Everything posted by Nytro
-
Hack a Server – Crowdsourcing Penetration Platform in București
Nytro replied to Andrei's topic in Security news
Put the emphasis on the web application side. We'll talk more anyway. As for the meeting, it was great, congratulations on everything.
-
That much? Does $60,000 seem like a lot to you? They're not giving $1 million for this, they're giving a MAXIMUM of $60,000. Read the whole thing...
-
[h=2]Chrome Hacked In 5 Minutes At Pwn2Own[/h]
"After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest, team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."
Source: Chrome Hacked In 5 Minutes At Pwn2Own - Slashdot
-
[h=1]The Mystery of the Duqu Framework[/h]
Igor Soumenkov, Kaspersky Lab Expert. Posted March 07, 15:58 GMT

While analyzing the components of Duqu, we discovered an interesting anomaly in the main component that is responsible for its business logic, the Payload DLL. We would like to share our findings and ask for help identifying the code.

[h=2]Code layout[/h]
At first glance, the Payload DLL looks like a regular Windows PE DLL file compiled with Microsoft Visual Studio 2008 (linker version 9.0). The entry point code is absolutely standard, and there is one function exported by ordinal number 1 that also looks like MSVC++. This function is called from the PNF DLL and it is actually the “main” function that implements all the logic of contacting C&C servers, receiving additional payload modules and executing them. The most interesting part is how this logic was programmed and what tools were used.

The code section of the Payload DLL is typical of a binary that was made from several pieces of code. It consists of “slices” of code that may have been initially compiled in separate object files before they were linked into a single DLL. Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions and user-written code, except the biggest slice, which contains most of the C&C interaction code.

[Figure: Layout of the code section of the Payload DLL file]

This slice is different from the others, because it was not compiled from C++ sources. It contains no references to any standard or user-written C++ functions, but is definitely object-oriented. We call it the Duqu Framework.

[h=2]The Framework[/h]
[h=3]Features[/h]
The code that implements the Duqu Framework has several distinctive properties:
- Everything is wrapped into objects
- The function table is placed directly into the class instance and can be modified after construction
- There is no distinction between utility classes (linked lists, hashes) and user-written code
- Objects communicate using method calls, deferred execution queues and event-driven callbacks
- There are no references to run-time library functions; the native Windows API is used instead

[h=3]Objects[/h]
All objects are instances of some class; we identified 60 classes. Each object is constructed with a “constructor” function that allocates memory, fills in the function table and initializes members.

[Figure: Constructor function for the linked list class]

The layout of each object depends on its class. Some classes appear to have binary-compatible function tables, but there is no indication that they have any common parent classes (as in other OO languages). Furthermore, the location of the function table is not fixed: some classes have it at offset 0 of the instance, but some do not.

[Figure: Layout of the linked list object. The first 10 fields are pointers to member functions]

Objects are destroyed by corresponding “destructor” functions. These functions usually destroy all objects referenced by member fields and free any memory used. Member functions can be referenced via the object’s function table (like “virtual” functions in C++) or they can be called directly. In most object-oriented languages, member functions receive the “this” parameter that references the instance of the object, and there is a calling convention that defines the location of the parameter, either in a register or on the stack. This is not the case for the Duqu Framework classes: they can receive the “this” parameter in any register or on the stack.

[Figure: Member function of the linked list, receiving the “this” parameter on the stack]

[h=3]Event driven framework[/h]
The layout and implementation of objects in the Duqu Framework is definitely not native to the C++ that was used to program the rest of the Trojan. There is an even more interesting feature of the framework that is used extensively throughout the whole code: it is event driven. There are special objects that implement the event-driven model:
- Event objects, based on native Windows API handles
- Thread context objects that hold lists of events and deferred execution queues
- Callback objects that are linked to events
- Event monitors, created by each thread context for monitoring events and executing callback objects
- Thread context storage, which manages the list of active threads and provides access to per-thread context objects

This event-driven model resembles Objective C and its message passing features, but the code does not have any direct references to the language, nor does it look like it was compiled with known Objective C compilers.

[Figure: Event-driven model of the Duqu Framework]

Every thread context object can start a “main loop” that looks for and processes new items in the lists. Most of the Duqu code follows the same principle: create an object, bind several callbacks to internal or external events and return. Callback handlers are then executed by the event monitor object that is created within each thread context. Here is example pseudocode for a socket object:

    SocketObjectConstructor {
        NativeSocket = socket();
        SocketEvent = new MonitoredEvent(NativeSocket);
        SocketObjectCallback = new ObjectCallback(this, SocketEvent, OnCallbackFunc);
        connect(NativeSocket, ...);
    }

    OnCallbackFunc {
        switch (GetType(Event)) {
            case Connected: ...
            case ReadData: ...
            ...
        }
    }

[h=2]Conclusions[/h]
The Duqu Framework appears to have been written in an unknown programming language. Unlike the rest of the Duqu body, it's not C++ and it's not compiled with Microsoft's Visual C++ 2008.

The highly event driven architecture points to code which was designed to be used in pretty much any kind of conditions, including asynchronous communications. Given the size of the Duqu project, it is possible that another team was responsible for the framework than the team which created the drivers and wrote the system infection and exploits. The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked. Compared to Stuxnet (entirely written in MSVC++), this is one of the defining particularities of the Duqu framework.

[h=2]The Duqu Framework: What was that?[/h]
After having performed countless hours of analysis, we are 100% confident that the Duqu Framework was not programmed with Visual C++. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language. We would like to make an appeal to the programming community and ask anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions to contact us or drop us a comment in this blogpost. We are confident that with your help we can solve this deep mystery in the Duqu story.
Source: The Mystery of the Duqu Framework - Securelist
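The object model the article describes (a function table stored inside each instance and filled by a constructor, callback objects bound to events, and a per-thread event monitor whose "main loop" runs the callbacks) rebuilt in C as an added example for readers trying to recognise such constructs in a disassembly; this is neither Kaspersky's nor Duqu's code, and the struct names, the Event struct standing in for a Windows handle and the simulated connect() are assumptions.

```c
#include <stdlib.h>
/* Constructed model of the Duqu Framework's object layout (not Kaspersky's code): each
 * instance carries its own function table, filled in by a "constructor" function. */
enum { EV_CONNECTED = 1, EV_READDATA = 2 };
typedef struct Event { int signaled; int type; } Event;   /* stands in for a Windows handle */
typedef struct Callback {
    void (*invoke)(struct Callback *self);   /* slot 0 of the in-instance function table */
    void (*destroy)(struct Callback *self);  /* slot 1: the object's "destructor" */
    Event *event; void *owner; void (*handler)(void *owner, int type);
} Callback;
typedef struct ThreadCtx { Callback *list[8]; int n; } ThreadCtx;  /* per-thread context */
static void cb_invoke(Callback *c) { c->handler(c->owner, c->event->type); }
static void cb_destroy(Callback *c) { free(c); }
static Callback *Callback_new(ThreadCtx *ctx, void *owner, Event *ev, void (*h)(void *, int)) {
    Callback *c = calloc(1, sizeof *c);      /* constructor: allocate, fill table, init members */
    c->invoke = cb_invoke; c->destroy = cb_destroy;
    c->event = ev; c->owner = owner; c->handler = h;
    if (ctx->n < 8) ctx->list[ctx->n++] = c; /* register with the thread context's list */
    return c;
}
static int ThreadCtx_run(ThreadCtx *ctx) {  /* event monitor: one pass of the "main loop" */
    int fired = 0;
    for (int i = 0; i < ctx->n; i++) {
        Callback *c = ctx->list[i];
        if (c->event->signaled) { c->event->signaled = 0; c->invoke(c); fired++; }
    }
    return fired;
}
typedef struct Sock { Event ev; Callback *cb; int state; } Sock;  /* no real socket is opened */
static void Sock_on_event(void *owner, int type) {
    Sock *s = owner;
    if (type == EV_CONNECTED) s->state = 1;       /* case Connected */
    else if (type == EV_READDATA) s->state = 2;   /* case ReadData */
}
static Sock *Sock_new(ThreadCtx *ctx) {           /* bind the callback, then "connect" */
    Sock *s = calloc(1, sizeof *s);
    s->cb = Callback_new(ctx, s, &s->ev, Sock_on_event);
    s->ev.type = EV_CONNECTED; s->ev.signaled = 1;  /* simulated connect() completion */
    return s;
}
static void Sock_free(Sock *s) { s->cb->destroy(s->cb); free(s); }
int run_model(void) {  /* Connected, then ReadData; returns the final state (2) or -1 */
    ThreadCtx ctx = {0};
    Sock *s = Sock_new(&ctx);
    if (ThreadCtx_run(&ctx) != 1) return -1;   /* exactly one callback fires per pass */
    s->ev.type = EV_READDATA; s->ev.signaled = 1;
    if (ThreadCtx_run(&ctx) != 1) return -1;
    int state = s->state; Sock_free(s); return state;
}
```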
-
How lame this is:

    C:\Windows>ping www.facebook.com
    Ping request could not find host www.facebook.com. Please check the name and try again.

    C:\Windows>ping facebook.com

    Pinging facebook.com [69.171.224.11] with 32 bytes of data:
    Reply from 69.171.224.11: bytes=32 time=181ms TTL=244
    Reply from 69.171.224.11: bytes=32 time=181ms TTL=244

    Ping statistics for 69.171.224.11:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 181ms, Maximum = 181ms, Average = 181ms
    Control-C
    ^C
    C:\Windows>

DNS... Stop talking about DDoS if you don't even know the DNS system... PS: "For the RST server" it seems Facebook is working.
-
PHP is embedded in HTML. More precisely, you have something like this:

    <html>
    <?php echo 'aaa'; ?>
    </html>

This code goes through the PHP interpreter. Whatever is NOT PHP code, i.e. whatever is not between <?php and ?>, is returned directly to the browser; whatever is between them is interpreted. With forms it's the same idea: data is sent via POST and something is done with it. Read a bit about HTML, HTTP and PHP.
-
ERR_NAME_RESOLUTION_FAILED: DNS, aka Domain Name System.
-
It's clear, the country is filling up with the lulz dynasty...
-
Well, for crap's sake, post a manual exploitation there, not a crappy link. And I don't see what relevance Linux has, but never mind.
-
You'll get banned if you post this junk again. Either you post the SQL injection, or you refrain; anyone can post a link to a site, whether it's vulnerable or not, the problem is exploiting that vulnerability. What do you do with it, feed it into Havij?
-
You posted it correctly, but you posted junk. I don't see any SQL injection, I only see a link. What do you do with it, feed it into Havij?
-
You posted a link, and a link with a quote mark. You didn't do anything. Moved to the trash.
-
[CHALLENGE] Stop the dll injection/injectors
Nytro replied to Skribul222's topic in Challenges (CTF)
Kernel-mode hook on CreateRemoteThread(Ex), i.e. a rootkit. You can write a driver that overwrites the SSDT; you'll find NtCreateRemoteThread there. PS: Refrain from useless replies.
-
THOR: Another P2P Botnet in development with extra stealth features
Posted by THN Reporter on 3/06/2012 07:59:00 PM

The research community is now focusing on the integration of peer-to-peer (P2P) concepts as incremental improvements to distributed malicious software networks (now generically referred to as botnets). Because “botnets” can be used for illicit financial gain, they have become quite popular in recent Internet attacks. A “botnet” is a network of computers that are compromised and controlled by an attacker. Each computer is infected with a malicious program called a “bot”, which actively communicates with other bots in the botnet or with several “bot controllers” to receive commands from the botnet owner. Attackers maintain complete control of their botnets, and can conduct Distributed Denial-of-Service (DDoS) attacks, email spamming, keylogging, abusing online advertisements, spreading new malware, etc. However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild only recently. This new bot has a different code base, but it uses the same spreading strategy and also seems to maintain a multi-relay (or peer-to-peer) infrastructure just like its predecessor.

Thor is a decentralised P2P botnet, coded in C/C++ and developed by "TheGrimReap3r", that has been in development for some time now and is almost ready to go on sale. The botnet itself has no central command point, so it will be very difficult to shut down, and also very difficult to track where commands are coming from, because all the nodes pass them on. Thor uses DLL injection, IAT hooking and a ring3 rootkit, amongst other things, to hide. One more interesting feature: it has its own module system, so buyers can write their own modules with what the developers call an easy API system. Its peer-to-peer communication uses 256-bit AES encryption with random key generation at each startup.

Thor works on Win 2000+, Win XP SP0/SP1/SP2/SP3, Win Vista SP0/SP1/SP2, Win 7 SP0/SP1 and supports x86 and x64 systems. The developers of Thor are going to sell this botnet openly on the underground market and various hacking forums for $8000 (the package without modules); the expected modules that anyone can buy will be: advanced botkiller, DDoS, formgrabber, keylogger/password stealer and mass mailer.
Source: THOR : Another P2P Botnet in development with extra stealth features | The Hacker News (THN)
-
I think it can be used with sysenter (if you get access to the stack) from user mode to gain kernel-mode privileges.
-
GitHub hacked with Ruby on Rails public key vulnerability
Posted by THN Reporter on 3/06/2012 07:07:00 AM

Github, the service that many professional programmers use to store their work and collaborate on coding, was hacked over the weekend. A young Russian developer, Egor Homakov, exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. When Github saw what happened, they suspended Homakov’s account, which created a firestorm of protest and a blog post entitled "Github, You Have Let Us All Down".

Github has succumbed to a public key vulnerability in Ruby on Rails allowing a user administrator access to the popular Rails Git. Homakov's actions were relatively simple: he merely uploaded his public key to the repository so Git thought he was an approved administrator of that project. This would not only entitle Homakov to commit files, but he could effectively wipe the entire project and its history clean.

"The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability," GitHub co-founder Tom Preston-Werner wrote in a blog post. "Two days ago he responsibly disclosed a security vulnerability to us and we worked with him to fix it in a timely fashion. Today, he found and exploited the public key form update vulnerability without responsible disclosure," Preston-Werner said, explaining that this had meant Homakov had broken GitHub's terms and conditions.

Github is used by a number of high-profile projects including the Linux kernel. Homakov's actions were to exploit a well known weakness of Ruby on Rails, and questions might be asked as to why Github's administrators did not block such an attack sooner.

Moving forward, GitHub has apologized for obscuring how white hat hackers should disclose security vulnerabilities and has set up a new help page that clearly lists how to report issues.
Source: GitHub hacked with Ruby on Rails public key vulnerability | The Hacker News (THN)
-
[h=1]Avira Free Mac Security Beta – Free antivirus for Mac aimed at companies and home users[/h]
By Radu FaraVirusi(com) on March 5, 2012
Avira is launching the Beta version of its security product for Mac OS systems. It is called Avira Free Mac Security and will be offered free of charge to both companies and home users. To download Avira Free Mac Security BETA, go to: http://betacenter.avira.com/files/download.aspx/avira_mac_security_1.0.0.50-2.pkg
For other details about the product, see the Avira blog: Avira Free Mac Security – Beta now available | Avira – TechBlog
Source: Avira Free Mac Security Beta – Antivirus gratuit pentru MAC adresat companiilor si utilizatorilor casnici
-
[h=1]Download Kaspersky Internet Security 2013 – Beta testing has begun[/h]
By Radu FaraVirusi(com) on March 5, 2012
Kaspersky has released version 2013 of its well-known security product, Kaspersky Internet Security. It is currently in the BETA testing stage and there is no official list of changes yet. The graphical interface has remained, and will remain until the final release, the same as in the 2012 version, with small changes of “shade”. Below are the first screenshots and, at the end, the download links. To download Kaspersky Internet Security 2013 Beta, go to: http://special.kaspersky-labs.com/3A8VCJNYOJN7JYU8HFUW/kis13.0.0.2292en.exe
To report problems encountered during evaluation, or for other information, you can visit the official forum: Kaspersky Lab Forum -> KIS\KAV 2013
Source: Descarca Kaspersky Internet Security 2013 – Testarea Beta a inceput
-
Javascript != Node.js...
-
ICMP, TCP, UDP, it's irrelevant. The problem is simple: how do you make a connection FROM THE BROWSER using a given protocol, whichever it is? As for ICMP, it has other purposes, not to mention that a raw socket is needed to create it (I know you know this), which means running the "program" as Administrator/root. Then, nowadays Internet connections often don't have a UNIQUE public IP address, and I don't think port forwarding on the ISPs' routers is even an option. In short, the browser isn't made for this. The only possible solution might be The WebSocket API, but I don't know how you'll manage to put a WebSocket into a "listening" state.
-
Hi, there's nothing you can do; it only works if the form (the page in the iframe) is on the same server. This is a limitation imposed back in the Netscape days, many years ago. Let's be serious, if this were possible, a lot of "things" could be done. Or, something can be done, of course, if you have an XSS in that site.
-
Too bad they're session cookies (without 'expire'). You know what those are and how long they're valid.