, leaving millions of devices potentially at risk from privacy invasion. More worryingly, now a similar flaw can open up the device completely.

For now, only a third-party ROM can prevent such attacks. According to Eden, one software ROM designed for the Galaxy S III claims to have fixed the problem.

Source: New Samsung flaw allows 'total bypass' of Android lock screen | ZDNet
  23. Exploiting Software: How to Break Code
By Greg Hoglund and Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out. This must-have book may shock you—and it will certainly educate you.

Getting beyond the script kiddie treatment found in many hacking books, you will learn about:
• Why software exploit will continue to be a serious problem
• When network security mechanisms do not work
• Attack patterns
• Reverse engineering
• Classic attacks against server software
• Surprising attacks against client software
• Techniques for crafting malicious input
• The technical details of buffer overflows
• Rootkits

Download: http://par-anoia.net/assessment/books/security/Exploiting Software - How to Break Code - G. Hoglund, et al., (Addison-Wesley, 2004) WW.pdf
  24. The Government organizes the first Hackathon in Romania
Topic: Wednesday, February 20, 2013

This weekend, the Government's headquarters becomes the venue of the first "programming marathon" in Romania – Hackathon. Thus, for two days, 28 students will develop applications, web pages and interfaces with the help of Bitdefender and Microsoft, the event's partners, in an attempt to bring public administration closer to the citizen and to make those in government accountable through openness and transparency.

The five projects developed during this marathon centralize information of public interest. They will be:
• Buget.gov.ro – data on the state budget and its visualization in an easy-to-understand form
• Angajati.gov.ro – data on public administration employees
• Posturi.gov.ro – data on vacant positions put up for competition in public administration
• Petitii.gov.ro – citizens' initiatives, by area of interest
• Data.gov.ro – facilitates public access to the data included in the platforms above

This first edition will be attended by students with very good results in computer science competitions, selected by the Ministry of Education.

Source: The Government organizes the first Hackathon in Romania

So:
1. Programmers are expensive, so we put some kids to work for us, drawn in by the term "hackathon" (which is obviously used incorrectly)
2. We complain that government sites are vulnerable to any crap and that Vasile puts "Your mom's fat" on the homepage

PS: If they give us pizza and beer I might go too.
PS 2: I'm also thinking of going and leaving a backdoor there. (I won't give you any more ideas)
  25. [h=3]Owning Samsung phones for fun (...but with no profit)[/h]
I was planning to open a blog for some months, but I decided to do it only now, to summarize some of the findings of a quick look I gave at a couple of Samsung Android devices. But let's start at the beginning.

During last Christmas holidays I finally had some free time to try to better understand the inner workings of some Samsung devices, focusing on the manufacturer's customizations to the Android system. I confess I was quite surprised to see how many Samsung applications are included in the original firmware image, including several customizations to lots of Android core packages. To make a long story short, I soon started to find some exploitable bugs, affecting both "old" device models (e.g., my Galaxy Tab GT-P1000) and newer devices (e.g., my Galaxy S3). All these issues were caused by Samsung-specific software or customizations.

I must say I have nothing against Samsung: on the contrary I'm a happy Samsung customer, and I think their phones and tablets are quite cool, probably among the best devices around. However, their market share is making them an attractive target for attackers.

I contacted Samsung at the beginning of January 2013, and on January 17th I gave them all the technical details and proof-of-concepts for the six vulnerabilities I found, plus some bonus denial-of-services and info leaks (for the sake of completeness, the MD5 of my report is af7ca8998079c5445a3b1bcff2e05f90). Since then, I have not received any official confirmation from Samsung about their intention to fix these issues: as far as I know, they are still "in the process of checking for the vulnerabilities". Despite this fact, on February 20th, they asked to delay my public disclosure until proper patches are developed, considering that "any patches [samsung] develops must first be approved by the network carriers".

In the past, I have always followed a responsible disclosure policy to report the vulnerabilities I have found, but waiting until (all?) the network carriers approve a security patch seems to be a very, VERY, long time! Nevertheless, to avoid exposing Samsung users to possible threats, I won't disclose any technical detail, but I think it is acceptable to provide just a high-level overview of the issues.

[h=4]Scenario[/h]
All the vulnerabilities I reported can be exploited from an unprivileged local application. In other words, no specific Android privileges are required for the attacks to succeed. This allows attackers to conceal the exploit code inside a low-privileged (and apparently benign) application, distributed through Google Play or the Samsung Apps market. I would like to stress one more time that these issues are not caused by bugs inside the "vanilla" Android system, but are all caused by Samsung-specific software and customizations.

[h=4]Issues overview[/h]
As I discussed before, no technical details will be provided. In this paragraph I will just sketch out a high-level description of the issues I found and their possible impacts.
1. Two different vulnerabilities can be exploited to silently install highly-privileged applications with no user interaction. The privileged applications to be installed can be embedded right inside the unprivileged application package, or downloaded "on the fly" from an on-line market.
2. Another issue, different from the previous ones, allows attackers to send SMS messages without requiring any Android privilege (normally, Android applications are required to have the android.permission.SEND_SMS permission to perform this task).
3. An additional vulnerability can be used to silently perform almost any action on the victim's phone, ranging from placing phone calls to sending e-mails, SMS messages, and so on.
4. The remaining security issues allow attackers to change other settings of the victim's phone, such as networking or Internet settings, without the user's consent.

[h=4]Proof-of-concept[/h]
A video that shows the exploitation of one of the issues discussed at point 1 (stealth installation of a privileged application) is shown below. I know the video is quite meaningless, but it is all I can disclose right now. I'm also sorry for the poor video quality, but it turned out that recording an Android screen video with a good fps rate is more difficult than finding 0-days.

The video was taken using my Samsung Galaxy Tab, updated with the latest Samsung firmware and applications available at the time of writing. A similar vulnerability (but not the very same one) also affects the Galaxy S3 and probably other more recent devices.

The video is organized as follows:
1. An application named "Hacksung" is installed on the target device. At the beginning of the video I show that "Hacksung" has no specific permissions.
2. Application "Hacksung" is executed and the exploit is launched when the "Pwn!" button is pressed.
3. The exploit installs a second app, named "Malicious", embedded inside the "Hacksung" application package. As you can see from the video, no user confirmation is requested.
4. The application "Malicious" is run. This application does nothing, and it simply displays a text message.
5. To conclude, the video shows the permissions granted to "Malicious". As can be seen, several dangerous permissions are granted, such as the ability to read and send SMS messages.

[h=4]Some final observations[/h]
The ability to silently install privileged applications or to send SMS messages is quite appealing for mobile malware authors and, to make things even worse, most of the issues I reported to Samsung are also pretty easy to find. As a consequence, I won't be surprised to find some malware in the wild that exploits these or similar vulnerabilities.

Considering that most of these bugs can be fixed quite easily, without any drastic change to the device software, I admit that I was expecting a quick patch from Samsung. However, two months were not enough even to start the development of a security fix, and I don't think any patch will be released anytime soon. I really think Samsung cares about the security of its customers, but probably its vulnerability handling procedure should be revised a little bit.

Smartphones, tablets and other portable devices are tomorrow's computing platform, and Android is one of the leading actors of this change. As a natural consequence, Android malware is also rapidly growing. In this situation, the prompt development and diffusion of security patches is simply mandatory.

Source: Roberto Paleari's blog: Owning Samsung phones for fun (...but with no profit)