Nytro

Administrators
  • Posts: 18715
  • Days Won: 701

Everything posted by Nytro

  1. Yes, nice, congratulations. I had no idea there were so many useful tools...
  2. Who's coming? USL and PDL: the same filth! - RomanianUltras.net
  3. Reversing mrxsmb.sys. Chapter II "NtClose DeadLock"

    Written by Rubén, Tuesday, 13 June 2006

    Reversing Mrxsmb.sys. Chapter II: "NtClose DeadLock". This paper/advisory describes a vulnerability within the Kernel Object Manager.
    References: Microsoft Security Bulletin MS06-030, iDefense Advisory, CVE: CAN-2006-2374

    Download: http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=startdown&id=19
    Source: Reverse Mode - Reversing mrxsmb.sys. Chapter II "NtClose DeadLock"
  4. Reversing mrxsmb.sys. Chapter I "Getting Ring0"

    Written by Rubén, Tuesday, 13 June 2006

    Reversing Mrxsmb.sys. Chapter I: "Getting Ring0". This paper/advisory describes a vulnerability in the Microsoft Server Message Block Driver.
    References: Microsoft Security Bulletin MS06-030, iDefense Advisory, CVE: CAN-2006-2373

    Download: http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=startdown&id=18
    Source: Reverse Mode - Reversing mrxsmb.sys. Chapter I "Getting Ring0"
  5. Generic detection and classification of Polymorphic malware using Neural Pattern Recognition

    Written by Rubén, Tuesday, 13 June 2006

    Overview: This paper describes how to develop a Neural Pattern Recognition System in order to detect polymorphic malware. The widespread polymorphic packer/cypher Morphine is used as an example.

    Abstract: The obsolete way in which some anti-virus products generate malware signatures makes the detection of polymorphic samples a tedious problem, when it actually is not so difficult. This paper describes the basics of a method by which the generic classification of polymorphic malware could be considered a trivial issue.

    Download: http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=startdown&id=22
    Source: Reverse Mode - Generic detection and classification of Polymorphic malware using Neural Pattern Recognition
  6. Exploiting WDM Audio Drivers

    Written by Rubén, Friday, 21 December 2007

    This paper explains an attack vector inherent to certain WDM audio drivers running on Windows Vista, XP, 2000 and 2003. Successful exploitation could lead to local escalation of privileges. It is oriented towards researchers and developers with the aim of helping them to keep their code safe and/or to identify vulnerabilities.

    Overview: This paper covers an attack vector which is inherent to certain WDM audio drivers running on Windows Vista, XP, 2000 and 2003.

    Download: http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=startdown&id=54
    Source: Reverse Mode - Exploiting WDM Audio Drivers
  7. There's no question of deleting inactive accounts, but the issue of links being visible to unregistered users is debatable.
  8. This is just a way of "attracting" new users. For example, someone finds something useful, then takes a look around the forum. Maybe they see that Vasile has a problem and they could help him. But they won't create an account just to help him. However, if they already have an account, being somewhat "forced" to have one, and being logged in, it will be very easy for them to post. That's basically what a forum means: collaboration. If people weren't somewhat forced to create an account, there would only be leechers and they wouldn't contribute anything. Having an account, an eventual contribution is much simpler.
  9. Nytro

    RE-FUD Crypter

    Do you know the programming languages they were written in well? Do you know the PE (Portable Executable) structure well? Do you know the WinAPI for working with these structures, and for working with processes and threads? Do you know how antivirus scanning works and what the detections are based on?
  10. It's a bit awkward if you want to find the window based on the process. You can do it like this: use the EnumWindows function (Windows) to find all the windows, which requires creating a callback function, EnumWindowsProc callback function (Windows), and for each window you look up the process ID with GetWindowThreadProcessId function (Windows); the process ID itself is easy to find out with GetProcessId function. But that is NOT how it's done. You have to find the window directly with the FindWindow function and FindWindowEx function. Use a program like Spy++ or WinspectorSpy to discover the classes and names/titles of the windows (window properties you can search by with these functions), and that way you will have the window handle. Then you can use SendMessage to send KEYDOWN/UP: SendMessage(hWnd, WM_KEYDOWN, buton, 0); SendMessage(hWnd, WM_KEYUP, buton, 0); With the keybd_event function or SendInput function it's simpler in the sense that you don't need any window; the functions simply simulate key presses, and these messages reach the active window. That is, you make the code call them while you are in the game; you can look for the game window in a Timer / with a Sleep() using GetForegroundWindow function. Using SendInput function can be a bit cumbersome, but it's a very practical function. Here's a usage example: Google Answers: Using SendInput to send a number. Be careful with C#, you may run into lots of problems with pointers or with the size of the parameters you call the API functions with; you may need to use the functions from the Marshal Class (System.Runtime.InteropServices).
  11. In the main program? I used the keybd_event function with WM_KEYUP and WM_KEYDOWN, or the SendInput function. I had some problems with SendMessage: if you try to send to a program with higher "priority" you won't be able to, there are certain restrictions. Anyway, SendMessage with WM_KEYDOWN/UP should work too.
  12. Inside Flame: You Say Shell32, I Say MSSECMGR

    Thursday, June 28, 2012
    By Ruben Santamarta

    When I was reading the CrySyS report on Flame (sKyWIper)[1], one paragraph in particular caught my attention:

        In case of sKyWIper, the code injection mechanism is stealthier such that the presence of the code injection cannot be determined by conventional methods such as listing the modules of the corresponding system processes (winlogon, services, explorer). The only trace we found at the first sight is that certain memory regions are mapped with the suspicious READ, WRITE and EXECUTE protection flags, and they can only be grasped via the Virtual Address Descriptor (VAD) kernel data structure.

    So I decided to take a look and see what kind of methods Flame was using. Flame is conceived to gather as much information as possible within heterogeneous environments that can be protected by different solutions, isolated at certain levels, and operated upon by different profiles. Which means that, from the developers' point of view, you can't assume anything and should be prepared for everything. Some of the tricks implemented in Flame seem to focus on bypassing AV products as much as possible, specifically in terms of heuristics. A distributed "setup" functionality through three different processes (winlogon, explorer, and services) is way more confusing than letting a unique, trusted process do the job; i.e. it's less suspicious to detect Internet Explorer coming from explorer.exe than from winlogon.

    In essence, the injection method seems to pivot around the following three key features:
      • Disguise the malicious module as a legitimate one; Shell32.dll in this case.
      • Bypass common registration methods supplied by the operating system, such as LoadLibrary, to avoid being detected as an active module.
      • Achieve the same functionality as a correctly-registered module.

    So, let's see how Flame implements it.

    During the initial infection, when DDEnumCallback is called, Flame injects a blob and creates a remote thread in Services.exe. The blob has the following structure:

    The loader stub is a function that performs the functionality previously described: basically a custom PE loader that's similar to the CryptoPP dllloader.cpp[2] with some additional tricks. The injection context is a defined structure that contains all the information the loader stub may need, including API addresses or names, DLL names, and files; in fact, the overall idea reminded me of Didier Stevens' approach to generating shellcodes directly from a C compiler[3].

    Injection Context: Blob + 0x710
    API Addresses:
        esi      OpenMutexW
        esi+4    VirtualAlloc
        esi+8    VirtualFree
        esi+0Ch  VirtualProtect
        esi+10h  LoadLibraryA
        esi+14h  LoadLibraryW
        esi+18h  GetModuleHandleA
        esi+1Ch  GetProcAddress
        esi+20h  memcpy
        esi+24h  memset
        esi+28h  CreateFileMappingW
        esi+2Ch  OpenFileMappingW
        esi+30h  MapViewOfFile
        esi+34h  UnmapViewOfFile
        esi+38h  ReleaseMutex
        esi+3Ch  NtQueryInformationProcess
        esi+40h  GetLastError
        esi+44h  CreateMutexW
        esi+48h  WaitForSingleObject
        esi+4Ch  CloseHandle
        esi+50h  CreateFileW
        esi+54h  FreeLibrary
        esi+58h  Sleep
        esi+5Ch  LocalFree

    The loader stub also contains some interesting tricks.

    Shell32.dll: A matter of VAD

    To conceal its own module, Flame hides itself behind Shell32.dll, which is one of the largest DLLs you can find on any Windows system, meaning it's large enough to hold Flame across different versions. Once shell32.dll has been mapped, a VAD node is created that contains a reference to the FILE_OBJECT, which points to Shell32.dll. Flame then zeroes that memory and loads its malicious module through the custom PE loader, copying sections, adjusting permissions, and fixing relocations.

    As a result, those forensics/AntiMalware/AV engines walking the VAD tree to discover hidden DLLs (and not checking images) would be bypassed, since they assume that memory belongs to Shell32.dll, a trusted module, when it's actually mssecmgr.ocx. The stub then calls DllEntryPoint, passing in DLL_PROCESS_ATTACH to initialize the DLL. The malicious DLL has now been initialized, but remember it isn't registered properly, so it cannot receive the remaining events such as DLL_THREAD_ATTACH, DLL_THREAD_DETACH, and DLL_PROCESS_DETACH.

    And here comes the final trick: msvcrt.dll is loaded up to five times, which is a little bit weird, no? Then the PEB InLoadOrder structure is traversed to find the entry that corresponds to msvcrt.dll by comparing the DLL base addresses:

    Once found, Flame hooks this entry point:

    InjectedBlock1 (0x101C36A1) is a small piece of code that basically dispatches the events received to both the malicious DLL and the original module. The system uses this entry point to dispatch events to all the DLLs loaded in the process; as a result, by hooking into it Flame's main module achieves the goal of receiving all the events other DLLs receive. Therefore, it can complete synchronization tasks and behaves as any other DLL. Neat.

    I assume that Flame loads msvcrt.dll several times to increase its reference count, to prevent msvcrt.dll from being unloaded, since this hook would then become useless.

    See you in the next post!

    [1] http://www.crysys.hu/skywiper/skywiper.pdf
    [2] dllloader.cpp - secureimplugin - SecureIM plugin for Miranda IM - Google Project Hosting
    [3] Shellcode
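The post above points at two things a memory forensics tool should verify rather than assume: that the PE actually mapped in a region is the file its FILE_OBJECT names, and that a module's loader entry point still lies inside that module and still matches the PE header. The script below is an added example written for this page; it is not code from the post, from Flame, or from the CrySyS or Reverse Mode analyses. It runs cross-view checks over a constructed, simplified snapshot (a VAD-style region list and a PEB loader list with the fields such a tool would already have read from a memory image). The VadRegion/LdrEntry classes, the check names and every address, size and file name in sample_process() are assumptions made up for the demo; only the idea of a hidden PE under shell32.dll's mapping, a redirected msvcrt.dll entry point and a private RWX region comes from the post.

```python
from dataclasses import dataclass
from typing import List

# Protections that a legitimately mapped image section never needs.
RWX = {"PAGE_EXECUTE_READWRITE"}


@dataclass
class VadRegion:
    """One node of the VAD tree, as a memory forensics tool would report it (assumed shape)."""
    start: int
    end: int                 # exclusive
    protection: str
    file_object: str         # path named by the backing FILE_OBJECT, "" if private memory
    image_export_name: str   # module name in the export directory of the PE mapped here, "" if none
    image_entry_point: int   # absolute AddressOfEntryPoint read from that PE header, 0 if none


@dataclass
class LdrEntry:
    """One LDR_DATA_TABLE_ENTRY from the PEB InLoadOrderModuleList (assumed shape)."""
    base: int
    size: int
    full_name: str
    entry_point: int         # EntryPoint field, which the loader calls for DLL_* events


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cross_view_findings(vads: List[VadRegion], ldr: List[LdrEntry]) -> List[str]:
    """Compare the VAD view with the loader view and return one string per anomaly."""
    findings = []
    vad_by_base = {v.start: v for v in vads}
    ldr_by_base = {e.base: e for e in ldr}

    for v in vads:
        # Private RWX memory is the trace the CrySyS report mentions.
        if v.protection in RWX and not v.file_object:
            findings.append(f"rwx_private:{v.start:#x}")
        if v.file_object:
            on_disk = _basename(v.file_object)
            # "Checking images": the PE in memory must be the file the VAD claims it is.
            if v.image_export_name and v.image_export_name.lower() != on_disk:
                findings.append(
                    f"image_name_mismatch:{v.start:#x}:{on_disk}!={v.image_export_name.lower()}")
            # An image mapping with no loader entry is a module hidden from module listings.
            if v.start not in ldr_by_base:
                findings.append(f"image_not_in_ldr:{v.start:#x}:{on_disk}")

    for e in ldr:
        name = _basename(e.full_name)
        # A hooked loader entry point lands outside the module it belongs to...
        if not (e.base <= e.entry_point < e.base + e.size):
            findings.append(f"entry_point_outside_module:{name}:{e.entry_point:#x}")
        # ...and no longer matches AddressOfEntryPoint in the mapped PE header.
        v = vad_by_base.get(e.base)
        if v is not None and v.image_entry_point and v.image_entry_point != e.entry_point:
            findings.append(f"entry_point_differs_from_header:{name}")
    return findings


def sample_process():
    """Constructed snapshot: shell32's VAD holds another PE, msvcrt's loader entry point
    is redirected into that region, and one private RWX blob exists. All values made up."""
    vads = [
        VadRegion(0x7C800000, 0x7C8F6000, "PAGE_EXECUTE_WRITECOPY",
                  r"\Windows\System32\kernel32.dll", "KERNEL32.dll", 0x7C80B64E),
        VadRegion(0x77C10000, 0x77C68000, "PAGE_EXECUTE_WRITECOPY",
                  r"\Windows\System32\msvcrt.dll", "msvcrt.dll", 0x77C1F2A1),
        VadRegion(0x7C9C0000, 0x7D1D7000, "PAGE_EXECUTE_WRITECOPY",
                  r"\Windows\System32\shell32.dll", "mssecmgr.ocx", 0x7CA01000),
        VadRegion(0x00900000, 0x00902000, "PAGE_EXECUTE_READWRITE", "", "", 0),
    ]
    ldr = [
        LdrEntry(0x7C800000, 0x0F6000, r"C:\Windows\System32\kernel32.dll", 0x7C80B64E),
        LdrEntry(0x77C10000, 0x058000, r"C:\Windows\System32\msvcrt.dll", 0x7CA036A1),
        LdrEntry(0x7C9C0000, 0x817000, r"C:\Windows\System32\shell32.dll", 0x7CA01000),
    ]
    return vads, ldr


if __name__ == "__main__":
    for finding in cross_view_findings(*sample_process()):
        print(finding)
```

The name-mismatch check is the "checking images" step the post says VAD-walking engines skip; the two entry-point checks catch the msvcrt.dll hook from the loader side even though the hidden module never appears in the loader list. On a real memory image the export name and AddressOfEntryPoint come from parsing the PE header at each image region's base.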
  13. Nytro

    an idea

    Time is Nytro and Nytro is time... Agreed?
  14. There have been a few editions of RoCyberCon, I presented PHP5 OOP myself, and there weren't many people enthusiastic about participating.
  15. Nytro

    How old are you?

    RST wants to encourage those under 18 to learn, to read both tutorials and books, and to help them with the problems they run into (in the field).
  16. ReadProcessMemory isn't needed in this case; SetWindowsHookEx will inject your DLL into the process and the code will run inside that process. I don't know exactly how the messages for adding an item to a ListView are sent, but it's possible that LVM_SETITEM and LVM_SETITEMTEXT are used to set the text on an item previously added with LVM_INSERTITEM. Because that pszText is suspicious, it can be set to LPSTR_TEXTCALLBACK, after which a call to LVM_SETITEM or LVM_SETITEMTEXT is needed for it to be set.
  17. I don't quite understand how you did it. The DLL is injected into TaskManager.exe, right? How did you capture the messages? More precisely, does your code run inside the Task Manager process? Because the pointers (LVITEMW*) are relative to the process, and if you work with strings you have to keep doing ReadProcessMemory/WriteProcessMemory not only on those pointers but also on the pointers to the strings, l2->pszText.
  18. Or, perhaps being "the biggest fish": hacking for fun and profit...
  19. Thousands of office printers infected with a virus

    by Liviu Petrescu | 25 June 2012

    The Milicenso virus has once again attacked thousands of PCs worldwide, but the new version of the malware has a truly unpleasant effect: the virus prints its own code. Several companies in the US, Europe, India and South America suffered losses after the printers attached to infected PCs started printing unintelligible text, the BBC writes. The online security firm Symantec claims that the printing of the virus code by printers connected to infected PCs is a side effect, not the main purpose of the malware. Created in 2010, the Milicenso virus has circulated in various forms until now, spreading as an email attachment or through infected sites offering video codec downloads. The virus's purpose is adware distribution, but the newest version automatically sends the virus's entire malware code to the printer queue.

    Source: Thousands of office printers infected with a virus | Hit.ro
  20. Why would I want to appear on their site? Initially I wanted to put something up as a joke, but they wouldn't have accepted it.
  21. Inj3ct0r Exploit Database - exploit database separated by exploit type (local, remote, DoS, etc.)
    [x] Official Website: http://www.1337day.com
    [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com
    I'm Taurus Omar Member From Inj3ct0r TEAM

    Google Maps - Remote File Disclosure /SQL Injection Vulnerability

    ==> ABOUT ME:
    TAURUS OMAR --- INDEPENDENT SECURITY RESEARCHER --- ACCESOILEGAL.BLOGSPOT.COM --- @omartaurus --- omar-taurus[at]dragonsecurity[dot]org --- omar-taurus[at]live[dot]com

    ===> INFO:
    Author : TAURUS OMAR
    Category : Webapps / 0day
    Title Exploit : Google Maps - Remote File Disclosure /SQL Injection Vulnerability
    Vendor : Google Maps
    URL Vendor : http://maps.google.com/
    0day exploits : 1337day.com Inj3ct0r Exploit DataBase

    Proof of CONCEPT IMAGES :
    http://img256.imageshack.us/img256/5621/googlemapsr.jpg
    http://img341.imageshack.us/img341/995/googlemaps2i.jpg

    ==> SAMPLE'S SQLi:
    http://maps.google.com/maps?q=1001%20+longwod+%20road+%2019348 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Chadds%20+Ford+%20Delaware+%20Pennsylvania+%2019317 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Wolverine+%20Cheboygan+%20Michigan+%2049799 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Crum+%20Wayne+%20West+%20Virginia+%2025669 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Simpsonville+%20Shelby+%20Kentucky+%2040067 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Cottage+%20Grove+%20Weakley+%20Tennessee+%2038224 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Dothan+%20Houston+%20Alabama+%2036303 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Clarksville+%20Montgomery+%20Tennessee+%2037040 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Chattanooga+%20Hamilton+%20Tennessee+%2037416 [SQL Injection]
    http://maps.google.com/maps?q=1001%20+Webb%20+Rd+%20Ellenboro+%20Rutherford+%20North+%20Carolina+%2028040 [SQL Injection]

    ==> REMOTE FILE DISCLOSURE
    http://maps.google.com/ads/displaynetwork/adtypes/xxxxx/../../../../maps/ms
    http://maps.google.com/ads/displaynetwork/adtypes/hilton-300x250.html/../../../../maps/ms
    http://maps.google.com/ads/displaynetwork/adtypes/lenovo-728x90.html/../../../../maps/ms

    # 1337day.com [2012-06-22]

    Source: Inj3ct0r Member found Google Maps Remote File Disclosure / SQL Injection | Inj3ct0r - exploit database : vulnerability : 0day : shellcode

    Doesn't seem to work, not now. Anyway, these Inj3ct0r guys are crap, they brag about exploits found by others and are pretty clueless about everything, so it's probably fake, but well, I can't be sure.
  22. Nytro

    RST vs. Polonic

    Which of you from Bucharest have a car? Ah, crap, I'll take Ahead and we'll go
  23. Yeah man, big companies in the financial sector pay good money for something like this, whereas others...
  24. Nytro

    RST vs. Polonic

    Is this it? Professor Petre Paulina - English teacher