Nytro

[h=2]bypassing all anti-virus in the world (Good Bye Detection , Hello Infection)[/h]Posted by shahin in news, Pen-test Method, reversing hello to all readers [h=2]Introduction[/h] as you may read in @abysssec in twitter actually in past a few months we did a cool research on bypassing anti-viruses and got really great result . Bypassing anti-viruses is not a new topic and it’s still about encrypting / decrypting of a program to being hide from AV eyes. In past it was really, really easy task to do but AV’s getting smarter and bypassing all anti-viruses with some really unique methods that each of them use is not funny and neither easy to do. before i go feature i like to have a simple glossary for unfamiliar readers. [h=2]Glossary[/h] Crypter : the program (mostly GUI) will crypt the malware / bot to make it hide from anti-viruses Stub : the Decryptor of crypted program FUD : Fully Un Detectable (FUD = no AV detect) RUNPE : run the PE without headers in memory USG : unique stub generator. (make unique stubs) Binder: will join two file will drop in hdd or mem Pumper: will increase size of tool EOF : end of file(in crypter it need to preserve) Cloner : will clone the file (Decryptor like in HDD) Icon Changer: will change the final exe icon well there are two also different kind of crypters scan time and run time. The good crypter is run time one because as it name says the scan time crypter is just FUD at scan time and when you run it and after real malware decrypted it will be detect so not that useful. And the real crypter is the runtime one. [h=2]How it works ?[/h] if we remove all complex technical info for bypassing all 35 anti-virus around the world it works really sample. it simply encrypt program, decrypt, and then run it in memory. encryption algorithm is not important and sample ideas are enough to make a crypter fud but some of mostly used alghortims are : I. RC4 II. AES III.DES IV. TEA V. XOR VI. CryptoAPI VII. blowfish note that there is important part in your job and that is run the malware safely in memory after decrypting it , and this is done by RunPE . the idea of RunPE comes from great PoC by Tan Chew Keong called dynamic forking of win32 exe : SIG^2 G-TEC - Dynamic Forking of Win32 EXE steps and idea are really sample : CreateProcess Find Base address Virtualalloc Align sections Fix thread context Resume thread but this is not easy to hide this kind of API chaining from anti-viruses . so we finished our research by writing a new fud crypter and our crypter is unique and different with public ones . our crypter is unique and can bypass all 35 exist av right now . here is list of AV we fully tested our crypters on them . - Ad-Aware - AhnLab V3 Internet Security - ArcaVir - Avast - Avast 5 - AVG Free - AntiVir (Avira) - BitDefender - BullGuard - VirusBuster Internet Security - Clam Antivirus - COMODO Internet Security - Dr.Web - eTrust-Vet - F-PROT Antivirus - F-Secure Internet Security - G Data - IKARUS Security - Kaspersky Antivirus - McAfee - MS Security Essentials - ESET NOD32 - Norman - Norton Antivirus - Panda Security - A-Squared - Quick Heal Antivirus - Rising Antivirus - Solo Antivirus - Sophos - Trend Micro Internet Security - VBA32 Antivirus - Vexira Antivirus - Webroot Internet Security - Zoner AntiVirus we even tested 10 year ago malware and our crypter can hide them from any anti-virus system . our crypter comes with some unique features here is some of them - FUD 0 / 35 detection - EOF support - Coded in C/ASM Stub and GUI In C# - Compatible with Win 2k/XP/7 x32 and x64 - Ability of bypassing heuristic and emulators (Kaspersky pro-acvtive defense , Nod32 advanced heuristic , Norton Sonar, Avira heuristic) - Command line support - Unicode support (chines , russian and so on) - Right-to-Left Exploit after crypting you can have .mp3 , doc , pdf , avi or anything as output !!! - inbuilt scanner and scanning with 35 anti-virus after cryptring - advanced file binder with drop in disk and memory - Anti-debug - Anti-sandbox - advanced encryption : Double XOR , RC4, AES256 - Advanced resource storage : unique method here is some screen shot of GUI : and finally you can see the actual work in a demo here : http://abysssec.com/files/VampCrypt.rar as we don’t want harm anyone if you are : - penetration testing company - anti virus / IDS company - any legit company who needs it ” please note that WE DON”T give tool / technology to PERSON . ONLY VERIFIED COMPANY ” contact : info [at] abysssec.com and as always you can follow @abysssec in twitter happy fudding . Sursa: bypassing all anti-virus in the world (Good Bye Detection , Hello Infection) | Abysssec Security Research

[h=2]Exploiting CVE-2011-2140 another flash player vulnerability[/h]Posted by shahin hello all . before going future we are sorry to not update blog regularly, but it’s due to we are busy with stack of projects and also working on our expert training courses. so as we didn’t post any blog post here we go with another flash player exploit we wrote long time ago. [h=1]1) Advisory information[/h] [TABLE] [TR] [TD=width: 638] Title : Adobe flash player memory overwrite exploit Version : <= 10.3.186.3 Discovery : Zero Day Initiative Vendor : http://adobe.com Impact : Critical Contact : info [at] abysssec.com Twitter : @abysssec [/TD] [/TR] [/TABLE] [h=1]2) Vulnerability Information[/h] [TABLE] [TR] [TD=width: 638]Class 1- Stack OverwriteImpactSuccessfully exploiting this issue allows remote attackers to gain code execution on vulnerable system Remotely Exploitable Yes Locally Exploitable Yes [/TD] [/TR] [/TABLE] [h=1]3) Vulnerabilities detail[/h] [h=2]1- Stack overwrite vulnerability[/h] Before we go deep into the vulnerability for understanding this vulnerability you should take a look at MP4 format and H.264/AVC data structures.The actual vulnerability occurs during processing data units in Sequence Parameter Set in MP4. Sub_1005B396 function, is responsible for processing Sequence Parameter Set. In this function pic_order_cnt_type from SPS will be check, if it’s equal with 1, other fields like data_pic_order_always_zero_flag , offset_for_non_ref_pic , offset_for_top_to_bottom_field will be initialize : [TABLE] [TR] [TD=width: 638].text:1005B396 sub_1005B396 proc near ; CODE XREF: sub_1005B8DB+4Bp.text:1005B397 push ebp.text:1005B398 push esi.text:1005B399 push edi .text:1005B39A mov edi, ecx .text:1005B39C call sub_1005A95B .text:1005B3A1 mov esi, [esp+10h+arg_0] .text:1005B3A5 mov ecx, edi .text:1005B3A7 mov [esi], al … .text:1005B47D mov ecx, edi .text:1005B47F mov [esi+20h], eax .text:1005B482 call sub_1005AA64 .text:1005B487 mov [esi+40h], eax .text:1005B48A cmp eax, ebp à if( pic_order_cnt_type ) .text:1005B48C jnz short loc_1005B49D … .text:1005B49D loc_1005B49D: ; CODE XREF: sub_1005B396+F6j .text:1005B49D xor ebx, ebx .text:1005B49F inc ebx .text:1005B4A0 cmp eax, ebx à if( pic_order_cnt_type == 1 ) .text:1005B4A2 jnz short loc_1005B4EF .text:1005B4A4 mov ecx, edi .text:1005B4A6 call sub_1005A99A à offset_for_top_to_bottom_field .text:1005B4AB mov ecx, edi .text:1005B4AD mov [esi+48h], al .text:1005B4B0 call sub_1005AA93 à offset_for_non_ref_pic .text:1005B4B5 mov ecx, edi .text:1005B4B7 mov [esi+54h], eax .text:1005B4BA call sub_1005AA93 à offset_for_top_to_bottom_field [/TD] [/TR] [/TABLE] Then the num_ref_frames_in_pic_order_cnt_cycle will be set and if it’s bigger than 0 the values in offset_for_ref_frame will be copied into buffer. [TABLE] [TR] [TD=width: 638]text:1005B4BF mov ecx, edi.text:1005B4C1 mov [esi+50h], eax.text:1005B4C4 call sub_1005AA64 à num_ref_frames_in_pic_order_cnt_cycle.text:1005B4C9 mov [esi+4Ch], eax .text:1005B4CC test eax, eax .text:1005B4CE jbe short loc_1005B4EF .text:1005B4D0 lea eax, [esi+58h] .text:1005B4D3 mov [esp+10h+arg_0], eax .text:1005B4D7 .text:1005B4D7 loc_1005B4D7: à do{ .text:1005B4D7 mov ecx, edi .text:1005B4D9 call sub_1005AA93 à offset_for_ref_frame .text:1005B4DE mov ecx, [esp+10h+arg_0] .text:1005B4E2 add [esp+10h+arg_0], 4 à buf = &buf + 4 .text:1005B4E7 inc ebp à i++ .text:1005B4E8 mov [ecx], eax à buf = offset_for_ref_frame .text:1005B4EA cmp ebp, [esi+4Ch] .text:1005B4ED jb short loc_1005B4D7 à } while(i < num_ref_frames_…) [/TD] [/TR] [/TABLE] You should got the vulnerability at this point. There is no boundary check for num_ref_frames_in_pic_order_cnt_cycle, so our data related to offset_for_ref_frame will be copy into the stack , that’s all . [h=2]2- Exploitation[/h] Thanks to windows memory manager, browser and class of bug it’s not that hard to archive RCE. The only thing that should care about is return address. Because values which copied from MP4 file into stack, come with the changes. In other words, these values ??after reading from file will be decode and then are copied into stack. Values ??are copied into the buffer are generated from values in file into Signed Exp-Golomb code.After taking controll of EIP it’s easy to finish the job we used basic heap spray. here is reliable exploit : CVE-2011-2140 happy hunting ! Sursa: Exploiting CVE-2011-2140 another flash player vulnerability | Abysssec Security Research

dsfsdfdsfdsfdsf

ghjghj

Da, interesanta idee, poate fi foarte utila o astfel de utilitate.

Avem o categorie numita "Cos de gunoi" unde mutam toate porcariile. Tu ai postat niste link-uri de 2 lei, nu vad ce ar cauta asa ceva la Show-Off. Ai extras macar versiunea bazei de date? Intrati pe un link, puneti o ghilimea si sunteti 1337.Sau puneti acel link in Havij si sunteti 31337. O sa dau ban pentru astfel de porcarii.

Alcoolul dauneaza grav sanatatii. Lasati cacaturile si faceti ceva constructiv.

Trebuie sa facem "discriminari" apoi. Si pentru ce, pentru niste conturi? Trebuie sa luam in considerare cine si de ce ar avea acces la continut pus de alte persoane, si care persoane sa aiba permisiunea de a posta. Apoi, sincer, ce cacat faceti cu acele conturi? Cate persoane AR POSTA conturi?

Vad doar un link, deci nimic de Show-Off, deci se muta la gunoi.

Asta e "Show Off" ba? Ratatii din ziua de azi... In trecut prin "Show off" se intelegea un Full Disclosure, acum vad numai un cacat de link pe care il bagati in Havij si gata. Muie generatiei "tinere"!

Nu conteaza, e bine pentru inceput.

Ce dracu sa va cer, daca atat va duce capul sa va luati dupa niste copii copaci...

Foarte interesant. Ban. Mi s-a luat de posturi de cacat,

Poate e pentru ca baui, dar ma pis pe amandoi. Muie.

Sa ma fut pe anonimusii vostri ratatilor.

Copii fara viitor, au invatat sa foloseasca Google si au devenit hackeri, patetici.

Eu ii dadeam ban lui Tinkode aici, Tinkode imi dadea ban pe ISR. Ce vremuri

De la ieu pt baety: Florin Salam - Cap si pajura 2011 (Live Club One Million Timisoara) - YouTube

dsfMrdfUfxIcvE AdfNsdOdsfNtyYfgMzOxcUasSdf.

Sa nu va plangeti la mine ca a venit valu' de copii copaci peste voi...

L-am oprit pe Salam ca sa ascult porcaria aia? Muie!

In C un vector e un pointer, adresa de memorie contigua unde e memorat acel vector. Ex. char plm[13] = "Ana are mere"; plm == 0x12345678, adresa de unde incepe acel sir, adica la adresa 0x12345678 e caracterul "A", adica 65, adresa 0x12345679 corespunde lui "n" si tot asa. Tipul de date al vectorului, char, indica faptul ca fiecare element ocupa un octet pentru ca sizeof(char) este 1.

Integer overflow - Wikipedia, the free encyclopedia

Fals. Nu se aloca nimic pentru acel s[256], e un pointer si se vor pune pe stiva 4 octeti (respectiv 8 pentru sisteme pe 64 de biti) indiferent daca e s[1] sau s[1337]. Ii este trimis un pointer la un sir de caractere deja alocat. Practic va copia sirul "dupa" sirul existent (in memorie). Revin cu detalii mai tarziu.

Ce hackeri avem noi? Acestia sunt hackeri? Persoane care ghicesc parole? Persoane care ruleaza o comanda "./scan cacat" si nu stiu ce e ala kernel? Acestia? Apoi, SUA poate "cumpara" persoane capabile, daca are nevoie.