
Nytro (Administrators) - Posts: 18715 - Days Won: 701

Everything posted by Nytro

  1. Blackhat 2012 Europe - HDMI - Hacking Displays Made Interesting
     Description: https://media.blackhat.com/bh-eu-12/Davis/bh-eu-12-Davis-HDMI-WP.pdf https://media.blackhat.com/bh-eu-12/Davis/bh-eu-12-Davis-HDMI-Slides.pdf
     Picture this scene, which happens thousands of times every day all around the world: Someone walks into a meeting room, sees a video cable and plugs it into their laptop. The other end of the cable is out of sight. It just disappears through a hole in the table. What is it connected to? Presumably the video projector bolted to the ceiling, but can it be trusted to just display their PowerPoint presentation? This presentation discusses the security of video drivers which interpret and process data supplied to them by external displays, projectors and KVM switches. It covers all the main video standards, including VGA, DVI, HDMI and DisplayPort. It also details the construction of a hardware-based EDID fuzzer using an Arduino microcontroller and a discussion of some of its findings.
     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:
     Source: Blackhat 2012 Europe - HDMI - Hacking Displays Made Interesting
  2. It looks very good. Are these the materials from the Information Security master's programme at ASE? Did you do the master's there? Can you give more details? I would be interested in doing that master's too, which is why I'm asking.
  3. cat /dev/mem > ~/dump.bin
     Well, I've read that since 2.6 it no longer works quite that raw, it's restricted.
  4. Fern Wifi Cracker 1.45 Released with Cookie Hijacker
     Fern Cookie Hijacker is a new feature added in Fern Wifi Cracker 1.45. It is a wifi-based session hijacking tool able to clone remote online web sessions by sniffing and capturing wireless cookie packets from remote hosts by intercepting reachable wireless signals. It is capable of decrypting WEP encrypted packets on the fly to process session cookies transmitted over the air. Fern Cookie Hijacker comes with smart integrated code to detect and intercept cookie packets. Unlike some cookie detection engines, Fern Cookie Hijacker does not wait to collect the complete cookie acknowledgement during the initial authentication process, but pulls cookies and associates them with their hosts as they are transmitted over the wireless connection; it also forges values that are not captured, e.g. (expiry, isSecure), to correct values.
     Download Fern Wifi Cracker 1.45
     Source: Fern Wifi Cracker 1.45 Released with Cookie Hijacker | Tools Yard - The Hacker News
  5. HTExploit : Open Source Tool to Bypass Standard Directory Protection
     HTExploit (HiperText access Exploit) is an open-source tool written in Python that exploits a weakness in the way that .htaccess files can be configured to protect a web directory with an authentication process, to gain access to a protected directory's contents. Presumably, if such an attack is successful, you can launch further attacks such as SQL Injection, Local File Inclusion, Remote File Inclusion, etc. on discovered files.
     Features of HTExploit:
     - Multiple modules to execute.
     - Save the output to a specified directory.
     - HTML reporting.
     - Use multiple wordlists to probe against htaccess bypassing.
     - Verbose mode for fully detailed information.
     - Multi-platform and flexible.
     The vulnerability exists because web servers like Apache forward PHP-based requests within .htaccess to the PHP engine itself. The .htaccess file allows you to specify which requests get sent to PHP to try to interpret. However, on encountering non-standard input, PHP automatically treats it as a GET request, and allows the utility to start saving the PHP files on a webserver to your local filesystem, bypassing security restrictions!
     Download HTExploit
     Source: HTExploit : Open Source Tool to Bypass Standard Directory Protection | Tools Yard - The Hacker News
  6. jSQL : Java GUI for database Injection
     An easy to use SQL injection tool for retrieving database information from a distant server.
     jSQL Injection features:
     - GET, POST, header, cookie methods
     - visual, error-based, blind algorithms
     - automatic best algorithm detection
     - data retrieving progression
     - proxy setting
     Download jSQL
     Source: jSQL : Java GUI for database Injection | Tools Yard - The Hacker News
  7. hping3 --help
  8. Biggest MD5 crack databases
     By Langy
     BIGGEST MD5 DECRYPTING SITES
     - Free Hash Cracker Online
     - MD5 Encrypt - MD5 Decrypt (40,000,000)
     - online md5 cracker, md5 reverse, md5 decrypt (457,354,352,282)
     - md5Crack.com | online md5 cracker
     - http://www.hashchecker.com
     - http://md5cracker.tk/ (MD5 search engine that searches a total of 14 on-line crackers)
     - MD5 Decrypter.com, MD5 Decryption, Free MD5 Decrypter (5,889,729)
     - md5.rednoize.com - reverse engineer md5 hashes - powered by rednoize.com (56,502,235)
     - http://www.tmto.org/?category=main&page=search_md5 (306.000.000.000)
     - http://www.milw0rm.com/cracker/insert.php (Milw0rm Cracker db)
     - http://blacklight.gotdns.org/cracker/crack.php (2,456,288)
     - http://www.shell-storm.org/md5 (the database currently contains 169582 passwords)
     - Parallels Confixx (Need Account)
     - http://passcracking.com/ (Register to increase your priority)
     - http://www.xmd5.org
     - Perl Script: MD5 Brute Forcer
     CRACKED PASSWORD LIST
     - http://www.md5oogle.com/md5hashes.php
     - http://www.hashchecker.com/?_sls=hash_list&_from=1
     - http://www.milw0rm.com/cracker/list.php
     - http://darkc0de.com/database/cracked.txt
     RAINBOW TABLE
     - http://www.freerainbowtables.com/en/download/
     - http://www.rainbowtables.net/
     Other:
     - http://gdataonline.com/seekhash.php
     - http://passcracking.com/
     - http://www.1hacker.com/md5/index.php
     - http://www.gdataonline.com/seekhash.php
     - http://www.rc.plain-text.info/
     - http://www.milw0rm.com/md5/index.php
     - http://www.cracking.com/Good_values_list.asp
     - http://www.passcracking.com/Good_values_list.asp
     - http://www.hashchecker.com/index.php?_sls=info
     - http://www.uploadpage.net/ap/php/pro...rt/addhash.php
     - http://www.cmho.tk/
     - http://www.md5.rednoize.com/
     - http://www.us.md5.crysm.net/
     - http://www.milw0rm.com
     - http://www.passcracking.com/
     - http://www.hashchecker.com/
     - http://www.plain-text.info
     - http://www.md5.rednoize.com
     - http://www.ice.breaker.free.fr
     - http://www.md5.shalla.de
     - http://www.nz.md5.crysm.net
     - http://www.shm.hard-core.pl/md5/
     - http://www.lasecwww.epfl.ch/%7Eoechs...ects/ophcrack/
     - http://www.md5.benramsey.com
     Source: http://www.googlebig.com/forum/biggest-md5-crack-databases-t-68.html
  9. Rather than posting a lot and badly, it's preferable not to post at all.
  10. I've added an "Activity" button to the RST theme. If there's any problem, post here.
  11. BBQSQL : Blind SQL injection framework ( Python )
      Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues. BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.
      You must provide the usual information:
      - URL
      - HTTP Method
      - Headers
      - Cookies
      - Encoding methods
      - Redirect behavior
      - Files
      - HTTP Auth
      - Proxies
      After you pull the tool from Github, you can install simply by typing: python setup.py install
      Download BBQSQL
      Source: BBQSQL : Blind SQL injection framework ( Python ) | Tools Yard - The Hacker News
  12. The Social-Engineer Toolkit (SET) v3.5.1 released
      The Social-Engineer Toolkit (SET) v3.5.1 has been released. This version adds the ability to use the SET config to not deploy binaries to the victim machine through the Java Applet. The new configuration option can be found under config/set_config and DEPLOY_BINARIES. The Social Engineering Toolkit (SET) is an open source, python-driven, social-engineering penetration testing framework of custom tools which solely focuses on attacking the human element of penetration testing. It was designed in order to arm penetration testers and security researchers with the ability to effectively test heavily advanced social-engineering attacks armed with logical methods. The Social Engineer Toolkit leverages multiple attack vectors that take advantage of the human element of security in an effort to target attackers. By turning this off, SET will rely solely on the POWERSHELL_INJECTION technique for compromising the victim machine. This means that you have the ability to never touch disk, period, during the Java Applet attack.
      Full changelog below:
      - Fixed a bug in command center that would cause it to not load properly.
      - Fixed a bug in the new Java Applet Field Bytecode that would cause it to not properly select the payload.
      - Added compatibility for IE10 on the Java Applet Attack Vector.
      - Turned AUTO_MIGRATE=OFF to AUTO_MIGRATE=ON by default, allows sticky processes to free up when exploitation occurs.
      - Added a new config option DEPLOY_BINARIES. When this is turned OFF, the Java Applet will only use the POWERSHELL_INJECTION technique and never deploy a binary. Note that you must know if the victim has POWERSHELL installed.
      - Fixed a couple of typos in the credential harvester.
      In addition, AUTO_MIGRATE=ON has been turned on by default and will automatically migrate to a different thread/process. In IE10, IE would freeze periodically causing issues. Even though the JVM is running in a separate thread pool, it would still cause freezing intermittently. The SET Command Center (web interface) had a bug fix to allow it to work properly.
      Download Social Engineer Toolkit 3.5.1: svn co / - Revision 1467: /social_engineering_toolkit set/
      Source: The Social-Engineer Toolkit (SET) v3.5.1 released | Tools Yard - The Hacker News
  13. The OWASP O2 Platform v 4.1 Released
      The OWASP O2 Platform is an OWASP Project which is a collection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile. The objective is to "Automate Application Security Knowledge and Workflows". Read more here.
      Download The OWASP O2 Platform v 4.1
      Source: The OWASP O2 Platform v 4.1 Released | Tools Yard - The Hacker News
  14. Freenet 0.7.5 build 1409 released
      Freenet is free software which lets you publish and obtain information on the Internet without fear of censorship. To achieve this freedom, the network is entirely decentralized and publishers and consumers of information are anonymous. Without anonymity there can never be true freedom of speech, and without decentralization the network would be vulnerable to attack.
      Download Freenet 0.7.5 build 1409
      Source: Freenet 0.7.5 build 1409 released | Tools Yard - The Hacker News
  15. Network Tracking Database v1.10.2 released
      NetDB tracks all MAC addresses on your switches and ARP entries on your network over time. It supports extensive switch, VLAN and vendor code reports from a CLI or Web App. It can generate CSV reports, track the usage of static addresses and much more.
      What's new in v1.10.2:
      - See the UPGRADE document before installing
      - Added dedicated NX-OS scraper, devtype nxos. Improved NX-OS support for descriptions. The old scraper still supports NX-OS but support will be dropped in v1.11 in favor of the nxosscraper.
      - Ability to configure use_trunks from the devicelist.csv file
      - Improved secondary credential support and login error messages
      - Added use_fqdn knob in netdb.conf to use the FQDN for switch names instead of just hostnames (changing this on an existing database will destroy historical data on switches because the names will all change)
      Major Features:
      - Track all entries in your MAC and ARP tables across your network routers and switches over time
      - Track the usage of static IP addresses and generate reports for static address recovery
      - Generate switch reports to recover unused ports or plan for network upgrades
      - Find all switchports configured for a VLAN and find what devices, if any, have been connected
      - Find all devices on a VLAN and the last time they were online
      - Quickly track down a problem with a device and locate its current state on the network or last connected state
      - Includes a command line tool and an easy to use web interface with access control
      - Web interface includes sortable columns and access controls
      - Generate CSV reports from the web interface or the command line
      - Change VLANs from the web interface with access controls on a per switch or per user basis
      - Send Wake On Lan packets from the Web Interface to remotely wake up workstations
      - Fast imports, pulls data from 1,000 or more network devices in under five minutes (depends on the hardware used)
      - Support for VRFs and almost every modern Cisco IOS and NX-OS device
      - Support for port security, port-channels and trunk ports for VMWare and phones
      - Optional graphing through MRTG to track the usage trends on your network
      - Optionally integrate NAC registration data to retrieve user registration information based on the MAC address
      Security:
      - Runs everything as the netdb user
      - Uses SSH and/or Telnet to gather information from your devices and does not require write access
      - Does not use SNMP, so no security issues or MIBs to deal with
      - Web Interface has access controls to restrict the information users can access based on their userid
      - Web Interface is hardened
      Download Network Tracking Database v1.10.2
      Source: Network Tracking Database v1.10.2 released | Tools Yard - The Hacker News
  16. Ostinato : Packet/Traffic Generator and Analyzer
      Ostinato is an open-source, cross-platform network packet crafter/traffic generator and analyzer with a friendly GUI. Craft and send packets of several streams with different protocols at different rates.
      - Windows, Linux, BSD and Mac OS X (will probably run on other platforms also with little or no modification but this hasn't been tested)
      - Open, edit, replay and save PCAP files
      - Support for the most common standard protocols: Ethernet/802.3/LLC SNAP; VLAN (with QinQ); ARP, IPv4, IPv6, IP-in-IP a.k.a. IP Tunnelling (6over4, 4over6, 4over4, 6over6); TCP, UDP, ICMPv4, ICMPv6, IGMP, MLD; any text based protocol (HTTP, SIP, RTSP, NNTP etc.); more protocols in the works ...
      - Modify any field of any protocol (some protocols allow changing packet fields with every packet at run time, e.g. changing IP/MAC addresses)
      - User provided hex dump - specify some or all bytes in a packet
      - User defined script to substitute for an unimplemented protocol (EXPERIMENTAL)
      - Stack protocols in any arbitrary order
      - Create and configure multiple streams
      - Configure stream rates, bursts, no. of packets
      - Single client can control and configure multiple ports on multiple computers generating traffic
      - Exclusive control of a port to prevent the OS from sending stray packets provides a controlled testing environment
      - Statistics window shows realtime port receive/transmit statistics and rates
      - Capture packets and view them (needs Wireshark to view the captured packets)
      - Framework to add new protocol builders easily
      Demo
      Download Ostinato
      Source: Ostinato : Packet/Traffic Generator and Analyzer | Tools Yard - The Hacker News
  17. The Network Diagnostic Tool (NDT) v 3.6.5 released
      The Network Diagnostic Tool (NDT) is a client/server program that provides network configuration and performance testing to a user's desktop or laptop computer. The system is composed of a client program (command line or Java applet) and a pair of server programs (a webserver and a testing/analysis engine). Both command line and web-based clients communicate with a Web100-enhanced server to perform these diagnostic functions. Multi-level results allow novice and expert users to view and understand the test results.
      How-To: Set up your own NDT Server
      Download The Network Diagnostic Tool (NDT) v 3.6.5
      Source: The Network Diagnostic Tool (NDT) v 3.6.5 released | Tools Yard - The Hacker News
  18. Bypassing SEHOP
      Stéfan Le Berre (s.leberre a sysdream.com), Damien Cauquil (d.cauquil a sysdream.com)
      Table of contents:
      - 0. Introduction
      - 1. SEHOP specifications (short version)
      - 2. Dealing with SEHOP when exploiting a stack overflow
      - 2.1. Breaking out the classical exploitation scheme
      - 2.2. The tricky part
      - 3. Proof Of Concept
      - 3.1. Target program & constraints
      - 3.2. Crash and exploitation
      - 4. Conclusion
      - 5. Credits
      - 6. Bibliography
      Download: http://shell-storm.org/papers/files/760.pdf
  19. Anti-Debugging – A Developer's View
      Tyler Shields (tshields a veracode.com), Veracode Inc., USA, 4 Van de Graaff Drive, Burlington, MA 01803
      Abstract— Anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target binary. Within this paper we will present a number of the known methods of anti-debugging in a fashion that is easy to implement for a developer of moderate expertise. We will include source code, whenever possible, with a line by line explanation of how the anti-debugging technique operates. The goal of the paper is to educate development teams on anti-debugging methods and to ease the burden of implementation.
      Keywords— anti-debugging, security, debugging, copy protection, anti-piracy, reverse engineering
      I. INTRODUCTION
      Anti-debugging, when implemented properly, can be a significant deterrence to would-be reverse engineers and software pirates. There is no foolproof solution to thwart the dedicated reverse engineer; however, making the task as arduous and difficult as possible increases the time and expertise required for full analysis of the binary application. Application developers should not be required to spend significant amounts of time understanding and examining the specifics of a software protection scheme. Straightforward implementation of a best of breed solution helps to achieve the aforementioned goals while leaving the developer additional time to implement features and other necessary application components. The majority of data on the topic of anti-debugging has been presented from the vantage point of a reverse engineer. Anti-debugging methods typically have been presented in assembly language dumps with minimal explanation as to the high level code constructs involved in the technique. Unless the developer is adept at reading and comprehending assembly language code, the anti-debugging method is incomprehensible and thus will not be implemented.
      Download: http://shell-storm.org/papers/files/764.pdf
  20. Writing shellcode for Linux and *BSD
      Author: Daniele Mazzocchio
      Last update: Apr 26, 2005
      Latest version: Writing shellcode for Linux and *BSD - Table of contents
      Table of Contents:
      - 1. Introduction
      - 2. Linux system calls
      - 2.1 int 0x80
      - 2.2 libc
      - 3. *BSD system calls
      - 4. Writing the shellcode
      - 4.1 In assembler
      - 4.2 In C
      - 5. Spawning a shell
      - 6. Shellcode analysis
      - 6.1 Trust is good...
      - 6.2 ...but control is better
      - 7. Appendix
      - 7.1 References
      - 7.2 Bibliography
      Download: http://www.shell-storm.org/papers/files/442.pdf
  21. Understanding Windows Shellcode
      skape (mmiller a hick.org)
      Last modified: 12/06/2003
      Contents:
      - 1 Foreword
      - 2 Introduction
      - 3 Shellcode Basics
      - 3.1 System Calls
      - 3.2 Finding kernel32.dll
      - 3.2.1 PEB
      - 3.2.2 SEH
      - 3.2.3 TOPSTACK
      - 3.3 Resolving Symbol Addresses
      - 3.3.1 Export Directory Table
      - 3.3.2 Import Address Table (IAT)
      - 4 Common Shellcode
      - 4.1 Connectback
      - 4.2 Portbind
      - 5 Advanced Shellcode
      - 5.1 Download/Execute
      - 6 Staged Loading Shellcode
      - 6.1 Dynamic File Descriptor Re-use
      - 6.2 Static File Descriptor Re-use
      - 6.3 Egghunt
      - 6.4 Egghunt (syscall)
      - 6.5 Connectback IAT
      - 7 Conclusion
      - 8 Detailed Shellcode Analysis
      - 8.1 Finding kernel32.dll
      - 8.1.1 PEB
      - 8.1.2 SEH
      - 8.1.3 TOPSTACK
      - 8.2 Resolving Symbol Addresses
      - 8.2.1 Export Table Enumeration
      - 8.3 Common Shellcode
      - 8.3.1 Connectback
      - 8.3.2 Portbind
      - 8.4 Advanced Shellcode
      - 8.4.1 Download/Execute
      - 8.5 Staged Loading Shellcode
      - 8.5.1 Dynamic File Descriptor Re-use
      - 8.5.2 Egghunt
      - 8.5.3 Egghunt (syscall)
      Download: http://www.hick.org/code/skape/papers/win32-shellcode.pdf http://projectshellcode.com/downloads/http___www.hick.org_code_skape_papers_win32-shellcode.pdf
  22. Return Oriented Programming
      CSCI 6621: Network Security, Week 11, Lecture 21: Tuesday, 04/04/2011
      Daniel Bilar, University of New Orleans, Department of Computer Science, Spring 2011
      Goals today:
      • Review: Buffer overflow, format string
      • Return Oriented Programming
      – Chain together sequences ('gadgets') ending in RET
      – Can use good code chunks as 'alphabet', string together to get bad code
      • Some similarities to an antigram (form of anagram): "Within earshot" / "I won't hear this"
      – Build "gadgets" for load/store, arithmetic, logic, control flow, system calls
      – Attack can perform arbitrary computation using no injected code at all
      Some slides gratefully adapted from Shacham BH 08 presentation (UCSD)
      Download: http://shell-storm.org/papers/files/779.pdf
  23. X86/WIN32 REVERSE ENGINEERING CHEATSHEET
      Instructions:
      - ADD <dest>, <source>: Adds <source> to <dest>. <dest> may be a register or memory. <source> may be a register, memory or immediate value.
      - CALL <loc>: Call a function and return to the next instruction when finished. <proc> may be a relative offset from the current location, a register or memory addr.
      - CMP <dest>, <source>: Compare <source> with <dest>. Similar to SUB instruction but does not modify the <dest> operand with the result of the subtraction.
      - DEC <dest>: Subtract 1 from <dest>. <dest> may be a register or memory.
      - DIV <divisor>: Divide the EDX:EAX registers (64-bit combo) by <divisor>. <divisor> may be a register or memory.
      General purpose 32-bit registers:
      - EAX: Contains the return value of a function call.
      - ECX: Used as a loop counter. "this" pointer in C++.
      - EBX: General purpose
      - EDX: General purpose
      - ESI: Source index pointer
      - EDI: Destination index pointer
      - ESP: Stack pointer
      - EBP: Stack base pointer
      Download: http://shell-storm.org/papers/files/797.pdf
  24. Defeating DEP through a mapped file
      by Homeostasie (Nicolas.D)
      Contents:
      - 1. Introduction
      - 2. Description of the attack scenario
      - 3. Building a ROP exploit
      - 3.1. Step 1 - Open a file containing our shellcode
      - 3.2. Step 2 - Craft mmap() parameters into the stack
      - 3.2.1. ROP chaining for crafting the first argument to 0
      - 3.2.2. ROP chaining for crafting the second and the fourth argument to 1
      - 3.2.3. ROP chaining for crafting the third argument to 4
      - 3.2.4. ROP chaining for crafting the fifth argument to "fd" value (file descriptor)
      - 3.2.5. ROP chaining for crafting the sixth argument to 0
      - 3.3. Step 3 - Call mmap() and jump on the mapped area
      - 4. Conclusion
      Download: http://shell-storm.org/papers/files/800.pdf
  25. Author: Nytro
      Date: 03.12.2011
      The last few days on Yahoo! Messenger have been very "interesting". I want to clear things up somewhat, to explain both the "story" and a few technical details in terms everyone can understand.
      The story: In short, for some time there has been a security problem in Yahoo! Messenger, a problem that certain people had known about for a while and that was not made public for a time, a problem which, among other "features", gave the attacker the ability to change the status of any Yahoo! Messenger user (version 11-11.5). Even though the problems only appeared for ordinary users about 2 days ago, software to change statuses has existed for longer, but our dear "friends" hadn't found out about it. First a fairly well-made program called "Y! Disruption" appeared. The program is this: [link visible to registered users only]. This program was made public on a forum with many members, most of them script kiddies, that is, people extremely interested in this kind of pathetic stuff, which in their eyes is called "hacking". Such people use all sorts of programs, especially to steal passwords or other information, and these people are to blame for the fact that this program became so "popular". The somewhat pleasant part is that not that many Romanians got hold of it, but there are still plenty of people who have it. The idea is simple: with two clicks you can change someone's status, so you don't exactly need to be an engineer to do it. Hence the program's popularity. Then the problem appeared: some people passionate about things like "yahoo invisible detector", passionate about Yahoo!, created an online version of this program - Ymland. Even more, they created the IDs from which the data is sent themselves (I'll come back with details below), and the annoying kids only have to specify an ID and a status, then press a button and that's it, the status changes.
      Morally speaking, there are a few conclusions to be drawn by those who had their status changed, the main one being that you have people in your messenger list, you know people, who are not exactly the kind of friends anyone would want. Then there's the idea of changing statuses, something extremely easy to do and with extremely "grand" results. Basically it's something that "shows", and for this stupid reason many losers appeared who started changing statuses. Did you do it too? I feel sorry for you if you're over 15, it's not exactly something to be proud of and you remain a loser.
      The way it works is not complicated at all, but implementing it requires quite a bit of knowledge. In short, the steps executed to change the status:
      1. A messenger ID is used from which the data will be sent; an ID and a password are needed (any Yahoo! account)
      2. That ID (called a bot) is logged in - the Ymland people created such bots themselves and use them
      3. That bot tries to send a file, and the data it sends is modified
      4. A new messenger window opens for the "victim" in which that bot tries to send the file
      5. The modified data contains a simple piece of HTML code which executes because messenger conversations are shown in a "page" (let's say), the same one used by Internet Explorer
      6. The HTML code calls a function used by Yahoo! Messenger, called "SetCustonStatus", which actually changes the status
      To avoid being such a "victim", you can mainly do two things:
      1. In messenger, from the menu bar, click Messenger, then Preferences, go to Ignore list, check "Ignore anyone who is not in my Yahoo! Contacts", click Apply then Ok. Why does this help? As I said above, there is a bot that sends that data. That bot, of course, can be an ID from your list, but then at least you'll know who "wishes you ill"; most of the time, though, they are random IDs created specifically for this. Basically, you don't have that ID in your list, so if you check that box, that ID won't be able to send you that data. Problems can arise if you want to talk to people you don't have in your list, because they won't be able to contact you.
      2. Use another client for Yahoo! Messenger. I recommend Pidgin, you can download it from here: [link visible to registered users only]. I like it a lot and it has some extraordinary features. There are alternatives too: Trillian - [link visible to registered users only], Digsby - [link visible to registered users only] and probably others. The problem no longer appears because those programs don't use that "page" - frame - used by Yahoo! Messenger, so the code can't execute.
      The technical part: It's nothing complicated and anyone can understand what actually happens, how these programs work. To begin with we have to talk about YMSG. Yahoo! Messenger uses TCP (Transfer Control Protocol) as its communication protocol on port 5050, but at the application level Yahoo! has defined a special protocol called YMSG (I'll let you guess what it stands for). In short, the protocol represents the rules by which data is sent by Yahoo! Messenger so that it is interpreted correctly by the recipient. The somewhat good part is that this protocol is not public, but it is known in detail to interested people. To give an idea, I'll describe the 3-step login process used by messenger:
      1. Yahoo! Messenger connects to a Yahoo! server such as 67.195.187.213 - cs214.msg.ac4.yahoo.com and sends a YMSG packet (a packet with a well-defined structure, a packet containing for example the protocol version, the packet size and other things) which, besides the YMSG header, contains only the ID (only the ID, without the password or anything else) you want to log in with.
      2. The server sends back, besides the ID, a value computed by a certain Yahoo!-specific algorithm.
      3. Yahoo! Messenger, based on that value, computes using the password, by a certain algorithm, two values which it sends to the server, and if those values are OK, the ID is logged in.
      Screenshots for each step: 1. [link visible to registered users only] 2. [link visible to registered users only] 3. [link visible to registered users only] Complete: [link visible to registered users only]
      Both the program and the online implementation of this "trick" work on the same principle. The program and the script used by Ymland log in a bot this way, and with that bot they try to send a file. What the program tries to send: [link visible to registered users only]
      So the code is simple:
      Code: <form><iframe onload="SetCustonStatus('Status nou');"></iframe></form>
      The problem is what Yahoo! Messenger does with this code. As I said above, it uses Internet Explorer's frame to render conversations. That is, it generates HTML depending on the data sent/received and uses ieframe.dll - the content page from Internet Explorer (it's an ActiveX Control, easy to use) and displays that HTML.
In screenshot-ul de mai jos nu am facut decat sa modific cateva proproetati ale ferestrei respective pentru a se vedea mai clar acest lucru: Fereastra conversatii: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Am reusit dupa ceva chin sa obtin codul HTML al unei ferestre de messenger. Arata cam asa: Code: <BODY style="BACKGROUND: #fff" class=" IM" bottomMargin=0 background="" leftMargin=0 rightMargin=0 scroll=no topMargin=0 bgColor=white><BR style="DISPLAY: none"> <DIV id=ConversationBody class=" "> <DIV style="DISPLAY: none" id=RecentHistory></DIV> ................................................. Ceea ce ne intereseaza pe noi, este modul in care genereaza el codul HTML cand se trimite un fisier. Arata cam asa: ================================================== ================================================== ======= Code: <TABLE id=FT_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA= class=prompt border=0 cellSpacing=0 cellPadding=0> <TBODY> <TR> <TD vAlign=top width="1%"><IMG class=icon src="file:///C:/Program%20Files/Yahoo!/Messenger/TEMPFTICON_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=.JPG"></TD> <TD> <DIV id=FT_description_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=> <H3>poyo_vl is sending you 1 photo:</H3></DIV> <DIV id=FT_list_or_progress_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=>22222.JPG (189 KB) <BR></DIV> <DIV id=FT_action_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=><A onclick='$InlineAction("ft_action,YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=,1");return false' href="file:///c://#"><B>Save As...</B></A> (Alt+Shift+A) <A onclick='$InlineAction("ft_action,YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=,2");return false' href="file:///c://#"><B>Decline</B></A> (Alt+Shift+D)</DIV></TD></TR></TBODY></TABLE> ================================================== ================================================== ======= Exemplul e pentru o imagine, dar nu e dificil de inteles. 
Pentru imaginea care se primeste, se salveaza un thumbnail temporar: Code: <TD vAlign=top width="1%"><IMG class=icon src="file:///C:/Program%20Files/Yahoo!/Messenger/TEMPFTICON_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=.JPG"></TD> Mesajul care se afiseza (ce_requ_wa este un ID pentru teste), si dimensiunea fisierului: Code: <H3>ce_requ_wa is sending you 1 photo:</H3></DIV> <DIV id=FT_list_or_progress_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=>22222.JPG (189 KB) <BR></DIV> Insa ceea ce ne intereseaza pe noi este: Code: <A onclick='$InlineAction("ft_action,YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=,1");return false' href="file:///c://#"><B>Save As...</B></A> Un screenshot explicativ: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Dupa cum puteti vedea in screenshot, "YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=" este valoarea cheii 265 din pachetul de transfer al fisierului. Ei bine, acel program si implementarea sa in PHP (cel mai probabil), modifica acea valoare la valoarea: Code: <form><iframe onload="SetCustonStatus('Status nou');"></iframe></form> Si practic acest cod apeleaza functia SetCustonStatus() folosita de Yahoo! Messenger pentru a schimba statusul. Functia respectiva e definita astfel: Code: function SetCustomStatus(a){$Invoke(22,a)} Iar functia $Invoke este definita astfel: Code: function $Invoke(b,a){YAHOO.Msgr.Host.invokeCommand(b,a)} Si tot asa, poveseta cu JavaScriptul se complica, e 05:17 AM si imi e lene sa intru in detalii, oricum nu e nimic interesant. Tot ce trebuie sa stim e ca la apelul acestei functii se schimba statusul. Aveti aici un screenshot cu o parte din cod: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Am vazut ca si echipele de antivirusi s-au sesizat in aceasta privinta si mi-a placut de baietii de la BitDefender care au facut o prezentare tehnica a problemei, insa eu am vrut sa explic mai pe larg si pe intelesul tuturor. 
Aveti aici articolul lor: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Ei bine, cred ca este de ajuns. Sper ca v-a fost util. // Nyto @ Romanian Security Team
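The root cause the post describes is that the key 265 value from the file-transfer packet is concatenated straight into the prompt HTML. The following JavaScript is an added example, not Yahoo!'s or the post author's code: it rebuilds that prompt once the unsafe way and once with the value validated and HTML-escaped, with a crude detector for the injected handler. All function names are hypothetical, and the expected id format (base64-like, as in the post's screenshot) is an assumption.

```javascript
// Added example (hypothetical helpers, not Yahoo! Messenger code).

// Escape the characters HTML treats specially, so an untrusted value is
// inert both in text nodes and inside quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Assumption: a legitimate transfer id looks like base64 (the post shows
// "YzBjNThi...NTA="). Anything else is rejected before it reaches HTML.
const BASE64_ID = /^[A-Za-z0-9+/]+={0,2}$/;
function isValidTransferId(id) {
  return typeof id === "string" && id.length <= 128 && BASE64_ID.test(id);
}

// Vulnerable pattern: the value from packet key 265 is concatenated raw,
// exactly like the FT_ markup quoted in the post.
function buildPromptUnsafe(transferId, sender, fileName) {
  return `<DIV id=FT_description_${transferId}><H3>${sender} is sending you 1 photo:</H3></DIV>` +
    `<DIV id=FT_list_or_progress_${transferId}>${fileName}</DIV>` +
    `<A onclick='$InlineAction("ft_action,${transferId},1");return false'>Save As...</A>`;
}

// Hardened pattern: validate the id, escape every untrusted value, and
// always quote attribute values.
function buildPromptSafe(transferId, sender, fileName) {
  if (!isValidTransferId(transferId)) {
    throw new Error("rejected file transfer: malformed transfer id");
  }
  const id = escapeHtml(transferId);
  const who = escapeHtml(sender);
  const file = escapeHtml(fileName);
  return `<DIV id="FT_description_${id}"><H3>${who} is sending you 1 photo:</H3></DIV>` +
    `<DIV id="FT_list_or_progress_${id}">${file}</DIV>` +
    `<A onclick='$InlineAction("ft_action,${id},1");return false'>Save As...</A>`;
}

// Crude detector: an event handler on an element that should never occur
// inside a file-transfer prompt.
function containsInjectedHandler(html) {
  return /<(iframe|img|svg|form)[^>]*\bon\w+\s*=/i.test(html);
}
```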